Choking Someone is Felony Assault and Attempted Homicide

There have been several high-profile cases in the news this week about people choking people. I wanted to bring it up and talk about some important facts.

Consent must be talked about beforehand. Non-consensual choking, even during consensual sex, is strangulation. It is felony assault and it is attempted homicide, with a mandatory prison sentence.

Beyond the legal definitions, it is also the number one indicator that a person will go on to kill a partner in the future, and since it is a power-and-control-dynamic, it is also one of the highest indicators that abuse and violence will escalate in the future between the two partners.

It is not ok to choke another person, even during consensual sex, without talking about it beforehand and getting an explicit and enthusiastic yes to that specific act. Furthermore, if a person wants to do that to you, it is extremely likely that it will lead to more violence and potentially homicide in the future.

https://www.strangulationtraininginstitute.com/about-us/

http://time.com/5269444/eric-schneiderman-sponsored-strangulation-law/

https://www.vox.com/identities/2018/5/10/17340008/anthony-wall-police-waffle-house-video

A New Subtitle; A New Chapter

I put a great deal of thought into the subtitles I use on my website, blog, github, linkedin, etc. The backdrop for this decision is that I have been going through a period of great change in my life. I left a dead-end software engineering job and decided to go back to school in order to maximize the rest of my life. But maximize how? Financially, sure. But also in terms of impact. I want to be effective beyond just profitability.

I have also had many conversations with several mentors and decided to move my career’s focus to a more altruistic and empowerment-based perspective. I want to work on social business projects. I want to make things that really help people. I want to solve real problems with great products.

My old subtitle came largely from impressions after reading Eric Schmidt’s How Google Works, and Peter Thiel’s Zero to One. I was very excited about the way Eric Schmidt talks about setting up systems which empower creative people to solve whatever problems they want. I was also very excited by Peter Thiel’s ideas about the value and importance of creating entirely new things, rather than incrementally improving on old things.

The old subtitle was:

“Smart-creative and award-winning innovator, building technical solutions to business problems.”

This is an excellent approximation of the chapter which recently ended in my life. But I made a mistake. It’s the same mistake Google made somewhere along the way. And it’s something Peter Thiel was right about all along.

It’s not possible to be a revolutionary who works within the boundaries of the old world.

What do I mean by that? Well I found a huge problem which was not addressed by any current products. It was a ten billion dollar market that nobody was attacking, and the market was desperate for a solution. I identified a company that needed this solution, and I built it for them from within, offering them 50/50 terms. The problem was that these kinds of companies are not just a symptom of the problem, they are also the cause of the problem. They couldn’t see the solution, even when I handed it to them for free. It wasn’t a part of their paradigm. They didn’t want it. They didn’t know to want it. They knew they needed it and their business couldn’t function without it, but they just didn’t understand its value.

If you want to create real innovation, real solutions to shared problems, you have to start from scratch and attack the problem from the outside. It’s funny because once I said it that way, I immediately thought of half a hundred examples where that is so obviously true.

The end of the Christian dark ages could never have come from within the church; the renaissance and the reformation were forced on them from without.

The failed American education system could never be fixed from within; it will be supplanted by groups like Khan Academy, FreeCodeCamp, and others.

Swollen and bloated bureaucracies are a major source for the downfall of empires throughout history.

The only way to start over is to start over. You can’t incrementally improve broken systems. What I needed was autonomy. Every great business project I’ve ever worked on which I’ve written off has collapsed for the same reason: a lack of coherent understanding on the part of a powerful partner.

When I was at Sequoia, I had access to essentially unlimited money and resources, but I was subject to completely out-of-touch supervision of those resources. Even though I was bringing in $20k a month, I had to fight tooth and nail for spending on basic health code compliance.

When I was at Tech 2U, I spent the vast majority of my time dealing with bikeshedding on the part of incompetent, uneducated middle-managers who wanted random little fiefdoms to be the focus of a project that could have truly changed the world for the better.

The problem with my strategy and philosophy was finally clear. I needed to be completely independent and autonomous in order to execute the revolutionary empowerment projects I wanted to be working on without wasting all my time and energy convincing bloated bureaucracies to come along for the ride.

So here it is, my new subtitle:

Creating business solutions to shared problems.

Bits are great, but I have always cared about bricks too. In fact, the vast majority of my financial success with entrepreneurship has been non-digital. There is no reason to identify as a software entrepreneur and ignore the physical world and the impact I can have there. This mirrors a major change I made earlier this year with my two main ventures. I decided to combine my digital marketing and event services projects into a single unified project with a common theme of maximizing the impact of leaders by combining in-person outreach events with web presence.

I think the word “social” has too many unlooked-for connotations, so instead of saying something like “social entrepreneur,” I decided to phrase the rest of it this way.

I also want to communicate agency rather than egoism. I don’t necessarily want it to be about me, rather what I’m doing and why. I think this communicates the same message with less noise.

A Period of Transition

In the year since I left Tech 2U, I have been attending both Sierra College and ARC, and both more than full time. I have completed nearly three years of school in the past year. Soon, I will be done with my three degrees, and ready to take the next steps. I am hoping to get started on a couple of my projects before that time. It will be interesting to see how this central theme of a life’s subtitle evolves through this period.

My major plans include building a new CRM company and building some kind of capsule hotel.

We need a better abstraction of digital workspaces.

When you run a software application on any modern device, you get some kind of window with the content of what it’s doing, and some number of processes in the background which perform the work.

Virtualization tools like VirtualBox allow you to run programs in a completely enclosed environment which look and feel just like any others. Some virtualization tools like Xen also allow software to run redundantly on multiple machines at the same time with millisecond failover if something goes wrong with one of the machines.

When I think about the role of mobile devices in the near future, there will be a lot more virtual-reality. Specifically, one major place that will be impacted by this is the way we work. Hardware is expensive. Redundant hardware is especially expensive in the context of opportunity cost.

Imagine if you will, a person a few years from now who needs a workspace with multiple 4k screens and lots of compute power to do various tasks, but wants to avoid paying for all of that. One obvious option is renting the compute power. There are numerous services which allow users to rent time on high powered machines in the cloud. I have several of these for various projects.

So imagine using something cheap like Google Daydream or an even cheaper alternative. Combine that with something like React VR, and you can already create an immersive virtual reality experience on any modern mobile device. So why not include virtual workstations in that environment which interact just like a real machine, because they are connected to a real machine somewhere in the cloud. Maybe some tasks are simpler, so they can be performed on the device itself. Maybe there is a single way to think about both types of tasks.

If we create simple virtual machines which can automatically switch their load to and from the cloud as demand increases or decreases, we will solve more problems than just this.

Imagine the implications for today’s applications. If my laptop, phone, and work machine were all literally using a shared, distributed container system to run my applications, those applications could move seamlessly between my devices. If I need to render something complex on my phone, my laptop can help. If I want to pick up exactly where I left off in a spreadsheet, I’m already there.

There are already technologies which have most of these features. For example, I could just use remote desktop on my phone and laptop to connect to my work machine and use applications there. I often do this. The problem is connectivity. If I have no connection or a slow connection, I have no access to my apps and data.

Likewise, if I use Xen to virtualize a workspace which is colocated in the cloud and at my home and work, I have to do that to the entire operating system, not just the applications I want to use.

Let’s go back to the person working in a virtual workspace within React VR on their cell phone. Maybe the short-term answer is just remote desktop. Maybe connecting their virtual workstation to a real one in the cloud via something like VNC is the answer. Maybe a cool, old-fashioned looking terminal within the virtual environment is a good alternative to something like putty on the desktop. But I think these types of solutions will lead to something more like what I am describing.

The First Run: 140 Care Packages For People Who Are Homeless

We liked the idea of having something other than cash to hand out to people who are homeless in order to be more helpful with less money. We also wanted to start conversations around the project which helped to humanize people who are homeless. This comes in the face of intense prejudice in our communities and stigmatization of people who are homeless as though they are the source of our problems rather than a symptom of our community abandoning its most vulnerable members.

So we decided to make care packages. This is what we came up with…

Care Packages For People Who Are Homeless

In this first run, each care package contains:

  • A Bottle of Water
  • A Granola Bar
  • A Ramen Packet
  • Tissues
  • Toilet Paper
  • A Feminine Hygiene Product
  • A Bag of Dog Food For Man’s Best Friend
  • A Tooth Brush
  • Hand Sanitizer
  • Apple Sauce
  • A Bar of Soap (Special Thanks to Stand Up Placer and Jenny Davidson for donating these!)

How To Tell If Facebook Hides Your Posts

I challenge everyone to look at their profile and see whether Facebook shows your posts to anyone, or if you’re just sharing things with the wall behind you. Look back at your Facebook posts on your profile and see how many of them have no likes or comments. If a post has none, it means Facebook’s algorithm decided not to show it to anyone after testing it on one or two people who ignored it.

Even the most high-impact people make mistakes. The difference between having a high impact versus a low impact is checking in with how effective your methods are and how you can do things better.

The way the Facebook feed algorithm works is that it tests every post on one or two people to see whether they “engage” with it by liking or commenting on it. If they don’t, the algorithm stops showing the post to anyone and it disappears forever, except on your profile. If the test subjects do engage with the post, the algorithm will keep showing it to people until new people stop engaging with it.

If you have a post with no likes or comments, a maximum of one or two people saw it, and no one will ever see it again unless they go look at your profile.

Let’s do the math on your recent posts:

How Many Likes Or Comments?   Likely Audience
0-1                           A maximum of two people have ever seen this post.
2                             A maximum of three to four people have ever seen this post.
>10                           A maximum of twelve people have ever seen this post.

How many friends do you have on your profile? If it is the case that you are getting zero likes and comments on posts, ask yourself what you’re trying to accomplish with your posts and who you are trying to reach. What percentage of your friends are you actually reaching?

I think most of us should be posting less, and posting better.

No matter what you’re trying to accomplish, it’s important to understand whether you’re doing it well and how you can do it better. Look for posts that have lots of engagements. What is different about these from your less successful posts?

Cheap Global Data And Voice Is Easy

The Phone

Before my recent trip to Europe, I bought a Pixel 2 which I have to say is the best phone I’ve ever had. The pictures are stunning, especially in low light. The phone is fast. It holds a charge all day and charges very quickly. I also got a really great wallet case for it. I can’t recommend this phone enough.


The Pixel 2 is the newest and most high-end phone officially supported by Google’s Project Fi. One other detail about the Pixel 2: there are two sizes. I chose the regular Pixel 2, but there is also the Pixel 2 XL with a larger screen. Other than the screen size, there is no difference between the two. I like a smaller screen so I went with the Pixel 2. I essentially did this the most expensive way possible.

This is the newest flagship phone from Google and I chose the largest available memory size. I also chose the unlocked version so I can do whatever I want with it in the future. There are much cheaper options which still qualify for Google’s Project Fi. For example, you can pick up a certified refurbished Nexus 5X for just $149 which will still do everything I describe here.

Optional Secondary Router

I also picked up a USB LTE modem which works with Google’s Project Fi. You could also just use hotspot on your phone, but I wanted to have a router that works all the time with my data and it doesn’t cost any more to use it this way. This modem plugs in to my cheap travel router to provide my Project Fi data over wifi for my chromebook and for any friends’ phones and laptops. This modem will probably work with any router that has a USB port.


I also set the router up to encrypt all its traffic through Private Internet Access. This protects against stingrays or other trivially easy attacks by unscrupulous third parties. Our own government publicly acknowledges that these devices are being used in America and that they don’t know how to find them or stop them. It is now trivially easy for malicious third parties to see anything you do on mobile data unless you use a VPN like Private Internet Access. The last thing I need is my accounts being hijacked while I’m overseas.

If you do decide to use this LTE modem, you will need a sim card adapter to fit the Project Fi sim card into the modem. They are just a few dollars.

Project Fi: How It Works

Project Fi is so simple. It works in over 120 countries including almost all of the developed world. It’s $20/month for unlimited voice and texts. And then you pay $10/gig for data up to a maximum monthly cost of $60. So if you use one gig, you pay $30 for the month. If you use six gigs, you pay $80 for the month. If you use a hundred gigs, you pay that same $80 for the month. It doesn’t go higher than $80 no matter how much data you use.

This rate applies to your phone and any other data-only devices you add to your plan. That could be a tablet or a router for example. So in my case, my travel router and my phone share the same single bill of $80/month for unlimited data almost anywhere in the world.

This is an amazing deal! If I am on my phone using gigs and gigs of data, and on my laptop watching movies and using tons more data, it still just costs me $80/month total. That’s cheaper than paying for my old phone plan plus my home internet. And I only used a few gigs the whole time I was in Europe, because there’s excellent wifi everywhere. Since I am using Private Internet Access to encrypt my data, I don’t have to worry about jumping on whatever sketchy wifi I come across. I am protected!

Thoughts On Race In America

I have spent the last week getting to know people from all over the world: refugees from Iraq and Iran, students from Ghana, a Korean-German cheeseburger artisan, a Turkish telecom businessman, room mates from Germany and Italy and Spain and Austria. One thing that hasn’t come up even once is race.

In America, the issue of race today basically has two perspectives. It is either a dividing force of injustice or a pervasive effort to correct that injustice through the empowerment of historically marginalized groups paired with the silencing or disruption of “the oppressor” (or everyone else). This is a distinctly American issue. It’s a local cultural metaphor or construct popularized by dead generations to justify exploitation of minority groups and then redefined by academics in the seventies to mean the opposite.

Language does only what it must. So why does this metaphor continue to exist?

The metaphor of race in America exists today only to perpetuate contrived divisions or to perpetuate backlash towards it.

Soon, the last extant dregs of the former will be gone forever, swept away by the winds of time. And the age of the latter in America will truly begin. The only cure for the former is time. And time is inexorable. It is perhaps no mistake that the astrological age of the king is at its end and the age of the child at its dawn.

Group Meditation: Free Will

I attend a biweekly meditation and discussion group. The following is a prompt provided by another member for the discussion this week. It is followed by the member’s own analysis and then by my response. I include my response in order to help me focus my initial thoughts before the group discussion.

The Prompt

{Free Will: Do We Have a Choice?}
Free – choosing or capable of choosing for itself
Will – the power of control over one’s own actions or emotions
Author – Sam Harris
Book: Free Will

The question of free will touches nearly everything we care about. Morality, law, politics, religion, public policy, intimate relationships, feelings of guilt and personal accomplishment—most of what is distinctly human about our lives seems to depend upon our viewing one another as autonomous persons, capable of free choice. If the scientific community were to declare free will an illusion, it would precipitate a culture war far more belligerent than the one that has been waged on the subject of evolution. Without free will, sinners and criminals would be nothing more than poorly calibrated clockwork, and any conception of justice that emphasized punishing them (rather than deterring, rehabilitating, or merely containing them) would appear utterly incongruous. And those of us who work hard and follow the rules would not “deserve” our success in any deep sense. It is not an accident that most people find these conclusions abhorrent. The stakes are high. In the early morning of July 23, 2007, Steven Hayes and Joshua Komisarjevsky, two career criminals, arrived at the home of Dr. William and Jennifer Petit in Cheshire, a quiet town in central Connecticut. They found Dr. Petit asleep on a sofa in the sunroom. According to his taped confession, Komisarjevsky stood over the sleeping man for some minutes, hesitating, before striking him in the head with a baseball bat. He claimed that his victim’s screams then triggered something within him, and he bludgeoned Petit with all his strength until he fell silent. The two then bound Petit’s hands and feet and went upstairs to search the rest of the house. They discovered Jennifer Petit and her daughters—Hayley, 17, and Michaela, 11—still asleep. They woke all three and immediately tied them to their beds. At 7:00 a.m., Hayes went to a gas station and bought four gallons of gasoline. At 9:30, he drove Jennifer Petit to her bank to withdraw $15,000 in cash. 
The conversation between Jennifer and the bank teller suggests that she was unaware of her husband’s injuries and believed that her captors would release her family unharmed. While Hayes and the girls’ mother were away, Komisarjevsky amused himself by taking naked photos of Michaela with his cell phone and masturbating on her. When Hayes returned with Jennifer, the two men divided up the money and briefly considered what they should do. They decided that Hayes should take Jennifer into the living room and rape her—which he did. He then strangled her, to the apparent surprise of his partner. At this point, the two men noticed that William Petit had slipped his bonds and escaped. They began to panic. They quickly doused the house with gasoline and set it on fire. When asked by the police why he hadn’t untied the two girls from their beds before lighting the blaze, Komisarjevsky said, “It just didn’t cross my mind.” The girls died of smoke inhalation. William Petit was the only survivor of the attack. Upon hearing about crimes of this kind, most of us naturally feel that men like Hayes and Komisarjevsky should be held morally responsible for their actions. Had we been close to the Petit family, many of us would feel entirely justified in killing these monsters with our own hands. Do we care that Hayes has since shown signs of remorse and has attempted suicide? Not really. What about the fact that Komisarjevsky was repeatedly raped as a child? According to his journals, for as long as he can remember, he has known that he was “different” from other people, psychologically damaged, and capable of great coldness. He also claims to have been stunned by his own behavior in the Petit home: He was a career burglar, not a murderer, and he had not consciously intended to kill anyone. Such details might begin to give us pause. 
As we will see, whether criminals like Hayes and Komisarjevsky can be trusted to honestly report their feelings and intentions is not the point: Whatever their conscious motives, these men cannot know why they are as they are. Nor can we account for why we are not like them. As sickening as I find their behavior, I have to admit that if I were to trade places with one of these men, atom for atom, I would be him: There is no extra part of me that could decide to see the world differently or to resist the impulse to victimize other people. Even if you believe that every human being harbors an immortal soul, the problem of responsibility remains: I cannot take credit for the fact that I do not have the soul of a psychopath. If I had truly been in Komisarjevsky’s shoes on July 23, 2007—that is, if I had his genes and life experience and an identical brain (or soul) in an identical state—I would have acted exactly as he did. There is simply no intellectually respectable position from which to deny this. The role of luck, therefore, appears decisive. Of course, if we learned that both these men had been suffering from brain tumors that explained their violent behavior, our moral intuitions would shift dramatically. But a neurological disorder appears to be just a special case of physical events giving rise to thoughts and actions. Understanding the neurophysiology of the brain, therefore, would seem to be as exculpatory as finding a tumor in it. How can we make sense of our lives, and hold people accountable for their choices, given the unconscious origins of our conscious minds?

Response From The Member Who Offered This Topic

I would like to start off by bringing attention to what I consider a bit of an elephant in the room, which is the extremely broad, and general nature of this topic. Sam Harris presents an almost laser focused example of what he considers a case against free will, and in doing so he comes off as very matter of fact, but I would like to leave the discussion open for personal interpretation. In this subject a number of topics can be brought to the table, ranging from nature vs nurture, nihilism, morality, to crime & punishment, and plenty more, so in that fact I would like to provide a guiding question for us to consider throughout the discussion after any initial thoughts are shared.

In the example provided by Sam Harris, do you believe nature vs. nurture was at play, did the childhood of Komisarjevsky contribute to who he became, does it make him less accountable, and did he have any choice in his upbringing to begin with? To clear up the underlined concept: nature vs. nurture is a debate between two causes for our actions, nature being the purely biological side of things, what we inherit from our parents, genetics, DNA & so forth, while nurture is what we acquire throughout life, or what is adapted, and learned. One side supposes all actions are the result of your biology, the other supposes your actions are the result of the environments you’ve lived in. It isn’t my hope that anyone walk away from here convinced one way or the other, because the depth of this topic is too vast for that sort of revelation to be meaningful, instead I hope we can walk away thinking more about whether or not we’re truly in control of our thoughts, and actions, and to be more considerate and mindful about the decisions we believe we make each, and every day, be it our choice or not.


My Response

My first reaction is to emphatically agree with everything Sam Harris said in this reading. I have followed his broader work on this topic and found his arguments very compelling. His education is in neurology and much of his professional writing career has been focused on the idea of removing the mysticism from concepts like this one: to empower secular debate with fluent vocabulary which is able to approach topics once relegated to the proponents of superstition.

My own thinking on this topic has evolved to include an appreciation for the distinction between behaviors driven by the default mode network versus the prefrontal cortex, and the impact of mindfulness and willpower on allowing the prefrontal cortex to exert inhibitory control over the amygdala and hypothalamus, overriding the default mode network.

Based on my understanding of the neuroscience of decision making from the perspective of meditation practice, a person is very much the product of their environment. Genetic and other biological factors play a large role in defining a person’s many predilections and predispositions. Environmental factors such as early childhood development and the hierarchy of needs have an equally important role in defining a person’s default behaviors based on their predilections and predispositions. Lastly, there is the potential for the influence of a practiced use of mindfulness based cognitive behavior therapy.

In the example given above, a person sexually assaults a child after having been sexually assaulted as a child. There are lots of other obvious examples of antisocial behavior which is clearly stemming from the default mode network and a person’s likelihood to do things based on their memories, especially in cases of abuse. There are also lots of examples of people doing things because of various physiological problems with the brain. Take for example America’s first mass shooting which was caused by a brain tumor pressing on the shooter’s amygdala (a major component of the default mode network).

Let’s define the default mode network. The way we respond to an average situation is based on our default mode network. It is a feedback loop of the amygdala and hypothalamus using memory to trigger emotional states based on stimuli we perceive. So when we see something happening, a memory is triggered by the hypothalamus. This causes the amygdala to trigger an associated emotional state, and the cycle loops back and forth, intensifying the experience until a reaction happens in the person’s mind and behavior. This is the function of the default mode network of the brain. This is the active system in the brain when we are not exerting executive function from the prefrontal cortex.

As we discussed last week, the prefrontal cortex is capable of exerting inhibitory control over the default mode network. This is the mode the brain goes into when we are trying to focus on a particular task or solve a problem for example. This also means we can choose not to accept a feeling or thought which is triggered by the default mode network. We can choose to think or feel something different from our initial reaction through the use of mindfulness based cognitive behavior therapy.

The evidence (as discussed last week) suggests that the more often we make the choice whether or not to accept a thought or feeling, the easier it is to do that. And the thoughts and feelings we choose become the types of thoughts and feelings produced spontaneously by the default mode network.

For example, if one is burdened by feelings of anxiety, and one persistently chooses not to feel anxious, then one will stop feeling anxious by default. This application of mindfulness based cognitive behavior therapy is more effective than medicine at treating a number of chronic conditions, according to research discussed last week.

I would argue that an inverse correlation therefore exists between the predisposition towards a particular reaction, and the relative ease of choosing otherwise. For example, a person with a brain tumor pressing on their amygdala would have a very hard time choosing not to act on strong emotional reactions to stimuli. Conversely, a person who is well practiced in mindfulness meditation would have a very easy time choosing to disregard a suggested thought or feeling from their default mode network.

The inverse correlation which describes the ease of disregarding the default mode network and its thoughts and feelings is one which closes in distance with practice. I think this is an accurate analog to the metaphor we think of as free will. I think people can choose to choose, or they can go with the flow. If people choose to choose, and do it frequently enough, then they can overcome their predilections and predispositions.

If the people in the example above had been given training in mindfulness based cognitive behavior therapy as children, it is entirely conceivable that they would have overcome the impulses which led to their antisocial behavior. Especially in the cases where the perpetrators were reenacting things which had been done to them, it seems very likely they would have had different outcomes. It almost seems like these people were trying to self-medicate by inflicting their trauma on others in order to find some kind of catharsis. Their reaction to one victim escaping, to burn down the house as though that would somehow erase the evidence, and Sam’s comment that they later showed remorse, suggest that if they were able to, they would likely have chosen to disregard the series of successive impulses which compounded to become these crimes.

Sam invites us to imagine ourselves in the shoes of the perpetrators deciding to do these things based on the lives that led to this moment. It is easy to look in from the outside and advise another path. But without the ability to disregard thoughts and feelings which one does not want to accept, it’s hard to imagine a path where a victim of this kind of trauma finds a healthier outcome.

Perfect Server: v19

This is the latest iteration of my perfect server. The biggest change is that this is updated to reflect the requirements of Debian 9.4, which are slightly different from previous versions. Certbot has also changed somewhat.

The first step is to provision a new server. I use Digital Ocean. (Referral Coupon) I will be logged in as root for all of this since this is all stuff that needs to be done as root. If you don’t want to log in as root, you can instead use sudo at the beginning of each command.

(In previous versions, we needed to add new sources to install certbot. This is no longer necessary.)

apt-get update && apt-get upgrade

Now install all the packages we will need, and a few that everyone should really have which are no longer included by default;

apt-get -y install fail2ban apache2 php7.0 php-pear php7.0-mysql php7.0-mcrypt php7.0-mbstring libapache2-mod-php7.0 php7.0-curl screenfetch htop nload curl git unzip ntp mcrypt postfix mailutils php7.0-memcached mysql-server certbot python-certbot-apache man-db && a2enmod rewrite && service apache2 restart && mysql_secure_installation

You will no longer be prompted to create a mysql password when installing mysql-server. Now, you create it during the configuration command at the end of the line above.

Name Thyself

Now navigate to the virtualhost directory;

cd /etc/apache2/sites-available

Remove the default ssl virtualhost. We will be creating a new one instead.

rm default-ssl.conf

Rename the default virtualhost to the fqdn of the server. Example: server3.website.com. Note that this is not the fqdn of the site(s) we are hosting on the server.

mv 000-default.conf [fqdn].conf

Edit the default configuration file. We need to change the admin email to your email, and change the webroot to the webroot you want to use. I like /var/www

Restart Apache and apply the changes so it knows where the files are…

a2dissite 000-default && a2ensite [fqdn].conf && service apache2 restart

Free SSL

We already set up LetsEncrypt so now we just need to run their Certbot. Once the domains are set up and pointed to the server’s ip, along with a virtualhost being configured as shown above, all it takes is running Certbot which takes care of everything.

certbot --authenticator webroot --installer apache

Certbot will ask you to enter the webroot from the previous step for validation.

Make sure to choose the most secure options as specified by Certbot.

Now you have an SSL certificate installed!

Hardening Apache

Edit our default configuration file and comment out the DocumentRoot with a # sign at the beginning of the line. You will notice LetsEncrypt has added some redirect rules. We need to modify one of them. Look for the line that looks like this, and change it as shown;

RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]

Becomes… (Use your fqdn where it says [fqdn].)

RewriteRule ^ https://[fqdn]%{REQUEST_URI} [END,QSA,R=permanent]

Save that file and exit.

Now, let’s make sure no one can navigate to the IP of the server and access any virtualhosts that way.

cp [fqdn].conf [ip].conf && a2ensite [ip]

Where [ip] is the public ip of your server.

Now edit the newly created ssl virtualhost configuration file and replace the default webroot with the one you want to use. It will be called something like /etc/apache2/sites-available/[fqdn]-le-ssl.conf. Add the following block within the virtualhost tag of the file and save it. Substitute the directory path with your chosen webroot path.

<Directory "/var/www">
AuthType Basic
AuthName "Restricted Content"
AuthUserFile /etc/apache2/.htpasswd
Require valid-user
</Directory>

Lock it Down

Let’s create a credential set for our new virtualhost. This is sort of a catch-all for any domains we point here which are not yet set up.

htpasswd -c /etc/apache2/.htpasswd [username]

You will be prompted for a password. This is very bruteforceable. My best practice is to use very high entropy strings for both the username and the password. Typically at least 64 bits of random base 64 for each.
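One way to produce those high-entropy credentials and store them, as an added example that is not part of the original post: 64 random bits each for username and password, and the entry written with bcrypt (htpasswd -B) rather than htpasswd's default MD5-based hash, with the password fed on stdin so it never shows up in the process list. The file path follows the post; the cost factor is my choice.

```shell
#!/bin/sh
# Added example, not from the original post. Generates the catch-all
# credential set recommended above and stores it with a bcrypt hash.
HTPASSWD_FILE=/etc/apache2/.htpasswd

# 8 bytes from /dev/urandom = 64 bits of entropy, printed as base64
# with the padding "=" removed (11 characters from the base64 alphabet).
gen_token() {
    head -c 8 /dev/urandom | base64 | tr -d '=\n'
}

# Create the credential set for the catch-all virtualhost. The pair is
# printed once so it can go into a password manager; the password is
# passed to htpasswd on stdin (-i), not as an argument, so other local
# users cannot read it out of `ps`.
create_catchall_user() {
    user=$(gen_token) && pass=$(gen_token) || return 1
    # -c create the file, -B bcrypt, -C 12 cost factor, -i read from stdin
    printf '%s' "$pass" | htpasswd -c -B -C 12 -i "$HTPASSWD_FILE" "$user" || return 1
    # Apache only needs to read the file; nobody else needs to see it.
    chown root:www-data "$HTPASSWD_FILE" && chmod 640 "$HTPASSWD_FILE"
    printf 'catch-all credentials: %s:%s\n' "$user" "$pass"
}
```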

Apply Changes

Now restart apache

service apache2 restart

Test our changes by navigating to the public ip of the server. You should be redirected to a https url with the fqdn of the server and prompted for a username and password. If this happens, everything so far has worked!

Administrative Tools

We will need to put some tools in here so we can administer the server.

PHPMyAdmin

This will allow us to manage the databases we will be creating on the server. Head over to their website and get the download link for the current version.

Navigate to our new secure DocumentRoot directory and download that link.

cd /var/www && wget [link]

Now unzip it and remove the zip file we downloaded.

unzip [file] && rm [file]

Now that we have a PHPMyAdmin directory in our secure virtualhost, we need to configure it. Luckily it can do that itself! Use this command and enter the mysql root password when prompted.

mysql -uroot -p < /var/www/[unzipped phpmyadmin folder]/sql/create_tables.sql

The last thing PHPMyAdmin needs is a secret string. Edit the config file config.sample.inc.php and save it as config.inc.php.

Make sure to add a random string where prompted at the top of the file.

Postfix Outbound-Mail Server

We need to edit the config files for postfix and change the interface to loopback-only like so. We already set up a firewall rule to block connections to port 25, but those rules can be changed by mistake, so this will be a good second line of defense to prevent public access to sending mail through our server, while allowing us to still use it locally.

nano /etc/postfix/main.cf

Find this line;

inet_interfaces = all

And change to;

inet_interfaces = 127.0.0.1

Now edit the email aliases;

nano /etc/aliases

At the end of the file, make sure there is a line that starts with root and ends with your email, like so;

root: email@domain.com

Save the file and exit. Then run newaliases to let Postfix apply the changes. Restarting Postfix is not enough because we changed the interfaces line in the config file. We need to stop and start it like so;

newaliases && postfix stop && postfix start

Now our sites will be able to send emails!

VPS Home

This is something simple I built which serves as a better index page for the secure virtual host and includes several helpful tools for diagnostic purposes. To try it out, run this command from the DocumentRoot directory.

wget https://raw.githubusercontent.com/cjtrowbridge/vps-home/master/index.php

PHPInfo

It’s helpful to be able to access details of the server’s php installation from this directory. I like to create a file called phpinfo.php which contains simply

<?php phpinfo();

Automatic Backups

Create a new file called /root/backup.sh and add the following to it. Make sure to replace the mysql password with yours.

#!/bin/bash

#make sure the backup directories exist before writing into them
mkdir -p /var/www/backups/www /var/www/backups/mysql

#deletes old backups (anything older than 24 hours)
find /var/www/backups/www -mindepth 1 -mmin +$((60*24)) -delete
find /var/www/backups/mysql -mindepth 1 -mmin +$((60*24)) -delete

#backs up webs, one tarball per site directory
cd /var/www/webs
for i in *
do
tar -czf "/var/www/backups/www/webs-$( date +'%Y-%m-%d' )-$i.tar.gz" "/var/www/webs/$i"
done

#backs up databases, skipping the header line and MySQL's own schemas
for i in `mysql -uroot -p[MySQL Root Password] -e "SHOW DATABASES;" | grep -v Database`; do
if [[ ( "$i" != "mysql" && "$i" != "phpmyadmin" && "$i" != "performance_schema" && "$i" != "information_schema" ) ]]
then
mysqldump -c -uroot -p[MySQL Root Password] ${i} | gzip > /var/www/backups/mysql/mysql.$( date +'%Y-%m-%d' ).${i}.sql.gz
fi
done

#fix permissions just in case they changed for some reason
chmod 644 /var/www/webs -R
find /var/www/webs/ -type d -exec chmod 750 {} +
find /var/www/webs/ -type f -exec chmod 640 {} +
chown www-data:www-data /var/www/webs -R

Now edit the crontab with nano /etc/crontab and add this line. This will automatically run that script every day at 8pm.

0 20 * * * root /root/backup.sh > /dev/null 2>&1

Make sure to give the script permission to execute.

chmod +x /root/backup.sh
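The script above passes the MySQL root password on the command line, where any local user can read it with ps while the dump runs. As an added example (not the script from the post), here is the database half of that backup with the password moved into a 0600 option file read via --defaults-extra-file, and the database filter written as a function that handles names with unusual characters. Paths follow the post; the option file name is an assumption.

```shell
#!/bin/bash
# Added example, not the original backup script. Assumes /root/.backup.cnf
# (mode 0600) contains:  [client]\nuser=root\npassword=<MySQL Root Password>
set -eu
(set -o pipefail) 2>/dev/null && set -o pipefail

MYSQL_OPTS=/root/.backup.cnf          # assumed option file, see above
BACKUP_ROOT=/var/www/backups
DATE=$(date +%Y-%m-%d)

# Read a SHOW DATABASES listing on stdin and print only user databases;
# the header line and MySQL/MariaDB's own schemas are dropped.
filter_user_dbs() {
    while IFS= read -r db; do
        case "$db" in
            Database|mysql|phpmyadmin|performance_schema|information_schema|sys) ;;
            *) printf '%s\n' "$db" ;;
        esac
    done
}

# Dump file name for database $1 on day $2, same naming as the post.
dump_path() {
    printf '%s/mysql/mysql.%s.%s.sql.gz\n' "$BACKUP_ROOT" "$2" "$1"
}

# --defaults-extra-file must be the first option; -N drops the header row.
backup_databases() {
    mysql --defaults-extra-file="$MYSQL_OPTS" -N -e "SHOW DATABASES" \
      | filter_user_dbs \
      | while IFS= read -r db; do
            mysqldump --defaults-extra-file="$MYSQL_OPTS" -c "$db" \
              | gzip > "$(dump_path "$db" "$DATE")"
        done
}

# Only touch the database when invoked as: /root/backup-db.sh run
if [ "${1:-}" = "run" ]; then
    mkdir -p "$BACKUP_ROOT/www" "$BACKUP_ROOT/mysql"
    backup_databases
fi
```

The web directory tarballs and the permission fix from the original script can stay as they are; only the two mysql invocations needed the change.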

Offsite Backups

The system I have used for this is no longer available. Will update when I decide on a new system.

Migrating Sites In

Move over the files for all the sites you want to host into individual directories in the /var/www/webs directory.

Now navigate to your virtualhosts directory.

cd /etc/apache2/sites-available

We created a default virtualhost file for the server and named it [fqdn].conf. This was the fqdn of the server, but not the sites it will host. Now we want to create our first hosted site. Copy the default file we made to create a new virtualhost like so…

cp [server fqdn].conf [site fqdn].conf

You can use any naming convention you like, but managing dozens or hundreds of these will become impossible if you are not naming them clearly.

Next, we need to add some new things to this hosted site fqdn. Add a new line inside the virtualhost tag like this;

ServerName [site fqdn]

And change the line which has DocumentRoot to point to the directory for this hosted site. For example;

DocumentRoot /var/www/webs/[site fqdn]

Lastly add these two blocks at the end of the file.

<DirectoryMatch "^/.*/\.git/">
Require all denied
</DirectoryMatch>

<Directory /var/www/webs/[site fqdn]>
Options FollowSymLinks
AllowOverride All
Require all granted
</Directory>

The first block will prevent anyone from navigating into a git repository and accessing sensitive data like credentials or from cloning the repository.

The second block will allow htaccess files or directory rewrites, and prevent directory listing. These are required changes if you want to host WordPress sites, and best practices all around.

Now we just need to enable these changes and make the site live with;

a2ensite [site fqdn] && service apache2 restart

From this point on, this new virtualhost can be copied to create new sites, rather than recreating each one from the original virtualhost file.
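Copying and hand-editing virtualhost files works, but after a few dozen sites the copies drift. As an added example, not part of the original post, this generates the per-site virtualhost described above (ServerName, DocumentRoot under /var/www/webs, the .git block and the per-site Directory block) from the site fqdn, after validating that the fqdn is a plain hostname, since it is written into the config and used as a directory name. The admin address is a placeholder; each new site still needs its own certificate, so run Certbot for it afterwards as for the server fqdn.

```shell
#!/bin/sh
# Added example, not from the original post. Generates the hosted-site
# virtualhost from the steps above; ADMIN_EMAIL is a placeholder.
ADMIN_EMAIL="${ADMIN_EMAIL:-admin@example.com}"

# Accept only lowercase hostnames with at least one dot; anything else
# (path separators, semicolons, spaces) is refused before it reaches Apache.
valid_fqdn() {
    printf '%s' "$1" | grep -Eq '^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$'
}

# Print the virtualhost for site $1 to stdout.
site_vhost() {
    site=$1
    valid_fqdn "$site" || { echo "invalid fqdn: $site" >&2; return 1; }
    cat <<EOF
<VirtualHost *:80>
    ServerName $site
    ServerAdmin $ADMIN_EMAIL
    DocumentRoot /var/www/webs/$site
    ErrorLog \${APACHE_LOG_DIR}/$site-error.log
    CustomLog \${APACHE_LOG_DIR}/$site-access.log combined

    # Block web access to any .git directory under the webroot.
    <DirectoryMatch "^/.*/\.git/">
        Require all denied
    </DirectoryMatch>

    # Allow .htaccess rewrites; no Indexes, so no directory listing.
    <Directory /var/www/webs/$site>
        Options FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>
EOF
}

# Usage: install_site blog.example.org   (writes, enables, restarts Apache)
install_site() {
    site_vhost "$1" > "/etc/apache2/sites-available/$1.conf" \
      && a2ensite "$1" && service apache2 restart
}
```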

The Levels Finish Line In Sight

As the finish line approaches, I have noticed issues with several of the older projects in the list. Maintaining them seems pointless unless I plan on actually using them, so I am removing some of the projects from production while I focus on completing the last items on the list. These also met with limited interest in test marketing.

Startup 9: What are you wearing today?
Startup 8: Stardate.Today
Startup 7: Top Story Review
Startup 6: Exotic Weapons
Startup 5: Condensr
Startup 4: CronPUT
Startup 3: Draupnr
Startup 2: RSI Alert
Startup 1: Securities Science

All of these are still available on Github if anyone wants to check out the code or clone and reactivate them. The RSI Alert project in particular has found a following and I’m sorry to disappoint the few dedicated users who are interested in this project. Feel free to fork the repo and take it over if you’d like! :]

Three projects left!