Misinterpreting Massad Ayoob

Full disclosure: I am an active member of the United States Concealed Carry Association.


A basic principle of American justice holds that a bad man has the same rights as a good man.
— Massad Ayoob

And USCCA’s tweet caption is: “RT if you believe in the rights of the ‘good man’”.

The full quote isn’t nearly as… inspiring as the USCCA and many others have interpreted it. Here’s the paragraph the quote is pulled from (Ayoob, Massad F. “The Dangerous Myth of Citizen’s Arrest.” In the Gravest Extreme: the Role of the Firearm in Personal Protection, Police Bookshelf, 1980, pp. 28–29):

It is a widespread and dangerous misconception that all criminals are fair game for the bullets of the good guys. A basic principle of American justice holds that a bad man has the same rights as a good man. When the pursuer lets his own sense of justice determine whether the chased is a man with the same rights as his, or a target of opportunity, the stage has been set for tragedy.

So what exactly is Ayoob saying here? To find out, we actually need to back up to just before a large parenthetical that precedes the above paragraph. For continuity, I’ll reproduce the above paragraph in line, but I won’t reproduce the parenthetical, which discusses events from The French Connection:

A man with a gun, lawfully pursuing a fugitive, feels an impulse to shoot that must be resisted despite the excitement of the moment. Civilians, who generally don’t carry guns eight hours a day or receive several hours of justifiable force instruction, tend to be awfully bloodthirsty. The situation is understandable. The private citizen assisting a policeman does, in good faith, what he thinks a policeman is supposed to do. His only learning models are the policemen he sees on the screen, who shoot running suspects with impunity. (omitting parenthetical)

It is a widespread and dangerous misconception that all criminals are fair game for the bullets of the good guys. A basic principle of American justice holds that a bad man has the same rights as a good man. When the pursuer lets his own sense of justice determine whether the chased is a man with the same rights as his, or a target of opportunity, the stage has been set for tragedy.

Clearly Ayoob’s words are being taken completely out of context. The above paragraphs are reproduced from Chapter 3, called “The Dangerous Myth of Citizen’s Arrest”. The quote isn’t intended to be inspirational in any way, but rather to serve as a warning.

The full context is in regard to an armed citizen assisting law enforcement in apprehending a fugitive, and the extent to which that citizen can use lethal force.

Speaking in practical rather than legal terms, you are on thin ice any time you pull the trigger on the basis of anyone else’s judgment. Even if that command comes from a sworn officer, even if his judgment was correct, it is always possible that you could misinterpret his orders.

While the quoted statement above is correct with regard to American jurisprudence, it is clearly not intended to be taken in any kind of inspirational fashion. Yet it seems too many do, because they’ve only seen the quote, not the context.

Now, to hammer home the point that the quote is part of a larger warning about the use of deadly force, I’ll leave you with this from the same chapter:

He who chooses to play the role of Citizen Cop does so at his own peril. A man requested by a police officer to assist the latter must do so, on pain of being a convicted obstructor of justice. But he owes it to himself to watch out for his own interests before those of the law or the community. Confronted with a fleeing felon, it is in the citizen arrester’s best interests to hold his fire. The question of whether he is responsible for the escaped suspect’s future crimes is less imminent and painful than the probability that he will be crucified for using more force than he should have. He must consider every repercussion that his every response could create, in light of laws and public opinion that will damn him from the moment he steps out of bounds.

In short, the citizen arrester must cope with an intensified form of the socio-legal threat that every full-fledged police officer faces every hour of his working day.

Note: if you wish to read the referenced book, you can reserve it through The Internet Archive.


Did Woodrow Wilson regret signing the Federal Reserve Act?

Recently I was in a very heated exchange over the Federal Reserve. My opponent did nothing but peddle various conspiracy theories I’d already heard, which culminated in him calling me a shill since he didn’t really have anything else to say.

One point he made, though, was with regard to Woodrow Wilson regretting signing the Federal Reserve Act. And it is that point I will address herein.

Here’s the quote in question:

I am a most unhappy man. I have unwittingly ruined my country. A great industrial nation is controlled by its system of credit. Our system of credit is concentrated. The growth of the nation, therefore, and all our activities are in the hands of a few men. We have come to be one of the worst ruled, one of the most completely controlled and dominated Governments in the civilized world no longer a Government by free opinion, no longer a Government by conviction and the vote of the majority, but a Government by the opinion and duress of a small group of dominant men.

Now since this was brought up in the course of the referenced conversation, I decided to try to track this down. To see if there was actually any evidence Wilson regretted signing the Federal Reserve Act. I couldn’t find any.

Like the oft-repeated quote attributed to Mayer Amschel Rothschild (“Give me control of a nation’s money supply, and I care not who makes its laws.”) or Nathan Rothschild (“I care not what puppet is placed upon the throne of England to rule the Empire on which the sun never sets. The man who controls Britain’s money supply controls the British Empire, and I control the British money supply.”), which neither actually said, I was very skeptical that Wilson actually said or wrote what is quoted above. Attempting to Google the quote brought up numerous conspiracy websites peddling the same thing about the Federal Reserve.

Given how popular the quote was, I knew that Wikipedia had to have something on it. And the Talk page for the Wikipedia article on the Federal Reserve Act detailed that the above quote is a quote mine. But didn’t exactly go into much detail beyond that. But it was a lead, and it was enough for the keyboard brawl I was having at the time.

Looking into it further, I was able to discover it to be an extensive quote mine. It is manufactured from two sections of The New Freedom: A Call for the Emancipation of the Generous Energies of a People, which Wilson wrote and published in 1913 based on his campaign platform, also called “The New Freedom”. That is long before the Federal Reserve Act even made it to Wilson’s desk. The book is available via Project Gutenberg, so feel free to check my work below if you wish.

Let’s start with this:

I am a most unhappy man. I have unwittingly ruined my country.

These introductory sentences may have been uttered at one point by Wilson, but not with regard to the Federal Reserve. A plausible context being the fact he dragged the United States into the First World War. It is nowhere in Wilson’s book. The word “unhappy” only appears once, and not to say “unhappy man”, and “ruined my country” never appears in the book.

The rest of the quote is mined and assembled from two paragraphs. The first half can be found (quote mined section in blue) in chapter 8 called “Monopoly, or Opportunity”:

However it has come about, it is more important still that the control of credit also has become dangerously centralized. It is the mere truth to say that the financial resources of the country are not at the command of those who do not submit to the direction and domination of small groups of capitalists who wish to keep the economic development of the country under their own eye and guidance. The great monopoly in this country is the monopoly of big credits. So long as that exists, our old variety and freedom and individual energy of development are out of the question. A great industrial nation is controlled by its system of credit. Our system of credit is privately concentrated. The growth of the nation, therefore, and all our activities are in the hands of a few men who, even if their action be honest and intended for the public interest, are necessarily concentrated upon the great undertakings in which their own money is involved and who necessarily, by very reason of their own limitations, chill and check and destroy genuine economic freedom. This is the greatest question of all, and to this statesmen must address themselves with an earnest determination to serve the long future and the true liberties of men.

And the latter half is found in chapter 9, called “Benevolence, or Justice?” (quote mined section in blue):

We are at the parting of the ways. We have, not one or two or three, but many, established and formidable monopolies in the United States. We have, not one or two, but many, fields of endeavor into which it is difficult, if not impossible, for the independent man to enter. We have restricted credit, we have restricted opportunity, we have controlled development, and we have come to be one of the worst ruled, one of the most completely controlled and dominated, governments in the civilized world—no longer a government by free opinion, no longer a government by conviction and the vote of the majority, but a government by the opinion and the duress of small groups of dominant men.

So it is clear that the oft-repeated quote from Woodrow Wilson was never actually said or written by Wilson as it is quoted. The quote is mined from two completely separate paragraphs of Wilson’s book. From two separate chapters of Wilson’s book.

And as the quote came from a book published before the Federal Reserve Act was even voted on by Congress, let alone signed by Wilson into law, Wilson could not have been speaking about the Federal Reserve Act.

This does not mean Woodrow Wilson never regretted signing it into law. He very well may have. But the oft-repeated quote cannot be used as evidence to that effect. One would need to find a specific quote showing Wilson explicitly expressing such regret.

And, thus far, to the best I was able to find, no one has shown such a quote.

* * * * *

There is an alternate version of this quote that hasn’t received a lot of exposure, but is just as fake as the oft-repeated quote I’ve debunked herein. The two parts of the quote are in red (Chapter 8 portion) and blue (Chapter 9 portion). Like the oft-repeated fake quote, this one has a preamble that cannot be sourced anywhere.

Yes. The Federal Reserve Act, which I signed, allowed our system of credit to become too concentrated. The growth of the nation and all our activities are in the hands of a few men who, even if their action be honest and intended for the public interest, are necessarily concentrated upon the great undertakings in which their own money is involved. We have restricted credit, we have restricted opportunity, we have controlled development, and we have come to be one of the worst ruled, controlled and dominated governments in the civilized world—a government run by the opinion of small groups of dominant men.

* * * * *

Here’s an idea: if you’re going to link to this article, READ IT first so you don’t end up sharing something that says the opposite of what you claim. It’s as if people are assuming the answer to the headline question is “Yes” without actually reading this. The number of people sharing this article as a source for the quote in question, apparently not aware I’m debunking the quote, is just baffling…

https://twitter.com/morgendz7/status/1551119462438420480
And, no, the Federal Reserve is NOT privately owned. (Details in the comments below.)
https://twitter.com/Sleuth_4_Truth/status/1319127656970047488


Massively misunderstanding the Constitution

Article: “America’s Constitution is terrible. Let’s throw it out and start over.”

Setting aside the American self-flagellation that appears to be going on lately, this is not the first article I have encountered calling the Constitution “terrible” and saying we need to scrap it. And generally what I have discovered about those who call for such is a massive amount of misunderstanding about the Constitution and how it is supposed to work.

Along with holding the perspective the United States is merely a country of provinces like Canada. When in actuality the United States is a federated republic of independent, sovereign States. Not provinces. States. With each State being a republic of its own, with its own sovereignty, with some of that sovereignty ceded to the Federal government by way of the Constitution.

Note the word republic as well. Not democracy. Republic. There’s a major difference, yet many keep using the word “democracy” when referring to the United States.

Last year, Ryan Cooper wrote an article for The Week called “The case against the American Constitution” in which he said the Constitution is “falling apart before our very eyes.” I have not specifically read that article — I glanced at it enough to pull that specific phrase — and I will write a specific rebuttal to it later. But I will speculate that there will be very little within that article I have not already seen.

The subject of this rebuttal is Cooper’s set of ideas for replacing the Constitution. Ryan Cooper is not the first I have encountered calling for replacing the Constitution. Earlier I wrote a rebuttal to Dr. Sanford Levinson and his article called “Our Imbecilic Constitution”. So ahead of examining Cooper’s points, I am unsure if Ryan Cooper will be presenting anything original.

Especially since Cooper starts out on fallacious footing:

The major problem with America’s Constitution is that it creates a system in which elections generally do not produce functioning governments, and there is no mechanism to break the deadlock (like calling snap elections). Most of the time, control of the House, Senate, and presidency is split between the two parties in some way. Bipartisan compromises to keep government functioning used to be common, but are near-impossible anymore due to extreme party polarization. So as Michael Kinnucan points out, during divided government “there is de facto no legislative body.”

This is not an issue with the Constitution. The Constitution merely sets the framework for a government. It doesn’t specifically prescribe or proscribe how those within the government are to act. Nor does it prescribe or proscribe who is to comprise that government, with some restrictions on age and residency.

That our political system has devolved itself into two major political factions with several smaller factions continually vying for breadcrumbs — though they had a much better showing in 2016 than years prior — is a problem with the People.

To fix the problem, America should aim to make itself more like a proportional parliamentary democracy, by far the most successful and road-tested form of government.

And this completely ignores the underlying problem. The problem the United States faces is not with the Constitution. It is the Federal government. A proper consideration is shrinking the Federal government and returning much of its ill-gotten power to the States from which it stole that power.

After all, the Tenth Amendment prescribes that all powers not explicitly enumerated to the Federal government belong to the States.

This does not mean there are not ways even the foundational system can be improved. Indeed I have entertained some such ideas in the past. For example, I advocate reforming the Electoral College such that the Nebraska/Maine model is universal.

In light of that, let us now entertain Ryan Cooper’s ideas.

1. Get rid of the Senate filibuster.

Okay, this ought to be good.

This would at least allow a party that got the presidency plus both houses of Congress to govern, and could be passed by a simple majority vote in the Senate. However, that sort of unified control only happens every six to 10 years or so, so this reform would only be periodically useful.

His idea doesn’t follow from the premise. The filibuster has nothing to do with whether the party that got the Washington Trifecta would be able to govern. Indeed, look to everything the Democrats had to do in order to pass the Affordable Care Act, the various compromises they had to make to placate other Democrats while holding a “filibuster-proof majority”.

Beyond that, getting rid of the filibuster doesn’t require scrapping the Constitution. Only changing the Senate rules.

2. Radically change the way House members are elected.

One major engine of political extremism in America is the partisan drawing of district boundaries. The United States has the most entrenched two-party system in the world, partly a result of “first past the post” voting, and partly because the parties have locked themselves into place behind enormous legal barricades to third parties.

Actually the latter has more to do with it than the former. The “first past the post” voting rules have little to do with this. Ballot-access laws enact significant barriers to third parties, such as the Libertarian Party, from actually gaining any significant electoral ground. Though third parties did have a very significant showing in the 2016 election.

At the same time, we’ve seen both the Republicans and Democrats enact rules to prevent insurgencies and ensure that favored candidates are the ones winning primaries.

Worse, the ironclad two-party system has proved to be highly vulnerable to an extreme right-wing fringe that protects itself with gerrymandering and other cheating tactics.

Do not pretend the Republicans are the only ones who gerrymander. And gerrymandering is not what protects “an extreme right-wing fringe”, setting aside for a moment that term not being explicitly defined.

Where in any other country the 15-20 percent of the national population that makes up Republican primary voters would have their own small party, instead they now own one out of two parties.

Do I really need to go into how Democrat primaries work? At least the Republicans do not have the concept of “super-delegates”, which, along with all other corruption that has come to light, worked very well to ensure Bernie Sanders had little more than a prayer in the 2016 Democratic primaries.

As the folks at Fair Vote demonstrate, one clever way to solve this problem would be to change the way House members are elected. Instead of drawing one district for every representative, make each district have three seats, allocated by a ranked-vote system.

Such a system could only effectively work in the larger States. But let’s entertain the idea for a moment by pointing out something most likely don’t realize about the Constitution: there is no requirement for districts. No, seriously. Look if you don’t believe me. See Article I, Section 2 of the Constitution of the United States.

A State is granted a certain number of representatives based on population. That is the only advance requirement, other than age and residency of those actually chosen to serve.

The States were free to decide how their Representatives are chosen. For example in the First Congress, all Representatives from Connecticut, New Hampshire, New Jersey, and Pennsylvania were chosen “at-large”. And many States retained at-large representation into the early 20th century.

Obviously in States with only one Representative — Wyoming and Montana come to mind — this is a moot point. But larger States like Texas, California, and New York could adopt a different model that doesn’t rely heavily on district lines.

In other words, this is something that doesn’t require scrapping the Constitution, or even amending it. This is an idea any State could start considering as soon as next year. Provided Congress lets them.

The requirement of one district per Representative is given by statute, specifically 2 USC § 2c. So if a State wanted to try something different, they would need to convince Congress to remove that statute, or challenge it in Court.

And while we’re at it, let’s change House elections from every two years to every four years. American lawmakers need time to actually govern, and should not be perpetually seeking re-election.

I doubt the four-year intervals would change that. But if we were to change to a four-year interval, it would probably work best to have everyone staggered like with the Senate, with about a quarter of the House up for election every year. Obviously such would require amending the Constitution.

3. Neuter the Senate.

And now we enter dangerous territory. The Senate was introduced with the Connecticut Compromise as a means of neutering the power of the largest States, thus preventing those large States from exacting control over the smallest States. The Senate, in short, ensures that all States have some kind of say on a matter, even if they’re not in the final majority vote.

As such, enacting this idea:

However, it might be possible to pass an amendment making the Senate a House of Lords-style institution without real power. Senators could still be elected, but not be able to pass a binding vote on legislation.

would be very, very dangerous.

Read the history of the Connecticut Compromise and you will understand why it was so important to the Constitution’s framework.

4. Elect the president from the House.

This was initially proposed in the Virginia Plan, the House and Senate jointly selecting the President.

The point of “separation of powers” was to create a check on tyranny, but it has ironically worked to increase tyranny and undermine democracy.

This is again blaming the framework when the blame lies on the actors who maneuvered things in that direction. When a history professor writes in an article on Presidential term limits, “Democratic lawmakers would worry about provoking the wrath of a president who could be reelected”, clearly something went haywire somewhere down the line.

What we need are the proper people in office who can correct that course.

The separate executive branch is a major factor behind the rise of the lawless imperial presidency in the United States, and most other American-style constitutions fell apart due to standoffs between the president and legislature.

The separate Executive Branch was initially created to have a functioning Federal government during the months Congress was not in session. In the first Congresses, sessions only lasted a few months at most. Much like what we see in most States today.

And we don’t have anywhere near a “lawless imperial presidency” in the United States.

In normal countries, the executive is simply part of the legislature.

And here’s more of that self-flagellation I referred to earlier. I don’t think I need to go any further. Especially since his last point is, literally:

5. Throw the entire Constitution in the garbage.

And where does he start off? Attacking the amendment process. No need to respond to that, as I’ve already done so.

Proxmox VE vs VMware vSphere

If you’re seeking to get involved in anything computer-related with the intent of making it a career, two concepts with which you really need to be familiar are virtualization and containerization. The latter is relatively new, but virtualization has been around for quite a while.

VMware made virtualization more accessible, releasing their first virtualization platform almost 20 years ago. Almost hard to believe it’s been that long. I started fooling around with a very early version of VMware back when I was still in community college.

And it’s why they are basically the name for virtualization. But they are not the only name.

In my home setup, I have a virtualization server that is an old HP Z600 I picked up a couple years ago. A dual-Xeon E5520 (4 cores/8 threads per processor) that I loaded out with about 40GB RAM (it came with 8GB when I ordered it), a Mellanox 10GbE SFP+ NIC, and a 500GB SSD. The intent from the outset was virtualization. I wanted a system I could dedicate to virtual machines.

Initially I put VMware ESXi on it. Simply because it was a name I readily recognized and knew. I used the free version, which you can readily download online after registering a VMware online account. First, let’s go over the VMs I had installed:

  • Docker machine: Fedora 27, 4 cores, 8GB RAM
  • Plex media server: Fedora 27, 2 cores, 4GB RAM
  • Backup proxy: Fedora 27, 2 cores, 2GB RAM
  • Parity node: Ubuntu Server 16.04.3 LTS, 4 cores, 8GB RAM

All Fedora 27 installations use the “Minimal Install” option from the network installer with “Guest Agents” and “Standard” add-ons.

My wife and I noticed that Plex had a propensity to pause periodically when playing a movie, and even when playing music. I didn’t think Plex was the concern, but rather the virtual machine subsystem. Everything is streamed in original quality, so the CPU was barely being touched.

And my NAS certainly wasn’t the issue either. Playing movies or music directly from the NAS didn’t have any issues. So if Plex’s CPU usage was nowhere near anything concerning, this points to virtualization as the issue. The underlying VMware hypervisor.

This prompted me to look for another solution. Plus VMware 6.5’s installation told me the Z600’s hardware was deprecated.

Enter Proxmox VE.

I’ve been using it for a few weeks now, and I’ve already noticed the virtual machines appear to be performing significantly better than on VMware. All of them. Not just Plex – the intermittent pausing is gone. Here’s the current loadout (about the same as before):

  • Docker machine: Fedora 27, 4 cores, 4GB RAM
  • Plex media server: Fedora 27, 2 cores, 4GB RAM
  • Backup proxy: Fedora 27, 2 cores, 2GB RAM
  • Parity node: Ubuntu 16.04.3 LTS, 4 cores, 16GB RAM

A note about Parity: it is very memory hungry, hence why I gave it 16GB this round instead of just 8GB (initially I gave it 4GB). Not sure if it’s due to memory leaks or what, but it seems to always max out the RAM regardless of how much I give it.

Plex at least I know uses the RAM to buffer video and audio. What is Parity doing with it?

Proxmox VE out of the box has no limitation on cores either. They don’t limit system use to get you to buy a subscription. So it will use all 16 cores on the Z600. Though according to the specification sheet, it’ll support up to 160 CPU cores and 2TB of RAM per node. And it’s free to use.

It will, however, nag you when logging into the web interface if you don’t buy a support subscription. And you’ll see error messages in the log saying the “apt-get update” command failed — since you need a subscription to access the Proxmox update repository. But you can disable the Proxmox repository to keep those error messages from showing up, and there are tutorials online about removing the nagging message for not having a subscription.

The lowest cost for that subscription, as of this writing, is 69.90 EUR per physical CPU, not CPU core. So in a dual-Xeon or dual-Opteron, it’d be shy of 140 EUR (~170 USD) per year. Quad-Xeon or Quad-Opteron servers would be shy of 280 EUR (~340 USD). Which isn’t… horrible, I suppose.

The base system is built around Debian Linux and integrates KVM for virtualization. Which basically makes Proxmox a custom Debian Linux distribution with a nice front-end for managing virtual machines. Kind of how Volumio for the Raspberry Pi is a custom Raspbian Jessie distribution.

It also supports LXC for container support. Note that LXC containers are quite different from Docker containers, though there have been several requests to integrate Docker support into Proxmox VE. Which would be great if they did, since that would eliminate one of my virtual machines altogether. But I doubt they’ll be able to cleanly support Docker given what would be involved — not just containers, but volumes, networks, images, etc.

The only hiccup I’ve had with it came while installing Proxmox. First, I had to burn a disc to actually install it. Attempting to write the ISO to a USB drive didn’t work out. Perhaps I needed to use DD mode with Rufus, but following their instructions didn’t work.

It also did not support the 10GbE card during installation, so I had to re-enable the Z600’s onboard Gigabit port to complete the installation with networking support properly enabled. Once installed, it detected the 10GbE card, and I was able to add it into the bridge device and disconnect the Gigabit from the switch.

This machine will also soon be phased out. I don’t have enough room on this box to set up other virtual machines that I’d like to run. For example, I’d like to play around with clustering — Apache Mesos, Docker Swarm, perhaps MPI. So this will be migrated to a system with dual Opteron 6278 processors on an Asus KGPE-D16 dual-G34 mainboard, which supports up to 256GB RAM (128GB if using unregistered or non-ECC).

I’ll be keeping this system around for a while still, though, since it does still have some use. It’s just starting to really show its age.

OpenVPN on Docker

A self-hosted VPN is a simple and secure way to access your home or small business network. For small businesses, this is a great way to set up a VPN connection to allow your employees to work remotely. For the rest of us, it is also a great way to secure your Internet connection when using unsecured WiFi.

And for a self-hosted VPN solution, OpenVPN is one of the best solutions. One of the best known as well. It’s free and there are both desktop and mobile clients available.

Setting it up, however, isn’t nearly as straightforward. But that’s where Docker comes in. If you’ve never played around with it… why not? It allows for very clean deployments and easy cleanup and upgrades without affecting the host system and anything else installed on it. As you’ll see here with deploying an OpenVPN instance.

In my instance I’m using Docker on Fedora 27 inside a virtual machine running on Proxmox, hosted on an old HP Z600 dual-Xeon workstation (the Xeons are from 2009, not anything to write home about). While the instructions for setting up the container are pretty straightforward, I’ll walk through some of the finer details based on my experience setting it up.

Before setting things up

Hopefully in your research on self-hosting a VPN you’ve discovered that you need a domain name for accessing it. So go to one of the several dynamic DNS hostname services and create a hostname for your home network. Without that hostname, you’re only setting yourself up for problems down the line trying to consistently use your VPN. So if you’re settled on self-hosting a VPN service, do that now.

Personally I use No-IP, and I’ve used them for… about 12 years now. While they do give one hostname for free, if you sign up for them, do yourself a favor and pay the $25 yearly subscription price so you don’t have to keep renewing your hostname every month.

Most home routers have built in support for dynamic DNS hostname services so it automatically updates your hostname with the IP address, so read the instructions on your router to set it up. Not all routers support all services, so use your router support to determine which service to select.

Fedora 27 and Docker

One thing needs to be said about using Docker with Fedora, though this applies to all distros as well: do not use the Docker packages that come with Fedora. Instead follow the commands on Docker’s website to install the latest Docker Community Edition. Regardless of distribution, though, you’ll want to do this on one of Docker’s supported distributions.

The OpenVPN container does not play well with the Docker build distributed with Fedora 27. And that build is also several versions behind, and it’s always imperative to stay up to date.

With Docker installed, it’s time to pull the container and continue with the installation.

Note: If you will be running other Docker containers to which you want access over the VPN connection – e.g. a MySQL container for a GnuCash database – make sure the Docker bridge (e.g. docker0) is in the same firewall zone as the network adapter, otherwise the firewall will cut you off from being able to access them.

Installing OpenVPN on Docker

Installing OpenVPN is as simple as pulling the OpenVPN container and setting things up. If you’re familiar with Docker, you’ll notice right away that the instructions in the container’s documentation don’t follow the usual pattern. I copied these instructions mostly verbatim from the container’s documentation and filled in a few details from my own experience.

# Pull the image
sudo docker pull kylemanna/openvpn
 
# Create the volume and set up the keys
OVPN_DATA="ovpn-data-home" # Call this whatever you want
sudo docker volume create $OVPN_DATA
 
# Create initial configuration
sudo docker run \
-v $OVPN_DATA:/etc/openvpn \
--rm kylemanna/openvpn ovpn_genconfig \
-u udp://[VPN.SERVERNAME.COM]

where, in the last command, VPN.SERVERNAME.COM is the DNS name for your home network. This would be the dynamic DNS name you created earlier.

Updating the configuration

The default configuration for the OpenVPN Docker image uses the Google DNS servers. This may not be desirable depending on what is available on your network that you want accessible – such as mapped drives from a NAS or other services.

So the configuration will need to be updated to push different DNS servers to clients. You need access to the configuration file in the volume, which lives under /var/lib/docker and so needs root to read. (Note: highlight, copy and paste the code below if all the underscores aren’t showing in your browser.)

cd /var/lib/docker/volumes/$OVPN_DATA/_data

The file to edit is “openvpn.conf”, and the lines you’re looking for are:

push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

You’ll want to modify the DNS server IPs to whatever is used on your home network. You can tweak any other options as you feel necessary – that is well beyond the scope of this article. Just DO NOT touch the “proto” and “port” options.
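As an added example, not part of the original post or of the kylemanna/openvpn image’s own scripts, here is a small POSIX shell helper that makes this edit repeatable: it strips the existing DNS push lines, appends the resolvers you give it, and refuses to write the file if the proto or port lines would change. The openvpn.conf path and resolver addresses are placeholders you supply.

```shell
#!/bin/sh
# Added example (not from the original post or the kylemanna/openvpn image):
# replace the DNS servers pushed to clients in openvpn.conf while guarding
# the "proto" and "port" lines that must not be touched.
# Assumes the file uses the push "dhcp-option DNS a.b.c.d" lines shown above.

# Print the lines the container scripts depend on; used to verify an edit
# leaves them exactly as they were. Never fails, even if none are present.
critical_lines() {
    grep -E '^(proto|port) ' "$1" || true
}

# Replace every pushed DNS server with the addresses given as arguments.
# Usage: set_dns_push /path/to/openvpn.conf 192.168.1.1 192.168.1.2
set_dns_push() {
    conf=$1; shift
    before=$(critical_lines "$conf")
    tmp="$conf.tmp.$$"
    # Drop the old DNS push lines, keeping every other line in order.
    grep -v '^push "dhcp-option DNS ' "$conf" > "$tmp" || true
    # Append one push line per requested resolver, rejecting anything that
    # does not look like a dotted IPv4 address.
    for ip in "$@"; do
        case $ip in
            *[!0-9.]*|"")
                echo "set_dns_push: bad address '$ip'" >&2
                rm -f "$tmp"; return 1 ;;
        esac
        printf 'push "dhcp-option DNS %s"\n' "$ip" >> "$tmp"
    done
    after=$(critical_lines "$tmp")
    if [ "$before" != "$after" ]; then
        echo "set_dns_push: proto/port lines changed, refusing to write" >&2
        rm -f "$tmp"; return 1
    fi
    mv "$tmp" "$conf"
}

# Print the DNS servers currently pushed to clients, one per line.
pushed_dns() {
    sed -n 's/^push "dhcp-option DNS \([^"]*\)"$/\1/p' "$1"
}
```

Run it as root against the path shown above, for example `set_dns_push /var/lib/docker/volumes/$OVPN_DATA/_data/openvpn.conf 192.168.1.1`, then call `pushed_dns` on the same file to confirm what clients will now receive. The new lines are appended at the end of the file rather than in place; OpenVPN does not care about the order of push directives.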

Setting up certificates and client profiles

With the volume created, now to create the server certificate:

sudo docker run --rm \
-v $OVPN_DATA:/etc/openvpn \
-it kylemanna/openvpn ovpn_initpki

You will be prompted to create a passphrase for this certificate. As always, pick a reasonably secure passphrase, since it protects the key used to sign every client profile for accessing your VPN. When asked for the “Common Name” for the certificates, use the hostname entered earlier when setting up the initial configuration.

After the certificate is generated, you will be prompted for that passphrase again later in the process to finish the initial configuration.

Creating the container

I prefer creating containers over just using “docker run”. So that’s the command I’ll be using to create a container for the VPN:

sudo docker create --name [name] \
-v $OVPN_DATA:/etc/openvpn \
-p 1194:1194/udp \
--cap-add=NET_ADMIN \
kylemanna/openvpn

sudo docker start [name]

where [name] is the name for the container – I used “openvpn”. If the container is ever updated, you can just stop and delete the previous container, then re-run the steps above to create a new one. Since it’s operating off a pre-created volume, all your settings and certificates are preserved.

Now to expose it on the firewall. If you’re running Docker on Ubuntu, this step isn’t necessary.

sudo firewall-cmd --zone=[zone] --permanent --add-port=1194/udp
sudo systemctl restart firewalld

where [zone] is the zone for your network adapter.

If restarting the firewall service kicks you off SSH, you’ll need to recreate the OVPN_DATA variable upon next login.

Exposing it in public

In general, when exposing services where they are accessible outside your network, you want to avoid using default port numbers. Either configure the service to use a different port number, or use the port forwarding on the router to provide a different port number.

By default OpenVPN will run on 1194/UDP. And the OpenVPN container will always use that port number. You’ll notice above that all the configuration left this default port in place. I didn’t publish a different port when creating the container.

So securing your exposed VPN service is relatively easy: pick a random port number, preferably north of 32768, and map it to 1194/UDP for the Docker host. The vast majority of hackers will look only for default port numbers.

If your router does not allow this option, then you will need to publish a different port on the Docker host. Instead of -p 1194:1194/udp, use -p [port]:1194/udp, where [port] is a random port number. This also means you’ll need to update the firewall configuration as well to expose the random port number.

Creating client profiles

First, run:

sudo docker run \
-v $OVPN_DATA:/etc/openvpn \
--rm \
-it kylemanna/openvpn easyrsa build-client-full CLIENTNAME nopass

where CLIENTNAME is the name of the profile you’re creating. For example, if I’m creating a profile for my personal cell phone, I’d call it “Kenneth_Phone”, or even “Kenneth_GalaxyS7” since that is the model I have. That way when I upgrade phones, I can create a new profile for the new phone and revoke the profile for my current phone.

With the profile created, now retrieve it. This command writes it to the current directory, from which you can copy it to the client device.

sudo docker run \
-v $OVPN_DATA:/etc/openvpn \
--rm kylemanna/openvpn ovpn_getclient CLIENTNAME > CLIENTNAME.ovpn

Before using the profile on the client device, you will need to edit the file. Look for this line:

remote [host] 1194 udp

If you’re exposing a different port externally for your VPN service, you will need to update the 1194 port number to the port number you’re using.
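Added example, not from the original post or the container’s scripts: a POSIX shell helper that picks a port in the range recommended earlier and rewrites the profile’s remote line to the external host and port. It checks that the profile has exactly one remote line, leaves the remote-cert-tls directive and the protocol token alone, and refuses ports outside 32768–65535. vpn.example.com and the port values are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post or the kylemanna/openvpn image):
# choose a high external port and point a generated client profile at it.
# Assumes the profile contains the single "remote <host> 1194 udp" line
# described above; host names and ports here are placeholders.

# Random port in 32768..65535, read from /dev/urandom so it works in plain sh.
pick_high_port() {
    n=$(od -An -N2 -tu2 /dev/urandom | tr -d ' ')
    echo $((32768 + n % 32768))
}

# Exit 0 only for an integer in the high, non-default range.
is_high_port() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 32768 ] && [ "$1" -le 65535 ]
}

# Rewrite the remote line of a .ovpn profile to HOST PORT, keeping the
# protocol token (udp) the server was generated with.
# Usage: set_remote profile.ovpn vpn.example.com 40123
set_remote() {
    profile=$1; host=$2; port=$3
    is_high_port "$port" || {
        echo "set_remote: port $port not in 32768..65535" >&2; return 1; }
    # "remote-cert-tls server" starts with "remote-", so it is not counted.
    count=$(grep -c '^remote ' "$profile" || true)
    [ "$count" -eq 1 ] || {
        echo "set_remote: expected one remote line, found $count" >&2; return 1; }
    tmp="$profile.tmp.$$"
    sed 's/^remote [^ ]* [0-9][0-9]* \([a-z][a-z]*\)$/remote '"$host $port"' \1/' \
        "$profile" > "$tmp"
    # Confirm the line really was rewritten before replacing the profile.
    grep -q "^remote $host $port " "$tmp" || {
        echo "set_remote: remote line did not match the expected format" >&2
        rm -f "$tmp"; return 1; }
    mv "$tmp" "$profile"
}

# Print "host port proto" from the profile's remote line.
remote_of() {
    sed -n 's/^remote //p' "$1"
}
```

Use the same port for the router forwarding rule (or the -p [port]:1194/udp mapping and firewall rule) and for every profile you hand out, for example `set_remote Kenneth_Phone.ovpn vpn.example.com "$(pick_high_port)"` once you have recorded the chosen number.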

Backing up your configuration

Now that you have your VPN set up, you likely won’t want to go through all that again, especially since it’d require generating new profiles – and certificates – for all your devices. So to avoid that, back up everything in the OpenVPN volume you created earlier. Keep in mind the archive contains your CA’s private key, so store it somewhere protected.

cd /var/lib/docker/volumes/$OVPN_DATA/_data
tar cvfz ~/openvpn.tar.gz *

Restoring it is straightforward. After recreating the volume, just extract the archive back into the same location.

Conclusions

And that’s about it. The profile you’ve created will work with any OpenVPN client, such as the Android OpenVPN client that I use on my cell phone. Just follow the steps above to create a profile for each device you want to connect through the VPN.

Also remember that security here is paramount. If you believe that any of the client profiles have been compromised, you will want to revoke the certificates for those profiles to prevent them from being used to access your VPN.

Simple way to keep compute GPUs cool

First, a little bit of an update on my setup. After noticing it available for a good price from B&H Photo Video, I bought a second Zotac GTX 1060 3GB. And I pulled the setup out of the 4U chassis (Athlon X4 with RX 580) and replaced it with one of my 990FX boards and the two GTX 1060s. Running Windows 10 as well to allow for overclocking.

Specifications:

  • CPU: AMD FX-8350
  • Mainboard: Gigabyte 990FXA-UD3
  • Memory: 8GB DDR3-1866
  • GPUs: Zotac GTX 1060 3GB (x2)
  • Power: Corsair AX860

Interestingly, the acquired GTX 1060 performs about 25% lower than the one I already had, despite being the same model running at about the same clocks. That is why I wanted to put these on Windows 10. Overclocking just the memory by +500 on both cards brought the combined hashrate to a little north of 41MH/s.

But it ran HOT. As in climbing easily over 80C. Couldn’t last 24 hours before shutting down. So something needed to be done. Inside the 4U chassis, there isn’t much intake airflow. And virtually no exhaust.

PlinkUSA IPC-G4380S

The solution drew inspiration from the Mountain Mods Gold Digger chassis lineup (Ascension and U2UFO), which features 20-slot expansion card mounting for graphics cards. But there’s something else: the cards are recessed behind 25mm (1 in) deep 120mm fan mounts. The fans draw heat away from the cards. While not necessary for blower cards, it’s essential for custom-cooled cards.

Mountain Mods U2UFO “Gold Digger” (Rear)

So I did the next best thing initially: loosely attached a 120mm Corsair SP120 to the rear of the chassis right behind the graphics cards. With it running at full speed. It has been a while since I had these in an actual system, so I forgot how loud they could be. The result?

So one card is holding fine at 72C, while the other is running at a nice, chilly 60C, with the hotter card being the one closer to the chassis sidewall.

But with the SP120 running loud, I decided against using that particular fan and attached a BitFenix Spectre Pro to the back instead, initially the 120mm fan, then a 140mm fan. But I couldn’t quite get the result I was aiming for, and the reason is the lower static pressure, even after removing the expansion slot covers for the slots immediately adjacent to the GPU coolers to allow for better airflow.

The chassis initially had a Cougar CF-V12HPB for airflow onto the cards. I switched that for a BitFenix Spectre Pro 140mm; that fan has 120mm mounting holes as well. I then mounted the Cougar fan on the rear behind the cards, since it has better static pressure while being able to push ~60 CFM.

So that gives decent airflow into the chassis and onto the GTX 1060s with a quieter 120mm fan behind the cards pulling the hot air away. Both cards run in the low to mid 70s while mining.

What would likely allow for better cooling, since it would allow for better airflow, is sealing the inset area of the chassis so the fan is all but guaranteed to be sucking air from just the cards. Likely with thick weatherstripping or something like that. So perhaps that’ll be a future revisit of this depending on what I can find.

I don’t think we have the whole story

Back in 2015 I wrote about Stephanie Hughes and how she was coded because she wasn’t wearing a crew neck shirt as her school dress code mandated. Instead she chose to wear a tank top with a sweater-like garment over top.

Recently a student named Remy was dress coded for… well:

Remy claims she was coded for not wearing a bra. And I’m not buying it. Not for a moment. Instead, I think based on the hysteria around school dress codes and the apparent disproportionate penalization of young women, she manufactured the idea she was coded for not wearing a bra when the likely reason she was coded is a bit more… obvious.

And what’s allowing her claim to propagate comes down to two simple things: the school won’t comment on such situations, and, again, the recent hysteria regarding dress codes, including attempts to label dress codes “fashion censorship”.

A Yahoo! article even pointed out that, while the dress code doesn’t specify anything regarding undergarments — likely because they presume it to be a given — it does say this (emphasis mine): “Tops must cover all parts of undergarments and shall not be low cut or revealing.”

Again, I think it’s obvious why Remy was coded for her choice of apparel. And that she manufactured the statement that she got coded for not wearing a bra to get around the fact that she was wearing something blatantly in violation of her school’s dress code and is hoping to shame the administration for the fact she got called on it. In other words, scream the equivalent of “pervert” at school administrators, likely only male school administrators as well, for having the audacity to call out young women who violate the dress code.

The dress code for Remy’s high school also points this out: “Students who repeatedly dress inappropriately for school may be suspended for defiance.” Just as I’ve said that repeated violation of a workplace dress code is grounds for termination.

As we leave 2017

One lesson all of us should learn ahead of this Christmas given everything that’s happened politically in 2017 and also 2016: RIGHTS limit how the government interacts with the People, PRINCIPLES limit how you interact with everyone else. That is why I’ve spent much of the last several years continually defending PRINCIPLES over rights.

Without the underlying principles of free speech and the presumption of innocence, for example, there is no foundation for the RIGHTS derived from those principles. Yet more and more I see those principles continually violated by people who claim to stand up for the rights derived from those principles.

Lay judgment against others only by the same measure you expect judgment to be laid on you. Treat others how you want to be treated. Respect must always be earned by how you treat others.

Do not be so quick to deduce motive or malice from someone’s actions. Presume someone is innocent when that person is accused of something, regardless of the accusation, regardless of the accuser, and regardless of who is being accused.

I’m certainly not perfect on these principles, but I at least try. Unlike a lot of others in the United States and the world.

At the same time, learn to be grateful for what you have, not envious of what others have. Do not seek to take what you have not earned. And above all, no one can legitimately do for you or someone else that which you cannot yourself morally or legally do.

Apple’s battery woes

Recently Apple confirmed that its iPhones slow down as the battery degrades. A lot of people have taken this to mean that Apple is trying to force people to upgrade – i.e. “planned obsolescence”. Because when is something like this never about corporate greed?

Here’s the long and the short of it.

Rechargeable batteries degrade over time. If you have a laptop, you can use a program like CPUID’s HWMonitor to see the original max charge level and the current max charge level on the battery, measured in mAh, or milliamp-hours. You will see those two numbers deviate more and more over time. It happens with laptop batteries. It happens with your cell phone batteries.

This isn’t some kind of ploy like “planned obsolescence” either. It’s just the nature of rechargeable batteries. They have a limited lifespan.

But given that I said you can use software to determine your laptop battery’s max charge level, that should tell you that your cell phone can also detect its battery’s max charge level. This can allow the underlying operating system to warn you the battery needs to be replaced – if you own something other than an iPhone, that is.

But there’s something else, and it plays right into why Apple’s phones slow down over time: it is adjusting how much power it consumes based on the max charge level of the phone.

That’s right, either the iOS operating system or the phone’s internal hardware controls are throttling your phone’s performance to preserve battery time. Otherwise you’d find yourself needing to charge your phone more often. But the in-built throttling also has the complementary effect of preserving your battery since, in the case of all iPhone models, you can’t easily change it.

So there. Now it’s bad that Apple didn’t disclose it – or if they did, it’s buried in something no one’s read. But there isn’t anything sinister behind that. But since few seem to understand the underlying technology and electronics…

Which would you rather have: a phone that artificially throttles itself in steadily-increasing, but minute amounts over time based on battery wear, or a battery that drains faster and faster as time goes on because it’s wearing down and the phone’s power draw is wearing it down faster and faster over time?

If you can’t replace the battery easily, it’s best to preserve it as best as possible.

Net neutrality

All the various discussions of incidents wherein ISPs have done “shady things” ignore WHY they made those moves and focus only on the simple fact that it happened. Instead the ready assumption is that ISPs did it to extort money from the content platforms, which has led to presumptions of things like “micro transactions” and all kinds of other fear mongering, merely “because they can” since ISPs in many regions hold a monopoly.

Except businesses typically try to avoid losing customers. A company having a monopoly in a region doesn’t mean they can just do what they want. Not when they still have to answer to municipalities (who answer to voters). And if a business artificially prices customers off their service, that’s not exactly a good thing.

BitTorrent was blocked by Comcast because BitTorrent is designed to saturate an Internet connection when downloading. Even prior to P2P, download managers already existed with the intent of taking advantage of HTTP protocol flexibility to download files from multiple sources (aka “mirrors”) with the intent of saturating your Internet connection. P2P sharing arguably started with Napster, which gave rise to other P2P network protocols like Gnutella and, eventually, BitTorrent.

Unless throttled in the client software, P2P is designed to saturate an Internet connection. And will saturate an Internet connection, which can affect network availability in a home or apartment, college campus (something I had fun dealing with when I was in college), or a local region.

Video streaming is also designed to saturate a connection. Video streaming protocols will change quality settings based on bandwidth availability between the sender and receiver. We’ve all seen this with YouTube, and streamers have likely experienced it as well trying to stream via YouTube or Twitch. All of that has the potential to affect availability for everyone.

So much of the hyperbole over what could happen if the “Open Internet Order” is repealed seems to avoid the question of why ISPs did those “shady” things and merely looks to the fact that it happened. And that does nothing to further any understanding. And it’s fueling a lot of baseless speculation as well.

And the idea of “micro transactions” and extortion comes from a very, very broad misunderstanding of the whole “fast lane” concept. Recall where I said that video streaming is designed to saturate a connection up to the maximum throughput needed to stream the video at the requested quality settings. And the sender will throttle the video stream if congestion is encountered. In other words, video is very bandwidth intense. And given that Netflix and YouTube both support 4K streaming (likely with few consumers right now), this isn’t a problem going away any time soon.

Enter the “fast lanes”. While it’s been portrayed as ISPs trying to extort money from Netflix, there’s actually a much more benign motive here: getting Netflix to help upgrade the infrastructure needed to support their video streaming. The start of their streaming service, and its eventual consumption by millions of people, led to massive degradation in Internet service for millions of other customers who weren’t streaming Netflix or much else.

To alleviate traffic congestion, many metropolitan areas have HOV lanes, or “high occupancy vehicle” lanes, to encourage carpooling. The degree to which this is successful is highly debatable. The “fast lane” concept for the Internet was similar. But when the idea was first mentioned, many took it to mean that ISPs were going to artificially throttle websites who don’t pay up, when what it actually means is providing a separate bandwidth route for bandwidth-intense applications, specifically video streaming.

And since these were sources of complaints among the general populace — who know little about computer networking, let alone the structure of the Internet — this led the FCC to talk about trying to regulate the Internet infrastructure. Regulating the Internet is something that governments across the world have been trying to do for at least the last 15 years. And since they haven’t had much luck regulating what happens on the Internet, regulating the infrastructure is the next best thing.

Misconceptions and misunderstandings, and the speculation and doomsday predictions that have come from all of that, lead to bad policy. And it’s fueling much of the current discussion on net neutrality.

Note: The above is a comment I attempted to put on a video for Paul’s Hardware, but the comment appears to have been filtered or deleted.