## Docker Jail for Skype

As I’m now permanently installed at our University (yeah!) I probably need to use skype more often than desired. However, I still try to avoid proprietary software, and skype is the worst of all. Skype is a

obfuscated malicious binary blob with network capabilities

as jvoisin beautifully put into words. I came in contact with skype multiple times and it was always a mess. Ok, but what are the options if I need skype? So far I’ve been using a virtual box if I needed to call somebody who insisted on using skype, but now that I’ll be using skype more often I need an alternative to running a second OS on my machine. My friend Tom meant to make a joke about using Docker and … TA-DAH! … Turns out it’s actually possible to jail a usable skype inside a Docker container! Guided by jvoisin’s article Running Skype in docker I created my own setup:

# The Dockerfile

The Dockerfile is available from the skype-on-docker project on GitHub. Just clone the project and change into the directory:

$git clone https://github.com/binfalse/skype-on-docker.git$ cd skype-on-docker
$ls -l total 12 -rw-r--r-- 1 martin martin 32 Jan 4 17:26 authorized_keys -rw-r--r-- 1 martin martin 1144 Jan 4 17:26 Dockerfile -rw-r--r-- 1 martin martin 729 Jan 4 17:26 README.md  The Docker image is based on a Debian:stable. It will install an OpenSSH server (it exposes 22) and download the skype binaries. It will also install the authorized_keys file in the home directories of root and the unprivileged user. Thus, to be able to connect to the container you need to copy your public SSH key into that file: $ cat ~/.ssh/id_rsa.pub >> authorized_keys


Good so far? Ok, then go for it! Build a docker image:

$docker build -t binfalse/skype .  This might take a while. Docker will execute the commands given in the Dockerfile and create a new Docker image with the name binfalse/skype. Feel free to choose a different name.. As soon as that’s finished you can instantiate and run a new container using: $ docker run -d -p 127.0.0.1:55757:22 --name skype_container binfalse/skype


This will start the container as a daemon (-d) with the name skype_container (--name skype_container) and the host’s port 55757 mapped to the container’s port 22 (-p 127.0.0.1:55757:22). Give it a millisecond to come up and then you should be able to connect to that container via ssh. From that shell you should be able to start an configure skype:

$ssh -X -p 55555 docker@127.0.0.1 The programs included with the Debian GNU/Linux system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright. Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. Last login: Mon Jan 4 23:07:37 2016 from 172.17.42.1$ skype


You can immediately go and do your chats and stuff, but you can also just configure skype. Do setup everything just like you want to find it when starting skype, for example tick the auto-login button to get rid of the login screen etc. As soon as that’s done, commit the changes to build a new image reflecting your preferences:

$docker commit skype_container binfalse/deb-skype  Now you’ll have an image called binfalse/deb-skype that contains a fully configured skype installation. Just kill the other container: $ docker stop skype_container
$docker rm skype_container  And now your typical workflow might look like: docker run -d -p 127.0.0.1:55757:22 --name skype__ binfalse/deb-skype sleep 1 ssh -X -p 55757 docker@127.0.0.1 skype && docker rm -f skype__  Feel free to cast it in a mould just as I did. The script is also available from my apt repo, it’s name is bf-skype-on-docker: echo "deb http://apt.binfalse.de binfalse main" > /etc/apt/sources.list.d/binfalse.list apt-get update && apt-get install bf-skype-on-docker  ## Getting into a new group You know, … you just got this new floppy disk with very important material but you cannot access it because you’re not in the system’s floppy group and, thus, you’re not allowed to access the floppy device. Solution is easy: add your current user to the floppy group! Sounds easy, doesn’t it? The annoying thing is that those changes won’t take affect in the current session. You need to log out and log in again – quite annoying, especially if you’re into something with lots of windows and stuff. Just happened to me with docker again.. However, there are two methods to get into the new groups without the need to kill the current session: • su yourself: let’s say your username is myname you just need to su myname to get a prompt with the new group memberships. • ssh localhost: that also gives you a new session with updated affiliations. That way, you do not need to start a new session. However, you still need to start all applications/tools from that terminal - might be odd to those who are used to the gnome/kde menues.. :) ## Supplemental material Display group membership:  groups USERNAME  Add a new system group:  groupadd GROUPNAME  Add a user to a group:  useradd -G GROUPNAME USERNAME  ## CyanogenMod Updates and the firewall I’m running CyanogenMod on my phone and I have the firewall AFWall+ installed. To update the list of available updates the application CM Updater need to be able to connect to the internet. It will contact a website from within the google empire and ask for available images. In order to download a new image the application Media Storage, Download Manager, Downloads needs internet access, as this app is in charge of downloading the actual image file. To be remembered. ## JavaDoc Cheat Sheet • The first sentence of each doc comment should be a summary sentence • Write the description to be implementation-independent, but specifying such dependencies where necessary. (what is required, what is allowed) • wrap keywords in <code>...</code> ## typical meta annotations • @author is not critical, because it is not included when generating the API specification • @version SCCS string "%I%, %G%", which converts to something like “ 1.39, 02/28/97” (mm/dd/yy) when the file is checked out of SCCS • @since specify the product version when the Java name was added to the API specification (if different from the implementation) ## typical method definition • @param parameter-name description • followed by the name (not data type) of the parameter, followed by a description of the parameter • the first noun in the description is the data type • @return description • omit for methods that return void and for constructors • include it for all other methods, even if its content is entirely redundant with the method description • @throws class-name description should be included for any checked exceptions (previously, it was @exception) ## additional annotations • {@value package.class#field} • when {@value} is used (without any argument) in the doc comment of a static field, it displays the value of that constant: The value of this constant is {@value}. • otherwise it displays the value of the specified constant: Evaluates the script starting with {@value #SCRIPT_START}. • {@code text} • Equivalent to <code>{@literal}</code>. ## linking • @see reference • Adds a "See Also" heading • reference is a string: Adds a text entry for string. No link is generated. The string is a book or other reference to information not available by URL. • reference is an <a href="URL#value">label</a>: Adds a link as defined by URL#value. The URL#value is a relative or absolute URL. • reference is an package.class#member label: Adds a link (with optional visible text label) that points to the documentation for the specified name in the Java Language that is referenced. • {@link package.class#member label} • in-line link with visible text label that points to the documentation for the specified package, class or member name of a referenced class • not necessary to add links for all API names in a doc comment • @serial (or @serialField or @serialData) for interoperability with alternative implementations of a Serializable class and to document class evolution ## deprecation • @deprecated deprecated-text • the first sentence should at least tell the user when the API was deprecated and what to use as a replacement • a {@link} tag should be included that points to the replacement method ## example /** * The Class CombineArchive to create/read/manipulate/store etc. * CombineArchives. * <p> * We directly operate on the ZIP file, which will be kept open. Therefore, do * not forget to finally close the CombineArchive when you're finished. * </p> * * @see <a href="https://sems.uni-rostock.de/projects/combinearchive/"> * sems.uni-rostock.de/projects/combinearchive</a> * @author martin scharm */ public class CombineArchive extends MetaDataHolder implements Closeable { /* ... */ /** * Gets the the first main entry of this archive, if defined. As of RC2 of the spec there may be more than one main entry, so you should use {@link #getMainEntries()} instead. * * @return the first main entry, or <code>null</code> if there is no main entry * @deprecated as of version 0.8.2, replaced by {@link #getMainEntries()} */ public ArchiveEntry getMainEntry () { if (mainEntries == null) return null; return mainEntries.size () > 0 ? mainEntries.get (0) : null; } /** * Gets the main entries as defined in the archive. * * @return the main entries in this archive */ public List<ArchiveEntry> getMainEntries () { return mainEntries; } /** * Replace the file associated with a certain entry while keeping the meta * data. * * @param toInsert * the new file to insert * @param oldEntry * the old entry whose file should be replaced * @return the new entry * @throws IOException If an input or output exception occurred */ public ArchiveEntry replaceFile (File toInsert, ArchiveEntry oldEntry) throws IOException { addEntry (toInsert, oldEntry.getFilePath (), oldEntry.getFormat (), false); entries.put (oldEntry.getFilePath (), oldEntry); return oldEntry; } } # References ## Block URLs on phone using AdAway Using AdAway on your Android phones it is very easy to block a set of URLs. AdAway (available from F-Droid, source from GitHub) is an ad-blocker. The application basically maintains a list of resources containing lists to ad-servers, see figure for example, e.g.: # dest ip url 127.0.0.1 some.ad.server.com  This entry will redirect all traffic meant for some.ad.server.com to the server 127.0.0.1, which is your localhost. Entries from different resources are merged. Thus, all requests to typical ad-servers will fail → annoying advertisements won’t be delivered. It’s quite powerful and gives impressive results. However, I didn’t want to talk about ad-stuff. The cool thing is ## AdAway allows for extensions with own hosts files! You can simply add another link to a file containing further host entries. I created my own AdAway file, uploaded it to https://stuff.lesscomplex.org/adaway.txt and added it to AdAway, as you can see in the figure. The current version contains a few entries for: • facebook/yahoo/etc: I’m not using facebook or stuff, all these request shouldn’t leave my phone • captive portal detection: To detect captive portals the phone downloads a few bytes from a google server and checks if it is able to access the real internet or just a captive portal • swift key: I’m using swift key, but do not want it to communicate to the internet. Thus, I’m blocking a few URLs that swiftkey wants to talk to. As I’m already using a firewall this just adds another layer of privacy. Feel free to use my “extension”, but I expect it to change over time. :) ## Shortcomings This method only works if applications load contents from URLs. As soon as the IPs are hard-coded the hosts file ## Disable shutter sound on Cyanogenmod 12 Everyone knows that annoying shutter sound of the camera app on Android phones. It’s against the law to sell android phones which do not make sounds when taking pictures. And in general, it is a good feature as it improves other people privacies. However, I still want to get rid of the sound. It’s a bit tricky, but having a rooted phone (with e.g. CyanogenMod) it’s very easy: Just delete the sound file /system/media/audio/ui/camera_click.ogg! :) For the lazy: Get a root shell (eg. ssh or adb) and execute the following: mount -o remount,rw /system mv /system/media/audio/ui/camera_click.ogg /system/media/audio/ui/camera_click.ogg.backup mv /system/media/audio/ui/camera_focus.ogg /system/media/audio/ui/camera_focus.ogg.backup mount -o remount,ro /system Problem solved. ## Kile menu bar hides entries Kile, KDE’s Integrated LaTeX Environment, has a weird bug: Every time I update something in the UI it recreates its config file and I loose some menu options, such as Settings -> Configure Kile where you used to configure your preferences.. In Figure 1 you can see the menu as expected. There are some entries to Configure Kile, t0 Configure Toolbars, to Configure Shortcuts and to switch to Full Screen Mode, etc. However, as soon as I update certain things in the user interface (UI), eg. if I add a new action icon to the toolbar to quickly get the \textbf{} environment for bold fonts, these entries get lost. In those cases Kile won’t be configureable anymore. The resulting toolbar is shown in Figure 2. You see, the number of entries significantly decreased.. However, I just discovered the reason: Kile in these cases rewrites its config in an unexpected manner… If you have a look at the configuration stored in ~/.kde/share/apps/kile/kileui.rc you’ll find an XML subtree such as: ... <Menu noMerge="1" name="settings"> <text>&amp;Settings</text> <Action name="Mode"/> <Separator/> <Action name="settings_perform_check"/> <Separator/> <Action append="show_merge" name="StructureView"/> <Action append="show_merge" name="MessageView"/> </Menu> ... No idea where it comes from, but the 1 in noMerge prevents the default menu entries to be merged into the minimal set of entries defined in that snippet. However, now that we know what’s wrong we can easily fix it! Just replace the 1 with a 0 and restart Kile. You might want to do the same for all other menus to discover that you’ve also been missing some entries in the Help menu ;-) ## Food equivalents in Social Media I’ve just been listening to a podcast from DRadio Wissen: Hörsaal (German podcast streaming lectures). I particularly like the podcast of DRadio. This time the lecture was held by Fabian Hemmert, a German design researcher, who was talking about the smartphones’ future. Quite interesting thought in there, but what I actually wanted to jot down was his comparison between food and social media. He tried to find food equivalents in media: ### The equivalent of Fat is Fiction! Invented/fictional things – easy to consume, but not a good base. And too much of it and you’ll often have unnecessary ballast at the end of the day. ### The equivalent of Sugar is Approbation! Everyone likes to hear approvals and confirmation, it’s music to your ears. But too much of it is also unhealthy. ### The equivalent of Protein is Truth! Not too easy to digest, but an important thing to base on. ### We are very short on Attention He also notes that attention is the scarcest resource. Everyone wants us to pay attention and we want everyone to pay attention.. I kind of like the idea! Any other equivalences you can think of? ## Tunneling TinyTinyRSS traffic through a Proxy TinyTinyRSS (TT-RSS) is something that the Google reader always wanted and Feedly still wants to be. Just better! :) TT-RSS is a free and open source feed aggregator, which can be deployed to your own machine. For example, my instance is running on a cubieboard in my living room. Thus, I’m independent of any company and their plans with my data :) However, I don’t want to advertise TT-RSS too much, but I want to tell you how to fetch your feeds through a proxy, such as polipo or squid. ## Configuring TT-RSS to use a Proxy It’s apparently undocumented, but looking into the code it turns out that feeds are fetched using cURL: $ grep -rn PROXY *
include/functions2.php:2257:            if (defined('_CURL_HTTP_PROXY')) {
include/functions2.php:2258:                    curl_setopt($curl, CURLOPT_PROXY, _CURL_HTTP_PROXY); include/functions.php:389: if (defined('_CURL_HTTP_PROXY')) { include/functions.php:390: curl_setopt($ch, CURLOPT_PROXY, _CURL_HTTP_PROXY);
plugins/af_unburn/init.php:41:                          if (defined('_CURL_HTTP_PROXY')) {
plugins/af_unburn/init.php:42:                                  curl_setopt(\$ch, CURLOPT_PROXY, _CURL_HTTP_PROXY);

And as you can see, the code already supports the usage of a proxy: if (defined('_CURL_HTTP_PROXY')).

I think that might be very interesting to many of you guys and I’ve no idea why it is not documented. However, you can simply define the variable _CURL_HTTP_PROXY in your config.php file. For example, to use a proxy at host 127.0.0.1 listening at port 8123 add the following:

define ('_CURL_HTTP_PROXY', '127.0.0.1:8123');

Now, the TT-RSS traffic will go through the proxy at :8123, which might tunnel everything through, e.g., TOR. Thus, the location of your living room will not be disclosed :)

## BONUS: Cache all the Images in Feeds

By default, TT-RSS will not cache the images in feeds. That means, if there is an image in an article, you will be redirected to load the image from a foreign server. That’s obviously something I’d like to avoid, especially because there are plenty of ads or tracking pixels which shouldn’t know about my habits and surf times. But there is an alternative: TT-RSS is able to cache images. It will download the images to your server and deliver the cached versions instead of forwarding you to somewhere else.

Unfortunately, that is not the default. If you want that functionality you need to configure every single feed (Edit FeedOptionsCache images locally). And you must not forget to repeat that procedure for every new feed that will be added in 15+ months…

To avoid that you can simply open the database that TT-RSS uses (e.g. using phpMyAdmin), go to the table ttrss_feeds and modify the default value of the column cache_images from 0 to 1. If that is done, the images of every newly added feed will be cached by default.

If you’re too lazy to manually update the feeds that are already there you can simply run the following SQL query:

UPDATE ttrss_feeds SET cache_images=1 WHERE 1

## Air Pollution makes Babies skinnier

China radically reduced the air pollution in preparation of the Olympics in 2008 in Beijing. The authors of the publication Differences in Birth Weight Associated with the 2008 Beijing Olympic Air Pollution Reduction: Results from a Natural Experiment [Rich2015a] studied its affect on the weights of newborns. They evaluated how specific months of pregnancy with less air pollution correlate to the birth weights, compared to pregnancies during the same dates in 2007 or 2009. The records were created and maintained by the Beijing Obstetrics and Gynecology Hospital and for the study they just included singleton live births of infants who were 28 completed weeks of gestation or greater in one of four adjacent Beijing districts at the time of birth, which is a sample size of 140,298.

And indeed, they found a correlation:

Babies with their 8th month of pregnancy during the 2008 Olympics were, on average, 23g larger

Interestingly, there was apparently no correlation for months 1-7 of pregnancy!?