Hardening SSH connections on pfSense (part II)

In some special situations, or not so special, you want to trace user sessions, for example in a critical server or when you find weird behaviors in your system.

In a previous entry I explained how to setup a user account just to make SSH tunnels what is preventing open shells in your systems when is not necessary, but when you need to provide an interactive shell you need at least to be sure that you are be able to review a log file in case you have to diagnose some problems in your infrastructure, and that is what I want to explain in this entry.

The first step in this process it would be to setup a shell with logging activated so first of all I going to create a shell script to assign it as a custom shell to a user account, let’s create the file /bin/lsh:
# To prevent the user can't kill us by pressing Ctrl-C, Ctrl-z ...
trap : 2
trap : 3
trap : 4
export SHELL=/bin/sh
/usr/local/bin/bash -c '/usr/local/bin/screen -m -T xterm-256color -s /usr/local/bin/bash -L -Logfile PATH_TO_LOG_FILES/${LOGNAME}_`date +%Y%m%d-%H:%M:%S`.log'

You can download the previous script from here.
Note that is needed to have installed bash on your system, so you can’t forget execute this:
# pkg install bash

The second step will be to add our new custom shell script into /etc/shells file:
# cat /bin/lsh >> /etc/shells

Now we are going to change user shell with this command, in this case I’m going to change the shell to “honeypot” user:
# chsh -s /bin/lsh honeypot
chsh: user information updated

Investigating to achieve a functional version of this settings I experiment a lot of times a weird glitch when screen window shows up, my first thought was that in other sessions I haven’t this problem so I want to compare environment variables in xterm sessions with this new screen session so I play adding the following commands to /bin/lsh script:
#sleep 10

This is the way how I found that I hadn’t set properly SHELL environment variable.

And That’s all folks!

“The land belongs to its workers”
— Emiliano Zapata


Installing private Git server on pfSense

UPDATE: Other possibility to all these steps it would be a public Git encrypted repository on an open platform, just if you don’t want to invest time on this option. As a comment if you have a Keybase.io account they have implemented this option for you using GitHub as Git platform.

Some times I have needed to share some private projects between different machines and I found quite useful to have an internal git server installed to be accessible from everywhere, once solved, in a more or less secured way, the access to my platform read this for more information I only need to install a minimal Git server.

The first choice which I had to make was chosen where I wanted to install my private Git server, as I have all day up my router I think it would be the perfect place, moreover I just have a couple private personal projects hosted in this server so for me it’s enough. Anyways it’s needed to check out how much free space we have, considering projects size:
# df -h
Filesystem Size Used Avail Capacity Mounted on
/dev/ufsid/569025cc62366d87 21G 872M 19G 4% /

Now it’s time to install the git server package on our pfSense:
# pkg install git
Updating pfSense-core repository catalogue...
pfSense-core repository is up to date.
Updating pfSense repository catalogue...
pfSense repository is up to date.
All repositories are up to date.
The following 5 package(s) will be affected (of 0 checked):
New packages to be INSTALLED:
git: 2.14.1 [pfSense]
p5-Authen-SASL: 2.16_1 [pfSense]
p5-GSSAPI: 0.28_1 [pfSense]
p5-Digest-HMAC: 1.03_1 [pfSense]
p5-Error: 0.17025 [pfSense]
Number of packages to be installed: 5
The process will require 24 MiB more space.
4 MiB to be downloaded.
Proceed with this action? [y/N]: y
[1/5] Fetching git-2.14.1.txz: 100% 4 MiB 1.3MB/s 00:03
[2/5] Fetching p5-Authen-SASL-2.16_1.txz: 100% 40 KiB 41.2kB/s 00:01
[3/5] Fetching p5-GSSAPI-0.28_1.txz: 100% 38 KiB my_ 39.0kB/s 00:01
[4/5] Fetching p5-Digest-HMAC-1.03_1.txz: 100% 10 KiB 10.1kB/s 00:01
[5/5] Fetching p5-Error-0.17025.txz: 100% 19 KiB 19.3kB/s 00:01
Checking integrity... done (0 conflicting)
[1/5] Installing p5-GSSAPI-0.28_1...
[1/5] Extracting p5-GSSAPI-0.28_1: 100%
[2/5] Installing p5-Digest-HMAC-1.03_1...
[2/5] Extracting p5-Digest-HMAC-1.03_1: 100%
[3/5] Installing p5-Authen-SASL-2.16_1...
[3/5] Extracting p5-Authen-SASL-2.16_1: 100%
[4/5] Installing p5-Error-0.17025...
[4/5] Extracting p5-Error-0.17025: 100%
[5/5] Installing git-2.14.1...
===> Creating groups.
Creating group 'git_daemon' with gid '964'.
===> Creating users
Creating user 'git_daemon' with uid '964'.
Extracting git-2.14.1: 100%
Message from git-2.14.1:
*************************** GITWEB *************************************
If you installed the GITWEB option please follow these instructions:
*************************** GITWEB *************************************
*************************** CONTRIB ************************************
If you installed the CONTRIB option please note that the scripts are
installed in /usr/local/share/git-core/contrib. Some of them require
other ports to be installed (perl, python, etc), which you may need to
install manually.
*************************** CONTRIB ************************************

I’m not going to use a web interface so I’m not going to explain gitweb installation.

Let’s create the service user:
# adduser
Username: git
Full name: git
Uid (Leave empty for default):
Login group [git]:
Login group is git. Invite git into other groups? []:
Login class [default]:
Shell (sh csh tcsh ssh_tunnel_shell scponly scponlyc git-shell nologin) [sh]:
Home directory [/home/git]:
Home directory permissions (Leave empty for default):
Use password-based authentication? [yes]:
Use an empty password? (yes/no) [no]:
Use a random password? (yes/no) [no]:
Enter password:
Enter password again:
Lock out the account after creation? [no]: ç
Lock out the account after creation? [no]:
Username : git
Password : *****
Full Name : git
Uid : 1005
Class :
Groups : git
Home : /home/git
Home Mode :
Shell : /bin/sh
Locked : no
OK? (yes/no): yes
adduser: INFO: Successfully added (git) to the user database.
Add another user? (yes/no): no

With this user created we can enable SSH access to users who are going to use this service, so we just need put their public SSH keys into authorized_keys file in git user account. This can be done with ssh-copy-id command or just copying public keys manually.

For a proper installation is needed to setup the right permissions:
$ mkdir .ssh && chmod 700 /home/git/.ssh/
$ cd .ssh && ls -ld .
drwx------ 2 git git 512 Feb 8 14:28 .
$ touch authorized_keys && chmod 600 authorized_keys

Let’s create a directory structure to store our ultra-secret projects, this part is very personal so I’m going a be a little generic here (logged as git user, by the way):
$ mkdir -p WHEREVER_YOU_WANT_PATH/secret.git && cd WHEREVER_YOU_WANT_PATH/secret.git
$ git init --bare
Initialized empty Git repository in WHEREVER_YOU_WANT_PATH/secret.git/
$ ls -l
total 32
-rw-r--r-- 1 git git 23 Feb 10 10:17 HEAD
drwxr-xr-x 2 git git 512 Feb 10 10:17 branches
-rw-r--r-- 1 git git 66 Feb 10 10:17 config
-rw-r--r-- 1 git git 73 Feb 10 10:17 description
drwxr-xr-x 2 git git 512 Feb 10 10:17 hooks
drwxr-xr-x 2 git git 512 Feb 10 10:17 info
drwxr-xr-x 4 git git 512 Feb 10 10:17 objects
drwxr-xr-x 4 git git 512 Feb 10 10:17 refs

Now it’s time of the fun part because we are going to config the client side:
client_host:$ vim ~/.ssh/config
Host gitserver
User git
client_host:$ mkdir my_secret_project && cd my_secret_project
client_host:$ git init
Initialized empty Git repository in WHEREVER/my_secret_project/.git/
client_host:$ git add .
client_host:$ git commit -m 'initial commit'
On branch master
Initial commit
nothing to commit
client_host:$ git remote add origin gitserver:WHEREVER_YOU_WANT_PATH/secret.git
client_host:$ git push origin master
Counting objects: 3, done.
Writing objects: 100% (3/3), 227 bytes | 227.00 KiB/s, done.
Total 3 (delta 0), reused 0 (delta 0)
To ssh://gitserver:WHEREVER_YOU_WANT_PATH/secret.git
* [new branch] master -> master

Note that I made some tests while I was writing this entry because of that the push command has written 3 objects in my case.

When other user want to clone this repository “just” need to execute:
$ GIT_SSH_COMMAND='ssh -p CUSTOM_SSH_PORT' git clone ssh://git@YOUR_IP:WHEREVER_YOU_WANT_PATH/secret.git
Cloning into 'secret'...
remote: Counting objects: 3, done.
remote: Total 3 (delta 0), reused 0 (delta 0)
Receiving objects: 100% (3/3), done.

I highly important recommendation is to use git-shell option in our configuration just to get a more secure environment.
# chsh -s /usr/local/bin/git-shell git
chsh: user information updated
# grep git: /etc/passwd

If you don’t want to use git perhaps you want consider this option:

To my installation process I follow this reference.
And this link can also be useful:

Have fun!

Nothing shows a man’s character more than what he laughs at.
— J. W. von Goethe

Hardening SSH connections on pfSense

This is a quick entry to explain how to use a low privileged user just to create a SSH tunnel (port forwarding) to access remotely to some internal service in your infrastructure.

Considering these settings, let’s create the user from command line on Pfsense (which is based on FreeBSD):

[2.4.2-RELEASE][root@pf.acme.local]/root: adduser
Username: dude
Full name: Mr. Dude
Uid (Leave empty for default):
Login group [dude]:
Login group is dude. Invite dude into other groups? []:
Login class [default]:
Shell (sh csh tcsh ssh_tunnel_shell scponly scponlyc nologin) [sh]: ssh_tunnel_shell
Home directory [/home/dude]:
Home directory permissions (Leave empty for default):
Use password-based authentication? [yes]: no
Lock out the account after creation? [no]:
Username : dude
Password :
Full Name : Mr. Dude
Uid : 1004
Class :
Groups : dude
Home : /home/dude
Home Mode :
Shell : /usr/local/sbin/ssh_tunnel_shell
Locked : no
OK? (yes/no):
OK? (yes/no): yes
adduser: INFO: Successfully added (dude) to the user database.
Add another user? (yes/no): no
[2.4.2-RELEASE][root@pf.acme.local]/root: cp -rp /root/.ssh /home/dude/
[2.4.2-RELEASE][root@pf.acme.local]/home/dude: chown -R dude:dude .ssh

Now you can check to access with this new account:
Edit /etc/motd to change this login announcement.
This login only supports SSH tunneling.
You are logged in for 0 hours 0 minute(s)

With this new user created and TESTED we could remove SSH access using root account if we don’t :
[2.4.2-RELEASE][root@pf.acme.local]/home/dude: mv ~/.ssh/authorized_keys ~/.ssh/authorized_keys.OLD.`date +%Y%m%d`

If don’t want to enter this long command you can edit your profile settings file and add the following:
$ vim .profile
home() {
ssh -p NON_PRIVILEGED_PORT -l dude -L LOCAL_PORT:iLO_INTERNAL_IP_ADDRESS:443 your.public.domain
$ . .profile
$ home

You can check new user information from passwd file:
$ grep dude /etc/passwd
dude:*:1004:1004:Mr. Dude:/home/dude:/usr/local/sbin/ssh_tunnel_shell

I have to say that as a GNU/Linux user that I love this option:/usr/local/sbin/ssh_tunnel_shell.

As a hint you would want to change default /etc/motd file to prevent exposing information about your system, and here is an option from here:

That’s all Folks!

“The greatest mistake is to imagine that we never err.”

Thomas Carlyle

Some of my favorite movie quotes

In a completely random order:

“I love the smell of napalm in the morning.”

Apocalypse Now, 1979

“Carpe diem. Seize the day, boys.”

Dead Poets Society, 1989

“The greatest trick the devil ever pulled was convincing the world he didn’t exist.”

The Usual Suspects, 1995

“Roads? Where we’re going we don’t need roads.”

Back to the Future, 1985

“I need you to be clever, Bean. I need you to think of solutions to problems we haven’t seen yet. I want you to try things that no one has ever tried because they’re absolutely stupid.”
— Orson Scott Card, Ender’s Game

“You had me at hello.”

Jerry Maguire, 1996

“You can’t handle the truth!”

A Few Good Men, 1992

“Houston, we have a problem.”

Apollo 13, 1995

“To infinity and beyond!”

Toy Story, 1995

“Bud: Hippy, you think everything’s a conspiracy.
Hippy: Everything is.”

The Abyss

“I see dead people.”

The Sixth Sense, 1999

“Yippie-ki-yay, motherf—er!”
Die Hard, 1988

“Fasten your seatbelts. It’s going to be a bumpy night.”

All About Eve, 1950

“We’ll always have Paris.”

Casablanca, 1942

“The key to a woman’s heart is an unexpected gift at an unexpected time.”

Finding Forrester 2000

“Play it, Sam. Play ‘As Time Goes By.'”

Casablanca, 1942

“We walk away from our dreams afraid that we may fail, or worse yet, afeaid we may succeed.”

Finding Forrester 2000

“Pay no attention to that man behind the curtain!”

The Wizard of Oz, 1939

“You must write your first draft with your heart. You rewrite with your head. The first key to writing is… to write, not to think.”

Finding Forrester 2000

“I’m just one stomach flu away from my goal weight.”

The Devil Wears Prada, 2006

“Nobody’s perfect.”

Some Like It Hot, 1959

“I’m having an old friend for dinner.”

The Silence of the Lambs, 1991

“Wax on, wax off.”

The Karate Kid, 1984

“Mama says, ‘Stupid is as stupid does.'”

Forrest Gump, 1994

“Of all the gin joints in all the towns in all the world, she walks into mine.”

Casablanca, 1942

“May the Force be with you.”

Star Wars, 1977

“Frankly, my dear, I don’t give a damn.”

Gone With the Wind, 1939

“Shaken, not stirred.”

Goldfinger, 1964

“There’s no place like home.”

The Wizard of Oz, 1939

“Keep your friends close, but your enemies closer.”

The Godfather, Part II, 1974

“The first rule of Fight Club is: You do not talk about Fight Club.”

Fight Club, 1999

“I don’t want to survive. I want to live.”

12 Years a Slave, 2013

“Elementary, my dear Watson.”

The Adventures of Sherlock Holmes, 1939

“I wish I knew how to quit you.”

Brokeback Mountain, 2005

“Good morning, Vietnam!”

Good Morning, Vietnam, 1987

“Why so serious?”

The Dark Knight, 2008

“I am your father.”

Star Wars Episode V: The Empire Strikes Back, 1980

“Go ahead, make my day.”

Sudden Impact, 1983

“After all, tomorrow is another day!”

Gone With the Wind, 1939

“They may take our lives, but they’ll never take our freedom!”

Braveheart, 1995

“Perhaps it’s impossible to wear an identity without becoming what you pretend to be.”

Orson Scott Card, Ender’s Game

“If you let my daughter go now, that’ll be the end of it. I will not look for you, I will not pursue you. But if you don’t, I will look for you, I will find you, and I will kill you.”

Taken, 2008

“My name is Maximus Decimus Meridius, commander of the Armies of the North, General of the Felix Legions and loyal servant to the true emperor, Marcus Aurelius. Father to a murdered son, husband to a murdered wife. And I will have my vengeance, in this life or the next.”

Gladiator, 2000

“To build a better world sometimes means having to tears the old one down. And that makes enemies”

Captain America: The Winter Soldier

“In the moment when I truly understand my enemy, understand him well enough to defeat him, then in that very moment I also love him. I think it’s impossible to really understand somebody, what they want, what they believe, and not love them the way they love themselves. And then, in that very moment when I love them…. I destroy them.”

Orson Scott Card, Ender’s Game (perhaps from the book)

“These go to eleven.”

This Is Spinal Tap, 1984

Many of these quotes have been found here.

I always finish my blog entries with a quote but not this time, I hope you can understand it 😉


Problems after installing Debian GNU/Linux on Thinkpad T470p

In this entry I would like to explain the problem that I faced with my new Lenovo Thinkpad T470p after installing Debian GNU/Linux Buster as a second operating system in the box.

I have to notice that I was playing a little bit with Microsoft Window 10 Pro installed by default just to know how has been evolved Windows, because I not use Windows since some years ago.

During this time I remembered installed a BIOS update although I don’t remember which version was.

So, the first thing before installing Debian GNU/Linux using an USB stick is change BIOS settings just to be able to boot from the Debian Testing image burn into the USB stick.
Secure Boot option has to be disabled in order to change Boot mode from UEFI only to Both UEFI and Legacy system
CSM was also setup to Yes

With these changes I installed without any problems GNU/Linux in my laptop but I started to have problems booting it, many times laptop was frozen in the Lenovo logo screen without responding to any keyboard event.

I opened an incident with Hardware Lenovo Support Team and they help me to find a solution, the workaround in my case was:
1. Unplug external battery and also unplug AC power wire
2. Keep pressing laptop power button for at least 15 seconds.

The second step is used to make a hard reset and restore default settings in T470p.

Following these steps I could restore fully my laptop without loosing any data.

I guess that the BIOS version I was using had a kind of bug that with certain settings, Secure boot disabled … was causing the problem.

“The ideal situation occurs when the things that we regard as beautiful are also regarded by other people as useful.”
— Donald Knuth

Installing i3wm themes on Debian (Buster)

Quick entry explaining the steps that I followed to adapt this guide on Debian Buster.

First of all backup your current i3wm configuration, these steps are based on a previous i3wm installation, that depends on where your settings files are located:

$ lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description: Debian GNU/Linux testing (buster)
Release: testing
Codename: buster
$ cd ~ && cp .i3/config .i3/config.OLD.`date +%Y%m%d`
$ cp .conkyrc .conkyrc.OLD.`date +%Y%m%d`
# apt-get update

– Let’s start with the most difficult requirement Polybar installation on Debian

Installing Polybar dependencies from this reddit discussion:
# apt install cmake cmake-data libcairo2-dev libxcb1-dev libxcb-ewmh-dev libxcb-icccm4-dev libxcb-image0-dev libxcb-randr0-dev libxcb-util0-dev libxcb-xkb-dev pkg-config python-xcbgen xcb-proto libxcb-xrm-dev i3-wm libasound2-dev libmpdclient-dev libiw-dev libcurl4-openssl-dev

$ git clone https://github.com/jaagr/polybar.git
$ cd polybar && ./build.sh
[100%] Built target polybar
** Execute 'sudo make install'? [Y/n]
** Install example configuration? [Y/n]:
** Build complete!
# make install
** Installing...
make[1]: Entering directory '/home/aitor/Downloads/polybar/build'
make[2]: Entering directory '/home/aitor/Downloads/polybar/build'
make[3]: Entering directory '/home/aitor/Downloads/polybar/build'
make[3]: Leaving directory '/home/aitor/Downloads/polybar/build'
[ 5%] Built target xpp
make[3]: Entering directory '/home/aitor/Downloads/polybar/build'
make[3]: Leaving directory '/home/aitor/Downloads/polybar/build'
[100%] Built target polybar
make[2]: Leaving directory '/home/aitor/Downloads/polybar/build'
Install the project...
-- Install configuration: "RelWithDebInfo"
-- Installing: /usr/local/share/doc/polybar/config
-- Installing: /usr/local/share/bash-completion/completions/polybar
-- Installing: /usr/local/share/zsh/site-functions/_polybar
-- Installing: /usr/local/share/zsh/site-functions/_polybar_msg
-- Installing: /usr/local/share/man/man1/polybar.1
-- Installing: /usr/local/bin/polybar

– Install rofi and compton:
# apt install rofi compton

Download i3wm-themer public GitHub repository:
$ git clone https://github.com/unix121/i3wm-themer

If you want you can use the script to make a new backup just to be able to restore your current theme.
$ cd i3wm-themer/scripts && ./i3wmthemer -b XXX_theme

Just the first time run this:
$ cd i3wm-themer/scripts && ./i3wmthemer -c

And to apply a theme:
$ cd i3wm-themer/scripts && ./i3wmthemer -t THEME_NAME

That’s all!

“To act is to exile yourself”
— Fernando Pessoa

Install and setup my LAN with pfSense v2.4.2

Much time after I bought my APU1D4 I could get done my pfSense installation on it and I would like to share some notes about this process with you. Let’s start with router hardware specifications:

APU1D4 specifications (PCEngines link):

    Mainboard: APU ALIX Engines APU.1D4
    CPU: 1 GHz AMD G-Series T40E APU Dual core
    RAM: 4GB DDR3
    Network: 3 x 1 Gbps Ethernet ports

      Compex WLE200NX a/b/g/n miniPCI Express radio card
      2 x Wireless LAN omni antennas 2dBi 802.11 b and g with RP SMA connector (Reverse Polarity) for indoor use
    Ports: 1 x mSATA, 1 x SD Card, 2 x Mini PCIe, 1 x SATA
    Storage: Transcend 32 GB mSATA Solid State Drive, MSA370

      Storage Media: NAND Flash
      Operating Voltage: DC 3.3 V
      Connection Type: 52-pin mini-PCIe (mSATA)
      Form Factor: MO-300
      Performance: Read up to 570MB/s, Write up to 470 MB/s

The first and best advice which a friend of mine give me to finish successfully Pfsense installation (if you are not a Network specialist like me) was: draw LAN-WAN network schema on a paper (or in the computer). Once you are glad with your design you’ll have the first step to achieve your target.

After reading a lot of web pages I decide enable DMZ on my FTTH ISP router pointing to my internal pfSense IP address, this approach was the simplest way to access from The Internet to my LAN because my FTTH has an ONT integrated on the same box, NOT in a separated one.

The installation process was simple I just follow these instructions:
$ gunzip -c pfSense-CE-2.4.2-RELEASE-4g-amd64-nanobsd.img.gz | sudo dd of=/dev/sdc bs=4M
0+121433 records in
0+121433 records out
3989970432 bytes (4.0 GB, 3.7 GiB) copied, 26.8437 s, 149 MB/s
# fdisk -l /dev/sdc
Disk /dev/sdc: 3.7 GiB, 3989970432 bytes, 7792911 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x90909090
Device Boot Start End Sectors Size Id Type
/dev/sdc1 * 63 3844511 3844449 1.9G a5 FreeBSD
/dev/sdc2 3844575 7689023 3844449 1.9G a5 FreeBSD
/dev/sdc3 7689024 7791839 102816 50.2M a5 FreeBSD

The device in which I write the pfSense image it was a SD card, /dev/sdc in my case.

Once pfSense is installed I just want to mention that I used the following wire to connect with router, also notice that the wire has to be null RS232 modem.

To connect to APU I use the following command:
$ minicom -D /dev/ttyS0 -b 115200

With pfSense installed I continued my reading about these topics and I found this option OPNsense which would a great alternative to Pfsense but I haven’t much free time so at least for a while I’m going to continue with Pfsense.

Considering how to connect from the Internet to my LAN I had to decide if I was going to use VPN or SSH to this matter. For performance reasons I have chosen SSH access using RSA keys but when I have a time I want to setup a VPN access also and take my own timing comparing two solutions. I also that you read this blog entry to go deeper between differences between VPN and SSH.

The external access it is needed to be able to boot through iLO interface of my HP G8 microserver, once I setup RSA keys properly I have to use I a command like the following one:


DYNAMIC_HOSTNAME: is the public name (hostname) associated with my dynamic public IP address associated to the ISP FTTH router, I’m using

Once SSH session is opened you can browser to web login page from the client SSH computer using the following URL:

Obviously all of this is a very personal set up and depend completely on my hardware, but I hope you find this approach useful in some way to cover your needs.

That’s all, folks!

“Persistence is the twin sister of excellence. One is a matter of quality; the other, a matter of time”
— Marabel Morgan.

Rule to personal investments

A workmate is involve in all this cryptocoins investments and everyday share with the rest of us some articles and videos… to illuminate us about tendencies, but to be honest I haven’t enough time to read all the stuff that he shares with us so I have to make a vertical read to analyse roughly some information and I want to share something that I think that could be useful if you are thinking in any kind of investement. I don’t know his source but this is the text:

After having some real nice profits and losing most of them during this dip ( due to fear of selling, buying again etc) i now realize the importance of profit taking.. In stock investment is actually real simple, 4% is “the golden rule” obviously this doesn’t apply to crypto. Do you have a plan for this?*

Some very smart people at Bell Labs figured this problem out decades ago. They were trying to understand how much money to bet on horse races. The solution is called the Kelly Criterion.

Basically for any investment, bet or gamble, the optimal amount of money to utilize is [Edge]/[Odds]*[Wealth]. The idea here is that if you keep betting the farm, eventually you will lose the farm. The only time it makes sense to bet everything is if it’s 100% sure shot. Even if you have an advantage, the more uncertainty the less of your total wealth you should bet.

Specific to Bitcoin, if the future is anything like the past it has very high expected future returns. However it also has extremely volatility compared to other financial assets. It makes sense to invest in, but it definitely doesn’t make sense to invest all or even most of your personal wealth in.

That’s where the other insight of the Kelly Criterion comes in. You should be scaling your bets to the total size of your bankroll or personal wealth. This gets to the problem you’re describing. If you bought bitcoin years ago, you probably made an investment that was only a small percentage of your overall wealth. However because bitcoin has returned so much, that investment now represents a substantial portion of your total net worth.

To take an extreme example let’s say you bought $1000 worth of bitcoin in 2011 at $1/BTC. Maybe you had $10,000 in the bank at the time. You made a sensible decision to invest 10% of your wealth in bitcoin. If you’ve been holding all this time, you now have $14 million worth, and 99.99% of your wealth is BTC. It’s not sensible or prudent to have that much of your wealth in a single asset.

If you go back to your original allocation, you should rebalance to keeping only 10% of your wealth in Bitcoin. That means selling all but $1.4 million worth, and investing the rest in another asset. Or maybe something different, to reflect that BTC in 2017 has a different risk/return profile than BTC in 2011. But regardless of whether your $14 million in wealth came from an early crypto investment, or a random inheritance, the optimal financial decision is not any different.

Pick a certain percentage of your total net worth that you want to keep invested in bitcoin. Whether bitcoin goes up or down, that number should not change unless there’s a meaningful change to bitcoin’s future outlook. Then with at some regular interval, rebalance your portfolio to keep your bitcoin holdings in line with that percentage. E.g. if you decide that number is 50% and you start out with 25k in BTC and 25k in USD, and BTC goes up 20%, then you sell $2500 of BTC. If BTC went down 40%, then you’d buy $5k worth.

“Perfection is attained not when there is nothing more to add, but when there is nothing left to remove”
— Antoine de Saint Exupéry

Microsoft Windows 10 Pro commands to GNU/Linux users

I’ve been using just Debian GNU/Linux operating system for years at home and in my daily work, but sometimes is needed to go out of our comfort zone to keep learning new things.

As my new laptop ships with Microsoft Windows 10 Pro I’m going to take this opportunity to remember how to administrate a Windows box, and how some tasks can be done.

Here some tools or commands which I have used until now:

To show network interfaces if you want to setup static IP or change some default settings:
Windows_Key+R ncpa.cpl

Other not so frequent use case which I have faced was to remove a protected partition, we are going to suppose that we want to remove the first partition from the first disk:
Windows_Key+R diskpart
list disk
select disk 1
list partition
select partition 1
delete partition override

To measure hard disk there is a built-in tool on Windows explained here:
winsat disk -drive c
Although if you prefer a tool with graphical interface I would recommend you Crystal Disk Mark.

How to renew DHCP settings to our network interfaces:
Windows_Key+R + ipconfig /release
Windows_Key+R + ipconfig /renew

To clear client DNS cache:
Windows_Key+R ipconfig /flushdns

To view data in DNS resolver cache:
Windows_Key+R ipconfig /displaydns

If you want to build a ship, don’t drum up to gather the wood, divide the work, and give orders. Instead, teach them to yearn for the vast and the endless sea.
– Antoine De Saint-Exupery (author of The Little Prince)

Visualizar resonancias del SALUD (imágenes DCIM) en Debian GNU/Linux

Actualización: He encontrado el siguiente enlace en el que aparecen algunas alternativas de visores DCIM para Linux que se podrían probar.
Esta entrada la escribo en español porque creo que puede ser útil para personas que estén en la misma situación que yo. Hace unas semanas me realizaron una resonancia en la Seguridad Social y solicité en Atención al Paciente que me enviaran las imágenes de la resonancia, como era de esperar el CD estaba escrito considerando que iba a ser leído en un PC con Windows, como en casa no tengo ninguno y no quería instalar una máquina virtual solamente para esto intenté visualizar las imágenes en mi portatil con Debian, estos son los pasos que seguí para conseguirlo (esta guía parte de una instalación de Wine correctamente configurada, un enlace con una guía para la instalación de Wine y otra entrada para una configuración más fina otra entrada para una configuración más fina):

El primer intento fue ejecutar el programa que se tiene que lanzar en Windows cuando se introduce el CD utilizando Wine:
$ wine disco.exe
Could not load wine-gecko. HTML rendering will be disabled.
wine: configuration in '/home/aitor/.wine' has been updated.
err:mscoree:load_mono Could not load Mono into this process

El segundo intento busqué el visualizador de imágenes que viene en el CD que se llama Alma3D para instalarlo, sin éxito:
$ /media/Alma3DLiteCD/bin
$ wine Alma3D.exe
err:virtual:NtMapViewOfSection map_file_into_view 0x15d0000 1000 000000000 failed
err:module:import_dll Library mfc90.dll (which is needed by L"J:\\Alma3DLiteCD\\bin\\A3dProfileSettings.dll") not found
err:module:import_dll Library A3dProfileSettings.dll (which is needed by L"J:\\Alma3DLiteCD\\bin\\Alma3D.exe") not found
err:module:import_dll Library mfc90.dll (which is needed by L"J:\\Alma3DLiteCD\\bin\\Alma3D.exe") not found
err:module:LdrInitializeThunk Main exe initialization for L"J:\\Alma3DLiteCD\\bin\\Alma3D.exe" failed, status c0000135

Es posible que se pueda encontrar la solución a los errores que han aparecido en la ejecución del visualizador Alma3D, pero creo que iba a llevar más tiempo que buscar un visualizador de imágenes DCIM (Digital Camera IMages) que funcione sin problemas con Wine y a la primera encontré éste.

Me bajé el instalador y lo ejecuté con Wine:
$ wine RadiAnt-4.2.1-Setup.exe

La instalación realizada fue la opción Express y fue suficiente para poder visualizar las imágenes. Es importante tener en cuenta que el programa utilizará una licencia Trial pero será suficiente para poder visualizar las imágenes que nos han realizado y podremos exportar las imágenes en diferentes formatos e incluso algunos videos montados con las imágenes de los cortes realizados.

Con esto ya podríais visualizar las imágenes exportadas en cualquier plataforma con un programa que visualice ficheros JPEG o BMP.

El victorioso tiene muchos amigos, el vencido buenos amigos.
— Proverbio Mongol

Continue reading “Visualizar resonancias del SALUD (imágenes DCIM) en Debian GNU/Linux”