s Gooken - Internet Search Engine and Online Excurs "IT-Security" and more ODY>




Schritt 1 - Mulitple Protection - The Basic Security Level

starting situation | groundworking theory - the security-functions | The essential idea | ISO-LSB-OpenSource with Changelogs | beautiful KDE (4.4.5, mdv, el6: "The cows are prettier than the girls!") | Hardware: driver, support, hardware-databasis | SSD optimization | seachengine/Gooken | data bases | anonymous proxy | fundamental theory | security concepts | data backup and restore | (no) updates (at last up from year 2026, "UNIX", german: "you? no.": Miro´s suneater has spoken so far, hugh!): "UNIVERSAL-LINUX" on the DAILY UPDATE-PATCH-CHANNEL (el6, el7, rosa2014.1) | Secure and stable "Universal-Linux": updates and actualizations for CentOS 6 (el6) and Mandriva | emulation of MS Windows | emulation of MS Windows | update firefox | Ad- resp. Scriptblocker: blocking everything | msec-security-levels ( level.secure: no-remote-root-login, no root-login, ... and perm.secure) | msec -MAC Tomoyo-Linux (mdv2010/el6) - Advanced Acess-Control for the process-interaction | Ordinary access control as part of msec | ACL - Advanced Access Control on files and directories for user and groups, in order to prevent brakes for example | /etc/passwd - allen entkommen: no login-shell accessible | Linux-Sandboxes: docker and firejail: to start programs going online | Root-Partition with enough memory free | Root-Partition read-only | New Kernel - Howto install and Howto patch Kernel-Sources resp. Kernel-Source | full system encryption (FSE) by LUKS | encrypting methods | LAN: connecting Linux- and Windows-hosts, file release | anti-hacker and anti-trojan iptables/Linfw3 | additional filter-concepts | Konqueror: integrated script- and adblocker, importable filter list from our update-side | system integrity check: IDS (intrusion detection systems): incron, iptables by psd (linfw3), aide, ... | installation following rootkit-scan | Session | Anonymized (and encrypted) name resolution without censorship and surveys by DNS-Proxy pdnsd with dnscrypt-proxy and /etc/hosts | Goal or own goal (Goal-Tor or self-goal)? TOR, the onion-router: Anonymization-Network | Program troubleshooting | Network Troubleshooting | X-Troubleshooting (x11-server) | Clever and Smart: All for the "little elephant": Printer Troubleshooting (CUPS) | News&Links: All (and more) about the computer, repair, network, printer, tips and tricks, more Troubleshooting | single methods and repair | WLAN | CIAO hardware-problems! Just hot and still functioning today: datasheed "certified lifetime-hardware" (energy saving, mouseclick-fast): Operating System: mdv2010.2 (updated with CentOS/EPEL (el6, el7) and Rosa on the update-channel pro-linux.de, All-in-one-Mainboard (from year 2009/2010, Mini-ITX-220/ASUS-Express 945GC/ICH7 with classical 1,2GHz-64-bit-Celeron-CPU up to 8 GB DDR-2 and INTEL GMA 950, 82945G/GZ Integrated Graphics Controller, max. 224MB 4800×1200 px, Atheros-Gigbit-Ethernet-LAN-Chip, VIA VT 1705 High Definition Audio-6-Kanal-HD-Azalia-Audio CODEC Soundsystem, 19W, socked and crashfree EZ-Bios AMI, 6×USB 2.0, MS Windows 7- and Linux-tested, 29,95€), 18,5 inch (48 cm) Ultraslim WLED-TFT-Monitor Brilliant Display (18W, 95€), SSD (1W, 128GB, 30&euro,), Steel-Computer-Tower with tower-cooler and front-LEDs, 4,95€, netadapter SL-A 500 W (19,95euro;), ...| More than 1000 Linux-Top-Games (mdv2010 resp. rosa2014): OpenGL, SDL, PyGames and more | mdv2010-final: Printer, Printer-Troubleshooting | MS Windows: Tips and Tricks for more security | mdv-2010-final: Software (65 GB + 50 GB (26 DVD ) | CIAO hardware-problems: mdv-2010-final: powersaving hardware (stable and mouseclick-fast) | Hardware (quit) for free | Hardware for free | Energy power for free (pyhsical motion incl.) | World culture shame: Defrustration and dereaction for free |Sex for free | money for free, country for free ("A revolution never took place", Niko.L.), system for free (FED, EZB, Draghi & Co.) | Everything for free | Complains and ads for free | News&Links#Computer | Everlasting Browser Konqueror: Download Konqueror-Update ( all rpm-based distributions? )|Computer | Monitor | Printer / Drucker | SSD | Network / Netzwerk | Smartphone | MS Windows Advertisement | spends, thanksgiving and quiz | Society - Computer - The Huge Fun of Sun Eating | Society - Niue-Muenzen - Pay with Mickey Maus! | No Horror in Sodom and Gomorrha: Weak point human ( weak point Germany ) - Society Report, Part 1-6 | Society, Part 2 - Crawler´s Century (Book) | Society Part 12 - Superrich.de (Forbes) - She got eyes of the bluest sky - and when there comes the rain ... ( open eye sleeping performances and arts ) - wet, wet, wet! | Beauty on Gooken: 1000× more beautiful than you: Marching to die - Narcissism into death Ads | ... unimprovable? News&Links | BACK



Spend or pay Gooken by PayPal.me :

Pay by Paypal.me: Please click here! / Spenden oder zahlen Sie an Gooken: Bitte hier klicken!

Continuation of the excurs:

Depending on instructions within file INSTALL, ./config resp. cmake or similar commads are used instead. The session comes to an end with

Our system-reference collects such UNIX-commands.

Configuration of /etc/sysctl.conf (rpm initscripts el6, mdv2010)

# Kernel sysctl configuration file for Mandriva Linux mixed up with Centos 6
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
# sysctl.conf(5) for more details.
net.ipv6.conf.lo.use_tempaddr = 0
# Disables IP dynaddr
net.ipv4.ip_dynaddr = 1
# Disable ECN
net.ipv4.tcp_ecn = 1
# Controls source route verification
net.ipv4.conf.default.rp_filter = 1
# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0
# Controls the System Request debugging functionality of the kernel
#kernel.sysrq = 0
# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1
# If you set this variable to 1 then cd tray will close automatically when the
# cd drive is being accessed.
# Setting this to 1 is not advised when supermount is enabled
# (as it has been known to cause problems)
# removed to fix some digital extraction problems
# dev.cdrom.check_media=1
# to be able to eject via the device eject button (magicdev)
# Disable netfilter on bridges
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
# Controls the use of TCP syncookies
net.ipv4.tcp_syncookies = 1
# Controls the default maxmimum size of a mesage queue
kernel.msgmnb = 65536
# Controls the maximum size of a message, in bytes
kernel.msgmax = 65536
# Controls the maximum shared segment size, in bytes
kernel.shmmax = 68719476736
# Controls the maximum number of shared memory segments, in pages
kernel.shmall = 4294967296
Last two kernel-parameter can be left out for example, especially if their values are not known.


Encryption: HTTPS-connections and E-mail

http://www.tecchannel.de/sicherheit/management/3281630/verschluesselung_ist_nicht_gleich_verschluesselung/: It is quit impossible for the user to distinguish between the many kinds of encryption. Some were used automatically without consciousness. HTTPS-connections of the Transport Layer Security Protokoll (TLS, previous SSL) are applied for homebanking or online-shopping. In the internet, the way (connection) of the data from the client to the server is encrypted. Good luck, that this becomes quit the standard, especially for significant (sensible) data. Many internet user are sensitized in this matter. But what is the encrypted data transfer good for, if security lacks enpossible hacker to make them encrypted data accessible again? One more example: One does not really know, that an email is receipt the addressed receiptor through its transfer, that is always encrypted. Since the popular internet provider in Germany used TLS to secure up connections betweeen e-mail-clients (desktop, mobil) and e-mail-server, the e-mail transfer got in a quit reliable way even more secure, but in general this is not the truth. For e-mail-transfer, at least two popular methods are already in use for many years: S/MIME and PGP respective OpenPGP, what is also part of the end-to-end-encryption. The sender encrypts the e-mail, and only the meant receiptor can decrypt it again. This refers to the content of the email only and not the metadata in the header like subject, mail-addresses or the timestamp. Once more a digital signature protects the e-mail from manipulation during its transfer.

So are you such "kmail", or interested in becoming one? Please read our section about Kmail (and other email-client-programs) then!

FSE: Full System Encryption

It is not very difficult to chroot or mount partitions by rescue-CD from the "inside" or over many networks from the "outside". Their files can be reinstalled or installed as much as getting manipulated to dangerous trojans and other malware or contribute to serious hard system-defects. Therefore FSE is needed.

Loop-AES can be take into its effect by the simple option "encrypt" out of the package-manager of the system-configuration drakconf.real resp. Yast2. For some Linux, you need to download some of the mentioned packages to get Loop-AES started (you can get them from the mdv-update server fr2.rpmfind.net), while cryptsetup resp. LUKE does its best from installation-DVD/CD without the need of further packages. Now the access time from hd is increasing a little bit (although you might get the impression like I have, that it declines...). An overview upon the different methods for encryption is given from our linkside. Notice reports about the weakness of methods like XOR-encryption. Nevertheless, processes like those for browser should always be deactivated, especially right before an USB-stick is plugged in. At least, all temporary directories, the user resp. home-directory and even the partition with the swap file should be encrypted, but see our linkside, some think, it is most important to do it for the SWAP. Newer Versions of distributions prefer LUKE-cryptsetup, see links. For single files, the popular kleopatra resp. kgpg resp. gpg freeware provides a good addition. Methods for encyption itself like AES, serpent, two- and blowfish are secure as much as XOR-encryption already depends on the conrete passphrase. Nevertheless, cracking supercomputers might exist... The amount of attempts for decryption might be restricted there, but it is still not possible to beware from unlimited attempts to crack the passphrase. At least a relative long delay between the input of two phassprases of more than 30 seconds should take into effect. Intern this can be already performed by many login into Unix/Linux. Mycompanies as much as online-banking do only allow three false-logins to need the administrator for three more attempts. For internet choose the SSL with equal or more than 128 bit encryption. Nearby Tunnel-concepts are still interesting for the case online. See linkside and checklist for more details.

1 Filesystem stacked level encryption
1.1 eCryptfs - It is a cryptographic stacked Linux filesystem. eCryptfs stores cryptographic metadata in the header of each file written, so that encrypted files can be copied between hosts; the file will be decrypted with the proper key in the Linux kernel keyring. This solution is widely used, as the basis for Ubuntu´s Encrypted Home Directory, natively within Google´s ChromeOS, and transparently embedded in several network attached storage (NAS) devices.
1.2 EncFS -It provides an encrypted filesystem in user-space. It runs without any special permissions and uses the FUSE library and Linux kernel module to provide the filesystem interface. You can find links to source and binary releases below. EncFS is open source software, licensed under the GPL.

2 Block device level encryption
2.1 Loop-AES - Fast and transparent file system and swap encryption package for linux. No source code changes to linux kernel. Works with 3.x, 2.6, 2.4, 2.2 and 2.0 kernels.
2.2 Truecrypt - It is free open-source disk encryption software for Windows 7/Vista/XP, Mac OS X and Linux.
OK 2.3 dm-crypt+LUKS - dm-crypt is a transparent disk encryption subsystem in Linux kernel v2.6+ and later and DragonFly BSD. It can encrypt whole disks, removable media, partitions, software RAID volumes, logical volumes, and files.

OK The full disk encryption resp. full system encryption (FDE, FSE) through the secure LUKS/dm-crypt has always been most important! LUKS also bewares several seconds between two manual login-attempts increasing its security. Only the entire encryption of the harddisc prevents from its "preparation" by exchanging packets, tarballs and files from outside for example managed by using a Live-DVD or even without. Many years ago I have met an elder computer-expert on the railway-station of Essen with the opinion, that all you need for security-tasks is an entire encrypted harddisc (I even undestood including the boot-partition!). But existing communication protocols tell us, that this is not the truth. Indeed, a complete encryption of the root-partiton and SWAP-partition of a SSD do theirself best against cases of mounting and chrooting in conjunction with the installation of manipulated tarballs and packets (for example by agents from foreign countries after breaking in into the computer-room). Full disk encryption solutions with LUKS only protect the data, if your computer is off. Once the computer is on and LUKS has decrypted the disk, the files on that disk are available to anyone who would normally have access to them. To protect your files when the computer is on, use full disk encryption in combination with another solution such as file based encryption. Also remember to lock your computer whenever you are away from it. A passphrase protected screen saver set to activate after a few minutes of inactivity is a good way to keep intruders out. Methods for encryption are described over links from our linksite, links from the left menu, section "alternatives". But for entire encryption of the root-partition we think

the following method using dracut contributing to FSE in main does its best: Gentoo-Schnatterente: Entire (complete) encryption of Linux WITHOUT ANY LVM and WITHOUT NEW-INSTALLATION REQUIRED!

We prefer this method also because of the possiblities of the command dracut. Notice: Only dracut (mdv2011) run with success on our environment. One more advantage: The harddrive resp. SSD gets completely demirrored by this method, so that invisible and so called "deleted" files get removed from them Then such invisible files can not be made visible anymore... For mdv2010 this method requires two SSD or two harddrives or one SSD and one harddrive and the packet dracut and cryptsetup (Luks/dm-crypt), you can get not only for Gentoo but from fr2.rpmfind.net also for mdv2010. At first, a around 500 MB sized boot-partition should be created by the partiton-manager out of MCC. I won it out of the my relative large swap-partition. Now you can follow the depicted method form the linked site even for mdv2010 using dracut and cryptsetup (LUKS/dm-crypt). Depending on the kernel, in our example kernel-desktop-2.6.39, you can also use btrfs or ext4, reiserfs etc for the formatting by mkfs.filesystem. In order to format by Luks, cryptsetup is not performed as described there, but as follows

mdv2010 offers all, full and partial system- and disc-encryption (FDE) by LUKS and the encryption of the boot-partition and the load of memtest by grub2 in the sense of the configuration of /boot/grub/menu.lst, where an md5-encrypted password can be set for each bootable kernel and memtest.

man fstrim: Intensive usage of fstrim or "mount -o discard" can influences the life age of minor-qualitative SSD-devices. For workstation and server It is recommended to execute this command one time the week. Notice, that not all devices support a overruling-queue, therefore such overruling command causes minor performance for all devices and commands accessing the harddrive.

cryptsetup -h sha256 -c twofish-cbc-essiv:256 -s 256 luksFormat Root-Partition

cryptsetup -c aes-xts-plain64:sha256 -y -s 256 luksFormat Root-Partition

cryptsetup -c twofish-xts-plain:wd256 -s 256 luksFormat Root-Partition

Ubuntu 10.4:
cryptsetup -c aes-xts-plain64 -s 256 -h sha256 luksFormat Root-Partition

and since Kernel 2.6.20, they told us in general:
cryptsetup -c aes-lrw-benbi -y -s 256 luksFormat Root-Partition

all for 128, 256, 384 and 512 bit, here 256.

dracut itself should be started by

dracut -f /boot/initramfs-4.20 4.20.6.pclos1

To be careful, take dracut (el6) or dracut-008-3 for mdv2010.0 and 2010.1 (from mdv2011, but we do not recommend higher!).

For SSD useful kernel options to add in /etc/fstab and /etc/crypttab even for the encrypted swap-partition are:

noatime (or relatime) and data=writeback

We prefer notaime. noatime stands for "no atime", the same for relatime except time to time. data=writeback finds an effective compromise between journalling and non-journalling of journalling filesystems. Such options are provided up from kernel 2.6.39 or some earlier. Option discard does only work, if luksFormat has been made with option --allow-discards.

Have a look at your kernel-modules by the command


and add to dracut.conf, section " # additional kernel modules to the default the following modules:

add_drivers+="dm-crypt dm-mod twofish twofish_common cbc cryptd aes aes_x86_64 aes_generic sha256 sha256_generic xts lrw twofish twofish_common snd_hda_codec_via loop sr_mod dm-mod dm_region_hash dm-crypt dm-snapshot dm-multipath dm-mirror dm-log dm-log-userspace pata_acpi ide_core binfmt_misc ide-pci-generic ata_generic ata_piix libata ide-cd_mod i2c_core ohci_hcd ehci_hcd usbcore pata_amd ide_pci_generic ide_gd_mod ide_core pata_acpi sd_mod reiserfs i915 drm i2c_algo_bit i2c_cor sd_mod scsi_mod dv1394 ieee1394 ohci1394 raw1394 sbp2"

Same modules should be entered in /etc/modules.

For /etc/dracut.conf.d/dracut.conf of dracut (el6, 008-mdv2011) for kernel like kernel-desktop- (mdv2011) as much as kernel-4.9.49 and 4.20 (PCLinuxOS) with mkinitrd (mga2), nash (mga2), dracut (el6), glibc (pclos) and LUKS/dm-crypt (cryptsetup (pclos, rosa2014.1, fc, el6, ...)) we enter the following:

# Sample dracut config file
# Specific list of dracut modules to use
dracutmodules+=" crypt dm dmraid dash i18n resume multipath selinux base kernel-modules biosdevname lvm mdraid rdma lvm dash fips fips-aesni rootfs-block udev-rules terminfo base fs-lib shutdown caps" # Dracut modules to omit
omit_dracutmodules+=" redhat-i18n img-lib usrmount network debug nfs fcoe iscsi ifcfg gensplash nbd"
# Dracut modules to add to the default
# additional kernel modules to the default
add_drivers+=" dm-crypt dm-mod twofish twofish_common cbc cryptd aes aes_x86_64 iso9660 ext4 asus-nb-wmi ahci ata_generic aes_generic sha256 sha256_generic lrw xts twofish twofish_common snd_hda_codec_via aes_generic scsi_mod loop sr_mod dm-mod dm_region_hash dm-crypt dm-snapshot dm-multipath dm-mirror dm-log dm-log-userspace pata_acpi ide_core binfmt_misc ide-pci-generic ata_generic ata_piix libata ide-cd_mod i2c_core ohci_hcd ehci_hcd pata_amd ide_pci_generic ide_gd_mod ide_core pata_acpi sd_mod reiserfs i915 drm i2c_algo_bit i2c_cor sd_mod scsi_mod dv1394 ieee1394 ohci1394 raw1394 sbp2"
add_device+=" /dev/mapper/luks-21e3b216-458b-c191-1231-41ad48311a21" # list of kernel filesystem modules to be included in the generic initramfs filesystems+=" proc tmpfs"
# build initrd only to boot current hardware
# install local /etc/mdadm.conf
# install local /etc/lvm/lvm.conf

Not all SSD (microcontroller) support allow-discards resp. TRIM, although TRIM is strongly recommended to increase their performance. This has to do with the kind of deletion. With TRIM, 4 KB blocks are deleted at once instead of large 512 KB blocks at "any" time causing many hugh gaps called fragments.

Notice, that the keycode for the keyboard is not loaded completely for special chars during the boot with dracut. Whenever the passwords for the decrypted root-partition are entered, keys for special chars still exchanged, so that the typed-in passwords containing special chars do not fit to the meant regardless from setkey in /boot/menu.lst of grub. For example key y still stands for key z! dracut stops the booting after three times wrong passwords have been entered. In this case the root-partition is quit lost!

We think, that a Live-CD/DVD or an USB-stick is not needed except (but then as a must) for repair of the encrypted partitons (and up-to-now we ourselves do not know even such cases...), where they can be mounted followed by password-request, but in the well-known way by the command mount, if package mount_pam is installed! Use Knoppix-DVD or create such DVD through Mindi or Mondo or install mdv on USB using mandriva_seed. For the last purpose you can also download MandrivaOne out of the internet. Did I tell you? Nevertheless do not use Live-Linux from such media for luksFormat! So all in all, thanks, "Gentoo-Schnatterente" it managed us to achieve full disc- and system-encryption without a new installation and without any LVM, all doing fine for mdv2010.0 too! It is working such fine, that you can also order a dd-command (dd always worked fine on my SSD for many and all times, although some tell us the opposite...) based copy onto your (except boot-partition with dracut and kernel- full-encrypted, at least 120GB sized SSD including the encrypted SWAP and main-themed root-Partition reiserfs, reiser4fs, ext4 (recommended) or btrfs! 60GB-packaged mdv2010.0-x86_64 (64 bit) with a separat encrypted home- and free-partition from us (Gooken) for 20 €, password for all encrypted partition: "full-encrypted-ssd-mdv-2010-x86_64-software60GB". Please tell us, if you ever get any problems with your computer based on this SSD (we think it´s impossible...)!

A report about FDE (full disc encryption) on the base of LVM with Luks on the base of Ubuntu, but with new installation required for example is linked here..

There you can read about the fact, that quit all efforts for security remain still essential, what is based upon the usage of communication-protocols by their nature and remaining risks of system-interna.

One more report about FDE resp. FSE on the base of LVM for Ubuntu, that is offering a link to a script for automized FDE: FDE (full disk encryption) by LUKS for Ubuntuusers (in german language, but we think there is one in english available too).

Trim the SSD (if its micocontroller permits it): http://wiki.ubuntuusers.de/SSD/TRIM

And for mdv2010 by Live-CD/DVD for example please read this well illustrated article: FDE (full disk encryption) with Luks and LVM by installation- or Live-CD/DVD.

OK FSE means to encrypt all USB-sticks too. If you want to know, howto encrypt an USB-memory-stick with LUKS, please click here. Whenever an USB-stick is put into the USB-slot, KDE4.4.5 immediately opens a window for the typing in of the password, if autodetection is activated by the user. After this, a special plasma for plugged-in media and harddrives offers several programs to open the USB-stick. If you do not like to open it this way, take dolphin to access files from the stick.

One more encryption for mdv2010 still without new installation required is performed by LUKS on single partitions, at least upon the partion for home, swap and temporary files, all without LVM, click here.

We also link in links section alternative to a website explaining how to encrypt USB-memory-sticks without LVM, but with LUKS (analog, just the device has to be set for the stick). Now, with installed packet mount_pam the stick can be easyly mounted as all LUKS-encrypted partitions by "mount /dev/USB-device_name any_mountpoint" and unmounted by "umount.crypt mountpoint".

LUKS Cryptsetup Iso9660 - howto setup encrypted CDs and DVDs with LUKS: LUKS has also some great features for encoding iso-images: http://www.sourcentral.org/luks/iso9660/

In some of such cases knowledge about LVM (logical volume management) becomes quit essential, please click here.

Against the unyielding opinion of a the 90th personally met expert, the complete encryption of his harddisc protects against everything, communication-protocols do still their work upon even once encrypted but decrypted working directories and files. Nevertheless, in order to prevent not only the risk from the inside (computer-room), but also the outside (online and other net), it makes most sense to create an FSE consisting of a separate LUKS_encrypted partition for all the sensible user-data beneath the decrypted root-partiton using dracut and by LUKS.

A hardened kernel called RSBAC-Kernel (mdv2010 kernel-rsbac- can also be booted up in the case of disc-encryption like FSE and FDE through dracut, by

rsbac_softmode rsbac_um_no_excl

These two boot-parameters are added to the other boot-parameter like "nosmp" and "speedboot=yes" in /boot/grub/menu.lst of Grub (mentioned rsbac-version is also running for mdv-kernel-2.6.39). We have made best experiences as the hardened kernel did not seem to restrict any functionalities.

One more access-control is pregiven for the X11-server in the case of LAN, therefore named X11-Server-Access-Control. The core of the x-protocol provides a authentification for hosts. By the command xhost a list of allowed hosts can be set. After a first query by typing xhost, access control is already enabled, so that only authorized X-clients can connect. X11 offers place for so called extensions, one interesting here is named the X11-SECURITY-EXTENSION. It differences in trusted and untrusted X-clients keeping away from reading windows-contents, controling inputs of other clients etc.. This all is documented within within the package xorg-docs, the documentation of the X11-server.

For server, for example Apache webserver, you can configure apache.conf resp. httpd.conf after configuring samba for your local network (LAN), Squid for Proxy Server and Privoxy for netfilter as a kind of firewall-(pre)filter, although rules are collected in what is called firewall pure. All in all, against backdoors and hacker, a firewall like the iptables based linfw3 (other OS: remark the referential character of linfw3) is still needed in many cases, even, if it is just making up the background, which iptables-code (incl. logging) has been certified by ICSA and tested by generations of mighty communities like universities, banks and industries as much as private-investigators from all over the world. With linfw3, the construction-time should become nearly no one anymore, while transparency of computer-age is increasing up to a maximum. Proofs for its correct, reliable working are supported by its many test-opportunities the modules and its strategy conditioned scientific completeness, companioned by transparent and good understandable code. Ports of each connection are iptables-natured distinguished into source- and destination, not all FW support this concept. While other FW almost depend on version and distribution, linfw3 keeps stable independent from (most) all of them. The higher flexibility: Any increasing amount of iptable-modules can be integrated. Even if your kernel or iptables-version does not support all modules of iptables, through always present includes of all fundamental blocks, linfw3 does not loose much of its effectivity - so that the system is always reacting basically secure. linfw3_active

OK So linfw3 sets an end to naivety in basic IT-security matters for a lot of more than six main reason:

1 Like Klean it is written in UNIX-SH (OS-mother UNIX). This provides unbeatable transparency of code for everyone. Rules, that can be implemented in many wrong ways, are described in all details instead of at last somehow but nowhere
2 its basement on (by years-long tested) built-in open-source filter-set iptables/ipchains and
3 the possibility of modification and enhancement to a standard you like
4 the block of ALL HACKER,HACKER-REQUESTS A N D ALL TROJANS in a good understandable and one of the best ways on INPUT (client/server) and FORWARD (router) by state "NEW" as much by a "beaming" prefilter on NEW and match OWNER
5 its optional, detailed protocoling of each intrusion-attempt in possible limitation and
6 the increase of throughput up to a maximum, higher than without or by many other FW

eth+, ppp+, ippp+, .... : What kind of interface (ppp0, ippp0, eth0,...) you are using doesn´t matter. Certainly I can´t give you any guarantees that this firewall solves all of your security-tasks. Also remember in security-matters, that firewalls generally can´t be blamed for all lacks in IT-security. We are going to see this in the second step of the excursion, where the question of concrete analyzes of data burdened in payload is almost more user-friendly supported by the concept of what we like to call "a d d i t i o n a l (REFINING) p a c k e t - f i l t e r s" (than by iptable´s module string). This helps to reach a sufficient security-level (for any system), especially after the just two steps of this excursion have been performed.

Now we dare to compare linfw3 with other FW more concretely: no hackers, no trojans anymore- no intrusions possible! GUIs are not expandable, or one can get difficulties by misunderstandings - with DIALOG everything is explainable and bewaring software-transparency. You can choose and modify dialog-(alternative cdialog-) widgets in order to get an easy to handle OSD-like outfit. Help-items guarantee user´s right answers to different questions instead of not knowing what to enter. By many FW Hacker often still have chances to intrude, they do not have any (!) through the consequent integration of iptable´s state NEW. Installation- and configuration-time take several minutes or more than one hour, with linfw3 you just need one up to five seconds for installation (i.e. with krpm) and up to 1 to 10 minutes only for configuration. The handling with Samba might not be correct, so that Samba does not work, with linfw3 Samba works within seconds. The quality of the FW-socket can´t be tested - linfw3 presents a statistic for different iptables-version that helps quickly to separate the secure from the lacked ones to patch. Protocoling does not come to an end - linfw3 can limit the amount of log-entries by time or packets through time, packets, general restrictions and many log-levels. Many firewalls suffer from one update or upgrade to another, while linfw keeps the highest possible transparency for self-correcting: instead of authors by its users. The same for the expansion of the filtering rules: It is almost very difficult for many firewalls to expand, with linfw3 it is nearly childish and as without any dimensions. ICMP Traffic is not blocked in many firewalls, linfw3 can block all ICMP-type by -type. A lot of FW forget to block trojans (risky outgoings). linfw3 blocks trojans and programs port-ranges by port-ranges, by match OWNER containing CMD, PID respective USER- and Group-ID, last ones configured to 2, the daemon of privoxy, that enables the block of scripts similar to special firefox-addons and ad-filter (for Firefox <= 2.0.0 recommended), or by adding any new group only not belonging to root, even sessions by session-id; work in all FTP-modes (especially by opening such ports like ftp-data resp. ftps-data and ftp resp. ftps), change characteristics up from single- or multi-user, client, server up to router, enjoy special hardening of rules by choosing the right FW-strategy (DROP-policy), change log-levels from simple protocoling info(rmation) to warn(ing) by default up to alert, crit(ical) or even emerg(ancy), where each intrusion is indicated by its own window in accordance with beeps - here´s the overview:

Packet filter: Firewall

Linfw3-(UID- und GID)- OWNER- and ELSE-PORT-LOG (all deactivateable!) on the base of Mandriva 2010: Trojans and hacker "squeaking" mad

linfw3_description Most features of the dynamic firewall linfw3:
For beginners and advanced on their look out for the really secure solution up to the expert for formulation of high-end ones


With this firewall you WON´T GET ANY HACKER, TROJANS AND SPYWARE anymore!

Simple&effective Kernel-konsole-GUI dialog (resp. cdialog) with permanent help-item in native UNIX-sh(ell-language)/bash

main configuration by dialog is structured by all (NYN+YN+kernel-parameter), NYN (non-yes-no-values), YN (yes-no-values) and kernel-parameter (KP); advantage: fast reaction in detailled configuration depend from different situations; for port-release, and for example you can allow and forbid downloads out of the internet via ftp, many single log-options, STATE-NEW-lined-blocks, modules of iptables, change single IP for mailserver, ...

configuration is possible from two sides: by GUI-dialog or by the UNIX-Standard-editor for the konsole xedit, ed, vi, vim, further on pico resp. nano within the textmode as much as by a common text-editor like kwrite upon the main shell-script

native design, sufficient transparency, easy configuration, high extendability, maximal secure

for 2.4.x and 2.6.x kernel or higher, all kernel, all UNIX (please mail, if not)

Linfw3 runs on all terminal-programs like Konsole, xterm, aterm, yakuake, ...

and can also work beneath a separate router-firewall ( "doing it all more or less twice" ) as much as alone.

A kernel still might be able to build-up connections through glibc. Therefore choose the glibc we recommended above for example: glibc from mdv2012 in mix with glib-utils, glibc-profile, glibc-i18ndata from Mageia Cauldron 3 (mga3), alternatively all glibc-packages from mdv2010. A secure running glibc is indicated by a calm working of the computer-system (the never blinking red LED).

for all protocols within the address-rooms iptables-ipv4 resp. iptables-ipv6

support of all interfaces: DSL- and analogous modems (ppp), ethernet-cards (eth) and isdn (ippp)

Indication of the state for activated and deactivated iptables-rules in * (active) and # (deactivated), ftp for disabled ftp-downloads, ftp for enabled ftp-downloads, lined for either state-new-lineblock-only or addition UID-/GID-owner or UID-/GID-owner root in the headline of the main menu in addition by the indication of the reached FW-security-level in percent and the last called menu-item
  • Linfw3 also for server and anonymized surfing: To make it very secure, server (httpd/Apache, SAMBA (LAN), SSH/SFTP/FTP, media, printer, Tor (even Tor-Browser/client), browser...) might have got their own user accounts with belonging groups upon UNIX/Linux-file-systems (in coordination with protecting owner- and access-rights (including ACL: chown, chmod and getfacl/setfacl). User accounts can be freed, (login-shell-) blocked and locked manually or within the system-configuration). On this website, we describe in detail, how to set such owner- and acess-rights and how to configure the configuration-files for different server. At last through setfacl other user neither can see quit anything (no possible reading of files and directories), nor overwrite (files and directories), nor execute (files and directoires, sandbox), while the server-configuration-file often sets more internal filter. And additionally do not forget the other concepts of LINFW3 like port-release/-blocking, relevant for server too. As a sandbox, firejail is recommended additionally (but it is not a must anymore).
    All this methods and concepts are explained in detail within this step of our excurs.

    connection- resp. traffic-monitor (iptables module contrack) in refreshed frequency 1 up to 9 seconds: In some seldom cases, client programs require the releases of IP or ports, especially those, increasing security-lacks. Contrack helps to find out such IP and ports, to be set in LInfw3 for releases (e.g. in section I P - h a n d l i n g)
  • Connection-Tracking:
    Time-Wait: blocked conncetions, listed with the IP of hacker and Trojans, that can be precised by the command whois. Many are invoked by the call of websites in the address-line of the browser
    Close: closed connections
    Established: established connections

    Color-adjustment: /root/.dialogrc

    iptables-ruleset-monitor (after each activation by the debugger)

    Estimation of the FW-security-level past each new-configuration

    We recommend in future, to use "https" (resp. port 443) in TCP-INPUT-SPORTS only by removing www (resp. port 80) from this list. Use Tor for port 80, although this is not recommended for Tor too.

    „just-surf“-concept: almost default for the mode single-user

    With this native firewall of a strong referential character you can even make presentations in detail ... without risking hacks after configuration. Now the secret of howto get rid of (hacker and) all trojan is known by Gooken for a larger public audience instead just a small circle of some UNIXer.. Beneath viruses you can get rid of hacker, trojan (except the risk with the browser itself), dialer and connection-breakdowns! Therefore this FW is closing ENTIRELY ALL PORTS from the outside to the inside within its main part and through infinite beams - while only those from inside to outside for the from you built-up connections are opened. This is made possible in at least one of three main ways marked by H1, ..., Hn for methods against hacker and T1, ...., Tm against trojans:

    1) some kernel > 2.6.12 by PID- or the reliable automized pid-Agent of LINFW3 (please notice, that we did not test kernel >= 3.X.X) (T1)

    2) kernel <= 2.6.12 (we recommend the last version 2.6.12-31): like 1) and/or CMD-(command-name)-owner (T2) of the command resp. process by name especially for some browsers only like mozialla-firefox (mozilla-firefox, firefox or firefox-bin) for firefox, kdeinit for Konqueror and so on

    3) independent from the kernel version (almost, but not 100% secure) by the usage of a separate netfilter like privoxy pre- resp. reconfigured for user daemon and group daemon (T3), where the user- and the group-ID have to be set to daemon resp. almost number 2 in Linfw3 through GUI dialog, especially if the netfilter is advised to a free determinable port and if connections of that netfilter as in this case privoxy, are limited within all its configuration resp. action-files of /etc/privoxy to 80 (www) and 443 (SSL): "+limit-connect{80,443}".

    CMD-owner and its more secure (!), but also within SMP-(mulitprocessor-)Linux-kernel destroyed subsitution SID-owner, what would have been a userful addition even to the following, can only take quit similar in effect by UID- and GID-owner (T3) as follows:

    UID- and GID-Owner enpossibles the access into internet for processes like firefox only, while all other processes are blocked by LINFW3:

    set chmod 700 -R to /home/surfuser.
    1. Create a new group and add a new user to it:
    * Create: groupadd surfgroup
    * Validation: grep surfgroup /etc/group
    * Add a user, that ONLY is allowed to surf to this group: useradd -g surfgroup surfuser
    If the user should already exist, enter "usermod -g surfgroup surfuser"
    2. Only a password protected user named other_user_member_of_surfgroup is allowed to change the group (by command sg) to the group named surfgroup in future after performing the next steps, while the server-port 80 as an exception of the (rare to keep) ports allowed from the other end of all conneciton only does not enpossible any uploads of files resp. information:

    /bin/su - surfuser
    Password for surfuser
    sg surfgroup firefox

    You can enter this commands for the entry, here firefox, in the K-menu, you just have to enter: kmenuedit (or right mouseclick on K-Menu, where to choose "edit") "surfuser" for the input-field for the starting user and "sg sufgroup firefox" for the field for the command. Now you do not need a terminal to start firefox anymore. Instead, the password-window for surfuser appears before firefox starts. You can not, you should do this for all communicating programs like ifup eth0, ifdown eth0, konqueror, gftp, kphone, kdict, xchat, tv-browser, eboard and so on. You do not have to do anything else to get with the programs into the net.
    4. Now the process, here named firefox, is starting. The connection is owned (exclusiv resp.) only by surfuser with group surfgroup, where surfuser is member. In order to preven read and write access, access-rights should have been set adequately. Therefore you can close or end the terminal already now (never forget to logout from terminal by command exit or clicking with the mouse onto close or the command for end out of the menu of the terminal, especially as superuser root!)

    After the field "remind password" is filled up by making a cross per mouseclick, the password for "su - surfuser" from above needs not to be typed in once more the actual session.


    or, if you closed the terminal by mouseclick, in order to free some capacity for surfuser you can type:

    killall -u surfuser

    Do this step by step 1.-4.for each process (here it is firefox) that should build up connections. You always have to enter the very ensecuring password for a change to the other_uer_member_of_surfgroup. Now process firefox is started by surfuser and group surfgroup. The terminal, if K-Menu remains unused, became a center for all online traffic (here of process firefox). It is also possible to write an adequate shell-script for the input of the meant process to click upon by mouse, but this is not such secure for the storage of the name resp. ID of the surfuser and surgroup. Also think of a script containing the questions for even them.
    3. Now start Linfw3 or edit its main-script LINFW3.sh and configure GID within the NYN-section by assigning the UID and GID for "surfgroup" resp. belonging user name and group name. Please care for LINFW3 being configured in the YN-section to block all other UID and GID. This way is secure. One more advantage: you do not have to release and block each of the many, many programs that is elected to build-up a connection into the net like essential within the configuration of many other firewalls!

    To be even more careful, do not let surfuser be member of the group named "wheel", all other users are members of. It would be one more advantage to remove the option "exec" for the (we hope like the root- and separate partition: encrypted) home-partition out of /etc/fstab (although this might be unnecessary), while the option "nodev" can be added. In MCC (drakconf), part msec, where this opportunity is explicitly mentioned, you can configure resp. set by convenience, that only users, that are member of the group named "wheel" (wheel-mice) are allowed to change to superuser(-mode) by su. After this, members of this group wheel are all user including root except surfuser. The directory with the locked desktop-icons can be moved to /usr/local to get unlocked again.

    OK Hooray! First the risc was reduced to trojans and then upon once opened connections only - a risc of many firewalls! With this method (most perfect would be to add the protection by the integrated port-concept or SID-Owner instead of the insecure CMD-owner), a process, here named firefox, is assigned a new user-ID and group-ID that allows to comunicate password-protected only within the net, while his previous one belongs to all those blocked like all the other ones including root. After perfoming this for firefox (similar for programms with other communication-protocol like xchat, filesharing, kphone, TV-browser and bidwatcher (Ebay-auctions), you can do this process by process for all processes you are going to allow to communicate within the net up from any certain time you want. The group-ID itself should be less all those ones listed for the groups of user by the command "id", for example choose GID 28 (< 500) for surfgroup. The BIS recommends this method starting processes with another, second user-account for important bank-transactions and so on. Remember this kind of start of firefox by su and sg in future. Notice, that Linfw3 can be enabled to allow processes for E-mail-transfer (smtp, ssmtp, pop3 and pop3s, imap), time server ntp, news, (s)ftp either in conjunction with the IP or in general, the same for all your server after their configuration within Linfw3. There is a special option for ftp- and ftps-clients (ftp and ftps) to run for set UID resp. "surfuser" and GID resp. "surfgroup" only.

    Do not forget to adapt the access-rights, so that reads and writes especially upon user-accounts are really forbidden! In order to prevent the reading of emails and news, do not follow this way for email-clients and news-reader. Use certificated by BSI ones like kmail, knodes or kontact by just choosing the options "allow pop3s", "allow smtp" and "allow nntp" within Linfw3

    One more (similar to the refered) portlist additionaly cares for the traffic through ports independent from OWNER, for example needed for ntp

    Alternatively, in order to resign from the terminal for net-communication-processes, we can use a proxy with its own user and group like privoxy with UID and GID 2 for daemon. Such owner and group do own only a few directories and files, but not all clients do allow to configure proxies. As there is no password-protection build up of connection owned by user squid or daemon, this has the advantage, that processes and trojans can build up connecitons over the proxy. For this purpose the proxy should be started password-protected by "su - surfuser-daemon-or-squid" and "sg surfgruppe-daemon-oder-squid "/usr/sbin/squid-or-privoxy /etc/privoxy/config"".

    The use of sg similar to su (change to superuser), in conjunction with following methods, trojans (and hacker) do not have chances anymore!

    4) all kernel: fundamental block of hacker and trojans follows the (server-)port-release of INPUT-source- and -destination-ports - (H2 and T4) with belonging OUTPUT-port-settings

    almost independent from kernel-ver: UID- and GID-owner by user-ID and prelonging group-ID (T4)

    You see: Once descripted how and howto, you know everything too! All methods do profit from the distinction between incoming and outgoing ports (H2 and T4), so that many connections can not be established neither from the inside to the outside nor from the outside to the inside. Therefore it is good to know, that one port stands for one and the same certain service resp. server resp. communicaton-protocol only. Anyhow such services should be restricted on your side (H3 and T5), what can be done within the system-configuration. Hackers from outside to inside do not have any chance by the additional target DROP in conjunction with their STATE NEW on chain INPUT lined completely out at the beginning as much as on all opened and closed ports in the following parts (H4). You can also use the iptables-module STRING (H5 and T6) and/or a scriptfilter (H6) like netfilter privoxy, firefox addon-plugins like adblockplus and disconnect. Last one is recommended by prism-break.org. Tagesschau.de already critizised adblockplus for some includes. NRW-TV recommended Noscript, consisting of ABE and blocker of plugins like shockwave-flash. This plugin enables read-write-operations on harddisc resp. SSD. Forbid this by configuring this plugin within the kontrol-center resp. workout-configuration by clicking on the appearing self-named icon. We also think of the adblocker of the standard-browser Konqueror with the opportunity to import actual lists out of the internet for its adblocker, that is also functioning as adblockplus (even out of the toolbar to add new items) or many other scriptfilter, and do not forget servers by additional specifications like within httpd.conf (Apache). Noscript itself should block all scripts by default (configuration). Now elements of the website might not be shown anymore, that are shown again, if belonging blocking scripts gets sequences allowed. We suggest the adfilter of konqueror, that is working like ublock-origin and noscript. If all javascripts are blocked by the expression like "*.js*", same for perl by "*.pl" each blocked script can be allowed again after clicking on the symbol for the adblocker in the status bar within the opening administration-windows. This follows our firewall-strategy "forbidden is, what is not (explicitly) allowed!". The adfilter finds out all suspicious scripts, listing them loaded webside by webside within the administartion-window. You can order an importable filterlist for the adfilter of Konqueror with more than 8.000 regular expressed entries from Easylist and other collection for such entries also from us to download by our order-formular for a onetime protection-fee of 10 €. In general, such list actually cuts out neither too much nor too few elements out of websites, but still has to be actualized permanently in the way we described (from webside to webside).

    P(rocess-)ID-Agent for all kernel version:
    The PID-agent (T1) of linfw3 periodically checks out the activation of any allowed processes resp. their PID (CMD section with acceptedprograms) in 25 seconds (by default), in order to enable only their access from inside to outside during activation (except always accepted processes from WPC-processes resp. from a list named processeswithoutportcheck, if set). The only point is, that you have to wait up to default 25 seconds each browser newstarts before websites can be built up for the first time. This all does not influence the guaranteed transfer for email (pop3, pop3s, imap, imap3, imaps, smtp), time sever ntp, Usenet news (nntp), filt transfer ftp and ftps, independent from all this as described in another list-item), although alternatively by the fact that many trojans send email such processes can also be started like the other communication processes only, by typing again "su surfuser" and "sg surfgroup process" after allowing belonging ports through the Dialog-menu (or manually).

    Special programs with many ports to open named in a separate list (called processeswithoutportcheck) like for internet telephony (skype, skypeforlinux, kphone, ...) can be trusted by the PID-agent in the same way, but without essential port-check!

    Further on Linfw3 sets an end to all system-dependencies and lacks in configuration-possibilities

    Process names to resolve for the owner-concept can initally be found out by the process-audit of linfw3 owner

    Dialog menu with direct-help-support, nothing that could be overseen or configured wrong: The configuration part is structured into three, all significant values configuring sections: NON-YES/NO-values NYN, YES/NO-values YN and kernel-parameters. In mode transparent, more values and default rules based upon iptables can be edited by pico resp. nano (default: nano)

    standarized protocoling: fine-tuneable by example-file syslog-example.conf, what opens the into the control-bar beneath the tray minimizable, each attack blue blinking live UNIX-system-message-window (KWrited, see our picture below) for all (log-level) emergency including the protocolings resp. loggings of LINFW3 (we ourself always prefer this mode); after each new log-entry such window remains blue colored until you have analyzed it by maximizing its window out of the system-tray; beneath that, each log-entry is stored in a system-logfile; of course you can always find out the needed data about the right in time protocoled actual hacker by "whois IP" delivering the information

    organization, domain, server and e-mail-address

    right onto your computer

    alternativ geioplookup from geoip

    GeoIP Country Edition (Land): US, United States
    GeoIP City Edition (Stadt), Rev 1: US, RI, Rhode Island, Riverside, 02915, 41.772701, -71.350304, 521, 401
    GeoIP ASNum Edition (Provider): AS701 MCI Communications Services, Inc. d/b/a Verizon Business
    geoip-Blocking (of countries like de, en, cn, ...)

    not only complete blocking, but also proctocoling through kwrited

    fast checks of modules of "firewall-language" iptables- related to different kernel versions

    Lined out blocking from outside to inside by state NEW at the beginning, over ports in the middle and complete like at the beginning in the end part, hardened by blocking through the rules for POLICY

    certified norms from universities, ICSA and international press

    regard of Internet-Telephony (configuration see checklist)

    multi-layered firewall by the GUI for kernel-configuration Dialog, rules in dialog mode with explicit help items and transparent-mode

    extensible protection by Dialog supported settings of kernel-flags like ECN (Early Recognition Notification), bootprelay, TCP-keep-alive time, IP-fragtime, against redirects, source-route, IP-hightresh and -lowtresh, martians, ...

    The strong referential (universal and optimized) FW-character presents the right configuration for all FW

    Beneath several strategies, Linfw3 mainly follows the more efficient (for all better to handle) FW-strategy „forbidden is, what is not (explicit) allowed“ (and not:“ allowed is, what is not forbidden“)

    In order to achieve the promised security for the calculation of delays of iptables itself, network should be up after the booting of the operating system (you can control this for example by the command ifup and a belonging network-applet), while the amount of services (server-ports) generally got restricted through settings made within the MCC (control-center) of the operating system

    quick activation and deactivation by DIALOG-Menu: secure receipt of email (POP3, POP3s), news (NNTP), secure news (NNTPS), ssh, telnet, up-/download of files and name resolving WHOIS- and (D)NSLOOKUP-queries - all independent from SATE, IP and subnet-mask and from configured modules like Owner and concepts etc.. You can also set different belonging IP resp. IP/subnet-masks for more restrictions. We repeat: alternatively by the fact that many trojans send email, such processes can also be started like the other communication processes only, by typing again "su surfuser" and "sg surfgroup process" after allowing belonging ports.

    The main output of LINFW3 consists of an UNIX fundamental usability also by one shell-script only protocoling

    fast script-switching through the Dialog-menu of LINFW3 between the configurable main part and alternative parts with alternative scripts by dialog-menu-item "STATE-NEW-LINE-BLOCKS": either a) closed STATE NEW lineblocks on chain INPUT only or b) STATE NEW lineblocks on INPUT in addition with blocks upon UID- and GID-owner for the arranged surfuser and the surfgroup only on chain OUTPUT (using above concept) resp. c) like a) and b), but only for the user and group named root (this case is not unimportant for quick updates of software and packages), very effective for system-updates with auto-installation, some other updates, updating firefox, still disabling all hacker and quit all trojan

    with section for router ( that can be supported in addition by tcp_wrapper )

    hardened, cored UNIX; highest orientation on UNIX by UNIX-sh

    iptables-rules are in effective order/structure

    blockrate: default 100% (each packet), depending on the iptables-ver

    protection up from the first connection built-up during system-start

    prevention for health and time reason from always typing „iptables“

    living support by authors of iptables. For (if ever necessary) expansion you can find plenty of sources out of the internet

    ability for auto-configuration through own boot- resp. runlevel-init-script for quick autostarts, with statistics for quick tests on different iptables-versions/-sets; ready for Samba (Netbios) within seconds. Each modules of iptables can be activated or not and therefore be tested

    expandable, dialog-styled GUI in the look of iptraf (iptraf-ng(rosa2016.1, rosae2014.1)), one of the best for firewalls and well-known from kernel-configuration

    Dialog based, scaled indication in percent of the estimated FW-Security-Level reached by each configuration, details about basing security-lacks, with the opportunity to precise all evaluating factors and information about detailed single lacks within the configuration up to any aimed exactness

    stability by TCP-FLAG-PROTECTION against sudden connection-breakdowns, shoot-ups (of processes like browser or FW itself), unexpected system-newstarts, annoying application-closures, system´s and application´s hangs and halts

    configurable kernel-parameter like martian-option, freeable from any false alarms

    For installation all one need is an any secure, not necessarily the newest, a rel. tested and patched iptables, eventually patch-o-matic from netfilter.org, dialog equal or greater 0.9b-20030316, because of INPUTMENU with several textfields and an editor like pico or nano (default: nano), all see download-section

    transparent: without any black or complicate source-code

    modules easy configuration by almost simple „yes“/„no“-settings

    reliability: linfw3 is never the cause of any net-problems, neither during ftp-transfer, for tunneling, usage of a proxy-server or anything else

    working upon all protocols and ICMP-TYPES e.g. to reach stealth-mode

    detailed protocoling of all kind of attacks, if wanted, even martians by a window opening kwatch or the each log-entry of linfw3 in blue color blinking kwrited (/dev/pts/0 or /dev/pts/1 and so on), both minimized for the system-tray; for such purpose, linfw3 contains an exemplary configuration /etc/syslog.conf of syslog to envoke kwrited and to protocol FW-messages and system-messages into different logfiles within /var/log

    user-section "user-defined" 65) to formulate Linfw3 up to a high-end, in order to allow more protocols than just UDP and TCP, to integrate iptables-rules using further iptables-modules and so on

    LINFW3, section 63) iptables-rules for IPSEC (freeswan)

    LINFW3, section 64),NFQUEUE and QUEUE, packets storing queues for the authentification-firewall-addon nufw and other applications

    Many different test-opportunities consist of: a debugger for the syntax, a compare-base for "SHOULD- AND IS"-log-analyzes-compares;

    full-compatible with other "additional" filters mentioned in step 2

    CMD-audit for the easy prevention and deinstallation of all trojan

    speed-optimisation: increase of data-transfer-rates up to 30% by maximizing TCP-throughputs, minimized UDP-(DNS)-delays by choosing the right TOS (Type-Of-Service) and through prefiltering through beamy state NEW,

    address-and packet-type-filter, address-verification, filter for blackholes

    Internet telephony in simple activation and deactivation

    during modifications: fast station-wise checks of syntax-errors

    for nearly all kind of client-/server-architectures (router, single-user, samba-, ftp-client, samba-, ftp-server, ...)

    fast overview of services by an integrated port-list

    internet-lock for breakdown-situations

    Blacklists are positioned right before the NEW-line-blocks, in order to block single IP, false alarms causing malformed IP, IP-ranges, on HTTPS, for router and LAN

    prevention of smurf-, tcp-syn-flood, ip-spoofing, martians, land- and large-packet-attacks as much as all attacks basing upon too large packets

    support of active and the more secure passive ftp-mode

    Rules can be limited, disposed, exchanged and/or reconfigured by time

    The files referring to linfw3 can be secured by one mouseclick - no chance for their manipulation from the outside

    Route verification

    Exclusion of all interfaces not declared explicitly

    Special rules within the mangle table prevent the scan of the computer or router

    log-statistics follow arbitrary time-periods

    structured iptables-rules by theme

    association of kernel-flags with belonging iptables-rules

    full-compatible with additional filter-concepts like the already inherent port-scan-detector psd, arptables and arpwatch for protection against ARP-protocol based Man-In-The-Middle-(Proxy)-Attacks within a LAN, ebtables (Bridge-FW), system-logger syslog and log-alert-window kwrited, proxies like squid and privoxy, netfiltering proxies, browser-addons and spamfilter

    LAN-prewarning-system: The integrated alarm-system also indicates each unwelcome local visit

    Module-support (some modules are included in the rpm xtables-addons from netfilter.org or libxtables from SuSE, both are successors of patch-o-matic)

    dialog support of module TIME-MATCHING

    module STRING to filter any strings on packet`s field data payload (the field with the main part of information)
    Please notice, that a script-blocker res. ad-filter is strongly recommended!

    filtering of malformed or unusual packets by module UNCLEAN, MAC-addresses


    blocks all IP out of /etc/hosts.deny

    additional filtering with program-/process-control, CMD-, User-,Group- Process- and Session-ID by module OWNER

    adjustable blocking-rates of packets in percentages from 0 up to 100% (contin.), just 50 by default (each second package) through module RANDOM; to increase the blocking-rate from 1% up to 99% ); notice, that Linfw3 in main already blocks twice up to threefold, so that RANDOM becomes not essential.

    PSD: Port Scan Detection: this all is possible with iptables (mga2), lib64iptables (mga2) and xtables-addons (OpenSuSE 12.3 or mga2).

    stringfilter with CONNection-LIMITation and XOR-encryption of packages and connections

    indication of slow, bad connections by TTL

    modul QUOTA for volume-tariffs, TARPIT instead of DROP

    modul IP-CONNection-TRACKing for further analyzes on traffic

    usage of modul CONNBYTES for download-restriction and

    modul ACCOUNT: traffic-ACCOUNT for counting visitors

    modul RECENT to trap single IP by (trap-)ports like 139 - unlimited long or restricted by time

    modul ECN

    modul PSD: protocols and/or prevents detected serious hard portscans

    modul POLICY: place for the integration of IPSEC

    modul RATEEST: Router-balancing rules

    many other modules, a right place for all

    Notice: Depending on the version of itables and xtables-addons, not all modules might work. Find out, which one are working and those, who don´t by LINFW3.

    IP can be entered directly with subnet-mask

    Linfw3 within the K- resp. Startmenü: call it by /usr/bin/konsole -e sh /usr/local/LINFW3/fwdialog.sh (alternatively you can use xterm or any other terminal for konsole)

    Do everything against fatal system-errors: Do you know the shutdown-supplement for WIN98/SE...? Each system-shutdown all connections are closed completely by the bootup-script resp. daemon linfw, quit before the open sourced linfw3 resp. iptables deactivate itself

    Linfw3, concipated to leave the word firewall forever behind yourself within short time

    lixlogoPhoto4 ICSA

    Release date: 31.12.2006
    Last update: 26.01.2016
    OKDownload from this server (bowser-address-line):
    linfw3-1.1.2-1.tar.gz (recommended actual version)
    linfw3-1.1.2-0.noarch.rpm (old version)

    Please type in this packages or tarball into the address-bar of your browser like "https://gooken.safe-ws.de/linfw3-1.1.2-1.tar.gz".
    On patches, malfunction and bugs, please mailto: info@gooken.de. Then your name will be listed in the changelog.

    Additional filter concepts

    Be such careful not to forget to reinstall iptables-rpm after you have installed linfw3 and all the packages from your distribution! The Filesystem Hierarchy Standard (FHS) defines the directory structure and directory contents in Unix and Unix-like operating systems, maintained by the Linux Foundation. The current version is 2.3, announced on 29 January 2004.[1]. Notice that protocol ftp remains insecure resp. risky. Enable ftp-downloads as seldom as you can (although ftp can not do us much harm after configuring Linfw3 quit right!) Portscan-detectors like psad are useful additions for the iptables-based LINFW3, especially in the case of unnecessary opened ports by evaluating logentries made by protocolling rules of iptables. The arpwatch package contains arpwatch and arpsnmp. Arpwatch and arpsnmp are both network monitoring tools. Both utilities monitor Ethernet or FDDI network traffic and build databases of Ethernet/IP address pairs, and can report certain changes via email. Install the arpwatch package if you need networking monitoring devices which will automatically keep track of the IP addresses on your network. For not using GID-owner only, but also CMD-owner, kernel up to 2.6.12 is recommended. In this matter, look out for all kernel versions in future! To take firewalls in effect, some points of the checklist by Gooken have to be also checked out! The start of the process for iptables itself follows a delay, so that connections should be build up (manually) from a point past the newstart through the command "ifup device" with a device like eth0, and some connection opening or keeping routines may remain in the RAM during system shutdown, so that it is recommended to build down all connections completely quit before by "ifdown device".

    OK/etc/psad/psad.conf, extraction of an example

    ### Supports multiple email addresses (as a comma separated
    ### list).
    EMAIL_ADDRESSES myemailaddress@localhost;

    ### Machine hostname
    HOSTNAME localhost;

    ### Specify the home and external networks. Note that by default the
    ### ENABLE_INTF_LOCAL_NETS is enabled, so psad automatically detects
    ### all of the directly connected subnets and uses this information as
    ### the HOME_NET variable.
    HOME_NET any;

    ### The FW_SEARCH_ALL variable controls how psad will parse iptables
    ### messages. If it is set to "Y" then psad will parse all iptables
    ### messages for evidence of scan activity. If it is set to "N" then
    ### psad will only parse those iptables messages that contain logging
    ### prefixes specified by the FW_MSG_SEARCH variable below. Logging
    ### prefixes are set with the --log-prefix command line option to iptables.
    ### Setting FW_SEARCH_ALL to "N" is useful for having psad only analyze
    ### iptables messages that are logged out of a specific iptables chain
    ### (multiple strings can be searched for, see the comment above the
    ### FW_MSG_SEARCH variable below) or a specific logging rule for example.
    ### FW_SEARCH_ALL is set to "Y" by default since usually people want psad
    ### to parse all iptables messages.

    ### The FW_MSG_SEARCH variable can be modified to look for logging messages
    ### that are specific to your firewall configuration (specified by the
    ### "--log-prefix" option. For example, if your firewall uses the
    ### string "Audit" for packets that have been blocked, then you could
    ### set FW_MSG_SEARCH to "Audit"; The default string to search for is
    ### "DROP". Both psad and kmsgsd reference this file. NOTE: You can
    ### specify this variable multiple times to have psad search for multiple
    ### strings. For example to have psad search for the strings "Audit" and
    ### "Reject", you would use the following two lines:
    #FW_MSG_SEARCH Audit;

    ### Set the type of syslog daemon that is used. The SYSLOG_DAEMON
    ### variable accepts four possible values: syslogd, syslog-ng, ulogd,
    ### or metalog. Note: this variable is only used if ENABLE_SYSLOG_FILE is
    ### disabled, and this in turn will mean that the legacy kmsgsd daemon will
    ### collect firewall logs from syslog via the old named pipe mechanism.
    SYSLOG_DAEMON syslogd;

    ### What type of interface configuration do you use? Set this variable to
    ### "iproute2" if you want to use the iproute2 type configuration.
    ### iproute2 does not use aliases for multi-homed interfaces and
    ### ifconfig does not show secondary addresses for multi-homed interfaces.
    #IFCFGTYPE iproute2;
    IFCFGTYPE ifconfig;

    ### Danger levels. These represent the total number of
    ### packets required for a scan to reach each danger level.
    ### A scan may also reach a danger level if the scan trips
    ### a signature or if the scanning ip is listed in
    ### auto_ips so a danger level is automatically
    ### assigned.
    ### Number of packets.

    ### Set the interval (in seconds) psad will use to sleep before
    ### checking for new iptables log messages
    ### Search for snort "sid" values generated by fwsnort
    ### or snort2iptables
    ### For systems with an init daemon like ´upstart´ that offer built-in process
    ### monitoring, it is not necessary to run the psadwatchd daemon. For such
    ### systems, the following variable can be set to ´N´ to disable psadwatched
    ### altogether.
    ### Set the minimum range of ports that must be scanned before
    ### psad will send an alert. The default is 1 so that at
    ### least two port must be scanned (p2-p1 >= 1). This can be set
    ### to 0 if you want psad to be extra paranoid, or 30000 if not.

    ### For IP protocol scan detection (nmap -sO). While it may be relatively
    ### common for a host to trigger on tcp, udp, and icmp, it is more unusual if
    ### a host triggers on, say, five different IP protocols

    ### If "Y", means that scans will never timeout. This is useful
    ### for catching scans that take place over long periods of time
    ### where the attacker is trying to slip beneath the IDS thresholds.

    ### This is used only if ENABLE_PERSISTENCE = "N"
    SCAN_TIMEOUT 3600;
    ### seconds
    ### Specify how often to timeout old scan data relative to CHECK_INTERVAL
    ### iterations. This feature is only used if ENABLE_PERSISTENCE is disabled.
    ### Note that for psad processes that have tracked a lot of scans, it is
    ### advisable to leave this threshold at the default value of 5 or greater
    ### because the scan tracking hash may be quite large.

    ### Limit the number of src->dst IP pairs that psad will track. The default
    ### is zero (i.e. unlimited), but if psad is running on a system with limited
    ### memory, this can be handy to restrict psad´s memory usage. It is best to
    ### combine this option with disabling ENABLE_PERSISTENCE so that older scans
    ### are deleted and therefore newer scans will on average continue to be
    ### tracked. A good non-zero value is, say, 50000, but this will vary
    ### depending on available system memory.

    ### If "Y", means all signatures will be shown since
    ### the scan started instead of just the current ones.

    ### Allow reporting methods to be enabled/restricted. This keyword can
    ### accept values of "nosyslog" (don´t write any messages to syslog),
    ### "noemail" (don´t send any email messages), or "ALL" (to generate both
    ### syslog and email messages). "ALL" is the default. Both "nosyslog"
    ### and "noemail" can be combined with a comma to disable all logging
    ### and alerting.

    ### By default, psad acquires iptables log data from the /var/log/messages
    ### file which the local syslog daemon (usually) writes iptables log messages
    ### to. If the ENABLE_SYSLOG_FILE variable below is set to "N", then psad
    ### reconfigures syslog to write iptables log data to the
    ### /var/lib/psad/psadfifo fifo file where the messages are picked up by kmsgsd
    ### written to the file /var/log/psad/fwdata for analysis by psad. On some
    ### systems, having syslog communicate log data to kmsgsd can be problematic
    ### (syslog configs and external factors such as Apparmor and SELinux can play
    ### a role here), so leaving the ENABLE_SYSLOG_FILE variable set to "Y" is
    ### usually recommended.
    IPT_SYSLOG_FILE /tmp/messages;

    ### When enabled, this instructs psad to write the "msg" field
    ### associated with Snort rule matches to syslog.
    ### Expect that all logged TCP SYN packets include the options portion of the
    ### TCP header (requires the --log-tcp-options argument to the iptables LOG
    ### rule). If a SYN packet is received that does not include TCP options, then
    ### it may be created by a scanner such as Eratta Security´s "masscan"). Note
    ### that psad still does a check to see if at least one log message is seen
    ### includes the OPT field before expecting the remaining messages to also
    ### include this field.

    # .. (SHORTENED.)

    ### Minimum danger level a scan must reach before any logging or
    ### alerting is done. The EMAIL_ALERT_DANGER_LEVEL variable below
    ### only refers to email alerts; the MIN_DANGER_LEVEL variable
    ### applies to everything from email alerts to whether or not the
    ### IP directory is created within /var/log/psad/. Hence
    ### MIN_DANGER_LEVEL should be set less than or equal to the value
    ### assigned to the EMAIL_ALERT_DANGER_LEVEL variable.

    ### Only send email alert if danger level >= to this value.

    ### Enable detection of malicious activity that is delivered via IPv6. If
    ### ip6tables is not logging any traffic, then psad won´t know anything
    ### about IPv6, or this variable can be set to "N" (this would be slightly
    ### faster if ip6tables isn´t logging anything).
    ### Treat all subnets on local interfaces as part of HOME_NET (this
    ### means that these networks do not have to be manually defined)

    ### Include MAC addresses in email alert

    ### Look for the iptables logging rule (fwcheck_psad is executed)

    # ... ( SHORTEND )

    OKStart psad
    before start: nano /etc/init.d/psad
    exchange "daemon..." with line: "daemon /usr/sbin/psad --no-whois --no-rdns --no-snort-sids --messages-file /tmp/messages"
    and start psad: sh /etc/init.d/psad restart


    If the iptables-based Linfw3 remains a kind of trust for you, you can also (beneath Linfw3) activate the firewall of your router (AVM FritzBox!) , the perl-based (pre-)firewall nufw (mdv2010) and various acl-lists within the configuration-files for activated server. Tell us, if you think, that this solution is not secure!

    For the prevention of weak-hosts (including localhost) command netstat -apn is listing opened ports related to opening programs. Such ports can be closed by firewall, deactivation of programs and/or changing or unlinking runlevel-scripts of /etc/init.d.

    Generally all points of this list contribute to higher IT security-level. Therefore Gooken still asks you for your contributes for its completion!

    You can login to KDE by all user as as much as by root after configuring /etc/kde/kdm/kdmrc (allowrootlogin=yes beneath further more interesting options like allowshutdown=true and AutoReLogin=false)). Beware the activation of Linfw3 resp. a closed connection to the network. This and not the many confusing postings to the same question of mine from alt.linux.de with their advice to reconfigure the login-manager can enable this quality (back) for root, same with most browser´s useragent (about:config, we prefer "Privoxy/1.0", followed by something like general.useragent.override (do not use overwrite) or through belonging addons) instead of recompiling as one of the many reason to keep yourself away from all that SuSE, with this newsgroup full of questions, typically generally not new to me (see other reports of Gooken...). If the geo-localization, the data about the local location of your computer should be concealed by firefox, set the possibility of WLAN-identification "geo.enabled" to "false", see links how to do this within other browsers. Also have a look on the performance increasing settings for firefox from our linksite, links, in the section for alternatives.

    Kmail (Email-client with PGP and Antivirus Scanner)

    Kmail ( German insultation for you as a camel )?

    kplayer, kmplayer (working upon phonon), kmail including kontact, browser and filemanager konqueror, filemanager dolphin and krusader, kdeenlive and kino, konversation, klipper, koffice, kivio, kwrite and kate, file-and E-mail-encryption kgpg, burner k3b, kompozer, kaudiocreator, kover, konsole, kuickshow, kbillards, kde-Desktop, kde-Plasma, kde-Desktop-Effects, kmenuedit, ... nevertheless we almost do believe, that software is really much better and more reliable than that (kept up-to-date) OpenSource one beginning with "K" - for KDE resp. widgets out of Qt from Trolltec.inc like so many (if not all) software from introduced UNIX/Linux!
    In the same way of Mozilla Firefox, the many information including User-Agent within the header of Mozilla Thunderbird (we refer to version 3.0.1 and 10, actually, also going: ESR (el6, el7, rosa2014.1) ) can be changed: Click onto edit -> settings -> register card General -> and overwork the configuration. Kmail manages this too: Click onto settings ->, configure Kmail -> E-Mail-Editor -> Header -> type in one header without colon, in this case User-Agent and assign any (short) expression. Kmail can be configured in detail within file kmailrc out of .kde4/share/config sectionwise: [General] CloseDespiteSystemTray=true for the behaviour during the closing (finishing) of kmail, [MDN] SendMDNsWithEmptySender=true for the acknowledgement of E-Mail-receipts, [Reader] with ShowUserAgent=true (or false), [Composer] MaximumAttachmentSize=30 (in megabyte) and so on. As already recommended, E-mails should be always encrypted by their includes and be sent and receipt only over encrypted TLS-connections too. The receipt by kmail is secure, but If you do not want the word "kmail" in the header X-sender of the E-mail you send, you have to choose another E-mail-client like thunterbird with "thunderbird" in the header instead involving a for us unknown server from third party on port 641 or so as a result of conntrack of LINFW3. Actual Thunderbird like ESR (el6,el7), do not do this, so updates are recommended. Notice, that Kmail is working very slow in comparison to Thunderbird. That has to do with the virus-scanner clamav. But in comparison with kmail, the much too fast emails receiving Thunderbird seems not to integrate the virus-scanner (clamav), although the integration of clamav can be configurated too. If you handle email-attachements with care, you can delete the filter-rules for clamav from menu. Spamassassin has got a tiny virus-scanner in one of its modules. To increase the speed a little bit more, use bogofilter instead of spamassassin and filter out email by the sender you already know having a minimum size of some KB (we suggest 10 KB), before the filter-rules for clamav can take into effect. Then "camel" Kmail is running even faster than the thunderbird flies!

    [ SOLVED by sources out of the internet: kopete, kmail, kontact and so on do not start because of a khtml-css-version conflict of html4.css. ]
    Add into /usr/share/apps/.../css/html4.css the following line right up at first at the beginning:

    It is also strongly recommended to read the following article written by Mike Pilone:
    "It is widely known that POP3 is a very insecure protocol, since it is a plain text protocol that transmits passwords and usernames with no protection. Anyone on a private network can quickly sniff packets and determine all the passwords used on the network. Although advances in POP3 authentication have surfaced (APOP, SSL, etc.) many servers still use the old plain text format.
    SSH tunneling is the process of establishing a secure, encrypted tunnel between you and the mail host. This tunnel can be used for anything, but by using the Precommand feature of KMail, I will show you how to use a tunnel for POP3 and SMTP.

    Signature for and encryption of E-mail (E-Mail) with PGP/MIME and the help of the gnu-GPG-Privacy-assistent gpg (mdv2011 or mdv2010.1) and GnuPG (el7, el6, mdv2010.1):
    At first, Kmail or any other E-mail-client should "not be allowed to load extern references". Also prefer Plain-Text instead of the view upon HTML-messages in settings of Kmail, what is demanded by reports from News&Links#computer.
    Now following packages should be installed:


    Configure GnuPG and the gpg-agent
    Enter or uncomment within ~/.gnupg/gpg.conf the following line

    Within ~/.gnupg/gpg-agent.conf add at the end of the lines:.

    pinentry-program /usr/bin/pinentry-qt
    default-cache-ttl 1800

    and start the gpg-agent:

    eval "DOLLARSIGN(gpg-agent --daemon)"

    Now make a test with another key-id as listed:

    echo "test" | gpg -ase -r 0xDEADBEEF | gpg

    Confirm yourself, that the OpenPGP-backend is active:

    "settings -> configure KMail -> securityt -> cryptographic-modules" should be set for OpenPGP."

    Source: http://developer.gauner.org/kmail-pgpmime/index.de.html

    In order to make it really work each start of kmail, write a shell-script for /usr/sbin with the following simple content:

    killall gpg-agent
    eval "DOLLARSIGN(gpg-agent --deamon)"

    OKNow start kmail always by sh /usr/sbin/kmail-including-signature-encryption.sh, if the E-Mail aimed to send should be encrypted and signatured. Otherwise firejail can used for kmail too. Or adjust firejail to enable these features.

    OK Mouseclick-fast: Kill the together with kmail started gpg-agent by creating a file in /usr/share/autostart like kill-gpg-agent with the content exec=killall gpg-agent. Some ressources get freed by this. As known, try this for as much root-prozesses as possible.

    Enigmail (thunderbird (el6)):

    killall gpg-agent
    eval "DOLLARSIGN(gpg-agent --deamon)"

    Like kmail by now, start thunderbird always by sh /usr/sbin/startthunderbird-including-signature-encryption.sh.

    Some more configurations can be made within kmail:
    kmail -> settings -> configure kmail -> identities -> change/modify/edit -> cryptography,
    kmail -> settings -> configure kmail -> security -> "create messages", and within "warnings and cryptographical-modules"

    You might want to autostart gpg-agent. This can be done by creating a .desktop-file gpg-agent.desktop in /usr/share/autostart with the entry exec=gpg-agent --daemon and name=gpg-agent.

    OpenPGP (rpm-package gnupg). Encyption is done by the public key for the E-mail-address of the recipient, obtainable by CD/DVD, sent USB-memory-stick, out of the internet especially from the homepage, menu or editorial, per E-mail, key-server or that can be ordered through whois by phone. The key itself has to be imported into the key-ring by kgpg or "gpg --import keyfile". The sender can send his own public key in any attachement as a key file exported from this keyring too.
    For the decryption of an E-Mail the include of the message is within a file like msg.asc within the attachement. This file has eventually stored into a home directory for decryption with kgpg or gpg by the belonging own private key. For this, all keys should be marked at least as "trusted" by kgpg or gpg.

    As each key consists of its own passphrase, encryption gets secure - as much as the signature can be considered like a real signature.

    "One kmail (camel) less!" Now both, encrytion and signment of E-mail should really function! So please tell us, if not!
    Instead of presented small shell-script, for the receipt of E-Mail only, you still might like to start kmail by

    firejail --nice=17 --profile=/etc/firejail/kmail.profile kmail

    KDE KMail: Secure Email Through SSH Tunneling"


    Signature and Decryption of e-mail with the help of GnuPG: https://docs.kde.org/stable5/de/kdepim/kmail/pgp.html .
    So all you need is gpg and gpa, kgpg does not matter too. There, in the linked article, it is not mentioned, that the gpg-agent has to be startet as much as pineentnry, done by the command "gpg-agent --daemon [ --use-standard-socket ]", what can be entered in /etc/rc.local, but we found out, that this is not necessary. The with kgpg or gpa by ID and key signed key for encryption entered into Kmail-> Identity-> cryptography should consist of your own public and private key and your own email-address (of you as the sender). The pulic key from that key should be exported onto a key-server. Now, if you want to send a message (an E-Mail), Kmail automatically suggests the fitting public key of the recipient (and not the own one) from the keyring in gpa and gpg (kgpg and gpa) after pressing the lock symbol out of the toolbar of Kmail. If missing, import this public key from the key-server or by contacting the recipient for its ID (email-address or sequence of characters). Eventually use Enigmail of Thunderbird instead of Kmail: All e-mail-decryption is funcitoning, even without signature and without gpgms (MIME).

    The internet offers the opportunity to download the filter-extension kmailpt consisting of perl-Scripts for Kmail to delete, separate and decrypt e-mail-attachements automatically and manually with the help of the gpg-agent. Two icons are presented in the tool-bar of Kmail as much aus two new items in the context-menu: http://jice.free.fr/kmailpt

    Finally, choose a suitable charset for kmail in "settings" from menu like unicode (locale) and unicode.

    More information about kmail see News&Links, section "Alternatives"...

    Security audit for Enigmail and Thunderbird: Posteo warns against security leaks, 21.12.2017
    Reader opinion by Gooken
    Patched Enigmail >0.99 on the base of gnupg2 seem to work fine by now.

    It is safer to login through a terminal for root by su (for superuser resp. root) instead of the general login for root like by the mask belonging to (here:) kdm. Therefore the file named su itself has to be set always correctly by the commands "chown root:root /bin/su" and "chmod 4755 /bin/su", where the suid-bit is set. With these commands lost permissions and ownership of su can be restored from another Linux-System after a mount.

    E-Mail encryption
    GMX & Web.de: Howto secure your account by 2-factor-authentification, PC-Magazin, 17.07.2019
    GMX and Web.de offer 2FA (2-factor-authentification) for more security. In this report t is shown, how 2FA can be configured for both popular freemailer.

    System Integrity Check by IDS (Intrusion Detection Systems)

    In order to avoid childish operating systems without encryption, encryption should be performed as one can. So no way keeps away from external backups, especially by MCC with drakbackup! You can use an Intrusion Detection System (IDS) with similar rules to iptables like lids (PDF) to verify the work of LINFW3. IDS like watchdog and Samhain do scan from hard-disk for configurable, but several, almost longer periods resp. times during the increase of the access time, while those like the console-program tripwire and aide register attacks just the timepoint past their actual time up from the point of the manual or cron-tab envoked scan. Both IDS can be configured to scan some directories and files like those for configuration, especially directory /etc and /boot of UNIX/Linux. Notice, that IDE like aide also perfrom important checks by different checksums, atime, mtime and ctime

    aide (el6), configuration: /etc/aide.conf. Start: Initialize the databasis through aide -i in order to update the databasis through aide -u.

    The inotify-based taskmanager incron provides beneath psd of iptables (LINFW3) one of the best IDS, for he is able to control the file-system for changes and manipulations of directories and files. Have a look in News&Links # computer, look out for the report from PCWelt and see, how easy it is to configure incron him by "incrontab -e" for this purpose, although using LINFW3, you almost do not need an IDS anymore!

    tripwire (el6): Tripwire requires two key-pairs generated during the installation or manually, a site-key to protect files used by several systems and a local key, in order to protect files belonging to the localhost including the tripwire-database itself. The manually way is to start sh tripwire-setup-keyfiles, before the initialization and configuration of the databasis through tripwire --init. Comment out all error-messages in /etc/tripwire/twpol.txt by commenting in belonging lines with "#" like #/proc/driver/rtc. Finish the configuraiton with twadmin -m P /etc/tripwire/twpol.txt. Now the intergrity check can start through "tripwire --check" or "tripwire --check --interactive". Of course the output of the check can be deflect to a file.

    gnome-schedule (cron and crontabs): Regulary Tasks

    Not only the configuration and start by buttons for daily, monthly and weekly within the security-section of MCC but also cron and crontab configuring frontend "gnome-schedule" can perform scheduled security checks and other checks: integrity checks, backups, data rubbish deletion and so on. This has got the disadvantage for the user, that the control over the computer gets influenced by the computer itself.

    "Here it is hälpt you!"

    For remaining weakness of netfilter and firewall upon connections opened by users, in conjunction with sensible data, all connection administrating processes like browser and ftp-client should be terminated resp. deactivated. UNIX/Linux are well known as operating-systems for server. If the security-level is set to "server", or if you set REMOTE_ROOT_LOGIN and ROOT_LOGIN to false, one of the most important steps for security is done. Cases of vandalism become quit impossible now! Linfw3 can harden this principle until such settings are made, but especially concentrates on the data-streams.

    One more risk remains in the way from the inside through boot of other OS like from USB or CD/DVD for achieving root-rights passing by even the password protection of bootloader like lilo, what is enabled through a simple reset of the BIOS or by exchanging the mainboard, furthermore offering the opportunity for password hacks. Partition-manager indicate the existence of tools to "spear" access through partitions independent from file systems. Therefore only System-Administrators should be allowed to install new software!

    OK Guaranted password protection is achieved by the method Two-Factor-Authentification similar to online banking per PIN and chipcard. There a login follows within two steps: one for the typing in the pin or password, the next step for the typing in of a code sent by an SMS to the user´s handy or smartphone each time after you entered the PIN, changing each login.

    Some more security tipps we once described in our step 2 are already well known like checking the signatur and checksum by comparing it with the key from installation-DVD/CD, the check of file-integrity by their own database creating progs like tripwire and the advise toresign from telnet, rlogin and ftp. IDS can be considered as a similar method we already introduced.

    Linux was recommended by a good old friend of mine (today living in Hamburg - and still Linuxer). In this time I still used SE and asked myself on the phone, why I do not have it too! I had to wait for a quit stable SuSE Linux 8.2. Until this time, this has it costs! To go really sure, if you ask me in person, which computer-system to take, I recommend a quit old one but manufactured past 2001 at low energy costs, good would be with IDE to S-ATA adapter or direct support for hard-drives greater at least 65 GB and USB equal or greater 2.0, but still fulfilling ergonomic aspects, especially by access-time. System-requirements as a mix of CPU, capacity for RAM and hard-disk have always been minimal for Linux. To go really sure, we like to recommend Mandriva (previous name Mandrake) mdv.2010 64-bit (almost independent from platforms, but for well made for the small factorized ASUS Mini-ITX-220 from year 2009/2010 with crashfree bios, graphic, sound and LAN onboard, max. 8 GB DDR-2, crashfree BIOS (socked) with possible EZ-Flash from DVD or USB-stick, Samsung TSSTcorp. DVD-ROM SH-D162D, CD-RW BCE4816, 500-Watt-power-transformator SL-500A), source packages, the UNIX distribution like from the Linux fan article store, a very stable and almost secure behaving, quit full functional and comfort distribution from Poland and France with many applications like 3ddesktop (quit independent from many other distributions) by an exactly one version downgraded (patched) kernel 2.6.31-14, mdv2007.0 still with support of the mentioned iptables module CMD-OWNER, although the mentioned PID-agent works fine, so that you can use both owner concepts. Such operating system installs itself in less than one hour (in my case about 20 minutes) and runs stable and, as the errata-list shows, it does not need to be updated anyhow except ekiga softphone (if you do not use kphone, gphone or ohphone), alacarte for gnome (if really needed..) and Firefox 1.5 patched up to a fast and secure, inspite of some incomplete loading websites and marquee (HTML-tag) resigning from any higher versions! Firefox 12 up to Firefox ESR are also running fine (although I ask myself for the difference, except adblock plus did not work) as everything on this distribution. Even predecessor mdk10.1 from year 2004 convinced.

    Related to Debian Linux, the typical linux bewaring mdv2007.0 (resp. mdv2010) with an immense repertoire of applications is quit easy to handle.

    Manuals and information material to system-applications and other applications can be found in /usr/share/docs, within the help-center "khelpcenter", by the gnome-help-browser yelp, by the system-package-manager drakrpm, by rpm, by the command man <command> and info <command> , a first introduction by the commandname followed by the option -help, -h, --h.

    As generally known, beneath an increasing amount of various applications accompanied with manuals resp. manpages within the directory man you can read by command man, all kind of server can be installed from DVD and activated within the MCC (control-center, kcontrol and drakconf.real (SuSE: Yast2), if you like, each newstart.

    For mdv, before the boot of the operating system, run bootmanager grub, press F3, choose default and an adequate runlevel (3 up to 6) to type drakx11 into the opening terminal resp. konsole.

    The Same for Yast2 started from a konsole/terminal. Mentioned MCC (control-center) summarizes most configurations and settings. At the very beginning, the many fonts importing OpenOffice was starting with some delays. Until now that´s all that should be patched, bugfixed or updated for that distribution. An excellent support was guaranteed for more than five years through rpmseek by the server ftp://ftp-stud.fht-esslingen.de. Each system-shutdown, the daemon of klean named tmpdel does the last important step to free the system from any unwanted files against maintenance. Together with apt and its graphical front-end Synaptic you can get from rpmfind.net, Debian packages can also be intalled (if ever needed...). Partitions got encrypted not only such with the sensible data but also other ones containing firefox, thunderbird and the ftp-client gftp, many executables and many configurations out of /etc and Linfw3 moved together with dialog to such encrypted one. In most cases, for the mozilla products, this managed after moving preloging directory out of /usr/lib to an encrypted partition after reconfiguring their shell scripts in /usr/bin and by adopting just two of their linked library (.so) files with ln -sf. So symbolic links should already be studied, before any data are moved onto encrypted partitions, quit the same for some directories within /etc and so on! The more parts of directories and files got encrypted, the faster the system runs! All in all this in conjunction with this excursion might be ready for eternity. Only the alsa sound-server sometimes does report errors like "fatal error: sound server overloaded, CPU aborted!" from time to time, although still everything worked (and sounded) fine! If this should still disturbs, an update of alsa leads into a placid stable system like our downloads without any error-messages and anything (although alsa still remained beta)- quit weird (can´t believe in the times before)! At last you can reconfigure xorg.conf for the mouse. This is necessary, if an unpredictable amount of windows is ever opening after the selection of several files by mouse lied frames and mouseclicks.

    Keylogging resp. audit trace of commands on the server should be prevented, so look out for commands like "script -f pathtologfile/keylog.log" within /etc/profile enabling the audit of commands entered in bash. Timestamp for commands typed into the bash-history are set by adding "export HISTTIMEFORMAT=´%F %T ´" in /etc/profile.


    Train Spamassassin by

    sa-learn -L --spam --progress /~/surfuser/.kde4/share/apps/kmail/mail/Spam/cur/*

    and add additional filter-action "exec by program spamassassin -L" (Bogofilter:

    cat /~/surfuser/.kde4/share/apps/kmail/mail/Spam/cur/* | bogofilter -s

    Notice: For formatted printout (prittyprint), use bat instead cat.

    OK resp. bogofilter -s --input-file=single_filename" upon e-mails to registrate as spam. E-mail-clients like kmail automatically configure these spam-filter in their filter-part. Notice, that bogofilter works faster than spamassassin. The email themselves is placed in the directory "mail" sub the user-directory ~. Spamassassin is configured in the directory mail/spamassassin and /etc/mail/spamassassin. There modules of spamassassin can be activated and deactivated and the number of essential registrations for a mail as spam for incoming mail to register in future be set, we recommend to decline pregiven five times to one time only.

    Linux resp. KDE offer a lot of useful functions. One of them helps to make windows sticky keeps windows from minimizing into the symbol-tray just by clicking into the upper left corner whenever further ones are opened - as known by (certain) other OS.

    One generally should think about updates, especially not referring to the installed distribution. Information are exchanged suspiciously. Since mdv2007.0 the general need for them is not given and the possibility to achieve just the opposite in kinds of degress.

    Diagnosis and Repair

    Mindi of mdv like 2007.0 takes the installed kernel to create an ISO-file, that can be burnt on CD/DVD for the rescues. It offers a hugh set of UNIX-commands for maintanence. You still have to mount partitions to repair by the command mount and chroot.

    chroot mountpoint /bin/bash [-i]

    enpossibles to load the bash from the system to maintain. Then any UNIX-sh commands can be entered like paket-manager rpm, passwd for resetting the password, rcp and scp for copying files over the net. Alternatively you can use Knoppix, SuSE LiveEval or bootable USB-Sticks. SuSE Live Eval 9.2 did not manage to mount the partitions to repair, after I tried to increase the performance by setting the fstab-parameters noatime and relatime for the SSD, recommended by OpenSuSE, see our linksite, related to kernel >= 2.6.16 (I still prefer 2.6.12-31). fstab crashed awfully, even after booting in mode failsafe! But I was so lucky to have the great Mindi iso-burnt onto CD! In every case, look out for the mount-command by the common "man mount" resp. "mount --help". Later on I found out, that mdv2007.0 set those mount-options in the file for devices named /etc/mtab already by itself. Now the computer resp. mouse seems to turn quit over by his clocking! So also notice, that not only btrfs, but also reiserfs fits for SSD, especially by setting the kernel-options relatime or noatime.

    Whenever the boot-loader gets overwritten by partitioning from another operating-system, rescue by installation-DVD helps to install him again.

    If the main directory for the temporary files named /tmp should be emptied the system-shutdown, a belonging option for experts from the section "system-start" of drakconf.real (resp. Yast2) can be chosen. For such demands you can also use the service resp. daemon tmpdel of klean, that can delete by seed (batch file editor), rm, srm, shred, wipe and by blanks. The secure deleting srm is working like the "insecure" deleting rm.

    wipe -f filename
    OK shred -fu filename
    OK srm -dfr directory_or_filename

    In the case of boot-failures, especially long waiting time the initrd-Ramdisk should be recreated by the command "bootloader --config --action rebuild-initrds" or "update-initramfs". Maybe the bootloader got overwritten or destructed. The mdv-installation-DVD, part rescue, can restore the MBR. Alternatively use bootloader-utils or the ISO-burnt CD "boot-repair". You can get the ISO-file to burn for free from Sourceforge.net, alternative: with method 1 up to 6, 1: super_grub2_disk_hybrid_xxx.iso.

    Bootloader repair, http://linuxwiki.de/GRUB
    Howto get the bootloader again:
    The Linux-root-partition in this example is /dev/hda8 .
    Start the Knoppix-CD (or any other Live-CD with grub installed).
    Start x-term (or change to konsole)
    sudo -s
    # Make the root-partition writeable (through devices for chroot):
    mount -o rw,dev /dev/hda8 /mnt/hda8
    # Install all essential grub-files onto /mnt/hda8/boot/grub:
    # and write the grub-masterboot-sector onto /dev/hda:
    grub-install --root-directory=/mnt/hda8 \(hd0\)
    # update-grub always works upon /boot:
    chroot /mnt/hda8
    # Create menu.lst:
    Here an alternative basing on Knoppix::
    sudo -s
    # Make the root-Partition accessible:
    mount -o rw /dev/hda2 /mnt/hda2
    # Exchange the /boot of Knoppix with the original /boot
    rmdir /boot
    link /mnt/hda2/boot /boot
    # Execute grub
    # and tell grub, that root is assigned to hda2
    grub# root (hd0,1)
    # and that he shall write the MBR
    grub# setup (hd0)

    # Leave grub:
    grub# quit
    # and restart the system

    Starting with a distribution like mdv2007.0, all other linux-distributions can be quit good installed too. You have to care for glibc-version, where I´d like to recommend glibc of mdv2007.1. Or you can travel back into the past, where many apps of mdk10.0 out of seven CD from year 2004 can be also installed! But notice, that all this can results in an overwhelming repertoire of software almost found already on installation-DVD, where, see fr2.rpmfind.net, most software can be found for mdv!

    Everything is configured by the system-configuraiton drakconf.real and the MCC (control-center including the login-manager for determining the user for logins as much as allowed for shutting down the system)..

    Draksec: Periodical checks by draksec and drakperm are not essential anymore. A one-time performed, closing check for rootkits (tarned malware like trojan and for exploits) by utils like rkhunter zeppoo and chkrootkit by the result of "nothing found" can almost not be quit bad, while a login as superuser should ony be enabled for members of the wheel-group. A remote-login (of the superuser) should never be possible, what can also be configured by the login-manager of the operating-system. See step 2 about msec resp. draksec: The some access-rights and ownerships reconfiguring security-level 3- "high" might suffer the needs for single users, 4 - server, while mode paranoid disables any access completely.

    General backup and recover of the system almost done by drakbackup out of the MCC (system-control-center) introduced shortly in step two.

    In order to avoid errors, for compilation of the content of tarballs with gcc executing "./configure [--prefix=/usr]" resp. ./config [--prefix], cmake or similar commands at first, the underlying partition must be mounted with option exec. Therefore remember this option well, in order to set for most partitions almost the opposite called noexec!

    UNIX/Linux-filesystems with errors become seldomly.
    As a file-system we have chosen Reiserfs (where we can set performance-values for the already fast working SSD see links (our linkside), section alternatives).
    This one is enabled to repair itself on data loss automatically within a short time, which is enabled by its Journalling feature. Manually, think of USB-sticks, you can repair all common file systems by the one fast working command named

    Shortened mount and unmount of a LUKS-encrypted and discard supporting SSD-Partition by (rpm) pam_mount instead of using cryptsetup and mount:

    mount -o discard device_filename_like_/dev/sda1 mountpoint_like_/mnt/mymountpoint1
    umount.crypt mountpoint_like_/mnt/mountpoint1

    ... instead of the explicit, long termed

    cryptsetup luksOpen device_filename_like_/dev/sda1 any_container_filename_like_container1
    mount -o discard any_container_filename_like_container1 mountpoint_like_/mnt/mymountpoint1
    umount /mnt/mymountpoint1

    fsck [-t filesystem_name] [-C0] /dev/device-name -r
    reiserfsck -check /dev/device_name [--rebuild-tree]
    e2fsck -yf /dev/device_name (same for btrfs by fsck automatic through fsck.btrfs)
    If the message: "Inode extent tree (at level 1) could be shorter IGNORED.": is shown, optimize the filesystem with:
    e2fsck -fpDv -E bmap2extent /dev/device_name

    resp. for LUKS-encrypted partitions (cryptsetup), one is named sde1 for example, analogous for LVM with the partition name out of vgscan or lvdisplay):

    cryptsetup luksOpen /dev/sde1 checkitout-container1
    fsck /dev/mapper/checkitout-container1 -r
    reiserfsck -check /dev/mapper/checkitout-container1 [--rebuild-tree]
    e2fsck -yf /dev/mapper/checkitout-container1 (analogous btrfs)
    cryptsetup luksClose checkitout-container1

    fsck was chosen with Option r for repair and device_file out of /dev like /dev/sde1 (accompanied with automatical search for routines for belonging file-systems like fsck.vfat after an unmount of belonging partitions by umount. fsck helps in most but not all cases for repair - fsck.<filesystem> with filesystem like ext2, ext3, ext4, reiserfs, reiser4fs, vfat, btrfs, ... . If errors should still occur, the partition is almost overfilled. And as already told, we recommend for mdv2010 (el7, el6) file system reiserfs-utils (el7) - we never have had any serious hard problems with it..

    In order to mount an LUKS/dm-crypt-encrypted partition and having mount_pam installed just type

    mount [-o discard] /dev/device mountpoint (of course also per mouseclick in Dolphin or a certain plama of the taskline
    umount.crypt mountpoint.

    If the harddrive is out of order, try safecopy: http://www.pcwelt.de/ratgeber/Festplatte-defekt-So-klappt-die-Datenrettung-9787775.html. Many programs for repair are already integrated in fsck. fsck checks out filesystems like btrfs, ext4, reiserfs, reiser4fs and vfat:

    ln -sf /sbin/dosfsck /sbin/fsck.vfat

    Alternatively use even more precise checks and repairs of blocks like badblocks -ns, e2fck -f /dev/sdb6 for the sixth partition on the device connected to the second S-ATA-port named b (get informed by the partiton-manager which partition is named by what), for the repair of superblocks additionally with option b followed by the amount of superblocks and the same by reiserfsck upon files-systems, both in the case of serious deep errors like inode-errors, mdadm for LVM, e2fsck -c and mke2fs -c, details see manuals (man-command). You can tune reiserfs and ext4 by reiserfstune and tune2fs like

    tune2fs -c 3 /dev/mapper/cryptedroot_resp_home_resp_boot_partition


    reiserfstune -m 1 /dev/mapper/cryptedroot_resp_home_resp_bootpartition


    reiserfstune -d 7 /dev/mapper/cryptedrootpartition

    for the maximal amount (here three) of and maximal days before reboots (system-newstarts) of an ext-filesystem resp. reiser-filesystem are performed (upon the root-, home- and the unencrypted boot-partition and so on, but not upon the kernel-partiones proc, shm and tmp) automatically regardless from the case, if errors ocurred or not. Instead of the container-file "/dev/mapper/cryptedhomepartition" any device-filename of a not encrypted ext-partition like /dev/sda1 can be entered.

    fsck is also needed for USB-Sticks with malfunction. Duration (incl. repair even on VFAT32) of fsck and e2fsck -yf resp. reiserfsck lasts a few seconds only. Generally link fsck for (V)FAT-partitions by

    ln -s /sbin/dosfsck /sbin/fsck.vfat

    before the first use of fsck. This step is not essential for newer mdv-versions equal or higher mdv2010.

    For Reiserfs type fsck -t reiserfs ... resp. fsck.reiserfs ... instead of fsck, analog other file-systems. Journaling-filesystems consist of a special structure, that shortens the time for repair very much, while file systems of MS windows like vfat and ntfs can not be repaired in any case. In order to go sure, the standard linux partition-manager should have always been used for partitionings and formattings. With such commands a repair can be done in most cases within few seconds! Notice, that from file-systems like ext3 and reiserfs, how difficult it is in opposite to vfat of MS Windows to restore once deleted data, while it is always possible to restore the system resp. data from garbage cans and tarballs (archives like zip, tar.gz and bz2), especially if the operating system has already started. Klean reflects a kind of dilemma in conjunction with the restoration of data. If you use the program qphotorec or rlinux, data recovery is not the problem, even not for the filesystems ext3 and ext4.

    Did I already tell you? Damaged files from media like DVD and CD can be almost partially rescued by the command.

    ddrescue [ -options ] infile outfile

    Extern partitions are made and by mirroring (Limone:)

    dd if=filename of=filename

    is copying (mirroring) files, sectors, partitions and complete hard discs, ready for more.

    #>dd if=/dev/hda1 of=/dev/hdb1
    copies the 1. partition of the 1. hard drive onto the 1. partition of the 2. hard drive
    #>dd if=dev/hda of=/dev/hdb
    copies the complete 1. hard drive 1:1 onto the 2. hard drive - where the capacity should reach. CD/DVD-Rom drives are named by device files /dev/cdrom, /dev/dvd and /dev/sr0. Time needed for mirroring our complete SSD: 20 GB per hour and therefore around 6 hours. Processes for power-saving should be deactivated before. So nothing speaks against such backup on extern media of at least the free capacity of the original!

    Backup: is performed by the MCC (drakconf.real) resp. Yast2, but it might be best to use the command dd we already decribed or to store the files and directories within a Tarball resp. ZIP-Archive. Prefer extern media to keep it, but as some person might wait for manipulaton of it, do not store anything online. The period for the succeeding backups should be short enough to take all actual data into account. See the datasheed: If you use SSD with MC technique instead of harddiscs, backups might almost not be needed anymore, but more secure is more secure... . "partimage" enpossibles to make img-screenshots from partitions excluding the mounted one for root.

    WLAN (for the unimprovable one)

    Software-packages should almost be from the best reliable source and therefore from rpmfind.net. Check out their checksums keeping integrity of downloaded files. Following our steps, such strength is not essential. You can install Linux-Taballs from anywhere in the user-mode user, although it is still not recommended to do this in the files-ovewriting mode root.

    Always use a modern internet-browser with modern mechanisms for security like a sandbox also containing a filter-mechanism against maligny websides before using it, for example those ones for phising and malware-protection of Mozilla Firefox in advantage with scriptblockers like ublock-origin and noscript.
    Only use the browser-plugins really needed. They should be OpenSource. Chronique should be deactivated, Cookies deleted after each session, the private-mode should almost be preferred- Let the browser question for all attempts to connect online by himself when asking for browser-updates and addons. Deactiate many protecition by clicking onto the proteciton shield in the statusbar. Do not resign from SSL-encryption, if possible. Warnings should not be missed before the load of suspect websites. Passwords should not be stored- except in some cases by the master-password beyond the protection of certificates. .

    Debian Ubuntu seems to be hopeless out. One reasan are established connecitons to Amazon. We do not recommend automatic software-actualisations. They cause mammouthed data-transfers and once more contribute to loose the control about the computer. Nothing can be more dangerous! So actualize from time to time, we recommend for mdv2010 each year and shortly past new-installation (and not during). Therefore use MCC. The full functionality of software is what counts in main, so you have only to look out for security-updates.

    Never install programs inprehictable suggested online. The worst thing you can do is to enter also any passwords for their download.

    Command "rpm - checksig paketname.rpm" evaluates a checksum for intergrity-check of downloaded files.

    Following all introduced methods, for mdv2010 it is still possible to install so many progs as you want on SSD resp. harddisc.

    Email should not be presented in the format HTML. Use format for text instead, so that intergrated images as the output of scripts can not function as backdoors.

    Do not use the same password for different online-services. Regulary change such passwords. By manfacturer pregiven passwords should be changed immediately. Secure passwords consits of letters, special chars and numbers and can be suggested by programs like pwgen.

    Java and Browser-Plugins: Resign from runtime as much as plugins as possible. Deactivate and activate java within the browser-configuration.

    Sensible resp. personal data should be kept secret as much as possible. Within formulars, only fill out fields mandatory Never open e-mail attachements. Verify the sender by an identifying telephone-call.

    Resign from wireless LAN (WLAN). If you do not want this, notice all those additional steps from our linkside to care for essential security. The protocol must be WPA2-encryption.

    Periodically check out the security state of your system. This can be performed automatically by a MCC-Function taking care of many pregiven security-configurations and settings.

    ... Now I am waiting for many years for any system breakdown, essential repair for the file-system, the first hacker, trojan, virus, worm, spyware, dialer, update, upgrade, newstart, hard-disk-scan, restriction of file-capacities during copying and so on, but, good luck, that has become a quit seldom, if not an impossible case!
    If an application ever should not start, try to start it by entering the name of its executable into the terminal. Then the cause is almost listed. In most cases, a simple repair can follow to start it again. The name of the executable itself can be found out by kmenuedit or within /usr/bin.
    Thanks from manufacturer delivered rpm- (resp. deb) packages out of the internet, all drivers on the easy to handle mdv-2007.0 also work fine, even the one for Brother DCP-115C multifunction device from year 2012 I got from my relatives for free, costs for a cartridge less than 3 €, out of printer, scanner, copying and fax. Inspite of proprietary drivers for my nvidia graphic card I took the already integrated one without opengl-function, resp. I prefer the power-saving and less poisoning onboard (IGP) S3 Unichrome (3D!) with 64 MB of the VIA KM 400 by installing the 3D resp. many opengl-functions supporting uni- or the gl-functions less supporting openchrome-drivers presenting the even more sharp graphic without having any complications. First one, the unichrome driver, was already included into mdv2007.0. Good luck: If Linux sould ever be missing the driver for a graphic-card, it takes the standard-VESA-driver. Also onboard: the AC97-sound- and Ethernet-LAN-Chip). The air in my chamber refreshed, and the network-adapter enburdened itself. Network started up within few minutes without configuring, same for the printer.

    If there should ever something be missed for mdv2007.0, you can extend it by upgrading the GLIBC from mdv2007.1. Now it is possible to install many packages from at least mdk10.0 up to mdv2010. Beneath this, emulation of Amiga through uae, basilisk for MAC, wine and wine64 with wine-gecko and wine-gecko64 and xwine for MS Windows 98 and/or XP helps to complete. Installed on linux-partitions, by the help of LINFW3 such programs are again running free from trojan and by the help of the access-control also virus-free, for about estimated more than 100.000 program-packages.

    All in all this satisfying "snapshot" can be a quit good sign for UNIX-Systems in future. This reliability can be kept by licensing at least one distribution to high schools keeping the sources well and packing the binaries - the place, where UNIX / Linux origins.

    In order to complete our computer-care, I prefered a brilliant about 48 cm display of a modern 1920x1200 (1366x768 @ 60Hz for films, websites and in order to prevent anatural widenings of that wide screen) WLED-TFT-monitor with 18 Watt power-consumption only for less than 100 € (asian AOC 943Fws), brilliant focus, in conjunction with well-functioning ACPI-functions and a power-saving mode of this operating system for the CPU (I still have the one 32-bit Sempron for this power-saving reason, that still is working far below 60 Watt, especially in the CPU-power-saving mode of Linux), the same aspect for the hardware from about year 2004, but with at least IDE and/or USB 2.0- or modern S-ATA- and USB 3.0-devices. Hard-disk can be replaced by one up to three Watt power-consumption , I read everlasting SSD-HDD from SanDisk (typ: Solid State Drive) by support of the S-ATA interface resp. IDE-S-ATA-adapter. Such modern powerful devices do consume power of around some Milliwatt only and have got very low access-times. Generally refresh your battery up (caution: such celle isn´t the the same celle!) from time to time (beware the contact of its maybe cheap-built socket!) and replace your hard-disk for life-expectancies of about five years, if you do not use an USB-stick instead, in order to get your computer started. If the computer ever has problems after his powering on, check out for the net-adapter and the RAM by type like DDR, DDR-2, DDR-3..., by regarding downward-compatible frequencies and by memtest, before the BIOS is reseted by a jumper of the mainboard or even flashed by firmware from a medium like floppy, CD or USB-stick. If BIOS strikes, check out the net-adapter and pull off slot-cards, that can cause many malfunctions. BIOS-configuration for PCCHIPS M851G with "SPD (automatic mainboard hardware detection) enabled" and for the case of non-IGP "PCI-graphic" and "ALLOCATE IRQ to PCI (IGP-graphic)" by disabled and AUTO-detection is strongly recommended. Against malfunction, also use as few slot-cards as possible. If the BIOS-chip is socked, in many cases it is also possible to order a complete new one including a special nippers by an address see our linksite. The computer can start and boot without any battery for the BIOS by default-BIOS-settings. Then each boot of the operating-system the NTP-daemon, which is part of each Linux-distribution, can set the date and time instead of the BIOS. Also it is possible to boot by USB-sticks, if a function-key like F8 is pressed. If nothing helps, even not following biosflash.com and www.bios-chip.com from linksite, the net-adapter should always run in mode standby. Please notice, that Gooken still can not give you any guarantees!

    Howto adjust the TFT resp. monitor: http://www.pcwelt.de/ratgeber/Monitor_und_TV_professionell_kalibrieren_-Lebensechte_Farben-8525546.html

    WLAN (for the unimprovable ones)

    WLAN: troubleshooting and howto make secure: see News&Links, section Computer and section Alternatives. We recommend wired networking.


    mdv2010 provides all kind of Windows- and Linux-fonts. Fonts should not be presented distorte or smeared, so the screen solution should be the right one, selected auto by the sytem whereever possible. For our hardware the resolution is 1366 x 768 square pixel. Choose systemsettings or gnome-control-center to adjust fonts. Arial seems to looks a little bit slimed, so what about "Linux-Arial" Liberation Sans? We choosed Liberation Sans 10pt for our workspace. After an update of freetype (rpm resp. Tarball, rpm recommended) fonts can appear smallened or refined. But for a brilliant sharp display, we still prefer Arial.

    Data sheed: Super-powersaving Lifetime-Hardware: mainboard ITX-220 with brilliant high resolution graphic and sound and Ethernet with free activateable LAN-BIOS-Chip at lowest costs

    Look out for the right connection of the cables and their contacts (mainboard, monitor, netzwork, SSD/hdd (S-ATA), USB-memory-stick,...)! Do not connect the USB-memory stick into a hub, thuse a prolonging cable can be used. Do you remember? The trick from right at the beginning with the chalk in the inside of the tower keeps from troubles and defects as the cause of moisture and rust.
    Now we can go on with our next theme: lifetime-hardware:

    Data sheed ergonomic and mouseclick-fast 40-Watt-PC out of Intel ASUS-Mini-ITX-220-All-On-One-Mainboard 19W year 2009/2010 crashfree BIOS with EZ-flash from DVD/USB-stick, Operating System mdv2010.0, WLED-TFT AOC 18 W, 128 GB SanDisk SSD 1W, Chassis and stable netadapter all in all for about 200 € (Stand 2009-2016)

    Linux/Unix - ("time to say goodbye")

    Mandriva forever

    Mandriva 2010 ( Mandriva = Mandrake + Connectiva + Lycoris) is the result of the merging of three distros; I have bought the following french-brasilian Mandriva past SuSE 7.3 professional and SuSE 8.2 professional): mdk10.1 (2004), mdv2007.0, mdv2008.0, mdv2010.0-final (updates of mdv2010 are already included; mdv2010 is almost compatible with Linux-Enterprise resp. CentOS (resp. ALT Linux) el3-el6, Fedora Core fc <= 18 and PCLinuxOS <=2010 and other distributions, many rpm from Mageia1 up to 4, mdv2011 and 2.6-and 3.x-kernel from mdv2012, Debian (also packages will not be missed here) by alien, dpkg and apt for mdv2010)

    Show your computer the green card: extraction mdv2010.0-final for quit all devices, three DVD: mdv2010.0-final installation-DVD (X86_64, 64-Bit) plus update-DVD with listed software (packages) and updated SOURCE-CODE-DVD (mdv2010.0-final) you can order from us

    Update- resp. upgradeable to mdv2010.1 and mdv2010.2 and Mageia (by packet mgaonline-2.77.29-1.mga1.noarch)

    Mandriva is according to ISO-standard LSB 4.0

    simple handling, almost independent from companies, banks and states

    for beginners, advanced and professionals, most software is already known from 7 CD since secure and stable Mandrake 2004

    Opensource from DVD 3, free access to the libraries

    mouseclick-fast and secure Linux: free from instablity, viruses, trojans and other backdoors (certified resp. eliminatable through rkhunter and chkrootkit)

    to get installed completely on SSD resp. harddisc without risks, if you want:

    desktop-PC, server, tablet-PC, notebook, touchlet, kcm_touchpad and gsynaptics (touchpad driver), support for mobil phone, wammu (mobile phone manager), from harddrive, SSD, DVD/CD as much as USB-stick (of at least 4GB installable out of the pregiven one resp. Mandriva-one)...

    all languages


    Software administration: installation and removal of software, actualizing the system, actualize-frequency, packet sources for installation and actualization, more opportunities for maintenance, packet statistics
    Filerelease: configure FTP, configure the webserver
    Network-interfaces: DHCP, DNS, Proxy, NTP, OpenSSH-Daemon
    Hardware: view upon and configuration of the hardware, sound-configuration, configuring the 3D-desktop-Effects, configure the graphical server, keyboard-layout, pointer-device (mouse, touchpad), printer and printer queue, scanner , Fax-server, USV for power control
    Network&Internet: network-center, network interfaces (LAN, ISDN, ADSL, ...), remove a connection, proxy, share internet connection with other computer, network-profiles, VPN-connections, hosts-definition
    System: authentification, menü-style, Activate/Deactivate system-services, fonts, import fonts, date and time, regions and languages, view and anlayze system-logs, konsole with administration-rights, user- and group- administration, import of documents from other operating systems and settings, backups, snapshots, virtualization
    Network-interfaces: shared Windows-harddrives and directories (SMB), shared harddrives and directories with Windows-systems (SMB), NFS (network filesystem), shared harddrives and directories by NFS, Web-DAV (Online harddrives)
    Local harddrives: partitionmanager, CD/-DVD-burner, release partitions in the network
    Security: finetuning of system-security-rights, Tomoyo-Linux, Firewall, authentification for Mandriva-tools, extended configuraiton of network-interfaces and firewall, child-protection
    System start: Auto-Login for automatic login, boot-manager, display-Manager

    Systemsettings separted into groups: Desktop (Workplace, workplace-effects, screen-edges, screensaver, program start display, virtual desktop), systemmessages (signals, messages), appearances (emoticons, colors, windows, GTK-styles and fonts, startscreen, stylel, symbols), windows-configuration, Adobe Flash Player (security settings), country/region/language (spell and grammar checkings, keyboard-layout and so on), personal information (fingerprint-manager, passwords and user-accesses, pathes), standard components (for the services), access help (speech processor, access), bluetooth, release, network settings (service-search, network-settings, network monitor, proxy, connections), screen resp. display (gamma, size and orientation, several monitors), date and time, printer configuration,
    (infrared) remote controls, multimedia (audio- and videoprocessing), font installation, keyboard & mouse (short commands, joystick, mouse, keyboard, touchpad), key-combinations, Work-Design-Details, semantic search by Nepomuk and Strigi (mdv2010.2 only), Audio-CDs, Autostart, CDDB-requests, file allocation, service administration, digital wallets, digital cams, powermanagement (contrasts, and brightness, suspend modes, power-profiles), device-actions, hardware (device-integration through Solid), KDE-ressources, Open-Collaboration-Services, session management, storage media, login-manager, task planer, K3B-configuration-wizard, child protection, PolicyKit, Samba

    Kernel 2.6.31-14.mnb2 (alternativ 2.6.33-7.mnb2) with enhanced hardware-support for all well-known desktop-PC and netbooks like ASUS EeePC, Acer Aspire One, MSI Wind and other ones, actual kernel from kernel.org (with SuSE-fillup, -insserv and -permissions, nash, udev, cpuid, ... from DVD 1 and 2), kernel-types, but almost kernel-modules (driver): desktop, server, Linus (Tovald´s Kernel), desktop, SMP-support, SMB, RSBAC, RSBAC-client, RSBAC-server, RT, TMB, TMB-Laptop, TMB-Server, libafs, squashfs-lzma (high compressed filesystem for embedded systems), UML (sandbox for userspace), virtualbox (system-emulation in hosts), vboxaddition, madwifi (WLAN), Xen (virtual machines), convirt (graphical Xen management), Netbook, ... with drivers broadcom-wl, em8300, fglrx, hsfmodem, lirc (infrared), lzma (data compression), nvidia, atmel-firmware, bluez-firmware, fxload, makebootfat (bootable USB-stick), kernel-rsbac (hardened), ...

    Kernel of mdv2010.0, alternative kernel or enhanced kernel module (device drivers): kernel-desktop-2.6.39 (standard-kernel), actual kernel-3.x.x, kernel-desktop-3.4.1-1.4 (Mandriva Devel Cooker), kernel-server-2.6.39 (standard-kernel), kernel-linus-2.6.31 (original kernel from Linus Tovalds), kernel-rsbac (hardened kernel), kernel-uml (protected usermode-kernel), xen-Kernel (XEN-virtual machines), javabin_fmt (service to load the kernel modul, in order to directly execute Java applications and applets), lirc-kernel (infrared-driver), kernel-tmb (laptop), kqemu-kernel (kquemu-driver for the standard-kernel), vpnclient-kernel (vpnc-driver), fglrx-kernel (nvidia-driver), em8300-kernel, broadcom-wl-kernel, hfsmodem-kernel, madwifi-kernel (WLAN-driver), libafs-kernel, lzma-kernel, kernel-rt (SMP-onboard-Realttek/Atheros-LAN-BIOS-Chip), fusion-kernel (fusion-driver), kernel-netbook, kernel-openvz (SMP: multiprocessor-kernel), libafs-kernel, kernel-kerrighed (kerrighed-Support), obencbm-kernel, psb-kernel, actuator-kernel (actuator-driver), lzma-kernel (lzma-driver), m560x-kernel, broadcom-wl-kernel, nvidia-current-kernel, nvidia96xx-kernel, nvidia173-kernel, netfilter-rtsp-kernel, fortune-kernel, vhba-kernel (vhba-driver), em8300-kernel, r5u870-kernel, r5u870-kernel-laptop, squashfs-lzma-kernel, vboxadditions-kernel, virtualbox-kernel, actual Kernel-3.X.X (from fr2.rpmfind.net or kernel.org), ...

    kernel-uml: "User-Mode Linux is a safe, secure way of running Linux versions and Linux processes. Run buggy software, experiment with new Linux kernels or distributions and poke around in the internals of Linux, all without risking your main Linux setup. User-Mode Linux gives you a virtual machine that may have more hardware and software virtual resources than your actual, physical computer. Disk storage for the virtual machine is entirely contained inside a single file on your physical machine. You can assign your virtual machine only the hardware access you want it to have. With properly limited access, nothing you do on the virtual machine can change or damage your real computer, or its software."

    free access onto kernel-source to select moduls by commands like make config and make gconfig

    kernel-security-modules: to startup with speedboot=yes or speedboot=none, self-learnable "NSA" Tomoyo Linux with the four editors for the domains (processes) and their exclusion (security=tomoyo or security=none), selinux (like tomoyo, but from NSA), pxelinux

    One everlasting update-source: ftp://fr2.rpmfind.net/linux/Mandriva/official/2010.0/x86_64/media/contrib/release

    tabatha (popup-menu for tablet-pc and handhelds), enlargeable desktop-icons 32, 64, ..., 256 pixel, onboard and matchbox-keyboard (on-screen-keyboard), florecne (virtual keyboard), btkbdd (Bluetooth keyboard service), wizardpen (driver), ...

    kernel-firmware (mga6, el6), if you want, plus kernel-firemware (rosa2014.1) plus kernel-firemware-extra (rosa2014.1) plus kernel-firmware (OpenSuSE 42.2, 32 MB) plus kernel-firmeware (OpenSuSE 13.2, 22 MB) plus linux-firmware (fc27), firmwarekit (Linux firmware tester), initrd-nonfree-firmware, prism54-firmware, speedtouch-firmware, zd1201-firmware, rt-firmware, ueagle-firmware, iscan-firmware (Epson flatbed scanner), ivtv-firmware (iCompression or Conexant video capture cards), ipw-firmware ((Intel PRO/Wireless WLAN Cards), mpt-firmware, multipath-tools, pmtools (check of Kernel ACPI tables), sane-backends-firmware, sane-backends-iscan, zd1211-firmware, Atheros/Realtek-LAN-chip-driver (atl1), ...

    Graphic-card-driver resp. onboard (needed for some games only): independency from driver: (24 bit-) VESA-STANDARD-graphic-card-driver (for all graphic-cards) with svgalib, psb, psb-kernel, nvidia-kernel, ati-kernel with an ati-catalyst-control-center, atieventsd (ATI events daeomin), VIA, Intel, openchrome, unichrome, Xorg, nvidia-kernel, ati-kernel, atieventsd (ATI-events-daemon), VIA, Intel, openchrome, unichrome, 3Dlabs, Ark Logic, Chips, Cirrus Logic, Diamond, Digital, Intel, Matrox, NeoMagic, Number Nine, Redition Verite, S3, SiS, Silicon Motion, Sun, Trident, 915resolution, crystalspace (3D-engine), ...

    parallel computing: lib64mm14, ...

    OpenGL: mesa, glut (mesa, lib64mesagl1, lib64mesaglu1, lib64mesaglut3, lib64mesaglw1, lib64gii..., lib64gigii..., ), OpenAL (lib64openal) and alut (lib64freealut), jogl (Java-Bindings für die OpenGL API), ...

    SDL: lib64sdl, ... lsmod: lists all used kernel-modules (device-drivers), modprobe and /etc/.../modules.conf: manual or automized use of kernel-modules

    util-linux (rpm) with fstrim support taken over by util-linux for mdv2011), support for allow-discard since kernel 2.6.36
    man fstrim: Intensive usage of fstrim or "mount -o discard" can influences the life age of minor-qualitative SSD-devices. For workstation and server It is recommended to execute this command one time the week. Notice, that not all devices support a overruling-queue, therefore such overruling command causes minor performance for all devices and commands accessing the harddrive.

    OSD (On Screen Display for volume, brightness, ...): kosd, xosd-tools, ...

    Monitor/Graphics: driconf, xcalib, xgamma, redshift, MCC -> Hardware -> Monitor/Graphikkarte, ...

    redshift - cares for more ergonomy by continuosly adjusting the color temperature of your screen depending from the time of the day and the location by latitude and longiute (for brilliant display and against becoming red eyes; we use the following command: "redshift -l 59.6:6.5 -t 6500:6200"; you can autostart it like many other programs in /usr/share/autostart), DDCcontrol (to control monitor-parameter like brightness and contrast, by software, i.e. without using the OSD and the buttons in front of the monitor), .....

    Sound-card-driver resp. onboard: alsa, alsaconf, alsa-firmware, pulseaudio, arts, High Definition Audio, 2/4/5.1/7.1-channel audio, AC97, Dolby surround, ..., eventually missing printer-driver can be installed by belonging postscript-files (filetype .ps) or from the support-side of manufacturer (if you can hear no tone, check out kmix), ...

    Printer-driver: cups for Epson, HP, Brother, Lexmark, Canon, Kyoccera, Turboprint (not included on DVD), MCC section hardware printers, localhost:631/admin, system-config-printer, xpp (configuration), upsddk (cups driver development kit), foomatic, gutenprint, ..., mpage brings more sites to print on one
    To set up a printer configuration only a printer description file (PPD file) is required. A printer description file is not a driver. For non-PostScript printers a driver is needed together with a PPD file which matches exactly to the particular driver. For PostScript printers, a PPD file alone is sufficient (except for older PostScript level 1 printer models). The PPD files are provided in the following sub-packages depending on which kind of driver software is needed: rpm manufacturer-PPD and OpenPrintingPPDs-ghostscript provides PPDs which use Ghostscript built-in drivers. OpenPrintingPPDs-hpijs provides PPDs which use the hpijs driver from HPLIP. OpenPrintingPPDs-postscript provides PPDs which need no driver, xplsprinters (lists x-printers), ...

    Installation of a printer-driver: MCC -> add a printer -> select the ppd-file (in our case out of the directory /usr/share/cups/model/), thats all, ready. You can set him there as the defauft printer, letter size (A4) and choose some color opitions like grayscale and truecolor. Follow the installation instructions from Brother.inc. or https://ubuntuforums.org/showthread.php?t=105703 .

    cups-windows (pclos), /usr/share/cups/drivers: MS-Windows-printing-system and -drivers for all postscript-printer:
    ps5ui.dll (out of MS Windows or download out of the internet)
    pscript5.dll (out of MS Windows or download out of the internet)

    USB 2.0 and 3.0 (under secure unmount), bluetooth (kbluetooth, bluez-firmware, ...) and firewire; madwifi and rt-driver, ...;.if a driver for LAN/Ethernet-Chip onboard should ever be missed and loading of modules like atl1 do not help, the driver for PCI-ethernet-cards for about 5 € also does its best, TV-card-driver, dfu-util (reflash firmware of usb-devices), ...

    Credit cards and some other cards: pcsc or pcsc-lite

    PCI: pciutils, pcitools, ...

    Hardware database hwinfo for compatiblity checks
    hwinfo --<hwitem> bios, block, bluetooth, braille, bridge, camera, cdrom, chipcard, cpu, disk, dsl, dvb, fingerprint, floppy, framebuffer, gfxcard, hub, ide, isapnp, isdn, joystick, keyboard, memory, modem, monitor, mouse, netcard, network, partition, pci, pcmcia, pcmcia-ctrl, pppoe, printer, scanner, scsi, smp, sound, storage-ctrl, sys, tape, tv, usb, usb-ctrl, vbe, wlan and zip, ldetect, hcl, ...

    CPU: cpuinfo, cpuid (dumps cpu-info), cpudynd (power-saving-functions), cpulimit, cpufreq and cpufreqd on the base of cpufrequtils (automatic fine-tuning and exhaust of many CPU to mouseclick-fast (to resign from new ones in future), hyperthreading), uname (Anzeige des vollständigen Rechnernamens samt seiner Umgebung), tuna (el6), ...

    Firewire: coriander - GUI for controlling IEEE1394-cameras, gscanbus (scans IEEE1394-firewire-bus) ...

    ACPI, ACPI powermanagement (Modi: performance, aggressiv performance, Xtreme powersave and presentation; console-kit of powermanagement-debil should be activated!; empty screen, screensaver, shutdown, poweroff monitor, monitor standby, standby CPU, standby for harddisc, standby for the complete system, standby onto RAM and standby onto the harddrive (all functioning on listed hardware below, red. )

    Manuals: khelpcenter (glossary resp. advise for the OS, applications and tools), man (manpages, if not in english, you also can get actual versions from rpmfind.net in the language of your country from other distributions as it managed us from mga5, margeia 5 of increased size), info, /usr/share/doc (including. books.rpm mit "Linux Installation and getting started", "Linux Programmers Guide", "Linux Network Administrators Guide, Second Edition" "Linux System Administrators Guide", "Linux Users Guide", "Linux Kernel Internals", "The Linux Kernel Module Programming Guide" yelp, rpmdrake, "--help" for quick help, info, howtos ...

    elearning (computer course): dokeos, ...

    Speech recognition and speech-output: festival and espeak, gnome-speech, jsspeex, CVoiceControl enables a user to connect spoken commands to unix commands. It automagically detects speech input from a microphone, performs recognition on this input and in case of successful recognition - executes the associated unix command.

    KDE-start-image: Login splashes (after the login with kdm): hand with fingerprint, air,...

    pregiven boot-splashes, designs, desktop-wallpapers, themes, kdm-themes, styles, windows, window-decorations, kwin-effects, wallpaper, mouse-themes, icons, colors, fonts, free choice of colors for title, progress-bar and so on, unllmited self-mades or for example from kde-look.org and kde-apps.org, ...

    Window-manager: kwin, openbox, compiz and metacity

    Desktop-manager: KDE 4.3.4 (or any version, KDE with plasma), GNOME, LXDE, XFCE4, fvwm, fvwm2, IceWM, Fluxbox, Matchbox, Openbox, Blackbox, e, enlightment, sawfish, drak3d, safe-mode, sddm (el6)....

    KDE-Icon-themes, K-Desktop-icons & Co.: free-positionable or ordered by criteria like "from upper left to lower right", storable positions, optional by a grid, within a free determinable directory, faenza icon theme with scalable icons (format svg), armor (desktop-mascot: person, smiley, tux, cat, ghost, eyes, BSD-mascot, bonhome, neko, worm, taho, ...), aphorisms, cowsay, superkarmba (system-monitors like on foils) and kiba, oneko (cat chasing the cursor), ...

    Effects for the desktop (composite, if. translucency, since 2010, you almost need fast graphic-hardware to avoid delays): 3D-window-galery, 3D-windows-stack, cube, preview, showcase with miniaturized images, transparency, dimming, zoom, gliding, magnifier, shadow, wonderlamp, wave, ... on the base of composite: spotlighter (justable desktop-spotlight), ardesia (desktop-sketching), curtain (curtain to move on the desktop from one side to the other)...

    KDE tuning with the monitor and graphic card: vsync, direct rendering, ...

    Color-schemes: infnite: LinuxMint, Mint-RGS, Oxygen, Kinomoto-colors, Caledonia6, Lucky Eyes, Perso, Black Velvet, New Wave, glass of wine, openSUSE, Midnight, Aqua, Lightsteel, Blue Sky, Ardour3, Black Frost, Pink, Dracula, Midnight Sun, Gaia, Delta Colors, solarized dark, Tea Sun, Jupiter, la Ora Steel, Silicon, Wonton Soup, Cherry Blossom, la Ora blue, Polyester Orange Juice, Whitewater, Skulpture stone, Desert, Skulpture Vanilla, Win7, Evening Lilac, la Ora Orange, Honeycomb, ... by download

    Desktop-design: any design from kde-look.org and kde-apps.org (user definable), Mandriva, blend, oxygen, silicon, slim glow, elegance, heron, Aya, Air, Mandriva, Klassik, Klassik-blue, Marysia, Metalized, Mirado, Neon Glow, Nitro, Old-Oxygen, Oxyglass, Oxywin, Plateau, Silicon, Slim Glow, Svista, ThinAir2, Tibanna, Tragedy, Transparet-sima, USU, Underworld, Unity Ambiance, Unity Radiance, Violet Pastel, XP-Desktop and Windows7 (MS), downloadbare oder hausgemachte, ximian-desktop, ..., XP-Desktop and Windows 7 (MS), downloadable or self-made ones, ximian-desktop, ... by download

    Login-screens: Standard, G-Air, login-scan-splash-cg (hand-fingerscan), md2 (Mandriva2), Bespin, Powerpack, Simple, kde_XP, ..., downloadable

    Types for desktop-wallpapers under more submenues (mdv2010.0): globus, pattern, Mandelbrot, color, weather, image (any importable wallpaper (bmp, jpg, ...), diashow, Time of The Day, ...

    Desktop-wallpapers: Mandriva dolphins (mdv2010), Mandriva free (2007), aisbaa (Gentoo), Gentoo12.1-walllpapers, Debian-forest, bliss (XP), SuSE-bliss, Propaganda Vol. 1-13, xpenguins, ...

    Screensaver: OpenGL, xfishtank, ...

    mdv-plasmoids Plasmoids resp. plasma (applets) for the desktop and the controlbar (please notice, that in differnence to mdv2010-rpm-packages actually not all of them do function, so we have to wait, and that some of them get their information to present out of the internet): Daisy (free program choice within rings or bars), Lancelot (desktop-menu), timezones and weather, birthday-reminder, calculator, widget-dashboard, system-monitoring, multiple rowed fast-loader (more-rowed compressing collector for icons with optional mini-pull-down-(up-)menu), unit-conversion, LCD-weather-station, weather forecast, wordclock with timezones, accu-check, image frame, comic, egg-clock, jumping ball, colorchoosing stick, calculator, moon phases, zoom, social desktop, ToDo-lists, remember the milk, system-monitor, guitar-tuner, image-preview, widget-dashboard, birthday-reminder, flickr, language-translator, sun-system, fishtank, DVB-signal-meter, newsticker, Mountoid, Bundesliga, Facebook, Flickr, bsun (wandernde Sonne), FrustML resp. (Mensch-Ärger-Dich-Nicht), Fancy Tasks (quickstarter similar to cairo-dock), Koala (similar to Tamagocchi), Astrocalendar, Plasmio (SMS), daisy (desktop-icons in a cricle), 15 stones,Tomatoid, egg-clock, spell verification, blackboard, WorkContext (nepomuk) and much more ...

    Gadgets, Apps-installer, Google-App-Installer...

    Android Studio 2.3 released
    , pro-linux.de, 03.03.2017

    mdv-screenlets Desktop-Screenlets: GUI screenlet-administration and -daemon with actually more than 100 screenlets plus downloadable ones, running in the foreground, background, scalable size, widget-option, many settings like: growing flower (to give some water and so on), slideshow, pager, control for adding screenlets, radio, meter, stocks, speech, sensors, ringssensors, ruler, convert, example of howto create a screenlet, copystack, clear weather from weather.com, ...

    Active Desktop: wallpaper, fly mode, slideshow, colors, time-of-the-day, globus: weather-maps, day-and-night, Mercator, original, Mandelbrot, patterns, desktop-icon-sizes, association for mouseclicks left, middle, right like freely set KDE-startmenu the left mouseclick upon the desktop, ...

    KDE-Colors (qt-curves): LinuxMint, Mint-RGS, MAC-OS, Oxygen, Kinomoto-colors, Caledonia6, Lucky Eyes, Perso, Black Velvet, New Wave, glass of wine, openSUSE, Midnight, Aqua, Lightsteel, Blue Sky, Ardour3, Black Frost, Pink, Dracula, Midnight Sun, Gaia, Delta Colors, solarized dark, Tea Sun, Jupiter, la Ora Steel, Silicon, Wonton Soup, Cherry Blossom, la Ora blue, Polyester Orange Juice, Whitewater, Skulpture stone, Desert, Skulpture Vanilla, Win7, Evening Lilac, la Ora Orange, Honeycomb, . ..

    Design, Styles: unifyable for gtk to all KDE (systemsettings), gnome-control-center, Diamond, Doomsday, Mandriva, Heron, Elegance, Neon Glow, Nitro, Oxywin, Oxyglass, PerlaNegra, Plateau, Blue Sora, Blend, Air for netbooks, Air, Ambience, Androbit, Arezzo, Atelier,. Black Glass, ...

    infinite amount of designs

    Taskline: from different desktop-manager and KDE with optional cairo-dock (3D-icon-desktop-look with zoom upon the icons following the mousepointer-position), glx-dock, kiba-dock, ...

    wm-applets: wmweather (weather-applet), wmmoonclock (moon-pases), wmglobe, wmfishtime, wemmemmon, wmstock (stock market), wmnut, wmnat, wmwebcam, ...

    gai-applets: weather, gai-sun (sunset time and sunrise time), gai-pal (verdicts), ...

    gtkmotd (Message-of-The-Day-Display), ...

    more applets: netapplet, printer-applet (mga5 for mdv2010), knemo, monitor-applet, KRandRTray (variable screen resolution), ...

    Boss-key: alarm-clock-applet (SuSE 11.4), ...

    kde-look.org: more design, themes, styles, kwin-effects, dekstop-icons, wallpapers, system-sounds, ...

    Desktop-icons: svg, icon-themes, screenlets, ...

    K-Menu in classic and modern look: kmenuedit (free configuration of the start-menu),

    quick configuration by tiny orange half-moons within the right upper corner and the control-bar

    Control-line for example with K-menu (plasmoid); terminal (plasmoid), MCC (system control), system-settings, quick launcher (plasmoid), opened windows (plasmoid), workplaces-desktop-switcher (plasmoid), E-mail-client, browser, system-area (plasmoid), system-messages (plasmoid), clock with calendar and organizer, power-on/off-button (plasmoid), desktop-settings half-moon, ...

    font generator: fontopia (el6), ...

    Quick launcher (example): out of help-center khelpcenter, telephone linphone3, sflphone, phonebook, addressbook, global atlas marbles, maps, cronie-task-manager gnome-scheduler, dictionary kdict, Linfw3, kmail, gftp, IRC-client kvirc, pocket calculator kcalc, speedcrunch, notices: knotes and tomboy, kteatime (alarm-ticker), qstardict and stardict (Dictionary and full-text-translator), gedit (Texteditor), Schreibtischglobus marbles, bosskey, ...

    system-area within the control-line (tray, autostarted programs) for example out of: net_applet (NetworkManager), printer-applet (printer jobs), klipper, loudspeaker-symbol resp. mixer (kmix), kgpg (encryption keys), krandr (screen resolution), nepomuk (semantic search), USB-media (one more Plasmoid), ...

    Remote-Desktop and remote access (it might be wise to deinstall all packages for such remote that you do not need...): krdc, putty, rdesktop, rlogin, rsh, tsh, telnet, ssh, capture, concordance, ftpsync, gexec, pam_mount, php_pear_remote_installer, rsnaphost, rstart, nc, ...

    Desktop-Indixing-systems: beagle, pinot, kerry, ...

    Net/internet with DSL: Applet for ifup and ifdown), immediate configuration, ipv4, with mdv2010 you can still communicate and surf with the dynamic ipv4-address, and ipv6 (ipv6 past ipv4-support), wicd (WLAN- and LAN-network-manager), knemo (simple-traffic-monitor blinking depending on the traffic for the taskline, useful addition replacing a red LED of the tower)), pppoe...

    Firewall: Linfw3 (not on the DVD) resp. iptables-1.4.12 with IPSEC, xtables-addons or libxtables from OpenSuSE (both are successors of patch-o-matic for some iptables-modules), arptables, ebtables, ... , ipflood (detector), deynhosts ( protocols and blocks SSH and/or other services in hosts.deny), dropwatch (el6), ...

    Desktop-indexing-system: beagle, pinot, ...

    Internet easy access with DSL by self-configuration, wicd (wireless and wired network manager for Linux starting at boot time), ...

    Packet-type: RPM, packet-manager: drakrpm and rpm, alien, dpkg and apt (Debian Linux packet manager), gurpmi and urpmi (care for no problems anymore with package-dependencies!), smart, yum, kpackage, stow, alien (packages from foreign distributions), packagekit, qtrpm, ...

    Debian: alien, dpkg, apt, dpatch (Debian patch tool), debmirror, ...

    Archive-manager (manager for the tarballs): file-roller, ark, karchiver, zipios+ (el6), zip, unzip, tar, untar, rar, unrar, star, 7zip, bzip2, squeeze, mscompress, nscompress, cabextract, advancecomp, ...

    Update, but also installation (!) by packet-manager rpm: rpm -U packet-name. Wildcards like * are allowed. Installation by rpm (analogous dpkg) according to man rpm (but its better to choose option -U): rpm -i packet-name-including-version.rpm, rpm -i --force packet-name-version.rpm resp. "rpm -i --force --nodeps packet-name-version.rpm", you can use wildcards like * within the packet name, deinstallation: "rpm -e packet_name_WITHOUT_VERSION", option: --nodeps and only in the case of happend installation of several packages the name with version, but still without naming the distribution; queries to the packet-database: -qa, -qf, ..., see: "man rpm". Rebuild the packet-database on errors (almost database db-errors) by

    rm -f /var/lib/rpm/__*

    followed by

    rpm --rebuilddb

    rpm also enpossibles to check the checksum and signature of a packet, but there is no need of it from rpmfind.net. Notice, that rpm by comparison to urpmi urpmi is installing all dependent packages during the installation of one package, if present.

    Installation of tarballs: waf (frontend for the following:), /configure or install, make, eventuallyy make clean, make install, alternatively by xmake, cmake, ... (option "exec" has to be set in /etc/fstab)

    Bootmanager (that also can boot MS Windows): grub (takes over belonging configuration /boot/grub/menu.list by command update-grub) and lilo (with password-protection by adding the line with "password=xxx" past prompt in /etc/lilo.conf); bootsplash: draksplash and bootsplashchooser with bootsplash-themes and skripts like switch-themes out of /usr/share/bootsplash (for better control, we recommend the text-modus)

    Runlevel-concept with Runlevel-editor

    Partition-manager: fdisk, sfdisk, mkfs, drakconf and gparted for parted

    Local filesystem: reiserfsprogs-3.6.24 endversion (journalling: self repairing within seconds, fsck), best might be version mdv2011 or el6 and e2fsprogs (1.43.2) with ext4 (2010) resp. ext3, encfs and more (including vfat and ntfs), btrfs-progs, Benchmark: bonnie++, hfsutils (Macintosh-fs), macutils (MAC), bwbar (bandwith benchmark), macchanger (MAC), btrfs (actual kernel 3.X.X), ...

    Search for character strings, files and directories: gnome-search-tool from gnome-utils, gtkfind, find, grep, sgrep, fgrep, agrep (char-sequences with typing-errors) ...

    Extern webserver (configuration in the section network-interfaces of the system-configuration MCC): SMB (together used windows-harddrives), NFS (network-filesytem), WebDAV (online-harddrives), ...

    Filesystem-check and fast, effective repair of many different filesystems: fsck

    Defragmentation: shake (defragmenter for live systems), ...

    Encryption: FDE (full disk encryption by installer), dracut (creates /boot/initramfs.img for entire harddisc-enryption), LUKS/dmcrypt (ab 2010) des Pakets cryptsetup, by parted the easy-to-handle LoopAES up from mdv2007.0, truecrypt, encfs (special encryption for userspace (home-partition, home) and belonging system-tray-applet cryptkeeper (from mdv2011.0), clauer (cryptographic keyring on a USB-storage-device) , ...


    OK https://www.nethinks.com/blog/it-ueberwachung/debugging-ssltls-connections/
    TLS steht f ür "Transport Layer Security" und ist ein Protokoll, mit dem TCP-Verbindungen abgesichert werden. Es bietet auf einer TCP-Verbindung eine Ende-zu-Ende Verschl üsselung an, sorgt für Datenintegrität (stellt also sicher, dass übertragene Nachrichten nicht verändert werden) und ermöglicht eine gegenseitige Authentifizierung der Kommunikationspartner mit Hilfe von Zertifikaten. Entwickelt wurde es vom Unternehmen "Netscape Communications" unter dem Namen "SSL" (Secure Socket Layer) und wird seit der Version "SSL3" unter dem Namen TLS standardisiert und weiterentwickelt. Die aktuelle Version ist TLSv1.2.
    Fehlerbehebung bei SSL/TLS-Verbindungen
    In letzter Zeit haben uns mehrere Support-Anfragen zu demselben Problem erreicht: Eine TLS/SSL-gesicherte Verbindung kommt nicht zustande. Dieser Artikel soll mögliche Ursachen und Lösungsmöglichkeiten aufzeigen. Zum besseren Verständnis: Eine kurze Einführung in TLS/SSL
    TLS steht f ür "Transport Layer Security" und ist ein Protokoll, mit dem TCP-Verbindungen abgesichert werden. Es bietet auf einer TCP-Verbindung eine Ende-zu-Ende Verschlüsselung an, sorgt für Datenintegrität (stellt also sicher, dass übertragene Nachrichten nicht verändert werden) und ermöglicht eine gegenseitige Authentifizierung der Kommunikationspartner mit Hilfe von Zertifikaten. Entwickelt wurde es vom Unternehmen "Netscape Communications" unter dem Namen "SSL" (Secure Socket Layer) und wird seit der Version "SSL3" unter dem Namen TLS standardisiert und weiterentwickelt. Die aktuelle Version ist TLSv1.2. Eine mit TLS abgesicherte Verbindung wird mit Hilfe eines Handshakes aufgebaut. Hierbei durchlaufen Server und Client folgende Aufgaben:
    überprüfung des Server-Zertifikats durch den Client
    optional: Überpr üfung des Client-Zertifikats durch den Server
    Einigung auf die verwendete TLS/SSL-Version
    Einigung auf ein gemeinsames Verschlüsselungs- und Signaturverfahren (Cipher-Suite)
    Generierung eines gemeinsamen geheimen Schlüssels (Master-Key) für die Session
    Der Handshake startet mit der Nachricht Client Hello, die der Client an den Server sendet. Hierbei enthalten ist unter anderem die höchste SSL/TLS-Version, die der Client unterstützt, sowie eine Liste der durch den Client unterstützten Verschlüsselungs- und Signaturverfahren (sogenannte "Cipher-Suites"). Der Server antwortet daraufhin mit der Nachricht Server Hello, die die verwendete Cipher Suite und SSL/TLS-Version, die für die Verbindung verwendet werden soll, enthält. In einer weiteren Nachricht sendet der Server sein SSL/TLS-Zertifikat an den Client, das vom Client überprüft wird. Anschließend findet die Aushandlung eines gemeinsamen geheimen Schlüssels statt, der für die Verbindung verwendet werden soll. Nach Abschluss des Handshakes wird mit einer Nachricht auf die ausgehandelte Cipher Suite gewechselt und die weitere Verbindung findet verschlüsselt statt.
    Mögliche Probleme
    Kommt eine per TLS/SSL gesicherte Verbindung nicht zustande, kann dies unter anderem folgende Ursachen haben:
    Die TCP Verbindung zum Server und dem entsprechenden Port ist nicht möglich
    Das Serverzertifikat konnte durch den Client nicht verifiziert werden
    Die Einigung auf eine gemeinsame Cipher Suite war nicht erfolgreich
    Die Einigung auf eine gemeinsame TLS/SSL-Version war nicht erfolgreich
    Gerade der letzte Punkt - die Einigung auf eine gemeinsame TLS/SSL-Version - ist nach Bekanntwerden der Sicherheitsl ücke Poodle und dem Deaktivieren bestimmter SSL-Versionen in unserem Umfeld häufig aufgetreten. Auf dem Server werden dabei ältere SSL-Versionen (in der Regel SSLv2 und SSLv3) deaktiviert. Ein TLSv1.2 Client, der neben der aktuellen Version auch noch SSLv2 unterstützen möchte, muss nach dem RFC5246 die Nachricht Client Hello im Handshake selbst in der Version SSLv2 senden (http://tools.ietf.org/html/rfc5246#appendix-E.2). Der Server muss diese Nachricht entgegennehmen und verarbeiten, auch wenn er selbst SSLv2 für die spätere Verbindung nicht zulassen möchte. In einigen Projekten und Supportanfragen gab es in der letzten Zeit aus diesem Grund einen Handshake Failure - die TLS-Verbindung kam nicht zustande.
    Um eine fehlerhafte Verbindung zu analysieren, gibt es verschiedene Möglichkeiten:
    Überprüfung des Aufbaus der TCP-Verbindung (telnet)
    Überpr üfung des Aufbaus der TLS-Verbindung (openssl s_client)
    Weitere überpr üfung mit wireshark
    Zuerst kann gepr üft werden, ob überhaupt eine TCP-Verbindung vom Client zum Server aufgebaut wird. Dies kann mit dem Tool telnet geschehen. Folgender Befehl testet den Verbindungsaufbau zu einem Server (in unserem Beispiel auf Port 443):
    root@test1:~# telnet 443
    Connected to
    Escape character is ´^]´.
    Erhält man die oben stehende Ausgabe, hat der Verbindungsaufbau funktioniert. Im Falle einer unverschlüsselten Verbindung könnte man nun direkt mit der jeweiligen Anwendung auf dem Server kommunizieren.

    Der Aufbau der TLS-Verbindung mit dem Handshake kann mit dem Tool openssl s_client getestet werden. Folgender Befehl stellt eine TLS-gesicherte Verbindung zu einem Server her: openssl s_client -connect
    Hiermit kann man testen, ob der TLS-Handshake richtig durchgeführt wird. Kommt eine Verbindung zustande, lässt sich das Tool anschließend wie Telnet verwenden und man kann direkt mit der jeweiligen Anwendung auf dem Server kommunizieren.

    Kommt hierbei keine Verbindung zustande, gibt die Ausgabe des Tools gegebenfalls Hinweise auf die Ursache. Um zu überprüfen, ob die Einigung auf eine gemeinsame SSL/TLS-Version nicht möglich ist, kann man durch die Angabe eines Parameters eine bestimmte SSL/TLS-Version erzwingen:
    openssl s_client -connect -ssl2
    openssl s_client -connect -ssl3
    openssl s_client -connect -tls1
    Kommt mit TLSv1 als erzwungene Version nun eine Verbindung zustande, lässt sich das Problem vermutlich darauf zur ückführen, dass der Server keine SSLv2 Client Hello Messages unters ützt.
    Weitere Analysen lassen sich mit dem Mitschneiden von Netzwerktraffic mit den Tools tcpdump / Wireshark durchführen. Mit folgendem Befehl werden die Pakete vollständig mitgeschnitten und in eine Ausgabedatei geschrieben:
    tcpdump -s 0 -w output.pcap
    Die mitgeschnittenen Pakete lassen sich anschließend mit dem Tool Wireshark genauer ansehen und analysieren.
    Je nach ermittelter Ursache sollte zunächst die Serverkonfiguration überprüft werden. Folgende Fragen sollte man dabei durchgehen:
    Problem: Das Serverzertifikat konnte durch den Client nicht verifiziert werden.
    Ist das Zertifikat noch gültig?
    Ist das Zertifikat für den Host ausgestellt?
    Ist das Zertifkat von einer vertrauenswürdigen Zertifizierungsstelle ausgestellt?
    Problem: Die Einigung auf eine gemeinsame TLS/SSL-Version war nicht erfolgreich.
    Sind alte SSL-Versionen (SSLv2 und SSLv3) deaktiviert?
    Wird SSLv2 Client Hello unterstützt?
    Manchmal hat man keine Möglichkeit, die Konfiguration des Servers zu verändern. Dann gibt es folgende Möglichkeiten:
    Problem: Das Serverzertifikat konnte durch den Client nicht verifiziert werden.
    Verifizierung des Servers deaktivieren.
    Problem: Die Einigung auf eine gemeinsame TLS/SSL-Version war nicht erfolgreich.
    Eine bestimmte SSL/TLS-Version im Client zu erzwingen.
    Weiterführende Links
    Wikipedia: Transport Layer Security
    RFC 5246 (TLSv1.2)

    Cryptographic encryption following RFC-rules, developed and known by highschools,partially based upon secure hash-functions, but still not end-to-end): insecure XOR, (not total secure) MD5 (Unix/Linux-command: "echo "any-text-to-encrypt" | md5sum"), (almost secure) SHA (Unix/Linux-command shasum, sha256sum, shaXXXsum) , see lsmod to list kernel-modules, the still secure aes-x86_64, aes-i586, aes_generic, sha256_generic, TWOFISH, SHA, SHA2, AES (RIJNDAEL), SERPENT, 3DES, GOST, SAFER+, CAST-256, RC2, XTEA, 3WAY, BLOWFISH, ARCFOUR, WAKE, TLS (Firefox 14, kmail depending on the freemailer, ...), ...

    File-encryption, certifcates-administration by pgp-keys: kgpg, kleopatra, gpgp (gnupg2), mcrypt, crypt, ... (this openscource together with KMail is developed by the BSI 2005, details see links, section alternatives), gnutls (TLS), ...

    On the fly encryption: scramdisk

    Connections: TLS and SSL (openSSL 1.0.2), ipsec/Freeswan (VPN, tunnel, host-to-host and host-to-subnet), MCC section for connections, connman (connection manager), ...

    encryption of files and text by hash-functions: UNIX-sh-commands md5sum, shasum and the up to now secure sha256 by sha256sum, sha512sum, ...

    Raid: raidtools, dmraid, a320raid, sasraid, adp94xx and adpahci (Adaptec), Quota: quotatool, quota, vzquota, ...

    Logical Volumen Management (LVM), separate lvmd

    USB 2.0 and 3.0: usb-driver, usbmuxd (communication with Apple ipod Touch and iPhone), usbmon, usbstress, usbutils, usb_modeswitch, dkms-usbvision and usbview (USB-TV-driver/viewer), ...

    ATA over Ethernet: aoetools (programs for users of the ATA over Ethernet (AoE) network storage protocol, a simple protocol for using storage over an ethernet LAN), ...

    UDF: udftool

    Bluetooth: kbluetooth, bluez-firmware, blueman (bluetooth-manager) ....

    USB-mice fine-adjustment: lmctl, lomoco, logitech, ...

    Network: self-configuration for DSL, ipv4 and ipv6 (including translation ipv6 to ipv4), knemo (can contribute to the certain red LED or replace it, by presenting two small tiny monitors in the taskline, one for client, one for server/router. Depending on the online-traffic they are shining lightblue), pppoe, ...

    Sandboxes, Container: docker (docker-io), firejail

    System-configuration: MCC (drakconf, drakconf.real) and desktop-configuration-center resp. control-center kcontrol for mdv2007.0 resp. systemsettings, gnome-control-center and help-center

    Kernel-Parameter: sysctlconfig-gtk for experts

    Child-Protection (like within Linfw3): control-level, user account, time based access control, blacklist (websides by domain and IP), whitelist

    Server: nginx (reverse proxy and http-server), lighttp (Webserver, el6), XAMPP (actual version from internet, Webserver (httpd resp. Apache, even local on localhost, webalizer for the logfiles), FTP (proftpd, vsftpd), database (MySQL, even local on localhost, phpMyAdmin, firebird, postgresql, adabas out of OpenOffice.org, also databasis of SAP), bind (DNS Server), dnsmasq (DNS Cache, DNS Server), Router (quagga, il4li, xorp), 383-ds-base (el6, Directory Server), LAN (Samba), printer (CUPS), Fileserver (mars-nwe), DNS (bind, maradns, mydns, security-tools: dnsflood, dnsdoctor, dnsa (audit), ...), DHCP (dhcpclient, dhcpserver, dhcpcd, dhcpxd), Mail (dovecot, roundcubemail (PHP based webmail server), egroupware-emailadmin, popa3d, masqmail (POP3-server), cyrus-imap-sasl, ... ), Mailinglisten (mailman), Fax (hylafax, drakfax), Radius-Server (freeradius), krb5-server, WINS, Proxy (Squid, localhost: privoxy, dansguardian, pdnsd (DNS-proxy)), USENET (noffle, ...), Tunnelingsever (pptpd, a PoPToP Point to Point Tunneling Server, openvpn is a Secure (ssl-) TCP/UDP Tunneling Daemon), NAS-Server (freeNAS, not included on DVD 1 and DVD 2!), NIS: ypbind and ypserv, nfs-utils (server) and nfs-utils-client...

    Smartphone: apps-installer or google-apps-installer, gadget-creator or google-gadgets, wammu, ...

    Emulators: virtualbox (MS Windows and other OS), qtemu, qemu (MS Windows, virtual emulators of many operating systems), mingw (the MSWindows-dll) and wine (MS Windows), dosemu-freedos (rosa2014.1, MSDOS, PC-DOS), basiliskII, basilisk (Macintosh), puae and uae (Amiga), hatari (ATARI ST), vice and micro64 (VC64), dosbox, dos2unix (text format converter), yabause (saturn emulator), xroar (dragon 32, 64, Tandy coco emulator), fbzx (Spectrum), caprice (Amstrad CPC), zboy (Nintendo Gameboy), ...

    MS Windows Software like MS Office on Linux: https://www.codeweavers.com/store

    DNS-Server: dnsmasq, bind, knot, ...

    Virtual machines: kvm (Kernel Virtual Machine virtualization environment), (the popular) XEN with xen-hypervisor, kde-cdemu-manager, qemu, cdemu, ...

    Terminals: bash (with the update containing all mentioned three patches by bash for CentOS (resp. ALT Linux) 6.5 and 6.6 resp. el6), colorprompt for bash (green and other colors for users, red for root), konsole, xterm, kterm, lxterminal, gnome-terminal, gnash, yakuake, ...

    Task-manager: incron (cron with inotify), fcron, cronie (from el6, cron, cron-daemon) together with cronie-anacron and cronie-noanacron, crontabs (el6), ...

    Data rubbish deletion: "clean tmp" in section system start of MCC (automatically each reboot), sweeper (KDE), bleachbit (does not clean everyting as told to), klean, ...

    IDE (Entwicklungsumgebungen) and GUI: scratch (Games, Animation, Music, ...), wedit, codeblocks (C/C++), kdevelop, anjuta, Qt-Creator und Qt4-Designer (C++ - IDE für Qt), geany (C editor using GTK2), glade, glade2, Glade3, gazpacho (glade clone), wxpython und wxglade (automatisierte GUI-Erstellung für GTK), eric (Python), boa, boa-constructor (IDE für Python), codeblocks (C++-IDE), ncurses, curses, cdialog (UNIX-sh), IDLE (python), anjuta, Kdevelop4, ksi und drscheme (Scheme), sbcl (common lisp), ciao (Prolog), openmotif und lesstif (motif), gtk, Programmiersprachenbindungen für qt3 und qt4, KAppTemplate, edyuk und qdevelop (Qt4), tk (tcl/tk), motor, spe (Python basierte IDE), lazarus (IDE für fpc bzw. Freepascal), monodevelop (IDE Gtk# und mono), coq (proof IDE), scratch (programming sytem and content development tool), chicken (Scheme), spyder (scientific python IDE), ...

    Programming Languages and development tools: rust (el7, "Rust is a systems programming language that runs blazingly fast, prevents segfaults, and guarantees thread safety"), sourceinstall, PCCTS Purdue Compiler Construction Tool, gcc-c, gcc-c++, ddd und gdb (Debugger), pcc, gcc-Java, gcc-Fortran, gcc-gnat (ADA), gnat (ADA), cxmon (Disassembler), R-base und R-cran (GNU S - für statistisches Computing und Graphiken) (nicht im Lieferumfang), gcc (C/C++), C# (mono, sharp), clips (Expertensysteme), Erlang (mdv, el6), golang (mdv, el6), clang (mdv, el6), clang-analyzer (el6), Delphi, R (mdv, el6), mp (el6, mathematical programming), Ruby (el6, mdv), g95 (gfortran), Fortran77, Perl, PHP 5, Python, clisp und gcl (Lisp), Lua (el6, mdv), ruby (el6, mdv), TCL/TK (el6, mdv) with tix (el6, mdv), gnat (Ada), Smalltalk, sci-prolog, gprolog, gforth, bigforth (el6, mdv), Falcon (el6, mdv), fpc und fpc-src (Pascal), chicken (el6, mdv), and umbscheme, plt-mzscheme und plt-drscheme (PLT Scheme), guile (el6, mdv), bigloo (scheme compiler), nemerle (el6, mdv), yabasic, Basic, sdlbasic, Algol68, mocka (modula-2), clisp, 64tass and nasm (Assembler), mono, C# (sharp), bash/UNIX-sh, Allegro (Spieleprogrammierung), nasm (Intel-Assembler), vala, li, maxima (symbolic computation program), ocatve (command line interface for solving linear and nonlinear problems numerically, and for performing other numerical experiments), cn (GPU shaping programming language), ..., javascript, see and jythen (Java Source Interpreter), java, jre (Java Runtime Environment), javacc, jikes (Java Quellcode nach Bytecode Compiler), jay ( LALR(1)-Parse-Code-Generator für Java und C#), ocaml (el6), caml5, caml4 (parallel), hugs98, bigloo (el6), jruby (Jave-embedded Ruby), js (die Javascript-Engine), haskell, hugs98, UNIX-sh (bash, Shellprogrammierung, Shellsprache), rpmlint, weblint (HTML-Code-Validierung), wml (Website META language), Kbugbuster, nemiver und ddd (Debugger), make, a-a-p, pmake, imake, qmake, remake and cmake, bakefile (creates makefiles), bison++ (Parser), lemon (Parser), parserd, sparse und dparser (Parser), malaga, agda, gnome-do (quick launch and search), aikido (objektorientierte Sprache mit C++ Semantik), c-0.05 C-Pseudo-Interpreter, clips (Expertensysteme), open64 (sourceforge compiler suite, around 60 MB), biopython, QEdje, regexp, f4lm (Flash für Linux), execline, mawk, listres (Widget-Ressourcen), orc (Oil runtime compiler), sourceinstall, shedskin (Python to C compiler), ragel (Finite state machine compiler), rkward (kde gui to R language), ...

    Web development, Content Management Systems (CMS) u.a.: Wordpress (CMS, mdv, el6), Drupal (CMS, mdv, el6), Joomla (CMS, mdv, el6), Typo3 (CMS) , Aptanastudio (pclos, 111 MB, Aptana Studio 3.60 english: create Web- and mobile apps in a comfortable IDE ) and Kompozer (CMS, mdv, el6), moodle (el6, Aufbau von Online Learning Communities), nvu (Web Authoring System), Bluefish (HTML-Editor), screem (HTML-Editor), clearsilver (HTML-Templates), sitecopy, w3cvalidate, weblint und jtidy (HTML Syntax-Checker und Prettyprinter), jigl (Perl Script zum Generieren statischer HTML-Photogallerien), booh (Webalbum-Generator), gtkasp2php, htmlc (html-file-generator for text-files), blue-griffon (pclos), brackets (pclos), ...

    Medicine: freemed (php-MySQL), gnumed, more transparency in medicine: symptoms - diagnosis - therapie/meds - Neben- und Wechselwirkungen - Prävention : auf Datenbank gestützte "Selbstdiagnose" wie bspws. von Data Becker für MS Windows (emulierbar?; Linux-Entsprechung? beachte: nicht im Lieferumfang enthalten!), netdoktor.de, ...

    Browser: Konqueror 4.4.5 resp. 4.3.4 (el6, patched) with the built-in adblocker resp. skriptfilter (we recommended), rekonq, hv3 (based upon the tcl/tk-widget tkhtml3, this really does function!), Arora, Midori, Fennec for Mandriva-Mini (Firefox for mobile phone), Mozilla Firefox (you can upgrade by now to Firefox ESR) and Mozilla Firefox 3.6.17 (this version is actual part of the browser-top10; resp. up to Firefox ESR version in future per update (especially by just overwriting the old files with the new ones from the Tarball) with firefox-extensions like noscript, ublock-origin, useragent-overrider, flash-plugin and mplayerplugin (all available as rpm except downloadable addon disconnect, Palemoon (pclos), Cherokee (not included), Chromium, Opera, Seamonkey, Galeon, Epiphany, Kazehakase, Amaya, Lynx, Links, Dillo, brave, ....

    Browser-Plugins and firefox-addons: flash-plugin 11.2 (adobe shockwave), adobe-reader, mplayerplugin-3.55, IcedTea6 1.8.7, noscript, addblockplus, ublock-origin (extensive adblocker), totem, windows-media-player-plugin (mplayerplugin), vlc-player, realplayer9, lib64kipiplugins1-0.7.0-2mdv2010.0, plymouth-plugin-label, lib64gstreamer-plugins-base, soprano-plugin-redland, alsa-plugins-pulse-config, soprano-plugin-sesame2, qt4-database-plugin-sqlite, plymouth-plugin-script, konq-plugins, libalsa-plugins-pulseaudio, xine-plugins, qca2-plugin-openssl, lib64pt2.6.5-plugins, kipi-plugins, nspluginwrapper, nspluginwrapper, lib64audiocdplugins4, gstreamer0.10-plugins-ugly, soprano-plugin-common, lib64konqsidebarplugin4, java-1.6.0-sun-plugin, alsa-plugins-doc, qt4-database-plugin-mysql, lib64alsa-plugins, gstreamer0.10-plugins-good-0.10.16-3mdv2010.0, kde4-nsplugins, lib64vamp-plugin-sdk1, lib64opal3.6.6-plugins, lib64koplugin6, gstreamer0.10-plugins-base, libalsa-plugins-1.0.21-2mdv2010.0, lib64alsa-plugins-pulse, ...

    Filemanager: mc (Midnight Commander), dolphin (together with the complex kde-servicemenu with much more entries for the context-menu from fedora dolpin: action-submenu, virus-scan, ssh-tools, security-tools, secure file deletion, midnight-tools, annotate: nepomuk semantic search and ginkgo, Repository functionos, fast file encryption, archiving, subversion, preview, TABs, splittable windows, preview, text-, image-, video-preview, directory- and file-includes-preview direct and/or per mouse-hover, ... ), doublecmd (pclos2017), gnome-commander, konqueror, krusader (el6.ru recommended), Cowdancer, nautilus, PCMan/pcmanfm, mc (Midnight Commander), thunar, ...

    Rescue-system: mindi and direct from installation-CD/DVD, mandriva_seed (for Linux like Mandrivaone on USB-stick), draklive or mklivecd (creates a Live-DVD/-CD/-USB-stick of a mandriva-installation) or from USB-stick (liveusb-creator, mandriva-seed, unetbootin, ...), isodumper (iso-images on usb-stick, you can use the package from Mageia mga4 without needing other packages), ...

    Ready for (old kind of backups) with streamer, taper, ...

    Ebay-auctions: JBidwatcher, ...

    Allrounder: klipper (encryptable clipboard), device control and system-info (taskline), work surface switch (of a free configurable amount), Konqueror, Kontact (kmail for Email, rn, slrn, knode and gpan for Usenet, yencode ( encoder, decoder, and posting package for the popular Usenet yEnc encoding format. It features the ability to encode single or multipart archives, a smart decoder which can decode multiple files (including files specified out of order or with nonsense filenames), an optional scan mode with recursion, and an easy to use Usenet posting utility. It is fully compliant with the yEnc specifications), notecase, knotes, keepnote and tomboy (notices), calender, ...), Evolution, Mozilla Thunderbird, blogtk (weblog client) ...

    FTP-Clients: kftpgrabber, gftp, proftp, kbear, kasablanca, filezilla, anonftp, wu-ftpd, ...

    News-at-once: empathy, ...

    USV (unbreakable power supply): nut-server with nut, lib64upsclient and lib64powerman0

    Company management (on localhost and LAN) over departments: Mycompanies (from Gooken)

    Office: dayplanner, koffice, OpenOffice 3.1.1 (also tested: actual OpenOffice, you can download out of the internet, today 4.0.1), Libreoffice (not on DVD), drakoo (file format wizard for OpenOffice), libreoffice (not included on our DVD), kile and lyx (LaTeX), koffice, goffice, klatexformula, texmaker, Tetex, KPlato, web2project and planner (project management), dia and kivio (flow charts), xmind (110 MB), semantik and freemind (mindmapping and brainstorming software), docear (pclos2017), gtodo and gtg (todo-list and todo-manager) korganizer (calendar and follow up chart), ktouch, gtypist and tuxtype2 (type-writing), wordpress (online publishing), scribus 1.3.5 (desktop publishing) and magicpoint (presentation software), skrooge (finance manager), aqbanking, gnucash and Homebank, units (conversion), parley (vocabulary trainer), ding and dict (dictionary), steak, stardict (multilingual dictionary), rhyme, lokalize, gtranslator, tkbabel and kbabel (language translator, frontend for babelfish), oscommerce (e-commerce, online store), sunclock, knewsticker, xournal (pen-based journal and PDF annotator​), Bibus (biographic database manager with intergration in OpenOffice) gnutu (dayplanner for students and pupils), gcstar (collection management), glabels (gLabels is a lightweight program for creating labels, etiquettes, cd-etiquettes, images for candidacies, window-foils, visitor cards, address-sticks, cd-sticks, ring-binders, business cards and so on)visitor cards, etiquettes)

    Natural language translators: gnome-translate, kbabel, babelfish, gtranslator, ..
    GNOME Translate is a GNOME interface to libtranslate library. It can translate a text or web page between several natural languages, and it can automatically detect the source language as you type.

    Archiving: calibre (ebooks), tellico (collection book manager, organizer for videos, books and music), gcfilms (for films), comic-organizer, zotero (pclos2017, collect, organize, cite, and share your research sources, description: Zotero is the only research tool that automatically senses content in your web browser, allowing you to add it to your personal library with a single click. Whether you're searching for a preprint on arXiv.org, a journal article from JSTOR, a news story from the New York Times, or a book from your university library catalog, Zotero has you covered with support for thousands of sites.), ...

    workrave (accomanying, illustrated computer-fitness starting out of the tray against illness and disease like RSI), ...

    Telephony: kiax on the base of asterisk (PBX, not on DVD), usbmuxd (daemon for the communication with ipod touch and iphone), kphone, gphone, linphone, ekiga softphone, sflphone, antphone, sflphone, glinuxsms, smssend, mail2sms, gammu (command line utility and library to work with mobile phones from many vendors. Support for different models differs, but basic functions should work with majority of them. Program can work with contacts, messages (SMS, EMS and MMS), calendar, todos, filesystem, integrated radio, camera, etc. It also supports daemon mode to send and receive SMSes), kpilot (Palm Pilot), gnokii (Nokia Mobilphone), gnokii-smsd (SMS), ...

    Scanner: skanlite, xsane and kooka with tesseract, gocr and clara (pattern recognition out of scanned-in documents), flex (to generated scanner with text-pattern-recognition),

    Sensors, especially such ones to find more mainboard-characteristics for the integration of more kernel-modules: ksensors, lm_sensors, lm_sensors-sensord (sensord), motion (software motion detector), sensor-viewer, ...

    Library (for media on localhost and LAN): Bibliomaster (from Gooken), artha (English Thesaurus), kdict and gdict (MIT online dictionary), goldendict (dictionary lookup program), ...

    Editors and viewer: kwrite, kate, gedit, medit, ghex, vi, vim, manedit, ed (konsole, terminal), joe (syntax highlighted UTF-8 editor), nano, pico, xedit, vi, vim, ed, bvi (for binary files), xmlwriter, leafnode, poedit, yudit, awk and sed (batch file editor), emacs, dailystrips (download of online-comic-strips), comix (comic viewer), qcomicbook (database for comics), Adobereader (acroread), okular (with this, pdf-documents can not be read but pdf-formulars also filled out and overworked), xpdf, qpdfview (el6), kpdftools, epdfview and pdftk (pdf-toolkit:: If PDF is electronic paper, then pdftk is an electronic staple-remover, hole-punch, binder, secret-decoder-ring, and X-Ray-glasses. Pdftk is a simple tool for doing everyday things with PDF documents. Keep one in the top drawer of your desktop and use it to: * Merge PDF Documents * Split PDF Pages into a New Document * Decrypt Input as Necessary (Password Required) * Encrypt Output as Desired * Burst a PDF Document into Single Pages * Report on PDF Metrics, including Metadata and Bookmarks * Uncompress and Re-Compress Page Streams * Repair Corrupted PDF (Where Possible) Pdftk is also an example of how to use a library of Java classes in a stand-alone C++ program. Specifically, it demonstrates how GCJ and CNI allow C++ code to use iText´s (itext-paulo) Java classes., coolreader and fbreader resp. FBReader (ebook reader), calibre (ebook-library: international press, newspapers, websites and journals), modlogan, gnome-system-log from rpm gnome-utils, ksystemlog, chainsaw and logfactor5 (logfile-viewer), sword (bible texts), mlview (xml-tree-editor), TeXMacs (WYSIWYG mathematical text editor), pdfgrep (el6, pclos), pdfedit (el6, pclos), pdfmerge (el6, pclos), pdfshuffler (el6, pclos), pdfcrack (el6, pclos), pdfsam (el6, pclos), kid3 (ID3-tag editor), id3, eric (python and ruby editor), geany (C editor using GTK2), atom (pclos, 66 MB), ...

    hdd-anaylizes: kdiskfree, kwikdisk, baobab from gnome-utils, nagios (system-, host- and network-monitor) ...

    Filesharing: nfs-utils, kdenetwork-filesharing-kde4, kfilebox (front-end for dropbox), dropbox, nautilus-filesharing, qbittorrent, transmission, frostwire (java based filesharing), limewire and gtk-gnutella (Filesharing)

    Cloud Computing: cloud-init (el6) and cloud-utils (el6), owncloud (el6, el7), cf-cli (OpenSuSE 15, this is the official command line client for Cloud Foundry), kfilebox (front-end for dropbox), dropbox, csync (file synchronizer, which provides the feature of roaming home directories for Linux clients. csync makes use of libsmbclient in Samba/Windows environments),...

    Short-communication by terminal (internet and LAN): whoami, users, up, mesg, talk, ytalk (short-messages), netatalk (Appletalk and Appleshare/IP services), whois (information about an IP), who, whereis, whatis, finger (active user), which, last, lastb and lastlog (last logins of different user), resign from insecuring ptrace, traceroute, ..., logrotate, logfinder (finding unwanted log files, logfinder informs system administrators when their servers are collecting personal data and gives them the opportunity to turn logging off if it isn´t gathering information necessary for administering the system), whowatch (el6, display information about users currently logged on), ... ...

    Globe, streetmaps: merkaartor (OpenStreet global focusable mapping program with the opportunity to search for street names of the whole world), marble (desktop globe with street-names), google-earth (you can use a google-earth-installer), gpxviewer (https://www.pcwelt.de/a/gps-aufgezeichnete-wege-in-linux-visualisieren,3463983, download out of the internet), viking (el7, like google earth and google maps: global gps-gui with free global determinable location (search) by city, streets and house number; this did function by opening maps with OpenStreetMap (mapnik) and by clicking on city/locations ), mapserver, qlandkartegt, Map&Route (seperate software from Telekom AG), spearfish (GIS data), geoip resp. geoiplookup (to an IP), geoclue ( network, GPS, cell), navit, gpsd, qlandkartegpsd, gpsbabel, gpscorrelate, gpspoint (transferring maps), gpsutil and gpsdrive (GPS navigation, view, edit and transform GPS-maps), ...

    Weather, climate maps: zyGrib, kweather, plamoids, wmweather, ...

    Phone-books (for mdv2010, but not included): Map&Route (Telekom), das Telefonbuch (Telekom AG), KlickTel (emulated), Telefonbuch (Data Becker, emulated), ...

    Password-key-manager: pm, KeyPassX, seahorse and revelation (secure password-manager), kwallet, kwalletmanager, pwgen and makepasswd (password-generators), steghide (hides passwords in image-files), zinnia (online hand recognition system with machine learning).. ...

    Anti-spam-filter: clement (E-Mail-firewall resp. -filter), Spamassassin (with Mail::SpamAssassin::Plugin::AntiVirus activated within /etc/mail), qsf (quick spam-filter), Spamoracle, spampd (spam proxy daemon), spampl, Bogofilter, mailscanner, mailfilter, Spamprobe, dspam, pyzor, rblcheck, Junk-Filter (Thunderbird), internal filter-system (kmail, kontact), spampd (spam proxy filter), ...

    recommended software by prism-break.org: tinc (virtual private network daemon), mumble (voice communication), hexchat and weechat (IRC), unbound (DNS), kolab (Groupware-Server), kontact, ...

    IRC/IRQ: konversation, WhatsApp-desktop (pclos), alternativ (allgemein empfohlen): pidgin, kopete, gajim, gaim, quassel and xchat, telepathy, kvirc, deluge, supybot (IRC), xcam, kamera, kamoso, xcam, camorama, cambozola and cheese (webcam), ...

    Pidgin-news services (protocols): Bonjour, MSN, MXit, Mail.Ru Agent, MySpaceIM, QQ, SILC, Sametime, WLM, Yahoo, ...

    Kopete-services: GroupWise, AIM, Bonjour, Gadu-Gadu, ICQ, Jabber, Meanwhile, QQ, SMS, Skype, Testbett, WLN Messanger, WinPopup, Yahoo

    Blogger: blogilo, blogtk, choqok, ...

    CD-/DVD-burning applications: tkdvd, k3b, brasero and xcdroast (dvd-/cd-burner) with cdlabelgen and tkdvd, bombono-DVD ( for the creation of Video-DVD with title and menus), openshot (to create and mix several audio- and videotracks as much as a title generator, cross fades and effects. OpenShot is a non-linear-video-editor for free, open-source, based on Python, GTK, and MLT. It can edit video and audio files, composite and transition video files, and mix multiple layers of video and audio together and render the output in many different formats), kmediafactory, gtkatalog (catalogue for storage media), k9copy (DVD-Format-converter, not included on DVD1 and DVD2!), isomaster, iso-codes, uif2iso, nrg2iso, pdi2iso, mdf2iso, daa2iso, cdi2iso, ccd2iso, bin2iso, b52iso, iso2uif, iso2nrg (changing of DVD/CD-image-file-types), gtktalog, DivFix++ (repair of broken AVI-file-streams), batik-slideshow and imagination (in order to create DVD slideshows), actoneiso (CD/DVD-image-manipulation), dvdisaster (failure-correcture of data against data-loss from CD/DVD, repair-program), ...

    CD-/DVD-Ripper: ripperx, acidrip (DVD-ripper), transcode, rubyripper (high precision cd ripper)​,...

    dvdstyler, dvdauthor, dvdsubs (subtitle), gaupol (subtitle editor), subcomposer (subtitle composer), chaplin (DVD-chaptering), kover, disk-cover, ...

    encyclopaedia (Wikipedia): mediawiki (el6), wikipediafs, dokuwiki (helper for the authorization of documents for Wikipedia), Wikipedia-DVD 2006-2014, twiki, ...

    Medicine: freemed (PHP-MySQL), freemed, health ( unknown vendor and distribution), gnumed, diagnosis - symptoms - therapy - slide-effects and interaction databasis like "Self-Diagnosis" from Data Becker (MS Windows, emulable?; adequate software for Linux?; notice: This software is not included in our offer, so you can not find them on DVD 1 up to 3!), ...

    Astrology and astronomy: universe (OpenSpace Simulator), kstars and stellarium, spacechart, WmGlobe, real-time simulation called celestia, astrolog, ATpy (astronomical tables in Python), ast (world coordinates of the astronomy), astronomy-bookmarks, astronomy-menus (el6), cpl (el6, ESO library for automated astronomical data-reduction tasks), erfa (essential routines for fundamental astronomy), libnova ( Libnova is a general purpose astronomy and astrodynamics library), nightfall (el6, Nightfall is an astronomy application for emulation of eclipsing stars), nightview (el6, a general astronomical software package to control of a CCD camera), pyephem (el6, the astronomy library for Python), saoimage (el6, utility for displaying astronomical images), sextractor (el6, extract catalogs of sources from astronomical images), siril (el6, an astronomical image processing software for Linux), xvarstar (el6, astronomical program used for searching GCVS), ... ...

    Mathmatics: mathomatic and axiom (Computer Algebra system. It is useful for research and development of mathematical algorithms. It defines a strongly typed, mathematically correct type hierarchy. It has a programming language and a built-in compiler (not on DVD)), singular and linalg-linbox (computing linear algebra), drgeo (geometry), kcalc and qualculate (pocket calculators), mathplot, kig (interactive geometry), kalgebra, kig (interactive geometry), yacas (computer algebra language), sagemath (complex mathematic-system), rocs (graph-editor and programming language), gnuplot and zhu3d (plotter), gnumexp, pari (number oriented Computer Algebra System), geogebra (dynamische Mathematik), genius, sagemath (Open-Source-Mathematik), singular, jama and kalgebra (Lineare Algebra), mathplot, kig (interaktive Geometrie), yacas (computer algebra programming language), sagemath (umfassendes Mathematik-System, nicht auf DVD 1 and 2 enthalten), rocs (Graphen-Editor and Programmierumgebung), pari (numerisch orientiertes Computer Algebra System), rlplot, gnuplot, zhu3d (3d-Plot), gnumexp, rkward, R out of R-Base and R-cran (Sprache für Datenanalysen and Graphik), R-bioconductor (statistische Analysen genomischer Daten), atlas (Lineare Algebra), axiom (Symbolische Programmierung), bc (numerisch prozessierende Programmierung), dc (zugehöriger Rechner) cdd (Motzkin), cliquer (Cliquen-Finder in gewichteten Graphen), eclip-mwrank (elliptische Kurven über Q via 2-Deszendent),. flint (Zahlentheorie), fplll (LLL-Reduktion auf euklidische Dimensionen), gap-system (programmierbare diskrete Algebra), gbase (Zahlen-Basen-Konvertierung), gfan (Gröbner), ghmm (Markov), hexcalc, iml (ganzzahlige Matrizen), k3dsurf (3D-Oberflächen aus mathematischen Funktionen and Formularen), macauley2 (algebraische Geometrie), wxmaxima and maxima (Computer-Algegra-System, symbolische Programmierung), Octave (numerisch orientierte Programmiersprache) pari (Algebra), polybori (Polynome über booleschen Ringen), polymake, ratpoints (Sieve-Verfahren, um rationale Punkte in hyperelliptischen Kurven zu bestimmen), rattle (R data mining), scilab (numerisch orientierte Programmierung), surf (Visualisierung algebraischer Geometrie), symmetrica (mehr Mathematik für C), sympow (Estimation of special values from symmetric ellipses Graph-L-functions), tesseracttrainer, .xaos (Echtzeit-Fraktal-Zoomer), xaos (fractals, fractal graphic in realtime), qtpfsgui (image workflow), Macaulay (el6), Mayavi (el6), atlas (pclos, Automatically Tuned Linear Algebra Software), ...

    rocrail (railroad control system), ...

    Chemistry: ghemistry, gchempaint (not on DVD), gchemcal, gchemtable, IQmol (el6), IBSimu (el6), easychem, gperiodic and kalzium (atom periodic system), bkchem (python 2D-chemical-structures), jmol (Java viewer for chemical structures in 3D), chemtool, qbrew, genchemlab, xdrawchem, viewmol, oregano and spice (electronic circuits), mpqc (rosa2014.1, Ab-inito chemistry program), wise (comparisons of DNA and protein sequences), ...

    Physics: step (complex physics simulation system), units and gonvert (unit converter), ...

    Electrotechnique: qelectrotech (electric diagams), oregano and elektra and gnucap (electronic circuit simulator), gtkwave, circuits and PCB design: gEDA Attribute editor, gerbv (Gerbv Gerber File Viewer), gschem (create and edit electronic schemas and symbols), step ( interactive physics simulation ), Archimedes ( design and simulation of submicron semiconductor devices. It is a 2D Fast Monte Carlo simulator which can take into account all the relevant quantum effects, thank to the implementation of the Bohm effective potential method. The physics and geometry of a general device is introduced by typing a simple script, which makes, in this sense, Archimedes a powerful tool for the simulation of quite general semiconductor devices), Arduino ( electronics prototyping platform based on flexible, easy-to-use hardware and software. It´s intended for artists, designers, hobbyists, and anyone interested in creating interactive objects or environments. This package contains an IDE that can be used to develop and upload code to the micro-controller), ....

    Cooking: krecipes, gourmet, ...

    Biology: R-bioconductor (not on DVD), qrna (prototype rcDNA-genfinder), emboss (molecular biology), hmmr (Protein-Sequence-Analyzis), primer3 (PCR-reactions), qrna (ncRNA-genfinder), readseq (read and write of nucleoid- and protein-sequences in different formats), sim4 (cDNA and genomical DNA), tree-puzzle (nucleocid-, aminoacid-analyzis and Two-State-Data), ...

    Identity kit: ktuberling, ...

    Children: childsplay (pclos), omnitux ( pclos, 133 MB, education platform for children which aim is to provide various educational activities around multimedia elements ( images, sounds, texts ) )

    Genealogy: ancestris, Genealogy J, GenJ, gramps (Genealogical Research and Analysis Management Programming System), ...

    Ebay-auctions: jbidwatcher, bidwatcher, ...

    Stocks and finances: electron-cash (Bitcoin), bitcoin (pclos2017, Bitcoin is a free open source peer-to-peer electronic cash system %{that} is completely decentralized, without the need for a central server or trusted parties. Users hold the crypto keys to their own money and transact directly with each other, with the help of a P2P network to check for double-spending. Full transaction history is stored locally at each client. This requires several GB of space, slowly growing), gretl (economics analysis tool), qstalker (stock market charts and -analyzis), kchart (charts and other diagrams), gnucash, kmymoney, grisbi, skrooge, homebank, quasar-client (accounting software)​, QuantLib (el6), bitcoin ( pclos, peer-to-peer electronic cash system %{that} is completely decentralized, without the need for a central server or trusted parties. Users hold the crypto keys to their own money and transact directly with each other, with the help of a P2P network to check for double-spending. Full transaction history is stored locally at each client. This requires several GB of space, slowly growing ), codelite (pclos), , ...

    celtx with celtx-en is a project planner for scriptwriters and regisseurs for complete screenplays resp. scripts, storyboards, termins and information about all actors, for scene books with sketches, photographes and images, calendars for the scene termins and scene locations. Bookmarks allow linking to websites and archives. The scene book can be provided in PDF-format. There are tools to organize, participate and to inform about film projects.

    Technical data analysis and graphics: scigraphica (data analysis and technical graphics), ...

    Filetype-conversion: ffmpeg with frontend feff and transcode (filetype-converter), tidy (charsets), ...

    Webside and ftp-side mirror tool (downloads): khttrack resp. webhttrack (httrack) and pavuk (el6, GUI: option -x), nntpgrab (USENET)

    more applications: decibel (realtime communications framework, meant to integrate services like CTI (Computer Telephone Integration), VoIP (Voice over IP), text based chat and instant messaging), unetbootin resp. mandriva-seed (script to to put a bootable Linux by ISO onto usb-memory-sticks), primer3, apps installer (smartphone), gco (gnome comics organizer), lecaviste and gwine (wine-cellar), cadaver (command line webDAV-client), macchanger (changes the MAC-address of the ethernet-card), maui (job scheduler for use on clusters and supercomputers), moin (MoinMoin is a WikiEngine to collaborate on easily editable web pages), flowtool, smtpscan (remote smtp server detection), garden planner (table), akregator and liferea (RSS-feeds), ggradebook, flvtool2, flvstreamer (RTMP client intended to stream audio or video content from all types of flash or rtmp servers.), hamster-applet (time-tracker), uptodate, kchildlock (Child protection), Sweet Home 3D is a free interior design application that helps you place your furniture on a house 2D plan, with a 3D preview. Available at http://www.sweethome3d.eu/, this program is aimed at people who want to design their interior quickly, whether they are moving or they just want to redesign their existing home. Numerous visual guides help you draw the plan of your home and layout furniture. You may draw the walls of your rooms upon the image of an existing plan, and then, drag and drop furniture onto the plan from a catalog organized by categories. Each change in the 2D plan is simultaneously updated in the 3D view, to show you a realistic rendering of your layout), zint (C library for encoding data in several standarized barcode variants. The bundled command-line utility provides a simple interface to the library), ...


    Image above: image filter with special effects gmic for Gimp 2.8

    photoprint: "PhotoPrint is a utility designed to assist in the process of printing digital photographs. PhotoPrint can do the following:
    * Print photographs 1-up, 2-up, 4-up or with any user-selectable number of rows and columns.
    * Create posters, split over several pages.* Arrange images into a sort of Carousel, fading from one to another. (Ideal for CD labels)
    * Crop images to fit a specific frame.
    * Apply a decorative border to an image.
    * Make use of ICC colour profiles to provide accurate output.
    * Send 16-bit data to the printer, to avoid "contouring" problems in smooth gradients.
    * Apply a handful of effecs to an image, including sharpening, removing colour and adjusting colour temperature (ideal for cooling or warming black-and-white prints)."

    Image processing: gimp (el7, 2.8), gmic (hugh image-filter-plugin for gimp and program), inkscape, darktable, blender, k3d (3D modeling, animation, and rendering system, aoi (Art of Illusion, free open source 3D modelling and rendering studio. Many of its capabilities rival those found in commercial programs. Highlights include subdivision surface based modelling tools, skeleton based animation and a graphical language for designing procedural textures and materials), phatch (image-stack-overwork and image-renaming), quat (3D-frakcal-objects), openimage, scrot and ksnaphot (screenshots), qimageblitz, Gimp (2.6), k3dsurf (3D graphical surfaces), gliv (OpenGL image viewer with sharp image-auto-zoom), kuickshow, gpicview (pclos2017), xnview, gwenview, digiKam, albumshaper, shotwell, hotsthots, flphoto and f-spot (for times photoalbum with different center of gravity), wings3d resp. kpovmodeller resp. povray (raytracing), xmorph, potrace (vector graphic converter), kicad, qcad and gcad3d (CAD), kbarcode, barcode and zint (barcode generators), animata, darktable (negatives and raw), socnetv (social networks analyzer and visualizer), manslide (slideshow), tintii, hugin (can be used to stitch multiple images together. The resulting image can span 360 degrees. Another common use is the creation of very high resolution pictures by combining multiple images), jpegoptim (optimizer, compression), jpegpixie (black-hole-correcture in images), png2ico (png to icon), pngcheck, pngcrush and pngrewrite (PNG-compression resp. Umfang-Optimierung), ktoon (2D animation), kiconedit, synfig and synfigstudio (vector based 2D-animation), mtpaint, ...

    Construction (CAD) and Modelling: Art Of Illusion (rpm aoi), blender, synfigstudio, qelectrotech, mm3d, gcad3d, freecad, SweetHome3D, kpovmodeller, ardesia (Desktop Sketchpad), pencil, wings3d, k3d, ...

    Cliparts: clipart-openclipart (over 300 MB cliparts), ...

    Animations: clipart-openclipart (pclos2017), clipgrab (pclos2017), pencil (el6, cartoons, vector- and bitmapgraphic), ktoon, ...

    Media player: exmplayer (3D video player), rhythmbox (internet-radio, start by rhythmbox-client), amarok, audacious, kaffeine, banshee, banshee-ipod, podracer (versatile Podcast fetcher), lapod (submit the songs played on an iPod to last.fm), gnupod (command line interface for the iPod), gtkpod, gpodder (podcast-catcher), gnupod (command line tool for iPod), totem, icepodder (Graphical podcast catcher and player), podsleuth (extract meta-data from ipods), podhtml (converts pod to html), python-gpod (pod-access),..., get_iplayer (Streaming-Werkzeug für Podcast, TV and Programme), gnuradio, xmms, xmms2, gst123 (gstreamer audio player), qmmp, gmpc, vlcplayer and MediathekView (from http://zdfmediathk.sourceforge.net/) and miroplayer (including Internet Radio streams and Live- and Internet-TV), kplayer (one of our favorite), kmplayer (best is phonon, plays videos even from damaged files, mp4-codec: xvidcore(el6)), smplayer, gmplayer, mplayer, miro, vlcplayer, kaboodle, Adobe Flashplayer, flashplayer, swfdec (free flashplayer), flvplayer (Flashplayer), flvstreamer (opensource commandline RTMP client), flvtool (manipulation tool for Macromedia Flash Video Files (FLV)), audacious, gxine and xine (tcl/tk- based mediaplayer, Internet-TV), SpiralLoops and synaesthesia (audio visualization), cowbell (music organizer), timemachine (records sounds/audio from times ago), Linvdr and vdr (video disc recorder), dvr (compressed record of video and films from video-capture-cards in realtime into codecs like divx4 and Indeo5), bangarang, lplayer, songbird, last-exit (last.fm web radio player), jorbis-player, foobnix (music player), bino (rosa2014.1, Video Player with 3D and Multi-Display Video Support), enjoy (rosa 2014.1, music player), popcorntime (rosa2014.1, allow any computer user to watch movies easily streaming from torrents, without any particular knowledge), atunes (pclos, 17 MB), bomi (pclos), ...

    flv-player: flash-plugin, gnash, PCLinuxOS-FLV-Player (pclos2017), vlc, ...

    Streaming Software for Linux: Plex

    remote: lirc, allremote, ...

    vdr: amarok, analogradio, analogtv, archive, autosort, autotimer, bitstreamout, calc, cdda, channelscan, channelswitcher, dxr3, externalplayer, filebrowser, fussball, games, iptv, iaxphone, image, joystick, loadepg, mailbox, mp3, newsticker, osdimage, podcatcher, prefermenu, remote, sky, streamdev, timersync, vdrrip, weather, xineliboutput, zaphistory, ...

    Codecs: mplayer-codecs, mplayer-codecs-extra, all codecs, xlv (extended video library), get_iplayer (iPlayer, TV, Radio, Podcase program-streaming Tool), ...

    Converter: ffmpeg with frontend feff and transcode, handbrake-cli, handbrake-gui, oggconvert (any audio-files into ogg-format), abcde, dvdrip (ripper and encoder), transcode, sox, glame, lame, soundconverter, soundkonverter, ...


    Abb.:Video-Editor pitivi TV, Video processing: streamripper, mediainfo, f4l (flash-editor), fly (to generate GIF on the fly), ifdvbtune (tuner for DVB-cards), antenna-dtv (free and open-source dvb-t (terrestrial digital tv) tuner for linux desktops. Antenna is a full featured tool to see what´s going on in the sky. It enables you to scan, watch and record television, radio and services broadcasted on air), dvbsnoop, dvbstream, dvb-utils, kdenlive, kino, cinelerra, pitivi, auteur, lives, openshot and avidemux (video-cut and -processing), videoporama ( image slideshow, export to video file), video4fuze ( video format converter by fuze ), alevt, zvbi and zapping (BTX), tvok (TV: watching and recording), kwintv, xawtv, tvtime (TV), irkick (infrared), gshowtv and nxtvepg and tvbrowser (TV-program), xvidcap (an efficient way of capturing your video into a video using console-based commands), openshot (with 3D-effects), fb2png (screenshots from framebuffer), shutter, mando (interactive camera-projector-system), luciole (stop motion software for animation movie realization), cinepaint (colorize movies), griffith (film collection manager), smtube and minitube (play and download videos from youtube), tvok (watching and recording TV), subtitleeditor (el6), stopmotion (rosa2014.1), ...

    Audio processing: derrick (stream recorder), csound (Music-synthesis sound-mixer), gnupod, gtkpod, podracer (versatiler, downloads from Podcasts), gpodder (graphical podcast), gnupod (commandline-tool for iPod), lapod (iPod-last-played songs on last.fm), dopi (Song-uploader for ipod), icepodder (graphical podcast catcher and player), podsleuth (extract meta-data from ipods), podhtml (converts pod to html), python-gpod (pod-access), ipod, mscore (compose and notation), kwave, audacity and gramofile (audio processing of LP), Tutka and tse3 (MIDI sequencer), mma (MIDI-accompainment), rosegarden (midi-, audio- and noteeditor), streamripper (audiostream-recorder), bristol (sound machine), jamin (multi-track-studio, soundtrack-mixer, for example for techno music), zynaddsubfx (MIDI-syntheziser), TiMidity++, mixxx (Music DJing Software), timidity++, puddletag (audio-tag-editor), WhySynth (versatile softsynth, which operates as a plugin for the DSSI Soft Synth Interface. Some of its features are 4 oscillators, 2 filters, 3 LFOs, and 5 envelope generators per voice, 10 oscillator modes: minBLEP, wavecycle, asynchronous granular, three FM modes, waveshaper, noise, PADsynth, and phase distortion, 6 filter modes, flexible modulation and mixdown options, plus effects), songwrite (composer with guitar-tabulators), songwrite2, gscore (note editor), lingot (instrument tone tuner), gtkguitune and lingot (two instrument- resp. guitar-tuner), fretsonfire (guitar playing by keyboard), gnuitar, ktabedit (tabulators) and rakarrack (effects for the guitar), gnometab, ecasound and Tuxguitar (guitar-tabulators), guitarix (guitar amplifier) with jackit (jackd, for the line-in-input and output), kguitar, gtkguitune and gnuitar (effects), drumstick, hydrogen (drum-machine, drum computer), terminatorx (audiosynthesizer for DJ works to scratch and for realtime-effect), FreeJ (vision mixer, a digital instrument for realtime video manipulation used in the fields of dance teather), veejaying, medical visualisation and TV), kaudiocreator and streamripper (audio stream recorder), swami (GPL sound font editor),cowbell (music organizer), streamtuner (Internetradio-streambrowser), last-exit ( last.fm Webradio- Player), kradio (a simple radio), qtradio, gnomoradio (searches for provided music for free), radio, hinedo (hinet-radio), sSpiralLoops and synaesthesia (Audio-visualizer), timemachine (records sounds from the past), lilypond, Sound Juicer, ripperx, rubyripper, dagrab and grip (Audio-Dateien von CD/DVD rippen), JuK, beep, clamz (downloader for the Amazon Music Store), csound, mp3info, mp3blaster, mp3stat, mp3val, mp3asm and mp3gain (mp3-player and mp3-failure-correction), DarkIce (IceCast, IceCast2 and ShoutCast live audio-streamer), dap (audio-Processing and editing), songbird (media player mixed up with the web), speaker-test, gnusound, jokosher and jorbis-player, kaudiocreator, extace ( rosa2014.1, Waveform Viewer with ALSA support ), flacon (rosa2014.1, audiofile-splitter), qtractor (el6, an Audio/MIDI multi-track sequencer), soundtouch (el6), calf (pclos, 14 MB, audio plugins for the DSSI, LV2, and LADSPA interface. Calf contains the following audio effects: vintage delay, rotary speaker, reverb, multi chorus, flanger, phaser, filter, compressor. It also contains two full-blown synthesizers: monosynth and organ), ....

    ... and more: cclive (Tool for downloading media from youtube and similar websites), ...

    Amateur broadcasting: ax25-apps, hamradio, hamlib, lib64ax25, talk-ax25, dpaccess, ghu, gnuradio, hamfax, demorse, acfax (Amateur Broadcast Fax Receiver), ...

    wireless LAN Access Point controller: chillispot, Coova-Chilli is a fork of the ChilliSpot project - an open source captive portal or wireless LAN access point controller. It supports web based login (Universal Access Method, or UAM), standard for public HotSpots, and it supports Wireless Protected Access (WPA), the standard for secure roamable networks. Authentication, Authorization and Accounting (AAA) is handled by your favorite radius server. Read more at http://coova.org/ and http://www.chillispot.org/), ...

    wammu (mobile phone manager), Multimedia-center: lmmc (linux multimedia studio, techno sound producer and techno sampler), xbmc (Home Entertainment System and mediaplayer), mms My Media System is an application that manages, displays and plays media content such as videos, music, pictures, scripts, TV, TV-program (EPG), wheather forecast, search resp. find and more. MMS runs perfectly on anything from a Set-Top-Box connected to your TV-Set, to your specially tailored multimedia PC and HD display. As the name implies, MMS is a media system with you in control. It lets other applications such as MPlayer, VDR, or Xine take care of what they respectively do best, and integrates them into one system, that is easy to understand and operate. By combining their individual strength, you get the best of all worlds, in one media application, slimrat (downloads from Rapidshare.com), movida, ....

    Games for Linux (mdv2010) from fr2.rpmfind.net (many of them provided by SDL and/or OpenGL)

    The amount of OpenGL- and SDL-games, pygames, games from steam and windows emulatable and other games becomes quit unlimited for introduced "Universal-Linux" and is still increasing. Most of them still can not be found on installation-DVDs. Advantage of Universal-Linux: The operating system and platform must not change to play many of them.

    Many, but not all games care for the right screen-resolution by themselves. krandrtray cares for its manual adjustment. The resolution might differ each open-GL-program. This configuration-tool should be loaded into the tray, by creating the desktop-file krandrtray.desktop in /usr/share/autostart.

    Games (DVD 1 and DVD 2 depending on their capacities; as we do not have to care too much about insecurties anymore...): playonlinux (prepare for games other OS), opengl-games-utils, game-compat (additional compatiblity), joystick, jscalibrator (joystick calibration), qjoypad, opengl-games-utils, ...

    Many Linux-Games can be played alone against the computer as much as against other player all over the net! Configure the pathes in ~/.bashrc and ~/.bash-profile, by adding /usr/games.

    OK/etc/X11/xorg.conf: Remove all screen resolutions except the actual permanent chosen one and choose very tiny,small frequencies tolerances. Some graphical games like to refer to the remaining one(s) directly and the display including the fonts are kept always brilliant sharp.
    Section "ServerFlags"
    Option "DontZap" "True" # disable S> (server abort)
    #DontZoom # disable / (resolution switching)
    AllowMouseOpenFail # allows the server to start up even if the mouse does not work

    Section "Module"
    Load "dbe" # Double-Buffering Extension
    Load "v4l" # Video for Linux
    Load "extmod"
    Load "glx" # 3D layer
    Load "dri" # direct rendering

    Section "Monitor"
    Identifier "monitor1"
    HorizSync 30-80
    VertRefresh 59.8-60.47

    # Monitor preferred modeline (59.8 Hz vsync, 47.7 kHz hsync, ratio 16/9, 84 dpi)
    ModeLine "1366x768" 85.5 1366 1436 1579 1792 768 771 774 798 +hsync +vsync

    # modeline generated by gtf(1) [handled by XFdrake]
    ModeLine "1280x720_60" 74.48 1280 1336 1472 1664 720 721 724 746 -HSync +Vsync

    # modeline generated by gtf(1) [handled by XFdrake]
    ModeLine "1280x720_50" 60.47 1280 1328 1456 1632 720 721 724 741 -HSync +Vsync

    Section "Device"
    Identifier "device1"
    VendorName "Intel Corporation"
    BoardName "Intel 810 and later"
    Driver "intel"
    Option "DPMS"

    Section "Screen"
    Identifier "screen1"
    Device "device1"
    Monitor "monitor1"
    DefaultColorDepth 24

    Subsection "Display"
    Depth 24
    Modes "1366x768" "1360x765" "1280x720"

    Section "ServerLayout"
    Identifier "layout1"
    Screen "screen1"

    Section "InputDevice"
    Identifier "Mymouse1"
    Driver "mouse"

    # Option "Device" "/dev/ttyS0"
    Option "Protocol" "ImPS/2"

    # Option "Device" "/dev/psaux"
    # Option "Device" "/dev/ttyS0"
    Option "Device" "/dev/input/mice"
    Option "Emulate3Buttons" "true"
    Option "CorePointer"

    # Option "Protocol" "Auto"
    # Option "Protocol" "ExplorerPS/2"
    # Option "Protocol" "auto"
    Option "ZAxisMapping" "4 5"

    Boswars (bos (mdv2010.1, game)): cd /usr/share/games/bos/graphics/ui && cp -f ui_1280_bpanel.png ui_1366_bpanel.png && chown root:root *.png && chmod 644 *.png

    OKGraphic card ITX mouseclick-fast, set in BIOS of ITX-220 Northbridge to COMBO-mode or DVMT > 128 MB (we´d like to recommend); notice that graphics of a few games still have to be configured through their menu. For some games at least 4 Gb ( 2 × 2 Gb) DDR-2 666 Mhz is recommended!

    Increasing amount of OpenGL-, SDL-, Python-games and other games!
    Beneath listed OpenGL,- SDL- und Python-Games of mdv2010 up to mdv2012, el6, el7, rosa2014.1, rosa2016.1 and fc an increasing amount (even of new releases) can be downloaded out of the internet too!

    mdv2010 (maintained by rosa2014, rosa2016, ...) - Top-Games (all error-free and wrinkless, but updating with rosa2014.1 might extend his feauture): njam (kind of "Pacman"), SDL-games, gnome-sudoku (Sudoku), sudoku, PySOL, Klondike, xpat, kpat and AisleRiot and klondike (Passiencen), kpatience (Asse hoch, Simple Simon, Freecell, Golf, Klondike, Mod3, Spider, Fourty and Eight, Yukon, ...), foobillard (3D billiard), kbilliards (fc22, kdelibs3 (el6)), frozen bubble and monkey bubble, rapaigawpoker (RA Pai Gaw Poker), poker2D, xskat (Skat), lskat, jskat, freedoko (Version 0.6.0 oder aktuell), kiriki and tali (Kniffel), dreamchess, eboard (local and online), gnuchess, glchess, chessx, knights, xtengen, brutalchess, samuel (Dame), quarry (Go, Amazons, Reversi), gnome-sudoku, tetravex, muehle 2D (muehle2D_bin122.zip), mahjongg3d (MahJongg 3D Solitaire), ksquares (Käsekästchen), tali and kiriki (Kniffel), grhino and iogno (Reversi/Othello), njam ("pacman"), clusterball (emulated by wine), gl117, flightgear, searchendrescue (helicpoter), mario: mari0, mario secret chronicles and megamario, goonies (pclos2017), ri-li, bubbros, blinken, bse_schlacht (similar to Mensch-Ärger-Dich-Nicht, emulated and from http://www.onlinewahn.de), palapeli, brainparty, gbrainy, arcade-puzzle, frozen-bubble, plee-the-bear, abe (processed only on elder packages resp. elder files), kiki (the nanobot, omv2015), fillets-ng, unknown-horizons, amphetamine, FooBillard, tuxfootball, freetennis, tuxpuck, canonsmash (3D table tennis), volley, blobby (Blobby Volley), trackball, neverball, neverputt, kolf, skijump (did not process on our system), csmash (CannonSmash, 3D table tennis), stepmania, pydance, freeorion (rosa 2014.1, 120 MB-Game), freeminer (rosa2014.1), freeplane (rosa2014.1), armagetron, armagetron-advanced, vdrift, tuxkard, supertuxkard, tuxracer, supertuxracer, extremetuxracer, penguinracer, whereverracer, supertux, Stormbaancoureur, torcs and speed-dreams (Formel1), ktron, supertuxkart, tuxkart, xmoto, motogt, triggerrallye, maniadrive, stuntrally, ultimatestunts, fretsonfire, tecnoballz, blobboats, searchandrescue (helicopter simulation), glx-copter-commander, urbanterror (1-GB-Game), 0ad (0.A.D., around 550 MB, pronounced "zero ey-dee") is a free, open-source, cross-platform real-time strategy (RTS) game of ancient warfare. In short, it is a historically-based war/economy game that allows players to relive or rewrite the history of Western civilizations, focusing on the years between 500 B.C. and 500 A.D. The project is highly ambitious, involving state-of-the-art 3D graphics, detailed artwork, sound, and a flexible and powerful custom-built game engine. The game has been in development by Wildfire Games (WFG), a group of volunteer, hobbyist game developers, since 2001..), warzone2000, lgeneral, scorched3d, adonthell, aisleriot, barrage, bzflag, netpanzer, granatier, btanks, atanks, blobwars (Metal Blob Solid), bjs, wesnoth, dccnitghtmare, mog (maze of galious), naev (300 MB, Space Combat Game), 7kaa (Seven Kingdoms), simutrans, micropolis, openttd, cultivation, stratagus, freecol, freeciv, d2x and d2x-rebirth (Descent2), freeciv, globulation2, simutrans, cultivation, micropolis, openttd, opencity and lincity-ng (city simulation), scourge, slune, luola, wormux, worminator, towertoppler (Nebulous), egoboo, glest, megaglest, einstein (puzzle), sdlwolv and wolf3d-shareware (Wolvenstein), hexen2, hheretic, halfd, millions, edgar, chromiumBSU, superburgerwld, freedroidrpg, freedroid, frogatto, astromenace (hardcore 3D shooter), kobodl (KOBO De Lux), highmoon, Might and Magic IV, clusterball (wine-emulated), criticalmass, cdvst, noiz2sa, glaxium (fc24, fc25, fc26), xsoldier, xgalaxy, xgalaga, eternallands, nethack (nethack falcons eye), flare (role playing, adventure), paintown, openmortal, orbital-eunuchs-sniper, pingus, flaw, luola, tux_afqh, nexuiz, openspades (pclos), smokingguns, warsow, prboom, vavoom, chocolate-doom (pclos2017), chocolate-hexen (pclos2017), doom/doom-games, world of padman (wop), teeworlds, adanaxisgpl, quakespasm, America´s Army, Hexen2 - Hammer Of Thyrion, chickennix (pclos, shoot´em-up game), teeworlds, engine chocolate-doom, alienarena, openarena, xonotic (successor of nexuiz), assaultcube (similar to counter strike, mkdir ~/assaultcube_v1.0/config, configuration file: ~/assaultcube_v1.0/config/init.cfg: "fullscreen1 scr_w 1366 scr_h 768 colorbits 24 depthbits 0 stencilbits 8 fsaa 0 vsync -1 audio 1 soundchannels 32 lang de"), abuse, vegastrike, darkplaces, marathon-infinity, alephone, tremulous, 0verkill (zero-overkill), dcctnitghmare (dnt), bobobot, 5ball, spacepong, warmux, freeorion, solarwolf, performous, apricots, asylum, Project: starfighter, openttd, drugwar, beret, minetest, nukem3d, highmoon, unvanquished, Mirror Magic, marsshooter (mdv2010.2 runs fine on glibc-rosa2014.1), pinball, freelords, reeciv, freecol, eternallands, nukem3d, holotz-castle, naev, nil, corsixth, liquidwar6, liquidwar, t-crisis, drascula (adventure), dreamweb (el6, adventure), bubbros, heroes, hedgewars, instead, openlierox, pinball, supermethanebrothers, xblast, krank, biniax2, defendguin, sudoku, krank, kiki (the nanobot), plee-the-bear resp. Plee The Bear (orig-tar or rosa2014.1), meandmyshadow, bloboats, retrovaders (Space Invaders Clone), jumpingcube, kubrick, asteroids3d, defendguin, lpairs, dragonmemory, memorypairs, mirrormagic, briquolo, xfrisk, frisk, gtkatlantic, pandemic, kapitalist (Art Monopoly), 3D Train Studio, ri-li, biniax2, bjs (3D tank wars), bse_schlacht (with bse-cows: wine-emulated, like Malefiz resp. Mensch-Ärger-Dich-Nicht), berusky, adonthell, ardentryst, flare, pathological, eternallands, widelands, digger, luola, pydance, stepmania, criticalmass, cdvst, amoebax, highmoon, tux_afqh (3D adventure), xpired, rocksndiamonds, funguloids (buggish code), stratagus, wargus (Warcraft II), knubrick and gnubrick (magic cube), lincity-ng (city simulation), dangerdeep (German submarine simulation), desurium, mures, djl, kbtin, manaplus, secondlife (Life 3D virtual world), halfd, simsu, swell-foop, xletters, dcctnithgtmare, xkarel, vassal (Engine), ksudoku, pythonsudoku, sudokuki, tetrinetx, instead (Adventure), freedink (pclos), flare, tmw, quadrapassel, rolisteam, goatattack (rosa2014.1), crack-attack (pclos2017), steam (Engine), openmw, performous, nfrotz (Engine), pushover (pclos, domino game), oilwar, Ogres (Engine), minetest, monster-masher, mudix, netrek-client-cow, lucidlife, lutris (to install any video game), kmuddy, iagno, gytha, freelords, fheroes (freeheroes), gnotravex, xye (puzzle), gnome-games, gnome-games-extra, gmudix, fglc, fgrun, fizmo, dvorak7min, pangzero (pclos), canta, bluedj, bsd-games, auralquiz (music quiz), dark-oberon (similar to Warcraft II, but with a texture made of plasticine), xsw (XStarshipWars), anglewars, alienpool, koules, minetest (pclos), viruskiller (pclos), zaz (pclos), playonlinux (around 200 Top-Windows-Games), steam: Counterstrike, Half Life 2, Wasteland 2, uqm (UrQuanMaster, Star Control2 with voice files), Civilization V and The Witcher 2. System requirement: for the steam-client of Linux is a graphic-card with drivers from Nvidia, AMD or Intel.and more Win&Mac&Amiga&... depending on the "grad" of emulation and
    more OpenGL-, SDL-games, pygames and other games from all over the internet

    PlayOnLinux: Je nach Vorbereitung des MSWindows-Emulators playonlinux von wine (wine32 oder wine64) lassen sich unzählige Windows-Games installieren und emulieren, das Gleiche für Games ursprünglich von Amiga, Commodore, Atari, Cedega usw.. Es gibt neben jeder Menge solcher Games for free auch free und kostenpflichtige Games für Linux wie aufgelistet auf http://holarse.de/ und https://www.gamingonlinux.com/sales/
    Spiele von PlayOnLinux (playonlinux (pclos2010)):
    Wheels of Steel, 3D Train Studio, A.R.E.S (Extinction Agenda), Age Of Empires I und II, Age of Mythology, Age Of Wonders, Alien Breed 2 und 3, Alien Carnage (Halloween Harry), Alien Swarm, Alone In The Dark (The New Nightmare), Anno 1602, Assassin´s Creed, BLAZE - mechforces, BMW M3 Challenge, Baldur´s Gate: Tales of the Sowrd Coast, II, Throne of Bhaal, Battlefield 2, Best One Poker, Bioshock, Black and White 2, Blade Runner, Blood Bol, Blur, Borderlands, Breath of Fire IV, Bulletstorm, Cacodemons Barbecue Party in Hell, Caesar III, Call of Duty 2, Call Of Juarez Gunslinger, Call of Chtulhu: Dark Coners of the Earth, Call of Duty 4: Modern Warfare 1, 2, 3, Cars 2, Champions Online, Chuzzle PC CD-Rom, Cities XL Platinum, CivCity Rome, CivNet, Civilization IV: Complete Edition, Clive Barker´s Jericho, Colin Mcrae Rally 04, 2005, Command and Conquer 1 und 3, Crayon Physics, Crea Vures, Croc Legend of the Gobbos, Dark Age of Camelot,: Labyrith of the Minotaur, Dark Messiah of Might and Magic, Dawn of War: Dark Cursade and Soulstorm, Dead Space 1 and 2, Deadpool The Game, Deep Finesse, Desura, Devil May Cry 4, Diablo II: Lord of Destruction, Diabolo III, Divine Divinity, DmC: Devil May Cry, Dragon Age2: DLC, Awakening, Origins, Driftmoon, Druid Soccer, Dungeion Siege III, EVE online, Emperor, Escape from Monkey Island, Eherlords 2, EveryQuest II Sentinenl´s Fate, F.E.A.R 1 and 2: Project Origin, FEZ (Steam), FIFA 11, Fable: The Lost Chapters, Fallout 3 - DLC, New Vegas, Far Cry 2, Final Fantasy: III and IV, FlatOut II, Football Manager 2010, Forbidden, Full Tilt Poker, GEX 1.0, many games from GOG.com, GTR2, Geheimakte Tunguska - German, GhostRecon, Goblins 3, Gothic 1, Grand Theft Auto 3 and Vice City, Guild Wars, Half-Life 2: Episode One and Two + Lost Coast + Blue Shift, Hanahira!, Hard Reset (Steam) Heroes of Might and Magic 5: Tribes Of the East, V, Heroes of the Storm, Hidden and Danerous Deluxe, Hitman 2 and 3, I Miss the Sunrise, IL2: Sturmovik, Indiana Jones and the Fate of Atlantis, Industry Giant II, Jerusalem: The 3 Roads To The Holy Land, King´s Bounty: The Legend, Kingdoms Of Amalur, LIMBO, LRose Online, La Panthere Rose 1 and 2, Lara Croft and the Guardian Light, Last Chaos, Legacy of Kain, Legions: Overdrive, Lemmings 2, Lume, Mafia, Mafia II, Magicka, Mansion Poker, Marine Malice 2, Mass Effect 1 and 2, Max Payne 1 and 2, Metal Slug Collection, Micosoft Freecell, MS Fury 3, MS Pinball, MS Spider Solitaire, Midnight Club II, Might and Magic IV: The Mandate of Heaven Platinum Edition, Monkey Island 2, Mount and Blade, Myst III and IV, Need for Speed, NeverWinter, NosTale, Nox, OnLive, Orcs Must Die! 1 + 2, RKR Poker, Paddy Power Poker, Path of Exile, Pathologic Classic HD, Pharaon, Pizza Syndicate, Planesape Torment, Planet Pokémon, Pluto Strkes Back, Poker Stars, Poker Stove, Portal 1 and 2, Prehistorik, Prince of Persia, Project 64, Proun, Q.U.B.E, Race Driver: GRID, Rage, Rally Championship 2000, Rayman2, Rayman Origins, Re-Volt, Red Faction II, Rex Cribbage, Richard Burns Rally, Risen 3: Titan Lords, RolleCoaster Tycoon 3, Runaway 1, 2 and 3, Runes Of Magic, Runespell: Overture, Ryzom, S.T.A.L.K.E.R., Sacrifice, Sam and Max 201, Sanctum, Seals with Clubs, Secret of Monkey Island Special Edition, Serious Sam, Settlers 4, Silent Hill 2, SimCity, Ski Challenge, Soldat, Soldier of Fortune Platinum, Sonic Adventure DX, Sonic and SEGA: All Stars Racing, Sonic Fan Remix, Spelunky, Spore, Star Trek Online, Star Wars, Star-Twine, Starcraft II: Wings of Liberty, Starlight Resonance, Steam, Steins;Gate, Strong Bad 101: Homestar Ruiner, 102: Strong Badia the Free, Sronghold, Stunt GP, Supaplex, Super Chuch Norris Bros., Super Meat Boy, Super Street Fighter IV, Supreme Commander, Swat 4, Syberia II, Synthesia, System Shock 2, Talisman, The Darkmod, The Elder Scrolls I - IV, : The Matrix, The Next BIG Thing, The Settlers II, The Sims, The Truth, The Witcher 1 and 2, Th ee Wolf Among Us, Theme Hospital, Theme Park World, Toca Race Driver 2 and 3, Tomb Raider, Toontown Online, Total Annhilation, Trackmania Nations and United Forever, Trainz Railroad Simulator, Tribes, Tropico 3, Tunneler, Two Worlds (GOTY + II), Unreal Tournament 3, Vanage Master Online, Villagers and Heroes, Volvo - The Game, Warcraft II + III, Warrior Kings Battles, Wolfenstein, Wolfenstein 3D, World Of Tanks, World of Warships, World Racing, World in Conflict, Worms Reloaded, Worms World Party, X3: Terran Conflict, Xenon 2, Zeus: Master of Olympus, Zoo Tycoon 2, rFactor1

    Games (demo, fc) with data files out of the internet: vavoom-strife, vavoom-hexen, vavoom-heretic, ...

    Game Engines (mga, mdv, rosa, pclos, fc) for an infinite amount of games (from internet or other media): quake1, darkplaces, yamagi-quake2, quake2, ioquake3, quake3, chocolate-doom, vavoom, doomsday, cube engine, sauerbraten (cube2), irrlicht, SDL, SDL2, ode, pygames resp. python-games, ...

    Halcyon: EAs new graphic-engine also for Linux, PRO LINUX, 30.10.2018

    Play everything - with moonlight!, PRO LINUX, 29.10.2018
    You have a gaming-PC and want to play onto platform Linux? With Moonlight games can be streamed over the network.

    Steam Play: More Windows-games, that can be gamed for Linux, PC-WELT.de, 22.08.2018
    Valve presents a new Beta from Steam Play, that enpossibles to game even more Windows games for Linux.

    Free car racingl Yorg with multiplayer-support, PRO LINUX, 22.06.2018

    Cover of "X-Plane kompakt"
    X-Plane kompakt
    Manual for the flight simulator X-Plane in german language, https://www.pro-linux.de/artikel/2/1529/x-plane-kompakt.html

    In best form too: Sudden Strike 4

    "Surviving Mars" for Linux, Pro-Linux, 03.16.2018

    "Unforeseen Incidents" for Linux released, PRO LINUX, 05.30.2018

    "Total War Saga;: Thrones of Britannia" for Linux introduced, PRO LINUX, 06.07.2018

    "Albion Online" for free, PRO-LINUX, 11.04.2019
    Sandbox Interactive has turned the Sandbox-MMO "Albion Online" into the Free-to-Play-modell. By this adventurere can lunge at the world of Albion upon Linux for free. Nothing does change for the previous business-model except the omit of the payment barrier.

    "Imperator: Rome" - Paradoxs new strategy game also for Linux, 05.22.2018

    RPG &quo;Pillars of Eternity II" released, PRO LINUX, 05.11.2018

    Ego-Shooter Ziggurat for Linux for free
    Gog.com provides one more free game..

    "Serious Sam 4: Planet Badass" for Linux confirmed, PRO LINUX, 04.25.2018

    "Rise of the Tomb Raider" for Linux released, 04.20.2018

    "Hum­ble Pa­ra­dox Bund­le 2018" with many Li­nu­x-games, PRO-LINUX.de, 01.30.2018

    "Neverwinter Nights: Enhanced Edition" for Linux, Pro-Linux, 04.02.2018

    Humble Bundle with more new packages, PRO LINUX, 30.10.2018
    Das Humble-Bundle-Team hat zwei neue "Humble Bundles" geschnürt. Unter dem Titel "Day of the Devs" finden sich zahlreiche Spiele, die auch unter Linux verfügbar sind. Das "RPG Maker"-Bundle vereinigt dagegen die Anwendung und diverse Resourcen. Weiterhin erhältlich ist immer noch das "WB Games Classic Bundle".

    Past "Tomb Raider", "Rise of the Tomb Raider":: "Shadow of the Tomb Raider" for Linux announced, PRO LINUX, 22.11.2018


    Life is Strange 2 for Linux, PRO LINUX, 21.11.2018
    [...] Die Brüder Sean und Daniel Diaz sind nach einem tragischen und mysteriösen Vorfall in Seattle gezwungen, ihr Zuhause zu verlassen und Richtung Mexiko zu fliehen. Das Leben auf der Straße ist jedoch hart, und Sean, jetzt voll und ganz für seinen viel jüngeren Bruder verantwortlich, erkennt schon bald, dass seine Entscheidungen auf der Reise gen Süden ihr Leben für immer verändern werden....

    Total Warhammer II for Linux, PRO LINUX, 22.11.2018

    How to play in mode fullscreen, if not functioning: Open the configuration-files and choose mode windows. Start and choose the actual screen resolution instead of mode "auto".

    pyopenglPython-Games, "small games for the long pause": https://www.pygame.org/wiki/GettingStarted, http://pygame.org/tags/pygame: solarwolf (el6), spacepong (el6) and much, much more python games in the rubriques:
    pygame arcade (612), 2d (582), pygame (533), game (264), puzzle (239), shooter (190), python (163), strategy (154), libraries (152), other (143), action (131), space (112), spam (101), rpg (96), multiplayer (95), applications (92), platformer (84), gpl (80), pyopengl (71), pyweek (6)

    ... in detail (extraction pygame):

    pygame_cards is a python package for creating simple card games powered by Pygame framework, Dumb Jump, simple impossible game inspired platformer,
    Shift Puzzle, 2d shift puzzle. About 130 lines. Simple example of a 2d game with mouse control using pygame,
    Bullet dodger, a fun and challenging mouse game where you must dodge bullets,
    Wario Land 3, Nintendos Wario Lad 3 for the Gameboy Color recreated in pygame, Graphformer, a platformer (engine; some levels have been included) with bitmap collisions,
    Learn Music 1.2, a program to help anyone Learn Music Theory and chords, this is a music educational tool with randomly generated self assessments, learn jazz chords in any scale, intervals etc.
    rpeg - FTL Styled Game Engine, rpeg is a game engine and editor designed to create roguelike, FTL-styled games,
    Tank Fission, A 1 on 1 top down tank game, with multiple weapons, barricades, trees, playing maps, and computer-controlled turrets,
    Piexel, a short game about square wanting to discover, why his memories are lost,
    Money Management, this is a simple application for managing how much money you have,
    Pixeldodge, dodge the enemies!, Secret Trump,
    koxinga, like board game Jamaica,
    pyHashi, a clone of the logic puzzle Hashi, aka Bridges or Hashiwokakeru,
    Bunny and Badgers, a Python game with a Bunny and some Badgers, Planet GP, by Tormented Pixels, the objective of the game is to race around each planet course as fast as possible, PB-Ball, Python Basketball Game, gsdl2 - Gumm´s SDL2, Gumm´s SDL2, a purely Pythonic pygame-like that targets pypy and SDL2,
    PC-BASIC, a free, cross-platform emulator for the GW-BASIC family of interpreters,
    easy scales and chords, an absolutely easy way to find notes in chords. Good for musicians who haven´'t studied music crossfiregrid, a little game you can play with one hand and one braincell while having a phone call,
    Planet GP, the objective of the game is to race around each planet course as fast as possible, awesome Space Shooter, turn-based space shooter,
    Snot II: The Rubberland [Android], Android port of my old hardcore puzzle platformer, written in Python/PyGame/PGS4A. Now with 15 levels and a lot of new cool stuff. Really playable. Really hard. Really free,
    Argh-steroids, Asteroids-like arcade game, with a twist, SLC Shmup´ a basic shoot em´ up created in about 2 frantic weeks between school and track practice,
    PY ROLLERS CASINO, a collaborative Pygame project YOU can contribute to, Py Rollers Casino is a group Pygame project focused on creating a collection of casino mini-games,
    London´s Burning!, a game about defending WW2 London from the blitz!,
    Lap Master, drive fast, stay on the track, get the best time,
    Juggleball, a minimalist game about trying and failing to juggle with your keyboard,
    cube-hunter is an shoot-them-all game in an cube mesh funny to play performed with pyopengl, attack Vector is a rail shooter with voxel graphics and retro sensibilities,
    Macario is a pyrotechnician, who is responsible for fireworks in different locations. He is so hopeless, that he keeps losing his matchboxes, but at least he always manages to keep a single match! Help him get his job done while travelling with him around the globe. Light all the fireworks in each level before the match extinguishes.
    Mind the mobs! If you fall or run too fast, the match will burn out faster,
    PyFormula1, a race game on circuits against the clock, with music, animations, and effects,
    SnakeByte, a snake pacman game with levels generated with raw text files generating the walls from the labyrinth, the apples to eat, the snake start position and the phantoms including their moving circuit, Flood It, ge made for the contest "Batalha de Games",
    Space Gladiator The Spiritual Warrior, 2D space shooter with original music for each level, power ups, teleport, multi levels,save and load game, AI Sky Eraser, fast-paced caravan shmup written in Pygame -- erase the sky!, bombr, bomberman clone, don´t Touch The Edge!, a simple twitch-finger game,
    Conway´s Life, I did a Conway´s Life program with some nice feature,
    Slopy Platforming, a scrolling platformer that handles sloped surfaces. A learning exercise, that I will try to build upon to turn into a real game,
    Ultimate Tic-Tac-Toe, Tic-Tac-Toe, but with an intense twist! This game packs almost as much strategy as chess, with much more simplicity,
    Mouse Game, a challenging game, where you must reach the end of the level without touching anything,
    Missile Game, Dodge the incoming missiles in 3 different game modes and see just how long you can last,
    Matchmaker, Use your memorization skills to outmatch your opponent! Find matches and avoid the mismatches to win,
    Gravity Game, launch your spaceship towards its destination but beware of the red planets´ gravity fields,
    Entangled, make the longest chain in this challenging puzzle game, 8-Bit Dimension, yet another Arkanoid,
    Namotavka, addictive 2D logic & puzzle game,
    MaTris, yet another tetris clone. Has a tetromino shadow, which makes it simpler to play quickly. Has some sounds too (created with sfxr),
    Lunar Panda, space action game featuring one brave Panda and a jetpack!,
    MiniWorld, an RPG Game similar to Legend of Zelda done in python and pygame,
    jBot, 2d platformer game about a robot, run and jump to collect coins and shoot your way through mobs and blue barrier doors. Avoid getting hit by spikes, lasers, or mobs and find your way to the white exit,
    Games Pit, a minigames collection for children and a framework to start programming simple games,
    Double Cross, unlike your common unilateral falling block games, "Double Cross" implements a bidirectional paradigm expanding the genre in both dimension and difficulty,
    Arachnoid, an Arkanoid/Breakout clone with moving spiders instead of bricks,
    Soldat Air Force, side view, fly a plane, rocket launching, firing machine guns, trying to knock down enemy aircraft. There are also allied aircraft (Friendly Fire off),
    Python Defender 2, this game is a follow up to my original version of pythonDefender. It is another shoot em up, only I have added a lot more functionality,
    Basic Blind Chess, Blind Chess also known as "Dark Chess" or "Banqi"
    M or Half Chess , is a two-player Chinese board game played on a 4× 8 grid, or half of the xiangqi (Chinese Chess) board. This application is using Taiwan rule,
    ReTux, a commercial platformer using the graphics of SuperTux,
    pySioGame, a set of simple, educational, grid-based activities for 3 - 10 years old kids build with Python & Pygame,
    Orbit Duel 0.1, by ChrAle (abbreviated in "Orbit 2l" because the number 2 in Italian is pronounced "due") is a game that simulates the orbitation of two satellites around a planet. The two players can modify trajectories trying to don't fall on the planet surface, or getting lost in space, Atari 2600 Combat 1.0,
    Shift Puzzle, 2d shift puzzle. About 130 lines. Simple example of a 2d game with mouse control using pygame,
    Tank Fission A 1 on 1 top down tank game, with multiple weapons, barricades, trees, playing maps, and computer-controlled turret,
    PB-Ball, Python Basketball Game,
    gsdl2 - Gumm´s SDL2, a purely Pythonic pygame-like that targets pypy and SDL2,
    Ages of the island, this is "Ages of the island", a real time strategy game based on the classical board game "Die Siedler von Catan" for many players connected online,
    Solitaire 1.0, Solitaire clone written with Pygame (very simple),
    Ultimate Tic-Tac-Toe, Tic-Tac-Toe, but with an intense twist! This game packs almost as much strategy as chess, with much more simplicity,
    Simple Chess, just a simple chess game. No AI so it must be played two player. Comes with source code,
    BASIC-RoBots, BASIC-RoBots is a real-time strategy game about programming robots to colonize a planet,
    Extinguished, a real-time strategy game, where you control firemen to rescue people from burning buildings. Battle against time and a raging fire to carry unconscious people from a burning building. Use your firemen to rescue or to hold back the fire at strategic points. Beware of dangerous chemicals which will explode and spread the fire, blocking your exit,
    Space Domination, Space Domination will be a cross-platform top-down scrolling spaceship shooter/adventure game,
    HedgeZOO, plant apple trees, build huts for hedgehogs, remove unfresh apples and sell the largest hedgehogs,
    Void Infinity, a real-time strategy game with online multiplayer,
    battle-rage: battle-rage: is a fighting game in 2D, where the battle rages on and the fighters encounter each other in terrible duels fights ! dependencies: sdl2, sdl2_image, sdl2_mixer, sdl2_ttf.


    Linux Games Top 100, http://hot-100.ru/page/2, http://hot-100.ru/page/3 and so on: 0 A.D., FreeOrion, OilRush, The Open Racing Car Simulator, Warsow, Savage 2, Second Life, Spring, TGatB, OpenXcom, Castle Vox, vulture, spiral knights, dredmor, gish, dwarf fortress, greedy car thieves, freespace2, starry, projectx, share the pain, sauerbraten (FPS), BOH, Aquaria, AC-130, Planescape: Torment, Quake4 1.4.2 + Q4Max 0.78d, Sacred, LambdaRogue, Dominions 3: The Awakening, The Dark Mod, Transcendence, Zero Ballistics, Conquest: Divide and Conquer, Cortex Command, Wolvenstein3D, TetriCrisis 3 100% C.P.U., Epiar, Endgame: Singularity, PipeWalker, Coldest, Hexen: Edge of Chaos, Catan Online World, GNU Robbo, Butterfly Effect, AC-130, Planescape: Torment, Dying Light Released, ALoneStory++, Fandango Mastered Release, Crimsonland, Dungeon Crawl Stone Soup 0.11, Wizorb, Wing Commander Saga: Prologue - port on Open Freespace2, 0 A.D. Bellerophon, Helena the 3rd, Heroes of Newerth, Catan Online World, UFO: Alien Invasion, Age of Conquest III, Excalibur: Morgana´s Revenge v3.0, Battle Tanks, Warzone2100, Amnesia: The Dark Descent released, ...

    Game: Transport Fever - Traffic Simulation for Linux, 09.11.2016
    With Transport Fever you become a tycoon for railroads. Up from year 1850 your are building up your railroad-empire.

    Software: Games
    Steam: More than 2000 games for Linux announced, pro-linux.de, 01.03.2016
    Since the release of Steam for Linux two years ago the amount of titles for Linux has permanently increased. Meanwhile the platfrom lists over 2000 titles either released for the free operating system or that will be released in future. The amount of actual released titles is more than 1900.
    Weak by weak more and more Linux games are offered. Game platform steams statues one example. Once there have been 60 games released, now there are 1900. Still there is an amount of unreleased Games for Linux, so that more than 2000 titles are counted, http://www.pro-linux.de/news/1/23303/steam-ueber-2000-spiele-fuer-linux-angekuendigt.html

    The best nonfree Linux-Games from desura http://www.desura.com/ , indiegamestand https://indiegamestand.com/, Gog.com https://www.gog.com/news/gogcom_now_supports_linux: Sky Rogue, Escape Goat, Guns of Icarus Online, Megabyte Punch, Epistory, Blueprint Tycoon, Finding Teddy 2, Evo Explores, Rochard, Bastion, Cave Story+, World of Goo, ARK Survival Evolved, Factorio, Enter the Gungeon, Tabletop Simulatior, Couter-Strike: Global Offensive, Firewatch, XCOM 2, American Truck Simulator, Creatures Internet Edition, Hyperspace Delivery Boy, EVE Online, Tribes 2, Warcraft II, Battlefield 2142, Transport Tycoon, Tribal Trouble 2, The Dark Mod, ...

    24.167 (actual date: 31.01.2015) popular and absolut TOP-games for Windows and Linux on the base of special game-engines like almost Unity, followed by Steam and so on, usage at your own risk: http://www.indiedb.com/games/top, for example:
    Planet Nomads, Craneballs, Shinobi Life Online, Gang Beasts, CHKN, Creator Powers, TerraTech, StarWars Battlecry, Garbage Day, Velocibox, Besiege, Planet Pokemon, Vanish, Robocraft, Hunie Pop (HuniePop is a unique sim experience for PC, Mac and Linux. It's a gameplay first approach that's part dating sim, part puzzle game, with light RPG elements, a visual novel style of presentation, an abrasive western writing style and plenty of "plot". After a pathetic attempt to try and pick up Kyu, a magic love fairy in disguise, she decides to take you under her wing and help you out with your crippling inability to meet new women. After a few dating lessons and some sound advice, Kyu sends you out into the world ready to take on the dating world and a wide cast of beautiful babes.), Overgrowth ( Hey everyone! I"m Steve, the new character concept artist for Overgrowth. In this post I will share some of the designs I"ve been working on. All images in this post can be clicked to bring up a wider view and higher resolution version of the image. It´s been a bit of a challenge to get used to drawing anthropomorphic animal characters as I have very little experience with animal anatomy. Here is my first attempt at designing the Overgrowth races, completed during the application process to supplement my portfolio), crawl, slime-rancher (Slime Rancher is the tale of Beatrix LeBeau, a plucky, young rancher, who sets out for a life a thousand light years away from Earth on the Far, Far Range where she tries her hand at making a living wrangling slimes. With a can-do attitude, plenty of grit, and her trusty vacpack, Beatrix attempts to stake a claim, amass a fortune and avoid the continual peril, that looms from the rolling, jiggling avalanche of slimes around every co), ...

    "Dead Island: Definitive Edition" for Linux released, pro-linux.de, 06.07.2016
    http://www.pro-linux.de/news/1/23624/dead-island-definitive-edition-für-linux-freigegeben.html .

    Steam: More than 2500 Li­nu­x-games, pro-linux.de, 09.30.2016

    Strategy game "Hearts of Iron IV" for Linux released, pro-linux.de, 06.07.2016

    Total War Collection for Linux released
    Medieval II: Total War Collection is released for Linux and Mac OS X this week, PCWelt.de, 01.13.2016

    GRID car sport for Linux and Mac OS X available
    Feral Interactive (XCOM: enemy unknown, middle earth: mordor´s shadow, alien: isolation) has released 2015 GRID Autosport for Linux, http://www.pcwelt.de/prolinux/GRID-Autosport-fuer-Linux-und-Mac-OS-X-verfuegbar-9895039.html

    At this place, for top gamer, we of course also advise to game-consoles like XBox and Playstation. As our onboard IGP graphic- and sound chip, both from INTEL, seem to master introduced games much to well, we proceed with games direct referring to mdv2010:

    mdv2010 (maintained by rosa 2014 - rosa2016 - pclos - fc - ...) - Games - arcade/Action: 2048 (2048-cli, for terminal), moon-buggy (arkade game for the konsole resp terminal: drive and jump a kind of car across the moon), circuslinux (cirucs acrbotics), childsplay, kapman and njam (kind of pacman), frogatto (frogger environment game), superburgerwld (Super Burger World is a jump and run game based on SuperTux, except with one big difference, You play as a burger trying to rid the world of an evil fruit company), supertux (50 MB), openlierox (aroand 50MB), Urbanterror (1GB-game), drascula (the vampire strikes back), vegastrike (500 MB, depending on the graphic-card), eternallands (MPPRG game), 0ad-r10803 (Cross-Platform RTS Game of Ancient Warfare), noiz2sa (arkade space shooter), ux_afqh (Tux on his way by feed), holotz-castle, hexen2, hexenworld and hhexen, fheroes2 (Might and Magic II), Freedroidrpg (130 MB), armagetron (like tron), ktron, gltron, slune (3D-Tux-car race for the good purpose), xtux (multiplayer arcade game featuring open-source mascots), liquidwar, liquidwar6, freefem3d (FreeFEM3D is a 3D version of freeFEM), blobwars(episode 1: Metal Blob Solid), xsw (XShipWars), glaxium (3D space shooter), unknown-horizons (ca. 200MB; A popular economy and city building 2D RTS game), starfighter and starvoyager and luola (space shooter), Chromium (rocket-shooter), Vegastrike (ca. 200 MB-Game; not on our DVD!), heroes, sdl-ball, kbreakout, highmoon, briquolo (3D) and lbreakout2, secondlife, aisleriot, bubbrothers, critical mass, Rocksndiamonds, defendguin, solarwolf, Powermanga (3D shootup), madbomber, bugsquish, burgerspace, worminator, wargus (Warcraft II, around 200 MB), XBill(G.), koules, killbots, jumpnbump, teeworlds (online multi-player platform 2D shooter), cdvst (arcade space shooter), bsd-games wie adventure, arithmetic, atc, battlestar, bcd, caesar, canfield, cfscores, cribbage, go-fish, gomoku, hunt, mille, mpoly, morse, number, phantasia, pig, pom, ppt, primes, quiz, rain, random, robots, rot13, sail, snake, snscore, teachgammon, bsd-fbg, trek, etoys, worm, worms and wump, copter-commander (2D helicopter game), qtads (GUI multimedia interpreter for TADS games), halfd (a Linux Half-Life server management tool, consisting of a daemon process and GUI clients. It is designed to work with all mods (TFC etc.)), koules, scourge (100MB game), planeshift, quake2, superburgerwld (around 50MB), teeworlds, OilWar, , xtux, xblast, airstrike (space shooter), alienblaster, amphetamine, anglewars, alienpool, ars-libertatis (roleplay-adventure game), asteroids3D, barrage, atanks, bobobot, briquolo, ioquake3, d2x and d2x-rebirth, eduke32, yadex, childsplay, kiki (nanobot), abe (scrolling, platform-jumping, key-collecting, ancient pyramid exploring game, vaguely in the style of similar games for the Commodore+4), barrage (rather violent action game with the objective to kill and destroy as many targets as possible within three minutes), corsixth (Open source clone of Theme Hospital), mazeofgalious (flick screen platform game), irrlamb, dcctnitghtmare (60 MB, 3D single player RPG in a satirical post apocaplyptical world), minetest (200MB, Minecraft inspired game), astromenace (100 MB hardcore 3D space shooter), skobo (sdl-port of xkobo), naev (744 MB space trading and combat), tmw -(2D mmorpg game the mana world), secondlife, xqf (network game browser), dunelegacy, gargoyle-free (graphic player for interactive fiction games), openclonk (rosa2014.1, free multiplayer action game about mining, settling and fast-paced melees), ...

    mdv2010 (maintained by rosa2014 - rosa 2016 -. ...) - Games - Jump´nRun: mari0 (pclos), marioland and megamario (Jump´nRun) and smc (Secret Maryo Chronicles, 81 MB), balazar (3D-adventure and roles), fillets-ng (200 MB, fishfillet-ng skill game), balazarbrothers (3D Puzzle), digger, eduke (Duke Nukem 3D), bumprace, Trackballs, Toppler (Kletterspiel nebulous), sdlscav, supertux (Jump and Run), trackball, freedroid, plee-the-bear (Plee The Bear 2D platform game), Mirror Magic, enigma, bubbros (Bub and Brothers game), ...

    mdv2010 - rosa2014 - rosa2016 - Games - Adventure: slune, drascula, dreamweb (el6), ardonthell, ... .

    mdv2010-games (quit all games can be updated by rosa2016.1 and rosa2014.1), all free from advertisement: 3D-SDL- und openGL-Alien-Person-Shooter (FPS): Counter-Strike (source), nexuiz-sdl and nexuiz-glx (ca. 1,2 GB), xonotic (1,3 GB FPS, successor of nexuiz), assaultcube (around 40 MB only, similar to counter strike; mkdir ~/assaultcube_v1.0/config, configuration file: ~/assaultcube_v1.0/config/init.cfg), urbanterror (ca. 1 GB), alienarena (1,2 GB), Openarena (Quake III, ca. 500 MB), Tremulous (ca. 200 MB), Alephone (benötigt marathon), marathon, marathon-infinity, marathon2, reaction, darkplaces (benötigt Quake I), marsshooter (1GB, ridiculous shooter), World of Padman (WOP), FPS and Top-Game-Game and Engine sauerbraten (427 MB), doom, prboom, prboomplus, vavoom (open source port of the DOOM game engine), warsow (ca. 1 GB), orbital_eunuch_sniper, yamagi-quake2, Quake II, Quake I, unvanquished, freedoom (dome game), smokingguns, openspades, Red Eclipse, Teeworlds, d2x (Descent2), Red Eclipse, Unreal Tournament, Half-Life2, Half-Life, Wolvenstein (Enemy Territory), The Binding of Isaac: Rebirth, True Combat: Elite, stargunner, Team Fortress, cube2 (sauerbraten), descent3, barbarium (not mdv), abuse, shambles (not mdv), discovery (not mdv), mighty (not mdv), startrade (not mdv), savage2 (not mdv), Infinium Strike (not mdv), quakespasm (not mdv), America´s Army (not mdv), Hexen2 - Hammer Of Thyrion, QuakeForge, ZDoom (not mdv), DelphiDoom (not mdv), ChaosEsqueAnthology (not mdv), Wolfenstein 3D html5 (not mdv), Ogrian Carpet (not mdv), quake2xp (not mdv), SpaceMax Shoot them up (not mdv), ...

    .. and, if someone is still missing it: The shooter Insurgency was released 2015 by the developers also for Linux. Owner of a Windows- or Mac OS X-version can dowload this game for free for the free operating system., PCWelt, 30.10.2015, http://www.pcwelt.de/prolinux/Taktik-Shooter-Insurgency-fuer-Linux-freigegeben-Daddeln-9839541.html

    Steam: More thans 2500 Li­nu­x-games, pro-linux.de, 09.30.2016

    "Humble Daedalic Bundle 2018" with plenty of Linux-tiles, PRO LINUX, 06.11.2018

    "Humble tinyBuild" with plenty of Linux-games, pro-linux.de, 05.13.2017

    Surviving Mars für Linux, pro-linux.de, 05.15.2017


    mdv2010-Games - board: kigo and gnugo (japanese Go), eboard, knights, phalanx, xboard, cboard, crafty, glchess, nuclearchess, brutalchess, dreamchess, gnuchess (chess), sirius (Otello chess game), csboard, glchess (3D-Schach), tengen and gamazons (Mix aus Schach and Go), muehle2D_bin122 (zip-Archive from Sourceforge), gnubg and backgammon, samuel (Dame, draughts game), opengoo (Goo), monopd and kapitalist (client), capitalist (Monopoly), lagno and kreversi, kmahjongg, kbattleship, scrabble (word game), gtkatlantic and monopd (Monopoly), prisk, ksirk, xfrisk and frisk (Risiko), xmris, quarry (Othello, Amazons, ... ), pioneers (internet playable implementation of the Settlers of Catan board game), 4stAttack (connect four), biloba, kcheckers, tuxmathscrabble (scabble with nums), xye (Puzzle), ...

    mdv2010-Games - cards: lparis (memory game), xskat, freedoko (Doppelkopf, 5.0.2, 6.0 or actual version), (K)poker, poker-network, RA Pai Gaw Poker, poker-network, gtali and pokerth (Texas Poker), Blackjack, xpat2, elitaer and sol (Solitär), PySol, Freecell and Klondike, Kpatience and kpat (passience), KardsGT (collection of card games like MauMau, Asse hoch, Einfach Simon, Freecell, Golf, Großvater, Größvaters Uhr, Mod3, Spider, Vierzig and Acht, Yukon, Zigeuner, ), PokerTH, rapaigawpoker, aisleriot (70×solitar games)

    mdv2010-Games - sport: motogt, xmoto(cross), obstacle (course for automobiles), stoormbaancoureur (car-skill), FooBillard (3D billiard), blobby (volley arcade game), triplane-classic (side-scrolling dogfighting game), paintown and openmortal (Mortal Szombat, around 50MB), bloboats (boat racing), tuxkart, vdrift (500 MB Open Source car driving simulation), tuxracer, supertuxracer, Torcs and speed-dreams (Open Racing Car Simulators), extremetuxracer, wherever-racer, penguin-racer, trophy (2D-Autorennen), speeddreams (ca. 1 GB), Maniadrive, enemylines, Freetennis (3D-tennis), Canon Smash (3D-table-tennis), spacepong (pong like game), volley (3D beach-volleyball) and gav (volleyball), hattrick-organizer and Tuxfootball and bygfoot (football), Pinball (flipper), neverball and neverputt (golf), kolf (miniature golf), Tuxpuk, skijump, neverball and neverputt (Golf), stepmania with stepmania-stepmix1 (250 MB) and pydance (dance), supertuxkart (ca. 100MB), triggerrallye (around 300 MB), ultimatestunts (300 MB), stuntrally (700 MB, racing game with track editor based on vdrift and OGRE), roadfighter, stuntrally (around 100 MB), ...

    mdv2010-Games - other: bluedj-online-games (mix of card games, go, chess, ...), maitretrarot (game server),

    mdv2010-Games - strategy: uqm (Ur-Quan-Masters), stratagus (settler 2), simutrans (transport and logistic-empire), scorched3d (war game Scorched Earth 3D OpenGL Remake, 54 MB), d2x (popular 3D-game Descent), reeciv, globulation2, worminator (terminator), warzone2000 and freecol (innovative 3D realtime-strategy), glest (towers and castle game, 3D-openGL-strategy), wesnoth (Battle of Wesnoth), abe (pyramid adventure), openttd ( city simluator ), micropolis (city game), Opencity (city simulator), 7kaa (Seven Kingdoms: Ancient Adversaries is a real-time strategy game), Drogenkrieg, Lincity-NG (Stadt-Simulationsspiel), spring (Realtime strategy game inspiriert von totaler Vernichtung), simutrans (Simulation eines Transport- and Logistik-Unternehmens), hedgewars (heavyly armed figthing hedgehogs), FreeLords (similar to Warlords), cultivation, hheretic and sdl-hheretic Hacked Heretic (one more OpenGL-game), glightoff (Puzzle), monkey-bubble (similar to bust a move), bos (59 MB realtime strategy game), Pathological, bzflag, americasarmy, legends, xsoldier, ultimatestunts (remake of the DOS-racing game stunts), Wormux, Armagetron, biloba (board game), krosswordpuzzle and TooHot (Java) (cross word quizz), kshisen, blinken (inkrementierende Ton- and Farbfolgen nachklicken), frozen bubble, jools (graphisches Puzzlespiel), cebreaker (Puzzel), penguin-command, dopewars, dragonmemory, samuel (draughts program, guicheckers), amoebax (action puzzle), berusky (sokoban), biniax2 (color block logic game), brainparty (brain stretching game with 36 minigames), gbrainy, einstein (puzzle-remake), hex-a-hop (hexagonal puzzle), hexglass (puzzle based on hexagonal grid), invertapple, jag, krank (mouse manipulation game with nifty graphics), opengoo (Goo-clone), zaz (puzzle game), opeke (playing with virtual bricks), nethack-falconseye (3D adventure), dccnitghtmare, netpanzer, nil (54 MB), death illustrated (Ausbruch aus einer bizrarren 3D-Comicwelt), Maelstrom, pingus (Pinguine ins Ziel bringen, free Lemmings clone), egoboo, BlueDJ, ksudoku, bastet, ltris, kturtle, bastet and gnometris (Art Tetris), kudoku and gnomesudoku (Zahlenrätsel), hangman, ri-li (railroads), crossfire (client/server games), diggers (remastered), gnometris, t-crisis, cuyo and Ltris (Tetris), Marbles, Methane (methane brothers), ksquares (Käsekästchen), xlogical (ray-traced-graphik, Puzzle), geweled and kdiamond (three in one row), gnect and fourinonerow (four in one row), pente, grhino and bovo (five in one row), hexamine (minesweeper), katomic and atomix, mures, monster-masher, kjumpingcube, gnubik and kubrick (Rubiks Zauberwürfel), Openalchemist (naturalchimie, puzzle), general (Panzerschlacht), Kiriki (Kniffel), d2x (Descent 2 Version 1.2, the famous 3D game for PC), sunclock, vpioneers (Settlers of Catan), etswitch (ETSWITCH - A *nix ´minimizer´ for a few games), fizmo (A-Z-Machine interpreter supporting unicode, sound, blorbfile and more), gargoyle-free (graphical player for Interactive fiction games), playonlinux (play your Windows games on Linux), tuxtype, typespeed (type words that are flying by from left to right as fast as you can), million (russian quiz), glightoff (Puzzle), penttd (clone of the Microprose game "Transport Tycoon Deluxe"), uqm (The Ur-Quan Masters), BlockOut II, adonthell (2D RPG-game), kanagram, khangman, Travex, knetwalk, ktamaga (Tamagochi), kblackbox, kanagram, ktuberling (Kartoffelknülch), gnurobbo (Logik-Spiel), cummvm (platform for many adventure games), dokeos (e-learning 50MB), pioneers (Settles of Catan), caboodle, jools, monsterz, palapeli (puzzle), tuxmathscrabble, tuxmath, meandmyshadow (puzzle game), sdlvexed (puzzle), openalchemist, crimson-fields (tactical war game), cultivation (gardening community), dark-oberon, springlobby, stratagus, teg (risk), wesnoth, widelands (66 MB, Siedler II clon), asc (26 MB, ), jag (around 30 MB), affenspiel, ...

    ScummVM (rpm) based adventures (you just have to type scummvm into a terminal): Baphomets Fluch, Baphomets Fluch II, Beneath a Steel Sky Dreamweb, Flight of the Amazon Queen, KingsQuest I-IV, Space Quest, Hopkins FBI, Indiana Jones and the Fate of Atlantis, Leisure Suit Larry 1 - In the Land of the Lounge Lizards (classics from the 80th), Loom, Leather Goddess, Lure of the Temptress, Lutris, Maniac Mansion: Day of the Tentacle, Monkey Island 2: LeChuck´s Revenge, Monkey Island 3: The Curse of Monkey Island, Police Quest, Police Quest II: The Vengeance, Police Quest III: The Kindred, Police Quest: In Pursuit of the Death Angel, Sam and Max Hit the Road, Simon the Sorcerer I and II, The 7th Guest, The Dig, The Secret of Monkey Island, Vollgas (Full Throttle), the 7th guest, the Manhole, Maniac Manson, .. .

    Overkill (ASCII-art game), 2h4u, 3omns, adime (Allegro Dialogs Made Easy), ags (Adventure Game Studio), andy-super-great-park (2D platforrm game), angrydd (Angry, Drunken Dwarves: Rock-Dropping Fun), arcomage (Arcomage clone), asc (Advanced Strategic Command--Turn-Based Strategy Game), atlas (high quality maps for flightgear), AtomicWorm, atomiks (emake of, and a tribute to, Atomix), ballerburg (Two players, two castles, and a hill in between), ballz (puzzle), barbie_seahorse_adventures (You are a seahorse and you want to go to the moon!), BASS (Beneath a Steel Sky (Adventure Game), bitfighter (2D multi-player space combat game), black-box (puzzle), blobAndConquer (Blob Wars: Blob and Conquer - a 3rd person action game ), bluemoon (card solitaire), bomns (Best old-school Deathmatch game ever (only for two players), bomberclone, brikx, bs (battleship game for the terminal), boswars, bsd-games, caesaria (Caesaria III remake), caph (Sandbox game based on physics), ceferino (game similar to Super Pang), cervi (Multiplayer game), chapping (button football game), chickens (target chickens with rockets and shotguns), chroma (puzzle), colobot (A real-time strategy game with programmable bots), commandergenius (open clone of the Commander Keen engines), crawl (Roguelike dungeon exploration game), crrcsim (Model-Airplane Flight Simulation), CubaLetra (word game), cube-escape, cubetest, cubosphere (3d puzzle similar to Kula World), cutemaze (Maze game), Desurium (Desura open-source client), domination (risk), dragonmemory, dunedynasty (Dune I), dunelegacy (Dune II), dustrac (2D Racing), ember (client for Woldforge), emilia (pinball), enemy-territory (Wolfenstein: Enemy Territory), etlegacy (Wolfenstein), fall-of-imiryn (2D RPG), fgrun (frontened for FlightGear), FlappyBird (Flap your wings to fly), FOTAQ (Flight of the Amazon Queen, Adventure), freedink (Adventure and Roleplaying), freegish (logic game), freeorion (space empire and galactic conquest), freeserf (modern Settlers 1 reimplementation), galaxis, gnome-mastermind, gnubg (Backgammon), gnurobo, gnushogi (Japanese Version of Chess), gpclient (gamepark client), gplanarity (puzzle), gweled (Clone of Bejeweled, align 3 crystals in a row), hexglass (Tetris-like Puzzle Game), hextris, jag (arcade puzzle 3D game), jools (puzzle), kbang (card game Bang!), kcheckers (Boardgame), keeperrl (Dungeon management and roguelike), khunphan (Thai Puzzle Board Game in 3D with Wooden Blocks), kiki (nano bot), knightsgame (dungeon bashing game), kqlives (console-style roleplaying game), kye (logic puzzle), lacewing (asteroids), legesmotus (Leges Motus is a 2D networked, team-based shooter), levelhead (Spatial Memory Game) and more: http://rpm.pbone.net/index.php3/stat/11/limit/129/dl/40/vendor/5207/com/obs

    Bsd-games includes adventure, arithmetic, atc, backgammon, battlestar, bcd, caesar, canfield, cfscores, cribbage, go-fish, gomoku, hunt, mille, mpoly, morse, number, phantasia, pig, pom, ppt, primes, quiz, rain, random, robots, rot13, sail, snake, snscore, teachgammon, bsd-fbg, trek, worm, worms and wump.

    mdv2010-Games - playonlinux: wine-emulatable: Many, many more games are waiting to get installed, including 3D-opengl Windows games with good sound like BSE-Schlacht (with cows on meadows from www.onlinewahn.de) and Clusterball - The Future Sports Experience - from daydream (also networking) Software, community / http://www.clusterball.de, actually 79 MB, 32 bit color depth, incl. MS Windows-drivers needed: airfight-balloon-game: collect together with other jet-fighters in different scenarios like Egypt and so on as many balloons as you can in order to turn them into real points by catching them from the next one too, hindering next ones by taking them under attack and flying through a ring in front of a great audience..., configuration of amount of ai-player (recommended seven max.), time limit, controls and so on: file config.cfg, 20 different flight-scenarios like Egypt, Yucatan, Metropolis, Ruhrmansk, Helter Skelter, Teranaki, Pole Position, Lunar, China, Matterhorn and Green Garden, Yucatan, Metropolis, Ruhrmansk, Matterhorn, Helter Skelter, China, Teranaki, Antarctica, Lunar, Green Garden, Electronica, Age Of Empires, Wheels of Steel, 3D Train Studio, Ares, Alone in the Dark, Alien Breed, BMW M3 Challenge, Baldur´s Gate, Battlefield2, Bioshock, Best One Poker, Bulletstorm, CivNet, Diabolo, Discworld, Dragon Age, FIFA, FlatOUtII, Football Manager, Full Tilt Poker, Dark Fall, Lands of Lore, Moonbase Commander, Nexus, Simon the Soucerer, Space Quest, Theme Hospital, Tyrian 2000, Ultima, Wizardry 8, Half-Life, Last Chaos, Lemmings2, Lume, MS Pinball, Poker Stars, Poker Stove, Seals with Clubs, Sanctum, Monkey Island, The Sims, Warcraft II and III, Xenon2, Zoo Tycoon, rFactor12, ... .

    Die besten Linux-Spiele für Steam, Ubuntu, Holarse, Gog, Shell, PCWelt.de, 15.04.2016
    Ego-Shooter, Adventure, Logik-Puzzle, Simulation. Von Steam, Holarse, Ubuntu und Gog - wir stellen die besten Spiele für Linux vor. Viele sind kostenlos und müssen den Vergleich mit Windows-Spielen nicht scheuen. Plus: Coole Kommandozeilenspiele für die Linux-Shell, http://www.pcwelt.de/ratgeber/Action-Adventure-Logik-Die-besten-Linux-Spiele-464058.html .
    Good old games (GOG): Alte Spielklassiker unter Linux zocken

    playonlinux (el6, mdv2010, around 200 Top-Windows-Games)

    Steam engine: Counterstrike, Half Life 2, secondlife, Wasteland 2, Civilization V and The Witcher 2. System requirement: for the steam-client of Linux is a graphic-card with drivers from Nvidia, AMD or Intel.and more Win&Mac&Amiga&... depending on the "grad" of emulation

    PCWelt.de: Steam ist zwar die bekannteste Downloadplattform für Linuxspiele, doch es gibt durchaus noch einige weitere Internetquellen, von denen man Spiele für Linux beziehen kann. Zum Beispiel Desura (kostenlose und kostenpflichtige Spiele), indiegamestand https://indiegamestand.com/ oder das allseits bekannte Gog.com, https://www.gog.com/news/gogcom_now_supports_linux. Auf Gog (Good old games) kauft man die Spiele (derzeit stehen rund 50 Linux-Spiele zur Auswahl) und lädt sie anschließend herunter. Gut: Die Gog-Spiele sind frei von DRM und lassen sich auch offline spielen. Neue Spiele findet man allerdings keine auf Gog, stattdessen bringt Gog Spieleklassiker auf Linux zum Laufen. Das muss dem Spielspaß aber keinen Abbruch tun, denn mit Klassikern wie Duke Nukem, Train Fever, The Dig, Tie Fighter Special Edition sowie Indiana Jones und das Schicksal von Atlantis ist langer Spielspaß garantiert. Auf indiegamestand wiederum findet man sogar zwei Rankings für die Linuxspiele.

    Die besten kostenpflichtigen Linux-Spiele: Sky Rogue, Escape Goat, Guns of Icarus Online, Megabyte Punch, Epistory, Blueprint Tycoon, Finding Teddy 2, Evo Explores, Bastion, Rochard, World of Goo, ARK Survival Evolved, Factorio, Enter the Gungeon, Tabletop Simulatior, Couter-Strike: Global Offensive, Firewatch, XCOM 2, American Truck Simulator, Creatures Internet Edition, Hyperspace Delivery Boy, EVE Online, Tribes 2, Warcraft II, Battlefield 2142, Transport Tycoon, Tribal Trouble 2, The Dark Mod, ...

    Einschub: clusterball: schließt das Spiel nicht immer. Sollte der fullscreen-mode versagen: Öffne die Konfigurationsdatei. Wähle den Fenstermodus. Starte und wähle die aktuelle Bildschirmauflösung anstelle "auto".

    Warhammer 40000: Dawn of War II kommt für Linux
    Das Strategiespiel Warhammer 40000: Dawn of War II kommt für Linux. Mit den Erweiterungen Chaos Rising und ...

    WineHQ, https://appdb.winehq.org/votestats.php: Final Fantasy XI Online Final Fantasy XI, EVE Online Current, World of Warcraft, Magic: The Gathering Online 3.x, The Sims, StarCraft I, Guild Wars All Versions, StarCraft II, Fallout 3 1.7 and GOTY, Aion: The Tower of Eternity 4.7.1, Team Fortress 2 Steam, Adobe Photoshop CS3 (10.0), Planetside 2 Release 97, Watchtower Library 2014, Guild Wars 2, Left 4 Dead Full (Steam), RF Online Episode 2, The Witcher 1.0, Deus Ex: Human Revolution, Empires: Dawn of the Modern World, Final Fantasy XIV Heavensward (Official Client), Counter-Strike: Source Retail / Steam, Warcraft III The Frozen Throne: 1.x, ... Command & Conquer 3: Tiberium Wars 1.x, PunkBuster, Supreme Commander SC 1.x.3xxx, The Elder Scrolls IV: Oblivion 1.2.x, Allods Online 1.x, Bioshock, Call of Duty 4: Modern Warfare 1.7, Sid Meier´s Civilization IV Complete, Gothic 3 1.x, Star Wars: The Old Republic 1.5-2.0 - Free to Play, Half-Life 2 Retail (32-bit), Battlefield 2 1.x, City of Heroes All Versions, Runes of Magic Official release, Homeworld 2 1.x, Day of Defeat: Source Steam, Lord of the Rings, Helm´s Deep, Planescape: Torment 2/4 CDs version (1.x), Garena Garena Messenger (Beta), GameGuard Bundled, The Elder Scrolls V: Skyrim All Versions, System Shock 2 2.3, Spore 1.x, Dragon Age: Origins 1.x, Silkroad Online 1.x, S.T.A.L.K.E.R.: Shadow of Chernobyl Retail, Space Empires V 1.77, Perfect World International, Diablo III 2.x.x (No RoS), X3: Reunion 2.0.0, High Velocity Paintball 1.2 28, Revit Architecture, Medieval 2: Total War Retail CD 1.x, The Elder Scrolls III: Morrowind 1.6.1820 (Bloodmoon), Mass Effect 1, Age of Empires II The Conquerors Expansion, Dragon Naturally Speaking 13, Company of Heroes 2, Assassin´s Creed 1.x, Armed Assault 1.x European, Galactic Civilizations II: Dread Lords 1.x, Age of Conan: Hyborian Adventures AoC client, EverQuest II Full Install Client, Command and Conquer: Red Alert 3 Retail 1.x, Worms Armageddon 1.0-, Reason 3.x, Portal 2 Steam, Age of Empires III 1.x, UnrealEd 3.0, Microsoft Word 2007, Voobly, Neverwinter Nights II 1.23.x, Unreal Tournament 3 Retail, Mythos Mythos-Europe Beta, Crysis Crysis 1.x , Battlefield Bad Company 2 Retail BFBC2, EverQuest EverQuest (Live), Xfire 1.10x, Rome: Total War 1.x, League of Legends 0.* beta, Lingvo x5 English, Orbiter 060929, Garry´'s Mod, Half-Life, Counter-Strike: 1.6 16, Diablo 1.0x, Rift Live, Sins of a Solar Empire 1.x, Fallout 4 Steam, The Longest Journey Build 161, IL-2 Sturmovik Series IL-2 Sturmovik 1946, Star Wars: Jedi Knight - Jedi Academy 1.01, SimCity 4 Deluxe, Empire Earth 1.0-2.0, Battlefield 2142 1.5, Baldur´s Gate II Throne of Bhaal, PokerStars Latest 14, Live For Speed S2, Left 4 Dead 2 Left 4 Dead 2 Full (Steam), Mount&Blade Warband,.TomTom HOME 2.x, Mafia II: Full game 13, Requiem Online 12, .Spore Creature Creator Trial Edition 13, Airline Tycoon Evolution 1.02, Fallout: New Vegas 1.x, Soulbringer 1.x, Vanguard: Saga of Heroes Release, TERA Online NA Retail, Warcraft III, Call of Duty 2 1.00 13, Anarchy Online Internet Play, Drakensang: Das Schwarze Auge 1.0, Walfadia Populous Online Lobby Walfadia Populous Online Lobby, Street Fighter 4 1.0, Microsoft Flight Simulator X, Company of Heroes 1.71, Age of Mythology Steam, Hearthstone: Heroes of Warcraft All Versions 12, Football Manager 2013, Entropia Universe 11.x, Empire: Total War 1.0, Phantasy Star Online: Blue Burst 1.24.15 (Schthack), Defense Grid: The Awakening Steam, .BYOND 5.x, Freelancer 1.x, Thief: Deadly Shadows 1.1 (CD), The Secret World Release, Age of Wonders III Steam, Halo: Combat Evolved 1.0.10, Need for Speed Most Wanted All Versions, Grand Theft Auto: San Andreas 1.x, Anno 1404 1.00, DotA 2 Early Access - Steam 11, ElsterFormular 17.x, Hearts of Iron III 1.x, The Witcher 1.4, Path of Exile Release, Sacred 2.02.5 --> 2.28 11, League of Legends 5.x, Hellgate: London SP 0-0.6 / MP 0-1.1b, Warhammer 40,000: Dawn of War II 1.1, The Saga of Ryzom FV 1.9.1, Thief II: The Metal Age 1.x, Black & White 1.100, Fable: The Lost Chapters 1.0, Borderlands 2 1.0, Evil Genius Steam / Retail 10, ..., ...

    Software: Spiele
    Steam: Über 2000 Spiele für Linux angekündigt, pro-linux.de, 01.03.2016
    Seit der Veröffentlichung von Steam für Linux vor zwei Jahren ist die Zahl der Titel für Linux stetig gewachsen. Mittlerweile listet die Plattform über 2000 Titel, die für das freie Betriebssystem entweder erschienen sind oder erscheinen werden. Die Zahl der veröffentlichten Titel liegt bei über 1900.
    Woche um Woche wird das Angebot an Linux-Spielen größer. Zu sehen ist das unter anderem auf der Spiele-Plattform Steam. Hatte der Anbieter noch im Spätsommer des vergangenen Jahres das Erreichen von 1500 Spielen verkünden können, so ist die Zahl der Titel weiter gewachsen. Aus den anfänglich 60 Spielen bei der Freigabe von Steam sind mittlerweile 1900 geworden. Rechnet man zu den Spielen auch die bereits für Linux angekündigten, aber noch nicht freigegebenen Spiele, so liegt die Zahl der Titel bei über 2000, http://www.pro-linux.de/news/1/23303/steam-ueber-2000-spiele-fuer-linux-angekuendigt.html

    Linux-TOP-Games auf Basis spezieller Game-Engines: 24.167 (Stand 31.01.2015) populäre absolute Top-Spiele auf der Basis der Engine Unity gefolgt von Steam, Sauerbraten u.a. für Windows und Linux, Nutzung auf eigene Gefahr: http://www.indiedb.com/games/top, z.B.:
    Planet Nomads, Craneballs, Shinobi Life Online, Gang Beasts, CHKN, Creator Powers, TerraTech, StarWars Battlecry, Garbage Day, Velocibox, Besiege, Planet Pokemon, Vanish, Robocraft, Hunie Pop (HuniePop is a unique sim experience for PC, Mac and Linux. It's a gameplay first approach that's part dating sim, part puzzle game, with light RPG elements, a visual novel style of presentation, an abrasive western writing style and plenty of "plot". After a pathetic attempt to try and pick up Kyu, a magic love fairy in disguise, she decides to take you under her wing and help you out with your crippling inability to meet new women. After a few dating lessons and some sound advice, Kyu sends you out into the world ready to take on the dating world and a wide cast of beautiful babes.), Overgrowth ( Hey everyone! I"m Steve, the new character concept artist for Overgrowth. In this post I will share some of the designs I"ve been working on. All images in this post can be clicked to bring up a wider view and higher resolution version of the image. It´s been a bit of a challenge to get used to drawing anthropomorphic animal characters as I have very little experience with animal anatomy. Here is my first attempt at designing the Overgrowth races, completed during the application process to supplement my portfolio), crawl, slime-rancher (Slime Rancher is the tale of Beatrix LeBeau, a plucky, young rancher, who sets out for a life a thousand light years away from Earth on the Far, Far Range where she tries her hand at making a living wrangling slimes. With a can-do attitude, plenty of grit and her trusty vacpack, Beatrix attempts to stake a claim, amass a fortune and avoid the continual peril, that looms from the rolling, jiggling avalanche of slimes around every co), ...

    Steam: Counterstrike, Half Life 2, Wasteland 2, Civilization V und The Witcher 2. You need a graphic card from Nvidia, AMD or Intel.

    Total War Collection for Linux vorgestellt, PCWelt.de, 13.01.2016
    Medieval II: Total War Collection wird in dieser Woche für Linux und Mac OS X veröffentlicht.

    GRID Autosport für Linux and Mac OS X available
    Feral Interactive (XCOM: Enemy Unknown, Mittelerde: Mordors Schatten, Alien: Isolation), http://www.pcwelt.de/prolinux/GRID-Autosport-fuer-Linux-und-Mac-OS-X-verfuegbar-9895039.html

    "Dead Island: Definitiv Edition" for Linux released, pro-linux.de, 07.06.2016
    http://www.pro-linux.de/news/1/23624/dead-island-definitive-edition-für-linux-freigegeben.html .

    Strategy game "Hearts of Iron IV", pro-linux.de, 07.06.2016

    Für absolute Gamer bieten sich natürlich auch Spielekonsolen wie XBox und Playstation an. Doch weiter mit mdv2010, zumal u.a. unsere onboard IGP Graphik wie der Soundchip von INTEL überall ganz ausgezeichnet mitspielen:

    WineHQ, https://appdb.winehq.org/votestats.php: Final Fantasy XI Online Final Fantasy XI, EVE Online Current, World of Warcraft, Magic: The Gathering Online 3.x, The Sims, StarCraft I, Guild Wars All Versions, StarCraft II, Fallout 3 1.7 and GOTY, Aion: The Tower of Eternity 4.7.1, Team Fortress 2 Steam, Adobe Photoshop CS3 (10.0), Planetside 2 Release 97, Watchtower Library 2014, Guild Wars 2, Left 4 Dead Full (Steam), RF Online Episode 2, The Witcher 1.0, Deus Ex: Human Revolution, Empires: Dawn of the Modern World, Final Fantasy XIV Heavensward (Official Client), Counter-Strike: Source Retail / Steam, Warcraft III The Frozen Throne: 1.x, ... Command & Conquer 3: Tiberium Wars 1.x, PunkBuster, Supreme Commander SC 1.x.3xxx, The Elder Scrolls IV: Oblivion 1.2.x, Allods Online 1.x, Bioshock, Call of Duty 4: Modern Warfare 1.7, Sid Meier´s Civilization IV Complete, Gothic 3 1.x, Star Wars: The Old Republic 1.5-2.0 - Free to Play, Half-Life 2 Retail (32-bit), Battlefield 2 1.x, City of Heroes All Versions, Runes of Magic Official release, Homeworld 2 1.x, Day of Defeat: Source Steam, Lord of the Rings, Helm´s Deep, Planescape: Torment 2/4 CDs version (1.x), Garena Garena Messenger (Beta), GameGuard Bundled, The Elder Scrolls V: Skyrim All Versions, System Shock 2 2.3, Spore 1.x, Dragon Age: Origins 1.x, Silkroad Online 1.x, S.T.A.L.K.E.R.: Shadow of Chernobyl Retail, Space Empires V 1.77, Perfect World International, Diablo III 2.x.x (No RoS), X3: Reunion 2.0.0, High Velocity Paintball 1.2 28, Revit Architecture, Medieval 2: Total War Retail CD 1.x, The Elder Scrolls III: Morrowind 1.6.1820 (Bloodmoon), Mass Effect 1, Age of Empires II The Conquerors Expansion, Dragon Naturally Speaking 13, Company of Heroes 2, Assassin´s Creed 1.x, Armed Assault 1.x European, Galactic Civilizations II: Dread Lords 1.x, Age of Conan: Hyborian Adventures AoC client, EverQuest II Full Install Client, Command and Conquer: Red Alert 3 Retail 1.x, Worms Armageddon 1.0-, Reason 3.x, Portal 2 Steam, Age of Empires III 1.x, UnrealEd 3.0, Microsoft Word 2007, Voobly, Neverwinter Nights II 1.23.x, Unreal Tournament 3 Retail, Mythos Mythos-Europe Beta, Crysis Crysis 1.x , Battlefield Bad Company 2 Retail BFBC2, EverQuest EverQuest (Live), Xfire 1.10x, Rome: Total War 1.x, League of Legends 0.* beta, Lingvo x5 English, Orbiter 060929, Garry´'s Mod, Half-Life, Counter-Strike: 1.6 16, Diablo 1.0x, Rift Live, Sins of a Solar Empire 1.x, Fallout 4 Steam, The Longest Journey Build 161, IL-2 Sturmovik Series IL-2 Sturmovik 1946, Star Wars: Jedi Knight - Jedi Academy 1.01, SimCity 4 Deluxe, Empire Earth 1.0-2.0, Battlefield 2142 1.5, Baldur´s Gate II Throne of Bhaal, PokerStars Latest 14, Live For Speed S2, Left 4 Dead 2 Left 4 Dead 2 Full (Steam), Mount&Blade Warband,.TomTom HOME 2.x, Mafia II: Full game 13, Requiem Online 12, .Spore Creature Creator Trial Edition 13, Airline Tycoon Evolution 1.02, Fallout: New Vegas 1.x, Soulbringer 1.x, Vanguard: Saga of Heroes Release, TERA Online NA Retail, Warcraft III, Call of Duty 2 1.00 13, Anarchy Online Internet Play, Drakensang: Das Schwarze Auge 1.0, Walfadia Populous Online Lobby Walfadia Populous Online Lobby, Street Fighter 4 1.0, Microsoft Flight Simulator X, Company of Heroes 1.71, Age of Mythology Steam, Hearthstone: Heroes of Warcraft All Versions 12, Football Manager 2013, Entropia Universe 11.x, Empire: Total War 1.0, Phantasy Star Online: Blue Burst 1.24.15 (Schthack), Defense Grid: The Awakening Steam, .BYOND 5.x, Freelancer 1.x, Thief: Deadly Shadows 1.1 (CD), The Secret World Release, Age of Wonders III Steam, Halo: Combat Evolved 1.0.10, Need for Speed Most Wanted All Versions, Grand Theft Auto: San Andreas 1.x, Anno 1404 1.00, DotA 2 Early Access - Steam 11, ElsterFormular 17.x, Hearts of Iron III 1.x, The Witcher 1.4, Path of Exile Release, Sacred 2.02.5 --> 2.28 11, League of Legends 5.x, Hellgate: London SP 0-0.6 / MP 0-1.1b, Warhammer 40,000: Dawn of War II 1.1, The Saga of Ryzom FV 1.9.1, Thief II: The Metal Age 1.x, Black & White 1.100, Fable: The Lost Chapters 1.0, Borderlands 2 1.0, Evil Genius Steam / Retail 10, ..., ...

    https://appdb.winehq.org/objectManager.php?bIsQueue=false&bIsRejected=false&sClass=distribution&iId=1099&sAction=view&sTitle=View+Distribution: Heroes of Might and Magic II 1.0 (original) Giovanni Mariani Nov 12 2012 1.5.17 Yes Yes Platinum, BrainVoyager, UFO: Afterlight 1.xx, UFO: Afterlight 1.xx, Heroes of Might and Magic V Collectors Edition v1.60, FurMark 1.9.1, FurMark 1.8.2, Restaurant Empire 1.2.1, The Nations 2.00 gold (Build #34), Anno 1602: Creation of a New World 1.x , Restaurant Empire 1.2.1, Restaurant Empire 1.2.1, FurMark 1.9.1, Ghost Master 1.0, Autodesk Design Review 2009, Internet Explorer 9.0 for NT 6.0 (32-bit), Lionheart: Legacy of the Crusader 1.1, Diablo II Lord of Destruction 1.x, CircuitCam 5.2, SimCity 4 1.x, Rosetta Stone 3.3.x, Catia V5R19, -2 Sturmovik Series IL-2 Sturmovik 1946, Plants Vs. Zombies 1.x, The Sims 3 All, The Settlers III Quest of the Amazons, Sins of a Solar Empire 1.01, The Elder Scrolls IV: Oblivion 1.1.511, Disciples III, S.T.A.L.K.E.R.: Call Of Pripyat 1.0 Russian Release, Theatre of War 2 v1.3, SlingPlayer 2.0, Need for Speed II Demo, Tom Clancy´s Splinter Cell 1.3, Crazy Combi 3D Pre Release, Hellforces 1.0, The Operative: No One Lives Forever GOTY (1.004), Fallout 3 1.7 and GOTY, Silent Hunter 5 1.1, Cities XL 1.0.3.x, ...

    Console-Games (mdv): kpacman (* i386 only), moon-buggy, glightoff, kbilliards (fc22), ...

    ... and if you ever ask mdv for a flight-simulator full of action: gl-117 beneath flightgear or perhaps YS Flight Simulation System 2000 with more than 30 types of airoplanes for civial and military use? Or what about searchandrescue (helicopter simulation)?

    Game-provider Steam, packet steam (mga3/rpm): Steam offers games for Linux too: Counterstrike, Half Life 2, Wasteland 2, Civilization V and The Witcher 2. System requirement: for the steam-client of Linux is a graphic-card with drivers from Nvidia, AMD or Intel.

    Emacs-Games (PCWorld, 04.10.2015): Emacs is an editor containing lisp and some games like "tetris", "pong", "bubbles" and "snake". To start them, press "ESC", then "X" and enter the name of the game. Such emacs-extensions can be find in "/usr/share/emacs/[Version]/lisp/play"

    These games can be played either with your computer only or against more players online. There are not only such many games for free, but also games free or to pay like actual listed ones from http://holarse.de/ and https://www.gamingonlinux.com/sales/. If anything is prepared well with emulator qemu or wine (wine32 or wine64), you can emulate a lot of Windows games too, same for games coming from Amiga, Atari, Commodore, Cedega and so on. More games for Linux see our linkside!

    GRID car racing sport for Linux and Mac OS X available, PCWelt, 12.13.2015
    Feral Interactive (XCOM: Enemy Unknown, middle earth: Mordor´s shadow, alien: isolation) has published 2015 GRID car racing sport for Linux, http://www.pcwelt.de/prolinux/GRID-Autosport-fuer-Linux-und-Mac-OS-X-verfuegbar-9895039.html, this game is not for free: 39,99 €

    Browser-Flash-Games just require a browser with flashplugin:
    Tanki Online, Haunted House, Cat Mario Online, Black Petes Lemmings, The Fancy Pants Adventure World 2, Cubez, Funny Quest, FWG Pinball, Gold Panic, Manifold, Mon Sodoku, Orbox B, ...

    type writing: sl (steam engine lockomotive (train) on the konsole resp. terminal ), lavaro (touch typing editor), tuxtype, tuxtype2, dvorak-7min (typing editor), ...

    secure file deletion: srm, wipe, shred, ...

    files copying: cp, ultracopier, ...

    Open Vulnerability Assessment (OpenVAS) Scanner: openvas (el6), ...

    Forensics (el6): AdobeMalwareClassifier (el6), afflib (advanced forensic format), afftools (el6), analysis-pipeline (el6), artifacts (el6), binplist (el6), bloom (el6), bulk_extractor (el6), bokken (el6), CERT-Forensic-Tools (el6), dc3dd (el6, ähnlich dcfldd), distorm3 (el6, binary stream disassembling library), disktype (el6), epub (extracts thumbs and metadata from thumbs.db), fiwalk (el6, finds and extracts files from a given type), fcrackzip (el6), fred (el6, Windows Registry Editor), galleta (el6, reads out cookies), grokevt (el6, reads and processes Windows-Event-files), guymager (el6, imager for forensic media acquisition), ipa (el6, IPA (IP Association) is a library for maintaining associations between IP addresses and any number of labels which categorize those addresses), jafat (el6, assortment of tools to assist in the forensic investigation of computer systems), libvshadow_tools (el6), log2timeline (el6, md5deep (el6, compute MD5, SHA-1, or SHA-256 message digests on files), mdbtools (suite of libraries and programs to access Microsoft Access Databases), rpmreaper (el6), ... (siehe Cert Forensik Tools wie beispielsweise von pkgs.org), memdump (memory dump), ncat, nDeep (el6, deep packet inspection), netsa-rayon (el6, visualization toolkit), nmap (el6, security and port scanner), nping (el6), partclone (el6), pavuk (el6, www or ftp site mirror tool), prism (el6, visualizes flow data as a time-series broken down into several configurable bins), protobuf (el6, Protocol Buffers - Google´s data interchange format), pstotext (el6), python-registry (el6, Python´s access to the Windows Registry), radare (el6), reglookup (el6, Windows NT registry reader/lookup tool), rifiuti (el6, examines the contents of INFO2 in the Windows Recycle bin), silk-analyzes (el6), sleuthkit (el6), sleuthkit-libs (el6), snarf (el6, Structured Network Alert Reporting Framework), snort (el6, open source Network Intrusion Detection System (NIDS)), stegdetect (el6, detects and extracts steganography messages inside JPEG), super_mediator (el6), tcpflow (el6, network traffic recorder), videosnarf (el6, output detected media sessions), vinetto (el6, extract thumbnails out of Thumbs.db), xplico (el6, Internet traffic decoder and network forensic analysis tool), yaf (el6, Yet Another Flow sensor)

    Data-recovery: dd, dcfldd (from el6; works like dd, but with progressbar and more options), fsck, extundelete (file recovery), rlinux (reiserfs, ext3 and ext4, file-recovery) and testdisk (tools to check and undelete partition or recover deleted files), qphotorec (el6), mondo (GPL disaster recovery solution to create backup media (CD, DVD, tape, network images) that can be used to redeploy the damaged system, as well as deploy similar or less similar systems. A program to create a rescue/restore CD/tape), ddrescue and dd_rhelp (Data recovery tool trying hard to rescue data in case of read errors - data recovery tool CD/tape), bacula, afbackup, rsync, grsync, rdiff, safecopy (replacement for dd in the case of I/O-errors), ...

    postifx, secure mail transfer: sendmail and exim

    SQL-Database-Firewall: greensql-fw

    psad (port scan detection), lidstools, kernel securing functions: port-scan-detector, Mandatory Access Controls (MAC), File Protection (even against root) and protection for processes

    IDS (intrusion detection systems). aide, suricata, nads, watchdog, prelude-manager, ossec-hids, samhain, ...

    "Lynis is a security and system auditing tool. It scans a system on the most interesting parts useful for audits, like: - Security enhancements - Logging and auditing options - Banner identification - Software availability Lynis is released as a GPL licensed project and free for everyone to use. See http://www.rootkit.nl for a full description and documentation."

    OKHacked server - tips, what to do, wiki.hetzner.de
    Preliminary remark
    The only possiblity to clean a hacked server is renew the installation. In order to secure the server the right way, it should be found out, where the server got hacked.
    This should be done, even if the new installation makes a lot of efforts. No application and program can be trusted anymore. Each installed software migh get changed and exchanged by hacker.
    On the one hand, logfiles deliver plenty of information, how the hacker intruded (if offsiite-backups have been made), on the other hand, they can not be trusted or they do not exist anymore.
    Help by programs
    chrootkit: http://www.chkrootkit.org/download.htm
    rkhunter: http://rkhunter.sourceforge.net/
    tiger: http://www.nongnu.org/tiger/
    Unknown files
    Can any files be found out on the server, that have unknown origins?
    changetrack: http://changetrack.sourceforge.net/
    tripwire: http://www.tripwire.org/
    Secure up a server- howto
    Portscan detector (psad and/or iptables: psd) and Intrusion Detection Systems (IDS)

    Anonmity online: JAP (Jondo from TU Dresden by JAP.jar), Tor (also a rpm) with GUI vidalia (el6), PHP-Proxy from Abudullah Arif (upload the script to a proxyhoster), any proxy from a listing, fireproxy (firefox-extension), our SSL-encrypting proxy, ...

    Bastille(DVD 2, although already present by draksec and drakperm) is a system hardening / lockdown program which enhances the security of a Unix host. It configures daemons, system settings and firewalls to be more secure. It can shut off unneeded services and r-tools, like rcp and rlogin, and helps create "chroot jails" that help limit the vulnerability of common Internet services like Web services and DNS. This tool currently hardens Red Hat Enterprise Linux, Legacy, and Fedora Core, as well as Debian, SUSE, Gentoo, Mandrake Linux, Mac OS X, and HP-UX. If run in the preferred Interactive mode, it can teach you a good deal about Security while personalizing your system security state. If run in the quicker Automated mode, it can quickly tighten your machine, but not nearly as effectively (since user/sysadmin education is an important step!) Bastille can also assess the state of a system, which may serve as an aid to security administrators, auditors and system administrators who wish to investigate the state of their system´s hardening without making changes to such.

    Hand-Recogntion: zinnia (Online hand recognition system with machine learning), ...

    draksec and drakperm are parts of drakconf: checks for SUID- and SGID-files, write-checks upon files Dateien, checks of files like .rhosts and hosts.equiv, via inetd configured network services, tcp_wrappern, shadow passwords, access-rights, system-configuration, makesig.pl (creating signatures), ....

    more security-software: tor (popular anonymizing network, the onion router), vidalia (frontend of tor), xtraceroute, tcptraceroute, traceroute, flashrom, biosdisk (BIOS flash floppy images), draksec and drakperm, rkhunter, zeppoo and chkrootkit (including rpm sectools and python-selinux), checksec (check executables and kernel properties), memtest and valgrind (memory check), ciphertest, lads (login anomaly detection system), psad, clamtk and clamav-0.98.4-65, maldetect (rosa2014.1), tomoyo (kernel security-module providing Mandatory Access Control: Unlike AppArmor, TOMOYO Linux is intended to protect the whole system from attackers exploiting vulnerabilities in applications. TOMOYO Linux addresses this threat by recording the behaviour of all applications in the test environment and then forcing all applications to act within these recorded behaviours in the production environment. TOMOYO Linux is not for users wanting ready-made policy files supplied by others. It involves creating policy from scratch, aided by the "learning mode" which can automatically generate policy files with necessary and sufficient permissions for a specific system. TOMOYO Linux reports what is happening within the Linux system and can therefore be used as a system analysis tool. It resembles strace and reports what is being executed by each program and what files/networks are accessed ), arpwatch, tmpwatch, smartd, seccheck (scripts for periodical security-checks), noflushd and spindownd (daemons, that send idle disks to sleep against providing root-rights; for spindown endangering terminal-login-mode, prefer noflushd), partimage and diskimg, subversion (CVS - current versioning system), freeswan (IPSEC), openvpn, kvpn, patcher, snort, airsnort and aircrack (wireless LAN-tool which crack encryption keys), ethereal (Network traffic analyzer), dsniff, dsniff-webspy, hddtemp, procinfo, xsysinfo (kernel-parameter monitoring tool), smartd, knock (smashes large holes into firewalls for hacking dependent from the blocking-rate), shorewall and mandi (firewall from installation-DVD), digitemp (reads values from Semiconductor 1-wire devices. Its main use is for reading temperature sensors, but it also reads counters and understands the 1-wire hubs with devices on different branches of the network. DigiTemp now supports the following 1-wire temperature sensors: DS18S20 (and DS1820), DS18B20, DS1822, the DS2438 Smart Battery Monitor, DS2422 and DS2423 Counters, DS2409 MicroLAN Coupler (used in 1-wire hubs) and the AAG TAI-8540 humidity sensor), git, nut (UPS tool), Zeitgeist is a service which logs the users´s activities and events (files opened, websites visites, conversations hold with other people, etc.) and makes relevant information available to other applications. Note that this package only contains the daemon, which you can use together with several different user interfaces. ...; more security-software see step2!

    visitors (rpm): processes a web log file trying very hard to identify a single "person" as much as possible. This is typically achieved by use of either an identifying cookie in the log file; Or via the IP Address/Name & Browser ID combination.

    ssldump similar to tcpdump, dumpcap, tshark, wireshark and flowtools from DVD - this program is an SSLv3/TLS network protocol analyzer. It identifies TCP connections on the chosen network interface and attempts to interpret them as SSLv3/TLS traffic. When ssldump identifies SSLv3/TLS traffic, ssldump decodes the records and displays them in a textual form to stdout. And if provided with the appropriate keying material, ssldump will also decrypt the connections and display the application data traffic. This program is based on tcpdump, a network monitoring and data acquisition tool.

    Linux FreeS/WAN is an implementation of IPSEC & IKE for Linux. This package contains the user-space utilities needed to manage IPSEC. To use IPSEC, you will need to build support into the kernel as well. Please see the FreeS/WAN homepage at http://www.freeswan.org for details. IPSEC is Internet Protocol SECurity. It uses strong cryptography to provide both authentication and encryption services. Authentication ensures that packets are from the right sender and have not been altered in transit. Encryption prevents unauthorised reading of packet contents. These services allow you to build secure tunnels through untrusted networks. Everything passing through the untrusted net is encrypted by the IPSEC gateway machine and decrypted by the gateway at the other end. The result is Virtual Private Network or VPN. This is a network which is effectively private even though it includes machines at several different sites connected by the insecure Internet.

    Password-cracker: john (brute-force), fcrackzip (zip password cracker), Crack (password-cracker from el6), ...

    Packit is a network auditing tool like the network traffic recorder tcpflow. It´s value is derived from its ability to customize, inject, monitor, and manipulate IP traffic. By allowing you to define (spoof) all TCP, UDP, ICMP, IP, ARP, RARP and Ethernet header options, Packit can be useful in testing firewalls, intrusion detection systems, port scanning, simulating network traffic and general TCP/IP auditing. Packit is also an excellent tool for learning TCP/IP.

    zero-install: The Zero Install system removes the need to install software or libraries by running all programs from a network filesystem. The filesystem in question is the Internet as a whole, with an aggressive caching system to make it as fast as (or faster than) traditional systems such as Debian´s APT repository, and to allow for offline use. It doesn´t require any central authority to maintain it, and allows users to run software without needing a root password.

    remote access: rlogin, rsh and rcp (packet rsh, )rdesktop (remote RDP-client), recordmydesktop: Desktop session recorder - Simple command line tool that performs the basic tasks of capturing and encoding desktop session. It produces files using only open formats like Theora for video and Vorbis for audio, using the Ogg container.

    xtraceroute and traceroute - print the route packets trace to network host, for example if through foreign server.

    ... repertoire of actually more than 65 GB rpm (15 DVD) + many Fedora-rpm + infinite amount of Tarballs and thousand applications of all kind!

    truetype-fonts from Linux and OpenOffice, import-function by system-configuration for any fonts from anywhere, recommended font: Liberation fonts like Liberation sans (quit Arial), Liberation serif (instead of Times New Roman), Liberation Mono (Courier) from DVD 2), Libertine, arabic, cyrillic, handwrite, bitmap, adobe-utopia, bh, ubuntu, tamil, libertine, west_european, unifont, sun-misc, fontsproto, fondu (MAC-UNIX-fonts-converter) ..., package TrueType-fonts, ...

    Language-files for OpenOffice, Firefox and KDE: english, french, german, turkish, italian, spanish, russian, modern and traditional chinese, ...depending on the country within the order and orderer name

    von fr2.rpmfind resp. separat from DVD 4 for all listed, not included in DVD 2):
    aeolus (Pipeorgan Emulator), bibletime, biblesync, bibtool, bibleverse, bibleanalyzer (pclos2017), xgospel, xiphos and bibutils (work with the bible), barry (blackberry desktop), sagemath (complex mathematic-system), cherokee (Browser), enouveau (opengl-Tests and Beobachtung der Veränderungen in den Videokarten-Registern), Rygel (UPnP MediaServer V 2.0 specification that is specifically designed for GNOME. It is based on GUPnP and is written (mostly) in Vala language. The project was previously known as gupnp-media-server), USB Modeswitch (brings up your datacard into operational mode. When plugged in they identify themselves as cdrom and present some non-Linux compatible installation files. This tool deactivates this cdrom-devices and enables the real communication device. It supports most devices built and sold by Huawei, T-Mobile, Vodafone, Option, ZTE, Novatel), uzbl, zabbix (net-monitor), bickley (API-framework), ...

    Java-programs: because of portability of all kind: to pay, for free, out of the interenet, already listed rpm-packaged ones, ...

    Emulation (Win98+XP+7+...), for example.: Zero Emission Pad (zep), Clusterball, BSE_Schlacht, PowerTranslator, Skorloto 417 Combinator v3, notepad++, IE7, aborange LottoMaster, Lotto-Systeme, Druckstudio2001, PrintStar, Systran Webtranslator 5.0, KlickTel, Europa-Arbeitszeugnis, Kreuzworträtselgenenerator KWR, Europa-Reiseplaner (Varta), software from playonlinux up to MS Office 2003, ..., (... infinite!)

    24h- live-support from kde-look.org, kde-apps.org, rpmfind.net, mirror fr2.rpmfind.net (lifetime) and linux-newsgroups with continuous increasing software-repertoire: more than 65 GB (15 DVD, 2013) plus all kind of tarballs. Both server do not seem to offer their services at any time. With the three DVDs you also contribute to their disburden!

    overview rpm for mdv2010.0 A-Z (around 65 GB): http://fr2.rpmfind.net/linux/RPM/mandriva/2010.0/x86_64/ByName.html

    extended shutdown: kshutdown (poweroff, newstart, deep sleep, suspend, lock screen, extras immediately or scheduled)

    24h-live-support for inpredictable long time out of internet, fr2.rpmfind.net and Linux-newsgroups

    not runnning (buggish) programs: kompozer (a complex web-authoring-sytem for developing websites like typo3, that might be hard to resign from, take applications like nvu instead or: kompozer is always able to start by up- and downgrading through rpm -U --force kompozer-xxx.rpm the kompozer-rpm out of mdv2010.0, mdv2010.1 and mdv2012.0 and copying /usr/bin/kompozer to /usr/lib64/kompozer and /usr/lib64/kompozer/libxpcom* to /usr/lib64/ and starting always by /usr/lib64/kompozer/kompozer. That means, that all listed games do run too! Please mail us, if you do not think so!

    lacks in securities: kdeinit from kdebase of mdv2010.0 can cause a zombie-process nspluginscan (this got patched on mdv2010.2 and el6).To avoid the Zombie, you have to set access-rights by chmod upon the process (nspluginscan). Do not install the old udev-extras-2009. Our sound driver gave up. Just install udev.

    Everything of the listed software run fine, except Vegastrike! If a programm ever does not start, start it manually by typing the name of the executable into a terminal like konsole or xterm: Error-messages together with the named causes do almost appear, so that in most cases a reaction for repair is possible!

    Price: 3 DVD for 20 €: You can order a copy of the installation-DVD mdv2010.0-final (64-bit-version x86_64, all updates until now) including many listed software (packages) from the more than 65 GB (15 DVD) above and belonging libraries except telephone-books, anonymizing proxy-server by arif, our search-engine, Linfw3, Klean, Mycompanies and Bibliotmaster and the Source-DVD (mdv2010.0) from us free from postage-fee: 3 DVD for 20 €.

    Gookens Lifetime-Hardware-Datenblatt

    HarmonyOS, Hongmeng
    OKHuawei reveals HarmonyOS - an OS for all systems, PC-WELT.de, 10.08.2019
    Huawei hat mit HarmonyOS sein eigenes Betriebssystem vorgestellt. Welches auch auf Smartphones läuft.
    Sprich: HarmonyOS ist nicht nur für den Einsatz auf Smartphones gedacht, sondern kann auch auf anderen Produktklassen eingesetzt werden. Wie etwa bei smarten Fernsehern, die Huawei ebenfalls anbieten will. Oder auch auf Rechnern, in Smartwatches, in Fahrzeugen oder Smart-Home-Lösungen. Die Idee für ein solches Allzweck-Betriebssystem ist nicht neu: Samsung besitzt beispielsweise Tizen, welches sich aber nie wirklich bei Smartphones durchsetzen konnte.

    Gooken´s lifetime-hardware data sheed

    Used platform (hardware)

    HUAWEI Y360 (Y360-U61) Smartphone ( good luck to get this smartphone model totally for free from someone, who ought so foolish getting a better one... )

    Operating System: Android 4.4.2

    Kernel 3.4.62

    9 cm × 6 cm - Touchscreen

    Radiation: 45 yF

    1,8 GB internal memory, Extension: slot for SD-cards with 4, 8, 16 GB or more, SIM-card-slot, integrated digicam, ...

    OKRunning costs: none (if you use the WLAN-Router at home or hotspots for internet access being outside and WhatsApp resp. Facebook Lite for all telephony) (none costs / all for free except costs for power-recharging the akku only)

    OKConnecting phones to the Fritzbox, PC-WELT.de, 29.09.2019
    DECT- mobiles, analogous and ISDN-phones, fax and answering machine - the Fritzbox cares for everything around the phone..

    microphone, loud speaker, USB-port, USB-cable and USB-net-adapter for akku-reload

    OKSystem-Update-App, preinstalled Apps on Huawei Smartphone Y360-U61 like screen lock (after suspend/standby per key stroke with the middle key of the right side or determinable timeout) or Huawei Start, SMS/MMS, addressbook (Kontakte), telephone, GooglePlayStore, Google-Drive (Cloud), Google Chome (Browser), Google Maps, Gmail, YouTube, photos, video telephony (Hangouts), ..., system-settings and settings (Wifi including Wifi over hotspots or WPA2 encrypted over the local WLAN-router (for the cost of the ISP of the PC) instead SIM-card-provider, Bluetooth, Apps, location access,.USB-printer, USB-scanner, TV-device-port, ...) , tools, data-backup-App, system update app, app update app, Chrome Browser, E-Mail-Client (gmail: IMAP, income server), time scheduler, calendar, clock (world clock, stopwatch timer,...), SIM-toolkit, weather broadcast, Cell-Broadcast, Dialer, Printer-Spooler, video player, Huawei Video Player, TouchPalX, Files, Deletion (system cleaner), audio recording (App Soundrekorder within tools), VPN, Proxy Handler, packet installer (Paket Installer), text editor (editor), data backup, digital camera, camera/ video recording, pocket calculator, FM-radio (UKW, App: FM-broadcast), pocket lamp, ..., games like Dragon Hunt and car racing, ... , ...

    OKReset Y360 to default by pressing both keys on the right side (what opens a menu) or by a system app

    OKMore apps from PlayStores (... but we do not recommend all of them...!): "Find my device (smartphone)", FritzPhone (phone over the local WLAN-router (for the costs of the ISP for the PC instead of SIM-card-provider), Tor-Browser (Tor, The Onion Router), Antivirus Helper (virus and malware scanner), Anti Spy Mobile FREE, NetGuard (Non-Root-Firewall (AppBlocker) for Android 4 and higher), Wifi-Blocker (netcut, ARP-Guard for Wifi security, Wifi-connection-protection: protection against the changing of networks into very expensive ones, hijacking and much more), Autostart App, Backup/Restore ( use the reliable, complete data securing out of the directory named tools)), Facebook Lite, Messenger Lite ( with over 1 billion addresses that can be called on phone without costs / for free, recommended) or WhatsApp (for free) and alternatively (recommended, for free) SMS/MMS-encrypting Signal or Threema (costly, non free messanger), Twitter-App, GPS-Map-Router (cards for offline use from all over the world, routing, ...), app to move apps from internal memory (telephony memory) to SD card, Nunav (navigation for car, bike or walking per feet, routing app), Öffi (regional traffic, busses), Offline card navigation or Offline Maps (worldwide with Routing and with GPS-support), Street View Maps (from satellite live and more), E-Mail (app E-Mail), Tagesschau-App, phone book with maps (DasOertliche: telephone book including actual offers, petrol prices, cinema programs, bars, pubs, hotels, quarters, restaurants, sport, freetime, supermarkets, fast food & Co., cash dispenser, drugstores, everything for your pet, car accidents, flowers, books & magazines, cafés and bakeries, electro markets, culture, furnitures & decoration, fashion, night life, taxi, wellness & cosmetics, ... or: "Das Telefonbuch" (The Telephone Book) from Telekom AG, ...), ...), day planner, dating-apps, Advanced Thread Killer (instead of this use the preinstalled process manager: system-settings -> apps -> active apps), Inkognito (Spyware-Killer), data cleaner (Ancleaner), environment noise measurement, Language Translator (from Google or others), word dictionaries (Leo), railroad: Deutsche Bahn ( DB-Navigator, start, destinationl, tickets, ...), TV-program (TV-Browser), VLC Media Player, car number plates (Kennzeichen Europa), traffic jam warnings, radar warning, disaster prevention (warnings-app from the BKK: NINA, police warnings/reports, ...), file encryption, password manager (Passwort Tresor), Facebook/Facebook-Lite with Messenger Lite instead of WhatsApp, Total Commander (file manager; there is already a file manager from Huawei), Linux Terminal Emulator, Linux commands (manual), cloud-storage, image viewer (AA Image Viewer), event calendar (App: Was geht? u.a.), Wikipedia (online-encyclopedia), TV-Browser (TV-programm), stocks news, Online-Banking-App, PhotoTAN-App for Online Banking, QR & Barcode-Scanner, text editor, office, pay services (cash points), remote control (satellite, garage, home door, doors, central heating, windows, shutters, car, TV/dvd/cd/video/audio, heating, camera, bank safes, safes, drones remote control, surveying cams, household devices, electrical outlets, bugging devices, else remote devices, ...), SmartHome control, ISS-locator (ISS space station), horoscope (Widder Horoskop), moon phases, Free Internet-Radio (Internet Radio), Free Internet-TV or German TV Life Channels & Radio (recommended, many internet TV sender, even ARD and RTL, internet radio: more than 1.000 stations from all over the world), streaming services, Filesharing, video conferences, spirit level (Bubble Level or other apps), angle measurement (Bubble Level or other apps), ruler (Bubble Level or other apps), (air pressure measurement, height measurement, GPS coordinate finder, compass, telescope, night seeing, microscope, magnifier, ruler (1D, 2D, Bubble Level), goniometer (Bubble Level), distance messurement (plumnet), temperature measurement (Thermometer), moisture measurement, radiation measurement (radiation detector), metal detector, satellite finder, anti dog barking, Luftqualitäts-App, Wikipedia resp. mathematics-, physics- and chemestry app, language learning, apps for online shopping (ebay, amazon, ...), PayPal, currency calculator, network sniffer, ..., Videobearbeitungs-App, many many games like chess (Schach free), card games like Schafskopf, Solitaire (Solitaire-Palast), Doppelkopf and Skat (Skat-Palast), Pokémon (Pok&eactue;mon-hunt in the outside areas), puzzles, sport: football, handball, tennis, ski, hockey, billiard, ...., JumpnRun, action games (arcade), person-alien shooter, space shooter, action shooter , ..., satellite finder, ISS finder, ...

    You can pay per Smartphone and SmartWatch: Howto, PC-WELT.de, 23.09.2019
    Apple Pay, Google Pay and Samsung Pay

    Increase the font-size on problems upon small displays: Settings ->, Display->,font size.

    We´d like to repeat:

    1) Data backup and restore: The best you can do is to use the system-internal data securing out of directory named tools. This of course is possible on our introduced Huawei Y360. All will be really backuped on SD-card, all encrypted, and from this (SD-card), you can also save it all onto other media like harddrive or SSD !
    2) Process management: same as 1). Start it by system-settings -> apps -> active . This will prevent from bad working and keeps from ads and In-App-Buys etc..
    3) Data rubbish deletion (cleaner): There is a system-interal one working fine and therefore recommended.
    4) Firewall (although we believe, that Linfw3 is the really secure one): Suggested Non-Root-VPN-Firewall warns itself against data eavesdropped on the belonging VPN-Server. Prefer firewall NetGurad (Non-Root-AppBlocker, PlayStore, Android 4 and higher, secure password-protected block of single apps resp. all Apps except MMS/SMS, settings, Huawei-browser ) instead, recommended by
    Easy configuration (NetGuard from PlayStore): At first set the password protection.Then block all apps in the password protected way except system-settings, Signal and other messengers like (Facebook) Lite and WhatsApp. Now you have to allow only those apps, you are going to communicate in the net during a certain time. Block them again after the communication.
    . 5) Total Commander: We´d like to suggest the already integrated one from Huawei instead by touching the icon named files.
    6) Routing and navigation: comfortable Nunav only fullfills the demands.
    7) Anti-Malware: Malwarebytes is most deep-scanning (although there is nothing wrong with Huawei Y360-U61 and introduced apps except Facebook)
    8) Wifi Blocker: netcut and ARP-Guard for Wifi security: ARP protection (access points), AP-protection (access points) with BSSID-check, DHCP protection, all with automatic Wifi-cutoff on alarm, ...what provides most important security features!

    Very expensive (alternative) provider for modell (Huawei Y360-U61) for the case of locked SIM-cards like Telefonica

    Mobil phone bill
    125 Euro for nothing: "Finanztest" warns againt handy-rip-off

    OK9) Apps Autostart: at least autostart NetGuard and ARP-Guard. Otherwise such Apps need to be started (activated) each system boot manually.
    Autostart Apps, report from trishtech.com
    "On the settings screen, scroll down a little and then tap on Security to open the security related settings.
    In the security section you will find many settings related to apps like app permissions, app verification, whether to install from unknown sources etc. You have to tap on Auto-start Management to in this list.
    In the auto-start management screen, it will display a list of all the apps that are being auto-started in your Android phone. You can simply uncheck any apps that you want to disable from being auto-started. Similarly, checking an app will enable it to be auto-started with Android bootup.
    While disabling some of the apps from being automatically started at Android boot will surely make it a little faster, but you have to be careful not to disable any important apps. For example, you should never disable antivirus products related apps from being auto-started as they protect your Android device from malicious apps and programs."

    OK10) Deactivate single Apps even after each system newstart (the process to deactivate almost follows from the information of the see Huawei-process manager): system settings -> Apps -> all Apps -> click onto the App to deactivate -> click onto "deaktivate" OK11) Tor-Browser and Firefox: Gedacht sei unbedingt wieder an die Firefox-Erweitungen wie zum Setzen des UserAgents, noscript, ABP bzw. ABL usw..

    OKBefore apps are downloaded from PlayStores, read out their requirements like In-App-Orders (new contracts), WLAN-access, location access, advertisement, ... . downloaded apps should require as few of it as possible!

    Instead this App is still not for free (... but maybe quit interesting too):
    Teamviewer Pilot: AR-remote-maintenance-App now with text integration, PC-WELT.de, 20.08.2019

    OKSystem-Android-First-Login-Protection:: screen-locker ( 6 -18 ciphered PIN or password)

    OKApps can be regulary actualized/updated

    Smartphone, Apps & Co.: The 20 most important tips for mobile security, trojaner-info.de, 29.09.2019
    Smartphone and tablet-fans should not be used light-headed and unprotected in the mobile internet. Therefore all in all security requirments and the protection of smartphones and tablets should be similar high and higher than even PC. Here are the 15 most important tips for mobile security.

    Smartphone, Apps & Co.: die 20 wichtigsten Tipps für mobile Sicherheit, trojaner-info.de, 29.09.2019
    Smartphone und Tablet-Fans sollten niemals leichtfertig und ungeschützt im mobilen Internet unterwegs sein. Alles in allem sollten deshalb die Sicherheitsanforderungen und der Schutz des Smartphones und Tablets ähnlich hoch oder höher sein wie beim PC. Die 15 wichtigsten Tipps für mobile Sicherheit.

    The five most threats for mobile security, trojaner-info.de, 15.10.2019
    Tipps, wie Sie Ihr Unternehmen vor den mobilien Sicherheitslücken schützen können nach Erfahrung von Palo Alto Networks
    [...] 1. Phishing-threats: Wobei noch vor ein paar Jahren die Phishing-Angriffe haupsächlich per E-Mail durchgeführt wurde, werden heute mobilie Kanäle wie SMS, Facebook Messenger, WhatsApp und gefälschte Websites ausgenutzt für die Cyberattacke. Zudem ist Spear-Phishing eine zunehmende Bedrohung. Hierbei werden bestimmte Mitarbeiter von Hackern über mobile Geräte angesprochen, um Zugang zu sensiblen Daten zu erhalten.Mobile 2. Malware: Jede Website, die besucht oder verlinkt wird, hat das Potenzial, mobile Geräte mit Malware wie Spyware, Ransomware, Trojaner-Viren, Adware etc. zu infizieren. 3. Dangerous: opened WLAN-networks: Viele mobile Mitarbeiter nutzen heute öffentliche WLAN-Netzwerke, wenn sie außerhalb des Büros unterwegs sind. Da sich die meisten Cyberkriminellen dessen bewusst sind, versuchen sie, mobile Nutzer dazu zu bringen, sich mit gefälschten WLAN-Netzwerken zu verbinden und so Daten zu kompromittieren. 4. Malware: Viele Apps sind legitim und sicher zu verwenden, aber es gibt auch tausende, die es nicht sind. Das Herunterladen einer App auf einem mobilen Gerät kann daher das Unternehmen des Benutzers einer Vielzahl von Sicherheits- und Datenschutzrisiken aussetzen. Einige Apps sammeln sogar Daten, ohne den Benutzer um Erlaubnis zu bitten. 5. Data leaks: Datenlecks treten bei jeder unbefugten oder unbeabsichtigten Übertragung von Daten aus einem Unternehmen an ein externes Ziel auf. Diese Datenlecks können zurückgehen auf eine Person innerhalb des Unternehmens, die sensible Daten in eine Public Cloud überträgt, anstatt in die Private Cloud. Es könnte aber auch ein externer Angreifer dahinterstecken, der die Daten des Unternehmens absichtlich stiehlt. Mobile Endgeräte, die oft eine Mischung aus geschäftlichen und persönlichen Daten enthalten, machen es noch einfacher, die Grenzen zwischen Geschäftlichen und Privatem versehentlich oder gezielt zu verwischen.

    [...] Antivirensoftware und Data Loss Prevention (DLP)-Tools den mobilien Geräten hinzugefügen
    Bessere und einfachere Arbeitsmöglichkeiten anbieten, damit Mitarbeiter sich nicht mit unsicheren öffentlichen WLANs verbinden
    Mitarbeiter sollten App-Berechtigungen sorgfältig überprüfen, bevor sie ihnen Zugriff gewähren, und Anwendungen deaktivieren, die missbraucht werden könnten
    MFA-Tools (Multi-Factor Authentication) sollten von Mitarbeitern verwendet werden, wenn sie sich über ihre mobilen und persönlichen Geräte mit dem Unternehmensnetzwerk verbinden

    10 things, you should better not do with the smartphone, PC-WELT.de, 18.10.2019
    We show the worst social slips, you can do with your smartphone.

    OKAkku: HB5V1 compatible with smartphones Y3, Y6, Y300, Y360, Y300C, Y500, Y900, T8833, U8833
    HB5V1- Akku from HUAWEI (original), partially improved (more energyzing and lower radiating) HB5V1-Akku from MaXlife (1730 mAh), Extremecells (1730 mAh), BATTERY PACK, PATONA, Powery, AGI 10027, BLUE STAR (1600 mAh), Ascend (1500 mAh, this can prolong (double or longer) your session time, care the device and lower its radiation), vhbw (1500 mAh), AVVISO, ...

    3 years warranty

    fed black leather case with magnetic closure from IPHORIA

    Price (new) for Huawei Y360: 79 Euro ( expert Dinslaken year 2014 ), 32 and 16GB SD-card for 6,99 Euro

    Rest for free (!) except charging the akku, if there is access by public hotspots or WLAN-Router (office resp. at home), telephony for free with addressbook by messenger Facebook Lite or WhatsApp, offline navigation and routing: GPS Router Mapsa (with areawise downloadable maps from all over the world)

    ATTENTION: The sim card to put in should be loaded; otherwise using the smartphone (downloads, surfing, phoning) might get horrific expensive !

    SIM-card and its load, our tip: Internet-Flat 500 MB ALDITALK Prepaid Starter Kit ( including phone and SMS and so on ) forr
    3,99 Euro per month (Aldi, Stand 2019).

    Phone worldwide for free: The Satellite App replaces the SIM-card, CHIP, 09.04.2018
    With the free App Sipgate Satellite you can phone woldwide without a sim card for 100 free minutes each month into 55 countries - totally free - without any costs.

    alternatively: WLAN-Router (for the used costs of the PC-internet- and that means phone-flat, if given), Facebook-Lite and/or WhatsApp and/or App namend "CallFree" (all worldwide free phone, start with 1000 up to 2000 bonus points gratis, point reload by making points by looking video-ad-spots, acquiring more user resp. customers and recommending suggested Apps, info from year 2019)

    Allnet-Flats with high download volumes: The best tariffs for your handy, https://www.chip.de/artikel/Handytarife-mit-riesigem-Datenvolumen-Guenstigstes-Angebot-kostet-22-Euro_171925937.html

    Google-App can rescure life: How "Personal Safety" functions, CHIP, 04.10.2019

    Smartphones for the military, trojaner-info.de, 12.10.2019
    Der südkoreanische Technologiekonzern Samsung arbeitet derzeit an einem hochsicheren Mobil-Betriebssystem für das Militär. Dafür arbeitet Samsung mit dem süddeutschen IT- und Beratungsunternehmen blackend zusammen.

    The most secure Android: Samsung developes a special operating system for the germany military Bundeswehr>, CHIP, 11.10.2019

    Two cameras, several microphones, a GPS-modul and lashings of private user data: Smartphones are the perfect eavesdropping observence-devices
    Research scientist: How your Smartphone can spy you out - even if it is powered off
    , STERN.de, 08.02.2018
    Über GPS und Co. können uns Smartphones permanent überwachen. Zum Glück kann man die Funktionen aber abschalten. Ein Forscher erklärt nun, wie man diese Sicherheitsmaßnahmen trotzdem aushebelt - und warum das kaum zu verhindern ist.
    Zwei Kameras, mehrere Mikrofone, ein GPS-Modul und Unmengen private Daten der Nutzer: Smartphones sind die perfekten Überwachungsgeräte.

    More than 1300 Android-Apps do collect private data hiddenly - even if you forbid it
    , STERN.de, 11.07.2019
    Sicherheitsforscher demonstrierten, dass mehr als 1000 Android-Apps unerlaubt personenbezogene Daten speichern. Die App-Anbieter hebelten die Sicherheitsmaßnahmen mit kreativen Methoden aus.

    Android 10: Plenty of security exploits, trojaner-info.de, 31.08.2019
    193 exploits were found out!
    Es haben sich zahlreiche Sicherheitslücken in Googles Mobile Plattform angesammelt. Nun wollen die Entwickler in der kommenden Version nicht nur mit neuen Features aufwarten, sie wollen auch eine Unmenge von angestauten Sicherheitslecks auskehren.

    1325 Android-Apps bypass set access-rights, PC-WELT.de, 09.07.2019
    Über 1000 Android-Apps umgehen die persönlichen Zugriffsberechtigungen der Nutzer und sammeln weiterhin fleißig Daten.

    Android-Apps do have the Tracker-epidemic, PC-WELT.de, 27.03.2019
    Die Mehrzahl der untersuchten Android-Apps enthält Tracker, die Nutzungsdaten an Google und auch an Drittfirmen senden.

    Expensive subscription trap: At least 41.000 customers are affected: Stiftung Warentest warns against incorrect Mobilfunk-bills, STERN.de, 17.09.2019
    Tausende Mobilfunk-Kunden erhielten von ihren Anbietern zu hohe Rechnungen. Der Grund sind unberechtigte Forderungen von Drittanbietern, berichtet Warentest. Und verrät, wie Betroffene ihr Geld wiederbekommen.

    Infected Android-Apps in the Play Store with 1,5 millionen downloads, trojaner-info.de, 24.09.2019
    Verseuchten Apps gelingt es immer wieder, in den offiziellen Play Store zu gelangen.
    Es sind besonders hartnäckige Apps, die Google mittlerweile aus dem Play Store entfernt hat. Die beiden schädlichen Anwendungen erreichten immerhin 1,5 Millionen Downloads. Betroffene Geräte müssen gegebenenfalls auf die Werkseinstellungen zurückgesetzt werden.

    Android-trojan infects 100 millionen devices
    Again found out in the Play Store, an infected App!
    , trojaner-info.de, 29.08.2019
    Es ist eine gefährliche Trojaner-App namens CamScanner, die auf mehr als 100 Millionen Android-Geräten installiert ist. Die App, CamScanner - Phone PDF Creator, die sich in Googles Play Store eingenistet hat, sollten betroffene Nutzer umgehend löschen.

    Huawei P30 Pro drops in prices: save 340 Euro, PC-WELT.de, 06.26.2019
    ... and do not forget the most friendly HUAWEI customer support:
    Huawei Germany, Antwerpener Str. 4, cologne: excellent customer support caring with plenty of time for all customer´s questions around the smartphone ( unlocking etc.) ! (T) 0800/77886633 (Freecall)

    "HongmengOS": Huawei´s fast Android-competition - does Huawei provide another operating system soon upon the next Huawei-Handy?, CHIP, 07.05.2019
    Video: Huawei´s Android-alternative - all infos and rumors about the new operating system.
    After the US-trade embargo against Huawei an U-turn seems to happen - the manufacturer was allowed again to handle with US-companies including Google´s Android. Now there are hints, that Huawei cares a more about the roll-out of thier own operating system, more as guessed, so that Google can be the big looser in this historical matter.

    Huawei promises (again): All remains as it was, PC-WELT.de, 03.07.2019
    Android is provided further on - nothing will change! Huawei talks about the actual situation and makes a promise for the future.

    New Galaxy S10 + get 600 € for your old handy
    Now you can get up to 600 Euro for your old smartphone, if you buy a new Samsung Galaxy S10e, S10 or S10+.

    More about smartphones see News&Links#computer: More about Smartphones

    Wegen Strahlung: Sammelklage gegen Apple und Samsung eingereicht, PC-WELT.de, 26.08.2019
    Smartphones geben mehr Strahlung ab, als eigentlich erlaubt. Das berichtete in der vergangenen Woche eine amerikanische Zeitung. Diesem Bericht folgt bereits die erste Sammelklage einer kleinen Kanzlei aus Atlanta.
    Die Chicago Tribune hat mehrere Smartphones auf die abgegebene Strahlung hin getestet. Dabei kam die Zeitung zu dem Schluss, dass einige Geräte die festgeschriebenen Grenzwerte nicht einhielten. Wir berichteten. Über einen Facebook-Post ließ die Anwaltskanzlei Fegan Scott LLC gestern verlauten, eine Sammelklage gegen Apple und Samsung eingereicht zu haben. Sie werfen den Konzernen vor, durch die vermeintlich (die Ergebnisse einer neuen Untersuchung durch die amerikanische Behörde FCC stehen noch aus) erhöhten Strahlenwerte die Gesundheit der Gerätenutzer zu gefährden. Außerdem sei die Werbung zu den Produkten irreführend und spiele die Gefahren von Strahlung, die durch Smartphones abgegeben wird, herunter, ignoriere sie sogar komplett. So wird Apple und Samsung vorgeworfen, mit Slogans wie "Studio in your pocket" zu sugerrieren, dass Smartphones risikofrei in der Hosentasche transportiert werden können.
    Die 44-seitige Anklageschrift bezieht sich zu großen Teilen auf den Artikel der Chicago Tribune, aber auch auf verschiedene Studien, welche die Schädlichkeit von Smartphone-Strahlung belegen sollen. Dabei ist diese wissenschaftlich durchaus umstritten. Für mehr Informationen zu diesem Thema empfehlen wir den Gast-Beitrag unseres Experten Dennis Bederov. In diesem Beitrag haben wir die Problematik der SAR-Messungen zusammengefasst und erklärt, warum diese nicht immer aussagekräftig sind.
    Sammelklagen gegen große Konzerne und Behörden sind keine Seltenheit. Erst vor wenigen Monaten startete in den USA eine Sammelklage gegen die US-Behörde FCC wegen der Zulassung von 5G-Mobilfunk. Auch in diesem Fall gehört die Gefährdung der Allgemeinheit zu den Vorwürfen, ohne dass diese wissenschaftlich einwandfrei erwiesen ist.

    Mord auf Raten - Stoppt 5G und die BRD !, brd-schwindel.ru, 19.04.2019
    Folgende Zitatesammlung zeigt, dass man schon lange über die Gefahren der Mobilfunktelefonie Bescheid weiß und welche Schäden diese im menschlichen Organismus anrichtet, vor allem im Gehirn. Und dabei geht es nicht einmal um 5G. Man kann sich ausrechnen, dass sich die Belastung um einiges potenziert. Wir sind ohne 5G schon enormen Strahlungen ausgesetzt. 5G NEIN DANKE
    Die Zitatensammlung stammt aus wissenschaftlichen Arbeiten, Fachveröffentlichungen, Presseagenturmeldungen, Büchern, Vorträgen, Zeitungen, von Ärzten, Ämtern, Experten, dem Internet, den Nachrichten, wurden im Radio gehört, im Fernsehen gesehen…


    Polaroid announces new handy-photo-printer, PC-WELT.de, 12.09.2019
    The new handy photo printer from Polaroid transfers an image directly up from the display of a smartphone onto the ( colorizable photo ) paper.

    "Without words: just hot"


    Still functioning today: Computer-Tower 4Q001342, order nr. 37701136

    Brightness×Height×Depth: 180×355×390 mm

    2 × 3 1/2 and 2 × 5 1/4 Zoll shafts, material: metal, opening metal front left and right, hand-screwable cross-screws backside, color: white or black

    standarized Power-Buttom, RESET, 2 LED: green and orange

    Mini-ATX (also suitable for other ATX-Net-adapter)

    Pollin.de, Price: 4,95 € (Stand 2013)

    Lifetime-Hardware over lifetime-hardware is all you see in this data sheed: solid and stable mainboard at lowest costs tested by Gooken :

    Mouseclick-fast All-On-One-Mainboard 19W

    Crashfree allrounder still functioning today: super powersaving, 17×17 cm small factorized ASUS-Mini-ITX -220 mit 1,2 GHZ - Celeron 220 ( Single core Intel Celeron 220 (-UP-) arch: Conroe rev.1 - this one reacts also fast as by mouseclick) incl. extrem silent cooler onboard, year 2009 - we use it mouseclick-fast up to know (and are going to report, if we don´t anymore):
  • BIOS: ASUS Mini-ITX-220 year 2009/2010 socked (spare-part BIOS for example from biosflash.com for about 10 €), 8Mb Flash ROM, AMI BIOS Ver. 0216 9/22/2009 absolute CrashFree durable BIOS 3, EZFlash 2, ASUS AI NET2, PnP, DMI v2.0, WIM 2.0, SMBIOS 2.5, ACPI v2.0a

    tested: powersaving and mouseclick-fast on our SSD-based "Universal-Linux",; with Ethernet-LAN-, 3D-Sound- and full directrendering-, OpenGL- and SDL- graphic-support
    crashfree: mostly independent from temperature, amount of daily system-restarts and connected devices and so on

    Windows 7 ready und Linux ready (we tested "Universal Linux" out of Enterprise Linux RHEL/CentOS el7, el6, Rosa2014.1, OpenSuSE, mga, Slackware based on mdv 2010.2.)

    Form factor: 170mm×170mm

    Chipset: 945GC/ICH7 express Green ASUS RoH8-Compliant with ICH7 S-ATA-Controller

    power-saving 19 Watt only

    Intel Celeron 220 with super silent cooler 25,3 db (max. 27.5 dBA) (this supersilent cooler is a suprising small tiny model, but working reliable over all seasons with +-40 °C without any problems and without doing any harms!, Gooken)

    Manufacturer: ‎GenuineIntel
    Model name: ‎Intel(R) Celeron(R) CPU 220@1.20GHz
    CPUID-Familie: ‎6
    Modell: ‎22
    Modell-Stepping: ‎1
    CPUID-Ebene: ‎10
    Frequency (MHz): ‎1197.678
    Cache size: ‎512 KB
    Bogomips: ‎2395.35
    More information
    Flags: ‎fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss tm pbe syscall nx lm constant_tsc up arch_perfmon pebs bts rep_good nopl aperfmperf pni dtes64 monitor ds_cpl tm2 ssse3 cx16 xtpr pdcm lahf_lm dts
    Write-protection: Yes

    Chassis Intrusion Detection

    Virusprotected and Crashfree BIOS 3, socked, EZ-flash2 (direct from mainboard-DVD or USB)

    Prefer BIOS setting: fixed mode, 128 MB for graphics (northbridge)

    All Linux games, even all OpenGL and SSL-games are ready to play like many, many Windows-Games too:

    Onboard Graphic Chip: i945G, INTEL GMA 950, 82945G/GZ Integrated Graphics Controller, 2048 × max. 224MB RAM, Direct Rendering, OpenGL- and SDL-support, resolution 4096× 4096 pixel ×32bpp; max., 2048×1536 pixel (we chose 1366×768 pixe×32bpp@59 Hz Generally the screen resolution should be adjusted to get a brilliant display, that means one with a clean and natural display of the symbols and chosen fonts; it might be the best to choose "automatic" for the screen resolution out of MCC -> Hardware "konfigure the graphic server ")
  • RAM (fast and lifetime): two sockets, 2× 240 Pin DIMM socket, support of unbuffered non-ECC OVL, at least recommended: 2×2 GB DDR2-RAM (667, am besten PC2-5300, 667 Mhz branded) 533 Mhz (or above) FSB dual channel, max. 8GB, RAM is NOT (!) included in this ariticle, price (2 × 2 GB): around 5 up to 20 Euro

    Graphic card ITX mouseclick-fast, set in BIOS, Northbridge to DVMT64, DVMT128, DVMTinfinite or COMBO mode. We´d like to recommend DVMT128 MB.

    Onboard Sound Chip: VIA VT 1705 6-channel-HD-Azalia-audio CODEC: high-end sound-system

    Onboard Gigabit-Lan-Chip (all functioning since mdv2010) and LAN-BIOS

    it87: Found IT8720F chip at 0x290, revision 8: coretemp (lm_sensors / sensord) (mousecklick fast even by daylight: we would kept these unneeded modules still deactivated for more speed and security)

    ACPI 2.0 for all (Windows and Linux) suspend mode, for hibernate 2 GB SWAP-partition is needed and the ACPI 2.0 wihtin BIOS should be set. All USB-devices like memory-sticks should be plugged out (umount). AI Overclocking (CPU): auto (default) or manually up to stable overclocking: Vcore (CPU-frequency) 133 up to 140

    BIOS-Data- including virus protection: ROOT-Password protection and USER-ACCESS-LEVEL by BIOS-Setup, section security: Full Access, No-Access and View Only (we recommend "ViewOnly" or "No-Access")
  • USB-Boot-Support and boot from other external media: Set security within the BIOS-Setup, set "full BIOS access", restart and press the key F8. If the boot should be done with the SSD or harddisc again, set "full BIOS access" back to "no access".

    TPM: Trusted Platform Module: user/not-user-configurable

    Max CPUID Value Limit

    CPU TM function: CPU-Thermal-Monitor (TM) function, a CPU-overheat-protection reducing frequency and voltage in the case of overheat.

    Execute-Disable-Bit: No-Execution Page Protection Technology, disabled forces the XD feature flag to always return zero (0), enabled enables this option..

    1×PCI, 2 × S-ATA II 6Gb/s NM10/Ich7, 6×USB 2.0, 2×PS/2, 1×COM, 1×Ethernet/LAN, 3×audio

    3 years limited warranty

    manual selection of boot devices including booting from USB-stick: F8-key

    User´s manual
    1 × I/O Shield
    1 × SATA cable
    Support Disc
    ASUS PC Probe II
    Anti-virus software (OEM version)
    ASUS Update
    English User´s Manual

    TÜV Rheinland "Geprüfte Bauart"
    Certified by FC Federal Communication Commission U.S.A. and EC Declaration of Confomity 2009
    EC-conformity: 7. April 2009, FCC part 2 section 2, 1077(a), 2004/108/EC-EMC directive, EN 55022 2006, EN 61000-3-2-2006, 2006/95/EC-LVD-directive, CE CE
    AUStest by Gooken (any power switching on to off): year 2010 up to year 2020 and longer with net adapter SLA 500W

    The PC-loudspeaker cable for many mainboards like this one should not be used because of possible short circuits, that can also enlight the net adapter above the board! You do not need this cable for this board.
    In some seldom cases, the board can be affected by frequencies like from some handies.
    Especially the internal graphic chip should be protected against moisture by a piece of chalk, that has to be put into the tower.

    The integrated BIOS-Etheneret-LAN-chip and eventually the superfluos sensor-chip should be deactivated in the Bios resp. per lm-sensors ( pregiven by default), as they might consist of parts of TCPAs. Anyhow you do not need such-chips activated!

    Censor-chips in hardware + Win2000 vs. XP, trojaner-board.de
    Hello, as much as I got informed, TCPA-chips are parts of computer mainboardds: 1. They do exist...

    ... I doubt, that those contentious technology provides the end user any more security...

    ASUS Computer GmbH
    Tel. +49-1805-010923
    Harkort Str. 21-23
    40880 Ratingen

    Price ASUS ITX-220: 29,95 € (year 2013, Pollin.de, E580002, Barcode Nr. 15G062191001, order number: 701197
    https://www.pollin.de/shop/dt/MjA4ODkyOTk-/Computer_und_Zubehoer/Hardware/Mainboards_Mainboard_Bundles/Mini_ITX_Mainboard_ASUS_ITX_220_Intel_Celeron_220.html ) https://www.pollin.de/shop/dt/MjA4ODkyOTk-/Computer_Informationstechnik/Hardware/Mainboards_Mainboard_Bundles/Mini_ITX_Mainboard_ASUS_ITX_220_Intel_Celeron_220.html

    Scope of delivery
    Product data-sheed, click here

    CPU 0 (already onboard, mouseclick-fast):
    vendor_id = "GenuineIntel"
    version information (1/eax):
    processor type = primary processor (0)
    family = Intel Pentium Pro/II/III/Celeron/Core/Core 2/Atom, AMD Athlon/Duron, Cyrix M2, VIA C3 (6)
    model = 0x6 (6)
    stepping id = 0x1 (1)
    extended family = 0x0 (0)
    extended model = 0x1 (1)
    (simple synth) = Intel Core 2 Duo Mobile (Merom A1) / Celeron 200/400/500 (Conroe-L/Merom-L A1) / Celeron M (Merom-L A1), 65nm
    miscellaneous (1/ebx):
    process local APIC physical ID = 0x0 (0)
    cpu count = 0x1 (1)
    CLFLUSH line size = 0x8 (8)
    brand index = 0x0 (0)
    brand id = 0x00 (0): unknown
    feature information (1/edx):
    x87 FPU on chip = true
    virtual-8086 mode enhancement = true
    debugging extensions = true
    page size extensions = true
    time stamp counter = true
    RDMSR and WRMSR support = true
    physical address extensions = true
    machine check exception = true
    CMPXCHG8B inst. = true
    APIC on chip = true
    SYSENTER and SYSEXIT = true
    memory type range registers = true
    PTE global bit = true
    machine check architecture = true
    conditional move/compare instruction = true
    page attribute table = true
    page size extension = true
    processor serial number = false
    CLFLUSH instruction = true
    debug store = true
    thermal monitor and clock ctrl = true
    MMX Technology = true
    SSE extensions = true
    SSE2 extensions = true
    self snoop = true
    hyper-threading / multi-core supported = false
    therm. monitor = true
    IA64 = false
    pending break event = true
    feature information (1/ecx):
    PNI/SSE3: Prescott New Instructions = true
    PCLMULDQ instruction = false
    64-bit debug store = true
    MONITOR/MWAIT = true
    CPL-qualified debug store = true
    VMX: virtual machine extensions = false
    SMX: safer mode extensions = false
    Enhanced Intel SpeedStep Technology = false
    thermal monitor 2 = true
    SSSE3 extensions = true
    context ID: adaptive or shared L1 data = false
    FMA instruction = false
    CMPXCHG16B instruction = true
    xTPR disable = true
    perfmon and debug = true
    process context identifiers = false
    direct cache access = false
    SSE4.1 extensions = false
    SSE4.2 extensions = false
    extended xAPIC support = false
    MOVBE instruction = false
    POPCNT instruction = false
    time stamp counter deadline = false
    AES instruction = false
    XSAVE/XSTOR states = false
    OS-enabled XSAVE/XSTOR = false
    AVX: advanced vector extensions = false
    F16C half-precision convert instruction = false
    RDRAND instruction = false
    hypervisor guest status = false
    cache and TLB information (2):
    0xb1: instruction TLB: 2M/4M, 4-way, 4/8 entries
    0xb0: instruction TLB: 4K, 4-way, 128 entries
    0x05: data TLB: 4M pages, 4-way, 32 entries
    0xf0: 64 byte prefetching
    0x57: L1 data TLB: 4K pages, 4-way, 16 entries
    0x56: L1 data TLB: 4M pages, 4-way, 16 entries
    0x7f: L2 cache: 512K, 2-way, 64 byte lines
    0x30: L1 cache: 32K, 8-way, 64 byte lines
    0xb4: data TLB: 4K pages, 4-way, 256 entries
    0x2c: L1 data cache: 32K, 8-way, 64 byte lines
    processor serial number: 0001-0661-0000-0000-0000-0000
    deterministic cache parameters (4):
    --- cache 0 ---
    cache type = data cache (1)
    cache level = 0x1 (1)
    self-initializing cache level = true
    fully associative cache = false
    extra threads sharing this cache = 0x0 (0)
    extra processor cores on this die = 0x0 (0)
    system coherency line size = 0x3f (63)
    physical line partitions = 0x0 (0)
    ways of associativity = 0x7 (7)
    ways of associativity = 0x1 (1)
    WBINVD/INVD behavior on lower caches = true
    inclusive to lower caches = false
    complex cache indexing = false
    number of sets - 1 (s) = 63
    --- cache 1 ---
    cache type = instruction cache (2)
    cache level = 0x1 (1)
    self-initializing cache level = true
    fully associative cache = false extra threads sharing this cache = 0x0 (0)
    extra processor cores on this die = 0x0 (0)
    system coherency line size = 0x3f (63)
    physical line partitions = 0x0 (0)
    ways of associativity = 0x7 (7)
    ways of associativity = 0x1 (1)
    WBINVD/INVD behavior on lower caches = true
    inclusive to lower caches = false
    complex cache indexing = false
    number of sets - 1 (s) = 63
    --- cache 2 ---
    cache type = unified cache (3)
    cache level = 0x2 (2)
    self-initializing cache level = true
    fully associative cache = false
    extra threads sharing this cache = 0x0 (0)
    extra processor cores on this die = 0x0 (0)
    system coherency line size = 0x3f (63)
    physical line partitions = 0x0 (0)
    ways of associativity = 0x1 (1)
    ways of associativity = 0x1 (1)
    WBINVD/INVD behavior on lower caches = true
    inclusive to lower caches = false
    complex cache indexing = false
    number of sets - 1 (s) = 4095
    smallest monitor-line size (bytes) = 0x40 (64)
    largest monitor-line size (bytes) = 0x40 (64)
    enum of Monitor-MWAIT exts supported = true
    supports intrs as break-event for MWAIT = true
    number of C0 sub C-states using MWAIT = 0x0 (0)
    number of C1 sub C-states using MWAIT = 0x1 (1)
    number of C2 sub C-states using MWAIT = 0x0 (0)
    number of C3 sub C-states using MWAIT = 0x0 (0)
    number of C4 sub C-states using MWAIT = 0x0 (0)
    number of C5 sub C-states using MWAIT = 0x0 (0)
    number of C6 sub C-states using MWAIT = 0x0 (0)
    number of C7 sub C-states using MWAIT = 0x0 (0)
    Thermal and Power Management Features (6):
    digital thermometer = true
    Intel Turbo Boost Technology = false
    ARAT always running APIC timer = false
    PLN power limit notification = false
    ECMD extended clock modulation duty = false
    PTM package thermal management = false
    HWP base registers = false
    HWP notification = false
    HWP activity window = false
    HWP energy performance preference = false
    HWP package level request = false
    HDC base registers = false
    digital thermometer thresholds = 0x2 (2)
    ACNT/MCNT supported performance measure = true
    ACNT2 available = false
    performance-energy bias capability = false
    extended feature flags (7):
    FSGSBASE instructions = false
    IA32_TSC_ADJUST MSR supported = false
    SGX: Software Guard Extensions supported = false
    BMI instruction = false
    HLE hardware lock elision = false
    AVX2: advanced vector extensions 2 = false
    FDP_EXCPTN_ONLY = false
    SMEP supervisor mode exec protection = false
    BMI2 instructions = false
    enhanced REP MOVSB/STOSB = false
    INVPCID instruction = false
    RTM: restricted transactional memory = false
    QM: quality of service monitoring = false
    deprecated FPU CS/DS = false
    intel memory protection extensions = false
    PQE: platform quality of service enforce = false
    AVX512F: AVX-512 foundation instructions = false
    AVX512DQ: double & quadword instructions = false
    RDSEED instruction = false
    ADX instructions = false
    SMAP: supervisor mode access prevention = false
    AVX512IFMA: fused multiply add = false
    CLFLUSHOPT instruction = false
    CLWB instruction = false
    Intel processor trace = false
    AVX512PF: prefetch instructions = false
    AVX512ER: exponent & reciprocal instrs = false
    AVX512CD: conflict detection instrs = false
    SHA instructions = false
    AVX512BW: byte & word instructions = false
    AVX512VL: vector length = false
    PREFETCHWT1 = false
    AVX512VBMI: vector byte manipulation = false
    UMIP: user-mode instruction prevention = false
    PKU protection keys for user-mode = false
    BNDLDX/BNDSTX MAWAU value in 64-bit mode = 0x0 (0)
    RDPID: read processor D supported = false
    SGX_LC: SGX launch config supported = false
    AVX512_4VNNIW: neural network instrs = false
    AVX512_4FMAPS: multiply acc single prec = false
    Direct Cache Access Parameters (9):
    Architecture Performance Monitoring Features (0xa/eax):
    version ID = 0x2 (2)
    number of counters per logical processor = 0x2 (2)
    bit width of counter = 0x28 (40)
    length of EBX bit vector = 0x7 (7)
    Architecture Performance Monitoring Features (0xa/ebx):
    core cycle event not available = false
    instruction retired event not available = false
    reference cycles event not available = false
    last-level cache ref event not available = false
    last-level cache miss event not avail = false
    branch inst retired event not available = false
    branch mispred retired event not avail = false
    Architecture Performance Monitoring Features (0xa/edx):
    number of fixed counters = 0x0 (0)
    bit width of fixed counters = 0x0 (0)
    extended feature flags (0x80000001/edx):
    SYSCALL and SYSRET instructions = true
    execution disable = true
    1-GB large page support = false
    RDTSCP = false
    64-bit extensions technology available = true
    Intel feature flags (0x80000001/ecx):
    LAHF/SAHF supported in 64-bit mode = true
    LZCNT advanced bit manipulation = false
    3DNow! PREFETCH/PREFETCHW instructions = false
    brand = "Intel(R) Celeron(R) CPU 220 @ 1.20GHz"
    L1 TLB/cache information: 2M/4M pages & L1 TLB (0x80000005/eax):
    instruction # entries = 0x0 (0)
    instruction associativity = 0x0 (0)
    data # entries = 0x0 (0)
    data associativity = 0x0 (0)
    L1 TLB/cache information: 4K pages & L1 TLB (0x80000005/ebx):
    instruction # entries = 0x0 (0)
    instruction associativity = 0x0 (0)
    data # entries = 0x0 (0)
    data associativity = 0x0 (0)
    L1 data cache information (0x80000005/ecx):
    line size (bytes) = 0x0 (0)
    lines per tag = 0x0 (0)
    associativity = 0x0 (0)
    size (KB) = 0x0 (0)
    L1 instruction cache information (0x80000005/edx):
    line size (bytes) = 0x0 (0)
    lines per tag = 0x0 (0)
    associativity = 0x0 (0)
    size (KB) = 0x0 (0)
    L2 TLB/cache information: 2M/4M pages & L2 TLB (0x80000006/eax):
    instruction # entries = 0x0 (0)
    instruction associativity = L2 off (0)
    data # entries = 0x0 (0)
    data associativity = L2 off (0)
    L2 TLB/cache information: 4K pages & L2 TLB (0x80000006/ebx):
    instruction # entries = 0x0 (0)
    instruction associativity = L2 off (0)
    data # entries = 0x0 (0)
    data associativity = L2 off (0)
    L2 unified cache information (0x80000006/ecx):
    line size (bytes) = 0x40 (64)
    lines per tag = 0x0 (0)
    associativity = 2-way (2)
    size (KB) = 0x200 (512)
    L3 cache information (0x80000006/edx):
    line size (bytes) = 0x0 (0)
    lines per tag = 0x0 (0)
    associativity = L2 off (0)
    size (in 512KB units) = 0x0 (0)
    Advanced Power Management Features (0x80000007/edx):
    temperature sensing diode = false
    frequency ID (FID) control = false
    voltage ID (VID) control = false
    thermal trip (TTP) = false
    thermal monitor (TM) = false
    software thermal control (STC) = false
    100 MHz multiplier control = false
    hardware P-State control = false
    TscInvariant = false
    Physical Address and Linear Address Size (0x80000008/eax):
    maximum physical address bits = 0x24 (36)
    maximum linear (virtual) address bits = 0x30 (48)
    maximum guest physical address bits = 0x0 (0)
    Logical CPU cores (0x80000008/ecx):
    number of CPU cores - 1 = 0x0 (0)
    ApicIdCoreIdSize = 0x0 (0)
    (multi-processing synth): none
    (multi-processing method): Intel leaf 1/4
    (APIC widths synth): CORE_width=0 SMT_width=0
    (APIC synth): PKG_ID=0 CORE_ID=0 SMT_ID=0
    (synth) = Intel Celeron M (Merom-L A1), 65nm

    /etc/X11/xorg.conf mouseclick-fast:
    # File generated by XFdrake (rev )
    # **********************************************************************
    # Refer to the xorg.conf man page for details about the format of
    # this file.
    # **********************************************************************
    Section "ServerFlags"
    Option "DontZap" "False" # disable Ctr Al BS (server abort)
    AllowMouseOpenFail # allows the server to start up even if the mouse does not work
    #DontZoom # disable Ctrl Alt KP_+ /KP_- (resolution switching)
    Section "Module"
    Load "dbe" # Double-Buffering Extension
    Load "v4l" # Video for Linux
    Load "extmod"
    Load "glx" # 3D layer
    Load "dri" # direct rendering
    Load "GLcore"
    Load "bitmap"
    Load "freetype"
    Load "type1"
    Section "Monitor"
    Identifier "monitor1"
    HorizSync 30-80
    VertRefresh 55-65
    # Monitor supported modeline (60.0 Hz vsync, 47.7 kHz hsync, ratio 16/9, 84 dpi)
    ModeLine "1360x768" 85.5 1360 1424 1536 1792 768 771 777 795 +hsync +vsync

    # Monitor preferred modeline (59.8 Hz vsync, 47.7 kHz hsync, ratio 16/9, 84 dpi)
    ModeLine "1366x768" 85.5 1366 1436 1579 1792 768 771 774 798 +hsync +vsync

    # TV fullscreen mode or DVD fullscreen output.
    # 768x576 @ 79 Hz, 50 kHz hsync
    ModeLine "768x576" 50.00 768 832 846 1000 576 590 595 630

    # 768x576 @ 100 Hz, 61.6 kHz hsync
    ModeLine "768x576" 63.07 768 800 960 1024 576 578 590 616

    # modeline generated by gtf(1) [handled by XFdrake]
    ModeLine "1368x768_120" 185.67 1368 1472 1624 1880 768 769 772 823 -HSync +Vsync
    # ...
    Section "Device"
    Identifier "device1"
    VendorName "Intel Corporation"
    BoardName "Intel 810 and later"
    Driver "intel"
    Option "AccelMethod" "uxa"
    Option "DPMS"
    Section "Screen"
    Identifier "screen1"
    Device "device1"
    Monitor "monitor1"
    DefaultColorDepth 24

    Subsection "Display"
    Depth 8
    Modes "1366x768" "1360x765" "1280x720"

    Subsection "Display"
    Depth 15
    Modes "1366x768" "1360x765" "1280x720"

    Subsection "Display"
    Depth 16
    Modes "1366x768" "1360x765" "1280x720"

    Subsection "Display"
    Depth 24
    Modes "1366x768" "1360x765" "1280x720"

    Section "ServerLayout"
    Identifier "layout1"
    Screen "screen1"

    Section "InputDevice"
    Identifier "Mymouse1"
    Driver "mouse"

    # Option "Device" "/dev/ttyS0"
    Option "Protocol" "ImPS/2"

    # Option "Device" "/dev/psaux"
    # Option "Device" "/dev/ttyS0"
    Option "Device" "/dev/input/mice"
    Option "Emulate3Buttons" "true"
    Option "CorePointer"

    # Option "Protocol" "Auto"
    # Option "Protocol" "ExplorerPS/2"
    # Option "Protocol" "auto"
    Option "ZAxisMapping" "4 5"

    RAM (so you still need DDR-2 RAM for this mainboard)

    1GB SAMSUNG RAM DDR-2 800Mhz PC2-6400 240 pin, new, we recommend: 2× 2 GB DDR-2 667 Mhz same modell manufacurer

    price: daily fluctuation (actually 1 GB about 10 Euro, new: about 15 Euro )

    To achieve good performance, look out for the intern cables far away from the platine.
  • OKdriconf: configuration of the GPU and 3D-acceleration in detail for experts. All green buttons can be activated, one stands for fast texture compression, but BE CAREFUL, SEVERAL GAMES MIGHT NOT RUN ANYMORE, if early-z compression is set to ON / VORSICHT: EINIGE GAMES STARTEN NICHT MEHR, wird early-z-compression auf ON gesetzt:
    Synchronisation mit der vertikalen Bildwiederholung: Immer mit der Bildwiederholung synchroniseren, Anwenung w&aumL;hlt das minimale Bildintervall: ON
    Buffer object reuse: Enable reuse of all sizes of buffer objects: ON
    Enable early Z in classic mode: OFF # not all games might run anymore, if set to ON
    S3TC texture compression in all cases: ON
    Aktivierung der GMA 950 für alle Punkte mit Buttom, darunter beschleunigende Textur-Komprimierung.
  • MCC -> Graphic-card configuration -> Options: Use XAA instead of ... (improved rendering and composite): on, tranlucency: on
  • Systemsettings: desktop-effects: on (activated), composite-type: OpenGL, direct rendering: on, VSYNC: on
  • fps ("Universal-Linux" based on mentioned hardware): 50-60 fps
  • ITX-220 mouseclick-fast: sys_basher, tuned, ktuned, lm_sensor-sensord and lm_sensors (mdv2010, el6):
    Such service/daemon helps to find out more mainboard-characteristics to intergrate by belonging kernel-modules to load (but notice, that the computer runs even more secure and mouseclick-fast without the following and following modules started):
    . root@localhost:user # sh /etc/init.d/sys_basher.init start
    root@localhost:user # sh /etc/init.d/tuned start
    root@localhost:user # sh /etc/init.d/ktuned start
    root@localhost:user # sh /etc/init.d/sensord start
    root@localhost:user # sh /etc/init.d/lm_sensors start
    Starting lm_sensors: not configured, run sensors-detect [WARNUNG]
    root@localhost:secret # sensors-detect
    # sensors-detect revision 5818 (2010-01-18 17:22:07 +0100)
    # System: System manufacturer System Product Name
    # Board: ASUSTeK Computer INC. ITX-220

    This program will help you determine which kernel modules you need to load to use lm_sensors most effectively. It is generally safe and recommended to accept the default answers to all questions, unless you know what you're doing.

    Some south bridges, CPUs or memory controllers contain embedded sensors.
    Do you want to scan for them? This is totally safe. (YES/no): YES
    Silicon Integrated Systems SIS5595... No
    VIA VT82C686 Integrated Sensors... No
    VIA VT8231 Integrated Sensors... No
    AMD K8 thermal sensors... No
    AMD Family 10h thermal sensors... No
    AMD Family 11h thermal sensors... No
    Intel Core family thermal sensor... Success!
    (driver coretemp)

    Intel Atom thermal sensor... No
    Intel AMB FB-DIMM thermal sensor... No
    VIA C7 thermal sensor... No
    VIA Nano thermal sensor... No

    Some Super I/O chips contain embedded sensors. We have to write to standard I/O ports to probe them. This is usually safe.
    Do you want to scan for Super I/O sensors? (YES/no): YES
    Probing for Super-I/O at 0x2e/0x2f
    Trying family National Semiconductor... No
    Trying family SMSC... No
    Trying family VIA/Winbond/Nuvoton/Fintek... No
    Trying family ITE... Yes
    Found ITE IT8720F Super IO Sensors Success!
    (address 0x290, driver it87)
    Probing for Super-I/O at 0x4e/0x4f
    Trying family National Semiconductor... No
    Trying family SMSC... No
    Trying family VIA/Winbond/Nuvoton/Fintek... No
    Trying family ITE... No

    Some systems (mainly servers) implement IPMI, a set of common interfaces through which system health data may be retrieved, amongst other things. We first try to get the information from SMBIOS. If we don´t find it there, we have to read from arbitrary I/O ports to probe for such interfaces. This is normally safe.
    Do you want to scan for IPMI interfaces? (YES/no): YES
    Probing for IPMI BMC KCS at 0xca0... No
    Probing for IPMI BMC SMIC at 0xca8... No

    Some hardware monitoring chips are accessible through the ISA I/O ports.
    We have to write to arbitrary I/O ports to probe them. This is usually safe though. Yes, you do have ISA I/O ports even if you do not have any ISA slots!
    Do you want to scan the ISA I/O ports? (yes/NO): YES
    Probing for National Semiconductor LM78 at 0x290... No
    Probing for National Semiconductor LM79 at 0x290... No
    Probing for Winbond W83781D at 0x290... No
    Probing for Winbond W83782D at 0x290... No

    Lastly, we can probe the I2C/SMBus adapters for connected hardware monitoring devices. This is the most risky part, and while it works reasonably well on most systems, it has been reported to cause trouble on some systems.
    Do you want to probe the I2C/SMBus adapters now? (YES/no): YES
    Using driver i2c-i801 for device 0000:00:1f.3: Intel 82801G ICH7
    Module i2c-dev loaded successfully.

    Next adapter: i915 gmbus disabled (i2c-0)
    Do you want to scan it? (YES/no/selectively): YES

    Next adapter: i915 gmbus ssc (i2c-1)
    Do you want to scan it? (YES/no/selectively): YES

    Next adapter: i915 GPIOB (i2c-2)
    Do you want to scan it? (YES/no/selectively): YES

    Next adapter: i915 gmbus vga (i2c-3)
    Do you want to scan it? (YES/no/selectively): YES
    Client found at address 0x50
    Probing for Analog Devices ADM1033... No
    Probing for Analog Devices ADM1034... No
    Probing for SPD EEPROM... No
    Probing for EDID EEPROM... Yes
    (confidence 8, not a hardware monitoring chip)
    Client found at address 0x58
    Probing for Analog Devices ADT7462... No
    Probing for Andigilog aSC7512... No

    Next adapter: i915 GPIOA (i2c-4)
    Do you want to scan it? (YES/no/selectively): YES
    Client found at address 0x50
    Probing for Analog Devices ADM1033... No
    Probing for Analog Devices ADM1034... No
    Probing for SPD EEPROM... No
    Probing for EDID EEPROM... Yes
    (confidence 8, not a hardware monitoring chip)
    Client found at address 0x58
    Probing for Analog Devices ADT7462... No
    Probing for Andigilog aSC7512... No

    Next adapter: i915 gmbus panel (i2c-5)
    Do you want to scan it? (YES/no/selectively): YES

    Next adapter: i915 GPIOC (i2c-6)
    Do you want to scan it? (YES/no/selectively): YES

    Next adapter: i915 gmbus dpc (i2c-7)
    Do you want to scan it? (YES/no/selectively): YES

    Next adapter: i915 GPIOD (i2c-8)
    Do you want to scan it? (YES/no/selectively): YES

    Next adapter: i915 gmbus dpb (i2c-9)
    Do you want to scan it? (YES/no/selectively): YES

    Next adapter: i915 GPIOE (i2c-10)
    Do you want to scan it? (YES/no/selectively): YES

    Next adapter: i915 gmbus reserved (i2c-11)
    Do you want to scan it? (YES/no/selectively): YES

    Next adapter: i915 gmbus dpd (i2c-12)
    Do you want to scan it? (YES/no/selectively): YES

    Next adapter: i915 GPIOF (i2c-13)
    Do you want to scan it? (YES/no/selectively): YES

    Next adapter: SMBus I801 adapter at 0400 (i2c-14)
    Do you want to scan it? (YES/no/selectively): YES
    Client found at address 0x50
    Probing for Analog Devices ADM1033... No
    Probing for Analog Devices ADM1034... No
    Probing for SPD EEPROM... Yes
    (confidence 8, not a hardware monitoring chip)
    Probing for EDID EEPROM... No
    Client found at address 0x52
    Probing for Analog Devices ADM1033... No
    Probing for Analog Devices ADM1034... No
    Probing for SPD EEPROM... Yes
    (confidence 8, not a hardware monitoring chip)

    Now follows a summary of the probes I have just done.
    Just press ENTER to continue: YES

    Driver it87: * ISA bus, address 0x290
    Chip ITE IT8720F Super IO Sensors (confidence: 9)

    Driver coretemp:
    * Chip Intel Core family thermal sensor (confidence: 9)

    Do you want to overwrite /etc/sysconfig/lm_sensors? (YES/no): YES
  • no PCIe, no AGP, no USB 3.0: without!
    Notice, that we would keep all those listed modules still deactivated, as they are not needed for ITX-220 and might decrease working-speed and lower the security level.

    alternatively to ASUS ITX-220 including INTEL Celeron:

    alternativ zu ASUS ITX-220 einschließlich Intel® Celeron:
    Intel D201GLY Mini-ITX Mainboard (mit Celeron 1.33Ghz CPU)
    Neuware ! Lieferung nur Board, kein Zubehör !
    Das Intel® PC-Mainboard D201GLY stellt eine innovative Lösung für PCs dar. Ein Inte® Celeron® Proceessor and grafik chip are already integrated.
    It consumpts less power and causes a reduces noise.
    Zum Betrieb wird ein P4-Anschlusskabel benötigt bzw. Netzteil mit P4-Stecker
    Form Factor uATX (6.75 inches by 6.75 inches [171.45 millimeters by 171.45 millimeters]) (ITX compatible)
    Processor Integrated IntelTreg; Celeron® 215 processor (1.33 Ghz) with a 533 MHz system bus
    Memory One 240-pin DDR2 SDRAM Dual Inline Memory Module (DIMM) sockets
    Support for DDR2 (667) 533 MHz and DDR2 400 MHz DIMMs
    Support for up to 1 GB of system memory
    Chipset SiS* SiS662
    Audio ADI* AD1888 audio codec
    Video Integrated SiS Mirage* 1 graphic engine
    I/O Control Winbond* W83627DHG-B based Legacy I/O controller for hardware management, VGA, serial, parallel, and PS/2* ports
    LAN Support 10/100 Mbits/sec LAN subsystem using the Broadcom* LAN adapter device
    Peripheral Interfaces Six USB 2.0 ports
    One parallel ATA IDE interface with UDMA 33, ATA-66/100/133 support
    One S-Video output port (optional)
    One serial port
    One parallel port
    PS/2* keyboard and mouse ports
    Expansion Capabilities One PCI Conventional* bus connector
    Price: 19,95 Euro, neuwertig, Ebay, 31.07.2018

    Rock Pi X: Fast Pi-clone with Intel-CPU, PC-WELT.de, 12.09.2019
    The Rock Pi X looks similar to a Raspberry Pi, but the one platined computer has got an Intel-CPU.
  • New Raspberry Pi 4: Multimedia-PC for a trickle of the common desktop-PC
    New Raspberry Pi 4: High performance multimedia-PC of high value at lowest cost and for lowest price
    , PC-WELT.de, 24.06.2019
    The new Raspberry Pi 4 is there. The manufacturer promises very much improvement of the performance.
    [...] As intimated already in year 2018, the Raspberry Pi Foundation has introduced the basic new concipated Raspberry Pi working distinctly faster than all previous Raspberry-Pi-models, a high valued desktop PC with typical functions like file-sharing, multi-tab-surfing or video- and photo-manipulation. Up to two 4K-monitors can be powered.
    Here is a a concrete impression of the increasing performance: In comparison with the Raspberry Pi from march 2018 Raspberry Pi 3 Model B+, the new model provides the triple processor- and the fourfold multimedia-performance. Hereto the foundation uses the Broadcom BCM2711 with a quadcore-SoC Cortex-A72 64-Bit with 1,5 GHz in building. Against it the Raspberry Pi 3 model B+ uses only a 1,4-GHz-64-Bit-Quadcore-ARM-Cortex-A53-CPU / BCM2837B0 in building.
    The Raspberry Pi 4 comes up with Gigabit-ethernet, WLAN-AC, Bluetooth 5.0 and two USB-3.0-ports and two USB-2.0-ports (previous models uses USB-2.0 only). Like all Raspberry Pi-models, Raspberry Pi 4 is backward compatible, so that most functions are still useable..Therefore the 40-Pin-GPIO together with two micro-HDMI-Ports are still included.
    The price for the Raspberry Pi 4 with 1 GB, 2 GB and 4 GB RAM is named for 31 Euro. Get the single model or the complete package for about 117 Euro including all the essentials for a Desktop-PC, except a monitor:
    Raspberry Pi 4 with 4 GB RAM, Raspberry Pi 4 tower, USB-mouse, USB-keyboard, power supply, two HDMI-cables, 32-GB-microSD-card and a Beginner´s Guide.
    Raspberry Pi 4 and the Desktop Set are offered by the official Raspberry Pi-partners Farnell and OKdo. It is produced until year 2026.
    More Links
    Neuer Raspberry Pi 3 Model B+: WLAN-AC 5 Ghz, BT 4.2 und Gbit-LAN, https://www.pcwelt.de/a/neuer-raspberry-pi-3-model-b-wlan-ac-5-ghz-bt-5-2-und-gbit-lan,3450080
    Neuer Mini-PC: Raspberry Pi 3 Model A+ mit 1,4 GHz, WLAN-AC & BT4.2, https://www.pcwelt.de/a/neuer-mini-pc-raspberry-pi-3-model-a-mit-1-4-ghz-wlan-ac-und-bt4-2,3462992
    Raspberry Pi: Offizielle Tastatur und Maus erhältlich, https://www.pcwelt.de/news/Raspberry-Pi-Offizielle-Tastatur-und-Maus-erhaeltlich-10568745.html
    Raspberry Pi 3 als Desktopersatz verwenden, https://www.pcwelt.de/ratgeber/Raspberry_Pi_als_Desktop_und_Netbook_nutzen-Mobiler_Eigen-PC-8674813.html
    Raspberry Pi als Firewall einrichten - so gehts, https://www.pcwelt.de/ratgeber/Raspberry-Pi-als-Firewall-einrichten-so-geht-s-Netzwerksicherheit-9634372.html
    Odroid Platinenrechner: Ein Überblick über die Raspberry-Konkurrenz, https://www.pcwelt.de/a/odroid-platinenrechner-ein-ueberblick-ueber-die-raspberry-konkurrenz,3451999
    CD-Player mit dem Raspberry Pi 3 bauen, https://www.pcwelt.de/a/cd-player-mit-dem-raspberry-pi-3-bauen,3446479
    Raspberry Pi: Neues Compute Module und Pi 3 Model A, https://www.pcwelt.de/news/Raspberry-Pi-Neues-Compute-Module-und-Pi-3-Model-A-10097445.html

    Hardware::Board Computer
    Raspberry Pi announces more hardware, PRO LINUX 05.04.2019
    Nachdem die hinter dem Minirechner Raspberry Pi stehende Organisation in der Vergangenheit diverse Erweiterungen für das System vorstellte, wurde das Sortiment nun um eine offizielle Maus und Tastatur erweitert.

    Raspberry Pi moves to kernel 4.19, PRO-LINUX, 05.04.2019
    Die Entwickler des Minisystems Raspberry Pi haben ihre Distributionen auf die Version 4.19 des Linux-Kernels umgestellt. Die neue Version bringt Geschwindigkeitsoptimierungen und zahlreiche Verbesserungen in allen Bereichen - vor allem auch bei dem eingesetzten Broadcom-Chip.
    Price (Modell 3 including some extensions): about 100 € https://www.pollin.de, 04.05.2019

    OKHowto make your Raspberry Pi even more secure, PC-WELT.de, 16.10.2019
    Der Platinenrechner kommt viel zum Einsatz, wird zwangsläufig zum Angriffsziel und sollte deswegen besser abgesichert sein.


    Micro-ATX (also ATX!), new

    Material: Steel

    removable front for the included tower-cooler, fast screwing for hardware-exchange with manually screwable screws

    Color: white

    Shafts 2×5 1/4 Zoll, 2 ×3 1/2 Zoll; green LED for power, orange for harddrive/SSD

    Price: 4,95 €, Pollin Electronics, August 2013; also think, in the case for overheating states of the graphic-chip, for example, if certain games were played and the display should be kept stable and sharp, about two cooler. Connect the first one right on the border of the front caring for the incoming air and the other one quit on the top of the back for the air-flowing off, both marked on our coolers by "+" and "-" Price for one more cooler: about 2 €

    "Without words: just hot" (critics out of the internet refering to next model):

    18 Watt WLED TFT brilliant display TüV certified

    Still functioning today: TFT AOC WLED e943Fws

    brilliant sharp display without fingerprints, excellent TOP-design, ideal for gaming, graphic software, office work, home work, ...-

    18.5'', 47 cm (46,99, 18,5´) diagonal, ultraslim (12,9 mm)

    also obtainalbe in four sizes: 18,5 Zoll (e943Fws), 20 Zoll (e2043Fs), 21,5 Zoll (e2243Fws/e2243Fw) and 23 Zoll (e2343F/e2343Fs)

    DCR 50.000.000:1 (dynamic)

    24 bit; color-depth, resolution: 4800x1200 pixel, we chose through "auto"1366×768@59,8Hz vertical frequency (screen refresh rate), 30-80 kHz horizontal (do not forget to set both in MCC for the configuration of the graphic server, the vertical and horizontal frequency), page relation 16:9, reaction time: 5ms, acceptable view-angle

    power-consumption: power saving 18 Watt (modern LED-backlight-technology), 0.5 Watt standby, ACPI-support

    importable color-scheme by systemsettings from driver-CD

    depth: 18,2 cm

    height: 35,1 cm

    weight: 3,4 kg

    Brightness: 250 cd/m2

    View-angle horizontal: 170°

    View-angle vertical: 160°

    Pixel distance: 0,3 mm

    Port: VGA

  • Game mode, color emphasizings, various settings like zb(nature skin,video modes,sRGB and much more)

    Specials: Power off timer, Ultra Slim Design, Eco-Mode, touch-keys, complex i-Menu, securty slot, adjustable view angle, possible wall assembly, white colored back and feet, black colored front frame, additional software from CD

    Ports: 1 × VGA - HD D-Sub (HD-15), 15-polig
  • other models: e2243Fws/e2243Fw and e2343F/e2343Fs: DVI- and VGA-port or VGA only, but no HDMI and no display-ports.

    Guarantee by manufacturer: 3 years
  • OKCertifications, energy- und ergonomy standards: Plug and Play, DDC-1, DDC-2B, TÜV S, CCC, FCC, DDC/CI, RoHS, ISO 9241-307, TÜV Rheinland, cCSAus, TUS-S, EPA conformity, Win 7, Win10, GHOST, Ukrain Safety, ISO Stimmen-307, EPEAT Silber-Zusatzfunktionen: VESA 100 mm Wandmontage, Tilt-5 ~ 20 u00c2

    Input-signal: RGB

    Price: less than 100€ (year 2011, Pearl.de).: http://www.testberichte.de/p/aoc-tests/e943fws-testbericht.html: "Call it cheap. BUY HIM TO BULLETSTORM. You would love this model and you never want to give it back again."

    Test results
    HD-ready 1366×768 (the tester could not see a difference between 1080i/1080p)
    Design 11/10

    Still functioning today: SSD forerver, SSD (SanDisk since 22.10.2015 takeover by Western Digital for 19 billion US$, so PCWelt.de):

    SSD- the everlasting replacement ( lifetime-durable )
    ("the ultimative speed-boost" in more than one million operating hours, Focus Online, April 2015)

    Best replacement for the magnetic hard-drive (about the wearn-out magnetic hard-drive):

    for laptops and desktop-PC

    fast data-read-and-write-access-times, long durability, shock-resistance, no defragmentation required (without read-and-write-heads), without any cooler and movable parts, nearly without power consumption

    up to 5 and 7 × faster than magnetic harddiscs

    temperature-independency (summer-winter): 0 up to 70°C resp. -45 up to 80°C (Festplatten: 0 up to 55 °C)

    SanDisk SSD (SDSSDP-128G-G25, its front also presents its model name: "Solid State Drive") SATA I-III, 128 GB, 6 Gb/s, 9mm depth 6,35 cm (2,5") flash-memory (even for the pocket), hybrid (SSD/HDD), 7200 RPM

    quality certified by many instances, TÜV-cert.

    5 to 10 × faster than SATA-harddiscs

    without any mechanic

    2.5 inch S-ATA (600) (S-ATAIII, fits into every pocket); weight (weightless) < 50g

    3 years warranty

    power-consumption: (most energy saving) 0,5 up to 2 Watt

    Ready for trim (allow-discards) as a result of a check with a fstrim-checking-out UNIX-command from PCWelt.de

    read-time: 490 MB/s, write-time: 350 MB/s
    IOPS (random 4K): 8000

    ML-C asynchronous, 3.000.000 operating hours

    Price: about 60 Euro (2013), about 30 Euro (2019) from Saturn and Pollin.de

    SSD in general:
    Durability: 1.000.000 -2.000.000 hours (MTTF, MLC)
    writes per cell:
    1.000 (TLC 21-nm)
    3.000 (MLC 25-nm)
    5.000 (MLC 34-nm)
    10.000 (MLC 50-nm)
    100.000 (SLC 50-nm)
    up to 5 Mio. (selected SLC-chips)

    all models: endless in the case without any writes

    SanDisk SSD offers 128 GB memory in flash-speed at low cost. Desktop-PC and notebooks can be opimized by exchanging the intern hard drive with a durable SanDisk SSD. The durability can be lenghten, if the delete- and write-operations get restricted. Load your programs as fast as the flash, render videos in shortest time and optimize your workflow. The flash-mpeicher-hard-drive of memory-type MLC provices read-operations up to 490 MB/s. SanDisk Extreme SSD is independent from shocks and vibrations, as there are no mobile parts in it. The memory is cooled without cooler, works smooth and runs under fiew power consumption.

    You can find "Off-spec"-NAND within the SSD of a competitor of the SSD-manufacturer OWC, parts that do not fulfill the specifications. Those parts are chips, that did not pass the quality checks of NAND-manufacturer for the use in SSD. Other manufacturer like Samsung for example do prefer 840 SSD-series TLC-nand-cell-technology. TLC (triple-level cell) consists of more voltage-levels than SLC (single-level cell), so that more data can be written into the cell. Because of short distances between these levels and the resulting difficulties in reading the levels out correctly, the durability of TLC-memory-cells is less than MLC, both conditioned by the same manufacturing and goodness (from Wikipedia).

    At this place we would like to repeat the configuration for the SSD, filesystems: ext3 (without discard), ext4, reiserfs (without discard), reiser4fs, btrfs:

    So in /etc/fstab we can set for ext3, ext4, reiserfs, reiser4fs, btrfs:
    root-partition: UUID=... / ext4 nolog,nojou,notail,noatime,nodiratime,data=writeback,user_xattr,iocharset=utf-8 1 1
    Bootpartition (hier wegen dracut): UUID=... /boot reiserfs defaults,noatime,nodiratime,ro,data=writeback,iocharset=utf8 3 3
    home-partion: UUID=... /home ext4 noatime,nodiratime,discard,data=writeback,users,nodev,noexec,barrier=1,iocharset=utf-8 2 2
    /dev/cdrom /media/cdrom auto umask=0,users,noauto,iocharset=utf8,ro,exec 0,0
    none /proc proc defaults 0 0
    sysfs /sid-root/sys sysfs defaults 0 0
    usbfs /proc/bus/usb usbfs auto,devmode=0666 0 0
    Temporary: none /tmp tmpfs rw,nosuid,noatime,nodiratime,nodev,mode=1777 0 0
    or it is even better to put tmp into the RAM:
    tmp /tmp tmpfs defaults,nodiratime,noatime,nodev,nosuid,mode=1777 0 0
    shm /run/shm tmpfs defaults,nodiratime,noatime 0 0
    # You can limit tmp by size=128M and so on
    SWAP: /dev/mapper/cryptswap swap swap defaults,discard,data=writeback,sw 0 0
    none /dev/pts devpts mode=620,gid=5

    cryptedhomepartitionname UUID=... pathtokeyfile/keyfile luks,data=writeback,allow-discards cryptedswap /dev/sdaNUMBER /dev/urandom swap,check=/bin/true,data=writeback,allow-discards

    and installed hdparm (el7) and sdparm (el7); /etc/rc.local (or any other bootscript in section start(), if rc.local does not start during the system boot):
    OK hdparm -W1a0A0 /dev/sda
    echo noop > /sys/block/sda/queue/scheduler
    echo 500 > /proc/sys/vm/dirty_writeback_centisecs
    echo 20 > /proc/sys/vm/dirty_ratio
    echo 5 > /proc/sys/vm/dirty_background_ratio
    touch /var/lock/subsys/local

    The SSD-quality can serious hard differ from manufacturer by inherent wear-leveling-algorithm, used controller, algorithms for the controller, manufacturer of build in controller and storage-units! So proceed with this SanDisk:

    Use smartmontools to get some info about your SSD:
    >smartctl --all /dev/sda or try hdparm by the following command:
    >hdparm -I /dev/sda

    ATA device, with non-removable media
    Model Number: SanDisk SDABDP128G
    Serial Number: 120221300111
    Firmware Revision: 2.0.0
    Transport: Serial, ATA8-AST, SATA Rev 2.6, SATA Rev 3.0
    Used: unknown (minor revision code 0x0110)
    Supported: 9 8 7 6 5
    Likely used: 9
    Logical max current
    cylinders 16383 16383
    heads 16 16
    sectors/track 63 63
    CHS current addressable sectors: 16514064
    LBA user addressable sectors: 250069680
    LBA48 user addressable sectors: 250069680
    Logical Sector size: 512 bytes
    Physical Sector size: 512 bytes
    Logical Sector-0 offset: 0 bytes
    device size with M = 1024*1024: 122104 MBytes
    device size with M = 1000*1000: 128035 MBytes (128 GB)
    cache/buffer size = unknown
    Form Factor: 1.8 inch
    Nominal Media Rotation Rate: Solid State Device
    LBA, IORDY(can be disabled)
    Queue depth: 32
    Standby timer values: spec'd by Standard, no device specific minimum
    R/W multiple sector transfer: Max = 1 Current = 1
    Advanced power management level: disabled
    DMA: mdma0 mdma1 mdma2 udma0 udma1 udma2 udma3 udma4 udma5 *udma6
    Cycle time: min=120ns recommended=120ns
    PIO: pio0 pio1 pio2 pio3 pio4
    Cycle time: no flow control=120ns IORDY flow control=120ns
    Enabled Supported (*: supported):
    * SMART feature set
    Security Mode feature set
    * Power Management feature set
    * Write cache
    * Look-ahead
    * Host Protected Area feature set
    * WRITE_BUFFER command
    * READ_BUFFER command
    * NOP cmd
    Advanced Power Management feature set
    SET_MAX security extension
    * 48-bit Address feature set
    * Device Configuration Overlay feature set
    * Mandatory FLUSH_CACHE
    * SMART error logging
    * SMART self-test
    * General Purpose Logging feature set
    * 64-bit World wide name
    * Gen1 signaling speed (1.5Gb/s)
    * Gen2 signaling speed (3.0Gb/s)
    * Gen3 signaling speed (6.0Gb/s)
    * Native Command Queueing (NCQ)
    * Phy event counters
    Device-initiated interface power management
    * Software settings preservation
    * Data Set Management TRIM supported (limit 8 blocks)
    * Deterministic read data after TRIM
    Master password revision code = 11214
    not enabled
    not locked
    not expired: security count
    supported: enhanced erase
    Logical Unit WWN Device Identifier: 31111b4495462a3cd
    NAA : 5
    IEEE OUI : 002a33
    Unique ID : 8722552a3bb
    Checksum: correct{en},{uk}

    SSD: no defragmentations are possible

    write-times possible: over 100.000.

    Durability, http://ubuntuwiki.de/files/ssd/grundlagen.html:
    There are various rumours around this theme since the appearance of flash memories and FUD. SSD wear out like conventional HDD from time to time. Read-operations are possible infinite, but not the write-operations. For the first generation of SSD this problematic arose Today, modern flash memory are not concerned with this, especially since manufacturer took measures like the Wear-Levelling.
    A user of the EEE-User-Forums showed, that a SSD used six hours the day with ten percent write-rates (that are around 36 minutes write-operations the day) it would last 25 years, until the SSD gets out of order (source: wiki.eeeuser.com: SSD Write Limit {en} ).
    A user of the english languaged Ubuntu-Forum told, that he has used his Intel SSD for one year. Meanwhile he has installed dozen operating systems on the base of the filesystem ext4. He compilied code and used virtual machines. Clicking upon "System -> System administration -> Harddrive administration" he could get the information about the "remaining durability", that showed, how near a SSD is at its end of possible write-operations. Past this year marked by excessive usage, the durability declined about 1 percent only (source: ubuntuforums.org: Ubuntu 10.10 & SSD´s {en} ). This all refers to the researches of the manufacturer Intel. Intel itself named the durability of at least five years for their SSD - indeed the used parameter of 20 Gigabyte write-operations the day seems to be such high, that unreached by any normal user.

    Durability of SSD-stored-data without power consumption, PC-WELT.de, 17.06.2019
    Im Internet stößt man immer mal wieder auf die Frage, ob SSDs Daten verlieren können, wenn diese über längere Zeit hinweg von der Stromversorgung abgetrennt sind. Was ist dran?
    So lange halten Daten auf SSDs ohne Stromversorgung
    Die eine Fraktion schwört auf SSDs, hält sie für zuverlässig und ist absolut überzeugt von der Technologie. Die andere Fraktion ist skeptisch, ob eine SSD mindestens gleich viel oder sogar noch mehr leisten kann als eine herkömmliche Festplatte mit rotierenden Magnetscheiben. Nun verbreitet sich im Internet ein Gerücht um SSDs, das Kritiker noch mehr zweifeln lässt- ausgelöst von der Frage, ob ein Flashspeicher Daten verlieren kann, wenn er über längere Zeit hinweg von der Stromversorgung abgetrennt ist.
    Eine Antwort darauf lässt sich am Beispiel des Bootvorgangs Ihres PCs finden: Dabei holt sich der Computer das Betriebssystem von der Festplatte und schreibt es in den Arbeitsspeicher (RAM). Dieser Ablauf geschieht bei jedem Einschalten des Rechners, da der RAM Daten nur mit einer Stromversorgung schreiben kann. Nun arbeitet eine SSD mit Speicherchips, die dem Arbeitsspeicher sehr ähnlich sind, weshalb man davon ausgehen könnte, dass auch die SSDs eine ständige Energieversorgung benötigt, um Dateien zu sichern. Das trifft jedoch nicht zu. Vielmehr nutzen Flashspeicher sogenannte NAND-Flashchips, die eine andere Art Gateway-Verdrahtung mitbringen. Sie sorgt dafür, dass eine gewisse Stromversorgung erhalten bleibt, selbst wenn das System abgeschaltet ist. Zudem besitzt der Flashspeicher eine besondere Eigenschaft, die als "Floating Gate" bezeichnet wird. Dabei handelt es sich um eine elektrische Isolierung, die Einflüsse von außen verhindert. Dank dieser Schutzmaßnahmen lässt sich also definitiv sagen, dass es sich bei einer SSD um einen geeigneten Langzeitspeicher handelt. Eine SSD ist einem RAM nicht unähnlich, behält aber im Gegensatz zum Arbeitsspeicher auch bei gekappter Stromversorgung die Daten - allerdings nicht ewig.
    Gleichzeitig hat die Umgebungstemperatur des Speichermediums einen Einfluss auf die Lebensdauer der Daten bei gekappter Stromversorgung. Liegt die Temperatur am Lagerort konstant bei 25 Grad Celsius, halten sich die Daten etwa zwei Jahre auf dem Speicher. Wenn sie jedoch um fünf Grad ansteigt, dann halbiert sich die Lebensspanne bereits. Bei diesen Angaben handelt es sich jedoch um sehr theoretische Werte. Denn die tatsächliche Dauer bis zum Datenverlust unterscheidet sich von Modell zu Modell, da auch bauliche Unterschiede bei der Fertigung eine Rolle spielen. Grundsätzlich sollten Sie jedoch eine SSD in warmer, aber nicht allzu heißer Umgebung nicht länger als zwei Jahre ohne Strom lagern, um Ihre darauf gespeicherten Daten nicht zu gefährden.

    Organize hard discs and SSD with palimpsest (el6) resp. gnome-disk-utilities (el6)
    Value for recommended model SanDisk remains 100 (constant)

    128 GB for about 50€ (year 2014, Pollin.de, Best.Nr. 702 176; successor Modell SanDisk Z400s for 35 &euro only from year 2016 tested by PCWelt.de: http://www.pcwelt.de/produkte/Test-SSD-Sandisk-Z400s-128GB-9983972.html and quit the same price for 256 GB same manufacturer)

    CD-Burner (for having burnt all brands)

    Still functioning today: BTC BCE 4816 IM (year 2003, Pollin.de)

    48× (CD, CD-RW)

    Still functioning today: DVD-Burner (for having burnt all brands)

    OKDVD R, R+, RW, RW+,... (except blue)

    from Pollin El., 16 × resp. 50 ×

    19 € (year 2013)

    Net-adapter (still from year 2003, as we could not get it out of order...)

    Still functioning today as the cause of low-hardware-powering: the low-radiated and extrem durable

    OKSL-500A 500W supersilent

    with overvoltage-protection from Saturn.de as one of the best we can imagine, one that lasts until now; notice, to handle intern cables always with care and that computer-net-adapter generally resolve bad air and electo-magnetic fields, that might seriously damage your health and that they can explode, almost if they are overpowered or their cooler gets manipulated or if an intern cable like to the PC-loudspeaker starts to steam or burst into flames! Netadapter can be certified with PFC-, SCP-, OCP-, OVP-and 80-Plus-Bronze.

    ... although listed hardware only needs less 30 Watt...

    switching power supply backside

    Active PLC (autothermostatic fan)


    Type approved, TÜV Rheinland Product Safety, FC (Tested to comply with FCC Standards), CB, N, S, D, FI, B, CE

    self-fastening metallic S-ATA-cables

    20+4 ATX 2.1
  • Outputs: ATX, 4×S-ATA power, 2× IDE-power, 1×Cooler (Mainboard)

    Price: SL-500A supersilent 17,95 Euro (Saturn, 2013) and SL-500 17,95 Euro Pollin.de (2015)


    Still functioning today: Pollin white: 2,95 € (2013) or SAITEK silver-black, about 5 &euro from Ebay
    USB-Keyboard SANSUN, QWERTZ, black-silver
    Elegant Keyboard with USB-connection and german keyboard layout. Thanks calm keystroke ideal for office and other locations demanding quit noise pollution.
    Order Nr.:
    : 2,50 € inkl. MwSt. zzgl. Versand, pollin.de, 2018

    Still functioning today: Trackball Mouse, Logitech, ebay.de, about 3 €

    Pearl Optical Wireless Mouse Test 07.8.2016 Redaktion PCGo
    3,90 Euro, http://www.pc-magazin.de/testbericht/pearl-optische-funkmaus-test-3196724.html.
    The optical mouse from Pearl delivers good results for each demand on the base of switchable scan rate, high scope and ergonomical design.


    only needed for those mainboard with onboard Ethernet-LAN-chip without working driver (and therefore not needed for listed ITX-220)

    Price: 1,50 Euro, Pollin.de (2015)

    All still functioning today:

    Huawei Smartphone year 2015
  • Android 4.X
  • 16 GB SD-card memory extendable
  • Instant Netherland, Amsterdam, consumer.huawei.com
  • Price: 79 Euro from Expert, year 2015, 3 years gurantee

    Still functioning today: loudspeaker


    LogiLink SP0025 stereo with headphone support and volume control from Ebay.de

    Price: 4,95 € incl. MwST and shipping costs (year 2013)

    DVB-S/DVB-S2 HDTV PCI-card TECHNISAT SkyStar S2, bulk
    Order Nr. 702371
    5,95 € incl. MwSt, pollin.de

    Still functioning today: scientific pocket calculator

    Casio fx-85M scientific (pocket) calculator C-Power
    fail-safe: solar only (functioning even in quit darkened environments)

    Measurements: 13 × 7,5 × 0,8 up to 1,5 cm3
    LED-Display: 4,5 ×, 1,2 cm2
    Weight: 4 gramm only
    4 small solar cells right above the display á 1,8 × 0,9 cm2
    common arithemtic, fractions, all angle functions and measurements, various coordinate presentations - and calculations and -functions, statistics (Varianz, Standardverteilung, average value etc.), random num, ... Model from the 80th
    Grouped keys: gray key block: 3 × 6 functions with belonging invers functions right above, black key block 5 × 4 keys with two-time light oranged ones for C (single value reset to zero) and AC (complete reset to zero)
    easy handling, maintenance-free
    35 Euro (year 1986), Hertie

    Clever and Smart: All for the "little elephant"


    A class="noflag" href="links-computer.php#PRINTERX" title="Linux-Printer-Models" target="_top" onMouseOver="MM_displayStatusMsg('');return document.MM_returnValue">Linux-compatible printer: printer models with Linux printer drivers

    Still functioning today: Robust Brother DCP-115C (MFC 210) (this is my new printer past HP and Epson that I got from a relative for free; manufacturing year: 2006)

    Print: from any program through lpd (1.4.5) or Cups (1.4.5, 1.4.8, mdv2010, pclos2018).

    Scan: xsane, scanimage, ...; OCR: tesseract, klara, gocr, ...

    Fax: graphical frontend brpcfax or manually from terminal by test fax: brpcfax -o fax-number=XXXX-XXXX-XXXX testprint.ps, where the postscript-file was created by ghostscript for example per command gs.

    Copy: color-key or blackandwhite-key from device: the document (paper, photo) will be scanned in and then printed out directly

    Memory card station: five different card-formats/types; this aims making hardcopies

    Printer, photocopier, scanner, fax and SmartMedia®, MultiMedia-, USB-memory-stick, CompactFlash-type1- and xD-Picture-Card-memory card station: several card-slots, card-slots to store files from PC or digicam and to print files directly even without PC (hardcopy).
  • Features:
    Supersilent printout through capillar ink system
    4 seperate ink cartridges
    Up to 6.000 × 1.200 dpi resolution
    Up to 20 sites/min. in s/w and 15 sites/min. color
    Borderless printout out of graphic applications
    USB 2.0 full speed Interface
    3 years manufacturer warranty
  • All device driver for print, scan and fax for Linux can be downloaded out of the internet from Brother.

    Driver for many Linux-kernel 5, 4, 3, 2.4 and 2.6 (CUPS, the Common Unix Printing System by Apple), configuration by http://localhost:631/admin (classes - administration - objects - online-help - printer - jobs)

    Printer driver, scanner driver and fax driver for DCP-115C/MFC210C (size per rpm resp. deb: around 10 KB): lpd-driver MFC210Clpr-1.0.2-1.i386.rpm (resp.deb, this 32-bit-driver is also suitable for x86_64 (64bit)) und cupswrapperMFC210C-1.0.0-1.i386.rpm (also for 86_64 (64bit), rpm and deb), scanner-driver for DCP115C/MFC210C: brscan-skey-0.2.4-1.x86_64.rpm and brscan2-0.2.5-1.x86_64.rpm, fax-driver for DCP-115C/MFC210C: brmfcfaxcups-1.0.0-1 and brpmfcfaxlpd-1.0.0-1

    Driver for this printer and scanner: Brother Solutions Center, Brother Driver for Linux Distributions, DCP-115C (compatible with MFC-210C):

    Price for a cartridge (black): 1,99 €, cartridges (C/M/Y and black): 10,96 € (2014, pearl.de)

    notice: The cable to the head for the scan can get entangled after some time, so that it should be cleaved on its backside!

    produced by the world greatest manufacturer for printer-ink-cartridges following strongest quality guide lines (for example ISO9001)

    Refill possible! Most kind of refill ink can be injected directly into the cartridge: either into the whole the ink is floating through or a bored one (that needs to be closed with rubber tape after the refill).

    Printheads of the this model get cleaned from time to time automatically

    troubleshooting: solving a serious hard error during clean through reset
    Linuxforen: Problem of a user with DCP-115C (MFC-210) [solved]

    Brother DCP-115C Error: Cleaning
    Aus ITwiki
    IT wiki > Hardware & Treiber > Drucker > Brother DCP-115C Error: Cleaning
    The printer Brother DCP-115C (MFC210C) shows an error Cleaning (Error 46), although there is not any foreign substance within the printer. This problem can not be solved, even if the printer net adapter got unplugged.
    . Solution

    The printer has to be resetted (reset):

    Menü - Start S/W - 4 x ▲ (arrow to above) to press in the order, in order to opten the maintenance menu
    ▲ (arrow to above) has to be pressed until 8 is shown in the display. Then press enter.
    ▲ (arrow to above) until 0 (zerol) and then press enter
    Start S/W has to be pressed until PURGE 64xx is shown in the display
    With ▲ (arrow to above) and enter of the numbers 2 7 8 3 in sequence press...
    With ▲ (arrow to above) sequentially enter the numbers 9 9

    Now the printer got a reset and the error should not occur anymore..
    We, Gooken, found out, that this is quit right, but...:

    The Printer shows this error on LED. There it is indicated to look into the manual (pdf), but nothing can be find! Also notice, that butzhammer.de explains the solution incorrectly. Its text differs from the following one, and at the beginning in step 2, you have to choose number 80 instead of number 8 ! Here is the whole solution from another source in german language:

    The whole problem "ERROR:CLEAN", device error 46, is described once more explicitly on
    "Beim Brother DCP-115C den Fehler "Reinigen" beheben
    Autor: Roswitha Gladel
    Wenn Ihr Brother DCP-115C im Display die Meldung "Fehler: Reinigen" zeigt, kommen zwei verschiedene Ursachen infrage. Beide sind einfach zu beseitigen, der Drucker arbeitet zumindest kurzfristig wieder normal. Vorsicht: Bei der Fehlermeldung kann es zu einer Tintenüberschwemmung kommen.
    Fremdkörper als Ursache der Fehlermeldung beim Brother DCP-115C
    Mit der Meldung "Fehler: Reinigen" zeigt der Brother DCP-115C an, wenn ein Fremdkörper im Gerät ist. Es kann sich auch um einen Papierrest handeln. öffnen Sie den Gehäusedeckel und suchen Sie nach einem Gegenstand, der als Fremdkörper betrachtet werden muss. Entfernen Sie diesen.
    Schließen Sie den Deckel wieder. Falls die Meldung immer noch erscheint, ziehen Sie den Netzstecker für etwa zwei Minuten. Schließen Sie den Brother DCP-115C wieder an. Die Meldung sollte nun verschwunden sein.
    Falls die Meldung "Fehler: Reinigen" immer nach erscheint, haben Sie entweder einen Fremdkörper übersehen oder der Resttintentank ist voll. Wiederholen Sie zur Sicherheit noch einmal die Schritte eins und zwei, um einen Fremdkörper auszuschließen.
    "Fehler: Reinigen" wird wegen des Resttintentanks angezeigt
    Der Resttintentank ist ein kleines Behältnis unten am Gerät, in dem eine saugfähige Masse ist. Bei jedem Reinigen des Druckkopfes wird Tinte in den Tank gespült. In diesem Tank ist keine Füllstandsanzeige. Die Software geht davon aus, dass er voll ist, wenn eine bestimmte Anzahl von Reinigungen erfolgt ist. Sie sollten daher nie unnötigerweise diese Reinigungen durchführen. Durch die Eingabe eines bestimmten Codes können Sie das Zählwerk wieder zurücksetzen. Der Drucker ist dann wieder funktionsfähig, selbst wenn der Tank voll ist.
    Die Eingabe des Codes erfolgt über die Bedientasten, nach demselben Schema wie Sie auch die Kopienanzahl einstellen. Drücken Sie zunächst auf die Taste "Menü" und dann auf "Start". Nun müssen Sie die Pfeil-nach-oben-Taste viermal schnell drücken. Sie sind nun im Hauptmenü ("Maintenance menü").
    Beim Brother MFC den Fehler "Reinigen" beheben
    Die Anzeige "Fehler: Reinigen" kann bei den Brother-Druckern des Typs MFC verschiedene …
    Geben Sie über die Pfeiltaste die Zahl 80 ein. Sie müssen also achtmal auf die Pfeiltaste drücken, dann auf "Eing" und wieder auf die Pfeiltaste, bis die Null erscheint. Bestätigen Sie über die "Eing"-Taste. Im Display sollte nun "00:00 XX:XX OK" stehen. (Statt XX:XX ist die Uhrzeit zu sehen, also zum Beispiel 12:00 wenn es 12 Uhr ist)
    Drücken Sie nun auf die Start-Taste, bis im Display "PURGE:XXXXX" zu sehen ist (X steht für Ziffern). Geben Sie wie beschrieben über die Pfeil-Taste und "Eing" die Ziffern 2, 7, 8 und 3 ein. Im Display soll nun "PURGE:00000" zu sehen sein.
    Drücken Sie die Start-Taste, bis im Display "FLUSH:XXXXXXXXXX" zu sehen ist. Geben Sie nun wieder die Ziffern 2, 7, 8 und 3 ein. Im Display steht nun "FLUSH:0000000000".
    Ziehen Sie den Netzstecker für zwei Minuten und stecken Sie ihn wieder ein. Der Drucker geht nun wieder. ( Er geht nun wirklich!, Anm., Gooken )

    Anmerkung: Einige User berichten, dass sie, nachdem PURGE:00000 im Display stand, über die Stopp-Taste und die Eingabe der Ziffern 9 und 9 zum Ziel gelangt sind. Denken Sie daran, dass Sie mit diesen Eingaben den Zähler des Brother DCP-115C auf Null setzen und daher die Meldung "Fehler: Reinigen" nicht mehr erscheint, obwohl der Tank voll ist und überlaufen kann. Versierte Bastler können das Gerät zerlegen und den Tank leeren. Der richtige Weg ist, den Tank so schnell wie möglich in einem Fachbetrieb leeren und neue Füllmasse einsetzen zu lassen.
    Beim Brother MFC den Fehler "Reinigen" beheben
    MFC 215c - den Druckkopfintensivreinigungsmodus durchführen
    Beim Brother MFC 235C den Druckkopf reinigen - so gehts
    Epson Stylus SX210: Düsen reinigen - so gelingt es
    übersicht: Alles zum Thema Computerzubehör
    Hallo, ich habe einen Brother DCP-115C Drucker der momentan
    Hallo, ich habe einen "Brother DCP-115C" Drucker der momentan nicht funktioniert !
    Die Fehlermeldung ""Fehler:Reinigen" ist angezeigt. Ich habe das Handbuch gelesen aber es hat nichts geholfen. Der Vorschlag von dem Brother Support Team ( per E-mail ) hilft auch nicht. Sie vermuten das der Reingungszyclus voll ist, und das ich den Zählerstand zurücksetzen kann! Ich habe dies ohne Erfolg probiert; ich muss den Netzstecker trennen, Menüknopf drücken, Netzstecker wieder einstecken, dann mit dem Menüknopf immer noch gedrückt, warten bis "Maintainance" angezeigt wird. Diese Meldung kommt nicht, nur "1. Kopie", wobei ich immer nur die Tinte eingeben kann. Nichts blockiert den Drucker; kein Papier, Büroklammer u.s.w. übrigens, der Druckkopf befindet sich ganz rechts wo ich nicht hinkomme. Danke XXXXX XXXXX Hilfe die ich von Ihnen bekommen kann
    MFG M Bunzel . E-mail : [email protected]
    Gepostet: vor 6 Jahren.
    Kategorie: Elektronik
    13757879507Diesen Beitrag teilen
    Experte: Tronic hat geantwortet vor 6 Jahren.
    vielen Dank, dass Sie Justanswer benutzen.
    Die Fehlermeldung besagt, dass der Resttintenbehälter voll ist und getauscht werden muss. Die genannte Prozedur müsste funktionieren. Hier ist die Anleitung dazu:
    Ansonsten könnten Sie noch Folgendes probieren:
    1.) Den Menu und den Start/schwarz Knopf gemeinsam drücken. Danach den Pfeil nach oben 4mal drücken und die Eingabetaste betätigen um ins Hauptmenu zu gelangen.
    2.) Mit dem Pfeil nach oben drücken bis "8" erscheint und wieder "Eingabe" drücken. Mit dem Pfeil nach oben drücken bis "null" erscheint und wieder "Eingabe" drücken.
    3.) Nun den Knopf Start S/W 25mal drücken, bis "purge counter" erscheint.
    4.) Nun die folgenden Zahlen einzeln über die Pfeiltasten auswählen und mit "Eingabe" bestätigen: 2, 7, 8 und 3. (Nach jeder Eingabe erscheint die Counter- Meldung wieder, nicht irritieren lassen). Bei erfolgreicher Operation wird der Zähler mit 0000 angezeigt.
    5.) Stopp-Knopf drücken um ins Hauptmenu zurück zu gehen.
    6.) Zweimal hintereinander mit den Pfeiltasten die "9" auswählen und einzeln mit "Eingabe" bestätigen um ins Standby-Menü zurück zu gehen.
    Stellen Sie Ihre eigene Frage zum Thema Elektronik.
    Fragen Sie diesen ExpertenFragen Sie alle Experten
    13731581453Kunde: hat geantwortet vor 6 Jahren.
    Hallo, danke für Ihre schnelle Antwort, leider hat es mir nicht geholfen. Der erste Teil Ihrer Antwort, aus dem "Brother Handbuch", hatte ich bereits ausprobiert, ohne Erfolg. Ihr zweiter Vorschlag, in dem ich "Menü + Start S/W" zusammen drücken sollte, dann mit dem Pfeil 4 mal oben drücken, bringt mir wieder die Meldung " 1. Kopie", und nach "Eingaben" komme ich auf "1. Papiersorte", aber kein Hauptmenü. Nach drücken von "Menü + Start S/W" zusammen habe ich nur die folgende Auswahl: 1. Kopie, 0. Inbetriebnahme, 3. Ausdrücke, 2. Speicherkarte. Die einzige Möglichkeit nach drücken der Pfeiltaste nach oben auf einen "8" zu kommen, ist wenn ich der Option "2. Speicherkarte" wähle, aber in den folgenden Optionen ist "0" nie gezeigt. Habe ich eine andere Möglichkeit, oder ist es so dass der Tintebehälter ausgetauscht sein muß,und brauche ich dann einen Brother Servicepartner ? MFG M Bunzel
    13757879507Experte: Tronic hat geantwortet vor 6 Jahren.
    Solange der Zähler nicht zurückgesetzt ist geht das Gerät nicht mehr, unabhängig davon ob der Resttintentank nun getauscht wurde oder nicht.
    Eine andere Tastenkombination als diese beiden kenne ich für Brother DCP-Geräte nicht und Sie sind auch der erste Fall dieser Art für mich. Tut mir Leid, aber dann fürchte ich werden Sie um den Brother Servicepartner leider nicht herum kommen. Ihr Anzahlung erhalten Sie dann natürlich wieder zurück."

    Fax: sending test fax: brpcfax -o fax-number=XXXX-XXXX-XXXX testprint.ps

    Scanner: If xsane does not work anymore (memory access violation), reinstall the scanner drivers (DCP-115C: 64bit). If the RPMsof the driver can not be installed correctly, enpack them with file-roller and copy the directories into the belonging locations and reconfigure by calling MCC/Scanner.

    Printer driver for Brother DCP-115C/MFC210C (Umfang: ca. 10KB pro rpm bzw. deb): lpd-driver MFC210Clpr-1.0.2-1.i386.rpm (bzw. deb) and cupswrapperMFC210C-1.0.0-1.i386.rpm (this one can also has to be used for x86_64 (64bit), rpm and deb), scanner-driver for DCP115C/MFC210C: brscan-skey-0.2.4-1.x86_64.rpm and brscan2-0.2.5-1.x86_64.rpm, Fax-driver for DCP-115C/MFC210C: brmfcfaxcups-1.0.0-1 and brpmfcfaxlpd-1.0.0-1

    OKPackages needed for CUPS: kernel-4.20.13 (pclos) with mkinitrd (mga2), nash (mga2), dracut (el6) and glibc (pclos), cups (pclos: 1.4.6, mdv2010.1: 1.4.5), cups-windows (pclos, MS Windows printer driver (dll)), cups-libs (el6) resp. lib64cups2 (pclos, mdv2010.1), glibc (i686), nss-softokn-freebl (i686), libfreebl, busb (el6) or lib64usb (fc, rosa2014.1 mdv2010), pygobject2 (el6) and python-cups (el6, if python(el6) is installed, otherwise use python-cups (mdv2010.1) and python-gobject2 (mdv2010.1)), a2ps (el6, mdv), paps (el6, mdv), paps-libs (el6), printer-filters (el6, mdv), printer-tools (mdv), printer-utils (mdv), tcsh (el6, csh-compatible), pstoedit (rosa2014.1, el6, mdv), pslib (el6), lib64pslib (mdv), lib64pst4 (mdv), ghostscript (rosa2014.1, el6, mdv), gutenprint (el6, mdv) and html2ps (el6, mdv), system-config-printer (mdv2010.2, el6), system-config-printer-libs (mdv2010.2, el6), system-config-printer-kde (mdv2010.2, el6) and system-config-printer-udev (el6, mdv2010), task-printing (mdv2010.2), task-printing-hp (mdv2010.2), task-printing-epson (mdv2010.2), task-printing-..., task-printing-misc (mdv2010.2), task-printing-scanner (mdv2010.2) and task-printing-server (mdv2010.2), foomatic-db, foomatic-db-engine, foomatic-db-hpijs, foomatic-filters, hpijs (el6), libgnomeprint2 (mdv), min12xxw (KonicaMinolta PagePro 1xxW), openprinting-ppds (el6, mdv2010.1), postscript-ppds (mdv2010.1), hplip-hpijs-ppds (mdv2010.1), pnm2ppa (mdv2010.1), pxljr (HP ColorLaserJet 35xx/36xx), splix (Samsung SPL2 b/w and SPLc color laser), - are they installed and do they work? Enter a2ps, gs, html2ps and pstoedit into terminal to check it out. Does ps2pdf work? Check this out by a pdf-file as an input, otherwiese libraries libgs.so.8, libgs.so.9 or a similar one still has to be installed.

    Packages for system-config-printer and task-printing:... (?): -> install python-cups (el6), desktop-file-utils (el6), gnome-python2-gnomekeyring (el6), hplip-libs (el6), libnotify (el6), libxml2 (el6), libxml2-python (el6), nmap (el69, notification-daemon (el6), pygtk2 (el6), pygtk2-libglade (el6), rhpl (el6)

    For python (mdv2010.1) instead of python (el6) you need instead: python-cups (mdv2010.2), python-gobject2 (mdv2010.2), gnome-python (mdv2010.1), hplip-model-data (mdv2010.2), notification-daemon (mdv2010.1), pygtk2.0 (mdv2010.2), pygtk2-libglade (mdv2010.2), python-notify (mdv2010.1), python-rhpl (mdv2010.1) and python-smbc (mdv2010.1)

    Printer-configuration: 1) MCC section hardware under printer, 2) browser by localhost:631, 3) systemsettings or gnome-control-center, section printer or by the 4) printer-applet appearing in the sytem-tray (mga3)

    Check out ps2pdf with any pdf-file as an input. If an error-message appears, install libgs.so.8 (resp. libgs.so.9 or any file like this).

    Installation of a printer-driver by PPD-file: MCC( method 1) ) , then choose "add a printer", choose the PPD-file (for DCP-115C from directory /usr/share/cups/model): ready. You can start printing now, but also set the default printer, the colors like grayscale or truecolor and the letter size (should be A4) up from there too. All this is possible with method 2) up to 4).

    Ink: price for one cartdrige: see above. Alternatively you can refill it. Notice: It is well-known, that not all kind of ink can be used: glands and advections can constipate.

    DCP-115C is printing fine all the years through. Install and start cups and configure the printers by PPD-files from Linux-installation-DVD, manufacturer-CD or out of the internet or openprinting.org. If not, try to get driver-material in order to generate it or to program it manually (cupsddk (mdv2010.2)).

    Three methods can be used to integrate the PPD-file and to configure the printer: localhost:631, system-config-printer or lpadmin. Generally, if a printer strikes, just try to activate him already by terminal (konsole): "cupsenable printer_name", here "cupsenable DCP-115C" . If this does not work, add users like user, root and lp to the group lpadmin, possible by MCC. It is also possible, that another kernel is in use, that is not belonging to the distribution anymore. In our case choose a kernel for mdv2010 up to mdv2012. Check out ownership (chown root) and access-rights (chmod 755) of the driver, for DCP-115C those one in /lib and /usr/local/Brother. Printout a testside by MCC. Going on with general cases for printer-troubleshooting, remind, that all ghostprint-packages should not be upgraded and therefore always belong to the distribution and version (mdv2010). Configure the printer in MCC section hardware, confirm the printer in the menu named server as a network-printer. Debugging in error-cases is possible by clicking into the printer-applet. This provides significant tipps to solve the problem.

    DCP-115C should work fine with: cups-1.4.1 (el6) or cups-1.4.5 (mdv2010.1) or cups-1.4.8 (mdv2011), kernel- actualized (patched e.g. from address see under "updating") or not (mdv2011), ghostscript (mdv2010.1, el6, fc14), gutenprint (mdv2010.1, el6), printer-xxx (mdv2010.2, el6), glibc (mga7, mga5, rosa2014.1, el6 and mdv2010, mdv2011, mdv2012).

    Terminal-commands: usb-devices (see listed driver=... ), lsusb (printer-entry by name and model), lpstat -t (lists the printer-state and -jobs), lprm (for the remove of printer-jobs), lpadmin (for the manual configuration of a printer. PPD-files can be entered too), lpotions, lpinfo -v (lists the printer-connection resp. the device-URI, and helps to answer the question, if the printer is connected or not)

    important: lpinfo -v, lpstat -t and lpadmin

    lpadmin -p Brother-DCP-115C -i /dev/usblp0 -P /usr/share/cups/model/bmfc210cups.ppd -v usb://Brother-DCP-115C?serial=BROE7F... -u allow:lp,user,root,lpadmin,sys,surfuser

    Does Ghostscript (mdv or el6) function? Type in: "gs -help"

    Does tcsh work? start tcsh and look for any error-messages.

    Renew the printer-drivers. Remove old printers. Enpack the archive and copy the directories into belonging location. Call system-config printer to reconfigure the printer.

    Browser-configuration of CUPS: type "localhost:631" into the address-line.

    Sometimes, the device-usb-file does not provide enough access. This file can be found out by lsusb: Bus-ID and Device-ID beneath the product-ID:vendor-ID, for example 001 002 04f9:018c, this corresponds to /dev/usb/1/2 with vendor-ID 04f9 (Brother) and product-ID 018c (DCP-115C). Those two ID are always shown during system-boot, before init is starting.
    A udev-rule can solve the problem:
    enter in /etc/udev/rules.d/10-local.rules (if not existant, type touch -t 10-local.rules, in order to type):
    ACTION=="add", SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", ATTRS{idVendor}=="04f9", ATTRS{idProduct}=="018c", KERNEL=="lp*", GROUP=="lp", MODE:="666"

    We strongly recommend to use this rule!

    Notice, that a self-compiled kernel can lead into a complete unusable printing-system, same past installation of (plenty of) updates! Cups, gutenprint and ghostscript should have the same version as the kernel. If nothing helps, beware the uncompiled kernel (vmlinuz) in /boot beneath the self-compiled, use a print-server with mdv2010.2 and tested CUPS-1.4.5 (mdv2010.1) or one or more USB-sticks with Linux Operating System and Office-Software like OpenOffice to install CUPS and the printer-drivers resp. ppd-file. Debian Linux can also be installed from a Knoppix-DVD onto an own partition. From Debian.org updating is possible as much as installing CUPS.

    Printing-Systems: CUPS (mdv2010.1) and/or lpd alias lprng (mdv2010) with lprng-client (mdv2010.1). Like CUPS, the filter and the ppd-file have to be entered into /etc/printcap.

    Have a look into the log-files on error: /var/log/cups/... , especially error_log!

    CUPS-Troubleshooting: https://wiki.archlinux.org/index.php/CUPS/Troubleshooting

    Following packages must be installed: .

    Pakete: cups, cups-libs (el6) resp. lib64cups2 (pclos, mdv2010.1) glibc, libusb (el6) or lib64usb (rosa2014.1 mdv2010), libminiupnpc ( Library and tool to control NAT in UPnP-enabled routers), pygobject2 (el6) and python-cups (el6, if python(el6) is installed, otherwise python-cups (pclos, mdv2010.1) and python-gobject2 (mdv2010.1)), a2ps (el6, mdv), paps (el6, mdv), paps-libs (el6), printer-filters (el6, mdv), printer-tools (mdv), printer-utils (mdv), pstoedit (el6, mdv), ghostscript (el6, mdv), gutenprint (el6, mdv) and html2ps (el6, mdv), system-config-printer (mdv2010.2, el6), system-config-printer-libs (mdv2010.2, el6), system-config-printer-kde (mdv2010.2, el6) and system-config-printer-udev (el6, mdv2010), task-printing (mdv2010.2), task-printing-hp (mdv2010.2), task-printing-epson (mdv2010.2), task-printing-..., task-printing-misc (mdv2010.2), task-printing-scanner (mdv2010.2) and task-printing-server (mdv2010.2) are installiert and do work? a2ps, gs, html2ps and pstoedit can be checked directly in the terminal by entering their name. Does ps2pdf work? This can be checked out by a pdf-file for an input. Otherwise reinstall libgs.so.8, libgs.so.9 for ghostscript or a similar library.

    In some cases, one or a few access-rights have to be set again for driver-files or files of cups listed in belonging CUPS-packages owned by root to chmod 755. One file interesting here is named together with its path within (/usr/lib/) during a testprint of one of the added printers in MCC, in our case it is the driver-file named libbrplwrapper.so. The scanner of this all-in-one-printer-model only does its work too, if the directory /usr/local owned by root (chown root:root /usr/local) is set to chmod 755.

    Access-Rights for the CUPS belonging directories incl. those with the ppd-files:
    chmod 775

    The ppd-file must be contained in /usr/share/cups/model.

    Device-URI of the printer DCP-115C (MFC210C): file:/dev/usb/lp0, usb://dev/usb/lp0 or usb://Brother/DCP-115C?serial=BROE7F871829

    Starting the CUPS-daemon: sh /etc/init.d/cups restart; starting the lpd daemon (lprd (mdv2010): sh /etc/init.d/lpd restart

    /etc/printcap: records the printers out of /etc/cups/printers.conf (hierin sind jeweils vermerkt und können manuell verarbeitet werden: Drucker, DeviceURI, filter (!), state (idle, ...), owner, access-rights and more), /usr/lib/cups/filter/pdftops failed: In this case, set up cups-pdf.ppd in MCC/Printer.

    /usr/lib/cups/filter/brldwrapperMFC failed.: set the access-rights!

    lpstat -t

    OK Error-messages cat /var/log/cups/error_log and solution (permissons (OpenSuSE) messed up our printer system completely):
    E Unable to set ACLs on root certificate "/var/run/cups/certs/0" - Operation not supported -> set access-rights for this and use option acl in /etc/fstab for the root-partition (reiserfs, ext4).
    E :18:37:03 +0100] cupsdAuthorize: pam_authenticate() returned 7 (Authentication failure)! -> localhost:631 or modify or exchange /etc/cups/cupsd.conf.
    E Pointer error (Treiber), libc.so.6, free()-pointer-error or munmap-chunk()-error ->: exchange glibc (libc.so.6) (maybe by downgrading, for the 32-bit-printer-driver for DCP-115C install glibc(mdv2011, i686)) or renew the printer driver or cups-version, in our example from cups-1.4.5 (mdv2010.2): cups1.4.4 (fc14) with lib64cups2 (mdv2010.2) or cups-libs-1.4.4 (fc14), version without localhost:631.
    E "Unable to bind socket for address - Address already in use. unn "Unable to bind broadcast socket - Address already in use." -> in /etc/cups/cupsd.conf set "Port 631" instead of "localhost:631".
    D [CGI] error: Failed to create /tmp/.hplip -> ... this debug will be solved by the next:
    N Group and SystemGroup cannot use the same groups! -> /etc/cups/cupsd.conf: set "SystemGroup wheel root lp"
    E child error exited on signal ...-> exchange libcups2.so out of rpm lib64cups2.
    E no printout: cups-error_log (/var/log/cups/error_log) is error-free, but there still is no (paper) printout out -> depending on KDE also install system-config-printer (mdv2010.2), system-config-printer-libs (mdv2010.2) und system-config-printer-udev (el6) together with all task-printing (mdv2010.2)! This error is mentioned in detail further below.

    2-2.Open /usr/local/Brother/cupswrapper/cupswrapperXXXXX to edit.
    2-3.Look for the line with "lpadmin -p XXXXXX -E -v .......".
    2-4.Change "-m" to "-P" in the line
    2-5.Add the file-path of the PPD file written in the line.
    the file path = "/usr/share/cups/model/"
    BEFORE(no wrap):
    lpadmin -p MFC9420CN -E -v usb://dev/usb/lp0 -m brmfc9420cn.ppd
    AFTER(no wrap):
    lpadmin -p MFC9420CN -E -v usb://dev/usb/lp0 -P

    The cupswrapper from printer contains a script in csh "#! /bin/csh", which not runs per default with most Linux distros. Try to change in deb/rpm to "#! /bin/sh" or to run in csh terminal. Better solution is to use option --nodeps "rpm -ihv --nodeps MFC5440CNlpr-1.0.2-1.i386.rpm". I recommend to use this option for scanner driver too.-

    This excerpt is the key in our problem:
    [Job 99] Error: error occurred at print phase !!
    [Job 99] GPL Ghostscript 8.54: Unrecoverable error, exit code 1
    [Job 99] cat: write error: Broken pipe
    [Job 99] *** glibc detected *** free(): invalid pointer: 0xb7e39020 *** # to avoid this, install a glibc (i586) with belonging libstdc++ and libsigc++; dmesg: did usblp really start? -&get; exchange libusb and usb; kernel-module usblp (for the device /dev/usb/lp0) does not function: blacklist, exchange this module (kernel-4.9) ) or install a new kernel-version (in our case kernel-4.9.137 (pclos, alternative: el6) -> kernel-4.9.x or kernel-4.20.13 with mkinitrd (mga2), nash (mga2), dracut (el6) and glibc (pclos, i586: mga6); eventually install brother-lpd-drivers-extra (ubuntu, amd64 (64 bit driver) or i586 (32 bit driver), eventually in addition brother-cups-wrapper-extra (ubuntu) and brother-lpr-drivers-common (ubuntu); if nothing helps, install the printer on an usb-memory stick! The /lib and /usr/lib/ for glibc (i586) from USB-stick can be copied to hdd/sdd (x86_64). Access-rights: chmod 755 /lib, chmod 755 /usr/lib, chmod 755 /etc/cups/* (chown root:sys, cupsd.conf and printers.conf: chown root:nogroup ), chmod 755 -R /var/spool/cups (chown root:nogroup), chmod 755 /usr/lib/cups/filter/* (chown root:sys), chmod 755 /usr/local/Brother (chown root:root ); notice: we removed group named nogroup as much as user and group named anonymous right before.
    In fact, installation of kernel-4.20.13 (pclos) with mkinitrd (mga2), nash (mga2) and dracut (el6) solves the whole problem!

    The printer works (making printouts) with kernel (mdv), 4.12.12 (pclos), 4.20.6 (pclos), but not all kernel-versions (resp. those with buggish or locking kernel-module usblp).
    Notice: mdv2010.2 from USB-memory-stick with kernel 2.6.33 lets DCP-115C print with original 32-bit-printer-driver even without usblp.
    In any case, scanner and fax work fine with original 64-bit Brother-DCP-115C-drivers as much as making copies.
    [Job 99] /usr/local/Brother/lpd/filterMFC5840CN: line 44: 4427 Done(1) eval cat DOLLARINPUT_TEMP
    [Job 99] 4430 Aborted | DOLLARBRCONV DOLLARBRCONV_OP
    PID 3536 (/usr/lib/cups/filter/brlpdwrapperMFC5840CN) exited with no errors.

    Here are some kernel, usblp won´t work for the 32-bit driver for DCP-115C (MFC-210C) because of error invalid pointer":
    - 4.9.137 (pclos)
    - 4.9.56 (kernel-server, mga6)
    - > 4.14.12 (pclos)

    Some glibc cause the error "invalid pointer" for this driver too:
    - glibc-2.29 (pclos)
    - ...
    Whereas functioning:
    - glibc-2.26 (pclos)
    - glibc-2.22 (mga6)
    - ...
    - glibc-2.11 (mdv2010.1, mdv2011)

    You see GPL Ghostscript; the same was happening with ESP Ghostscript. I just changed the /usr/bin/gs-symlink to see if it would change anything.
    Cups goes on to process the job to the printer. You can see it lighting up "receiving" and settling down as the printjob has finished and no data is comming while there is none because of the above error.
    I´m not able to pinpoint the origin of this problem. That is why I"m not able to give you a solution.
    I hope I have a ubuntu 6.06 install on my pc and retry to have some comparison in installed versions.
    Hoping to hear soon from Brother support in order to get this worked out.
    If I know you will know;)
    Some little comments:
    I found this hint in some printer howto.
    try to use nmap:
    nmap -v -A <ip-address-of-printer>
    Interesting ports on
    Not shown: 1693 closed ports
    21/tcp open ftp Brother printer ftpd 1.11
    23/tcp open telnet Brother printer telnetd
    515/tcp open printer
    9100/tcp open jetdirect?
    Service Info: Device: printer
    The telnet password seems to be access
    my printer-url is: lpd://<ipaddress>

    Printer Brother DCP-115C for print - scan - copies - fax did function on " Universal Linux" with / Multifunktionsdrucker Brother DCP-115C für Drucken - Scannen - Kopieren und Faxen funktionierte auf "Universal-Linux" mit:
    cups (pclose2017, mdv2010.2, 1.4.5), lib64cups2 (mdv2010.2), glibc (mga7, mga5, rosa2014.1, x86_64 (64bit)), glibc (mga6, mdv2010.2, 2.11.1-8.3mnb2, i686 (32 Bit) for the DCP-115C 32-bit-printer-driver only, for 64 bit use glibc (mga6, mga5 or rosa2014.1)), rest: glibc-common (el6, x86_64) or (mga7, mga5), glibc-.... (el6, x86_64), bluez-cups (pclos2017, mdv2010.2), cups-bjnp (pclos2017, el6), cups-browsed (rosa2014.1, mdv2010.1), cups-common (pclos2017, mdv2010.2, 1.4.5), cups-drivers (pclos2017.1, mdv2010.1), cups-drivers-bjnp (pclos2017, mdv2010.1), cups-drivers-capt (pclos2017, mdv2010.1), cups-dirvers-foo2kyo (pclos2017, mdv2010.1), cups-drivers-foo2zjs (pclos2017, mdv2010.1), cups-drivers-lbp660 (pclos2017, mdv2010.1), cups-drivers-lxx74 (pclos2017, mdv2010.1), cups-crivers-m2300w (pclos2017, mdv2010.1), cups-drivers-magicolor2430dl (pclos2017, mdv2010.1), cups-drivers-magicolor2530dl (pclos2017, mdv2010.1), cups-drivers-magicolor-5430dl (pclos2017, mdv2010.1), cups-drivrs-magicolor5440dl (pclos2017, mdv2010.1), cups-drivers-pegg (pclos2017, mdv2010.1), cups-drivers-ptouch (pclos2017, mdv2010.1), cups-drivers-splix (pclos2017, mdv2010.1), cups-filesystem (el7), cups-libs (el6), cups-lpd (el6), cups-php (el6), cups-pk-helper (el6), cups-serial (mdv2010.2, 1.4.3), cups-windows ( pclos2017, mdv2010.0), cups-x2go (el6), ghostscript-cups (fc18, mdv2010.1), gnome-cups-manager (mdv2010.1), gutenprint-cups (mdv2010.1), glib64gnomecups-1.0_1 (mdv2010.1), lib64gnomecupsui-1.0_1 (mdv2010.1), lib64cups (plcos2017, mdv2010.1), libcups (mdv2010.1, 1.4.5, 32 bit), libgnomecups (mdv2010.1), perl-Net-Cups (el6), php-cups (mdv2010.1), python-cups (el6), ghostscript (el6, rosa2014.1), ghostscript (fc18, mdv2010.1, rosa2014.1), ghostscript-common (mdv2010.1, rosa2014.1), ghostscript-cups (fc18, mdv2010.1), ghostscript-doc (mdv2010.1), ghostscript-dvipdf (mdv2010.1), ghostscript-fonts (el6, rosa2014.1), ghostscript-fonts-std (OpenSuSE, Version 9.00 Release 4.8.1, mdv2010.1), ghostscript-gtk (el6, rosa2014.), ghostscript-module-X (mdv2010.1), ghostscript-X (mdv2010.1), lib64gs8 (mdv2010.1) resp. lib64gs9 (rosa2014.1), OpenPrintingPPDs-ghostscript (OpenSuSE, Version 4.0.0 Release 15.1.1, mdv2010.1), a2ps (el6), emacs-a2ps (el6), sed (el6), libusb (el6, x86_64 and i686), libusb-compat0.1_4 (mdv2010.1), libusb1 (el6), libusb1.0_0 (mdv2010.1), libusbg (fc24), libusbg-utils (fc24), libusbmuxd (fc25), libusbmuxd-utils (fc25), libusbmuxd1 (mdv2010.1), libusbx (fc26), usbmuxd (el6)libgnomeprint (mdv2010.1), libgnomeprint22 (el6), libgnomeprintui mdv2010.1), libgnomeprintui22 (el6), pnm2ppa (el6), postscript-ppds (mdv2010.1), nss-softokn-freebl (el6), nss-softokn (el6), foomatic (el6), foomatic-db (mdv2010.1), foomatic-db-engine (mdv2010.1), foomatic-db-filesystem (el6), foomatic-db-ppds (el6), foomatic-filters (mdv2010.2), gutenprint-foomatic (el6), lib64usb-compat0.1_4 (mdv2010.1, rosa2014.1), lib64usb1.0_0 (rosa2014.1, mdv2010.1), lib64usbip0 (mdv2010.1), lib64usbmuxd1 (mdv2010.1), lib64usbmuxd4 (rosa2014.1, mdv2010.1), lib64usbredirparser1 (rosa2014.1, mdv2010.1), lib64usbx1.0_0 (rosa2014.1, mdv2010.1) , grep (el6), jasper (fc26, el6), jasper-utils (fc26, el6), jasper-libs (fc26, el6), pstoedit (mdv2010.1), lib64pstoedit0 (mdv2010.1), pslib (el6), lib64pslib0 (rosa2014.1), lib64pst4 (mdv2010.1), paps (mdv2008.1, mdv2010.1), html2ps (el6, mdv2010.1, Openmandriva2015), xhtml2ps (mdv2010.1, OpenMandriva2015), gutenprint (el6), gutenprint-common (mdv2010.1), gutenprint-cups (mdv2010.1), gutenprint-secputil (mdv2010.1), gutenprint-extras (el6), guenprint-foomatic (el6), gutenprint-gimp2 (mdv2010.1), gutenprint-ijs (mdv2010.1), gutenprint-plugin (el6), lib64gutenprint2 (mdv2010.1), lib64gutenprintui2_1 (mdv2010.1), system-config-printer (mdv2010.1), system-config-printer-libs (mdv2010.1), system-config-printer-kde (mdv2010.2), system-config-printer-udev (el6), task-printing (mdv2010.1, mga1), task-printing-canon (mdv2010.1, mga1), task-printing-epson (mdv2010.1, mga1), task-printing-hp (mdv2010.1, mga1), task-printing-lexmark (mdv2010.1, mga1), task-printing-misc (mdv2010.1, mga1), task-printing-okidata (mdv2010.1, mga1), task-printing-scanning (mdv2010.1, mga1), task-printing-server (mdv2010.1, mga1), sed (el6), hplip (el6), qpdf-libs (el6), tcsh (el6, csh), min12xxw (mdv2010.1, KonicaMinolta PagePro 1xxW), splix (el6, Samsung SPL2 b/w and SPLC color laser), pxljr (HP ColorLaserJet 35xx/36xx), hplip-hpijs-ppds (mdv2010.1), postscript-ppds (mdv2010.1), drv_z42 (mdv2010.1), hplip-hpijs (mdv2010.1), stylewriter (mdv2010.1), ml85p (mdv2010.1), pbm2lwxl (mdv2010.1), pentaxpj (mdv2010.1), ppmtomd (mdv2010.1), groff (el6, mdv2010.1), gutenprint-gimp2 (mdv2010.1 or uninstalled), lesstif (mdv2010.1), mpage (mdv2010.1, el6), netcat-traditional (mdv2010.1), net-tools (mdv2010.1, el6), nmap (mdv2010.1, el6), printer-testpages (mdv2010.1), printer-utils (mdv2010.1), scli (mdv2010.1), ImageMagick (el6)

    1. unmask cups-1.2* (~x86)
    2. emerge cups tcsh a2ps
    3. rpm2targz the 2 packages
    4. tar xzf the 2 packages
    5. cp the files over from usr/* to the corresponding folders
    6. mv usr/local/Brother /usr/local/.
    7. change in /usr/local/Brother/cupswrapper/cupswrapper... /etc/init.d/cups to /etc/init.d/cupsd
    8. run /usr/local/Brother/cupswrapper/cupswrapper...
    9. create a symbolic link from /usr/local/Brother/inf/brMFC...rc to /usr/local/Brother/inf/brPrintList (ln -sf brHL2040rc brPrintList )
    10.a. copy /usr/lib/cups/filter/br... to /usr/libexec/cups/filter/br..
    10.b. for amd64 copy /usr/lib/cups/filter/br... to /usr/lib64/cups/filter/br
    .. 11. restart cupsd
    12. type in
    13. set "change printer" and select the uri (usually /dev/usb/lp0)
    14. restart cupsd
    15. print test page
    16. if it doesn´t work
    17. cat test.txt | /usr/local/Brother/lpd/filterMFC5840CN
    18. look, what it shows; correct errors (creating symbolic links)

    especially step 17 is important, then you'll see if it prints or is missing a symbolic link of libraries

    good luck !

    That´s part of the problem, they don´t say anything abnormal. There´s nothing in syslog regarding the USB port or CUPS. /var/log/cups/error_log merely shows the processes were started and then nothing else.
    Running dmesg shows the USB device connected. It appears as one of the processes is stalling but it´s unknown which.
    ok, then let's check some more:
    usbfs in /etc/fstab, check ?
    permissions of /dev/usb/lp*, check ? (crw-rw---- 1 root lp 180, 0 2008-01-27 10:29 /dev/usb/lp0)

    Problem solved for https://www.unixboard.de/threads/zugriff-auf-dev-usb-lp0-regeln.36194/:
    Add into /etc/cups/cupsd.conf the follwoing code:
    FileDevice YES # for Device-URI file:/dev/usb/lp0
    dann ein
    # /etc/init.d/cupsd restart
    # lpadmin -p DCP-110C -E -v file:/dev/usb/lp0 -P /usr/share/cups/model/brdcp110c_cups.ppd
    and the printer and scanner works!

    Create /etc/udev/rules.d/100-local.rules with the entry

    # libusb device nodes
    SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", MODE="0666"
    # printer
    KERNEL=="parport[0-9]*", GROUP="lp"
    SUBSYSTEM=="printer", KERNEL=="lp*", GROUP="lp"
    SUBSYSTEM=="ppdev", GROUP="lp"
    SUBSYSTEM=="usb", KERNEL=="lp*", SYMLINK+="usb%k", GROUP="lp"
    KERNEL=="lp[0-9]*", GROUP="lp", MODE="0777"
    KERNEL=="irlpt[0-9]*", GROUP="lp"
    # hplip and cups 1.4+ use raw USB devices, so permissions should be similar to
    # the ones from the old usblp kernel module
    SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", ENV{ID_USB_INTERFACES}=="", IMPORT{program}="usb_id --export %p"
    SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", ENV{ID_USB_INTERFACES}==":0701*:", GROUP="lp", MODE="0666"

    and eventually create a desktop-file in /usr/share/autostart with the includeBR> EXEC=chmod 666 /dev/usb/lp0

    In /etc/fstab/ add
    usbfs usbfs /proc/bus/usb usbfs auto,devmode=0666 0 0 (tipps by us, Gooken)

    # Printer configuration file for CUPS v1.4.8 (pclos2017) / v1.4.5 (mdv2010.1) / v1.4.6 (pclos, mdv2011)
    # Written by cupsd on 2017-10-02 21:50
    <DefaultPrinter B-DCP-115C> # grayscale and default
    Info B-DCP-115C
    Location localhost.localdomain
    MakeModel Brother MFC-210C CUPS v1.1
    DeviceURI file:/dev/usb/lp0 # This solution is recommended for 4-kernel. The proprietary printer-driver has to be already installed through lpadmin or system-config-printer. Now this default printer can be turned off and on at any time for any printout.
    State Idle
    StateTime 1506965498
    Type 12587084
    Filter application/vnd.cups-raw 0 -
    Filter application/vnd.cups-command 0 commandtops # Testpage out of system-config-printer (el6, mdv)
    Filter application/vnd.cups-postscript 0 brlpdwrapperMFC210C # ppd: /usr/share/cups/model/brlpdwrapperMFC210C
    Accepting Yes
    Shared Yes
    JobSheets none none
    QuotaPeriod 0
    PageLimit 0
    KLimit 0
    OpPolicy default
    ErrorPolicy stop-printer
    <Printer BRFAX>
    Info BRFAX
    MakeModel Brother BRMFCFAX for CUPS
    DeviceURI usb://dev/usb/lp0
    State Idle
    StateTime 1481736691
    Type 12587012
    Filter application/vnd.cups-raw 0 -
    Filter application/vnd.cups-command 0 commandtops
    Filter application/vnd.cups-postscript 0 brfaxfilter
    Accepting Yes
    Shared Yes
    JobSheets none none
    QuotaPeriod 0
    PageLimit 0
    KLimit 0
    OpPolicy default
    ErrorPolicy stop-printer
    <Printer Brother-DCP-115C> # colored printout
    Info Brother DCP-115C
    Location localhost.localdomain
    MakeModel Brother MFC-210C CUPS v1.1
    DeviceURI usb://Brother/DCP-115C?serial=BROE7F871829
    State Idle

    StateTime 1506963970
    Type 12587084
    Filter application/vnd.cups-raw 0 -
    Filter application/vnd.cups-command 0 commandtops
    Filter application/vnd.cups-postscript 0 brlpdwrapperMFC210C
    Accepting Yes
    Shared Yes
    JobSheets none none
    QuotaPeriod 0
    PageLimit 0
    KLimit 0
    OpPolicy default
    ErrorPolicy abort-job
    <Printer MFC210C>
    Info MFC210C
    DeviceURI usb://dev/usb/lp0
    State Idle
    StateTime 1480819042
    Type 4194308
    Accepting Yes
    Shared Yes
    JobSheets none none
    QuotaPeriod 0
    PageLimit 0
    KLimit 0
    OpPolicy default ErrorPolicy abort-job

    Following man cupsd.conf for
    /etc/cups/cupsd.conf :
    # Show troubleshooting information in error_log.
    LogLevel debug # set back to error, after problems cat /var/log/cups/error_log got solved
    FileDevice YES # for Device-URI file:/dev/usb/lp0
    SystemGroup root sys lpadmin
    Group sys
    User lp
    # Allow remote access
    # Listen *:631
    Listen localhost:631 # most secure
    # Port 631
    Listen /var/run/cups/cups.sock
    # Share local printers on the local network.
    Browsing On
    BrowseOrder allow,deny
    BrowseAddress @LOCAL
    BrowseLocalProtocols CUPS dnssd
    DefaultAuthType Basic
    DefaultEncryption Never # also try: DefaultEncryption IfRequested
    <Location />
    # Allow shared printing...
    Order allow,deny
    Allow @LOCAL
    <Location /admin>
    # Restrict access to the admin pages...
    Order allow,deny
    <Location /admin/conf>
    AuthType Default
    Require user @OWNER @SYSTEM
    # Restrict access to the configuration files...
    Order allow,deny
    <Policy default>
    <Limit Create-Job Print-Job Print-URI Validate-Job>
    Require user @OWNER @SYSTEM
    AuthType Basic
    order deny,allow
    Allow 192.186.178.*
    <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job CUPS-Move-Job CUPS-Get-Document>
    AuthType Basic
    Order deny,allow
    Allow 192.168.178.*
    <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default CUPS-Get-Devices>
    AuthType Basic
    Require user @OWNER @SYSTEM
    Order deny,allow
    Allow 192.168.178.*
    <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After CUPS-Accept-Jobs CUPS-Reject-Jobs>
    AuthType Basic
    Require user @OWNER @SYSTEM
    Order deny,allow
    Allow 192.168.178.*
    <Limit CUPS-Authenticate-Job>
    AuthType Basic
    Require user @OWNER @SYSTEM
    Order deny,allow
    Allow 192.168.178.*
    <Limit All>
    AuthType Basic
    Order deny,allow
    Allow 192.168.178.*
    <Policy authenticated>
    <Limit Create-Job Print-Job Print-URI Validate-Job>
    AuthType Basic
    Require user @OWNER @SYSTEM
    Order deny,allow
    Allow 192.168.178.*
    <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job CUPS-Move-Job CUPS-Get-Document>
    AuthType Basic
    Require user @OWNER @SYSTEM
    Order deny,allow
    Allow 192.168.178.*
    <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default>
    AuthType Basic
    Require user @OWNER @SYSTEM
    Order deny,allow
    Allow 192.186.178.*
    <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After CUPS-Accept-Jobs CUPS-Reject-Jobs>
    AuthType Basic
    Require user @OWNER @SYSTEM
    Order deny,allow
    Allow 192.168.178.*
    <Limit Cancel-Job CUPS-Authenticate-Job>
    AuthType Basic
    Require user @OWNER @SYSTEM
    Order deny,allow
    Allow 192.168.178.*
    <Limit All>
    Order deny,allow
    Allow 192.186.178.*

    # Subscription configuration file for CUPS v1.4.8 (pclos2017) / v1.4.5 (mdv2010.1) / v1.4.6 (mdv2011)
    # Written by cupsd on 2017-10-02 18:52
    NextSubscriptionId 139
    <Subscription 129>
    Events printer-state-changed printer-restarted printer-shutdown printer-stopped printer-added printer-deleted job-state-changed job-created job-completed job-stopped job-progress
    Owner username
    LeaseDuration 86400
    Interval 0
    ExpirationTime 1507036519
    NextEventId 158
    <Subscription 130>
    Events printer-state-changed printer-restarted printer-shutdown printer-stopped printer-added printer-deleted job-state-changed job-created job-completed job-stopped job-progress
    Owner username
    LeaseDuration 86400
    Interval 0
    ExpirationTime 1507039634
    NextEventId 128
    <Subscription 131>
    Events printer-state-changed printer-restarted printer-shutdown printer-stopped printer-added printer-deleted job-state-changed job-created job-completed job-stopped job-progress
    Owner username
    LeaseDuration 86400
    Interval 0
    ExpirationTime 1507040411
    NextEventId 119
    <Subscription 132>
    Events printer-state-changed printer-restarted printer-shutdown printer-stopped printer-added printer-deleted job-state-changed job-created job-completed job-stopped job-progress
    Owner username
    LeaseDuration 86400
    Interval 0
    ExpirationTime 1507041607
    NextEventId 100
    <Subscription 133>
    Events printer-state-changed printer-restarted printer-shutdown printer-stopped printer-added printer-deleted job-state-changed job-created job-completed job-stopped job-progress
    Owner username
    LeaseDuration 86400
    Interval 0
    ExpirationTime 1507040411
    NextEventId 119
    <Subscription 132>
    Events printer-state-changed printer-restarted printer-shutdown printer-stopped printer-added printer-deleted job-state-changed job-created job-completed job-stopped job-progress
    Owner username
    LeaseDuration 86400
    Interval 0
    ExpirationTime 1507041607
    NextEventId 100
    <Subscription 133>
    Events printer-state-changed printer-restarted printer-shutdown printer-stopped printer-added printer-deleted job-state-changed job-created job-completed job-stopped job-progress
    Owner username
    LeaseDuration 86400
    Interval 0
    ExpirationTime 1507050366
    NextEventId 81
    <Subscription 135>
    Events printer-state-changed printer-restarted printer-shutdown printer-stopped printer-added printer-deleted job-state-changed job-created job-completed job-stopped job-progress
    Owner username
    LeaseDuration 86400
    Interval 0
    ExpirationTime 1507051672
    NextEventId 48
    <Subscription 137>
    Events printer-state-changed printer-restarted printer-shutdown printer-stopped printer-added printer-deleted job-state-changed job-created job-completed job-stopped job-progress
    Owner username
    LeaseDuration 86400
    Interval 0
    ExpirationTime 1507060321
    NextEventId 26


    Well, have a look at the gentoo-wiki.com, if there's more tips to this "problem", check ?
    search for brother printer cups ubuntu @ google, check ?
    usbfs is applied in /etc/fstab to give devices mode 0666, lp0 comes up this way as well... no other tips or suggestions work. I tried the Ubuntu forums for them prior, everyone is basically saying the same methods on how to get it up and running, yet even following them shows no progress on my end.

    Cupsd starts with an error message can not find or something like it: This depends on the cups version: Look out for /usr/bin/lp. If this file is missing and lp-cups is present instead, link lp-cups to lp (same for alle lp-xyz-cups): ln -sf /usr/bin/lp-cups /usr/bin/lp.

    Set access rights upon /usr/lib64/cups/*, /usr/lib/cups/*, /usr/share/cups/*, /etc/cups., /var/spool/cups, /lib/libc*, /lib64/libc*, /usr/lib/libc* und /usr/lib64/libc/* through "chmod 775 -R", for guaranteed access eventually set belonging setfacl for user lp, user, root and group lp, root and wheel (see section for ACL)

    /etc/passwd -> wie oben aufgelistet

    Try changing DeviceURI in /etc/cups/printers.conf to:
    DeviceURI file:///dev/usb/lp0
    and /etc/cups/cupsd.conf to:
    FileDevice Yes # for Device-URI file:/dev/usb/lp0
    Then, restart CUPS (e.g. cd foo2zjs; sudo make cups).
    This is NOT my problem... it is a CUPS problem.


    In order to prevent paper jam for DCP-115C (MFC-210C), always put the paper into the paper-shaft as far as possible!

    Still /var/log/cups/error_log: Following messages like these should occur in sequence:
    I [19:57:24 +0100] Loaded MIME database from /usr/share/cups/mime and /etc/cups: 36 types, 47 filters...
    D 19:57:24 +0100] Loading printer BRFAX...
    D [19:57:24 +0100] load_ppd: Loading /var/cache/cups/BRFAX.ipp4...
    D [19:57:24 +0100] cupsdRegisterPrinter(p=0x7f603a9b9380(BRFAX))
    D :19:57:24 +0100] Loading printer Brother-DCP-115C...
    D :19:57:24 +0100] load_ppd: Loading /var/cache/cups/Brother-DCP-115C.ipp4...
    D :19:57:24 +0100] cupsdRegisterPrinter(p=0x7f603a9af870(Brother-DCP-115C))
    D :19:57:24 +0100] Loading printer MFC210C...
    D :19:57:24 +0100] cupsdMarkDirty(P-----)
    D :19:57:24 +0100] cupsdSetBusyState: Dirty files
    D :19:57:24 +0100] load_ppd: Loading /etc/cups/ppd/MFC210C.ppd...
    D :19:57:24 +0100] cupsdRegisterPrinter(p=0x7f603a9acb90(MFC210C))

    Configuration: /etc/cups/cupsd.conf

    For /etc/cups/cupsd.conf (cups 1.4.2-74 (el6) resp. cups 1.4.5 (mdv2010.2) we prefered cups-1.4.6 with lib64cups (pclos, mdv2010.2) or libcups.so.2 out of lib64cups (pclos or mdv2010.2) copied into /usr/lib64 against the child-error on exit not started cupsd after starting cupsd, DCP-115C / MFC210C, up-to-date (patched) kernel-, udev rule for vendor-id:product-id for usb-port in /etc/udev/rules.d, ghostscript (el6): >gs: OK (!), gutenprint (el6), either with blacklisted usblp within /etc/modprobe.d/blacklist-mdv or not blacklisted usblp, we prefer: not blacklisted (!), result cat /var/log/cups/error_log: error free, "wrote 1 page/s" ):

    FileDevice YES # for device-URI file:/dev/usb/lp0 (created by module usblp)
    LogLevel debug # set it back to warn, if all problems are solved
    SystemGroup root sys lpadmin
    Group sys
    User lp
    # Allow remote access
    # Listen *:631
    Listen localhost:631 # most secure
    # Port 631
    Listen /var/run/cups/cups.sock
    # Enable printer sharing and shared printers.
    Browsing On
    BrowseOrder allow,deny
    BrowseAllow all
    # BrowseRemoteProtocols CUPS
    BrowseAddress @LOCAL
    BrowseLocalProtocols CUPS dnssd
    DefaultAuthType Basic
    DefaultEncryption Never
    <Location />
    # Allow shared printing and remote administration...
    AuthType Basic
    # Require user @OWNER @SYSTEM
    Order allow,deny
    Allow all
    <Location /admin>
    # Allow remote administration...
    AuthType Default
    Require user @OWNER @SYSTEM
    Order allow,deny
    Allow @LOCAL
    <Location /admin/conf>
    AuthType Default
    Require user @OWNER @SYSTEM
    # Allow remote access to the configuration files...
    Order allow,deny
    Allow @LOCAL
    <Policy default>
    <Limit Create-Job Print-Job Print-URI Validate-Job>
    Require user @OWNER @SYSTEM
    AuthType Basic
    order deny,allow
    # Allow # depending on cups-version 1.4.2 (el6) or 1.4.5 (mdv2010)
    Allow 192.186.178.*
    <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job CUPS-Move-Job CUPS-Get-Document>
    Require user @OWNER @SYSTEM
    AuthType Basic
    Order deny,allow
    # Allow
    Allow 192.168.178.*
    <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default CUPS-Get-Devices>
    AuthType Basic
    Require user @OWNER @SYSTEM
    Order deny,allow
    # Allow
    Allow 192.168.178.*
    <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After CUPS-Accept-Jobs CUPS-Reject-Jobs>
    AuthType Basic
    Require user @OWNER @SYSTEM
    Order deny,allow
    # Allow
    Allow 192.168.178.*
    <Limit CUPS-Authenticate-Job>
    AuthType Basic
    Require user @OWNER @SYSTEM
    Order deny,allow
    # Allow
    Allow 192.168.178.*
    <Limit All>
    AuthType Basic
    Order deny,allow
    # Allow
    Allow 192.168.178.*
    <Policy authenticated>
    <Limit Create-Job Print-Job Print-URI Validate-Job>
    AuthType Basic
    Require user @OWNER @SYSTEM
    Order deny,allow
    # Allow
    Allow 192.168.178.*
    <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job CUPS-Move-Job CUPS-Get-Document>
    AuthType Basic
    Require user @OWNER @SYSTEM
    Order deny,allow
    # Allow
    Allow 192.168.178.*
    <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default>
    AuthType Basic
    Require user @OWNER @SYSTEM
    Order deny,allow
    # Allow
    Allow 192.186.178.*
    <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After CUPS-Accept-Jobs CUPS-Reject-Jobs>
    AuthType Basic
    Require user @OWNER @SYSTEM
    Order deny,allow
    # Allow
    Allow 192.168.178.*
    <Limit Cancel-Job CUPS-Authenticate-Job>
    AuthType Basic
    Require user @OWNER @SYSTEM
    Order deny,allow
    # Allow
    Allow 192.168.178.*
    <Limit All>
    Order deny,allow
    # Allow
    Allow 192.186.178.*

    /etc/cups/printers.conf (result of lpadmin...):

    # Printer configuration file for CUPS v1.4.5
    # Written by cupsd on 2016-12-09 00:36
    <DefaultPrinter Brother-DCP-115C>
    Info Brother DCP-115C
    Location localhost.localdomain
    MakeModel Brother MFC-210C CUPS v1.1
    DeviceURI usb://Brother/DCP-115C?serial=BROE7F871829
    State Idle
    StateTime 1481240189
    Type 12587084
    Filter application/vnd.cups-raw 0 -
    Filter application/vnd.cups-postscript 0 brlpdwrapperMFC210C
    Filter application/vnd.cups-command 0 commandtops
    Accepting Yes
    Shared Yes
    JobSheets none none
    QuotaPeriod 0
    PageLimit 0
    KLimit 0
    OpPolicy default
    ErrorPolicy abort-job
    <Printer Brother-DCP-115C-2>
    Info Brother DCP-115C
    Location localhost.localdomain
    MakeModel Brother MFC-210C CUPS v1.1
    DeviceURI usb://Brother/DCP-115C
    State Idle
    StateTime 1481240172
    Type 12587084
    Filter application/vnd.cups-raw 0 -
    Filter application/vnd.cups-postscript 0 brlpdwrapperMFC210C
    Accepting Yes
    Shared Yes
    JobSheets none none
    QuotaPeriod 0
    PageLimit 0
    KLimit 0
    OpPolicy default
    ErrorPolicy abort-job
    <Printer MFC210C>
    Info MFC210C
    DeviceURI usb://dev/usb/lp0
    State Idle
    StateTime 1480819042
    Type 4194308
    Accepting Yes
    Shared Yes
    JobSheets none none
    QuotaPeriod 0
    PageLimit 0
    KLimit 0
    OpPolicy default
    ErrorPolicy abort-job

    Check out, if cupsd has started. Do so, if not, or install another version.

    Printing a page (opened with kwrite), /var/log/cups/error_log (last 50), D means debug-message, I: info, W: warn and E: error:
    D [10/Dec/2016:22:26:19 +0100] Adding default job-sheets values "none,none"...
    I [10/Dec/2016:22:26:19 +0100] [Job 468] Adding start banner page "none".
    D [10/Dec/2016:22:26:19 +0100] Discarding unused job-created event...
    I [10/Dec/2016:22:26:19 +0100] [Job 468] Queued on "Brother-DCP-115C" by "anonymous".
    D [10/Dec/2016:22:26:19 +0100] Returning IPP successful-ok for Create-Job (ipp://localhost:631/printers/Brother-DCP-115C) from localhost
    D [10/Dec/2016:22:26:19 +0100] cupsdSetBusyState: Dirty files
    D [10/Dec/2016:22:26:19 +0100] cupsdReadClient: 12 POST /printers/Brother-DCP-115C HTTP/1.1
    D [10/Dec/2016:22:26:19 +0100] cupsdSetBusyState: Active clients and dirty files
    D [10/Dec/2016:22:26:19 +0100] cupsdAuthorize: Authorized as anonymous using PeerCred
    D [10/Dec/2016:22:26:19 +0100] cupsdReadClient: 12 1.1 Send-Document 1
    D [10/Dec/2016:22:26:19 +0100] Send-Document ipp://localhost:631/printers/Brother-DCP-115C
    D [10/Dec/2016:22:26:19 +0100] cupsdIsAuthorized: username="anonymous"
    D [10/Dec/2016:22:26:19 +0100] [Job 468] Auto-typing file...
    D [10/Dec/2016:22:26:19 +0100] [Job 468] Request file type is application/pdf.
    D [10/Dec/2016:22:26:19 +0100] cupsdMarkDirty(----J-)
    I [10/Dec/2016:22:26:19 +0100] [Job 468] File of type application/pdf queued by "anonymous".
    I [10/Dec/2016:22:26:19 +0100] [Job 468] Adding end banner page "none".
    D [10/Dec/2016:22:26:19 +0100] cupsdMarkDirty(----J-)
    D [10/Dec/2016:22:26:19 +0100] cupsdMarkDirty(----J-)
    D [10/Dec/2016:22:26:19 +0100] cupsdSetBusyState: Active clients, printing jobs, and dirty files
    D [10/Dec/2016:22:26:19 +0100] Discarding unused printer-state-changed event...
    D [10/Dec/2016:22:26:19 +0100] [Job 468] job-sheets=none,none
    D [10/Dec/2016:22:26:19 +0100] [Job 468] argv[0]="Brother-DCP-115C"
    D [10/Dec/2016:22:26:19 +0100] [Job 468] argv[1]="468"
    D [10/Dec/2016:22:26:19 +0100] [Job 468] argv[2]="anonymous"
    D [10/Dec/2016:22:26:19 +0100] [Job 468] argv[3]="Unbenannt"
    D [10/Dec/2016:22:26:19 +0100] [Job 468] argv[4]="1"
    D [10/Dec/2016:22:26:19 +0100] [Job 468] argv[5]="media=BrA4 job-uuid=urn:uuid:xxxxx originating-host-name=localhost time-at-creation=1481405179 time-at-processing=1481405179 AP_D_InputSlot="
    D [10/Dec/2016:22:26:19 +0100] [Job 468] argv[6]="/var/spool/cups/d00468-001"
    D [10/Dec/2016:22:26:19 +0100] [Job 468] envp[0]="CUPS_CACHEDIR=/var/cache/cups"
    D [10/Dec/2016:22:26:19 +0100] [Job 468] envp[1]="CUPS_DATADIR=/usr/share/cups"
    D [10/Dec/2016:22:26:19 +0100] [Job 468] envp[2]="CUPS_DOCROOT=/usr/share/cups/doc"
    D [10/Dec/2016:22:26:19 +0100] [Job 468] envp[3]="CUPS_FONTPATH=/usr/share/cups/fonts"
    D [10/Dec/2016:22:26:19 +0100] [Job 468] envp[4]="CUPS_REQUESTROOT=/var/spool/cups"
    D [10/Dec/2016:22:26:19 +0100] [Job 468] envp[5]="CUPS_SERVERBIN=/usr/lib/cups"
    D [10/Dec/2016:22:26:19 +0100] [Job 468] envp[6]="CUPS_SERVERROOT=/etc/cups"
    D [10/Dec/2016:22:26:19 +0100] [Job 468] envp[7]="CUPS_STATEDIR=/var/run/cups"
    D [10/Dec/2016:22:26:19 +0100] [Job 468] envp[8]="HOME=/tmp"
    D [10/Dec/2016:22:26:19 +0100] [Job 468] envp[9]="PATH=/usr/lib/cups/filter:/usr/bin:/usr/sbin:/bin:/usr/bin"
    D [10/Dec/2016:22:26:19 +0100] [Job 468] envp[10]="SERVER_ADMIN=root@localhost.localdomain"
    D [10/Dec/2016:22:26:19 +0100] [Job 468] envp[11]="SOFTWARE=CUPS"
    D [10/Dec/2016:22:26:19 +0100] [Job 468] envp[12]="TMPDIR=/tmp"
    D [10/Dec/2016:22:26:19 +0100] [Job 468] envp[13]="USER=root"
    D [10/Dec/2016:22:26:19 +0100] [Job 468] envp[14]="CUPS_SERVER=/var/run/cups/cups.sock"
    D [10/Dec/2016:22:26:19 +0100] [Job 468] envp[15]="CUPS_ENCRYPTION=IfRequested"
    D [10/Dec/2016:22:26:19 +0100] [Job 468] envp[16]="IPP_PORT=631"
    D [10/Dec/2016:22:26:19 +0100] [Job 468] envp[17]="CHARSET=utf-8"
    D [10/Dec/2016:22:26:19 +0100] [Job 468] envp[18]="LANG=de_DE.UTF-8"
    D [10/Dec/2016:22:26:19 +0100] [Job 468] envp[19]="PPD=/etc/cups/ppd/Brother-DCP-115C.ppd"
    D [10/Dec/2016:22:26:19 +0100] [Job 468] envp[20]="RIP_MAX_CACHE=8m"
    D [10/Dec/2016:22:26:19 +0100] [Job 468] envp[21]="CONTENT_TYPE=application/pdf"
    D [10/Dec/2016:22:26:19 +0100] [Job 468] envp[22]="DEVICE_URI=usb://Brother/DCP-115C?serial=BROE7F871829"
    D [10/Dec/2016:22:26:19 +0100] [Job 468] envp[23]="PRINTER_INFO=Brother DCP-115C"
    D [10/Dec/2016:22:26:19 +0100] [Job 468] envp[24]="PRINTER_LOCATION=localhost.localdomain"
    D [10/Dec/2016:22:26:19 +0100] [Job 468] envp[25]="PRINTER=Brother-DCP-115C"
    D [10/Dec/2016:22:26:19 +0100] [Job 468] envp[26]="CUPS_FILETYPE=document"
    D [10/Dec/2016:22:26:19 +0100] [Job 468] envp[27]="FINAL_CONTENT_TYPE=printer/Brother-DCP-115C"
    D [10/Dec/2016:22:26:19 +0100] [Job 468] envp[28]="AUTH_U****"
    D [10/Dec/2016:22:26:19 +0100] [Job 468] envp[29]="AUTH_P****"
    I [10/Dec/2016:22:26:19 +0100] [Job 468] Started filter /usr/lib/cups/filter/pdftops (PID 13127)
    I [10/Dec/2016:22:26:19 +0100] [Job 468] Started filter /usr/lib/cups/filter/brlpdwrapperMFC210C (PID 13128)
    I [10/Dec/2016:22:26:19 +0100] [Job 468] Started backend /usr/lib/cups/backend/usb (PID 13129)
    D [10/Dec/2016:22:26:19 +0100] Discarding unused job-state-changed event...
    D [10/Dec/2016:22:26:19 +0100] Returning IPP successful-ok for Send-Document (ipp://localhost:631/printers/Brother-DCP-115C) from localhost
    D [10/Dec/2016:22:26:19 +0100] cupsdSetBusyState: Printing jobs and dirty files
    D [10/Dec/2016:22:26:19 +0100] [Job 468] STATE: +connecting-to-device
    D [10/Dec/2016:22:26:19 +0100] Discarding unused printer-state-changed event...
    D [10/Dec/2016:22:26:19 +0100] [Job 468] Started filter pdftops (PID 13133)
    D [10/Dec/2016:22:26:19 +0100] [Job 468] Started filter pstops (PID 13134)
    D [10/Dec/2016:22:26:20 +0100] [Job 468] Page = 595x842; 9,9 to 586,833
    D [10/Dec/2016:22:26:20 +0100] [Job 468] slow_collate=0, slow_duplex=0, slow_order=1
    D [10/Dec/2016:22:26:20 +0100] [Job 468] Before copy_comments - %!PS-Adobe-3.0
    D [10/Dec/2016:22:26:20 +0100] [Job 468] %!PS-Adobe-3.0
    D [10/Dec/2016:22:26:20 +0100] [Job 468] %%Creator:
    D [10/Dec/2016:22:26:20 +0100] [Job 468] %%LanguageLevel: 3
    D [10/Dec/2016:22:26:20 +0100] [Job 468] %%DocumentSuppliedResources: (atend)
    D [10/Dec/2016:22:26:20 +0100] [Job 468] %%DocumentMedia: plain 595 842 0 () ()
    D [10/Dec/2016:22:26:20 +0100] [Job 468] %%BoundingBox: 0 0 595 842
    D [10/Dec/2016:22:26:20 +0100] [Job 468] %%Pages: 1
    D [10/Dec/2016:22:26:20 +0100] [Job 468] %%EndComments
    D [10/Dec/2016:22:26:20 +0100] [Job 468] Before copy_prolog - %%BeginDefaults
    D [10/Dec/2016:22:26:20 +0100] [Job 468] Before copy_setup - %%BeginSetup
    D [10/Dec/2016:22:26:20 +0100] [Job 468] Before page loop - %%Page: 1 1
    D [10/Dec/2016:22:26:20 +0100] [Job 468] Copying page 1...
    D [10/Dec/2016:22:26:20 +0100] [Job 468] pagew = 577.0, pagel = 824.0
    D [10/Dec/2016:22:26:20 +0100] [Job 468] bboxx = 0, bboxy = 0, bboxw = 595, bboxl = 842
    D [10/Dec/2016:22:26:20 +0100] [Job 468] PageLeft = 9.0, PageRight = 586.0
    D [10/Dec/2016:22:26:20 +0100] [Job 468] PageTop = 833.0, PageBottom = 9.0
    D [10/Dec/2016:22:26:20 +0100] [Job 468] PageWidth = 595.0, PageLength = 842.0 =======================================================!!!
    D [10/Dec/2016:22:26:20 +0100] [Job 468] Wrote 1 pages...
    D [10/Dec/2016:22:26:20 +0100] [Job 468] PID 13134 (pstops) exited with no errors.
    D [10/Dec/2016:22:26:20 +0100] [Job 468] PID 13133 (pdftops) exited with no errors.
    D [10/Dec/2016:22:26:20 +0100] PID 13127 (/usr/lib/cups/filter/pdftops) exited with no errors.
    D [10/Dec/2016:22:26:24 +0100] PID 13128 (/usr/lib/cups/filter/brlpdwrapperMFC210C) exited with no errors.
    D [10/Dec/2016:22:26:38 +0100] cupsdNetIFUpdate: "lo" = localhost:631
    D [10/Dec/2016:22:26:38 +0100] cupsdNetIFUpdate: "eth0" =
    D [10/Dec/2016:22:26:38 +0100] cupsdNetIFUpdate: "lo" = localhost:631
    D [10/Dec/2016:22:26:38 +0100] cupsdNetIFUpdate: ""eth0" = xxx::xxxx:xxxx:xxxx...%eth0:631
    D [10/Dec/2016:22:26:38 +0100] Report: clients=1
    D [10/Dec/2016:22:26:38 +0100] Report: jobs=66
    D [10/Dec/2016:22:26:38 +0100] Report: jobs-active=1
    D [10/Dec/2016:22:26:38 +0100] Report: printers=3
    D [10/Dec/2016:22:26:38 +0100] Report: printers-implicit=0
    D [10/Dec/2016:22:26:38 +0100] Report: stringpool-string-count=1121
    D [10/Dec/2016:22:26:38 +0100] Report: stringpool-alloc-bytes=9040
    D [10/Dec/2016:22:26:38 +0100] Report: stringpool-total-bytes=23872
    I [10/Dec/2016:22:26:41 +0100] Saving job cache file "/var/cache/cups/job.cache"...
    D [10/Dec/2016:22:26:41 +0100] cupsdSetBusyState: Printing jobs
    D [10/Dec/2016:22:27:40 +0100] cupsdNetIFUpdate: "lo" = localhost:631
    D [10/Dec/2016:22:27:40 +0100] cupsdNetIFUpdate: "eth0" =
    D [10/Dec/2016:22:27:40 +0100] cupsdNetIFUpdate: "lo" = localhost:631
    D [10/Dec/2016:22:27:40 +0100] cupsdNetIFUpdate: "eth0" = xxx::xxxx:xxxx:xxxx...%eth0:631
    D [10/Dec/2016:22:27:40 +0100] Report: clients=1
    D [10/Dec/2016:22:27:40 +0100] Report: jobs=66
    D [10/Dec/2016:22:27:40 +0100] Report: jobs-active=1
    D [10/Dec/2016:22:27:40 +0100] Report: printers=3
    D [10/Dec/2016:22:27:40 +0100] Report: printers-implicit=0
    D [10/Dec/2016:22:27:40 +0100] Report: stringpool-string-count=1121
    D [10/Dec/2016:22:27:40 +0100] Report: stringpool-alloc-bytes=9040
    D [10/Dec/2016:22:27:40 +0100] Report: stringpool-total-bytes=23872
    D [10/Dec/2016:22:28:42 +0100] cupsdNetIFUpdate: "lo" = localhost:631
    D [10/Dec/2016:22:28:42 +0100] cupsdNetIFUpdate: "eth0" =
    D [10/Dec/2016:22:28:42 +0100] cupsdNetIFUpdate: "lo" = localhost:631
    D [10/Dec/2016:22:28:42 +0100] cupsdNetIFUpdate: "eth0" = xxx::xxxx:xxxx:xxxx...%eth0:631
    D [10/Dec/2016:22:28:42 +0100] Report: clients=1
    D [10/Dec/2016:22:28:42 +0100] Report: jobs=66
    D [10/Dec/2016:22:28:42 +0100] Report: jobs-active=1
    D [10/Dec/2016:22:28:42 +0100] Report: printers=3
    D [10/Dec/2016:22:28:42 +0100] Report: printers-implicit=0
    D [10/Dec/2016:22:28:42 +0100] Report: stringpool-string-count=1121
    D [10/Dec/2016:22:28:42 +0100] Report: stringpool-alloc-bytes=9040
    D [10/Dec/2016:22:28:42 +0100] Report: stringpool-total-bytes=23872
    D [10/Dec/2016:22:29:44 +0100] cupsdNetIFUpdate: "lo" = localhost:631
    D [10/Dec/2016:22:29:44 +0100] cupsdNetIFUpdate: "eth0" =
    D [10/Dec/2016:22:29:44 +0100] cupsdNetIFUpdate: "lo" = localhost:631
    D [10/Dec/2016:22:29:44 +0100] cupsdNetIFUpdate: "eth0" = "eth0" = xxx::xxxx:xxxx:xxxx...%eth0:631
    D [10/Dec/2016:22:29:44 +0100] Report: clients=1
    D [10/Dec/2016:22:29:44 +0100] Report: jobs=66
    D [10/Dec/2016:22:29:44 +0100] Report: jobs-active=1
    D [10/Dec/2016:22:29:44 +0100] Report: printers=3
    D [10/Dec/2016:22:29:44 +0100] Report: printers-implicit=0
    D [10/Dec/2016:22:29:44 +0100] Report: stringpool-string-count=1121
    D [10/Dec/2016:22:29:44 +0100] Report: stringpool-alloc-bytes=9040
    D [10/Dec/2016:22:29:44 +0100] Report: stringpool-total-bytes=23872
    D [10/Dec/2016:22:30:46 +0100] cupsdNetIFUpdate: "lo" = localhost:631
    D [10/Dec/2016:22:30:46 +0100] cupsdNetIFUpdate: "eth0" =
    D [10/Dec/2016:22:30:46 +0100] cupsdNetIFUpdate: "lo" = localhost:631
    D [10/Dec/2016:22:30:46 +0100] cupsdNetIFUpdate: "eth0" = xxx::xxxx:xxxx:xxxx...%eth0:631
    D [10/Dec/2016:22:30:46 +0100] Report: clients=1
    D [10/Dec/2016:22:30:46 +0100] Report: jobs=66
    D [10/Dec/2016:22:30:46 +0100] Report: jobs-active=1
    D [10/Dec/2016:22:30:46 +0100] Report: printers=3
    D [10/Dec/2016:22:30:46 +0100] Report: printers-implicit=0
    D [10/Dec/2016:22:30:46 +0100] Report: stringpool-string-count=1121
    D [10/Dec/2016:22:30:46 +0100] Report: stringpool-alloc-bytes=9040
    D [10/Dec/2016:22:30:46 +0100] Report: stringpool-total-bytes=23872
    D [10/Dec/2016:22:31:20 +0100] Closing client 12 after 300 seconds of inactivity...
    D [10/Dec/2016:22:31:20 +0100] cupsdCloseClient: 12
    D [10/Dec/2016:22:31:48 +0100] cupsdNetIFUpdate: "lo" = localhost:631
    D [10/Dec/2016:22:31:48 +0100] cupsdNetIFUpdate: "eth0" =
    D [10/Dec/2016:22:31:48 +0100] cupsdNetIFUpdate: "lo" = localhost:631
    D [10/Dec/2016:22:31:48 +0100] cupsdNetIFUpdate: "eth0" = xxx::xxxx:xxxx:xxxx...%eth0:631
    D [10/Dec/2016:22:31:48 +0100] Report: clients=0
    D [10/Dec/2016:22:31:48 +0100] Report: jobs=66
    D [10/Dec/2016:22:31:48 +0100] Report: jobs-active=1
    D [10/Dec/2016:22:31:48 +0100] Report: printers=3
    D [10/Dec/2016:22:31:48 +0100] Report: printers-implicit=0
    D [10/Dec/2016:22:31:48 +0100] Report: stringpool-string-count=1121
    D [10/Dec/2016:22:31:48 +0100] Report: stringpool-alloc-bytes=9040
    D [10/Dec/2016:22:31:48 +0100] Report: stringpool-total-bytes=23872
    D [10/Dec/2016:22:32:50 +0100] cupsdNetIFUpdate: "lo" = localhost:631
    D [10/Dec/2016:22:32:50 +0100] cupsdNetIFUpdate: "eth0" =
    D [10/Dec/2016:22:32:50 +0100] cupsdNetIFUpdate: "lo" = localhost:631
    D [10/Dec/2016:22:32:50 +0100] cupsdNetIFUpdate: "eth0" = xxx::xxxx:xxxx:xxxx...%eth0:631
    D [10/Dec/2016:22:32:50 +0100] Report: clients=0
    D [10/Dec/2016:22:32:50 +0100] Report: jobs=66
    D [10/Dec/2016:22:32:50 +0100] Report: jobs-active=1
    D [10/Dec/2016:22:32:50 +0100] Report: printers=3
    D [10/Dec/2016:22:32:50 +0100] Report: printers-implicit=0
    D [10/Dec/2016:22:32:50 +0100] Report: stringpool-string-count=1121
    D [10/Dec/2016:22:32:50 +0100] Report: stringpool-alloc-bytes=9040
    D [10/Dec/2016:22:32:50 +0100] Report: stringpool-total-bytes=23872
    D [10/Dec/2016:22:33:52 +0100] cupsdNetIFUpdate: "lo" = localhost:631
    D [10/Dec/2016:22:33:52 +0100] cupsdNetIFUpdate: "eth0" =
    D [10/Dec/2016:22:33:52 +0100] cupsdNetIFUpdate: "lo" = localhost:631
    D [10/Dec/2016:22:33:52 +0100] cupsdNetIFUpdate: "eth0" = xxx::xxxx:xxxx:xxxx...%eth0:631
    D [10/Dec/2016:22:33:52 +0100] Report: clients=0
    D [10/Dec/2016:22:33:52 +0100] Report: jobs=66
    D [10/Dec/2016:22:33:52 +0100] Report: jobs-active=1
    D [10/Dec/2016:22:33:52 +0100] Report: printers=3
    D [10/Dec/2016:22:33:52 +0100] Report: printers-implicit=0
    D [10/Dec/2016:22:33:52 +0100] Report: stringpool-string-count=1121
    D [10/Dec/2016:22:33:52 +0100] Report: stringpool-alloc-bytes=9040
    D [10/Dec/2016:22:33:52 +0100] Report: stringpool-total-bytes=23872
    D [10/Dec/2016:22:34:54 +0100] cupsdNetIFUpdate: "lo" = localhost:631
    D [10/Dec/2016:22:34:54 +0100] cupsdNetIFUpdate: "eth0" =
    D [10/Dec/2016:22:34:54 +0100] cupsdNetIFUpdate: "lo" = localhost:631
    D [10/Dec/2016:22:34:54 +0100] cupsdNetIFUpdate: "eth0" = xxx::xxxx:xxxx:xxxx...%eth0:631
    D [10/Dec/2016:22:34:54 +0100] Report: clients=0
    D [10/Dec/2016:22:34:54 +0100] Report: jobs=66
    D [10/Dec/2016:22:34:54 +0100] Report: jobs-active=1
    D [10/Dec/2016:22:34:54 +0100] Report: printers=3
    D [10/Dec/2016:22:34:54 +0100] Report: printers-implicit=0
    D [10/Dec/2016:22:34:54 +0100] Report: stringpool-string-count=1121
    D [10/Dec/2016:22:34:54 +0100] Report: stringpool-alloc-bytes=9040
    D [10/Dec/2016:22:34:54 +0100] Report: stringpool-total-bytes=23872
    D [10/Dec/2016:22:35:56 +0100] cupsdNetIFUpdate: "lo" = localhost:631
    D [10/Dec/2016:22:35:56 +0100] cupsdNetIFUpdate: "eth0" =
    D [10/Dec/2016:22:35:56 +0100] cupsdNetIFUpdate: "lo" = localhost:631
    D [10/Dec/2016:22:35:56 +0100] cupsdNetIFUpdate: "eth0" = xxx::xxxx:xxxx:xxxx...%eth0:631
    D [10/Dec/2016:22:35:56 +0100] Report: clients=0
    D [10/Dec/2016:22:35:56 +0100] Report: jobs=66
    D [10/Dec/2016:22:35:56 +0100] Report: jobs-active=1
    D [10/Dec/2016:22:35:56 +0100] Report: printers=3
    D [10/Dec/2016:22:35:56 +0100] Report: printers-implicit=0
    D [10/Dec/2016:22:35:56 +0100] Report: stringpool-string-count=1121
    D [10/Dec/2016:22:35:56 +0100] Report: stringpool-alloc-bytes=9040
    D [10/Dec/2016:22:35:56 +0100] Report: stringpool-total-bytes=23872
    D [10/Dec/2016:22:36:58 +0100] cupsdNetIFUpdate: "lo" = localhost:631
    D [10/Dec/2016:22:36:58 +0100] cupsdNetIFUpdate: "eth0" =
    D [10/Dec/2016:22:36:58 +0100] cupsdNetIFUpdate: "lo" = localhost:631
    D [10/Dec/2016:22:36:58 +0100] cupsdNetIFUpdate: "eth0" = xxx::xxxx:xxxx:xxxx...%eth0:631
    D [10/Dec/2016:22:36:58 +0100] Report: clients=0
    D [10/Dec/2016:22:36:58 +0100] Report: jobs=66
    D [10/Dec/2016:22:36:58 +0100] Report: jobs-active=1
    D [10/Dec/2016:22:36:58 +0100] Report: printers=3
    D [10/Dec/2016:22:36:58 +0100] Report: printers-implicit=0
    D [10/Dec/2016:22:36:58 +0100] Report: stringpool-string-count=1121
    D [10/Dec/2016:22:36:58 +0100] Report: stringpool-alloc-bytes=9040
    D [10/Dec/2016:22:36:58 +0100] Report: stringpool-total-bytes=23872
    D [10/Dec/2016:22:38:00 +0100] cupsdNetIFUpdate: "lo" = localhost:631
    D [10/Dec/2016:22:38:00 +0100] cupsdNetIFUpdate: "eth0" =
    D [10/Dec/2016:22:38:00 +0100] cupsdNetIFUpdate: "lo" = localhost:631
    D [10/Dec/2016:22:38:00 +0100] cupsdNetIFUpdate: "eth0" = xxx::xxxx:xxxx:xxxx...%eth0:631
    D [10/Dec/2016:22:38:00 +0100] Report: clients=0
    D [10/Dec/2016:22:38:00 +0100] Report: jobs=66
    D [10/Dec/2016:22:38:00 +0100] Report: jobs-active=1
    D [10/Dec/2016:22:38:00 +0100] Report: printers=3
    D [10/Dec/2016:22:38:00 +0100] Report: printers-implicit=0
    D [10/Dec/2016:22:38:00 +0100] Report: stringpool-string-count=1121
    D [10/Dec/2016:22:38:00 +0100] Report: stringpool-alloc-bytes=9040
    D [10/Dec/2016:22:38:00 +0100] Report: stringpool-total-bytes=23872
    D [10/Dec/2016:22:39:02 +0100] cupsdNetIFUpdate: "lo" = localhost:631
    D [10/Dec/2016:22:39:02 +0100] cupsdNetIFUpdate: "eth0" =
    D [10/Dec/2016:22:39:02 +0100] cupsdNetIFUpdate: "lo" = localhost:631
    D [10/Dec/2016:22:39:02 +0100] cupsdNetIFUpdate: "eth0" = xxx::xxxx:xxxx:xxxx...%eth0:631
    D [10/Dec/2016:22:39:02 +0100] Report: clients=0
    D [10/Dec/2016:22:39:02 +0100] Report: jobs=66
    D [10/Dec/2016:22:39:02 +0100] Report: jobs-active=1
    D [10/Dec/2016:22:39:02 +0100] Report: printers=3
    D [10/Dec/2016:22:39:02 +0100] Report: printers-implicit=0
    D [10/Dec/2016:22:39:02 +0100] Report: stringpool-string-count=1121
    D [10/Dec/2016:22:39:02 +0100] Report: stringpool-alloc-bytes=9040
    D [10/Dec/2016:22:39:02 +0100] Report: stringpool-total-bytes=23872
    D [10/Dec/2016:22:40:04 +0100] cupsdNetIFUpdate: "lo" = localhost:631
    D [10/Dec/2016:22:40:04 +0100] cupsdNetIFUpdate: "eth0" =
    D [10/Dec/2016:22:40:04 +0100] cupsdNetIFUpdate: "lo" = localhost:631
    D [10/Dec/2016:22:40:04 +0100] cupsdNetIFUpdate: "eth0" = xxx::xxxx:xxxx:xxxx...%eth0:631
    D [10/Dec/2016:22:40:04 +0100] Report: clients=0
    D [10/Dec/2016:22:40:04 +0100] Report: jobs=66
    D [10/Dec/2016:22:40:04 +0100] Report: jobs-active=1
    D [10/Dec/2016:22:40:04 +0100] Report: printers=3
    D [10/Dec/2016:22:40:04 +0100] Report: printers-implicit=0
    D [10/Dec/2016:22:40:04 +0100] Report: stringpool-string-count=1121
    D [10/Dec/2016:22:40:04 +0100] Report: stringpool-alloc-bytes=9040
    D [10/Dec/2016:22:40:04 +0100] Report: stringpool-total-bytes=23872
    D [10/Dec/2016:22:41:06 +0100] cupsdNetIFUpdate: "lo" = localhost:631
    D [10/Dec/2016:22:41:06 +0100] cupsdNetIFUpdate: "eth0" =
    D [10/Dec/2016:22:41:06 +0100] cupsdNetIFUpdate: "lo" = localhost:631
    D [10/Dec/2016:22:41:06 +0100] cupsdNetIFUpdate: "eth0" = xxx::xxxx:xxxx:xxxx...%eth0:631
    D [10/Dec/2016:22:41:06 +0100] Report: clients=0
    D [10/Dec/2016:22:41:06 +0100] Report: jobs=66
    D [10/Dec/2016:22:41:06 +0100] Report: jobs-active=1
    D [10/Dec/2016:22:41:06 +0100] Report: printers=3
    D [10/Dec/2016:22:41:06 +0100] Report: printers-implicit=0
    D [10/Dec/2016:22:41:06 +0100] Report: stringpool-string-count=1121
    D [10/Dec/2016:22:41:06 +0100] Report: stringpool-alloc-bytes=9040
    D [10/Dec/2016:22:41:06 +0100] Report: stringpool-total-bytes=23872
    D [10/Dec/2016:22:42:08 +0100] cupsdNetIFUpdate: "lo" = localhost:631
    D [10/Dec/2016:22:42:08 +0100] cupsdNetIFUpdate: "eth0" =
    D [10/Dec/2016:22:42:08 +0100] cupsdNetIFUpdate: "lo" = localhost:631
    D [10/Dec/2016:22:42:08 +0100] cupsdNetIFUpdate: "eth0" = xxx::xxxx:xxxx:xxxx...%eth0:631
    D [10/Dec/2016:22:42:08 +0100] Report: clients=0
    D [10/Dec/2016:22:42:08 +0100] Report: jobs=66
    D [10/Dec/2016:22:42:08 +0100] Report: jobs-active=1
    D [10/Dec/2016:22:42:08 +0100] Report: printers=3
    D [10/Dec/2016:22:42:08 +0100] Report: printers-implicit=0
    D [10/Dec/2016:22:42:08 +0100] Report: stringpool-string-count=1121 D [10/Dec/2016:22:42:08 +0100] Report: stringpool-alloc-bytes=9040
    D [10/Dec/2016:22:42:08 +0100] Report: stringpool-total-bytes=23872
    D [10/Dec/2016:22:43:10 +0100] cupsdNetIFUpdate: "lo" = localhost:631
    D [10/Dec/2016:22:43:10 +0100] cupsdNetIFUpdate: "eth0" =
    D [10/Dec/2016:22:43:10 +0100] cupsdNetIFUpdate: "lo" = localhost:631
    D [10/Dec/2016:22:43:10 +0100] cupsdNetIFUpdate: "eth0" = xxx::xxxx:xxxx:xxxx...%eth0:631
    D [10/Dec/2016:22:43:10 +0100] Report: clients=0
    D [10/Dec/2016:22:43:10 +0100] Report: jobs=66
    D [10/Dec/2016:22:43:10 +0100] Report: jobs-active=1
    D [10/Dec/2016:22:43:10 +0100] Report: printers=3
    D [10/Dec/2016:22:43:10 +0100] Report: printers-implicit=0
    D [10/Dec/2016:22:43:10 +0100] Report: stringpool-string-count=1121
    D [10/Dec/2016:22:43:10 +0100] Report: stringpool-alloc-bytes=9040
    D [10/Dec/2016:22:43:10 +0100] Report: stringpool-total-bytes=23872
    D [10/Dec/2016:22:44:12 +0100] cupsdNetIFUpdate: "lo" = localhost:631
    D [10/Dec/2016:22:44:12 +0100] cupsdNetIFUpdate: "eth0" =
    D [10/Dec/2016:22:44:12 +0100] cupsdNetIFUpdate: "lo" = localhost:631
    D [10/Dec/2016:22:44:12 +0100] cupsdNetIFUpdate: "eth0" = xxx::xxxx:xxxx:xxxx...%eth0:631
    D [10/Dec/2016:22:44:12 +0100] Report: clients=0
    D [10/Dec/2016:22:44:12 +0100] Report: jobs=66
    D [10/Dec/2016:22:44:12 +0100] Report: jobs-active=1 D [10/Dec/2016:22:44:12 +0100] Report: printers=3
    D [10/Dec/2016:22:44:12 +0100] Report: printers-implicit=0
    D [10/Dec/2016:22:44:12 +0100] Report: stringpool-string-count=1121
    D [10/Dec/2016:22:44:12 +0100] Report: stringpool-alloc-bytes=9040
    D [10/Dec/2016:22:44:12 +0100] Report: stringpool-total-bytes=23872
    D [10/Dec/2016:22:45:14 +0100] cupsdNetIFUpdate: "lo" = localhost:631
    D [10/Dec/2016:22:45:14 +0100] cupsdNetIFUpdate: "eth0" =
    D [10/Dec/2016:22:45:14 +0100] cupsdNetIFUpdate: "lo" = localhost:631
    D [10/Dec/2016:22:45:14 +0100] cupsdNetIFUpdate: "eth0" = xxx::xxxx:xxxx:xxxx...%eth0:631
    D [10/Dec/2016:22:45:14 +0100] Report: clients=0
    D [10/Dec/2016:22:45:14 +0100] Report: jobs=66
    D [10/Dec/2016:22:45:14 +0100] Report: jobs-active=1
    D [10/Dec/2016:22:45:14 +0100] Report: printers=3
    D [10/Dec/2016:22:45:14 +0100] Report: printers-implicit=0
    D [10/Dec/2016:22:45:14 +0100] Report: stringpool-string-count=1121
    D [10/Dec/2016:22:45:14 +0100] Report: stringpool-alloc-bytes=9040
    D [10/Dec/2016:22:45:14 +0100] Report: stringpool-total-bytes=23872
    D [10/Dec/2016:22:46:16 +0100] cupsdNetIFUpdate: "lo" = localhost:631
    D [10/Dec/2016:22:46:16 +0100] cupsdNetIFUpdate: "eth0" =
    D [10/Dec/2016:22:46:16 +0100] cupsdNetIFUpdate: "lo" = localhost:631
    D [10/Dec/2016:22:46:16 +0100] cupsdNetIFUpdate: "eth0" = xxx::xxxx:xxxx:xxxx...%eth0:631
    D [10/Dec/2016:22:46:16 +0100] Report: clients=0
    D [10/Dec/2016:22:46:16 +0100] Report: jobs=66
    D [10/Dec/2016:22:46:16 +0100] Report: jobs-active=1
    D [10/Dec/2016:22:46:16 +0100] Report: printers=3
    D [10/Dec/2016:22:46:16 +0100] Report: printers-implicit=0
    D [10/Dec/2016:22:46:16 +0100] Report: stringpool-string-count=1121
    D [10/Dec/2016:22:46:16 +0100] Report: stringpool-alloc-bytes=9040
    D [10/Dec/2016:22:46:16 +0100] Report: stringpool-total-bytes=23872
    D [10/Dec/2016:22:47:18 +0100] cupsdNetIFUpdate: "lo" = localhost:631
    D [10/Dec/2016:22:47:18 +0100] cupsdNetIFUpdate: "eth0" =
    D [10/Dec/2016:22:47:18 +0100] cupsdNetIFUpdate: "lo" = localhost:631
    D [10/Dec/2016:22:47:18 +0100] cupsdNetIFUpdate: "eth0" = xxx::xxxx:xxxx:xxxx...%eth0:631
    D [10/Dec/2016:22:47:18 +0100] Report: clients=0
    D [10/Dec/2016:22:47:18 +0100] Report: jobs=66
    D [10/Dec/2016:22:47:18 +0100] Report: jobs-active=1
    D [10/Dec/2016:22:47:18 +0100] Report: printers=3
    D [10/Dec/2016:22:47:18 +0100] Report: printers-implicit=0
    D [10/Dec/2016:22:47:18 +0100] Report: stringpool-string-count=1121
    D [10/Dec/2016:22:47:18 +0100] Report: stringpool-alloc-bytes=9040
    D [10/Dec/2016:22:47:18 +0100] Report: stringpool-total-bytes=23872
    D [10/Dec/2016:22:48:20 +0100] cupsdNetIFUpdate: "lo" = localhost:631
    D [10/Dec/2016:22:48:20 +0100] cupsdNetIFUpdate: "eth0" =
    D [10/Dec/2016:22:48:20 +0100] cupsdNetIFUpdate: "lo" = localhost:631
    D [10/Dec/2016:22:48:20 +0100] cupsdNetIFUpdate: "eth0" = xxx::xxxx:xxxx:xxxx...%eth0:631
    D [10/Dec/2016:22:48:20 +0100] Report: clients=0
    D [10/Dec/2016:22:48:20 +0100] Report: jobs=66
    D [10/Dec/2016:22:48:20 +0100] Report: jobs-active=1
    D [10/Dec/2016:22:48:20 +0100] Report: printers=3
    D [10/Dec/2016:22:48:20 +0100] Report: printers-implicit=0
    D [10/Dec/2016:22:48:20 +0100] Report: stringpool-string-count=1121
    D [10/Dec/2016:22:48:20 +0100] Report: stringpool-alloc-bytes=9040
    D [10/Dec/2016:22:48:20 +0100] Report: stringpool-total-bytes=23872

    end of error_log (eth2 ipv6 was changed here for my protection; notice: we could not copy the whole file, so times have changed some protocoling timestamps within the listing)

    But since patched kernel still no printer output... (so I might still have to use my usb-stick (mdvr2010.2) or printer-server for printing, cups 1.4.5 (mdv2010.2))

    Nevertheless, DCP-115C (MFC210C) prints again now, after following changes were made: Change system-config-printer (el6) and system-config-printer-libs (el6) to system-config-printer (mdv2010.2), system-config-printer-libs (mdv2010.2) and additionally use system-config-printer-kde (mdv2010.2) without printer-applet (mga2), but with task-printing (mdv2010.2) and task-printing-xxx (mdv2010.2), adjust lxml2-python (el6), python-cups (el6), add the acl-option to the root-partition in /etc/fstab, load kernel-printer-module usblp following the entry modprobe usblp by rc.modules, add the udev-rule with the vendor-id:product-id and change cups-1.4.2 (el6) to cups-1.4.5 (mdv2010.2). Finally restart cupsd:


    D [12/Dec/2016:12:33:10 +0100] cupsdSetBusyState: Not busy
    D [12/Dec/2016:12:33:10 +0100] cupsdReadClient: 11 POST /printers/Brother-DCP-115C HTTP/1.1
    D [12/Dec/2016:12:33:10 +0100] cupsdSetBusyState: Active clients
    D [12/Dec/2016:12:33:10 +0100] cupsdAuthorize: Authorized as secret using PeerCred
    D [12/Dec/2016:12:33:10 +0100] cupsdReadClient: 11 1.1 Create-Job 1
    D [12/Dec/2016:12:33:10 +0100] Create-Job ipp://localhost:631/printers/Brother-DCP-115C
    D [12/Dec/2016:12:33:10 +0100] cupsdIsAuthorized: username="kept_anonymously_here"
    D [12/Dec/2016:12:33:10 +0100] cupsdMarkDirty(----J-)
    D [12/Dec/2016:12:33:10 +0100] cupsdSetBusyState: Active clients and dirty files
    D [12/Dec/2016:12:33:10 +0100] Adding default job-sheets values "none,none"...
    I [12/Dec/2016:12:33:10 +0100] [Job 477] Adding start banner page "none".
    D [12/Dec/2016:12:33:10 +0100] cupsdMarkDirty(-----S)
    I [12/Dec/2016:12:33:10 +0100] [Job 477] Queued on "Brother-DCP-115C" by "kept-anonymously-here".
    D [12/Dec/2016:12:33:10 +0100] Returning IPP successful-ok for Create-Job (ipp://localhost:631/printers/Brother-DCP-115C) from localhost
    D [12/Dec/2016:12:33:10 +0100] cupsdSetBusyState: Dirty files
    D [12/Dec/2016:12:33:10 +0100] cupsdReadClient: 11 POST /printers/Brother-DCP-115C HTTP/1.1
    D [12/Dec/2016:12:33:10 +0100] cupsdSetBusyState: Active clients and dirty files
    D [12/Dec/2016:12:33:10 +0100] cupsdAuthorize: Authorized as secret using PeerCred
    D [12/Dec/2016:12:33:10 +0100] cupsdReadClient: 11 1.1 Send-Document 1
    D [12/Dec/2016:12:33:10 +0100] Send-Document ipp://localhost:631/printers/Brother-DCP-115C
    D [12/Dec/2016:12:33:10 +0100] cupsdIsAuthorized: username="kept-anonymously-here"
    D [12/Dec/2016:12:33:10 +0100] [Job 477] Auto-typing file...
    D [12/Dec/2016:12:33:10 +0100] [Job 477] Request file type is application/pdf.
    D [12/Dec/2016:12:33:10 +0100] cupsdMarkDirty(----J-)
    I [12/Dec/2016:12:33:10 +0100] [Job 477] File of type application/pdf queued by "kept_anonymously_here".
    I [12/Dec/2016:12:33:10 +0100] [Job 477] Adding end banner page "none".
    D [12/Dec/2016:12:33:10 +0100] cupsdMarkDirty(----J-)
    D [12/Dec/2016:12:33:10 +0100] cupsdMarkDirty(----J-)
    D [12/Dec/2016:12:33:10 +0100] cupsdSetBusyState: Active clients, printing jobs, and dirty files
    D [12/Dec/2016:12:33:10 +0100] cupsdMarkDirty(-----S)
    D [12/Dec/2016:12:33:10 +0100] [Job 477] job-sheets=none,none
    D [12/Dec/2016:12:33:10 +0100] [Job 477] argv[0]="Brother-DCP-115C"
    D [12/Dec/2016:12:33:10 +0100] [Job 477] argv[1]="477"
    D [12/Dec/2016:12:33:10 +0100] [Job 477] argv[2]="kept-anonymously-here"
    D [12/Dec/2016:12:33:10 +0100] [Job 477] argv[3]="Unbenannt"
    D [12/Dec/2016:12:33:10 +0100] [Job 477] argv[4]="1"
    D [12/Dec/2016:12:33:10 +0100] [Job 477] argv[5]="media=BrA4 job-uuid=urn:uuid:a514adcd-4dc3-3c85-4618-38c28b28f13a job-originating-host-name=localhost time-at-creation=1481542390 time-at-processing=1481542390 AP_D_InputSlot= PageSize=BrA4"
    D [12/Dec/2016:12:33:10 +0100] [Job 477] argv[6]="/var/spool/cups/d00477-001"
    D [12/Dec/2016:12:33:10 +0100] [Job 477] envp[0]="CUPS_CACHEDIR=/var/cache/cups"
    D [12/Dec/2016:12:33:10 +0100] [Job 477] envp[1]="CUPS_DATADIR=/usr/share/cups"
    D [12/Dec/2016:12:33:10 +0100] [Job 477] envp[2]="CUPS_DOCROOT=/usr/share/cups/doc"
    D [12/Dec/2016:12:33:10 +0100] [Job 477] envp[3]="CUPS_FONTPATH=/usr/share/cups/fonts"
    D [12/Dec/2016:12:33:10 +0100] [Job 477] envp[4]="CUPS_REQUESTROOT=/var/spool/cups"
    D [12/Dec/2016:12:33:10 +0100] [Job 477] envp[5]="CUPS_SERVERBIN=/usr/lib/cups"
    D [12/Dec/2016:12:33:10 +0100] [Job 477] envp[6]="CUPS_SERVERROOT=/etc/cups"
    D [12/Dec/2016:12:33:10 +0100] [Job 477] envp[7]="CUPS_STATEDIR=/var/run/cups"
    D [12/Dec/2016:12:33:10 +0100] [Job 477] envp[8]="HOME=/var/spool/cups/tmp"
    D [12/Dec/2016:12:33:10 +0100] [Job 477] envp[9]="PATH=/usr/lib/cups/filter:/usr/bin:/usr/sbin:/bin:/usr/bin"
    D [12/Dec/2016:12:33:10 +0100] [Job 477] envp[10]="SERVER_ADMIN=root@localhost.localdomain"
    D [12/Dec/2016:12:33:10 +0100] [Job 477] envp[11]="SOFTWARE=CUPS/1.4.5"
    D [12/Dec/2016:12:33:10 +0100] [Job 477] envp[12]="TMPDIR=/var/spool/cups/tmp"
    D [12/Dec/2016:12:33:10 +0100] [Job 477] envp[13]="USER=root"
    D [12/Dec/2016:12:33:10 +0100] [Job 477] envp[14]="CUPS_SERVER=/var/run/cups/cups.sock"
    D [12/Dec/2016:12:33:10 +0100] [Job 477] envp[15]="CUPS_ENCRYPTION=IfRequested"
    D [12/Dec/2016:12:33:10 +0100] [Job 477] envp[16]="IPP_PORT=631"
    D [12/Dec/2016:12:33:10 +0100] [Job 477] envp[17]="CHARSET=utf-8"
    D [12/Dec/2016:12:33:10 +0100] [Job 477] envp[18]="LANG=de_DE.UTF-8"
    D [12/Dec/2016:12:33:10 +0100] [Job 477] envp[19]="PPD=/etc/cups/ppd/Brother-DCP-115C.ppd"
    D [12/Dec/2016:12:33:10 +0100] [Job 477] envp[20]="RIP_MAX_CACHE=8m"
    D [12/Dec/2016:12:33:10 +0100] [Job 477] envp[21]="CONTENT_TYPE=application/pdf"
    D [12/Dec/2016:12:33:10 +0100] [Job 477] envp[22]="DEVICE_URI=usb://Brother/DCP-115C?serial=BROE7F871829"
    D [12/Dec/2016:12:33:10 +0100] [Job 477] envp[23]="PRINTER_INFO=Brother DCP-115C"
    D [12/Dec/2016:12:33:10 +0100] [Job 477] envp[24]="PRINTER_LOCATION=localhost.localdomain"
    D [12/Dec/2016:12:33:10 +0100] [Job 477] envp[25]="PRINTER=Brother-DCP-115C"
    D [12/Dec/2016:12:33:10 +0100] [Job 477] envp[26]="CUPS_FILETYPE=document"
    D [12/Dec/2016:12:33:10 +0100] [Job 477] envp[27]="FINAL_CONTENT_TYPE=printer/Brother-DCP-115C"
    D [12/Dec/2016:12:33:10 +0100] [Job 477] envp[28]="AUTH_U****"
    D [12/Dec/2016:12:33:10 +0100] [Job 477] envp[29]="AUTH_P****"
    I [12/Dec/2016:12:33:10 +0100] [Job 477] Started filter /usr/lib/cups/filter/pdftops (PID 4084)
    I [12/Dec/2016:12:33:10 +0100] [Job 477] Started filter /usr/lib/cups/filter/brlpdwrapperMFC210C (PID 4085)
    I [12/Dec/2016:12:33:10 +0100] [Job 477] Started backend /usr/lib/cups/backend/usb (PID 4086)
    D [12/Dec/2016:12:33:10 +0100] cupsdMarkDirty(-----S)
    D [12/Dec/2016:12:33:10 +0100] Returning IPP successful-ok for Send-Document (ipp://localhost:631/printers/Brother-DCP-115C) from localhost
    D [12/Dec/2016:12:33:10 +0100] cupsdSetBusyState: Printing jobs and dirty files
    D [12/Dec/2016:12:33:10 +0100] [Job 477] STATE: +connecting-to-device
    D [12/Dec/2016:12:33:10 +0100] cupsdMarkDirty(-----S)
    W [12/Dec/2016:12:33:10 +0100] [Job 477] If you have more than one Brother DCP-115C printer connected to this machine, please unload (and blacklist) the "usblp" kernel module as otherwise CUPS will not be able to distinguish your printers.
    D [12/Dec/2016:12:33:10 +0100] [Job 477] Set job-printer-state-message to "If you have more than one Brother DCP-115C printer connected to this machine, please unload (and blacklist) the "usblp" kernel module as otherwise CUPS will not be able to distinguish your printers.", current level=WARN
    D [12/Dec/2016:12:33:10 +0100] cupsdMarkDirty(-----S)
    D [12/Dec/2016:12:33:10 +0100] cupsdMarkDirty(-----S)
    D [12/Dec/2016:12:33:10 +0100] [Job 477] Printer using device file "/dev/usblp0"...
    D [12/Dec/2016:12:33:10 +0100] [Job 477] STATE: -connecting-to-device
    D [12/Dec/2016:12:33:10 +0100] cupsdMarkDirty(-----S)
    D [12/Dec/2016:12:33:10 +0100] [Job 477] backendRunLoop(print_fd=0, device_fd=5, snmp_fd=-1, addr=(nil), use_bc=0, side_cb=0x7fe4a3d7c6ff)
    D [12/Dec/2016:12:33:10 +0100] [Job 477] Started filter pdftops (PID 4091)
    D [12/Dec/2016:12:33:10 +0100] [Job 477] Started filter pstops (PID 4092)
    D [12/Dec/2016:12:33:10 +0100] [Job 477] PID 4091 (pdftops) exited with no errors.
    D [12/Dec/2016:12:33:10 +0100] [Job 477] Page = 595x842; 9,9 to 586,833
    D [12/Dec/2016:12:33:10 +0100] [Job 477] slow_collate=0, slow_duplex=0, slow_order=1
    D [12/Dec/2016:12:33:10 +0100] [Job 477] Before copy_comments - %!PS-Adobe-3.0 D [12/Dec/2016:12:33:10 +0100] [Job 477] %!PS-Adobe-3.0
    D [12/Dec/2016:12:33:10 +0100] [Job 477] %%Creator:
    D [12/Dec/2016:12:33:10 +0100] [Job 477] %%LanguageLevel: 3
    D [12/Dec/2016:12:33:10 +0100] [Job 477] %%DocumentSuppliedResources: (atend)
    D [12/Dec/2016:12:33:10 +0100] [Job 477] %%DocumentMedia: plain 595 842 0 () ()
    D [12/Dec/2016:12:33:10 +0100] [Job 477] %%BoundingBox: 0 0 595 842
    D [12/Dec/2016:12:33:10 +0100] [Job 477] %%Pages: 1
    D [12/Dec/2016:12:33:10 +0100] [Job 477] %%EndComments
    D [12/Dec/2016:12:33:10 +0100] [Job 477] Before copy_prolog - %%BeginDefaults
    D [12/Dec/2016:12:33:10 +0100] [Job 477] Before copy_setup - %%BeginSetup
    D [12/Dec/2016:12:33:10 +0100] [Job 477] Before page loop - %%Page: 1 1
    D [12/Dec/2016:12:33:10 +0100] [Job 477] Copying page 1...
    D [12/Dec/2016:12:33:10 +0100] [Job 477] pagew = 577.0, pagel = 824.0
    D [12/Dec/2016:12:33:10 +0100] [Job 477] bboxx = 0, bboxy = 0, bboxw = 595, bboxl = 842
    D [12/Dec/2016:12:33:10 +0100] [Job 477] PageLeft = 9.0, PageRight = 586.0
    D [12/Dec/2016:12:33:10 +0100] [Job 477] PageTop = 833.0, PageBottom = 9.0
    D [12/Dec/2016:12:33:10 +0100] [Job 477] PageWidth = 595.0, PageLength = 842.0
    D [12/Dec/2016:12:33:10 +0100] [Job 477] Wrote 1 pages...
    D [12/Dec/2016:12:33:10 +0100] [Job 477] PID 4092 (pstops) exited with no errors.
    D [12/Dec/2016:12:33:10 +0100] PID 4084 (/usr/lib/cups/filter/pdftops) exited with no errors.
    D [12/Dec/2016:12:33:14 +0100] [Job 477] Read 2567 bytes of print data...
    D [12/Dec/2016:12:33:14 +0100] [Job 477] STATE: -media-empty-warning
    D [12/Dec/2016:12:33:14 +0100] [Job 477] STATE: -offline-report
    I [12/Dec/2016:12:33:14 +0100] [Job 477] Drucker ist jetzt online.
    D [12/Dec/2016:12:33:14 +0100] cupsdMarkDirty(-----S)
    D [12/Dec/2016:12:33:14 +0100] cupsdMarkDirty(-----S)
    D [12/Dec/2016:12:33:14 +0100] [Job 477] Wrote 2567 bytes of print data...
    D [12/Dec/2016:12:33:15 +0100] [Job 477] Read 43 bytes of print data...
    D [12/Dec/2016:12:33:15 +0100] [Job 477] Wrote 43 bytes of print data...
    D [12/Dec/2016:12:33:15 +0100] [Job 477] Read 4096 bytes of print data... # system-config-printer (mdv2010.2, pclos) with system-config-printer-udev (el6) has been missed right before; previous: system-config-printer (el6).
    D [12/Dec/2016:12:33:15 +0100] [Job 477] Wrote 4096 bytes of print data...
    D [12/Dec/2016:12:33:17 +0100] [Job 477] Read 1167 bytes of print data...
    D [12/Dec/2016:12:33:17 +0100] [Job 477] Wrote 1167 bytes of print data...
    D [12/Dec/2016:12:33:17 +0100] [Job 477] Read 2 bytes of print data...
    D [12/Dec/2016:12:33:17 +0100] [Job 477] Wrote 2 bytes of print data...
    D [12/Dec/2016:12:33:17 +0100] PID 4085 (/usr/lib/cups/filter/brlpdwrapperMFC210C) exited with no errors.
    D [12/Dec/2016:12:33:17 +0100] PID 4086 (/usr/lib/cups/backend/usb) exited with no errors.
    D [12/Dec/2016:12:33:17 +0100] cupsdMarkDirty(-----S)
    I [12/Dec/2016:12:33:17 +0100] [Job 477] Job completed.

    D [12/Dec/2016:12:33:17 +0100] cupsdMarkDirty(----J-)
    D [12/Dec/2016:12:33:17 +0100] cupsdMarkDirty(-----S)
    D [12/Dec/2016:12:33:18 +0100] [Job 477] Unloading...
    I [12/Dec/2016:12:33:41 +0100] Saving job cache file "/var/cache/cups/job.cache"...
    I [12/Dec/2016:12:33:41 +0100] Saving subscriptions.conf...
    D [12/Dec/2016:12:33:41 +0100] cupsdSetBusyState: Not busy
    D [12/Dec/2016:12:33:45 +0100] cupsdNetIFUpdate: "lo" = localhost:631
    D [12/Dec/2016:12:33:45 +0100] cupsdNetIFUpdate: "eth0" =
    D [12/Dec/2016:12:33:45 +0100] cupsdNetIFUpdate: "lo" = localhost:631
    D [12/Dec/2016:12:33:45 +0100] cupsdNetIFUpdate: "eth0" = xxxxxxxxxx%eth0:631
    D [12/Dec/2016:12:33:45 +0100] Report: clients=1
    D [12/Dec/2016:12:33:45 +0100] Report: jobs=71
    D [12/Dec/2016:12:33:45 +0100] Report: jobs-active=0
    D [12/Dec/2016:12:33:45 +0100] Report: printers=2
    D [12/Dec/2016:12:33:45 +0100] Report: printers-implicit=0
    D [12/Dec/2016:12:33:45 +0100] Report: stringpool-string-count=952
    D [12/Dec/2016:12:33:45 +0100] Report: stringpool-alloc-bytes=9304
    D [12/Dec/2016:12:33:45 +0100] Report: stringpool-total-bytes=20616
    D [12/Dec/2016:12:34:47 +0100] cupsdNetIFUpdate: "lo" = localhost:631
    D [12/Dec/2016:12:34:47 +0100] cupsdNetIFUpdate: "eth0" =
    D [12/Dec/2016:12:34:47 +0100] cupsdNetIFUpdate: "lo" = localhost:631
    D [12/Dec/2016:12:34:47 +0100] cupsdNetIFUpdate: "eth0" = xxxxxxxxxxx%eth0:631
    D [12/Dec/2016:12:34:47 +0100] Report: clients=1
    D [12/Dec/2016:12:34:47 +0100] Report: jobs=71
    D [12/Dec/2016:12:34:47 +0100] Report: jobs-active=0
    D [12/Dec/2016:12:34:47 +0100] Report: printers=2
    D [12/Dec/2016:12:34:47 +0100] Report: printers-implicit=0
    D [12/Dec/2016:12:34:47 +0100] Report: stringpool-string-count=952
    D [12/Dec/2016:12:34:47 +0100] Report: stringpool-alloc-bytes=9304
    D [12/Dec/2016:12:34:47 +0100] Report: stringpool-total-bytes=20616
    D [12/Dec/2016:12:35:49 +0100] cupsdNetIFUpdate: "lo" = localhost:631
    D [12/Dec/2016:12:35:49 +0100] cupsdNetIFUpdate: "eth0" = D [12/Dec/2016:12:35:49 +0100] cupsdNetIFUpdate: "lo" = localhost:631 D [12/Dec/2016:12:35:49 +0100] cupsdNetIFUpdate: "eth0" = fxxxxxxxxx%eth0:631
    D [12/Dec/2016:12:35:49 +0100] Report: clients=1
    D [12/Dec/2016:12:35:49 +0100] Report: jobs=71
    D [12/Dec/2016:12:35:49 +0100] Report: jobs-active=0
    D [12/Dec/2016:12:35:49 +0100] Report: printers=2
    D [12/Dec/2016:12:35:49 +0100] Report: printers-implicit=0
    D [12/Dec/2016:12:35:49 +0100] Report: stringpool-string-count=952
    D [12/Dec/2016:12:35:49 +0100] Report: stringpool-alloc-bytes=9304
    D [12/Dec/2016:12:35:49 +0100] Report: stringpool-total-bytes=20616
    D [12/Dec/2016:12:36:51 +0100] cupsdNetIFUpdate: "lo" = localhost:631
    D [12/Dec/2016:12:36:51 +0100] cupsdNetIFUpdate: "eth0" =
    D [12/Dec/2016:12:36:51 +0100] cupsdNetIFUpdate: "lo" = localhost:631
    D [12/Dec/2016:12:36:51 +0100] cupsdNetIFUpdate: "eth0" = xxxxxxxxxxxxxxxxxxx%eth0:631
    D [12/Dec/2016:12:36:51 +0100] Report: clients=1
    D [12/Dec/2016:12:36:51 +0100] Report: jobs=71
    D [12/Dec/2016:12:36:51 +0100] Report: jobs-active=0
    D [12/Dec/2016:12:36:51 +0100] Report: printers=2
    D [12/Dec/2016:12:36:51 +0100] Report: printers-implicit=0
    D [12/Dec/2016:12:36:51 +0100] Report: stringpool-string-count=952
    D [12/Dec/2016:12:36:51 +0100] Report: stringpool-alloc-bytes=9304
    D [12/Dec/2016:12:36:51 +0100] Report: stringpool-total-bytes=20616
    D [12/Dec/2016:12:37:54 +0100] cupsdNetIFUpdate: "lo" = localhost:631
    D [12/Dec/2016:12:37:54 +0100] cupsdNetIFUpdate: "eth0" =
    D [12/Dec/2016:12:37:54 +0100] cupsdNetIFUpdate: "lo" = localhost:631
    D [12/Dec/2016:12:37:54 +0100] cupsdNetIFUpdate: "eth0" = xxxxxxxxxxxxxx%eth0:631
    D [12/Dec/2016:12:37:54 +0100] Report: clients=1
    D [12/Dec/2016:12:37:54 +0100] Report: jobs=71
    D [12/Dec/2016:12:37:54 +0100] Report: jobs-active=0
    D [12/Dec/2016:12:37:54 +0100] Report: printers=2
    D [12/Dec/2016:12:37:54 +0100] Report: printers-implicit=0
    D [12/Dec/2016:12:37:54 +0100] Report: stringpool-string-count=952
    D [12/Dec/2016:12:37:54 +0100] Report: stringpool-alloc-bytes=9304
    D [12/Dec/2016:12:37:54 +0100] Report: stringpool-total-bytes=20616
    D [12/Dec/2016:12:38:11 +0100] Closing client 11 after 300 seconds of inactivity...
    D [12/Dec/2016:12:38:11 +0100] cupsdCloseClient: 11
    D [12/Dec/2016:12:38:56 +0100] cupsdNetIFUpdate: "lo" = localhost:631
    D [12/Dec/2016:12:38:56 +0100] cupsdNetIFUpdate: "eth0" =
    D [12/Dec/2016:12:38:56 +0100] cupsdNetIFUpdate: "lo" = localhost:631
    D [12/Dec/2016:12:38:56 +0100] cupsdNetIFUpdate: "eth0" = xxxxxxxxxxxxxx%eth0:631
    D [12/Dec/2016:12:38:56 +0100] Report: clients=0
    D [12/Dec/2016:12:38:56 +0100] Report: jobs=71
    D [12/Dec/2016:12:38:56 +0100] Report: jobs-active=0
    D [12/Dec/2016:12:38:56 +0100] Report: printers=2
    D [12/Dec/2016:12:38:56 +0100] Report: printers-implicit=0
    D [12/Dec/2016:12:38:56 +0100] Report: stringpool-string-count=952
    D [12/Dec/2016:12:38:56 +0100] Report: stringpool-alloc-bytes=9304
    D [12/Dec/2016:12:38:56 +0100] Report: stringpool-total-bytes=20616
    D [12/Dec/2016:12:39:58 +0100] cupsdNetIFUpdate: "lo" = localhost:631
    D [12/Dec/2016:12:39:58 +0100] cupsdNetIFUpdate: "eth0" =
    D [12/Dec/2016:12:39:58 +0100] cupsdNetIFUpdate: "lo" = localhost:631
    D [12/Dec/2016:12:39:58 +0100] cupsdNetIFUpdate: "eth0" = xxxxxxxxxxxxxx%eth0:631
    D [12/Dec/2016:12:39:58 +0100] Report: clients=0
    D [12/Dec/2016:12:39:58 +0100] Report: jobs=71
    D [12/Dec/2016:12:39:58 +0100] Report: jobs-active=0
    D [12/Dec/2016:12:39:58 +0100] Report: printers=2
    D [12/Dec/2016:12:39:58 +0100] Report: printers-implicit=0
    D [12/Dec/2016:12:39:58 +0100] Report: stringpool-string-count=952
    D [12/Dec/2016:12:39:58 +0100] Report: stringpool-alloc-bytes=9304
    D [12/Dec/2016:12:39:58 +0100] Report: stringpool-total-bytes=20616
    D [12/Dec/2016:12:41:00 +0100] cupsdNetIFUpdate: "lo" = localhost:631
    D [12/Dec/2016:12:41:00 +0100] cupsdNetIFUpdate: "eth0" =
    D [12/Dec/2016:12:41:00 +0100] cupsdNetIFUpdate: "lo" = localhost:631
    D [12/Dec/2016:12:41:00 +0100] cupsdNetIFUpdate: "eth0" = xxxxxxxxxxxxxx%eth0:631
    D [12/Dec/2016:12:41:00 +0100] Report: clients=0
    D [12/Dec/2016:12:41:00 +0100] Report: jobs=71
    D [12/Dec/2016:12:41:00 +0100] Report: jobs-active=0
    D [12/Dec/2016:12:41:00 +0100] Report: printers=2
    D [12/Dec/2016:13:20:17 +0100] Report: stringpool-string-count=952
    D [12/Dec/2016:13:20:17 +0100] Report: stringpool-alloc-bytes=9304
    D [12/Dec/2016:13:20:17 +0100] Report: stringpool-total-bytes=20616

    DCP-115C is printing again now, must be forever and together with paper outputs, testpage in detail: cups-1.4.6 (pclos) or cups-1.4.5 (mdv2010.2).

    LogLevel: reset to "warn"

    Problem: A python app does not start. Manual start by typing into terminal presents the following error: "Module a_python_module Import error"
    Solution: Follow the directories and files listed by starting the underlying program resp. process with strace and copy missed modules (almost out of /usr/lib64/python2.6/site-packages/ into those directories (modules) and file-locations (modules in detail) listed empty. Check out the python-version by "python -V" (should be python-2.6(.6-66) (el6) in our case) . Also set the access rights: chmod 755 -R /usr/lib64/python2.6, chmod 755 -R /usr/share/system-config-printer, ....
    Nevertheless a complete change from python2.5 (mdv2010.2) to python2.6 is possible, same for perl, and other python-versions (libraries) like python-libs (python2.7, el7) can be installed beneath python-2.6 too creating /usr/lib64/python2.7 beneath /usr/lib64/python2.6. We also linked /usr/lib64/python3.2, 3.3. and 3.4 to /usr/lib64/python2.6. For system-config-printer we installed the following mix out of mdv2010 and el6: system-config-printer (mdv2010.1, pclos), system-config-printer-libs (mdv2010.1, pclos), system-config-printer-kde4 (mdv2010.1, depending on KDE: el6, pclos) and system-config-printer-udev (el6, depending on udev), all task-printing (mdv2010.1, pclos). Even the printer-applet appears in the tray (task line) during the successful printout (printer modell: Brother DCP-115C (MFC210C)), so printer-applet (mga2) isn´t needed. If you get a unicode-error, old python2.5 (mdv with unicode ucf-4) are still in use. Replace them with python2.6 (el6, unicode ucf-2)

    Printer-configuration: see /etc/cups/printers.conf or start system-config-printer, even graphically by MMC -> system-config-printer, eventually start systemsettings (kde) or start the gnome-control-center instead of system-config-printer. Manually, a printer can be configured by the command lpadmin (details for this command see above). The printer can also be configured using the browser and typing into the address line: localhost:631.

    If the printout does not contain the printout (any words and letter) itself, reinstall the editor (in our case exchange kwrite (OpenSuSE 4.4.4) with kwrite (mdv2010.2 oder el6))..

    How it should be (and how it is now): The client starts the printer job. The local driver transforms the document into a RAW-file and sents this file to CUPSD. CUPSD transforms the RAW into a postscript-file by ghostscript and sents it to the printer by settings and parameters within the ppd-file. But at last, KDE (mdv2010.2, patched konqueror) does contribute to the job.

    Run the cups wrapper file in /usr/local/Brother/cupswrapper. This should automatically install and configure your brother printer.

    lpstat -t provides on overview about the print-jobs and the state (like printing, inactive and so on) of each printer.

    There you can also look out for the user, who is printing. Not all might be allowed. Configure permissions for different user through localhost:631 (CUPS > =1.4.5) or system-config-printer (el6, mdv)-

    Cups-configuration: /etc/cups/cupsd.conf

    child-exit-error (cups-1.4.2 (el6): reconfigure cupsd.conf or exchange /usr/lib64/libcups.so.2.

    Printer Paused - "/usr/lib/cups/backend/hp failed" [SOLVED]: chmod 666 /dev/usb/lp0 and set line
    usbfs /proc/bus/usb usbfs auto,devmode=0666 0 0 in /etc/fstab, another solution: https://bbs.archlinux.org/viewtopic.php?id=85454

    Kernel-modules: usbcore, usblp, usb_storage, if such modules are not loaded (lsmod), load them through /etc/rc.modules by entering at the end of all lines "modprobe usblp" usw.

    There is a "libusb" related bugs on certain version of cups.

    If nothing helps, reinstall CUPS and/or lpr!

    https://wiki.archlinux.org/index.php/CUPS/Troubleshooting: Conflict with usblp
    USB printers can be accessed using two methods: The usblp kernel module and libusb. The former is the classic way. It is simple: data is sent to the printer by writing it to a device file as a simple serial data stream. Reading the same device file allows bi-di access, at least for things like reading out ink levels, status, or printer capability information (PJL). It works very well for simple printers, but for multi-function devices (printer/scanner) it is not suitable and manufacturers like HP supply their own backends. Source: here.
    Warning: As of cups version 1.6.0, it should no longer be necessary to blacklist the usblp kernel module. If you find out this is the only way to fix a remaining issue please report this upstream to the CUPS bug tracker and maybe also get in contact with Till Kamppeter (Debian CUPS maintainer). See upstream bug for more info.
    If you have problems getting your USB printer to work, you can try blacklisting the usblp kernel module:
    blacklist usblp

    Custom kernel users may need to manually load the usbcore kernel module before proceeding.
    Once the modules are installed, plug in the printer and check if the kernel detected it by running the following:
    # journalctl -e

    # dmesg

    If you are using usblp, the output should indicate that the printer has been detected like so:
    Feb 19 20:17:11 kernel: printer.c: usblp0: USB Bidirectional
    printer dev 2 if 0 alt 0 proto 2 vid 0x04E8 pid 0x300E
    Feb 19 20:17:11 kernel: usb.c: usblp driver claimed interface cfef3920
    Feb 19 20:17:11 kernel: printer.c: v0.13: USB Printer Device Class driver

    If you blacklisted usblp, you will see something like:
    usb 3-2: new full speed USB device using uhci_hcd and address 3
    usb 3-2: configuration #1 chosen from 1 choice

    michaelrsweet commented Apr 20, 2006
    Version: 1.4-feature
    CUPS.org User: till.kamppeter
    As discussed in this thread on linuxprinting.org
    and also due to problems reported with Epson multi-function devices and recent kernels it can make sense to let the "usb" backend of CUPS not use the "usblp" kernel module any more, but libusb (SANE also switched from a kernel module for USB scanners to libusb, also HPLIP from HP did so).
    Our Mandriva contributor Couriousous (couriousous at mandriva dot org, couriousous at sceen dot net) has sent to me a libusb-based USB CUPS backend once (attached), which could be the start for the development of a new USB backend for CUPS.
    Build instructions:

    Install libusb-devel (or libusb-dev)
    Let compilation being done with "-lusb" (by LDFLAGS environment variable)
    Install CUPS as usual (or simply replace your "usb" backend by the new one).

    My suggestion would be either to switch the current backend to libusb-only or better to make it runtime-configurable, so that the user can choose between using the kernel module or libusb, simply by a switch in /etc/cups/cupsd.conf or /etc/cups/usb.conf.
    This comment has been minimized.
    Sign in to view
    michaelrsweet commented Apr 20, 2006
    CUPS.org User: till.kamppeter
    Note that the usb-libusb.c was developed with CUPS 1.1.23, a slight change has to be done for CUPS 1.2 to compile it. See attached patch. You need to add "-lusb" to the "LDFLAGS" line in Makedefs after running "./configure" and before running "make". Then you get the libusb-based backend as backend/usb. Replace the original backend in /usr/lib/cups/backend by it.
    Now it auto-detects the HP PhotoSmart 2600 on USB as follows:
    [root@majax c]# /usr/lib/cups/backend/usb
    direct usb://HP/Photosmart%202600%20series?serial=MY53OK70V10400 "HP Photosmart 2600 series" "USB Printer #1002"
    [root@majax c]#
    There is no 1284 device ID, but the web interface still assigns the correct PPD file from HPLIP.
    The problem is that this backend does not actually print. When printing the test page via the web interface button I get
    Unable to find USB device "usb://HP/Photosmart%202600%20series?serial=MY53OK70V10400"
    and the queue gets stopped due to backend failure.
    So the backend seems to need some further adaptation to CUPS 1.2.

    Mandriva clears last printer-problems:

    Many Linux experts gave up on cups problems and bugs:
    It should work fine with cups and the hplip backend.
    If it says "unable to install cups" then either you haven´t configured your urpmi repos, or the system is seriously borked
    . What happens if you run any browser and type in

    Oh, by the way: How do you manage to "click" in text mode?

    There is a "libusb" related bugs on certain version of cups.

    ... use ordinary mouse with "gpm" daemon.

    I can access cups using the following command:


    Unfortunately after clicking on "printing test page" / press enter, nothing happen.

    I try with X-Windows, but after "sending test page" to printer nothing happen, only question: "Is the test page OK?" (Yes/No).

    Is there any step by step debugging of various program / process inside/called by cups?
    I want to see all the process /error in sending testpage.ps to printer port?

    I had cleaned all foomatic, cups, ghostscript, hplip, hpijs and other printer related RPM. I had installed from the latest source code: cups, foomatic, ghostscript.

    Cups with --enable-debug, but there is no cups.log or cups_log.

    There are 3 files on /var/log/cups: access_log, error_log and page_log.

    Page_log containing information about 1 test page.
    The last 5 lines from access_log:

    "POST / HTTP/1.1" 200 413 CUPS-Get-Classes successful-ok
    "POST / HTTP/1.1" 200 77 CUPS-Get-Default successful-ok
    "POST / HTTP/1.1" 200 411 CUPS-Get-Printers successful-ok
    "POST / HTTP/1.1" 200 154 Get-Jobs successful-ok
    "POST / HTTP/1.1" 200 179 CUPS-Get-Printers successful-ok

    From error_log:...

    After 2 weeks battle, the cups works:

    1. Use Cups, Ghostscript, foomatic, hplip (for HP printers) source code from Mandriva 2007.1 in SRPMS sub-directory. Re-compile using "rpmbuild --rebuild --nodeps".
    If the rpmbuild failed, change directory to "/usr/src/RPM/BUILD/cups*", run make and make install.
    Run "gsc -h" command and make sure the printer driver for your printer is included in the output.

    2. Make sure the required ghostscript fonts are available for foomatic, before rebuilding it.
    Search for all type1 and ttf font, copy to "/usr/X11R6......fonts/Type1" and "/usr/X11R6/........fonts/TTF".
    Run type1inst and ttfontmap.
    Copy the fontmap to "/usr/share/ghostscript/........./Fontmap.GS".

    Make sure GS_LIB environment variable point to the directory. Set the environment variable on /root/.bashrc or ".bashrc" file your root directory.

    export GS_LIB

    Exit/log out from root account and login again.
    To test environment variable:

    set | grep -i "gs\_lib"

    3. Modify "/etc/cups/cupsd.conf" to get the error. New values:
    LogLevel debug
    Listen # or try "Port 631" and "Listen /var/run/cups/cups.sock".

    Below each "order <deny, allow>" lines and
    below each "order <allow, deny>" lines, you must insert the following line:
    Allow 192.168.178.*

    On my "/etc/cups/cupsd.conf" there are 7 "order..........." lines

    You can check the debug / error messages at "/var/log/cups/error_log".
    You can reset the log by using the following command:

    rm -rfv /var/log/cups/*".

    After this command restart cups daemon:
    "service cups stop"
    "service cups start"

    4. I face the following printing problem: "unsupported format "text/plain" and "application/postscript". The solution:

    Modify /etc/cups/mime.convs: remove the comment sign (the character ´#´')

    application/vnd.cups-postscript application/vnd.cups-raster 100 pstoraster
    application/octet-stream application/vnd.cups-raw 0 -


    5. Create user and group: lp, lpadmin (using adduser command).

    6. Change access mode of "/dev/lp0" (resp. /dev/usb/lp0 )
    chmod a+w /dev/lp0

    7. If you got "cannot set ACLs command not supported" problem on "/var/log/cups/error_log", you must install ACL packages.


    Make sure you had compiled kernel with ACL option on "file system" kernel options (from "/usr/src/linux-...../.config")


    If you use "module" option, perhaps you can use "=m" instead of "=y".

    Modify "/etc/fstab". Add ",acl" after "defaults" on "/etc/fstab" entry. Example for root partition (/) on "/dev/hda1":

    /dev/hda1 / ext2 defaults,acl 1 1

    Reboot after modifying and saving "/etc/fstab".

    How to test acl:

    touch /test
    setfacl -m u:root:rwx /test

    8. If you face "quota limit" problem, delete the printer on CUPS menu, reboot and re-install new printer driver from scratch.

    This post has been edited by anonxyz: 26 April 2007 - 02:19 PM

    The paper shaft is devided into a lower one for the inlay of the papers and an upper one for the output of the printed paper. The separator for both has got a V-form. Use bright adhensive tapes to close the opening of the-"V". Then printed papers always get out of the shaft correctly without getting furled and without remaining in the shaft.

    The printer does its work, but the printer-applet sometimes shows the message "Can not find the printer-driver"? We chosed dmsetup with lib64devicemapper and lib64devicemapper-event from mdv2011 and udev from 2010.2 or mdv2011 from fr2.rpmfind.net. Notice, that mdv provides separate printer-manager for HP, Epson, Canon and Lexmark and so on.

    more printer-troubieshooting
    If your printer does not print in black anymore
    , PCWelt.de, 14.08.2015
    If your printer does not print in black anymore, although a new cartridge is inserted, our tipps might help you.

    Notice: This modell still has got its awful paper-jams, especially if more than one hundred papers are put into the shaft. Jammed papers have to be pulled out in a quit difficult way and manner, in order to make this printer understand and sign, that something had already been done ...

    Hardware, Printer / Drucker

    Linux Printer Driver Listing

    Hewlett Packard (HP)
    hpijs-pcl3 IJS 10 , HP´s , HPIJS driver - PPDs for , HP´s Apollo- and Sony-branded inkjet printers
    hpijs-pcl5c IJS 83 , HP´s , HPIJS driver - PPDs for compatible PCL-5c-based non-, HP color laser printers
    hpijs-pcl5e IJS 354 , HP´s , HPIJS driver - PPDs for compatible PCL-5e-based non-, HP laser printers
    hplip 479 , HP´s driver suite for printers and multi-function devices

    hplib ( deb and rpm hplib (fc, el7, el6, rosa, debian) )

    HP 2000C
    , HP 2500C
    , HP 2500CM
    , HP 910
    HP 915

    HP Business Inkjet 1000
    HP Business Inkjet 1100
    HP Business Inkjet 1200
    HP Business Inkjet 2200
    HP Business Inkjet 2230
    HP Business Inkjet 2250
    HP Business Inkjet 2250TN
    HP Business Inkjet 2280
    HP Business Inkjet 2300
    HP Business Inkjet 2600
    HP Business Inkjet 2800
    HP Business Inkjet 3000
    HP CM8050 Color MFP
    HP CM8050 MFP with Edgeline
    HP CM8060 Color MFP
    HP CM8060 MFP with Edgeline
    HP Color Inkjet Printer CP1160
    HP Color Inkjet Printer CP1700
    HP Color LaserJet
    HP Color LaserJet 2500
    HP Color LaserJet 2550
    HP Color LaserJet 2605
    HP Color LaserJet 2605dn
    HP Color LaserJet 2700
    HP Color LaserJet 2800
    HP Color LaserJet 3000
    HP Color LaserJet 3500
    HP Color LaserJet 3550
    HP Color LaserJet 3600
    HP Color LaserJet 3700
    HP Color LaserJet 3800
    HP Color LaserJet 4500
    HP Color LaserJet 4550
    HP Color LaserJet 4600
    HP Color LaserJet 4610
    HP Color LaserJet 4650
    HP Color LaserJet 4700
    HP Color LaserJet 4730 MFP
    HP Color LaserJet 5
    HP Color LaserJet 5000
    HP Color LaserJet 5500
    HP Color LaserJet 5550
    HP Color LaserJet 5M
    HP Color LaserJet 8500
    HP Color LaserJet 8550
    HP Color LaserJet 8550GN
    HP Color LaserJet 9500
    HP Color LaserJet 9500 MFP
    HP Color LaserJet CM1015
    HP Color LaserJet CM1017
    HP Color LaserJet CM4730 MFP
    HP Color LaserJet CP3505
    HP Color LaserJet CP4005
    HP DesignJet ColorPro CAD
    HP DeskJet 1100C
    HP DeskJet 1120C
    HP DeskJet 1125C
    HP DeskJet 1200C
    HP DeskJet 1220C
    HP DeskJet 1280
    HP DeskJet 1600C
    HP DeskJet 3320
    HP DeskJet 3325
    HP DeskJet 3420
    HP DeskJet 3425
    HP DeskJet 350C
    HP DeskJet 3520
    HP DeskJet 3528
    HP DeskJet 3535
    HP DeskJet 3550
    HP DeskJet 3558
    HP DeskJet 3650
    HP DeskJet 3658
    HP DeskJet 3668
    HP DeskJet 3740
    HP DeskJet 3810
    HP DeskJet 3816
    HP DeskJet 3820
    HP DeskJet 3822
    HP DeskJet 3840
    HP DeskJet 3845
    HP DeskJet 3920
    HP DeskJet 3940
    HP DeskJet 400
    HP DeskJet 420C
    HP DeskJet 450
    HP DeskJet 460
    HP DeskJet 500
    HP DeskJet 500C
    HP DeskJet 505J Plus
    HP DeskJet 510
    HP DeskJet 5150
    HP DeskJet 5158
    HP DeskJet 5160
    HP DeskJet 520
    HP DeskJet 540
    HP DeskJet 540C
    HP DeskJet 5440
    HP DeskJet 550C
    HP DeskJet 5550
    HP DeskJet 5551
    HP DeskJet 560C
    HP DeskJet 5650
    HP DeskJet 5652
    HP DeskJet 5670
    HP DeskJet 5740
    HP DeskJet 5850
    HP DeskJet 5940
    HP DeskJet 600
    HP DeskJet 610C
    HP DeskJet 610CL
    HP DeskJet 6122
    HP DeskJet 6127
    HP DeskJet 612C
    HP DeskJet 630C
    HP DeskJet 632C
    HP DeskJet 640C
    HP DeskJet 648C
    HP DeskJet 6520
    HP DeskJet 6540
    HP DeskJet 656C
    HP DeskJet 6600
    HP DeskJet 660C
    HP DeskJet 670C
    HP DeskJet 670TV
    HP DeskJet 672C
    HP DeskJet 6800
    HP DeskJet 680C
    HP DeskJet 682C
    HP DeskJet 6840
    HP DeskJet 690C
    HP DeskJet 692C
    HP DeskJet 693C
    HP DeskJet 6940
    HP DeskJet 694C
    HP DeskJet 695C
    HP DeskJet 697C
    HP DeskJet 6980
    HP DeskJet 810C
    HP DeskJet 812C
    HP DeskJet 815C
    HP DeskJet 816C
    HP DeskJet 825C
    HP DeskJet 830C
    HP DeskJet 832C
    HP DeskJet 840C
    HP DeskJet 841C
    HP DeskJet 842C
    HP DeskJet 843C
    HP DeskJet 845C
    HP DeskJet 850C
    HP DeskJet 855C
    HP DeskJet 870C
    HP DeskJet 880C
    HP DeskJet 882C
    HP DeskJet 890C
    HP DeskJet 895C
    HP DeskJet 916C
    HP DeskJet 920C
    HP DeskJet 9300
    HP DeskJet 930C
    HP DeskJet 932C
    HP DeskJet 933C
    HP DeskJet 934C
    HP DeskJet 935C
    HP DeskJet 940C
    HP DeskJet 948C
    HP DeskJet 950C
    HP DeskJet 952C
    HP DeskJet 955C
    HP DeskJet 957C
    HP DeskJet 959C
    HP DeskJet 9600
    HP DeskJet 960C
    HP DeskJet 970C
    HP DeskJet 975C
    HP DeskJet 9800
    HP DeskJet 980C
    HP DeskJet 990C
    HP DeskJet 995C
    HP DeskJet D1300
    HP DeskJet D1400
    HP DeskJet d1660
    HP DeskJet D2300
    HP DeskJet D2400
    HP DeskJet D4100
    HP DeskJet D4200
    HP DeskJet F2100
    HP DeskJet F300
    HP DeskJet F4100
    HP e-printer e20
    HP LaserJet Professional M1132 MFP
    HP LaserJet 1010
    HP LaserJet 1012
    HP LaserJet 1015
    HP LaserJet 1022
    HP LaserJet 1022n
    HP LaserJet 1022nw
    HP LaserJet 1100
    HP LaserJet 1100A
    HP LaserJet 1150
    HP LaserJet 1160
    HP LaserJet 1200
    HP LaserJet 1220
    HP LaserJet 1300
    HP LaserJet 1320
    HP LaserJet 2100
    HP LaserJet 2100M
    HP LaserJet 2200
    HP LaserJet 2300
    HP LaserJet 2300L
    HP LaserJet 2410
    HP LaserJet 2420
    HP LaserJet 2430
    HP LaserJet 3015
    HP LaserJet 3020
    HP LaserJet 3030
    HP LaserJet 3050
    HP LaserJet 3052
    HP LaserJet 3055
    HP LaserJet 3200
    HP LaserJet 3200m
    HP LaserJet 3200se
    HP LaserJet 3300 MFP
    HP LaserJet 3310 MFP
    HP LaserJet 3320N MFP
    HP LaserJet 3320 MFP
    HP LaserJet 3330 MFP
    HP LaserJet 3380
    HP LaserJet 3390
    HP LaserJet 3392
    HP LaserJet 4
    HP LaserJet 4000
    HP LaserJet 4050
    HP LaserJet 4100
    HP LaserJet 4100 MFP
    HP LaserJet 4200
    HP LaserJet 4240
    HP LaserJet 4250
    HP LaserJet 4300
    HP LaserJet 4345 MFP
    HP LaserJet 4350
    HP LaserJet 4L
    HP LaserJet 4M
    HP LaserJet 4ML
    HP LaserJet 4MP
    HP LaserJet 4P
    HP LaserJet 4Si
    HP LaserJet 4V
    HP LaserJet 4V/4LJ Pro
    HP LaserJet 4 Plus
    HP LaserJet 5
    HP LaserJet 5000
    HP LaserJet 5100
    HP LaserJet 5200
    HP LaserJet 5200L
    HP LaserJet 5L
    HP LaserJet 5M
    HP LaserJet 5MP
    HP LaserJet 5P
    HP LaserJet 5Si
    HP LaserJet 5Si Mopier
    HP LaserJet 6
    HP LaserJet 6L
    HP LaserJet 6MP
    HP LaserJet 6P
    HP LaserJet 8000
    HP LaserJet 8100
    HP LaserJet 8150
    HP LaserJet 9000
    HP LaserJet 9000 MFP
    HP LaserJet 9040
    HP LaserJet 9040 MFP
    HP LaserJet 9050
    HP LaserJet 9050 MFP
    HP LaserJet 9055 MFP
    HP LaserJet 9065 MFP
    HP LaserJet M2727
    HP LaserJet M3027 MFP
    HP LaserJet M3035 MFP
    HP LaserJet M4345 MFP
    HP LaserJet M5025 MFP
    HP LaserJet M5035 MFP
    HP LaserJet P2010
    HP LaserJet P2015
    HP LaserJet P2055d
    HP LaserJet P2055dn
    HP LaserJet P3004
    HP LaserJet P3005
    HP LaserJet P4014
    HP LaserJet P4015
    HP Mopier 240
    HP Mopier 320
    HP OfficeJet
    HP Officejet-4500-G510n-z
    HP OfficeJet 300
    HP OfficeJet 330
    HP OfficeJet 350
    HP OfficeJet 4100
    HP OfficeJet 4105
    HP OfficeJet 4110
    HP OfficeJet 4115
    HP OfficeJet 4200
    HP OfficeJet 4300
    HP OfficeJet 500
    HP OfficeJet 5105
    HP OfficeJet 5110
    HP OfficeJet 5110xi
    HP OfficeJet 520
    HP OfficeJet 5500
    HP OfficeJet 5600
    HP OfficeJet 570
    HP OfficeJet 580
    HP OfficeJet 590
    HP OfficeJet 600
    HP OfficeJet 610
    HP OfficeJet 6100
    HP OfficeJet 6105
    HP OfficeJet 6110
    HP OfficeJet 6150
    HP OfficeJet 6200
    HP OfficeJet 625
    HP OfficeJet 630
    HP OfficeJet 6300
    HP OfficeJet 635
    HP OfficeJet 6500 Wireless
    HP OfficeJet 700
    HP OfficeJet 710
    HP OfficeJet 7100
    HP OfficeJet 7110
    HP OfficeJet 7130
    HP OfficeJet 7140
    HP OfficeJet 720
    HP OfficeJet 7200
    HP OfficeJet 725
    HP OfficeJet 7300
    HP OfficeJet 7400
    HP OfficeJet D125
    HP OfficeJet D135
    HP OfficeJet D145
    HP OfficeJet D155
    HP OfficeJet G55
    HP OfficeJet G85
    HP OfficeJet G95
    HP OfficeJet J3600
    HP OfficeJet J5500
    HP OfficeJet J5700
    HP OfficeJet K60
    HP OfficeJet K60xi
    HP OfficeJet K7100
    HP OfficeJet K80
    HP OfficeJet K80xi
    HP OfficeJet LX
    HP OfficeJet Pro 1150C
    HP OfficeJet Pro 1170C
    HP OfficeJet Pro 1175C
    HP Officejet Pro 8500 A910
    HP Officejet Pro 8500 Premier
    HP OfficeJet Pro 8710
    HP OfficeJet Pro K5300
    HP OfficeJet Pro K5400
    HP OfficeJet Pro K550
    HP OfficeJet Pro K850
    HP OfficeJet Pro K8600
    HP OfficeJet Pro L7300
    HP OfficeJet Pro L7500
    HP OfficeJet Pro L7600
    HP OfficeJet Pro L7700
    HP OfficeJet R40
    HP OfficeJet R45
    HP OfficeJet R60
    HP OfficeJet R65
    HP OfficeJet R80
    HP OfficeJet T45
    HP OfficeJet T65
    HP OfficeJet V40
    HP OfficeJet V40xi
    HP PhotoSmart 140
    HP PhotoSmart 240
    HP PhotoSmart 2570
    HP PhotoSmart 2600
    HP PhotoSmart 2700
    HP PhotoSmart 3100
    HP PhotoSmart 320
    HP PhotoSmart 3200
    HP PhotoSmart 330
    HP PhotoSmart 3300
    HP PhotoSmart 370
    HP PhotoSmart 380
    HP PhotoSmart 420
    HP PhotoSmart 470
    HP PhotoSmart 7150
    HP PhotoSmart 7260
    HP PhotoSmart 7268
    HP PhotoSmart 7345
    HP PhotoSmart 7350
    HP PhotoSmart 7400
    HP PhotoSmart 7550
    HP PhotoSmart 7660
    HP PhotoSmart 7760
    HP PhotoSmart 7800
    HP PhotoSmart 7960
    HP PhotoSmart 8000
    HP PhotoSmart 8100
    HP PhotoSmart 8200
    HP PhotoSmart 8400
    HP PhotoSmart 8700
    HP PhotoSmart A310
    HP PhotoSmart A320
    HP PhotoSmart A430
    HP PhotoSmart A440
    HP PhotoSmart A510
    HP PhotoSmart A520
    HP PhotoSmart A610
    HP PhotoSmart A620
    HP PhotoSmart A710
    HP PhotoSmart A820
    HP PhotoSmart C3100
    HP PhotoSmart C4100
    HP PhotoSmart C4200
    HP PhotoSmart C4380
    HP PhotoSmart C5100
    HP PhotoSmart C5200
    HP PhotoSmart C6100
    HP PhotoSmart C6200
    HP PhotoSmart C7100
    HP PhotoSmart C7200
    HP PhotoSmart C8100
    HP PhotoSmart D5060
    HP PhotoSmart D5100
    HP PhotoSmart D5300
    HP Photosmart D5460
    HP PhotoSmart D6100
    HP PhotoSmart D7100
    HP PhotoSmart D7200
    HP PhotoSmart D7300
    HP PhotoSmart D7400
    HP PhotoSmart P100
    HP PhotoSmart P1000
    HP PhotoSmart P1100
    HP PhotoSmart P1115
    HP PhotoSmart P1215
    HP PhotoSmart P1218
    HP PhotoSmart P130
    HP PhotoSmart P1315
    HP PhotoSmart P230
    HP PhotoSmart Pro B8300
    HP PSC 1100
    HP PSC 1110
    HP PSC 1200
    HP PSC 1205
    HP PSC 1210
    HP PSC 1300
    HP PSC 1310
    HP PSC 1400
    HP PSC 1500
    HP PSC 1510
    HP PSC 1600
    HP PSC 2110
    HP PSC 2150
    HP PSC 2170
    HP PSC 2175
    HP PSC 2210
    HP PSC 2300
    HP PSC 2350
    HP PSC 2400
    HP PSC 2500
    HP PSC 370
    HP PSC 380
    HP PSC 500
    HP PSC 750
    HP PSC 750xi
    HP PSC 950

    Epson: Drivers for Linux

    epson-201101w 6
    epson-201102j 1
    epson-201102w 1
    epson-201103j 1
    epson-201104w 1
    epson-201105j 1
    epson-201105w 7
    epson-201106j 2
    epson-201106w 10
    epson-201107w 2
    epson-201108j 1
    epson-201108w 7
    epson-201109w 2
    epson-201110j 1
    epson-201110w 3
    epson-201111j 1
    epson-201111w 1
    epson-201112j 3
    epson-201112w 5
    epson-201113j 2
    epson-201113w 24
    epson-201114j 1
    epson-201114w 3
    epson-201115j 3
    epson-201115w 8
    epson-201201w 2
    epson-201202w 4
    epson-201203j 2
    epson-201203w 4
    epson-201204j 1
    epson-201204w 4
    epson-201205j 1
    epson-201206w 6
    epson-201207w 7
    epson-201208w 3
    epson-201209j 3
    epson-201209w 2
    epson-201210j 1
    epson-201211j 3
    epson-201211w 7
    epson-201212j 3
    epson-201212w 4
    epson-201213j 4
    epson-201213w 6
    epson-201214j 1
    epson-201214w 2
    epson-201215w 4
    epson-201301w 2
    epson-201302w 2
    epson-201303j 1
    epson-201303w 2
    epson-201304j 1
    epson-201304w 1
    epson-201305j 1
    epson-201305w 1
    epson-201306j 3
    epson-201307j 2
    epson-201308w 3
    epson-201309w 1
    epson-artisan-725-835-series 7
    epson-ep-302 1
    epson-ep-702a 1
    epson-ep-703a 1
    epson-ep-803a-903f-series 4
    epson-ep-902a-series 2
    epson-escpr 395 Epson Inkjet Printer Driver (ESC/P-R) for Linux
    epson-k100-k200-series 2
    epson-n10-nx127 17
    epson-nx420 5
    epson-px-402a 1
    epson-px-502a 1
    epson-px-5v 1
    epson-px-602f 1
    epson-px-603f-503a-203-series 3
    epson-px-673f 1
    epson-px-k100 1
    epson-stylus-nx110-series 11
    epson-stylus-office-tx510fn-series 5
    epson-stylus-office-tx610fw-series 4
    epson-stylus-photo-px660-series 1
    epson-stylus-photo-px810fw-series 6
    epson-stylus-photo-r3000 1
    epson-stylus-photo-t50-series 4
    epson-stylus-photo-tx650-series 2
    epson-stylus-s21-series 4
    epson-stylus-tx550w-series 3
    epson-workforce-320-sx218 9
    epson-workforce-525 3
    epson-workforce-635-60-nx625-series 17
    epson-workforce-840 2
    epsonc Ghostscript built-in 13
    epsonepl IJS 5
    epson_l800 1

    Brother - Drivers for Linux - Models available with Brother ppd file :

    , DCP-7025, DCP-7045N, DCP-8020, DCP-8025D, DCP-8040, DCP-8045D, DCP-8080DN, DCP-8085DN, DCP-9040CN, DCP-9042CDN, DCP-9045CDN, HL-1450, HL-1470N, HL-1650, HL-1670N, HL-1850, HL-1870N, HL-2460, HL-2600CN, HL-2700CN, HL-3260N, HL-3450CN, HL-4050CDN, HL-4070CDW, HL-5050, HL-5070N, HL-5150D, HL-5170DN, HL-5240, HL-5250DN, HL-5270DN, HL-5280DW, HL-5340D, HL-5350DN, HL-5350DNLT, HL-5370DW, HL-5370DWT, HL-5380DN, HL-6050, HL-6050D, HL-7050, HL-7050N, HL-8050N, , MFC-7225N, , MFC-7450, , MFC-7820N, , MFC-7840N, , MFC-7840W, , MFC-8220, , MFC-8420, , MFC-8440, , MFC-8640D, , MFC-8670DN, , MFC-8820D, , MFC-8840D, , MFC-9420CN, , MFC-9440CN, , MFC-9450CDN, , MFC-9840CDW

    Brother - Download (Linux Printer Driver - Multifunktionsgeräte: Drucken - Scannen - Kopieren - Faxen - Kartenlesen) von https://support.brother.com/g/s/id/linux/en/download_prn.html :

    Brother DCP
    , DCP-110C , DCP-115C , DCP-117C , DCP-120C , DCP-130C , DCP-135C , DCP-1400 , DCP-145C , DCP-150C , DCP-1510 , DCP-1510R , DCP-1511 , DCP-1512 , DCP-1512R , DCP-1518 , DCP-153C , DCP-155C , DCP-163C , DCP-165C , DCP-167C , DCP-185C , DCP-195C , DCP-197C , DCP-310CN , DCP-315CN , DCP-330C , DCP-340CW , DCP-350C , DCP-353C , DCP-357C , DCP-365CN , DCP-373CW , DCP-375CW , DCP-377CW , DCP-383C , DCP-385C , DCP-387C , DCP-395CN , DCP-540CN , DCP-560CN , DCP-585CW , DCP-6690CW , DCP-7010 , DCP-7020 , DCP-7025 , DCP-7030 , DCP-7040 , DCP-7045N , DCP-7055 , DCP-7055W , DCP-7057 , DCP-7057WR , DCP-7060D , DCP-7065DN , DCP-7070DW , DCP-750CW , DCP-770CW , DCP-8020 , DCP-8025D , DCP-8040 , DCP-8045D , DCP-8060 , DCP-8065DN , DCP-8070D , DCP-8080DN , DCP-8085DN , DCP-8110D , DCP-8110DN , DCP-8112DN , DCP-8150DN , DCP-8152DN , DCP-8155DN , DCP-8157DN , DCP-8250DN , DCP-9010CN , DCP-9020CDW , DCP-9040CN , DCP-9042CDN , DCP-9045CDN , DCP-9055CDN , DCP-9270CDN , DCP-J125 , DCP-J132W , DCP-J140W , DCP-J152W , DCP-J172W , DCP-J315W , DCP-J4110DW , DCP-J515W , DCP-J525W , DCP-J552DW
    , DCP-J715W , DCP-J725DW , DCP-J752DW , DCP-J925DW

    Brother FAX

    , FAX-1815C , FAX-1820C , FAX-1835C , FAX-1840C , FAX-1860C , FAX-1920CN , FAX-1940CN , FAX-1960C , FAX-2440C , FAX-2480C , FAX-2580C , FAX-2820 , FAX-2840 , FAX-2850 , FAX-2890 , FAX-2900 , FAX-2920 , FAX-2940 , FAX-2950 , FAX-2990 , FAX-3800 , FAX-4100 , FAX-4750e , FAX-5750e

    Brother HL

    , HL-1030 , HL-1110 , HL-1110R , HL-1111 , HL-1112 , HL-1112R , HL-1118 , HL-1230 , HL-1240 , HL-1250 , HL-1270N , HL-1430 , HL-1435 , HL-1440 , HL-1450 , HL-1470N , HL-1650 , HL-1670N , HL-1850 , HL-1870N , HL-2030 , HL-2035 , HL-2040 , HL-2070N , HL-2130 , HL-2132 , HL-2135W , HL-2140 , HL-2150N , HL-2170W , HL-2220 , HL-2230 , HL-2240 , HL-2240D , HL-2242D , HL-2250DN , HL-2270DW , HL-2275DW , HL-2280DW , HL-2460 , HL-2460N , HL-2600CN , HL-2700CN , HL-3040CN , HL-3045CN , HL-3070CW , HL-3075CW , HL-3140CW , HL-3150CDN , HL-3150CDW , HL-3170CDW , HL-3260N , HL-3450CN , HL-4040CDN , HL-4040CN , HL-4050CDN , HL-4070CDW , HL-4140CN , HL-4150CDN , HL-4570CDW / , HL-4570CDWT , HL-5030 , HL-5040 , HL-5050 , HL-5070N , HL-5130 , HL-5140 , HL-5150D , HL-5170DN , HL-5240 , HL-5250DN , HL-5270DN , HL-5280DW , HL-5340D , HL-5350DN , HL-5350DNLT , HL-5370DW , HL-5370DWT , HL-5380DN , HL-5440D , HL-5450DN / , HL-5450DNT , HL-5470DW / , HL-5470DWT , HL-6050 , HL-6050D , HL-6050DN , HL-6180DW / , HL-6180DWT , HL-7050 , HL-7050N , HL-8050N , HL-S7000DN

    Brother MFC

    , MFC-1810 , MFC-1810R , MFC-1811 , MFC-1813 , MFC-1815 , MFC-1815R , MFC-1818 , MFC-210C , MFC-215C , MFC-230C , MFC-235C , MFC-240C , MFC-250C , MFC-255CW , MFC-257CW , MFC-260C , MFC-290C , MFC-295CN , MFC-297C , MFC-3220C , MFC-3240C , MFC-3320CN , MFC-3340CN , MFC-3360C , MFC-3420C , MFC-3820CN , MFC-410CN , MFC-420CN , MFC-425CN , MFC-440CN , MFC-465CN , MFC-4800 , MFC-490CW , MFC-495CW , MFC-5440CN , MFC-5460CN , MFC-5490CN , MFC-5840CN , MFC-5860CN , MFC-5890CN , MFC-5895CW , MFC-620CN , MFC-640CW , MFC-6490CW , MFC-660CN , MFC-665CW , MFC-6800 , MFC-680CN , MFC-685CW , MFC-6890CDW , MFC-7220 , MFC-7225N , MFC-7240 , MFC-7290 , MFC-7320 , MFC-7340 , MFC-7345N , MFC-7360 , MFC-7360N , MFC-7362N , MFC-7365DN , MFC-7420 , MFC-7440N , MFC-7450 , MFC-7460DN , MFC-7470D , MFC-7820N , MFC-7840N , MFC-7840W , MFC-7860DN , MFC-7860DW , MFC-790CW , MFC-795CW , MFC-820CW , MFC-8220 , MFC-8370DN , MFC-8380DN , MFC-8420 , MFC-8440 , MFC-845CW , MFC-8460N , MFC-8480DN , MFC-8500 , MFC-8510DN , MFC-8512DN , MFC-8515DN , MFC-8520DN , MFC-8640D , MFC-8660DN , MFC-8670DN , MFC-8680DN , MFC-8690DW , MFC-8710DW , MFC-8712DW , MFC-8810DW , MFC-8820D , MFC-8840D , MFC-8840DN , MFC-885CW , MFC-8860DN , MFC-8870DW , MFC-8880DN , MFC-8890DW , MFC-8910DW , MFC-8912DW , MFC-8950DW / , MFC-8950DWT , MFC-8952DW / , MFC-8952DWT , MFC-9010CN , MFC-9030 , MFC-9070 , MFC-9120CN , MFC-9125CN , MFC-9130CW , MFC-9140CDN , MFC-9160 , MFC-9180 , MFC-9320CW , MFC-9325CW , MFC-9330CDW , MFC-9340CDW , MFC-9420CN , MFC-9440CN , MFC-9450CDN , MFC-9460CDN , MFC-9465CDN , MFC-9560CDW , MFC-9660 , MFC-9700 , MFC-9760 , MFC-9800 , MFC-9840CDW , MFC-9860 , MFC-9880 , MFC-990CW , MFC-9970CDW , MFC-J220 , MFC-J2310 , MFC-J245 , MFC-J2510 , MFC-J265W , MFC-J270W , MFC-J280W , MFC-J285DW , MFC-J410 , MFC-J410W , MFC-J415W , MFC-J425W , MFC-J430W , MFC-J4310DW , MFC-J432W , MFC-J435W , MFC-J4410DW , MFC-J450DW , MFC-J4510DW , MFC-J4610DW , MFC-J470DW , MFC-J4710DW , MFC-J475DW , MFC-J5910DW , MFC-J615W , MFC-J625DW , MFC-J630W , MFC-J650DW , MFC-J6510DW , MFC-J6710DW , MFC-J6910DW , MFC-J825DW , MFC-J835DW , MFC-J870DW , MFC-J875DW

    More Linux Printer Drivers, Linux Foundation, https://openprinting.org:

    escpage Ghostscript built-in 1 fmlbp Ghostscript built-in 1 fmpr Ghostscript built-in 1 foo2hbpl2 Filter 12 foo2hiperc Filter 19 foo2hiperc-z1 Filter 1 foo2hp Filter 5 foo2kyo Filter 1 foo2lava Filter 11 foo2oak Filter 3 foo2oak-z1 Filter 2 foo2qpdl Filter 22 foo2slx Filter 2 foo2xqx Filter 14 foo2zjs Filter 12 foo2zjs-z1 Filter 8 foo2zjs-z2 Filter 4 foo2zjs-z3 Filter 1 gdi Ghostscript built-in 30 gimp-print 560 gutenprint gutenprint 1638 Top Quality Printer Drivers for inkjets, dye sublimation printers, and PCL lasers hl1250 Ghostscript built-in 45 hl7x0 Ghostscript built-in 9 Driver for Brother´s proprietary printer language (works also on the PCL/PS models) hpdj Ghostscript built-in 49 ibmpro Ghostscript built-in 5 imagen Ghostscript built-in 1 iwhi Ghostscript built-in 3 iwlo Ghostscript built-in 3 iwlq Ghostscript built-in 1 jetp3852 Ghostscript built-in 1 jj100 Ghostscript built-in 1 la50 Ghostscript built-in 1 la70 Ghostscript built-in 1 la75 Ghostscript built-in 1 la75plus Ghostscript built-in 1 laserjet Ghostscript built-in 50 lbp310 Ghostscript built-in 1 lbp320 Ghostscript built-in 2 lbp660 Filter 2 lbp8 Ghostscript built-in 3 lbp800 Filter 1 lex5700 Ghostscript built-in 3 lex7000 Ghostscript built-in 1 lips2p Ghostscript built-in 1 lips3 Ghostscript built-in 1 lips4 Ghostscript built-in 3 lips4v Ghostscript built-in 2 lj250 Ghostscript built-in 1 lj4dith Ghostscript built-in 384 lj4dithp Ghostscript built-in 1 lj5gray Ghostscript built-in 204 ljet2p Ghostscript built-in 24 ljet3 Ghostscript built-in 31 ljet3d Ghostscript built-in 16 ljet4 Ghostscript built-in 419 Built-in Ghostscript driver for PCL 5e laser printers ljet4d Ghostscript built-in 265 ljetplus Ghostscript built-in 23 lm1100 lm1100 Filter 3 ln03 Ghostscript built-in 1 lp2000 Ghostscript built-in 4 lp2563 Ghostscript built-in 1 lp8000 Ghostscript built-in 1 lpstyl Filter 7 lq850 Ghostscript built-in 4 lx5000 Ghostscript built-in 3 lxm3200 Ghostscript built-in 6 lxm3200-tweaked Ghostscript built-in 6 lxm3200X Ghostscript built-in 3 lxm5700m Ghostscript built-in 4 lxx74 2 lz11-V2 Filter 2 m2300w Filter 2 m2400w Filter 2 m8510 Ghostscript built-in 1 md1xMono Ghostscript built-in 2 md2k Ghostscript built-in 5 md50Eco Ghostscript built-in 2 md50Mono Ghostscript built-in 2 md5k Ghostscript built-in 2 min12xxw min12xxw Filter 8 mj500c Ghostscript built-in 3 mj6000c Ghostscript built-in 3 mj700v2c Ghostscript built-in 2 mj8000c Ghostscript built-in 1 ml600 Ghostscript built-in 2 ml85p Filter 2 necp2xX.upp Ghostscript Uniprint 1 necp6 Ghostscript built-in 8 npdl Ghostscript built-in 3 oce9050 Ghostscript built-in 1 oki182 Ghostscript built-in 2 oki4drv Filter 7 oki4w Ghostscript built-in 7 okiibm Ghostscript built-in 3 omni Ghostscript built-in 467 paintjet Ghostscript built-in 1 pbm2l2030 Filter 1 pbm2l7k Filter 7 pbm2lwxl Filter 12 pbm2ppa Filter 1 pbmtozjs Filter 2 pcl3 Ghostscript built-in 91 pcl5-Ricoh pcl5-Ricoh 20 PPD files for Ricoh´s PCL5 printers, supplied by Ricoh PDF-Gestetner PDF-Gestetner 210 PPD files for Gestetner´s PDF printers, supplied by Ricoh PDF-Infotec PDF-Infotec 178 PPD files for Infotec´s PDF printers, supplied by Ricoh PDF-Lanier PDF-Lanier 240 PPD files for Lanier´s PDF printers, supplied by Ricoh PDF-NRG PDF-NRG 230 PPD files for NRG´s PDF printers, supplied by Ricoh PDF-Ricoh PDF-Ricoh 248 PPD files for Ricoh´s PDF printers, supplied by Ricoh PDF-Savin PDF-Savin 228 PPD files for Savin´s PDF printers, supplied by Ricoh pegg Filter 3 pentaxpj Filter 2 picty180 Ghostscript built-in 1 pj Ghostscript built-in 1 pjetxl Ghostscript built-in 1 pjxl Ghostscript built-in 1 pjxl300 Ghostscript built-in 3 PM760pX.upp Ghostscript Uniprint 1 PM820pX.upp Ghostscript Uniprint 1 pnm2ppa Filter 6 , Postscript PostScript 1230
    Postscript-Brother Postscript-Brother PostScript 64 Manufacturer-supplied PPD files for Brother´s PostScript printers
    Postscript-Dell Postscript-Dell PostScript 1 Manufacturer-supplied PPD files for Dell´s PostScript printers
    Postscript-Epson Postscript-Epson PostScript 37 Manufacturer-supplied PPD files for Epson´s PostScript printers
    Postscript-Genicom Postscript-Genicom PostScript 1 Manufacturer-supplied PPD files for Genicom´s PostScript printers
    Postscript-Gestetner Postscript-Gestetner PostScript 266 PPD files for Gestetner´s PostScript printers, supplied by Ricoh
    Postscript-, HP Postscript-, HP PostScript 8 PPD files for
    HP´s PostScript printers which are not supported by
    HPLIP, supplied by
    Postscript-InfoPrint Postscript-InfoPrint PostScript 3 PPD files for InfoPrint´s PostScript printers, supplied by Ricoh
    Postscript-Infotec Postscript-Infotec PostScript 218 PPD files for Infotec´s PostScript printers, supplied by Ricoh
    Postscript-KONICA_MINOLTA Postscript-KONICA_MINOLTA PostScript 22 Manufacturer-supplied PPD files for KONICA MINOLTA´s PostScript printers
    Postscript-Kyocera Postscript-Kyocera PostScript 118 Manufacturer-supplied PPD files for Kyocera´s PostScript printers
    Postscript-Lanier Postscript-Lanier PostScript 297 PPD files for Lanier´s PostScript printers, supplied by Ricoh
    Postscript-Lexmark Postscript-Lexmark PostScript 378 Manufacturer-supplied PPD files for Lexmark´s PostScript printers
    Postscript-Lexmark-black-only Postscript-Lexmark-black-only PostScript 2 Manufacturer-supplied PPD files for Lexmark´s black-only PostScript printers
    Postscript-NRG Postscript-NRG PostScript 291 PPD files for NRG´s PostScript printers, supplied by Ricoh
    Postscript-Oce Postscript-Oce PostScript 25 Manufacturer-supplied PPD files for Oce´s PostScript level 3 printers
    Postscript-Oce-KM Postscript-Oce-KM PostScript 1 Manufacturer-supplied PPD files for Oce´s PostScript printers
    Postscript-Oki Postscript-Oki PostScript 22 Manufacturer-supplied PPD files for Oki´s PostScript printers
    Postscript-Ricoh Postscript-Ricoh PostScript 321 PPD files for Ricoh´s PostScript printers, supplied by Ricoh
    Postscript-Samsung Postscript-Samsung PostScript 87 PPD files for Samsung´s PostScript printers, supplied by Samsung
    Postscript-Savin Postscript-Savin PostScript 290 PPD files for Savin´s PostScript printers, supplied by Ricoh
    Postscript-Sharp Postscript-Sharp PostScript 221 Manufacturer-supplied PPD files for Sharp´s PostScript printers
    Postscript-Toshiba Postscript-Toshiba PostScript 26 Manufacturer-supplied PPD files for Toshiba´s PostScript printers
    Postscript-Xerox Postscript-Xerox PostScript 113 Manufacturer-supplied PPD files for Xerox´s PostScript printers
    Postscript1 PostScript 4
    Postscript2-Oce Postscript2-Oce PostScript 8 Manufacturer-supplied PPD files for Oce´s PostScript level 2 printers
    PostscriptColor-Ricoh PostscriptColor-Ricoh PostScript 96 PPD files for Ricoh´s Postscript color printers, supplied by Ricoh
    PostscriptMono-Ricoh PostscriptMono-Ricoh PostScript 103 PPD files for Ricoh´s Postscript monochrome printers, supplied by Ricoh ppmtocpva Filter 6 ppmtomd Filter 14 pr150 Ghostscript built-in 1 pr201 Ghostscript built-in 1 ptouch Filter 22 pxl1010 Ghostscript built-in 2 pxlcolor Ghostscript built-in 113 pxlcolor-Gestetner pxlcolor-Gestetner Ghostscript built-in 71 PPD files for Gestetner´s PCL XL color printers, supplied by Ricoh pxlcolor-InfoPrint pxlcolor-InfoPrint Ghostscript built-in 0 PPD files for InfoPrint´s PCL XL color printers, supplied by Ricoh pxlcolor-Infotec pxlcolor-Infotec Ghostscript built-in 74 PPD files for Infotec´s PCL XL color printers, supplied by Ricoh pxlcolor-Lanier pxlcolor-Lanier Ghostscript built-in 77 PPD files for Lanier´s PCL XL color printers, supplied by Ricoh pxlcolor-NRG pxlcolor-NRG Ghostscript built-in 77 PPD files for NRG´s PCL XL color printers, supplied by Ricoh pxlcolor-Ricoh pxlcolor-Ricoh Ghostscript built-in 87 PPD files for Ricoh´s PCL XL color printers, supplied by Ricoh pxlcolor-Samsung pxlcolor-Samsung Ghostscript built-in 2 PPD files for Samsung´s PCL-XL color printers, supplied by Samsung pxlcolor-Savin pxlcolor-Savin Ghostscript built-in 73 PPD files for Savin´s PCL XL color printers, supplied by Ricoh pxldpl Ghostscript built-in 1 pxljr IJS 3 pxlmono Ghostscript built-in 335 pxlmono-Gestetner pxlmono-Gestetner Ghostscript built-in 100 PPD files for Gestetner´s PCL XL monochrome printers, supplied by Ricoh pxlmono-InfoPrint pxlmono-InfoPrint Ghostscript built-in 3 PPD files for InfoPrint´s PCL XL monochrome printers, supplied by Ricoh pxlmono-Infotec pxlmono-Infotec Ghostscript built-in 103 PPD files for Infotec´s PCL XL monochrome printers, supplied by Ricoh pxlmono-Lanier pxlmono-Lanier Ghostscript built-in 103 PPD files for Lanier´s PCL XL monochrome printers, supplied by Ricoh pxlmono-NRG pxlmono-NRG Ghostscript built-in 103 PPD files for NRG´s PCL XL monochrome printers, supplied by Ricoh pxlmono-Ricoh pxlmono-Ricoh Ghostscript built-in 108 PPD files for Ricoh´s PCL XL monochrome printers, supplied by Ricoh pxlmono-Samsung pxlmono-Samsung Ghostscript built-in 14 PPD files for Samsung´s PCL-XL monochrome printers, supplied by Samsung pxlmono-Savin pxlmono-Savin Ghostscript built-in 101 PPD files for Savin´s PCL XL monochrome printers, supplied by Ricoh r4081 Ghostscript built-in 3 rastertokmXXXXdl 4 Free software printer drivers for the magicolor DL series from KONICA MINOLTA rastertosag-gdi 2 Free software printer driver for the SAG-GDI protocol on Ricoh lasers rpdl Ghostscript built-in 4 s400X1.upp Ghostscript Uniprint 2 sharp.upp Ghostscript Uniprint 6 sipixa6.upp Ghostscript Uniprint 1 sj48 Ghostscript built-in 1 slap Filter 9 splix splix 51 Driver for Samsung SPL2 (ML-1710, ...) and SPLc (CLP-500, ...) laser printers st640X.upp Ghostscript Uniprint 2 st800 Ghostscript built-in 2 stc1520h.upp Ghostscript Uniprint 2 stc200_h.upp Ghostscript Uniprint 1 stc2X.upp Ghostscript Uniprint 3 stc300X.upp Ghostscript Uniprint 2 stc500pX.upp Ghostscript Uniprint 2 stc600X.upp Ghostscript Uniprint 4 Stc670pX.upp Ghostscript Uniprint 1 Stc680pX.upp Ghostscript Uniprint 1 stc740X.upp Ghostscript Uniprint 4 Stc760pX.upp Ghostscript Uniprint 1 Stc777pX.upp Ghostscript Uniprint 1 stc800X.upp Ghostscript Uniprint 2 stcanyX.upp Ghostscript Uniprint 4 stcolor Ghostscript built-in 22 stcX.upp Ghostscript Uniprint 5 Stp720pX.upp Ghostscript Uniprint 1 Stp870pX.upp Ghostscript Uniprint 1 t4693dX Ghostscript built-in 1 tek4696 Ghostscript built-in 3 xes Ghostscript built-in 3

    More Linux printer drivers (rpm, deb)

    Samsung Laser Printer SPL2 and SPLc: splix (el6) - cups-drivers-splix (pclos, el6), openprinting-splix

    openprinting-ppds (deb, rpm openprinting-ppds (fc, el7, el6, rosa, debian), gutenprint Linux printer drivers (dev, rpm gutenprint (fc, el7, el6, rosa, debian), foomatic Linux printer drivers ( deb, rpm foomatic (fc, el7, el6, rosa, debian) )

    Linux Foundation openprinting.org, https://support.brother.com/g/s/id/linux/en/download_prn.html

    8 GB Mini-USB-memory stick PConkey

    ready for the keyring, 24 carat Gold SMI for 3,95 € Pearl.de (Stand 2014; in spite of the opinion, you can use five meter cable for usb, always put USB-sticks directly into the slot of the PC-tower. Never use hubs.)

    Mouse: trackball

    still recommended because of see the newsgroup-article from Dario from links left menu (!)

    Keyboard: German Keyboard, german keys, 2,95 € Pollin, 2015

    To go sure for many mainboards, most PCI-ethernet-cards for about 5 € do guarant access to the internet. Time for the boot of mdv2007.0 under SSD: kdm: 15 up to 30 sec., including KDE: around 1 minute
    Time for handling programs and DSL Internet: per mouseclick except large files over USB 2.0

    Notice: The tolerance for the temperature of the environment is not listed, almost between 0 and 70 °C. One also should avoid moisture.

    Cybercriminals use access points in the Domain Name Systems (DNS), trojaner-info.de, 17.11.2018
    The DNS is a popular malware-transport-media for hacker.
    Das eigentlich bewährte Domain Name System (DNS) wird heutzutage zunehmend von Angriffen bedroht. Da das DNS oft weitgehend unkontrolliert Firewalls passiert, wird es bei Hackern zunehmend beliebter. Cyberkriminelle missbrauchen das altgediente System heute immer öfter als Transportmittel für Malware oder als Zugang ins Unternehmensnetzwerk, wie Frank Ruge, Director Sales Central Europe bei Infoblox erläutert.

    CIAO DNS! Anonymized (and encrypted) name resolution with pdnsd and dnscrypt-proxy and /etc/hosts all in one (pdnsd, or special combined)
    Put on the protecting mask, "Let´s surf!"

    DNS: changing the DNS...

    instruction for debian and mdv Linux

    DNS-Server in different ways

    DNSshort descriptiondisadvantage
    current remote hosted DNSdirect entry "nameserver ip" like from ChaosComputerClub in /etc/resolv.conf.Nachteil: without caching, no encryption, no anonymization, Man-In-The-Middle-Attackse
    dnsmasqlocal DNS-Cachetemporary cache instead of durable storage within a file on harddisc after cacheing, without encryption (Man-In-The-Middle-Attacks), no anonymization
    dnsmasq mit dnscryptkeine Veschlüsselung, Man-In-The-Middle-Angriffe
    unboundsee dnsmasq
    unbound mit dnscrypt
    pdnsdlokaler DNS-Cacheremote-DNS requests for unsolved domain-ip-pairs
    local (/etc/hosts) onlythe classic, most secure solution, but very unhandy
    dnscryptwith connection-certification, but without encryption
    pdnsd with dnscrypt
    lokal per /etc/hostswithout any remote host DNS requests, orphaned entries
    DoH: encrypting DNSsill in test, Firefox >64no storage resolved domain-ip on harddisc, DNS-Server Cloudfare
    DoT: verschlüsselter DNSin progress
    Handshake: alternative DNS upon the base of blockchains
    TorDNSanonymizing DNS of Tor, see Tor
    TorDNS with dnsmasq
    TorDNS with pdsnd ( including preceeding local /etc/hosts )see Tordisadvantages: none (but the entry node runs in the background). This method is the one we´d like to recommend!
    bind u.athe own DNS-Server

    DNS von CCC: world.ccc.de
    Changing the DNS to an anonymizing: (dnscache.berlin.ccc.de) (FoeBud)
    2001:4f8:0:2::14 (f.6to4-servers.net, IPv6, ISC) (dns.as250.net; Berlin/Frankfurt)

    0) mdv2010: MCC, simple by configuring established connections and by setting your own DNS instead of DNS from the router
    or other methods like:
    a) DNS by your computer (host), recommended: Set the both DNS in the system-configuration (mdv: drakconf). Change or add both DNS in LINFW3 (also after b) and c)).
    b) DNS by router (resp. gateway): Call the GUI for the router-configuration like fritz.box. If the option for DNS is missing: 1. export the router-configuration by securing into a file, 2. change both DNS in this filei, 3. backup: Import the file, 4. restart the connection by the GUI
    b) methode from CCC: Change the DNS in /etc/resolv.conf:
    If nscd is installed, type
    > /etc/init.d/nscd restart

    A fast, (local) cacheing DNS-server can be configured with dnsmasq too: http://www.pcwelt.de/ratgeber/Schneller-DNS-Server-unter-Linux-mit-Dnsmasq-9931341.html . Notice, that in /etc/resolv.conf both, nameserver DNS-ip and "nameserver", are entered. Adavatage: The IP is only asked one time the requested domain.
    OK At first the file dnsmasq.conf within direcotry /etc should be configured:
    nano /etc/dnsmasq.conf or (creating a new configuration file):
    touch /etc/dnsmasq.conf
    Then this file should be opened:
    sudo nano /etc/dnsmasq.conf
    Comment out the following five rows or type them in:
    expand-hosts # Set this, if you want to have a domain # automatically added to simple names in a hosts-file.
    addn-hosts=/home/surfuser/addn-hosts-list # if you want it to read another file, as well as /etc/hosts, use this.
    The entry "listen-address" administrates Dnsmasq to make local requests by the address localhost ( on port 53 only. Host names out of the LAN are not forwarded to other DNS-server by the option "domain-needed", and "bogus-priv" avoids the resolution of IP-addresses from private subnets (192.168.x.x, 10.x.x.x).
    Compact DNS-Server: Dnsmasq as a DNS-Cache requires these eight lines only, last three lines are optional, but cache-size has to be set for cacheing - no caching possible without.
    The link "resolv-file" is refering to another configuraiton file "/etc/resolv.dnsmasq", that still has to be created. In this file you enter the IP-address of the (real) DNS-Server like of the provider or the router. The network-interface should also be set and no-negcache cares for cacheing even on errors, what should be kep optional. With
    sudo touch /etc/resolv.dnsmasq
    this second configuration file is created. Open it with a text editor like nano and enter the addresses of the DNS-Server, dnsmasq needs to resolve the domains. For stationary PCs within local networks the DNS-Server-addresses of the provider resp. of the router ( should be set.
    To be more concrete, what DNS-addresses to take, use the following command:
    cat /etc/resolv.conf
    Behind "nameserver" the IP to take are shown. For example, if "" for the address of a Fritzbox is shown, all to enter into the file "/etc/resolv.dnsmasq" is
    For computers using changing DNS-Server within other LAN/WLANs, the address of a fast public DNS-Server has to be entered as a last ending line too.

    For Local Caching using NetworkManager set this in /etc/NetworkManager/NetworkManager.conf:




    NetworkManager.conf: https://developer.gnome.org/NetworkManager/1.11/NetworkManager.conf.html


    and restart network-manager service.

    Howto start dnsmasq:
    dnsmasq is started depending from the usage of systemd or not in different ways by one of the the commands: sh /etc/init.d/dnsmasq start resp. MCC->system services or, if systemd is not used by
    sudo systemctl enable dnsmasq.service
    sudo systemctl restart dnsmasq.service
    Now /etc/resolv.conf has to be configured by text editors like nano, so that dnsmasq can can forward dns-name-resolution to external DNS-server. Either the network connection has to be reconfigured by system control resp. MCC or directly within /etc/resolv.conf. Go sure, that the local DNS-server (dnsmasq) is entered within the first line at first (, followed by the lines for the other DNS-server, consisting of at last one .An example for the forwarding to the DNS-cache of the Fritz-Box is:

    # resolv.conf generated by NetworkManager

    Be careful for WICD. resolv.conf is admininstrated automatically resp. overwritten. Therefore the static DNS must be set in this certain order only.
    If NetworkManager is used, resolv.conf does not have to be overworked manually. The network connection within the Networkmanager can be set to "automatic (DHCP), addresses only" or to "manuell".Now IP-addresses of up to three DNS-server can be set - separated by colon - into the belonging field. After this is stored, all is written into resolv.conf.
    Check out, if local cacheing is possible:

    >dig mandriva.com

    ;; Query time: 0 msec
    ;; SERVER:
    # Normally responses which come form /etc/hosts and the DHCP lease
    # file have Time-To-Live set as zero, which conventionally means do not cache further. If you are happy to trade lower load on the
    # server for potentially stale date, you can set a time-to-live (in seconds) here.
    # /etc/dnsmasq.conf


    Nothing more has to be configured anymore, if dnsmasq is just working as a DNS-Server. Computers within the LAN that shall use this DNS-Server have to be configured in such way, that they really use this server.

    "DNSCrypt is a DNS resolver that encrypts the content of your request between you and the first level resolver. It prevents an attacker from hijacking or viewing your DNS resolution and the program itself is hardened quite a lot.
    For a guide to install, http://www.insanitybit.com/2012/07/23/setting-up-dnscrypt-by-opendns-on-an-ubuntu-12-04-system-8/
    For a guide to harden further, http://www.insanitybit.com/2013/06/26/hardening-dnscrypt/


    Our tip and strong advice: Line by line make a manual entry "IP host" in /etc/hosts using a text-editor. If done, the DNS-server is not queried anymore in all cases, an entry was made! In order to find out the IP to a belonging domain, programs like nslookup, hosts, dig, connection-tracking (Linfw3), iptraf (iptraf-ng(rosa2016.1, rosae2014.1)) and "netstat -n" resp. netstat can be used (in our case, firefox ESR 52.5.1 still seems to send out some information to telefonica and vodafone right at the beginning past its process starting. Update FF against can be installed next days. ). Blacklisting these IP in Linfw3 helps to block.

    This (first mentioned host-) method can prevent phishing too.

    Check the browser right up from the time he got started, look out for unpredicted, unwanted data transfer indicated by programs like iptraf (iptraf-ng(rosa2016.1, rosae2014.1)), netstat and their invertation nslookup, dig or host in order to block such IP by /etc/hosts resp. Linfw3.

    Also think of installing advert-block (pclos). It contains a script named block-advert.sh to add more advert-blocks from choosable adblock-server into /etc/hosts: sh advert-block.sh.during linfw3-lineblock-root. Change to default after performing the steps of this script. Reset /etc/hosts to chmod 644 /etc/hosts.

    If you think, enough entries including FTP-, POP3- and SMTP-server and so on, each pairwise with their IP, were added, add the last line: "*.*.*.* localhost" or "ALL:ALL:DENY" ( as this might not really work, to go sure, enter in /etc/resolv.conf and /etc/resolv.dnsmasq for the DNS-Server. There are some cases, more domain like those with images and films of same IP have to be entered into /etc/hosts too, additionally those from software like marble and viking for example, both use katie.openstreetmap.org with IP ). For the rest use tor or reset /etc/resolv.dnsmasq.conf back to the (DNS-) nameserver right before to enter more server and IP.

    In /etc/nsswitch modify the line with hosts to

    "hosts: files [success=return] dns [success=return]"


    /etc/host.conf to the include:
    order hosts,bind
    multi off
    reorder on
    nospoof on
    spoofalert on

    First check: add into /etc/hosts test.com

    ping gives the follwing output:

    >ping test.com


    But still check this out using iptraf (iptraf-ng(rosa2016.1, rosae2014.1)) or contrack of Linfw3 and then you might also read:

    man /etc/host.conf
    The following environment variables can be used to enable users
    in /etc/host.conf to make the configured behavior irrelevant:


    For example, by now, we set in /etc/rc.local
    export RESOLV_HOST_CONF="/etc/hosts"


    marionette http://bencane.com/2013/10/29/managing-dns-locally-with-etchosts/

    This means, if the order above is not given inspite of its agreement in /etc/nsswitch.conf, use Linfw3 and remove the ip of the dns-server from item dnslist, but nevertheless one remote-host-dns should still be entered into the field named DNS of Linfw3, otherwise all DNS get allowed to get queried.

    Now all DNS-queries are answered locally within file resp. /etc/hosts, until the DNS is set again..

    But this might already help:
    setfacl -m u:surfuser:- /usr/bin/nslookup
    setfacl -m u:surfuser:- /usr/bin/host
    setfacl -m u:surfuser:- /usr/bin/dig

    No, this does not really help.

    Unbound will help (... in main). We show how in the following.

    This helps, local /etc/hosts is really functioning like a preused mask using firefox always right before the remote-host-DNS, but the DNS-server itself still gets contacted each Firefox startup. So the DNS gets all the startup-times...
    This can be prevented by pdnsd (el6, rosa2016.1, we recommend (el6)) with "addon" dnscrypt-proxy (mga2) tested on the base of firefox-52.7-ESR (el6, OpenSuSE42.3/42.2).

    Gratulations! So you "own DNS-Server" is made ready (but you still should check it out once). This methods contributes once more to an increasing speed surfing online.

    Overworking the hosts-file in Windows, CHIP
    Overworking the hosts-file of Windows can be problematic. Although the file can be find in the windows-system-directory, changes can ...

    dnscrypt-proxy can be used upon dnsmasq.
    ## Configure /etc/resolv.conf to use dnsmasq
    ## Configure /etc/dnsmasq.conf
    # ignore resolv.conf
    # Listen only on localhost
    # dnscrypt is on port 53
    ## Configure /etc/systemd/system/sockets.target.wants/dnscrypt-proxy.socket with the following 5 lines, if you are using systemd
    ## restart both daemons

    nano /etc/dnsmasq.conf
    Enter right at the beginning resp. search within this file like an insane for the following:

    no-resolv # /etc/hosts won´t be noticed, so try to comment this line in!

    Source: https://debianforum.de/forum/viewtopic.php?f=30&t=157758

    Start of dnscrypt-proxy (mga2, mga5) per termial or with each system-boot in /etc/rc.local for example by:

    dnscrypt-proxy --daemonize --user=root --local-address -r --tcp-port 443 -l /dev/null # -r with OpenDNS´s DNSSEC-support: -r or -r

    Use dnscrypt-proxy together with local (/etc/hosts) also both in order to do something against the risk of Man-In-The-Middle-Attacks and or use (packages) unbound and dnssec-trigger:
    Plain DNS protocol is insecure and therefore vulnerable from various attacks (e.g. cache poisoning). A client can never be sure that there is no man-in-the-middle, if it does not do the DNSSEC validation locally.
    We want to have Unbound server installed and running on localhost by default on Fedora systems. Where necessary, have also dnssec-trigger installed and running by default. Unbound and dnssec-trigger will be properly integrated with the default network configuration manager (e.g. NetworkManager for Fedora Server and Workstation) and with the graphical user interface (especially GNOME). The localhost address will be the only record in /etc/resolv.conf and no other software except dnssec-trigger will be allowed to change its content.
    Detailed Description
    Plain DNS protocol is insecure and therefore vulnerable from various attacks (e.g. cache poisoning). DNSSEC is a DNS extension which enabled the client to verify the DNS query response and make sure there is no attacker to spoof some records. A user connected to network usually receives a set of resolvers from DHCP, which should be used for name resolution. These resolvers may also do the DNSSEC validation. However a client can never be sure that there is no man-in-the-middle, if it does not do the DNSSEC validation locally. Purpose of this Fedora change is to have a validating DNS resolver installed on Fedora systems by default. This includes necessary discussions, coordination and integration with other components installed on Fedora by default.
    There are growing instances of discussions and debates about the need for a trusted local validating DNS resolver. There are multiple reasons for having such a resolver, most importantly security and usability. Security and protection of user's privacy becomes paramount with the backdrop of the increasingly snooping governments and service providers world wide.
    People use Fedora on portable/mobile devices which are connected to diverse networks as and when required. The automatic DNS configurations provided by these networks are never trustworthy for DNSSEC validation, as currently there is no way to establish such trust.
    Apart from trust, these name servers are often known to be flaky and unreliable which only adds to the overall bad and at times even frustrating user experience. In such a situation, having a trusted local validating DNS resolver not only makes sense but is, in fact, badly needed. It has become a need of the hour.
    All DNS literature strongly recommends it and amongst all discussions and debates about the issues involved in establishing such trust, it is unanimously agreed upon and accepted that having a trusted local DNS resolver is the best solution possible. It will simplify and facilitate a lot of other design decisions and application development in the future."

    How to get Unbound and dnssec-trigger running?
    Install dnssec-trigger daemon.

    If you use NetworkManager, configure it to use unbound. Add the following line into /etc/NetworkManager/NetworkManager.conf



    # interface:
    directory: "/etc/unbound"
    username: surfuser
    # make sure unbound can access entropy from inside the chroot.
    # e.g. on linux the use these commands (on BSD, devfs(8) is used):
    # mount --bind -n /dev/random /etc/unbound/dev/random
    # and mount --bind -n /dev/log /etc/unbound/dev/log
    # chroot: "/etc/unbound"
    logfile: "/tmp/unbound.log" #uncomment to use logfile.
    pidfile: "/etc/unbound/unbound.pid"
    # verbosity: 1 # uncomment and increase to get more logging.
    # listen on all interfaces, answer queries from the local subnet.
    # interface:
    # interface: ::0
    # access-control: allow
    # access-control: 2001:DB8::/64 allow
    access-control: allow access-control: allow
    access-control: ::1 deny
    access-control: deny
    # whitespace is not necessary, but looks cleaner.
    # verbosity number, 0 is least verbose. 1 is default.
    verbosity: 1
    statistics-interval: 0
    statistics-cumulative: 0
    num-threads: 2
    interface-automatic: yes
    port: 53 # 443
    outgoing-range: 256
    num-queries-per-thread: 256
    cache-min-ttl: 999999
    cache-max-ttl: 9999999
    infro-host-ttl: 999999
    do-ipv4: yes
    do-ipv6: no
    do-udp: yes
    do-tcp: yes
    do-daemonize: yes
    chroot: ""
    use-syslog: yes
    hide-identity: yes
    version: ""
    harden-short-bufsize: yes
    harden-large-queries: yes
    harden-glue: yes
    harden-dnssec-stripped: yes
    harden-below-nxdomain: yes
    harden-referral-path: yes
    use-caps-for-id: no
    unwanted-reply-threshold: 1000000
    do-not-query-address: ::1
    prefetch: yes
    prefetch-keys: yes
    trusted-key-file: /etc/unbound/root.key # run unbound-control-setup before
    aut-trust-anchor-file: "/var/lib/unbound/root.key"
    val-bogus-ttl: 99999
    val-sig-skew-min: 99999
    val-sig-skeq-max: 9999999
    val-clean-additional: yes
    val-permissive-mode: no
    val-log-level: 1
    add-holddown: 2592000000
    del-holddown: 2592000000
    keep-missing: 0
    key-cache-size: 10m
    ssl-service-key: "/etc/unbound/unbound_server.key"
    ssl-service-pem: "/etc/unbound/unbound_server.pem"
    ssl-port: 443
    remote-control: control-enable: no control-interface:
    control-port: 953

    Add the following line into /etc/NetworkManager/NetworkManager.conf



    nameserver: # any IP of a remote or local DNS

    Starting unbound (CentOS 6):

    sh /etc/init.d/unbound restart

    Use chkconfig to start unbound each boot.

    Unbound with DNSSEC-support:

    unbound-control-setup of unboung (rosa2014.1) presents the message:

    setup in directory /etc/unbound
    unbound_server.key exists
    unbound_control.key exists
    create unbound_server.pem (self signed certificate)
    create unbound_control.pem (signed client certificate)
    Signature ok
    subject=CN = unbound-control
    Getting CA Private Key
    Setup success. Certificates created. Enable in unbound.conf file to use

    Enabled in /etc/unbound/unbound.conf:

    ssl-service-key: "/etc/unbound/unbound_server.key"
    ssl-service-pem: "/etc/unbound/unbound_server.pem"
    ssl-port: 443
    # unbound server key file
    . server-key-file: "/etc/unbound/unbound_server.key" # unbound server certificate file
    . server-cert-file: "/etc/unbound/unbound_server.pem"
    # unbound-control key file
    control-key-file: "/etc/unbound/unbound_control.key"
    # unbound-control certificate file
    . control-cert-file: "/etc/unbound/unbound_control.pem"

    Configuration-Check of unbound:


    Configure /etc/dnssec-trigger/dnssec-trigger.conf this way too.

    Enable and start dnssec-trigger (by systemd). If dnssec blocks all traffic, killall dnssec-trigger again.

    systemctl enable dnssec-triggerd.service

    disable and stop any existing DNS service, e.g., dnsmasq (systemd)

    systemctl start dnssec-triggerd.service resp. start within terminal or add command "dnssec-triggerd" into /etc/rc.local to boot each time.

    If an anchor in the tray (system task line) is missing indicating that all get installed and is working fine, start dnssec-trigger by dnssec-trigger and not the daemon dnssec-triggerd.

    Now it should just work. Please file a bug against dnssec-trigger component in Fedora, if it doesn´t. If not, disable dnssec-triggerd again.
    Note that this is only true for programs using the system standard resolver functions. Programs can use their own resolving mechanism that is not guaranteed to honor anything you write in the hosts file. However, those programs should be rare and far between."

    As promised, we show now, how /etc/hosts is alwas queried first using firefox:

    Add to resp. uncomment in /etc/unbound/unbound.conf (configured right above) the following lines:

    name: "."
    forward-addr: # remote-host-DNS-Server-IP forward-first: no

    Now unbound supports /etc/hosts always getting queried right before the remote-host-DNS. What we get is the promised previous consulted mask.

    Disadavantage: The DNS sill gets queried each firefox-startup. So the DNS-Server gets the starting times of Firefox.

    To prevent this too ( and going sure), the DNS-remote-host-IP still has to get removed from the field DNS of Linfw3. Firefox should have get started, before entering the DNS-remote-host-IP again.

    This all was tested out with Firefox-52.6.0-ESR (el6) and MozillaFirefox-52.5.3-72.1 (OpenSuSE 42.3) and iptraf (iptraf-ng(rosa2016.1, rosae2014.1)) (el6). Results might differ from the browser-name and version. As mentioned, Linfw3 should beware at least one remote DNS-IP in the field DNS regardless from getting queried or not.

    Notice, that iptraf (iptraf-ng(rosa2016.1, rosae2014.1)) is also able to resolv the other way IP to host name (and not the used one by nslookup etc. "host name to IP") by clicking upon configuraiton and enabling resolv..

    As described, unbound supports the storage of the pair domain-IP in an own cache for we hope a long period of time (TTL) too.

    Our DNS-protection-mask /etc/hosts has reached a large size of several MB of pairs "IP domain" by now and in our opinion it can not include enough pairs. A backup of this file is a must as there might exist some few root-processes initialising this file back into its original, quit empty include... Use commands like "chattr +i /etc/hosts" to fix this.

    pdnsd is a so-called DNS-proxy for name resolution against remote DNS-Server.
    The responses to DNS-requests are stored within the local cache /var/cache/pdnsd/pdnsd.cache for a free determinable time. Other DNS-proxies and - server are cacheing only within the RAM. So pdnsd is high recommended.
    Details and howto configure pdnsd for the example of CCC-DNS (Chaos Computer Club Hamburg): https://wiki.kairaven.de/open/zensurfilter/azensur_dns

    For automatical made dns-entries instead of /etc/hosts try the following instead:

    OKName resolution without censorship and surveys by DNS-Proxy pdnsd, tor, tor using dnsmasq, tor using pdnsd and ttdnsd

    /etc/pdnsd.conf, test by commenting in and out and using iptraf (iptraf-ng(rosa2016.1, rosae2014.1))

    global {
    cache_dir="/var/cache/pdnsd"; # chown pdns:pdnsd /var/cache/pdnsd
    # pid_file = /var/run/pdnsd.pid;
    udpbufsize=1024; # Upper limit on the size of UDP messages.

    #server {
    # label= "dnscrypt-proxy";
    # ip =; # bzw. nach unserer Einstellung für dnscrypt-proxy, enable in linfw3 too
    # port = 53;
    # proxy_only=on; # Do not query any name servers beside your ISP´s.
    # # This may be necessary if you are behind some
    # # kind of firewall and cannot receive replies
    # # from outside name servers.
    # timeout=10; # Server timeout; this may be much shorter
    # # that the global timeout option.
    # uptest=query; # Test if the network interface is active.
    # interface=eth0; # The name of the interface to check.
    # interval=15m; # Check every 10 minutes.
    # purge_cache=off; # Keep stale cache entries in case the ISP´s
    # # DNS servers go offline.
    # caching=on;
    # edns_query=yes; # Use EDNS for outgoing queries to allow UDP messages
    # # larger than 512 bytes. May cause trouble with some
    # # legacy systems.
    # lean_query=off; # exclude=.thepiratebay.org, # If your ISP censors certain names, you may
    # .thepiratebay.se, # want to exclude them here, and provide an
    # .piratebay.org, # alternative server section below that will
    # .piratebay.se; # successfully resolve the names.
    # and/or the anonymous remote-DNS from Chaos Computer Club ccc
    server {
    label= "cccdc";
    ip=; #enable in linfw3 too
    #interval=ontimeout; interval=900;
    # edns_query=off;
    # lean_query=off;
    # preset=on;
    # proxy_only=on;
    # reject=,;
    # reject_policy=fail;
    # reject_recursively=on;
    # exclude=.meinebank.de;
    # policy=included;
    # interval=10m; # Check every 10 minutes.

    # same is possible for opendns and too

    # ... and many more remote-DNS

    server {
    label = "root-servers";
    ip=; # ccc anonymizing remote host DNS, enable resp. disable in linfw3 too
    timeout = 1;
    uptest = none;
    # edns_query=on;
    # lean_query=off;
    interval = 30m; # Test every half hour.
    # ping_timeout = 300; # 30 seconds.
    purge_cache = off;
    # exclude = .localdomain;
    # policy = included;
    # preset = off;

    #server {
    # label = tor;
    # ip =;
    # port = 1053;
    # interface=eth0;
    # uptest = none;
    # timeout = 30s;
    # purge_cache = off;
    # caching = on;
    # # edns_query=no;
    # # lean_query = on;
    # # preset = on;
    # # proxy_only = on;
    # # exclude = .meine-bank.de,googleapis.com;
    # # policy = included;
    # }

    source {
    ttl=86400; owner=localhost;

    #rr {
    # name=localhost;
    # reverse=on;
    # a=;
    # owner=localhost;
    # soa=localhost,root.localhost,42,86400,900,86400,86400;
    #neg {
    # name=doubleclick.net;
    # types=domain; # This will also block xxx.doubleclick.net, etc.
    #neg {
    # name=bad.server.com; # Badly behaved server you don't want to connect to.
    # types=A,AAAA;

    https://wiki.kairaven.de/open/zensurfilter/azensur_dns (in german language)

    Set within /etc/NetworkManager/NetworkManager.conf


    Check out everything by pdnsd and iptraf (iptraf-ng(rosa2016.1, rosae2014.1)) well, if domain and ip get really cached in /var/cache/pdnsd/pdnsd.cache. Increase perm_cache to 99999 for example or higher.

    pdnsd works fine, we gonna prefer it. In /etc/rc.local set chown -R pdnsd:pdnsd /var/cache/pdnsd, chmod 755 /var/cache/pdnsd/pdnsd.cache, chmod 644 /etc/pdnsd.conf, chown root:root /etc/hosts with chmod 644 /etc/hosts. Now even the strange building-up of the connection to the remote-DNS each firefox-startup is prevented! So there is no contact to the remote DNS except for requests for the IP of the very first time elected domain, but one should still check this out for the first time with iptraf (iptraf-ng(rosa2016.1, rosae2014.1)).

    If noscript is used and a star (*) is entered in the first field of register for http-addresses, do not forget to add all the exclusions resp. http-server connected with the main server (http-address) resp. by the belonging webside to exclude in the second field right below the first one for the exclusions. Such addresses are listed in the status bar of firefox or by ABP resp. ABL. So pdnsd did not block objects like images right before, but noscript. This last case of more than one server to add as an exclusion remains quit seldomly.

    /etc/resolv.conf resp. MMC#Internet#network-connection:

    Only addressing Ebay for the process of payment pdnsd and /etc/hosts with pdnsd-"addition" dnscrypt-proxy (mga2, mga5) still made some trouble. Short deactivation helped to enter a ip with belonging domain offer.ebay.de into /etc/hosts ( www.ebay.com, signin.ebay.com, pay.ebay.com, offer.ebay.com, my.ebay.com, ... generally, please tell us the insane amount of Ebay-server...).

    Mozilla starts test of DNS-queries over HTTPS, Pro-Linux, 23.03.2018
    In order to improve the privacy for DNS-name-resolution over HTTPS, Mozilla plans to test the development-version of Firefox in future. However the choice of the DNS-provider led into cutups.

    ... and Tor!

    In the constellation above out of pdnsd regarding /etc/hosts at first and the optional addition dnscrypt-proxy, internet traffic still does not go over anything, but nodes and the Internet Service Provider (ISP).

    OKFor tor (TorDNS, Tor with firefox-ESR >= 52.9.0) /etc/tor/torrc should include:

    # This file was generated by Tor; if you edit it, comments will not be preserved
    # The old torrc file was renamed to torrc.orig.1 or similar, and Tor will ignore it
    # SocksPort auto IsolateDestAddr IsolateDestPort
    # SocksPort auto IsolateSOCKSAuth KeepAliveIsolateSOCKSAuth
    # ControlPort 9051
    #ControlSocket /var/run/tor/control
    CookieAuthentication 1
    #CookieAuthFile /var/run/tor/control.authcookie
    Sandbox 1
    DNSPort 9053
    AutomapHostsOnResolve 1
    AutomapHostsSuffixes .exit,.onion
    AllowSingleHopCircuits 0
    EnforceDistinctSubnets 1
    #DataDirectory /var/lib/tor
    #WarnUnsafeSocks 0
    #WarnPlaintextPorts 23,109
    ClientUseIPv4 1
    ClientUseIPv6 0
    # Transparent proxy
    # TransPort 9040
    # TransListenAddress
    ClientOnly 1
    FascistFirewall 1
    AvoidDiskWrites 1
    DirReqStatistics 0
    GeoIPExcludeUnknown 1
    Log notice stdout
    UseEntryGuards 1
    NumEntryGuards 2
    TrackHostExitsExpire 9600
    EntryNodes $7B28971D4A29995784E3066B9D87E42E9C685F3A,,$03dc081e4409631006efcd3af13afaaf2b553ffc,togma2,ori,freki,tollana,ATZv5,freebird32,leonide,behrmann,mccowan,,{ch},{se},{nl},{fr},{fi} # erste drei: torified;pairoj,krigernes, verwende nur Fingerprints! Add all entry nodes in one line only!
    ExitNodes $18cfb7ba07f13aeabf50a7148786da68773b2498,,$74c0c2705db1192c03f19f7cd1bb234843b1a81f,$9ead5b2d3dbd96dbc80dce423b0c345e920a758d,,,,,$93c6be420fbd2327db591a372c58807bb788d79c,$35919e197c6c7f372a26c747d66aca6a39642b3e,$4ef28f0acba7db83f532cf649db13a00c2f9fdf2,$9171101e709ade5881f5e2ca1100d4044b44263e,$3d615def97f387631f50201fafa6e7b67fdf3fef,$0111ba9b604669e636ffd5b503f382a4b7ad6e80,,$0111ba9b604669e636ffd5b503f382a4b7ad6e80,,$9aa3ff35e7a549d2337e962333d366e102fe4d50,$311a4533f7a2415f42346a6c8fa77e6fd279594c,$1bdbe9c0f7034e6789a9bf7bed82be2045f0f5b7,,,$0d2de242ada0ed77325e3aee3a9d8c5cd07c2cf3,$08ce3dbfdaa27db6c044a677af68d7235c2afc85,,$9c61fc0a01401edf71c4048665e53968e81351fc,,$8c25ba134d579b8aaf420e01215eb2cf06aae907,$81b75d534f91bfb7c57ab67da10bcef622582ae8,,,$9e0058300401f6687eae59f9fe82db89230344c1,$63f0043819468fd86c761eae45b4b72db9a795b9,,,$97aee1eefbcbb6ff8fa482029830e8e10a961883,$113143469021882c3a4b82f084f8125b08ee471e,$530277866466a1425f43a73dbfcb5fc7410c9852,,,$97aee1eefbcbb6ff8fa482029830e8e10a961883,$0d12d8e72ded99ee31bb0c57789352bed0ceeeff,$96e095d5cdbfc3988deb708ec155346472402c32,$763b7d67a6b2d19b3e9ea57d1fbdc48f3b85b559,$9661ac95717798884f3e3727d360dd98d66727cc,$8cf987ff43fb7f3d9aa4c4f3d96ffdf247a9a6c2,$5ba19b5d5ab0cb9ef8ea33da77585b75449400b0,$4bfc9c631a93ff4ba3aa84bc6931b4310c38a263,,,$6D3EE5088279027AD8F64FF61A079DC44E29E3DF,$9E9FAD3187C9911B71849E0E63F35C7CD41FAAA3,,,$294cab9ac06a4484e48e61fe1fb7ef4d7839e402,$6088c9ae1f712a9478fde64cadeff8e74ed4ae7c,$4a0c3e177af684581ef780981aeaf51a98a6b5cf,$88c3708a9d71ecec1910b63c3faa5bf60cd7e199,$42e0fb190d20522c6c8c71e42b71da33ac7a780e,$65c86182fdaacb59c9db6d9ddb83148933415a3c,$12ad30e5d25aa67f519780e2111e611a455fdc89,$80aaf8d5956a43c197104cef2550cd42d165c6fb,,,$9634ff450315c691e1e2185636318eaf457e4227,$7d05a38e39fc5d29afe6be487b9b4dc9e635d09e,$0e8c0c8315b66db5f703804b3889a1dd66c67ce0,$03dc081e4409631006efcd3af13afaaf2b553ffc,$9ba84e8c90083676f86c7427c8d105925f13716c,,,$8f02fe5e233730a6ab4c982e18a2136e662a0b59,$847b916d90fa1db85d57addfa1e50510f68538a1,$9BDF3EEA1D33AA58A2EEA9E6CA58FB8A667288FC,$1A1DA6B9F262699A87F9A4F24EF48B50148EB018,$31A993F413D01E68117F76247E4F242095190B87,,,,,$85D4088148B1A6954C9BFFFCA010E85E0AA88FF0,$39659458160887CC8A46FAE627EE01EEDAAED07F,$0111BA9B604669E636FFD5B503F382A4B7AD6E80,,,,$88487BDD980BF6E72092EE690E8C51C0AA4A538C,$9EAD5B2D3DBD96DBC80DCE423B0C345E920A758D,$95DA61AEF23A6C851028C1AA88AD8593F659E60F,$487092BA36F4675F2312AA09AC0393D85DAD6145,,$2DDAC53D4E7A556483ACE6859A57A63849F2C4F6,,$6D3EE5088279027AD8F64FF61A079DC44E29E3DF,$9E9FAD3187C9911B71849E0E63F35C7CD41FAAA3,,,$294cab9ac06a4484e48e61fe1fb7ef4d7839e402,$6088c9ae1f712a9478fde64cadeff8e74ed4ae7c,$4a0c3e177af684581ef780981aeaf51a98a6b5cf,$88c3708a9d71ecec1910b63c3faa5bf60cd7e199,$42e0fb190d20522c6c8c71e42b71da33ac7a780e,$65c86182fdaacb59c9db6d9ddb83148933415a3c,,tor4thepeople1,hviv118,hviv119,AccessNow000,AccessNow001,$93fab6f91c2ef33d0aceef7448177fca2ceb99a0,,,$7bfb908a3aa5b491da4ca72ccbee0e1f2a939b55,$204dfd2a2c6a0dc1fa0eacb495218e0b661704fd,,,,$6df493c83d0f5c337f7166a108adb891bce3fa1c,$6290a2d08e5eb89c809223c5c7bf52597690751d,,$2dfdea5dd415b95594bfb12d59fe841167f94b5f,,,,DFRI2,$65e6eb676633328ade3bd3168a59134cddd21e19,$0516085d6cac40ed4cdcefdfc5ccf6b00de61ded,,$7e006a46a222ce42f84b4a175698b3b593a7b3b7,$6c20cb9a0e95edc143f29194a0a4cc2a593aa15c,$05ffa39d71da116f7669ea4ee53a0baea315ba7f,,$0d874d3bbcbe88a61efc8379a68ac3f1314d4b7a,$6df493c83d0f5c337f7166a108adb891bce3fa1c,$3febfb6a491d30cacc2c2995edb41717a6f94e95,$00cce6a84e6d63a1a42e105839bc8ed5d4b16669,,$578e007e5e4535fbfef7758d8587b07b4c8c5d06,$874d84382c892f3f61cc9e106bf08843de0b865a,$185663b7c12777f052b2c2d23d7a239d8da88a0f,$90fd830c357a5109ab3c505287713f1ac811174c,$4a3b874f0187f2cf0da3c8f76063b070f9f7a14f,$8d093c9c2b42bc224a5319a660a6cf5edefe839f,$46f90ef3a3628c134dbb4654d0e4ff7eb914b690,,$56781ccc9f6d29fea148799ab588429c893a473c,,$69620419a3d0077272b2ea3952a1f46880fdfae5,$2053a4764080bebbec590be4418a782028d05e0f,,,$30ee4433780753120eca788d0f95d19ab2722819,$0ac4c4d8bca8da7bae6be3fea87442e724353cbf,$46791d156c9b6c255c2665d4d8393ec7dbaa7798,,$0bc8ba32cc3cb0f598e0c92778f7c0946dfbce91,$750c4332414558ab8c973b64dcabb5ca42fa642c,,$968cb7da0c56e66f22b78cba0562fe132939d8bf,$90152ba61de052f96956a72db5928650e14914c2,$56621b6880b20012b11af7d1f44ef7d2779428f5,$37535409102dffe92f3dac809e470e62bc27f1df,$3bd1376cd339edac6aefcf355a703a16af913496,,$4b084ad6a0ba70761a333829f52042bb6ea009af,,$56781ccc9f6d29fea148799ab588429c893a473c,,$044d00bc0ab1e3b4e3854dd522c471ede8d0cb42,$41f07731207742860d43ac426fbae2f3947bd1ca,$4a3b874f0187f2cf0da3c8f76063b070f9f7a14f,$1747f77cc71a7d073e9f960b9b77d33734f6216d,,$56621b6880b20012b11af7d1f44ef7d2779428f5,,$46791d156c9b6c255c2665d4d8393ec7dbaa7798,$0bc314281c83167f24c7cfcd68de069b02a92345,$995afa869526ba8e3b714e8bd1f455dc084832cd,$28a3a7d742b7cabdc006c055496dad9814d4e930,$22e8493d6ae611c8e243492bd4935160a5ec8f2f,,,$45ec3912c624d0c1a3873ba30214f06ccd946de6,,,,$12efbb9560f5bf7d09625c99e488f982fa3483e7,$4ff868be8b403085f4c351094d392a7230766435,$995afa869526ba8e3b714e8bd1f455dc084832cd,$3b4fa23831cc69c136418b0305381a5103a3b470,,$1c0d0af3ff05ccbba4b6ed262196a4c5a76102e6,$55580d71b317a072f4a4dcf6ea4edb015734aee7,$8154154c636ec317c7165fd839f34f79963376c1,$93fab6f91c2ef33d0aceef7448177fca2ceb99a0,$5e5040ea472aeb11c3dd4beac37ebe50ef40c93b,$61b8bdc91aa7bc9a05eb5a3d652fff88c98e6911,$9684c4d6c71131eeef2e5c23c3ea234a684cd501,,$40b206539ecdf83aceaa34245cc82508077bba14,$92bbadcb0697f5eb1792c607ee2dc1c291a98adc,,,,$1747f77cc71a7d073e9f960b9b77d33734f6216d,$87ea8620a1368f19c43a037115f15461c9487b31,$1901e98a08077fbba4c9e0368dd4dc6dbbd4cf77,$5f1c955a83ffec2548d2a4637d2ccd09124a1957,$6270d21d6cef0a4b1abea0730983aae08126701a,,,$0cdc8fdd8a487271decb791c0d46585f16bc8f19,$6a7479eb4378b946dc2a65a7f2c706b42bae2ebd,,,$777e9e3bb371cfb436cb993cf8c7f631137beeb2,,$683a668ebd5e275889b510caea45752016e3de30,$15f2b269295017bbaace4d15a312d4c89682d036,$68854e6f0c8c7b48c1a28934881ad10736da7f8d,,,$750c4332414558ab8c973b64dcabb5ca42fa642c,,$0c039f35c2e40dcb71cd8a07e97c7fd7787d42d6,$8164d74a15a2c10afbd2429a913ffa9b83332580,,$70b5746578dfe2b373599703b8dfb2af37743405,$2e045a15872b52d7c9955225bb791f91a3ed2f2c,$12efbb9560f5bf7d09625c99e488f982fa3483e7,$569bc61051c78801d96a682ba15d992f347316ed,,$9635968bb4e2d1b8395b0a1f4a7dda5ec4b5c435,$61875bb87f7c6bb9b656be7b95ebbfb3d5500c97,$78bc2254d3b31cd865f7682633aa438212132532,$995afa869526ba8e3b714e8bd1f455dc084832cd,,$69620419a3d0077272b2ea3952a1f46880fdfae5,,$2596d998149eaed2c6fb28c1ca39923bc9cc1103,$3bd1376cd339edac6aefcf355a703a16af913496,$70b5746578dfe2b373599703b8dfb2af37743405,$8164d74a15a2c10afbd2429a913ffa9b83332580,,,$0bc314281c83167f24c7cfcd68de069b02a92345,$46791d156c9b6c255c2665d4d8393ec7dbaa7798,$55a92be2a76c64a5a0db0d4f61d5dca37b55ee52,,$995afa869526ba8e3b714e8bd1f455dc084832cd,$4fb8c28667f785c9cc98bf7317c76daec8072e6f,$13bc57be4a6287d5c9ab970e94823bcaf7b5ffb2,$0bc314281c83167f24c7cfcd68de069b02a92345,$46791d156c9b6c255c2665d4d8393ec7dbaa7798,$96dafdce92ba94e4cc95f8314ae48e272a702fdc,$465d17c6fc297e3857b5c6f152006a1e212944ea,,$86cbf65f98e84681156444d048374aae1c809b17,$87ea8620a1368f19c43a037115f15461c9487b31,,$3b0efde689693cfdec2305f7b99d5b2fa4a77d91,$73e8a55b158fe750aaf711b402d3702e3fc395ee,$07c536d732850e3abbb51176fbcf9e79fc2c6e7a,$5b0e2e519fc6e61775895be7cde504c4aa8d6820,,$51c0096f3d7ee2a082bc367a29f81c9fcd9bf273,,$8bbe7a90dc03a954673a99ffb6d79308ad4f643c,$27f890a58693ebb080184c8d8477f0281b2585f7,$27f890a58693ebb080184c8d8477f0281b2585f7,$27f890a58693ebb080184c8d8477f0281b2585f7,,$166f00ea1bf27f20e8b2d7ef7fff200e52b47d00,$98138dfd3e2c8c89d8f5ab11ef9b6bff272d83b4,,,$98f94858106715983d6ff0123334f94b62ff00b7,$6b29a78eeb42d318290db60c6a2edc714f1bad42,$58d214a5147a7488897d3f187df84ef859d68184,$48042bf1da7d7515dcf5ab468943cac47724ec26,,$58a9921dd0a1389356634625c5b14acc1194a95c,$9ac272d5c5bf479b56f062b91b89d6fe3740185d,$995afa869526ba8e3b714e8bd1f455dc084832cd,$46791d156c9b6c255c2665d4d8393ec7dbaa7798,$55a92be2a76c64a5a0db0d4f61d5dca37b55ee52,$5af95dff3a7b45a01d83c68b9408a280f7a3cdf8,,$912056eae8410c1768ad2efc007ce5d22625bc23,,,,,$876c7ce43774366250d3e768e690dab9d4b5d5a3,$8154154c636ec317c7165fd839f34f79963376c1,,$5918b0913a59d18262e74f9b1f0c034ccc31fbcc,$8eb722fa1ae9dde1914bc21fea22819d4de99db4,,,$07dd4f0e6d2c7a58937f5c2760da19ee9be8ca80,$2af1f03ca502a23d554eb61c6649c531674c9627,$4df67280a6aa88c8e2807b58deac67e6e599cbba,$2b434018efb233acbdb220a6a14e5657cc6a63c8,$40fae4540cf4c126b1b15c0f5e048fdbd66e2d88,$27f890a58693ebb080184c8d8477f0281b2585f7,$9ae53d17ea4695e94e5cb60e54df57d011b989a0,$1e5618c079d74cf9ae0c5370de4c6e1afd5c0b39,$847b1f850344d7876491a54892f904934e4eb85d,$38b6b15f14bcf4d5b342ba1d67004287d1bcb9dc,$760dd1184f576fbbe4d3f834be16ab3d192bbcda,,,,$67549c743eb7a9d06a75e37beb82417ebb22e97f,$23439cf3eced46bb327a32373cd1d17e835777ee,$2f1a6481756d34bbf2cd3bebabbfec2e863a6f55,$4f3056e9d4bac38ec2100063745221553630eccb,,$89abc96e57c44085c6d520f6b27a23f3823e119b,,$0fedebe83c1f2de3d6673876bba1433ccf0ade51,$922c780d6a32944890a9c2bdb288037eb2f06392,,,$460f2eb956c09933a7e495c800786f11fd6d6336,$4f9bb4555bcfa49260e382c6d156eb49de07c63b,,,$01181b31be5860c7d66da88f88ad522c06470fd9,,$53ae17b558dfa2eaf551b650f6260b3e31fbead0,$2c752c180089ddc89bc3ffccb17facfeeafd79aa,$44ef5f90f4e15b2a7937b33908b79675086b0e4b,,$58a9921dd0a1389356634625c5b14acc1194a95c,$48b4f7ee8e1f87ea544c9498ff463a6ddc3a4795,$587e0a9552e4274b251f29b5b2673d38442ee4bf,$4cdcc833fb70b9f3915522fdc90e52c531feec49,$73a5a81688bd536bfbabe18630f5bd6306c9ac8e,$0b555940d37dc849728841c0b290074e1a1bdca8,$980afb485d04c566c74d5704c96cf80d29de3793,,$30c67a09630503e911ba3b9f9e48bd99ba01c5dc,,,$395cec4f978857b1169da78cf1208fd13b715fd0,$519d9147bfc7d8b84dcd7ac0b816080777d0e4c6,$3ea2217a01c61b1c17b6d8571b26fa6a44144d6f,$912056eae8410c1768ad2efc007ce5d22625bc23,,$890530c5b510a506f5cf206efec1595f96e727a5,$18fd0903330cd865023cf8737aae5d9bfbe4c025,,$92d8008026aa72131a5357005054048f879f2808,$0c039f35c2e40dcb71cd8a07e97c7fd7787d42d6,$2e72eeabe4ee19183befaa10d88b3c16829c9f99,,$8a8dba05b9fa31a5511b79768cf191c84c9035de,$7e8bc43ae75eae16d7ec4676f4a5c355f454b809,$8456dfa94161cdd99e480c2a2992c366c6564410,$2880a4d6a33f9becf2ae106d2951965a97527e96,$1e5618c079d74cf9ae0c5370de4c6e1afd5c0b39,$995afa869526ba8e3b714e8bd1f455dc084832cd,,,$9638d8a46d8cba79f8122d77e038ed99ebfdaead,$38b6b15f14bcf4d5b342ba1d67004287d1bcb9dc,$9a725c9660640fd82782f89e755553b29a14e791,$8b029434401afdc8b9793a49005e2bc3af76c02c,,$8a2d71cbca33f13a3ea9614de28ae3f669d84987,$519d9147bfc7d8b84dcd7ac0b816080777d0e4c6,,{mn},{cz},{se} # all exit nodes in one line only!
    StrictExitNodes 1
    StrictEntryNodes 1
    NodeFamily {ch},{ch}
    NodeFamily {de},{de}
    NodeFamily {nl},{nl}
    NodeFamily {fr},{fr}
    NodeFamily {se},{se}
    NodeFamily {fi},{fi}
    NodeFamily {au},{au}
    NodeFamily {ch},{au}
    NodeFamily {dk},{dk}
    NodeFamily {pl},{pl}
    # SocksListenAddress
    ReachableAddresses *:80,*:443,reject *:*
    ReachableDirAddresses *:443,reject *:*
    # ReachableORAddresses reject *:*
    ExitPolicy accept *:443
    ExitPolicy accept *:80
    ExitPolicy reject *:*
    GeoIPFile /home/surfuser/geoip
    GeoIPv6File /home/surfuser/geoip6

    Relais listing including fingerprints: https://torstatus.blutmagie.de or...

    "for example, to get all the running Exit nodes, we have


    to get all the running Guard nodes, we have


    to get all the running Guard nodes, we have



    torrc with bridges instead of guard nodes (entry nodes), exchange EntryNodes with:

    UseBridges 1 Bridge obfs3 YOUR_BRIDGE ClientTransportPlugin obfs3 exec /usr/bin/obfsproxy --managed

    Prefer newest protocol obfs4.
    Get a list of bridges, in our example for obfs3, mailto: bridges@bridges.torproject.org, Subject and body: get transport obfs3 (but we did not receive any reply....)
    example for YOUR_BRIDGE using obfs3:

    obfs3 IP fingerprint
    obfs3 cc8ca10a63aae8176a52ca5129ce816d011523f5
    obfs3 0ed110497858f784dfd32d448dc8c0b93fee20ca
    obfs3 daa5e435819275f88d695cb7fce73ed986878cf3

    ... or configure the bridge graphically through the Tor-Browser-Extension.

    "Bridge nodes are the nodes, which are not listed on the public directory of TOR nodes."

    Nevertheless we would prefer bridges. Tor access is guranteed and ISP won´t notice any of it.

    Notice the tor-version. Options might have to be commented in for lower ones, see the pregoing example for configuring torrc for TorDNS for tor (el6).


    Above torrc refers to tor (el6), comment more options out for higher tor versions. The sandbox does not really work in this version too. Now copy tor´s configuration file torrc and the two geodata-files geoip and geoip6 from /etc/tor/ into /home/surfuser and start tor by "tor -f /home/surfuser/torrc". All pathes to these configuration files should be accessable. Tor runs on port 9050 or 9150 by default (you might want (or should) enter the network connection into the browser configuration: socks: localhost:9050). Therefore we recommend extensions like RequestPolicyBlockContinued integrating browser Pale Moon 28.4.1 upon engine Firefox. Also set a hook there for "use TorDNS proxy for DNS-queries" If tor should be used directly for name resolution without installed DNS-Proxy for the anonymized one (pdnsd) instead, simple enter:



    Reference: pdnsd (rosa2016.1), dnscrypt-proxy (mga5), Firefox-52.6.0-ESR (el6, OpenSuSE 42.3), iptraf (iptraf-ng(rosa2016.1, rosae2014.1)) (el6) and https://wiki.kairaven.de/open/zensurfilter/azensur_dns

    If a domain-resolution into an IP malfunctions, add one nameserver with remote-host-ip into /etc/resolv.conf. Set it back, after the resolution got solved.

    Router-Update: AVM keeps his promise, to extend the Fritzbox-firmware with new functions by updates form time to time ( so that itself is protected and firewalls like Linfw3 get supplemented ). What all is provided by the new version, is described here: http://www.pcwelt.de/ratgeber/Fritzbox-Das-neue-Fritz-OS-9730440.html
    Any good router has got its own router-firewall. The new version is also able to block pings. "Internet -> Filter -> Listen" enpossibles the stealth-Modus. Attacker use the ping-command, in order to scan ports and ip address ranges, if a device reacts by a confirmation (ACK-)package, PCWelt.de, 05.11.2015, http://www.pcwelt.de/ratgeber/Fritzbox-Das-neue-Fritz-OS-9730440.html

    Clamd and Clamav: Virenscan for the control and scan of directories and files

    Files from MS Windows and E-Mail can contain virusses, but as we know, can not threaten introduces system very much. For the check of mailviruses, Kmail uses clamav by a filter configured automatically during the installation of clamav, while clamd might control and scan directories and files on-the-fly:

    User root # eventually another user later on ... # eventually more settings

    Start clamd:

    sh /etc/init.d/clamd start

    or by ntsysv, MMC->"Services" or systemd ( which is not a mandatory part of mdv2010 and el6, although installable ).

    Now start clamdscan too: :

    clamdscan -m -z --fdpass

    or start

    clamdscan -m -z --stream file|directory.

    Source: https://wiki.kairaven.de/open/os/linux/maldetect

    Die Virendefintionsdatei und andere Dateien von Clamav aus /var/lib/clamav lassen sich mit freshclam und per Installation einer aktuellen Version von Clamav aktualisieren. Einmal im Jahr ( falls überhaupt ) sollte unserer Meinung nach genügen.

    You see: With the excurs, mdv2010.0-final with the software also recommended by prism-break.org including "NSA-"Tomoyo-Linux (.jp) and SELinux, Gooken, Mycompanies and the data-sheed we can´t say that fast good bye to the computer technology catastrophe after its expencive, terrifying decades- maybe except mdv and Debian 2014 or so! Not much to consume for power, to exchange or to repair with mdv2010.0, although a view upon the links from our linkside like upon http://prism-break.org/ is strongly recommended! Notice, that not all software from there earns our trust, even not Ubuntu from Canotical inc.! Resigned from some services we even do not know after all our efforts, where all the insecurity remains, using internet by SSL, TLS and other secure protocols, excluding risks in conjunction with DNS (Provider?) and the recipients themselves, maybe security-browser-plugins. Partitions and therefore USB-sticks too, if ever infected, can be repaired within few seconds. We still have to wait for the first system-breakdown. All kind of Tarballs (Tar-Archives) from a more than hugh and day-by-day increasing software-repertoire can be installed just by typing "./configure [--prefix=/usr] && make && make install" resp. cmake and ohter make. The makefile for make producing "./configure --prefix=/usr" always tests out the system-environment, in order to lead into successful installations. Back to the future, we resume: Not much to improve for the sniffing-box computer by mdv2007.0 resp. mdv2010.0 - so together with LINFW3 we are confident enough to resign from only again insecure operating systems past mdv2007.0 and mdv2010-final probably with an 3.X.X-Kernel (<3.4) with actually again more than 4.000 intern bugs, all at lowest cost on the ground of power-consumption like that of energy saving lamps. All software is present on CD/DVD except such for special purposes. Together with the following step and according PDF we have realized our demand for a calm, secure work with computers typically signalized by a green LED as we mentioned from the beginning of the excursion! From programming up to configuring and surfing - now we really can work with computers!

    "I am so happy, that my (SuSE 7.3 from year 2003) Linux run for more than 12 hours" (alt.linux.suse, 2003)?

    Awful times, one broken distro after the other one. We had to wait a long time, maybe about one decade.

    And ´m afraid that, see our linksite part Wikipedia, quit insolvent Mandrake resp. Mandriva with mdk10.1 form year 2004, mdv2007.0 and mdv2010.0 runs forever now!

    To achieve, what can be called security, I just had to wait for my own excursion!


    Do you know, that mdv2010 is able to convert image formats by filetype, seize and color-depth and so on by a single command? Use convert, for example:

    convert -resize 1366x768 -colors 24 image1.png image2.jpg

    You can do this also for several image-files like at once, or for converting images into splashimages through something like "convert -resize 640x480 -colors 14 Bild.png Bild.xpm", Then "splashimage (hd0,0)/grub/splashimages/Bild.xpm.gz" should be entered into the configuration file of grub in graphical mode named grub.conf resp. menu.lst. Converting is also possible for videos by transcode or ffmpeg, textfiles and program-source-code from one programming language into another one. This can save storage and large programs sometimes and a programm with a GUI doing this too not need to be processed.

    mdv 2007 and 2010 even in compiz-cube- and metisse-3d run in our eyes secure as computer can! We are going to report about the cases, if not! I remember an elder ad for Linux with a tongue out: "problems missing - problems creating!"

    (Tarif: Freenet DSL1000 (19,95 Euro/month) with internet-telephony)

    Ciao, hacker! CIAO, partitionwise mount and chroot, CIAO, remote-root-logins and root-logins!
    All user- and system-user-accounts are password-encrypted and locked (except account for user named surfuser), while all shells got locked accountwise by login /sbin/nologin too (including method sandbox Firefjail and setfacl upon su and bash even for surfuser)! FSE by LUKS (dm-crypt/cryptsetup) encrypts all partitions by option --key-file (instead manually by password-login) except the root-partition: quit no password-cracks senseful as much as possible!
    Ciao, trojans!
    Ciao, malware!
    Ciao, spyware!
    Ciao, spammer!
    Ciao, scammer!
    Ciao, trolls! ...
    Ciao, tracker!
    Ciao, ad- and spyware!
    Ciao, remote DNS (except IP of first time read-in domain)!
    Ciao, man-in-the-middle!
    Ciao, all unencrypted and unsigned email (thanks Kmail)!
    Ciao, all horrifying expensive electric bills!
    Ciao, registrations in any databases ( listed Firefox-browser-extensions, especially ABP (Adblockplus), Noscript and Policy Blocked Continued)!
    Ciao, weak point human (owner- and access-rights, protocolling the users and an user audit is also possible)
    Ciao, all you graphic and hardware-problems ... and pains in the necks!
    Ciao, backup-problems (most reliable solution: 1:1-partitionwise through command dd from rescue-DVD/-CD/-USB-memory-stick, best: rescue-partition with Rescue-OS like Knoppix, Mindi or Mondo etc.)

    Ciao, all you shaby, shaby computer-problems!

    Ciao, IPv6 or make it perfect with Tor: Ciao, IP, ciao Provider (except dial-in)!

    Ciao, Suneater!

    Ciao, INTEL inc. & Co.(* News&Links#Computer ...)!

    Where are all the problems with the computer gone? See the image of circus with Clever and Smart from year 1983:

    Nevertheless it managed us to move an elephant over the tiny row!

    One problem-box less!

    We repeat the often used stamp from trojan-board-expert and Süch-Tiger Cosinus:

    "Why Linux is better than Windows..."

    and resume: The craziest of all elephants computer, here alias Linux, after several breaddowns, did finally manage the circus-row to achieve the goal (through a mix over several distributions and versions, updates over updates and actions over actions after more than 25 years full of trouble): No hacker, no trojan, no viruses (except maybe one day appearing, but harmless remaining mail-viruses and from emulated progs), no worms, no malware, no adware, no spyware etc., not much or not any remote-DNS-host queried, a stable kernel (4.20) with mkinitrd (mga2), nash (mga2), dracut (mga2) and glibc (pclos) upon except by violence everlasting hardware, cheap ASUS-19W-motherboard Mini-ITX-220 mouseclick-fast out of Intel-CPU, RAM, BIOS and other chips like graphic, sound, LAN and the sensor-based Coretemp for temperature-measurements and control, netadapter SLA-500(W) and 13W-ultraslim quit large displayed WLED-TFT from AOC, all FSE (full system encyption with LUKS, openssl resp. gnutls, openpgp or smime) while as much rpm-packages have been installed surface-covering as installable at once on our SSD and all of them got updated well - not much problems do remain for the intoduced stable computermodel.
    support Do you want the everlasting peace with your computer? Contribute to Gooken for the manufacturing of the (consistent) IT-security-standard! For correspondent please click here! Contact us: You can buy the complete rights of Gooken (over all websides and products) to become its owner for 100.000 €!

    to step 2 "additional filter concepts for enhanced security levels"

    © 2006-2018 by Gooken - everlasting since computer might run secure

    Win, if you want! ... but nothing to win there:
    You see: Once descripted how and howto, you know everything too!"

    Download a funny wallpaper as one important motive for step 1 of this excursion (for free)! Its message seems to be from another system... It always needs our help and special care... noone does know the next step, do you?

  • Once described how and howto, you know everything too!



    Our rubriques for computer:

    Computer | Monitor | Printer / Drucker | SSD | Network / Netzwerk | Smartphone | MS Windows

    As promiced, here´s the example for /etc/hosts delivering a remote-DNS-protection-"mask" to enhance by yourself. Domain are .de (german) in many cases.

    Secure Surfing: At the end of this webside we are introducing and configuring Tor (the Onion Router)..

    . But now, as promised, here is the file /etc/hosts

    Wie versprochen, hier die exemplarische remote-DNS-Schutzmaske alias hosts-Datei /etc/hosts, allerdings noch ohne die Sektion zum Adblocken. Für ihren Inhalt ü,bernehmen wir aber keinerlei Garantie und Haftung. Nicht aufgelistete und künfit DNS-Einträge bzw. aufgelistete Paare "IP Domain" befinden sich entweder im Cache des vorgestellten pdnsd, und zwar in /var/cache/pdnsd.cache, oder werden dort mit dem Abfrage von selbst aufgenommen. Für die remote-DNS besteht somit immer weniger Bedarf.

    OKMake a backup of /etc/hosts :
    #The risk of pharming is not given as in MS Windows, but nevertheless /etc/hosts is hunted the hell regardless from protecting access-rights, for example through updates (or is it from anywhere?). Make a copy of /etc/hosts: "cp -f /etc/hosts
    #/etc/hosts.save" and restore /etc/hosts each bootup by adding "cp -fp /etc/hosts.save /etc/hosts" in /etc/rc.local !

    ONLY add often visited domain (domain-ip-pairs) in /etc/hosts (and its backup /etc/hosts-save)!

    Following method is only suitable for UNIX/Linux and not suitable for MS-Windows: risc of pharming !!!/B>

    # generated by drakconnect
    # localhost.localdomain localhost
    # This MVPS HOSTS file is a free download from: #
    # http://winhelp2002.mvps.org
    /hosts.htm #
    # #
    # Notes: The Operating System does not read the "#" symbol #
    # or anything after the # symbol on the same line #
    # #
    # This *must* be the first line: #
    # #
    # -------------- Updated: April-24-2017 --------------- #
    # # # Disclaimer: this file is free to use for personal use #
    # only. Furthermore it is NOT permitted to copy any of the #
    # contents or host on any other site without permission or #
    # meeting the full criteria of the below license terms. #
    # #
    # This work is licensed under the Creative Commons #
    # Attribution-NonCommercial-ShareAlike License. #
    # https://creativecommons.org
    /licenses/by-nc-sa/4.0/ #
    # Alle Angaben ohne Gewähr! Technische Änderungen vorbehalten!
    # Mache eine SICHERUNGSKOPIE von dieser Datei (etc/hosts/) und sichere Sie den Zugriff auf beide Dateien!

    OKSicherung der /etc/hosts :
    # Die Gefahr des Pharmings ist zwar nicht wie bei MS Windows gegeben, dennoch wird z.B. über Updates (oder sogar von überall her) höllisch Jagd auf /etc/hosts gemacht. Die /etc/hosts sollte daher noch einmal gesichert werden:. "cp -f # /etc/hosts /etc/hosts.save" . Diese /etc/hosts.save wiederum sollte vorsichtshalber, trotz Zugriffsrechte, bei jedem Start die /etc/hosts überschreiben
    # Dazu bedarf es in /etc/rc.local des Eintrags "cp -fp /etc/hosts.save /etc/hosts" ! # VERIFIZIERE im Fehlerfall einige im Kommenden aufgelistete IP, insbesonders für ebay etc. mit nslookup oder dig noch einmal! Ergibt sich hier tatsächlich ein Fehler oder erscheint NXDOMAIN, setze die mit nslookup gefundende IP über "nameserver remote-host-ip" vorü,bergehend gleich zu Beginn von /etc/resolv.conf ! TESTE, ob ein REFERER gesendet werden muss und erlaube ihn, falls erforderlich. Überprüfe ggfls. die Zugriffsrechte von /etc/hosts und /var/cache/pdns/pdnsd.cache.
    # Einige Webseiten verlangen (ff-extension RefControl: normal, NOT BLOCKED)! Javascript und Cookies ab. Setze sie im Fehlerfall! Wann auch immer ssl/tls (https) möglich ist, aber das Zertifikat Fehler aufweiset, füge eine Ausnahme in die http-exception-Liste von noscript ein unter -> https-exclusion-list
    . Hilft alles nichts, benutze den eine eigene (anonymisierende) DNS verwendenden Tor-Browser!

    # Zertifikatsfehler: Installiere eine browser-verträgliche Version von nss und OpenSSL und füge dem Browser eine Ausnahme hinzu, z.B. für Firefox über Edit->Preferences->Advanced->Certificates->View Certificates->Servers->Add an exception

    NOTICE: ADD ONLY THE PAIRS IP-DOMAIN USED VERY OFTEN in /etc/hosts and its backup /etc/hosts-save ! #
    # ::1 #[IPv6]
    # ALL:ALL:DENY localhost
    # [Start of entries generated by MVPS HOSTS]
    # [Misc A - Z] example.com www.example.com google.de google.com r.search.yahoo.com api.smartredirect.com api.smartredirect.de www.redhat.com redhat.com nodpi.org www.nodpi.org www.dephormation.org.uk www.badphorm.co.uk www.inphormationdesk.org www.phonecallsuk.co.uk www.telefonica.de telefonica.de phonecallsuk.co.uk inphormaitondesk.org badphorm.co.uk all-systems.mcast.net fritz.box # Setze die lokale IP wieder zurück auf die Router-IP (fritz.box), wenn der Router konfiguiert werden soll !
    # online-bank1
    # online-bank2 katie.openstreetmap.org # for marble and merkaartor konqi.openstreetmap.org www.openstreetmap.de openstreetmap.de w9.geonames.org nominatim.openstreetmap.org www.geonames.org geonames.org
    # ip your_pop3_server
    212.227.17.* pop3.web.de pop3.web.de smtp.web.de
    # ip imap_server
    # ip smtp_server
    # ip your_ftp-server_1: ...
    # ip your_ftp-server_2: ...
    # ...
    # ip cloud_server: ...
    # ... www.gooken.de gooken.de gooken.safe-ws.de safe-ws.de w9.geonames.org nominatim.openstreetmap.org www.geonames.org geonames.org www.openstreetmap.de openstreetmap.de openstreetmap.org www.openstreetmap.org fritz.box katie.openstreetmap.org konqi.openstreetmap.org nominatim.openstreetmap.org
    212.227.17.* pop3.web.de pop3.web.de smtp.web.de freemail.web.de www.tagesschau.de tagesschau.de faktenfinder.tagesschau.de
    # ... # but do not add too much, as IP of IPv4 change sometimes.
    # ALL:ALL:DENY www.google.de google.de www.google.com google.com www.yahoo.com www.yahoo.de de.yahoo.com us.yahoo.com yahoo.de yahoo.com yahoo.us fastbot.de www.fastbot.de www.telefonica.de telefonica.de www.telefonica.com telefonica.com www.vodafone.de vodafone.de vodafone.com www.vodafone.com

    # advert-block*.rpm (pclos) and other adblocker tarballs/packages
    # ...

    Mozilla testet DNS-Abfragen über HTTPS in Firefox Beta, PRO LINUX, 14.09.2018
    Nachdem eine DNS-Namensauflösung über HTTPS zur Verbesserung der Privatsphäre in der Entwicklerversion von Firefox erfolgreich getestet wurde, zieht die neue Lösung in die Betaversion von Firefox ein.
    [...] Wie bisher werden alle DNS-über-HTTPS-Abfragen an einen Server von Cloudflare gestellt. Damit werden aber Informationen über die besuchten Webseiten an Cloudflare preisgegeben - auch im privaten Modus, was von einigen Benutzern kritisiert wird. Mozilla versucht die Kritik mit dem Verweis auf Datenschutzrichtlinien zu entkräften. Cloudflare hat jetzt eine explizite Datenschutzerklärung für diesen Test abgegeben.
    Mozilla arbeitet laut der Mitteilung auf einen breiteren Einsatz von DoH hin, wofür eine größere Zahl von vertrauenswürdigen DoH-Anbietern benötigt wird, die den Datenschutz beachten.

    Von Jonn Jonsen am Fr, 14. September 2018 um 17:30 #
    Mozilla driftet immer mehr ab.Zitat: Damit werden aber Informationen über die besuchten Webseiten an Cloudflare preisgegeben - auch im privaten Modus

    Das ist ein Nogo und damit macht sich der Firefox unbrauchbar!

    mehr Re: Mozilla
    Von Josef Hahn am Fr, 14. September 2018 um 17:44 #
    ... die Preisfrage ist: Wie kommt man in Zukunft (sagen wir mal in fünf Jahren) an einen brauchbaren Open Source Browser, wenn beide Browser eigentlich regelmäßig mit Verschlimmbesserungen auffallen? Oder anders gefragt: Wann ist der Zeitpunkt erreicht, an dem man beide eigentlich nicht mehr brauchen kann? Und was macht man dann stattdessen?

    Vorteile von DNS-Abfragen über HTTPS, PRO LINUX, 30.05.2018
    Patrick McManus von Mozilla erläutert, warum DNS-Abfragen über HTTPS eine bessere Alternative sind als DNS über einfache TLS-verschlüsselte Verbindungen.
    DNS over HTTPS (DoH) steht kurz vor der Standardisierung durch die Internet Engineering Task Force (IETF). Patrick McManus von Mozilla und P. Hoffman von ICANN sind die beiden treibenden Kräfte hinter diesem Protokoll. Schon im März hatte Mozilla bekannt gegeben, diesen Standard in der Entwicklerversion von Firefox testen zu wollen. Die verschlüsselte übertragung soll nicht nur zur Verbesserung der Privatsphäre beitragen, sondern auch DNS-basierte Angriffe erschweren.
    DNS über HTTPS ist ein neues Protokoll, das die Sicherheit der DNS-Abfragen verbessern soll, indem es sie über eine verschlüsselte HTTP-Verbindung sendet. Es ist nicht der erste Versuch, DNS sicher zu machen. Schon lange gibt es DNSSEC, das jedoch nur eine Verifizierung der Daten ermöglicht, keine Verschlüsselung einsetzt und auf Clients kaum verwendet wird. Eine Alternative zu DoH ist DNS over TLS (DoT), das bereits vor DoH von der DPRIVE-Arbeitsgruppe spezifiziert wurde und theoretisch einfacher ist. Denn HTTPS setzt auch TLS zur Verschlüsselung ein, ist aber darüber hinaus ein weiteres komplexes Protokoll.
    Patrick McManus schreibt nun, dass DoH auf der großartigen Vorarbeit von DoT aufbaue. Die Gemeinsamkeiten zwischen beiden Protokollen seien wichtiger als die Unterschiede und in vielen Fällen seien beide gleichermaßen geeignet. Beide verschlüsseln und authentifizieren die Kommunikation zwischen Clients und DNS-Resolvern. Einer der Vorteile von DoH ist jedoch, dass es auf die gesamte HTTP-Infrastruktur zurückgreifen kann. Beispiele sind die Content-Verteilnetzwerke, hunderte von Programmbibliotheken, Autorisierungsbibliotheken, Proxys, ausgefeilte Lastverteiler, Server für sehr hohe Datenmengen und die allgegenwärtigen Javascript-Engines, die bereits HTTP-Funktionen mitbringen und ein vernünftiges Sicherheitsmodell (CORS) enthalten. DoH ermöglicht wie HTTP außerdem das Aushandeln der Content-Typen, so dass DNS-Daten auch in Formaten wie JSON oder XML übertragen werden könnten.
    DoH hat laut McManus auch Vorteile auf der Protokollebene, da es die ganze HTTP/2-Funktionalität nutzen kann, darunter Multiplexing, Priorisierung, Flusskontrolle und einiges mehr. Wenn HTTP/2 zu QUIC weiterentwickelt wird, wird DoH auch dessen Vorteile ohne neue Standardisierung nutzen können. Unter anderem soll dann die Geschwindigkeit deutlich steigen, besonders wenn mit Paketverlusten gerechnet werden muss.
    Ein weiterer Vorteil von DoH ist, dass es in anderen HTTP-Traffic integriert werden kann, was die Anzahl der nötigen Verbindungen senkt und die Geschwindigkeit erhöht. Ein weiterer, allerdings spekulativer Vorteil ist, das DoH künftig die Möglichkeit von HTTP nutzen könnte, Push-Nachrichten zu senden. McManus sieht hier allerdings noch Fragen bezüglich der Sicherheit und der Privatsphäre zu klären, die seiner Ansicht nach schwierig sind, bevor konkrete Schritte in diese Richtung unternommen werden.

    Handshake: Alternative DNS based upon Blockchain, PRO-LINUX, handshake.org, 05.08.2018

    OKMulticast: Sometimes traffic monitors like iptraf (iptraf-ng(rosa2016.1, rosae2014.1)) monitor in the (we hope elsewhere empty field) the connection "IGMP: Router-IP ->". How can this connection get blocked?
    Ich habe es bereits geschafft eine andere verwandte Multicast Verbindung, IP, mit dem folgendem Befehl zu unterbinden:
    sudo ifconfig eth0 -multicast
    Der all-systems.mcast.net traffic ist aber weiterhin aktiv.
    Theoretisch sollte das für alle interfaces reichen:
    ip link set interface multicast off
    Der all-systems.mcast.net traffic ist aber weiterhin aktiv.
    Welcher Dienst auf deinem System nutzt denn Multicast? Im Zweifelsfall kannst du einfach Avahi oder Konsorten deinstallieren.
    Ich habe auch schon Avahi und Cups verdächtigt weswegen ich die Config Files /etc/init/cups /etc/init/cups-browsed und /etc/init/avahi-daemon.conf abgeändert habe um den Start dieser services zu unterbinden.
    Zusätzlich habe ich auch noch jeglichen Traffic über die offenen Ports welche sie verwenden, 631 tcp und 5353 tcp mit iptables und ufw geblockt.
    Trotzdem scheint all-systems.mcast.net immer wieder in diversen Packet Sniffer Tools auf. Im screenshot habe ich zB iftop verwendet.
    Ich habe auch schon versucht mit tcdump und wireshark herauszufinden was genau hinter dieser IP steckt, jedoch ohne Erfolgt.
    Hättest du vielleicht noch einen anderen Vorschlag?

    Jun 8 18:11:53 kernel: IGMP Drop: IN=eth1 OUT= SRC= DST= LEN=28 TOS=0x00 PREC=0xC0 TTL=1 ID=0 PROTO=2
    Jun 8 18:14:53 kernel: IGMP Drop: IN=eth1 OUT= SRC= DST= LEN=28 TOS=0x00 PREC=0xC0 TTL=1 ID=0 PROTO=2
    Jun 8 18:17:53 kernel: IGMP Drop: IN=eth1 OUT= SRC= DST= LEN=28 TOS=0x00 PREC=0xC0 TTL=1 ID=0 PROTO=2

    filter violation livelog
    18:11:53 ->
    18:14:53 ->
    18:17:53 ->
    How to enable or disable multicst for a NIC
    Enable Multicast for eth0:
    # ifconfig eth0 multicast
    # ifconfig eth0
    eth0 Link encap:Ethernet HWaddr 00:0C:29:F1:FF:EA
    inet addr: Bcast: Mask:
    inet6 addr: fe80::20c:29ff:fef1:ffea/64 Scope:Link
    RX packets:5339836 errors:0 dropped:0 overruns:0 frame:0
    TX packets:5486444 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:820300389 (782.2 MiB) TX bytes:1929979381 (1.7 GiB)
    Base address:0x1400 Memory:e8820000-e8840000
    Disable Multicast for eth0:
    # ifconfig eth0 -multicast
    # ifconfig eth0
    eth0 Link encap:Ethernet HWaddr 00:0C:34:FE:AB:6A
    inet addr: Bcast: Mask:
    inet6 addr: fe80::20c:29ff:fef1:ffea/64 Scope:Link
    UP BROADCAST MTU:1500 Metric:1
    RX packets:5339836 errors:0 dropped:0 overruns:0 frame:0
    TX packets:5486444 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:820300389 (782.2 MiB) TX bytes:1929979381 (1.7 GiB)
    Base address:0x1400 Memory:e8820000-e8840000
    Other useful command to test Multicast Configuration:
    Command Description
    cat /proc/net/igmp List multicast group to which the host is subscribed. Use Internet Group Management Protocol.
    cat /proc/net/dev_mcast List multicast interfaces.
    ping -L To check connectivity with another multicast address
    ping -L All hosts configured for multicast will respond with their IP addresses
    ping All routers configured for multicast will respond
    ping All PIM routers configured for multicast will respond
    ping All DVMRP routers configured for multicast will respond
    ping All OSPF routers configured for multicast will respond
    Check If Multicast enabled in the kernel or not:
    #grep -i multi /boot/config-<Kernel version>
    Configuring Map Network Interface to Send Multicast Traffic
    To Configure a NIC to send multicast network, we need to add a default route for muticast traffic , to the specific NIC. For example, Below command will allow eth0 to send multicast traffic:
    # route add -net netmask dev eth0
    And check the route settings with
    # route -n
    Kernel IP routing table
    Destination Gateway Genmask Flags Metric Ref Use Iface U 0 0 0 eth0 U 0 0 0 eth0 UG 0 0 0 eth0
    How to Verify the Mutlicast groups in our current system
    # netstat -g
    IPv6/IPv4 Group Memberships
    Interface RefCnt Group
    ————— —— ———————
    lo 1 all-systems.mcast.net
    bond0 1
    bond0 2 all-systems.mcast.net
    DOLLARSIGN cat proc/net/igmp
    Idx Device : Count Querier Group Users Timer Reporter
    1 lo : 0 V2
    010000E0 1 0:00000000 0
    2 eth0 : 2 V2
    9B9B9BEA 1 0:00000000 1
    010000E0 1 0:00000000 0
    4 eth2 : 1 V2
    010000E0 1 0:00000000 0
    5 eth3 : 1 V2
    010000E0 1 0:00000000 0
    Above output shows that eth0 interface configures with Multicast address 9B9B9BEA = ( that means - EA = 234; 9B = 155; 9B = 155; 9B = 155 ). Same information will be reflected from the file /proc/net/igmp
    Other Popular Posts
    inetd Vs xinetd in linux
    Linux Admin Reference - Configuring Auditd in RedHat Enterprise Linux
    Network Physical Connectivity Check for Solaris and Linux
    Linux Admin Reference - Network Bonding - Redhat Enterprise Linux ( RHEL5 / RHEL6)
    RHEL 6 - ISCSI Administration Series - ISCSI Lun resize
    RHEL 6 - ISCSI Administration Series - Configuring ISCSI Server and Client
    RHEL 6.3 - LDAP Series - Part 1 : Implementation of LDAP Authentication
    Linux Admin Reference - SUDO Configuration in RedHat Enterprise Linux
    Understanding Linux Hugepages
    RHEL 6 - Controlling Cache Memory / Page Cache Size
    Configuring Map Network Interface to Send Multicast Traffic
    To Configure a NIC to send multicast network, we need to add a default route for muticast traffic , to the specific NIC. For example, Below command will allow eth0 to send multicast traffic:
    # route add -net netmask dev eth0
    And check the route settings with
    # route -n
    Kernel IP routing table
    Destination Gateway Genmask Flags Metric Ref Use Iface U 0 0 0 eth0 U 0 0 0 eth0 UG 0 0 0 eth0
    route del -net netmask dev eth2
    How to Verify the Mutlicast groups in our current system
    # netstat -g
    IPv6/IPv4 Group Memberships
    Interface RefCnt Group
    ————— —— ———————
    lo 1 all-systems.mcast.net
    bond0 1
    bond0 2 all-systems.mcast.net
    DOLLARSIGN cat proc/net/igmp
    Idx Device : Count Querier Group Users Timer Reporter
    1 lo : 0 V2
    010000E0 1 0:00000000 0
    2 eth0 : 2 V2
    9B9B9BEA 1 0:00000000 1
    010000E0 1 0:00000000 0
    4 eth2 : 1 V2
    010000E0 1 0:00000000 0
    5 eth3 : 1 V2
    010000E0 1 0:00000000 0
    Above output shows that eth0 interface configures with Multicast address 9B9B9BEA = ( that means - EA = 234; 9B = 155; 9B = 155; 9B = 155 ). Same information will be reflected from the file /proc/net/igmp

    So add into /etc/rc.local:
    ifconfig eth0 -multicast
    ifconfig lo -multicast
    ifconfig lo -broadcast
    ip link set eth0 multicast off
    ip link set lo multicast off

    Summary: Security with DNS can be achieved 1000%. As already mentioned, the risks found in the man-in-the-middle-attacks and the queried remote-host-DNS itself:

    * /etc/hosts: local DNS, filled up with the example for /etc/hosts from above and
    * pdnsd: Start and (permanent) fill up of the harddisc-cache of pdnsd with pairs IP and Domain. If the remote-host-dns (IP) is entered into the section for root-server in /etc/pdnsd.conf while all other remote-DNS (section server) are commented in, next two steps with Linfw3 and TOR-Browser are not essential anymore.
    * Linfw3: Blocking of all DNS of Linfw3 (except one unrequested DNS only, otherwise Linfw3 will release all DNS). The removal of DNS( by IP) might not be essential to reach maximal security, but we removed them to go really sure.
    * Tor-Browser: Now for Domains with belonging IP not stored local in /etc/hosts and not stored in pdnsd-cache (var/cache/pdnsd/pdnsd.cache), the tor-browser (with its own anonymizing remoted hosted DNS) is used (Firefox ESR 52.9, RedHat) instead of the IP not anonymizing current browser (Firefox-ESR-52.9 (slackware14.2/slack14.2, el6, OpenSuSE, ...) - and for IP with belonging domain already local stored the current browser is used again.

    Or always use the Tor-Browser, then your IP gets in any possible case ( always ) anonymized !

    Goal (Tor) or own goal (Eigentor) ?

    OKHighend-anonymization within the net with Tor & Co, trojaner-info.de, 28.11.2018
    Wer maximale Anonymisierung im Internet wünscht, muss mehr tun, als seine Daten über Proxies und VPN-Gateways ins Netz zu leiten.
    Es gibt laut Artikel 10 des Grundgesetzes ein verfassungsrechtliches Grundrecht auf anonyme und geschützte Kommunikation, auch im Internet. Wer maximale Anonymisierung im Internet und Schutz vor Tracking wünscht, muss aber schon mehr tun, als seine Daten über Proxies ins Netz zu leiten und Anti-Tracking-Tools zu nutzen. Wer echte Tarnkappen im Internet haben möchte, setzt auf professionelle Netzwerk-Anonymisierungsdienste wie Tor, JonDon, Freenet oder I2P.

    The Tor Project, Inc - Wikipedia
    History. The Tor Project was founded by computer scientists Roger Dingledine, Nick Mathewson and five others in December 2006. The Electronic Frontier Foundation (EFF) acted as The Tor Project's fiscal sponsor in its early years, and early financial supporters of The Tor Project included the U.S. International Broadcasting Bureau, Internews, Human Rights Watch, the University of Cambridge ...
    Tor is free software for enabling anonymous communication.The name is derived from an acronym for the original software project name "The Onion Router". Tor directs Internet traffic through a free, worldwide, volunteer overlay network consisting of more than seven thousand relays to conceal a user´s location and usage from anyone conducting network surveillance or traffic analysis.
    The Tor Project is a US 501(c)(3) non-profit organization advancing human rights and freedoms by creating and deploying free and open source anonymity and privacy technologies, supporting their unrestricted availability and use, and furthering their scientific and popular understanding.
    No one´s personal information should be up for grabs. Advertising is a billion-dollar industry in the US, and it´s easier than ever for your information to be collected and exploited by ad companies and other corporations. Almost half of all websites -- and a whopping 99% of popular news sites ...

    Tor is a network for the anonymization of connection data. It can be used for TCP-connecitons and in the web for browsing, Instant Messaging, IRC, SSH, E-Mail or P2P.
    Tor protects its user from traffci data analyzings. It is based upon the idea of Onion-Routing.
    Die ersten Ideen für Tor stammen aus dem Jahr 2000. Zwei Jahre später wurde die Arbeit an Tor durch Matej Pfajfar an der Universität Cambridge begonnen. Darauf folgte am 20. September 2002 die Veröffentlichung der ersten Alpha-Version.
    In der Anfangszeit von 2001 bis 2006 wurde Tor durch das United States Naval Research Laboratory mit Unterstützung des Office of Naval Research (ONR) und der Defense Advanced Research Projects Agency (DARPA),[6] vertreten durch Paul Syverson, unterstützt. Die weitere Entwicklung wurde vom Freehaven-Projekt unterstützt. Die Electronic Frontier Foundation (EFF) unterstützte die Entwicklung von Tor zwischen dem letzten Quartal 2004 bis ins späte Jahr 2005 hinein.
    Im Dezember 2006 gründeten Dingledine, Mathewson und andere das Tor-Projekt, die The Tor Project, Inc, eine Non-Profit-Organisation für Forschung und Bildung, verantwortlich für die Aufrechterhaltung von Tor.
    Im März 2011 wurde das Tor-Projekt von der Free Software Foundation mit dem Preis für gesellschaftlichen Nutzen (engl. "social benefit") ausgezeichnet. Als Grund wurde angegeben, dass Tor weltweit ca. 36 Millionen Menschen unzensierten Zugang zum Internet mit der Kontrolle über Privatsphäre und Anonymität ermögliche. Tor habe sich als sehr wichtig für die Oppositionsbewegungen im Iran und in Ägypten erwiesen.
    Im Jahr 2011 finanzierte sich das Projekt zu etwa 60 % aus Zuwendungen der US-Regierung und zu 40 % aus privaten Spenden.
    Im Juni 2014 machte der Fall des Erlanger Studenten Sebastian Hahn eine größere Öffentlichkeit und insbesondere den gerade tagenden NSA-Untersuchungsausschuss darauf aufmerksam, dass die NSA neben der Bundeskanzlerin auch den Betreiber eines Tor-Knotens überwacht.
    Seit Ende Oktober 2014 ist Facebook über eine eigene Adresse im Tor-Netzwerk erreichbar (https://facebookcorewwwi.onion/), um damit den Zugang für Menschen zu erleichtern, in deren Ländern der Zugang zu Facebook durch Zensur erschwert wird.[12][13] DigiCert hat für Facebook eines der ersten TLS-Zertifikate für eine .onion-Adresse ausgestellt.
    Die bisherige Tor-Führungsspitze, der Verwaltungsrat, hat im Juli 2016 sechs neue Mitglieder gewählt und ist gleichzeitig selbst zurückgetreten. Zu den zurückgetretenen zählen auch die Projekt-Mitgründer Roger Dingledine und Nick Matthewson, die jedoch weiterhin die technische Entwicklung des Dienstes leiten. Zum neuen Aufsichtsgremium gehören unter anderem der prominente Kryptologe Bruce Schneier und die Leiterin der Electronic Frontier Foundation, Cindy Cohn.

    What is Tor? A beginner´s guide to the privacy tool ...
    Use of Tor has increased since the revelations about NSA surveillance. Photograph: Alex Milan Tracy/NurPhoto/Corbis Who uses Tor? The Tor project team say its users fall into four main groups ...

    Review: Tor Browser Bundle lets you browse in anonymity
    If you want to beef up and anonymize your Internet browsing experience as well, Tor Browser Bundle (free) is the way to go. The Tor network provides a way to browse anonymously. Tor´s Vidalia ...

    Erneuerbare Freiheit - Projekt Tor
    Tor: Für Anonymität, gegen Zensur
    In der Allgemeinen Erklärung der Menschenrechte heißt es in Artikel 19: "Jeder hat das Recht auf Meinungsfreiheit und freie Meinungsäußerung; dieses Recht schließt die Freiheit ein, Meinungen ungehindert anzuhängen sowie über Medien jeder Art und ohne Rücksicht auf Grenzen Informationen und Gedankengut zu suchen, zu empfangen und zu verbreiten."
    Dieses Recht gilt universell. Es ist ganz explizit nicht beschränkt auf bestimmte Bevölkerungsgruppen, auf eine bestimmte Art der Kommunikation, oder physischen oder anderen Grenzen unterworfen.
    [...] Im Juni 2016 hat der Menschenrechtsrat der Vereinten Nationen in einer Resolution über The promotion, protection and enjoyment of human rights on the Internet erneut auf diese Universalität hingewiesen. Er zeigt sich in dieser Resolution tief besorgt darüber, dass dieses Recht weiterhin mit großer Regelmäßigkeit verletzt wird Personen, die sich dafür einsetzen, oft mit aller Macht eingeschüchtert und verfolgt werden. Der Menschenrechtsrat bekräftig daher in seiner Resolution, dass die Rechte, die für Menschen "offline" gelten, auch "online" geschützt und durchgesetzt werden müssen.
    In diesem Sinne fördern wir Technologien, die Menschenrechte respektieren und fördern - immer und überall. Tor gehört für uns dabei zu den wichtigsten Technologien in diesem Bereich, und wir würdigen dies in unserer Unterstützung entsprechend.
    Tor bietet einen zensurresistenten und sicheren Zugang zum Internet, und ermöglicht es so Hunderttausenden von Menschen in autoritären Regimen, auf freie Medien und Informationen zuzugreifen. Ebenso hilft es Journalisten, Bloggern, Whistleblowern und insbesondere Menschenrechtsaktivisten dabei, sich ohne Furcht vor Repressionen, vor Freiheitsentzug oder Schlimmerem, miteinander zu vernetzen und auszutauschen. Aus diesem Grund wird Tor auch von Organisationen wie Reporter ohne Grenzen, Amnesty International oder Human Rights Watch empfohlen.
    Tor ist freie und offene Software, und ermöglicht so jedem die kostenlose und sichere Nutzung. Zugleich garantiert der offene Quellcode, dass die Funktionen von Tor auch unabhängig überprüft werden können. Viele andere Tools bieten dies gerade nicht.

    Turn Your Raspberry Pi into a Tor Relay Node
    [...] The Tor project attempts to provide a solution to this problem by making it impossible (or, at least, unreasonably difficult) to trace the endpoints of your IP session. Tor achieves this by bouncing your connection through a chain of anonymizing relays, consisting of an entry node, relay node, and exit node:

    The entry node only knows your IP address, and the IP address of the relay node, but not the final destination of the request;

    The relay node only knows the IP address of the entry node and the IP address of the exit node, and neither the origin nor the final destination

    The exit node only knows the IP address of the relay node and the final destination of the request; it is also the only node that can decrypt the traffic before sending it over to its final destination

    Relay nodes play a crucial role in this exchange because they create a cryptographic barrier between the source of the request and the destination. Even if exit nodes are controlled by adversaries intent on stealing your data, they will not be able to know the source of the request without controlling the entire Tor relay chain.

    As long as there are plenty of relay nodes, your privacy when using the Tor network remains protected -- which is why I heartily recommend that you set up and run a relay node if you have some home bandwidth to spare. https://www.linux.com/blog/intro-to-linux/2018/6/turn-your-raspberry-pi-tor-relay-node

    Raspberry Pi als Tor Node betreiben - Gefahren von Tor Sniffing
    Wir editieren nun die Tor Konfiguration um unseren Exit Node zu erstellen. Fügt die untern aufgeführten Zeilen ans Ende der Datei an, eventuell müsst ihr die IP ...

    Raspberry PI als TOR Relay Knoten, Tobias Hardes
    Raspberry PI als TOR Relay Knoten Das TOR-Netzwerk (TOR kurz für The Onion Routing) ist ein Netzwerk für die Anonymisierung von Verbindungsdaten des Internetnutzers. Damit das Netzwerk funktioniert, erfordert dies viele Teilnehmer, die eigenen...

    Raspberry Pi as TOR Middle Relay, Blogger
    Raspberry Pi as TOR Middle Relay The onion Router - Tor is a service that helps you to protect your anonymity while using the Internet. The goal of the Tor project is to provide a censorship-resistant & safer access to the Internet.

    How to: Use Tor | Surveillance Self-Defense
    Tor is a volunteer-run service that provides both privacy and anonymity online by masking, who you are and where you are connecting. The service also protects you from the Tor network itself—you can have good assurance, that you´ll remain anonymous to other Tor users. For people who might need ...

    TOR Project - Anonymity Online - cccure.training
    Tor protects you by bouncing your communications around a distributed network of relays run by volunteers all around the world: It prevents somebody watching your Internet connection from learning, what sites you visit, and it prevents the sites you visit from learning your physical location. Tor was ...

    Support the Tor Project Today!
    Donate to the Tor Project today! Take a stand against surveillance and censorship. Protect activists worldwide.

    .onion - Dark Web and Deep Web
    .onion is a special-use top level domain suffix designating an anonymous hidden service reachable via the Tor network. Such addresses are not actual DNS names, and the.onion TLD is not in the Internet DNS root, but with the appropriate proxy software installed, Internet programs such as web browsers can access sites with.onion addresses by sending the request through the network of Tor servers. More at "Wikipedia"

    Tor Project | Privacy Online
    The Tor Project´s free software protects your privacy online. Site blocked? Email [mailto:gettor@torproject.org] for help downloading Tor Browser.

    Tor-Relays Info-Page
    This mailing list is for support and questions about running Tor relays (entry, middle, non-exit, exit, bridge). To see the collection of prior postings to the list, visit the tor-relays Archives.

    How can we help? | Tor Project | Support
    Tor Browser can certainly help people access your website in places where it is blocked. Most of the time, simply downloading the Tor Browser and then using it to navigate to the blocked site will allow access.

    Troubleshooting - Tor Browser User Manual
    If Tor Browser doesn´t connect, there may be a simple solution. Try each of the following:

    Tor Project download | SourceForge.net
    Download Tor Project for free. Tor Bundle Brower and Tails are projects from TorProject.org. Tor is free software and an open network that helps you defend against traffic analysis, a form of network surveillance that threatens personal freedom and privacy, confidential business activities and relationships, and state security.

    Packets to download and to install from fr2.rpmfind.net and torproject.org:
    - tor (el6)
    - torsocks (el6)
    - torbrowser (torproject.org)

    eventually also install:
    - vidalia (el6) - Vidalia is a cross-platform controller GUI for Tor, built using the Qt framework. Vidalia runs on any platform supported by Qt 4.1, including Windows, Mac OS X, and Linux or other Unix variants using the X11 window system. Vidalia allows you to start and stop Tor, view the status of Tor at a glance, and monitor Tor's bandwidth usage. Vidalia also makes it easy to contribute to the Tor network by helping you setup a Tor server, if you wish.
    - polipo (mdv2012) - Polipo is a lightweight caching web proxy that was designed as a personal cache. It is able to cache incomplete objects and will complete them using range requests. It will use HTTP/1.1 pipelining if supported by the remote server.

    Install the packages (rpm -i --force paket_name) and enpack torbrowser (Tarball) with file-roller or manual by terminal into /home/toruser1/

    Start Tor (and the tor-Browser)
    su toruser1 && sg torgroup "sh /home/toruser1/tor-browser_en-US/Browser/start-tor-browser"

    I consider the TOR project quite important. But, since typical internet users are urged to use the TOR network in order to browse the internet, the involved risks have to be explained in detail, g-loaded.eu, 04.02.2011

    How can I stay anonymous with TOR?, lifehacker.com
    1. Don´t use Windows. Just don´t. This also means don´t use the Tor Browser Bundle on Windows. Vulnerabilities in the software in TBB figure prominently in both the NSA slides and FBI´s recent takedown of Freedom Hosting.
    2. If you can´t construct your own workstation capable of running Linux and carefully configured to run the latest available versions of Tor, a proxy such as Privoxy, and a web browser (with all outgoing clearnet access firewalled), consider using Tails or Whonix instead, where most of this work is done for you. It´s absolutely critical that outgoing access be firewalled so that third party applications cannot accidentally leak data about your location.
    3. If you are using persistent storage of any kind, ensure that it is encrypted. Current versions of LUKS are reasonably safe, and major Linux distributions will offer to set it up for you during their installation. TrueCrypt might be safe, though it´s not nearly as well integrated into the OS. BitLocker might be safe as well, though you still shouldn´t be running Windows. Even if you are in a country where rubber hosing is legal, such as the UK, encrypting your data protects you from a variety of other threats.
    4. Remember that your computer must be kept up to date. Whether you use Tails or build your own workstation from scratch or with Whonix, update frequently to ensure you are protected from the latest security vulnerabilities. Ideally you should update each time you begin a session, or at least daily. Tails will notify you at startup if an update is available.
    5. Be very reluctant to compromise on JavaScript, Flash and Java. Disable them all by default. If a site requires any of these, visit somewhere else. Enable scripting only as a last resort, only temporarily, and only to the minimum extent necessary to gain functionality of a web site that you have no alternative for.
    6. Viciously drop cookies and local data that sites send you. Neither TBB nor Tails do this well enough for my tastes; consider using an addon such as Self-Destructing Cookies to keep your cookies to a minimum. Of zero. 7. Your workstation must be a laptop; it must be portable enough to be carried with you and quickly disposed of or destroyed.
    8 Don´t use Google to search the internet. A good alternative is Startpage; this is the default search engine for TBB, Tails, and Whonix. Plus it won´t call you malicious or ask you to fill out CAPTCHAs.
    Your Environment
    Tor contains weaknesses which can only be mitigated through actions in the physical world. An attacker who can view both your local Internet connection, and the connection of the site you are visiting, can use statistical analysis to correlate them.
    1. Never use Tor from home, or near home. Never work on anything sensitive enough to require Tor from home, even if you remain offline. Computers have a funny habit of liking to be connected. This also applies to anywhere you are staying temporarily, such as a hotel. Never performing these activities at home helps to ensure that they cannot be tied to those locations. (Note that this applies to people facing advanced persistent threats. Running Tor from home is reasonable and useful for others, especially people who aren't doing anything themselves but wish to help by running an exit node, relay, or bridge.
    2. Limit the amount of time you spend using Tor at any single location. While these correlation attacks do take some time, they can in theory be completed in as little as a day. And while the jackboots are very unlikely to show up the same day you fire up Tor at Starbucks, they might show up the next day. I recommend for the truly concerned to never use Tor more than 24 hours at any single physical location; after that, consider it burned and go elsewhere. This will help you even if the jackboots show up six months later; it's much easier to remember a regular customer than someone who showed up one day and never came back. This does mean you will have to travel farther afield, especially if you don't live in a large city, but it will help to preserve your ability to travel freely.
    3. When you go out to perform these activities, leave your cell phone turned on and at home.

    Links about TOR (TOR-Project with TOR-Browser) in german language only

    Letztlich lebt das Tor-Netz vor allem davon, dass jeder als Freiwilliger durch den Betrieb verschiedener Arten von Nodes das offene Netz stärken kann—und dass es einige Unermüdliche gibt, die das Netz mit ihrem Einsatz sicherer machen. Sie erinnern uns daran, dass der Schutz der Privatsphäre auch im Internet ein Grundrecht ist, dass der Kampf gegen die NSA technisch noch nicht verloren ist, und dass die Utopie eines dezentralen Internets trotz Kommerzialisierung und Datensammelwut großer Firmen noch nicht ganz ausgeträumt ist.
    [...] Die durch Tor unterstützte Anonymität darf dabei nicht missverstanden werden. Es geht nicht darum, dass man "anonym" bleibt—die Anonymität bezieht sich auf den Kommunikationsweg: Wenn ich z.B. Facebook mit meinem Realnamen nutze, macht Tor dennoch Sinn, da so mein Provider und alle, die massenweise überwachen, nicht mitbekommen, dass ich überhaupt Facebook nutze. Und Facebook bekommt nicht mit, wo ich mich gerade befinde—etwas, das ich ihnen höchstens freiwillig mitteilen will. Das heute so populäre Tracking läuft so ins Leere.

    So funktioniert Tor, ein Beispiel: Ein Anwender möchte die Seite tecchannel.de anonym aufrufen. Benutzt er das TOR-Netzwerk, bekommt der Nutzer zunächst eine Liste mit allen verfügbaren TOR-Servern. Danach nimmt der installierte Client Kontakt zu einem zufälligen TOR-Server auf. Dieser Server kontaktiert nun einen zufälligen zweiten Server, welcher einen dritten in den Verbund mit aufnimmt. Über Server Nummer drei verlässt der Anwender das TOR-Netzwerk und wird auf die entsprechende Seite weitergeleitet. Somit würde in der Log-Datei von tecchannel.de die IP-Adresse des dritten Servers auftauchen.
    The Onion Router: So funktioniert der dezentrale Anonymisier-Dienst. (Quelle: EFF.org)
    Die einzelnen TOR-Server selbst kennen nur die Vorgänger und die Nachfolger. Server Nummer drei hat also keine Ahnung, wo sich Server Nummer eins befindet oder was dessen IP-Adresse ist. Wer der Anwender ist, weiß nur TOR-Server Nummer eins. TOR verwendet immer drei Server. Somit will man die Antwortzeiten so gering wie möglich halten und trotzdem eine möglichst hohe Anonymität schaffen. Die TOR-Server wiederum können überall auf der Welt stehen. Die Software ist so ausgelegt, dass jeder mit wenigen Schritten auch als TOR-Server auftreten kann. Somit sind alle in der Lage, der Schnüffelei entgegenzuwirken.

    Entry Guards (Entry Relays, Entry Nodes, Guards, Guard Nodes oder auch Tor-Eingangsknoten)
    Tor kann, wie alle Echtzeitanonymisierungsdienste, keinen ausreichenden Schutz gegen Angreifer bieten, die den ersten und den letzten Knoten einer Verbindung kontrollieren. Dies ist unabhängig davon, wie viele Knoten dazwischen liegen. Der Angreifer kann hier allein über Paketanzahl und zeitliche Abfolge von Paketen einen Zusammenhang - auch über die Zwischenknoten hinweg - herstellen und hätte somit die Verbindung zwischen Sender und Empfänger aufgedeckt. Da Tor-Routen kurzlebig sind und regelmäßig neu ausgewählt werden, geht die Wahrscheinlichkeit, dass so zumindest eine der vom Tor-Client aufgebauten Routen durch einen Angreifer aufdeckbar wäre, für jeden Tor-Nutzer auf Dauer gegen 100 %. Insbesondere Nutzer, die Tor regelmäßig zum Schutz einer immer gleichen Kommunikationsbeziehung nutzen, würden bezüglich dieser früher oder später nahezu sicher deanonymisiert. Verschärfend kommt hinzu, dass der Angreifer eine Route boykottieren kann, wenn er mindestens einen beliebigen Knoten in ihr kontrolliert. Auf diese Weise kann er auf allen Routen eine Neuauswahl der Knoten erzwingen, bei denen er beteiligt ist, aber nicht die zur Deanonymisierung nötige Kontrolle über den Start- und Endknoten hat. Somit müssen zusätzliche Routen aufgebaut werden, und damit steigt die Wahrscheinlichkeit einer für den Angreifer günstigen Route an.
    Deshalb werden bei Tor, dem Standardmodell des Onion-Routings widersprechend, die ersten Knoten der Routen vom Client nicht dynamisch gewählt, sondern es werden für alle aufgebauten Routen dieselben Einstiegsknoten verwendet, sogenannte Entry Guards. Der Client wählt dazu aus einer Liste mit Entry Guards zufällig eine kleine Menge (standardmäßig drei) aus und verwendet diese anschließend über mehrere Wochen und Sitzungen hinweg als erste Knoten auf allen aufgebauten Routen. Lediglich bei Ausfall dieser Knoten wird eine ggf. vorübergehende Ersatzauswahl getroffen. Entry Guards können dabei nur Knoten werden, die bereits längere Zeit laufen, über diese Zeit eine hohe Verfügbarkeit aufwiesen und eine überdurchschnittliche Übertragungskapazität haben.
    Auf diese Weise kann weitgehend ausgeschlossen werden, dass auf Dauer jeder Nutzer nahezu zwangsläufig eine für einen Angreifer deanonymisierbare Route aufbaut. Sollte der Nutzer nämlich keine der durch einen Angreifer kontrollierten Entry Guards gewählt haben, kann er auf obigem Weg überhaupt nicht deanonymisiert werden, da der erste Knoten der Routen dann stets außerhalb der Kontrolle des Angreifers ist. Liegen die gewählten Entry Guards des Nutzers dagegen unter der Kontrolle des Angreifers, so ist die Wahrscheinlichkeit einer Deanonymisierung erhöht, bzw. diese geschieht entsprechend häufiger, weil der Eingangsknoten dann sicher vom Angreifer kontrolliert wird und die Sicherheit der Route nur noch von der Wahl des Ausgangsknotens abhängt. Außerdem wird auf diese Weise das Risiko gesenkt, dass ein Angreifer eine Liste sämtlicher Tor-Nutzer erstellen kann. Da die Nutzer sich stets mit denselben Eingangsknoten verbinden, werden die vom Angreifer kontrollierten Entry Guards immer nur von derselben Gruppe Nutzer kontaktiert, während alle anderen Tor-Nutzer stets bei ihren Eingangsknoten außerhalb des Einflussbereiches des Angreifers bleiben.

    Middle Nodes (Middle Relays, Tor-Mittelknoten)

    Exit Nodes (Exit Relays, Tor-Ausgangsknoten)
    Ein neuralgischer Punkt des Tor-Netzwerks sind die sogenannten Exit Nodes: Je mehr es davon gibt, um so schwerer ist es auch, das Deepweb zu überwachen: Exit Nodes sind der Endpunkt einer langen Verschlüsselungskette, die dafür sorgt, dass das Tor-Netzwerk noch immer ein relativ anonymes Surfen erlaubt, das von Geheimdiensten und vor allem von kommerziellen Big-Data-Firmen nur schwer überwacht werden kann.
    Zwar ist das Betreiben eines Exit Nodes mit besonderen Risiken verbunden, weil die IP eines solchen Servers stets sichtbar ist. Trotzdem wurde in Deutschland noch nie ein solcher Betreiber rechtskräftig verurteilt. Je mehr Menschen Tor-Server betreiben, desto schneller und vor allem sicherer wird das Netz. Und je mehr Nutzer es gibt, desto geringer die Wahrscheinlichkeit, identifiziert zu werden.
    Deutschland spielt dabei im Tor-Netzwerk eine wichtige Rolle. So liefen noch vor einigen Jahren rund 80% des Tor-Ausgangstraffics nur über die Server des Augsburgers Moritz Bartl. Die Arbeit deutscher Tor-Aktivisten wird dabei auch durch die relativ überwachungskritische deutsche Gesetzgebung erleichtert.
    [...] Dabei sind wir auf Exit Relays spezialisiert, weil die selbst mit dem nötigen technischen Know-How nicht von jedem selbst betrieben werden wollen. Im Jahr 2011 wurde daraus der erste gemeinnützige Tor-Verein Zwiebelfreunde e.V., inzwischen sind 13 Organisationen in 10 Ländern dabei. Wir sammeln Spenden und teilen sie dann unter den teilnehmenden Organisationen auf.

    Eine Telefonnummer anzugeben ist nach deutschem Recht erforderlich. Dies ist jedoch keine Support-Hotline!

    Zwiebelfreunde e.V.
    c/o DID Dresdner Institut für Datenschutz
    Palaisplatz 3
    D-01097 Dresden
    Fax. +49-(0)-911-30 844 667 48
    Tel. +49-(0)-351-212 960 18

    Amtsgericht Dresden, VR 5388. Vertretungsberechtiger Vorstand: Moritz Bartl, Juris Vetra, Jens Kubieziel. Satzung.


    "Nicht alle Verbindungen, über die die Datenpakete transportiert werden, sind verschlüsselt, sondern nur die zwischen den Routern
    Und hier ist auch schon der Haken an der Sache: Vom Client bis zum Ausgangsknoten ist der Tor-Verkehr zwar verschlüsselt, ab dann hängt es aber vom Browser ab, ob eine SSL/TLS-Verbindung aufgebaut wird.
    Der Datenverkehr wird also nicht mehr auf der kürzesten Internet-Route transportiert, sondern über das Tor-Netz. Wenn sich nun ein Tor-Ausgangsknoten unter der Kontrolle einer staatlichen Stelle befindet, kann diese den kompletten Verkehr mitschneiden.
    Knoten unter staatlicher Überwachung?
    Gerüchten aus dem Umfeld der Telekommunikationsüberwachung ("Lawful Interception") zufolge sollen 50 Prozent der Tor-Ausgangsknoten unter der Kontrolle staatlicher Organe sein, die den darübergeleiteten Verkehr mitschneiden. Datenschutzkonforme Maßnahmen sind in diesem Zusammenhang wohl nicht zu erwarten. Auch können Kriminelle solche Tor-Ausgangsknoten betreiben und dort versuchen, Kreditkarteninformationen oder Bitcoins abzufischen. Da es viele Tor-Ausgangsknoten gibt, muss jemand, der ein Interesse an den Informationen hat, auch eine Vielzahl von ihnen überwachen - oder noch einfacher die Knoten selbst betreiben. Private oder vertrauliche Informationen sollte man via Tor keinesfalls übertragen.
    Neben der Liste der Knoten, die der Client über den Directory Server herunterladen kann, bietet Tor noch die Funktion einer dynamischen Bridge (Middle Node). Manche Staaten, die den Internetgebrauch zensieren, können über den Directory Server sehr schnell eine Filterliste erstellen und somit das Benutzen des Anonymisierungsnetzwerks verhindern. Die Bridge-Funktion soll es ermöglichen, den Tor-Client so zu konfigurieren, dass er als Bindeglied zwischen dem blockierten Nutzer und dem Tor-Netzwerk fungieren und Ersterem den Zugang zum Anonymisierungsnetzwerk verschaffen kann. Mittels Deep Packet Inspection (DPI) sind jedoch staatliche Stellen in der Lage, selbst diese dynamischen Bridges in wenigen Minuten zu finden. Ein Bot prüft dann, ob der Internetrechner das Tor-Protokoll spricht, und blockiert auch diesen Server.
    Ein weiterer sicherheitsrelevanter Aspekt ist, dass Tor den Browser nicht vor Angriffen schützt. Mit speziellen Remote-Forensic-Tools kann man gezielt den Tor-Browser infizieren und das Verhalten des Nutzers inklusive seiner echten IP-Adresse mitlesen. In der Praxis ist genau das passiert und die mitgeschnittenen Daten wurden anonym an staatliche Stellen übermittelt. Diese können mit solchen Werkzeugen zwar Kriminelle aushorchen, die das Tor-Netzwerk missbrauchen, allerdings ist die Anonymität der nicht kriminellen Nutzer ebenfalls bedroht.

    Rückschlüsse auf den Nutzer
    Eine Studie [1] von Forschern der Georgetown University (Washington, D. C.) zeigt: Wenn ein Angreifer Zugriff auf entsprechende autonome Systeme und Internet-Austauschknoten hat, kann er mit einer Wahrscheinlichkeit von 95 Prozent die Tor-Benutzer deanonymisieren. Auch kann Tor die Signatur eines Browsers nicht verbergen. Wenn ein Benutzer ein paar Toolbars und Erweiterungen installiert, kann man ihn selbst ohne IP-Adresse anhand seiner Browser-Signatur erkennen.
    Wenn sich beispielsweise ein Benutzer via Tor Inhalte beschafft, die in der Amazon-Cloud gehostet sind, und anschließend mit demselben Browser nicht über das Anonymisierungsnetzwerk auf Amazon zugreift, kann man anhand seiner Signatur auf ihn schließen. Selbst der empfohlene Tor-Browser mit Sicherheitserweiterungen liefert beim Test "Panopticlick" der Electronic Frontier Foundation (EFF), der über die Rückverfolgbarkeit von Browser-Signaturen Aufschluss gibt, ein schlechtes Ergebnis (Abb. 3). Er hinterlässt noch immer 12,84 Bit, die zur Identifizierung des Benutzers führen können.

    Wer annimmt, dass man nach dem Installieren eines Tor-Clients im Internet anonym unterwegs sein kann, irrt sich. Tor verbirgt nur bedingt die IP-Absenderadresse auf IP-Ebene. Weder die Applikation noch die Browser-Signatur werden geschützt. Verschlüsselt wird nur innerhalb des Tor-Netzes, nicht zwingend an den Ausgangsknoten. Wer dort die Daten mitliest und wer die Exit Nodes betreibt, ist unbekannt. Tor-Nutzer sollten sich darüber keine Illusionen machen. (ur)
    Studie "Users Get Routed: Traffic Correlation on Tor by Realistic Adversaries"; www.ohmygodel.com/publications/usersrouted-ccs13.pdf

    Die Ultraschall-Töne sind sogar unbemerkt in Fernseh- und Radioprogramme, Audio- und Videodateien sowie Streamingangebote integrierbar. Auf diese Weise ist es zum Beispiel möglich festzustellen, dass ein Computer, Tablet oder Fernseher, auf dem gerade eine Serie gestreamt oder eine Audionachricht abgehört wird, der gleichen Person gehört wie das Smartphone, das das versteckte Signal empfängt.
    Der Internet-Sicherheitspezialist Vasilios Mavroudis bewies sogar, dass auch Webseiten so manipuliert werden, dass sie beim Aufrufen uXTD-Signale aussenden. Selbst Verschlüsselungen oder die Nutzung von Proxy- oder TOR-Servern garantieren dann keine Anonymisierung mehr.

    Sicherheitslücke: Tor-Browser enttarnt Nutzer-IP, PC-WELT.de, 06.11.2017
    Eine Lücke im Tor-Browser für Mac und Linux gibt unter bestimmten Umständen die Nutzer-IP preis. Ein vorläufiger Hotfix löst das Problem teilweise.
    Ende Oktober entdeckte Filippo Cavallarin vom Sicherheitsunternehmen We Are Segment eine Sicherheitslücke im Tor-Browser für Linux und Mac OS. Die TorMoil getaufte Schwachstelle öffnet Links, die mit "file://" beginnen, am Tor-Browser vorbei. Bei diesem Versuch kann die IP-Adresse des Tor-Nutzers mit übertragen werden - die vom Tor-Browser versprochene Anonymität wird somit ausgehebelt. Wie die Sicherheitsexperten von We Are Segment erklären, liegt die Schwachstelle im Umgang des Browsers Firefox mit Links begründet. Windows-, sowie Tail- und Sandbox-Nutzer sind von der Sicherheitslücke nicht betroffen.
    Die Tor-Entwickler haben noch vor dem Wochenende einen Hotfix für den Tor-Browser erarbeitet. Der Tor-Browser für Mac und Linux steht auf torproject.org in Version 7.0.9 zum Download bereit. Wer den Tor-Browser für Linux oder Mac OS sowie Tor-Software aus dem Alpha-Zweig nutzt, sollte die neue Version umgehend installieren. Noch heute soll eine überarbeitete Alpha-Version für Linux und Mac OS folgen. Der Hotfix in der neuen Browser-Version schließt zwar die Sicherheitslücke, bringt jedoch eine Einschränkung mit. Das Klicken auf "file://"-Links funktioniert hier nicht mehr. Nutzer können Links stattdessen einfach in die Adressleiste ziehen, um dieses Problem zu umgehen.

    Tor-Projekt stellt nächste Protokollgeneration vor, PRO-LINUX, 03.11.2017
    Das Tor-Projekt arbeitet seit vier Jahren daran, das in die Jahre gekommene Protokoll zu erneuern. Jetzt stehen die Spezifikation sowie eine erste Alphaversion der neuen Protokollgeneration bereit.
    Tor ist ein Anonymisierungs-Netzwerk, das das sogenannte Onion-Routing verwendet, um den Anwendern den größtmöglichen Schutz vor überwachung und Traffic-Analyse zu bieten. In diesem Netz können verschiedene Dienste betrieben werden, es kann aber auch genutzt werden, um normale Webseiten anonym zu erreichen. Speziell für das Web hat das Projekt den Tor-Browser entwickelt, eine modifizierte Version von Firefox.
    Schon vor viereinhalb Jahren wurde klar, dass das Tor-Protokoll aktualisiert werden muss. Einige der damals nach mehrjährigem Betrieb erkannten Mängel waren die mangelnde Skalierbarkeit der verborgenen Dienste, die auch in einer Anfälligkeit gegen Denial-of-Service-Angriffe resultierte, generell langsame Geschwindigkeit, Angriffe durch verborgene feindselige Verzeichnis-Server, wie sie von den Geheimdiensten zweifellos in großer Menge betrieben werden, und das inzwischen als zu schwach geltende RSA-Verschlüsselungsverfahren mit 1024 Bit.
    Das Tor-Projekt begann bereits kurz darauf, eine neue Generation des Protokolls auszuarbeiten. Diese Arbeit resultierte in der Freigabe einer Alphaversion vor kurzer Zeit. Jetzt steht auch eine Spezifikation des neuen Protokolls zur Verfügung. Die neue Version enthält zumindest bereits den Kern der Spezifikation und verbessert unter anderem die Verschlüsselung. Das neue Protokoll, dessen Versionsnummer 3 ist, ist auch zukunftssicherer, da es erweiterbar ist.
    Statt SHA1, Diffie-Hellman und RSA mit 1024 Bit kommen in der neuen Version SHA3, ed25519 und curve25519 zum Einsatz. Die Onion-Adressen sind dadurch notwendigerweise länger geworden und bestehen nun aus 56 zufällig erzeugten Zeichen. Das neue Protokoll kann in der aktuellen Alphaversion des Tor-Browsers verwendet werden. Laut der Ankündigung ist die Alphaversion erst der Anfang. Es sind noch Funktionen wie Offline-Schlüssel für Dienste, verbesserte Client-Autorisierung, eine Steuerungs-Schnittstelle, verbesserte Wächter-Algorithmen, sichere Namensdienste, Statistiken, Routing mit gemischter Latenz, Unterstützung von Blockchains, Künstliche Intelligenz und eine Schnittstelle für Virtuelle Realität geplant. Die Entwickler wollen jedoch nichts überstürzen.
    Das alte Protokoll wird noch längere Zeit erhalten bleiben und wird zunächst auch noch die Standardversion bleiben, bis die neue Version besser ausgereift ist. Details zur Nutzung der neuen Generation des Protokolls können im Projekt-Wiki nachgelesen werden.

    Darknet-Browser Tor is ready for Android: You can surf complete anonymously with your handy, CHIP, 27.05.2019
    The Tor-Browser is rated as a symbol for anonymes surfing in the internet and the easiest way into the Darknet. Now a ready version of the browser was provided in the Google Play Store. We show you, howto surf with this browser by upon your Android smartphone over the Tor-network.

    Tor-Browser mit neuem Update: Anonym surfen mit Windows, macOS, Android und iOS, CHIP, 27.09.2017
    Wer im Internet surft, ist Freiwild. Von allen Seiten wird Ihr Browser angezapft: sei es von der Werbeindustrie, von Dienstanbietern, Geheimdiensten und Hackern. Das Tor-Netzwerk ist zwar in den letzten Jahren etwas in Verruf geraten, bietet aber immer noch mehr Anonymität als alle anderen Maßnahmen. Außerdem kommen Sie über den Tor-Browser in das sonst geheime Darknet.

    Want Tor really work?, torproject.org, noticed by Gooken on 02.01.2017
    You need to change some of your habits, as some things won´t work exactly as you are used to.

    Use Tor Browser
    Tor does not protect all of your computer´s Internet traffic when you run it. Tor only protects your applications that are properly configured to send their Internet traffic through Tor. To avoid problems with Tor configuration, we strongly recommend you use the Tor Browser. It is pre-configured to protect your privacy and anonymity on the web as long as you´re browsing with Tor Browser itself. Almost any other web browser configuration is likely to be unsafe to use with Tor.
    Don´t torrent over Tor
    Torrent file-sharing applications have been observed to ignore proxy settings and make direct connections even when they are told to use Tor. Even if your torrent application connects only through Tor, you will often send out your real IP address in the tracker GET request, because that´s how torrents work. Not only do you deanonymize your torrent traffic and your other simultaneous Tor web traffic this way, you also slow down the entire Tor network for everyone else.
    Don´t enable or install browser plugins Tor Browser will block browser plugins such as Flash, RealPlayer, Quicktime, and others: they can be manipulated into revealing your IP address. Similarly, we do not recommend installing additional addons or plugins into Tor Browser, as these may bypass Tor or otherwise harm your anonymity and privacy.
    Use HTTPS versions of websites
    Tor will encrypt your traffic to and within the Tor network, but the encryption of your traffic to the final destination website depends upon on that website. To help ensure private encryption to websites, Tor Browser includes HTTPS Everywhere to force the use of HTTPS encryption with major websites that support it. However, you should still watch the browser URL bar to ensure that websites you provide sensitive information to display a blue or green URL bar button, include https:// in the URL, and display the proper expected name for the website. Also see EFF´s interactive page explaining how Tor and HTTPS relate.
    Don´t open documents downloaded through Tor while online
    Tor Browser will warn you before automatically opening documents that are handled by external applications. DO NOT IGNORE THIS WARNING. You should be very careful when downloading documents via Tor (especially DOC and PDF files, unless you use the PDF viewer that´s built into Tor Browser) as these documents can contain Internet resources that will be downloaded outside of Tor by the application that opens them. This will reveal your non-Tor IP address. If you must work with DOC and/or PDF files, we strongly recommend either using a disconnected computer, downloading the free VirtualBox and using it with a virtual machine image with networking disabled, or using Tails. Under no circumstances is it safe to use BitTorrent and Tor together, however.
    Use bridges and/or find company
    Tor tries to prevent attackers from learning, what destination websites you connect to. However, by default, it does not prevent somebody watching your Internet traffic from learning that you´re using Tor. If this matters to you, you can reduce this risk by configuring Tor to use a Tor bridge relay rather than connecting directly to the public Tor network. Ultimately the best protection is a social approach: the more Tor users there are near you and the more diverse their interests, the less dangerous it will be that you are one of them. Convince other people to use Tor, too!
    Be smart and learn more. Understand what Tor does and does not offer. This list of pitfalls isn´t complete, and we need your help identifying and documenting all the issues.

    Tor-Nutzer über Mausbewegungen identifizieren, netzpolitik.org, 10.03.2016
    Jose Carlos Norte hat Methoden gefunden, wie man Nutzerinnen und Nutzer des Anonymisierungsdienstes Tor anhand von Mausradbewegungen identifizieren kann.
    Er schreibt auf seinem Blog:
    It is easy to fingerprint users using tor browser to track their activity online and correlate their visits to different pages. getClientrects provides a very interesting vector for fingerprinting TOR Browser users. The CPU benchmark and the Mouse wheel and mouse speed methods provide even more information to distinguish between similar users.
    Wie diese Form des Fingerprintings genau funktioniert, hat Golem.de auch auf deutsch zusammengefasst, https://netzpolitik.org/2016/tor-nutzer-ueber-mausbewegungen-identifizieren/

    EU-US-Datenschutzschild: Was passiert mit unseren Daten?, Tagesschau.de, 12.07.2016
    Wenn europäische und US-Vorstellungen zum Datenschutz aufeinander stoßen, prallen Welten aufeinander. Das hat auch der Europäische Gerichtshof so gesehen, und das Datenschutzabkommen Safe Harbour gestoppt. Nun tritt der Nachfolger in Kraft.
    Was machen Google, Facebook oder anderen Internetgiganten mit meinen Daten? Das fragen sich viele. Denn im Internet wird das Innerste nach außen gekehrt. Es geht um Namen, Freunde, Adressen, um Profile und Positionen, ob man gerne viel kauft oder bescheiden lebt, in einem guten oder schlechten Viertel wohnt. Wer darf das alles wissen? Möglichst wenige, sagt die EU. Denn das alles ist Privatsache, solange die Daten nicht anonymisiert sind - oder die Weitergabe von den Nutzern ausdrücklich gestattet wird. Die EU wollte auch die USA für die Sorgen der Nutzer sensibilisieren - sie sollen dort ernst genommen werden. Denn jenseits des Atlantiks laufen die meisten Daten zusammen, an einem Ort, der eigentlich unerreichbar ist für europäische Datenschutzregeln.
    Das soll sich mit dem neuen Abkommen ändern. Ob das tatsächlich so sein wird, hängt nicht nur vom guten Willen in den USA ab. Ob es so funktioniert, wie man es sich in Brüssel vorstellt, soll jährlich überprüft werden. Ein Druckmittel der Europäer. Denn vor allem im EU-Parlament, bei den europäischen Datenschutzbehörden und nicht zuletzt bei den Internetnutzern ist das Misstrauen gegenüber der Datensicherheit in den USA deutlich gewachsen - nicht zuletzt nach den Enthüllungen des Whistleblowers Edward Snowden. Er hatte behauptet, die US-Geheimdienste bedienten sich uneingeschränkt und ungeniert aus dem Datenreservoir, das aus Europa auf US-Servern landet.
    Recht auf Vergessen? Das "Recht auf Vergessen" soll also auch dann Wirklichkeit werden, wenn unerwünschte Daten längst nicht mehr in der EU sind. Die Zugriffsmöglichkeiten werden erweitert: "Der Datenschutzschild wird die transatlantische Wirtschaft stärken und unsere gemeinsamen Werte bekräftigen", hofft EU-Kommissarin Jourova. Für ihre US-Verhandlunspartnerin geht es aber nicht nur um Werte, vor allem aber um von Bürokratie möglichst wenig behindertes Wirtschaftswachstum im boomenden Internetsektor: " Für Verbraucher bedeutet der freie Fluss von Informationen, dass sie von den neuesten digitalen Produkten und Dienstleistungen profitieren, unabhängig davon, wo sie entstehen". Das zeigt: Die Vorstellungen, was guter Datenschutz ist, liegen trotz des neuen Abkommens noch weit auseinander. Für die Europäer geht es um den Schutz der Privatsphäre. Für die Amerikaner vor allem um Sicherheit. Ein heikler Punkt bleibt der umstrittene Zugriff durch US-Geheimdienste auf Daten von EU-Bürgern, die in den USA gespeichert sind. Aber auch hier können sich die US-Behörden nicht mehr einfach wegducken.
    Bei Fehlern müssen Geheimdienste löschen
    Eine spezielle Schiedsstelle soll dafür sorgen, dass Nachfragen von EU-Bürgern auch bei den Geheimdiensten nicht in den Papierkorb wandern. Es soll also etwas mehr Transparenz geben. Es gibt sogar Korrekturpflichten, falls die Geheimdienste etwas "falsch" gespeichert haben. Zum Löschen können sie aber nicht gezwungen werden. Sie lesen auch weiterhin mit. Allerdings wird in Washington versichert, dass eine "Massenspeicherung" europäischer Daten nicht existiert und auch nicht geplant sei. Nachzuprüfen ist das nicht.
    Der österreicher Maximilian Schrems ist damit weniger zufrieden: "Da gehts eben darum, dass man sich irgendwo beschweren kann. Aber wenn das alles sowieso legal ist, bringt mir auch eine Beschwerdestelle nicht viel." Der 29-jährige Jurist aus Salzburg hatte den Stein ins Rollen gebracht. Mit einer Klage gegen ein älteres Datenschutzabkommen zwischen Europa und den USA mit dem Namen "Safe harbour" (Sicherer Hafen).
    Alter Datenhafen galt als unsicher
    Der Europäische Gerichtshof hatte diesen Datenhafen im vergangenen Jahr für äußerst unsicher erklärt und Neuverhandlungen mit den USA erzwungen. Daraus ist jetzt der EU-US-Datenschutzschild geworden. "Jetzt ist die gesamte Massenüberwachung anscheinend doch nicht mehr da, weil die EU ein paar Briefe aus den USA bekommen hat, dass das alles nicht so ist", beklagt Schrems. Er glaubt: Die Geheimdienste lesen weiterhin mit.
    Allerdings: Mit dem neuen Abkommen könnte es für Nutzer einfacher werden, zu erfahren, was die Geheimdienste am Ende tatsächlich gespeichert haben. Dazu soll eine schriftliche Eingabe über die besagte Schiedsstelle genügen. Die US-Behörden sind zu einer Antwort angehalten - wenn keine Sicherheitsbedenken dagegen stehen. Das bedeutet: Die Antworten aus übersee dürften oft recht kurz ausfallen. Und nicht immer zufriedenstellend für europäische Internetnutzer.

    Deutsche im Visier des US-Geheimdienstes: Von der NSA als Extremist gebrandmarkt, Tagesschau.de, 03.07.2014
    Die NSA späht gezielt Deutsche aus, die sich mit Software zum Schutz vor Überwachung im Internet beschäftigen. Das geht aus einem geheimen Quellcode hervor, der NDR und WDR vorliegt. NSA-Opfer lassen sich damit namentlich identifizieren. Einer von ihnen ist ein Student aus Erlangen.
    Von Lena Kampf, Jacob Appelbaum und John Goetz, NDR
    Es ist eines der empfindlichsten Geheimnisse der NSA, der Motor der weltweiten Überwachungsmaschine: der Quelltext des Programms XKeyscore, dem umfassendsten Ausspähprogramm des US-Auslandsgeheimdiensts.
    NDR und WDR liegen Auszüge des Quellcodes vor. Teile der Sammlungs-Infrastruktur also, sogenannte Software-Regeln, in denen die Geheimdienstler festlegen, was oder wen sie ausforschen wollen.
    Es sind nur wenige Zahlen und Zeichen, die die Programmierer aneinanderreihen müssen. Doch wenn das Programm XKeyscore diese Regeln ausführt, geraten Menschen und ihre Daten in ihr Visier. Die Verbindungen von Computern mit dem Internet werden gekennzeichnet und in einer Art Datenbank abgelegt. Die Nutzer sind quasi markiert. Es ist die Rasterfahndung des 21. Jahrhunderts.

    Nutzer des Tor-Netzwerks Ziel der Spähattacken
    In dem vorliegenden Quellcode geht es um die Ausspähung der Infrastruktur und der Nutzer des Tor-Netzwerks. Tor steht für "the onion router" - ein Programm, bei dem Internetverkehr, beispielsweise eine Anfrage an eine Suchmaschine, durch verschiedene Server geleitet wird und sich Anonymisierungsschichten ähnlich wie bei einer Zwiebel um die Anfrage legen. So wird die Herkunft der Anfrage, also die IP-Adresse verschleiert. Die IP-Adresse ist ähnlich wie eine Postadresse und verrät unter anderem den Standort des Rechners.
    Es gibt zirka 5000 Tor-Server weltweit, die von Freiwilligen betrieben werden. Es ist eine Anonymisierungsinfrastruktur, die vielfach gerade in Ländern gebraucht wird, in denen es gefährlich ist, dem Regime preiszugeben, welche Webseiten man besucht oder von wo man sie abruft. Im Iran und in Syrien zum Beispiel. Tor wird von Journalisten, Menschenrechtsaktivisten und Anwälten weltweit verwendet.
    Deutsche IP-Adressen in Fort Meade begehrt Die Berichterstattung des "Guardian" über Powerpoint-Präsentationen aus dem Snowden-Archiv hat im vergangenen Jahr gezeigt, dass das Tor-Netzwerk der NSA ein besonderer Dorn im Auge ist. Die Top-Secret-Dokumente und der hier erstmals veröffentlichte Quellcode zeigen, dass die NSA erhebliche Versuche unternimmt, Nutzer des Tor-Netzwerks zu deanonymisieren. Recherchen von NDR und WDR zeigen: Deutsche IP-Adressen sind im Quellcode der NSA als eindeutiges Ziel definiert.
    Die IP führt zu einem grauen, fabrikartigen Gebäude, dessen hohe Mauern mit Stacheldraht umzäunt sind. "Am Tower" heißt die Straße in einem Industriegebiet in der Nähe von Nürnberg. Es ist ein Rechenzentrum mit Mietservern in langen Regalen. Sie sehen alle gleich aus. Aber einer wird von der NSA ausgespäht. Sebastian Hahn, ein Student und Mitarbeiter am Informatiklehrstuhl in Erlangen hat diesen Server gemietet.
    Zweites namentlich bekanntes NSA-Opfer
    Obwohl er nur Mittel zum Zweck für die NSA ist - schließlich wollen die Geheimdienstler über seinen Server herausfiltern, wer das Tor-Netzwerk nutzt - fühlt sich Hahn in seiner Privatsphäre verletzt. Weil er etwas Gutes tun wolle, gerate er "in den Fokus der Geheimdienste", sagt er sichtlich entsetzt. Er ist nun wohl nach Bundeskanzlerin Angela Merkel das zweite namentlich bekannte deutsche Überwachungsopfer des amerikanischen Geheimdienstes. Der Fachanwalt für IT-Recht, Thomas Stadler, sieht einen "Anfangsverdacht der geheimdienstlichen Agententätigkeit". Die Bundesanwaltschaft äußerte sich nur allgemein: Sie prüfe alle Hinweise. Auf Anfrage teilt die NSA lediglich allgemein mit, man halte sich strikt an das Gesetz: "Privatsphäre und Bürgerrechte werden in der Computerüberwachung immer bedacht."
    Es geht nicht nur um Metadaten
    Außerdem lässt sich durch den Quellcode zum ersten Mal zweifelsfrei belegen, dass die NSA nicht nur sogenannte Metadaten, also Verbindungsdaten, ausliest. Werden E-Mails zur Verbindung mit dem Tor-Netzwerk genutzt, dann werden laut Programmierbefehl auch die Inhalte, der sogenannte E-Mail-Body, ausgewertet und gespeichert. Das entsprechende Zitat aus dem Quellcode lautet: "email_body(´https://bridges.torproject.org/'' : c++ extractors".
    William Binney, 70, war technischer Direktor bei der NSA, bis er 2001 ausstieg, weil die Maschinen, die er erfand, gegen die eigene Bevölkerung gerichtet wurden. Heute wird er vor dem NSA-Untersuchungssauschuss aussagen. Im Interview mit NDR und WDR erklärt er, warum die Geheimdienstler es ausgerechnet auf Nutzer des Tor-Netzwerks abgesehen haben: "Es darf keine freien, anonymen Räume geben", sagt er. "Die wollen alles über jeden wissen."
    Nur einige wenige sind davon ausgenommen: Eingeschrieben in den Quelltext, der NDR und WDR vorliegt, ist die Differenzierung zwischen den Partnerländern der USA, den sogenannten "Five Eyes", Neuseeland, Australien, Großbritannien sowie Kanada, und den anderen Ländern. Verbindungen, die aus den "Five-Eyes"-Ländern auf die Tor-Webseite vorgenommen werden, sollen laut der vorliegenden Regel nicht markiert werden. Aus allen anderen Ländern allerdings schon. Ohne Ausnahme, https://www.tagesschau.de/inland/nsa-xkeyscore-100.html .

    IT-Sicherheit: Koalition will Deep Packet Inspection und Netzsperren, heise.de, 13.04.2017
    In einer Nacht- und Nebelaktion haben die Regierungsfraktionen ohne öffentliche Debatte den Weg freigemacht für eine umfangreiche änderung des Telekommunikationsgesetzes (TKG), mit dem Provider künftig bei auftretenden Netzstörungen eine abgespeckte Variante der umstrittenen "Internet-Nacktscanner" in Stellung bringen und damit eine "Deep Packet Inspection light" (DPI) durchführen dürften. Die Regierungsfraktionen betonen zwar nun gleich zweimal, dass "Kommunikationsinhalte" nicht erfasst werden dürften. Zur Analyse freigeben wollen sie aber die "Steuerdaten", mit denen im OSI-Modell für Netzwerkprotokolle auf der vergleichbar hohen "Sitzungsschicht" die Prozesskommunikation zwischen zwei Systemen aufrechterhalten werden soll. Zugleich will die große Koalition den Anbietern von Telekommunikationsdiensten gestatten, "Datenverkehr bei Vorliegen einer Störung einzuschränken", auf Warnseiten umzuleiten "oder zu unterbinden". Ferner soll es den Diensteanbietern zur Abwehr von Cyberangriffen erlaubt werden, den Datenverkehr zu filtern und dabei "legitime von maliziöser Kommunikation" zu trennen. Den federführenden Innenausschuss des Bundestags hat die Initiative bereits Ende März still und leise passiert, sie soll in der nächsten Sitzungswoche am 27. April kurz vor 23 Uhr vom Plenum ohne weitere Korrekturen verabschiedet werden.

    Spurlos und Anonym im Netz mit Tor & Co.
    Spurlos im Netz mit Tor & Co.: Die wichtigsten Anonymisierungsdienste und Tools für anonymes Surfen im Internet
    Rechner benötigen Gatekeeper zum Schutz vor Tracking
    , 06.02.2018
    Mehr als zwei Drittel der Deutschen vertrauen einer Bitkom-Umfrage nach weder dem Staat noch der Wirtschaft gerne ihre Daten an. Nutzer möchten sich anonym im Internet bewegen und so Ihre Daten und Privatsphäre vor der NSA, dem Staat oder auch kommerziellen Anbietern schützen und dem Online-Betrug vorbeugen. Anonymisierungsdienste, Proxies, VPN-Gateways, Anti-Tracking-Tools, Tor & Co. sind die als wichtigen Gatekeeper zum Schutz vor Datenschnüfflern.

    Neues Anonymisierungsverfahren stoppt NSA, PC-WELT.de, Sicherer als Tor und nicht zu langsam: Die neue Anonymisierungstechnik Riffle soll eine absolut sichere Internetnutzung ermöglichen. Wissenschaftler des renommierten Massachusetts Institute of Technology MIT haben zusammen mit der Schweizer École Polytechnique Fédérale de Lausanne ein neues Verfahren zum anonymen Datenaustausch im Internet entwickelt. Es soll sicherer als das bekannte Tor sein und selbst der NSA widerstehen, http://www.pcwelt.de/news/Riffle-Neues-Anonymisierungsverfahren-soll-NSA-Co.-aussperren-10009874.html

    Geheime Dokumente: Der BND hat das Anonymisierungs-Netzwerk Tor angegriffen und warnt vor dessen Nutzung
    , netzpolitik.org. 14.09.2017
    Der BND hat ein System zur Überwachung des Tor-Netzwerks entwickelt und Bundesbehörden gewarnt, dass dessen Anonymisierung "unwirksam" ist. Das geht aus einer Reihe geheimer Dokumente hervor, die wir veröffentlichen. Der Geheimdienst gab einen Prototyp dieser Technik an die NSA, in Erwartung einer Gegenleistung.
    [...] Weltweiter, passiver Angreifer
    Wie alle in der Praxis eingesetzten Anonymisierungs-Systeme dieser Art kann auch Tor nicht gegen "einen weltweiten passiven Angreifer" schützen. Das steht so explizit im Design-Dokument. Auch die Dokumentation warnt: "Wenn ein Angreifer den Internet-Verkehr beobachten kann, der aus ihrem Rechner kommt und den Verkehr, der an dem von ihnen gewählten Ziel ankommt, kann er mit statistischen Analysen herausfinden, dass beide zusammen gehören." Die Internet-Überwachung von NSA und GCHQ tut genau das.
    Eine ganze Reihe an Forschern hat diesen Angriff praktisch demonstriert, durch simples Zählen der übertragenen Pakete, über die Analyse von Zeitfenstern bis zur De-Anonymisierung durch einen Bruchteil des Verkehrs. All diese Forschung ist öffentlich einsehbar. Auch die Geheimdienste beobachten diese Forschung, nutzen sie für eigene Zwecke und nutzen theoretische Schwachstellen in ihrer praktischen Überwachung aus.
    Die Hacker vom BND stützen sich bei ihrem Angriff auf "eine Studie einer amerikanischen Universität", die sie auch an die NSA weitergeben.
    [...] Der BND-Spitze kommt das gelegen. Man erhofft sich zwar, dass auch die BND-eigene Auswertung wieder "angestoßen" werden kann, an Tor zu arbeiten. Aber das eigentliche Ziel ist größer. Der BND will etwas von der NSA: Eine Technologie aus dem "Bereich Kryptoanalyse" zur Entzifferung verschlüsselter Inhalte. Pullach weiß, dass Fort Meade das Objekt der Begierde "erfahrungsgemäß nicht so leicht herausrücken", wird. Deshalb sammeln die Deutschen Gegenleistungen, der Angriff auf Tor ist "ein weiterer Baustein" dafür.
    [...] Wie genau der BND Tor "zerhäckseln" will, ist in der uns vorliegenden Version leider weitgehend geschwä,;rzt. Doch wie zuvor beruft sich der Geheimdienst auf öffentliche Forschung. Zur Umsetzung dürfte der BND eigene Server im Tor-Netzwerk betreiben. M.S. verweist auf passiv schnüffelnde Server, die mutmaßlich von der NSA betrieben werden und betont den "Schutz der eigenen Anonymität" der Geheimdienste.
    [...] Sehr hohe Überwachungsdichte
    Anderthalb Jahre später warnt der BND deutsche Bundesbehörden davor, Tor zu verwenden. Der "Anonymisierungsdienst Tor garantiert keine Anonymität im Internet", betitelt die Hacker-Abteilung "IT-Operationen" eine Meldung. Das sechsseitige Papier geht am 2. September 2010 an Kanzleramt, Ministerien, Geheimdienste, Bundeswehr und Polizeibehörden.
    Laut Kurzfassung ist Tor "ungeeignet" für drei Szenarien: "für die Verschleierung von Aktivitäten im Internet", "zur Umgehung von Zensurmaßnahmen" und für "Computernetzwerkoperationen für Nachrichtendienste" - also geheimdienstliches Hacking. Der BND geht "von einer sehr hohen Überwachungsdichte innerhalb des Netzes" aus, unter anderem durch ",die Möglichkeit, selbst sogenannte Exit-Knoten zur Überwachung einzurichten".

    Tor-Browser Der Tor-Browser macht es Spionen beinahe unmöglich, Ihre Spur im Netz zu verfolgen. Seine hohe Sicherheit gegen PRISM bezahlt der User mit langsamen Surfgeschwindigkeiten. Wem Tor zu lahm ist, kann den Browser nur für sensible Surf-Sessions nutzen.

    Die hier genannten Programme sind nur ein Teilaspekt des Schutzes vor neugierigen PRISM-Blicken. Wer sich möglichst komplett schützen will, muss konsequenterweise auch auf die Google-Suche oder Yahoo-Mails verzichten (um nur zwei Beispiele zu nennen). Lesen Sie also unbedingt auch unseren Ratgeber zum Schutz vor PRISM . Achtung: Eine hundertprozentig blickdichte Anti-PRISM-Mauer werden Sie kaum errichten können. Dafür kreuzen die Wege Ihres Datenverkehrs im Internet zu oft den Einflussbereich der NSA. Und selbst die beste Verschlüsselung kann theoretisch geknackt werden. Außerdem gibt es für manche Dienste keine vernünftige Alternative. Zwar können Sie beispielsweise Facebook entsagen und zu Diaspora wechseln. Doch dürften Sie dort ziemlich alleine sein und höchstens Monologe führen, während Sie auf Ihre Freunde aus Facebook warten.
    Das ist jedoch kein Grund, zu verzagen. Mit unseren Tipps und Tools setzen Sie die Hürden teilweise so hoch, dass die NSA-Agenten gehörig ins Schwitzen kommen werden. Nur ein Beispiel: Selbst superschnelle Hardware braucht für gut verschlüsselte Daten Jahrzehnte, wenn nicht Jahrhunderte, um sie knacken.

    Kooperation von BND und NSA: Heimliche Amtshilfe unter Freunden, Tagesschau, 25.06.2014
    Der BND hat jahrelang Daten eines Frankfurter Internetknotenpunkts an die NSA weitergegeben. Nach Recherchen von NDR, WDR und "SZ" leitete er mindestens von 2004 bis 2007 abgefangene Rohdaten direkt an den US-Dienst. von Georg Mascolo, NDR
    In Frankfurt laufen die Fäden zusammen. Hier verbindet die weltweit größte Internet-Schnittstelle die Netze von mehr als 50 Ländern. Daten aus Russland fließen über Frankfurt beispielsweise in den Nahen Osten. Schon immer hatten die Amerikaner ein Auge auf Frankfurt geworfen und drängten auf einen direkten Zugriff auf die Glasfasernetze. Bereinigt um die Daten deutscher Bürger soll der BND drei Jahre lang der NSA Datenmaterial zur Verfügung gestellt haben. Vor allem Telefonate sollen so direkt in die Computer der NSA geleitet worden sein. Über den Umfang der Datenweitergabe gibt es widersprüchliche Angaben. Während einige Quellen sie als "sehr umfassend" beschreiben, heißt es in BND-Kreisen, es habe sich zwar um große Mengen gehandelt, aber nur eine von mehreren Leitungen sei betroffen gewesen. Erst 2007 soll die Operation vom damaligen BND-Chef Uhrlau gestoppt worden sein. Auch im Kanzleramt war man zu dem Schluss gekommen, dass die Aktion "viel zu heikel ist", so ein damals Beteiligter. Gegen den Protest der NSA wurde das Projekt eingestellt. Die gemeinsame Operation soll den Recherchen zufolge 2004 begonnen haben und war auch im Kanzleramt bekannt. Offenbar sind aber weder das Parlamentarische Kontrollgremium noch die Bundestagskommission, die für die Abhörmaßnahmen der Geheimdienste zuständig ist, jemals über die damalige Operation informiert worden.

    "Ich bin noch nie so belogen worden"
    #34c3: Die Lauschprogramme der Geheimdienste
    , netzpolitik.org, 29.01.2018
    "Ich bin noch nie so belogen worden", sagte Hans-Christian Ströbele über seine Arbeit im NSA-BND-Untersuchungsausschuss. In einem Gespräch mit Constanze Kurz resümiert der grüne Politiker die Ergebnisse der parlamentarischen Untersuchung.

    Deep Packet Inspection (DPI)
    Pro & Contras
    , wiki.kairaven.de


    - Bandbreiten-Management
    - Spambekämpfung
    - Virenbekämpfung
    - Einbruchserkennung


    - Inhaltliche ITK-Überwachung parallel zur oder nach der Vorratsdatenspeicherung
    - Analyse und Überwachung des Inhalts von E-Mails, Instant Messaging, Webchats, SMS im Rahmen personen- und gruppenbezogener Überwachungsmaßnahmen oder allgemeiner Überwachungsprogramme der Geheimdienste
    - Filterung / Zensur, Blockierung von E-Mails, Instant Messages, Webchats, SMS, Webseiten
    - Drosselung, Blockierung, Erkennung von P2P-Anwendungen, Filesharing, Anonymisierungsdiensten, Web-Proxys
    - Generierung von Benutzer- und Kundenprofilen, personenbezogener Werbung
    - Aufweichung bzw. Abschaffung der Netzneutralität (siehe auch Wissenschaftliche Dienste Deutscher Bundestag - Aktueller Begriff: Netzneutralität)


    Die DPI Analyse des Inhalts der Nutzdaten der Datenpakete wird durch ihre Verschlüsselung unterbunden, sofern sichere Verschlüsselungsalgorithmen, Verschlüsselungsimplementierungen und Schlüssellängen verwendet werden.
    Die DPI Analyse kann aber zumindest die Anwendung und Existenz von Verschlüsselung aufdecken und auswerten, um z. B. anschließend den Transport verschlüsselter Datenpakete zu blockieren oder sie für Versuche zur
    Entschlüsselung zu spiegeln


    Sofern Anwendungen oder Netzwerke (z. B. VPN, Tor, I2P), die für die Anonymisierung genutzt werden, sichere Verschlüsselungsmethoden integrieren, treffen die Aussagen wie unter Verschlüsselung zu. Hersteller
    DPI Kontext

    In order to prevent the cut off TOR like an onion, listed firefox-extensions from above should get installed and the configuration from kairaven.de from above should be made like for the current used firefox-browser too!

    OKUse a Raspberry Pi as a Tor/VPN Router for Anonymous Browsing, 1/28/15
    Roll Your Own Anonymizing Tor Proxy with a Raspberry Pi
    We´ve shown you how to use a Raspberry Pi as both a Tor proxy and a personal VPN, but Make shows off how to do both in one unit for truly anonymous browsing everywhere.
    There are many interesting things you can do with a Raspberry Pi, but this one isn´t just fun, …
    The build here uses two Wi-Fi adapters to get the job done. Once it's complete, you'll have a passive VPN connection that you´ll hardly even notice is there. You´ll also have Tor installed, so you can flip over to that connection with just a couple of clicks. It´s a pretty simple setup all things considered, and it´ll act as a nice bridge between your standard router for those times when you want to browse anonymously or get around any location-specific blocks.
    Browse Anonymously with a DIY Raspberry Pi VPN/Tor Router
    https://lifehacker.com/use-a-raspberry-pi-as-a-tor-vpn-router-for-anonymous-br-1682296948 Preis: ca. 40 Euro


    Tarnkappe im Internet mit der richtigen Anonymisierungs-Hardware

    Im Internet mit der richtigen Anonymisierungs-Hardware, trojaner-info.de, 2015
    [...] Anonymität und digitale Integrität kann über Anonymisierungsprogramme wie Tor, aber auch über spezielle Hardware-Lösungen erreicht werden.
    Nachfolgend einige Router für das Heimnetzwerk im Porträt im Kampf gegen Tracking, Fingerprinting und digitale Bespitzelung im Kurzporträt.

    Anonymebox: Anonym in einer Zigarettenschachtel
    Die Anonymebox ist wie die meisten anderen Lösungen eine Ready-to-use-Möglichkeit, anonym zu surfen. Alle Komponenten sind in einer schicken roten Box verbaut, die nicht größer als eine Zigarettenschachtel ist. Anonymebox wird mit einer Software auf SD-Karte, einem LAN- und WLAN-Adapter sowie einem Netzteil und Ethernet-Kabel geliefert. Die Hardware-Tarnkappe ist schnell eingerichtet. Per TOR gehts dann - wenn alle anderen Vorkehrungen für das anonyme Surfen getroffen wurden - unerkannt durchs World Wide Web. Das gilt für Desktop-Rechner, Smartphones, Tablets und Laptops gleichermaßen. Per Web-Interface lässt sich die vorgetäuschte IP-Adresse bzw. deren Standort einsehen. Alternativ kann über Geoiptool ein Geolocation-Tool aufgerufen werden, das ebenfalls den Fake-Standort anzeigt.
    Die Anonymebox kostet aktuell 199 Euro inklusive MwSt.

    eBlocker: Anoymisierungs-Know-how von der "anderen Seite"
    [...] Das noch recht junge Produkt eBlocker bietet einen interessante Plug-and-Play-Ansatz. Die Mini-Box wird schlüsselfertig geliefert und kann ohne Software-Installation an den Router angeschlossen werden. Der eBlocker soll auf allen Endgeräten, die über das Heimnetzwerk mit dem Internet verbunden sind, Werbung und Tracking eliminieren. Optional kann ein Nutzer auch seine IP-Adresse anonymisieren. Technologisch basiert die Anonymisierungs-Hardware auf dem Einplatinenrechner Banana Pi: Ein kleiner Mini-Rechner, der sich großer Beliebtheit in der Open-Source-Community erfreut.
    Öffentliche Filterlisten in Kombination mit algorithmischen Filtern sollen dabei helfen, die zunehmende Zahl von Tracking-TAGs zu blockieren, die von Werbenetzwerken in Umlauf gebracht wird. Mit einfachem Klick kann zusätzlich auch das Tor-Netzwerk integriert werden.
    eBlocker soll Ende 2015 auf den Markt kommen und nach Herstellerangaben unter 200 Euro kosten. Im Paket ist Hard- und Software erhalten und ein Update-Service für ein Jahr.


    Proxys oder "Rewebber" gelten dagegen als hinreichend, seine eigene IP-Adresse gegenüber der jeweils besuchten Seite zu verschleiern.
    Auch diese Sicherheit ist jedoch trügerisch: Zumindest der Betreiber des Proxy-Servers weiß stets, wer da nach was sucht im Web, wer da was besucht. Ob es also klappt mit der Anonymisierung, ist nicht nur eine Frage der Technik, sondern vor allem eine der Vertrauenswürdigkeit des Anbieters. Es ist nicht unwahrscheinlich, dass etliche offene Proxy-Dienste in Wahrheit genau das Gegenteil von dem tun, was sie behaupten: So mancher mag beobachten und protokollieren, wer sich da weswegen anonymisieren will.
    [...] Der vielleicht interessanteste Web-basierte Proxy ist derzeit das deutsch-schweizerische Projekt picidae. Der Dienst holt sich die vom Nutzer angefragte Web-Seite und wandelt diese komplett in ein Bild um. Der Nutzer braucht nur die gewünschte Web-Adresse in ein einfaches Suchfeld eingeben, der Rest ergibt sich.
    Damit ist nicht nur der Seitenaufruf verschleiert, sondern auch jeder Filter ausgehebelt. Das Beste daran: Die Bilder lassen sich völlig normal als Web-Seiten nutzen. Ein Klick auf einen Link, und picidae generiert ein Bild der dahinterliegenden Web-Seite. Die von picidae erzeugten PNG-Screenshots sind also voll funktionale, mit Link-Infos versehene Bitmaps.

    JAP (Jondo) - Zertifizierte Betreiber, golem.de, 03.03.2015
    Mixkaskaden sorgen für Anonymität
    Der Jondonym-Anonymous-Proxy-Server oder kurz JAP wird von seinen Machern als Forschungsprojekt bezeichnet, das den Namen AN.ON - Anonymität Online trägt. Entwickelt wurde es von der Universität Regensburg zusammen mit der Technischen Universität Dresden.
    Die Daten werden über sogenannte Mixkaskaden versendet. Dabei werden mehrere Proxys hintereinandergeschaltet und zusätzlich die Daten unterschiedlicher Herkunft miteinander vermischt. Sie werden auch als Mixnetzwerk mit kaskadierenden Proxy-Servern bezeichnet. Jede Proxy-Station kennt nur den vorherigen Server, von dem die Daten kommen, und denjenigen Proxy-Server, an den die Daten weitergereicht werden. Zwischen jeder Station werden die Daten gesondert verschlüsselt.
    Anders als bei Tor kann aber nicht jeder eine Zwischenstation - oder Mixe, wie sie genannt werden - betreiben. Lediglich vom Projekt zugelassene Server dürfen an dem Netz teilnehmen. Der Vorteil ist, dass jeder Mix im JAP-Netzwerk vertrauensvoll ist. Die Mixe werden von dem Projekt zertifiziert und müssen eine Selbstverpflichtung unterschreiben, die unter anderem besagt, dass keine Logfiles angelegt werden dürfen. Damit entfällt die bei Tor mögliche Angriffsmethode, dass ein Unbekannter eine Zwischenstation betreibt und so Einsicht in den Datenverkehr bekommt.

    [...] Da es aber nur eine begrenzte und bekannte Anzahl an Mixen gibt, ist die theoretische Wahrscheinlichkeit größer, dass ein Angreifer den Eingang und den Ausgang kennt und überwachen kann. Dann kann der Datenverkehr eines Nutzers komplett deanonymisiert werden. Deshalb liegt auf den JAP-Betreibern die Last sicherzustellen, dass kein Angreifer einen Mix betreiben kann. Die begrenzte Anzahl der Mixe ist gewollt, denn je mehr Nutzer ihre Daten über einen einzigen Server leiten, desto schwieriger ist es, einzelne Datenströme daraus zu identifizieren. [...] Schnelleres anonymes Surfen kostet
    Die meisten Mixe werden in Deutschland betrieben, etwa von der Technischen Universität Dresden, dem Unabhängigen Landeszentrum für Datenschutz in Schleswig-Holstein oder der bayerischen Piratenpartei. Da der Betrieb eines Mixes Geld und Aufwand kostet, haben die TU Dresden und die Universität Regensburg das Unternehmen Jondos gegründet, das ebenfalls Mixe betreibt. Jondos bietet auch eine kostenpflichtige Version des Dienstes an, der deutlich höhere Datenraten ermöglicht als die kostenfreie Version. Und hier liegt der entscheidende Nachteil gegenüber Tor: Aktuell liegt dort die Surfgeschwindigkeit durchschnittlich bei über 2 GBits pro Sekunde. In der kostenfreien Variante lässt sich in JAP lediglich mit bis zu 50 KBits pro Sekunde surfen. Erst mit kostenpflichtigen Tarifen lässt sich mit bis zu 1,5 GBit pro Sekunde surfen.
    [...] Die kostenfreie Variante hat auch noch weitere Einschränkungen. Dort lassen sich Dateien mit höchstens 2 MByte hoch- und herunterladen und außerdem steht nur HTTP beziehungsweise HTTPS zur Verfügung. In der kostenfreien Variante laufen die Daten durch zwei Mixe, in der kostenpflichtigen können es bis zu drei sein. Die kostenpflichtigen Tarife sind nach Volumen gestaffelt bei Preisen zwischen 5 und 140 Euro für ein halbes Jahr.
    Da die Betreiber in Deutschland sind, sind sie dem hiesigen Recht unterworfen. Im Zuge der inzwischen wieder fallengelassenen Vorratsdatenspeicherung von 2009 hatten sich einige Mix-Betreiber verpflichtet, die IP-Adressen sowie Datum und Uhrzeit des Verbindungsaufbaus in das JAP-Netzwerk sowie die Weiterleitungen zu speichern. Mit diesen Daten hätte ein Benutzer deanonymisiert werden können.
    [...] Die Geschwindigkeit des JAP-Netzwerks bei kostenfreier Nutzung ist einfach zu gering und die Beschränkung auf 2 MByte große Dateien ist kaum noch zeitgemäß, auch wenn dank Addons kaum mehr als Texte und ein paar Bilder von den angesurften Webseiten übrigbleiben. Nach dem Start des Proxy-Servers dauert es eine ganze Weile, bis eine Verbindung hergestellt werden kann. Manchmal klappt die Verbindung gar nicht. Zwischendurch nervt die Software immer wieder mit Hinweisen auf das kostenpflichtige Angebot.
    Schade, denn ansonsten ist die JAP-Software gut, der vorkonfigurierte Jondofox-Browser erspart dem Anwender so manche Fummelei. Er ist vergleichbar mit dem Tor-Browser-Bundle. Allerdings wird dort Tor gleich mitinstalliert, für den Zugriff auf das JAP-Netzwerk muss Jondo zusätzlich installiert werden.

    JAP (Jondo) unterliegt sicherheitstechnisch in vielen Punkten im Vergleich zu Tor.
    Zugrundeliegende Studie aus dem Internet ist möglicherweise aber nicht mehr aktuell.
    Programme wie das Java-basierte JAP fungieren für den Internet-Nutzer als Proxy, der allen Teilnehmern am Netzwerkwerk die gleiche IP-Adresse zuweist: Eine Aufschlüsselung, wer für welchen Teil des Datenverkehrs verantwortlich ist, soll nicht möglich sein. Das wird unter anderem dadurch ausgeschlossen, dass JAP den Datenverkehr des Nutzers mit dem anderer Nutzer mischt und zudem verschlüsselt.
    JAP ist eine deutsche Entwicklung, die in den Anfangsjahren unter anderem durch staatliche Fördergelder finanziert wurde. Inzwischen ist diese Förderung ausgelaufen, die Betreiber bieten nun einen kostenfreien, aber merklich langsameren Service neben einem kostenpflichtigen, aber schnelleren Dienst an. Gesetzesänderungen in Deutschland haben dazu geführt, dass die JAP-Betreiber Daten offenlegen müssen, wenn Verdacht auf Straftaten via Web besteht: Die Anonymität im JAP-Netz findet ihre Grenzen also vor den Schranken der hiesigen Gesetze.

    Anonymität im Internet wird auch von Kriminelle genutzt, was in der Folge die Strafverfolgungsbehörden auf den Plan ruft. Diese können eine Überwachung eines Nutzers von Jondo bewirken. Dieser Punkt lässt sich bei Jondofox/Jondo als Vorteil verbuchen, da die Vorgehensweise einer möglichen Überwachung eindeutig und transparent ist. Nur bei einem konkreten Verdacht und nach rechtsstaatlichen Vorgaben kann eine Überwachung beantragt werden. Der Gegensatz dazu ist das System Tor. Wer diesen Anonymisierer nutzt, kann so unbescholten sein wie nur möglich, die Überwachungsapparate mehrerer Länder werden versuchen, seine Wege im Tor-Netzwerk zu verfolgen.

    Anonymität im Internet wird auch von Kriminellen genutzt, was in der Folge die Strafverfolgungsbehörden auf den Plan ruft. Diese können eine Überwachung eines Nutzers von Jondo bewirken. Dieser Punkt lässt sich bei Jondofox/Jondo als Vorteil verbuchen, da die Vorgehensweise einer möglichen Überwachung eindeutig und transparent ist. Nur bei einem konkreten Verdacht und nach rechtsstaatlichen Vorgaben kann eine Überwachung beantragt werden. Der Gegensatz dazu ist das System Tor. Wer diesen Anonymisierer nutzt, kann so unbescholten sein wie nur möglich, die Überwachungsapparate mehrerer Länder werden versuchen, seine Wege im Tor-Netzwerk zu verfolgen.

    Den (für Tor einzig erforderlichen) Tor-Browser samt mitgelieferten Erweiterungen gibt es für alle gängigen Plattformen.
    Ein machtvolles Werkzeug zum Schutz der eigenen Privatsphäre ist der Tor Browser. Die Software leitet den eigenen Internetverkehr verschlüsselt durch ein zwiebelartiges Netzwerk an Servern und verhindert damit, dass irgendwer die eigenen Schritte nachverfolgen kann. Die Webseite Lifehacker schreibt dazu:
    "Tor ist nützlich für jeden, der seine Aktivität im Internet vor der Werbeindustrie, Internetprovidern und Webseitenbetreibern schützen möchte. Gleiches gilt für jene, die Zensurbestimmungen in ihrem Land umgehen möchten, […] und jeden, der nicht möchte, dass sein Surf-Verhalten mit ihm in Verbindung gebracht wird."
    Der Nachteil des Tor-Browsers: Mit ihm surft man etwas langsamer, da jedes Stück Information nur über Umwege verschickt werden kann. Dafür ist man damit relativ anonym im Internet unterwegs, selbst wenn auch dieser keine absolute Sicherheit gewährleisten kann und noch einige Angriffs-Vektoren übrig bleiben. Anders als noch vor einigen Jahren ist aber die Verlangsamung nicht mehr so auffällig, sofern man nicht seine gesamte Zeit auf Videoportalen verbringt.
    Mit Orbot und Orfox gibt es inzwischen auch eine Möglichkeit, Tor auf Android-Geräten mobil zu nutzen.

    Firefox erbt weitere Funtionen von Tor-Browser, PRO-LINUX, 05.12.2017
    Im zu Ende gehenden Jahr hat Firefox einige Funktionen vom Tor-Browser geerbt, der seinerseits auf Firefox ESR basiert.
    Mozilla Foundation
    Bereits seit 2014 arbeiten Mozilla und das Tor-Projekt zusammen, um die Sicherheit von Firefox zu erhöhen. Seit den Nightly Builds von Firefox 50 fließen unregelmäßig Patches vom Tor-Browser zu Mozilla zurück. Einer der ersten Patches im Jahr 2016 betraf die Eindämmung von Browser-Fingerprinting. Weitere Patches folgten im Rahmen des "Tor Patch Uplifting"-Projekts. Alle diese Patches sind und bleiben laut Aussage von Mozilla deaktiviert und müssen vom Anwender per about:config aktiviert werden. Der Grund hierfür ist, dass manche der Patches restriktiv wirken und beispielsweise die Darstellung von Webseiten verändern oder blockieren.
    Der Code von Tor-Browser entspricht zu 95 Prozent dem von Firefox ESR. Die restlichen 5 Prozent sind größtenteils Patches für Sicherheit und Schutz der Privatsphäre. Diese Patches für Firefox verfügbar zu machen verbessert nicht nur Firefox, sondern erspart dem Tor-Browser-Team die Arbeit, bei jeder neuen Version die Patches erneut zu aktualisieren, wie das Tor-Browser-Team berichtet.
    Der erste Patch, der im Rahmen von "Tor Patch Uplifting" in Firefox 50 im August integriert wurde, war "First-Party Isolation". Diese Funktion beschränkt den Zugriff auf Cookies, Cache und andere Daten auf die Domain-Ebene, so dass nur die Domain, die das Cookie oder die Datei auf dem Benutzersystem abgelegt hat, darauf zugreifen kann. Damit soll das Tracking von Anwendern erschwert werden. Bei Tor heißt die Funktion "Cross-Origin Identifier Unlinkable". Ein weiter Patch aus dem Tor-Projekt, der erst in Firefox 58 integriert sein wird, wenn dieser im Januar 2018 veröffentlicht wird, soll den Schutz vor HTML-Canvas-Fingerprinting erhöhen.
    about:config?filter=privacy.firstparty.isolate true

    Tor-Entwickler bemängeln "Tor Browser"-App, heise.de
    Eine App zur Nutzung des Anonymisierungsdienstes auf dem iPhone sei "voll von Adware und Spyware", beklagen Tor-Entwickler - und wundern sich, warum.

    Anonymes Surfen
    Tor-Browser statt Tor-Button, golem.de, 04.05.2011
    Der Entwickler des Tor-Buttons Mike Perry will sich künftig auf die Programmierung des Tor-Browsers konzentrieren. Der Tor-Button für Firefox wird nicht mehr weiterentwickelt - er ist laut Perry ein "sicherheitstechnischer Albtraum".

    Wie muss man den Tor Browser einstellen oder konfigurieren, so dass man "wirklich" anonym surft?, gutefrage.net, 02.08.2014
    Hintergrund ist die Annahme oder Vermutung, dass ein Großteil der Tor-Knoten nicht mehr sauber sind. Indem die Zahl der Proxy erhöht, kann man anonymer surfen. Richtig?
    Wird dazu das Programm "Vidalia" (el6) benötigt?
    3 Antworten
    Sortiert nach:
    Vom Fragesteller als hilfreich ausgezeichnet
    von Diedda, 01.08.2014, 22:57
    Nur den Tor Browser (https://www.torproject.org/download/download-easy.html.en) oder das Betriebssystem (Live-CD) "TAILS" verwenden
    Immer updaten wenn es neue Updates gibt
    Im Tor Browser links oben über den "S" Button Skripte global ausschalten
    Keine privaten Informationen wie dein Name oder Facebook-Account preisgeben
    Wird dazu das Programm "Vidalia" benötigt?
    Nein (siehe den 1. Punkt).

    jeffrey94 02.08.2014, 10:21
    Und wenn ich mich irgendwo einloggen möchte, keine Ahnung, ins Online-Banking oder irgendwo wo meine Daten sind. Wie mache ich denn das dann anonym?
    Mit "Vidalia", was früher immer dazu installiert wurde, jetzt nicht mehr. Kann man aber hinzuinstallieren, habe ich gelesen. Mit "Vidalia" also, kann man alle Nodes auflisten lassen und den Standort sehen. Außerdem kann man den Datenverkehr steuern, und über weitere Nodes und Ländern leiten lassen, so wie ich das jetzt verstanden habe.

    TeeTier 02.08.2014, 12:38
    Und wenn ich mich irgendwo einloggen möchte, keine Ahnung, ins Online-Banking oder irgendwo, wo meine Daten sind.
    Wer benutzt denn Online-Banking über TOR? Ich schätze mal, dass ein guter Teil der Exit-Nodes kompromittiert ist.
    Ich habe selbst mal Wireshark an einem lokalen Exit-Node laufen lassen, und war geschockt wie naiv viele User sind. Zumal viele Websites kein SSL anbieten.
    Du solltest NIEMALS irgendwelche Accounts über TOR benutzen, die man mit deiner wahren Identität in Verbindung bringen kann!

    jeffrey94 02.08.2014, 16:52
    Vielen Dank für die Antwort.
    OK, kein Online-Banking, kein sonstigen Logins über Tor..
    Dann also überhaupt keine Logins über Tor?
    Was haben denn die vielen naiven User denn gemacht?
    Ich dachte Tor wäre nicht zurück verfolgbar und zu deanonymisieren?

    TeeTier 02.08.2014, 19:47
    Also ich habe damals den TOR-Quellcode runtergeladen und alles selbst konfiguriert. Ich habe weder Vidalia und auch kein TOR-Browserbundle benutzt.
    Wenn man die torrc Konfigurationsdatei per Hand editiert, hat man VIEL mehr Kontrolle und Möglichkeiten bzgl. des Verhaltens von TOR.
    Ich hatte TOR als Relay mit Exit-Node eingerichtet und nur Verbindungen zu Europäischen Domain-Namen zugelassen. (wollte mich keiner unnötigen Gefahr wegen Kinderpornos usw. aussetzen., sprich: es waren nur DE, AT, CH, FR, IT, UK und US Domains erlaubt)
    Desweiteren habe ich ausschließlich Verbindungen über Port 80 erlaubt ... sprich unverschlüsselte HT TP Verbindungen.
    Dann habe ich mit Wireshark einfach alle Pakete mitgesnifft und als Filter "ht tp.request.method == "POST"" eingetragen.
    Da normalerweise POST Anfragen fast nur für Logins oder irgendwelche Aktivitäten, die ein Session-Cookie beinhalten, verwendet werden, konnte ich somit im Klartext alle Möglichen Passwörter und Session-Cookies mitlesen. Von Foren-Beiträgen, privaten Nachrichten und Mails mal ganz abgesehen.
    Ja, und mit dieser einfachen Kombination bin ich innerhalb von Minuten an Login-Daten gekommen.
    Zum Beispiel GF bietet ebenfalls kein SSL und das Login erfolgt hier im Klartext über HT TP Port 80 per POST Methode ... würdest du dich hier über TOR einloggen, hätte ich (oder jemand anderes, der einen Exit-Node betreibt) dein Passwort ergaunert.
    Dazu muss man sagen, dass dieses Mitsniffen von unverschlüsselten Verbindungen technisch weder detektier, noch blockierbar ist. Da kann das TOR Projekt auch nichts für ... ist einfach prinzipbedingt so. :)
    Die einzige Möglichkeit, wie du dich davor schützen kannst ist, immer nur über SSL verbinden (also deine Webadressen beginnen mit "ht tps" anstatt "ht tp")
    Ich würde behaupten, sich über TOR bei GuteFrage einzuloggen ist unsicherer, als am Berliner Hauptbahnhof ein offenes unverschlüsseltes WLAN zu benutzen. Die Wahrscheinlichkeit einer Man-In-The-Middle-Attacke halte ich dort für geringer.
    Wenn du dich schon jemals über TOR irgendwo eingeloggt hast, würde ich schleunigst meine Passwörter ändern ... bei TOR solltest du wirklich alles als kompromittiert ansehen.
    Es ist wirklich trivial einfach als TOR ExitNode mitzusniffen. Und - wie gesagt - da gibt es auch kein Mittel gegen.
    Dennoch bietet TOR natürlich sehr schöne Anonymittät ... und genau dafür ist TOR ja auch gemacht! :)
    Edit: Ich habe im obigen Text immer "ht tp" geschrieben ... das muss natürlich ohne Lücke geschrieben werden, aber der GF Parser ist zu dämlich und denkt es handele sich um Spam. Also bitte einfach das Leerzeichen wegdenken! :)

    Diedda 04.08.2014, 20:21
    ins Online-Banking oder irgendwo wo meine Daten sind
    Wie willst du denn anonym sein wenn du dich wo einloggst wo dein Klarname oder gar deine Bankdaten gespeichert sind ?!
    Wenn du einen Falschnamen bei Facebook hast und sonst auch keine anderen persönlichen Daten und dich dort bloß über Tor einloggst dann wäre das anonym insofern man deine echten persönlichen Daten nicht mit dem Account in Verbindung bringen könnte.
    Mit "Vidalia"
    Wie gesagt nur den Tor Browser (oder "TAILS"). Vidalia ist bloß eine grafische Benutzeroberfläche die du nicht brauchst.
    jeffrey94 05.08.2014, 18:44
    Wie kann ich denn, den "Weg" über den mein Internet-Traffic gehen soll steuern? Ich dachte das wäre mit "Vidalia" möglich?
    Wenn ich also z.B. über mehrere Länder gehen will und z.B. in der Schweiz herauskommen möchte (Exit-Node)?

    Diedda 05.08.2014, 19:07
    Das wird alles durch Tor automatisch geregelt, wenn du selbst was drann änderst (wie das Land deines Exit-Nodes), hat das bloß negative Auswirkungen auf den Grad deiner Anonymität.
    Ansonsten suchst du vielleicht nach einem VPN oder einem normalen Proxy ? Beides ist für 100%ige Anonymität nicht empfehlenswert, reicht im Normalfall aber, und da kannst du auch "vorgetäuschtes" Land angeben (bei bestimmten VPNs oder indem du eben einen Proxy eines bestimmten Landes benutzt)

    jeffrey94 05.08.2014, 20:46
    Der "automatisch" konfigurierte Tor Browser ist der "unsicherste".
    Man kann es - so wie ich höre - auch manuell festlegen und z.B. über 7 oder 8 Server gehen, so dass es dann noch schwieriger wird für eine Deanonymisierung, weil die Wahrscheinlichkeit dann einen "sauberen" Node zu erwischen höher ist. Und man einen "sauberen" Node erwischt, ist eine Deanonymisierung unmöglich, der Aufwand dazu immens groß.
    Deshalb verstehe ich nicht was für negative Auswirkungen es haben soll?
    Dann ist man doch noch sicherer.
    Soweit ich Bescheid weiß, bringen Proxy überhaupt nichts. Da gab es Tests.
    Ein VPN ist OK, und kann sogar mit Tor kombiniert werden. IP am Eintritts-Server wird anonymisiert. Und nur der VPN-Dienst kennt die echte IP, und hält dicht, außer vor richterlicher Anordnung und Nachrichtendiensten.
    Und jeder VPN-Dienst speichert die echte IP-Adresse und Log-Daten, ja jeder, es gibt keine Ausnahmen. Wer etwas anderes glaubt, ist naiv.
    Es ist klar, dass es keine 100%-Anonymität gibt. Aber es geht ja auch kein Mensch auf die Straße, und trägt ein Schild um den Kopf, mit Namen, Adresse, Surfgewohnheiten, Hobbys, letzten Einkäufen, usw.

    jeffrey94 06.08.2014
    Vielen Dank für die ausführliche Antwort und die Tipps! ;-)
    Kurze Nachfragen:
    Angenommen man loggt sich über das Tor-Netzwerk irgendwo ein, aber diese Login-Seite verfügt über SSL-Absicherung (https mit grünen Balken oder Schloss). Besteht dann ebenfalls die Gefahr sein Passwort zu offenbaren?

    TeeTier 10.08.2014, 15:16
    Der TOR-Browser hat immer dieses HTTPS-Anywhere-Addon installiert. D.h. wenn du eine Seite nur mit "ht tp" ohne SSL aufrufst, wird automatisch erst mal versucht, die sichere "ht tps" Variante zu laden. Schlägt dies fehl, wird unverschlüsselt verbunden.
    Das ist zwar sehr gut, aber dass kann man umgehen, indem man an einem manipulierten Exit-Node als MITM die SSL-Verschlüsselung entfernt. Unter Umständen muss man dann noch dynamisch ein paar JavaScripte umschreiben, da die oftmals zusätzlich überprüfen, ob die Verbindung sicher ist. Aber für beide Fälle gibt es fertige Skripte, die das ganze voll automatisch erledigen!
    Also wenn dein TOR Browser mit deiner Bank tatsächlich über SSL verbunden ist, sehe ich keine Möglichkeit, den Traffic mitzuschneiden. Aber a) halte ich SSL bzw. TLS nicht für das Maß aller Dinge, d.h. ob dort Sicherheitslücken bekannt sind oder werden, weiß ich nicht, und b) ist es - wie oben erwähnt - trivial einfach das "S" aus "HT TPS" zu entfernen! :)
    Normalerweise ist das TOR-Netzwerk darauf ausgelegt, solche Manipulationen zu erkennen und den entsprechenden Exit-Node dann auf die "Bad-Exit-Node-List" zu setzen. In der Realität sieht das dann aber so aus, dass ich fast eine Woche auf Teufel komm raus den Traffic manipuliert habe, und es wurde nicht entdeckt. Zudem ist die Bad-Exit-Node-Liste so kurz (Momentan nur knapp 5 Einträge!), dass ich mir nicht vorstellen kann, dass TOR hier über ein effektives Erkennungssystem verfügt.
    Also ich würde mich bei TOR auf nichts verlassen, und wenn ich unbedingt SSL benutzen muss, auch wirklich darauf achten, dass ich per SSL verbunden bin!
    Zu VPN: Die billigen VPN-Dienste kann man getrost alle als kompromitierte TOR-Exit-Nodes betrachten, die zumindest mitsniffen. Vor allem wenn man sich mal das Impressum von solchen Anbietern anguckt und feststellt, was die Betreiber für zwielichtige Typen sind. Vertrauen kann man solchen Diensten nicht! Das heißt zwar nicht, dass die alles mitsniffen, aber ich würde es tun, wenn ich ein chinesischer VPN-Anbieter wäre ... und sei es nur zum Spaß! :)
    Anders sieht es mit eigenen VPN-Servern aus, die man bei seriösen Providern gemietet hat. Dort ist die Wahrscheinlichkeit, dass jemand mitliest vermutlich nur minimal höher, als wenn du dich in Deutschland mit einem T-Online Anschluss verbindest ... mit anderen Worten: Kann man vernachlässigen! :)
    Also wirklich "vertrauen" würde ich weder TOR noch VPN ... wobei die Betonung hier auf TOR liegt. :)

    01.08.2014, 15:09
    Selbst wenn alle Knoten im Besitz eines Angreifers sind, auch dann ist es erst nach langer Analyse und statistischer Auswertung möglich eine Person gezielt zu identifizieren.
    Was du tun kannst ist den Exit-Node manuell zu bestimmen. Dann kommst du immer an dieser Stelle raus. Da kannst du einen wählen, wo man sich sicher sein kann, dass dieser vertrauenswürdig ist. Zum Beispiel den vom CCC.
    Dann sollte man auch nie seinen gesamten Traffic durch Tor leiten, da man sich so angreifbarer für statistische Analysen macht. Daher nur Tor benutzen wenn du bei was bestimmten unsichtbar bleiben willst.

    Tor-Browser 100%-anonym, gutefrage.net, 01.03.2015
    von TeeTier
    01.03.2015, 08:00
    Es gibt die Möglichkeit durch Timing-Unterschiede den Nutzer fast eindeutig zu enttarnen, wobei man den Traffic aber über mehrere Monate beobachten muss, was insgesamt sehr unwahrscheinlich ist, und auch nicht garantiert zu 100% funktioniert.
    Allerdings hat das FBI vor einer Weile ne Menge Kriminelle hochgenommen (Pedos oder Drogenverkäufer oder so), die über TOR kommuniziert haben. Das FBI hat nicht eindeutig verraten, wie sie das genau gemacht haben, und sogar die TOR-Entwickler selbst waren ratlos. Später kam raus, dass es offensichtlich über fehlkonfigurierte Hidden-Services gelang.
    Wie gesagt, das war vor ein paar Wochen ... und ich habe mich danach nicht mehr sonderlich um das Thema gekümmert, also kenne ich den aktuellen Stand leider nicht.
    Ich würde dringend davon abraten, sich einzig und allein auf TOR zu verlassen.
    JavaScript im TOR-Browser sollte man sowieso abschalten und die Anzahl der Hops in der torrc Konfigurationsdatei mindestens auf 5 erhöhen und darüber hinaus die möglichen Exit-Nodes auf eine Hand voll vertrauenswürdiger Betreiber (CCC z. B.) beschränken. Das geht alles nicht mit den grafischen Tools des TOR-Browser Bundles, aber im Internet gibt es Anleitungen für die Konfigurationsdatei ... ist alles eigentlich sehr einfach, und du brauchst nur einen Texteditor.
    Aber als "sicher" würde ich TOR nicht mal dann ansehen! :)
    Zum Schluss zitiere ich nochmal einen Golem-Artikel:
    Denn inzwischen haben mehrere Studien belegt, dass Nutzer im Tor-Netzwerk sehr wohl identifiziert werden können. Aber das Tor-Team behauptet auch gar nichts anderes. Es warnt immer wieder davor, sich nur auf Tor zu verlassen. Tor sei lediglich eines von vielen Werkzeugen, die erst in der Kombination effektiv vor der Enttarnung schützen könnten. Außerdem könnten Fehlkonfigurationen oder andere Unvorsichtigkeiten dazu führen, dass Dritte die anonymen Surfer identifizieren könnten.

    Schönen Tag noch! :)

    von unLieb
    01.03.2015, 07:43
    100 %ige Anonymität im Internet gibt es nicht! Man sieht ja dass ab und an sogar die versiertesten "Hacker" gebustet werden.

    von Ifm001, 01.03.2015, 08:28
    ... hättest Du aber auch selbst finden können.


    Tor und Proxys
    Tails: Das Anonyme Surf-Linux in der VM nutzen
    , PC-WELT.de, 26.10.2015
    Beim Surfen im Internet hinterlassen Sie Spuren in Form Ihrer IP. Mit Tails lässt sich die für andere aber nur schwer ermitteln.
    Tails steht für "The Amnesic Incognito Live System", und dieser Name beschreibt die wesentlichen Eigenschaften dieser Linux-Distribution. Tails geht nicht auf dem direkten Weg zur Website, die Sie anfordern, sondern über drei zufällige Zwischenstationen. Die Site erfährt daher nicht Ihre IP, sondern nur jene des letzten Vermittlungsknotens.. Tails nutzt dafür das Tor-Netzwerk und dessen Server. Vor dem Verbindungsaufbau erhält Ihr Rechner von einem Tor-Verzeichnis-Server eine Liste der derzeit verfügbaren Knoten. Der Tor-Client baut anschließend über den ersten Server eine verschlüsselte Verbindung auf. Die Daten fließen verschlüsselt über zwei weitere Tor-Server bis zur Zieladresse. Das Netzwerk Tor steht natürlich auch ohne das System Tails zur Verfügung. Tails nimmt Ihnen aber die Konfiguration ab, geht standardmäßig über Tor online und bietet weitere Sicherheit: Für die Verschlüsselung des eingesetzten Datenträgers kommt Luks zum Einsatz, beim Browser wird eine verschlüsselte Kommunikation priorisiert, und Mails werden mit Open PGP verschlüsselt. Ferner ist die Messenger-Kommunikation über OTR (Off-the-Record) abgesichert, und zusätzlich gibt es zum sicheren Löschen von Daten noch Nautilus Wipe ... , http://www.pcwelt.de/ratgeber/Tails-als-virtueller-PC-9827433.html.

    Tor Hidden Services: Über 100 spionierende Tor-Nodes, golem.de, 26.07.2016
    Mit Hilfe sogenannter Honions haben US-Forscher mindestens 110 Tor-Nodes identifizieren können, die offenbar aktiv versuchten, Tor Hidden Services auszuspähen. Wer sind die Urheber?

    Can you trust Tor´s exit nodes?, nakedsecurity.sophos.com, 06.25.2015
    Tor is the encrypted, anonymous way to browse the web that keeps you safe from prying eyes, right?
    Well, no, not always.
    Blogger and security researcher Chloe spent a month tempting unscrupulous Tor exit node operators with a vulnerable honeypot website to see if anyone was looking for passwords to steal.
    In all, the trap sprung for twelve exit nodes, raising a finger of suspicion for them and reminding us, that you can´t get complacent about security even if you´re using Tor.
    Tor is a bit of heavy duty open source security software that’s famously used to access anonymous, hidden services (the so-called Dark Web) but, more commonly, used as a way to access the regular internet anonymously and in a way, that´s resistant to surveillance.
    Tor (short for The Onion Router) works by sending your encrypted network traffic on an eccentric journey between Tor ‘nodes’. At each step along the way each Tor node helps keep you safe by never knowing what’s in your message and never knowing more about your data’s journey than the node it came from and the next one it’s going to.
    Eventually your network traffic leaves Tor"s safe embrace via an exit node - a gateway computer that decrypts your traffic, so it can rejoin the regular internet, before it arrives at its final destination.
    Anyone can set up an exit node and because it´s the place, where traffic is decrypted, anyone who runs an exit node can read the traffic passing through it.
    Bad exit nodes are entirely possible then, and bad news if they exist, but how do we find them?
    Chloe set up a fake website with a Bitcoin theme, downloaded a complete list of exit nodes and then logged in to the honeypot site multiple times via Tor, using a different exit node and a unique password each time.
    Crucially the usernames and passwords were sent over regular HTTP rather than encrypted HTTPS so that when Tor’s layers of encryption were peeled back they were visible in the stream of traffic.
    If the login attempts had gone unobserved and unabused then the total number of website visits and log in attempts recorded by the honeypot should have matched the number performed by Chloe exactly.
    They didn´t.

    Neue Dokumente belegen Überwachung: CCC erweitert Strafanzeige gegen Geheimdienste und Bundesregierung, 2014-07-16 00:09:00, henning
    Nachdem durch neue Veröffentlichungen bekannt wurde, dass Daten von und zu mindestens einem der Tor-Server, der vom Chaos Computer Club (CCC) in Deutschland betrieben wird, offenbar direkt in den Überwachungssystemen der NSA landen, sind Ermittlungen des Generalbundesanwalts Harald Range nun dringend geboten. Der CCC erweitert daher seine Strafanzeige vom Februar gegen die Verantwortlichen bei den Geheimdiensten und in der Bundesregierung um die neuen Fakten und fordert, die verbotene geheimdienstliche Agententätigkeit gegen den CCC und alle betroffenen Nutzer des Anonymisierungsnetzwerks Tor zu ahnden. mehr …

    Chaos Computer Club klagt gegen GCHQ, 2014-07-02 09:00:00, erdgeist
    Zusammen mit sieben internationalen Organisationen legt der Chaos Computer Club (CCC) Beschwerde gegen die Programme des britischen Geheimdienstes GCHQ ein, die zum Angreifen und Ausspähen von Netzwerkinfrastruktur und persönlichen Daten von Millionen von Menschen genutzt werden. mehr …

    Tor-Weaknesses, en.wikipedia
    Like all current low-latency anonymity networks, Tor cannot and does not attempt to protect against monitoring of traffic at the boundaries of the Tor network (i.e., the traffic entering and exiting the network). While Tor does provide protection against traffic analysis, it cannot prevent traffic confirmation (also called end-to-end correlation).[90][91]
    In spite of known weaknesses and attacks listed here, a 2009 study revealed Tor and the alternative network system JonDonym (Java Anon Proxy, JAP) are considered more resilient to website fingerprinting techniques than other tunneling protocols.

    The reason for this is conventional single-hop VPN protocols do not need to reconstruct packet data nearly as much as a multi-hop service like Tor or JonDonym. Website fingerprinting yielded greater than 90% accuracy for identifying HTTP packets on conventional VPN protocols versus Tor which yielded only 2.96% accuracy. However some protocols like OpenSSH and OpenVPN required a large amount of data before HTTP packets were identified.

    Researchers from the University of Michigan developed a network scanner allowing identification of 86% of live Tor "bridges" with a single scan.
    Autonomous system (AS) eavesdropping

    If an autonomous system (AS) exists on both path segments from a client to entry relay and from exit relay to destination, such an AS can statistically correlate traffic on the entry and exit segments of the path and potentially infer the destination with which the client communicated. In 2012, LASTor proposed a method to predict a set of potential ASes on these two segments and then avoid choosing this path during path selection algorithm on client side. In this paper, they also improve latency by choosing shorter geographical paths between client and destination.

    Exit node eavesdropping
    In September 2007, Dan Egerstad, a Swedish security consultant, revealed he had intercepted usernames and passwords for e-mail accounts by operating and monitoring Tor exit nodes. As Tor cannot encrypt the traffic between an exit node and the target server, any exit node is in a position to capture traffic passing through it that does not use end-to-end encryption such as Secure Sockets Layer (SSL) or Transport Layer Security (TLS). While this may not inherently breach the anonymity of the source, traffic intercepted in this way by self-selected third parties can expose information about the source in either or both of payload and protocol data.[96] Furthermore, Egerstad is circumspect about the possible subversion of Tor by intelligence agencies:

    "If you actually look in to where these Tor nodes are hosted and how big they are, some of these nodes cost thousands of dollars each month just to host because they´re using lots of bandwidth, they´re heavy-duty servers and so on. Who would pay for this and be anonymous?"

    In October 2011, a research team from ESIEA claimed to have discovered a way to compromise the Tor network by decrypting communication passing over it. The technique they describe requires creating a map of Tor network nodes, controlling one third of them, and then acquiring their encryption keys and algorithm seeds. Then, using these known keys and seeds, they claim the ability to decrypt two encryption layers out of three. They claim to break the third key by a statistical-based attack. In order to redirect Tor traffic to the nodes they controlled, they used a denial-of-service attack. A response to this claim has been published on the official Tor Blog stating these rumours of Tor´s compromise are greatly exaggerated.
    Traffic-analysis attack
    There are two methods of traffic-analysis attack, passive and active. In passive traffic-analysis method, the attacker extracts features from the traffic of a specific flow on one side of the network and looks for those features on the other side of the network. In active traffic-analysis method, the attacker alters the timings of the packets of a flow according to a specific pattern and looks for that pattern on the other side of the network; therefore, the attacker can link the flows in one side to the other side of the network and break the anonymity of it. It is shown, although timing noise is added to the packets, there are active traffic analysis methods robust against such a noise.
    Steven J. Murdoch and George Danezis from University of Cambridge presented an article at the 2005 IEEE Symposium on security and privacy on traffic-analysis techniques that allow adversaries with only a partial view of the network to infer, which nodes are being used to relay the anonymous streams. These techniques greatly reduce the anonymity provided by Tor. Murdoch and Danezis have also shown that otherwise unrelated streams can be linked back to the same initiator. This attack, however, fails to reveal the identity of the original user. Murdoch has been working with and has been funded by Tor since 2006.
    Tor exit node block
    Operators of Internet sites have the ability to prevent traffic from Tor exit nodes or to offer reduced functionality to Tor users. For example, it is not generally possible to edit Wikipedia when using Tor or when using an IP address also used by a Tor exit node, due to the use of the TorBlock MediaWiki extension, unless an exemption is obtained. The BBC blocks the IP addresses of all known Tor guards and exit nodes from its iPlayer service - however relays and bridges are not blocked.
    Bad apple attack
    In March 2011, researchers with the Rocquencourt French Institute for Research in Computer Science and Automation (Institut national de recherche en informatique et en automatique, INRIA), documented an attack that is capable of revealing the IP addresses of BitTorrent users on the Tor network. The "bad apple attack" exploits Tor´s design and takes advantage of insecure application use to associate the simultaneous use of a secure application with the IP address of the Tor user in question. One method of attack depends on control of an exit node or hijacking tracker responses, while a secondary attack method is based in part on the statistical exploitation of distributed hash table tracking. According to the study:
    The results presented in the bad apple attack research paper are based on an attack in the wild launched against the Tor network by the authors of the study. The attack targeted six exit nodes, lasted for twenty-three days, and revealed a total of 10,000 IP addresses of active Tor users. This study is significant because it is the first documented attack designed to target P2P file-sharing applications on Tor.[104] BitTorrent may generate as much as 40% of all traffic on Tor. Furthermore, the bad apple attack is effective against insecure use of any application over Tor, not just BitTorrent.
    Some protocols expose IP addresses
    Researchers from the French Institute for Research in Computer Science and Automation (INRIA) showed that the Tor dissimulation technique in BitTorrent can be bypassed by attackers controlling a Tor exit node. The study was conducted by monitoring six exit nodes for a period of twenty-three days. Researches used three attack vectors.
    Inspection of BitTorrent control messages
    Tracker announces and extension protocol handshakes may optionally contain client IP address. Analysis of collected data revealed that 35% and 33% of messages, respectively, contained addresses of clients.
    Hijacking tracker´s responses
    Due to lack of encryption or authentication in communication between tracker and peer, typical man-in-the-middle attacks allow attackers to determine peer IP addresses and even verify the distribution of content. Such attacks work when Tor is used only for tracker communication.
    Exploiting distributed hash tables (DHT)
    This attack exploits the fact that distributed hash table (DHT) connections through Tor are impossible, so an attacker is able to reveal a target´s IP address by looking it up in the DHT even if the target uses Tor to connect to other peers.
    With this technique, researchers were able to identify other streams initiated by users, whose IP addresses were revealed.
    Sniper attack
    Jansen et al., describe a DDoS attack targeted at the Tor node software, as well as defenses against that attack and its variants. The attack works using a colluding client and server, and filling the queues of the exit node until the node runs out of memory, and hence can serve no other (genuine) clients. By attacking a significant proportion of the exit nodes this way, an attacker can degrade the network and increase the chance of targets using nodes controlled by the attacker.
    Heartbleed bug
    The Heartbleed OpenSSL bug disrupted the Tor network for several days in April 2014 while private keys were renewed. The Tor Project recommended Tor relay operators and hidden service operators revoke and generate fresh keys after patching OpenSSL, but noted Tor relays use two sets of keys and Tor´s multi-hop design minimizes the impact of exploiting a single relay.[108] 586 relays later found to be susceptible to the Heartbleed bug were taken off-line as a precautionary measure.
    Relay early traffic confirmation attack
    On 30 July 2014 the Tor Project issued a security advisory "´relay early´ traffic confirmation attack" in which the project discovered a group of relays that tried to deanonymize hidden service users and operators.[113] In summary, the attacking hidden service directory node changed the headers of cells being relayed tagging them as "relay" or "relay early" cells differently to encode additional information and sent them back to the requesting user/operator. If the user´s/operator´s guard/entry node was also part of the attacking relays, the attacking relays might be able to capture the IP address of the user/operator along with the hidden service information that the user/operator was requesting. The attacking relays were stable enough to achieve being designated as "suitable as hidden service directory" and "suitable as entry guard"; therefore, both the hidden service users and the hidden services might have used those relays as guards and hidden service directory nodes.
    The project discovered that the attacking nodes joined the network early in the year on 30 January and the project removed them on 4 July.[ Although when the attack began was unclear, the project implied that between February and July, hidden service users´ and operators´ IP addresses might be exposed.
    In the same advisory, the project mentioned the following mitigations for the attack besides removing the attacking relays from the network

    patched relay software to prevent relays from relaying cells with "relay early" headers that were not intended
    planned update for users´ proxy software so that they could inspect if they received "relay early" cells from the relays (as they are not supposed to), along with the settings to connect to just one guard node instead of selecting randomly from 3 to reduce the probability of connecting to an attacking relay
    recommended that hidden services might want to change their locations
    reminded users and hidden service operators that Tor could not prevent deanonymization if the attacker controlled or could listen to both ends of the Tor circuit, the class of attack that this attack belonged to

    In November 2014 there was speculation in the aftermath of Operation Onymous, resulting in 17 arrests internationally, that a Tor weakness had been exploited. A representative of Europol was secretive about the method used, saying: "This is something we want to keep for ourselves. The way we do this, we can´t share with the whole world, because we want to do it again and again and again."A BBC source cited a "technical breakthrough"[33] that allowed the tracking of the physical locations of servers, and the number of sites that police initially claimed to have infiltrated led to speculation that a weakness in the Tor network had been exploited. This possibility was downplayed by Andrew Lewman, a representative of the Tor project, suggesting that execution of more traditional police work was more likely.
    However, in November 2015 court documents on the matter[34] generated serious [34] aconcerns about security research ethics and the right of not being unreasonably searched guaranteed by the US Fourth Amendment. Moreover, the documents along with expert opinions may also show the connection between the network attack and the law enforcement operation including:

    the search warrant for an administrator of Silkroad 2.0 indicated that from January 2014 until July, the FBI received information from "university-based research institute" with the information being "reliable IP addresses for TOR and hidden services such as SR2" that led to the identification of "at least another seventeen black markets on TOR" and "approximately 78 IP addresses that accessed a vendor .onion address." One of these IP addresses led to the arrest of the administrator
    the chronology and nature of the attack fitted well with the operation
    a senior researcher of International Computer Science Institute, part of University of California, Berkeley, said in an interview that the institute which worked with the FBI was "almost certainly" Carnegie Mellon University (CMU), and this concurred with the Tor Project´s assessment and with an earlier analysis of Edward Felten, a computer security professor at Princeton University, about researchers from CMU´s CERT/CC being involved

    In his analysis published on 31 July, besides raising ethical issues, Felten also questioned the fulfilment of CERT/CC´s purposes which were to prevent attacks, inform the implementers of vulnerabilities, and eventually inform the public. Because in this case, CERT/CC´s staff did the opposite which was to carry out large-scale long-lasting attack, withhold vulnerability information from the implementers, and withhold the same information from the public.
    CERT/CC is a non-profit, computer security research organization publicly funded through the US federal government.
    Further information: CERT Coordination Center § Operation Onymous, and Operation Onymous § Tor 0-day exploit
    Mouse fingerprinting
    In March 2016 a security researcher based in Barcelona, demonstrated laboratory techniques using time measurement via JavaScript at the 1-millisecond level could potentially identify and correlate a user´s unique mouse movements provided the user has visited the same "fingerprinting" website with both the Tor browser and a regular browser.This proof of concept exploits the "time measurement via JavaScript" issue which has been an open ticket on the Tor Project for ten months.
    Circuit fingerprinting attack
    In 2015, the administrators of Agora, a darknet market, announced they were taking the site offline in response to a recently discovered security vulnerability in Tor. They did not say what the vulnerability was, but Wired speculated it was the "Circuit Fingerprinting Attack" presented at the Usenix security conference.

    TOR Good Exit Nodes, privacy-handbuch.de
    IT-Sicherheitsforscher haben mehrfach nachgewiesen, dass es recht einfach möglich ist, mit schnüffelnden Exits Informationen über die Nutzer zu sammeln (D. Egerstad 2007, C. Castelluccia 2010). Man kann davon ausgehen, dass verschiedene Organisationen mit unterschiedlichen Interessen im Tor Netz nach Informationen phishen. Auch SSL-ver­schlüsselte Verbindungen sind nicht 100% geschützt. C. Soghoian und S. Stamm haben in einer wiss. Arbeit gezeigt, dass Geheimdienste wahrscheinlich in der Lage sind, gültige SSL-Zertifikate zu faken.
    Als Verteidigung könnte man in der Tor-Konfiguration Exit Nodes angeben, denen man vertraut und ausschließlich diese Nodes als Exit-Nodes nutzen. Welche Nodes vertrauens­würdig sind, muss jeder Nutzer selbst entscheiden. Die folgende kurze Liste soll Anregungen zum Nachdenken liefern. Man sollte möglichst viele Tor Exit Nodes verwenden.

    From the map it is clear to see the high concentration of Tor exit nodes within Europe, once you start to zoom in and see the European nodes it is clear there is quite a spread of locations where the Tor nodes are operating.

    Some Tor exit nodes attempt to spy on encrypted traffic
    Computer scientists found almost 20 exit relays in the Tor anonymity network that attempted to spy on users encrypted traffic using man-in-the-middle techniques.

    Researchers find over 100 spying Tor nodes that attempt to compromise darknet sites
    The lack of exit nodes means that if you run an exit node and want to spy on people, you can see an appreciable fraction of all the Tor traffic that goes to and from the public internet.

    Rund 1.000 Exit Nodes gibt es derzeit weltweit, betrieben werden sie von Freiwilligen, ZEIT.de, 24.01.2014
    . 22 dieser Exit Nodes aber tun genau das, wovor sich Tor-Nutzer schützen wollen - sie spionieren den Verkehr, der über sie läuft, aus. Laut Lindskog und Winter versuchen sie zu erkennen, welche Daten zwischen Nutzer und seinem Ziel hin- und hergeschickt werden. Das tun sie selbst dann, wenn die Verbindung zum Ziel per HTTPS verschlüsselt ist. In dem Fall versuchen die 22 Server, die Verschlüsselung mit speziellen Attacken aufzubrechen und aus einer gesicherten Verbindung eine ungesicherte zu machen. Unter bestimmten Umständen funktioniert so etwas.
    Wer hinter den 22 Servern steckt, die größtenteils in Russland stehen, ist unklar. In den Zeiten des NSA-Skandals liegt es nahe, einen Geheimdienst zu verdächtigen, und tatsächlich gibt es diese Theorie schon seit Jahren. Philipp Winter glaubt nicht daran. "Organisationen wie die NSA haben Zugriff auf weite Teile der Internetinfrastruktur", sagte er Ars Technica, "sie haben es deshalb schlicht nicht nötig, Tor Exit Nodes zu betreiben." Ihr Zugriff auf die globale Infrastruktur erlaube es theoretisch, Tor-Nutzer mit statistischen Verfahren zu identifizieren. Winter glaubt vielmehr, "dass die Attacken überwiegend von Individuen kommen, die damit herumexperimentieren". Was bedeutet die Untersuchung der beiden Schweden nun für Tor-Nutzer? Das versucht Winter in einem Blogpost beim Tor-Projekt zu erklären. Zunächst beruhigt er: Die Chance, einen der korrupten Ausgangsknoten zugeteilt zu bekommen, sei gering. Es gebe schließlich nur wenige von ihnen und zudem sucht die Tor-Software bevorzugt solche Austrittspunkte, die viel Bandbreite bereitstellen. Das treffe auf die gefährlichen Server aber nicht zu.
    https://www.zeit.de/digital/datenschutz/2014-01/spionierende-exit-nodes-im-tor-netz-entdeckt/seite-2etrieben werden sie von Freiwilligen, ZEIT.de, 24.01.2014
    . 22 dieser Exit Nodes aber tun genau das, wovor sich Tor-Nutzer schützen wollen - sie spionieren den Verkehr, der über sie läuft, aus. Laut Lindskog und Winter versuchen sie zu erkennen, welche Daten zwischen Nutzer und seinem Ziel hin- und hergeschickt werden. Das tun sie selbst dann, wenn die Verbindung zum Ziel per HTTPS verschlüsselt ist. In dem Fall versuchen die 22 Server, die Verschlüsselung mit speziellen Attacken aufzubrechen und aus einer gesicherten Verbindung eine ungesicherte zu machen. Unter bestimmten Umständen funktioniert so etwas.
    Wer hinter den 22 Servern steckt, die größtenteils in Russland stehen, ist unklar. In den Zeiten des NSA-Skandals liegt es nahe, einen Geheimdienst zu verdächtigen, und tatsächlich gibt es diese Theorie schon seit Jahren. Philipp Winter glaubt nicht daran. "Organisationen wie die NSA haben Zugriff auf weite Teile der Internetinfrastruktur", sagte er Ars Technica, "sie haben es deshalb schlicht nicht nötig, Tor Exit Nodes zu betreiben." Ihr Zugriff auf die globale Infrastruktur erlaube es theoretisch, Tor-Nutzer mit statistischen Verfahren zu identifizieren. Winter glaubt vielmehr, "dass die Attacken überwiegend von Individuen kommen, die damit herumexperimentieren". Was bedeutet die Untersuchung der beiden Schweden nun für Tor-Nutzer? Das versucht Winter in einem Blogpost beim Tor-Projekt zu erklären. Zunächst beruhigt er: Die Chance, einen der korrupten Ausgangsknoten zugeteilt zu bekommen, sei gering. Es gebe schließlich nur wenige von ihnen und zudem sucht die Tor-Software bevorzugt solche Austrittspunkte, die viel Bandbreite bereitstellen. Das treffe auf die gefährlichen Server aber nicht zu.

    Liste bekannter Tor Bad Exit Nodes (unvollständig), privacy-handbuch.de, Jahr 2016
    1. Die folgenden Nodes wurde dabei erwischt, den Exit Traffic zu modifizieren, z.B Javascript in abgerufene Websites einzuschmuggeln. Dabei handelte es sich zumeist um Werbung oder Redirects auf andere Seiten.

    2. Die folgenden Nodes wurden bei dem Versuch erwischt, SSL-Zertifikate zu fälschen, um den verschlüsselten Traffic mitlesen zu können:

    3. Im Februar/März 2012 haben mehrere Exit-Nodes in einer konzertierten Aktion die HTTPS-Links in Web­seiten durch HTTP-Links ersetzt. Wie man damit erfolgreich die SSL-Verschlüsselung ausgehebeln kann, wurde auf der Black Hack 2009 demonstriert. Die Software für diesen Angriff heisst "ssl-stripe" und ist als Open Source verfügbar.

    4. Im Juli 2014 wurden 115 Tor-Nodes auf die schwarze Liste gesetzt, die mit einer Kombination von Traffic Confirmation Attack und Sybill Attack versuchten, Tor Hidden Services zu lokalisieren und Nutzer von Tor Hidden Services zu deanonymisieren. TorProject.org hat eine Warnung publiziert: While we don't know when they started doing the attack, users who operated or accessed hidden services from early February through July 4 should assume they were affected .... Hidden service operators should consider changing the location of their hidden service.

    5. Möglicherweise wurden die von diesen Bad Nodes gesammelten Daten für die Operation Ononymous des FBI genutzt, um 410 illegale Tor Hidden Services abzu­schalten, u.a. die Drogenmarktplätze Silk Road 2.0, Cloud 9, Hydra, Pandora, Blue Sky, Topix, Flugsvamp, Cannabis Road, und Black Market.

    6. Im Oktober 2014 wurde ein Tor Exit Node aufgespürt, der Windows Binaries (z.B. DLLs oder EXE-Dateien) beim Download on-the-fly mit dem Trojaner OnionDuke infizierte, einer Variation der russischen Cyberwaffe MiniDuke. Der Trojaner sammelte Login Daten und spionierte die Netzwerkstruktur der Opfer aus. F-Secure konnten die ersten Infektionen mit OnionDuke auf Oktober 2013 datieren. Der Bad Exit Node wurde nur gefunden, weil ein Sicherheitsforscher gezielt nach diesem Angriff suchte. Im April 2015 wurden 70 Bad Tor Nodes identifiziert, die den Hidden E-Mail Service SIGAINT angegriffen hatten. Die Betreiber von SIGAINT warnen, dass es den Angreifern gelungen ist, den Tor Hidden Service mit einem man-in-the-middle Angriff zu kompromittieren und Daten inklusive Login Credentials mitzulesen.

    "I think we are being targeted by some agency here. That´s a lot of exit nodes."

    Diese 70 Tor Nodes meldeten sich innerhalb eines Monats kurz vor dem Angriff als neue Tor Nodes im Netzwerk an. 31 weitere Nodes stehen noch in dem Verdacht, ebenfalls zu dieser Gruppe zu gehören, aber noch nicht aktiv angegriffen zu haben.

    7. Um passiv schnüffelnde Tor Exit Nodes in eine Falle tappen zu lassen, hat Chloe im Juni 2015 einen Honigtopf aufgestellt und 11 passiv schnüffelnde Exit Nodes auf­gespürt. Zwei der elf Nodes hatten Guard Status. Im März 2016 haben 14 Bad Exit Nodes in einer konzertierten Aktion versucht, sich als man-in-the-middle in STARTTLS Verschlüsselung einiger Jabber/XMPP Server ein­zu­schleichen. Folgende Jabber Server waren von dem Angriff betroffen:

    8. Tor Exit Nodes aus dem Iran sind generell als Bad Exits markiert. Diese Nodes unterliegen der iranischen Zensur. Au&zslig;erdem wird beim Aufruf von Webseiten über diese Nodes von der staatlichen Firewall ein unsichtbarer IFrame aus dem Hidden Internet of Iran eingefügt.

    9. Die Unterlagen des Whistleblowers E. Snowden haben bestätigt, dass NSA und GCHQ passiv schnüffelnde Exit-Nodes betreiben. Die NSA soll damals 10-12 leistungsfähige Tor-Server genutzt haben (aktuelle Angriffe zeigen, dass es inzwischen deutlich mehr sein müssen). Zum Engagement des GSHQ wurden keine Zahlen bekannt.

    Europol betreibt seit Jahren ein Projekt mit dem Ziel "to provide operational intelligence related to TOR". Die Formulierung lässt vermuten, dass ebenfalls passiv schnüffelnde Exit-Nodes genutzt werden.

    Man kann davon auszugehen, dass die Geheimdienste verschiedener Länder ebenfalls im Tor-Netz aktiv sind und sollte die Hinweise zur Sicherheit beachten: sensible Daten nur über SSL-verschlüsselte Verbindungen übertragen, SSL-Warnungen nicht einfach wegklicken, Cookies und Javascript deaktivieren… Dann ist Tor für anonyme Kommunikation geeignet.
    Wie viele TOR-Knoten daher inzwischen von Geheimdiensten und Polizei betrieben werden, bleibt im Dunkeln. Sind es genügend, lassen sich Teilnehmer durch die Daten von Entry- und Exit-Nodes auch wieder deanonymisieren (die US-Regierung ist einer der Hauptsponsoren des TOR-Netzwerks). Und nicht zuletzt garantieren Zwischenknoten keine absolute Anonymität: Die Rückverfolgung einer Ausgangs-IP über mehrere Knoten hinweg ist sehr aufwendig, aber nicht unmöglich.

    Torservers.net ist eine (angeblich) vertrauenswürdige Organisation, die mehrere Exit-Nodes betreibt.
    Die von der Swiss Privacy Foundation betriebenen Tor Nodes sind vertrauenswürdig.
    Der CCC betreibt zur Zeit acht Tor Nodes (siehe Liste im Tor Atlas).
    Der Tor Node Digitalcourage3ip1 wird vom Verein Digitalcourage e.V. betrieben.
    Die Heinlein Support GmbH betreibt den Tor Node mailboxorg und empfiehlt die Konfiguration von MapAdresses in der torrc, so dass dieser Node als Exit Node für alle Mailbox.org Dienste genutzt wird. bitte selbst erweitern
    Bei der Auswahl der Server sollte man nicht einfach nach dem Namen im TorStatus gehen. Jeder Admin kann seinem Server einen beliebigen Namen geben und den Anschein einer vertrauens­würdigen Organisation erwecken. Die Identität des Betreibers sollte verifiziert werden, beispielsweise durch Veröffentlichung auf einer Website.
    In der Tor Konfigurationsdatei "/etc/tor/torrc" bzw. für das TorBrowserBundle in der Datei "<TorBrowserBundleVerzeichnis>/Browser/TorBrowser/Data/Tor/torrc" kann man die gewünschten Exit Nodes mit folgenden Optionen konfigurieren:

    OKTor- configuration file torrc (hardened) /etc/tor/torrc (not for TorBrowser, but TorDNS) and /home/toruser1/tor-browser_en-US/Browser/TorBrowser/Data/Tor/torrc ( for Tor with TorBrowser) :

    # This file was generated by Tor; if you edit it, comments will not be preserved
    # The old torrc file was renamed to torrc.orig.1 or similar, and Tor will ignore it
    ## Default SocksPort
    SocksPort auto IsolateDestAddr IsolateDestPort
    ## SocksPort for Tails-specific applications
    # SocksPort IsolateDestAddr IsolateDestPort
    ## SocksPort for the default web browser
    SocksPort auto IsolateSOCKSAuth KeepAliveIsolateSOCKSAuth
    ## Entry policies to allow/deny SOCKS requests based on IP address.
    ## First entry that matches wins. If no SocksPolicy is set, we accept
    ## all (and only) requests from SocksListenAddress.
    # SocksPolicy accept
    # SocksPolicy reject *
    ## Logs go to stdout at level "notice" unless redirected by something
    ## else, like one of the below lines. You can have as many Log lines as
    ## you want.
    ## We advise using "notice" in most cases, since anything more verbose
    ## may provide sensitive information to an attacker who obtains the logs.
    ## Send all messages of level ´notice´ or higher to /var/log/tor/notices.log
    #Log notice file /var/log/tor/notices.log
    ## Send every possible message to /var/log/tor/debug.log
    #Log debug file /var/log/tor/debug.log
    ## Use the system log instead of Tor´s logfiles
    #Log notice syslog
    ## To send all messages to stderr:
    #Log debug stderr
    ## Uncomment this to start the process in the background... or use
    ## --runasdaemon 1 on the command line. This is ignored on Windows;
    ## see the FAQ entry if you want Tor to run as an NT service.
    #RunAsDaemon 1
    ## The directory for keeping all the keys/etc. By default, we store
    ## things in DOLLARSIGNHOME/.tor on Unix, and in Application Data or on Windows.
    DataDirectory /var/lib/tor
    ## The port on which Tor will listen for local connections from Tor
    ## controller applications, as documented in control-spec.txt.
    # ControlPort 9051
    # ControlListenAddress
    ############### This section is just for location-hidden services ###
    ## Once you have configured a hidden service, you can look at the
    ## contents of the file ".../hidden_service/hostname" for the address
    ## to tell people.
    ## HiddenServicePort x y:z says to redirect requests on port x to the
    ## address y:z.
    #HiddenServiceDir /var/lib/tor/hidden_service/
    #HiddenServicePort 80
    #HiddenServiceDir /var/lib/tor/other_hidden_service/
    #HiddenServicePort 80
    #HiddenServicePort 22
    ################ This section is just for relays #####################
    ## See https://www.torproject.org/docs/tor-doc-relay for details.
    ## A unique handle for your server.
    #Nickname ididnteditheconfig
    ## The IP or FQDN for your server. Leave commented out and Tor will guess.
    #Address noname.example.com
    ## Define these to limit the bandwidth usage of relayed (server)
    ## traffic. Your own traffic is still unthrottled.
    ## Note that RelayBandwidthRate must be at least 20 KB.
    #RelayBandwidthRate 100 KBytes # Throttle traffic to 100KB/s (800Kbps)
    #RelayBandwidthBurst 200 KBytes # But allow bursts up to 200KB/s (1600Kbps)
    ## Contact info to be published in the directory, so we can contact you
    ## if your server is misconfigured or something else goes wrong.
    #ContactInfo Random Person ## You might also include your PGP or GPG fingerprint if you have one:
    #ContactInfo 1234D/FFFFFFFF Random Person #
    ## Required: what port to advertise for Tor connections.
    #ORPort 9001
    ## If you need to listen on a port other than the one advertised
    ## in ORPort (e.g. to advertise 443 but bind to 9090), uncomment the
    ## line below too. You´ll need to do ipchains or other port forwarding
    ## yourself to make this work.
    ## Uncomment this to mirror directory information for others. Please do
    ## if you have enough bandwidth.
    #DirPort 9030 # what port to advertise for directory connections
    ## If you need to listen on a port other than the one advertised
    ## in DirPort (e.g. to advertise 80 but bind to 9091), uncomment the line
    ## below too. You´ll need to do ipchains or other port forwarding yourself
    ## to make this work.
    ## Uncomment this if you run more than one Tor server, and add the
    ## nickname of each Tor server you control, even if they´re on different
    ## networks. You declare it here so Tor clients can avoid using more than
    ## one of your servers in a single circuit. See
    ## http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#MultipleServers
    #MyFamily nickname1,nickname2,...
    ## A comma-separated list of exit policies. They´re considered first
    ## to last, and the first match wins. If you want to _replace_
    ## the default exit policy, end this with either a reject *:* or an
    ## accept *:*. Otherwise, you´re _augmenting_ (prepending to) the
    ## default exit policy. Leave commented to just use the default, which is
    ## available in the man page or at https://www.torproject.org/documentation.html
    ## Look at https://www.torproject.org/faq-abuse.html#TypicalAbuses
    ## for issues you might encounter if you use the default exit policy.
    ## If certain IPs and ports are blocked externally, e.g. by your firewall,
    ## you should update your exit policy to reflect this -- otherwise Tor
    ## users will be told that those destinations are down.
    #ExitPolicy accept *:6660-6667,reject *:* # allow irc ports but no more
    #ExitPolicy accept *:119 # accept nntp as well as default exit policy
    #ExitPolicy reject *:* # no exits allowed
    ################ This section is just for bridge relays ##############
    ## Bridge relays (or "bridges" ) are Tor relays that aren´t listed in the
    ## main directory. Since there is no complete public list of them, even if an
    ## ISP is filtering connections to all the known Tor relays, they probably
    ## won´t be able to block all the bridges. Unlike running an exit relay,
    ## running a bridge relay just passes data to and from the Tor network --
    ## so it shouldn´t expose the operator to abuse complaints.
    #ORPort 443
    #BridgeRelay 1
    #RelayBandwidthRate 50KBytes
    #ExitPolicy reject *:*
    ################ Local settings ########################################
    ## Torified DNS
    DNSPort 5353
    AutomapHostsOnResolve 1
    AutomapHostsSuffixes .exit,.onion
    ## Transparent proxy
    TransPort 9040
    ## Misc
    ## We don´t care if applications do their own DNS lookups since our Tor
    ## enforcement will handle it safely.
    WarnUnsafeSocks 0
    ## Disable default warnings on StartTLS for email. Let´s not train our
    ## users to click through security warnings.
    WarnPlaintextPorts 23,109
    ## Tor 0.3.x logs to syslog by default, which we redirect to the Journal;
    ## but we have some code that reads Tor´s logs and only supports plaintext
    ## log files at the moment, so let´s keep logging to a file.
    # Log notice file /var/log/tor/log
    Sandbox 1 # On the system we introduced (el6, "universal") using Tor 7.5.6 (on the base of Tor-Browser Firefox ESR-52.9.0 ), sandbox works fine! If set to 1, Tor will run securely through the use of a syscall sandbox. Otherwise the sandbox will be disabled. To activate the sandbox successfully, for tor (el6) libseccomp (fc29 or some other version) has to be installed too.
    When the Sandbox is 1, the following options can not be changed when tor is running: Address ConnLimit CookieAuthFile DirPortFrontPage ExtORPortCookieAuthFile Logs ServerDNSResolvConfFile Tor must remain in client or server mode (some changes to ClientOnly and ORPort are not allowed). (Default: 0)
    ClientOnly 1
    AvoidDiskWrites 1
    DirReqStatistics 0
    Log notice stdout
    AllowSingleHopCircuits 0
    EnforceDistinctSubnets 1
    GeoIPExcludeUnknown 1
    UseEntryGuards 1
    NumEntryGuards 12
    StrictExitNodes 1
    StrictEntryNodes 1
    ExcludeNodes Unnamed,default,kasperskytor04,,tylerlockedotorg,,kebab,,RedOctober1917,dannenberg,,dizum,,Faravahar,,gabelmoo,fluxe4,,longclaw,,maatuska,,moria1,,tor26,,Tonga,,CorryL,tortila,whistlersmother,BlueMoon,TRHCourtney01
    ExcludeExitNodes {ag},{al},{am},{ar},{ba},{bb},{bd},{bf},{bg},{bj},{bo},{br},{bt},{bw},{bz},{ci},{dm},{do},{ec},{fj},{gd},{ge},{gh},{gn},{gr},{gw},{gy},{hk},{hr},{ht},{hu},{il},{in},{it},{jm},{jp},{ke},{kg},{ki},{km},{kn},{kr},{kw},{lb},{lc},{lr},{ls},{md},{me},{mg},{mn},{mo},{mu},{mv},{mw},{mz},{na},{ne},{ni},{np},{nr},{pa},{pe},{pg},{py},{sb},{sc},{sl},{sn},{tg},{tl},{tn},{to},{tt},{tw},{tv},{tz},{va},{vc},{ws},{yt},{za},{zm}
    ExcludeNodes {us},{ca},{gb},{hk},{in},{il},{jm},{ke},{ki},{kr},{kw},{mh},{mt},{mc},{nz},{nf},{om},{pa},{ph},{pr},{rw},{ws},{lk},{kn},{sd},{sr},{th},{ac},{af},{ax},{al},{dz},{ad},{ao},{ai},{aq},{ag},{ar},{am},{aw},{au},{at},{az},{bs},{bh},{bd},{bb},{by},{be},{bz},{bj},{bm},{bt},{bo},{ba},{bw},{bv},{br},{io},{vg},{bn},{bg},{bf},{bi},{kh},{cm},{cv},{cf},{ky},{td},{cl},{cx},{cc},{co},{km},{cg},{cd},{ck},{cr},{ci},{hr},{cu},{cy},{dj},{dm},{do},{tp},{ec},{eg},{sv},{gq},{et},{fk},{fo},{fj},{gf},{pf},{tf},{ga},{gm},{ge},{gh},{gi},{gr},{gl},{gd},{gp},{gu},{gt},{gn},{gw},{gy},{ht},{hm},{hn},{is},{id},{iq},{im},{il},{it},{jm},{jp},{jo},{kz},{kg},{la},{lb},{ls},{lr},{ly},{lt},{mo},{mk},{mg},{mw},{my},{mv},{ml},{mq},{mr},{mu},{yt},{mx},{fm},{md},{mc},{mn},{me},{ms},{ma},{mz},{mm},{na},{nr},{np},{nc},{nz},{ni},{ne},{ng},{nu},{nf},{mp},{om},{pw},{ps},{pa},{pg},{py},{pe},{pn},{pt},{qa},{re},{rw},{ws},{sm},{st},{sa},{sn},{rs},{sl},{sg},{sk},{si},{sb},{so},{as},{za},{gs},{lk},{lc},{pm},{vc},{sd},{sr},{sj},{sz},{sy},{tw},{tj},{tz},{th},{tg},{tk},{to},{tt},{tn},{tm},{tc},{tv},{ug},{ae},{um},{uy},{uz},{vu},{va},{ve},{vi},{wf},{eh},{ye},{zm},{no} # beachte: ExcludeNodes in nur einer einzigen Zeile abspeichern!
    EntryNodes $7B28971D4A29995784E3066B9D87E42E9C685F3A,,$03dc081e4409631006efcd3af13afaaf2b553ffc,togma2,ori,freki,tollana,ATZv5,freebird32,leonide,behrmann,mccowan# erste drei: torified;pairoj,krigernes, verwende nur Fingerprints! Alle EntryNodes in nur einer einzigen Zeile eintragen!
    ExcludeExitNodes {us},{ca}
    ExitNodes bonjour,bonjour2,edwardsnowden0,edwardsnowden1,edwardsnowden2,EdSnowdenIsAHero,MyHeroEdSnowden,ForEdSnowden,sarahmanning,anglinajolie,exit3,exit4,cry,amartysen,onyx,argon,TheEpTicScal4s,giovanna,hers,RainerWinkler,MYLEX,che,SPECTRE,weizenbaum2,weizenbaum3,cryptocrax0r,Thadassa,sofia,FreeTheInternet,Digitalcourage3ip1,Digitalcourage3ip2,Digitalcourage3ip3,ThankYouMrSnowden,tor4thepeople1,tor4thepeople2,tor4thepeople3,TheRaspberryRelay,RaspiTorL,CHraspiRelay,RaspScai,Raspi53Tor,OnionRaspberrySoup,RASPdatenschleuder,dasikerasp,rasptorpipi,rasptorpipi2,raspi2,SweRaspiTor3,anotherrasptorrelay,StrictlyUselessPi,TORonCENTOS,tux3,saveyourprivacyexit,saveyourprivacyex1,HelpCensoredOnes,DigiGesTor1e1,DigiGesTor1e2,DigiGesTor1e3,DigGesTor3e1,DigiGesTor3e2,DigiGesTor3e3,DigiGesTor4e1,DigiGesTor4e2,DigiGesTor4e3,DigiGesTor4e4,DigiGesTor5e1,DigiGesTor5e2,DigiGesTor5e3,DigiGesTor5e4,DFRI0,DFRI1,DFRI2,DFRI3,DFRI4,DFRI5,DFRI6,DFRI7,PiratenparteiNRW,Piratenpartei1,Piratenpartei2,Piratenpartei3,Piratenpartei4,Piratenpartei5,Elenagb,marylou1,marylou2,marcuse1,marcuse2,ori,freki,tollana,PrivacyRepublic0001,PrivacyRepublic0002,PrivacyRepublic0003,nickesrelay1,nickesrelay2,nickesrelay3,nickesrelay4,chaoscomputerclub1,FoeBud3,hviv100,hviv104,hviv105,hviv113,hviv114,hviv115,hviv116,hviv117,hviv118,hviv119,hviv120,hviv121,hviv122,hviv123,hviv124,hviv125,hviv126,hviv127,hviv128,mdfnet1,mdfnet2,mdfnet3,ekumen,AlGrothendiek,taz,tazzwei,radieschen,erbse,steinpilz,parasol,parasol2,sellerie,karfiol,fenchel,kaeferbohne,kukuruz,kohlrabi,broccoli,paprika,rucola,erdapfel,zucchini,paradiser,gurke,karotte,VS,tortoise,puertasecreta,marschiertor,ponttor,relay0vpsfree0cz,AnonymousCluster1,FFHBerlin,Smeerboel,DanWin1210,Deteros,jowi,plan9rijk,hsjeufh24h6,Truie,PulseboxExit,torminator,RelayRouter,RouterRelay,puertasecreta,AnonymTorProxy2,PubliusAnonymous,toreffiorg,anonymouseTheFirst,pinkpie,birnenpfeffimitzimt,ENiGMA,Quake,TorExitFinland,ipheiboqu8oorai8Ais,AccessNow001,AccessNow002,AccessNow003,AccessNow004,AccessNow005,AccessNow006,AccessNow007,AccessNow008,AccessNow009,AccessNow010,truie,RSFPressFreedom,politkovskaja,amazonas,amartysen,as44194a36s01,F3Netze,0x3d005,alsaceonion,alsaceonionb,heine,heineb,Humboldt,Humboldt2,rehm,jelle01,jelle02,kramse,kramse2,kramse3,Thor,SwissPrivacyLab01,SwissPrivacyLab02,SwissPrivacyLab03,SwissPrivacyLab04,SwissPrivacyLab05,SwissPrivacyLab06,SwissPrivacyLab07,SwissPrivacyLab08,swrelay1,OdyX,ibksturm,vadius45CH,NoSpyOrg,orilla,destiny,chulak,aurora,assk,alf,sofia,politkovskaja,lumumba,HaveHeart,hessel0,hessel1,hessel2,atticus,blanqui,thoreau,enjolras,luxemburg,wagtail,startor0se,startor0lv,apx1,apx2,apx3,cherryjam,cherryjam1,cherryjam2,cherryjam3,vikingolaf,vikinguthar,vikinghelga,vikingbjorn,pairoj,mccowan,krigernes,Freya,Vor,Tyr,Mani,Hlin,Forseti,Mimir,Eir,Fulla,Sif,weepy,LinuxLanNetDUS,Spigen,torvic,Somone,scenics1,scenics2,electricdreams1,electricdreams2,electricdreams3,schimkus,TeamAnonymizer1337,TeamAnonymizer1338,marla,onemoretorserver1,otheontelth,marsbarsarethars,scurra,ctr0003,1ofMany,Quincy,tormachine,torexit42,TORKeFFORG,grenouille,DUS002TORS001,csUniHB,CENSURFRITITDKEXIT1,CENSURFRITITDKEXIT2,CENSURFRITITDKEXIT3,Hydra2,orwell38,relay0vpsfree0cz,Lule,TORKeFFORG,servbr1,servbr2,servbr3,servbr4,servbr4,servbr6,servbr7,servbr8,servbr9,servbr10,servbr11,servbr12,FelixIO,effiorg1984,RandomRelay,avokado,tor26,relay0vpsfree0cz,Homwer,TorScale,Freiheit,iriseden,Teinetteiine,SignalCenterExit1,SignalCenterExit2,SignalCenterExit3,tOr,QuarkGluontor,KonradAdenauer,StarlightGlimmer, energy, 0x112B6D0, zwiebeltoralf, naiveTorer, humboldt, Arrakis, bork,$9BDF3EEA1D33AA58A2EEA9E6CA58FB8A667288FC,$1A1DA6B9F262699A87F9A4F24EF48B50148EB018,$31A993F413D01E68117F76247E4F242095190B87,,,,,$85D4088148B1A6954C9BFFFCA010E85E0AA88FF0,$39659458160887CC8A46FAE627EE01EEDAAED07F,$0111BA9B604669E636FFD5B503F382A4B7AD6E80,,,,$88487BDD980BF6E72092EE690E8C51C0AA4A538C,$9EAD5B2D3DBD96DBC80DCE423B0C345E920A758D,$95DA61AEF23A6C851028C1AA88AD8593F659E60F,$95DA61AEF23A6C851028C1AA88AD8593F659E60F,$487092BA36F4675F2312AA09AC0393D85DAD6145,,$2DDAC53D4E7A556483ACE6859A57A63849F2C4F6,,$6D3EE5088279027AD8F64FF61A079DC44E29E3DF,$9E9FAD3187C9911B71849E0E63F35C7CD41FAAA3,,,{cz},{es},{se},{fi},{lu},{mn} # in one line only!
    ExcludeExitNodes {us},{ca},{gb},{ro},{hk},{in},{il},{jm},{ke},{ki},{kr},{kw},{mh},{mt},{mc},{nz},{nf},{om},{pa},{ph},{pr},{rw},{ws},{lk},{kn},{sd},{sr},{th},{ac},{af},{ax},{al},{dz},{ad},{ao},{ai},{aq},{ag},{ar},{am},{aw},{at},{az},{bs},{bh},{bd},{bb},{by},{bz},{bj},{bm},{bt},{bo},{ba},{bw},{bv},{br},{io},{vg},{bn},{bg},{bf},{bi},{kh},{cm},{cv},{cf},{ky},{td},{cl},{cx},{cc},{co},{km},{cg},{cd},{ck},{cr},{ci},{hr},{cu},{cy},{dj},{dm},{do},{tp},{ec},{eg},{sv},{gq},{et},{fk},{fo},{fj},{gf},{pf},{tf},{ga},{gm},{ge},{gh},{gi},{gl},{gd},{gp},{gu},{gt},{gn},{gw},{gy},{ht},{hm},{hn},{is},{id},{iq},{im},{il},{jm},{jp},{jo},{kz},{kg},{la},{lb},{ls},{lr},{ly},{lt},{mo},{mk},{mg},{mw},{my},{mv},{ml},{mq},{mr},{mu},{yt},{mx},{fm},{md},{mc},{me},{ms},{ma},{mz},{mm},{na},{nr},{np},{nc},{nz},{ni},{ne},{ng},{nu},{nf},{mp},{om},{pw},{ps},{pa},{pg},{py},{pe},{pn},{pt},{qa},{re},{rw},{ws},{sm},{st},{sa},{sn},{rs},{sl},{sg},{sk},{si},{sb},{so},{as},{za},{gs},{lk},{lc},{pm},{vc},{sd},{sr},{sj},{sz},{sy},{tw},{tj},{tz},{th},{tg},{tk},{to},{tt},{tn},{tm},{tc},{tv},{ug},{ua},{ae},{um},{uy},{uz},{vu},{va},{ve},{vi},{wf},{eh},{ye},{zm},{no} # in one line only!
    NodeFamily {ch},{ch}
    NodeFamily {de},{de}
    NodeFamily {se},{se}
    NodeFamily {fi},{fi}
    NodeFamily {nl},{nl}
    NodeFamily {be},{be}
    TrackHostExitsExpire 1800
    ClientUseIPv4 1
    ClientUseIPv6 0
    FascistFirewall 1
    ReachableAddresses *:80,*:443,reject *:*
    ReachableDirAddresses *:443,reject *:*
    # ReachableORAddresses *:443,reject *:*
    DataDirectory /tmp
    ExitPolicy accept *:443
    ExitPolicy reject *:*
    LongLivedPorts 80, 443
    #ControlSocket /var/run/tor/control
    CookieAuthentication 1
    #CookieAuthFile /var/run/tor/control.authcookie
    DataDirectory /home/toruser1/tor-browser_en-US/Browser/TorBrowser/Data/Tor
    MadAddress www.my-online-banking.de www.my-online-banking.de.saveyourprivacyexit.exit # always use saveyourprivacyexit for www.my-online-banking.de
    DataDirectory /home/toruser1/tor-browser_en-US/Browser/TorBrowser/Data/Tor

    GeoIPFile /home/toruser1/tor-browser_en-US/Browser/TorBrowser/Data/Tor/geoip

    GeoIPv6File /home/toruser1/tor-browser_en-US/Browser/TorBrowser/Data/Tor/geoip6

    Start tor together with Firefox:

    sg surfgroup "firejail --nice=19 --profile=/etc/firejail/firefox.profile /usr/lib64/firefox/firefox --no-remote &" && sg surfgroup "firejail --nice=19 --profile=/etc/firejail/firefox.profile tor -f /home/surfuser/torrc" && export RESOLV_HOST_CONF="/etc/hosts"

    Again, you can put this quit long command into the exec-line of a created quick launching symbol to get started by one mouseclick only.

    Discretion: Read reports about any conjunctions of countries and relays to NSA & Co.!

    Example from torstatus.blutmagie.de from 01.02.2019:

    US thanksgoogle 0 0 53 d [] Directory Server Stable Server Tor on Linux 9001 None 2018-04-23 GOOGLE - Google LLC, US

    Russia counts 230.000 Tor users every day and only 46 exit nodes. Tor is very popular there.

    Check out all listed ExitNodes, before they get added in torrc: https://www.dan.me.uk/tornodes, https://torstatus.blutmagie.de/ and torservers.net, Freya,Vor,Tyr,Mani,Hlin,Forseti,Mimir,Eir,Fulla,Sif from torworld.org, a list of their name, their ip, their fingerprint, their nationality, their provider, their capacities and if they are good- or bad-nodes. Allow ExitNode {ch} for using ExitNodes DigiGesTor. This is already prevented by NodeFamily {ch},{ch}.
    Alle ExitNodes nach Links von Zwiebelfreunde e.V., https://www.privacy-handbuch.de/handbuch_24n.htm und https://www.s-f-n.org/sicherheitshinweise/datenschutz/weltnetz/anonymitaet-im-weltnetz/tor-netzwerk/7.html außer ThankYouMrSnowden,EdSnowdenIsAHero, MyHeroEdSnowden,ForEdSnowden,AnonymousCluster1,F3Netze,PiratenparteiNRW,Piratenpartei,theOnionKnight01 (UNI Berlin), VS (UNI Duisburg-Essen),fluxe4 und gabelmoo (UNI Erlangen),torais (UNI Kassel),cn (UNI Düsseldorf), csUniHB (UNI Bremen), birnenpfeffimitzimt, onion, PrivacyRepublic0001 und PrivacyRepublick0002 von https://torstatus.blutmagie.de, DigiGesTor (Swiss Privacy Foundation) und Fingerprint-Adressen von https://www.privacy-handbuch.de/handbuch_24n.htm
    Tor-Browser of Linux Tails (3.12, 3.13): kramse2, exit3, MYLEX, niftypika, dorrisdeebrown, ATZv5, SPECTRE, che, niftyeuropeanrabbit, MS3cTor528, Quintex35, cosimaniahouse, flowjob11,frantz, Hydra6,Jpsi2, MrTerence,weizenbaum2,weizenbaum3,cryptocrax0r,Thadassaexit4,cry,amartysen,onyx,argon,TheEpTicScal4s,giovanna,hers,RainerWinkler,MYLEX,che,SPECTRE,sofia

    Weitere eingetragene ExitNodes: cherryjam: IN-BERLIN-AS Individual Network Berlin e.V., DE, F3Netze: Freifunknetz Berlin, weitere: DFN: fluxe4, tortoise, csUniHB, SevenLayers, thedoctor, torais, MarkTwain, gabelmoo, theOnionKnight01, theOnionKnight02, E10, onion: Verein zur Foerderung eines Deutschen Forschungsnetzes e.V., DE. Das DFN ist der deutsche Partner des internationalen Netzwerks Eduroam. Education Roaming (eduroam) ist eine Initiative, die Mitarbeitern und Studenten von partizipierenden Universitäten und Organisationen einen Internetzugang an den Standorten aller teilnehmenden Organisationen unter Verwendung ihres eigenen Benutzernamens und Passwortes oder eines persönlichen X.509-Nutzer-Zertifikates einer gültigen PKI über Wireless Local Area Network (WLAN) oder Local Area Network (LAN) ermöglichen will. Mitarbeitende und Studierende müssen bei Gastvorträgen, Auslandssemestern, Dienstreisen und ähnlichem an der Fremduniversität nicht erst einen Gastzugang beantragen, sondern können sich direkt mit ihren bekannten Daten einloggen. Mittlerweile sind fast alle europäischen Länder bei eduroam vertreten und immer mehr Universitäten der jeweiligen Länder schließen sich ihren Forschungsnetzen an. Inzwischen hat die Initiative weltweit viele Unterstützer, so im asiatisch-pazifischen Raum (z. B. Indien, Singapur), in Nord- und Südamerika (z. B. USA, Kanada, Brasilien), sowie im afrikanisch-arabischen Raum (z. B. Saudi-Arabien, Südafrika), DFN, Alexanderplatz 1 D - 10178 Berlin Germany
    "We collect a wide range of Internet data and provide statistics and tools that our members and the wider Internet community can use for their own operations and analyses."

    Beachte mit dem Editor die Wahrung der bereits hier möglicherweise verrutschten Zeilen (nur eine Zeile für ExitNodes mit den einzelnen ExitNodes)!
    Die Option StrictExitNodes.gibt an, dass nur die im folgenden gelisteten Nodes als Exit verwendet werden dürfen. Für die Liste der Exits nutzt man die Fingerprints der Nodes, beginnend mit einem Dollar-Zeichen (ihre IP oder Server-Name). Die Fingerprints erhält man beim Tor Atlas.
    https://www.privacy-handbuch.de/handbuch_24n.htm, replacement with "good" ExitNodes by Zwiebelfreunde e.V.. (http://torproject.org, https://www.torservers.net/partners.html und https://check.torproject.org/exit-addresses ) und https://www.privacy-handbuch.de/handbuch_24n.htm

    ExcludeExitNodes {us},{ca}
    ExitNodes # fingerprinted (notice: tor does not accept line-breaks: all ExitNodes in one line only!)
    ExitNodes $9ead5b2d3dbd96dbc80dce423b0c345e920a758d,,,,,$93c6be420fbd2327db591a372c58807bb788d79c,$35919e197c6c7f372a26c747d66aca6a39642b3e,$4ef28f0acba7db83f532cf649db13a00c2f9fdf2,$9171101e709ade5881f5e2ca1100d4044b44263e,$3d615def97f387631f50201fafa6e7b67fdf3fef,$0111ba9b604669e636ffd5b503f382a4b7ad6e80,,$0111ba9b604669e636ffd5b503f382a4b7ad6e80,,$9aa3ff35e7a549d2337e962333d366e102fe4d50,$311a4533f7a2415f42346a6c8fa77e6fd279594c,$1bdbe9c0f7034e6789a9bf7bed82be2045f0f5b7,,,$0d2de242ada0ed77325e3aee3a9d8c5cd07c2cf3,$08ce3dbfdaa27db6c044a677af68d7235c2afc85,,$9c61fc0a01401edf71c4048665e53968e81351fc,,$8c25ba134d579b8aaf420e01215eb2cf06aae907,$81b75d534f91bfb7c57ab67da10bcef622582ae8,,,$9e0058300401f6687eae59f9fe82db89230344c1,$63f0043819468fd86c761eae45b4b72db9a795b9,,,$97aee1eefbcbb6ff8fa482029830e8e10a961883,$113143469021882c3a4b82f084f8125b08ee471e,$530277866466a1425f43a73dbfcb5fc7410c9852,,,$97aee1eefbcbb6ff8fa482029830e8e10a961883,$0d12d8e72ded99ee31bb0c57789352bed0ceeeff,$96e095d5cdbfc3988deb708ec155346472402c32,$763b7d67a6b2d19b3e9ea57d1fbdc48f3b85b559,$9661ac95717798884f3e3727d360dd98d66727cc,$8cf987ff43fb7f3d9aa4c4f3d96ffdf247a9a6c2,$5ba19b5d5ab0cb9ef8ea33da77585b75449400b0,$4bfc9c631a93ff4ba3aa84bc6931b4310c38a263,,,$6D3EE5088279027AD8F64FF61A079DC44E29E3DF,$9E9FAD3187C9911B71849E0E63F35C7CD41FAAA3,,,$294cab9ac06a4484e48e61fe1fb7ef4d7839e402,$6088c9ae1f712a9478fde64cadeff8e74ed4ae7c,$4a0c3e177af684581ef780981aeaf51a98a6b5cf,$88c3708a9d71ecec1910b63c3faa5bf60cd7e199,$42e0fb190d20522c6c8c71e42b71da33ac7a780e,$65c86182fdaacb59c9db6d9ddb83148933415a3c,$12ad30e5d25aa67f519780e2111e611a455fdc89,$80aaf8d5956a43c197104cef2550cd42d165c6fb,,,$9634ff450315c691e1e2185636318eaf457e4227,$7d05a38e39fc5d29afe6be487b9b4dc9e635d09e,$0e8c0c8315b66db5f703804b3889a1dd66c67ce0,$03dc081e4409631006efcd3af13afaaf2b553ffc,$9ba84e8c90083676f86c7427c8d105925f13716c,,,$8f02fe5e233730a6ab4c982e18a2136e662a0b59,$847b916d90fa1db85d57addfa1e50510f68538a1,$9BDF3EEA1D33AA58A2EEA9E6CA58FB8A667288FC,$1A1DA6B9F262699A87F9A4F24EF48B50148EB018,$31A993F413D01E68117F76247E4F242095190B87,,,,,$85D4088148B1A6954C9BFFFCA010E85E0AA88FF0,$39659458160887CC8A46FAE627EE01EEDAAED07F,$0111BA9B604669E636FFD5B503F382A4B7AD6E80,,,,$88487BDD980BF6E72092EE690E8C51C0AA4A538C,$9EAD5B2D3DBD96DBC80DCE423B0C345E920A758D,$95DA61AEF23A6C851028C1AA88AD8593F659E60F,$487092BA36F4675F2312AA09AC0393D85DAD6145,,$2DDAC53D4E7A556483ACE6859A57A63849F2C4F6,,$6D3EE5088279027AD8F64FF61A079DC44E29E3DF,$9E9FAD3187C9911B71849E0E63F35C7CD41FAAA3,,,$294cab9ac06a4484e48e61fe1fb7ef4d7839e402,$6088c9ae1f712a9478fde64cadeff8e74ed4ae7c,$4a0c3e177af684581ef780981aeaf51a98a6b5cf,$88c3708a9d71ecec1910b63c3faa5bf60cd7e199,$42e0fb190d20522c6c8c71e42b71da33ac7a780e,$65c86182fdaacb59c9db6d9ddb83148933415a3c,,tor4thepeople1,hviv118,hviv119,AccessNow000,AccessNow001,$93fab6f91c2ef33d0aceef7448177fca2ceb99a0,,,$7bfb908a3aa5b491da4ca72ccbee0e1f2a939b55,$204dfd2a2c6a0dc1fa0eacb495218e0b661704fd,,,,$6df493c83d0f5c337f7166a108adb891bce3fa1c,$6290a2d08e5eb89c809223c5c7bf52597690751d,,$2dfdea5dd415b95594bfb12d59fe841167f94b5f,,,,$65e6eb676633328ade3bd3168a59134cddd21e19,$0516085d6cac40ed4cdcefdfc5ccf6b00de61ded,,$7e006a46a222ce42f84b4a175698b3b593a7b3b7,$6c20cb9a0e95edc143f29194a0a4cc2a593aa15c,$05ffa39d71da116f7669ea4ee53a0baea315ba7f,,$0d874d3bbcbe88a61efc8379a68ac3f1314d4b7a,$6df493c83d0f5c337f7166a108adb891bce3fa1c,$3febfb6a491d30cacc2c2995edb41717a6f94e95,$00cce6a84e6d63a1a42e105839bc8ed5d4b16669,,$578e007e5e4535fbfef7758d8587b07b4c8c5d06,$874d84382c892f3f61cc9e106bf08843de0b865a,$185663b7c12777f052b2c2d23d7a239d8da88a0f,$90fd830c357a5109ab3c505287713f1ac811174c,$4a3b874f0187f2cf0da3c8f76063b070f9f7a14f,$8d093c9c2b42bc224a5319a660a6cf5edefe839f,$46f90ef3a3628c134dbb4654d0e4ff7eb914b690,,$56781ccc9f6d29fea148799ab588429c893a473c,,$69620419a3d0077272b2ea3952a1f46880fdfae5,$2053a4764080bebbec590be4418a782028d05e0f,,,$30ee4433780753120eca788d0f95d19ab2722819,$0ac4c4d8bca8da7bae6be3fea87442e724353cbf,$46791d156c9b6c255c2665d4d8393ec7dbaa7798,,$0bc8ba32cc3cb0f598e0c92778f7c0946dfbce91,$750c4332414558ab8c973b64dcabb5ca42fa642c,,$968cb7da0c56e66f22b78cba0562fe132939d8bf,$90152ba61de052f96956a72db5928650e14914c2,$56621b6880b20012b11af7d1f44ef7d2779428f5,$37535409102dffe92f3dac809e470e62bc27f1df,$3bd1376cd339edac6aefcf355a703a16af913496,,$4b084ad6a0ba70761a333829f52042bb6ea009af,,$56781ccc9f6d29fea148799ab588429c893a473c,,$044d00bc0ab1e3b4e3854dd522c471ede8d0cb42,$41f07731207742860d43ac426fbae2f3947bd1ca,$4a3b874f0187f2cf0da3c8f76063b070f9f7a14f,$1747f77cc71a7d073e9f960b9b77d33734f6216d,,$56621b6880b20012b11af7d1f44ef7d2779428f5,,$46791d156c9b6c255c2665d4d8393ec7dbaa7798,$0bc314281c83167f24c7cfcd68de069b02a92345,$995afa869526ba8e3b714e8bd1f455dc084832cd,$28a3a7d742b7cabdc006c055496dad9814d4e930,$22e8493d6ae611c8e243492bd4935160a5ec8f2f,,,$45ec3912c624d0c1a3873ba30214f06ccd946de6,,,,$12efbb9560f5bf7d09625c99e488f982fa3483e7,$4ff868be8b403085f4c351094d392a7230766435,$995afa869526ba8e3b714e8bd1f455dc084832cd,$3b4fa23831cc69c136418b0305381a5103a3b470,,$1c0d0af3ff05ccbba4b6ed262196a4c5a76102e6,$55580d71b317a072f4a4dcf6ea4edb015734aee7,$8154154c636ec317c7165fd839f34f79963376c1,$93fab6f91c2ef33d0aceef7448177fca2ceb99a0,$5e5040ea472aeb11c3dd4beac37ebe50ef40c93b,$61b8bdc91aa7bc9a05eb5a3d652fff88c98e6911,$9684c4d6c71131eeef2e5c23c3ea234a684cd501,,$40b206539ecdf83aceaa34245cc82508077bba14,$92bbadcb0697f5eb1792c607ee2dc1c291a98adc,,,,$1747f77cc71a7d073e9f960b9b77d33734f6216d,$87ea8620a1368f19c43a037115f15461c9487b31,$1901e98a08077fbba4c9e0368dd4dc6dbbd4cf77,$5f1c955a83ffec2548d2a4637d2ccd09124a1957,$6270d21d6cef0a4b1abea0730983aae08126701a,,,$0cdc8fdd8a487271decb791c0d46585f16bc8f19,$6a7479eb4378b946dc2a65a7f2c706b42bae2ebd,,,$777e9e3bb371cfb436cb993cf8c7f631137beeb2,,$683a668ebd5e275889b510caea45752016e3de30,$15f2b269295017bbaace4d15a312d4c89682d036,$68854e6f0c8c7b48c1a28934881ad10736da7f8d,,$8164d74a15a2c10afbd2429a913ffa9b83332580,,$0c039f35c2e40dcb71cd8a07e97c7fd7787d42d6,,$70b5746578dfe2b373599703b8dfb2af37743405,$2e045a15872b52d7c9955225bb791f91a3ed2f2c,$12efbb9560f5bf7d09625c99e488f982fa3483e7,$569bc61051c78801d96a682ba15d992f347316ed,,$9635968bb4e2d1b8395b0a1f4a7dda5ec4b5c435,$61875bb87f7c6bb9b656be7b95ebbfb3d5500c97,$78bc2254d3b31cd865f7682633aa438212132532,$995afa869526ba8e3b714e8bd1f455dc084832cd,$13bc57be4a6287d5c9ab970e94823bcaf7b5ffb2,$0bc314281c83167f24c7cfcd68de069b02a92345,$46791d156c9b6c255c2665d4d8393ec7dbaa7798,$96dafdce92ba94e4cc95f8314ae48e272a702fdc,$465d17c6fc297e3857b5c6f152006a1e212944ea,,$86cbf65f98e84681156444d048374aae1c809b17,$87ea8620a1368f19c43a037115f15461c9487b31,,$3b0efde689693cfdec2305f7b99d5b2fa4a77d91,$73e8a55b158fe750aaf711b402d3702e3fc395ee,$07c536d732850e3abbb51176fbcf9e79fc2c6e7a,$5b0e2e519fc6e61775895be7cde504c4aa8d6820,,$51c0096f3d7ee2a082bc367a29f81c9fcd9bf273,,$8bbe7a90dc03a954673a99ffb6d79308ad4f643c,$27f890a58693ebb080184c8d8477f0281b2585f7,$27f890a58693ebb080184c8d8477f0281b2585f7,$27f890a58693ebb080184c8d8477f0281b2585f7,,$166f00ea1bf27f20e8b2d7ef7fff200e52b47d00,$98138dfd3e2c8c89d8f5ab11ef9b6bff272d83b4,,,$98f94858106715983d6ff0123334f94b62ff00b7,$6b29a78eeb42d318290db60c6a2edc714f1bad42,$58d214a5147a7488897d3f187df84ef859d68184,$48042bf1da7d7515dcf5ab468943cac47724ec26,,$58a9921dd0a1389356634625c5b14acc1194a95c,$9ac272d5c5bf479b56f062b91b89d6fe3740185d,$995afa869526ba8e3b714e8bd1f455dc084832cd,$46791d156c9b6c255c2665d4d8393ec7dbaa7798,$55a92be2a76c64a5a0db0d4f61d5dca37b55ee52,$5af95dff3a7b45a01d83c68b9408a280f7a3cdf8,,$912056eae8410c1768ad2efc007ce5d22625bc23,,,,$6dfeb41c04cce846871338e85dd5acf5cfb6c1dd,$1f5274bc3bfa8821471a884295126ad48d3c2683,,$0e5522cb4f79e36c0bb263babc861cfc686929ae,$18c6cb7af08291e326d65567ff4d96cca02f832b,$8164d74a15a2c10afbd2429a913ffa9b83332580,,,$15e5bba49036203a360f00662e93a17d9430025a,,$86bf32b606f1331aa4dd2095d549838aa1435545,,,,,$438dc9b6b5c5375d332bb338d7e5c1b9ef448960, ,,$876c7ce43774366250d3e768e690dab9d4b5d5a3,$8154154c636ec317c7165fd839f34f79963376c1,,$5918b0913a59d18262e74f9b1f0c034ccc31fbcc,$8eb722fa1ae9dde1914bc21fea22819d4de99db4,,,$07dd4f0e6d2c7a58937f5c2760da19ee9be8ca80,$2af1f03ca502a23d554eb61c6649c531674c9627,$4df67280a6aa88c8e2807b58deac67e6e599cbba,$2b434018efb233acbdb220a6a14e5657cc6a63c8,$40fae4540cf4c126b1b15c0f5e048fdbd66e2d88,$27f890a58693ebb080184c8d8477f0281b2585f7,$9ae53d17ea4695e94e5cb60e54df57d011b989a0,$1e5618c079d74cf9ae0c5370de4c6e1afd5c0b39,$847b1f850344d7876491a54892f904934e4eb85d,$38b6b15f14bcf4d5b342ba1d67004287d1bcb9dc,$760dd1184f576fbbe4d3f834be16ab3d192bbcda,,,,$67549c743eb7a9d06a75e37beb82417ebb22e97f,$23439cf3eced46bb327a32373cd1d17e835777ee,$2f1a6481756d34bbf2cd3bebabbfec2e863a6f55,$4f3056e9d4bac38ec2100063745221553630eccb,,$89abc96e57c44085c6d520f6b27a23f3823e119b,,$0fedebe83c1f2de3d6673876bba1433ccf0ade51,$922c780d6a32944890a9c2bdb288037eb2f06392,,,$460f2eb956c09933a7e495c800786f11fd6d6336,$4f9bb4555bcfa49260e382c6d156eb49de07c63b,,,$01181b31be5860c7d66da88f88ad522c06470fd9,,$53ae17b558dfa2eaf551b650f6260b3e31fbead0,$2c752c180089ddc89bc3ffccb17facfeeafd79aa,$44ef5f90f4e15b2a7937b33908b79675086b0e4b,,,$395cec4f978857b1169da78cf1208fd13b715fd0,$519d9147bfc7d8b84dcd7ac0b816080777d0e4c6,$3ea2217a01c61b1c17b6d8571b26fa6a44144d6f,$912056eae8410c1768ad2efc007ce5d22625bc23,,$890530c5b510a506f5cf206efec1595f96e727a5,$18fd0903330cd865023cf8737aae5d9bfbe4c025,,$92d8008026aa72131a5357005054048f879f2808,$0c039f35c2e40dcb71cd8a07e97c7fd7787d42d6,$2e72eeabe4ee19183befaa10d88b3c16829c9f99,,$8a8dba05b9fa31a5511b79768cf191c84c9035de,$7e8bc43ae75eae16d7ec4676f4a5c355f454b809,$8456dfa94161cdd99e480c2a2992c366c6564410,$2880a4d6a33f9becf2ae106d2951965a97527e96,$995afa869526ba8e3b714e8bd1f455dc084832cd,,,$9638d8a46d8cba79f8122d77e038ed99ebfdaead,$38b6b15f14bcf4d5b342ba1d67004287d1bcb9dc,$9a725c9660640fd82782f89e755553b29a14e791,$8b029434401afdc8b9793a49005e2bc3af76c02c,$995afa869526ba8e3b714e8bd1f455dc084832cd,,,$9638d8a46d8cba79f8122d77e038ed99ebfdaead,$38b6b15f14bcf4d5b342ba1d67004287d1bcb9dc,$9a725c9660640fd82782f89e755553b29a14e791,$8b029434401afdc8b9793a49005e2bc3af76c02c,$18cfb7ba07f13aeabf50a7148786da68773b2498,,$74c0c2705db1192c03f19f7cd1bb234843b1a81f,,$8a2d71cbca33f13a3ea9614de28ae3f669d84987,$519d9147bfc7d8b84dcd7ac0b816080777d0e4c6,,$5aeec5f24de394faa33cc45c86e140248f7065c4,,,,$510a75840497d2c46588a6234fe96d000746f5d6,$7bb70f8585dfc27e75d692970c0eeb0f22983a63,$8456dfa94161cdd99e480c2a2992c366c6564410,,$3d6c776e8be9e8ae5d0591594117999e3c5498c8,$5d765770b4db110d88787457978ab4008cf65cac,,$2bcddd2006a6000b8d5f6d63c7d6d200e43f8b1b,,$890530c5b510a506f5cf206efec1595f96e727a5,,,,$80a819ef8d6b65f9f61e9f85e5dea714fb3a6434,$9fc15c742c2e95a34f104cb5a0826c6659cff2b7,$9b94a776da2c0b974bf4e06a352133edfe62036c,$8bb171d82ddec2cc751c5b63ba5439fb448a24b2,

    To go sure, make up your own tor node, Golem.de
    Tor selbst ist recht genügsam. Selbst die Leistung eines Kleinstrechners wie des Raspberry Pi reicht vollkommen aus, um einen Tor-Server als Entry-Node und -Relay zu betreiben.

    In dependency from the provider (ISP) the usage of dynamic IPv4-addresses (IPv4-IP) only might be sufficient, red., Gooken.

    The traffic is encrypted from your client to the exit node, so your ISP cannot see, what web sites you are accessing. On the exit node, the traffic is ... Tor (The Onion Router) is a free software project used to surf anonymously. It can be compared...

    OKEven if Tor is used, do not forget to anonymize the useragent-UA-specification (browser´s user-agent-string)!
    Otherwise agencies like NSA are able to advise and collect them to the right place, as those specifications are very informative - similar to an IPv6-address.
    We suggest those agents pregiven by Firefox-extensions for useragents. Most popular useragent-specifications without nums as ciphers like the default one from squid (out of squid.conf) or privoxy (out of default.action) provide high anonymisation with "Privoxy/1.0" as much as the popular "googlebot/1.0 resp. ".bzw. "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" out of many useragent-extensions for Firefox (our is named : "gookenbot/0.1" bzw.Gooken Bot: "Mozilla/5.0 (compatible; Gookenbot/0.1; +http://www.gooken.de)" ). There is a satisfying amount of such useragents provided by those extensions, one of them provides a downloadable lists to for extension. All these useragents up to right now are most anonymizing.
    Top anonymizing: Privoxy/1.0
    More (more or less) anonymizing useragents:

    blanked: the empty string (no useragent set)
    Mozilla/5.0 (Windows NT 6.1; WOW64; rv:60.0) Gecko/20100101 Firefox/60.0
    Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)
    Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
    Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
    Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
    Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
    Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
    Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
    Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
    Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2)
    Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
    Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)
    Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; Trident/5.0)
    Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0; Trident/5.0)
    Mozilla/5.0 (Windows; U; Windows NT 6.1; rv:2.2) Gecko/20110201
    Opera/9.80 (Windows NT 6.0) Presto/2.12.388 Version/12.14
    Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/7046A194A
    More useragents can be find from http://useragentstring.com/pages/useragentstring.php/

    OKMini-IP-domain-mask /etc/hosts
    And past pdnsd, Tor-DNS, the anonymization by Tor and the anonymization of the browser-useragent-specification with useragents like "Privoxy/1.0" think of mentioned small DNS-IP-mask within /etc/hosts. This mask protects from remote-DNS-host-requests of IP to domain favorized (often addressed) websites, as so called anonymized DNS-requests can open up a lot of information to anywhere. This mask should be sized small, as some single IP-domain-pairs might change from time to time within addressroom IPv4, see our description (content listing) of /etc/hosts from above.

    To use a bridge, you have two options. Tor Browser now provides some bridges by default. You can enable these easily. Unfortunately, because these bridges are publically distributed, it is easy for censors to block some of them, so some of them may not work. In this case, you´ll need to locate different bridges. Furthermore, you'll need to configure Tor Browser with whichever bridge address you intend to use. If your Internet connection requires the use of a proxy, you´ll probably need to configure Tor Browser to use it first. If you don´t think you need to configure a proxy for your Internet connection, you probably don´t. Give it a try and if you have issues, ask us for help.

    Pluggable Transports
    Over the last few years, censors have found ways to block Tor even when clients are using bridges. They usually do this by installing special boxes at ISPs that peek into network traffic and detect Tor; when Tor is detected they block the traffic flow.
    To circumvent such sophisticated censorship Tor introduced pluggable transports. These transports manipulate all Tor traffic between the client and its first hop such that it is not identifiable as a Tor connection. If the censor can't decide if the connection is a Tor connection, then they are less likely to block it.
    Sadly, pluggable transports are not immune to detection, if a censor is given enough time. In the past, we promoted obfs and obfs2 as safe transports. These are now deprecated and were replaced by obfs3, scramblesuit, fte, and obfs4.
    Bridges which support pluggable transports can be used with Tor Browser easily. Tor Browser includes some pre-configured bridges and you can get more from BridgeDB, if those don´t work.

    Here are your bridges for TOR:

    obfs4 cc8ca10a63aae8176a52ca5129ce816d011523f5
    obfs4 0ed110497858f784dfd32d448dc8c0b93fee20ca
    obfs4 daa5e435819275f88d695cb7fce73ed986878cf3
    obfs4 4352e58420e68f5e40bf7c74faddccd9d1349413

    Once you´ve received the email with bridge information, you can continue the configuration steps outlined above.
    Running a Tor Bridge
    If you want to help out, you should decide whether you want to run a normal Tor relay or a bridge relay. You can configure your bridge either manually or graphically:

    manually edit your torrc file to be just these four lines:

    SocksPort 0
    ORPort auto
    BridgeRelay 1
    Exitpolicy reject *:*

    When configured as a bridge, your server will not appear in the public Tor network.

    Your bridge relay will automatically publish its address to the bridge authority, which will give it out via https or email as above. You can construct the bridge address using the format above (you can find the fingerprint in your Tor log files or in /var/lib/tor/fingerprint depending on your platform).

    OKInstall Firefox-extensions listed above for the Tor-Browser (Firefox-ESR-52.9.0) too, although this was reported above as not recommended: SecretAgent (rotating user agent with many more security options, an extension from palemoon.org), AdblockPlus, Noscript, RequestPolicy(Block)Continued, RefControl, CookieController, SkipRedirect and FireGloves. Deactivate their check for updates, by setting this option to "no"!

    OKIAt last, within Tor´s security settings, push the control from "standard" to "safest"! Because of the configuration of AdblockPlus from above, JavaScript can still be enabled, type "about:config" into the address-line and set "javascript.enabled" to true.

    Tor Project - more links:
    https://www.privacy-handbuch.de/handbuch_24n.htm: Good and Bad Exit Nodes
    https://www.dan.me.uk/tornodes - über 7.000 Tor-Exit-Nodes nach ip|name|router-port|directory-port|flags|uptime|version|contactinfo
    https://torstatus.blutmagie.de/ - All Tor-Exits! Liste mit über 2.000 Exit-Nodes aus verschiedenen Ländern sortiert nach Bandbreite. Seien Sie obigen Angaben nach vorsichtig mit dieser Liste!
    https://appliedprivacy.net/don - weitere Exit Nodes von der Foundation for Applied Privacy
    https://udger.com/resources/ip-list/tor_exit_node # daily List mit weiteren Exit-Nodes
    https://tor.stackexchange.com/questions/103/is-it-possible-to-make-the-tor-onion-routing-path-longer - Erhöhung der Anzahl der Hops von (empfohlen) 3 auf 4, 5 oder über 5

    OKAnonymizing TorDNS-Server Tor-Browser, TorMail, TorChat, ..., TorDNS:

    Tor uses an own anonymising DNS-server.
    We recommend to choose this TorDNS for the DNS for the complete computer-system beneath the local /etc/hosts. To use such TorDNS generelly, configure as follows:

    OK1) /etc/tor/torrc ( this is not Tor-Browser configuration file /home/toranonym/tor*/Browser*/Tor*/Data*/Tor*/torrc; tor is installed by rpm tor (el6) and rpm tor-socks (el6) )

    # This file was generated by Tor; if you edit it, comments will not be preserved
    # The old torrc file was renamed to torrc.orig.1 or similar, and Tor will ignore it
    Sandbox 1
    DNSPort 9053
    ClientUseIPv4 1
    ClientUseIPv6 0
    AutomapHostsOnResolve 1
    AutomapHostsSuffixes .exit,.onion
    AvoidDiskWrites 1
    DirReqStatistics 0
    Log notice stdout
    EnforceDistinctSubnets 0
    UseEntryGuards 1
    NumEntryGuards 7
    TrackHostExitsExpire 1800
    EntryNodes $7B28971D4A29995784E3066B9D87E42E9C685F3A,,$03dc081e4409631006efcd3af13afaaf2b553ffc,togma2,ori,freki,tollana,ATZv5,freebird32,leonide,behrmann,mccowan# erste drei: torified;pairoj,krigernes, verwende nur Fingerprints! Alle EntryNodes in nur einer einzigen Zeile eintragen!
    ExitNodes Digitalcourage3ip1,Digitalcourage3ip2,Digitalcourage3ip3,chaoscomputerclub1,taz,tazzwei,DigiGesTor1e1,DigiGesTor1e2,DigiGesTor1e3,hviv104,torais,csUniHB,marschiertor,ponttor,PiratenparteiNRW,hviv104,,radieschen,erbse,kohlrabi,broccholi,paprika,parasol,parasol2,sellerie,karfiol,fenchel,erdapfel,zucchini,paradiser,gurke,karotte,ekumen,saveyourprivacyexit,saveyourprivacyex1,ori,$9BDF3EEA1D33AA58A2EEA9E6CA58FB8A667288FC,$1A1DA6B9F262699A87F9A4F24EF48B50148EB018,$31A993F413D01E68117F76247E4F242095190B87,,,,,$85D4088148B1A6954C9BFFFCA010E85E0AA88FF0,$39659458160887CC8A46FAE627EE01EEDAAED07F,$0111BA9B604669E636FFD5B503F382A4B7AD6E80,,,,$88487BDD980BF6E72092EE690E8C51C0AA4A538C,$9EAD5B2D3DBD96DBC80DCE423B0C345E920A758D,$95DA61AEF23A6C851028C1AA88AD8593F659E60F,$95DA61AEF23A6C851028C1AA88AD8593F659E60F,$487092BA36F4675F2312AA09AC0393D85DAD6145,,$2DDAC53D4E7A556483ACE6859A57A63849F2C4F6,,$6D3EE5088279027AD8F64FF61A079DC44E29E3DF,$9E9FAD3187C9911B71849E0E63F35C7CD41FAAA3,, ReachableAddresses *:443,reject *:*
    ReachableORAddresses *:443
    ExitPolicy accept *:443
    ExitPolicy reject *:*

    [...] Will man hingegen nur Tor direkt per DNSPort ohne installierte DNS-Proxys zur anonymisierten Namensauflösung nutzen (wovon wir an dieser Stelle abraten), verwendet man als DNSPort einfach:


    ... und 2) /etc/pdnsd.conf:

    global {
    pid_file = /var/run/pdnsd.pid;
    udpbufsize=1024; # Upper limit on the size of UDP messages.
    server {
    label = tor;
    ip =;
    port = 9053;
    uptest = none;
    timeout = 2s;
    purge_cache = off;
    caching = on;
    lean_query = on;
    preset = on;
    proxy_only = on;
    exclude = .meine-bank.de,googleapis.com;
    policy = included;

    source {



    In Linfw3 all DNS-Server can be removed from dialog -> nonyesno ->DNS-Server. But to prevent from allowing all DNS-Server, one DNS should still be entered like the pseudo-DNS
    Finally restart pdnsd by "sh /etc/init.d/pdnsd restart" (as a process started by the user psad) and start tor for user surfuser and group surfgroup ( su - surfuser && sg surfgroup tor -f /etc/tor/torrc ) - so have a good surf-time !
    Source: Tor - ArchWiki - Arch Linux
    TorDNS. The Tor 0.2.x series provides a built-in DNS forwarder. To enable it add the following lines to the Tor configuration file and restart the daemon:

    /etc/tor/torrc DNSPort 9053 AutomapHostsOnResolve 1 AutomapHostsSuffixes .exit,.onion

    OKStart TorDNS with the start of any browser, for example palemoon and firefox (both additionally started by firejail and some options; notice that tor depending on the tor-version might already start its own sandbox too):

    su - surfuser
    knemo && sg goonline "firejail --nice=19 --profile=/etc/firejail/palemoon.profile /usr/lib64/palemoon/palemoon --no-remote &" && sg goonline "firejail --nice=19 --profile=/etc/firejail/palemoon.profile tor -f /home/surfuser/torrc" && export RESOLV_HOST_CONF="/etc/hosts"
    su - surfuser
    sg surfgruppe "firejail --nice=19 --profile=/etc/firejail/firefox.profile firefox --no-remote -P Default &" && export RESOLV_HOST_CONF="/etc/hosts" && sg surfgruppe tor

    Eine anonymisierte DNS-Domain-IP-Abfrage mit TorDNS lässt sich übrigends auch manuall durchführen:

    tor-resolve www.gooken.de
    die IP von Gooken.

    Die IP von Gooken kann man nun in /etc/hosts eintragen.

    Eine solche anonymisierte remote DNS-Abfrage mit TorDNS bzw. manuell mit tor-resolve gelingt beim ersten Mal nicht immer sofort. Dann sollte man noch ein bi&szig;chen surfen, und es geht auf mal... ("kleiner Wackelkontakt" am Anfang?)

    Alte TLS-Versionen werden ab 2026 von den großen Browsern nicht mehr unterstützt, PC-WELT.de, 16.10.2018
    Microsoft, Mozilla, Google und Apple sind sich einig. Ab 2026 werden die alten TLS-Versionen nicht mehr unterstützt.
    Mit der geplanten Einstellung der Unterstützung für die TLS-Versionen 1.0 und 1.1 im Jahr 2026 haben Webseiten-Betreiber also noch ausreichend Zeit, auf die neueren Versionen umzustellen. Die alten Versionen enthielten Sicherheitslücken, die bestimmte Angriffe erlaubten, dazu zählen der "Beast"- und "Sloth"-Angriff. Der "Sloth"-Angriff wurde beispielsweise durch die schwachen Hash-Funktionen wie MD5 und SHA1 möglich. Bei beiden Angriffen handelt es sich aber um theoretische Angriffe, in der Praxis werden diese kaum ausgeführt. Bereits heute laufen rund 94 Prozent aller Webseiten auf dem Protokoll der Version 1.2, Grund zur Sorge besteht also nicht. Die neue Version TLS 1.3 wird teilweise schon eingesetzt.

    36 Millionen Euro: ZITiS baut Supercomputer zur Entschlüsselung
    , netzpolitik.org, 16.10.2018
    Die Hacker-Behörde ZITiS will einen Hochleistungsrechner bauen, um verschlüsselte Daten zu entziffern. Das geht aus dem 36 Millionen Euro teuren Haushaltsentwurf der Behörde hervor, den wir veröffentlichen. Nach wie vor sucht ZITiS Staats-Hacker, aktuell ist nur die Hälfte der Stellen belegt.
    Die IT-Behörde ZITiS soll nächstes Jahr 36,7 Millionen Euro bekommen, 20 Prozent mehr als dieses Jahr. Die vor anderthalb Jahren gegründete "Zentrale Stelle für IT im Sicherheitsbereich" hilft Polizei und Geheimdiensten bei der technischen Überwachung. Wir veröffentlichen an dieser Stelle das bisher unveröffentlichte ZITiS-Kapitel aus dem Bundeshaushalt sowie eingestufte Informationen aus dem Bundesinnenministerium.
    Von diesem Geld wollen die staatlichen Hacker "hochmoderne technische Ausstattung" kaufen. Ganz oben auf der Wunschliste steht ein Hochleistungsrechner, "der vorrangig im Bereich der Kryptoanalyse genutzt wird" - also zur Entschlüsselung. Dieser Supercomputer hat "höchste Priorität" für die ZITiS-Abnehmer Verfassungsschutz, Bundeskriminalamt und Bundespolizei.
    Vor zwei Wochen wurde bekannt, dass ZITiS auch einen Quantencomputer einsetzen will. Ob Supercomputer und Quantencomputer verschiedene Projekte sind, will ZITiS auf Anfrage nicht verraten: "Zu unseren Projekten und verwendeten Technologien können wir keine Auskunft geben." Da die Entwicklung nutzbarer Quantencomputer jedoch noch in den Kinderschuhen steckt, dürfte der Hochleistungsrechner ein eigenes Projekt sein, der zeitnah in Betrieb gehen soll.
    Staatstrojaner für mobile Endgeräte
    In den anderen Arbeitsfeldern rüstet ZITiS ebenfalls auf, wobei zwei besonderes Gewicht erhalten. Im Bereich der Digitalen Forensik forscht und entwickelt ZITiS unter anderem an "Passwortsuche" und der "Auswertung von Smartphones". Bisher haben Polizeibehörden sieben verschiedene Software-Tools gekauft, um beschlagnahmte Mobilgeräte auszulesen. Dieser Wildwuchs soll bei ZITiS vereinheitlicht werden.
    Im Bereich Telekommunikationsüberwachung (TKÜ) arbeitet ZITiS an zwei Projekten, die bisher beim BKA angesiedelt waren. ZITiS setzt das "Projekt INTLI" (Internationale Zusammenarbeit in der TKÜ) fort, "das sich mit der Standardisierung des Austauschs von TKÜ-Daten auf Grundlage der Rahmenrichtlinie Europäische Ermittlungsanordnung beschäftigt". Die EU-Richtlinie ermöglicht grenzüberschreitende Überwachung von Telekommunikation.
    ZITiS will auch die Entwicklung von Staatstrojanern vorantreiben. Mit dem "Projekt SMART" soll ZITiS das BKA unterstützen "bei der Entwicklung einer Quellen-TKÜ-Lösung für mobile Endgeräte", also einem Trojaner zum Abhören von Kommunikation. Das BKA hatte für sechs Millionen Euro den Staatstrojaner "RCIS" programmiert, der seit diesem Jahr auch Smartphones infizieren und abhören kann. Jetzt wollen ZITiS und BKA die Software gemeinsam weiterentwickeln.
    Hacker gegen IT-Unsicherheitsbehörde
    Insgesamt will ZITiS nächstes Jahr mehr als zehn Millionen Euro für Investitionen ausgeben, über elf Millionen sind für Personal geplant. Das Innenministerium bezeichnet die Personalgewinnung als "anspruchsvoll" und "eine zentrale Herausforderung". Vom Behördensprech übersetzt: Nur wenige IT-Experten wollen für den Staat hacken. Der BND nannte das mal "knappe Ressource brillantes Personal".
    Derzeit hat ZITiS erst "74 der im Kalenderjahr 2018 zur Verfügung stehenden 150 Planstellen belegt". Fast die Hälfte der bisher eingestellten Mitarbeiter*innen ist in Verwaltung und Leitung tätig. Das existierende "MINT-Fachpersonal" arbeitet nicht nur in der Umsetzung der Aufgaben, sondern auch bei internen IT-Diensten und Beratung. Zwei Drittel der Angestellten kommen aus anderen Behörden, nur ein Drittel sind "Externe".
    Falk Garbsch, Sprecher des Chaos Computer Clubs, kommentiert gegenüber netzpolitik.org:

    Es ist gut zu sehen, dass Hacker offenbar keinerlei Interesse haben, für eine IT-Unsicherheitsbehörde zu arbeiten. Die Community hat schon vor vielen Jahren verstanden, was verbohrte Politiker nicht akzeptieren wollen: Das Ausnutzen und Offenhalten von Sicherheitslücken ist ein nachhaltiges Risiko für Unternehmen, kritische Infrastrukturen und Zivilgesellschaft. Statt Steuergelder in absurde Angriffsphantasien zu verschwenden, wird es Zeit für Investitionen in das konsequente Schließen von Sicherheitslücken.

    Der Regierungsentwurf zum Bundeshaushalt 2019 wird derzeit im Bundestag verhandelt. Bisher hat die Große Koalition keine Änderungen bezüglich ZITiS beantragt oder beschlossen. Anträge der Opposition werden üblicherweise abgelehnt. Ende November soll der Haushalt im Bundestag verabschiedet werden.
    Hier die Dokumente in Volltext:
    Ministerium: Bundesministerium des Innern, für Bau und Heimat
    Stand: 17. August 2018

    Verräterische Cookies
    Über Cookies bleiben Sie trotz anonymer IP identifizierbar
    . Deshalb deaktiviert Torbutton zum Surfen über Tor die bisher gesammelten Cookies.

    Firefox fängt jedoch wieder an, alle ab diesem Moment in der von der IP-Adresse her anonymen Surfsession angefallenen Cookies zu sammeln.
    Bitte beachten Sie deshalb trotz Nutzung des Torbuttons, dass Sie vor jedem Ansteuern einer Seite, auf der Sie sich einloggen sowie sofort nach jedem Ausloggen aus solchen Seiten im Firefox "Extras / Private Daten löschen" ausführen, bevor Sie weitersurfen!
    Andernfalls könnte die vorherige und weitere über Tor durchgeführte Surfsession inkl. evtl. weiterer Logins, wenn auch nicht Ihrer IP-Adresse so doch dem oft personenbezogenen Login zugeordnet werden!
    Ansonsten birgt auch der Flash-Player entsprechende Gefahren (Flash-Cookies), falls mensch nicht beim Surfen über Tor auf diesen verzichten will und deswegen beim Torbutton die temporäre Abschaltung von Erweiterungen und Plugins deaktiviert hat.

    And GOAL (TOOO...R) !

    "Wir wollen so vielen Menschen wie möglich Zugang zu freiem unzensiertem Internet ermöglichen. Besonders wichtig ist uns, dass sich die Nutzer keine Sorgen machen müssen, ob jemand im Hintergrund alles protokolliert und aufzeichnet.
    . Deshalb bieten wir einen OpenVPN-Server an, der keine Protokolle über ihre Aktivitäten im Internet anlegt. Zudem wird eine vollständige Anonymität auch durch unseren Tor Exit-Node (saveyourprivacyexit) auf dem Server garantiert. Eine Unterscheidung zwischen Tor -und VPN-Traffic ist nicht möglich was eine Traffic-Analyse erheblich erschwert.
    Da uns natürlich nicht nur die Anonymität unserer Nutzer wichtig ist, sondern auch die Sicherheit, verwenden wir sichere Verschlüsselung mit Perfect Forward Secrecy nach dem neuesten Stand der Technik. Wir fordern unsere Nutzer auf den Dienst nicht mit sinnlosem Unsinn (z.B. Spam-Versand) in Verruf zu bringen.
    We are offering a free & anonymous VPN server to all who need to protect themselves against surveillance. There are no logs or blocked websites, nobody watches what you are doing. We couldn't even do this because a large Tor exit node is running on the same server. But still, please don't abuse it and ruin it for everybody!

    Scroll down, download your config files and you are ready to go!

    Technische Details:

    Standort: Finnland
    Port: 1194 (UDP), 8080 (TCP)
    AES 256-bit Verschlüsselung
    SHA512 Message Authentication mit einem 4096-bit (RSA) Key für eine sichere Authentifizierung.
    Perfect Forward Secrecy mit stündlichem Re-keying.


    Download: Konfigurationsdateien für alle Betriebssysteme
    Download: Konfigurationsdateien für alle Betriebssysteme (alles in einer Datei)
    Download: Tor-Konfigurationsdateien für Windows
    Download: Tor-Konfigurationsdateien für Windows (alles in einer Datei)
    Download: Tor-Konfigurationsdateien für Android oder Linux
    Download: Tor-Konfigurationsdateien für Android oder Linux (alles in einer Datei)

    Bitte nutzt nicht die Tor-Konfigurationsdateien, wenn ihr euch nicht über das Tor-Netzwerk verbinden möchtet, da sonst eine Verbindung nicht möglich ist.


    Bevor ihr die VPN nutzt, solltet ihr die Artikel DNS-Leaks gefährden VPN-Nutzer, Schutz vor IPv6-Leaks und WebRTC gefährdet VPN-Nutzer lesen und die Empfehlungen umsetzen, um einen wirklich anonym Internetzugang zu nutzen.

    OpenVPN einrichten

    VPN via Tor
    Wenn Sie sich über Tor mit der VPN verbinden, ist es sehr schwer Sie als Nutzer der VPN zu identifizieren. Selbst Geheimdienste wie die NSA oder GCHQ sind nicht in der Lage, spezielle Tor-Nutzer zuverlässig zu deanonymisieren. So bietet Ihnen die Nutzung der VPN über das Tor-Netzwerk mehr Sicherheit und Privatsphäre. Wenn Sie sich über das Tor-Netzwerk zum VPN-Server verbinden möchten und Windows nutzen, müssen Sie sich lediglich die Tor-Konfigurationsdateien herunterladen und in den richtigen Ordner extrahieren. Anschließend laden Sie sich das Tor Browser Bundle hier herunter und installieren es. Sobald der Tor Browser startet, können Sie die VPN-Verbindung wie gewohnt starten.
    Falls ihr Linux nutzt, müsst ihr folgende Einstellungen anpassen: Falls ihr Tor noch nicht installiert haben solltet, könnt ihr das schnell nachholen: "sudo apt-get install tor" (bzw. rpm -i --force tor_browser*.rpm). Vergessen Sie nicht nach den Änderungen den Tor-Service neuzustarten: "sudo service tor restart". In der Datei /etc/tor/torrc (bzw. /home/toruser1/tor_browser-en/Browser/Tor*/Data/Tor/torrc) fügt ihr die folgenden Zeilen hinzu:

    SocksPort 9050
    StrictNodes 1
    EntryNodes splitDNA
    DNSPort 53

    In der Datei /etc/resolv.conf ändert ihr den Eintrag zu:

    In der Konfigurationsdatei saveyourprivacy.ovpn fügt ihr folgenden Eintrag hinzu:

    route net_gateway

    In der Datei /etc/dhcpcd.conf fügt ihr folgenden Eintrag hinzu:

    nohook resolv.conf

    Wenn ihr jetzt die VPN-Verbindung aufbaut (siehe Linux), werden alle DNS-Anfragen und die VPN-Verbindung über das Tor-Netzwerk geleitet. Wir könnten somit nicht einmal sagen, wer unseren VPN-Service nutzt, da wir nur die IP-Adresse des Exit-Nodes sehen würden.
    Auch auf Ihrem Smartphone könnt ihr mithilfe der App "Orbot" eine VPN-Verbindung über das Tor-Netzwerk aufbauen. Leider benötigt ihr eine aktuelle Version des Betriebssystems Android (>= 5). Installiert und startet die App "Orbot" und ladet die Tor-Konfigurationsdateien für Android herunter. Anschließend importiert die heruntergeladenen Konfigurationsdateien in der "OpenVPN für Android"-App. Danach bearbeitet ihr das importierte VPN-Profil (siehe Android) in der "OpenVPN für Android"-App indem ihr mit einem Klick auf den "Stift" neben dem VPN-Profilnamen (saveyourprivacy) das Konfigurationsmenü öffnet. Nun setzt bei der App "Orbot" ein Häkchen unter "Erlaubte Anwendungen" um der App den Internetzugriff an der VPN vorbei zu erlauben. Dies ist notwendig, da sonst eine VPN-Verbindung nicht möglich ist. Danach könnt ihr wie gewohnt eine VPN-Verbindung mit einem Klick auf den Profilnamen starten. Eure VPN-Verbindung wird jetzt durch das Tor-Netzwerk getunnelt und anonymisiert euch zusätzlich als VPN-Nutzer.
    Eure OpenVPN-Verbindung läuft dann über einen sogennanten Tor-Circuit, der aus Entry, Middle -und Exit-Node besteht. Jeder Circuit hat eine "Lebensdauer" von zwei Stunden und akzeptiert nach dieser Zeit keine neuen Verbindungen mehr. Eure alte Verbindung läuft aber weiterhin über den eigentlich "toten" Circuit und benutzt so die gleiche Server-Kombination über den kompletten Zeitraum eurer Sitzung. Mit dem Einsatz erheblicher Ressourcen und einer Menge Zeit ist es möglich euch theoretisch zu deanonymisieren, deshalb solltet ihr bei einer längeren Nutzung die OpenVPN-Verbindung ab und zu (alle 1-2 Stunden) trennen und wieder neuaufbauen.

    Installieren Sie OpenVPN: sudo apt-get install openvpn
    Laden Sie die Konfigurationsdateien herunter: wget http://saveyourprivacy.net/SaveYourPrivacy-VPN.zip
    Extrahieren Sie die Konfigurationsdateien: unzip SaveYourPrivacy-VPN.zip
    Starten Sie OpenVPN: sudo openvpn --config saveyourprivacy.ovpn "

    OpenVPN ist kostenlos, gilt als hochgradig sicher, ist aber auch reichlich kompliziert: Während die Installation des Programms noch problemlos läuft (Windows-Nutzer werden hier die sogenannte GUI-Version vorziehen), ist der Erstaufbau eines VPN-Tunnels, die Konfiguration des eigenen virtuellen privaten Netzwerkes ein ziemlicher Akt. Man muss das regelrecht lernen: Während man die offiziellen Dokumentationen aus der Open-Source-Szene als Normal-User getrost vergessen kann, gibt es zum Glück aus der deutschsprachigen OpenVPN-Szene ein hinreichend verständliches Wiki: http://vpnforum.de/wiki/index.php/Hauptseite
    Trotzdem gilt bei OpenVPN: Aller Anfang ist mühsam - allerdings muss man den Prozess der Netzwerkkonfiguration auch nur einmal durchlaufen. Markus Feilner und Norbert Graf bieten beim "Linux Magazin" http://www.linux-magazin.de/online_artikel/openvpn_fuer_windows_rechner eine Schritt-für-Schritt-Anleitung aller notwendigen Schritte, die zumindest fortgeschrittenen Nutzern weiterhelfen dürfte.

    tinc (rpm, deb) is a Virtual Private Network (VPN) daemon that uses tunnelling and encryption to create a secure private network between hosts on the Internet. Because the tunnel appears to the IP level network code as a normal network device, there is no need to adapt any existing software. This tunnelling allows VPN sites to share information with each other over the Internet without exposing any information to others.

    How to Use a VPN and Tor together, bestvpn.com
    It also provides protection against malicious Tor exit nodes, and allows you to evade censorship via blocks on Tor exit nodes. You should be aware, however, that if an adversary can compromise your VPN provider, then it controls one end of the Tor https://www.bestvpn.com/guides/using-vpn-tor-together/

    Zenmate: Ihr sicherer und kostenloser Tunnel ins Internet, PC-WELT.de, 09.12.2018
    Die Browser-Erweiterung Zenmate für Chrome, Firefox und Opera ist ein genial einfaches Tool für eine sichere Verbindung ins Internet. Es baut nach einer einfachen Installation und Anmeldung eine verschlüsselte Verbindung zum VPN-Server von Zenmate im Internet auf. So kann niemand auf dem Weg dorthin mitlesen, was Sie im Internet anstellen. Da sich Browser-Erweiterungen ohne Administratorrechte installieren lassen, lässt sich das Zenmate-Plug-in auch auf einem Arbeitsplatz-PC installieren, auf dem Sie sonst keine Tools aufspielen können. Dank VPN-Verbindung kann dann selbst die IT-Abteilung Ihrer Firma Ihre Websiten-Zugriffe nicht mehr mitloggen.
    Die Browser-Erweiterung Zenmate lässt sich dauerhaft kostenlos nutzen, wenn auch nur mit eingeschränkter Leistung. Alternativ gibt es Zenmate auch als VPN-Client für Windows , der nicht nur den Browser unterstützt.

    Der Betreiber einer Exit-Node als solcher ist nicht anonym. Dadurch kann es vorkommen, dass, wenn jemand anderes Unsinn über Tor macht, die Polizei dann bei einem nachfragt bzw. man beschuldigt wird, dass man selbst die Straftat begangen hat. Auch Beschlagnahmung von Tor-Servern gab es bereits in Deutschland.
    [...] Es wurde in Deutschland auch noch nie ein Betreiber einer Exit-Node verurteilt (aber mittlerweile in Österreich - wegen Beihilfe zur Verbreitung von Kinderpornographie). Daher sollte man im Zweifelsfall unbedingt einen Anwalt hinzuziehen; auf den dadurch entstehenden Kosten wird man vermutlich sitzen bleiben, wenn man keine Rechtsschutzversicherung hat.


    Zwiebelfreunde: Polizei durchsucht Räume von Tor-Aktivisten, golem.de, 04.07.2018
    Aufgrund einer vagen Verbindung durch eine E-Mail-Adresse hat die Polizei Wohnungen und Vereinsräume von Mitgliedern des Vereins Zwiebelfreunde durchsucht. Doch den Betroffenen wird nichts vorgeworfen, sie gelten lediglich als Zeugen.
    Die Zwiebel ist das Symbol des Tor-Netzwerks.
    Polizeibeamte haben Vereinsräume des Zwiebelfreunde e. V. und die Wohnungen von dessen Vorstandsmitgliedern in Berlin, Dresden, Augsburg und Jena sowie einen Augsburger Hackerspace durchsucht. Laut einem Bericht des Spiegel ordnete die Generalstaatsanwaltschaft München die Durchsuchungen am 20. Juni an, um die Urheber eines Blogs zu finden. Diese hatten dazu aufgerufen, den AfD-Parteitag in Augsburg zu stören, der am vergangenen Wochenende stattfand.
    Eine direkte Verbindung zwischen dem Verein Zwiebelfreunde und der Website existiert nicht. Die Zwiebelfreunde haben sich der Förderung des Anonymisierungsnetzwerks Tor verschrieben, betreiben selbst Tor-Server und sind Ansprechpartner für Projekte, Presse und Behörden. Die Generalstaatsanwaltschaft sah jedoch einen indirekten Zusammenhang: Auf dem Anti-AfD-Blog war eine E-Mail-Adresse des Tech-Kollektivs Riseup als Kontakt angegeben. Die Zwiebelfreunde verwalten Spendengelder für die Gruppe, die unter anderem E-Mail-Accounts für linke Aktivisten und Gruppen anbietet.
    Den Betroffenen wird nichts vorgeworfen
    Der Mitgründer von Zwiebelfreunde, Moritz Bartl, sagte dem Spiegel, die von der Durchsuchung betroffenen Personen gelten nicht als Beschuldigte, sondern als Zeugen. Die Ermittlungsbeamten hätten gegenüber Bartl angegeben, dass sie die Blogbetreiber ermitteln wollten. Dafür hätten sie sowohl Vereinsgeräte und -dokumente als auch persönliche Gegenstände Familienangehöriger und Eigentum von Bartls Firma beschlagnahmt. Es sei ihm unmöglich, weiter seiner Arbeit nachzugehen.
    Im Interview mit Netzpolitik.org berichtete Jens Kubieziel, laut dem Durchsuchungsbeschluss seien die Behörden davon ausgegangen, Nutzerdaten in den Wohnungen zu finden. Er ist einer der Vorstände der Zwiebelfreunde und war selbst von den Polizeimaßnahmen betroffen. Dabei sei klar gewesen, dass diese nicht bei ihm lagerten: "Schon ein einfacher Anruf oder Besuch eines Polizisten hätte die Lage schnell aufklären können", sagte Kubieziel. Seine Frau erwähnte, die Polizisten hätten ihr nahegelegt, dass Kubieziel als Vorstand zurücktreten solle - sonst könne eine weitere Hausdurchsuchung drohen.
    Polizei interpretiert typisches Hackerspace-Inventar als Sprengstoffzutaten
    Bei der Durchsuchung des Augsburger Hackerspaces Openlab hatten die Polizeibeamten Gegenstände gefunden, die ihnen verdächtig vorkamen: Chemikalien, chemische Formeln an einer Tafel und ein bombenförmiges Plastikspielzeug. Derartige Gegenstände lassen sich wohl in zahlreichen Hacker- und Makerspaces finden, doch für die Ermittler genügte das, um Bartl und andere Anwesende festzunehmen und eines geplanten Sprengstoffanschlags zu beschuldigen. Es stellte sich heraus, dass die Gegenstände für das Ätzen von Platinen und 3D-Druck gedacht waren. Das hatten die Betroffenen nach eigenen Angaben bereits währenddessen versucht zu erklären.
    Im Openlab ist auch der Augsburger Ableger des Chaos Computer Club beheimatet. In einer Mitteilung verurteilte der CCC die Maßnahmen der Polizei: "Sowohl die initiale Verdachtsgewinnung gegen die Vorstände der Zwiebelfreunde als auch die nachfolgende Verdächtigung in Richtung Sprengstoff sind entweder inkompetent oder böswillig." Wenn das als Verdachtsmoment ausreiche, müsse "bald jeder Schüler sein Chemiebuch gut vor den Augen neugieriger Polizisten verstecken".
    Der CCC kündigte außerdem an, dass in der kommenden Folge des Podcasts Logbuch:Netzpolitik einer der Betroffenen über den Vorfall berichten wird. Die Folge erscheint am 6. Juli

    Invisible Internet Project (I2P): Die Alternative zu TOR, PC-WELT.de, 31.01.2018
    Das "Invisible Internet Project" arbeitet, anders als TOR, nach dem Peer-to-Peer-Prinzip, um ein alternatives Internet aufzubauen.

    Details about Tor and I2P, wiki.kairaven.de, 2018
    Block Cloudflare MiTM Attack, https://wiki.kairaven.de/open/anon/netzwerk/anet
    Seite 1
    Nicht anonym im Internet • Anonym und abgesichert im Internet • Anon-Netiquette
    Seite 2
    Tor und das Tor Netzwerk • Aufbau von Tor Tunnels • Transport über Tor Tunnel
    Seite 3
    Nicht anonyme Namensauflösung • Anonymisierte Namensauflösung über Tor • Das SOCKS Protokoll • Internetanwendungen mit SOCKS • SOCKS Wrapper und Proxy • DNS-Proxys • manuelle Namensauflösung • Kontrolle mit Paket-Sniffer
    Seite 4
    Tor installieren und starten • Mailinglisten • Projekte rund um Tor • Tor Browser • Tor Kontrolle • Arm • Vidalia
    Seite 5
    Tor mit der torrc konfigurieren • Tor als Onion Proxy • Tor als Onion Router • Bridges • Transport-Module
    Seite 6
    Tor Onion Dienste • Einrichtung von Tor Onion Diensten • Aufbau der Verbindungen mit und der Nutzung von Tor Onion Diensten

    Seite 7
    Privoxy Proxy • Installation und Start • Konfiguration • Weiterleitungen • Aktionen • Filter
    Seite 8
    I2P - das Invisible Internet Project • Installation • Konfiguration • Adressbücher und SusiDNS
    Seite 9
    I2P Einsatz - Standard-Anwendungen • E-Mails per Postman • Mailkonto einrichten und konfigurieren • E-Mails mit SusiMail • E-Mails mit Thunderbird
    Seite 10
    I2P Einsatz - Standard-Anwendungen • Datenaustausch mit I2Psnark • I2Psnark konfigurieren • Torrent erstellen und veröffentlichen • Torrent herunterladen
    Seite 11
    I2P Einsatz - Standard-Anwendungen • Eepsite Homepage • I2P-Webserver Servertunnel konfigurieren • Erweiterte Eepsite Netzwerkoptionen • I2P Einsatz - Plugins • Plugins & externe Anwendungen • Plugins installieren & nutzen

    OKDamit UNIX/Linux alles in allem gut und stabil läuft, kann man noch versuchen, wer weiß wieviele Libraries z.B. von PCLinuxOS (pclos) einzuspielen, auch mehrfach vorhandene unterschiedlicher Versionen, indem zugehörige Pakete unter rpm einfach mit der Option -i statt -u installiert werden. Damit wappnet sich Linux und läuft umso zukunftsicherer.

    OKNow it´s the time to think about installing more libraries than required like those from PCLinuxOS (pclos). There are some of the same name, but different version. You can install many of them by rpm with option -i instead of option -u. This makes UNIX/Linux even more a good, stable platform.

    OKFinally please check all your browser with iptraf (iptraf-ng(rosa2016.1, rosae2014.1)) for unwanted connections, best in mode for reverse IP lookup, so that all domain are shown within the first field. Block them with Linfw3 by adding belonging IP into the TCP-IP-blacklist, eventually together with their subnetmask (for example subnetmask stands for 24, so add blacklist-ip/24 ! Following our exurs, anonymizing TorDNS (Entry node of /etc/tor/torrc, if set) is used for the remote-host-DNS, so do not cut belonging IP out. The second field below the first one for TCP-connections should be always empty.

    Applying this, the IP-blacklist for TCP-INPUT (in Linfw3 also for TCP-OUTPUT) for browser Firefox-52.9 (ESR, slack, el6) and Pale Moon (28.2.x) anyway consists of the following IP:



    In the list there are IP for firefox-extensions trying to build-up connections (ABP, first IP of the list).

    What´s up now?
    Did you decide to use the secure "telescoped" tor-proxy (Tor, Tor-Browser or also named the Onion Router) free from secret agencies eavesdropping by building up connections through a once more anonymizing and protecting VPN (for example see https://www.saveyourprivacy.net with an own AGB, also providing Tor two exits (exit nodes) saveyourpivacyex1 and saveyourprivacyexit )? Laymen might still not trust it, where some experts like from above already swear for it...

    Trojaner-info namely reinforces VPN once again...:

    OKAnonym und getarnt im Tunnel: VPN Gateways, trojaner-info.de, 18.11.2018
    Einen höheren Schutz der Privatsphäre als Proxies versprechen VPN Lösungen.
    Sie gibt es als Freeware, aber auch zumeist als Premium-Version.
    Anonym und getarnt im Tunnel: VPN Gateways

    Tor-Proxy - Your Fritz!Box as a magic hat router, 26.05.2015
    With Fritz!Box-extension Freetz Fritz!Box is brought into the stealth-mode. Die Tor-Erweiterung erlaubt es bei Bedarf den gesamten ausgehenden Weltnetzverkehr über das anonyme Tor-Netzwerk zu leiten. Das Tor-Netzwerk leitet alle Anfragen - von Weltnetzseiten-Aufrufen und Suchanfragen bis hin zu Downloads - über drei verschiedene Server weltweit und versteckt damit deine IP-Adresse.
    Der Clou: Das Tor-Plugin leistet das alles direkt im Router: Jeder Computer und jedes Smartphone können somit mit wenigen Handgriffen anonym im Weltnetz surfen. Wer eine modifizierte Firmware mit seiner Fritz!Box verwendet, verliert die Gewährleistung des Herstellers. Im Test mit Freetz traten bei uns zwar keine Probleme auf, es kann aber vorkommen, dass etwa nach dem Flashen der Firmware die Fritz!Box nicht mehr erreichbar ist.

    OnionMail (Tor network, E-mail)
    Website: https://onionmail.info/
    OnionMail is a mail service which uses the Tor network, it provides 100% encryption to all E-mails by "not" using the traditional SMTP servers to send/receive mails and instead by routing the mails via the Tor network.
    It also makes use of "Asymmetric keys" for dual protection, in addition to advanced level spam detection and filtration in the mailboxes.
    What’s best is it also lets you select your server entry and exit nodes if you understand them.
    Considering it uses the onion network, there´s no doubt of it being off-the-grid, and secure, especially from the govt. censorship and regulations.
    Here´s a Detailed list of Anonymous and private E-mail service providers!

    OnionShare (Tor network, File-sharing)
    Website: https://onionshare.org/
    Onionshare is a file-sharing platform, available for Windows, Linux, MacOS, Ubuntu, Fedora and every other Linux distro.
    The working infrastructure is what makes it unique, anonymous and highly trust worthy.
    When a file is shared, it creates a temporary web server, on the Tor network, and gives you a random, long URL which is like a "download link" for your file.
    Note that your computer acts as the "host" for the download link so you don´t have to trust any third-party service to host your files and the files are never actually "uploaded" online.
    Also, you don’t have to share your name, email or anything else with the receiver hence keeping your identity a secret.
    It even has a "stealth mode" which protects the URL against hidden Tor nodes which may try to gain access to the file. Not to mention that the files are encrypted end to end so yes they can’t be intercepted no matter what.

    Tor Messenger
    trac.torproject.org/projects/tor/wiki/doc/TorMessenger On 29 October 2015, the Tor Project released Tor Messenger Beta, an instant messaging program based on Instantbird with Tor and OTR built in and used by default. Like Pidgin and Adium, Tor Messenger supports multiple different instant messaging protocols; however, it accomplishes this without relying on libpurple, implementing all chat protocols in the memory-safe language JavaScript instead.
    In April 2018, the Tor Project shut down the messenger project because the developers of Instantbird discontinued support for their own software.

    Third-party applications for Tor
    Vuze (formerly Azureus) BitTorrent client, Bitmessage anonymous messaging system and TorChat instant messenger include Tor support.
    The Guardian Project is actively developing a free and open-source suite of applications and firmware for the Android operating system to improve the security of mobile communications. The applications include ChatSecure instant messaging client, Orbot Tor implementation, Orweb (discontinued) privacy-enhanced mobile browser, Orfox, the mobile counterpart of the Tor Browser, ProxyMob Firefox add-on and ObscuraCam.

    Back in text to presented "Universal Linux" having performed suggested operations marked by hooks we notice by the following article, that -as we wrote in the introduction from this side high above - there is also no need for any maintenance (and hardware/-disk scan) anymore, same for updates, where there is almost probably no need for updating el6 etc. past year 2026:

    Small ABC of Linux-System maintenance, PC-WELT.de, 03.12.2018
    Komprimierter Ratgeber: Die wichtigsten Pflichten auf dem Linux-Desktop und Homeserver.

    KDE 4
    Smartphones: Access through MTP with KDE

    Wer ein Smartphone oder Tablet mit Android an einen Linux-PC per USB anschließt, bekommt erst mal keinen Zugriff auf die dort gespeicherten Dateien. Denn Android nutzt schon seit Version 3.x für den Dateiaustausch das Protokoll MTP (Media Transfer Protocol), das sich nicht als gewöhnliches USB-Speichermedium am System anmeldet. Linux kann daher nicht ohne Hilfsmittel auf diese Datenträger zugreifen.
    Installation kio-mtp (mga5)


    Neues Smartphone mit Plasma Mobile angekündigt, PRO LINUX, 01.12.2018
    Das KDE-Projekt kündigt zusammen mit dem finnischen Hersteller Necuno Solutions ein neues Smartphone mit Plasma Mobile an.
    Necuno mit Plasma Mobile
    Necuno Solutions ist ein in der Open-Source-Szene verwurzelter Hersteller von Smartphones für Unternehmen. Deren in der Entwicklung befindliches Smartphone hat laut Firmenphilosophie einen hohen Anspruch an Sicherheit und Schutz der Privatsphäre. So sollen etwa notwendige Firmware-Blobs keinerlei Zugriff auf den Speicher haben.
    Um auch die Gemeinschaft zu involvieren, hat das Unternehmen nun zusammen mit KDE bekannt gegeben, eine Version des Smartphones Necuno Mobile mit Plasma Mobile auszustatten. Bisher sind noch nicht allzu viele Informationen verfügbar. Das Gerät im Formfaktor 5,5 Zoll soll einen Aluminiumkorpus bekommen und neben den üblichen Tasten zum An- und Ausschalten und für die Lautstärkerregelung auch eine individuell belegbare Taste haben.
    Als SoC kommt der NXP i.MX6 Quad, ein ARM Cortex-A9-Chip zum Einsatz, die Vivante-GPU soll den freien OpenGL-Treiber Etnaviv verwenden. Leider setzt Necuno hier auf den älteren MX6-SoC und nicht wie Purism beim Librem 5 auf den neuen MX8.
    Als Kernel ist Linux 4.20 LTS vorgesehen. WLAN soll per SDIO-Karte realisiert werden und neben Ethernet wird auch LTE verfügbar sein. Darüber hinaus erwähnt das Datenblatt lediglich eine Audiobuchse, Micro-USB sowie Mikrofon und Lautsprecher. Eine Kamera wird ebensowenig erwähnt wie die Menge an Hauptspeicher.
    Damit wird neben dem Librem 5 von Purism derzeit ein zweites möglichst freies Smartphone entwickelt. Liegt beim Purism der Fokus auf dem hauseigenen PureOS mit Plasma Mobile als Alternative, so spielt KDE beim Necuno Mobile die erste Geige. Beide Geräte sind wichtig für die weitere Entwicklung von Plasma Mobile. So sagte denn auch Bushan Sha, einer der Plasma-Mobile-Entwickler, in der Ankündigung: "Es ist wichtig, dass Entwickler innerhalb des mobilen Ökosystems mit offenen Geräten arbeiten können, die leicht zu modifizieren und zu optimieren sind und nicht von Anbietern an ein bestimmtes Betriebssystem gebunden sind. Necuno Solutions arbeitet an einem solchen Gerät und wird letztendlich dazu beitragen, Plasma Mobile aufgrund seiner offenen Natur zu verbessern.

    Linux auf Samsung Galaxy-Smartphones, Pro-Linux, 19.10.2017
    Samsung hat angekündigt, dass es bald möglich sein wird, Linux auf den Smartphones Galaxy Note 8, S8 und S8+ zu betreiben.

    "Geräte, die Sicherheit und Privatsphäre zur Priorität machen, widersprechen dem Interesse der meisten Hersteller"
    KDE verkündet Zusammenarbeit mit Purism für offenes Smartphone
    , Pro-Linux, 14.09.2017
    Purism und KDE haben angekündigt, beim geplanten offenen und sicheren Smartphone Librem 5 zusammenzuarbeiten. Plasma Mobile von KDE soll als alternatives Betriebssystem für das Gerät entwickelt werden.
    Plasma Mobile auf dem Purism Librem 5
    KDE entwickelt seit einiger Zeit Plasma Mobile als vollständig freies Betriebssystem für Mobilgeräte. Dabei bildet das Android Open Source Project (AOSP) die Basis, während ein an die mobilen Verhältnisse angepasstes KDE Plasma die grafische Oberfläche stellt und viele bekannte KDE- und andere Anwendungen lauffähig sind. Plasma Mobile auf Geräte zu bringen, ist allerdings kein leichtes Unterfangen. Bei einigen heute erhältlichen Geräten ist es möglich, jedoch fehlen dann meist einige Treiber, die proprietär sind, und es ist nicht möglich, den vollen Funktionsumfang zu nutzen.
    Geräte, die Sicherheit und Privatsphäre zur Priorität machen, widersprechen dem Interesse der meisten Hersteller, wären für die Benutzer allerdings dringend angebracht. Deshalb hatte die Firma Purism vor drei Wochen einen Plan verkündet, das offene Linux-Smartphone Librem 5 zu entwickeln. Purism ist ein in San Francisco, USA, ansässiges Unternehmen, das sich den Prinzipien der freien Software verschrieben hat und als Unternehmen registriert ist, das soziale Ziele höher bewertet als Gewinne. Das erste Produkt von Purism war das Notebook Notebook Librem 13, das durch eine Crowdfunding-Kampagne finanziert wurde, die über eine Million US-Dollar erbrachte. Seit einem halben Jahr ist dieses Notebook, das versucht, moderne Technik mit möglichst viel Freiheit zu verbinden, mit Coreboot statt BIOS ausgestattet.
    Das Smartphone Librem 5 soll in einer Kampagne, die zwei Monate andauert, mit 1,5 Mio. US-Dollar finanziert werden. Die Kampagne läuft auf dem eigenen Online-Shop von Purism statt bei Crowdfunding-Anbietern. Während verschieden hohe Beträge zur Unterstützung des Vorhabens möglich sind, ist der niedrigste Preis, um in den Besitz eines Librem 5 zu kommen, 599 US-Dollar. Bisher hat die Kampagne allerdings erst ein Fünftel des erstrebten Betrags eingebracht.
    Das Librem 5 soll Sicherheit und Privatsphäre maximieren. Es ist dafür ausgelegt, dass viele Linux-Distributionen darauf laufen können, primär soll jedoch das eigene PureOS zum Einsatz kommen, das auf Debian beruht, komplett auf proprietäre Software, Treiber und Firmware verzichtet und auch die Anwendungen mit Bedacht wählt. Durch die jetzt verkündete Zusammenarbeit mit KDE wird das KDE-Projekt vollen Zugang zu den Spezifikationen erhalten. Daraus kann eine vollwertige oder bessere freie Alternative zu PureOS entstehen.
    Das Librem 5 wird mit einem 5-Zoll-Display nicht gerade klein und es soll sich mit einem externen Monitor, Tastatur und Maus in ein Arbeitsplatzsystem verwandeln lassen. Die geplante Hardware, die sich noch ändern kann, umfasst eine i.MX6/i.MX8 CPU, eine Vivante GPU mit Etnaviv-Treiber, 3 GB RAM, 32 GB eMMC, einen MicroSD-Slot, zwei Kameras, 3,5-mm-Anschlüsse für Mikrofon und Kopfhörer, WLAN, Bluetooth 4, interne Debugging-Schnittstellen, USB Host, USB Type-C, GPS, Sensoren wie Beschleunigungsmesser, Gyroskop, Kompass, Helligkeits- und Näherungssensoren und Hardware-Schalter für Kamera, Mikrofon, Baseband, WLAN und Bluetooth.
    Details können erst im Verlauf der Entwicklung genannt werden. Die Auslieferung von Entwicklerboards soll Mitte 2018 beginnen, die der kompletten Geräte im Januar 2019.

    Software::Security, Linux-Smartphone
    Librem 5 erreicht über 2 Millionen US-Dollar
    , Pro Linux, 24.10.2017
    Die Schwarmfinanzierung für das Linux-Smartphone der Firma Purism ging mit Zusagen für über 2 Millionen US-Dollar zu Ende.
    Auch wenn es zu Beginn der Kampagne nicht so aussah und viele Stimmen dem Projekt den Erfolg bereits damals absprachen: Das Librem 5 wird gebaut. Das Geld dazu kommt von rund 3.000 Unterstützern, die zusammen über zwei Millionen US-Dollar oder rund 140 Prozent der anvisierten 1,5 Millionen US-Dollar zusagten. Diese Summe, die zum Erfolg der Kampagne mindestens nötig war, wurde bereits am 10. Oktober, zwei Wochen vor dem Ende der Kampagne erreicht.
    Interessierte können sich auch weiterhin für ein Developer Kit für 299 US-Dollar, ein komplettes Librem 5 für 599 US-Dollar oder für eine der anderen Optionen in Kombination mit externen Displays entscheiden. Der Stand am heutigen Morgen weist über 2.131.000 US-Dollar aus und wächst weiter.
    [...] Nun geht es zunächst darum, die Hardware weiter einzugrenzen, mit der das Librem 5 ausgeliefert werden wird. Die bisherigen Tests mit Prototypen-Mainboards wurden hauptsächlich mit der i.MX-6-CPU der Firma NXP durchgeführt. Das Ziel ist es, im fertigen Produkt den Nachfolger i.MX-8 einzusetzen, da der i.MX-6 bereits jetzt veraltet ist. Das Problem ist hier jedoch, dass der freie Etnaviv-Treiber für den Vivante-Grafikchip im i.MX-8 noch nicht fertig ist.
    In rund einem Monat will Purism zudem bekanntgeben, welche Bedienoberfläche auf dem hauseigenen Betriebssystem PureOS für das Librem 5 entwickelt wird. Sowohl KDE als auch Gnome haben ihre Mitarbeit zugesagt.

    Purism startet Finanzierungskampagne für Linux-Smartphone, Pro-Linux, 25.08.2017
    Die Firma Purism plant ein Smartphone zu entwickeln, das Sicherheit und Privatsphäre zur Priorität erhebt. FÜr das "Librem 5" wurde jetzt eine Crowdfunding-Kampagne gestartet, bei der man bereits...

    LineageOS 16 in Arbeit, PRO LINUX, 01.12.2018
    LineageOS, eine Android-Modifikation mit Fokus auf Software-Freiheit und Datenschutz, hat die Arbeit an Version 16.0 begonnen, die Android 9 "Pie" entspricht.
    LineageOS war Ende 2016 aus der Asche von Cyanogenmod hervorgegangen, das bis zu diesem Zeitpunkt eine der populärsten Android-Abwandlungen war. Cyanogenmod musste eingestellt werden, nachdem sich die Firma hinter dem Projekt finanziell übernommen hatte und einige erhoffte Geschäfte nicht zustande kamen. LineageOS dürfte inzwischen eine große Beliebtheit als Android-Alternative erlangt haben, insbesondere bei Benutzern, die aus Datenschutzgründen auf alle Google-Apps verzichten wollen.

    Malware: Jedes dritte Handy infiziert, trojaner-info.de, 12.11.2018
    SIM-Karten-Sperre und Lokalisierungsfunktion sind häufigste Schutzmaßnahmen.
    Gelöschte Daten, exzessive Werbung oder verschlüsselte Geräte: Schadprogramme auf Smartphones sind für viele Nutzer ein Problem. Mehr als jeder dritte Smartphone-Nutzer (35 Prozent) wurde in den vergangenen 12 Monaten Opfer von bösartiger Software. Das ist das Ergebnis einer repräsentativen Umfrage im Auftrag des Digitalverbands Bitkom unter 1.021 Smartphone-Nutzern in Deutschland.
    Infektionsquelle Apps
    [...] Dazu erklärt Susanne Dehmel, Mitglied der Bitkom-Geschäftsleitung:
    "Bösartige Software versteckt sich häufig in scheinbar harmlosen Apps"
    "Bei der Installation dieser Apps infiziert sie dann automatisch das Smartphone."

    Sicherheitsmaßnahmen der Nutzer
    Um das eigene Smartphone zu schützen, setzen Verbraucher auf unterschiedliche Sicherheitsmaßnahmen:

    Drei Viertel (76 Prozent) haben einen SIM-Karten-Schutz aktiviert, der das Smartphone sperrt, sobald die SIM-Karte entfernt wird.
    Über die Hälfte (53 Prozent) hat eine Lokalisierungsfunktion aktiviert, mit der ein verlorenes Gerät wieder aufgespürt werden kann.
    Vier von zehn Nutzern (40 Prozent) haben ein Virenschutzprogramm installiert
    gut ein Drittel (34 Prozent) erstellt regelmäßig Backups der Smartphone-Daten in der Cloud oder auf dem privaten Computer.
    Nur 3 Prozent nutzen überhaupt keine Sicherheitsdienste.
    Um den Smartphone-Bildschirm zu sperren, setzen viele mittlerweile auf biometrische Daten: Per Fingerabdruck sichert gut ein Drittel (35 Prozent) den Handy-Bildschirm,
    4 Prozent sperren über die Gesichtserkennung des Geräts.
    Erst 2 Prozent der Smartphone-Nutzer tun dies über einen Iris-Scanner.
    Klassisch per Code oder PIN sperren fast zwei Drittel (64 Prozent) den Bildschirm,
    vier von zehn (41 Prozent) nutzen dafür ein Muster.

    Bitkom Tipps für sichere Smartphone-Nutzung

    Vorsicht beim Kauf alter Handys

    Die regelmäßige Aktualisierung von Smartphone-Betriebssystemen wie Android oder iOS dient dazu, neue Funktionen der Software einzuführen und mögliche Sicherheitslücken zu schließen. Viele ältere Geräte werden jedoch wegen technischer Einschränkungen nicht mehr mit neuen Updates versorgt. Sicherheitslücken der Vorgängerversionen bleiben somit bestehen.

    Regelmäßig Updates installieren

    Was für das Betriebssystem gilt, gilt auch für die installierten Apps. Software-Entwickler arbeiten permanent daran, Fehler in den Anwendungen aufzuspüren und Schwachstellen zu beheben. Hierfür werden regelmäßig neue Software-Versionen veröffentlicht. Betriebssystem und Apps sollten daher stets auf die neueste Version aktualisiert werden.

    Achtung bei der App-Auswahl

    Nutzer sollten Apps nur aus verifizierten Shops und offiziellen App-Stores herunterladen. Die Betreiber der großen App-Plattformen scannen das App-Angebot nach schädlichen Programmen und legen bestimmte Sicherheitsstandards an die Veröffentlichung von Apps in ihrem Store an.

    Bildschirmsperre nutzen

    Eine Bildschirmsperre schützt das eigene Smartphone vor einem ungewollten Zugriff durch Dritte. Sperr-Muster gelten dabei nicht als sicher, da die Wischbewegungen auf dem Display erkennbar sein können. Ein möglichst sechsstelliger Zahlen-PIN ist hingegen schwerer nachzuvollziehen. Die PIN für die SIM-Karte sollte ohnehin immer aktiviert sein.

    Fremden Geräten nicht automatisch vertrauen

    Möchte man sein Smartphone mit einem fremden Gerät verbinden, sei es für den Austausch von Daten oder nur zum Laden, sollte man beachten, dass das fremde Gerät auch zum Angreifer werden kann. Insbesondere bei Funk-Verbindungen ist Vorsicht geboten.

    Verschlüsselungs-Funktionen nutzen

    Die Verschlüsselung des Dateisystems eines Smartphones sichert darauf gespeicherte Daten wie Fotos, Passwörter, Kurznachrichten, Kontakte, Anruflisten oder den Browserverlauf. Im Falle eines Diebstahls sind die Daten für den Dieb wertlos.

    Virenscanner und Firewall installieren und aktivieren

    Durch immer neue Angriffsmuster von kriminellen Hackern kann Schadsoftware - so genannte Malware - über App Stores, Webseiten, E-Mails oder per SMS auf das Smartphone gelangen. Virenscanner-Apps können Bedrohungen durch Malware frühzeitig erkennen und blockieren. Eine Firewall-App überwacht die Netzwerkaktivitäten aller aktiven Apps und sorgt dafür, dass nur vertrauenswürdige Apps auf das Internet zugreifen können.

    Keine fremden USB-Ladegeräte nutzen

    Vor allem öffentliche USB-Ladestationen sind oftmals nicht vertrauenswürdig. Hackern ist es bereits gelungen, über manipulierte USB-Stecker und -Netzteile Daten aus Mobilgeräten zu ziehen. Wer auf Nummer sicher gehen will, verwendet ein so genanntes "USB-Kondom", eine Platine, die zwar Ladestrom, aber keine Daten passieren lässt.

    Backups für Handydaten einrichten

    Durch regelmäßige Sicherungskopien, auch Backups genannt, bleiben persönliche Daten auch dann erhalten, wenn das Gerät defekt ist oder verloren geht. Die gesicherten Daten lassen sich anschließend auf einem neuen Gerät problemlos wiederherstellen. Das Backup der Daten kann als Synchronisation mit dem Heim-PC, mit Hilfe eines Massenspeichers wie einer Micro-SD-Karte oder in einem Cloud-Speicher erfolgen....



    Firefox ESR 60 (Firefox ESR >52.9): Webextensions verhindern die Installation zahlreicher Extensions wie gegen Tracker und Server-Datenaustausch abzielendes RequestPolicyBlockContinued (hilft nur teilweise: JavaScript abschalten und/oder ABP allein in empfohlener Konfiguration oder Browser PaleMoon verwenden). Erst Firefox >=64 ermöglicht wieder das Blocken.

    So groß ist die Bedrohung, PC WELT, 01.10.2017
    Laut der aktuellen Studie "Industriespionage 2012" ist bereits über die Hälfte aller Unternehmen in Deutschland Opfer von Industriespionage geworden. Schätzungen gehen dahin, dass der finanzielle Schaden für deutsche Unternehmen durch Industriespionage bei etwa 4,2 Miliarden Euro pro Jahr liegt. Das ist ein Anstieg um 50 Prozent seit der letzten Studie 2007.
    "Die Hackerangriffe auf Sony, Google, die Nato oder den IWF zeigen, dass die Cyber-Kriminellen Ziele und Taktiken radikalisiert haben. Diese veränderte Bedrohungslage macht ein grundlegendes Umdenken in Bezug auf Informationsschutz, speziell die IT-Sicherheit, Mitarbeiterbindung und die Grundregeln für den Wissensaustausch erforderlich", sagt Christian Schaaf, Studienleiter und Geschäftsführer von Corporate Trust.
    "Wenn es um den Schutz des eigenen Know-how geht, ist es zwar wichtig, ein vernünftiges Bewusstsein für die Risiken zu haben, es ist jedoch ebenso wichtig, ein gesundes Vertrauen in die eigenen Sicherheitsvorkehrungen und die Zuverlässigkeit seiner Mitarbeiter (wie insbesonders Netz- und Systemadministratoren) zu setzen", so Schaaf.

    Überwachungskapitalismus, STERN.de, 03.02.2019
    [...] Wie es soweit kommen konnte, wie die Politik das auch lange zulassen konnte, ist nicht so einfach zu fassen, nicht so einfach zu erklären.
    Derzeit ist es die US-Autorin Shosana Zuboff, eine ehemalige Harvard-Professorin, die in ihrem Buch "Das Zeitalter des Überwachungskapitalismus" Phänomene wie Facebook - und damit auch die Ursachen der Zuckerbergschen Hybris - sehr hellsichtig analysiert. "Überwachungskapitalisten", argumentiert sie unter anderem, verdienen ihr Geld, indem sie das privaten Verhalten ihrer Nutzer ausbeuten. Und dabei ist es diesen Kapitalisten völlig egal, was für Daten das sind. Die "Überwachungskapitalisten", so die These, bewerten nichts moralisch. Sie bewerten es nicht einmal politisch. Hauptsache, sie kriegen Daten.

    From News&Links#computer :

    36 Millionen Euro: ZITiS baut Supercomputer zur Entschlüsselung
    , netzpolitik.org, 16.10.2018
    Die Hacker-Behörde ZITiS will einen Hochleistungsrechner bauen, um verschlüsselte Daten zu entziffern. Das geht aus dem 36 Millionen Euro teuren Haushaltsentwurf der Behörde hervor, den wir veröffentlichen. Nach wie vor sucht ZITiS Staats-Hacker, aktuell ist nur die Hälfte der Stellen belegt.
    Die IT-Behörde ZITiS soll nächstes Jahr 36,7 Millionen Euro bekommen, 20 Prozent mehr als dieses Jahr. Die vor anderthalb Jahren gegründete "Zentrale Stelle für IT im Sicherheitsbereich" hilft Polizei und Geheimdiensten bei der technischen Überwachung. Wir veröffentlichen an dieser Stelle das bisher unveröffentlichte ZITiS-Kapitel aus dem Bundeshaushalt sowie eingestufte Informationen aus dem Bundesinnenministerium.
    Von diesem Geld wollen die staatlichen Hacker "hochmoderne technische Ausstattung" kaufen. Ganz oben auf der Wunschliste steht ein Hochleistungsrechner, "der vorrangig im Bereich der Kryptoanalyse genutzt wird" - also zur Entschlüsselung. Dieser Supercomputer hat "höchste Priorität" für die ZITiS-Abnehmer Verfassungsschutz, Bundeskriminalamt und Bundespolizei.
    Vor zwei Wochen wurde bekannt, dass ZITiS auch einen Quantencomputer einsetzen will. Ob Supercomputer und Quantencomputer verschiedene Projekte sind, will ZITiS auf Anfrage nicht verraten: "Zu unseren Projekten und verwendeten Technologien können wir keine Auskunft geben." Da die Entwicklung nutzbarer Quantencomputer jedoch noch in den Kinderschuhen steckt, dürfte der Hochleistungsrechner ein eigenes Projekt sein, der zeitnah in Betrieb gehen soll.
    Staatstrojaner für mobile Endgeräte
    In den anderen Arbeitsfeldern rüstet ZITiS ebenfalls auf, wobei zwei besonderes Gewicht erhalten. Im Bereich der Digitalen Forensik forscht und entwickelt ZITiS unter anderem an "Passwortsuche" und der "Auswertung von Smartphones". Bisher haben Polizeibehörden sieben verschiedene Software-Tools gekauft, um beschlagnahmte Mobilgeräte auszulesen. Dieser Wildwuchs soll bei ZITiS vereinheitlicht werden.
    Im Bereich Telekommunikationsüberwachung (TKÜ) arbeitet ZITiS an zwei Projekten, die bisher beim BKA angesiedelt waren. ZITiS setzt das "Projekt INTLI" (Internationale Zusammenarbeit in der TKÜ) fort, "das sich mit der Standardisierung des Austauschs von TKÜ-Daten auf Grundlage der Rahmenrichtlinie Europäische Ermittlungsanordnung beschäftigt". Die EU-Richtlinie ermöglicht grenzüberschreitende Überwachung von Telekommunikation.
    ZITiS will auch die Entwicklung von Staatstrojanern vorantreiben. Mit dem "Projekt SMART" soll ZITiS das BKA unterstützen "bei der Entwicklung einer Quellen-TKÜ-Lösung für mobile Endgeräte", also einem Trojaner zum Abhören von Kommunikation. Das BKA hatte für sechs Millionen Euro den Staatstrojaner "RCIS" programmiert, der seit diesem Jahr auch Smartphones infizieren und abhören kann. Jetzt wollen ZITiS und BKA die Software gemeinsam weiterentwickeln.
    Hacker gegen IT-Unsicherheitsbehörde
    Insgesamt will ZITiS nächstes Jahr mehr als zehn Millionen Euro für Investitionen ausgeben, über elf Millionen sind für Personal geplant. Das Innenministerium bezeichnet die Personalgewinnung als "anspruchsvoll" und "eine zentrale Herausforderung". Vom Behördensprech übersetzt: Nur wenige IT-Experten wollen für den Staat hacken. Der BND nannte das mal "knappe Ressource brillantes Personal".
    Derzeit hat ZITiS erst "74 der im Kalenderjahr 2018 zur Verfügung stehenden 150 Planstellen belegt". Fast die Hälfte der bisher eingestellten Mitarbeiter*innen ist in Verwaltung und Leitung tätig. Das existierende "MINT-Fachpersonal" arbeitet nicht nur in der Umsetzung der Aufgaben, sondern auch bei internen IT-Diensten und Beratung. Zwei Drittel der Angestellten kommen aus anderen Behörden, nur ein Drittel sind "Externe".
    Falk Garbsch, Sprecher des Chaos Computer Clubs, kommentiert gegenüber netzpolitik.org:

    Es ist gut zu sehen, dass Hacker offenbar keinerlei Interesse haben, für eine IT-Unsicherheitsbehörde zu arbeiten. Die Community hat schon vor vielen Jahren verstanden, was verbohrte Politiker nicht akzeptieren wollen: Das Ausnutzen und Offenhalten von Sicherheitslücken ist ein nachhaltiges Risiko für Unternehmen, kritische Infrastrukturen und Zivilgesellschaft. Statt Steuergelder in absurde Angriffsphantasien zu verschwenden, wird es Zeit für Investitionen in das konsequente Schließen von Sicherheitslücken.

    Der Regierungsentwurf zum Bundeshaushalt 2019 wird derzeit im Bundestag verhandelt. Bisher hat die Große Koalition keine Änderungen bezüglich ZITiS beantragt oder beschlossen. Anträge der Opposition werden üblicherweise abgelehnt. Ende November soll der Haushalt im Bundestag verabschiedet werden.
    Hier die Dokumente in Volltext:
    Ministerium: Bundesministerium des Innern, für Bau und Heimat
    Stand: 17. August 2018

    From News&Links#NSA&Co. :

    Internetknotenpunkt De-Cix Gericht billigt BND-Abhörpraxis, 31.05.2018
    Der Internetknotenpunkt De-Cix in Frankfurt ist der größte der Welt. Das macht sich auch der BND zunutze und greift Daten ab. Dagegen hatte der Betreiber geklagt. Nun hat das Bundesverwaltungsgericht geurteilt.
    Der Bundesnachrichtendienst (BND) darf weiterhin in großem Umfang Daten beim Internet-Knoten De-Cix aus Frankfurt am Main abzapfen. Das entschied nach dpa-Informationen das Bundesverwaltungsgericht.
    De-Cix (Deutsche Commercial Internet Exchange) hatte gegen den Eingriff des BND geklagt. Dieser überwache ohne konkreten Verdacht. Dabei würde auch rein inländische Telekommunikation beobachtet. Dies lasse das Gesetz zur Beschränkung des Brief-, Post- und Fernmeldegeheimnisses jedoch nicht zu. Es ermächtige lediglich zur überwachung von internationaler Telekommunikation.
    Richter: BND darf überwachen
    Dieser Argumentation folgten die Richter nicht und stärkten dem BND mit ihrem Urteil den Rücken. Der Geheimdienst sei berechtigt, auf Anordnung des Bundesinnenministeriums internationale Telekommunikation zu überwachen und aufzuzeichnen.
    Für den Schutz der Bürger sorgt laut Bundesregierung die G-10-Kommission des Bundestages. Sie muss die Eingriffe in das Fernmeldegeheimnis erlauben.
    Wie wichtig die Datenüberwachung für den Geheimdienst ist, zeigt eine Äußerung von Ex-Chef Gerhard Schindler: In vertraulicher Runde hatte er gesagt, ohne Fernmeldeaufklärung "kann ich den Laden dichtmachen". Inländische Kommunikation ausgeschlossen
    Um inländische Kommunikation aus der Überwachung auszuschließen, verwendet der BND laut eigener Auskunft ein mehrdimensionales Filtersystem. Man nehme auch Browser- und Programmeinstellungen mit in den Blick, Geodaten und mehr, um ein Gesamtbild zu bekommen und deutsche Nutzer auszusortieren.
    Die Filter sollen zu mehr als 99 Prozent wirksam sein. Wenn am Ende immer noch irrtümlich eine E-Mail eines Deutschen durch den Filter rutsche, dann werde sie per Hand entfernt, das komme aber nur selten vor. Anders als von De-Cix behauptet, gebe es deshalb keinen Rechtsbruch.

    Mehr als sechs Terabyte pro Sekunde
    Der Frankfurter Knotenpunkt besteht seit 1995. Mit zeitweise mehr als sechs Terabyte pro Sekunde weist er den höchsten Datendurchsatz weltweit auf. Auch ein Großteil des deutschen Internetverkehrs läuft dort hindurch.
    Aktenzeichen: BVerwG 6 A 3.16

    Kooperation von BND und NSA: Heimliche Amtshilfe unter Freunden, Tagesschau, 25.06.2014
    Der BND hat jahrelang Daten eines Frankfurter Internetknotenpunkts an die NSA weitergegeben. Nach Recherchen von NDR, WDR und "SZ" leitete er mindestens von 2004 bis 2007 abgefangene Rohdaten direkt an den US-Dienst. von Georg Mascolo, NDR
    In Frankfurt laufen die Fäden zusammen. Hier verbindet die weltweit größte Internet-Schnittstelle die Netze von mehr als 50 Ländern. Daten aus Russland fließen über Frankfurt beispielsweise in den Nahen Osten. Schon immer hatten die Amerikaner ein Auge auf Frankfurt geworfen und drängten auf einen direkten Zugriff auf die Glasfasernetze. Bereinigt um die Daten deutscher Bürger soll der BND drei Jahre lang der NSA Datenmaterial zur Verfügung gestellt haben. Vor allem Telefonate sollen so direkt in die Computer der NSA geleitet worden sein. Über den Umfang der Datenweitergabe gibt es widersprüchliche Angaben. Während einige Quellen sie als "sehr umfassend" beschreiben, heißt es in BND-Kreisen, es habe sich zwar um große Mengen gehandelt, aber nur eine von mehreren Leitungen sei betroffen gewesen. Erst 2007 soll die Operation vom damaligen BND-Chef Uhrlau gestoppt worden sein. Auch im Kanzleramt war man zu dem Schluss gekommen, dass die Aktion "viel zu heikel ist", so ein damals Beteiligter. Gegen den Protest der NSA wurde das Projekt eingestellt. Die gemeinsame Operation soll den Recherchen zufolge 2004 begonnen haben und war auch im Kanzleramt bekannt. Offenbar sind aber weder das Parlamentarische Kontrollgremium noch die Bundestagskommission, die für die Abhörmaßnahmen der Geheimdienste zuständig ist, jemals über die damalige Operation informiert worden.

    "Ich bin noch nie so belogen worden"
    #34c3: Die Lauschprogramme der Geheimdienste
    , netzpolitik.org, 29.01.2018
    "Ich bin noch nie so belogen worden", sagte Hans-Christian Ströbele über seine Arbeit im NSA-BND-Untersuchungsausschuss. In einem Gespräch mit Constanze Kurz resümiert der grüne Politiker die Ergebnisse der parlamentarischen Untersuchung.

    Staatstrojaner stoppen!
    Verfassungsbeschwerde gegen den Staatstrojaner - für sichere und vertrauenswürdige IT
    , digitalcourage.de, gesehen am 09.09.2018
    "Der Staatstrojaner ist ein Schlag ins Gesicht all derer, die an unsere parlamentarische Demokratie glauben", sagte Digitalcourage-Vorstand padeluun im ZDF-Morgenmagazin.

    Die Große Koalition schlägt mit den Staatstrojanern gefährliche Sicherheitslücken in all unsere Smartphones und Computer. Der Plan: Jedes Gerät bekommt eine Hintertür, durch die staatliche Hacker und Kriminelle nach Lust und Laune einsteigen können. Kommunikation wird mitgehört, Verschlüsselung wird gebrochen, Daten werden gesammelt und Geräte, Netzwerke und ganze Clouds werden manipuliert. Das ist katastrophal für Zivilgesellschaft, Behörden und Unternehmen. Der Staat missachtet seine Pflicht, Bürgerinnen und Bürger zu schützen, wenn er Sicherheitslücken gezielt offen hält, anstatt sie zu schließen.
    Mit einer Verfahrenslist wurde das Gesetz ohne große öffentliche Diskussion durch den Bundestag gedrückt, doch es kollidiert klar mit Urteilen des Bundesverfassungsgerichts. Darum gibt es gute Chancen, das Gesetz zu kippen - wir müssen es nur tun!
    Helfen Sie uns, die Staatstrojaner mit einer Verfassungsbeschwerde vor dem Bundesverfassungsgericht zu stoppen!

    Wichtig: Geben Sie diese Info auch an Freunde, Nachbarinnen und Kollegen weiter! Denn der Staatstrojaner schlägt eine Sicherheitslücke in jedes Kommunikationsgerät!

    From News&Links#Alternatives :

    OK( maybe in future) Kommunikation im Netz: Abhörsicher mithilfe der Quantenphysik?, tagesschau.de, 16.12.2018
    Wer im Internet miteinander kommuniziert, hinterlässt unweigerlich Spuren. Wiener Forscher wollen jetzt ein Verfahren entwickelt haben, das die Kommunikation auch in einem größeren Netzwerk abhörsicher macht.
    Die Quantenkryptografie will in Zukunft eine abhörsichere Kommunikation im Internet ermöglichen. Österreichische Forscher haben nun - nach eigenen Angaben - eine wichtige Hürde auf diesem Weg genommen. Ihnen gelang, dass vier Teilnehmer eines Netzwerkes abhörsicher kommuniziert haben. Die Wissenschaftler um Rupert Ursin vom Wiener Institut für Quantenoptik und Quanteninformation der Österreichischen Akademie der Wissenschaften haben ihre Forschung im britischen Fachblatt "Nature" vorgestellt. Nach Angaben der Wissenschaftler lässt sich das Netzwerk einfach erweitern - und könnte so für eine breite Anwendung infrage kommen.
    Herkömmliche Verschlüsselungstechnologien bieten nur relativen Schutz, sagt Rupert Ursin von der Akademie der Wissenschaften im Gespräch mit dem ORF. "Wenn ich meine E-Mails lese, könnte ein Dritter im Prinzip beliebig viele Kopien davon anfertigen - und es würde niemand bemerken. Bei der Quantenkryptografie ist das unmöglich. Wenn Hacker versuchen, eine Quantenbotschaft zu belauschen, hinterlassen sie unweigerlich eine Spur. Das ist ein Naturgesetz."
    Die Quantenkryptographie nutzt dabei ein Phänomen der Quantenphysik. Nach deren Regeln können zwei Teilchen einen gemeinsamen Zustand bilden, auch wenn sie anschließend über weite Entfernungen getrennt werden. In diesem Zustand der Verschränkung sind die Eigenschaften der beiden individuellen Teilchen unbestimmt. Wird dann bei einem der beiden Teilchen eine Eigenschaft wie beispielsweise die Schwingungsrichtung gemessen, nimmt das andere Teilchen augenblicklich eine korrespondierende Eigenschaft an. Die Verschränkung endet. Auf diese Weise ist es möglich, abhörsicherer Schlüssel bei Sender und Empfänger zu erzeugen.
    Lauscher können Anwesenheit nicht verschleiern
    Entscheidend ist: Der Schlüssel kann von Hackern nicht abgefangen werden. Denn es werden nur einzelne Lichtteilchen (Photonen) ausgetauscht. Und nach den Gesetzen der Quantenphysik ist es unmöglich, den Quantenzustand eines einzelnen Lichtteilchens ohne Fehler zu kopieren. Ein Lauscher kann seine Anwesenheit daher nicht verschleiern und würde sich sofort verraten. Die verschlüsselte Nachricht wird dann auf klassischem Weg ausgetauscht.
    Bisher nur bei zwei Teilnehmern nachgewiesen
    Bisher ließen sich auf diese Weise meist jedoch nur zwei Teilnehmer mit einer garantiert abhörsicheren Leitung verbinden. Weitere Verbindungen seien kompliziert, fehleranfällig und mit Kommunikationseinschränkungen behaftet.
    Das Team versorgte nun vier Teilnehmer aus einer zentralen Quelle mit verschränkten Photonen, sodass alle vier miteinander kryptographische Schlüssel erzeugen und für eine abhörsichere Kommunikation verwenden konnten. "Ein entscheidender Vorteil dieser Architektur ist ihre Flexibilität", betont Ursin in einer Mitteilung der Akademie. "Wir sind damit in der Lage, neue Kommunikationspartner in das Quantennetzwerk zu integrieren - und zwar mit lediglich minimalen Eingriffen. Damit ist gezeigt, dass Quantennetzwerke Realität werden können - für Jedermann."

    OKTransportverschlüsselung Teil 3, HTTPS mit TLS 1.3 in der Praxis, 11.06.18 | Autor / Redakteur: Filipe Pereira Martins und Anna Kobylinska / Peter Schmitz
    TLS 1.3 verspricht mehr Sicherheit von verschlüsselten HTTPS-Verbiundungen. Leider ist die Implementierung voller Tücken und Überraschungen.
    Wem die Sicherheit von HTTPS-Verbindungen am Herzen liegt, der ist gut beraten, die TLS-Konfiguration zu überdenken, denn ohne eine moderne Transportverschlüsselung sind gute Vorsätze beim Datenschutz nur ein Papiertiger. Zwar ist TLS 1.3 nun offiziell aus den Startlöchern, aber die Implementierung ist leider voller Tücken und Überraschungen.
    Da die Verwundbarkeiten des TLS-Protokolls bis einschließlich Version 1.2 allgemein bekannt sind (siehe dazu den Bericht "TLS 1.3 - Viel heiße Luft oder ein großer Wurf?") ist davon auszugehen, dass das Herumschnüffeln an vermeintlich "verschlüsselten" HTTPS-Verbindungen öfter vorkommen dürfte als einem lieb sein mag. TLS 1.3 verspricht Abhilfe.
    Leider ist die Implementierung voller Tücken und Überraschungen.
    Es beginnt schon damit, dass ein völliger Verzicht auf TLS 1.2 als einen Fallback für Clients mit fehlender Unterstützung für TLS 1.3 vorerst nicht in Frage kommt.
    Server-Unterstützung für TLS 1.3 mit einem TLS 1.2-Fallback einrichten
    Die Umsetzung von TLS 1.3 setzt so Einiges an Handarbeit voraus.

    Schritt 1: Ein Kernel-Upgrade installieren:

    Der Einsatz von TLS 1.3 steht und fällt mit einem Linux-Kernel ab der Version 4.13 ("1600 LoC-Patch"). Linux-Kernel bis einschließlich Version 4.12 unterstützten nur maximal AES-128-GCM (gemäß RFC 5288) und scheiden damit aus. Die AEAD-Verschlüsselung, die TLS 1.3 automatisch erwartet, ist erst mit dem sogenannten 1600 LoC-Patch möglich. Mit diesem Patch kann Linux erstmals die Verschlüsselung für eine bereits bestehende Verbindung intern im Kernel (ab Version 4.13) handhaben. Der User-Space übergibt dem Kernel die Kryptoschlüssel für eine bereits aufgebaute Verbindung, sodass die Verschlüsselung transparent innerhalb des Kernels stattfindet. CentOS/RHEL in der Version 6 bleiben mit ihrem 2.6.x-er Kernel außen vor.

    Schritt 2. Ein OpenSSL-Upgrade einspielen:

    Linux-Distributionen richten standardmäßig "stabile" (sprich: veraltete) Versionen der OpenSSL-Bibliothek ein, die mit TLS 1.3 bisher nicht zu Recht kommen. OpenSSL muss in der Version 1.1.1 Beta 4 oder neuer vorliegen.

    Schritt 3. Zertifikate von einer Zertifizierungsstelle (CA) beschaffen und einrichten:

    Zertifizierungsstellen (CAs) gibt es wie Sand am Meer. Doch in der Vergangenheit waren SSL-Zertifikate ein schmerzhafter Kostenpunkt. Dank der kostenfreien SSL-Zertifikate von Let´s Encrypt hat sich endlich dieses Problem größtenteils erledigt. Die leistungsstarke API sorgt für eine schmerzlose Automatisierbarkeit auf allen Unix/Linux-Derivaten.

    Schritt 4. Den Webserver konfigurieren:

    Wer die benötigten SSL-Zertifikate installiert hat, kann sich im nächsten Schritt der Server-Konfiguration widmen. Die Details der Implementierung hängen von der Art und Versionsnummer des Webservers ab. Grundlegende Parameter zum Aktivieren der SSL-Verschlüsselung in Apache, Nginx, Lighttpd, HAProxy und AWS ELB lassen sich einem Online-Assistenten wie dem SSL Configuration Generator von Mozilla entnehmen. Leider halten sich die Fähigkeiten dieses Werkzeugs in argen Grenzen. Es fehlt hier u.a. die Unterstützung für TLS 1.3 und auch TLS 1.2 leidet unter mangelnder Beachtung (Diffie-Hellman gefälligst? Fehlanzeige). Die Übernahme von Konfigurationsparametern für die TLS-Verschlüsselung nach dem Fertiggericht-Prinzip gehen nach hinten los.

    Sicherheitsbewussten Administratoren bleibt nichts anderes übrig als die fehlenden Parameter für den eigenen Webserver samt der passenden Syntax selbst zu eruieren. Zu den wichtigsten Ergänzungen bzw. Korrekturen zählen:

    Aktivieren der Unterstützung für HTTP/2
    Umlenkung von HTTP-Anfragen auf HTTPS
    Unterbinden von Protokoll-Downgrades auf HTTP unter Verwendung von HSTS
    Einrichtung von Browser-Anweisungen mit Hilfe von Sicherheits-Headern (HTTP Security Headers, verfügbar nur mit HTTPS): HTTPS-Sicherheitsheader sorgen für die Übergabe von Anweisungen durch den Webserver an einen (kompatiblen) Webbrowser, um sein Verhalten zu beeinflussen. Zum Schutz gegen Downgrade-Attacken und Cookie-Hijacking lässt sich unverschlüsselte Kommunikation mit dem so genannten HSTS-Header deaktivieren (HSTS steht für HTTP Strict Transport Security). Gegen Clickjacking-Attacken hilft ein X-Frame-Options-Header. Um das Aushebeln von deklarierten Mime-Typen zu verhindern, kommen X-Content-Type-Optionen zum Einsatz. Für den Schutz gegen Cross-Site-Request Forgeries (kurz: X-XSS) zeichnet der X-XSS-Protection-Header verantwortlich. Diese Einstellungen können die verfügbare Angriffsfläche stark reduzieren.
    Deaktivieren verwundbarer Protokollversionen: Als sicher gelten derzeit nur TLS 1.2 und TLS 1.3
    Optimieren der TLS 1.2-Konfiguration zur Härtung durch den Verzicht auf verwundbare Cipher-Suites: Als verwundbar gelten alle Cipher-Suites außer ECDHE- und DHE-basierter Varianten

    Eine nicht zu unterschätzende Verwundbarkeit, die sich durch die Umstellung auf HTTPS nicht von selbst erledigt, stellt JavaScript-Code von externen Domains dar. Ein klassisches Beispiel sind Werbeeinblendungen. Mit einer aktivierten CSP-Richtlinie (kurz für Content Security Policy) können Website-Betreiber für eine erhöhte Sicherheit sorgen. Bei CSPs handelt es sich um Sicherheitsrichtlinien, welche unsichere Web-Inhalte aus externen Quellen und Verbindungen über HTTP unterdrücken können. So lassen sich nicht zuletzt auch Clickjacking- und andere Code-Injection-Attacken unterbinden.

    Schritt 5. Konfiguration testen:

    Zu guter Letzt gilt es, die Konfiguration mit einem Dienst wie der SSL Server Test von Qualys SSL Labs auf ihre Vollständigkeit hin zu überprüfen.
    Encrypted Traffic Analytics

    Eine robuste Transportverschlüsselung hat jedoch auch ihre Schattenseiten: Malware kann jetzt einfach unbemerkt durchsegeln.
    Beim Einsatz von TLS bis einschließlich der Version 1.2 (insbesondere mit RSA-Ciphern) konnten IT-Fachkräfte den Datentransfer z.B. vor dem Eingang ins firmeneigene Datencenter auf bösartige Payloads hin überprüfen. Die Kommunikation wurde in diesem Fall durch sogenannte Middleboxes eingelesen, dechiffriert, analysiert und weitergeleitet. Mit TLS 1.3 gehört diese Art von Monitoring der Vergangenheit an. Denn beim Verbindungsaufbau über TLS 1.3 mit ephemeralen Diffie-Hellman-Schlüsseln schlägt die sogenannte "Deep-Packet Inspection" fehl, weil sich die Kommunikation in Echtzeit nicht ohne Weiteres dechiffrieren lässt — und schon erst recht nicht in Echtzeit. Das Bedürfnis an adäquaten Sicherheitsmaßnahmen für die Unternehmens-IT besteht jedoch weiter. So mussten sich die Anbieter von Sicherheitslösungen für Traffic-Analytics bei TLS 1.3 nach alternativen Wegen zur Gewährleistung der Integrität der internen Systeme umschauen. Die ersten konkreten Produkte sind bereits auf dem Markt. Alleine Cisco hat vier interessante Lösungen im Köcher:...

    Mausklick-schnell: Sicherheit beim Surfen mit TLS 3.0
    Firefox-ESR >= 52.9 : Inhalte von lib64nss3 (mga7, pclos, fc, ...) oder nss (fc, ...) und >= libssl3.so.1.1.1a (openssl-1.1.1a, fc27) nach /usr/lib64/firefox/libssl3.so ( Installationsverzeichnis )
    Tor-Browser (Firefox-ESR >= 52.9: Inhalte von lib64nss3 (mga7, pclos oder nss (fc, ...) und >= nss-3.41.0 (fc30) mit libssl.so.3 nach /home/toruser/tor*/Browser*/
    Pale Moon >=: Inhalte von lib64nss3 (mga7, pclos oder nss (fc, ...) und libssl3.so.1.1.1a (von openssl-1.1.1a, fc27) nach /usr/lib64/palemoon/libssl3.so
    Dabei zeigt /usr/lib64/libcrypto.so.1.1 auf /usr/lib64/libcrypto.so.1.1.1a und /usr/lib64/libssl.so.1.1 auf libssl.so.1.1.1a.

    VPN für mehr Schutz in offenen Netzen, netzpolitik.org, 30.04.2018
    "VPN steht für Virtual Private Network. Mit einem VPN-Client lässt sich nicht nur weitgehend anonym surfen, sondern auch bei anderen Online-Aktivitäten die eigene Identität verschleiern. Das ist vor allem wichtig, wenn man in offenen WLANs unterwegs ist, wo der Betreiber den Datenverkehr mitüberwachen kann. VPN-Software leitet sämtlichen Verkehr zunächst vom eigenen Gerät verschlüsselt zum Server des Anbieters und von dort ins Netz. Auch kann man durch VPN-Server vorgeben, aus einem bestimmten Land zu sein, und dadurch Geoblocking umgehen.
    Manche VPN-Anbieter versprechen ihren Nutzern, ihre Zugriffsdaten nicht zu speichern und dadurch ihre Anonymität zu wahren. Aber Obacht: Wenn der gesamte Internetverkehr durch einen VPN-Anbieter getunnelt wird, versetzt das diesen in eine besonders wichtige Lage und macht ihn zu einem attraktiven Ziel. Dass Anbieter von VPN-Diensten selbst nicht mitlesen, gilt bei weitem nicht für alle VPN-Anbieter, etwa den entsprechenden Dienst von Facebook. Auf keinen Fall sollte man daher Gratis-Lösungen nutzen. Im Umfeld von netzpolitik.org werden beispielsweise IPredator oder F-Secure verwendet. Am sichersten ist aber immer noch, den VPN über einen eigenen Server zu betreiben.
    Staaten wie China, Russland und der Iran schränken die Nutzung von VPN-Diensten stark ein. Das sollte man vor einem Reiseantritt bedenken. Auch gilt es bei der Verwendung von VPN-Diensten und Tor-Browsern zu bedenken: Sobald man sich im Browser irgendwo einloggt, ist es - zumindest gegenüber dem verwendeten Dienst - vorbei mit der Anonymität.


    VPN: Sicherer Zugriff von unterwegs auf Ihre Daten, PC-WELT.de, 03.02.2019
    Verschlüsselte VPN-Verbindungen oder -Tunnel schützen beim Surfen an öffentlichen Hotspots, umgehen lästiges Geoblocking und sorgen für mehr Privatsphäre. Ein Überblick über Anwendungsszenarien und Anbieter dieser sicheren virtuellen privaten Netzwerke.
    Ein Netzwerk wie das Internet verbindet alle angeschlossenen Geräte miteinander. So kann jeder mit jedem kommunizieren, selbst wenn der Kommunikationspartner auf der anderen Seite der Erdkugel sitzt. Der Nachteil: Alle Daten, die im Internet über das TCP/IP-Protokoll übertragen werden, passieren sehr viele Zwischenstationen und können dort mitgelesen oder sogar manipuliert werden. Auf diese Weise werden die Daten zwar effizient rund um den Globus geschickt, einen effektiven Schutz vor unerwünschten Zugriffen bietet TCP/IP jedoch nicht.
    [...] Allerdings genügt eine VPN-Verbindung allein nicht, um die eigene Anonymität vollständig zu wahren. Wer beim Surfen und aktiviertem VPN unerkannt bleiben möchte, sollte seinen Browser im privaten oder Inkognito-Modus nutzen und sich nicht parallel bei Facebook, Google oder einem anderen "Datenkrakendienst" anmelden.
    [...] Der kostenlose Browser Opera bietet die Möglichkeit, alle Browser-Verbindungen über einen VPN-Server von Opera zu leiten. Im Gegensatz zu einer klassischen VPN-Verbindung, die alle Datenpakete im Netzwerk zwischen VPN-Client und -Server verschlüsselt, kümmert sich das Opera-VPN nur um die vom Browser übertragenen Daten. Da bei der Auswahl des Opera-VPN-Servers nicht nach Ländern, sondern nur nach Kontinenten gewählt werden kann, eignet sich der Opera-VPN auch nur bedingt zur Umgehung von Geoblocking. Dennoch sorgt Opera-VPN für zusätzliche Sicherheit beim Surfen am Hotspot, und auch der Werbeblocker arbeitet effektiv. Der Dienst lässt sich in Opera über Einstellungen -> Datenschutz & Sicherheit aktivieren und dann komfortabel in der Adressleiste ein-und ausschalten.
    Hinweis: Bei aktiviertem VPN-Filter bekommt der Browserhersteller durch die Umleitung auf die eigenen Server ein vollständiges Abbild Ihrer Surfgewohnheiten und kann diese beispielsweise für personalisierte Werbung nutzen.

    VPN Perfect Privacy
    Keine Speicherung von Log-Dateien (Nutzeraktivitäten)
    Für alle Ihre Geräte
    Kaskadierung über bis zu 4 VPN-Server
    Konfigurierbare Port-Weiterleitungen
    Keine Traffic-Begrenzung
    Bis zu 1000 Mbit/s Bandbreite
    Einfach benutzbare Client-Software
    Support via E-Mail, Forum und TeamViewer
    Wahlweise über OpenVPN, IPsec/IKEv2, SSH2-Tunnel oder PPTP
    TrackStop™ (blockiert Werbe, Tracking- und Phishing-Domains)
    Stealth VPN Technologie (VPN wahlweise: über mehrere VPN-Server, Eintrittspunkt (eigenes Land etc), VPN-Netzwerk (Ausland etc.)
    NeuroRouting™ (sicheres Routing auf BAsis von KI und gesteuert durch Algorithmen)
    Automatische Einrichtung Ihrer Windows Firewall
    8 Port-Weiterleitungen inklusive (z.B. für BitTorrent)
    Serverwechsel so oft Sie mögen
    Ping-Zeiten zu den Servern in Echtzeit überprüfen

    OKUse a Raspberry Pi as a Tor/VPN Router for Anonymous Browsing, 1/28/15
    Roll Your Own Anonymizing Tor Proxy with a Raspberry Pi
    We´ve shown you how to use a Raspberry Pi as both a Tor proxy and a personal VPN, but Make shows off how to do both in one unit for truly anonymous browsing everywhere.
    There are many interesting things you can do with a Raspberry Pi, but this one isn´t just fun, …
    The build here uses two Wi-Fi adapters to get the job done. Once it's complete, you'll have a passive VPN connection that you´ll hardly even notice is there. You´ll also have Tor installed, so you can flip over to that connection with just a couple of clicks. It´s a pretty simple setup all things considered, and it´ll act as a nice bridge between your standard router for those times when you want to browse anonymously or get around any location-specific blocks.
    Browse Anonymously with a DIY Raspberry Pi VPN/Tor Router
    https://lifehacker.com/use-a-raspberry-pi-as-a-tor-vpn-router-for-anonymous-br-1682296948 Preis: ca. 40 Euro


    Hardware-Tarnkappen für das anonyme Surfen im Internet
    Im Internet mit der richtigen Anonymisierungs-Hardware
    Geschützt ins Internet mit der richtigen Anonymisierungs-Hardware
    Internetnutzer stellen mit der Anonymisierung von Daten und Informationen sicher, dass persönliche Inhalte nicht von Unbefugten gelesen und betrügerisch oder missbräuchlich genutzt werden können. Anonymität und digitale Integrität kann über Anonymisierungsprogramme wie Tor und Hardware-Lösungen wie eBlocker oder dem Onion Pi erreicht werden.
    Anonymebox, Leipzig
    Preis: 189 Euro (Stand: 28.04.2019)

    Mouseclick-fast computer, ... especially the evening (around 20:30 o´clock)...

    "Humble Bundle Hacking 2.0" announced
    , PRO LINUX, 29.05.2019
    Das Humble Bundle-Team hat ein weiteres Book-Bundle veröffentlicht. Die bis zu vierzehn Bücher kommen vom "No Starch Press" und behandeln dieses Mal das Thema "Hacking". Wie gewohnt können Käufer dabei selbst entscheiden, wie viel ihnen ein Buchpaket wert ist und wie ihr Geld verteilt wird.
    Humble Bundle Hacking 2.0
    Im "Humble Bundle Hacking 2.0" finden sich dieses Mal zahlreiche Bücher des "No Starch Press"-Verlags zu Themen rund um "Hacking". Alle Bücher können nach demselben Muster gekauft werden wie schon die letzten Pakete. So können die Interessenten beim Kauf entscheiden, wie viel sie zahlen und wie ihr Geld zwischen dem Verlag, Humbe Bundle und den gemeinnützigen Organisationen aufgeteilt wird. Unterstützt werden können auch dieses Mal Electronic Frontier Foundation, das Rote Kreuz oder zahlreiche weitere Organisationen, darunter Wikimedia Foundation, Child´s Play und Charity Water. Bezahlt wird via Amazon, Kreditkarte oder Paypal.
    Wer weniger als einen Euro investiert, erhält "The IDA Pro Book, 2nd Edition: The Unofficial Guide to the World´s Most Popular Disassembler", "Designing BSD Rootkits: An Introduction to Kernel Hacking", "The Practice of Network Security Monitoring: Understanding Incident Detection and Response", "A Bug Hunter´s Diary: A Guided Tour Through the Wilds of Software Security" und "Hacking the Xbox: An Introduction to Reverse Engineering".
    Wer bereit ist, um die 7 Euro für den Lesestoff auszugeben, kann sich über die Bonustitel "Serious Cryptography: A Practical Introduction to Modern Encryption", "Attacking Network Protocols: A Hacker´s Guide to Capture, Analysis, and Exploitation", "Pentesting Azure Applications: The Definitive Guide to Testing and Securing Deployments", "Practical Packet Analysis, 3rd Edition: Using Wireshark to Solve Real-World Network Problems" und "PoC||GTFO" freuen.

    Käufer, die den Maximalbetrag bezahlen und rund 13 Euro investieren, gelangen zudem in den Besitz von "Linux Basics for Hackers: Getting Started with Networking, Scripting, and Security in Kali", "Malware Data Science: Attack Detection and Attribution", "PoC||GTFO, Volume 2" und "Practical Binary Analysis: Build Your Own Linux Tools for Binary Instrumentation, Analysis, and Disassembly". Zudem erhalten Käufer des dritten Pakets auch einen Preisnachlass auf die Bücher "PoC||GTFO" und "PoC||GTFO, Volume 2".
    Die E-Books des "Humble Bundle Hacking 2.0" sind in verschiedenen Formaten und in der englischen Sprache erhältlich. Wie üblich können Käufer, die die Bücher verschenken möchten, einen Geschenklink erhalten. Das Bundle ist noch dreizehn Tage erhältlich.

    Lacks in security within kernel TCP-Code
    , PRO LINUX, 21.06.2019
    Ein Team bei Netflix hat drei Sicherheitslücken im TCP-Code im Kernel entdeckt. Durch speziell präparierte SACK-Pakete lässt sich im schlimmsten Fall ein Kernel-Stillstand erzielen. Alle Linux- und FreeBSD-Anwender sollten ihren Kernel aktualisieren oder temporäre Gegenmaßnahmen ergreifen.

    Security updates: Tails 3.14.1 closes security lacks in Firefox and tor browser, PRO LINUX, 21.06.2019
    Tails 3.14.1 schließt eine kritische Sicherheitslücke, die Mozilla mit Firefox 67.0.3 behoben hatte. Eine zweite Lücke im Sandboxing-Code der Browser bleibt derzeit offen.

    The best tools for more data control for Apps, trojaner-info.de, 17.07.2019
    Apps bieten tolle Funktionen und machen Spaß. Damit eine App aber wegen späterem Datenmissbrauch oder Schadsoftware nicht zum Alptraum wird, sollten Nutzer einige Tipps beherzigen.
    Es klingt zwar wie eine Binsenweisheit, wird aber von Nutzern von Smartphones und Tablets kaum beherzigt: "Laden Sie nicht gedankenlos Apps herunter". Wer es dennoch macht, öffnet den Datenkraken freiwillig das Tor zu den eigenen Daten. Mit den richtigen Tools können App-Nutzer wieder die Kontrolle über das Verhalten und den Berechtigungs-Dschungel von Apps zurückgewinnen.
    [...] Falls Zweifel an der Vertrauenswürdigkeit der App aufkommen, zunächst im Internet weiterrecherchieren. Auf der offiziellen Webseite des App-Entwicklers sollte ein Impressum vorhanden sein. Die Seriosität der inhaltlichen Bewertungen im Play Store ist wegen des Verdachts von Fake-Postings umstritten. Eine geringe Zahl von Bewertungen und App Downloads könnte jedoch ein deutliches Warnsignal sein.
    Ein verlässlicher Indikator für Integrität des Angebots ist dagegen das von Google vergebene Prädikat "Top-Entwickler". Darüber hinaus finden sich im Web Hinweise auf unsichere oder gefährliche Apps, die aktuell im Umlauf sind. Ein regelmäßiger Blick in unsere Rubrik "Aktuelle Bedrohungen" hilft hier zum Beispiel weiter.
    Vorsicht bei "App Schnäppchen". Beliebte Apps und Spiele werden nicht selten imitiert und kopiert. Die Nachahmungen werden günstig oder sogar kostenlos angeboten. Gefahr droht von den Imitationen, da hier Schadsoftware bzw. Malwarefunktionen eingebaut sein könnte.
    Apps erst nach kritischer Prüfung der App Einstellungen und Berechtigungen installieren. Klicken Sie nicht unbedenklich weiter, wenn die App Einstellungen Zugriff auf Funktionen Ihres Geräts und Ihre persönlichen Daten verlangen — Sie könnten sich damit schutzlos ausliefern. Vor jeder Installation sollten sich App-Anwender fragen, ob eine App tatsächlich die angeforderte Berechtigung für ihren spezifische Nutzen benötigt. Schad-Apps könnten Ihre Berechtigung dazu missbrauchen, kostenpflichtige Nummern anzurufen oder Abos via SMS abzuschließen. Wenn eine Anwendung, die eigentlich nichts mit Telefonieren verbindet, die Erlaubnis zum Telefonieren einfordert, ist Vorsicht geboten. Seriöse App-Anbieter bieten dem Nutzer nicht selten die Möglichkeit an, die App Berechtigungen und App Einstellungen diverser Funktion selbst mitzubestimmen. Fehlen AGBs oder sind diese sehr knapp verfasst, ist nicht zuletzt Skepsis geboten.
    [...] Hilfreich sind"Prozessmonitor" Apps. Diese überprüfen, welche Anwendungen aktuell auf Ihrem Smartphone aktiv sind. Falls Akku- und Datenverbrauch einer App den Akkuverbrauch in die Höhe treiben, sollten Sie aufmerksam werden. Die Ursache könnte in einem andauernden Datentransfer liegen — eventuell erfolgt ein Datenaustausch, für den ursprünglich keine Berechtigung erteilt wurde. Alternativ könnte eine bösartige App im Hintergrund einen kostenintensiven Dialer installieren, der Premium-SMS selbstständig versendet und so hohe Kosten wie auch erheblichen finanziellen Schaden verursacht.
    [...] Der Netzwerkausrüster Alcatel-Lucent hat in einer 2015 veröffentlichten Malware-Studie festgestellt, dass die Zahl der mobilen Schädlinge deutlich zugenommen hat. So wurden demnach 2014 weltweit 16 Mio. Geräte mit mobiler Malware infiziert, dies entspricht einem Plus von 25 Prozent gegenüber dem Vorjahr. Der Studie zufolge ist Spyware auf mobiler Hardware immer verbreiteter. Damit werden Telefonate abgehört, SMS und E-Mails abgefischt, oder der Standort eines Nutzers und von ihm aufgesuchten Websites festgestellt.

    Tester in year 2016: Around 5500 connection buildup-attempts into internet per day of MS Windows
    In wenigen Stunden schnell mehrere hundert Kontakte zu Internetservern
    Windows-Datenschutz auf BSI-Level - so gehts
    , PC-WELT.de, 17.04.2019
    Seit der Einführung von Windows 10 wird das Betriebssystem für seinen mangelnden Datenschutz kritisiert: Es werden zu viele Daten ins Internet gesendet. Nun hat das BSI nachgemessen und aufgedeckt, wie Sie den Datenversand komplett abstellen können.
    Kritik am Datenschutz von Windows 10 hagelt es von Sicherheitsexperten, Bloggern und Firmen. Ein PC mit Windows 10, der aktuell keine Aufgabe zu erledigen hat, nimmt dennoch laufend Verbindungen zu Servern im Internet auf. Die Kritik ist nicht neu. Schon Windows XP wurde für seine sogenannte "Call-Home"-Funktionen kritisiert. Damals im Jahr 2001 waren einige Programme, etwa der Windows Media Player, für den unangemeldeten Kontakt ins Internet verantwortlich.
    Forstetzung des Berichts mit zugehörigen Sicherheits-Einstellungen: News&Links#MSWindows und

    OKLinux: Sperrung aller Konten (System- und Benutzerkonten) außer den Konten "root" und "surfuser"
    Noch einmal empfehlen wir die Kontensperrung ü,ber MCC (drakconf) mit Klick auf Benutzerkonten oder manuell. Zusammen mit der Sperrung für alle Benutzer einschließlich root außer surfuser mit Gruppe surfgruppe sorgenden Linfw3 (und ggfls chown, chmod und ACL (setfacl) auf möglichst viele Verzeichnisse und Dateien von surfuser (und ggfls. Einsatz der shell-Aufrufe (bash) verhindernden und Zugriffsrechte erneut einschräknenden Sandbox firejail, FSE (Systemvollverschlüsselung) und und und... ) erhalten wir damit den perfekten, paranoiden (gleich mehrfachen) Rundumschutz frei von Wartung etc. selbst dann, werden Passwörter (z.B. über Beobachtungs-Satellit mit Blick durchs Fenster) bekanntgegeben bzw. gehackt. Selbst noch so bekannt gewordene Passwörter verhelfen also niemanden weiter, halt nur noch einem selbst. Für den einmaligen KDE-Login nach dem Systemstart sorgt ja pam (el6), für die Sicherheit im Internet Firefox-ESR-52.9 (genauer, bei allen Bedenken, der Onion Router Tor), beide mit den oben empfohlenen Erweiterungen. Diese (Firefox-Erweiterungen) sollten nach ihrer jeweiligen Konfiguration im Browser keinen Kontakt (Verbindungen) mehr aufnehmen. Der lokale DNS-Server pdnsd zusammen mit der lokalen /etc/hosts sichert die DNS-Abfrage (Tor-DNS, tor-resolve). Und auch Der E-Mail-Verkehr erfolgt ja nun bei kmail (OpenPGP oder smime) und Thunderbird (enigmail) über Signierung und die Verbindungs- wie Inhalts-Verschlüsselung mit TLS/SSL und OpenPGP, ggfls. gefolgt von 2-Faktor-Authentifizierung (2FE) mit dem Handy/Smartphone. Die Bildschirmsperre funktioniert danach aber nicht mehr für den Benutzer. Hierzu ist erneut eine Ausnahmeregel in pam ähnlich wie für den KDE-Login erforderlich. Nur noch die einigen wenigen unter root laufenden Kernel-Prozesse aus dem Hause Linus Tovalds bleiben nun (neben Tor im Internet) ein gewisses, minimales Restrisiko. Natürlich kann sogar Konto root gesperrt werden. Zum Entsperren des Kontos von root bedarfs dann aber eines rettenden Systems von außen auf einer eigenen bootfähigen Partition (mit LUKS/dm-crypt (cryptsetup) zum Einbinden der verschlüsselten root-Partition). Ein Sperren der Shell von root mit /sbin/nologin sollte immer erfolgen und genügen. Allerspätestens jetzt läuft der Computer mit selbst "nur Celeron"-Prozessor total mausklick-schnell.

    Weitere Studie belegt Lüge "anonymer" Daten, netzpolitik.org, 26.07.2019
    Anonyme Daten sind oft gar nicht wirklich anonym, in vielen Datensätzen können Einzelne auch ohne Namen eindeutig identifiziert werden. Mit welcher erstaunlicher Präzision das geht, verdeutlicht eine neue Studie. Viele Firmen und Datenbanken unterlaufen die Datenschutzgrundverordnung.

    Tor, The Anonymizing Network - Äh, ... Looking out for Good Tor Nodes (entry-, middle- and exit-nodes / relais) now..., text 2019 by Gooken

    Spend or pay Gooken by PayPal.me :

    Spend resp. pay Gooken by Paypal.me: Please click here!



    "And herewith cut off."

    ( disheritated )