Privacy Idea — Step 3b

This post is part of my ongoing privacy series.  Main post is here.

In the first step, we installed, configured, and test-ran openVPN.  In this step, we are going to configure IP tables (this program allows a linux computer to act like a firewall) to make sure we have only open what we want to have open and then run openVPN as a service (aka daemon).

Text in the Courrier New font is what you should type in.
Text in the Comic Sans MS font is output.
Text in italics are notes.

  1. iptables -P INPUT ACCEPT” — this line will configure ip tables to accept all connections.  Since we are connected over ssh, we don’t want to lock ourselves out of the server.
  2. iptables -F” flush everything to start fresh.
  3. iptables -A INPUT -i lo -j ACCEPT” we want to accept everything directed to the loopback localhome address
  4. iptables -A INPUT -m state –state ESTABLISHED,RELATED -j ACCEPT” anything that is already established, we are going to allow
  5. iptables -A INPUT -p tcp –dport 22 -j ACCEPT” we are going to explicitly allow ssh to come in
  6. iptables -P INPUT DROP” if it hasn’t been allowed, we are just going to drop the packets.  No response no nothing.
  7. iptables -P OUTPUT ACCEPT” anything going out is ok
  8. iptables -A INPUT -p udp –dport 1194 -j ACCEPT” we are going to allow udp port 1194 in.  This is the port and protocol used by openVPN.  If you changed the port or protocol that openVPN runs on, make this agree with that.
  9. iptables -A FORWARD -s  -j ACCEPT” we are going to accept anything from the 192.168.27.x subnet for forwarding.  This needs to agree with the ip address you used in the server section of the config file.
  10. iptables -A FORWARD -d -m state –state RELATED,ESTABLISHED -j ACCEPT” anything that is established headed to our vpn subnet, we are going to accept for forwarding
  11. iptables -A FORWARD -s -m state –state RELATED,ESTABLISHED -j ACCEPT” anything headed from our vpn subnet that is already established, we are going to accept and forward
  12. iptables -t nat -A POSTROUTING -s -j SNAT –to-source AAA.BBB.CCC.DDD” make sure AAA.BBB.CCC.DDD agrees with the IP address of your server.  I beat my head against the wall for an hour or so trying to sort out why I could talk to my sever but nothing else.  The instructions I found talking about using MASQUERADE only threw errors.
  13. /sbin/service iptables save” let’s save our iptables configuration
  14. nano /etc/sysctl.conf” we need to edit “net.ipv4.ip_forward = 1” (it should = 0 set it to equal 1).  This sets up networking on the server to forward.
  15. sysctl -p” this will restart networking to see the config file change
  16. iptables -L -v” this will show you something like 

    Chain INPUT (policy DROP 2552 packets, 163K bytes)
    pkts bytes target prot opt in out source destination
    0 0 ACCEPT all — lo any anywhere anywhere
    93343 24M ACCEPT all — any any anywhere anywhere state RELATED,ESTABLISHED
    3218 198K ACCEPT tcp — any any anywhere anywhere tcp dpt:ssh
    20 840 ACCEPT udp — any any anywhere anywhere udp dpt:openvpn

    Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts bytes target prot opt in out source destination
    36358 13M ACCEPT all — any any anywhere
    41184 41M ACCEPT all — any any anywhere anywhere state RELATED,ESTABLISHED

    Chain OUTPUT (policy ACCEPT 104K packets, 56M bytes)
    pkts bytes target prot opt in out source destination

  17. /etc/init.d/openvpn start” this starts the openVPN daemon.  It scans /etc/openvpn/ for any .conf files.  It starts them all

References: — this is a really good page on iptables — I beat my head against the wall trying to get NATting to work.  This page helped me sort it out.

Privacy Idea — Step 3a

This is part of my privacy series.  Main post is here.

I haven’t written about steps 1 or 2 yet.  Step 1 is fairly easy:  get a server.  Right now, I have a VPS through 1and1 (the same company that currently hosts

Step 2 doesn’t make sense on a vps with limited disk space.  Although, part of me says I should try.  But, it may be easier with real disks so I’m planning to wait.

This is what I did to get OpenVPN installed and working.  YMMV.

Text in the Courrier New font is what you should type in.
Text in the Comic Sans MS font is output.
Text in italics are notes.

No, I’m not going to show you how to SSH into your server, install putty, or use the command line ssh.  Go google those things. Ask if you need help (I won’t not help) but I consider those things prerequisites for this howto.

  1. Since this is a new server, I ran “yum update” to make sure my server was up to date.  It was.
  2. I ran the command “passwd” and set the password for the root user to something strong
  3. run “cat /dev/net/tun” to make sure that my vps supported TUN (required for openVPN).  If this command returns “cat: /dev/net/tun: File descriptor in bad state” if TUN is supported.
  4. yum install nano” . Yum is a text editor on linux.  You can use anything you like.  The guides I reference below do all the installs at once with a -y at the end.  I don’t trust computers (and you shouldn’t either).  Read the output, make sure they are doing what you want and you understand what is going on!
  5. yum install openssl” You need this package as a prerequisite for openVPN
  6. yum install lzo” another prerequisite for openVPN
  7.  “yum install pam” yet another prereq
  8. At this point, I thought I could find an up-to-date rpm for openVPN and install it.  I only was installing the minimum I needed (or thought I needed).  I futzed around for a while here trying to find a binary and get it installed.  No luck.  I also futzed around adding some yum repositories to my config.  I did sort of succede in getting a binary…but I kept getting an error:  Requires:  I fiddle-farted around for a bit trying to solve that on it’s own.  
  9. yum install gcc make rpm-build autoconf.noarch zlib-devel pam-devel openssl-devel” this command installs gcc; make; rpm-build; dev tools for zlib, pam, and openssl; along with autoconf.  This is a bunch of dev tools I was trying to avoid installing by simply getting binaries
  10. wget” this is a binary for lzo from openVPN
  11. wget” I have no idea but the instructions I was following said I needed it.
  12. rpmbuild –rebuild lzo-1.08-4.rf.src.rpm” this rebuilds the lzo binary I downloaded earlier.
  13. rpm -Uvh lzo-*.rpm” this installs the lzo binaries
  14. rpm -Uvh rpmforge-release*” this installs the rpm downloaded from rpmforge above
  15. yum install openvpn” — finally we get to install openVPN
  16. I ended up and got openVPN 2.3.2 which differs from 2.2.2 and earlier in a significant way:  it doesn’t include the easy-rsa application used to generate keys.
  17. yum install easy-rsa” will install this.  If you get an error, you’ll probably need to run steps 18, 19, and 20
  18. cd /etc/yum.repos.d
  19. wget
  20. wget
  21. openVPN has been “installed” into /usr/share/doc/openvpn-2.3.2/
  22. easy-rsa has been “installed” into /usr/share/easy-rsa/
  23. copy the easy-rsa files into /etc/openvpn/:  “cp -r /usr/share/easy-rsa/* /etc/openvpn/
  24. now go into that directory:  “cd /etc/openvpn/
  25. you can edit the vars file.  it is used to set up the defaults you need to generate your keys.  I changed a few things.  This step is optional…but if you edit it, you can just go through some future steps hitting enter.
    export KEY_SIZE=2048 (default was 1024.  Bigger is better)
    export KEY_COUNTRY=”XX” (your country)
    export KEY_PROVINCE=”XX” (state)
    export KEY_CITY=”XXXXXXXX” (city)
    export KEY_ORG=”XXXXXXXXX” (organization)
    export KEY_EMAIL=XXXXXX@XXXXXXXXX.XXX (email again…no quotes)
  26. Now run it “./vars
  27. Run “./clean-all” to make sure there’s no junk around
  28. Run “./build-ca” to start the process of making your “master” certificate.  This will take a while since you are making a 2048 bit key.  Let it run.  Mine took about 5 min or so to finish
  29. When it finishes, build the key for your server “./build-key-server server
  30. Build the keys for each client you want “./build-key client1”  You can replace client1 with whatever you want the client called.  It just needs to be unique
  31. Copy the sample server config file into /etc/openvpn/.  “cp /usr/share/doc/openvpn-2.3.2/sample-config-files/server.conf /etc/openvpn/server.conf”  When I did this at first, I put it into a subdirectory called conf.  Don’t do this.  Just put your conf file into /etc/openvpn/.  This becomes important when it comes time to run it as a service.
  32. Now, edit the file “nano server.conf
  33. You’ll have to make some changes in the file.  Read the comments and everything should become clear.  Here’s my file:

    # Sample OpenVPN 2.0 config file for #
    # multi-client server. #
    # #
    # This file is for the server side #
    # of a many-clients <-> one-server #
    # OpenVPN configuration. #
    # #
    # OpenVPN also supports #
    # single-machine <-> single-machine #
    # configurations (See the Examples page #
    # on the web site for more info). #
    # #
    # This config should work on Windows #
    # or Linux/BSD systems. Remember on #
    # Windows to quote pathnames and use #
    # double backslashes, e.g.: #
    # “C:\\Program Files\\OpenVPN\\config\\foo.key” #
    # #
    # Comments are preceded with ‘#’ or ‘;’ #

    # Which local IP address should OpenVPN
    # listen on? (optional)
    ;local a.b.c.d

    # Which TCP/UDP port should OpenVPN listen on?
    # If you want to run multiple OpenVPN instances
    # on the same machine, use a different port
    # number for each one. You will need to
    # open up this port on your firewall.
    port 1194

    # TCP or UDP server?
    ;proto tcp
    proto udp

    # “dev tun” will create a routed IP tunnel,
    # “dev tap” will create an ethernet tunnel.
    # Use “dev tap0” if you are ethernet bridging
    # and have precreated a tap0 virtual interface
    # and bridged it with your ethernet interface.
    # If you want to control access policies
    # over the VPN, you must create firewall
    # rules for the the TUN/TAP interface.
    # On non-Windows systems, you can give
    # an explicit unit number, such as tun0.
    # On Windows, use “dev-node” for this.
    # On most systems, the VPN will not function
    # unless you partially or fully disable
    # the firewall for the TUN/TAP interface.
    ;dev tap
    dev tun
    tun-mtu 1500
    tun-mtu-extra 32
    mssfix 1450

    # Windows needs the TAP-Win32 adapter name
    # from the Network Connections panel if you
    # have more than one. On XP SP2 or higher,
    # you may need to selectively disable the
    # Windows firewall for the TAP adapter.
    # Non-Windows systems usually don’t need this.
    ;dev-node MyTap

    # SSL/TLS root certificate (ca), certificate
    # (cert), and private key (key). Each client
    # and the server must have their own cert and
    # key file. The server and all clients will
    # use the same ca file.
    # See the “easy-rsa” directory for a series
    # of scripts for generating RSA certificates
    # and private keys. Remember to use
    # a unique Common Name for the server
    # and each of the client certificates.
    # Any X509 key management system can be used.
    # OpenVPN can also use a PKCS #12 formatted key file
    # (see “pkcs12” directive in man page).
    ca /etc/openvpn/keys/ca.crt
    cert /etc/openvpn/keys/server.crt
    key /etc/openvpn/keys/server.key # This file should be kept secret

    # Diffie hellman parameters.
    # Generate your own with:
    # openssl dhparam -out dh1024.pem 1024
    # Substitute 2048 for 1024 if you are using
    # 2048 bit keys.
    dh /etc/openvpn/keys/dh2048.pem

    # Configure server mode and supply a VPN subnet
    # for OpenVPN to draw client addresses from.
    # The server will take for itself,
    # the rest will be made available to clients.
    # Each client will be able to reach the server
    # on Comment this line out if you are
    # ethernet bridging. See the man page for more info.

    # Maintain a record of client <-> virtual IP address
    # associations in this file. If OpenVPN goes down or
    # is restarted, reconnecting clients can be assigned
    # the same virtual IP address from the pool that was
    # previously assigned.
    ifconfig-pool-persist ipp.txt

    # Configure server mode for ethernet bridging.
    # You must first use your OS’s bridging capability
    # to bridge the TAP interface with the ethernet
    # NIC interface. Then you must manually set the
    # IP/netmask on the bridge interface, here we
    # assume Finally we
    # must set aside an IP range in this subnet
    # (start= end= to allocate
    # to connecting clients. Leave this line commented
    # out unless you are ethernet bridging.

    # Configure server mode for ethernet bridging
    # using a DHCP-proxy, where clients talk
    # to the OpenVPN server-side DHCP server
    # to receive their IP address allocation
    # and DNS server addresses. You must first use
    # your OS’s bridging capability to bridge the TAP
    # interface with the ethernet NIC interface.
    # Note: this mode only works on clients (such as
    # Windows), where the client-side TAP adapter is
    # bound to a DHCP client.

    # Push routes to the client to allow it
    # to reach other private subnets behind
    # the server. Remember that these
    # private subnets will also need
    # to know to route the OpenVPN client
    # address pool (
    # back to the OpenVPN server.
    ;push “route”
    ;push “route”

    # To assign specific IP addresses to specific
    # clients or if a connecting client has a private
    # subnet behind it that should also have VPN access,
    # use the subdirectory “ccd” for client-specific
    # configuration files (see man page for more info).

    # EXAMPLE: Suppose the client
    # having the certificate common name “Thelonious”
    # also has a small subnet behind his connecting
    # machine, such as
    # First, uncomment out these lines:
    ;client-config-dir ccd
    # Then create a file ccd/Thelonious with this line:
    # iroute
    # This will allow Thelonious’ private subnet to
    # access the VPN. This example will only work
    # if you are routing, not bridging, i.e. you are
    # using “dev tun” and “server” directives.

    # EXAMPLE: Suppose you want to give
    # Thelonious a fixed VPN IP address of
    # First uncomment out these lines:
    ;client-config-dir ccd
    # Then add this line to ccd/Thelonious:
    # ifconfig-push

    # Suppose that you want to enable different
    # firewall access policies for different groups
    # of clients. There are two methods:
    # (1) Run multiple OpenVPN daemons, one for each
    # group, and firewall the TUN/TAP interface
    # for each group/daemon appropriately.
    # (2) (Advanced) Create a script to dynamically
    # modify the firewall in response to access
    # from different clients. See man
    # page for more info on learn-address script.
    ;learn-address ./script

    # If enabled, this directive will configure
    # all clients to redirect their default
    # network gateway through the VPN, causing
    # all IP traffic such as web browsing and
    # and DNS lookups to go through the VPN
    # (The OpenVPN server machine may need to NAT
    # or bridge the TUN/TAP interface to the internet
    # in order for this to work properly).
    push “redirect-gateway def1”

    # Certain Windows-specific network settings
    # can be pushed to clients, such as DNS
    # or WINS server addresses. CAVEAT:
    # The addresses below refer to the public
    # DNS servers provided by
    push “dhcp-option DNS”
    push “dhcp-option DNS”

    # Uncomment this directive to allow different
    # clients to be able to “see” each other.
    # By default, clients will only see the server.
    # To force clients to only see the server, you
    # will also need to appropriately firewall the
    # server’s TUN/TAP interface.

    # Uncomment this directive if multiple clients
    # might connect with the same certificate/key
    # files or common names. This is recommended
    # only for testing purposes. For production use,
    # each client should have its own certificate/key
    # pair.

    # The keepalive directive causes ping-like
    # messages to be sent back and forth over
    # the link so that each side knows when
    # the other side has gone down.
    # Ping every 10 seconds, assume that remote
    # peer is down if no ping received during
    # a 120 second time period.
    keepalive 10 120

    # For extra security beyond that provided
    # by SSL/TLS, create an “HMAC firewall”
    # to help block DoS attacks and UDP port flooding.
    # Generate with:
    # openvpn –genkey –secret ta.key
    # The server and each client must have
    # a copy of this key.
    # The second parameter should be ‘0’
    # on the server and ‘1’ on the clients.
    ;tls-auth ta.key 0 # This file is secret

    # Select a cryptographic cipher.
    # This config item must be copied to
    # the client config file as well.
    ;cipher BF-CBC # Blowfish (default)
    ;cipher AES-128-CBC # AES
    ;cipher DES-EDE3-CBC # Triple-DES

    # Enable compression on the VPN link.
    # If you enable it here, you must also
    # enable it in the client config file.

    # The maximum number of concurrently connected
    # clients we want to allow.
    max-clients 3

    # It’s a good idea to reduce the OpenVPN
    # daemon’s privileges after initialization.
    # You can uncomment this out on
    # non-Windows systems.
    user nobody
    group nobody

    # The persist options will try to avoid
    # accessing certain resources on restart
    # that may no longer be accessible because
    # of the privilege downgrade.

    # Output a short status file showing
    # current connections, truncated
    # and rewritten every minute.
    status openvpn-status.log

    # By default, log messages will go to the syslog (or
    # on Windows, if running as a service, they will go to
    # the “\Program Files\OpenVPN\log” directory).
    # Use log or log-append to override this default.
    # “log” will truncate the log file on OpenVPN startup,
    # while “log-append” will append to it. Use one
    # or the other (but not both).
    ;log openvpn.log
    ;log-append openvpn.log

    # Set the appropriate level of log
    # file verbosity.
    # 0 is silent, except for fatal errors
    # 4 is reasonable for general usage
    # 5 and 6 can help to debug connection problems
    # 9 is extremely verbose
    verb 4

    # Silence repeating messages. At most 20
    # sequential messages of the same message
    # category will be output to the log.
    ;mute 20

  34. you can now run the server by “openvpn server.conf

I’ll do another post detailing firewall changes and then a third detailing client configuration.

References: — main guide I used — another howto I used — openVPN docs I referred to — big BIG huge help with getting iptables set up right

[Update 2013-06-30 07:14:07] Edited step 34

[Update 2013-06-30 07:53:27] I’ve finished step 3b detailing firewall changes with iptables and starting the server as a daemon

Privacy Idea

In this post, I ask for some help figuring out how I can secure my communications.  In this post, I talk about some ideas I’m currently doing.  Right now, I’m working on a proof-of-concept (to prove that I can do what I want and that it works how I want).  In this post, I’m going to outline what I’m going to do, why, and what I hope to gain.  As I accomplish things, I’ll link to detailed articles about what I did (partially so I can duplicate it later but also to help anyone who is trying to do something similar).

Goal What I hope to accomplish Rationale Instructions
 1. Get my own server hosted in a datacenter somewhere
1a. Use a VPS for testing purposes
 Have a server with a dedicated internet address and domain name.  It needs to have at least 10Mb/sec internet access (preferably unlimited is terms of data transfer limits)  a VPS is ok for testing purposes but the ONLY way to really guarantee no one else has access to my critical data (encryption keys, logs, archives, etc…) is to run my own.  Anything else and there is the risk that someone else can access my keys.  
2. Encrypt the drives

Encrypt everything but the boot partition*

I’m thinking about doing something really crazy like encrypting portions of the drive and destroying the keys.  That way, if the machine is powered off, I don’t have them any more.  I haven’t figured out how this might actually work though because I want to keep some of the stuff

 If it is mine and no one but me has access to the server, the government has 2 options:
  a) arrest me and make me turn over the keys
  b) seize the server and get the keys.  

If everything is encrypted and they seize the servers, they get nothing unless they arrest me.  If they arrest me, then I’ve got all kinds of other legal protections

  3. Get a VPN running  

 Yes, I can ssh into the server and do things.  But I want to be able to 
  a) replace the vpn I’m using right now
  b) run things (like minecraft) on my sever but not have them open to the public
  c) have access to the VPN from my tablet and phone too.

 Since I have a server (and my goal isn’t to hide where I am) I might as well use it.  I’ve always wanted to make it so my phone, tablet, and the rest of my devices can use the VPN.  With my current provider, I have to pay extra to have multiple devices connected.  I also have to trust them with my data.  This limits who I have to “trust” to a single ISP (from the datacenter).

Instructions for getting the server installed, configured, and running.

Instructions for configuring iptables to work with openVPN

 4. Get minecraft running  So I can move my minecraft server off my home computer  Might as well  
 5. Get some sort of VoIP server running  Secure voice communications (including logs).  The encryption will be handled by zrtp, I think on the client.  The server may be asterick or something else.  Since the keys are on the client, this isn’t so bad to have externally.  But I can’t rely on a service provider like Silent Circle to do it for me since they may have the ability to be a MiTM.  If I do it, even the logs are under my control  
 6. Get a secure chat server running same as above.     
 7. Backups  Use the server for off-site backups.  I plan on getting about 4 TB in a RAID configuration.  Why not use it for this too.  
 8. WebHosting  Again, I might as well use it if I have it.  THis will be secure with https    
 9. ownCloud  cloud storage baby  dropbox type functionality only on my server with me in control of the data.  THis means the files don’t have to be encrypted before I upload them  
 10. Email  I want the police to come to me if they want my email.  I’ll also use PGP for any secure coms  Right now, anything older than 180 days is not subject to 4th Amendment protections on an external service.  If I control it myself…they have to atleast come to me for it  

we’re running out of land?

You’ll get me to believe that when you get me to believe we are running out of trees, corn, or grass.

West Virginia bike race

Looks interesting….

NSA, Security, And More


I’ve written before about encrypting email, why you should, yet more reasons to encrypt your email (this one is interesting.  A link in 2010 about barry wanting backdoors in encryption products), keeping the IRS out of your inbox, and encrypting your computer.  I’ve even written a how-to on encrypting your email.  Heck, I’ve even blogged about ways to encrypt your voice traffic on mobile networks (although, I wonder about backdoors).

That got me thinking:  “What do I need to do to beat NSA monitoring?”  Now, I’m sure they can throw tons of computing power at problems and break whatever I can throw at them; however, if I can make them spend 2-5 seconds doing it…it may be worthwhile.  In this post, I wonder about options.

At the moment, I’ve settled on some off-the-shelf open source apps:

GibberBot (mobile chat encryption)
Adium / Pidgin
GPG (encrypted email)

However, I’m still at the mercy of others.  Do I trust the Adium/Pidgin/GibberBot developers to be independent?  Yes (especially since their code is open source).  TextSecure, I also trust.  Redphone is a bit iffy.  Sure their code is open source; however, I think they route the calls through their network instead of peer-to-peer somehow.

I think the only way to KNOW you are secure is to do it yourself.  Use opensource software, hosted on a server you own (not a managed server, etc…), with encryption keys you control.  Then, if the police raid the colocation facility, take your server, all they get is a box…you would have to decrypt it yourself.  I’m really thinking about doing this…I just need to find a VoIP app that will let me do encrypted voice mobile and on a computer (too bad Google shut down Gizmo)

Image from trevor blake via flickr

Last Week….

Alcohol stove take 1

…I made an alcohol stove.  Here in England, I haven’t found a source for HEET so I tried test firing it with rubbing alcohol but it didn’t do too much.  So, I did some looking and yesterday bought some methylated spirits (basically ethanol that has anti-drinking agents in it.  Found out about it from Adventures in Stoving).  The stove finally lit and the holes on the outside got fire…but it wasn’t very much.  When I set a pot on top, the fire was snuffed out.

Well, I thought the problem was I didn’t have it together good enough so I pushed down on the top.  Long story short, I ended up and crushed it (the picture to the left is after I pulled it back out).  I decided it was ruined too bad so I’m going to make another.

Here’s some videos showing what I used as the basis for mine:


And because you tube videos have a bad habit of disappearing, here are local mirrors of pt1, pt2, and pt3.

[Update 2013-06-25 06:50:42] Here’s a link to my new stove burning nicely.

For Father’s Day

Tassimo-T42sort med drik

Cyndi and the kids got me a Tassimo coffee machine.  Costa was running a special:  £30 for the machine.  I then got a £20 off my first order of coffee from their web store.  That works out to £0.50 (aka 50p) each for some hot chocolate I bought and £0.25 (25p) for a coffee/tea assortment.

Now, I’ve always wanted one of the all-in-one espresso machines; however, I wouldn’t spend the money.  This offer for the tassimo made it within my price range.  So far, I’ve had the following drinks:

* Costa Americano
* Costa Late
* Earl Grey Tea
* 100% Columbian

The one thing I’ve found is that the coffee is rather strong if I don’t give it extra water.  At first, I was confused about how to do that.  The instructions seemed to indicate that you push the start button after the brew cycle for an extra “shot” of water.  Well, it turns out you have to push and hold the button and it “doses” hot water as long as you hold the button.

I give the machine 7 out of 10 overall.  I wouldn’t have paid full price for it; however, the special made it a nice purchase. I think once my major order runs out, I’ll buy my coffee direct from Costa.  I’ll get costa points and give the Redhill store some traffic.

Image from Tassimo Danmark via flickr

I want to weigh in

UK biometric passport on pile of Euro currency

on this immigration debate.  But first, realize that I have lived and worked outside the US in 2 different countries over the past 6 years.  In one, Serbia, I didn’t speak the “official” language we had to deal with the government in.  In the second, I did; however, not everyone got a “pass” on the English Language test necessary to get a visa.  Here’s what I think we should do (and why):

  1. If you get caught in the US illegally, you get sent back to your home country.  You are forever denied a legal entry visa.
  2. If you get caught overstaying your visa, you get sent back to your home country.  You will be denied a legal entry visa for a period of time (10 years perhaps).
  3. If you want a visa to come work, you (or your employer/sponsor) must prove you can provide for your needs for 6-8 months (either by pledging to support you or showing bank statements)
  4. Your visa will be marked as “no public funds” or “assistance.”  Only citizens are eligible for welfare (I’d make exceptions for genuine refugees)
  5. If your parents are illegally here and are caught (but you were born here) you can stay as long as any rules are met (regarding care for minors, etc…).  If you are an adult, you can stay no problem.  You can even apply to sponsor your parents (but see numbers 1 and 2).
  6. There’s only one pathway to citizenship and that starts with a legal visa.

I don’t get why this is so hard.  Sure, people want to come to the US.  Sure they can get work in the US but not their own country.  Sure it isn’t nice.  But getting to go to another country isn’t a right….it is a privilege.  Living and working in another country isn’t a right…it too is a privilege.  I don’t understand the move for amnesty and legalization.

[Update 2013-06-22 10:34:23] I just wrote both of my senators and urged them to vote NO on Monday.  Is reform needed?  Yes!  But making a whole segment of lawbreakers legal isn’t the answer.

Image from Christopher Elison via flickr

this is cool

I remember my dad talking about how much fuel they saved with a one engine taxi.  This is really interesting.