A webtool to check the usage of Modern and Reliable internet standards by your Website and Email

on  
internet.nl , an initiative of the Dutch Internet Standards Platform, allows you to check whether your email and website use modern and reliable Internet standards.

To test an email id, go to this site and enter your email address. It will run all tests and provide a score and other details.

To test any website, go to this site  and enter the website url. It will run all tests and provide a score and other details.
Share:

Installation of SSL on Ubuntu 7.04

on  
First Get Open SSL installed on the server
sudo apt-get install openssl
This will install the latest openssl library that is been tested on the Ubuntu server version you are using. For example, if your are using 7.07, the above command will install openssl0.98 version. If you want to install any other version then you have to specify the exact version name while you install
Creating a Self-Signed ( Private) Root Certificate
A brief primer on certificates in Layman terms.
Suppose let us say that a Client C wants to access a Server S for some transaction. Now Client C wants to make sure that it is indeed connecting to Server S. There are many ways to do it but most common way is through Digital Certificates. I dont want to get into details of the theory behind the technologies behind Digital Certificates. Let us assume that Server S and Client C has a digital certificate. Now Client C connects to the Server S and Server S sends its certificate. But the catch here is that how can Client C trust that Server S is indeed what it claims to be. If Client C and Server S are known to each other, then there is trust established. In a scenario, where Client C and Server S do not know each other, a third party ( Certificate Authority CA) who is trusted by both Client C and Server S will establish the trust.
Difference Between Self-signed Certificates and Authorized Certifiers
The main difference is that in self-signed Certificates, there is no third party involved. So if you are connecting to a Server that you do not trust, you are at risk. There is absolutely no difference in the Certificates you privately sign and the one signed by authorized certifiers like Verizone. (Note: Assuming that you create the certificates properly )
When Can use Self-Signed Certificates and When to go for Commercial Certificates
As i said earlier, when Client C knows the Server S, then you can go for Self-signed certificates. When i say “know” i mean either you own Client C and Server S or Server S is maintained by someone you personally know. For others, i personally feel you should go for a commercial certificates.
What are the steps involved in creating self-signed authority
  • Here is the very simple way of creating a Self signed certificate.
enter the command as follows to generate a certificate valid for 365 days
sudo apache2-ssl-certificate -days 365
The program asks for few inputs. Please enter as required. It is shown below
Country Name (2 letter code) [GB]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:Singapore
Organization Name (eg, company; recommended) []:
Organizational Unit Name (eg, section) []:
server name (eg. ssl.domain.tld; required!!!) []:enter your domain name here

Email Address []:
Now you should have your certificate ready to use.
(NOTE: Ubuntu Feisty has a bug where the command apache2-ssl-certificate is missing. This is a well documented bug. Here is the file you need to download to overcome this defect to create a self signed certificate. After you download, follow the notes below to copy the downloaded files to the location where they are supposed to be present.
Extract the package and put ssleay.cnf to /usr/share/apache2/ and apache2-ssl-certificate to /usr/sbin.
Create /etc/apache2/ssl directory. Then apache2-ssl-certificate script should work.)
Once you have your certificate ready, then you need to configure you apache2.conf file. In this case, the configuration is very simple. Here is an example on how to do it:
NameVirtualHost *:443
<VirtualHost *:443>
ServerAdmin webmaster@localhost
ServerName securedomain
ServerAlias securedomain www.domain3.com
DocumentRoot /var/www/ssl_securearea

SSLEngine On
SSLCertificateFile /etc/apache2/ssl/apache.pem

<Directory /var/www/ssl_securearea>
Options -Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>
</VirtualHost>
above i have shown the whole virtual host configuration to be complete. But i hope you get an idea where to put it.
Share:

Setting up a Home Server with LAMP Stack In Ubuntu

on  
Note:This write up describes how i wished to run my Home server and how i did it. Hence the description heavily focuses on settings that are very specific to my requirements. However, you can find bits and pieces that may be usefult to you.
How i want to Run My Homeserver
Homeserver Shall Serve the Following
  1. Have three virtual hosts, each of them serving different audiences. One of the three is purely https host for server admin remotely.
  2. Redirect to a SSL connection and with a Basic User/Group authentication system when anyone access the File Respositry and Image Gallery link on my home page
  3. Home server Adminstration will be allowed only with in the Local Internet. Like PhpMyAdmin and Blog Configuration.
How i went about setting up the Home Server to achieve my Goal?
  1. Installing the LAMP stack
I installed Ubuntu Server Edition. Ubuntu Server edition provides an option to install LAMP stact during the installation phase. Choose this option as it saves you the trouble of configuring later.
2. Setting up the Root password for MYSQL database
The default installation of LAMP stack will not set the Root password for the MYSQL Database. It is essential that you set the Root password or you will not be able to create any database or create databases from PHPMYADMIN.
3. Installing PhpMyAdmin
Ubuntu has a nice way of installing new packages. All i did was:
sudo apt-get update
sudo apt-get install phpmyadmin
Voila!! PhpMyAdmin was downloaded from ubuntu site and installed automatically. Automatic installation has one limitation though. PhpMyAdmin is linked to your DocumentRoot of Apache.
That is if the Document Root is /var/www. then a symbolic link to PhpMyAdmin is created in /var/www.
So if a anyone can access php just by typing www.yourdomain.com/phpmyadmin. The phpmyadmin user interface shows up. Hence you need to be careful. Please read further down how i am handling the phpmyadmin feature.
4. Creating Directory structures
This is not necessary if you are a casual user or an enthusiast. But if you are about running your own server either in home or in data centers, then i would strongly recommend to put some thoughts on the Directory structures, users and groups. There are no set rules that the directories needs to be in particular order.
This is the way i am doing it:
Each virtual Host will have its own Document root pointing to seperate location as shown below.
The default directory is
/var/www
…………./default
The default catches all those requests where no signle VHost can serve. This could happen if someone connects to your IP address at Port 80. Since there will be no Host header, Apache will serve from this default root. Other could some one has configured a domain name that resolves to your IP address. In this case, you would not have that domainname in your VHOST, and hence apache will serve from default root. More about Vhosts below.
Now, the Virtual Host directories. I am configuring Two Virtual Hosts.It is a good idea to create directories in the Home directory of the user who hosts that domain.
/home/”username”
……………………/”domainname1″/www
……………………………………………./cgibin
……………………………………………../securearea ( Secure using a htpassword )
…………………………………………………………../MediaStore/photos ( Symbolic Link )
……………………………………………………………/MediaStore/videos ( Symbolic Link )
/home/”username”
……………………/”domainname2″/www
……………………………………………./cgibin
……………………………………………../securearea ( Secure using a htpassword )
……………………………………………………………/MediaStore/videos ( Symbolic Link )
Now setup a Secure area for system admin over internet. This area could be used for running PhpMyAdmin, or a file valut or some thing you want absolute security.
The following is only via SSL
/var/www
………./ssl_securearea
……………………./phpMyadmin ( Symbolic Link )
……………………./MediaStore/files ( Symbolic Link )
……………………./MediaStore/Copyrighted Ebooks
You may notice that the way i have created the directory structure is to seperate your secure area and Non-secure area. For me this is very important as i am overly security consiuos. So ssl_securearea can only be accessed by https and authentication. Securearea under the virtual host is a place where you want to have some kind of user athuentication to maintain your privacy but still contents are not classified in nature. Say, your photo album. You dont want any tom,dick and harry see it. And hence you have some basic athuentication. But at the same time you dont want your photos be encrypted/decrypted before the user sees.
5.VHOSTS Configuration
Before we jump into Vhost configuration some basic understanding of Hostname, domain name, FQDN ( Fully qualified Domain name ) , CNAME alias is required. This post assumes that you have an understanding of this. VHOST configuration can be daunting if you have not set up your machine properly. i nearly spent 2 days to get it setup properly.
I am going to explain with an example. This example is based on how i configured my system with the hostname and domain names changed .
Linux Host Name : HomeServer
Domain Name For First Virtual Host: www.domain1.com
Alias Name for First Virtual Host: localdomain1
Domain Name for Second Virtual Host: www.doman2.com
Alias Name for Second Virtual Host: localdomain2
Domain name for Third Virtual Host: www.domain3.com
Alias Name for Third Virtual Host: SecureDomain
First make sure that HomeServer is configured properly in your setup. When you type the command hostname, you should Get “HomeServer”. When you do a ping `hostname`, the hostname should resolve to either 127.0.1.1 or the static address you have configured for your interface or the DHCP address provided by your DHCP server. In my case, and most probably your case as well, it resolves to 127.0.1.1. if it does not resolve than please check your network setup.
These are the areas you my need to check for trouble shooting
/etc/hosts
/etc/resolve.conf
/etc/hostname
Second make sure that your aliases and domain names are resolvable. In my case, and in most case, domain names are hosted outside so DNS resloving is not an issue. But the issue could alias resolving. All the alias i have mentioned above is for local use only. In my case, the router i have allowed me to configure these alias name and its IP address. If not, then you have to change your /etc/hosts file as follows
127.0.1.1 localdomain1
127.0.1.1 localdomain2
127.0.1.1 securedomain
Now you are set to configure your apache2.conf for virtual hosts.
A word before we jump into that. If you notice, for each virtual host i have a domain alias as well. I did this for two reasons. And i encourage others as well. One is that if i want to access my virtual host with in my netowrk, that is behind the firewall, then i just use local alias rather than using the fully qualified domain name. Some of the router, the one i have, does not even allow to access my local machine via a fully qualified domain name. Second, when you are configuring your virtual hosts, i assign these alias to the ServerName directive. As you might know, when apache reads the configuration file, it does host name resolution to resolve all hostnames into IP address. Irrespetive of whether your DNS host is up or down, apache will be able to resolve the alias names as these are locally configured in your /etc/hosts file. Please read this article to know more about this issue.
This is for ubuntu Linux server .
Make sure your /etc/apache2/apache2.conf has the following lines at the end. ( By default it is present )
# Include the virtual host configurations:
Include /etc/apache2/sites-enabled/
Now in /etc/apache2/sites-avilable, crete three files with the following. Backup the defaul file that is already in this directory.
default
www.domain1.com
www.domain2.com
www.domain3.com
Open the “default” file copy the following into it. Change the names and directory according to your setup
ServerName HomeServer

NameVirtualHost *
<VirtualHost *>
ServerAdmin webmaster@localhost
ServerName HomeServer
DocumentRoot /var/www/default
<Directory />
Order Deny,Allow
Deny from all
Options None
AllowOverride None
</Directory>
<Directory /var/www/default>
Options None
AllowOverride None
Order allow,deny
allow from all
</Directory>
ErrorLog /var/log/apache2/error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog /var/log/apache2/access.log combined
ServerSignature On
</VirtualHost>
Now open the second file which i have named here as www.domain1.com ( You can name whatever you want. For me this is simpler to keep track of what is inside the file )
The file should have the following
<VirtualHost *>
ServerName localdomain1
ServerAlias lingams www.domain1.com
DocumentRoot /home/”username”/www.domain1.com/www
<Directory />
Order Deny,Allow
Deny from all
Options None
AllowOverride None
</Directory>
<Directory /var>
Order Deny,Allow
Deny from all
Options None
AllowOverride None
</Directory>
<Directory /var/www>
Order Deny,Allow
Deny from all
Options None
AllowOverride None
</Directory>
<Directory /home/”username”/www.domain1.com/www>
Options -Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory “/usr/lib/cgi-bin”>
AllowOverride None
Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>
ErrorLog /var/log/apache2/error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog /var/log/apache2/access.log combined
ServerSignature On
Alias /doc/ “/usr/share/doc/”
<Directory “/usr/share/doc/”>
Options Indexes MultiViews FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
Allow from 127.0.0.0/255.0.0.0 ::1/128
</Directory>
</VirtualHost>
~
For the second virtual host same as above, only thing changes is the DocumentRoot, Servername and ServerAlias directives.
Now, the following shows how to configure for a VHOST, that allows only SSL traffic
<VirtualHost *>
ServerAdmin webmaster@localhost
ServerName securedomain
ServerAlias securedomain www.domain3.com
DocumentRoot /var/www/ssl_securearea
RewriteEngine on
RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [R]
</VirtualHost>
NameVirtualHost *:443
<VirtualHost *:443>
ServerAdmin webmaster@localhost
ServerName securedomain
ServerAlias securedomain www.domain3.com
DocumentRoot /var/www/ssl_securearea
SSLEngine On
SSLCertificateFile /etc/apache2/ssl/apache.pem
<Directory />
Order Deny,Allow
Deny from all
Options None
AllowOverride None
</Directory>
<Directory /var>
Order Deny,Allow
Deny from all
Options None
AllowOverride None
</Directory>
<Directory /var/www>
Order Deny,Allow
Deny from all
Options None
AllowOverride None
</Directory>
<Directory /var/www/ssl_securearea>
Options -Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory “/usr/lib/cgi-bin”>
AllowOverride None
Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>
ErrorLog /var/log/apache2/error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog /var/log/apache2/access.log combined
ServerSignature On
Alias /doc/ “/usr/share/doc/”
<Directory “/usr/share/doc/”>
Options Indexes MultiViews FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
Allow from 127.0.0.0/255.0.0.0 ::1/128
</Directory>
</VirtualHost>
Now all the vhost has been configured. You need to enable it. Use the ubuntu provided commands to enable the sites.
default is already enabled. So just enable others
sudo a2ensite www.domain1.com ( This is a filename. If you are using a different name, then use that name )
sudo a2ensite www.domain2.com ( Same as above )
sudo a2ensite www.domain3.com ( Same as above )
Also make sure rewrite engine is enabled.
sudo a2enmod rewrite
Also make sure that ssl engine is enabled
sudo a2enmod ssl
You are set to restart apache. Do as follows
/etc/init.d/apache2 reload
If there are no error, everything is done. If there is an error, please refer to apache documentation for trouble shooting. The following section has some trouble shooting info for few deciptive warnings that teased for 2 days.
6. Troubleshooting VHost Configuration
The following warnings are deceptive. It does not break your Vhost configuration, but it hoses up the way Apache understands the Vhost configuration . So if you see the following warning signs, better resolve it.
Warning 1
apache2: Could not reliably determine the server’s fully qualified domain name, using 127.0.1.1 for ServerName
This is becuase apache is unable to resolve the default hostname of the machine it is running on. To solve this problem, look at the first 5 lines in the “default” file configuration. I am cutting it and pasting it here for your reference
ServerName HomeServer

NameVirtualHost *
<VirtualHost *>
ServerAdmin webmaster@localhost
ServerName HomeServer
The above two made the problem go away for me.
Warning 2
[warn] NameVirtualHost *:80 has no VirtualHosts….
This is becuase somewhere in your configuration file you have the same NameVirtualHost:* entered more than once. Apache document clearly state that you can only have one NameVirtualHost per IP address port combination. That is if you have NameVirtualHost *, then you cannot redefine it in some other place. It has to be a different combination. You can see in my securedomain configuration. The last is NameVirtualHost *:443 is ok, becuase it is different port. But i cannot repeat this defination again.
Share:

Securing Linux with Netfilter, IPTABLES and Tcp Wrappers

on  
First, Netfilter, IPTables are huge subjects that requires lots of time and practice to master it and i don’t claim to be a master of this art. Hence, this post is targeted towards those people who subscribe to a Virtual Private Server (VPS) plan and need to secure their instance against unwanted intruders.
Even though Netfilter and IPTABLES are pretty involved subjects, it turns out that for filtering out unwanted packets it is pretty straight forward, at least in my case.
Before venturing into IPTABLE configuration, i would like to provide few links that i referred to setup my firewall rules.
IPTABLE Tutorial
A Neat write up on securing Cent OS
Example Filter Script
Here is the filter rule that I use. The filter rule must be in /etc/sysconfig/iptables for CentOS. i have tested it on CentOS only.
*filter
# By Default Drop all incoming and forwarded packets
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
#By default allow all packets that originates from your machine to the outside world
:OUTPUT ACCEPT [0:0]
#now allow the incoming packets from an established outgoing connection from your machine
-A INPUT -m state –state ESTABLISHED,RELATED -j ACCEPT
# Allow required Incoming ports. Here  i am allowing packets whose destination port is for
# http, https, and SSH
-A INPUT -p tcp –dport 80 -j ACCEPT
-A INPUT -p tcp –dport 443 -j ACCEPT
-A INPUT -p tcp –dport 22 -j ACCEPT
# accept from local host.
-A INPUT -i lo -j ACCEPT
# accept echo requests. This will be good to test whether your server is alive
-A INPUT -p icmp –icmp-type ping -j ACCEPT
COMMIT

Save the file
To be safe make the file readable only by root
$chmod 600 /etc/sysconfig/iptables

Now restart iptables service as follows in CentOS. This should be similar in other flavours as well.
$service iptables restart  /* if you are a root*/
OR
$sudo service iptables restart  /*if you have privilege to gain root permission*/

Test it out
Enabling TCP WRAPPERS TO Add Another Layer of Security
 Many network applications consults two files named hosts.deny and hosts.allow before granting access to the users who want to use those network applications. In securing linux, it is recommended to add several layers of security. So even if one is compromised, others could hold gaurd. TCP Wrappers is another layer of security against the network intruders.
Any application that consults these two files has the following flow:
  1. hosts.allow is checked for “service name:connection address” pair match
  2. If it matches then access is granted.
  3. if it does not match then hosts.deny is checked. If “service name:connection address” pari matches, then access is denied.
  4. If it does not match in hosts.deny as well, then access is granted.

Here are  the basic rules for hosts.allow
#
# hosts.allow   This file describes the names of the hosts which are
#               allowed to use the local INET services, as decided
#               by the ‘/usr/sbin/tcpd’ server.
#
#allow connection from 127.0.0.1 (localhost) to all INET services
ALL: 127.0.0.1
#Allow connection from all internet address to sshd service
sshd: ALL

Here are the basic rules for hosts.deny

# hosts.deny    This file describes the names of the hosts which are
#               *not* allowed to use the local INET services, as decided
#               by the ‘/usr/sbin/tcpd’ server.
#
#Simple Deny access from any address to any service. This is like “Deny first, allow required” #policy
ALL: ALL

Saves the files. Now you are set.
Share:

A good resource for Generating very highly secure WPA-PSK Keys

on  

I recently came across a website called www.grc.com. When you click on this link it will generate a ultra high secure WPA-PSK keys. Then you can cut and paste into your WIFI base stations and the computers that would like to join your network. I highly recommend this site if you have any Wireless/Network security concerns.

Also they have network port scanner which will scan how vulnerable your network is. I highly recommend you run the tool and close the holes in the firewall. Here is the link for this tool SheildsUp

This site also has software for recovering data from crashed hard drives. It is called SpinRite

Share:

How to derive 256 bit WPA-PSK key from pass phrase entered by the User

on  

WPA-PSK key need to be 256 bits in lenght. Somesoftware, allow the user to enter 256 Key directly by allowing to enter 64 Hexadecimal numbers. But many of them asks for a pass phrase that are between 8 to 63 character in lenght and then convert it into 256 bit Keylength.

This article briefly mentions how this is done.

A key derivation function named PBKDF2 from RSA securities is been standardised by the Wifi alliance for deriving the key from pass phrase.

To know more about the PBKDF2 click RFC2898

PBKDF2 hashes with the SSID of the Access point that we want to join to produce the 256 bit key. The hash function used is SHA1-HMAC. SHA1 computes a 160 bit hash function. And HMAC creates the Message authentication function.

The SHA1-HMAC is iterated over 4096 time to produce the Key. To know more about SHA1 click SHA1 RFC. To knoe more about HMAC, clickHMAC RFC

The Algorithm from top level looks as follows

key = PBKDF2( Pass phrase, SSID, Interation count = 4096, Key length = 256 )

Hope this helps some one.

Share:

Doing Away with the Need for Root Account in Linux

on   in  

After your installation of Linux, it is a better idea to do away with root account. This is part of making your system as secure as possible. Almost all Linux installations comes with a program named sudo that provides root privileges to normal users without knowing the root password. This way you can execute commands that are meant to be executed by root. Please follow the steps below to enable any user to obtain the root privileges:

    • Need to enable any user or group, who want to gain root privileges, in /etc/sudoers. The normal practice is to enable the users belonging to group wheel to run all root privileged commands.
    • /etc/sudoers is edited by visudo. You need to be root to edit this file.
$visudo
=========== File snippet below =====================
# sudoers file.
#
# This file MUST be edited with the ‘visudo’ command as root.
#
# See the sudoers man page for the details on how to write a sudoers file.
# # Host alias specification # User alias specification # Cmnd alias specification

 

# Defaults specification

# User privilege specification
root ALL=(ALL) ALL

# Uncomment to allow people in group wheel to run all commands. Uncomment the following line
 %wheel ALL=(ALL) ALL

# Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL
  • Now add the user you want to have root privilege into group wheel
$usermod -a -G wheel “username here without the quotes”
    Now test whether that particular user can gain root privilege. First login to the system with username you want to test
$wc /etc/sudoers
wc: /etc/sudoers: Permission denied
$sudo wc /etc/sudoers
password: # enter your account password here
28 94 579 /etc/sudoers
    if you can count the words in that file, that means you can any command that requires root privilege.

If you are using SSH to login to your machine remotely, then follow the procedure below to disallow “root” to login

    • Again it is a good practice to create a group whose users will be allowed SSH access.
    • create a group named sshusers.
$sudo groupadd sshusers
$sudo usermod -a -G sshusers “username who needs to ssh access without quotes”
      Now open /etc/ssh/sshd_config to diable
root
      login and enable the group
sshusers
$sudo vi /etc/sshd/sshd_config=========== File snippet. Only the required portion is shown=
#LoginGraceTime 2m
PermitRootLogin no #Add this line into the file AllowGroups sshusers

Test it out just by logging in as root. You should get Access Denied message

Now try to login using a user that belongs to sshusers group. You should be able to login

Share:

Euro English.. Let us Take a break and read this hilarious Stuff

on  

One of my friends forwarded this joke and it is really hilarious. This blog is more about technical stuff. But once in a while a dose of humor is good for you. read on and laugh heartily

ENGLISH OF TOMORROW EU ANNOUNCEMENT
The European Commission has just announced an agreement whereby English will
be the official language of the European Union rather than German, which was
the other possibility.
As part of the negotiations, the British Government conceded that English
spelling had some room for improvement and has accepted a 5- year phase-in
plan that would become known as “Euro-English”.
In the first year, “s” will replace the soft “c”. Sertainly, this will make
the sivil servants jump with joy.
The hard “c” will be dropped in favour of “k”. This should klear up
konfusion, and
keyboards kan have one less letter.
There will be growing publik enthusiasm in the sekond year when the
troublesome “ph” will be replaced with “f”. This will make words like
fotograf 20% shorter.
 In the 3rd year, publik akseptanse of the new spelling kan be expekted to
reach the stage where more komplikated changes are possible.
Governments will enkourage the removal of double letters which have always
ben a deterent to akurate
speling.
Also, al wil agre that the horibl mes of the silent “e” in the languag is
disgrasful and it should go away.
By the 4th yer people wil be reseptiv to steps such as replasing “th” with
“z” and “w” with “v”.
During ze fifz yer, ze unesesary “o” kan be dropd from vords kontaining “ou”
and after ziz fifz yer, ve vil hav a reil sensi bl riten styl.
Zer vil be no mor trubl or difikultis and evrivun vil find it ezi tu
understand ech oza. Ze drem of a united urop vil finali kum tru.
Und efter ze fifz yer, ve vil al be speking German like zey vunted in ze
forst plas.
If zis mad you smil, pleas pas on to oza pepl.

Share: