Episode1 for Safety Nets: Let Me Zine

Transcript

Episode 1. Infrastructure of servus.at and how they deal with server safety with Davide Bevilacqua & Michal Klodner from servus.at

* Click or Tab    to see its meaning.

Safety Nets: Let Me Zine project is funded by Talent Development grant from Stimuleringsfond, Creative Industries Fund NL. Thank you, Stimuleringsfonds and the Netherlands for making this possible.

Nami (Hereafter referred to as N): Welcome to the first episode of Safety Nets: Let Me Zine. My name is Nami, a host of the show and an artist, and an admin of HTML Zine Club. This episode is about infrastructure of servus.at, which is a non-profit net culture initiative in Linz, and how they deal with security of their server as an organisation running their own data center.

[Intro music]

N: Hello, today I'm in Linz. I'm here at servus.at. Now I would like to talk with Davide and Michal. They are core members. So yea, can you please introduce yourself and also servus.at to our listeners?

Davide (Hereafter referred to as D): Hi everybody, my name is Davide Bevilacqua. I'm working at servus at since few years. I'm not a system admin. I'm a power user. I'm a notorious case study for the infrastructure. I'm an organiser and a coordinator for cultural programs of servus. Also, the administration part, not the systsem. Well it's also the system but more about the financial and application, etc. And the connection of community. This is what I mostly do. Whatever stays unclear who does it is mostly me.

N: Okay, I think that explains a lot. Hello Michal. Can you please introduce yourself?

Michal (Hereafter referred to as M): Hello everybody I'm Michal, servus' system admin. I'm running for long time some online services and websites for artists and the culture, and streaming, and things like that. Also now email, things like that everybody needs.

N: So how long have you been working for servus.at?

D: I started collaborating from 2017. Now it sounds long. I did a residency here and I liked to stick around. Three years ago I took over the administrative part, because the person who did it before quitted. And we didn't find anybody else. Well, somehow it has to run. In the worse case I'd break it. But so far it didn't happened yet.

N: Okay, thanks. How about you Michal. So how long have you been working at servus.at?

M: Yea, directly in servus it's one year now. Before I was running for long time my online gallery in Prague. I came to servus which is even bigger and even longer history. So, it is an amazing environment and a cultural context in Linz.

N: Yea, thanks. So since my questions today are how to run your own server as cultural practitioners, plus how you deal with security matters on your server, I've thought it would be nice to talk about your recent project Artists Running Data Center. I know servus is running a data centerA data center is a centralized physical facility where corporate computers, network, storage, and other IT equipment that support business operations live. and this data center hosts web spaces. I saw many collectives and cultural practitioners and even institutions are using servers from servus at. How come was actually the concept of data center arisen here? It's really about you are sharing something with others. What kinds of mind is it behind of this?

D: So, I answer because I did the publication and I was interviewing a lot of people. I was puzzled by the same question as well. And Michal also can provide other perspectives later. So servus was started, important to say; servus is physically located in Stadwerksttat, which is a building, which is a very central in the independent art scene. Many sees it almost an institution. And Stadwerksttat hates to be called the institution, because they are like a collective, they run their own house they run their own club, they do artistic projects with Media Art. This idea about autonomy is very important for them and it was always like clean spaces and uses and occupies and gets whatyou need as an artist or cultural producer/person. And they started almost 45 years ago. Not in the same building, some rest moved here and continued like this. And they experimented with a lot of media all the time. Because for them, especially in Austria, also in the 80's and 90's media and radio communication frequencies were very closed. So they were pushing, and also legally through law, but also through practice and also through activism to get radio frequencies. And this is where for example where Radio Fro came to be through Stadtwerkstatt and thier work. And then it grew autonomous, but still in a collaboration with servus.at. Servus was the same. When the first Internet protocols and mail programs, and things were coming together. The house had always a need of being touched by others, same minded people. And also keeping up with your own infrastructure, and doing so. Because you want to be autonomous. Or you need to be autonomous. Because the state doesn't allow you to stay free freequency. That was the begining. But it was the neccessity from the house. And there were already many people. It was first running its own infrastructure for what you do. And the community continues to grow, and at some point servus was autonomous. I don't know why, to be honest, it started to have members and membership. It naturally distincts a form and a shape of the association, also legally. So you have members. Back then it was 1996 and next year is 30 years. There was no free email account you could do. So it was actually for them easier to... for people in the city, was one of a few reference points to get an email address. We have people from that time still. We're still using the services, still from there.

N: But why specifically for artists? What is the meaning, you know? Because the server can be actually run by almost everyone. I read the publication and I don't remember who, but someone said administrating a server is itself; He considers it a form of art in a way. There are so many things to configure on his own. Is there anything for you'd like add, Michal?

M: Yea, in terms of running a server, of course you can run it at home. But actually, and you can run a kind of small data center in a residential building, like you use some space like basement. And by the time I started a data center and also there was a phase that nodline in a cultural institution where I was admining. But actually you can use the network of the institution with your mobile phone. It's a principle of bringing your own device. So I said, as an admin, I will bring my own server. And somebody called this shadow idea, like putting in universities and in the server in the network that nobody is knowing. And using it a bit paradoxically. But you are not harming anyone. And of course you can run it at home.

N: I see, thanks. By the way, now I'm questioning to myself. Have we ever introduced servus.at properly in this recording?

D: I'm not sure. We're running around that anyways. I can say three words about that. Servus is a cultural association that does mostly with media art productions, and organises a festival called AMRO (Art Meets Radical Openness), which is a second festival is an edition called Design Week. We're currently developing it. This is what we do as a cultural institution you produce Arts. And then we're doing a critical media arts. And we research what are the phenomena network culture and communities. In general, digitalisation... So all these kinds of things. We have a clear critical point and an approach to that. And as we are critical, but also mildly touching the activist work, we want to not only talk but also to do things in a critical way, which I think connects back the question why artists?. And yea, trying to keep the consistency and also do the consistency... If you're criticising big tech then you want to have an alternative. That's why we also operate the data center. That's it. This is servus. It's very difficult to describe because of these two souls. Art production media and Internet infrastructure. They come into one.

N: And yea, now I would like to ask Michal. How is the day of an administrator of servus at? What do you do? What kinds of works are involved in?

M: First, the day of the admin, a Lot of people are doing this remotely. A Lot of system admin works are sitting at the terminal, often in night, because you do some operations on some software you don't want to disrupt people using it. So you have to do something in times that are not used too much. To re-struct something, you start it in midnight. Even later. So that's a part of it. The other part is, of course, to talk to people. We're talking to Davide and others about what they expect and would it need to run. We're discussing about how this organisations and cultural initiatives develop by the software you allowed to do some activities. So it starts to how the cultural organisations communicate, how they organise. That's what we talk about a lot. Of course there's a lot of studying knowledge about network, running things, about programming languages and deployment, and set-ups... What to know... such as routing... things like that.

N: How many admins are there at servus at?

M: I think we are two-internal. And some others participating in helping to run some of the systems, or we have a technical board, discussing strategic decisions. That's also helpful to talk how to solve things. And What's the directions we're heading, what's the strategies for infrastructure, building other perspectives...

D: I wanted to add that around servus there are many other system admins. The core, as Michal said, it's two in the team, and other four, which are in the board of the association and together the technical board. Then we have many small-scaled admins, but small admins. We are also doing some housings. A few specific projects are harboured in data center, but basically we just provide them with routing and electricity.And so there are admins by others. Some of these are, for example, the Radio. There is a cultural broadcasting archive, which is some platform collecting all the radio shows in Austria, in the independent scene, with I don't know 200000 podcasts. A few projects are like this. All of these have their own admins. Stadtwerkstatt has, also some servus has.. This is also what they're administrated by others. And this is a sort of like Grey areas in our tool box. It's not super publicly advertised, but we also have Virtual MachinesA virtual machine (VM) is a software-based computer that runs inside another physical computer, creating an isolated environment with its own operating system and applications. and VPS.VPS stands for Virtual Private Server. It is the same as having your own virtual computer on the internet. Even though it shares a physical server with others, it is isolated and customizable, allowing for more control and resources for hosting websites or applications. We don't really announce it like this because not it's very common to spin off the VPS at any other big company that are very automatised. So with a few minutes you have your machines. Here we have some artisan approach / we're not that automatised yet. So yea this is a lot of work. And then we do it for projects. It really makes sense. We want and they want to be at servus because of some specific reasons. I's very fine for us to do that. All the machines are also given by the administrating rights to.

N: Actually maybe ARDC I read that there are system administrators here who have stayed for so long from the beginning. What makes them keep working for this?

D: There is one person that is since the beginning, who is Didi. Didi was circulating the house across different associations since the beginning, since the mid late 90's. Stadtwerkstatt, Fro...And then at some point it was employed from a bit everybody. And then it became clear, his job within servus. He kept on doing mostly same things from servus to other associations. And in his case, umm.. he is not so talkative. Maybe a bit stereotypically. But he has been around since ever. And I think he cares a lot and a lot and a lot about the machines. So not even so much what is done with them, he's not very much aware the projects but he's much aware about the house and the need. And I think it's very bound to this project because it's something very special, unique. He's been following that as well. The others who are around since long time is the technical board, which are older employees and system admins. It was basically, I think pretty much all of them were like Michal, before Michal, before Michal, before Michal. So there has been one Didi. And then many other Michal.

N: Aha. Sounds funny but that's a very easy way to explaining it. Thanks.

D: And of course it's overlapping and changing over time but they all still stick around, because they get attached to the server.

N: Well, we've been already recording for a while. I don't want to drag it too much. Maybe now it's time to jump to the main point of this episode. So my main issue as an admin of HTML Zine Club is that I'd like to make webspace safe, as people are mostly concerned with like what if my websites or webpages are scrapped or crawled by AI bots or other big tech bots, because it's very personal materials. I was wondering if there's any technical or even conceptual strategies for you to deal with the security matter of servus.at.

M: Sure, this is not a new thing with AI robbers, stealing the data. I'm watching and dealing with this for 20 years. Because this fights with the crawler, hacking and attacks are constantly present on the Internet. It's kinda on invisible sides, but when you're in the server, it's constantly being attacked by something. So the AI is another thing linked to that, which you can actually scrapping webpages loading with such high demand that people experience caches, and it starts to be very problematic running this sites they are under so heavy load. And AI is using the services so page data and, not sending like the search engines before, sending the people to this website where the information are, but using them.. Like no more dealing the website traffic. And the personal thing, it's kinda different threat which is coming in digital sphere. It's not just attacks on the servers and security attacks, things like that. But people have more and more personal data in digital spaces and they are being very vulnerable by that. By construction of the spaces, media-wise and information-wise, they can be manipulated in different kinds of bubbles, manipulated information. So this is kind of a new threat where the personal data are misused. They are used in political communications. There was a project detecting 500 PR (Public Relations) companies using people's personal data for political communication, which influence them so... We can have some defend. Of course there are some strategies to detect these attacks, how to make a firewallA firewall is a network security device designed to monitor, filter, and control incoming and outgoing network traffic based on predetermined security rules. The primary purpose of a firewall is to establish a barrier between a trusted internal network and untrusted external networks. and how to control how many requests that anybody do, which IP addresses are used. There are many intrusions. because people have their passwords stored on their computers and they got some malwareMalware is malicious software that is purposefully designed to cause harm to a device. That's the simplest definition, however, to truly understand a malware meaning, it is important to state that “malware” is an umbrella term used to describe a wide range of malicious software that operate in different ways. and virus and it steals the account data, and spamming on the server, or accessing an authorised thing like that. Or sharing they upload to a website some bad stuffs they abuse your server, because they're not running their own. They just abuse all the server they can accessible by scripts. And how to make techniques getting accessed.

D: Michal, maybe I interrupt you, because I think we were also looking into ways how to actively protect from scrapping. Maybe not from the side, but more about making things less searchable and less scrappable, there was some discussions online some weeks or months ago, how many what are the main instances of that are being scrapped. And there are also a lot of artists, developers and activists that are trying to build tools that prevent the AI scrapping crawlers to get to your machine and your materials. We found out a list. There's usually one great list from the Algorithmic Sabotage Research Group (ASRG). They were posting like 10 or different tools or methods how to protect servers from the scrappers. Some of them go to more a defensive mode. Like, I'm going to detect.. Like there's an AI, re-route it or trap it into some sorts of endless lists of links... Or some others are trying to attack against and try to poison the AI. And we were looking into the list and also with Michal. He did a few steps and started implementing some of these measures. That's why I interrupted him, cus I thought Maybe it's interesting to hear little bit how it works.

N: Yes, this kinds of strategies are very helpful for other site operators. Maybe they also want to protect from such attacks. For instance I also have a robots.txtA robots.txt file is a set of guidelines for bots. This file is included in the source files of most websites. Robots.txt files are intended for managing the activities of bots like web crawlers, although not all bots will follow the instructions., and I tested, like I'm pretending a different agent bot, and so on. It seems like it works but my friends knowing this side says this will not really do its jobs properly. Then I was wondering what could I do else.

M: Yea, there are technical strategies, but first you can put some sensitive data or start discussing behind a login box and make it not public. You close the discussion forum and that's a strategy some people use. But, of course, lose your participation in some public discourse, and how to influence public interest things... So you want to have some information public and stay opened. In this opened things, you have some policies and licenses, and the scrappers are using like a grey area, because if you have something online, they say you can use it. You'd say it's under kind of policies and you start enforce your rules by the technical measures. And this area, you can block IP addresses if you detect too many requests or if you detect some attacks by some IP addresses, you can put it in the black list. Or if you detect some user agents, which are scrappers or bots you don't want, you can block them and do whatever... You can send them a response from a web server saying that there are too many requests. There are a lot of communications that are on a https level you can use a lot of techniques. Or you can redirect them to some websites which is used to catch them. Or you can detect them if they don't respect your robots.txt file. You can take them kinds of malicious actors. But yea user agent detecting and blocking are not perfect, because anybody can use whatever detects for users they want. So it's just the voluntary thing to put some strings they use. Some are using just the mimicking the browser; So you can stay with this detection of how many requests they make and what actually they are scrapping. You can also make a honey pot pages or URLA URL (Uniform Resource Locator) is the address of a unique resource on the internet. It is one of the key mechanisms used by browsers to retrieve published resources, such as HTML pages, CSS documents, images, and so on. that...

N: Honey pot?

M: You prepare for a honey pot for them. When they go there, you catch them.

N: aha it's more a metaphor.

M: You put on your website some invisible link that people do not see visually, they do not see it. But the bots do not see the webpage visually. And they think it's some link on the website and they go there, they even see the page you prepared as a honey pot, they are the bots. So there are different techniques. And you can also watch logs and a matrix and detects unusual patterns in the network on a professional level. You can use Network traffic analyses and monitors, thing like that. So you can detect any unusual patterns in the network communications.

N: Okay, thank you for such tips from the technical side. It seems Davide wants so add something on it?

D: Yea, but this is also what Michal was mentioning, no? That put things behind login in a way. I think there is some sort of cultural shifts towards less visible less opened social infrastructure in a way, not meaning social media , but more between people organise in groups that are not super public. And this has been something that is evolved over the last years. People realise how toxic it is. Hyper-visibility, hyper-tension, the need of constantly being online, how you quickly lose your control about your things. That's why we see in general not only that critical area but also in mainstream social media that people want to be more private. They don't make it very manifesting. Not all the people, there are still many people that are still making everything very visible. But I see that there's a growing amount of people who have private profiles, and some sort of go into some sort of dark forest modes. With closed group, Signal groups. This is interesting, because it's also covered in more cultural dimensional. Like Maybe not being so visible all the time.

N: Yes, this is very interesting.

D: Yes, It is. You put things behind the login page, or you work on a local network. For us as a network, servus, for example, we also started implementing the last year social protocols to try to involve specific members, but like not necessarily not in super public surface. Also there is a space talk to each other in non public ways with the rest of the members. I think there will be more and more of this in the future. But also as Michal said, interacting with the public sphere that is still important. So I think both directions are very endangered but also important to maintain.

M: I can also add maybe about this. There is a big need nowadays to create a kind o safe digital spaces. For people who are hosting websites and maybe people struggling with doing that individually, of course there are some services on the Internet which is for protecting your website from AI and whatever like DDoSA distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt the normal traffic of a targeted server, service or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic attack.So we are talking with Davide about putting, operating also to members, like you can use it as safer access those and those things for you. Because actually when you running VPS, you do everything from the Internet by yourself. So we can help people use this.. Maybe that's what can be done in the near future.

N: Indeed... Wow, in the last minutes I've learned a lot already. Thank you for sharing your insights with me and the listeners. I have one last question. There' s a clear urgency to run a data center like servus.at, but I guess it's not easy. What would you recommend others who would like to start running a data center like you? This is actually a broad questions. So maybe when it comes to working together, or how to finance things...

D: I think, I would say: Not try to follow what servus at is doing. Specifically about what we offer members and how we operate. Because... we do this because we try to answer a question or some needs that are not always very clear. And so... we are very rooted the situated in a house with specific demands. Or like.. they operate things. And they need digital layers to do their things. To sum it up, what technology-wise servus is doing, it's always an answers to what the members need and what our house needs, and there is an access point to whatever. So this is always some sort of answer for something external. Therefore, suggestion would be find the space that needs such a thing and then work yourself around that. That needs the community or space, I don't say institution, cus institution sounds structured. But maybe the collective needs. It doesn't have to be a collective. Safe technologies... Maybe there's a community that needs. Very often you don't do this because you're interested in. But because some other people need it and need help. I think that is something that would make your project more reliable and long-lasting, because people would still need that.

N: Okay, so the pinpoint is what people need.

D: Yes, try to find ways to ask. And cipher these needs. Cus maybe if people who are not in this kind of community, like one that is not very technical, they would not know how to articulate that. So you as a system admin or as a person who is in the background who'll have to do a lot of non-system or non-technical works to decipher what is actually necessary, what is people need. Then a lot of information and exchange... It's not only one way. It's always both ways.

N: Yes, if you question this way, you could find your ways more naturally. Of course there will be trials and errors. Is there anything for you Michal to add?

M: Yea, anyone interested in running a server or a data center, I would say... Look around others who are already doing then and you can network. See what and how they are doing. Enjoying this, already it's a kind of a network of such community. I think that's how it becomes more personal relation in the future, all the information sphere.

N: Indeed, eventually you learn things from others.

N: So, it's been a while that we have been recordoing. And now maybe I think it's okay to wrap it up. Thanks for joining me. I hope I manage this radio editing (haha), because now I'm already getting worried. But it was a really nice learning from you! There were some abstract parts on my side about servus. I visited your website. I read your publication, but there were some small details I was wondering. I can say I learned a lot today. Also thanks, Michal for your inputs, strategies and methods as a system admin.

M: Thank you.

D: Thanks Nami for the questions! And joining here.

N: I wished that I was able to throw these questions in a more organised way. But, I'll see. We have a method of editing. So let's rely on it :)
Thank you so much for join today. I hope you have a nice rest of the day. And also hope we see soon!

M: Bye!

N & D: Bye bye! :D

[Outro music]

Safety Nets: Let Me Zine project is funded by Talent Development grant from Stimuleringsfond, Creative Industries Fund NL. Thank you, Stimuleringsfonds and the Netherlands for making this possible.