<?xml version="1.0" encoding="utf-8"?>
<rss version='2.0' xmlns:lj='http://www.livejournal.org/rss/lj/1.0/' xmlns:atom="http://www.w3.org/2005/Atom">
<channel>
<title>Petter Reinholdtsen</title>
<description></description>
<link>http://people.skolelinux.org/pere/blog/</link>
<atom:link href="http://people.skolelinux.org/pere/blog/index.rss" rel="self" type="application/rss+xml" />

<item>
<title>Detecting NFS hangs on Linux without hanging yourself...</title>
<link>http://people.skolelinux.org/pere/blog/Detecting_NFS_hangs_on_Linux_without_hanging_yourself___.html</link>
<guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Detecting_NFS_hangs_on_Linux_without_hanging_yourself___.html</guid>
<pubDate>Thu, 9 Mar 2017 15:20:00 +0100</pubDate>
<description>&lt;p&gt;Over the years, administrating thousands of NFS-mounting Linux
computers at a time, I often needed a way to detect if a machine
was experiencing an NFS hang. If you try to use &lt;tt&gt;df&lt;/tt&gt; or look at a
file or directory affected by the hang, the process (and possibly the
shell) will hang too. So you want to be able to detect this without
risking the detection process getting stuck as well. It has not been
obvious how to do this. When the hang has lasted a while, it is
possible to find messages like these in dmesg:&lt;/p&gt;

&lt;p&gt;&lt;blockquote&gt;
nfs: server nfsserver not responding, still trying
&lt;br&gt;nfs: server nfsserver OK
&lt;/blockquote&gt;&lt;/p&gt;

&lt;p&gt;It is hard to tell from these whether the hang is still going on, and it is hard to
be sure that looking in dmesg is going to work at all. If there are lots of other
messages in dmesg, the lines might have rotated out of sight before they
are noticed.&lt;/p&gt;

&lt;p&gt;While reading through the NFS client implementation in the Linux kernel
code, I came across some statistics that seem to give a way to detect
it. The om_timeouts sunrpc value in the kernel will increase every
time the above log entry is inserted into dmesg. And after digging a
bit further, I discovered that this value shows up in
/proc/self/mountstats on Linux.&lt;/p&gt;

&lt;p&gt;The mountstats content seems to be shared between files using the
same file system context, so it is enough to check one of the
mountstats files to get the state of the mount points for the machine.
I assume this will not show lazily umounted NFS points, nor NFS mount
points in a different process context (i.e. with a different filesystem
view), but that does not worry me.&lt;/p&gt;

&lt;p&gt;The content for an NFS mount point looks similar to this:&lt;/p&gt;

&lt;p&gt;&lt;blockquote&gt;&lt;pre&gt;
[...]
device /dev/mapper/Debian-var mounted on /var with fstype ext3
device nfsserver:/mnt/nfsserver/home0 mounted on /mnt/nfsserver/home0 with fstype nfs statvers=1.1
opts: rw,vers=3,rsize=65536,wsize=65536,namlen=255,acregmin=3,acregmax=60,acdirmin=30,acdirmax=60,soft,nolock,proto=tcp,timeo=600,retrans=2,sec=sys,mountaddr=129.240.3.145,mountvers=3,mountport=4048,mountproto=udp,local_lock=all
age: 7863311
caps: caps=0x3fe7,wtmult=4096,dtsize=8192,bsize=0,namlen=255
sec: flavor=1,pseudoflavor=1
events: 61063112 732346265 1028140 35486205 16220064 8162542 761447191 71714012 37189 3891185 45561809 110486139 4850138 420353 15449177 296502 52736725 13523379 0 52182 9016896 1231 0 0 0 0 0
bytes: 166253035039 219519120027 0 0 40783504807 185466229638 11677877 45561809
RPC iostats version: 1.0 p/v: 100003/3 (nfs)
xprt: tcp 925 1 6810 0 0 111505412 111480497 109 2672418560317 0 248 53869103 22481820
per-op statistics
NULL: 0 0 0 0 0 0 0 0
GETATTR: 61063106 61063108 0 9621383060 6839064400 453650 77291321 78926132
SETATTR: 463469 463470 0 92005440 66739536 63787 603235 687943
LOOKUP: 17021657 17021657 0 3354097764 4013442928 57216 35125459 35566511
ACCESS: 14281703 14290009 5 2318400592 1713803640 1709282 4865144 7130140
READLINK: 125 125 0 20472 18620 0 1112 1118
READ: 4214236 4214237 0 715608524 41328653212 89884 22622768 22806693
WRITE: 8479010 8494376 22 187695798568 1356087148 178264904 51506907 231671771
CREATE: 171708 171708 0 38084748 46702272 873 1041833 1050398
MKDIR: 3680 3680 0 773980 993920 26 23990 24245
SYMLINK: 903 903 0 233428 245488 6 5865 5917
MKNOD: 80 80 0 20148 21760 0 299 304
REMOVE: 429921 429921 0 79796004 61908192 3313 2710416 2741636
RMDIR: 3367 3367 0 645112 484848 22 5782 6002
RENAME: 466201 466201 0 130026184 121212260 7075 5935207 5961288
LINK: 289155 289155 0 72775556 67083960 2199 2565060 2585579
READDIR: 2933237 2933237 0 516506204 13973833412 10385 3190199 3297917
READDIRPLUS: 1652839 1652839 0 298640972 6895997744 84735 14307895 14448937
FSSTAT: 6144 6144 0 1010516 1032192 51 9654 10022
FSINFO: 2 2 0 232 328 0 1 1
PATHCONF: 1 1 0 116 140 0 0 0
COMMIT: 0 0 0 0 0 0 0 0

device binfmt_misc mounted on /proc/sys/fs/binfmt_misc with fstype binfmt_misc
[...]
&lt;/pre&gt;&lt;/blockquote&gt;&lt;/p&gt;

&lt;p&gt;The key number to look at is the third number in the per-op list.
It is the number of NFS timeouts experienced per file system
operation. Here there are 22 write timeouts and 5 access timeouts. If these
numbers are increasing, I believe the machine is experiencing an NFS
hang. Unfortunately the timeout values do not start to increase right
away. The NFS operations need to time out first, and this can take a
while. The exact timeout value depends on the setup. For example the
defaults for TCP and UDP mount points are quite different, and the
timeout value is affected by the soft, hard, timeo and retrans NFS
mount options.&lt;/p&gt;
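
&lt;p&gt;As an added example (not code from this post), here is a small Python script that polls /proc/self/mountstats and reports NFS mounts whose per-op timeout counters are rising between two snapshots. Because it only reads /proc it does not itself block on the hung mount. The embedded sample text is constructed after the excerpt above; the helper names (nfs_timeouts, detect_hangs, watch) and the 30 second polling interval are my own choices, not anything from the kernel or nfs-utils.&lt;/p&gt;

```python
#!/usr/bin/env python3
"""Poll /proc/self/mountstats for rising NFS per-op timeout counts.

Added example, not code from the original post. It only reads /proc,
so it never touches the hung mount itself. SAMPLE_MOUNTSTATS is
constructed after the mountstats excerpt in the post; on a real host
call nfs_timeouts(read_mountstats()) instead.
"""
import re
import time

SAMPLE_MOUNTSTATS = """\
device /dev/mapper/Debian-var mounted on /var with fstype ext3
device nfsserver:/mnt/nfsserver/home0 mounted on /mnt/nfsserver/home0 with fstype nfs statvers=1.1
\topts: rw,vers=3,soft,proto=tcp,timeo=600,retrans=2
\tper-op statistics
\t        NULL: 0 0 0 0 0 0 0 0
\t     GETATTR: 61063106 61063108 0 9621383060 6839064400 453650 77291321 78926132
\t      ACCESS: 14281703 14290009 5 2318400592 1713803640 1709282 4865144 7130140
\t       WRITE: 8479010 8494376 22 187695798568 1356087148 178264904 51506907 231671771
device binfmt_misc mounted on /proc/sys/fs/binfmt_misc with fstype binfmt_misc
"""

# "device X mounted on Y with fstype nfs|nfs4 ..." starts one NFS mount's block.
DEVICE_RE = re.compile(r"^device (\S+) mounted on (\S+) with fstype (nfs\d?)\b")
# Per-op lines: "   OPNAME: op_count ntrans timeouts sent recv queue rtt execute"
OP_RE = re.compile(r"^\s*([A-Z_]+): (.*)$")


def read_mountstats(path="/proc/self/mountstats"):
    """Read the live file; reading /proc does not block on a hung NFS server."""
    with open(path) as fh:
        return fh.read()


def nfs_timeouts(text):
    """Map each NFS mount point to {op: timeouts}, the third per-op column.

    Non-NFS devices are skipped; mounts are keyed by their mount point path.
    """
    result = {}
    current = None
    for line in text.splitlines():
        dev = DEVICE_RE.match(line)
        if dev:
            current = dev.group(2)
            result[current] = {}
            continue
        if line.startswith("device "):
            current = None          # a non-NFS device; ignore until the next NFS one
            continue
        op = OP_RE.match(line)
        if op and current is not None:
            fields = op.group(2).split()
            if len(fields) == 8:    # op_count ntrans timeouts sent recv queue rtt execute
                result[current][op.group(1)] = int(fields[2])
    return result


def total_timeouts(per_op):
    """Sum of timeouts over all operations of one mount."""
    return sum(per_op.values())


def detect_hangs(before, after):
    """Mounts whose total timeout count rose between two snapshots.

    A rising counter means RPCs are timing out right now; a high but
    static counter only means there was a hang at some earlier time.
    A mount absent from the earlier snapshot is counted from zero.
    """
    hung = {}
    for mount, ops in after.items():
        delta = total_timeouts(ops) - total_timeouts(before.get(mount, {}))
        if delta > 0:
            hung[mount] = delta
    return hung


def watch(interval=30):
    """Loop forever, printing mounts whose timeout counters keep rising."""
    previous = nfs_timeouts(read_mountstats())
    while True:
        time.sleep(interval)
        current = nfs_timeouts(read_mountstats())
        for mount, delta in detect_hangs(previous, current).items():
            print("NFS hang suspected on %s: +%d timeouts" % (mount, delta))
        previous = current


if __name__ == "__main__":
    watch()
```

&lt;p&gt;Run it from cron or as a small daemon and alert when it prints. The comparison is between two samples rather than against zero on purpose: a counter that is high but no longer moving only tells you that a hang happened at some point in the past.&lt;/p&gt;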

&lt;p&gt;The only way I have been able to get working on Debian and Red Hat
Enterprise Linux for getting the timeout count is to peek in /proc/.
But according to
&lt;a href=&quot;http://docs.oracle.com/cd/E19253-01/816-4555/netmonitor-12/index.html&quot;&gt;Solaris
10 System Administration Guide: Network Services&lt;/a&gt;, the &#39;nfsstat -c&#39;
command can be used to get these timeout values. But this does not work
on Linux, as far as I can tell. I
&lt;a href=&quot;http://bugs.debian.org/857043&quot;&gt;asked Debian about this&lt;/a&gt;,
but have not seen any replies yet.&lt;/p&gt;

&lt;p&gt;Is there a better way to figure out if a Linux NFS client is
experiencing NFS hangs? Is there a way to detect which processes are
affected? Is there a way to get the NFS mount going quickly once the
network problem causing the NFS hang has been cleared? I would very
much welcome some clues, as we regularly run into NFS hangs.&lt;/p&gt;
</description>
</item>

<item>
<title>How does it feel to be wiretapped, when you should be doing the wiretapping...</title>
<link>http://people.skolelinux.org/pere/blog/How_does_it_feel_to_be_wiretapped__when_you_should_be_doing_the_wiretapping___.html</link>
<guid isPermaLink="true">http://people.skolelinux.org/pere/blog/How_does_it_feel_to_be_wiretapped__when_you_should_be_doing_the_wiretapping___.html</guid>
<pubDate>Wed, 8 Mar 2017 11:50:00 +0100</pubDate>
<description>&lt;p&gt;So the new president of the United States of America claims to be
surprised to discover that he was wiretapped during the election,
before he was elected president. He even claims this must be illegal.
Well, doh, if there is one thing the confirmations from Snowden
documented, it is that the entire population of the USA is wiretapped, one
way or another. Of course the presidential candidates were wiretapped,
alongside the senators, judges and the rest of the people in the USA.&lt;/p&gt;

&lt;p&gt;Next, the Federal Bureau of Investigation asked the Department of
Justice to go public rejecting the claims that Donald Trump was
wiretapped illegally. I fail to see the relevance, given that I am
sure the surveillance industry in the USA believes it has all the legal
backing it needs to conduct mass surveillance on the entire
world.&lt;/p&gt;

&lt;p&gt;There is even the director of the FBI stating that he never saw an
order requesting wiretapping of Donald Trump. That is not very
surprising, given how the FISA court works, with all its activity being
secret. Perhaps he only heard about it?&lt;/p&gt;

&lt;p&gt;What I find most sad in this story is how Norwegian journalists
present it. In a news report the other day on the radio from the
Norwegian Broadcasting Corporation (NRK), I heard the journalist
claim that &#39;the FBI denies any wiretapping&#39;, while the reality is that
&#39;the FBI denies any illegal wiretapping&#39;. There is a fundamental and
important difference, and it makes me sad that the journalists are
unable to grasp it.&lt;/p&gt;
</description>
</item>

<item>
<title>Norwegian Bokmål translation of The Debian Administrator&#39;s Handbook complete, proofreading in progress</title>
<link>http://people.skolelinux.org/pere/blog/Norwegian_Bokm_l_translation_of_The_Debian_Administrator_s_Handbook_complete__proofreading_in_progress.html</link>
<guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Norwegian_Bokm_l_translation_of_The_Debian_Administrator_s_Handbook_complete__proofreading_in_progress.html</guid>
<pubDate>Fri, 3 Mar 2017 14:50:00 +0100</pubDate>
<description>&lt;p&gt;For almost a year now, we have been working on making a Norwegian
Bokmål edition of &lt;a href=&quot;https://debian-handbook.info/&quot;&gt;The Debian
Administrator&#39;s Handbook&lt;/a&gt;. Now, thanks to the tireless effort of
Ole-Erik, Ingrid and Andreas, the initial translation is complete, and
we are working on the proofreading to ensure consistent language and
use of correct computer science terms. The plan is to make the book
available on paper, as well as in electronic form. For that to
happen, the proofreading must be completed and all the figures need
to be translated. If you want to help out, get in touch.&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;http://people.skolelinux.org/pere/debian-handbook/debian-handbook-nb-NO.pdf&quot;&gt;A
fresh PDF edition&lt;/a&gt; in A4 format (the final book will have smaller
pages) of the book is created every morning and is available for
proofreading. If you find any errors, please
&lt;a href=&quot;https://hosted.weblate.org/projects/debian-handbook/&quot;&gt;visit
Weblate and correct the error&lt;/a&gt;. The
&lt;a href=&quot;http://l.github.io/debian-handbook/stat/nb-NO/index.html&quot;&gt;state
of the translation including figures&lt;/a&gt; is a useful source for those
who provide Norwegian Bokmål screenshots and figures.&lt;/p&gt;
</description>
</item>

<item>
<title>Unlimited randomness with the ChaosKey?</title>
<link>http://people.skolelinux.org/pere/blog/Unlimited_randomness_with_the_ChaosKey_.html</link>
<guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Unlimited_randomness_with_the_ChaosKey_.html</guid>
<pubDate>Wed, 1 Mar 2017 20:50:00 +0100</pubDate>
<description>&lt;p&gt;A few days ago I ordered a small batch of
&lt;a href=&quot;http://altusmetrum.org/ChaosKey/&quot;&gt;the ChaosKey&lt;/a&gt;, a small
USB dongle for generating entropy created by Bdale Garbee and Keith
Packard. Yesterday it arrived, and I am very happy to report that it
works great! According to its designers, to get it to work out of the
box, you need Linux kernel version 4.1 or later. I tested on a
Debian Stretch machine (kernel version 4.9), and there it worked just
fine, increasing the available entropy very quickly. I wrote a small
one-liner to test it. It first prints the current entropy level,
drains /dev/random, and then prints the entropy level once a second for
five seconds. Here is the situation without the ChaosKey inserted:&lt;/p&gt;

&lt;blockquote&gt;&lt;pre&gt;
% cat /proc/sys/kernel/random/entropy_avail; \
dd bs=1M if=/dev/random of=/dev/null count=1; \
for n in $(seq 1 5); do \
cat /proc/sys/kernel/random/entropy_avail; \
sleep 1; \
done
300
0+1 records in
0+1 records out
28 bytes copied, 0.000264565 s, 106 kB/s
4
8
12
17
21
%
&lt;/pre&gt;&lt;/blockquote&gt;

&lt;p&gt;The entropy level increases by 3-4 every second. In such a case any
application reading random bits from /dev/random (like an HTTPS enabled web server)
will block and wait for more entropy. And here is the situation with
the ChaosKey inserted:&lt;/p&gt;

&lt;blockquote&gt;&lt;pre&gt;
% cat /proc/sys/kernel/random/entropy_avail; \
dd bs=1M if=/dev/random of=/dev/null count=1; \
for n in $(seq 1 5); do \
cat /proc/sys/kernel/random/entropy_avail; \
sleep 1; \
done
1079
0+1 records in
0+1 records out
104 bytes copied, 0.000487647 s, 213 kB/s
433
1028
1031
1035
1038
%
&lt;/pre&gt;&lt;/blockquote&gt;

&lt;p&gt;Quite the difference. :) I bought a few more than I need, in case
someone wants to buy one here in Norway. :)&lt;/p&gt;

&lt;p&gt;Update: The dongle was presented at Debconf last year. You might
find &lt;a href=&quot;https://debconf16.debconf.org/talks/94/&quot;&gt;the talk
recording illuminating&lt;/a&gt;. It explains exactly what the source of
randomness is, if you are unable to spot it from the schematic drawing
available from the ChaosKey web site linked at the start of this blog
post.&lt;/p&gt;
</description>
</item>

<item>
<title>Detect OOXML files with undefined behaviour?</title>
<link>http://people.skolelinux.org/pere/blog/Detect_OOXML_files_with_undefined_behaviour_.html</link>
<guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Detect_OOXML_files_with_undefined_behaviour_.html</guid>
<pubDate>Tue, 21 Feb 2017 00:20:00 +0100</pubDate>
<description>&lt;p&gt;I just noticed that
&lt;a href=&quot;http://www.arkivrad.no/aktuelt/riksarkivarens-forskrift-pa-horing&quot;&gt;the
new Norwegian proposal for archiving rules in the government&lt;/a&gt; lists
&lt;a href=&quot;http://www.ecma-international.org/publications/standards/Ecma-376.htm&quot;&gt;ECMA-376&lt;/a&gt;
/ ISO/IEC 29500 (aka OOXML) as a valid format to put in long term
storage. Luckily such files will only be accepted based on
pre-approval from the National Archive. Allowing OOXML files to be
used for long term storage might seem like a good idea as long as we
forget that there are plenty of ways for a &quot;valid&quot; OOXML document to
have content with no defined interpretation in the standard, which
leads to a question and an idea.&lt;/p&gt;

&lt;p&gt;Is there any tool to detect if an OOXML document depends on such
undefined behaviour? It would be useful for the National Archive (and
anyone else interested in verifying that a document is well defined)
to have such a tool available when considering whether to approve the use of
OOXML. I&#39;m aware of the
&lt;a href=&quot;https://github.com/arlm/officeotron/&quot;&gt;officeotron OOXML
validator&lt;/a&gt;, but do not know how complete it is nor if it will
report use of undefined behaviour. Are there other similar tools
available? Please send me an email if you know of any such tool.&lt;/p&gt;
</description>
</item>

<item>
<title>Ruling ignored our objections to the seizure of popcorn-time.no (#domstolkontroll)</title>
<link>http://people.skolelinux.org/pere/blog/Ruling_ignored_our_objections_to_the_seizure_of_popcorn_time_no___domstolkontroll_.html</link>
<guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Ruling_ignored_our_objections_to_the_seizure_of_popcorn_time_no___domstolkontroll_.html</guid>
<pubDate>Mon, 13 Feb 2017 21:30:00 +0100</pubDate>
<description>&lt;p&gt;A few days ago, we received the ruling from
&lt;a href=&quot;http://people.skolelinux.org/pere/blog/A_day_in_court_challenging_seizure_of_popcorn_time_no_for__domstolkontroll.html&quot;&gt;my
day in court&lt;/a&gt;. The case in question is a challenge of the seizure
of the DNS domain popcorn-time.no. The ruling simply did not mention
most of our arguments, and seemed to take everything ØKOKRIM said at
face value, ignoring our demonstration and explanations. But it is
hard to tell for sure, as we still have not seen most of the documents
in the case and thus were unprepared and unable to contradict several
of the claims made in court by the opposition. We are considering an
appeal, but it is partly a question of funding, as it is costing us
quite a bit to pay for our lawyer. If you want to help, please
&lt;a href=&quot;http://www.nuug.no/dns-beslag-donasjon.shtml&quot;&gt;donate to the
NUUG defense fund&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;The details of the case, as far as we know them, are available in
Norwegian from
&lt;a href=&quot;https://www.nuug.no/news/tags/dns-domenebeslag/&quot;&gt;the NUUG
blog&lt;/a&gt;. This also includes
&lt;a href=&quot;https://www.nuug.no/news/Avslag_etter_rettslig_h_ring_om_DNS_beslaget___vurderer_veien_videre.shtml&quot;&gt;the
ruling itself&lt;/a&gt;.&lt;/p&gt;
</description>
</item>

<item>
<title>A day in court challenging seizure of popcorn-time.no for #domstolkontroll</title>
<link>http://people.skolelinux.org/pere/blog/A_day_in_court_challenging_seizure_of_popcorn_time_no_for__domstolkontroll.html</link>
<guid isPermaLink="true">http://people.skolelinux.org/pere/blog/A_day_in_court_challenging_seizure_of_popcorn_time_no_for__domstolkontroll.html</guid>
<pubDate>Fri, 3 Feb 2017 11:10:00 +0100</pubDate>
<description>&lt;p align=&quot;center&quot;&gt;&lt;img width=&quot;70%&quot; src=&quot;http://people.skolelinux.org/pere/blog/images/2017-02-01-popcorn-time-in-court.jpeg&quot;&gt;&lt;/p&gt;

&lt;p&gt;On Wednesday, I spent the entire day in court in Follo Tingrett
representing &lt;a href=&quot;https://www.nuug.no/&quot;&gt;the member association
NUUG&lt;/a&gt;, alongside &lt;a href=&quot;https://www.efn.no/&quot;&gt;the member
association EFN&lt;/a&gt; and &lt;a href=&quot;http://www.imc.no&quot;&gt;the DNS registrar
IMC&lt;/a&gt;, challenging the seizure of the DNS name popcorn-time.no. It
was interesting to sit in a court of law for the first time in my
life. Our team can be seen in the picture above: attorney Ola
Tellesbø, EFN board member Tom Fredrik Blenning, IMC CEO Morten Emil
Eriksen and NUUG board member Petter Reinholdtsen.&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;http://www.domstol.no/no/Enkelt-domstol/follo-tingrett/Nar-gar-rettssaken/Beramming/?cid=AAAA1701301512081262234UJFBVEZZZZZEJBAvtale&quot;&gt;The
case at hand&lt;/a&gt; is that the Norwegian National Authority for
Investigation and Prosecution of Economic and Environmental Crime (aka
Økokrim) decided on its own to seize a DNS domain early last
year, without following
&lt;a href=&quot;https://www.norid.no/no/regelverk/navnepolitikk/#link12&quot;&gt;the
official policy of the Norwegian DNS authority&lt;/a&gt;, which requires a
court decision. The web site in question was a site covering Popcorn
Time. And Popcorn Time is the name of a technology with both legal
and illegal applications. Popcorn Time is a client combining
searching a Bittorrent directory available on the Internet with
downloading/distributing content via Bittorrent and playing the
downloaded content on screen. It can be used illegally if it is used
to distribute content against the will of the rights holder, but it can
also be used legally to play a lot of content, for example the
millions of movies
&lt;a href=&quot;https://archive.org/details/movies&quot;&gt;available from the
Internet Archive&lt;/a&gt; or the collection
&lt;a href=&quot;http://vodo.net/films/&quot;&gt;available from Vodo&lt;/a&gt;. We created
&lt;a href=&quot;magnet:?xt=urn:btih:86c1802af5a667ca56d3918aecb7d3c0f7173084&amp;dn=PresentasjonFolloTingrett.mov&amp;tr=udp%3A%2F%2Fpublic.popcorn-tracker.org%3A6969%2Fannounce&quot;&gt;a
video demonstrating legal use of Popcorn Time&lt;/a&gt; and played it in
court. It can of course be downloaded using Bittorrent.&lt;/p&gt;

&lt;p&gt;I did not quite know what to expect from a day in court. The
government held on to their version of the story and we held on to
ours, and I hope the judge is able to make sense of it all. We will
know in two weeks time. Unfortunately I do not have high hopes, as
the Government has the upper hand here with more knowledge about the
case, better training in handling criminal law and in general higher
standing in the courts than a fairly unknown DNS registrar and member
associations. It is expensive to be right, also in Norway. So far the
case has cost more than NOK 70 000,-. To help fund the case, NUUG
and EFN have asked for donations, and managed to collect around NOK 25
000,- so far. Given the presentation from the Government, I expect
the government to appeal if the case goes our way. And if the case does
not go our way, I hope we have enough funding to appeal.&lt;/p&gt;

&lt;p&gt;From the other side came two people from Økokrim. On the benches,
appearing to be part of the group from the government, were two people
from the Simonsen Vogt Wiik law office, and three others I am not
quite sure who were. Økokrim had proposed to present two witnesses
from The Motion Picture Association, but this was rejected because
they did not speak Norwegian and it was a bit late to bring in a
translator, but perhaps the two from the MPA were present anyway. All
seven appeared to know each other. Good to see the case is taken
seriously.&lt;/p&gt;

&lt;p&gt;If you, like me, believe the courts should be involved before a DNS
domain is hijacked by the government, or you believe the Popcorn Time
technology has a lot of useful and legal applications, I suggest you
too &lt;a href=&quot;http://www.nuug.no/dns-beslag-donasjon.shtml&quot;&gt;donate to
the NUUG defense fund&lt;/a&gt;. Both Bitcoin and bank transfer are
available. If NUUG gets more than we need for the legal action (very
unlikely), the rest will be spent promoting free software, open
standards and unix-like operating systems in Norway, so no matter what
happens the money will be put to good use.&lt;/p&gt;

&lt;p&gt;If you want to learn more about the case, I recommend you check out
&lt;a href=&quot;https://www.nuug.no/news/tags/dns-domenebeslag/&quot;&gt;the blog
posts from NUUG covering the case&lt;/a&gt;. They cover the legal arguments
on both sides.&lt;/p&gt;
</description>
</item>

<item>
<title>Nasjonalbiblioteket ends its illegal use of Google Forms</title>
<link>http://people.skolelinux.org/pere/blog/Nasjonalbiblioteket_avslutter_sin_ulovlige_bruk_av_Google_Skjemaer.html</link>
<guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Nasjonalbiblioteket_avslutter_sin_ulovlige_bruk_av_Google_Skjemaer.html</guid>
<pubDate>Thu, 12 Jan 2017 09:40:00 +0100</pubDate>
<description>&lt;p&gt;Today I received some really good news. The background is that before
Christmas, Nasjonalbiblioteket (the National Library of Norway) arranged
&lt;a href=&quot;http://www.nb.no/Bibliotekutvikling/Kunnskapsorganisering/Nasjonalt-verksregister/Seminar-om-verksregister&quot;&gt;a
seminar on its excellent initiative «verksregister» (the works register)&lt;/a&gt;. The only
way to sign up for this seminar was to send personal data
to Google via Google Forms. I found this a dubious practice,
as it should be possible to attend seminars arranged by the public sector
without having to share one's interests, position and other
personal data with Google. I therefore requested access via
&lt;a href=&quot;https://www.mimesbronn.no/&quot;&gt;Mimes brønn&lt;/a&gt; to
&lt;a href=&quot;https://www.mimesbronn.no/request/personopplysninger_til_google_sk&quot;&gt;the agreements
and assessments Nasjonalbiblioteket had made around this&lt;/a&gt;.
The Personal Data Act (personopplysningsloven) sets clear requirements for what must be in
place before one can ask third parties, especially abroad, to process
personal data on one's behalf, so thorough documentation ought to
exist before something like this can be legal. Two lawyers at
Nasjonalbiblioteket initially thought this was perfectly fine, and that Google's
standard agreement could be used as a data processing agreement. I found that
strange, but did not have the capacity to follow up the case until
two days ago.&lt;/p&gt;

&lt;p&gt;The good news today, which came after I tipped Nasjonalbiblioteket
that Datatilsynet (the Norwegian Data Protection Authority) rejected Google's standard agreements as
data processing agreements in 2011, is that Nasjonalbiblioteket has decided
to stop using Google Forms/Apps and to enter into dialogue with DIFI
to find better ways to handle registrations in line with
the Personal Data Act. It is fantastic to see that it sometimes helps
to ask what on earth the public sector is up to.&lt;/p&gt;
</description>
</item>

<item>
<title>Does NAV violate its own privacy policy?</title>
<link>http://people.skolelinux.org/pere/blog/Bryter_NAV_sin_egen_personvernerkl_ring_.html</link>
<guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Bryter_NAV_sin_egen_personvernerkl_ring_.html</guid>
<pubDate>Wed, 11 Jan 2017 06:50:00 +0100</pubDate>
<description>&lt;p&gt;I read with interest a news story at
&lt;a href=&quot;http://www.digi.no/artikler/nav-avslorer-trygdemisbruk-ved-a-spore-ip-adresser/367394&quot;&gt;digi.no&lt;/a&gt;
and
&lt;a href=&quot;https://www.nrk.no/buskerud/trygdesvindlere-avslores-av-utenlandske-ip-adresser-1.13313461&quot;&gt;NRK&lt;/a&gt;
about how it is not only me, but also NAV (the Norwegian Labour and
Welfare Administration) that geolocates IP addresses, and that the IP
addresses of those submitting benefit status reports (meldekort) are
analysed to see whether the report is submitted from a foreign IP
address. Police prosecutor in Drammen, Hans Lyder Haare, is quoted by
NRK as saying «The two were, among other things, exposed by IP
addresses. One sees that the meldekort comes from abroad.»&lt;/p&gt;

&lt;p&gt;I think it is good that it becomes better known that IP addresses
are tied to individuals and that collected information is used to
locate people, also by actors here in Norway. I see it as
yet another argument for using
&lt;a href=&quot;https://www.torproject.org/&quot;&gt;Tor&lt;/a&gt; as much as possible to
make IP geolocation harder, so that one can protect one's
privacy and avoid sharing one's physical location with
unauthorised parties.&lt;/p&gt;

&lt;p&gt;But there is one thing that worries me about this news. I was
tipped (thanks #nuug) about
&lt;a href=&quot;https://www.nav.no/no/NAV+og+samfunn/Kontakt+NAV/Teknisk+brukerstotte/Snarveier/personvernerkl%C3%A6ring-for-arbeids-og-velferdsetaten&quot;&gt;NAV's
privacy policy&lt;/a&gt;, which under the heading «Privacy and statistics»
reads:&lt;/p&gt;

&lt;p&gt;&lt;blockquote&gt;

&lt;p&gt;«When you visit nav.no, you leave electronic traces. The traces
are created because your browser automatically sends a series of pieces of information to
NAV's server every time you request a page. This is
for example information about which browser and version you
use, and your internet address (IP address). For every page shown,
the following information is stored:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;which page you are viewing&lt;/li&gt;
&lt;li&gt;date and time&lt;/li&gt;
&lt;li&gt;which browser you use&lt;/li&gt;
&lt;li&gt;your IP address&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;None of the information will be used to identify
individuals. NAV uses this information to generate
aggregate statistics showing, among other things, which pages are most
popular. The statistics are a tool for improving our
services.»&lt;/p&gt;

&lt;/blockquote&gt;&lt;/p&gt;

&lt;p&gt;I cannot quite see how analysis of visitors'
IP addresses, to see who submits meldekort via the web from an
IP address abroad, can be done without conflicting with the claim that
«none of the information will be used to identify
individuals». It therefore seems to me that NAV is violating its
own privacy policy, which
&lt;a href=&quot;http://people.skolelinux.org/pere/blog/Er_lover_brutt_n_r_personvernpolicy_ikke_stemmer_med_praksis_.html&quot;&gt;Datatilsynet
told me at the start of December is probably a breach of
the Personal Data Act&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;In addition, the privacy policy is quite misleading in that
NAV's web pages not only supply NAV with personal data, but also
ask the user's browser to contact five other servers
(script.hotjar.com, static.hotjar.com, vars.hotjar.com,
www.google-analytics.com and www.googletagmanager.com), so that
personal data is made available to the companies Hotjar and
Google, and to anyone who can listen to the traffic along the way (such as FRA, GCHQ and
NSA). I also cannot see how such spreading of
personal data can be in line with the requirements of
the Personal Data Act, or with NAV's privacy policy.&lt;/p&gt;

&lt;p&gt;Perhaps NAV should take a close look at its privacy policy? Or
perhaps Datatilsynet should?&lt;/p&gt;
</description>
</item>

508 <item>
509 <title>Where did that package go? &amp;mdash; geolocated IP traceroute</title>
510 <link>http://people.skolelinux.org/pere/blog/Where_did_that_package_go___mdash__geolocated_IP_traceroute.html</link>
511 <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Where_did_that_package_go___mdash__geolocated_IP_traceroute.html</guid>
512 <pubDate>Mon, 9 Jan 2017 12:20:00 +0100</pubDate>
513 <description>&lt;p&gt;Did you ever wonder where the web trafic really flow to reach the
514 web servers, and who own the network equipment it is flowing through?
515 It is possible to get a glimpse of this from using traceroute, but it
516 is hard to find all the details. Many years ago, I wrote a system to
517 map the Norwegian Internet (trying to figure out if our plans for a
518 network game service would get low enough latency, and who we needed
519 to talk to about setting up game servers close to the users. Back
520 then I used traceroute output from many locations (I asked my friends
521 to run a script and send me their traceroute output) to create the
522 graph and the map. The output from traceroute typically look like
523 this:
524
525 &lt;p&gt;&lt;pre&gt;
526 traceroute to www.stortinget.no (85.88.67.10), 30 hops max, 60 byte packets
527 1 uio-gw10.uio.no (129.240.202.1) 0.447 ms 0.486 ms 0.621 ms
528 2 uio-gw8.uio.no (129.240.24.229) 0.467 ms 0.578 ms 0.675 ms
529 3 oslo-gw1.uninett.no (128.39.65.17) 0.385 ms 0.373 ms 0.358 ms
530 4 te3-1-2.br1.fn3.as2116.net (193.156.90.3) 1.174 ms 1.172 ms 1.153 ms
531 5 he16-1-1.cr1.san110.as2116.net (195.0.244.234) 2.627 ms he16-1-1.cr2.oslosda310.as2116.net (195.0.244.48) 3.172 ms he16-1-1.cr1.san110.as2116.net (195.0.244.234) 2.857 ms
532 6 ae1.ar8.oslosda310.as2116.net (195.0.242.39) 0.662 ms 0.637 ms ae0.ar8.oslosda310.as2116.net (195.0.242.23) 0.622 ms
533 7 89.191.10.146 (89.191.10.146) 0.931 ms 0.917 ms 0.955 ms
534 8 * * *
535 9 * * *
536 [...]
537 &lt;/pre&gt;&lt;/p&gt;
538
539 &lt;p&gt;This shows the DNS names and IP addresses of (at least some of) the
540 network equipment involved in getting the data traffic from me to the
541 www.stortinget.no server, and how long it took in milliseconds for a
542 packet to reach the equipment and return to me. Three packets are
543 sent, and sometimes the packets do not follow the same path. This
544 is shown for hop 5, where three different IP addresses replied to the
545 traceroute request.&lt;/p&gt;
546
547 &lt;p&gt;There are many ways to measure trace routes. Other good traceroute
548 implementations I use are traceroute (using ICMP packets), mtr (can do
549 ICMP, UDP and TCP) and scapy (a Python library with ICMP, UDP and TCP
550 traceroute and a lot of other capabilities). All of them are easily
551 available in &lt;a href=&quot;https://www.debian.org/&quot;&gt;Debian&lt;/a&gt;.&lt;/p&gt;
552
553 &lt;p&gt;This time around, I wanted to know the geographic location of the
554 different route points, to visualize how visiting a web page spreads
555 information about the visit to a lot of servers around the globe. The
556 background is that a web site today often will ask the browser to fetch
557 from many servers the parts (for example HTML, JSON, fonts,
558 JavaScript, CSS, video) required to display the content. This will
559 leak information about the visit to those controlling these servers
560 and to anyone able to peek at the data traffic passing by (like your ISP,
561 the ISP's backbone provider, FRA, GCHQ, NSA and others).&lt;/p&gt;
562
563 &lt;p&gt;Let's pick an example, the Norwegian parliament web site
564 www.stortinget.no. It is read daily by all members of parliament and
565 their staff, as well as political journalists, activists and many other
566 citizens of Norway. A visit to the www.stortinget.no web site will
567 ask your browser to contact 8 other servers: ajax.googleapis.com,
568 insights.hotjar.com, script.hotjar.com, static.hotjar.com,
569 stats.g.doubleclick.net, www.google-analytics.com,
570 www.googletagmanager.com and www.netigate.se. I extracted this by
571 asking &lt;a href=&quot;http://phantomjs.org/&quot;&gt;PhantomJS&lt;/a&gt; to visit the
572 Stortinget web page and tell me all the URLs PhantomJS downloaded to
573 render the page (in HAR format using
574 &lt;a href=&quot;https://github.com/ariya/phantomjs/blob/master/examples/netsniff.js&quot;&gt;their
575 netsniff example&lt;/a&gt;. I am very grateful to Gorm for showing me how
576 to do this). My goal is to visualize network traces to all IP
577 addresses behind these DNS names, to show where visitors' personal
578 information is spread when visiting the page.&lt;/p&gt;
579
580 &lt;p align=&quot;center&quot;&gt;&lt;a href=&quot;www.stortinget.no-geoip.kml&quot;&gt;&lt;img
581 src=&quot;http://people.skolelinux.org/pere/blog/images/2017-01-09-www.stortinget.no-geoip-small.png&quot; alt=&quot;map of combined traces for URLs used by www.stortinget.no using GeoIP&quot;/&gt;&lt;/a&gt;&lt;/p&gt;
582
583 &lt;p&gt;When I had a look around for options, I could not find any good
584 free software tools to do this, and decided I needed my own traceroute
585 wrapper outputting KML based on locations looked up using GeoIP. KML
586 is easy to work with and easy to generate, and understood by several
587 of the GIS tools I have available. I got good help from my NUUG
588 colleague Anders Einar with this, and the result can be seen in
589 &lt;a href=&quot;https://github.com/petterreinholdtsen/kmltraceroute&quot;&gt;my
590 kmltraceroute git repository&lt;/a&gt;. Unfortunately, the quality of the
591 free GeoIP databases I could find (and the for-pay databases my
592 friends had access to) is not up to the task. The IP addresses of
593 central Internet infrastructure would typically be placed near the
594 controlling company's main office, and not where the router is really
595 located, as you can see from &lt;a href=&quot;www.stortinget.no-geoip.kml&quot;&gt;the
596 KML file I created&lt;/a&gt; using the GeoLite City dataset from MaxMind.&lt;/p&gt;
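
&lt;p&gt;As an added example (not code from the kmltraceroute repository or any other part of this post), here is the core of the traceroute-to-KML idea in Python: parse the traceroute output shown above into hops, keeping the case where one hop answers from several routers, look each IP up in a geolocation table, and emit a KML Placemark per located router plus a LineString for the path. The GEO table is a constructed placeholder standing in for a GeoIP lookup, and the function names are assumptions.&lt;/p&gt;

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample, trimmed from the traceroute output shown in the post:
# hop 5 answers from two distinct routers, hop 8 does not answer at all.
SAMPLE_TRACE = """traceroute to www.stortinget.no (85.88.67.10), 30 hops max, 60 byte packets
 1  uio-gw10.uio.no (129.240.202.1)  0.447 ms  0.486 ms  0.621 ms
 5  he16-1-1.cr1.san110.as2116.net (195.0.244.234)  2.627 ms he16-1-1.cr2.oslosda310.as2116.net (195.0.244.48)  3.172 ms he16-1-1.cr1.san110.as2116.net (195.0.244.234)  2.857 ms
 8  * * *
"""

# Constructed placeholder for a GeoIP lookup, ip: (latitude, longitude).
# The coordinates are illustrative only, not values from any real database.
GEO = {
    "129.240.202.1": (59.94, 10.72),
    "195.0.244.234": (59.91, 10.75),
    "195.0.244.48": (59.91, 10.75),
}

HOST_RE = re.compile(r"(\S+) \(([\d.]+)\)")  # "name (ip)" pairs on a hop line

def parse_traceroute(text):
    """Return [(hop, [(name, ip), ...])]; an unanswered hop gives an empty list."""
    hops = []
    for line in filter(None, text.splitlines()[1:]):  # skip the header line
        routers = []
        for name, ip in HOST_RE.findall(line):
            if (name, ip) not in routers:  # hop 5 lists the same router twice
                routers.append((name, ip))
        hops.append((int(line.split()[0]), routers))
    return hops

def trace_to_kml(hops, geo):
    """Emit one Placemark per located router plus a LineString for the path."""
    kml = ET.Element("kml", xmlns="http://www.opengis.net/kml/2.2")
    doc = ET.SubElement(kml, "Document")
    path = []
    for hop, routers in hops:
        for name, ip in routers:
            if ip not in geo:
                continue  # unlocated router: leave it out rather than guess
            lat, lon = geo[ip]
            coord = "%.4f,%.4f,0" % (lon, lat)  # KML order is lon,lat,alt
            pm = ET.SubElement(doc, "Placemark")
            ET.SubElement(pm, "name").text = "%d %s (%s)" % (hop, name, ip)
            ET.SubElement(ET.SubElement(pm, "Point"), "coordinates").text = coord
            path.append(coord)
    line = ET.SubElement(ET.SubElement(doc, "Placemark"), "LineString")
    ET.SubElement(line, "coordinates").text = " ".join(path)
    return ET.tostring(kml, encoding="unicode")
```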
597
598 &lt;p align=&quot;center&quot;&gt;&lt;a href=&quot;http://people.skolelinux.org/pere/blog/images/2017-01-09-www.stortinget.no-scapy.svg&quot;&gt;&lt;img
599 src=&quot;http://people.skolelinux.org/pere/blog/images/2017-01-09-www.stortinget.no-scapy-small.png&quot; alt=&quot;scapy traceroute graph for URLs used by www.stortinget.no&quot;/&gt;&lt;/a&gt;&lt;/p&gt;
600
601 &lt;p&gt;I also had a look at the visual traceroute graph created by
602 &lt;a href=&quot;http://www.secdev.org/projects/scapy/&quot;&gt;the scapy project&lt;/a&gt;,
603 showing IP network ownership (aka AS owner) for the IP addresses in
604 question.
605 &lt;a href=&quot;http://people.skolelinux.org/pere/blog/images/2017-01-09-www.stortinget.no-scapy.svg&quot;&gt;The
606 graph displays a lot of useful information about the traceroute in SVG
607 format&lt;/a&gt;, and gives a good indication of who controls the network
608 equipment involved, but it does not include geolocation. This graph
609 makes it possible to see that the information is made available at least to
610 UNINETT, Catchcom, Stortinget, Nordunet, Google, Amazon, Telia, Level
611 3 Communications and NetDNA.&lt;/p&gt;
612
613 &lt;p align=&quot;center&quot;&gt;&lt;a href=&quot;https://geotraceroute.com/index.php?node=4&amp;host=www.stortinget.no&quot;&gt;&lt;img
614 src=&quot;http://people.skolelinux.org/pere/blog/images/2017-01-09-www.stortinget.no-geotraceroute-small.png&quot; alt=&quot;example geotraceroute view for www.stortinget.no&quot;/&gt;&lt;/a&gt;&lt;/p&gt;
615
616 &lt;p&gt;In the process, I came across the
617 &lt;a href=&quot;https://geotraceroute.com/&quot;&gt;web service GeoTraceroute&lt;/a&gt; by
618 Salim Gasmi. Its methodology of combining guesses based on DNS names,
619 various location databases and finally using latency times to rule out
620 candidate locations seemed to do a very good job of guessing the correct
621 geolocation. But it could only do one trace at a time, did not have
622 a sensor in Norway and did not make the geolocations easily available
623 for postprocessing. So I contacted the developer and asked if he
624 would be willing to share the code (he refused until he had time to
625 clean it up), but he was interested in providing the geolocations in a
626 machine readable format, and willing to set up a sensor in Norway. So
627 since yesterday, it is possible to run traces from Norway in this
628 service thanks to a sensor node set up by
629 &lt;a href=&quot;https://www.nuug.no/&quot;&gt;the NUUG association&lt;/a&gt;, and get the
630 trace in KML format for further processing.&lt;/p&gt;
631
632 &lt;p align=&quot;center&quot;&gt;&lt;a href=&quot;http://people.skolelinux.org/pere/blog/images/2017-01-09-www.stortinget.no-geotraceroute-kml-join.kml&quot;&gt;&lt;img
633 src=&quot;http://people.skolelinux.org/pere/blog/images/2017-01-09-www.stortinget.no-geotraceroute-kml-join.png&quot; alt=&quot;map of combined traces for URLs used by www.stortinget.no using geotraceroute&quot;/&gt;&lt;/a&gt;&lt;/p&gt;
634
635 &lt;p&gt;Here we can see that a lot of traffic passes through Sweden on its way to
636 Denmark, Germany, Holland and Ireland. Plenty of places where the
637 Snowden revelations confirmed that the traffic is read by various actors
638 without your best interest as their top priority.&lt;/p&gt;
639
640 &lt;p&gt;Combining KML files is trivial using a text editor, so I could loop
641 over all the hosts behind the URLs imported by www.stortinget.no,
642 ask for the KML file from GeoTraceroute, and create a combined KML
643 file with all the traces (unfortunately only one of the IP addresses
644 behind each DNS name is traced this time. To get them all, one would
645 have to request traces from GeoTraceroute using IP addresses instead of
646 DNS names). That might be the next step in this project.&lt;/p&gt;
647
648 &lt;p&gt;Armed with these tools, I find it a lot easier to figure out where
649 the IP traffic moves and who controls the boxes involved in moving it.
650 And every time the link crosses for example the Swedish border, we can
651 be sure Swedish Signals Intelligence (FRA) is listening, as GCHQ does in
652 Britain and the NSA in the USA and on cables around the globe. (Hm, what should
653 we tell them? :) Keep that in mind if you ever send anything
654 unencrypted over the Internet.&lt;/p&gt;
655
656 &lt;p&gt;PS: KML files are drawn using
657 &lt;a href=&quot;http://ivanrublev.me/kml/&quot;&gt;the KML viewer from Ivan
658 Rublev&lt;/a&gt;, as it was less cluttered than the local Linux application
659 Marble. There are heaps of other options too.&lt;/p&gt;
660
661 &lt;p&gt;As usual, if you use Bitcoin and want to show your support of my
662 activities, please send Bitcoin donations to my address
663 &lt;b&gt;&lt;a href=&quot;bitcoin:15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b&amp;label=PetterReinholdtsenBlog&quot;&gt;15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b&lt;/a&gt;&lt;/b&gt;.&lt;/p&gt;
664 </description>
665 </item>
666
667 </channel>
668 </rss>