X-Git-Url: http://pere.pagekite.me/gitweb/homepage.git/blobdiff_plain/4d34951bf7d9e561941571c2abb79ac9b4035705..53798080ccfe7c0d9ad356a83ded5b219b186c9b:/blog/index.rss diff --git a/blog/index.rss b/blog/index.rss index 70ab4d9344..0a657f587a 100644 --- a/blog/index.rss +++ b/blog/index.rss @@ -7,903 +7,664 @@ - Hvordan enkelt laste ned filmer fra NRK med den "nye" løsningen - http://people.skolelinux.org/pere/blog/Hvordan_enkelt_laste_ned_filmer_fra_NRK_med_den__nye__l_sningen.html - http://people.skolelinux.org/pere/blog/Hvordan_enkelt_laste_ned_filmer_fra_NRK_med_den__nye__l_sningen.html - Mon, 16 Jun 2014 19:20:00 +0200 - <p>Jeg har fortsatt behov for å kunne laste ned innslag fra NRKs -nettsted av og til for å se senere når jeg ikke er på nett, men -<a href="http://people.skolelinux.org/pere/blog/Hvordan_enkelt_laste_ned_filmer_fra_NRK.html">min -oppskrift fra 2011</a> sluttet å fungere da NRK byttet -avspillermetode. I dag fikk jeg endelig lett etter oppdatert løsning, -og jeg er veldig glad for å fortelle at den enkleste måten å laste ned -innslag er å bruke siste versjon 2014.06.07 av youtube-dl. Støtten i -youtube-dl <a href="https://github.com/rg3/youtube-dl/issues/2980">kom -inn for 23 dager siden</a> og -<a href="http://packages.qa.debian.org/y/youtube-dl.html">versjonen i -Debian</a> fungerer fint også som backport til Debian Wheezy. Det er -et lite problem, det håndterer kun URLer med små bokstaver, men hvis -en har en URL med store bokstaver kan en bare gjøre alle store om til -små bokstaver for å få youtube-dl til å laste ned. Rapporterte -problemet nettopp til utviklerne, og antar de får fikset det -snart.</p> - -<p>Dermed er alt klart til å laste ned dokumentarene om -<a href="http://tv.nrk.no/program/KOID23005014/usas-hemmelige-avlytting">USAs -hemmelige avlytting</a> og -<a href="http://tv.nrk.no/program/KOID23005114/selskapene-bak-usas-avlytting">Selskapene -bak USAs avlytting</a>, i tillegg til -<a href="http://tv.nrk.no/program/KOID20005814/et-moete-med-edward-snowden">intervjuet -med Edward Snowden gjort av den tyske tv-kanalen ARD</a>. Anbefaler -alle å se disse, sammen med -<a href="http://media.ccc.de/browse/congress/2013/30C3_-_5713_-_en_-_saal_2_-_201312301130_-_to_protect_and_infect_part_2_-_jacob.html">foredraget -til Jacob Appelbaum på siste CCC-konferanse</a>, for å forstå mer om -hvordan overvåkningen av borgerne brer om seg.</p> + Detecting NFS hangs on Linux without hanging yourself... + http://people.skolelinux.org/pere/blog/Detecting_NFS_hangs_on_Linux_without_hanging_yourself___.html + http://people.skolelinux.org/pere/blog/Detecting_NFS_hangs_on_Linux_without_hanging_yourself___.html + Thu, 9 Mar 2017 15:20:00 +0100 + <p>Over the years, administrating thousand of NFS mounting linux +computers at the time, I often needed a way to detect if the machine +was experiencing NFS hang. If you try to use <tt>df</tt> or look at a +file or directory affected by the hang, the process (and possibly the +shell) will hang too. So you want to be able to detect this without +risking the detection process getting stuck too. It has not been +obvious how to do this. When the hang has lasted a while, it is +possible to find messages like these in dmesg:</p> + +<p><blockquote> +nfs: server nfsserver not responding, still trying +<br>nfs: server nfsserver OK +</blockquote></p> + +<p>It is hard to know if the hang is still going on, and it is hard to +be sure looking in dmesg is going to work. If there are lots of other +messages in dmesg the lines might have rotated out of site before they +are noticed.</p> + +<p>While reading through the nfs client implementation in linux kernel +code, I came across some statistics that seem to give a way to detect +it. The om_timeouts sunrpc value in the kernel will increase every +time the above log entry is inserted into dmesg. And after digging a +bit further, I discovered that this value show up in +/proc/self/mountstats on Linux.</p> + +<p>The mountstats content seem to be shared between files using the +same file system context, so it is enough to check one of the +mountstats files to get the state of the mount point for the machine. +I assume this will not show lazy umounted NFS points, nor NFS mount +points in a different process context (ie with a different filesystem +view), but that does not worry me.</p> + +<p>The content for a NFS mount point look similar to this:</p> + +<p><blockquote><pre> +[...] +device /dev/mapper/Debian-var mounted on /var with fstype ext3 +device nfsserver:/mnt/nfsserver/home0 mounted on /mnt/nfsserver/home0 with fstype nfs statvers=1.1 + opts: rw,vers=3,rsize=65536,wsize=65536,namlen=255,acregmin=3,acregmax=60,acdirmin=30,acdirmax=60,soft,nolock,proto=tcp,timeo=600,retrans=2,sec=sys,mountaddr=129.240.3.145,mountvers=3,mountport=4048,mountproto=udp,local_lock=all + age: 7863311 + caps: caps=0x3fe7,wtmult=4096,dtsize=8192,bsize=0,namlen=255 + sec: flavor=1,pseudoflavor=1 + events: 61063112 732346265 1028140 35486205 16220064 8162542 761447191 71714012 37189 3891185 45561809 110486139 4850138 420353 15449177 296502 52736725 13523379 0 52182 9016896 1231 0 0 0 0 0 + bytes: 166253035039 219519120027 0 0 40783504807 185466229638 11677877 45561809 + RPC iostats version: 1.0 p/v: 100003/3 (nfs) + xprt: tcp 925 1 6810 0 0 111505412 111480497 109 2672418560317 0 248 53869103 22481820 + per-op statistics + NULL: 0 0 0 0 0 0 0 0 + GETATTR: 61063106 61063108 0 9621383060 6839064400 453650 77291321 78926132 + SETATTR: 463469 463470 0 92005440 66739536 63787 603235 687943 + LOOKUP: 17021657 17021657 0 3354097764 4013442928 57216 35125459 35566511 + ACCESS: 14281703 14290009 5 2318400592 1713803640 1709282 4865144 7130140 + READLINK: 125 125 0 20472 18620 0 1112 1118 + READ: 4214236 4214237 0 715608524 41328653212 89884 22622768 22806693 + WRITE: 8479010 8494376 22 187695798568 1356087148 178264904 51506907 231671771 + CREATE: 171708 171708 0 38084748 46702272 873 1041833 1050398 + MKDIR: 3680 3680 0 773980 993920 26 23990 24245 + SYMLINK: 903 903 0 233428 245488 6 5865 5917 + MKNOD: 80 80 0 20148 21760 0 299 304 + REMOVE: 429921 429921 0 79796004 61908192 3313 2710416 2741636 + RMDIR: 3367 3367 0 645112 484848 22 5782 6002 + RENAME: 466201 466201 0 130026184 121212260 7075 5935207 5961288 + LINK: 289155 289155 0 72775556 67083960 2199 2565060 2585579 + READDIR: 2933237 2933237 0 516506204 13973833412 10385 3190199 3297917 + READDIRPLUS: 1652839 1652839 0 298640972 6895997744 84735 14307895 14448937 + FSSTAT: 6144 6144 0 1010516 1032192 51 9654 10022 + FSINFO: 2 2 0 232 328 0 1 1 + PATHCONF: 1 1 0 116 140 0 0 0 + COMMIT: 0 0 0 0 0 0 0 0 + +device binfmt_misc mounted on /proc/sys/fs/binfmt_misc with fstype binfmt_misc +[...] +</pre></blockquote></p> + +<p>The key number to look at is the third number in the per-op list. +It is the number of NFS timeouts experiences per file system +operation. Here 22 write timeouts and 5 access timeouts. If these +numbers are increasing, I believe the machine is experiencing NFS +hang. Unfortunately the timeout value do not start to increase right +away. The NFS operations need to time out first, and this can take a +while. The exact timeout value depend on the setup. For example the +defaults for TCP and UDP mount points are quite different, and the +timeout value is affected by the soft, hard, timeo and retrans NFS +mount options.</p> + +<p>The only way I have been able to get working on Debian and RedHat +Enterprise Linux for getting the timeout count is to peek in /proc/. +But according to +<ahref="http://docs.oracle.com/cd/E19253-01/816-4555/netmonitor-12/index.html">Solaris +10 System Administration Guide: Network Services</a>, the 'nfsstat -c' +command can be used to get these timeout values. But this do not work +on Linux, as far as I can tell. I +<ahref="http://bugs.debian.org/857043">asked Debian about this</a>, +but have not seen any replies yet.</p> + +<p>Is there a better way to figure out if a Linux NFS client is +experiencing NFS hangs? Is there a way to detect which processes are +affected? Is there a way to get the NFS mount going quickly once the +network problem causing the NFS hang has been cleared? I would very +much welcome some clues, as we regularly run into NFS hangs.</p> - Free software car computer solution? - http://people.skolelinux.org/pere/blog/Free_software_car_computer_solution_.html - http://people.skolelinux.org/pere/blog/Free_software_car_computer_solution_.html - Thu, 29 May 2014 18:45:00 +0200 - <p>Dear lazyweb. I'm planning to set up a small Raspberry Pi computer -in my car, connected to -<a href="http://www.dx.com/p/400a-4-0-tft-lcd-digital-monitor-for-vehicle-parking-reverse-camera-1440x272-12v-dc-57776">a -small screen</a> next to the rear mirror. I plan to hook it up with a -GPS and a USB wifi card too. The idea is to get my own -"<a href="http://en.wikipedia.org/wiki/Carputer">Carputer</a>". But I -wonder if someone already created a good free software solution for -such car computer.</p> - -<p>This is my current wish list for such system:</p> - -<ul> - - <li>Work on Raspberry Pi.</li> - - <li>Show current speed limit based on location, and warn if going too - fast (for example using color codes yellow and red on the screen, - or make a sound). This could be done either using either data from - <a href="http://www.openstreetmap.org/">Openstreetmap</a> or OCR - info gathered from a dashboard camera.</li> - - <li>Track automatic toll road passes and their cost, show total spent - and make it possible to calculate toll costs for planned - route.</li> - - <li>Collect GPX tracks for use with OpenStreetMap.</li> - - <li>Automatically detect and use any wireless connection to connect - to home server. Try IP over DNS - (<a href="http://dev.kryo.se/iodine/">iodine</a>) or ICMP - (<a href="http://code.gerade.org/hans/">Hans</a>) if direct - connection do not work.</li> - - <li>Set up mesh network to talk to other cars with the same system, - or some standard car mesh protocol.</li> - - <li>Warn when approaching speed cameras and speed camera ranges - (speed calculated between two cameras).</li> - - <li>Suport dashboard/front facing camera to discover speed limits and - run OCR to track registration number of passing cars.</li> - -</ul> - -<p>If you know of any free software car computer system supporting -some or all of these features, please let me know.</p> + How does it feel to be wiretapped, when you should be doing the wiretapping... + http://people.skolelinux.org/pere/blog/How_does_it_feel_to_be_wiretapped__when_you_should_be_doing_the_wiretapping___.html + http://people.skolelinux.org/pere/blog/How_does_it_feel_to_be_wiretapped__when_you_should_be_doing_the_wiretapping___.html + Wed, 8 Mar 2017 11:50:00 +0100 + <p>So the new president in the United States of America claim to be +surprised to discover that he was wiretapped during the election +before he was elected president. He even claim this must be illegal. +Well, doh, if it is one thing the confirmations from Snowden +documented, it is that the entire population in USA is wiretapped, one +way or another. Of course the president candidates were wiretapped, +alongside the senators, judges and the rest of the people in USA.</p> + +<p>Next, the Federal Bureau of Investigation ask the Department of +Justice to go public rejecting the claims that Donald Trump was +wiretapped illegally. I fail to see the relevance, given that I am +sure the surveillance industry in USA believe they have all the legal +backing they need to conduct mass surveillance on the entire +world.</p> + +<p>There is even the director of the FBI stating that he never saw an +order requesting wiretapping of Donald Trump. That is not very +surprising, given how the FISA court work, with all its activity being +secret. Perhaps he only heard about it?</p> + +<p>What I find most sad in this story is how Norwegian journalists +present it. In a news reports the other day in the radio from the +Norwegian National broadcasting Company (NRK), I heard the journalist +claim that 'the FBI denies any wiretapping', while the reality is that +'the FBI denies any illegal wiretapping'. There is a fundamental and +important difference, and it make me sad that the journalists are +unable to grasp it.</p> + +<p><strong>Update 2017-03-13:</strong> Look like +<a href="https://theintercept.com/2017/03/13/rand-paul-is-right-nsa-routinely-monitors-americans-communications-without-warrants/">The +Intercept report that US Senator Rand Paul confirm what I state above</a>.</p> - Half the Coverity issues in Gnash fixed in the next release - http://people.skolelinux.org/pere/blog/Half_the_Coverity_issues_in_Gnash_fixed_in_the_next_release.html - http://people.skolelinux.org/pere/blog/Half_the_Coverity_issues_in_Gnash_fixed_in_the_next_release.html - Tue, 29 Apr 2014 14:20:00 +0200 - <p>I've been following <a href="http://www.getgnash.org/">the Gnash -project</a> for quite a while now. It is a free software -implementation of Adobe Flash, both a standalone player and a browser -plugin. Gnash implement support for the AVM1 format (and not the -newer AVM2 format - see -<a href="http://lightspark.github.io/">Lightspark</a> for that one), -allowing several flash based sites to work. Thanks to the friendly -developers at Youtube, it also work with Youtube videos, because the -Javascript code at Youtube detect Gnash and serve a AVM1 player to -those users. :) Would be great if someone found time to implement AVM2 -support, but it has not happened yet. If you install both Lightspark -and Gnash, Lightspark will invoke Gnash if it find a AVM1 flash file, -so you can get both handled as free software. Unfortunately, -Lightspark so far only implement a small subset of AVM2, and many -sites do not work yet.</p> - -<p>A few months ago, I started looking at -<a href="http://scan.coverity.com/">Coverity</a>, the static source -checker used to find heaps and heaps of bugs in free software (thanks -to the donation of a scanning service to free software projects by the -company developing this non-free code checker), and Gnash was one of -the projects I decided to check out. Coverity is able to find lock -errors, memory errors, dead code and more. A few days ago they even -extended it to also be able to find the heartbleed bug in OpenSSL. -There are heaps of checks being done on the instrumented code, and the -amount of bogus warnings is quite low compared to the other static -code checkers I have tested over the years.</p> - -<p>Since a few weeks ago, I've been working with the other Gnash -developers squashing bugs discovered by Coverity. I was quite happy -today when I checked the current status and saw that of the 777 issues -detected so far, 374 are marked as fixed. This make me confident that -the next Gnash release will be more stable and more dependable than -the previous one. Most of the reported issues were and are in the -test suite, but it also found a few in the rest of the code.</p> - -<p>If you want to help out, you find us on -<a href="https://lists.gnu.org/mailman/listinfo/gnash-dev">the -gnash-dev mailing list</a> and on -<a href="irc://irc.freenode.net/#gnash">the #gnash channel on -irc.freenode.net IRC server</a>.</p> + Norwegian Bokmål translation of The Debian Administrator's Handbook complete, proofreading in progress + http://people.skolelinux.org/pere/blog/Norwegian_Bokm_l_translation_of_The_Debian_Administrator_s_Handbook_complete__proofreading_in_progress.html + http://people.skolelinux.org/pere/blog/Norwegian_Bokm_l_translation_of_The_Debian_Administrator_s_Handbook_complete__proofreading_in_progress.html + Fri, 3 Mar 2017 14:50:00 +0100 + <p>For almost a year now, we have been working on making a Norwegian +Bokmål edition of <a href="https://debian-handbook.info/">The Debian +Administrator's Handbook</a>. Now, thanks to the tireless effort of +Ole-Erik, Ingrid and Andreas, the initial translation is complete, and +we are working on the proof reading to ensure consistent language and +use of correct computer science terms. The plan is to make the book +available on paper, as well as in electronic form. For that to +happen, the proof reading must be completed and all the figures need +to be translated. If you want to help out, get in touch.</p> + +<p><a href="http://people.skolelinux.org/pere/debian-handbook/debian-handbook-nb-NO.pdf">A + +fresh PDF edition</a> in A4 format (the final book will have smaller +pages) of the book created every morning is available for +proofreading. If you find any errors, please +<a href="https://hosted.weblate.org/projects/debian-handbook/">visit +Weblate and correct the error</a>. The +<a href="http://l.github.io/debian-handbook/stat/nb-NO/index.html">state +of the translation including figures</a> is a useful source for those +provide Norwegian bokmål screen shots and figures.</p> - Install hardware dependent packages using tasksel (Isenkram 0.7) - http://people.skolelinux.org/pere/blog/Install_hardware_dependent_packages_using_tasksel__Isenkram_0_7_.html - http://people.skolelinux.org/pere/blog/Install_hardware_dependent_packages_using_tasksel__Isenkram_0_7_.html - Wed, 23 Apr 2014 14:50:00 +0200 - <p>It would be nice if it was easier in Debian to get all the hardware -related packages relevant for the computer installed automatically. -So I implemented one, using -<a href="http://packages.qa.debian.org/isenkram">my Isenkram -package</a>. To use it, install the tasksel and isenkram packages and -run tasksel as user root. You should be presented with a new option, -"Hardware specific packages (autodetected by isenkram)". When you -select it, tasksel will install the packages isenkram claim is fit for -the current hardware, hot pluggable or not.<p> - -<p>The implementation is in two files, one is the tasksel menu entry -description, and the other is the script used to extract the list of -packages to install. The first part is in -<tt>/usr/share/tasksel/descs/isenkram.desc</tt> and look like -this:</p> - -<p><blockquote><pre> -Task: isenkram -Section: hardware -Description: Hardware specific packages (autodetected by isenkram) - Based on the detected hardware various hardware specific packages are - proposed. -Test-new-install: mark show -Relevance: 8 -Packages: for-current-hardware -</pre></blockquote></p> - -<p>The second part is in -<tt>/usr/lib/tasksel/packages/for-current-hardware</tt> and look like -this:</p> - -<p><blockquote><pre> -#!/bin/sh -# -( - isenkram-lookup - isenkram-autoinstall-firmware -l -) | sort -u -</pre></blockquote></p> - -<p>All in all, a very short and simple implementation making it -trivial to install the hardware dependent package we all may want to -have installed on our machines. I've not been able to find a way to -get tasksel to tell you exactly which packages it plan to install -before doing the installation. So if you are curious or careful, -check the output from the isenkram-* command line tools first.</p> - -<p>The information about which packages are handling which hardware is -fetched either from the isenkram package itself in -/usr/share/isenkram/, from git.debian.org or from the APT package -database (using the Modaliases header). The APT package database -parsing have caused a nasty resource leak in the isenkram daemon (bugs -<a href="http://bugs.debian.org/719837">#719837</a> and -<a href="http://bugs.debian.org/730704">#730704</a>). The cause is in -the python-apt code (bug -<a href="http://bugs.debian.org/745487">#745487</a>), but using a -workaround I was able to get rid of the file descriptor leak and -reduce the memory leak from ~30 MiB per hardware detection down to -around 2 MiB per hardware detection. It should make the desktop -daemon a lot more useful. The fix is in version 0.7 uploaded to -unstable today.</p> - -<p>I believe the current way of mapping hardware to packages in -Isenkram is is a good draft, but in the future I expect isenkram to -use the AppStream data source for this. A proposal for getting proper -AppStream support into Debian is floating around as -<a href="https://wiki.debian.org/DEP-11">DEP-11</a>, and -<a href="https://wiki.debian.org/SummerOfCode2014/Projects#SummerOfCode2014.2FProjects.2FAppStreamDEP11Implementation.AppStream.2FDEP-11_for_the_Debian_Archive">GSoC -project</a> will take place this summer to improve the situation. I -look forward to seeing the result, and welcome patches for isenkram to -start using the information when it is ready.</p> - -<p>If you want your package to map to some specific hardware, either -add a "Xb-Modaliases" header to your control file like I did in -<a href="http://packages.qa.debian.org/pymissile">the pymissile -package</a> or submit a bug report with the details to the isenkram -package. See also -<a href="http://people.skolelinux.org/pere/blog/tags/isenkram/">all my -blog posts tagged isenkram</a> for details on the notation. I expect -the information will be migrated to AppStream eventually, but for the -moment I got no better place to store it.</p> + Unlimited randomness with the ChaosKey? + http://people.skolelinux.org/pere/blog/Unlimited_randomness_with_the_ChaosKey_.html + http://people.skolelinux.org/pere/blog/Unlimited_randomness_with_the_ChaosKey_.html + Wed, 1 Mar 2017 20:50:00 +0100 + <p>A few days ago I ordered a small batch of +<a href="http://altusmetrum.org/ChaosKey/">the ChaosKey</a>, a small +USB dongle for generating entropy created by Bdale Garbee and Keith +Packard. Yesterday it arrived, and I am very happy to report that it +work great! According to its designers, to get it to work out of the +box, you need the Linux kernel version 4.1 or later. I tested on a +Debian Stretch machine (kernel version 4.9), and there it worked just +fine, increasing the available entropy very quickly. I wrote a small +test oneliner to test. It first print the current entropy level, +drain /dev/random, and then print the entropy level for five seconds. +Here is the situation without the ChaosKey inserted:</p> + +<blockquote><pre> +% cat /proc/sys/kernel/random/entropy_avail; \ + dd bs=1M if=/dev/random of=/dev/null count=1; \ + for n in $(seq 1 5); do \ + cat /proc/sys/kernel/random/entropy_avail; \ + sleep 1; \ + done +300 +0+1 oppføringer inn +0+1 oppføringer ut +28 byte kopiert, 0,000264565 s, 106 kB/s +4 +8 +12 +17 +21 +% +</pre></blockquote> + +<p>The entropy level increases by 3-4 every second. In such case any +application requiring random bits (like a HTTPS enabled web server) +will halt and wait for more entrpy. And here is the situation with +the ChaosKey inserted:</p> + +<blockquote><pre> +% cat /proc/sys/kernel/random/entropy_avail; \ + dd bs=1M if=/dev/random of=/dev/null count=1; \ + for n in $(seq 1 5); do \ + cat /proc/sys/kernel/random/entropy_avail; \ + sleep 1; \ + done +1079 +0+1 oppføringer inn +0+1 oppføringer ut +104 byte kopiert, 0,000487647 s, 213 kB/s +433 +1028 +1031 +1035 +1038 +% +</pre></blockquote> + +<p>Quite the difference. :) I bought a few more than I need, in case +someone want to buy one here in Norway. :)</p> + +<p>Update: The dongle was presented at Debconf last year. You might +find <a href="https://debconf16.debconf.org/talks/94/">the talk +recording illuminating</a>. It explains exactly what the source of +randomness is, if you are unable to spot it from the schema drawing +available from the ChaosKey web site linked at the start of this blog +post.</p> - FreedomBox milestone - all packages now in Debian Sid - http://people.skolelinux.org/pere/blog/FreedomBox_milestone___all_packages_now_in_Debian_Sid.html - http://people.skolelinux.org/pere/blog/FreedomBox_milestone___all_packages_now_in_Debian_Sid.html - Tue, 15 Apr 2014 22:10:00 +0200 - <p>The <a href="https://wiki.debian.org/FreedomBox">Freedombox -project</a> is working on providing the software and hardware to make -it easy for non-technical people to host their data and communication -at home, and being able to communicate with their friends and family -encrypted and away from prying eyes. It is still going strong, and -today a major mile stone was reached.</p> - -<p>Today, the last of the packages currently used by the project to -created the system images were accepted into Debian Unstable. It was -the freedombox-setup package, which is used to configure the images -during build and on the first boot. Now all one need to get going is -the build code from the freedom-maker git repository and packages from -Debian. And once the freedombox-setup package enter testing, we can -build everything directly from Debian. :)</p> - -<p>Some key packages used by Freedombox are -<a href="http://packages.qa.debian.org/freedombox-setup">freedombox-setup</a>, -<a href="http://packages.qa.debian.org/plinth">plinth</a>, -<a href="http://packages.qa.debian.org/pagekite">pagekite</a>, -<a href="http://packages.qa.debian.org/tor">tor</a>, -<a href="http://packages.qa.debian.org/privoxy">privoxy</a>, -<a href="http://packages.qa.debian.org/owncloud">owncloud</a> and -<a href="http://packages.qa.debian.org/dnsmasq">dnsmasq</a>. There -are plans to integrate more packages into the setup. User -documentation is maintained on the Debian wiki. Please -<a href="https://wiki.debian.org/FreedomBox/Manual/Jessie">check out -the manual</a> and help us improve it.</p> - -<p>To test for yourself and create boot images with the FreedomBox -setup, run this on a Debian machine using a user with sudo rights to -become root:</p> - -<p><pre> -sudo apt-get install git vmdebootstrap mercurial python-docutils \ - mktorrent extlinux virtualbox qemu-user-static binfmt-support \ - u-boot-tools -git clone http://anonscm.debian.org/git/freedombox/freedom-maker.git \ - freedom-maker -make -C freedom-maker dreamplug-image raspberry-image virtualbox-image -</pre></p> - -<p>Root access is needed to run debootstrap and mount loopback -devices. See the README in the freedom-maker git repo for more -details on the build. If you do not want all three images, trim the -make line. Note that the virtualbox-image target is not really -virtualbox specific. It create a x86 image usable in kvm, qemu, -vmware and any other x86 virtual machine environment. You might need -the version of vmdebootstrap in Jessie to get the build working, as it -include fixes for a race condition with kpartx.</p> - -<p>If you instead want to install using a Debian CD and the preseed -method, boot a Debian Wheezy ISO and use this boot argument to load -the preseed values:</p> - -<p><pre> -url=<a href="http://www.reinholdtsen.name/freedombox/preseed-jessie.dat">http://www.reinholdtsen.name/freedombox/preseed-jessie.dat</a> -</pre></p> - -<p>I have not tested it myself the last few weeks, so I do not know if -it still work.</p> - -<p>If you wonder how to help, one task you could look at is using -systemd as the boot system. It will become the default for Linux in -Jessie, so we need to make sure it is usable on the Freedombox. I did -a simple test a few weeks ago, and noticed dnsmasq failed to start -during boot when using systemd. I suspect there are other problems -too. :) To detect problems, there is a test suite included, which can -be run from the plinth web interface.</p> - -<p>Give it a go and let us know how it goes on the mailing list, and help -us get the new release published. :) Please join us on -<a href="irc://irc.debian.org:6667/%23freedombox">IRC (#freedombox on -irc.debian.org)</a> and -<a href="http://lists.alioth.debian.org/mailman/listinfo/freedombox-discuss">the -mailing list</a> if you want to help make this vision come true.</p> + Detect OOXML files with undefined behaviour? + http://people.skolelinux.org/pere/blog/Detect_OOXML_files_with_undefined_behaviour_.html + http://people.skolelinux.org/pere/blog/Detect_OOXML_files_with_undefined_behaviour_.html + Tue, 21 Feb 2017 00:20:00 +0100 + <p>I just noticed +<a href="http://www.arkivrad.no/aktuelt/riksarkivarens-forskrift-pa-horing">the +new Norwegian proposal for archiving rules in the goverment</a> list +<a href="http://www.ecma-international.org/publications/standards/Ecma-376.htm">ECMA-376</a> +/ ISO/IEC 29500 (aka OOXML) as valid formats to put in long term +storage. Luckily such files will only be accepted based on +pre-approval from the National Archive. Allowing OOXML files to be +used for long term storage might seem like a good idea as long as we +forget that there are plenty of ways for a "valid" OOXML document to +have content with no defined interpretation in the standard, which +lead to a question and an idea.</p> + +<p>Is there any tool to detect if a OOXML document depend on such +undefined behaviour? It would be useful for the National Archive (and +anyone else interested in verifying that a document is well defined) +to have such tool available when considering to approve the use of +OOXML. I'm aware of the +<a href="https://github.com/arlm/officeotron/">officeotron OOXML +validator</a>, but do not know how complete it is nor if it will +report use of undefined behaviour. Are there other similar tools +available? Please send me an email if you know of any such tool.</p> - Språkkoder for POSIX locale i Norge - http://people.skolelinux.org/pere/blog/Spr_kkoder_for_POSIX_locale_i_Norge.html - http://people.skolelinux.org/pere/blog/Spr_kkoder_for_POSIX_locale_i_Norge.html - Fri, 11 Apr 2014 21:30:00 +0200 - <p>For 12 år siden, skrev jeg et lite notat om -<a href="http://i18n.skolelinux.no/localekoder.txt">bruk av språkkoder -i Norge</a>. Jeg ble nettopp minnet på dette da jeg fikk spørsmål om -notatet fortsatt var aktuelt, og tenkte det var greit å repetere hva -som fortsatt gjelder. Det jeg skrev da er fortsatt like aktuelt.</p> - -<p>Når en velger språk i programmer på unix, så velger en blant mange -språkkoder. For språk i Norge anbefales følgende språkkoder (anbefalt -locale i parantes):</p> - -<p><dl> -<dt>nb (nb_NO)</dt><dd>Bokmål i Norge</dd> -<dt>nn (nn_NO)</dt><dd>Nynorsk i Norge</dd> -<dt>se (se_NO)</dt><dd>Nordsamisk i Norge</dd> -</dl></p> - -<p>Alle programmer som bruker andre koder bør endres.</p> - -<p>Språkkoden bør brukes når .po-filer navngis og installeres. Dette -er ikke det samme som locale-koden. For Norsk Bokmål, så bør filene -være navngitt nb.po, mens locale (LANG) bør være nb_NO.</p> - -<p>Hvis vi ikke får standardisert de kodene i alle programmene med -norske oversettelser, så er det umulig å gi LANG-variablen ett innhold -som fungerer for alle programmer.</p> - -<p>Språkkodene er de offisielle kodene fra ISO 639, og bruken av dem i -forbindelse med POSIX localer er standardisert i RFC 3066 og ISO -15897. Denne anbefalingen er i tråd med de angitte standardene.</p> - -<p>Følgende koder er eller har vært i bruk som locale-verdier for -"norske" språk. Disse bør unngås, og erstattes når de oppdages:</p> - -<p><table> -<tr><td>norwegian</td><td>-> nb_NO</td></tr> -<tr><td>bokmål </td><td>-> nb_NO</td></tr> -<tr><td>bokmal </td><td>-> nb_NO</td></tr> -<tr><td>nynorsk </td><td>-> nn_NO</td></tr> -<tr><td>no </td><td>-> nb_NO</td></tr> -<tr><td>no_NO </td><td>-> nb_NO</td></tr> -<tr><td>no_NY </td><td>-> nn_NO</td></tr> -<tr><td>sme_NO </td><td>-> se_NO</td></tr> -</table></p> - -<p>Merk at når det gjelder de samiske språkene, at se_NO i praksis -henviser til nordsamisk i Norge, mens f.eks. smj_NO henviser til -lulesamisk. Dette notatet er dog ikke ment å gi råd rundt samiske -språkkoder, der gjør -<a href="http://www.divvun.no/">Divvun-prosjektet</a> en bedre -jobb.</p> - -<p><strong>Referanser:</strong></p> - -<ul> - - <li><a href="http://www.rfc-base.org/rfc-3066.html">RFC 3066 - Tags - for the Identification of Languages</a> (Erstatter RFC 1766)</li> - - <li><a href="http://www.loc.gov/standards/iso639-2/langcodes.html">ISO - 639</a> - Codes for the Representation of Names of Languages</li> - - <li><a href="http://std.dkuug.dk/jtc1/sc22/wg20/docs/n897-14652w25.pdf">ISO - DTR 14652</a> - locale-standard Specification method for cultural - conventions</li> - - <li><a href="http://std.dkuug.dk/jtc1/sc22/wg20/docs/n610.pdf">ISO - 15897: Registration procedures for cultural elements (cultural - registry)</a>, - <a href="http://std.dkuug.dk/jtc1/sc22/wg20/docs/n849-15897wd6.pdf">(nytt - draft)</a></li> - - <li><a href="http://std.dkuug.dk/jtc1/sc22/wg20/">ISO/IEC - JTC1/SC22/WG20</a> - Gruppen for i18n-standardisering i ISO</li> - -<ul> + Ruling ignored our objections to the seizure of popcorn-time.no (#domstolkontroll) + http://people.skolelinux.org/pere/blog/Ruling_ignored_our_objections_to_the_seizure_of_popcorn_time_no___domstolkontroll_.html + http://people.skolelinux.org/pere/blog/Ruling_ignored_our_objections_to_the_seizure_of_popcorn_time_no___domstolkontroll_.html + Mon, 13 Feb 2017 21:30:00 +0100 + <p>A few days ago, we received the ruling from +<a href="http://people.skolelinux.org/pere/blog/A_day_in_court_challenging_seizure_of_popcorn_time_no_for__domstolkontroll.html">my +day in court</a>. The case in question is a challenge of the seizure +of the DNS domain popcorn-time.no. The ruling simply did not mention +most of our arguments, and seemed to take everything ØKOKRIM said at +face value, ignoring our demonstration and explanations. But it is +hard to tell for sure, as we still have not seen most of the documents +in the case and thus were unprepared and unable to contradict several +of the claims made in court by the opposition. We are considering an +appeal, but it is partly a question of funding, as it is costing us +quite a bit to pay for our lawyer. If you want to help, please +<a href="http://www.nuug.no/dns-beslag-donasjon.shtml">donate to the +NUUG defense fund</a>.</p> + +<p>The details of the case, as far as we know it, is available in +Norwegian from +<a href="https://www.nuug.no/news/tags/dns-domenebeslag/">the NUUG +blog</a>. This also include +<a href="https://www.nuug.no/news/Avslag_etter_rettslig_h_ring_om_DNS_beslaget___vurderer_veien_videre.shtml">the +ruling itself</a>.</p> - S3QL, a locally mounted cloud file system - nice free software - http://people.skolelinux.org/pere/blog/S3QL__a_locally_mounted_cloud_file_system___nice_free_software.html - http://people.skolelinux.org/pere/blog/S3QL__a_locally_mounted_cloud_file_system___nice_free_software.html - Wed, 9 Apr 2014 11:30:00 +0200 - <p>For a while now, I have been looking for a sensible offsite backup -solution for use at home. My requirements are simple, it must be -cheap and locally encrypted (in other words, I keep the encryption -keys, the storage provider do not have access to my private files). -One idea me and my friends had many years ago, before the cloud -storage providers showed up, was to use Google mail as storage, -writing a Linux block device storing blocks as emails in the mail -service provided by Google, and thus get heaps of free space. On top -of this one can add encryption, RAID and volume management to have -lots of (fairly slow, I admit that) cheap and encrypted storage. But -I never found time to implement such system. But the last few weeks I -have looked at a system called -<a href="https://bitbucket.org/nikratio/s3ql/">S3QL</a>, a locally -mounted network backed file system with the features I need.</p> - -<p>S3QL is a fuse file system with a local cache and cloud storage, -handling several different storage providers, any with Amazon S3, -Google Drive or OpenStack API. There are heaps of such storage -providers. S3QL can also use a local directory as storage, which -combined with sshfs allow for file storage on any ssh server. S3QL -include support for encryption, compression, de-duplication, snapshots -and immutable file systems, allowing me to mount the remote storage as -a local mount point, look at and use the files as if they were local, -while the content is stored in the cloud as well. This allow me to -have a backup that should survive fire. The file system can not be -shared between several machines at the same time, as only one can -mount it at the time, but any machine with the encryption key and -access to the storage service can mount it if it is unmounted.</p> - -<p>It is simple to use. I'm using it on Debian Wheezy, where the -package is included already. So to get started, run <tt>apt-get -install s3ql</tt>. Next, pick a storage provider. I ended up picking -Greenqloud, after reading their nice recipe on -<a href="https://greenqloud.zendesk.com/entries/44611757-How-To-Use-S3QL-to-mount-a-StorageQloud-bucket-on-Debian-Wheezy">how -to use S3QL with their Amazon S3 service</a>, because I trust the laws -in Iceland more than those in USA when it come to keeping my personal -data safe and private, and thus would rather spend money on a company -in Iceland. Another nice recipe is available from the article -<a href="http://www.admin-magazine.com/HPC/Articles/HPC-Cloud-Storage">S3QL -Filesystem for HPC Storage</a> by Jeff Layton in the HPC section of -Admin magazine. When the provider is picked, figure out how to get -the API key needed to connect to the storage API. With Greencloud, -the key did not show up until I had added payment details to my -account.</p> - -<p>Armed with the API access details, it is time to create the file -system. First, create a new bucket in the cloud. This bucket is the -file system storage area. I picked a bucket name reflecting the -machine that was going to store data there, but any name will do. -I'll refer to it as <tt>bucket-name</tt> below. In addition, one need -the API login and password, and a locally created password. Store it -all in ~root/.s3ql/authinfo2 like this: - -<p><blockquote><pre> -[s3c] -storage-url: s3c://s.greenqloud.com:443/bucket-name -backend-login: API-login -backend-password: API-password -fs-passphrase: local-password -</pre></blockquote></p> - -<p>I create my local passphrase using <tt>pwget 50</tt> or similar, -but any sensible way to create a fairly random password should do it. -Armed with these details, it is now time to run mkfs, entering the API -details and password to create it:</p> - -<p><blockquote><pre> -# mkdir -m 700 /var/lib/s3ql-cache -# mkfs.s3ql --cachedir /var/lib/s3ql-cache --authfile /root/.s3ql/authinfo2 \ - --ssl s3c://s.greenqloud.com:443/bucket-name -Enter backend login: -Enter backend password: -Before using S3QL, make sure to read the user's guide, especially -the 'Important Rules to Avoid Loosing Data' section. -Enter encryption password: -Confirm encryption password: -Generating random encryption key... -Creating metadata tables... -Dumping metadata... -..objects.. -..blocks.. -..inodes.. -..inode_blocks.. -..symlink_targets.. -..names.. -..contents.. -..ext_attributes.. -Compressing and uploading metadata... -Wrote 0.00 MB of compressed metadata. -# </pre></blockquote></p> - -<p>The next step is mounting the file system to make the storage available. - -<p><blockquote><pre> -# mount.s3ql --cachedir /var/lib/s3ql-cache --authfile /root/.s3ql/authinfo2 \ - --ssl --allow-root s3c://s.greenqloud.com:443/bucket-name /s3ql -Using 4 upload threads. -Downloading and decompressing metadata... -Reading metadata... -..objects.. -..blocks.. -..inodes.. -..inode_blocks.. -..symlink_targets.. -..names.. -..contents.. -..ext_attributes.. -Mounting filesystem... -# df -h /s3ql -Filesystem Size Used Avail Use% Mounted on -s3c://s.greenqloud.com:443/bucket-name 1.0T 0 1.0T 0% /s3ql -# -</pre></blockquote></p> - -<p>The file system is now ready for use. I use rsync to store my -backups in it, and as the metadata used by rsync is downloaded at -mount time, no network traffic (and storage cost) is triggered by -running rsync. To unmount, one should not use the normal umount -command, as this will not flush the cache to the cloud storage, but -instead running the umount.s3ql command like this: - -<p><blockquote><pre> -# umount.s3ql /s3ql -# -</pre></blockquote></p> - -<p>There is a fsck command available to check the file system and -correct any problems detected. This can be used if the local server -crashes while the file system is mounted, to reset the "already -mounted" flag. This is what it look like when processing a working -file system:</p> - -<p><blockquote><pre> -# fsck.s3ql --force --ssl s3c://s.greenqloud.com:443/bucket-name -Using cached metadata. -File system seems clean, checking anyway. -Checking DB integrity... -Creating temporary extra indices... -Checking lost+found... -Checking cached objects... -Checking names (refcounts)... -Checking contents (names)... -Checking contents (inodes)... -Checking contents (parent inodes)... -Checking objects (reference counts)... -Checking objects (backend)... -..processed 5000 objects so far.. -..processed 10000 objects so far.. -..processed 15000 objects so far.. -Checking objects (sizes)... -Checking blocks (referenced objects)... -Checking blocks (refcounts)... -Checking inode-block mapping (blocks)... -Checking inode-block mapping (inodes)... -Checking inodes (refcounts)... -Checking inodes (sizes)... -Checking extended attributes (names)... -Checking extended attributes (inodes)... -Checking symlinks (inodes)... -Checking directory reachability... -Checking unix conventions... -Checking referential integrity... -Dropping temporary indices... -Backing up old metadata... -Dumping metadata... -..objects.. -..blocks.. -..inodes.. -..inode_blocks.. -..symlink_targets.. -..names.. -..contents.. -..ext_attributes.. -Compressing and uploading metadata... -Wrote 0.89 MB of compressed metadata. -# -</pre></blockquote></p> - -<p>Thanks to the cache, working on files that fit in the cache is very -quick, about the same speed as local file access. Uploading large -amount of data is to me limited by the bandwidth out of and into my -house. Uploading 685 MiB with a 100 MiB cache gave me 305 kiB/s, -which is very close to my upload speed, and downloading the same -Debian installation ISO gave me 610 kiB/s, close to my download speed. -Both were measured using <tt>dd</tt>. So for me, the bottleneck is my -network, not the file system code. I do not know what a good cache -size would be, but suspect that the cache should e larger than your -working set.</p> - -<p>I mentioned that only one machine can mount the file system at the -time. If another machine try, it is told that the file system is -busy:</p> - -<p><blockquote><pre> -# mount.s3ql --cachedir /var/lib/s3ql-cache --authfile /root/.s3ql/authinfo2 \ - --ssl --allow-root s3c://s.greenqloud.com:443/bucket-name /s3ql -Using 8 upload threads. -Backend reports that fs is still mounted elsewhere, aborting. -# -</pre></blockquote></p> - -<p>The file content is uploaded when the cache is full, while the -metadata is uploaded once every 24 hour by default. To ensure the -file system content is flushed to the cloud, one can either umount the -file system, or ask S3QL to flush the cache and metadata using -s3qlctrl: - -<p><blockquote><pre> -# s3qlctrl upload-meta /s3ql -# s3qlctrl flushcache /s3ql -# -</pre></blockquote></p> - -<p>If you are curious about how much space your data uses in the -cloud, and how much compression and deduplication cut down on the -storage usage, you can use s3qlstat on the mounted file system to get -a report:</p> - -<p><blockquote><pre> -# s3qlstat /s3ql -Directory entries: 9141 -Inodes: 9143 -Data blocks: 8851 -Total data size: 22049.38 MB -After de-duplication: 21955.46 MB (99.57% of total) -After compression: 21877.28 MB (99.22% of total, 99.64% of de-duplicated) -Database size: 2.39 MB (uncompressed) -(some values do not take into account not-yet-uploaded dirty blocks in cache) -# -</pre></blockquote></p> - -<p>I mentioned earlier that there are several possible suppliers of -storage. I did not try to locate them all, but am aware of at least -<a href="https://www.greenqloud.com/">Greenqloud</a>, -<a href="http://drive.google.com/">Google Drive</a>, -<a href="http://aws.amazon.com/s3/">Amazon S3 web serivces</a>, -<a href="http://www.rackspace.com/">Rackspace</a> and -<a href="http://crowncloud.net/">Crowncloud</A>. The latter even -accept payment in Bitcoin. Pick one that suit your need. Some of -them provide several GiB of free storage, but the prize models are -quite different and you will have to figure out what suits you -best.</p> - -<p>While researching this blog post, I had a look at research papers -and posters discussing the S3QL file system. There are several, which -told me that the file system is getting a critical check by the -science community and increased my confidence in using it. One nice -poster is titled -"<a href="http://www.lanl.gov/orgs/adtsc/publications/science_highlights_2013/docs/pg68_69.pdf">An -Innovative Parallel Cloud Storage System using OpenStack’s SwiftObject -Store and Transformative Parallel I/O Approach</a>" by Hsing-Bung -Chen, Benjamin McClelland, David Sherrill, Alfred Torrez, Parks Fields -and Pamela Smith. Please have a look.</p> - -<p>Given my problems with different file systems earlier, I decided to -check out the mounted S3QL file system to see if it would be usable as -a home directory (in other word, that it provided POSIX semantics when -it come to locking and umask handling etc). Running -<a href="http://people.skolelinux.org/pere/blog/Testing_if_a_file_system_can_be_used_for_home_directories___.html">my -test code to check file system semantics</a>, I was happy to discover that -no error was found. So the file system can be used for home -directories, if one chooses to do so.</p> - -<p>If you do not want a locally file system, and want something that -work without the Linux fuse file system, I would like to mention the -<a href="http://www.tarsnap.com/">Tarsnap service</a>, which also -provide locally encrypted backup using a command line client. It have -a nicer access control system, where one can split out read and write -access, allowing some systems to write to the backup and others to -only read from it.</p> - -<p>As usual, if you use Bitcoin and want to show your support of my -activities, please send Bitcoin donations to my address -<b><a href="bitcoin:15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b&label=PetterReinholdtsenBlog">15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b</a></b>.</p> + A day in court challenging seizure of popcorn-time.no for #domstolkontroll + http://people.skolelinux.org/pere/blog/A_day_in_court_challenging_seizure_of_popcorn_time_no_for__domstolkontroll.html + http://people.skolelinux.org/pere/blog/A_day_in_court_challenging_seizure_of_popcorn_time_no_for__domstolkontroll.html + Fri, 3 Feb 2017 11:10:00 +0100 + <p align="center"><img width="70%" src="http://people.skolelinux.org/pere/blog/images/2017-02-01-popcorn-time-in-court.jpeg"></p> + +<p>On Wednesday, I spent the entire day in court in Follo Tingrett +representing <a href="https://www.nuug.no/">the member association +NUUG</a>, alongside <a href="https://www.efn.no/">the member +association EFN</a> and <a href="http://www.imc.no">the DNS registrar +IMC</a>, challenging the seizure of the DNS name popcorn-time.no. It +was interesting to sit in a court of law for the first time in my +life. Our team can be seen in the picture above: attorney Ola +Tellesbø, EFN board member Tom Fredrik Blenning, IMC CEO Morten Emil +Eriksen and NUUG board member Petter Reinholdtsen.</p> + +<p><a href="http://www.domstol.no/no/Enkelt-domstol/follo-tingrett/Nar-gar-rettssaken/Beramming/?cid=AAAA1701301512081262234UJFBVEZZZZZEJBAvtale">The +case at hand</a> is that the Norwegian National Authority for +Investigation and Prosecution of Economic and Environmental Crime (aka +Økokrim) decided on their own, to seize a DNS domain early last +year, without following +<a href="https://www.norid.no/no/regelverk/navnepolitikk/#link12">the +official policy of the Norwegian DNS authority</a> which require a +court decision. The web site in question was a site covering Popcorn +Time. And Popcorn Time is the name of a technology with both legal +and illegal applications. Popcorn Time is a client combining +searching a Bittorrent directory available on the Internet with +downloading/distribute content via Bittorrent and playing the +downloaded content on screen. It can be used illegally if it is used +to distribute content against the will of the right holder, but it can +also be used legally to play a lot of content, for example the +millions of movies +<a href="https://archive.org/details/movies">available from the +Internet Archive</a> or the collection +<a href="http://vodo.net/films/">available from Vodo</a>. We created +<a href="magnet:?xt=urn:btih:86c1802af5a667ca56d3918aecb7d3c0f7173084&dn=PresentasjonFolloTingrett.mov&tr=udp%3A%2F%2Fpublic.popcorn-tracker.org%3A6969%2Fannounce">a +video demonstrating legally use of Popcorn Time</a> and played it in +Court. It can of course be downloaded using Bittorrent.</p> + +<p>I did not quite know what to expect from a day in court. The +government held on to their version of the story and we held on to +ours, and I hope the judge is able to make sense of it all. We will +know in two weeks time. Unfortunately I do not have high hopes, as +the Government have the upper hand here with more knowledge about the +case, better training in handling criminal law and in general higher +standing in the courts than fairly unknown DNS registrar and member +associations. It is expensive to be right also in Norway. So far the +case have cost more than NOK 70 000,-. To help fund the case, NUUG +and EFN have asked for donations, and managed to collect around NOK 25 +000,- so far. Given the presentation from the Government, I expect +the government to appeal if the case go our way. And if the case do +not go our way, I hope we have enough funding to appeal.</p> + +<p>From the other side came two people from Økokrim. On the benches, +appearing to be part of the group from the government were two people +from the Simonsen Vogt Wiik lawyer office, and three others I am not +quite sure who was. Økokrim had proposed to present two witnesses +from The Motion Picture Association, but this was rejected because +they did not speak Norwegian and it was a bit late to bring in a +translator, but perhaps the two from MPA were present anyway. All +seven appeared to know each other. Good to see the case is take +seriously.</p> + +<p>If you, like me, believe the courts should be involved before a DNS +domain is hijacked by the government, or you believe the Popcorn Time +technology have a lot of useful and legal applications, I suggest you +too <a href="http://www.nuug.no/dns-beslag-donasjon.shtml">donate to +the NUUG defense fund</a>. Both Bitcoin and bank transfer are +available. If NUUG get more than we need for the legal action (very +unlikely), the rest will be spend promoting free software, open +standards and unix-like operating systems in Norway, so no matter what +happens the money will be put to good use.</p> + +<p>If you want to lean more about the case, I recommend you check out +<a href="https://www.nuug.no/news/tags/dns-domenebeslag/">the blog +posts from NUUG covering the case</a>. They cover the legal arguments +on both sides.</p> - EU-domstolen bekreftet i dag at datalagringsdirektivet er ulovlig - http://people.skolelinux.org/pere/blog/EU_domstolen_bekreftet_i_dag_at_datalagringsdirektivet_er_ulovlig.html - http://people.skolelinux.org/pere/blog/EU_domstolen_bekreftet_i_dag_at_datalagringsdirektivet_er_ulovlig.html - Tue, 8 Apr 2014 11:30:00 +0200 - <p>I dag kom endelig avgjørelsen fra EU-domstolen om -datalagringsdirektivet, som ikke overraskende ble dømt ulovlig og i -strid med borgernes grunnleggende rettigheter. Hvis du lurer på hva -datalagringsdirektivet er for noe, så er det -<a href="http://tv.nrk.no/program/koid75005313/tema-dine-digitale-spor-datalagringsdirektivet">en -flott dokumentar tilgjengelig hos NRK</a> som jeg tidligere -<a href="http://people.skolelinux.org/pere/blog/Dokumentaren_om_Datalagringsdirektivet_sendes_endelig_p__NRK.html">har -anbefalt</a> alle å se.</p> - -<p>Her er et liten knippe nyhetsoppslag om saken, og jeg regner med at -det kommer flere ut over dagen. Flere kan finnes -<a href="http://www.mylder.no/?drill=datalagringsdirektivet&intern=1">via -mylder</a>.</p> - -<p><ul> - -<li><a href="http://e24.no/digital/eu-domstolen-datalagringsdirektivet-er-ugyldig/22879592">EU-domstolen: -Datalagringsdirektivet er ugyldig</a> - e24.no 2014-04-08 - -<li><a href="http://www.aftenposten.no/nyheter/iriks/EU-domstolen-Datalagringsdirektivet-er-ulovlig-7529032.html">EU-domstolen: -Datalagringsdirektivet er ulovlig</a> - aftenposten.no 2014-04-08 - -<li><a href="http://www.aftenposten.no/nyheter/iriks/politikk/Krever-DLD-stopp-i-Norge-7530086.html">Krever -DLD-stopp i Norge</a> - aftenposten.no 2014-04-08 - -<li><a href="http://www.p4.no/story.aspx?id=566431">Apenes: - En -gledens dag</a> - p4.no 2014-04-08 - -<li><a href="http://www.nrk.no/norge/_-datalagringsdirektivet-er-ugyldig-1.11655929">EU-domstolen: -– Datalagringsdirektivet er ugyldig</a> - nrk.no 2014-04-08</li> - -<li><a href="http://www.vg.no/nyheter/utenriks/data-og-nett/eu-domstolen-datalagringsdirektivet-er-ugyldig/a/10130280/">EU-domstolen: -Datalagringsdirektivet er ugyldig</a> - vg.no 2014-04-08</li> - -<li><a href="http://www.dagbladet.no/2014/04/08/nyheter/innenriks/datalagringsdirektivet/personvern/32711646/">- -Vi bør skrote hele datalagringsdirektivet</a> - dagbladet.no -2014-04-08</li> - -<li><a href="http://www.digi.no/928137/eu-domstolen-dld-er-ugyldig">EU-domstolen: -DLD er ugyldig</a> - digi.no 2014-04-08</li> - -<li><a href="http://www.irishtimes.com/business/sectors/technology/european-court-declares-data-retention-directive-invalid-1.1754150">European -court declares data retention directive invalid</a> - irishtimes.com -2014-04-08</li> - -<li><a href="http://www.reuters.com/article/2014/04/08/us-eu-data-ruling-idUSBREA370F020140408?feedType=RSS">EU -court rules against requirement to keep data of telecom users</a> - -reuters.com 2014-04-08</li> - -</ul> -</p> - -<p>Jeg synes det er veldig fint at nok en stemme slår fast at -totalitær overvåkning av befolkningen er uakseptabelt, men det er -fortsatt like viktig å beskytte privatsfæren som før, da de -teknologiske mulighetene fortsatt finnes og utnyttes, og jeg tror -innsats i prosjekter som -<a href="https://wiki.debian.org/FreedomBox">Freedombox</a> og -<a href="http://www.dugnadsnett.no/">Dugnadsnett</a> er viktigere enn -noen gang.</p> - -<p><strong>Update 2014-04-08 12:10</strong>: Kronerullingen for å -stoppe datalagringsdirektivet i Norge gjøres hos foreningen -<a href="http://www.digitaltpersonvern.no/">Digitalt Personvern</a>, -som har samlet inn 843 215,- så langt men trenger nok mye mer hvis - -ikke Høyre og Arbeiderpartiet bytter mening i saken. Det var -<a href="http://www.holderdeord.no/parliament-issues/48650">kun -partinene Høyre og Arbeiderpartiet</a> som stemte for -Datalagringsdirektivet, og en av dem må bytte mening for at det skal -bli flertall mot i Stortinget. Se mer om saken -<a href="http://www.holderdeord.no/issues/69-innfore-datalagringsdirektivet">Holder -de ord</a>.</p> + Nasjonalbiblioteket avslutter sin ulovlige bruk av Google Skjemaer + http://people.skolelinux.org/pere/blog/Nasjonalbiblioteket_avslutter_sin_ulovlige_bruk_av_Google_Skjemaer.html + http://people.skolelinux.org/pere/blog/Nasjonalbiblioteket_avslutter_sin_ulovlige_bruk_av_Google_Skjemaer.html + Thu, 12 Jan 2017 09:40:00 +0100 + <p>I dag fikk jeg en skikkelig gladmelding. Bakgrunnen er at før jul +arrangerte Nasjonalbiblioteket +<a href="http://www.nb.no/Bibliotekutvikling/Kunnskapsorganisering/Nasjonalt-verksregister/Seminar-om-verksregister">et +seminar om sitt knakende gode tiltak «verksregister»</a>. Eneste +måten å melde seg på dette seminaret var å sende personopplysninger +til Google via Google Skjemaer. Dette syntes jeg var tvilsom praksis, +da det bør være mulig å delta på seminarer arrangert av det offentlige +uten å måtte dele sine interesser, posisjon og andre +personopplysninger med Google. Jeg ba derfor om innsyn via +<a href="https://www.mimesbronn.no/">Mimes brønn</a> i +<a href="https://www.mimesbronn.no/request/personopplysninger_til_google_sk">avtaler +og vurderinger Nasjonalbiblioteket hadde rundt dette</a>. +Personopplysningsloven legger klare rammer for hva som må være på +plass før en kan be tredjeparter, spesielt i utlandet, behandle +personopplysninger på sine vegne, så det burde eksistere grundig +dokumentasjon før noe slikt kan bli lovlig. To jurister hos +Nasjonalbiblioteket mente først dette var helt i orden, og at Googles +standardavtale kunne brukes som databehandlingsavtale. Det syntes jeg +var merkelig, men har ikke hatt kapasitet til å følge opp saken før +for to dager siden.</p> + +<p>Gladnyheten i dag, som kom etter at jeg tipset Nasjonalbiblioteket +om at Datatilsynet underkjente Googles standardavtaler som +databehandleravtaler i 2011, er at Nasjonalbiblioteket har bestemt seg +for å avslutte bruken av Googles Skjemaer/Apps og gå i dialog med DIFI +for å finne bedre måter å håndtere påmeldinger i tråd med +personopplysningsloven. Det er fantastisk å se at av og til hjelper +det å spørre hva i alle dager det offentlige holder på med.</p> - ReactOS Windows clone - nice free software - http://people.skolelinux.org/pere/blog/ReactOS_Windows_clone___nice_free_software.html - http://people.skolelinux.org/pere/blog/ReactOS_Windows_clone___nice_free_software.html - Tue, 1 Apr 2014 12:10:00 +0200 - <p>Microsoft have announced that Windows XP reaches its end of life -2014-04-08, in 7 days. But there are heaps of machines still running -Windows XP, and depending on Windows XP to run their applications, and -upgrading will be expensive, both when it comes to money and when it -comes to the amount of effort needed to migrate from Windows XP to a -new operating system. Some obvious options (buy new a Windows -machine, buy a MacOSX machine, install Linux on the existing machine) -are already well known and covered elsewhere. Most of them involve -leaving the user applications installed on Windows XP behind and -trying out replacements or updated versions. In this blog post I want -to mention one strange bird that allow people to keep the hardware and -the existing Windows XP applications and run them on a free software -operating system that is Windows XP compatible.</p> - -<p><a href="http://www.reactos.org/">ReactOS</a> is a free software -operating system (GNU GPL licensed) working on providing a operating -system that is binary compatible with Windows, able to run windows -programs directly and to use Windows drivers for hardware directly. -The project goal is for Windows user to keep their existing machines, -drivers and software, and gain the advantages from user a operating -system without usage limitations caused by non-free licensing. It is -a Windows clone running directly on the hardware, so quite different -from the approach taken by <a href="http://www.winehq.org/">the Wine -project</a>, which make it possible to run Windows binaries on -Linux.</p> - -<p>The ReactOS project share code with the Wine project, so most -shared libraries available on Windows are already implemented already. -There is also a software manager like the one we are used to on Linux, -allowing the user to install free software applications with a simple -click directly from the Internet. Check out the -<a href="http://www.reactos.org/screenshots">screen shots on the -project web site</a> for an idea what it look like (it looks just like -Windows before metro).</p> - -<p>I do not use ReactOS myself, preferring Linux and Unix like -operating systems. I've tested it, and it work fine in a virt-manager -virtual machine. The browser, minesweeper, notepad etc is working -fine as far as I can tell. Unfortunately, my main test application -is the software included on a CD with the Lego Mindstorms NXT, which -seem to install just fine from CD but fail to leave any binaries on -the disk after the installation. So no luck with that test software. -No idea why, but hope someone else figure out and fix the problem. -I've tried the ReactOS Live ISO on a physical machine, and it seemed -to work just fine. If you like Windows and want to keep running your -old Windows binaries, check it out by -<a href="http://www.reactos.org/download">downloading</a> the -installation CD, the live CD or the preinstalled virtual machine -image.</p> + Bryter NAV sin egen personvernerklæring? + http://people.skolelinux.org/pere/blog/Bryter_NAV_sin_egen_personvernerkl_ring_.html + http://people.skolelinux.org/pere/blog/Bryter_NAV_sin_egen_personvernerkl_ring_.html + Wed, 11 Jan 2017 06:50:00 +0100 + <p>Jeg leste med interesse en nyhetssak hos +<a href="http://www.digi.no/artikler/nav-avslorer-trygdemisbruk-ved-a-spore-ip-adresser/367394">digi.no</a> +og +<a href="https://www.nrk.no/buskerud/trygdesvindlere-avslores-av-utenlandske-ip-adresser-1.13313461">NRK</a> +om at det ikke bare er meg, men at også NAV bedriver geolokalisering +av IP-adresser, og at det gjøres analyse av IP-adressene til de som +sendes inn meldekort for å se om meldekortet sendes inn fra +utenlandske IP-adresser. Politiadvokat i Drammen, Hans Lyder Haare, +er sitert i NRK på at «De to er jo blant annet avslørt av +IP-adresser. At man ser at meldekortet kommer fra utlandet.»</p> + +<p>Jeg synes det er fint at det blir bedre kjent at IP-adresser +knyttes til enkeltpersoner og at innsamlet informasjon brukes til å +stedsbestemme personer også av aktører her i Norge. Jeg ser det som +nok et argument for å bruke +<a href="https://www.torproject.org/">Tor</a> så mye som mulig for å +gjøre gjøre IP-lokalisering vanskeligere, slik at en kan beskytte sin +privatsfære og unngå å dele sin fysiske plassering med +uvedkommede.</p> + +<P>Men det er en ting som bekymrer meg rundt denne nyheten. Jeg ble +tipset (takk #nuug) om +<a href="https://www.nav.no/no/NAV+og+samfunn/Kontakt+NAV/Teknisk+brukerstotte/Snarveier/personvernerkl%C3%A6ring-for-arbeids-og-velferdsetaten">NAVs +personvernerklæring</a>, som under punktet «Personvern og statistikk» +lyder:</p> + +<p><blockquote> + +<p>«Når du besøker nav.no, etterlater du deg elektroniske spor. Sporene +dannes fordi din nettleser automatisk sender en rekke opplysninger til +NAVs tjener (server-maskin) hver gang du ber om å få vist en side. Det +er eksempelvis opplysninger om hvilken nettleser og -versjon du +bruker, og din internettadresse (ip-adresse). For hver side som vises, +lagres følgende opplysninger:</p> + +<ul> +<li>hvilken side du ser på</li> +<li>dato og tid</li> +<li>hvilken nettleser du bruker</li> +<li>din ip-adresse</li> +</ul> + +<p>Ingen av opplysningene vil bli brukt til å identifisere +enkeltpersoner. NAV bruker disse opplysningene til å generere en +samlet statistikk som blant annet viser hvilke sider som er mest +populære. Statistikken er et redskap til å forbedre våre +tjenester.»</p> + +</blockquote></p> + +<p>Jeg klarer ikke helt å se hvordan analyse av de besøkendes +IP-adresser for å se hvem som sender inn meldekort via web fra en +IP-adresse i utlandet kan gjøres uten å komme i strid med påstanden om +at «ingen av opplysningene vil bli brukt til å identifisere +enkeltpersoner». Det virker dermed for meg som at NAV bryter sine +egen personvernerklæring, hvilket +<a href="http://people.skolelinux.org/pere/blog/Er_lover_brutt_n_r_personvernpolicy_ikke_stemmer_med_praksis_.html">Datatilsynet +fortalte meg i starten av desember antagelig er brudd på +personopplysningsloven</a>. + +<p>I tillegg er personvernerklæringen ganske misvisende i og med at +NAVs nettsider ikke bare forsyner NAV med personopplysninger, men i +tillegg ber brukernes nettleser kontakte fem andre nettjenere +(script.hotjar.com, static.hotjar.com, vars.hotjar.com, +www.google-analytics.com og www.googletagmanager.com), slik at +personopplysninger blir gjort tilgjengelig for selskapene Hotjar og +Google , og alle som kan lytte på trafikken på veien (som FRA, GCHQ og +NSA). Jeg klarer heller ikke se hvordan slikt spredning av +personopplysninger kan være i tråd med kravene i +personopplysningloven, eller i tråd med NAVs personvernerklæring.</p> + +<p>Kanskje NAV bør ta en nøye titt på sin personvernerklæring? Eller +kanskje Datatilsynet bør gjøre det?</p> - Debian Edu interview: Roger Marsal - http://people.skolelinux.org/pere/blog/Debian_Edu_interview__Roger_Marsal.html - http://people.skolelinux.org/pere/blog/Debian_Edu_interview__Roger_Marsal.html - Sun, 30 Mar 2014 11:40:00 +0200 - <p><a href="http://www.skolelinux.org/">Debian Edu / Skolelinux</a> -keep gaining new users. Some weeks ago, a person showed up on IRC, -<a href="irc://irc.debian.org/#debian-edu">#debian-edu</a>, with a -wish to contribute, and I managed to get a interview with this great -contributor Roger Marsal to learn more about his background.</p> - -<p><strong>Who are you, and how do you spend your days?</strong></p> - -<p>My name is Roger Marsal, I'm 27 years old (1986 generation) and I -live in Barcelona, Spain. I've got a strong business background and I -work as a patrimony manager and as a real estate agent. Additionally, -I've co-founded a British based tech company that is nowadays on the -last development phase of a new social networking concept.</p> - -<p>I'm a Linux enthusiast that started its journey with Ubuntu four years -ago and have recently switched to Debian seeking rock solid stability -and as a necessary step to gain expertise.</p> - -<p>In a nutshell, I spend my days working and learning as much as I -can to face both my job, entrepreneur project and feed my Linux -hunger.</p> - -<p><strong>How did you get in contact with the Skolelinux / Debian Edu -project?</strong></p> - -<p>I discovered the <a href="http://www.ltsp.org/">LTSP</a> advantages -with "Ubuntu 12.04 alternate install" and after a year of use I -started looking for an alternative. Even though I highly value and -respect the Ubuntu project, I thought it was necessary for me to -change to a more robust and stable alternative. As far as I was using -Debian on my personal laptop I thought it would be fine to install -Debian and configure an LTSP server myself. Surprised, I discovered -that the Debian project also supported a kind of Edubuntu equivalent, -and after having some pain I obtained a Debian Edu network up and -running. I just loved it.</p> - -<p><strong>What do you see as the advantages of Skolelinux / Debian -Edu?</strong></p> - -<p>I found a main advantage in that, once you know "the tips and -tricks", a new installation just works out of the box. It's the most -complete alternative I've found to create an LTSP network. All the -other distributions seems to be made of plastic, Debian Edu seems to -be made of steel.</p> - -<p><strong>What do you see as the disadvantages of Skolelinux / Debian -Edu?</strong></p> - -<p>I found two main disadvantages.</p> - -<p>I'm not an expert but I've got notions and I had to spent a considerable -amount of time trying to bring up a standard network topology. I'm quite -stubborn and I just worked until I did but I'm sure many people with few -resources (not big schools, but academies for example) would have switched -or dropped.</p> - -<p>It's amazing how such a complex system like Debian Edu has achieved -this out-of-the-box state. Even though tweaking without breaking gets -more difficult, as more factors have to be considered. This can -discourage many people too.</p> - -<p><strong>Which free software do you use daily?</strong></p> - -<p>I use Debian, Firefox, Okular, Inkscape, LibreOffice and -Virtualbox.</p> - - -<p><strong>Which strategy do you believe is the right one to use to -get schools to use free software?</strong></p> - -<p>I don't think there is a need for a particular strategy. The free -attribute in both "freedom" and "no price" meanings is what will -really bring free software to schools. In my experience I can think of -the <a href="http://www.r-project.org/">"R" statistical language</a>; a -few years a ago was an extremely nerd tool for university people. -Today it's being increasingly used to teach statistics at many -different level of studies. I believe free and open software will -increasingly gain popularity, but I'm sure schools will be one of the -first scenarios where this will happen.</p> + Where did that package go? &mdash; geolocated IP traceroute + http://people.skolelinux.org/pere/blog/Where_did_that_package_go___mdash__geolocated_IP_traceroute.html + http://people.skolelinux.org/pere/blog/Where_did_that_package_go___mdash__geolocated_IP_traceroute.html + Mon, 9 Jan 2017 12:20:00 +0100 + <p>Did you ever wonder where the web trafic really flow to reach the +web servers, and who own the network equipment it is flowing through? +It is possible to get a glimpse of this from using traceroute, but it +is hard to find all the details. Many years ago, I wrote a system to +map the Norwegian Internet (trying to figure out if our plans for a +network game service would get low enough latency, and who we needed +to talk to about setting up game servers close to the users. Back +then I used traceroute output from many locations (I asked my friends +to run a script and send me their traceroute output) to create the +graph and the map. The output from traceroute typically look like +this: + +<p><pre> +traceroute to www.stortinget.no (85.88.67.10), 30 hops max, 60 byte packets + 1 uio-gw10.uio.no (129.240.202.1) 0.447 ms 0.486 ms 0.621 ms + 2 uio-gw8.uio.no (129.240.24.229) 0.467 ms 0.578 ms 0.675 ms + 3 oslo-gw1.uninett.no (128.39.65.17) 0.385 ms 0.373 ms 0.358 ms + 4 te3-1-2.br1.fn3.as2116.net (193.156.90.3) 1.174 ms 1.172 ms 1.153 ms + 5 he16-1-1.cr1.san110.as2116.net (195.0.244.234) 2.627 ms he16-1-1.cr2.oslosda310.as2116.net (195.0.244.48) 3.172 ms he16-1-1.cr1.san110.as2116.net (195.0.244.234) 2.857 ms + 6 ae1.ar8.oslosda310.as2116.net (195.0.242.39) 0.662 ms 0.637 ms ae0.ar8.oslosda310.as2116.net (195.0.242.23) 0.622 ms + 7 89.191.10.146 (89.191.10.146) 0.931 ms 0.917 ms 0.955 ms + 8 * * * + 9 * * * +[...] +</pre></p> + +<p>This show the DNS names and IP addresses of (at least some of the) +network equipment involved in getting the data traffic from me to the +www.stortinget.no server, and how long it took in milliseconds for a +package to reach the equipment and return to me. Three packages are +sent, and some times the packages do not follow the same path. This +is shown for hop 5, where three different IP addresses replied to the +traceroute request.</p> + +<p>There are many ways to measure trace routes. Other good traceroute +implementations I use are traceroute (using ICMP packages) mtr (can do +both ICMP, UDP and TCP) and scapy (python library with ICMP, UDP, TCP +traceroute and a lot of other capabilities). All of them are easily +available in <a href="https://www.debian.org/">Debian</a>.</p> + +<p>This time around, I wanted to know the geographic location of +different route points, to visualize how visiting a web page spread +information about the visit to a lot of servers around the globe. The +background is that a web site today often will ask the browser to get +from many servers the parts (for example HTML, JSON, fonts, +JavaScript, CSS, video) required to display the content. This will +leak information about the visit to those controlling these servers +and anyone able to peek at the data traffic passing by (like your ISP, +the ISPs backbone provider, FRA, GCHQ, NSA and others).</p> + +<p>Lets pick an example, the Norwegian parliament web site +www.stortinget.no. It is read daily by all members of parliament and +their staff, as well as political journalists, activits and many other +citizens of Norway. A visit to the www.stortinget.no web site will +ask your browser to contact 8 other servers: ajax.googleapis.com, +insights.hotjar.com, script.hotjar.com, static.hotjar.com, +stats.g.doubleclick.net, www.google-analytics.com, +www.googletagmanager.com and www.netigate.se. I extracted this by +asking <a href="http://phantomjs.org/">PhantomJS</a> to visit the +Stortinget web page and tell me all the URLs PhantomJS downloaded to +render the page (in HAR format using +<a href="https://github.com/ariya/phantomjs/blob/master/examples/netsniff.js">their +netsniff example</a>. I am very grateful to Gorm for showing me how +to do this). My goal is to visualize network traces to all IP +addresses behind these DNS names, do show where visitors personal +information is spread when visiting the page.</p> + +<p align="center"><a href="www.stortinget.no-geoip.kml"><img +src="http://people.skolelinux.org/pere/blog/images/2017-01-09-www.stortinget.no-geoip-small.png" alt="map of combined traces for URLs used by www.stortinget.no using GeoIP"/></a></p> + +<p>When I had a look around for options, I could not find any good +free software tools to do this, and decided I needed my own traceroute +wrapper outputting KML based on locations looked up using GeoIP. KML +is easy to work with and easy to generate, and understood by several +of the GIS tools I have available. I got good help from by NUUG +colleague Anders Einar with this, and the result can be seen in +<a href="https://github.com/petterreinholdtsen/kmltraceroute">my +kmltraceroute git repository</a>. Unfortunately, the quality of the +free GeoIP databases I could find (and the for-pay databases my +friends had access to) is not up to the task. The IP addresses of +central Internet infrastructure would typically be placed near the +controlling companies main office, and not where the router is really +located, as you can see from <a href="www.stortinget.no-geoip.kml">the +KML file I created</a> using the GeoLite City dataset from MaxMind. + +<p align="center"><a href="http://people.skolelinux.org/pere/blog/images/2017-01-09-www.stortinget.no-scapy.svg"><img +src="http://people.skolelinux.org/pere/blog/images/2017-01-09-www.stortinget.no-scapy-small.png" alt="scapy traceroute graph for URLs used by www.stortinget.no"/></a></p> + +<p>I also had a look at the visual traceroute graph created by +<a href="http://www.secdev.org/projects/scapy/">the scrapy project</a>, +showing IP network ownership (aka AS owner) for the IP address in +question. +<a href="http://people.skolelinux.org/pere/blog/images/2017-01-09-www.stortinget.no-scapy.svg">The +graph display a lot of useful information about the traceroute in SVG +format</a>, and give a good indication on who control the network +equipment involved, but it do not include geolocation. This graph +make it possible to see the information is made available at least for +UNINETT, Catchcom, Stortinget, Nordunet, Google, Amazon, Telia, Level +3 Communications and NetDNA.</p> + +<p align="center"><a href="https://geotraceroute.com/index.php?node=4&host=www.stortinget.no"><img +src="http://people.skolelinux.org/pere/blog/images/2017-01-09-www.stortinget.no-geotraceroute-small.png" alt="example geotraceroute view for www.stortinget.no"/></a></p> + +<p>In the process, I came across the +<a href="https://geotraceroute.com/">web service GeoTraceroute</a> by +Salim Gasmi. Its methology of combining guesses based on DNS names, +various location databases and finally use latecy times to rule out +candidate locations seemed to do a very good job of guessing correct +geolocation. But it could only do one trace at the time, did not have +a sensor in Norway and did not make the geolocations easily available +for postprocessing. So I contacted the developer and asked if he +would be willing to share the code (he refused until he had time to +clean it up), but he was interested in providing the geolocations in a +machine readable format, and willing to set up a sensor in Norway. So +since yesterday, it is possible to run traces from Norway in this +service thanks to a sensor node set up by +<a href="https://www.nuug.no/">the NUUG assosiation</a>, and get the +trace in KML format for further processing.</p> + +<p align="center"><a href="http://people.skolelinux.org/pere/blog/images/2017-01-09-www.stortinget.no-geotraceroute-kml-join.kml"><img +src="http://people.skolelinux.org/pere/blog/images/2017-01-09-www.stortinget.no-geotraceroute-kml-join.png" alt="map of combined traces for URLs used by www.stortinget.no using geotraceroute"/></a></p> + +<p>Here we can see a lot of trafic passes Sweden on its way to +Denmark, Germany, Holland and Ireland. Plenty of places where the +Snowden confirmations verified the traffic is read by various actors +without your best interest as their top priority.</p> + +<p>Combining KML files is trivial using a text editor, so I could loop +over all the hosts behind the urls imported by www.stortinget.no and +ask for the KML file from GeoTraceroute, and create a combined KML +file with all the traces (unfortunately only one of the IP addresses +behind the DNS name is traced this time. To get them all, one would +have to request traces using IP number instead of DNS names from +GeoTraceroute). That might be the next step in this project.</p> + +<p>Armed with these tools, I find it a lot easier to figure out where +the IP traffic moves and who control the boxes involved in moving it. +And every time the link crosses for example the Swedish border, we can +be sure Swedish Signal Intelligence (FRA) is listening, as GCHQ do in +Britain and NSA in USA and cables around the globe. (Hm, what should +we tell them? :) Keep that in mind if you ever send anything +unencrypted over the Internet.</p> + +<p>PS: KML files are drawn using +<a href="http://ivanrublev.me/kml/">the KML viewer from Ivan +Rublev<a/>, as it was less cluttered than the local Linux application +Marble. There are heaps of other options too.</p> + +<p>As usual, if you use Bitcoin and want to show your support of my +activities, please send Bitcoin donations to my address +<b><a href="bitcoin:15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b&label=PetterReinholdtsenBlog">15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b</a></b>.</p>