X-Git-Url: http://pere.pagekite.me/gitweb/homepage.git/blobdiff_plain/a3b8e7e9516fff5033605ecd8e806629ab2007e9..ae5db6d19f3d85fdd5e7bd4c12be28fa3f15fc43:/blog/index.html diff --git a/blog/index.html b/blog/index.html index d65ede4eb7..96c2134fd9 100644 --- a/blog/index.html +++ b/blog/index.html @@ -19,6 +19,266 @@ +
+
Aktivitetsbånd som beskytter privatsfæren
+
3rd November 2016
+

Jeg ble så imponert over +dagens +gladnyhet på NRK, om at Forbrukerrådet klager inn vilkårene for +bruk av aktivitetsbånd fra Fitbit, Garmin, Jawbone og Mio til +Datatilsynet og forbrukerombudet, at jeg sendte følgende brev til +forbrukerrådet for å uttrykke min støtte: + +

+ +

Jeg ble veldig glad over å lese at Forbrukerrådet +klager +inn flere aktivitetsbånd til Datatilsynet for dårlige vilkår. Jeg +har ønsket meg et aktivitetsbånd som kan måle puls, bevegelse og +gjerne også andre helserelaterte indikatorer en stund nå. De eneste +jeg har funnet i salg gjør, som dere også har oppdaget, graverende +inngrep i privatsfæren og sender informasjonen ut av huset til folk og +organisasjoner jeg ikke ønsker å dele aktivitets- og helseinformasjon +med. Jeg ønsker et alternativ som _ikke_ sender informasjon til +skyen, men derimot bruker +en +fritt og åpent standardisert protokoll (eller i det minste en +dokumentert protokoll uten patent- og opphavsrettslige +bruksbegrensinger) til å kommunisere med datautstyr jeg kontrollerer. +Er jo ikke interessert i å betale noen for å tilrøve seg +personopplysninger fra meg. Desverre har jeg ikke funnet noe +alternativ så langt.

+ +

Det holder ikke å endre på bruksvilkårene for enhetene, slik +Datatilsynet ofte legger opp til i sin behandling, når de gjør slik +f.eks. Fitbit (den jeg har sett mest på). Fitbit krypterer +informasjonen på enheten og sender den kryptert til leverandøren. Det +gjør det i praksis umulig både å sjekke hva slags informasjon som +sendes over, og umulig å ta imot informasjonen selv i stedet for +Fitbit. Uansett hva slags historie som forteller i bruksvilkårene er +en jo både prisgitt leverandørens godvilje og at de ikke tvinges av +sitt lands myndigheter til å lyve til sine kunder om hvorvidt +personopplysninger spres ut over det bruksvilkårene sier. Det er +veldokumentert hvordan f.eks. USA tvinger selskaper vha. såkalte +National security letters til å utlevere personopplysninger samtidig +som de ikke får lov til å fortelle dette til kundene sine.

+ +

Stå på, jeg er veldig glade for at dere har sett på saken. Vet +dere om aktivitetsbånd i salg i dag som ikke tvinger en til å utlevere +aktivitets- og helseopplysninger med leverandøren?

+ +
+ +

Jeg håper en konkurrent som respekterer kundenes privatliv klarer å +nå opp i markedet, slik at det finnes et reelt alternativ for oss som +har full tillit til at skyleverandører vil prioritere egen inntjening +og myndighetspålegg langt over kundenes rett til privatliv. Jeg har +ingen tiltro til at Datatilsynet vil kreve noe mer enn at vilkårene +endres slik at de forklarer eksplisitt i hvor stor grad bruk av +produktene utraderer privatsfæren til kundene. Det vil nok gjøre de +innklagede armbåndene "lovlige", men fortsatt tvinge kundene til å +dele sine personopplysninger med leverandøren.

+
+
+ + + Tags: norsk, personvern, sikkerhet, surveillance. + + +
+
+
+ +
+
Experience and updated recipe for using the Signal app without a mobile phone
+
10th October 2016
+

In July +I +wrote how to get the Signal Chrome/Chromium app working without +the ability to receive SMS messages (aka without a cell phone). It is +time to share some experiences and provide an updated setup.

+ +

The Signal app have worked fine for several months now, and I use +it regularly to chat with my loved ones. I had a major snag at the +end of my summer vacation, when the the app completely forgot my +setup, identity and keys. The reason behind this major mess was +running out of disk space. To avoid that ever happening again I have +started storing everything in userdata/ in git, to be able to +roll back to an earlier version if the files are wiped by mistake. I +had to use it once after introducing the git backup. When rolling +back to an earlier version, one need to use the 'reset session' option +in Signal to get going, and notify the people you talk with about the +problem. I assume there is some sequence number tracking in the +protocol to detect rollback attacks. The git repository is rather big +(674 MiB so far), but I have not tried to figure out if some of the +content can be added to a .gitignore file due to lack of spare +time.

+ +

I've also hit the 90 days timeout blocking, and noticed that this +make it impossible to send messages using Signal. I could still +receive them, but had to patch the code with a new timestamp to send. +I believe the timeout is added by the developers to force people to +upgrade to the latest version of the app, even when there is no +protocol changes, to reduce the version skew among the user base and +thus try to keep the number of support requests down.

+ +

Since my original recipe, the Signal source code changed slightly, +making the old patch fail to apply cleanly. Below is an updated +patch, including the shell wrapper I use to start Signal. The +original version required a new user to locate the JavaScript console +and call a function from there. I got help from a friend with more +JavaScript knowledge than me to modify the code to provide a GUI +button instead. This mean that to get started you just need to run +the wrapper and click the 'Register without mobile phone' to get going +now. I've also modified the timeout code to always set it to 90 days +in the future, to avoid having to patch the code regularly.

+ +

So, the updated recipe for Debian Jessie:

+ +
    + +
  1. First, install required packages to get the source code and the +browser you need. Signal only work with Chrome/Chromium, as far as I +know, so you need to install it. + +
    +apt install git tor chromium
+git clone https://github.com/WhisperSystems/Signal-Desktop.git
+
    2. + +
  2. Modify the source code using command listed in the the patch +block below.
    3. + +
  3. Start Signal using the run-signal-app wrapper (for example using +`pwd`/run-signal-app). + +
  4. Click on the 'Register without mobile phone', will in a phone +number you can receive calls to the next minute, receive the +verification code and enter it into the form field and press +'Register'. Note, the phone number you use will be user Signal +username, ie the way others can find you on Signal.
    5. + +
  5. You can now use Signal to contact others. Note, new contacts do +not show up in the contact list until you restart Signal, and there is +no way to assign names to Contacts. There is also no way to create or +update chat groups. I suspect this is because the web app do not have +a associated contact database.
    6. + +
+ +

I am still a bit uneasy about using Signal, because of the way its +main author moxie0 reject federation and accept dependencies to major +corporations like Google (part of the code is fetched from Google) and +Amazon (the central coordination point is owned by Amazon). See for +example +the +LibreSignal issue tracker for a thread documenting the authors +view on these issues. But the network effect is strong in this case, +and several of the people I want to communicate with already use +Signal. Perhaps we can all move to Ring +once it work on my +laptop? It already work on Windows and Android, and is included +in Debian and +Ubuntu, but not +working on Debian Stable.

+ +

Anyway, this is the patch I apply to the Signal code to get it +working. It switch to the production servers, disable to timeout, +make registration easier and add the shell wrapper:

+ +
+cd Signal-Desktop; cat <<EOF | patch -p1
+diff --git a/js/background.js b/js/background.js
+index 24b4c1d..579345f 100644
+--- a/js/background.js
++++ b/js/background.js
+@@ -33,9 +33,9 @@
+         });
+     });
+ 
+-    var SERVER_URL = 'https://textsecure-service-staging.whispersystems.org';
++    var SERVER_URL = 'https://textsecure-service-ca.whispersystems.org';
+     var SERVER_PORTS = [80, 4433, 8443];
+-    var ATTACHMENT_SERVER_URL = 'https://whispersystems-textsecure-attachments-staging.s3.amazonaws.com';
++    var ATTACHMENT_SERVER_URL = 'https://whispersystems-textsecure-attachments.s3.amazonaws.com';
+     var messageReceiver;
+     window.getSocketStatus = function() {
+         if (messageReceiver) {
+diff --git a/js/expire.js b/js/expire.js
+index 639aeae..beb91c3 100644
+--- a/js/expire.js
++++ b/js/expire.js
+@@ -1,6 +1,6 @@
+ ;(function() {
+     'use strict';
+-    var BUILD_EXPIRATION = 0;
++    var BUILD_EXPIRATION = Date.now() + (90 * 24 * 60 * 60 * 1000);
+ 
+     window.extension = window.extension || {};
+ 
+diff --git a/js/views/install_view.js b/js/views/install_view.js
+index 7816f4f..1d6233b 100644
+--- a/js/views/install_view.js
++++ b/js/views/install_view.js
+@@ -38,7 +38,8 @@
+             return {
+                 'click .step1': this.selectStep.bind(this, 1),
+                 'click .step2': this.selectStep.bind(this, 2),
+-                'click .step3': this.selectStep.bind(this, 3)
++                'click .step3': this.selectStep.bind(this, 3),
++                'click .callreg': function() { extension.install('standalone') },
+             };
+         },
+         clearQR: function() {
+diff --git a/options.html b/options.html
+index dc0f28e..8d709f6 100644
+--- a/options.html
++++ b/options.html
+@@ -14,7 +14,10 @@
+         <div class='nav'>
+           <h1>{{ installWelcome }}</h1>
+           <p>{{ installTagline }}</p>
+-          <div> <a class='button step2'>{{ installGetStartedButton }}</a> </div>
++          <div> <a class='button step2'>{{ installGetStartedButton }}</a>
++	    <br> <a class="button callreg">Register without mobile phone</a>
++
++	  </div>
+           <span class='dot step1 selected'></span>
+           <span class='dot step2'></span>
+           <span class='dot step3'></span>
+--- /dev/null   2016-10-07 09:55:13.730181472 +0200
++++ b/run-signal-app   2016-10-10 08:54:09.434172391 +0200
+@@ -0,0 +1,12 @@
++#!/bin/sh
++set -e
++cd $(dirname $0)
++mkdir -p userdata
++userdata="`pwd`/userdata"
++if [ -d "$userdata" ] && [ ! -d "$userdata/.git" ] ; then
++    (cd $userdata && git init)
++fi
++(cd $userdata && git add . && git commit -m "Current status." || true)
++exec chromium \
++  --proxy-server="socks://localhost:9050" \
++  --user-data-dir=$userdata --load-and-launch-app=`pwd`
+EOF
+chmod a+rx run-signal-app
+
+ +

As usual, if you use Bitcoin and want to show your support of my +activities, please send Bitcoin donations to my address +15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b.

+
+
+ + + Tags: debian, english, sikkerhet, surveillance. + + +
+
+
+
NRKs kildevern når NRK-epost deles med utenlands etterretning?
8th October 2016
@@ -693,149 +953,6 @@ administratoren der, så hadde jeg brukt weblate i stedet.

-
-
Techno TV broadcasting live across Norway and the Internet (#debconf16, #nuug) on @frikanalen
-
1st August 2016
-

Did you know there is a TV channel broadcasting talks from DebConf -16 across an entire country? Or that there is a TV channel -broadcasting talks by or about -Linus Torvalds, -Tor, -OpenID, -Common Lisp, -Civic Tech, -EFF founder John Barlow, -how to make 3D -printer electronics and many more fascinating topics? It works -using only free software (all of it -available from Github), and -is administrated using a web browser and a web API.

- -

The TV channel is the Norwegian open channel -Frikanalen, and I am involved -via the NUUG member association in -running and developing the software for the channel. The channel is -organised as a member organisation where its members can upload and -broadcast what they want (think of it as Youtube for national -broadcasting television). Individuals can broadcast too. The time -slots are handled on a first come, first serve basis. Because the -channel have almost no viewers and very few active members, we can -experiment with TV technology without too much flack when we make -mistakes. And thanks to the few active members, most of the slots on -the schedule are free. I see this as an opportunity to spread -knowledge about technology and free software, and have a script I run -regularly to fill up all the open slots the next few days with -technology related video. The end result is a channel I like to -describe as Techno TV - filled with interesting talks and -presentations.

- -

It is available on channel 50 on the Norwegian national digital TV -network (RiksTV). It is also available as a multicast stream on -Uninett. And finally, it is available as -a WebM unicast stream from -Frikanalen and NUUG. Check it out. :)

-
-
- - - Tags: english, frikanalen, nuug, video. - - -
-
-
- -
-
Unlocking HTC Desire HD on Linux using unruu and fastboot
-
7th July 2016
-

Yesterday, I tried to unlock a HTC Desire HD phone, and it proved -to be a slight challenge. Here is the recipe if I ever need to do it -again. It all started by me wanting to try the recipe to set up -an -hardened Android installation from the Tor project blog on a -device I had access to. It is a old mobile phone with a broken -microphone The initial idea had been to just -install -CyanogenMod on it, but did not quite find time to start on it -until a few days ago.

- -

The unlock process is supposed to be simple: (1) Boot into the boot -loader (press volume down and power at the same time), (2) select -'fastboot' before (3) connecting the device via USB to a Linux -machine, (4) request the device identifier token by running 'fastboot -oem get_identifier_token', (5) request the device unlocking key using -the HTC developer web -site and unlock the phone using the key file emailed to you.

- -

Unfortunately, this only work fi you have hboot version 2.00.0029 -or newer, and the device I was working on had 2.00.0027. This -apparently can be easily fixed by downloading a Windows program and -running it on your Windows machine, if you accept the terms Microsoft -require you to accept to use Windows - which I do not. So I had to -come up with a different approach. I got a lot of help from AndyCap -on #nuug, and would not have been able to get this working without -him.

- -

First I needed to extract the hboot firmware from -the -windows binary for HTC Desire HD downloaded as 'the RUU' from HTC. -For this there is is a github -project named unruu using libunshield. The unshield tool did not -recognise the file format, but unruu worked and extracted rom.zip, -containing the new hboot firmware and a text file describing which -devices it would work for.

- -

Next, I needed to get the new firmware into the device. For this I -followed some instructions -available -from HTC1Guru.com, and ran these commands as root on a Linux -machine with Debian testing:

- -

-adb reboot-bootloader
-fastboot oem rebootRUU
-fastboot flash zip rom.zip
-fastboot flash zip rom.zip
-fastboot reboot
-

- -

The flash command apparently need to be done twice to take effect, -as the first is just preparations and the second one do the flashing. -The adb command is just to get to the boot loader menu, so turning the -device on while holding volume down and the power button should work -too.

- -

With the new hboot version in place I could start following the -instructions on the HTC developer web site. I got the device token -like this:

- -

-fastboot oem get_identifier_token 2>&1 | sed 's/(bootloader) //'
-
- -

And once I got the unlock code via email, I could use it like -this:

- -

-fastboot flash unlocktoken Unlock_code.bin
-

- -

And with that final step in place, the phone was unlocked and I -could start stuffing the software of my own choosing into the device. -So far I only inserted a replacement recovery image to wipe the phone -before I start. We will see what happen next. Perhaps I should -install Debian on it. :)

-
-
- - - Tags: bootsystem, debian, english, opphavsrett, sikkerhet. - - -
-
-
-

RSS feed