X-Git-Url: http://pere.pagekite.me/gitweb/homepage.git/blobdiff_plain/a3b8e7e9516fff5033605ecd8e806629ab2007e9..ae5db6d19f3d85fdd5e7bd4c12be28fa3f15fc43:/blog/index.rss diff --git a/blog/index.rss b/blog/index.rss index 5bd94c6de6..b4880a0717 100644 --- a/blog/index.rss +++ b/blog/index.rss @@ -6,6 +6,254 @@ http://people.skolelinux.org/pere/blog/ + + Aktivitetsbånd som beskytter privatsfæren + http://people.skolelinux.org/pere/blog/Aktivitetsb_nd_som_beskytter_privatsf_ren.html + http://people.skolelinux.org/pere/blog/Aktivitetsb_nd_som_beskytter_privatsf_ren.html + Thu, 3 Nov 2016 09:55:00 +0100 + <p>Jeg ble så imponert over +<a href="https://www.nrk.no/norge/forbrukerradet-mener-aktivitetsarmband-strider-mot-norsk-lov-1.13209079">dagens +gladnyhet på NRK</a>, om at Forbrukerrådet klager inn vilkårene for +bruk av aktivitetsbånd fra Fitbit, Garmin, Jawbone og Mio til +Datatilsynet og forbrukerombudet, at jeg sendte følgende brev til +forbrukerrådet for å uttrykke min støtte: + +<blockquote> + +<p>Jeg ble veldig glad over å lese at Forbrukerrådet +<a href="http://www.forbrukerradet.no/siste-nytt/klager-inn-aktivitetsarmband-for-brudd-pa-norsk-lov/">klager +inn flere aktivitetsbånd til Datatilsynet for dårlige vilkår</a>. Jeg +har ønsket meg et aktivitetsbånd som kan måle puls, bevegelse og +gjerne også andre helserelaterte indikatorer en stund nå. De eneste +jeg har funnet i salg gjør, som dere også har oppdaget, graverende +inngrep i privatsfæren og sender informasjonen ut av huset til folk og +organisasjoner jeg ikke ønsker å dele aktivitets- og helseinformasjon +med. Jeg ønsker et alternativ som _ikke_ sender informasjon til +skyen, men derimot bruker +<a href="http://people.skolelinux.org/pere/blog/Fri_og__pen_standard__slik_Digistan_ser_det.html">en +fritt og åpent standardisert</a> protokoll (eller i det minste en +dokumentert protokoll uten patent- og opphavsrettslige +bruksbegrensinger) til å kommunisere med datautstyr jeg kontrollerer. +Er jo ikke interessert i å betale noen for å tilrøve seg +personopplysninger fra meg. Desverre har jeg ikke funnet noe +alternativ så langt.</p> + +<p>Det holder ikke å endre på bruksvilkårene for enhetene, slik +Datatilsynet ofte legger opp til i sin behandling, når de gjør slik +f.eks. Fitbit (den jeg har sett mest på). Fitbit krypterer +informasjonen på enheten og sender den kryptert til leverandøren. Det +gjør det i praksis umulig både å sjekke hva slags informasjon som +sendes over, og umulig å ta imot informasjonen selv i stedet for +Fitbit. Uansett hva slags historie som forteller i bruksvilkårene er +en jo både prisgitt leverandørens godvilje og at de ikke tvinges av +sitt lands myndigheter til å lyve til sine kunder om hvorvidt +personopplysninger spres ut over det bruksvilkårene sier. Det er +veldokumentert hvordan f.eks. USA tvinger selskaper vha. såkalte +National security letters til å utlevere personopplysninger samtidig +som de ikke får lov til å fortelle dette til kundene sine.</p> + +<p>Stå på, jeg er veldig glade for at dere har sett på saken. Vet +dere om aktivitetsbånd i salg i dag som ikke tvinger en til å utlevere +aktivitets- og helseopplysninger med leverandøren?</p> + +</blockquote> + +<p>Jeg håper en konkurrent som respekterer kundenes privatliv klarer å +nå opp i markedet, slik at det finnes et reelt alternativ for oss som +har full tillit til at skyleverandører vil prioritere egen inntjening +og myndighetspålegg langt over kundenes rett til privatliv. Jeg har +ingen tiltro til at Datatilsynet vil kreve noe mer enn at vilkårene +endres slik at de forklarer eksplisitt i hvor stor grad bruk av +produktene utraderer privatsfæren til kundene. Det vil nok gjøre de +innklagede armbåndene "lovlige", men fortsatt tvinge kundene til å +dele sine personopplysninger med leverandøren.</p> + + + + + Experience and updated recipe for using the Signal app without a mobile phone + http://people.skolelinux.org/pere/blog/Experience_and_updated_recipe_for_using_the_Signal_app_without_a_mobile_phone.html + http://people.skolelinux.org/pere/blog/Experience_and_updated_recipe_for_using_the_Signal_app_without_a_mobile_phone.html + Mon, 10 Oct 2016 11:30:00 +0200 + <p>In July +<a href="http://people.skolelinux.org/pere/blog/How_to_use_the_Signal_app_if_you_only_have_a_land_line__ie_no_mobile_phone_.html">I +wrote how to get the Signal Chrome/Chromium app working</a> without +the ability to receive SMS messages (aka without a cell phone). It is +time to share some experiences and provide an updated setup.</p> + +<p>The Signal app have worked fine for several months now, and I use +it regularly to chat with my loved ones. I had a major snag at the +end of my summer vacation, when the the app completely forgot my +setup, identity and keys. The reason behind this major mess was +running out of disk space. To avoid that ever happening again I have +started storing everything in <tt>userdata/</tt> in git, to be able to +roll back to an earlier version if the files are wiped by mistake. I +had to use it once after introducing the git backup. When rolling +back to an earlier version, one need to use the 'reset session' option +in Signal to get going, and notify the people you talk with about the +problem. I assume there is some sequence number tracking in the +protocol to detect rollback attacks. The git repository is rather big +(674 MiB so far), but I have not tried to figure out if some of the +content can be added to a .gitignore file due to lack of spare +time.</p> + +<p>I've also hit the 90 days timeout blocking, and noticed that this +make it impossible to send messages using Signal. I could still +receive them, but had to patch the code with a new timestamp to send. +I believe the timeout is added by the developers to force people to +upgrade to the latest version of the app, even when there is no +protocol changes, to reduce the version skew among the user base and +thus try to keep the number of support requests down.</p> + +<p>Since my original recipe, the Signal source code changed slightly, +making the old patch fail to apply cleanly. Below is an updated +patch, including the shell wrapper I use to start Signal. The +original version required a new user to locate the JavaScript console +and call a function from there. I got help from a friend with more +JavaScript knowledge than me to modify the code to provide a GUI +button instead. This mean that to get started you just need to run +the wrapper and click the 'Register without mobile phone' to get going +now. I've also modified the timeout code to always set it to 90 days +in the future, to avoid having to patch the code regularly.</p> + +<p>So, the updated recipe for Debian Jessie:</p> + +<ol> + +<li>First, install required packages to get the source code and the +browser you need. Signal only work with Chrome/Chromium, as far as I +know, so you need to install it. + +<pre> +apt install git tor chromium +git clone https://github.com/WhisperSystems/Signal-Desktop.git +</pre></li> + +<li>Modify the source code using command listed in the the patch +block below.</li> + +<li>Start Signal using the run-signal-app wrapper (for example using +<tt>`pwd`/run-signal-app</tt>). + +<li>Click on the 'Register without mobile phone', will in a phone +number you can receive calls to the next minute, receive the +verification code and enter it into the form field and press +'Register'. Note, the phone number you use will be user Signal +username, ie the way others can find you on Signal.</li> + +<li>You can now use Signal to contact others. Note, new contacts do +not show up in the contact list until you restart Signal, and there is +no way to assign names to Contacts. There is also no way to create or +update chat groups. I suspect this is because the web app do not have +a associated contact database.</li> + +</ol> + +<p>I am still a bit uneasy about using Signal, because of the way its +main author moxie0 reject federation and accept dependencies to major +corporations like Google (part of the code is fetched from Google) and +Amazon (the central coordination point is owned by Amazon). See for +example +<a href="https://github.com/LibreSignal/LibreSignal/issues/37">the +LibreSignal issue tracker</a> for a thread documenting the authors +view on these issues. But the network effect is strong in this case, +and several of the people I want to communicate with already use +Signal. Perhaps we can all move to <a href="https://ring.cx/">Ring</a> +once it <a href="https://bugs.debian.org/830265">work on my +laptop</a>? It already work on Windows and Android, and is included +in <a href="https://tracker.debian.org/pkg/ring">Debian</a> and +<a href="https://launchpad.net/ubuntu/+source/ring">Ubuntu</a>, but not +working on Debian Stable.</p> + +<p>Anyway, this is the patch I apply to the Signal code to get it +working. It switch to the production servers, disable to timeout, +make registration easier and add the shell wrapper:</p> + +<pre> +cd Signal-Desktop; cat &lt;&lt;EOF | patch -p1 +diff --git a/js/background.js b/js/background.js +index 24b4c1d..579345f 100644 +--- a/js/background.js ++++ b/js/background.js +@@ -33,9 +33,9 @@ + }); + }); + +- var SERVER_URL = 'https://textsecure-service-staging.whispersystems.org'; ++ var SERVER_URL = 'https://textsecure-service-ca.whispersystems.org'; + var SERVER_PORTS = [80, 4433, 8443]; +- var ATTACHMENT_SERVER_URL = 'https://whispersystems-textsecure-attachments-staging.s3.amazonaws.com'; ++ var ATTACHMENT_SERVER_URL = 'https://whispersystems-textsecure-attachments.s3.amazonaws.com'; + var messageReceiver; + window.getSocketStatus = function() { + if (messageReceiver) { +diff --git a/js/expire.js b/js/expire.js +index 639aeae..beb91c3 100644 +--- a/js/expire.js ++++ b/js/expire.js +@@ -1,6 +1,6 @@ + ;(function() { + 'use strict'; +- var BUILD_EXPIRATION = 0; ++ var BUILD_EXPIRATION = Date.now() + (90 * 24 * 60 * 60 * 1000); + + window.extension = window.extension || {}; + +diff --git a/js/views/install_view.js b/js/views/install_view.js +index 7816f4f..1d6233b 100644 +--- a/js/views/install_view.js ++++ b/js/views/install_view.js +@@ -38,7 +38,8 @@ + return { + 'click .step1': this.selectStep.bind(this, 1), + 'click .step2': this.selectStep.bind(this, 2), +- 'click .step3': this.selectStep.bind(this, 3) ++ 'click .step3': this.selectStep.bind(this, 3), ++ 'click .callreg': function() { extension.install('standalone') }, + }; + }, + clearQR: function() { +diff --git a/options.html b/options.html +index dc0f28e..8d709f6 100644 +--- a/options.html ++++ b/options.html +@@ -14,7 +14,10 @@ + &lt;div class='nav'> + &lt;h1>{{ installWelcome }}&lt;/h1> + &lt;p>{{ installTagline }}&lt;/p> +- &lt;div> &lt;a class='button step2'>{{ installGetStartedButton }}&lt;/a> &lt;/div> ++ &lt;div> &lt;a class='button step2'>{{ installGetStartedButton }}&lt;/a> ++ &lt;br> &lt;a class="button callreg">Register without mobile phone&lt;/a> ++ ++ &lt;/div> + &lt;span class='dot step1 selected'>&lt;/span> + &lt;span class='dot step2'>&lt;/span> + &lt;span class='dot step3'>&lt;/span> +--- /dev/null 2016-10-07 09:55:13.730181472 +0200 ++++ b/run-signal-app 2016-10-10 08:54:09.434172391 +0200 +@@ -0,0 +1,12 @@ ++#!/bin/sh ++set -e ++cd $(dirname $0) ++mkdir -p userdata ++userdata="`pwd`/userdata" ++if [ -d "$userdata" ] && [ ! -d "$userdata/.git" ] ; then ++ (cd $userdata && git init) ++fi ++(cd $userdata && git add . && git commit -m "Current status." || true) ++exec chromium \ ++ --proxy-server="socks://localhost:9050" \ ++ --user-data-dir=$userdata --load-and-launch-app=`pwd` +EOF +chmod a+rx run-signal-app +</pre> + +<p>As usual, if you use Bitcoin and want to show your support of my +activities, please send Bitcoin donations to my address +<b><a href="bitcoin:15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b&label=PetterReinholdtsenBlog">15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b</a></b>.</p> + + + NRKs kildevern når NRK-epost deles med utenlands etterretning? http://people.skolelinux.org/pere/blog/NRKs_kildevern_n_r_NRK_epost_deles_med_utenlands_etterretning_.html @@ -632,136 +880,5 @@ administratoren der, så hadde jeg brukt weblate i stedet.</p> - - Techno TV broadcasting live across Norway and the Internet (#debconf16, #nuug) on @frikanalen - http://people.skolelinux.org/pere/blog/Techno_TV_broadcasting_live_across_Norway_and_the_Internet___debconf16___nuug__on__frikanalen.html - http://people.skolelinux.org/pere/blog/Techno_TV_broadcasting_live_across_Norway_and_the_Internet___debconf16___nuug__on__frikanalen.html - Mon, 1 Aug 2016 10:30:00 +0200 - <p>Did you know there is a TV channel broadcasting talks from DebConf -16 across an entire country? Or that there is a TV channel -broadcasting talks by or about -<a href="http://beta.frikanalen.no/video/625529/">Linus Torvalds</a>, -<a href="http://beta.frikanalen.no/video/625599/">Tor</a>, -<a href="http://beta.frikanalen.no/video/624019/">OpenID</A>, -<a href="http://beta.frikanalen.no/video/625624/">Common Lisp</a>, -<a href="http://beta.frikanalen.no/video/625446/">Civic Tech</a>, -<a href="http://beta.frikanalen.no/video/625090/">EFF founder John Barlow</a>, -<a href="http://beta.frikanalen.no/video/625432/">how to make 3D -printer electronics</a> and many more fascinating topics? It works -using only free software (all of it -<a href="http://github.com/Frikanalen">available from Github</a>), and -is administrated using a web browser and a web API.</p> - -<p>The TV channel is the Norwegian open channel -<a href="http://www.frikanalen.no/">Frikanalen</a>, and I am involved -via <a href="https://www.nuug.no/">the NUUG member association</a> in -running and developing the software for the channel. The channel is -organised as a member organisation where its members can upload and -broadcast what they want (think of it as Youtube for national -broadcasting television). Individuals can broadcast too. The time -slots are handled on a first come, first serve basis. Because the -channel have almost no viewers and very few active members, we can -experiment with TV technology without too much flack when we make -mistakes. And thanks to the few active members, most of the slots on -the schedule are free. I see this as an opportunity to spread -knowledge about technology and free software, and have a script I run -regularly to fill up all the open slots the next few days with -technology related video. The end result is a channel I like to -describe as Techno TV - filled with interesting talks and -presentations.</p> - -<p>It is available on channel 50 on the Norwegian national digital TV -network (RiksTV). It is also available as a multicast stream on -Uninett. And finally, it is available as -<a href="http://beta.frikanalen.no/">a WebM unicast stream</a> from -Frikanalen and NUUG. Check it out. :)</p> - - - - - Unlocking HTC Desire HD on Linux using unruu and fastboot - http://people.skolelinux.org/pere/blog/Unlocking_HTC_Desire_HD_on_Linux_using_unruu_and_fastboot.html - http://people.skolelinux.org/pere/blog/Unlocking_HTC_Desire_HD_on_Linux_using_unruu_and_fastboot.html - Thu, 7 Jul 2016 11:30:00 +0200 - <p>Yesterday, I tried to unlock a HTC Desire HD phone, and it proved -to be a slight challenge. Here is the recipe if I ever need to do it -again. It all started by me wanting to try the recipe to set up -<a href="https://blog.torproject.org/blog/mission-impossible-hardening-android-security-and-privacy">an -hardened Android installation</a> from the Tor project blog on a -device I had access to. It is a old mobile phone with a broken -microphone The initial idea had been to just -<a href="http://wiki.cyanogenmod.org/w/Install_CM_for_ace">install -CyanogenMod on it</a>, but did not quite find time to start on it -until a few days ago.</p> - -<p>The unlock process is supposed to be simple: (1) Boot into the boot -loader (press volume down and power at the same time), (2) select -'fastboot' before (3) connecting the device via USB to a Linux -machine, (4) request the device identifier token by running 'fastboot -oem get_identifier_token', (5) request the device unlocking key using -the <a href="http://www.htcdev.com/bootloader/">HTC developer web -site</a> and unlock the phone using the key file emailed to you.</p> - -<p>Unfortunately, this only work fi you have hboot version 2.00.0029 -or newer, and the device I was working on had 2.00.0027. This -apparently can be easily fixed by downloading a Windows program and -running it on your Windows machine, if you accept the terms Microsoft -require you to accept to use Windows - which I do not. So I had to -come up with a different approach. I got a lot of help from AndyCap -on #nuug, and would not have been able to get this working without -him.</p> - -<p>First I needed to extract the hboot firmware from -<a href="http://www.htcdev.com/ruu/PD9810000_Ace_Sense30_S_hboot_2.00.0029.exe">the -windows binary for HTC Desire HD</a> downloaded as 'the RUU' from HTC. -For this there is is <a href="https://github.com/kmdm/unruu/">a github -project named unruu</a> using libunshield. The unshield tool did not -recognise the file format, but unruu worked and extracted rom.zip, -containing the new hboot firmware and a text file describing which -devices it would work for.</p> - -<p>Next, I needed to get the new firmware into the device. For this I -followed some instructions -<a href="http://www.htc1guru.com/2013/09/new-ruu-zips-posted/">available -from HTC1Guru.com</a>, and ran these commands as root on a Linux -machine with Debian testing:</p> - -<p><pre> -adb reboot-bootloader -fastboot oem rebootRUU -fastboot flash zip rom.zip -fastboot flash zip rom.zip -fastboot reboot -</pre></p> - -<p>The flash command apparently need to be done twice to take effect, -as the first is just preparations and the second one do the flashing. -The adb command is just to get to the boot loader menu, so turning the -device on while holding volume down and the power button should work -too.</p> - -<p>With the new hboot version in place I could start following the -instructions on the HTC developer web site. I got the device token -like this:</p> - -<p><pre> -fastboot oem get_identifier_token 2>&1 | sed 's/(bootloader) //' -</pre> - -<p>And once I got the unlock code via email, I could use it like -this:</p> - -<p><pre> -fastboot flash unlocktoken Unlock_code.bin -</pre></p> - -<p>And with that final step in place, the phone was unlocked and I -could start stuffing the software of my own choosing into the device. -So far I only inserted a replacement recovery image to wipe the phone -before I start. We will see what happen next. Perhaps I should -install <a href="https://www.debian.org/">Debian</a> on it. :)</p> - - -