X-Git-Url: http://pere.pagekite.me/gitweb/homepage.git/blobdiff_plain/c30ecc6ac781252aba5722ca7953cc4a4483f469..077b7dd8148096600292d947669ddbfd0180f6f4:/blog/index.rss diff --git a/blog/index.rss b/blog/index.rss index 2cc8fa6f3c..530fc6ddc3 100644 --- a/blog/index.rss +++ b/blog/index.rss @@ -7,609 +7,623 @@ - Unlocking HTC Desire HD on Linux using unruu and fastboot - http://people.skolelinux.org/pere/blog/Unlocking_HTC_Desire_HD_on_Linux_using_unruu_and_fastboot.html - http://people.skolelinux.org/pere/blog/Unlocking_HTC_Desire_HD_on_Linux_using_unruu_and_fastboot.html - Thu, 7 Jul 2016 11:30:00 +0200 - <p>Yesterday, I tried to unlock a HTC Desire HD phone, and it proved -to be a slight challenge. Here is the recipe if I ever need to do it -again. It all started by me wanting to try the recipe to set up -<a href="https://blog.torproject.org/blog/mission-impossible-hardening-android-security-and-privacy">an -hardened Android installation</a> from the Tor project blog on a -device I had access to. It is a old mobile phone with a broken -microphone The initial idea had been to just -<a href="http://wiki.cyanogenmod.org/w/Install_CM_for_ace">install -CyanogenMod on it</a>, but did not quite find time to start on it -until a few days ago.</p> - -<p>The unlock process is supposed to be simple: (1) Boot into the boot -loader (press volume down and power at the same time), (2) select -'fastboot' before (3) connecting the device via USB to a Linux -machine, (4) request the device identifier token by running 'fastboot -oem get_identifier_token', (5) request the device unlocking key using -the <a href="http://www.htcdev.com/bootloader/">HTC developer web -site</a> and unlock the phone using the key file emailed to you.</p> - -<p>Unfortunately, this only work fi you have hboot version 2.00.0029 -or newer, and the device I was working on had 2.00.0027. This -apparently can be easily fixed by downloading a Windows program and -running it on your Windows machine, if you accept the terms Microsoft -require you to accept to use Windows - which I do not. So I had to -come up with a different approach. I got a lot of help from AndyCap -on #nuug, and would not have been able to get this working without -him.</p> - -<p>First I needed to extract the hboot firmware from -<a href="http://www.htcdev.com/ruu/PD9810000_Ace_Sense30_S_hboot_2.00.0029.exe">the -windows binary for HTC Desire HD</a> downloaded as 'the RUU' from HTC. -For this there is is <a href="https://github.com/kmdm/unruu/">a github -project named unruu</a> using libunshield. The unshield tool did not -recognise the file format, but unruu worked and extracted rom.zip, -containing the new hboot firmware and a text file describing which -devices it would work for.</p> - -<p>Next, I needed to get the new firmware into the device. For this I -followed some instructions -<a href="http://www.htc1guru.com/2013/09/new-ruu-zips-posted/">available -from HTC1Guru.com</a>, and ran these commands as root on a Linux -machine with Debian testing:</p> - -<p><pre> -adb reboot-bootloader -fastboot oem rebootRUU -fastboot flash zip rom.zip -fastboot flash zip rom.zip -fastboot reboot -</pre></p> - -<p>The flash command apparently need to be done twice to take effect, -as the first is just preparations and the second one do the flashing. -The adb command is just to get to the boot loader menu, so turning the -device on while holding volume down and the power button should work -too.</p> - -<p>With the new hboot version in place I could start following the -instructions on the HTC developer web site. I got the device token -like this:</p> - -<p><pre> -fastboot oem get_identifier_token 2>&1 | sed 's/(bootloader) //' -</pre> - -<p>And once I got the unlock code via email, I could use it like -this:</p> - -<p><pre> -fastboot flash unlocktoken Unlock_code.bin -</pre></p> - -<p>And with that final step in place, the phone was unlocked and I -could start stuffing the software of my own choosing into the device. -So far I only inserted a replacement recovery image to wipe the phone -before I start. We will see what happen next. Perhaps I should -install <a href="https://www.debian.org/">Debian</a> on it. :)</p> + How does it feel to be wiretapped, when you should be doing the wiretapping... + http://people.skolelinux.org/pere/blog/How_does_it_feel_to_be_wiretapped__when_you_should_be_doing_the_wiretapping___.html + http://people.skolelinux.org/pere/blog/How_does_it_feel_to_be_wiretapped__when_you_should_be_doing_the_wiretapping___.html + Wed, 8 Mar 2017 11:50:00 +0100 + <p>So the new president in the United States of America claim to be +surprised to discover that he was wiretapped during the election +before he was elected president. He even claim this must be illegal. +Well, doh, if it is one thing the confirmations from Snowden +documented, it is that the entire population in USA is wiretapped, one +way or another. Of course the president candidates were wiretapped, +alongside the senators, judges and the rest of the people in USA.</p> + +<p>Next, the Federal Bureau of Investigation ask the Department of +Justice to go public rejecting the claims that Donald Trump was +wiretapped illegally. I fail to see the relevance, given that I am +sure the surveillance industry in USA believe they have all the legal +backing they need to conduct mass surveillance on the entire +world.</p> + +<p>There is even the director of the FBI stating that he never saw an +order requesting wiretapping of Donald Trump. That is not very +surprising, given how the FISA court work, with all its activity being +secret. Perhaps he only heard about it?</p> + +<p>What I find most sad in this story is how Norwegian journalists +present it. In a news reports the other day in the radio from the +Norwegian National broadcasting Company (NRK), I heard the journalist +claim that 'the FBI denies any wiretapping', while the reality is that +'the FBI denies any illegal wiretapping'. There is a fundamental and +important difference, and it make me sad that the journalists are +unable to grasp it.</p> - How to use the Signal app if you only have a land line (ie no mobile phone) - http://people.skolelinux.org/pere/blog/How_to_use_the_Signal_app_if_you_only_have_a_land_line__ie_no_mobile_phone_.html - http://people.skolelinux.org/pere/blog/How_to_use_the_Signal_app_if_you_only_have_a_land_line__ie_no_mobile_phone_.html - Sun, 3 Jul 2016 14:20:00 +0200 - <p>For a while now, I have wanted to test -<a href="https://whispersystems.org/">the Signal app</a>, as it is -said to provide end to end encrypted communication and several of my -friends and family are already using it. As I by choice do not own a -mobile phone, this proved to be harder than expected. And I wanted to -have the source of the client and know that it was the code used on my -machine. But yesterday I managed to get it working. I used the -Github source, compared it to the source in -<a href="https://chrome.google.com/webstore/detail/signal-private-messenger/bikioccmkafdpakkkcpdbppfkghcmihk?hl=en-US">the -Signal Chrome app</a> available from the Chrome web store, applied -patches to use the production Signal servers, started the app and -asked for the hidden "register without a smart phone" form. Here is -the recipe how I did it.</p> - -<p>First, I fetched the Signal desktop source from Github, using - -<pre> -git clone https://github.com/WhisperSystems/Signal-Desktop.git -</pre> - -<p>Next, I patched the source to use the production servers, to be -able to talk to other Signal users:</p> - -<pre> -cat &lt;&lt;EOF | patch -p0 -diff -ur ./js/background.js userdata/Default/Extensions/bikioccmkafdpakkkcpdbppfkghcmihk/0.15.0_0/js/background.js ---- ./js/background.js 2016-06-29 13:43:15.630344628 +0200 -+++ userdata/Default/Extensions/bikioccmkafdpakkkcpdbppfkghcmihk/0.15.0_0/js/background.js 2016-06-29 14:06:29.530300934 +0200 -@@ -47,8 +47,8 @@ - }); - }); - -- var SERVER_URL = 'https://textsecure-service-staging.whispersystems.org'; -- var ATTACHMENT_SERVER_URL = 'https://whispersystems-textsecure-attachments-staging.s3.amazonaws.com'; -+ var SERVER_URL = 'https://textsecure-service-ca.whispersystems.org:4433'; -+ var ATTACHMENT_SERVER_URL = 'https://whispersystems-textsecure-attachments.s3.amazonaws.com'; - var messageReceiver; - window.getSocketStatus = function() { - if (messageReceiver) { -diff -ur ./js/expire.js userdata/Default/Extensions/bikioccmkafdpakkkcpdbppfkghcmihk/0.15.0_0/js/expire.js ---- ./js/expire.js 2016-06-29 13:43:15.630344628 +0200 -+++ userdata/Default/Extensions/bikioccmkafdpakkkcpdbppfkghcmihk/0.15.0_0/js/expire.js2016-06-29 14:06:29.530300934 +0200 -@@ -1,6 +1,6 @@ - ;(function() { - 'use strict'; -- var BUILD_EXPIRATION = 0; -+ var BUILD_EXPIRATION = 1474492690000; - - window.extension = window.extension || {}; - -EOF -</pre> - -<p>The first part is changing the servers, and the second is updating -an expiration timestamp. This timestamp need to be updated regularly. -It is set 90 days in the future by the build process (Gruntfile.js). -The value is seconds since 1970 times 1000, as far as I can tell.</p> - -<p>Based on a tip and good help from the #nuug IRC channel, I wrote a -script to launch Signal in Chromium.</p> - -<pre> -#!/bin/sh -cd $(dirname $0) -mkdir -p userdata -exec chromium \ - --proxy-server="socks://localhost:9050" \ - --user-data-dir=`pwd`/userdata --load-and-launch-app=`pwd` -</pre> - -<p> The script start the app and configure Chromium to use the Tor -SOCKS5 proxy to make sure those controlling the Signal servers (today -Amazon and Whisper Systems) as well as those listening on the lines -will have a harder time location my laptop based on the Signal -connections if they use source IP address.</p> - -<p>When the script starts, one need to follow the instructions under -"Standalone Registration" in the CONTRIBUTING.md file in the git -repository. I right clicked on the Signal window to get up the -Chromium debugging tool, visited the 'Console' tab and wrote -'extension.install("standalone")' on the console prompt to get the -registration form. Then I entered by land line phone number and -pressed 'Call'. 5 seconds later the phone rang and a robot voice -repeated the verification code three times. After entering the number -into the verification code field in the form, I could start using -Signal from my laptop. - -<p>As far as I can tell, The Signal app will leak who is talking to -whom and thus who know who to those controlling the central server, -but such leakage is hard to avoid with a centrally controlled server -setup. It is something to keep in mind when using Signal - the -content of your chats are harder to intercept, but the meta data -exposing your contact network is available to people you do not know. -So better than many options, but not great. And sadly the usage is -connected to my land line, thus allowing those controlling the server -to associate it to my home and person. I would prefer it if only -those I knew could tell who I was on Signal. There are options -avoiding such information leakage, but most of my friends are not -using them, so I am stuck with Signal for now.</p> + Norwegian Bokmål translation of The Debian Administrator's Handbook complete, proofreading in progress + http://people.skolelinux.org/pere/blog/Norwegian_Bokm_l_translation_of_The_Debian_Administrator_s_Handbook_complete__proofreading_in_progress.html + http://people.skolelinux.org/pere/blog/Norwegian_Bokm_l_translation_of_The_Debian_Administrator_s_Handbook_complete__proofreading_in_progress.html + Fri, 3 Mar 2017 14:50:00 +0100 + <p>For almost a year now, we have been working on making a Norwegian +Bokmål edition of <a href="https://debian-handbook.info/">The Debian +Administrator's Handbook</a>. Now, thanks to the tireless effort of +Ole-Erik, Ingrid and Andreas, the initial translation is complete, and +we are working on the proof reading to ensure consistent language and +use of correct computer science terms. The plan is to make the book +available on paper, as well as in electronic form. For that to +happen, the proof reading must be completed and all the figures need +to be translated. If you want to help out, get in touch.</p> + +<p><a href="http://people.skolelinux.org/pere/debian-handbook/debian-handbook-nb-NO.pdf">A + +fresh PDF edition</a> in A4 format (the final book will have smaller +pages) of the book created every morning is available for +proofreading. If you find any errors, please +<a href="https://hosted.weblate.org/projects/debian-handbook/">visit +Weblate and correct the error</a>. The +<a href="http://l.github.io/debian-handbook/stat/nb-NO/index.html">state +of the translation including figures</a> is a useful source for those +provide Norwegian bokmål screen shots and figures.</p> - The new "best" multimedia player in Debian? - http://people.skolelinux.org/pere/blog/The_new__best__multimedia_player_in_Debian_.html - http://people.skolelinux.org/pere/blog/The_new__best__multimedia_player_in_Debian_.html - Mon, 6 Jun 2016 12:50:00 +0200 - <p>When I set out a few weeks ago to figure out -<a href="http://people.skolelinux.org/pere/blog/What_is_the_best_multimedia_player_in_Debian_.html">which -multimedia player in Debian claimed to support most file formats / -MIME types</a>, I was a bit surprised how varied the sets of MIME types -the various players claimed support for. The range was from 55 to 130 -MIME types. I suspect most media formats are supported by all -players, but this is not really reflected in the MimeTypes values in -their desktop files. There are probably also some bogus MIME types -listed, but it is hard to identify which one this is.</p> - -<p>Anyway, in the mean time I got in touch with upstream for some of -the players suggesting to add more MIME types to their desktop files, -and decided to spend some time myself improving the situation for my -favorite media player VLC. The fixes for VLC entered Debian unstable -yesterday. The complete list of MIME types can be seen on the -<a href="https://wiki.debian.org/DebianMultimedia/PlayerSupport">Multimedia -player MIME type support status</a> Debian wiki page.</p> - -<p>The new "best" multimedia player in Debian? It is VLC, followed by -totem, parole, kplayer, gnome-mpv, mpv, smplayer, mplayer-gui and -kmplayer. I am sure some of the other players desktop files support -several of the formats currently listed as working only with vlc, -toten and parole.</p> - -<p>A sad observation is that only 14 MIME types are listed as -supported by all the tested multimedia players in Debian in their -desktop files: audio/mpeg, audio/vnd.rn-realaudio, audio/x-mpegurl, -audio/x-ms-wma, audio/x-scpls, audio/x-wav, video/mp4, video/mpeg, -video/quicktime, video/vnd.rn-realvideo, video/x-matroska, -video/x-ms-asf, video/x-ms-wmv and video/x-msvideo. Personally I find -it sad that video/ogg and video/webm is not supported by all the media -players in Debian. As far as I can tell, all of them can handle both -formats.</p> + Unlimited randomness with the ChaosKey? + http://people.skolelinux.org/pere/blog/Unlimited_randomness_with_the_ChaosKey_.html + http://people.skolelinux.org/pere/blog/Unlimited_randomness_with_the_ChaosKey_.html + Wed, 1 Mar 2017 20:50:00 +0100 + <p>A few days ago I ordered a small batch of +<a href="http://altusmetrum.org/ChaosKey/">the ChaosKey</a>, a small +USB dongle for generating entropy created by Bdale Garbee and Keith +Packard. Yesterday it arrived, and I am very happy to report that it +work great! According to its designers, to get it to work out of the +box, you need the Linux kernel version 4.1 or later. I tested on a +Debian Stretch machine (kernel version 4.9), and there it worked just +fine, increasing the available entropy very quickly. I wrote a small +test oneliner to test. It first print the current entropy level, +drain /dev/random, and then print the entropy level for five seconds. +Here is the situation without the ChaosKey inserted:</p> + +<blockquote><pre> +% cat /proc/sys/kernel/random/entropy_avail; \ + dd bs=1M if=/dev/random of=/dev/null count=1; \ + for n in $(seq 1 5); do \ + cat /proc/sys/kernel/random/entropy_avail; \ + sleep 1; \ + done +300 +0+1 oppføringer inn +0+1 oppføringer ut +28 byte kopiert, 0,000264565 s, 106 kB/s +4 +8 +12 +17 +21 +% +</pre></blockquote> + +<p>The entropy level increases by 3-4 every second. In such case any +application requiring random bits (like a HTTPS enabled web server) +will halt and wait for more entrpy. And here is the situation with +the ChaosKey inserted:</p> + +<blockquote><pre> +% cat /proc/sys/kernel/random/entropy_avail; \ + dd bs=1M if=/dev/random of=/dev/null count=1; \ + for n in $(seq 1 5); do \ + cat /proc/sys/kernel/random/entropy_avail; \ + sleep 1; \ + done +1079 +0+1 oppføringer inn +0+1 oppføringer ut +104 byte kopiert, 0,000487647 s, 213 kB/s +433 +1028 +1031 +1035 +1038 +% +</pre></blockquote> + +<p>Quite the difference. :) I bought a few more than I need, in case +someone want to buy one here in Norway. :)</p> + +<p>Update: The dongle was presented at Debconf last year. You might +find <a href="https://debconf16.debconf.org/talks/94/">the talk +recording illuminating</a>. It explains exactly what the source of +randomness is, if you are unable to spot it from the schema drawing +available from the ChaosKey web site linked at the start of this blog +post.</p> - A program should be able to open its own files on Linux - http://people.skolelinux.org/pere/blog/A_program_should_be_able_to_open_its_own_files_on_Linux.html - http://people.skolelinux.org/pere/blog/A_program_should_be_able_to_open_its_own_files_on_Linux.html - Sun, 5 Jun 2016 08:30:00 +0200 - <p>Many years ago, when koffice was fresh and with few users, I -decided to test its presentation tool when making the slides for a -talk I was giving for NUUG on Japhar, a free Java virtual machine. I -wrote the first draft of the slides, saved the result and went to bed -the day before I would give the talk. The next day I took a plane to -the location where the meeting should take place, and on the plane I -started up koffice again to polish the talk a bit, only to discover -that kpresenter refused to load its own data file. I cursed a bit and -started making the slides again from memory, to have something to -present when I arrived. I tested that the saved files could be -loaded, and the day seemed to be rescued. I continued to polish the -slides until I suddenly discovered that the saved file could no longer -be loaded into kpresenter. In the end I had to rewrite the slides -three times, condensing the content until the talk became shorter and -shorter. After the talk I was able to pinpoint the problem &ndash; -kpresenter wrote inline images in a way itself could not understand. -Eventually that bug was fixed and kpresenter ended up being a great -program to make slides. The point I'm trying to make is that we -expect a program to be able to load its own data files, and it is -embarrassing to its developers if it can't.</p> - -<p>Did you ever experience a program failing to load its own data -files from the desktop file browser? It is not a uncommon problem. A -while back I discovered that the screencast recorder -gtk-recordmydesktop would save an Ogg Theora video file the KDE file -browser would refuse to open. No video player claimed to understand -such file. I tracked down the cause being <tt>file --mime-type</tt> -returning the application/ogg MIME type, which no video player I had -installed listed as a MIME type they would understand. I asked for -<a href="http://bugs.gw.com/view.php?id=382">file to change its -behavour</a> and use the MIME type video/ogg instead. I also asked -several video players to add video/ogg to their desktop files, to give -the file browser an idea what to do about Ogg Theora files. After a -while, the desktop file browsers in Debian started to handle the -output from gtk-recordmydesktop properly.</p> - -<p>But history repeats itself. A few days ago I tested the music -system Rosegarden again, and I discovered that the KDE and xfce file -browsers did not know what to do with the Rosegarden project files -(*.rg). I've reported <a href="http://bugs.debian.org/825993">the -rosegarden problem to BTS</a> and a fix is commited to git and will be -included in the next upload. To increase the chance of me remembering -how to fix the problem next time some program fail to load its files -from the file browser, here are some notes on how to fix it.</p> - -<p>The file browsers in Debian in general operates on MIME types. -There are two sources for the MIME type of a given file. The output from -<tt>file --mime-type</tt> mentioned above, and the content of the -shared MIME type registry (under /usr/share/mime/). The file MIME -type is mapped to programs supporting the MIME type, and this -information is collected from -<a href="https://www.freedesktop.org/wiki/Specifications/desktop-entry-spec/">the -desktop files</a> available in /usr/share/applications/. If there is -one desktop file claiming support for the MIME type of the file, it is -activated when asking to open a given file. If there are more, one -can normally select which one to use by right-clicking on the file and -selecting the wanted one using 'Open with' or similar. In general -this work well. But it depend on each program picking a good MIME -type (preferably -<a href="http://www.iana.org/assignments/media-types/media-types.xhtml">a -MIME type registered with IANA</a>), file and/or the shared MIME -registry recognizing the file and the desktop file to list the MIME -type in its list of supported MIME types.</p> - -<p>The <tt>/usr/share/mime/packages/rosegarden.xml</tt> entry for -<a href="http://www.freedesktop.org/wiki/Specifications/shared-mime-info-spec">the -Shared MIME database</a> look like this:</p> - -<p><blockquote><pre> -&lt;?xml version="1.0" encoding="UTF-8"?&gt; -&lt;mime-info xmlns="http://www.freedesktop.org/standards/shared-mime-info"&gt; - &lt;mime-type type="audio/x-rosegarden"&gt; - &lt;sub-class-of type="application/x-gzip"/&gt; - &lt;comment&gt;Rosegarden project file&lt;/comment&gt; - &lt;glob pattern="*.rg"/&gt; - &lt;/mime-type&gt; -&lt;/mime-info&gt; -</pre></blockquote></p> - -<p>This states that audio/x-rosegarden is a kind of application/x-gzip -(it is a gzipped XML file). Note, it is much better to use an -official MIME type registered with IANA than it is to make up ones own -unofficial ones like the x-rosegarden type used by rosegarden.</p> - -<p>The desktop file of the rosegarden program failed to list -audio/x-rosegarden in its list of supported MIME types, causing the -file browsers to have no idea what to do with *.rg files:</p> - -<p><blockquote><pre> -% grep Mime /usr/share/applications/rosegarden.desktop -MimeType=audio/x-rosegarden-composition;audio/x-rosegarden-device;audio/x-rosegarden-project;audio/x-rosegarden-template;audio/midi; -X-KDE-NativeMimeType=audio/x-rosegarden-composition -% -</pre></blockquote></p> - -<p>The fix was to add "audio/x-rosegarden;" at the end of the -MimeType= line.</p> - -<p>If you run into a file which fail to open the correct program when -selected from the file browser, please check out the output from -<tt>file --mime-type</tt> for the file, ensure the file ending and -MIME type is registered somewhere under /usr/share/mime/ and check -that some desktop file under /usr/share/applications/ is claiming -support for this MIME type. If not, please report a bug to have it -fixed. :)</p> + Detect OOXML files with undefined behaviour? + http://people.skolelinux.org/pere/blog/Detect_OOXML_files_with_undefined_behaviour_.html + http://people.skolelinux.org/pere/blog/Detect_OOXML_files_with_undefined_behaviour_.html + Tue, 21 Feb 2017 00:20:00 +0100 + <p>I just noticed +<a href="http://www.arkivrad.no/aktuelt/riksarkivarens-forskrift-pa-horing">the +new Norwegian proposal for archiving rules in the goverment</a> list +<a href="http://www.ecma-international.org/publications/standards/Ecma-376.htm">ECMA-376</a> +/ ISO/IEC 29500 (aka OOXML) as valid formats to put in long term +storage. Luckily such files will only be accepted based on +pre-approval from the National Archive. Allowing OOXML files to be +used for long term storage might seem like a good idea as long as we +forget that there are plenty of ways for a "valid" OOXML document to +have content with no defined interpretation in the standard, which +lead to a question and an idea.</p> + +<p>Is there any tool to detect if a OOXML document depend on such +undefined behaviour? It would be useful for the National Archive (and +anyone else interested in verifying that a document is well defined) +to have such tool available when considering to approve the use of +OOXML. I'm aware of the +<a href="https://github.com/arlm/officeotron/">officeotron OOXML +validator</a>, but do not know how complete it is nor if it will +report use of undefined behaviour. Are there other similar tools +available? Please send me an email if you know of any such tool.</p> - Tor - from its creators mouth 11 years ago - http://people.skolelinux.org/pere/blog/Tor___from_its_creators_mouth_11_years_ago.html - http://people.skolelinux.org/pere/blog/Tor___from_its_creators_mouth_11_years_ago.html - Sat, 28 May 2016 14:20:00 +0200 - <p>A little more than 11 years ago, one of the creators of Tor, and -the current President of <a href="https://www.torproject.org/">the Tor -project</a>, Roger Dingledine, gave a talk for the members of the -<a href="http://www.nuug.no/">Norwegian Unix User group</a> (NUUG). A -video of the talk was recorded, and today, thanks to the great help -from David Noble, I finally was able to publish the video of the talk -on Frikanalen, the Norwegian open channel TV station where NUUG -currently publishes its talks. You can -<a href="http://frikanalen.no/se">watch the live stream using a web -browser</a> with WebM support, or check out the recording on the video -on demand page for the talk -"<a href="http://beta.frikanalen.no/video/625599">Tor: Anonymous -communication for the US Department of Defence...and you.</a>".</p> - -<p>Here is the video included for those of you using browsers with -HTML video and Ogg Theora support:</p> - -<p><video width="70%" poster="http://simula.gunkies.org/media/625599/large_thumb/20050421-tor-frikanalen.jpg" controls> - <source src="http://simula.gunkies.org/media/625599/theora/20050421-tor-frikanalen.ogv" type="video/ogg"/> -</video></p> - -<p>I guess the gist of the talk can be summarised quite simply: If you -want to help the military in USA (and everyone else), use Tor. :)</p> + Ruling ignored our objections to the seizure of popcorn-time.no (#domstolkontroll) + http://people.skolelinux.org/pere/blog/Ruling_ignored_our_objections_to_the_seizure_of_popcorn_time_no___domstolkontroll_.html + http://people.skolelinux.org/pere/blog/Ruling_ignored_our_objections_to_the_seizure_of_popcorn_time_no___domstolkontroll_.html + Mon, 13 Feb 2017 21:30:00 +0100 + <p>A few days ago, we received the ruling from +<a href="http://people.skolelinux.org/pere/blog/A_day_in_court_challenging_seizure_of_popcorn_time_no_for__domstolkontroll.html">my +day in court</a>. The case in question is a challenge of the seizure +of the DNS domain popcorn-time.no. The ruling simply did not mention +most of our arguments, and seemed to take everything ØKOKRIM said at +face value, ignoring our demonstration and explanations. But it is +hard to tell for sure, as we still have not seen most of the documents +in the case and thus were unprepared and unable to contradict several +of the claims made in court by the opposition. We are considering an +appeal, but it is partly a question of funding, as it is costing us +quite a bit to pay for our lawyer. If you want to help, please +<a href="http://www.nuug.no/dns-beslag-donasjon.shtml">donate to the +NUUG defense fund</a>.</p> + +<p>The details of the case, as far as we know it, is available in +Norwegian from +<a href="https://www.nuug.no/news/tags/dns-domenebeslag/">the NUUG +blog</a>. This also include +<a href="https://www.nuug.no/news/Avslag_etter_rettslig_h_ring_om_DNS_beslaget___vurderer_veien_videre.shtml">the +ruling itself</a>.</p> - Isenkram with PackageKit support - new version 0.23 available in Debian unstable - http://people.skolelinux.org/pere/blog/Isenkram_with_PackageKit_support___new_version_0_23_available_in_Debian_unstable.html - http://people.skolelinux.org/pere/blog/Isenkram_with_PackageKit_support___new_version_0_23_available_in_Debian_unstable.html - Wed, 25 May 2016 10:20:00 +0200 - <p><a href="https://tracker.debian.org/pkg/isenkram">The isenkram -system</a> is a user-focused solution in Debian for handling hardware -related packages. The idea is to have a database of mappings between -hardware and packages, and pop up a dialog suggesting for the user to -install the packages to use a given hardware dongle. Some use cases -are when you insert a Yubikey, it proposes to install the software -needed to control it; when you insert a braille reader list it -proposes to install the packages needed to send text to the reader; -and when you insert a ColorHug screen calibrator it suggests to -install the driver for it. The system work well, and even have a few -command line tools to install firmware packages and packages for the -hardware already in the machine (as opposed to hotpluggable hardware).</p> - -<p>The system was initially written using aptdaemon, because I found -good documentation and example code on how to use it. But aptdaemon -is going away and is generally being replaced by -<a href="http://www.freedesktop.org/software/PackageKit/">PackageKit</a>, -so Isenkram needed a rewrite. And today, thanks to the great patch -from my college Sunil Mohan Adapa in the FreedomBox project, the -rewrite finally took place. I've just uploaded a new version of -Isenkram into Debian Unstable with the patch included, and the default -for the background daemon is now to use PackageKit. To check it out, -install the <tt>isenkram</tt> package and insert some hardware dongle -and see if it is recognised.</p> - -<p>If you want to know what kind of packages isenkram would propose for -the machine it is running on, you can check out the isenkram-lookup -program. This is what it look like on a Thinkpad X230:</p> - -<p><blockquote><pre> -% isenkram-lookup -bluez -cheese -fprintd -fprintd-demo -gkrellm-thinkbat -hdapsd -libpam-fprintd -pidgin-blinklight -thinkfan -tleds -tp-smapi-dkms -tp-smapi-source -tpb -%p -</pre></blockquote></p> - -<p>The hardware mappings come from several places. The preferred way -is for packages to announce their hardware support using -<a href="https://www.freedesktop.org/software/appstream/docs/">the -cross distribution appstream system</a>. -See -<a href="http://people.skolelinux.org/pere/blog/tags/isenkram/">previous -blog posts about isenkram</a> to learn how to do that.</p> + A day in court challenging seizure of popcorn-time.no for #domstolkontroll + http://people.skolelinux.org/pere/blog/A_day_in_court_challenging_seizure_of_popcorn_time_no_for__domstolkontroll.html + http://people.skolelinux.org/pere/blog/A_day_in_court_challenging_seizure_of_popcorn_time_no_for__domstolkontroll.html + Fri, 3 Feb 2017 11:10:00 +0100 + <p align="center"><img width="70%" src="http://people.skolelinux.org/pere/blog/images/2017-02-01-popcorn-time-in-court.jpeg"></p> + +<p>On Wednesday, I spent the entire day in court in Follo Tingrett +representing <a href="https://www.nuug.no/">the member association +NUUG</a>, alongside <a href="https://www.efn.no/">the member +association EFN</a> and <a href="http://www.imc.no">the DNS registrar +IMC</a>, challenging the seizure of the DNS name popcorn-time.no. It +was interesting to sit in a court of law for the first time in my +life. Our team can be seen in the picture above: attorney Ola +Tellesbø, EFN board member Tom Fredrik Blenning, IMC CEO Morten Emil +Eriksen and NUUG board member Petter Reinholdtsen.</p> + +<p><a href="http://www.domstol.no/no/Enkelt-domstol/follo-tingrett/Nar-gar-rettssaken/Beramming/?cid=AAAA1701301512081262234UJFBVEZZZZZEJBAvtale">The +case at hand</a> is that the Norwegian National Authority for +Investigation and Prosecution of Economic and Environmental Crime (aka +Økokrim) decided on their own, to seize a DNS domain early last +year, without following +<a href="https://www.norid.no/no/regelverk/navnepolitikk/#link12">the +official policy of the Norwegian DNS authority</a> which require a +court decision. The web site in question was a site covering Popcorn +Time. And Popcorn Time is the name of a technology with both legal +and illegal applications. Popcorn Time is a client combining +searching a Bittorrent directory available on the Internet with +downloading/distribute content via Bittorrent and playing the +downloaded content on screen. It can be used illegally if it is used +to distribute content against the will of the right holder, but it can +also be used legally to play a lot of content, for example the +millions of movies +<a href="https://archive.org/details/movies">available from the +Internet Archive</a> or the collection +<a href="http://vodo.net/films/">available from Vodo</a>. We created +<a href="magnet:?xt=urn:btih:86c1802af5a667ca56d3918aecb7d3c0f7173084&dn=PresentasjonFolloTingrett.mov&tr=udp%3A%2F%2Fpublic.popcorn-tracker.org%3A6969%2Fannounce">a +video demonstrating legally use of Popcorn Time</a> and played it in +Court. It can of course be downloaded using Bittorrent.</p> + +<p>I did not quite know what to expect from a day in court. The +government held on to their version of the story and we held on to +ours, and I hope the judge is able to make sense of it all. We will +know in two weeks time. Unfortunately I do not have high hopes, as +the Government have the upper hand here with more knowledge about the +case, better training in handling criminal law and in general higher +standing in the courts than fairly unknown DNS registrar and member +associations. It is expensive to be right also in Norway. So far the +case have cost more than NOK 70 000,-. To help fund the case, NUUG +and EFN have asked for donations, and managed to collect around NOK 25 +000,- so far. Given the presentation from the Government, I expect +the government to appeal if the case go our way. And if the case do +not go our way, I hope we have enough funding to appeal.</p> + +<p>From the other side came two people from Økokrim. On the benches, +appearing to be part of the group from the government were two people +from the Simonsen Vogt Wiik lawyer office, and three others I am not +quite sure who was. Økokrim had proposed to present two witnesses +from The Motion Picture Association, but this was rejected because +they did not speak Norwegian and it was a bit late to bring in a +translator, but perhaps the two from MPA were present anyway. All +seven appeared to know each other. Good to see the case is take +seriously.</p> + +<p>If you, like me, believe the courts should be involved before a DNS +domain is hijacked by the government, or you believe the Popcorn Time +technology have a lot of useful and legal applications, I suggest you +too <a href="http://www.nuug.no/dns-beslag-donasjon.shtml">donate to +the NUUG defense fund</a>. Both Bitcoin and bank transfer are +available. If NUUG get more than we need for the legal action (very +unlikely), the rest will be spend promoting free software, open +standards and unix-like operating systems in Norway, so no matter what +happens the money will be put to good use.</p> + +<p>If you want to lean more about the case, I recommend you check out +<a href="https://www.nuug.no/news/tags/dns-domenebeslag/">the blog +posts from NUUG covering the case</a>. They cover the legal arguments +on both sides.</p> - Discharge rate estimate in new battery statistics collector for Debian - http://people.skolelinux.org/pere/blog/Discharge_rate_estimate_in_new_battery_statistics_collector_for_Debian.html - http://people.skolelinux.org/pere/blog/Discharge_rate_estimate_in_new_battery_statistics_collector_for_Debian.html - Mon, 23 May 2016 09:35:00 +0200 - <p>Yesterday I updated the -<a href="https://tracker.debian.org/pkg/battery-stats">battery-stats -package in Debian</a> with a few patches sent to me by skilled and -enterprising users. There were some nice user and visible changes. -First of all, both desktop menu entries now work. A design flaw in -one of the script made the history graph fail to show up (its PNG was -dumped in ~/.xsession-errors) if no controlling TTY was available. -The script worked when called from the command line, but not when -called from the desktop menu. I changed this to look for a DISPLAY -variable or a TTY before deciding where to draw the graph, and now the -graph window pop up as expected.</p> - -<p>The next new feature is a discharge rate estimator in one of the -graphs (the one showing the last few hours). New is also the user of -colours showing charging in blue and discharge in red. The percentages -of this graph is relative to last full charge, not battery design -capacity.</p> - -<p align="center"><img src="http://people.skolelinux.org/pere/blog/images/2016-05-23-battery-stats-rate.png"/></p> - -<p>The other graph show the entire history of the collected battery -statistics, comparing it to the design capacity of the battery to -visualise how the battery life time get shorter over time. The red -line in this graph is what the previous graph considers 100 percent: - -<p align="center"><img src="http://people.skolelinux.org/pere/blog/images/2016-05-23-battery-stats-history.png"/></p> - -<p>In this graph you can see that I only charge the battery to 80 -percent of last full capacity, and how the capacity of the battery is -shrinking. :(</p> - -<p>The last new feature is in the collector, which now will handle -more hardware models. On some hardware, Linux power supply -information is stored in /sys/class/power_supply/ACAD/, while the -collector previously only looked in /sys/class/power_supply/AC/. Now -both are checked to figure if there is power connected to the -machine.</p> - -<p>If you are interested in how your laptop battery is doing, please -check out the -<a href="https://tracker.debian.org/pkg/battery-stats">battery-stats</a> -in Debian unstable, or rebuild it on Jessie to get it working on -Debian stable. :) The upstream source is available from <a -href="https://github.com/petterreinholdtsen/battery-stats">github</a>. -Patches are very welcome.</p> - -<p>As usual, if you use Bitcoin and want to show your support of my -activities, please send Bitcoin donations to my address -<b><a href="bitcoin:15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b">15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b</a></b>.</p> + Nasjonalbiblioteket avslutter sin ulovlige bruk av Google Skjemaer + http://people.skolelinux.org/pere/blog/Nasjonalbiblioteket_avslutter_sin_ulovlige_bruk_av_Google_Skjemaer.html + http://people.skolelinux.org/pere/blog/Nasjonalbiblioteket_avslutter_sin_ulovlige_bruk_av_Google_Skjemaer.html + Thu, 12 Jan 2017 09:40:00 +0100 + <p>I dag fikk jeg en skikkelig gladmelding. Bakgrunnen er at før jul +arrangerte Nasjonalbiblioteket +<a href="http://www.nb.no/Bibliotekutvikling/Kunnskapsorganisering/Nasjonalt-verksregister/Seminar-om-verksregister">et +seminar om sitt knakende gode tiltak «verksregister»</a>. Eneste +måten å melde seg på dette seminaret var å sende personopplysninger +til Google via Google Skjemaer. Dette syntes jeg var tvilsom praksis, +da det bør være mulig å delta på seminarer arrangert av det offentlige +uten å måtte dele sine interesser, posisjon og andre +personopplysninger med Google. Jeg ba derfor om innsyn via +<a href="https://www.mimesbronn.no/">Mimes brønn</a> i +<a href="https://www.mimesbronn.no/request/personopplysninger_til_google_sk">avtaler +og vurderinger Nasjonalbiblioteket hadde rundt dette</a>. +Personopplysningsloven legger klare rammer for hva som må være på +plass før en kan be tredjeparter, spesielt i utlandet, behandle +personopplysninger på sine vegne, så det burde eksistere grundig +dokumentasjon før noe slikt kan bli lovlig. To jurister hos +Nasjonalbiblioteket mente først dette var helt i orden, og at Googles +standardavtale kunne brukes som databehandlingsavtale. Det syntes jeg +var merkelig, men har ikke hatt kapasitet til å følge opp saken før +for to dager siden.</p> + +<p>Gladnyheten i dag, som kom etter at jeg tipset Nasjonalbiblioteket +om at Datatilsynet underkjente Googles standardavtaler som +databehandleravtaler i 2011, er at Nasjonalbiblioteket har bestemt seg +for å avslutte bruken av Googles Skjemaer/Apps og gå i dialog med DIFI +for å finne bedre måter å håndtere påmeldinger i tråd med +personopplysningsloven. Det er fantastisk å se at av og til hjelper +det å spørre hva i alle dager det offentlige holder på med.</p> - French edition of Lawrence Lessigs book Cultura Libre on Amazon and Barnes & Noble - http://people.skolelinux.org/pere/blog/French_edition_of_Lawrence_Lessigs_book_Cultura_Libre_on_Amazon_and_Barnes___Noble.html - http://people.skolelinux.org/pere/blog/French_edition_of_Lawrence_Lessigs_book_Cultura_Libre_on_Amazon_and_Barnes___Noble.html - Sat, 21 May 2016 10:50:00 +0200 - <p>A few weeks ago the French paperback edition of Lawrence Lessigs -2004 book Cultura Libre was published. Today I noticed that the book -is now available from book stores. You can now buy it from -<a href="http://www.amazon.com/Culture-Libre-French-Lawrence-Lessig/dp/8269018260">Amazon</a> -($19.99), -<a href="http://www.barnesandnoble.com/w/culture-libre-lawrence-lessig/1123776705">Barnes -& Noble</a> ($?) and as always from -<a href="http://www.lulu.com/shop/lawrence-lessig/culture-libre/paperback/product-22645082.html">Lulu.com</a> -($19.99). The revenue is donated to the Creative Commons project. If -you buy from Lulu.com, they currently get $10.59, while if you buy -from one of the book stores most of the revenue go to the book store -and the Creative Commons project get much (not sure how much -less).</p> - -<p>I was a bit surprised to discover that there is a kindle edition -sold by Amazon Digital Services LLC on Amazon. Not quite sure how -that edition was created, but if you want to download a electronic -edition (PDF, EPUB, Mobi) generated from the same files used to create -the paperback edition, they are -<a href="https://github.com/petterreinholdtsen/free-culture-lessig">available -from github</a>.</p> + Bryter NAV sin egen personvernerklæring? + http://people.skolelinux.org/pere/blog/Bryter_NAV_sin_egen_personvernerkl_ring_.html + http://people.skolelinux.org/pere/blog/Bryter_NAV_sin_egen_personvernerkl_ring_.html + Wed, 11 Jan 2017 06:50:00 +0100 + <p>Jeg leste med interesse en nyhetssak hos +<a href="http://www.digi.no/artikler/nav-avslorer-trygdemisbruk-ved-a-spore-ip-adresser/367394">digi.no</a> +og +<a href="https://www.nrk.no/buskerud/trygdesvindlere-avslores-av-utenlandske-ip-adresser-1.13313461">NRK</a> +om at det ikke bare er meg, men at også NAV bedriver geolokalisering +av IP-adresser, og at det gjøres analyse av IP-adressene til de som +sendes inn meldekort for å se om meldekortet sendes inn fra +utenlandske IP-adresser. Politiadvokat i Drammen, Hans Lyder Haare, +er sitert i NRK på at «De to er jo blant annet avslørt av +IP-adresser. At man ser at meldekortet kommer fra utlandet.»</p> + +<p>Jeg synes det er fint at det blir bedre kjent at IP-adresser +knyttes til enkeltpersoner og at innsamlet informasjon brukes til å +stedsbestemme personer også av aktører her i Norge. Jeg ser det som +nok et argument for å bruke +<a href="https://www.torproject.org/">Tor</a> så mye som mulig for å +gjøre gjøre IP-lokalisering vanskeligere, slik at en kan beskytte sin +privatsfære og unngå å dele sin fysiske plassering med +uvedkommede.</p> + +<P>Men det er en ting som bekymrer meg rundt denne nyheten. Jeg ble +tipset (takk #nuug) om +<a href="https://www.nav.no/no/NAV+og+samfunn/Kontakt+NAV/Teknisk+brukerstotte/Snarveier/personvernerkl%C3%A6ring-for-arbeids-og-velferdsetaten">NAVs +personvernerklæring</a>, som under punktet «Personvern og statistikk» +lyder:</p> + +<p><blockquote> + +<p>«Når du besøker nav.no, etterlater du deg elektroniske spor. Sporene +dannes fordi din nettleser automatisk sender en rekke opplysninger til +NAVs tjener (server-maskin) hver gang du ber om å få vist en side. Det +er eksempelvis opplysninger om hvilken nettleser og -versjon du +bruker, og din internettadresse (ip-adresse). For hver side som vises, +lagres følgende opplysninger:</p> + +<ul> +<li>hvilken side du ser på</li> +<li>dato og tid</li> +<li>hvilken nettleser du bruker</li> +<li>din ip-adresse</li> +</ul> + +<p>Ingen av opplysningene vil bli brukt til å identifisere +enkeltpersoner. NAV bruker disse opplysningene til å generere en +samlet statistikk som blant annet viser hvilke sider som er mest +populære. Statistikken er et redskap til å forbedre våre +tjenester.»</p> + +</blockquote></p> + +<p>Jeg klarer ikke helt å se hvordan analyse av de besøkendes +IP-adresser for å se hvem som sender inn meldekort via web fra en +IP-adresse i utlandet kan gjøres uten å komme i strid med påstanden om +at «ingen av opplysningene vil bli brukt til å identifisere +enkeltpersoner». Det virker dermed for meg som at NAV bryter sine +egen personvernerklæring, hvilket +<a href="http://people.skolelinux.org/pere/blog/Er_lover_brutt_n_r_personvernpolicy_ikke_stemmer_med_praksis_.html">Datatilsynet +fortalte meg i starten av desember antagelig er brudd på +personopplysningsloven</a>. + +<p>I tillegg er personvernerklæringen ganske misvisende i og med at +NAVs nettsider ikke bare forsyner NAV med personopplysninger, men i +tillegg ber brukernes nettleser kontakte fem andre nettjenere +(script.hotjar.com, static.hotjar.com, vars.hotjar.com, +www.google-analytics.com og www.googletagmanager.com), slik at +personopplysninger blir gjort tilgjengelig for selskapene Hotjar og +Google , og alle som kan lytte på trafikken på veien (som FRA, GCHQ og +NSA). Jeg klarer heller ikke se hvordan slikt spredning av +personopplysninger kan være i tråd med kravene i +personopplysningloven, eller i tråd med NAVs personvernerklæring.</p> + +<p>Kanskje NAV bør ta en nøye titt på sin personvernerklæring? Eller +kanskje Datatilsynet bør gjøre det?</p> - I want the courts to be involved before the police can hijack a news site DNS domain (#domstolkontroll) - http://people.skolelinux.org/pere/blog/I_want_the_courts_to_be_involved_before_the_police_can_hijack_a_news_site_DNS_domain___domstolkontroll_.html - http://people.skolelinux.org/pere/blog/I_want_the_courts_to_be_involved_before_the_police_can_hijack_a_news_site_DNS_domain___domstolkontroll_.html - Thu, 19 May 2016 14:00:00 +0200 - <p>I just donated to the -<a href="http://www.nuug.no/dns-beslag-donasjon.shtml">NUUG defence -"fond"</a> to fund the effort in Norway to get the seizure of the news -site popcorn-time.no tested in court. I hope everyone that agree with -me will do the same.</p> - -<p>Would you be worried if you knew the police in your country could -hijack DNS domains of news sites covering free software system without -talking to a judge first? I am. What if the free software system -combined search engine lookups, bittorrent downloads and video playout -and was called Popcorn Time? Would that affect your view? It still -make me worried.</p> - -<p>In March 2016, the Norwegian police seized (as in forced NORID to -change the IP address pointed to by it to one controlled by the -police) the DNS domain popcorn-time.no, without any supervision from -the courts. I did not know about the web site back then, and assumed -the courts had been involved, and was very surprised when I discovered -that the police had hijacked the DNS domain without asking a judge for -permission first. I was even more surprised when I had a look at -<a href="https://web.archive.org/web/*/http://popcorn-time.no">the web -site content on the Internet Archive</A>, and only found news coverage -about Popcorn Time, not any material published without the right -holders permissions.</p> - -<p>The seizure was widely covered in the Norwegian press (see for -example <a href="http://www.hegnar.no/Nyheter/Naeringsliv/2016/03/Popcorn-time.no-beslaglagt-av-OEkokrim">Hegnar Online</a> and -<a href="http://itavisen.no/2016/03/08/okokrim-har-beslaglagt-popcorn-time-no/">ITavisen<a/> -and -<a href="http://www.nrk.no/kultur/okokrim-gar-til-aksjon-mot-popcorn-time-1.12842452">NRK</a>), -at first due to the press release sent out by Økokrim, but then based -on -<a href="http://blogg.torvund.net/2016/03/09/okokrims-beslag-i-domenet-popcorn-time-no/">protests -from the law professor Olav Torvund</a> and -<a href="http://www.klassekampen.no/article/20160311/ARTICLE/160319995">lawyer -Jon Wessel-Aas</a>. It even got some -<a href="https://torrentfreak.com/norwegian-authorities-sued-over-popcorn-time-domain-seizure-160418/">coverage -on TorrentFreak</a>.</p> - -<p>I -<a href="http://people.skolelinux.org/pere/blog/NUUG_contests_Norwegian_police_DNS_seizure_of_popcorn_time_no.html"> -wrote about the case a month ago</a>, when the -<a href="http://www.nuug.no/">Norwegian Unix User Group</a> (NUUG), -where I am an active member, decided to ask the courts to test this seizure. -The request was denied, but NUUG and its co-requestor EFN have not -given up, and now they are rallying for support to get the seizure -legally challenged. They accept both bank and Bitcoin transfer for -those that want to support the request.</p> - -<p>If you as me believe news sites about free software should not be -censored, even if the free software have both legal and illegal -applications, and that DNS hijacking should be tested by the courts, I -suggest you <a href="http://www.nuug.no/dns-beslag-donasjon.shtml">show -your support by donating to NUUG</a>.</a> + Where did that package go? &mdash; geolocated IP traceroute + http://people.skolelinux.org/pere/blog/Where_did_that_package_go___mdash__geolocated_IP_traceroute.html + http://people.skolelinux.org/pere/blog/Where_did_that_package_go___mdash__geolocated_IP_traceroute.html + Mon, 9 Jan 2017 12:20:00 +0100 + <p>Did you ever wonder where the web trafic really flow to reach the +web servers, and who own the network equipment it is flowing through? +It is possible to get a glimpse of this from using traceroute, but it +is hard to find all the details. Many years ago, I wrote a system to +map the Norwegian Internet (trying to figure out if our plans for a +network game service would get low enough latency, and who we needed +to talk to about setting up game servers close to the users. Back +then I used traceroute output from many locations (I asked my friends +to run a script and send me their traceroute output) to create the +graph and the map. The output from traceroute typically look like +this: + +<p><pre> +traceroute to www.stortinget.no (85.88.67.10), 30 hops max, 60 byte packets + 1 uio-gw10.uio.no (129.240.202.1) 0.447 ms 0.486 ms 0.621 ms + 2 uio-gw8.uio.no (129.240.24.229) 0.467 ms 0.578 ms 0.675 ms + 3 oslo-gw1.uninett.no (128.39.65.17) 0.385 ms 0.373 ms 0.358 ms + 4 te3-1-2.br1.fn3.as2116.net (193.156.90.3) 1.174 ms 1.172 ms 1.153 ms + 5 he16-1-1.cr1.san110.as2116.net (195.0.244.234) 2.627 ms he16-1-1.cr2.oslosda310.as2116.net (195.0.244.48) 3.172 ms he16-1-1.cr1.san110.as2116.net (195.0.244.234) 2.857 ms + 6 ae1.ar8.oslosda310.as2116.net (195.0.242.39) 0.662 ms 0.637 ms ae0.ar8.oslosda310.as2116.net (195.0.242.23) 0.622 ms + 7 89.191.10.146 (89.191.10.146) 0.931 ms 0.917 ms 0.955 ms + 8 * * * + 9 * * * +[...] +</pre></p> + +<p>This show the DNS names and IP addresses of (at least some of the) +network equipment involved in getting the data traffic from me to the +www.stortinget.no server, and how long it took in milliseconds for a +package to reach the equipment and return to me. Three packages are +sent, and some times the packages do not follow the same path. This +is shown for hop 5, where three different IP addresses replied to the +traceroute request.</p> + +<p>There are many ways to measure trace routes. Other good traceroute +implementations I use are traceroute (using ICMP packages) mtr (can do +both ICMP, UDP and TCP) and scapy (python library with ICMP, UDP, TCP +traceroute and a lot of other capabilities). All of them are easily +available in <a href="https://www.debian.org/">Debian</a>.</p> + +<p>This time around, I wanted to know the geographic location of +different route points, to visualize how visiting a web page spread +information about the visit to a lot of servers around the globe. The +background is that a web site today often will ask the browser to get +from many servers the parts (for example HTML, JSON, fonts, +JavaScript, CSS, video) required to display the content. This will +leak information about the visit to those controlling these servers +and anyone able to peek at the data traffic passing by (like your ISP, +the ISPs backbone provider, FRA, GCHQ, NSA and others).</p> + +<p>Lets pick an example, the Norwegian parliament web site +www.stortinget.no. It is read daily by all members of parliament and +their staff, as well as political journalists, activits and many other +citizens of Norway. A visit to the www.stortinget.no web site will +ask your browser to contact 8 other servers: ajax.googleapis.com, +insights.hotjar.com, script.hotjar.com, static.hotjar.com, +stats.g.doubleclick.net, www.google-analytics.com, +www.googletagmanager.com and www.netigate.se. I extracted this by +asking <a href="http://phantomjs.org/">PhantomJS</a> to visit the +Stortinget web page and tell me all the URLs PhantomJS downloaded to +render the page (in HAR format using +<a href="https://github.com/ariya/phantomjs/blob/master/examples/netsniff.js">their +netsniff example</a>. I am very grateful to Gorm for showing me how +to do this). My goal is to visualize network traces to all IP +addresses behind these DNS names, do show where visitors personal +information is spread when visiting the page.</p> + +<p align="center"><a href="www.stortinget.no-geoip.kml"><img +src="http://people.skolelinux.org/pere/blog/images/2017-01-09-www.stortinget.no-geoip-small.png" alt="map of combined traces for URLs used by www.stortinget.no using GeoIP"/></a></p> + +<p>When I had a look around for options, I could not find any good +free software tools to do this, and decided I needed my own traceroute +wrapper outputting KML based on locations looked up using GeoIP. KML +is easy to work with and easy to generate, and understood by several +of the GIS tools I have available. I got good help from by NUUG +colleague Anders Einar with this, and the result can be seen in +<a href="https://github.com/petterreinholdtsen/kmltraceroute">my +kmltraceroute git repository</a>. Unfortunately, the quality of the +free GeoIP databases I could find (and the for-pay databases my +friends had access to) is not up to the task. The IP addresses of +central Internet infrastructure would typically be placed near the +controlling companies main office, and not where the router is really +located, as you can see from <a href="www.stortinget.no-geoip.kml">the +KML file I created</a> using the GeoLite City dataset from MaxMind. + +<p align="center"><a href="http://people.skolelinux.org/pere/blog/images/2017-01-09-www.stortinget.no-scapy.svg"><img +src="http://people.skolelinux.org/pere/blog/images/2017-01-09-www.stortinget.no-scapy-small.png" alt="scapy traceroute graph for URLs used by www.stortinget.no"/></a></p> + +<p>I also had a look at the visual traceroute graph created by +<a href="http://www.secdev.org/projects/scapy/">the scrapy project</a>, +showing IP network ownership (aka AS owner) for the IP address in +question. +<a href="http://people.skolelinux.org/pere/blog/images/2017-01-09-www.stortinget.no-scapy.svg">The +graph display a lot of useful information about the traceroute in SVG +format</a>, and give a good indication on who control the network +equipment involved, but it do not include geolocation. This graph +make it possible to see the information is made available at least for +UNINETT, Catchcom, Stortinget, Nordunet, Google, Amazon, Telia, Level +3 Communications and NetDNA.</p> + +<p align="center"><a href="https://geotraceroute.com/index.php?node=4&host=www.stortinget.no"><img +src="http://people.skolelinux.org/pere/blog/images/2017-01-09-www.stortinget.no-geotraceroute-small.png" alt="example geotraceroute view for www.stortinget.no"/></a></p> + +<p>In the process, I came across the +<a href="https://geotraceroute.com/">web service GeoTraceroute</a> by +Salim Gasmi. Its methology of combining guesses based on DNS names, +various location databases and finally use latecy times to rule out +candidate locations seemed to do a very good job of guessing correct +geolocation. But it could only do one trace at the time, did not have +a sensor in Norway and did not make the geolocations easily available +for postprocessing. So I contacted the developer and asked if he +would be willing to share the code (he refused until he had time to +clean it up), but he was interested in providing the geolocations in a +machine readable format, and willing to set up a sensor in Norway. So +since yesterday, it is possible to run traces from Norway in this +service thanks to a sensor node set up by +<a href="https://www.nuug.no/">the NUUG assosiation</a>, and get the +trace in KML format for further processing.</p> + +<p align="center"><a href="http://people.skolelinux.org/pere/blog/images/2017-01-09-www.stortinget.no-geotraceroute-kml-join.kml"><img +src="http://people.skolelinux.org/pere/blog/images/2017-01-09-www.stortinget.no-geotraceroute-kml-join.png" alt="map of combined traces for URLs used by www.stortinget.no using geotraceroute"/></a></p> + +<p>Here we can see a lot of trafic passes Sweden on its way to +Denmark, Germany, Holland and Ireland. Plenty of places where the +Snowden confirmations verified the traffic is read by various actors +without your best interest as their top priority.</p> + +<p>Combining KML files is trivial using a text editor, so I could loop +over all the hosts behind the urls imported by www.stortinget.no and +ask for the KML file from GeoTraceroute, and create a combined KML +file with all the traces (unfortunately only one of the IP addresses +behind the DNS name is traced this time. To get them all, one would +have to request traces using IP number instead of DNS names from +GeoTraceroute). That might be the next step in this project.</p> + +<p>Armed with these tools, I find it a lot easier to figure out where +the IP traffic moves and who control the boxes involved in moving it. +And every time the link crosses for example the Swedish border, we can +be sure Swedish Signal Intelligence (FRA) is listening, as GCHQ do in +Britain and NSA in USA and cables around the globe. (Hm, what should +we tell them? :) Keep that in mind if you ever send anything +unencrypted over the Internet.</p> + +<p>PS: KML files are drawn using +<a href="http://ivanrublev.me/kml/">the KML viewer from Ivan +Rublev<a/>, as it was less cluttered than the local Linux application +Marble. There are heaps of other options too.</p> + +<p>As usual, if you use Bitcoin and want to show your support of my +activities, please send Bitcoin donations to my address +<b><a href="bitcoin:15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b&label=PetterReinholdtsenBlog">15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b</a></b>.</p> - Debian now with ZFS on Linux included - http://people.skolelinux.org/pere/blog/Debian_now_with_ZFS_on_Linux_included.html - http://people.skolelinux.org/pere/blog/Debian_now_with_ZFS_on_Linux_included.html - Thu, 12 May 2016 07:30:00 +0200 - <p>Today, after many years of hard work from many people, -<a href="http://zfsonlinux.org/">ZFS for Linux</a> finally entered -Debian. The package status can be seen on -<a href="https://tracker.debian.org/pkg/zfs-linux">the package tracker -for zfs-linux</a>. and -<a href="https://qa.debian.org/developer.php?login=pkg-zfsonlinux-devel@lists.alioth.debian.org">the -team status page</a>. If you want to help out, please join us. -<a href="http://anonscm.debian.org/gitweb/?p=pkg-zfsonlinux/zfs.git">The -source code</a> is available via git on Alioth. It would also be -great if you could help out with -<a href="https://tracker.debian.org/pkg/dkms">the dkms package</a>, as -it is an important piece of the puzzle to get ZFS working.</p> + Introducing ical-archiver to split out old iCalendar entries + http://people.skolelinux.org/pere/blog/Introducing_ical_archiver_to_split_out_old_iCalendar_entries.html + http://people.skolelinux.org/pere/blog/Introducing_ical_archiver_to_split_out_old_iCalendar_entries.html + Wed, 4 Jan 2017 12:20:00 +0100 + <p>Do you have a large <a href="https://icalendar.org/">iCalendar</a> +file with lots of old entries, and would like to archive them to save +space and resources? At least those of us using KOrganizer know that +turning on and off an event set become slower and slower the more +entries are in the set. While working on migrating our calendars to a +<a href="http://radicale.org/">Radicale CalDAV server</a> on our +<a href="https://freedomboxfoundation.org/">Freedombox server</a/>, my +loved one wondered if I could find a way to split up the calendar file +she had in KOrganizer, and I set out to write a tool. I spent a few +days writing and polishing the system, and it is now ready for general +consumption. The +<a href="https://github.com/petterreinholdtsen/ical-archiver">code for +ical-archiver</a> is publicly available from a git repository on +github. The system is written in Python and depend on +<a href="http://eventable.github.io/vobject/">the vobject Python +module</a>.</p> + +<p>To use it, locate the iCalendar file you want to operate on and +give it as an argument to the ical-archiver script. This will +generate a set of new files, one file per component type per year for +all components expiring more than two years in the past. The vevent, +vtodo and vjournal entries are handled by the script. The remaining +entries are stored in a 'remaining' file.</p> + +<p>This is what a test run can look like: + +<p><pre> +% ical-archiver t/2004-2016.ics +Found 3612 vevents +Found 6 vtodos +Found 2 vjournals +Writing t/2004-2016.ics-subset-vevent-2004.ics +Writing t/2004-2016.ics-subset-vevent-2005.ics +Writing t/2004-2016.ics-subset-vevent-2006.ics +Writing t/2004-2016.ics-subset-vevent-2007.ics +Writing t/2004-2016.ics-subset-vevent-2008.ics +Writing t/2004-2016.ics-subset-vevent-2009.ics +Writing t/2004-2016.ics-subset-vevent-2010.ics +Writing t/2004-2016.ics-subset-vevent-2011.ics +Writing t/2004-2016.ics-subset-vevent-2012.ics +Writing t/2004-2016.ics-subset-vevent-2013.ics +Writing t/2004-2016.ics-subset-vevent-2014.ics +Writing t/2004-2016.ics-subset-vjournal-2007.ics +Writing t/2004-2016.ics-subset-vjournal-2011.ics +Writing t/2004-2016.ics-subset-vtodo-2012.ics +Writing t/2004-2016.ics-remaining.ics +% +</pre></p> + +<p>As you can see, the original file is untouched and new files are +written with names derived from the original file. If you are happy +with their content, the *-remaining.ics file can replace the original +the the others can be archived or imported as historical calendar +collections.</p> + +<p>The script should probably be improved a bit. The error handling +when discovering broken entries is not good, and I am not sure yet if +it make sense to split different entry types into separate files or +not. The program is thus likely to change. If you find it +interesting, please get in touch. :)</p> + +<p>As usual, if you use Bitcoin and want to show your support of my +activities, please send Bitcoin donations to my address +<b><a href="bitcoin:15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b&label=PetterReinholdtsenBlog">15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b</a></b>.</p>