X-Git-Url: http://pere.pagekite.me/gitweb/homepage.git/blobdiff_plain/feb473cda9dc7b09ddc973f7b10e8ee0d15f60ee..6f2eff6f2c1badf27a0a32707a40d70c77c7b149:/blog/index.rss diff --git a/blog/index.rss b/blog/index.rss index 624313ff46..f0465a445f 100644 --- a/blog/index.rss +++ b/blog/index.rss 
@@ -7,589 +7,590 @@ - Epost inn som arkivformat i Riksarkivarens forskrift? - http://people.skolelinux.org/pere/blog/Epost_inn_som_arkivformat_i_Riksarkivarens_forskrift_.html - http://people.skolelinux.org/pere/blog/Epost_inn_som_arkivformat_i_Riksarkivarens_forskrift_.html - Thu, 27 Apr 2017 11:30:00 +0200 - <p>I disse dager, med frist 1. mai, har Riksarkivaren ute en høring på -sin forskrift. Som en kan se er det ikke mye tid igjen før fristen -som går ut på søndag. Denne forskriften er det som lister opp hvilke -formater det er greit å arkivere i -<a href="http://www.arkivverket.no/arkivverket/Offentleg-forvalting/Noark/Noark-5">Noark -5-løsninger</a> i Norge.</p> - -<p>Jeg fant høringsdokumentene hos -<a href="https://www.arkivrad.no/aktuelt/riksarkivarens-forskrift-pa-horing">Norsk -Arkivråd</a> etter å ha blitt tipset på epostlisten til -<a href="https://github.com/hiOA-ABI/nikita-noark5-core">fri -programvareprosjektet Nikita Noark5-Core</a>, som lager et Noark 5 -Tjenestegresesnitt. Jeg er involvert i Nikita-prosjektet og takket -være min interesse for tjenestegrensesnittsprosjektet har jeg lest en -god del Noark 5-relaterte dokumenter, og til min overraskelse oppdaget -at standard epost ikke er på listen over godkjente formater som kan -arkiveres. Høringen med frist søndag er en glimrende mulighet til å -forsøke å gjøre noe med det. Jeg holder på med -<a href="https://github.com/petterreinholdtsen/noark5-tester/blob/master/docs/hoering-arkivforskrift.md">egen -høringsuttalelse</a>, og lurer på om andre er interessert i å støtte -forslaget om å tillate arkivering av epost som epost i arkivet.</p> - -<p>Er du igang med å skrive egen høringsuttalelse allerede? I så fall -kan du jo vurdere å ta med en formulering om epost-lagring. Jeg tror -ikke det trengs så mye. 
Her et kort forslag til tekst:</p> - -<p><blockquote> - - <p>Viser til høring sendt ut 2017-02-17 (Riksarkivarens referanse - 2016/9840 HELHJO), og tillater oss å sende inn noen innspill om - revisjon av Forskrift om utfyllende tekniske og arkivfaglige - bestemmelser om behandling av offentlige arkiver (Riksarkivarens - forskrift).</p> - - <p>Svært mye av vår kommuikasjon foregår i dag på e-post.  Vi - foreslår derfor at Internett-e-post, slik det er beskrevet i IETF - RFC 5322, - <a href="https://tools.ietf.org/html/rfc5322">https://tools.ietf.org/html/rfc5322</a>. bør - inn som godkjent dokumentformat.  Vi foreslår at forskriftens - oversikt over godkjente dokumentformater ved innlevering i § 5-16 - endres til å ta med Internett-e-post.</p> - -</blockquote></p> - -<p>Som del av arbeidet med tjenestegrensesnitt har vi testet hvordan -epost kan lagres i en Noark 5-struktur, og holder på å skrive et -forslag om hvordan dette kan gjøres som vil bli sendt over til -arkivverket så snart det er ferdig. De som er interesserte kan -<a href="https://github.com/petterreinholdtsen/noark5-tester/blob/master/docs/epostlagring.md">følge -fremdriften på web</a>.</p> + Mangler du en skrue, eller har du en skrue løs? + http://people.skolelinux.org/pere/blog/Mangler_du_en_skrue__eller_har_du_en_skrue_l_s_.html + http://people.skolelinux.org/pere/blog/Mangler_du_en_skrue__eller_har_du_en_skrue_l_s_.html + Wed, 4 Oct 2017 09:40:00 +0200 + Når jeg holder på med ulike prosjekter, så trenger jeg stadig ulike +skruer. Det siste prosjektet jeg holder på med er å lage +<a href="https://www.thingiverse.com/thing:676916">en boks til en +HDMI-touch-skjerm</a> som skal brukes med Raspberry Pi. Boksen settes +sammen med skruer og bolter, og jeg har vært i tvil om hvor jeg kan +få tak i de riktige skruene. Clas Ohlson og Jernia i nærheten har +sjelden hatt det jeg trenger. Men her om dagen fikk jeg et fantastisk +tips for oss som bor i Oslo. 
+<a href="http://www.zachskruer.no/">Zachariassen Jernvare AS</a> i +<a href="http://www.openstreetmap.org/?mlat=59.93421&mlon=10.76795#map=19/59.93421/10.76795">Hegermannsgate +23A på Torshov</a> har et fantastisk utvalg, og åpent mellom 09:00 og +17:00. De selger skruer, muttere, bolter, skiver etc i løs vekt, og +så langt har jeg fått alt jeg har lett etter. De har i tillegg det +meste av annen jernvare, som verktøy, lamper, ledninger, etc. Jeg +håper de har nok kunder til å holde det gående lenge, da dette er en +butikk jeg kommer til å besøke ofte. Butikken er et funn å ha i +nabolaget for oss som liker å bygge litt selv. :)</p> - Offentlig elektronisk postjournal blokkerer tilgang for utvalgte webklienter - http://people.skolelinux.org/pere/blog/Offentlig_elektronisk_postjournal_blokkerer_tilgang_for_utvalgte_webklienter.html - http://people.skolelinux.org/pere/blog/Offentlig_elektronisk_postjournal_blokkerer_tilgang_for_utvalgte_webklienter.html - Thu, 20 Apr 2017 13:00:00 +0200 - <p>Jeg oppdaget i dag at <a href="https://www.oep.no/">nettstedet som -publiserer offentlige postjournaler fra statlige etater</a>, OEP, har -begynt å blokkerer enkelte typer webklienter fra å få tilgang. Vet -ikke hvor mange det gjelder, men det gjelder i hvert fall libwww-perl -og curl. For å teste selv, kjør følgende:</p> - -<blockquote><pre> -% curl -v -s https://www.oep.no/pub/report.xhtml?reportId=3 2>&1 |grep '< HTTP' -< HTTP/1.1 404 Not Found -% curl -v -s --header 'User-Agent:Opera/12.0' https://www.oep.no/pub/report.xhtml?reportId=3 2>&1 |grep '< HTTP' -< HTTP/1.1 200 OK -% -</pre></blockquote> - -<p>Her kan en se at tjenesten gir «404 Not Found» for curl i -standardoppsettet, mens den gir «200 OK» hvis curl hevder å være Opera -versjon 12.0. Offentlig elektronisk postjournal startet blokkeringen -2017-03-02.</p> - -<p>Blokkeringen vil gjøre det litt vanskeligere å maskinelt hente -informasjon fra oep.no. 
Kan blokkeringen være gjort for å hindre -automatisert innsamling av informasjon fra OEP, slik Pressens -Offentlighetsutvalg gjorde for å dokumentere hvordan departementene -hindrer innsyn i -<a href="http://presse.no/dette-mener-np/undergraver-offentlighetsloven/">rapporten -«Slik hindrer departementer innsyn» som ble publiserte i januar -2017</a>. Det virker usannsynlig, da det jo er trivielt å bytte -User-Agent til noe nytt.</p> - -<p>Finnes det juridisk grunnlag for det offentlige å diskriminere -webklienter slik det gjøres her? Der tilgang gis eller ikke alt etter -hva klienten sier at den heter? Da OEP eies av DIFI og driftes av -Basefarm, finnes det kanskje noen dokumenter sendt mellom disse to -aktørene man kan be om innsyn i for å forstå hva som har skjedd. Men -<a href="https://www.oep.no/search/result.html?period=dateRange&fromDate=01.01.2016&toDate=01.04.2017&dateType=documentDate&caseDescription=&descType=both&caseNumber=&documentNumber=&sender=basefarm&senderType=both&documentType=all&legalAuthority=&archiveCode=&list2=196&searchType=advanced&Search=Search+in+records">postjournalen -til DIFI viser kun to dokumenter</a> det siste året mellom DIFI og -Basefarm. -<a href="https://www.mimesbronn.no/request/blokkering_av_tilgang_til_oep_fo">Mimes brønn neste</a>, -tenker jeg.</p> + Visualizing GSM radio chatter using gr-gsm and Hopglass + http://people.skolelinux.org/pere/blog/Visualizing_GSM_radio_chatter_using_gr_gsm_and_Hopglass.html + http://people.skolelinux.org/pere/blog/Visualizing_GSM_radio_chatter_using_gr_gsm_and_Hopglass.html + Fri, 29 Sep 2017 10:30:00 +0200 + <p>Every mobile phone announce its existence over radio to the nearby +mobile cell towers. And this radio chatter is available for anyone +with a radio receiver capable of receiving them. Details about the +mobile phones with very good accuracy is of course collected by the +phone companies, but this is not the topic of this blog post. 
The +mobile phone radio chatter make it possible to figure out when a cell +phone is nearby, as it include the SIM card ID (IMSI). By paying +attention over time, one can see when a phone arrive and when it leave +an area. I believe it would be nice to make this information more +available to the general public, to make more people aware of how +their phones are announcing their whereabouts to anyone that care to +listen.</p> + +<p>I am very happy to report that we managed to get something +visualizing this information up and running for +<a href="http://norwaymakers.org/osf17">Oslo Skaperfestival 2017</a> +(Oslo Makers Festival) taking place today and tomorrow at Deichmanske +library. The solution is based on the +<a href="http://people.skolelinux.org/pere/blog/Easier_recipe_to_observe_the_cell_phones_around_you.html">simple +recipe for listening to GSM chatter</a> I posted a few days ago, and +will show up at the stand of <a href="http://sonen.ifi.uio.no/">Åpen +Sone from the Computer Science department of the University of +Oslo</a>. The presentation will show the nearby mobile phones (aka +IMSIs) as dots in a web browser graph, with lines to the dot +representing mobile base station it is talking to. It was working in +the lab yesterday, and was moved into place this morning.</p> + +<p>We set up a fairly powerful desktop machine using Debian +Buster/Testing with several (five, I believe) RTL2838 DVB-T receivers +connected and visualize the visible cell phone towers using an +<a href="https://github.com/marlow925/hopglass">English version of +Hopglass</a>. 
A fairly powerfull machine is needed as the +grgsm_livemon_headless processes from +<a href="https://tracker.debian.org/pkg/gr-gsm">gr-gsm</a> converting +the radio signal to data packages is quite CPU intensive.</p> + +<p>The frequencies to listen to, are identified using a slightly +patched scan-and-livemon (to set the --args values for each receiver), +and the Hopglass data is generated using the +<a href="https://github.com/petterreinholdtsen/IMSI-catcher/tree/meshviewer-output">patches +in my meshviewer-output branch</a>. For some reason we could not get +more than four SDRs working. There is also a geographical map trying +to show the location of the base stations, but I believe their +coordinates are hardcoded to some random location in Germany, I +believe. The code should be replaced with code to look up location in +a text file, a sqlite database or one of the online databases +mentioned in +<a href="https://github.com/Oros42/IMSI-catcher/issues/14">the github +issue for the topic</a>. + +<p>If this sound interesting, visit the stand at the festival!</p> - Free software archive system Nikita now able to store documents - http://people.skolelinux.org/pere/blog/Free_software_archive_system_Nikita_now_able_to_store_documents.html - http://people.skolelinux.org/pere/blog/Free_software_archive_system_Nikita_now_able_to_store_documents.html - Sun, 19 Mar 2017 08:00:00 +0100 - <p>The <a href="https://github.com/hiOA-ABI/nikita-noark5-core">Nikita -Noark 5 core project</a> is implementing the Norwegian standard for -keeping an electronic archive of government documents. -<a href="http://www.arkivverket.no/arkivverket/Offentlig-forvaltning/Noark/Noark-5/English-version">The -Noark 5 standard</a> document the requirement for data systems used by -the archives in the Norwegian government, and the Noark 5 web interface -specification document a REST web service for storing, searching and -retrieving documents and metadata in such archive. 
I've been involved -in the project since a few weeks before Christmas, when the Norwegian -Unix User Group -<a href="https://www.nuug.no/news/NOARK5_kjerne_som_fri_programvare_f_r_epostliste_hos_NUUG.shtml">announced -it supported the project</a>. I believe this is an important project, -and hope it can make it possible for the government archives in the -future to use free software to keep the archives we citizens depend -on. But as I do not hold such archive myself, personally my first use -case is to store and analyse public mail journal metadata published -from the government. I find it useful to have a clear use case in -mind when developing, to make sure the system scratches one of my -itches.</p> - -<p>If you would like to help make sure there is a free software -alternatives for the archives, please join our IRC channel -(<a href="irc://irc.freenode.net/%23nikita"">#nikita on -irc.freenode.net</a>) and -<a href="https://lists.nuug.no/mailman/listinfo/nikita-noark">the -project mailing list</a>.</p> - -<p>When I got involved, the web service could store metadata about -documents. But a few weeks ago, a new milestone was reached when it -became possible to store full text documents too. Yesterday, I -completed an implementation of a command line tool -<tt>archive-pdf</tt> to upload a PDF file to the archive using this -API. The tool is very simple at the moment, and find existing -<a href="https://en.wikipedia.org/wiki/Fonds">fonds</a>, series and -files while asking the user to select which one to use if more than -one exist. Once a file is identified, the PDF is associated with the -file and uploaded, using the title extracted from the PDF itself. The -process is fairly similar to visiting the archive, opening a cabinet, -locating a file and storing a piece of paper in the archive. 
Here is -a test run directly after populating the database with test data using -our API tester:</p> - -<p><blockquote><pre> -~/src//noark5-tester$ ./archive-pdf mangelmelding/mangler.pdf -using arkiv: Title of the test fonds created 2017-03-18T23:49:32.103446 -using arkivdel: Title of the test series created 2017-03-18T23:49:32.103446 - - 0 - Title of the test case file created 2017-03-18T23:49:32.103446 - 1 - Title of the test file created 2017-03-18T23:49:32.103446 -Select which mappe you want (or search term): 0 -Uploading mangelmelding/mangler.pdf - PDF title: Mangler i spesifikasjonsdokumentet for NOARK 5 Tjenestegrensesnitt - File 2017/1: Title of the test case file created 2017-03-18T23:49:32.103446 -~/src//noark5-tester$ -</pre></blockquote></p> - -<p>You can see here how the fonds (arkiv) and serie (arkivdel) only had -one option, while the user need to choose which file (mappe) to use -among the two created by the API tester. The <tt>archive-pdf</tt> -tool can be found in the git repository for the API tester.</p> - -<p>In the project, I have been mostly working on -<a href="https://github.com/petterreinholdtsen/noark5-tester">the API -tester</a> so far, while getting to know the code base. The API -tester currently use -<a href="https://en.wikipedia.org/wiki/HATEOAS">the HATEOAS links</a> -to traverse the entire exposed service API and verify that the exposed -operations and objects match the specification, as well as trying to -create objects holding metadata and uploading a simple XML file to -store. The tester has proved very useful for finding flaws in our -implementation, as well as flaws in the reference site and the -specification.</p> - -<p>The test document I uploaded is a summary of all the specification -defects we have collected so far while implementing the web service. 
-There are several unclear and conflicting parts of the specification, -and we have -<a href="https://github.com/petterreinholdtsen/noark5-tester/tree/master/mangelmelding">started -writing down</a> the questions we get from implementing it. We use a -format inspired by how <a href="http://www.opengroup.org/austin/">The -Austin Group</a> collect defect reports for the POSIX standard with -<a href="http://www.opengroup.org/austin/mantis.html">their -instructions for the MANTIS defect tracker system</a>, in lack of an official way to structure defect reports for Noark 5 (our first submitted defect report was a <a href="https://github.com/petterreinholdtsen/noark5-tester/blob/master/mangelmelding/sendt/2017-03-15-mangel-prosess.md">request for a procedure for submitting defect reports</a> :). - -<p>The Nikita project is implemented using Java and Spring, and is -fairly easy to get up and running using Docker containers for those -that want to test the current code base. The API tester is -implemented in Python.</p> + Easier recipe to observe the cell phones around you + http://people.skolelinux.org/pere/blog/Easier_recipe_to_observe_the_cell_phones_around_you.html + http://people.skolelinux.org/pere/blog/Easier_recipe_to_observe_the_cell_phones_around_you.html + Sun, 24 Sep 2017 08:30:00 +0200 + <p>A little more than a month ago I wrote +<a href="http://people.skolelinux.org/pere/blog/Simpler_recipe_on_how_to_make_a_simple__7_IMSI_Catcher_using_Debian.html">how +to observe the SIM card ID (aka IMSI number) of mobile phones talking +to nearby mobile phone base stations using Debian GNU/Linux and a +cheap USB software defined radio</a>, and thus being able to pinpoint +the location of people and equipment (like cars and trains) with an +accuracy of a few kilometer. 
Since then we have worked to make the +procedure even simpler, and it is now possible to do this without any +manual frequency tuning and without building your own packages.</p> + +<p>The <a href="https://tracker.debian.org/pkg/gr-gsm">gr-gsm</a> +package is now included in Debian testing and unstable, and the +IMSI-catcher code no longer require root access to fetch and decode +the GSM data collected using gr-gsm.</p> + +<p>Here is an updated recipe, using packages built by Debian and a git +clone of two python scripts:</p> + +<ol> + +<li>Start with a Debian machine running the Buster version (aka + testing).</li> + +<li>Run '<tt>apt install gr-gsm python-numpy python-scipy + python-scapy</tt>' as root to install required packages.</li> + +<li>Fetch the code decoding GSM packages using '<tt>git clone + github.com/Oros42/IMSI-catcher.git</tt>'.</li> + +<li>Insert USB software defined radio supported by GNU Radio.</li> + +<li>Enter the IMSI-catcher directory and run '<tt>python + scan-and-livemon</tt>' to locate the frequency of nearby base + stations and start listening for GSM packages on one of them.</li> + +<li>Enter the IMSI-catcher directory and run '<tt>python + simple_IMSI-catcher.py</tt>' to display the collected information.</li> + +</ol> + +<p>Note, due to a bug somewhere the scan-and-livemon program (actually +<a href="https://github.com/ptrkrysik/gr-gsm/issues/336">its underlying +program grgsm_scanner</a>) do not work with the HackRF radio. It does +work with RTL 8232 and other similar USB radio receivers you can get +very cheaply +(<a href="https://www.ebay.com/sch/items/?_nkw=rtl+2832">for example +from ebay</a>), so for now the solution is to scan using the RTL radio +and only use HackRF for fetching GSM data.</p> + +<p>As far as I can tell, a cell phone only show up on one of the +frequencies at the time, so if you are going to track and count every +cell phone around you, you need to listen to all the frequencies used. 
+To listen to several frequencies, use the --numrecv argument to +scan-and-livemon to use several receivers. Further, I am not sure if +phones using 3G or 4G will show as talking GSM to base stations, so +this approach might not see all phones around you. I typically see +0-400 IMSI numbers an hour when looking around where I live.</p> + +<p>I've tried to run the scanner on a +<a href="https://wiki.debian.org/RaspberryPi">Raspberry Pi 2 and 3 +running Debian Buster</a>, but the grgsm_livemon_headless process seem +to be too CPU intensive to keep up. When GNU Radio print 'O' to +stdout, I am told there it is caused by a buffer overflow between the +radio and GNU Radio, caused by the program being unable to read the +GSM data fast enough. If you see a stream of 'O's from the terminal +where you started scan-and-livemon, you need a give the process more +CPU power. Perhaps someone are able to optimize the code to a point +where it become possible to set up RPi3 based GSM sniffers? I tried +using Raspbian instead of Debian, but there seem to be something wrong +with GNU Radio on raspbian, causing glibc to abort().</p> - Detecting NFS hangs on Linux without hanging yourself... - http://people.skolelinux.org/pere/blog/Detecting_NFS_hangs_on_Linux_without_hanging_yourself___.html - http://people.skolelinux.org/pere/blog/Detecting_NFS_hangs_on_Linux_without_hanging_yourself___.html - Thu, 9 Mar 2017 15:20:00 +0100 - <p>Over the years, administrating thousand of NFS mounting linux -computers at the time, I often needed a way to detect if the machine -was experiencing NFS hang. If you try to use <tt>df</tt> or look at a -file or directory affected by the hang, the process (and possibly the -shell) will hang too. So you want to be able to detect this without -risking the detection process getting stuck too. It has not been -obvious how to do this. 
When the hang has lasted a while, it is -possible to find messages like these in dmesg:</p> - -<p><blockquote> -nfs: server nfsserver not responding, still trying -<br>nfs: server nfsserver OK -</blockquote></p> - -<p>It is hard to know if the hang is still going on, and it is hard to -be sure looking in dmesg is going to work. If there are lots of other -messages in dmesg the lines might have rotated out of site before they -are noticed.</p> - -<p>While reading through the nfs client implementation in linux kernel -code, I came across some statistics that seem to give a way to detect -it. The om_timeouts sunrpc value in the kernel will increase every -time the above log entry is inserted into dmesg. And after digging a -bit further, I discovered that this value show up in -/proc/self/mountstats on Linux.</p> - -<p>The mountstats content seem to be shared between files using the -same file system context, so it is enough to check one of the -mountstats files to get the state of the mount point for the machine. -I assume this will not show lazy umounted NFS points, nor NFS mount -points in a different process context (ie with a different filesystem -view), but that does not worry me.</p> - -<p>The content for a NFS mount point look similar to this:</p> - -<p><blockquote><pre> -[...] 
-device /dev/mapper/Debian-var mounted on /var with fstype ext3 -device nfsserver:/mnt/nfsserver/home0 mounted on /mnt/nfsserver/home0 with fstype nfs statvers=1.1 - opts: rw,vers=3,rsize=65536,wsize=65536,namlen=255,acregmin=3,acregmax=60,acdirmin=30,acdirmax=60,soft,nolock,proto=tcp,timeo=600,retrans=2,sec=sys,mountaddr=129.240.3.145,mountvers=3,mountport=4048,mountproto=udp,local_lock=all - age: 7863311 - caps: caps=0x3fe7,wtmult=4096,dtsize=8192,bsize=0,namlen=255 - sec: flavor=1,pseudoflavor=1 - events: 61063112 732346265 1028140 35486205 16220064 8162542 761447191 71714012 37189 3891185 45561809 110486139 4850138 420353 15449177 296502 52736725 13523379 0 52182 9016896 1231 0 0 0 0 0 - bytes: 166253035039 219519120027 0 0 40783504807 185466229638 11677877 45561809 - RPC iostats version: 1.0 p/v: 100003/3 (nfs) - xprt: tcp 925 1 6810 0 0 111505412 111480497 109 2672418560317 0 248 53869103 22481820 - per-op statistics - NULL: 0 0 0 0 0 0 0 0 - GETATTR: 61063106 61063108 0 9621383060 6839064400 453650 77291321 78926132 - SETATTR: 463469 463470 0 92005440 66739536 63787 603235 687943 - LOOKUP: 17021657 17021657 0 3354097764 4013442928 57216 35125459 35566511 - ACCESS: 14281703 14290009 5 2318400592 1713803640 1709282 4865144 7130140 - READLINK: 125 125 0 20472 18620 0 1112 1118 - READ: 4214236 4214237 0 715608524 41328653212 89884 22622768 22806693 - WRITE: 8479010 8494376 22 187695798568 1356087148 178264904 51506907 231671771 - CREATE: 171708 171708 0 38084748 46702272 873 1041833 1050398 - MKDIR: 3680 3680 0 773980 993920 26 23990 24245 - SYMLINK: 903 903 0 233428 245488 6 5865 5917 - MKNOD: 80 80 0 20148 21760 0 299 304 - REMOVE: 429921 429921 0 79796004 61908192 3313 2710416 2741636 - RMDIR: 3367 3367 0 645112 484848 22 5782 6002 - RENAME: 466201 466201 0 130026184 121212260 7075 5935207 5961288 - LINK: 289155 289155 0 72775556 67083960 2199 2565060 2585579 - READDIR: 2933237 2933237 0 516506204 13973833412 10385 3190199 3297917 - READDIRPLUS: 1652839 
1652839 0 298640972 6895997744 84735 14307895 14448937 - FSSTAT: 6144 6144 0 1010516 1032192 51 9654 10022 - FSINFO: 2 2 0 232 328 0 1 1 - PATHCONF: 1 1 0 116 140 0 0 0 - COMMIT: 0 0 0 0 0 0 0 0 - -device binfmt_misc mounted on /proc/sys/fs/binfmt_misc with fstype binfmt_misc -[...] -</pre></blockquote></p> - -<p>The key number to look at is the third number in the per-op list. -It is the number of NFS timeouts experiences per file system -operation. Here 22 write timeouts and 5 access timeouts. If these -numbers are increasing, I believe the machine is experiencing NFS -hang. Unfortunately the timeout value do not start to increase right -away. The NFS operations need to time out first, and this can take a -while. The exact timeout value depend on the setup. For example the -defaults for TCP and UDP mount points are quite different, and the -timeout value is affected by the soft, hard, timeo and retrans NFS -mount options.</p> - -<p>The only way I have been able to get working on Debian and RedHat -Enterprise Linux for getting the timeout count is to peek in /proc/. -But according to -<ahref="http://docs.oracle.com/cd/E19253-01/816-4555/netmonitor-12/index.html">Solaris -10 System Administration Guide: Network Services</a>, the 'nfsstat -c' -command can be used to get these timeout values. But this do not work -on Linux, as far as I can tell. I -<ahref="http://bugs.debian.org/857043">asked Debian about this</a>, -but have not seen any replies yet.</p> - -<p>Is there a better way to figure out if a Linux NFS client is -experiencing NFS hangs? Is there a way to detect which processes are -affected? Is there a way to get the NFS mount going quickly once the -network problem causing the NFS hang has been cleared? 
I would very -much welcome some clues, as we regularly run into NFS hangs.</p> + Datalagringsdirektivet kaster skygger over Høyre og Arbeiderpartiet + http://people.skolelinux.org/pere/blog/Datalagringsdirektivet_kaster_skygger_over_H_yre_og_Arbeiderpartiet.html + http://people.skolelinux.org/pere/blog/Datalagringsdirektivet_kaster_skygger_over_H_yre_og_Arbeiderpartiet.html + Thu, 7 Sep 2017 21:35:00 +0200 + <p>For noen dager siden publiserte Jon Wessel-Aas en bloggpost om +«<a href="http://www.uhuru.biz/?p=1821">Konklusjonen om datalagring som +EU-kommisjonen ikke ville at vi skulle få se</a>». Det er en +interessant gjennomgang av EU-domstolens syn på snurpenotovervåkning +av befolkningen, som er klar på at det er i strid med +EU-lovgivingen.</p> + +<p>Valgkampen går for fullt i Norge, og om noen få dager er siste +frist for å avgi stemme. En ting er sikkert, Høyre og Arbeiderpartiet +får ikke min stemme +<a href="http://people.skolelinux.org/pere/blog/Datalagringsdirektivet_gj_r_at_Oslo_H_yre_og_Arbeiderparti_ikke_f_r_min_stemme_i__r.html">denne +gangen heller</a>. Jeg har ikke glemt at de tvang igjennom loven som +skulle pålegge alle data- og teletjenesteleverandører å overvåke alle +sine kunder. En lov som er vedtatt, og aldri opphevet igjen.</p> + +<p>Det er tydelig fra diskusjonen rundt grenseløs digital overvåkning +(eller "Digital Grenseforsvar" som det kalles i Orvellisk nytale) at +hverken Høyre og Arbeiderpartiet har noen prinsipielle sperrer mot å +overvåke hele befolkningen, og diskusjonen så langt tyder på at flere +av de andre partiene heller ikke har det. 
Mange av +<a href="https://data.holderdeord.no/votes/1301946411e">de som stemte +for Datalagringsdirektivet i Stortinget</a> (64 fra Arbeiderpartiet, +25 fra Høyre) er fortsatt aktive og argumenterer fortsatt for å radere +vekk mer av innbyggernes privatsfære.</p> + +<p>Når myndighetene demonstrerer sin mistillit til folket, tror jeg +folket selv bør legge litt innsats i å verne sitt privatliv, ved å ta +i bruk ende-til-ende-kryptert kommunikasjon med sine kjente og kjære, +og begrense hvor mye privat informasjon som deles med uvedkommende. +Det er jo ingenting som tyder på at myndighetene kommer til å være vår +privatsfære. +<a href="http://people.skolelinux.org/pere/blog/How_to_talk_with_your_loved_ones_in_private.html">Det +er mange muligheter</a>. Selv har jeg litt sans for +<a href="https://ring.cx/">Ring</a>, som er basert på p2p-teknologi +uten sentral kontroll, er fri programvare, og støtter meldinger, tale +og video. Systemet er tilgjengelig ut av boksen fra +<a href="https://tracker.debian.org/pkg/ring">Debian</a> og +<a href="https://launchpad.net/ubuntu/+source/ring">Ubuntu</a>, og det +finnes pakker for Android, MacOSX og Windows. Foreløpig er det få +brukere med Ring, slik at jeg også bruker +<a href="https://signal.org/">Signal</a> som nettleserutvidelse.</p> - How does it feel to be wiretapped, when you should be doing the wiretapping... - http://people.skolelinux.org/pere/blog/How_does_it_feel_to_be_wiretapped__when_you_should_be_doing_the_wiretapping___.html - http://people.skolelinux.org/pere/blog/How_does_it_feel_to_be_wiretapped__when_you_should_be_doing_the_wiretapping___.html - Wed, 8 Mar 2017 11:50:00 +0100 - <p>So the new president in the United States of America claim to be -surprised to discover that he was wiretapped during the election -before he was elected president. He even claim this must be illegal. 
-Well, doh, if it is one thing the confirmations from Snowden -documented, it is that the entire population in USA is wiretapped, one -way or another. Of course the president candidates were wiretapped, -alongside the senators, judges and the rest of the people in USA.</p> - -<p>Next, the Federal Bureau of Investigation ask the Department of -Justice to go public rejecting the claims that Donald Trump was -wiretapped illegally. I fail to see the relevance, given that I am -sure the surveillance industry in USA believe they have all the legal -backing they need to conduct mass surveillance on the entire -world.</p> - -<p>There is even the director of the FBI stating that he never saw an -order requesting wiretapping of Donald Trump. That is not very -surprising, given how the FISA court work, with all its activity being -secret. Perhaps he only heard about it?</p> - -<p>What I find most sad in this story is how Norwegian journalists -present it. In a news reports the other day in the radio from the -Norwegian National broadcasting Company (NRK), I heard the journalist -claim that 'the FBI denies any wiretapping', while the reality is that -'the FBI denies any illegal wiretapping'. 
There is a fundamental and -important difference, and it make me sad that the journalists are -unable to grasp it.</p> - -<p><strong>Update 2017-03-13:</strong> Look like -<a href="https://theintercept.com/2017/03/13/rand-paul-is-right-nsa-routinely-monitors-americans-communications-without-warrants/">The -Intercept report that US Senator Rand Paul confirm what I state above</a>.</p> + Simpler recipe on how to make a simple $7 IMSI Catcher using Debian + http://people.skolelinux.org/pere/blog/Simpler_recipe_on_how_to_make_a_simple__7_IMSI_Catcher_using_Debian.html + http://people.skolelinux.org/pere/blog/Simpler_recipe_on_how_to_make_a_simple__7_IMSI_Catcher_using_Debian.html + Wed, 9 Aug 2017 23:59:00 +0200 + <p>On friday, I came across an interesting article in the Norwegian +web based ICT news magazine digi.no on +<a href="https://www.digi.no/artikler/sikkerhetsforsker-lagde-enkel-imsi-catcher-for-60-kroner-na-kan-mobiler-kartlegges-av-alle/398588">how +to collect the IMSI numbers of nearby cell phones</a> using the cheap +DVB-T software defined radios. The article refered to instructions +and <a href="https://www.youtube.com/watch?v=UjwgNd_as30">a recipe by +Keld Norman on Youtube on how to make a simple $7 IMSI Catcher</a>, and I decided to test them out.</p> + +<p>The instructions said to use Ubuntu, install pip using apt (to +bypass apt), use pip to install pybombs (to bypass both apt and pip), +and the ask pybombs to fetch and build everything you need from +scratch. I wanted to see if I could do the same on the most recent +Debian packages, but this did not work because pybombs tried to build +stuff that no longer build with the most recent openssl library or +some other version skew problem. While trying to get this recipe +working, I learned that the apt->pip->pybombs route was a long detour, +and the only piece of software dependency missing in Debian was the +gr-gsm package. 
I also found out that the lead upstream developer of +gr-gsm (the name stand for GNU Radio GSM) project already had a set of +Debian packages provided in an Ubuntu PPA repository. All I needed to +do was to dget the Debian source package and built it.</p> + +<p>The IMSI collector is a python script listening for packages on the +loopback network device and printing to the terminal some specific GSM +packages with IMSI numbers in them. The code is fairly short and easy +to understand. The reason this work is because gr-gsm include a tool +to read GSM data from a software defined radio like a DVB-T USB stick +and other software defined radios, decode them and inject them into a +network device on your Linux machine (using the loopback device by +default). This proved to work just fine, and I've been testing the +collector for a few days now.</p> + +<p>The updated and simpler recipe is thus to</p> + +<ol> + +<li>start with a Debian machine running Stretch or newer,</li> + +<li>build and install the gr-gsm package available from +<a href="http://ppa.launchpad.net/ptrkrysik/gr-gsm/ubuntu/pool/main/g/gr-gsm/">http://ppa.launchpad.net/ptrkrysik/gr-gsm/ubuntu/pool/main/g/gr-gsm/</a>,</li> + +<li>clone the git repostory from <a href="https://github.com/Oros42/IMSI-catcher">https://github.com/Oros42/IMSI-catcher</a>,</li> + +<li>run grgsm_livemon and adjust the frequency until the terminal +where it was started is filled with a stream of text (meaning you +found a GSM station).</li> + +<li>go into the IMSI-catcher directory and run 'sudo python simple_IMSI-catcher.py' to extract the IMSI numbers.</li> + +</ol> + +<p>To make it even easier in the future to get this sniffer up and +running, I decided to package +<a href="https://github.com/ptrkrysik/gr-gsm/">the gr-gsm project</a> +for Debian (<a href="https://bugs.debian.org/871055">WNPP +#871055</a>), and the package was uploaded into the NEW queue today. 
+Luckily the gnuradio maintainer has promised to help me, as I do not +know much about gnuradio stuff yet.</p> + +<p>I doubt this "IMSI cacher" is anywhere near as powerfull as +commercial tools like +<a href="https://www.thespyphone.com/portable-imsi-imei-catcher/">The +Spy Phone Portable IMSI / IMEI Catcher</a> or the +<a href="https://en.wikipedia.org/wiki/Stingray_phone_tracker">Harris +Stingray</a>, but I hope the existance of cheap alternatives can make +more people realise how their whereabouts when carrying a cell phone +is easily tracked. Seeing the data flow on the screen, realizing that +I live close to a police station and knowing that the police is also +wearing cell phones, I wonder how hard it would be for criminals to +track the position of the police officers to discover when there are +police near by, or for foreign military forces to track the location +of the Norwegian military forces, or for anyone to track the location +of government officials...</p> + +<p>It is worth noting that the data reported by the IMSI-catcher +script mentioned above is only a fraction of the data broadcasted on +the GSM network. It will only collect one frequency at the time, +while a typical phone will be using several frequencies, and not all +phones will be using the frequencies tracked by the grgsm_livemod +program. Also, there is a lot of radio chatter being ignored by the +simple_IMSI-catcher script, which would be collected by extending the +parser code. 
I wonder if gr-gsm can be set up to listen to more than +one frequency?</p> - Norwegian Bokmål translation of The Debian Administrator's Handbook complete, proofreading in progress - http://people.skolelinux.org/pere/blog/Norwegian_Bokm_l_translation_of_The_Debian_Administrator_s_Handbook_complete__proofreading_in_progress.html - http://people.skolelinux.org/pere/blog/Norwegian_Bokm_l_translation_of_The_Debian_Administrator_s_Handbook_complete__proofreading_in_progress.html - Fri, 3 Mar 2017 14:50:00 +0100 - <p>For almost a year now, we have been working on making a Norwegian -Bokmål edition of <a href="https://debian-handbook.info/">The Debian -Administrator's Handbook</a>. Now, thanks to the tireless effort of -Ole-Erik, Ingrid and Andreas, the initial translation is complete, and -we are working on the proof reading to ensure consistent language and -use of correct computer science terms. The plan is to make the book -available on paper, as well as in electronic form. For that to -happen, the proof reading must be completed and all the figures need -to be translated. If you want to help out, get in touch.</p> - -<p><a href="http://people.skolelinux.org/pere/debian-handbook/debian-handbook-nb-NO.pdf">A - -fresh PDF edition</a> in A4 format (the final book will have smaller -pages) of the book created every morning is available for -proofreading. If you find any errors, please -<a href="https://hosted.weblate.org/projects/debian-handbook/">visit -Weblate and correct the error</a>. 
The -<a href="http://l.github.io/debian-handbook/stat/nb-NO/index.html">state -of the translation including figures</a> is a useful source for those -provide Norwegian bokmål screen shots and figures.</p> + Norwegian Bokmål edition of Debian Administrator's Handbook is now available + http://people.skolelinux.org/pere/blog/Norwegian_Bokm_l_edition_of_Debian_Administrator_s_Handbook_is_now_available.html + http://people.skolelinux.org/pere/blog/Norwegian_Bokm_l_edition_of_Debian_Administrator_s_Handbook_is_now_available.html + Tue, 25 Jul 2017 21:10:00 +0200 + <p align="center"><img align="center" src="http://people.skolelinux.org/pere/blog/images/2017-07-25-debian-handbook-nb-testprint.png"/></p> + +<p>I finally received a copy of the Norwegian Bokmål edition of +"<a href="https://debian-handbook.info/">The Debian Administrator's +Handbook</a>". This test copy arrived in the mail a few days ago, and +I am very happy to hold the result in my hand. We spent around one and a half year translating it. This paperbook edition +<a href="https://debian-handbook.info/get/#norwegian">is available +from lulu.com</a>. If you buy it quickly, you save 25% on the list +price. The book is also available for download in electronic form as +PDF, EPUB and Mobipocket, as can be +<a href="https://debian-handbook.info/browse/nb-NO/stable/">read online +as a web page</a>.</p> + +<p>This is the second book I publish (the first was the book +"<a href="http://free-culture.cc/">Free Culture</a>" by Lawrence Lessig +in +<a href="http://www.lulu.com/shop/lawrence-lessig/free-culture/paperback/product-22440520.html">English</a>, +<a href="http://www.lulu.com/shop/lawrence-lessig/culture-libre/paperback/product-22645082.html">French</a> +and +<a href="http://www.lulu.com/shop/lawrence-lessig/fri-kultur/paperback/product-22441576.html">Norwegian +Bokmål</a>), and I am very excited to finally wrap up this +project. 
I hope +"<a href="http://www.lulu.com/shop/rapha%C3%ABl-hertzog-and-roland-mas/h%C3%A5ndbok-for-debian-administratoren/paperback/product-23262290.html">Håndbok +for Debian-administratoren</a>" will be well received.</p> - Unlimited randomness with the ChaosKey? - http://people.skolelinux.org/pere/blog/Unlimited_randomness_with_the_ChaosKey_.html - http://people.skolelinux.org/pere/blog/Unlimited_randomness_with_the_ChaosKey_.html - Wed, 1 Mar 2017 20:50:00 +0100 - <p>A few days ago I ordered a small batch of -<a href="http://altusmetrum.org/ChaosKey/">the ChaosKey</a>, a small -USB dongle for generating entropy created by Bdale Garbee and Keith -Packard. Yesterday it arrived, and I am very happy to report that it -work great! According to its designers, to get it to work out of the -box, you need the Linux kernel version 4.1 or later. I tested on a -Debian Stretch machine (kernel version 4.9), and there it worked just -fine, increasing the available entropy very quickly. I wrote a small -test oneliner to test. It first print the current entropy level, -drain /dev/random, and then print the entropy level for five seconds. -Here is the situation without the ChaosKey inserted:</p> - -<blockquote><pre> -% cat /proc/sys/kernel/random/entropy_avail; \ - dd bs=1M if=/dev/random of=/dev/null count=1; \ - for n in $(seq 1 5); do \ - cat /proc/sys/kernel/random/entropy_avail; \ - sleep 1; \ - done -300 -0+1 oppføringer inn -0+1 oppføringer ut -28 byte kopiert, 0,000264565 s, 106 kB/s -4 -8 -12 -17 -21 -% -</pre></blockquote> - -<p>The entropy level increases by 3-4 every second. In such case any -application requiring random bits (like a HTTPS enabled web server) -will halt and wait for more entrpy. 
And here is the situation with -the ChaosKey inserted:</p> - -<blockquote><pre> -% cat /proc/sys/kernel/random/entropy_avail; \ - dd bs=1M if=/dev/random of=/dev/null count=1; \ - for n in $(seq 1 5); do \ - cat /proc/sys/kernel/random/entropy_avail; \ - sleep 1; \ - done -1079 -0+1 oppføringer inn -0+1 oppføringer ut -104 byte kopiert, 0,000487647 s, 213 kB/s -433 -1028 -1031 -1035 -1038 -% -</pre></blockquote> - -<p>Quite the difference. :) I bought a few more than I need, in case -someone want to buy one here in Norway. :)</p> - -<p>Update: The dongle was presented at Debconf last year. You might -find <a href="https://debconf16.debconf.org/talks/94/">the talk -recording illuminating</a>. It explains exactly what the source of -randomness is, if you are unable to spot it from the schema drawing -available from the ChaosKey web site linked at the start of this blog -post.</p> + «Rapporten ser ikke på informasjonssikkerhet knyttet til personlig integritet» + http://people.skolelinux.org/pere/blog/_Rapporten_ser_ikke_p__informasjonssikkerhet_knyttet_til_personlig_integritet_.html + http://people.skolelinux.org/pere/blog/_Rapporten_ser_ikke_p__informasjonssikkerhet_knyttet_til_personlig_integritet_.html + Tue, 27 Jun 2017 17:50:00 +0200 + <p>Jeg kom over teksten +«<a href="https://freedom-to-tinker.com/2017/06/21/killing-car-privacy-by-federal-mandate/">Killing +car privacy by federal mandate</a>» av Leonid Reyzin på Freedom to +Tinker i dag, og det gleder meg å se en god gjennomgang om hvorfor det +er et urimelig inngrep i privatsfæren å la alle biler kringkaste sin +posisjon og bevegelse via radio. Det omtalte forslaget basert på +Dedicated Short Range Communication (DSRC) kalles Basic Safety Message +(BSM) i USA og Cooperative Awareness Message (CAM) i Europa, og det +norske Vegvesenet er en av de som ser ut til å kunne tenke seg å +pålegge alle biler å fjerne nok en bit av innbyggernes privatsfære. +Anbefaler alle å lese det som står der. 
+ +<p>Mens jeg tittet litt på DSRC på biler i Norge kom jeg over et sitat +jeg synes er illustrativt for hvordan det offentlige Norge håndterer +problemstillinger rundt innbyggernes privatsfære i SINTEF-rapporten +«<a href="https://www.sintef.no/publikasjoner/publikasjon/Download/?pubid=SINTEF+A23933">Informasjonssikkerhet +i AutoPASS-brikker</a>» av Trond Foss:</p> + +<p><blockquote> +«Rapporten ser ikke på informasjonssikkerhet knyttet til personlig + integritet.» +</blockquote></p> + +<p>Så enkelt kan det tydeligvis gjøres når en vurderer +informasjonssikkerheten. Det holder vel at folkene på toppen kan si +at «Personvernet er ivaretatt», som jo er den populære intetsigende +frasen som gjør at mange tror enkeltindividers integritet tas vare på. +Sitatet fikk meg til å undres på hvor ofte samme tilnærming, å bare se +bort fra behovet for personlig itegritet, blir valgt når en velger å +legge til rette for nok et inngrep i privatsfæren til personer i +Norge. Det er jo sjelden det får reaksjoner. Historien om +reaksjonene på Helse Sør-Østs tjenesteutsetting er jo sørgelig nok et +unntak og toppen av isfjellet, desverre. Tror jeg fortsatt takker nei +til både AutoPASS og holder meg så langt unna det norske helsevesenet +som jeg kan, inntil de har demonstrert og dokumentert at de verdsetter +individets privatsfære og personlige integritet høyere enn kortsiktig +gevist og samfunnsnytte.</p> - Detect OOXML files with undefined behaviour? 
- http://people.skolelinux.org/pere/blog/Detect_OOXML_files_with_undefined_behaviour_.html - http://people.skolelinux.org/pere/blog/Detect_OOXML_files_with_undefined_behaviour_.html - Tue, 21 Feb 2017 00:20:00 +0100 - <p>I just noticed -<a href="http://www.arkivrad.no/aktuelt/riksarkivarens-forskrift-pa-horing">the -new Norwegian proposal for archiving rules in the goverment</a> list -<a href="http://www.ecma-international.org/publications/standards/Ecma-376.htm">ECMA-376</a> -/ ISO/IEC 29500 (aka OOXML) as valid formats to put in long term -storage. Luckily such files will only be accepted based on -pre-approval from the National Archive. Allowing OOXML files to be -used for long term storage might seem like a good idea as long as we -forget that there are plenty of ways for a "valid" OOXML document to -have content with no defined interpretation in the standard, which -lead to a question and an idea.</p> - -<p>Is there any tool to detect if a OOXML document depend on such -undefined behaviour? It would be useful for the National Archive (and -anyone else interested in verifying that a document is well defined) -to have such tool available when considering to approve the use of -OOXML. I'm aware of the -<a href="https://github.com/arlm/officeotron/">officeotron OOXML -validator</a>, but do not know how complete it is nor if it will -report use of undefined behaviour. Are there other similar tools -available? 
Please send me an email if you know of any such tool.</p> + Updated sales number for my Free Culture paper editions + http://people.skolelinux.org/pere/blog/Updated_sales_number_for_my_Free_Culture_paper_editions.html + http://people.skolelinux.org/pere/blog/Updated_sales_number_for_my_Free_Culture_paper_editions.html + Mon, 12 Jun 2017 11:40:00 +0200 + <p>It is pleasing to see that the work we put down in publishing new +editions of the classic <a href="http://www.free-culture.cc/">Free +Culture book</a> by the founder of the Creative Commons movement, +Lawrence Lessig, is still being appreciated. I had a look at the +latest sales numbers for the paper edition today. Not too impressive, +but happy to see some buyers still exist. All the revenue from the +books is sent to the <a href="https://creativecommons.org/">Creative +Commons Corporation</a>, and they receive the largest cut if you buy +directly from Lulu. Most books are sold via Amazon, with Ingram +second and only a small fraction directly from Lulu. 
The ebook +edition is available for free from +<a href="https://github.com/petterreinholdtsen/free-culture-lessig">Github</a>.</p> + +<table border="0"> +<tr><th rowspan="2" valign="bottom">Title / language</th><th colspan="3">Quantity</th></tr> +<tr><th>2016 jan-jun</th><th>2016 jul-dec</th><th>2017 jan-may</th></tr> + +<tr> + <td><a href="http://www.lulu.com/shop/lawrence-lessig/culture-libre/paperback/product-22645082.html">Culture Libre / French</a></td> + <td align="right">3</td> + <td align="right">6</td> + <td align="right">15</td> +</tr> + +<tr> + <td><a href="http://www.lulu.com/shop/lawrence-lessig/fri-kultur/paperback/product-22441576.html">Fri kultur / Norwegian</a></td> + <td align="right">7</td> + <td align="right">1</td> + <td align="right">0</td> +</tr> + +<tr> + <td><a href="http://www.lulu.com/shop/lawrence-lessig/free-culture/paperback/product-22440520.html">Free Culture / English</a></td> + <td align="right">14</td> + <td align="right">27</td> + <td align="right">16</td> +</tr> + +<tr> + <td>Total</td> + <td align="right">24</td> + <td align="right">34</td> + <td align="right">31</td> +</tr> + +</table> + +<p>A bit sad to see the low sales number on the Norwegian edition, and +a bit surprising the English edition still selling so well.</p> + +<p>If you would like to translate and publish the book in your native +language, I would be happy to help make it happen. 
Please get in +touch.</p> - Ruling ignored our objections to the seizure of popcorn-time.no (#domstolkontroll) - http://people.skolelinux.org/pere/blog/Ruling_ignored_our_objections_to_the_seizure_of_popcorn_time_no___domstolkontroll_.html - http://people.skolelinux.org/pere/blog/Ruling_ignored_our_objections_to_the_seizure_of_popcorn_time_no___domstolkontroll_.html - Mon, 13 Feb 2017 21:30:00 +0100 - <p>A few days ago, we received the ruling from -<a href="http://people.skolelinux.org/pere/blog/A_day_in_court_challenging_seizure_of_popcorn_time_no_for__domstolkontroll.html">my -day in court</a>. The case in question is a challenge of the seizure -of the DNS domain popcorn-time.no. The ruling simply did not mention -most of our arguments, and seemed to take everything ØKOKRIM said at -face value, ignoring our demonstration and explanations. But it is -hard to tell for sure, as we still have not seen most of the documents -in the case and thus were unprepared and unable to contradict several -of the claims made in court by the opposition. We are considering an -appeal, but it is partly a question of funding, as it is costing us -quite a bit to pay for our lawyer. If you want to help, please -<a href="http://www.nuug.no/dns-beslag-donasjon.shtml">donate to the -NUUG defense fund</a>.</p> - -<p>The details of the case, as far as we know it, is available in -Norwegian from -<a href="https://www.nuug.no/news/tags/dns-domenebeslag/">the NUUG -blog</a>. 
This also include -<a href="https://www.nuug.no/news/Avslag_etter_rettslig_h_ring_om_DNS_beslaget___vurderer_veien_videre.shtml">the -ruling itself</a>.</p> + Release 0.1.1 of free software archive system Nikita announced + http://people.skolelinux.org/pere/blog/Release_0_1_1_of_free_software_archive_system_Nikita_announced.html + http://people.skolelinux.org/pere/blog/Release_0_1_1_of_free_software_archive_system_Nikita_announced.html + Sat, 10 Jun 2017 00:40:00 +0200 + <p>I am very happy to report that the +<a href="https://github.com/hiOA-ABI/nikita-noark5-core">Nikita Noark 5 +core project</a> tagged its second release today. The free software +solution is an implementation of the Norwegian archive standard Noark +5 used by government offices in Norway. These were the changes in +version 0.1.1 since version 0.1.0 (from NEWS.md): + +<ul> + + <li>Continued work on the angularjs GUI, including document upload.</li> + <li>Implemented correspondencepartPerson, correspondencepartUnit and + correspondencepartInternal</li> + <li>Applied for coverity coverage and started submitting code on + regualr basis.</li> + <li>Started fixing bugs reported by coverity</li> + <li>Corrected and completed HATEOAS links to make sure entire API is + available via URLs in _links.</li> + <li>Corrected all relation URLs to use trailing slash.</li> + <li>Add initial support for storing data in ElasticSearch.</li> + <li>Now able to receive and store uploaded files in the archive.</li> + <li>Changed JSON output for object lists to have relations in _links.</li> + <li>Improve JSON output for empty object lists.</li> + <li>Now uses correct MIME type application/vnd.noark5-v4+json.</li> + <li>Added support for docker container images.</li> + <li>Added simple API browser implemented in JavaScript/Angular.</li> + <li>Started on archive client implemented in JavaScript/Angular.</li> + <li>Started on prototype to show the public mail journal.</li> + <li>Improved performance by disabling Sprint 
FileWatcher.</li> + <li>Added support for 'arkivskaper', 'saksmappe' and 'journalpost'.</li> + <li>Added support for some metadata codelists.</li> + <li>Added support for Cross-origin resource sharing (CORS).</li> + <li>Changed login method from Basic Auth to JSON Web Token (RFC 7519) + style.</li> + <li>Added support for GET-ing ny-* URLs.</li> + <li>Added support for modifying entities using PUT and eTag.</li> + <li>Added support for returning XML output on request.</li> + <li>Removed support for English field and class names, limiting ourself + to the official names.</li> + <li>...</li> + +</ul> + +<p>If this sound interesting to you, please contact us on IRC (#nikita +on irc.freenode.net) or email +(<a href="https://lists.nuug.no/mailman/listinfo/nikita-noark">nikita-noark +mailing list).</p> - A day in court challenging seizure of popcorn-time.no for #domstolkontroll - http://people.skolelinux.org/pere/blog/A_day_in_court_challenging_seizure_of_popcorn_time_no_for__domstolkontroll.html - http://people.skolelinux.org/pere/blog/A_day_in_court_challenging_seizure_of_popcorn_time_no_for__domstolkontroll.html - Fri, 3 Feb 2017 11:10:00 +0100 - <p align="center"><img width="70%" src="http://people.skolelinux.org/pere/blog/images/2017-02-01-popcorn-time-in-court.jpeg"></p> - -<p>On Wednesday, I spent the entire day in court in Follo Tingrett -representing <a href="https://www.nuug.no/">the member association -NUUG</a>, alongside <a href="https://www.efn.no/">the member -association EFN</a> and <a href="http://www.imc.no">the DNS registrar -IMC</a>, challenging the seizure of the DNS name popcorn-time.no. It -was interesting to sit in a court of law for the first time in my -life. 
Our team can be seen in the picture above: attorney Ola -Tellesbø, EFN board member Tom Fredrik Blenning, IMC CEO Morten Emil -Eriksen and NUUG board member Petter Reinholdtsen.</p> - -<p><a href="http://www.domstol.no/no/Enkelt-domstol/follo-tingrett/Nar-gar-rettssaken/Beramming/?cid=AAAA1701301512081262234UJFBVEZZZZZEJBAvtale">The -case at hand</a> is that the Norwegian National Authority for -Investigation and Prosecution of Economic and Environmental Crime (aka -Økokrim) decided on their own, to seize a DNS domain early last -year, without following -<a href="https://www.norid.no/no/regelverk/navnepolitikk/#link12">the -official policy of the Norwegian DNS authority</a> which require a -court decision. The web site in question was a site covering Popcorn -Time. And Popcorn Time is the name of a technology with both legal -and illegal applications. Popcorn Time is a client combining -searching a Bittorrent directory available on the Internet with -downloading/distribute content via Bittorrent and playing the -downloaded content on screen. It can be used illegally if it is used -to distribute content against the will of the right holder, but it can -also be used legally to play a lot of content, for example the -millions of movies -<a href="https://archive.org/details/movies">available from the -Internet Archive</a> or the collection -<a href="http://vodo.net/films/">available from Vodo</a>. We created -<a href="magnet:?xt=urn:btih:86c1802af5a667ca56d3918aecb7d3c0f7173084&dn=PresentasjonFolloTingrett.mov&tr=udp%3A%2F%2Fpublic.popcorn-tracker.org%3A6969%2Fannounce">a -video demonstrating legally use of Popcorn Time</a> and played it in -Court. It can of course be downloaded using Bittorrent.</p> - -<p>I did not quite know what to expect from a day in court. The -government held on to their version of the story and we held on to -ours, and I hope the judge is able to make sense of it all. We will -know in two weeks time. 
Unfortunately I do not have high hopes, as -the Government have the upper hand here with more knowledge about the -case, better training in handling criminal law and in general higher -standing in the courts than fairly unknown DNS registrar and member -associations. It is expensive to be right also in Norway. So far the -case have cost more than NOK 70 000,-. To help fund the case, NUUG -and EFN have asked for donations, and managed to collect around NOK 25 -000,- so far. Given the presentation from the Government, I expect -the government to appeal if the case go our way. And if the case do -not go our way, I hope we have enough funding to appeal.</p> - -<p>From the other side came two people from Økokrim. On the benches, -appearing to be part of the group from the government were two people -from the Simonsen Vogt Wiik lawyer office, and three others I am not -quite sure who was. Økokrim had proposed to present two witnesses -from The Motion Picture Association, but this was rejected because -they did not speak Norwegian and it was a bit late to bring in a -translator, but perhaps the two from MPA were present anyway. All -seven appeared to know each other. Good to see the case is take -seriously.</p> - -<p>If you, like me, believe the courts should be involved before a DNS -domain is hijacked by the government, or you believe the Popcorn Time -technology have a lot of useful and legal applications, I suggest you -too <a href="http://www.nuug.no/dns-beslag-donasjon.shtml">donate to -the NUUG defense fund</a>. Both Bitcoin and bank transfer are -available. 
If NUUG get more than we need for the legal action (very -unlikely), the rest will be spend promoting free software, open -standards and unix-like operating systems in Norway, so no matter what -happens the money will be put to good use.</p> - -<p>If you want to lean more about the case, I recommend you check out -<a href="https://www.nuug.no/news/tags/dns-domenebeslag/">the blog -posts from NUUG covering the case</a>. They cover the legal arguments -on both sides.</p> + Idea for storing trusted timestamps in a Noark 5 archive + http://people.skolelinux.org/pere/blog/Idea_for_storing_trusted_timestamps_in_a_Noark_5_archive.html + http://people.skolelinux.org/pere/blog/Idea_for_storing_trusted_timestamps_in_a_Noark_5_archive.html + Wed, 7 Jun 2017 21:40:00 +0200 + <p><em>This is a copy of +<a href="https://lists.nuug.no/pipermail/nikita-noark/2017-June/000297.html">an +email I posted to the nikita-noark mailing list</a>. Please follow up +there if you would like to discuss this topic. The background is that +we are making a free software archive system based on the Norwegian +<a href="https://www.arkivverket.no/forvaltning-og-utvikling/regelverk-og-standarder/noark-standarden">Noark +5 standard</a> for government archives.</em></p> + +<p>I've been wondering a bit lately how trusted timestamps could be +stored in Noark 5. +<a href="https://en.wikipedia.org/wiki/Trusted_timestamping">Trusted +timestamps</a> can be used to verify that some information +(document/file/checksum/metadata) have not been changed since a +specific time in the past. 
This is useful to verify the integrity of +the documents in the archive.</p> + +<p>Then it occured to me, perhaps the trusted timestamps could be +stored as dokument variants (ie dokumentobjekt referered to from +dokumentbeskrivelse) with the filename set to the hash it is +stamping?</p> + +<p>Given a "dokumentbeskrivelse" with an associated "dokumentobjekt", +a new dokumentobjekt is associated with "dokumentbeskrivelse" with the +same attributes as the stamped dokumentobjekt except these +attributes:</p> + +<ul> + +<li>format -> "RFC3161" +<li>mimeType -> "application/timestamp-reply" +<li>formatDetaljer -> "&lt;source URL for timestamp service&gt;" +<li>filenavn -> "&lt;sjekksum&gt;.tsr" + +</ul> + +<p>This assume a service following +<a href="https://tools.ietf.org/html/rfc3161">IETF RFC 3161</a> is +used, which specifiy the given MIME type for replies and the .tsr file +ending for the content of such trusted timestamp. As far as I can +tell from the Noark 5 specifications, it is OK to have several +variants/renderings of a dokument attached to a given +dokumentbeskrivelse objekt. It might be stretching it a bit to make +some of these variants represent crypto-signatures useful for +verifying the document integrity instead of representing the dokument +itself.</p> + +<p>Using the source of the service in formatDetaljer allow several +timestamping services to be used. This is useful to spread the risk +of key compromise over several organisations. It would only be a +problem to trust the timestamps if all of the organisations are +compromised.</p> + +<p>The following oneliner on Linux can be used to generate the tsr +file. 
$input is the path to the file to checksum, and $sha256 is the +SHA-256 checksum of the file (ie the "<sjekksum>.tsr" value mentioned +above).</p> + +<p><blockquote><pre> +openssl ts -query -data "$inputfile" -cert -sha256 -no_nonce \ + | curl -s -H "Content-Type: application/timestamp-query" \ + --data-binary "@-" http://zeitstempel.dfn.de > $sha256.tsr +</pre></blockquote></p> + +<p>To verify the timestamp, you first need to download the public key +of the trusted timestamp service, for example using this command:</p> + +<p><blockquote><pre> +wget -O ca-cert.txt \ + https://pki.pca.dfn.de/global-services-ca/pub/cacert/chain.txt +</pre></blockquote></p> + +<p>Note, the public key should be stored alongside the timestamps in +the archive to make sure it is also available 100 years from now. It +is probably a good idea to standardise how and were to store such +public keys, to make it easier to find for those trying to verify +documents 100 or 1000 years from now. :)</p> + +<p>The verification itself is a simple openssl command:</p> + +<p><blockquote><pre> +openssl ts -verify -data $inputfile -in $sha256.tsr \ + -CAfile ca-cert.txt -text +</pre></blockquote></p> + +<p>Is there any reason this approach would not work? Is it somehow against +the Noark 5 specification?</p>
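Review bot: In the added "Idea for storing trusted timestamps in a Noark 5 archive" entry, the sentence introducing the oneliner calls the file path $input, but both openssl commands read $inputfile, and nothing shown sets $sha256, so a reader pasting the commands ends up writing to a file named ".tsr". Suggest using $inputfile in the prose and adding the step that derives $sha256 from the file (for example with sha256sum). The verify command also leaves $inputfile and $sha256.tsr unquoted while the query command quotes "$inputfile"; quote both so paths with spaces work. In the same sentence "<sjekksum>.tsr" is written with raw angle brackets, whereas the attribute list just above uses "&lt;sjekksum&gt;.tsr"; the raw form will be treated as a tag when the description is rendered, so escape it the same way. Two markup problems elsewhere in this hunk are worth fixing in the same pass: the Nikita 0.1.1 entry opens <a href="https://lists.nuug.no/mailman/listinfo/nikita-noark"> and reaches "</p>" without a closing </a>, and the first paragraph of the «Rapporten ser ikke på informasjonssikkerhet ...» entry ends at "Anbefaler alle å lese det som står der." without its </p>.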