1 <?xml version=
"1.0" encoding=
"utf-8"?>
2 <rss version='
2.0' xmlns:lj='http://www.livejournal.org/rss/lj/
1.0/' xmlns:
atom=
"http://www.w3.org/2005/Atom">
4 <title>Petter Reinholdtsen
</title>
5 <description></description>
6 <link>http://people.skolelinux.org/pere/blog/
</link>
7 <atom:link href=
"http://people.skolelinux.org/pere/blog/index.rss" rel=
"self" type=
"application/rss+xml" />
10 <title>syslog-trusted-timestamp - chain of trusted timestamps for your syslog
</title>
11 <link>http://people.skolelinux.org/pere/blog/syslog_trusted_timestamp___chain_of_trusted_timestamps_for_your_syslog.html
</link>
12 <guid isPermaLink=
"true">http://people.skolelinux.org/pere/blog/syslog_trusted_timestamp___chain_of_trusted_timestamps_for_your_syslog.html
</guid>
13 <pubDate>Fri,
1 Apr
2016 09:
50:
00 +
0200</pubDate>
14 <description><p
>Two years ago, I had
15 <a href=
"http://people.skolelinux.org/pere/blog/Public_Trusted_Timestamping_services_for_everyone.html
">a
16 look at trusted timestamping options available
</a
>, and among
17 other things noted a still open
18 <a href=
"https://bugs.debian.org/
742553">bug in the tsget script
</a
>
19 included in openssl that made it harder than necessary to use openssl
20 as a trusted timestamping client. A few days ago I was told
21 <a href=
"https::/www.difi.no/
">the Norwegian government office DIFI
</a
> is
22 close to releasing their own trusted timestamp service, and in the
23 process I was happy to learn about a replacement for the tsget script
24 using only curl:
</p
>
27 openssl ts -query -data
"/etc/shells
" -cert -sha256 -no_nonce \
28 | curl -s -H
"Content-Type: application/timestamp-query
" \
29 --data-binary
"@-
" http://zeitstempel.dfn.de
> etc-shells.tsr
30 openssl ts -reply -text -in etc-shells.tsr
31 </pre
></p
>
33 <p
>This produces a binary timestamp file (etc-shells.tsr) which can be
34 used to verify that the content of the file /etc/shell with the
35 calculated sha256 hash existed at the point in time when the request
36 was made. The last command extract the content of the etc-shells.tsr
37 in human readable form. The idea behind such timestamp is to be able
38 to prove using cryptography that the content of a file have not
39 changed since the file was stamped.
</p
>
41 <p
>To verify that the file on disk match the public key signature in
42 the timestamp file, run the following commands. It make sure you have
43 the required certificate for the trusted timestamp service available
44 and use it to compare the file content with the timestamp. In
45 production, one should of course use a better method to verify the
46 service certificate.
</p
>
49 wget -O ca-cert.txt https://pki.pca.dfn.de/global-services-ca/pub/cacert/chain.txt
50 openssl ts -verify -data /etc/shells -in etc-shells.tsr -CAfile ca-cert.txt -text
51 </pre
></p
>
53 <p
>Wikipedia have a lot more information about
54 <a href=
"https://en.wikipedia.org/wiki/Trusted_timestamping
">trusted
55 Timestamping
</a
> and
56 <a href=
"https://en.wikipedia.org/wiki/Linked_timestamping
">linked
57 timestamping
</a
>, and there are several trusted timestamping services
58 around, both as commercial services and as free and public services.
60 <a href=
"https://www.pki.dfn.de/zeitstempeldienst/
">the
61 zeitstempel.dfn.de service
</a
> mentioned above and
62 <a href=
"https://freetsa.org/
">freetsa.org service
</a
> linked to from the
63 wikipedia web site. I believe the DIFI service should show up on
64 https://tsa.difi.no, but it is not available to the public at the
65 moment. I hope this will change when it is into production. The
66 <a href=
"https://tools.ietf.org/html/rfc3161
">RFC
3161</a
> trusted
67 timestamping protocol standard is even implemented in LibreOffice,
68 Microsoft Office and Adobe Acrobat, making it possible to verify when
69 a document was created.
</p
>
71 <p
>I would find it useful to be able to use such trusted timestamp
72 service to make it possible to verify that my stored syslog files have
73 not been tampered with. This is not a new idea. I found one example
74 implemented on the Endian network appliances where
75 <a href=
"http://help.endian.com/entries/
21518508-Enabling-Timestamping-on-log-files-
">the
76 configuration of such feature was described in
2012</a
>.
</p
>
78 <p
>But I could not find any free implementation of such feature when I
79 searched, so I decided to try to
80 <a href=
"https://github.com/petterreinholdtsen/syslog-trusted-timestamp
">build
81 a prototype named syslog-trusted-timestamp
</a
>. My idea is to
82 generate a timestamp of the old log files after they are rotated, and
83 store the timestamp in the new log file just after rotation. This
84 will form a chain that would make it possible to see if any old log
85 files are tampered with. But syslog is bad at handling kilobytes of
86 binary data, so I decided to base64 encode the timestamp and add an ID
87 and line sequence numbers to the base64 data to make it possible to
88 reassemble the timestamp file again. To use it, simply run it like
92 syslog-trusted-timestamp /path/to/list-of-log-files
93 </pre
></p
>
95 <p
>This will send a timestamp from one or more timestamp services (not
96 yet decided nor implemented) for each listed file to the syslog using
97 logger(
1). To verify the timestamp, the same program is used with the
98 --verify option:
</p
>
101 syslog-trusted-timestamp --verify /path/to/log-file /path/to/log-with-timestamp
102 </pre
></p
>
104 <p
>The verification step is not yet well designed. The current
105 implementation depend on the file path being unique and unchanging,
106 and this is not a solid assumption. It also uses process number as
107 timestamp ID, and this is bound to create ID collisions. I hope to
108 have time to come up with a better way to handle timestamp IDs and
109 verification later.
</p
>
111 <p
>Please check out
112 <a href=
"https://github.com/petterreinholdtsen/syslog-trusted-timestamp
">the
113 prototype for syslog-trusted-timestamp on github
</a
> and send
114 suggestions and improvement, or let me know if there already exist a
115 similar system for timestamping logs already to allow me to join
116 forces with others with the same interest.
</p
>
118 <p
>As usual, if you use Bitcoin and want to show your support of my
119 activities, please send Bitcoin donations to my address
120 <b
><a href=
"bitcoin:
15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b
">15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b
</a
></b
>.
</p
>
125 <title>Full battery stats collector is now available in Debian
</title>
126 <link>http://people.skolelinux.org/pere/blog/Full_battery_stats_collector_is_now_available_in_Debian.html
</link>
127 <guid isPermaLink=
"true">http://people.skolelinux.org/pere/blog/Full_battery_stats_collector_is_now_available_in_Debian.html
</guid>
128 <pubDate>Wed,
23 Mar
2016 22:
10:
00 +
0100</pubDate>
129 <description><p
>Since this morning, the battery-stats package in Debian include an
130 extended collector that will collect the complete battery history for
131 later processing and graphing. The original collector store the
132 battery level as percentage of last full level, while the new
133 collector also record battery vendor, model, serial number, design
134 full level, last full level and current battery level. This make it
135 possible to predict the lifetime of the battery as well as visualise
136 the energy flow when the battery is charging or discharging.
</p
>
138 <p
>The new tools are available in
<tt
>/usr/share/battery-stats/
</tt
>
139 in the version
0.5.1 package in unstable. Get the new battery level graph
140 and lifetime prediction by running:
143 /usr/share/battery-stats/battery-stats-graph /var/log/battery-stats.csv
144 </pre
></p
>
146 <p
>Or select the
'Battery Level Graph
' from your application menu.
</p
>
148 <p
>The flow in/out of the battery can be seen by running (no menu
149 entry yet):
</p
>
152 /usr/share/battery-stats/battery-stats-graph-flow
153 </pre
></p
>
155 <p
>I
'm not quite happy with the way the data is visualised, at least
156 when there are few data points. The graphs look a bit better with a
157 few years of data.
</p
>
159 <p
>A while back one important feature I use in the battery stats
160 collector broke in Debian. The scripts in
161 <tt
>/usr/lib/pm-utils/power.d/
</tt
> were no longer executed. I
162 suspect it happened when Jessie started using systemd, but I do not
163 know. The issue is reported as
164 <a href=
"https://bugs.debian.org/
818649">bug #
818649</a
> against
165 pm-utils. I managed to work around it by adding an udev rule to call
166 the collector script every time the power connector is connected and
167 disconnected. With this fix in place it was finally time to make a
168 new release of the package, and get it into Debian.
</p
>
170 <p
>If you are interested in how your laptop battery is doing, please
172 <a href=
"https://tracker.debian.org/pkg/battery-stats
">battery-stats
</a
>
173 in Debian unstable, or rebuild it on Jessie to get it working on
174 Debian stable. :) The upstream source is available from
175 <a href=
"https://github.com/petterreinholdtsen/battery-stats
">github
</a
>.
176 As always, patches are very welcome.
</p
>
181 <title>UsingQR -
"Electronic
" paper invoices using JSON and QR codes
</title>
182 <link>http://people.skolelinux.org/pere/blog/UsingQR____Electronic__paper_invoices_using_JSON_and_QR_codes.html
</link>
183 <guid isPermaLink=
"true">http://people.skolelinux.org/pere/blog/UsingQR____Electronic__paper_invoices_using_JSON_and_QR_codes.html
</guid>
184 <pubDate>Sat,
19 Mar
2016 09:
40:
00 +
0100</pubDate>
185 <description><p
>Back in
2013 I proposed
186 <a href=
"http://people.skolelinux.org/pere/blog/_Electronic__paper_invoices___using_vCard_in_a_QR_code.html
">a
187 way to make paper and PDF invoices easier to process electronically by
188 adding a QR code with the key information about the invoice
</a
>. I
189 suggested using vCard field definition, to get some standard format
190 for name and address, but any format would work. I did not do
191 anything about the proposal, but hoped someone one day would make
192 something like it. It would make it possible to efficiently send
193 machine readable invoices directly between seller and buyer.
</p
>
195 <p
>This was the background when I came across a proposal and
196 specification from the web based accounting and invoicing supplier
197 <a href=
"http://www.visma.com/
">Visma
</a
> in Sweden called
198 <a href=
"http://usingqr.com/
">UsingQR
</a
>. Their PDF invoices contain
199 a QR code with the key information of the invoice in JSON format.
200 This is the typical content of a QR code following the UsingQR
201 specification (based on a real world example, some numbers replaced to
202 get a more bogus entry). I
've reformatted the JSON to make it easier
203 to read. Normally this is all on one long line:
</p
>
205 <p
><img src=
"http://people.skolelinux.org/pere/blog/images/
2016-
03-
19-qr-invoice.png
" align=
"right
"><pre
>
207 "vh
":
500.00,
212 "nme
":
"Din Leverandør
",
213 "cc
":
"NO
",
214 "cid
":
"997912345 MVA
",
215 "iref
":
"12300001",
216 "idt
":
"20151022",
217 "ddt
":
"20151105",
218 "due
":
2500.0000,
219 "cur
":
"NOK
",
220 "pt
":
"BBAN
",
221 "acc
":
"17202612345",
222 "bc
":
"BIENNOK1
",
223 "adr
":
"0313 OSLO
"
225 </pre
></p
>
227 </p
>The interpretation of the fields can be found in the
228 <a href=
"http://usingqr.com/wp-content/uploads/
2014/
06/UsingQR_specification1.pdf
">format
229 specification
</a
> (revision
2 from june
2014). The format seem to
230 have most of the information needed to handle accounting and payment
231 of invoices, at least the fields I have needed so far here in
234 <p
>Unfortunately, the site and document do not mention anything about
235 the patent, trademark and copyright status of the format and the
236 specification. Because of this, I asked the people behind it back in
237 November to clarify. Ann-Christine Savlid (ann-christine.savlid (at)
238 visma.com) replied that Visma had not applied for patent or trademark
239 protection for this format, and that there were no copyright based
240 usage limitations for the format. I urged her to make sure this was
241 explicitly written on the web pages and in the specification, but
242 unfortunately this has not happened yet. So I guess if there is
243 submarine patents, hidden trademarks or a will to sue for copyright
244 infringements, those starting to use the UsingQR format might be at
245 risk, but if this happen there is some legal defense in the fact that
246 the people behind the format claimed it was safe to do so. At least
247 with patents, there is always
248 <a href=
"http://www.paperspecs.com/paper-news/beware-the-qr-code-patent-trap/
">a
249 chance of getting sued...
</a
></p
>
251 <p
>I also asked if they planned to maintain the format in an
252 independent standard organization to give others more confidence that
253 they would participate in the standardization process on equal terms
254 with Visma, but they had no immediate plans for this. Their plan was
255 to work with banks to try to get more users of the format, and
256 evaluate the way forward if the format proved to be popular. I hope
257 they conclude that using an open standard organisation like
258 <a href=
"http://www.ietf.org/
">IETF
</a
> is the correct place to
259 maintain such specification.
</p
>
261 <p
><strong
>Update
2016-
03-
20</strong
>: Via Twitter I became aware of
262 <a href=
"https://news.ycombinator.com/item?id=
11319492">some comments
263 about this blog post
</a
> that had several useful links and references to
264 similar systems. In the Czech republic, the Czech Banking Association
265 standard #
26, with short name SPAYD, uses QR codes with payment
266 information. More information is available from the Wikipedia page on
267 <a href=
"https://en.wikipedia.org/wiki/Short_Payment_Descriptor
">Short
268 Payment Descriptor
</a
>. And in Germany, there is a system named
269 <a href=
"http://www.bezahlcode.de/
">BezahlCode
</a
>,
270 (
<a href=
"http://www.bezahlcode.de/wp-content/uploads/BezahlCode_TechDok.pdf
">specification
271 v1.8
2013-
12-
05 available as PDF
</a
>), which uses QR codes with
272 URL-like formatting using
"bank:
" as the URI schema/protocol to
273 provide the payment information. There is also the
274 <a href=
"http://www.ferd-net.de/front_content.php?idcat=
231">ZUGFeRD
</a
>
275 file format that perhaps could be transfered using QR codes, but I am
276 not sure if it is done already. Last, in Bolivia there are reports
277 that tax information since november
2014 need to be printed in QR
278 format on invoices. I have not been able to track down a
279 specification for this format, because of my limited language skill
285 <title>Making battery measurements a little easier in Debian
</title>
286 <link>http://people.skolelinux.org/pere/blog/Making_battery_measurements_a_little_easier_in_Debian.html
</link>
287 <guid isPermaLink=
"true">http://people.skolelinux.org/pere/blog/Making_battery_measurements_a_little_easier_in_Debian.html
</guid>
288 <pubDate>Tue,
15 Mar
2016 15:
00:
00 +
0100</pubDate>
289 <description><p
>Back in September, I blogged about
290 <a href=
"http://people.skolelinux.org/pere/blog/The_life_and_death_of_a_laptop_battery.html
">the
291 system I wrote to collect statistics about my laptop battery
</a
>, and
292 how it showed the decay and death of this battery (now replaced). I
293 created a simple deb package to handle the collection and graphing,
294 but did not want to upload it to Debian as there were already
295 <a href=
"https://tracker.debian.org/pkg/battery-stats
">a battery-stats
296 package in Debian
</a
> that should do the same thing, and I did not see
297 a point of uploading a competing package when battery-stats could be
298 fixed instead. I reported a few bugs about its non-function, and
299 hoped someone would step in and fix it. But no-one did.
</p
>
301 <p
>I got tired of waiting a few days ago, and took matters in my own
302 hands. The end result is that I am now the new upstream developer of
303 battery stats (
<a href=
"https://github.com/petterreinholdtsen/battery-stats
">available from github
</a
>) and part of the team maintaining
304 battery-stats in Debian, and the package in Debian unstable is finally
305 able to collect battery status using the
<tt
>/sys/class/power_supply/
</tt
>
306 information provided by the Linux kernel. If you install the
307 battery-stats package from unstable now, you will be able to get a
308 graph of the current battery fill level, to get some idea about the
309 status of the battery. The source package build and work just fine in
310 Debian testing and stable (and probably oldstable too, but I have not
311 tested). The default graph you get for that system look like this:
</p
>
313 <p align=
"center
"><img src=
"http://people.skolelinux.org/pere/blog/images/
2016-
03-
15-battery-stats-graph-example.png
" width=
"70%
" align=
"center
"></p
>
315 <p
>My plans for the future is to merge my old scripts into the
316 battery-stats package, as my old scripts collected a lot more details
317 about the battery. The scripts are merged into the upstream
318 battery-stats git repository already, but I am not convinced they work
319 yet, as I changed a lot of paths along the way. Will have to test a
320 bit more before I make a new release.
</p
>
322 <p
>I will also consider changing the file format slightly, as I
323 suspect the way I combine several values into one field might make it
324 impossible to know the type of the value when using it for processing
325 and graphing.
</p
>
327 <p
>If you would like I would like to keep an close eye on your laptop
328 battery, check out the battery-stats package in
329 <a href=
"https://tracker.debian.org/pkg/battery-stats
">Debian
</a
> and
331 <a href=
"https://github.com/petterreinholdtsen/battery-stats
">github
</a
>.
332 I would love some help to improve the system further.
</p
>
337 <title>Creating, updating and checking debian/copyright semi-automatically
</title>
338 <link>http://people.skolelinux.org/pere/blog/Creating__updating_and_checking_debian_copyright_semi_automatically.html
</link>
339 <guid isPermaLink=
"true">http://people.skolelinux.org/pere/blog/Creating__updating_and_checking_debian_copyright_semi_automatically.html
</guid>
340 <pubDate>Fri,
19 Feb
2016 15:
00:
00 +
0100</pubDate>
341 <description><p
>Making packages for Debian requires quite a lot of attention to
342 details. And one of the details is the content of the
343 debian/copyright file, which should list all relevant licenses used by
344 the code in the package in question, preferably in
345 <a href=
"https://www.debian.org/doc/packaging-manuals/copyright-format/
1.0/
">machine
346 readable DEP5 format
</a
>.
</p
>
348 <p
>For large packages with lots of contributors it is hard to write
349 and update this file manually, and if you get some detail wrong, the
350 package is normally rejected by the ftpmasters. So getting it right
351 the first time around get the package into Debian faster, and save
352 both you and the ftpmasters some work.. Today, while trying to figure
353 out what was wrong with
354 <a href=
"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=
686447">the
355 zfsonlinux copyright file
</a
>, I decided to spend some time on
356 figuring out the options for doing this job automatically, or at least
357 semi-automatically.
</p
>
359 <p
>Lucikly, there are at least two tools available for generating the
360 file based on the code in the source package,
361 <tt
><a href=
"https://tracker.debian.org/pkg/debmake
">debmake
</a
></tt
>
362 and
<tt
><a href=
"https://tracker.debian.org/pkg/cme
">cme
</a
></tt
>. I
'm
363 not sure which one of them came first, but both seem to be able to
364 create a sensible draft file. As far as I can tell, none of them can
365 be trusted to get the result just right, so the content need to be
366 polished a bit before the file is OK to upload. I found the debmake
368 <a href=
"http://goofying-with-debian.blogspot.com/
2014/
07/debmake-checking-source-against-dep-
5.html
">a
369 blog posts from
2014</a
>.
371 <p
>To generate using debmake, use the -cc option:
374 debmake -cc
> debian/copyright
375 </pre
></p
>
377 <p
>Note there are some problems with python and non-ASCII names, so
378 this might not be the best option.
</p
>
380 <p
>The cme option is based on a config parsing library, and I found
382 <a href=
"https://ddumont.wordpress.com/
2015/
04/
05/improving-creation-of-debian-copyright-file/
">a
383 blog post from
2015</a
>. To generate using cme, use the
'update
384 dpkg-copyright
' option:
387 cme update dpkg-copyright
388 </pre
></p
>
390 <p
>This will create or update debian/copyright. The cme tool seem to
391 handle UTF-
8 names better than debmake.
</p
>
393 <p
>When the copyright file is created, I would also like some help to
394 check if the file is correct. For this I found two good options,
395 <tt
>debmake -k
</tt
> and
<tt
>license-reconcile
</tt
>. The former seem
396 to focus on license types and file matching, and is able to detect
397 ineffective blocks in the copyright file. The latter reports missing
398 copyright holders and years, but was confused by inconsistent license
399 names (like CDDL vs. CDDL-
1.0). I suspect it is good to use both and
400 fix all issues reported by them before uploading. But I do not know
401 if the tools and the ftpmasters agree on what is important to fix in a
402 copyright file, so the package might still be rejected.
</p
>
404 <p
>The devscripts tool
<tt
>licensecheck
</tt
> deserve mentioning. It
405 will read through the source and try to find all copyright statements.
406 It is not comparing the result to the content of debian/copyright, but
407 can be useful when verifying the content of the copyright file.
</p
>
409 <p
>Are you aware of better tools in Debian to create and update
410 debian/copyright file. Please let me know, or blog about it on
411 planet.debian.org.
</p
>
413 <p
>As usual, if you use Bitcoin and want to show your support of my
414 activities, please send Bitcoin donations to my address
415 <b
><a href=
"bitcoin:
15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b
">15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b
</a
></b
>.
</p
>
417 <p
><strong
>Update
2016-
02-
20</strong
>: I got a tip from Mike Gabriel
418 on how to use licensecheck and cdbs to create a draft copyright file
421 licensecheck --copyright -r `find * -type f` | \
422 /usr/lib/cdbs/licensecheck2dep5
> debian/copyright.auto
423 </pre
></p
>
425 <p
>He mentioned that he normally check the generated file into the
426 version control system to make it easier to discover license and
427 copyright changes in the upstream source. I will try to do the same
428 with my packages in the future.
</p
>
430 <p
><strong
>Update
2016-
02-
21</strong
>: The cme author recommended
431 against using -quiet for new users, so I removed it from the proposed
432 command line.
</p
>
437 <title>Using appstream in Debian to locate packages with firmware and mime type support
</title>
438 <link>http://people.skolelinux.org/pere/blog/Using_appstream_in_Debian_to_locate_packages_with_firmware_and_mime_type_support.html
</link>
439 <guid isPermaLink=
"true">http://people.skolelinux.org/pere/blog/Using_appstream_in_Debian_to_locate_packages_with_firmware_and_mime_type_support.html
</guid>
440 <pubDate>Thu,
4 Feb
2016 16:
40:
00 +
0100</pubDate>
441 <description><p
>The
<a href=
"https://wiki.debian.org/DEP-
11">appstream system
</a
>
442 is taking shape in Debian, and one provided feature is a very
443 convenient way to tell you which package to install to make a given
444 firmware file available when the kernel is looking for it. This can
445 be done using apt-file too, but that is for someone else to blog
448 <p
>Here is a small recipe to find the package with a given firmware
449 file, in this example I am looking for ctfw-
3.2.3.0.bin, randomly
450 picked from the set of firmware announced using appstream in Debian
451 unstable. In general you would be looking for the firmware requested
452 by the kernel during kernel module loading. To find the package
453 providing the example file, do like this:
</p
>
455 <blockquote
><pre
>
456 % apt install appstream
460 % appstreamcli what-provides firmware:runtime ctfw-
3.2.3.0.bin | \
461 awk
'/Package:/ {print $
2}
'
464 </pre
></blockquote
>
466 <p
>See
<a href=
"https://wiki.debian.org/AppStream/Guidelines
">the
467 appstream wiki
</a
> page to learn how to embed the package metadata in
468 a way appstream can use.
</p
>
470 <p
>This same approach can be used to find any package supporting a
471 given MIME type. This is very useful when you get a file you do not
472 know how to handle. First find the mime type using
<tt
>file
473 --mime-type
</tt
>, and next look up the package providing support for
474 it. Lets say you got an SVG file. Its MIME type is image/svg+xml,
475 and you can find all packages handling this type like this:
</p
>
477 <blockquote
><pre
>
478 % apt install appstream
482 % appstreamcli what-provides mimetype image/svg+xml | \
483 awk
'/Package:/ {print $
2}
'
505 </pre
></blockquote
>
507 <p
>I believe the MIME types are fetched from the desktop file for
508 packages providing appstream metadata.
</p
>
513 <title>Creepy, visualise geotagged social media information - nice free software
</title>
514 <link>http://people.skolelinux.org/pere/blog/Creepy__visualise_geotagged_social_media_information___nice_free_software.html
</link>
515 <guid isPermaLink=
"true">http://people.skolelinux.org/pere/blog/Creepy__visualise_geotagged_social_media_information___nice_free_software.html
</guid>
516 <pubDate>Sun,
24 Jan
2016 10:
50:
00 +
0100</pubDate>
517 <description><p
>Most people seem not to realise that every time they walk around
518 with the computerised radio beacon known as a mobile phone their
519 position is tracked by the phone company and often stored for a long
520 time (like every time a SMS is received or sent). And if their
521 computerised radio beacon is capable of running programs (often called
522 mobile apps) downloaded from the Internet, these programs are often
523 also capable of tracking their location (if the app requested access
524 during installation). And when these programs send out information to
525 central collection points, the location is often included, unless
526 extra care is taken to not send the location. The provided
527 information is used by several entities, for good and bad (what is
528 good and bad, depend on your point of view). What is certain, is that
529 the private sphere and the right to free movement is challenged and
530 perhaps even eradicated for those announcing their location this way,
531 when they share their whereabouts with private and public
534 <p align=
"center
"><img width=
"70%
" src=
"http://people.skolelinux.org/pere/blog/images/
2016-
01-
24-nice-creepy-desktop-window.png
"></p
>
536 <p
>The phone company logs provide a register of locations to check out
537 when one want to figure out what the tracked person was doing. It is
538 unavailable for most of us, but provided to selected government
539 officials, company staff, those illegally buying information from
540 unfaithful servants and crackers stealing the information. But the
541 public information can be collected and analysed, and a free software
542 tool to do so is called
543 <a href=
"http://www.geocreepy.com/
">Creepy or Cree.py
</a
>. I
544 discovered it when I read
545 <a href=
"http://www.aftenposten.no/kultur/Slik-kan-du-bli-overvaket-pa-Twitter-og-Instagram-uten-a-ane-det-
7787884.html
">an
546 article about Creepy
</a
> in the Norwegian newspaper Aftenposten i
547 November
2014, and decided to check if it was available in Debian.
548 The python program was in Debian, but
549 <a href=
"https://tracker.debian.org/pkg/creepy
">the version in
550 Debian
</a
> was completely broken and practically unmaintained. I
551 uploaded a new version which did not work quite right, but did not
552 have time to fix it then. This Christmas I decided to finally try to
553 get Creepy operational in Debian. Now a fixed version is available in
554 Debian unstable and testing, and almost all Debian specific patches
556 <a href=
"https://github.com/jkakavas/creepy
">upstream
</a
>.
</p
>
558 <p
>The Creepy program visualises geolocation information fetched from
559 Twitter, Instagram, Flickr and Google+, and allow one to get a
560 complete picture of every social media message posted recently in a
561 given area, or track the movement of a given individual across all
562 these services. Earlier it was possible to use the search API of at
563 least some of these services without identifying oneself, but these
564 days it is impossible. This mean that to use Creepy, you need to
565 configure it to log in as yourself on these services, and provide
566 information to them about your search interests. This should be taken
567 into account when using Creepy, as it will also share information
568 about yourself with the services.
</p
>
570 <p
>The picture above show the twitter messages sent from (or at least
571 geotagged with a position from) the city centre of Oslo, the capital
572 of Norway. One useful way to use Creepy is to first look at
573 information tagged with an area of interest, and next look at all the
574 information provided by one or more individuals who was in the area.
575 I tested it by checking out which celebrity provide their location in
576 twitter messages by checkout out who sent twitter messages near a
577 Norwegian TV station, and next could track their position over time,
578 making it possible to locate their home and work place, among other
579 things. A similar technique have been
580 <a href=
"http://www.buzzfeed.com/maxseddon/does-this-soldiers-instagram-account-prove-russia-is-covertl
">used
581 to locate Russian soldiers in Ukraine
</a
>, and it is both a powerful
582 tool to discover lying governments, and a useful tool to help people
583 understand the value of the private information they provide to the
586 <p
>The package is not trivial to backport to Debian Stable/Jessie, as
587 it depend on several python modules currently missing in Jessie (at
588 least python-instagram, python-flickrapi and
589 python-requests-toolbelt).
</p
>
591 <p
>(I have uploaded
592 <a href=
"https://screenshots.debian.net/package/creepy
">the image to
593 screenshots.debian.net
</a
> and licensed it under the same terms as the
594 Creepy program in Debian.)
</p
>
599 <title>Always download Debian packages using Tor - the simple recipe
</title>
600 <link>http://people.skolelinux.org/pere/blog/Always_download_Debian_packages_using_Tor___the_simple_recipe.html
</link>
601 <guid isPermaLink=
"true">http://people.skolelinux.org/pere/blog/Always_download_Debian_packages_using_Tor___the_simple_recipe.html
</guid>
602 <pubDate>Fri,
15 Jan
2016 00:
30:
00 +
0100</pubDate>
603 <description><p
>During his DebConf15 keynote, Jacob Appelbaum
604 <a href=
"https://summit.debconf.org/debconf15/meeting/
331/what-is-to-be-done/
">observed
605 that those listening on the Internet lines would have good reason to
606 believe a computer have a given security hole
</a
> if it download a
607 security fix from a Debian mirror. This is a good reason to always
608 use encrypted connections to the Debian mirror, to make sure those
609 listening do not know which IP address to attack. In August, Richard
610 Hartmann observed that encryption was not enough, when it was possible
611 to interfere download size to security patches or the fact that
612 download took place shortly after a security fix was released, and
613 <a href=
"http://richardhartmann.de/blog/posts/
2015/
08/
24-Tor-enabled_Debian_mirror/
">proposed
614 to always use Tor to download packages from the Debian mirror
</a
>. He
615 was not the first to propose this, as the
616 <tt
><a href=
"https://tracker.debian.org/pkg/apt-transport-tor
">apt-transport-tor
</a
></tt
>
617 package by Tim Retout already existed to make it easy to convince apt
618 to use
<a href=
"https://www.torproject.org/
">Tor
</a
>, but I was not
619 aware of that package when I read the blog post from Richard.
</p
>
621 <p
>Richard discussed the idea with Peter Palfrader, one of the Debian
622 sysadmins, and he set up a Tor hidden service on one of the central
623 Debian mirrors using the address vwakviie2ienjx6t.onion, thus making
624 it possible to download packages directly between two tor nodes,
625 making sure the network traffic always were encrypted.
</p
>
627 <p
>Here is a short recipe for enabling this on your machine, by
628 installing
<tt
>apt-transport-tor
</tt
> and replacing http and https
629 urls with tor+http and tor+https, and using the hidden service instead
630 of the official Debian mirror site. I recommend installing
631 <tt
>etckeeper
</tt
> before you start to have a history of the changes
632 done in /etc/.
</p
>
634 <blockquote
><pre
>
635 apt install apt-transport-tor
636 sed -i
's% http://ftp.debian.org/% tor+http://vwakviie2ienjx6t.onion/%
' /etc/apt/sources.list
637 sed -i
's% http% tor+http%
' /etc/apt/sources.list
638 </pre
></blockquote
>
640 <p
>If you have more sources listed in /etc/apt/sources.list.d/, run
641 the sed commands for these too. The sed command is assuming your are
642 using the ftp.debian.org Debian mirror. Adjust the command (or just
643 edit the file manually) to match your mirror.
</p
>
645 <p
>This work in Debian Jessie and later. Note that tools like
646 <tt
>apt-file
</tt
> only recently started using the apt transport
647 system, and do not work with these tor+http URLs. For
648 <tt
>apt-file
</tt
> you need the version currently in experimental,
649 which need a recent apt version currently only in unstable. So if you
650 need a working
<tt
>apt-file
</tt
>, this is not for you.
</p
>
652 <p
>Another advantage from this change is that your machine will start
653 using Tor regularly and at fairly random intervals (every time you
654 update the package lists or upgrade or install a new package), thus
655 masking other Tor traffic done from the same machine. Using Tor will
656 become normal for the machine in question.
</p
>
658 <p
>On
<a href=
"https://wiki.debian.org/FreedomBox
">Freedombox
</a
>, APT
659 is set up by default to use
<tt
>apt-transport-tor
</tt
> when Tor is
660 enabled. It would be great if it was the default on any Debian
666 <title>Nedlasting fra NRK, som Matroska med undertekster
</title>
667 <link>http://people.skolelinux.org/pere/blog/Nedlasting_fra_NRK__som_Matroska_med_undertekster.html
</link>
668 <guid isPermaLink=
"true">http://people.skolelinux.org/pere/blog/Nedlasting_fra_NRK__som_Matroska_med_undertekster.html
</guid>
669 <pubDate>Sat,
2 Jan
2016 13:
50:
00 +
0100</pubDate>
670 <description><p
>Det kommer stadig nye løsninger for å ta lagre unna innslag fra NRK
671 for å se på det senere. For en stund tilbake kom jeg over et script
672 nrkopptak laget av Ingvar Hagelund. Han fjernet riktignok sitt script
673 etter forespørsel fra Erik Bolstad i NRK, men noen tok heldigvis og
674 gjorde det
<a href=
"https://github.com/liangqi/nrkopptak
">tilgjengelig
675 via github
</a
>.
</p
>
677 <p
>Scriptet kan lagre som MPEG4 eller Matroska, og bake inn
678 undertekster i fila på et vis som blant annet VLC forstår. For å
679 bruke scriptet, kopier ned git-arkivet og kjør
</p
>
682 nrkopptak/bin/nrk-opptak k
<ahref=
"https://tv.nrk.no/serie/bmi-turne/MUHH45000115/sesong-
1/episode-
1">https://tv.nrk.no/serie/bmi-turne/MUHH45000115/sesong-
1/episode-
1</a
>
683 </pre
></p
>
685 <p
>URL-eksemplet er dagens toppsak på tv.nrk.no. Argument
'k
' ber
686 scriptet laste ned og lagre som Matroska. Det finnes en rekke andre
687 muligheter for valg av kvalitet og format.
</p
>
689 <p
>Jeg foretrekker dette scriptet fremfor youtube-dl, som
690 <a href=
"http://people.skolelinux.org/pere/blog/Hvordan_enkelt_laste_ned_filmer_fra_NRK_med_den__nye__l_sningen.html
">
691 nevnt i
2014 støtter NRK
</a
> og en rekke andre videokilder, på grunn
692 av at nrkopptak samler undertekster og video i en enkelt fil, hvilket
693 gjør håndtering enklere på disk.
</p
>
698 <title>OpenALPR, find car license plates in video streams - nice free software
</title>
699 <link>http://people.skolelinux.org/pere/blog/OpenALPR__find_car_license_plates_in_video_streams___nice_free_software.html
</link>
700 <guid isPermaLink=
"true">http://people.skolelinux.org/pere/blog/OpenALPR__find_car_license_plates_in_video_streams___nice_free_software.html
</guid>
701 <pubDate>Wed,
23 Dec
2015 01:
00:
00 +
0100</pubDate>
702 <description><p
>When I was a kid, we used to collect
"car numbers
", as we used to
703 call the car license plate numbers in those days. I would write the
704 numbers down in my little book and compare notes with the other kids
705 to see how many region codes we had seen and if we had seen some
706 exotic or special region codes and numbers. It was a fun game to pass
707 time, as we kids have plenty of it.
</p
>
709 <p
>A few days I came across
710 <a href=
"https://github.com/openalpr/openalpr
">the OpenALPR
711 project
</a
>, a free software project to automatically discover and
712 report license plates in images and video streams, and provide the
713 "car numbers
" in a machine readable format. I
've been looking for
714 such system for a while now, because I believe it is a bad idea that the
715 <a href=
"https://en.wikipedia.org/wiki/Automatic_number_plate_recognition
">automatic
716 number plate recognition
</a
> tool only is available in the hands of
717 the powerful, and want it to be available also for the powerless to
718 even the score when it comes to surveillance and sousveillance. I
719 discovered the developer
720 <a href=
"https://bugs.debian.org/
747509">wanted to get the tool into
721 Debian
</a
>, and as I too wanted it to be in Debian, I volunteered to
722 help him get it into shape to get the package uploaded into the Debian
725 <p
>Today we finally managed to get the package into shape and uploaded
726 it into Debian, where it currently
727 <a href=
"https://ftp-master.debian.org//new/openalpr_2.2
.1-
1.html
">waits
728 in the NEW queue
</a
> for review by the Debian ftpmasters.
</p
>
730 <p
>I guess you are wondering why on earth such tool would be useful
731 for the common folks, ie those not running a large government
732 surveillance system? Well, I plan to put it in a computer on my bike
733 and in my car, tracking the cars nearby and allowing me to be notified
734 when number plates on my watch list are discovered. Another use case
735 was suggested by a friend of mine, who wanted to set it up at his home
736 to open the car port automatically when it discovered the plate on his
737 car. When I mentioned it perhaps was a bit foolhardy to allow anyone
738 capable of placing his license plate number of a piece of cardboard to
739 open his car port, men replied that it was always unlocked anyway. I
740 guess for such use case it make sense. I am sure there are other use
741 cases too, for those with imagination and a vision.
</p
>
743 <p
>If you want to build your own version of the Debian package, check
744 out the upstream git source and symlink ./distros/debian to ./debian/
745 before running
"debuild
" to build the source. Or wait a bit until the
746 package show up in unstable.
</p
>
projects / homepage.git / blob