1 <?xml version=
"1.0" encoding=
"ISO-8859-1"?>
2 <rss version='
2.0' xmlns:lj='http://www.livejournal.org/rss/lj/
1.0/'
>
4 <title>Petter Reinholdtsen - Entries from January
2017</title>
5 <description>Entries from January
2017</description>
6 <link>https://www.hungry.com/~pere/blog/
</link>
10 <title>Nasjonalbiblioteket avslutter sin ulovlige bruk av Google Skjemaer
</title>
11 <link>https://www.hungry.com/~pere/blog/Nasjonalbiblioteket_avslutter_sin_ulovlige_bruk_av_Google_Skjemaer.html
</link>
12 <guid isPermaLink=
"true">https://www.hungry.com/~pere/blog/Nasjonalbiblioteket_avslutter_sin_ulovlige_bruk_av_Google_Skjemaer.html
</guid>
13 <pubDate>Thu,
12 Jan
2017 09:
40:
00 +
0100</pubDate>
14 <description><p
>I dag fikk jeg en skikkelig gladmelding. Bakgrunnen er at før jul
15 arrangerte Nasjonalbiblioteket
16 <a href=
"http://www.nb.no/Bibliotekutvikling/Kunnskapsorganisering/Nasjonalt-verksregister/Seminar-om-verksregister
">et
17 seminar om sitt knakende gode tiltak «verksregister»
</a
>. Eneste
18 måten å melde seg på dette seminaret var å sende personopplysninger
19 til Google via Google Skjemaer. Dette syntes jeg var tvilsom praksis,
20 da det bør være mulig å delta på seminarer arrangert av det offentlige
21 uten å måtte dele sine interesser, posisjon og andre
22 personopplysninger med Google. Jeg ba derfor om innsyn via
23 <a href=
"https://www.mimesbronn.no/
">Mimes brønn
</a
> i
24 <a href=
"https://www.mimesbronn.no/request/personopplysninger_til_google_sk
">avtaler
25 og vurderinger Nasjonalbiblioteket hadde rundt dette
</a
>.
26 Personopplysningsloven legger klare rammer for hva som må være på
27 plass før en kan be tredjeparter, spesielt i utlandet, behandle
28 personopplysninger på sine vegne, så det burde eksistere grundig
29 dokumentasjon før noe slikt kan bli lovlig. To jurister hos
30 Nasjonalbiblioteket mente først dette var helt i orden, og at Googles
31 standardavtale kunne brukes som databehandlingsavtale. Det syntes jeg
32 var merkelig, men har ikke hatt kapasitet til å følge opp saken før
33 for to dager siden.
</p
>
35 <p
>Gladnyheten i dag, som kom etter at jeg tipset Nasjonalbiblioteket
36 om at Datatilsynet underkjente Googles standardavtaler som
37 databehandleravtaler i
2011, er at Nasjonalbiblioteket har bestemt seg
38 for å avslutte bruken av Googles Skjemaer/Apps og gå i dialog med DIFI
39 for å finne bedre måter å håndtere påmeldinger i tråd med
40 personopplysningsloven. Det er fantastisk å se at av og til hjelper
41 det å spørre hva i alle dager det offentlige holder på med.
</p
>
46 <title>Bryter NAV sin egen personvernerklæring?
</title>
47 <link>https://www.hungry.com/~pere/blog/Bryter_NAV_sin_egen_personvernerkl_ring_.html
</link>
48 <guid isPermaLink=
"true">https://www.hungry.com/~pere/blog/Bryter_NAV_sin_egen_personvernerkl_ring_.html
</guid>
49 <pubDate>Wed,
11 Jan
2017 06:
50:
00 +
0100</pubDate>
50 <description><p
>Jeg leste med interesse en nyhetssak hos
51 <a href=
"http://www.digi.no/artikler/nav-avslorer-trygdemisbruk-ved-a-spore-ip-adresser/
367394">digi.no
</a
>
53 <a href=
"https://www.nrk.no/buskerud/trygdesvindlere-avslores-av-utenlandske-ip-adresser-
1.13313461">NRK
</a
>
54 om at det ikke bare er meg, men at også NAV bedriver geolokalisering
55 av IP-adresser, og at det gjøres analyse av IP-adressene til de som
56 sendes inn meldekort for å se om meldekortet sendes inn fra
57 utenlandske IP-adresser. Politiadvokat i Drammen, Hans Lyder Haare,
58 er sitert i NRK på at «De to er jo blant annet avslørt av
59 IP-adresser. At man ser at meldekortet kommer fra utlandet.»
</p
>
61 <p
>Jeg synes det er fint at det blir bedre kjent at IP-adresser
62 knyttes til enkeltpersoner og at innsamlet informasjon brukes til å
63 stedsbestemme personer også av aktører her i Norge. Jeg ser det som
64 nok et argument for å bruke
65 <a href=
"https://www.torproject.org/
">Tor
</a
> så mye som mulig for å
66 gjøre gjøre IP-lokalisering vanskeligere, slik at en kan beskytte sin
67 privatsfære og unngå å dele sin fysiske plassering med
68 uvedkommede.
</p
>
70 <P
>Men det er en ting som bekymrer meg rundt denne nyheten. Jeg ble
71 tipset (takk #nuug) om
72 <a href=
"https://www.nav.no/no/NAV+og+samfunn/Kontakt+NAV/Teknisk+brukerstotte/Snarveier/personvernerkl%C3%A6ring-for-arbeids-og-velferdsetaten
">NAVs
73 personvernerklæring
</a
>, som under punktet «Personvern og statistikk»
76 <p
><blockquote
>
78 <p
>«Når du besøker nav.no, etterlater du deg elektroniske spor. Sporene
79 dannes fordi din nettleser automatisk sender en rekke opplysninger til
80 NAVs tjener (server-maskin) hver gang du ber om å få vist en side. Det
81 er eksempelvis opplysninger om hvilken nettleser og -versjon du
82 bruker, og din internettadresse (ip-adresse). For hver side som vises,
83 lagres følgende opplysninger:
</p
>
86 <li
>hvilken side du ser på
</li
>
87 <li
>dato og tid
</li
>
88 <li
>hvilken nettleser du bruker
</li
>
89 <li
>din ip-adresse
</li
>
92 <p
>Ingen av opplysningene vil bli brukt til å identifisere
93 enkeltpersoner. NAV bruker disse opplysningene til å generere en
94 samlet statistikk som blant annet viser hvilke sider som er mest
95 populære. Statistikken er et redskap til å forbedre våre
98 </blockquote
></p
>
100 <p
>Jeg klarer ikke helt å se hvordan analyse av de besøkendes
101 IP-adresser for å se hvem som sender inn meldekort via web fra en
102 IP-adresse i utlandet kan gjøres uten å komme i strid med påstanden om
103 at «ingen av opplysningene vil bli brukt til å identifisere
104 enkeltpersoner». Det virker dermed for meg som at NAV bryter sine
105 egen personvernerklæring, hvilket
106 <a href=
"https://people.skolelinux.org/pere/blog/Er_lover_brutt_n_r_personvernpolicy_ikke_stemmer_med_praksis_.html
">Datatilsynet
107 fortalte meg i starten av desember antagelig er brudd på
108 personopplysningsloven
</a
>.
110 <p
>I tillegg er personvernerklæringen ganske misvisende i og med at
111 NAVs nettsider ikke bare forsyner NAV med personopplysninger, men i
112 tillegg ber brukernes nettleser kontakte fem andre nettjenere
113 (script.hotjar.com, static.hotjar.com, vars.hotjar.com,
114 www.google-analytics.com og www.googletagmanager.com), slik at
115 personopplysninger blir gjort tilgjengelig for selskapene Hotjar og
116 Google , og alle som kan lytte på trafikken på veien (som FRA, GCHQ og
117 NSA). Jeg klarer heller ikke se hvordan slikt spredning av
118 personopplysninger kan være i tråd med kravene i
119 personopplysningloven, eller i tråd med NAVs personvernerklæring.
</p
>
121 <p
>Kanskje NAV bør ta en nøye titt på sin personvernerklæring? Eller
122 kanskje Datatilsynet bør gjøre det?
</p
>
127 <title>Where did that package go?
&mdash; geolocated IP traceroute
</title>
128 <link>https://www.hungry.com/~pere/blog/Where_did_that_package_go___mdash__geolocated_IP_traceroute.html
</link>
129 <guid isPermaLink=
"true">https://www.hungry.com/~pere/blog/Where_did_that_package_go___mdash__geolocated_IP_traceroute.html
</guid>
130 <pubDate>Mon,
9 Jan
2017 12:
20:
00 +
0100</pubDate>
131 <description><p
>Did you ever wonder where the web trafic really flow to reach the
132 web servers, and who own the network equipment it is flowing through?
133 It is possible to get a glimpse of this from using traceroute, but it
134 is hard to find all the details. Many years ago, I wrote a system to
135 map the Norwegian Internet (trying to figure out if our plans for a
136 network game service would get low enough latency, and who we needed
137 to talk to about setting up game servers close to the users. Back
138 then I used traceroute output from many locations (I asked my friends
139 to run a script and send me their traceroute output) to create the
140 graph and the map. The output from traceroute typically look like
144 traceroute to www.stortinget.no (
85.88.67.10),
30 hops max,
60 byte packets
145 1 uio-gw10.uio.no (
129.240.202.1)
0.447 ms
0.486 ms
0.621 ms
146 2 uio-gw8.uio.no (
129.240.24.229)
0.467 ms
0.578 ms
0.675 ms
147 3 oslo-gw1.uninett.no (
128.39.65.17)
0.385 ms
0.373 ms
0.358 ms
148 4 te3-
1-
2.br1.fn3.as2116.net (
193.156.90.3)
1.174 ms
1.172 ms
1.153 ms
149 5 he16-
1-
1.cr1.san110.as2116.net (
195.0.244.234)
2.627 ms he16-
1-
1.cr2.oslosda310.as2116.net (
195.0.244.48)
3.172 ms he16-
1-
1.cr1.san110.as2116.net (
195.0.244.234)
2.857 ms
150 6 ae1.ar8.oslosda310.as2116.net (
195.0.242.39)
0.662 ms
0.637 ms ae0.ar8.oslosda310.as2116.net (
195.0.242.23)
0.622 ms
151 7 89.191.10.146 (
89.191.10.146)
0.931 ms
0.917 ms
0.955 ms
155 </pre
></p
>
157 <p
>This show the DNS names and IP addresses of (at least some of the)
158 network equipment involved in getting the data traffic from me to the
159 www.stortinget.no server, and how long it took in milliseconds for a
160 package to reach the equipment and return to me. Three packages are
161 sent, and some times the packages do not follow the same path. This
162 is shown for hop
5, where three different IP addresses replied to the
163 traceroute request.
</p
>
165 <p
>There are many ways to measure trace routes. Other good traceroute
166 implementations I use are traceroute (using ICMP packages) mtr (can do
167 both ICMP, UDP and TCP) and scapy (python library with ICMP, UDP, TCP
168 traceroute and a lot of other capabilities). All of them are easily
169 available in
<a href=
"https://www.debian.org/
">Debian
</a
>.
</p
>
171 <p
>This time around, I wanted to know the geographic location of
172 different route points, to visualize how visiting a web page spread
173 information about the visit to a lot of servers around the globe. The
174 background is that a web site today often will ask the browser to get
175 from many servers the parts (for example HTML, JSON, fonts,
176 JavaScript, CSS, video) required to display the content. This will
177 leak information about the visit to those controlling these servers
178 and anyone able to peek at the data traffic passing by (like your ISP,
179 the ISPs backbone provider, FRA, GCHQ, NSA and others).
</p
>
181 <p
>Lets pick an example, the Norwegian parliament web site
182 www.stortinget.no. It is read daily by all members of parliament and
183 their staff, as well as political journalists, activits and many other
184 citizens of Norway. A visit to the www.stortinget.no web site will
185 ask your browser to contact
8 other servers: ajax.googleapis.com,
186 insights.hotjar.com, script.hotjar.com, static.hotjar.com,
187 stats.g.doubleclick.net, www.google-analytics.com,
188 www.googletagmanager.com and www.netigate.se. I extracted this by
189 asking
<a href=
"http://phantomjs.org/
">PhantomJS
</a
> to visit the
190 Stortinget web page and tell me all the URLs PhantomJS downloaded to
191 render the page (in HAR format using
192 <a href=
"https://github.com/ariya/phantomjs/blob/master/examples/netsniff.js
">their
193 netsniff example
</a
>. I am very grateful to Gorm for showing me how
194 to do this). My goal is to visualize network traces to all IP
195 addresses behind these DNS names, do show where visitors personal
196 information is spread when visiting the page.
</p
>
198 <p align=
"center
"><a href=
"www.stortinget.no-geoip.kml
"><img
199 src=
"https://people.skolelinux.org/pere/blog/images/
2017-
01-
09-www.stortinget.no-geoip-small.png
" alt=
"map of combined traces for URLs used by www.stortinget.no using GeoIP
"/
></a
></p
>
201 <p
>When I had a look around for options, I could not find any good
202 free software tools to do this, and decided I needed my own traceroute
203 wrapper outputting KML based on locations looked up using GeoIP. KML
204 is easy to work with and easy to generate, and understood by several
205 of the GIS tools I have available. I got good help from by NUUG
206 colleague Anders Einar with this, and the result can be seen in
207 <a href=
"https://github.com/petterreinholdtsen/kmltraceroute
">my
208 kmltraceroute git repository
</a
>. Unfortunately, the quality of the
209 free GeoIP databases I could find (and the for-pay databases my
210 friends had access to) is not up to the task. The IP addresses of
211 central Internet infrastructure would typically be placed near the
212 controlling companies main office, and not where the router is really
213 located, as you can see from
<a href=
"www.stortinget.no-geoip.kml
">the
214 KML file I created
</a
> using the GeoLite City dataset from MaxMind.
216 <p align=
"center
"><a href=
"https://people.skolelinux.org/pere/blog/images/
2017-
01-
09-www.stortinget.no-scapy.svg
"><img
217 src=
"https://people.skolelinux.org/pere/blog/images/
2017-
01-
09-www.stortinget.no-scapy-small.png
" alt=
"scapy traceroute graph for URLs used by www.stortinget.no
"/
></a
></p
>
219 <p
>I also had a look at the visual traceroute graph created by
220 <a href=
"http://www.secdev.org/projects/scapy/
">the scrapy project
</a
>,
221 showing IP network ownership (aka AS owner) for the IP address in
223 <a href=
"https://people.skolelinux.org/pere/blog/images/
2017-
01-
09-www.stortinget.no-scapy.svg
">The
224 graph display a lot of useful information about the traceroute in SVG
225 format
</a
>, and give a good indication on who control the network
226 equipment involved, but it do not include geolocation. This graph
227 make it possible to see the information is made available at least for
228 UNINETT, Catchcom, Stortinget, Nordunet, Google, Amazon, Telia, Level
229 3 Communications and NetDNA.
</p
>
231 <p align=
"center
"><a href=
"https://geotraceroute.com/index.php?node=
4&host=www.stortinget.no
"><img
232 src=
"https://people.skolelinux.org/pere/blog/images/
2017-
01-
09-www.stortinget.no-geotraceroute-small.png
" alt=
"example geotraceroute view for www.stortinget.no
"/
></a
></p
>
234 <p
>In the process, I came across the
235 <a href=
"https://geotraceroute.com/
">web service GeoTraceroute
</a
> by
236 Salim Gasmi. Its methology of combining guesses based on DNS names,
237 various location databases and finally use latecy times to rule out
238 candidate locations seemed to do a very good job of guessing correct
239 geolocation. But it could only do one trace at the time, did not have
240 a sensor in Norway and did not make the geolocations easily available
241 for postprocessing. So I contacted the developer and asked if he
242 would be willing to share the code (he refused until he had time to
243 clean it up), but he was interested in providing the geolocations in a
244 machine readable format, and willing to set up a sensor in Norway. So
245 since yesterday, it is possible to run traces from Norway in this
246 service thanks to a sensor node set up by
247 <a href=
"https://www.nuug.no/
">the NUUG assosiation
</a
>, and get the
248 trace in KML format for further processing.
</p
>
250 <p align=
"center
"><a href=
"https://people.skolelinux.org/pere/blog/images/
2017-
01-
09-www.stortinget.no-geotraceroute-kml-join.kml
"><img
251 src=
"https://people.skolelinux.org/pere/blog/images/
2017-
01-
09-www.stortinget.no-geotraceroute-kml-join.png
" alt=
"map of combined traces for URLs used by www.stortinget.no using geotraceroute
"/
></a
></p
>
253 <p
>Here we can see a lot of trafic passes Sweden on its way to
254 Denmark, Germany, Holland and Ireland. Plenty of places where the
255 Snowden confirmations verified the traffic is read by various actors
256 without your best interest as their top priority.
</p
>
258 <p
>Combining KML files is trivial using a text editor, so I could loop
259 over all the hosts behind the urls imported by www.stortinget.no and
260 ask for the KML file from GeoTraceroute, and create a combined KML
261 file with all the traces (unfortunately only one of the IP addresses
262 behind the DNS name is traced this time. To get them all, one would
263 have to request traces using IP number instead of DNS names from
264 GeoTraceroute). That might be the next step in this project.
</p
>
266 <p
>Armed with these tools, I find it a lot easier to figure out where
267 the IP traffic moves and who control the boxes involved in moving it.
268 And every time the link crosses for example the Swedish border, we can
269 be sure Swedish Signal Intelligence (FRA) is listening, as GCHQ do in
270 Britain and NSA in USA and cables around the globe. (Hm, what should
271 we tell them? :) Keep that in mind if you ever send anything
272 unencrypted over the Internet.
</p
>
274 <p
>PS: KML files are drawn using
275 <a href=
"http://ivanrublev.me/kml/
">the KML viewer from Ivan
276 Rublev
<a/
>, as it was less cluttered than the local Linux application
277 Marble. There are heaps of other options too.
</p
>
279 <p
>As usual, if you use Bitcoin and want to show your support of my
280 activities, please send Bitcoin donations to my address
281 <b
><a href=
"bitcoin:
15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b
">15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b
</a
></b
>.
</p
>
286 <title>Introducing ical-archiver to split out old iCalendar entries
</title>
287 <link>https://www.hungry.com/~pere/blog/Introducing_ical_archiver_to_split_out_old_iCalendar_entries.html
</link>
288 <guid isPermaLink=
"true">https://www.hungry.com/~pere/blog/Introducing_ical_archiver_to_split_out_old_iCalendar_entries.html
</guid>
289 <pubDate>Wed,
4 Jan
2017 12:
20:
00 +
0100</pubDate>
290 <description><p
>Do you have a large
<a href=
"https://icalendar.org/
">iCalendar
</a
>
291 file with lots of old entries, and would like to archive them to save
292 space and resources? At least those of us using KOrganizer know that
293 turning on and off an event set become slower and slower the more
294 entries are in the set. While working on migrating our calendars to a
295 <a href=
"http://radicale.org/
">Radicale CalDAV server
</a
> on our
296 <a href=
"https://freedomboxfoundation.org/
">Freedombox server
</a/
>, my
297 loved one wondered if I could find a way to split up the calendar file
298 she had in KOrganizer, and I set out to write a tool. I spent a few
299 days writing and polishing the system, and it is now ready for general
301 <a href=
"https://github.com/petterreinholdtsen/ical-archiver
">code for
302 ical-archiver
</a
> is publicly available from a git repository on
303 github. The system is written in Python and depend on
304 <a href=
"http://eventable.github.io/vobject/
">the vobject Python
305 module
</a
>.
</p
>
307 <p
>To use it, locate the iCalendar file you want to operate on and
308 give it as an argument to the ical-archiver script. This will
309 generate a set of new files, one file per component type per year for
310 all components expiring more than two years in the past. The vevent,
311 vtodo and vjournal entries are handled by the script. The remaining
312 entries are stored in a
'remaining
' file.
</p
>
314 <p
>This is what a test run can look like:
317 % ical-archiver t/
2004-
2016.ics
321 Writing t/
2004-
2016.ics-subset-vevent-
2004.ics
322 Writing t/
2004-
2016.ics-subset-vevent-
2005.ics
323 Writing t/
2004-
2016.ics-subset-vevent-
2006.ics
324 Writing t/
2004-
2016.ics-subset-vevent-
2007.ics
325 Writing t/
2004-
2016.ics-subset-vevent-
2008.ics
326 Writing t/
2004-
2016.ics-subset-vevent-
2009.ics
327 Writing t/
2004-
2016.ics-subset-vevent-
2010.ics
328 Writing t/
2004-
2016.ics-subset-vevent-
2011.ics
329 Writing t/
2004-
2016.ics-subset-vevent-
2012.ics
330 Writing t/
2004-
2016.ics-subset-vevent-
2013.ics
331 Writing t/
2004-
2016.ics-subset-vevent-
2014.ics
332 Writing t/
2004-
2016.ics-subset-vjournal-
2007.ics
333 Writing t/
2004-
2016.ics-subset-vjournal-
2011.ics
334 Writing t/
2004-
2016.ics-subset-vtodo-
2012.ics
335 Writing t/
2004-
2016.ics-remaining.ics
337 </pre
></p
>
339 <p
>As you can see, the original file is untouched and new files are
340 written with names derived from the original file. If you are happy
341 with their content, the *-remaining.ics file can replace the original
342 the the others can be archived or imported as historical calendar
343 collections.
</p
>
345 <p
>The script should probably be improved a bit. The error handling
346 when discovering broken entries is not good, and I am not sure yet if
347 it make sense to split different entry types into separate files or
348 not. The program is thus likely to change. If you find it
349 interesting, please get in touch. :)
</p
>
351 <p
>As usual, if you use Bitcoin and want to show your support of my
352 activities, please send Bitcoin donations to my address
353 <b
><a href=
"bitcoin:
15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b
">15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b
</a
></b
>.
</p
>
projects / homepage.git / blob