<?xml version="1.0" encoding="utf-8"?>
<rss version='2.0' xmlns:lj='http://www.livejournal.org/rss/lj/1.0/' xmlns:atom="http://www.w3.org/2005/Atom">
<title>Petter Reinholdtsen</title>
<description></description>
<link>http://people.skolelinux.org/pere/blog/</link>
<atom:link href="http://people.skolelinux.org/pere/blog/index.rss" rel="self" type="application/rss+xml" />
<title>Norwegian Bokmål translation of The Debian Administrator's Handbook complete, proofreading in progress</title>
<link>http://people.skolelinux.org/pere/blog/Norwegian_Bokm_l_translation_of_The_Debian_Administrator_s_Handbook_complete__proofreading_in_progress.html</link>
<guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Norwegian_Bokm_l_translation_of_The_Debian_Administrator_s_Handbook_complete__proofreading_in_progress.html</guid>
<pubDate>Fri, 3 Mar 2017 14:50:00 +0100</pubDate>
<description><p>For almost a year now, we have been working on making a Norwegian
Bokmål edition of <a href="https://debian-handbook.info/">The Debian
Administrator's Handbook</a>. Now, thanks to the tireless effort of
Ole-Erik, Ingrid and Andreas, the initial translation is complete, and
we are working on the proofreading to ensure consistent language and
use of correct computer science terms. The plan is to make the book
available on paper, as well as in electronic form. For that to
happen, the proofreading must be completed and all the figures need
to be translated. If you want to help out, get in touch.</p>
<p><a href="http://people.skolelinux.org/pere/debian-handbook/debian-handbook-nb-NO.pdf">A
fresh PDF edition</a> in A4 format (the final book will have smaller
pages) of the book created every morning is available for
proofreading. If you find any errors, please
<a href="https://hosted.weblate.org/translate/debian-handbook/">visit
Weblate and correct the error</a>. The
<a href="http://l.github.io/debian-handbook/stat/nb-NO/index.html">state
of the translation including figures</a> is a useful source for those
providing Norwegian Bokmål screenshots and figures.</p>
<title>Unlimited randomness with the ChaosKey?</title>
<link>http://people.skolelinux.org/pere/blog/Unlimited_randomness_with_the_ChaosKey_.html</link>
<guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Unlimited_randomness_with_the_ChaosKey_.html</guid>
<pubDate>Wed, 1 Mar 2017 20:50:00 +0100</pubDate>
<description><p>A few days ago I ordered a small batch of
<a href="http://altusmetrum.org/ChaosKey/">the ChaosKey</a>, a small
USB dongle for generating entropy created by Bdale Garbee and Keith
Packard. Yesterday it arrived, and I am very happy to report that it
works great! According to its designers, to get it to work out of the
box, you need the Linux kernel version 4.1 or later. I tested on a
Debian Stretch machine (kernel version 4.9), and there it worked just
fine, increasing the available entropy very quickly. I wrote a small
test oneliner to test. It first prints the current entropy level,
drains /dev/random, and then prints the entropy level for five seconds.
Here is the situation without the ChaosKey inserted:</p>
<blockquote><pre>
% cat /proc/sys/kernel/random/entropy_avail; \
  dd bs=1M if=/dev/random of=/dev/null count=1; \
  for n in $(seq 1 5); do \
     cat /proc/sys/kernel/random/entropy_avail; \
     sleep 1; \
  done
28 byte kopiert, 0,000264565 s, 106 kB/s
</pre></blockquote>
<p>The entropy level increases by 3-4 every second. In such a case any
application requiring random bits (like an HTTPS-enabled web server)
will halt and wait for more entropy. And here is the situation with
the ChaosKey inserted:</p>
<blockquote><pre>
% cat /proc/sys/kernel/random/entropy_avail; \
  dd bs=1M if=/dev/random of=/dev/null count=1; \
  for n in $(seq 1 5); do \
     cat /proc/sys/kernel/random/entropy_avail; \
     sleep 1; \
  done
104 byte kopiert, 0,000487647 s, 213 kB/s
</pre></blockquote>
<p>Quite the difference. :) I bought a few more than I need, in case
someone wants to buy one here in Norway. :)</p>
<p>Update: The dongle was presented at Debconf last year. You might
find <a href="https://debconf16.debconf.org/talks/94/">the talk
recording illuminating</a>. It explains exactly what the source of
randomness is, if you are unable to spot it from the schema drawing
available from the ChaosKey web site linked at the start of this blog
<title>Detect OOXML files with undefined behaviour?</title>
<link>http://people.skolelinux.org/pere/blog/Detect_OOXML_files_with_undefined_behaviour_.html</link>
<guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Detect_OOXML_files_with_undefined_behaviour_.html</guid>
<pubDate>Tue, 21 Feb 2017 00:20:00 +0100</pubDate>
<description><p>I just noticed
<a href="http://www.arkivrad.no/aktuelt/riksarkivarens-forskrift-pa-horing">the
new Norwegian proposal for archiving rules in the government</a> lists
<a href="http://www.ecma-international.org/publications/standards/Ecma-376.htm">ECMA-376</a>
/ ISO/IEC 29500 (aka OOXML) as valid formats to put in long term
storage. Luckily such files will only be accepted based on
pre-approval from the National Archive. Allowing OOXML files to be
used for long term storage might seem like a good idea as long as we
forget that there are plenty of ways for a "valid" OOXML document to
have content with no defined interpretation in the standard, which
leads to a question and an idea.</p>
<p>Is there any tool to detect if an OOXML document depends on such
undefined behaviour? It would be useful for the National Archive (and
anyone else interested in verifying that a document is well defined)
to have such a tool available when considering whether to approve the
use of OOXML. I'm aware of the
<a href="https://github.com/arlm/officeotron/">officeotron OOXML
validator</a>, but do not know how complete it is nor if it will
report use of undefined behaviour. Are there other similar tools
available? Please send me an email if you know of any such tool.</p>
<title>Ruling ignored our objections to the seizure of popcorn-time.no (#domstolkontroll)</title>
<link>http://people.skolelinux.org/pere/blog/Ruling_ignored_our_objections_to_the_seizure_of_popcorn_time_no___domstolkontroll_.html</link>
<guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Ruling_ignored_our_objections_to_the_seizure_of_popcorn_time_no___domstolkontroll_.html</guid>
<pubDate>Mon, 13 Feb 2017 21:30:00 +0100</pubDate>
<description><p>A few days ago, we received the ruling from
<a href="http://people.skolelinux.org/pere/blog/A_day_in_court_challenging_seizure_of_popcorn_time_no_for__domstolkontroll.html">my
day in court</a>. The case in question is a challenge of the seizure
of the DNS domain popcorn-time.no. The ruling simply did not mention
most of our arguments, and seemed to take everything ØKOKRIM said at
face value, ignoring our demonstration and explanations. But it is
hard to tell for sure, as we still have not seen most of the documents
in the case and thus were unprepared and unable to contradict several
of the claims made in court by the opposition. We are considering an
appeal, but it is partly a question of funding, as it is costing us
quite a bit to pay for our lawyer. If you want to help, please
<a href="http://www.nuug.no/dns-beslag-donasjon.shtml">donate to the
NUUG defense fund</a>.</p>
<p>The details of the case, as far as we know them, are available in
<a href="https://www.nuug.no/news/tags/dns-domenebeslag/">the NUUG
blog</a>. This also includes
<a href="https://www.nuug.no/news/Avslag_etter_rettslig_h_ring_om_DNS_beslaget___vurderer_veien_videre.shtml">the
ruling itself</a>.</p>
<title>A day in court challenging seizure of popcorn-time.no for #domstolkontroll</title>
<link>http://people.skolelinux.org/pere/blog/A_day_in_court_challenging_seizure_of_popcorn_time_no_for__domstolkontroll.html</link>
<guid isPermaLink="true">http://people.skolelinux.org/pere/blog/A_day_in_court_challenging_seizure_of_popcorn_time_no_for__domstolkontroll.html</guid>
<pubDate>Fri, 3 Feb 2017 11:10:00 +0100</pubDate>
<description><p align="center"><img width="70%" src="http://people.skolelinux.org/pere/blog/images/2017-02-01-popcorn-time-in-court.jpeg"></p>
<p>On Wednesday, I spent the entire day in court in Follo Tingrett
representing <a href="https://www.nuug.no/">the member association
NUUG</a>, alongside <a href="https://www.efn.no/">the member
association EFN</a> and <a href="http://www.imc.no">the DNS registrar
IMC</a>, challenging the seizure of the DNS name popcorn-time.no. It
was interesting to sit in a court of law for the first time in my
life. Our team can be seen in the picture above: attorney Ola
Tellesbø, EFN board member Tom Fredrik Blenning, IMC CEO Morten Emil
Eriksen and NUUG board member Petter Reinholdtsen.</p>
<p><a href="http://www.domstol.no/no/Enkelt-domstol/follo-tingrett/Nar-gar-rettssaken/Beramming/?cid=AAAA1701301512081262234UJFBVEZZZZZEJBAvtale">The
case at hand</a> is that the Norwegian National Authority for
Investigation and Prosecution of Economic and Environmental Crime (aka
Økokrim) decided on their own to seize a DNS domain early last
year, without following
<a href="https://www.norid.no/no/regelverk/navnepolitikk/#link12">the
official policy of the Norwegian DNS authority</a>, which requires a
court decision. The web site in question was a site covering Popcorn
Time. And Popcorn Time is the name of a technology with both legal
and illegal applications. Popcorn Time is a client combining
searching a Bittorrent directory available on the Internet with
downloading/distributing content via Bittorrent and playing the
downloaded content on screen. It can be used illegally if it is used
to distribute content against the will of the right holder, but it can
also be used legally to play a lot of content, for example the
<a href="https://archive.org/details/movies">available from the
Internet Archive</a> or the collection
<a href="http://vodo.net/films/">available from Vodo</a>. We created
<a href="magnet:?xt=urn:btih:86c1802af5a667ca56d3918aecb7d3c0f7173084&dn=PresentasjonFolloTingrett.mov&tr=udp%3A%2F%2Fpublic.popcorn-tracker.org%3A6969%2Fannounce">a
video demonstrating legal use of Popcorn Time</a> and played it in
Court. It can of course be downloaded using Bittorrent.</p>
<p>I did not quite know what to expect from a day in court. The
government held on to their version of the story and we held on to
ours, and I hope the judge is able to make sense of it all. We will
know in two weeks' time. Unfortunately I do not have high hopes, as
the Government has the upper hand here with more knowledge about the
case, better training in handling criminal law and in general higher
standing in the courts than a fairly unknown DNS registrar and member
associations. It is expensive to be right also in Norway. So far the
case has cost more than NOK 70 000,-. To help fund the case, NUUG
and EFN have asked for donations, and managed to collect around NOK 25
000,- so far. Given the presentation from the Government, I expect
the government to appeal if the case goes our way. And if the case does
not go our way, I hope we have enough funding to appeal.</p>
<p>From the other side came two people from Økokrim. On the benches,
appearing to be part of the group from the government, were two people
from the Simonsen Vogt Wiik lawyer office, and three others I am not
quite sure who were. Økokrim had proposed to present two witnesses
from The Motion Picture Association, but this was rejected because
they did not speak Norwegian and it was a bit late to bring in a
translator, but perhaps the two from MPA were present anyway. All
seven appeared to know each other. Good to see the case is take
<p>If you, like me, believe the courts should be involved before a DNS
domain is hijacked by the government, or you believe the Popcorn Time
technology has a lot of useful and legal applications, I suggest you
too <a href="http://www.nuug.no/dns-beslag-donasjon.shtml">donate to
the NUUG defense fund</a>. Both Bitcoin and bank transfer are
available. If NUUG gets more than we need for the legal action (very
unlikely), the rest will be spent promoting free software, open
standards and unix-like operating systems in Norway, so no matter what
happens the money will be put to good use.</p>
<p>If you want to learn more about the case, I recommend you check out
<a href="https://www.nuug.no/news/tags/dns-domenebeslag/">the blog
posts from NUUG covering the case</a>. They cover the legal arguments
on both sides.</p>
<title>The National Library of Norway ends its illegal use of Google Forms</title>
<link>http://people.skolelinux.org/pere/blog/Nasjonalbiblioteket_avslutter_sin_ulovlige_bruk_av_Google_Skjemaer.html</link>
<guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Nasjonalbiblioteket_avslutter_sin_ulovlige_bruk_av_Google_Skjemaer.html</guid>
<pubDate>Thu, 12 Jan 2017 09:40:00 +0100</pubDate>
<description><p>Today I got some really good news. The background is that before
Christmas the National Library of Norway (Nasjonalbiblioteket) arranged
<a href="http://www.nb.no/Bibliotekutvikling/Kunnskapsorganisering/Nasjonalt-verksregister/Seminar-om-verksregister">a
seminar about its excellent initiative «verksregister» (works registry)</a>. The only
way to sign up for this seminar was to send personal information
to Google via Google Forms. I found this a questionable practice,
as it should be possible to take part in seminars arranged by the public sector
without having to share one's interests, position and other
personal information with Google. I therefore asked, via
<a href="https://www.mimesbronn.no/">Mimes brønn</a>, for access to
<a href="https://www.mimesbronn.no/request/personopplysninger_til_google_sk">the agreements
and assessments the National Library had regarding this</a>.
The Personal Data Act (personopplysningsloven) sets clear limits on what must be in
place before one can ask third parties, especially abroad, to process
personal data on one's behalf, so thorough documentation should
exist before something like this can be legal. Two lawyers at
the National Library first held that this was perfectly fine, and that Google's
standard agreement could be used as a data processing agreement. I found that
strange, but have not had the capacity to follow up on the case until
two days ago.</p>
<p>The good news today, which came after I tipped off the National Library
that the Norwegian Data Protection Authority (Datatilsynet) rejected Google's
standard agreements as data processor agreements in 2011, is that the National
Library has decided to end its use of Google Forms/Apps and enter into a
dialogue with DIFI to find better ways to handle registrations in line with
the Personal Data Act. It is fantastic to see that now and then it helps
to ask what on earth the public sector is up to.</p>
<title>Is NAV violating its own privacy statement?</title>
<link>http://people.skolelinux.org/pere/blog/Bryter_NAV_sin_egen_personvernerkl_ring_.html</link>
<guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Bryter_NAV_sin_egen_personvernerkl_ring_.html</guid>
<pubDate>Wed, 11 Jan 2017 06:50:00 +0100</pubDate>
<description><p>I read with interest a news story at
<a href="http://www.digi.no/artikler/nav-avslorer-trygdemisbruk-ved-a-spore-ip-adresser/367394">digi.no</a>
<a href="https://www.nrk.no/buskerud/trygdesvindlere-avslores-av-utenlandske-ip-adresser-1.13313461">NRK</a>
reporting that it is not just me, but that NAV too does geolocation
of IP addresses, and that the IP addresses of those submitting
employment status forms (meldekort) are analysed to see whether the form is submitted from
foreign IP addresses. The police prosecutor in Drammen, Hans Lyder Haare,
is quoted by NRK as saying «The two were exposed by, among other things,
IP addresses. That one can see that the employment status form comes from abroad.»</p>
<p>I think it is good that it is becoming better known that IP addresses
are linked to individuals and that collected information is used to
geolocate people also by actors here in Norway. I see it as
yet another argument for using
<a href="https://www.torproject.org/">Tor</a> as much as possible to
make IP geolocation harder, so that one can protect one's
private sphere and avoid sharing one's physical location with
unauthorized parties.</p>
<P>But there is one thing that worries me about this news. I was
tipped off (thanks #nuug) about
<a href="https://www.nav.no/no/NAV+og+samfunn/Kontakt+NAV/Teknisk+brukerstotte/Snarveier/personvernerkl%C3%A6ring-for-arbeids-og-velferdsetaten">NAV's
privacy statement</a>, which under the heading «Privacy and statistics»
<p><blockquote>
<p>«When you visit nav.no, you leave electronic traces behind. The traces
are created because your browser automatically sends a range of information to
NAV's server each time you request a page. This
includes, for example, information about which browser and version you
use, and your Internet address (IP address). For each page shown,
the following information is stored:</p>
<li>which page you are viewing</li>
<li>date and time</li>
<li>which browser you are using</li>
<li>your IP address</li>
<p>None of the information will be used to identify
individuals. NAV uses this information to generate
aggregate statistics showing, among other things, which pages are most
popular. The statistics are a tool for improving our
services.»</p>
</blockquote></p>
<p>I cannot quite see how analysing the visitors'
IP addresses to see who submits employment status forms via the web from an
IP address abroad can be done without conflicting with the claim
that «none of the information will be used to identify
individuals». It thus seems to me that NAV is violating its
own privacy statement, which
<a href="http://people.skolelinux.org/pere/blog/Er_lover_brutt_n_r_personvernpolicy_ikke_stemmer_med_praksis_.html">the Data Protection Authority
told me at the start of December is probably a violation of
the Personal Data Act</a>.
<p>In addition, the privacy statement is quite misleading, in that
NAV's web pages not only supply NAV with personal data, but
also ask the users' browsers to contact five other web servers
(script.hotjar.com, static.hotjar.com, vars.hotjar.com,
www.google-analytics.com and www.googletagmanager.com), so that
personal data is made available to the companies Hotjar and
Google, and to everyone able to listen to the traffic along the way (such as FRA, GCHQ and
NSA). Nor can I see how such spreading of
personal data can be in line with the requirements of
the Personal Data Act, or in line with NAV's privacy statement.</p>
<p>Perhaps NAV should take a close look at its privacy statement? Or
perhaps the Data Protection Authority should?</p>
<title>Where did that package go? &mdash; geolocated IP traceroute</title>
<link>http://people.skolelinux.org/pere/blog/Where_did_that_package_go___mdash__geolocated_IP_traceroute.html</link>
<guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Where_did_that_package_go___mdash__geolocated_IP_traceroute.html</guid>
<pubDate>Mon, 9 Jan 2017 12:20:00 +0100</pubDate>
<description><p>Did you ever wonder where the web traffic really flows to reach the
web servers, and who owns the network equipment it is flowing through?
It is possible to get a glimpse of this from using traceroute, but it
is hard to find all the details. Many years ago, I wrote a system to
map the Norwegian Internet (trying to figure out if our plans for a
network game service would get low enough latency, and who we needed
to talk to about setting up game servers close to the users). Back
then I used traceroute output from many locations (I asked my friends
to run a script and send me their traceroute output) to create the
graph and the map. The output from traceroute typically looks like
traceroute to www.stortinget.no (85.88.67.10), 30 hops max, 60 byte packets
 1  uio-gw10.uio.no (129.240.202.1)  0.447 ms  0.486 ms  0.621 ms
 2  uio-gw8.uio.no (129.240.24.229)  0.467 ms  0.578 ms  0.675 ms
 3  oslo-gw1.uninett.no (128.39.65.17)  0.385 ms  0.373 ms  0.358 ms
 4  te3-1-2.br1.fn3.as2116.net (193.156.90.3)  1.174 ms  1.172 ms  1.153 ms
 5  he16-1-1.cr1.san110.as2116.net (195.0.244.234)  2.627 ms he16-1-1.cr2.oslosda310.as2116.net (195.0.244.48)  3.172 ms he16-1-1.cr1.san110.as2116.net (195.0.244.234)  2.857 ms
 6  ae1.ar8.oslosda310.as2116.net (195.0.242.39)  0.662 ms  0.637 ms ae0.ar8.oslosda310.as2116.net (195.0.242.23)  0.622 ms
 7  89.191.10.146 (89.191.10.146)  0.931 ms  0.917 ms  0.955 ms
</pre></p>
<p>This shows the DNS names and IP addresses of (at least some of the)
network equipment involved in getting the data traffic from me to the
www.stortinget.no server, and how long it took in milliseconds for a
packet to reach the equipment and return to me. Three packets are
sent, and sometimes the packets do not follow the same path. This
is shown for hop 5, where three different IP addresses replied to the
traceroute request.</p>
<p>There are many ways to measure trace routes. Other good traceroute
implementations I use are traceroute (using ICMP packets), mtr (can do
both ICMP, UDP and TCP) and scapy (python library with ICMP, UDP, TCP
traceroute and a lot of other capabilities). All of them are easily
available in <a href="https://www.debian.org/">Debian</a>.</p>
<p>This time around, I wanted to know the geographic location of
different route points, to visualize how visiting a web page spreads
information about the visit to a lot of servers around the globe. The
background is that a web site today often will ask the browser to get
from many servers the parts (for example HTML, JSON, fonts,
JavaScript, CSS, video) required to display the content. This will
leak information about the visit to those controlling these servers
and anyone able to peek at the data traffic passing by (like your ISP,
the ISP's backbone provider, FRA, GCHQ, NSA and others).</p>
<p>Let's pick an example, the Norwegian parliament web site
www.stortinget.no. It is read daily by all members of parliament and
their staff, as well as political journalists, activists and many other
citizens of Norway. A visit to the www.stortinget.no web site will
ask your browser to contact 8 other servers: ajax.googleapis.com,
insights.hotjar.com, script.hotjar.com, static.hotjar.com,
stats.g.doubleclick.net, www.google-analytics.com,
www.googletagmanager.com and www.netigate.se. I extracted this by
asking <a href="http://phantomjs.org/">PhantomJS</a> to visit the
Stortinget web page and tell me all the URLs PhantomJS downloaded to
render the page (in HAR format using
<a href="https://github.com/ariya/phantomjs/blob/master/examples/netsniff.js">their
netsniff example</a>. I am very grateful to Gorm for showing me how
to do this). My goal is to visualize network traces to all IP
addresses behind these DNS names, to show where visitors' personal
information is spread when visiting the page.</p>
<p align="center"><a href="www.stortinget.no-geoip.kml"><img
src="http://people.skolelinux.org/pere/blog/images/2017-01-09-www.stortinget.no-geoip-small.png" alt="map of combined traces for URLs used by www.stortinget.no using GeoIP"/></a></p>
<p>When I had a look around for options, I could not find any good
free software tools to do this, and decided I needed my own traceroute
wrapper outputting KML based on locations looked up using GeoIP. KML
is easy to work with and easy to generate, and understood by several
of the GIS tools I have available. I got good help from my NUUG
colleague Anders Einar with this, and the result can be seen in
<a href="https://github.com/petterreinholdtsen/kmltraceroute">my
kmltraceroute git repository</a>. Unfortunately, the quality of the
free GeoIP databases I could find (and the for-pay databases my
friends had access to) is not up to the task. The IP addresses of
central Internet infrastructure would typically be placed near the
controlling company's main office, and not where the router is really
located, as you can see from <a href="www.stortinget.no-geoip.kml">the
KML file I created</a> using the GeoLite City dataset from MaxMind.
<p align="center"><a href="http://people.skolelinux.org/pere/blog/images/2017-01-09-www.stortinget.no-scapy.svg"><img
src="http://people.skolelinux.org/pere/blog/images/2017-01-09-www.stortinget.no-scapy-small.png" alt="scapy traceroute graph for URLs used by www.stortinget.no"/></a></p>
<p>I also had a look at the visual traceroute graph created by
<a href="http://www.secdev.org/projects/scapy/">the scapy project</a>,
showing IP network ownership (aka AS owner) for the IP address in
<a href="http://people.skolelinux.org/pere/blog/images/2017-01-09-www.stortinget.no-scapy.svg">The
graph displays a lot of useful information about the traceroute in SVG
format</a>, and gives a good indication of who controls the network
equipment involved, but it does not include geolocation. This graph
makes it possible to see the information is made available at least for
UNINETT, Catchcom, Stortinget, Nordunet, Google, Amazon, Telia, Level
3 Communications and NetDNA.</p>
<p align="center"><a href="https://geotraceroute.com/index.php?node=4&host=www.stortinget.no"><img
src="http://people.skolelinux.org/pere/blog/images/2017-01-09-www.stortinget.no-geotraceroute-small.png" alt="example geotraceroute view for www.stortinget.no"/></a></p>
<p>In the process, I came across the
<a href="https://geotraceroute.com/">web service GeoTraceroute</a> by
Salim Gasmi. Its methodology of combining guesses based on DNS names,
various location databases and finally using latency times to rule out
candidate locations seemed to do a very good job of guessing correct
geolocation. But it could only do one trace at a time, did not have
a sensor in Norway and did not make the geolocations easily available
for postprocessing. So I contacted the developer and asked if he
would be willing to share the code (he refused until he had time to
clean it up), but he was interested in providing the geolocations in a
machine readable format, and willing to set up a sensor in Norway. So
since yesterday, it is possible to run traces from Norway in this
service thanks to a sensor node set up by
<a href="https://www.nuug.no/">the NUUG association</a>, and get the
trace in KML format for further processing.</p>
<p align="center"><a href="http://people.skolelinux.org/pere/blog/images/2017-01-09-www.stortinget.no-geotraceroute-kml-join.kml"><img
src="http://people.skolelinux.org/pere/blog/images/2017-01-09-www.stortinget.no-geotraceroute-kml-join.png" alt="map of combined traces for URLs used by www.stortinget.no using geotraceroute"/></a></p>
<p>Here we can see a lot of traffic passes Sweden on its way to
Denmark, Germany, Holland and Ireland. Plenty of places where the
Snowden confirmations verified the traffic is read by various actors
without your best interest as their top priority.</p>
<p>Combining KML files is trivial using a text editor, so I could loop
over all the hosts behind the URLs imported by www.stortinget.no and
ask for the KML file from GeoTraceroute, and create a combined KML
file with all the traces (unfortunately only one of the IP addresses
behind the DNS name is traced this time. To get them all, one would
have to request traces using IP number instead of DNS names from
GeoTraceroute). That might be the next step in this project.</p>
<p>Armed with these tools, I find it a lot easier to figure out where
the IP traffic moves and who controls the boxes involved in moving it.
And every time the link crosses for example the Swedish border, we can
be sure Swedish Signal Intelligence (FRA) is listening, as GCHQ does in
Britain and NSA in the USA and on cables around the globe. (Hm, what should
we tell them? :) Keep that in mind if you ever send anything
unencrypted over the Internet.</p>
<p>PS: KML files are drawn using
<a href="http://ivanrublev.me/kml/">the KML viewer from Ivan
Rublev</a>, as it was less cluttered than the local Linux application
Marble. There are heaps of other options too.</p>
<p>As usual, if you use Bitcoin and want to show your support of my
activities, please send Bitcoin donations to my address
<b><a href="bitcoin:15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b&label=PetterReinholdtsenBlog">15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b</a></b>.</p>
<title>Introducing ical-archiver to split out old iCalendar entries</title>
<link>http://people.skolelinux.org/pere/blog/Introducing_ical_archiver_to_split_out_old_iCalendar_entries.html</link>
<guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Introducing_ical_archiver_to_split_out_old_iCalendar_entries.html</guid>
<pubDate>Wed, 4 Jan 2017 12:20:00 +0100</pubDate>
<description><p>Do you have a large <a href="https://icalendar.org/">iCalendar</a>
file with lots of old entries, and would like to archive them to save
space and resources? At least those of us using KOrganizer know that
turning on and off an event set becomes slower and slower the more
entries are in the set. While working on migrating our calendars to a
<a href="http://radicale.org/">Radicale CalDAV server</a> on our
<a href="https://freedomboxfoundation.org/">Freedombox server</a>, my
loved one wondered if I could find a way to split up the calendar file
she had in KOrganizer, and I set out to write a tool. I spent a few
days writing and polishing the system, and it is now ready for general
<a href="https://github.com/petterreinholdtsen/ical-archiver">code for
ical-archiver</a> is publicly available from a git repository on
github. The system is written in Python and depends on
<a href="http://eventable.github.io/vobject/">the vobject Python
module</a>.</p>
<p>To use it, locate the iCalendar file you want to operate on and
give it as an argument to the ical-archiver script. This will
generate a set of new files, one file per component type per year for
all components expiring more than two years in the past. The vevent,
vtodo and vjournal entries are handled by the script. The remaining
entries are stored in a 'remaining' file.</p>
<p>This is what a test run can look like:
% ical-archiver t/2004-2016.ics
Writing t/2004-2016.ics-subset-vevent-2004.ics
Writing t/2004-2016.ics-subset-vevent-2005.ics
Writing t/2004-2016.ics-subset-vevent-2006.ics
Writing t/2004-2016.ics-subset-vevent-2007.ics
Writing t/2004-2016.ics-subset-vevent-2008.ics
Writing t/2004-2016.ics-subset-vevent-2009.ics
Writing t/2004-2016.ics-subset-vevent-2010.ics
Writing t/2004-2016.ics-subset-vevent-2011.ics
Writing t/2004-2016.ics-subset-vevent-2012.ics
Writing t/2004-2016.ics-subset-vevent-2013.ics
Writing t/2004-2016.ics-subset-vevent-2014.ics
Writing t/2004-2016.ics-subset-vjournal-2007.ics
Writing t/2004-2016.ics-subset-vjournal-2011.ics
Writing t/2004-2016.ics-subset-vtodo-2012.ics
Writing t/2004-2016.ics-remaining.ics
</pre></p>
<p>As you can see, the original file is untouched and new files are
written with names derived from the original file. If you are happy
with their content, the *-remaining.ics file can replace the original
and the others can be archived or imported as historical calendar
collections.</p>
<p>The script should probably be improved a bit. The error handling
when discovering broken entries is not good, and I am not sure yet if
it makes sense to split different entry types into separate files or
not. The program is thus likely to change. If you find it
interesting, please get in touch. :)</p>
<p>As usual, if you use Bitcoin and want to show your support of my
activities, please send Bitcoin donations to my address
<b><a href="bitcoin:15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b&label=PetterReinholdtsenBlog">15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b</a></b>.</p>
<title>Appstream just learned how to map hardware to packages too!</title>
<link>http://people.skolelinux.org/pere/blog/Appstream_just_learned_how_to_map_hardware_to_packages_too_.html</link>
<guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Appstream_just_learned_how_to_map_hardware_to_packages_too_.html</guid>
<pubDate>Fri, 23 Dec 2016 10:30:00 +0100</pubDate>
<description><p>I received a very nice Christmas present today. As my regular
readers probably know, I have been working on
<a href="http://packages.qa.debian.org/isenkram">the Isenkram
system</a> for many years. The goal of the Isenkram system is to make
it easier for users to figure out what to install to get a given piece
of hardware to work in Debian, and a key part of this system is a way
to map hardware to packages. Isenkram has its own mapping database,
and also uses data provided by each package using the AppStream
metadata format. And today,
<a href="https://tracker.debian.org/pkg/appstream">AppStream</a> in
Debian learned to look up hardware the same way Isenkram is doing it,
i.e. using fnmatch():</p>
<p><pre>
% appstreamcli what-provides modalias \
  usb:v1130p0202d0100dc00dsc00dp00ic03isc00ip00in00
Identifier: pymissile [generic]
Summary: Control original Striker USB Missile Launcher
% appstreamcli what-provides modalias usb:v0694p0002d0000
Identifier: libnxt [generic]
Summary: utility library for talking to the LEGO Mindstorms NXT brick
Identifier: t2n [generic]
Summary: Simple command-line tool for Lego NXT
Identifier: python-nxt [generic]
Summary: Python driver/interface/wrapper for the Lego Mindstorms NXT robot
Identifier: nbc [generic]
Summary: C compiler for LEGO Mindstorms NXT bricks
</pre></p>
<p>A similar query can be done using the combined AppStream and
Isenkram databases using the isenkram-lookup tool:</p>
<p><pre>
% isenkram-lookup usb:v1130p0202d0100dc00dsc00dp00ic03isc00ip00in00
% isenkram-lookup usb:v0694p0002d0000
</pre></p>
<p>You can find modalias values relevant for your machine using
<tt>cat $(find /sys/devices/ -name modalias)</tt>.
<p>If you want to make this system a success and help Debian users
make the most of the hardware they have, please
help <a href="https://wiki.debian.org/AppStream/Guidelines">add
AppStream metadata for your package following the guidelines</a>
documented in the wiki. So far only 11 packages provide such
information, among the several hundred hardware specific packages in
Debian. The Isenkram database on the other hand contains 101 packages,
mostly related to USB dongles. Most of the packages with hardware
mapping in AppStream are LEGO Mindstorms related, because I have, as
part of my involvement in
<a href="https://wiki.debian.org/LegoDesigners">the Debian LEGO
team</a> given priority to making sure LEGO users get proposed the
complete set of packages in Debian for that particular hardware. The
team also got a nice Christmas present today. The
<a href="https://tracker.debian.org/pkg/nxt-firmware">nxt-firmware
package</a> made it into Debian. With this package in place, it is
now possible to use the LEGO Mindstorms NXT unit with only free
software, as the nxt-firmware package contains the source and firmware
binaries for the NXT brick.</p>
<p>As usual, if you use Bitcoin and want to show your support of my
activities, please send Bitcoin donations to my address
<b><a href="bitcoin:15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b&label=PetterReinholdtsenBlog">15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b</a></b>.</p>