Generated.

[homepage.git] / blog / index.rss

<?xml version="1.0" encoding="utf-8"?>
<rss version='2.0' xmlns:lj='http://www.livejournal.org/rss/lj/1.0/' xmlns:atom="http://www.w3.org/2005/Atom">
        <channel>
                <title>Petter Reinholdtsen</title>
                <description></description>
                <link>http://people.skolelinux.org/pere/blog/</link>
                <atom:link href="http://people.skolelinux.org/pere/blog/index.rss" rel="self" type="application/rss+xml" />
        
        <item>
                <title>Unlimited randomness with the ChaosKey?</title>
                <link>http://people.skolelinux.org/pere/blog/Unlimited_randomness_with_the_ChaosKey_.html</link>
                <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Unlimited_randomness_with_the_ChaosKey_.html</guid>
                <pubDate>Wed, 1 Mar 2017 20:50:00 +0100</pubDate>
                <description>&lt;p&gt;A few days ago I ordered a small batch of
&lt;a href=&quot;http://altusmetrum.org/ChaosKey/&quot;&gt;the ChaosKey&lt;/a&gt;, a small
USB dongle for generating entropy created by Bdale Garbee and Keith
Packard.  Yesterday it arrived, and I am very happy to report that it
work great!  According to its designers, to get it to work out of the
box, you need the Linux kernel version 4.1 or later.  I tested on a
Debian Stretch machine (kernel version 4.9), and there it worked just
fine, increasing the available entropy very quickly.  I wrote a small
test oneliner to test.  It first print the current entropy level,
drain /dev/random, and then print the entropy level for five seconds.
Here is the situation without the ChaosKey inserted:&lt;/p&gt;

&lt;blockquote&gt;&lt;pre&gt;
% cat /proc/sys/kernel/random/entropy_avail; \
  dd bs=1M if=/dev/random of=/dev/null count=1; \
  for n in $(seq 1 5); do \
     cat /proc/sys/kernel/random/entropy_avail; \
     sleep 1; \
  done
300
0+1 oppføringer inn
0+1 oppføringer ut
28 byte kopiert, 0,000264565 s, 106 kB/s
4
8
12
17
21
%
&lt;/pre&gt;&lt;/blockquote&gt;

&lt;p&gt;The entropy level increases by 3-4 every second.  In such case any
application requiring random bits (like a HTTPS enabled web server)
will halt and wait for more entrpy.  And here is the situation with
the ChaosKey inserted:&lt;/p&gt;

&lt;blockquote&gt;&lt;pre&gt;
% cat /proc/sys/kernel/random/entropy_avail; \
  dd bs=1M if=/dev/random of=/dev/null count=1; \
  for n in $(seq 1 5); do \
     cat /proc/sys/kernel/random/entropy_avail; \
     sleep 1; \
  done
1079
0+1 oppføringer inn
0+1 oppføringer ut
104 byte kopiert, 0,000487647 s, 213 kB/s
433
1028
1031
1035
1038
%
&lt;/pre&gt;&lt;/blockquote&gt;

&lt;p&gt;Quite the difference. :) I bought a few more than I need, in case
someone want to buy one her in Norway. :)&lt;/p&gt;
</description>
        </item>
        
        <item>
                <title>Detect OOXML files with undefined behaviour?</title>
                <link>http://people.skolelinux.org/pere/blog/Detect_OOXML_files_with_undefined_behaviour_.html</link>
                <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Detect_OOXML_files_with_undefined_behaviour_.html</guid>
                <pubDate>Tue, 21 Feb 2017 00:20:00 +0100</pubDate>
                <description>&lt;p&gt;I just noticed
&lt;a href=&quot;http://www.arkivrad.no/aktuelt/riksarkivarens-forskrift-pa-horing&quot;&gt;the
new Norwegian proposal for archiving rules in the goverment&lt;/a&gt; list
&lt;a href=&quot;http://www.ecma-international.org/publications/standards/Ecma-376.htm&quot;&gt;ECMA-376&lt;/a&gt;
/ ISO/IEC 29500 (aka OOXML) as valid formats to put in long term
storage.  Luckily such files will only be accepted based on
pre-approval from the National Archive.  Allowing OOXML files to be
used for long term storage might seem like a good idea as long as we
forget that there are plenty of ways for a &quot;valid&quot; OOXML document to
have content with no defined interpretation in the standard, which
lead to a question and an idea.&lt;/p&gt;

&lt;p&gt;Is there any tool to detect if a OOXML document depend on such
undefined behaviour?  It would be useful for the National Archive (and
anyone else interested in verifying that a document is well defined)
to have such tool available when considering to approve the use of
OOXML.  I&#39;m aware of the
&lt;a href=&quot;https://github.com/arlm/officeotron/&quot;&gt;officeotron OOXML
validator&lt;/a&gt;, but do not know how complete it is nor if it will
report use of undefined behaviour.  Are there other similar tools
available?  Please send me an email if you know of any such tool.&lt;/p&gt;
</description>
        </item>
        
        <item>
                <title>Ruling ignored our objections to the seizure of popcorn-time.no (#domstolkontroll)</title>
                <link>http://people.skolelinux.org/pere/blog/Ruling_ignored_our_objections_to_the_seizure_of_popcorn_time_no___domstolkontroll_.html</link>
                <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Ruling_ignored_our_objections_to_the_seizure_of_popcorn_time_no___domstolkontroll_.html</guid>
                <pubDate>Mon, 13 Feb 2017 21:30:00 +0100</pubDate>
                <description>&lt;p&gt;A few days ago, we received the ruling from
&lt;a href=&quot;http://people.skolelinux.org/pere/blog/A_day_in_court_challenging_seizure_of_popcorn_time_no_for__domstolkontroll.html&quot;&gt;my
day in court&lt;/a&gt;.  The case in question is a challenge of the seizure
of the DNS domain popcorn-time.no.  The ruling simply did not mention
most of our arguments, and seemed to take everything ØKOKRIM said at
face value, ignoring our demonstration and explanations.  But it is
hard to tell for sure, as we still have not seen most of the documents
in the case and thus were unprepared and unable to contradict several
of the claims made in court by the opposition.  We are considering an
appeal, but it is partly a question of funding, as it is costing us
quite a bit to pay for our lawyer.  If you want to help, please
&lt;a href=&quot;http://www.nuug.no/dns-beslag-donasjon.shtml&quot;&gt;donate to the
NUUG defense fund&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;The details of the case, as far as we know it, is available in
Norwegian from
&lt;a href=&quot;https://www.nuug.no/news/tags/dns-domenebeslag/&quot;&gt;the NUUG
blog&lt;/a&gt;.  This also include
&lt;a href=&quot;https://www.nuug.no/news/Avslag_etter_rettslig_h_ring_om_DNS_beslaget___vurderer_veien_videre.shtml&quot;&gt;the
ruling itself&lt;/a&gt;.&lt;/p&gt;
</description>
        </item>
        
        <item>
                <title>A day in court challenging seizure of popcorn-time.no for #domstolkontroll</title>
                <link>http://people.skolelinux.org/pere/blog/A_day_in_court_challenging_seizure_of_popcorn_time_no_for__domstolkontroll.html</link>
                <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/A_day_in_court_challenging_seizure_of_popcorn_time_no_for__domstolkontroll.html</guid>
                <pubDate>Fri, 3 Feb 2017 11:10:00 +0100</pubDate>
                <description>&lt;p align=&quot;center&quot;&gt;&lt;img width=&quot;70%&quot; src=&quot;http://people.skolelinux.org/pere/blog/images/2017-02-01-popcorn-time-in-court.jpeg&quot;&gt;&lt;/p&gt;

&lt;p&gt;On Wednesday, I spent the entire day in court in Follo Tingrett
representing &lt;a href=&quot;https://www.nuug.no/&quot;&gt;the member association
NUUG&lt;/a&gt;, alongside &lt;a href=&quot;https://www.efn.no/&quot;&gt;the member
association EFN&lt;/a&gt; and &lt;a href=&quot;http://www.imc.no&quot;&gt;the DNS registrar
IMC&lt;/a&gt;, challenging the seizure of the DNS name popcorn-time.no.  It
was interesting to sit in a court of law for the first time in my
life.  Our team can be seen in the picture above: attorney Ola
Tellesbø, EFN board member Tom Fredrik Blenning, IMC CEO Morten Emil
Eriksen and NUUG board member Petter Reinholdtsen.&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;http://www.domstol.no/no/Enkelt-domstol/follo-tingrett/Nar-gar-rettssaken/Beramming/?cid=AAAA1701301512081262234UJFBVEZZZZZEJBAvtale&quot;&gt;The
case at hand&lt;/a&gt; is that the Norwegian National Authority for
Investigation and Prosecution of Economic and Environmental Crime (aka
Økokrim) decided on their own, to seize a DNS domain early last
year, without following
&lt;a href=&quot;https://www.norid.no/no/regelverk/navnepolitikk/#link12&quot;&gt;the
official policy of the Norwegian DNS authority&lt;/a&gt; which require a
court decision.  The web site in question was a site covering Popcorn
Time.  And Popcorn Time is the name of a technology with both legal
and illegal applications.  Popcorn Time is a client combining
searching a Bittorrent directory available on the Internet with
downloading/distribute content via Bittorrent and playing the
downloaded content on screen.  It can be used illegally if it is used
to distribute content against the will of the right holder, but it can
also be used legally to play a lot of content, for example the
millions of movies
&lt;a href=&quot;https://archive.org/details/movies&quot;&gt;available from the
Internet Archive&lt;/a&gt; or the collection
&lt;a href=&quot;http://vodo.net/films/&quot;&gt;available from Vodo&lt;/a&gt;.  We created
&lt;a href=&quot;magnet:?xt=urn:btih:86c1802af5a667ca56d3918aecb7d3c0f7173084&amp;dn=PresentasjonFolloTingrett.mov&amp;tr=udp%3A%2F%2Fpublic.popcorn-tracker.org%3A6969%2Fannounce&quot;&gt;a
video demonstrating legally use of Popcorn Time&lt;/a&gt; and played it in
Court.  It can of course be downloaded using Bittorrent.&lt;/p&gt;

&lt;p&gt;I did not quite know what to expect from a day in court.  The
government held on to their version of the story and we held on to
ours, and I hope the judge is able to make sense of it all.  We will
know in two weeks time.  Unfortunately I do not have high hopes, as
the Government have the upper hand here with more knowledge about the
case, better training in handling criminal law and in general higher
standing in the courts than fairly unknown DNS registrar and member
associations.  It is expensive to be right also in Norway.  So far the
case have cost more than NOK 70 000,-.  To help fund the case, NUUG
and EFN have asked for donations, and managed to collect around NOK 25
000,- so far.  Given the presentation from the Government, I expect
the government to appeal if the case go our way.  And if the case do
not go our way, I hope we have enough funding to appeal.&lt;/p&gt;

&lt;p&gt;From the other side came two people from Økokrim.  On the benches,
appearing to be part of the group from the government were two people
from the Simonsen Vogt Wiik lawyer office, and three others I am not
quite sure who was.  Økokrim had proposed to present two witnesses
from The Motion Picture Association, but this was rejected because
they did not speak Norwegian and it was a bit late to bring in a
translator, but perhaps the two from MPA were present anyway.  All
seven appeared to know each other.  Good to see the case is take
seriously.&lt;/p&gt;

&lt;p&gt;If you, like me, believe the courts should be involved before a DNS
domain is hijacked by the government, or you believe the Popcorn Time
technology have a lot of useful and legal applications, I suggest you
too &lt;a href=&quot;http://www.nuug.no/dns-beslag-donasjon.shtml&quot;&gt;donate to
the NUUG defense fund&lt;/a&gt;.  Both Bitcoin and bank transfer are
available. If NUUG get more than we need for the legal action (very
unlikely), the rest will be spend promoting free software, open
standards and unix-like operating systems in Norway, so no matter what
happens the money will be put to good use.&lt;/p&gt;

&lt;p&gt;If you want to lean more about the case, I recommend you check out
&lt;a href=&quot;https://www.nuug.no/news/tags/dns-domenebeslag/&quot;&gt;the blog
posts from NUUG covering the case&lt;/a&gt;.  They cover the legal arguments
on both sides.&lt;/p&gt;
</description>
        </item>
        
        <item>
                <title>Nasjonalbiblioteket avslutter sin ulovlige bruk av Google Skjemaer</title>
                <link>http://people.skolelinux.org/pere/blog/Nasjonalbiblioteket_avslutter_sin_ulovlige_bruk_av_Google_Skjemaer.html</link>
                <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Nasjonalbiblioteket_avslutter_sin_ulovlige_bruk_av_Google_Skjemaer.html</guid>
                <pubDate>Thu, 12 Jan 2017 09:40:00 +0100</pubDate>
                <description>&lt;p&gt;I dag fikk jeg en skikkelig gladmelding.  Bakgrunnen er at før jul
arrangerte Nasjonalbiblioteket
&lt;a href=&quot;http://www.nb.no/Bibliotekutvikling/Kunnskapsorganisering/Nasjonalt-verksregister/Seminar-om-verksregister&quot;&gt;et
seminar om sitt knakende gode tiltak «verksregister»&lt;/a&gt;.  Eneste
måten å melde seg på dette seminaret var å sende personopplysninger
til Google via Google Skjemaer.  Dette syntes jeg var tvilsom praksis,
da det bør være mulig å delta på seminarer arrangert av det offentlige
uten å måtte dele sine interesser, posisjon og andre
personopplysninger med Google.  Jeg ba derfor om innsyn via
&lt;a href=&quot;https://www.mimesbronn.no/&quot;&gt;Mimes brønn&lt;/a&gt; i
&lt;a href=&quot;https://www.mimesbronn.no/request/personopplysninger_til_google_sk&quot;&gt;avtaler
og vurderinger Nasjonalbiblioteket hadde rundt dette&lt;/a&gt;.
Personopplysningsloven legger klare rammer for hva som må være på
plass før en kan be tredjeparter, spesielt i utlandet, behandle
personopplysninger på sine vegne, så det burde eksistere grundig
dokumentasjon før noe slikt kan bli lovlig.  To jurister hos
Nasjonalbiblioteket mente først dette var helt i orden, og at Googles
standardavtale kunne brukes som databehandlingsavtale.  Det syntes jeg
var merkelig, men har ikke hatt kapasitet til å følge opp saken før
for to dager siden.&lt;/p&gt;

&lt;p&gt;Gladnyheten i dag, som kom etter at jeg tipset Nasjonalbiblioteket
om at Datatilsynet underkjente Googles standardavtaler som
databehandleravtaler i 2011, er at Nasjonalbiblioteket har bestemt seg
for å avslutte bruken av Googles Skjemaer/Apps og gå i dialog med DIFI
for å finne bedre måter å håndtere påmeldinger i tråd med
personopplysningsloven.  Det er fantastisk å se at av og til hjelper
det å spørre hva i alle dager det offentlige holder på med.&lt;/p&gt;
</description>
        </item>
        
        <item>
                <title>Bryter NAV sin egen personvernerklæring?</title>
                <link>http://people.skolelinux.org/pere/blog/Bryter_NAV_sin_egen_personvernerkl_ring_.html</link>
                <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Bryter_NAV_sin_egen_personvernerkl_ring_.html</guid>
                <pubDate>Wed, 11 Jan 2017 06:50:00 +0100</pubDate>
                <description>&lt;p&gt;Jeg leste med interesse en nyhetssak hos
&lt;a href=&quot;http://www.digi.no/artikler/nav-avslorer-trygdemisbruk-ved-a-spore-ip-adresser/367394&quot;&gt;digi.no&lt;/a&gt;
og
&lt;a href=&quot;https://www.nrk.no/buskerud/trygdesvindlere-avslores-av-utenlandske-ip-adresser-1.13313461&quot;&gt;NRK&lt;/a&gt;
om at det ikke bare er meg, men at også NAV bedriver geolokalisering
av IP-adresser, og at det gjøres analyse av IP-adressene til de som
sendes inn meldekort for å se om meldekortet sendes inn fra
utenlandske IP-adresser.  Politiadvokat i Drammen, Hans Lyder Haare,
er sitert i NRK på at «De to er jo blant annet avslørt av
IP-adresser. At man ser at meldekortet kommer fra utlandet.»&lt;/p&gt;

&lt;p&gt;Jeg synes det er fint at det blir bedre kjent at IP-adresser
knyttes til enkeltpersoner og at innsamlet informasjon brukes til å
stedsbestemme personer også av aktører her i Norge.  Jeg ser det som
nok et argument for å bruke
&lt;a href=&quot;https://www.torproject.org/&quot;&gt;Tor&lt;/a&gt; så mye som mulig for å
gjøre gjøre IP-lokalisering vanskeligere, slik at en kan beskytte sin
privatsfære og unngå å dele sin fysiske plassering med
uvedkommede.&lt;/p&gt;

&lt;P&gt;Men det er en ting som bekymrer meg rundt denne nyheten.  Jeg ble
tipset (takk #nuug) om
&lt;a href=&quot;https://www.nav.no/no/NAV+og+samfunn/Kontakt+NAV/Teknisk+brukerstotte/Snarveier/personvernerkl%C3%A6ring-for-arbeids-og-velferdsetaten&quot;&gt;NAVs
personvernerklæring&lt;/a&gt;, som under punktet «Personvern og statistikk»
lyder:&lt;/p&gt;

&lt;p&gt;&lt;blockquote&gt;

&lt;p&gt;«Når du besøker nav.no, etterlater du deg elektroniske spor. Sporene
dannes fordi din nettleser automatisk sender en rekke opplysninger til
NAVs tjener (server-maskin) hver gang du ber om å få vist en side. Det
er eksempelvis opplysninger om hvilken nettleser og -versjon du
bruker, og din internettadresse (ip-adresse). For hver side som vises,
lagres følgende opplysninger:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;hvilken side du ser på&lt;/li&gt;
&lt;li&gt;dato og tid&lt;/li&gt;
&lt;li&gt;hvilken nettleser du bruker&lt;/li&gt;
&lt;li&gt;din ip-adresse&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Ingen av opplysningene vil bli brukt til å identifisere
enkeltpersoner. NAV bruker disse opplysningene til å generere en
samlet statistikk som blant annet viser hvilke sider som er mest
populære. Statistikken er et redskap til å forbedre våre
tjenester.»&lt;/p&gt;

&lt;/blockquote&gt;&lt;/p&gt;

&lt;p&gt;Jeg klarer ikke helt å se hvordan analyse av de besøkendes
IP-adresser for å se hvem som sender inn meldekort via web fra en
IP-adresse i utlandet kan gjøres uten å komme i strid med påstanden om
at «ingen av opplysningene vil bli brukt til å identifisere
enkeltpersoner».  Det virker dermed for meg som at NAV bryter sine
egen personvernerklæring, hvilket
&lt;a href=&quot;http://people.skolelinux.org/pere/blog/Er_lover_brutt_n_r_personvernpolicy_ikke_stemmer_med_praksis_.html&quot;&gt;Datatilsynet
fortalte meg i starten av desember antagelig er brudd på
personopplysningsloven&lt;/a&gt;.

&lt;p&gt;I tillegg er personvernerklæringen ganske misvisende i og med at
NAVs nettsider ikke bare forsyner NAV med personopplysninger, men i
tillegg ber brukernes nettleser kontakte fem andre nettjenere
(script.hotjar.com, static.hotjar.com, vars.hotjar.com,
www.google-analytics.com og www.googletagmanager.com), slik at
personopplysninger blir gjort tilgjengelig for selskapene Hotjar og
Google , og alle som kan lytte på trafikken på veien (som FRA, GCHQ og
NSA).  Jeg klarer heller ikke se hvordan slikt spredning av
personopplysninger kan være i tråd med kravene i
personopplysningloven, eller i tråd med NAVs personvernerklæring.&lt;/p&gt;

&lt;p&gt;Kanskje NAV bør ta en nøye titt på sin personvernerklæring?  Eller
kanskje Datatilsynet bør gjøre det?&lt;/p&gt;
</description>
        </item>
        
        <item>
                <title>Where did that package go? &amp;mdash; geolocated IP traceroute</title>
                <link>http://people.skolelinux.org/pere/blog/Where_did_that_package_go___mdash__geolocated_IP_traceroute.html</link>
                <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Where_did_that_package_go___mdash__geolocated_IP_traceroute.html</guid>
                <pubDate>Mon, 9 Jan 2017 12:20:00 +0100</pubDate>
                <description>&lt;p&gt;Did you ever wonder where the web trafic really flow to reach the
web servers, and who own the network equipment it is flowing through?
It is possible to get a glimpse of this from using traceroute, but it
is hard to find all the details.  Many years ago, I wrote a system to
map the Norwegian Internet (trying to figure out if our plans for a
network game service would get low enough latency, and who we needed
to talk to about setting up game servers close to the users.  Back
then I used traceroute output from many locations (I asked my friends
to run a script and send me their traceroute output) to create the
graph and the map.  The output from traceroute typically look like
this:

&lt;p&gt;&lt;pre&gt;
traceroute to www.stortinget.no (85.88.67.10), 30 hops max, 60 byte packets
 1  uio-gw10.uio.no (129.240.202.1)  0.447 ms  0.486 ms  0.621 ms
 2  uio-gw8.uio.no (129.240.24.229)  0.467 ms  0.578 ms  0.675 ms
 3  oslo-gw1.uninett.no (128.39.65.17)  0.385 ms  0.373 ms  0.358 ms
 4  te3-1-2.br1.fn3.as2116.net (193.156.90.3)  1.174 ms  1.172 ms  1.153 ms
 5  he16-1-1.cr1.san110.as2116.net (195.0.244.234)  2.627 ms he16-1-1.cr2.oslosda310.as2116.net (195.0.244.48)  3.172 ms he16-1-1.cr1.san110.as2116.net (195.0.244.234)  2.857 ms
 6  ae1.ar8.oslosda310.as2116.net (195.0.242.39)  0.662 ms  0.637 ms ae0.ar8.oslosda310.as2116.net (195.0.242.23)  0.622 ms
 7  89.191.10.146 (89.191.10.146)  0.931 ms  0.917 ms  0.955 ms
 8  * * *
 9  * * *
[...]
&lt;/pre&gt;&lt;/p&gt;

&lt;p&gt;This show the DNS names and IP addresses of (at least some of the)
network equipment involved in getting the data traffic from me to the
www.stortinget.no server, and how long it took in milliseconds for a
package to reach the equipment and return to me.  Three packages are
sent, and some times the packages do not follow the same path.  This
is shown for hop 5, where three different IP addresses replied to the
traceroute request.&lt;/p&gt;

&lt;p&gt;There are many ways to measure trace routes.  Other good traceroute
implementations I use are traceroute (using ICMP packages) mtr (can do
both ICMP, UDP and TCP) and scapy (python library with ICMP, UDP, TCP
traceroute and a lot of other capabilities).  All of them are easily
available in &lt;a href=&quot;https://www.debian.org/&quot;&gt;Debian&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;This time around, I wanted to know the geographic location of
different route points, to visualize how visiting a web page spread
information about the visit to a lot of servers around the globe.  The
background is that a web site today often will ask the browser to get
from many servers the parts (for example HTML, JSON, fonts,
JavaScript, CSS, video) required to display the content.  This will
leak information about the visit to those controlling these servers
and anyone able to peek at the data traffic passing by (like your ISP,
the ISPs backbone provider, FRA, GCHQ, NSA and others).&lt;/p&gt;

&lt;p&gt;Lets pick an example, the Norwegian parliament web site
www.stortinget.no.  It is read daily by all members of parliament and
their staff, as well as political journalists, activits and many other
citizens of Norway.  A visit to the www.stortinget.no web site will
ask your browser to contact 8 other servers: ajax.googleapis.com,
insights.hotjar.com, script.hotjar.com, static.hotjar.com,
stats.g.doubleclick.net, www.google-analytics.com,
www.googletagmanager.com and www.netigate.se.  I extracted this by
asking &lt;a href=&quot;http://phantomjs.org/&quot;&gt;PhantomJS&lt;/a&gt; to visit the
Stortinget web page and tell me all the URLs PhantomJS downloaded to
render the page (in HAR format using
&lt;a href=&quot;https://github.com/ariya/phantomjs/blob/master/examples/netsniff.js&quot;&gt;their
netsniff example&lt;/a&gt;.  I am very grateful to Gorm for showing me how
to do this).  My goal is to visualize network traces to all IP
addresses behind these DNS names, do show where visitors personal
information is spread when visiting the page.&lt;/p&gt;

&lt;p align=&quot;center&quot;&gt;&lt;a href=&quot;www.stortinget.no-geoip.kml&quot;&gt;&lt;img
src=&quot;http://people.skolelinux.org/pere/blog/images/2017-01-09-www.stortinget.no-geoip-small.png&quot; alt=&quot;map of combined traces for URLs used by www.stortinget.no using GeoIP&quot;/&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;When I had a look around for options, I could not find any good
free software tools to do this, and decided I needed my own traceroute
wrapper outputting KML based on locations looked up using GeoIP.  KML
is easy to work with and easy to generate, and understood by several
of the GIS tools I have available.  I got good help from by NUUG
colleague Anders Einar with this, and the result can be seen in
&lt;a href=&quot;https://github.com/petterreinholdtsen/kmltraceroute&quot;&gt;my
kmltraceroute git repository&lt;/a&gt;.  Unfortunately, the quality of the
free GeoIP databases I could find (and the for-pay databases my
friends had access to) is not up to the task.  The IP addresses of
central Internet infrastructure would typically be placed near the
controlling companies main office, and not where the router is really
located, as you can see from &lt;a href=&quot;www.stortinget.no-geoip.kml&quot;&gt;the
KML file I created&lt;/a&gt; using the GeoLite City dataset from MaxMind.

&lt;p align=&quot;center&quot;&gt;&lt;a href=&quot;http://people.skolelinux.org/pere/blog/images/2017-01-09-www.stortinget.no-scapy.svg&quot;&gt;&lt;img
src=&quot;http://people.skolelinux.org/pere/blog/images/2017-01-09-www.stortinget.no-scapy-small.png&quot; alt=&quot;scapy traceroute graph for URLs used by www.stortinget.no&quot;/&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;I also had a look at the visual traceroute graph created by
&lt;a href=&quot;http://www.secdev.org/projects/scapy/&quot;&gt;the scrapy project&lt;/a&gt;,
showing IP network ownership (aka AS owner) for the IP address in
question.
&lt;a href=&quot;http://people.skolelinux.org/pere/blog/images/2017-01-09-www.stortinget.no-scapy.svg&quot;&gt;The
graph display a lot of useful information about the traceroute in SVG
format&lt;/a&gt;, and give a good indication on who control the network
equipment involved, but it do not include geolocation.  This graph
make it possible to see the information is made available at least for
UNINETT, Catchcom, Stortinget, Nordunet, Google, Amazon, Telia, Level
3 Communications and NetDNA.&lt;/p&gt;

&lt;p align=&quot;center&quot;&gt;&lt;a href=&quot;https://geotraceroute.com/index.php?node=4&amp;host=www.stortinget.no&quot;&gt;&lt;img
src=&quot;http://people.skolelinux.org/pere/blog/images/2017-01-09-www.stortinget.no-geotraceroute-small.png&quot; alt=&quot;example geotraceroute view for www.stortinget.no&quot;/&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;In the process, I came across the
&lt;a href=&quot;https://geotraceroute.com/&quot;&gt;web service GeoTraceroute&lt;/a&gt; by
Salim Gasmi.  Its methology of combining guesses based on DNS names,
various location databases and finally use latecy times to rule out
candidate locations seemed to do a very good job of guessing correct
geolocation.  But it could only do one trace at the time, did not have
a sensor in Norway and did not make the geolocations easily available
for postprocessing.  So I contacted the developer and asked if he
would be willing to share the code (he refused until he had time to
clean it up), but he was interested in providing the geolocations in a
machine readable format, and willing to set up a sensor in Norway.  So
since yesterday, it is possible to run traces from Norway in this
service thanks to a sensor node set up by
&lt;a href=&quot;https://www.nuug.no/&quot;&gt;the NUUG assosiation&lt;/a&gt;, and get the
trace in KML format for further processing.&lt;/p&gt;

&lt;p align=&quot;center&quot;&gt;&lt;a href=&quot;http://people.skolelinux.org/pere/blog/images/2017-01-09-www.stortinget.no-geotraceroute-kml-join.kml&quot;&gt;&lt;img
src=&quot;http://people.skolelinux.org/pere/blog/images/2017-01-09-www.stortinget.no-geotraceroute-kml-join.png&quot; alt=&quot;map of combined traces for URLs used by www.stortinget.no using geotraceroute&quot;/&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Here we can see a lot of trafic passes Sweden on its way to
Denmark, Germany, Holland and Ireland.  Plenty of places where the
Snowden confirmations verified the traffic is read by various actors
without your best interest as their top priority.&lt;/p&gt;

&lt;p&gt;Combining KML files is trivial using a text editor, so I could loop
over all the hosts behind the urls imported by www.stortinget.no and
ask for the KML file from GeoTraceroute, and create a combined KML
file with all the traces (unfortunately only one of the IP addresses
behind the DNS name is traced this time.  To get them all, one would
have to request traces using IP number instead of DNS names from
GeoTraceroute).  That might be the next step in this project.&lt;/p&gt;

&lt;p&gt;Armed with these tools, I find it a lot easier to figure out where
the IP traffic moves and who control the boxes involved in moving it.
And every time the link crosses for example the Swedish border, we can
be sure Swedish Signal Intelligence (FRA) is listening, as GCHQ do in
Britain and NSA in USA and cables around the globe.  (Hm, what should
we tell them? :) Keep that in mind if you ever send anything
unencrypted over the Internet.&lt;/p&gt;

&lt;p&gt;PS: KML files are drawn using
&lt;a href=&quot;http://ivanrublev.me/kml/&quot;&gt;the KML viewer from Ivan
Rublev&lt;a/&gt;, as it was less cluttered than the local Linux application
Marble.  There are heaps of other options too.&lt;/p&gt;

&lt;p&gt;As usual, if you use Bitcoin and want to show your support of my
activities, please send Bitcoin donations to my address
&lt;b&gt;&lt;a href=&quot;bitcoin:15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b&amp;label=PetterReinholdtsenBlog&quot;&gt;15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b&lt;/a&gt;&lt;/b&gt;.&lt;/p&gt;
</description>
        </item>
        
        <item>
                <title>Introducing ical-archiver to split out old iCalendar entries</title>
                <link>http://people.skolelinux.org/pere/blog/Introducing_ical_archiver_to_split_out_old_iCalendar_entries.html</link>
                <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Introducing_ical_archiver_to_split_out_old_iCalendar_entries.html</guid>
                <pubDate>Wed, 4 Jan 2017 12:20:00 +0100</pubDate>
                <description>&lt;p&gt;Do you have a large &lt;a href=&quot;https://icalendar.org/&quot;&gt;iCalendar&lt;/a&gt;
file with lots of old entries, and would like to archive them to save
space and resources?  At least those of us using KOrganizer know that
turning on and off an event set become slower and slower the more
entries are in the set.  While working on migrating our calendars to a
&lt;a href=&quot;http://radicale.org/&quot;&gt;Radicale CalDAV server&lt;/a&gt; on our
&lt;a href=&quot;https://freedomboxfoundation.org/&quot;&gt;Freedombox server&lt;/a/&gt;, my
loved one wondered if I could find a way to split up the calendar file
she had in KOrganizer, and I set out to write a tool.  I spent a few
days writing and polishing the system, and it is now ready for general
consumption.  The
&lt;a href=&quot;https://github.com/petterreinholdtsen/ical-archiver&quot;&gt;code for
ical-archiver&lt;/a&gt; is publicly available from a git repository on
github.  The system is written in Python and depend on
&lt;a href=&quot;http://eventable.github.io/vobject/&quot;&gt;the vobject Python
module&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;To use it, locate the iCalendar file you want to operate on and
give it as an argument to the ical-archiver script.  This will
generate a set of new files, one file per component type per year for
all components expiring more than two years in the past.  The vevent,
vtodo and vjournal entries are handled by the script.  The remaining
entries are stored in a &#39;remaining&#39; file.&lt;/p&gt;

&lt;p&gt;This is what a test run can look like:

&lt;p&gt;&lt;pre&gt;
% ical-archiver t/2004-2016.ics 
Found 3612 vevents
Found 6 vtodos
Found 2 vjournals
Writing t/2004-2016.ics-subset-vevent-2004.ics
Writing t/2004-2016.ics-subset-vevent-2005.ics
Writing t/2004-2016.ics-subset-vevent-2006.ics
Writing t/2004-2016.ics-subset-vevent-2007.ics
Writing t/2004-2016.ics-subset-vevent-2008.ics
Writing t/2004-2016.ics-subset-vevent-2009.ics
Writing t/2004-2016.ics-subset-vevent-2010.ics
Writing t/2004-2016.ics-subset-vevent-2011.ics
Writing t/2004-2016.ics-subset-vevent-2012.ics
Writing t/2004-2016.ics-subset-vevent-2013.ics
Writing t/2004-2016.ics-subset-vevent-2014.ics
Writing t/2004-2016.ics-subset-vjournal-2007.ics
Writing t/2004-2016.ics-subset-vjournal-2011.ics
Writing t/2004-2016.ics-subset-vtodo-2012.ics
Writing t/2004-2016.ics-remaining.ics
%
&lt;/pre&gt;&lt;/p&gt;

&lt;p&gt;As you can see, the original file is untouched and new files are
written with names derived from the original file.  If you are happy
with their content, the *-remaining.ics file can replace the original
the the others can be archived or imported as historical calendar
collections.&lt;/p&gt;

&lt;p&gt;The script should probably be improved a bit.  The error handling
when discovering broken entries is not good, and I am not sure yet if
it make sense to split different entry types into separate files or
not.  The program is thus likely to change.  If you find it
interesting, please get in touch. :)&lt;/p&gt;

&lt;p&gt;As usual, if you use Bitcoin and want to show your support of my
activities, please send Bitcoin donations to my address
&lt;b&gt;&lt;a href=&quot;bitcoin:15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b&amp;label=PetterReinholdtsenBlog&quot;&gt;15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b&lt;/a&gt;&lt;/b&gt;.&lt;/p&gt;
</description>
        </item>
        
        <item>
                <title>Appstream just learned how to map hardware to packages too!</title>
                <link>http://people.skolelinux.org/pere/blog/Appstream_just_learned_how_to_map_hardware_to_packages_too_.html</link>
                <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Appstream_just_learned_how_to_map_hardware_to_packages_too_.html</guid>
                <pubDate>Fri, 23 Dec 2016 10:30:00 +0100</pubDate>
                <description>&lt;p&gt;I received a very nice Christmas present today.  As my regular
readers probably know, I have been working on the
&lt;a href=&quot;http://packages.qa.debian.org/isenkram&quot;&gt;the Isenkram
system&lt;/a&gt; for many years.  The goal of the Isenkram system is to make
it easier for users to figure out what to install to get a given piece
of hardware to work in Debian, and a key part of this system is a way
to map hardware to packages.  Isenkram have its own mapping database,
and also uses data provided by each package using the AppStream
metadata format.  And today,
&lt;a href=&quot;https://tracker.debian.org/pkg/appstream&quot;&gt;AppStream&lt;/a&gt; in
Debian learned to look up hardware the same way Isenkram is doing it,
ie using fnmatch():&lt;/p&gt;

&lt;p&gt;&lt;pre&gt;
% appstreamcli what-provides modalias \
  usb:v1130p0202d0100dc00dsc00dp00ic03isc00ip00in00
Identifier: pymissile [generic]
Name: pymissile
Summary: Control original Striker USB Missile Launcher
Package: pymissile
% appstreamcli what-provides modalias usb:v0694p0002d0000
Identifier: libnxt [generic]
Name: libnxt
Summary: utility library for talking to the LEGO Mindstorms NXT brick
Package: libnxt
---
Identifier: t2n [generic]
Name: t2n
Summary: Simple command-line tool for Lego NXT
Package: t2n
---
Identifier: python-nxt [generic]
Name: python-nxt
Summary: Python driver/interface/wrapper for the Lego Mindstorms NXT robot
Package: python-nxt
---
Identifier: nbc [generic]
Name: nbc
Summary: C compiler for LEGO Mindstorms NXT bricks
Package: nbc
%
&lt;/pre&gt;&lt;/p&gt;

&lt;p&gt;A similar query can be done using the combined AppStream and
Isenkram databases using the isenkram-lookup tool:&lt;/p&gt;

&lt;p&gt;&lt;pre&gt;
% isenkram-lookup usb:v1130p0202d0100dc00dsc00dp00ic03isc00ip00in00
pymissile
% isenkram-lookup usb:v0694p0002d0000
libnxt
nbc
python-nxt
t2n
%
&lt;/pre&gt;&lt;/p&gt;

&lt;p&gt;You can find modalias values relevant for your machine using
&lt;tt&gt;cat $(find /sys/devices/ -name modalias)&lt;/tt&gt;.

&lt;p&gt;If you want to make this system a success and help Debian users
make the most of the hardware they have, please
help&lt;a href=&quot;https://wiki.debian.org/AppStream/Guidelines&quot;&gt;add
AppStream metadata for your package following the guidelines&lt;/a&gt;
documented in the wiki.  So far only 11 packages provide such
information, among the several hundred hardware specific packages in
Debian. The Isenkram database on the other hand contain 101 packages,
mostly related to USB dongles.  Most of the packages with hardware
mapping in AppStream are LEGO Mindstorms related, because I have, as
part of my involvement in
&lt;a href=&quot;https://wiki.debian.org/LegoDesigners&quot;&gt;the Debian LEGO
team&lt;/a&gt; given priority to making sure LEGO users get proposed the
complete set of packages in Debian for that particular hardware.  The
team also got a nice Christmas present today.  The
&lt;a href=&quot;https://tracker.debian.org/pkg/nxt-firmware&quot;&gt;nxt-firmware
package&lt;/a&gt; made it into Debian.  With this package in place, it is
now possible to use the LEGO Mindstorms NXT unit with only free
software, as the nxt-firmware package contain the source and firmware
binaries for the NXT brick.&lt;/p&gt;

&lt;p&gt;As usual, if you use Bitcoin and want to show your support of my
activities, please send Bitcoin donations to my address
&lt;b&gt;&lt;a href=&quot;bitcoin:15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b&amp;label=PetterReinholdtsenBlog&quot;&gt;15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b&lt;/a&gt;&lt;/b&gt;.&lt;/p&gt;
</description>
        </item>
        
        <item>
                <title>Isenkram updated with a lot more hardware-package mappings</title>
                <link>http://people.skolelinux.org/pere/blog/Isenkram_updated_with_a_lot_more_hardware_package_mappings.html</link>
                <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Isenkram_updated_with_a_lot_more_hardware_package_mappings.html</guid>
                <pubDate>Tue, 20 Dec 2016 11:55:00 +0100</pubDate>
                <description>&lt;p&gt;&lt;a href=&quot;http://packages.qa.debian.org/isenkram&quot;&gt;The Isenkram
system&lt;/a&gt; I wrote two years ago to make it easier in Debian to find
and install packages to get your hardware dongles to work, is still
going strong.  It is a system to look up the hardware present on or
connected to the current system, and map the hardware to Debian
packages.  It can either be done using the tools in isenkram-cli or
using the user space daemon in the isenkram package.  The latter will
notify you, when inserting new hardware, about what packages to
install to get the dongle working.  It will even provide a button to
click on to ask packagekit to install the packages.&lt;/p&gt;

&lt;p&gt;Here is an command line example from my Thinkpad laptop:&lt;/p&gt;

&lt;p&gt;&lt;pre&gt;
% isenkram-lookup  
bluez
cheese
ethtool
fprintd
fprintd-demo
gkrellm-thinkbat
hdapsd
libpam-fprintd
pidgin-blinklight
thinkfan
tlp
tp-smapi-dkms
tp-smapi-source
tpb
%
&lt;/pre&gt;&lt;/p&gt;

&lt;p&gt;It can also list the firware package providing firmware requested
by the load kernel modules, which in my case is an empty list because
I have all the firmware my machine need:

&lt;p&gt;&lt;pre&gt;
% /usr/sbin/isenkram-autoinstall-firmware -l
info: did not find any firmware files requested by loaded kernel modules.  exiting
%
&lt;/pre&gt;&lt;/p&gt;

&lt;p&gt;The last few days I had a look at several of the around 250
packages in Debian with udev rules.  These seem like good candidates
to install when a given hardware dongle is inserted, and I found
several that should be proposed by isenkram.  I have not had time to
check all of them, but am happy to report that now there are 97
packages packages mapped to hardware by Isenkram.  11 of these
packages provide hardware mapping using AppStream, while the rest are
listed in the modaliases file provided in isenkram.&lt;/p&gt;

&lt;p&gt;These are the packages with hardware mappings at the moment.  The
&lt;strong&gt;marked packages&lt;/strong&gt; are also announcing their hardware
support using AppStream, for everyone to use:&lt;/p&gt;

&lt;p&gt;air-quality-sensor, alsa-firmware-loaders, argyll,
&lt;strong&gt;array-info&lt;/strong&gt;, avarice, avrdude, b43-fwcutter,
bit-babbler, bluez, bluez-firmware, &lt;strong&gt;brltty&lt;/strong&gt;,
&lt;strong&gt;broadcom-sta-dkms&lt;/strong&gt;, calibre, cgminer, cheese, colord,
&lt;strong&gt;colorhug-client&lt;/strong&gt;, dahdi-firmware-nonfree, dahdi-linux,
dfu-util, dolphin-emu, ekeyd, ethtool, firmware-ipw2x00, fprintd,
fprintd-demo, &lt;strong&gt;galileo&lt;/strong&gt;, gkrellm-thinkbat, gphoto2,
gpsbabel, gpsbabel-gui, gpsman, gpstrans, gqrx-sdr, gr-fcdproplus,
gr-osmosdr, gtkpod, hackrf, hdapsd, hdmi2usb-udev, hpijs-ppds, hplip,
ipw3945-source, ipw3945d, kde-config-tablet, kinect-audio-setup,
&lt;strong&gt;libnxt&lt;/strong&gt;, libpam-fprintd, &lt;strong&gt;lomoco&lt;/strong&gt;,
madwimax, minidisc-utils, mkgmap, msi-keyboard, mtkbabel,
&lt;strong&gt;nbc&lt;/strong&gt;, &lt;strong&gt;nqc&lt;/strong&gt;, nut-hal-drivers, ola,
open-vm-toolbox, open-vm-tools, openambit, pcgminer, pcmciautils,
pcscd, pidgin-blinklight, printer-driver-splix,
&lt;strong&gt;pymissile&lt;/strong&gt;, python-nxt, qlandkartegt,
qlandkartegt-garmin, rosegarden, rt2x00-source, sispmctl,
soapysdr-module-hackrf, solaar, squeak-plugins-scratch, sunxi-tools,
&lt;strong&gt;t2n&lt;/strong&gt;, thinkfan, thinkfinger-tools, tlp, tp-smapi-dkms,
tp-smapi-source, tpb, tucnak, uhd-host, usbmuxd, viking,
virtualbox-ose-guest-x11, w1retap, xawtv, xserver-xorg-input-vmmouse,
xserver-xorg-input-wacom, xserver-xorg-video-qxl,
xserver-xorg-video-vmware, yubikey-personalization and
zd1211-firmware&lt;/p&gt;

&lt;p&gt;If you know of other packages, please let me know with a wishlist
bug report against the isenkram-cli package, and ask the package
maintainer to
&lt;a href=&quot;https://wiki.debian.org/AppStream/Guidelines&quot;&gt;add AppStream
metadata according to the guidelines&lt;/a&gt; to provide the information
for everyone.  In time, I hope to get rid of the isenkram specific
hardware mapping and depend exclusively on AppStream.&lt;/p&gt;

&lt;p&gt;Note, the AppStream metadata for broadcom-sta-dkms is matching too
much hardware, and suggest that the package with with any ethernet
card.  See &lt;a href=&quot;http://bugs.debian.org/838735&quot;&gt;bug #838735&lt;/a&gt; for
the details.  I hope the maintainer find time to address it soon.  In
the mean time I provide an override in isenkram.&lt;/p&gt;
</description>
        </item>
        
        </channel>
</rss>