]> pere.pagekite.me Git - homepage.git/blob - blog/tags/sikkerhet/sikkerhet.rss
c785186f48e8b21806c25b279f7719ebb6d3abb6
[homepage.git] / blog / tags / sikkerhet / sikkerhet.rss
1 <?xml version="1.0" encoding="utf-8"?>
2 <rss version='2.0' xmlns:lj='http://www.livejournal.org/rss/lj/1.0/'>
3 <channel>
4 <title>Petter Reinholdtsen - Entries tagged sikkerhet</title>
5 <description>Entries tagged sikkerhet</description>
6 <link>https://people.skolelinux.org/pere/blog/</link>
7
8
9 <item>
10 <title>Latest Jami back in Debian Testing, and scriptable using dbus</title>
11 <link>https://people.skolelinux.org/pere/blog/Latest_Jami_back_in_Debian_Testing__and_scriptable_using_dbus.html</link>
12 <guid isPermaLink="true">https://people.skolelinux.org/pere/blog/Latest_Jami_back_in_Debian_Testing__and_scriptable_using_dbus.html</guid>
13 <pubDate>Tue, 12 Jan 2021 17:00:00 +0100</pubDate>
14 <description>&lt;p&gt;After a lot of hard work by its maintainer Alexandre Viau and
15 others, the decentralized communication platform
16 &lt;a href=&quot;https://en.wikipedia.org/wiki/Jami_(software)&quot;&gt;Jami&lt;/a&gt;
17 (earlier known as Ring), managed to get
18 &lt;a href=&quot;https://tracker.debian.org/pkg/ring&quot;&gt;its latest version&lt;/a&gt;
19 into Debian Testing. Several of its dependencies has caused build and
20 propagation problems, which all seem to be solved now.&lt;/p&gt;
21
22 &lt;p&gt;In addition to the fact that Jami is decentralized, similar to how
23 bittorrent is decentralized, I first of all like how it is not
24 connected to external IDs like phone numbers. This allow me to set up
25 computers to send me notifications using Jami without having to find
26 get a phone number for each computer. Automatic notification via Jami
27 is also made trivial thanks to the provided client side API (as a DBus
28 service). Here is my bourne shell script demonstrating how to let any
29 system send a message to any Jami address. It will create a new
30 identity before sending the message, if no Jami identity exist
31 already:&lt;/p&gt;
32
33 &lt;p&gt;&lt;pre&gt;
34 #!/bin/sh
35 #
36 # Usage: $0 &lt;jami-address&gt; &lt;message&gt;
37 #
38 # Send &lt;message&gt; to &lt;jami-address&gt;, create local jami account if
39 # missing.
40 #
41 # License: GPL v2 or later at your choice
42 # Author: Petter Reinholdtsen
43
44
45 if [ -z &quot;$HOME&quot; ] ; then
46 echo &quot;error: missing \$HOME, required for dbus to work&quot;
47 exit 1
48 fi
49
50 # First, get dbus running if not already running
51 DBUSLAUNCH=/usr/bin/dbus-launch
52 PIDFILE=/run/asterisk/dbus-session.pid
53 if [ -e $PIDFILE ] ; then
54 . $PIDFILE
55 if ! kill -0 $DBUS_SESSION_BUS_PID 2&gt;/dev/null ; then
56 unset DBUS_SESSION_BUS_ADDRESS
57 fi
58 fi
59 if [ -z &quot;$DBUS_SESSION_BUS_ADDRESS&quot; ] &amp;&amp; [ -x &quot;$DBUSLAUNCH&quot; ]; then
60 DBUS_SESSION_BUS_ADDRESS=&quot;unix:path=$HOME/.dbus&quot;
61 dbus-daemon --session --address=&quot;$DBUS_SESSION_BUS_ADDRESS&quot; --nofork --nopidfile --syslog-only &lt; /dev/null &gt; /dev/null 2&gt;&amp;1 3&gt;&amp;1 &amp;
62 DBUS_SESSION_BUS_PID=$!
63 (
64 echo DBUS_SESSION_BUS_PID=$DBUS_SESSION_BUS_PID
65 echo DBUS_SESSION_BUS_ADDRESS=\&quot;&quot;$DBUS_SESSION_BUS_ADDRESS&quot;\&quot;
66 echo export DBUS_SESSION_BUS_ADDRESS
67 ) &gt; $PIDFILE
68 . $PIDFILE
69 fi &amp;
70
71 dringop() {
72 part=&quot;$1&quot;; shift
73 op=&quot;$1&quot;; shift
74 dbus-send --session \
75 --dest=&quot;cx.ring.Ring&quot; /cx/ring/Ring/$part cx.ring.Ring.$part.$op $*
76 }
77
78 dringopreply() {
79 part=&quot;$1&quot;; shift
80 op=&quot;$1&quot;; shift
81 dbus-send --session --print-reply \
82 --dest=&quot;cx.ring.Ring&quot; /cx/ring/Ring/$part cx.ring.Ring.$part.$op $*
83 }
84
85 firstaccount() {
86 dringopreply ConfigurationManager getAccountList | \
87 grep string | awk -F&#39;&quot;&#39; &#39;{print $2}&#39; | head -n 1
88 }
89
90 account=$(firstaccount)
91
92 if [ -z &quot;$account&quot; ] ; then
93 echo &quot;Missing local account, trying to create it&quot;
94 dringop ConfigurationManager addAccount \
95 dict:string:string:&quot;Account.type&quot;,&quot;RING&quot;,&quot;Account.videoEnabled&quot;,&quot;false&quot;
96 account=$(firstaccount)
97 if [ -z &quot;$account&quot; ] ; then
98 echo &quot;unable to create local account&quot;
99 exit 1
100 fi
101 fi
102
103 # Not using dringopreply to ensure $2 can contain spaces
104 dbus-send --print-reply --session \
105 --dest=cx.ring.Ring \
106 /cx/ring/Ring/ConfigurationManager \
107 cx.ring.Ring.ConfigurationManager.sendTextMessage \
108 string:&quot;$account&quot; string:&quot;$1&quot; \
109 dict:string:string:&quot;text/plain&quot;,&quot;$2&quot;
110 &lt;/pre&gt;&lt;/p&gt;
111
112 &lt;p&gt;If you want to check it out yourself, visit the
113 &lt;a href=&quot;https://jami.net/&quot;&gt;the Jami system project page&lt;/a&gt; to learn
114 more, and install the latest Jami client from Debian Unstable or
115 Testing.&lt;/p&gt;
116
117 &lt;p&gt;As usual, if you use Bitcoin and want to show your support of my
118 activities, please send Bitcoin donations to my address
119 &lt;b&gt;&lt;a href=&quot;bitcoin:15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b&quot;&gt;15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b&lt;/a&gt;&lt;/b&gt;.&lt;/p&gt;
120 </description>
121 </item>
122
123 <item>
124 <title>Secure Socket API - a simple and powerful approach for TLS support in software</title>
125 <link>https://people.skolelinux.org/pere/blog/Secure_Socket_API___a_simple_and_powerful_approach_for_TLS_support_in_software.html</link>
126 <guid isPermaLink="true">https://people.skolelinux.org/pere/blog/Secure_Socket_API___a_simple_and_powerful_approach_for_TLS_support_in_software.html</guid>
127 <pubDate>Sat, 6 Jun 2020 12:40:00 +0200</pubDate>
128 <description>&lt;p&gt;As a member of the &lt;a href=&quot;https://www.nuug.no/&quot;&gt;Norwegian Unix
129 User Group&lt;/a&gt;, I have the pleasure of receiving the
130 &lt;a href=&quot;https://www.usenix.org/&quot;&gt;USENIX&lt;/a&gt; magazine
131 &lt;a href=&quot;https://www.usenix.org/publications/login/&quot;&gt;;login:&lt;/a&gt;
132 several times a year. I rarely have time to read all the articles,
133 but try to at least skim through them all as there is a lot of nice
134 knowledge passed on there. I even carry the latest issue with me most
135 of the time to try to get through all the articles when I have a few
136 spare minutes.&lt;/p&gt;
137
138 &lt;p&gt;The other day I came across a nice article titled
139 &quot;&lt;a href=&quot;https://www.usenix.org/publications/login/winter2018/oneill&quot;&gt;The
140 Secure Socket API: TLS as an Operating System Service&lt;/a&gt;&quot; with a
141 marvellous idea I hope can make it all the way into the POSIX standard.
142 The idea is as simple as it is powerful. By introducing a new
143 socket() option IPPROTO_TLS to use TLS, and a system wide service to
144 handle setting up TLS connections, one both make it trivial to add TLS
145 support to any program currently using the POSIX socket API, and gain
146 system wide control over certificates, TLS versions and encryption
147 systems used. Instead of doing this:&lt;/p&gt;
148
149 &lt;p&gt;&lt;blockquote&gt;&lt;pre&gt;
150 int socket = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
151 &lt;/pre&gt;&lt;/blockquote&gt;&lt;/p&gt;
152
153 &lt;p&gt;the program code would be doing this:&lt;p&gt;
154
155 &lt;p&gt;&lt;blockquote&gt;&lt;pre&gt;
156 int socket = socket(PF_INET, SOCK_STREAM, IPPROTO_TLS);
157 &lt;/pre&gt;&lt;/blockquote&gt;&lt;/p&gt;
158
159 &lt;p&gt;According to the ;login: article, converting a C program to use TLS
160 would normally modify only 5-10 lines in the code, which is amazing
161 when compared to using for example the OpenSSL API.&lt;/p&gt;
162
163 &lt;p&gt;The project has set up the
164 &lt;a href=&quot;https://securesocketapi.org/&quot;&gt;https://securesocketapi.org/&lt;/a&gt;
165 web site to spread the idea, and the code for a kernel module and the
166 associated system daemon is available from two github repositories:
167 &lt;a href=&quot;https://github.com/markoneill/ssa&quot;&gt;ssa&lt;/a&gt; and
168 &lt;a href=&quot;https://github.com/markoneill/ssa-daemon&quot;&gt;ssa-daemon&lt;/a&gt;.
169 Unfortunately there is no explicit license information with the code,
170 so its copyright status is unclear. A
171 &lt;a href=&quot;https://github.com/markoneill/ssa/issues/2&quot;&gt;request to solve
172 this&lt;/a&gt; about it has been unsolved since 2018-08-17.&lt;/p&gt;
173
174 &lt;p&gt;I love the idea of extending socket() to gain TLS support, and
175 understand why it is an advantage to implement this as a kernel module
176 and system wide service daemon, but can not help to think that it
177 would be a lot easier to get projects to move to this way of setting
178 up TLS if it was done with a user space approach where programs
179 wanting to use this API approach could just link with a wrapper
180 library.&lt;/p&gt;
181
182 &lt;p&gt;I recommend you check out this simple and powerful approach to more
183 secure network connections. :)&lt;/p&gt;
184
185 &lt;p&gt;As usual, if you use Bitcoin and want to show your support of my
186 activities, please send Bitcoin donations to my address
187 &lt;b&gt;&lt;a href=&quot;bitcoin:15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b&quot;&gt;15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b&lt;/a&gt;&lt;/b&gt;.&lt;/p&gt;
188 </description>
189 </item>
190
191 <item>
192 <title>Jami as a Zoom client, a trick for password protected rooms...</title>
193 <link>https://people.skolelinux.org/pere/blog/Jami_as_a_Zoom_client__a_trick_for_password_protected_rooms___.html</link>
194 <guid isPermaLink="true">https://people.skolelinux.org/pere/blog/Jami_as_a_Zoom_client__a_trick_for_password_protected_rooms___.html</guid>
195 <pubDate>Fri, 8 May 2020 13:30:00 +0200</pubDate>
196 <description>&lt;p&gt;Half a year ago,
197 &lt;a href=&quot;http://people.skolelinux.org/pere/blog/Jami_Ring__finally_functioning_peer_to_peer_communication_client.html&quot;&gt;I
198 wrote&lt;/a&gt; about &lt;a href=&quot;https://jami.net/&quot;&gt;the Jami communication
199 client&lt;/a&gt;, capable of peer-to-peer encrypted communication. It
200 handle both messages, audio and video. It uses distributed hash
201 tables instead of central infrastructure to connect its users to each
202 other, which in my book is a plus. I mentioned briefly that it could
203 also work as a SIP client, which came in handy when the higher
204 educational sector in Norway started to promote Zoom as its video
205 conferencing solution. I am reluctant to use the official Zoom client
206 software, due to their &lt;a href=&quot;https://zoom.us/terms&quot;&gt;copyright
207 license clauses&lt;/a&gt; prohibiting users to reverse engineer (for example
208 to check the security) and benchmark it, and thus prefer to connect to
209 Zoom meetings with free software clients.&lt;/p&gt;
210
211 &lt;p&gt;Jami worked OK as a SIP client to Zoom as long as there was no
212 password set on the room. The Jami daemon leak memory like crazy
213 (approximately 1 GiB a minute) when I am connected to the video
214 conference, so I had to restart the client every 7-10 minutes, which
215 is not great. I tried to get other SIP Linux clients to work
216 without success, so I decided I would have to live with this wart
217 until someone managed to fix the leak in the dring code base. But
218 another problem showed up once the rooms were password protected. I
219 could not get my dial tone signaling through from Jami to Zoom, and
220 dial tone signaling is used to enter the password when connecting to
221 Zoom. I tried a lot of different permutations with my Jami and
222 Asterisk setup to try to figure out why the signaling did not get
223 through, only to finally discover that the fundamental problem seem to
224 be that Zoom is simply not able to receive dial tone signaling when
225 connecting via SIP. There seem to be nothing wrong with the Jami and
226 Asterisk end, it is simply broken in the Zoom end. I got help from a
227 very skilled VoIP engineer figuring out this last part. And being a
228 very skilled engineer, he was also able to locate a solution for me.
229 Or to be exact, a workaround that solve my initial problem of
230 connecting to password protected Zoom rooms using Jami.&lt;/p&gt;
231
232 &lt;p&gt;So, how do you do this, I am sure you are wondering by now. The
233 trick is already
234 &lt;a href=&quot;https://support.zoom.us/hc/en-us/articles/202405539-H-323-SIP-Room-Connector-Dial-Strings#sip&quot;&gt;documented
235 from Zoom&lt;/a&gt;, and it is to modify the SIP address to include the room
236 password. What is most surprising about this is that the
237 automatically generated email from Zoom with instructions on how to
238 connect via SIP do not mention this. The SIP address to use normally
239 consist of the room ID (a number), an @ character and the IP address
240 of the Zoom SIP gateway. But Zoom understand a lot more than just the
241 room ID in front of the at sign. The format is &quot;&lt;tt&gt;[Meeting
242 ID].[Password].[Layout].[Host Key]&lt;/tt&gt;&quot;, and you can here see how you
243 can both enter password, control the layout (full screen, active
244 presence and gallery) and specify the host key to start the meeting.
245 The full SIP address entered into Jami to provide the password will
246 then look like this (all using made up numbers):&lt;/p&gt;
247
248 &lt;p&gt;&lt;blockquote&gt;
249 &lt;tt&gt;sip:657837644.522827@192.168.169.170&lt;/tt&gt;
250 &lt;/blockquote&gt;&lt;/p&gt;
251
252 &lt;p&gt;Now if only jami would reduce its memory usage, I could even
253 recommend this setup to others. :)&lt;/p&gt;
254
255 &lt;p&gt;As usual, if you use Bitcoin and want to show your support of my
256 activities, please send Bitcoin donations to my address
257 &lt;b&gt;&lt;a href=&quot;bitcoin:15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b&quot;&gt;15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b&lt;/a&gt;&lt;/b&gt;.&lt;/p&gt;
258 </description>
259 </item>
260
261 <item>
262 <title>Jami/Ring, finally functioning peer to peer communication client</title>
263 <link>https://people.skolelinux.org/pere/blog/Jami_Ring__finally_functioning_peer_to_peer_communication_client.html</link>
264 <guid isPermaLink="true">https://people.skolelinux.org/pere/blog/Jami_Ring__finally_functioning_peer_to_peer_communication_client.html</guid>
265 <pubDate>Wed, 19 Jun 2019 08:50:00 +0200</pubDate>
266 <description>&lt;p&gt;Some years ago, in 2016, I
267 &lt;a href=&quot;http://people.skolelinux.org/pere/blog/Experience_and_updated_recipe_for_using_the_Signal_app_without_a_mobile_phone.html&quot;&gt;wrote
268 for the first time about&lt;/a&gt; the Ring peer to peer messaging system.
269 It would provide messaging without any central server coordinating the
270 system and without requiring all users to register a phone number or
271 own a mobile phone. Back then, I could not get it to work, and put it
272 aside until it had seen more development. A few days ago I decided to
273 give it another try, and am happy to report that this time I am able
274 to not only send and receive messages, but also place audio and video
275 calls. But only if UDP is not blocked into your network.&lt;/p&gt;
276
277 &lt;p&gt;The Ring system changed name earlier this year to
278 &lt;a href=&quot;https://en.wikipedia.org/wiki/Jami_(software)&quot;&gt;Jami&lt;/a&gt;. I
279 tried doing web search for &#39;ring&#39; when I discovered it for the first
280 time, and can only applaud this change as it is impossible to find
281 something called Ring among the noise of other uses of that word. Now
282 you can search for &#39;jami&#39; and this client and
283 &lt;a href=&quot;https://jami.net/&quot;&gt;the Jami system&lt;/a&gt; is the first hit at
284 least on duckduckgo.&lt;/p&gt;
285
286 &lt;p&gt;Jami will by default encrypt messages as well as audio and video
287 calls, and try to send them directly between the communicating parties
288 if possible. If this proves impossible (for example if both ends are
289 behind NAT), it will use a central SIP TURN server maintained by the
290 Jami project. Jami can also be a normal SIP client. If the SIP
291 server is unencrypted, the audio and video calls will also be
292 unencrypted. This is as far as I know the only case where Jami will
293 do anything without encryption.&lt;/p&gt;
294
295 &lt;p&gt;Jami is available for several platforms: Linux, Windows, MacOSX,
296 Android, iOS, and Android TV. It is included in Debian already. Jami
297 also work for those using F-Droid without any Google connections,
298 while Signal do not.
299 &lt;a href=&quot;https://git.jami.net/savoirfairelinux/ring-project/wikis/technical/Protocol&quot;&gt;The
300 protocol&lt;/a&gt; is described in the Ring project wiki. The system uses a
301 distributed hash table (DHT) system (similar to BitTorrent) running
302 over UDP. On one of the networks I use, I discovered Jami failed to
303 work. I tracked this down to the fact that incoming UDP packages
304 going to ports 1-49999 were blocked, and the DHT would pick a random
305 port and end up in the low range most of the time. After talking to
306 the developers, I solved this by enabling the dhtproxy in the
307 settings, thus using TCP to talk to a central DHT proxy instead of
308
309 peering directly with others. I&#39;ve been told the developers are
310 working on allowing DHT to use TCP to avoid this problem. I also ran
311 into a problem when trying to talk to the version of Ring included in
312 Debian Stable (Stretch). Apparently the protocol changed between
313 beta2 and the current version, making these clients incompatible.
314 Hopefully the protocol will not be made incompatible in the
315 future.&lt;/p&gt;
316
317 &lt;p&gt;It is worth noting that while looking at Jami and its features, I
318 came across another communication platform I have not tested yet. The
319 &lt;a href=&quot;https://en.wikipedia.org/wiki/Tox_(protocol)&quot;&gt;Tox protocol&lt;/a&gt;
320 and &lt;a href=&quot;https://tox.chat/&quot;&gt;family of Tox clients&lt;/a&gt;. It might
321 become the topic of a future blog post.&lt;/p&gt;
322
323 &lt;p&gt;As usual, if you use Bitcoin and want to show your support of my
324 activities, please send Bitcoin donations to my address
325 &lt;b&gt;&lt;a href=&quot;bitcoin:15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b&quot;&gt;15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b&lt;/a&gt;&lt;/b&gt;.&lt;/p&gt;
326 </description>
327 </item>
328
329 <item>
330 <title>Fetching trusted timestamps using the rfc3161ng python module</title>
331 <link>https://people.skolelinux.org/pere/blog/Fetching_trusted_timestamps_using_the_rfc3161ng_python_module.html</link>
332 <guid isPermaLink="true">https://people.skolelinux.org/pere/blog/Fetching_trusted_timestamps_using_the_rfc3161ng_python_module.html</guid>
333 <pubDate>Mon, 8 Oct 2018 12:30:00 +0200</pubDate>
334 <description>&lt;p&gt;I have earlier covered the basics of trusted timestamping using the
335 &#39;openssl ts&#39; client. See blog post for
336 &lt;a href=&quot;http://people.skolelinux.org/pere/blog/Public_Trusted_Timestamping_services_for_everyone.html&quot;&gt;2014&lt;/a&gt;,
337 &lt;a href=&quot;http://people.skolelinux.org/pere/blog/syslog_trusted_timestamp___chain_of_trusted_timestamps_for_your_syslog.html&quot;&gt;2016&lt;/a&gt;
338 and
339 &lt;a href=&quot;http://people.skolelinux.org/pere/blog/Idea_for_storing_trusted_timestamps_in_a_Noark_5_archive.html&quot;&gt;2017&lt;/a&gt;
340 for those stories. But some times I want to integrate the timestamping
341 in other code, and recently I needed to integrate it into Python.
342 After searching a bit, I found
343 &lt;a href=&quot;https://dev.entrouvert.org/projects/python-rfc3161&quot;&gt;the
344 rfc3161 library&lt;/a&gt; which seemed like a good fit, but I soon
345 discovered it only worked for python version 2, and I needed something
346 that work with python version 3. Luckily I next came across
347 &lt;a href=&quot;https://github.com/trbs/rfc3161ng/&quot;&gt;the rfc3161ng library&lt;/a&gt;,
348 a fork of the original rfc3161 library. Not only is it working with
349 python 3, it have fixed a few of the bugs in the original library, and
350 it has an active maintainer. I decided to wrap it up and make it
351 &lt;a href=&quot;https://tracker.debian.org/pkg/python-rfc3161ng&quot;&gt;available in
352 Debian&lt;/a&gt;, and a few days ago it entered Debian unstable and testing.&lt;/p&gt;
353
354 &lt;p&gt;Using the library is fairly straight forward. The only slightly
355 problematic step is to fetch the required certificates to verify the
356 timestamp. For some services it is straight forward, while for others
357 I have not yet figured out how to do it. Here is a small standalone
358 code example based on of the integration tests in the library code:&lt;/p&gt;
359
360 &lt;pre&gt;
361 #!/usr/bin/python3
362
363 &quot;&quot;&quot;
364
365 Python 3 script demonstrating how to use the rfc3161ng module to
366 get trusted timestamps.
367
368 The license of this code is the same as the license of the rfc3161ng
369 library, ie MIT/BSD.
370
371 &quot;&quot;&quot;
372
373 import os
374 import pyasn1.codec.der
375 import rfc3161ng
376 import subprocess
377 import tempfile
378 import urllib.request
379
380 def store(f, data):
381 f.write(data)
382 f.flush()
383 f.seek(0)
384
385 def fetch(url, f=None):
386 response = urllib.request.urlopen(url)
387 data = response.read()
388 if f:
389 store(f, data)
390 return data
391
392 def main():
393 with tempfile.NamedTemporaryFile() as cert_f,\
394 tempfile.NamedTemporaryFile() as ca_f,\
395 tempfile.NamedTemporaryFile() as msg_f,\
396 tempfile.NamedTemporaryFile() as tsr_f:
397
398 # First fetch certificates used by service
399 certificate_data = fetch(&#39;https://freetsa.org/files/tsa.crt&#39;, cert_f)
400 ca_data_data = fetch(&#39;https://freetsa.org/files/cacert.pem&#39;, ca_f)
401
402 # Then timestamp the message
403 timestamper = \
404 rfc3161ng.RemoteTimestamper(&#39;http://freetsa.org/tsr&#39;,
405 certificate=certificate_data)
406 data = b&quot;Python forever!\n&quot;
407 tsr = timestamper(data=data, return_tsr=True)
408
409 # Finally, convert message and response to something &#39;openssl ts&#39; can verify
410 store(msg_f, data)
411 store(tsr_f, pyasn1.codec.der.encoder.encode(tsr))
412 args = [&quot;openssl&quot;, &quot;ts&quot;, &quot;-verify&quot;,
413 &quot;-data&quot;, msg_f.name,
414 &quot;-in&quot;, tsr_f.name,
415 &quot;-CAfile&quot;, ca_f.name,
416 &quot;-untrusted&quot;, cert_f.name]
417 subprocess.check_call(args)
418
419 if &#39;__main__&#39; == __name__:
420 main()
421 &lt;/pre&gt;
422
423 &lt;p&gt;The code fetches the required certificates, store them as temporary
424 files, timestamp a simple message, store the message and timestamp to
425 disk and ask &#39;openssl ts&#39; to verify the timestamp. A timestamp is
426 around 1.5 kiB in size, and should be fairly easy to store for future
427 use.&lt;/p&gt;
428
429 &lt;p&gt;As usual, if you use Bitcoin and want to show your support of my
430 activities, please send Bitcoin donations to my address
431 &lt;b&gt;&lt;a href=&quot;bitcoin:15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b&quot;&gt;15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b&lt;/a&gt;&lt;/b&gt;.&lt;/p&gt;
432 </description>
433 </item>
434
435 <item>
436 <title>Stortingsflertallet går inn for ny IP-basert sensurinfrastruktur i Norge</title>
437 <link>https://people.skolelinux.org/pere/blog/Stortingsflertallet_g_r_inn_for_ny_IP_basert_sensurinfrastruktur_i_Norge.html</link>
438 <guid isPermaLink="true">https://people.skolelinux.org/pere/blog/Stortingsflertallet_g_r_inn_for_ny_IP_basert_sensurinfrastruktur_i_Norge.html</guid>
439 <pubDate>Tue, 24 Apr 2018 15:00:00 +0200</pubDate>
440 <description>&lt;p&gt;&lt;a href=&quot;https://www.vg.no/sport/i/J1g8zj/stortingsvedtak-snart-ip-blokkerer-utenlandske-spillselskaper&quot;&gt;VG&lt;/a&gt;,
441 &lt;a href=&quot;https://www.dagbladet.no/nyheter/stortinget-blokkerer-utenlandske-spillselskaper/69740219&quot;&gt;Dagbladet&lt;/a&gt;
442 og
443 &lt;a href=&quot;https://www.nrk.no/ostfold/tar-opp-kampen-mot-utenlandske-spillselskap-1.14021381&quot;&gt;NRK&lt;/a&gt;
444 melder i dag at flertallet i Familie- og kulturkomiteen på Stortinget
445 har bestemt seg for å introdusere en ny sensurinfrastruktur i Norge.
446 Fra før har Norge en «frivillig» sensurinfrastruktur basert på
447 DNS-navn, der de største ISP-ene basert på en liste med DNS-navn
448 forgifter DNS-svar og omdirigerer til et annet IP-nummer enn det som
449 ligger i DNS. Nå kommer altså IP-basert omdirigering i tillegg. Når
450 infrastrukturen er på plass, er sensur av IP-adresser redusert et
451 spørsmål om hvilke IP-nummer som skal blokkeres. Listen over
452 IP-adresser vil naturligvis endre seg etter hvert som myndighetene
453 endrer seg. Det er ingen betryggende tanke.&lt;/p&gt;
454 </description>
455 </item>
456
457 <item>
458 <title>«Rapporten ser ikke på informasjonssikkerhet knyttet til personlig integritet»</title>
459 <link>https://people.skolelinux.org/pere/blog/_Rapporten_ser_ikke_p__informasjonssikkerhet_knyttet_til_personlig_integritet_.html</link>
460 <guid isPermaLink="true">https://people.skolelinux.org/pere/blog/_Rapporten_ser_ikke_p__informasjonssikkerhet_knyttet_til_personlig_integritet_.html</guid>
461 <pubDate>Tue, 27 Jun 2017 17:50:00 +0200</pubDate>
462 <description>&lt;p&gt;Jeg kom over teksten
463 «&lt;a href=&quot;https://freedom-to-tinker.com/2017/06/21/killing-car-privacy-by-federal-mandate/&quot;&gt;Killing
464 car privacy by federal mandate&lt;/a&gt;» av Leonid Reyzin på Freedom to
465 Tinker i dag, og det gleder meg å se en god gjennomgang om hvorfor det
466 er et urimelig inngrep i privatsfæren å la alle biler kringkaste sin
467 posisjon og bevegelse via radio. Det omtalte forslaget basert på
468 Dedicated Short Range Communication (DSRC) kalles Basic Safety Message
469 (BSM) i USA og Cooperative Awareness Message (CAM) i Europa, og det
470 norske Vegvesenet er en av de som ser ut til å kunne tenke seg å
471 pålegge alle biler å fjerne nok en bit av innbyggernes privatsfære.
472 Anbefaler alle å lese det som står der.
473
474 &lt;p&gt;Mens jeg tittet litt på DSRC på biler i Norge kom jeg over et sitat
475 jeg synes er illustrativt for hvordan det offentlige Norge håndterer
476 problemstillinger rundt innbyggernes privatsfære i SINTEF-rapporten
477 «&lt;a href=&quot;https://www.sintef.no/publikasjoner/publikasjon/Download/?pubid=SINTEF+A23933&quot;&gt;Informasjonssikkerhet
478 i AutoPASS-brikker&lt;/a&gt;» av Trond Foss:&lt;/p&gt;
479
480 &lt;p&gt;&lt;blockquote&gt;
481 «Rapporten ser ikke på informasjonssikkerhet knyttet til personlig
482 integritet.»
483 &lt;/blockquote&gt;&lt;/p&gt;
484
485 &lt;p&gt;Så enkelt kan det tydeligvis gjøres når en vurderer
486 informasjonssikkerheten. Det holder vel at folkene på toppen kan si
487 at «Personvernet er ivaretatt», som jo er den populære intetsigende
488 frasen som gjør at mange tror enkeltindividers integritet tas vare på.
489 Sitatet fikk meg til å undres på hvor ofte samme tilnærming, å bare se
490 bort fra behovet for personlig itegritet, blir valgt når en velger å
491 legge til rette for nok et inngrep i privatsfæren til personer i
492 Norge. Det er jo sjelden det får reaksjoner. Historien om
493 reaksjonene på Helse Sør-Østs tjenesteutsetting er jo sørgelig nok et
494 unntak og toppen av isfjellet, desverre. Tror jeg fortsatt takker nei
495 til både AutoPASS og holder meg så langt unna det norske helsevesenet
496 som jeg kan, inntil de har demonstrert og dokumentert at de verdsetter
497 individets privatsfære og personlige integritet høyere enn kortsiktig
498 gevist og samfunnsnytte.&lt;/p&gt;
499 </description>
500 </item>
501
502 <item>
503 <title>How to talk with your loved ones in private</title>
504 <link>https://people.skolelinux.org/pere/blog/How_to_talk_with_your_loved_ones_in_private.html</link>
505 <guid isPermaLink="true">https://people.skolelinux.org/pere/blog/How_to_talk_with_your_loved_ones_in_private.html</guid>
506 <pubDate>Mon, 7 Nov 2016 10:25:00 +0100</pubDate>
507 <description>&lt;p&gt;A few days ago I ran a very biased and informal survey to get an
508 idea about what options are being used to communicate with end to end
509 encryption with friends and family. I explicitly asked people not to
510 list options only used in a work setting. The background is the
511 uneasy feeling I get when using Signal, a feeling shared by others as
512 a blog post from Sander Venima about
513 &lt;a href=&quot;https://sandervenema.ch/2016/11/why-i-wont-recommend-signal-anymore/&quot;&gt;why
514 he do not recommend Signal anymore&lt;/a&gt; (with
515 &lt;a href=&quot;https://news.ycombinator.com/item?id=12883410&quot;&gt;feedback from
516 the Signal author available from ycombinator&lt;/a&gt;). I wanted an
517 overview of the options being used, and hope to include those options
518 in a less biased survey later on. So far I have not taken the time to
519 look into the individual proposed systems. They range from text
520 sharing web pages, via file sharing and email to instant messaging,
521 VOIP and video conferencing. For those considering which system to
522 use, it is also useful to have a look at
523 &lt;a href=&quot;https://www.eff.org/secure-messaging-scorecard&quot;&gt;the EFF Secure
524 messaging scorecard&lt;/a&gt; which is slightly out of date but still
525 provide valuable information.&lt;/p&gt;
526
527 &lt;p&gt;So, on to the list. There were some used by many, some used by a
528 few, some rarely used ones and a few mentioned but without anyone
529 claiming to use them. Notice the grouping is in reality quite random
530 given the biased self selected set of participants. First the ones
531 used by many:&lt;/p&gt;
532
533 &lt;ul&gt;
534
535 &lt;li&gt;&lt;a href=&quot;https://whispersystems.org/&quot;&gt;Signal&lt;/a&gt;&lt;/li&gt;
536 &lt;li&gt;Email w/&lt;a href=&quot;http://openpgp.org/&quot;&gt;OpenPGP&lt;/a&gt; (Enigmail, GPGSuite,etc)&lt;/li&gt;
537 &lt;li&gt;&lt;a href=&quot;https://www.whatsapp.com/&quot;&gt;Whatsapp&lt;/a&gt;&lt;/li&gt;
538 &lt;li&gt;IRC w/&lt;a href=&quot;https://otr.cypherpunks.ca/&quot;&gt;OTR&lt;/a&gt;&lt;/li&gt;
539 &lt;li&gt;XMPP w/&lt;a href=&quot;https://otr.cypherpunks.ca/&quot;&gt;OTR&lt;/a&gt;&lt;/li&gt;
540
541 &lt;/ul&gt;
542
543 &lt;p&gt;Then the ones used by a few.&lt;/p&gt;
544
545 &lt;ul&gt;
546
547 &lt;li&gt;&lt;a href=&quot;https://wiki.mumble.info/wiki/Main_Page&quot;&gt;Mumble&lt;/a&gt;&lt;/li&gt;
548 &lt;li&gt;iMessage (included in iOS from Apple)&lt;/li&gt;
549 &lt;li&gt;&lt;a href=&quot;https://telegram.org/&quot;&gt;Telegram&lt;/a&gt;&lt;/li&gt;
550 &lt;li&gt;&lt;a href=&quot;https://jitsi.org/&quot;&gt;Jitsi&lt;/a&gt;&lt;/li&gt;
551 &lt;li&gt;&lt;a href=&quot;https://keybase.io/download&quot;&gt;Keybase file&lt;/a&gt;&lt;/li&gt;
552
553 &lt;/ul&gt;
554
555 &lt;p&gt;Then the ones used by even fewer people&lt;/p&gt;
556
557 &lt;ul&gt;
558
559 &lt;li&gt;&lt;a href=&quot;https://ring.cx/&quot;&gt;Ring&lt;/a&gt;&lt;/li&gt;
560 &lt;li&gt;&lt;a href=&quot;https://bitmessage.org/&quot;&gt;Bitmessage&lt;/a&gt;&lt;/li&gt;
561 &lt;li&gt;&lt;a href=&quot;https://wire.com/&quot;&gt;Wire&lt;/a&gt;&lt;/li&gt;
562 &lt;li&gt;VoIP w/&lt;a href=&quot;https://en.wikipedia.org/wiki/ZRTP&quot;&gt;ZRTP&lt;/a&gt; or controlled &lt;a href=&quot;https://en.wikipedia.org/wiki/Secure_Real-time_Transport_Protocol&quot;&gt;SRTP&lt;/a&gt; (e.g using &lt;a href=&quot;https://en.wikipedia.org/wiki/CSipSimple&quot;&gt;CSipSimple&lt;/a&gt;, &lt;a href=&quot;https://en.wikipedia.org/wiki/Linphone&quot;&gt;Linphone&lt;/a&gt;)&lt;/li&gt;
563 &lt;li&gt;&lt;a href=&quot;https://matrix.org/&quot;&gt;Matrix&lt;/a&gt;&lt;/li&gt;
564 &lt;li&gt;&lt;a href=&quot;https://kontalk.org/&quot;&gt;Kontalk&lt;/a&gt;&lt;/li&gt;
565 &lt;li&gt;&lt;a href=&quot;https://0bin.net/&quot;&gt;0bin&lt;/a&gt; (encrypted pastebin)&lt;/li&gt;
566 &lt;li&gt;&lt;a href=&quot;https://appear.in&quot;&gt;Appear.in&lt;/a&gt;&lt;/li&gt;
567 &lt;li&gt;&lt;a href=&quot;https://riot.im/&quot;&gt;riot&lt;/a&gt;&lt;/li&gt;
568 &lt;li&gt;&lt;a href=&quot;https://www.wickr.com/&quot;&gt;Wickr Me&lt;/a&gt;&lt;/li&gt;
569
570 &lt;/ul&gt;
571
572 &lt;p&gt;And finally the ones mentioned by not marked as used by
573 anyone. This might be a mistake, perhaps the person adding the entry
574 forgot to flag it as used?&lt;/p&gt;
575
576 &lt;ul&gt;
577
578 &lt;li&gt;Email w/Certificates &lt;a href=&quot;https://en.wikipedia.org/wiki/S/MIME&quot;&gt;S/MIME&lt;/a&gt;&lt;/li&gt;
579 &lt;li&gt;&lt;a href=&quot;https://www.crypho.com/&quot;&gt;Crypho&lt;/a&gt;&lt;/li&gt;
580 &lt;li&gt;&lt;a href=&quot;https://cryptpad.fr/&quot;&gt;CryptPad&lt;/a&gt;&lt;/li&gt;
581 &lt;li&gt;&lt;a href=&quot;https://github.com/ricochet-im/ricochet&quot;&gt;ricochet&lt;/a&gt;&lt;/li&gt;
582
583 &lt;/ul&gt;
584
585 &lt;p&gt;Given the network effect it seem obvious to me that we as a society
586 have been divided and conquered by those interested in keeping
587 encrypted and secure communication away from the masses. The
588 finishing remarks &lt;a href=&quot;https://vimeo.com/97505679&quot;&gt;from Aral Balkan
589 in his talk &quot;Free is a lie&quot;&lt;/a&gt; about the usability of free software
590 really come into effect when you want to communicate in private with
591 your friends and family. We can not expect them to allow the
592 usability of communication tool to block their ability to talk to
593 their loved ones.&lt;/p&gt;
594
595 &lt;p&gt;Note for example the option IRC w/OTR. Most IRC clients do not
596 have OTR support, so in most cases OTR would not be an option, even if
597 you wanted to. In my personal experience, about 1 in 20 I talk to
598 have a IRC client with OTR. For private communication to really be
599 available, most people to talk to must have the option in their
600 currently used client. I can not simply ask my family to install an
601 IRC client. I need to guide them through a technical multi-step
602 process of adding extensions to the client to get them going. This is
603 a non-starter for most.&lt;/p&gt;
604
605 &lt;p&gt;I would like to be able to do video phone calls, audio phone calls,
606 exchange instant messages and share files with my loved ones, without
607 being forced to share with people I do not know. I do not want to
608 share the content of the conversations, and I do not want to share who
609 I communicate with or the fact that I communicate with someone.
610 Without all these factors in place, my private life is being more or
611 less invaded.&lt;/p&gt;
612
613 &lt;p&gt;&lt;strong&gt;Update 2019-10-08&lt;/strong&gt;: Børge Dvergsdal, who told me he
614 is Customer Relationship Manager @ Whereby (formerly appear.in),
615 asked if I could mention that appear.in is now renamed and found at
616 &lt;a href=&quot;https://whereby.com/&quot;&gt;https://whereby.com/&lt;/a&gt;. And sure,
617 why not. Apparently they changed the name because they were unable
618 to trademark appear.in somewhere... While I am at it, I can mention
619 that Ring changed name to Jami, now available from &lt;a
620 href=&quot;https://jami.net/&quot;&gt;https://jami.net/&lt;/a&gt;. Luckily they were
621 able to have a direct redirect from ring.cx to jami.net, so the user
622 experience is almost the same.&lt;/p&gt;
623 </description>
624 </item>
625
626 <item>
627 <title>Aktivitetsbånd som beskytter privatsfæren</title>
628 <link>https://people.skolelinux.org/pere/blog/Aktivitetsb_nd_som_beskytter_privatsf_ren.html</link>
629 <guid isPermaLink="true">https://people.skolelinux.org/pere/blog/Aktivitetsb_nd_som_beskytter_privatsf_ren.html</guid>
630 <pubDate>Thu, 3 Nov 2016 09:55:00 +0100</pubDate>
631 <description>&lt;p&gt;Jeg ble så imponert over
632 &lt;a href=&quot;https://www.nrk.no/norge/forbrukerradet-mener-aktivitetsarmband-strider-mot-norsk-lov-1.13209079&quot;&gt;dagens
633 gladnyhet på NRK&lt;/a&gt;, om at Forbrukerrådet klager inn vilkårene for
634 bruk av aktivitetsbånd fra Fitbit, Garmin, Jawbone og Mio til
635 Datatilsynet og forbrukerombudet, at jeg sendte følgende brev til
636 forbrukerrådet for å uttrykke min støtte:
637
638 &lt;blockquote&gt;
639
640 &lt;p&gt;Jeg ble veldig glad over å lese at Forbrukerrådet
641 &lt;a href=&quot;http://www.forbrukerradet.no/siste-nytt/klager-inn-aktivitetsarmband-for-brudd-pa-norsk-lov/&quot;&gt;klager
642 inn flere aktivitetsbånd til Datatilsynet for dårlige vilkår&lt;/a&gt;. Jeg
643 har ønsket meg et aktivitetsbånd som kan måle puls, bevegelse og
644 gjerne også andre helserelaterte indikatorer en stund nå. De eneste
645 jeg har funnet i salg gjør, som dere også har oppdaget, graverende
646 inngrep i privatsfæren og sender informasjonen ut av huset til folk og
647 organisasjoner jeg ikke ønsker å dele aktivitets- og helseinformasjon
648 med. Jeg ønsker et alternativ som &lt;em&gt;ikke&lt;/em&gt; sender informasjon til
649 skyen, men derimot bruker
650 &lt;a href=&quot;http://people.skolelinux.org/pere/blog/Fri_og__pen_standard__slik_Digistan_ser_det.html&quot;&gt;en
651 fritt og åpent standardisert&lt;/a&gt; protokoll (eller i det minste en
652 dokumentert protokoll uten patent- og opphavsrettslige
653 bruksbegrensinger) til å kommunisere med datautstyr jeg kontrollerer.
654 Er jo ikke interessert i å betale noen for å tilrøve seg
655 personopplysninger fra meg. Desverre har jeg ikke funnet noe
656 alternativ så langt.&lt;/p&gt;
657
658 &lt;p&gt;Det holder ikke å endre på bruksvilkårene for enhetene, slik
659 Datatilsynet ofte legger opp til i sin behandling, når de gjør slik
660 f.eks. Fitbit (den jeg har sett mest på). Fitbit krypterer
661 informasjonen på enheten og sender den kryptert til leverandøren. Det
662 gjør det i praksis umulig både å sjekke hva slags informasjon som
663 sendes over, og umulig å ta imot informasjonen selv i stedet for
664 Fitbit. Uansett hva slags historie som forteller i bruksvilkårene er
665 en jo både prisgitt leverandørens godvilje og at de ikke tvinges av
666 sitt lands myndigheter til å lyve til sine kunder om hvorvidt
667 personopplysninger spres ut over det bruksvilkårene sier. Det er
668 veldokumentert hvordan f.eks. USA tvinger selskaper vha. såkalte
669 National security letters til å utlevere personopplysninger samtidig
670 som de ikke får lov til å fortelle dette til kundene sine.&lt;/p&gt;
671
672 &lt;p&gt;Stå på, jeg er veldig glade for at dere har sett på saken. Vet
673 dere om aktivitetsbånd i salg i dag som ikke tvinger en til å utlevere
674 aktivitets- og helseopplysninger med leverandøren?&lt;/p&gt;
675
676 &lt;/blockquote&gt;
677
678 &lt;p&gt;Jeg håper en konkurrent som respekterer kundenes privatliv klarer å
679 nå opp i markedet, slik at det finnes et reelt alternativ for oss som
680 har full tillit til at skyleverandører vil prioritere egen inntjening
681 og myndighetspålegg langt foran kundenes rett til privatliv. Jeg har
682 ingen tiltro til at Datatilsynet vil kreve noe mer enn at vilkårene
683 endres slik at de forklarer eksplisitt i hvor stor grad bruk av
684 produktene utraderer privatsfæren til kundene. Det vil nok gjøre de
685 innklagede armbåndene «lovlige», men fortsatt tvinge kundene til å
686 dele sine personopplysninger med leverandøren.&lt;/p&gt;
687 </description>
688 </item>
689
690 <item>
691 <title>Experience and updated recipe for using the Signal app without a mobile phone</title>
692 <link>https://people.skolelinux.org/pere/blog/Experience_and_updated_recipe_for_using_the_Signal_app_without_a_mobile_phone.html</link>
693 <guid isPermaLink="true">https://people.skolelinux.org/pere/blog/Experience_and_updated_recipe_for_using_the_Signal_app_without_a_mobile_phone.html</guid>
694 <pubDate>Mon, 10 Oct 2016 11:30:00 +0200</pubDate>
695 <description>&lt;p&gt;In July
696 &lt;a href=&quot;http://people.skolelinux.org/pere/blog/How_to_use_the_Signal_app_if_you_only_have_a_land_line__ie_no_mobile_phone_.html&quot;&gt;I
697 wrote how to get the Signal Chrome/Chromium app working&lt;/a&gt; without
698 the ability to receive SMS messages (aka without a cell phone). It is
699 time to share some experiences and provide an updated setup.&lt;/p&gt;
700
701 &lt;p&gt;The Signal app have worked fine for several months now, and I use
702 it regularly to chat with my loved ones. I had a major snag at the
703 end of my summer vacation, when the the app completely forgot my
704 setup, identity and keys. The reason behind this major mess was
705 running out of disk space. To avoid that ever happening again I have
706 started storing everything in &lt;tt&gt;userdata/&lt;/tt&gt; in git, to be able to
707 roll back to an earlier version if the files are wiped by mistake. I
708 had to use it once after introducing the git backup. When rolling
709 back to an earlier version, one need to use the &#39;reset session&#39; option
710 in Signal to get going, and notify the people you talk with about the
711 problem. I assume there is some sequence number tracking in the
712 protocol to detect rollback attacks. The git repository is rather big
713 (674 MiB so far), but I have not tried to figure out if some of the
714 content can be added to a .gitignore file due to lack of spare
715 time.&lt;/p&gt;
716
717 &lt;p&gt;I&#39;ve also hit the 90 days timeout blocking, and noticed that this
718 make it impossible to send messages using Signal. I could still
719 receive them, but had to patch the code with a new timestamp to send.
720 I believe the timeout is added by the developers to force people to
721 upgrade to the latest version of the app, even when there is no
722 protocol changes, to reduce the version skew among the user base and
723 thus try to keep the number of support requests down.&lt;/p&gt;
724
725 &lt;p&gt;Since my original recipe, the Signal source code changed slightly,
726 making the old patch fail to apply cleanly. Below is an updated
727 patch, including the shell wrapper I use to start Signal. The
728 original version required a new user to locate the JavaScript console
729 and call a function from there. I got help from a friend with more
730 JavaScript knowledge than me to modify the code to provide a GUI
731 button instead. This mean that to get started you just need to run
732 the wrapper and click the &#39;Register without mobile phone&#39; to get going
733 now. I&#39;ve also modified the timeout code to always set it to 90 days
734 in the future, to avoid having to patch the code regularly.&lt;/p&gt;
735
736 &lt;p&gt;So, the updated recipe for Debian Jessie:&lt;/p&gt;
737
738 &lt;ol&gt;
739
740 &lt;li&gt;First, install required packages to get the source code and the
741 browser you need. Signal only work with Chrome/Chromium, as far as I
742 know, so you need to install it.
743
744 &lt;pre&gt;
745 apt install git tor chromium
746 git clone https://github.com/WhisperSystems/Signal-Desktop.git
747 &lt;/pre&gt;&lt;/li&gt;
748
749 &lt;li&gt;Modify the source code using command listed in the the patch
750 block below.&lt;/li&gt;
751
752 &lt;li&gt;Start Signal using the run-signal-app wrapper (for example using
753 &lt;tt&gt;`pwd`/run-signal-app&lt;/tt&gt;).
754
755 &lt;li&gt;Click on the &#39;Register without mobile phone&#39;, will in a phone
756 number you can receive calls to the next minute, receive the
757 verification code and enter it into the form field and press
758 &#39;Register&#39;. Note, the phone number you use will be user Signal
759 username, ie the way others can find you on Signal.&lt;/li&gt;
760
761 &lt;li&gt;You can now use Signal to contact others. Note, new contacts do
762 not show up in the contact list until you restart Signal, and there is
763 no way to assign names to Contacts. There is also no way to create or
764 update chat groups. I suspect this is because the web app do not have
765 a associated contact database.&lt;/li&gt;
766
767 &lt;/ol&gt;
768
769 &lt;p&gt;I am still a bit uneasy about using Signal, because of the way its
770 main author moxie0 reject federation and accept dependencies to major
771 corporations like Google (part of the code is fetched from Google) and
772 Amazon (the central coordination point is owned by Amazon). See for
773 example
774 &lt;a href=&quot;https://github.com/LibreSignal/LibreSignal/issues/37&quot;&gt;the
775 LibreSignal issue tracker&lt;/a&gt; for a thread documenting the authors
776 view on these issues. But the network effect is strong in this case,
777 and several of the people I want to communicate with already use
778 Signal. Perhaps we can all move to &lt;a href=&quot;https://ring.cx/&quot;&gt;Ring&lt;/a&gt;
779 once it &lt;a href=&quot;https://bugs.debian.org/830265&quot;&gt;work on my
780 laptop&lt;/a&gt;? It already work on Windows and Android, and is included
781 in &lt;a href=&quot;https://tracker.debian.org/pkg/ring&quot;&gt;Debian&lt;/a&gt; and
782 &lt;a href=&quot;https://launchpad.net/ubuntu/+source/ring&quot;&gt;Ubuntu&lt;/a&gt;, but not
783 working on Debian Stable.&lt;/p&gt;
784
785 &lt;p&gt;Anyway, this is the patch I apply to the Signal code to get it
786 working. It switch to the production servers, disable to timeout,
787 make registration easier and add the shell wrapper:&lt;/p&gt;
788
789 &lt;pre&gt;
790 cd Signal-Desktop; cat &amp;lt;&amp;lt;EOF | patch -p1
791 diff --git a/js/background.js b/js/background.js
792 index 24b4c1d..579345f 100644
793 --- a/js/background.js
794 +++ b/js/background.js
795 @@ -33,9 +33,9 @@
796 });
797 });
798
799 - var SERVER_URL = &#39;https://textsecure-service-staging.whispersystems.org&#39;;
800 + var SERVER_URL = &#39;https://textsecure-service-ca.whispersystems.org&#39;;
801 var SERVER_PORTS = [80, 4433, 8443];
802 - var ATTACHMENT_SERVER_URL = &#39;https://whispersystems-textsecure-attachments-staging.s3.amazonaws.com&#39;;
803 + var ATTACHMENT_SERVER_URL = &#39;https://whispersystems-textsecure-attachments.s3.amazonaws.com&#39;;
804 var messageReceiver;
805 window.getSocketStatus = function() {
806 if (messageReceiver) {
807 diff --git a/js/expire.js b/js/expire.js
808 index 639aeae..beb91c3 100644
809 --- a/js/expire.js
810 +++ b/js/expire.js
811 @@ -1,6 +1,6 @@
812 ;(function() {
813 &#39;use strict&#39;;
814 - var BUILD_EXPIRATION = 0;
815 + var BUILD_EXPIRATION = Date.now() + (90 * 24 * 60 * 60 * 1000);
816
817 window.extension = window.extension || {};
818
819 diff --git a/js/views/install_view.js b/js/views/install_view.js
820 index 7816f4f..1d6233b 100644
821 --- a/js/views/install_view.js
822 +++ b/js/views/install_view.js
823 @@ -38,7 +38,8 @@
824 return {
825 &#39;click .step1&#39;: this.selectStep.bind(this, 1),
826 &#39;click .step2&#39;: this.selectStep.bind(this, 2),
827 - &#39;click .step3&#39;: this.selectStep.bind(this, 3)
828 + &#39;click .step3&#39;: this.selectStep.bind(this, 3),
829 + &#39;click .callreg&#39;: function() { extension.install(&#39;standalone&#39;) },
830 };
831 },
832 clearQR: function() {
833 diff --git a/options.html b/options.html
834 index dc0f28e..8d709f6 100644
835 --- a/options.html
836 +++ b/options.html
837 @@ -14,7 +14,10 @@
838 &amp;lt;div class=&#39;nav&#39;&gt;
839 &amp;lt;h1&gt;{{ installWelcome }}&amp;lt;/h1&gt;
840 &amp;lt;p&gt;{{ installTagline }}&amp;lt;/p&gt;
841 - &amp;lt;div&gt; &amp;lt;a class=&#39;button step2&#39;&gt;{{ installGetStartedButton }}&amp;lt;/a&gt; &amp;lt;/div&gt;
842 + &amp;lt;div&gt; &amp;lt;a class=&#39;button step2&#39;&gt;{{ installGetStartedButton }}&amp;lt;/a&gt;
843 + &amp;lt;br&gt; &amp;lt;a class=&quot;button callreg&quot;&gt;Register without mobile phone&amp;lt;/a&gt;
844 +
845 + &amp;lt;/div&gt;
846 &amp;lt;span class=&#39;dot step1 selected&#39;&gt;&amp;lt;/span&gt;
847 &amp;lt;span class=&#39;dot step2&#39;&gt;&amp;lt;/span&gt;
848 &amp;lt;span class=&#39;dot step3&#39;&gt;&amp;lt;/span&gt;
849 --- /dev/null 2016-10-07 09:55:13.730181472 +0200
850 +++ b/run-signal-app 2016-10-10 08:54:09.434172391 +0200
851 @@ -0,0 +1,12 @@
852 +#!/bin/sh
853 +set -e
854 +cd $(dirname $0)
855 +mkdir -p userdata
856 +userdata=&quot;`pwd`/userdata&quot;
857 +if [ -d &quot;$userdata&quot; ] &amp;&amp; [ ! -d &quot;$userdata/.git&quot; ] ; then
858 + (cd $userdata &amp;&amp; git init)
859 +fi
860 +(cd $userdata &amp;&amp; git add . &amp;&amp; git commit -m &quot;Current status.&quot; || true)
861 +exec chromium \
862 + --proxy-server=&quot;socks://localhost:9050&quot; \
863 + --user-data-dir=$userdata --load-and-launch-app=`pwd`
864 EOF
865 chmod a+rx run-signal-app
866 &lt;/pre&gt;
867
868 &lt;p&gt;As usual, if you use Bitcoin and want to show your support of my
869 activities, please send Bitcoin donations to my address
870 &lt;b&gt;&lt;a href=&quot;bitcoin:15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b&quot;&gt;15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b&lt;/a&gt;&lt;/b&gt;.&lt;/p&gt;
871 </description>
872 </item>
873
874 <item>
875 <title>NRKs kildevern når NRK-epost deles med utenlands etterretning?</title>
876 <link>https://people.skolelinux.org/pere/blog/NRKs_kildevern_n_r_NRK_epost_deles_med_utenlands_etterretning_.html</link>
877 <guid isPermaLink="true">https://people.skolelinux.org/pere/blog/NRKs_kildevern_n_r_NRK_epost_deles_med_utenlands_etterretning_.html</guid>
878 <pubDate>Sat, 8 Oct 2016 08:15:00 +0200</pubDate>
879 <description>&lt;p&gt;NRK
880 &lt;a href=&quot;https://nrkbeta.no/2016/09/02/securing-whistleblowers/&quot;&gt;lanserte
881 for noen uker siden&lt;/a&gt; en ny
882 &lt;a href=&quot;https://www.nrk.no/varsle/&quot;&gt;varslerportal som bruker
883 SecureDrop til å ta imot tips&lt;/a&gt; der det er vesentlig at ingen
884 utenforstående får vite at NRK er tipset. Det er et langt steg
885 fremover for NRK, og når en leser bloggposten om hva de har tenkt på
886 og hvordan løsningen er satt opp virker det som om de har gjort en
887 grundig jobb der. Men det er ganske mye ekstra jobb å motta tips via
888 SecureDrop, så varslersiden skriver &quot;Nyhetstips som ikke krever denne
889 typen ekstra vern vil vi gjerne ha på nrk.no/03030&quot;, og 03030-siden
890 foreslår i tillegg til et webskjema å bruke epost, SMS, telefon,
891 personlig oppmøte og brevpost. Denne artikkelen handler disse andre
892 metodene.&lt;/p&gt;
893
894 &lt;p&gt;Når en sender epost til en @nrk.no-adresse så vil eposten sendes ut
895 av landet til datamaskiner kontrollert av Microsoft. En kan sjekke
896 dette selv ved å slå opp epostleveringsadresse (MX) i DNS. For NRK er
897 dette i dag &quot;nrk-no.mail.protection.outlook.com&quot;. NRK har som en ser
898 valgt å sette bort epostmottaket sitt til de som står bak outlook.com,
899 dvs. Microsoft. En kan sjekke hvor nettverkstrafikken tar veien
900 gjennom Internett til epostmottaket vha. programmet
901 &lt;tt&gt;traceroute&lt;/tt&gt;, og finne ut hvem som eier en Internett-adresse
902 vha. whois-systemet. Når en gjør dette for epost-trafikk til @nrk.no
903 ser en at trafikken fra Norge mot nrk-no.mail.protection.outlook.com
904 går via Sverige mot enten Irland eller Tyskland (det varierer fra gang
905 til gang og kan endre seg over tid).&lt;/p&gt;
906
907 &lt;p&gt;Vi vet fra
908 &lt;a href=&quot;https://no.wikipedia.org/wiki/FRA-loven&quot;&gt;introduksjonen av
909 FRA-loven&lt;/a&gt; at IP-trafikk som passerer grensen til Sverige avlyttes
910 av Försvarets radioanstalt (FRA). Vi vet videre takket være
911 Snowden-bekreftelsene at trafikk som passerer grensen til
912 Storbritannia avlyttes av Government Communications Headquarters
913 (GCHQ). I tillegg er er det nettopp lansert et forslag i Norge om at
914 forsvarets E-tjeneste skal få avlytte trafikk som krysser grensen til
915 Norge. Jeg er ikke kjent med dokumentasjon på at Irland og Tyskland
916 gjør det samme. Poenget er uansett at utenlandsk etterretning har
917 mulighet til å snappe opp trafikken når en sender epost til @nrk.no.
918 I tillegg er det selvsagt tilgjengelig for Microsoft som er underlagt USAs
919 jurisdiksjon og
920 &lt;a href=&quot;https://www.theguardian.com/world/2013/jul/11/microsoft-nsa-collaboration-user-data&quot;&gt;samarbeider
921 med USAs etterretning på flere områder&lt;/a&gt;. De som tipser NRK om
922 nyheter via epost kan dermed gå ut fra at det blir kjent for mange
923 andre enn NRK at det er gjort.&lt;/p&gt;
924
925 &lt;p&gt;Bruk av SMS og telefon registreres av blant annet telefonselskapene
926 og er tilgjengelig i følge lov og forskrift for blant annet Politi,
927 NAV og Finanstilsynet, i tillegg til IT-folkene hos telefonselskapene
928 og deres overordnede. Hvis innringer eller mottaker bruker
929 smarttelefon vil slik kontakt også gjøres tilgjengelig for ulike
930 app-leverandører og de som lytter på trafikken mellom telefon og
931 app-leverandør, alt etter hva som er installert på telefonene som
932 brukes.&lt;/p&gt;
933
934 &lt;p&gt;Brevpost kan virke trygt, og jeg vet ikke hvor mye som registreres
935 og lagres av postens datastyrte postsorteringssentraler. Det vil ikke
936 overraske meg om det lagres hvor i landet hver konvolutt kommer fra og
937 hvor den er adressert, i hvert fall for en kortere periode. Jeg vet
938 heller ikke hvem slik informasjon gjøres tilgjengelig for. Det kan
939 være nok til å ringe inn potensielle kilder når det krysses med hvem
940 som kjente til aktuell informasjon og hvor de befant seg (tilgjengelig
941 f.eks. hvis de bærer mobiltelefon eller bor i nærheten).&lt;/p&gt;
942
943 &lt;p&gt;Personlig oppmøte hos en NRK-journalist er antagelig det tryggeste,
944 men en bør passe seg for å bruke NRK-kantina. Der bryter de nemlig
945 &lt;a href=&quot;http://www.lovdata.no/all/hl-19850524-028.html#14&quot;&gt;Sentralbanklovens
946 paragraf 14&lt;/a&gt; og nekter folk å betale med kontanter. I stedet
947 krever de at en varsle sin bankkortutsteder om hvor en befinner seg
948 ved å bruke bankkort. Banktransaksjoner er tilgjengelig for
949 bankkortutsteder (det være seg VISA, Mastercard, Nets og/eller en
950 bank) i tillegg til politiet og i hvert fall tidligere med Se &amp; Hør
951 (via utro tjenere, slik det ble avslørt etter utgivelsen av boken
952 «Livet, det forbannede» av Ken B. Rasmussen). Men hvor mange kjenner
953 en NRK-journalist personlig? Besøk på NRK på Marienlyst krever at en
954 registrerer sin ankost elektronisk i besøkssystemet. Jeg vet ikke hva
955 som skjer med det datasettet, men har grunn til å tro at det sendes ut
956 SMS til den en skal besøke med navnet som er oppgitt. Kanskje greit å
957 oppgi falskt navn.&lt;/p&gt;
958
959 &lt;p&gt;Når så tipset er kommet frem til NRK skal det behandles
960 redaksjonelt i NRK. Der vet jeg via ulike kilder at de fleste
961 journalistene bruker lokalt installert programvare, men noen bruker
962 Google Docs og andre skytjenester i strid med interne retningslinjer
963 når de skriver. Hvordan vet en hvem det gjelder? Ikke vet jeg, men
964 det kan være greit å spørre for å sjekke at journalisten har tenkt på
965 problemstillingen, før en gir et tips. Og hvis tipset omtales internt
966 på epost, er det jo grunn til å tro at også intern eposten vil deles
967 med Microsoft og utenlands etterretning, slik tidligere nevnt, men det
968 kan hende at det holdes internt i NRKs interne MS Exchange-løsning.
969 Men Microsoft ønsker å få alle Exchange-kunder over &quot;i skyen&quot; (eller
970 andre folks datamaskiner, som det jo innebærer), så jeg vet ikke hvor
971 lenge det i så fall vil vare.&lt;/p&gt;
972
973 &lt;p&gt;I tillegg vet en jo at
974 &lt;a href=&quot;https://www.nrk.no/ytring/elektronisk-kildevern-i-nrk-1.11941196&quot;&gt;NRK
975 har valgt å gi nasjonal sikkerhetsmyndighet (NSM) tilgang til å se på
976 intern og ekstern Internett-trafikk&lt;/a&gt; hos NRK ved oppsett av såkalte
977 VDI-noder, på tross av
978 &lt;a href=&quot;https://www.nrk.no/ytring/bekymring-for-nrks-kildevern-1.11941584&quot;&gt;protester
979 fra NRKs journalistlag&lt;/a&gt;. Jeg vet ikke om den vil kunne snappe opp
980 dokumenter som lagres på interne filtjenere eller dokumenter som lages
981 i de interne webbaserte publiseringssystemene, men vet at hva noden
982 ser etter på nettet kontrolleres av NSM og oppdateres automatisk, slik
983 at det ikke gir så mye mening å sjekke hva noden ser etter i dag når
984 det kan endres automatisk i morgen.&lt;/p&gt;
985
986 &lt;p&gt;Personlig vet jeg ikke om jeg hadde turt tipse NRK hvis jeg satt på
987 noe som kunne være en trussel mot den bestående makten i Norge eller
988 verden. Til det virker det å være for mange åpninger for
989 utenforstående med andre prioriteter enn NRKs journalistiske fokus.
990 Og den største truslen for en varsler er jo om metainformasjon kommer
991 på avveie, dvs. informasjon om at en har vært i kontakt med en
992 journalist. Det kan være nok til at en kommer i myndighetenes
993 søkelys, og de færreste har nok operasjonell sikkerhet til at vil tåle
994 slik flombelysning på sitt privatliv.&lt;/p&gt;
995 </description>
996 </item>
997
998 <item>
999 <title>Unlocking HTC Desire HD on Linux using unruu and fastboot</title>
1000 <link>https://people.skolelinux.org/pere/blog/Unlocking_HTC_Desire_HD_on_Linux_using_unruu_and_fastboot.html</link>
1001 <guid isPermaLink="true">https://people.skolelinux.org/pere/blog/Unlocking_HTC_Desire_HD_on_Linux_using_unruu_and_fastboot.html</guid>
1002 <pubDate>Thu, 7 Jul 2016 11:30:00 +0200</pubDate>
1003 <description>&lt;p&gt;Yesterday, I tried to unlock a HTC Desire HD phone, and it proved
1004 to be a slight challenge. Here is the recipe if I ever need to do it
1005 again. It all started by me wanting to try the recipe to set up
1006 &lt;a href=&quot;https://blog.torproject.org/blog/mission-impossible-hardening-android-security-and-privacy&quot;&gt;an
1007 hardened Android installation&lt;/a&gt; from the Tor project blog on a
1008 device I had access to. It is a old mobile phone with a broken
1009 microphone The initial idea had been to just
1010 &lt;a href=&quot;http://wiki.cyanogenmod.org/w/Install_CM_for_ace&quot;&gt;install
1011 CyanogenMod on it&lt;/a&gt;, but did not quite find time to start on it
1012 until a few days ago.&lt;/p&gt;
1013
1014 &lt;p&gt;The unlock process is supposed to be simple: (1) Boot into the boot
1015 loader (press volume down and power at the same time), (2) select
1016 &#39;fastboot&#39; before (3) connecting the device via USB to a Linux
1017 machine, (4) request the device identifier token by running &#39;fastboot
1018 oem get_identifier_token&#39;, (5) request the device unlocking key using
1019 the &lt;a href=&quot;http://www.htcdev.com/bootloader/&quot;&gt;HTC developer web
1020 site&lt;/a&gt; and unlock the phone using the key file emailed to you.&lt;/p&gt;
1021
1022 &lt;p&gt;Unfortunately, this only work fi you have hboot version 2.00.0029
1023 or newer, and the device I was working on had 2.00.0027. This
1024 apparently can be easily fixed by downloading a Windows program and
1025 running it on your Windows machine, if you accept the terms Microsoft
1026 require you to accept to use Windows - which I do not. So I had to
1027 come up with a different approach. I got a lot of help from AndyCap
1028 on #nuug, and would not have been able to get this working without
1029 him.&lt;/p&gt;
1030
1031 &lt;p&gt;First I needed to extract the hboot firmware from
1032 &lt;a href=&quot;http://www.htcdev.com/ruu/PD9810000_Ace_Sense30_S_hboot_2.00.0029.exe&quot;&gt;the
1033 windows binary for HTC Desire HD&lt;/a&gt; downloaded as &#39;the RUU&#39; from HTC.
1034 For this there is is &lt;a href=&quot;https://github.com/kmdm/unruu/&quot;&gt;a github
1035 project named unruu&lt;/a&gt; using libunshield. The unshield tool did not
1036 recognise the file format, but unruu worked and extracted rom.zip,
1037 containing the new hboot firmware and a text file describing which
1038 devices it would work for.&lt;/p&gt;
1039
1040 &lt;p&gt;Next, I needed to get the new firmware into the device. For this I
1041 followed some instructions
1042 &lt;a href=&quot;http://www.htc1guru.com/2013/09/new-ruu-zips-posted/&quot;&gt;available
1043 from HTC1Guru.com&lt;/a&gt;, and ran these commands as root on a Linux
1044 machine with Debian testing:&lt;/p&gt;
1045
1046 &lt;p&gt;&lt;pre&gt;
1047 adb reboot-bootloader
1048 fastboot oem rebootRUU
1049 fastboot flash zip rom.zip
1050 fastboot flash zip rom.zip
1051 fastboot reboot
1052 &lt;/pre&gt;&lt;/p&gt;
1053
1054 &lt;p&gt;The flash command apparently need to be done twice to take effect,
1055 as the first is just preparations and the second one do the flashing.
1056 The adb command is just to get to the boot loader menu, so turning the
1057 device on while holding volume down and the power button should work
1058 too.&lt;/p&gt;
1059
1060 &lt;p&gt;With the new hboot version in place I could start following the
1061 instructions on the HTC developer web site. I got the device token
1062 like this:&lt;/p&gt;
1063
1064 &lt;p&gt;&lt;pre&gt;
1065 fastboot oem get_identifier_token 2&gt;&amp;1 | sed &#39;s/(bootloader) //&#39;
1066 &lt;/pre&gt;
1067
1068 &lt;p&gt;And once I got the unlock code via email, I could use it like
1069 this:&lt;/p&gt;
1070
1071 &lt;p&gt;&lt;pre&gt;
1072 fastboot flash unlocktoken Unlock_code.bin
1073 &lt;/pre&gt;&lt;/p&gt;
1074
1075 &lt;p&gt;And with that final step in place, the phone was unlocked and I
1076 could start stuffing the software of my own choosing into the device.
1077 So far I only inserted a replacement recovery image to wipe the phone
1078 before I start. We will see what happen next. Perhaps I should
1079 install &lt;a href=&quot;https://www.debian.org/&quot;&gt;Debian&lt;/a&gt; on it. :)&lt;/p&gt;
1080 </description>
1081 </item>
1082
1083 <item>
1084 <title>How to use the Signal app if you only have a land line (ie no mobile phone)</title>
1085 <link>https://people.skolelinux.org/pere/blog/How_to_use_the_Signal_app_if_you_only_have_a_land_line__ie_no_mobile_phone_.html</link>
1086 <guid isPermaLink="true">https://people.skolelinux.org/pere/blog/How_to_use_the_Signal_app_if_you_only_have_a_land_line__ie_no_mobile_phone_.html</guid>
1087 <pubDate>Sun, 3 Jul 2016 14:20:00 +0200</pubDate>
1088 <description>&lt;p&gt;For a while now, I have wanted to test
1089 &lt;a href=&quot;https://whispersystems.org/&quot;&gt;the Signal app&lt;/a&gt;, as it is
1090 said to provide end to end encrypted communication and several of my
1091 friends and family are already using it. As I by choice do not own a
1092 mobile phone, this proved to be harder than expected. And I wanted to
1093 have the source of the client and know that it was the code used on my
1094 machine. But yesterday I managed to get it working. I used the
1095 Github source, compared it to the source in
1096 &lt;a href=&quot;https://chrome.google.com/webstore/detail/signal-private-messenger/bikioccmkafdpakkkcpdbppfkghcmihk?hl=en-US&quot;&gt;the
1097 Signal Chrome app&lt;/a&gt; available from the Chrome web store, applied
1098 patches to use the production Signal servers, started the app and
1099 asked for the hidden &quot;register without a smart phone&quot; form. Here is
1100 the recipe how I did it.&lt;/p&gt;
1101
1102 &lt;p&gt;First, I fetched the Signal desktop source from Github, using
1103
1104 &lt;pre&gt;
1105 git clone https://github.com/WhisperSystems/Signal-Desktop.git
1106 &lt;/pre&gt;
1107
1108 &lt;p&gt;Next, I patched the source to use the production servers, to be
1109 able to talk to other Signal users:&lt;/p&gt;
1110
1111 &lt;pre&gt;
1112 cat &amp;lt;&amp;lt;EOF | patch -p0
1113 diff -ur ./js/background.js userdata/Default/Extensions/bikioccmkafdpakkkcpdbppfkghcmihk/0.15.0_0/js/background.js
1114 --- ./js/background.js 2016-06-29 13:43:15.630344628 +0200
1115 +++ userdata/Default/Extensions/bikioccmkafdpakkkcpdbppfkghcmihk/0.15.0_0/js/background.js 2016-06-29 14:06:29.530300934 +0200
1116 @@ -47,8 +47,8 @@
1117 });
1118 });
1119
1120 - var SERVER_URL = &#39;https://textsecure-service-staging.whispersystems.org&#39;;
1121 - var ATTACHMENT_SERVER_URL = &#39;https://whispersystems-textsecure-attachments-staging.s3.amazonaws.com&#39;;
1122 + var SERVER_URL = &#39;https://textsecure-service-ca.whispersystems.org:4433&#39;;
1123 + var ATTACHMENT_SERVER_URL = &#39;https://whispersystems-textsecure-attachments.s3.amazonaws.com&#39;;
1124 var messageReceiver;
1125 window.getSocketStatus = function() {
1126 if (messageReceiver) {
1127 diff -ur ./js/expire.js userdata/Default/Extensions/bikioccmkafdpakkkcpdbppfkghcmihk/0.15.0_0/js/expire.js
1128 --- ./js/expire.js 2016-06-29 13:43:15.630344628 +0200
1129 +++ userdata/Default/Extensions/bikioccmkafdpakkkcpdbppfkghcmihk/0.15.0_0/js/expire.js2016-06-29 14:06:29.530300934 +0200
1130 @@ -1,6 +1,6 @@
1131 ;(function() {
1132 &#39;use strict&#39;;
1133 - var BUILD_EXPIRATION = 0;
1134 + var BUILD_EXPIRATION = 1474492690000;
1135
1136 window.extension = window.extension || {};
1137
1138 EOF
1139 &lt;/pre&gt;
1140
1141 &lt;p&gt;The first part is changing the servers, and the second is updating
1142 an expiration timestamp. This timestamp need to be updated regularly.
1143 It is set 90 days in the future by the build process (Gruntfile.js).
1144 The value is seconds since 1970 times 1000, as far as I can tell.&lt;/p&gt;
1145
1146 &lt;p&gt;Based on a tip and good help from the #nuug IRC channel, I wrote a
1147 script to launch Signal in Chromium.&lt;/p&gt;
1148
1149 &lt;pre&gt;
1150 #!/bin/sh
1151 cd $(dirname $0)
1152 mkdir -p userdata
1153 exec chromium \
1154 --proxy-server=&quot;socks://localhost:9050&quot; \
1155 --user-data-dir=`pwd`/userdata --load-and-launch-app=`pwd`
1156 &lt;/pre&gt;
1157
1158 &lt;p&gt; The script start the app and configure Chromium to use the Tor
1159 SOCKS5 proxy to make sure those controlling the Signal servers (today
1160 Amazon and Whisper Systems) as well as those listening on the lines
1161 will have a harder time location my laptop based on the Signal
1162 connections if they use source IP address.&lt;/p&gt;
1163
1164 &lt;p&gt;When the script starts, one need to follow the instructions under
1165 &quot;Standalone Registration&quot; in the CONTRIBUTING.md file in the git
1166 repository. I right clicked on the Signal window to get up the
1167 Chromium debugging tool, visited the &#39;Console&#39; tab and wrote
1168 &#39;extension.install(&quot;standalone&quot;)&#39; on the console prompt to get the
1169 registration form. Then I entered by land line phone number and
1170 pressed &#39;Call&#39;. 5 seconds later the phone rang and a robot voice
1171 repeated the verification code three times. After entering the number
1172 into the verification code field in the form, I could start using
1173 Signal from my laptop.
1174
1175 &lt;p&gt;As far as I can tell, The Signal app will leak who is talking to
1176 whom and thus who know who to those controlling the central server,
1177 but such leakage is hard to avoid with a centrally controlled server
1178 setup. It is something to keep in mind when using Signal - the
1179 content of your chats are harder to intercept, but the meta data
1180 exposing your contact network is available to people you do not know.
1181 So better than many options, but not great. And sadly the usage is
1182 connected to my land line, thus allowing those controlling the server
1183 to associate it to my home and person. I would prefer it if only
1184 those I knew could tell who I was on Signal. There are options
1185 avoiding such information leakage, but most of my friends are not
1186 using them, so I am stuck with Signal for now.&lt;/p&gt;
1187
1188 &lt;p&gt;&lt;strong&gt;Update 2017-01-10&lt;/strong&gt;: There is an updated blog post
1189 on this topic in
1190 &lt;a href=&quot;http://people.skolelinux.org/pere/blog/Experience_and_updated_recipe_for_using_the_Signal_app_without_a_mobile_phone.html&quot;&gt;Experience
1191 and updated recipe for using the Signal app without a mobile
1192 phone&lt;/a&gt;.&lt;/p&gt;
1193 </description>
1194 </item>
1195
1196 <item>
1197 <title>syslog-trusted-timestamp - chain of trusted timestamps for your syslog</title>
1198 <link>https://people.skolelinux.org/pere/blog/syslog_trusted_timestamp___chain_of_trusted_timestamps_for_your_syslog.html</link>
1199 <guid isPermaLink="true">https://people.skolelinux.org/pere/blog/syslog_trusted_timestamp___chain_of_trusted_timestamps_for_your_syslog.html</guid>
1200 <pubDate>Sat, 2 Apr 2016 09:50:00 +0200</pubDate>
1201 <description>&lt;p&gt;Two years ago, I had
1202 &lt;a href=&quot;http://people.skolelinux.org/pere/blog/Public_Trusted_Timestamping_services_for_everyone.html&quot;&gt;a
1203 look at trusted timestamping options available&lt;/a&gt;, and among
1204 other things noted a still open
1205 &lt;a href=&quot;https://bugs.debian.org/742553&quot;&gt;bug in the tsget script&lt;/a&gt;
1206 included in openssl that made it harder than necessary to use openssl
1207 as a trusted timestamping client. A few days ago I was told
1208 &lt;a href=&quot;https:/www.difi.no/&quot;&gt;the Norwegian government office DIFI&lt;/a&gt; is
1209 close to releasing their own trusted timestamp service, and in the
1210 process I was happy to learn about a replacement for the tsget script
1211 using only curl:&lt;/p&gt;
1212
1213 &lt;p&gt;&lt;pre&gt;
1214 openssl ts -query -data &quot;/etc/shells&quot; -cert -sha256 -no_nonce \
1215 | curl -s -H &quot;Content-Type: application/timestamp-query&quot; \
1216 --data-binary &quot;@-&quot; http://zeitstempel.dfn.de &gt; etc-shells.tsr
1217 openssl ts -reply -text -in etc-shells.tsr
1218 &lt;/pre&gt;&lt;/p&gt;
1219
1220 &lt;p&gt;This produces a binary timestamp file (etc-shells.tsr) which can be
1221 used to verify that the content of the file /etc/shell with the
1222 calculated sha256 hash existed at the point in time when the request
1223 was made. The last command extract the content of the etc-shells.tsr
1224 in human readable form. The idea behind such timestamp is to be able
1225 to prove using cryptography that the content of a file have not
1226 changed since the file was stamped.&lt;/p&gt;
1227
1228 &lt;p&gt;To verify that the file on disk match the public key signature in
1229 the timestamp file, run the following commands. It make sure you have
1230 the required certificate for the trusted timestamp service available
1231 and use it to compare the file content with the timestamp. In
1232 production, one should of course use a better method to verify the
1233 service certificate.&lt;/p&gt;
1234
1235 &lt;p&gt;&lt;pre&gt;
1236 wget -O ca-cert.txt https://pki.pca.dfn.de/global-services-ca/pub/cacert/chain.txt
1237 openssl ts -verify -data /etc/shells -in etc-shells.tsr -CAfile ca-cert.txt -text
1238 &lt;/pre&gt;&lt;/p&gt;
1239
1240 &lt;p&gt;Wikipedia have a lot more information about
1241 &lt;a href=&quot;https://en.wikipedia.org/wiki/Trusted_timestamping&quot;&gt;trusted
1242 Timestamping&lt;/a&gt; and
1243 &lt;a href=&quot;https://en.wikipedia.org/wiki/Linked_timestamping&quot;&gt;linked
1244 timestamping&lt;/a&gt;, and there are several trusted timestamping services
1245 around, both as commercial services and as free and public services.
1246 Among the latter is
1247 &lt;a href=&quot;https://www.pki.dfn.de/zeitstempeldienst/&quot;&gt;the
1248 zeitstempel.dfn.de service&lt;/a&gt; mentioned above and
1249 &lt;a href=&quot;https://freetsa.org/&quot;&gt;freetsa.org service&lt;/a&gt; linked to from the
1250 wikipedia web site. I believe the DIFI service should show up on
1251 https://tsa.difi.no, but it is not available to the public at the
1252 moment. I hope this will change when it is into production. The
1253 &lt;a href=&quot;https://tools.ietf.org/html/rfc3161&quot;&gt;RFC 3161&lt;/a&gt; trusted
1254 timestamping protocol standard is even implemented in LibreOffice,
1255 Microsoft Office and Adobe Acrobat, making it possible to verify when
1256 a document was created.&lt;/p&gt;
1257
1258 &lt;p&gt;I would find it useful to be able to use such trusted timestamp
1259 service to make it possible to verify that my stored syslog files have
1260 not been tampered with. This is not a new idea. I found one example
1261 implemented on the Endian network appliances where
1262 &lt;a href=&quot;http://help.endian.com/entries/21518508-Enabling-Timestamping-on-log-files-&quot;&gt;the
1263 configuration of such feature was described in 2012&lt;/a&gt;.&lt;/p&gt;
1264
1265 &lt;p&gt;But I could not find any free implementation of such feature when I
1266 searched, so I decided to try to
1267 &lt;a href=&quot;https://github.com/petterreinholdtsen/syslog-trusted-timestamp&quot;&gt;build
1268 a prototype named syslog-trusted-timestamp&lt;/a&gt;. My idea is to
1269 generate a timestamp of the old log files after they are rotated, and
1270 store the timestamp in the new log file just after rotation. This
1271 will form a chain that would make it possible to see if any old log
1272 files are tampered with. But syslog is bad at handling kilobytes of
1273 binary data, so I decided to base64 encode the timestamp and add an ID
1274 and line sequence numbers to the base64 data to make it possible to
1275 reassemble the timestamp file again. To use it, simply run it like
1276 this:
1277
1278 &lt;p&gt;&lt;pre&gt;
1279 syslog-trusted-timestamp /path/to/list-of-log-files
1280 &lt;/pre&gt;&lt;/p&gt;
1281
1282 &lt;p&gt;This will send a timestamp from one or more timestamp services (not
1283 yet decided nor implemented) for each listed file to the syslog using
1284 logger(1). To verify the timestamp, the same program is used with the
1285 --verify option:&lt;/p&gt;
1286
1287 &lt;p&gt;&lt;pre&gt;
1288 syslog-trusted-timestamp --verify /path/to/log-file /path/to/log-with-timestamp
1289 &lt;/pre&gt;&lt;/p&gt;
1290
1291 &lt;p&gt;The verification step is not yet well designed. The current
1292 implementation depend on the file path being unique and unchanging,
1293 and this is not a solid assumption. It also uses process number as
1294 timestamp ID, and this is bound to create ID collisions. I hope to
1295 have time to come up with a better way to handle timestamp IDs and
1296 verification later.&lt;/p&gt;
1297
1298 &lt;p&gt;Please check out
1299 &lt;a href=&quot;https://github.com/petterreinholdtsen/syslog-trusted-timestamp&quot;&gt;the
1300 prototype for syslog-trusted-timestamp on github&lt;/a&gt; and send
1301 suggestions and improvement, or let me know if there already exist a
1302 similar system for timestamping logs already to allow me to join
1303 forces with others with the same interest.&lt;/p&gt;
1304
1305 &lt;p&gt;As usual, if you use Bitcoin and want to show your support of my
1306 activities, please send Bitcoin donations to my address
1307 &lt;b&gt;&lt;a href=&quot;bitcoin:15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b&quot;&gt;15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b&lt;/a&gt;&lt;/b&gt;.&lt;/p&gt;
1308 </description>
1309 </item>
1310
1311 <item>
1312 <title>Always download Debian packages using Tor - the simple recipe</title>
1313 <link>https://people.skolelinux.org/pere/blog/Always_download_Debian_packages_using_Tor___the_simple_recipe.html</link>
1314 <guid isPermaLink="true">https://people.skolelinux.org/pere/blog/Always_download_Debian_packages_using_Tor___the_simple_recipe.html</guid>
1315 <pubDate>Fri, 15 Jan 2016 00:30:00 +0100</pubDate>
1316 <description>&lt;p&gt;During his DebConf15 keynote, Jacob Appelbaum
1317 &lt;a href=&quot;https://summit.debconf.org/debconf15/meeting/331/what-is-to-be-done/&quot;&gt;observed
1318 that those listening on the Internet lines would have good reason to
1319 believe a computer have a given security hole&lt;/a&gt; if it download a
1320 security fix from a Debian mirror. This is a good reason to always
1321 use encrypted connections to the Debian mirror, to make sure those
1322 listening do not know which IP address to attack. In August, Richard
1323 Hartmann observed that encryption was not enough, when it was possible
1324 to interfere download size to security patches or the fact that
1325 download took place shortly after a security fix was released, and
1326 &lt;a href=&quot;http://richardhartmann.de/blog/posts/2015/08/24-Tor-enabled_Debian_mirror/&quot;&gt;proposed
1327 to always use Tor to download packages from the Debian mirror&lt;/a&gt;. He
1328 was not the first to propose this, as the
1329 &lt;tt&gt;&lt;a href=&quot;https://tracker.debian.org/pkg/apt-transport-tor&quot;&gt;apt-transport-tor&lt;/a&gt;&lt;/tt&gt;
1330 package by Tim Retout already existed to make it easy to convince apt
1331 to use &lt;a href=&quot;https://www.torproject.org/&quot;&gt;Tor&lt;/a&gt;, but I was not
1332 aware of that package when I read the blog post from Richard.&lt;/p&gt;
1333
1334 &lt;p&gt;Richard discussed the idea with Peter Palfrader, one of the Debian
1335 sysadmins, and he set up a Tor hidden service on one of the central
1336 Debian mirrors using the address vwakviie2ienjx6t.onion, thus making
1337 it possible to download packages directly between two tor nodes,
1338 making sure the network traffic always were encrypted.&lt;/p&gt;
1339
1340 &lt;p&gt;Here is a short recipe for enabling this on your machine, by
1341 installing &lt;tt&gt;apt-transport-tor&lt;/tt&gt; and replacing http and https
1342 urls with tor+http and tor+https, and using the hidden service instead
1343 of the official Debian mirror site. I recommend installing
1344 &lt;tt&gt;etckeeper&lt;/tt&gt; before you start to have a history of the changes
1345 done in /etc/.&lt;/p&gt;
1346
1347 &lt;blockquote&gt;&lt;pre&gt;
1348 apt install apt-transport-tor
1349 sed -i &#39;s% http://ftp.debian.org/% tor+http://vwakviie2ienjx6t.onion/%&#39; /etc/apt/sources.list
1350 sed -i &#39;s% http% tor+http%&#39; /etc/apt/sources.list
1351 &lt;/pre&gt;&lt;/blockquote&gt;
1352
1353 &lt;p&gt;If you have more sources listed in /etc/apt/sources.list.d/, run
1354 the sed commands for these too. The sed command is assuming your are
1355 using the ftp.debian.org Debian mirror. Adjust the command (or just
1356 edit the file manually) to match your mirror.&lt;/p&gt;
1357
1358 &lt;p&gt;This work in Debian Jessie and later. Note that tools like
1359 &lt;tt&gt;apt-file&lt;/tt&gt; only recently started using the apt transport
1360 system, and do not work with these tor+http URLs. For
1361 &lt;tt&gt;apt-file&lt;/tt&gt; you need the version currently in experimental,
1362 which need a recent apt version currently only in unstable. So if you
1363 need a working &lt;tt&gt;apt-file&lt;/tt&gt;, this is not for you.&lt;/p&gt;
1364
1365 &lt;p&gt;Another advantage from this change is that your machine will start
1366 using Tor regularly and at fairly random intervals (every time you
1367 update the package lists or upgrade or install a new package), thus
1368 masking other Tor traffic done from the same machine. Using Tor will
1369 become normal for the machine in question.&lt;/p&gt;
1370
1371 &lt;p&gt;On &lt;a href=&quot;https://wiki.debian.org/FreedomBox&quot;&gt;Freedombox&lt;/a&gt;, APT
1372 is set up by default to use &lt;tt&gt;apt-transport-tor&lt;/tt&gt; when Tor is
1373 enabled. It would be great if it was the default on any Debian
1374 system.&lt;/p&gt;
1375 </description>
1376 </item>
1377
1378 <item>
1379 <title>PGP key transition statement for key EE4E02F9</title>
1380 <link>https://people.skolelinux.org/pere/blog/PGP_key_transition_statement_for_key_EE4E02F9.html</link>
1381 <guid isPermaLink="true">https://people.skolelinux.org/pere/blog/PGP_key_transition_statement_for_key_EE4E02F9.html</guid>
1382 <pubDate>Tue, 17 Nov 2015 10:50:00 +0100</pubDate>
1383 <description>&lt;p&gt;I&#39;ve needed a new OpenPGP key for a while, but have not had time to
1384 set it up properly. I wanted to generate it offline and have it
1385 available on &lt;a href=&quot;http://shop.kernelconcepts.de/#openpgp&quot;&gt;a OpenPGP
1386 smart card&lt;/a&gt; for daily use, and learning how to do it and finding
1387 time to sit down with an offline machine almost took forever. But
1388 finally I&#39;ve been able to complete the process, and have now moved
1389 from my old GPG key to a new GPG key. See
1390 &lt;a href=&quot;http://people.skolelinux.org/pere/blog/images/2015-11-17-new-gpg-key-transition.txt&quot;&gt;the
1391 full transition statement, signed with both my old and new key&lt;/a&gt; for
1392 the details. This is my new key:&lt;/p&gt;
1393
1394 &lt;pre&gt;
1395 pub 3936R/&lt;a href=&quot;http://pgp.cs.uu.nl/stats/111D6B29EE4E02F9.html&quot;&gt;111D6B29EE4E02F9&lt;/a&gt; 2015-11-03 [expires: 2019-11-14]
1396 Key fingerprint = 3AC7 B2E3 ACA5 DF87 78F1 D827 111D 6B29 EE4E 02F9
1397 uid Petter Reinholdtsen &amp;lt;pere@hungry.com&amp;gt;
1398 uid Petter Reinholdtsen &amp;lt;pere@debian.org&amp;gt;
1399 sub 4096R/87BAFB0E 2015-11-03 [expires: 2019-11-02]
1400 sub 4096R/F91E6DE9 2015-11-03 [expires: 2019-11-02]
1401 sub 4096R/A0439BAB 2015-11-03 [expires: 2019-11-02]
1402 &lt;/pre&gt;
1403
1404 &lt;p&gt;The key can be downloaded from the OpenPGP key servers, signed by
1405 my old key.&lt;/p&gt;
1406
1407 &lt;p&gt;If you signed my old key
1408 (&lt;a href=&quot;http://pgp.cs.uu.nl/stats/DB4CCC4B2A30D729.html&quot;&gt;DB4CCC4B2A30D729&lt;/a&gt;),
1409 I&#39;d very much appreciate a signature on my new key, details and
1410 instructions in the transition statement. I m happy to reciprocate if
1411 you have a similarly signed transition statement to present.&lt;/p&gt;
1412 </description>
1413 </item>
1414
1415 <item>
1416 <title>Lawrence Lessig interviewed Edward Snowden a year ago</title>
1417 <link>https://people.skolelinux.org/pere/blog/Lawrence_Lessig_interviewed_Edward_Snowden_a_year_ago.html</link>
1418 <guid isPermaLink="true">https://people.skolelinux.org/pere/blog/Lawrence_Lessig_interviewed_Edward_Snowden_a_year_ago.html</guid>
1419 <pubDate>Mon, 19 Oct 2015 11:50:00 +0200</pubDate>
1420 <description>&lt;p&gt;Last year, &lt;a href=&quot;https://lessig2016.us/&quot;&gt;US president candidate
1421 in the Democratic Party&lt;/a&gt; Lawrence interviewed Edward Snowden. The
1422 one hour interview was
1423 &lt;a href=&quot;https://www.youtube.com/watch?v=o_Sr96TFQQE&quot;&gt;published by
1424 Harvard Law School 2014-10-23 on Youtube&lt;/a&gt;, and the meeting took
1425 place 2014-10-20.&lt;/p&gt;
1426
1427 &lt;p&gt;The questions are very good, and there is lots of useful
1428 information to be learned and very interesting issues to think about
1429 being raised. Please check it out.&lt;/p&gt;
1430
1431 &lt;iframe width=&quot;560&quot; height=&quot;315&quot; src=&quot;https://www.youtube.com/embed/o_Sr96TFQQE&quot; frameborder=&quot;0&quot; allowfullscreen&gt;&lt;/iframe&gt;
1432
1433 &lt;p&gt;I find it especially interesting to hear again that Snowden did try
1434 to bring up his reservations through the official channels without any
1435 luck. It is in sharp contrast to the answers made 2013-11-06 by the
1436 Norwegian prime minister Erna Solberg to the Norwegian Parliament,
1437 &lt;a href=&quot;https://tale.holderdeord.no/speeches/s131106/68&quot;&gt;claiming
1438 Snowden is no Whistle-Blower&lt;/a&gt; because he should have taken up his
1439 concerns internally and using official channels. It make me sad
1440 that this is the political leadership we have here in Norway.&lt;/p&gt;
1441 </description>
1442 </item>
1443
1444 <item>
1445 <title>Alle Stortingets mobiltelefoner kontrolleres fra USA...</title>
1446 <link>https://people.skolelinux.org/pere/blog/Alle_Stortingets_mobiltelefoner_kontrolleres_fra_USA___.html</link>
1447 <guid isPermaLink="true">https://people.skolelinux.org/pere/blog/Alle_Stortingets_mobiltelefoner_kontrolleres_fra_USA___.html</guid>
1448 <pubDate>Wed, 7 Oct 2015 09:55:00 +0200</pubDate>
1449 <description>&lt;p&gt;Jeg lot meg fascinere av
1450 &lt;a href=&quot;http://www.aftenposten.no/nyheter/iriks/politikk/Stortinget-har-tilgang-til-a-fjernstyre-600-mobiler-8192692.html&quot;&gt;en
1451 artikkel i Aftenposten&lt;/a&gt; der det fortelles at «over 600 telefoner som
1452 benyttes av stortingsrepresentanter, rådgivere og ansatte på
1453 Stortinget, kan «fjernstyres» ved hjelp av
1454 &lt;a href=&quot;https://play.google.com/store/apps/details?id=com.airwatch.androidagent&quot;&gt;programvaren
1455 Airwatch&lt;/a&gt;, et såkalte MDM-program (Mobile Device Managment)». Det
1456 hele bagatelliseres av Stortingets IT-stab, men det er i hovedsak på
1457 grunn av at journalisten ikke stiller de relevante spørsmålene. For
1458 meg er det relevante spørsmålet hvem som har lovlig tilgang (i henhold
1459 til lokal lovgiving, dvs. i hvert fall i Norge, Sverige, UK og USA)
1460 til informasjon om og på telefonene, og hvor enkelt det er å skaffe
1461 seg tilgang til hvor mobilene befinner seg og informasjon som befinner
1462 seg på telefonene ved hjelp av utro tjenere, trusler, innbrudd og
1463 andre ulovlige metoder.&lt;/p&gt;
1464
1465 &lt;p&gt;Bruken av AirWatch betyr i realiteten at USAs etteretning og
1466 politimyndigheter har full tilgang til stortingets mobiltelefoner,
1467 inkludert posisjon og innhold, takket være
1468 &lt;a href=&quot;https://en.wikipedia.org/wiki/Foreign_Intelligence_Surveillance_Act_of_1978_Amendments_Act_of_2008&quot;&gt;FISAAA-loven&lt;/a&gt;
1469 og
1470 &quot;&lt;a href=&quot;https://en.wikipedia.org/wiki/National_security_letter&quot;&gt;National
1471 Security Letters&lt;/a&gt;&quot; og det enkle faktum at selskapet
1472 &lt;a href=&quot;http://www.airwatch.com/&quot;&gt;AirWatch&lt;/a&gt; er kontrollert av et
1473 selskap i USA. I tillegg er det kjent at flere lands
1474 etterretningstjenester kan lytte på trafikken når den passerer
1475 landegrensene.&lt;/p&gt;
1476
1477 &lt;p&gt;Jeg har bedt om mer informasjon
1478 &lt;a href=&quot;https://www.mimesbronn.no/request/saksnummer_for_saker_anganede_br&quot;&gt;fra
1479 Stortinget om bruken av AirWatch&lt;/a&gt; via Mimes brønn så får vi se hva
1480 de har å fortelle om saken. Fant ingenting om &#39;airwatch&#39; i
1481 postjournalen til Stortinget, så jeg trenger hjelp før jeg kan be om
1482 innsyn i konkrete dokumenter.&lt;/p&gt;
1483
1484 &lt;p&gt;Oppdatering 2015-10-07: Jeg er blitt spurt hvorfor jeg antar at
1485 AirWatch-agenten rapporterer til USA og ikke direkte til Stortingets
1486 egen infrastruktur. Det stemmer at det er teknisk mulig å sette
1487 opp mobiltelefonene til å rapportere til datamaskiner som eies av
1488 Stortinget. Jeg antar det rapporteres til AirWatch sine sentrale
1489 tjenester basert på det jeg leste fra beskrivelsen av
1490 &lt;a href=&quot;http://www.airwatch.com/solutions/mobile-device-management/&quot;&gt;Mobile
1491 Device Management&lt;/A&gt; på AirWatch sine egne nettsider, koblet med at
1492 det brukes en standard app som kan hentes fra &quot;app-butikkene&quot; for å få
1493 tilgang. Enten må app-en settes opp individuelt hos Stortinget, eller
1494 så får den beskjed fra AirWatch i USA om hvor den skal koble seg opp.
1495 I det første tilfellet vil den ikke rapportere direkte til USA, men
1496 til programvare utviklet av AirWatch som kjører på en maskin under
1497 Stortingets kontroll. Det er litt bedre, men fortsatt vil det være
1498 umulig for Stortinget å være sikker på hva programvaren som tar imot
1499 forbindelser gjør. Jeg ser fra beskrivelsen av
1500 &lt;a href=&quot;http://www.airwatch.com/differentiators/enterprise-integration/&quot;&gt;Enterprice
1501 Integration&lt;/a&gt; hos AirWatch at det er mulig å ha lokal installasjon,
1502 og håper innsynsforespørsler mot Stortinget kan fortelle mer om
1503 hvordan ting konkret fungerer der.&lt;/p&gt;
1504 </description>
1505 </item>
1506
1507 <item>
1508 <title>Good bye subkeys.pgp.net, welcome pool.sks-keyservers.net</title>
1509 <link>https://people.skolelinux.org/pere/blog/Good_bye_subkeys_pgp_net__welcome_pool_sks_keyservers_net.html</link>
1510 <guid isPermaLink="true">https://people.skolelinux.org/pere/blog/Good_bye_subkeys_pgp_net__welcome_pool_sks_keyservers_net.html</guid>
1511 <pubDate>Wed, 10 Sep 2014 13:10:00 +0200</pubDate>
1512 <description>&lt;p&gt;Yesterday, I had the pleasure of attending a talk with the
1513 &lt;a href=&quot;http://www.nuug.no/&quot;&gt;Norwegian Unix User Group&lt;/a&gt; about
1514 &lt;a href=&quot;http://www.nuug.no/aktiviteter/20140909-sks-keyservers/&quot;&gt;the
1515 OpenPGP keyserver pool sks-keyservers.net&lt;/a&gt;, and was very happy to
1516 learn that there is a large set of publicly available key servers to
1517 use when looking for peoples public key. So far I have used
1518 subkeys.pgp.net, and some times wwwkeys.nl.pgp.net when the former
1519 were misbehaving, but those days are ended. The servers I have used
1520 up until yesterday have been slow and some times unavailable. I hope
1521 those problems are gone now.&lt;/p&gt;
1522
1523 &lt;p&gt;Behind the round robin DNS entry of the
1524 &lt;a href=&quot;https://sks-keyservers.net/&quot;&gt;sks-keyservers.net&lt;/a&gt; service
1525 there is a pool of more than 100 keyservers which are checked every
1526 day to ensure they are well connected and up to date. It must be
1527 better than what I have used so far. :)&lt;/p&gt;
1528
1529 &lt;p&gt;Yesterdays speaker told me that the service is the default
1530 keyserver provided by the default configuration in GnuPG, but this do
1531 not seem to be used in Debian. Perhaps it should?&lt;/p&gt;
1532
1533 &lt;p&gt;Anyway, I&#39;ve updated my ~/.gnupg/options file to now include this
1534 line:&lt;/p&gt;
1535
1536 &lt;p&gt;&lt;blockquote&gt;&lt;pre&gt;
1537 keyserver pool.sks-keyservers.net
1538 &lt;/pre&gt;&lt;/blockquote&gt;&lt;/p&gt;
1539
1540 &lt;p&gt;With GnuPG version 2 one can also locate the keyserver using SRV
1541 entries in DNS. Just for fun, I did just that at work, so now every
1542 user of GnuPG at the University of Oslo should find a OpenGPG
1543 keyserver automatically should their need it:&lt;/p&gt;
1544
1545 &lt;p&gt;&lt;blockquote&gt;&lt;pre&gt;
1546 % host -t srv _pgpkey-http._tcp.uio.no
1547 _pgpkey-http._tcp.uio.no has SRV record 0 100 11371 pool.sks-keyservers.net.
1548 %
1549 &lt;/pre&gt;&lt;/blockquote&gt;&lt;/p&gt;
1550
1551 &lt;p&gt;Now if only
1552 &lt;a href=&quot;http://ietfreport.isoc.org/idref/draft-shaw-openpgp-hkp/&quot;&gt;the
1553 HKP lookup protocol&lt;/a&gt; supported finding signature paths, I would be
1554 very happy. It can look up a given key or search for a user ID, but I
1555 normally do not want that, but to find a trust path from my key to
1556 another key. Given a user ID or key ID, I would like to find (and
1557 download) the keys representing a signature path from my key to the
1558 key in question, to be able to get a trust path between the two keys.
1559 This is as far as I can tell not possible today. Perhaps something
1560 for a future version of the protocol?&lt;/p&gt;
1561 </description>
1562 </item>
1563
1564 <item>
1565 <title>FreedomBox milestone - all packages now in Debian Sid</title>
1566 <link>https://people.skolelinux.org/pere/blog/FreedomBox_milestone___all_packages_now_in_Debian_Sid.html</link>
1567 <guid isPermaLink="true">https://people.skolelinux.org/pere/blog/FreedomBox_milestone___all_packages_now_in_Debian_Sid.html</guid>
1568 <pubDate>Tue, 15 Apr 2014 22:10:00 +0200</pubDate>
1569 <description>&lt;p&gt;The &lt;a href=&quot;https://wiki.debian.org/FreedomBox&quot;&gt;Freedombox
1570 project&lt;/a&gt; is working on providing the software and hardware to make
1571 it easy for non-technical people to host their data and communication
1572 at home, and being able to communicate with their friends and family
1573 encrypted and away from prying eyes. It is still going strong, and
1574 today a major mile stone was reached.&lt;/p&gt;
1575
1576 &lt;p&gt;Today, the last of the packages currently used by the project to
1577 created the system images were accepted into Debian Unstable. It was
1578 the freedombox-setup package, which is used to configure the images
1579 during build and on the first boot. Now all one need to get going is
1580 the build code from the freedom-maker git repository and packages from
1581 Debian. And once the freedombox-setup package enter testing, we can
1582 build everything directly from Debian. :)&lt;/p&gt;
1583
1584 &lt;p&gt;Some key packages used by Freedombox are
1585 &lt;a href=&quot;http://packages.qa.debian.org/freedombox-setup&quot;&gt;freedombox-setup&lt;/a&gt;,
1586 &lt;a href=&quot;http://packages.qa.debian.org/plinth&quot;&gt;plinth&lt;/a&gt;,
1587 &lt;a href=&quot;http://packages.qa.debian.org/pagekite&quot;&gt;pagekite&lt;/a&gt;,
1588 &lt;a href=&quot;http://packages.qa.debian.org/tor&quot;&gt;tor&lt;/a&gt;,
1589 &lt;a href=&quot;http://packages.qa.debian.org/privoxy&quot;&gt;privoxy&lt;/a&gt;,
1590 &lt;a href=&quot;http://packages.qa.debian.org/owncloud&quot;&gt;owncloud&lt;/a&gt; and
1591 &lt;a href=&quot;http://packages.qa.debian.org/dnsmasq&quot;&gt;dnsmasq&lt;/a&gt;. There
1592 are plans to integrate more packages into the setup. User
1593 documentation is maintained on the Debian wiki. Please
1594 &lt;a href=&quot;https://wiki.debian.org/FreedomBox/Manual/Jessie&quot;&gt;check out
1595 the manual&lt;/a&gt; and help us improve it.&lt;/p&gt;
1596
1597 &lt;p&gt;To test for yourself and create boot images with the FreedomBox
1598 setup, run this on a Debian machine using a user with sudo rights to
1599 become root:&lt;/p&gt;
1600
1601 &lt;p&gt;&lt;pre&gt;
1602 sudo apt-get install git vmdebootstrap mercurial python-docutils \
1603 mktorrent extlinux virtualbox qemu-user-static binfmt-support \
1604 u-boot-tools
1605 git clone http://anonscm.debian.org/git/freedombox/freedom-maker.git \
1606 freedom-maker
1607 make -C freedom-maker dreamplug-image raspberry-image virtualbox-image
1608 &lt;/pre&gt;&lt;/p&gt;
1609
1610 &lt;p&gt;Root access is needed to run debootstrap and mount loopback
1611 devices. See the README in the freedom-maker git repo for more
1612 details on the build. If you do not want all three images, trim the
1613 make line. Note that the virtualbox-image target is not really
1614 virtualbox specific. It create a x86 image usable in kvm, qemu,
1615 vmware and any other x86 virtual machine environment. You might need
1616 the version of vmdebootstrap in Jessie to get the build working, as it
1617 include fixes for a race condition with kpartx.&lt;/p&gt;
1618
1619 &lt;p&gt;If you instead want to install using a Debian CD and the preseed
1620 method, boot a Debian Wheezy ISO and use this boot argument to load
1621 the preseed values:&lt;/p&gt;
1622
1623 &lt;p&gt;&lt;pre&gt;
1624 url=&lt;a href=&quot;http://www.reinholdtsen.name/freedombox/preseed-jessie.dat&quot;&gt;http://www.reinholdtsen.name/freedombox/preseed-jessie.dat&lt;/a&gt;
1625 &lt;/pre&gt;&lt;/p&gt;
1626
1627 &lt;p&gt;I have not tested it myself the last few weeks, so I do not know if
1628 it still work.&lt;/p&gt;
1629
1630 &lt;p&gt;If you wonder how to help, one task you could look at is using
1631 systemd as the boot system. It will become the default for Linux in
1632 Jessie, so we need to make sure it is usable on the Freedombox. I did
1633 a simple test a few weeks ago, and noticed dnsmasq failed to start
1634 during boot when using systemd. I suspect there are other problems
1635 too. :) To detect problems, there is a test suite included, which can
1636 be run from the plinth web interface.&lt;/p&gt;
1637
1638 &lt;p&gt;Give it a go and let us know how it goes on the mailing list, and help
1639 us get the new release published. :) Please join us on
1640 &lt;a href=&quot;irc://irc.debian.org:6667/%23freedombox&quot;&gt;IRC (#freedombox on
1641 irc.debian.org)&lt;/a&gt; and
1642 &lt;a href=&quot;http://lists.alioth.debian.org/mailman/listinfo/freedombox-discuss&quot;&gt;the
1643 mailing list&lt;/a&gt; if you want to help make this vision come true.&lt;/p&gt;
1644 </description>
1645 </item>
1646
1647 <item>
1648 <title>S3QL, a locally mounted cloud file system - nice free software</title>
1649 <link>https://people.skolelinux.org/pere/blog/S3QL__a_locally_mounted_cloud_file_system___nice_free_software.html</link>
1650 <guid isPermaLink="true">https://people.skolelinux.org/pere/blog/S3QL__a_locally_mounted_cloud_file_system___nice_free_software.html</guid>
1651 <pubDate>Wed, 9 Apr 2014 11:30:00 +0200</pubDate>
1652 <description>&lt;p&gt;For a while now, I have been looking for a sensible offsite backup
1653 solution for use at home. My requirements are simple, it must be
1654 cheap and locally encrypted (in other words, I keep the encryption
1655 keys, the storage provider do not have access to my private files).
1656 One idea me and my friends had many years ago, before the cloud
1657 storage providers showed up, was to use Google mail as storage,
1658 writing a Linux block device storing blocks as emails in the mail
1659 service provided by Google, and thus get heaps of free space. On top
1660 of this one can add encryption, RAID and volume management to have
1661 lots of (fairly slow, I admit that) cheap and encrypted storage. But
1662 I never found time to implement such system. But the last few weeks I
1663 have looked at a system called
1664 &lt;a href=&quot;https://bitbucket.org/nikratio/s3ql/&quot;&gt;S3QL&lt;/a&gt;, a locally
1665 mounted network backed file system with the features I need.&lt;/p&gt;
1666
1667 &lt;p&gt;S3QL is a fuse file system with a local cache and cloud storage,
1668 handling several different storage providers, any with Amazon S3,
1669 Google Drive or OpenStack API. There are heaps of such storage
1670 providers. S3QL can also use a local directory as storage, which
1671 combined with sshfs allow for file storage on any ssh server. S3QL
1672 include support for encryption, compression, de-duplication, snapshots
1673 and immutable file systems, allowing me to mount the remote storage as
1674 a local mount point, look at and use the files as if they were local,
1675 while the content is stored in the cloud as well. This allow me to
1676 have a backup that should survive fire. The file system can not be
1677 shared between several machines at the same time, as only one can
1678 mount it at the time, but any machine with the encryption key and
1679 access to the storage service can mount it if it is unmounted.&lt;/p&gt;
1680
1681 &lt;p&gt;It is simple to use. I&#39;m using it on Debian Wheezy, where the
1682 package is included already. So to get started, run &lt;tt&gt;apt-get
1683 install s3ql&lt;/tt&gt;. Next, pick a storage provider. I ended up picking
1684 Greenqloud, after reading their nice recipe on
1685 &lt;a href=&quot;https://greenqloud.zendesk.com/entries/44611757-How-To-Use-S3QL-to-mount-a-StorageQloud-bucket-on-Debian-Wheezy&quot;&gt;how
1686 to use S3QL with their Amazon S3 service&lt;/a&gt;, because I trust the laws
1687 in Iceland more than those in USA when it come to keeping my personal
1688 data safe and private, and thus would rather spend money on a company
1689 in Iceland. Another nice recipe is available from the article
1690 &lt;a href=&quot;http://www.admin-magazine.com/HPC/Articles/HPC-Cloud-Storage&quot;&gt;S3QL
1691 Filesystem for HPC Storage&lt;/a&gt; by Jeff Layton in the HPC section of
1692 Admin magazine. When the provider is picked, figure out how to get
1693 the API key needed to connect to the storage API. With Greencloud,
1694 the key did not show up until I had added payment details to my
1695 account.&lt;/p&gt;
1696
1697 &lt;p&gt;Armed with the API access details, it is time to create the file
1698 system. First, create a new bucket in the cloud. This bucket is the
1699 file system storage area. I picked a bucket name reflecting the
1700 machine that was going to store data there, but any name will do.
1701 I&#39;ll refer to it as &lt;tt&gt;bucket-name&lt;/tt&gt; below. In addition, one need
1702 the API login and password, and a locally created password. Store it
1703 all in ~root/.s3ql/authinfo2 like this:
1704
1705 &lt;p&gt;&lt;blockquote&gt;&lt;pre&gt;
1706 [s3c]
1707 storage-url: s3c://s.greenqloud.com:443/bucket-name
1708 backend-login: API-login
1709 backend-password: API-password
1710 fs-passphrase: local-password
1711 &lt;/pre&gt;&lt;/blockquote&gt;&lt;/p&gt;
1712
1713 &lt;p&gt;I create my local passphrase using &lt;tt&gt;pwget 50&lt;/tt&gt; or similar,
1714 but any sensible way to create a fairly random password should do it.
1715 Armed with these details, it is now time to run mkfs, entering the API
1716 details and password to create it:&lt;/p&gt;
1717
1718 &lt;p&gt;&lt;blockquote&gt;&lt;pre&gt;
1719 # mkdir -m 700 /var/lib/s3ql-cache
1720 # mkfs.s3ql --cachedir /var/lib/s3ql-cache --authfile /root/.s3ql/authinfo2 \
1721 --ssl s3c://s.greenqloud.com:443/bucket-name
1722 Enter backend login:
1723 Enter backend password:
1724 Before using S3QL, make sure to read the user&#39;s guide, especially
1725 the &#39;Important Rules to Avoid Loosing Data&#39; section.
1726 Enter encryption password:
1727 Confirm encryption password:
1728 Generating random encryption key...
1729 Creating metadata tables...
1730 Dumping metadata...
1731 ..objects..
1732 ..blocks..
1733 ..inodes..
1734 ..inode_blocks..
1735 ..symlink_targets..
1736 ..names..
1737 ..contents..
1738 ..ext_attributes..
1739 Compressing and uploading metadata...
1740 Wrote 0.00 MB of compressed metadata.
1741 # &lt;/pre&gt;&lt;/blockquote&gt;&lt;/p&gt;
1742
1743 &lt;p&gt;The next step is mounting the file system to make the storage available.
1744
1745 &lt;p&gt;&lt;blockquote&gt;&lt;pre&gt;
1746 # mount.s3ql --cachedir /var/lib/s3ql-cache --authfile /root/.s3ql/authinfo2 \
1747 --ssl --allow-root s3c://s.greenqloud.com:443/bucket-name /s3ql
1748 Using 4 upload threads.
1749 Downloading and decompressing metadata...
1750 Reading metadata...
1751 ..objects..
1752 ..blocks..
1753 ..inodes..
1754 ..inode_blocks..
1755 ..symlink_targets..
1756 ..names..
1757 ..contents..
1758 ..ext_attributes..
1759 Mounting filesystem...
1760 # df -h /s3ql
1761 Filesystem Size Used Avail Use% Mounted on
1762 s3c://s.greenqloud.com:443/bucket-name 1.0T 0 1.0T 0% /s3ql
1763 #
1764 &lt;/pre&gt;&lt;/blockquote&gt;&lt;/p&gt;
1765
1766 &lt;p&gt;The file system is now ready for use. I use rsync to store my
1767 backups in it, and as the metadata used by rsync is downloaded at
1768 mount time, no network traffic (and storage cost) is triggered by
1769 running rsync. To unmount, one should not use the normal umount
1770 command, as this will not flush the cache to the cloud storage, but
1771 instead running the umount.s3ql command like this:
1772
1773 &lt;p&gt;&lt;blockquote&gt;&lt;pre&gt;
1774 # umount.s3ql /s3ql
1775 #
1776 &lt;/pre&gt;&lt;/blockquote&gt;&lt;/p&gt;
1777
1778 &lt;p&gt;There is a fsck command available to check the file system and
1779 correct any problems detected. This can be used if the local server
1780 crashes while the file system is mounted, to reset the &quot;already
1781 mounted&quot; flag. This is what it look like when processing a working
1782 file system:&lt;/p&gt;
1783
1784 &lt;p&gt;&lt;blockquote&gt;&lt;pre&gt;
1785 # fsck.s3ql --force --ssl s3c://s.greenqloud.com:443/bucket-name
1786 Using cached metadata.
1787 File system seems clean, checking anyway.
1788 Checking DB integrity...
1789 Creating temporary extra indices...
1790 Checking lost+found...
1791 Checking cached objects...
1792 Checking names (refcounts)...
1793 Checking contents (names)...
1794 Checking contents (inodes)...
1795 Checking contents (parent inodes)...
1796 Checking objects (reference counts)...
1797 Checking objects (backend)...
1798 ..processed 5000 objects so far..
1799 ..processed 10000 objects so far..
1800 ..processed 15000 objects so far..
1801 Checking objects (sizes)...
1802 Checking blocks (referenced objects)...
1803 Checking blocks (refcounts)...
1804 Checking inode-block mapping (blocks)...
1805 Checking inode-block mapping (inodes)...
1806 Checking inodes (refcounts)...
1807 Checking inodes (sizes)...
1808 Checking extended attributes (names)...
1809 Checking extended attributes (inodes)...
1810 Checking symlinks (inodes)...
1811 Checking directory reachability...
1812 Checking unix conventions...
1813 Checking referential integrity...
1814 Dropping temporary indices...
1815 Backing up old metadata...
1816 Dumping metadata...
1817 ..objects..
1818 ..blocks..
1819 ..inodes..
1820 ..inode_blocks..
1821 ..symlink_targets..
1822 ..names..
1823 ..contents..
1824 ..ext_attributes..
1825 Compressing and uploading metadata...
1826 Wrote 0.89 MB of compressed metadata.
1827 #
1828 &lt;/pre&gt;&lt;/blockquote&gt;&lt;/p&gt;
1829
1830 &lt;p&gt;Thanks to the cache, working on files that fit in the cache is very
1831 quick, about the same speed as local file access. Uploading large
1832 amount of data is to me limited by the bandwidth out of and into my
1833 house. Uploading 685 MiB with a 100 MiB cache gave me 305 kiB/s,
1834 which is very close to my upload speed, and downloading the same
1835 Debian installation ISO gave me 610 kiB/s, close to my download speed.
1836 Both were measured using &lt;tt&gt;dd&lt;/tt&gt;. So for me, the bottleneck is my
1837 network, not the file system code. I do not know what a good cache
1838 size would be, but suspect that the cache should e larger than your
1839 working set.&lt;/p&gt;
1840
1841 &lt;p&gt;I mentioned that only one machine can mount the file system at the
1842 time. If another machine try, it is told that the file system is
1843 busy:&lt;/p&gt;
1844
1845 &lt;p&gt;&lt;blockquote&gt;&lt;pre&gt;
1846 # mount.s3ql --cachedir /var/lib/s3ql-cache --authfile /root/.s3ql/authinfo2 \
1847 --ssl --allow-root s3c://s.greenqloud.com:443/bucket-name /s3ql
1848 Using 8 upload threads.
1849 Backend reports that fs is still mounted elsewhere, aborting.
1850 #
1851 &lt;/pre&gt;&lt;/blockquote&gt;&lt;/p&gt;
1852
1853 &lt;p&gt;The file content is uploaded when the cache is full, while the
1854 metadata is uploaded once every 24 hour by default. To ensure the
1855 file system content is flushed to the cloud, one can either umount the
1856 file system, or ask S3QL to flush the cache and metadata using
1857 s3qlctrl:
1858
1859 &lt;p&gt;&lt;blockquote&gt;&lt;pre&gt;
1860 # s3qlctrl upload-meta /s3ql
1861 # s3qlctrl flushcache /s3ql
1862 #
1863 &lt;/pre&gt;&lt;/blockquote&gt;&lt;/p&gt;
1864
1865 &lt;p&gt;If you are curious about how much space your data uses in the
1866 cloud, and how much compression and deduplication cut down on the
1867 storage usage, you can use s3qlstat on the mounted file system to get
1868 a report:&lt;/p&gt;
1869
1870 &lt;p&gt;&lt;blockquote&gt;&lt;pre&gt;
1871 # s3qlstat /s3ql
1872 Directory entries: 9141
1873 Inodes: 9143
1874 Data blocks: 8851
1875 Total data size: 22049.38 MB
1876 After de-duplication: 21955.46 MB (99.57% of total)
1877 After compression: 21877.28 MB (99.22% of total, 99.64% of de-duplicated)
1878 Database size: 2.39 MB (uncompressed)
1879 (some values do not take into account not-yet-uploaded dirty blocks in cache)
1880 #
1881 &lt;/pre&gt;&lt;/blockquote&gt;&lt;/p&gt;
1882
1883 &lt;p&gt;I mentioned earlier that there are several possible suppliers of
1884 storage. I did not try to locate them all, but am aware of at least
1885 &lt;a href=&quot;https://www.greenqloud.com/&quot;&gt;Greenqloud&lt;/a&gt;,
1886 &lt;a href=&quot;http://drive.google.com/&quot;&gt;Google Drive&lt;/a&gt;,
1887 &lt;a href=&quot;http://aws.amazon.com/s3/&quot;&gt;Amazon S3 web serivces&lt;/a&gt;,
1888 &lt;a href=&quot;http://www.rackspace.com/&quot;&gt;Rackspace&lt;/a&gt; and
1889 &lt;a href=&quot;http://crowncloud.net/&quot;&gt;Crowncloud&lt;/A&gt;. The latter even
1890 accept payment in Bitcoin. Pick one that suit your need. Some of
1891 them provide several GiB of free storage, but the prize models are
1892 quite different and you will have to figure out what suits you
1893 best.&lt;/p&gt;
1894
1895 &lt;p&gt;While researching this blog post, I had a look at research papers
1896 and posters discussing the S3QL file system. There are several, which
1897 told me that the file system is getting a critical check by the
1898 science community and increased my confidence in using it. One nice
1899 poster is titled
1900 &quot;&lt;a href=&quot;http://www.lanl.gov/orgs/adtsc/publications/science_highlights_2013/docs/pg68_69.pdf&quot;&gt;An
1901 Innovative Parallel Cloud Storage System using OpenStack’s SwiftObject
1902 Store and Transformative Parallel I/O Approach&lt;/a&gt;&quot; by Hsing-Bung
1903 Chen, Benjamin McClelland, David Sherrill, Alfred Torrez, Parks Fields
1904 and Pamela Smith. Please have a look.&lt;/p&gt;
1905
1906 &lt;p&gt;Given my problems with different file systems earlier, I decided to
1907 check out the mounted S3QL file system to see if it would be usable as
1908 a home directory (in other word, that it provided POSIX semantics when
1909 it come to locking and umask handling etc). Running
1910 &lt;a href=&quot;http://people.skolelinux.org/pere/blog/Testing_if_a_file_system_can_be_used_for_home_directories___.html&quot;&gt;my
1911 test code to check file system semantics&lt;/a&gt;, I was happy to discover that
1912 no error was found. So the file system can be used for home
1913 directories, if one chooses to do so.&lt;/p&gt;
1914
1915 &lt;p&gt;If you do not want a locally file system, and want something that
1916 work without the Linux fuse file system, I would like to mention the
1917 &lt;a href=&quot;http://www.tarsnap.com/&quot;&gt;Tarsnap service&lt;/a&gt;, which also
1918 provide locally encrypted backup using a command line client. It have
1919 a nicer access control system, where one can split out read and write
1920 access, allowing some systems to write to the backup and others to
1921 only read from it.&lt;/p&gt;
1922
1923 &lt;p&gt;As usual, if you use Bitcoin and want to show your support of my
1924 activities, please send Bitcoin donations to my address
1925 &lt;b&gt;&lt;a href=&quot;bitcoin:15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b&quot;&gt;15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b&lt;/a&gt;&lt;/b&gt;.&lt;/p&gt;
1926 </description>
1927 </item>
1928
1929 <item>
1930 <title>EU-domstolen bekreftet i dag at datalagringsdirektivet er ulovlig</title>
1931 <link>https://people.skolelinux.org/pere/blog/EU_domstolen_bekreftet_i_dag_at_datalagringsdirektivet_er_ulovlig.html</link>
1932 <guid isPermaLink="true">https://people.skolelinux.org/pere/blog/EU_domstolen_bekreftet_i_dag_at_datalagringsdirektivet_er_ulovlig.html</guid>
1933 <pubDate>Tue, 8 Apr 2014 11:30:00 +0200</pubDate>
1934 <description>&lt;p&gt;I dag kom endelig avgjørelsen fra EU-domstolen om
1935 datalagringsdirektivet, som ikke overraskende ble dømt ulovlig og i
1936 strid med borgernes grunnleggende rettigheter. Hvis du lurer på hva
1937 datalagringsdirektivet er for noe, så er det
1938 &lt;a href=&quot;http://tv.nrk.no/program/koid75005313/tema-dine-digitale-spor-datalagringsdirektivet&quot;&gt;en
1939 flott dokumentar tilgjengelig hos NRK&lt;/a&gt; som jeg tidligere
1940 &lt;a href=&quot;http://people.skolelinux.org/pere/blog/Dokumentaren_om_Datalagringsdirektivet_sendes_endelig_p__NRK.html&quot;&gt;har
1941 anbefalt&lt;/a&gt; alle å se.&lt;/p&gt;
1942
1943 &lt;p&gt;Her er et liten knippe nyhetsoppslag om saken, og jeg regner med at
1944 det kommer flere ut over dagen. Flere kan finnes
1945 &lt;a href=&quot;http://www.mylder.no/?drill=datalagringsdirektivet&amp;intern=1&quot;&gt;via
1946 mylder&lt;/a&gt;.&lt;/p&gt;
1947
1948 &lt;p&gt;&lt;ul&gt;
1949
1950 &lt;li&gt;&lt;a href=&quot;http://e24.no/digital/eu-domstolen-datalagringsdirektivet-er-ugyldig/22879592&quot;&gt;EU-domstolen:
1951 Datalagringsdirektivet er ugyldig&lt;/a&gt; - e24.no 2014-04-08
1952
1953 &lt;li&gt;&lt;a href=&quot;http://www.aftenposten.no/nyheter/iriks/EU-domstolen-Datalagringsdirektivet-er-ulovlig-7529032.html&quot;&gt;EU-domstolen:
1954 Datalagringsdirektivet er ulovlig&lt;/a&gt; - aftenposten.no 2014-04-08
1955
1956 &lt;li&gt;&lt;a href=&quot;http://www.aftenposten.no/nyheter/iriks/politikk/Krever-DLD-stopp-i-Norge-7530086.html&quot;&gt;Krever
1957 DLD-stopp i Norge&lt;/a&gt; - aftenposten.no 2014-04-08
1958
1959 &lt;li&gt;&lt;a href=&quot;http://www.p4.no/story.aspx?id=566431&quot;&gt;Apenes: - En
1960 gledens dag&lt;/a&gt; - p4.no 2014-04-08
1961
1962 &lt;li&gt;&lt;a href=&quot;http://www.nrk.no/norge/_-datalagringsdirektivet-er-ugyldig-1.11655929&quot;&gt;EU-domstolen:
1963 – Datalagringsdirektivet er ugyldig&lt;/a&gt; - nrk.no 2014-04-08&lt;/li&gt;
1964
1965 &lt;li&gt;&lt;a href=&quot;http://www.vg.no/nyheter/utenriks/data-og-nett/eu-domstolen-datalagringsdirektivet-er-ugyldig/a/10130280/&quot;&gt;EU-domstolen:
1966 Datalagringsdirektivet er ugyldig&lt;/a&gt; - vg.no 2014-04-08&lt;/li&gt;
1967
1968 &lt;li&gt;&lt;a href=&quot;http://www.dagbladet.no/2014/04/08/nyheter/innenriks/datalagringsdirektivet/personvern/32711646/&quot;&gt;-
1969 Vi bør skrote hele datalagringsdirektivet&lt;/a&gt; - dagbladet.no
1970 2014-04-08&lt;/li&gt;
1971
1972 &lt;li&gt;&lt;a href=&quot;http://www.digi.no/928137/eu-domstolen-dld-er-ugyldig&quot;&gt;EU-domstolen:
1973 DLD er ugyldig&lt;/a&gt; - digi.no 2014-04-08&lt;/li&gt;
1974
1975 &lt;li&gt;&lt;a href=&quot;http://www.irishtimes.com/business/sectors/technology/european-court-declares-data-retention-directive-invalid-1.1754150&quot;&gt;European
1976 court declares data retention directive invalid&lt;/a&gt; - irishtimes.com
1977 2014-04-08&lt;/li&gt;
1978
1979 &lt;li&gt;&lt;a href=&quot;http://www.reuters.com/article/2014/04/08/us-eu-data-ruling-idUSBREA370F020140408?feedType=RSS&quot;&gt;EU
1980 court rules against requirement to keep data of telecom users&lt;/a&gt; -
1981 reuters.com 2014-04-08&lt;/li&gt;
1982
1983 &lt;/ul&gt;
1984 &lt;/p&gt;
1985
1986 &lt;p&gt;Jeg synes det er veldig fint at nok en stemme slår fast at
1987 totalitær overvåkning av befolkningen er uakseptabelt, men det er
1988 fortsatt like viktig å beskytte privatsfæren som før, da de
1989 teknologiske mulighetene fortsatt finnes og utnyttes, og jeg tror
1990 innsats i prosjekter som
1991 &lt;a href=&quot;https://wiki.debian.org/FreedomBox&quot;&gt;Freedombox&lt;/a&gt; og
1992 &lt;a href=&quot;http://www.dugnadsnett.no/&quot;&gt;Dugnadsnett&lt;/a&gt; er viktigere enn
1993 noen gang.&lt;/p&gt;
1994
1995 &lt;p&gt;&lt;strong&gt;Update 2014-04-08 12:10&lt;/strong&gt;: Kronerullingen for å
1996 stoppe datalagringsdirektivet i Norge gjøres hos foreningen
1997 &lt;a href=&quot;http://www.digitaltpersonvern.no/&quot;&gt;Digitalt Personvern&lt;/a&gt;,
1998 som har samlet inn 843 215,- så langt men trenger nok mye mer hvis
1999
2000 ikke Høyre og Arbeiderpartiet bytter mening i saken. Det var
2001 &lt;a href=&quot;http://www.holderdeord.no/parliament-issues/48650&quot;&gt;kun
2002 partinene Høyre og Arbeiderpartiet&lt;/a&gt; som stemte for
2003 Datalagringsdirektivet, og en av dem må bytte mening for at det skal
2004 bli flertall mot i Stortinget. Se mer om saken
2005 &lt;a href=&quot;http://www.holderdeord.no/issues/69-innfore-datalagringsdirektivet&quot;&gt;Holder
2006 de ord&lt;/a&gt;.&lt;/p&gt;
2007 </description>
2008 </item>
2009
2010 <item>
2011 <title>Dokumentaren om Datalagringsdirektivet sendes endelig på NRK</title>
2012 <link>https://people.skolelinux.org/pere/blog/Dokumentaren_om_Datalagringsdirektivet_sendes_endelig_p__NRK.html</link>
2013 <guid isPermaLink="true">https://people.skolelinux.org/pere/blog/Dokumentaren_om_Datalagringsdirektivet_sendes_endelig_p__NRK.html</guid>
2014 <pubDate>Wed, 26 Mar 2014 09:50:00 +0100</pubDate>
2015 <description>&lt;p&gt;&lt;a href=&quot;http://www.nuug.no/&quot;&gt;Foreningen NUUG&lt;/a&gt; melder i natt at
2016 NRK nå har bestemt seg for
2017 &lt;a href=&quot;http://www.nuug.no/news/NRK_viser_filmen_om_Datalagringsdirektivet_f_rste_gang_2014_03_31.shtml&quot;&gt;når
2018 den norske dokumentarfilmen om datalagringsdirektivet skal
2019 sendes&lt;/a&gt; (se &lt;a href=&quot;http://www.imdb.com/title/tt2832844/&quot;&gt;IMDB&lt;/a&gt;
2020 for detaljer om filmen) . Første visning blir på NRK2 mandag
2021 2014-03-31 kl. 19:50, og deretter visninger onsdag 2014-04-02
2022 kl. 12:30, fredag 2014-04-04 kl. 19:40 og søndag 2014-04-06 kl. 15:10.
2023 Jeg har sett dokumentaren, og jeg anbefaler enhver å se den selv. Som
2024 oppvarming mens vi venter anbefaler jeg Bjørn Stærks kronikk i
2025 Aftenposten fra i går,
2026 &lt;a href=&quot;http://www.aftenposten.no/meninger/kronikker/Autoritar-gjokunge-7514915.html&quot;&gt;Autoritær
2027 gjøkunge&lt;/a&gt;, der han gir en grei skisse av hvor ille det står til med
2028 retten til privatliv og beskyttelsen av demokrati i Norge og resten
2029 verden, og helt riktig slår fast at det er vi i databransjen som
2030 sitter med nøkkelen til å gjøre noe med dette. Jeg har involvert meg
2031 i prosjektene &lt;a href=&quot;http://www.dugnadsnett.no/&quot;&gt;dugnadsnett.no&lt;/a&gt;
2032 og &lt;a href=&quot;https://wiki.debian.org/FreedomBox&quot;&gt;FreedomBox&lt;/a&gt; for å
2033 forsøke å gjøre litt selv for å bedre situasjonen, men det er mye
2034 hardt arbeid fra mange flere enn meg som gjenstår før vi kan sies å ha
2035 gjenopprettet balansen.&lt;/p&gt;
2036
2037 &lt;p&gt;Jeg regner med at nettutgaven dukker opp på
2038 &lt;a href=&quot;http://tv.nrk.no/program/koid75005313/tema-dine-digitale-spor-datalagringsdirektivet&quot;&gt;NRKs
2039 side om filmen om datalagringsdirektivet&lt;/a&gt; om fem dager. Hold et
2040 øye med siden, og tips venner og slekt om at de også bør se den.&lt;/p&gt;
2041 </description>
2042 </item>
2043
2044 <item>
2045 <title>Public Trusted Timestamping services for everyone</title>
2046 <link>https://people.skolelinux.org/pere/blog/Public_Trusted_Timestamping_services_for_everyone.html</link>
2047 <guid isPermaLink="true">https://people.skolelinux.org/pere/blog/Public_Trusted_Timestamping_services_for_everyone.html</guid>
2048 <pubDate>Tue, 25 Mar 2014 12:50:00 +0100</pubDate>
2049 <description>&lt;p&gt;Did you ever need to store logs or other files in a way that would
2050 allow it to be used as evidence in court, and needed a way to
2051 demonstrate without reasonable doubt that the file had not been
2052 changed since it was created? Or, did you ever need to document that
2053 a given document was received at some point in time, like some
2054 archived document or the answer to an exam, and not changed after it
2055 was received? The problem in these settings is to remove the need to
2056 trust yourself and your computers, while still being able to prove
2057 that a file is the same as it was at some given time in the past.&lt;/p&gt;
2058
2059 &lt;p&gt;A solution to these problems is to have a trusted third party
2060 &quot;stamp&quot; the document and verify that at some given time the document
2061 looked a given way. Such
2062 &lt;a href=&quot;https://en.wikipedia.org/wiki/Notarius&quot;&gt;notarius&lt;/a&gt; service
2063 have been around for thousands of years, and its digital equivalent is
2064 called a
2065 &lt;a href=&quot;http://en.wikipedia.org/wiki/Trusted_timestamping&quot;&gt;trusted
2066 timestamping service&lt;/a&gt;. &lt;a href=&quot;http://www.ietf.org/&quot;&gt;The Internet
2067 Engineering Task Force&lt;/a&gt; standardised how such service could work a
2068 few years ago as &lt;a href=&quot;http://tools.ietf.org/html/rfc3161&quot;&gt;RFC
2069 3161&lt;/a&gt;. The mechanism is simple. Create a hash of the file in
2070 question, send it to a trusted third party which add a time stamp to
2071 the hash and sign the result with its private key, and send back the
2072 signed hash + timestamp. Both email, FTP and HTTP can be used to
2073 request such signature, depending on what is provided by the service
2074 used. Anyone with the document and the signature can then verify that
2075 the document matches the signature by creating their own hash and
2076 checking the signature using the trusted third party public key.
2077 There are several commercial services around providing such
2078 timestamping. A quick search for
2079 &quot;&lt;a href=&quot;https://duckduckgo.com/?q=rfc+3161+service&quot;&gt;rfc 3161
2080 service&lt;/a&gt;&quot; pointed me to at least
2081 &lt;a href=&quot;https://www.digistamp.com/technical/how-a-digital-time-stamp-works/&quot;&gt;DigiStamp&lt;/a&gt;,
2082 &lt;a href=&quot;http://www.quovadisglobal.co.uk/CertificateServices/SigningServices/TimeStamp.aspx&quot;&gt;Quo
2083 Vadis&lt;/a&gt;,
2084 &lt;a href=&quot;https://www.globalsign.com/timestamp-service/&quot;&gt;Global Sign&lt;/a&gt;
2085 and &lt;a href=&quot;http://www.globaltrustfinder.com/TSADefault.aspx&quot;&gt;Global
2086 Trust Finder&lt;/a&gt;. The system work as long as the private key of the
2087 trusted third party is not compromised.&lt;/p&gt;
2088
2089 &lt;p&gt;But as far as I can tell, there are very few public trusted
2090 timestamp services available for everyone. I&#39;ve been looking for one
2091 for a while now. But yesterday I found one over at
2092 &lt;a href=&quot;https://www.pki.dfn.de/zeitstempeldienst/&quot;&gt;Deutches
2093 Forschungsnetz&lt;/a&gt; mentioned in
2094 &lt;a href=&quot;http://www.d-mueller.de/blog/dealing-with-trusted-timestamps-in-php-rfc-3161/&quot;&gt;a
2095 blog by David Müller&lt;/a&gt;. I then found
2096 &lt;a href=&quot;http://www.rz.uni-greifswald.de/support/dfn-pki-zertifikate/zeitstempeldienst.html&quot;&gt;a
2097 good recipe on how to use the service&lt;/a&gt; over at the University of
2098 Greifswald.&lt;/p&gt;
2099
2100 &lt;p&gt;&lt;a href=&quot;http://www.openssl.org/&quot;&gt;The OpenSSL library&lt;/a&gt; contain
2101 both server and tools to use and set up your own signing service. See
2102 the ts(1SSL), tsget(1SSL) manual pages for more details. The
2103 following shell script demonstrate how to extract a signed timestamp
2104 for any file on the disk in a Debian environment:&lt;/p&gt;
2105
2106 &lt;p&gt;&lt;blockquote&gt;&lt;pre&gt;
2107 #!/bin/sh
2108 set -e
2109 url=&quot;http://zeitstempel.dfn.de&quot;
2110 caurl=&quot;https://pki.pca.dfn.de/global-services-ca/pub/cacert/chain.txt&quot;
2111 reqfile=$(mktemp -t tmp.XXXXXXXXXX.tsq)
2112 resfile=$(mktemp -t tmp.XXXXXXXXXX.tsr)
2113 cafile=chain.txt
2114 if [ ! -f $cafile ] ; then
2115 wget -O $cafile &quot;$caurl&quot;
2116 fi
2117 openssl ts -query -data &quot;$1&quot; -cert | tee &quot;$reqfile&quot; \
2118 | /usr/lib/ssl/misc/tsget -h &quot;$url&quot; -o &quot;$resfile&quot;
2119 openssl ts -reply -in &quot;$resfile&quot; -text 1&gt;&amp;2
2120 openssl ts -verify -data &quot;$1&quot; -in &quot;$resfile&quot; -CAfile &quot;$cafile&quot; 1&gt;&amp;2
2121 base64 &lt; &quot;$resfile&quot;
2122 rm &quot;$reqfile&quot; &quot;$resfile&quot;
2123 &lt;/pre&gt;&lt;/blockquote&gt;&lt;/p&gt;
2124
2125 &lt;p&gt;The argument to the script is the file to timestamp, and the output
2126 is a base64 encoded version of the signature to STDOUT and details
2127 about the signature to STDERR. Note that due to
2128 &lt;a href=&quot;http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742553&quot;&gt;a bug
2129 in the tsget script&lt;/a&gt;, you might need to modify the included script
2130 and remove the last line. Or just write your own HTTP uploader using
2131 curl. :) Now you too can prove and verify that files have not been
2132 changed.&lt;/p&gt;
2133
2134 &lt;p&gt;But the Internet need more public trusted timestamp services.
2135 Perhaps something for &lt;a href=&quot;http://www.uninett.no/&quot;&gt;Uninett&lt;/a&gt; or
2136 my work place the &lt;a href=&quot;http://www.uio.no/&quot;&gt;University of Oslo&lt;/a&gt;
2137 to set up?&lt;/p&gt;
2138 </description>
2139 </item>
2140
2141 <item>
2142 <title>Freedombox on Dreamplug, Raspberry Pi and virtual x86 machine</title>
2143 <link>https://people.skolelinux.org/pere/blog/Freedombox_on_Dreamplug__Raspberry_Pi_and_virtual_x86_machine.html</link>
2144 <guid isPermaLink="true">https://people.skolelinux.org/pere/blog/Freedombox_on_Dreamplug__Raspberry_Pi_and_virtual_x86_machine.html</guid>
2145 <pubDate>Fri, 14 Mar 2014 11:00:00 +0100</pubDate>
2146 <description>&lt;p&gt;The &lt;a href=&quot;https://wiki.debian.org/FreedomBox&quot;&gt;Freedombox
2147 project&lt;/a&gt; is working on providing the software and hardware for
2148 making it easy for non-technical people to host their data and
2149 communication at home, and being able to communicate with their
2150 friends and family encrypted and away from prying eyes. It has been
2151 going on for a while, and is slowly progressing towards a new test
2152 release (0.2).&lt;/p&gt;
2153
2154 &lt;p&gt;And what day could be better than the Pi day to announce that the
2155 new version will provide &quot;hard drive&quot; / SD card / USB stick images for
2156 Dreamplug, Raspberry Pi and VirtualBox (or any other virtualization
2157 system), and can also be installed using a Debian installer preseed
2158 file. The Debian based Freedombox is now based on Debian Jessie,
2159 where most of the needed packages used are already present. Only one,
2160 the freedombox-setup package, is missing. To try to build your own
2161 boot image to test the current status, fetch the freedom-maker scripts
2162 and build using
2163 &lt;a href=&quot;http://packages.qa.debian.org/vmdebootstrap&quot;&gt;vmdebootstrap&lt;/a&gt;
2164 with a user with sudo access to become root:
2165
2166 &lt;pre&gt;
2167 git clone http://anonscm.debian.org/git/freedombox/freedom-maker.git \
2168 freedom-maker
2169 sudo apt-get install git vmdebootstrap mercurial python-docutils \
2170 mktorrent extlinux virtualbox qemu-user-static binfmt-support \
2171 u-boot-tools
2172 make -C freedom-maker dreamplug-image raspberry-image virtualbox-image
2173 &lt;/pre&gt;
2174
2175 &lt;p&gt;Root access is needed to run debootstrap and mount loopback
2176 devices. See the README for more details on the build. If you do not
2177 want all three images, trim the make line. But note that thanks to &lt;a
2178 href=&quot;https://bugs.debian.org/741407&quot;&gt;a race condition in
2179 vmdebootstrap&lt;/a&gt;, the build might fail without the patch to the
2180 kpartx call.&lt;/p&gt;
2181
2182 &lt;p&gt;If you instead want to install using a Debian CD and the preseed
2183 method, boot a Debian Wheezy ISO and use this boot argument to load
2184 the preseed values:&lt;/p&gt;
2185
2186 &lt;pre&gt;
2187 url=&lt;a href=&quot;http://www.reinholdtsen.name/freedombox/preseed-jessie.dat&quot;&gt;http://www.reinholdtsen.name/freedombox/preseed-jessie.dat&lt;/a&gt;
2188 &lt;/pre&gt;
2189
2190 &lt;p&gt;But note that due to &lt;a href=&quot;https://bugs.debian.org/740673&quot;&gt;a
2191 recently introduced bug in apt in Jessie&lt;/a&gt;, the installer will
2192 currently hang while setting up APT sources. Killing the
2193 &#39;&lt;tt&gt;apt-cdrom ident&lt;/tt&gt;&#39; process when it hang a few times during the
2194 installation will get the installation going. This affect all
2195 installations in Jessie, and I expect it will be fixed soon.&lt;/p&gt;
2196
2197 &lt;p&gt;Give it a go and let us know how it goes on the mailing list, and help
2198 us get the new release published. :) Please join us on
2199 &lt;a href=&quot;irc://irc.debian.org:6667/%23freedombox&quot;&gt;IRC (#freedombox on
2200 irc.debian.org)&lt;/a&gt; and
2201 &lt;a href=&quot;http://lists.alioth.debian.org/mailman/listinfo/freedombox-discuss&quot;&gt;the
2202 mailing list&lt;/a&gt; if you want to help make this vision come true.&lt;/p&gt;
2203 </description>
2204 </item>
2205
2206 <item>
2207 <title>A fist full of non-anonymous Bitcoins</title>
2208 <link>https://people.skolelinux.org/pere/blog/A_fist_full_of_non_anonymous_Bitcoins.html</link>
2209 <guid isPermaLink="true">https://people.skolelinux.org/pere/blog/A_fist_full_of_non_anonymous_Bitcoins.html</guid>
2210 <pubDate>Wed, 29 Jan 2014 14:10:00 +0100</pubDate>
2211 <description>&lt;p&gt;Bitcoin is a incredible use of peer to peer communication and
2212 encryption, allowing direct and immediate money transfer without any
2213 central control. It is sometimes claimed to be ideal for illegal
2214 activity, which I believe is quite a long way from the truth. At least
2215 I would not conduct illegal money transfers using a system where the
2216 details of every transaction are kept forever. This point is
2217 investigated in
2218 &lt;a href=&quot;https://www.usenix.org/publications/login&quot;&gt;USENIX ;login:&lt;/a&gt;
2219 from December 2013, in the article
2220 &quot;&lt;a href=&quot;https://www.usenix.org/system/files/login/articles/03_meiklejohn-online.pdf&quot;&gt;A
2221 Fistful of Bitcoins - Characterizing Payments Among Men with No
2222 Names&lt;/a&gt;&quot; by Sarah Meiklejohn, Marjori Pomarole,Grant Jordan, Kirill
2223 Levchenko, Damon McCoy, Geoffrey M. Voelker, and Stefan Savage. They
2224 analyse the transaction log in the Bitcoin system, using it to find
2225 addresses belong to individuals and organisations and follow the flow
2226 of money from both Bitcoin theft and trades on Silk Road to where the
2227 money end up. This is how they wrap up their article:&lt;/p&gt;
2228
2229 &lt;p&gt;&lt;blockquote&gt;
2230 &lt;p&gt;&quot;To demonstrate the usefulness of this type of analysis, we turned
2231 our attention to criminal activity. In the Bitcoin economy, criminal
2232 activity can appear in a number of forms, such as dealing drugs on
2233 Silk Road or simply stealing someone else’s bitcoins. We followed the
2234 flow of bitcoins out of Silk Road (in particular, from one notorious
2235 address) and from a number of highly publicized thefts to see whether
2236 we could track the bitcoins to known services. Although some of the
2237 thieves attempted to use sophisticated mixing techniques (or possibly
2238 mix services) to obscure the flow of bitcoins, for the most part
2239 tracking the bitcoins was quite straightforward, and we ultimately saw
2240 large quantities of bitcoins flow to a variety of exchanges directly
2241 from the point of theft (or the withdrawal from Silk Road).&lt;/p&gt;
2242
2243 &lt;p&gt;As acknowledged above, following stolen bitcoins to the point at
2244 which they are deposited into an exchange does not in itself identify
2245 the thief; however, it does enable further de-anonymization in the
2246 case in which certain agencies can determine (through, for example,
2247 subpoena power) the real-world owner of the account into which the
2248 stolen bitcoins were deposited. Because such exchanges seem to serve
2249 as chokepoints into and out of the Bitcoin economy (i.e., there are
2250 few alternative ways to cash out), we conclude that using Bitcoin for
2251 money laundering or other illicit purposes does not (at least at
2252 present) seem to be particularly attractive.&quot;&lt;/p&gt;
2253 &lt;/blockquote&gt;&lt;p&gt;
2254
2255 &lt;p&gt;These researches are not the first to analyse the Bitcoin
2256 transaction log. The 2011 paper
2257 &quot;&lt;a href=&quot;http://arxiv.org/abs/1107.4524&quot;&gt;An Analysis of Anonymity in
2258 the Bitcoin System&lt;/A&gt;&quot; by Fergal Reid and Martin Harrigan is
2259 summarized like this:&lt;/p&gt;
2260
2261 &lt;p&gt;&lt;blockquote&gt;
2262 &quot;Anonymity in Bitcoin, a peer-to-peer electronic currency system, is a
2263 complicated issue. Within the system, users are identified by
2264 public-keys only. An attacker wishing to de-anonymize its users will
2265 attempt to construct the one-to-many mapping between users and
2266 public-keys and associate information external to the system with the
2267 users. Bitcoin tries to prevent this attack by storing the mapping of
2268 a user to his or her public-keys on that user&#39;s node only and by
2269 allowing each user to generate as many public-keys as required. In
2270 this chapter we consider the topological structure of two networks
2271 derived from Bitcoin&#39;s public transaction history. We show that the
2272 two networks have a non-trivial topological structure, provide
2273 complementary views of the Bitcoin system and have implications for
2274 anonymity. We combine these structures with external information and
2275 techniques such as context discovery and flow analysis to investigate
2276 an alleged theft of Bitcoins, which, at the time of the theft, had a
2277 market value of approximately half a million U.S. dollars.&quot;
2278 &lt;/blockquote&gt;&lt;/p&gt;
2279
2280 &lt;p&gt;I hope these references can help kill the urban myth that Bitcoin
2281 is anonymous. It isn&#39;t really a good fit for illegal activites. Use
2282 cash if you need to stay anonymous, at least until regular DNA
2283 sampling of notes and coins become the norm. :)&lt;/p&gt;
2284
2285 &lt;p&gt;As usual, if you use Bitcoin and want to show your support of my
2286 activities, please send Bitcoin donations to my address
2287 &lt;b&gt;&lt;a href=&quot;bitcoin:15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b&quot;&gt;15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b&lt;/a&gt;&lt;/b&gt;.&lt;/p&gt;
2288 </description>
2289 </item>
2290
2291 <item>
2292 <title>All drones should be radio marked with what they do and who they belong to</title>
2293 <link>https://people.skolelinux.org/pere/blog/All_drones_should_be_radio_marked_with_what_they_do_and_who_they_belong_to.html</link>
2294 <guid isPermaLink="true">https://people.skolelinux.org/pere/blog/All_drones_should_be_radio_marked_with_what_they_do_and_who_they_belong_to.html</guid>
2295 <pubDate>Thu, 21 Nov 2013 15:40:00 +0100</pubDate>
2296 <description>&lt;p&gt;Drones, flying robots, are getting more and more popular. The most
2297 know ones are the killer drones used by some government to murder
2298 people they do not like without giving them the chance of a fair
2299 trial, but the technology have many good uses too, from mapping and
2300 forest maintenance to photography and search and rescue. I am sure it
2301 is just a question of time before &quot;bad drones&quot; are in the hands of
2302 private enterprises and not only state criminals but petty criminals
2303 too. The drone technology is very useful and very dangerous. To have
2304 some control over the use of drones, I agree with Daniel Suarez in his
2305 TED talk
2306 &quot;&lt;a href=&quot;https://archive.org/details/DanielSuarez_2013G&quot;&gt;The kill
2307 decision shouldn&#39;t belong to a robot&lt;/a&gt;&quot;, where he suggested this
2308 little gem to keep the good while limiting the bad use of drones:&lt;/p&gt;
2309
2310 &lt;blockquote&gt;
2311
2312 &lt;p&gt;Each robot and drone should have a cryptographically signed
2313 I.D. burned in at the factory that can be used to track its movement
2314 through public spaces. We have license plates on cars, tail numbers on
2315 aircraft. This is no different. And every citizen should be able to
2316 download an app that shows the population of drones and autonomous
2317 vehicles moving through public spaces around them, both right now and
2318 historically. And civic leaders should deploy sensors and civic drones
2319 to detect rogue drones, and instead of sending killer drones of their
2320 own up to shoot them down, they should notify humans to their
2321 presence. And in certain very high-security areas, perhaps civic
2322 drones would snare them and drag them off to a bomb disposal facility.&lt;/p&gt;
2323
2324 &lt;p&gt;But notice, this is more an immune system than a weapons system. It
2325 would allow us to avail ourselves of the use of autonomous vehicles
2326 and drones while still preserving our open, civil society.&lt;/p&gt;
2327
2328 &lt;/blockquote&gt;
2329
2330 &lt;p&gt;The key is that &lt;em&gt;every citizen&lt;/em&gt; should be able to read the
2331 radio beacons sent from the drones in the area, to be able to check
2332 both the government and others use of drones. For such control to be
2333 effective, everyone must be able to do it. What should such beacon
2334 contain? At least formal owner, purpose, contact information and GPS
2335 location. Probably also the origin and target position of the current
2336 flight. And perhaps some registration number to be able to look up
2337 the drone in a central database tracking their movement. Robots
2338 should not have privacy. It is people who need privacy.&lt;/p&gt;
2339 </description>
2340 </item>
2341
2342 <item>
2343 <title>Det er jo makta som er mest sårbar ved massiv overvåkning av Internett</title>
2344 <link>https://people.skolelinux.org/pere/blog/Det_er_jo_makta_som_er_mest_s_rbar_ved_massiv_overv_kning_av_Internett.html</link>
2345 <guid isPermaLink="true">https://people.skolelinux.org/pere/blog/Det_er_jo_makta_som_er_mest_s_rbar_ved_massiv_overv_kning_av_Internett.html</guid>
2346 <pubDate>Sat, 26 Oct 2013 20:30:00 +0200</pubDate>
2347 <description>&lt;p&gt;De siste måneders eksponering av
2348 &lt;a href=&quot;http://www.aftenposten.no/nyheter/uriks/Her-er-Edvard-Snowdens-mest-omtalte-avsloringer-7351734.html&quot;&gt;den
2349 totale overvåkningen som foregår i den vestlige verden dokumenterer
2350 hvor sårbare vi er&lt;/a&gt;. Men det slår meg at de som er mest sårbare
2351 for dette, myndighetspersoner på alle nivåer, neppe har innsett at de
2352 selv er de mest interessante personene å lage profiler på, for å kunne
2353 påvirke dem.&lt;/p&gt;
2354
2355 &lt;p&gt;For å ta et lite eksempel: Stortingets nettsted,
2356 &lt;a href=&quot;http://www.stortinget.no/&quot;&gt;www.stortinget.no&lt;/a&gt; (og
2357 forsåvidt også
2358 &lt;a href=&quot;http://data.stortinget.no/&quot;&gt;data.stortinget.no&lt;/a&gt;),
2359 inneholder informasjon om det som foregår på Stortinget, og jeg antar
2360 de største brukerne av informasjonen der er representanter og
2361 rådgivere på Stortinget. Intet overraskende med det. Det som derimot
2362 er mer skjult er at Stortingets nettsted bruker
2363 &lt;a href=&quot;http://en.wikipedia.org/wiki/Google_Analytics&quot;&gt;Google
2364 Analytics&lt;/a&gt;, hvilket gjør at enhver som besøker nettsidene der også
2365 rapporterer om besøket via Internett-linjer som passerer Sverige,
2366 England og videre til USA. Det betyr at informasjon om ethvert besøk
2367 på stortingets nettsider kan snappes opp av svensk, britisk og USAs
2368 etterretningsvesen. De kan dermed holde et øye med hvilke
2369 Stortingssaker stortingsrepresentantene synes er interessante å sjekke
2370 ut, og hvilke sider rådgivere og andre på stortinget synes er
2371 interessant å besøke, når de gjør det og hvilke andre representanter
2372 som sjekker de samme sidene omtrent samtidig. Stortingets bruk av
2373 Google Analytics gjør det dermed enkelt for utenlands etteretning å
2374 spore representantenes aktivitet og interesse. Hvis noen av
2375 representantene bruker Google Mail eller noen andre tjenestene som
2376 krever innlogging, så vil det være enda enklere å finne ut nøyaktig
2377 hvilke personer som bruker hvilke nettlesere og dermed knytte
2378 informasjonen opp til enkeltpersoner på Stortinget.&lt;/p&gt;
2379
2380 &lt;p&gt;Og jo flere nettsteder som bruker Google Analytics, jo bedre
2381 oversikt over stortingsrepresentantenes lesevaner og interesse blir
2382 tilgjengelig for svensk, britisk og USAs etterretning. Hva de kan
2383 bruke den informasjonen til overlater jeg til leseren å undres
2384 over.&lt;/p&gt;
2385 </description>
2386 </item>
2387
2388 <item>
2389 <title>Videos about the Freedombox project - for inspiration and learning</title>
2390 <link>https://people.skolelinux.org/pere/blog/Videos_about_the_Freedombox_project___for_inspiration_and_learning.html</link>
2391 <guid isPermaLink="true">https://people.skolelinux.org/pere/blog/Videos_about_the_Freedombox_project___for_inspiration_and_learning.html</guid>
2392 <pubDate>Fri, 27 Sep 2013 14:10:00 +0200</pubDate>
2393 <description>&lt;p&gt;The &lt;a href=&quot;http://www.freedomboxfoundation.org/&quot;&gt;Freedombox
2394 project&lt;/a&gt; have been going on for a while, and have presented the
2395 vision, ideas and solution several places. Here is a little
2396 collection of videos of talks and presentation of the project.&lt;/p&gt;
2397
2398 &lt;ul&gt;
2399
2400 &lt;li&gt;&lt;a href=&quot;http://www.youtube.com/watch?v=ukvUz5taxvA&quot;&gt;FreedomBox -
2401 2,5 minute marketing film&lt;/a&gt; (Youtube)&lt;/li&gt;
2402
2403 &lt;li&gt;&lt;a href=&quot;http://www.youtube.com/watch?v=SzW25QTVWsE&quot;&gt;Eben Moglen
2404 discusses the Freedombox on CBS news 2011&lt;/a&gt; (Youtube)&lt;/li&gt;
2405
2406 &lt;li&gt;&lt;a href=&quot;http://www.youtube.com/watch?v=Ae8SZbxfE0g&quot;&gt;Eben Moglen -
2407 Freedom in the Cloud - Software Freedom, Privacy and and Security for
2408 Web 2.0 and Cloud computing at ISOC-NY Public Meeting 2010&lt;/a&gt;
2409 (Youtube)&lt;/li&gt;
2410
2411 &lt;li&gt;&lt;a href=&quot;http://www.youtube.com/watch?v=vNaIji_3xBE&quot;&gt;Fosdem 2011
2412 Keynote by Eben Moglen presenting the Freedombox&lt;/a&gt; (Youtube)&lt;/li&gt;
2413
2414 &lt;li&gt;&lt;a href=&quot;http://www.youtube.com/watch?v=9bDDUyJSQ9s&quot;&gt;Presentation of
2415 the Freedombox by James Vasile at Elevate in Gratz 2011&lt;/a&gt; (Youtube)&lt;/li&gt;
2416
2417 &lt;li&gt;&lt;a href=&quot;http://www.youtube.com/watch?v=zQTmnk27g9s&quot;&gt; Freedombox -
2418 Discovery, Identity, and Trust by Nick Daly at Freedombox Hackfest New
2419 York City in 2012&lt;/a&gt; (Youtube)&lt;/li&gt;
2420
2421 &lt;li&gt;&lt;a href=&quot;http://www.youtube.com/watch?v=tkbSB4Ba7Ck&quot;&gt;Introduction
2422 to the Freedombox at Freedombox Hackfest New York City in 2012&lt;/a&gt;
2423 (Youtube)&lt;/li&gt;
2424
2425 &lt;li&gt;&lt;a href=&quot;http://www.youtube.com/watch?v=z-P2Jaeg0aQ&quot;&gt;Freedom, Out
2426 of the Box! by Bdale Garbee at linux.conf.au Ballarat, 2012&lt;/a&gt; (Youtube) &lt;/li&gt;
2427
2428 &lt;li&gt;&lt;a href=&quot;https://archive.fosdem.org/2013/schedule/event/freedombox/&quot;&gt;Freedombox
2429 1.0 by Eben Moglen and Bdale Garbee at Fosdem 2013&lt;/a&gt; (FOSDEM) &lt;/li&gt;
2430
2431 &lt;li&gt;&lt;a href=&quot;http://www.youtube.com/watch?v=e1LpYX2zVYg&quot;&gt;What is the
2432 FreedomBox today by Bdale Garbee at Debconf13 in Vaumarcus
2433 2013&lt;/a&gt; (Youtube)&lt;/li&gt;
2434
2435 &lt;/ul&gt;
2436
2437 &lt;p&gt;A larger list is available from
2438 &lt;a href=&quot;https://wiki.debian.org/FreedomBox/TalksAndPresentations&quot;&gt;the
2439 Freedombox Wiki&lt;/a&gt;.&lt;/p&gt;
2440
2441 &lt;p&gt;On other news, I am happy to report that Freedombox based on Debian
2442 Jessie is coming along quite well, and soon both Owncloud and using
2443 Tor should be available for testers of the Freedombox solution. :) In
2444 a few weeks I hope everything needed to test it is included in Debian.
2445 The withsqlite package is already in Debian, and the plinth package is
2446 pending in NEW. The third and vital part of that puzzle is the
2447 metapackage/setup framework, which is still pending an upload. Join
2448 us on &lt;a href=&quot;irc://irc.debian.org:6667/%23freedombox&quot;&gt;IRC
2449 (#freedombox on irc.debian.org)&lt;/a&gt; and
2450 &lt;a href=&quot;http://lists.alioth.debian.org/mailman/listinfo/freedombox-discuss&quot;&gt;the
2451 mailing list&lt;/a&gt; if you want to help make this vision come true.&lt;/p&gt;
2452 </description>
2453 </item>
2454
2455 <item>
2456 <title>Recipe to test the Freedombox project on amd64 or Raspberry Pi</title>
2457 <link>https://people.skolelinux.org/pere/blog/Recipe_to_test_the_Freedombox_project_on_amd64_or_Raspberry_Pi.html</link>
2458 <guid isPermaLink="true">https://people.skolelinux.org/pere/blog/Recipe_to_test_the_Freedombox_project_on_amd64_or_Raspberry_Pi.html</guid>
2459 <pubDate>Tue, 10 Sep 2013 14:20:00 +0200</pubDate>
2460 <description>&lt;p&gt;I was introduced to the
2461 &lt;a href=&quot;http://www.freedomboxfoundation.org/&quot;&gt;Freedombox project&lt;/a&gt;
2462 in 2010, when Eben Moglen presented his vision about serving the need
2463 of non-technical people to keep their personal information private and
2464 within the legal protection of their own homes. The idea is to give
2465 people back the power over their network and machines, and return
2466 Internet back to its intended peer-to-peer architecture. Instead of
2467 depending on a central service, the Freedombox will give everyone
2468 control over their own basic infrastructure.&lt;/p&gt;
2469
2470 &lt;p&gt;I&#39;ve intended to join the effort since then, but other tasks have
2471 taken priority. But this summers nasty news about the misuse of trust
2472 and privilege exercised by the &quot;western&quot; intelligence gathering
2473 communities increased my eagerness to contribute to a point where I
2474 actually started working on the project a while back.&lt;/p&gt;
2475
2476 &lt;p&gt;The &lt;a href=&quot;https://alioth.debian.org/projects/freedombox/&quot;&gt;initial
2477 Debian initiative&lt;/a&gt; based on the vision from Eben Moglen, is to
2478 create a simple and cheap Debian based appliance that anyone can hook
2479 up in their home and get access to secure and private services and
2480 communication. The initial deployment platform have been the
2481 &lt;a href=&quot;http://www.globalscaletechnologies.com/t-dreamplugdetails.aspx&quot;&gt;Dreamplug&lt;/a&gt;,
2482 which is a piece of hardware I do not own. So to be able to test what
2483 the current Freedombox setup look like, I had to come up with a way to install
2484 it on some hardware I do have access to. I have rewritten the
2485 &lt;a href=&quot;https://github.com/NickDaly/freedom-maker&quot;&gt;freedom-maker&lt;/a&gt;
2486 image build framework to use .deb packages instead of only copying
2487 setup into the boot images, and thanks to this rewrite I am able to
2488 set up any machine supported by Debian Wheezy as a Freedombox, using
2489 the previously mentioned deb (and a few support debs for packages
2490 missing in Debian).&lt;/p&gt;
2491
2492 &lt;p&gt;The current Freedombox setup consist of a set of bootstrapping
2493 scripts
2494 (&lt;a href=&quot;https://github.com/petterreinholdtsen/freedombox-setup&quot;&gt;freedombox-setup&lt;/a&gt;),
2495 and a administrative web interface
2496 (&lt;a href=&quot;https://github.com/NickDaly/Plinth&quot;&gt;plinth&lt;/a&gt; + exmachina +
2497 withsqlite), as well as a privacy enhancing proxy based on
2498 &lt;a href=&quot;http://packages.qa.debian.org/privoxy&quot;&gt;privoxy&lt;/a&gt;
2499 (freedombox-privoxy). There is also a web/javascript based XMPP
2500 client (&lt;a href=&quot;http://packages.qa.debian.org/jwchat&quot;&gt;jwchat&lt;/a&gt;)
2501 trying (unsuccessfully so far) to talk to the XMPP server
2502 (&lt;a href=&quot;http://packages.qa.debian.org/ejabberd&quot;&gt;ejabberd&lt;/a&gt;). The
2503 web interface is pluggable, and the goal is to use it to enable OpenID
2504 services, mesh network connectivity, use of TOR, etc, etc. Not much of
2505 this is really working yet, see
2506 &lt;a href=&quot;https://github.com/NickDaly/freedombox-todos/blob/master/TODO&quot;&gt;the
2507 project TODO&lt;/a&gt; for links to GIT repositories. Most of the code is
2508 on github at the moment. The HTTP proxy is operational out of the
2509 box, and the admin web interface can be used to add/remove plinth
2510 users. I&#39;ve not been able to do anything else with it so far, but
2511 know there are several branches spread around github and other places
2512 with lots of half baked features.&lt;/p&gt;
2513
2514 &lt;p&gt;Anyway, if you want to have a look at the current state, the
2515 following recipes should work to give you a test machine to poke
2516 at.&lt;/p&gt;
2517
2518 &lt;p&gt;&lt;strong&gt;Debian Wheezy amd64&lt;/strong&gt;&lt;/p&gt;
2519
2520 &lt;ol&gt;
2521
2522 &lt;li&gt;Fetch normal Debian Wheezy installation ISO.&lt;/li&gt;
2523 &lt;li&gt;Boot from it, either as CD or USB stick.&lt;/li&gt;
2524 &lt;li&gt;&lt;p&gt;Press [tab] on the boot prompt and add this as a boot argument
2525 to the Debian installer:&lt;p&gt;
2526 &lt;pre&gt;url=&lt;a href=&quot;http://www.reinholdtsen.name/freedombox/preseed-wheezy.dat&quot;&gt;http://www.reinholdtsen.name/freedombox/preseed-wheezy.dat&lt;/a&gt;&lt;/pre&gt;&lt;/li&gt;
2527
2528 &lt;li&gt;Answer the few language/region/password questions and pick disk to
2529 install on.&lt;/li&gt;
2530
2531 &lt;li&gt;When the installation is finished and the machine have rebooted a
2532 few times, your Freedombox is ready for testing.&lt;/li&gt;
2533
2534 &lt;/ol&gt;
2535
2536 &lt;p&gt;&lt;strong&gt;Raspberry Pi Raspbian&lt;/strong&gt;&lt;/p&gt;
2537
2538 &lt;ol&gt;
2539
2540 &lt;li&gt;Fetch a Raspbian SD card image, create SD card.&lt;/li&gt;
2541 &lt;li&gt;Boot from SD card, extend file system to fill the card completely.&lt;/li&gt;
2542 &lt;li&gt;&lt;p&gt;Log in and add this to /etc/sources.list:&lt;/p&gt;
2543 &lt;pre&gt;
2544 deb &lt;a href=&quot;http://www.reinholdtsen.name/freedombox/&quot;&gt;http://www.reinholdtsen.name/freedombox&lt;/a&gt; wheezy main
2545 &lt;/pre&gt;&lt;/li&gt;
2546 &lt;li&gt;&lt;p&gt;Run this as root:&lt;/p&gt;
2547 &lt;pre&gt;
2548 wget -O - http://www.reinholdtsen.name/freedombox/BE1A583D.asc | \
2549 apt-key add -
2550 apt-get update
2551 apt-get install freedombox-setup
2552 /usr/lib/freedombox/setup
2553 &lt;/pre&gt;&lt;/li&gt;
2554 &lt;li&gt;Reboot into your freshly created Freedombox.&lt;/li&gt;
2555
2556 &lt;/ol&gt;
2557
2558 &lt;p&gt;You can test it on other architectures too, but because the
2559 freedombox-privoxy package is binary, it will only work as intended on
2560 the architectures where I have had time to build the binary and put it
2561 in my APT repository. But do not let this stop you. It is only a
2562 short &quot;&lt;tt&gt;apt-get source -b freedombox-privoxy&lt;/tt&gt;&quot; away. :)&lt;/p&gt;
2563
2564 &lt;p&gt;Note that by default Freedombox is a DHCP server on the
2565 192.168.1.0/24 subnet, so if this is your subnet be careful and turn
2566 off the DHCP server by running &quot;&lt;tt&gt;update-rc.d isc-dhcp-server
2567 disable&lt;/tt&gt;&quot; as root.&lt;/p&gt;
2568
2569 &lt;p&gt;Please let me know if this works for you, or if you have any
2570 problems. We gather on the IRC channel
2571 &lt;a href=&quot;irc://irc.debian.org:6667/%23freedombox&quot;&gt;#freedombox&lt;/a&gt; on
2572 irc.debian.org and the
2573 &lt;a href=&quot;http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/freedombox-discuss&quot;&gt;project
2574 mailing list&lt;/a&gt;.&lt;/p&gt;
2575
2576 &lt;p&gt;Once you get your freedombox operational, you can visit
2577 &lt;tt&gt;http://your-host-name:8001/&lt;/tt&gt; to see the state of the plint
2578 welcome screen (dead end - do not be surprised if you are unable to
2579 get past it), and next visit &lt;tt&gt;http://your-host-name:8001/help/&lt;/tt&gt;
2580 to look at the rest of plinth. The default user is &#39;admin&#39; and the
2581 default password is &#39;secret&#39;.&lt;/p&gt;
2582 </description>
2583 </item>
2584
2585 <item>
2586 <title>Dr. Richard Stallman, founder of Free Software Foundation, give a talk in Oslo March 1st 2013</title>
2587 <link>https://people.skolelinux.org/pere/blog/Dr__Richard_Stallman__founder_of_Free_Software_Foundation__give_a_talk_in_Oslo_March_1st_2013.html</link>
2588 <guid isPermaLink="true">https://people.skolelinux.org/pere/blog/Dr__Richard_Stallman__founder_of_Free_Software_Foundation__give_a_talk_in_Oslo_March_1st_2013.html</guid>
2589 <pubDate>Wed, 27 Feb 2013 20:20:00 +0100</pubDate>
2590 <description>&lt;p&gt;Dr. &lt;a href=&quot;http://www.stallman.org/&quot;&gt;Richard Stallman&lt;/a&gt;,
2591 founder of &lt;a href=&quot;http://www.fsf.org/&quot;&gt;Free Software Foundation&lt;/a&gt;,
2592 is giving &lt;a href=&quot;http://www.nuug.no/aktiviteter/20130301-rms/&quot;&gt;a
2593 talk in Oslo March 1st 2013 17:00 to 19:00&lt;/a&gt;. The event is public
2594 and organised by &lt;a href=&quot;&quot;&gt;Norwegian Unix Users Group (NUUG)&lt;/a&gt;
2595 (where I am the chair of the board) and
2596 &lt;a href=&quot;http://www.friprog.no/&quot;&gt;The Norwegian Open Source Competence
2597 Center&lt;/a&gt;. The title of the talk is «The Free Software Movement and
2598 GNU», with this description:
2599
2600 &lt;p&gt;&lt;blockquote&gt;
2601 The Free Software Movement campaigns for computer users&#39; freedom to
2602 cooperate and control their own computing. The Free Software Movement
2603 developed the GNU operating system, typically used together with the
2604 kernel Linux, specifically to make these freedoms possible.
2605 &lt;/blockquote&gt;&lt;/p&gt;
2606
2607 &lt;p&gt;The meeting is open for everyone. Due to space limitations, the
2608 doors opens for NUUG members at 16:15, and everyone else at 16:45. I
2609 am really curious how many will show up. See
2610 &lt;a href=&quot;http://www.nuug.no/aktiviteter/20130301-rms/&quot;&gt;the event
2611 page&lt;/a&gt; for the location details.&lt;/p&gt;
2612 </description>
2613 </item>
2614
2615 <item>
2616 <title>1.4 millioner potensielle journalistsamtaler i politiets hender</title>
2617 <link>https://people.skolelinux.org/pere/blog/1_4_millioner_potensielle_journalistsamtaler_i_politiets_hender.html</link>
2618 <guid isPermaLink="true">https://people.skolelinux.org/pere/blog/1_4_millioner_potensielle_journalistsamtaler_i_politiets_hender.html</guid>
2619 <pubDate>Tue, 27 Nov 2012 15:20:00 +0100</pubDate>
2620 <description>&lt;p&gt;I fjor meldte Dagbladet og andre medier at
2621 &lt;a href=&quot;http://www.dagbladet.no/2011/09/27/nyheter/innenriks/terror/anders_behring_breivik/18323147/&quot;&gt;politiet
2622 hadde samlet inn informasjon om 1.4 millioner telefonsamtaler&lt;/a&gt; i
2623 området rundt Akersgata, regjeringskvartalet og Utøya, i forbindelse
2624 med etterforskningen rundt bombeattentatet og massemordet 22. juli
2625 2011. Politiadvokat Pål-Fredrik Hjort Kraby fortalte i følge
2626 artikkelen at&lt;/p&gt;
2627
2628 &lt;blockquote&gt;
2629 - «Dette er ikke kun samtaler som knyttes til Breivik. Dette er alle
2630 samtaler som er registrert på basestasjoner i tilknytning til både
2631 bomba i Regjeringskvartalet og aksjonen på Utøya. Vi må analysere tid,
2632 lengde og fra hvilke basestasjoner de er registrert på. Vi prøver å
2633 finne ut hvem som har ringt til en hver tid, også i dagene før.»
2634 &lt;/blockquote&gt;
2635
2636 &lt;p&gt;Det triste og merkelige er at ingen presseoppslag tok opp hva dette
2637 egentlig betød for kildevernet. Et stenkast fra regjeringskvartalet
2638 befinner redaksjonene til blant annet VG, Dagbladet og Aftenposten
2639 seg. Det betyr at et betydelig antall av journalisters samtaler var
2640 og er tilgjengelig for politiet. Og dette var ikke en unik hendelse.
2641 Politiet henter rutinemessig ut informasjon om telefonsamtaler i
2642 kriminaletterforskningen, og en kan gå ut ifra at det ofte vil være
2643 noe kriminelt å undersøke nær en redaksjon da redaksjoner holder til i
2644 sentrum og tettsteder, der det meste av annen aktivitet i et område
2645 også foregår. F.eks. befinner Aftenposten seg like ved Oslo
2646 Sentralstasjon, et ganske kriminelt belastet område, der jeg mistenker
2647 politiet ofte hente ut samtaleinformasjon. Og avisen Aftenposten
2648 annonserte jo for noen år siden at ansatte kun skulle ha mobiltelefon
2649 (noe de kanskje angret på
2650 &lt;a href=&quot;http://www.digi.no/216833/raadlose-bedrifter-uten-sikkerhetsnett&quot;&gt;da
2651 mobilnettet brøt sammen&lt;/a&gt;), hvilket betyr at alle samtaler
2652 journalistene gjennomfører går via nabolagets mobilbasestasjoner og
2653 dermed blir med og analysert når politiet ber om informasjon om
2654 mobilsamtaler i området. Det samme gjelder antagelig de fleste
2655 mediehus nå for tiden.&lt;/p&gt;
2656
2657 &lt;p&gt;Konsekvensen er at en må gå ut i fra at politiet kan få tilgang til
2658 informasjon om alle samtaler med journalister, hvilket bør få varslere
2659 og andre som vil tipse journalister til å tenke seg to ganger før de
2660 ringer en journalist. Det er for meg en svært uheldig situasjon.&lt;/p&gt;
2661
2662 &lt;p&gt;Anders Brenne tipset meg om dette tidligere i år, og har skrevet om
2663 problemstillingen i sin bok
2664 &lt;a href=&quot;http://www.hoyskoleforlaget.no/index.asp?template=40&amp;bokId=978-82-7147-358-7&quot;&gt;Digitalt
2665 kildevern&lt;/a&gt; som ble lansert i år og
2666 &lt;a href=&quot;http://www.netthoder.no/2012/04/dette-ma-du-vite-om-du-vil-sikre-kildevernet-referat/&quot;&gt;presentert
2667 på et NONA-møte i april&lt;/a&gt;. Oppsummeringen fra møtet inneholder
2668 flere detaljer og bakgrunnsinformasjon. Jeg synes det er besynderlig
2669 at så få journalister tar opp denne problemstillingen, og ikke stiller
2670 flere kritiske spørsmål til innføringen av datalagringsdirektivet og
2671 den raderingen av personvernet som har foregått i Norge i løpet av
2672 mange år nå.&lt;/p&gt;
2673 </description>
2674 </item>
2675
2676 <item>
2677 <title>FAD tvinger igjennom BankID-tilgang til personsensitiv informasjon om meg</title>
2678 <link>https://people.skolelinux.org/pere/blog/FAD_tvinger_igjennom_BankID_tilgang_til_personsensitiv_informasjon_om_meg.html</link>
2679 <guid isPermaLink="true">https://people.skolelinux.org/pere/blog/FAD_tvinger_igjennom_BankID_tilgang_til_personsensitiv_informasjon_om_meg.html</guid>
2680 <pubDate>Wed, 21 Nov 2012 17:10:00 +0100</pubDate>
2681 <description>&lt;p&gt;I dag fikk jeg svar fra fornyingsdepartementet på min
2682 &lt;a href=&quot;http://people.skolelinux.org/pere/blog/BankID_skal_ikke_gi_tilgang_til_min_personsensitive_informasjon.html&quot;&gt;forespørsel
2683 om å reservere meg mot at BankID&lt;/a&gt; brukes til å få tilgang til
2684 informasjon om meg via ID-porten. Like etter at svaret kom fikk jeg
2685 beskjed om at min henvendelse har fått
2686 &lt;a href=&quot;http://www.oep.no/search/result.html?caseNumber=2012/3446&amp;searchType=advanced&amp;list2=94&amp;caseSearch=true&amp;sortField=doknr&quot;&gt;saksnummer
2687 12/3446 hos FAD&lt;/a&gt;, som dessverre ikke har dukket opp i Offentlig
2688 Elektronisk Postjournal ennå. Her er svaret jeg fikk:&lt;/p&gt;
2689
2690 &lt;blockquote&gt;
2691 &lt;p&gt;Date: Wed, 21 Nov 2012 11:18:52 +0000
2692 &lt;br&gt;From: Hornnes Stig &amp;lt;Stig.Hornnes (at) fad.dep.no&amp;gt;
2693 &lt;br&gt;To: Petter Reinholdtsen
2694 &lt;br&gt;Subject: Reservasjon mot BankID&lt;/p&gt;
2695
2696 &lt;p&gt;Hei Petter,&lt;/p&gt;
2697
2698 &lt;p&gt;Du har sendt oss forespørsel om at din bruker blir reservert mot bruk
2699 av BankID i ID-porten. Det er ikke lagt opp til at enkeltpersoner kan
2700 reservere seg på denne måten.&lt;/p&gt;
2701
2702 &lt;p&gt;Tanken bak ID-porten er at innbyggerne skal kunne velge hvilken eID de
2703 ønsker å bruke for å logge på offentlige tjenester. For å sikre
2704 valgfriheten har vi inngått avtaler med BankID, Buypass og
2705 Commfides. I tillegg har vi den offentlige MinID, men hvor utstedelse
2706 skjer til adresse registrert i folkeregisteret, og derfor ikke er
2707 egnet til tjenestene med det høyeste sikkerhetsbehovet.&lt;/p&gt;
2708
2709 &lt;p&gt;Sikkerhet er et viktig tema for oss. Alle leverandørene som er i
2710 ID-porten i dag, inkl. BankID, har oppfylt både kravene som fremgår av
2711 Kravspek PKI (pluss noen tilleggskrav fra Difi i anskaffelsen) og er
2712 selvdeklarerte hos Post og Teletilsynet (PT) som har tilsynsansvar for
2713 denne typen virksomheter. For BankID sin del ble det gjennomført
2714 revisjon av løsningen i 2009, på bestilling fra PT etter en del
2715 negative oppslag knyttet til nettopp sikkerheten i løsningen. Det
2716 fremkom ingen alvorlige sikkerhetsproblemer i revisjonen.&lt;/p&gt;
2717
2718 &lt;p&gt;Når dette er sagt; Ingen løsninger er 100 prosent sikre, verken
2719 papirbaserte systemer eller elektroniske. Eksempelvis vil misbruk av
2720 identitetsbevis for å urettmessig skaffe seg en e-ID, alltid være en
2721 risiko. Men det er en generell risiko for alle nivå 4-e-id-er vi har i
2722 Norge per i dag. Det er kriminelt, men det er umulig å være ett
2723 hundre prosent sikker på at det ikke kan skje. Vi har imidlertid fokus
2724 på å redusere risikoen så mye som mulig, og skal jobbe videre sammen
2725 med blant annet Justisdepartementet med ulike tiltak som vil bidra til
2726 bedre grunnidentifisering av innbyggere.&lt;/p&gt;
2727
2728 &lt;p&gt;Mvh
2729 &lt;br&gt;Stig Hornnes
2730 &lt;br&gt;Rådgiver - FAD&lt;/p&gt;
2731 &lt;/blockquote&gt;
2732
2733 &lt;p&gt;Litt merkelig at de har glemt å legge opp til at enkeltpersoner kan
2734 reservere seg på denne måten. FAD burde være klar over
2735 problemstillingen med reservasjon, da jeg tok det opp med dem da de
2736 presenterte MinID på en presentasjon de holdt på Gardermoen for noen
2737 år siden. Det burde jo også være teknisk svært enkelt å få støtte for
2738 slikt i en ID-portal. Her må det visst tyngre virkemidler til enn en
2739 vennlig forespørsel om å reservere seg. Får tenke igjennom neste
2740 steg.&lt;/p&gt;
2741
2742 &lt;p&gt;Du lurer kanskje på hva som er problemet med BankID? For å
2743 forklare det, er det greit å gå et steg tilbake og beskrive offentlig
2744 nøkkel-kryptering, eller
2745 &lt;a href=&quot;http://snl.no/asymmetrisk_kryptografi&quot;&gt;asymmetrisk
2746 kryptografi&lt;/a&gt; som det også kalles. En fin beskrivelse
2747 &lt;a href=&quot;http://www.matematikk.org/artikkel.html?tid=63068&quot;&gt;finnes på
2748 matematikk.org&lt;/a&gt;:&lt;/p&gt;
2749
2750 &lt;blockquote&gt;
2751 Se for deg at person A har en hengelås og at han sender den til deg (i
2752 åpen tilstand), men beholder nøkkelen. Du kan dermed låse inn en
2753 hemmelighet ved hjelp av hengelåsen og sende den til A. Bare A kan
2754 låse opp igjen, siden bare A har den riktige nøkkelen.
2755 &lt;/blockquote&gt;
2756
2757 &lt;p&gt;Signering med asymmetrisk kryptering gjør at en kan vite at kun de
2758 som har tilgang til nøkkelen har signert et gitt dokument. Mitt
2759 problem med BankID er det er utformet slik at banken beholder nøkkelen
2760 til hengelåsen og kontraktsmessig har lovet å kun bruke den når jeg
2761 ber om det. Det er ikke godt nok for meg. Jeg forventer et system
2762 der kun jeg har nøkkelen hvis det skal kunne brukes til å inngå
2763 avtaler på mine vegne eller få tilgang til min personsensitive
2764 informasjon. Jeg forventer at det velges en teknisk løsning der det
2765 er tvingende nødvendig at jeg er involvert når det skal signeres noe
2766 på mine vegne. BankID er ikke en slik.&lt;/p&gt;
2767 </description>
2768 </item>
2769
2770 <item>
2771 <title>BankID skal ikke gi tilgang til min personsensitive informasjon</title>
2772 <link>https://people.skolelinux.org/pere/blog/BankID_skal_ikke_gi_tilgang_til_min_personsensitive_informasjon.html</link>
2773 <guid isPermaLink="true">https://people.skolelinux.org/pere/blog/BankID_skal_ikke_gi_tilgang_til_min_personsensitive_informasjon.html</guid>
2774 <pubDate>Fri, 16 Nov 2012 12:30:00 +0100</pubDate>
2775 <description>&lt;p&gt;Onsdag i denne uka annonserte
2776 &lt;a href=&quot;http://www.fad.dep.no/&quot;&gt;Fornyingsdepartementet&lt;/a&gt; at de har
2777 inngått kontrakt med BankID Norge om bruk av BankID for å la borgerne
2778 logge inn på offentlige nettsider der en kan få tilgang til
2779 personsensitiv informasjon. Jeg skrev i 2009 litt om
2780 &lt;a href=&quot;http://people.skolelinux.org/pere/blog/Jeg_vil_ikke_ha_BankID.html&quot;&gt;hvorfor
2781 jeg ikke vil ha BankID&lt;/a&gt; &amp;mdash; jeg stoler ikke nok på en bank til
2782 å gi dem mulighet til å inngå avtaler på mine vegne. Jeg forlanger at
2783 jeg skal være involvert når det skal inngås avtaler på mine vegne.&lt;/p&gt;
2784
2785 &lt;p&gt;Jeg har derfor valgt å bruke
2786 &lt;a href=&quot;http://www.skandibanken.no/&quot;&gt;Skandiabanken&lt;/a&gt; (det er flere
2787 banker som ikke krever BankID, se
2788 &lt;a href=&quot;http://no.wikipedia.org/wiki/BankID&quot;&gt;Wikipedia for en
2789 liste&lt;/a&gt;) på grunn av at de ikke tvinger sine kunder til å bruke
2790 BankID. I motsetning til Postbanken, som løy til meg i 2009 da
2791 kundestøtten der sa at det var blitt et krav fra Kreditttilsynet og
2792 BBS om at norske banker måtte innføre BankID, har ikke Skandiabanken
2793 forsøkt å tvinge meg til å ta i bruk BankID. Jeg fikk nylig endelig
2794 spurt Finanstilsynet (de har byttet navn siden 2009), og fikk beskjed
2795 fra Frank Robert Berg hos Finanstilsynet i epost 2012-09-17 at
2796 Finanstilsynet ikke har fremsatt slike krav. Med andre ord snakket
2797 ikke Postbankens kundestøtte sant i 2009.&lt;/p&gt;
2798
2799 &lt;p&gt;Når en i tillegg fra
2800 &lt;a href=&quot;http://www.aftenposten.no/nyheter/iriks/Tyver-kan-tappe-kontoen-din---selv-uten-passord-og-pinkode--6989793.html&quot;&gt;oppslag
2801 i Aftenposten&lt;/a&gt; vet at de som jobber i alle bankene som bruker
2802 BankID i dag, det være seg utro tjenere, eller de som lar seg lure av
2803 falsk legitimasjon, kan lage og dele ut en BankID som gir tilgang til
2804 mine kontoer og rett til å inngå avtaler på mine vegne, blir det
2805 viktigere enn noen gang å få reservert seg mot BankID. Det holder
2806 ikke å la være å bruke det selv. Jeg sendte derfor følgende
2807 epost-brev til Fornyingsdepartementet i går:&lt;/p&gt;
2808
2809 &lt;p&gt;&lt;blockquote&gt;
2810 &lt;p&gt;Date: Thu, 15 Nov 2012 11:08:31 +0100
2811 &lt;br&gt;From: Petter Reinholdtsen &amp;lt;pere (at) hungry.com&amp;gt;
2812 &lt;br&gt;To: postmottak (at) fad.dep.no
2813 &lt;br&gt;Subject: Forespørsel om reservasjon mot bruk av BankID i ID-porten&lt;/p&gt;
2814
2815 &lt;p&gt;Jeg viser til nyheten om at staten har tildelt kontrakt for å
2816 levere elektronisk ID for offentlige digitale tjenester til BankID
2817 Norge, referert til blant annet i Digi[1] og i FADs
2818 pressemelding[2].&lt;/p&gt;
2819
2820 &lt;p&gt;1) &amp;lt;URL: &lt;a href=&quot;http://www.digi.no/906093/staten-gaar-for-bankid&quot;&gt;http://www.digi.no/906093/staten-gaar-for-bankid&lt;/a&gt; &amp;gt;
2821 &lt;br&gt;2) &amp;lt;URL: &lt;a href=&quot;http://www.regjeringen.no/nb/dep/fad/pressesenter/pressemeldinger/2012/staten-inngar-avtale-med-bankid.html&quot;&gt;http://www.regjeringen.no/nb/dep/fad/pressesenter/pressemeldinger/2012/staten-inngar-avtale-med-bankid.html&lt;/a&gt; &amp;gt;&lt;/p&gt;
2822
2823 &lt;p&gt;Gitt BankIDs utforming, der BankID-utsteder har både privat og
2824 offentlig del av kundens nøkkel hos seg, er jeg ikke villig til å gi
2825 tilgang til informasjon som hører til min min privatsfære ved hjelp av
2826 innlogging med BankID.&lt;/p&gt;
2827
2828 &lt;p&gt;Jeg ber derfor herved om at løsningen settes opp slik at ingen kan
2829 logge inn som meg på offentlige digitale tjenester ved hjelp av
2830 BankID, det vil si at jeg reserverer meg mot enhver bruk av BankID for
2831 å logge meg inn på slike tjenester som kan inneholde personsensitiv
2832 informasjon om meg.&lt;/p&gt;
2833
2834 &lt;p&gt;Jeg har ikke BankID i dag, men som en kan se i oppslag i Aftenposten
2835 2012-09-13[3] er det ikke til hindrer for at andre kan bruke BankID på
2836 mine vegne for å få tilgang. Det sikkerhetsproblemet kommer i tillegg
2837 til utformingsproblemet omtalt over, og forsterker bare mitt syn på at
2838 BankID ikke er aktuelt for meg til noe annet enn å logge inn i en
2839 nettbank der banken i større grad bærer risikoen ved misbruk.&lt;/p&gt;
2840
2841 &lt;p&gt;3) &amp;lt;URL: &lt;a href=&quot;http://www.aftenposten.no/nyheter/iriks/Tyver-kan-tappe-kontoen-din---selv-uten-passord-og-pinkode--6989793.html&quot;&gt;http://www.aftenposten.no/nyheter/iriks/Tyver-kan-tappe-kontoen-din---selv-uten-passord-og-pinkode--6989793.html&lt;/a&gt; &amp;gt;&lt;/p&gt;
2842
2843 &lt;p&gt;Jeg ber om rask tilbakemelding med saksnummer for min henvendelse.
2844 Jeg ber videre om bekreftelse på at BankID-innlogging er blokkert når
2845 det gjelder tilgang til &quot;min&quot; informasjon hos det offentlige, i
2846 forkant av BankID-integrasjon mot ID-porten som i følge
2847 pressemeldingen skal komme på plass i løpet av et par uker.&lt;/p&gt;
2848
2849 &lt;p&gt;--
2850 &lt;br&gt;Vennlig hilsen
2851 &lt;br&gt;Petter Reinholdtsen&lt;/p&gt;
2852 &lt;/blockquote&gt;
2853
2854 &lt;p&gt;Jeg venter spent på svaret. Jeg mistenker jeg må sende tilsvarende
2855 beskjed til mine bankforbindelser for å sikre mine bankkontoer.&lt;/p&gt;
2856
2857 &lt;p&gt;Hvis det skal brukes offentlig nøkkel-teknologi til å inngå avtaler
2858 på mine vegne og skaffe seg personsensitiv informasjon om meg, så er
2859 mitt krav at det kun er jeg som har tilgang på min private nøkkel.
2860 Alt annet blir å gi for mye tillit til andre. Med BankID sitter andre
2861 på både &quot;min&quot; offentlige og private nøkkel.&lt;/p&gt;
2862 </description>
2863 </item>
2864
2865 <item>
2866 <title>The European Central Bank (ECB) take a look at bitcoin</title>
2867 <link>https://people.skolelinux.org/pere/blog/The_European_Central_Bank__ECB__take_a_look_at_bitcoin.html</link>
2868 <guid isPermaLink="true">https://people.skolelinux.org/pere/blog/The_European_Central_Bank__ECB__take_a_look_at_bitcoin.html</guid>
2869 <pubDate>Sun, 4 Nov 2012 08:30:00 +0100</pubDate>
2870 <description>&lt;p&gt;Slashdot just ran a story about the European Central Bank (ECB)
2871 &lt;a href=&quot;http://www.ecb.europa.eu/pub/pdf/other/virtualcurrencyschemes201210en.pdf&quot;&gt;releasing
2872 a report (PDF)&lt;/a&gt; about virtual currencies and
2873 &lt;a href=&quot;http://www.bitcoin.org/&quot;&gt;bitcoin&lt;/a&gt;. It is interesting to
2874 see how a member of the bitcoin community
2875 &lt;a href=&quot;http://blog.bitinstant.com/blog/2012/10/30/the-ecb-report-on-bitcoin-and-virtual-currencies.html&quot;&gt;receive
2876 the report&lt;/a&gt;. As for the future, I suspect the central banks and
2877 the governments will outlaw bitcoin if it gain any popularity, to avoid
2878 competition. My thoughts go to the
2879 &lt;a href=&quot;http://en.wikipedia.org/wiki/Wörgl&quot;&gt;Wörgl experiment&lt;/a&gt; with
2880 negative inflation on cash which was such a success that it was
2881 terminated by the Austrian National Bank in 1933. A successful
2882 alternative would be a threat to the current money system and gain
2883 powerful forces to work against it.&lt;/p&gt;
2884
2885 &lt;p&gt;While checking out the current status of bitcoin, I also discovered
2886 that the community already seem to have
2887 &lt;a href=&quot;http://www.theverge.com/2012/8/27/3271637/bitcoin-savings-trust-pyramid-scheme-shuts-down&quot;&gt;experienced
2888 its first pyramid game / Ponzi scheme&lt;/a&gt;. Not very surprising, given
2889 how members of &quot;small&quot; communities tend to trust each other. I guess
2890 enterprising crocks will try again and again, as they do anywhere
2891 wealth is available.&lt;/p&gt;
2892 </description>
2893 </item>
2894
2895 <item>
2896 <title>The fight for freedom and privacy</title>
2897 <link>https://people.skolelinux.org/pere/blog/The_fight_for_freedom_and_privacy.html</link>
2898 <guid isPermaLink="true">https://people.skolelinux.org/pere/blog/The_fight_for_freedom_and_privacy.html</guid>
2899 <pubDate>Thu, 18 Oct 2012 10:50:00 +0200</pubDate>
2900 <description>&lt;p&gt;Civil liberties and privacy in the western world are going down the
2901 drain, and it is hard to fight against it. I try to do my best, but
2902 time is limited. I hope you do your best too. A few years ago I came
2903 across a marvellous drawing by
2904 &lt;a href=&quot;http://www.claybennett.com/about.html&quot;&gt;Clay Bennett&lt;/a&gt;
2905 visualising some of what is going on.
2906
2907 &lt;p&gt;&lt;a href=&quot;http://www.claybennett.com/pages/security_fence.html&quot;&gt;
2908 &lt;img src=&quot;http://www.claybennett.com/images/archivetoons/security_fence.jpg&quot;&gt;&lt;/a&gt;&lt;/p&gt;
2909
2910 &lt;blockquote&gt;
2911 «They who can give up essential liberty to obtain a little temporary
2912 safety, deserve neither liberty nor safety.» - Benjamin Franklin
2913 &lt;/blockquote&gt;
2914
2915 &lt;p&gt;Do you feel safe at the airport? I do not. Do you feel safe when
2916 you see a surveillance camera? I do not. Do you feel safe when you
2917 leave electronic traces of your behaviour and opinions? I do not. I
2918 just remember &lt;a href=&quot;http://en.wikipedia.org/wiki/Panopticon&quot;&gt;the
2919 Panopticon&lt;/a&gt;, and can not help to think that we are slowly
2920 transforming our society to a huge Panopticon on our own.&lt;/p&gt;
2921 </description>
2922 </item>
2923
2924 <item>
2925 <title>Using NVD and CPE to track CVEs in locally maintained software</title>
2926 <link>https://people.skolelinux.org/pere/blog/Using_NVD_and_CPE_to_track_CVEs_in_locally_maintained_software.html</link>
2927 <guid isPermaLink="true">https://people.skolelinux.org/pere/blog/Using_NVD_and_CPE_to_track_CVEs_in_locally_maintained_software.html</guid>
2928 <pubDate>Fri, 28 Jan 2011 15:40:00 +0100</pubDate>
2929 <description>&lt;p&gt;The last few days I have looked at ways to track open security
2930 issues here at my work with the University of Oslo. My idea is that
2931 it should be possible to use the information about security issues
2932 available on the Internet, and check our locally
2933 maintained/distributed software against this information. It should
2934 allow us to verify that no known security issues are forgotten. The
2935 CVE database listing vulnerabilities seem like a great central point,
2936 and by using the package lists from Debian mapped to CVEs provided by
2937 the testing security team, I believed it should be possible to figure
2938 out which security holes were present in our free software
2939 collection.&lt;/p&gt;
2940
2941 &lt;p&gt;After reading up on the topic, it became obvious that the first
2942 building block is to be able to name software packages in a unique and
2943 consistent way across data sources. I considered several ways to do
2944 this, for example coming up with my own naming scheme like using URLs
2945 to project home pages or URLs to the Freshmeat entries, or using some
2946 existing naming scheme. And it seem like I am not the first one to
2947 come across this problem, as MITRE already proposed and implemented a
2948 solution. Enter the &lt;a href=&quot;http://cpe.mitre.org/index.html&quot;&gt;Common
2949 Platform Enumeration&lt;/a&gt; dictionary, a vocabulary for referring to
2950 software, hardware and other platform components. The CPE ids are
2951 mapped to CVEs in the &lt;a href=&quot;http://web.nvd.nist.gov/&quot;&gt;National
2952 Vulnerability Database&lt;/a&gt;, allowing me to look up know security
2953 issues for any CPE name. With this in place, all I need to do is to
2954 locate the CPE id for the software packages we use at the university.
2955 This is fairly trivial (I google for &#39;cve cpe $package&#39; and check the
2956 NVD entry if a CVE for the package exist).&lt;/p&gt;
2957
2958 &lt;p&gt;To give you an example. The GNU gzip source package have the CPE
2959 name cpe:/a:gnu:gzip. If the old version 1.3.3 was the package to
2960 check out, one could look up
2961 &lt;a href=&quot;http://web.nvd.nist.gov/view/vuln/search?cpe=cpe%3A%2Fa%3Agnu%3Agzip:1.3.3&quot;&gt;cpe:/a:gnu:gzip:1.3.3
2962 in NVD&lt;/a&gt; and get a list of 6 security holes with public CVE entries.
2963 The most recent one is
2964 &lt;a href=&quot;http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0001&quot;&gt;CVE-2010-0001&lt;/a&gt;,
2965 and at the bottom of the NVD page for this vulnerability the complete
2966 list of affected versions is provided.&lt;/p&gt;
2967
2968 &lt;p&gt;The NVD database of CVEs is also available as a XML dump, allowing
2969 for offline processing of issues. Using this dump, I&#39;ve written a
2970 small script taking a list of CPEs as input and list all CVEs
2971 affecting the packages represented by these CPEs. One give it CPEs
2972 with version numbers as specified above and get a list of open
2973 security issues out.&lt;/p&gt;
2974
2975 &lt;p&gt;Of course for this approach to be useful, the quality of the NVD
2976 information need to be high. For that to happen, I believe as many as
2977 possible need to use and contribute to the NVD database. I notice
2978 RHEL is providing
2979 &lt;a href=&quot;https://www.redhat.com/security/data/metrics/rhsamapcpe.txt&quot;&gt;a
2980 map from CVE to CPE&lt;/a&gt;, indicating that they are using the CPE
2981 information. I&#39;m not aware of Debian and Ubuntu doing the same.&lt;/p&gt;
2982
2983 &lt;p&gt;To get an idea about the quality for free software, I spent some
2984 time making it possible to compare the CVE database from Debian with
2985 the CVE database in NVD. The result look fairly good, but there are
2986 some inconsistencies in NVD (same software package having several
2987 CPEs), and some inaccuracies (NVD not mentioning buggy packages that
2988 Debian believe are affected by a CVE). Hope to find time to improve
2989 the quality of NVD, but that require being able to get in touch with
2990 someone maintaining it. So far my three emails with questions and
2991 corrections have not seen any reply, but I hope contact can be
2992 established soon.&lt;/p&gt;
2993
2994 &lt;p&gt;An interesting application for CPEs is cross platform package
2995 mapping. It would be useful to know which packages in for example
2996 RHEL, OpenSuSe and Mandriva are missing from Debian and Ubuntu, and
2997 this would be trivial if all linux distributions provided CPE entries
2998 for their packages.&lt;/p&gt;
2999 </description>
3000 </item>
3001
3002 <item>
3003 <title>Some thoughts on BitCoins</title>
3004 <link>https://people.skolelinux.org/pere/blog/Some_thoughts_on_BitCoins.html</link>
3005 <guid isPermaLink="true">https://people.skolelinux.org/pere/blog/Some_thoughts_on_BitCoins.html</guid>
3006 <pubDate>Sat, 11 Dec 2010 15:10:00 +0100</pubDate>
3007 <description>&lt;p&gt;As I continue to explore
3008 &lt;a href=&quot;http://www.bitcoin.org/&quot;&gt;BitCoin&lt;/a&gt;, I&#39;ve starting to wonder
3009 what properties the system have, and how it will be affected by laws
3010 and regulations here in Norway. Here are some random notes.&lt;/p&gt;
3011
3012 &lt;p&gt;One interesting thing to note is that since the transactions are
3013 verified using a peer to peer network, all details about a transaction
3014 is known to everyone. This means that if a BitCoin address has been
3015 published like I did with mine in my initial post about BitCoin, it is
3016 possible for everyone to see how many BitCoins have been transfered to
3017 that address. There is even a web service to look at the details for
3018 all transactions. There I can see that my address
3019 &lt;a href=&quot;http://blockexplorer.com/address/15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b&quot;&gt;15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b&lt;/a&gt;
3020 have received 16.06 Bitcoin, the
3021 &lt;a href=&quot;http://blockexplorer.com/address/1LfdGnGuWkpSJgbQySxxCWhv8MHqvwst3&quot;&gt;1LfdGnGuWkpSJgbQySxxCWhv8MHqvwst3&lt;/a&gt;
3022 address of Simon Phipps have received 181.97 BitCoin and the address
3023 &lt;a href=&quot;http://blockexplorer.com/address/1MCwBbhNGp5hRm5rC1Aims2YFRe2SXPYKt&quot;&gt;1MCwBbhNGp5hRm5rC1Aims2YFRe2SXPYKt&lt;/A&gt;
3024 of EFF have received 2447.38 BitCoins so far. Thank you to each and
3025 every one of you that donated bitcoins to support my activity. The
3026 fact that anyone can see how much money was transfered to a given
3027 address make it more obvious why the BitCoin community recommend to
3028 generate and hand out a new address for each transaction. I&#39;m told
3029 there is no way to track which addresses belong to a given person or
3030 organisation without the person or organisation revealing it
3031 themselves, as Simon, EFF and I have done.&lt;/p&gt;
3032
3033 &lt;p&gt;In Norway, and in most other countries, there are laws and
3034 regulations limiting how much money one can transfer across the border
3035 without declaring it. There are money laundering, tax and accounting
3036 laws and regulations I would expect to apply to the use of BitCoin.
3037 If the Skolelinux foundation
3038 (&lt;a href=&quot;http://linuxiskolen.no/slxdebianlabs/donations.html&quot;&gt;SLX
3039 Debian Labs&lt;/a&gt;) were to accept donations in BitCoin in addition to
3040 normal bank transfers like EFF is doing, how should this be accounted?
3041 Given that it is impossible to know if money can cross the border or
3042 not, should everything or nothing be declared? What exchange rate
3043 should be used when calculating taxes? Would receivers have to pay
3044 income tax if the foundation were to pay Skolelinux contributors in
3045 BitCoin? I have no idea, but it would be interesting to know.&lt;/p&gt;
3046
3047 &lt;p&gt;For a currency to be useful and successful, it must be trusted and
3048 accepted by a lot of users. It must be possible to get easy access to
3049 the currency (as a wage or using currency exchanges), and it must be
3050 easy to spend it. At the moment BitCoin seem fairly easy to get
3051 access to, but there are very few places to spend it. I am not really
3052 a regular user of any of the vendor types currently accepting BitCoin,
3053 so I wonder when my kind of shop would start accepting BitCoins. I
3054 would like to buy electronics, travels and subway tickets, not herbs
3055 and books. :) The currency is young, and this will improve over time
3056 if it become popular, but I suspect regular banks will start to lobby
3057 to get BitCoin declared illegal if it become popular. I&#39;m sure they
3058 will claim it is helping fund terrorism and money laundering (which
3059 probably would be true, as is any currency in existence), but I
3060 believe the problems should be solved elsewhere and not by blaming
3061 currencies.&lt;/p&gt;
3062
3063 &lt;p&gt;The process of creating new BitCoins is called mining, and it is
3064 CPU intensive process that depend on a bit of luck as well (as one is
3065 competing against all the other miners currently spending CPU cycles
3066 to see which one get the next lump of cash). The &quot;winner&quot; get 50
3067 BitCoin when this happen. Yesterday I came across the obvious way to
3068 join forces to increase ones changes of getting at least some coins,
3069 by coordinating the work on mining BitCoins across several machines
3070 and people, and sharing the result if one is lucky and get the 50
3071 BitCoins. Check out
3072 &lt;a href=&quot;http://www.bluishcoder.co.nz/bitcoin-pool/&quot;&gt;BitCoin Pool&lt;/a&gt;
3073 if this sounds interesting. I have not had time to try to set up a
3074 machine to participate there yet, but have seen that running on ones
3075 own for a few days have not yield any BitCoins througth mining
3076 yet.&lt;/p&gt;
3077
3078 &lt;p&gt;Update 2010-12-15: Found an &lt;a
3079 href=&quot;http://inertia.posterous.com/reply-to-the-underground-economist-why-bitcoi&quot;&gt;interesting
3080 criticism&lt;/a&gt; of bitcoin. Not quite sure how valid it is, but thought
3081 it was interesting to read. The arguments presented seem to be
3082 equally valid for gold, which was used as a currency for many years.&lt;/p&gt;
3083 </description>
3084 </item>
3085
3086 <item>
3087 <title>Pornoskannerne på flyplassene bedrer visst ikke sikkerheten</title>
3088 <link>https://people.skolelinux.org/pere/blog/Pornoskannerne_p__flyplassene_bedrer_visst_ikke_sikkerheten.html</link>
3089 <guid isPermaLink="true">https://people.skolelinux.org/pere/blog/Pornoskannerne_p__flyplassene_bedrer_visst_ikke_sikkerheten.html</guid>
3090 <pubDate>Sat, 11 Dec 2010 10:45:00 +0100</pubDate>
3091 <description>&lt;p&gt;Via &lt;a href=&quot;http://webmink.com/2010/12/10/links-for-2010-12-10/&quot;&gt;en
3092 blogpost fra Simon Phipps i går&lt;/a&gt;, fant jeg en referanse til
3093 &lt;a href=&quot;http://www.washingtontimes.com/news/2010/dec/9/exposed-tsas-x-rated-scanner-fraud/&quot;&gt;en
3094 artikkel i Washington Times&lt;/a&gt; som igjen refererer til en artikkel i
3095 det fagfellevurderte tidsskriftet Journal of Transportation Security
3096 med tittelen
3097 &quot;&lt;a href=&quot;http://springerlink.com/content/g6620thk08679160/fulltext.html&quot;&gt;An
3098 evaluation of airport x-ray backscatter units based on image
3099 characteristics&lt;/a&gt;&quot; som enkelt konstaterer at
3100 &lt;a href=&quot;http://www.dailysquib.co.uk/?a=2389&amp;c=124&quot;&gt;pornoscannerne&lt;/a&gt;
3101 som kler av reisende på flyplasser ikke er i stand til å avsløre det
3102 produsenten og amerikanske myndigheter sier de skal avsløre. Kort
3103 sagt, de bedrer ikke sikkerheten. Reisende må altså la ansatte på
3104 flyplasser &lt;a href=&quot;http://www.thousandsstandingaround.org/&quot;&gt;se dem
3105 nakne eller la seg beføle i skrittet&lt;/a&gt; uten grunn. Jeg vil
3106 fortsette å nekte å bruke disse pornoskannerne, unngå flyplasser der
3107 de er tatt i bruk, og reise med andre transportmidler enn fly hvis jeg
3108 kan.&lt;/p&gt;
3109 </description>
3110 </item>
3111
3112 <item>
3113 <title>Now accepting bitcoins - anonymous and distributed p2p crypto-money</title>
3114 <link>https://people.skolelinux.org/pere/blog/Now_accepting_bitcoins___anonymous_and_distributed_p2p_crypto_money.html</link>
3115 <guid isPermaLink="true">https://people.skolelinux.org/pere/blog/Now_accepting_bitcoins___anonymous_and_distributed_p2p_crypto_money.html</guid>
3116 <pubDate>Fri, 10 Dec 2010 08:20:00 +0100</pubDate>
3117 <description>&lt;p&gt;With this weeks lawless
3118 &lt;a href=&quot;http://www.salon.com/news/opinion/glenn_greenwald/2010/12/06/wikileaks/index.html&quot;&gt;governmental
3119 attacks&lt;/a&gt; on Wikileak and
3120 &lt;a href=&quot;http://www.salon.com/technology/dan_gillmor/2010/12/06/war_on_speech&quot;&gt;free
3121 speech&lt;/a&gt;, it has become obvious that PayPal, visa and mastercard can
3122 not be trusted to handle money transactions.
3123 A blog post from
3124 &lt;a href=&quot;http://webmink.com/2010/12/06/now-accepting-bitcoin/&quot;&gt;Simon
3125 Phipps on bitcoin&lt;/a&gt; reminded me about a project that a friend of
3126 mine mentioned earlier. I decided to follow Simon&#39;s example, and get
3127 involved with &lt;a href=&quot;http://www.bitcoin.org/&quot;&gt;BitCoin&lt;/a&gt;. I got
3128 some help from my friend to get it all running, and he even handed me
3129 some bitcoins to get started. I even donated a few bitcoins to Simon
3130 for helping me remember BitCoin.&lt;/p&gt;
3131
3132 &lt;p&gt;So, what is bitcoins, you probably wonder? It is a digital
3133 crypto-currency, decentralised and handled using peer-to-peer
3134 networks. It allows anonymous transactions and prohibits central
3135 control over the transactions, making it impossible for governments
3136 and companies alike to block donations and other transactions. The
3137 source is free software, and while the key dependency wxWidgets 2.9
3138 for the graphical user interface is missing in Debian, the command
3139 line client builds just fine. Hopefully Jonas
3140 &lt;a href=&quot;http://bugs.debian.org/578157&quot;&gt;will get the package into
3141 Debian&lt;/a&gt; soon.&lt;/p&gt;
3142
3143 &lt;p&gt;Bitcoins can be converted to other currencies, like USD and EUR.
3144 There are &lt;a href=&quot;http://www.bitcoin.org/trade&quot;&gt;companies accepting
3145 bitcoins&lt;/a&gt; when selling services and goods, and there are even
3146 currency &quot;stock&quot; markets where the exchange rate is decided. There
3147 are not many users so far, but the concept seems promising. If you
3148 want to get started and lack a friend with any bitcoins to spare,
3149 you can even get
3150 &lt;a href=&quot;https://freebitcoins.appspot.com/&quot;&gt;some for free&lt;/a&gt; (0.05
3151 bitcoin at the time of writing). Use
3152 &lt;a href=&quot;http://www.bitcoinwatch.com/&quot;&gt;BitcoinWatch&lt;/a&gt; to keep an eye
3153 on the current exchange rates.&lt;/p&gt;
3154
3155 &lt;p&gt;As an experiment, I have decided to set up bitcoind on one of my
3156 machines. If you want to support my activity, please send Bitcoin
3157 donations to the address
3158 &lt;b&gt;15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b&lt;/b&gt;. Thank you!&lt;/p&gt;
3159 </description>
3160 </item>
3161
3162 <item>
3163 <title>DND hedrer overvåkning av barn med Rosingsprisen</title>
3164 <link>https://people.skolelinux.org/pere/blog/DND_hedrer_overv_kning_av_barn_med_Rosingsprisen.html</link>
3165 <guid isPermaLink="true">https://people.skolelinux.org/pere/blog/DND_hedrer_overv_kning_av_barn_med_Rosingsprisen.html</guid>
3166 <pubDate>Tue, 23 Nov 2010 14:15:00 +0100</pubDate>
3167 <description>&lt;p&gt;Jeg registrerer med vond smak i munnen at Den Norske Dataforening
3168 &lt;a
3169 href=&quot;http://www.dataforeningen.no/hedret-med-rosingprisen.4849070-133913.html&quot;&gt;hedrer
3170 overvåkning av barn med Rosingsprisen for kreativitet i år&lt;/a&gt;. Jeg
3171 er glad jeg nå er meldt ut av DND.&lt;/p&gt;
3172
3173 &lt;p&gt;Å elektronisk overvåke sine barn er ikke å gjøre dem en tjeneste,
3174 men et overgrep mot individer i utvikling som bør læres opp til å ta
3175 egne valg.&lt;/p&gt;
3176
3177 &lt;p&gt;For å sitere Datatilsynets nye leder, Bjørn Erik Thon, i
3178 &lt;a href=&quot;http://www.idg.no/computerworld/article174262.ece&quot;&gt;et intervju
3179 med Computerworld Norge&lt;/A&gt;:&lt;/p&gt;
3180
3181 &lt;p&gt;&lt;blockquote&gt;
3182 - For alle som har barn, meg selv inkludert, er førstetanken at det
3183 hadde vært fint å vite hvor barnet sitt er til enhver tid. Men ungene
3184 har ikke godt av det. De er små individer som skal søke rundt og finne
3185 sine små gjemmesteder og utvide horisonten, uten at foreldrene ser dem
3186 i kortene. Det kan være fristende, men jeg ville ikke gått inn i
3187 dette.
3188 &lt;/blockquote&gt;&lt;/p&gt;
3189
3190 &lt;p&gt;Det er skremmende å se at DND mener en tjeneste som legger opp til
3191 slike overgrep bør hedres. Å flytte oppveksten for barn inn i en
3192 virtuell
3193 &lt;a href=&quot;http://en.wikipedia.org/wiki/Panopticon&quot;&gt;Panopticon&lt;/a&gt; er et
3194 grovt overgrep og vil gjøre skade på barnenes utvikling, og foreldre
3195 burde tenke seg godt om før de gir etter for sine instinkter her.&lt;/p&gt;
3196
3197 &lt;p&gt;Blipper-tjenesten får meg til å tenke på bøkene til
3198 &lt;a href=&quot;http://en.wikipedia.org/wiki/John_Twelve_Hawks&quot;&gt;John Twelve
3199 Hawks&lt;/a&gt;, som forbilledlig beskriver hvordan et totalitært
3200 overvåkningssamfunn bygges sakte men sikkert rundt oss, satt sammen av
3201 gode intensjoner og manglende bevissthet om hvilke prinsipper et
3202 liberalt demokrati er fundamentert på. Jeg har hatt stor glede av å
3203 lese alle de tre bøkene.&lt;/p&gt;
3204 </description>
3205 </item>
3206
3207 <item>
3208 <title>Datatilsynet mangler verktøyet som trengs for å kontrollere kameraovervåkning</title>
3209 <link>https://people.skolelinux.org/pere/blog/Datatilsynet_mangler_verkt_yet_som_trengs_for___kontrollere_kameraoverv_kning.html</link>
3210 <guid isPermaLink="true">https://people.skolelinux.org/pere/blog/Datatilsynet_mangler_verkt_yet_som_trengs_for___kontrollere_kameraoverv_kning.html</guid>
3211 <pubDate>Tue, 9 Nov 2010 14:35:00 +0100</pubDate>
3212 <description>&lt;p&gt;En stund tilbake ble jeg oppmerksom på at Datatilsynets verktøy for
3213 å holde rede på overvåkningskamera i Norge ikke var egnet til annet
3214 enn å lage statistikk, og ikke kunne brukes for å kontrollere om et
3215 overvåkningskamera i det offentlige rom er lovlig satt opp og
3216 registrert. For å teste hypotesen sendte jeg for noen dager siden
3217 følgende spørsmål til datatilsynet. Det omtalte kameraet står litt
3218 merkelig plassert i veigrøften ved gangstien langs Sandakerveien, og
3219 jeg lurer oppriktig på om det er lovlig plassert og registrert.&lt;/p&gt;
3220
3221 &lt;p&gt;&lt;blockquote&gt;
3222 &lt;p&gt;Date: Tue, 2 Nov 2010 16:08:20 +0100
3223 &lt;br&gt;From: Petter Reinholdtsen &amp;lt;pere (at) hungry.com&amp;gt;
3224 &lt;br&gt;To: postkasse (at) datatilsynet.no
3225 &lt;br&gt;Subject: Er overvåkningskameraet korrekt registrert?&lt;/p&gt;
3226
3227 &lt;p&gt;Hei.&lt;/p&gt;
3228
3229 &lt;p&gt;I Nydalen i Oslo er det mange overvåkningskamera, og et av dem er
3230 spesielt merkelig plassert like over et kumlokk. Jeg lurer på om
3231 dette kameraet er korrekt registrert og i henhold til lovverket.&lt;/p&gt;
3232
3233 &lt;p&gt;Finner ingen eierinformasjon på kameraet, og dermed heller ingenting å
3234 søke på i &amp;lt;URL:
3235 &lt;a href=&quot;http://hetti.datatilsynet.no/melding/report_search.pl&quot;&gt;http://hetti.datatilsynet.no/melding/report_search.pl&lt;/a&gt; &amp;gt;.
3236 Kartreferanse for kameraet er tilgjengelig fra
3237 &amp;lt;URL:
3238 &lt;a href=&quot;http://people.skolelinux.no/pere/surveillance-norway/?zoom=17&amp;lat=59.94918&amp;lon=10.76962&amp;layers=B0T&quot;&gt;http://people.skolelinux.no/pere/surveillance-norway/?zoom=17&amp;lat=59.94918&amp;lon=10.76962&amp;layers=B0T&lt;/a&gt; &amp;gt;.
3239
3240 &lt;p&gt;Kan dere fortelle meg om dette kameraet er registrert hos
3241 Datatilsynet som det skal være i henhold til lovverket?&lt;/p&gt;
3242
3243 &lt;p&gt;Det hadde forresten vært fint om rådata fra kameraregisteret var
3244 tilgjengelig på web og regelmessig oppdatert, for å kunne søke på
3245 andre ting enn organisasjonsnavn og -nummer ved å laste det ned og
3246 gjøre egne søk.&lt;/p&gt;
3247
3248 &lt;p&gt;Vennlig hilsen,
3249 &lt;br&gt;--
3250 &lt;br&gt;Petter Reinholdtsen
3251 &lt;/blockquote&gt;&lt;/p&gt;
3252
3253 &lt;p&gt;Her er svaret som kom dagen etter:&lt;/p&gt;
3254
3255 &lt;p&gt;&lt;blockquote&gt;
3256 &lt;p&gt;Date: Wed, 3 Nov 2010 14:44:09 +0100
3257 &lt;br&gt;From: &quot;juridisk&quot; &amp;lt;juridisk (at) Datatilsynet.no&amp;gt;
3258 &lt;br&gt;To: Petter Reinholdtsen
3259 &lt;br&gt;Subject: VS: Er overvåkningskameraet korrekt registrert?
3260
3261 &lt;p&gt;Viser til e-post av 2. november.
3262
3263 &lt;p&gt;Datatilsynet er det forvaltningsorganet som skal kontrollere at
3264 personopplysningsloven blir fulgt. Formålet med loven er å verne
3265 enkeltpersoner mot krenking av personvernet gjennom behandling av
3266 personopplysninger.&lt;/p&gt;
3267
3268 &lt;p&gt;Juridisk veiledningstjeneste hos Datatilsynet gir råd og veiledning
3269 omkring personopplysningslovens regler på generelt grunnlag.&lt;/p&gt;
3270
3271 &lt;p&gt;Datatilsynet har dessverre ikke en fullstendig oversikt over alle
3272 kameraer, den oversikten som finner er i vår meldingsdatabase som du
3273 finner her:
3274 &lt;a href=&quot;http://www.datatilsynet.no/templates/article____211.aspx&quot;&gt;http://www.datatilsynet.no/templates/article____211.aspx&lt;/a&gt;&lt;/p&gt;
3275
3276 &lt;p&gt;Denne databasen gir en oversikt over virksomheter som har meldt inn
3277 kameraovervåkning. Dersom man ikek vet hvilken virksomhet som er
3278 ansvarlig, er det heller ikke mulig for Datatilsynet å søke dette
3279 opp.&lt;/p&gt;
3280
3281 &lt;p&gt;Webkameraer som har så dårlig oppløsning at man ikke kan gjenkjenne
3282 enkeltpersoner er ikke meldepliktige, da dette ikke anses som
3283 kameraovervåkning i personopplysningslovens forstand. Dersom kameraet
3284 du sikter til er et slikt webkamera, vil det kanskje ikke finnes i
3285 meldingsdatabasen på grunn av dette. Også dersom et kamera med god
3286 oppløsning ikke filmer mennesker, faller det utenfor loven.&lt;/p&gt;
3287
3288 &lt;p&gt;Datatilsynet har laget en veileder som gjennomgår når det er lov å
3289 overvåke med kamera, se lenke:
3290 &lt;a href=&quot;http://www.datatilsynet.no/templates/article____401.aspx&quot;&gt;http://www.datatilsynet.no/templates/article____401.aspx&lt;/a&gt;&lt;/p&gt;
3291
3292 &lt;p&gt;Dersom det ikke er klart hvem som er ansvarlig for kameraet, er det
3293 vanskelig for Datatilsynet å ta kontakt med den ansvarlige for å få
3294 avklart om kameraet er satt opp i tråd med tilsynets regelverk. Dersom
3295 du mener at kameraet ikke er lovlig ut fra informasjonen ovenfor, kan
3296 kameraet anmeldes til politiet.&lt;/p&gt;
3297
3298 &lt;p&gt;Med vennlig hilsen&lt;/p&gt;
3299
3300 &lt;p&gt;Maria Bakke
3301 &lt;br&gt;Juridisk veiledningstjeneste
3302 &lt;br&gt;Datatilsynet&lt;/p&gt;
3303 &lt;/blockquote&gt;&lt;/p&gt;
3304
3305 &lt;p&gt;Personlig synes jeg det bør være krav om å registrere hvert eneste
3306 overvåkningskamera i det offentlige rom hos Datatilsynet, med
3307 kartreferanse og begrunnelse om hvorfor det er satt opp, slik at
3308 enhver borger enkelt kan hente ut kart over områder vi er interessert
3309 i og sjekke om det er overvåkningskamera der som er satt opp uten å
3310 være registert. Slike registreringer skal jo i dag fornyes
3311 regelmessing, noe jeg mistenker ikke blir gjort. Dermed kan kamera
3312 som en gang var korrekt registrert nå være ulovlig satt opp. Det
3313 burde også være bøter for å ha kamera som ikke er korrekt registrert,
3314 slik at en ikke kan ignorere registrering uten at det får
3315 konsekvenser.&lt;/p&gt;
3316
3317 &lt;p&gt;En ide fra England som jeg har sans (lite annet jeg har sans for
3318 når det gjelder overvåkningskamera i England) for er at enhver borger
3319 kan be om å få kopi av det som er tatt opp med et overvåkningskamera i
3320 det offentlige rom, noe som gjør at det kan komme løpende utgifter ved
3321 å sette overvåkningskamera. Jeg tror alt som gjør det mindre
3322 attraktivt å ha overvåkningskamera i det offentlige rom er en god
3323 ting, så et slikt lovverk i Norge tror jeg hadde vært nyttig.&lt;/p&gt;
3324 </description>
3325 </item>
3326
3327 <item>
3328 <title>Datatilsynet svarer om Bilkollektivets ønske om GPS-sporing</title>
3329 <link>https://people.skolelinux.org/pere/blog/Datatilsynet_svarer_om_Bilkollektivets__nske_om_GPS_sporing.html</link>
3330 <guid isPermaLink="true">https://people.skolelinux.org/pere/blog/Datatilsynet_svarer_om_Bilkollektivets__nske_om_GPS_sporing.html</guid>
3331 <pubDate>Thu, 14 Oct 2010 15:00:00 +0200</pubDate>
3332 <description>&lt;p&gt;I forbindelse med Bilkollektivets plan om å skaffe seg mulighet til
3333 å GPS-spore sine medlemmers bevegelser
3334 (&lt;a href=&quot;http://people.skolelinux.org/pere/blog/Bilkollektivet_vil_ha_retten_til____se_hvor_jeg_kj__rer___.html&quot;&gt;omtalt
3335 tidligere&lt;/a&gt;), sendte jeg avgårde et spørsmål til &lt;a
3336 href=&quot;http://www.datatilsynet.no/&quot;&gt;Datatilsynet&lt;/a&gt; for å gjøre dem
3337 oppmerksom på saken og høre hva de hadde å si. Her er korrespondansen
3338 så langt.&lt;/p&gt;
3339
3340 &lt;p&gt;&lt;blockquote&gt;
3341 Date: Thu, 23 Sep 2010 13:38:55 +0200
3342 &lt;br&gt;From: Petter Reinholdtsen
3343 &lt;br&gt;To: postkasse@datatilsynet.no
3344 &lt;br&gt;Subject: GPS-sporing av privatpersoners bruk av bil?
3345
3346 &lt;p&gt;Hei. Jeg er med i Bilkollektivet[1] her i Oslo, og ble i dag
3347 orientert om at de har tenkt å innføre GPS-sporing av bilene og krever
3348 at en for fremtidig bruk skal godkjenne følgende klausul i
3349 bruksvilkårene[2]:&lt;/p&gt;
3350
3351 &lt;p&gt;&lt;blockquote&gt;
3352 Andelseier er med dette gjort kjent med at bilene er utstyrt med
3353 sporingsutstyr, som kan benyttes av Bilkollektivet til å spore biler
3354 som brukes utenfor gyldig reservasjon.
3355 &lt;/blockquote&gt;&lt;/p&gt;
3356
3357 &lt;p&gt;Er slik sporing meldepliktig til datatilsynet? Har Bilkollektivet
3358 meldt dette til Datatilsynet? Forsøkte å søke på orgnr. 874 538 892
3359 på søkesiden for meldinger[3], men fant intet der.&lt;/p&gt;
3360
3361 &lt;p&gt;Hva er datatilsynets syn på slik sporing av privatpersoners bruk av
3362 bil?&lt;/p&gt;
3363
3364 &lt;p&gt;Jeg må innrømme at jeg forventer å kunne ferdes anonymt og uten
3365 radiomerking i Norge, og synes GPS-sporing av bilen jeg ønsker å bruke
3366 i så måte er et overgrep mot privatlivets fred. For meg er det et
3367 prinsipielt spørsmål og det er underordnet hvem og med hvilket formål
3368 som i første omgang sies å skulle ha tilgang til
3369 sporingsinformasjonen. Jeg vil ikke ha mulighet til å sjekke eller
3370 kontrollere når bruksområdene utvides, og erfaring viser jo at
3371 bruksområder utvides når informasjon først er samlet inn.&lt;p&gt;
3372
3373 &lt;p&gt;1 &amp;lt;URL: http://www.bilkollektivet.no/ &gt;
3374 &lt;br&gt;2 &amp;lt;URL: http://www.bilkollektivet.no/bilbruksregler.26256.no.html &gt;
3375 &lt;br&gt;3 &amp;lt;URL: http://hetti.datatilsynet.no/melding/report_search.pl &gt;
3376
3377 &lt;p&gt;Vennlig hilsen,
3378 &lt;br&gt;--
3379 &lt;br&gt;Petter Reinholdtsen
3380 &lt;/blockquote&gt;&lt;/p&gt;
3381
3382 &lt;p&gt;Svaret fra Datatilsynet kom dagen etter:&lt;/p&gt;
3383
3384 &lt;p&gt;&lt;blockquote&gt;
3385 Date: Fri, 24 Sep 2010 11:24:17 +0200
3386 &lt;br&gt;From: Henok Tesfazghi
3387 &lt;br&gt;To: Petter Reinholdtsen
3388 &lt;br&gt;Subject: VS: GPS-sporing av privatpersoners bruk av bil?
3389
3390 &lt;p&gt;Viser til e-post av 23. september 2010.&lt;/p&gt;
3391
3392 &lt;p&gt;Datatilsynet er det forvaltningsorganet som skal kontrollere at
3393 personopplysningsloven blir fulgt. Formålet med loven er å verne
3394 enkeltpersoner mot krenking av personvernet gjennom behandling av
3395 personopplysninger. Vi gjør oppmerksom på at vår e-post svartjeneste
3396 er ment å være en kortfattet rådgivningstjeneste, slik at vi av den
3397 grunn ikke kan konkludere i din sak, men gi deg innledende råd og
3398 veiledning. Vårt syn er basert på din fremstilling av saksforholdet,
3399 andre opplysninger vi eventuelt ikke kjenner til og som kan være
3400 relevante, vil kunne medføre et annet resultat.&lt;/p&gt;
3401
3402 &lt;p&gt;Det er uklart for Datatilsynet hva slags GPS-sporing Bilkollektivet
3403 her legger opp til. Dette skyldes blant annet manglende informasjon i
3404 forhold til hvilket formål GPS-sporingen har, hvordan det er ment å
3405 fungere, hvilket behandlingsgrunnlag som ligger til grunn, samt om
3406 opplysningene skal lagres eller ikke.&lt;/p&gt;
3407
3408 &lt;p&gt;Behandlingen vil i utgangspunket være meldepliktig etter
3409 personopplysningslovens § 31. Det finnes en rekke unntak fra
3410 meldeplikten som er hjemlet i personopplysningsforskriftens kapittel
3411 7. Da dette er et andelslag, og andelseiere i en utstrekning også kan
3412 karakteriseres som kunder, vil unntak etter
3413 personopplysningsforskriftens § 7-7 kunne komme til anvendelse, se
3414 lenke: &lt;a href=&quot;http://lovdata.no/for/sf/fa/ta-20001215-1265-009.html#7-7&quot;&gt;http://lovdata.no/for/sf/fa/ta-20001215-1265-009.html#7-7&lt;/a&gt;&lt;/p&gt;
3415
3416 &lt;p&gt;Datatilsynet har til orientering en rekke artikler som omhandler
3417 henholdsvis sporing og lokalisering, samt trafikanter og passasjerer,
3418 se lenke:
3419 &lt;br&gt;&lt;a href=&quot;http://www.datatilsynet.no/templates/article____1730.aspx&quot;&gt;http://www.datatilsynet.no/templates/article____1730.aspx&lt;/a&gt; og
3420 &lt;br&gt;&lt;a href=&quot;http://www.datatilsynet.no/templates/article____1098.aspx&quot;&gt;http://www.datatilsynet.no/templates/article____1098.aspx&lt;/a&gt;&lt;/p&gt;
3421
3422
3423 &lt;p&gt;Vennlig hilsen
3424 &lt;br&gt;Henok Tesfazghi
3425 &lt;br&gt;Rådgiver, Datatilsynet
3426 &lt;/blockquote&gt;&lt;/p&gt;
3427
3428 &lt;p&gt;Vet ennå ikke om jeg har overskudd til å ta opp kampen i
3429 Bilkollektivet, mellom barnepass og alt det andre som spiser opp
3430 dagene, eller om jeg bare finner et annet alternativ.&lt;/p&gt;
3431 </description>
3432 </item>
3433
3434 <item>
3435 <title>Bilkollektivet vil ha retten til å se hvor jeg kjører...</title>
3436 <link>https://people.skolelinux.org/pere/blog/Bilkollektivet_vil_ha_retten_til___se_hvor_jeg_kj_rer___.html</link>
3437 <guid isPermaLink="true">https://people.skolelinux.org/pere/blog/Bilkollektivet_vil_ha_retten_til___se_hvor_jeg_kj_rer___.html</guid>
3438 <pubDate>Thu, 23 Sep 2010 11:55:00 +0200</pubDate>
3439 <description>&lt;p&gt;Jeg er med i
3440 &lt;a href=&quot;http://www.bilkollektivet.no/&quot;&gt;Bilkollektivet&lt;/a&gt; her i Oslo,
3441 og har inntil i dag vært fornøyd med opplegget. I dag kom det brev
3442 fra bilkollektivet, der de forteller om nytt webopplegg og nye
3443 rutiner, og at de har tenkt å angripe min rett til å ferdes anonymt
3444 som bruker av Bilkollektivet. Det gjorde meg virkelig trist å
3445 lese.&lt;/p&gt;
3446
3447 &lt;p&gt;Brevet datert 2010-09-16 forteller at Bilkollektivet har tenkt å gå
3448 over til biler med &quot;bilcomputer&quot; og innebygget sporings-GPS som lar
3449 administrasjonen i bilkollektivet se hvor bilene er til en hver tid,
3450 noe som betyr at de også kan se hvor jeg kjører når jeg bruker
3451 Bilkollektivet.
3452 &lt;a href=&quot;http://people.skolelinux.org/pere/blog/Anonym_ferdsel_er_en_menneskerett.html&quot;&gt;Retten
3453 til å ferdes anonymt&lt;/a&gt; er som tidligere nevnt viktig for meg, og jeg
3454 finner det uakseptabelt å måtte godta å bli radiomerket for å kunne
3455 bruke bil. Har ikke satt meg inn i hva som er historien for denne
3456 endringen, så jeg vet ikke om det er godkjent av
3457 f.eks. andelseiermøtet. Ser at
3458 &lt;a href=&quot;http://www.bilkollektivet.no/bilbruksregler.26256.no.html&quot;&gt;nye
3459 bilbruksregler&lt;/a&gt; med følgende klausul ble vedtatt av styret
3460 2010-08-26:&lt;/p&gt;
3461
3462 &lt;blockquote&gt;&lt;p&gt;Andelseier er med dette gjort kjent med at bilene er
3463 utstyrt med sporingsutstyr, som kan benyttes av Bilkollektivet til å
3464 spore biler som brukes utenfor gyldig reservasjon.&lt;/p&gt;&lt;/blockquote&gt;
3465
3466 &lt;p&gt;For meg er det prinsipielt uakseptabelt av Bilkollektivet å skaffe
3467 seg muligheten til å se hvor jeg befinner meg, og det er underordnet
3468 når informasjonen blir brukt og hvem som får tilgang til den. Får se
3469 om jeg har energi til å forsøke å endre planene til Bilkollektivet
3470 eller bare ser meg om etter alternativer.&lt;/p&gt;
3471 </description>
3472 </item>
3473
3474 <item>
3475 <title>Anonym ferdsel er en menneskerett</title>
3476 <link>https://people.skolelinux.org/pere/blog/Anonym_ferdsel_er_en_menneskerett.html</link>
3477 <guid isPermaLink="true">https://people.skolelinux.org/pere/blog/Anonym_ferdsel_er_en_menneskerett.html</guid>
3478 <pubDate>Wed, 15 Sep 2010 12:15:00 +0200</pubDate>
3479 <description>&lt;p&gt;Debatten rundt sporveiselskapet i Oslos (Ruter AS) ønske om
3480 &lt;a href=&quot;http://www.aftenposten.no/nyheter/iriks/article3808135.ece&quot;&gt;å
3481 radiomerke med RFID&lt;/a&gt; alle sine kunder og
3482 &lt;a href=&quot;http://www.aftenposten.no/nyheter/article3809746.ece&quot;&gt;registrere
3483 hvor hver og en av oss beveger oss&lt;/a&gt; pågår, og en ting som har
3484 kommet lite frem i debatten er at det faktisk er en menneskerett å
3485 kunne ferdes anonymt internt i ens eget land.&lt;/p&gt;
3486
3487 &lt;p&gt;Fant en grei kilde for dette i et
3488 &lt;a href=&quot;http://www.datatilsynet.no/upload/Microsoft%20Word%20-%2009-01399-2%20H+%C2%A9ringsnotat%20-%20Samferdselsdepartementet%20-%20Utkas%C3%94%C3%87%C2%AA.pdf&quot;&gt;skriv
3489 fra Datatilsynet&lt;/a&gt; til Samferdselsdepartementet om tema:&lt;/p&gt;
3490
3491 &lt;blockquote&gt;&lt;p&gt;Retten til å ferdes anonymt kan utledes av
3492 menneskerettskonvensjonen artikkel 8 og av EUs personverndirektiv.
3493 Her heter det at enkeltpersoners grunnleggende rettigheter og frihet
3494 må respekteres, særlig retten til privatlivets fred. I både
3495 personverndirektivet og i den norske personopplysningsloven er
3496 selvråderetten til hver enkelt et av grunnprinsippene, hovedsaklig
3497 uttrykt ved at en må gi et frivillig, informert og uttrykkelig
3498 samtykke til behandling av personopplysninger.&lt;/p&gt;&lt;/blockquote&gt;
3499
3500 &lt;p&gt;For meg er det viktig at jeg kan ferdes anonymt, og det er litt av
3501 bakgrunnen til at jeg handler med kontanter, ikke har mobiltelefon og
3502 forventer å kunne reise med bil og kollektivtrafikk uten at det blir
3503 registrert hvor jeg har vært. Ruter angriper min rett til å ferdes
3504 uten radiopeiler med sin innføring av RFID-kort, og dokumenterer sitt
3505 ønske om å registrere hvor kundene befant seg ved å ønske å gebyrlegge
3506 oss som ikke registrerer oss hver gang vi beveger oss med
3507 kollektivtrafikken i Oslo. Jeg synes det er hårreisende.&lt;/p&gt;
3508 </description>
3509 </item>
3510
3511 <item>
3512 <title>Forslag i stortinget om å stoppe elektronisk stemmegiving i Norge</title>
3513 <link>https://people.skolelinux.org/pere/blog/Forslag_i_stortinget_om___stoppe_elektronisk_stemmegiving_i_Norge.html</link>
3514 <guid isPermaLink="true">https://people.skolelinux.org/pere/blog/Forslag_i_stortinget_om___stoppe_elektronisk_stemmegiving_i_Norge.html</guid>
3515 <pubDate>Tue, 31 Aug 2010 21:00:00 +0200</pubDate>
3516 <description>&lt;p&gt;Ble tipset i dag om at et forslag om å stoppe forsøkene med
3517 elektronisk stemmegiving utenfor valglokaler er
3518 &lt;a href=&quot;http://www.stortinget.no/no/Saker-og-publikasjoner/Saker/Sak/?p=46616&quot;&gt;til
3519 behandling&lt;/a&gt; i Stortinget.
3520 &lt;a href=&quot;http://www.stortinget.no/Global/pdf/Representantforslag/2009-2010/dok8-200910-128.pdf&quot;&gt;Forslaget&lt;/a&gt;
3521 er fremmet av Erna Solberg, Michael Tetzschner og Trond Helleland.&lt;/p&gt;
3522
3523 &lt;p&gt;Håper det får flertall.&lt;/p&gt;
3524 </description>
3525 </item>
3526
3527 <item>
3528 <title>Sikkerhetsteateret på flyplassene fortsetter</title>
3529 <link>https://people.skolelinux.org/pere/blog/Sikkerhetsteateret_p__flyplassene_fortsetter.html</link>
3530 <guid isPermaLink="true">https://people.skolelinux.org/pere/blog/Sikkerhetsteateret_p__flyplassene_fortsetter.html</guid>
3531 <pubDate>Sat, 28 Aug 2010 10:40:00 +0200</pubDate>
3532 <description>&lt;p&gt;Jeg skrev for et halvt år siden hvordan
3533 &lt;a href=&quot;http://people.skolelinux.org/pere/blog/Sikkerhet__teater__og_hvordan_gj__re_verden_sikrere.html&quot;&gt;samfunnet
3534 kaster bort ressurser på sikkerhetstiltak som ikke fungerer&lt;/a&gt;. Kom
3535 nettopp over en
3536 &lt;a href=&quot;http://www.askthepilot.com/essays-and-stories/terrorism-tweezers-and-terminal-madness-an-essay-on-security/&quot;&gt;historie
3537 fra en pilot fra USA&lt;/a&gt; som kommenterer det samme. Jeg mistenker det
3538 kun er uvitenhet og autoritetstro som gjør at så få protesterer. Har
3539 veldig sans for piloten omtalt i &lt;a
3540 href=&quot;http://www.aftenposten.no/nyheter/iriks/article2057501.ece&quot;&gt;Aftenposten&lt;/a&gt; 2007-10-23,
3541 og skulle ønske flere rettet oppmerksomhet mot problemet. Det gir
3542 ikke meg trygghetsfølelse på flyplassene når jeg ser at
3543 flyplassadministrasjonen kaster bort folk, penger og tid på tull i
3544 stedet for ting som bidrar til reell økning av sikkerheten. Det
3545 forteller meg jo at vurderingsevnen til de som burde bidra til økt
3546 sikkerhet er svært sviktende, noe som ikke taler godt for de andre
3547 tiltakene.&lt;/p&gt;
3548
3549 &lt;p&gt;Mon tro hva som skjer hvis det fantes en enkel brosjyre å skrive ut
3550 fra Internet som forklarte hva som er galt med sikkerhetsopplegget på
3551 flyplassene, og folk skrev ut og la en bunke på flyplassene når de
3552 passerte. Kanskje det ville fått flere til å få øynene opp for
3553 problemet.&lt;/p&gt;
3554
3555 &lt;p&gt;Personlig synes jeg flyopplevelsen er blitt så avskyelig at jeg
3556 forsøker å klare meg med tog, bil og båt for å slippe ubehaget. Det
3557 er dog noe vanskelig i det langstrakte Norge og for å kunne besøke de
3558 delene av verden jeg ønsker å nå. Mistenker at flere har det slik, og
3559 at dette går ut over inntjeningen til flyselskapene. Det er antagelig
3560 en god ting sett fra et miljøperspektiv, men det er en annen sak.&lt;/p&gt;
3561 </description>
3562 </item>
3563
3564 <item>
3565 <title>Elektronisk stemmegiving er ikke til å stole på - heller ikke i Norge</title>
3566 <link>https://people.skolelinux.org/pere/blog/Elektronisk_stemmegiving_er_ikke_til___stole_p____heller_ikke_i_Norge.html</link>
3567 <guid isPermaLink="true">https://people.skolelinux.org/pere/blog/Elektronisk_stemmegiving_er_ikke_til___stole_p____heller_ikke_i_Norge.html</guid>
3568 <pubDate>Mon, 23 Aug 2010 19:30:00 +0200</pubDate>
3569 <description>&lt;p&gt;I Norge pågår en prosess for å
3570 &lt;a href=&quot;http://www.e-valg.dep.no/&quot;&gt;innføre elektronisk
3571 stemmegiving&lt;/a&gt; ved kommune- og stortingsvalg. Dette skal
3572 introduseres i 2011. Det er all grunn til å tro at valg i Norge ikke
3573 vil være til å stole på hvis dette blir gjennomført. Da det hele var
3574 oppe til høring i 2006 forfattet jeg
3575 &lt;a href=&quot;http://www.nuug.no/dokumenter/valg-horing-2006-09.pdf&quot;&gt;en
3576 høringsuttalelse fra NUUG&lt;/a&gt; (og EFN som hengte seg på) som skisserte
3577 hvilke punkter som må oppfylles for at en skal kunne stole på et valg,
3578 og elektronisk stemmegiving mangler flere av disse. Elektronisk
3579 stemmegiving er for alle praktiske formål å putte ens stemme i en sort
3580 boks under andres kontroll, og satse på at de som har kontroll med
3581 boksen er til å stole på - uten at en har mulighet til å verifisere
3582 dette selv. Det er ikke slik en gjennomfører demokratiske valg.&lt;/p&gt;
3583
3584 &lt;p&gt;Da problemet er fundamentalt med hvordan elektronisk stemmegiving
3585 må fungere for at også ikke-krypografer skal kunne delta, har det vært
3586 mange rapporter om hvordan elektronisk stemmegiving har sviktet i land
3587 etter land. En
3588 &lt;a href=&quot;http://wiki.nuug.no/uttalelser/2006-elektronisk-stemmegiving&quot;&gt;liten
3589 samling referanser&lt;/a&gt; finnes på NUUGs wiki. Den siste er fra India,
3590 der valgkomisjonen har valgt
3591 &lt;a href=&quot;http://www.freedom-to-tinker.com/blog/jhalderm/electronic-voting-researcher-arrested-over-anonymous-source&quot;&gt;å
3592 pusse politiet på en forsker&lt;/a&gt; som har dokumentert svakheter i
3593 valgsystemet.&lt;/p&gt;
3594
3595 &lt;p&gt;Her i Norge har en valgt en annen tilnærming, der en forsøker seg
3596 med teknobabbel for å få befolkningen til å tro at dette skal bli
3597 sikkert. Husk, elektronisk stemmegiving underminerer de demokratiske
3598 valgene i Norge, og bør ikke innføres.&lt;/p&gt;
3599
3600 &lt;p&gt;Den offentlige diskusjonen blir litt vanskelig av at media har
3601 valgt å kalle dette &quot;evalg&quot;, som kan sies å både gjelde elektronisk
3602 opptelling av valget som Norge har gjort siden 60-tallet og som er en
3603 svært god ide, og elektronisk opptelling som er en svært dårlig ide.
3604 Diskusjonen gir ikke mening hvis en skal diskutere om en er for eller
3605 mot &quot;evalg&quot;, og jeg forsøker derfor å være klar på at jeg snakker om
3606 elektronisk stemmegiving og unngå begrepet &quot;evalg&quot;.&lt;/p&gt;
3607 </description>
3608 </item>
3609
3610 <item>
3611 <title>Rob Weir: How to Crush Dissent</title>
3612 <link>https://people.skolelinux.org/pere/blog/Rob_Weir__How_to_Crush_Dissent.html</link>
3613 <guid isPermaLink="true">https://people.skolelinux.org/pere/blog/Rob_Weir__How_to_Crush_Dissent.html</guid>
3614 <pubDate>Sun, 15 Aug 2010 22:20:00 +0200</pubDate>
3615 <description>&lt;p&gt;I found the notes from Rob Weir on
3616 &lt;a href=&quot;http://feedproxy.google.com/~r/robweir/antic-atom/~3/VGb23-kta8c/how-to-crush-dissent.html&quot;&gt;how
3617 to crush dissent&lt;/a&gt; matching my own thoughts on the matter quite
3618 well. Highly recommended for those wondering which road our society
3619 should go down. In my view we have been heading the wrong way for a
3620 long time.&lt;/p&gt;
3621 </description>
3622 </item>
3623
3624 <item>
3625 <title>One step closer to single signon in Debian Edu</title>
3626 <link>https://people.skolelinux.org/pere/blog/One_step_closer_to_single_signon_in_Debian_Edu.html</link>
3627 <guid isPermaLink="true">https://people.skolelinux.org/pere/blog/One_step_closer_to_single_signon_in_Debian_Edu.html</guid>
3628 <pubDate>Sun, 25 Jul 2010 10:00:00 +0200</pubDate>
3629 <description>&lt;p&gt;The last few months me and the other Debian Edu developers have
3630 been working hard to get the Debian/Squeeze based version of Debian
3631 Edu/Skolelinux into shape. This future version will use Kerberos for
3632 authentication, and services are slowly migrated to single signon,
3633 getting rid of password questions one at the time.&lt;/p&gt;
3634
3635 &lt;p&gt;It will also feature a roaming workstation profile with local home
3636 directory, for laptops that are only some times on the Skolelinux
3637 network, and for this profile a shortcut is created in Gnome and KDE
3638 to gain access to the users home directory on the file server. This
3639 shortcut uses SMB at the moment, and yesterday I had time to test if
3640 SMB mounting had started working in KDE after we added the cifs-utils
3641 package. I was pleasantly surprised how well it worked.&lt;/p&gt;
3642
3643 &lt;p&gt;Thanks to the recent changes to our samba configuration to get it
3644 to use Kerberos for authentication, there were no question about user
3645 password when mounting the SMB volume. A simple click on the shortcut
3646 in the KDE menu, and a window with the home directory popped
3647 up. :)&lt;/p&gt;
3648
3649 &lt;p&gt;One step closer to a single signon solution out of the box in
3650 Debian Edu. We already had PAM, LDAP, IMAP and SMTP in place, and now
3651 also Samba. Next step is Cups and hopefully also NFS.&lt;/p&gt;
3652
3653 &lt;p&gt;We had planned a alpha0 release of Debian Edu for today, but thanks
3654 to the autobuilder administrators for some architectures being slow to
3655 sign packages, we are still missing the fixed LTSP package we need for
3656 the release. It was uploaded three days ago with urgency=high, and if
3657 it had entered testing yesterday we would have been able to test it in
3658 time for a alpha0 release today. As the binaries for ia64 and powerpc
3659 still not uploaded to the Debian archive, we need to delay the alpha
3660 release another day.&lt;/p&gt;
3661
3662 &lt;p&gt;If you want to help out with implementing Kerberos for Debian Edu,
3663 please contact us on debian-edu@lists.debian.org.&lt;/p&gt;
3664 </description>
3665 </item>
3666
3667 <item>
3668 <title>Åpne trådløsnett er et samfunnsgode</title>
3669 <link>https://people.skolelinux.org/pere/blog/_pne_tr_dl_snett_er_et_samfunnsgode.html</link>
3670 <guid isPermaLink="true">https://people.skolelinux.org/pere/blog/_pne_tr_dl_snett_er_et_samfunnsgode.html</guid>
3671 <pubDate>Sat, 12 Jun 2010 12:45:00 +0200</pubDate>
3672 <description>&lt;p&gt;Veldig glad for å oppdage via
3673 &lt;a href=&quot;http://yro.slashdot.org/story/10/06/11/1841256/Finland-To-Legalize-Use-of-Unsecured-Wi-Fi&quot;&gt;Slashdot&lt;/a&gt;
3674 at folk i Finland har forstått at åpne trådløsnett er et samfunnsgode.
3675 Jeg ser på åpne trådløsnett som et fellesgode på linje med retten til
3676 ferdsel i utmark og retten til å bevege seg i strandsonen. Jeg har
3677 glede av åpne trådløsnett når jeg finner dem, og deler gladelig nett
3678 med andre så lenge de ikke forstyrrer min bruk av eget nett.
3679 Nettkapasiteten er sjelden en begrensning ved normal browsing og enkel
3680 SSH-innlogging (som er min vanligste nettbruk), og nett kan brukes til
3681 så mye positivt og nyttig (som nyhetslesing, sjekke været, kontakte
3682 slekt og venner, holde seg oppdatert om politiske saker, kontakte
3683 organisasjoner og politikere, etc), at det for meg er helt urimelig å
3684 blokkere dette for alle som ikke gjør en flue fortred. De som mener
3685 at potensialet for misbruk er grunn nok til å hindre all den positive
3686 og lovlydige bruken av et åpent trådløsnett har jeg dermed ingen
3687 forståelse for. En kan ikke la eksistensen av forbrytere styre hvordan
3688 samfunnet skal organiseres. Da får en et kontrollsamfunn de færreste
3689 ønsker å leve i, og det at vi har et samfunn i Norge der tilliten til
3690 hverandre er høy gjør at samfunnet fungerer ganske godt. Det bør vi
3691 anstrenge oss for å beholde.&lt;/p&gt;
3692 </description>
3693 </item>
3694
3695 <item>
3696 <title>Magnetstripeinnhold i billetter fra Flytoget og Hurtigruten</title>
3697 <link>https://people.skolelinux.org/pere/blog/Magnetstripeinnhold_i_billetter_fra_Flytoget_og_Hurtigruten.html</link>
3698 <guid isPermaLink="true">https://people.skolelinux.org/pere/blog/Magnetstripeinnhold_i_billetter_fra_Flytoget_og_Hurtigruten.html</guid>
3699 <pubDate>Fri, 21 May 2010 16:00:00 +0200</pubDate>
3700 <description>&lt;p&gt;For en stund tilbake kjøpte jeg en magnetkortleser for å kunne
3701 titte på hva som er skrevet inn på magnetstripene til ulike kort. Har
3702 ikke hatt tid til å analysere mange kort så langt, men tenkte jeg
3703 skulle dele innholdet på to kort med mine lesere.&lt;/p&gt;
3704
3705 &lt;p&gt;For noen dager siden tok jeg flyet til Harstad og Hurtigruten til
3706 Bergen. Flytoget fra Oslo S til flyplassen ga meg en billett med
3707 magnetstripe. Påtrykket finner jeg følgende informasjon:&lt;/p&gt;
3708
3709 &lt;pre&gt;
3710 Flytoget Airport Express Train
3711
3712 Fra - Til : Oslo Sentralstasjon
3713 Kategori : Voksen
3714 Pris : Nok 170,00
3715 Herav mva. 8,00% : NOK 12,59
3716 Betaling : Kontant
3717 Til - Fra : Oslo Lufthavn
3718 Utstedt: : 08.05.10
3719 Gyldig Fra-Til : 08.05.10-07.11.10
3720 Billetttype : Enkeltbillett
3721
3722 102-1015-100508-48382-01-08
3723 &lt;/pre&gt;
3724
3725 &lt;p&gt;På selve magnetstripen er innholdet
3726 &lt;tt&gt;;E?+900120011=23250996541068112619257138248441708433322932704083389389062603279671261502492655?&lt;/tt&gt;.
3727 Aner ikke hva innholdet representerer, og det er lite overlapp mellom
3728 det jeg ser trykket på billetten og det jeg ser av tegn i
3729 magnetstripen. Håper det betyr at de bruker kryptografiske metoder
3730 for å gjøre det vanskelig å forfalske billetter.&lt;/p&gt;
3731
3732 &lt;p&gt;Den andre billetten er fra Hurtigruten, der jeg mistenker at
3733 strekkoden på fronten er mer brukt enn magnetstripen (det var i hvert
3734 fall den biten vi stakk inn i dørlåsen).&lt;/p&gt;
3735
3736 &lt;p&gt;Påtrykket forsiden er følgende:&lt;/p&gt;
3737
3738 &lt;pre&gt;
3739 Romnummer 727
3740 Hurtigruten
3741 Midnatsol
3742 Reinholdtsen
3743 Petter
3744 Bookingno: SAX69 0742193
3745 Harstad-Bergen
3746 Dep: 09.05.2010 Arr: 12.05.2010
3747 Lugar fra Risøyhamn
3748 Kost: FRO=4
3749 &lt;/pre&gt;
3750
3751 &lt;p&gt;På selve magnetstripen er innholdet
3752 &lt;tt&gt;;1316010007421930=00000000000000000000?+E?&lt;/tt&gt;. Heller ikke her
3753 ser jeg mye korrespondanse mellom påtrykk og magnetstripe.&lt;/p&gt;
3754 </description>
3755 </item>
3756
3757 <item>
3758 <title>Forcing new users to change their password on first login</title>
3759 <link>https://people.skolelinux.org/pere/blog/Forcing_new_users_to_change_their_password_on_first_login.html</link>
3760 <guid isPermaLink="true">https://people.skolelinux.org/pere/blog/Forcing_new_users_to_change_their_password_on_first_login.html</guid>
3761 <pubDate>Sun, 2 May 2010 13:47:00 +0200</pubDate>
3762 <description>&lt;p&gt;One interesting feature in Active Directory, is the ability to
3763 create a new user with an expired password, and thus force the user to
3764 change the password on the first login attempt.&lt;/p&gt;
3765
3766 &lt;p&gt;I&#39;m not quite sure how to do that with the LDAP setup in Debian
3767 Edu, but did some initial testing with a local account. The account
3768 and password aging information is available in /etc/shadow, but
3769 unfortunately, it is not possible to specify an expiration time for
3770 passwords, only a maximum age for passwords.&lt;/p&gt;
3771
3772 &lt;p&gt;A freshly created account (using adduser test) will have these
3773 settings in /etc/shadow:&lt;/p&gt;
3774
3775 &lt;blockquote&gt;&lt;pre&gt;
3776 root@tjener:~# chage -l test
3777 Last password change : May 02, 2010
3778 Password expires : never
3779 Password inactive : never
3780 Account expires : never
3781 Minimum number of days between password change : 0
3782 Maximum number of days between password change : 99999
3783 Number of days of warning before password expires : 7
3784 root@tjener:~#
3785 &lt;/pre&gt;&lt;/blockquote&gt;
3786
3787 &lt;p&gt;The only way I could come up with to create a user with an expired
3788 account, is to change the date of the last password change to the
3789 lowest value possible (January 1th 1970), and the maximum password age
3790 to the difference in days between that date and today. To make it
3791 simple, I went for 30 years (30 * 365 = 10950) and January 2th (to
3792 avoid testing if 0 is a valid value).&lt;/p&gt;
3793
3794 &lt;p&gt;After using these commands to set it up, it seem to work as
3795 intended:&lt;/p&gt;
3796
3797 &lt;blockquote&gt;&lt;pre&gt;
3798 root@tjener:~# chage -d 1 test; chage -M 10950 test
3799 root@tjener:~# chage -l test
3800 Last password change : Jan 02, 1970
3801 Password expires : never
3802 Password inactive : never
3803 Account expires : never
3804 Minimum number of days between password change : 0
3805 Maximum number of days between password change : 10950
3806 Number of days of warning before password expires : 7
3807 root@tjener:~#
3808 &lt;/pre&gt;&lt;/blockquote&gt;
3809
3810 &lt;p&gt;So far I have tested this with ssh and console, and kdm (in
3811 Squeeze) login, and all ask for a new password before login in the
3812 user (with ssh, I was thrown out and had to log in again).&lt;/p&gt;
3813
3814 &lt;p&gt;Perhaps we should set up something similar for Debian Edu, to make
3815 sure only the user itself have the account password?&lt;/p&gt;
3816
3817 &lt;p&gt;If you want to comment on or help out with implementing this for
3818 Debian Edu, please contact us on debian-edu@lists.debian.org.&lt;/p&gt;
3819
3820 &lt;p&gt;Update 2010-05-02 17:20: Paul Tötterman tells me on IRC that the
3821 shadow(8) page in Debian/testing now state that setting the date of
3822 last password change to zero (0) will force the password to be changed
3823 on the first login. This was not mentioned in the manual in Lenny, so
3824 I did not notice this in my initial testing. I have tested it on
3825 Squeeze, and &#39;&lt;tt&gt;chage -d 0 username&lt;/tt&gt;&#39; do work there. I have not
3826 tested it on Lenny yet.&lt;/p&gt;
3827
3828 &lt;p&gt;Update 2010-05-02-19:05: Jim Paris tells me via email that an
3829 equivalent command to expire a password is &#39;&lt;tt&gt;passwd -e
3830 username&lt;/tt&gt;&#39;, which insert zero into the date of the last password
3831 change.&lt;/p&gt;
3832 </description>
3833 </item>
3834
3835 <item>
3836 <title>Great book: &quot;Content: Selected Essays on Technology, Creativity, Copyright, and the Future of the Future&quot;</title>
3837 <link>https://people.skolelinux.org/pere/blog/Great_book___Content__Selected_Essays_on_Technology__Creativity__Copyright__and_the_Future_of_the_Future_.html</link>
3838 <guid isPermaLink="true">https://people.skolelinux.org/pere/blog/Great_book___Content__Selected_Essays_on_Technology__Creativity__Copyright__and_the_Future_of_the_Future_.html</guid>
3839 <pubDate>Mon, 19 Apr 2010 17:10:00 +0200</pubDate>
3840 <description>&lt;p&gt;The last few weeks i have had the pleasure of reading a
3841 thought-provoking collection of essays by Cory Doctorow, on topics
3842 touching copyright, virtual worlds, the future of man when the
3843 conscience mind can be duplicated into a computer and many more. The
3844 book titled &quot;Content: Selected Essays on Technology, Creativity,
3845 Copyright, and the Future of the Future&quot; is available with few
3846 restrictions on the web, for example from
3847 &lt;a href=&quot;http://craphound.com/content/&quot;&gt;his own site&lt;/a&gt;. I read the
3848 epub-version from
3849 &lt;a href=&quot;http://www.feedbooks.com/book/2883&quot;&gt;feedbooks&lt;/a&gt; using
3850 &lt;a href=&quot;http://www.fbreader.org/&quot;&gt;fbreader&lt;/a&gt; and my N810. I
3851 strongly recommend this book.&lt;/p&gt;
3852 </description>
3853 </item>
3854
3855 <item>
3856 <title>Sikkerhet, teater, og hvordan gjøre verden sikrere</title>
3857 <link>https://people.skolelinux.org/pere/blog/Sikkerhet__teater__og_hvordan_gj_re_verden_sikrere.html</link>
3858 <guid isPermaLink="true">https://people.skolelinux.org/pere/blog/Sikkerhet__teater__og_hvordan_gj_re_verden_sikrere.html</guid>
3859 <pubDate>Wed, 30 Dec 2009 16:35:00 +0100</pubDate>
3860 <description>&lt;p&gt;Via Slashdot fant jeg en
3861 &lt;a href=&quot;http://www.cnn.com/2009/OPINION/12/29/schneier.air.travel.security.theater/index.html&quot;&gt;nydelig
3862 kommentar fra Bruce Schneier&lt;/a&gt; som ble publisert hos CNN i går. Den
3863 forklarer forbilledlig hvorfor sikkerhetsteater og innføring av
3864 totalitære politistatmetoder ikke er løsningen for å gjøre verden
3865 sikrere. Anbefales på det varmeste.&lt;/p&gt;
3866
3867 &lt;p&gt;Oppdatering: Kom over
3868 &lt;a href=&quot;http://gizmodo.com/5435675/president-obama-its-time-to-fire-the-tsa&quot;&gt;nok
3869 en kommentar&lt;/a&gt; om den manglende effekten av dagens sikkerhetsteater
3870 på flyplassene.&lt;/p&gt;
3871 </description>
3872 </item>
3873
3874 <item>
3875 <title>Jeg vil ikke ha BankID</title>
3876 <link>https://people.skolelinux.org/pere/blog/Jeg_vil_ikke_ha_BankID.html</link>
3877 <guid isPermaLink="true">https://people.skolelinux.org/pere/blog/Jeg_vil_ikke_ha_BankID.html</guid>
3878 <pubDate>Fri, 30 Oct 2009 13:05:00 +0100</pubDate>
3879 <description>&lt;p&gt;Min hovedbankforbindelse,
3880 &lt;a href=&quot;http://www.postbanken.no/&quot;&gt;Postbanken&lt;/a&gt;, har fra 1. oktober
3881 blokkert tilgangen min til nettbanken hvis jeg ikke godtar vilkårene
3882 for &lt;a href=&quot;https://www.bankid.no/&quot;&gt;BankID&lt;/a&gt; og går over til å
3883 bruke BankID for tilgangskontroll. Tidligere kunne jeg bruke en
3884 kodekalkulator som ga tilgang til nettbanken, men nå er dette ikke
3885 lenger mulig. Jeg blokkeres ute fra nettbanken og mine egne penger
3886 hvis jeg ikke godtar det jeg anser som urimelige vilkår i
3887 BankID-avtalen.&lt;/p&gt;
3888
3889 &lt;p&gt;BankID er en løsning der banken gis rett til å handle på vegne av
3890 meg, med avtalemessig forutsetning at jeg i hvert enkelt tilfelle har
3891 bedt banken gjøre dette. BankID kan brukes til å signere avtaler,
3892 oppta lån og andre handlinger som har alvorlige følger for meg.
3893 Problemet slik jeg ser det er at BankID er lagt opp slik at banken har
3894 all informasjon og tilgang som den trenger for å bruke BankID, også
3895 uten at jeg er involvert. Avtalemessing og juridisk skal de kun bruke
3896 min BankID når jeg har oppgitt pinkode og passord, men praktisk og
3897 konkret kan de gjøre dette også uten at min pinkode eller mitt passord
3898 er oppgitt, da de allerede har min pinkode og passord tilgjengelig hos
3899 seg for å kunne sjekke at riktig pinkode og passord er oppgitt av meg
3900 (eller kan skaffe seg det ved behov). Jeg ønsker ikke å gi banken
3901 rett til å inngå avtaler på vegne av meg.&lt;/p&gt;
3902
3903 &lt;p&gt;Rent teknisk er BankID et offentlig nøkkelpar, en privat og en
3904 offentlig nøkkel, der den private nøkkelen er nødvendig for å
3905 &quot;signere&quot; på vegne av den nøkkelen gjelder for, og den offentlige
3906 nøkkelen er nødvendig for å sjekke hvem som har signert. Banken
3907 sitter på både den private og den offentlige nøkkelen, og sier de kun
3908 skal bruke den private hvis kunden ber dem om det og oppgir pinkode og
3909 passord.&lt;/p&gt;
3910
3911
3912 &lt;p&gt;I postbankens
3913 &lt;a href=&quot;https://www.postbanken.no//portalfront/nedlast/no/person/avtaler/BankID_avtale.pdf&quot;&gt;vilkår
3914 for BankID&lt;/a&gt; står følgende:&lt;/p&gt;
3915
3916 &lt;blockquote&gt;
3917 &lt;p&gt;&quot;6. Anvendelsesområdet for BankID&lt;/p&gt;
3918
3919 &lt;p&gt;PersonBankID kan benyttes fra en datamaskin, eller etter nærmere
3920 avtale fra en mobiltelefon/SIM-kort, for pålogging i nettbank og til
3921 identifisering og signering i forbindelse med elektronisk
3922 meldingsforsendelse, avtaleinngåelse og annen form for nettbasert
3923 elektronisk kommunikasjon med Banken og andre brukersteder som har
3924 tilrettelagt for bruk av BankID. Dette forutsetter at brukerstedet
3925 har inngått avtale med bank om bruk av BankID.&quot;&lt;/p&gt;
3926 &lt;/blockquote&gt;
3927
3928 &lt;p&gt;Det er spesielt retten til &quot;avtaleinngåelse&quot; jeg synes er urimelig
3929 å kreve for at jeg skal få tilgang til mine penger via nettbanken, men
3930 også retten til å kommunisere på vegne av meg med andre brukersteder og
3931 signering av meldinger synes jeg er problematisk. Jeg må godta at
3932 banken skal kunne signere for meg på avtaler og annen kommunikasjon
3933 for å få BankID.&lt;/p&gt;
3934
3935 &lt;p&gt;På spørsmål om hvordan jeg kan få tilgang til nettbank uten å gi
3936 banken rett til å inngå avtaler på vegne av meg svarer Postbankens
3937 kundestøtte at &quot;Postbanken har valgt BankID for bl.a. pålogging i
3938 nettbank , så her må du nok ha hele denne løsningen&quot;. Jeg nektes
3939 altså tilgang til nettbanken inntil jeg godtar at Postbanken kan
3940 signere avtaler på vegne av meg.&lt;/p&gt;
3941
3942 &lt;p&gt;Postbankens kundestøtte sier videre at &quot;Det har blitt et krav til
3943 alle norske banker om å innføre BankID, bl.a på grunn av
3944 sikkerhet&quot;, uten at jeg her helt sikker på hvem som har framsatt
3945 dette kravet. [Oppdatering: Postbankens kundestøtte sier kravet er
3946 fastsatt av &lt;a href=&quot;http://www.kredittilsynet.no/&quot;&gt;kreditttilsynet&lt;/a&gt;
3947 og &lt;a href=&quot;http://www.bbs.no/&quot;&gt;BBS&lt;/a&gt;.] Det som er situasjonen er
3948 dog at det er svært få banker igjen som ikke bruker BankID, og jeg
3949 vet ikke hvilken bank som er et godt alternativ for meg som ikke vil
3950 gi banken rett til å signere avtaler på mine vegne.&lt;/p&gt;
3951
3952 &lt;p&gt;Jeg ønsker mulighet til å reservere meg mot at min BankID brukes
3953 til annet enn å identifisere meg overfor nettbanken før jeg vil ta i
3954 bruk BankID. Ved nettbankbruk er det begrenset hvor store skader som
3955 kan oppstå ved misbruk, mens avtaleinngåelse ikke har tilsvarende
3956 begrensing.&lt;/p&gt;
3957
3958 &lt;p&gt;Jeg har klaget vilkårene inn for &lt;a
3959 href=&quot;http://www.forbrukerombudet.no/&quot;&gt;forbrukerombudet&lt;/a&gt;, men
3960 regner ikke med at de vil kunne bidra til en rask løsning som gir meg
3961 nettbankkontroll over egne midler. :(
3962
3963 &lt;p&gt;Oppdatering 2012-09-13: Aftenposten melder i dag at det er
3964 &lt;a href=&quot;http://www.aftenposten.no/nyheter/iriks/Tyver-kan-tappe-kontoen-din---selv-uten-passord-og-pinkode--6989793.html&quot;&gt;sikkerhetsproblem
3965 med BankID&lt;/a&gt; som gjør at ens bankkonto kan tappes helt uten at en
3966 har delt passord og pinkode med noen. Dette illustrerer veldig bra
3967 mitt poeng om at banken kan operere på kontoen (og signere avtaler
3968 etc) helt uten at jeg er involvert. Jeg takker derfor fortsatt nei
3969 til BankID-modellen.&lt;/p&gt;
3970
3971 &lt;p&gt;Oppdatering 2015-11-17: Fant en
3972 &lt;a href=&quot;http://1and1are2.blogspot.no/2014/05/bankid-elektronisk-sppel.html&quot;&gt;bloggpost
3973 fra Britt Lysaa som belyser hvilke inngrep i privatsfæren bruken av
3974 BankID utgjør&lt;/a&gt;, i tillegg til de sikkerhetsmessige vurderingene
3975 omtalt over. Anbefalt lesning.&lt;/p&gt;
3976 </description>
3977 </item>
3978
3979 <item>
3980 <title>Sikkerhet til sjøs trenger sjøkart uten bruksbegresninger</title>
3981 <link>https://people.skolelinux.org/pere/blog/Sikkerhet_til_sj_s_trenger_sj_kart_uten_bruksbegresninger.html</link>
3982 <guid isPermaLink="true">https://people.skolelinux.org/pere/blog/Sikkerhet_til_sj_s_trenger_sj_kart_uten_bruksbegresninger.html</guid>
3983 <pubDate>Sun, 23 Aug 2009 10:00:00 +0200</pubDate>
3984 <description>&lt;p&gt;Sikkerhet til sjøs burde være noe som opptar mange etter den siste
3985 oljeutslippsulykken med Full City, som har drept mye liv langs sjøen.
3986 En viktig faktor for å bedre sikkerheten til sjøs er at alle som
3987 ferdes på sjøen har tilgang til oppdaterte sjøkart som forteller hvor
3988 det grunner og annet en må ta hensyn til på sjøen.&lt;/p&gt;
3989
3990 &lt;p&gt;Hvis en er enig i at tilgang til oppdaterte sjøkart er viktig for
3991 sikkerheten på sjøen, så er det godt å vite at det i dag er teknisk
3992 mulig å sikre alle enkel tilgang til oppdaterte digitale kart over
3993 Internet. Det trenger heller ikke være spesielt kostbart.&lt;/p&gt;
3994
3995 &lt;p&gt;Både ved Rocknes-ulykken i Vatlestraumen, der 18 mennesker mistet
3996 livet, og ved Full City-ulykken utenfor Langesund, der mange tonn olje
3997 lekket ut i havet, var det registrert problemer relatert til
3998 oppdaterte sjøkart. Ved Rocknes-ulykken var de elektroniske kartene
3999 som ble brukt ikke oppdatert med informasjon om nyoppdagede grunner og
4000 losen kjente visst ikke til disse nye grunnene. Papirkartene var dog
4001 oppdaterte. Ved Full City-ulykken hadde en kontroll av skipet noen
4002 uker tidligere konstatert manglende sjøkart.&lt;/p&gt;
4003
4004 &lt;p&gt;Jeg tror en løsning der digitale sjøkart kunne lastes ned direkte
4005 fra sjøkartverket av alle som ønsket oppdaterte sjøkart, uten
4006 brukerbetaling og uten bruksbegresninger knyttet til kartene, vil
4007 gjøre at flere folk på sjøen vil holde seg med oppdaterte sjøkart,
4008 eller sjøkart i det hele tatt. Resultatet av dette vil være økt
4009 sikkerhet på sjøen. En undersøkelse gjennomført av Opinion for
4010 Gjensidige i 2008 fortalte at halvparten av alle båteierne i landet
4011 ikke har sjøkart i båten.&lt;/p&gt;
4012
4013 &lt;p&gt;Formatet på de digitale sjøkartene som gjøres tilgjengelig fra
4014 sjøkartverket må være i henhold til en fri og åpen standard, slik at
4015 en ikke er låst til enkeltaktørers godvilje når datafilene skal tolkes
4016 og forstås, men trenger ikke publiseres fra sjøkartverket i alle
4017 formatene til verdens skips-GPS-er i tillegg. Hvis det ikke er
4018 kostbart for sjøkartverket bør de gjerne gjøre det selv, men slik
4019 konvertering kan andre ta seg av hvis det er et marked for det.&lt;/p&gt;
4020
4021 &lt;p&gt;Hvis staten mener alvor med å forbedre sikkerheten til sjøs, må de
4022 gjøre sitt for at alle båteiere har oppdaterte kart, ikke bare snakke
4023 om hvor viktig det er at de har oppdaterte kart. Det bør være
4024 viktigere for staten at båtene &lt;strong&gt;har&lt;/strong&gt; oppdaterte kart
4025 enn at de er pålagt å ha oppdaterte kart.&lt;/p&gt;
4026
4027 &lt;p&gt;Sjøkartene er &lt;a href=&quot;http://kart.kystverket.no/&quot;&gt;tilgjengelig på web
4028 fra kystverket&lt;/a&gt;, men så vidt jeg har klart å finne, uten
4029 bruksvilkår som muliggjør gjenbruk uten bruksbegresninger.&lt;/p&gt;
4030
4031 &lt;p&gt;OpenStreetmap.org-folk er lei av mangel på sjøkart, og har startet
4032 på et dugnadsbasert fribrukskart for havet,
4033 &lt;a href=&quot;http://openseamap.org/&quot;&gt;OpenSeaMap&lt;/a&gt;. Datagrunnlaget er
4034 OpenStreetmap, mens framvisningen er tilpasset bruk på sjøen. Det
4035 gjenstår mye før en kan bruke dette til å seile sikkert på havet, men
4036 det viser at behovet for fribruks-sjøkart er til stedet.&lt;/p&gt;
4037 </description>
4038 </item>
4039
4040 <item>
4041 <title>Litt om valgfusk og problemet med elektronisk stemmegiving</title>
4042 <link>https://people.skolelinux.org/pere/blog/Litt_om_valgfusk_og_problemet_med_elektronisk_stemmegiving.html</link>
4043 <guid isPermaLink="true">https://people.skolelinux.org/pere/blog/Litt_om_valgfusk_og_problemet_med_elektronisk_stemmegiving.html</guid>
4044 <pubDate>Wed, 17 Jun 2009 14:20:00 +0200</pubDate>
4045 <description>&lt;p&gt;&lt;a href=&quot;http://www.aftenposten.no/nyheter/uriks/article3127058.ece&quot;&gt;Aftenposten
4046 melder&lt;/a&gt; at det kan se ut til at Iran ikke har lært av USA når det
4047 gjelder valgfusk. En bør endre tallene før de publiseres, slik at en
4048 kandidat aldri får færre stemmer under opptellingen, ellers blir det
4049 veldig tydelig at tallene ikke er til å stole på. I USA er det
4050 derimot &lt;a href=&quot;http://www.blackboxvoting.org/&quot;&gt;rapporter om at
4051 tallene har vært endret&lt;/a&gt; på tur mot opptellingen, ikke etter at
4052 tallene er publiserte (i tillegg til en rekke andre irregulariteter).
4053 En ting Iran åpenbart har forstått, er verdien av å kunne
4054 kontrolltelle stemmer. Det ligger an til kontrolltelling i hvert fall
4055 i noen områder. Hvorvidt det har verdi, kommer an på hvordan
4056 stemmene har vært oppbevart.&lt;/p&gt;
4057
4058 &lt;p&gt;&lt;a href=&quot;http://universitas.no/kronikk/48334/kan-vi-stole-pa-universitetets-elektroniske-valgsystem-/&quot;&gt;Universitetet
4059 i Oslo derimot&lt;/a&gt;, har ikke forstått verdien av å kunne
4060 kontrolltelle. Her har en valgt å ta i bruk elektronisk stemmegiving
4061 over Internet, med et system som ikke kan kontrolltelles hvis det
4062 kommer anklager om juks med stemmene. Systemet har flere kjente
4063 problemer og er i mine øyne ikke bedre enn en spørreundersøkelse, og
4064 jeg har derfor latt være å stemme ved valg på UiO siden det ble
4065 innført.&lt;/p&gt;
4066
4067 &lt;p&gt;Universitet i Bergen derimot har klart det kunststykket å aktivt gå
4068 inn for å gjøre det kjent at det elektroniske stemmegivingssystemet
4069 over Internet &lt;a href=&quot;http://nyheter.uib.no/?modus=vis_nyhet&amp;id=43404&quot;&gt;kan
4070 spore hvem som stemmer hva&lt;/a&gt; (det kan en forøvrig også ved UiO), og tatt
4071 kontakt med stemmegivere for å spørre hvorfor de stemte som de gjorde.
4072 Hemmelige valg står for fall. Mon tro hva stemmesedlenne hadde
4073 inneholdt i Iran hvis de ikke hadde hemmelige valg?&lt;/p&gt;
4074 </description>
4075 </item>
4076
4077 <item>
4078 <title>Kryptert harddisk - naturligvis</title>
4079 <link>https://people.skolelinux.org/pere/blog/Kryptert_harddisk___naturligvis.html</link>
4080 <guid isPermaLink="true">https://people.skolelinux.org/pere/blog/Kryptert_harddisk___naturligvis.html</guid>
4081 <pubDate>Sat, 2 May 2009 15:30:00 +0200</pubDate>
4082 <description>&lt;p&gt;&lt;a href=&quot;http://www.dagensit.no/trender/article1658676.ece&quot;&gt;Dagens
4083 IT melder&lt;/a&gt; at Intel hevder at det er dyrt å miste en datamaskin,
4084 når en tar tap av arbeidstid, fortrolige dokumenter,
4085 personopplysninger og alt annet det innebærer. Det er ingen tvil om
4086 at det er en kostbar affære å miste sin datamaskin, og det er årsaken
4087 til at jeg har kryptert harddisken på både kontormaskinen og min
4088 bærbare. Begge inneholder personopplysninger jeg ikke ønsker skal
4089 komme på avveie, den første informasjon relatert til jobben min ved
4090 Universitetet i Oslo, og den andre relatert til blant annet
4091 foreningsarbeide. Kryptering av diskene gjør at det er lite
4092 sannsynlig at dophoder som kan finne på å rappe maskinene får noe ut
4093 av dem. Maskinene låses automatisk etter noen minutter uten bruk,
4094 og en reboot vil gjøre at de ber om passord før de vil starte opp.
4095 Jeg bruker Debian på begge maskinene, og installasjonssystemet der
4096 gjør det trivielt å sette opp krypterte disker. Jeg har LVM på toppen
4097 av krypterte partisjoner, slik at alt av datapartisjoner er kryptert.
4098 Jeg anbefaler alle å kryptere diskene på sine bærbare. Kostnaden når
4099 det er gjort slik jeg gjør det er minimale, og gevinstene er
4100 betydelige. En bør dog passe på passordet. Hvis det går tapt, må
4101 maskinen reinstalleres og alt er tapt.&lt;/p&gt;
4102
4103 &lt;p&gt;Krypteringen vil ikke stoppe kompetente angripere som f.eks. kjøler
4104 ned minnebrikkene før maskinen rebootes med programvare for å hente ut
4105 krypteringsnøklene. Kostnaden med å forsvare seg mot slike angripere
4106 er for min del høyere enn gevinsten. Jeg tror oddsene for at
4107 f.eks. etteretningsorganisasjoner har glede av å titte på mine
4108 maskiner er minimale, og ulempene jeg ville oppnå ved å forsøke å
4109 gjøre det vanskeligere for angripere med kompetanse og ressurser er
4110 betydelige.&lt;/p&gt;
4111 </description>
4112 </item>
4113
4114 </channel>
4115 </rss>