1 <?xml version=
"1.0" encoding=
"utf-8"?>
2 <rss version='
2.0' xmlns:lj='http://www.livejournal.org/rss/lj/
1.0/' xmlns:
atom=
"http://www.w3.org/2005/Atom">
4 <title>Petter Reinholdtsen
</title>
5 <description></description>
6 <link>http://people.skolelinux.org/pere/blog/
</link>
7 <atom:link href=
"http://people.skolelinux.org/pere/blog/index.rss" rel=
"self" type=
"application/rss+xml" />
10 <title>Detecting NFS hangs on Linux without hanging yourself...
</title>
11 <link>http://people.skolelinux.org/pere/blog/Detecting_NFS_hangs_on_Linux_without_hanging_yourself___.html
</link>
12 <guid isPermaLink=
"true">http://people.skolelinux.org/pere/blog/Detecting_NFS_hangs_on_Linux_without_hanging_yourself___.html
</guid>
13 <pubDate>Thu,
9 Mar
2017 15:
20:
00 +
0100</pubDate>
14 <description><p
>Over the years, administrating thousand of NFS mounting linux
15 computers at the time, I often needed a way to detect if the machine
16 was experiencing NFS hang. If you try to use
<tt
>df
</tt
> or look at a
17 file or directory affected by the hang, the process (and possibly the
18 shell) will hang too. So you want to be able to detect this without
19 risking the detection process getting stuck too. It has not been
20 obvious how to do this. When the hang has lasted a while, it is
21 possible to find messages like these in dmesg:
</p
>
23 <p
><blockquote
>
24 nfs: server nfsserver not responding, still trying
25 <br
>nfs: server nfsserver OK
26 </blockquote
></p
>
28 <p
>It is hard to know if the hang is still going on, and it is hard to
29 be sure looking in dmesg is going to work. If there are lots of other
30 messages in dmesg the lines might have rotated out of site before they
31 are noticed.
</p
>
33 <p
>While reading through the nfs client implementation in linux kernel
34 code, I came across some statistics that seem to give a way to detect
35 it. The om_timeouts sunrpc value in the kernel will increase every
36 time the above log entry is inserted into dmesg. And after digging a
37 bit further, I discovered that this value show up in
38 /proc/self/mountstats on Linux.
</p
>
40 <p
>The mountstats content seem to be shared between files using the
41 same file system context, so it is enough to check one of the
42 mountstats files to get the state of the mount point for the machine.
43 I assume this will not show lazy umounted NFS points, nor NFS mount
44 points in a different process context (ie with a different filesystem
45 view), but that does not worry me.
</p
>
47 <p
>The content for a NFS mount point look similar to this:
</p
>
49 <p
><blockquote
><pre
>
51 device /dev/mapper/Debian-var mounted on /var with fstype ext3
52 device nfsserver:/mnt/nfsserver/home0 mounted on /mnt/nfsserver/home0 with fstype nfs statvers=
1.1
53 opts: rw,vers=
3,rsize=
65536,wsize=
65536,namlen=
255,acregmin=
3,acregmax=
60,acdirmin=
30,acdirmax=
60,soft,nolock,proto=tcp,timeo=
600,retrans=
2,sec=sys,mountaddr=
129.240.3.145,mountvers=
3,mountport=
4048,mountproto=udp,local_lock=all
55 caps: caps=
0x3fe7,wtmult=
4096,dtsize=
8192,bsize=
0,namlen=
255
56 sec: flavor=
1,pseudoflavor=
1
57 events:
61063112 732346265 1028140 35486205 16220064 8162542 761447191 71714012 37189 3891185 45561809 110486139 4850138 420353 15449177 296502 52736725 13523379 0 52182 9016896 1231 0 0 0 0 0
58 bytes:
166253035039 219519120027 0 0 40783504807 185466229638 11677877 45561809
59 RPC iostats version:
1.0 p/v:
100003/
3 (nfs)
60 xprt: tcp
925 1 6810 0 0 111505412 111480497 109 2672418560317 0 248 53869103 22481820
63 GETATTR:
61063106 61063108 0 9621383060 6839064400 453650 77291321 78926132
64 SETATTR:
463469 463470 0 92005440 66739536 63787 603235 687943
65 LOOKUP:
17021657 17021657 0 3354097764 4013442928 57216 35125459 35566511
66 ACCESS:
14281703 14290009 5 2318400592 1713803640 1709282 4865144 7130140
67 READLINK:
125 125 0 20472 18620 0 1112 1118
68 READ:
4214236 4214237 0 715608524 41328653212 89884 22622768 22806693
69 WRITE:
8479010 8494376 22 187695798568 1356087148 178264904 51506907 231671771
70 CREATE:
171708 171708 0 38084748 46702272 873 1041833 1050398
71 MKDIR:
3680 3680 0 773980 993920 26 23990 24245
72 SYMLINK:
903 903 0 233428 245488 6 5865 5917
73 MKNOD:
80 80 0 20148 21760 0 299 304
74 REMOVE:
429921 429921 0 79796004 61908192 3313 2710416 2741636
75 RMDIR:
3367 3367 0 645112 484848 22 5782 6002
76 RENAME:
466201 466201 0 130026184 121212260 7075 5935207 5961288
77 LINK:
289155 289155 0 72775556 67083960 2199 2565060 2585579
78 READDIR:
2933237 2933237 0 516506204 13973833412 10385 3190199 3297917
79 READDIRPLUS:
1652839 1652839 0 298640972 6895997744 84735 14307895 14448937
80 FSSTAT:
6144 6144 0 1010516 1032192 51 9654 10022
81 FSINFO:
2 2 0 232 328 0 1 1
82 PATHCONF:
1 1 0 116 140 0 0 0
83 COMMIT:
0 0 0 0 0 0 0 0
85 device binfmt_misc mounted on /proc/sys/fs/binfmt_misc with fstype binfmt_misc
87 </pre
></blockquote
></p
>
89 <p
>The key number to look at is the third number in the per-op list.
90 It is the number of NFS timeouts experiences per file system
91 operation. Here
22 write timeouts and
5 access timeouts. If these
92 numbers are increasing, I believe the machine is experiencing NFS
93 hang. Unfortunately the timeout value do not start to increase right
94 away. The NFS operations need to time out first, and this can take a
95 while. The exact timeout value depend on the setup. For example the
96 defaults for TCP and UDP mount points are quite different, and the
97 timeout value is affected by the soft, hard, timeo and retrans NFS
98 mount options.
</p
>
100 <p
>The only way I have been able to get working on Debian and RedHat
101 Enterprise Linux for getting the timeout count is to peek in /proc/.
103 <ahref=
"http://docs.oracle.com/cd/E19253-
01/
816-
4555/netmonitor-
12/index.html
">Solaris
104 10 System Administration Guide: Network Services
</a
>, the
'nfsstat -c
'
105 command can be used to get these timeout values. But this do not work
106 on Linux, as far as I can tell. I
107 <ahref=
"http://bugs.debian.org/
857043">asked Debian about this
</a
>,
108 but have not seen any replies yet.
</p
>
110 <p
>Is there a better way to figure out if a Linux NFS client is
111 experiencing NFS hangs? Is there a way to detect which processes are
112 affected? Is there a way to get the NFS mount going quickly once the
113 network problem causing the NFS hang has been cleared? I would very
114 much welcome some clues, as we regularly run into NFS hangs.
</p
>
119 <title>How does it feel to be wiretapped, when you should be doing the wiretapping...
</title>
120 <link>http://people.skolelinux.org/pere/blog/How_does_it_feel_to_be_wiretapped__when_you_should_be_doing_the_wiretapping___.html
</link>
121 <guid isPermaLink=
"true">http://people.skolelinux.org/pere/blog/How_does_it_feel_to_be_wiretapped__when_you_should_be_doing_the_wiretapping___.html
</guid>
122 <pubDate>Wed,
8 Mar
2017 11:
50:
00 +
0100</pubDate>
123 <description><p
>So the new president in the United States of America claim to be
124 surprised to discover that he was wiretapped during the election
125 before he was elected president. He even claim this must be illegal.
126 Well, doh, if it is one thing the confirmations from Snowden
127 documented, it is that the entire population in USA is wiretapped, one
128 way or another. Of course the president candidates were wiretapped,
129 alongside the senators, judges and the rest of the people in USA.
</p
>
131 <p
>Next, the Federal Bureau of Investigation ask the Department of
132 Justice to go public rejecting the claims that Donald Trump was
133 wiretapped illegally. I fail to see the relevance, given that I am
134 sure the surveillance industry in USA believe they have all the legal
135 backing they need to conduct mass surveillance on the entire
138 <p
>There is even the director of the FBI stating that he never saw an
139 order requesting wiretapping of Donald Trump. That is not very
140 surprising, given how the FISA court work, with all its activity being
141 secret. Perhaps he only heard about it?
</p
>
143 <p
>What I find most sad in this story is how Norwegian journalists
144 present it. In a news reports the other day in the radio from the
145 Norwegian National broadcasting Company (NRK), I heard the journalist
146 claim that
'the FBI denies any wiretapping
', while the reality is that
147 'the FBI denies any illegal wiretapping
'. There is a fundamental and
148 important difference, and it make me sad that the journalists are
149 unable to grasp it.
</p
>
151 <p
><strong
>Update
2017-
03-
13:
</strong
> Look like
152 <a href=
"https://theintercept.com/
2017/
03/
13/rand-paul-is-right-nsa-routinely-monitors-americans-communications-without-warrants/
">The
153 Intercept report that US Senator Rand Paul confirm what I state above
</a
>.
</p
>
158 <title>Norwegian Bokmål translation of The Debian Administrator
's Handbook complete, proofreading in progress
</title>
159 <link>http://people.skolelinux.org/pere/blog/Norwegian_Bokm_l_translation_of_The_Debian_Administrator_s_Handbook_complete__proofreading_in_progress.html
</link>
160 <guid isPermaLink=
"true">http://people.skolelinux.org/pere/blog/Norwegian_Bokm_l_translation_of_The_Debian_Administrator_s_Handbook_complete__proofreading_in_progress.html
</guid>
161 <pubDate>Fri,
3 Mar
2017 14:
50:
00 +
0100</pubDate>
162 <description><p
>For almost a year now, we have been working on making a Norwegian
163 Bokmål edition of
<a href=
"https://debian-handbook.info/
">The Debian
164 Administrator
's Handbook
</a
>. Now, thanks to the tireless effort of
165 Ole-Erik, Ingrid and Andreas, the initial translation is complete, and
166 we are working on the proof reading to ensure consistent language and
167 use of correct computer science terms. The plan is to make the book
168 available on paper, as well as in electronic form. For that to
169 happen, the proof reading must be completed and all the figures need
170 to be translated. If you want to help out, get in touch.
</p
>
172 <p
><a href=
"http://people.skolelinux.org/pere/debian-handbook/debian-handbook-nb-NO.pdf
">A
174 fresh PDF edition
</a
> in A4 format (the final book will have smaller
175 pages) of the book created every morning is available for
176 proofreading. If you find any errors, please
177 <a href=
"https://hosted.weblate.org/projects/debian-handbook/
">visit
178 Weblate and correct the error
</a
>. The
179 <a href=
"http://l.github.io/debian-handbook/stat/nb-NO/index.html
">state
180 of the translation including figures
</a
> is a useful source for those
181 provide Norwegian bokmål screen shots and figures.
</p
>
186 <title>Unlimited randomness with the ChaosKey?
</title>
187 <link>http://people.skolelinux.org/pere/blog/Unlimited_randomness_with_the_ChaosKey_.html
</link>
188 <guid isPermaLink=
"true">http://people.skolelinux.org/pere/blog/Unlimited_randomness_with_the_ChaosKey_.html
</guid>
189 <pubDate>Wed,
1 Mar
2017 20:
50:
00 +
0100</pubDate>
190 <description><p
>A few days ago I ordered a small batch of
191 <a href=
"http://altusmetrum.org/ChaosKey/
">the ChaosKey
</a
>, a small
192 USB dongle for generating entropy created by Bdale Garbee and Keith
193 Packard. Yesterday it arrived, and I am very happy to report that it
194 work great! According to its designers, to get it to work out of the
195 box, you need the Linux kernel version
4.1 or later. I tested on a
196 Debian Stretch machine (kernel version
4.9), and there it worked just
197 fine, increasing the available entropy very quickly. I wrote a small
198 test oneliner to test. It first print the current entropy level,
199 drain /dev/random, and then print the entropy level for five seconds.
200 Here is the situation without the ChaosKey inserted:
</p
>
202 <blockquote
><pre
>
203 % cat /proc/sys/kernel/random/entropy_avail; \
204 dd bs=
1M if=/dev/random of=/dev/null count=
1; \
205 for n in $(seq
1 5); do \
206 cat /proc/sys/kernel/random/entropy_avail; \
212 28 byte kopiert,
0,
000264565 s,
106 kB/s
219 </pre
></blockquote
>
221 <p
>The entropy level increases by
3-
4 every second. In such case any
222 application requiring random bits (like a HTTPS enabled web server)
223 will halt and wait for more entrpy. And here is the situation with
224 the ChaosKey inserted:
</p
>
226 <blockquote
><pre
>
227 % cat /proc/sys/kernel/random/entropy_avail; \
228 dd bs=
1M if=/dev/random of=/dev/null count=
1; \
229 for n in $(seq
1 5); do \
230 cat /proc/sys/kernel/random/entropy_avail; \
236 104 byte kopiert,
0,
000487647 s,
213 kB/s
243 </pre
></blockquote
>
245 <p
>Quite the difference. :) I bought a few more than I need, in case
246 someone want to buy one here in Norway. :)
</p
>
248 <p
>Update: The dongle was presented at Debconf last year. You might
249 find
<a href=
"https://debconf16.debconf.org/talks/
94/
">the talk
250 recording illuminating
</a
>. It explains exactly what the source of
251 randomness is, if you are unable to spot it from the schema drawing
252 available from the ChaosKey web site linked at the start of this blog
258 <title>Detect OOXML files with undefined behaviour?
</title>
259 <link>http://people.skolelinux.org/pere/blog/Detect_OOXML_files_with_undefined_behaviour_.html
</link>
260 <guid isPermaLink=
"true">http://people.skolelinux.org/pere/blog/Detect_OOXML_files_with_undefined_behaviour_.html
</guid>
261 <pubDate>Tue,
21 Feb
2017 00:
20:
00 +
0100</pubDate>
262 <description><p
>I just noticed
263 <a href=
"http://www.arkivrad.no/aktuelt/riksarkivarens-forskrift-pa-horing
">the
264 new Norwegian proposal for archiving rules in the goverment
</a
> list
265 <a href=
"http://www.ecma-international.org/publications/standards/Ecma-
376.htm
">ECMA-
376</a
>
266 / ISO/IEC
29500 (aka OOXML) as valid formats to put in long term
267 storage. Luckily such files will only be accepted based on
268 pre-approval from the National Archive. Allowing OOXML files to be
269 used for long term storage might seem like a good idea as long as we
270 forget that there are plenty of ways for a
"valid
" OOXML document to
271 have content with no defined interpretation in the standard, which
272 lead to a question and an idea.
</p
>
274 <p
>Is there any tool to detect if a OOXML document depend on such
275 undefined behaviour? It would be useful for the National Archive (and
276 anyone else interested in verifying that a document is well defined)
277 to have such tool available when considering to approve the use of
278 OOXML. I
'm aware of the
279 <a href=
"https://github.com/arlm/officeotron/
">officeotron OOXML
280 validator
</a
>, but do not know how complete it is nor if it will
281 report use of undefined behaviour. Are there other similar tools
282 available? Please send me an email if you know of any such tool.
</p
>
287 <title>Ruling ignored our objections to the seizure of popcorn-time.no (#domstolkontroll)
</title>
288 <link>http://people.skolelinux.org/pere/blog/Ruling_ignored_our_objections_to_the_seizure_of_popcorn_time_no___domstolkontroll_.html
</link>
289 <guid isPermaLink=
"true">http://people.skolelinux.org/pere/blog/Ruling_ignored_our_objections_to_the_seizure_of_popcorn_time_no___domstolkontroll_.html
</guid>
290 <pubDate>Mon,
13 Feb
2017 21:
30:
00 +
0100</pubDate>
291 <description><p
>A few days ago, we received the ruling from
292 <a href=
"http://people.skolelinux.org/pere/blog/A_day_in_court_challenging_seizure_of_popcorn_time_no_for__domstolkontroll.html
">my
293 day in court
</a
>. The case in question is a challenge of the seizure
294 of the DNS domain popcorn-time.no. The ruling simply did not mention
295 most of our arguments, and seemed to take everything ØKOKRIM said at
296 face value, ignoring our demonstration and explanations. But it is
297 hard to tell for sure, as we still have not seen most of the documents
298 in the case and thus were unprepared and unable to contradict several
299 of the claims made in court by the opposition. We are considering an
300 appeal, but it is partly a question of funding, as it is costing us
301 quite a bit to pay for our lawyer. If you want to help, please
302 <a href=
"http://www.nuug.no/dns-beslag-donasjon.shtml
">donate to the
303 NUUG defense fund
</a
>.
</p
>
305 <p
>The details of the case, as far as we know it, is available in
307 <a href=
"https://www.nuug.no/news/tags/dns-domenebeslag/
">the NUUG
308 blog
</a
>. This also include
309 <a href=
"https://www.nuug.no/news/Avslag_etter_rettslig_h_ring_om_DNS_beslaget___vurderer_veien_videre.shtml
">the
310 ruling itself
</a
>.
</p
>
315 <title>A day in court challenging seizure of popcorn-time.no for #domstolkontroll
</title>
316 <link>http://people.skolelinux.org/pere/blog/A_day_in_court_challenging_seizure_of_popcorn_time_no_for__domstolkontroll.html
</link>
317 <guid isPermaLink=
"true">http://people.skolelinux.org/pere/blog/A_day_in_court_challenging_seizure_of_popcorn_time_no_for__domstolkontroll.html
</guid>
318 <pubDate>Fri,
3 Feb
2017 11:
10:
00 +
0100</pubDate>
319 <description><p align=
"center
"><img width=
"70%
" src=
"http://people.skolelinux.org/pere/blog/images/
2017-
02-
01-popcorn-time-in-court.jpeg
"></p
>
321 <p
>On Wednesday, I spent the entire day in court in Follo Tingrett
322 representing
<a href=
"https://www.nuug.no/
">the member association
323 NUUG
</a
>, alongside
<a href=
"https://www.efn.no/
">the member
324 association EFN
</a
> and
<a href=
"http://www.imc.no
">the DNS registrar
325 IMC
</a
>, challenging the seizure of the DNS name popcorn-time.no. It
326 was interesting to sit in a court of law for the first time in my
327 life. Our team can be seen in the picture above: attorney Ola
328 Tellesbø, EFN board member Tom Fredrik Blenning, IMC CEO Morten Emil
329 Eriksen and NUUG board member Petter Reinholdtsen.
</p
>
331 <p
><a href=
"http://www.domstol.no/no/Enkelt-domstol/follo-tingrett/Nar-gar-rettssaken/Beramming/?cid=AAAA1701301512081262234UJFBVEZZZZZEJBAvtale
">The
332 case at hand
</a
> is that the Norwegian National Authority for
333 Investigation and Prosecution of Economic and Environmental Crime (aka
334 Økokrim) decided on their own, to seize a DNS domain early last
335 year, without following
336 <a href=
"https://www.norid.no/no/regelverk/navnepolitikk/#link12
">the
337 official policy of the Norwegian DNS authority
</a
> which require a
338 court decision. The web site in question was a site covering Popcorn
339 Time. And Popcorn Time is the name of a technology with both legal
340 and illegal applications. Popcorn Time is a client combining
341 searching a Bittorrent directory available on the Internet with
342 downloading/distribute content via Bittorrent and playing the
343 downloaded content on screen. It can be used illegally if it is used
344 to distribute content against the will of the right holder, but it can
345 also be used legally to play a lot of content, for example the
347 <a href=
"https://archive.org/details/movies
">available from the
348 Internet Archive
</a
> or the collection
349 <a href=
"http://vodo.net/films/
">available from Vodo
</a
>. We created
350 <a href=
"magnet:?xt=urn:btih:
86c1802af5a667ca56d3918aecb7d3c0f7173084
&dn=PresentasjonFolloTingrett.mov
&tr=udp%
3A%
2F%
2Fpublic.popcorn-tracker.org%
3A6969%
2Fannounce
">a
351 video demonstrating legally use of Popcorn Time
</a
> and played it in
352 Court. It can of course be downloaded using Bittorrent.
</p
>
354 <p
>I did not quite know what to expect from a day in court. The
355 government held on to their version of the story and we held on to
356 ours, and I hope the judge is able to make sense of it all. We will
357 know in two weeks time. Unfortunately I do not have high hopes, as
358 the Government have the upper hand here with more knowledge about the
359 case, better training in handling criminal law and in general higher
360 standing in the courts than fairly unknown DNS registrar and member
361 associations. It is expensive to be right also in Norway. So far the
362 case have cost more than NOK
70 000,-. To help fund the case, NUUG
363 and EFN have asked for donations, and managed to collect around NOK
25
364 000,- so far. Given the presentation from the Government, I expect
365 the government to appeal if the case go our way. And if the case do
366 not go our way, I hope we have enough funding to appeal.
</p
>
368 <p
>From the other side came two people from Økokrim. On the benches,
369 appearing to be part of the group from the government were two people
370 from the Simonsen Vogt Wiik lawyer office, and three others I am not
371 quite sure who was. Økokrim had proposed to present two witnesses
372 from The Motion Picture Association, but this was rejected because
373 they did not speak Norwegian and it was a bit late to bring in a
374 translator, but perhaps the two from MPA were present anyway. All
375 seven appeared to know each other. Good to see the case is take
378 <p
>If you, like me, believe the courts should be involved before a DNS
379 domain is hijacked by the government, or you believe the Popcorn Time
380 technology have a lot of useful and legal applications, I suggest you
381 too
<a href=
"http://www.nuug.no/dns-beslag-donasjon.shtml
">donate to
382 the NUUG defense fund
</a
>. Both Bitcoin and bank transfer are
383 available. If NUUG get more than we need for the legal action (very
384 unlikely), the rest will be spend promoting free software, open
385 standards and unix-like operating systems in Norway, so no matter what
386 happens the money will be put to good use.
</p
>
388 <p
>If you want to lean more about the case, I recommend you check out
389 <a href=
"https://www.nuug.no/news/tags/dns-domenebeslag/
">the blog
390 posts from NUUG covering the case
</a
>. They cover the legal arguments
391 on both sides.
</p
>
396 <title>Nasjonalbiblioteket avslutter sin ulovlige bruk av Google Skjemaer
</title>
397 <link>http://people.skolelinux.org/pere/blog/Nasjonalbiblioteket_avslutter_sin_ulovlige_bruk_av_Google_Skjemaer.html
</link>
398 <guid isPermaLink=
"true">http://people.skolelinux.org/pere/blog/Nasjonalbiblioteket_avslutter_sin_ulovlige_bruk_av_Google_Skjemaer.html
</guid>
399 <pubDate>Thu,
12 Jan
2017 09:
40:
00 +
0100</pubDate>
400 <description><p
>I dag fikk jeg en skikkelig gladmelding. Bakgrunnen er at før jul
401 arrangerte Nasjonalbiblioteket
402 <a href=
"http://www.nb.no/Bibliotekutvikling/Kunnskapsorganisering/Nasjonalt-verksregister/Seminar-om-verksregister
">et
403 seminar om sitt knakende gode tiltak «verksregister»
</a
>. Eneste
404 måten å melde seg på dette seminaret var å sende personopplysninger
405 til Google via Google Skjemaer. Dette syntes jeg var tvilsom praksis,
406 da det bør være mulig å delta på seminarer arrangert av det offentlige
407 uten å måtte dele sine interesser, posisjon og andre
408 personopplysninger med Google. Jeg ba derfor om innsyn via
409 <a href=
"https://www.mimesbronn.no/
">Mimes brønn
</a
> i
410 <a href=
"https://www.mimesbronn.no/request/personopplysninger_til_google_sk
">avtaler
411 og vurderinger Nasjonalbiblioteket hadde rundt dette
</a
>.
412 Personopplysningsloven legger klare rammer for hva som må være på
413 plass før en kan be tredjeparter, spesielt i utlandet, behandle
414 personopplysninger på sine vegne, så det burde eksistere grundig
415 dokumentasjon før noe slikt kan bli lovlig. To jurister hos
416 Nasjonalbiblioteket mente først dette var helt i orden, og at Googles
417 standardavtale kunne brukes som databehandlingsavtale. Det syntes jeg
418 var merkelig, men har ikke hatt kapasitet til å følge opp saken før
419 for to dager siden.
</p
>
421 <p
>Gladnyheten i dag, som kom etter at jeg tipset Nasjonalbiblioteket
422 om at Datatilsynet underkjente Googles standardavtaler som
423 databehandleravtaler i
2011, er at Nasjonalbiblioteket har bestemt seg
424 for å avslutte bruken av Googles Skjemaer/Apps og gå i dialog med DIFI
425 for å finne bedre måter å håndtere påmeldinger i tråd med
426 personopplysningsloven. Det er fantastisk å se at av og til hjelper
427 det å spørre hva i alle dager det offentlige holder på med.
</p
>
432 <title>Bryter NAV sin egen personvernerklæring?
</title>
433 <link>http://people.skolelinux.org/pere/blog/Bryter_NAV_sin_egen_personvernerkl_ring_.html
</link>
434 <guid isPermaLink=
"true">http://people.skolelinux.org/pere/blog/Bryter_NAV_sin_egen_personvernerkl_ring_.html
</guid>
435 <pubDate>Wed,
11 Jan
2017 06:
50:
00 +
0100</pubDate>
436 <description><p
>Jeg leste med interesse en nyhetssak hos
437 <a href=
"http://www.digi.no/artikler/nav-avslorer-trygdemisbruk-ved-a-spore-ip-adresser/
367394">digi.no
</a
>
439 <a href=
"https://www.nrk.no/buskerud/trygdesvindlere-avslores-av-utenlandske-ip-adresser-
1.13313461">NRK
</a
>
440 om at det ikke bare er meg, men at også NAV bedriver geolokalisering
441 av IP-adresser, og at det gjøres analyse av IP-adressene til de som
442 sendes inn meldekort for å se om meldekortet sendes inn fra
443 utenlandske IP-adresser. Politiadvokat i Drammen, Hans Lyder Haare,
444 er sitert i NRK på at «De to er jo blant annet avslørt av
445 IP-adresser. At man ser at meldekortet kommer fra utlandet.»
</p
>
447 <p
>Jeg synes det er fint at det blir bedre kjent at IP-adresser
448 knyttes til enkeltpersoner og at innsamlet informasjon brukes til å
449 stedsbestemme personer også av aktører her i Norge. Jeg ser det som
450 nok et argument for å bruke
451 <a href=
"https://www.torproject.org/
">Tor
</a
> så mye som mulig for å
452 gjøre gjøre IP-lokalisering vanskeligere, slik at en kan beskytte sin
453 privatsfære og unngå å dele sin fysiske plassering med
454 uvedkommede.
</p
>
456 <P
>Men det er en ting som bekymrer meg rundt denne nyheten. Jeg ble
457 tipset (takk #nuug) om
458 <a href=
"https://www.nav.no/no/NAV+og+samfunn/Kontakt+NAV/Teknisk+brukerstotte/Snarveier/personvernerkl%C3%A6ring-for-arbeids-og-velferdsetaten
">NAVs
459 personvernerklæring
</a
>, som under punktet «Personvern og statistikk»
462 <p
><blockquote
>
464 <p
>«Når du besøker nav.no, etterlater du deg elektroniske spor. Sporene
465 dannes fordi din nettleser automatisk sender en rekke opplysninger til
466 NAVs tjener (server-maskin) hver gang du ber om å få vist en side. Det
467 er eksempelvis opplysninger om hvilken nettleser og -versjon du
468 bruker, og din internettadresse (ip-adresse). For hver side som vises,
469 lagres følgende opplysninger:
</p
>
472 <li
>hvilken side du ser på
</li
>
473 <li
>dato og tid
</li
>
474 <li
>hvilken nettleser du bruker
</li
>
475 <li
>din ip-adresse
</li
>
478 <p
>Ingen av opplysningene vil bli brukt til å identifisere
479 enkeltpersoner. NAV bruker disse opplysningene til å generere en
480 samlet statistikk som blant annet viser hvilke sider som er mest
481 populære. Statistikken er et redskap til å forbedre våre
482 tjenester.»
</p
>
484 </blockquote
></p
>
486 <p
>Jeg klarer ikke helt å se hvordan analyse av de besøkendes
487 IP-adresser for å se hvem som sender inn meldekort via web fra en
488 IP-adresse i utlandet kan gjøres uten å komme i strid med påstanden om
489 at «ingen av opplysningene vil bli brukt til å identifisere
490 enkeltpersoner». Det virker dermed for meg som at NAV bryter sine
491 egen personvernerklæring, hvilket
492 <a href=
"http://people.skolelinux.org/pere/blog/Er_lover_brutt_n_r_personvernpolicy_ikke_stemmer_med_praksis_.html
">Datatilsynet
493 fortalte meg i starten av desember antagelig er brudd på
494 personopplysningsloven
</a
>.
496 <p
>I tillegg er personvernerklæringen ganske misvisende i og med at
497 NAVs nettsider ikke bare forsyner NAV med personopplysninger, men i
498 tillegg ber brukernes nettleser kontakte fem andre nettjenere
499 (script.hotjar.com, static.hotjar.com, vars.hotjar.com,
500 www.google-analytics.com og www.googletagmanager.com), slik at
501 personopplysninger blir gjort tilgjengelig for selskapene Hotjar og
502 Google , og alle som kan lytte på trafikken på veien (som FRA, GCHQ og
503 NSA). Jeg klarer heller ikke se hvordan slikt spredning av
504 personopplysninger kan være i tråd med kravene i
505 personopplysningloven, eller i tråd med NAVs personvernerklæring.
</p
>
507 <p
>Kanskje NAV bør ta en nøye titt på sin personvernerklæring? Eller
508 kanskje Datatilsynet bør gjøre det?
</p
>
513 <title>Where did that package go?
&mdash; geolocated IP traceroute
</title>
514 <link>http://people.skolelinux.org/pere/blog/Where_did_that_package_go___mdash__geolocated_IP_traceroute.html
</link>
515 <guid isPermaLink=
"true">http://people.skolelinux.org/pere/blog/Where_did_that_package_go___mdash__geolocated_IP_traceroute.html
</guid>
516 <pubDate>Mon,
9 Jan
2017 12:
20:
00 +
0100</pubDate>
517 <description><p
>Did you ever wonder where the web trafic really flow to reach the
518 web servers, and who own the network equipment it is flowing through?
519 It is possible to get a glimpse of this from using traceroute, but it
520 is hard to find all the details. Many years ago, I wrote a system to
521 map the Norwegian Internet (trying to figure out if our plans for a
522 network game service would get low enough latency, and who we needed
523 to talk to about setting up game servers close to the users. Back
524 then I used traceroute output from many locations (I asked my friends
525 to run a script and send me their traceroute output) to create the
526 graph and the map. The output from traceroute typically look like
530 traceroute to www.stortinget.no (
85.88.67.10),
30 hops max,
60 byte packets
531 1 uio-gw10.uio.no (
129.240.202.1)
0.447 ms
0.486 ms
0.621 ms
532 2 uio-gw8.uio.no (
129.240.24.229)
0.467 ms
0.578 ms
0.675 ms
533 3 oslo-gw1.uninett.no (
128.39.65.17)
0.385 ms
0.373 ms
0.358 ms
534 4 te3-
1-
2.br1.fn3.as2116.net (
193.156.90.3)
1.174 ms
1.172 ms
1.153 ms
535 5 he16-
1-
1.cr1.san110.as2116.net (
195.0.244.234)
2.627 ms he16-
1-
1.cr2.oslosda310.as2116.net (
195.0.244.48)
3.172 ms he16-
1-
1.cr1.san110.as2116.net (
195.0.244.234)
2.857 ms
536 6 ae1.ar8.oslosda310.as2116.net (
195.0.242.39)
0.662 ms
0.637 ms ae0.ar8.oslosda310.as2116.net (
195.0.242.23)
0.622 ms
537 7 89.191.10.146 (
89.191.10.146)
0.931 ms
0.917 ms
0.955 ms
541 </pre
></p
>
543 <p
>This show the DNS names and IP addresses of (at least some of the)
544 network equipment involved in getting the data traffic from me to the
545 www.stortinget.no server, and how long it took in milliseconds for a
546 package to reach the equipment and return to me. Three packages are
547 sent, and some times the packages do not follow the same path. This
548 is shown for hop
5, where three different IP addresses replied to the
549 traceroute request.
</p
>
551 <p
>There are many ways to measure trace routes. Other good traceroute
552 implementations I use are traceroute (using ICMP packages) mtr (can do
553 both ICMP, UDP and TCP) and scapy (python library with ICMP, UDP, TCP
554 traceroute and a lot of other capabilities). All of them are easily
555 available in
<a href=
"https://www.debian.org/
">Debian
</a
>.
</p
>
557 <p
>This time around, I wanted to know the geographic location of
558 different route points, to visualize how visiting a web page spread
559 information about the visit to a lot of servers around the globe. The
560 background is that a web site today often will ask the browser to get
561 from many servers the parts (for example HTML, JSON, fonts,
562 JavaScript, CSS, video) required to display the content. This will
563 leak information about the visit to those controlling these servers
564 and anyone able to peek at the data traffic passing by (like your ISP,
565 the ISPs backbone provider, FRA, GCHQ, NSA and others).
</p
>
567 <p
>Lets pick an example, the Norwegian parliament web site
568 www.stortinget.no. It is read daily by all members of parliament and
569 their staff, as well as political journalists, activits and many other
570 citizens of Norway. A visit to the www.stortinget.no web site will
571 ask your browser to contact
8 other servers: ajax.googleapis.com,
572 insights.hotjar.com, script.hotjar.com, static.hotjar.com,
573 stats.g.doubleclick.net, www.google-analytics.com,
574 www.googletagmanager.com and www.netigate.se. I extracted this by
575 asking
<a href=
"http://phantomjs.org/
">PhantomJS
</a
> to visit the
576 Stortinget web page and tell me all the URLs PhantomJS downloaded to
577 render the page (in HAR format using
578 <a href=
"https://github.com/ariya/phantomjs/blob/master/examples/netsniff.js
">their
579 netsniff example
</a
>. I am very grateful to Gorm for showing me how
580 to do this). My goal is to visualize network traces to all IP
581 addresses behind these DNS names, do show where visitors personal
582 information is spread when visiting the page.
</p
>
584 <p align=
"center
"><a href=
"www.stortinget.no-geoip.kml
"><img
585 src=
"http://people.skolelinux.org/pere/blog/images/
2017-
01-
09-www.stortinget.no-geoip-small.png
" alt=
"map of combined traces for URLs used by www.stortinget.no using GeoIP
"/
></a
></p
>
587 <p
>When I had a look around for options, I could not find any good
588 free software tools to do this, and decided I needed my own traceroute
589 wrapper outputting KML based on locations looked up using GeoIP. KML
590 is easy to work with and easy to generate, and understood by several
591 of the GIS tools I have available. I got good help from by NUUG
592 colleague Anders Einar with this, and the result can be seen in
593 <a href=
"https://github.com/petterreinholdtsen/kmltraceroute
">my
594 kmltraceroute git repository
</a
>. Unfortunately, the quality of the
595 free GeoIP databases I could find (and the for-pay databases my
596 friends had access to) is not up to the task. The IP addresses of
597 central Internet infrastructure would typically be placed near the
598 controlling companies main office, and not where the router is really
599 located, as you can see from
<a href=
"www.stortinget.no-geoip.kml
">the
600 KML file I created
</a
> using the GeoLite City dataset from MaxMind.
602 <p align=
"center
"><a href=
"http://people.skolelinux.org/pere/blog/images/
2017-
01-
09-www.stortinget.no-scapy.svg
"><img
603 src=
"http://people.skolelinux.org/pere/blog/images/
2017-
01-
09-www.stortinget.no-scapy-small.png
" alt=
"scapy traceroute graph for URLs used by www.stortinget.no
"/
></a
></p
>
605 <p
>I also had a look at the visual traceroute graph created by
606 <a href=
"http://www.secdev.org/projects/scapy/
">the scrapy project
</a
>,
607 showing IP network ownership (aka AS owner) for the IP address in
609 <a href=
"http://people.skolelinux.org/pere/blog/images/
2017-
01-
09-www.stortinget.no-scapy.svg
">The
610 graph display a lot of useful information about the traceroute in SVG
611 format
</a
>, and give a good indication on who control the network
612 equipment involved, but it do not include geolocation. This graph
613 make it possible to see the information is made available at least for
614 UNINETT, Catchcom, Stortinget, Nordunet, Google, Amazon, Telia, Level
615 3 Communications and NetDNA.
</p
>
617 <p align=
"center
"><a href=
"https://geotraceroute.com/index.php?node=
4&host=www.stortinget.no
"><img
618 src=
"http://people.skolelinux.org/pere/blog/images/
2017-
01-
09-www.stortinget.no-geotraceroute-small.png
" alt=
"example geotraceroute view for www.stortinget.no
"/
></a
></p
>
620 <p
>In the process, I came across the
621 <a href=
"https://geotraceroute.com/
">web service GeoTraceroute
</a
> by
622 Salim Gasmi. Its methology of combining guesses based on DNS names,
623 various location databases and finally use latecy times to rule out
624 candidate locations seemed to do a very good job of guessing correct
625 geolocation. But it could only do one trace at the time, did not have
626 a sensor in Norway and did not make the geolocations easily available
627 for postprocessing. So I contacted the developer and asked if he
628 would be willing to share the code (he refused until he had time to
629 clean it up), but he was interested in providing the geolocations in a
630 machine readable format, and willing to set up a sensor in Norway. So
631 since yesterday, it is possible to run traces from Norway in this
632 service thanks to a sensor node set up by
633 <a href=
"https://www.nuug.no/
">the NUUG assosiation
</a
>, and get the
634 trace in KML format for further processing.
</p
>
636 <p align=
"center
"><a href=
"http://people.skolelinux.org/pere/blog/images/
2017-
01-
09-www.stortinget.no-geotraceroute-kml-join.kml
"><img
637 src=
"http://people.skolelinux.org/pere/blog/images/
2017-
01-
09-www.stortinget.no-geotraceroute-kml-join.png
" alt=
"map of combined traces for URLs used by www.stortinget.no using geotraceroute
"/
></a
></p
>
639 <p
>Here we can see a lot of trafic passes Sweden on its way to
640 Denmark, Germany, Holland and Ireland. Plenty of places where the
641 Snowden confirmations verified the traffic is read by various actors
642 without your best interest as their top priority.
</p
>
644 <p
>Combining KML files is trivial using a text editor, so I could loop
645 over all the hosts behind the urls imported by www.stortinget.no and
646 ask for the KML file from GeoTraceroute, and create a combined KML
647 file with all the traces (unfortunately only one of the IP addresses
648 behind the DNS name is traced this time. To get them all, one would
649 have to request traces using IP number instead of DNS names from
650 GeoTraceroute). That might be the next step in this project.
</p
>
652 <p
>Armed with these tools, I find it a lot easier to figure out where
653 the IP traffic moves and who control the boxes involved in moving it.
654 And every time the link crosses for example the Swedish border, we can
655 be sure Swedish Signal Intelligence (FRA) is listening, as GCHQ do in
656 Britain and NSA in USA and cables around the globe. (Hm, what should
657 we tell them? :) Keep that in mind if you ever send anything
658 unencrypted over the Internet.
</p
>
660 <p
>PS: KML files are drawn using
661 <a href=
"http://ivanrublev.me/kml/
">the KML viewer from Ivan
662 Rublev
<a/
>, as it was less cluttered than the local Linux application
663 Marble. There are heaps of other options too.
</p
>
665 <p
>As usual, if you use Bitcoin and want to show your support of my
666 activities, please send Bitcoin donations to my address
667 <b
><a href=
"bitcoin:
15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b
&label=PetterReinholdtsenBlog
">15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b
</a
></b
>.
</p
>
projects / homepage.git / blob