+ <a href="https://people.skolelinux.org/pere/blog/Latest_Jami_back_in_Debian_Testing__and_scriptable_using_dbus.html">Latest Jami back in Debian Testing, and scriptable using dbus</a>
+ </div>
+ <div class="date">
+ 12th January 2021
+ </div>
+ <div class="body">
+ <p>After a lot of hard work by its maintainer Alexandre Viau and
+others, the decentralized communication platform
+<a href="https://en.wikipedia.org/wiki/Jami_(software)">Jami</a>
+(earlier known as Ring) managed to get
+<a href="https://tracker.debian.org/pkg/ring">its latest version</a>
+into Debian Testing. Several of its dependencies have caused build and
+propagation problems, which all seem to be solved now.</p>
+
+<p>In addition to the fact that Jami is decentralized, similar to how
+bittorrent is decentralized, I first of all like how it is not
+tied to external IDs like phone numbers. This allows me to set up
+computers to send me notifications using Jami without having to
+get a phone number for each computer. Automatic notification via Jami
+is also made trivial thanks to the provided client side API (a DBus
+service). Here is my Bourne shell script demonstrating how to let any
+system send a message to any Jami address. It will create a new
+identity before sending the message, if no Jami identity exists
+already:</p>
+
+<p><pre>
+#!/bin/sh
+#
+# Usage: $0 <jami-address> <message>
+#
+# Send <message> to <jami-address>, create local jami account if
+# missing.
+#
+# License: GPL v2 or later at your choice
+# Author: Petter Reinholdtsen
+
+if [ -z "$HOME" ] ; then
+    echo "error: missing \$HOME, required for dbus to work"
+    exit 1
+fi
+
+# First, get dbus running if not already running
+DBUSLAUNCH=/usr/bin/dbus-launch
+PIDFILE=/run/asterisk/dbus-session.pid
+if [ -e "$PIDFILE" ] ; then
+    . "$PIDFILE"
+    # Forget the stored bus address if the recorded daemon is gone
+    if ! kill -0 "$DBUS_SESSION_BUS_PID" 2>/dev/null ; then
+        unset DBUS_SESSION_BUS_ADDRESS
+    fi
+fi
+# This block must run in the current shell (not in the background),
+# otherwise the bus address sourced from $PIDFILE is invisible below.
+if [ -z "$DBUS_SESSION_BUS_ADDRESS" ] && [ -x "$DBUSLAUNCH" ]; then
+    DBUS_SESSION_BUS_ADDRESS="unix:path=$HOME/.dbus"
+    dbus-daemon --session --address="$DBUS_SESSION_BUS_ADDRESS" --nofork --nopidfile --syslog-only < /dev/null > /dev/null 2>&1 3>&1 &
+    DBUS_SESSION_BUS_PID=$!
+    (
+        echo DBUS_SESSION_BUS_PID=$DBUS_SESSION_BUS_PID
+        echo DBUS_SESSION_BUS_ADDRESS=\""$DBUS_SESSION_BUS_ADDRESS"\"
+        echo export DBUS_SESSION_BUS_ADDRESS
+    ) > "$PIDFILE"
+    . "$PIDFILE"
+fi
+
+# Call a method on one part of the Jami daemon (cx.ring.Ring) without
+# waiting for the reply.
+dringop() {
+    part="$1"; shift
+    op="$1"; shift
+    dbus-send --session \
+        --dest="cx.ring.Ring" /cx/ring/Ring/$part cx.ring.Ring.$part.$op "$@"
+}
+
+# Same, but print the reply so it can be parsed.
+dringopreply() {
+    part="$1"; shift
+    op="$1"; shift
+    dbus-send --session --print-reply \
+        --dest="cx.ring.Ring" /cx/ring/Ring/$part cx.ring.Ring.$part.$op "$@"
+}
+
+# getAccountList returns an array of strings; pick the first account id.
+firstaccount() {
+    dringopreply ConfigurationManager getAccountList | \
+        grep string | awk -F'"' '{print $2}' | head -n 1
+}
+
+account=$(firstaccount)
+
+if [ -z "$account" ] ; then
+    echo "Missing local account, trying to create it"
+    dringop ConfigurationManager addAccount \
+        dict:string:string:"Account.type","RING","Account.videoEnabled","false"
+    account=$(firstaccount)
+    if [ -z "$account" ] ; then
+        echo "unable to create local account"
+        exit 1
+    fi
+fi
+
+# Calling dbus-send directly so the message in $2 keeps its spaces
+dbus-send --print-reply --session \
+    --dest=cx.ring.Ring \
+    /cx/ring/Ring/ConfigurationManager \
+    cx.ring.Ring.ConfigurationManager.sendTextMessage \
+    string:"$account" string:"$1" \
+    dict:string:string:"text/plain","$2"
+</pre></p>
+
+<p>If you want to check it out yourself, visit
+<a href="https://jami.net/">the Jami project page</a> to learn
+more, and install the latest Jami client from Debian Unstable or
+Testing.</p>
+
+<p>As usual, if you use Bitcoin and want to show your support of my
+activities, please send Bitcoin donations to my address
+<b><a href="bitcoin:15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b">15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b</a></b>.</p>
+
+ </div>
+ <div class="tags">
+
+
+ Tags: <a href="https://people.skolelinux.org/pere/blog/tags/debian">debian</a>, <a href="https://people.skolelinux.org/pere/blog/tags/english">english</a>, <a href="https://people.skolelinux.org/pere/blog/tags/sikkerhet">sikkerhet</a>, <a href="https://people.skolelinux.org/pere/blog/tags/surveillance">surveillance</a>.
+
+
+ </div>
+ </div>
+ <div class="padding"></div>
+
+ <div class="entry">
+ <div class="title">
+ <a href="https://people.skolelinux.org/pere/blog/Secure_Socket_API___a_simple_and_powerful_approach_for_TLS_support_in_software.html">Secure Socket API - a simple and powerful approach for TLS support in software</a>
+ </div>
+ <div class="date">
+ 6th June 2020
+ </div>
+ <div class="body">
+ <p>As a member of the <a href="https://www.nuug.no/">Norwegian Unix
+User Group</a>, I have the pleasure of receiving the
+<a href="https://www.usenix.org/">USENIX</a> magazine
+<a href="https://www.usenix.org/publications/login/">;login:</a>
+several times a year. I rarely have time to read all the articles,
+but try to at least skim through them all as there is a lot of nice
+knowledge passed on there. I even carry the latest issue with me most
+of the time to try to get through all the articles when I have a few
+spare minutes.</p>
+
+<p>The other day I came across a nice article titled
+"<a href="https://www.usenix.org/publications/login/winter2018/oneill">The
+Secure Socket API: TLS as an Operating System Service</a>" with a
+marvellous idea I hope can make it all the way into the POSIX standard.
+The idea is as simple as it is powerful. By introducing a new
+socket() option IPPROTO_TLS to use TLS, and a system wide service to
+handle setting up TLS connections, one both makes it trivial to add TLS
+support to any program currently using the POSIX socket API, and gains
+system wide control over certificates, TLS versions and encryption
+systems used. Instead of doing this:</p>
+
+<p><blockquote><pre>
+int socket = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
+</pre></blockquote></p>
+
+<p>the program code would be doing this:</p>
+
+<p><blockquote><pre>
+int socket = socket(PF_INET, SOCK_STREAM, IPPROTO_TLS);
+</pre></blockquote></p>
+
+<p>According to the ;login: article, converting a C program to use TLS
+would normally modify only 5-10 lines in the code, which is amazing
+when compared to using for example the OpenSSL API.</p>
+
+<p>The project has set up the
+<a href="https://securesocketapi.org/">https://securesocketapi.org/</a>
+web site to spread the idea, and the code for a kernel module and the
+associated system daemon is available from two github repositories:
+<a href="https://github.com/markoneill/ssa">ssa</a> and
+<a href="https://github.com/markoneill/ssa-daemon">ssa-daemon</a>.
+Unfortunately there is no explicit license information with the code,
+so its copyright status is unclear. A
+<a href="https://github.com/markoneill/ssa/issues/2">request to resolve
+this</a> has been open and unanswered since 2018-08-17.</p>
+
+<p>I love the idea of extending socket() to gain TLS support, and
+understand why it is an advantage to implement this as a kernel module
+and system wide service daemon, but cannot help thinking that it
+would be a lot easier to get projects to move to this way of setting
+up TLS if it was done with a user space approach where programs
+wanting to use this API could just link with a wrapper
+library.</p>
+
+<p>I recommend you check out this simple and powerful approach to more
+secure network connections. :)</p>
+
+<p>As usual, if you use Bitcoin and want to show your support of my
+activities, please send Bitcoin donations to my address
+<b><a href="bitcoin:15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b">15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b</a></b>.</p>
+
+ </div>
+ <div class="tags">
+
+
+ Tags: <a href="https://people.skolelinux.org/pere/blog/tags/debian">debian</a>, <a href="https://people.skolelinux.org/pere/blog/tags/english">english</a>, <a href="https://people.skolelinux.org/pere/blog/tags/sikkerhet">sikkerhet</a>, <a href="https://people.skolelinux.org/pere/blog/tags/sysadmin">sysadmin</a>.
+
+
+ </div>
+ </div>
+ <div class="padding"></div>
+
+ <div class="entry">
+ <div class="title">
+ <a href="https://people.skolelinux.org/pere/blog/Jami_as_a_Zoom_client__a_trick_for_password_protected_rooms___.html">Jami as a Zoom client, a trick for password protected rooms...</a>
+ </div>
+ <div class="date">
+ 8th May 2020
+ </div>
+ <div class="body">
+ <p>Half a year ago,
+<a href="http://people.skolelinux.org/pere/blog/Jami_Ring__finally_functioning_peer_to_peer_communication_client.html">I
+wrote</a> about <a href="https://jami.net/">the Jami communication
+client</a>, capable of peer-to-peer encrypted communication. It
+handles messages, audio and video. It uses distributed hash
+tables instead of central infrastructure to connect its users to each
+other, which in my book is a plus. I mentioned briefly that it could
+also work as a SIP client, which came in handy when the higher
+education sector in Norway started to promote Zoom as its video
+conferencing solution. I am reluctant to use the official Zoom client
+software, due to their <a href="https://zoom.us/terms">copyright
+license clauses</a> prohibiting users from reverse engineering (for example
+to check the security) and benchmarking it, and thus prefer to connect to
+Zoom meetings with free software clients.</p>
+
+<p>Jami worked OK as a SIP client to Zoom as long as there was no
+password set on the room. The Jami daemon leaks memory like crazy
+(approximately 1 GiB a minute) when I am connected to the video
+conference, so I had to restart the client every 7-10 minutes, which
+is not great. I tried to get other SIP Linux clients to work
+without success, so I decided I would have to live with this wart
+until someone managed to fix the leak in the dring code base. But
+another problem showed up once the rooms were password protected. I
+could not get my dial tone signaling through from Jami to Zoom, and
+dial tone signaling is used to enter the password when connecting to
+Zoom. I tried a lot of different permutations with my Jami and
+Asterisk setup to try to figure out why the signaling did not get
+through, only to finally discover that the fundamental problem seems to
+be that Zoom is simply not able to receive dial tone signaling when
+connecting via SIP. There seems to be nothing wrong with the Jami and
+Asterisk end; it is simply broken in the Zoom end. I got help from a
+very skilled VoIP engineer figuring out this last part. And being a
+very skilled engineer, he was also able to locate a solution for me.
+Or to be exact, a workaround that solves my initial problem of
+connecting to password protected Zoom rooms using Jami.</p>
+
+<p>So, how do you do this, I am sure you are wondering by now. The
+trick is already
+<a href="https://support.zoom.us/hc/en-us/articles/202405539-H-323-SIP-Room-Connector-Dial-Strings#sip">documented
+by Zoom</a>, and it is to modify the SIP address to include the room
+password. What is most surprising about this is that the
+automatically generated email from Zoom with instructions on how to
+connect via SIP does not mention this. The SIP address to use normally
+consists of the room ID (a number), an @ character and the IP address
+of the Zoom SIP gateway. But Zoom understands a lot more than just the
+room ID in front of the at sign. The format is "<tt>[Meeting
+ID].[Password].[Layout].[Host Key]</tt>", and you can see here how you
+can both enter the password, control the layout (full screen, active
+presence and gallery) and specify the host key to start the meeting.
+The full SIP address entered into Jami to provide the password will
+then look like this (all using made up numbers):</p>
+
+<p><blockquote>
+<tt>sip:657837644.522827@192.168.169.170</tt>
+</blockquote></p>
+
+<p>Now if only Jami would reduce its memory usage, I could even
+recommend this setup to others. :)</p>
+
+<p>As usual, if you use Bitcoin and want to show your support of my
+activities, please send Bitcoin donations to my address
+<b><a href="bitcoin:15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b">15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b</a></b>.</p>
+
+ </div>
+ <div class="tags">
+
+
+ Tags: <a href="https://people.skolelinux.org/pere/blog/tags/debian">debian</a>, <a href="https://people.skolelinux.org/pere/blog/tags/english">english</a>, <a href="https://people.skolelinux.org/pere/blog/tags/sikkerhet">sikkerhet</a>, <a href="https://people.skolelinux.org/pere/blog/tags/surveillance">surveillance</a>.
+
+
+ </div>
+ </div>
+ <div class="padding"></div>
+
+ <div class="entry">
+ <div class="title">
+ <a href="https://people.skolelinux.org/pere/blog/Jami_Ring__finally_functioning_peer_to_peer_communication_client.html">Jami/Ring, finally functioning peer to peer communication client</a>
+ </div>
+ <div class="date">
+ 19th June 2019
+ </div>
+ <div class="body">
+ <p>Some years ago, in 2016, I
+<a href="http://people.skolelinux.org/pere/blog/Experience_and_updated_recipe_for_using_the_Signal_app_without_a_mobile_phone.html">wrote
+for the first time about</a> the Ring peer to peer messaging system.
+It would provide messaging without any central server coordinating the
+system and without requiring all users to register a phone number or
+own a mobile phone. Back then, I could not get it to work, and put it
+aside until it had seen more development. A few days ago I decided to
+give it another try, and am happy to report that this time I am able
+to not only send and receive messages, but also place audio and video
+calls. But only if UDP is not blocked on your network.</p>
+
+<p>The Ring system changed name earlier this year to
+<a href="https://en.wikipedia.org/wiki/Jami_(software)">Jami</a>. I
+tried doing a web search for 'ring' when I discovered it for the first
+time, and can only applaud this change as it is impossible to find
+something called Ring among the noise of other uses of that word. Now
+you can search for 'jami' and this client and
+<a href="https://jami.net/">the Jami system</a> is the first hit, at
+least on duckduckgo.</p>
+
+<p>Jami will by default encrypt messages as well as audio and video
+calls, and try to send them directly between the communicating parties
+if possible. If this proves impossible (for example if both ends are
+behind NAT), it will use a central SIP TURN server maintained by the
+Jami project. Jami can also be a normal SIP client. If the SIP
+server is unencrypted, the audio and video calls will also be
+unencrypted. This is as far as I know the only case where Jami will
+do anything without encryption.</p>
+
+<p>Jami is available for several platforms: Linux, Windows, MacOSX,
+Android, iOS, and Android TV. It is included in Debian already. Jami
+also works for those using F-Droid without any Google connections,
+while Signal does not.
+<a href="https://git.jami.net/savoirfairelinux/ring-project/wikis/technical/Protocol">The
+protocol</a> is described in the Ring project wiki. The system uses a
+distributed hash table (DHT) system (similar to BitTorrent) running
+over UDP. On one of the networks I use, I discovered Jami failed to
+work. I tracked this down to the fact that incoming UDP packets
+going to ports 1-49999 were blocked, and the DHT would pick a random
+port and end up in the low range most of the time. After talking to
+the developers, I solved this by enabling the dhtproxy in the
+settings, thus using TCP to talk to a central DHT proxy instead of
+peering directly with others. I've been told the developers are
+working on allowing DHT to use TCP to avoid this problem. I also ran
+into a problem when trying to talk to the version of Ring included in
+Debian Stable (Stretch). Apparently the protocol changed between
+beta2 and the current version, making these clients incompatible.
+Hopefully the protocol will not be made incompatible in the
+future.</p>
+
+<p>It is worth noting that while looking at Jami and its features, I
+came across another communication platform I have not tested yet. The
+<a href="https://en.wikipedia.org/wiki/Tox_(protocol)">Tox protocol</a>
+and <a href="https://tox.chat/">family of Tox clients</a>. It might
+become the topic of a future blog post.</p>
+
+<p>As usual, if you use Bitcoin and want to show your support of my
+activities, please send Bitcoin donations to my address
+<b><a href="bitcoin:15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b">15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b</a></b>.</p>
+
+ </div>
+ <div class="tags">
+
+
+ Tags: <a href="https://people.skolelinux.org/pere/blog/tags/debian">debian</a>, <a href="https://people.skolelinux.org/pere/blog/tags/english">english</a>, <a href="https://people.skolelinux.org/pere/blog/tags/sikkerhet">sikkerhet</a>, <a href="https://people.skolelinux.org/pere/blog/tags/surveillance">surveillance</a>.
+
+
+ </div>
+ </div>
+ <div class="padding"></div>
+
+ <div class="entry">
+ <div class="title">
+ <a href="https://people.skolelinux.org/pere/blog/Fetching_trusted_timestamps_using_the_rfc3161ng_python_module.html">Fetching trusted timestamps using the rfc3161ng python module</a>
+ </div>
+ <div class="date">
+ 8th October 2018
+ </div>
+ <div class="body">
+ <p>I have earlier covered the basics of trusted timestamping using the
+'openssl ts' client. See the blog posts from
+<a href="http://people.skolelinux.org/pere/blog/Public_Trusted_Timestamping_services_for_everyone.html">2014</a>,
+<a href="http://people.skolelinux.org/pere/blog/syslog_trusted_timestamp___chain_of_trusted_timestamps_for_your_syslog.html">2016</a>
+and
+<a href="http://people.skolelinux.org/pere/blog/Idea_for_storing_trusted_timestamps_in_a_Noark_5_archive.html">2017</a>
+for those stories. But sometimes I want to integrate the timestamping
+in other code, and recently I needed to integrate it into Python.
+After searching a bit, I found
+<a href="https://dev.entrouvert.org/projects/python-rfc3161">the
+rfc3161 library</a> which seemed like a good fit, but I soon
+discovered it only worked for python version 2, and I needed something
+that works with python version 3. Luckily I next came across
+<a href="https://github.com/trbs/rfc3161ng/">the rfc3161ng library</a>,
+a fork of the original rfc3161 library. Not only is it working with
+python 3, it has fixed a few of the bugs in the original library, and
+it has an active maintainer. I decided to wrap it up and make it
+<a href="https://tracker.debian.org/pkg/python-rfc3161ng">available in
+Debian</a>, and a few days ago it entered Debian unstable and testing.</p>
+
+<p>Using the library is fairly straightforward. The only slightly
+problematic step is to fetch the required certificates to verify the
+timestamp. For some services it is straightforward, while for others
+I have not yet figured out how to do it. Here is a small standalone
+code example based on one of the integration tests in the library code:</p>
+
+<pre>
+#!/usr/bin/python3
+
+"""
+
+Python 3 script demonstrating how to use the rfc3161ng module to
+get trusted timestamps.
+
+The license of this code is the same as the license of the rfc3161ng
+library, ie MIT/BSD.
+
+"""
+
+import pyasn1.codec.der.encoder
+import rfc3161ng
+import subprocess
+import tempfile
+import urllib.request
+
+def store(f, data):
+    """Write data to an open temporary file and rewind it for readers."""
+    f.write(data)
+    f.flush()
+    f.seek(0)
+
+def fetch(url, f=None):
+    """Download url, optionally storing the content in file f."""
+    response = urllib.request.urlopen(url)
+    data = response.read()
+    if f:
+        store(f, data)
+    return data
+
+def main():
+    with tempfile.NamedTemporaryFile() as cert_f,\
+         tempfile.NamedTemporaryFile() as ca_f,\
+         tempfile.NamedTemporaryFile() as msg_f,\
+         tempfile.NamedTemporaryFile() as tsr_f:
+
+        # First fetch certificates used by service
+        certificate_data = fetch('https://freetsa.org/files/tsa.crt', cert_f)
+        ca_data = fetch('https://freetsa.org/files/cacert.pem', ca_f)
+
+        # Then timestamp the message
+        timestamper = \
+            rfc3161ng.RemoteTimestamper('http://freetsa.org/tsr',
+                                        certificate=certificate_data)
+        data = b"Python forever!\n"
+        tsr = timestamper(data=data, return_tsr=True)
+
+        # Finally, convert message and response to something 'openssl ts' can verify
+        store(msg_f, data)
+        store(tsr_f, pyasn1.codec.der.encoder.encode(tsr))
+        args = ["openssl", "ts", "-verify",
+                "-data", msg_f.name,
+                "-in", tsr_f.name,
+                "-CAfile", ca_f.name,
+                "-untrusted", cert_f.name]
+        subprocess.check_call(args)
+
+if '__main__' == __name__:
+    main()
+</pre>
+
+<p>The code fetches the required certificates, stores them as temporary
+files, timestamps a simple message, stores the message and timestamp to
+disk and asks 'openssl ts' to verify the timestamp. A timestamp is
+around 1.5 kiB in size, and should be fairly easy to store for future
+use.</p>
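As an added example (not code from the original post, nor from the rfc3161ng library), here is what the request the library sends to the TSA looks like on the wire, built and parsed with the standard library only: an RFC 3161 TimeStampReq carrying the SHA-256 message imprint, an optional nonce and the certReq flag. The imprint_matches() check is the same comparison 'openssl ts -verify' makes between the data and the imprint, usable offline on a stored request; the function names are my own.

```python
"""Build and parse an RFC 3161 TimeStampReq with the standard library only.

Added example, not code from the blog post or from rfc3161ng: it shows the
request that RemoteTimestamper (and 'openssl ts -query -sha256') sends to
the TSA, so the message imprint and the certReq flag can be inspected or
re-checked against the data later.
"""
import hashlib

# DER tags used by TimeStampReq (RFC 3161 section 2.4.1)
TAG_BOOLEAN, TAG_INTEGER, TAG_OCTET_STRING = 0x01, 0x02, 0x04
TAG_NULL, TAG_OID, TAG_SEQUENCE = 0x05, 0x06, 0x30

# id-sha256 (2.16.840.1.101.3.4.2.1) in DER content form
OID_SHA256 = bytes.fromhex("608648016503040201")


def der_length(n):
    """Definite-length encoding: one byte below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    return bytes([tag]) + der_length(len(content)) + content


def der_integer(value):
    """Minimal two's-complement INTEGER; a leading 0x00 keeps it positive."""
    if value < 0:
        raise ValueError("negative integers are not used in TimeStampReq")
    return tlv(TAG_INTEGER, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def build_timestamp_request(data, nonce=None, cert_req=True):
    """TimeStampReq ::= SEQUENCE { version INTEGER, messageImprint,
    nonce INTEGER OPTIONAL, certReq BOOLEAN DEFAULT FALSE }."""
    algorithm = tlv(TAG_SEQUENCE, tlv(TAG_OID, OID_SHA256) + tlv(TAG_NULL, b""))
    imprint = tlv(TAG_SEQUENCE,
                  algorithm + tlv(TAG_OCTET_STRING, hashlib.sha256(data).digest()))
    body = der_integer(1) + imprint
    if nonce is not None:
        body += der_integer(nonce)
    if cert_req:  # DEFAULT FALSE, so DER omits the field when it is false
        body += tlv(TAG_BOOLEAN, b"\xff")
    return tlv(TAG_SEQUENCE, body)


def _read_tlv(buf, pos):
    """Return (tag, content, position after the element) or raise ValueError."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("DER length exceeds buffer")
    return tag, buf[pos:pos + length], pos + length


def _children(content):
    """Split the content of a constructed element into (tag, content) pairs."""
    out, pos = [], 0
    while pos < len(content):
        tag, value, pos = _read_tlv(content, pos)
        out.append((tag, value))
    return out


def parse_timestamp_request(req):
    """Inverse of build_timestamp_request; raises ValueError when malformed."""
    tag, content, end = _read_tlv(req, 0)
    if tag != TAG_SEQUENCE or end != len(req):
        raise ValueError("not a single DER SEQUENCE")
    fields = _children(content)
    if len(fields) < 2 or fields[0][0] != TAG_INTEGER or fields[1][0] != TAG_SEQUENCE:
        raise ValueError("version or messageImprint missing")
    imprint_parts = _children(fields[1][1])
    if len(imprint_parts) != 2 or imprint_parts[1][0] != TAG_OCTET_STRING:
        raise ValueError("malformed messageImprint")
    algorithm = _children(imprint_parts[0][1])
    if not algorithm or algorithm[0][0] != TAG_OID:
        raise ValueError("hashAlgorithm has no OID")
    result = {"version": int.from_bytes(fields[0][1], "big"),
              "hash_oid": algorithm[0][1], "imprint": imprint_parts[1][1],
              "nonce": None, "cert_req": False}
    for tag, value in fields[2:]:
        if tag == TAG_INTEGER:
            result["nonce"] = int.from_bytes(value, "big")
        elif tag == TAG_BOOLEAN:
            result["cert_req"] = value == b"\xff"
    return result


def imprint_matches(req, data):
    """True when the request's SHA-256 imprint is the digest of data."""
    parsed = parse_timestamp_request(req)
    return (parsed["hash_oid"] == OID_SHA256
            and parsed["imprint"] == hashlib.sha256(data).digest())
```

The same TLV walker applies to the TimeStampResp the TSA returns, whose TSTInfo repeats the messageImprint; comparing that copy against the data is the check that catches a response issued for some other message.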
+
+<p>As usual, if you use Bitcoin and want to show your support of my
+activities, please send Bitcoin donations to my address
+<b><a href="bitcoin:15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b">15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b</a></b>.</p>
+
+ </div>
+ <div class="tags">
+
+
+ Tags: <a href="https://people.skolelinux.org/pere/blog/tags/english">english</a>, <a href="https://people.skolelinux.org/pere/blog/tags/noark5">noark5</a>, <a href="https://people.skolelinux.org/pere/blog/tags/sikkerhet">sikkerhet</a>.
+
+
+ </div>
+ </div>
+ <div class="padding"></div>
+
+ <div class="entry">
+ <div class="title">
+ <a href="https://people.skolelinux.org/pere/blog/Stortingsflertallet_g_r_inn_for_ny_IP_basert_sensurinfrastruktur_i_Norge.html">Majority in the Storting backs new IP-based censorship infrastructure in Norway</a>
+ </div>
+ <div class="date">
+ 24th April 2018
+ </div>
+ <div class="body">
+ <p><a href="https://www.vg.no/sport/i/J1g8zj/stortingsvedtak-snart-ip-blokkerer-utenlandske-spillselskaper">VG</a>,
+<a href="https://www.dagbladet.no/nyheter/stortinget-blokkerer-utenlandske-spillselskaper/69740219">Dagbladet</a>
+and
+<a href="https://www.nrk.no/ostfold/tar-opp-kampen-mot-utenlandske-spillselskap-1.14021381">NRK</a>
+report today that the majority of the Storting's Standing Committee on
+Family and Cultural Affairs has decided to introduce a new censorship
+infrastructure in Norway. Norway already has a «voluntary» censorship
+infrastructure based on DNS names, where the largest ISPs, working from
+a list of DNS names, poison DNS replies and redirect to a different IP
+address than the one in DNS. Now IP-based redirection is coming on top
+of that. Once the infrastructure is in place, censoring IP addresses is
+reduced to a question of which IP addresses to block. The list of IP
+addresses will naturally change as the authorities change. That is not
+a reassuring thought.</p>
+
+ </div>
+ <div class="tags">
+
+
+ Tags: <a href="https://people.skolelinux.org/pere/blog/tags/norsk">norsk</a>, <a href="https://people.skolelinux.org/pere/blog/tags/sikkerhet">sikkerhet</a>.
+
+
+ </div>
+ </div>
+ <div class="padding"></div>
+
+ <div class="entry">
+ <div class="title">
+ <a href="https://people.skolelinux.org/pere/blog/_Rapporten_ser_ikke_p__informasjonssikkerhet_knyttet_til_personlig_integritet_.html">«The report does not consider information security related to personal integrity»</a>
+ </div>
+ <div class="date">
+ 27th June 2017
+ </div>
+ <div class="body">
+ <p>I came across the text
+«<a href="https://freedom-to-tinker.com/2017/06/21/killing-car-privacy-by-federal-mandate/">Killing
+car privacy by federal mandate</a>» by Leonid Reyzin on Freedom to
+Tinker today, and it pleases me to see a good walkthrough of why
+letting every car broadcast its position and movement over radio is an
+unreasonable intrusion into the private sphere. The proposal in
+question, based on Dedicated Short Range Communication (DSRC), is
+called Basic Safety Message (BSM) in the USA and Cooperative Awareness
+Message (CAM) in Europe, and the Norwegian Public Roads Administration
+(Vegvesenet) is among those who appear willing to require all cars to
+strip away yet another piece of citizens' privacy. I recommend
+everyone read what is written there.</p>
+
+<p>While looking a bit into DSRC on cars in Norway, I came across a
+quote I find illustrative of how the Norwegian public sector handles
+issues around citizens' privacy, in the SINTEF report
+«<a href="https://www.sintef.no/publikasjoner/publikasjon/Download/?pubid=SINTEF+A23933">Informasjonssikkerhet
+i AutoPASS-brikker</a>» (Information security in AutoPASS tags) by Trond Foss:</p>
+
+<p><blockquote>
+«The report does not consider information security related to personal
+ integrity.»
+</blockquote></p>
+
+<p>So that is apparently how simply information security can be
+assessed. It is presumably enough that the people at the top can say
+«privacy is taken care of», the popular empty phrase that makes many
+believe individuals' integrity is being protected. The quote made me
+wonder how often the same approach, simply disregarding the need for
+personal integrity, is chosen when deciding to facilitate yet another
+intrusion into the private sphere of people in Norway. It rarely
+provokes reactions. The story of the reactions to Helse Sør-Øst's
+outsourcing is sadly an exception and the tip of the iceberg,
+unfortunately. I think I will still decline AutoPASS and keep as far
+away from the Norwegian health service as I can, until they have
+demonstrated and documented that they value the individual's private
+sphere and personal integrity above short-term gain and societal
+benefit.</p>
+
+ </div>
+ <div class="tags">
+
+
+ Tags: <a href="https://people.skolelinux.org/pere/blog/tags/norsk">norsk</a>, <a href="https://people.skolelinux.org/pere/blog/tags/personvern">personvern</a>, <a href="https://people.skolelinux.org/pere/blog/tags/sikkerhet">sikkerhet</a>.
+
+
+ </div>
+ </div>
+ <div class="padding"></div>
+
+ <div class="entry">
+ <div class="title">
+ <a href="https://people.skolelinux.org/pere/blog/How_to_talk_with_your_loved_ones_in_private.html">How to talk with your loved ones in private</a>
+ </div>
+ <div class="date">
+ 7th November 2016
+ </div>
+ <div class="body">
+ <p>A few days ago I ran a very biased and informal survey to get an
+idea about what options are being used to communicate with end to end
+encryption with friends and family. I explicitly asked people not to
+list options only used in a work setting. The background is the
+uneasy feeling I get when using Signal, a feeling shared by others as
+a blog post from Sander Venima about
+<a href="https://sandervenema.ch/2016/11/why-i-wont-recommend-signal-anymore/">why
+he does not recommend Signal anymore</a> shows (with
+<a href="https://news.ycombinator.com/item?id=12883410">feedback from
+the Signal author available from ycombinator</a>). I wanted an
+overview of the options being used, and hope to include those options
+in a less biased survey later on. So far I have not taken the time to
+look into the individual proposed systems. They range from text
+sharing web pages, via file sharing and email to instant messaging,
+VOIP and video conferencing. For those considering which system to
+use, it is also useful to have a look at
+<a href="https://www.eff.org/secure-messaging-scorecard">the EFF Secure
+messaging scorecard</a> which is slightly out of date but still
+provides valuable information.</p>
+
+<p>So, on to the list. There were some used by many, some used by a
+few, some rarely used ones and a few mentioned but without anyone
+claiming to use them. Notice the grouping is in reality quite random
+given the biased self selected set of participants. First the ones
+used by many:</p>
+
+<ul>
+
+<li><a href="https://whispersystems.org/">Signal</a></li>
+<li>Email w/<a href="http://openpgp.org/">OpenPGP</a> (Enigmail, GPGSuite,etc)</li>
+<li><a href="https://www.whatsapp.com/">Whatsapp</a></li>
+<li>IRC w/<a href="https://otr.cypherpunks.ca/">OTR</a></li>
+<li>XMPP w/<a href="https://otr.cypherpunks.ca/">OTR</a></li>
+
+</ul>
+
+<p>Then the ones used by a few.</p>
+
+<ul>
+
+<li><a href="https://wiki.mumble.info/wiki/Main_Page">Mumble</a></li>
+<li>iMessage (included in iOS from Apple)</li>
+<li><a href="https://telegram.org/">Telegram</a></li>
+<li><a href="https://jitsi.org/">Jitsi</a></li>
+<li><a href="https://keybase.io/download">Keybase file</a></li>
+
+</ul>
+
+<p>Then the ones used by even fewer people</p>
+
+<ul>
+
+<li><a href="https://ring.cx/">Ring</a></li>
+<li><a href="https://bitmessage.org/">Bitmessage</a></li>
+<li><a href="https://wire.com/">Wire</a></li>
+<li>VoIP w/<a href="https://en.wikipedia.org/wiki/ZRTP">ZRTP</a> or controlled <a href="https://en.wikipedia.org/wiki/Secure_Real-time_Transport_Protocol">SRTP</a> (e.g using <a href="https://en.wikipedia.org/wiki/CSipSimple">CSipSimple</a>, <a href="https://en.wikipedia.org/wiki/Linphone">Linphone</a>)</li>
+<li><a href="https://matrix.org/">Matrix</a></li>
+<li><a href="https://kontalk.org/">Kontalk</a></li>
+<li><a href="https://0bin.net/">0bin</a> (encrypted pastebin)</li>
+<li><a href="https://appear.in">Appear.in</a></li>
+<li><a href="https://riot.im/">riot</a></li>
+<li><a href="https://www.wickr.com/">Wickr Me</a></li>
+
+</ul>
+
+<p>And finally the ones mentioned but not marked as used by
+anyone. This might be a mistake, perhaps the person adding the entry
+forgot to flag it as used?</p>
+
+<ul>
+
+<li>Email w/Certificates <a href="https://en.wikipedia.org/wiki/S/MIME">S/MIME</a></li>
+<li><a href="https://www.crypho.com/">Crypho</a></li>
+<li><a href="https://cryptpad.fr/">CryptPad</a></li>
+<li><a href="https://github.com/ricochet-im/ricochet">ricochet</a></li>
+
+</ul>
+
+<p>Given the network effect it seems obvious to me that we as a society
+have been divided and conquered by those interested in keeping
+encrypted and secure communication away from the masses. The
+finishing remarks <a href="https://vimeo.com/97505679">from Aral Balkan
+in his talk "Free is a lie"</a> about the usability of free software
+really come into effect when you want to communicate in private with
+your friends and family. We cannot expect them to allow the
+usability of a communication tool to block their ability to talk to
+their loved ones.</p>
+
+<p>Note for example the option IRC w/OTR. Most IRC clients do not
+have OTR support, so in most cases OTR would not be an option, even if
+you wanted to. In my personal experience, about 1 in 20 I talk to
+have an IRC client with OTR. For private communication to really be
+available, most people to talk to must have the option in their
+currently used client. I cannot simply ask my family to install an
+IRC client. I need to guide them through a technical multi-step
+process of adding extensions to the client to get them going. This is
+a non-starter for most.</p>
+
+<p>I would like to be able to do video phone calls, audio phone calls,
+exchange instant messages and share files with my loved ones, without
+being forced to share with people I do not know. I do not want to
+share the content of the conversations, and I do not want to share who
+I communicate with or the fact that I communicate with someone.
+Without all these factors in place, my private life is being more or
+less invaded.</p>
+
+<p><strong>Update 2019-10-08</strong>: Børge Dvergsdal, who told me he
+ is Customer Relationship Manager @ Whereby (formerly appear.in),
+ asked if I could mention that appear.in is now renamed and found at
+ <a href="https://whereby.com/">https://whereby.com/</a>. And sure,
+ why not. Apparently they changed the name because they were unable
+ to trademark appear.in somewhere... While I am at it, I can mention
+ that Ring changed name to Jami, now available from <a
+ href="https://jami.net/">https://jami.net/</a>. Luckily they were
+ able to have a direct redirect from ring.cx to jami.net, so the user
+ experience is almost the same.</p>
+
+ </div>
+ <div class="tags">
+
+
+ Tags: <a href="https://people.skolelinux.org/pere/blog/tags/english">english</a>, <a href="https://people.skolelinux.org/pere/blog/tags/personvern">personvern</a>, <a href="https://people.skolelinux.org/pere/blog/tags/sikkerhet">sikkerhet</a>, <a href="https://people.skolelinux.org/pere/blog/tags/surveillance">surveillance</a>.
+
+
+ </div>
+ </div>
+ <div class="padding"></div>
+
+ <div class="entry">
+ <div class="title">
+ <a href="https://people.skolelinux.org/pere/blog/Aktivitetsb_nd_som_beskytter_privatsf_ren.html">Activity bands that protect privacy</a>
+ </div>
+ <div class="date">
+ 3rd November 2016
+ </div>
+ <div class="body">
+ <p>I was so impressed by
+<a href="https://www.nrk.no/norge/forbrukerradet-mener-aktivitetsarmband-strider-mot-norsk-lov-1.13209079">today's
+good news on NRK</a>, that the Norwegian Consumer Council (Forbrukerrådet)
+is reporting the terms of use for activity bands from Fitbit, Garmin,
+Jawbone and Mio to the Data Protection Authority (Datatilsynet) and the
+Consumer Ombudsman, that I sent the following letter to the Consumer
+Council to express my support:
+
+<blockquote>
+
+<p>I was very happy to read that the Consumer Council
+<a href="http://www.forbrukerradet.no/siste-nytt/klager-inn-aktivitetsarmband-for-brudd-pa-norsk-lov/">is
+reporting several activity bands to the Data Protection Authority for
+bad terms</a>. I have wanted an activity band that can measure pulse,
+movement and preferably other health-related indicators for a while now.
+The only ones I have found for sale make, as you have also discovered,
+serious intrusions into the private sphere and send the information out
+of the house to people and organisations I do not want to share activity
+and health information with. I want an alternative that does
+<em>not</em> send information to the cloud, but instead uses
+<a href="http://people.skolelinux.org/pere/blog/Fri_og__pen_standard__slik_Digistan_ser_det.html">a
+freely and openly standardised</a> protocol (or at least a documented
+protocol without patent and copyright restrictions on use) to
+communicate with computer equipment I control. I am not interested in
+paying someone to help themselves to my personal data. Unfortunately I
+have not found any alternative so far.</p>
+
+<p>It is not enough to change the terms of use for the devices, as the
+Data Protection Authority often settles for in its case handling, when
+the devices work the way e.g. Fitbit (the one I have looked at most)
+does. Fitbit encrypts the information on the device and sends it
+encrypted to the vendor. That makes it in practice impossible both to
+check what kind of information is sent, and to receive the information
+yourself instead of Fitbit. Whatever story is told in the terms of use,
+one is at the mercy both of the vendor's goodwill and of the vendor not
+being forced by the authorities of its country to lie to its customers
+about whether personal data is spread beyond what the terms say. It is
+well documented how e.g. the USA forces companies, by means of so-called
+National security letters, to hand over personal data while at the same
+time forbidding them to tell their customers about it.</p>
+
+<p>Keep it up, I am very glad you have looked into the matter. Do you
+know of activity bands for sale today that do not force one to hand over
+activity and health data to the vendor?</p>
+
+</blockquote>
+
+<p>I hope a competitor that respects its customers' privacy manages to
+gain a foothold in the market, so that there is a real alternative for
+those of us who fully trust that cloud vendors will prioritise their own
+earnings and government orders far ahead of their customers' right to
+privacy. I have no faith that the Data Protection Authority will demand
+anything more than that the terms be changed so they state explicitly to
+what extent use of the products eradicates the customers' privacy. That
+will probably make the reported bands «legal», but still force the
+customers to share their personal data with the vendor.</p>
+
+ </div>
+ <div class="tags">
+
+
+ Tags: <a href="https://people.skolelinux.org/pere/blog/tags/norsk">norsk</a>, <a href="https://people.skolelinux.org/pere/blog/tags/personvern">personvern</a>, <a href="https://people.skolelinux.org/pere/blog/tags/sikkerhet">sikkerhet</a>, <a href="https://people.skolelinux.org/pere/blog/tags/surveillance">surveillance</a>.
+
+
+ </div>
+ </div>
+ <div class="padding"></div>
+
+ <div class="entry">
+ <div class="title">
+ <a href="https://people.skolelinux.org/pere/blog/Experience_and_updated_recipe_for_using_the_Signal_app_without_a_mobile_phone.html">Experience and updated recipe for using the Signal app without a mobile phone</a>
+ </div>
+ <div class="date">
+ 10th October 2016
+ </div>
+ <div class="body">
+ <p>In July
+<a href="http://people.skolelinux.org/pere/blog/How_to_use_the_Signal_app_if_you_only_have_a_land_line__ie_no_mobile_phone_.html">I
+wrote how to get the Signal Chrome/Chromium app working</a> without
+the ability to receive SMS messages (aka without a cell phone). It is
+time to share some experiences and provide an updated setup.</p>
+
+<p>The Signal app has worked fine for several months now, and I use
+it regularly to chat with my loved ones. I had a major snag at the
+end of my summer vacation, when the app completely forgot my
+setup, identity and keys. The reason behind this major mess was
+running out of disk space. To avoid that ever happening again I have
+started storing everything in <tt>userdata/</tt> in git, to be able to
+roll back to an earlier version if the files are wiped by mistake. I
+had to use it once after introducing the git backup. When rolling
+back to an earlier version, one needs to use the 'reset session' option
+in Signal to get going, and notify the people you talk with about the
+problem. I assume there is some sequence number tracking in the
+protocol to detect rollback attacks. The git repository is rather big
+(674 MiB so far), but I have not tried to figure out if some of the
+content can be added to a .gitignore file due to lack of spare
+time.</p>
+
+<p>I've also hit the 90 days timeout blocking, and noticed that this
+makes it impossible to send messages using Signal. I could still
+receive them, but had to patch the code with a new timestamp to send.
+I believe the timeout is added by the developers to force people to
+upgrade to the latest version of the app, even when there are no
+protocol changes, to reduce the version skew among the user base and
+thus try to keep the number of support requests down.</p>
+
+<p>Since my original recipe, the Signal source code changed slightly,
+making the old patch fail to apply cleanly. Below is an updated
+patch, including the shell wrapper I use to start Signal. The
+original version required a new user to locate the JavaScript console
+and call a function from there. I got help from a friend with more
+JavaScript knowledge than me to modify the code to provide a GUI
+button instead. This means that to get started you just need to run
+the wrapper and click the 'Register without mobile phone' button.
+I've also modified the timeout code to always set it to 90 days
+in the future, to avoid having to patch the code regularly.</p>
+
+<p>So, the updated recipe for Debian Jessie:</p>
+
+<ol>
+
+<li>First, install the required packages to get the source code and the
+browser you need. Signal only works with Chrome/Chromium, as far as I
+know, so you need to install it.
+
+<pre>
+apt install git tor chromium
+git clone https://github.com/WhisperSystems/Signal-Desktop.git
+</pre></li>
+
+<li>Modify the source code using the command listed in the patch
+block below.</li>
+
+<li>Start Signal using the run-signal-app wrapper (for example using
+<tt>`pwd`/run-signal-app</tt>).</li>
+
+<li>Click on 'Register without mobile phone', fill in a phone
+number you can receive calls to within the next minute, receive the
+verification code and enter it into the form field and press
+'Register'. Note, the phone number you use will be your Signal
+username, ie the way others can find you on Signal.</li>
+
+<li>You can now use Signal to contact others. Note, new contacts do
+not show up in the contact list until you restart Signal, and there is
+no way to assign names to contacts. There is also no way to create or
+update chat groups. I suspect this is because the web app does not have
+an associated contact database.</li>
+
+</ol>
+
+<p>I am still a bit uneasy about using Signal, because of the way its
+main author moxie0 rejects federation and accepts dependencies on major
+corporations like Google (part of the code is fetched from Google) and
+Amazon (the central coordination point is owned by Amazon). See for
+example
+<a href="https://github.com/LibreSignal/LibreSignal/issues/37">the
+LibreSignal issue tracker</a> for a thread documenting the author's
+view on these issues. But the network effect is strong in this case,
+and several of the people I want to communicate with already use
+Signal. Perhaps we can all move to <a href="https://ring.cx/">Ring</a>
+once it <a href="https://bugs.debian.org/830265">works on my
+laptop</a>? It already works on Windows and Android, and is included
+in <a href="https://tracker.debian.org/pkg/ring">Debian</a> and
+<a href="https://launchpad.net/ubuntu/+source/ring">Ubuntu</a>, but is
+not working on Debian Stable.</p>
+
+<p>Anyway, this is the patch I apply to the Signal code to get it
+working. It switches to the production servers, disables the timeout,
+makes registration easier and adds the shell wrapper:</p>
+
+<pre>
+cd Signal-Desktop; cat <<EOF | patch -p1
+diff --git a/js/background.js b/js/background.js
+index 24b4c1d..579345f 100644
+--- a/js/background.js
++++ b/js/background.js
+@@ -33,9 +33,9 @@
+ });
+ });
+
+- var SERVER_URL = 'https://textsecure-service-staging.whispersystems.org';
++ var SERVER_URL = 'https://textsecure-service-ca.whispersystems.org';
+ var SERVER_PORTS = [80, 4433, 8443];
+- var ATTACHMENT_SERVER_URL = 'https://whispersystems-textsecure-attachments-staging.s3.amazonaws.com';
++ var ATTACHMENT_SERVER_URL = 'https://whispersystems-textsecure-attachments.s3.amazonaws.com';
+ var messageReceiver;
+ window.getSocketStatus = function() {
+ if (messageReceiver) {
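Review bot: SERVER_URL and ATTACHMENT_SERVER_URL stay hard-coded in js/background.js, so this hunk has to be re-applied every time upstream touches the file (the post already notes the earlier patch stopped applying cleanly). Reading the two endpoints from a small local config file or an environment variable would keep the production URLs out of the patched source. The unchanged `var SERVER_PORTS = [80, 4433, 8443];` also still lists plain port 80 next to an https URL; worth confirming the client never falls back to it.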
+diff --git a/js/expire.js b/js/expire.js
+index 639aeae..beb91c3 100644
+--- a/js/expire.js
++++ b/js/expire.js
+@@ -1,6 +1,6 @@
+ ;(function() {
+ 'use strict';
+- var BUILD_EXPIRATION = 0;
++ var BUILD_EXPIRATION = Date.now() + (90 * 24 * 60 * 60 * 1000);
+
+ window.extension = window.extension || {};
+
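Review bot: `var BUILD_EXPIRATION = Date.now() + (90 * 24 * 60 * 60 * 1000);` is evaluated each time the script loads, so the deadline is always 90 days after the current start and the expiry check can never trip; this disables the check rather than postponing it. If that is the intent, say so in a comment (or set a far-future constant), so the next reader does not take the 90 days literally.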
+diff --git a/js/views/install_view.js b/js/views/install_view.js
+index 7816f4f..1d6233b 100644
+--- a/js/views/install_view.js
++++ b/js/views/install_view.js
+@@ -38,7 +38,8 @@
+ return {
+ 'click .step1': this.selectStep.bind(this, 1),
+ 'click .step2': this.selectStep.bind(this, 2),
+- 'click .step3': this.selectStep.bind(this, 3)
++ 'click .step3': this.selectStep.bind(this, 3),
++ 'click .callreg': function() { extension.install('standalone') },
+ };
+ },
+ clearQR: function() {
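Review bot: the new `'click .callreg': function() { extension.install('standalone') },` entry breaks the pattern of its neighbours, which are bound view methods (`this.selectStep.bind(this, N)`), and depends on the `extension` global being loaded before the click. A method on the view plus `.bind(this)` would match the file's style, and the trailing comma now left after the last entry is easy to trip over in a later edit.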
+diff --git a/options.html b/options.html
+index dc0f28e..8d709f6 100644
+--- a/options.html
++++ b/options.html
+@@ -14,7 +14,10 @@
+ <div class='nav'>
+ <h1>{{ installWelcome }}</h1>
+ <p>{{ installTagline }}</p>
+- <div> <a class='button step2'>{{ installGetStartedButton }}</a> </div>
++ <div> <a class='button step2'>{{ installGetStartedButton }}</a>
++ <br> <a class="button callreg">Register without mobile phone</a>
++
++ </div>
+ <span class='dot step1 selected'></span>
+ <span class='dot step2'></span>
+ <span class='dot step3'></span>
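Review bot: the new button's label `Register without mobile phone` is a literal English string, while the button next to it uses the `{{ installGetStartedButton }}` message placeholder; adding a message key keeps the new button translatable like the rest of the page. The empty line added before the closing `</div>` can be dropped.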
+--- /dev/null 2016-10-07 09:55:13.730181472 +0200
++++ b/run-signal-app 2016-10-10 08:54:09.434172391 +0200
+@@ -0,0 +1,12 @@
++#!/bin/sh
++set -e
++cd $(dirname $0)
++mkdir -p userdata
++userdata="`pwd`/userdata"
++if [ -d "$userdata" ] && [ ! -d "$userdata/.git" ] ; then
++ (cd $userdata && git init)
++fi
++(cd $userdata && git add . && git commit -m "Current status." || true)
++exec chromium \
++ --proxy-server="socks://localhost:9050" \
++ --user-data-dir=$userdata --load-and-launch-app=`pwd`
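Review bot: `cd $(dirname $0)` and `--user-data-dir=$userdata` are unquoted, so the wrapper breaks when the checkout path contains spaces; the `[ -d "$userdata" ]` test is always true right after `mkdir -p userdata`; and `git add . && git commit -m "Current status." || true` swallows every failure, including a commit refused for lack of a git identity, which is exactly the case this backup exists for. Keep `|| true` only for the "nothing to commit" case, check the `git add` result separately, and consider a `.gitignore` for Chromium's cache directories, since committing the whole profile is what makes the repository grow as the post describes.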
+EOF
+chmod a+rx run-signal-app
+</pre>
+
+<p>As usual, if you use Bitcoin and want to show your support of my
+activities, please send Bitcoin donations to my address
+<b><a href="bitcoin:15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b">15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b</a></b>.</p>
+
+ </div>
+ <div class="tags">
+
+
+ Tags: <a href="https://people.skolelinux.org/pere/blog/tags/debian">debian</a>, <a href="https://people.skolelinux.org/pere/blog/tags/english">english</a>, <a href="https://people.skolelinux.org/pere/blog/tags/sikkerhet">sikkerhet</a>, <a href="https://people.skolelinux.org/pere/blog/tags/surveillance">surveillance</a>.
+
+
+ </div>
+ </div>
+ <div class="padding"></div>
+
+ <div class="entry">
+ <div class="title">
+ <a href="https://people.skolelinux.org/pere/blog/NRKs_kildevern_n_r_NRK_epost_deles_med_utenlands_etterretning_.html">NRK's source protection when NRK e-mail is shared with foreign intelligence?</a>
+ </div>
+ <div class="date">
+ 8th October 2016
+ </div>
+ <div class="body">
+ <p>A few weeks ago NRK
+<a href="https://nrkbeta.no/2016/09/02/securing-whistleblowers/">launched</a>
+a new
+<a href="https://www.nrk.no/varsle/">whistleblower portal that uses
+SecureDrop to receive tips</a> where it is essential that no outsider
+learns that NRK has been tipped off. It is a long step forward for NRK,
+and when one reads the blog post about what they have considered and
+how the solution is set up, it looks like they have done a thorough job.
+But receiving tips via SecureDrop is quite a lot of extra work, so the
+whistleblower page writes "News tips that do not require this kind of
+extra protection we would like to receive at nrk.no/03030", and the
+03030 page suggests, in addition to a web form, using e-mail, SMS,
+telephone, showing up in person and postal mail. This article is about
+those other methods.</p>
+
+<p>When one sends e-mail to an @nrk.no address, the e-mail is sent out
+of the country to computers controlled by Microsoft. One can check this
+oneself by looking up the mail delivery address (MX) in DNS. For NRK
+this is today "nrk-no.mail.protection.outlook.com". As one can see, NRK
+has chosen to outsource its mail reception to those behind outlook.com,
+i.e. Microsoft. One can check which route the network traffic takes
+through the Internet to the mail receiver using the program
+<tt>traceroute</tt>, and find out who owns an Internet address using
+the whois system. When one does this for e-mail traffic to @nrk.no, one
+sees that the traffic from Norway towards
+nrk-no.mail.protection.outlook.com goes via Sweden to either Ireland or
+Germany (it varies from time to time and may change over time).</p>
+
+<p>We know from
+<a href="https://no.wikipedia.org/wiki/FRA-loven">the introduction of
+the FRA law</a> that IP traffic crossing the border into Sweden is
+intercepted by Försvarets radioanstalt (FRA). We further know, thanks
+to the Snowden confirmations, that traffic crossing the border into the
+United Kingdom is intercepted by Government Communications Headquarters
+(GCHQ). In addition, a proposal has just been launched in Norway that
+the military intelligence service (E-tjenesten) should be allowed to
+intercept traffic crossing the Norwegian border. I am not aware of
+documentation that Ireland and Germany do the same. The point is in any
+case that foreign intelligence has the ability to pick up the traffic
+when one sends e-mail to @nrk.no. In addition it is of course available
+to Microsoft, which is subject to US jurisdiction and
+<a href="https://www.theguardian.com/world/2013/jul/11/microsoft-nsa-collaboration-user-data">cooperates
+with US intelligence in several areas</a>. Those who tip NRK about news
+via e-mail can thus assume that many others than NRK will know it has
+been done.</p>
+
+<p>Use of SMS and telephone is registered by, among others, the
+telephone companies and is, according to law and regulation, available
+to among others the Police, NAV and the Financial Supervisory Authority
+(Finanstilsynet), in addition to the IT people at the telephone
+companies and their superiors. If the caller or the recipient uses a
+smartphone, such contact will also be made available to various app
+vendors and to those listening on the traffic between the phone and the
+app vendor, depending on what is installed on the phones in use.</p>
+
+<p>Postal mail may seem safe, and I do not know how much is registered
+and stored by the postal service's computerised sorting centres. It
+would not surprise me if where in the country each envelope comes from
+and where it is addressed is stored, at least for a shorter period. Nor
+do I know who such information is made available to. It may be enough
+to narrow down potential sources when cross-referenced with who knew
+the information in question and where they were (available e.g. if they
+carry a mobile phone or live nearby).</p>
+
+<p>Showing up in person at an NRK journalist is probably the safest,
+but one should beware of using the NRK canteen. There they break
+<a href="http://www.lovdata.no/all/hl-19850524-028.html#14">section 14
+of the Central Bank Act (Sentralbankloven)</a> and refuse to let people
+pay with cash. Instead they require one to notify one's bank card
+issuer of where one is by using a bank card. Bank transactions are
+available to the card issuer (be it VISA, Mastercard, Nets and/or a
+bank) in addition to the police and, at least earlier, Se & Hør
+(via disloyal employees, as was revealed after the publication of the
+book «Livet, det forbannede» by Ken B. Rasmussen). But how many know
+an NRK journalist personally? Visiting NRK at Marienlyst requires one
+to register one's arrival electronically in the visitor system. I do
+not know what happens to that data set, but have reason to believe that
+an SMS with the name given is sent to the person one is visiting.
+Perhaps a good idea to give a false name.</p>
+
+<p>Once the tip has reached NRK, it is to be handled editorially within
+NRK. There, I know via various sources that most journalists use
+locally installed software, but some use Google Docs and other cloud
+services, contrary to internal guidelines, when they write. How does
+one know who that applies to? I do not know, but it may be wise to ask,
+to check that the journalist has considered the issue, before giving a
+tip. And if the tip is discussed internally by e-mail, there is reason
+to believe that the internal e-mail will also be shared with Microsoft
+and foreign intelligence, as mentioned earlier, but it may be that it
+stays within NRK's internal MS Exchange installation. But Microsoft
+wants to move all Exchange customers "into the cloud" (or other
+people's computers, which is what that means), so I do not know how
+long that would last in that case.</p>
+
+<p>In addition, one knows that
+<a href="https://www.nrk.no/ytring/elektronisk-kildevern-i-nrk-1.11941196">NRK
+has chosen to give the National Security Authority (NSM) access to look
+at internal and external Internet traffic</a> at NRK by setting up
+so-called VDI nodes, despite
+<a href="https://www.nrk.no/ytring/bekymring-for-nrks-kildevern-1.11941584">protests
+from NRK's journalists' union</a>. I do not know whether it will be
+able to pick up documents stored on internal file servers or documents
+created in the internal web-based publishing systems, but I know that
+what the node looks for on the network is controlled by NSM and updated
+automatically, so it makes little sense to check what the node looks
+for today when it can change automatically tomorrow.</p>
+
+<p>Personally, I do not know if I would have dared to tip NRK if I was
+sitting on something that could be a threat to the established powers
+in Norway or the world. For that there seem to be too many openings for
+outsiders with other priorities than NRK's journalistic focus. And the
+biggest threat to a whistleblower is meta-information going astray,
+i.e. information that one has been in contact with a journalist. That
+can be enough to end up in the authorities' spotlight, and very few
+have enough operational security to withstand such floodlighting of
+their private life.</p>
+
+ </div>
+ <div class="tags">
+
+
+ Tags: <a href="https://people.skolelinux.org/pere/blog/tags/betalkontant">betalkontant</a>, <a href="https://people.skolelinux.org/pere/blog/tags/dld">dld</a>, <a href="https://people.skolelinux.org/pere/blog/tags/norsk">norsk</a>, <a href="https://people.skolelinux.org/pere/blog/tags/personvern">personvern</a>, <a href="https://people.skolelinux.org/pere/blog/tags/sikkerhet">sikkerhet</a>, <a href="https://people.skolelinux.org/pere/blog/tags/surveillance">surveillance</a>.
+
+
+ </div>
+ </div>
+ <div class="padding"></div>
+
+ <div class="entry">
+ <div class="title">
+ <a href="https://people.skolelinux.org/pere/blog/Unlocking_HTC_Desire_HD_on_Linux_using_unruu_and_fastboot.html">Unlocking HTC Desire HD on Linux using unruu and fastboot</a>
+ </div>
+ <div class="date">
+ 7th July 2016
+ </div>
+ <div class="body">
+ <p>Yesterday, I tried to unlock a HTC Desire HD phone, and it proved
+to be a slight challenge. Here is the recipe if I ever need to do it
+again. It all started by me wanting to try the recipe to set up
+<a href="https://blog.torproject.org/blog/mission-impossible-hardening-android-security-and-privacy">a
+hardened Android installation</a> from the Tor project blog on a
+device I had access to. It is an old mobile phone with a broken
+microphone. The initial idea had been to just
+<a href="http://wiki.cyanogenmod.org/w/Install_CM_for_ace">install
+CyanogenMod on it</a>, but I did not quite find time to start on it
+until a few days ago.</p>
+
+<p>The unlock process is supposed to be simple: (1) Boot into the boot
+loader (press volume down and power at the same time), (2) select
+'fastboot' before (3) connecting the device via USB to a Linux
+machine, (4) request the device identifier token by running 'fastboot
+oem get_identifier_token', (5) request the device unlocking key using
+the <a href="http://www.htcdev.com/bootloader/">HTC developer web
+site</a> and unlock the phone using the key file emailed to you.</p>
+
+<p>Unfortunately, this only works if you have hboot version 2.00.0029
+or newer, and the device I was working on had 2.00.0027. This
+apparently can be easily fixed by downloading a Windows program and
+running it on your Windows machine, if you accept the terms Microsoft
+require you to accept to use Windows - which I do not. So I had to
+come up with a different approach. I got a lot of help from AndyCap
+on #nuug, and would not have been able to get this working without
+him.</p>
+
+<p>First I needed to extract the hboot firmware from
+<a href="http://www.htcdev.com/ruu/PD9810000_Ace_Sense30_S_hboot_2.00.0029.exe">the
+Windows binary for HTC Desire HD</a> downloaded as 'the RUU' from HTC.
+For this there is <a href="https://github.com/kmdm/unruu/">a github
+project named unruu</a> using libunshield. The unshield tool did not
+recognise the file format, but unruu worked and extracted rom.zip,
+containing the new hboot firmware and a text file describing which
+devices it would work for.</p>
+
+<p>Next, I needed to get the new firmware into the device. For this I
+followed some instructions
+<a href="http://www.htc1guru.com/2013/09/new-ruu-zips-posted/">available
+from HTC1Guru.com</a>, and ran these commands as root on a Linux
+machine with Debian testing:</p>
+
+<p><pre>
+adb reboot-bootloader
+fastboot oem rebootRUU
+fastboot flash zip rom.zip
+fastboot flash zip rom.zip
+fastboot reboot
+</pre></p>
+
+<p>The flash command apparently needs to be run twice to take effect,
+as the first is just preparation and the second one does the flashing.
+The adb command is just to get to the boot loader menu, so turning the
+device on while holding volume down and the power button should work
+too.</p>
+
+<p>With the new hboot version in place I could start following the
+instructions on the HTC developer web site. I got the device token
+like this:</p>
+
+<p><pre>
+fastboot oem get_identifier_token 2>&1 | sed 's/(bootloader) //'
+</pre></p>
+
+<p>And once I got the unlock code via email, I could use it like
+this:</p>
+
+<p><pre>
+fastboot flash unlocktoken Unlock_code.bin
+</pre></p>
+
+<p>And with that final step in place, the phone was unlocked and I
+could start stuffing the software of my own choosing into the device.
+So far I only inserted a replacement recovery image to wipe the phone
+before I start. We will see what happen next. Perhaps I should
+install <a href="https://www.debian.org/">Debian</a> on it. :)</p>
+
+ </div>
+ <div class="tags">
+
+
+ Tags: <a href="https://people.skolelinux.org/pere/blog/tags/bootsystem">bootsystem</a>, <a href="https://people.skolelinux.org/pere/blog/tags/debian">debian</a>, <a href="https://people.skolelinux.org/pere/blog/tags/english">english</a>, <a href="https://people.skolelinux.org/pere/blog/tags/opphavsrett">opphavsrett</a>, <a href="https://people.skolelinux.org/pere/blog/tags/sikkerhet">sikkerhet</a>.
+
+
+ </div>
+ </div>
+ <div class="padding"></div>
+
+ <div class="entry">
+ <div class="title">
+ <a href="https://people.skolelinux.org/pere/blog/How_to_use_the_Signal_app_if_you_only_have_a_land_line__ie_no_mobile_phone_.html">How to use the Signal app if you only have a land line (ie no mobile phone)</a>
+ </div>
+ <div class="date">
+ 3rd July 2016
+ </div>
+ <div class="body">
+ <p>For a while now, I have wanted to test
+<a href="https://whispersystems.org/">the Signal app</a>, as it is
+said to provide end to end encrypted communication and several of my
+friends and family are already using it. As I by choice do not own a
+mobile phone, this proved to be harder than expected. And I wanted to
+have the source of the client and know that it was the code used on my
+machine. But yesterday I managed to get it working. I used the
+Github source, compared it to the source in
+<a href="https://chrome.google.com/webstore/detail/signal-private-messenger/bikioccmkafdpakkkcpdbppfkghcmihk?hl=en-US">the
+Signal Chrome app</a> available from the Chrome web store, applied
+patches to use the production Signal servers, started the app and
+asked for the hidden "register without a smart phone" form. Here is
+the recipe how I did it.</p>
+
+<p>First, I fetched the Signal desktop source from Github, using
+
+<pre>
+git clone https://github.com/WhisperSystems/Signal-Desktop.git
+</pre>
+
+<p>Next, I patched the source to use the production servers, to be
+able to talk to other Signal users:</p>
+
+<pre>
+cat <<EOF | patch -p0
+diff -ur ./js/background.js userdata/Default/Extensions/bikioccmkafdpakkkcpdbppfkghcmihk/0.15.0_0/js/background.js
+--- ./js/background.js 2016-06-29 13:43:15.630344628 +0200
++++ userdata/Default/Extensions/bikioccmkafdpakkkcpdbppfkghcmihk/0.15.0_0/js/background.js 2016-06-29 14:06:29.530300934 +0200
+@@ -47,8 +47,8 @@
+ });
+ });
+
+- var SERVER_URL = 'https://textsecure-service-staging.whispersystems.org';
+- var ATTACHMENT_SERVER_URL = 'https://whispersystems-textsecure-attachments-staging.s3.amazonaws.com';
++ var SERVER_URL = 'https://textsecure-service-ca.whispersystems.org:4433';
++ var ATTACHMENT_SERVER_URL = 'https://whispersystems-textsecure-attachments.s3.amazonaws.com';
+ var messageReceiver;
+ window.getSocketStatus = function() {
+ if (messageReceiver) {
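Review bot: the `---`/`+++` header names differ (`./js/background.js` versus the copy under `userdata/Default/Extensions/.../0.15.0_0/`), so applying with `patch -p0` inside the git checkout relies on `patch` resolving the hunk to the existing `./js/background.js`; using the same relative path on both sides would make the target unambiguous. The new `SERVER_URL` also bakes the port into the URL (`:4433`), which is fine for a local patch but should be kept in mind when comparing against later versions of the file.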
+diff -ur ./js/expire.js userdata/Default/Extensions/bikioccmkafdpakkkcpdbppfkghcmihk/0.15.0_0/js/expire.js
+--- ./js/expire.js 2016-06-29 13:43:15.630344628 +0200
++++ userdata/Default/Extensions/bikioccmkafdpakkkcpdbppfkghcmihk/0.15.0_0/js/expire.js2016-06-29 14:06:29.530300934 +0200
+@@ -1,6 +1,6 @@
+ ;(function() {
+ 'use strict';
+- var BUILD_EXPIRATION = 0;
++ var BUILD_EXPIRATION = 1474492690000;
+
+ window.extension = window.extension || {};
+
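Review bot: `var BUILD_EXPIRATION = 1474492690000;` is a fixed instant (21 September 2016, UTC), after which the expiry check trips until the constant is bumped by hand, as the post itself warns; a comment with the human-readable date next to the value would save the next reader the conversion. The `+++` header of this hunk is also missing the tab between the file name and the timestamp; `patch` can still resolve the file from the `---` name, but the header should be repaired.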
+EOF
+</pre>
+
+<p>The first part is changing the servers, and the second is updating
+an expiration timestamp. This timestamp needs to be updated regularly.
+It is set 90 days in the future by the build process (Gruntfile.js).
+The value is seconds since 1970 times 1000, as far as I can tell.</p>
+
+<p>Based on a tip and good help from the #nuug IRC channel, I wrote a
+script to launch Signal in Chromium.</p>
+
+<pre>
+#!/bin/sh
+# Run from the Signal-Desktop checkout; the Chromium profile lives in userdata/
+cd "$(dirname "$0")"
+mkdir -p userdata
+exec chromium \
+ --proxy-server="socks://localhost:9050" \
+ --user-data-dir="$(pwd)/userdata" --load-and-launch-app="$(pwd)"
+</pre>
+
+<p>The script starts the app and configures Chromium to use the Tor
+SOCKS5 proxy to make sure those controlling the Signal servers (today
+Amazon and Whisper Systems) as well as those listening on the lines
+will have a harder time locating my laptop based on the Signal
+connections if they use the source IP address.</p>
+
+<p>When the script starts, one needs to follow the instructions under
+"Standalone Registration" in the CONTRIBUTING.md file in the git
+repository. I right clicked on the Signal window to get up the
+Chromium debugging tool, visited the 'Console' tab and wrote
+'extension.install("standalone")' on the console prompt to get the
+registration form. Then I entered my land line phone number and
+pressed 'Call'. 5 seconds later the phone rang and a robot voice
+repeated the verification code three times. After entering the number
+into the verification code field in the form, I could start using
+Signal from my laptop.</p>
+
+<p>As far as I can tell, the Signal app will leak who is talking to
+whom, and thus who knows whom, to those controlling the central server,
+but such leakage is hard to avoid with a centrally controlled server
+setup. It is something to keep in mind when using Signal - the
+content of your chats is harder to intercept, but the meta data
+exposing your contact network is available to people you do not know.
+So better than many options, but not great. And sadly the usage is
+connected to my land line, thus allowing those controlling the server
+to associate it to my home and person. I would prefer it if only
+those I knew could tell who I was on Signal. There are options
+avoiding such information leakage, but most of my friends are not
+using them, so I am stuck with Signal for now.</p>
+
+<p><strong>Update 2017-01-10</strong>: There is an updated blog post
+on this topic in
+<a href="http://people.skolelinux.org/pere/blog/Experience_and_updated_recipe_for_using_the_Signal_app_without_a_mobile_phone.html">Experience
+and updated recipe for using the Signal app without a mobile
+phone</a>.</p>
+
+ </div>
+ <div class="tags">
+
+
+ Tags: <a href="https://people.skolelinux.org/pere/blog/tags/debian">debian</a>, <a href="https://people.skolelinux.org/pere/blog/tags/english">english</a>, <a href="https://people.skolelinux.org/pere/blog/tags/sikkerhet">sikkerhet</a>, <a href="https://people.skolelinux.org/pere/blog/tags/surveillance">surveillance</a>.
+
+
+ </div>
+ </div>
+ <div class="padding"></div>
+
+ <div class="entry">
+ <div class="title">
+ <a href="https://people.skolelinux.org/pere/blog/syslog_trusted_timestamp___chain_of_trusted_timestamps_for_your_syslog.html">syslog-trusted-timestamp - chain of trusted timestamps for your syslog</a>
+ </div>
+ <div class="date">
+ 2nd April 2016
+ </div>
+ <div class="body">
+ <p>Two years ago, I had
+<a href="http://people.skolelinux.org/pere/blog/Public_Trusted_Timestamping_services_for_everyone.html">a
+look at the trusted timestamping options available</a>, and among
+other things noted a still open
+<a href="https://bugs.debian.org/742553">bug in the tsget script</a>
+included in openssl that made it harder than necessary to use openssl
+as a trusted timestamping client. A few days ago I was told
+<a href="https://www.difi.no/">the Norwegian government office DIFI</a> is
+close to releasing their own trusted timestamp service, and in the
+process I was happy to learn about a replacement for the tsget script
+using only curl:</p>
+
+<p><pre>
+openssl ts -query -data "/etc/shells" -cert -sha256 -no_nonce \
+ | curl -s -H "Content-Type: application/timestamp-query" \
+ --data-binary "@-" http://zeitstempel.dfn.de > etc-shells.tsr
+openssl ts -reply -text -in etc-shells.tsr
+</pre></p>
+
+<p>This produces a binary timestamp file (etc-shells.tsr) which can be
+used to verify that content with the calculated sha256 hash of
+/etc/shells existed at the point in time when the request was made.
+Only the hash is sent to the service, so the timestamping authority
+never sees the file content. The last command prints the content of
+etc-shells.tsr in human readable form. The idea behind such a timestamp
+is to be able to prove using cryptography that the content of a file
+has not changed since the file was stamped.</p>
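<p>As an added example, not part of the original post and not code from openssl, curl or the DFN service, the following Python builds the same RFC 3161 TimeStampReq structure that <tt>openssl ts -query -sha256 -cert -no_nonce</tt> emits, using a hand-rolled DER encoder for the few tags the request needs, and then parses the request back to show exactly what the timestamping service receives: the hash algorithm OID, the digest and the certReq flag, never the data itself. The sample input is a constructed stand-in for /etc/shells, and the function names are this example's own.</p>

```python
"""Build and inspect an RFC 3161 TimeStampReq (added example, not from the post).

The DER encoder/decoder below covers only the tags the request needs; the
request is far below the 64 KiB that the length encoding here supports.
"""
import hashlib

# id-sha256 = 2.16.840.1.101.3.4.2.1, the OID openssl writes for -sha256
SHA256_OID = bytes.fromhex("608648016503040201")


def _der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV with a definite length of up to 65535 bytes."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + content


def build_ts_request(data: bytes, cert_req: bool = True) -> bytes:
    """DER TimeStampReq matching `openssl ts -query -sha256 -cert -no_nonce`.

    TimeStampReq ::= SEQUENCE {
        version        INTEGER 1,
        messageImprint SEQUENCE { hashAlgorithm AlgorithmIdentifier,
                                  hashedMessage OCTET STRING },
        certReq        BOOLEAN DEFAULT FALSE }   -- no nonce, no policy
    Only the digest goes into the request; `data` itself never leaves the host.
    """
    digest = hashlib.sha256(data).digest()
    # AlgorithmIdentifier: sha256 OID with NULL parameters
    alg_id = _der(0x30, _der(0x06, SHA256_OID) + _der(0x05, b""))
    imprint = _der(0x30, alg_id + _der(0x04, digest))
    body = _der(0x02, b"\x01") + imprint            # version 1
    if cert_req:
        body += _der(0x01, b"\xff")   # DEFAULT FALSE: only encoded when TRUE
    return _der(0x30, body)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, content, position after the TLV) for the TLV at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                  # long form: next N bytes hold the length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_ts_request(der: bytes) -> dict:
    """Walk a TimeStampReq and return what the TSA actually gets to see."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    tag, version, pos = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("version INTEGER missing")
    tag, imprint, pos = _read_tlv(body, pos)
    if tag != 0x30:
        raise ValueError("messageImprint missing")
    _, alg_id, next_pos = _read_tlv(imprint, 0)
    _, oid, _ = _read_tlv(alg_id, 0)
    _, digest, _ = _read_tlv(imprint, next_pos)
    cert_req = False                   # DEFAULT FALSE when the field is absent
    while pos < len(body):             # optional reqPolicy / nonce / certReq
        tag, content, pos = _read_tlv(body, pos)
        if tag == 0x01:
            cert_req = content != b"\x00"
    return {
        "version": int.from_bytes(version, "big"),
        "hash_oid": oid.hex(),
        "digest": digest.hex(),
        "cert_req": cert_req,
    }


if __name__ == "__main__":
    # Constructed stand-in for the content of /etc/shells
    sample = b"/bin/sh\n/bin/bash\n"
    req = build_ts_request(sample)
    print(req.hex())            # the bytes that would be POSTed to the TSA
    print(parse_ts_request(req))
```

<p>The bytes returned by build_ts_request can be piped into the same curl command shown above in place of the openssl output; the network step is left out here so the example runs offline, and parse_ts_request is the check to run on any request before sending it, to confirm that nothing but a digest is about to leave the machine.</p>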
+
+<p>To verify that the file on disk matches the signature in the
+timestamp file, run the following commands. They make sure you have
+the certificate chain of the trusted timestamp service available
+and use it to compare the file content with the timestamp. In
+production, one should of course use a better method to verify the
+service certificate than fetching the chain over the web right before
+use.</p>
+
+<p><pre>
+wget -O ca-cert.txt https://pki.pca.dfn.de/global-services-ca/pub/cacert/chain.txt
+openssl ts -verify -data /etc/shells -in etc-shells.tsr -CAfile ca-cert.txt -text
+</pre></p>
+
+<p>Wikipedia has a lot more information about
+<a href="https://en.wikipedia.org/wiki/Trusted_timestamping">trusted
+timestamping</a> and
+<a href="https://en.wikipedia.org/wiki/Linked_timestamping">linked
+timestamping</a>, and there are several trusted timestamping services
+around, both commercial services and free public services.
+Among the latter are
+<a href="https://www.pki.dfn.de/zeitstempeldienst/">the
+zeitstempel.dfn.de service</a> mentioned above and
+<a href="https://freetsa.org/">the freetsa.org service</a> linked to from the
+Wikipedia web site. I believe the DIFI service should show up on
+https://tsa.difi.no, but it is not available to the public at the
+moment. I hope this will change when it goes into production. The
+<a href="https://tools.ietf.org/html/rfc3161">RFC 3161</a> trusted
+timestamping protocol standard is even implemented in LibreOffice,
+Microsoft Office and Adobe Acrobat, making it possible to verify when
+a document was created.</p>
+
+<p>I would find it useful to be able to use such a trusted timestamp
+service to verify that my stored syslog files have
+not been tampered with. This is not a new idea. I found one example
+implemented on the Endian network appliances, where
+<a href="http://help.endian.com/entries/21518508-Enabling-Timestamping-on-log-files-">the
+configuration of such a feature was described in 2012</a>.</p>
+
+<p>But I could not find any free implementation of such a feature when I
+searched, so I decided to try to
+<a href="https://github.com/petterreinholdtsen/syslog-trusted-timestamp">build
+a prototype named syslog-trusted-timestamp</a>. My idea is to
+generate a timestamp of the old log files after they are rotated, and
+store the timestamp in the new log file just after rotation. This
+will form a chain that makes it possible to see if any old log
+files have been tampered with. But syslog is bad at handling kilobytes of
+binary data, so I decided to base64 encode the timestamp and add an ID
+and line sequence numbers to the base64 data to make it possible to
+reassemble the timestamp file again. To use it, simply run it like
+this:</p>
+
+<p><pre>
+syslog-trusted-timestamp /path/to/list-of-log-files
+</pre></p>
+
+<p>This will request a timestamp from one or more timestamp services (not
+yet decided nor implemented) for each listed file and send it to syslog using
+logger(1). To verify the timestamp, the same program is used with the
+--verify option:</p>
+
+<p><pre>
+syslog-trusted-timestamp --verify /path/to/log-file /path/to/log-with-timestamp
+</pre></p>
+
+<p>The verification step is not yet well designed. The current
+implementation depends on the file path being unique and unchanging,
+and this is not a solid assumption. It also uses the process number as
+timestamp ID, and this is bound to create ID collisions. I hope to
+have time to come up with a better way to handle timestamp IDs and
+verification later.</p>
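+<p>As an added example that is not part of the original post or of the
+syslog-trusted-timestamp prototype, the following POSIX shell script shows
+the encoding and reassembly step described above: a binary .tsr reply is
+base64 encoded, cut into lines carrying an ID and a sequence number, and
+rebuilt from a log that also holds unrelated lines and chunks out of order,
+with a missing chunk reported as a failure. The TSTAMP line format and the
+sample bytes are constructed for illustration only.</p>

```sh
#!/bin/sh
# Added example, not code from the syslog-trusted-timestamp prototype.
# A binary RFC 3161 reply (.tsr) is base64 encoded, cut into short chunks
# and tagged "id=<id> seq=<n>/<total>" so it survives syslog. Format is hypothetical.

# tsr_to_loglines ID FILE: print one syslog-safe line per 60-char chunk.
tsr_to_loglines() {
    base64 "$2" | tr -d '\n' | fold -w 60 | awk -v id="$1" '
        { chunk[NR] = $0 }
        END { for (i = 1; i <= NR; i++)
                  printf "TSTAMP id=%s seq=%d/%d %s\n", id, i, NR, chunk[i] }'
}

# loglines_to_tsr ID LOGFILE OUTFILE: rebuild the .tsr from a log holding
# unrelated lines and chunks in any order. Non-zero exit when a chunk is
# missing or two lines claim the same seq with different data.
loglines_to_tsr() {
    b64=$(awk -v id="$1" '
        $1 == "TSTAMP" && $2 == ("id=" id) {
            split($3, s, "[=/]")             # s[2] = seq, s[3] = total
            if ((s[2] in chunk) && chunk[s[2]] != $4) bad = 1
            chunk[s[2]] = $4; total = s[3]
        }
        END {
            if (bad || total == "") exit 1
            for (i = 1; i <= total; i++) {
                if (!(i in chunk)) exit 1
                printf "%s", chunk[i]
            }
        }' "$2") || return 1
    printf '%s\n' "$b64" | base64 -d > "$3"
}

# Round trip on a constructed fake reply (arbitrary bytes, NUL included) through
# a log with unrelated lines and reversed chunk order; then check that losing
# one chunk is detected. Returns 0 on success.
demo() {
    dir=$(mktemp -d) || return 1
    i=0
    while [ $i -lt 20 ]; do printf '\060\202\001\012fake-tsr\000\377\001\002'; i=$((i + 1)); done > "$dir/orig.tsr"
    {
        echo "Apr  2 10:00:01 host kernel: unrelated line"
        tsr_to_loglines 12345 "$dir/orig.tsr" | sort -r
        echo "Apr  2 10:00:02 host sshd: another unrelated line"
    } > "$dir/syslog"
    loglines_to_tsr 12345 "$dir/syslog" "$dir/rebuilt.tsr" || return 1
    cmp -s "$dir/orig.tsr" "$dir/rebuilt.tsr" || return 1
    grep -v 'seq=1/' "$dir/syslog" > "$dir/truncated"
    if loglines_to_tsr 12345 "$dir/truncated" "$dir/bad.tsr"; then return 1; fi
    rm -rf "$dir"
}
```

In a real deployment the chunk lines would be fed to logger(1) and the rebuilt .tsr handed to openssl ts -verify as shown earlier in the post.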
+
+<p>Please check out
+<a href="https://github.com/petterreinholdtsen/syslog-trusted-timestamp">the
+prototype for syslog-trusted-timestamp on github</a> and send
+suggestions and improvements, or let me know if there already exists a
+similar system for timestamping logs, to allow me to join
+forces with others with the same interest.</p>
+
+<p>As usual, if you use Bitcoin and want to show your support of my
+activities, please send Bitcoin donations to my address
+<b><a href="bitcoin:15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b">15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b</a></b>.</p>
+
+ </div>
+ <div class="tags">
+
+
+ Tags: <a href="https://people.skolelinux.org/pere/blog/tags/english">english</a>, <a href="https://people.skolelinux.org/pere/blog/tags/sikkerhet">sikkerhet</a>.
+
+
+ </div>
+ </div>
+ <div class="padding"></div>
+
+ <div class="entry">
+ <div class="title">
+ <a href="https://people.skolelinux.org/pere/blog/Always_download_Debian_packages_using_Tor___the_simple_recipe.html">Always download Debian packages using Tor - the simple recipe</a>
+ </div>
+ <div class="date">
+ 15th January 2016
+ </div>
+ <div class="body">
+ <p>During his DebConf15 keynote, Jacob Appelbaum
+<a href="https://summit.debconf.org/debconf15/meeting/331/what-is-to-be-done/">observed
+that those listening on the Internet lines would have good reason to
+believe a computer has a given security hole</a> if it downloads a
+security fix from a Debian mirror. This is a good reason to always
+use encrypted connections to the Debian mirror, to make sure those
+listening do not know which IP address to attack. In August, Richard
+Hartmann observed that encryption was not enough, since it was still
+possible to infer which security patch was downloaded from the size of
+the download or from the fact that the
+download took place shortly after a security fix was released, and
+<a href="http://richardhartmann.de/blog/posts/2015/08/24-Tor-enabled_Debian_mirror/">proposed
+to always use Tor to download packages from the Debian mirror</a>. He
+was not the first to propose this, as the
+<tt><a href="https://tracker.debian.org/pkg/apt-transport-tor">apt-transport-tor</a></tt>
+package by Tim Retout already existed to make it easy to convince apt
+to use <a href="https://www.torproject.org/">Tor</a>, but I was not
+aware of that package when I read the blog post from Richard.</p>
+
+<p>Richard discussed the idea with Peter Palfrader, one of the Debian
+sysadmins, and he set up a Tor hidden service on one of the central
+Debian mirrors using the address vwakviie2ienjx6t.onion, thus making
+it possible to download packages directly between two Tor nodes,
+making sure the network traffic was always encrypted.</p>
+
+<p>Here is a short recipe for enabling this on your machine, by
+installing <tt>apt-transport-tor</tt>, replacing http and https
+URLs with tor+http and tor+https, and using the hidden service instead
+of the official Debian mirror site. I recommend installing
+<tt>etckeeper</tt> before you start to have a history of the changes
+done in /etc/.</p>
+
+<blockquote><pre>
+apt install apt-transport-tor
+sed -i 's% http://ftp.debian.org/% tor+http://vwakviie2ienjx6t.onion/%' /etc/apt/sources.list
+sed -i 's% http% tor+http%' /etc/apt/sources.list
+</pre></blockquote>
+
+<p>If you have more sources listed in /etc/apt/sources.list.d/, run
+the sed commands for these too. The sed command assumes you are
+using the ftp.debian.org Debian mirror. Adjust the command (or just
+edit the file manually) to match your mirror.</p>
+
+<p>This works in Debian Jessie and later. Note that tools like
+<tt>apt-file</tt> only recently started using the apt transport
+system, and do not work with these tor+http URLs. For
+<tt>apt-file</tt> you need the version currently in experimental,
+which needs a recent apt version currently only in unstable. So if you
+need a working <tt>apt-file</tt>, this is not for you.</p>
+
+<p>Another advantage from this change is that your machine will start
+using Tor regularly and at fairly random intervals (every time you
+update the package lists or upgrade or install a new package), thus
+masking other Tor traffic done from the same machine. Using Tor will
+become normal for the machine in question.</p>
+
+<p>On <a href="https://wiki.debian.org/FreedomBox">Freedombox</a>, APT
+is set up by default to use <tt>apt-transport-tor</tt> when Tor is
+enabled. It would be great if it was the default on any Debian
+system.</p>
+
+ </div>
+ <div class="tags">
+
+
+ Tags: <a href="https://people.skolelinux.org/pere/blog/tags/debian">debian</a>, <a href="https://people.skolelinux.org/pere/blog/tags/english">english</a>, <a href="https://people.skolelinux.org/pere/blog/tags/sikkerhet">sikkerhet</a>.
+
+
+ </div>
+ </div>
+ <div class="padding"></div>
+
+ <div class="entry">
+ <div class="title">
+ <a href="https://people.skolelinux.org/pere/blog/PGP_key_transition_statement_for_key_EE4E02F9.html">PGP key transition statement for key EE4E02F9</a>