+

+ Dokumentaren om Datalagringsdirektivet sendes endelig pÃ¥ NRK +

+

+ 26th March 2014 +

+

Foreningen NUUG melder i natt at +NRK nÃ¥ har bestemt seg for +nÃ¥r +den norske dokumentarfilmen om datalagringsdirektivet skal +sendes (se IMDB +for detaljer om filmen) . FÃ¸rste visning blir pÃ¥ NRK2 mandag +2014-03-31 kl. 19:50, og deretter visninger onsdag 2014-04-02 +kl. 12:30, fredag 2014-04-04 kl. 19:40 og sÃ¸ndag 2014-04-06 kl. 15:10. +Jeg har sett dokumentaren, og jeg anbefaler enhver Ã¥ se den selv. Som +oppvarming mens vi venter anbefaler jeg BjÃ¸rn StÃ¦rks kronikk i +Aftenposten fra i gÃ¥r, +AutoritÃ¦r +gjÃ¸kunge, der han gir en grei skisse av hvor ille det stÃ¥r til med +retten til privatliv og beskyttelsen av demokrati i Norge og resten +verden, og helt riktig slÃ¥r fast at det er vi i databransjen som +sitter med nÃ¸kkelen til Ã¥ gjÃ¸re noe med dette. Jeg har involvert meg +i prosjektene dugnadsnett.no +og FreedomBox for Ã¥ +forsÃ¸ke Ã¥ gjÃ¸re litt selv for Ã¥ bedre situasjonen, men det er mye +hardt arbeid fra mange flere enn meg som gjenstÃ¥r fÃ¸r vi kan sies Ã¥ ha +gjenopprettet balansen.

+ +

Jeg regner med at nettutgaven dukker opp pÃ¥ +NRKs +side om filmen om datalagringsdirektivet om frem dager. Hold et +Ã¸ye med siden, og tips venner og slekt om at de ogsÃ¥ bÃ¸r se den.

+ +

+

+ + + Tags: freedombox, mesh network, norsk, personvern, sikkerhet, surveillance. + + +

+

+ Public Trusted Timestamping services for everyone +

+

+ 25th March 2014 +

+

Did you ever need to store logs or other files in a way that would +allow it to be used as evidence in court, and needed a way to +demonstrate without reasonable doubt that the file had not been +changed since it was created? Or, did you ever need to document that +a given document was received at some point in time, like some +archived document or the answer to an exam, and not changed after it +was received? The problem in these settings is to remove the need to +trust yourself and your computers, while still being able to prove +that a file is the same as it was at some given time in the past.

+ +

A solution to these problems is to have a trusted third party +"stamp" the document and verify that at some given time the document +looked a given way. Such +notarius service +have been around for thousands of years, and its digital equivalent is +called a +trusted +timestamping service. The Internet +Engineering Task Force standardised how such service could work a +few years ago as RFC +3161. The mechanism is simple. Create a hash of the file in +question, send it to a trusted third party which add a time stamp to +the hash and sign the result with its private key, and send back the +signed hash + timestamp. Both email, FTP and HTTP can be used to +request such signature, depending on what is provided by the service +used. Anyone with the document and the signature can then verify that +the document matches the signature by creating their own hash and +checking the signature using the trusted third party public key. +There are several commercial services around providing such +timestamping. A quick search for +"rfc 3161 +service" pointed me to at least +DigiStamp, +Quo +Vadis, +Global Sign +and Global +Trust Finder. The system work as long as the private key of the +trusted third party is not compromised.

+ +

But as far as I can tell, there are very few public trusted +timestamp services available for everyone. I've been looking for one +for a while now. But yesterday I found one over at +Deutches +Forschungsnetz mentioned in +a +blog by David MÃ¼ller. I then found +a +good recipe on how to use the service over at the University of +Greifswald.

+ +

The OpenSSL library contain +both server and tools to use and set up your own signing service. See +the ts(1SSL), tsget(1SSL) manual pages for more details. The +following shell script demonstrate how to extract a signed timestamp +for any file on the disk in a Debian environment:

+ +

+#!/bin/sh
+set -e
+url="http://zeitstempel.dfn.de"
+caurl="https://pki.pca.dfn.de/global-services-ca/pub/cacert/chain.txt"
+reqfile=$(mktemp -t tmp.XXXXXXXXXX.tsq)
+resfile=$(mktemp -t tmp.XXXXXXXXXX.tsr)
+cafile=chain.txt
+if [ ! -f $cafile ] ; then
+    wget -O $cafile "$caurl"
+fi
+openssl ts -query -data "$1" -cert | tee "$reqfile" \
+    | /usr/lib/ssl/misc/tsget -h "$url" -o "$resfile"
+openssl ts -reply -in "$resfile" -text 1>&2
+openssl ts -verify -data "$1" -in "$resfile" -CAfile "$cafile" 1>&2
+base64 < "$resfile"
+rm "$reqfile" "$resfile"
+

+ +

The argument to the script is the file to timestamp, and the output +is a base64 encoded version of the signature to STDOUT and details +about the signature to STDERR. Note that due to +a bug +in the tsget script, you might need to modify the included script +and remove the last line. Or just write your own HTTP uploader using +curl. :) Now you too can prove and verify that files have not been +changed.

+ +

But the Internet need more public trusted timestamp services. +Perhaps something for Uninett or +my work place the University of Oslo +to set up?

+ +

+

+ + + Tags: english, sikkerhet. + + +

+

+ Freedombox on Dreamplug, Raspberry Pi and virtual x86 machine +

+

+ 14th March 2014 +

+

The Freedombox +project is working on providing the software and hardware for +making it easy for non-technical people to host their data and +communication at home, and being able to communicate with their +friends and family encrypted and away from prying eyes. It has been +going on for a while, and is slowly progressing towards a new test +release (0.2).

+ +

And what day could be better than the Pi day to announce that the +new version will provide "hard drive" / SD card / USB stick images for +Dreamplug, Raspberry Pi and VirtualBox (or any other virtualization +system), and can also be installed using a Debian installer preseed +file. The Debian based Freedombox is now based on Debian Jessie, +where most of the needed packages used are already present. Only one, +the freedombox-setup package, is missing. To try to build your own +boot image to test the current status, fetch the freedom-maker scripts +and build using +vmdebootstrap +with a user with sudo access to become root: + +

+git clone http://anonscm.debian.org/git/freedombox/freedom-maker.git \
+  freedom-maker
+sudo apt-get install git vmdebootstrap mercurial python-docutils \
+  mktorrent extlinux virtualbox qemu-user-static binfmt-support \
+  u-boot-tools
+make -C freedom-maker dreamplug-image raspberry-image virtualbox-image
+

+ +

Root access is needed to run debootstrap and mount loopback +devices. See the README for more details on the build. If you do not +want all three images, trim the make line. But note that thanks to a race condition in +vmdebootstrap, the build might fail without the patch to the +kpartx call.

+ +

If you instead want to install using a Debian CD and the preseed +method, boot a Debian Wheezy ISO and use this boot argument to load +the preseed values:

+ +

+url=http://www.reinholdtsen.name/freedombox/preseed-jessie.dat
+

+ +

But note that due to a +recently introduced bug in apt in Jessie, the installer will +currently hang while setting up APT sources. Killing the +'apt-cdrom ident' process when it hang a few times during the +installation will get the installation going. This affect all +installations in Jessie, and I expect it will be fixed soon.

+ +Give it a go and let us know how it goes on the mailing list, and help +us get the new release published. :) Please join us on +IRC (#freedombox on +irc.debian.org) and +the +mailing list if you want to help make this vision come true.

+ +

+

+ + + Tags: debian, english, freedombox, sikkerhet, surveillance, web. + + +

+

+ A fist full of non-anonymous Bitcoins +

+

+ 29th January 2014 +

+

Bitcoin is a incredible use of peer to peer communication and +encryption, allowing direct and immediate money transfer without any +central control. It is sometimes claimed to be ideal for illegal +activity, which I believe is quite a long way from the truth. At least +I would not conduct illegal money transfers using a system where the +details of every transaction are kept forever. This point is +investigated in +USENIX ;login: +from December 2013, in the article +"A +Fistful of Bitcoins - Characterizing Payments Among Men with No +Names" by Sarah Meiklejohn, Marjori Pomarole,Grant Jordan, Kirill +Levchenko, Damon McCoy, Geoffrey M. Voelker, and Stefan Savage. They +analyse the transaction log in the Bitcoin system, using it to find +addresses belong to individuals and organisations and follow the flow +of money from both Bitcoin theft and trades on Silk Road to where the +money end up. This is how they wrap up their article:

+ +

+
"To demonstrate the usefulness of this type of analysis, we turned +our attention to criminal activity. In the Bitcoin economy, criminal +activity can appear in a number of forms, such as dealing drugs on +Silk Road or simply stealing someone elseâs bitcoins. We followed the +flow of bitcoins out of Silk Road (in particular, from one notorious +address) and from a number of highly publicized thefts to see whether +we could track the bitcoins to known services. Although some of the +thieves attempted to use sophisticated mixing techniques (or possibly +mix services) to obscure the flow of bitcoins, for the most part +tracking the bitcoins was quite straightforward, and we ultimately saw +large quantities of bitcoins flow to a variety of exchanges directly +from the point of theft (or the withdrawal from Silk Road).
+ +
As acknowledged above, following stolen bitcoins to the point at +which they are deposited into an exchange does not in itself identify +the thief; however, it does enable further de-anonymization in the +case in which certain agencies can determine (through, for example, +subpoena power) the real-world owner of the account into which the +stolen bitcoins were deposited. Because such exchanges seem to serve +as chokepoints into and out of the Bitcoin economy (i.e., there are +few alternative ways to cash out), we conclude that using Bitcoin for +money laundering or other illicit purposes does not (at least at +present) seem to be particularly attractive."
+

+ +

These researches are not the first to analyse the Bitcoin +transaction log. The 2011 paper +"An Analysis of Anonymity in +the Bitcoin System" by Fergal Reid and Martin Harrigan is +summarized like this:

+ +

+"Anonymity in Bitcoin, a peer-to-peer electronic currency system, is a +complicated issue. Within the system, users are identified by +public-keys only. An attacker wishing to de-anonymize its users will +attempt to construct the one-to-many mapping between users and +public-keys and associate information external to the system with the +users. Bitcoin tries to prevent this attack by storing the mapping of +a user to his or her public-keys on that user's node only and by +allowing each user to generate as many public-keys as required. In +this chapter we consider the topological structure of two networks +derived from Bitcoin's public transaction history. We show that the +two networks have a non-trivial topological structure, provide +complementary views of the Bitcoin system and have implications for +anonymity. We combine these structures with external information and +techniques such as context discovery and flow analysis to investigate +an alleged theft of Bitcoins, which, at the time of the theft, had a +market value of approximately half a million U.S. dollars." +

+ +

I hope these references can help kill the urban myth that Bitcoin +is anonymous. It isn't really a good fit for illegal activites. Use +cash if you need to stay anonymous, at least until regular DNA +sampling of notes and coins become the norm. :)

+ +

As usual, if you use Bitcoin and want to show your support of my +activities, please send Bitcoin donations to my address +15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b.

+ +

+

+ + + Tags: bitcoin, english, personvern, sikkerhet. + + +

+

+ All drones should be radio marked with what they do and who they belong to +

+

+ 21st November 2013 +

+

Drones, flying robots, are getting more and more popular. The most +know ones are the killer drones used by some government to murder +people they do not like without giving them the chance of a fair +trial, but the technology have many good uses too, from mapping and +forest maintenance to photography and search and rescue. I am sure it +is just a question of time before "bad drones" are in the hands of +private enterprises and not only state criminals but petty criminals +too. The drone technology is very useful and very dangerous. To have +some control over the use of drones, I agree with Daniel Suarez in his +TED talk +"The kill +decision shouldn't belong to a robot", where he suggested this +little gem to keep the good while limiting the bad use of drones:

+ +

+ +
Each robot and drone should have a cryptographically signed +I.D. burned in at the factory that can be used to track its movement +through public spaces. We have license plates on cars, tail numbers on +aircraft. This is no different. And every citizen should be able to +download an app that shows the population of drones and autonomous +vehicles moving through public spaces around them, both right now and +historically. And civic leaders should deploy sensors and civic drones +to detect rogue drones, and instead of sending killer drones of their +own up to shoot them down, they should notify humans to their +presence. And in certain very high-security areas, perhaps civic +drones would snare them and drag them off to a bomb disposal facility.
+ +
But notice, this is more an immune system than a weapons system. It +would allow us to avail ourselves of the use of autonomous vehicles +and drones while still preserving our open, civil society.
+ +

+ +

The key is that every citizen should be able to read the +radio beacons sent from the drones in the area, to be able to check +both the government and others use of drones. For such control to be +effective, everyone must be able to do it. What should such beacon +contain? At least formal owner, purpose, contact information and GPS +location. Probably also the origin and target position of the current +flight. And perhaps some registration number to be able to look up +the drone in a central database tracking their movement. Robots +should not have privacy. It is people who need privacy.

+ +

+

+ + + Tags: english, robot, sikkerhet, surveillance. + + +

+

+ Det er jo makta som er mest sÃ¥rbar ved massiv overvÃ¥kning av Internett +

+

+ 26th October 2013 +

+

De siste mÃ¥neders eksponering av +den +totale overvÃ¥kningen som foregÃ¥r i den vestlige verden dokumenterer +hvor sÃ¥rbare vi er. Men det slÃ¥r meg at de som er mest sÃ¥rbare +for dette, myndighetspersoner pÃ¥ alle nivÃ¥er, neppe har innsett at de +selv er de mest interessante personene Ã¥ lage profiler pÃ¥, for Ã¥ kunne +pÃ¥virke dem.

+ +

For Ã¥ ta et lite eksempel: Stortingets nettsted, +www.stortinget.no (og +forsÃ¥vidt ogsÃ¥ +data.stortinget.no), +inneholder informasjon om det som foregÃ¥r pÃ¥ Stortinget, og jeg antar +de stÃ¸rste brukerne av informasjonen der er representanter og +rÃ¥dgivere pÃ¥ Stortinget. Intet overraskende med det. Det som derimot +er mer skjult er at Stortingets nettsted bruker +Google +Analytics, hvilket gjÃ¸r at enhver som besÃ¸ker nettsidene der ogsÃ¥ +rapporterer om besÃ¸ket via Internett-linjer som passerer Sverige, +England og videre til USA. Det betyr at informasjon om ethvert besÃ¸k +pÃ¥ stortingets nettsider kan snappes opp av svensk, britisk og USAs +etterretningsvesen. De kan dermed holde et Ã¸ye med hvilke +Stortingssaker stortingsrepresentantene synes er interessante Ã¥ sjekke +ut, og hvilke sider rÃ¥dgivere og andre pÃ¥ stortinget synes er +interessant Ã¥ besÃ¸ke, nÃ¥r de gjÃ¸r det og hvilke andre representanter +som sjekker de samme sidene omtrent samtidig. Stortingets bruk av +Google Analytics gjÃ¸r det dermed enkelt for utenlands etteretning Ã¥ +spore representantenes aktivitet og interesse. Hvis noen av +representantene bruker Google Mail eller noen andre tjenestene som +krever innlogging, sÃ¥ vil det vÃ¦re enda enklere Ã¥ finne ut nÃ¸yaktig +hvilke personer som bruker hvilke nettlesere og dermed knytte +informasjonen opp til enkeltpersoner pÃ¥ Stortinget.

+ +

Og jo flere nettsteder som bruker Google Analytics, jo bedre +oversikt over stortingsrepresentantenes lesevaner og interesse blir +tilgjengelig for svensk, britisk og USAs etterretning. Hva de kan +bruke den informasjonen til overlater jeg til leseren Ã¥ undres +over.

+ +

+

+ + + Tags: norsk, personvern, sikkerhet, stortinget, surveillance. + + +

+

+ Videos about the Freedombox project - for inspiration and learning +

+

+ 27th September 2013 +

+

The Freedombox +project have been going on for a while, and have presented the +vision, ideas and solution several places. Here is a little +collection of videos of talks and presentation of the project.

+ +

FreedomBox - +2,5 minute marketing film (Youtube)
Eben Moglen +discusses the Freedombox on CBS news 2011 (Youtube)
Eben Moglen - +Freedom in the Cloud - Software Freedom, Privacy and and Security for +Web 2.0 and Cloud computing at ISOC-NY Public Meeting 2010 +(Youtube)
Fosdem 2011 +Keynote by Eben Moglen presenting the Freedombox (Youtube)
Presentation of +the Freedombox by James Vasile at Elevate in Gratz 2011 (Youtube)
Freedombox - +Discovery, Identity, and Trust by Nick Daly at Freedombox Hackfest New +York City in 2012 (Youtube)
Introduction +to the Freedombox at Freedombox Hackfest New York City in 2012 +(Youtube)
Freedom, Out +of the Box! by Bdale Garbee at linux.conf.au Ballarat, 2012 (Youtube)
Freedombox +1.0 by Eben Moglen and Bdale Garbee at Fosdem 2013 (FOSDEM)
What is the +FreedomBox today by Bdale Garbee at Debconf13 in Vaumarcus +2013 (Youtube)

+ +

A larger list is available from +the +Freedombox Wiki.

+ +

On other news, I am happy to report that Freedombox based on Debian +Jessie is coming along quite well, and soon both Owncloud and using +Tor should be available for testers of the Freedombox solution. :) In +a few weeks I hope everything needed to test it is included in Debian. +The withsqlite package is already in Debian, and the plinth package is +pending in NEW. The third and vital part of that puzzle is the +metapackage/setup framework, which is still pending an upload. Join +us on IRC +(#freedombox on irc.debian.org) and +the +mailing list if you want to help make this vision come true.

+ +

+

+ + + Tags: debian, english, freedombox, sikkerhet, surveillance, web. + + +

+

+ Recipe to test the Freedombox project on amd64 or Raspberry Pi +

+

+ 10th September 2013 +

+

I was introduced to the +Freedombox project +in 2010, when Eben Moglen presented his vision about serving the need +of non-technical people to keep their personal information private and +within the legal protection of their own homes. The idea is to give +people back the power over their network and machines, and return +Internet back to its intended peer-to-peer architecture. Instead of +depending on a central service, the Freedombox will give everyone +control over their own basic infrastructure.

+ +

I've intended to join the effort since then, but other tasks have +taken priority. But this summers nasty news about the misuse of trust +and privilege exercised by the "western" intelligence gathering +communities increased my eagerness to contribute to a point where I +actually started working on the project a while back.

+ +

The initial +Debian initiative based on the vision from Eben Moglen, is to +create a simple and cheap Debian based appliance that anyone can hook +up in their home and get access to secure and private services and +communication. The initial deployment platform have been the +Dreamplug, +which is a piece of hardware I do not own. So to be able to test what +the current Freedombox setup look like, I had to come up with a way to install +it on some hardware I do have access to. I have rewritten the +freedom-maker +image build framework to use .deb packages instead of only copying +setup into the boot images, and thanks to this rewrite I am able to +set up any machine supported by Debian Wheezy as a Freedombox, using +the previously mentioned deb (and a few support debs for packages +missing in Debian).

+ +

The current Freedombox setup consist of a set of bootstrapping +scripts +(freedombox-setup), +and a administrative web interface +(plinth + exmachina + +withsqlite), as well as a privacy enhancing proxy based on +privoxy +(freedombox-privoxy). There is also a web/javascript based XMPP +client (jwchat) +trying (unsuccessfully so far) to talk to the XMPP server +(ejabberd). The +web interface is pluggable, and the goal is to use it to enable OpenID +services, mesh network connectivity, use of TOR, etc, etc. Not much of +this is really working yet, see +the +project TODO for links to GIT repositories. Most of the code is +on github at the moment. The HTTP proxy is operational out of the +box, and the admin web interface can be used to add/remove plinth +users. I've not been able to do anything else with it so far, but +know there are several branches spread around github and other places +with lots of half baked features.

+ +

Anyway, if you want to have a look at the current state, the +following recipes should work to give you a test machine to poke +at.

+ +

Debian Wheezy amd64

+ +

Fetch normal Debian Wheezy installation ISO.
Boot from it, either as CD or USB stick.
Press [tab] on the boot prompt and add this as a boot argument +to the Debian installer:
+
```
url=http://www.reinholdtsen.name/freedombox/preseed-wheezy.dat
```
Answer the few language/region/password questions and pick disk to +install on.
When the installation is finished and the machine have rebooted a +few times, your Freedombox is ready for testing.

+ +

Raspberry Pi Raspbian

+ +

Fetch a Raspbian SD card image, create SD card.
Boot from SD card, extend file system to fill the card completely.

Log in and add this to /etc/sources.list:

+

+deb http://www.reinholdtsen.name/freedombox wheezy main
+

Run this as root:

+

+wget -O - http://www.reinholdtsen.name/freedombox/BE1A583D.asc | \
+   apt-key add -
+apt-get update
+apt-get install freedombox-setup
+/usr/lib/freedombox/setup
+

Reboot into your freshly created Freedombox.

+ +

You can test it on other architectures too, but because the +freedombox-privoxy package is binary, it will only work as intended on +the architectures where I have had time to build the binary and put it +in my APT repository. But do not let this stop you. It is only a +short "apt-get source -b freedombox-privoxy" away. :)

+ +

Note that by default Freedombox is a DHCP server on the +192.168.1.0/24 subnet, so if this is your subnet be careful and turn +off the DHCP server by running "update-rc.d isc-dhcp-server +disable" as root.

+ +

Please let me know if this works for you, or if you have any +problems. We gather on the IRC channel +#freedombox on +irc.debian.org and the +project +mailing list.

+ +

Once you get your freedombox operational, you can visit +http://your-host-name:8001/ to see the state of the plint +welcome screen (dead end - do not be surprised if you are unable to +get past it), and next visit http://your-host-name:8001/help/ +to look at the rest of plinth. The default user is 'admin' and the +default password is 'secret'.

+ +

+

+ + + Tags: debian, english, freedombox, sikkerhet, surveillance, web. + + +

+

Dr. Richard Stallman, founder of Free Software Foundation, give a talk in Oslo March 1st 2013 @@ -1899,6 +2570,17 @@ betydelige.

Entries tagged "sikkerhet".

Archive