As Theresa May moves from the Home Office to Number 10, it is perhaps timely to reflect on public attitudes to surveillance as evidenced in Liberty’s campaign film “Show me yours” in April of this year. In the film (shown below), comedian Olivia Lee pursues members of the public with the intention of taking details from their mobile phones of all their recent communications or browsing activity. The reactions of the people approached speak for themselves. Unfortunately, Liberty research suggests that 75% of adults in the UK had never heard of the impending legislation laid out in the Investigatory Powers Bill.
I get lots of odd connections to my servers – particularly to my tor relay. Mostly my firewalls bin the rubbish but my web server logs still show all sorts of junk. Occasionally I get interested (or possibly bored) enough to do more than just scan the logs and I follow up the connection traces …View full post
Like most email users I get my fair share of spam and other internet crud. Mostly I ignore it, but I received an intriguing email a couple of days ago which purported to be a mailer daemon “Delivery Status Notification” informing me of a failed delivery to some address I had not even heard of. …View full post
The BBC has today commented on the Guardian story about David Miranda’s detention for nearly nine hours at Heathrow under Schedule 7 of the UK Terrorism Act 2000. The BBC’s on-line report ends with a web feedback form asking: Have you been detained under schedule 7 of the Terrorism Act 2000 at a British airport, …View full post
In an earlier post I speculated that the CherryPal PC might be a possible option for users considering replacements for the slug. But that device has still yet to hit the streets and is beginning to look suspiciously like vapourware. However, linuxdevices, the site devoted to linux on embedded devices, wrote about the interesting looking …View full post
I am a paying member of both Amnesty International and the Open Rights Group. Both those organisations, along with many other Civil Rights organisations, technology companies and concerned individuals are signatories to an open letter to Governments across the world demanding that we retain the right to strong encryption in order to protect our privacy. …View full post
A slightly breathless new post over at omgubuntu proudly boasts that the market share of Linux on the desktop jumped “from 0.96% in January 2011 to 1.41% by the year’s end.” (That could equally be be written as a close to 50% rise in Linux’ popularity). No doubt this will scare the pants off Steve …View full post
At this time of year it is traditional to receive christmas cards from people with whom you may have only infrequent, if any, contact on a normal daily basis. If you are in a relationship, these cards will often be addressed to you as a couple or family, and be signed on behalf of other …View full post
In response to the news of Dennis Ritchie’s death, Ted Harding, a long time member of the anglia linux users group posted an interesting comment to the list this morning. Ted has kindly given me permission to link to that comment. Like Ted, I too hope we shall be seeing proper tributes to both Dennis …View full post
I’m still having a variety of problems with my sheevaplug. Not least of which is the fact that SDHC cards don’t seem to be the best choice of boot medium. I have had failures with two cards now and some searching of the various on-line fora suggests that I am not alone here. In particular, …View full post
I have recently been building a new NAS box (of which, possibly, more later). In fact the build is really a rebuild because I initially built the server about three years ago in order to consolidate a bunch of services I was running on assorted separate servers into one place. That first build was a …View full post
In July I noted that a company calling itself Ninjastik had popped up selling what looked to be essentially the Tor Browser Bundle on an 8 Gig stick for $56.95 or a 16 Gig stick for $69.95. As I expected, we have now seen one or two more companies attempting to sell products which leverage …View full post
For completeness, my post below should have pointed to the scroogle search engine which purportedly allows you to search google without google being able to profile you. Neat idea if you must use google (why?) but it still fails the Hal Roberts test of what to do if the intermediate search engine is prepared to …View full post
The Guardian and the Washington Post have been jointly awarded the Pulitzer prize for public service for their reporting of Edward Snowden’s whistleblowing on the NSA’s surveillance activities. The Guardian reports: The Pulitzer committee praised the Guardian for its “revelation of widespread secret surveillance by the National Security Agency, helping through aggressive reporting to spark …View full post
My newspaper of choice is the Guardian. Recently they were forced to increase the cover price and ever since have been running a series of advertisements for various forms of subscription which will lower the cost from some £35.00 pcm (if you include its sister paper the Observer on sundays) to as little as £9.99 …View full post
I have recently built an egroupware system to be used as a social networking site. The application suite itself is relatively easy to install and configure, but the webmail system it offers (a fork of squirrelmail called felamimail) is rather poorly documented. It took me some time to figure out how to authenticate mail users …View full post
In my post of 8 May I said it was now time to encrypt much, much more of my everyday activity. One big, and obvious, hole in this policy decision was the fact that the public face of this blog itself has remained unencrypted since I first created it way back in 2006. Back in …View full post
For any readers uncertain of exactly how the heartbleed vulberability in openssl might be exploitable, Sean Cassidy over at existential type has a good explanation. And if you find that difficult to follow, Randall Munroe over at xkcd covers it quite nicely. My thanks, and appreciation as always, to a great artist. Of course, Randall …View full post
My last post showed the huge growth in the number of Tor clients since 19 August. Despite much speculation and discussion on the Tor email lists there is still, as yet, no definitive consensus on what is causing the rise. Many commentators seem to favour the botnet theory. Personally I’m still puzzled by the apparent …View full post
but I cannot let her passing go unremarked. Yesterday even the Guardian devoted 15 pages, plus the centre spread and a separate 16 page supplement to Margaret Thatcher. The usual suspects on the right wing tabloids were, predictably, particularly revisionist and swivel eyed. We are in danger of letting the death of one ex prime …View full post
At about the time I decided to move trivia to my own VPS, there was a lot of fuss about a new worm which was reportedly exploiting a vulnerability in all versions <= 2.8.3. Even the Grauniad carried some (rather inaccurate) breathless reporting about how the wordpress world was about to end and maybe we …View full post
In the past couple of days I have received some amusing email spam. I own ten different domain names, mostly in the .net TLD. The spam emails in question all offered to sell me the domain “exnic.com” on the grounds that I already own “exnic.net” (not an unreasonable sales pitch). It turns out that this …View full post
I have been making some changes to my domestic network of late which I will write about later. However, one of the main changes has been an upgrade from 10/100 switches to gigabit – mainly to improve throughput between my central filestore and desktop machines. For cosmetic reasons (and to keep my wife happy) I …View full post
Last month Troy Hunt posted an interesting comment on his blog about the problems around the etiquette of allowing guests onto your home wifi network. In his post, Hunt notes that guests can be deeply offended at being refused access. This is understandable. If they are guests in your home then they are probably close …View full post
Along with the longer term upward trend in the usage in tor I noted below, there has now been a large, rapid rise in the number of connected tor clients in the last week or so. The tor usage statistics graphs show a dramatic doubling of daily connected clients (from around the 500,000 mark to …View full post
The lastest LTS version of ubuntu (10.04, or lucid lynx according to your naming preferences) was released to an eagerly waiting public on 29 April. Long term support (LTS) versions are supported for three years on the desktop and five years on the server instead of the usual 18 months for the normal releases. My …View full post
As I have noted before, 24 December is trivia’s birthday. Since my first post dates from 24 December 2006, today is trivia’s eighth birthday. It seems like only yesterday. I haven’t posted much in the last few months. I have a lot of material I need to cover, and a backlog of articles I want …View full post
I mentioned in an earlier post that I had recently acquired an Acer Aspire One (AAO) netbook. I chose the AAO in preference to any other of the netbooks on the market for two reasons – firstly it looks a lot cooler than most of the competition (particularly in blue – see below), but secondly, …View full post
I read today that Harry Harrison has died at the age of 87. Harrison was one of the greats of the SF glory years. Alongside Heinlein (whose work he spoofed mercilessly) Philip Dick, Asimov, van Vogt, Ray Bradbury, Bob Sheckley, Doc Smith and a host of others I grew up with in the 60s and …View full post
Being a linux and FLOSS fan has its advantages, not least the fact that most, if not all of the software I would want to use (and indeed, /all/ of the software that I actually do use) is free as in beer as well as free as in speech. And given the much smaller target …View full post
This afternoon I received an email from Andrew Sinclair at thrustVPS in response to my post below. In the interests of openness I have added his email as a comment to the post. My thanks to Andrew for that email. It is just a shame that I did not get such a helpful response in …View full post
Collin Anderson on tor-talk posted a nice graphic showing tor usage in the top 50 states since the appearance of the huge rise in the number of tor clients on the network. With the exception of Syria, the slopes of all those graphs looks much the same. But as a few people have noticed, the …View full post
You could regard this as another pointless entry to go alongside the webcam. But hey – so what. I had cause to check the uptime on my slugs a little while ago now that they are largely stable and providing the services I want. After doing so I thought it would be good to be …View full post
Jul 13 2016
Permanent link to this article: http://baldric.net/2016/07/13/show-me-yours/
May 02 2016
I have recently been building a new NAS box (of which, possibly, more later). In fact the build is really a rebuild because I initially built the server about three years ago in order to consolidate a bunch of services I was running on assorted separate servers into one place. That first build was a RAID 1 array of two 2 TB disks (to give me a mirrored setup with a total of 2 TB store). At the time that was sufficient to hold all my important data (backed up both to other networked devices and to standalone USB disks for safety). But I have just upgraded my main desktop machine to a nice shiny new core i7 Skylake box with 16 GB of DDR4 and a 3 TB disk. That disk is already two thirds full (my old machine had a rather full 2 TB disk). This meant that my NAS backup storage requirements exceeded the capacity of my RAID 1 setup. Adding disks wouldn’t help of course because all that would do is add mirror capability rather than capacity. So I decided to upgrade the NAS and bought a bunch of new 2 TB disks with the intention of setting up a RAID 5 array of 4 disks, thus giving a total storage capacity of 6 TB (8 TB minus 2 TB for parity). Furthermore I initially looked at using FreeNAS rather than my usual debian or ubuntu server with software RAID simply because it looked interesting and, with plugins, could probably meet most of my requirements. But I could not get the software to install properly and after three abortive attempts I gave up and decided that I didn’t really like freeBSD anyway….
So I opted to go back to mdadm on linux – at least I know that works. Better still I would be able to retain all my old setup from the old RAID 1 system without having to worry about finding plugins to handle my media streaming requirements, or owncloud installation, for example.
My previous build was on debian (which is by far my preferred server OS) but ubuntu server has recently been released in a LTS version at 16.04 and I thought it might be fun to try that instead. So I did. (For any readers who have not tried installing linux on a RAID system there are plenty of sites offering advice, but the official ubuntu pages are pretty good). During the build I hit what I initially thought was a snag because the installation seemed to get stuck at around the 83% level when it was apparently installing the linux kernel image and headers. Indeed I confess that on the first such installation I pulled the plug after about three hours of no apparent activity because I was beginning to think that there might be something wrong with my hardware (the earlier FreeNAS failures worried me). My on-line searches for assistance were initially not particularly helpful since none of the huge number of sites advising on software RAID installation bothered to mention that initial RAID 5 build (or rebuild) using large capacity disks takes a very long time because of the need to calculate the parity data. Incidentally, it is this parity data and its layout that gives RAID 5 its write performance penalty.
One useful outcome of my research about RAID 5 build times (which in my case eventually took just over 6 hours) was my discovery of the wintelguy’s site providing an on-line calculator (and much more besides) for RAID performance and capacity. There is even a very useful page allowing you to compare two separate configurations side by side – thoroughly recommended. More worrying, and thought provoking, is the reclaime.com calculator for RAID failure. That site suggests that the probability of successfully rebuilding a RAID 5 array of 4 * 2 TB disks after a failure is only 52.8%.
That is why you need to keep backups…….
Permanent link to this article: http://baldric.net/2016/05/02/raid-performance/
Mar 30 2016
For some time mow I have been increasingly fed up with the poor service offered by SMS on my mobile phone. I’m not a hugely prolific sender of text messages, and those I do send are primarily aimed at my wife and kids, but when I do send them, I expect them to get there, on time and reliably. I also expect to be able to send and receive images (by MMS) because that is what I have paid for in my contract. Oh, and I would also like to do this securely, and in privacy.
Guess what? I can’t.
My wife and kids want me to use Facebook’s messenger because that is what they use and they are happy with it. I have signally failed to convince them /not/ to use that application, largely because they already have it installed and use it to send messages to everyone else they know. But then I have also failed to get my kids to understand my concerns about wider Facebook usage. (“There Dad goes again, off on one about Facebook.”).
So, what to do? Answer, set up my own XMPP server and use that. XMPP is an open standard, there are plenty of good FOSS XMPP servers about (jabberd, ejabberd, prosody etc.) and there are also plenty of reasonable looking XMPP clients for both android and linux (the OS’s I care about). And better yet, it is perfectly possible (and relatively easy) to set up the server to accept only TLS encrypted connections so that conversations take place in private. Many clients also now support OTR or OMEMO encryption so the conversations can be made completely secure through end-to-end encryption. Yes, I am aware that OTR is a bit of a kludge, but it is infinitely preferable to clear text SMS over the mobile network. And I like my privacy. Better yet, unlike GPG which I use for email, OTR also provides forward secrecy, so even if my keys should be compromised, my conversations won’t be.
And yes I also know that Facebook messenger itself offers “security and pivacy”, but it also used to be capable of interacting with the open XMPP standard before Zuckerberg made it proprietary a few years ago. And I just don’t trust Facebook. For anything.
So for some time now I have been using my own XMPP server alongside my mail server. It works just fine, and I have even convinced my wife and kids to use it when they converse with me.
I may now move away from using GPG to using OTR in preference. Anyone wishing to contact me can now do so at my XMPP address and may also encrypt messages to me using my OTR key. My fingerprints are published here.
Permanent link to this article: http://baldric.net/2016/03/30/jibber-jabber/
Jan 24 2016
Last month Troy Hunt posted an interesting comment on his blog about the problems around the etiquette of allowing guests onto your home wifi network. In his post, Hunt notes that guests can be deeply offended at being refused access. This is understandable. If they are guests in your home then they are probably close friends or family. Refusing access can make it seem that you don’t trust them. However, as Hunt goes on to point out, it is not the guests per se you need to worry about. Anyone on your network can cause problems – usually completely unintentionally. In my case I have the particular problem that my kids assume that they can use the network when they are here. Worse, they assume that they may access the network through their (google infested) smart phones. Now try as I might, there is no way I can monitor or control the way my kids (or their partners) set up their phones. Nor should I want to.
Hunt asks how others handle this problem. Like him I don’t much trust the separation offered by “guest” networks on wifi routers. In my case I decided long ago to split my network in two. I have an outer network which connects directly to my ISP and a second, inner network, which connects through another router to my outer network. Both networks use NAT and each uses an address range drawn from RFC1918. Furthermore, the routers are from different manufacturers so, hopefully, any vulnerability in one /may/ not be present in the other. My inner network has all my domestic devices, including my NAS, music and video streaming systems, DNS server etc. attached. These devices are mostly hard wired through a switch to the inner router. I only use wifi where it is not possible to hard wire, or where it would make no sense to do so. For example, my Sonos speakers and the app controlling them on my android tablet must use wifi. However, there is no reason why my kids, who insist on using Facebook, need to have access to my internal systems. So I run a separate wifi network on the outer router and they only have access to that. The only systems on the external screened network is one of my VPN endpoints (useful for when I am out and about and want to appear to be accessing the wider world from my home), and my old slug based webcam. My policy stance on the inner network is to consider the screened outer network as almost as hostile as the wider internet. This has the further advantage that bloody google doesn’t get notification of my internal wifi settings through my kids leaving “backup and restore” active on their android phones.
Permanent link to this article: http://baldric.net/2016/01/24/guest-network/
Jan 11 2016
I am a paying member of both Amnesty International and the Open Rights Group. Both those organisations, along with many other Civil Rights organisations, technology companies and concerned individuals are signatories to an open letter to Governments across the world demanding that we retain the right to strong encryption in order to protect our privacy. That letter says:
- Governments should not ban or otherwise limit user access to encryption in any form or otherwise prohibit the implementation or use of encryption by grade or type;
- Governments should not mandate the design or implementation of “backdoors” or vulnerabilities into tools, technologies, or services;
- Governments should not require that tools, technologies, or services are designed or developed to allow for third-party access to unencrypted data or encryption keys;
- Governments should not seek to weaken or undermine encryption standards or intentionally influence the establishment of encryption standards except to promote a higher level of information security. No government should mandate insecure encryption algorithms, standards, tools, or technologies; and
- Governments should not, either by private or public agreement, compel or pressure an entity to engage in activity that is inconsistent with the above tenets.
I’ve signed. You should too.
Permanent link to this article: http://baldric.net/2016/01/11/sign-this-now/
Jan 07 2016
I don’t wish to comment on that evidence here, Adrian Kennard has already provided much useful comment on the failings of the Draft Bill. My purpose in this post to highlight the absurdity of the Parliamentary Committee’s request that the ISPA evidence be withdrawn from it’s Website. The Register article ends with this update:
ISPA contacted The Register after the publication of this story to inform us: “ISPA was requested to remove the written evidence it submitted to the Joint Committee on the Investigatory Powers Bill from the ISPA website by the Joint Committee. Their guidance states that submissions become the property of the Committee and should not be published elsewhere until the Committee has done so itself.”
As of now (14.30 on 7 January) that evidence is still on the ISPA Website. Even if removed, it will still, of course, be available from a huge range of sources such as search engine caches (apologies for the google reference, but it is the obvious one). Or you could get it here.
The point is, once such a document has been published electronically on the net, no-one, but no-one, can put the genie back in the bottle and unpublish it.
The officials supporting the Joint Parliamentary Committee should know that. And if they don’t then I would submit that they are not technically competent enough to be supporting the Committee.
Permanent link to this article: http://baldric.net/2016/01/07/idiotic/
Jan 01 2016
Sadly, I read today that Ian Murdock, the “Ian” in Debian, died on Monday, 28 December 2015. He was only 42 years old. Various reports indicate that he had been distressed for some time before his death. The tweets reportedly from Murdock’s twitter account shortly before his death are very disturbing.
Murdock’s contribution to the FLOSS community was immense. The operating system he created with “Deb”, Debra Lynn, his then girlfriend, is the foundation upon which much of today’s internet infrastructure is built. Ubuntu, one of the most popular desktop linux distros, is itself built upon debian. This blog, and all of my web, mail and other servers is built upon debian. His legacy will endure.
Murdock left a wife and two young children. He died much, much, too young.
Permanent link to this article: http://baldric.net/2016/01/01/a-bad-way-to-end-the-year/
Dec 24 2015
It’s trivia’s birthday again (9 years old today!), so I just have to post to wish my readers (both of you, you know who you are….) a Merry Christmas and a happy New Year. Much has happened over the last year or so which has distracted me from blogging (life gets in the way sometimes) but I feel my muse returning so I may write more in the new year. Meanwhile, take a look at Alan Woodward’s update to Scott Culp’s 2000 essay “10 Immutable Laws Of Security” which he posted on the BBC site. It is called
have yourself a merry cyber-safe Christmas.
I’ll drink to that.
Permanent link to this article: http://baldric.net/2015/12/24/merry-christmas-2015/
Dec 08 2015
On sunday, the motherboard intially reported that, in the wake of the Paris atrocities of November 13th, the French Government was proposing to ban Tor and free WiFi. As it turns out, this is not strictly accurate. The report was later corrected – thus:
Correction: The initial headline and copy of this article suggested that the proposals to block Tor and control free wifi were already part of a proposed law. These are in fact points that the French police and gendarmes would like to see included in the bill, according to the document seen by Le Monde. The headline and copy have been updated to clarify this; we apologise for the error.
Nevertheless, the actual story is still worrying. Governments of all shades seem to react badly when they feel that they must be seen to “do something”. We, in the UK, have already seen how the desire to “do something” results in unfortunate over reaction and ill-thought proposals for legislation. So it is sad to see the French (for whom I have much admiration) apparently reacting to Paris by opting to clamp down on civil liberties. I’d like to think that the reality is not as bad as the initial report suggested though. Certainly the motherboard post now makes clear that:
French law enforcement wants to have (my emphasis) several powers added to a proposed law, including the move to forbid and block the use of the Tor anonymity network, according to an internal document from the Ministry of Interior seen by French newspaper Le Monde.
French law enforcement wish to “Forbid free and shared wi-fi connections” during a state of emergency. This comes from a police opinion included in the document: the reason being that it is apparently difficult to track individuals who use public wi-fi networks.
Noting that China actively blocks connections to Tor, the article continues:
If the French really wanted to block Tor, they might have to consider a model similar to the Chinese regime’s. Naturally, that might be worrying for anyone that cares about free-speech, increasing surveillance, or, say, democracy.
Let’s just hope that sense prevails and Western democracies do not react to terrorism in a way which reduces the very freedoms we cherish so much.
Permanent link to this article: http://baldric.net/2015/12/08/knees-and-other-jerks/
Nov 28 2015
Permanent link to this article: http://baldric.net/2015/11/28/cameron-meets-corbyn/
Nov 23 2015
Like most people in the UK at this time of the year I’ve been doing some on-line shopping lately. Consequently I’m waiting for several deliveries. Some delivery companies (DHL are a good example) actually allow you to track your parcels on-line. In order to do this they usually send out text or email messages giving the tracking ID. Today I received an email purporting to come from UKMail. That email message said:
Your parcel has not been delivered to your address November 23, 2015, because nobody was at home.
Please view the information about your parcel, print it and go to the post office to receive your package.
UKMail expressly disclaims all conditions, guarantees and warranties, express or implied, in respect of the Service. Where the law prevents such exclusion and implies conditions and warranties into this contract, where legally permissible the liability of UKMail for breach of such condition,
guarantee or warranty is limited at the option of UKMail to either supplying the Service again or paying the cost of having the service supplied again. If you don’t receive a package within 30 working days UKMail will charge you for it’s keeping. You can find any information about the procedure and conditions of parcel keeping in the nearest post office.
I /very/ nearly opened the attached file. That is probably the closest I have come to reacting incorrectly to a phishing attack. Nice try guys. And a very good piece of social engineering given the time of year.
Virustotal suggests that the attached file is a malicious word macro container. Interestingly though, only 7 of the 55 AV products that Virustotal uses identified the attachment as malicious. And even they couldn’t agree on the identity of the malware. I suspect that it may be a relatively new piece of code.
Permanent link to this article: http://baldric.net/2015/11/23/christmas-present/
Nov 10 2015
Yesterday, Kenneth Freeman posted a note to the tor-relays list drawing attention to a new resource called TorFlow. TorFlow is a beautiful visualisation of Tor network traffic around the world. It enables you to see where traffic is concentrated (Europe) and where there is almost none (Australasia). Having the data overlaid on a world map gives a startling picture of the unfortunate concentration of Tor nodes in particular locations.
I recently moved my own relay from Amsterdam (190 relays) to London (133) but the network needs much more geo-diversity. Unfortunately, international bandwidth costs are lowest is the areas where relays are currently located. Given that the relays are all (well, nearly all…..) run by volunteers like me and funded out of their own pockets it is perhaps not surprising that this concentration should occur. But it is not healthy for the network.
There appears to be a particularly intriguing concentration of 16 relays on a tiny island in the Gulf of Guinea. Apparently this is an artifact though because those relays are all at (0, 0) which I am told GeoIP uses as a placeholder for “unknown” (in fact, GeoIP location is a somewhat imprecise art so there may be other anomalies in the data.)
Permanent link to this article: http://baldric.net/2015/11/10/torflow/