Networking & telecommunications archived articles


01 Jun 2015 at 15:02 by Jean-Marc Liotier, in Debian, Networking & telecommunications, Systems administration

You have a nice amplifier in a corner of the living-room, tethered to nice loudspeakers. Alas the spot where you want to control the music from is far away – maybe in another corner of the livingroom, maybe in your office room or maybe on another continent… No problem – for about 40€ we’ll let you switch your music to this remote destination just as easily as switching between the headphones and speakers directly connected to your workstation. The average narcissistic audiophile pays more than that for a RCA cable.

So, I grabbed a Raspberry Pi model B (first generation – get them cheap !), a micro-USB power supply from the spares box and a stray SD card (at least 1 GB).

First step is to set it up with an operating system. Since I love Debian, I chose Raspbian. A handy way to install Raspbian quick & easy is raspbian-ua-netinst, a minimal Raspbian unattended installer that gets its packages from the online repositories – it produces a very clean minimal setup out of the box.

So, go to raspbian-ua-netinst’s latest release page and download the .img.xz file – then put it on the SD card using ‘xzcat /path/to/raspbian-ua-netinst-<latest-version-number>.img.xz > /dev/sdX’ for which you may have to ‘apt-get install xz-utils’. Stick that card into the Raspberry Pi, connect the Raspberry Pi to Ethernet on a segment where it can reach the Internet after having been allocated its parameters through DHCP or NDP+RDNSS – and power it up.

Let raspbian-ua-netinst do its thing for about 15 minutes – time enough to find what IP address your Raspberry Pi uses (look at your DHCP server’s leases or just ‘nmap -sP’ the whole IP subnet to find a Raspberry Pi). Then log in over ssh – the default root password is raspbian, which is public knowledge, so until you change it anyone on that segment can log in as root just as easily as you… Use ‘passwd’ to change it right now.

The default install is quite nice, but strangely doesn’t include a couple of important features… So ‘apt-get install raspi-copies-and-fills rng-tools’ – raspi-copies-and-fills improves memory management performance by using a memcpy/memset implementation optimised for the ARM11 used in Raspberry Pi; rng-tools feeds the kernel’s entropy pool from the hardware random number generator, which matters on a headless board with no keyboard, mouse or disk to harvest entropy from: without it, ssh host key generation and other cryptographic operations can stall waiting for /dev/random. To finish setting up the hardware RNG, add bcm2708-rng to /etc/modules.

Also, the default install at the time of this writing uses Debian Wheezy, which contains a Pulseaudio version too old for our purposes – we need Debian Jessie which offers Pulseaudio 5 instead of Pulseaudio 2. And anyway, Jessie is just plain better – so let your /etc/apt/sources.list look like this:

deb http://mirrordirector.raspbian.org/raspbian jessie main firmware contrib non-free rpi
deb http://archive.raspbian.org/raspbian jessie main contrib non-free rpi

Then ‘apt-get update && apt-get -y dist-upgrade && apt-get -y autoremove’… This should take a while.

Now install Pulseaudio, the piece of software that will offer a receiving end to your network audio stream: ‘apt-get install pulseaudio’. I assume you have Pulseaudio already set up on the emitter station – your favourite distribution’s default should do fine, as long as it provides Pulseaudio version 5 (use ‘pulseaudio --version’ to check that).

Pulseaudio is primarily designed to cater to desktop usage by integrating with the interactive session of a logged in user – typically under control of the session manager of whatever graphical desktop environment. But we don’t need such complex thing here – a dumb receptor devoid of any extra baggage is what we want. For this we’ll use Pulseaudio’s system mode. Pulseaudio’s documentation repeatedly hammers that running in system mode is a bad idea – “nobody should run it that way, with the exception of very few cases”… Well – here is one of those very few cases.

In their zeal to discourage anyone from running Pulseaudio in system mode, the Pulseaudio maintainers do not ship any startup script in the distribution packages – this ensures that users who don’t know what they are doing don’t stray off the beaten path of orthodox desktop usage and end up on a forum complaining that Pulseaudio doesn’t work. But it also annoys the other users, who actually need Pulseaudio to run at system startup – but that is easily fixable thanks to another creation of Lennart’s gang: all we need is a single file called a systemd unit… I copied one from this guy who also plays with Pulseaudio network streaming (but in a different way – more on that later). This systemd unit was written for Fedora, but it works just as well for Raspbian… Copy this and paste it in /etc/systemd/system/pulseaudio.service :

[Unit]
Description=PulseAudio Daemon

[Install]
WantedBy=multi-user.target

[Service]
Type=simple
PrivateTmp=true
ExecStart=/usr/bin/pulseaudio --system --realtime --disallow-exit --no-cpu-limit

Then ‘systemctl enable pulseaudio’ and ‘systemctl start pulseaudio’ – you now have a properly set up Pulseaudio daemon. Although the unit starts it as root, ‘pulseaudio --system’ drops its privileges to the unprivileged pulse user and group once it has initialised, so the process that listens on the network is not running as root. Now is a good time to take a moment to consider how much more fastidious the writing of a SysVinit script would have been compared to just dropping this systemd unit in place.

Now let’s see the meat of this article: the actual setup of the audio stream. If you stumbled upon this article, you might have read other methods to the same goal, such as this one or this one. They rely on the server advertising its Pulseaudio network endpoint through Avahi’s multicast DNS using the module-zeroconf-publish pulseaudio module, which lets the client discover its presence so that the user can select it as an audio destination after having told paprefs that remote Pulseaudio devices should be available locally. In theory it works well and it probably works well in practice for many people but Avahi’s behaviour may be moody – or, in technical terms, subject to various network interferences that you may or may not be able to debug easily… Struggling with it led me to finding an alternative. By the way, Avahi is another one of Lennart’s babies – so that might be a factor towards Pulseaudio’s strong inclination towards integrating with it.

Discoverability is nice in a dynamic environment but, in spite of my five daughters, my apartment is not that dynamic – my office and the livingroom amplifier won’t be moving anytime soon. So why complicate the system with Avahi ? Can’t we just have a static configuration by declaring a hardcoded link once and for all ? Yes we can, with module-tunnel-sink-new & module-tunnel-source-new !

Module-tunnel-sink-new and module-tunnel-source-new are the reason why we require Pulseaudio 5 – they appeared in this version. They are a reimplementation of module-tunnel-sink, using libpulse instead of reinventing the wheel by using their own implementation of the Pulseaudio protocol. At some point in the future, they will lose their -new suffix and officially replace module-tunnel-{sink,source} – at that moment your setup may break until you rename them in your /etc/pulse configuration to module-tunnel-sink and module-tunnel-source… But that is far in the future – for today it is all about module-tunnel-sink-new and module-tunnel-source-new !

Now let’s configure this ! Remember that we configured the Raspberry Pi’s Pulseaudio daemon in system mode ? That means the relevant configuration is in /etc/pulse/system.pa (not in /etc/pulse/default.pa – leave it alone, it is for the desktop users). So add those two load-module lines to the bottom of /etc/pulse/system.pa – the first one to declare the IP addresses authorized to use the service, the second one to declare the IP address of the client that will use it… Yes – it is a bit redundant, but that is the way (two single load-module lines – don’t mind the spurious carriage return caused by this blog’s insufficient width):

load-module module-native-protocol-tcp auth-ip-acl=127.0.0.1;2001:470:ca99:4:21b:21ff:feaa:99c9

load-module module-tunnel-source-new server=[2001:470:ca99:4:21b:21ff:feaa:99c9]

It is possible to authenticate the client more strictly using a cookie file, but for my domestic purposes I decided that identification by IP address is enough – and let’s leave some leeway for my daughters to have fun discovering that, spoof it and stream crap to the livingroom.

Also, as some of you may have noticed, this works with IPv6, but it works well with legacy IPv4 too – in which case the address must not be enclosed in brackets.

Anyway, don’t forget to ‘systemctl restart pulseaudio’ after configuring.

Then on the client side, add this single load-module line to the bottom of /etc/pulse/default.pa (not in /etc/pulse/system.pa – leave it alone, it is for headless endpoints and your client side is most probably an interactive X session). This is one single load-module line – don’t mind the spurious carriage return caused by this blog’s insufficient width:

load-module module-tunnel-sink-new server=[2001:470:ca99:4:ba27:ebff:fee2:ada9] sink_name=MyRemoteRaspberry

Actually I didn’t use sink_name, but I understand you might want to designate your network sink with a friendly nickname rather than an IPv6 address – though why would anyone not find those lovely IPv6 addresses friendly ?
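For readers who would rather not rely on a source address check, here is the same pair of configuration files with the cookie authentication mentioned above, as an added example that is not part of the original post. The addresses are documentation-prefix placeholders (2001:db8:4::1 is the emitting workstation, 2001:db8:4::2 the Raspberry Pi) and the cookie path is an arbitrary choice. One detail worth knowing: in Pulseaudio’s native protocol an IP ACL match on its own is sufficient to authenticate a client, so listing the client’s address in auth-ip-acl next to a cookie would make the cookie pointless for that client; the hardened line therefore keeps only the loopback address in the ACL. The cookie= argument of module-tunnel-sink-new is assumed here; should your build not accept it, the client daemon is expected to fall back to its own default cookie file, in which case install the copied secret as that user’s ~/.config/pulse/cookie instead.

```text
# /etc/pulse/system.pa on the Raspberry Pi (receiving end)
#
# As in the post: any packet arriving from the listed address is trusted.
# On a shared Ethernet or Wi-Fi segment that is a spoofable check.
#   load-module module-native-protocol-tcp auth-ip-acl=127.0.0.1;2001:db8:4::1
#
# Cookie-based instead: create the 256-byte secret once, readable by the
# pulse user only (the daemon has dropped to that user by the time it loads
# modules), then require it. Only loopback stays in the ACL, because an ACL
# match alone would authenticate the client without the cookie.
#   dd if=/dev/urandom of=/etc/pulse/cookie bs=256 count=1
#   chown pulse:pulse /etc/pulse/cookie && chmod 0600 /etc/pulse/cookie
load-module module-native-protocol-tcp auth-ip-acl=127.0.0.1 auth-cookie-enabled=1 auth-cookie=/etc/pulse/cookie
load-module module-tunnel-source-new server=[2001:db8:4::1]

# /etc/pulse/default.pa on the client (emitting end)
#
# Copy /etc/pulse/cookie from the Raspberry Pi with scp, make it mode 0600
# and owned by the desktop user, then point the tunnel at it (assumed
# cookie= argument, see the note above).
load-module module-tunnel-sink-new server=[2001:db8:4::2] sink_name=MyRemoteRaspberry cookie=/home/USER/.config/pulse/raspberry-cookie
```

With this in place a host that merely spoofs the workstation’s address is refused, and the emitter can sit on any network that can reach the Raspberry Pi’s TCP port rather than only the addresses you enumerated in advance; the price is that the cookie file is now the secret to protect, on both machines.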

Anyway, log out of your X session, log back in and you’re in business… You have a new output device waiting for you in the Pulseaudio volume control:

Pulseaudio remote device selection

So now, while some of your sound applications (such as the sweet Clementine music player pictured here) plays, you can switch it to the remote device:

Using Pulseaudio volume control to choose a remote device to stream a local playback to.

That’s all folks – it just works !

While you are joyously listening to remote music, let’s have a word about sound quality. As any sound circuit integrated on a motherboard where it cohabits with a wild bunch of RF emitters, the Raspberry Pi’s sound is bad. The Model B+ claims “better audio – the audio circuit incorporates a dedicated low-noise power supply” but actual testing shows that it is just as bad and sometimes even worse. So I did what I nowadays always do to get decent sound: use a cheap sound adapter on a USB dongle, in the present case a ‘Creative Sound Blaster X-FI Go Pro’ which at 30€ gets you a great bang for the buck.

Luck has it that the Raspberry Pi’s Pulseaudio offers it as the default sink – so I did not have to specify anything in my client configuration. But that may or may not be the case on yours – in which case you must use module-tunnel-sink-new’s sink parameter to tell it which sink to use. Since the Raspberry Pi’s Pulseaudio runs in system mode, ‘pactl list sinks’ will not talk to it unless your user is a member of the pulse-access group, which is how system mode grants local clients access to the daemon’s Unix socket; failing that, you’ll have to detour through a run in debug mode to know the name of the sinks available.

Sound quality is also a reason why this method is better than a really long stereo line extension cord whose attenuation would degrade sound noticeably.

Well, that was verbose and long winded – but I hope to have clearly covered everything… If I there is anything you feel I should explain better, please ask questions in the comments !

28 May 2015 at 14:01 by Jean-Marc Liotier, in Networking & telecommunications, Systems administration

1  15.895697 2600:480e:4000:c00::3 -> 2001:470:1f12:425::2 DNS 94
  Standard query 0x896c  A wwW.ruWeNZORI.net
2  15.901855 2600:480e:4000:c00::7 -> 2001:470:1f12:425::2 DNS 94
  Standard query 0xe3e6  A Www.RuWEnzoRi.neT
3  16.557423 2600:480e:4000:c00::7 -> 2001:470:1f12:425::2 DNS 93
  Standard query 0x5040  A KiVu.grabEuH.COm
4  16.566121 2600:480e:4000:c00::3 -> 2001:470:1f12:425::2 DNS 93
  Standard query 0x9c91  A KIVU.grabeUH.cOM
5  17.211708 2600:480e:4000:c00::9 -> 2001:470:1f12:425::2 DNS 94
  Standard query 0x7b36  AAAA www.RUWENzORi.net
6  17.888244 2600:480e:4000:c00::9 -> 2001:470:1f12:425::2 DNS 93
  Standard query 0xc582  AAAA KiVu.gRabEUH.com
7  18.041786 2600:480e:4000:c00::7 -> 2001:470:1f12:425::2 DNS 93
  Standard query 0xcb72  AAAA Kivu.GRABEUh.coM

Well… WTF ? Who let the script kiddies out ? No one… Surprisingly: those are actually perfectly well-formed queries, using “0x20 Bit encoding“.

This technique was introduced in a 2008 paper, “Increased DNS Forgery Resistance Through 0x20-Bit Encoding – SecURItY viA LeET QueRieS” :

“We describe a novel, practical and simple technique to make DNS queries more resistant to poisoning attacks: mix the upper and lower case spelling of the domain name in the query. Fortuitously, almost all DNS authority servers preserve the mixed case encoding of the query in answer messages. Attackers hoping to poison a DNS cache must therefore guess the mixed-case encoding of the query, in addition to all other fields required in a DNS poisoning attack. This increases the difficulty of the attack”.

For example, Tor uses it by default for name lookups that a Tor server does on behalf of its clients.

Of course, this clever exploitation of a fortuitous behaviour did not go without inducing bugs… What a surprise !
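A small demonstration of the mechanism described above, as an added example that is not part of the original post: it randomises the letter case of a query name, builds the DNS question in wire format, and then checks a response the way a 0x20-aware resolver does, comparing the echoed question bytes case-sensitively so that a forged answer carrying a differently-cased name is rejected even when the attacker has guessed the transaction id. The host names, transaction ids and addresses are constructed sample values; nothing is sent on the network, and the wire encoding is written out by hand rather than taken from a DNS library.

```python
"""0x20-bit DNS query encoding and the matching response check.

Added example, not code from the original post. Names, ids and addresses
below are constructed sample values; no packets leave the machine.
"""
import secrets
import struct

QTYPE_A = 1
QCLASS_IN = 1


def encode_0x20(name, rng=secrets.randbits):
    """Return NAME with the case of every ASCII letter picked by one random bit.

    Only letters have a 0x20 bit to flip; digits, '-' and '.' pass through,
    so the extra entropy is exactly the number of letters in the name.
    """
    out = []
    for ch in name:
        if ch.isascii() and ch.isalpha():
            out.append(ch.upper() if rng(1) else ch.lower())
        else:
            out.append(ch)
    return "".join(out)


def entropy_bits(name):
    """Bits an attacker must additionally guess when NAME is 0x20-encoded."""
    return sum(1 for ch in name if ch.isascii() and ch.isalpha())


def encode_name(name):
    """Encode a dotted name as DNS labels, preserving case byte for byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(txid, qname, qtype=QTYPE_A):
    """Standard query: 12-byte header (RD set, one question) + question section."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_question(msg):
    """Return (txid, flags, qname, qtype, qclass) from a message's question section."""
    txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos, labels = 12, []
    while True:
        n = msg[pos]
        pos += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointer in question section")
        labels.append(msg[pos:pos + n].decode("ascii"))
        pos += n
    qtype, qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return txid, flags, ".".join(labels), qtype, qclass


def build_answer(txid, question, ipv4):
    """Response echoing QUESTION (raw bytes) with one A record pointing at IPV4."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 300, 4)
    rr += bytes(int(o) for o in ipv4.split("."))
    return header + question + rr


def response_accepted(query, response):
    """Accept only if txid matches, QR is set, and the question is echoed exactly.

    The name comparison is deliberately case-sensitive: that is the whole point
    of 0x20 encoding, since a plain resolver compares names case-insensitively.
    """
    q_id, _, q_name, q_type, q_class = parse_question(query)
    r_id, r_flags, r_name, r_type, r_class = parse_question(response)
    if r_id != q_id or not r_flags & 0x8000:
        return False
    return (r_name, r_type, r_class) == (q_name, q_type, q_class)


def demo(name="www.ruwenzori.net", rng=secrets.randbits):
    """Return (genuine_accepted, forgery_accepted) for one 0x20-encoded lookup.

    The forger is assumed to have guessed the transaction id but, not having
    seen the query on the wire, sends the name in plain lower case.
    """
    txid = rng(16)
    query = build_query(txid, encode_0x20(name, rng))
    genuine = build_answer(txid, query[12:], "192.0.2.1")          # echoes our bytes
    forged_question = encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    forged = build_answer(txid, forged_question, "198.51.100.99")  # attacker's guess
    return response_accepted(query, genuine), response_accepted(query, forged)


if __name__ == "__main__":
    print("query name:", encode_0x20("www.ruwenzori.net"))
    print("genuine accepted, forgery accepted:", demo())
```

Note the limit this makes visible: the protection is worth one bit per letter, so a name like www.ruwenzori.net adds 15 bits on top of the 16-bit transaction id, and a name with no letters at all adds nothing. The randomisation also has to be fresh for every query; reusing the same spelling lets an attacker who captured one query predict the next.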

Well… One less mystery.

13 May 2015 at 13:34 by Jean-Marc Liotier, in Debian, Networking & telecommunications, Systems administration

Upon reboot after upgrading yet another Debian host to sweet Jessie, I was dismayed to lose connectivity – a slight annoyance when administering through the Internet. Later, with screen & keyboard attached to the server, I found that the Intel Ethernet interface using the e1000e module had not come up on boot… A simple ‘ip link set eth0 up’ fixed that… Until the next reboot.

/etc/network/interfaces was still the same as before upgrade, complete with the necessary ‘auto eth0’ line present before the ‘iface eth0 inet static’ line. And everything was fine once the interface had been set up manually.

Looking at dmesg yielded an unusual “[    1.818847] e1000e 0000:00:19.0 eth0: Unsupported MTU setting” – strange, considering I had been using a 9000 byte MTU without issue before… That error message led me to the cause of my problem: the driver maintainer chose that from kernel 3.15 onwards, calculation of the Ethernet frame’s length always takes into account the VLAN header, even when none is present… And I was running Linux 3.16:

diff --git a/drivers/net/ethernet/intel/e1000e/netdev.c b/drivers/net/ethernet/intel/e1000e/netdev.c
index d50c91e..165f7bc 100644
--- a/drivers/net/ethernet/intel/e1000e/netdev.c
+++ b/drivers/net/ethernet/intel/e1000e/netdev.c
@@ -5687,7 +5687,7 @@ struct rtnl_link_stats64 *e1000e_get_stats64(struct net_device *netdev,
 static int e1000_change_mtu(struct net_device *netdev, int new_mtu)
 {
     struct e1000_adapter *adapter = netdev_priv(netdev);
-    int max_frame = new_mtu + ETH_HLEN + ETH_FCS_LEN;
+    int max_frame = new_mtu + VLAN_HLEN + ETH_HLEN + ETH_FCS_LEN;
 
     /* Jumbo frame support */
     if ((max_frame > ETH_FRAME_LEN + ETH_FCS_LEN) &&
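Review bot: this hunk turns a previously accepted configuration into a boot-time failure without telling the user the new limit. With VLAN_HLEN now added unconditionally to max_frame, a host that used to run mtu 9000 against a 9018-byte hardware maximum has its MTU change rejected and is left without a working interface, and the only trace is "Unsupported MTU setting" in dmesg, which does not say that 8996 is the new ceiling. Suggest including the largest acceptable MTU (the hardware frame limit minus VLAN_HLEN + ETH_HLEN + ETH_FCS_LEN) in that rejection message, and calling out the user-visible behaviour change in the commit text, since a rejected MTU during boot means a remotely administered host drops off the network.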

As the author remarked: “The hardware has a set limit on supported maximum frame size (9018), and with the addition of the VLAN_HLEN (4) in calculating the header size (now it is 22) , the max configurable MTU is now 8996”.

So there…

diff --git a/network/interfaces b/network/interfaces
index ee4e27d..a094569 100644
--- a/network/interfaces
+++ b/network/interfaces
@@ -7,7 +7,7 @@ iface lo inet loopback

 auto eth0
 iface eth0 inet static
-       mtu 9000
+       mtu 8996
        address 10.128.0.2
        network 10.128.0.0
        netmask 255.255.255.0
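Review bot: 8996 is the right number for this NIC (9018 minus the 22-byte header calculation) but nothing in the file records why it is not a round value; add a # comment above the mtu 8996 line with that derivation so the next person editing the file does not "fix" it back to 9000, and since the other hosts on 10.128.0.0/24 still assume a 9000-byte MTU, their configurations should be changed in the same step rather than left as a follow-up.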

And a reboot later the host is still connected – problem solved. Now to avoid fragmentation I’ll have to set a few other hosts’ MTU to 8996 too… Damn.

04 Feb 2015 at 23:24 by Jean-Marc Liotier, in Networking & telecommunications, Radio, Systems, Technology

I was so happy with my pair of Baofeng UV-B6 that I decided to buy four more to entirely replace my fleet of even cheaper Lidl Silvercrest TwinTalker PMR transceivers whose horrendous attrition hints about excessive cheapness.

Alas, as I was using the beloved CHIRP to load them with the family’s standard configuration, I encountered the dreaded ‘Radio did not Ack Programming Mode‘ error.

I was using the USB serial adapter with ID 067b:2303 “Prolific Technology, Inc. PL2303 Serial Port” with of course the Baofeng/Kenwood/etc. specific twin 2.5mm/3.5mm plug.

Some of those Baofeng UV-B6 worked fine with this cable – those are UV-B6 with 29 menu entries (with serial numbers 10B6014828 and 10B6014839)

But others were entirely recalcitrant, with a consistent error pattern – those are UV-B6 with 27 menu entries (with serial numbers 10B6025976, 10B6025999, 10B6026018 and 10B6026047).

As suggested by Miklor I slightly trimmed the plug with a cutter – no change.

I also used a couple of male/female extension cords (2.5mm and 3.5mm) in case the lack of twin plastic molding would provide unimpeded contact – no change either.

I bought two different other cables – they both turned out to also be PL2303 serial adapters with same USB ID (but with different plastic moldings – and of course different commercial names). Still no change – same frustrating results.

My last hope was to get this cable, which turned out having USB ID 0403:6001 “Future Technology Devices International, Ltd FT232 USB-Serial (UART) IC”. The ‘Genuine‘ qualifier in its name and the photocopied sheet that attempted to pass for documentation by merely pointing to Miklor were par for the course and did not inspire me to expect anything different… But actually – it worked ! This is the legendary ‘FTDI’ cable I was reading about, the real thing, the one that works with all Baofeng UV-B6 sub-models. Was I not a militant atheist, I would certainly consider this as a proof of God’s greatness – الله أكبر and all those sorts of things !

TL;DR :
– Cables with a FTDI chip work with both 27 and 29 menu entries UV-B6 submodels
– Cables with a PL2303 chip only work with 29 menu entries UV-B6

There is still a non-zero probability that all the PL2303 chips I went through were counterfeit and that only the FTDI model was genuine – thus voiding my analysis. But with a sample of three PL2303-based cables from three different vendors, that probability is low enough for me to publish this article. A driver issue is not entirely impossible either – I have only tested with Linux, where both PL2303 and FTDI drivers are part of the standard kernel.

By the way, how does one manage a mixed fleet of 27 and 29 menu entries UV-B6 submodels with CHIRP ? Well – easy:

– If you upload an image originally downloaded from a 29 menu entries submodel to a 27 menu entries submodel, CHIRP will give you the following error message: “An error has occurred – Radio NAK’d block at address 0x0f10” but you can disregard this message as it only concerns the non-existent menu items – the rest of the configuration has been perfectly transmitted.

– If you upload an image originally downloaded from a 27 menu entries submodel to a 29 menu entries submodel, no error occurs – but companding will be disabled. No problem.

Now I would be grateful if someone could explain the interoperability of the companding feature – is it still useful if it is active in only one of the two transceivers involved in a given transmission ?

Uhhh… Anyone wants three PL2303-based cables ? I’ll sell them real cheap !

Edit: also used the FTDI cable successfully with the Pofung UV-B5.

17 Jun 2013 at 0:37 by Jean-Marc Liotier, in Networking & telecommunications, Politics, Security

I took the EFF and Tor stickers as corroborating material in support of Snowden’s appearances of good character, but not everyone saw them that way… Interviewed by Time’s Andrew Katz, former security clearance investigator Nicole Smith explains that sympathy for online rights activists is a sign that a candidate may not be fit for Top Secret clearance:

In a photograph posted online after Snowden revealed himself, his laptop displays a sticker touting the Electronic Frontier Foundation, a longstanding advocate for online rights and staunch opponent of government surveillance. That would have been enough of a warning sign to make it into his file, Smith says, but investigators wouldn’t have come across it because clearance interviews aren’t performed at their homes: “You’re not around that person’s personal belongings to make any other additional observations about that person’s characters”.

Self doubt ? Ethical questioning ? Interest in social issues ? Affinities for dissenting viewpoints ? No – that is not useful nor even compatible with secret work… Better fill the ranks with yes-men who will follow superior orders to the bitter end – that worked so well in the past.

Anyway, thanks to Smith, the authorities now know what to watch for – open display of affinities with the EFF is enough of a warning sign to make it to file. Take this NSA agent for example, performing devious agitprop in official EFF attire :

Uh – hello General Alexander ! Doesn’t the Director of the National Security Agency look swell in that T-shirt ? Better in my opinion than in his stiff official portrait… But that warning sign shall certainly cost him an entry in his file – he’ll have some serious explaining to do when his clearances come up for review ! Maybe he should have just ordered an EFF sticker for his home laptop instead.

12 Jun 2013 at 11:11 by Jean-Marc Liotier, in Marketing, Networking & telecommunications, Security, Social networking, The media, The Web

A few reflections from my notes of public reaction to last weekend’s events.

Advertising is the main source of revenue for publishers on the Web, including the lords of sharecropping empires such as Facebook and Google. Revenue from advertising varies hugely with how well the message targets the audience. Targeting requires getting to know the target – which is the business that Facebook and Google are in : getting the user to find them useful and trust them so that he willingly provides them with their raw material.

I used to enjoy giving the publishers a lot of data in return for personalization and services – even considering the risks. Yes, we knew the risks – but they are the sort of risks that we are notoriously bad at evaluating. Most of us have probably read at least a dozen different tales of Orwellian dystopias – yet our productive relationship with service providers let us convince ourselves that betrayal won’t happen. We were so complacent that it might be argued that we asked for this.

So why are we surprised ? The surprise is in the scale of the abuse. Corruption always exists at the margins of any system that is sufficiently slack to let alternative ways thrive and supply the mainstream with fresh ideas. A society with no deviance at its margins is totalitarian – so we live with some antisocial behaviour as a cost of doing business in a society that values individual freedom.

But today we find that the extent of corruption is not restricted to the margins – we find that most of what goes on there among people we entrusted with extreme power at the core of the state entirely escapes oversight and drifts into mass surveillance which is known to asphyxiate societies. That much corruption was a risk that we were warned against, but seeing it realized is still a nasty surprise.

Again, this is not about lawful surveillance under democratic oversight, which is as acceptable as ever – this is about the dangerous nature of massive untargeted surveillance outside of democratic control. But public opinion reeling from the shock will probably be blind to the difference – it is now likely to be wary of anything that even remotely smells of surveillance.

Of course, not everyone has yet realized the tradeoffs that modern communications entail and that they have always been making, even if unwittingly – public awareness of privacy issues is not going to arise without continued evangelism anytime soon. But a host of users has awoken to realize that they were sleepwalking naked on Main Street. What will they do now ?

Considering how mainstream audiences have long happily kept gobbling up toxic information from the mass media, I am not holding my breath for a violent phase transition – but a new generation of privacy militants might just have been born and I wonder how much they will nudge the information industry’s trajectory. In any case, they will not make the Internet more welcoming to it.

10 Jun 2013 at 10:02 by Jean-Marc Liotier, in Networking & telecommunications, Politics

Do you remember who said this ?

“This Administration also puts forward a false choice between the liberties we cherish and the security we demand. I will provide our intelligence and law enforcement agencies with the tools they need to track and take out the terrorists without undermining our Constitution and our freedom.

That means no more illegal wire-tapping of American citizens. No more national security letters to spy on citizens who are not suspected of a crime. No more tracking citizens who do nothing more than protest a misguided war. No more ignoring the law when it is inconvenient. That is not who we are. And it is not what is necessary to defeat the terrorists”.

Hint – it was in August 2007. Yes, he may have changed his mind since then…

Yes we (probably) can ! (your mileage may vary; this message does not reflect the thoughts or opinions of either myself, my company, my friends, or alter ego; terms are subject to change without notice; this message has not been safety tested for children under the age of 3; any resemblance to actual persons, living or dead, is unintentional and purely coincidental; do not remove this disclaimer under penalty of law; for a limited time only; this message is void where prohibited, taxed, or otherwise restricted; message is provided “as is” without any warranties; reader assumes full responsibility; if any defects are discovered, do not attempt to read them yourself, but return to an authorized service center; read at your own risk; text may contain explicit materials some readers may find objectionable, parental guidance is advised; keep away from pets and small children; some assembly required; not liable for damages arising from use or misuse; may cause random outbursts of extreme violence, or epileptic seizures; actual message may differ from illustration on box; other rules may apply; past performance does not predict future results; see store for details).

09 Jun 2013 at 22:49 by Jean-Marc Liotier, in Networking & telecommunications, Politics, Social networking, The media, Uncategorized

In the wake of the Prism debacle, Google CEO Larry Page and Facebook CEO Mark Zuckerberg, among others, published reactions full of outrage, strong denials of specific allegations (“direct access”, “back doors”) and technically correct truth… But ridiculously inadequate in the face of the awesome shitstorm that Edward Snowden kicked up, as they won’t admit willful cooperation or even awareness of possible abuse of privileges lightheartedly granted to the NSA.

Meanwhile, the Director of National Intelligence issued a fact sheet stating that PRISM was conducted “under court supervision, as authorized by Section 702 of the Foreign Intelligence Surveillance Act (FISA) (50 U.S.C. § 1881a)”. Among other things, that fact sheet states that :

Under Section 702 of FISA, the United States Government does not unilaterally obtain information from the servers of U.S. electronic communication service providers. All such information is obtained with FISA Court approval and with the knowledge of the provider based upon a written directive from the Attorney General and the Director of National Intelligence.

Above emphasis is mine – “not unilaterally” and “with knowledge of the provider”. Hello, Larry ? Zuck ? Feeling lonely there ? Have you just been hung out to dry by your friend the DNI ?

06 Jun 2013 at 22:40 by Jean-Marc Liotier, in Military, Networking & telecommunications, Politics, Social networking

By now you are probably already participating in the fireworks triggered by the leak of a secret court order requiring Verizon to hand over all call data to the NSA. Mass surveillance was a well known threat – but now we have proof that the USA do it… Will that be the wake-up call for increased political awareness ? I’m not holding my breath…

US Senators don’t seem to have realized the extent of public outrage – witness comments such as “This is nothing particularly new… Every member of the United States Senate has been advised of this”… Mass surveillance ? Yes we can ! All that would not have happened if Obama had been elected.

Anyway, a couple of months ago, Frank La Rue, the United Nations Special Rapporteur on Freedom of Expression and Opinion, reported to the UN Human Rights Council, making a connection between surveillance and free expression. The report establishes the principle that countries that engage in bulk, warrantless Internet surveillance are violating their human rights obligations to ensure freedom of expression. Was that report prescient ? Is it part of a new trend at the UN ? Here are a few choice morsels from the conclusions of this extensive piece of research:

79. States cannot ensure that individuals are able to freely seek and receive information or express themselves without respecting, protecting and promoting their right to privacy. Privacy and freedom of expression are interlinked and mutually dependent; an infringement upon one can be both the cause and consequence of an infringement upon the other.

80. In order to meet their human rights obligations, States must ensure that the rights to freedom of expression and privacy are at the heart of their communications surveillance frameworks.

81. Communications surveillance should be regarded as a highly intrusive act that potentially interferes with the rights to freedom of expression and privacy and threatens the foundations of a democratic society.

Clear enough for y’all ? The report was in no way aiming at the US of A but today’s revelations makes it difficult to read it without thinking about them…

Mass surveillance is like searching every single home in the whole country because some of them might hide something illegal. With such massive indiscriminate intrusion in private lives,  secrecy isn’t kept to avoid “tipping off the target” – it is about avoiding legitimate public outrage at misguided actions outside of any effective control, that undermine the very foundations of what we strive for.

 

30 Jan 2013 at 13:45 by Jean-Marc Liotier, in Networking & telecommunications, Politics, Security

[This post motivated by a strange lack of FISAA awareness around me]

You will certainly be relieved to learn that US government agencies do not spy clandestinely on the data you entrust to Google, Facebook & co.

So stop wondering about dark conspiracies : there are none.

The bad news is that they do it legally instead. Yes – US government agencies can legally access any data stored by non-American citizens at USA-based hosting companies. No warrant required – they can basically help themselves to your data anytime they please and that is entirely legal.

Brazen, isn’t it ? It is called FISAA – for more details, take a look at this European Parliament report. And by the way, I believe that some strong reaction from the European Union has been long overdue.

The silver lining is that European hosts are making good business with everyone who won’t host their data in the USA anymore !

06 Jun 2012 at 11:48 by Jean-Marc Liotier, in Networking & telecommunications, Systems administration, Unix

Today is IPv6 party time so let’s celebrate with a blog post !

Reliable IPv6 connectivity is no longer just nice to have – it is a necessity. If your Internet access provider still does not offer proper native IPv6 connectivity, your next best choice is to use an IPv4 tunnel to an IPv6 point of presence. It works and on the client side it only requires this sort of declaration in /etc/network/interfaces :

auto ipv6-tunnel-he
iface ipv6-tunnel-he inet6 v4tunnel
    address 2001:170:1f12:425::2
    netmask 64
    endpoint 216.66.84.42
    gateway 2001:170:1f12:425::1

Of course, the same sort of configuration is required at the other endpoint – which means that, among other parameters, you must inform the IPv6 tunnel server of the IPv4 address of the client endpoint. Hurricane Electric, my tunnel broker, lets me do that manually through its web interface – which is fine for a static configuration done once, but inadequate if your Internet access provider won’t supply you with a static IPv4 address. By the way, even if, after a few weeks of use, you believe you have a static address, you might just have a dynamic address with a rather long DHCP lease…

But Hurricane Electric also provides a primitive HTTP API that lets you inform the tunnel broker of IPv4 address changes – that is all we need to do it automatically every time our Internet access goes up. Adding this wget command to the uplink configuration stanza in /etc/network/interfaces does the trick :

auto eth3
iface eth3 inet dhcp
# Tell the tunnel broker the new IPv4 endpoint each time the uplink comes up.
# The credentials sit in clear text in this file, which is world-readable by default.
    up wget -O /dev/null 'https://USERNAME:PASSWORD@ipv4.tunnelbroker.net/ipv4_end.php?tid=34764'

That’s it – you now can count on IPv6 connectivity, even after a dynamic IPv4 address change.
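A slightly more careful variant of the same idea, as an added example rather than the post’s own configuration: an /etc/network/if-up.d/ hook that only contacts the broker when the IPv4 address actually changed, and reads the credentials from a root-only file (the paths /etc/tunnelbroker.conf and /var/lib/tunnelbroker/last-ipv4, the variable names TB_USER, TB_PASS and TB_TID, and the uplink name eth3 are assumptions).

```shell
#!/bin/sh
# Added example, not the original post's configuration: an
# /etc/network/if-up.d/ hook that tells the tunnel broker about the uplink's
# IPv4 address only when it changed, keeping the credentials out of the
# world-readable /etc/network/interfaces.
set -eu

UPLINK="${UPLINK:-eth3}"                                    # interface carrying the public IPv4
STATE_FILE="${STATE_FILE:-/var/lib/tunnelbroker/last-ipv4}" # assumed path
CRED_FILE="${CRED_FILE:-/etc/tunnelbroker.conf}"            # assumed path, mode 0600; defines
                                                            # TB_USER, TB_PASS and TB_TID

# First global IPv4 address in the output of "ip -4 -o addr show dev IFACE".
addr_from_ip_output() {
    printf '%s\n' "$1" |
        awk '$3 == "inet" && /scope global/ { sub("/.*", "", $4); print $4; exit }'
}

# True when ADDR differs from the address recorded in STATE (or none is recorded).
needs_update() {
    addr="$1"; state="$2"
    [ -r "$state" ] || return 0
    [ "$(cat "$state")" != "$addr" ]
}

# Endpoint update URL for tunnel TID; the credentials are passed as wget
# options instead of being embedded in the URL.
update_url() {
    printf 'https://ipv4.tunnelbroker.net/ipv4_end.php?tid=%s\n' "$1"
}

notify_broker() {
    . "$CRED_FILE"
    wget -q -O /dev/null --http-user="$TB_USER" --http-password="$TB_PASS" "$(update_url "$TB_TID")"
}

# ifupdown exports IFACE and MODE to hook scripts; act only when the uplink comes up.
if [ "${IFACE:-}" = "$UPLINK" ] && [ "${MODE:-}" = "start" ]; then
    addr="$(addr_from_ip_output "$(ip -4 -o addr show dev "$UPLINK")")"
    if [ -n "$addr" ] && needs_update "$addr" "$STATE_FILE"; then
        notify_broker
        mkdir -p "$(dirname "$STATE_FILE")"
        printf '%s\n' "$addr" > "$STATE_FILE"
    fi
fi
```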

And after you are done, go test your IPv6 configuration and your IPv6 throughput !

Debian and Networking & telecommunications and Systems administration and Unix – 17 Oct 2011 at 11:03 by Jean-Marc Liotier

I just wanted to create an Apache virtual host responding to queries only over IPv6. That should have been most trivial considering that I had already been running a dual-stacked server, with all services accessible over both IPv4 and IPv6.

Following the established IPv4 practice, I set upon configuring the virtual host to respond only to queries directed to a specific IPv6 address. That is done by inserting the address in the opening of the VirtualHost stanza : <VirtualHost [2001:470:1f13:a4a::1]:80> – same as an IPv4 configuration, but with brackets around the address. It is simple and after adding an AAAA record for the name of the virtual host, it works as expected.

I should rather say it works even better than expected : all sub-domains of the second-level domain I’m using for this virtual host are now serving the same content that the new IPv6-only virtual host is supposed to serve… Ungood – cue SMS and mail from pissed-off users and a speedy rollback of the changes; the joys of cowboy administration in a tiny community-run host with no testing environment. As usual, I am not the first user to fall into the trap. Why Apache behaves that way with an IPv6-only virtual host is beyond my comprehension for now.

Leaving aside the horrible name-based hack proposed by a participant in the Sixxs thread, the solution is to give each IPv6-only virtual host its own IPv6 address. Since this server has been allocated a /64 subnet yielding it 18,446,744,073,709,551,616 addresses, that’s quite doable, especially since I can trivially get a /48 in case I need 1,208,925,819,614,629,174,706,176 more addresses. Remember when you had to fill triplicate forms and fight a host of mounted trolls to justify the use of just one extra IPv4 address ? Yes – another good reason to love IPv6 !

So let’s add an extra IPv6 address to this host – another trivial task : just create an aliased interface, like :

auto eth0:0
iface eth0:0 inet6 static
    address 2001:470:1f13:a4a::1
    netmask 64
    gateway 2001:470:1f12:a4a::2

The result :

SIOCSIFFLAGS: Cannot assign requested address
Failed to bring up eth0:0.

This is not what we wanted… You may have done it dozens of times in IPv4, but in IPv6 your luck has run out.

Stop the hair pulling right now : this unexpected behavior is a bug – this one documented in Ubuntu, but I confirm it is also valid on my mongrel Debian system. Thanks to Ronny Roethof for pointing me in the right direction !

The solution : declare the additional address in a post-up command of the main IPv6 interface (and don’t forget to add the pre-down command to keep things clean) :

auto he-ipv6
iface he-ipv6 inet6 v4tunnel
    address 2001:470:1f12:a4a::2
    netmask 64
    endpoint 216.66.84.42
    local 212.85.152.17
    gateway 2001:470:1f12:a4a::1
    ttl 64
    post-up ip -f inet6 addr add 2001:470:1f13:a4a::1 dev he-ipv6
    pre-down ip -f inet6 addr del 2001:470:1f13:a4a::1 dev he-ipv6

And now the IPv6-only virtual host serves as designed and the other virtual hosts are not disturbed. The world is peaceful and harmonious again – except maybe for that ugly post-up declaration in lieu of declaring an aliased interface the way the Unix gods intended.
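One wrinkle with a bare post-up "ip addr add": if the address is still present when the interface is brought up again (after a bounce, for instance), the command fails with "RTNETLINK answers: File exists" and ifup reports the interface as failed. The helper below, an added example and not part of the original post, makes the post-up and pre-down steps idempotent; the script path /usr/local/sbin/extra-ipv6-addr is an assumption.

```shell
#!/bin/sh
# Added example (not the original post's configuration): idempotent helper
# for the post-up / pre-down lines, so that a second "ifup" does not fail
# when the extra address is already configured.
set -eu

# Return 0 when ADDR (without prefix length) appears in OUTPUT, the text of
# "ip -6 -o addr show dev IFACE".
has_addr() {
    output="$1"; addr="$2"
    printf '%s\n' "$output" | awk -v want="$addr" '
        $3 == "inet6" { split($4, a, "/"); if (a[1] == want) { found = 1; exit } }
        END { exit found ? 0 : 1 }'
}

# Add ADDR/64 to IFACE only if it is not already there.
ensure_addr() {
    iface="$1"; addr="$2"
    if has_addr "$(ip -6 -o addr show dev "$iface")" "$addr"; then
        return 0
    fi
    ip -6 addr add "$addr/64" dev "$iface"
}

# Remove ADDR/64 from IFACE, tolerating its absence.
drop_addr() {
    iface="$1"; addr="$2"
    if has_addr "$(ip -6 -o addr show dev "$iface")" "$addr"; then
        ip -6 addr del "$addr/64" dev "$iface"
    fi
}

# Usage from /etc/network/interfaces (script path assumed):
#     post-up  /usr/local/sbin/extra-ipv6-addr add he-ipv6 2001:470:1f13:a4a::1
#     pre-down /usr/local/sbin/extra-ipv6-addr del he-ipv6 2001:470:1f13:a4a::1
if [ $# -eq 3 ]; then
    case "$1" in
        add) ensure_addr "$2" "$3" ;;
        del) drop_addr "$2" "$3" ;;
        *) echo "usage: $0 add|del IFACE ADDR" >&2; exit 2 ;;
    esac
fi
```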

All that just for creating an IPv6 virtual host… Systems administration or sleep ? Systems administration is more fun !

Mobile computing and Networking & telecommunications – 29 Jun 2011 at 15:13 by Jean-Marc Liotier

With UMTS now potentially available on all the frequency bands traditionally allocated to GSM, why are we still operating GSM there while UMTS offers nothing but improvements over it and all contemporary handsets support it ? The question is particularly pressing since data traffic has for quite a while accounted for more than 90% of network usage in volume and grows faster than backhaul can be deployed and cells made smaller, while spectral efficiency has become awfully close to theoretical optima. GSM data modes such as GPRS and its incremental improvements serve their purpose well, but they are hacks shoehorning data into a TDM voice world – nothing like the native capabilities of UMTS. Of course, modern marketing knows the value of nostalgia as an advertising vector, but I suspect that the market of users who insist on GSM for nostalgia’s sake may not be sufficient to justify its cost.

Some manufacturers nowadays offer unified RAN infrastructure that supports both UMTS and GSM on a single piece of equipment – and many antennas are now multiband, but there is still an awful amount of specific equipment with the associated duplicated costs… And then there is the effort of maintaining the software for two entirely independent systems, each with its own bugs, quirks and yearly upgrades attempting to squeeze more throughput out of a slice of spectrum that is not going to expand – a single large operator typically has dozens of people whose workload could be cut in half overnight. I for one would love to spend more time on GIS software for the fiber optics infrastructure and less dealing with the Jurassic park.

So what are we waiting for ? Don’t we understand that frequencies are too precious to be wasted on obsolete protocols ? Let’s recycle ! Let GSM retire ! Taiwan’s ministry of transportation and communications is already working on it.

Jabber and Mobile computing and Networking & telecommunications – 09 May 2011 at 14:02 by Jean-Marc Liotier

I have owned an HTC “G2” Magic for almost two years and one of my biggest disappointments with the Android operating system has been my inability to find a decent Jabber client. On the desktop, my love of Psi has been going on for half a decade but my encounters with mobile Jabber clients have been nothing but disappointments.

On Android in the past two years I have tried them all, including notables such as Jabbdroid, Beem, Jabiru, Yaxim, Emess and many others not even worth citing. Some of them are hampered by a slow graphical user interface, some deplete batteries in a hurry, some lack features I consider essential, some even crash on receiving a message and not a single one is capable of remaining connected while the radio segment hops from GPRS to UMTS to Wi-Fi and back again… They won’t even try to reconnect – leaving me slack-jawed at the lack of such a basic feature when there is even a standard Android class that notifies applications when network connectivity changes.

Enter Xabber – it does everything I expect from an Android Jabber client. Yes, it really does – you can drop that unbelieving face. I’ll spare you the whole features list… Let’s just focus on what I was looking for :

  • Permanent tray icon as link to contacts lists
  • vCard based avatars
  • XMPP priorities
  • Groups
  • Contacts list management
  • TLS/SSL support
  • Full Unicode support
  • Chat history
  • Parameters for just enough customization
  • Multi User Chat – you can even join multiple rooms
  • Does not deplete the batteries too quickly
  • Reconnects promptly after each disconnection while the radio segment hops from GPRS to UMTS to Wi-Fi and back again

As a bonus it publishes geographical location, but I have no idea where it gets it from, nor if it is supposed to implement XEP-0080.

Don’t you love the feeling of discovering a new application and finding that it behaves the way you expect, as if the developers had been reading your mind and making helpful suggestions about the fuzzy parts of what they had read ? On Android K-9 Mail is the only other example I can think of… Yes, Xabber is that good.

The only downside of Xabber is that the code is not free… The site does not even mention a license. So you don’t know what lies hidden inside, you can’t modify it and you are at the mercy of the developer changing his mind and starting to ask for money for further versions. But even as a Free software fanboy I’m willing to live with that for now – I’m so relieved to at last have something that works.

From now on, expect to find me online while I’m on the move !

Edit 20130130 – Xabber is now Free Software !

Code and Free software and Networking & telecommunications and Systems administration and Unix – 01 Mar 2011 at 20:06 by Jean-Marc Liotier

I loathe Facebook and its repressive user-hostile policy that provides no value to the rest of the Web. But like that old IRC channel known by some of you, I keep an account there because some people I like & love are only there. I seldom go to Facebook unless some event, such as a comment on one of the posts that I post there through Pixelpipe, triggers a notification by mail. I would like to treat IRC that way: keeping an IRC application open and connected is difficult when mobile or when using the stupid locked-down mandatory corporate Windows workstation, and I’m keen to eliminate that attention-hogging stream from my environment – especially when an average of two people post a dozen lines a day, most of which are greetings and mealtimes notifications. But when a discussion flares up there, it is excellent discussion… And you never know when that will happen – so you need to keep an eye on the channel. Let’s delegate the watching to some automation !

So let me introduce you to my latest short script : bipIRCnickmailnotify.sh – it sends IRC log lines by mail when a specific string is mentioned by other users. Of course in the present use case I set it up to watch for occurrences of my nickname, but I could have set it to watch any other string. The IRC logging is done by the bip IRC proxy that among other things keeps me permanently present on my IRC channels of choice and provides me with the full backlog whenever I join with a regular IRC client.

This Unix shell script also uses ‘since’ – a Unix utility similar to ‘tail’ that unlike ‘tail’ only shows the lines appended since the last execution. I’m sure that ‘since’ will come in handy in the future !
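The core of such a script, written here as an added example and not the author’s bipIRCnickmailnotify.sh: the filter keeps only lines where someone other than the watched nick mentions it as a whole word, so a nick that is a prefix of another one does not trigger mail. The bip log line layout ("DD-MM-YYYY HH:MM:SS < speaker: text", possibly with "!ident@host" after the speaker) is an assumption.

```shell
#!/bin/sh
# Added example (not the original bipIRCnickmailnotify.sh): mail the lines
# that bip has logged since the last run in which another user mentions NICK.
# Assumed bip log line format: "DD-MM-YYYY HH:MM:SS < speaker!ident@host: text"
# (the "!ident@host" part may be absent).
set -eu

# Read log lines on stdin, print those where someone other than NICK mentions
# NICK as a whole word (case-insensitive), so "jml2" does not match "jml".
# NICK is assumed to contain no regular-expression metacharacters.
mentions_of() {
    awk -v nick="$1" '
        BEGIN { nick = tolower(nick) }
        $3 == "<" {
            speaker = $4; sub(/[!:].*/, "", speaker)       # "alice!u@h:" -> "alice"
            text = $0; sub(/^[^<]*< [^:]*: /, "", text)    # keep the message body only
            if (tolower(speaker) != nick &&
                match(tolower(text), "(^|[^a-z0-9_])" nick "([^a-z0-9_]|$)"))
                print
        }'
}

# Build the mail body from the lines appended since the previous run, using
# the "since" utility described in the post, and send it only if non-empty.
notify() {
    log="$1"; nick="$2"; rcpt="$3"
    body="$(since "$log" | mentions_of "$nick")"
    [ -n "$body" ] || return 0
    printf '%s\n' "$body" | mail -s "IRC: $nick mentioned in $(basename "$log")" "$rcpt"
}

# Usage: bipIRCnickmailnotify.sh /path/to/bip/logs/channel.log jml me@example.org
if [ $# -eq 3 ]; then
    notify "$1" "$2" "$3"
fi
```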

So there… I no longer have to monitor IRC – bipIRCnickmailnotify.sh does it for me.

With trivial modification and the right library it could soon do XMPP notifications too – send me an instant message if my presence is ‘available’ and mail otherwise. See you next version !

Networking & telecommunications and Security and Systems administration – 07 Feb 2011 at 13:04 by Jean-Marc Liotier

I work for a very large corporation. That sort of company is not inherently evil, but it is both powerful and soulless – a dangerous combination. Thus when dealing with it, better err on the side of caution. For that reason, all of my browsing from the obligatory corporate Microsoft Windows workstation is done through a SSH tunnel established using Putty to a trusted host and used by Mozilla Firefox as a SOCKS proxy. If you do that, don’t forget to set network.proxy.socks_remote_dns to true so that you don’t leak queries to the local DNS server.

In addition to the privacy benefits, a tunnel also gets you around the immensely annoying arbitrary filtering or throttling of perfectly reasonable sites which mysterious bureaucracies add to opaquely managed exclusion lists used by censorship systems. The site hosting the article you are currently reading is filtered by the brain-damaged Websense filtering gateway as part of the “violence” category – go figure !

Anyway, back on topic – this morning my browsing took me to Internode’s IPv6 site and to my great surprise I read “Congratulations! You’re viewing this page using IPv6 (  2001:470:1f12:425::2 ) !!!!!”. A quick visit to the KAME turtle confirmed : the turtle was dancing. The surprising part is that our office LAN is IPv4 only and the obligatory corporate Microsoft Windows workstation has no clue about IPv6 – how could those sites believe I was connecting through IPv6 ? A quick ‘dig -x 2001:470:1f12:425::2’ cleared the mystery : the reverse DNS record reminded me that this address is the one my trusted host gets from Hurricane Electric’s IPv6 tunnel server.

So browsing through a SOCKS proxy backed by a SSH tunnel to a host with both IPv4 and IPv6 connectivity will use IPv6 by default and IPv4 if no AAAA record is available for the requested name. This behaviour has many implications – good or bad depending on how you look at it, and fun in any case. As we are all getting used to IPv6, we are going to encounter many more surprises such as this one. From a security point of view, surprises are of course not a good thing.

All that reminds me that I have not yet made this host available through IPv6… I’ll get that done before the World IPv6 Day which will come on 8th June 2011 – a good motivating milestone !
