Yubico, PAM, and Challenge/response Authentication

Introducing the yubikey

The yubikey is a small device that acts as a token generator for authentication systems. Yubico builds them and, since the host sees them as a plain USB keyboard, they can easily be interfaced with any kind of system.

From generating OATH tokens to one-time password systems, by way of RADIUS and OpenVPN server authentication, they can be used for a lot of fun things and, among other things, the software is free software (not free hardware, alas). The token costs $25 and you can order them in huge quantities.

Simply put, it’s a good token for its price and, given my threat model (my computer being stolen), it is enough.

So, some disclaimers.

  • I have no interest in the yubico company or any of their software.
  • You can end up permanently locked out of your stuff if you lose your key and it’s the only way you have to log in. But that’s what I’m looking to achieve.
  • I am not a security expert. I haven’t noticed any obvious security flaw; that does not mean there is none. However, the yubikey seems to do the job.
  • I use Archlinux, and the AUR. You’ll have to adapt things for your distro, but you’re a grown up now, it should not be a problem.
  • The challenge-response mode described here is only available on Yubikey 2.2 and later.

What are we going to do

The first thing I wanted was to lock my computer when the key is away. The simple way is to launch xlock on the running X servers. It’s far from perfect, but if I can do this, I can do more.

The second thing I wanted was to be able to forbid login to people who lack either the key or my user password, a classic two-factor authentication. But I wanted to do that offline, and without using the static key configuration of the yubikey.

But first, I need some packages, so let’s do some yaourt.

[okhin@tara.sunnydale]$ yaourt -Sy libyubikey pam_yubico ykclient ykpers

The first and second packages are needed for PAM, the last ones are needed for using your key. It seems that some tweaking may be necessary in the PKGBUILD file of pam_yubico. I have changed the --with-pam-dir option of the configure invocation to /usr/lib/security and I added _CFLAGS=-DHAVE_LIBYKPERS1 to the make invocations.

Configuring udev

So, the first thing to do for xlocking everything when removing the YubiKey is to add some udev rules. On my Arch system, they’re located in /usr/lib/udev/rules.d and it’s recommended to use a low-priority one, so let’s edit the 99-yubi.rules file in this dir. I just need two rules:

ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0010", GROUP="yubi", MODE="0660"
SUBSYSTEM=="usb", ACTION=="remove", ENV{ID_VENDOR}=="Yubico", RUN+="/usr/local/sbin/xlock-yubi"

The first one is a classic udev rule (udev wants the assigned values quoted, hence GROUP="yubi"), and you’ll need to create a group named yubi and add the users who’ll configure the key to this group.

The second one is a bit tricky. The yubikey is detected by the system as 3 devices (one usb, one input and one hidraw), and, if you do not add the SUBSYSTEM part, you’ll have to go through 3 xlock screens before unlocking your device. That’s not so good.

The other weird part is that, when configuring or dealing with your yubikey, the tools scan for the key, and so the input/hidraw parts of it are removed in udev before being added back. The only subsystem that gets disconnected solely when you pull the key out of your computer is the usb SUBSYSTEM.
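To make the point about SUBSYSTEM concrete, here is an added example (not from the original post and not udev’s own code): a tiny matcher for the subset of udev match syntax the rules above use (KEY=="value", with ENV{...} and ATTRS{...} keys), run over constructed event sequences for a physical unplug and for a tool scanning the key. The event sequences and attribute values are assumptions made up for the illustration; only the match rule is taken from the post.

```python
"""Simulate which udev events make the RUN+= rule fire (added example)."""
import re

# Only match clauses (KEY=="value") decide whether a rule fires; assignments
# such as RUN+=, GROUP= and MODE= are ignored by this parser on purpose.
_MATCH_RE = re.compile(r'([A-Z_]+(?:\{[^}]*\})?)=="([^"]*)"')


def parse_matches(rule: str) -> dict:
    """Return {match_key: value} for a single udev rule line."""
    return dict(_MATCH_RE.findall(rule))


def rule_fires(rule: str, event: dict) -> bool:
    """True when every match key in the rule equals the event's attribute."""
    return all(event.get(key) == value for key, value in parse_matches(rule).items())


def run_count(rule: str, events: list) -> int:
    """How many times the rule's RUN+= command would be launched."""
    return sum(rule_fires(rule, event) for event in events)


def _event(action: str, subsystem: str) -> dict:
    # Constructed event: the vendor string udev exports for the key.
    return {"ACTION": action, "SUBSYSTEM": subsystem, "ENV{ID_VENDOR}": "Yubico"}


# Constructed sequences (assumptions): pulling the key removes all three
# devices; a tool scanning the key only re-plugs the input/hidraw parts.
UNPLUG = [_event("remove", "usb"), _event("remove", "input"), _event("remove", "hidraw")]
TOOL_SCAN = [_event("remove", "input"), _event("remove", "hidraw"),
             _event("add", "input"), _event("add", "hidraw")]

# The rule without the SUBSYSTEM key, and the one from the post.
NAIVE_RULE = 'ACTION=="remove", ENV{ID_VENDOR}=="Yubico", RUN+="/usr/local/sbin/xlock-yubi"'
FIXED_RULE = 'SUBSYSTEM=="usb", ACTION=="remove", ENV{ID_VENDOR}=="Yubico", RUN+="/usr/local/sbin/xlock-yubi"'

if __name__ == "__main__":
    for name, rule in (("naive", NAIVE_RULE), ("fixed", FIXED_RULE)):
        print(f"{name}: unplug -> {run_count(rule, UNPLUG)} xlock(s), "
              f"tool scan -> {run_count(rule, TOOL_SCAN)} xlock(s)")
```

Without the SUBSYSTEM key the script runs three times per unplug and twice each time ykpersonalize or ykpamcfg scans the key; with it, once per unplug and never during a scan.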

And, for the script, well, do whatever you want in it. It’s not the topic of this post, maybe later.

So now, when you pull your key out of a USB slot, it will call the script. At least, once you’ve reloaded the udev daemon:

[root@tara.sunnydale] # udevadm control --reload

There’s also a udevadm monitor command that is quite handy when debugging udev rules.

Set up the key

Ok, now, when you unplug any Yubico-branded device, your screen locks. We’re going to move on to the fun stuff now.

There’s a command for customizing your yubikey. You have to know that this key can hold two different configurations (slots). I’ll use the second one, keeping the first one for other purposes yet to be found.

So, let’s burn a new configuration for activating challenge-response:

[okhin@tara.sunnydale] $ ykpersonalize -2 -ochal-resp -ochal-hmac

It will ask you for an AES passphrase; I used one generated by the yubikey (by pushing the button), but feel free to use what you want. You won’t have to use it again, since the key will be stored on the yubikey and no one will be able to read it anymore.

The next step is to generate the PAM configuration for the challenge, and we need a ~/.yubico dir for that. Protect the files inside this directory, for they contain the challenge.

[okhin@tara.sunnydale] $ mkdir ~/.yubico

And then run this utility to configure the challenges that will be used by PAM.

[okhin@tara.sunnydale] $ ykpamcfg -2 -A add_hmac_chalresp

You’ll have a file named challenge-KEYID in your ~/.yubico directory. It contains the data you need.

If, like me, you have an encrypted /home that is mounted by pam_mount at login, you cannot use this location. So, create a world read-writable directory where you’ll store your challenges.

[root@tara.sunnydale] # mkdir /etc/yubico/challenges -p

And then move your file into it, keeping a 0600 mode and the ownership correctly set up (that is, only the user who will use this key should be able to read it). Replace the challenge part of the name with the username:

[okhin@tara.sunnydale] $ mv {~/.yubico/challenge,/etc/yubico/challenges/okhin}_KEYID
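What the key and the PAM module are actually doing with that file is an HMAC-SHA1 challenge-response: the secret programmed into slot 2 never leaves the key, and the host keeps only the current challenge and the response it expects. The following is an added example (it is neither the post’s code nor pam_yubico’s file format, which I do not reproduce here) that models the protocol end to end: enrolment, verification with a constant-time compare, rotation of the pair after every successful login, and a refusal to use a challenge file whose mode is looser than 0600. The FakeYubikey class, the 20-byte secret, the 63-byte challenge, the colon-separated file layout and the file name okhin_KEYID are assumptions made for the illustration; the 0600 requirement is the post’s own.

```python
"""HMAC-SHA1 challenge-response login with a stored challenge file (added example)."""
import hashlib
import hmac
import os
import secrets
import stat
import tempfile

SECRET_LEN = 20      # assumption: 20-byte HMAC-SHA1 key as programmed into the token
CHALLENGE_LEN = 63   # assumption: challenge length used for the illustration


class FakeYubikey:
    """Stands in for the token: it only ever answers HMAC-SHA1(secret, challenge)."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret  # never readable from outside the token

    def challenge_response(self, challenge: bytes) -> bytes:
        return hmac.new(self._secret, challenge, hashlib.sha1).digest()


def write_challenge_file(path: str, challenge: bytes, response: bytes) -> None:
    """Create the file 0600 from the start so no other local user can read or swap it."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as handle:
        handle.write(f"{challenge.hex()}:{response.hex()}\n")  # constructed layout


def read_challenge_file(path: str) -> tuple:
    """Return (challenge, expected_response), refusing group/world-accessible files."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        raise PermissionError(f"{path} is mode {mode:o}, expected 0600")
    with open(path) as handle:
        challenge_hex, response_hex = handle.read().strip().split(":")
    return bytes.fromhex(challenge_hex), bytes.fromhex(response_hex)


def enroll(key: FakeYubikey, path: str) -> None:
    """What ykpamcfg does in spirit: store a fresh challenge and the key's answer."""
    challenge = secrets.token_bytes(CHALLENGE_LEN)
    write_challenge_file(path, challenge, key.challenge_response(challenge))


def authenticate(key: FakeYubikey, path: str) -> bool:
    """Verify the key against the stored pair; rotate the pair on success only."""
    challenge, expected = read_challenge_file(path)
    if not hmac.compare_digest(key.challenge_response(challenge), expected):
        return False
    enroll(key, path)  # a captured pair is useless after one login
    return True


def run_demo(directory: str = None) -> dict:
    """Run the whole flow in a scratch directory and report each property checked."""
    directory = directory or tempfile.mkdtemp()
    path = os.path.join(directory, "okhin_KEYID")  # constructed name, per the post's scheme
    key = FakeYubikey(secrets.token_bytes(SECRET_LEN))
    stranger = FakeYubikey(secrets.token_bytes(SECRET_LEN))
    enroll(key, path)
    first_challenge, _ = read_challenge_file(path)
    results = {
        "mode_is_0600": stat.S_IMODE(os.stat(path).st_mode) == 0o600,
        "wrong_key_rejected": not authenticate(stranger, path),
        "challenge_kept_after_failure": read_challenge_file(path)[0] == first_challenge,
        "right_key_accepted": authenticate(key, path),
        "challenge_rotated_after_success": read_challenge_file(path)[0] != first_challenge,
    }
    os.chmod(path, 0o644)  # simulate the mistake the post warns about
    try:
        read_challenge_file(path)
        results["loose_mode_refused"] = False
    except PermissionError:
        results["loose_mode_refused"] = True
    return results


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

Note the threat the 0600 mode addresses: the file does not reveal the key’s secret, but anyone who can replace it with a pair computed with their own key would be accepted with that key, so the directory holding it must not let other users swap files either, even if they cannot read them.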

And now we just have to play with PAM.

I wanted to force users of my graphical login manager to have a key, and to enter their Unix passphrase (I use it to mount my encrypted /home) at the prompt. Both conditions are required to get a login.

So, in my /etc/pam.d/slim file I’ve added this line just above the pam_unix module:

[...]
auth    required    pam_yubico.so mode=challenge-response chalresp_path=/etc/yubico/challenges
auth    required    pam_unix.so nullok
[...]

If you consider that having the yubikey is the only necessary thing, then change required to sufficient. Be aware that no password will be asked for then: as soon as the yubikey is plugged into your computer, knowing your login name is enough to get a session, and that is a security risk.
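The difference between required and sufficient is decided by Linux-PAM’s control-flag rules, and it is worth seeing why sufficient skips the password prompt. The following is an added example (not the post’s code, not PAM’s): a small evaluator for the auth stack under the required/requisite/sufficient/optional rules, run against constructed module outcomes for the two stacks discussed above. The dictionary of module results is an assumption standing in for what the real modules would return.

```python
"""Evaluate a PAM auth stack under the control-flag rules (added example)."""

PAM_SUCCESS = "PAM_SUCCESS"
PAM_AUTH_ERR = "PAM_AUTH_ERR"

YUBICO = "pam_yubico.so"
UNIX = "pam_unix.so"

# The two stacks from the post: both modules required, or the key sufficient.
STRICT_STACK = [("required", YUBICO), ("required", UNIX)]
LOOSE_STACK = [("sufficient", YUBICO), ("required", UNIX)]


def run_auth_stack(stack: list, results: dict) -> tuple:
    """Return (outcome, modules_consulted) for a stack of (control, module) entries.

    results maps a module name to the boolean it would return for this login.
    Rules modelled: requisite fails immediately; required records the failure
    and keeps going (so later modules still run and the user cannot tell which
    one failed); sufficient on success ends the stack with PAM_SUCCESS unless
    an earlier required module already failed; optional only counts when no
    other kind of module was consulted.
    """
    failed = False
    decisive = False       # has any non-optional module been consulted?
    last_optional = True
    consulted = []
    for control, module in stack:
        consulted.append(module)
        ok = results[module]
        if control == "optional":
            last_optional = ok
            continue
        decisive = True
        if control == "requisite" and not ok:
            return PAM_AUTH_ERR, consulted
        if control == "required" and not ok:
            failed = True
        if control == "sufficient" and ok and not failed:
            return PAM_SUCCESS, consulted  # the rest of the stack is skipped
    if not decisive:
        return (PAM_SUCCESS if last_optional else PAM_AUTH_ERR), consulted
    return (PAM_AUTH_ERR if failed else PAM_SUCCESS), consulted


def password_checked(stack: list, results: dict) -> bool:
    """True when pam_unix was actually reached, i.e. a password was asked for."""
    return UNIX in run_auth_stack(stack, results)[1]


if __name__ == "__main__":
    key_present_no_password = {YUBICO: True, UNIX: False}
    for name, stack in (("required", STRICT_STACK), ("sufficient", LOOSE_STACK)):
        outcome, consulted = run_auth_stack(stack, key_present_no_password)
        print(f"{name}: {outcome}, consulted {consulted}")
```

With the key plugged in and no valid password, the strict stack still consults pam_unix and fails, while the sufficient stack returns success after pam_yubico alone, which is exactly the login-name-is-enough situation described above.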

Restart your session manager and window manager, plug your key into your computer, and log in. It will ask for your username and password, as usual. However, if your key isn’t plugged into your system, you’ll be unable to log in.

Congratulations, you’re done. Try to keep a way to still log into your system, in case you lose your key.

You can also have different keys for one user (just add new challenge files). And you can probably have one key for different users (didn’t test that).

What’s next?

I need to change my xlock script to log me out of the box when the key is unplugged. I need to figure out a way to use the yubikey challenge-response mode with systems like LUKS or GPG.

Also, I’d like to use it to connect remotely over VPN or SSH, but I need to look into those HowTos. If some of you wanna give it a shot, you know how to reach me.

How to install a Pirate Bay proxy?

How to set up a The Pirate Bay proxy?

Assuming you have a webserver somewhere in (cyber|cypher)space and you want to set up access to the infamous website thepiratebay.(com|se|org), you need a few things:

  • A webserver, in this case apache2, but it can probably be nginx or any other webserver you want to use
  • An up-to-date libssl along with the Perl::SSLeay library
  • A dedicated domain name (in this case yar.okhin.fr, can be anything else as long as you own it)
  • The patched tpbCgiProxy provided by the pirate bay.
  • A little bit of time.

First some cgi

Since it’s based on CGIProxy, you need NPH support for CGI scripts in your webserver. It has been included in Apache since 1.3, but check that first.

Also, check that .cgi files are interpreted as CGI scripts, not as text. Check in your mime.conf file (on Debian it’s /etc/apache2/mods-enabled/mime.conf) that the following line is uncommented:

AddHandler cgi-script .cgi

Put the nph-tpb.cgi file into your cgi-bin directory (we will define it later in Apache); just be sure that the user who runs the webserver can also execute the file. A good place to put your CGI scripts is usually /usr/lib/cgi-bin/

It seems the tpb admins have forgotten one URL in their allowed ones. So, fix it now, using the editor of your choice (at line 528): you need to add thepiratebay.se to ALLOWED_SERVERS

@ALLOWED_SERVERS= ('thepiratebay\.se$', 'thepiratebay\.org$', 'bayimg\.com$', 'suprbay\.com$', 'bayfiles\.com$') ;

Next, let’s move to apache

So, we will need a nifty file for this virtual host. I’ll paste and comment mine here.

<VirtualHost *:80>
        ServerAdmin webmaster@localhost
        ServerName yar.okhin.fr

        RewriteEngine on
        RewriteCond %{HTTPS} off
        RewriteRule (.*) https://yar.okhin.fr%{REQUEST_URI}
</VirtualHost>

The above just enforces SSL connections, in case the user is not using HTTPS Everywhere. If you do not want the virtual host on all your addresses, you can specify one instead of the ‘*’.

<VirtualHost *:443>
        ServerAdmin webmaster@localhost
        ServerName yar.okhin.fr

The name of the server is important in case of multiple virtual hosts. You can add a ServerAlias too, if you’d like to access the proxy under different names.

        ErrorLog ${APACHE_LOG_DIR}/error.log

I do not like logs. But error logs are, in my mind, necessary to keep things working. You’re warned: if you crash my server, I’ll know it.

        DocumentRoot /usr/lib/cgi-bin/nph-tpb.cgi/

This is the root of your proxy. This should be the complete and absolute path to the CGI script you’ve installed above.

        <Directory /usr/lib/cgi-bin/>
                AllowOverride None
                Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
                Order allow,deny
                Allow from all
        </Directory>

Add some defaults for permissions. As we are in the cgi-bin directory, we do not want anyone to list its contents.

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel crit

        CustomLog /dev/null combined

You do not want to log anything related to your visitors, or it will defeat the purpose of anonymity.

        SSLEngine on
        SSLCertificateFile /etc/ssl/certs/tpb.pem
        SSLCertificateKeyFile /etc/ssl/private/tpb.key

And this is for SSL. Just be sure that the key is only readable (mode 0600) by the user who runs the server.

</VirtualHost>

Why would I do that?

Well, for once, TPB is now censored in the UK. I personally think it should not happen, and if you like your freedom of speech and have access to a server, you should do it too.

Second, it’s fun to do this kind of stuff. You’ll then be able to use the CGI proxy for different purposes if needed. And, well, do you really need another reason?

Legal issues

Well, as for all non-logging anonymous proxies, this will raise a lot of issues. Even if your server does not actually host any of the magnet links of the pirate bay, you could be in trouble.

Do what you want, keeping this in the back of your mind. Do not do it on a company-owned server, or not without the prior approval of your bosses.

Besides that… Have fun, proxy the planet, mirror the world, copy the tubes.

Sexism part 2

I’m not done yet

So, since I wrote my previous entry, I’ve discussed the topic of discrimination in the cyberspace with different people, and one of them told me that, even if you know nothing about someone, you’ll give them an identity by default, and this identity in the hacker scene is white male (because hackers are mostly white males).

They were implying that, when we do not know who someone is, we tend to think they’re like us. It is, I think, mostly true. I mean, when I’m in a hackerspace, (cyber|meat)space, I tend to think that most of the people there are hackers or, at least, curious.

#define identity

So, when interacting with someone, we try to give them an identity. It is, I think, a purely cognitive process. We want to recover what we told this person at a later time, so we assemble all the data in one cluster, which is then called identity.

So, do I use a template when interacting with people in the meatspace? No, because their body and the way they talk/act create a shell I’ll then use to remember them. When a girl comes to talk to me, I know she is a girl; she does not have to tell me, there are some traits I will use to define this person as a girl. And that’s why we’re all different.

There is then no default identity in the meatspace. What about the cyberspaces? Our brain is trained to separate two entities and to call them by different names when we meet them. It is also trained to classify people to remember them faster; we have indexing software. It is not perfect (since we can mix up two people who share common traits), but it works in some cases. That’s why you can tell who this girl is.

So, there must be something in the cyberspaces that our brains can use to sort people. First, there’s the name. It is the first thing I’ll see when I meet someone in the cyberspaces, and that’s why pseudonyms are interesting. They are chosen handles (unlike the name and surname thing that we did not choose) and are generally unique.

Then there’s the gimmick you use when writing: your language, but also the form of your sentences, the way you use slang and the kind of slang you use. That’s why, after some time, I can now tell if the person talking to me is really who they pretend to be without needing a registration service of any kind.

Error: identity has no default value

So, there’s no such thing as a default identity in the cyberspaces. And yes, you can guess my sexual identity quite easily if you really want to. But there’s definitely no default identity.

There are a lot of people I know whom I cannot describe. But I’ll recognize them when they write something. So, no, the cyberspaces are not a white male space, because white and male are concepts that cannot define someone you can’t see.

I admit it, your education will change the way you express yourself, including online. And yes, this is how people will recognize you in the cyberspaces. But I’m not sure this problem can be solved in the cyberspaces.

You cannot ask people to consider everyone under a neutral identity, a template that will suit anyone, because they won’t. Our brains do work by classifying people one way or another, so this default template will be different for everyone, if it exists at all.

Misogyny and the hackers scene

Why this?

For some time now, I have read and heard a lot on the sexual identity topic and, in particular, related to the hacker scene. A lot of people wrote things like this [FR] on one hand, and I hear a lot of bad stuff happening to people related to their sexual identity (sexual identity based discrimination, sexual harassment/aggression, false accusations of rape, true accusations of rape, and so on).

It makes me at least uncomfortable, and in some cases it makes me angry, because I always saw the hacker community (whatever it means) as a collection of social experiments and as an attempt to build a different world; call me an idealist if you want.

Oh, and if you think that, because of my sexual identity not being female, I cannot talk about it, well shut up and read.

And yes, this is a rewrite of my initial post, because my ideas were too chaotic to make a good post the first time.

The use of sexual identity

The only uses of sexual identity I can find, i.e. situations where the sexual identity is necessary information, are all related to sex. The only occasion when you need to know if someone is a girl is when you’re attracted to girls and want to get laid (or to have a romantic story, kinky sex, whatever, not really my point).

It then means that, if you use part of your signal to deliver me this information, you’re expecting me to take it into account; in the specific case of sexual identity, it means that you want me to consider you as sexually available.

In the beginning there were the cyberspaces

In the cyberspace, nobody knows that you’re a dog

The cyberspace is a space of pure information; your identity is the amount of data you emitted and, as the internets were mainly text-based in the early days, nobody could know what you looked like. You could be a boy pretending to be a girl who thought she was a cat.

It’s still true in most of the cyberspaces where you do not have to choose a sexual identity or use meatspace data to define yourself.

So, in the cyberspaces, you can perfectly live without knowing the sexual identity of anyone you’re talking to, unless you want sex, in which case you have to publish your sexual identity online.

Wait, cyberspaceS?

Yes, there are different cyberspaces. There are social ones, where people hang out just to be with people, try to mate, set up a social event or just act weird in a group which shares a lot of self-referential nonsense humor that nobody can get if they’re not part of the group.

And there are spaces where people share technical details, try to find a solution to a problem they have, where a lot of stuff gets done. Those are the cyberspaces where hackers do things.

There are also cyberspaces reserved for bots, or for tentacle monsters. There are a lot of dirty back alleys too, but that’s how cyberspaces are.

Girls don’t code

As well as boys. Girl and boy (and queer or else) are sexual identities. Sexual identities have sex, not code. I’m totally aware that a sexual identity is a big part of a self, but it’s not the part that will code.

The part that codes is the hacker part of the self. It is unrelated to the gender, sexual identity or orientation of the person. When a person comes online and says: ‘Hey, I’m a girl, I want to learn python’, they will be answered with ‘Girls don’t code’ (at best).

So, is it a ‘don’t ask, don’t tell’ policy? Well, yes and no. In a technical context, when you want to learn things, your sexual identity is irrelevant. It’s of no use. If you use it to obtain help, it means that you think the fact that you’re different will make people answer you favorably because of this difference. You use your sexual identity to obtain what you want? Then do not complain because people see you as a pair of boobs.

We’re defined by what we’re doing

Another big topic among the hackers’ communities is the doocracy. We interact with each other depending on what people are doing, or thinking, not on their appearance.

Our wealth is based on our knowledge and skills, which we try to share a lot, not on things you can buy. Most of the physical discrimination someone has to deal with in the meatspace just does not exist in the cyberspaces, as long as you’re not using it to define your identity.

In the cyberspaces we have a unique opportunity to ignore all the discrimination based on nationality, gender, sexual identity and orientation, colour or handicap. Each time someone defines themselves by physical criteria, they require a lot of work from everyone not to injure them. From the ones who care about not injuring people, at least.

We’re not online for social reasons. Most of us are online because it’s an easy way to share a technical point of view with someone on the other side of the earth. If we wanted to get laid, we would be in other cyberspaces, but it’s not our goal. When a girl comes here saying ‘Hey, look, I’m a girl’, we mostly see ‘hey, look: boobs’ because that’s how she wanted to be considered (else she wouldn’t have told us she’s a girl).

Here be trolls.

About the ‘jokes’ online, and the sexist memes that emerge from the cyberspaces: most of them come from /b/, and there’s a rule for that, the number 1 rule of the internet: don’t talk about /b/. Also, you’re not forced to go there.

And those memes are not the problem. Humor can and will offend people, especially humor based on the identity of someone. And yes, I can perfectly understand the fact that some jokes are not funny for everyone and will offend people.

A lot of topics can offend people. I could, for instance, be offended by the fact you see me only as a boy who can’t get laid, or the too-smart one with big glasses, or the regular weirdo of the group, or the IT guy who will fix all the torture your electronic stuff endures by just living with you. And you could be offended because I just see you as a pair of boobs because you told me you’re a girl.

But I do not see a reason to censor a speech. Even a heinous one. And I think that everyone should have a way to express their opinion without getting bashed for that. And last, you should not feed the troll because that’s how trolls live.

Yes, there are sexist trolls, there are also racist ones, antisemitic ones or BSDist ones (the worst kind, if you want my opinion). It is the worst part of the cyberspace, it’s the part nobody is proud of, but it’s a necessary part. As soon as this part disappears, it will mean that we’ve undergone some serious self-censorship for a so-called greater good. You want to fight in the troll area, so be it, but be warned you will get hurt.

But we’re made of meat

And this is the problem. Your body carries a lot of information. When I see you, before knowing your name, I’ll know your gender, your size, your skin color, your weight, your attractiveness and so on.

All this information we’re not using in most of our interactions (because I spend more time talking to people in the cyberspaces than to people in the meatspace) is mandatory, a bit like on Facebook. And you cannot fake it, unlike on Facebook.

The other problem of the meatspace is that it does not provide filters, an ignore function, or a quit button. You’re forced to interact with people, and not replying to someone is considered rude. So, the rules differ a lot and we sometimes tend to forget that.

When we meet people we already know from a cyberspace, it can become extremely awkward, but most of the time we are able to cope with it. And, thanks to pseudonyms, we can even meet in the meatspace without making the link to the pseudo (and it happens a lot). So, problems occur mainly with people we do not know yet.

Outsiders running away scared to death because they have been hurt is a bad thing. It’s either because the outsiders just panicked because they didn’t understand the problematics and the social rules, or because the insiders were mean and forgot they can’t be ignored.

Is there an RFC for that?

I think we are aware of this situation. And it’s not that easy to fix things, especially when both sides do not share the same set of rules. Feminists tend to define themselves as girls while we define ourselves as hackers. It’s kind of expected, since their fight is the equality of people whatever their sexual identities are, while ours is the gathering and sharing of all the knowledge needed to understand the world.

As soon as there’s a difference, there’s discrimination. Girls complain about us being sexist; they should see how we deal with the ones who are on Windows. The main problem is probably that a lot of us do not care about these problematics. It’s not a problem, it’s how it works in a doocracy. Not everyone is thinking of a way to get rid of the root in DNS, or to find a new dynamic meshing protocol; the people interested in those problematics are working on them, and when they reach an achievement, they will give a nice talk at a conference or publish their work silently somewhere.

The sexism problem is just another topic. There are a lot of people thinking about it and it is beginning to reach some visibility. We are aware of the concern and we are aware that this is not solvable by an RFC.

Problems officer?

We are a bit rough around the edges. And so we can get rude without necessarily noticing it. It’s more related to a latent misanthropy than a latent misogyny. When we are in hackerspaces, we’re not there mainly for the social call, so people coming and saying ‘Hey, hello, I’m Luke’ and nothing more are annoying.

Another thing I do not like is positive discrimination. I won’t make a special effort to be kind to girls specifically. I try to be equal with everyone (and yes, it means being an asshole to everyone).

I think there’s also a small proportion of us who are socially inept. They do not get, or do not want to get, the social conventions. I still think they are not the biggest part of us, but they are the part that suits the cliché everyone has about hackers. Remove the cliché from the balance, and you’ll see there are a lot of interesting people who will talk to you about a lot of different topics.

But you have to admit that, even in social conventions considered normal by most people, invading someone’s information space with topics that do not interest them is rude. This is perfectly OK for me. You’re not interested in the crafting of a quadcopter? Tell me, I’ll stop bothering you with that. If you come to me and talk about a subject that does not interest me, I’ll tell you; you just have to deal with it. It’s not because I do not like what you are, it’s just because the topics you want to discuss are of no interest to me.

And then it gets physical

This is the problem. We are far from perfect. Some of us tend to consider themselves heroes and world saviors. Some of us are real sociopaths who do not mind crushing people as long as they get what they want. But those people are everywhere, not only in our places.

When it gets physical, when someone is trying to crush a person, by harassment, by bullying or by explicit sexual assault, we must intervene. I think the way the hackers’ chaotic world works grants us the possibility to try to fix that.

I have no idea how. But I think that not trying to get the rules of the social game you want to play is a problem we can’t fix. You want to interact with hackers? Be one. Then, if you still have problems, speak about them publicly, document the cases, find a way to work around the issue, be in charge of it. We can’t provide solutions since we are the problem, it seems.

This post can be seen as excuses by some. Well, I try to understand how those things work and I’m mostly lucky: I’ve undergone few discriminations these last ten years (and the few I got were mainly because I act like a weirdo on purpose), so I may not be legitimate.

Off topic

I did not speak about porn, or the fact that few girls go into tech schools, because they are excuses and symptoms, not causes. I did not use the my-childhood-was-a-hell-so-let’s-avenge-ourselves excuse either, because you can then justify everything. I tried to explain how I see the problem from my side, to understand what the root causes are.

I still think it’s a peripheral problem (not a small one), but focusing it on the sexual identity problem is, in my mind, wrong. We should not discriminate. Period.


Some patching has been done thanks to mathieui, thanks for that. This is the second rewrite of this post, and some people (ping quota_atypique and Intruse) shared their insight about it. That was helpful, thanks for that.

Companies and hacktivism

Companies and hacktivism

Google’s case

On the 12th of March, I was at the Cyber-censorship event organized by RWB and sponsored by Google. There was a nice panel after that, with a lot of activists from Belarus, Egypt, Tunisia and Syria among others. And, well, I could not restrain myself, and I expressed some worries about Google, Skype and other companies providing tools used by activists to communicate, and about their lack of openness.

The Google representative who was there answered briefly that

"[He] do not understand the criticism about the lack of openness of Youtube, everyone can access it".

Well, that’s not true. For instance, there’s a video posted by Fhimt.com that was locally censored for no apparent reason (the story is on reflets.info). And that’s only one case. I’ve got another one, of an allegedly leaked video of torture of Syrians that is ‘not available’ (but given the number of views and other things, it was available), and while building the TBS I saw that about twenty videos we once got in the past are not available anymore.

So, yeah, youtube.com is available in most parts of the world. But not its content, and Google gives no reason for the specifics (except for ‘copyright claims’); they give no guarantee that anything available now will be available tomorrow.

Worse, reading their terms of use, they restrict the availability of the content to authorized Google apps only (youtube.com being one), which means that, yes, TBS is violating clauses 4.C and H of the terms of use:

You agree not to access Content through any technology or means other than the video playback pages of the Service itself, the Embeddable Player, or other explicitly authorized means YouTube may designate.

You agree not to use or launch any automated system, including without limitation, "robots," "spiders," or "offline readers," that accesses the Service in a manner that sends more request messages to the YouTube servers in a given period of time than a human can reasonably produce in the same period by using a conventional on-line web browser. Notwithstanding the foregoing, YouTube grants the operators of public search engines permission to use spiders to copy materials from the site for the sole purpose of and solely to the extent necessary for creating publicly available searchable indices of the materials, but not caches or archives of such materials. YouTube reserves the right to revoke these exceptions either generally or in specific cases. You agree not to collect or harvest any personally identifiable information, including account names, from the Service, nor to use the communication systems provided by the Service (e.g., comments, email) for any commercial solicitation purposes. You agree not to solicit, for commercial purposes, any users of the Service with respect to their Content.

So, it means that everything on youtube is subject to the goodwill of Google. If they decide, for one reason or another, that you must not see some content on youtube, then they will destroy it and you have no legal way to make an archive of it. Not without a commercial agreement.

Hence, the youtube service is, indeed, free of charge and accessible. But it is not free at all, because you cannot do a lot of things with it.

I mean, Google could be an amazing archiving tool; they have an insane amount of data at hand and they could archive it, guaranteeing citizens that content on Google (email, video, docs, search results, whatever) will always be available using, for instance, documented and free standards. But they aren’t and they won’t.

They won’t because, whatever Google may say, they are a company. And the only goal of a company is to earn a big pile of cash. They can have ethics, they can pretend they’re going social, whatever. In the end, what dictates their moves is the quantity of money they will have at the end of the month.

That’s why they moved into China, despite the censorship over there. They saw 300 million people who can use Google; that’s 300 million people who can be submitted to compartmental analysis to serve them efficiently targeted advertisement (which is Google’s job).

Google is not about freedom of information, so they accepted partial censorship from the Chinese authorities. Then, they discovered they were targeted by a huge attack, the Aurora attack, probably ordered by China’s authorities to go after some of Google’s intellectual property, so they got out.

They didn’t move because their tool was censored. They moved because their business was under attack. They’ve done some PR move about the China being uncooperative, violating their property (no shit?) and forcing them to do insane censorship (oh, really? So, you’re not censoring yourselves?) and then they moved to Hong Kong, acting like the good guys.

The good guys will have stay there, will have disobey and will have provided activists there online tool to preserve their anonymity and their security, fighting the laws and regulation of the Chinese government.

The Skype case

Skype is even worse. Even leaving aside that it is now a Microsoft product, Skype is built on closed and obfuscated protocols that are designed to get through most firewalls on both sides of the call. The utility allows Desktop Sharing, which grants execution on the distant host, your address book is stored somewhere, the cryptography is based on secret algorithms not documented anywhere, so it is security through obscurity, which is as bad as no security (even worse, because it gives a false feeling of security).

The only strength of Skype is to have a good marketing team, and to be available on whatever platform you can think of (the free of charge thing is the same for all VoIP providers).

One big problem with Skype is the auto-update thing. It is used a lot to deploy malware, notably in Syria where activists get killed for organising themselves (so, yes, a government using such malware can know the people you're calling and can arrest you and them, along with their friends and families). I'm not saying Skype is collaborating with governments, just that a closed proprietary software that gets installed on all the computers, that can install things on its own without warning users, that can get through all firewalls and that does things behind your back is called a trojan over here.

Worse, now Microsoft has bought Skype. And Microsoft has a lot of patents. There is one that needs all your attention right now: patent 2010153809, labelled 'Legal Intercept'. So, in short, Microsoft has patented the technology required to give any government the capability to intercept any communication using one of their software products. Most governments now have laws to authorize such things. There were laws for that in the classic phone system, as well as on GSM, and I always thought it's legal for them to intercept any communication they need to build a case against you as long as the legal system allows them (and it will). The thing with Skype is, it was supposed to be end to end encrypted, so, mainly, the snoopers could not have a verbatim record of the talk.

With this patent, however, Microsoft is saying that any government can now intercept communications in Skype. So, basically, anyone who has access to the Microsoft tool for lawful intercept can now intercept Skype communications. So, the encryption is now broken and will never be recoverable.

The weird thing is that the Syrian government, for instance, has laws that grant it the right to spy on its people. With this kind of patent, they do not even need DPI and hackers to break it, just to ask Microsoft to give them the key of the system.

Facebook, Google, Twitter and the one identity problem

As I said before, most of the websites you use have only one goal: to serve you with the data they want you to access (because they're paid for that), not the data you want. And, for this to be efficient, they need to know you in a lot of detail.

They do not care about you having a pseudonym or a real name (except for Facebook). What they do care about is the fact that you must have only one name. They need it, because they want to track you everywhere you go to build a profile of you they can sell to whoever pays for it (or accesses their data in more creative ways).

For instance, Google has changed their Privacy Policy, requiring that you use only one account for all their services (and all of those services will share data with all the others). So, youtube will now know about what you wrote on gmail and what's on your blog (if you use blogger).

Facebook, and its 'like' button, is even worse. If you've got a facebook cookie in your browser (which, if you have a facebook account, is the case) and even if you're logged out, the simple fact of loading the 'like' button (which is a script) will tell facebook about it.

Twitter is now selling your public tweets (and all the information associated with each tweet, including location if it's active). I still do not understand who will buy something that is already free because it's public, so I suppose they in fact sell analysis and profiles that match some criteria to target them with advertisement. Or they sell them to a governmental agency that is willing to pay to watch their citizens. Don't think it's not the case, governments are spending a huge amount of money on CCTV cameras and other ways of spying on their people.

So what?

The thing is that those companies have products in almost every country, their products are free of charge because the users are the product, but still, you have them everywhere. They can live with insane traffic, they're translated into the most common languages, they are easy to use, multi-platform and idiot-proof. And that's why people use them to share pictures of their sex life or of their last trip to Vietnam, to share videos of riots and uprisings or of clever cats playing on a keyboard, to harass underage girls or to share an amazing animation clip.

Those tools are everywhere because they are big, they've made the internet popular, they're in part responsible for the development of those smart-phones and the eradication of the dumb-phones.

And given that, and the fact that the last websites you will be able to access in case of crisis are Google, Facebook and Twitter while news sites will be shut down to protect the government, activists can and will use them. And some of them will get killed for this, because those websites do not provide ways of communication that are really anonymous.

Google says they're making an effort to be as ethical as possible. If they really were, they would open the code they use on their servers, they would open and disclose their algorithms, they would provide ways of fully enjoying their services without building a profile.

Surely, they would earn less money. But they would still earn some. Plus, some people would still be alive and free instead of being jailed for having uploaded content on facebook or Google.

Broadcasting news

A little introduction

Everything started from some unplanned stuff done on #opsyria. To give you some context, we have a bot there, named ii, that helps us with information management.

Birth and death of a bot

ii's birth dates back to the second phase of opsyria, the phase where we went wild and tried to get some contacts with Syrians. It was first a greeting bot, telling newcomers some safety tips in Syrian (because we still do not speak Syrian).

Then, we fired up a twitter account, and so we added twitter functions to ii. And status.net too (for our status.net platform). And then, we added the possibility to repeat interesting stuff ii saw on those platforms (publishing on IRC the things it saw in its following list on both platforms).

Then, we had some problems with the microblogging thing. 140 characters is short, especially when you use Arabic and weird unicode chars. So, we built a news functionality, which led us to our news website where we still publish real time news from the ground, thanks to our contacts' help.

After that, things went crazy. Lots of videos were posted online and we started indexing them. Here came the videos functionality (and later on the pics one, same thing, but with pictures) and we started building an index of all videos related to Syrian events.

So, this is how we built, over 6 months, our database of information, with dates, places and comments for each video, picture or news item we could find. We built different websites using these and, one day, we realized that it could be nice, for preservation of the data, to extract them from the websites where they are located, to be sure they will always be online.

We had fears that Syrian officials (or Assad's supporters) could manage to get youtube or facebook accounts closed, and then have the videos unavailable and lost for everyone.

The archiving idea

At the 28C3, we already had a somewhat big database. And a script that could download each video and store them on a website, as 'static files' with a non-friendly user interface (apache directory listing), located here: http://syria-videos.ceops.eu/

Some journalists just told us that it was nice, but not really usable (no way to easily parse stuff, or to find events related to one particular date, and so on). So, we started to think about how we could do that.

Parsing it by hand was out of the question: there were more than 600 videos, that is more than 4GB of files to watch, and some of them are harsh and crude to watch. Besides, we're still unable to understand Arabic in text form, so the only data we could use was the data in the flat files provided by ii.

Let’s compile html

And, at the time, I was playing a lot with ikiwiki, which is a markdown compiler that builds static html pages. So, I started looking at that. After all, it can generate html5, so it should be easy to add a <video> tag inside a template; generating the pages from flat text is easy to do in bash and then I just have to use git to push it and let the magic of ikiwiki work.

We will have a pure html website, with smart URLs, easily mirrorable (hey, no ?static=yes&wtf=ya&unknownparam&yetanotherfrckingstuff url, just 2012/02/11 for the page of the events of the 11th of February 2012), with a tagging system and full html5.

This was the concept. And since ikiwiki provides a local.css system, we could even gently ask and harass some designers to have a logo and some design around it (I can live with pure HTML, but a lot of people do like fancy and rounded stuff…)

Enough talk, do it

So, first, installing what we need. I'm on a Debian squeeze OpenVZ kernel and I'm gonna use nginx to serve it. I need to add the unstable version of ffmpeg to support .ogv

aptitude install ikiwiki nginx ffmpeg

The setup of ikiwiki is pretty easy to do, I'll paste you all the uncommented lines of TelecomixBroadcastSystem.setup:

So, let's start with some naming stuff: the name of the wiki, the mail of the admin and the username of the admin.

wikiname => 'Telecomix Broadcast System',
adminemail => 'okhin@bloum.net',
adminuser => [qw{a_user_admin}],

Since there's no user function available, this should be empty.

banned_users => [],

Where I'll put the markdown files

srcdir => '/var/ikiwiki/TelecomixBroadcastSystem',

Where ikiwiki will put the

destdir => '/var/www/tbs',

What the url of the website will be

url => 'http://broadcast.telecomix.org',

The plugins I wanna add. Goodstuff is a package with a lot of useful plugins for ikiwiki. The goodstuff plugin page on the ikiwiki website will give you more details.

I wanted a sidebar (for hosting the navigation), a calendar (to enable the calendar generation) and a favicon (because they are nice). As I do not want the site to be editable, I deactivate the recentchanges plugin.

add_plugins => [qw{goodstuff sidebar calendar favicon}],
disable_plugins => [qw{recentchanges}],

Some system directory and default that I’ve kept.

templatedir => '/usr/share/ikiwiki/templates',
underlaydir => '/usr/share/ikiwiki/basewiki',
indexpages => 0,
discussionpage => 'Discussion',
default_pageext => 'mdwn',
timeformat => '%c',
numbacklinks => 10,
hardlink => 0,
wiki_file_chars => '-[:alnum:]+/.:_',
allow_symlinks_before_srcdir => 0,

HTML 5 is nice and fun to play with, we should use it more

html5 => 1,

A link for the post-update git wrapper (that is, once the repo received an update, automatically generates the new wiki)

git_wrapper => '/var/git/TelecomixBroadcastSystem.git/hooks/post-update',
atom => 1,

I want a sidebar for all the pages

global_sidebars => 1,

I want to autogenerate tag pages, and to store them in the tag/ directory.

tagbase => 'tag',
tag_autocreate => 1,

There's a lot more to change, but you should have a look at the ikiwiki documentation.

Now, we have to create the various directories "/var/ikiwiki/TelecomixBroadcastSystem" and "/var/www/tbs", make them writable and owned by the user you're going to use to generate it, and give "/var/www/tbs" permission to be read by the nginx user.

And let's setup the wiki:

ikiwiki --setup /path/to/your/Wiki.setup

Let’s tweak some templates

So, now I need some templates to work with the videos repo. One for videos, one for pictures (to add a specific CSS class around them), and one for the 'regular' page, because I wanted a logo on top of all of them.

Video template

I added a "template" directory into the wiki root (so, /var/ikiwiki/TelecomixBroadcastSystem/template) and I created the video.tmpl file.

The templates of ikiwiki use the HTML::Toolkit system to create the needed templates, and the ones I needed were relatively simple. I think comments are not needed

<article class="video">
    <video controls="controls" type="video/ogg" width="480" src="/videos/<TMPL_VAR file>" poster="/pics/SVGs/tbs_V1.svg"><TMPL_VAR alt></video>
    <p><TMPL_VAR alt></p>
    <p><a href="/videos/<TMPL_VAR file>">Direct Link to the file</a> ||
    <a href="<TMPL_VAR original>">Original link</a></p>
</article>

So, fixed width video, in HTML5, the files must be in a /videos/ webdir and a poster will be displayed on the video before playing it, with one nice logo. Some more links to add context, and we're set up.

Notice the mime format used here: video/ogg, I want to use a really free web format, which will need transcoding (but that's a later problem). The same goes for the pictures template.

Page template

So, the page template is a huge (and complex) one, so here is just a patch:

--- templates/page.tmpl 2012-03-07 15:35:45.000000000 +0000 +++ /usr/share/ikiwiki/templates/page.tmpl      2011-03-28 23:46:08.000000000 +0000 @@ -30,7 +30,6 @@  </head>  <body>  -<div id="logo"><a href="/" title="Dirty Bytes of Revolutions Since 1337"><img src="/pics/PNGs/tbs_V2.png" alt="Dirty Bytes of Revolutions  Since 1337" /></a></div>  <TMPL_IF HTML5><article class="page"><TMPL_ELSE><div class="page"></TMPL_IF>   <TMPL_IF HTML5><section class="pageheader"><TMPL_ELSE><div class="pageheader"></TMPL_IF> @@ -134,7 +133,6 @@  </TMPL_UNLESS>   </div> -<div class="clearfix"></div>   <TMPL_IF HTML5><footer id="footer" class="pagefooter"><TMPL_ELSE><div id="footer" class="pagefooter"></TMPL_IF>  <TMPL_UNLESS DYNAMIC>
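Review bot: the diff is generated with the two files in the wrong order: `--- templates/page.tmpl` (the edited copy, dated 2012-03-07) is given as the original and `+++ /usr/share/ikiwiki/templates/page.tmpl` (the stock template, dated 2011-03-28) as the new version, so the `<div id="logo">` line in the first hunk and the `<div class="clearfix"></div>` line in the second appear as `-` removals when the text presents them as the additions. Regenerate it as `diff -u /usr/share/ikiwiki/templates/page.tmpl templates/page.tmpl` so that both hunks read as `+` additions to the stock template and the patch can be applied in the direction described.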

The clearfix div is here for the goddamn IE browser (at least, that's what the CSS integrator guy told me). And above, there's the picture.

Let’s build special pages

Sidebar.mdwn

So, the sidebar plugin grants me the use of a sidebar.mdwn file in the root folder of the wiki.

First, some useful links (back to home, the pure text news and our webchat)

# Quick Links
* [Back to Home](/index.html)
* [News from the ground](http://syria.telecomix.org)
* [Webchat](https://new.punkbob.com/chat)

What happened this month

# This month events

And all the pages since the start of the year.

# Events month by month

Index.mdwn

Next step is to build a nice index.mdwn page with some speech, the tag cloud and a global map of everything. I’ll skip to the interesting parts (maps and tagcloud).

The page list uses the map directive to find all the pages under the 2011 and 2012 directories (one per year), which leads to a list of all the daily pages

# Page list

This will go through all of the tags of the pages, and do some computation to generate a nice cloud

Fanciness

I then added a favicon.ico file along with a local.css to the repository; the local.css needs to be copied manually into the "/var/www/tbs" directory. And now, the basic setup is done.

Committing

So, now use git to add all those files, commit and push them. Easy to do, and that will generate some files into /var/www/tbs/.

Yippee, now we need to populate this.

Bashing across videos

So, I have a list of videos somewhere here, of the form:

2011-12-04 homs/al-meedan http://www.youtube.com/watch?v=-qjNo0uqSM8 Random gunfires during the night

(And yes, sometimes Arabic characters all over the place). So, I have date, location (that will be used for tags), URL and some comments to add, thanks to ii's magic (and the huge work done for months). We already had some python scripts for downloading the videos, but for this kind of thing I wanted to use something I know: bash. It will be split in 2. One half parses youtube's hell pages and downloads the .webm; this part is still in python, works well and I was too lazy to rewrite it. The second half will get the video info and add the necessary information to the wiki.

And then, I’ll need to transcode it.

So, script. Let's start with some variables, we'll need them later

#!/bin/bash
# We want to download everything.
export VIDEOS_LINK='https://telecomix.ceops.eu/material/ii/videos.txt'
export VIDEOS_RAW_DIR='/var/tbs/tbs/raw/'
export VIDEOS_OGV_DIR='/var/tbs/tbs/videos/'
export VIDEOS_WIKI_ROOT='/var/ikiwiki/TelecomixBroadcastSystem'
export VIDEOS_LIST=${VIDEOS_WIKI_ROOT}/videos.lst
export VIDEOS_NEW=${VIDEOS_WIKI_ROOT}/new_videos.lst

Let's do some cleaning and backup, needed to know what's new

[[ -e ${VIDEOS_LIST}.old ]] && rm -rf ${VIDEOS_LIST}.old
[[ -e $VIDEOS_LIST ]] && mv $VIDEOS_LIST ${VIDEOS_LIST}.old

Get the new version of the file list

cd $VIDEOS_WIKI_ROOT
# --no-check-certificate skips TLS verification of the list server; every line of
# this list ends up downloaded and committed, so a verifiable certificate is worth having
wget $VIDEOS_LINK --no-check-certificate -O $VIDEOS_LIST

Update the git repository (we probably added tags since last time, so new pages) and find the new videos (a dirty diff, with only the added lines).

# Redirection order matters: '> /dev/null 2>&1' silences both streams
git pull > /dev/null 2>&1
# Lines only in the new list; diff prints them prefixed with '< '
diff -N $VIDEOS_LIST ${VIDEOS_LIST}.old | grep -e '^<' > $VIDEOS_NEW

Loop over all the new videos to add them to the wiki.

while read LINE
do

This is a bash array, if you did not know how they work

        # Word-split the line; index 0 is the '<' marker left by diff, hence the offset
        VIDEO=( $LINE )
        DATE=${VIDEO[1]}
        TTAGS=${VIDEO[2]}

Let's split TAGS into different words separated by spaces, not slashes

        TAGS=$(echo $TTAGS | tr '/' ' ')
        LINK=${VIDEO[3]}

This is how I get the same thing as [4:] in python (from the 4th field to the end of the array)

        COMMENTS=${VIDEO[@]:4:${#VIDEO[@]}}

The date is YYYY-MM-DD in the file, I want it to be YYYY/MM/DD for creating my file in the right place (YYYY/MM/DD.mdwn); like that I have an automagic hierarchy, plus you can get to the /2012/02/14 URL quite easily.

The filename is the video link with only alphanumeric characters, which will be good enough for me.

        VIDEO_PATH=$(echo ${DATE}.mdwn | tr '-' '/')
        VIDEO_FILENAME=$(echo $LINK | tr -dc '[:alnum:]')

So, if the directory (which is YYYY/MM) does not exist, let's create it. If the file does not exist, it means this is the first time we see something for that day. We must create the page and add some stuff (notably the date of creation must be juked, also we add a nice title). Once the file is created, git add it to the repo.

        # We have only updates which is nice, no need to check if the videos already exist
        [[ ! -d $(dirname ${VIDEOS_WIKI_ROOT}/${VIDEO_PATH}) ]] && mkdir -p $(dirname ${VIDEOS_WIKI_ROOT}/${VIDEO_PATH})
        if [ ! -e ${VIDEOS_WIKI_ROOT}/${VIDEO_PATH} ]
        then
                # (the lines creating the page, with its title and juked creation date, are not shown in the post)
                git add ${VIDEOS_WIKI_ROOT}/${VIDEO_PATH}
        fi

Add some tags to the page, along with the video template (one line, really fun), note the .ogv part added to the filename.

And now, download the file. I need to add a dot at the end of it, because the download script adds the extension (without the .) to the file. I download it into a raw dir, where I'll next transcode all the videos into the proper format and directory.

        # And now, download it (in the background, both output streams silenced)
        python ${VIDEOS_WIKI_ROOT}/scripts/multiproc_videos_dl.py ${VIDEOS_RAW_DIR} "${VIDEOS_RAW_DIR}/${VIDEO_FILENAME}." "$LINK" > /dev/null 2>&1 &
done < $VIDEOS_NEW

Commit all the changes at once, and push.

# While we're at it, just publish the file
git commit -a -m "VIDEO updated" > /dev/null 2>&1
git push > /dev/null 2>&1
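As an added example, not the dl_video.bash script from the post: the parsing step above (date, location, link, comments) rewritten as a POSIX sh function that refuses lines which would otherwise feed mkdir, git add and the download script with a path outside the wiki or a non-http link, plus the "what is new" step done with grep instead of diff. The list format and the tr-based filename sanitisation are the post's; the helper names parse_video_line and new_entries and the sample lines are mine, and the lines arrive without the '< ' prefix the post's diff leaves.

```shell
#!/bin/sh
# Added example, not the post's script. Parses one line of the ii video list into
# what the wiki needs, with the checks a list that drives downloads and git
# commits should have. Expected line format, as on the page:
#   YYYY-MM-DD city/district http://www.youtube.com/watch?v=ID free text comment
set -f   # no glob expansion while word-splitting untrusted lines ('*' in a comment)

# parse_video_line LINE
# Prints "page_path|tags|link|filename|comments" and returns 0 for a usable line,
# prints nothing and returns 1 for a line that must not reach the downloader.
parse_video_line() {
    set -- $1                      # word-split exactly like VIDEO=( $LINE )
    [ $# -ge 3 ] || return 1       # date, location and link are mandatory
    vdate=$1; loc=$2; link=$3; shift 3
    comments=$*                    # everything from the 4th field on

    # The date becomes a directory path (YYYY/MM/DD.mdwn); accept only that exact
    # shape so a line such as "../../etc x http://x" cannot write outside the wiki.
    case $vdate in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) return 1 ;;
    esac
    # Only http(s) links are handed to the download script.
    case $link in
        http://*|https://*) ;;
        *) return 1 ;;
    esac

    page_path=$(printf '%s' "$vdate" | tr '-' '/').mdwn   # 2011-12-04 -> 2011/12/04.mdwn
    tags=$(printf '%s' "$loc" | tr '/' ' ')               # homs/al-meedan -> "homs al-meedan"
    filename=$(printf '%s' "$link" | tr -dc '[:alnum:]')  # same sanitisation as the post
    [ -n "$filename" ] || return 1

    printf '%s|%s|%s|%s|%s\n' "$page_path" "$tags" "$link" "$filename" "$comments"
}

# new_entries NEW_LIST OLD_LIST
# Lines present in NEW_LIST and absent from OLD_LIST, compared as whole lines.
# The post's 'diff | grep ^<' also reports lines that merely moved in the file.
new_entries() {
    [ -e "$2" ] || { cat "$1"; return 0; }   # first run: everything is new
    grep -vxF -f "$2" "$1" || true            # grep exits 1 when nothing is new
}

# Constructed sample input in the format of the ii list (not real entries).
SAMPLE_OLD='2011-12-03 homs/baba-amr http://www.youtube.com/watch?v=aaaaaaaaaaa Shelling in the morning'
SAMPLE_NEW='2011-12-03 homs/baba-amr http://www.youtube.com/watch?v=aaaaaaaaaaa Shelling in the morning
2011-12-04 homs/al-meedan http://www.youtube.com/watch?v=-qjNo0uqSM8 Random gunfires during the night
../../etc homs/al-meedan http://www.youtube.com/watch?v=bbbbbbbbbbb Bad date, must be skipped'

# Walk the new entries as the post's while loop does (here only printing them).
demo() {
    old=$(mktemp); new=$(mktemp)
    printf '%s\n' "$SAMPLE_OLD" > "$old"
    printf '%s\n' "$SAMPLE_NEW" > "$new"
    new_entries "$new" "$old" | while read -r line; do
        parse_video_line "$line" || printf 'skipped: %s\n' "$line" >&2
    done
    rm -f "$old" "$new"
}
demo
```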

We're done, just the transcoding now, which is pretty easy and done in another script. Nothing special here, looping across all the files in the raw dir to transcode them into the video dir.

#!/bin/bash
# Transcoding a video into ogv
export ORIG='/var/tbs/tbs/raw'
export DEST='/var/tbs/tbs/videos'

for RAW in $(ls -1 $ORIG)
do
        NAME=${RAW%.*}
        echo "transcoding $NAME"
        # Skip files already transcoded, then drop the raw download
        [[ -e $DEST/${NAME}.ogv ]] || ffmpeg -i $ORIG/$RAW -acodec libvorbis -ac 2 -ab 96k -b 345k -s 640x360 $DEST/${NAME}.ogv
        rm $ORIG/$RAW
done

Bashing across pictures

Same format as videos, so same scripts, almost. Won't detail it, just do sed VIDEO/PICTURE and you're almost done. Also, the download is done using wget --no-check-certificate.

Bashing the news

Same kind of thing, except that I add the timestamp to it, but besides that, just the same thing.

Cronjobs everywhere

I now just need to auto-exec the 3 jobs above, the transcoding and some ikiwiki-internal command to update the calendars. I've got 2 cronjobs for that, executed every 6 hours

0 */6 * * * /var/ikiwiki/TelecomixBroadcastSystem/scripts/dl_news.bash > /dev/null 2>&1 && /var/ikiwiki/TelecomixBroadcastSystem/scripts/dl_pictures.bash > /dev/null 2>&1 && /var/ikiwiki/TelecomixBroadcastSystem/scripts/dl_video.bash > /dev/null 2>&1 && /var/tbs/transcode.sh > /dev/null 2>/dev/null
0 1/6 * * * ikiwiki-calendar /var/ikiwiki/TelecomixBroadcastSystem.setup "2011/* or 2012/*" 2012

This is the end

Now the wiki auto-builds itself. I then just needed to tweak nginx to suit my needs, but that was really easy to do. I just needed to keep in mind that I need two aliases (one for /videos, one for /pictures) because I did not want to commit all the videos in the git directory (that eats a lot of space), and to tell it that .ogv files are indeed video files.

server {
        listen   80; ## listen for ipv4
        listen   [::]:80 default ipv6only=on; ## listen for ipv6

        server_name  broadcast.telecomix.org;

        access_log off;

        location / {
                root   /var/www/tbs;
                index  index.html index.htm;
        }

        location /pictures {
                alias   /var/tbs/pictures;
                autoindex off;
        }

        location /videos {
                alias   /var/tbs/videos;
                autoindex off;
        }
}

And I just need to edit the mime.types file to add those lines at the end of the file:

    video/ogg                             ogm;
    video/ogg                             ogv;
    video/ogg                             ogg;

That's it, everything works fine now. A final thing was needed: to spread it easily (and that's why I wanted static pages), ease the process of mirroring. The best way to do this is to use rsync in daemon mode with three read-only modules.

Installation of rsync is a piece of cake:

aptitude install rsync

You then need to enable it in Debian; for this, editing the file /etc/default/rsync is the way to go. I wanted to throttle it down and keep it nice on the I/O (because I already have too many processes that eat my cpu, like the transcoding), so I've enabled those options in the same file:

RSYNC_ENABLE=true
RSYNC_OPTS='--bwlimit 200'
RSYNC_NICE='10'
RSYNC_IONICE='-c3'

And then, in the /etc/rsyncd.conf, I’ve added those modules

max connections = 10
log file = /dev/null
timeout = 200

[tbs]
comment = Telecomix Broadcast System
path = /var/www/tbs
read only = yes
list = yes
uid = nobody
gid = nogroup

[videos]
comment = Telecomix Broadcast System - videos
path = /var/tbs/videos
read only = yes
list = yes
uid = nobody
gid = nogroup

[pictures]
comment = Telecomix Broadcast System - pictures
path = /var/tbs/pictures
read only = yes
list = yes
uid = nobody
gid = nogroup

And that's it, people can now duplicate the whole thing on a simple web server (they just need space) with nothing else on it than serving web pages.

Thank You

There’s something on my mind I can’t sort without putting it in words. I feel extremely uncomfortable about it and it almost makes me sick. Yeah, it happens sometimes and that means I’m not a complete sociopath.

This is a problem about journalists, reporters, and each and every people that do everything they can to report news. I have no problems with any of them, and most of them are doing an incredible job.

They're risking their lives on a daily basis in Syria, and today that's two of them being killed after broadcasting live from Homs, and they probably were good at doing their jobs; yesterday a citizen journalist was killed too, and that's just the ones reporting the news from the field.

My problem is about the 'what can we do'. With the telecomix cluster and the opsyria volunteers, we are, most of us, sitting in our offices, speaking to media or other stuff like that. We always try to have fun, because otherwise we won't be able to manage all this crap, but we never were on the field.

We have some contacts there, and some of them have disappeared for a while. That’s how we can feed our different news publishing sites, but we do not put our lives in danger (yeah, we learned that life is a video-game with only one credit).

Sometimes journalists come on our chans asking us for advice. They're asking if they can go to Syria. And we don't know how to answer.

Either we spare their life, the one of the fixer they'll have over there, and the ones of the people they'll meet, but then we play Assad's game, encouraging a black-out of information on the field; or we just tell them: stay safe, use strong encryption, do not keep notes or rushes that can identify people.

But all that advice is good as long as you're not in a city blindly shelled night and day for weeks. And we see the people dying there, trying to grab testimony and doing their jobs. We're just archivists, we try to keep all the data we can find in perspective, but without those amazing people on the ground (whether they're citizen journalists, or professional and international field reporters) we wouldn't be able to do this.

Last week, I was at a lecture to discuss the interaction between hackers and NGOs, and someone asked me:

What are your plans for Syria now?

I don’t fucking know. I have no idea. We maintain our systems of communication, but when you’re under heavy shelling without electricity or food or water for days, it’s of no use. I have no fucking clue of what we can do. We are not meant to go on the field.

I see no hope of a peaceful resolution, and now that Assad’s forces have been ordered to assassinate journalists I do not even see how it is possible.

I do not know what to say. Journalists must get there, it’s mandatory to know what’s happening there, but they will get assassinated.

I will stand for freedom in Syria. We, as humans, need to know what’s happening there, not for any macabre voyeur thing, but for being able to be a witness, to be of any help for them.

So, to all the people who put their lives at stake to bring information out of Syria, I want to say Thank You. You're not alone, you won't be forgotten. Continue your amazing job. Report. Try to stay reasonably safe, but it has no meaning in a battlefield. The violence must not kill the information. If you need any help to hide your communications or to establish more or less safe ones, get in touch with us.

And to all the redactors out there or to all the editors of content that sometimes remove stuff like that from the intertubes, we’re watching you. You know what’s happening there. You must speak about it.

Thank You. Really.

Addendum: The Express

HowTo Chaos Workshop

Context

One thing I strongly believe in is that all kinds of knowledge must be shared with the biggest number of people. So, there's the Internet, which has a lot of knowledge in it, but I think it's more effective to explain things to people in meat space, rather than letting them procrastinate watching My Little Pony online.

So, I try to run workshops, lectures, or whatever you can call them, for a lot of different publics. There will be one in Paris next weekend (the jhack thing that RWB and Telecomix set up) directed at journalists, but I do not want to talk about this; it's, from my perspective, a bit boring (same old shit, bla bla, tor, bla bla, gpg).

The fun part of workshops are the Chaos Workshops. Those are the workshops we organise with the crazy hackers from Le Loop. They are always different, totally unexpected and, as we do not really know the audience beforehand, you cannot plan anything.

The last one ended with around 80 people in a crowded place, for a talk about cryptography, where I expected 20 for a workshop around anonymity. It was interesting, but total improvisation was needed (and I still do not know what kind of people were there).

Let’s get a fire started

The first thing you have to do is to get a fixer. Someone who is connected to a lot of people. Go bang on his door when he wakes up in the morning (around 16:00PM) with some beer and tell him:

There will be a workshop about crypto stuff, Tuesday evening, next week. I've found some beer on my way here, here you are.

So, the organized part of the non-organized workshop is now done. Go home, have fun with whatever you have fun with, wait until Monday evening for the date and place, run before you're too late and enjoy.

Wait, WUT?

Oh, you actually want to get there with some kind of preparation? You're a lamer, you know that? But ok, I get it. It's quite intimidating.

They came for a reason

Yes, you'll have an audience. Those people have moved away from the relative comfort of their usual life to come here and listen to you (and assault you with questions, torture you with questions, question you with questions). Do not be afraid, the cannibal groups are now dead (we ate the last one yesterday) so they won't eat you.

I fully understand that standing on a stage or whatever is kind of intimidating, but as a technician, BOFH, or whatever you do for a living, you always need to speak to people, even when you try to be creative in telling a stupid-ass that he can rot in hell.

So, the intimidation is not due to the fact you're going to speak to people. It's not like you're doing a crypto workshop in a stadium (could be fun however), you will speak to curious people about something you like. They will forgive your mistakes as long as you acknowledge them.

So, they will squeeze all the knowledge they can from you with a lot of interesting questions that will force you to be smart and to think fast to get a quick answer.

I would recommend you get on stage clean. No beer, no coffee, no drugs. You must be in full possession of your mind for the first 2 minutes. After that, do what you want, the inhibition about speaking to an audience should have been dissolved by adrenalin.

Know what you know

You cannot know everything. Be humble, and tell people when you do not know. Try to give them leads to follow; you must try to make them understand that they can learn fast if they're willing to search for knowledge.

For the things you know, do not make any assumptions about the tech level of your audience. You do not know them, so you do not know what they know. You can only work with 'what are they supposed to know'. You must be exhaustive. If you want to do a lecture about how the internet works, you must be able to answer most of the questions linked to it (what's the difference with the web, what's a protocol, what's an IP, what's a packet, what's a wire); those questions are the funniest part of a workshop or lecture.

So, be prepared for everything, and know where you do not know and what you know. One thing however: try to avoid looping into a tech discussion that will take you a lot of time. You can do that later with the two or three people that will jump on you at the end of the lecture.

Know where you wanna go

Remember the fixer above? He has probably sent an email with the main subjects that will get discussed. Grab a piece of paper and a pen, and note them down. You now know what you’ll have to speak about. Do not stick to it, though; you are here to answer people’s questions and to teach them more or less interesting stuff (and less is more, or the other way around).

Try to speak freely about the whole topic; do not restrain yourself. From the perspective of your audience you are weird, and you can only get weirder, so use memes, acronyms and weird axioms. Shout KILL IT WITH FIRE when people ask you ‘What can I do with Skype?’

Try to have a clock in your field of view; it can be useful to know whether you’re going to get home on the last subway, in a taxi, or on the first subway of the morning. Believe me, you will lose all notion of time when speaking, so if you have to stick to a schedule (not very Chaotic, I know), get a clock you can read from a distance. Or ask your audience how much time you have left.

The visual display

The tricky part. Visual displays are there to present data and to emphasize your speech, not to be your speech. I would rather work without them, or with only one or two words written in huge fonts to set a theme.

The thing with visual displays is that they are organized. You cannot jump from slide 1 to 5 and then go back to 2, so you must know the deck by heart and you will have to stick to it. It can be interesting for a lecture with 100 people, but for a workshop it’s not a good idea.

So, if you choose to go with slides or any kind of visual display, do not put your text on it, or anything that takes more than 4 seconds to read. You must be the focus of your audience’s attention, not the thing displayed on the wall.

I know it will give you confidence, but you can perfectly well have detailed notes in a notebook to refer to in case of doubt or if you get lost. But, again, that’s only for more planned talks. In case of Chaos, deal with it and accept the fact that you’re going to explore a lot of directions.

The things that must be done

If you want people to do stuff, tell them beforehand to bring whatever they will need to do it. Be as agnostic about the prerequisites as you can (do not rely on a specific distribution, hardware or OS, for instance); go for the easiest troll if you want, but do not spend time on it.

Then, never ever do things on their computers. They must do it by themselves, even if you have to spell out each and every command line. Tell them to RTFM and to use seeks every once in a while.

You will encounter unexpected problems. If you can solve them fast, do it. Otherwise, note them down and move on. You can spend time on them later, and even file a bug report.

I’m not very fond of demos. First, they often rely on people understanding what you’re doing, and then they never work as expected, even if you have prepared them. However, bring some live CDs or USB keys with you to show how it can work, but if people discover it by themselves it will be better.

Aftermath of chaos revolution

When everything is done, drink some water, grab a beer, and go discuss and answer most of the questions people will ask you. The hardest part is done; you deserve some rest, especially since being under the spotlight is quite amazing, even if intimidating.

So, send an email to the fixer to thank him, and give him a small summary of the discussion. Populate it with links to how-tos and to the software you told people about.

Communicate about it, and keep it open to everyone. A wiki is nice for that, but it does not have to be like this. It can be a txt file or an etherpad or a pastebin, as long as people can get it at a later time. It’s important; it’s the only way for you to climb up the ladder in the tech level of the workshops you’re doing.

What are you waiting for?

So, it’s not that hard to get into the chaotic battle against ignorance. It’s even fun, so join us: find a date, find a topic you want to discuss, find a place, and do it. Do not be afraid; it’s fun and you’ll learn a lot of things doing it, because you can only teach what you know, so you’ll soon need to know more.

Let’s Rumble!

Have Fun!

There is no hope

Opening

So, my post about software has generated some comments. The most detailed answer I can find so far is the one from Ju (sorry people, it’s written in baguette’s speech). Go and read it; it’s interesting.

So, you are telling me:

But what if I want to learn, but do not have the time? You won’t help me!

First, that’s not what I said. I said that I won’t install any software for you, because you must do it to learn. If you need to ask questions, go ahead and ask; we even have axioms for that on IRC and other places:

Don’t ask to ask, just ask

But, a more important one:

Think before asking

Yeah, I won’t help you if what you’re asking me can be found on seeks or in less than 10 seconds of reflection. I will not think for you. I will not make your life better; you will. Well, you will later; for now, you’re about to jump into the abysmal depths of knowledge. I know that it can be intimidating, and if you are not scared, well, it means you’re already knee deep in it.

Take the red pill. And the blue one. And the yellow one too.

Learning and understanding will eat your time and soul; it will force you to change your perception of the world around you. Knowing how it works and how you can change it will not make your life easier or nicer. It will make you see how fucked things are.

I wasn’t in the protests last Saturday to say no to ACTA. First, because if protests could actually change things, things would be in motion now: the Greek government would have refused the ultimatum we gave it, the people of Homs wouldn’t be under heavy ordnance and the assholes at the head of the various countries would have been dismissed. Second, because a lot of people are saying no to ACTA and that did not make governments step out of the things they do not understand.

I do not want to take you by the hand and walk you through the My Little Pony fields, with clouds made of candy and a sunshine smiling at your face. We do not live in the cuddlebears’ kingdom.

There is no hope the world will get better anytime soon. If someone tells you anything different, he’s lying to you. Hope is waiting passively for things to get better. Hope is the same thing as prayer. Hope is what governments and mass media give you to keep you under control.

So, forget about hope. It’s not hope that brought Syria to this state, it’s the fact that people actually wanted to do things and to change their world. Yeah, believing that things will get better probably helped them to go into the streets and start changing their environment.

There is no chance things will get better if you think they will, and if that is the only thing you do about it. ACTA will not pass, but the media industry and governments will come back with another thing to crush us with. It’s an endless battle that will not end, or one we can’t win.

I do not want to tell you lies. You do not need hope, you need to stand up on your own legs and walk in whatever direction you want. And you do not need me for

Be Evil, Kick Google In the balls

Be Evil

All of you have probably heard the Google motto:

Don’t be evil

With a bit of context, this is said by a company that has only one goal: to be the only web that people will use. Glazman explains that Google and Apple are working to build a web that works only on WebKit, using some closed CSS properties (the ones that start with -webkit-). I won’t develop this too much; it’s just the event that triggered this post.

So, we need to be evil and to move out of the Google-centralized, closed space.

There are a lot of steps, and I’ll probably miss some. You should know that I’m using an Android phone too, and that I’m tweaking it (I almost managed to kick Google out of it). But first things first: let’s go for the easiest part.

Gmail

So, let’s start. I do not like webmail. Not back when POP3 was hype, not even now that we have IMAP. I do not want to give my personal email to a third party that will do whatever it wants with it (yeah, even with encryption: if the mail is decrypted on the server, the server can read it, which defeats the point of encrypting it).

We know that Google is reading your mail, to place targeted advertisements on the page you’re reading it on. We do not know what else they’re doing with your mail and, since there are still issues with censorship and Google being ruled by US laws and regulations, you cannot be sure you won’t have any legal problem with your mail.

So, what can you do? Simple answer: host your own mail. You will need a server. It’s cheap, and there are some nice virtual servers hosted in Iceland, a country which has strong personal data protection laws. Head to https://www.1984hosting.com for instance. That will cost you a few bucks per month. You’re going to need a domain name too. I made a mistake, mine is nation-tied (.fr); don’t do that, try to find one that is not linked to a nation.

Now you’ve got a nice server. Install a server OS (one that is open and free, as in freedom; one you know or can learn about; one designed for servers, so basically a Linux distribution or a BSD), plug a small database into it (that will be needed later), and install stuff.

For your mail, I’d advise postfix; I know it better than the other ones out there (but not enough to consider myself a guru). There are a lot of interesting how-tos in the wild; pick one.

Look at TLS too, and grab an SSL certificate (either open an account on https://cacert.org, a distributed Certificate Authority based on trust, not on money, or create your own authority). Keep in mind that a certificate issued by your own authority is only trusted by the clients on which you install your CA certificate; other mail servers doing opportunistic TLS will still encrypt the connection, since they generally do not verify the peer certificate at all.
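The “create your own authority” option above, as an added example that is not part of the original post: a small private CA built with nothing but the openssl command line, which then issues a TLS server certificate for your mail host. The CA name (“Private mail CA”) and the host name passed in are placeholders for the example; the functions take the output directory and host name as parameters.

```shell
#!/bin/sh
# Added example (not from the original post): a private CA that issues a TLS
# server certificate for your own mail host, using only the openssl CLI.
# The CA name and the host name are placeholders; pass your own.
set -e

# make_ca_and_cert DIR HOST: creates the CA (key + self-signed cert) in DIR and
# issues DIR/HOST.key and DIR/HOST.crt signed by it.
make_ca_and_cert() {
  dir="$1"
  host="$2"
  mkdir -p "$dir"

  # Self-contained config files so the system openssl.cnf is not needed.
  cat > "$dir/ca.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = Private mail CA
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

  cat > "$dir/$host.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
[dn]
CN = $host
EOF

  # Leaf extensions: clients match the host name against the SAN, not the CN,
  # and the EKU restricts the certificate to TLS server use.
  cat > "$dir/$host.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF

  # 1. CA key and self-signed CA certificate (ten years).
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -sha256 \
    -config "$dir/ca.cnf" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  # 2. Server key and certificate signing request for the mail host.
  openssl req -new -newkey rsa:2048 -nodes \
    -config "$dir/$host.cnf" -keyout "$dir/$host.key" -out "$dir/$host.csr" 2>/dev/null
  # 3. Sign the request with the CA, adding the leaf extensions.
  openssl x509 -req -days 825 -sha256 -in "$dir/$host.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -extfile "$dir/$host.ext" -out "$dir/$host.crt" 2>/dev/null

  # Private keys are only ever read by root / the mail daemon.
  chmod 600 "$dir/ca.key" "$dir/$host.key"
}

# verify_cert DIR HOST: succeeds only if HOST.crt chains to DIR/ca.crt and
# carries HOST as a DNS subjectAltName, which is what a TLS client checks.
verify_cert() {
  openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null 2>&1 &&
    openssl x509 -in "$1/$2.crt" -noout -text | grep -q "DNS:$2"
}
```

To use the result with postfix, point `smtpd_tls_cert_file` and `smtpd_tls_key_file` in main.cf at the host’s .crt and .key files and set `smtpd_tls_security_level = may` (plus `smtp_tls_security_level = may` for outbound mail), which turns on opportunistic TLS for clients and other MTAs; then install ca.crt on the machines running your mail client so that they trust the certificate. Keep ca.key off the mail server if you can: anyone who gets it can mint certificates your clients will trust.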

So, you now have your own server for sending and receiving mail. It’s enough for my needs, because I do not use webmail. If you really want one, have a look at roundcube; it’s pretty and shiny, works on most modern browsers (probably even with links or Mosaic), and looks a bit like gmail so you won’t be lost.

Nice, isn’t it? You’re now in charge of your own mail system. No more advertisements, no more dependency on an external company for that, plain and total autonomy. How does it feel?

You’re addicted now and you want another fix of decentralized freedom? You’re a junkie. But so am I, so here is your new fix.

Google search

The previous one was easy to understand and to do. Now we’re going after the big player: search engines. Google wants you to find the websites they think are more relevant to you. They do not want to tell you how they’re doing it, they will target you with advertisements, and they operate real-time censorship and suggestion.

But then you’re going to say ‘Hey, no choice.’ For one, it’s not true. Even among the closed search engines, there’s Bing (and Yahoo, same engine now), which is quite interesting. Or http://duckduckgo.com. But those are still centralized, closed-source solutions.

We want to go deeper. And farther. We want really open and decentralized search solutions. There are two out there: YaCy, a Java implementation of P2P search, and seeks, a C++ one.

I do not know YaCy well, but it has the advantage of crawling and indexing local pages, and it has its own fans and community. I’m more of a seeker (and I run my personal seeks node). They started as a proxy and a meta-engine, but they are now sharing results over P2P and, since version 0.4.0, there are pure seeks results.

You can use a public seeks node (like mine), which learns from the usage of all the people that use it, or you can install your own private one. You can use it as a proxy that intercepts all the queries that should have landed on Google and processes them via seeks instead.

It will require you to build it from source, but it’s easy to do; there’s an updated and fully detailed tutorial, so go for it. Also, there’s an IRC channel: #seeks@freenode.org; they’re quite nice people to hang out with.

So now you won’t use Google anymore to search your stuff. You see? The Colossus won’t feed on you. Now, the worst part is done; let’s deal with the details.

Calendar and contact

Yeah, those are nice tools. But you do not need them to be on Google. They are iCal compatible, which is nice. vCard is an old format that used to work on my Nokia 3210 (the phone that can break the world in half with enough velocity). You just need a calendar server (and a webserver, but with nginx or apache out there… plus, if you have roundcube, you already have one).

The best solution I have found so far is Davical. It’s light, it does the job, and it works on PostgreSQL. The sad part is that it does not give you a shiny interface to click on. But that’s why you need software, no? You need an RSS reader to read RSS feeds, you need a mail client to read mail, you need a calendar client to read calendars. Claws-mail has one, but I assume that if you’re reading this, you’re not on claws. I suspect mutt has one; emacs fans will tell you that emacs most probably has a calendar included.

If you want a client that won’t scare you, go for Mozilla Sunbird or, if you’re already using Thunderbird, there is the Lightning add-on.

Davical works with contacts too. And the calendar can be read by a lot of other clients; just go through their wiki. Or use your new seeks node to find out more about it.

Documents

Use a local office suite (such as LibreOffice, if you really need the weight of it). You can use a pad (etherpad, for instance), like the one on Telecomix, for online and collaborative editing. You can even set one up on your own server, yay \o/.

If all you want is hosting and sharing documents, you have two choices. Owncloud will give you the possibility to use a part of your server as a public (or private: your server, your rules) hard drive. I strongly suggest you encrypt it. Or Unhosted which, as the name suggests, is based on ‘not hosting’ the data. It sounds promising; the fact that the data is encrypted before being stored anywhere is promising and, since it’s free software, you can add your own server.

So, no more Google Docs, ok people?

The last fix will be for the coders.

Google reader

An RSS reader. It’s extremely easy and there are a lot of them. I personally use tinytinyrss. Again it needs a webserver, but then you’ll have all your RSS feeds in the same place. You can probably find other projects like this one, but it works quite well.

And you can import OPML (Outline Processor Markup Language) files, the format used by Google when you want to back up your feeds.

Google talk

And last but not least (also quite an easy one): Google Talk. Google Talk is pure XMPP, just like Jabber is. You can find lots of clients for Jabber, but go for pidgin-otr; you’ll then have encrypted chat with plausible deniability for the same price.

You’ll just need an account for that. Either set up your own Jabber server (all XMPP servers can talk to each other) or use an existing one. Use your seeks node to find a provider you like.

For hosting your own XMPP server, go for Jabberd. Simple, and packaged for most distributions. You can then register there with your own nick and talk to other XMPP accounts.

Google Code

Get out of it now, and as fast as you can. There are plenty of open source git forges out there, especially the most notorious one, Gitorious. GitHub isn’t free (it does not run on free software) but is not that bad a candidate. But you do not want me to feed you with half-freedom, right? So, Gitorious.

What else?

I need to talk to you about Android, but I’m not fully satisfied with what I have now, so you’ll have to wait for your next fix of freedom.

If you’ve done everything here, you probably have nothing left on Google. Close and destroy your account. If they ask you why, just answer:

I do what I want, I’m a Master of Evilness, MOUAHAHAHAHAHAH!

Or RickRoll them.

If you find one server for only you a bit overkill, then go talk to your friends and family and have them on your server. It will be more fun if there are a lot of you. Do not sell them anything; make them understand that the services might or might not be working. Do backups. Try restoring your backups. Encrypt them. And do not forget:

Computers and freedom are like sex. The more of us are doing it at the same time, the better it gets.
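The “do backups, try restoring them, encrypt them” advice above, as an added example that is not part of the original post: a backup of a directory that is archived with tar, encrypted with openssl enc, and then restored and compared against the original, because a backup that has never been restored is not a backup. The paths, the passphrase file and the iteration count are placeholders for the example.

```shell
#!/bin/sh
# Added example (not from the original post): encrypted directory backup with a
# restore check, using tar and openssl enc. Paths and the passphrase file are
# placeholders. The passphrase file must live somewhere other than the server
# being backed up, or the encryption protects nothing.
set -e

# backup_encrypted SRC OUT PASSFILE: archive the SRC directory and encrypt the
# archive with AES-256-CBC, the key being derived from the passphrase with
# PBKDF2 over a fresh random salt.
backup_encrypted() {
  tar -C "$(dirname "$1")" -cf - "$(basename "$1")" |
    openssl enc -aes-256-cbc -pbkdf2 -iter 200000 -salt \
      -pass "file:$3" -out "$2"
  chmod 600 "$2"
}

# restore_encrypted OUT DEST PASSFILE: decrypt OUT and unpack it under DEST.
restore_encrypted() {
  mkdir -p "$2"
  openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 -pass "file:$3" -in "$1" |
    tar -C "$2" -xf -
}

# check_restore SRC DEST: succeeds only if the restored tree is identical to SRC.
check_restore() {
  diff -r "$1" "$2/$(basename "$1")" >/dev/null
}

# no_plaintext_leak OUT NEEDLE: succeeds if NEEDLE, a string known to be in the
# source data, cannot be found in the encrypted archive.
no_plaintext_leak() {
  ! grep -a -q -- "$2" "$1"
}
```

Run it from cron with the backup copied off-site afterwards, and run `restore_encrypted` plus `check_restore` from time to time on a machine that is not the server: that is the only way to know the passphrase file, the archive and the procedure all still work when you actually need them.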


version 2.0 – I’d forgotten about Reader and Talk. Need to find a picasa