Freiheit statt Angst – 2009-09-12 in Berlin

Hier der Trailer zur geplanten Großdemonstration unter dem Motto “Freiheit statt Angst – Stoppt den Überwachungswahn!“, die am 12.09.2009 in Berlin stattfindet. Hinweise zur Anfahrt gibt es im FoeBud Blog.

Die Forderungen der Bürgerrechtler sind:

1. Überwachung abbauen

  • Abschaffung der flächendeckenden Protokollierung der Kommunikation und unserer Standorte (Vorratsdatenspeicherung)
  • Abschaffung der flächendeckenden Erhebung biometrischer Daten sowie von RFID-Ausweisdokumenten
  • Schutz vor Bespitzelung am Arbeitsplatz durch ein Arbeitnehmerdatenschutzgesetz
  • Berücksichtigung des Datenschutzes für Bürger- und Arbeitnehmer/innen bereits in der Konzeptionsphase aller öffentlicher eGovernment-Projekte
  • Keine einheitliche Schülernummer (Berliner SchülerID)
  • Keine Weitergabe von Informationen über Menschen ohne triftigen Grund
  • Keine europaweite Vereinheitlichung staatlicher Informationssammlungen (Stockholmer Programm)
  • Keine systematische Überwachung des Zahlungsverkehrs oder sonstige Massendatenanalyse in der EU (Stockholmer Programm)
  • Kein Informationsaustausch mit den USA und anderen Staaten ohne wirksamen Grundrechtsschutz
  • Abbau von Videoüberwachung und Verbot des Einsatzes von Verhaltenserkennungssystemen
  • Keine pauschale Registrierung aller Flug- und Schiffsreisenden (PNR-Daten)
  • Keine geheime Durchsuchung von Privatcomputern, weder online noch offline
  • Keine Einführung der Elektronischen Gesundheitskarte in der derzeit geplanten Form

2. Evaluierung der bestehenden Überwachungsbefugnisse

Wir fordern eine unabhängige Überprüfung aller bestehenden Überwachungsbefugnisse im Hinblick auf ihre Wirksamkeit, Kosten, schädliche Nebenwirkungen und Alternativen.

3. Moratorium für neue Überwachungsbefugnisse

Nach der inneren Aufrüstung der letzten Jahre fordern wir einen sofortigen Stopp neuer Gesetzesvorhaben auf dem Gebiet der inneren Sicherheit, wenn sie mit weiteren Grundrechtseingriffen verbunden sind.

4. Gewährleistung der Meinungsfreiheit und des freien Meinungs- und Informationsaustauschs über das Internet

  • Keine Beschränkung des Internetzugangs durch staatliche Stellen oder Internetanbieter (Sperrlisten)
  • Keine Sperrungen von Internetanschlüssen
  • Verbot der Installation von Filtern in die Infrastruktur des Internet.
  • Entfernung von Internet-Inhalten nur auf Anordnung unabhängiger und unparteiischer Richter.
  • Einführung eines uneingeschränkten Zitierrechts für Multimedia-Inhalte, das heute unverzichtbar für die öffentliche Debatte in Demokratien ist.
  • Schutz von Plattformen zur freien Meinungsäußerung im Internet (partizipatorische Websites, Foren, Kommentare in Blogs), die heute durch unzureichende Gesetze bedroht sind, welche Selbstzensur begünstigen (abschreckende Wirkung)

GNOME Bugsquad Meeting

I am very excited that the Bugsquad has met last month. Finally we got some action in our beloved QA team. Also, I’d like to thank Max KanatAlexander for porting our Bugzilla installation from Bugzilla 2.20 to Bugzilla 3.4. I believe that this, and the migration on new servers, will increase the performance a lot and that we can be even more productive. Let’s not hope that the people will file more bugs though 😉
Your GNOME needs you!

So Javier Jardon kicked that meeting off and we were having productive three hours, I guess. It was really good to see people caring about our bug database. The decisions we’ve made are visible in Andres Blog or on our Wiki page of course.

We’ll have a next meeting and right now, we are using a Doodle to determine the next time and date. Feel free to add something to the preliminary agenda and participate! I am sure we’ll have lots of stuff to discuss, especially due to our brand new bugzilla! 🙂 We can now have a look at other folks like KDE and exchange hacks on our bugzilla! 🙂

Also, I am looking for ways making our processes easier: One thing is giving away bugzilla permissions so that a new Triager can start modifying bugs. We are supposed to track the people we are giving permissions to check that they don’t screw up, but it’s not that easy to track someone right now. Also, we can think about automatically giving away canedit permissions once we have given commit access to git. The argumentation is, that a committer might submit patches from bugzilla and thus needs to be able to close bugs. We’d need to talk to the Sysadmins in order to implement that…

I’m thinking about using a Gobby session while having the meeting just that everybody, including people joining the meeting lately, can see what the current topic is. Another reason is that we you can  order or prepare for the next topics if you are a bit bored. Also, we might have an easier protocol at the end, because if everybody writes everything directly in that gobby session, the log will be ready once the meeting is over. I’ll make up my mind and come up with something at the meeting.

Also I think, not using , but rather -meet for the meeting is a good idea because you can see who’s actively participating. Moderating the session without knowing who’s actively interested in the debate is not that easy, because you either wait for people who are either offline or have just left or you don’t ask people willing to participate. These are not really big issues but moving to another channel is also not a big deal.

Back from HAR2009

I have just arrived from HAR2009 which was a very awesome event! We were camping for 5 days, drinking beer and attending lectures. Some of us visited Workshops, but sadly I didn’t. I probably was too busy attending talks and visiting the Toasti booth 😉
Har2009 Logo

The CCC has built up a great Dome as well as a big tent for hacking. CCCHH brought Milliways, the last pub at the end of the universe and it was a really cool place to hang out. There were many people from different countries which made it really interesting and enjoyable to just be there. Last but not least, the beer was great 😉

Others have brought a GSM Network! How awesome is that?! Harald Welte and his fellow GSM-Tent members have set up the “42” Network and we were able to place as many (internal) phone calls and SMS as we liked. Of course, we started to script that 😉 So I found out, that sending an SMS via a serial connection to my phones modem is as simple as the following lines:

import serial
import time
 
DEVICE = '/dev/ttyACM0'
 
def send_sms(nr, msg):
    ser = serial.Serial(DEVICE, 115200, timeout=1)
    ser.write('AT\r')
    line = ser.readline()
    line = ser.readline()
    assert line == "OK\r\n"
 
    ser.write('AT+CMGF=1\r')
    line = ser.readline()
    line = ser.readline()
    assert line == "OK\r\n"
 
    ser.write('AT+CMGS="%s"\r' % nr)
    ser.write('%s\n' % msg)
    ser.write(chr(26))
    time.sleep(3)
    lines = ser.readlines()
    print lines
    ser.close()

Sadly, I couldn’t hack more with the GSM network because it was shut down rather early and I didn’t use my computer much during the lecture time. So next time I’ll try to reproduce the Curse of Silence and play around with PDU SMS.

So I have been to a lot of interesting villages and I met some interesting people but sadly GNOME people couldn’t make it. Maybe we’ll have a GNOME Village next time… 🙂 If you are interested in how the camp looked, watch this impressions movie or click through the media.

The next CCCamp will probably be in two years and according to rumours it’ll happen in Finowfurt again. I’m really looking forward to that event!

BufferOverflow Workshop at EasterHegg09

During Easterhegg I held a workshop together with hc. It was about Buffer Overflows, which used to be the most common security vulnerability a couple of years ago.

We gave a talk explaining the basic concepts of processes and how they work on x86 machines. This was heavily packed with information and I really think we couldn’t make everything clear in the first run. But as it was planned as workshop, we intended to give people stuff they can chew on 😉 Basically, we took stuff from the excellent Phrack article  Smashing the Stack for Fun and Profit which is nearly 13 years old by now.

As modern operating systems protect themselves against the consequences of buffer overflows, we prepared a virtual machine with QEmu/KVM so that exploits will work. It’s an old debian woody with an SSH daemon and build essentials.

Of course I have changed the image in the last minutes, because I wanted to improve it. And of course something went terribly wrong: The root filesystem was corrupted and fsck deleted important files, leaving the image in a useless state. We had to port my changes back to the old image.

Of course, we wanted to distribute the ~1GB image among our workshop guests. As we expected 50 people to show up and didn’t want to stress the WiFi so much, I intended to use BitTorrent, but it’s not as easy and smart as it could be: We are NATted, so using an external tracker would FAIL. Also, it can’t multicast the packets, which would perfectly make sense if many people start to download the torrent in the same network. We ended up having a usb pendrive and a thttpd serving the tarred image. Not very smart or efficient.

After the people ran that images, they couldn’t login with SSH due to a mysterious heisenbug. I suspect our last-minutes changes to be the culprit but I can’t provide a more technical error description. The SSH daemon worked quite well *in* the image, but as soon as you wanted QEmu to redirect the traffic into the machine, it FAILed: The connection was established, but no data was transferred. Could be a bug in QEmu as well.
The people either worked through the QEmu widget or set up a TUN device to get the network up and running…
That pissed some people off which then left. We ended up with 20 people trying to hack themselves 🙂

We prepared examples in the image, some of them copied from Gera, e.g.:

/* stack1.c                                     *
 * specially crafted to feed your brain by gera */

int main() {
	int cookie;
	char buf[80];

	printf("buf: %08x cookie: %08xn", &buf, &cookie);
	gets(buf);

	if (cookie == 0x41424344)
		printf("you win!n");
}

The people were supposed to make the program print “you win!”. If you know, how a stack works, it’s actually simple. Do you know, what input you have to feed in order to win!?
Oh, you don’t want to compile this program with anything other than -O0 because the compiler rearranges the variables on the stack so that you can’t overwrite the integer…

In the end, I think I am satisifed with the workshop, although things could have worked better. We had pretty smart people which were really curious how stuff works. They have learned a lot and I guess they had fun with that as well 🙂

Creative Commons Attribution-ShareAlike 3.0 Unported
This work by Muelli is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported.