Datenspuren 2009 – Call for Participation

Against expectations, Datenspuren in Dresden is going into a new round! It is nice to see that a new organizing team has formed around C3D2 and is getting the cosy conference up and running. Although I have never been there myself, it is said to be a manageable conference that is less about technology than about practical data avoidance and the risks of the transparent society. “Hands off – Privacy on” is this year’s motto: hands off fundamental rights; become aware of your own privacy.

Datenspuren 2009 Flyer Front

So if you have no plans on 03.10.2009 and 04.10.2009, you are cordially invited to come to the Scheune in Dresden! Admission is free.

You may also submit your talk or workshop via Pentabarf; this year’s focus topics are:

  • Data traces in everyday life
  • Misuse of data
  • Legal situation
  • Security and prevention
  • Digital Resistance
  • Hacking
  • Technology assessment
  • Freedom of information
  • Education and discourse
Datenspuren 2009 Flyer Back

Freiheit statt Angst – 2009-09-12 in Berlin

Here is the trailer for the planned large demonstration under the motto “Freiheit statt Angst – Stoppt den Überwachungswahn!” (“Freedom not Fear – Stop the surveillance mania!”), which takes place on 12.09.2009 in Berlin. Directions for getting there are in the FoeBud blog.

The civil rights activists’ demands are:

1. Reduce surveillance

  • Abolition of the blanket logging of communication and of our locations (data retention)
  • Abolition of the blanket collection of biometric data and of RFID identity documents
  • Protection against spying in the workplace through an employee data protection act
  • Consideration of data protection for citizens and employees already in the design phase of all public eGovernment projects
  • No uniform pupil number (Berlin SchülerID)
  • No disclosure of information about people without good reason
  • No Europe-wide harmonisation of state information collections (Stockholm Programme)
  • No systematic surveillance of payment transactions or other mass data analysis in the EU (Stockholm Programme)
  • No information exchange with the USA and other states without effective protection of fundamental rights
  • Reduction of video surveillance and a ban on the use of behaviour recognition systems
  • No blanket registration of all air and ship passengers (PNR data)
  • No secret searches of private computers, neither online nor offline
  • No introduction of the electronic health card (Elektronische Gesundheitskarte) in its currently planned form

2. Evaluation of existing surveillance powers

We demand an independent review of all existing surveillance powers with regard to their effectiveness, costs, harmful side effects and alternatives.

3. Moratorium on new surveillance powers

After the internal armament of recent years, we demand an immediate stop to new legislative proposals in the field of internal security if they involve further encroachments on fundamental rights.

4. Guaranteeing freedom of expression and the free exchange of opinions and information over the Internet

  • No restriction of Internet access by state authorities or Internet providers (block lists)
  • No disconnection of Internet connections
  • Ban on installing filters in the infrastructure of the Internet.
  • Removal of Internet content only by order of independent and impartial judges.
  • Introduction of an unrestricted right of quotation for multimedia content, which today is indispensable for public debate in democracies.
  • Protection of platforms for free expression on the Internet (participatory websites, forums, comments in blogs), which are threatened today by inadequate laws that encourage self-censorship (chilling effect)

GNOME Bugsquad Meeting

I am very excited that the Bugsquad met last month. Finally we got some action in our beloved QA team. Also, I’d like to thank Max Kanat-Alexander for porting our Bugzilla installation from Bugzilla 2.20 to Bugzilla 3.4. I believe that this, and the migration to new servers, will increase the performance a lot and that we can be even more productive. Let’s not hope that the people will file more bugs though 😉
Your GNOME needs you!

So Javier Jardon kicked that meeting off and we had three productive hours, I guess. It was really good to see people caring about our bug database. The decisions we’ve made are visible in Andre’s blog or on our Wiki page of course.

We’ll have a next meeting and right now, we are using a Doodle to determine the next time and date. Feel free to add something to the preliminary agenda and participate! I am sure we’ll have lots of stuff to discuss, especially due to our brand new bugzilla! 🙂 We can now have a look at other folks like KDE and exchange hacks on our bugzilla! 🙂

Also, I am looking for ways of making our processes easier: One thing is giving away bugzilla permissions so that a new Triager can start modifying bugs. We are supposed to track the people we are giving permissions to, to check that they don’t screw up, but it’s not that easy to track someone right now. Also, we can think about automatically giving away canedit permissions once we have given commit access to git. The argumentation is that a committer might submit patches from bugzilla and thus needs to be able to close bugs. We’d need to talk to the Sysadmins in order to implement that…

I’m thinking about using a Gobby session while having the meeting, just so that everybody, including people joining the meeting late, can see what the current topic is. Another reason is that you can order or prepare for the next topics if you are a bit bored. Also, we might have an easier protocol at the end, because if everybody writes everything directly in that Gobby session, the log will be ready once the meeting is over. I’ll make up my mind and come up with something at the meeting.

Also I think, not using , but rather -meet for the meeting is a good idea because you can see who’s actively participating. Moderating the session without knowing who’s actively interested in the debate is not that easy, because you either wait for people who are either offline or have just left or you don’t ask people willing to participate. These are not really big issues but moving to another channel is also not a big deal.

Back from HAR2009

I have just arrived from HAR2009 which was a very awesome event! We were camping for 5 days, drinking beer and attending lectures. Some of us visited Workshops, but sadly I didn’t. I probably was too busy attending talks and visiting the Toasti booth 😉
Har2009 Logo

The CCC has built up a great Dome as well as a big tent for hacking. CCCHH brought Milliways, the last pub at the end of the universe and it was a really cool place to hang out. There were many people from different countries which made it really interesting and enjoyable to just be there. Last but not least, the beer was great 😉

Others have brought a GSM Network! How awesome is that?! Harald Welte and his fellow GSM-Tent members have set up the “42” Network and we were able to place as many (internal) phone calls and SMS as we liked. Of course, we started to script that 😉 So I found out that sending an SMS via a serial connection to my phone’s modem is as simple as the following lines:

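import serial
import time

DEVICE = '/dev/ttyACM0'

def send_sms(nr, msg):
    # pyserial on Python 3 reads and writes bytes, not str
    ser = serial.Serial(DEVICE, 115200, timeout=1)
    try:
        ser.write(b'AT\r')              # probe the modem
        line = ser.readline()           # echo of the command
        line = ser.readline()           # result code
        assert line == b"OK\r\n"

        ser.write(b'AT+CMGF=1\r')       # select SMS text mode
        line = ser.readline()
        line = ser.readline()
        assert line == b"OK\r\n"

        # nr and msg go into the command stream as given by the caller
        ser.write(b'AT+CMGS="%s"\r' % nr.encode('ascii'))
        ser.write(b'%s\n' % msg.encode('ascii'))
        ser.write(bytes([26]))          # Ctrl-Z terminates the message body
        time.sleep(3)
        lines = ser.readlines()
        print(lines)
    finally:
        ser.close()                     # release the port even if an assert fails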

Sadly, I couldn’t hack more with the GSM network because it was shut down rather early and I didn’t use my computer much during the lecture time. So next time I’ll try to reproduce the Curse of Silence and play around with PDU SMS.

So I have been to a lot of interesting villages and I met some interesting people but sadly GNOME people couldn’t make it. Maybe we’ll have a GNOME Village next time… 🙂 If you are interested in how the camp looked, watch this impressions movie or click through the media.

The next CCCamp will probably be in two years and according to rumours it’ll happen in Finowfurt again. I’m really looking forward to that event!

BufferOverflow Workshop at EasterHegg09

During Easterhegg I held a workshop together with hc. It was about Buffer Overflows, which used to be the most common security vulnerability a couple of years ago.

We gave a talk explaining the basic concepts of processes and how they work on x86 machines. This was heavily packed with information and I really think we couldn’t make everything clear in the first run. But as it was planned as workshop, we intended to give people stuff they can chew on 😉 Basically, we took stuff from the excellent Phrack article Smashing the Stack for Fun and Profit which is nearly 13 years old by now.

As modern operating systems protect themselves against the consequences of buffer overflows, we prepared a virtual machine with QEmu/KVM so that exploits will work. It’s an old Debian woody with an SSH daemon and build essentials.

Of course I changed the image at the last minute, because I wanted to improve it. And of course something went terribly wrong: The root filesystem was corrupted and fsck deleted important files, leaving the image in a useless state. We had to port my changes back to the old image.

Of course, we wanted to distribute the ~1GB image among our workshop guests. As we expected 50 people to show up and didn’t want to stress the WiFi so much, I intended to use BitTorrent, but it’s not as easy and smart as it could be: We are NATted, so using an external tracker would FAIL. Also, it can’t multicast the packets, which would perfectly make sense if many people start to download the torrent in the same network. We ended up having a usb pendrive and a thttpd serving the tarred image. Not very smart or efficient.

After the people ran the images, they couldn’t log in with SSH due to a mysterious heisenbug. I suspect our last-minute changes to be the culprit but I can’t provide a more technical error description. The SSH daemon worked quite well *in* the image, but as soon as you wanted QEmu to redirect the traffic into the machine, it FAILed: The connection was established, but no data was transferred. Could be a bug in QEmu as well.
The people either worked through the QEmu widget or set up a TUN device to get the network up and running…
That pissed some people off, who then left. We ended up with 20 people trying to hack themselves 🙂

We prepared examples in the image, some of them copied from Gera, e.g.:

/* stack1.c                                     *
 * specially crafted to feed your brain by gera */

#include <stdio.h>

int main() {
	int cookie;
	char buf[80];

	printf("buf: %08x cookie: %08x\n", &buf, &cookie);
	gets(buf);	/* deliberately unbounded: this is the bug to exploit */

	if (cookie == 0x41424344)
		printf("you win!\n");
}

The people were supposed to make the program print “you win!”. If you know how a stack works, it’s actually simple. Do you know what input you have to feed in order to win!?
Oh, you don’t want to compile this program with anything other than -O0 because the compiler rearranges the variables on the stack so that you can’t overwrite the integer…
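For contrast with stack1.c, here is an added example (not from the workshop image and not Gera's code) of the same read done through a bounded fgets, so that input longer than the buffer is rejected and never reaches the cookie. The names read_line_bounded, stack1_hardened and struct frame are hypothetical and chosen only for this illustration.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 80

/* Read one line into buf (capacity cap) without ever writing past it.
 * Returns the line length, -1 on EOF/error, or -2 if the line did not
 * fit; the excess is drained so the next read starts on a fresh line. */
static int read_line_bounded(FILE *in, char *buf, size_t cap)
{
    if (fgets(buf, (int)cap, in) == NULL)
        return -1;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';            /* complete line: strip newline */
        return (int)(len - 1);
    }
    if (len < cap - 1)
        return (int)len;                /* last line, no trailing newline */
    int c, extra = 0;                   /* buffer full: is there more? */
    while ((c = fgetc(in)) != EOF && c != '\n')
        extra = 1;
    return extra ? -2 : (int)len;
}

/* Same two variables as stack1.c, kept in a struct so the cookie sits
 * right behind buf whatever the optimisation level. */
struct frame {
    char buf[BUF_SIZE];
    int cookie;
};

/* Returns 1 if the cookie matched, 0 if not, -1 if the input was
 * rejected. *cookie_out receives the cookie value after the read. */
static int stack1_hardened(FILE *in, int *cookie_out)
{
    struct frame f;
    f.cookie = 0;
    int n = read_line_bounded(in, f.buf, sizeof f.buf);
    *cookie_out = f.cookie;
    if (n < 0)
        return -1;
    return f.cookie == 0x41424344;
}

int main(void)
{
    int cookie;
    int r = stack1_hardened(stdin, &cookie);
    printf("cookie: %08x result: %d\n", (unsigned)cookie, r);
    return r < 0;
}
```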

In the end, I think I am satisfied with the workshop, although things could have worked better. We had pretty smart people who were really curious how stuff works. They have learned a lot and I guess they had fun with that as well 🙂

Taking the IELTS

As I said some time ago, I had to do an IELTS test in order to apply at the DCU. I do already have kind of a language test which I made for the DAAD, but it’s not good enough for the DCU… So I bit the bullet and paid the Euros to take the IELTS.

I decided to go for IELTS, instead of the TOEFL, because I was told that it’s friendlier and even more comfortable to do. The TOEFL seems to be a computer based test which can be very annoying.

The IELTS was held in a friendly but formal atmosphere. Everything, and I mean everything, had a rule you and the supervisors had to stick to. I wasn’t even allowed to take my keys inside the examination room. Not to mention my wallet.

The test itself went pretty well, especially the listening and reading part. I didn’t manage to perform equally well on the writing part. These tests took a couple of hours and I was pretty happy to get some fresh air afterwards. I had three hours of spare time before the speaking test should begin. Actually, I was really nervous. I don’t know why, because there was nothing I should be afraid of. I mean, even if I failed pretty hard, I always could redo the test. At least, I managed to speak and the results are not that bad.

So I got a better result than I actually needed 🙂 One step closer to my application at the DCU.

any2ogg/Theora+Vorbis

My University decided to publish some videos using a DivX codec. These videos are part of some Software Engineering class and serve as a replacement for real customer interaction.

Anyway, I decided to transcode those videos using a free codec and I boldly announced, that I’ll do that without actually knowing how much work that’d be. In fact, I feared kilobytes of arguments to mencoder or ffmpeg. I also didn’t want to use new and awesome stuff like Transmageddon or Arista, because I wanted a really simple solution, like any2wav. I imagined something like any2theora which simply does what I want.

It turns out, that ffmpeg2theora exists and it does exactly what I want. It is really simple to use, no command line argument whatsoever to produce a well working Theora encoded video with Vorbis encoded sound.

Yay!

Gran Canaria Desktop Summit

The GCDS has just finished and I think it was a great and successful conference. It was the first joint aKademy + GUADEC conference and I feel it turned out quite well. We could have had more explicit collaboration or more attention on the “other” talks, but I think the people have to get used to the fact that there are people with different approaches who you can talk to. Let’s hope it’ll be a joint convention next year as well (I always wanted to spend a week or two in Finland…).

The registration process was a bit weird, because the organizers wanted to know private data without even trying to make clear what they are used for. In fact, the only thing I could see (even from a retro perspective) is to collect the data. As I’ve stated in a mail buried in this thread, I don’t really like that for several reasons and I hope that the next organization committee will not collect absolutely necessary data.

The first day began with a RMS keynote for me. I expected it to be really bad because for some reason the people say that RMS’ talks are boring, stubborn and repetitive. I’ve never heard a RMS talk before and I couldn’t apply any of these criticisms to his talk. In fact, I really liked and enjoyed it, although it was not necessarily pleasant to listen to because he disagrees with our decisions: He doesn’t like to see new applications being written in C# because the Software Freedom Law Center doesn’t think that the Community Promise guarantees that Microsoft will not charge patent fees. I am not into that topic but I believe that the SFLC does a good job. And I also trust the SFLC more than I trust Microsoft. So it’s not about patents in general (which should be abolished anyway) but rather about not putting too much weight onto our Desktop so that we can get rid of C# apps easily in case of fire^W ugly patent stuff. And I don’t know what’s not clear about that: As the risk seems to be there and we want to have a free desktop in the future, we have to watch out now to not fall into a Bitkeeper trap.

I also don’t agree with travis or lefty who think the reference to an EMACS virgin is sexist or mixing different topics (software freedom and religion in this case) is unhealthy. RMS clearly referred to the Christian church and its habits, so if there is anything bad, it’s to be sought in these circles. Also, virtually everyone cheered after RMS’ performance. And I wouldn’t go that far and call all the audience sexist. Actually, I dislike the idea of (computer) engineers answering sociologists’ questions for the same reason I don’t ask a sociologist in case of computer trouble (I like it, when they think, talk and discuss about it though). From an intersectional point of view, I’d ask whether the strong focus on women is actually sexist, because there is clearly more than one domain we have minorities in. Take Blacks, Jews, Disabled or Queers or people with an inside out belly button for example. By constantly reciting that women are a minority, we could actually harden this situation instead of making it disappear. I could actually write a paper about it, as I need one for university anyway to finish my Gender Studies.

The parties were all awesome, thanks to Canonical, Nokia, Igalia and Collabora who really know how to throw a good party. I wonder why Google didn’t show up though.

I also have to thank the GNOME foundation for sponsoring my trip to Gran Canaria! It’s really good to see that my contributions are valued and that I can improve them by attending various talks and sessions. This year was especially useful because we could attend the KDE people’s sessions. I especially enjoyed being at the KDE bugsquad sessions to share and improve ideas.
Sponsored by GNOME!

Although I took some photos, I won’t upload them to Flickr, but the people seem to tag their photos with “gcds” or “guadec”. I have looked through a couple of them and they seem to be all good. But I couldn’t make it through all of them as there are way too many.

Two major drawbacks were the relocation of the conference and the Internet connectivity during the event: We moved from the rather central Alfredo Kraus Auditorium to the suburban University on the fourth day or so. That was inconvenient because it took ages to get there. The Internet thing is totally unrelated to the organizers, but left a bad taste anyway. The uplink was totally broken with a packet loss of up to 75% in “So6-0-0-0-grtmadno1.red.telefonica-wholesale.net”.

I’m looking forward to next year’s GUADEC or maybe “TDS”… 🙂

This work by Muelli is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported.