Now, I’m not arguing that selling counterfeit goods should be allowed. The recent seizure however, where neither the claimed offenders, nor their domain registrars have been notified, represents a way of conducting law enforcement that just doesn’t belong in a modern society.

The seizure have been done through ICANN, the organization responsible for maintaining top-level domains and root DNS servers. Since ICANN is responsible for all the major top-level domains, there is no reason not to expect this happening again in the future. Likely targets are of course the popular download sites around. However, more worryingly is the fact that this opens for the possibility to seize other “problematic” domains such as whistle-blowing Wikileaks. (Hey, no reason secretly graded documents aren’t copyrighted, so the same reasons could be used here).

There are of course a number of ways to circumvent this, as currently the only thing being seized is the domain names, and not the servers’ internet access or IP addresses:

I’ve seen tips in comment fields here and there to just use the site’s IP address instead of it’s domain name. This is problematic however as many servers are serving up multiple sites using virtual hosts. This means that for the server to know which of the sites you want to access, you need to supply it with a name for that site. This is done by your browser when you go to an address, as it passess along the original name you supplied in the location bar in an HTTP header. What you can do however, is override how your computer resolves a given domain name to it’s IP address by manually adding an entry in your hosts file or setting up a local DNS server to propagate your changes to your entire local network.

Editing your hosts file

This file can be found at different places in different operating systems:

Linux: /etc/hosts
Windows: <Windows Folder>system32\drivers\etc\hosts
MacOS: /private/etc/hosts

This file can be edited with a normal text editor such as notepad or gedit. To point a domain to a specific IP address just add a line containing the IP address and domain name separated by whitespace. E.g.:

91.194.60.32 wikileaks.org

Now your computer will not be affected by any changes done to the DNS system for this domain.

DNSMasq

There are also a number of alternative DNS services around, or you can set up your own DNS server for your local network where you supply some addresses you don’t want to change, and forward the rest to higher level DNS servers. A simple and easy way to do this on a Linux system is through dnsmasq.

Dnsmasq can be installed on a Debian or Ubuntu system using by fetching the dnsmasq package (aptitude install dnsmasq). Dnsmasq automatically uses your system’s default dns settings from /etc/resolv.conf. You can add specific entries yourself by adding a line such as

address=/wikileaks.org/91.194.60.32

to your /etc/dnsmasq.conf file. (You probably have to restart dnsmasq after changing the file, so do a service restart dnsmasq or similar, depending on your system)

Now just set up your local computers to use the server running dnsmasq as DNS server and you should be good to go.

Cory Doctorow did a great job of describing how public key encryption works in his book “Little Brother”, so I won’t reinvent the wheel, but instead give you his words:

In public key crypto, each user gets two keys. They’re long strings of mathematical gibberish, and they have an almost magic property. Whatever you scramble with one key, the other will unlock, and vice-versa. What’s more, they’re the *only* keys that can do this — if you can unscramble a message with one key, you *know* it was scrambled with the other (and vice-versa).
So you take either one of these keys (it doesn’t matter which one) and you just *publish* it. You make it a total *non-secret*. You want anyone in the world to know what it is. For obvious reasons, they call this your “public key.”

The other key, you hide in the darkest reaches of your mind. You protect it with your life. You never let anyone ever know what it is. That’s called your “private key.” (Duh.)

Now say you’re a spy and you want to talk with your bosses. Their public key is known by everyone. Your public key is known by everyone. No one knows your private key but you. No one knows their private key but them.

You want to send them a message. First, you encrypt it with your private key. You could just send that message along, and it would work pretty well, since they would know when the message arrived that it came from you. How? Because if they can decrypt it with your public key, it can *only* have been encrypted with your private key. This is the equivalent of putting your seal or signature on the bottom of a message. It says, “I wrote this, and no one else. No one could have tampered with it or changed it.”

Unfortunately, this won’t actually keep your message a *secret*. That’s because your public key is really well known (it has to be, or you’ll be limited to sending messages to those few people who have your public key). Anyone who intercepts the message can read it. They can’t change it and make it seem like it came from you, but if you don’t want people to know what you’re saying, you need a better solution.

So instead of just encrypting the message with your private key, you *also* encrypt it with your boss’s public key. Now it’s been locked twice. The first lock — the boss’s public key — only comes off when combined with your boss’s private key. The second lock — your private key — only comes off with your public key. When your bosses receive the message, they unlock it with both keys and now they know for sure that: a) you wrote it and b) only they can read it.

- Little Brother by Cory Doctorow, available under a Creative Commons Attribution-Noncommercial-ShareAlike license

To employ this theory we are going to use the de facto standard for message encryption and signing; OpenPGP. OpenPGP is a widely supported in all major email applications and operating systems. In these examples we will use GPG – Gnu Privacy Guard – available in in Ubuntu in the gnupg package (installed by default). GPG is a free, open source application that uses the OpenPGP standard. For the usage examples we will use Mozilla Thunderbird with the OpenPGP plugin Enigmail.

Creating a key

The first step is to create your very own privat/public key pair. This can be done by the command:

gpg --cert-digest-algo=SHA256 --default-preference-list="h10 h8 h9 h11 s9 s8 s7 s3 z2 z3 z1 z0" --gen-key

In detail, this example tells gpg to use the SHA256 algorithm when signing other people’s keys (–cert-digest-ago=SHA256),

more about this later on, in the “ring of trust” section. Then –default-preference-list tells gpg what preferences to use for encryption and hashing, for the specifics of the values see this page. Lastly we tell gpg to generate the keys using the –gen-key command.

After you have issued the command you will be presented with a fairly self-explanatory wizard. If you are still unsure, you should select  RSA and RSA (default) as key type, and use the standard values for key size and key duration (2048 and unlimited). After that enter your information and password when asked, and your key will be created.

Take a note of the key ID in the final output of the process on the “gpg: key ABABABAB marked ….” line. (here ABABABAB would be your key ID.)

The public and private keys you created are now stored in your private keyring. This means that GPG can access and use them when needed. To be able to use your key pair though, there are still more to do:

Spreading your public key

This step will upload the newly created key to Ubuntu’s key servers. This is Doctorow’s previously described action of spreading your key for everyone to know. When a key server has received your key, it will be propagated through the internet to all the other key servers, and people will be able to download it from there.

gpg --send-keys --keyserver keyserver.ubuntu.com 6A9212EB

Your key can also be exported and spread through other means, e.g. put on your website, given to friends etc. For more information on this, see the “Moving, backing up and sending your key” section further down.

Using Thunderbird to read and send encrypted messages

First you have to install Thunderbird, as well as the Enigmail plugin. In Ubuntu this can be done by installing the thunderbird and enigmail packages:

sudo aptitude install thunderbird enigmail

If you are using another package management system or use another operating system, you can download them from the above links.

You can configure Enigmail under the OpenPGP option in the Thunderbird menus. In my case, Enigmail automatically detected the gpg exectuables and everything was good to go. When you first write an email and want to encrypt or sign it, Enigmail will prompt you for which key to use, and you can select your previously created key from a nice list.

When you recieve an encrypted or signed email from someone who’s public key you have, or who’s key is residing on a keyserver on the internet (Enigmail is automatically set up to check a large amount of them), email messages are automatically decrypted, and Enigmail shows you a nice notification about who they key used belongs to.

A decryptet message in Thunderbird, note the green bar.

Moving, backing up and sending your key

To get a copy of your public key to send to your friends or put on your website, you can use the command

gpg --export -a ABABABAB > public_key.asc

This will export your key in ASCII representation to a file called public_key.asc. If you just want to print the key to the command line for copy-pasting you can skip the “> public_key.asc” part.

To export your private key for backup purposes and for use on your other computers you can use the command:

gpg --export-secret-key -a ABABABAB > secret_key.asc

Do note that this key is strictly personal and should be kept extremely private. Stick it on a USB drive, preferably encrypted, and stick it in a safe or lock box. Also note that if you ever lose this key – or the password you used to create it – your public key will be useless as you can never decrypt anything encrypted by it. This is extremely important.

To import someone’s public key you can issue this command:

gpg --import some_public_key.asc

To import your private key on another computer, e.g. if you have multiple computers or are upgrading to a new one:

gpg --import --allow-secret-key-import your_secret_key.asc

Help, I’ve lost my private key!

If you ever lose your private key, or someone steals your computer and gets a hold of it a nice feature is in place to have it revoked. To be able to do this, you have to create a revocation key while you still have your key, so you should do this as soon as possible. To create a revocation key:

gpg --gen-revoke ABABABAB > revocation_key.asc

This key is also strictly personal, and should be kept hidden away. Do not store a single copy along with your other keys, as you need to have this key in case your computer gets stolen and you must revoke your key.

To use this key to revoke your key, simply import it to your keyring and upload it to a key server like you did earlier on, or upload it directly to a key server that supports doing that (some key servers will allow you to upload it in a web interface or similar)

Web of trust

Another cool feature in OpenPGP is key signing. This is the process of signing another persons key with your own. This tells everyone that you vouch for his or her key belonging to whom it says. A random key found on the internet can of course come from anyone, but if that key says that Sarah trusts it, and Sarah’s key says Jake trusts it, and you personally know Jake, then that key just became a lot more reliable. For key signing to work properly though, it should only be done with people who know each other and can verify the other person’s identity – and ideally, only in a “real life” setting where both parts are gathered.

To read more about key signing and web of trust take a look at the Ubuntu Wiki’s article on GPG and the GNU Privacy Handbook.

References

During the making of this article I’ve learned and transcribed a lot from other sources, notably:

• Ubuntu Wiki article on Gnu Privacy Guard
• Cory Doctorow’s Little Brother
• The GNU Privacy Handbook
• Eric Howe’s Privacy & Security Page on GPG Key Management

The last year or so I have to a large degree migrated most of my data over to external hosting such as Google Mail, Calendar, Wave, Contacts and Docs. My day to day work items go in a Dropbox folder allowing easy synchronization, backup and basic revision control. Some of my programming projects are hosted on Github and Bitbucket, and my website is hosted at Dreamhost.

All these services have given me a workflow in my day to day life that is wonderful. My email is pushed to my Android phone the moment it arrives in my Gmail, my contacts synchronize automatically between all my devices, my friend’s birthdays are delivered straight to my phone from Facebook, and basically I don’t have to do jack to get it to work.

I’ve been interested in matters of free software, privacy, freedom of speech etc. for a long time, but see myself as a pragmatic guy, and have done a very conscious choice choosing convenience over privacy lately. For now I have now data that I’m all that afraid of anyone seing, so convenience has been well worth it.

Just recently however I read Cory Doctorow’s youth novel ‘Little Brother’. It was a great book, and I read it cover to cover in two sittings. The book brings up a lot of very interesting – and serious – issues  that I believe most people use way to little time thinking about. These issues are wrapped in an entertaining story and as rarely seen in entertainment – very realistic depictions of technology.

‘Little Brother’ really sparked my interest in privacy and security again, and when I read about the American government illegally conducting espionage targeting Norwegian citizens I just couldn’t resist writing up some posts on the subject.

Over my next few blog posts I want to create a series of informational posts about some simple but important concepts of personal privacy and security measures anyone can start using. Such measures are of interest both in an idealogical perspective, as well as securing your data from possible threats such as a laptop or cell phone theft, network sniffing or people trying to break in to your computer. I also want to touch on the subject of open data formats and why that is a good thing.

Many of these subjects are widely discussed and described on the internet, but few articles seems to describe, what, why and how together and in a simple and understandable manner. That will be my goal in this series, and currently my plans for the topics are:

1. Securing and making your messages trustworthy
   Taking a look at private/public key par encryption using OpenPGP
2. Securing your data to prevent theft and snooping.
   Looking at various ways to encrypt data, including full drive and block file schemes and some insights into nested encryption layers and what they can accomplish.
3. Things you should know about using internet in the public.
   How people sniff your traffic and what you should think about when you surf the net, including topics such as SSL, open wireless networks and password, cookie and information sniffing.
4. Considerations you should have in mind when writing your documents and storing your media files.
   Proprietary vs open data formats, programs and digital rights management schemes on video and music.

I recently bought a HP MediaSmart EX490 for use as a home backup- and media server. In my eagerness to getting a new plaything however – I only looked at the pros:

• Great form factor for a home server staying in the living room
• Room for 4 front-swappable hard drives (which is great considering the tiny size of this thing)
• Next to no noise, and very cheap.

Now, Windows Home Server is a great home server operating system, but Linux is what really rocks my boat, so I started thinking about how to get Linux on this box even before ever booting the pre-installed Windows Server.

Problem is though, there are a couple of small quirks with the MediaSmart.

1. It’s completely headless – i.e. no chance of connecting a monitor (not really a problem, but a minor hassle)
2. According to the almighty internet, the network card (a SiS191) isn’t supported by the default SiS190 drivers.

These two problems combined makes installing Linux a tad bit harder than normal, but still a fairly trivial exercise.

My plan

Move the hard drive to my main desktop computer, install Ubuntu, recompile a set of drivers that works with the bundled network card, install an SSH server and kick back while enjoying my newfound sense of accomplishment and a new box for downloading all those Linux ISO’s.

The procedure

First of all I headed over to the Ubuntu pages for a copy of their Ubuntu 10.04 installation CD. The computer I was installing from doesn’t have a CD/DVD drive, so I created a USB boot disk using UNetbootin

While the Ubuntu image was downloading I removed the system drive from the MediaSmart. The disk tray for this drive is originally locked, and no key is bundled with the server, but it’s easy to open using a small screwdriver or kitchen knife. I then installed the drive in my other computer and waited for the UNetbootin to do it’s job.

Installing Ubuntu is probably one of the easiest tasks in the world, so no need to go into details there. I decided to install Ubuntu on the free space of the drive, leaving the Windows Home Server partition alone. I haven’t tried booting the Windows partition yet, and I certainly hope they haven’t bundled any stuff that will wipe the rest of the drive and create storage space in case I ever decide to boot that partition up.

While installing Ubuntu I read up a bit concerning the drivers for the SiS191 network card, finding some comments suggesting that it was now supported in the sis190 module. I decided to try and move the disk back immediately, hoping that it would work out of the box.

It did. So, to all of you who are thinking about installing Linux on one of these puppies: There is no problem with the hardware, at least if you’re using the Ubuntu 10.04 stock kernel (2.6.32) or newer, and probably a lot of older ones as well.

After having installed Ubuntu on the hard drive, there is one important step to remember before migrating the disk back to it’s original home: Remote management.

To install the openSSH server on Ubuntu, do a simple:

sudo aptitude install openssh-server

verify that the SSH server is running and that you can connect (you can with the default user you create when installing Ubuntu) and shut down the computer. Move the disk back to the MediaSmart and collect the winnings

If the SSH server isn’t running by standard for some reason, you can enable it using the command:

sudo update-rc.d ssh defaults

If you have control of your own switch/router you should easily be able to get a hold of the ip-address for your server from there. If this will pose a problem, you might consider setting up a static IP configuration before you move the drive back, or simply start port scanning your servers subnet until something answers.

If your network interface doesn’t start up automatically, make sure it is enabled in /etc/network/interfaces

Either for DHCP:

auto eth0
iface eth0 inet dhcp

or with static configuration:

auto eth0
iface eth0 inet static
address 192.168.1.33
netmask 255.255.255.0
network 192.168.1.1
broadcast 192.168.1.255
gateway 192.168.1.1

And make sure to adjust the values to something that’s relevant for you own network setup.

Next steps now are filling the last three drive slots, setting up a proper RAID array and let that server serve!

Edit November 10th 2010: Thanks to Guy in the comments for pointing out that he experienced problems with the SSH server and the network interfaces not coming up automatically. I have now added that to the tutorial as well if anyone else should experience problems.

I decided to write up a blog post on the subject to try and retrieve some feedback and opinions from others, but ultimately ended up postponing it indefinitely.

This summer though, the same conversation came up during lunch, and my interest was sparked again, so I finally decided to write up some of my thoughts.

The problem

Programming/Informatics is hard. Both for us – “the experts” – but even more so for those never exposed to our way of thinking. Even trying to explain the problems we try to solve every day can sometimes be hard.

“What? Why can’t you just click a button and the computer will make that fancy word processing tool for you? Isn’t  it just there? Kinda like all that great meat that is grown in our grocery stores?”

- Almost true story.

So up until last year every time someone asked me what I was studying, the conversation usually went something like this:

Parent/Cute girl/Someone from my High School/Whoever: So, what do you do?
Me: Informatics. I love that stuff!
Them: Wow, that sounds exciting. What does that mean?

At this point, after having tried to explain this a thousand times before, always ending up with them thinking I live in a basement hacking kernels and playing WoW, i usually just ended up doing some typing gestures with my hands while saying “compuuuters” with a bored voice, and then changing the subject to whatever generally exciting subject I could come up with as soon as possible.

After reflecting upon this a bit I realized that this behavior both made me look boring, and made me seem like I wasn’t proud of what I do. In short:

• I’m boring.
• My field of study/work is boring.
• I’m not proud of what I’m doing, something that makes me even more boring!
• Not reflecting pride concerning what I do could even be a slippery slope towards not having pride. Fake it till you make fail at it.

My Solution

Needless to say, I love computers. I love programming, and I love studying informatics. So I decided to come up with something like an elevator pitch for what I do (probably way to much of) every day.

Now when I’m asked I usually go into the wonders of all our modern gadgets and how every possible item in our society is run by computers, and that we programmers – we make that happen! Everything from Facebook to OpenOffice.org, even your watch or cell phone contains lots of technology, and someone gotta make that stuff behave. That’s my job.

Instead of trying to explain programming, discrete mathematics and algorithms I now go on about the concepts and problems we have to solve, on a much higher level than what I used to, and I love the way it has made me more aware of being proud of studying something as awesome as informatics.

Now my question is: How do YOU describe your work as a developer/computer geek?

unrar p -inul some_multipart.rar | mplayer -

like I’ve often done before, giving me errors like this instead:

Cannot seek backward in linear streams!
Seek failed

This behaviour has probably existed for a while, however I haven’t noticed it before since I’ve actually been using a workaround for this anyways. To play streams from stdin, a quick fix is to set cache size manually. E.g. like this:

unrar p -inul some_multipart.rar | mplayer - -cache 8092

Cache size can be set to whatever you like it to it seems, so feel free to customize it to your own preferences and bandwith.

Currently I’m working on Capgemini’s Summer of Code project in Trondheim, where I’m having a blast. We’re creating a great product, the team I’m working with is excelent – both technically and socially – and the reception from the employees at Capgemini have also been great.

I’m really learning a lot about a bunch of Microsoft technologies these days, including TeamFoundation Server, Silverlight 3 and .NET in general. I’m going to get down and dirty and write a post about some of my experiences working on the Windows platform again any day now. For those of you who don’t know me, I’m a Linux user, and all this Microsoft stuff is pretty new to me, so hopefully there’s going to be quite a lot to write about.