Planet Larry

Clete Blackwell: Banning IPs on DD-WRT Based on Failed SSH Authentication

Fri, 28 Nov 2014 15:28:44 +0000

In response to literally thousands of failed SSH attempts from china, I have written a Python script to automate blocking IPs that fail authentication.

It is a VERY dirty Python script. It reads syslog from my router, finds the IPs that have failed SSH authentication to my router, and adds a firewall rule to block them.

1. nvram get rc_firewall
2. Scan syslog for bad authentication
3. Build list of IPs in syslog but not in rc_firewall
4. scp file containing new rc_firewall
5. Apply new rc_firewall, commit, and reboot the router

It’s nasty right now, but it works!

https://github.com/Clete2/DD-WRT-Ban-IP

This all assumes a very specific setup:

1. SSH is enabled

2. syslog is logging to an external server

3. The account you run this script on has public key authentication setup with the router

Sven Vermeulen: No more DEPENDs for SELinux policy package dependencies

Sun, 02 Nov 2014 12:51:49 +0000

I just finished updating 102 packages. The change? Removing the following from the ebuilds:

DEPEND="selinux? ( sec-policy/selinux-${packagename} )"

In the past, we needed this construction in both DEPEND and RDEPEND. Recently however, the SELinux eclass got updated with some logic to relabel files after the policy package is deployed. As a result, the DEPEND variable no longer needs to refer to the SELinux policy package.

This change also means that for those moving from a regular Gentoo installation to an SELinux installation will have much less packages to rebuild. In the past, getting USE="selinux" (through the SELinux profiles) would rebuild all packages that have a DEPEND dependency to the SELinux policy package. No more – only packages that depend on the SELinux libraries (like libselinux) or utilities rebuild. The rest will just pull in the proper policy package.

Sven Vermeulen: Using multiple priorities with modules

Fri, 31 Oct 2014 16:24:09 +0000

One of the new features of the 2.4 SELinux userspace is support for module priorities. The idea is that distributions and administrators can override a (pre)loaded SELinux policy module with another module without removing the previous module. This lower-version module will remain in the store, but will not be active until the higher-priority module is disabled or removed again.

The “old” modules (pre-2.4) are loaded with priority 100. When policy modules with the 2.4 SELinux userspace series are loaded, they get loaded with priority 400. As a result, the following message occurs:

~# semodule -i screen.pp
libsemanage.semanage_direct_install_info: Overriding screen module at lower priority 100 with module at priority 400

So unlike the previous situation, where the older module is substituted with the new one, we now have two “screen” modules loaded; the last one gets priority 400 and is active. To see all installed modules and priorities, use the --list-modules option:

~# semodule --list-modules=all | grep screen
100 screen     pp
400 screen     pp

Older versions of modules can be removed by specifying the priority:

~# semodule -X 100 -r screen

Sven Vermeulen: Migrating to SELinux userspace 2.4 (small warning for users)

Thu, 30 Oct 2014 17:44:49 +0000

In a few moments, SELinux users which have the ~arch KEYWORDS set (either globally or for the SELinux utilities in particular) will notice that the SELinux userspace will upgrade to version 2.4 (release candidate 5 for now). This upgrade comes with a manual step that needs to be performed after upgrade. The information is mentioned as post-installation message of the policycoreutils package, and basically sais that you need to execute:

~# /usr/libexec/selinux/semanage_migrate_store

The reason is that the SELinux utilities expect the SELinux policy module store (and the semanage related files) to be in /var/lib/selinux and no longer in /etc/selinux. Note that this does not mean that the SELinux policy itself is moved outside of that location, nor is the basic configuration file (/etc/selinux/config). It is what tools such as semanage manage that is moved outside that location.

I tried to automate the migration as part of the packages themselves, but this would require the portage_t domain to be able to move, rebuild and load policies, which it can’t (and to be honest, shouldn’t). Instead of augmenting the policy or making updates to the migration script as delivered by the upstream project, we currently decided to have the migration done manually. It is a one-time migration anyway.

If for some reason end users forget to do the migration, then that does not mean that the system breaks or becomes unusable. SELinux still works, SELinux aware applications still work; the only thing that will fail are updates on the SELinux configuration through tools like semanage or setsebool – the latter when you want to persist boolean changes.

~# semanage fcontext -l
ValueError: SELinux policy is not managed or store cannot be accessed.

~# setsebool -P allow_ptrace on
Cannot set persistent booleans without managed policy.

If you get those errors or warnings, all that is left to do is to do the migration. Note in the following that there is a warning about ‘else’ blocks that are no longer supported: that’s okay, as far as I know (and it was mentioned on the upstream mailinglist as well as not something to worry about) it does not have any impact.

~# /usr/libexec/selinux/semanage_migrate_store
Migrating from /etc/selinux/mcs/modules/active to /var/lib/selinux/mcs/active
Attempting to rebuild policy from /var/lib/selinux
sysnetwork: Warning: 'else' blocks in optional statements are unsupported in CIL. Dropping from output.

You can also add in -c so that the old policy module store is cleaned up. You can also rerun the command multiple times:

~# /usr/libexec/selinux/semanage_migrate_store -c
warning: Policy type mcs has already been migrated, but modules still exist in the old store. Skipping store.
Attempting to rebuild policy from /var/lib/selinux

You can manually clean up the old policy module store like so:

~# rm -rf /etc/selinux/mcs/modules

So… don’t worry – the change is small and does not break stuff. And for those wondering about CIL I’ll talk about it in one of my next posts.

Jason Jones: Seek God Sooner

Tue, 21 Oct 2014 22:20:09 +0000

So, I thought I'd write something down that happened today.

For those of you who know me, I'm a pretty laid-back, easy-going type of guy.

My wife and I went to sleep quite late, mostly because we couldn't stop talking and laughing with one another (not an uncommon occurrence, unfortunately), and also unfortunately, we were woken up early by all of our fire alarms going off in unison. There was no fire. This also is not an uncommon occurrence (we've got to figure that one out).

Anyway, I couldn't get back to sleep after that, and due to my sleepiness, I had, what turned out to be one of the most frustratingly rotten days of my life today. My main studio and programming computer decided to have a myriad of uncommon issues, which due to my sleepiness, were uncommonly difficult for me to solve. I also had planned on working extra hours today on my programming project, which couldn't happen due to the various computer problems.

This lasted for about 5 hours.

After dinner, I had a recording session with a client, and thankfully, that went very well. After the recording session, it was about 9:15pm, and I still had hours of programming work to do.

With a sigh, I sat down to start programming, and remembered that earlier this morning, after my morning prayer, I hadn't studied my scriptures as I did every morning. So I decided to do that before programming tonight.

I can't tell you how much that one decision changed my entire demeanor. All the frustrations melted away as I felt the Spirit of God course into my heart as I listened to the words of General Conference.

Immediately after, I knelt down to thank God, and found myself being gently reminded that I had not done it earlier, and that if I had done it earlier, my day would have gone much, much better.

It's now easier to concentrate, get focused, and I'm ready to get down and code for the next few hours. Happily.

I love this Gospel. The simple truths can change lives.

Matija Šuklje: My very first commit to KDE

Sat, 04 Oct 2014 11:20:00 +0000

Hello world Planet!

My name is Matija Šuklje ¹, but geeks call me Hook ². I have been lurking around KDE and using it since its 2.x (or 1.x) times and in the many years mostly contributed by submitting nasty bug reports ³, suggesting crazy ideas and here and there helping translate KDE software into my mother tongue – Slovenian.

As a (very soon to be) lawyer with very limited coding skills, that is as much as I could have done for the community so far.

But in the past years, I got lucky and got employed by the FSFE to lead the FSFE Legal team. Since the FLA that KDE e.V. uses was made in tight cooperation with FSFE, I finally ~~had an excuse to go to Akademy~~ found a way to help out the KDE community with my skills and hold a lightning talk on how the FLA works and why KDE gearheads should sign it (video).

My very first commit to KDE ☺

After helping with a recent local KDE translation sprint, Andrej Mernik suggested that I should ask for direct commit access to the KDE localisations SVN, so I do not bug him or Andrej Vernekar to commit translations for me.

So I did, and Andrej Vernekar later supported my application and shortly thereafter Víctor Blázquez welcomed me with a nice new developer package. It is great to see the KDE community so welcoming to newcomers! ☺

Excited by my new powers, as soon as time let me, I fired up the trusty ⁴ Lokalize and started translating some of the packages that have been in my ToDo list for a long time now.

Just a few hiccups with my OpenPGP card setup, and the first ever commit to KDE repositories, signed with my name, was on-line. Ah, what a thrill!

Sign(ed) the FLA

Haha!

you might think,

Now we have you! Have you signed the FLA that you tell us all is such a great idea?

… and you would have all the reasons to ask.

And the answer is: Yes, of course, I contacted KDE e.V., where Albert Astals Cid answered me, I printed the copies, signed and sent them just a week after my first commit!

While I was filling it out, I did realise that the document needs to be a bit easier to read and understand. So I took notes of that and in the relatively near future am going to try to come up with a few suggestions how to make the FLA even better ⁵. This also means, I would very much welcome any feedback from the wider community on the text.

hook out → I wish I had time to go to Akademy 2014 as well …see you next year!

I know it not easy to pronounce. Matija is the Slovenian equivalent of Matthias (and is pronounced the same, just drop the S). As for Šuklje, it sounds a bit like “shoe kle” in “shoe kleptomaniac”, but has nothing to do with it. ↩
On FreeNode I go under the nickname silver_hook and for other ways to get in touch, feel free to check my contacts page. ↩
I have a knack for finding bugs – in digital as well as real life. One of the funnier occasions was at Akademy 2013, where I managed to find and coherently replicate a bug in one of the elevators in the place where most of participants were staying. Together with David E. “DMaggot” Narváez we also found a workaround and submitted the bug to the local person in charge. ↩
Lokalize might slowly be in need of a few visual improvements and better documentation, but it still is an awesome tool for localisation. ↩
Full disclaimer: The FLA is part of my work for FSFE as well as the topic of my LLM thesis. ↩

Ciaran McCreesh: Paludis 2.2.0 Released

Wed, 01 Oct 2014 18:05:51 +0000

Paludis 2.2.0 has been released:

Bug fixes.
Compilation fixes for Clang.
Added ‘cave resolve –chroot-path’.
Removed the “breaks Portage” feature.

Filed under: paludis releases Tagged: paludis

Sven Vermeulen: After SELinux System Administration, now the SELinux Cookbook

Wed, 24 Sep 2014 18:10:46 +0000

Almost an entire year ago (just a few days apart) I announced my first published book, called SELinux System Administration. The book covered SELinux administration commands and focuses on Linux administrators that need to interact with SELinux-enabled systems.

An important part of SELinux was only covered very briefly in the book: policy development. So in the spring this year, Packt approached me and asked if I was interested in authoring a second book for them, called SELinux Cookbook. This book focuses on policy development and tuning of SELinux to fit the needs of the administrator or engineer, and as such is a logical follow-up to the previous book. Of course, given my affinity with the wonderful Gentoo Linux distribution, it is mentioned in the book (and even the reference platform) even though the book itself is checked against Red Hat Enterprise Linux and Fedora as well, ensuring that every recipe in the book works on all distributions. Luckily (or perhaps not surprisingly) the approach is quite distribution-agnostic.

Today, I got word that the SELinux Cookbook is now officially published. The book uses a recipe-based approach to SELinux development and tuning, so it is quickly hands-on. It gives my view on SELinux policy development while keeping the methods and processes aligned with the upstream policy development project (the reference policy).

It’s been a pleasure (but also somewhat a pain, as this is done in free time, which is scarce already) to author the book. Unlike the first book, where I struggled a bit to keep the page count to the requested amount, this book was not limited. Also, I think the various stages of the book development contributed well to the final result (something that I overlooked a bit in the first time, so I re-re-reviewed changes over and over again this time – after the first editorial reviews, then after the content reviews, then after the language reviews, then after the code reviews).

You’ll see me blog a bit more about the book later (as the marketing phase is now starting) but for me, this is a major milestone which allowed me to write down more of my SELinux knowledge and experience. I hope it is as good a read for you as I hope it to be.

Sven Vermeulen: Showing return code in PS1

Sat, 30 Aug 2014 23:14:12 +0000

If you do daily management on Unix/Linux systems, then checking the return code of a command is something you’ll do often. If you do SELinux development, you might not even notice that a command has failed without checking its return code, as policies might prevent the application from showing any output.

To make sure I don’t miss out on application failures, I wanted to add the return code of the last executed command to my PS1 (i.e. the prompt displayed on my terminal).
I wasn’t able to add it to the prompt easily – in fact, I had to use a bash feature called the prompt command.

When the PROMPT_COMMMAND variable is defined, then bash will execute its content (which I declare as a function) to generate the prompt. Inside the function, I obtain the return code of the last command ($?) and then add it to the PS1 variable. This results in the following code snippet inside my ~/.bashrc:

export PROMPT_COMMAND=__gen_ps1
 
function __gen_ps1() {
  local EXITCODE="$?";
  # Enable colors for ls, etc.  Prefer ~/.dir_colors #64489
  if type -P dircolors >/dev/null ; then
    if [[ -f ~/.dir_colors ]] ; then
      eval $(dircolors -b ~/.dir_colors)
    elif [[ -f /etc/DIR_COLORS ]] ; then
      eval $(dircolors -b /etc/DIR_COLORS)
    fi
  fi
 
  if [[ ${EUID} == 0 ]] ; then
    PS1="RC=${EXITCODE} \[\033[01;31m\]\h\[\033[01;34m\] \W \$\[\033[00m\] "
  else
    PS1="RC=${EXITCODE} \[\033[01;32m\]\u@\h\[\033[01;34m\] \w \$\[\033[00m\] "
  fi
}

With it, my prompt now nicely shows the return code of the last executed command. Neat.

Edit: Sean Patrick Santos showed me my utter failure in that this can be accomplished with the PS1 variable immediately, without using the overhead of the PROMPT_COMMAND. Just make sure to properly escape the $ sign which I of course forgot in my late-night experiments :-(.

Dan Ballard: OpenSSH + 2 and 3 factor auth

Sat, 30 Aug 2014 16:01:03 +0000

How To Protect SSH With Two-Factor Authentication: Setup google authentication + password login via openssh
Three-factor authentication with OpenSSH, Google Authenticator and Password: Two factor authentication + pubkey authentication for openssh

Sven Vermeulen: Gentoo Hardened august meeting

Fri, 29 Aug 2014 14:43:22 +0000

Another month has passed, so we had another online meeting to discuss the progress within Gentoo Hardened.

Lead elections

The yearly lead elections within Gentoo Hardened were up again. Zorry (Magnus Granberg) was re-elected as project lead so doesn’t need to update his LinkedIn profile yet ;-)

Toolchain

blueness (Anthony G. Basile) has been working on the uclibc stages for some time. Due to the configurable nature of these setups, many /etc/portage files were provided as part of the stages, which shouldn’t happen. Work is on the way to update this accordingly.

For the musl setup, blueness is also rebuilding the stages to use a symbolic link to the dynamic linker (/lib/ld-linux-arch.so) as recommended by the musl maintainers.

Kernel and grsecurity with PaX

A bug has been submitted which shows that large binary files (in the bug, a chrome binary with debug information is shown to be more than 2 Gb in size) cannot be pax-mark’ed, with paxctl informing the user that the file is too big. The problem is when the PAX marks are in ELF (as the application mmaps the binary) – users of extended attributes based PaX markings do not have this problem. blueness is working on making things a bit more intelligent, and to fix this.

SELinux

I have been making a few changes to the SELinux setup:

The live ebuilds (those with version 9999 which use the repository policy rather than snapshots of the policies) are now being used as “master” in case of releases: the ebuilds can just be copied to the right version to support the releases. The release script inside the repository is adjusted to reflect this as well.
The SELinux eclass now supports two variables, SELINUX_GIT_REPO and SELINUX_GIT_BRANCH, which allows users to use their own repository, and developers to work in specific branches together. By setting the right value in the users’ make.conf switching policy repositories or branches is now a breeze.
Another change in the SELinux eclass is that, after the installation of SELinux policies, we will check the reverse dependencies of the policy package and relabel the files of these packages. This allows us to only have RDEPEND dependencies towards the SELinux policy packages (if the application itself does not otherwise link with libselinux), making the dependency tree within the package manager more correct. We still need to update these packages to drop the DEPEND dependency, which is something we will focus on in the next few months.
In order to support improved cooperation between SELinux developers in the Gentoo Hardened team – perfinion (Jason Zaman) is in the queue for becoming a new developer in our mids – a coding style for SELinux policies is being drafted up. This is of course based on the coding style of the reference policy, but with some Gentoo specific improvements and more clarifications.
perfinion has been working on improving the SELinux support in OpenRC (release 0.13 and higher), making some of the additions that we had to make in the past – such as the selinux_gentoo init script – obsolete.

The meeting also discussed a few bugs in more detail, but if you really want to know, just hang on and wait for the IRC logs ;-) Other usual sections (system integrity and profiles) did not have any notable topics to describe.

Michael Mair-Keimberger: flashing android mobiles on gentoo

noreply@blogger.com (Michael Mair-Keimberger) — Mon, 25 Aug 2014 10:04:58 +0000

This is just a quick tip in case you ever want to flash a mobile phone on gentoo.

If you look at the cyanogenmod howto [1] (in my case for a nexus s) you'll see that you need the tools "adb" and "fastboot" which usually comes with the android sdk. Naturally the howto suggests you to install this sdk, which isn't even available on gentoo.
However if you don't want java and all it's other dependencies on your computer (which is required for the sdk) there is package which installs only those two needed tools. It's called dev-util/android-tools - and it's in portage :)

This is all you need:

* dev-util/android-tools
     Available versions:  (~)0_p20130123
     Homepage:            https://android.googlesource.com/platform/system/core.git/
     Description:         Android platform tools (adb and fastboot)

[1] http://wiki.cyanogenmod.org/w/Install_CM_for_crespo

Sven Vermeulen: Switching to new laptop

Tue, 19 Aug 2014 20:11:24 +0000

I’m slowly but surely starting to switch to a new laptop. The old one hasn’t completely died (yet) but given that I had to force its CPU frequency at the lowest Hz or the CPU would burn (and the system suddenly shut down due to heat issues), and that the connection between the battery and laptop fails (so even new battery didn’t help out) so I couldn’t use it as a laptop… well, let’s say the new laptop is welcome ;-)

Building Gentoo isn’t an issue (having only a few hours per day to work on it is) and while I’m at it, I’m also experimenting with EFI (currently still without secure boot, but with EFI) and such. Considering that the Gentoo Handbook needs quite a few updates (and I’m thinking to do more than just small updates) knowing how EFI works is a Good Thing ™.

For those interested – the EFI stub kernel instructions in the article on the wiki, and also in Greg’s wonderful post on booting a self-signed Linux kernel (which I will do later) work pretty well. I didn’t try out the “Adding more kernels” section in it, as I need to be able to (sometimes) edit the boot options (which isn’t easy to accomplish with EFI stub-supporting kernels afaics). So I installed Gummiboot (and created a wiki article on it).

Lots of things still planned, so little time. But at least building chromium is now a bit faster – instead of 5 hours and 16 minutes, I can now enjoy the newer versions after little less than 40 minutes.

Michael Mair-Keimberger: jumping directly into found results in menuconfig

noreply@blogger.com (Michael Mair-Keimberger) — Sun, 10 Aug 2014 16:36:01 +0000

For those who still use menuconfig for configuring their kernel - there's a neat trick which let you jump directly into a found result.

For example you would like to add a new driver. Usually you go into menuconfig and start searching for it with the "/" shortcut. What you probably not know, after you found your module - like you searched for the "NetXen Multi port Gigabit Ehernet NIC" with just searching for "xen" - you can go directly to the particular config via it's number shortcut:

Search result for "xen"

Notice this line:

The "(5)" is the shortcut. Just press the number 5 on your keyboard and you'll jump directly into the QLogic devices config.
For every found entry there is a number shortcut which let you directly jump into the given config. If you go back with esc-esc <esc><esc>you also go back to the search result.</esc></esc>

I think not many people know this trick and i hope someone can use it for further kernel builds ;)

Sven Vermeulen: Some changes under the hood

Sat, 09 Aug 2014 19:45:22 +0000

In between conferences, technical writing jobs and traveling, we did a few changes under the hood for SELinux in Gentoo.

First of all, new policies are bumped and also stabilized (2.20130411-r3 is now stable, 2.20130411-r5 is ~arch). These have a few updates (mergers from upstream), and r5 also has preliminary support for tmpfiles (at least the OpenRC implementation of it), which is made part of the selinux-base-policy package.

The ebuilds to support new policy releases now are relatively simple copies of the live ebuilds (which always contain the latest policies) so that bumping (either by me or other developers) is easy enough. There’s also a release script in our policy repository which tags the right git commit (the point at which the release is made), creates the necessary patches, uploads them, etc.

One of the changes made is to “drop” the BASEPOL variable. In the past, BASEPOL was a variable inside the ebuilds that pointed to the right patchset (and base policy) as we initially supported policy modules of different base releases. However, that was a mistake and we quickly moved to bumping all policies with every releaes, but kept the BASEPOL variable in it. Now, BASEPOL is “just” the ${PVR} value of the ebuild so no longer needs to be provided. In the future, I’ll probably remove BASEPOL from the internal eclass and the selinux-base* packages as well.

A more important change to the eclass is support for the SELINUX_GIT_REPO and SELINUX_GIT_BRANCH variables (for live ebuilds, i.e. those with the 9999 version). If set, then they pull from the mentioned repository (and branch) instead of the default hardened-refpolicy.git repository. This allows for developers to do some testing on a different branch easily, or for other users to use their own policy repository while still enjoying the SELinux integration support in Gentoo through the sec-policy/* packages.

Finally, I wrote up a first attempt at our coding style, heavily based on the coding style from the reference policy of course (as our policy is still following this upstream project). This should allow the team to work better together and to decide on namings autonomously (instead of hours of discussing and settling for something as silly as an interface or boolean name ;-)

Matija Šuklje: The Jamendo experiment – “week” 1

Fri, 08 Aug 2014 22:00:00 +0000

As forecast in a previous blog post, this is the first "weekly" report from my Jamendo experiment. In the first part I will talk a bit about the player that I use (Amarok), after that will be a short report on where I get my music fix now and how it fares and in the end I will introduce some artists and albums that I found on Jamendo and like.

Amarok 2.0.2 sadly has a bug that makes it lack some Jamendo albums. This makes searching and playing Jamendo albums directly from Amarok a bit less then perfect and forces me to still use Firefox (and Adobe Flash) to browse music on Jamendo. Otherwise Amarok with its version 2.x has become an amazing application or even platform, if you will, not only for playing and organising, but also for discovering new music. You can even mix in the same playlist your local collection with tracks from web services and even streams.

Most of the music I got directly from Jamendo, a bit less I listened online from Magnatune and the rest was streams from Last.FM (mostly from my recommendations). As far as music on Jamendo and Magnatune – both offer almost exclusively CC licensed music – I honestly found it equally as good, if not better, then what conservative record labels and stations offer. This could in part be because of my music taste, but even so, I am rather picky with music. As far as the quality of the sound is concerned, being able to download music in Ogg/Vorbis (quality 7) made me smile and my ears as well. If only I had a better set of headphones!

Now here's the list of artists that I absolutely must share:

Jimmy the Hideous Penguin – Jimmy Penguin is by far my absolute favorite artist right now! His experimental scratching style over piano music is just godly to my ears – the disrhythmia that his scratching brings over the standard hip hop beats, piano and/or electronica is just genius! The first album that made me fall in love was Jimmy Penguin's New Ideas – it starts with six tracks called ff1 to ff6 with already the first one (ff1) showing a nice melange of broken sampling layered with a melody and even over that lies some well placed scratching. The whole album is amazing! From the previously mentioned ff* tracks, I would especially like to put into the limelight apart from ff1, then also ff3 and ff4. The ff6 (A Long Way to Go) and Polish Jazz Thing bare some jazz elements as well, while Fucking ABBA feels like flirting with R&B/UK garage. On the other hand the album Split Decisions has more electronic elements in it and feels a bit more meditative, if you will. The last of his albums that I looked at was Summer Time, which I have not listened to thoroughly enough, but so far I like it a lot and it's nice to see Jimmy Penguin take on even more styles, as the track Jimmy Didn't Name It has some unmistakable Asian influences.

No Hair on Head – very enjoyable lounge/chillout electronica. Walking on Light is the artist's first album and is a collection of some his tracks that he made in the past 5 years. It's great to see that outside mainstream artists are still trying to make albums that make sense – consistent style, but still diverse enough – and this album is just such. The first track Please! is not a bad start into the album, Inducio is also a nice lively track, but I what I think could be hits are the tracks Anywhere You Want and Fiesta en Bogotá – the first one starts rather standard, but then develops into a very nice pop-ish, almost house-like summery electronic song with tongue-in-cheek lyrics; the latter features an accordion and to me feels somehow like driving through Provence or Karst (although Bogotá lies actually in Columbia).

Electronoid – great breakbeat! If you like Daft Punk's album Homework or less popular tracks by the Chemical Brothers, you will most probably enjoy Electronoid (album) as well.

Morning Boy— great mix of post punk with pop-ish elements. On their album For us, the drifters. For them, the Bench, the song Maryland reminds me of Dinosaur Jr., while Whatever reminds me of Joan of Arc with added pop. Although All Your Sorrows is probably the track I like best so far – it just bursts with positive attitude while still being somewhat mellow.

Bilk (archived) – a fast German pop punk with female vocals that limits on the Neue Deutsche Welle music movement from the 80's. Their album Ich will hier raus (archived) is not bad and might even compare to more known contemporary artists like Wir sind Helden. Update: Sadly they removed themselves from Jamendo, they have their own website now, but unfortunately there is no licensing info available about the music.

Ben Othman – so far I have listened to two of his albums – namely Lounge Café Tunis "Intellectuel" and Lounge Café Tunis "Sahria" – they consist of good lounge/chillout music with at times very present Arabic influences.

Silence – this seems like a very popular artist, but so far I only managed to skim through the album L'autre endroit. It seems like a decent mix of trip-hop with occasional electric guitars and other instruments. Sometimes it bares elements of IDM and/or dark or industrial influences. I feel it is too early for me to judge if it conforms my taste, but it looks like an artist to keep an eye on.

Project Divinity – enjoyable, very calm ambiental new age music. The mellowness and openness of the album Divinity is very easy to the ears and cannot be anything else then calming.

SoLaRis – decent goatrance, sometimes wading even into the dark psytrance waters.

Team9 – after listening to some of their tracks on Jamendo, I decided to download their full album We Don't Disco (for free, under CC-BY-SA license) from their (archived) homepage. Team9 is more known for their inventive remixes of better known artists' songs, but their own work at least equally as amazing! They describe themselves as "melodic, ambient and twisted" and compare themselves to "Vangelis and Jean Michel Jarre taking Royksopp and Fad Gadget out the back of the kebab shop for a smoke" – both descriptions suit them very well. The whole album is great, maybe the title track We Don't Disco Like We Used To and the track _Aesthetic Athletics _stand out a bit more because they feel a bit more oldskool and disco-ish then the rest of them, but quality-wise the rest of the tracks is just as amazing!

As you can see, listening only to free (as in speech, not only as in beer) music is not only possible, but quite enjoyable! There is a real alternative out there! Tons of great artists out there are just waiting to be listened to – that ultimately is what music is all about!

hook out → going to bed…

Matija Šuklje: How to write your Pelican-powered blog using ownCloud and WebDAV

Wed, 06 Aug 2014 22:00:00 +0000

Originally this HowTo was part of my last post – a lengthy piece about how I migrated my blog to Pelican. As this specific modification might be more interesting than reading the whole thing, I decided to fork and extend it.

What and why?

What I was trying to do is to be able to add, edit and delete content from Pelican from anywhere, so whenever inspiration strikes I can simply take out my phone or open up a web browser and create a rough draft. Basically a make-shift mobile and desktop blogging app.

I decided to that the easiest this to do this by accessing my content via WebDAV via ownCloud that runs on the same server.

Why not Git and hooks?

The answer is quite simple: because I do not need it and it adds another layer of complication.

I know many use Git and its hooks to keep track of changes as well as for backups and for pushing from remote machines onto the server. And that is a very fine way of running it, especially if there are several users committing to it.

But for the following reasons, I do not need it:

I already include this page with its MarkDown sources, settings and the HTML output in my standard RSnapshot backup scheme of this server, so no need for that;
I want to sometimes draft my posts on my mobile and Git and Vim on a touch-screen are just annoying to use;
this is a personal blog, so the distributed VCS side of Git is just an overhead really;
there is no added benefit to sharing the MarkDown sources on-line, if all the HTML sources are public anyway.

Setting up the server

Pairing up Pelican and ownCloud

In ownCloud it is very easy to mount external storage, and a folder local to the server is still considered “extrenal” as it is outside of ownCloud. Needless to say, there is a nice GUI for that.

Once you open up the Admin page in ownCloud, you will see the External Storage settings. For security reasons only admins can mount a local folder, so if you aren’t one, you will not see Local as an option and you will have to ask your friendly ownCloud sysAdmin to add the folder from his Admin page for you.

If that is not an option, on a GNU/Linux server there is an easy, yet hackish solution as well: just link Pelican’s content folder into your ownCloud user’s file system – e.g:

ln -s /var/www/matija.suklje.name/content/ /var/www/owncloud/htdocs/data/hook/files/Blog

In order to have the files writeable over WebDAV, they need to have write permission from the user that PHP and web-server are running under – e.g.:

chown -R nginx:nginx /var/www/owncloud/htdocs/data/hook/files/Blog/

Automating page generation and ownership

To have pages constantly automatically generated, there is a option to call pelican --autoreload and I did consider turning it into an init script, but decided against it for two reasons:

it consumes too much CPU power just to check for changes;
as on my poor ARM server a full (re-)generation of this blog takes about 6 minutes², I did not want to hammer my system for every time I save a minor change.

What I did instead was to create an fcronjob to (re-)generate the website every night at 3 in the morning (and send a mail to root’s default address), under the condition that there blog posts have either been changed in content or added since yesterday:

%nightly,mail * 3 cd /var/www/matija.suklje.name && posts=(content/**/*.markdown(Nm-1)); if (( $#posts )) LC_ALL="en_GB.utf8" make html

Update: the above command is changed to use Zsh; for the old sh version, use:

%nightly,mail * 3 cd /var/www/matija.suklje.name && [[ `find content -iname "*.markdown" -mtime -1` != "" ]] && LC_ALL="en_GB.utf8" make html

In order to have the file permissions on the content directory always correct for ownCloud (see above), I changed the Makefile a bit. The relevant changes can be seen below:

html:
    chown -R nginx:nginx $(INPUTDIR)
    $(PELICAN) $(INPUTDIR) -o $(OUTPUTDIR) -s $(CONFFILE) $(PELICANOPTS)

clean:
    [ ! -d $(OUTPUTDIR) ] || rm -rf $(OUTPUTDIR)

regenerate:
    chown -R nginx:nginx $(INPUTDIR)
    $(PELICAN) -r $(INPUTDIR) -o $(OUTPUTDIR) -s $(CONFFILE) $(PELICANOPTS)

E-mail draft reminder

Not directly relevant, but still useful.

In order not to forget any drafts unattended, I have also set up an FCron job to send me an e-mail with a list of all unfinished drafts to my private address.

It is a very easy hack really, but I find it quite useful to keep track of things – find the said fcronjob below:

%midweekly,mailto(matija@suklje.name) * * cd /var/www/matija.suklje.name/content/ && ack "Status: draft"

Client software

ownNotes

As a mobile client I plan to use ownNotes, because it runs on my Nokia N9¹ and supports MarkDown highlighting out-of-the-box.

All I needed to do in ownNotes is to provide it with my ownCloud log-in credentials and state Blog as the "Remote Folder Name" in the preferences.

But before I can really make use of ownNotes, I have to wait for it to starts using properly managing file-name extensions.

ownCloud web interface

Since ownCloud includes a webGUI text editor with MarkDown highlighting out of the box, I sometimes use that as well.

An added bonus is that the Activity feed of ownCloud keeps a log of when which file changed or was added.

It does not seem possible yet to collaboratively edit files other than ODT in ownCloud’s webGUI, but I imagine that might be the case in the future.

Kate via WebDAV

In many other desktop environments it is child’s play to add a WebDAV remote folder — just adding a link to the file manager should be enough, e.g.: webdavs://thatfunkyplace.wheremymonkeyis.at:443/remote.php/webdav/Blog.

KDE’s Dolphin makes it easier for you, because all you have to do is select Remote ↦ Add remote folder and if you already have a connection to your ownCloud with some other service (e.g. Zanshin and KOrganizer for WebCal), it will suggest all the details to you, if you choose Recent connection.

Once you have the remote folder added, you can use it transparently all over KDE. So when you open up Kate, you can simply navigate the remote WebDAV folders, open up the files, edit and save them as if they were local files. It really is as easy as that! ☺

Note: I probably could have also used the more efficient KIO FISH, but I have not bothered with setting up a more complex permission set-up for such a small task. For security reasons it is not possible to log in via SSH using the same user the web server runs under.

SSH and Vim

Of course, it is also possible to ssh to the web server, su to the correct user, edit the files with Vim and let FCron and Make file make sure the ownership is done appropriately.

hook out → back to studying Arbitration law

Yes, I am well aware you can run Vim and Git on MeeGo Harmattan and I do use it. But Vim on a touch-screen keyboard is not very fun to use for brainstorming. ↩
At the time of writing this blog includes 343 articles and 2 pages, which took Pelican 440 seconds to generate on my poor little ARM server (on a normal load). ↩

Michael Mair-Keimberger: kmscon - next generation virtual terminals

noreply@blogger.com (Michael Mair-Keimberger) — Tue, 05 Aug 2014 17:33:29 +0000

KMSCON is a simple terminal emulator based on linux kernel mode setting (KMS). It can replace the in-kernel VT implementation with a userspace console. It's a pretty new project and still very experimental.
Even though gentoo provides a ebuild its rather rudiment and it's better to use the live ebuild form [1] plus the libtsm package, which is needed for kmscon, from [2]. Personally i've added those ebuilds into my private overlay.

Don't forget to unmask/keyword the live ebuild:

# emerge -av =sys-apps/kmscon-9999

These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild   R   *] sys-apps/kmscon-9999::local  USE="drm fbdev gles2 optimizations pango unicode -debug -doc -multiseat -pixman -static-libs -systemd" 0 kB

Total: 1 package (1 reinstall), Size of downloads: 0 kB

After successfully emerging kmscon it's pretty simple to start a new vt with (as root):

# kmscon --vt=8 --xkb-layout=de --hwaccel

This starts kmscon on vt8 with hardware-accel on and a german keyboard layout.

If your experimental you can add (or replace) an additional virtual terminal to your inittab. A line like following should suffice to start kmscon everytime you boot your system.

c11:2345:respawn:/usr/bin/kmscon --vt=8 --xkb-layout=de --hwaccel

I've tested it with my amd cards (r600g and radeonsi) and it worked with some minor output corruptions. However, in certain cases it works already faster than agetty, for example printing dmesg output. So far it looks really promising, sadly development seems to be really slow. You'll find the git repository here [3]

[1] https://bugs.gentoo.org/show_bug.cgi?id=490798
[2] https://bugs.gentoo.org/show_bug.cgi?id=487394
[3] http://cgit.freedesktop.org/~dvdhrm/kmscon/

Sven Vermeulen: Gentoo Hardened July meeting

Fri, 01 Aug 2014 19:48:56 +0000

I failed to show up myself (I fell asleep – kids are fun, but deplete your energy source quickly), but that shouldn’t prevent me from making a nice write-up of the meeting.

Toolchain

GCC 4.9 gives some issues with kernel compilations and other components. Lately, breakage has been reported with GCC 4.9.1 compiling MySQL or with debugging symbols. So for hardened, we’ll wait this one out until the bugs are fixed.

For GCC 4.10, the –enable-default-pie patch has been sent upstream. If that is accepted, the SSP one will be sent as well.

In uclibc land, stages are being developed for PPC. This is the final architecture that is often used in embedded worlds that needed support for it in Gentoo, and that’s now being finalized. Go blueness!

SELinux

A libpcre upgrade broke relabeling operations on SELinux enabled systems. A fix for this has been made part of libselinux, but a little too late, so some users will be affected by the problem. It’s easily worked around (removing the *.bin files in the contexts/files/ directory of the SELinux configuration) and hopefully will never occur again.

The 2.3 userland has finally been stabilized (we had a few dependencies that we were waiting for – and we were a dependency ourselves for other packages as well).

Finally, some thought discussion is being done (not that there’s much feedback on it, but every documented step is a good step imo) on the SELinux policy within Gentoo (and the principles that we’ll follow that are behind it).

Kernel and grsecurity / PaX

Due to some security issues, the Linux kernel sources have been stabilized more rapidly than usual, which left little time for broad validation and regression testing. Updates and fixes have been applied since and new stabilizations occurred. Hopefully we’re now at the right, stable set again.

The C-based install-xattr application (which is performance-wise a big improvement over the Python-based one) is working well in “lab environments” (some developers are using it exclusively). It is included in the Portage repository ^{(if I understand the chat excerpts correctly)} but as such not available for broader usage yet.

An update against elfix is made as well as there was a dependency mismatch when building with USE=-ptpax. This will be corrected in elfix-0.9.

Finally, blueness is also working on a GLEP (Gentoo Linux Enhancement Proposal) to export VDB information (especially NEEDED.ELF.2) as this is important for ELF/library graph information (as used by revdep-pax, migrate-pax, etc.). Although Portage already does this, this is not part of the PMS and as such other package managers might not do this (such as Paludis).

Profiles

Updates on the profiles has been made to properly include multilib related variables and other metadata. For some profiles, this went as easy as expected (nice stacking), but other profiles have inheritance troubles making it much harder to include the necessary information. Although some talks have arised on the gentoo-dev mailinglist about refactoring how Gentoo handles profiles, there hasn’t been done much more than just talking :-( But I’m sure we haven’t heard the last of this yet.

Documentation

Blueness has added information on EMULTRAMP in the kernel configuration, especially noting to the user that it is needed for Python support in Gentoo Hardened. It is also in the PaX Quickstart document, although this document is becoming a very large one and users might overlook it.

Jürgen Geuter: The right tool for the job

Thu, 31 Jul 2014 22:14:04 +0000

Every subculture, even most smaller groups establish practices that are typical for said subculture or group. They often emerge within the foundations of the group itself or the background of an influential part of the members. A group of historians will probably tackle problems in a different way than engineers would for example: Where the historians might look for similarities in structure between the current issue and the past, engineers would try to divide the problem up into smaller and smaller units of work, assign them and hope that by assembling all the parts a solution will be created. Obviously the previous example was slightly exaggerated and simplified but you catch my drift. The people or the “culture” a group emerged from influence massively the set of tools the group has to interact with the world.

These tools exist on many levels. They can be physical objects like with a group of mechanics bringing actual tools from their workshops into the group. There are digital tools such as publication software or networked democracy/liquid democracy tools. The tools can be intellectual: Specific methods to process information or analyze things. Social tools can help organize and communicate. The list goes on and on.

Today I want to talk about the intellectual or procedural tools of a certain subculture¹ that I do have my run-ins with: The hackers. Not the “let’s break shit and steal money like they do in cheesy movies” type but the “we are fighting for digital civil liberties and free software and crypto for everyone and shit” type. The type that can probably best be defined as: People unwilling to always follow the instructions that things come with, especially technical things.

By: Matthew Hutchinson

While the myth of the evil hackers destroying everything still is very powerful especially within mainstream media, that subculture has – even given all the problems and issues raging through that scene² – gotten kind of a tough job these days. Because we as a society are overwhelmed by our own technical progress.

So we’ve kinda stumbled on this nice thing that some scientists developed to share information and we realized: Wow ~~I can copy all kinds of music and movies~~ I can share Information and publish my own creative works! And others found that thing interesting as well, bolted some – not always³ beautifully designed interfaces and technologies onto that “Internet” thing and used it to sell books and clothes and drugs and bitcoins to a global customer base.

Obviously I simplified things again a little. But there’s no denying that the Internet changed many many aspects of our life with shopping only being one of them. Global companies could suddenly move or spread data (and themselves) to different locations in zero-time circumventing in many cases at least parts of the legal system that was supposed to protect the people against their actions. Established social rules such as copyright or privacy came under pressure. And then there was the intelligence community. What a field trip they had!

All the things that used to be hard to gather, that could only be acquired through deploying agents and time and money, conversations and social graphs and “metadata” could be gathered, stored and queried. Globally. All the time. The legal system supposed to protect the people actually gave them the leverage to store all data they could get their hands on. All for the good of the people and their security.

So here we are with this hot and flaming mess and we need someone, anyone to fix it. To make things ok. So we ask the hackers because they actually know, understand and – more often than many want to admit – build the technology causing problems now. And they tried to come up with solutions.

By: kate hiscock

The hacker subculture is largely and dominantly shaped by a related group of people: Security specialists. To be able to assess and test the security of a technical system or an algorithm you really need to understand it and its environment at a level of detail that eludes many people. The problems the security community have to deal with are cognitively hard and complex, the systems and their interactions and interdependencies growing each day. The fact that those security holes or exploits can also be worth a lot of money to someone with … let’s say flexible ethics also informed the competitiveness of that scene.

So certain methods or MOs developed. One very prominent one that has influenced the hacker culture a lot is the “break shit in a funny way” MO. It goes like this: You have something that people (usually the people selling it) claim to be secure. Let’s say a voting machine or an iris scanner on a new smartphone. In come the hackers. They prod the system, poke it with sticks and tools until they get the voting machine to play pong and the iris scanner to project My Little Pony episodes. They break shit.

This leads to (if you are somewhat tech savvy) very entertaining talks at hacker conferences where the ways of how to break it are displayed. Some jokes at the expense of the developers are thrown in and it usually ends with a patch, a technical solution to the problem, that does at least mitigate the worst problems. Hilarity ensues.

But herein lies the problem. The issues we have with our political system, with the changes that tech brought to the social sphere are not easily decomposed into modules, broken and fixed with some technological patch. Showing that the NSA listens to your stuff, how they do it is all fine and dandy but the technical patch, the bazillion of crypto tools that are released every day don’t address the issues at hand – the political questions, the social questions.

That’s not the fault of the hacker scene really. They did their job, analyzed what happened and sometimes could even provide fixes. But building new social or legal concepts really isn’t in their toolbox. When forced they have to fallback on things such as “whistleblowing” as a catchall which really is no replacement for political theory. Obviously there are hackers who are also political but it’s not genuine to the subculture, nothing belonging to them.

In Germany we can see that every day within the politically … random … actions of the Pirate Party who recruited many of their members from said hacker culture (or related subcultures). They think in systems and patches, talk about “a new operating system for democracy”. Even the wording, the framing shows that they don’t think in political terms but in their established technical phrases. Which again isn’t their fault, it’s what every subculture does.

Hackers can do a lot for our societies. They can help officials or NGOs to better understand technology and maybe even its consequences. They just might not in general be the right people to talk to when it comes to building legal or social solutions.

The different subcultures in a society all contribute different special skill sets and knowledge to the discourse. It’s about bringing all the right people and groups to the table in every phase of the debate. That doesn’t mean that people should be excluded but that certain groups or subcultures should maybe take the lead when it comes to the domains they know a lot about.

Use the right tool for the job.

By: Lachlan Donald

Header image by: Ivan David Gomez Arce

if it actually is a subculture which we could debate but let’s do that another time
I’m not gonna get into it here, it’s a topic for another text that I’m probably not going to write
as in never

Jürgen Geuter: On whistleblowing

Fri, 25 Jul 2014 21:24:30 +0000

As some might know, I spent the last week in New York attending the HOPE conference. Which was btw. one of the more friendly and diverse conferences I have been to and which I enjoyed a lot not just because of it’s awe inspiring location.

It was not surprising that the session program would put big emphasis on whistleblowing. Edward Snowden’s leaks have pretty much defined the last year when it came to tech-related news. HOPE contextualized those leaks by framing Snowden with the famous US whistleblowers Thomas Drake and Daniel Ellsberg who both have had immense impact with their leaks. Drake had leaked information on NSA programs violating many US laws, Ellsberg had released the “Pentagon papers” proving that the public had been lied to by different US governments when it came to the Vietnam war. Ellsberg, Drake, Snowden. 3 whistleblowers, 3 stories of personal sacrifice and courage¹. 3 stories about heroes.

All of them enforced how important better infrastructure for leaks was. How important it was that the hacker community would provide better tools and tutorials that help keeping informers anonymous and protected. How central it was to make OpSec (operations security) easier for journalists and potential whistleblowers. Especially Snowden voiced how well he understood people not leaking anything when faced with the complete destruction of their lives as they know it.

And the community did actually try to deliver. SecureDrop was presented as a somewhat simpler way for journalists to supply a drop site for hot documents and the Minilock project is supposed to make the encryption of files much easier and less error-prone.

But in between the celebration of the courage of individuals and tools helping such individuals something was missing.

By: Robert S. Donovan

Maybe it was the massive presence of Snowden or maybe the constant flow of new details about his leaks but in our focus on and fascination for the whistleblower(s) and their work we as a community have somewhat forgotten to think about politics and policies, about what it actually is that “we” want.

Whistleblowing can be important, can change the world actually. But it is not politics. Whistleblowing can be the emergency brake for political processes and structures. But sadly nothing more.

Just creating some sort of transparency (and one could argue that Snowden’s leak has not really created even that since just a selected elite of journalists is allowed to access the treasure chest) doesn’t change anything really. Look at the Snowden leaks: One year full of articles and columns and angry petitions. But nothing changed. In spite of transparency things are mostly going on as they did before. In fact: Certain governments such as the Germans have talked about actually raising the budget for (counter)intelligence. The position of us as human beings in this cyberphysical world has actually gotten worse.

Simple solutions are really charming. We need a few courageous people. And we can build some tech to lower the courage threshold, tools protecting anonymity. Problem solved, back to the playground. We’ve replaced political theory, structures, activism and debate with one magic word: Whistleblowing. But that’s not how it works.

What happens after the leak? Why do we think that a political system that has created and legitimized the surveillance and intelligence state times upon times would autocorrect itself just because we drop some documents into the world? Daniel Ellsberg called it “telling the truth with documents”. But just telling some truth isn’t enough.

It’s time to stop hiding behind the hope for whistleblowers and their truth. To stop dreaming of a world that would soon be perfect if “the truth” is just out there. That’s how conspiracy nuts think.

“Truth” can be a resource to create ideas and policy from. To create action. But that doesn’t happen automagically and it’s not a job we can just outsource to the media because they know all that weird social and political stuff. Supporting the works of whistleblowers is important and I was happy to see so many initiatives, but they can get us at most a few steps forward on our way to fixing the issues of our time.

Header image by: Kate Ter Haar

I have written about the problem I have with the way Snowden is framed (not him as a person or with his actions) here

George Kargiotakis: Anonymous edits in Hellenic Wikipedia from Hellenic Parliament IPs

Sun, 13 Jul 2014 12:10:07 +0000

Inspired from another project called “Anonymous Wikipedia edits from the Norwegian parliament and government offices” I decided to create something similar for the Hellenic Parliament.

I downloaded the XML dumps (elwiki-20140702-pages-meta-history.xml.7z) for the elwiki from http://dumps.wikimedia.org/elwiki/20140702/. The compressed file is less than 600Mb but uncompressing it leads to a 73Gb XML which contains the full history of edits. Then I modified a parser I found on this blog to extract the data I wanted: Page Title, Timestamp and IP.

Then it was easy to create a list that contains all the edits that have been created by Hellenic Parliament IPs (195.251.32.0/22) throughout the History of Hellenic Wikipedia:
The list https://gist.github.com/kargig/d2cc8e3452dbde774f1c.

Interesting edits

Former Prime Minister “Κωνσταντίνος Σημίτης”
An IP from inside the Hellenic Parliament tried to remove the following text at least 3 times in 17-18/02/2014. This is a link to the first edit: Diff 1.

Για την περίοδο 1996-2001 ξοδεύτηκαν 5,2 τρις δρχ σε εξοπλισμούς. Οι δαπάνες του Β` ΕΜΠΑΕ (2001-2006) υπολογίζεται πως έφτασαν τα 6 με 7 τρις δρχ.<ref name="enet_01_08_01">[http://www.enet.gr/online/online_hprint?q=%E5%EE%EF%F0%EB%E9%F3%EC%EF%DF&a=&id=71538796 ''To κόστος των εξοπλισμών''], εφημερίδα ”Ελευθεροτυπία”, δημοσίευση [[1 Αυγούστου]] [[2001]].</ref>Έπειτα απο τη σύλληψη και ενοχή του Γ.Καντά,υπάρχουν υπόνοιες για την εμπλοκή του στο σκάνδαλο με μίζες από Γερμανικές εταιρίες στα εξοπλιστικά,κάτι το οποίο διερευνάται απο την Εισαγγελία της Βρέμης.
Former MP “Δημήτρης Κωνσταντάρας”
Someone modified his biography twice. Diff Links: Diff 1 Diff 2.
Former football player “Δημήτρης Σαραβάκος”
In the following edit someone updated this player’s bio adding that he ‘currently plays in porn films’. Diff link. The same editor seems to have removed that reference later, diff link.
Former MP “Θεόδωρος Ρουσόπουλος”
Someone wanted to update this MP’s bio and remove some reference of a scandal. Diff link.
The movie “Ραντεβού με μια άγνωστη”
Claiming that the nude scenes are probably not from the actor named “Έλενα Ναθαναήλ”. Diff link.
The soap opera “Χίλιες και Μία Νύχτες (σειρά)”
Someone created the first version of the article on this soap opera. Diff Link.
Politician “Γιάννης Λαγουδάκος”
Someone edited his bio so it seemed that he would run for MP with the political party called “Ανεξάρτητοι Έλληνες”. Diff Link
University professor “Γεώργιος Γαρδίκας”
Someone edited his profile and added a link for amateur football team “Αγιαξ Αιγάλεω”. Diff Link.
Politician “Λευτέρης Αυγενάκης”
Someone wanted to fix his bio and upload a file, so he/she added a link from the local computer “C:\Documents and Settings\user2\Local Settings\Temp\ΑΥΓΕΝΑΚΗΣ”. Diff link.
MP “Κώστας Μαρκόπουλος”
Someone wanted to fix his bio regarding his return to the “Νέα Δημοκρατία” political party. Diff Link.
(Golden Dawn) MP “Νίκος Μιχαλολιάκος”
Someone was trying to “fix” his bio removing some accusations. Diff Link.
(Golden Dawn) MP “Ηλίας Κασιδιάρης”
Someone was trying to fix his bio and remove various accusations and incidents. Diff Link 1, Diff Link 2, Diff Link 3.

Who’s done the edits ?
The IP range of the Hellenic Parliament is not only used by MPs but from people working in the parliament as well. Don’t rush to any conclusions…
Oh, and the IP 195.251.32.48 is probably a proxy inside the Parliament.

Threat Model
Not that it matters a lot for MPs and politicians in general, but it’s quite interesting that if someone “anonymously” edits a wikipedia article, wikimedia stores the IP of the editor and provides it to anyone that wants to download the wiki archives. If the IP range is known, or someone has the legal authority within a country to force an ISP to reveal the owner of an IP, it is quite easy to spot the actual person behind an “anonymous” edit. But if someone creates an account to edit wikipedia articles, wikimedia does not publish the IPs of its users, the account database is private. To get an IP of a user, one would need to take wikimedia to courts to force them to reveal that account’s IP address. Since every wikipedia article edit history is available for anyone to download, one is actually “more anonymous to the public” if he/she logs in or creates a (new) account every time before editing an article, than editing the same article without an account. Unless someone is afraid that wikimedia will leak/disclose their account’s IPs.
So depending on their threat model, people can choose whether they want to create (new) account(s) before editing an article or not

Similar Projects

Bonus
Anonymous edit from “Synaspismos Political Party” (ΣΥΡΙΖΑ) address range for “Δημοκρατική Αριστερά” political party article, changing it’s youth party blog link to the PASOK youth party blog link. Diff Link

Sven Vermeulen: Segmentation fault when emerging packages after libpcre upgrade?

Wed, 09 Jul 2014 18:35:26 +0000

SELinux users might be facing failures when emerge is merging a package to the file system, with an error that looks like so:

>>> Setting SELinux security labels
/usr/lib64/portage/bin/misc-functions.sh: line 1112: 23719 Segmentation fault      /usr/sbin/setfiles "${file_contexts_path}" -r "${D}" "${D}"
 * ERROR: dev-libs/libpcre-8.35::gentoo failed:
 *   Failed to set SELinux security labels.

This has been reported as bug 516608 and, after some investigation, the cause is found. First the quick workaround:

~# cd /etc/selinux/strict/contexts/files
~# rm *.bin

And do the same for the other SELinux policy stores on the system (targeted, mcs, mls, …).

Now, what is happening… Inside the mentioned directory, binary files exist such as file_contexts.bin. These files contain the compiled regular expressions of the non-binary files (like file_contexts). By using the precompiled versions, regular expression matching by the SELinux utilities is a lot faster. Not that it is massively slow otherwise, but it is a nice speed improvement nonetheless.

However, when pcre updates occur, then the basic structures that pcre uses internally might change. For instance, a number might switch from a signed integer to an unsigned integer. As pcre is meant to be used within the same application run, most applications do not have any issues with such changes. However, the SELinux utilities effectively serialize these structures and later read them back in. If the new pcre uses a changed structure, then the read-in structures are incompatible and even corrupt.

Hence the segmentation faults.

To resolve this, Stephen Smalley created a patch that includes PCRE version checking. This patch is now included in sys-libs/libselinux version 2.3-r1. The package also recompiles the existing *.bin files so that the older binary files are no longer on the system. But there is a significant chance that this update will not trickle down to the users in time, so the workaround might be needed.

I considered updating the pcre ebuilds as well with this workaround, but considering that libselinux is most likely to be stabilized faster than any libpcre bump I let it go.

At least we have a solution for future upgrades; sorry for the noise.

Edit: libselinux-2.2.2-r5 also has the fix included.

Sven Vermeulen: Multilib in Gentoo

Wed, 02 Jul 2014 19:03:59 +0000

One of the areas in Gentoo that is seeing lots of active development is its ongoing effort to have proper multilib support throughout the tree. In the past, this support was provided through special emulation packages, but those have the (serious) downside that they are often outdated, sometimes even having security issues.

But this active development is not because we all just started looking in the same direction. No, it’s thanks to a few developers that have put their shoulders under this effort, directing the development workload where needed and pressing other developers to help in this endeavor. And pushing is more than just creating bugreports and telling developers to do something.

It is also about communicating, giving feedback and patiently helping developers when they have questions.

I can only hope that other activities within Gentoo and its potential broad impact work on this as well. Kudos to all involved, as well as all developers that have undoubtedly put numerous hours of development effort in the hope to make their ebuilds multilib-capable (I know I had to put lots of effort in it, but I find it is worthwhile and a big learning opportunity).

Sven Vermeulen: D-Bus and SELinux

Mon, 30 Jun 2014 18:07:11 +0000

After a post about D-Bus comes the inevitable related post about SELinux with D-Bus.

Some users might not know that D-Bus is an SELinux-aware application. That means it has SELinux-specific code in it, which has the D-Bus behavior based on the SELinux policy (and might not necessarily honor the “permissive” flag). This code is used as an additional authentication control within D-Bus.

Inside the SELinux policy, a dbus permission class is supported, even though the Linux kernel doesn’t do anything with this class. The class is purely for D-Bus, and it is D-Bus that checks the permission (although work is being made to implement D-Bus in kernel (kdbus)). The class supports two permission checks:

acquire_svc which tells the domain(s) allowed to “own” a service (which might, thanks to the SELinux support, be different from the domain itself)
send_msg which tells which domain(s) can send messages to a service domain

Inside the D-Bus security configuration (the busconfig XML file, remember) a service configuration might tell D-Bus that the service itself is labeled differently from the process that owned the service. The default is that the service inherits the label from the domain, so when dnsmasq_t registers a service on the system bus, then this service also inherits the dnsmasq_t label.

The necessary permission checks for the sysadm_t user domain to send messages to the dnsmasq service, and the dnsmasq service itself to register it as a service:

allow dnsmasq_t self:dbus { acquire_svc send_msg };
allow sysadm_t dnsmasq_t:dbus send_msg;
allow dnsmasq_t sysadm_t:dbus send_msg;

For the sysadm_t domain, the two rules are needed as we usually not only want to send a message to a D-Bus service, but also receive a reply (which is also handled through a send_msg permission but in the inverse direction).

However, with the following XML snippet inside its service configuration file, owning a certain resource is checked against a different label:

<selinux>
  <associate own="uk.org.thekelleys.dnsmasq"
             context="system_u:object_r:dnsmasq_dbus_t:s0" />
</selinux>

With this, the rules would become as follows:

allow dnsmasq_t dnsmasq_dbus_t:dbus acquire_svc;
allow dnsmasq_t self:dbus send_msg;
allow sysadm_t dnsmasq_t:dbus send_msg;
allow dnsmasq_t sysadm_t:dbus send_msg;

Note that only the access for acquiring a service based on a name (i.e. owning a service) is checked based on the different label. Sending and receiving messages is still handled by the domains of the processes (actually the labels of the connections, but these are always the process domains).

I am not aware of any policy implementation that uses a different label for owning services, and the implementation is more suited to “force” D-Bus to only allow services with a correct label. This ensures that other domains that might have enough privileges to interact with D-Bus and own a service cannot own these particular services. After all, other services don’t usually have the privileges (policy-wise) to acquire_svc a service with a different label than their own label.