Spying, liberty, NSA and USA vs. Europe

When I discussed the loss of American liberties with people here in Europe a few years ago, my position was simple – we get the same draconian regulations without any opposition or fanfare here in Europe. Remember the export controls on cryptography? We should have been fighting against that barrier because it was primarily against our interests and privacy. The people in the U.S. got the benefits of cryptography anyway (short of some patent issues). They fought the battle anyway – on principle.

Do you remember the Communications Decency Act of 1996? The Americans fought against it. There were blogs and strong opposition.

Do you remember data retention? There was a massive campaign against it in the U.S.; here in Slovakia there was a press release saying that a new law had passed. A press release, no discussion, no opposition. “We are just implementing European regulation”.

I always regarded Americans as liberty-minded and people who speak up when their liberties are about to be taken away from them.

That was true until recently. Information about the NSA’s massive surveillance programs is nothing new: I wrote about Echelon (and ways to protect yourself) in my book in 2002. Thomas Drake and William Binney are both ex-NSA employees and they both mentioned these programs before. There are several videos of them talking about the program on YouTube. It was easy to mistake all these reports for conspiracy theories and not act upon this information.

With the information released by Edward Snowden, we now know for certain that communication on the Internet is surveilled in real time and recorded for an unknown time by the NSA. We know that e-mail, telephone conversations, Facebook chat, Google communication tools, HTTP requests, SWIFT and credit card payments are all included. This huge world-wide privacy breach was revealed. And what happened? Nothing.

I mean it’s great that Mr. Snowden could at least walk out of the Moscow airport and have a life. What should have happened? People out in the streets demanding their privacy back. The state should have apologized to Snowden and to the public for their crimes. Something should have changed.

It seems that the American public does not care anymore. It is exhausted from the financial crisis and sceptical about the issues around us: the failure of the Occupy movement to bring any real change to the world, the gloom caused by the financial crisis, the reality of doing more of what caused the crash. The wars, the drones, the kill list.

Americans are tired; they no longer care about their freedoms. And that’s too sad. It means the Illuminati can do whatever they want now. And they will use this opportunity.

On darkness: Your fear of death attracts such strange objects

I am widely known for listening to darker genres of music. It makes some people feel I am a complete weirdo (which is true). A few weeks ago I was sitting in a cab with a full album (!) of Aqua playing on the radio. Happy songs of happy days, so inauthentic. It thankfully ended with me putting my headphones on :).

Why do we fear darkness? When walking on a street at night with no lights on, we don’t fear darkness itself; we fear that something unseen could harm us. The fact? It can happen on a clear day too. Thanks to the bystander effect, we are not even much safer during the day.

Getting comfortable with darkness, with things that seem evil and with the unknown is a huge asset in life. Our minds infer causation from correlation. We fear darkness because it may be evil and we fear it because it’s unknown. And then we infer that the unknown is evil, which is incorrect. There’s so much hatred and misunderstanding in this world already.

Happy songs with happy melodies, positive lyrics and beautiful performers have their place in this world. But there are tracks that are unexpected. Computer-generated noise, glitches and yelling can come at any time. And that prepares us to understand that dark and unexpected is not evil (please show me a person who died of listening to dark music if you disagree). While happy music can lift our mood, from the unexpected we learn.

Here’s an interview with Coil about the same topic.

My favorite bands that are dark, but nice are Coil, Current 93, The Residents, Orphx and The Kilimanjaro Darkjazz Ensemble.

Raspberry Pi and Block Erupter on Pidora

My AsicMiner Block Erupter USB miners arrived a few days ago thanks to Andreas and people from Bitcoin Austria who processed the order and the chief Bitcoin economist Peter Šurda who drove them to Progressbar. I shipped some of them abroad to friends.

Although I appreciate the work the guys who created minepeon do, I decided to go with pure Pidora, as I believe using a more generic distribution means faster updates and makes it easier to use my Raspberry Pi for other things than just mining. This is debatable, as this is my first and only Raspberry Pi and it has been sitting on my window shelf for almost a year.

Anyway, this is how you get your Block Erupter running quickly and easily under Pidora (and I guess any other Fedora-based distribution if you choose not to use a Raspberry Pi):

# screen is optional, but I like to run cgminer in screen and we will make it autostart in screen
yum install libusb-devel libcurl libcurl-devel libudev-devel ncurses-libs ncurses-devel git gcc screen autoconf automake libusb1-devel libusbx-devel libusb libusb1 libusbx
# current version of cgminer from git has working hotplug support for USB miners
git clone https://github.com/ckolivas/cgminer.git
cd cgminer
# the git checkout ships no configure script; autogen.sh generates it (hence autoconf/automake above)
./autogen.sh
./configure --enable-icarus
make && make install

Run cgminer once to create the config: fill in your pool details and, in its menu, save the config file (it ends up as /root/.cgminer/cgminer.conf, which the start script below points to).

If mining is working, create /usr/local/bin/start_miner.sh with this content:

#!/bin/sh
screen -dmS miner -- /usr/local/bin/cgminer -c /root/.cgminer/cgminer.conf

Create /etc/systemd/system/cgminer.service with this content:

[Unit]
Description=CGMiner Service
After=network.target

[Service]
ExecStart=/usr/local/bin/start_miner.sh
Type=forking

[Install]
WantedBy=multi-user.target

Now make it a service and try it out:

chmod a+x /usr/local/bin/start_miner.sh
systemctl daemon-reload
systemctl start cgminer.service

Now you attach the screen and make sure it’s working:

screen -x 

If all is well, make it run on boot:

systemctl enable cgminer.service 
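The steps above, collected into one script as an added example (this is not the post’s own code). It writes the same start script and unit file, but under a prefix directory you choose, so the result can be inspected or tested before touching the live system, and the unit is tightened a little: it assumes a dedicated unprivileged user named miner (with read/write access to the Block Erupter USB devices, e.g. via a udev rule, and with the saved config at /home/miner/.cgminer/cgminer.conf) instead of running cgminer as root, and it restarts cgminer if it crashes. The user name, config path and the prefix argument are assumptions, not anything the post specifies.

```shell
#!/bin/sh
# Added example: generate start_miner.sh and cgminer.service under a prefix
# directory. An empty prefix ("") means the real root filesystem.
# Assumptions (not from the original post): a "miner" user exists, may open
# the USB miners, and has its cgminer.conf in /home/miner/.cgminer/.

write_miner_files() {
    root="${1:-}"
    mkdir -p "$root/usr/local/bin" "$root/etc/systemd/system"

    cat > "$root/usr/local/bin/start_miner.sh" <<'EOF'
#!/bin/sh
# Detached screen session, so "screen -x" can attach to it later.
exec screen -dmS miner -- /usr/local/bin/cgminer -c /home/miner/.cgminer/cgminer.conf
EOF
    chmod 0755 "$root/usr/local/bin/start_miner.sh"

    cat > "$root/etc/systemd/system/cgminer.service" <<'EOF'
[Unit]
Description=CGMiner Service
After=network.target

[Service]
Type=forking
ExecStart=/usr/local/bin/start_miner.sh
# Hardening on top of the post's unit: unprivileged user, no privilege
# escalation from the service, private /tmp, restart after a crash.
User=miner
NoNewPrivileges=true
PrivateTmp=true
Restart=on-failure

[Install]
WantedBy=multi-user.target
EOF
}

# Verify the generated files: start script is executable and the unit
# carries every directive the service needs. Returns 0 on success, 1 otherwise.
check_miner_files() {
    root="${1:-}"
    unit="$root/etc/systemd/system/cgminer.service"
    script="$root/usr/local/bin/start_miner.sh"
    [ -x "$script" ] || return 1
    for key in 'ExecStart=/usr/local/bin/start_miner.sh' 'Type=forking' \
               'WantedBy=multi-user.target' 'User=miner'; do
        grep -qx "$key" "$unit" || return 1
    done
    return 0
}

# "install" writes to the live system and starts the service; without it
# the script only defines the functions.
if [ "${1:-}" = "install" ]; then
    write_miner_files ""
    check_miner_files "" && systemctl daemon-reload && systemctl start cgminer.service
fi
```

Run it as `sh install_miner.sh install` on the Pi; to preview, call `write_miner_files /tmp/preview` from a shell that has sourced the file and read the two generated files. `systemctl enable cgminer.service` is still needed for boot-time start, exactly as in the post.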

I really like systemd instead of init.d scripts. I liked SMF from Solaris 10 for booting things up, but since Oracle threw Solaris out of the window, I switched to Red Hat-based systems. The only thing I do not like about systemd is the aesthetic equivalent of .ini files from ancient DOS times. There has to be a better way to write configuration (no, I am not talking about XML).

Anyway, happy mining and remember – it’s just for fun, you will most probably not get a return on this investment anytime soon (the most optimistic scenario is 8 months, I would say two years if ever).

Are we going to be slaves of algorithms?

The news site idnes.cz published an interview with Josef Šlerka, an expert on new media (translation by Google Translate). He warns that we can become slaves to algorithms that we do not understand. This issue has been raised repeatedly in the media. I don’t doubt the fact that algorithms are much more important in our lives than ever before. I do not think that we understand all algorithms – neural networks especially are problematic in this regard, because we do not know exactly why the network made a particular decision. We can only tell how well the network performs on the inputs and outputs used during the training phase. Corner cases are sometimes unknown and analytical understanding of extreme situations is quite difficult. Let me, however, explain my slightly different and less pessimistic view on the role of algorithms in our lives.

Mr. Šlerka mentioned an experiment in which Lukasz Barabasz showed that, given location information about people over a longer time period, he is able to predict a person’s location the next day at a given time. He used data collected from cell towers. The problem in this case is not the prediction algorithm – it is quite simple and it performs pretty well (and in this case, we understand it pretty well too). We are just being predictable. If you have something to worry about in this example, it is the possibility of collecting the data (which Mr. Šlerka also mentions). There is an even scarier algorithm that can identify a particular person by their movement itself (even if it’s recorded with a different device). Our movement is like a fingerprint.

The problem is not the algorithm. The algorithm is like a mathematical equation – once you invent it, it exists. Inventions like this cannot be “undone” – it is not possible to forget or ban it once it’s out. An algorithm is like an idea. If we really care about our privacy, blaming the algorithms will not help. We need to make sure that these algorithms do not have enough inputs to do things we do not want them to do. Is it possible to create anonymized mobile phones, where the operator knows how much to bill us but does not know our location at any time? I bet it is possible, but is there enough consumer demand?

The quote featured in the headline of the article reads (translation from Czech is mine): “With the advent of technology and applications of artificial intelligence and neural networks, the majority of people loses understanding about what a computer does, and how it makes its decisions. In other words, we become slaves to algorithms we do not understand.”

Let’s talk about two different methods of decision-making – “table-based” decisions and “fuzzy” decisions. Computers have been criticized for being too discrete, for having no smooth decision area. They were not human enough. An example of a “table” decision process is deciding whether an ATM (algorithm) or a bank clerk (person) should let you withdraw money from your account. Both decisions are based on the same table: if the available account balance is greater than or equal to the amount the customer wants to withdraw, the customer gets their money. If it is less, do not allow the withdrawal. The algorithm is the same for human beings and machines and we understand it very well.

How about a loan? A bank clerk can say “This customer looks insincere” or he “was too nervous.” Alternatively the officer does not trust that the underlying business plan of a company asking for a loan is sound. This is not a table-based decision – the bank representative decides on the basis of their feeling, which can be justified, but surely cannot be explained in exact terms. Another bank clerk could decide differently.

The algorithm for bank loans is (or can be) similar to this line of thinking. We taught the algorithm that people with a certain credit profile do not pay back. The input can be: financial behavior (as learned from the customer’s history in the bank), age, number of children or any other additional information available to the bank. If the algorithm is based on a neural network, it could just say “loan rejected”. No explanation. In most cases, the neural network’s output is a score on some scale (for example 0 to 1), in which case a negative decision is something closer to zero (or less than some predefined threshold). We do not know why exactly the network’s output is a particular score.

A common target of algorithm critics is high frequency trading (HFT). HFT algorithms have been used very successfully for several years. A human being simply cannot make decisions about buying and selling a variety of asset classes several times per second. Can they cause a crisis? A common example that they can get “crazy” is the book The Making of a Fly by Peter Lawrence, which sold on Amazon marketplace for $1,730,045.91 due to an algorithm that set this price. The problem was that there were two competing algorithms. They go through Amazon marketplace and try to find rare products and offer them at a higher price than other sellers. When someone buys a book from a seller that has a higher price (e.g. due to the higher reputation of the seller), the author of this algorithm orders the book from a dealer with a lower price. When it arrives, they deliver it to the final customer and keep the price difference as profit. It gets interesting when the original item is sold out and the only vendors are the automated trading bots. They start to raise prices to top the best available seller. And depending on the periodicity of checking and harvesting the marketplace, the price starts going up. Neither seller has the goods available. They rely on each other for delivering the nonexistent product. The algorithm tries to make a profit and these corner conditions are not accounted for – so they get “crazy” while seeking profit…

Are we different? During 1636–1637 we witnessed one of the first bubbles. In the Netherlands, tulips became popular and everyone wanted this beautiful flower (or its bulb, actually). Many people wanted it because of its inherent beauty, but a lot more people perceived the price increase and wanted to buy cheap and sell for more later. The result was a bubble and its collapse. In the winter of 1636–1637, some bulbs changed hands ten times a day. During the peak of the bubble in February 1637, some bulbs sold for more than ten times the annual income of a skilled craftsman. People went crazy for a while. Do algorithms really behave differently from us, or are they just getting more similar to us? Isn’t that what worries us?

Shai Danziger of the University of the Negev did interesting research on the Israeli judicial system. He examined the results of 1112 parole hearings. The judges had an average of 22 years of experience and their decisions accounted for 40% of parole decisions during the investigated 10-month period. The results are quite uncomfortable for justice: judges decided in favor of parole with much lower probability before their morning snack, before lunch and before the end of working hours. Parole was granted in up to 20% of cases. Immediately after a meal, the chance of a positive decision was 65%. Note that this is no small statistical error, but a significant difference.

Our decisions are controlled by a number of factors we do not understand. The neural network in our brain makes decisions that we not only do not understand but that are not even consistent. The level of certain hormones in our body, mood, concentration and hunger, even the lighting, bias us. These biases are significant and affect the lives of people around us (such as judges granting or not granting parole based on when they ate).

If we are asking ourselves whether we are slaves to algorithms we do not understand, I would first ask: Aren’t we slaves to senseless human decisions we do not understand right now? The algorithm decides consistently and if it is flawed, we can at least quickly find out and fix it. Can we fix people this way?

Personally, I would neither overestimate nor underestimate the role and threat of algorithms. They are tools for people. Let’s talk about what data are collected about us. That is what gets abused. Whether it is a person looking at the data or a highly efficient algorithm does not make such a difference. What external organizations (or people, companies, states) have power over our lives? Rather than adding algorithms to what we should “fight against”, I decided to become interested in the necessary condition for their functioning – data collection. Let’s not fear the algorithms. Let’s fight against everything that we can control that limits our freedom. Whether it’s an algorithm, a hungry judge or a greedy state backed by the wrong econometric model…

Experiments with ZRTP and FreeSwitch

ZRTP is a very important project for securing your voice communication. I started playing with Jitsi, Acrobits Softphone and FreeSWITCH.

What I found out after the initial configuration of ZRTP for FreeSwitch is that FreeSwitch negotiates the ZRTP keys itself and acts as a trusted man in the middle: each leg is encrypted to the switch, not end to end. I wanted to avoid that and provide end-to-end encryption. The option that allows direct passthrough of ZRTP to the endpoint is enabling:

<!--Uncomment to set all inbound calls to proxy media mode-->
<param name="inbound-proxy-media" value="true"/>

in conf/sip_profiles/internal.xml.

Another funny thing I found out is how many bots are out there trying to abuse my softswitch. This happened a few hours after setting up FreeSwitch on a public IP (that had never been used as a SIP server before). I ran tcpdump capturing only UDP on 5600:

[root@softswitch ~]# strings output.pcap |wc -l
37235
[root@softswitch ~]# strings output.pcap |grep To: | wc -l
2833
[root@softswitch ~]# strings output.pcap |grep To:| uniq | head -n 5
To: "J" <sip:1001@>
To: "J" <sip:1001@>;tag=U4SvF45vSBeeN
To: "J" <sip:1001@>
To: "J" <sip:1001@>;tag=vDKNHZp0pm40g
To: <sip:1001@>
[root@softswitch ~]# strings output.pcap |grep To:| uniq | tail -n 5
To: 700972597727055 <sip:700972597727055@>;tag=Uy4Dmj5jN0NHB
To: 700972597727055<sip:700972597727055@>
To: 700972597727055 <sip:700972597727055@>
To: 700972597727055 <sip:700972597727055@>;tag=v7X6NDppj9B4p
To: 001972597727055 <sip:001972597727055@>;tag=jD1e4yDKFgD9j
[root@softswitch ~]# strings output.pcap |grep -i nonce| uniq | head -n 10
Proxy-Authorization: Digest username="2010",realm="",nonce="9613eafe-5920-11e2-84ca-eb9dba96f036",uri="sip:00972592819732@",response="264f1ab22fa5dacafc01387032228446",cnonce="4b41f53e6f00c05",nc=00000001,qop="auth",algorithm=MD5
Proxy-Authorization: Digest username="2010",realm="",nonce="96dbcfa6-5920-11e2-84cc-eb9dba96f036",uri="sip:000972592819732@",response="512df72182d278d705a2160ba15f4a0f",cnonce="4b41f53e6f00c05",nc=00000001,qop="auth",algorithm=MD5
Proxy-Authorization: Digest username="2010",realm="",nonce="97630552-5920-11e2-84ce-eb9dba96f036",uri="sip:900972592819732@",response="a45fc82a1d632a8890f777716b7935f5",cnonce="4b41f53e6f00c05",nc=00000001,qop="auth",algorithm=MD5
Proxy-Authorization: Digest username="2012",realm="",nonce="0b1a9a5a-5926-11e2-84d4-eb9dba96f036",uri="sip:00972592819732@",response="c5590c623d654384f83ff04da785a197",cnonce="4b41f53e6f00c05",nc=00000001,qop="auth",algorithm=MD5
Proxy-Authorization: Digest username="2012",realm="",nonce="0c7a5b10-5926-11e2-84d6-eb9dba96f036",uri="sip:000972592819732@",response="f581d146cb370170764fa8f54bd4b360",cnonce="4b41f53e6f00c05",nc=00000001,qop="auth",algorithm=MD5
Proxy-Authorization: Digest username="2012",realm="",nonce="0dc65ae6-5926-11e2-84d8-eb9dba96f036",uri="sip:900972592819732@",response="d522d9a645bd6b3a47a8d5091b73b0f4",cnonce="4b41f53e6f00c05",nc=00000001,qop="auth",algorithm=MD5
Proxy-Authorization: Digest username="2020",realm="",nonce="811aaa42-592b-11e2-84de-eb9dba96f036",uri="sip:00972592819732@",response="407a62e3cc1dcadad13e5e672a8cdb88",cnonce="4b41f53e6f00c05",nc=00000001,qop="auth",algorithm=MD5
Proxy-Authorization: Digest username="2020",realm="",nonce="826543b2-592b-11e2-84e2-eb9dba96f036",uri="sip:000972592819732@",response="f803d9c9687217fc97829bc317933c6e",cnonce="4b41f53e6f00c05",nc=00000001,qop="auth",algorithm=MD5
Proxy-Authorization: Digest username="2020",realm="",nonce="83df2bfe-592b-11e2-84e4-eb9dba96f036",uri="sip:900972592819732@",response="5e11b2531e86709427c9eea542203cd9",cnonce="4b41f53e6f00c05",nc=00000001,qop="auth",algorithm=MD5
Proxy-Authorization: Digest username="301",realm="",nonce="2e81b5a4-592c-11e2-84e9-eb9dba96f036",uri="sip:00972597727055@",response="156ef65fecbe325882b48b555ec92cd4",cnonce="4b41f53e6f00c05",nc=00000001,qop="auth",algorithm=MD5

For those not that familiar with UNIX, this basically means that there are bots (or botnets) out there trying to brute-force the passwords of your extensions and call out through your switch (note the international numbers in the To: headers and the same extension retried with a fresh server nonce on every guess). That means you need to change the default extension passwords before running FreeSwitch for the first time.
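A small detection script for the same kind of capture, added here as an example (it is not part of the original post and not a FreeSwitch tool). It takes the `strings output.pcap` view used above on stdin and summarizes, per SIP username, how many Proxy-Authorization attempts were seen, how many distinct server nonces (each nonce is a fresh challenge, so a fresh failed guess) and how many distinct dialed URIs; usernames at or above a threshold of distinct nonces are marked. The sample capture inside the block is constructed, with the same header layout as the real lines above but invented nonces and response values.

```shell
#!/bin/sh
# Added example: summarize SIP digest-auth guessing from "strings" output
# of a pcap. Usage: strings output.pcap | summarize_sip_auth [threshold]
# Constructed sample data in sample_capture() below is for demonstration.

summarize_sip_auth() {
    grep -i 'Proxy-Authorization: Digest' |
    awk -v thr="${1:-3}" '
        {
            user = ""; nonce = ""; uri = ""
            # The Digest parameters are comma separated; pick the three we need.
            # "nonce" and "uri" are anchored to the field start so that the
            # client "cnonce" parameter is not mistaken for the server nonce.
            n = split($0, f, ",")
            for (i = 1; i <= n; i++) {
                if (match(f[i], /username="[^"]*"/)) user  = substr(f[i], RSTART + 10, RLENGTH - 11)
                if (match(f[i], /^nonce="[^"]*"/))   nonce = substr(f[i], RSTART + 7,  RLENGTH - 8)
                if (match(f[i], /^uri="[^"]*"/))     uri   = substr(f[i], RSTART + 5,  RLENGTH - 6)
            }
            if (user == "") next
            attempts[user]++
            if (!((user, nonce) in seen_nonce)) { seen_nonce[user, nonce] = 1; nonces[user]++ }
            if (!((user, uri) in seen_uri))     { seen_uri[user, uri] = 1;     uris[user]++ }
        }
        END {
            for (u in attempts) {
                flag = (nonces[u] >= thr) ? " suspect" : ""
                printf "user=%s attempts=%d nonces=%d uris=%d%s\n", u, attempts[u], nonces[u], uris[u], flag
            }
        }' | sort
}

# Constructed sample in the shape of the capture above (nonces and
# responses are made up); the trailing To: line shows non-auth lines are ignored.
sample_capture() {
    cat <<'EOF'
Proxy-Authorization: Digest username="2010",realm="",nonce="n1",uri="sip:00972592819732@",response="aa",cnonce="4b41f53e6f00c05",nc=00000001,qop="auth",algorithm=MD5
Proxy-Authorization: Digest username="2010",realm="",nonce="n2",uri="sip:000972592819732@",response="bb",cnonce="4b41f53e6f00c05",nc=00000001,qop="auth",algorithm=MD5
Proxy-Authorization: Digest username="2010",realm="",nonce="n3",uri="sip:900972592819732@",response="cc",cnonce="4b41f53e6f00c05",nc=00000001,qop="auth",algorithm=MD5
Proxy-Authorization: Digest username="301",realm="",nonce="n4",uri="sip:00972597727055@",response="dd",cnonce="4b41f53e6f00c05",nc=00000001,qop="auth",algorithm=MD5
To: "J" <sip:1001@>
EOF
}

# With no arguments, run on the constructed sample; otherwise read stdin.
if [ "${1:-}" = "sample" ]; then
    sample_capture | summarize_sip_auth
fi
```

On the sample this prints `user=2010 attempts=3 nonces=3 uris=3 suspect` and `user=301 attempts=1 nonces=1 uris=1`; on a real capture, a legitimate phone re-registering shows one or two nonces per hour, while a guessing bot burns a new nonce on every packet, which is the signal to act on (fail2ban on the FreeSwitch log, or an ACL on the SIP profile).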

I used a good (although older) tutorial about getting started with FreeSwitch.

Moral reform by Ztohoven: An ultimate hack

Almost nobody would guess that the speech of Czech MP David Rath would start a moral reform in the country. Rath was arrested and charged with receiving bribes in May 2012. He had a chance to explain what happened to other MPs, who would then vote on his political immunity. His words were not addressing the fellow MPs. He was looking at the cameras and trying to create a sentiment in the Czech nation. He pointed out other cases of corruption. The moral reform was not coming from his words nor from his heart. It was happening in parallel to his speech. And he was the only one that did not notice.

In contrast to his fellow citizens, Karel Schwarzenberg (minister of foreign affairs) was not moved by Rath’s words. He did what every sane person in that situation would do – he fell asleep. From that place where dreams melt with the reality of TV cameras filming bored politicians he sent a text message to Karolína Peake (Deputy Prime Minister of the Czech Republic).

Miss Peake was not moved by heart-breaking speech of Rath either. The cameras caught her black ThinkPad, as she was sitting right behind the speaker, but we could not see its screen. We could read her face though and it kept saying: “I don’t care what’s around, I am doing something more important”. Probably reading e-mail. Or browsing Facebook. She almost forgot that the whole country is watching her. Then she woke up – from the place where we escape when we wait at the doctor’s office – when her phone vibrated. She received a text. Although we already know what it said, at that time, we could only see her reaction: She smiled, her hand swept through her hair and she got a rush of energy. She probably decided to share that text with someone…

Karel Schwarzenberg (TOP 09) -> Karolína Peake (independent)

“Watching what goes on these days, I realize that we need to stop doing that. We need to do something, something important. Something that will change our whole society from scratch”

A few minutes later something unexpected happened at the house of parliament. No, David Rath did not apologize for his corrupt behaviour. His speech was still directed at citizens, trying hard to make them emotional. He probably learned that from the heart-breaking speeches of many other politicians who use this technique to influence the public. Something was in the air. Whispering started in the house of parliament.

Jan Hamáček (ČSSD) -> Alexandr Vondra (ODS)

“We all have something on each other – a mutual deadlock. I feel really bad about it. Moral reform is the only way out of it. Let’s grasp this opportunity”.

More and more of these text messages (SMS) started to spread – between MPs, between heads of political parties, between press representatives and journalists. In both directions. Everyone was joining the moral reform. Everyone wanted to know more. The texts were promising a press conference that would explain the concept of moral reform to journalists and citizens. Rath had not finished yet, but something was going on here. How is it possible that Karel Schwarzenberg managed to write a message while sleeping? How is it possible that colleagues sitting next to each other exchanged messages without even touching their phones? The answer was in the text. “Moral reform is the only way out of it.” (“Morální reforma je jediná možnost jak z toho ven”)

Ztohoven is a Czech art group that is formed and then dismantled with every action they do. They became famous when they transformed the giant neon heart at Prague Castle (seat of the president) into a large red question mark. Their most famous artwork is their pirate broadcast of nuclear explosion above Krkonoše mountains on Czech Public Television (see more in the documentary about this project – English subtitles included). Project “Media Reality” was seeking an answer to question “Do people believe in what media present us as reality?”. TV cameras that are broadcasting live footage from Czech ski resorts (even during the summer) apparently were not secured that well. This group of artists managed to broadcast their own signal instead of live feed to the transmitter, replacing colorful panoramas of the Czech countryside with the atomic blast. This did not cause nation-wide panic, but a discussion about questions like “What is art?” and “Does this threaten the public?”. Discussion ended up in the court…

Ztohoven prepared a documentary (in co-production with Czech TV – which is really nice, considering their previous conflict about the explosion) about their other project. Its name, Občan K. (Citizen K.), is inspired by Franz Kafka. It is about identity and identification. What would it be like to be someone else for a while? How would it be to renounce your own identity? Twelve members of the group decided to try it themselves. They took pictures of themselves in black T-shirts and used image morphing software to create “inter-identities” – a little bit of me and a little bit of the other guy. Then they took the photo and requested a new state-issued ID card (in the Czech Republic – unlike other countries – you bring your own photo to use)…

When they had this new ID card, they requested passport, visa to China, gun permit and even a wedding certificate – during the wedding, the groom and the best man had to exchange, because their identities were exchanged and the bride wanted her husband’s real name on the certificate.

According to the state, we are all equal. They do not care about us as long as we pay taxes, do not break the law and generally stay out of the way. The bureaucrats do not communicate with people, but with rows in the database and their ID cards. The human being is usually only there to hand over the ID card to the state employee. They only notice a face when they try to compare the picture on the ID to the face of its owner. From that point on, we are just a record in the database. You can find more about the project in the documentary Občan Ztohoven, which is right now in Czech cinemas and will be touring world documentary film festivals soon.

Projects of the group are not taking place in a gallery – they occur in “public space”. Museums and galleries are only visited by hipsters and tourists anyway. The “public space” as their location is almost the only thing that the projects have in common – it is very difficult to predict their next project.

Members of the group rarely have control over the result of a project. Most people learn about them from the media, and that means they only get to know the media interpretation. It is very interesting that the public is almost always on their side. Although public support is very important (even in court), the members never know what consequences their projects will have. When they were sending the texts to the members of parliament, they could have changed a vote or caused panic. But did they want to do that? Did they want to cause panic or change votes? It’s sad that the media wrote that “Hackers attacked mobile phones of members of parliament”. The content – the Moral Reform – was apparently not as interesting as the hacker attack. MPs did not disapprove of the project (how could someone disapprove of Moral Reform?), but they never spoke about it. The media focused on the fact that someone could send fake text messages and get hold of the phone numbers of most MPs, the president and relevant journalists. They did not focus on the fact that our world needs a real moral reform. Maybe that’s the reason the members of Ztohoven call their projects “media sculptures” – they can lay the foundation stone, but the resulting shape of the project is usually formed by the media. And most foreign media totally ignored this project. What a pity.

People usually do not like to think about structures – in a mathematical sense. Almost everyone is interested in means and content, not in relations between objects. People are interested in who voted for and who voted against something (this is actually the better case – when people are interested at all). Few people are interested in the actual meaning of a law. There is little discussion about the power structure of the parliament – who tells the MPs how to vote (no, they do not read all the laws they vote for). Moral Reform is much more than a mirror of the morality of politicians. It shows the structure of power in the Czech Republic (see the project’s web page at www.ztohoven.com/mr/index-en.html). You can see who communicates with the media, who tells the members of political parties how to vote. Who is a carrier of change and who is a voting puppet? I suggest checking out the text messages not in a list, but in the graphic representation of parliament, where you can see how information spreads. Of course this interpretation of the structure of power was created by members of Ztohoven, but it is very scary when you think about how closely the dramaturgy and “screenplay” resemble reality. When one politician showed the journalists the fake text he got from Radek John and let them take a picture, he did not realize that there was an older message from the same politician that said “Skokan pacified”. Both Petr Skokan, MP for Věci veřejné, and Radek John decided not to comment…

Sometimes I wish we had Ztohoven in our country. There are not many people who ask the right questions. There are almost none who ask the difficult ones. I am trying to imagine what would happen if Moral Reform really happened – if politicians really decided to end corruption and be better. If they understood that they are here to serve us. Maybe it’s evolutionary – those who are politicians are there because they have the ability to speak well in front of people, to touch their hearts and transfer emotion. About doubling wages, about security, the economy, the nation, education, Europe and the bright future… And for some reason, people base their “voting” on that. If the only quality the people in parliament are capable of is speaking to people’s hearts, are they capable of real transformation from inside? Are they capable of moral reform? Every politician is able to tell the public that they let go of their past and focus on the future. Are they capable of actually doing it?

Václav Klaus, president of Czech Republic -> heads of political parties

“Mister chairman, I urgently ask you to come to the Castle today. I would like to talk to you about the Moral reform.”

It is sad that this text came from a dream of Ztohoven and even though all heads of political parties actually received it, it was not sent from the phone of the president. We are still waiting for the moral reform to come…

Backing up your github repositories

I have put a lot of my free software on GitHub lately. GitHub is nice: it allows community forks and other great things. But what if it is gone? For that, we have backups. Do we?

We should.

Addy Osmani wrote about backing up your GitHub repositories. He gave three solutions. The second one did not work for me and I was too lazy to debug it, the third one required Haskell and some additional libraries (I will learn Haskell, but not at 6am), so I adapted the first solution. It is pretty simple, but it used the GitHub v2 API, which is no longer supported.

So the updated version is here. I also added some shell escaping (although if you back up someone else’s repository, I suggest checking for filename-significant characters too).

This backs up all your public repositories (that’s what I use). I use it with duplicity for secure backup (and restore) by encrypting on the client side (please take good care of your PGP private key if you do this).
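An added example of the same idea, written for this page and not the script linked above: it lists a user’s public repositories through the GitHub REST API v3 (`https://api.github.com/users/<user>/repos`, paged with `per_page` and `page`), which replaced the v2 API the original script used, and mirror-clones each one. The point from the paragraph above about filename-significant characters is handled by refusing any repository name outside `[A-Za-z0-9._-]` before it is used as a directory name. It assumes curl and git are installed; the user name, backup directory and the "run" argument are this example’s own conventions.

```shell
#!/bin/sh
# Added example: mirror all public repositories of one GitHub user.
# Usage: sh github_backup.sh run <user> [backup-dir]
# Assumptions (not from the post): curl and git available, API v3 JSON layout.

# Read the repos JSON on stdin and print one clone URL per line.
clone_urls_from_json() {
    grep -o '"clone_url": *"[^"]*"' | sed 's/.*: *"\([^"]*\)"$/\1/'
}

# Local directory name for a clone URL: last path component minus ".git".
repo_name_from_url() {
    basename "$1" .git
}

# Refuse names that could escape the backup directory or confuse the shell:
# only letters, digits, dot, underscore and dash, and never "." or "..".
safe_repo_name() {
    case "$1" in
        ''|.|..)            return 1 ;;
        *[!A-Za-z0-9._-]*)  return 1 ;;
    esac
    return 0
}

# Walk every page of the listing and mirror each repository. A mirror clone
# keeps all refs, so a restore is a plain "git clone" of the backup copy.
backup_github_user() {
    user="$1"; dir="${2:-$HOME/github-backup}"
    mkdir -p "$dir"
    page=1
    while :; do
        urls=$(curl -fsS "https://api.github.com/users/$user/repos?per_page=100&page=$page" | clone_urls_from_json)
        [ -n "$urls" ] || break
        for url in $urls; do
            name=$(repo_name_from_url "$url")
            if ! safe_repo_name "$name"; then
                echo "skipping suspicious repository name: $name" >&2
                continue
            fi
            if [ -d "$dir/$name.git" ]; then
                git --git-dir="$dir/$name.git" remote update --prune
            else
                git clone --mirror "$url" "$dir/$name.git"
            fi
        done
        page=$((page + 1))
    done
}

if [ "${1:-}" = "run" ] && [ -n "${2:-}" ]; then
    backup_github_user "$2" "${3:-}"
fi
```

The backup directory is what you then hand to duplicity; because the mirrors are bare repositories, the encrypted archive contains no working tree, only the objects and refs needed for a full restore.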

Report from 29c3

The Chaos Communication Congress (CCC or C3 for short) is traditionally held between Christmas and New Year. This date is chosen not only because most hackers are free during this time, but also because the organizers like to avoid people who go to conferences to escape their job and actual work. An unusual but effective solution.


In addition to the traditional time, the place was traditional too – at least for the older ones among us. The 29th Congress returned from Berlin to the original city of the CCC – Hamburg. The acronym of this year’s conference is 29C3 (29th Chaos Communication Congress). The tagline of this year’s congress is “Not My Department”. The name suggests something that most hackers don’t like to see – someone (especially an official) making excuses about something being beyond their competence.

If some of the talk descriptions below sound interesting, feel free to watch them online at http://bit.ly/Zd2ZGR; the streams are free.

The conference was opened by a keynote by Jacob Appelbaum. As a Tor Project developer and Wikileaks collaborator, he has experienced what it is like to come into conflict with a powerful state: interrogations lasting hours at airports are routine for him, yet he has never been charged with anything. Jacob tried to inspire hackers to develop technologies that support individual freedom: privacy, anonymity, circumventing censorship. Later he also delivered a technical talk on the Tor ecosystem, the programs and libraries people can use (with Tor) for anonymous access and publishing and for circumventing censorship. Sadia Afroz and Aylin Caliskan-Islam gave a talk on stylometry that reminded us that anonymity is not easy: even over a completely anonymous connection to the Internet, your writing style can give you away. They presented their toolkit for stylometry (JStylo) and for partial anonymization of writing style (do not rely on it for strong anonymity, though).

29C3 Hamburg, day 1

A traditional theme of the congress is hacking GSM communication. This time the focus was not on interception. Sylvain Munaut presented his "hack": turning an old Motorola C123 mobile phone, running his own firmware, into a BTS (base transceiver station of a GSM network). It is thus possible (under controlled conditions) to run your own GSM network capable of sending short text messages (SMS). The phone must stay connected to a computer running an OpenBTS clone the whole time, so the Motorola C123 effectively acts as a GSM radio peripheral.

A GSM network (along with DECT and VoIP networks, all interconnected) has traditionally been run at the Congress. Many attendees used this private network for communication within the congress.

Mark van Cuijk from the Netherlands presented his "open" GSM service provider Limesco. It lets you adjust the routing of calls the way you want; in effect you bring mobile calls into your own VoIP PBX, where you can route them or do other interesting things with them. The talk also gave an overview of how commercial mobile operators work in the background, of the various companies involved (network operator, vendor, virtual operator, ...) and of pricing and interconnection charges.

The second major topic was the serious conflict between states and hackers. From the use of the Internet in protests (Arab Spring, Occupy movement) to so-called whistleblowing, 29C3 covered almost the full spectrum of that conflict. The highlight of this topic was the talk "Enemies of the State: What Happens When Telling the Truth about Secret US Government Power Becomes a Crime", given by two former NSA employees who worked on surveillance technology. Both left the NSA after their superiors decided to develop and deploy an interception programme called Stellar Wind, which (according to them) intercepts and stores all communications (regardless of citizenship) without a court order. Thomas Drake said several times that this is against the U.S. Constitution. William Binney explained how the eavesdropping technology works and what the capacity of the new NSA data center under construction in Utah is.

Americans are not the only ones building and using mass-surveillance technologies: Russia is doing it too and is not so secretive about it. The "Russian way" of intercepting everything is being exported beyond Russia's borders, and even beyond the former Soviet Union. Mexico decided to buy interception technology from Russian companies, and the vendor persuaded the government to adopt Russian lawful-interception procedures as well: the competent authorities receive all traffic unfiltered and then filter it themselves. No independent party checks whether there is a court order for the interception.


Cryptology and attacks on ciphers have their own dedicated academic conferences, but the cryptanalysis of the Russian cipher GOST was quite interesting even at the Congress. Timo Kasper presented an analysis of RFID security cards in a very funny and interesting way; the hacking of Prague's Opencard was also covered. However, the most interesting talk (in our opinion) was on factoring RSA public keys (FactHacks), presented by Daniel J. Bernstein (DJB, author of djbdns and the qmail mail package), Nadia Heninger and Tanja Lange. They pointed out real problems in the deployment of encryption systems, such as insufficient entropy when generating keys. They showed a field-tested method for factoring a large number of keys at once, and their project is available at http://factorable.net/, where you can check whether a public key is among the weak ones whose factors are already known. An important take-away from this talk is that 1024-bit RSA keys should no longer be used.
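The attack behind factorable.net in miniature, as an added example (this is not the FactHacks code): when two RSA moduli share a prime because the devices that generated them lacked entropy, a single GCD of each modulus against the product of all the others recovers that prime, without factoring anything. The primes here are tiny and generated inside the script so it runs in milliseconds; a real batch uses a product tree and a remainder tree over millions of 1024-bit moduli, but the arithmetic is identical.

```python
"""Batch GCD against RSA moduli that share a prime (added example).

The keys are constructed: five small primes, of which the first is reused
by two "devices", simulating a generator seeded with too little entropy.
"""
from functools import reduce
from math import gcd


def is_prime(n):
    """Trial division; fine for the toy sizes used here."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    d = 3
    while d * d <= n:
        if n % d == 0:
            return False
        d += 2
    return True


def next_prime(n):
    n += 1
    while not is_prime(n):
        n += 1
    return n


def constructed_keys():
    """Three moduli: N1 = p*q, N2 = p*r (shared p), N3 = s*t (healthy)."""
    p = next_prime(1_000_000)
    q = next_prime(p)
    r = next_prime(q)
    s = next_prime(r)
    t = next_prime(s)
    return [p * q, p * r, s * t], (p, q, r, s, t)


def batch_gcd(moduli):
    """gcd(N_i, product of all other N_j) for every i.

    A product tree plus remainder tree makes this quasi-linear for millions
    of keys; the plain product is enough to show the idea. Reducing the
    co-product modulo N_i first keeps the gcd operand small."""
    total = reduce(lambda a, b: a * b, moduli, 1)
    return [gcd(n, (total // n) % n) for n in moduli]


def recover_factors(moduli):
    """Return (p, q) with p < q for every modulus that shares a factor with
    another one in the batch, None for the rest."""
    out = []
    for n, g in zip(moduli, batch_gcd(moduli)):
        if g == 1:
            out.append(None)                     # no shared prime in this batch
        elif g == n:
            # Both primes occur elsewhere, or the key itself is duplicated:
            # fall back to pairwise gcds against the other moduli.
            f = next((gcd(n, m) for m in moduli if m != n and 1 < gcd(n, m) < n), None)
            out.append(tuple(sorted((f, n // f))) if f else None)
        else:
            out.append(tuple(sorted((g, n // g))))
    return out


if __name__ == "__main__":
    moduli, primes = constructed_keys()
    for n, factors in zip(moduli, recover_factors(moduli)):
        print(f"N={n}: {'factored as ' + str(factors) if factors else 'no shared factor'}")
```

Note what the result does and does not say: a modulus reported as None is not proven strong, it merely shares no prime with the other keys in this particular batch. That is why factorable.net can only tell you whether your key is among the ones already broken.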

Sebastian Schinzel introduced (timing) side-channel attacks. The idea is that some operations take longer and some shorter, and from the time an operation takes an attacker can learn information that is not public. The textbook example is a login routine that first looks up the user name and only then verifies the password. If the operation completes faster (statistically, over many measurements), the user was not found; if it takes longer, the application found the user and went on to check the password, so the user exists. This works even though in both cases the server replies "Incorrect user name or password". Sebastian released a set of tools for measuring and evaluating time-based side channels and showed some techniques for preventing this type of attack.
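To make the username-enumeration leak concrete, here is an added Python example (constructed for this page, not taken from the talk or its tools). login_vulnerable returns before doing any password hashing when the user does not exist, while login_hardened verifies a dummy credential instead, so both paths perform one PBKDF2 computation and a constant-time comparison. The user database, password and work factor are made up; the hash-call counter exists only so the equal-work property can be checked without relying on noisy timings.

```python
"""Login timing side channel: vulnerable vs. equal-work implementation.

Added example. The user database, the password and the PBKDF2 work factor
are constructed for illustration.
"""
import hashlib
import hmac
import os
import statistics
import time

ITERATIONS = 20_000          # PBKDF2 work factor; a real deployment uses more
STATS = {"hashes": 0}        # counts password-hash computations (demo only)


def _hash(password, salt):
    STATS["hashes"] += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def _make_user(password):
    salt = os.urandom(16)
    return salt, _hash(password, salt)


# Constructed user database: a single real account.
USERS = {"alice": _make_user("correct horse")}
# Dummy credential verified for unknown users so that both paths cost the same.
_DUMMY_SALT, _DUMMY_HASH = _make_user("not a real password")


def login_vulnerable(username, password):
    """Textbook leak: an unknown user returns at once (no hashing), a known
    user pays for PBKDF2 first. Timing the responses reveals which user names
    exist even though both cases produce the same error message."""
    record = USERS.get(username)
    if record is None:
        return False
    salt, stored = record
    return _hash(password, salt) == stored      # also a non-constant-time compare


def login_hardened(username, password):
    """Same work on both paths: hash against a dummy record when the user is
    unknown, compare in constant time, and only then fold in existence."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = _hash(password, salt)
    matches = hmac.compare_digest(candidate, stored)
    return matches and username in USERS


def hash_calls(login, username, password):
    """Number of password-hash computations one login attempt triggers."""
    before = STATS["hashes"]
    login(username, password)
    return STATS["hashes"] - before


def median_seconds(login, username, password, rounds=20):
    """Crude local timing measurement, the kind the talk's tools automate
    over a network with far more samples and statistical filtering."""
    samples = []
    for _ in range(rounds):
        t0 = time.perf_counter()
        login(username, password)
        samples.append(time.perf_counter() - t0)
    return statistics.median(samples)


if __name__ == "__main__":
    for fn in (login_vulnerable, login_hardened):
        known = median_seconds(fn, "alice", "wrong")
        unknown = median_seconds(fn, "mallory", "wrong")
        print(f"{fn.__name__}: known user {known * 1e3:.1f} ms, "
              f"unknown user {unknown * 1e3:.1f} ms")
```

Running the script shows the vulnerable version answering unknown users in microseconds and known users in milliseconds, while the hardened version takes the same time for both. The remaining difference (a dictionary lookup and the final `in` test) is far below the noise floor of a network round trip, which is the bar the talk's measurement tools are built to probe.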

The Congress consists of many interesting things, not only talks. Even though it is already the 29th annual conference, the organisers are not afraid to experiment. The new venue hosted nearly a hundred so-called "assemblies", i.e. areas (from a few tables to a large hacking space) with a common theme. The assemblies also organized workshops and technology demonstrations outside the main programme; there were over 100 such independent workshops. The conference network was interesting too: peak usage was 3059 users, and 40% of the traffic was IPv6. During the conference, Hamburg's aggregate Internet traffic increased by a third (the conference used over 8 Gbit/s). The organizers declared this usage "booooring" and concluded that people do not follow the recommendation on the screens: "Please use more bandwidth".

A number of accompanying events, spontaneously organized workshops and meetings, interesting and high-quality talks, and open access (low entrance fees, a conference run purely by volunteers, free streams) make the Chaos Communication Congress the best technical (hacking) conference at least in Europe. The Congress has two sister camps: one organized by the German Chaos Computer Club and the other in the Netherlands. This year's Dutch camp is called Observe, Hack, Make (OHM) and tickets are already on sale at ohm2013.org. Join us in the summer, it will be an awesome event!