2007-05-13 20:02:50

Hints for dead-end conversations on surveillance

If you talk to the average people on the street about video/phone/internet surveillance, you end up in a never-ending round of the same arguments pretty quickly. Here is a way I came up with during the ChaosDocks to get out of some of these situations:

I have nothing to hide!

If someone comes up with this argument, ask him to follow you to a non-public room (a waiting room will do, it just needs to be off the street in order to eliminate legality arguments). In that room, take out a camera and ask the person to get naked so you can take some pictures.

If the person refuses to get naked, which he or she most likely will, ask the person, «Do you still think you have nothing to hide?»

If the person does get naked, he or she is either hitting on you or beyond good and evil. In the latter case, no debate is possible, in the former, none may be required. In fact, this hitting on you might even be something the person might be willing to hide from his or her significant other. Otherwise you at least get some interesting photos.

Amendment: Also, I found this:

Nothing to hide

Posted by Tonnerre Lombard | Permanent link | File under: general, chaos

2007-05-13 19:42:52

Netfilter clusterip: reinventing the wheel

One of the lectures at the 2007 edition of ChaosDocks was about the Netfilter extension «clusterip». This extension aims at providing an interface to Netfilter which allows for router redundancy.

Router redundancy per se involves two major tasks. The first task is, of course, to listen to a common IP. Under OpenBSD, the protocol carp (Common Address Redundancy Protocol) is used for this. It is a versatile protocol which allows connections to be established and related to multiple hosts which share the same IP. The IETF standard protocol VRRP, a standardized variant of the Cisco protocol HSRP (Hot Standby Router Protocol), also specifies this functionality via a master/slave system inside its protocol.

The solution of the Netfilter people, however, was not to port the carp protocol to Linux; instead they reinvented address redundancy in a rather uncommon way. First of all, all of the routers need an alias interface on the physical interface which will be connected to the corresponding network. This is to ensure that they all receive the entire traffic. It is thereby the duty of the network administrator to ensure that the packets arrive at all hosts.

For this purpose, Netfilter clusterip defines a new multicast protocol which is used to negotiate between the nodes who is supposed to take which connections. This protocol then hashes the source and target IPs to assure that the connection sticks to the same router.

The other task is to ensure that the rules and state tables are equal on all redundant routers. In VRRP, the master controller regularly copies its rules and state tables to all of the slave nodes. OpenBSD defines a second, primitive protocol to solve this task separately. This protocol is called pfsync.

pfsync itself is a cryptographically authenticated protocol. Only nodes which can authenticate themselves in a challenge-response protocol are allowed to push rules and states. While the carp protocol assures that only one router processes the arriving packets, the pfsync protocol takes care of the connection states (for e.g. NAT) so the packets don't get rejected in case the connection ends up on a router it has not been initiated on.

Thus, pfsync permits full load balancing and redundancy as well as error recovery in case one of the routers goes offline. It does not have any dependency on a special master server, and is cryptographically secure (to our current knowledge).
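To make the two tasks above concrete, here is an added example (not code from clusterip, carp or pfsync) of the flow-to-router assignment the post describes: every node sees every packet and keeps only the flows whose hash of source and target IP maps to its own index, and the remapped_flows helper shows which flows lose their owner when a node disappears, which is exactly the gap that state synchronisation such as pfsync has to cover. The SHA-256-based hash and the sample flows are constructed for illustration; the kernel's clusterip target uses its own hash function.

```python
import hashlib
import ipaddress
from typing import List, Tuple

Flow = Tuple[str, str]  # (source IP, destination IP)


def flow_hash(src: str, dst: str) -> int:
    """Stable hash over the packed (source, destination) address pair.
    SHA-256 is an assumption made for this example only; the real
    clusterip target does not use it."""
    payload = ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
    return int.from_bytes(hashlib.sha256(payload).digest()[:4], "big")


def responsible_node(src: str, dst: str, n_nodes: int) -> int:
    """Index (0 .. n_nodes-1) of the router that owns this flow."""
    if n_nodes < 1:
        raise ValueError("need at least one node")
    return flow_hash(src, dst) % n_nodes


def accept_packet(node_id: int, src: str, dst: str, n_nodes: int) -> bool:
    """Local decision of one node: all nodes receive the packet through the
    shared alias interface, but only the hashed owner processes it."""
    return responsible_node(src, dst, n_nodes) == node_id


def remapped_flows(flows: List[Flow], before: int, after: int) -> List[Flow]:
    """Flows whose owner changes when the node count goes from `before` to
    `after` (e.g. a router going offline). Without synchronised state
    tables these flows arrive at a router that has never seen them."""
    return [
        (s, d) for (s, d) in flows
        if responsible_node(s, d, before) != responsible_node(s, d, after)
    ]


# Constructed sample flows (documentation/private ranges, not real hosts).
SAMPLE_FLOWS: List[Flow] = [
    ("192.0.2.10", "198.51.100.1"),
    ("192.0.2.11", "198.51.100.1"),
    ("192.0.2.12", "198.51.100.2"),
    ("203.0.113.7", "198.51.100.1"),
    ("2001:db8::1", "2001:db8::ffff"),
]

if __name__ == "__main__":
    for s, d in SAMPLE_FLOWS:
        print(s, "->", d, "owned by node", responsible_node(s, d, 3))
    print("flows remapped when 3 nodes become 2:", remapped_flows(SAMPLE_FLOWS, 3, 2))
```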

Nevertheless, the Netfilter architects chose to create an addition to clusterip which takes care of the states. It is part of clusterip even though its purpose is not related to address redundancy in any way. Also, it is incompatible with any of the three preexisting protocols, HSRP, VRRP and CARP/pfsync.

Inquired about his reasons to create his own protocol rather than to port existing protocols to Linux, the clusterip author responded that it would probably involve the same effort. Challenged about the interoperability of his solution, he answered that he didn't look at the existing solutions but had the feeling beforehand that they would not suit his requirements.

He wasn't sure about it though.

Posted by Tonnerre Lombard | Permanent link | File under: chaos, standards

2007-05-09 10:48:22

Media reception of Ubuntu Mobile and Embedded

The Swiss newspaper «20min» reports about the new partnership between Intel, Dell and Ubuntu. The aim of the partnership is to sell mobile phones that run on the Ubuntu distribution.

Apparently, the market of Linux based mobile phones is slowly beginning to demarginalize.

(Unfortunately, the article is not available in the web version but only in the print release.)

Posted by Tonnerre Lombard | Permanent link | File under: chaos, news

2007-05-09 10:42:00

Even more passengers for the CFF

The Swiss Railways CFF (Chemin de fer Fédéraux Suisse) have managed to attract a new record number of passengers. In 2006, the Swiss railways transported 285 million different people.

This means that the Swiss railways have to increase the number of trains and cars per train again after only a couple of years. Also, the schedules are being reworked in order to allow passengers to be transported to main destinations with smaller delays. New tunnels are also being planned.

The CFF are even considering special bonuses for people who travel at hours outside the typical congested times, in order to ease the rush-hour «traffic jams».

Posted by Tonnerre Lombard | Permanent link | File under: general, news

2007-05-09 10:35:02

Keeping the youth out of government buildings - with ultrasound

The government of Geneva had a new idea for keeping the youth out of the government buildings. A new installation of speakers emits sounds in the range of 20kHz. These sounds cause headaches in younger people, but can no longer be heard by average citizens after a certain age.

However, this installation relies heavily on the concept of the average citizen. There are people who are still able to hear sounds far beyond the 20kHz boundary, while some young people have already damaged their hearing in discos and with walkmans well before they reach the «critical age».

Also, the question remains whether there is any sense in making such a discrimination. What exactly is the point of keeping the youth out of the Palais Eynard?

Posted by Tonnerre Lombard | Permanent link | File under: general, news