Friday, March 27, 2015

Journalism and digital security in Sweden

(This was first published in the SI network for The Local)


Nils Hanson from SVT, with generic tips on digital security.

After the sensational yet revealing intelligence leaks by Edward Snowden in 2013, the perception of the internet as a safe haven and a truly democratic platform for expression has been damaged. In most cases, by not denying them, the intelligence agencies have in effect acknowledged the veracity of the claims of mass surveillance. As a consequence, many free speech advocates around the world have raised flags of concern. Instances where whistle-blowers and journalists have been persecuted using weaknesses in the security of digital communication tools have become a growing concern. I was curious to learn what Swedish journalists made of these leaks.

Gräv, the annual gathering of journalists in Sweden to discuss investigative journalism, was an apt platform to get a sense of how the Swedish journalism fraternity perceived this issue. With more than 400 journalists from across Sweden and about 50 international journalists, the event was the best arena to inquire into the post-Snowden epoch in digital security.

Inadequate efforts

Sven Bergman, a prolific investigative journalist now working for Sveriges Television's scoop program Uppdrag granskning, emphasized the need for journalists to secure their communications in his session during a focused workshop at Gräv. Having worked on sensitive stories involving anonymous sources, he had tried many measures, ranging from basic tools like PGP encryption to advanced measures like air-gapped computers.

When asked if there was a change in etiquette amongst the rest of the journalist fraternity in Sweden after the Snowden revelations, Sven said that the concern had grown, but the efforts taken weren't adequate. “Yes, and no. People are more aware of the possible threats when using internet based communication, but there is lack of education in using these security measures, which needs to be changed”, he said. He also pointed at a recent incident in which a major Swedish newspaper, Aftonbladet, published its private encryption keys along with the user manual it had put together for its employees. The intent was to encourage its employees to use PGP-based encryption, but publishing the private keys jeopardized the whole initiative. Making one's private key available in public is analogous to investing in the most sophisticated security setup for your home, and then leaving a post-it with the access code at your entrance.

Incidents like a major newspaper publishing its private PGP keys are not frivolous matters to be laughed at. They highlight the bigger issue: the need to educate journalists and the general public alike in using digital security measures.

A survey I conducted at Gräv affirmed the concern raised by Sven Bergman and others during the conference. An overwhelming majority of the more than 100 participants in the survey were aware of the mass surveillance programs, and agreed that they were a risk to journalism and free speech. But less than 20% of the participants had used any security measures at all. They attributed this to the lack of education about these security tools.

Changing from within

There have been initiatives among journalists in Sweden to popularize the use of digital security. For instance, Peter Skyhag, a representative from Journalistförbundet, the Swedish union for journalists, said that their organization had been trying to educate journalists, adding, “We have experts who conduct special workshops to train and educate journalists on using encryption and other basic security measures”. Peter also brought to notice a primer on internet security for journalists put together by three journalists in collaboration with Journalistförbundet. The manual, Digitalt källskydd, is available in Swedish under a Creative Commons license, for journalists to understand the need for, and to learn, basic security measures when using internet-based and other digital communication services.

The reasons journalists have not widely adopted digital security measures like encryption in mail, chat or browsing seem to be three-fold. First, as with all technology, the adoption of security tools has a learning curve, and without comprehensive education aimed at training journalists, there cannot be widespread adoption of digital security. Secondly, the fact that the tools themselves aren't intuitive makes it tedious to adopt them. This should prompt technologists to make these tools more accessible to everyone by making them user-friendly. Finally, journalists need to understand why they are compelled to secure their communications: to protect themselves and their sources.

Tuesday, May 27, 2014

Syncthing: Way out of DropBox

With each of us running up to three connected devices, services like DropBox did well in tapping the need to synchronise our data between them. I was, like everyone who tried out their service, immensely excited to see DropBox synchronise between devices. That it did not need a geeky learning curve made it popular, and rightly so.

But, talking from the perspective of a Free Software advocate, it was never the right solution.

  • Proprietary: DropBox uses Python scripts for the synchronisation services. But beyond that it is a black box that accesses your data on multiple devices. I won't even bother explaining why that is a problem.
  • Cloud: All of the data DropBox synchronises does not only shuttle between your devices but also rests on their ever-in-demand Cloud offering.
  • Amazon: Quite recently I discovered that all the infrastructure of DropBox is handled by Amazon S3 cloud. For technical and political reasons, Amazon is one of the corporations you must distance yourself from.
  • DRM: Recently DropBox updated its policies to enforce a DRM check on the data you share on DropBox. If you were to upload a DRM protected file and make a public link out of it, DropBox would check the hash of your file against a list of DRM protected files it has, and block it if your file is DRM protected. While it might sound sensible, it is another level of intrusion one must not put up with.

I've known about BitTorrentSync, but never had the motivation to try it out. If anyone else has, do share your views.

Just yesterday I stumbled upon an open, secure and, more importantly, decentralised alternative to DropBox: syncthing! The project code is pretty much in the public domain (contributors only ask for attribution).

I tried it out immediately on my Debian machine first, used the tarball and ran the executable. It worked fine. You might want to check out the latest source and build it yourself.

The beauty of this tool is that it uses a p2p protocol over an encrypted link between nodes. There is no central arbitrator. To test it out, I was hoping there would be an Android port of the app, and found one.

Syncthing web GUI, with one local and one remote node


RSA fingerprint of one of the nodes

I got it running on my Nexus. Installation took a while, because the RSA-2048 key generation needs time to gather random data. Don't panic if your device takes a while.

Each device is identified by a node ID, which is the RSA fingerprint. You must add these public keys to each of the nodes you want to synchronise with one another, and that's all. Look at the config.xml file if you are interested, or use the web-based GUI to fine-tune settings like revisions, upload/download speed and other aspects.


Try it out, and if you are one of the gifted ones who can contribute, please do. The folks on both the Android and the main project are nice and looking for contributors.

Happy SyncThinging!

Sunday, June 9, 2013

Automated online backup using FTP

I host my website on a hosted server with no shell access (I know it is pretty lame, but it cuts down on my cost), and until I have my own server running with a public IP address this will remain a problem.

Adding to this is the feature request that I get from others and from myself to put some of the content from work/research away from the computers, somewhere in the Cloud. Since people have not gotten over the paranoia about Dropbox, and I do not recommend it either, the FTP route to a hosted server is a sensible solution.

In the case of a VPS with shell access on the server, a simple 'rsync' would do the job, and crontab (one of the most beautiful pieces of software, ever) makes the computer do it as a routine.

Since none of this is available, simply because I do not have shell access to the server, I started looking at FTP as an option. Of course, FTP ain't secure, but I haven't yet worked the SFTP out. If one of you does it, do post it as a comment.

Here's the script that will be automated using crontab.

#!/bin/bash
username="ftp_user@server"
domain="server"
password="ftp_user_password"

#Getting hold of current date in mm-dd-yy format to append to the backup
date=$(date +"%m-%d-%y")
#backing up a folder to upload
tar -cvzf /home/raghav/backup.tar.gz /home/raghav/backup/ 

#Here's the FTP portion of the code, which runs without interaction

ftp -n <<EOF
 verbose
 open $domain
 user $username $password
 put ~/backup.tar.gz $date-backup.tar.gz
 bye
EOF

Save this as ftp-backup.sh, or anything that makes sense to you.
Test this code, of course after making the necessary changes for your FTP user name, password and the folder to be backed up.

Change the permissions to make it an executable. Use 'chmod a+x ftp-backup' to make it executable, and test it. If the script is working and has left a copy of the backup file on your server, make it a routine task by adding a crontab entry.

raghav@debian:~$ crontab -e

And make the following entry in your crontab, to run the backup script ftp-backup daily at 5 PM (Monday to Friday):
0 17 * * 1-5 /home/raghav/ftp-backup


Here's the daily backup (except on Saturdays and Sundays) dumping archives to my FTP server.
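
The post leaves the SFTP variant open. The script below is an added example, not the author's code: it makes the same dated archive, uploads it with sftp in batch mode using an SSH key instead of a password stored in the file, and sends a SHA-256 checksum alongside it. Assumptions not taken from the post: the host offers SFTP, the key path and user name are placeholders, and the server's host key is already in ~/.ssh/known_hosts.

```shell
#!/bin/bash
# Added example: SFTP variant of the FTP backup script above.
# Assumptions (not from the original post): the host offers SFTP, the public
# half of $key is installed for $remote_user, and the host key is known.
remote_user="ftp_user"              # placeholder
domain="server"                     # placeholder, as in the post
key="$HOME/.ssh/backup_ed25519"     # hypothetical dedicated key; no password in the script

# Create the dated archive, readable by the owner only; print its path.
make_archive() {        # $1 = folder to back up, $2 = output directory
    local out="$2/$(date +"%m-%d-%y")-backup.tar.gz"
    ( umask 077; tar -czf "$out" -C "$(dirname "$1")" "$(basename "$1")" ) || return 1
    printf '%s\n' "$out"
}

# Write the sftp batch file that uploads the archive and its checksum.
write_batch() {         # $1 = archive path, $2 = batch file path
    ( cd "$(dirname "$1")" && sha256sum "$(basename "$1")" > "$1.sha256" ) || return 1
    printf 'put "%s"\nput "%s"\nbye\n' "$1" "$1.sha256" > "$2"
}

# Upload. In batch mode sftp never prompts and exits non-zero if a put fails;
# StrictHostKeyChecking=yes refuses a server whose host key is unknown or changed.
upload() {              # $1 = batch file path
    sftp -b "$1" -i "$key" -o StrictHostKeyChecking=yes "$remote_user@$domain"
}

# Do the real backup only when called with "run", e.g. from the crontab entry.
if [ "${1:-}" = "run" ]; then
    archive=$(make_archive /home/raghav/backup /home/raghav) &&
    write_batch "$archive" "$archive.batch" &&
    upload "$archive.batch"
fi
```

After downloading a backup, `sha256sum -c` on the uploaded .sha256 file confirms the archive arrived intact.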


Sunday, May 26, 2013

My date with the Mighty Savandurga


by Monisha M Ganesh
19-05-2013
It was a cold pleasant morning, when I set out for what was supposed to be my first ever trek. I was going to scale the mighty Savandurga hill. I knew it was going to be really very exciting and quite naturally was curious about it. The day looked promising. It was not just another normal day.

I reached Kempegowda Bus Terminus at around 7 a.m., and the crowd there did not interest me this time. Any other time I would’ve landed in K.B.S., the never ending crowd and the fleet of buses waiting there would’ve crossed my mind. But that day, I was on a mission. I was not bothered about anything other than the trek. I knew, I would meet different people from different zones and make new friends all through the trek and the very thought, made me happy. Once a few of us gathered at the Majestic Bus Terminus, we proceeded with the trek.

As we began our travel, the weather and the scenery around were enthralling. It was as if the trees and the plants there were greeting us. At the end of the journey to Savandurga, all the unknown people were well known. Standing at the foot of that gigantic Savandurga hill, we looked like Lilliputians. For a minute I just wondered whether we could make it to the top. Without any further delay, we started the trek.

Every step motivated us to reach the acme of the hill. As I was climbing, a look backward scared me at times. But I was so keen on moving ahead that I did not bother looking behind. We took short breaks on the way. The sweet lime which I am not really very fond of, tasted the best at that time. Apart from the casual talks, it was the glucose powder that egged us on. As we were scaling a dry peak, the very sight of water made us go crazy. 
 
After two hours of exhausting trekking, we finally reached the pinnacle of the peak. I got a different view of the world from up there, one I had never seen before. I wished I could make time pause right there. Once we settled down there, the most important phase of our trek began. We had actually gathered there to discuss the summer camp which is scheduled to take place in the month of July. Then it was time for some general discussions. Most of the speakers there spoke spontaneously on a few general topics, which later led to discussions. An hour passed by. Even though we did not want to leave, it was time. The discussions there were a preview of what could be expected at the summer camp. The enthusiasm level just shot up. I walked down hoping to experience another fun-filled trip soon. And at the end, the day was way better than I expected it to be. I went back home with another memorable page ready to be penned down in my diary.



Sunday, March 31, 2013

How to change file upload size in phpmyadmin!

For lesser mortals in the universe of databases, who still inadvertently use a lot of MySQL, a tool like phpMyAdmin is the holy grail!

This web-browser-based PHP query tool accesses MySQL tables and also gives tremendous functionality to tinker with the databases. While most of it is intuitive, sometimes a small feature requirement needs options beyond the defaults.

Before I delve into these non-default configurations, just for the record, here is how you get phpMyAdmin to access your MySQL tables on Debian-based machines.

fsmk@gnu:~$ sudo apt-get install phpmyadmin

Once you have installed it, Apache also gets installed as a dependency. To access phpMyAdmin, open your favourite web browser and go to "http://localhost/phpmyadmin".

Now that that is settled, let me get into the issue of the post.
SQL backups, taken from different servers or simply for the purpose of backing up data, are the most precious files on my computer, at least. To move MySQL data in and out of different machines, phpMyAdmin offers a cool import/export option.

While export is flawless, import by default restricts the maximum file upload size to 2M. Once you encounter SQL files of more than 2M you know you are handling quite a lot of data, so how do you restore these >2M files?

The configuration file that controls this option is php.ini, which resides in the /etc/php5/apache2/ directory.



Get hold of this file and search for "upload_max_filesize" in it. Once you have found it, change it to whatever your maximum file size might be.
Restart your apache service to upload those massive SQL files into your database.

Sunday, March 17, 2013

Embedding long tables in plain HTML, using Libre Office

When using plain HTML to design web pages without any WYSIWYG editor, and there is an inevitable requirement to embed tables into the HTML file, the <table> tag is quite handy.

<table border="1">
<tr>
<td><b>Movie</b></td>
<td><b>Favourite character</b></td>
</tr>
<tr>
<td>The Matrix</td>
<td>Neo</td>
</tr>
<tr>
<td>The Lord of the Ring</td>
<td>Eragon</td>
</tr>
<tr>
<td>V for Vendetta</td>
<td>Ivy</td>
</tr>
</table>

Will result in


For a table with a couple of entries and default options, this syntax is adequate.

But what about when one has to embed a longer table, with many more rows and columns? Don't ask me why! Just in case you find yourself with a complete table already existing in your document or spreadsheet, and you do not have the patience or the aptitude to type out all of it using the syntax shown above, Libre Office (or even Open Office) comes to the rescue!

Copy the entire table that you want to embed in an HTML file, and paste it into a new HTML document that you can create from the Libre Office prompt. Once you are done formatting your new table in the Libre Office HTML document, save it as a .html file.



All you now have to do is locate the new .html file you created using Libre Office and open it with your favourite text editor!

It is now an HTML file with all the tagging done for your table, which otherwise would have taken painstaking hours of labour to reach that form! Copy and paste the HTML code into the webpage in which you wanted to embed the table.
It's ready!

Libre, set me literally free this time!

Happy hacking!
PS: Of course there might be better methods to accomplish this, if you do have one please post it as a comment :) 

Tuesday, March 12, 2013

Find, replace in multiple files using BASH

Another of those zillions of tweaks that I am afraid will slip out of my head! So jotting it down here.

When you are editing HTML files, or some similar content template, and the same changes have to be made in a huge number of files, it is simply excruciating to dig into each of the files, search for a pattern and change it.

For instance, if you have a host of HTML files and you need to make one common change in all of them, the simplest thing to do is use the power of BASH!

To change a string, recursively in multiple files, use the following command.

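raghav@fossphosis:~$ grep -rlZ 'old-string' ./ | xargs -0 -r sed -i 's/old-string/new-string/g'

'grep' as always performs pattern matching; -r searches recursively, -l prints only the names of matching files, and -Z ends each name with a NUL byte
'xargs' with -0 reads those NUL-terminated names, so file names containing spaces are passed on intact, and -r skips sed when nothing matched
'sed' is used as the stream editor; -i edits the files in place

old-string is the string to be changed into new-string.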

May the power of BASH be yours!
GNU Rocks.