I just watched Edward Snowden in a clip on YouTube during dinner and he made a great speech about how presidents can't fix the mass surveillance problem and that we must fix it (as a world movement). He said we must weigh the "should we and shouldn't we", or something like that, because lately it's been the "can we or can't we". This reminded me that the German BND (spy service) has been given 150 million EUR to spy on people's Snapchat and other encrypted forms of communication. We have to work against the power structures that want to take our privacy and route around these.
BTW there is fake news, possibly, saying that Julian Assange has been kidnapped by the CIA. Fake news can be so annoying because it could turn out to be real. Julian, I hope you're OK!
At my local supermarket I picked up a batch of blueberries. When I ate them I noticed a change in vision and a heightened awareness. This made me curious about what I experienced. For one, it acted on my visual senses, so that must be the occipital lobe area of the brain. Reading online about this fruit I found that it is classed as a "superfood", a nutrition bomb so to speak. It is high in vitamins C and K and has manganese. It is good to have when you have nutritional deficiencies. It sure made a difference for me this afternoon. Also, the Latin name of its genus, Vaccinium, sounds like the English "vaccine". Maybe there is a relation. I'm glad I experimented with this.
Freifunk Franken is a network that is partitioned into what are called hoods. While the entire network consists of 10.50.0.0/16, my hood has 10.50.60.0/19 or something like that. I'm in the Hassberge Sued hood, which is centered around Hassfurt. Each hood represents a Layer 2 (Data Link layer) network, so you can reach everything inside it within one IP hop. Since geographically my parents' house and my apartment are in the same hood, I set up an OpenBSD machine as a bastion host between my internal network and the Freifunk Franken network to do IPsec tunneling, in order to have security and integrity between my parents' house and my house. The bastion host I set up at my parents' house looks like this:
It is a PC Engines APU router that does not have forwarding between its interfaces, hence there is no way to misroute things.
I've been running this for a few weeks now and have hooked up SIP phones to it. The phone conversations are as clear as ever (38 ms ping). Knowing that they are encrypted is a big bonus.
My dad thinks this is a real good concept: the hydrogen economy. Unfortunately we're not there yet, but rest assured our militaries' submarines have been using these for quite a while. Maybe in another lifetime we civilians will make use of this.
Part 2/2 of this year: I have donated 100 EUR to Theo de Raadt. This wraps up my donations to all the *BSDs this year. BTW the donation meter at the OpenBSD Foundation is almost filled to the goal. Congrats OpenBSD!
Yesterday I was brainstorming how to "sign" binaries in OpenBSD, and I caught an itch. I don't know if I'll ever do this, but I've given it thought since yesterday. First though I want to show you this, here. I'm not the only person who thinks a signed binary in OpenBSD would be a good idea. So then I thought a little about how to do this.
In the kernel, the exec routines that read an ELF binary would have to be modified in the following way. The kernel reads the ELF program header table and expects a PT_OPENBSD_ELFSEC program header. If the user is not root (a suser check) and the cache shows the binary has not been checked before (a walk of a LIST), it reads in the entire binary upon exec and HMAC-checksums it with a key that was ioctl'ed into the kernel at boot time under securelevel 0; in fact this check is only done if the securelevel is > 0. It then compares the result with the section pointed to by PT_OPENBSD_ELFSEC, and if it matches it discards the read-in file and lets read-on-demand take over for the file. It is then running a genuinely "signed" binary.
In userland there are four programs that get modified: binutils, strip, elfsec and elfsecd. When compiling new programs, the PT_OPENBSD_ELFSEC program header gets added to the ELF program headers. As root you can execute any binary, signed or not, because at that point it doesn't matter: a hacker with root already has full control over the system. When binaries are compiled, make calls strip with a new argument which will "bless" a binary with the elfsec program when run as root. For a non-root user, it is first checked whether the user is allowed to bless binaries, and then elfsec speaks with elfsecd to bless the binary with the private key that only root can read; a bunch of descriptor passing within the imsg framework would work out nicely. The elfsec binary should also be able to bless entire directories such as /bin, /sbin, /usr/bin, /usr/sbin etc.
This is the track I have wrapped my thoughts around. Dunno if it's worth it, but the installer program would need to be modified to re-bless new binaries in an upgrade. That would satisfy all those naysayers who say it would never work. In the end result you prevent someone else from importing binaries that you don't want running on your system, perhaps a worm of sorts. It's another level of security, and it would cost an attacker a lot of resources to crack the private key for each binary. It would slow down a system somewhat, but I've been using SSDs for a few years now and don't see this as much of an issue; also there is caching, which should speed this up.
Hehe, thinking of vapourware can be mind-consuming for sure :-).
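As an added illustration of the kernel-side check and the userland "bless" step sketched above (example code written for this post, not the author's design or any OpenBSD code): it walks the ELF64 program headers, locates the PT_OPENBSD_ELFSEC segment, and HMACs the whole image with that slot zeroed so the tag can cover itself. The PT_OPENBSD_ELFSEC value is an assumed placeholder, the key stands in for the one ioctl'ed in at boot, and the ELF image is constructed inline rather than being a real program.

```python
import hashlib, hmac, struct

# Assumed placeholder tag for the proposed header type; not an official OpenBSD constant.
PT_OPENBSD_ELFSEC = 0x65A3DBFF
MAC_LEN = 32                    # HMAC-SHA256 output, what the kernel would compare
EHDR = "<16sHHIQQQIHHHHHH"      # ELF64 file header, little-endian
PHDR = "<IIQQQQQQ"              # ELF64 program header

def find_elfsec(elf: bytes):
    """Walk the program header table; return (offset, filesz) of the ELFSEC segment."""
    hdr = struct.unpack_from(EHDR, elf, 0)
    e_phoff, e_phentsize, e_phnum = hdr[5], hdr[9], hdr[10]
    for i in range(e_phnum):
        ph = struct.unpack_from(PHDR, elf, e_phoff + i * e_phentsize)
        if ph[0] == PT_OPENBSD_ELFSEC:
            return ph[2], ph[5]          # p_offset, p_filesz
    return None

def mac_of(elf: bytes, key: bytes, off: int, size: int) -> bytes:
    """HMAC the whole image with the MAC slot zeroed, so the tag covers itself."""
    blank = elf[:off] + b"\0" * size + elf[off + size:]
    return hmac.new(key, blank, hashlib.sha256).digest()

def bless(elf: bytes, key: bytes) -> bytes:
    """What elfsec/elfsecd would do: write the tag into the ELFSEC segment."""
    off, size = find_elfsec(elf) or (None, 0)
    if size != MAC_LEN:
        raise ValueError("no usable PT_OPENBSD_ELFSEC segment")
    return elf[:off] + mac_of(elf, key, off, size) + elf[off + size:]

def verify(elf: bytes, key: bytes) -> bool:
    """What the exec path would do at securelevel > 0: recompute, constant-time compare."""
    off, size = find_elfsec(elf) or (None, 0)
    if size != MAC_LEN:
        return False
    return hmac.compare_digest(elf[off:off + size], mac_of(elf, key, off, size))

def make_unsigned_elf(code: bytes) -> bytes:
    """Constructed toy ELF64 image: header, one PT_LOAD, one empty ELFSEC slot."""
    phoff, phnum = 64, 2
    code_off = phoff + phnum * 56
    mac_off = code_off + len(code)
    ident = b"\x7fELF" + bytes([2, 1, 1]) + b"\0" * 9     # 64-bit, little-endian, v1
    ehdr = struct.pack(EHDR, ident, 2, 0x3E, 1, 0x400000 + code_off,
                       phoff, 0, 0, 64, 56, phnum, 0, 0, 0)
    ph_code = struct.pack(PHDR, 1, 5, code_off, 0x400000 + code_off,   # PT_LOAD, R+X
                          0x400000 + code_off, len(code), len(code), 0x1000)
    ph_mac = struct.pack(PHDR, PT_OPENBSD_ELFSEC, 4, mac_off, 0, 0, MAC_LEN, 0, 1)
    return ehdr + ph_code + ph_mac + code + b"\0" * MAC_LEN
```

An image with an unset or tampered slot, or one blessed under a different key, fails verify(), which is the point at which the exec path would refuse it for a non-root user.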
I talked a little about the American and European space programs in the past. Now, on one hand it was the GOP under Dubya Bush who wanted Moon to Mars. However, Trump has other priorities. He wants to fix the potholes in America first. He makes economic sense; there is no glory when your infrastructure is failing. But we likely won't see much action until at least 2021, that's after his first term is my thought. With Obama the American space program suffered, but Obama set something in motion that was perhaps a smart move: the private space industry, SpaceX, Boeing, those sorts of private enterprises.
I did not cheer for Hillary and I did not cheer for Trump. Americans failed to look for the alternatives. My favourite was Jill Stein, who got very few votes, if any. I did not cheer for the "lesser evil"; I turned my thoughts away from the Clinton-Trump pair, even though people tried to tell me I had to choose. I don't have to choose; I chose the alternative. Hopefully the Donald will not wreck too much in relations between my country and the USA. I count on the real alternative, the US Green Party.
Today is the first day of snow I experienced in the 2016 fall season. In 2013 I experienced the same first few days of snow in Iqaluit, Nunavut. Because I saw a connection I researched the past and found in a link that Arctic Fibre of Toronto, Canada was acquired by Quintillion Networks last June. Quintillion Networks seems to be run by people from Alaska. It reminded me how my friend in Iqaluit said that Barrow, Alaska has a lot in common with Iqaluit (I think he said that on Twitter). Anyhow, the Canadian part joining with the Alaskan part and stretching to the UK is probably in limbo, since it's been pushed back to Phase 3. But here's hoping that Iqaluit will get terrestrial submerged fibre optic cable some day.
Yesterday I increased the heat to #2 on my electric "Nachtspeicher" furnaces. Tonight it's snowing. Stille Nacht.