Imagine you go to a celebration: a party, a class reunion or something similar. You know quite a few of the people there, but mostly there are unfamiliar faces. Quiet music, pleasant conversations. Everything goes well, you go home and almost forget about it. A few days later you learn that the party was terrible, bags were stolen en masse, a girl was beaten up, and instead of the quiet music you remember, greasy chalga was blasting. All of this seems strange to you; you ask the acquaintances you met there and they are all just as surprised. You mention in a few places that this is nonsense, and you are quickly accused of being the one who stole the bags, of having ordered the chalga, and of covering for the people who beat up the girl.
Roughly this is what has been happening over the last 6 months around the elections in Frankfurt, Germany. Since the European elections, stories have been circulating about electoral fraud, controlled voting by observers and volunteers, vote buying and even personal threats against a member of the commission. All these attacks are later backed up with complaints to the CEC (Central Election Commission) and the court.
Honestly, from the very beginning I promised myself not to get involved in any of this. I thought that if someone's nonsense is not given publicity, it will be rejected by the public consciousness as such. It turned out to be exactly the opposite: from the words of a few people a scandal was fabricated, and it was gradually embellished and developed further. Since many people, like me, did not want to deal with it, those words remained the only story hanging in the air and were turned into fact. A lie repeated a hundred times, and so on.
Below the article I have laid out the chronology of all the complaints and the decisions on them. From them and from the protocols, several things become clear. Almost all complaints about violations in the Frankfurt elections have been rejected. The CEC does not confirm that there were violations; it rejects a draft decision written by one of its members. That draft and the claims in it are nevertheless circulated as fact. The complaint to the SAC (Supreme Administrative Court) was filed after the statutory deadline, in the clear knowledge that it would be rejected. Two complaints filed 6 months after the European elections are written as if deliberately so that they would be rejected: they contain no facts and no way of clearly identifying the alleged violators. And finally, the complaint about a refusal to let someone vote, against the chair of the commission Lyudmila Schneider, is now being examined by the prosecutor's office.
To this we can add the position of the remaining members of the sectional commission that the only problem during the elections was Schneider's behaviour. This is supported by the election observers, including those from the party that nominated her as chair. None of those present at the elections themselves saw the vote buying and controlled voting described in the reports from Schneider, her relatives and her friends. I myself stayed quite a while in front of the polling station at the European elections to talk with acquaintances in the queue, and I can say with certainty that the descriptions in the last two complaints are complete nonsense.
Where is the problem?
Now you should understand why I started with the story about the party. Although no one saw any violations other than those by the chairwoman herself, one cannot really claim that there were none. It is strange, however, that all the complaints were filed as a reaction to previous reports, hours, days and months later. Citing a rejected CEC draft as fact, and ignorance of the procedures and requirements in the Election Code, do not matter when creating a sensation. The rejection of complaints as unfounded or late is presented as the long arm of the mafia defending the status quo.
There is no smoke without fire. For our society, gripped by cynicism, this is a basic maxim. So you do not need to prove anything at all, or to have anyone rule that you are right. It is enough to set off enough smoke bombs for everyone to decide that the fire is a fact. Journalists will pick it up eagerly and, just as with the floods, will show unrelated, overexposed footage to illustrate a story that probably does not exist. Scandals bring viewers. Rejected complaints to the CEC do not. Scandals on an ethnic basis bring support to certain parties. Complaints about violations against commission members and observers from those same parties: not so much.
Fighting for our daily drama
The situation is somewhat word against word. With such low trust in the CEC and the court, and their fundamental inconsistency, it is quite natural not to see any authority in their rulings. In this environment every accusation, groundless or not, gains strength and popularity. This harms the democratic process just as much as unsanctioned cases of controlled voting and electoral fraud.
I had promised myself not to deal with the case, and probably I should not have. But it all started with a phone call shortly after the European vote and somehow unfolded before my eyes over the past months. I have worked a lot on the organisation of elections abroad and I know how hard it is to do everything properly. It is surprising, however, how easily one person's prejudices can do so much damage. So I decided to publish everything. The documents are public. Whoever feels like reading them, read and draw your own conclusions. For the rest, there remains the media drama and pathos.
Chronology of the complaints and the decisions on them:
25.05 – European elections in Frankfurt. Election day passes calmly. There are no complaints or remarks in the protocols of the two polling stations – here and here
27.05 – I receive a call from the chair of one of the commissions, Lyudmila Schneider, saying she wants to file a complaint against the volunteers in front of the polling station who were helping with the declarations. You will find more about the conversation here. She suggests that I sign her complaint "for more weight" and I refuse, because I do not agree with her claims.
28.05-12.06 – three roughly identical reports are filed describing controlled voting, theft of personal data, forged documents (a scribbled-on ID card) and violations by the consul. One of the reports is from Lyudmila Schneider and her father, members of the commission who had earlier signed that there were no violations of the electoral process – ЕП-22-757, ЕП-22-766, ЕП-22-757, ЕП-22-781
13.06 – letter from the acting consul in Frankfurt, Ivan Yordanov, to the Foreign Ministry and the CEC regarding the accusations in the reports, describing what the consulate did on election day – ЕП-04-01-133
18.06 – objection from Lyudmila Schneider to Yordanov's letter, quoting my discussion with her on my personal Facebook page – ЕП-22-757
19.06 – a proposal by one CEC member for a decision on the complaints is rejected by a majority – 605-ЕП
23.06 – complaint to the SAC against the CEC decision. The lawyer is Kapka Gerginova – ЕП-08-29
26.06 – the SAC rejects the complaint because it was filed more than 3 days after the CEC decision. The ruling is not subject to appeal – 8435-2014
05.10 – two complaints from Lyudmila Schneider: that observers from Ataka were admitted to the polling station without an identifying badge, and that acting consul Ivan Yordanov used a rude and threatening tone in a private conversation. The first complaint was filed at 13:24 and the second three and a half hours later, describing events that happened before the first complaint. The interesting thing here is that she is the chair of the commission, i.e. she files the first report against herself. The second report was about Yordanov pointing out to her that there were Ataka observers without a badge and that, if she did not take action as chair, he would file a report with the CEC himself. The observers in question are two of the people who filed complaints together with Schneider at the European elections (item 3) – С-75 and С-145-222
05.10 – the protocol of one polling station ends without remarks. The protocol of Schneider's station records that she filed a complaint directly with the CEC and that the claims in that complaint were not presented or discussed in the SEC (sectional election commission) – here and here
13.10 – declaration from the other four members of the SEC to the CEC and the Foreign Ministry describing election day as "calm and lawful". They thank the consulate staff and consul Yordanov for their help and note that, unfortunately, Schneider "did not contribute to creating a collegial atmosphere and conditions for the timely completion of the commission's work" – here (received from a CEC member)
13.10 – complaint/inquiry from Andrey Zlatinov against Lyudmila Schneider for refusing to let him vote. The complaint says he was turned away because he wrote his German address in Latin letters, and then because he did not have his German address registration with him. Neither of these requirements exists in the Election Code. Of the two polling stations, only in one, on Lyudmila Schneider's orders, were people turned away for these things. Following standard procedure, the CEC forwards the report to the prosecutor's office and the Foreign Ministry – НС-00-502
20.10 – Lyudmila Schneider sends a complaint against the CEC's decision to forward the report against her to the prosecutor's office. The interesting thing here is that neither was Zlatinov's complaint published on the CEC website at the time, nor is there a public decision on the forwarding. This is standard practice in such cases. Nevertheless, Lyudmila somehow learned of a report against her and protests against the procedure. The CEC decides not to consider her complaint – НС-1348
21.10 and 22.10 – two identical reports about the European elections arrive from two women claiming that a "30-33-year-old man" offered them 120 euros to vote for DPS and that, after they refused "because they are patriots", they were refused the vote because they did not have address registration. The complaints also describe a "flea market" for buying votes in front of the polling station and buses with Bulgarian Turks who came to vote. The texts include no specific names or descriptions of the participants in this whole market, making it impossible to identify anyone from the complaint. The explanation for the 6-month delay is "due to provocation from the lise in the internet space" (I have kept the spelling) – ЕП-22-803, ЕП-22-804
Every now and then, old security concepts resurface as if they were something new. Recently, I’ve been seeing a lot more activity related to parasitic attachments in pictures.
A parasitic attachment, or parasite, is an unrelated file that is simply attached to another file. With pictures, it is an unrelated chunk of data attached to the image file. When rendering a picture, the parasite is ignored. And when transferring the picture, the parasite follows along for the ride.
To understand how this works, let’s focus on JPEG. Every JPEG has a header, information related to decompression settings, and the compressed binary image stream. The stream has a well-defined start and a well-defined end. When rendering pictures, your graphics program stops at the end of stream marker. It doesn’t look beyond that point, so anything attached after the JPEG becomes ignored information.
There’s actually a lot of information that may be intentionally stuffed after the image. Some vendors store thumbnail images after the main image. Back in 2010, I pointed out that some Android devices store operating system information after the picture.
Parasites are not limited to JPEG formats. Virtually every image format out there has a well-defined “end”, and rendering programs stop when they hit the defined end. PNG, BMP, and even GIF can all have parasites without impacting how the picture is rendered. There’s even a nice tutorial from 2010 for how to attach a parasite. And a similar tutorial from 2006. (And I remember doing this type of thing back in 1992, and it definitely wasn’t “new” back then.) Creating a parasitic attachment is literally as easy as appending data to an existing JPEG.
Parasites are not limited to the end of the file. They may be stuffed in comment fields, proprietary data blocks, and other unused areas in the picture file format. Both JPEG and PNG support custom data blocks. If the rendering software doesn’t support the custom data block, then the block is ignored. For parasites, you just define your own custom data block and expect it to be ignored.
Finally, there is the payload carried by the parasite. At FotoForensics, about 0.05% (yes, less than a tenth of a percent) of all files contain some kind of parasitic attachment. Zip files, RAR files, 7zip, and text are all common. But I’ve also seen PDF, PKCS7 certificates, encrypted data, word documents, unrelated pictures, and much more. In September 2014, FotoForensics received 34,206 unique file uploads. Of those, 17 files have parasites that my software readily identifies. Most of the parasites were zip files, but there were also a few RAR files and other types of data.
As an example, the following picture was uploaded to FotoForensics on 1-Sept-2014.
This file looks like a picture of some hamsters. But inside the JPEG file is a parasitic zip file stuffed in an APP1 data field. This non-standard APP1 data block is ignored when the image is rendered. Even programs like ExifTool and exiv2 ignore the unknown binary block. However, the APP1 data definitely contains a zip file, and most zip programs will happily unzip it without even extracting it from the JPEG. Inside the zip file is another picture that gives clues to some GPS coordinates.
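To make the segment walk described above concrete, here is an added example in Python (my own code, not the FotoForensics software). It parses a JPEG's marker segments, reports any APPn segment whose payload doesn't start with a recognised vendor signature (the short allow-list of JFIF/Exif/XMP/ICC/Photoshop/Adobe signatures is an assumption), reports COM segments, and reports anything after the EOI marker, labelling zip, RAR, 7zip, PDF and PNG payloads by their leading bytes. The sample JPEG is constructed inside the code (a JFIF header, an APP1 carrying a zip local-file header, a stub scan, and a RAR header appended after EOI); it contains no real image data.

```python
"""Walk a JPEG's marker segments and report parasitic data.

Added example, not FotoForensics' code. Reports non-standard APPn payloads,
COM segments and any bytes after the EOI marker.
"""
import struct

# Markers that carry no length field: SOI, EOI, TEM and RST0-RST7.
STANDALONE = {0xD8, 0xD9, 0x01} | set(range(0xD0, 0xD8))

# Leading bytes of the payload types the post mentions (constructed list).
SIGNATURES = {
    b"PK\x03\x04": "zip",
    b"Rar!\x1a\x07": "rar",
    b"7z\xbc\xaf\x27\x1c": "7zip",
    b"%PDF-": "pdf",
    b"\x89PNG\r\n\x1a\n": "png",
}

# Signatures a normal JPEG writer puts in APP segments (assumption: minimal allow-list).
STANDARD_APP = {
    0xE0: (b"JFIF\x00", b"JFXX\x00"),
    0xE1: (b"Exif\x00\x00", b"http://ns.adobe.com/xap/1.0/\x00",
           b"http://ns.adobe.com/xmp/extension/\x00"),
    0xE2: (b"ICC_PROFILE\x00",),
    0xED: (b"Photoshop 3.0\x00",),
    0xEE: (b"Adobe",),
}


def classify(blob):
    """Name the payload type from its leading bytes, or 'unknown'."""
    for sig, name in SIGNATURES.items():
        if blob.startswith(sig):
            return name
    return "unknown"


def is_standard_app(marker, payload):
    return any(payload.startswith(p) for p in STANDARD_APP.get(marker, ()))


def next_marker(data, pos):
    """Skip entropy-coded data: 0xFF00 is byte stuffing, 0xFFD0-D7 are restart markers."""
    while pos + 1 < len(data):
        nxt = data[pos + 1]
        if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
            return pos
        pos += 1
    return len(data)


def find_parasites(data):
    """Return (where, offset, length, payload_type) tuples for suspicious blobs."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    findings = []
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected a marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xD9:                      # EOI: decoders stop here
            tail = data[pos + 2:]
            if tail:
                findings.append(("trailing", pos + 2, len(tail), classify(tail)))
            return findings
        if marker in STANDALONE:
            pos += 2
            continue
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])  # includes its own 2 bytes
        payload = data[pos + 4:pos + 2 + length]
        if 0xE0 <= marker <= 0xEF and not is_standard_app(marker, payload):
            findings.append(("APP%d" % (marker - 0xE0), pos + 4, len(payload), classify(payload)))
        elif marker == 0xFE:                    # COM: comment text, another hiding place
            findings.append(("COM", pos + 4, len(payload), classify(payload)))
        pos += 2 + length
        if marker == 0xDA:                      # SOS: scan data follows the header
            pos = next_marker(data, pos)
    findings.append(("no-eoi", len(data), 0, "unknown"))  # truncated or malformed file
    return findings


def segment(marker, payload):
    """Build one length-prefixed marker segment (used to construct the samples)."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed samples: no real image data, just the marker structure.
ZIP_HEADER = b"PK\x03\x04" + b"\x14\x00" + b"\x00" * 24        # 30-byte local file header
SOS_HEADER = b"\x01\x01\x00\x00\x3f\x00"                          # one-component scan header
SAMPLE = (
    b"\xff\xd8"
    + segment(0xE0, b"JFIF\x00\x01\x02\x00\x00\x01\x00\x01\x00\x00")
    + segment(0xE1, ZIP_HEADER + b"hamster.jpg")                 # non-standard APP1 with a zip
    + segment(0xDA, SOS_HEADER)
    + b"\x12\x34\xff\x00\x56"                                    # fake scan data, one stuffed 0xFF00
    + b"\xff\xd9"
    + b"Rar!\x1a\x07\x00" + b"\x00" * 16                         # RAR parasite after EOI
)
CLEAN = b"\xff\xd8" + segment(0xE0, b"JFIF\x00") + segment(0xDA, SOS_HEADER) + b"\x12" + b"\xff\xd9"

if __name__ == "__main__":
    for where, offset, length, kind in find_parasites(SAMPLE):
        print("%-9s offset=%-4d length=%-4d type=%s" % (where, offset, length, kind))
```

Pointing the walker at a real upload is a matter of `find_parasites(open(path, "rb").read())`. A resave, as the post notes later, strips all of this, so a clean result on a resaved copy says nothing about the original.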
This hamster picture actually came from a geo-caching forum. In fact, most of the files with parasites at FotoForensics come from geo-caching forums.
“Why geo-caching?” They love puzzles. It used to be fun to give someone GPS coordinates and let them see if they could find some prize at the physical location. When that was too simple, they began to use remote coordinates — get ready for a three-hour hike or a mountain climb. When remote locations became too easy, they began to hide the objects — you might need to bring a shovel or a flashlight to find the prize. Then they began to turn the coordinates into puzzles: if you can solve the puzzle, then you will find the coordinates. Today? Hard-core steganography. First you have to find the puzzle. Then you have to solve it. Then you have to go to the coordinates (where there may be more puzzles) until you find the final prize. Seriously — if you want to see steg in real life, watch the geo-caching community.
As an aside, one of my friends keeps saying that we should start up a get-rich-quick business. Since FotoForensics receives lots of these geo-caching puzzles, we should solve them first and park a food truck at the prize location. You just know the players will be hungry when they get there.
Last month I read about a proof-of-concept tool that will turn a JPEG into a PDF or PNG file after applying AES or 3DES cryptography. Corkami works by using parasitic attachments. Specifically, they encrypt a PNG file and PDF, one with AES and the other with 3DES.
With many cryptographic algorithms, decrypting an already decrypted file is just another way to encrypt data. The results are binary data that can only be restored by encrypting the file.
After encrypting (technically, decrypting) the PNG and PDF, they store them in the JPEG. The example encodes the encrypted PNG at the beginning of the JPEG (in a comment) and the PDF as a huge binary parasite at the end of the JPEG.
The hard part for all of this is choosing the right key for all of the cryptography. The AES key is chosen so that it generates a proper PNG header (8 bytes) when given the JPEG header as input. Applying AES encryption to the JPEG creates a PNG header, some binary junk, and then decodes the encrypted PNG data. This results in a valid PNG with binary crud that is ignored by any graphics software.
Similarly, the 3DES key is chosen to generate the PDF header (8 bytes). And the encoded 3DES PDF is placed at the end of the JPEG. This way, the 3DES encoding reconstructs a PDF. And since PDF readers start parsing at the end of the file, the binary garbage at the beginning of the file (created from the JPEG) is ignored and the entire thing renders as a valid PDF.
Discussions about parasitic attachments seem to come up annually. Last year, some researcher discovered that they could hide PHP or Perl or other types of code in text comment fields. If your web site processes back-end server scripts, displays JPEG comments, and isn’t careful about protecting output when displaying image comments, then this could run code on the server. (FotoForensics has captured plenty of examples of these hostile comment fields, and I’ve been seeing this sort of thing for years; the announcement last year may be new to them, but it wasn’t new.)
Keep in mind, hiding malware in a parasitic attachment is not the same as renaming an EXE to “JPEG” and emailing it as an attachment. (“Just double click on the picture!”) A properly created parasite will not interfere with the host image. Just renaming an executable to “.jpg” does not make it a parasite.
There’s a difference between steganography and cryptography. Cryptography refers to making data inaccessible. You can see the data, but you cannot understand it. Steganography refers to making data hard to find. But if you find it, you may be able to immediately understand it.
Parasitic attachments are one form of steganography. However, as hiding places go, they are relatively easy to detect. Anyone parsing the file format will see a large, non-standard binary blob buried in the file. While your friends may not readily notice these large binary chunks stuffed in your pictures, forensic investigators are likely to find the hidden data very quickly. If you’re doing something malicious and investigators see these parasitic attachments, then they may be interpreted as “intent” to hide activities. (I’m not an attorney; if you find yourself in this situation, then you should get an attorney.)
Parasites are also trivial to remove. I frequently mention “resaved” images. That’s where a picture is decoded and then re-encoded as it is saved to a new file. Facebook resaves pictures. Twitter resaves pictures. And nearly every online picture sharing service that scales pictures also performs a resave. The simple action of resaving an image is enough to remove parasites. (I am pretty certain that Facebook and Twitter resave pictures as an explicit method for removing metadata, including any parasites.)
As far as the threat level goes, these parasitic attachments are explicitly hiding. They won’t activate on a double-click and, with few exceptions, remain passive and unnoticed. In order to use the data, you must know it is there and know how to extract the content.
Even though the technique has been around for decades, I still think finding parasites within pictures is a treat. You never know what you’re going to find. (I have no idea what “APdb6” means, but GrrCon sounds like a fun conference.)
If you’re a lover of music and Linux, you’re in for a treat. As streaming music services slowly take over as the means for listening to your favorite tunes, the Linux platform has quickly matured into an outstanding ecosystem for that very purpose. With plenty of streaming servers, everyone knows how powerful Linux is at serving up tunes…but did you know it was equally powerful at playing those streaming services?
That’s right, Linux can get that music stream to your desktop in many ways. If you’re a lover of Spotify, Pandora, Last.fm, SoundCloud…you name it, there’s a way to stream that music. But don’t think you’re limited to using a web browser. Linux has clients, and plenty of them.
I want to highlight what I consider to be some of the best streaming music clients for Linux. Some of these are a one-trick pony, while others allow for the streaming of multiple services. Either way, you’ll be rockin’ open source on your desktop of choice.
I must confess that I am a Spotify premium subscriber. I listen to this streaming server pretty much all day at my desk. What I really like about Spotify (other than the CD-quality streaming) is the client (Figure 1). It’s incredibly simple to use, offers all the features you need for streaming. With it, you can search for artists and other users, follow artists, add songs/albums to custom playlists, and much more. With the Spotify client, you can also add your own local music sources.
Though Linux is not an officially supported platform for Spotify, installing Spotify on Linux is actually quite simple. I’ll demonstrate on the Ubuntu platform (specifically, Ubuntu 14.04). Here are the commands, to be run in a terminal window, to install the Spotify client:
Once the client is installed, you will find the Spotify launcher in the Unity Dash. Start it up and then log into your Spotify account. The client allows you to log in via Facebook or using a Spotify username/password. You may have to log onto Spotify via Facebook on the web-browser client and then set up a device username/password. This is done under your profile (you’ll see the link for “Set a password for your devices”). The username will be a string of random numbers and you have to send your default email address a link in order to set the password.
This simple Pandora streaming client has long been one of my favorite streaming tools. It has an incredibly easy-to-use interface, the ability to add new stations (based on artists), and even a quick mix (based on your current list of stations). The best aspect of Pithos is its stripped-down interface (Figure 2). There are few bells and whistles here, just pure Pandora streaming goodness.
To install Pithos, issue these commands in a terminal window (again, illustrating on the Ubuntu platform):
sudo add-apt-repository ppa:pithos/ppa
sudo apt-get update
sudo apt-get install pithos
Once installed, you’ll find the launcher in the Unity Dash. Fire up Pithos and you’ll be prompted to log into your Pandora account. Once logged in, you can start creating stations. Here’s how:
Click the Pithos button (it doesn’t actually look like a button, just the word Pithos over the Play button — design flaw?)
Click Add Station
Enter an artist name
Select the artist from the results
Once the station has been added, you can select it from the drop-down on the upper right corner. You can also select Quick Mix to get a shuffled playlist of songs from your stations.
By far, my favorite tool for listening to music is Clementine (Figure 3). There are a lot of reasons to love this player (built-in equalizer, easy to handle playlists, etc.), but the inclusion of streaming services helps edge this to the top for me. Clementine can stream:
And with its ridiculously easy playlist setup, it makes for creating a streaming sampler very user-friendly.
Because of licensing, some of the above requires a bit of work. Let me illustrate how to get Clementine streaming Spotify. Here are the steps you need to take (illustrating on 64-bit Ubuntu):
Close Clementine (make sure the Clementine icon isn’t appearing in your panel)
Open a terminal window
Create a new directory with the command: mkdir -p -m 775 ~/.config/Clementine/spotifyblob/version14-64bit/
Change to the newly created directory: cd ~/.config/Clementine/spotifyblob/version14-64bit/
Download the Spotify plugin: wget http://spotify.clementine-player.org/version14-64bit/blob
Download the second file for the plugin: wget http://spotify.clementine-player.org/version14-64bit/libspotify.so.12.1.45
Change the permissions for the file: chmod 775 blob libspotify.so.12.1.45
Rename the file: mv libspotify.so.12.1.45 libspotify.so.12
Open Clementine and click on the Internet button in the left navigation. Right-click the Spotify entry and select Configure Spotify. You’ll need to enter your Spotify username and password. You cannot log into Spotify with Facebook credentials here. You must set up a device username/password via your Spotify account (as mentioned earlier). Once authentication succeeds, you should be able to double-click the Spotify entry in Clementine’s left navigation and see all of your playlists, top tracks, Inbox, and more. The one thing you will not find is your saved artists. If you have favorite artists, you want to add their albums to playlists — otherwise you won’t see them. You also cannot search Spotify through Clementine (its best use is playing music from your current crop of Spotify playlists). But with Clementine’s outstanding EQ, you can match the quality of sound to your liking (something you cannot do on the Spotify client).
Linux is not short on multimedia tools. If you’re looking for a reliable platform with which to stream music, you would be remiss to not give the Linux desktop a try. Although this piece just barely scratches the surface of streaming clients, you should now see that there are plenty of options available.
During the spring of 2010 U.S. authorities started a campaign to take copyright-infringing websites offline.
Since then Operation in Our Sites has resulted in thousands of domain name seizures and several arrests. While most of the sites are linked to counterfeit goods, dozens of “pirate” sites have also been targeted.
After a period of relative calm the authorities appear to have restarted their efforts with the takedown of two large music sites. RockDizFile.com and RockDizMusic.com, which are connected, now display familiar banners in which ICE takes credit for their demise.
“This domain has been seized by ICE- Homeland Security Investigations, pursuant to a seizure warrant issued by a United States District Court under the authority of 18 U.S.C. §§ 981 and 2323,” the banner reads.
TorrentFreak contacted ICE yesterday for a comment on the recent activity but we have yet to receive a response.
The domain names are now pointing to the same IP-address where many of the previously seized websites, such as torrent-finder.com and channelsurfing.net, are directed. Both domain names previously used Cloudflare and had their NS entries updated earlier this week.
Despite the apparent trouble, RockDizFile.com and RockDizMusic.com’s Twitter and Facebook pages have remained silent for days.
RockDizMusic presented itself as an index of popular new music. Artists were encouraged to use the site to promote their work, but the site also featured music being shared without permission, including pre-release tracks.
RockDizFile used a more classic file-hosting look, but with a 50MB limit it was mostly used for music. The site offered premium accounts to add storage space and remove filesize and bandwidth limitations.
Both websites appear to have a strong focus on rap and hip-hop music. This is in line with previous ICE seizures which targeted RapGodFathers.com, RMX4U.com, OnSmash.com and Dajaz1.com.
The latter was seized by mistake. The record labels failed to deliver proof of alleged infringements to the authorities and after a long appeal the domain was eventually returned to its owners.
This incident and the general lack of due process in ICE’s domain seizures have drawn criticism from lawmakers and legal scholars. The authorities are nevertheless determined to keep Operation in Our Sites going.
“Operation In Our Sites’ enforcement actions involve federal law enforcement investigating and developing evidence to obtain seizure warrants from federal judges,” ICE states on its website.
Once a credible lead comes in ICE says it “will work with the U.S. Department of Justice to prosecute, convict, and punish individuals as well as seize website domain names, profits, and other property from IP thieves.”
At this point it’s unclear whether ICE has targeted any of the individuals connected to RockDizFile.com and RockDizMusic.com or whether the unit has taken down any other sites in a similar fashion.
As I tweak and tune the firewall and IDS system at FotoForensics, I keep coming across unexpected challenges and findings. One of the challenges is related to proxies. If a user uploads prohibited content from a proxy, then my current system bans the entire proxy. An ideal solution would only ban the user.
Proxies serve a lot of different purposes. Most people think about proxies in regards to anonymity, like the TOR network. TOR is a series of proxies that ensure that the endpoint cannot identify the starting point.
However, there are other uses for proxies. Corporations frequently have a set of proxies for handling network traffic. This allows them to scan all network traffic for potential malware. It’s a great solution for mitigating the risk from one user getting a virus and passing it to everyone in the network.
Some governments run proxies as a means to filter content. China and Syria come to mind. China has a custom solution that has been dubbed the “Great Firewall of China“. They use it to restrict site access and filter content. Syria, on the other hand, appears to use a COTS (commercial off-the-shelf) solution. In my web logs, most traffic from Syria comes through Blue Coat ProxySG systems.
And then there are the proxies that are used to bypass usage limits. For example, your hotel may charge for Internet access. If there’s a tech convention in the hotel, then it’s common to see one person pay for the access, and then run his own SOCKS proxy for everyone else to relay out over the network. This gives everyone access without needing everyone to pay for the access.
Proxy networks that are designed for anonymity typically don’t leak anything. If I ban a TOR node, then that node stays banned since I cannot identify individual users. However, the proxies that are designed for access typically do reveal something about the user. In fact, many proxies explicitly identify whose request is being relayed. This added information is stuffed in HTTP header fields that most web sites ignore.
For example, I recently received an HTTP request from 126.96.36.199 that contained the HTTP header “X-Forwarded-For: 188.8.131.52”. If I were to ban the user, then I would ban “184.108.40.206”, since that system connected to my server. However, 220.127.116.11 is google-proxy-66-249-81-4.google.com and is part of a proxy network. This proxy network identified who was relaying with the X-Forwarded-For header. In this case, “18.104.22.168” is someone in Yemen. If I see this reference, then I can start banning the user in Yemen rather than the Google Proxy that is used by lots of people. (NOTE: I changed the Yemen IP address for privacy, and this user didn’t upload anything requiring a ban; this is just an example.)
Unfortunately, there is no real standard here. Different proxies use different methods to denote the user being relayed. I’ve seen headers like “X-Forwarded”, “X-Forwarded-For”, “HTTP_X_FORWARDED_FOR” (yes, they actually sent this in their header; this is NOT from the Apache variable), “Forwarded”, “Forwarded-For-IP”, “Via”, and more. Unless I know to look for it, I’m liable to ban a proxy rather than a user.
In some cases, I see the direct connection address also listed as the relayed address; it claims to be relaying itself. I suspect that this is caused by some kind of anti-virus system that is filtering network traffic through a local proxy. And sometimes I see private addresses (“private” as in “private use” and “should not be routed over the Internet”; not “don’t tell anyone”). These are likely home users or small companies that run a proxy for all of the computers on their local networks.
If I cannot identify the user being proxied, then just identifying that the system is a proxy can be useful. Rather than banning known proxies for three months, I might ban the proxy for only a day or a week. The reduced time should cut down on the number of people blocked because of the proxy that they used.
There are unique headers that can identify that a proxy is present. Blue Coat ProxySG, for example, adds in a unique header: “X-BlueCoat-Via: abce6cd5a6733123”. This tracking ID is unique to the Blue Coat system; every user relaying through that specific proxy gets the same unique ID. It is intended to prevent looping between Blue Coat devices. If the ProxySG system sees its own unique ID, then it has identified a loop.
Blue Coat is not the only vendor with their own proxy identifier. Fortinet’s software adds in an “X-FCCKV2” header. And Verizon silently adds in an “X-UIDH” header that has a large binary string for tracking users.
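The ban-target decision described over the last few paragraphs, as an added example in Python (my own code, not the FotoForensics firewall). Given the direct connection address and the request headers, it looks for the relayed client in the forwarding headers named above, discards private addresses and self-relays, and, when only a vendor header such as X-BlueCoat-Via or X-FCCKV2 reveals a proxy, falls back to the short proxy ban instead of the long user ban. The header priority order, the 90-day and 1-day durations, and the documentation-range sample addresses (192.0.2.x, 203.0.113.x) are assumptions, not values from the post.

```python
"""Pick the address to ban when a request arrives through a proxy.

Added example, not FotoForensics' code. Durations and header priority are assumptions.
"""
import ipaddress
import re

# Header names seen carrying the relayed client (from the post; order is this
# example's priority, not any standard). Leftmost entry is the original client.
FORWARD_HEADERS = ("x-forwarded-for", "forwarded-for-ip", "x-forwarded",
                   "http_x_forwarded_for", "forwarded")

# Vendor or service headers that reveal a proxy even when the client is not named.
PROXY_MARKERS = ("x-bluecoat-via", "x-fcckv2", "x-uidh", "x-facebook-locale", "via")

# RFC 1918 space, checked explicitly so the result doesn't depend on how a given
# Python version defines ip.is_private (newer versions also exclude documentation ranges).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

BAN_USER_DAYS = 90    # "three months" in the post
BAN_PROXY_DAYS = 1    # the short end of "a day or a week" (assumption)


def routable(text):
    """Return an ip_address if text is a routable unicast address, else None."""
    try:
        addr = ipaddress.ip_address(text.strip())
    except ValueError:
        return None
    if addr.is_loopback or addr.is_link_local or addr.is_unspecified or addr.is_multicast:
        return None
    if any(addr in net for net in RFC1918):
        return None
    return addr


def candidates_from_forwarded(value):
    """RFC 7239 'Forwarded: for="203.0.113.9";proto=https, for=...' -> address strings.
    Port suffixes are not handled in this example."""
    return [m.strip("[]") for m in re.findall(r'for="?([^;,"]+)"?', value, re.I)]


def relayed_client(remote_addr, headers):
    """The relayed user's address, or None if the headers don't reveal one."""
    h = {k.lower(): v for k, v in headers.items()}
    for name in FORWARD_HEADERS:
        if name not in h:
            continue
        parts = candidates_from_forwarded(h[name]) if name == "forwarded" else h[name].split(",")
        for part in parts:
            addr = routable(part)
            if addr is None:
                continue            # private address or junk: a home/office proxy, not the user
            if str(addr) == remote_addr:
                continue            # the proxy claims to be relaying itself
            return str(addr)
    return None


def proxy_evidence(headers):
    """Names of headers that show a proxy is in the path."""
    h = {k.lower(): v for k, v in headers.items()}
    return [n for n in PROXY_MARKERS + FORWARD_HEADERS if n in h]


def ban_decision(remote_addr, headers):
    """Return (address_to_ban, days, reason)."""
    user = relayed_client(remote_addr, headers)
    if user:
        return user, BAN_USER_DAYS, "relayed client identified"
    if proxy_evidence(headers):
        return remote_addr, BAN_PROXY_DAYS, "proxy detected, client unknown"
    return remote_addr, BAN_USER_DAYS, "direct connection"


# Constructed requests using documentation addresses (not real hosts).
GOOGLE_PROXY_STYLE = ("192.0.2.10", {"X-Forwarded-For": "203.0.113.7"})
HOME_PROXY = ("192.0.2.11", {"X-Forwarded-For": "192.168.1.20"})
SELF_RELAY = ("192.0.2.12", {"X-Forwarded-For": "192.0.2.12"})
BLUECOAT = ("192.0.2.13", {"X-BlueCoat-Via": "abce6cd5a6733123"})
RFC7239 = ("192.0.2.14", {"Forwarded": 'for="203.0.113.9";proto=https, for=192.0.2.14'})

if __name__ == "__main__":
    for remote, hdrs in (GOOGLE_PROXY_STYLE, HOME_PROXY, SELF_RELAY, BLUECOAT, RFC7239):
        print(remote, hdrs, "->", ban_decision(remote, hdrs))
```

Because these headers are set by whoever is in front of you, a relayed address is only as trustworthy as the proxy that wrote it; the example therefore still bans the connecting address (just for a shorter time) rather than trusting an arbitrary value, and a production filter should also refuse to act on a forwarded address that isn't syntactically an IP, which `routable` already does.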
Language and Location
Besides identifying proxies, I can also identify the user’s preferred language.
The intent with specifying languages in the HTTP header is to help web sites present content in the native language. If my site supports English, German, and French, then seeing a hint that says “French” should help me automatically render the page using French. However, this can be used along with IP address geolocation to identify potential proxies. If the IP address traces to Australia but the user appears to speak Italian, then it increases the likelihood that I’m seeing an Australian proxy that is relaying for a user in Italy.
The official way to identify the user’s language is to use an HTTP “Accept-Language” header. For example, “Accept-Language: en-US,en;q=0.5” says to use the United States dialect of English, or just English if there is no dialect support at the web site. However, there are unofficial approaches to specifying the desired language. For example, many web browsers encode the user’s preferred language into the HTTP user-agent string.
Similarly, Facebook can relay network requests. These appear in the header “X-Facebook-Locale”. This is an unofficial way to identify when Facebook is being used as a proxy. However, it also tells me the user’s preferred language: “X-Facebook-Locale: fr_CA”. In this case, the user prefers the Canadian dialect of French (fr_CA). While the user may be located anywhere in the world, he is probably in Canada.
There’s only one standard way to specify the recipient’s language. However, there are lots of common non-standard ways. Just knowing what to look for can be a problem. But the bigger problem happens when you see conflicting language definitions.
User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; it-it; SAMSUNG SM-G900F/G900FXXU1ANH4 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.6 Chrome/28.0.1500.94 Mobile Safari/537.36
X-OperaMini-Phone-UA: Mozilla/5.0 (Linux; U; Android 4.4.2; id-id; SM-G900T Build/id=KOT49H.G900SKSU1ANCE) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
If I see all of these in one request, then I’ll probably choose the official header first (German from Germany). However, without the official header, would I choose Spanish from Latin America (“es-LA” is unofficial but widely used), Italian from Italy (it-it) as specified by the web browser user-agent string, or the language from one of those other fields? (Fortunately, in the real world these would likely all be the same. And you’re unlikely to see most of these fields together. Still, I have seen some conflicting fields.)
Time to Program!
So far, I have identified nearly a dozen different HTTP headers that denote some kind of proxy. Some of them identify the user behind the proxy, but others leak clues or only indicate that a proxy was used. All of this can be useful for determining how to handle a ban after someone violates my site’s terms of service, even if I don’t know who is behind the proxy.
In the near future, I should be able to identify at least some of these proxies. If I can identify the people using proxies, then I can restrict access to the user rather than the entire proxy. And if I can at least identify the proxy, then I can still try to lessen the impact for other users.
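As an added example (not the post’s own code), here is a Python sketch of the checks described above: it reads the vendor proxy headers, the relay chain and the official and unofficial language hints from a request, flags conflicting languages, and suggests whether a ban can be scoped to the proxied user, to the proxy for a short time, or only to the direct client. The X-Forwarded-For relay chain, the private-use address list and the ban-scope labels are assumptions; the header names are the ones the post lists.

```python
"""Proxy and language-hint checks over HTTP request headers (added example, not the
post's own code). Header names are the ones the post lists; the X-Forwarded-For
relay chain, the private-use ranges and the ban-scope labels are assumptions."""
import ipaddress
import re

# Vendor/relay headers that reveal a proxy product rather than the user behind it.
PROXY_MARKER_HEADERS = {
    "x-bluecoat-via": "Blue Coat ProxySG",  # loop-detection ID shared by every user
    "x-fcckv2": "Fortinet",
    "x-uidh": "Verizon",                     # per-user tracking blob
    "x-operamini-phone-ua": "Opera Mini",    # request relayed through Opera's servers
    "x-facebook-locale": "Facebook",         # request relayed by Facebook
}
# "Private use" ranges (RFC 1918 plus loopback and link-local; an assumed list,
# since ip.is_private would also match the documentation ranges used in tests).
PRIVATE_USE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
# Unofficial locale tag embedded in many mobile user-agent strings, e.g. "; it-it;"
_UA_LOCALE = re.compile(r";\s*([a-z]{2}[-_][a-zA-Z]{2})\s*;")

def _norm_tag(tag):
    return tag.strip().replace("_", "-").lower()  # 'fr_CA' / 'IT-it' -> 'fr-ca'

def parse_accept_language(value):
    """'en-US,en;q=0.5' -> [('en-us', 1.0), ('en', 0.5)], highest q first."""
    out = []
    for piece in (p.strip() for p in value.split(",") if p.strip()):
        tag, _, params = piece.partition(";")
        m = re.search(r"q\s*=\s*([0-9]+(?:\.[0-9]+)?)", params)
        out.append((_norm_tag(tag), float(m.group(1)) if m else 1.0))
    out.sort(key=lambda t: t[1], reverse=True)  # stable: ties keep header order
    return out

def language_hints(headers):
    """One language tag per source: the official Accept-Language header plus the
    unofficial places the post lists. Returns {source: tag}."""
    h = {k.lower(): v for k, v in headers.items()}
    hints = {}
    langs = parse_accept_language(h.get("accept-language", ""))
    if langs:
        hints["accept-language"] = langs[0][0]
    for name in ("user-agent", "x-operamini-phone-ua"):
        m = _UA_LOCALE.search(h.get(name, ""))
        if m:
            hints[name] = _norm_tag(m.group(1))
    if "x-facebook-locale" in h:
        hints["x-facebook-locale"] = _norm_tag(h["x-facebook-locale"])
    return hints

def conflicting_languages(hints):
    """True when sources disagree on the primary language (it vs id); dialect
    differences such as fr vs fr-ca are not counted as a conflict."""
    return len({tag.split("-")[0] for tag in hints.values()}) > 1

def _chain(forwarded_for):
    """Yield (raw, parsed address or None) for each entry of the relay chain."""
    for raw in (p.strip() for p in forwarded_for.split(",") if p.strip()):
        try:
            yield raw, ipaddress.ip_address(raw)
        except ValueError:
            yield raw, None

def _is_private_use(addr):
    return any(addr in net for net in PRIVATE_USE_NETS)

def relay_anomalies(client_ip, forwarded_for):
    """Flag the relay-chain oddities the post describes: a proxy that lists
    itself as the relayed address, and private-use addresses in the chain."""
    client = ipaddress.ip_address(client_ip)
    flags = []
    for raw, addr in _chain(forwarded_for):
        if addr is None:
            flags.append("unparseable:" + raw)
        elif addr == client:
            flags.append("self-relay")
        elif _is_private_use(addr):
            flags.append("private:" + raw)
    return flags

def analyze_request(client_ip, headers):
    """Summarise proxy evidence and suggest how narrowly a ban can be scoped:
    'user' when a routable proxied address is known, 'proxy-short' (days, not
    months) when only the proxy itself is identified, 'client' otherwise."""
    h = {k.lower(): v for k, v in headers.items()}
    chain, client = h.get("x-forwarded-for", ""), ipaddress.ip_address(client_ip)
    products = [p for name, p in PROXY_MARKER_HEADERS.items() if name in h]
    flags = relay_anomalies(client_ip, chain)
    # first routable relayed address that is not the direct client, else None
    user = next((raw for raw, a in _chain(chain)
                 if a is not None and a != client and not _is_private_use(a)), None)
    hints = language_hints(headers)
    scope = "user" if user else "proxy-short" if products or flags else "client"
    return {"proxy_products": products, "relay_flags": flags, "proxied_user": user,
            "language_hints": hints, "language_conflict": conflicting_languages(hints),
            "ban_scope": scope}  # a language conflict alone is a hint, not proof
```

The vendor and locale headers are only hints: a forged or stripped header changes the suggested scope, so the output is input to a ban policy, not proof of who sent the request.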
Liz: If you’re a regular reader, you’ll have noticed more and more frequent mentions over the last year of a piece of kit called RACHEL-Pi. RACHEL is an offline server, run on a Raspberry Pi, full of educational content from teaching curriculums, Khan Academy materials, Wikipedia, classic literature, reference material and textbooks; alongside vital community materials like medical and first aid textbooks.
We’re very proud to be able to support World Possible’s RACHEL-Pi project through our education fund. It’s being used all over the world in remote places where the internet is unavailable – and this year it’s gone from strength to strength. Here’s Jeremy Schwartz, the Executive Director of World Possible, to show you what they’ve been doing with the project in the last year.
What an incredible 12 months it has been. World Possible has seen RACHEL-Pi (our Raspberry Pi-based educational server) deployed in scores of countries – often in the most remote of locations – delivering a world of educational content to tens of thousands of students previously far removed from the great online learning tools those of us reading this blog take for granted almost every day.
How’d we get here?
It’s worth taking a few seconds to get some history on World Possible’s RACHEL server. In 2009, World Possible (an all-volunteer team, mostly from Cisco) curated a package of creative commons resources (Wikipedia, Khan Academy, CK12 textbooks, and much more) for offline distribution. Coupling the content with open-source web server software, we could create “Remote Area Community Hotspots for Education and Learning,” (“R.A.C.H.E.L.”) – a locally cached web server accessed through any connected web browser (with no need for internet connectivity).
RACHEL is accessed via a web browser
Probably more naïve than anything, an attempted round of pilot projects of RACHEL (which at the time was a power-hungry NAS device) in 2009, in Sierra Leone, failed in pretty dramatic fashion.
The failure took a real toll on World Possible and forced us to rethink RACHEL distribution, ultimately building a distribution network of partnerships with on-the-ground teams that could do the hard part for us, and many of which still lead the RACHEL distribution charge today:
Despite the early successes of those groups, we still didn’t have the final piece of the puzzle that has exploded RACHEL deployment today (development of open-source educational resources + uniform standards of web browsers + proliferation of low cost computing hardware and storage). In comes the Raspberry Pi, giving us the ability to create a plug-and-play webserver and hotspot at a price point that we can distribute to masses of people without any required computer literacy background.
Is it working? – “Content is king; distribution is King Kong”
Almost exactly a year ago, a partnership with the Gates-Backed Riecken Libraries in Guatemala and Honduras, as well as a funding leap of faith by a few loved donors and the Rotary Club of Portola/Woodside Valley (CA), allowed us to launch a new phase of World Possible and RACHEL-Pi focused on creating, curating, and distributing relevant content from and within disconnected communities. A good old fashioned sneaker-net, delivering locally relevant (and often locally created) digital educational content to disconnected schools, libraries, orphanages and community centers.
The World Possible team in Guatemala is now led by Israel Quic, a native Mayan, initially attracted to RACHEL-Pi as a means of preserving and teaching his Mayan heritage and language to local communities.
Israel Quic presents RACHEL at Campus Tec, the technology department of University de la Valle
Israel quickly saw an opportunity to collect more locally relevant agricultural and political resources than we currently distribute as part of our Spanish-language RACHEL-Pi. In April, the fruits of his labor truly began to sprout, when word came from one agricultural community, an early RACHEL-Pi recipient, which built a drip irrigation system out of old plastic bottles after discovering how to do it from a single teacher’s smartphone while researching our Guatemalan content on their RACHEL-Pi.
A drip irrigation system made from old plastic bottles, using how-to content from RACHEL-Pi
The successes only caused us to redouble our efforts. Aided by our local Facebook page, World Possible Guatemala solicits offers of help and requests for RACHEL from across the country.
Current RACHEL-Pi installations in Guatemala
Installations of RACHEL-Pi in community centers and libraries are often made available 24/7, enabling anyone with a smart phone to come learn, research, and explore.
San Lucas Toliman RACHEL-Pi wifi access point
Facebook post of Biblioteca Comunitaria Rija’tzuul Na’ooj
San Juan del Obispo in Sacatapequéz is an agricultural community where middle school kids are using RACHEL to learn not only how to grow and irrigate, but also how to cultivate mushrooms and make fresh peach jam. Along the way they get business skills as well.
The mission in Guatemala is still just beginning, but the lessons learned and successes are providing a key roadmap for World Possible. Make available valuable educational resources, supplement them with locally relevant vocational and cultural content, get buy-in from local community volunteers, and distribute… distribute… distribute. The results are truly inspirational.
What’s next? – “Tell me and I forget, teach me and I may remember, involve me and I learn.”
Globally, the RACHEL effort is still driven by the hundreds of groups that download RACHEL and distribute independently in their own communities. Everything we do is free to download through our website, FTP site, BitTorrent sync, or even shared Dropbox. The Raspberry Pi has also made it so anyone can do this on their own, a powerful democratization of access to a world-class education.
World Possible will continue to support these groups through our own volunteer network, through independent advice, and by creating the best package of content available. Even more today, a biweekly newsletter is connecting thousands of RACHEL advocates in nearly 40 countries who have been through the process and can provide best practices to new users locally.
What excites us most is our ability to replicate the successes that have been achieved in Guatemala. In Micronesia, Professor Hosman and her students curated a RACHEL for the state of Chuuk. She’s now working with Inveneo to deploy RACHEL to the entire region’s network of schools.
Grace, a teacher at Akoyikoyi School in Chuuk, receives a RACHEL-Pi
In Kenya and East Africa, thanks to a generous grant from this very Raspberry Pi Foundation, we’ve just completed a hire (Bonface Masaviru) to follow the roadmap that Israel Quic laid out in Guatemala. Bonface is spreading RACHEL throughout Kenyan schools…
… and working with local volunteers such as Zack Matere to help us curate RACHEL Shamba (an offline package of farming resources):
Where we can, we’ll look to our long-time distribution partners to help create full labs to access RACHEL-Pi. Here in Uganda, Romeo Rodriguez gives his “children” their first ever look at technology in a new library thanks to a full “digital library-in-a-box” from World Possible.
We’ll continue to find ways to hire additional country managers, local to their communities, who have proven their dedication to RACHEL, to involve indigenous people in creating and distributing the content they currently lack.
If you’d like to be part of the mission, we’d love to have you. A great group of development volunteers can be reached at email@example.com. If you have networking expertise, we can pair you with a group that might need your help deploying RACHEL – firstname.lastname@example.org.
If you want to join the Raspberry Pi Foundation in supporting our efforts financially, we’d love it – donate here.
If you want us to come talk to your group, or help deploy RACHEL, we’d love that also – please don’t hesitate to get involved! Thank you to all of the individuals and groups who already have; there is so much more we can do together.
Remember Google Reader? It was not just one of Google’s good projects, one that I believe many people still mourn. It was a cornerstone of a romantic period in the development of the blogosphere (the Bulgarian one included), a period that connected communities of people based on what they wrote and what they read. And that was before social networks cheapened all of this.
The shutdown of Google Reader led to the appearance of many alternatives, some of them quite successful and innovative. I personally went through Feedly, which wins over many users with its clean and functional interface and its mobile apps, and then through Digg Reader, the same Digg that betaworks revived from the ashes and took under its wing together with the wonderful Instapaper. Digg Reader was late with its mobile versions, but to this day it offers perhaps the cleanest read-only interface possible, which has always tempted me.
I have of course tried many other RSS readers, not only web-based but desktop ones too, but none offered that true social element that let you share what you read with your friends/followers and see what they read and share. And no, no, no… not in damned facebook or somewhere else, but right there, in the reader itself.
Until one day I discovered Inoreader. Its default interface is a touch more colourful than necessary, but the settings are so many and so flexible that (unfortunately, as much as they might scare someone off) you can configure everything to be as convenient and useful for you as possible. Lately I have been using the light theme with the Verdana font, and that gives me the light simplicity and cosiness I need for reading. In fact the default settings are extremely well judged. All one needs to do is add one’s social networks in order to share articles to them, if one wishes. If one uses Instapaper or Pocket, one can also add sending to them. Search for and add friends to see their channels, and of course add the RSS feeds of the blogs and sites one follows. Fortunately all the readers I mentioned above support import and export of RSS feed collections as an OPML file, so one can easily carry subscriptions from one tool to another and compare them.
I fell in love with Inoreader about half a year ago and I will be glad if more former Google Reader users appreciate the feature of reading and broadcasting to their friends the things they find important to share, because that is what I was missing in Feedly, Digg and elsewhere.
Inoreader for me is the best reader not only at the moment but among all I have tried so far. Besides mobile apps, it also has extensions for the Chrome, Firefox, Opera and Safari browsers. And did I mention that one of my big surprises was that it is a Bulgarian project! New and interesting features are added almost constantly. Here is one from two days ago:
This is a creepy story. A woman has her phone seized by the Drug Enforcement Agency and gives them permission to look at her phone. Without her knowledge or consent, they steal photos off of the phone (the article says they were “racy”) and use them to set up a fake Facebook page in her name.
The woman sued the government over this. Extra creepy was the government’s defense in court: “Defendants admit that Plaintiff did not give express permission for the use of photographs contained on her phone on an undercover Facebook page, but state the Plaintiff implicitly consented by granting access to the information stored in her cell phone and by consenting to the use of that information to aid in an ongoing criminal investigations [sic].”
The article was edited to say: “Update: Facebook has removed the page and the Justice Department said it is reviewing the incident.” So maybe this is just an overzealous agent and not official DEA policy.
But as Marcy Wheeler said, this is a good reason to encrypt your cell phone.
On Sunday the EuroChicago portal published a piece about the parliamentary elections in Frankfurt. It contained an interview with the chairwoman of one of the commissions, with claims of election fraud and pressure being applied. I have talked about this with many of my acquaintances in the city, about their impressions of this and previous votes. I have not met a person who thinks her claims have anything to do with the truth. At the same time, however, nobody dares to refute her, either in public or through the procedural channels. The effect is that only her words circulate in the media, which eagerly reprint them for the juicy story. A wrong impression is created to such a degree that at some point every voice in the opposite direction is ignored.
So I decided to describe the other side of things and asked EuroChicago to publish my opinion alongside hers. I believed they would do it, because they have repeatedly reprinted articles from this blog and have used my data and interviews. The text below was published on their site today. I hope that others who voted in Frankfurt will also express an opinion on the matter before the lie is repeated 100 times and becomes the truth.
I have lived in the Frankfurt region for 10 years and have voted in every election so far. I follow the electoral process closely, I have taken part in two votes as a commission member and have helped organize all the others, I help with information campaigns and I maintain the Glasuvam.org portal with an election information service and a map of the polling stations. In recent months I have noticed with irritation a number of pieces around the web in which the same fabrication about the elections in Frankfurt is repeated and embellished. I noticed another one, by Lyudmila Schneider, on the EuroChicago site from Sunday, 12 October. Such rumours spread because the story looks scandalous, and none of those who are outraged by the audacity can be bothered to raise their voice.
I have known Lyusi for many years. We met through the Bulgarian school in the city. I am involved in many social causes and I helped her make a website and a Facebook page for the school. I welcomed her joining the commission for the European vote, because I thought she was the right person and would help the electoral process. On the day there were no problems at all, the organization was good and everything went quickly. Just as always so far. I stayed for quite a while in front of the polling station talking with acquaintances who were waiting to vote, so I gathered impressions.
A few days after the vote, Lyusi called me and we talked at length about the elections. She mentioned that she had concerns and wanted to file a complaint against the volunteers in front of the polling station. At the time she claimed they had access to personal data, were pressuring voters and in general had no place there. This puzzled me, because on the one hand she had not witnessed anything of the kind, being part of the commission inside the building. On the other hand, there have always been volunteers at the vote: they explain people’s rights, that they need one declaration or another, and they help avoid crowding in front of the station. I myself have been a volunteer and have done exactly the same as these guys. I spoke with them in front of the station; they were polite and helped everyone. Later I asked acquaintances who had voted there and all of them were just as surprised as I was.
Lyusi insisted that they had no business being there because they were Bulgarian Turks. She asked me how to file a complaint with the Central Election Commission (CEC) and whether I would sign together with her “for more weight”. I explained to her that I did not consider anything she had told me to be true and naturally would not sign. Filing a complaint is her right, however, and I explained the procedure to her. I also pointed out that if she had known of violations, she should have raised the issue in the commission and written it in the protocol. That is the procedure for stopping any violations immediately. Everything else only leads to media noise. Instead, she had stated that there had been no problems at all. A few weeks later I saw her complaint, which was a considerably embellished version of what she had told me earlier. A few other people had joined in, but the CEC rejected it and now they are in court. The interesting thing in this case is that at that time she was still not claiming there had been vote buying. In her text on EuroChicago she also mentions for the first time that she had phoned in a signal to the CEC from the polling station, something she explicitly told me at the time she had not done.
At the last elections Lyusi was again chair of the commission and this time she forbade volunteers in front of the station. This naturally slowed down the voting. As became clear later, she also imposed arbitrary conditions on certain voters: that the German address in the declaration be in Cyrillic and that they bring their registration from the German municipality. None of these requirements is written in the law and she has no right to refuse a vote on those grounds. Unfortunately, nobody filed a complaint with the CEC, probably because they did not know their rights or could not be bothered.
I maintain many Facebook pages on a voluntary basis and one of them is the unofficial page of the consulate in Frankfurt. It became unofficial after the consulate could not keep up with monitoring and answering everything there. Since it had already gathered many Bulgarians in Germany, I decided to keep it, pointing out regularly and everywhere that it is not official. All questions are forwarded to the consulate’s official email and the page is used only to spread events and news. There were some unhappy people, but overall the reactions to my decision are positive.
Knowing all this, a few days before the elections Lyusi wrote to me asking me to post an image of hers on Facebook. It was a tricolour with an explanation that buying and selling votes is a crime and that if anyone sees such a thing, they should call the German police and the commission members. I told her that the idea of clarifying voters’ rights was good, but that I would not post her image specifically, because it was not correct. The German police have nothing to do with Bulgarian elections and in a note had explicitly stated that they would only see to the keeping of public order. Instead, on the page I described the procedure as it is under the Electoral Code: a signal to the sectional election commission (SEC) and to the Foreign Ministry. I added that if anyone sees a violation by the commission itself, they have the right to demand a written explanation and to file a signal with the CEC. None of this pleased Lyusi, because she threatened me with court and a complaint to the CEC for not carrying out her instructions as commission chair to the letter. She insisted that I was misleading people, that I was aiding vote buying and that I was violating the German constitution. I never saw a complaint, probably because she realized that the position of SEC chair does not give her unlimited power.
Recently, however, I came across a new complaint against the consulate, this time for pressure. The reason is that they had fulfilled their obligation to inform her of a violation in the electoral process and to remind her to fulfil hers. It concerns two observers without badges. According to her, it was the consulate’s obligation to provide them with badges, even though, again, this is not written anywhere. On the contrary, there is a CEC template which the observers should have prepared themselves, as the other observer, from Glas Naroden, did. She took the signal as a threat, probably because the offenders were representatives of the same party as her: Ataka. She also claims that pressure was put on her not to write remarks in the protocol. Meanwhile the other commission members, as well as those same two observers who were present the whole time, wrote that there had been no violations and that they did not see the pressure she speaks of. Incidentally, the latter two are the same people who signed her complaint after the European elections.
There are many violations in Bulgarian elections. Some are crimes, many are caused by illiteracy and ignorance of the law. All of them harm the democratic process in the country equally and should be sanctioned. About one thing Lyudmila was right in her text: we must know our rights and file signals when we believe they have been violated. The mistake of many people on election day was that they did not do so, while being outraged at her discriminatory attitude and made-up requirements. So now her embellished story hangs alone in the public space and creates wrong ideas of how the electoral process in Frankfurt takes place. It is time to raise our voice not only when we see irregularities, but also when we see that something is being done properly. Otherwise a few individuals will exploit the intolerance of violations to harm that same electoral process and to discourage even more people from voting.
We were directed to a Facebook page from Hong Kong this week. It’s been set up by one of the people involved in the peaceful demonstrations that are being called the Umbrella Revolution, protesting about Beijing’s insistence on vetting and controlling the list of candidates for the city’s Chief Executive, effectively preventing free elections in Hong Kong.
Our very own Dave Honess is in Hong Kong this week (nothing to do with the demonstrations – he’s gone to see some Hong Kong friends for a holiday that’s been planned for a long time). He tweeted these pictures on arriving:
Eben and I were also in Hong Kong a little while before the demonstrations started, talking to some components suppliers after our press and community tour of China and Taiwan, and visiting friends – the mood was sombre, and many of the people we spoke to were expressing grave concern about what’s next for Hong Kong. Hong Kong is much on our minds here at Raspberry Pi at the moment, and we wish all our friends in the city the very best.
So then. Why am I blogging about Hong Kong? It all comes back to that Facebook page I mentioned up at the top: it’s been set up to host time-lapse footage of the enormous pro-democracy crowds that have been gathering in Central since September 26. And that footage has been collected using a Raspberry Pi and a webcam, all set up in a biscuit tin and secured with duct tape.
Here’s one of the videos taken by the apparatus last week.
What more can we say? This sort of application of the Raspberry Pi, which is as simple as anything (you can learn how to make your own time-lapse camera here in our learning resources section), is an extraordinary leap from what we originally intended the Pi to be – a device to teach school kids computer science. Making technology cheap and accessible has some applications that go way beyond education.
Is that the date already? The new issue of The MagPi, the free magazine written and produced by members of the Raspberry Pi community, is available today.
Editor Ash Stone says:
Welcome to Issue 27 of The MagPi magazine. This month’s issue is packed cover to cover with something for just about everyone!
Are you tired of controlling your Raspberry Pi with the same old mouse and keyboard? Have you ever wished you could have the ergonomic feel of a console controller in your hands when playing some of those retro games we have written about in past issues? If you answered yes to either of these questions, why not take a look at Mark Routledge’s fantastic article describing how to do just that.
Alec Clews talks us through the use of Git, a free version control software package that we also use here at The MagPi to ensure that all of the team work on the most up to date copy of each issue. This is a great read, especially if you work with any type of document or file as part of a team.
As you can see from our front cover, we return to the popular world of Minecraft in Dougie Lawson’s clever article on building QR code structures inside the game. We also have more physical computing from ModMyPi, and a great father and son story on building and funding a Raspberry Pi project through Kickstarter.
Of course we have not forgotten about programming. William Bell continues his popular C++ series and we also have part three of our game programming series using FUZE BASIC. Start thinking of some game ideas now because in the next issue we will have a game programming competition.
If you want even more from The MagPi this month then why not join us on the 11th October at the SWAMP Fest event (see this month’s Events page) where we will have our own stand. We look forward to seeing you there.
Last week Apple announced that it is closing a serious security vulnerability in the iPhone. It used to be that the phone’s encryption only protected a small amount of the data, and Apple had the ability to bypass security on the rest of it.
From now on, all the phone’s data is protected. It can no longer be accessed by criminals, governments, or rogue employees. Access to it can no longer be demanded by totalitarian governments. A user’s iPhone data is now more secure.
To hear U.S. law enforcement respond, you’d think Apple’s move heralded an unstoppable crime wave. See, the FBI had been using that vulnerability to get into peoples’ iPhones. In the words of cyberlaw professor Orin Kerr, “How is the public interest served by a policy that only thwarts lawful search warrants?”
Ah, but that’s the thing: You can’t build a “back door” that only the good guys can walk through. Encryption protects against cybercriminals, industrial competitors, the Chinese secret police and the FBI. You’re either vulnerable to eavesdropping by any of them, or you’re secure from eavesdropping from all of them.
Back-door access built for the good guys is routinely used by the bad guys. In 2005, some unknown group surreptitiously used the lawful-intercept capabilities built into the Greek cell phone system. The same thing happened in Italy in 2006.
In 2010, Chinese hackers subverted an intercept system Google had put into Gmail to comply with U.S. government surveillance requests. Back doors in our cell phone system are currently being exploited by the FBI and unknown others.
This doesn’t stop the FBI and Justice Department from pumping up the fear. Attorney General Eric Holder threatened us with kidnappers and sexual predators.
The former head of the FBI’s criminal investigative division went even further, conjuring up kidnappers who are also sexual predators. And, of course, terrorists.
FBI Director James Comey claimed that Apple’s move allows people to “place themselves beyond the law” and also invoked that now overworked “child kidnapper.” John J. Escalante, chief of detectives for the Chicago police department now holds the title of most hysterical: “Apple will become the phone of choice for the pedophile.”
It’s all bluster. Of the 3,576 major offenses for which warrants were granted for communications interception in 2013, exactly one involved kidnapping. And, more importantly, there’s no evidence that encryption hampers criminal investigations in any serious way. In 2013, encryption foiled the police nine times, up from four in 2012, and the investigations proceeded in some other way.
This is why the FBI’s scare stories tend to wither after public scrutiny. A former FBI assistant director wrote about a kidnapped man who would never have been found without the ability of the FBI to decrypt an iPhone, only to retract the point hours later because it wasn’t true.
We’ve seen this game before. During the crypto wars of the 1990s, FBI Director Louis Freeh and others would repeatedly use the example of mobster John Gotti to illustrate why the ability to tap telephones was so vital. But the Gotti evidence was collected using a room bug, not a telephone tap. And those same scary criminal tropes were trotted out then, too. Back then we called them the Four Horsemen of the Infocalypse : pedophiles, kidnappers, drug dealers, and terrorists. Nothing has changed.
Strong encryption has been around for years. Both Apple’s FileVault and Microsoft’s BitLocker encrypt the data on computer hard drives. PGP encrypts email. Off-the-Record encrypts chat sessions. HTTPS Everywhere encrypts your browsing. Android phones already come with encryption built-in. There are literally thousands of encryption products without back doors for sale, and some have been around for decades. Even if the U.S. bans the stuff, foreign companies will corner the market because many of us have legitimate needs for security.
Law enforcement has been complaining about “going dark” for decades now. In the 1990s, they convinced Congress to pass a law requiring phone companies to ensure that phone calls would remain tappable even as they became digital. They tried and failed to ban strong encryption and mandate back doors for their use. The FBI tried and failed again to ban strong encryption in 2010. Now, in the post-Snowden era, they’re about to try again.
We need to fight this. Strong encryption protects us from a panoply of threats. It protects us from hackers and criminals. It protects our businesses from competitors and foreign spies. It protects people in totalitarian governments from arrest and detention. This isn’t just me talking: The FBI also recommends you encrypt your data for security.
As for law enforcement? The recent decades have given them an unprecedented ability to put us under surveillance and access our data. Our cell phones provide them with a detailed history of our movements. Our call records, email history, buddy lists, and Facebook pages tell them who we associate with. The hundreds of companies that track us on the Internet tell them what we’re thinking about. Ubiquitous cameras capture our faces everywhere. And most of us back up our iPhone data on iCloud, which the FBI can still get a warrant for. It truly is the golden age of surveillance.
After considering the issue, Orin Kerr rethought his position, looking at this in terms of a technological-legal trade-off. I think he’s right.
Given everything that has made it easier for governments and others to intrude on our private lives, we need both technological security and legal restrictions to restore the traditional balance between government access and our security/privacy. More companies should follow Apple’s lead and make encryption the easy-to-use default. And let’s wait for some actual evidence of harm before we acquiesce to police demands for reduced security.
EDITED TO ADD (10/6): Three more essays worth reading. As is this piece on all the other ways Apple and the government have to get at your iPhone data.
And a Washington Post editorial manages to say this:
How to resolve this? A police “back door” for all smartphones is undesirable–a back door can and will be exploited by bad guys, too. However, with all their wizardry, perhaps Apple and Google could invent a kind of secure golden key they would retain and use only when a court has approved a search warrant.
Because a “secure golden key” is completely different from a “back door.”
Bugs, glitches and technical issues are real-life problems for all web-based operations. As a result, most websites are vulnerable to downtime, whether that’s for a few minutes or a few hours.
In the file-sharing space the phenomenon is very common indeed as these entities, torrent and ‘cyberlockers’ in particular, often face unique challenges. These special issues can often lead to unexpected downtime, although with the advent of social media many sites have improved their communications with users.
That being said, tens of thousands of Firedrive users currently have no idea what has happened to their site.
Firedrive, which was previously known as Putlocker before a rebranding exercise earlier this year, started behaving strangely last week. User reports to TorrentFreak initially complained that the site was simply down, but a couple of days later, with no official announcement forthcoming, things took a turn for the strange.
It’s well known that Firedrive is used by some to host unauthorized copies of movies. It’s unclear just how many but thousands of sites around the world carry links to Firedrive that allow the viewing of mainstream movies with nothing more than a web browser. However, users trying to access those links are currently facing disappointment.
Since before the weekend, many (perhaps all) video files on Firedrive have been replaced with 13-15 second intros used by the major movie studios. TF tested a few random links we found using Google and found intros from Sony, Warner, Universal and Dreamworks, instead of the movies that claimed to be there.
TVAddons, the XBMC-focused community previously known as XBMCHub, told TorrentFreak that the issues at Firedrive and sister-site Sockshare (which is also currently non-functional) have broken some of their XBMC/Kodi addons. However, even greater concern lies with those who use Firedrive as a personal storage site.
In recent months following the Putlocker transition, Firedrive has been debuting tools and features which give the site an appeal to users looking for Dropbox-style functionality. And this is where things get even more strange. After a short beta period, on October 1 Firedrive issued a press release heralding the official debut of their iOS and Android syncing apps.
“We are looking forward to our users exploring the new applications and finding value in sharing and backing up their rich media using Firedrive,” said Joseph Turner, CEO of Firedrive.
However, users searching for the apps on either the App Store or Google Play are now met with silence. iTunes reports that the app is only available in Canada, yet switching to that location reveals that it has been removed. Searches on Google Play for the Android version yield no results.
Ever since their press release Firedrive simply hasn’t been working and the only posts on Firedrive’s Facebook page are from angry users complaining about everything from lost files to hackers having taken over the site.
“All I can say is thank god I didn’t pay for this bullshit and to think was just about to go pro and pay,” wrote one. “Never happening now even if it does come back with my files intact, which I doubt will happen! Anyone into a class action suit, I have 100s of hours of work lost could only imagine what paying customers might have lost!”
TorrentFreak reached out to the site for comment but we have yet to receive any response. If anyone has any additional information, feel free to contact us.
There are a couple of common approaches to applying security. The most recommended method is a defense in depth approach. This applies layers of independent, well-known security methods, protecting the system even when one layer is breached. For example:
Your home has a front door. That’s the first layer. The door permits people to enter and leave the house. Closing the door stops access.
The door has a lock. The lock is actually independent of the door. The lock can be enabled or disabled regardless of whether the door is open or closed. But the lock provides an additional security layer to the door: if the door is closed and locked, then it is harder to get into the house.
The front door probably has a deadbolt. Again, this is usually independent of the lock on the doorknob. A deadbolt even has its own latch (the bolt) to deter someone from kicking in the door.
Inside the house, you have an alarm system. (You do have an alarm system, right?) The alarm is another layer, just in case someone gets around the door. The alarm may use door sensors, motion sensors, pressure pads, and more. Each of these add another layer to the home’s security.
You might have a dog who barks loudly or attacks intruders.
Your valuables are locked down or stored in a safe. Even if the burglar gets past the door, dog, and alarm, this is yet another hurdle to contend with.
And don’t forget the nosy neighbors, who call the cops every time a stranger drives down the street…
Each of these layers makes it more difficult for an attacker. With your computer, you have your NAT-enabled router that plugs into your cable or DSL modem — the router that acts as a firewall, preventing uninvited traffic from entering your home. Your computer probably has its own software firewall. Your anti-virus scans all network traffic and media for hostile content. Your online services use SSL and require passwords.
All of these are different layers. Granted, some layers may not be very strong, but even the weakest ones are probably better than nothing.
Another concept is called Security by Obscurity. This is where details about some of the security layers are kept private. The belief is that the layer is safe as long as nobody knows the secret. However, as soon as someone knows the secret, the security is gone.
Lots of security gurus claim that Security by Obscurity isn’t security. But in reality, it is another layer and it works as long as it isn’t your only security precaution.
As an example, consider the lowly password. Passwords are a kind of security by obscurity. As long as you don’t tell someone your password, it is probably safe enough. Of course, if someone can guess your password then all security that it provides is gone.
However, even a weak password can be strong enough if you have other layers protecting it. One of my passwords is “Cucumber”. I’m not kidding, that’s really my password. At this point, people are probably thinking “What an idiot! He just told his password to the entire world!” Except, my password is protected by layers:
I didn’t identify the system or username that uses that password. This is security-by-obscurity. Without knowing where to use it, the password remains secure. (This is analogous to finding a car key and not knowing where the car is located. You can’t steal the car if you can’t find it.)
Even if you know the system, you still need to find the login screen. (Another security-by-obscurity.)
The particular system that uses that password only allows logins from a specific subnet. So you need to identify the subnet and compromise it first. This falls under defense in depth and two-part authentication: something you know (the password) and something you are (the correct network address).
Assuming you can get on the right network, the connection to the system requires strong encryption. You will need to crack two other passwords (or one password and a fingerprint scanner) before you can access the encrypted network keys.
I should also mention that the necessary subnet is protected by a firewall and IPS system, so I’m not too concerned about a network attack.
All of these systems are physically located in an office that has a solid metal door, two locks, an overly-complex alarm system, and a barky dog. Oh, and there’s also nosy neighbors in the adjacent offices. (Hi Beth!)
Honestly, I’m not too concerned with people knowing my “Cucumber” password since nobody can easily get past all of the other security layers.
There are other common security practices. Like the principle of least privilege: you only have access to the things you need. Secure by default and fail securely regarding initialization and error handling. Separation of duties (aka insulation), explicit trust, multi-part authentication, break one get one, etc.
All of these concepts are great when they are used and even better when used together. However, what we usually see is something nullified by apathy. There are really two types of security apathy. There’s the stuff that you control and the stuff that is beyond your control.
For example, it is up to the user to choose a good password, to not use the same password twice, and to change default passwords. However, everyone reuses passwords. And if that online service really wants a password to continue, then I’ll just supply my standard “I don’t care” password. This becomes security apathy that I can control.
Similarly, I often find people who say “I don’t care if someone breaks into my computer. I don’t have anything valuable there.” That’s security apathy. It’s also myopic since the computer is usually connected to the Internet. (“Thanks! I’ll use your computer to send spam and to host my spatula porn collection!”)
Not all security-related apathy can be blamed on the user. My cellphone has some bloatware apps that were installed by the manufacturer. Most of these apps are buggy and some have known vulnerabilities. When I install a new app, I can see what privileges it needs and I have the option to not install. But with pre-installed apps, I don’t know what any of them want to do with my data. I cannot even turn these things off. I rarely use my cellphone for maps, but the maps app is always running. And I’ve turned off the backup/sync options, but the backup app is always sucking down my battery. Even killing the backup app is only a temporary solution since it periodically starts up all by itself.
What’s worse is that many of these undesirable and high-risk features have no patches and there is no option to delete, disable, or remove them. Every few days I get a popup asking me to update some vendor-provided app, but then it complains that there is no update available. (Yes, T-Mobile, I’m talking about your User Account app.)
With my phone, the manufacturer has demonstrated Security by Apathy. They failed to provide secure options and failed to give me the ability to remove the stuff I don’t want. I cannot make my phone secure, even if I wanted to.
A least privilege approach would be to install nothing but the bare essentials. Then I could add in the various apps that I want. I think only Google’s Android One tries to do this. Every other phone is preloaded with bloatware that directly impacts usability, battery life, and device security.
It isn’t just mobile devices that have weak security that is out of our control. When the nude celebrity photo scandal first came out, it was pointed out that Apple permitted an unlimited number of login retries. (Reportedly now fixed… kind of.) In this case, it doesn’t matter how strong the password is if I can guess as many times as I want. Every first-semester computer security student knows this. Apple’s disregard toward basic security practices and a lack of desire to address the issue in a timely fashion (i.e., years before the exploit) shows nothing but apathy toward the user.
Then again, there are plenty of online services that still use the dreaded security question as a backdoor to your account.
“What is your mother’s maiden name?”
“Where did you go to high school?”
“What is your pet’s name?”
Everyone who does security knows that public information should never be used to protect private data. Yet Apple and Facebook and Yahoo and nearly every other major online service still asks these questions as an alternate authentication system. (As far as I know, Google is the only company to stop using these stupid questions that offer no real security.)
It isn’t that there are no other options for validating a user. Rather, these companies typically do not care enough to provide secure alternatives. There’s usually some marketeer with a checklist: “Do we have security questions? Check!” — There’s no checkbox for “is it a good idea?”
Moreover, we cannot assume that the users will be smart enough to not provide the real answers. If the system asks for your favorite color, then most people will enter their favorite color. (Security-minded people will enter an unrelated response, random characters, or a long phrase that is unlikely to be guessed. What’s my favorite color? “The orbit of Neptune on April 27th.”)
Talk to the Hand
There are a few things that enable most of today’s security exploits. First, there is bad software that has not been through a detailed security audit but is widely deployed. Then there is the corporate desire to check off functionality regardless of the impact to security. And finally, there are users who do not care enough to take security seriously.
Educating the user is much easier said than done. In the 35+ years that I have worked with computers, I have yet to see anyone come up with a viable way to educate users. Rather, software developers should make their code idiot-proof. If users should not enter a bad password, then force the password to be strong. If you know that security questions are stupid, then don’t use them. And if you see that someone can guess the password as many times as they want, then implement a limit.
Yes, some code is complex and some bugs get released and some mistakes make it all the way out the door. But that doesn’t mean that we shouldn’t try. The biggest issue facing computer security and personal privacy today is not from a bug or an oversight. It’s from corporate, developer, and user apathy.
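The layered login described earlier (a password that is only accepted from one subnet) and the attempt limit demanded just above can be shown together in code. The following is an added example, not code from the original post: it assumes a hypothetical `Authenticator` class, an allowed subnet of 10.20.30.0/24, and a limit of five failures per 15-minute window. The subnet check runs before any password work, the attempt counter is checked before the password is compared, and the password itself is stored as a salted PBKDF2 hash and compared in constant time, so an attacker who knows a weak password still has to get past the other layers.

```python
"""Layered login: source-subnet restriction, per-account attempt limit,
and a salted, constant-time password comparison."""
import hashlib
import hmac
import ipaddress
import secrets
import time

# Assumed policy values for this example (not from the original post).
ALLOWED_SUBNET = ipaddress.ip_network("10.20.30.0/24")
MAX_ATTEMPTS = 5          # failed logins tolerated per window
WINDOW_SECONDS = 900      # 15-minute window
PBKDF2_ROUNDS = 100_000

# Dummy salt/digest used for unknown usernames so the timing of a failed login
# does not reveal whether the account exists.
_DUMMY_SALT = b"\x00" * 16
_DUMMY_DIGEST = b"\x00" * 32


def hash_password(password, salt=None):
    """Return (salt, digest); a fresh random salt is generated when none is given."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


class Authenticator:
    def __init__(self):
        self._users = {}      # username -> (salt, digest)
        self._failures = {}   # username -> timestamps of recent failures

    def add_user(self, username, password):
        self._users[username] = hash_password(password)

    def _recent_failures(self, username, now):
        cutoff = now - WINDOW_SECONDS
        recent = [t for t in self._failures.get(username, []) if t > cutoff]
        self._failures[username] = recent
        return recent

    def login(self, username, password, source_ip, now=None):
        """Return 'ok' or a 'denied: ...' string naming the layer that stopped the login."""
        now = time.time() if now is None else now

        # Layer 1: where the request comes from. Wrong subnet means the password
        # is never even examined.
        if ipaddress.ip_address(source_ip) not in ALLOWED_SUBNET:
            return "denied: source not in allowed subnet"

        # Layer 2: the attempt limit. Without it, password strength is moot
        # because the attacker can simply keep guessing.
        if len(self._recent_failures(username, now)) >= MAX_ATTEMPTS:
            return "denied: too many failed attempts, try later"

        # Layer 3: the password. Unknown users get a dummy comparison so the
        # work (and time) is the same whether or not the account exists.
        salt, digest = self._users.get(username, (_DUMMY_SALT, _DUMMY_DIGEST))
        _, candidate = hash_password(password, salt)
        if username in self._users and hmac.compare_digest(candidate, digest):
            self._failures.pop(username, None)
            return "ok"

        self._failures.setdefault(username, []).append(now)
        return "denied: bad credentials"
```

The `now` parameter exists only so the window logic can be exercised deterministically; in production it is left at the default. The lockout here is per account, which is what stops a single-account guessing run; a real deployment would also count failures per source address so one client cannot lock out many accounts.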
In order to measure the danger of the bash shellshock vulnerability, I scanned the Internet for it. Many are debating whether this violates the CFAA, the anti-hacking law.
The answer is that everything technically violates that law. The CFAA is vaguely written allowing discriminatory prosecution by the powerful, such as when AT&T prosecuted ‘weev’ for downloading iPad account information that they had made public on their website. Such laws need to be challenged, but sadly, those doing the challenging tend to be the evil sort, like child molesters, terrorists, and Internet trolls like weev. A better way to challenge the law is with a more sympathetic character. Being a good guy defending websites still doesn’t justify unauthorized access (if indeed it’s unauthorized), but it’ll give credence to the argument that the law is unconstitutionally vague because I’m obviously not trying to “get away with something”.
Law is like code. The code says (paraphrased):
intentionally accesses the computer without authorization thereby obtaining information
There are two vague items here, “intentionally” and “authorization”. (The “access” and “information” are also vague, but we’ll leave that for later).
The problem with the law is that it was written in the 1980s before the web happened. Back then, authorization meant explicit authorization. Somebody first had to tell you “yes, you can access the computer” before you were authorized. The web, however, consists of computers that are open to the public. On the web, people intentionally access computers with the full knowledge that nobody explicitly told them it was authorized. Instead, there is some vague notion of implicit authorization, that once something is opened to the public, then the public may access it.
Unfortunately, whereas explicit authorization is unambiguous, the limits of implicit authorization are undefined. We see that in the Weev case. Weev knew that AT&T did not want him to access that information, but he believed that he was nonetheless authorized because AT&T made it public. That’s the tension in the law, between unwanted access vs. unauthorized access.
It would be easy to just say that anything the perpetrator knows is unwanted is therefore unauthorized, but that wouldn’t work. Take the NYTimes, for example. They transmit a “Cookie” to your web-browser in order to limit access to their site, in order to encourage you to pay for a subscription. The NYTimes knows that you don’t want the cookie, that placing the cookie on your computer is unwanted access. This unwanted access is clearly not hacking.
Note that the NYTimes used to work a different way. It blocked access until you first created an account and explicitly agreed to the cookie. Now they place the cookie on your computer without your consent.
Another example is Google. They access every public website, downloading a complete copy of the site in order to profit by other people’s content. They know that many people don’t want this.
These, and a thousand other examples, demonstrate that “unwanted but authorized” access on the public Internet is the norm.
Figuring out when public, but unwanted, access crosses the line to “unauthorized” is the key problem in the CFAA. Because it’s not defined, it invites arbitrary prosecution. Weev embarrassed the powerful, not only AT&T and Apple, but the politicians whose names appeared in the results. Prosecutors therefore came up with a new interpretation of the CFAA by which to prosecute him.
A common phrase you’ll hear in the law is that “ignorance of the law is no excuse”. For example, a lot of hackers get tripped up by “obstruction of justice”. It’s a law that few know, but ignorance of it doesn’t make you innocent. Barrett Brown’s mother is serving a 6-month sentence for obstruction of justice because she didn’t know that hiding her child’s laptop during execution of a search warrant would be “obstruction of justice”.
But this “ignorance of the law” thing doesn’t apply to the Weev case, because everyone is ignorant of the law. Even his lawyers, planning ahead of time, wouldn’t be able to figure it out. In my mass scanning of the Internet people keep telling me I need to consult with a lawyer to figure out if it’s “authorized”. I do talk to lawyers about it, including experts in this field. Their answer is “nobody knows”. In other words, the answer is that prosecutors might be able to successfully prosecute me, but not because the law clearly says that what I’m doing is illegal, but because the law is so vague that it can be used to successfully prosecute anybody for almost anything — like Weev.
That’s the central point of any appeal in my case of getting arrested for scanning: that the CFAA is “void for vagueness“. The law is clearly too vague for the average citizen to understand. Of course, every law suffers from a little bit of vagueness, but in the case of the CFAA, the unknown parts are extremely broad, covering virtually all public access of computers. When computers are public, as on the web, and you do something slightly unusual, there is no way for reasonable people to tell if the conduct is “authorized” under the law. The very fact that my lawyers can’t tell me if mass scanning of the Internet is “authorized” is a clear indication that the law is too vague.
The reason vagueness causes the law to become void is that it violates due process. It endangers a person with arbitrary and discriminatory prosecution. Weev was prosecuted not because a reasonable person should have known that such access was impermissible under the CFAA, but because his actions embarrassed AT&T, Apple, and some prominent politicians like Rahm Emanuel.
Lawyers think that the word “intentional” in the CFAA isn’t vague. It’s the mens rea component, and is clearly defined. There are four levels of mens rea: accidental/negligent, reckless, knowing, and intentional. It differentiates manslaughter (negligent actions that lead to death) vs. murder (intentionally killing someone). The CFAA has the narrowest mens rea component, intentional. That partially resolves the problem of accessing public websites: you may not be authorized, but as long as you don’t know it, then your access is not illegal. Thus, you can click on the following link xyzpdq, and even though you suspect that I’m trying to trick you into accessing something you shouldn’t, it’s still okay, because you didn’t know for certain if it was unauthorized. (Yes, that URL is designed to look like hacking, but no, I’m fairly certain it won’t work, because the NSA has never had a ‘cgi-bin’ subdirectory according to Google). You can “recklessly” access without authorization, but as long as it’s not “intentional”, you don’t violate the CFAA.
Lawyers think this is clear, but it isn’t. We know Weev’s state of mind. We knew he believed his actions were authorized. For one thing, all his peers in the cybersecurity community think it’s authorized. For another thing, he wouldn’t have published the evidence of his ‘crime’ on Gawker if he thought it were a crime.
Yet, somehow, this isn’t a mens rea defense. You can read why on the Wikipedia article on mens rea. This is merely the subjective test, but the courts also have an objective test. It’s not necessarily Weev’s actual intentions that matter, but the intentions of a “reasonable person”. Would a reasonable person have believed that accessing AT&T’s servers that way was unauthorized?
This test is bonkers for computers, because a “reasonable person” means an “ignorant person”. Reasonable people who know how the web works, who have read RFC 2616, believe Weev’s actions are clearly authorized. Other reasonable people who know nothing except how to access Facebook with an iPad often believe otherwise — and it’s the iPad users the court relies upon for “reasonable person”.
If you are on a desktop/laptop, you are reading this blogpost in a browser. At the top of your browser is the URL field. You can click on this and edit this field. When presented with a URL like “http://example.com/?articleId=5”, you know you can edit the URL, changing the ‘5’ to a ‘6’, and thereby access the next article in the sequence. Reasonable people who know how the web works routinely do this every day — we know the URL field is there for exactly this reason. Ignorant-but-reasonable people who don’t know how computers work have never edited the URL. To the ignorant, the URL is some incomprehensible detail that nobody would ever edit, and that if they ever did, it was because they were “hacking”.
In legal terms, this means that the mens rea for the CFAA is actually “strict liability”. Your actual intentions are irrelevant, because it’s the intentions of the ignorant that matter. And the ignorant think anything other than clicking on links is unauthorized. Hence, editing the URL field is “intentional unauthorized access”.
I have this fantasy that one day Tim Berners-Lee (the designer of the web) gets prosecuted for incrementing the URL to access the next article. In the debate about “how the web works” and “what does authorization mean”, Tim will be referring to RFC 2616 which he wrote. However, he’ll be found guilty because the ignorant people in the jury box, consisting of his ‘reasonable’ peers, think it works a different way. Tim will say “I designed the web so that people could increment the URL” whereas the jury would claim “no reasonable person would ever increment the URL”.
What we have is something akin to the Salem Witch Trials, where a reasonable jury of their peers convicted people for practicing witchcraft. To the average person on the street, computers work by magic, and those who do strange things are practicing witchcraft. Weev was convicted of witchcraft, and nothing more.
That brings me back to my scan of the Internet for the Shellshock bug. The facts are not in doubt. I document exactly what I sent to the web servers. That I didn’t intend to “hack” the servers and believed my access was “authorized” is likewise clear.
Some of my peers are uncomfortable, though, because the nature of the access is unusual. But they haven’t thought things through. This isn’t a buffer-overflow remote-code execution, where data becomes code contrary to the expectations of the programmer. Instead, it’s code execution according to the intentions of the programmer. Shellshock is a feature whose defined intent was to execute code. Shellshock is fixed by removing a feature from bash that has been used for 20 years. That servers are misconfigured to run shellshock code doesn’t make it unauthorized.
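The distinction drawn above, a legitimate bash feature (functions exported through the environment) versus the bug that keeps parsing past the function body, can be checked against a local bash. The following is an added example, not the author's scanner or his payload: it runs only against the bash on the machine it is executed on, and the command that an unpatched bash would execute is a plain `echo`, chosen so the check is harmless. The variable name `PROBE` and the marker string are assumptions of this example.

```python
"""Exercise the exported-function feature of bash and the CVE-2014-6271
("Shellshock") parsing bug against the local bash binary only."""
import os
import shutil
import subprocess

# An unpatched bash treats any environment variable whose value begins with
# "() {" as a function definition, and then keeps executing whatever follows
# the closing brace. Only an echo follows it here.
PROBE_ENV = {"PROBE": "() { :; }; echo SHELLSHOCK_MARKER"}


def _bash_path(bash="bash"):
    return shutil.which(bash)


def exported_function_works(bash="bash"):
    """The intended feature: a function exported with `export -f` is visible to
    a child bash. Returns True/False, or None when no bash is installed."""
    path = _bash_path(bash)
    if path is None:
        return None
    script = "f() { echo FEATURE_OK; }; export -f f; " + path + " -c f"
    proc = subprocess.run([path, "-c", script], capture_output=True,
                          text=True, timeout=10)
    return "FEATURE_OK" in proc.stdout


def check_local_bash(bash="bash"):
    """The bug: return 'vulnerable' if bash executed the trailing command,
    'patched' if it only ran the requested `echo done`, or 'no-bash'."""
    path = _bash_path(bash)
    if path is None:
        return "no-bash"
    env = dict(os.environ)
    env.update(PROBE_ENV)
    proc = subprocess.run([path, "-c", "echo done"], env=env,
                          capture_output=True, text=True, timeout=10)
    return "vulnerable" if "SHELLSHOCK_MARKER" in proc.stdout else "patched"


if __name__ == "__main__":
    print("exported functions:", exported_function_works())
    print("shellshock status :", check_local_bash())
```

On a patched bash the first call still returns True, because the fix restricted how function definitions are imported rather than removing exported functions altogether, while the second returns "patched" (newer versions also print a warning on stderr about an ignored function definition attempt). The point of pairing them is the one the paragraph makes: the code path that Shellshock abused is the same one the feature relies on.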
Furthermore, there is the “thereby obtains information” clause. If my command were “cat /etc/passwd”, I can understand there’d be an issue. In the Weev case, it’s clear that the programmers intended for the iPad account information to be public, but it’s clear in this case that nobody intends “/etc/passwd” to be public. But I don’t use Shellshock to get the password file, I use ‘ping’ because clearly pinging is authorized — because pings are a normal authorized interaction between two computers on the Internet.
If you want to claim that all “code execution” is invalid, then a lot of what we do becomes invalid. For example, our community routinely adds a tick mark ‘ onto URLs to test for SQL injection. That’s technically code execution. By pasting strings, website programmers have implicitly authorized us to run some SQL code, like tick marks. It doesn’t mean they’ve authorized us to execute all code, like getting the password file, or doing the famous “; DROP TABLE Students”. But it does mean that they’ve authorized the principle of running code — which is why we put tick marks in URLs with reckless abandon. Heck, when websites are broken, we’ll write entire SQL queries to get the information in our account that we believe we are authorized to.
At least, that’s the narrow reading we’ve all been using of the CFAA: when they make a website public, and they’ve configured certain features (albeit without full understanding of their actions), then we feel authorized to use them. It’s their responsibility to make things explicitly un-authorized, not our responsibility to figure out what’s been implicitly authorized. If they put a password on it, we recognize that as “authorization”, and we don’t try to bypass the password even if we can (even with URL editing, even with SQL code). Conversely, when it’s public, we treat things as public. We have simple criteria, “authorized means explicit” and “public means public”.
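Why a tick mark pasted into a URL parameter counts as "running SQL code" is easy to show with a throwaway database. The following is an added example, not code from the original post: it builds a small in-memory SQLite table with constructed rows and compares the concatenated query (the pattern a tick-mark probe is looking for) with a parameterised one. Under concatenation the quote becomes part of the statement's grammar, so a lone quote is a syntax error and a crafted value widens the `WHERE` clause; under binding the same bytes are only ever data.

```python
"""A single quote as 'code': string-built SQL versus bound parameters."""
import sqlite3


def make_db():
    """In-memory table with constructed sample rows (not from the original post)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE articles (id INTEGER PRIMARY KEY, owner TEXT, title TEXT)"
    )
    conn.executemany(
        "INSERT INTO articles (owner, title) VALUES (?, ?)",
        [("alice", "Public post"), ("bob", "Private draft")],
    )
    return conn


def lookup_concat(conn, owner):
    """Vulnerable pattern: the request value is pasted into the statement text,
    so whatever it contains is parsed as SQL."""
    sql = ("SELECT title FROM articles WHERE owner = '" + owner + "'"
           " ORDER BY id")
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, owner):
    """Safe pattern: the value is bound, never parsed."""
    rows = conn.execute(
        "SELECT title FROM articles WHERE owner = ? ORDER BY id", (owner,)
    )
    return [row[0] for row in rows]


def tick_probe(conn, owner):
    """The tick-mark test: append a lone quote to the value. Under concatenation
    the string literal is left unterminated and the database raises a syntax
    error (the signal a tester looks for); under binding it is simply a value
    that matches nothing."""
    try:
        lookup_concat(conn, owner + "'")
        concat_outcome = "no error"
    except sqlite3.OperationalError:
        concat_outcome = "syntax error"
    return concat_outcome, lookup_param(conn, owner + "'")
```

The tautology `alice' OR '1'='1` makes the difference concrete: `lookup_concat` returns every row, including bob's private draft, while `lookup_param` returns nothing because no owner is literally named that.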
I know that I’m at risk for prosecution of the CFAA, but somebody has to do this. Unless security researchers are free of the chilling-effects of the law, Chinese cyberwarriors and cyberterrorists will devastate our country. More importantly, the CFAA is unconstitutionally vague violating due process, and somebody has to defend the constitution. I can handle getting prosecuted, so I’m willing to stick my neck out.
Update: The point I’m trying to make about ‘mens rea’ is that it doesn’t resolve the ambiguity over “authorization”. Some people have claimed that the law isn’t void for vagueness, because ‘intent’ clarifies things. It doesn’t. All access is intentional, it’s authorization that’s the question. If I think I’m authorized, but the law disagrees, then “ignorance-of-law-is-no-excuse” trumps “I thought I was authorized”, thus we are right back at strict liability. Only in the case of recklessly clicking on web links is there a difference. Anything more complex that technical people do collapses to ill-intentioned witchcraft.
Yesterday the Digital Citizens Alliance released a new report that looks into the business models of “shadowy” file-storage sites.
Titled “Behind The Cyberlocker Door: A Report How Shadowy Cyberlockers Use Credit Card Companies to Make Millions,” the report attempts to detail the activities of some of the world’s most-visited hosting sites.
While it’s certainly an interesting read, the NetNames study provides a few surprises, not least the decision to include New Zealand-based cloud storage site Mega.co.nz. There can be no doubt that there are domains of dubious standing detailed in the report, but the inclusion of Mega stands out as especially odd.
Mega was without doubt the most-scrutinized file-hosting startup in history and as a result has had to comply fully with every detail of the law. And, unlike some of the other sites listed in the report, Mega isn’t hiding away behind shell companies and other obfuscation methods. It also complies fully with all takedown requests, to the point that it even took down its founder’s music, albeit following an erroneous request.
With these thoughts in mind, TorrentFreak alerted Mega to the report and asked how its inclusion amid the terminology used has been received at the company.
Grossly untrue and highly defamatory
“We consider the report grossly untrue and highly defamatory of Mega,” says Mega CEO Graham Gaylard.
“Mega is a privacy company that provides end-to-end encrypted cloud storage controlled by the customer. Mega totally refutes that it is a cyberlocker business as that term is defined and discussed in the report prepared by NetNames for the Digital Citizens Alliance.”
Gaylard also strongly refutes the implication in the report that as a “cyberlocker”, Mega is engaged in activities often associated with such sites.
“Mega is not a haven for piracy, does not distribute malware, and definitely does not engage in illegal activities,” Gaylard says. “Mega is running a legitimate business alongside other cloud storage providers in a highly competitive market.”
The Mega CEO told us that one of the perplexing things about the report is that none of the criteria set out by the report for “shadowy” sites is satisfied by Mega, yet the decision was still taken to include it.
Infringing content and best practices
One of the key issues is, of course, the existence of infringing content. All user-uploaded sites suffer from that problem, from YouTube to Facebook to Mega and thousands of sites in between. But, as Gaylard points out, it’s the way those sites handle the issue that counts.
“We are vigorous in complying with best practice legal take-down policies and do so very quickly. The reality though is that we receive a very low number of take-down requests because our aim is to have people use our services for privacy and security, not for sharing infringing content,” he explains.
“Mega acts very quickly to process any take-down requests in accordance with its Terms of Service and consistent with the requirements of the USA Digital Millennium Copyright Act (DMCA) process, the European Union Directive 2000/31/EC and New Zealand’s Copyright Act process. Mega operates with a very low rate of take-down requests; less than 0.1% of all files Mega stores.”
Affiliate schemes that encourage piracy
One of the other “rogue site” characteristics as outlined in the report is the existence of affiliate schemes designed to incentivize the uploading and sharing of infringing content. In respect of Mega, Gaylard rejects that assertion entirely.
“Mega’s affiliate program does not reward uploaders. There is no revenue sharing or credit for downloads or Pro purchases made by downloaders. The affiliate code cannot be embedded in a download link. It is designed to reward genuine referrers and the developers of apps who make our cloud storage platform more attractive,” he notes.
The PayPal factor
As detailed in many earlier reports (1,2,3), over the past few years PayPal has worked hard to seriously cut down on the business it conducts with companies in the file-sharing space.
Companies, Mega included, now have to obtain pre-approval from the payment processor in order to use its services. The suggestion in the report is that large “shadowy” sites aren’t able to use PayPal due to its strict acceptance criteria. Mega, however, has a good relationship with PayPal.
“Mega has been accepted by PayPal because we were able to show that we are a legitimate cloud storage site. Mega has a productive and respected relationship with PayPal, demonstrating the validity of Mega’s business,” Gaylard says.
Public apology and retraction – or else
Gaylard says that these are just some of the points that Mega finds unacceptable in the report. The CEO adds that at no point was the company contacted by NetNames or Digital Citizens Alliance for its input.
“It is unacceptable and disappointing that supposedly reputable organizations such as Digital Citizens and NetNames should see fit to attack Mega when it provides the user end to end encryption, security and privacy. They should be promoting efforts to make the Internet a safer and more trusted place. Protecting people’s privacy. That is Mega’s mission,” Gaylard says.
“We are requesting that Digital Citizens Alliance withdraw Mega from that report entirely and issue a public apology. If they do not then we will take further action,” he concludes.
TorrentFreak asked NetNames to comment on Mega’s displeasure and asked the company if it stands by its assertion that Mega is a “shadowy” cyberlocker. We received a response (although not directly to our questions) from David Price, NetNames’ head of piracy analysis.
“The NetNames report into cyberlocker operation is based on information taken from the websites of the thirty cyberlockers used for the research and our own investigation of this area, based on more than a decade of experience producing respected analysis exploring digital piracy and online distribution,” Price said.
That doesn’t sound like a retraction or an apology, so this developing dispute may have a way to go.
The EFF and other activists are promoting NetNeutrality in response to the FCC’s request for comment. What they tell you is a lie. I thought I’d write up the major problems with their arguments.
Proponents claim they are trying to “save” NetNeutrality and preserve the status quo. This is a bald-faced lie.
The truth is that NetNeutrality is not now, nor has it ever been, the law. Fast-lanes have always been the norm. Most of your network traffic goes through fast-lanes (“CDNs”), for example.
The NPRM (the FCC request for comments we are all talking about here) quite clearly says: “Today, there are no legally enforceable rules by which the Commission can stop broadband providers from limiting Internet openness“.
NetNeutrality means a radical change, from the free-market Internet we’ve had for decades to a government regulated utility like electricity, water, and sewer. If you like how the Internet has been running so far, then you should oppose the radical change to NetNeutrality.
“NetNeutrality is technical”
Proponents claim there is something “technical” about NetNeutrality, that the more of a geek/nerd you are, the more likely you are to support it. They claim NetNeutrality supporters have some sort of technical authority on the issue. This is a lie.
The truth is that NetNeutrality is pure left-wing dogma. That’s why the organizations supporting it are all well-known left-wing organizations, like Greenpeace, Daily Kos, and the EFF. You don’t see right-wing or libertarian organizations on the list supporting today’s protest. In contrast, other issues like the “SOPA blackout” and protests against the NSA enjoy wide bi-partisan support among right-wing, libertarian, and left-wing groups.
Your support of NetNeutrality correlates with your general political beliefs, not with your technical skill. One of the inventors of TCP/IP is Vint Cerf who supports NetNeutrality – and a lot of other left-wing causes. Another inventor is Bob Kahn, who opposes NetNeutrality and supports libertarian causes.
NetNeutrality is a political slogan only. It has as much technical meaning as “Hope and Change”. Ask 10 people what the phrase technically means and you’ll get 13 answers.
The only case where NetNeutrality correlates with technical knowledge is among those geeks who manage networks – and it’s an inverse correlation (they oppose it). That’s because they want technologists and not politicians deciding how to route packets.
“Fast lanes will slow down the Internet”
Proponents claim that fast-lanes for some will mean slow-lanes for everyone else. The opposite is true – the Internet wouldn’t work without fast lanes, because they shunt high-volume traffic off expensive long-distance links.
The fundamental problem with the Internet is the “tragedy of the commons” where a lot of people freeload off the system. This discourages investment needed to speed things up. Charging people for fast-lanes fixes this problem – it charges those willing to pay for faster speeds in order to invest in making the Internet faster. Everyone benefits – those in the new fast-lane, and those whose slow-lanes become less congested.
This is proven by “content delivery networks” or “CDNs”, which are the most common form of fast lanes. (Proponents claim that CDNs aren’t the fast lanes they are talking about, but that too is a lie). Most of your network traffic doesn’t go across long-distance links to places like Silicon Valley. Instead, most of it goes to data centers in your local city to these CDNs. Companies like Apple and Facebook maintain their own CDNs, others like Akamai and Lightspeed charge customers for the privilege to be hosted on their CDNs. CDNs are the very essence of fast lanes, and the Internet as we know it wouldn’t happen without them.
“Bad things will happen”
NetNeutrality proponents claim bad things will happen in the future. These are lies, made-up stories designed to frighten you. You know they are made-up stories because NetNeutrality has never been the law, and the scary scenarios haven’t come to pass.
The left-wingers may be right, and maybe the government does indeed need to step in and regulate the Internet like a utility. But, we should wait for problems that arise and fix them – not start regulating to prevent bad things that would never actually occur. It’s the regulation of unlikely scenarios that is most likely to kill innovation on the future Internet. Today, corporations innovate first and ask forgiveness later, which is a far better model than having to ask a government bureaucrat whether they are allowed to proceed – then proceeding anyway by bribing or lobbying the bureaucrats.
“Bad things have happened”
Proponents claim that a few bad things have already happened. This is a lie, because they are creating a one-sided description of events.
For example, a few years ago, Comcast filtered BitTorrent traffic in a clear violation of NetNeutrality ideals. This was simply because the network gets overloaded during peak hours (5pm to 9pm) and BitTorrent users don’t particularly care about peak hours. Thus, by slowing down BitTorrent during peak hours, Comcast improved the network for everyone without inconveniencing BitTorrent users. It was a win-win solution to the congestion problem.
NetNeutrality activists hated the solution. Their furor caused Comcast to change their policy, no longer filtering BitTorrent, but imposing a 250gig bandwidth cap on all their users instead. This was a lose-lose solution, both BitTorrent users and Comcast’s normal customers hated the solution – but NetNeutrality activists accepted it.
NetNeutrality activists describe the problem as whether or not Comcast should filter BitTorrent, as if filtering/not-filtering were the only two choices. That’s a one-sided description of the problem. Comcast has a peak-hour congestion problem. The choices are to filter BitTorrent, impose bandwidth caps, bill by amount downloaded, bill low-bandwidth customers in order to subsidize high-bandwidth customers, cause all customers to suffer congestion, and so on. By giving a one-sided description of the problem, NetNeutrality activists make it look like Comcast was evil for choosing a bad solution to the problem, but in truth, all alternatives are bad.
A similar situation is the dispute between NetFlix and Comcast. NetFlix has been freeloading off the system, making the 90% of low-bandwidth customers subsidize the 10% who do streaming video. Comcast is trying to make those who do streaming pay for the costs involved. They are doing so by making NetFlix use CDNs like all other heavy users of the network. Activists take a very narrow view of this, casting Comcast as the bad guy, but any technical analysis of the situation shows that NetFlix is the bad guy freeloading on the system, and Comcast is the good guy putting a stop to it.
Companies like Comcast must solve technical problems. NetNeutrality deliberately distorts the description of the problems in order to make corporations look evil. Comcast certainly has monopolies in big cities on broadband (above 10mbps) Internet and we should distrust them, but the above examples were decided on technical grounds, not on rent-seeking monopolist grounds.
I’m not trying to sway your opinion on NetNeutrality, though of course it’s quite clear I oppose it. Instead, I’m trying to prove that the activists protesting today are liars. NetNeutrality isn’t the status quo or the current law, it’s not being “saved”. NetNeutrality is pure left-wing politics, not technical, and activists have no special technical authority on the issue. Fast-lanes are how the Internet works, they don’t cause slow-lanes for everyone else. The activists’ stories of future doom are designed to scare you and aren’t realistic, and their stories of past problems are completely distorted.
Frankly, activists are dishonest with themselves, as shown in the following tweet. In their eyes, Comcast is evil and “all about profits” because they lobby against NetNeutrality, while NetFlix is a responsible/good company because they support NetNeutrality. But of course, we all know that NetFlix is likewise “all about profits”, and their support for NetNeutrality is purely because they will profit by it.
Filename Ballistics is proving itself to be a massive success. The entire idea with this forensic approach is that (1) different applications use different filename formats, and (2) people rarely rename files. If the filename format is distinct enough, then you can identify the camera, application, or online service that generated the picture.
From a forensic viewpoint, knowing what causes these filenames helps identify the source. For example, some filenames map back to specific applications, platforms, and even software versions. Imagine law enforcement tracking down a suspect and finding the right type of mobile device with the right version of the right software installed… Or maybe the suspect has multiple smartphones, but only one matches the required software. This can be used to identify the smoking gun (or smoking cellphone, in this case).
The current ruleset covers over 60% of digital picture filename formats uploaded to FotoForensics. Cameras, web services, smartphone apps, etc. With many web services, you can even map the filename back to a URL. This is great for comparing the local file with the online version. (If they differ, then you immediately know some of the edits.)
The best part is that, even knowing how this works, there is no benefit to bad guys. Filenames are everywhere. On your hard drive, in your web cache, attached to emails. Even deleting files doesn’t always remove filenames from the system. The effort to rename everything is significant. And even if you do rename everything, it doesn’t alter the fact that you have incriminating evidence on your computer.
Filename Not Found
Unfortunately, there are a couple of filename formats that I haven’t been able to map (yet). They clearly identify some kind of application, but I don’t know the application. For example, the following filenames all use the same file format:
With each of these names, there’s an initial “!” (it may be optional), the letters “cid_”, and then a bunch of hex characters (it’s a random UUID). There’s an optional “@” with a name after it, and then “.jpg”. These appear to be from some kind of email attachment. However, I don’t know what email application generates these filenames. I also don’t know if the “@” represents the sender, recipient, or something else.
The first filename should be IMG_20120524_115512.jpg — that’s from some kind of Android. However, something converted the underscores to “95”. This conversion is consistent and widespread; there is some kind of common application that performs the conversion, but I don’t know what causes it and it may not be limited to Android devices.
If you happen to recognize any of these unidentified filename formats, please let me know!
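To make the rule-matching idea concrete, here is an added example (not FotoForensics code, which is not public) of a small filename-ballistics classifier written for this post. The regular expressions are my own reading of the formats described above: the Android `IMG_YYYYMMDD_HHMMSS` name, the same name after a converter rewrote each underscore as “95” (95 is the decimal ASCII code of `_`, which is why that substitution looks like a character-code escape), the unidentified `!cid_<UUID>@name.jpg` attachment format (hyphens in the UUID are assumed optional), and the 4chan epoch-millisecond name discussed further down. All sample filenames are constructed for the example.

```python
import re
from datetime import datetime, timezone

# Filename-format rules: (label, compiled pattern). The patterns are assumptions
# written for this example from the formats the post describes; they are not the
# real FotoForensics ruleset.
RULES = [
    ("Android camera app (IMG_YYYYMMDD_HHMMSS)",
     re.compile(r"^IMG_(\d{8})_(\d{6})\.jpe?g$", re.IGNORECASE)),
    # Same format after an unknown converter rewrote each '_' as "95"
    # (95 is the decimal ASCII code of '_').
    ("Android camera app, underscores rewritten to '95' (converter unknown)",
     re.compile(r"^IMG95(\d{8})95(\d{6})\.jpe?g$", re.IGNORECASE)),
    # Optional leading '!', then 'cid_', a UUID (hyphens assumed optional),
    # an optional '@name', and the .jpg extension.
    ("Unidentified mail client attachment (cid_ + UUID)",
     re.compile(r"^!?cid_([0-9a-f]{8}-?[0-9a-f]{4}-?[0-9a-f]{4}-?[0-9a-f]{4}-?[0-9a-f]{12})"
                r"(?:@(.+))?\.jpe?g$", re.IGNORECASE)),
    # 4chan: a 13-digit count of milliseconds since the Unix epoch
    # (consistent with the post's "no more than 1000 pictures per second" bound).
    ("4chan upload (epoch timestamp)",
     re.compile(r"^(\d{13})\.(?:jpe?g|png|gif)$", re.IGNORECASE)),
]


def _fmt_ms(ms: int) -> str:
    """Render a millisecond Unix timestamp as 'YYYY-MM-DD HH:MM:SS.mmm' in UTC."""
    dt = datetime.fromtimestamp(ms // 1000, tz=timezone.utc)
    dt = dt.replace(microsecond=(ms % 1000) * 1000)
    return dt.strftime("%Y-%m-%d %H:%M:%S.%f")[:-3]


def classify(filename: str):
    """Match a filename against RULES; return a dict with the source label and
    whatever fields the format encodes, or None if no rule matches."""
    for label, pattern in RULES:
        m = pattern.match(filename)
        if not m:
            continue
        info = {"source": label}
        if label.startswith("Android"):
            taken = datetime.strptime(m.group(1) + m.group(2), "%Y%m%d%H%M%S")
            info["taken"] = taken.strftime("%Y-%m-%d %H:%M:%S")
            # Undo the "95" substitution so the name can be compared with the device's copy.
            info["original_name"] = f"IMG_{m.group(1)}_{m.group(2)}.jpg"
        elif label.startswith("Unidentified mail"):
            info["uuid"] = m.group(1).lower()
            info["at_name"] = m.group(2)       # None when there is no '@name' part
        elif label.startswith("4chan"):
            info["posted_utc"] = _fmt_ms(int(m.group(1)))
        return info
    return None


if __name__ == "__main__":
    # Constructed sample names, not taken from any real upload.
    SAMPLES = [
        "IMG_20120524_115512.jpg",
        "IMG952012052495115512.jpg",
        "!cid_3f2a9c1e4b7d4e0a8c6d1f2e3a4b5c6d@example.jpg",
        "1409931694122.jpg",
        "image.jpg",
    ]
    for name in SAMPLES:
        print(f"{name:55} -> {classify(name)}")
```

Because rules are tried in order, put the most specific patterns first; a looser pattern such as the 13-digit timestamp rule will happily swallow any 13-digit name, so in a real ruleset it belongs near the end.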
Most online services need some way to generate unique filenames rapidly. If three people upload different files that are all called “image.jpg”, then the site needs to keep all of them separate. Low volume services can usually get away with a random element in the filename. Other sites use something more deterministic, like SHA1 checksums, incremental counters, or timestamps.
With random filenames, you always risk a naming collision. That’s where two files are assigned the same random characters. This is usually a low risk for small sites, but places like Flickr, Facebook, and Twitter need something with less risk of a collision.
Incremental counters are useful because there is no naming collision. Unfortunately, they permit nosy people to iterate through counter values and identify other pictures on the system. Many services with incremental counters also include some kind of random or user-specific element to prevent arbitrary photo traversal. Facebook image names have three numerical components; the third one is a random number to prevent guessing. However, other sites, like Twitpic, permit anyone to just iterate through the list of images.
Cryptographic checksums are also a wonderful idea. The values are non-linear, so you cannot increment through values. And they are not predictable (unless you already have the source picture). However, computing the checksum can be time consuming. FotoForensics is a low volume site (compared to Google), so it can spend time computing checksums. In contrast, Facebook and Twitter process so many pictures that the computing overhead would be prohibitively expensive for them. (Their power bill would increase and they’d need more computers since the simple act of computing checksums tens of thousands of times per second would add up and delay the user experience.)
Timestamps, especially those with high-precision values, are great for filenames. They are fast to generate, constantly incrementing so there is no risk of a name collision, and large gaps in the sequence deter iterators. 4chan, for example, uses a timestamp format. The 4chan filename “1409931694122.jpg” is the time in microseconds since 1-Jan-1970; it translates as 2014-09-05 15:41:34.122. As long as their system does not process more than 1000 pictures per second, there won’t be a naming collision. (And I doubt that their servers can handle that kind of load.) Since 4chan usually receives a picture every few seconds, an iterator would need to go through thousands of failures before finding an image. And that many failures would likely trigger an alert if 4chan uses any kind of network attack detector.
While timestamps are useful, some sites like to encode the times. I’ve managed to decode a lot of the encoded time formats, however one format is still stumping me: Twitter. Here’s the last few pictures from my Twitter stream (the top one is most recent). Do you see the pattern?
Each filename is in the format “BxxxxxxxxAyyyyy.jpg”. The B values increment, but not as regularly as the A values. In contrast, the A values increment uniformly. Assuming that they actually are incremental values, it appears (and I could be wrong here) that lowercase are followed by uppercase are followed by numbers. (Or maybe it’s numbers followed by lowercase followed by uppercase?) There are also two characters that may appear (underscore and hyphen). Basically, it looks like some kind of base-64 encoding. (When I say “base-64” here, don’t think of it as the standard base64 function used to convert binary data into text. Instead, think of it like a numerical base conversion. Base-2 uses 2 digits. Base-16 uses 16 characters. Base-64 uses 64 characters.)
The tweet IDs always increment and fit within a 64-bit value. In this case, they differ by 10,586,423,297 (506867118126559233 – 506867107540135936 = 10586423297). I can’t help but wonder if this is actually two numbers, or one high-precision number. For example, they start with “50686710″ and “50686711″. Could that be a timestamp with a non-unix epoch? I can look at any tweet and see that the numerical IDs always increment.
I suspect that the Ayyyyy values are a timestamp, or some fraction of a timestamp, while the B values may be the tweet ID. I can sort every picture by the Ayyyyy value and know the relative time when the picture was posted to Twitter. (And the initial “A” may actually be part of the time encoding.)
The Bxxxxxxxx string may represent the tweet ID. In my test, they are BwjA8nCCc and BwjA9QPCQ. The tweet ID changes about half-way through the number, as does this encoded sequence.
Twitter appears to be encoding useful information into their picture filename formats. Given a Twitter picture, I can easily find the URL to the image. However, I cannot easily identify when it was posted or who posted it. The encoded information may allow filename ballistics to map a picture to a specific time or specific tweet. And if I can map it to a tweet, then I can identify who tweeted it.
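The four naming strategies compared above (random, counter, checksum, timestamp) and the “numerical base-64” idea are easy to show side by side. The following is an added example written for this post, not code from Twitter, 4chan or FotoForensics, and it does not claim to know Twitter’s actual encoding. It implements base-N conversion over an arbitrary 64-character alphabet, shows that sorting encoded names by string only reproduces time order when the alphabet is listed in ASCII order (the `SORTABLE` alphabet is my assumption; `RFC4648` is the ordinary base64 digit order), and adds a birthday-bound estimate of the collision risk the post mentions for random names. The sample timestamps and byte strings are constructed.

```python
import hashlib
import math
import os

# Two 64-character alphabets. SORTABLE lists its characters in ASCII order, so a
# fixed-width encoding sorts as strings in the same order as the numbers it encodes.
# RFC4648 is the usual base64 digit order (A-Z, a-z, 0-9, +, /), which does not.
SORTABLE = "-0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ_abcdefghijklmnopqrstuvwxyz"
RFC4648 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def to_base(n: int, alphabet: str, width: int = 0) -> str:
    """Numerical base conversion: write n with the alphabet's characters as digits,
    left-padded with the zero digit to `width` characters."""
    if n < 0:
        raise ValueError("only non-negative integers are supported")
    base = len(alphabet)
    digits = []
    while True:
        n, r = divmod(n, base)
        digits.append(alphabet[r])
        if n == 0:
            break
    return "".join(reversed(digits)).rjust(width, alphabet[0])


def from_base(s: str, alphabet: str) -> int:
    """Inverse of to_base for the same alphabet."""
    index = {c: i for i, c in enumerate(alphabet)}
    n = 0
    for c in s:
        if c not in index:
            raise ValueError(f"character {c!r} is not in the alphabet")
        n = n * len(alphabet) + index[c]
    return n


def encoding_preserves_order(values, alphabet: str, width: int) -> bool:
    """True if sorting the encoded strings gives the same order as sorting the numbers.
    This is what the 'sort by the A value to get posting order' trick relies on."""
    encoded = sorted(to_base(v, alphabet, width) for v in values)
    return [from_base(e, alphabet) for e in encoded] == sorted(values)


# --- the four strategies the post contrasts ---

def random_name(nbytes: int = 8, alphabet: str = SORTABLE) -> str:
    """Random name from os.urandom; collision risk is given by collision_probability()."""
    width = math.ceil(nbytes * 8 / 6)          # 6 bits per base-64 digit
    return to_base(int.from_bytes(os.urandom(nbytes), "big"), alphabet, width)


def counter_name(counter: int, width: int = 12) -> str:
    """Collision-free but trivially enumerable: anyone can walk the sequence."""
    return str(counter).zfill(width)


def hash_name(data: bytes) -> str:
    """Content-derived name (SHA-1 hex): unpredictable without the picture, costs a hash."""
    return hashlib.sha1(data).hexdigest()


def timestamp_name(ms: int, alphabet: str = SORTABLE, width: int = 8) -> str:
    """Epoch-millisecond timestamp encoded in base 64; 8 digits cover 2^48 milliseconds."""
    return to_base(ms, alphabet, width)


def collision_probability(n: int, namespace: int) -> float:
    """Birthday bound: probability that n independently drawn random names are not all distinct."""
    return 1.0 - math.exp(-n * (n - 1) / (2.0 * namespace))


if __name__ == "__main__":
    ts = [1409931694122, 1409931694123, 1409931700000]      # constructed sample timestamps
    print("encoded:", [timestamp_name(t) for t in ts])
    print("sortable alphabet keeps order:", encoding_preserves_order(ts, SORTABLE, 8))
    print("rfc4648 alphabet keeps order :", encoding_preserves_order([0, 26, 52], RFC4648, 1))
    print("P(collision), 1000 names, 8 digits:", collision_probability(1000, 64 ** 8))
    print("P(collision), 1e6 names, 4 digits :", collision_probability(10 ** 6, 64 ** 4))
```

`from_base` can be pointed at the “BwjA8nCCc” strings in the post with any candidate alphabet, which is a quick way to test a hypothesis about the digit order; whichever alphabet is used, a name made of a counter or an unpadded timestamp is still enumerable, which is the property defenders should care about when choosing a scheme.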
I typically don’t make my really cool findings public unless I believe that there is (1) no benefit to the bad guys, and (2) little risk of the public disclosure causing the data to be changed.
For this reason, I rarely make public anything I discover about Facebook. Every time I mention how we can pull out cool information from Facebook, they change their system or patch their holes or take steps to prevent forensic analysis. I find it ironic that Facebook doesn’t mind if they repeatedly exploit your personal information, but they don’t want anyone else to gain any insight.
In contrast to Facebook, I do not believe that Twitter will change their encoding method. And I’m hoping that someone who reads this blog entry will either recognize the encoding method or figure out how to decode it. Besides, I think Twitter is doing this more for speed than for secrecy, especially since tweets are not secret.
As more of the submissions to the Australian Federal Government’s call for input on online copyright infringement are published, it’s becoming clear that the music and movie industries have a battle on their hands.
Hollywood in particular is seeking a tightening of the law which would hold ISPs more responsible for the actions of their users, while introducing a graduated response to deal with persistent domestic file-sharers.
Still can’t agree
In 2012, movie and recording companies fought a bloody battle with tech companies over SOPA in the United States but more than two years on it’s evident that the divide over what should be done about piracy is as wide as ever.
In a submission to the Government, a group of tech companies including Google, Facebook, Microsoft, eBay, Samsung, Motorola and BT largely oppose the wish-list of the entertainment industries.
Mirroring the tendency of Hollywood to state how important its members are to the economy, the Computer & Communications Industry Association begins by stating that its members employ more than 600,000 workers who generate more than $200 billion in revenue.
Launching its key observations, CCIA says that rather than pushing for the introduction of a so-called graduated response scheme, policy makers could achieve better results by focusing on the issues that encourage people to pirate in the first place.
No graduated response: provide content in a timely manner at a fair price
The group describes “high prices” and a “lack of availability of lawful content” as key domestic and international market barriers for consuming online content. But the problems don’t end there.
“Naturally, from this follows that access to on-demand/online content across territories becomes even more cumbersome and restrictive due to territorial copyright restrictions, licensing conduct, geo-blocking, price discrimination holdback and windowing,” CCIA explains.
Noting that there is “an inverted relationship” between lawful and unlawful access to content, the tech group underlines its point with a quote from Kevin Spacey.
“Audience wants the freedom.. they want control…give consumers what they want, when they want it and in the format they want it and at reasonable price,” they write.
Don’t believe their lies
A couple of points raised by the CCIA will sting their entertainment industry adversaries more than most. Noting that there “is little or no evidence” that graduated response schemes are successful (but plenty to the contrary), the group argues that enforcement policies should be based only on facts, not on the claims of those determined to introduce them.
“It is also absolutely essential that enforcement debate and policy is not based on manufactured claims, exaggerations and deceptions that will in the long run risk resulting in a negative public sentiment concerning intellectual property,” CCIA writes.
“Empirical data on the impact of copyright infringement over the last two decades is deeply contested and in some cases to such a level that it is being ridiculed. This is a highly undesirable development for the perception of copyright and by extension intellectual property in general by the broader public.”
Copyright is a “moral hazard”
In another interesting statement the CCIA suggests that when supported by legislation, companies will fall back on that to maintain business models that are no longer viable.
“Economists have expressed concerns that copyright has a moral hazard effect on incumbent creative firms, by encouraging them to rely on enforcement of the law rather than adopt new technologies and business models to deal with new technologies,” the tech firms continue.
“Hence, enforcement should not become a tool to protect businesses from competition, changing business realities and changes in consumer exactions, hereby allowing them to continue to hold on to outdated business models.”
Summing up, CCIA director Jakob Kucharczyk says that any new scheme should employ a “holistic end-to-end approach” and be coupled with efforts by content providers to give customers the content they need at a fair price.
On the issue of ISPs, the CCIA is clear. There must be a level playing field, legal protection from liability must be enshrined in law, and rightsholders must be held responsible for their actions when making allegations of infringement.
“If all parties are willing to look at equitable, cooperative programs that include a focus on the key issues outlined above, we believe that a better, more balanced and more effective outcome is achievable than that which is likely to result from the Government’s present proposals,” Kucharczyk concludes.
How the conflicting approaches of the technology companies, ISPs and the entertainment industries can ever be reconciled will be a topic for heated debate in the coming months, not only in Australia, but across the world.
Last month we put out a blog post advertising that I would be doing a tour of America, with a rough initial route, and we welcomed requests for visits.
Over the next couple of weeks I was overwhelmed with visit requests – I plotted all the locations on a map and created a route aiming to reach as many as possible. This meant covering some distance in the South East before heading back up to follow the route west towards Utah. I prepared a set of slides based on my EuroPython talk, and evolved the deck each day according to the reception, as well as making alterations for the type of audience.
With launching the Education Fund, being in Berlin for a week for EuroPython followed by YRS week and a weekend in Plymouth, I’d barely had time to plan the logistics of the trip – much to the annoyance of our office manager Emma, who had to book me a one-way hire car with very specific pick-up and drop-off locations (trickier than you’d think), and an internal flight back from Salt Lake City. I packed a suitcase of t-shirts for me to wear (wardrobe by Pimoroni) and another suitcase full of 40 brand new Raspberry Pis (B+, naturally) to give away. As I departed for the airport, Emma and Dave stuck a huge Raspberry Pi sticker on my suitcase.
When checking in my suitcase the woman on the desk asked what the Raspberry was, and her colleague explained it to her! In the airport I signed in to the free wifi with one of my aliases, Edward Snowden. I started to think Phil McKracken or Mr. Spock might have been a better choice once I spotted a few security guards seemingly crowding around in my proximity…
Mon 4 – NYC, New York
I managed to board the flight without a federal investigation (although I may now be on the list, if I wasn’t already), and got chatting to the 60 year old Texan lady I was seated with, who hadn’t heard about Raspberry Pi until she managed to land a seat next to me for 8 hours. I had her convinced before we left the ground. I don’t know how he does it, but Richard Branson makes 8 hours on a tin can in the sky feel like heaven. Virgin Atlantic is great!
Upon landing at JFK I was subjected to two hours’ queuing (it was nice of them to welcome us with traditional British pastimes), followed by a half-hour wait to get through customs. I felt I ought to declare that I was bringing forty computers in to the country (also stating they were to be given away), and was asked to explain what they were, and to show one to the officer, who took hold of one of the copies of Carrie Anne’s book, Adventures in Raspberry Pi, to validate my explanation. Fortunately I was not required to participate in a pop quiz on Python indentation, GPIO, Turtle graphics and Minecraft, as he took my word for it and let me through. I was then given the chance to queue yet again – this time about 45 minutes for a taxi to Manhattan. I arrived at Sam’s house much later than I’d anticipated, but she was there to greet me by hanging her head out the window and shouting “MORNING BEN”. An in-joke from a time we both lived in Manchester.
We ate and met my friend-from-the-internet Aidan, and we went to a bar until what was 5am on my body clock. A sensible approach, I thought, was to just stay up and then get up at a normal time the next day. I awoke and saw the time was 6.00 – my jetlagged and exhausted mind decided it was more likely to be 6pm than 6am, but it was wrong. I arose and confirmed a meeting time and place for my first visit – just a few blocks away from Sam’s apartment in Manhattan.
Tue 5 – NYC, New York
I met Cameron and Jason who had set up a summer class teaching a computing course for locals aged 18-and-under for 2 weeks, delivered purely on Raspberry Pis! I chatted with them before the students arrived, and they told me about how they set up the non-profit organisation STEMLadder, and that they were letting the students take the Pis home at the end of the course. Today’s class was on using Python with Minecraft – using some material they found online, including a resource I helped put together with Carrie Anne for our resources section.
I gave an introduction about the Raspberry Pi Foundation and showed some example projects and then the kids did the Python exercises while working on their own “side projects” (building cool stuff while the course leaders weren’t looking)!
Thanks to Cameron and Jason for taking the opportunity to provide a free course for young people. A perfect example use for Raspberry Pi!
Wed 6 – Washington, DC
On Wednesday morning I collected my hire car (a mighty Nissan Altima) and set off for Washington, DC! I’ve only been driving for less than a year so getting in a big American car and the prospect of using the streets of Manhattan to warm up seemed rather daunting to me! I had a GPS device which alleviated some of my concern – and I headed South (yes, on the wrong side of the road).
I’d arranged to meet Jackie at 18F – a digital services agency project in the US government General Services Administration. This came about when I met Matt from Twilio at EuroPython, who’d done a similar tour (over 5 months). After a 6 hour drive including horrendous traffic around Washington (during which I spotted a sign saying “NSA – next right – exployees only“, making me chuckle), I arrived and entered 18F’s HQ (at 1800 F Street) where I had to go through security as it was an official government building. I was warned by Jackie by email that the people I’d be meeting would be wearing suits but I need not worry and wear what I pleased – so I proudly wore shorts and a green Raspberry Pi t-shirt. I met with some of the team and discussed some of their work. 18F was set up to replicate some of the recent initiatives of the UK government, such as open data, open source projects and use of GitHub for transparency. They also work on projects dealing with emergency situations, such as use of smartphones to direct people to sources of aid during a disaster, and using Raspberry Pis to provide an emergency communication system.
We then left 18F for the DC Python / Django District user group, where I gave a talk on interesting Python projects on Raspberry Pi. The talk was well received and I took some great questions from the audience. I stayed the night in Washington and decided to use the morning to walk round the monuments before leaving for North Carolina. I walked by the White House, the Washington Monument and the Lincoln Memorial and took some awkward selfies:
Thu 7 – Raleigh, North Carolina
I left DC and it took me 6 hours to get to North Carolina. I arrived at the University (NCSU) in Raleigh just in time for the event – Code in the Classroom – hosted at the Hunt library and organised by Elliot from Trinket. I set my laptop up while Elliot introduced the event and began my talk. There was a good crowd of about 60 people – from around age 7 to 70!
The talk went down well, and I received many questions about teaching styles, classroom management and the future of the hardware. One older chap, who has been running a summer coding club on the Pi shouted out: “Where were you two weeks ago when I needed you!?” when I answered one of his questions, which generated laughter from the audience. I also had a teacher approach me after the talk asking if she could take a selfie with me to show her students she’d met someone from Raspberry Pi – I happily obliged and showed her some of my awkward selfies from Washington, DC. She asked if we could take an awkward one too – needless to say, I happily obliged!
Elliot had arranged a room next door to the lecture theatre with some Pis set up for kids to play on. I gave out some Pis to the kids and it was well over an hour before the last of them were dragged home by their parents. I chatted with Elliot and the others about them setting up a regular event in Raleigh – as there was obviously huge demand for Pi amongst kids and adults in the area and beyond (I’d heard someone had driven up from Florida to attend the talk!) – and so I look forward to hearing about the Raleigh Raspberry Jam soon! A few of us went out to get pizza, and we were accompanied by one of the smartest kids I’ve ever met – and among interesting and inspiring conversation, he kept asking me seemingly innocent questions like “what do you call that thing at the back of your car?” to which I’d reply with the British word he wanted me to speak! (It’s a boot.)
Here’s a video of the talk:
I thanked Elliot and departed for Greensboro, where I’d arranged to stay with my friend Rob from my university canoe club, and his wife Kendra.
Fri 8 – Charlotte, North Carolina
In the morning I left for UNC Charlotte where I spoke to embeddable systems engineering students at EPIC (Energy Production Infrastructure Centre). There was a good crowd of about 60 students and a few members of staff. When I entered the room they were playing Matt Timmons-Brown’s YouTube videos – what a warm-up act!
Following the talk I chatted with students about their projects, answered some questions, deferred some technical questions to Gordon and Alex, and was taken out to a brilliant craft beer bar for a beer and burger with some of the staff.
In the evening Rob, Kendra and I went out to eat – we had a beer in a book shop and ate bacon (out of a jam jar) dipped in chocolate. True story. We also took some group awkward selfies:
Sat 9 – Pigeon River, Tennessee
The Saturday I’d assigned to be a day off – I hoped to go kayaking with Rob but he had to work and Kendra was busy so Rob put me in touch with some paddling friends who welcomed me to join them on a trip to the Pigeon River in Tennessee! An early start of 6am left me snoozing in the back of the car, which Matt took the chance to snap a picture of and post it to Facebook (I only found out when Rob mentioned it later that evening). We had a nice couple of runs of the river by kayak, accompanied by a rafting party. And another awkward selfie.
Sun 10 – Lawrenceville, Georgia
On Sunday morning I left Rob and Kendra’s for Georgia. One of the requests I’d had was from a man called Jerry who just wanted to meet me if I was passing by. I said it’d be great if he could set up a public meeting to be more inclusive – and he got back in touch with a meetup link for an event at Geekspace Gwinnett – a community centre and hackspace in Lawrenceville. I pulled up, shook hands with Jerry and was shown to the front of the room to connect up my laptop. There was a larger crowd than I’d imagined, seeing as Jerry had set the event up just a few days prior to this – but there were about 40 people there, who were all very interested in Raspberry Pi and after my talk we had a great discussion of everyone’s personal projects.
Liz, who runs marketing for the space, gave me a tour, and Joe, the guy setting up the AV for my presentation spotted the Adventure Time stickers on my laptop and told me he worked for Turner in Atlanta who broadcast Cartoon Network, and offered to give me a tour of the network when he went on his night shift that evening. I went to Jerry’s house where he and his wife cooked for me and he showed me Pi Plates, the extension board he’s been working on.
I then left to meet Liz and her husband, Steve, who has been working on a huge robotics project – a whole wearable suit (like armour) that’s powered by a Pi and will make sounds and be scary! I look forward to the finished product. They also have an arcade machine Steve built years ago (pre-Pi) which houses a PC and which, he claims, had basically every arcade game ever on it.
Did you know there was a Michael Jackson game for the Sega Mega Drive, where you have to perform dance moves to save the children? Neither did I.
We set off for Atlanta at about 11.30pm and I witnessed its beautiful skyline, which is well lit up at night. We arrived at Turner and met Joe, who gave us the tour – I’ve never seen so many screens in my life. They show all the broadcast material for TV and web on screens and have people sit and watch them to ensure the integrity of the material and ensure the advertising rules are adhered to. We also saw the Cartoon Network floor of the office side of the building where staff there work on the merchandise for shows like Adventure Time!
Joe also showed us the Turner Makers room – a mini hackspace for the Turner staff to work on side projects – he told me of one which used a Raspberry Pi to control steps that would light up and play a musical note as you walked across them. They’re currently working on a large games arcade BMO with a normal PC size screen as a display – I look forward to seeing it in action when it’s finished.
I then left Georgia to return to Tennessee, where I’d arranged to visit Red Bank Middle School in Chattanooga. I arrived at the school, signed in to get my visitor’s badge and met Kimberly Elbakidze - better known to her students as Dr. E – who greeted me with a large Subway sandwich. I ate in the canteen and while chatting with some of the staff I noticed the uniformed security guard patrolling the room had a gun on his belt. Apparently this is normal in American schools.
It was the first day back at the school, so the children were being oriented in their new classes. I gave two short talks, introducing the Raspberry Pi and what you can do with it – to sixth and eighth graders, and opened for some questions:
“Do you like Dr. Who?”
“Is that your real accent?”
“Are you really from England?”
“Can I get a picture with you?”
“Can I keep Babbage?”
I wrapped up, left them a copy of Carrie Anne’s book and some Pis, and went on my way. I’d intended to get online and confirm the details of my next school visit (I’d arranged the date with the teacher, but we hadn’t settled on the time or what we were doing), but access to the internet from the school was restricted to staff so I couldn’t get on. I had to set off for Alabama, and only had the school name and the town. I put the town name into my car’s GPS and set off.
Tue 12 – Talladega, Alabama
I arrived in Talladega town centre unsure how close I was to the school. I parked up and wandered down the main street in magnificent sunshine and intense heat looking for a McDonald’s or Starbucks, hoping to get on some WiFi to check where it was. With no luck, I headed back to the car and decided to just find a hotel and hope that I was at least nearby. I asked someone sitting outside a shop if they knew of the school – RL Young Elementary School – and they said it was just 15 minutes or so away, so I asked for a nearby hotel and she pointed me in the right direction. As I neared the car, the intense heat turned into a terrific storm – the 5 minute drive to the hotel was in the worst rain I’ve ever seen.
I checked in to the hotel and got on with my emails – I sent one to the teacher who’d requested me at the school to say I’d arrived in Talladega, that I was staying in the Holiday Inn, and asked what time I should come in. My hotel phone rang 5 minutes later – it was the husband of the teacher. Trey said the principal hadn’t been told about the visit yet, and the details needed to be confirmed with her before we set a time – but they would sort it out as soon as possible and let me know. He offered to take me out for a meal that night so I arranged to meet him within an hour. Just as I was leaving I got an email from someone called Andrew who said he’d just spotted I was in Talladega, and asked if I could meet him if I had time – I said if he could get to the restaurant, I’d be there for the next couple of hours.
As I arrived I met them both, and introduced them to each other. Driving through that afternoon I’d noticed the town has about 50 churches. Trey said he recognised Andrew’s surname, and Andrew said his father was the priest of one of the churches, and Trey said he knew him. Andrew was also training to become a priest like his Dad, and Trey said he’d skipped Bible school that night to come and meet me. We had a nice meal and a chat and Trey said he’d let me know in the morning what the plans for the school visit were. Andrew offered to take me out for breakfast and show me around the town. I said I’d contact him in the morning once I’d heard the timings from Trey.
Once I woke up the next morning my email told me I needed to be at the school for about 1pm, so I had time to go to breakfast with Andrew, and he showed me around the place. I also visited his home and his church and met his family. He showed me some Raspberry Pi projects he’s been working on too.
He also offered to help out at the school – RL Young Elementary – so we got my kit and he drove us over. We signed in at reception where we entered our names into a computer which printed visitor labels (seriously – a whole PC for that – and another just showing pictures of dogs! The Raspberry Pi was definitely needed in this place).
I was to follow a woman from the Red Cross, who gave a talk to the children about the importance of changing their socks every day. I thought an introduction to programming with Minecraft might blow their smelly socks right off!
The principal attempted to introduce me but had no idea who I was or why I was there, so just let me get on with it. I spoke to the young children and introduced the Raspberry Pi, focusing on a Minecraft demo at the end where I let them have a go themselves. The principal thanked me, said it was interesting and wished me a safe trip back to Australia! I left them some Pis and a copy of Adventures in Raspberry Pi.
Wed 13 – Somerville, Tennessee
I’d arranged my next visit with a very enthusiastic teacher called Terri Reeves from the Fayette Academy (a high school) in Somerville, Tennessee. In her original request she’d said she wasn’t really on my route, but would be willing to travel to meet me for some training – but I explained I’d changed my route to try to hit as many requests as I could, so I’d be happy to visit the school. She offered to let me stay at her house, and told me her husband would cook up some Southern Barbecue for me on arrival. It was quite a long drive and I arrived just after sunset – the whole family was sitting around the table ready to eat and I was welcomed to join them. I enjoyed the Southern Barbecue and was treated to some Razzleberry Pie for dessert. I played a few rounds of severely energetic ping pong with each of Terri’s incredibly athletic sons and daughters before getting to bed.
I spent most of the day at the school, where I gave my Raspberry Pi talk and demo to each of Terri’s classes. Again, it was the first week back for the school so it was just orientation for students settling in to their classes and new routines. The information went down well across the board and Terri said lots of students wanted to do Raspberry Pi in the after-school classes too.
This is what the Raspberry Pi website looks like in the school, as Vimeo is blocked
I joined some students for lunch, who quizzed me on my English vocabulary and understanding of American ways – they thought it was hilarious when I pointed out they said “Y’all” too much. I suggested they replace it with “dawg”. I do hope this lives on.
I also took a look at a project Terri had been trying to make in her free period – she’d been following some (really bad) instructions for setting up a webcam stream from a Pi. I diagnosed the problem fairly quickly – the apt-get install motion command she’d typed had failed as the site containing the .deb (hexxeh.net) was blocked on the school network (for no good reason!) – I asked if we could get it unblocked and the network administrator came over and unblocked it. She originally only wanted to unlock it for the Pi’s IP address but I explained it would mean no-one could install things or update their Pis without access to that website, so she unlocked it from the system. I tried again and there were no further problems so we proceeded to the next steps.
When I returned to Terri’s house she asked me to help her with the webcam project again – I checked she’d done all the steps and tried opening the stream from VLC Player on my laptop. I’ve never heard anyone shriek with joy so loud as when she saw the webcam picture of us on that screen! Terri was overjoyed I’d managed to help her get that far.
Thu 14 – Louisville, Kentucky
I left the next morning for Louisville (pronounced Lou-er-vul), and en route I realised I’d started to lose my voice. I arrived in the afternoon for an event at FirstBuild, a community hackspace run by General Electric. The event opened with an introduction and a few words from me, and then people just came to ask me questions and show me their projects while others were shown around the space and introduced to the equipment.
We then proceeded to the LVL1 hackerspace where I was given a tour before people arrived for my talk. By this point my voice had got quite bad, and unfortunately there was no microphone available and the room was a large echoey space. However I asked people to save questions to the end and did my best to project my voice. I answered a number of great questions and got to see some interesting projects afterwards.
Fri 15 – St. Louis, Missouri
Next – St. Louis (pronounced Saint Lewis), Missouri – the home of Chuck Berry. I had a full day planned by teacher and tinkerer Drew McAllister from St. John Vianney High School. He’d arranged for me to meet people at the Grand Center Arts Academy at noon, then go to his school to speak to a class and the after school tech club followed by a talk at a hackspace in the evening.
I was stuck in traffic, and didn’t make it to the GCAA meetup in time to meet with them, so we headed straight to the school where I gave a talk to some very smartly dressed high school students, which was broadcast to the web via Google Hangouts. Several people told me afterwards how bad my voice sounded on the Hangout. Here it is:
I had a few minutes’ rest before moving next door to the server room, where they host the after school tech club – Drew kindly filled in the introduction of the Pi to begin (to save my voice) and asked students if they knew what each of the parts of the Pi were for. I continued from there and showed examples of cool projects I thought they’d like. I gave Drew some Pis for the club and donated some Adafruit vouchers gifted by James Mitchell – as I thought they’d use them well.
Drew showed me around St. Louis and took me out for a meal (I consumed lots of hot tea for my throat) before we went to the Arch Reactor hackerspace. I gave my talk and answered a lot of questions before being given a tour of the space.
Throat sweet selfie
Sat 16 – Columbia, Missouri
In the morning I left in the direction of Denver, which was a journey long enough to have to break up over two days. With no visit requests in Kansas City, but one in Columbia, which was on my way but not very far away, I stopped there to meet with a group called MOREnet, who provide internet connection and technical support to schools and universities. Rather than have me give a talk, they just organised a sit-down chat and asked me questions about education, teacher training and interesting ways of learning with Raspberry Pi. Some of the chat was video recorded, which you can watch at more.net (please excuse my voice).
I even got to try Google Cardboard – a simple virtual reality headset made with cardboard and an Android phone. A very nice piece of kit! I stayed a couple of hours and made my way West. I’d asked around for a good place to stay that night on my way to Denver. Some people had suggested Hays in Kansas so I set that as my destination. It had taken me 2 hours to get to Columbia and would be another 6+ hours to Hays, so it was always going to be a long day, but at least I was in no rush to arrive anywhere for a talk or event.
Kansas City Selfie
I stopped briefly in Kansas City (actually in the state of Missouri, not Kansas) to find almost nobody out and almost everything closed. I think it’s more of a nightlife town. I finally arrived in Hays at 8.30pm after the boring drive through Kansas and checked in to a hotel just in time for a quick dip in the swimming pool.
Sun 17 – Denver, Colorado
I left Hays for Denver, which meant I had a good 5+ hour drive ahead – all along that same freeway, the I-70 – to arrive at denhac, the Denver Hackspace, for 4pm. I’d also arranged late the night before to visit another Denver hackspace afterwards, so I said I’d be there at 7pm. On my way into Denver I noticed a great change in weather – and saw lots of dark grey and black clouds ahead – and as I got closer I entered some rough winds and even witnessed a dust storm, where dust from the soil and crops of the fields was swept into the air. It was surreal to drive through!
I arrived just on time and was greeted by Sean, who had invited me. He introduced me to the members, all sitting around their laptop screens, and I was given a tour of the space. He was telling me how the price of the space had been rising recently due to the new demand for warehouse space such as theirs for growing cannabis, now that it is legal in Colorado. I took some pictures of cool stuff around the space, including a Pibow-encased Pi powering a 3D printer. I even got to try on Sean’s Google Glass (I think Cardboard is much better).
To Grace Hopper, you will always be grasshopper
One of the neatest Pi cases I’ve ever seen
I met a young girl, about 12 years old, who told me she recently went into an electronics shop saying she wanted to buy a Raspberry Pi for a new project, and the member of staff she spoke to had never heard of a Raspberry Pi and assumed she wanted to cook one. Anyway, I gave her one of mine – she was delighted and immediately announced it in the networked Minecraft game she was hosting. I gave my talk in their classroom (great to see a classroom in a hackspace) before heading to my next stop – TinkerMill.
TinkerMill is a large hackspace, coworking space and startup accelerator in Denver. On arrival a group of people were sitting ready for my talk, so I got set up and was introduced by Dan, who runs the space and works out of it. The hackspace version of my talk includes more technical detail and updates on our engineering efforts. This went down well with the group and after answering a few questions we broke out into chat, discussing the Pi’s possibilities and what great things have come out of the educational mission.
I found a Mini Me
I also met a woman called Megg who was standing at the back of the room. I got chatting to her and she asked me a few questions. She hadn’t attended the event but had just come to use the laser cutter for the evening, and caught the end of the talk. She kept asking me questions about the Pi, and in answering them I basically gave the talk again. She said the reason she’d not come to the talk was that she was looking to use the Arduino in some future projects because she assumed it would be easier than using a Pi, based on the fact she’d heard you could do more with a Pi, so it must be more complex. I explained the difference to her, hoping this would shed light on how the Pi might be useful to her after all, and that she would be able to choose a suitable and appropriate tool or language on the Pi, which is not an option with Arduino. She also discussed ideas for creative projects and wearables which were really interesting, and I told her all about Rachel’s project Zoe Star and put her in touch with Rachel, Charlotte and Amy. Dan took Megg and me out to dinner and we had a great time.
Mon 18 – Boulder, Colorado
Dan offered to put me up and show me around Denver the following day – I’d originally planned to get straight off to Utah the next day but it made sense to have an extra day in Denver – I’m glad I did as I really enjoyed the town and got to have a great chilled out day before driving again. We drove up one of the nearby mountains to a height of almost 10,000 feet.
I wandered around Boulder, a wonderful town full of cafes, restaurants and interesting shops. I ended up buying most of my awful souvenirs there – including a three-tiered monkey statue for Liz:
We ate at a restaurant called Fork so it seemed appropriate to get a picture for my Git/GitHub advocacy!
Colorado seemed to be the most recognisable state in all the places I visited, by which I mean it was culturally closest to Britain. My accent didn’t seem too far from theirs, either. A really nice place with great food and culture, with mountains and rivers right on hand. I could live in a place like that!
Tue 19 – Provo, Utah
I left Dan’s in the morning and headed West along the I-70 again. After a couple of bathroom breaks I got on some McDonald’s WiFi and checked my email and twitter – I’d had a tweet asking if I would be up for speaking in Provo that night. I thought “why not?” and said yes – expecting to arrive by 7pm, I suggested they make it 8pm just in case. I was actually heading to Provo already, in hope of meeting up with some family friends, Ken and Gary, who I stayed with last time I visited Utah. I hadn’t managed to get hold of them yet, but I kept ringing every now and then to see if they were around. When I finally got hold of them, they asked if they could come to see my presentation – so I told them where it was and said I’d see them there.
As I entered Utah the scenery got more and more beautiful – I pulled up a few times to get pictures. The moment I passed the ‘Welcome to Utah’ sign I realised what a huge feat I’d accomplished, and as I started to see signs to Salt Lake City – my end point – I was overjoyed. I hadn’t covered much distance across the country in my first week, as I’d gone South, along a bit, North and East a bit before finally setting off from St. Louis in the direction of the West Coast, so finally starting to see the blue dot on my map look a lot closer to California meant a lot.
I arrived in Provo about 7.30, located the venue, the Provo Web Academy, and by the time I found the right place and parked up it was 8pm. I was greeted by the event organiser, Derek, and my friends Ken and Gary! I hadn’t seen them for 13 years so it was a pleasure to meet again. I set up my presentation and gave my talk, had some great questions and inspired the group of about 20 (not bad, to say it had been organised just a few hours earlier) to make cool things with Pi and teach others to do the same. I went out to eat with Ken and Gary and caught up with them.
Wed 20 – Logan, Utah
The next day I had my talk planned for 4pm in Logan (North of Salt Lake City) so I had all morning free to spend with Ken (retired) while Gary was at work. Back story: my Mum (a primary school teacher) spent a year at a school in Utah in 1983-84 on an exchange programme. Ken was a fellow teacher at the school, and like many others, including families of the kids she taught, she kept in touch with him. As I said, we visited in 2001 while on a family holiday, and stayed with them on their farm. So Ken and I went to the school – obviously many of the staff there knew Ken as he only recently retired, and he told them all about my Mum and that I was touring America and wanted to visit the school. None of the teachers there were around in 1984, but some of the older ones remembered hearing about the English teachers who came that year. I took photos of the school and my Mum’s old classroom and sent them to her. We visited another teacher from that time who knew all about me from my Mum’s Christmas letter (yikes!) and even went to see the trailer my Mum lived in for the year!
I then left Provo for Logan, where the talk was to take place at Utah State University. I’d prepared a talk for university students, really, but discovered there was a large proportion of children there from a makers group for getting kids into tech hardware projects – but they seemed to follow along and get some inspiration from the project ideas. Down to my last two Pis, I did what I did at most events and called out for the youngest people in the room – these went to 5 and 7 year olds, and my demo Babbage (I mention Dave Akerman’s Space Babbage in all my talks) was given out to a family too.
My final talk was recorded, but they told me they were recording the other screen so I’m out of the frame in most of the video.
Happy to have completed the tour, sad for my journey to be coming to an end, but glad to be able to sit down and take a breather, I chilled out for a while before heading back to Provo for my final night in America. I thought at one point I wouldn’t make it back as I hit a storm on my way home, and could barely see the road in front of me due to the incredible rain. With the entire 4-lane freeway slowing to 40mph with high beams glaring, catching a glimpse of the white lines now and then and correcting the wheel accordingly, I made it home safely to join Ken and Gary for dinner.
Ken, me, Gary
Thu 21 – Salt Lake City, Utah
I bade farewell and left for the airport, and returned my hire car with 4272 miles on it – which was 10% of the car’s overall mileage!
I flew from Salt Lake City to New York and stupidly forgot to tell them that wasn’t my final destination, so I had to retrieve my suitcases at JFK baggage claim and check them back in for my next flight – because, you know, I like stress. Luckily, despite the internal flight running late and my not having a boarding card for my second flight (I had no access to a printer or WiFi in the 24 hours before the flight!), my luggage and I were successfully transported back to London without any problems. I was driven back to Cambridge, then up to Sheffield where I bought a suit, had my hair cut and attended the wedding of two great friends – Congratulations, Lauren and Dave.
Lauren and Dave
What did I learn?
Despite sales of Pis in America being the biggest in the world, the community is far less developed than it is in the UK and in other parts of Europe. There are hardly any Jams or user groups, but there is plenty of interest!
American teachers want (and need) Picademy – or some equivalent training for using Pis in the classroom.
There is a perception that Raspberry Pi is not big in America (due to lack of community), and an assumption that Pis are hard to buy in America. While this is still true in many hardware stores (though people should bug stores not selling Pi and accessories to start stocking stuff!), I refer people to Amazon, Adafruit and our main distributors Element14 and RS Components. You can also buy them off the shelf at Radioshack.
If you build it, they will come. Announcing that I would turn up to a hackspace on a particular day brought people from all walks of life together to talk about Raspberry Pi, in much the same way a Raspberry Jam does in the UK. I could stand in front of these people and make them realise there is a community – they’re sitting in the middle of it. All they need is a reason to meet up – a Jam, a talks night, an event, a hack day, a tech club. It’s so easy to get something started, and you don’t need to start big – just get a venue and some space, tell people to turn up with Pis and take it from there.
Huge thanks to all the event organisers, the people who put me up for the night or took me out for a meal, and everyone involved in this trip. Sorry if I didn’t make it to you this time around – but I have a map and list of the places we’ve been asked to visit – so we hope to cover more ground in future.
You can view the last iteration of my talk slides at slideshare.
As you might have spotted, if you follow us on Twitter, Eben and I spent the last week and a bit touring China, meeting the Raspberry Pi community there and giving interviews to the press, with some sterling organisational help from our friends at RS Components. (A special and huge thank you to Eric Lee, without whom we’d have been absolutely stuffed. Mostly with delicious pork confections and noodles, but stuffed nonetheless.)
Here’s what we got up to.
First up, there were a lot of press conferences to give, with help from the excellent William, our simultaneous translator; after a week of doing this, we ended up with more than 100 pieces of media being written or recorded about Raspberry Pi across China. This one, in Shanghai, is pretty typical.
We noticed that the tech press in China is incredibly well-educated; a lot of these journalists trained as engineers and then moved into publishing. (And everywhere we went, at least 50% of the technical journalists were women – something I wish we’d emulate in the west.)
We went to a Raspberry Jam in Shanghai, held at RS Components’ offices. We met some great people (Kevin Deng and the gang from 52pi.cn, a Chinese website dedicated to the Raspberry Pi, actually followed us on to the next event in Shenzhen as well), who’d built some amazing projects.
The robot on our desk is LIDAR (laser radar)-equipped, from DFrobot. We’re listening to a talk about open source from David Li, one of China’s most famous open source pioneers. Eric Lee from RS is on the right.
This laser-etcher is one of the projects the 52pi gang had brought along; you can buy lasers for this sort of project off the shelf in China, where the integrity of your eyeball is your own responsibility. I’ve got a couple of coasters with our logo on them on my desk at the moment, made using this machine.
Jackie Li gave an amazing talk about the projects he’s made at home – cameras streaming to remote screens, a simplified media centre for his grandma, robots – and this excellent LED persistence of vision device for displaying reminders in the kitchen.
We flew out next to Shenzhen, where hundreds of people turned up for a Raspberry Jam, and where we did more press conferences and more interviews. Before we left for China, I’d been worried that the community base would be smaller than we’re used to. It turned out to be almost too large for us to deal with in the time we’d had allotted in each location.
It got a bit hard to move in Shenzhen for all the people wanting a photo. We saw some great presentations (one of which, from Martin Liu, who describes himself as a living-room maker, demonstrated the work we sponsored to get the XBMC menu working in new fonts – including Chinese. It’s at the back of the photo here, behind all the people with cameras.)
We met a lot of Shenzhen makers who are also entrepreneurs; on the left here is Zoe from Seeed Studio. Eben’s holding some sensors from their Grove project, which works with Raspberry Pi.
This young gentleman had a robot to show us, controlled with Scratch (on the desk to the right), and a poster for Eben about Pi-controlled brewing. He was terribly shy, and I really wanted to give him a hug, but suspected that might have made matters worse.
We managed to get about an hour at the enormous electronics market in Shenzhen with Eric, where we had some fun looking at components and working out if we could lower the bill of materials cost in the Pi itself. Unfortunately, it’s so big you need at least a week to work your way around the place; we plan to return.
Next stop, Taipei. We started off at Noise Kitchen, where we met a group from CaveDu, a local hacker group. The robot in the middle was being prepared for the next day’s Jam at Tatung university – the display shows how many likes CaveDu’s Facebook page has.
These guys hung around for HOURS to meet us, for which we’re very grateful; our plane was delayed six hours, and we didn’t get there until nearly 11pm. I met a home-made laptop with a removable wireless keyboard (a clever way to get around the hinge problem), and made a new best friend.
First thing the next morning, we headed out to Tatung university.
We were expecting a few tens of people, having failed to learn our lesson from Shenzhen. More than 250 people turned up.
Among the crowd was my new best friend from the night before. We do not have a language in common, but we bonded over high-fives and fist-bumps.
It was HOT; about 33C in the shade. And unfortunately, the air conditioning in the building got turned off an hour or so in, so we get damper and damper as these photos progress and the temperature climbs well above 40C.
We met a self-balancing robot in a hamster ball.
We bumped into an old friend. (The beer is there for thermal reasons.)
Eben got interviewed, sweaty, by Taiwanese TV.
And this is my other new best friend, Liang Chih Chiang, who gave a presentation (which he’s very kindly translated for me so you can all read it) about our community and social media – a subject that’s very close to my heart, for obvious reasons.
We saw some amazing projects, like this gaming machine…
…this Pi-powered 3d printer…
…and this, which I was never able to get close enough to find out what it does. I think it might be a musical instrument. Or possibly a cocktail machine.
Any suggestions, anybody?
We had a wonderful, exhausting, wonderful time. Thanks so much to everybody who came to see us; and an especial thanks to Eric, Desiree, Soo Chun, Katherine and the rest of the RS gang, who looked after us so well. We hope we’ll be back in a year or so – and until then, here’s a picture of a bit of press that I can’t read, but that’s made me laugh more than anything else that’s been published about us this year.
Last week I wrote on Twitter and Facebook about a data extract from GRAO on Bulgarian children born abroad. In the coming days I will write in detail about how I obtained it and will publish an interactive map with analysis. Now, however, I want to draw attention to one aspect of the data that I find interesting.
Over the last 10 years, 96,653 children were born abroad and their parents obtained a Bulgarian birth certificate for them. These children enter the NSI statistics because GRAO sees that they have been issued EGNs (personal identification numbers). I have written before about the birth-rate statistics in Bulgaria and how almost all media get tangled up in the figures. Roughly, we can assume that about 70,000 Bulgarian children are born each year, with a slight upward trend from this year. That makes about 95 children per 10,000 Bulgarians. Excluding those born abroad, the figure is closer to 82-85.
Looking at the data received from GRAO, one quickly sees that far fewer children are registered in the USA and Canada than in other countries. Taking approximate estimates of the Bulgarian population there into account, it turns out that for every 10,000 Bulgarians, 21 and 25 children respectively are born and registered. From Germany and Spain, 74 and 79 Bulgarian children per 10,000 respectively are registered. You will notice that these figures are well below the statistics for Bulgaria, even accounting for the Ministry of Health's understated figures for births in Bulgarian hospitals. There are many reasons for this, but here we will concentrate on the threefold difference between registered births in Europe and North America.
The only logical reason for this discrepancy is the complicated administrative procedures and the lack of information. To obtain a Bulgarian birth certificate, the one issued abroad must have an apostille affixed and be translated. It must then be submitted in person at the municipality of the mother's registered address, and after two or three weeks of waiting a Bulgarian birth certificate is issued. Most Bulgarians abroad do not know that, as a rule, officials accept documents submitted by relatives and the parents do not need to be present in person. Some run into a considerably more complex procedure because they did not obtain the birth certificate before the 6th month. Before that it is easy, if you are prepared. The effect is that most Bulgarians obtain birth certificates for their children only when they return from abroad and find more time.
All of this could be made immensely easier if a service for issuing birth certificates were introduced at consular offices. This is already done for passports and ID cards. Such a service is offered by the consulates of many other countries. For this it would suffice to provide the apostilled birth certificate to the consulate, which would take care of the translation and the procedure at the respective municipality. This will, of course, cost more and take longer than doing it on site in Bulgaria. The convenience, however, would be enormous, and upon receiving the document a passport for the child could be ordered immediately. The consulates, in turn, would have one more source of revenue.
Another little-known detail is that in December 2013 Bulgaria signed the Convention on the issue of multilingual extracts. This means that civil status records (birth, death, marriage) from 23 countries do not need an apostille. This is an additional convenience for parents. However, since they are most often in English, the documents will need a translation, which can be certified at consular offices.
What the effect of such a measure would be is hard to assess, but if we assume that many parents in the States do not go through the procedure because they cannot travel to Bulgaria, then conservative estimates are for an annual increase of 70% in registered children. In this number I also include an increase in registrations in Europe and Asia. This would give about a 10% increase in the NSI birth-rate statistics and a 20% reduction in our current negative population growth. This, of course, would not be a real increase in the birth rate, but rather a change in the way of counting. However, we would better account for the real figures for Bulgarian children born worldwide.
Last year, Philip Danks, a man from the West Midlands, UK, went into a local cinema and managed to record the movie Fast and Furious 6. He later uploaded that content to the Internet.
After pleading guilty, this week Wolverhampton Crown Court sentenced him to an unprecedented 33 months in prison.
The Federation Against Copyright Theft are no doubt extremely pleased with this result. After their successful private prosecution, the Hollywood-affiliated anti-piracy group is now able to place Danks’ head on a metaphorical pike, a clear warning to other would-be cammers. But just how difficult was this operation?
There’s often a lot of mystery attached to the investigations process in a case like this. How are individuals like Danks tracked and found? Have FACT placed spies deep into file-sharing sites? Are the authorities sniffing traffic and breaking pirates’ VPN encryption?
Or are they spending half an hour with Google and getting most of it handed to them on a plate? In Danks’ case, that appears to be exactly what happened.
Something that many millions of people use online is a nickname, and Danks was no exception. His online alias in the torrenting scene was TheCod3r, and as shown below it is clearly visible in the release title.
The idea behind aliases is that they provide a way to mask a real name. Military uses aside, adopting an alternative communications identity was something popularized in the 70s with the advent of Citizens Band radio. The practice continues online today, with many people forced to adopt one to register with various services.
However, what many in the file-sharing scene forget is that while aliases on a torrent site might be useful, they become as identifying as a real name when used elsewhere in ‘regular’ life. The screenshot below shows one of Danks’ first huge mistakes.
Clicking that link on dating site Plenty of Fish (POF) reveals a whole range of information about a person who, at the very least, uses the same online nickname as Danks. There’s no conclusive proof that it’s the same person, but several pieces of information begin to build a picture.
In his POF profile, Danks reveals his city as being Willenhall, a small town situated in an area known locally as the Black Country. What FACT would’ve known soon after the movie leaked online was which cinema it had been recorded in. That turned out to be a Showcase cinema, just a few minutes up the road from Willenhall in the town of Walsall.
Also revealed on Danks’ POF profile is his full name and age. When you have that, plus a town, you can often find a person’s address on the UK’s Electoral Register.
It’s also trivial to find social networking pages. Not only do pictures on Danks’ POF profile match those on his Facebook page, he also has a revealing movie item listed in his interests section.
Of course, none of this in itself is enough to build a decent case, but when you have the police on board as FACT did, things can be sped up somewhat. On May 23, 2013 Danks was raided and then, just two days later, he did something quite astonishing.
The then 24-year-old took to his Facebook account (he has two) to mock the makers of Fast and Furious 6.
“Seven billion people and I was the first. F*** you Universal Pictures,” he wrote.
Also amazing was Danks’ apparent disregard for the predicament he was in. On May 10, 2013, Danks again took to Facebook, this time to advertise that he was selling copies of movies including Robocop and Captain America.
This continued distribution of copyrighted material particularly aggravated the Court at his sentencing hearing this week, with Danks’ behavior being described as “bold, arrogant and cocksure offending.”
While the list of events above clearly shows a catalog of errors that some might even find amusing, the habit of using the same nickname across many sites is a common one, shared by some of the biggest names in the game.
Once these and other similar indicators migrate across into real-life identities and activities (and the ever-present Facebook account of course), joining the dots is not difficult – especially for the police and outfits like FACT. And once that happens, no amount of VPN encryption or lack of logging is going to put the genie back in the bottle.
A number of journalists have responded to our recent blog post about Islamic State accounts on diaspora* with articles under headlines such as 'Diaspora cannot ban IS accounts'. This is simply untrue, and misrepresents what our last post said. This may come from a lack of understanding of the distributed nature of the network. We hope this follow-up post helps to clarify the situation.
diaspora* can and does deal with inappropriate usage. As with everything in a decentralized project, the ability and responsibility to deal with inappropriate usage are devolved, from the one central body of the centralized corporate model of Facebook or Twitter to individual podmins and individual community members.
We have always had mechanisms in place to deal with inappropriate usage of the network. Some time ago this was made a lot easier and more efficient by the introduction of the report feature. Using this, each diaspora* community member is able easily to report any post or comment they believe is inappropriate to the administrator of their pod. Once alerted, it is the responsibility of that podmin to decide how best to deal with that content. This decision will be based on their personal policy on dealing with such content, as well as the local legislation governing the hosting of such material which applies where they live and where their pod is hosted. This system has worked very well.
It's worth repeating: diaspora* does indeed have mechanisms in place to deal with inappropriate usage. Like everything else in diaspora*, these mechanisms are decentralized. That is the point our last post addressed.
As our last post made clear, by the time that post was written all of the most active IS accounts had already been closed by the podmins on whose pods those accounts had been opened. One podmin had technical difficulties in removing accounts, which caused a few hours' delay, but in each case the decision and action were swift once the podmin was alerted to the presence of those accounts.
As we said in the last post, if you find user accounts on a diaspora* pod which are a cause for concern, please be a responsible member of our community by contacting the administrator of that pod; most pods display a link to contact the podmin. If you cannot reach the podmin directly, you can send us an email and we will attempt to contact the person concerned.
Anti-piracy groups are often quick to label file-sharing sites as criminal organizations, but these outfits also have some rotten apples amongst their own.
A few months ago we reported on the President of the Lithuanian Anti-Piracy Association LANVA, who was jailed for two years for drug trafficking. The boss of Iceland’s anti-piracy group SMAIS is not doing much better, it seems, as he stands accused of fraud and embezzlement.
SMAIS is a local branch of Hollywood’s Motion Picture Association. The group recently failed to get The Pirate Bay blocked in Iceland, and has now run into the law itself.
The organization’s board filed for bankruptcy after it discovered a wide range of serious problems. The group’s financial statements were falsified, the books were not in order, and taxes haven’t been paid since 2007.
Making matters even worse, the board says that its CEO Snæbjörn Steingrímsson has admitted to embezzlement. This case is now under review by the Special Prosecutor, who has to decide whether a criminal investigation will be launched against the anti-piracy chief.
The last time SMAIS made international headlines was last year, when the group pulled its Facebook page offline after four days. According to Steingrímsson, SMAIS didn’t have enough resources to handle the constant flaming comments from the public.
What certainly didn’t help was that the launch of the Facebook page coincided with the news that SMAIS never paid for the film and game rating software they purchased from a Dutch company back in 2007. Considering the position the group is in now this is hardly a surprise.
Whether Hollywood has plans to install a new anti-piracy group in Iceland if the bankruptcy goes through is currently unknown.