Stumbled upon this slightly dated talk by Richard M. Stallman (aka. RMS) of GNU and FSF fame, in which my home country of Denmark is sadly referenced as only a “supposedly free country”.
“But censorship is wrong, of course, whether it is done on the internet or not. We used to think that the internet would protect us from censorship because it was too hard to censor the internet. But thanks to the efforts of various companies in the US, The UK, France and so on, it is now possible for governments to censor the internet and also surveil it completely, they just need to put enough effort in. And this is not limited to obvious tyrannies such as China and Iran. We see a lot of supposedly free countries imposing censorship on the internet. For instance, Denmark several years ago imposed filtering on the internet blocking a secret list of sites. The list was leaked and posted on WikiLeaks. Hooray for WikiLeaks! Whereupon Denmark blocked access to that page too. So everyone else could know what internet users in Denmark were blocked from seeing except those people.”
“But censorship is wrong, of course, whether it is done on the internet or not. We used to think that the internet would protect us from censorship because it was too hard to censor the internet. But thanks to the efforts of various companies in the US, The UK, France and so on, it is now possible for governments to censor the internet and also surveil it completely, they just need to put enough effort in. And this is not limited to obvious tyrannies such as China and Iran. We see a lot of supposedly free countries imposing censorship on the internet.
For instance, Denmark several years ago imposed filtering on the internet blocking a secret list of sites. The list was leaked and posted on WikiLeaks. Hooray for WikiLeaks! Whereupon Denmark blocked access to that page too. So everyone else could know what internet users in Denmark were blocked from seeing except those people.”
Sadly since this time it has not gotten any better. Most of the points RMS makes (the whole talk is worth a listen) are still valid and a grave concern from my perspective. The Danish internet (really DNS) blocking system has been broadened and the slippage that was feared has become a reality. Even though this issue has gotten some attention in the IT and rights communities the general public just doesn’t care.
The actual block is technically done through DNS blacklists that Danish ISP are legally required to implement. The list of blocked sites is available from the telecom trade organization “Telekommunikationsindustrien i Danmark” (English: Telecommunication’s Industry Association in Denmark) at teleindu.dk/brancheholdninger/blokeringer-pa-nettet/ and currently has 111 sites (csv) on active block.
As it being DNS based if you are impacted, workarounds do exist. However, my guess is that they will soon be able to actively shut down services physically located in Denmark.
Below are links to the full talk, and an inline/embedded player courtesey of youtube. Start time of all links are at starting point of above transcript.
EDIT 2021-07-11: prompted by an email from a reader the approach described below was refined into a script which can be used as a (sort of) drop-in replacement for mosquitto_passwd, find it on sourcehut in my hometools repository as mosquitto_passwd.php (first edition also on paste.sr.ht). Even though it generates a pre-2.0 plain hash using SHA512 this is still parsable by 2.0 and later. However, 2.0 adds support for PBKDF2 aka. RFC2898 on top of SHA512 with 20.000 iterations which is also the default generated by 2.0+ mosquitto_passwd, but the broker is still able to parse previous SHA512 hashes (notice the algorithm identifier after <username>:$, 6 for SHA512, 7 for PBKDF2-SHA512, similar to common /etc/shadow convention and extensions to implementations of POSIX crypt()).
Here is a delayed write-up of my involvement in a question posted to the liberally licensed MQTT broker (server) Mosquitto’s developer list list about how to generate authentication tokens programmatically. It kicked the curious cat in me which propelled a journey into the backyards of the C code for the mosquitto_passwd tool which normally is used for this purpose. This resulted in the proof of concept PHP implementation outlined in my answer on the list which is reproduced below.
MQTT (once Message Queue Telemetry Transport) is a lightweight publish/subscribe protocol intended for communication between low power, low bandwidth embedded devices. These days it is commonly hyped as a holy grail in the religion of IoT. The protocol was originally developed by IBM but is now a standard overseen by the OASIS standardization organization which also has the OpenDocument standard (ODF, think Open/Libre-Office) under its wings. According to Wikipedia MQTT is used behind the scenes of Facebook Messenger, OpenStack and Amazon’s IoT services.
For further practical use of the concept outlined you would need to produce a random 16 byte base64 encoded salt to feed into the hasher, that could be done using something like; $salt_base64=base64_encode(openssl_random_pseudo_bytes(12));
If your need a shrink wrapped solution to this you could try to ping me.
Hi Srinivas. On 2016-07-26 12:49, Srinivas Pokala wrote: > Username successfully created using linux command with: > "mosquitto_passwd /etc/mosquitto/passwd guest". > I need to create same with php or javascript how? Looking at the source of mosquitto_passwd (https://github.com/eclipse/mosquitto/blob/master/src/mosquitto_passwd.c) basically all it does to generate the resulting line you see in the password file is: 1) draw a random 12 byte binary salt 2) hash the combination of password and salt using sha512 3) write username, base64 encoded salt, base64 encoded hash in one line A PHP implementation would use something like this ($salt is fixed for demonstration purposes, it ought to be random in production); --- $username="Bitten"; $password="Insect"; $salt_base64="spicychilinstuff"; $salt=base64_decode($salt_base64); $hash=hash("sha512",$password.$salt, true); $hash_base64=base64_encode($hash); echo($username.":$6$".$salt_base64."$".$hash_base64."\n"); --- Comparing against mosquitto_passwd using a one-liner (uses the base64 salt from output to be able to correlate the two); --- $ mosquitto_passwd -b ~/mosq_passwd_test Bitten Insect $ cat ~/mosq_passwd_test Bitten:$6$mfJ0Eq3rIDLKG33r$gkiIlz80JA6Pq9OtGhasIsx7L2vf0APdZH77+thmNW2Zp5vE1d/dAi5TjbfO9mZpKHLh38Oem1ic072rSO328g== $ php -r '$username="Bitten"; $password="Insect"; $salt_base64="mfJ0Eq3rIDLKG33r"; $salt=base64_decode($salt_base64); $hash=hash("sha512",$password.$salt, true); $hash_base64=base64_encode($hash); echo($username.":$6$".$salt_base64."$".$hash_base64."\n");' Bitten:$6$mfJ0Eq3rIDLKG33r$gkiIlz80JA6Pq9OtGhasIsx7L2vf0APdZH77+thmNW2Zp5vE1d/dAi5TjbfO9mZpKHLh38Oem1ic072rSO328g== --- As can be seen, the PHP generated password line are identical to the mosquitto_passwd generated. I have also successfully tested authentication against the mosquitto broker with PHP generated users. One caveat is that the above can generate a salt of arbitrary length, but the broker must see a 12 byte binary salt (16 byte base64) or authentication will fail. Note however, that this hasn't been tested on more than a few username/password pairs, there might be other issues lurking. Regards, -- Mikkel
Mit svar på et spørgsmål i Facebook-gruppen Danske Arduino Entusiaster omkring Arduino ROM/Flash, PROGMEM og system-inklude-filer.
Spørgsmål
Hej er der en der ved hvor jeg kan hente dett lib. <avr/pgmspace.h> jeg skal bruge denne funktion PROGMEM så jeg kan gemme et billede i Arduino uden SD kort det kan være der er en der kender en anden måde at gøre det på.
Svar
pgmspace.h er en inklude-fil som er en del af c-biblioteket til AVR-arkitekturen (avr-libc). C-bibliotekets inklude-filer vil normalt ligge i kompilerens “system include”-sti (se GCC options -I og -isystem). Dermed kan den inkluderes blot med “#include <avr/pgmspace.h>”. Se evt. også Arduino-referencen på https://www.arduino.cc/en/Reference/PROGMEM. Bemærk at PROGMEM ikke er en funktion, men en storage modifier (lager-modifikator) som fortæller kompileren at den kan placere en en given variabel i ikke-skrivbar lager (ROM/Flash). Der skal efterfølgende anvendes specielle funktioner til at læse data fra en sådan variabel (se referencen). Arduino-frameworket har dog lavet en nem måde at placere konstant-strenge i Flash på (normalt lagres de i SRAM!), nemlig funktionen F() som kan anvendes direkte i f.eks. printf/write/print (Serial.print(F(“Waiting for connection”));) Hvis du vil inspicere indholdet af pgmspace.h, kan du finde filen i Arduino IDE’ets installations-mappe under hardware/tools/avr/avr/include/avr/pgmspace.h. Det er ikke en man kan/skal redigere manuelt i, da den er tæt koblet med den binære kode i selve biblioteket. Der findes også EEPROM-lager du sikkert vil kunne bruge til samme formål; https://www.arduino.cc/en/Reference/EEPROM
Se svaret på Facebook.
Den videre færd med F()
Da jeg ikke kunne finde en uddybende forklaring på F()-funktionen (som egentlig er en makro) i Arduino-dokumentationen (brugen nævnes meget kort i PROGMEM , Memory og Print), gravede jeg efterfølgende lidt rundt for at lære mere. I de sparsomme Arduino-eksempler er den anvendt udelukkende med konstante strenge, hvilket også viser sig at være et krav (eller i hvert fald noget der kan castes til const char *).
Makroen er defineret af Arduino-frameworket i filen hardware/arduino/avr/cores/arduino/WString.h (referencerne er ifht. min lokale installation af Arduino 1.6.9, pt. er nyeste 1.6.13) således:
#define F(string_literal) (reinterpret_cast<const __FlashStringHelper *>(PSTR(string_literal)))
Altså parametren til F() bruges som parameter til PSTR() (progmem string, er mit bud på navn) som er en makro defineret i pgmspace.h fra avr-libc.
Dens funktion er at caste parametrens type til konstant streng-pointer med PROGMEM modifier;
#define PSTR(s) ((const PROGMEM char *)(s))
Skal vi se på hvad PROGMEM rent faktisk er, så finder vi endnu et sæt makroer der ender med at blive udviddet til kompiler-attributten __progmem__, igen definieret i pgmspace.h (hardware/tools/avr/avr/include/avr/pgmspace.h):
#define PROGMEM __ATTR_PROGMEM__ #define __ATTR_PROGMEM__ __attribute__((__progmem__))
#define PROGMEM __ATTR_PROGMEM__
#define __ATTR_PROGMEM__ __attribute__((__progmem__))
__progmem__ attributten er en instruks til kompileren (GCC) og linkeren om ved programmering/flashing af programmet at placere disse data i en sektion af hukommelsen der hedder “.progmem“. Se evt. mere om dette i GCC-kompilerens dokumentation. For hver AVR-chip kompileren understøtter er der eksakte definitioner af hvilke hukommelsesadresser .progmem ligger på for netop denne chip.
Dvs. når man i sin kode skriver F(“test”) får man i virkeligheden:
(reinterpret_cast<const __FlashStringHelper *>(((const __attribute__((__progmem__)) char *)(“test”)))
Altså en konstant streng der lagres i AVR-processorens progmem-sektion, og som returværdi får en pointer til en konstant instans af en klasse kaldet “__FlashStringHelper“. Denne klasse må være lavet sådan at den anvender de korrekte mekanismer til at læse fra progmem-området (måske mere om dette i en senere artikel). Arduinos funktion-bibliotek (Serial.print() mm.) er lavet således at de direkte kan tage en parameter af denne type som erstatning for en konstant-streng (og det er netop her Arduino-frameworket viser sin værdi ved at abstrahere sådanne kompleksiteter væk fra programmøren).
Edit 2023-04-23: on present day Ring is known instead as GNU Jami. Contact me using ring:f20607f4f974714ba91c664b153496fb931020e5 on the Ring distributed communication platform: ring.cx
Having used the Arduino prototyping platform (a loose combination of specific pieces of somewhat open/free hardware and a more open/free software stack) for some time for educational and tinkering purposes in my local hackerspace (geeklabs.dk) I have seen and studied the Arduino UNO hardware and lots of its “clones/compatibles/knockoffs” and their common MCU (MicroController Unit);
Atmel ATmega328P
I had begun wondering what the P in the microcontroller model name actually meant. So here is an attempt to decode the Atmel megaAVR chip numbering system. The other existing AVR based series UC3, tinyAVR, XMEGA, Battery & Automotive, will probably employ similar naming schemes.
The remainder of the product name following “ATmega” expresses the available flash memory and the approximate pin count of the package in an integer and optionally other features as either integer or letter (like the initial wondering of P in 328P above).
Starting with the integer, it is a concatenation of two separate integers encoding the flash size and pin count as defined below. The division of the two is non-ambiguous leaving some interpretation to be done.
1st integer: onboard flash size 8 = 4 KiB 8 = 8 KiB 16 = 16 KiB 32 = 32 KiB 64 = 64 KiB 128 = 128 KiB 256 = 256 KiB
2nd integer: total pin number (none) = standard pin count (differs) 8=28/32-pin 4= 40/44/49-pin 5= 64-pin 0= 100-pin
Suffix (char or integer), multiple possible P = picoPower (max. consumption 9mA@8MHz,5v vs. 12mA@8Mhz,5v for non-P) 9=LCD controller U2 = USB controller U4 = USB controller A = ?
Exceptions Note that some of the product names are completely void of these rules. Others employ different numbering but still with a familiarity to the above.
An example: ATmega6490A: 64KB flash, 100-pin, LCD Controller
Sources
Patch for u-boot mainline master (http://git.denx.de/u-boot.git) to prevent BBB’s to get stuck in a u-boot prompt because of spurious characters being received on the serial console (see http://www.mikini.dk/index.php/category/beaglebone-black/boot-issue).
diff –git a/include/configs/ti_am335x_common.h b/include/configs/ti_am335x_common.h index 5ed86d9..c58f467 100644 — a/include/configs/ti_am335x_common.h +++ b/include/configs/ti_am335x_common.h @@ -12,6 +12,12 @@ #ifndef __CONFIG_TI_AM335X_COMMON_H__ #define __CONFIG_TI_AM335X_COMMON_H__ +#define CONFIG_AUTOBOOT_KEYED +#define CONFIG_AUTOBOOT_STOP_STR “stop” +#define CONFIG_AUTOBOOT_PROMPT “autoboot in %d seconds (type ‘%s’ to abort)\n”,bootdelay,CONFIG_AUTOBOOT_STOP_STR +#define CONFIG_BOOT_RETRY_TIME 30 +#define CONFIG_RESET_TO_RETRY + #define CONFIG_AM33XX #define CONFIG_ARCH_CPU_INIT #define CONFIG_SYS_CACHELINE_SIZE 64 @@ -102,4 +108,7 @@ /* Now bring in the rest of the common code. */ #include <configs/ti_armv7_common.h> +#undef CONFIG_BOOTDELAY +#define CONFIG_BOOTDELAY 5 + #endif /* __CONFIG_TI_AM335X_COMMON_H__ */
diff –git a/include/configs/ti_am335x_common.h b/include/configs/ti_am335x_common.h index 5ed86d9..c58f467 100644 — a/include/configs/ti_am335x_common.h +++ b/include/configs/ti_am335x_common.h @@ -12,6 +12,12 @@ #ifndef __CONFIG_TI_AM335X_COMMON_H__ #define __CONFIG_TI_AM335X_COMMON_H__
+#define CONFIG_AUTOBOOT_KEYED +#define CONFIG_AUTOBOOT_STOP_STR “stop” +#define CONFIG_AUTOBOOT_PROMPT “autoboot in %d seconds (type ‘%s’ to abort)\n”,bootdelay,CONFIG_AUTOBOOT_STOP_STR +#define CONFIG_BOOT_RETRY_TIME 30 +#define CONFIG_RESET_TO_RETRY + #define CONFIG_AM33XX #define CONFIG_ARCH_CPU_INIT #define CONFIG_SYS_CACHELINE_SIZE 64 @@ -102,4 +108,7 @@ /* Now bring in the rest of the common code. */ #include <configs/ti_armv7_common.h>
+#undef CONFIG_BOOTDELAY +#define CONFIG_BOOTDELAY 5 + #endif /* __CONFIG_TI_AM335X_COMMON_H__ */
Patch and compiled binaries at http://www.mikini.dk/wp-content/uploads/2015/01/u-boot_mainline_BBB-autoboot-patch_201501151.zip.
Install the new u-boot by copying the files “MLO” and “u-boot.img” to the root directory of your boot device (first FAT-partition on your SD-card or onboard MMC). Using the stock Debian image (http://beagleboard.org/latest-images) this can be done via USB by powering the board from your computers USB-interface, waiting for the BBB to boot and register its drive as an usb mass-storage in your OS. Now use your favorite file management application to copy the files from the above zip-file replacing the existing files.
Disclaimer: this is mostly an experiment, there is a lot of u-boot trees and patches floating around for the BBB (like https://github.com/beagleboard/u-boot), so probably mainline hasn’t got the most recent stuff for AM335x/BBB yet.
Working on a Beaglebone Black based product, running the latest Debian GNU/Linux system image (bone-debian-7.5-2014-05-14-2gb.img) from the BB HQ at beagleboard.org I just had the following strange experience.
Using Subversion I wanted to commit a change to a file made locally on the BBB. The file resided in a working copy of a repository on which I had done the initial work on my x86_64 laptop. The working copy was checked out and updated on the BBB without any problems, but comitting I got the following error:
debian@beaglebone:~/VCAS_FR$ svn ci rc.local -m"Append to vncserver.log." Authentication realm: <https://svn.xx.xx> Subversion Repository Password for 'yaya': Sending rc.local Transmitting file data .svn: Commit failed (details follow): svn: File not found: transaction '414-1', path '/trunk/BBB%20deployment/rc.local' debian@beaglebone:~/VCAS_FR$
This failed repeatedly, and checking out a fresh new working copy exhibited the same result.
For the fun of it, because file name issues are long gone in my everyday computing life, I tried to remove the space from the directory path. And voila, unexpectedly it succeeded!
debian@beaglebone:~/VCAS_FR$ svn ci rc.local -m"Append to vncserver.log." Authentication realm: <https://svn.xx.xx> Subversion Repository Password for 'yaya': Sending rc.local Transmitting file data . Committed revision 416. debian@beaglebone:~/VCAS_FR$
Without spaces, things actually did work. Apparently there’s an issue with ARM built subversion and repositories containing spaces.
URL before
debian@beaglebone:~/VCAS_FR$ svn info | grep URL URL: https://svn.xx.xx/trunk/BBB%20deployment debian@beaglebone:~/VCAS_FR$
URL after
debian@beaglebone:~/VCAS_FR$ svn info | grep URL URL: https://svn.xx.xx/trunk/BBB_deployment debian@beaglebone:~/VCAS_FR$
Investigating a bit further narrowed down that the Debian distribution uses an old (old, old) subversion 1.6.17 release from 2009:
debian@beaglebone:~/VCAS_FR$ svn --version svn, version 1.6.17 (r1128011) compiled Mar 15 2014, 21:37:31 Copyright (C) 2000-2009 CollabNet. Subversion is open source software, see http://subversion.apache.org/ This product includes software developed by CollabNet (http://www.Collab.Net/).
Probaly, this has been fixed since, a quick investigation in svn issue tracker revealed no open issues regarding this. I’ll look further into this later, and of course report it appropriately if this is an unknown issue.
But as you see, you can still experience basic issues on the latest and greatest stuff out there. Be wary!
A very annoying feature of the Ångström image that is shipped with the BeagleBone Black, is that a display connected to the HDMI output of the board will by default be blanked when powering up, and is first woken when any pointer activity occur (touch/mouse).
This seems to originate from the fbdev that is used for displaying graphics, and it took me some time to figure out how to cirumvent it. The normal X commands for controlling blanking of “xset -dpms” or “xset s off” did nothing, and neither did the terminal options of “setterm powersave off” or “setterm powerdown 0”. I went all the way back to old ANSI escape sequences trying “echo -e ‘\033[9;X]'” without success.
Luckily I fell by at Armadeus.com’s framebuffer tips, which listed the sys-fs node named /sys/class/graphics/fb0/blank that controls blanking of the low level framebuffer, thus executing (as root)
echo 0 > /sys/class/graphics/fb0/blank
disables blanking and wakes up the BBB HDMI output.
To do this at every boot (really login) you can use the Gnome Startup Applications Preferences (gnome-session-properties) to execute this at Gnome autologin, or add it to whatever startup script you see fit.
Beware that you might need to delay the execution when using the gnome-session-properties, I had to put in a sleep, but that probably depends on what other stuff is starting up from it.
Eric S. Raymond, “The Cathedral and the Bazaar” (@Goodreads)
The above quotes the first lesson from Eric S. Raymond‘s (ESR) essay/book “The Cathedral and the Bazaar“ (link to full book, summary at Wikipedia), which has become a kind of bible within the FOSS ecosystem (also nicknamed CatB). In his text Eric investigates motivations and social organisation of free and open source software projects. Itches are known initiators of many both large projects and minor changes to FOSS software. Itches, and the scratching of those by developers in the FOSS community, highlights a FOSS software user’s right to access, modify and redistribute the source codes behind FOSS software. With access to the underlying source code of FOSS software, a developer is able to scratch an itch, and is usually very motivated by this, because it often is a very personal itch.
You can listen to an audio recording of Eric elaborating about the central topics of CatB in a recording from a talk at Linux Kongress all the way back to May 22th 1997 17:15 CEST (48k MP3, 96k MP3):
I’ve long been trying to keep a list of itches I want to scratch in free software projects/products. Realizing that most of these were lost in transit in the chaotic neuron mess of my brain, my intention now is to, also, keep track of them textually using the mechanisms of this site.
This effort will be an ongoing, and probably ever expanding, mix of my private personal itches and itches related to and spun-off from my software development work done as a professional embedded developer, but still personal itches.
You can head over to the static page at mikini.dk/what/itches and take a look at my past and present itches.
EDIT 2021-08-24: add prominent quote source, add GR quote link, add CatB main page link, add para. with audio recording, minor copyediting
When dealing with policy enforcement for products that you distribute from business partners and whose sales your organization directly profits from, you’d think that you’d want to engage in some kind of communication with your peers before making drastic moves like shutting down distribution of these products. Especially when your peer is a national lottery organization partly owned by a European state, who is strictly professional about their business and which probably has a non-significant turnover facilitated by the product.
Well, if your are Google and runs the Google Play software distribution system for the Android platform, you apparently couldn’t care less. At least that is what a move today by Google implies, when banning an Android gaming app by Danske Spil, the national Danish lottery, who has a governement enforced monopoly on lottery in Denmark. This was done without any interaction with Danske Spil which of course was taken by surprise when realizing this, as reported (GTrans) by Danish tech magazine Version2.
Admittedly, as it stands now from an objective point of view, the app clearly breaks the content policy of Google Play which states that “We don’t allow content or services that facilitate online gambling”. So the real question, apart from the peculiar behaviour of Google towards this app provider for Google Play, is for Danske Spil; “How on earth did you think you could distribute an app through Google Play which so blatantly is in direct violation of the content policy?”.
Maybe the endorsement by the Danish legislation has risen to their heads, making them think their monoploy in Denmark made them so special that they could ignore Google’s standard policies? The current response from Danske Spil is that the app had been previously “approved” by Google, whatever that means because to my knowledge there is no verification procedure as such for content on Google Play (that’s a point for further investigation when time permits) .
At the moment not only the app itself, but also the provider page for Danske Spil A/S is inaccessible at Google Play, even though marketing from Danske Spil still tries to lure new users to the lotteries provided by the app, both from the web, TV and electronic billboards.
If your business model relies on outside partners (and which doesn’t?), this might be a good occasion to take the time for a second thought about what dependencies it has. And especially who is in the power to pull the carpet below it without interacting with you.
If I had a business with parts, components or services not under my in complete control, I’d prefer a partner which had a fellow human representing him, with which I could meet and look into his eyes. That way a social bond is created, which hopefully increases the probability that I will know if anything is about to happen that affects my business.
