<p>Hiro’s Home on the Light Web</p>
<h1>Running Tails on a VM via USB key</h1>
<p>2021-09-09</p>
<p><em>** Disclaimer: This isn’t the intended use of Tails **</em></p>
<p>There are many reasons why you shouldn’t do this. But if you want to experiment
with Tails in a virtual machine (for example on VirtualBox) while booting it from a USB key, then this
might help you along the way.</p>
<p>Also, this works mostly on Mac OS X.</p>
<h2 id="step-by-step">Step by step</h2>
<p>Find out what your USB device is called:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>$ diskutil list
</code></pre></div></div>
<p>Then unmount it:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>$ diskutil unmountdisk /dev/disk2
</code></pre></div></div>
<p>Because the VirtualBox process can only read and write files owned by your current
user, you have to change the ownership of the device:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>sudo chown hiro /dev/disk2
</code></pre></div></div>
<p>Prepare the VMDK on VirtualBox:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>VBoxManage internalcommands createrawvmdk -filename /Users/hiro/Documents/usbdrive.vmdk -rawdisk /dev/disk2
RAW host disk access VMDK file /Users/hiro/Documents/usbdrive.vmdk created successfully
</code></pre></div></div>
<p>Unmount it again:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>$ diskutil unmountdisk /dev/disk2
</code></pre></div></div>
<p>Now you can use your USB VMDK in VirtualBox: select it as the storage for the machine and boot from there.</p>
<p>With certain USB keys you also have to modify the Tails boot loader:</p>
<p>Start Tails and enter the boot loader menu by hitting (e) for edit.</p>
<p>Remove the boot option:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>live-media=removable
</code></pre></div></div>
<p>If you don’t want to do this at every run, you have to access the EFI Shell and
modify the GRUB options by editing the configs under <code class="language-plaintext highlighter-rouge">fs0:\efi\boot\</code>.</p>
<h1>Welcome to Jekyll!</h1>
<p>2021-08-23</p>
<p>You’ll find this post in your <code class="language-plaintext highlighter-rouge">_posts</code> directory. Go ahead and edit it and re-build the site to see your changes. You can rebuild the site in many different ways, but the most common way is to run <code class="language-plaintext highlighter-rouge">jekyll serve</code>, which launches a web server and auto-regenerates your site when a file is updated.</p>
<p>Jekyll requires blog post files to be named according to the following format:</p>
<p><code class="language-plaintext highlighter-rouge">YEAR-MONTH-DAY-title.MARKUP</code></p>
<p>Where <code class="language-plaintext highlighter-rouge">YEAR</code> is a four-digit number, <code class="language-plaintext highlighter-rouge">MONTH</code> and <code class="language-plaintext highlighter-rouge">DAY</code> are both two-digit numbers, and <code class="language-plaintext highlighter-rouge">MARKUP</code> is the file extension representing the format used in the file. After that, include the necessary front matter. Take a look at the source for this post to get an idea about how it works.</p>
<p>Jekyll also offers powerful support for code snippets:</p>
<figure class="highlight"><pre><code class="language-ruby" data-lang="ruby"><span class="k">def</span> <span class="nf">print_hi</span><span class="p">(</span><span class="nb">name</span><span class="p">)</span>
<span class="nb">puts</span> <span class="s2">"Hi, </span><span class="si">#{</span><span class="nb">name</span><span class="si">}</span><span class="s2">"</span>
<span class="k">end</span>
<span class="n">print_hi</span><span class="p">(</span><span class="s1">'Tom'</span><span class="p">)</span>
<span class="c1">#=> prints 'Hi, Tom' to STDOUT.</span></code></pre></figure>
<p>Check out the <a href="https://jekyllrb.com/docs/home">Jekyll docs</a> for more info on how to get the most out of Jekyll. File all bugs/feature requests at <a href="https://github.com/jekyll/jekyll">Jekyll’s GitHub repo</a>. If you have questions, you can ask them on <a href="https://talk.jekyllrb.com/">Jekyll Talk</a>.</p>
<h1>Network dynamics in the Spanish Right</h1>
<p>2020-05-19</p>
<h2 id="online-misinformation-groups-a-network-within-the-network">Online misinformation groups: a network within the network.</h2>
<p>Let’s analyze the accounts interacting with a specific account and see which
other accounts they interact with.</p>
<p>We would expect that, when the activity is organic, the people replying to or RT-ing a certain account
have different interests and follow different people.</p>
<p>We would expect that, if the activity is not organic, a large part of the actions
performed (like commenting or replying to posts on social media) all follow a
specific pattern.</p>
<p>At the following links and images I have collected data and visualizations for the
accounts retweeted and replied to by users RT-ing @vox_es:</p>
<p><img src="https://www.sifr.tech/static/files/twitter/vox_es-overall.png" alt="distribution_vox_es-overall" title="Twitter activity distribution for users RT-ing @vox_es" />
<img src="https://www.sifr.tech/static/files/twitter/vox_es-RT.png" alt="distribution_vox_es-RT" title="Retweets activity distribution for users RT-ing @vox_es" />
<img src="https://www.sifr.tech/static/files/twitter/vox_es-reply.png" alt="distribution_vox_es-reply" title="Reply activity distribution for users RT-ing @vox_es" /></p>
<p><a href="https://docs.google.com/spreadsheets/d/15Z85z3WQ7gZ5p-qQFFeDfFcetDWUH1D5DCCMfzMm55I/edit?usp=sharing">@vox-es overall activity and Retweets</a></p>
<p><a href="https://docs.google.com/spreadsheets/d/1ZFCyObb-Rm7kFM6Bq9tXFbGKSipkXIjRm5laP4h7ens/edit?usp=sharing">@vox-es replies</a></p>
<p>Let’s compare this with the accounts of some other parties from the opposite side of the political
spectrum, @psoe and @iunida:</p>
<p><a href="https://docs.google.com/spreadsheets/d/1bUtwPpgIjNbWf9_uDaNwK2QnVAvGTLKJZbYEFY4uyO4/edit?usp=sharing">@psoe overall activity, RTs only and replies only</a></p>
<p><a href="https://docs.google.com/spreadsheets/d/1JFBaPellTlYM5ad1O87L11jXskWtxvF5--zARWsCCLk/edit?usp=sharing">@iunida overall activity, RTs only and replies only</a></p>
<p>We can see that the behavior is completely different: the replies
from the accounts in these populations aren’t necessarily directed at accounts of the
opposition in the same volumes, which suggests more organic behavior.</p>
<p>Some more distributions for accounts in the Spanish right:</p>
<p><a href="https://docs.google.com/spreadsheets/d/1S2C_1Kkr0cGpSH9313xp79Swa_emz0e8PRsLGE104Gg/edit?usp=sharing">@okdiario</a></p>
<p><a href="https://docs.google.com/spreadsheets/d/17vGyK64R477MMK9gmLLwIqlTfYD8zWFdZSL5sBL8Y0Y/edit?usp=sharing">@inesarrimadas</a></p>
<p><a href="https://docs.google.com/spreadsheets/d/1_FgjInYXtSQnxKohZYsqAK7s7anupXjBbIWPMUBtCDs/edit?usp=sharing">@alvisepf</a></p>
<p><a href="https://docs.google.com/spreadsheets/d/1iTSTkuX5XbVyCE-zORH5dGJNUtRQZ4OgdvMQdQWq7yk/edit?usp=sharing">@hermanntertsch</a></p>
<p><a href="https://docs.google.com/spreadsheets/d/1hNsypcwuKN6IjaWtzNpTNqmFky1i6mKa6dKCOHh_JFQ/edit?usp=sharing">@carlesenric</a></p>
<p><a href="https://docs.google.com/spreadsheets/d/1q_C0EnaVp92IDgbCSAzNqlJp2Xt2QmL071QZniSjuLQ/edit?usp=sharing">@estadodalarmatv</a></p>
<p><a href="https://docs.google.com/spreadsheets/d/16V3KmZ5DEP5P6XbNLRSMMyi1WfX8p6udjDOyLsjjcgU/edit?usp=sharing">@abc_es</a></p>
<p><a href="https://docs.google.com/spreadsheets/d/1klcXbcYJWSty30660JnrKqRI0jMtyjZrFffH8BpWbY8/edit?usp=sharing">@gonnassau</a></p>
<p><a href="https://docs.google.com/spreadsheets/d/1ZEIKxWJQm79oDtIs7eoZeJOdDcNjr-EI3QS1U8xyEPY/edit?usp=sharing">@pablocasado_</a></p>
<p><a href="https://docs.google.com/spreadsheets/d/1ZWybsa_GTROtTrGdxAyk1Y7mVnz9DuYFMaSrfAX6POk/edit?usp=sharing">@jorgebuxade</a></p>
<p><a href="https://docs.google.com/spreadsheets/d/1bbXnMeD0V7E27BzItrEqOW6rLtO4U7SSN8HfRgsM0rc/edit?usp=sharing">@elmundoes</a></p>
<p><a href="https://docs.google.com/spreadsheets/d/15I8SDGlHTTxTTWST3-0cn6_RmgZXT3qvTUqv88Kklo4/edit?usp=sharing">@frayjosepho</a></p>
<p><a href="https://docs.google.com/spreadsheets/d/1afjc5BJWR1M5dxb36_5qy6gFPi3e4yN-bce6mrNVekQ/edit?usp=sharing">@elaguijon_</a></p>
<p><a href="https://docs.google.com/spreadsheets/d/1Z-A4L0Q6EUy2oCdDcVCXAHVkKvRo3FZOSAvMbI1ykoo/edit?usp=sharing">@guajesalvaje</a></p>
<p><a href="https://docs.google.com/spreadsheets/d/1cjAvrmb9RSqoNM09xaaBPbQYC1yzc0SRp0hN3ySd2EI/edit?usp=sharing">@javiernegre10</a></p>
<p><a href="https://docs.google.com/spreadsheets/d/1hcKqlpVn0W41Go7Gj3jKGK_qXrNjf4gPInYH6Q_tLX8/edit?usp=sharing">@juanfraescudero</a></p>
<p><a href="https://docs.google.com/spreadsheets/d/1tM-H2pe8bZjuFkpWEs5ybkPmzA_8aEEuJcz_LgCl_6Y/edit?usp=sharing">@idiazayuso</a></p>
<p><a href="https://docs.google.com/spreadsheets/d/19v9wjYlEt8GpnfsRlZ6yh62Fry6cUnlJ30tryo2_ZUk/edit?usp=sharing">@alfonso_ussia</a></p>
<p><a href="https://docs.google.com/spreadsheets/d/1N_l-h-2IDFYRBTMkqpEkvpBd2vgpFz4Z1UM62JvNadI/edit?usp=sharing">@tonicanto1</a></p>
<p><a href="https://docs.google.com/spreadsheets/d/1RN761oC1EIn-CS3iCZILqZrXJh-ei0onW_nqR4fxYjs/edit?usp=sharing">@willytolerdoo</a></p>
<p><a href="https://docs.google.com/spreadsheets/d/1nMpDbcd0wyvCL0_mFnrv3dZQXuqXeJyCO1wl_CREy64/edit?usp=sharing">@crpandemonium</a></p>
<p><a href="https://docs.google.com/spreadsheets/d/1h49-c6QVQc5F1M9QTT9E3gUfZPczOU-LdvMdehwxqNk/edit?usp=sharing">@cristinasegui_</a></p>
<p><a href="https://docs.google.com/spreadsheets/d/1kL6CTy7-iCDGDWeJx_VMQZLvLRNmbKEf5j15xfoslKU/edit?usp=sharing">@girautaoficial</a></p>
<p><a href="https://docs.google.com/spreadsheets/d/1nNvqnANXB6RLWy_LMdMSCJW_GANvme55e35ISjZhLRY/edit?usp=sharing">@ldpsincomplejos</a></p>
<p><a href="https://docs.google.com/spreadsheets/d/1KoyOsBhPJ7fGX5OnI3wyB0M3Q__NkTwF5MhdI2PM5Oc/edit?usp=sharing">@Macarena_Olona</a></p>
<p><a href="https://docs.google.com/spreadsheets/d/1hEQxU0EJ5lB1WRBRMBxqkGVw2Ke75zMqDnBOEgYL9QU/edit?usp=sharing">@rosadiezglez</a></p>
<p><a href="https://docs.google.com/spreadsheets/d/183J0iMCgmg0mV9YkTmydWRvdKRpX9pdDs3yjpBTpdqA/edit?usp=sharing">@JosPastr</a></p>
<p>What is particularly interesting is that the first two accounts replied to by users in
these populations are always @psoe and @peniche.
I would tend to think these accounts are set as targets, suggesting some organized
strategy to boost a certain political narrative.</p>
<h1>Online disinformation campaigns. A deep dive.</h1>
<p>2020-04-08</p>
<p>A few days ago I published a short summary of an online disinformation campaign for
the Spanish far right [1].</p>
<p>I tried to highlight the emerging patterns of how these amplification machines
operate, showing the retweet distribution for users RT-ing one of the top-talker
accounts.</p>
<p>To obtain the archive of tweets used for this study I compiled all the tweets from users that have
retweeted the account <a href="https://twitter.com/ldpsincomplejos">@ldpsincomplejos</a>.</p>
<p>Here is how I obtained the tweets for the account @ldpsincomplejos:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>import json

def get_tweets_search(key, client):
    # client: an authenticated HTTP client whose request() returns (response, body)
    tweets_endpoint = "https://api.twitter.com/1.1/search/tweets.json?q=" + key + "&count=500&include_entities=true&result_type=recent"
    response, data = client.request(tweets_endpoint)
    return json.loads(data)
</code></pre></div></div>
<p>This function will return 500 tweets, including both tweets by the account and RTs
of the account.
For each tweet I extracted the username and fetched the latest 200 tweets from that user’s timeline.</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>import json

def get_timeline(username, client):
    # include_rts=true keeps retweets in the timeline; count=200 is the number of tweets requested
    timeline_endpoint = "https://api.twitter.com/1.1/statuses/user_timeline.json?screen_name=" + username + "&include_rts=true&count=200"
    response, data = client.request(timeline_endpoint)
    return json.loads(data)
</code></pre></div></div>
<p>I then identified a few top-talkers and computed the distribution of RTs per account.</p>
<p>Here are some results:</p>
<h3 id="twitter-distribution-for-users-rt-ing-okdiario-who-are-they-rting">Twitter distribution for users RT-ing @okdiario: who are they RTing?</h3>
<p><img src="https://www.sifr.tech/assets/files/twitter/distribucion_okdiario_RTs-50.png" alt="distribution_okdiario" title="Twitter distribution for users RT-ing @okdiario" />
<a href="https://www.sifr.tech/assets/files/twitter/distribucion_okdiario_RTs.png">full image</a></p>
<h3 id="twitter-distribution-for-users-rt-ing-hermanntertsch-who-are-they-rting">Twitter distribution for users RT-ing @hermanntertsch: who are they RTing?</h3>
<p><img src="https://www.sifr.tech/assets/files/twitter/distribucion_hermanntertsch_RTs-50.png" alt="distribution_hermanntertsch" title="Twitter distribution for users RT-ing @hermanntertsch" />
<a href="https://www.sifr.tech/assets/files/twitter/distribucion_hermanntertsch_RTs.png">full image</a></p>
<h3 id="twitter-distribution-for-users-rt-ing-alvisepf-who-are-they-rting">Twitter distribution for users RT-ing @alvisepf: who are they RTing?</h3>
<p><img src="https://www.sifr.tech/assets/files/twitter/distribucion_alvisepf_RTs-50.png" alt="distribution_alvisepf" title="Twitter distribution for users RT-ing @alvisepf" />
<a href="https://www.sifr.tech/assets/files/twitter/distribucion_alvisepf_RTs.png">full image</a></p>
<p>Here is the thing. If you look at the distribution of comments instead you get a
different result.</p>
<h3 id="twitter-distribution-for-users-commenting-ing-okdiario-who-are-they-commenting">Twitter distribution for users commenting on @okdiario: who are they commenting on?</h3>
<p><img src="https://www.sifr.tech/assets/files/twitter/distribucion_comment_okdiario-50.png" alt="distribution_okdiario" title="Twitter distribution for users RT-ing @okdiario" />
<a href="https://www.sifr.tech/assets/files/twitter/distribucion_comments_okdiario.png">full image</a></p>
<h3 id="twitter-distribution-for-users-commenting-ing-hermanntertsch-who-are-they-commenting">Twitter distribution for users commenting on @hermanntertsch: who are they commenting on?</h3>
<p><img src="https://www.sifr.tech/assets/files/twitter/distribucion_comment_hermanntertsch-50.png" alt="distribution_hermanntertsch" title="Twitter distribution for users RT-ing @hermanntertsch" />
<a href="https://www.sifr.tech/assets/files/twitter/distribucion_comments_hermanntertsch.png">full image</a></p>
<h3 id="twitter-distribution-for-users-commenting-ing-alvisepf-who-are-they-commenting">Twitter distribution for users commenting on @alvisepf: who are they commenting on?</h3>
<p><img src="https://www.sifr.tech/assets/files/twitter/distribucion_comment_alvisepf-50.png" alt="distribution_alvisepf" title="Twitter distribution for users RT-ing @alvisepf" />
<a href="https://www.sifr.tech/assets/files/twitter/distribucion_comments_alvisepfs.png">full image</a></p>
<p>This means in practice that there is a list of accounts RT-ing sources on the right
and commenting on accounts from the left. The amplification machines’ objective is
in fact to spread division and hate.</p>
<p>Finally here is a visualization of the graph of accounts RT-ing OkDiario:</p>
<p><img src="https://www.sifr.tech/assets/files/twitter/plot-50.jpg" alt="plot_graph_okdiario" title="Graph of accounts RTing Ok Diario" />
<a href="https://www.sifr.tech/assets/files/twitter/plot.jpg">full image</a></p>
<p>If we isolate the accounts doing more than 100 RT, we find a group of approximately
20 accounts doing most of the tweets.</p>
<p><img src="https://www.sifr.tech/assets/files/twitter/top_plot-50.jpg" alt="plot_graph_okdiario" title="Graph of top accounts RTing Ok Diario" />
<a href="https://www.sifr.tech/assets/files/twitter/top_plot.jpg">full image</a></p>
<p>This is probably a team of accounts acting to promote the tweets from OkDiario and
from a group of other accounts.</p>
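<p>The counting behind the RT and comment distributions above, and the isolation of the heaviest retweeters, can be reproduced as follows. This is an added example, not the script used for the study: it assumes timelines shaped like Twitter API v1.1 tweet objects (the <code>retweeted_status</code> and <code>in_reply_to_screen_name</code> fields), and every account name in the sample is constructed.</p>

```python
from collections import Counter


def classify(tweet):
    """Map a Twitter API v1.1 tweet object to (kind, target_screen_name)."""
    retweeted = tweet.get("retweeted_status")
    if retweeted:
        return "rt", retweeted["user"]["screen_name"].lower()
    reply_to = tweet.get("in_reply_to_screen_name")
    if reply_to:
        return "reply", reply_to.lower()
    return "original", None


def target_distributions(timelines):
    """Count RT and reply targets over {username: [tweet, ...]} timelines.

    Returns (rt_targets, reply_targets, rts_per_user) as Counters.
    """
    rt_targets, reply_targets, rts_per_user = Counter(), Counter(), Counter()
    for username, tweets in timelines.items():
        for tweet in tweets:
            kind, target = classify(tweet)
            if target is None or target == username.lower():
                continue  # original tweets and self-threads have no external target
            if kind == "rt":
                rt_targets[target] += 1
                rts_per_user[username] += 1
            else:
                reply_targets[target] += 1
    return rt_targets, reply_targets, rts_per_user


def top_share(counter, k):
    """Fraction of all actions that go to the k most frequent targets."""
    total = sum(counter.values())
    if total == 0:
        return 0.0
    return sum(n for _, n in counter.most_common(k)) / total


def shared_targets(rt_targets, reply_targets, k):
    """Targets present in both the top-k RT list and the top-k reply list."""
    top_rt = {name for name, _ in rt_targets.most_common(k)}
    top_reply = {name for name, _ in reply_targets.most_common(k)}
    return top_rt & top_reply


def heavy_retweeters(rts_per_user, threshold):
    """Accounts with more than `threshold` RTs in the sampled timelines."""
    return sorted(user for user, n in rts_per_user.items() if n > threshold)


def make_rt(screen_name):
    """Constructed minimal retweet object."""
    return {"retweeted_status": {"user": {"screen_name": screen_name}}}


def make_reply(screen_name):
    """Constructed minimal reply object."""
    return {"in_reply_to_screen_name": screen_name}


# Constructed sample: two amplifier-like accounts and one ordinary account.
SAMPLE_TIMELINES = {
    "amp_1": [make_rt("source_a")] * 5 + [make_rt("source_b")] * 2
             + [make_reply("party_x")] * 3,
    "amp_2": [make_rt("source_a")] * 4 + [make_reply("party_x")] * 2
             + [make_reply("party_y")],
    "organic_1": [make_rt("source_c"), make_reply("friend_1"), {"text": "hello"}],
}

if __name__ == "__main__":
    rts, replies, per_user = target_distributions(SAMPLE_TIMELINES)
    print("RT targets:", rts.most_common())
    print("reply targets:", replies.most_common())
    print("share of RTs going to the top source:", top_share(rts, 1))
    print("targets both retweeted and replied to:", shared_targets(rts, replies, 2))
    print("accounts with more than 3 RTs:", heavy_retweeters(per_user, 3))
```

<p>A high <code>top_share</code> for RTs together with an empty <code>shared_targets</code> set is the pattern described above: retweets concentrated on a few sources, replies directed at a disjoint set of accounts.</p>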
<h2 id="would-you-like-to-have-access-to-this-data">Would you like to have access to this data?</h2>
<p>I have a <a href="https://metabase.com">metabase</a> <a href="https://project-mononoke.herokuapp.com/">instance</a>
set up on <a href="https://heroku.com">heroku</a>.</p>
<p>You can have a look at the <a href="http://project-mononoke.herokuapp.com/public/dashboard/7e31a8e1-345b-4742-9774-82b86892135f">data</a>
used in this study.</p>
<p>If you get in touch I can give you access.</p>
<p>REFERENCES</p>
<p>[1] https://www.hiro7.eu/blog/2020-04-05-online-disinformation</p>
<h1>Online disinformation campaigns. How do these work. What can we do.</h1>
<p>2020-04-05</p>
<p>Every social media user has possibly noticed how content is often driven by very
strong emotions. Posts range from extremely cute kittens to dramatic stories, but
above all other emotions, online content seems to be especially fueled by anger [1] [2].</p>
<p>This might be especially true for politically driven content [3], but how did people
go from coming together to comment on Eurovision [4] to insulting each other during
political campaigns?</p>
<p>To understand how we got here, we cannot ignore everything that happened with Facebook
and Cambridge Analytica [5]. Between 2013 and 2018 the company combined the aggregation
of Facebook data (later proved illegal), data mining and analysis with communication
campaigns during electoral processes around the world, with the goal of influencing
their outcome in favour of its clients [6].</p>
<h2 id="what-how-does-misinformation-really-look-like">What does misinformation really look like?</h2>
<p>If we take a look at any controversial or political topic on Twitter, we get
a glimpse of how companies like Cambridge Analytica operate.</p>
<p>At their core, misinformation campaigns are built to spread a certain political agenda
using specific language and amplifying only certain sources.</p>
<p>In the last week I have been analysing topics spanning from the #covid-19 crisis to
Spanish political propaganda. Here is what I found.</p>
<p>A few accounts and news sources spread the main messages, then a network of automated
accounts makes sure to retweet, highlight and reply to these messages.</p>
<h2 id="a-few-examples">A few examples</h2>
<p>We have been observing a number of accounts following a similar pattern. Here
is an example:</p>
<p>User: <a href="https://twitter.com/Alvisepf">@alvisepf</a></p>
<p>We have chosen this user because it is one of the “top talkers” among the Spanish
far-right accounts.</p>
<p>For this user we extracted a subset of users that are retweeting their posts.
For this subset of users we extracted a subset of their timelines.</p>
<p>This is the <a href="https://www.sifr.tech/assets/files/twitter/query_result_2020-04-01T09_42_42.689784Z.csv">archive</a>.</p>
<p>We were interested in finding out which other accounts these users were tweeting about.
We found out that most of the tweets are actually retweets of accounts in the Spanish
far-right political spectrum.
In other words, these accounts are part of an amplification machine for the same
group of top talkers of the Spanish far right.</p>
<p>Hence we counted the number of retweets per account, with the idea of extracting
a distribution.</p>
<p>Again here is the <a href="https://www.sifr.tech/assets/files/twitter/query_result_2020-04-01T11_23_09.761662Z.csv">result</a>.</p>
<p>And here is a distribution per account:</p>
<p><img src="https://www.sifr.tech/assets/files/twitter/screenshot-50.png" alt="distribution" title="Twitter distribution per accounts" />
<a href="https://www.sifr.tech/assets/files/twitter/Screenshot_2020-04-01%20Distribution%20of%20RT%20to%20accounts%20%C2%B7%20Metabase.png">full image</a></p>
<h2 id="how-does-a-typical-amplification-account-look-like">What does a typical amplification account look like</h2>
<p>This <a href="https://www.sifr.tech/assets/files/twitter/query_result_2020-03-31T09_44_57.589694Z.csv">archive</a>
contains approximately 400 tweets from a single user, who coincidentally never sleeps ;).</p>
<h2 id="what-news-sources-are-linked">What news sources are linked</h2>
<p>Here is a list of identified news sources:</p>
<ul>
<li>Ok Diario</li>
<li>Periodista Digital</li>
<li>La Gacet</li>
<li>Caso Aislado</li>
<li>El Municipio</li>
<li>Mediterraneo Digital</li>
<li>Outono</li>
<li>Libertad Digital</li>
<li>Libremercado</li>
<li>Alerta Digital</li>
<li>La Tribuna de Cartagena</li>
<li>Es Diario</li>
<li>Heraldo de la Mancha</li>
<li>El Diestro</li>
<li>https://youtube.com/channel/UCisIqN_XqjXz92eJMnjvEmA</li>
</ul>
<p>We noticed that all these accounts always retweet the same news sources.
So <a href="https://www.sifr.tech/assets/files/twitter/query_result_2020-04-05T17_07_24.229283Z.csv">here</a>
we compiled a list of tweets linking to these recurrent news sources from accounts that
retweeted @alvisepf.</p>
<p>Finally here is a complete archive of a set of tweets linking articles from these
news sources: <a href="https://www.sifr.tech/assets/files/twitter/users_tweeting_right_news_2020-04-05T16_51_11.893225Z.csv">archive</a>.</p>
<h2 id="what-can-be-done">What can be done</h2>
<p>The patterns observed are pretty simple and repeated across countries and issues.
Accounts like these are exposed every other day by researchers, but also by the
social network operators [7].</p>
<p>Why are operators not taking a stand against automated accounts? The patterns are not
sophisticated or difficult to spot, and distinctive network and traffic metadata could
be easily identified. More importantly, these accounts far exceed the average
frequency of tweets per hour of a normal user. A simple Proof of Work (PoW) [8] mechanism
could well increase the cost of automating a large number of highlights and retweets.</p>
<p>A PoW is a mathematical mechanism that asks a client to perform a certain
operation whose computational difficulty increases as the client makes more requests
to a certain service. PoWs deter denial-of-service attacks and other service abuses,
such as spam on a network.</p>
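<p>A sketch of such a mechanism, added here as an example and not taken from any platform’s implementation: a hashcash-style puzzle over SHA-256 whose difficulty rises with the number of requests a client made in a recent window. The class name, the parameters (<code>base_bits</code>, <code>step</code>, <code>window</code>, <code>max_bits</code>) and the hash construction are assumptions of this example.</p>

```python
import hashlib
import os
from collections import defaultdict, deque


def leading_zero_bits(digest):
    """Number of leading zero bits in a byte string."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def pow_hash(challenge, nonce):
    return hashlib.sha256(challenge + nonce.to_bytes(8, "big")).digest()


def solve(challenge, bits):
    """Client side: brute-force a nonce; expected cost is 2**bits hashes."""
    nonce = 0
    while leading_zero_bits(pow_hash(challenge, nonce)) < bits:
        nonce += 1
    return nonce


class AdaptivePoW:
    """Server side: difficulty grows with a client's recent request count."""

    def __init__(self, base_bits=4, step=3, window=3600, max_bits=16):
        self.base_bits = base_bits  # cost charged to an occasional user
        self.step = step            # one extra bit per `step` requests in the window
        self.window = window        # seconds of history that count
        self.max_bits = max_bits    # cap so the puzzle stays solvable
        self.history = defaultdict(deque)  # client_id -> accepted timestamps
        self.pending = {}                  # challenge -> (client_id, bits)

    def difficulty(self, client_id, now):
        seen = self.history[client_id]
        while seen and now - seen[0] >= self.window:
            seen.popleft()  # forget requests that fell out of the window
        return min(self.max_bits, self.base_bits + len(seen) // self.step)

    def issue(self, client_id, now):
        """Hand out a fresh random challenge bound to this client."""
        challenge = os.urandom(16)
        bits = self.difficulty(client_id, now)
        self.pending[challenge] = (client_id, bits)
        return challenge, bits

    def submit(self, client_id, challenge, nonce, now):
        """Verify with a single hash; each challenge is accepted at most once."""
        owner, bits = self.pending.pop(challenge, (None, None))
        if owner != client_id:
            return False  # unknown, replayed or someone else's challenge
        if not isinstance(nonce, int) or not 0 <= nonce < 2 ** 64:
            return False
        if leading_zero_bits(pow_hash(challenge, nonce)) < bits:
            return False
        self.history[client_id].append(now)
        return True


def simulate(requests, client_id="bot"):
    """Constructed run: one client acting once per second.

    Returns the difficulty in bits charged for each accepted action.
    """
    server = AdaptivePoW()
    charged = []
    for t in range(requests):
        challenge, bits = server.issue(client_id, now=t)
        if not server.submit(client_id, challenge, solve(challenge, bits), now=t):
            raise RuntimeError("valid solution rejected")
        charged.append(bits)
    return charged


if __name__ == "__main__":
    print(simulate(10))
```

<p>Each extra bit doubles the expected work for the client while verification stays at one hash, so an account posting at an automated rate pays exponentially more than one posting occasionally.</p>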
<h2 id="what-can-you-do">What can you do</h2>
<p>You can run your own research. I use a mix of my own scripts calling the Twitter APIs and
I also use <a href="https://github.com/twintproject">twint</a>. For visualizations I use
<a href="https://metabase.com">metabase</a>.</p>
<p>If you are a researcher or a journalist please get in touch. I’d be happy to
collaborate with you monitoring different political scenarios around the world.
I’d also be happy to share access to my DB and give you full access to the data.</p>
<p>REFERENCES:</p>
<p>[1] https://www.wired.com/story/this-big-beef-exposes-the-ugly-underbelly-of-vegan-vlogging/</p>
<p>[2] https://www.theguardian.com/science/2018/may/16/living-in-an-age-of-anger-50-year-rage-cycle</p>
<p>[3] https://time.com/4838673/anger-and-partisanship-as-a-virus/</p>
<p>[4] https://blog.twitter.com/en_gb/topics/marketing/2017/eurovision-2017.html</p>
<p>[5] https://www.theguardian.com/technology/2019/mar/17/the-cambridge-analytica-scandal-changed-the-world-but-it-didnt-change-facebook</p>
<p>[6] https://en.wikipedia.org/wiki/Cambridge_Analytica</p>
<p>[7] https://cyber.fsi.stanford.edu/io/news/april-2020-twitter-takedown</p>
<p>[8] https://en.wikipedia.org/wiki/Proof_of_work</p>
<h1>Why worry about privacy during a pandemic</h1>
<p>2020-04-03</p>
<h2 id="applicazioni-per-il-contract-tracing-durante-lemergenza-covid-19-perche-bisogna-preoccuparsi-della-privacy">Contact tracing applications during the covid-19 emergency. Why we need to worry about privacy.</h2>
<p>Why worry about privacy during a pandemic?</p>
<p>We discussed it in this webinar: <a href="https://alexandrageese.eu/de/le-contact-tracing-app-rispettano-la-nostra-privacy/">Le contact tracing app rispettano la nostra privacy?</a> (Do contact tracing apps respect our privacy?) [1]</p>
<p>In these notes I try to add a bit of context to my talk.</p>
<h2 id="come-funziona-una-app-di-contact-tracing">How does a contact tracing app work?</h2>
<p>A contact tracing app is a prevention tool that, if used together with
the other methods we have for dealing with the covid pandemic, namely
mass testing and protective measures (hygiene, masks, social distancing),
can help break the chain of infections.</p>
<p>As far as we know so far, the European apps will be developed following the
guidelines of decentralized protocols, such as <a href="https://github.com/DP-3T/">DP-3T</a> [2].</p>
<p>The app works (although it is perhaps better to say it will work) more or less like this:</p>
<ul>
<li>
<p>A citizen is diagnosed as covid-19 positive by their family doctor,
by the local health authority (ASL), or in hospital.</p>
</li>
<li>
<p>The healthcare staff and the citizen set the positive status in the app, which
communicates this information to a central server. The identity of the citizen and
of their contacts is not revealed, only anonymous identifiers.</p>
</li>
<li>
<p>These identifiers are sent to all the apps; technically, we say that
they are broadcast.</p>
</li>
<li>
<p>Each app checks whether it has been in contact with the positive
individual, by verifying whether the identifiers it receives are among those
of the people the phone has been in contact with.</p>
</li>
</ul>
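<p>The flow in the list above, as an added example that is not code from the DP-3T project. It is modelled on DP-3T’s low-cost design, in which a diagnosed user publishes a compact day key and every phone re-derives and matches the identifiers locally; the derivation here uses HMAC-SHA256 as a stand-in, and the class, the epoch count and all keys and names are assumptions of this sketch.</p>

```python
import hashlib
import hmac

EPOCHS_PER_DAY = 96  # assumption: a new identifier every 15 minutes


def next_day_key(day_key):
    """Ratchet the secret day key forward; earlier keys cannot be recovered."""
    return hashlib.sha256(day_key).digest()


def ephemeral_ids(day_key, epochs=EPOCHS_PER_DAY):
    """Derive one day's 16-byte broadcast identifiers from the secret day key."""
    seed = hmac.new(day_key, b"broadcast key", hashlib.sha256).digest()
    return [
        hmac.new(seed, epoch.to_bytes(4, "big"), hashlib.sha256).digest()[:16]
        for epoch in range(epochs)
    ]


class Phone:
    def __init__(self, initial_key):
        self.day_keys = [initial_key]  # secret; leaves the phone only after a diagnosis
        self.heard = set()             # identifiers seen over Bluetooth, kept locally

    def new_day(self):
        self.day_keys.append(next_day_key(self.day_keys[-1]))

    def broadcast(self, epoch):
        """Identifier advertised to nearby phones during this epoch of today."""
        return ephemeral_ids(self.day_keys[-1])[epoch]

    def hear(self, eph_id):
        self.heard.add(eph_id)

    def report_positive(self, first_contagious_day):
        """Upload after diagnosis: one key, no identity and no contact list."""
        return self.day_keys[first_contagious_day]

    def exposure_count(self, published_key, days):
        """Local check: re-derive the published identifiers and match them."""
        hits, key = 0, published_key
        for _ in range(days):
            hits += len(self.heard.intersection(ephemeral_ids(key)))
            key = next_day_key(key)
        return hits


def demo():
    """Constructed scenario with four phones over two days."""
    alice, bob = Phone(b"A" * 32), Phone(b"B" * 32)
    carol, dave = Phone(b"C" * 32), Phone(b"D" * 32)
    phones = (alice, bob, carol, dave)

    # Day 0: alice and bob are close to each other during epochs 10 and 11.
    for epoch in (10, 11):
        bob.hear(alice.broadcast(epoch))
        alice.hear(bob.broadcast(epoch))
    for phone in phones:
        phone.new_day()

    # Day 1: carol passes alice once; bob passes carol once.
    carol.hear(alice.broadcast(40))
    bob.hear(carol.broadcast(5))

    # Alice is diagnosed; the server broadcasts her key to every phone.
    from_day_0 = alice.report_positive(0)
    from_day_1 = alice.report_positive(1)
    return {
        "bob": bob.exposure_count(from_day_0, days=2),
        "carol": carol.exposure_count(from_day_0, days=2),
        "dave": dave.exposure_count(from_day_0, days=2),
        "bob_if_only_day_1_published": bob.exposure_count(from_day_1, days=1),
    }


if __name__ == "__main__":
    print(demo())
```

<p>The server only ever sees the published key; the matching, and therefore the contact list, stays on each phone.</p>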
<p>The fundamental functions of a contact tracing app can be summarized
in the following two:</p>
<ul>
<li>
<p>Revealing social interactions in the event of contact with a positive individual</p>
</li>
<li>
<p>Being able to compute a risk factor for users</p>
</li>
</ul>
<p>The functions that worry those who work on privacy, on the other hand, are the following:</p>
<ul>
<li>
<p>The social graph of individuals can be reconstructed by observing the data
exchanged by the application</p>
</li>
<li>
<p>An individual’s positive status can be revealed.</p>
</li>
<li>
<p>The movements and geographic coordinates of the application’s users can
be computed or derived from the data exchanged by the application.</p>
</li>
</ul>
<h2 id="che-rischi-presuppone-creare-e-utilizzare-una-app-di-contact-tracing">What risks does creating and using a contact tracing app entail?</h2>
<h3 id="protezione-dei-dati">Data protection</h3>
<p>For a contact tracing app not to be a risk for the population, it is important
that certain criteria for protecting the collected data are respected, including:</p>
<h4 id="minimizzazione-dei-dati">Data minimization</h4>
<p>No entity must be able to observe or derive the social graph
of the app’s users. Not even in anonymized form.</p>
<p>This aspect is very important because the social graph of a population, or
simply of a small group of people, can make public information
that is otherwise confidential.</p>
<h4 id="le-informazioni-ricevuti-dagli-utenti-e-raccolte-dal-sistema-devono-essere">The information received from users and collected by the system must be only what is essential</h4>
<p>The information collected about users who decide to install the app must
be only what is necessary to reduce the risk of the epidemic spreading.</p>
<h4 id="gli-individui-negativi-devono-essere-protetti">Negative individuals must be protected</h4>
<p>The system cannot be used as a tool for surveillance of the
population. No information about negative users must be collected by the
system.</p>
<h4 id="i-dati-devono-essere-distrutti">Data must be destroyed</h4>
<p>The system must be able to forget the collected data at the end of the epidemic.
If there are no more infected patients transmitting data about their positive status,
and if people in general stop using the application, the data must
be destroyed.</p>
<h3 id="sicurezza">Security</h3>
<p>For a contact tracing app to be useful against epidemiological risk, it is estimated
that it must be used by about 50%-70% of the population.</p>
<p>To get an idea of this fundamental figure, consider that 60% of people
who have a mobile phone have installed WhatsApp.</p>
<p>Moreover, an app that is used by such a large number of people, and that
potentially contains sensitive and confidential data about its users, necessarily
becomes a target. There is a market for vulnerabilities in computer systems,
accessed by government agencies and others, for whom this data can be
valuable.</p>
<h4 id="rischi">Risks</h4>
<h5 id="un-avversario-modifica-la-app-per-raccogliere-ulteriori-informazioni-sugli-utenti">An adversary modifies the app to collect additional information about users</h5>
<p>In this scenario a possible adversary can collect the anonymous identifiers
generated by the phones they have been in contact with in order to identify
individuals.</p>
<h5 id="un-avversario-implementa-unantenna-per-intercettare-le-connessioni-bluetooth-dei-cellulari-in-una-zona-circoscritta">An adversary sets up an antenna to intercept the Bluetooth connections of phones in a limited area.</h5>
<p>This scenario is similar to the previous one. In this case, however, the adversary uses
systems to intercept the Bluetooth signals of the phones in their
vicinity and identify the users of the app.</p>
<h5 id="un-avversario-riesce-ad-impersonificare-le-notifiche-della-app-e-comunicare-degli-status-di-esposizione-falsi-agli-utenti">An adversary manages to impersonate the app’s notifications and communicate false exposure statuses to users</h5>
<p>This scenario is similar to phishing campaigns against bank accounts. An adversary creates
a message similar to the notification the app sends and tells a large number
of users that they have been in contact with a positive person.</p>
<p>The effect of this attack is to generate panic or to reduce the population’s
trust in the app (discouraging its use).</p>
<h4 id="perche-e-importante-parlare-di-privacy">Why it is important to talk about privacy</h4>
<p>Identifying an individual who tested positive can put that person’s physical
safety at risk.</p>
<p>Some people may react aggressively to the news that they have been in
contact with an infected person.</p>
<p>Identifying the social graph of groups of people yields highly confidential
information that can be used for various purposes.</p>
<p>Can you imagine being able to access information on how, when and how often
certain members of political groups meet?</p>
<p>Can you imagine being able to know that the boards of certain companies
are holding meetings with a certain frequency?</p>
<p>It is also important to stress that technology is not neutral: it carries the
political influences of the moment in which it is created. The technological
architectures we define in this extraordinary moment will in part determine our
future rights.</p>
<p>REFERENCES</p>
<p>[1] Le contact tracing app rispettano la nostra privacy? https://alexandrageese.eu/de/le-contact-tracing-app-rispettano-la-nostra-privacy/</p>
<p>[2] Decentralized Privacy-Preserving Proximity Tracing https://github.com/DP-3T/</p>Contact tracing applications during the covid-19 emergency. Why we need to worry about privacy.Decentralization meets anonymity.2020-03-25T11:00:00+00:002020-03-25T11:00:00+00:00/writings/tor/2020/03/25/decentralization-meets-anonymity<h2 id="how-can-the-onion-service-protocol-be-used-to-develop-p2p-privacy-friendly-app">How can the .onion service protocol be used to develop p2p privacy-friendly apps</h2>
<p>The architecture of the web is based on the client/server paradigm where the Hypertext Transfer Protocol (HTTP) occupies a predominant role [1]. HTTP was designed to transfer resource representations, to abstract over lower-layered transport protocols, such as TCP or UDP, and to act as the primary application-level protocol.</p>
<p>Representational State Transfer (REST) architectures are a generalization of the Web based on the HTTP protocol. In this sense the World Wide Web represents an Internet-scale implementation of the RESTful architectural style.</p>
<p>RESTful architectures identify three main foundation blocks:</p>
<ul>
<li>The identification mechanism, or a Uniform Resource Identifier (URI)</li>
<li>The communication process between agents</li>
<li>The representation of data being exchanged</li>
</ul>
<p>We used to think of the web as hypertext documents linked to one another, but nowadays web documents are more like data objects linked to other objects, or in other words: hyperdata. The constraints imposed by the RESTful architectural style make the Web’s architecture particularly malleable. The components making up the web are continually changing and providing new capabilities, adding new resources in the form of novel websites and web services, supporting new representations for resources, etc. [2].</p>
<p>The web architecture is hence inherently decentralized, but the data shared on the Internet and the services used to store this data are completely centralized [3]. This means that access to that data is controlled by the service owner, which is often different from the entity that produced the data. This approach might be considered extremely pragmatic and in most cases also cheaper and easier to manage than in-house data storage services.
This process of centralizing data in a handful of locations has been described as dataveillance [4], or a form of surveillance using the massive collection and storage of vast quantities of personal data. While users lose control over their data, they also lose control over their privacy.</p>
<p>Personal data store approaches have been proposed to overcome these issues [5] and allow users to regain control over who can access their data. But decentralized access to data is only one part of the problems associated with web privacy.</p>
<p>Tor is an important tool providing privacy and anonymity online. The Tor network itself is only a part of what Tor is. Tor also provides privacy at the application level through the Tor Browser. The Tor Browser was designed to provide privacy while surfing the web and defend users against both network and local forensic adversaries. The same properties can be adopted by applications and services wishing to integrate the Tor network in their architecture. Furthermore, onion services provide better authentication and assurance of who you are talking to. With onion services Tor can provide bi-directional anonymity by making it possible for users to hide their locations while offering various kinds of services, such as web publishing or an instant messaging server.</p>
<p>An .onion service needs to advertise its existence in the Tor network before clients will be able to contact it. Therefore, the service randomly picks some relays, builds circuits to them, and asks them to act as introduction points by telling them its public key. An onion service lives on the Tor network and its name is its long term master identity key. This is encoded as a hostname by encoding the entire key in Base 32, including a version byte and a checksum, and then appending the string “.onion” at the end. The result is a 56-character domain name.</p>
<p>This means that onion service operators do not need a public IP address to publish an onion service, but only its onion service address (URI), making the protocol ideal for p2p applications.</p>
<p>While the introduction points and others are told the onion service’s identity (public key), we don’t want them to learn about the onion server’s location (IP address). By using a full Tor circuit, it’s hard for anyone to associate an introduction point with the .onion server’s IP address.
Because .onion services are only accessible via the Tor network, users do not need hosting or a public IP address to offer some service via a .onion address. This means .onion services are a gateway to a decentralized, peer-to-peer internet, where users regain control over the content they create and who they are sharing it with.</p>
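<p>The address encoding described above, as an added example that is not part of the original post: it builds the 56-character name from a 32-byte identity key and validates an address before it is trusted. The checksum construction (the first two bytes of SHA3-256 over the string ".onion checksum", the key and the version byte) follows the version 3 onion service specification and is not spelled out in the post; the function names and the sample key are assumptions made for illustration.</p>

```python
import base64
import binascii
import hashlib

VERSION = b"\x03"                    # version byte of a v3 onion address
CHECKSUM_CONST = b".onion checksum"  # constant prefix hashed into the checksum
SUFFIX = ".onion"

# Constructed 32-byte value standing in for an ed25519 identity public key.
# It is sample input only, not a key belonging to any real service.
CONSTRUCTED_KEY = bytes(range(32))


def _checksum(pubkey: bytes) -> bytes:
    """First two bytes of SHA3-256(".onion checksum" | pubkey | version)."""
    return hashlib.sha3_256(CHECKSUM_CONST + pubkey + VERSION).digest()[:2]


def encode_onion_address(pubkey: bytes) -> str:
    """Return the hostname for a 32-byte identity public key."""
    if len(pubkey) != 32:
        raise ValueError("identity key must be exactly 32 bytes")
    # 32 key bytes + 2 checksum bytes + 1 version byte = 35 bytes = 280 bits,
    # which is exactly 56 base32 characters with no padding.
    blob = pubkey + _checksum(pubkey) + VERSION
    return base64.b32encode(blob).decode("ascii").lower() + SUFFIX


def decode_onion_address(address: str) -> bytes:
    """Return the public key inside an address, or raise ValueError."""
    host = address.strip().lower()
    if not host.endswith(SUFFIX):
        raise ValueError("not a .onion name")
    label = host[: -len(SUFFIX)]
    if len(label) != 56:
        raise ValueError("label is not 56 characters long")
    try:
        blob = base64.b32decode(label.upper())
    except binascii.Error as exc:
        raise ValueError("label is not valid base32") from exc
    pubkey, checksum, version = blob[:32], blob[32:34], blob[34:]
    if version != VERSION:
        raise ValueError("unsupported address version")
    if checksum != _checksum(pubkey):
        # A mistyped or altered character almost always lands here.
        raise ValueError("checksum mismatch")
    return pubkey


def is_valid_onion_address(address: str) -> bool:
    """Boolean wrapper for use in input validation."""
    try:
        decode_onion_address(address)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    addr = encode_onion_address(CONSTRUCTED_KEY)
    print(addr, len(addr) - len(SUFFIX))
    print(is_valid_onion_address(addr))
```

<p>Because the key is carried in the name itself, a client that validates the address this way learns which key the service must prove it holds, which is the self-authenticating property the post relies on.</p>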
<p>Access control for an onion service is imposed at multiple points. The first stage of access control happens when downloading HS descriptors. Specifically, in order to download a descriptor, clients must know the public key of the service. Also, if optional client authorization is enabled, onion service descriptors are super-encrypted using each authorized user’s identity x25519 key, to further ensure that unauthorized entities cannot decrypt it. The final level of access control happens at the server itself, which may decide to respond or not respond to the client’s request depending on the contents of the request.</p>
<p>By using the Tor Browser (or any web browser supporting the Tor protocol) clients can interact with onion service applications following the same RESTful paradigms. Users can still interact with applications via hyperlinks and the browser will render the accessed resource representation in a similar way to how it renders the content of a website. In fact a website shared via .onion is still a website. For a set of web services, the onion service protocol is just another way that they can be reached, i.e. via the Tor network. For p2p applications instead it is a way to take advantage of the flexibility, far reach and ease of use of web technologies to create decentralized, privacy-friendly services. Furthermore, because .onions can be hosted locally, on someone’s personal computer, we can start imagining services that are available for the time the user desires, and disappear when the .onion operator wishes to shut down the server.</p>
<p>There are a number of applications that are using the onion service protocol in a p2p fashion. One of these is OnionShare [6], which allows users to share files or publish a website without using a centralized server. Another is Haven [7], which transforms an Android phone into a physical security device and uses an onion service to check logs of the phone sensors remotely. We can envision apps allowing people to communicate with one another or develop their own social network. Hopefully more applications will be developed in the near future, creating a dynamic onion service app ecosystem and fostering a more privacy-friendly decentralized web.</p>
<p>REFERENCES:</p>
<p>[1] Berners‐Lee, T., Cailliau, R., Groff, J.F. and Pollermann, B., 1992. World‐Wide Web: the information universe. Internet Research. https://www.emeraldgrouppublishing.com/products/backfiles/pdf/backfiles_sample_5.pdf</p>
<p>[2] Fielding, R.T., Taylor, R.N., Erenkrantz, J.R., Gorlick, M.M., Whitehead, J., Khare, R. and Oreizy, P., 2017, August. Reflections on the REST architectural style and “principled design of the modern web architecture” (impact paper award). In Proceedings of the 2017 11th Joint Meeting on Foundations of Software Engineering (pp. 4-14). https://pdfs.semanticscholar.org/1942/68d1965a7704d1361e440c3ebf599249a005.pdf</p>
<p>[3] Robinson, D.C., Hand, J.A., Madsen, M.B. and McKelvey, K.R., 2018. The Dat Project, an open and decentralized research data tool. Scientific data, 5. https://www.nature.com/articles/sdata2018221</p>
<p>[4] Solove, D.J., 2004. The digital person: Technology and privacy in the information age (Vol. 1). NYU Press. https://scholarship.law.gwu.edu/cgi/viewcontent.cgi?article=2501&context=faculty_publications</p>
<p>[5] Mansour, E., Sambra, A.V., Hawke, S., Zereba, M., Capadisli, S., Ghanem, A., Aboulnaga, A. and Berners-Lee, T., 2016, April. A demonstration of the solid platform for social web applications. In Proceedings of the 25th International Conference Companion on World Wide Web (pp. 223-226). https://pdfs.semanticscholar.org/5ac9/3548fd0628f7ff8ff65b5878d04c79c513c4.pdf</p>
<p>[6] https://onionshare.org</p>
<p>[7] https://play.google.com/store/apps/details?id=org.havenapp.main&hl=en</p>How can the .onion service protocol be used to develop p2p privacy-friendly appsThoughts on internet censorship and surveillance2020-03-04T11:00:00+00:002020-03-04T11:00:00+00:00/writings/tor/2020/03/04/some-thoughts-on-censorship-and-surveillance<p>When we talk about things like internet censorship and surveillance, these might appear as abstract concepts to some people, especially in global north countries. This post tries to explain the effects of these activities, and what can be done to help people subjected to both.</p>
<h1 id="how-does-internet-censorship-look-like">What does internet censorship look like?</h1>
<p>Internet censorship can take many different forms. In most countries there is some form of internet censorship, meaning that the government might decide to block some websites for different reasons. Usually, in democratic settings, internet blocking is regulated by the state and takes the shape of content restrictions based on various constitutional rights and principles, enacted both through the democratic process and formal legislation.</p>
<p>Generally speaking, a network can be censored by blocking or slowing down access to certain websites, services or protocols. The OONI project [1] has been developing tests to find out when and how censorship is happening in a network [2].
How blocking is implemented varies widely from country to country and even by specific political situations or events. Measures that can be adopted to circumvent censorship at a certain moment might not work after a while. It is said that censorship circumvention is an arms race. As censorship circumvention measures become more sophisticated, so does censorship technology. Eventually the right for freedom and democracy is won at the political level.</p>
<p>OONI keeps a blog [3] where they present each internet censorship event and describe both the political background and the technical details of how the blocking is performed.</p>
<p>While internet censorship might seem secondary, it is important to point out that authoritarian regimes use communication control and blocking to shut down or reduce people’s ability to organize and protest. There is evidence that as digital rights are restricted, human rights are violated [4] [5].</p>
<p>Internet censorship doesn’t affect everyone equally either. Marginalized groups and people living in the global south are the ones that suffer digital rights violations the most [6] [7].</p>
<h1 id="relationship-between-internet-censorship-and-surveillance">Relationship between internet censorship and surveillance</h1>
<p>When communication networks are controlled and blocked, citizens are surveilled [8][9]. Controlling dissent by targeting certain groups and dissidents is a common practice for many authoritarian governments [10]. In certain cases these governments prefer to engage online themselves or partner with online media companies to control content and who has access to it [11]. In other cases the techniques are more sophisticated. In certain cases, having a state actor surveil its citizens even affects users and businesses outside that country. An example of this is China weaponizing legitimate requests to attack certain websites outside the Great Firewall (GFW) and even target the global Chinese community [10].</p>
<h1 id="how-to-protect-yourself-from-surveillance-and-circumnvent-censorship">How to protect yourself from surveillance and circumvent censorship</h1>
<p>The Global Investigative Journalism Network advises journalists to protect themselves and their sources from possible threats [13]. The first step is usually to try to protect communications [14] by using end-to-end encrypted services, followed by taking necessary measures to protect access to personal accounts and using secure and encrypted tools and services to store and share documents.</p>
<p>The ability to interact with sources is strategically important for journalists. This is why tools like SecureDrop [16] are used in newsrooms around the globe. Often journalists rely on more lightweight applications. One of these is OnionShare [17]. OnionShare allows users to share or receive files, or to publish a website, directly from their computer. OnionShare uses the Onion Service protocol [19] and exposes the service on the Tor network only. The Onion Service protocol allows for bi-directional anonymity, meaning both the party offering the service and the party receiving the service are anonymous and protected by a 3-hop Tor circuit.</p>
<p>The Onion Service protocol also allows news organizations to reach surveilled and censored individuals [21] by offering their website on the Tor network. These website addresses end in the TLD .onion. Similar to how the https:// protocol of a website provides more security than the http:// protocol, an onion address also appears to be the same site but gives a visitor more privacy and security through end-to-end encryption and improved authentication. Visiting an onion address is easy. All that’s needed is Tor Browser (Tor Browser is built from Firefox and is similar to use); you visit the onion address in Tor Browser like you visit any web address.</p>
<p>Because journalists and activists often have a public profile, both in real life and on social media, they need to take extra care to protect themselves from phishing attacks [15]. To understand the magnitude of phishing operations we just have to consider that the NSO’s spyware Pegasus was targeting people in 45 countries [18].</p>
<p>In other situations activists and journalists need to protect themselves by remaining anonymous. Tools like Tor [20] allow activists to safely browse the internet, do research, publish articles, and plan actions, all without being tracked.</p>
<p>[1] https://ooni.org</p>
<p>[2] https://ooni.org/nettest/</p>
<p>[3] https://ooni.org/post/</p>
<p>[4] https://www.washingtonpost.com/politics/2019/11/27/iran-shut-down-internet-stop-protests-how-long/</p>
<p>[5] https://netblocks.org/reports/evidence-of-internet-disruptions-in-russia-during-moscow-opposition-protests-XADErzBg</p>
<p>[6] https://www.accessnow.org/digital-rights-101-understanding-how-technology-affects-human-rights-for-all/</p>
<p>[7] https://ooni.org/post/2019-blocking-abortion-rights-websites-women-on-waves-web/</p>
<p>[8] https://www.theguardian.com/technology/2012/mar/02/censorship-inseperable-from-surveillance</p>
<p>[9] https://www.washingtonpost.com/world/asia_pacific/chinas-scary-lesson-to-the-world-censoring-the-internet-works/2016/05/23/413afe78-fff3-11e5-8bb1-f124a43f84dc_story.html</p>
<p>[10] https://www.wired.com/2017/04/internet-censorship-is-advancing-under-trump/</p>
<p>[11] https://www.zdnet.com/article/internet-censorship-its-on-the-rise-and-silicon-valley-is-helping-it-happen/</p>
<p>[12] https://www.eff.org/deeplinks/2019/10/chinas-global-reach-surveillance-and-censorship-beyond-great-firewall</p>
<p>[13] https://gijn.org/digital-security/</p>
<p>[14] https://www.icij.org/blog/2018/01/five-digital-security-tools-to-protect-your-work-and-sources/</p>
<p>[15] https://cpj.org/2019/07/digital-safety-kit-journalists.php</p>
<p>[16] https://securedrop.org/</p>
<p>[17] https://onionshare.org/</p>
<p>[18] https://citizenlab.ca/2018/09/hide-and-seek-tracking-nso-groups-pegasus-spyware-to-operations-in-45-countries/</p>
<p>[19] https://2019.www.torproject.org/docs/onion-services.html.en</p>
<p>[20] https://torproject.org</p>
<p>[21] https://blog.torproject.org/news-orgs-activists-onionize-your-sites-against-censorship</p>When we talk about things like internet censorship and surveillance, these might appear as abstract concepts to some people, especially in global north countries. This post tries to explain the effects of these activities, and what can be done to help people subjected to both.Supporting the Tor network relays community. Challenges and opportunities.2020-03-04T11:00:00+00:002020-03-04T11:00:00+00:00/writings/tor/2020/03/04/tor-relays-community-challenges-opportunities<p>How can small organizations run relays on the Tor network while sustaining their operations</p>
<h2>How is the Tor network composed</h2>
<p>The Tor network consists entirely of relays run by volunteers, providing bandwidth and other services to Tor users. There are currently about 6000 relays sustaining the network [1]. Up to now the Tor network has grown organically, by means of community outreach activities. Tor relay operators are usually individuals who are motivated by various factors. The Tor Project mission itself is a strong driver for individuals interested in providing privacy-enhancing communication tools to people all over the world. Other relay operators might be researchers interested in the technical aspects of the Tor software and protocol. Others can also simply be open source enthusiasts who want to be part of its community. Many relay operators have often been recruited, so to speak, by other community members or core developers. Finally, some relay operators are adversaries that are trying to run different analyses over the Tor network itself, like collecting information on its use or on the content being transferred.</p>
<p>None of the motivations described above requires direct compensation by the Tor Project, and the volunteer-based approach to sustaining the network has proved successful. Relay operators invest not only their hardware, but also time and commitment in running the relays and in being part of the Tor community. Expanding the set of relays is vital for the Tor network. More importantly, the network needs a diverse set of relays, not just advertised bandwidth. Diversity means different hardware and operating systems, but also different locations across the globe in order to reach users worldwide and offer overall the same quality of service.</p>
<p>Throughout Tor history, there has never been an official mechanism in place for relay operators to be rewarded extrinsically. The intrinsic reward of being a relay operator was the socially perceived value, like recognition within the Tor community. Many different proposals have been made for a Tor incentives system [2], but none has ever been implemented.</p>
<h2>How do relay operators organize</h2>
<p>Relay operators sometimes create a small non-profit or join an umbrella organization to support their activities. These are set up so that the individual operators are not legally responsible in case of a legal dispute. The organization is also set up to share the burden of possible legal expenses and to collect donations for their activities. The Tor Project itself advises people to constitute a non-profit organization responsible for the relays in case of possible legal disputes. There are in fact some legal risks associated with running relays. These are usually no different from the risks that an ISP could have, since both relay internet traffic. Exit relays have more legal concerns than bridges, guards or middle relays, because middles and guards only relay encrypted traffic, while exits perform requests to the open internet. The Tor Project provides some standard response letters that relay operators can use and some legal resources that could come in handy. In any case relay operators are advised to consult with a lawyer if any problem with law enforcement should arise.</p>
<h2>How much does it cost to run a relay</h2>
<p>Running a relay can be as cheap as a few dollars per month and as expensive as a few hundred, depending on where the relay runs, which kind of hardware it’s running on, bandwidth, operating system and so on. Most relay operators rely on donations from individuals that want to contribute to the network but for several reasons are not able to run a relay at the moment. There is again intrinsic value in donating to relay operators to contribute to the Tor community.</p>
<p>A big portion of relay costs is taken up by bandwidth consumption. If an individual or group wants to run a node that relays a lot of traffic, bandwidth might become expensive.</p>
<h2>Participatory Business Models for Off-Grid utilities, what can we learn</h2>
<p>Certain mechanisms developed by and for the maintenance and operations of the Tor network have much in common with off-grid utility implementation. To start, both are ipso-facto decentralized, community based and require experimenting with different business models for implementation.</p>
<p>A number of previous studies have developed their own classifications for electrification models.</p>
<ul>
<li>Commercially led models which are driven by suppliers and dealers with relatively little government control.</li>
<li>Multi-stakeholder programmatic model wherein a project management unit or multi-stakeholder management authority is typically charged with reaching consumers.</li>
<li>Utility model typically operates on a fee-for-service basis.</li>
<li>Grant based models.</li>
</ul>
<p>[3] describes different participatory models for off-grid electricity services in rural areas. Drawing from previously defined classification systems, they identify five models with different types of operations that have been used in rural electrification.</p>
<ul>
<li>Co-operatives;</li>
<li>Service distribution franchises;</li>
<li>Fee-for-service models;</li>
<li>Community managed models; and</li>
<li>Private sector models.</li>
</ul>
<p>One thing that differentiates the ecosystem of companies and cooperatives providing utilities from relay operators is the fact that while utility-providing organizations could in theory charge their users for using their network, the Tor network is freely accessible by everyone running a Tor client. Since neither the Tor Project nor any reasonable relay operator would like to charge Tor users for bandwidth used, in the past people have speculated whether it would make sense to build mechanisms so that the network could reward relays for the bandwidth provided to the network. A part of this speculation has also involved considering possible harms of such a mechanism to both the privacy and security of Tor users and the community of relay operators. For example, some have argued that this could encourage bad or malicious relays, or the growth of relay farms with the only interest to cash out instead of maintaining the network and protecting the privacy of its users.</p>
<p>Some relay operator groups have developed a membership model to help sustain their operations [4] [5]. The membership model allows such groups to build a close relationship with their supporters while also sustaining their operations.</p>
<h2>Running a participatory relay community</h2>
<p>While relay operators cannot be directly compensated by Tor users, they could be compensated for offering other services in a participatory way to the community of Tor users and .onion websites. The relay operators group could add a certain fee to the service offered and redirect part of this compensation to sustaining their infrastructure and work in maintaining the Tor network. This mechanism could help both the relay operators and the Tor network itself in more than one way. On the one hand relay operators can build a relationship with their members by offering a set of privacy-friendly services that might or might not use the Tor network itself to be operated, like bridges, .onion hosting, VPN, and so on. On the other hand the Tor Project will benefit by seeing more diverse use of the Tor network. Finally, this could also be an incentive for creating a better experience for onion service developers and operators, therefore fostering a more legitimate onion service ecosystem.</p>
<p>This mechanism could be easier to implement for some relay operators than other forms of financing, simply because they are already running some of these services, as these are needed for day-to-day operations. For example, many operator groups running exits are already running an authoritative DNS and could easily offer this service to their members (some in fact already do). This might actually be easier in many circumstances than applying for international grants or public funding, since in many cases this entails a big overhead in work that small relay operator groups cannot sustain.</p>
<p>[1] https://metrics.torproject.org/networksize.html</p>
<p>[2] https://blog.torproject.org/tor-incentives-research-roundup-goldstar-par-braids-lira-tears-and-torcoin</p>
<p>[3] Krithika, P.R. and Palit, D., 2013. Participatory business models for off-grid electrification. In Rural electrification through decentralised off-grid systems in developing countries (pp. 187-225). Springer, London. https://www.researchgate.net/profile/Debajit_Palit/publication/261946063_Participatory_Business_Models_for_Off-Grid_Electrification/links/53e993090cf2fb1b9b671622.pdf</p>
<p>[4] https://applied-privacy.net/membership/</p>
<p>[5] https://enn.lu/member</p>How can small organizations run relays on the Tor network while sustaining their operations How is the Tor network composedHow to setup and use yubikeys for authentication2019-11-15T11:00:00+00:002019-11-15T11:00:00+00:00/writings/devsecops/2019/11/15/yubikey-setup<h2 id="setting-up-yubikeys-to-store-gpg-and-ssh-keys">Setting up yubikeys to store gpg and ssh keys</h2>
<p>I use yubikeys to store my gpg and ssh keys.</p>
<p>Before starting do a little bit of reading to familiarize yourself with the setup
procedure.
I have added a list of links at the end. These are mainly the resources that I used.</p>
<h2 id="generate-a-new-gpg-key">Generate a new gpg key</h2>
<p>I have generated my keys on a qube VM without internet connection.</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>$ gpg --gen-key
</code></pre></div></div>
<p>Selected option 0 and moved on to create my ID associated with the key.</p>
<p>In this step I used mostly the guide from the yubico developers website [1].
The guide goes through generating Sign (S), Authentication (A) and Encryption (E)
keys.</p>
<h2 id="add-an-authentication-key">Add an authentication key</h2>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>$ gpg --expert --edit-key 123ABC45
</code></pre></div></div>
<p>At this step we select another RSA key to attach to our key. In the gpg selection
menu this corresponds to option 8.</p>
<h2 id="backup">Backup</h2>
<p>Here is where you should back up your keys and revocation certificates. Please do.
I have personally lost yubikeys and having backups really helps.</p>
<p>Also set up a PIN and an admin PIN for your yubikey [5] with:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>$ gpg --card-edit
gpg/card> admin
</code></pre></div></div>
<h2 id="import-the-key-to-the-yubikey">Import the key to the yubikey</h2>
<p>Finally we edit our key and add it to the keycard [1].</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>$ gpg --expert --edit-key 123ABC45
gpg> keytocard
</code></pre></div></div>
<p>Now your key is exported to your card and ready to be used.</p>
<h2 id="setup-key-to-be-used-with-ssh">Set up the key to be used with ssh</h2>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>$ gpg2 -K --with-keygrip
</code></pre></div></div>
<p>This will show all your available keys with their keygrips.
Use the keygrip of your authentication key to export it to <code class="language-plaintext highlighter-rouge">sshcontrol</code>:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>echo 1234567AB8CDFFF90G9H1I23JJ4K5L67M89N012O > ~/.gnupg/sshcontrol
</code></pre></div></div>
<p>I have also added the following to my <code class="language-plaintext highlighter-rouge">~/.gnupg/gpg-agent.conf</code> [4]:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>default-cache-ttl 600
max-cache-ttl 7200
enable-ssh-support
write-env-file ~/.gpg-agent-info
</code></pre></div></div>
<p>And edited my <code class="language-plaintext highlighter-rouge">~/.bashrc</code> with:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gpg-connect-agent /bye
export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
</code></pre></div></div>
<p>You can now:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>$ source ~/.bashrc
$ ssh-add -l
</code></pre></div></div>
<p>This should list your new key.</p>
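<p>An added example, not part of the original post, for the keygrip step above: it parses the machine-readable form of the listing (<code class="language-plaintext highlighter-rouge">gpg2 -K --with-keygrip --with-colons</code>), picks the keygrip of the usable authentication subkey, and adds it to the contents of <code class="language-plaintext highlighter-rouge">sshcontrol</code> without discarding entries already there, which a plain <code class="language-plaintext highlighter-rouge">&gt;</code> redirect would overwrite. The listing is constructed sample data and the function names are assumptions made for illustration.</p>

```python
import re

# Constructed values: key IDs, fingerprints, keygrips and the token serial
# below are sample data, not taken from any real key or card.
KG_PRIMARY, KG_ENCRYPT = "A1" * 20, "E2" * 20
KG_OLD_AUTH, KG_AUTH = "A3" * 20, "A4" * 20
CARD = "D27600012401" + "0" * 20

CONSTRUCTED_LISTING = "\n".join([
    f"sec:u:4096:1:1111111111111111:1573819200:::u:::scESC:::{CARD}:::23::0:",
    f"fpr:::::::::{'F1' * 20}:",
    f"grp:::::::::{KG_PRIMARY}:",
    "uid:u::::1573819200::" + "0" * 40 + "::Example User::::::::::0:",
    f"ssb:u:4096:1:2222222222222222:1573819200::::::e:::{CARD}:::23:",
    f"fpr:::::::::{'F2' * 20}:",
    f"grp:::::::::{KG_ENCRYPT}:",
    # An expired authentication subkey that must not be selected.
    "ssb:e:4096:1:3333333333333333:1542283200:1573819100:::::a:::#:::23:",
    f"fpr:::::::::{'F3' * 20}:",
    f"grp:::::::::{KG_OLD_AUTH}:",
    f"ssb:u:4096:1:4444444444444444:1573819200::::::a:::{CARD}:::23:",
    f"fpr:::::::::{'F4' * 20}:",
    f"grp:::::::::{KG_AUTH}:",
]) + "\n"

KEYGRIP_RE = re.compile(r"^[0-9A-Fa-f]{40}$")
UNUSABLE = set("iedr")  # validity: invalid, expired, disabled, revoked


def parse_secret_keys(listing):
    """Return one dict per sec/ssb record, with the keygrip from its grp record."""
    keys, current = [], None
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] in ("sec", "ssb"):
            fields += [""] * (15 - len(fields))  # tolerate short records
            current = {
                "keyid": fields[4],
                "validity": fields[1],
                "caps": fields[11],   # field 12: lowercase = this key's own usage
                "token": fields[14],  # field 15: token serial, '#' for a stub
                "keygrip": None,
            }
            keys.append(current)
        elif fields[0] == "grp" and current is not None and len(fields) > 9:
            current["keygrip"] = fields[9]
    return keys


def auth_keygrips(listing):
    """Keygrips of keys that are usable and carry the authentication flag."""
    result = []
    for key in parse_secret_keys(listing):
        grip = key["keygrip"] or ""
        if ("a" in key["caps"] and key["validity"] not in UNUSABLE
                and KEYGRIP_RE.match(grip)):
            result.append(grip.upper())
    return result


def update_sshcontrol(existing, keygrip):
    """Return sshcontrol contents with keygrip appended unless already listed."""
    if not KEYGRIP_RE.match(keygrip):
        raise ValueError("a keygrip is 40 hexadecimal characters")
    listed = set()
    for line in existing.splitlines():
        entry = line.strip()
        if not entry or entry.startswith("#"):
            continue
        # A leading '!' marks a disabled entry; it is left for the operator
        # to review instead of being duplicated.
        tokens = entry.lstrip("!").split()
        if tokens:
            listed.add(tokens[0].upper())
    if keygrip.upper() in listed:
        return existing
    separator = "" if existing == "" or existing.endswith("\n") else "\n"
    return existing + separator + keygrip.upper() + "\n"


if __name__ == "__main__":
    for grip in auth_keygrips(CONSTRUCTED_LISTING):
        print(update_sshcontrol("", grip), end="")
```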
<ul>
<li>[1] <a href="https://developers.yubico.com/PGP/Importing_keys.html">https://developers.yubico.com/PGP/Importing_keys.html</a></li>
<li>[2] <a href="https://zeos.ca/post/2018/gpg-yubikey5/">https://zeos.ca/post/2018/gpg-yubikey5/</a></li>
<li>[3] <a href="https://www.esev.com/blog/post/2015-01-pgp-ssh-key-on-yubikey-neo/">https://www.esev.com/blog/post/2015-01-pgp-ssh-key-on-yubikey-neo/</a></li>
<li>[4] <a href="https://www.isi.edu/~calvin/yubikeyssh.htm">https://www.isi.edu/~calvin/yubikeyssh.htm</a></li>
<li>[5] <a href="https://developers.yubico.com/PGP/Card_edit.html">https://developers.yubico.com/PGP/Card_edit.html</a></li>
</ul>Setting up yubikeys to store gpg and ssh keys