"To be trusted is a greater compliment than being loved." - George MacDonald
myRL.net
Posted on 2015-09-16 by IceBear

In this and the two following articles I'd like to take a look at three different areas of personal data storage, how I see the majority of people handling them, and what my personal theoretical approaches to them are. This is going to be purely about data storage and security, not transport security, which is a topic of its own.

The questions mainly are:

  • Where am I supposed to store my private data?
  • Is my data secure?
  • Who can access my data?
  • Is security based on trust or actual scientific security (encryption)?

First of all, the three distinctions of data storage I'd like to make, and also how I'm splitting the articles, are the following:

  • Email storage
  • Preference storage (application preferences, browser syncing, phone syncing etc.)
  • Personal data storage (photos, videos, documents, contacts, calendar, etc.)

Let's start with email storage. Where are your emails stored? The vast majority of Internet users have an email account with one of the big free email providers or they might have an account that is provided by their Internet Service Provider (ISP). Maybe you even use some shared web hosting somewhere which comes with shared email servers. Whichever of these is the case: your emails are effectively stored with a third party, an ISP that is not you.

Let me ask you this: where is your mail stored? And by mail I actually refer to physical mail: letters. Where are they received? Surely you have a mailbox at your home, or you might have a post-office (PO) box. Most likely you'll be receiving your mail at your mailbox in front of your house and then store it safely inside your home. Would you want your letters to be sent to a third-party that is sending you a copy but also storing all your letters within their own house? Probably not.

I believe we have a major misunderstanding of how we are currently treating email. We are giving away our email data to big companies that make a living from it (among other services). Always keep in mind that you're most likely not the customer when using a free service, you might be the actual product. If events in the last years regarding the NSA and Edward Snowden have shown us anything, it's that our data stored at big ISPs is most likely easily accessible by governments.

Instead of using such a centralized infrastructure, we should be decentralizing Email in the same way our usual mail system works. When you go back looking at the development of email, it actually was meant to be exactly like that.

My suggestion for email therefore is this:

  • Get your own domain name to use for your email address. Be aware that public email providers like gmail.com, hotmail.com, etc. are the ones in charge of their domain names and can cancel them or your email address at any time. You should be the one in charge of your own domain name.
  • Run your own email server at home. While this might sound difficult, a lot of services and communities try to make this as easy as possible. Some examples would be iRedMail, Mail-in-a-Box, Synology Email Server and YunoHost. In case you've heard about or own a Raspberry Pi, there are two major projects making self-hosted services, including Email, on a Raspberry Pi as easy as possible: arkOS and FreedomBox.
  • Use a third-party email server only as a backup mail server. In case your Internet connection at home drops and your mail server is unreachable, configure a third-party email server as a backup, so your emails will be delivered regardless. In a best case scenario, you can set up a friend's home email server as your backup server and vice versa.
  • Use end-to-end encryption such as GPG to protect your emails even if someone else is able to access them.

This is just a very brief overview of why I suggest hosting your own email server. There are lots of other things to consider and running an email server is by no means an easy task, I understand that.

As a concluding suggestion, I'd like to introduce the website PRISM Break which lists free and open alternatives for all kinds of proprietary and closed solutions. Specifically for mail servers: PRISM Break Mail Servers

In my next article I'll be taking a look at preference storage, where to save application preferences, what to do with browser syncing and phone syncing.

Article NSA parody logo cc by EFF. Article title in reference to "All your base are belong to us".

Posted on 2015-06-02 by IceBear

With the A588T, Lenovo released a neat Android 4.4 based flip phone on the Chinese market. It comes with a touchscreen and also allows the user to completely flip the screen by 180° to make it usable as a conventional smartphone. It doesn't seem to be very popular, as documentation on it is very scarce and I can't even seem to be able to find an official Lenovo product page.

Since the model I got my hands on is only intended for the Chinese market, it comes with several restrictions:

  • TD-SCDMA 3G modem which only allows 3G usage in China Mobile networks and not internationally
  • Google Play and other Google services are not installed and can't be installed in a simple way
  • Recent versions of Lenovo apps are only available in Chinese
  • Hardware keyboard input seems to be limited to Chinese

Yes, 3G won't work outside China Mobile networks which is, for the most part, limited to mainland China. While most of the phone initially seems to be available in English, after updating Lenovo store and other apps, they are only available in Chinese, dropping English language support. Quite the bummer.

The biggest drawback is support for the hardware keyboard, however. It always seems to suggest Chinese and not English input. I somehow got it to suggest English at one point but it's far from proper T9 support like we had back in the days. I have yet to find a proper solution for this. Either way, this is not part of this guide.

I wanted to have Google Play available and also get root access, since I like to be in full control of my devices. Most of this article is based on the video "How to Root every MTK China Phone" by ITXtutor. Do note that the general idea of this article does indeed work with other MTK devices, only some aspects (like the firmware) are Lenovo A588T specific.

This guide is relying on tools for Windows and is therefore meant for Windows only.

As prerequisites you may want to download the following tools:

As I'm assuming everyone knows how to extract and install these files, I won't mention that as an extra step. You may be required to install additional ADB and device-specific USB drivers. I'm not covering this for every device; for the Lenovo A588T, drivers are included within the "FlashTool" folder of the firmware linked above.

If you'd like a fresh start or upgrade your firmware, flash Lenovo A588T firmware version S044 on your phone using MediaTek Smart Phone Flash Tool. Be aware that this will delete all your data stored on the phone and is a completely optional step:

  1. Turn your phone off and remove the battery
  2. Open MediaTek Smart Phone Flash Tool:
    • Go to "Download" tab
    • Select Scatter-loading file from downloaded firmware: "MT6582_Android_scatter.txt"
    • Select Download Only from the dropdown menu
    • Press "Download"
    • Connect the phone (while it is without battery and turned off) to your computer via USB which should connect your phone in preloader mode
      • The screen will stay blank and if you check Windows Device Manager, a "preloader" device may pop up and disconnect every now and then. This is completely normal.
    • Wait for the download to finish
      • If you get an error message, try again in case the device was currently in a non-ready mode (as it keeps connecting and disconnecting all the time) and if it still doesn't work, make sure you have the proper USB drivers for your phone installed
    • A green icon should appear to inform you of successfully flashing the firmware
  3. Disconnect the phone, put the battery back in and boot it up
  4. You are now using a clean and fresh stock version of Lenovo's A588T firmware version S044
  5. You may or may not want to update to the most recent version of Lenovo's A588T firmware by running the System Update tool on your phone

Follow these steps to create a full backup of your current ROM:

  1. Turn your phone on and make sure USB debugging is enabled
    • On the Lenovo A588T you first need to enable developer options by going to System -> About phone -> Version information -> click seven times on Build number
    • Once you have enabled developer options you need to enable USB debugging by going to System -> Developer options -> check USB debugging
  2. Connect the phone to your computer via USB
  3. Launch MTK Droid Tools and accept the USB debugging request from your computer on your phone which should pop up there
  4. In the default tab "Phone information" click on the button "Blocks map"
    • Note down the scatter address for "cache". For example: 003E100000
    • Create a scatter file by pressing the button "Create scatter file". Save it to any desirable location.
  5. Disconnect your phone from the computer
  6. Turn your phone off and remove the battery
  7. Open MediaTek Smart Phone Flash Tool:
    • Go to the "Readback" tab and press "Add"
    • Double click on the new entry and select any desirable location and file name where you would like to save your current ROM backup
    • In the dialog that pops up, set the readback type to "Hex" and the length to your previously noted scatter address for "cache", prefixing it with "0x" and removing any leading 0-padding from the address. In our example: 0x3E100000
    • Leave the start address to the default 0x0
    • Press "Read Back" to save your backup
    • Connect the phone to your computer via USB which should connect your phone in preloader mode (as mentioned above)
    • Wait for the backup to finish, this might take a while
      • If you get an error message, try again in case the device was currently in a non-ready mode (as it keeps connecting and disconnecting all the time) and if it still doesn't work, make sure you have the proper USB drivers for your phone installed
    • A green icon should appear to inform you of successfully reading back the ROM

Now that you have successfully created a backup, it's time to install CWM recovery:

  1. Turn your phone on normally
  2. Connect the phone to your computer via USB
  3. Launch MTK Droid Tools
    • Go to the "root, backup, recovery" tab
    • Press "To process file ROM_ from Flash Tool" and select the previously created ROM backup
    • A popup will ask you whether "To make CWM recovery automatically?" - Select "Yes"
    • This will create a recovery file for your ROM including CWM recovery
  4. The recovery file including CWM recovery will be located in a folder called something like "LenovoA588t_*_ForFlashtoolFromReadback_*" within the "backup" folder of your MTK Droid Tools directory
  5. The file is called something like "LenovoA588t_*__recovery_*"
  6. Disconnect your phone, turn it off, remove the battery
  7. Open MediaTek Smart Phone Flash Tool:
    • Go to the default "Download" tab
    • Click on "Scatter-loading" and select the scatter file we created while backing up our current ROM
    • Set mode to "Download only" and tick the "RECOVERY" item in the list
    • Double click on the location for the "RECOVERY" item and select the recovery file including CWM recovery mentioned before
    • Press "Download" to flash CWM recovery
    • Connect your phone via USB into preloader mode (as we did before)
    • Wait for the download to finish
      • If you get an error message, try again in case the device was currently in a non-ready mode (as it keeps connecting and disconnecting all the time) and if it still doesn't work, make sure you have the proper USB drivers for your phone installed
    • A green icon should appear to inform you of successfully flashing CWM recovery

After CWM recovery has been successfully flashed, it's time to see if it's working alright. Boot your phone into CWM recovery by holding down Volume up, Volume down and the Power button at the same time. If you end up in the CWM recovery menu, everything is working as intended. It should say something along the lines of "rua1 autoCWM" at the top of the screen.

Installing SuperSU and Google apps is a piece of cake now:

  1. Boot up your phone normally and transfer both SuperSU as well as the Google apps zip files onto your external phone SD card.
  2. Turn your phone off and reboot it into CWM recovery by holding down Volume up, Volume down and the Power button while turning it on
  3. Navigate by using the volume buttons and select a menu item by using the power button
  4. Go to "install zip from sdcard" -> "choose zip from sdcard" -> Select the SuperSU zip file and acknowledge the installation
  5. After it has been successfully installed, do the same with the Google apps zip file
  6. Reboot your phone normally

Congrats! You should now have SuperSU as well as Google apps installed successfully. This will give you root access and the full app range of Google's Play store.

Posted on 2014-05-24 by IceBear

Recently MachineGames' new video game Wolfenstein: The New Order was released. In case you are not familiar with the popular Wolfenstein series, it began way back in 1981 with Castle Wolfenstein and essentially is a video game series revolving around Nazis and organisations which were active in Nazi Germany. You do not play as a Nazi, instead you play against them. So effectively you are killing Nazis within the game.

The more popular part of the series Wolfenstein 3D released in 1992 was "confiscated" in Germany in 1994 because of its use of the Swastika which in this context is considered a symbol of an unconstitutional organisation. The use of such symbols is regulated by German law in § 86a StGB and can lead to a fine and/or imprisonment of up to three years. When a video game is "confiscated" in Germany it effectively means the following (for a more thorough analysis see this (German)):

  • You are not allowed to sell the video game within Germany
  • You are allowed to buy the video game within Germany (however the seller is going against the law here)
  • You are allowed to own the game
  • You are allowed to import the video game from another country

So, assuming you already owned the game before the "confiscation", it is perfectly legal to keep it and play it. It is also perfectly legal to import the video game from another country which most people don't seem to know about. To me this doesn't really seem like a "confiscation" which is the German term used by law: "Beschlagnahmung", hence I put it in quotes. Instead I'd call it a ban, effectively censorship even.

Now you might be wondering: what about movies or television series involving the use of such symbols? Well, according to German law you may be allowed to make use of such symbols in certain cases like for example for "art" which is regulated in § 86 StGB. The next question is: those are considered art, but video games are not? Who says?

Answering this question would be an article on its own and effectively there is no decisive answer. It's a matter of court decisions in the past, a matter of a people that doesn't even want to touch certain topics due to a taboo and an industry that is rather scared and goes the "easy" way of censoring their video games for the German video game market instead of fighting against censorship.

Anyway, the discussion on why this ban exists is irrelevant to the point I actually want to make. As you have learned now, video games might get banned in Germany due to usage of symbols used by an unconstitutional organisation and regardless of that it is still perfectly legal to import such games from other countries. And here comes the catch.

Back in the days without digital rights management (DRM) it was as easy as importing a video game from another country, installing it and playing it. On the PC anyway, video game consoles already had a kind of a region lock through NTSC and PAL standards. But that's again another topic.

Let's go back to the recently released game Wolfenstein: The New Order which uses Steamworks as their DRM. To play the game you will have to activate it online with Valve Corporation's Steam software. And here's what Bethesda Softworks, the publisher of Wolfenstein: The New Order decided to do: they released a censored German version without the use of any unconstitutional organisation symbols and to top it off disallow the activation of the uncensored version from a German IP address.

Within Germany I'm only allowed to activate and play the censored version even though by law it is perfectly legal for me to import the uncensored version from another country. Since the Steam Subscriber Agreement disallows use of any proxy servers or virtual private network (VPN) to obfuscate my location, I have no legal and allowed means to play a perfectly legal and legit copy of an imported video game.

"You agree that you will not use IP proxying or other methods to disguise the place of your residence, whether to circumvent geographical restrictions on game content, to purchase at pricing not applicable to your geography, or for any other purpose. If you do this, we may terminate your access to your Account." - Steam Subscriber Agreement

Thank you for fucking over the honest customer. Obviously you don't want people's money, you made that abundantly clear.

Since Wolfenstein: The New Order is a single player only game it is happily shared by thousands of German peers... and you shouldn't even really be mad at them... Bethesda Softworks caused this themselves.

Posted on 2013-01-21 by IceBear

Since the illegal closure and take-down of Megaupload in January 2012, people were anxious about what might happen with the case and whether a new Megaupload would follow. Kim Dotcom had already announced the relaunch of Megaupload in November 2012, and exactly one year after the raid the new Megaupload, now simply called MEGA (MEGA Encrypted Global Access), has launched.

What supposedly makes MEGA different from every other file hosting service such as Dropbox, Google Drive and more is the built-in and mandatory end-to-end encryption. A reason for them to implement this is of course so they can have plausible deniability and claim that they have no idea what kind of content is hosted on their service. A side product of that is also privacy for their users, hence MEGA also calls itself "The privacy company". Is it really, though?

A quick look at the Security & Privacy page of their Help center shows this:

"All encryption is end-to-end. Data uploaded is encrypted on the uploading device before it is sent out to the Internet, and data downloaded is decrypted only after it has arrived on the downloading device. The client machines are responsible for generating, exchanging and managing the encryption keys. No usable encryption keys ever leave the client computers (with the exception of RSA public keys)." - MEGA Help center

That sounds pretty awesome. Real end-to-end encryption, that seems pretty safe to me. Let's take a closer look. They are kind enough to lay out their exact process with their MEGA API on the developers page. There it reads:

"Each user account uses a symmetric master key to ECB-encrypt all keys of the nodes it keeps in its own trees. This master key is stored on MEGA's servers, encrypted with a hash derived from the user's login password." - MEGA API

Eh? So, the master key is after all stored on MEGA's servers? I'm confused.

"In addition to the symmetric key, each user account has a 2048 bit RSA key pair to securely receive data. Its private component is stored encrypted with the user's symmetric master key." - MEGA API

What? So... the symmetric master key is stored on MEGA's servers albeit "encrypted with a hash derived from the user's login password". Well, they can grab my password every time I log on or simply save it in plain text in the first place. The private component of my RSA key pair is also stored on their servers albeit "encrypted with the user's symmetric master key", where we just stated why that is broken. But wait a minute. Didn't it clearly state "No usable encryption keys ever leave the client computers" in their Help center? Oh, I see. They are encrypted, hence they are obviously not "usable". Yes. That makes sense.

Now to be honest with you, I'm by no means an expert in cryptography nor have I checked any of their source code and what it actually does. But you can all get down to it with a simple assumption and raising one single question.

Let's assume all the encryption and decryption is in fact done on the client side only. How is it possible to simply switch browsers and/or computers and use all of the encryption and decryption functions without transferring any keys between them whatsoever? Because all of your keys are stored on their servers. Whether they are stored "encrypted with a hash derived from the user's login password" doesn't matter. They are stored there.

The conclusion is that in theory it is totally possible for them to decrypt all your files. Whether they do that or not is up to your belief and imagination; the ability stands.
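The key hierarchy quoted above can be modelled in a few lines; this is an added example, not MEGA's code or anything from their developers page. It assumes PBKDF2 as a stand-in for the unspecified "hash derived from the user's login password" and AES-128-GCM as a stand-in file cipher, and contrasts the quoted scheme with one where the master key never leaves the device; all function names are hypothetical.

```javascript
const crypto = require('crypto');

// AES-128-ECB over whole 16-byte blocks, matching "ECB-encrypt all keys".
function ecb(key, block, decrypt = false) {
  const make = decrypt ? crypto.createDecipheriv : crypto.createCipheriv;
  const c = make('aes-128-ecb', key, null);
  c.setAutoPadding(false);
  return Buffer.concat([c.update(block), c.final()]);
}

// Assumption: PBKDF2 stands in for the page's unspecified
// "hash derived from the user's login password".
function passwordKey(password, salt) {
  return crypto.pbkdf2Sync(password, salt, 100000, 16, 'sha256');
}

// Encrypt one file under a fresh node key and wrap that key with masterKey.
// Assumption: AES-128-GCM stands in for the file cipher.
function sealFile(masterKey, plaintext) {
  const nodeKey = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12);
  const gcm = crypto.createCipheriv('aes-128-gcm', nodeKey, iv);
  const body = Buffer.concat([gcm.update(plaintext, 'utf8'), gcm.final()]);
  return { wrappedNodeKey: ecb(masterKey, nodeKey), iv, body, tag: gcm.getAuthTag() };
}

function openFile(masterKey, file) {
  const nodeKey = ecb(masterKey, file.wrappedNodeKey, true);
  const gcm = crypto.createDecipheriv('aes-128-gcm', nodeKey, file.iv);
  gcm.setAuthTag(file.tag);
  try {
    return Buffer.concat([gcm.update(file.body), gcm.final()]).toString('utf8');
  } catch (e) {
    return null; // wrong key: the authentication tag does not verify
  }
}

// Scheme as quoted: the wrapped master key is part of the server-side record.
function signUpServerStored(password, plaintext) {
  const salt = crypto.randomBytes(16);
  const masterKey = crypto.randomBytes(16);
  return {
    salt,
    wrappedMasterKey: ecb(passwordKey(password, salt), masterKey),
    file: sealFile(masterKey, plaintext),
  };
}

// Contrast: the master key stays on the device; only the sealed file is uploaded.
function signUpDeviceHeld(plaintext) {
  const masterKey = crypto.randomBytes(16);
  return { deviceKey: masterKey, serverRecord: { file: sealFile(masterKey, plaintext) } };
}

// What any holder of the server record plus the login password can read.
function readWithPassword(serverRecord, password) {
  if (!serverRecord.wrappedMasterKey) return null; // no key material on the server
  const pk = passwordKey(password, serverRecord.salt);
  return openFile(ecb(pk, serverRecord.wrappedMasterKey, true), serverRecord.file);
}

function demo() {
  const password = 'correct horse battery staple'; // constructed sample value
  const a = signUpServerStored(password, 'tax-return.pdf contents');
  const b = signUpDeviceHeld('tax-return.pdf contents');
  return {
    newBrowser: readWithPassword(a, password),   // works with no key transfer
    wrongPassword: readWithPassword(a, 'guess'),
    deviceHeldFromServer: readWithPassword(b.serverRecord, password),
    deviceHeldOnDevice: openFile(b.deviceKey, b.serverRecord.file),
  };
}

console.log(demo());
```

In the first scheme the password is the only secret that is not already on the server, which is why switching browsers works and why confidentiality rests on the service never seeing that password.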

What does the upcoming case against MEGA look like? Judge: "Is it true that you actually were able to decrypt and read all the files hosted?" - Kim: "Yes, but we never did."

Real end-to-end encryption does not require you to trust the file hosting service. MEGA does.

"The privacy company"

MEGA fail.

Posted on 2012-08-01 by IceBear

You might have heard about the legal case going on and on with The Pirate Bay for years already. Basically the music industry and other retarded cokeheads of the likes claim that the services The Pirate Bay are offering are illegal.

What exactly is The Pirate Bay offering?

They once actually served as a BitTorrent tracker, search engine and indexing service. They got rid of the BitTorrent tracker sooner or later because they became aware of the retarded people living on this planet deeming it illegal. So what are they left with? A search engine and indexing service. Sounds familiar. Something like Google, Yahoo and Bing? Pretty much, yes, except only for the BitTorrent network. How is that illegal, you ask? Well, beats me. But apparently even judges agree.

In case you are wondering how the classical BitTorrent network operates, here's a quick outline:

  • BitTorrent is a peer-to-peer network for data transfers (files like music, videos, pictures, etc.)
  • If you want to download a certain file, you download a *.torrent file that contains hashes of pieces of the actual file you want. A hash essentially is nothing but a calculated number from that piece of a file, to verify its integrity and to find the file. Keep in mind that you can not recreate the file from these hashes.
  • The *.torrent file also contains a list of so called BitTorrent trackers, which are servers you will connect to, essentially ask them "Who has this file?" but also tell them whether you have a file to offer. They enable a communication between the peers, so the peers can find each other and initiate a transfer between themselves.
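To make the outline concrete, here is an added example (not code from The Pirate Bay or any BitTorrent client) that builds the metadata of a *.torrent file for a constructed 100 KiB buffer and checks a received piece against it. It goes slightly beyond the text by also computing the info-hash, the SHA-1 of the bencoded "info" dictionary that identifies a torrent to trackers; the tracker URL and file name are constructed placeholders.

```javascript
const crypto = require('crypto');

const sha1 = (buf) => crypto.createHash('sha1').update(buf).digest();

// Bencoding, the serialization used inside *.torrent files.
function bencode(v) {
  if (Buffer.isBuffer(v)) return Buffer.concat([Buffer.from(`${v.length}:`), v]);
  if (typeof v === 'string') return bencode(Buffer.from(v, 'utf8'));
  if (Number.isInteger(v)) return Buffer.from(`i${v}e`);
  if (Array.isArray(v)) {
    return Buffer.concat([Buffer.from('l'), ...v.map(bencode), Buffer.from('e')]);
  }
  // Dictionary: keys must be emitted in sorted order.
  const parts = Object.keys(v).sort().flatMap((k) => [bencode(k), bencode(v[k])]);
  return Buffer.concat([Buffer.from('d'), ...parts, Buffer.from('e')]);
}

// Build the metadata: one 20-byte SHA-1 per piece plus the tracker list.
function makeTorrent(name, content, pieceLength, trackers) {
  const hashes = [];
  for (let off = 0; off < content.length; off += pieceLength) {
    hashes.push(sha1(content.subarray(off, off + pieceLength)));
  }
  const info = {
    length: content.length,
    name,
    'piece length': pieceLength,
    pieces: Buffer.concat(hashes),
  };
  return { announce: trackers[0], 'announce-list': trackers.map((t) => [t]), info };
}

// Identifier a client hands to a tracker when asking "who has this file?".
function infoHash(torrent) {
  return sha1(bencode(torrent.info)).toString('hex');
}

// Integrity check a client runs on every piece received from a peer.
function verifyPiece(torrent, index, data) {
  const expected = torrent.info.pieces.subarray(index * 20, index * 20 + 20);
  return expected.length === 20 && crypto.timingSafeEqual(expected, sha1(data));
}

function demo() {
  const content = Buffer.alloc(100 * 1024, 'constructed sample data ');
  const torrent = makeTorrent('album.bin', content, 16384,
    ['http://tracker.example/announce']);
  const piece2 = content.subarray(2 * 16384, 3 * 16384);
  const tampered = Buffer.from(piece2);
  tampered[0] ^= 0xff; // a single flipped byte, as a faulty or dishonest peer might send
  return {
    fileBytes: content.length,
    torrentBytes: bencode(torrent).length,
    pieceCount: torrent.info.pieces.length / 20,
    infoHash: infoHash(torrent),
    goodPiece: verifyPiece(torrent, 2, piece2),
    tamperedPiece: verifyPiece(torrent, 2, tampered),
  };
}

console.log(demo());
```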

Okay, now let's assume we have a file that is shared and it contains by law content that is not allowed to be freely shared (like for example a ripped music album). Whoever puts this file up has to create the *.torrent file for it. So that person calculates hashes from the files, adds a BitTorrent tracker to the file and done.

This *.torrent file, containing nothing but legal metadata, will be put up on a site now, for example on The Pirate Bay. So The Pirate Bay offers this *.torrent file, with a description of the files it supposedly contains metadata for and people are free to download this *.torrent file. This is not illegal. Anybody who claims it is, is a retard and did not understand how this system works.

If anybody downloads this *.torrent file of said music album now and adds it to their BitTorrent client, the BitTorrent client will contact the specified BitTorrent trackers and they will reply with a list of people who currently want or offer the file. Now, depending on the country you are residing in but also depending on your moral values, none, one or both of these actions can be considered illegal:

  • Downloading the actual files from a peer (getting the music album)
  • Uploading the actual files to a peer (sharing/giving the music album)

What did The Pirate Bay do in all this? Effectively the following:

  • Telling you about the file: Music album
  • Offering hashes for said file (Remember: calculated numbers, not possible to recreate the file from)
  • Telling you which BitTorrent tracker to ask about peers
  • If specified as a BitTorrent tracker itself: telling you which peers are getting and sharing the file (This is now obsolete as The Pirate Bay no longer operates a BitTorrent tracker themselves)

All of that is considered metadata. None of that is illegal.

Still, on April 17th, 2009 the operators of The Pirate Bay were found guilty of "assistance to copyright infringement" in Sweden and sentenced to one year in prison and payment of a fine of 30 million SEK (roughly 4.4 million USD (as of writing of this article)).

This didn't stop The Pirate Bay from operating, however. It still operates as of today and the music industry is still trying really hard to get them down. Since by now they have realized they can't take them down at the very source, they instead try censoring access to The Pirate Bay.

So far access to The Pirate Bay has been "blocked" in: Belgium, Denmark, Finland, Ireland, Italy, Malaysia, the Netherlands, the People's Republic of China and the United Kingdom. Several other countries had temporary blockades or legal cases about blocking the site. More are probably to come.

These blockades usually range from mostly simple Domain Name System (DNS) blockades to Internet Protocol (IP) blockades. Both of them are very easy to get around, and people wanting to access The Pirate Bay as well as The Pirate Bay themselves offer tons of ways to get around them. In the end all these blockades cause is free advertising for The Pirate Bay and BitTorrent, plus making people aware of what kind of MAFIAA is operating within our governments and courts, resulting in membership boosts for the Pirate Party.

One of the worst organizations, trying the hardest to block The Pirate Bay is BREIN (Bescherming Rechten Entertainment Industrie Nederland) in the Netherlands. They don't even stop at just blocking The Pirate Bay by forcing the country's Internet Service Providers (ISPs) to apply a blockade but instead they also want to stop every proxy that is being set up to go around said blockades.

But they go even further. After successfully getting court orders to force closure of a proxy provided by the Dutch Pirate Party as well as a proxy provided by Greenhost, they even demand a gag on the Dutch Pirate Party to stop operating any kind of proxy service as well as to stop explaining how to use them or set them up.

Yes. The censorship is getting worse and worse. Stop discussing. Stop offering proxy services. The question how long before VPNs and proxy services become illegal is very valid.

BREIN, you can not win this. Stop fighting.

For every IP address that gets blocked The Pirate Bay will have a new one ready within minutes.

This is a futile game, already lost by BREIN. But since they apparently don't have a BRAIN, they don't see it. As long as there is one person on the Internet who does not agree, content can not be censored. And such people will fortunately always exist.

With that said, have a link to a list of The Pirate Bay proxies, generously provided by Pirate Reverse: http://about.piratereverse.info/proxy/list.html

And also a guide on how you can help and set up your own Pirate Bay proxy: http://about.piratereverse.info/proxy/index.html
