Arnt Gulbrandsen
About meAbout this blog

More on surveillance and political violence

Two years ago I did a back-of-the-envelope calculation suggesting that if a well-run state is to use surveillance to prevent or investigate politically motivated violence, then it has to spend considerably more than €3000 per year and person to get results (where person means anyone who might be willing to help plan or carry out political violence).

The limit is higher: The €3000 did not include the price of xkeyscore and the other ineffective programs that have since come to light. Most of that cost is borne by the USA, but the 500 million records supplied monthly by Germans will have cost something.

I suppose it's theoretically possible that the names of known Nazis weren't added to the list of suspects, but I can't bring myself to believe it. These are people who gather in the woods to practise with guns, and their names are in a database run by someone who supplied data to the NSA. They must have been added.

So xkeyscore had the names of Mundlos, Böhnhard, Zschäpe and probably everyone who helped them, and it found nothing, neither before any of the killings nor afterwards.

It found one thing, though: Laura Poitras had 400 out of 400 points on the risk scale, and in the event she has turned out to be a great risk to job security at the NSA.

My razor blades were confiscated today

A security guard at an airport confiscated my razor blades today. I've carried razor blades in my hand luggage since 2004 (inadvertently on the first few dozen flights, knowingly and together with my razor on a hundred or more since I found the blades). Usually the guards want to look at my razor and the corkscrew I also carry, but until today noone has asked whether I might perhaps have any blades for the razor.

He also found, and let me keep, my forbidden shampoo and aftershave. And he checked whether I had a blade in the razor. Such clue. Maybe there is hope for mankind.

Good news

Deutsche Telekom has published a live overview of internet security. It's good news, just look at the top 5 attack types.

Here's a screenshot, in case Telekom learns that traceroute isn't a weapon and starts excluding it from the list of attack types:

I'm going to assume that 50% of what Telekom sees is innocent, ie. half the attacks on SMB protocol are fat-fingered configurations. (I know I've fat-fingered someone's port 5353 not long ago.) That leaves 13 million SMB attacks last month, 690,000 traceroute invocations, and the other kinds of attacks are less common than traceroute.

If there are fewer attacks than traceroute invocations on everything except that one notorious Microsoft target, the world can't be too badly off. Have a nice day.

I should be tidier

I ditched the old laptop bag and got a new one. Much better. The new one is roomier on the inside than outside — and just as dangerous to aircraft security. Things end up in it that I don't know about. During my first two trips with the new bag, I have already brought several dangerous materials undetected through security checkpoints: dangerous liquids (an orange, a large bottle of hair conditioner), a sharp knife and of course something explosive.

A minor security bug in Ubuntu

This has two parts.

First, sudo, which ubuntu encourages using rather than su. Sudo can be set up to allow users to do just some things as root rather than everything, by editing the file /etc/sudoers.

Second, various Ubuntu programs that run as root. Some expect that the user's $PATH starts with /sbin and /usr/sbin, and run programs without specifying the complete file name.

If a user has limited sudoers privileges, then various Ubuntu-supplied programs can often be tricked into granting the user complete root access.

For example, sudo apt-get install firefox will run either ldconfig or start-stop-daemon (I forget). Not every package has this problem, but many enough to make it a FAQ.

I feel sure that whoever reports this will be told by the sudoers maintainers that the problem is with e.g. apt-get, and by the apt-get people that the problem is with sudoers. Both are reasonable responses, but I'd rather write code than argue. So all I'll do is publish this.

The cost of large-scale surveillance

Fittingly, Germany has a federal office for protecting the democratic state against nazis and other threats to democracy. Each of the sixteen states also runs a smaller effort of its own. Some have dedicated organizations, some locate the work within a ministry, but all do something.

Because of the variety it's nontrivial to add up the cost of all this. I added up six of the biggest organizations and that came to €220 million, so I blithely estimate a total of €250-300 million.

Conveniently, there are 25-30,000 nazis in Germany […More…]

The absentminded Osama

One of my not very frequently used possessions is a large laptop bag. Big enough for two laptops and some random other items, or for one laptop, a change of clothes, random chargers and whatnot, and a book. […More…]