Category Archives: Freedom

Migration to my own email server

After the revelation of the mass surveillance programs used by government agencies from various countries and given the unhealthy amount of information that I provided to Google, using services such as Gmail, Google Maps, etc, I decided already in mid-2013 to take my privacy back.

I already had setup my own calendar (calDAV) and contact list (cardDAV) using Baikal on my own server and Davdroid. However, in the past couple of weeks, I finally completed the last point I still wanted to implement: migrate away from Gmail to run my own email server. I followed this excellent setup guide to setup Postfix, Dovecot & Co and am now reachable at herve at hmarcy.com. I moved all my Gmail emails with Thunderbird by copying the IMAP files and everything works just fine. I did not receive any spam so far. If you have a little bit of experience with Linux system administration, I strongly advise you to give it a shot, because the tutorial is really easy.

If you feel comfortable using Gmail or other free email services based in the US, maybe this video will help change your mind.

This is also of course valid for non-US citizens/residents, as the US government shares a lot of information with foreign government agencies. The Electronic Frontier Foundation also published pretty much everything you need to know about the scale of the NSA spying activities at https://www.eff.org/nsa-spying

Do you want to make the content of your emails safe and (fairly) unreadable by a third party, be it Google or anyone else? Encrypt them conveniently with GPG, Thunderbird & Enigmail. The Enigmail quick start guide will help you to do so!

The state should not dictate cybersecurity policies to businesses

I read the Handelsblatt this morning and its headlines were all about IT security and what an immense threat such attacks represent for both corporations and government agencies. While I agree with the diagnosis of the situation -IT security is indeed critical- the response from the German government seems to me completely absurd.

Thomas de Maizières (CDU – Christian Democrat), the German minister of interior declared that Germany should take a leadership role in Europe to fight cybercrime and develop a comprehensive regulatory framework. This would make it compulsory for businesses to update and maintain their security infrastructure through an “IT security law”.

One should, however clearly differentiate whether the state wants to protect itself or German businesses. The former is a legitimate and perfectly acceptable mission, the latter can only lead to an increase of bureaucratic burden and costs and will most certainly not bring the expected benefits.

Thomas de Meizières announced an investment plan of 300€ millions in the cybersecurity infrastructure of the German secret service (Bundesnachrichtendienst, BND). This measure seems to make sense for three reasons. First, more and more people have an access to the Internet (which increases the pool of potential attackers, professional or not). Second, the increased sophistication of attacks makes it urgent to make sure that the intelligence agency is well protected. Finally, it is no secret that state agencies from various countries stand behind large scale attacks in order to gain access to technology or information.

The German government, however, also wants to help protect businesses through a law creating mandatory guidelines aiming at improving the information security, and hence the competitiveness of German companies.

I believe that this approach is completely ill-suited and will fail. Why? Because it is a company’s duty to protect its confidential information and there are probably as many ways to protect information as there are companies. One of the IT departments of a very large French bank, provides a key component of their security infrastructure. As one would expect from a financial services institution, they tend to be quite conservative, not applying the last updates to their systems. They simply favor stability over new features. A couple of months ago, Heartbleed, a security bug in an encryption system called OpenSSL was disclosed. This failure allowed an attacker to decipher any message presumably safe and hence get access to confidential information. This Heartbleed bug was only applicable to the OpenSSL versions 1.0.1 and above. The bank, however, ran an earlier version of OpenSSL that was still supported, which means that they were safe against this attack. With such an IT security law, the government would have had the authority to force a German bank in a similar case to use a pre-defined software versions. What would have happened if the state, for one reason or another, would have forced the bank to apply non-security related updates to the software, although they did not need it? It could lead to a situation where the bank is forced to update its software against its will and its interest, for a more than dubious advantage.

Moreover, the law would apply to all companies running an IT infrastructure, and it is almost impossible to create a baseline for companies that differ to such great extent. The electrical toothbrush company should have a similar security policy as Airbus, that builds fighter jets?

Finally, who will enforce the law? Will state agencies have to audit every company in Germany to make sure that security updates are applied? Where will they find the security experts for not only Linux, Windows, but also antiquated operating systems, such as OpenVMS (which runs some of the critical operations of many companies)? You can count people who understand this type of software (supported by their vendors) one two hands in Europe. Maximum. This law will lead either to a bad compromise, based on the lowest common denominator that will change nothing, and to a bureaucratic burden for companies that will reduce the competitiveness of Germany companies. Literally the opposite of what the government intended.

So what should the government do? US president Obama, according to the Handelsblatt, declared that “the government cannot do everything, because most of the IT infrastructure lies in the hand of the private sector. But the private sector alone can also not deal with everything, because the government very often has the most current in formation about threats.”. In my opinion, if the government is in possession of this type of information, it should release it as soon as possible to all. It is the responsibility of the government to protect itself against attacks, it is also a proof of being a good world citizen to alert as many people as possible of a possible security bug. This of course benefits businesses, who can protect themselves. Openness is the key and collaboration with IT providers and companies will help the latter become more aware about security threats that might endanger their competitiveness. Whether they do something about it or not is their prerogative and should be implemented according to their priorities.

Not state coercion, but full openness and collaboration between the state, IT providers and businesses will make Germany a leader in cybersecurity.

Taking my privacy back

In the light of the recent revelations about the large-scale spying activities of the NSA (and others, including European agencies), I will be changing my behavior to make the most of my right to keep my privacy intact. I am not stupid enough to believe that this will protect me completely from intruders, companies and government agencies alike, but I want to make use of my right to do whatever I want to do without being suspected or spied on. So I will gradually undertake the following steps:
use Tor for as much traffic as possible, including web and email. This includes not only my home desktop, but my work laptop as well as my Android mobile phone. The Tor project can help you protect your privacy. The connection is slower, but that is a small price to pay. It takes a couple of minutes to install  see https://www.torproject.org/ Having already started to use it, I noticed how Google and Microsoft services hate to see you somehow anonymous, asking at every connection if you are the legitimate user of the account.
run my own mail server. I will gradually leave GMail, which -granted- is a fantastic service, for something like email at hmarcy dot com. Gmail is way to intrusive for me and giving my or someone else’s data to the NSA does not play in Google’s favor either.
replace Google analytics with Piwik. As I do not want to be spied on, I do not want you to be spied on when you visit my website. I started an OpenShift application with Piwik to monitor my website to not give your data away to Google through Google Analytics
remove +1 buttons. I actually installed a WordPress plugin on this website to share my articles on Facebook, Google+ and LinkedIn. I removed it because these buttons will help these service to track your browsing behavior and that is just not right.
run my own calendar application. I will stop using Google Calendar and take an open-source replacement for it on my server.
use jabber. Using Jabber alone will not help protect my privacy, but I trust the jabber.org people much more than Google with their Hangouts. Feel free to add me herve at jabber  dot de. See http://www.jabber.org/
use Ixquick as search engine.
use the browser extensions Ghostery and adblock
use OSMand instead of Google Maps on my Android mobile phone (look for “osmand” on Google Play Store). It is a GPLv3 application !

CyanogenMod installed on my Galaxy SII using Fedora

As I am on vacation with some time to kill, I decided to free my Samsung Galaxy SII from all the Samsung crapware and install an open-source version (GPLv2 and Apache 2 licenses) of Android on it : CyanogenMod. Here is how I did it, using Fedora 17 only.

I do not take any responsibility for what you do with your device. YMMV with your Android version and hardware model. This kind of operations voids the warranty of your smartphone and may damage it irreversibly. (But, hey, it’s fun 🙂 )

First, let’s compile and install the tool that will help us to root our Android mobile phone “Heimdall”. We start by installing the development tools and needed libraries.

# yum -y install “Development Tools”
# yum -y install libusb1-devel

Then we compile and install the actual program

$ git clone git://github.com/Benjamin-Dobell/Heimdall.git
$ cd Heimdall/libpit
$ ./autogen.sh
$./configure
$ make
$ cd ../heimdall
$ ./autogen.sh
$ ./configure
$ make
# make install

After that, we download the tool that will root our Android phone: ClockworkMod Recovery, our CyanogenMod operating system as well as Google Apps.

$ wget http://cmw.22aaf3.com/c1/recovery/recovery-clockwork-5.5.0.4-galaxys2.tar
$ md5sum recovery-clockwork-5.5.0.4-galaxys2.tar
364315cb9a499d50638d05b93bb44422  recovery-clockwork-5.5.0.4-galaxys2.tar

$ wget http://download.cyanogenmod.com/get/jenkins/4627/cm-9.0.0-RC2-galaxys2.zip
$ md5sum cm-9.0.0-RC2-galaxys2.zip
ee62fd69d305d8af79e65cd7c8bdd459  cm-9.0.0-RC2-galaxys2.zip

$ wget http://goo.im/gapps/gapps-ics-20120429-signed.zip
$ md5sum gapps-ics-20120429-signed.zip
7c524e1e078164f681e0aa6753180b2c  gapps-ics-20120429-signed.zip

We then extract the following file

$ tar -xvf recovery-clockwork-5.5.0.4-galaxys2.tar

The extracted file is a kernel image called “zImage” that we will boot on later on

Put the CyanogenMod as well as the GoogleApps in the root directory of your SD card, then, let’s get rid of the Samsungoid ! This is also the right moment to backup your data and configuration, in case anything goes wrong.

Power off the Samsung Galaxy S II and connect the microUSB to the computer but not to the Samsung Galaxy S II.
Boot the Samsung Galaxy S II into download mode by holding down Home & Volume Down & Power while connecting the microUSB to it.
Change the directory back to where the previously extracted zImage file is and execute the following command

# heimdall flash –kernel zImage

A blue transfer bar will appear on the phone showing the kernel being transferred. But, unlike CyanogenMod’s documentation mentionned, my Galaxy SII did not reboot automatically. I tried to boot it by pressing on the power button on the right side, but it did not work. The only thing that worked was starting the phone by pressing on Home & Volume Up & Power at the same time, until the ClockworkMod Recovery booted.

In ClockworkMod Recovery, select the following options

“Wipe data/factory reset” then “Wipe cache partition”
“Install zip from sdcard” -> “Choose zip from sdcard” and choose first CyanogenMod and redo the operation for the Google Apps zip file

Once the installation has finished, select “Go Back” to get back to the main menu, and select “Reboot system now” and CyanogenMod should boot as it did for me.

So far, the user experience is much better and my phone is way faster than it used to be. The process was not as straightforward as I described it here and I had a couple of “interesting” moments when the Galaxy did not boot as expected, but I hope it will make your switch to a freer operating system smoother.