[Short Tip] Enable IPTV using a Netgear R8000

I recently got IPTV for my DSL. Included was an multimedia box, which I connected via WiFi: the DSL modem was a Fritzbox 7412, the WiFi was provided by a Netgear R8000, and the WiFI receiver on the multimedia box side was a Netgear EX6200 (yeah, quite heavy setup for simple tasks) . However, IPTV didn’t work properly: few seconds after I picked a channel, the image froze and got stuck.

The solution was to not operate the R8000 in access point mode (routing IP traffic through), but in normal mode providing its own IP addresses. In that mode, it is possible to activate the IGMP proxy in Advanced -> Setup -> WAN Setup. This is the key: the IGMP proxy enables multicasting. Multicasting is needed so that the IPTV traffic is just sent to the devices which request it, and not to all devices (and thus flooding the entire network and freezing the picture).

So if you happen to use a R8000 in combination with IPTV like the “Entertain – Provided by Telekom” from 1&1 – activate the IGMP proxy to enable multicast – and enjoy the show.

Thoughts on crypted communication

Due to the recently published information about mass surveillance on a yet not known level right now the question remains how to encrypt communication. I had some thoughts regarding that topic involving a GPG like web of trust combined with user friendliness which I’d like to share here.

Given everything which was published so far, un-encrypted communication is not save at all. The same is unfortunately true for encryption methods which rely on encryption provided by the servers of some organization. If there is a centralized organization storing the keys for you, or just providing you with the encryption technology, you are screwed, because the intelligence agencies will force them to cooperate. For that reason, the encryption must take place on the end users system already (and the software must be Open Source).

However, if you have end-user encryption, you have the problem of the key exchange – if two people want to communicate securely, they need to exchange the keys or at least securely verify that a public key indeed belongs to their private key. That only works if they meet in person – or if there is a web of trust.

A common example of such a web of trust is the GPG web of trust: people who have properly verified that person A belongs to key M sign this key. If person B trusts person A, it can just use key M since it is already verified by person A. However, in case of GPG the web of trust never reached mainstream. It is mainly used by technical minded people. Most users never got used to it.

So, from what I can tell the only chance to establish a web of trust is to hide the technical details as much as possible from the users. The same is true for the actual key exchange – it needs to be as simple as possible so that each normal user can use it.

Given this background I would suggest the following solution at least for mobile phones. You download the app, and it asks the user for a password. In the background, a key pair is generated and secured with the password, and all data stored on the device are encrypted using the public key. If user A meets user B all they need to do is pressing a button in the app, and a QR code is shown. The other user scans that QR code, and its done. The user shows up in the contact list, and they can chat. In the background, the app extracts the key ID and fingerprint from the QR code, downloads the public key, signs it and uploads the signature automatically.

The biggest problem comes up when user C comes into play, wants to communicate with user A, but they both have no common connection in their web of trust. They would have to meet – or use some other way of exchanging the data securely. A simple way would still be to talk on the phone, but that never worked for GPG. So some kind of web service to host their QR code for a short time only would probably a solution, although it would be pretty risky.

To lower the danger of a man in the middle attack in the above given web example the key servers must only accept one key pair for each identity, which is different to the way GPG works. That would in fact mean that you can have each login only once – if you loose your key, your are screwed.

One question though remains: how many steps in the web of trust are still trustworthy? I guess that could be left as a configuration option if, and only if, a user wants to modify that.

To summarize: I guess that the current cryptography technologies we have could really help to establish secure communication. But to really bring that communication to the masses we need easy-to-use (read: your grandma!) applications doing everything in the background.

Skype is following your links – that’s proprietary for you

Yesterday it was reported that Skype, owned by Microsoft these days, seems to automatically follow each exchanged https link. Besides the fact that this is a huge security and personal rights problem in its own it again shows how important it is to not trust a proprietary system.

The problem, skin deep

Heise reported yesterday that Skype follows https links which have been exchanged in chats on a regular basis. First and foremost, this is a privacy issue: it looks like Skype, and thus Microsoft, scans your chat history and acts based on these findings on a regular base. That cannot be explained by “security measures” or anything like it and is not acceptable. My personal data are mine, and Microsoft should not have anything to do with as long as there is no need!

Second, there is the security problem: imagine you are exchanging private links, or even links containing passwords and usernames for direct access (you shouldn’t, but sometimes you have to). Microsoft does follows these links -and therefore gains full access to all data hidden there. Imagine these are sensitive data (private or business), you have no idea what Microsoft is going to do with them.

Third, there is the disturbing part: Microsoft only follows the https links, only the encrypted URLs. If this action would be a security thing, they would surely follow the http links as well. So there must be another explanation – but which one? It is disturbing to know that Microsoft has a motivation to regularly follow links to specifically secured content.

The problem, profound

While these news are shocking, the root problem is not Skype or the behavior of Microsoft – I am pretty sure that their Licence Agreement will cover such actions. And it is most likely that others like WhatsApp, Facebook Chat or whatnot do behave in similar ways. So the actual problem is handing over all your data to a company which you have no inside to. You have no idea what they are doing, you have no control about it, and you cannot even be sure that nothing bad is done with it. Also, most vendors try to lock you in with your service, so that switching away from them is painfully due to used workflows, tools and social networks.

The solution

From my point of view, my personal perfect solution is hosting such sensitive services on my own. However, that cannot be a solution for everyone, and I for myself cannot provide for example the SLAs others need.

Thus I guess the best solution is to be conscious about what you do – and what the consequences are. Try to avoid proprietary solutions where possible. For example for chats, try to use open protocols like XMPP. Google Talk is a good example here: company based, but still using open protocols, they even push the development forward (Jingle, …). Or, if you upload files to web services, make sure you have local backup. Also, try not to upload sensitive data – if you have to, encrypt it beforehand. And if you use social networks, try to not depend on one of them too much, use cross posts for various services at the same time if possible.

And, last but not least: ask your service providers to establish transparency and rules for a responsible and acceptable usage of your data. After all, they depend on the users trust, and if enough users are requesting such changes, they will have to follow.

Stunned by the friendliness of a stranger

Since I decided to blog again a couple of days ago I was always asked by WordPress to publish my posts in twitter as well. However, I didn’t have a twitter account and thus never really gave it any thought.

Today I had some spare time, and decided to go for it and looked for twitter.com/liquidat – and it was taken. The account was abandoned, the last tweet was from years ago, and it was obvious that the company behind it already used another, better fitting twitter account. But, nevertheless, the name was taken.

So what to do? I use my nick name “liquidat” almost everywhere, from Wikipedia over WordPress to GitHub and whatnot, and somehow I didn’t want to use another nick name for twitter. So I decided to write the people behind the twitter account if they somehow would be willing to let me have the twitter name. I went to company website, used the contact form and asked kindly – not expecting any response, and not at all a positive one, since this is a company on another continent, thousands of kilometers away.

But today I got the answer – and it was positive:

No problem. Is a pleasure help you.
[…]
I wish your success.

And in a second mail, it became even better:

Hi! This is a chain. I do well for you, you do good for someone and that
someone does for someone else, and one day your turn will come you again.
Be happy

I am stunned. And speechless. And can hardly believe the fact that this person actually decided to help me. And that the reason behind it was a reason I try to live myself: helping others where you can so that they help others, to make this blue marble a better place. To actually help someone you never met and most likely will never meet who is living thousands of kilometers away, is a beautiful thing to do. And just gave me a bit more faith in humanity.

So: I am now on twitter as liquidat. And that is due to the kindliness and friendliness of the people at liquidation.com.br. I wish them all the best, and best regards!

So there are people who want to make this a better place. I like that =)

Last call for ….

I haven’t posted anything in a while on this blog, and now I made the decision that this will not change: it is unlikely that this blog will be updated anytime soon. The reason is actually twofold:

Job

I’m working full time as an Open Source/Linux consultant these days – and after work I do not really have the time nor the energy to invest even more time into Open Source (besides the Fedora packaging).

Company’s Blog

I was successful in convincing enough people in our company to start a blog – and I blog there since then, so when I get home I usually already have blogged about whatever comes to my mind.

That means effectively that you will not receive any more new posts here. It hurts my heart and kills kittens, but you can remove the blogfeed. @planets where I might still be listed at: please remove this blog feed as well.

However, if you *do* want to keep up with my thoughts: credativ’s company blog is working quite nice these days. Btw., in case you don’t know, credativ is an Open Source/Linux company and the one behind the Open Source Support Center (OSSC) and the Open Source Support Card (yeah, “catchy” names, I know). They are focussed on Open Source support (Linux-Support, PostgreSQL-Support, etc.) and have offices in DE, UK, US, etc. So the general topics are pretty close to this blog. If you look close you will recognize my style: short italic introduction, eye catcher on the upper right side, special headline markings for Howtos and Short Tips, and so on. Also, the categories are quite the same, and it is actually available in German and English. Also, I am not the only person writing there – one very active PostgreSQL developer keeps blogging there, if I want it or not. 😉

However – it is a company blog, so you will (!) find information regarding the company itself, or newest marketing things. You are warned!

So this is it: the last post. Thanks everyone for wonderful years full of blogging, discussions, news, Howtos and good tips. So long, and thanks for the fish! 🙂