Archive for January, 2006

31 Jan: What’s Wrong With Google Aiding Chinese Censorship? Plenty.

Doug Tygar has pointed out that Google’s efforts to assist the Chinese government in censoring the web are not yet perfected. Tygar points to an example of a technological glitch that, to me, also illustrates why one should have moral qualms about Google’s actions to aid the Chinese government.

When using Google.cn’s Image search for ‘Tiananmen’ (capitalized) one currently receives almost exclusively images of the lone student protestor halting a line of Chinese tanks as well as other images of the Tiananmen Square protest. Presumably this is not what the Chinese government wants.

However, when one uses Google.cn’s Image search for ‘tiananmen’ (uncapitalized) one currently receives almost exclusively non-descript scenic images of The Tiananmen (the entrance to the Imperial Palace Grounds). Presumably this is what the Chinese government wants both searches to produce.

(I’ve archived both pages for when Google fixes this.)

If you take a look at both of those pages you get a graphic illustration of what censorship looks like. Information related to non-violent political dissent has vanished, as if it never happened, and as if we have nothing to learn from acknowledging, recalling, or studying it. Anyone is entitled to put their head in the sand if they so choose, that’s freedom. But when a government decides on behalf of all of its citizens that they must not be allowed access to such materials, that’s the opposite of freedom.

Given two questions put to Google recently by John Battelle, we should be even more concerned:

“Given a list of search terms, can Google produce a list of people who searched for that term, identified by IP address and/or Google cookie value?”

“Given an IP address or Google cookie value, can Google produce a list of the terms searched by the user of that IP address or cookie value?”

I put these to Google. To its credit, it rapidly replied that the answer in both cases is “yes.”

Combine that ability with the Chinese government’s desire to imprison people who search for the wrong sorts of things and Google agreeing to assist the Chinese government in its censorship efforts becomes all the more disconcerting. Will Google turn over this information about Chinese dissidents? Let’s hope not. Chinese prisons do not have a sterling reputation for humane treatment of prisoners.

But even if they don’t go that far, there is a fairly simple pair of arguments that explain the logic behind the outrage over Google’s censorship of google.cn. Maybe Google didn’t think it through like this, so I’d like to help them out with the following:

  1. If a government engages in a comprehensive campaign to censor information related to non-violent a) political dissent or b) religious expression then that government is engaged in a morally reprehensible course of action. (Premise)
  2. If a corporation willingly and knowingly provides essential assistance to a government in a morally reprehensible course of action, when refusing to provide that essential assistance produces no greater harm, then that corporation is itself engaged in a morally reprehensible course of action. (Premise)
  3. The Chinese government is engaged in a comprehensive campaign to censor information related to non-violent political dissent and religious expression. (Premise)
  4. Therefore, the Chinese government is engaged in a morally reprehensible course of action. (Follows from 1 and 3).
  5. By (among other things) implementing filtering technologies at google.cn that censor information related to non-violent political dissent and religious expression, Google is willingly and knowingly providing essential assistance to the Chinese government in a morally reprehensible course of action, when refusing to provide that essential assistance would produce no greater harm. (Premise)
  6. Therefore, Google is itself engaged in a morally reprehensible course of action. (Follows from 2, 4, and 5).

I welcome counter-arguments or challenges to any of these premises, but I currently believe all the premises are uncontrovertibly true, and consequently that the above argument is valid and sound. I hope Google comes to the same set of beliefs.

29 Jan: Compare Two Directories from the Command Line

UNIX apparently has a dircmp program that will compare two directories and tell you where they differ. This is useful if you want to ensure that two directories are identical or nearly so. Maybe I’m looking in the wrong places, but I can’t find dircmp for Debian. Instead, I think this works:

diff -r --brief dir1 dir2

Enjoy.

26 Jan: Our Omnipotent President

Oh my, this post from Fafblog on our omnipotent president is too funny.

A. Well if you want, the president can stop the illegal wiretapping just for you.
Q. Really? Well thanks, that’d be great!
A. And then the terrorists can come and eat you.
Q. Wait! What?
A. Cause without the wiretaps there’s nothin to stop the terrorists from eatin you, yknow. The terrorists and their army of bees.

via boing boing.

20 Jan: Record 11 shows at once?

I am thoroughly enjoying my MythTV setup now that I have it recording over-the-air HDTV, but I have to admit that these folks at snapstream have me beat with their Godzilla PVR that is capable of simultaneously recording 4 HDTV broadcasts and 7 standard broadcasts, i.e., 11 shows at once. Of course, their setup costs about three times as much as mine and it’s not clear that there would ever be eleven things on at the same time that are worth recording, but nonetheless, it’s impressive.

19 Jan: Firefox Add-on Engines A-plenty

1. You should be using Firefox to browse the web.

2. One reason is how many add-on search engines you can add to the top right corner so that searching Wikipedia, Merriam-Webster, eBay, Amazon, Flickr Tags, etc. is just a click away and built right into the browser. It’s stunningly useful. Begin with Mozilla’s 23 popular add-on search engines, but then check out the mother lode of add-on search engines at mycroft. Just click on ‘Google’ alone and see all the different ways you can more easily utilize Google (searching News, Images, etc.) and it’ll blow your mind.

3. Note: I’ve found that after installing a bunch of these at once sometimes Firefox needs a restart before it sorts all your changes. So, if you notice strange behavior, don’t panic, just restart.

18 Jan: Remember Zork?

For those who recall text-based adventure games, check out defective yeti’s Iraqi Invasion: A Text Misadventure. Hilarious. An excerpt:

> STAY COURSE
The situation in Iraq deteriorates.

Some insurgents arrive. There is a large number of insurgents here.

> STAY COURSE
The situation in Iraq deteriorates.

> STAY COURSE
The situation in Iraq deteriorates.

Some insurgents arrive.
There is a huge number of insurgents here.

> STAY COURSE
The situation in Iraq deteriorates.

> STAY COURSE

The situation in Iraq deteriorates.

Some insurgents arrive.
There is an overwhelming number of insurgents here.

via lawgeek.

09 Jan: The Even More Perfect Debian Sarge Setup

Falko Timme at howtoforge.com has a number of excellent howtos on setting up GNU/Linux servers. I have learned much from using his Perfect Setup for Debian Sarge 3.1.

However, when I finish his perfect setup, there remain a few things that I think essential to do, particularly regarding security. There are an increasing number of dictionary attacks against ssh servers that should be addressed. I do the following:

# apt-get install logcheck

Edit /etc/logcheck/logcheck.conf and change the SENDMAILTO="your@email.address" line to include your email address so you can be notified of suspicious log activity.

To actually ban those ssh attackers, I love a program called fail2ban that is currently in Debian unstable, but not in stable. I prefer to install it without messing with my apt sources by browsing ftp://ftp.debian.org/debian/pool/main/f/fail2ban/ and noting the filename of the latest version. Then

# wget ftp://ftp.debian.org/debian/pool/main/f/fail2ban/fail2ban_0.6.0-2_all.deb
# dpkg -i fail2ban_0.6.0-2_all.deb

Then I edit /etc/fail2ban.conf and change the maximum failures allowed from 5 to 3 and the time (in seconds) that the failed IP is banned from 10 minutes to a little over two months. Also, set up the section entitled [MAIL] to notify you of the bans.

maxfailures = 3
bantime = 6000000

[MAIL]
enabled = true
from = fail2ban@your.domain.com
to = your@email.address

# /etc/init.d/fail2ban restart
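
What a threshold of 3 looks like against a log, as an added example that is not part of the original post and is not fail2ban's own code: it counts failed SSH password attempts per source address and lists the addresses at or above the threshold. The log lines are constructed, the function names are hypothetical, and it counts over the whole input without banning anything.

```shell
#!/bin/sh
# Added example (not fail2ban's code): per-address count of failed SSH password
# attempts, the trace a dictionary attack leaves in auth.log.

# Constructed sample lines in sshd's syslog format, using documentation addresses.
sample_log() {
cat <<'EOF'
Jan  9 03:12:01 host sshd[811]: Failed password for root from 203.0.113.7 port 4021 ssh2
Jan  9 03:12:03 host sshd[813]: Failed password for illegal user admin from 203.0.113.7 port 4022 ssh2
Jan  9 03:12:05 host sshd[815]: Failed password for invalid user test from 203.0.113.7 port 4023 ssh2
Jan  9 03:14:40 host sshd[820]: Failed password for user1 from 198.51.100.20 port 5100 ssh2
Jan  9 03:14:49 host sshd[820]: Accepted password for user1 from 198.51.100.20 port 5100 ssh2
Jan  9 03:20:10 host sshd[830]: Failed password for invalid user backup from 192.0.2.99 from 198.51.100.20 port 6000 ssh2
EOF
}

# Print "count address" for every source at or above the threshold (assumed
# meaning of maxfailures). The address is read from the fixed tail
# "from ADDR port N ssh2": the user name is client-supplied text and may itself
# contain spaces or the word "from", so the first "from" is not reliable.
ssh_offenders() {   # usage: ssh_offenders MAXFAILURES < logfile
    awk -v max="$1" '
        /sshd\[[0-9]+\]: Failed password for / &&
        $NF == "ssh2" && $(NF-2) == "port" && $(NF-4) == "from" {
            count[$(NF-3)]++
        }
        END { for (ip in count) if (count[ip] >= max) print count[ip], ip }
    ' | sort -k1,1nr -k2,2
}

sample_log | ssh_offenders 3    # same threshold as maxfailures = 3 above
```

On a real server, feed it /var/log/auth.log instead of the sample.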

Next, edit /etc/ssh/sshd_config and add the usernames of anyone authorized to have ssh access:

AllowUsers user1 user2 user3

Then, perhaps it’s the nascent attorney in me, but I like to put the SSH attackers on notice that their unauthorized access attempts are not welcome. In the same sshd_config file, uncomment

Banner = /etc/issue.net

Then edit /etc/issue.net to contain only the following text:

If you are not authorized to access this system, LEAVE NOW.
Access attempts will be logged. Unauthorized access will be prosecuted.

On servers that have excess processor cycles and bandwidth, it’s also nice to help out the Tor network by (at least) being a middle-man server. (Tor is free software that improves your privacy online and their network relies on volunteer servers.) I prefer to run the latest version and stay up to date, so modifying /etc/apt/sources.list is the way to go. Add:

deb http://mirror.noreply.org/pub/tor experimental-0.1.1.x-sarge main

# apt-get update
# apt-get install tor privoxy socat

Then to allow no more than 1 GB of traffic per day at an average rate no greater than 75 KB/s edit /etc/tor/torrc like so:

Nickname something-unique-like-your-hostname
ContactInfo Your Name <your AT email dot address>
BandwidthRate 75 KB
AccountingStart day 12:00
AccountingMax 1 GB

Then be sure to uncomment:

ORPort 9001
DirPort 9030
ExitPolicy reject *:* # middleman only -- no exits allowed

# /etc/init.d/tor restart
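
A quick way to confirm that the sshd_config and torrc lines above are active rather than still commented out, as an added example that is not part of the original post: it reads the first active value of a keyword and reports what is missing. The function names and sample files are constructed for illustration, and "#" is treated as starting a comment anywhere on a line.

```shell
#!/bin/sh
# Added example: check that the settings from the post are active in both files.

# Print the value of the first active line for KEY in an sshd_config- or
# torrc-style file. Keywords are case-insensitive; "=" may separate key and value.
conf_value() {   # usage: conf_value KEY FILE
    awk -v key="$1" '
        { sub(/#.*/, ""); sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }
        $0 == "" { next }
        {
            k = $1; sub(/=.*/, "", k)
            if (tolower(k) != tolower(key)) next
            v = $0; sub(/^[^ \t=]+[ \t]*=?[ \t]*/, "", v)
            print v; exit
        }' "$2"
}

# Print one line per finding; the return status is the number of findings.
audit() {   # usage: audit SSHD_CONFIG TORRC
    n=0
    [ -n "$(conf_value AllowUsers "$1")" ] || { echo "sshd: AllowUsers not set"; n=$((n+1)); }
    [ "$(conf_value Banner "$1")" = "/etc/issue.net" ] || { echo "sshd: Banner not active"; n=$((n+1)); }
    # Tor applies exit policy rules in order, so the first rule must be the reject.
    [ "$(conf_value ExitPolicy "$2")" = "reject *:*" ] || { echo "tor: first ExitPolicy is not reject *:*"; n=$((n+1)); }
    [ -n "$(conf_value AccountingMax "$2")" ] || { echo "tor: AccountingMax not set"; n=$((n+1)); }
    return "$n"
}

# Constructed samples: "good" follows the post, "bad" leaves the lines commented.
make_samples() {   # usage: make_samples DIR
    printf '%s\n' 'Port 22' 'AllowUsers user1 user2 user3' 'Banner = /etc/issue.net' > "$1/sshd_good"
    printf '%s\n' 'Port 22' '#AllowUsers user1' '#Banner /etc/issue.net' > "$1/sshd_bad"
    printf '%s\n' 'ORPort 9001' 'AccountingMax 1 GB' 'ExitPolicy reject *:* # middleman only' > "$1/torrc_good"
    printf '%s\n' 'ORPort 9001' '#ExitPolicy reject *:*' 'ExitPolicy accept *:80' > "$1/torrc_bad"
}

d=$(mktemp -d) && make_samples "$d"
audit "$d/sshd_good" "$d/torrc_good" && echo "good: all settings active"
audit "$d/sshd_bad" "$d/torrc_bad" || echo "bad: $? finding(s)"
rm -rf "$d"
```

On a real server, run audit /etc/ssh/sshd_config /etc/tor/torrc.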

Then make logcheck do a little more work for you by editing /etc/logcheck/logcheck.logfiles to include:

/var/log/tor/log
/var/log/daemon.log

After a few days, when you know the tor server is working correctly, you should register it. Send mail to tor-ops@freehaven.net with a subject of ‘[New Server] (your server’s nickname)’ and include the following information in the message:

  • Your server’s nickname
  • The fingerprint for your server’s key (the contents of the “fingerprint” file in your DataDirectory — on Linux/BSD/Unix, look in /var/lib/tor or ~/.tor)
  • Who you are, so the tor ops know whom to contact if a problem arises
  • What kind of connectivity the new server will have

Finally, you should implement some sort of backup process. Falko at howtoforge comes to the rescue again with his Automated backups with rdiff-backup. (Strangely, I can get remote backups to work like this fine, but backing up the backup server itself required me to resort to a root cronjob, despite different howtos describing two alternative ways to handle this. –Update: solved.)

Also, if you’re doing rdiff-backups across various GNU/Linux distributions it’s usually important to have the same version of rdiff-backup installed on each. In this event, you might not want to follow the installation instructions at howtoforge (just the subsequent configuration stuff). For manual installations, do this:

Step 1: Get Python dependencies (explained for Debian, but just do the equivalent for your distro).

# apt-get install python2.3 python2.3-dev python2.3-pylibacl python2.3-pyxattr

(Those last two are optional, but you might as well…)

Step 2: Get librsync.

# wget http://easynews.dl.sourceforge.net/sourceforge/librsync/librsync-0.9.7.tar.gz
# tar zvxf librsync-0.9.7.tar.gz
# cd librsync-0.9.7
# ./configure
# make
# make install
# ldconfig

Step 3: Get rdiff-backup.

# wget http://savannah.nongnu.org/download/rdiff-backup/rdiff-backup-1.0.4.tar.gz
# tar zvxf rdiff-backup-1.0.4.tar.gz
# cd rdiff-backup-1.0.4
# python setup.py install

Then you configure according to the howtoforge article linked above and you’ll be backing up in style.

When I get a chance I may also explain how to set up snort, portsentry, and spamassassin. I’ve also used Bastille in the past. For the security-conscious, that’s worth looking into as well.