Michal Čihař: Weblate users survey
Filed under: Debian English phpMyAdmin SUSE Weblate 0 comments
demo account using demo password or register your own user. Weblate is also being used on https://hosted.weblate.org/ as official translating service for phpMyAdmin, OsmAnd, Aptoide, FreedomBox, Weblate itself and many other projects.
Should you be looking for hosting of translations for your project, I'm happy to host them for you or help with setting it up on your infrastructure.
Further development of Weblate would not be possible without people providing donations, thanks to everybody who has helped so far! The roadmap for the next release is just being prepared; you can influence this by expressing support for individual issues either by comments or by providing a bounty for them.
Filed under: Debian English SUSE Weblate 0 comments
As children use digital media to learn and socialize, others are collecting and analyzing data about these activities. In school and at play, these children find that they are the subjects of data science. As believers in the power of data analysis, we believe that this approach falls short of data science's potential to promote innovation, learning, and power.
Motivated by this fact, we have been working over the last three years as part of a team at the MIT Media Lab and the University of Washington to design and build a system that attempts to support an alternative vision: children as data scientists. The system we have built is described in a new paper, "Scratch Community Blocks: Supporting Children as Data Scientists", that will be published in the proceedings of CHI 2017.
Our system is built on top of Scratch, a visual, block-based programming language designed for children and youth. Scratch is also an online community with over 15 million registered members who share their Scratch projects, remix each other's work, have conversations, provide feedback, bookmark or "love" projects they like, follow other users, and more. Over the last decade, researchers, including us, have used the Scratch online community's database to study the youth using Scratch. With Scratch Community Blocks, we attempt to put the power to programmatically analyze these data into the hands of the users themselves.
To do so, our new system adds a set of new programming primitives (blocks) to Scratch so that users can access public data from the Scratch website from inside Scratch. Blocks in the new system give users access to project and user metadata, information about social interaction, and data about what types of code are used in projects. The full palette of blocks to access different categories of data is shown below.
The new blocks allow users to programmatically access, filter, and analyze data about their own participation in the community. For example, with the simple script below, we can find whether we have followers in Scratch who report themselves to be from Spain, and what their usernames are.
In designing the system, we had two primary motivations. First, we wanted to support avenues through which children can engage in curiosity-driven, creative explorations of public Scratch data. Second, we wanted to foster self-reflection with data. As children looked back upon their own participation and coding activity in Scratch through the project they and their peers made, we wanted them to reflect on their own behavior and learning in ways that shaped their future behavior and promoted exploration.
After designing and building the system over 2014 and 2015, we invited a group of active Scratch users to beta test the system in early 2016. Over four months, 700 users created more than 1,600 projects. The diversity and depth of users' creativity with the new blocks surprised us. Children created projects that gave the viewer of the project a personalized doughnut-chart visualization of their coding vocabulary on Scratch, rendered the viewer's number of followers as scoops of ice-cream on a cone, attempted to find whether "love-its" for projects are more common on Scratch than "favorites", and told users how "talkative" they were by counting the cumulative string-length of project titles and descriptions.
We found that children, rather than making canonical visualizations such as pie-charts or bar-graphs, frequently made information representations that spoke to their own identities and aesthetic sensibilities. A 13-year-old girl had made a virtual doll dress-up game where the player's ability to buy virtual clothes and accessories for the doll was determined by the level of their activity in the Scratch community. When we asked about her motivation for making such a project, she said:
"I was trying to think of something that somebody hadn't done yet, and I didn't see that. And also I really like to do art on Scratch and that was a good opportunity to use that and mix the two [art and data] together."
We also found at least some evidence that the system supported self-reflection with data. For example, after seeing a project that showed its viewers a visualization of their past coding vocabulary, a 15-year-old realized that he does not do much programming with the pen-related primitives in Scratch, and wrote in a comment, "epic! looks like we need to use more pen blocks. :D."
Additionally, we noted that as children made and interacted with projects made with Scratch Community Blocks, they started to critically think about the implications of data collection and analysis. These conversations are the subject of another paper (also being published in CHI 2017).
In a 1971 article called "Teaching Children to be Mathematicians vs. Teaching About Mathematics", Seymour Papert argued for the need for children doing mathematics vs. learning about it. He showed how Logo, the programming language he was developing at that time with his colleagues, could offer children a space to use and engage with mathematical ideas in creative and personally motivated ways. This, he argued, enabled children to go beyond knowing about mathematics to doing mathematics, as a mathematician would.
Scratch Community Blocks has not yet been launched for all Scratch users and has several important limitations we discuss in the paper. That said, we feel that the projects created by children in our beta test demonstrate the real potential for children to do data science, and not just know about it, provide data for it, and to have their behavior nudged and shaped by it.
git remote set-url origin https://github.com/WeblateOrg/weblate.git
install command (not the install_data!), you will have self.root
and self.install_scripts (and lots of other self.install_*). As a
result, you can read the template and write the desired output file
after calling super's run method. The fix was inspired by GateOne
(which, however, doesn't get the --root parameter right: you need to
strip self.root from the beginning of the path to actually make that
work as intended).
As suggested on IRC, the snippet (and my software) now use pkg-config
to get at the systemd path as well. This is a nice improvement
orthogonal to the original problem. The implementation here follows
bley.
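import os
import subprocess

# The original post does not show its imports; setuptools' install command is assumed.
from setuptools.command.install import install


def systemd_unit_path():
    # Ask pkg-config where systemd units live, with the usual default as fallback.
    try:
        command = ["pkg-config", "--variable=systemdsystemunitdir", "systemd"]
        path = subprocess.check_output(command, stderr=subprocess.STDOUT)
        return path.decode().replace('\n', '')
    except (subprocess.CalledProcessError, OSError):
        return "/lib/systemd/system"


class my_install(install):
    _servicefiles = [
        'foo/bar.service',
    ]

    def run(self):
        install.run(self)

        if not self.dry_run:
            # self.root is None unless --root was given
            root = self.root or ""
            # %BINDIR% must be the path on the installed system, so strip the staging root
            bindir = self.install_scripts
            if root and bindir.startswith(root):
                bindir = bindir[len(root):]

            systemddir = "%s%s" % (root, systemd_unit_path())
            # the unit directory may not exist yet below a fresh staging root
            os.makedirs(systemddir, exist_ok=True)

            for servicefile in self._servicefiles:
                service = os.path.split(servicefile)[1]
                self.announce("Creating %s" % os.path.join(systemddir, service),
                              level=2)
                with open(servicefile) as servicefd:
                    servicedata = servicefd.read()

                with open(os.path.join(systemddir, service), "w") as servicefd:
                    servicefd.write(servicedata.replace("%BINDIR%", bindir))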
Comments, suggestions and improvements, of course, welcome!
32-bit number of index entries.
What? The index/staging area can't handle more than ~4.3 billion files? There I was, writing Rust code to write out the index.
try!(out.write_u32::<NetworkOrder>(self.entries.len()));
(For people familiar with the byteorder crate and wondering what NetworkOrder is, I have a use byteorder::BigEndian as NetworkOrder)
And the Rust compiler rightfully barfed:
error: mismatched types:
expected u32 ,
found usize [E0308]
And there I was, wondering: "mmmm should I just add as u32 and silently truncate or... hey what does git do?"
And it turns out, git uses an unsigned int to track the number of entries in the first place, so there is no truncation happening.
Then I thought "but what happens when cache_nr reaches the max?"
Well, it turns out there's only one obvious place where the field is incremented.
What? Holy coffin nails, Batman! No overflow check?
Wait a second, look 3 lines above that:
ALLOC_GROW(istate->cache, istate->cache_nr + 1, istate->cache_alloc);
Yeah, obviously, if you're incrementing cache_nr, you already have that many entries in memory. So, how big would that array be?
struct cache_entry **cache;
So it's an array of pointers, assuming 64-bits pointers, that's ~34.3 GB. But, all those cache_nr entries are in memory too. How big is a cache entry?
struct cache_entry {
    struct hashmap_entry ent;
    struct stat_data ce_stat_data;
    unsigned int ce_mode;
    unsigned int ce_flags;
    unsigned int ce_namelen;
    unsigned int index; /* for link extension */
    unsigned char sha1[20];
    char name[FLEX_ARRAY]; /* more */
};
So, 4 ints, 20 bytes, and as many bytes as necessary to hold a path. And two inline structs. How big are they?
struct hashmap_entry {
    struct hashmap_entry *next;
    unsigned int hash;
};
struct stat_data {
    struct cache_time sd_ctime;
    struct cache_time sd_mtime;
    unsigned int sd_dev;
    unsigned int sd_ino;
    unsigned int sd_uid;
    unsigned int sd_gid;
    unsigned int sd_size;
};
Woohoo, nested structs.
struct cache_time {
    uint32_t sec;
    uint32_t nsec;
};
So all in all, we're looking at 1 + 2 + 2 + 5 + 4 32-bit integers, 1 64-bits pointer, 2 32-bits padding, 20 bytes of sha1, for a total of 92 bytes, not counting the variable size for file paths. The average path length in mozilla-central, which only has slightly over 140 thousands of them, is 59 (including the terminal NUL character). Let's conservatively assume our crazy repository would have the same average, making the average cache entry 151 bytes. But memory allocators usually allocate more than requested. In this particular case, with the default allocator on GNU/Linux, it's 156 (weirdly enough, it's 152 on my machine). 156 times 4.3 billion ≈ 670 GB. Plus the 34.3 from the array of pointers: 704.3 GB. Of RAM. Not counting the memory allocator overhead of handling that. Or all the other things git might have in memory as well (which apparently involves a hashmap, too, but I won't look at that, I promise). I think one would have run out of memory before hitting that integer overflow.
Interestingly, looking at Documentation/technical/index-format.txt again, the on-disk format appears smaller, with 62 bytes per file instead of 92, so the corresponding index file would be smaller. (And in version 4, paths are prefix-compressed, so paths would be smaller too).
But having an index that large supposes those files are checked out. So let's say I have an empty ext4 file system as large as possible (which I'm told is 2^60 bytes (1.15 billion gigabytes)). Creating a small empty ext4 tells me at least 10 inodes are allocated by default. I seem to remember there's at least one reserved for the journal, there's the top-level directory, and there's lost+found; there apparently are more. Obviously, on that very large file system, we'd have a git repository. git init with an empty template creates 9 files and directories, so that's 19 more inodes taken. But git init doesn't create an index, and doesn't have any objects. We'd thus have at least one file for our hundreds of gigabyte index, and at least 2 who-knows-how-big files for the objects (a pack and its index). How many inodes does that leave us with?
The Linux kernel source tells us the number of inodes in an ext4 file system is stored in a 32-bits integer.
So all in all, if we had an empty very large file system, we'd only be able to store, at best, 2^32 - 22 files... And we wouldn't even be able to get cache_nr to overflow.
... while following the rules. Because the index can keep files that have been removed, it is actually possible to fill the index without filling the file system. After hours (days? months? years? decades?*) of running
seq 0 4294967296 | while read i; do touch $i; git update-index --add $i; rm $i; done
One should be able to reach the integer overflow. But that'd still require hundreds of gigabytes of disk space and even more RAM.
seq 0 100000 4294967296 | while read i; do j=$(seq $i $(($i + 99999))); touch $j; git update-index --add $j; rm $j; done
At the rate the first million files were added, still assuming a constant rate, it would take about a month on my machine. Considering reading/writing a list of a million files is a thousand times faster than reading a list of a billion files, assuming linear increase, we're still talking about decades, and plentiful RAM. Fun fact: after leaving it run for 5 times as much as it had run for the first million files, it hasn't even done half more...
One could generate the necessary hundreds-of-gigabytes index manually, that wouldn't be too hard, and assuming it could be done at about 1 GB/s on a good machine with a good SSD, we'd be able to craft a close-to-explosion index within a few minutes. But we'd still lack the RAM to load it.
So, here is the open question: should I report that integer overflow?
Wow, that was some serious procrastination.
Edit: Epilogue: Actually, oops, there is a separate integer overflow on the reading side that can trigger a buffer overflow, that doesn't actually require a large index, just a crafted header, demonstrating that yes, not all integer overflows are equal.
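
Both halves of the story, the `as u32` question on the writing side and the crafted header on the reading side, come down to how the 32-bit entry count is handled. The following is an added example, not code from the post or from git: it writes the 12-byte index header with a checked conversion and, when reading, validates the count against the file size before anything would be allocated from it. The function names, the error type and the use of the post's 62-bytes-per-entry figure as a lower bound are assumptions of this example, and a 64-bit usize is assumed.

```rust
use std::convert::TryFrom;

// Header layout from git's Documentation/technical/index-format.txt:
// 4-byte signature "DIRC", 4-byte version, 32-bit number of index entries,
// all in network byte order.
const SIGNATURE: &[u8; 4] = b"DIRC";
const HEADER_LEN: u64 = 12;
// Assumption: the 62 bytes per entry quoted in the post, used as a lower bound.
const MIN_ENTRY_LEN: u64 = 62;

#[derive(Debug, PartialEq)]
enum IndexError {
    TooManyEntries(usize),
    Truncated,
    BadSignature,
    BadVersion(u32),
    CountExceedsFile { count: u32, max_possible: u64 },
}

// What `as u32` would do: keep the low 32 bits and say nothing.
fn truncating_count(entries: usize) -> u32 {
    entries as u32
}

// Writer side: refuse to emit a header whose count field cannot hold the
// real number of entries.
fn write_header(version: u32, entries: usize) -> Result<[u8; 12], IndexError> {
    let count = u32::try_from(entries).map_err(|_| IndexError::TooManyEntries(entries))?;
    let mut out = [0u8; 12];
    out[..4].copy_from_slice(SIGNATURE);
    out[4..8].copy_from_slice(&version.to_be_bytes());
    out[8..].copy_from_slice(&count.to_be_bytes());
    Ok(out)
}

fn be_u32(bytes: &[u8]) -> u32 {
    u32::from_be_bytes([bytes[0], bytes[1], bytes[2], bytes[3]])
}

// Reader side: the count is untrusted input. Compare it, widened to 64 bits,
// with the number of minimal entries the file could possibly hold.
fn read_entry_count(header: &[u8], file_len: u64) -> Result<u32, IndexError> {
    if (header.len() as u64) < HEADER_LEN || file_len < HEADER_LEN {
        return Err(IndexError::Truncated);
    }
    if header[..4] != SIGNATURE[..] {
        return Err(IndexError::BadSignature);
    }
    let version = be_u32(&header[4..8]);
    if !(2..=4).contains(&version) {
        return Err(IndexError::BadVersion(version));
    }
    let count = be_u32(&header[8..12]);
    let max_possible = (file_len - HEADER_LEN) / MIN_ENTRY_LEN;
    if u64::from(count) > max_possible {
        return Err(IndexError::CountExceedsFile { count, max_possible });
    }
    Ok(count)
}

fn main() {
    // One more entry than the field can count.
    let too_many = u32::MAX as usize + 1;
    println!("as u32   -> {}", truncating_count(too_many));
    println!("try_from -> {:?}", write_header(2, too_many));

    // Constructed sample: a 32-byte file whose header claims u32::MAX entries.
    let mut crafted = write_header(2, 0).unwrap();
    crafted[8..].copy_from_slice(&u32::MAX.to_be_bytes());
    println!("crafted  -> {:?}", read_entry_count(&crafted, 32));
}
```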
Adults worry a lot these days. Especially, they worry about how to make other people learn more about computers. They want to make us all computer-literate. Literacy means both reading and writing, but most books and courses about computers only tell you about writing programs. Worse, they only tell about commands and instructions and programming-language grammar rules. They hardly ever give examples. But real languages are more than words and grammar rules. There's also literature: what people use the language for. No one ever learns a language from being told its grammar rules. We always start with stories about things that interest us.
In a new paper titled "Remixing as a pathway to Computational Thinking" that was recently published at the ACM Conference on Computer Supported Collaborative Work and Social Computing (CSCW) conference, we used a series of quantitative measures of online behavior to try to uncover evidence that might support the theory that remixing in Scratch is positively associated with learning. Of course, because Scratch is an informal environment with no set path for users, no lesson plan, and no quizzes, measuring learning is an open problem. In our study, we built on two different approaches to measure learning in Scratch.
The first approach considers the number of distinct types of programming blocks available in Scratch that a user has used over her lifetime in Scratch (there are 120 in total), something that can be thought of as a block repertoire or vocabulary. This measure has been used to model informal learning in Scratch in an earlier study. Using this approach, we hypothesized that users who remix more will have a faster rate of growth for their code vocabulary. Controlling for a number of factors (e.g. age of user, the general level of activity) we found evidence of a small, but positive relationship between the number of remixes a user has shared and her block vocabulary as measured by the unique blocks she used in her non-remix projects. Intriguingly, we also found a strong association between the number of downloads by a user and her vocabulary growth. One interpretation is that this learning might also be associated with less active forms of appropriation, like the process of reading source code described by Minsky.
The second approach we used considered specific concepts in programming, such as loops, or event-handling. To measure this, we utilized a mapping of Scratch blocks to key programming concepts found in this paper by Karen Brennan and Mitchel Resnick. For example, in the image below are all the Scratch blocks mapped to the concept of "loop". We looked at six concepts in total (conditionals, data, events, loops, operators, and parallelism). In each case, we hypothesized that if someone had never used a given concept before, they would be more likely to use that concept after encountering it while remixing an existing project.
Using this second approach, we found that users who had never used a concept were more likely to do so if they had been exposed to the concept through remixing. Although some concepts were more widely used than others, we found a positive relationship between concept use and exposure through remixing for each of the six concepts. We found that this relationship was true even if we ignored obvious examples of cutting and pasting of blocks of code. In all of these models, we found what we believe is evidence of learning through remixing.
Of course, there are many limitations in this work. What we found are all positive correlations; we do not know if these relationships are causal. Moreover, our measures do not really tell us whether someone has understood the usage of a given block or programming concept. However, even with these limitations, we are excited by the results of our work, and we plan to build on what we have. Our next steps include developing and utilizing better measures of learning, as well as looking at other methods of appropriation like viewing the source code of a project.
This blog post and the paper it describes are collaborative work with Sayamindu Dasgupta, Andrés Monroy-Hernández, and William Hale. The paper is released as open access so anyone can read the entire paper here. This blog post was also posted on Sayamindu Dasgupta's blog and on Medium by the MIT Media Lab.
SOURCE_DATE_EPOCH
SOURCE_DATE_EPOCH
) (Closes: #792202)SOURCE_DATE_EPOCH
also to luatexSOURCE_DATE_EPOCH
. Original patch by akiraSOURCE_DATE_EPOCH
SOURCE_DATE_EPOCH
SOURCE_DATE_EPOCH
file(GLOB ...)
sudo add-apt-repository ppa:dank/dpkg && sudo apt-get update && sudo apt-get install dpkg
should be enough to get reproducible builds on Ubuntu 16.04.
This week's edition was written by Ximin Luo and Holger Levsen and reviewed by a bunch of Reproducible builds folks on IRC.
__DATE__ / __TIME__) has been applied upstream and will be released with GCC 7.
Following that Matthias Klose also has uploaded gcc-5/5.3.1-17 and gcc-6/6.1.1-1 to unstable with a backport of that SOURCE_DATE_EPOCH patch.
Emmanuel Bourg uploaded maven/3.3.9-4, which uses SOURCE_DATE_EPOCH for the maven.build.timestamp.
(SOURCE_DATE_EPOCH specification)
Other upstream changes
Alexis Bienvenüe submitted a patch to Sphinx which extends SOURCE_DATE_EPOCH support for copyright years in generated documentation.
Packages fixed
The following 12 packages have become reproducible due to changes in their
build dependencies:
hhvm
jcsp
libfann
libflexdock-java
libjcommon-java
libswingx1-java
mobile-atlas-creator
not-yet-commons-ssl
plexus-utils
squareness
svnclientadapter
The following packages have become reproducible after being fixed:
Unfortunately, a series of recent legal rulings have forced us to suspend our campaign. In 2015, Time Warner's copyright claim to Happy Birthday was declared invalid. In 2016, a settlement was announced that calls for a judge to officially declare that the song is in the public domain. This is horrible news for the future of music. It is horrible news for anybody who cares that creators, their heirs, etc., are fairly remunerated when their work is performed. What incentive will there be for anybody to pen the next Happy Birthday knowing that less than a century after their deaths their estates and the large multinational companies that buy their estates might not be able to reap the financial rewards from their hard work and creativity? We are currently planning a campaign to push for a retroactive extension of copyright law to place Happy Birthday, and other works, back into the private domain where they belong! We believe this is a winnable fight. After all, copyright has been retroactively extended before! Stay tuned! In the meantime, we'll keep this page here for historical purposes.
Copyrighteous Benjamin Mako Hill (2016-02-11)
#ooni
IRC channel. Tor also works fine, and could be a great way
to avoid the global surveillance system described later in this
article.
Nevertheless, it still remains to be seen how the internet is censored
in the "real" Cuban internet, outside of the tourist designated
areas - hopefully future visitors or locals can expand on this using
the tools mentioned above, using the regular internet.
Usual care should be taken when using any workaround tools, mentioned
in this post or not, as different regimes over the world have accused,
detained, tortured and killed sometimes for the mere fact of using or
distributing circumvention tools. For example, a Russian developer
was arrested and detained in 2001 by United States' FBI for
exposing vulnerabilities in the Adobe e-books copy protection
mechanisms. Similarly, people distributing Tor and other tools have
been arrested during the period prior to the revolution in Tunisia.
--- 10.0.0.1 ping statistics ---
163 packets transmitted, 31 received, 80% packet loss, time 162391ms
rtt min/avg/max/mdev = 133.700/2669.535/64188.027/11257.336 ms, pipe 65
Still, it allowed me to log in to my home server through SSH using
Mosh to work around the reliability issues.
Every once in a while, mosh would get stuck and keep on trying to send
packets to probe the server, which would clog the connection even
more. So I regularly had to restart the whole stack using these
commands:
killall iodine # stop DNS tunnel
nmcli n off # turn off wifi to change MAC address
macchanger -A wlan0 # change MAC address
nmcli n on # turn wifi back on
sleep 3 # wait for wifi to settle
iodine-client-start # restart DNS tunnel
The Koumbit Wiki has good instructions on
how to set up a DNS tunnel. I am wondering if such a public service
could be of use for Cubans, although I am not sure how it could be
deployed only for Cubans, and what kind of traffic it could
support... The fact is that iodine does require a server to
operate, and that server must be run on the outside of the censored
perimeter, something that Cubans may not be able to afford in the
first place.
Another possible way to save money with the captive portal would be to
write something that automates connecting and disconnecting from the
portal. You would feed that program a list of credentials and it would
connect to the portal only on demand, and disconnect as soon as no
traffic goes through. There are details on the implementation of the
captive portal below that may help future endeavours in that field.
Wifi_Memories_Jibacoa which, for anyone that cares to research, will
give them a location of about 20 square meters where I was located
when connected (there is only one access point in the whole hotel).
Finally, the central portal also knows my MAC address,
a unique identifier for the computer I am using which also reveals
which brand of computer I am using (Mac, Lenovo, etc). While this
address can be changed, very few people know that, let alone how.
This led me to question whether I would be allowed back in Cuba (or
even allowed out!) after publishing this blog post, as it is obvious
that I can be easily identified based on the time this article was
published, my name and other details. Hopefully the Cuban government
will either not notice or not care, but this can be a tricky
situation, obviously. I have heard that Cuban prisons are not the best
hangout place in Cuba, to say the least...
[1034]anarcat@angela:cuba$ speedtest
Retrieving speedtest.net configuration...
Retrieving speedtest.net server list...
Testing from Empresa de Telecomunicaciones de Cuba (152.206.92.146)...
Selecting best server based on latency...
Hosted by LIME (George Town) [391.78 km]: 317.546 ms
Testing download speed........................................
Download: 1.01 Mbits/s
Testing upload speed..................................................
Upload: 1.00 Mbits/s
Latency to the rest of the world is of course slow:
--- koumbit.org ping statistics ---
122 packets transmitted, 120 received, 1,64% packet loss, time 18731,6ms
rtt min/avg/max/sdev = 127,457/156,097/725,211/94,688 ms
--- google.com ping statistics ---
122 packets transmitted, 121 received, 0,82% packet loss, time 19371,4ms
rtt min/avg/max/sdev = 132,517/160,095/724,971/93,273 ms
--- redcta.org.ar ping statistics ---
122 packets transmitted, 120 received, 1,64% packet loss, time 40748,6ms
rtt min/avg/max/sdev = 303,035/339,572/965,092/97,503 ms
--- ccc.de ping statistics ---
122 packets transmitted, 72 received, 40,98% packet loss, time 19560,2ms
rtt min/avg/max/sdev = 244,266/271,670/594,104/61,933 ms
Interestingly, Koumbit is actually the closest host in the above
test. It could be that Canadian hosts are less affected by bandwidth
problems compared to US hosts because of the embargo.
traceroute to koumbit.net (199.58.80.33), 30 hops max, 60 byte packets
1 10.156.41.1 (10.156.41.1) 9.724 ms 9.472 ms 9.405 ms
2 192.168.134.137 (192.168.134.137) 16.089 ms 15.612 ms 15.509 ms
3 172.31.252.113 (172.31.252.113) 15.350 ms 15.805 ms 15.358 ms
4 pos6-0-0-agu-cr-1.mpls.enet.cu (172.31.253.197) 15.286 ms 14.832 ms 14.405 ms
5 172.31.252.29 (172.31.252.29) 13.734 ms 13.685 ms 14.485 ms
6 200.0.16.130 (200.0.16.130) 14.428 ms 11.393 ms 10.977 ms
7 200.0.16.74 (200.0.16.74) 10.738 ms 10.019 ms 10.326 ms
8 ix-11-3-1-0.tcore1.TNK-Toronto.as6453.net (64.86.33.45) 108.577 ms 108.449 ms
Let's take this apart line by line:
1 10.156.41.1 (10.156.41.1) 9.724 ms 9.472 ms 9.405 ms
This is my local gateway, probably the hotel's wifi router.
2 192.168.134.137 (192.168.134.137) 16.089 ms 15.612 ms 15.509 ms
This is likely not very far from the local gateway, probably still in
Cuba. It is one bit away from the captive portal IP address (see
below) so it is very likely related to the captive portal implementation.
3 172.31.252.113 (172.31.252.113) 15.350 ms 15.805 ms 15.358 ms
4 pos6-0-0-agu-cr-1.mpls.enet.cu (172.31.253.197) 15.286 ms 14.832 ms 14.405 ms
5 172.31.252.29 (172.31.252.29) 13.734 ms 13.685 ms 14.485 ms
All those are within RFC 1918 space. Interestingly, the Cuban
DNS servers resolve one of those private IPs as within Cuban
space, on line #4. That line is interesting because it reveals the
potential use of MPLS.
6 200.0.16.130 (200.0.16.130) 14.428 ms 11.393 ms 10.977 ms
7 200.0.16.74 (200.0.16.74) 10.738 ms 10.019 ms 10.326 ms
Those two lines are the only ones that actually reveal that the route
belongs in Cuba at all. Both IPs are in a tiny (/24, or 256 IP
addresses) network allocated to ETECSA, the state telco
in Cuba:
inetnum: 200.0.16/24
status: allocated
aut-num: N/A
owner: EMPRESA DE TELECOMUNICACIONES DE CUBA S.A. (IXP CUBA)
ownerid: CU-CUBA-LACNIC
responsible: Rafael López Guerra
address: Ave. Independencia y 19 Mayo, s/n,
address: 10600 - La Habana - CH
country: CU
phone: +53 7 574242 []
owner-c: JOQ
tech-c: JOQ
abuse-c: JEM52
inetrev: 200.0.16/24
nserver: NS1.NAP.ETECSA.NET
nsstat: 20160123 AA
nslastaa: 20160123
nserver: NS2.NAP.ETECSA.NET
nsstat: 20160123 AA
nslastaa: 20160123
created: 20030512
changed: 20140610
Then the last hop:
8 ix-11-3-1-0.tcore1.TNK-Toronto.as6453.net (64.86.33.45) 108.577 ms 108.449 ms 108.257 ms
...interestingly, lands directly in Toronto, in this case going later
to Koumbit but that is the first hop that varies according to the
destination, hops 1-7 being a common trunk to all external
communications. It's also interesting that this shoves a good 90
milliseconds extra in latency, showing that a significant distance and
number of devices are crossed. Yet a single hop is crossed, not showing
the intermediate step of the Venezuelan link or any other links for
that matter. Something obscure is going on there...
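
The same line-by-line reading can be done mechanically. The following added example (not part of the original post) parses the traceroute output quoted above in Rust, marks which hops sit in RFC 1918 space, and finds the first hop with a public address as well as the hops that have a reverse DNS name; the Hop struct and the function names are made up for this illustration.

```rust
use std::net::Ipv4Addr;

// Traceroute output copied from the post.
const TRACE: &str = "\
traceroute to koumbit.net (199.58.80.33), 30 hops max, 60 byte packets
 1  10.156.41.1 (10.156.41.1)  9.724 ms  9.472 ms  9.405 ms
 2  192.168.134.137 (192.168.134.137)  16.089 ms  15.612 ms  15.509 ms
 3  172.31.252.113 (172.31.252.113)  15.350 ms  15.805 ms  15.358 ms
 4  pos6-0-0-agu-cr-1.mpls.enet.cu (172.31.253.197)  15.286 ms  14.832 ms  14.405 ms
 5  172.31.252.29 (172.31.252.29)  13.734 ms  13.685 ms  14.485 ms
 6  200.0.16.130 (200.0.16.130)  14.428 ms  11.393 ms  10.977 ms
 7  200.0.16.74 (200.0.16.74)  10.738 ms  10.019 ms  10.326 ms
 8  ix-11-3-1-0.tcore1.TNK-Toronto.as6453.net (64.86.33.45)  108.577 ms  108.449 ms
";

#[derive(Debug)]
struct Hop {
    ttl: u8,
    name: String,
    addr: Ipv4Addr,
    private: bool, // address is inside 10/8, 172.16/12 or 192.168/16
}

impl Hop {
    // traceroute prints the address twice when there is no reverse DNS entry
    fn has_reverse_name(&self) -> bool {
        self.name != self.addr.to_string()
    }
}

// Parse "<ttl> <name> (<addr>) <times...>" lines; the banner line and any
// line that does not fit (for example "* * *") are skipped.
fn parse_hops(trace: &str) -> Vec<Hop> {
    trace
        .lines()
        .filter_map(|line| {
            let mut fields = line.split_whitespace();
            let ttl: u8 = fields.next()?.parse().ok()?;
            let name = fields.next()?.to_string();
            let addr: Ipv4Addr = fields
                .next()?
                .trim_matches(|c| c == '(' || c == ')')
                .parse()
                .ok()?;
            Some(Hop { ttl, name, addr, private: addr.is_private() })
        })
        .collect()
}

// The first hop that is no longer in RFC 1918 space.
fn first_public_hop(hops: &[Hop]) -> Option<&Hop> {
    hops.iter().find(|hop| !hop.private)
}

fn main() {
    let hops = parse_hops(TRACE);
    for hop in &hops {
        let kind = if hop.private { "RFC 1918" } else { "public" };
        let rdns = if hop.has_reverse_name() { hop.name.as_str() } else { "-" };
        println!("{:>2}  {:<16} {:<9} {}", hop.ttl, hop.addr, kind, rdns);
    }
    if let Some(hop) = first_public_hop(&hops) {
        println!("first public address at hop {}", hop.ttl);
    }
}
```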
Also interesting to note is the traceroute to the redirection host,
which is only one hop away:
traceroute to 192.168.134.138 (192.168.134.138), 30 hops max, 60 byte packets
1 192.168.134.138 (192.168.134.138) 6.027 ms 5.698 ms 5.596 ms
Even though it is not the gateway:
$ ip route
default via 10.156.41.1 dev wlan0 proto static metric 1024
10.156.41.0/24 dev wlan0 proto kernel scope link src 10.156.41.4
169.254.0.0/16 dev wlan0 scope link metric 1000
This means a very close coordination between the different access
points and the captive portal system. Finally, note that there seem
to be only three peers to the Cuban internet:
Teleglobe, formerly Canadian, now owned by the Indian
Tata group, and Telefónica, the Spanish Telco
that colonized most of Latin America's internet, all the way down to
Argentina. This is confirmed by my traceroutes, which show traffic to
Koumbit going through Tata and Google's going through Telefónica.
190.6.81.230
in the hotel.
Accessing http://1.1.1.1/ gives you a status page which allows you
to disconnect from the portal. It actually redirects you to
https://192.168.134.138/logout.user. That is also a
self-signed, but different certificate. That
certificate actually reveals the involvement of Gemtek which is a
"world-leading provider of Wireless Broadband solutions, offering a
wide range of solutions from residential to business". It is somewhat
unclear if the involvement of Gemtek here is deliberate or a
misconfiguration on the part of Cuban officials, especially since the
certificate is self-signed and was issued in 2002. It could be,
however, a trace of the supposed involvement of China in the
development of Cuba's networking systems, although Gemtek is based in
Taiwan, and not in the China mainland.
That IP, in turn, redirects you to the same portal but in a page that
shows you the statistics:
https://www.portal-wifi-temas.nauta.cu/?mac=0024D1717D18&script=logout.user&remain_time=00%3A55%3A52&session_time=00%3A04%3A08&username=151003576287&clientip=10.156.41.21&nasid=Wifi_Memories_Jibacoa&r=ac%2Fpopup
Notice how you see the MAC address of the machine in the URL
(randomized, this is not my MAC address), along
with the remaining time, session time, client IP and the Wifi access
point ESSID. There may be some potential in defrauding the session
time there, I haven't tested it directly.
Hitting Actualizar redirects you back to the IP address, which
redirects you to the right URL on the portal. The "real" logout is at:
http://192.168.134.138/logout.user?cmd=logout
The login is performed against
https://www.portal-wifi-temas.nauta.cu/index.php?r=ac/login with a
referer of:
https://www.portal-wifi-temas.nauta.cu/?&nasid=Wifi_Memories_Jibacoa&nasip=192.168.134.138&clientip=10.156.41.21&mac=EC:55:F9:C5:F2:55&ourl=http%3a%2f%2fgoogle.ca%2f&sslport=443&lang=en-US%2cen%3bq%3d0.8&lanip=10.156.41.1
Again, notice the information revealed to the central portal.
www.portal-wifi-temas.nauta.cu
, 190.6.81.230
)192.168.134.138
)10.156.41.1
)2.4.21
and 2.4.31. Now, to find out which version of Linux it is running is
way more challenging, and it is possible it is just some custom Linux
distribution. Indeed, the webserver shows up as G4200.GSI.2.22.0155
and the SSH server is running OpenSSH 3.0.2p1, which is basically
prehistoric (2002!), which corroborates the idea that this is some
Gemtek embedded device.
The fact that those devices are running 14-year-old software should
be a concern to the people responsible for those networks. There is,
for example, a remote root vulnerability that affects that
specific version of OpenSSH, among many other vulnerabilities.
15100, the following digits being 3576 or 4595, presumably depending
on the "batch" that was sent to different hotels, which seems to be
batches of 1000 cards. You can also correlate the UID with the date at
which the card was issued. For example, 15100357XXX cards are all
valid until 19/03/2017, and 151004595XXX cards are all valid until
23/03/2017. Here's the list of UIDs I have seen:
151004595313
151004595974
151003576287
151003576105
151003576097
The passwords, on the other hand, do seem fairly random (although my
sample size is small). Interestingly, those passwords are also 12
digits long, which is about as strong as a seven-letter password
(mixed uppercase and lowercase). If there are no rate-limiting
provisions on that captive portal, it could be possible to guess
those passwords, since you have free rein on accessing those
routers. Depending on the performance of the routers, you could be
lucky and find a working password for free...
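
The rate-limiting provision that the paragraph above finds missing, as an added sketch (not the portal's code and not part of the original post): a failed-login throttle with exponential lockout, plus the keyspace arithmetic behind the 12-digit versus seven-letter comparison. The class name, the thresholds and the `card-uid` key are assumptions made for the example.

```python
import math

def keyspace_bits(alphabet_size, length):
    """Entropy in bits of a uniformly random secret of this shape."""
    return length * math.log2(alphabet_size)

class LoginThrottle:
    """Failed-login throttle with exponential lockout (hypothetical design).
    The first `free_attempts - 1` consecutive failures for a key cost
    nothing; from then on every failure doubles the lockout, starting at
    `base_lockout` seconds and capped at `max_lockout`.
    """

    def __init__(self, free_attempts=5, base_lockout=30, max_lockout=3600):
        self.free_attempts = free_attempts
        self.base_lockout = base_lockout
        self.max_lockout = max_lockout
        self._state = {}  # key -> (consecutive failures, locked_until)

    def allowed(self, key, now):
        return now >= self._state.get(key, (0, 0.0))[1]

    def record_failure(self, key, now):
        """Register a failed login; return the lockout applied, in seconds."""
        failures = self._state.get(key, (0, 0.0))[0] + 1
        over = failures - self.free_attempts
        lockout = 0.0
        if over >= 0:
            lockout = float(min(self.base_lockout * 2 ** over, self.max_lockout))
        self._state[key] = (failures, now + lockout)
        return lockout

    def record_success(self, key):
        self._state.pop(key, None)  # a valid login clears the counter

def attempts_permitted(throttle, key, seconds):
    """Count the logins a client retrying once per second gets through."""
    now, attempts = 0.0, 0
    while now < seconds:
        if throttle.allowed(key, now):
            throttle.record_failure(key, now)
            attempts += 1
        now += 1.0
    return attempts

if __name__ == "__main__":
    print("12 digits %.1f bits, 7 letters %.1f bits"
          % (keyspace_bits(10, 12), keyspace_bits(52, 7)))
    per_day = attempts_permitted(LoginThrottle(), "card-uid", 86400)  # placeholder key
    print("failed logins per key per day under the throttle:", per_day)
```

Since the card UIDs are predictable, a portal would key the same throttle on the client MAC or IP address as well as on the username, so that the limit applies per device and not only per card.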
WHEN: Wednesday, January 13 at 6:30-9:30 p.m.
WHERE: Communications Building (CMU) 120, University of Washington
We invite you to celebrate the life and activism efforts of Aaron Swartz, hosted by UW Communication professor Benjamin Mako Hill. The event is next week and will consist of a short book reading, a screening of a documentary about Aaron's life, and a Q&A with Mako, who knew Aaron well; details are below. No RSVP required; we hope you can join us.
Aaron Swartz was a programming prodigy, entrepreneur, and information activist who contributed to the core Internet protocol RSS and co-founded Reddit, among other groundbreaking work. However, it was his efforts in social justice and political organizing combined with his aggressive approach to promoting increased access to information that entangled him in a two-year legal nightmare that ended with the taking of his own life at the age of 26.
January 11, 2016 marks the third anniversary of his death. Join us two days later for a reading from a new posthumous collection of Swartz's writing published by New Press, a showing of The Internet's Own Boy (a documentary about his life), and a Q&A with UW Communication professor Benjamin Mako Hill, a former roommate and friend of Swartz and a contributor to and co-editor of the first section of the new book. If you're not in Seattle, there are events with similar programs being organized in Atlanta, Chicago, Dallas, New York, and San Francisco. All of these other events will be on Monday January 11 and registration is required for all of them. I will be speaking at the event in San Francisco.
The free software movement has twin goals: promoting access to software through users' freedom to share, and empowering users by giving them control over their technology. For all our movement's success, we have been much more successful at the former. I will use data from free software and from several related movements to explain why promoting empowerment is systematically more difficult than promoting access and I will explore how our movement might address the second challenge in the future.
In related news, registration is open for LibrePlanet 2016 and it's free for FSF members. If you're not an FSF member, the FSF annual fundraiser is currently going on so now would be a great time to join.