Smart City OLLN and a lopsided contract

For nearly a year the city of Ottignies-Louvain-la-Neuve has been running a pilot project for a so-called intelligent municipality, or Smart City in the commonly used English term. To that end it signed a contract with Proximus. And although it is only a pilot, and the project is already well under way, the agreement binding the two parties is worth a look.

An unbalanced contract, drafted largely in Proximus's favour, with exclusivity clauses, limitation-of-liability clauses, and clauses granting Proximus ownership of the data, leaving the city at the mercy of its "partner", if one can still speak of a partnership under such conditions. Plus confidentiality clauses that are both worrying and ridiculous.

Let us hope that the city, should it decide to sign a contract beyond the pilot, will not again commit itself on such unfavourable terms.

 Fritz!Box DSL monitoring in Python

Let's start the year with a small home project. I have a Fritz!Box 7430 DSL gateway (wireless router and VDSL modem). After running into degraded performance, I wanted to record how my line performs. The box has a web interface with a wealth of functions and it exposes plenty of nerdy data, although I'm still looking for the obvious "disconnect DSL" button, dude, please. The interface is surprisingly clear compared to the usual market offerings (bbox, I'm looking at you). It is more expensive than a Sagem counterpart, but well worth it.

DSL Summary screen

So you can get info like:

  • Current throughput

  • Maximum attainable throughput

  • S/N ratio

  • CRC error count

  • Approximate cable length

and much more for which I can imagine a use case.

DSL Info screen

But it does not keep a history, so I have no way to nag my ISP about degraded performance over the long run. And an error may be present long before I notice it (for instance after I start playing an online game or decide to Netflix and chill).

The obvious geeky thing to do was to write a tool that collects the relevant data. Python was the right tool for the job.

The main obstacle was working out how to reproduce the login screen. The login process relies on a JavaScript MD5 challenge-response: the box hands out a challenge, and the client sends back the MD5 of the challenge combined with the password rather than the password itself. It looks like security by obfuscation at first, but its purpose is to keep the cleartext password off the wire when the interface is used over plain HTTP (it does not, however, stop anyone who captures the exchange from brute-forcing the password offline). Once I understood what was going on, I found code on GitHub emulating that process and reused it.
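The exchange described above, as an added example that is not the GitHub code the post reuses: it follows the scheme AVM documents for login_sid.lua (the box returns a challenge, the client answers with the challenge joined to the MD5 of the UTF-16LE encoding of "challenge-password"). The XML replies, the challenge value and the password are constructed for illustration; the HTTP requests themselves are left out so the code runs offline. It also handles the one failure mode a monitoring script will hit if it retries blindly: the box throttles logins after failed attempts and reports that as a non-zero BlockTime.

```python
"""Fritz!Box session login: reproduce the MD5 challenge-response without a browser.

Added example (not the post author's code). Scheme as documented by AVM for
login_sid.lua: the box returns a challenge, the client answers with
"<challenge>-MD5(UTF-16LE("<challenge>-<password>"))". No network calls here.
"""
import hashlib
import re
import xml.etree.ElementTree as ET

NO_SESSION = "0000000000000000"  # SID the box returns when nobody is logged in

# Constructed sample of a first GET /login_sid.lua reply (not captured from a real box).
SAMPLE_CHALLENGE_XML = """<?xml version="1.0" encoding="utf-8"?>
<SessionInfo>
  <SID>0000000000000000</SID>
  <Challenge>1234abcd</Challenge>
  <BlockTime>0</BlockTime>
  <Rights/>
</SessionInfo>"""

# Constructed sample of a reply after failed attempts: the box throttles further logins.
SAMPLE_BLOCKED_XML = SAMPLE_CHALLENGE_XML.replace(
    "<BlockTime>0</BlockTime>", "<BlockTime>32</BlockTime>"
)


def parse_session_info(xml_text: str) -> dict:
    """Extract SID, challenge and block time from the login_sid.lua XML."""
    root = ET.fromstring(xml_text)
    return {
        "sid": root.findtext("SID", default=""),
        "challenge": root.findtext("Challenge", default=""),
        "block_time": int(root.findtext("BlockTime", default="0") or 0),
    }


def make_response(challenge: str, password: str) -> str:
    """Compute the value the login form sends in place of the password.

    MD5 over the UTF-16LE encoding of "<challenge>-<password>"; AVM's note
    says characters above U+00FF are replaced by "." before hashing.
    """
    text = f"{challenge}-{password}"
    text = "".join(ch if ord(ch) <= 0xFF else "." for ch in text)
    digest = hashlib.md5(text.encode("utf-16le")).hexdigest()
    return f"{challenge}-{digest}"


def build_login_params(xml_text: str, password: str, username: str = "") -> dict:
    """Turn the first login_sid.lua reply into the parameters of the second request.

    Raises when the box is throttling logins (BlockTime > 0): hammering it only
    extends the lockout, so a scraper should back off instead of retrying.
    """
    info = parse_session_info(xml_text)
    if info["block_time"] > 0:
        raise RuntimeError(f"login blocked for {info['block_time']} s, retry later")
    if info["sid"] != NO_SESSION:
        return {"sid": info["sid"]}  # a session already exists; reuse it
    return {"username": username, "response": make_response(info["challenge"], password)}


def is_valid_sid(sid: str) -> bool:
    """A usable session id is 16 hex digits and not the all-zero placeholder."""
    return bool(re.fullmatch(r"[0-9a-f]{16}", sid)) and sid != NO_SESSION


if __name__ == "__main__":
    # In practice: GET /login_sid.lua with these parameters, parse the SID from the
    # reply with parse_session_info(), check it with is_valid_sid(), then request the
    # DSL pages with ?sid=<SID>. The password here is a placeholder.
    print(build_login_params(SAMPLE_CHALLENGE_XML, "hunter2"))
```

The SID returned by the second request is what every later page fetch must carry; treat an all-zero SID as a failed login rather than retrying in a loop, since that is exactly what triggers the BlockTime throttle.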

Too bad the Fritz!Box firmware is inconsistent about how it serves data. Some pages serve JSON, but the information I needed sat on a page rendered entirely as HTML. So I went for good old ugly HTML scraping.

I still have to figure out how to interpret the data and how to act on it. I'll probably add simple alerts for the obvious cases.

In the meantime, here it is, licensed under the GNU GPL.

Happy hacking

Scam PC

In front of me, a laptop to be completely reinstalled after its owner fell victim to a remote-support scam.

The scenario goes like this:

  • A scammer phones you, claiming to be, for example, a Microsoft employee.

  • He claims an anomaly or a virus has been detected on your PC.

  • He talks you into switching on your PC and, on the pretext of sharing his diagnosis, has you install remote-control software.

  • He runs a command that is in fact harmless and makes you believe its output is the sign of a virus.

  • Getting rid of it will cost you a few euros (5 or 10 a year).

  • Keeping up the psychological pressure, the scammer convinces you to log in to your online banking to make a transfer. The "200" you type in as the amount? Just a control code, he tells you.

And the victim is 200 euros lighter. In some cases the bill climbs higher: Eric Darchis told me of a case at 5,000 euros. Here, the victim eventually had the presence of mind to shut everything down and not to use the PC for any further banking.

Don't imagine these are computer wizards: some people enjoy posing as helpless victims and, turning the weapon against them, taking control of the attacker's machine or webcam. Some go as far as rendering the crooks' PC unusable.

Far from being IT experts, these scammers are however excellent manipulators. Reading this account, one thinks: of course, you should never have let yourself be drawn in. But these organisations are clearly drilled and expert in the art of manipulating people remotely and gaining the upper hand over their prey, playing on fear and guilt, and using an authoritarian or aggressive tone when needed.

A complaint is filed with the police and with the bank, which will of course refuse to compensate, since the victim executed the transfer voluntarily and under no threat. And don't expect for one moment that the police will do anything beyond recording your complaint.

Three hours and... no IP

The brainwashing session lasted... more than three hours!

Going through the Windows Event Viewer, I was able to retrace the main steps: a probably aborted installation of ScreenConnect, followed by a reboot, then GoToAssist, also followed by a reboot. The program was still resident when I took over the machine, though with no connection to the scammers any more. Trying to recover the peer's IP address, basic information I expected to find in those applications' log files, I was dismayed... Neither program records anything of the kind! No, it was not the attackers who covered their tracks; the legitimate programs in question did it for them. I don't know whether the scammers chose these tools knowingly, taking advantage of that design choice. When the application itself keeps no log, what remains is evidence outside it: the router's connection log, or network traffic captured before the machine was rebooted and the sessions torn down.

Basic advice

The advice is obvious:

  • Do not act on a request from a stranger, whether by email or by phone.

  • Never reveal any of your passwords.

  • A stranger plus a connection to your bank should set off a mental alarm.

  • If you have nevertheless been drawn into the scam, disconnect as soon as possible.

  • Do not switch your machine back on until it has been examined / reinstalled by a professional or someone who knows what they are doing, in the (unlikely) case that a connection persists.

  • Have your bank cards blocked.

  • File a complaint with the police.

Radical LEAN GDPR for freelancers

They say the cobbler's children go barefoot, but a LEAN GDPR consultant cannot seriously claim to help clients achieve compliance without being compliant himself.

On my landing page as an independent consultant, I had installed Google Analytics. Almost out of habit, with no specific purpose. Just in case. And on my blog I had delegated comments to a third-party service: Disqus. Finally, all of this was hosted at gandi.net, which I have just migrated to AWS. OVH remains only as registrar.

By collecting personal data about my visitors, even with no intention of identifying or tracking them, I act as a data controller and these companies (Google, Disqus, AWS, OVH) are my processors. That entails a whole series of obligations, among others:

  • Basing my processing on a legal basis, for example by obtaining the visitors' explicit consent.

  • A written contract is mandatory between controller and processor.

  • Drawing up one or more records of processing activities.

  • Carrying out an impact assessment where the risk is high (not applicable here).

  • Organising internal processes (well, I'm alone on board...).

  • Documenting compliance.

The controller cannot offload responsibility onto the processor; in other words, I remain responsible for these processors' compliance with the GDPR. It does not matter that I am only a small company. It is up to me to check how things stand and to apply appropriate settings.

Google Analytics

Taking a LEAN approach, I asked myself what Google Analytics was for. In reality I never log in to see how many visits my site has had. Would that information be of any use to me? No. So why collect personal data (and feed the "G")?

No data collected, no processing record, no GDPR obligations.

One problem solved.

Disqus

Comments on my blog were handled by Disqus. In March 2018, two months before the GDPR came into force, I had found nothing concrete about their intentions on the matter. I concluded the subject did not really interest Disqus and decided to disable comments, little used anyway. While writing this article I discovered this recent update, but it comes late.

Same principle as with Google Analytics. No data collected, no GDPR worries. Except that here, in addition, my trust in my processor was rather low.

Amazon Web Services

It was no small task, but I migrated the hosting of my sites to AWS (very low cost, unlimited elasticity, but a fairly steep learning curve). The GDPR requires a written contract. You have to search a little to find their DPA, but you can get hold of a proper contract to print, sign and return to AWS.

Par "écrit", il ne faut selon moi pas nécessairement un document signé de manière manuscrite par les deux parties. Une signature numérisée suffit.

Still 16 pages of reading, with the inevitable "Unless otherwise defined" phrasing (rolling eyes), but all the expected points are there, including the rather amusing question of audits:

At Customer’s written request, AWS will provide Customer with a confidential Report so that Customer can reasonably verify AWS’s compliance with the security obligations under this Addendum.

I would have preferred direct access to the data centre to form my own opinion.

So LEAN

I often read, in discussion threads, that it is enough to add one or two notices on your site "and you're done". That is rushing things somewhat.

Of course, my rather radical solution is not for everyone. I only apply it to my freelance activity, which relies on my network (in real life or on the internet, but without an in-house file), is B2B-oriented, and has no real need to collect data. Nothing prevents you from having comments on your blog or setting up Google Analytics, provided you comply with the GDPR obligations. The task is far from insurmountable, but the time it takes may not be worth it.

 Riding the Cowboy's bike

The Cowboy is an electric bike built for the city. It is elegant, smartly designed and nice to handle. Whether it is the right bike for you depends on several factors.

Photo Hello Cowboy

Introducing the Cowboy

David Nguyen and I booked a trial in Brussels. The staff is very friendly and eager to help you.

The look of that bike is unique. It is very elegant, and obviously designed to be an electric bike from the start. At last, someone figured out how to do it right. Most electric bikes would certainly look clumsy when standing next to the Cowboy.

The bike was designed around strongly opinionated choices, and for the better. For instance it has no shifter: only one speed. This allowed the manufacturer to replace the conventional chain with a carbon belt, which means less maintenance and a cleaner biking experience. Powerful safety lights are nicely integrated into the frame. That's smart for a city bike.

You get hydraulic brakes, but no front suspension, which means a lighter bike and a lower price, just like the absence of a shifter. You can't easily unlock the front wheel; at least that makes it harder for thieves to steal. The attention to detail is clear. As a result, it weighs only 16 kg, which is very reasonable for an electric bike. It makes a difference when you have to carry it up a few steps.

It's a connected bike, meaning you pair your smartphone with it to access certain functions. In fact, you must use your phone to unlock and start the bike. Some people like that sort of gadget, but I don't, and I was a bit worried something could go wrong in that department. And it somewhat did. More on that later.

Looking closer, it is obviously not a high-end bike. The grips seem a bit cheap, the pedals are entry-level for sure, and the frame looks like it will scratch easily. The brake handles could be larger. But all of that is perfectly acceptable for that price: €1,790.00.

Hit the road and sweat

We started our test ride with a phone already connected and mounted on the frame. Something was wrong. I had to push hard to make the bike move. I first attributed that to the absence of a derailleur, the surprisingly high gear ratio, and my dubious physical condition. But when we reached flat terrain, I was still lagging way behind David, and I knew something was wrong.

The app on the smartphone had crashed. I restarted it, but it crashed again a few seconds later. However, I managed to find out that the assistance was actually turned off, and I was able to turn it on before the app crashed again. As I feared, you become dependent on your mobile phone to operate the bike properly, and that is certainly not as reliable as a dedicated device. The staff explained that iOS had not been updated, but there is always a good reason for an app to stop working, for instance when your battery dies, or when your Nexus 5X decides to enter an infinite bootloop.

Assistance

Once the assistance was on, I managed to climb the next hill without breaking a sweat, like a breeze, with a grin on my face. Maybe because I realised I was not in such bad shape after all. The assistance is strong and smooth. The website claims they have an intelligent speed and torque sensor.

Our intelligent speed and torque sensors kick in the motor-assistance system as you pedal. Basically, you ride like you always do, but go faster than before.

I assumed that was just marketing talk. It is not. It is at least on par with what you can find on expensive electric bikes, if not above. On bikes sold at a similar price, you get a shaky and lousy experience in comparison. The assistance is so strong I reckon it must take a toll on the battery. But if you can get the announced 50 km out of it, or even only half of that, is it really an issue?

This being said, we did not attempt the most severe climbs of Brussels. Other neighbourhoods may end up much more challenging with the crazy super high fixed gear ratio. No issue if you live in Leuven, but I’d be curious to see it in action in Namur.

Photo Staff and me and the bike

Enjoy the ride

Overall, the bike is pleasant and easy to handle. Inspired. Fun and delightful even.

Please note that you lean forward on this bike; it's not one of those bikes with large, highly positioned handlebars.

I wouldn’t get too comfortable speeding above 30 km/h, but that’s not the point with that type of bike. The brakes will stop you all right, but I didn’t find them very progressive. More like if I had regular V-brakes rather than hydraulic brakes. David liked the way they operate though.

I managed to get cut off by cars 3 times during the short test (what kind of place is this?) and the bike's handling was no concern at all while braking hard or swerving, even though I was riding it for the first time. The rear wheel locked as expected, given the rider's position and the tyre dimensions. That's where more progressive brakes would come in handy. Cowboy ProTip: please fit a bell, the law requires one. And not one you activate from the phone. I yelled at the offending drivers instead, as they all had their windows open. Works too, and I get to keep both hands on the bars.

The bike remained relatively comfortable on cobblestones, and I had no difficulty manoeuvring it with one hand (at lower speed) on the unpleasant road surface, despite the lack of front suspension.

Repairs and replacement parts

The bike is sold exclusively on the internet. There is only one store, located in Brussels. Some parts of the bike are industry standard, but others, like the battery and the electric motor, are custom.

This raises some concerns, should the company producing the Cowboy discontinue that line or go bankrupt. How would the smartphone app keep being maintained so that it runs on newer iPhones? Where would you find a replacement battery? In any case, repair at your local bike shop will probably be complicated, if not impossible.

That would certainly make me think twice before buying this otherwise great bike.

Verdict

Pros

  • Electric bike for the city done right

  • Style

  • Price

  • Attention to details

  • Smart opinionated choices

  • Delightful

Cons

  • Several parts entry-level

  • High fixed gear ratio and steep hills

Up to you

  • Mandatory smartphone

  • No repair network

  • Replacement parts in the long run

Based on this short trial, I’d say it’s a fantastic bike for the city. You’ve got to love its style, and the intelligent design choices that make most other manufacturers look like clueless corporate bozos. You could easily forget this is not a high-end, expensive bike. For most of us, and taking the intended use into consideration, it is a perfectly reasonable balance. The mandatory use of a smart phone to unlock the bike may be appealing to you, or could also deter you from buying it. If you are willing to take a chance with the uncertainty regarding repairs and replacement parts, I’d seriously consider placing it on the top of my shopping list.

 Hack Belgium

Oversold and disappointing: this is how I see Hack Belgium. Sloppy workshops, pointless brainstorming exercises, unannounced schedule changes, talks labelled workshops. I feel like I have wasted time and money.

Logo hackbelgium

Day 1 - Exploring

I had registered for several education-related sessions as it’s my current field of work.

Obviously, it is not enough to label some people "Expert" and put them in a room with an "Agile Coach" for something meaningful to happen. In my book, it takes more than Post-Its, pens and asking people to brainstorm on predefined questions to make a workshop. Granted, this gave me the opportunity to talk to several people outside my usual IT horizon, but most of them were wondering what the point of the exercise was.

During that first morning session, my associate had no workshop to attend. He had registered for something else, but his session had been moved or cancelled without prior notice, even in the HB event app. We had paid a hefty sum for a "PRO" access badge, allowing us to register early for the different workshops and make sure we got a seat. That benefit was negated, as he had to find another activity while many were already sold out. He was not very happy. And I was wondering what good would come out of my session.

The afternoon was even worse. The two edu workshops had been swapped, and that was announced by the speaker only after the workshop had started. Several people left, and others outside probably missed the session, which took place earlier than planned.

The workshop facilitation was abysmal. During an ice-breaker, you are invited to talk to different random people. But the instructions were contradictory and confusing; for instance, nobody had time to finish talking. You were supposed to get one minute to get acquainted with a stranger, only to be cut off after 20 seconds. During that awkward activity, I could see how confused other people were too. And it didn't get any better. The group I had joined got stuck during the brainstorming. One of the coaches offered advice, only to leave us with more questions.

For me, nothing useful came out of that weird activity, for lack of a better word. I went home disappointed, hoping the next day would be better.

Day 2 - Building

It was a sad sight, especially in the afternoon. The venue looked deserted compared to the first day.

The speakers were okay or even good; I won't point my finger at any particular session here. One was supposed to let the audience code along, but there was no time to follow, as the pace was too fast and some code was copy-pasted. For another, I had to find out where the speaker was 10 minutes after the scheduled start time... Confusion over who was supposed to do the talking. We ended up with two presenters for... two listeners. I loved the scale of it, and I enjoyed the presentation. Then it reminded me that the event had already been deserted.

The announced objective of the day:

Build your idea by planning how it will work in the real world

But none of what was discussed today or yesterday was my idea. Therein lies the rub.

End of day 2: you have the blueprint of your project

I admit I dropped out, but remember, it would not have been my project.

Day 3 - Launching

This is possibly the worst event I've ever attended. Certainly the most overrated one. The only thing that's been hacked is my wallet. So I didn't go to Day 3. I had wasted enough time already. I'd better work on my current project, build something great and actually launch it.

If my endeavour turns out to be successful, hackbelgium will have nothing to do with it.
