Sharing information within a small group is quite common. For example, if
your children are in a school or kindergarten, you have to join a class group
to share various information, messages and so on. Often these are proprietary
centralised platforms such as Facebook or WhatsApp (oh, both are essentially
the same unethical company, Meta!) or sometimes Telegram. Many non-IT people
simply use what they are used to in daily life. Those who are more concerned
about their own and their children's privacy and security will not use any of
Meta's or other Big Tech apps. But there are others, and there is a need to
communicate. The choice is simple: either you join the parents' group on
Facebook or you are excluded. If excluded, you will not get updates about
events, birthdays and so on. The other parents may look at you with some
suspicion: are you a spy or a drug dealer trying to hide in the shadows of the
darknet? This is what Cory Doctorow calls "the network effect." And it is
exploited and promoted by the giant platforms. They do their best to
manipulate you into looking at their platform and their advertising for as
much time as possible, ideally 24 hours a day, and they lure you into giving
away as much private data as possible. Nobody knows how this data will be used
in the future. It is hidden in uncertainty. The only certainty is that the
users are exploited for others' profit.
While Facebook and others try to impose huge switching costs to keep you on
the platform, there is a simple solution available to everyone. It is good
old email. Everyone has it now. But some use it only to register on websites,
get password reset links and the like. No, email is still alive and is
actually better than many used to think.
Email lists
Mailing lists are well known. Usually they are only used to spam you with
unnecessary information, advertising campaigns and so on. But email lists can
be used for better things. There is open source software for mailing list
management that you (I assume you are the group's administrator) can run on
your own server. Then you can subscribe everyone in the group to the list (or
to your newsletter). Okay, now everyone in the group gets updates. Simple.
People can have the option to subscribe to the list or unsubscribe themselves
(without your, the administrator's, manual action). That is useful.
Email discussion groups
Email discussion groups, or listserv, are really an ancient (a better word:
mature) technology that has been in use for several decades. It is still
widely used by the open source software developer community, for example the
famous Linux kernel project. The idea is trivial:
- You subscribe to the mailing list
- You get the group's ("listserv") email address, e.g. foreldre@din.fqdn
- Every message sent to this group address (yes, foreldre@your.fqdn) is
distributed to every subscriber's mailbox.
Then, once you are subscribed, replying to the group address shares the email
with all members.
Good old email does not compete for your attention with irrelevant and
annoying notifications, and does not manipulate you into glancing and
doomscrolling. Everything just arrives in your mailbox. You can reply at any
time from any device; no special apps are needed.
But in the end, to use a listserv you need your own (or controlled) email
server, a domain name, competence and time for configuration and maintenance.
If you are brave enough, you can configure your own GNU Mailman:
But if you prefer to avoid the hassle, there are several open servers that
allow registration and free hosting for small non-profit groups.
There is also a Listserv on steroids that is free for small non-profit groups
(up to 1000 subscribers, which is usually enough):
Here you can:
- Register your (admin) account
- Add group emails
- Share, reply to and forward group emails, with archives and much other
functionality.
Doctorow, C. 2023. The Internet Con: How to Seize the Means of Computation.
Verso.
Messaging continues to be on the rise. The new generation is more willing to
send texts than to call. Communicating with an instant messenger has a
unique advantage over good old email: you can easily send replies to replies
quickly, resulting in a dialogue. But there is a serious problem: many
instant messengers are commercial products that work such that their "users"
are in fact the exploitable resource, having no control or choice.
Most corporations are fair providers of various products and services we
can buy. But not the "Big Tech" companies that offer "free applications,"
including instant messengers. There is, obviously, nothing free on Earth. So
if you do not pay, you are the product, not the customer. The Big Tech
corporations exploit the "end users" to suck out private data, often for
further resale. Nearly all of these messengers have a centralised
architecture, and the user's account is linked to a telephone number,
completely destroying privacy. The link to the telephone number is also very
inconvenient because you cannot easily get several accounts; this requires
obtaining several mobile subscriptions. It is just illogical, expensive and
silly. A centralised architecture dictates that the communication is kept on
the corporate servers, so theoretically many employees can read messages
through abuse.
Some of the products are advertised as end-to-end encrypted. But nearly all
of them are closed source, so there is no way to check how this is
implemented and if and when the service owner can access private message
content. Moreover, we have evidence for the opposite. Many so-called
"end-to-end encrypted" messages are actually read by AI and human
contractors.
Even if the communication is technically end-to-end encrypted, the company
owns and fully controls the server, the client application and the network
traffic, so a man-in-the-middle attack by silently changing certificates is
possible (e.g. in the context of lawful intercept, or unlawful abuse).
Metadata (technical information about all aspects of the communication,
including the addressees, their locations, IP addresses, telephone numbers
etc.) is always accessible to the service. And metadata is often even more
informative than the message content. How such metadata is used is typically
unclear. The user has no authority here at all.
Nearly all of these messaging systems have a closed, proprietary protocol.
This means that how you use the product is completely controlled by the owner
company. The only way to use the product is with the official application.
You cannot choose for yourself which application program to use. This is
fundamentally different from email, for example, where you can use the
provider's web interface, its mobile app or any of the many available email
applications such as Thunderbird or K-9 Mail. With such a third-party
application you can easily consolidate several email accounts in one place
and make use of functionality the provider does not offer, such as end-to-end
encryption. Another major problem is monopoly and lack of interoperability.
The "users" (in reality, the exploited resource) are completely restricted to
the owner's platform and are unable to communicate with other (especially
competing) platforms (e.g. Facebook to Snapchat), as a way to keep users
within the silo. This is as if you were unable to call or send SMS across
different mobile operators. And this is silly. To break down monopolies and
ensure fairer competition and interoperability across services, the EU has
developed the Digital Markets Act (DMA) regulation.
This is a big step, but it does not solve many of the problems with
centralisation, privacy and regular security flaws.
Take back your freedom, privacy and security
So, why use restricted, inconvenient, monopolistic, insecure and non-private
platforms for the trivial task of sending instant messages? There are several
ways to configure one's own privately controlled instant messaging system:
XMPP and Matrix. XMPP is lightweight, easy to install, and more private and
secure, yet covers all the typical instant communication purposes: text,
file sharing and voice. Moreover, XMPP servers are federated by default: it
is easy to send messages across different servers, like in email. There are
many different applications for all operating systems and platforms the user
can choose from. Update: XMPP can communicate with the federated Matrix
network because ejabberd now implements a Matrix gateway.
It is very easy to set up one's own XMPP server for a small group, a company,
the family or just an individual. You will need two things:
- A server that will be the central hub of the communication network,
running 24x7. This can be anything, from a Raspberry Pi in a cupboard to a
Virtual Private Server (VPS) somewhere in a data centre, or just an old PC
running in your basement. A small-scale VPS suitable for an XMPP server can be
very cheap, up to three Euro per month. There exist even cheaper options,
such as EUR 6 per year. There are also dedicated search engines to help
locate cheap VPS offers, e.g. LowendBox and ServerHunter. A typical operating
system for the server is Linux (very secure, highly configurable, free and
open source).
- A domain name that is used to connect to the XMPP server. A domain can be
registered to the user (e.g. myname.no), which costs about 30 Euro yearly.
But a sub-domain can be obtained for free using https://freedns.afraid.org or
similar "free DNS" services. In the latter case you might have something like
myownchat.mooo.com or myownchat.ptchat.net. Freenom offers free domains
ending in .tk, .ml, .ga, .cf, .gq. It is possible to run the XMPP server
purely on an IP address even without a domain name, but it is much less
convenient (e.g. federation with other servers is then lost).
Given you have got a server (VPS or dedicated machine) and the domain,
configuring an XMPP server is as easy as 1-2-3. There exist several Linux
variants (distributions) with different management commands (usually for
installing software). I assume Debian Linux is used below (the same commands
also work for Ubuntu and other Debian-based Linux systems).
1. Install XMPP server software
Login. When you have got a server of any kind, you need to log in to it,
typically with ssh. Here the user name on the server is debian and the server
IP is 1.2.3.4. Typically, you may need to create an ssh key and upload it to
the server to authenticate (refer to the server documentation, e.g. this).
I assume logging in is not a problem.
Prepare the server. First of all, update the software on the new server:
sudo apt update -y && sudo apt-get upgrade -y
Install some useful monitoring and security-enhancing utilities:
sudo apt install -y mc htop atop nload nmon tree zip pwgen fail2ban dnsutils iptables-persistent locate unattended-upgrades
Install certbot, a tool that manages the TLS certificates for secure
connections:
sudo apt -y install certbot
Install the ejabberd server, which is very reliable and light on resources:
sudo apt install ejabberd
Firewall. To allow incoming network access to this server by XMPP clients
and also by third-party servers, the firewall rules on the server need to be
configured. This can be done differently in different installations. For
example, some VPS providers offer a friendly web interface for it. The
standard Linux firewall is managed via iptables.
The XMPP system requires incoming access via ports 5222, 5223, 5269, 5443,
5280 and 3478. To determine the ports, refer to the listen section of the
XMPP configuration file below.
sudo iptables -A INPUT -p tcp --dport 5222 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 5223 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 5269 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 5443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 5280 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
# STUN is over udp
sudo iptables -A INPUT -p udp --dport 3478 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
Port 7777 is used for a proxy for peer-to-peer (bytestream) file transfer.
If peer-to-peer file sharing is intended for use, an additional rule should
be set allowing incoming connections:
sudo iptables -A INPUT -p tcp --dport 7777 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
To see what firewall rules are in effect, issue this:
sudo iptables -L --line-numbers
It makes sense to save the iptables rules so they automatically take effect
again after a reboot (the redirection must run as root, hence sh -c):
sudo sh -c 'iptables-save > /etc/iptables/rules.v4'
2. Configure your XMPP server
Secure connection certificate. Get a free Let's Encrypt TLS certificate.
I assume you have got a free domain myownchat.ptchat.net from
https://freedns.afraid.org.
Note that ejabberd can manage (issue and renew) TLS certificates on its own,
but this needs some configuration as described in the acme configuration
option: https://docs.ejabberd.im/admin/configuration/basic/#acme.
An advantage of a standalone certificate management system (as here) is that
it is slightly less tricky and can easily be shared with a web server on the
same machine. Why not also configure a web server for a small static web site
here? Ejabberd is very lightweight and will happily coexist with many other
servers running on the same machine.
sudo certbot --standalone certonly -d myownchat.ptchat.net
This command will ask a few questions and issue a TLS certificate. The
validation is done over HTTP, so port 80 must allow incoming connections. If
this is not the case, use the following command:
sudo iptables -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
Do not forget to save the iptables rules with iptables-save as above.
The certificate files, e.g. fullchain.pem, are located in the
/etc/letsencrypt/live/myownchat.ptchat.net/ directory.
For the sake of security, the certificate directories are by default not
accessible to anyone except the admin (root) user. But this prevents the XMPP
server ejabberd from reading the certificate. This can be easily fixed with
the following commands.
First, add the ejabberd user to the root group:
sudo adduser ejabberd root
Second, allow the group to access the certificate directories:
sudo chmod g+rx /etc/letsencrypt/live/myownchat.ptchat.net
sudo chmod g+rx /etc/letsencrypt/live
sudo chmod g+rx /etc/letsencrypt/
Configure ejabberd. Once the preparations are done, it is time to configure
the ejabberd messaging server. Edit the configuration file (assuming the
mcedit text editor is used):
sudo mcedit /etc/ejabberd/ejabberd.yml
This is a long configuration file that may look scary. But in fact only a few
changes are required to make the server run with the default options. Note
that the indentation is significant; keep it as in the original file. Any
line starting with # is considered a comment, which can be used to disable
specific options by "commenting them out."
First, set the host name used by the server; it is the same as the domain:
hosts:
  - myownchat.ptchat.net
Second, configure the location of the TLS certificates that are used by the
server:
certfiles:
  - "/etc/letsencrypt/live/myownchat.ptchat.net/fullchain.pem"
  - "/etc/letsencrypt/live/myownchat.ptchat.net/privkey.pem"
Configure the admin users who can manage the XMPP server:
acl:
  admin:
    user:
      - ""
      - "myname": "myownchat.ptchat.net"
Then, add configuration for the http-file-upload module that will allow file
sharing (sending files):
  mod_http_upload:
    put_url: https://@HOST@:5443/upload
    custom_headers:
      "Access-Control-Allow-Origin": "https://@HOST@"
      "Access-Control-Allow-Methods": "GET,HEAD,PUT,OPTIONS"
      "Access-Control-Allow-Headers": "Content-Type"
It is convenient to keep the latest messages on the server; this is done with
the "mam" module:
  mod_mam:
    assume_mam_usage: true
    default: always
Ejabberd supports several other communication protocols in addition to XMPP.
For example, it also speaks MQTT, which is typically used for IoT devices. If
this functionality is not used, just comment out the MQTT module to disable
it.
The STUN and TURN protocols are mainly used for voice calls and need the
actual IP address of the server (replace it with your server's IP address):
  -
    port: 3478
    ip: "::"
    transport: udp
    module: ejabberd_stun
    use_turn: true
    ## The server's public IPv4 address:
    turn_ipv4_address: "1.2.3.4"
An important issue is whether to allow anonymous registration of new users.
I strongly recommend not allowing this for security reasons. For a small
private server, you will normally add users manually and set their initial
passwords. Every user can then change the password within the client program.
So, you need to disable mod_register by commenting it out:
  # mod_register:
  #   ## Only accept registration requests from the "trusted"
  #   ## network (see access_rules section above).
  #   ## Think twice before enabling registration from any
  #   ## address. See the Jabber SPAM Manifesto for details:
  #   ## https://github.com/ge0rg/jabber-spam-fighting-manifesto
  #   ip_access: trusted_network
Start the server! And that's all the minimal configuration. Now it's time to
start the server:
sudo systemctl start ejabberd
If there are any errors and the server fails to start, the Linux logs can be
inspected with journalctl, or the logs for only ejabberd:
sudo journalctl -xe --unit ejabberd
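Once the server is up, it is worth checking from the outside that the two security-relevant settings above actually took effect. The script below is an added example of mine, not part of this guide or of ejabberd: it opens a client stream on port 5222, negotiates STARTTLS with normal certificate verification (so a wrong certfiles entry or an expired Let's Encrypt certificate shows up as an error), and then reports whether TLS is mandatory and whether in-band registration is still advertised. It assumes Python 3 on any machine that can reach the server, e.g. with the hostname myownchat.ptchat.net used above.

```python
# Added example (not from the guide): inspect an XMPP server's stream features.
import socket
import ssl
import xml.etree.ElementTree as ET

NS_STREAM = "http://etherx.jabber.org/streams"
NS_TLS = "urn:ietf:params:xml:ns:xmpp-tls"
NS_REGISTER = "http://jabber.org/features/iq-register"

def parse_stream_features(fragment: str) -> dict:
    """Summarise a raw <stream:features> fragment (wrapped so the prefix resolves)."""
    root = ET.fromstring(f'<r xmlns:stream="{NS_STREAM}">{fragment}</r>')
    starttls = root.find(f".//{{{NS_TLS}}}starttls")
    return {
        "starttls_offered": starttls is not None,
        "starttls_required": starttls is not None
        and starttls.find(f"{{{NS_TLS}}}required") is not None,
        "register_offered": root.find(f".//{{{NS_REGISTER}}}register") is not None,
    }

def findings(pre_tls: dict, post_tls: dict) -> list:
    """Misconfigurations visible from the features sent before and after STARTTLS."""
    out = []
    if not pre_tls["starttls_offered"]:
        out.append("STARTTLS not offered: check the certfiles setting")
    elif not pre_tls["starttls_required"]:
        out.append("STARTTLS optional: clients may authenticate in plaintext")
    if post_tls["register_offered"]:
        out.append("in-band registration advertised: mod_register is still enabled")
    return out

def _read_until(sock, marker: bytes) -> bytes:
    buf = b""
    while marker not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            raise RuntimeError(f"connection closed before {marker!r}")
        buf += chunk
    return buf

def _features(sock, host: str) -> str:
    """Send a stream header and return the raw <stream:features> element."""
    sock.sendall(f"<?xml version='1.0'?><stream:stream to='{host}' version='1.0' "
                 f"xmlns='jabber:client' xmlns:stream='{NS_STREAM}'>".encode())
    buf = _read_until(sock, b"</stream:features>")
    return buf[buf.find(b"<stream:features"):buf.find(b"</stream:features>") + 18].decode()

def check_server(host: str, port: int = 5222) -> tuple:
    """Return (findings, certificate notAfter) after negotiating STARTTLS."""
    with socket.create_connection((host, port), timeout=5) as raw:
        pre = parse_stream_features(_features(raw, host))
        if not pre["starttls_offered"]:
            return findings(pre, pre), None
        raw.sendall(f"<starttls xmlns='{NS_TLS}'/>".encode())
        _read_until(raw, b"<proceed")  # server agrees to upgrade the connection
        # wrap_socket verifies the certificate chain and that the name matches host
        with ssl.create_default_context().wrap_socket(raw, server_hostname=host) as tls:
            post = parse_stream_features(_features(tls, host))
            not_after = tls.getpeercert()["notAfter"]
            tls.sendall(b"</stream:stream>")
    return findings(pre, post), not_after
```

Call check_server("myownchat.ptchat.net") after starting ejabberd; an empty findings list plus a notAfter date well in the future is the expected result for the configuration above.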
Additional stuff. The above is enough to make the XMPP server run for text.
If voice is required, you need to configure DNS as described here:
https://www.process-one.net/blog/how-to-set-up-ejabberd-video-voice-calling/.
DNS is normally configured using the control panel of the domain registrar.
The TLS certificate managed by certbot is renewed every 90 days. This is an
automatic process, but the ejabberd server must know when the certificate has
changed. This can be done using a deploy hook. Just create the hook file
reloadxmpp.sh (the file name can be anything):
sudo mcedit /etc/letsencrypt/renewal-hooks/deploy/reloadxmpp.sh
and add the following commands:
#!/bin/sh
ejabberdctl reload_config
This file must be executable, so issue this command:
sudo chmod ugo+x /etc/letsencrypt/renewal-hooks/deploy/reloadxmpp.sh
The last note on the server is that it should be regularly updated for bug
fixes and security updates. This is done automatically by the
unattended-upgrades package installed above. Yet it is good practice to log
in regularly over ssh, check the logs and update the system:
sudo apt update -y && sudo apt-get upgrade -y
3. Configure the XMPP users and client application
Register new users. First, you need to register the XMPP users. The quickest
method is to use the command line on the server; the ejabberdctl command has
advanced functions.
A secure random password can be generated with pwgen, e.g. the following
generates passwords with 18 symbols:
It normally generates an array of possible passwords to choose from.
Now, register the user myname; it is the admin user configured in the main
configuration file /etc/ejabberd/ejabberd.yml above.
# user domain password
sudo ejabberdctl register myname myownchat.ptchat.net pee8chogh9Heel6hei
Other users can be registered similarly. Note that the full user name for
XMPP has the same format as an email address: myname@myownchat.ptchat.net.
This is due to the federated nature of both systems: you need to know both
the user and the server with whom to communicate.
For this example let's register two additional users:
sudo ejabberdctl register john.dow myownchat.ptchat.net ohyeeLeefo9yief4gu
sudo ejabberdctl register anna.karenina myownchat.ptchat.net hejo7phiy2iFeW9She
Use! The final step is to configure the client program on the user's device.
The biggest difficulty at this step is the abundance of choice. For any major
platform, one can choose any of the many available XMPP client programs.
Some email programs, e.g. Thunderbird, also support XMPP (although only a
limited subset of features). Check out https://xmpp.org. The configuration
for the client is simple:
- Server: your server, in the example above it is myownchat.ptchat.net
- User name: your user name. In the example used above, it can be myname
Note that the option to create a new account must NOT be enabled, as the
account has already been created on the server and in-band registration
(mod_register, see above) is disabled for security.
Some programs accept the full user name without specifying user and domain
separately. Then the user is just myname@myownchat.ptchat.net. If you plan
to use peer-to-peer (bytestream) file transfer (this is not mandatory), you
should also find where the file transfer proxy is configured and set it to
the proxy subdomain; for our example it is proxy.myownchat.ptchat.net. And
that is all for the basic client configuration.
I recommend the Blabber XMPP application for devices running Android. Yaxim
is the best option for minimalists: it is notoriously miniature (only a few
megabytes) and works great even on the oldest and weakest devices. Miranda NG
is a powerful XMPP client program for Windows. There are also a few web-based
clients, https://conversejs.org/ and https://web.xabber.com/, that you can
try right away without installing anything.
The final step is to fill the contact list (called the roster) with the
addresses of the people (or maybe devices, because XMPP can easily be
configured for bots accepting commands). Just remember that the address is
the full name as in email: user@server.domain. One useful option is so-called
Shared roster groups: then you can configure a group of contacts without the
need to add them manually.
Happy chatting!
Further
There are many advanced options and possibilities in ejabberd. Just check
the official web site https://www.ejabberd.im/ and the documentation at
https://docs.ejabberd.im/.
There are also a few useful tutorials, e.g.
https://www.process-one.net/blog/how-to-move-the-office-to-real-time-im-on-ejabberd/