<p>Sergey Budaev, <a href="https://budaev.info/">https://budaev.info/</a></p>
<h1><a href="https://budaev.info/a-year-with-mikrotik-router.html">A year with Mikrotik router</a></h1>
<p>2024-03-19, Sergey Budaev</p>
<p>I use <a href="https://www.nextgentel.no/">NextGenTel</a> with a fibre broadband connection
as my home Internet provider. The line works fairly well, with
no interruptions. I have been using a <a href="https://mikrotik.com/product/hap_ax2">Mikrotik router</a>
for nearly a year now and have not experienced a single interruption.
No hanging Internet, no problems at all. I nearly forgot that it is
here.</p>
<p><img alt="Year traffic plot" src="images/traff-yearly.gif" title="Year traffic plot"></p>
<p><img alt="Mikrotik" src="images/mikrotik.jpg" title="Mikrotik"></p>
<p>What I love about Mikrotik is <a href="https://help.mikrotik.com/docs/display/ROS/RouterOS">RouterOS</a>, a
professional operating system with tons of configurability and
fine tuning. You can tweak any aspect and configure a variety of
services. For example, VPNs with different protocols for connecting
into the local home network are easy to configure using the <a href="https://help.mikrotik.com/docs/display/ROS/">Mikrotik
documentation</a>.
<a href="https://help.mikrotik.com/docs/display/ROS/Queues">Queues</a> are a nice
configuration feature to control and manage the bandwidth given to
devices in the local network. There is also quite advanced
<a href="https://help.mikrotik.com/docs/display/ROS/Scripting">scripting</a> that can
be used to do many interesting things. I do not recommend Mikrotik to an
average user, however, because RouterOS has a professional interface with
too many options and details: you need to understand what you are doing.
<a href="https://mikrotik.com/">Mikrotik</a> is a <a href="https://www.latvia.eu/business-innovation/export/mikrotik/">Latvian company</a>
that makes a lot of professional carrier-grade
<a href="https://mikrotik.com/products">equipment</a>, all of which runs the same OS.</p>
<p>The previous router provided by NextGenTel was a pure disaster. I in fact
used <a href="https://hjelp.nextgentel.no/no_NO/-finn-din-ruter/-inteno-dg150">two</a>
<a href="https://hjelp.nextgentel.no/no_NO/-finn-din-ruter/inteno-dg200">different</a>
units of the same make: <em>Inteno.</em></p>
<p><img alt="Inteno shit router" src="images/router-ngt-inteno.jpg" title="Inteno shit router"></p>
<p>This shit router tended to hang at least once or twice a week, leaving no
connection. The NextGenTel support was useless, with the routine advice to
reboot the router. Rebooting did help, until the next hang, maybe the
next day. Rebooting is not a fix for bad hardware. It is so weird that
they supply their users with this shit when the competition between
providers is so intense. Many people would not figure out that it is
the router that is so bad, and will blame NextGenTel as a whole and
switch to another provider. Shame, NextGenTel.</p>
<p>But if you subscribe to the <a href="https://www.nextgentel.no/produkter/telefoni">home telephone</a>
line with NextGenTel, then you are out of luck, because the telephone is
served by the Inteno router, which also includes a <a href="https://en.wikipedia.org/wiki/Session_Initiation_Protocol">SIP</a>
service via a built-in <a href="https://www.asterisk.org/">Asterisk</a> server pre-configured
by the provider. The only solution is then to torture NextGenTel with service
requests and have the router replaced. (But, of course, a better alternative is
to set up your own Asterisk-based SIP VoIP server with trunks from any of the
many available SIP providers; this will be a much more flexible and
cost-effective solution.)</p>
<h1><a href="https://budaev.info/shit-happens-det-kommer-garantert-til-a-skje-hvis-dumhet-gjentas.html">Shit happens: it is guaranteed to happen if stupidity is repeated</a></h1>
<p>2023-12-31, Sergey Budaev</p>
<p><strong>Shit happens.</strong> That is trivial wisdom. Often it is a direct consequence
of a single stupid thing. In many cases little can be done to prevent
it from happening. Anyway, the probability is assumed to be very low. The catastrophe is
unpredictable. It is an accident, completely random. Right?</p>
<p><img alt="The laptop keyboard is covered with coffee (or soda). Oh shit..." src="images/spill-mac.jpg" title="The laptop keyboard is covered with coffee (or soda). Oh shit..."></p>
<p>That holds for a single event. Perhaps a single act
of stupidity or clumsiness... But if the foolishness is repeated (e.g. if it is a
<em>habit</em>) the situation is completely different. The probability of shit
happening is now</p>
<p><img alt="P(1|n)=1-(1-p)^n" src="images/eq-shit-01.svg" title="P(1|n)=1-(1-p)^n"></p>
<p>here <em>P(1|n)</em> is the probability that shit happens at least once in a group
of <em>n</em> events; each event has the chance <em>p</em> (very low!) of happening, and <em>n</em>
is the number of events.</p>
<p>For example, if the chance of a single accident is as low as 0.01 and
the number of stupid actions is 365 (just once a day over the course of a year),
the chance that shit happens during this time becomes</p>
<p><img alt="1-(1-0.01)^365=0.97" src="images/eq-shit-02.svg" title="1-(1-0.01)^365=0.97"></p>
<p><strong>It is almost certain that shit happens at least once in the course of a year.</strong></p>
<ul>
<li>
<p>Do you usually drink coffee/soda/smoothie/wine at your laptop?
Prepare to replace the keyboard. It will happen.</p>
</li>
<li>
<p>Used to texting while driving? Do you have good insurance?</p>
</li>
<li>
<p>Often run across the road in front of a truck/bus/car? It is time to order
crutches (or even a coffin) in advance.</p>
</li>
</ul>
<h1><a href="https://budaev.info/telefonen-til-et-barn.html">A child's phone</a></h1>
<p>2023-11-05 (updated 2023-12-28), Sergey Budaev</p>
<p>Do not let your child become a smartphone zombie.</p>
<p>Both adults and children are becoming increasingly dependent on their smartphones. A
funny term for such addicts is smartphone zombie. But this is
not funny. In fact, <strong>smartphones kill.</strong> For example, there has
been an increase in the number of child deaths because the children sit glued
to their phones:</p>
<ul>
<li><a href="https://www.ibtimes.co.uk/smartphone-zombies-child-road-deaths-spike-because-kids-are-glued-their-phones-1604722">Smartphone zombies: Child road deaths spike because kids are glued to their phones</a></li>
</ul>
<p>More and more children now own smartphones. Almost all teenagers
own a smartphone in Norway, the United Kingdom, the USA and many other
countries. Smartphone addiction is a worldwide plague (<a href="https://doi.org/10.1016/j.chb.2021.107138">Olson et al.,
2022</a>).</p>
<p><img alt="Smartphone zombie sign" src="images/smartphone-zombie.jpg" title="Smartphone zombie sign"></p>
<p>However, research shows that smartphone addiction leads to a range of
serious psychological, health and well-being problems, including neurological
disorders (e.g. <a href="https://doi.org/10.3390/ijerph182212257">Ratan et al., 2022</a>;
<a href="https://doi.org/10.3390/healthcare11010014">Achangwa et al., 2023</a>). Many
studies show that smartphone use negatively affects
students' academic performance (e.g. <a href="https://doi.org/10.1016/j.ijer.2020.101618">Amez &
Baert, 2020</a>; <a href="https://doi.org/10.1016/j.lindif.2021.102035">Sapci
et al., 2021</a>).</p>
<p>Your smartphone is a dedicated spying device, but even more worrying
is the fact that apps targeted at children track and collect personal
data and upload it to unknown third parties (e.g.
<a href="https://blues.cs.berkeley.edu/wp-content/uploads/2018/04/popets-2018-0021.pdf">Reyes et al., 2018</a>).
But it is not only about data and advertising. Smartphones can
directly affect the physical safety of children. A Russian study indicated
that almost 50% of children make new acquaintances on social media and 36%
of them meet these new people in real life afterwards (<a href="https://www.kaspersky.ru/about/press-releases/2022_pochti-chetvert-zayavok-v-druzya-deti-poluchayut-ot-vzroslyh-polzovatelej">Kaspersky Lab,
2022</a>).</p>
<p>We must resolve a trade-off between the need to communicate with our children
and avoiding addiction. <strong>So what is the solution? I think it is a combination
of an old-style (but not outdated!) button phone and a large tablet.</strong></p>
<h2>Button phones are classic, but not outdated!</h2>
<p><img alt="Cool buttonphone" src="images/buttonphone-ascii.svg" title="Cool buttonphone"></p>
<p>The advantages of a button phone, in addition to it hardly causing addiction,
include</p>
<ul>
<li>
<p><strong>BATTERY</strong> lasts long or very long; no need to think about
charging, and there is little risk of being left with a dead, discharged phone
at the most inconvenient moment. The battery does not die in the cold. The battery
is removable and can easily be replaced. There is no risk that the child
will drain the battery by intense gaming on the phone. It
will not happen at the worst moment, for example when he or she needs
help from the parents.</p>
</li>
<li>
<p><strong>SECURITY:</strong> there is no constant connection to the Internet; important data,
passwords, personal documents and credit card data are not stored on the phone:
there is no risk of leaks or hacking, even if the phone is lost
or stolen. The location cannot be tracked and leaked. Many hackers and
security experts do not carry smartphones. <em>But the button phone serves
its main function, communication, perfectly.</em></p>
</li>
<li>
<p><strong>PRICE:</strong> the phone is cheap, do not worry about it; it is easy to replace if
it is broken, lost or drowned. This is especially important since you
always have the phone with you. Children are often careless and can break things.</p>
</li>
<li>
<p><strong>PHYSICAL STRENGTH:</strong> A small screen, sturdy phone; it does not break at
the slightest fall and is less exposed to water. I have had a phone that
was washed in a washing machine and kept working afterwards.</p>
</li>
<li>
<p><strong>PHYSICAL BUTTONS</strong> <a href="https://news.usni.org/2019/08/09/navy-reverting-ddgs-back-to-physical-throttles-after-fleet-rejects-touchscreen-controls">are still one of the best
user interfaces</a>,
convenient to use. You can configure one-key speed dial. Buttons are
also easier to use with gloves in cold weather.</p>
</li>
<li>
<p><strong>SIZE:</strong> a small phone fits easily in the pocket. It is just practical.</p>
</li>
<li>
<p><strong>NOT OBSOLETE:</strong> a push-button phone can be regarded as <em>a "physical
app"</em> that does not become obsolete and simply always works without
requiring constant "updates."</p>
</li>
</ul>
<p>The button phone is often seen as something simple and boring, even though it
is not entirely outdated. But there are a few modern, elegant designer phones,
for example <strong><a href="https://www.punkt.ch/">Punkt</a></strong> (overpriced!).</p>
<h2>Tablets give a much better user experience</h2>
<p>But we cannot deprive our children of the Internet, gaming communication with friends
and everything else a smartphone gives! True enough, but there is a better
device than the smartphone: the tablet.</p>
<p><img alt="Tablet for the young" src="images/tablet-ynge.png" title="Tablet for the young"></p>
<ul>
<li>
<p><strong>LARGE SCREEN:</strong> the tablet has a large screen that gives a much better
user experience for all uses: Internet, video, games, drawing,
writing and even audio calls. A large screen simply cannot be compared
with the small screen stub of a typical smartphone. It is much better for
all kinds of creative activities.</p>
</li>
<li>
<p><strong>LOWER IS BETTER:</strong> It is not so easy to take a tablet with you all the
time. In other words, availability is lower and there is a small
cost associated with using it. In fact, you have to go to the charger or a
table, take the tablet and only then use it. That is a rather big
difference from the smartphone, which is often always in the pocket. This makes
it less likely that you become addicted to a tablet.</p>
</li>
<li>
<p><strong>BIG AND NOTICEABLE:</strong> Tablet use is easier to notice. This
also makes it easier for parents to monitor and control their children's
tablet use.</p>
</li>
</ul>
<h2>Conclusion</h2>
<p>The conclusion is this: <strong>instead of a smartphone, it is advisable
to give your child a basic button phone to carry with them. But
they should also own a tablet at home to use for the Internet, videos,
games, studies and everything the smartphone is normally used for.</strong></p>
<h3>Recommended reading</h3>
<ul>
<li>Gabrielsen, Bjørn (2020) Skjermslaver: hva skjermene har gjort med oss,
og hva vi kan gjøre med dem. Kagge (ISBN: 9788248925231).</li>
</ul>
<h1><a href="https://budaev.info/xmpp-server-on-1-2-3.html">XMPP server on 1-2-3</a></h1>
<p>2023-10-10, Sergey Budaev</p>
<p>How to set up one's own XMPP messaging server and not be used by Facebook/Telegram/Microsoft/Snapchat etc.</p>
<p>Messaging continues to be on the rise. The new generation is more willing to
send texts than to call. Communicating with an instant messenger has a
unique advantage over good old email: you can easily send replies
to replies quickly, resulting in a dialogue. But there is a serious problem:
many of the instant messengers are commercial products that work such that
their "users" are in fact the exploitable resource, having no control or
choice.</p>
<p>Most corporations are fair providers of various products and services we
can buy. But not the "Big Tech" that offer "free applications," including
instant messengers. There is, obviously, nothing free on Earth. Then,
<strong>if you do not pay, you are the product, not the customer.</strong> The Big
Tech corporations <a href="https://www.wired.com/story/ways-facebook-tracks-you-limit-it/">exploit the "end-users" to suck out private data</a>,
often for further resale. Nearly all of these messengers have a centralised
architecture, and the user's account is linked to a telephone number,
completely destroying privacy. The link to the telephone number is also
very inconvenient, because you cannot get several accounts easily: this
requires obtaining several mobile subscriptions. It is just illogical,
expensive and silly. A centralized architecture dictates that the
communication is kept on the corporate servers,
so <a href="https://www.vice.com/en/article/xwnva7/snapchat-employees-abused-data-access-spy-on-users-snaplion">theoretically many employees can read
messages by abuse</a>.</p>
<p>Some of the products are advertised as end-to-end encrypted. But nearly
all of them are closed source, so there is no way to check how this is
implemented and if and when the service owner can have access to private
message content. Moreover, we have evidence for the opposite. Many
so-called "end-to-end encrypted" messages <a href="https://arstechnica.com/gadgets/2021/09/whatsapp-end-to-end-encrypted-messages-arent-that-private-after-all/">are actually read by AI and human
contractors</a>.
Even if communication is technically end-to-end encrypted, the company owns
and fully controls the server, the client application and the network traffic, so
a <strong>man-in-the-middle attack</strong> by silently changing certificates is possible
(e.g. in the context of lawful intercept, or unlawful abuse). <strong>Metadata</strong>
(technical information about all aspects of communication,
including the addressees, their locations, IP addresses, telephone numbers
etc.) is always accessible to the service. But metadata is often even
more informative than the message content. How such metadata is used is
typically unclear. The user has no authority here at all.</p>
<p>Nearly all of these messaging systems have a closed proprietary protocol. This
means that how you use the product is completely controlled by the owner
company. The only way to use the product is with the <strong>official application.</strong>
You cannot choose for yourself which application program to use. This
is fundamentally different from email, for example, where you can use the
provider's web interface, its mobile app or any of the many available email
applications such as <a href="https://www.thunderbird.net/en-US/">Thunderbird</a> or
<a href="https://k9mail.app/">K-9 Mail</a>. With such a third-party application you
can easily consolidate several email accounts in one place and easily make
use of the functionality the provider does not offer, such as <a href="https://emailselfdefense.fsf.org/en/infographic.html">end-to-end
encryption</a>. Another
major problem is monopoly and lack of interoperability. The "users" (in
reality, the exploited resource) are completely restricted to the owner's
platform and are unable to communicate with the other (especially competing)
platforms (e.g. Facebook to Snapchat) as a way to keep users within the silo.
This is as if you were unable to call/send sms across different mobile
operators. And this is silly. To break down monopoly, ensure fairer
competition and interoperability across the services, the EU has developed
the <strong><a href="https://digital-markets-act.ec.europa.eu/index_en">Digital Markets Act (DMA) regulation</a>.</strong>
This is a big step, but it does not solve many of the problems with
centralization, privacy and regular <a href="https://www.eff.org/deeplinks/2021/04/553000000-reasons-not-let-facebook-make-decisions-about-your-privacy">security flaws</a>.</p>
<h2>Take back your freedom, privacy and security</h2>
<p>So, why use the restricted, inconvenient, monopolistic, insecure and non-private platforms for
the trivial task of sending instant messages? There are several ways
to configure one's own privately controlled instant messaging system:
<a href="https://xmpp.org/">XMPP</a> and <a href="https://matrix.org">Matrix</a>. XMPP is
lightweight and more private, yet covers all the typical instant communication
purposes: text, file share and voice. Moreover, XMPP servers are by default
<a href="https://en.wikipedia.org/wiki/Federation_(information_technology)">federated</a>:
it is easy to send messages across the different servers like in the
email. There are <a href="https://xmpp.org/software/">many different applications for all operating systems and
platforms</a> the user can choose.</p>
<p>It is very easy to set up one's own XMPP server for a small group,
<a href="https://www.process-one.net/blog/how-to-move-the-office-to-real-time-im-on-ejabberd/">company</a>,
<a href="https://budaev.info/xmpp-en-ideell-direktemeldingssystem-for-et-familie.html">the family</a> or just an individual. You will need
two things:</p>
<ul>
<li>
<p><strong>Server</strong> that will be the central hub for the communication network, running
24x7. This can be anything, from a Raspberry Pi in a cupboard to a <a href="https://en.wikipedia.org/wiki/Virtual_private_server">Virtual
Private Server</a>
(VPS) somewhere in a data centre or just an old PC running in your
basement. A small-scale VPS suitable for an XMPP server can be very cheap,
up to about three Euro per month. There exist even cheaper options, such as
<a href="https://mrvm.net/lxc/">EUR 6 per year</a>. There are also dedicated search engines
to help locate cheap VPS, e.g. <a href="https://lowendbox.com/category/virtual-servers,dedicated-servers,reseller-hosting,shared-hosting,special-offers,seedbox-offers,community-offers,vpn/">LowendBox</a>
and <a href="https://www.serverhunter.com/#query=stock%3Ain_stock+virtualization%3A%28none+OR+hyperv+OR+kvm+OR+lxc+OR+xen+OR+vmware%29">ServerHunter</a>.
A typical operating system running on the server is Linux (very secure,
highly configurable, free and open source).</p>
</li>
<li>
<p><strong>Domain name</strong> that needs to be used to connect to the XMPP server. Domain
can be registered to the user (e.g. <code>myname.no</code>), which costs about
30 Euro yearly. But a sub-domain can be obtained for free using the
<a href="https://freedns.afraid.org">https://freedns.afraid.org</a> or similar
"free DNS" services. In the latter case you might have something like
<code>myownchat.mooo.com</code> or <code>myownchat.ptchat.net</code>. It is possible to run the
XMPP server purely on IP address even without domain name, but it is much
less convenient (e.g. then federation with other servers is lost).</p>
</li>
</ul>
<p>Given you have got a server (VPS or dedicated machine) and the domain,
configuring an XMPP server can be done in 1-2-3. There exist several Linux
variants (distributions) with different management commands (usually for
installing software). I assume <strong><a href="https://www.debian.org/">Debian Linux</a></strong>
is used below (the same commands also work for Ubuntu and other Debian-based
Linux systems).</p>
<h2>1. Install XMPP server software</h2>
<p><strong>Login.</strong> When you have got a server of any kind, you need to <strong>log in</strong>
to it, typically with <code>ssh</code>:</p>
<div class="highlight"><pre><span></span>ssh debian@1.2.3.4
</pre></div>
<p>here the user name on the server is <code>debian</code> and the server IP
is <code>1.2.3.4</code>. Typically, you may need to create an ssh key and
upload it to the server to authenticate (refer to the server documentation, e.g.
<a href="https://www.digitalocean.com/community/tutorials/how-to-configure-ssh-key-based-authentication-on-a-linux-server">this</a>).
I assume logging in is not a problem.</p>
<p><strong>Prepare server.</strong> First of all, update the software on the new server</p>
<div class="highlight"><pre><span></span>sudo apt update -y <span class="o">&&</span> sudo apt-get upgrade -y
</pre></div>
<p>Install some useful monitoring and security-enhancing utilities</p>
<div class="highlight"><pre><span></span>sudo apt install -y mc htop atop nload nmon tree zip pwgen fail2ban dnsutils iptables-persistent locate unattended-upgrades
</pre></div>
<p>Install <a href="https://certbot.eff.org/">certbot</a>, a system that manages the
<a href="https://en.wikipedia.org/wiki/Public_key_certificate">TLS certificates</a>
for secure connection</p>
<div class="highlight"><pre><span></span>sudo apt -y install certbot
</pre></div>
<p>Install the <a href="https://www.ejabberd.im/">ejabberd</a> server, which is very
reliable and light on resources</p>
<div class="highlight"><pre><span></span>sudo apt install ejabberd
</pre></div>
<p><strong>Firewall.</strong> To allow incoming network access to this server by the XMPP
clients and also third-party servers, you need to configure
the <strong>firewall rules</strong> on the server. This can be done differently in different
installations. For example, some VPS providers let you do this through a friendly web
interface. The standard Linux firewall is configured via <code>iptables</code>.</p>
<p>The XMPP system requires incoming access via ports 5222, 5223, 5269, 5443,
5280 and 3478. To determine the ports, refer to the listen section of the XMPP
configuration file below.</p>
<div class="highlight"><pre><span></span> sudo iptables -A INPUT -p tcp --dport <span class="m">5222</span> -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -p tcp --dport <span class="m">5223</span> -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -p tcp --dport <span class="m">5269</span> -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -p tcp --dport <span class="m">5443</span> -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -p tcp --dport <span class="m">5280</span> -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
<span class="c1"># STUN is over udp</span>
sudo iptables -A INPUT -p udp --dport <span class="m">3478</span> -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
</pre></div>
<p><a name="bytestream"></a></p>
<p>The port 7777 is used for a proxy for peer-to-peer (bytestream) file
transfer. If peer-to-peer file sharing is intended for use, an additional
rule should be set allowing incoming connections:</p>
<div class="highlight"><pre><span></span>sudo iptables -A INPUT -p tcp --dport <span class="m">7777</span> -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
</pre></div>
<p>To see what firewall rules are in effect issue this:</p>
<div class="highlight"><pre><span></span>sudo iptables -L --line-numbers
</pre></div>
<p>It makes sense to save the iptables rules so they automatically take
effect again after a reboot (the redirect is performed by your own shell, so
it needs root too):</p>
<div class="highlight"><pre><span></span>sudo iptables-save | sudo tee /etc/iptables/rules.v4 > /dev/null
</pre></div>
<h2>2. Configure your XMPP server</h2>
<p><strong>Secure connection certificate.</strong> Get a free
<a href="https://letsencrypt.org/">Let's Encrypt</a>
<a href="https://en.wikipedia.org/wiki/Transport_Layer_Security">TLS certificate</a>.
I assume you have got a free domain <code>myownchat.ptchat.net</code> from
<a href="https://freedns.afraid.org">https://freedns.afraid.org</a>.</p>
<blockquote>
<p>Note that ejabberd can manage (issue and update) TLS certificates on its
own, but this needs some configuration as described in the
<code>acme</code> configuration option:
<a href="https://docs.ejabberd.im/admin/configuration/basic/#acme">https://docs.ejabberd.im/admin/configuration/basic/#acme</a>.
An advantage of the standalone certificate management system (as here) is
that it is slightly less tricky and can easily be used with a
<strong>web server</strong> on the same machine.
Why not also configure a web server for a small static web site here?
Ejabberd is very lightweight and will happily coexist with many other
servers running on the same machine.</p>
</blockquote>
<div class="highlight"><pre><span></span> sudo certbot --standalone certonly -d myownchat.ptchat.net
</pre></div>
<p>This command will ask a few questions and issue a TLS certificate. This process
is done over http so http port 80 must allow incoming connections. If this is
not so, use the following command:</p>
<div class="highlight"><pre><span></span> sudo iptables -A INPUT -p tcp --dport <span class="m">80</span> -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
</pre></div>
<p>Do not forget to save iptables rules with the <code>iptables-save</code> as above.</p>
<p>The certificate files <code>fullchain.pem</code> and <code>privkey.pem</code> are located in the
<code>/etc/letsencrypt/live/myownchat.ptchat.net/</code> directory.</p>
<p>For the sake of security, the certificate directories are by default not
accessible to anyone except the admin (root) user. But this prevents the XMPP
server ejabberd from accessing the certificate. This can be easily fixed with the
following commands.</p>
<p>First, add ejabberd to the root group</p>
<div class="highlight"><pre><span></span>sudo adduser ejabberd root
</pre></div>
<p>Second, allow access to the certificate directories to the group</p>
<div class="highlight"><pre><span></span>sudo chmod g+rx /etc/letsencrypt/live/myownchat.ptchat.net
sudo chmod g+rx /etc/letsencrypt/live
sudo chmod g+rx /etc/letsencrypt/
</pre></div>
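An added helper script for the firewall and certificate steps above (not from the original post): it emits the iptables rules for the ports the post lists in a form that does not duplicate them on a second run, and checks that the three Let's Encrypt directories are group-readable, which is the state the chmod commands above produce. The port list, the <code>/etc/letsencrypt/live/DOMAIN</code> layout and the domain <code>myownchat.ptchat.net</code> come from the post; the function names and the <code>DRY_RUN</code> switch are my own.

```shell
#!/bin/sh
# Added helper (not part of the original post): firewall rules for the XMPP
# ports listed in the post, plus a check of the Let's Encrypt directory
# permissions that ejabberd needs to read its certificate.

# Port list from the post. 7777 (bytestream file-transfer proxy) is optional;
# append "tcp:7777" if peer-to-peer file transfer is used.
XMPP_PORTS="tcp:5222 tcp:5223 tcp:5269 tcp:5443 tcp:5280 udp:3478"

# For each proto:port pair, check with "iptables -C" whether the rule already
# exists and append it only if it does not, so re-running is safe.
# With DRY_RUN=1 the commands are printed instead of executed; otherwise run
# as root (or prefix the printed commands with sudo).
xmpp_fw_rules() {
    for spec in $1; do
        proto=${spec%%:*}
        port=${spec#*:}
        rule="INPUT -p $proto --dport $port -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT"
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "iptables -C $rule 2>/dev/null || iptables -A $rule"
        else
            iptables -C $rule 2>/dev/null || iptables -A $rule
        fi
    done
}

# Returns 0 when BASE, BASE/live and BASE/live/DOMAIN are all group-readable
# and searchable (g+rx), i.e. what the three chmod commands above set for
# /etc/letsencrypt; otherwise reports the first offending directory and
# returns 1. The post puts the ejabberd user in the root group; a dedicated
# group owning these directories is a narrower grant, and this check is the
# same either way.
cert_dirs_group_readable() {
    base=$1
    domain=$2
    for d in "$base" "$base/live" "$base/live/$domain"; do
        # find -prune keeps the test on the directory itself; -perm -g+rx
        # requires both group bits to be set.
        if [ -z "$(find "$d" -prune -type d -perm -g+rx 2>/dev/null)" ]; then
            echo "not group-readable: $d" >&2
            return 1
        fi
    done
    return 0
}

# Stand-alone usage: ./xmpp-check.sh --check [domain]
if [ "${1:-}" = "--check" ]; then
    DRY_RUN=1 xmpp_fw_rules "$XMPP_PORTS"
    cert_dirs_group_readable /etc/letsencrypt "${2:-myownchat.ptchat.net}"
fi
```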
<p><strong>Configure ejabberd.</strong> Once the preparations are done, it is time to
<em>configure the ejabberd</em> messaging server. Edit the configuration file
(assuming the <em>mcedit</em> text editor is used)</p>
<div class="highlight"><pre><span></span>sudo mcedit /etc/ejabberd/ejabberd.yml
</pre></div>
<p>This is a long configuration file that may look scary. But in fact only a few
changes are required to get the server running with the default options. But
note that the indentation is important; try to keep it as in the original file.</p>
<p>Any line starting with <code>#</code> is considered a comment, this can be easily used
to disable specific options by "commenting them out."</p>
<p>First, set up the host name that is used for the server, it is the same as
the domain:</p>
<div class="highlight"><pre>hosts:
  - myownchat.ptchat.net
</pre></div>
<p>Second, configure the location of the TLS certificates that are used by the
server:</p>
<div class="highlight"><pre>certfiles:
  - "/etc/letsencrypt/live/myownchat.ptchat.net/fullchain.pem"
  - "/etc/letsencrypt/live/myownchat.ptchat.net/privkey.pem"
</pre></div>
<p>Configure the admin users who can manage the XMPP server:</p>
<div class="highlight"><pre>acl:
  admin:
    user:
      - ""
      - "myname": "myownchat.ptchat.net"
</pre></div>
<p>Then, add configuration for http-file-upload module that will allow file
sharing (sending files):</p>
<div class="highlight"><pre>  mod_http_upload:
    put_url: https://@HOST@:5443/upload
    custom_headers:
      "Access-Control-Allow-Origin": "https://@HOST@"
      "Access-Control-Allow-Methods": "GET,HEAD,PUT,OPTIONS"
      "Access-Control-Allow-Headers": "Content-Type"
</pre></div>
<p>It is convenient to keep the latest messages on the server; this is done with
the "mam" module:</p>
<div class="highlight"><pre>  mod_mam:
    assume_mam_usage: true
    default: always
</pre></div>
<p>Ejabberd supports several other communication protocols in addition to
XMPP. For example, it also works with <a href="https://mqtt.org/">MQTT</a> that is
typically used for IoT devices. If this functionality is not used,
just comment out the MQTT module to disable it.</p>
<div class="highlight"><pre>  # mod_mqtt: {}
</pre></div>
<p>The STUN and TURN protocols are mainly used for voice calls and need the
actual IP address of the server (replace with your server's IP address):</p>
<div class="highlight"><pre>  -
    port: 3478
    ip: "::"
    transport: udp
    module: ejabberd_stun
    use_turn: true
    ## The server's public IPv4 address:
    turn_ipv4_address: "1.2.3.4"
</pre></div>
<p><a name="mod_register"></a></p>
<p>An important issue is whether to allow anonymous registration of new users.
I strongly recommend not allowing this, for security reasons. For a small
private server, you will normally add users manually and set their initial
passwords. Every user can then change the password within the client program. So
you need to disable <code>mod_register</code> by commenting it out:</p>
<div class="highlight"><pre><span></span>  <span class="c1"># mod_register:</span>
  <span class="c1">#   ## Only accept registration requests from the "trusted"</span>
  <span class="c1">#   ## network (see access_rules section above).</span>
  <span class="c1">#   ## Think twice before enabling registration from any</span>
  <span class="c1">#   ## address. See the Jabber SPAM Manifesto for details:</span>
  <span class="c1">#   ## https://github.com/ge0rg/jabber-spam-fighting-manifesto</span>
  <span class="c1">#   ip_access: trusted_network</span>
</pre></div>
<p><strong>Start the server!</strong> <em>That is all the minimal configuration.</em> Now it's time to
<strong>start the server:</strong></p>
<div class="highlight"><pre><span></span>sudo systemctl start ejabberd
</pre></div>
<p>If there are any errors and the server fails to start, the Linux system logs can be
inspected with this command:</p>
<div class="highlight"><pre><span></span>sudo journalctl -xe
</pre></div>
<p>or logs for only ejabberd:</p>
<div class="highlight"><pre><span></span>sudo journalctl -xe --unit ejabberd
</pre></div>
<p><strong>Additional stuff.</strong> The above is enough to get the XMPP server running for
text messaging. If voice is required, you also need to configure DNS as described here:
<a href="https://www.process-one.net/blog/how-to-set-up-ejabberd-video-voice-calling/">https://www.process-one.net/blog/how-to-set-up-ejabberd-video-voice-calling/</a>.
DNS is normally configured using the control panel of the domain registrar.</p>
<p>The TLS certificate that is managed by <a href="https://certbot.eff.org/">certbot</a>
is renewed every 90 days. This is an automatic process, but the ejabberd
server must be told when the certificate changes. This can be done with a certbot
deploy hook. Just create the hook file <code>reloadxmpp.sh</code> (the file name can be
anything):</p>
<div class="highlight"><pre><span></span> sudo mcedit /etc/letsencrypt/renewal-hooks/deploy/reloadxmpp.sh
</pre></div>
<p>and add the following commands:</p>
<div class="highlight"><pre><span></span> #!/bin/sh
ejabberdctl reload_config
</pre></div>
<p>This file must be executable, so issue this command:</p>
<div class="highlight"><pre><span></span> sudo chmod ugo+x /etc/letsencrypt/renewal-hooks/deploy/reloadxmpp.sh
</pre></div>
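<p>A slightly more defensive version of this hook, added here as an example (it is
not the page's script and not something shipped with ejabberd or certbot): certbot
runs deploy hooks with the environment variables <code>RENEWED_LINEAGE</code> (the
directory of the renewed certificate) and <code>RENEWED_DOMAINS</code> (the names it
covers) set, so the hook can reload ejabberd only when the XMPP domain or one of
its subdomains was actually renewed, and record the decision in syslog. The
domain <code>myownchat.ptchat.net</code> is the page's example; the
<code>XMPP_DOMAIN</code> and <code>EJABBERDCTL</code> variables and the
<code>should_reload_for</code> function are this example's own names.</p>

```shell
#!/bin/sh
# Certbot deploy hook for ejabberd (example script, not the page's own).
# Certbot runs deploy hooks once per renewed certificate with these
# environment variables set:
#   RENEWED_LINEAGE  - directory of the renewed certificate
#                      (e.g. /etc/letsencrypt/live/<name>)
#   RENEWED_DOMAINS  - space-separated list of domain names it covers
set -eu

# The XMPP domain served by ejabberd (page's example domain; adjust to yours).
XMPP_DOMAIN="${XMPP_DOMAIN:-myownchat.ptchat.net}"
# Path of ejabberdctl; overridable so the script can be exercised without ejabberd.
EJABBERDCTL="${EJABBERDCTL:-ejabberdctl}"

# should_reload_for RENEWED_DOMAINS XMPP_DOMAIN
# Returns 0 (true) when the renewed certificate covers the XMPP domain
# itself, one of its subdomains (conference., proxy., upload., ...), or a
# wildcard for it; these are the names ejabberd actually serves.
# Quoted variables inside a case pattern match literally, so a renewed
# "notmyownchat.ptchat.net" does not match.
should_reload_for() {
    renewed="$1"
    domain="$2"
    for name in $renewed; do
        case "$name" in
            "$domain"|*."$domain") return 0 ;;
        esac
    done
    return 1
}

# Only act when invoked by certbot (RENEWED_LINEAGE is set). Run by hand,
# the script does nothing, which keeps it safe to test.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    if should_reload_for "${RENEWED_DOMAINS:-}" "$XMPP_DOMAIN"; then
        logger -t reloadxmpp "certificate in $RENEWED_LINEAGE renewed; reloading ejabberd"
        "$EJABBERDCTL" reload_config
    else
        logger -t reloadxmpp "renewal of ${RENEWED_DOMAINS:-} does not affect $XMPP_DOMAIN; nothing to do"
    fi
fi
```

<p>Save it under the same hook path and make it executable as above. A server that
also has certbot certificates for unrelated web sites then no longer reloads
ejabberd for every renewal, and <code>journalctl -t reloadxmpp</code> shows what each
run decided.</p>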
<p>The last note on the server is that it should be updated regularly for
bug fixes and security updates. This is done automatically by installing
<code>unattended-upgrades</code> above. Still, it is good practice to log in regularly
over ssh, check the logs and update the system:</p>
<div class="highlight"><pre><span></span>sudo apt update && sudo apt upgrade -y
</pre></div>
<h2>3. Configure the XMPP users and client application</h2>
<p><strong>Register new users.</strong> First, you need to register the XMPP users. The
quickest method is to use the command line on the server: the
<code>ejabberdctl</code> command provides the administrative functions.</p>
<p>A secure random password can be generated with <code>pwgen</code>; e.g. the following
generates passwords of 18 characters:</p>
<div class="highlight"><pre><span></span>pwgen 18
</pre></div>
<p>It normally prints an array of candidate passwords to choose from.</p>
<p>Now register the user <code>myname</code>. This is the admin user configured in the main
configuration file <code>/etc/ejabberd/ejabberd.yml</code> above:</p>
<div class="highlight"><pre><span></span># user domain password
sudo ejabberdctl register myname myownchat.ptchat.net pee8chogh9Heel6hei
</pre></div>
<p>Other users can be registered similarly. Note that the full user name for XMPP
has the same format as an email address: <code>myname@myownchat.ptchat.net</code>. This is due to
the federated nature of both systems: you need to know both the user and
the server with whom to communicate.</p>
<p>For this example let's register two additional users:</p>
<div class="highlight"><pre><span></span>sudo ejabberdctl register john.dow myownchat.ptchat.net ohyeeLeefo9yief4gu
sudo ejabberdctl register anna.karenina myownchat.ptchat.net hejo7phiy2iFeW9She
</pre></div>
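<p>The commands above put each password on the command line, where it is saved in
the shell history. The following script, added here as an example (it is not the
page's own and not part of ejabberd), wraps the same <code>ejabberdctl register</code>
step: it generates random passwords in the style of <code>pwgen -s</code>, rejects user
names outside a conservative character set before they become shell words, and
writes the resulting <code>user@domain password</code> lines to a file readable only by
the administrator instead of printing them. The domain and user names are the
page's examples; <code>DOMAIN</code>, <code>EJABBERDCTL</code>, <code>gen_password</code>,
<code>valid_localpart</code>, <code>register_user</code> and <code>register_batch</code> are
this example's own names.</p>

```shell
#!/bin/sh
# Batch registration of XMPP accounts on ejabberd (example script, not the
# page's own commands). Run as:
#   sudo ./register-users.sh "john.dow anna.karenina" /root/xmpp-credentials.txt
set -eu

DOMAIN="${DOMAIN:-myownchat.ptchat.net}"      # page's example domain
EJABBERDCTL="${EJABBERDCTL:-ejabberdctl}"     # overridable for dry runs

# gen_password LENGTH: random password from /dev/urandom using letters and
# digits only (like "pwgen -s"), so it is always a single safe shell word.
gen_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "$1"
}

# valid_localpart NAME: accept only a conservative subset of what XMPP
# allows (lowercase letters, digits, dot, underscore, hyphen; 1-64 chars).
# Anything else is rejected so odd input never reaches ejabberdctl.
valid_localpart() {
    case "$1" in
        ''|*[!a-z0-9._-]*) return 1 ;;
    esac
    [ "${#1}" -le 64 ]
}

# register_user NAME DOMAIN PASSWORD: the page's command, guarded.
# ejabberdctl takes the password as an argument, so it is still briefly
# visible in the process list while the command runs; it no longer lands
# in anyone's shell history, though.
register_user() {
    valid_localpart "$1" || { echo "refusing invalid user name: $1" >&2; return 1; }
    "$EJABBERDCTL" register "$1" "$2" "$3"
}

# register_batch NAMES OUTFILE: register each whitespace-separated name with
# a fresh 18-character password and append "user@domain password" lines to
# OUTFILE, created with mode 0600. Prints the number of accounts created.
register_batch() {
    names="$1"; out="$2"; count=0
    ( umask 077; : > "$out" )       # create the credential file privately
    for name in $names; do
        pw="$(gen_password 18)"
        register_user "$name" "$DOMAIN" "$pw"
        printf '%s@%s %s\n' "$name" "$DOMAIN" "$pw" >> "$out"
        count=$((count + 1))
    done
    echo "$count"
}

# Only act when given the two positional arguments; sourcing or running the
# file without arguments defines the functions and does nothing else.
if [ $# -eq 2 ]; then
    created="$(register_batch "$1" "$2")"
    echo "created $created account(s); credentials written to $2" >&2
fi
```

<p>Hand each user their line from the credential file over a channel you trust, then
delete the file; every user changes the initial password from the client, as the
page notes.</p>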
<p><strong>Use!</strong> The final step is to configure the client program on the
user's device. The biggest difficulty at this step is the abundance
of choice. For any major platform, one can choose any of <a href="https://xmpp.org/software/">the many
available XMPP client programs</a>. Some email
programs, e.g. <a href="https://www.thunderbird.net">Thunderbird</a>, also support
XMPP (although only a limited subset of features). Check out
<a href="https://xmpp.org">https://xmpp.org</a>. The configuration for the client
is simple:</p>
<ul>
<li>
<p><strong>Server:</strong> your server, in the example above it is <code>myownchat.ptchat.net</code></p>
</li>
<li>
<p><strong>User name:</strong> your user name. In the example we used above, it can be
<code>myname</code></p>
</li>
</ul>
<p>Note that the option to <strong>create new account</strong> must <strong>NOT</strong> be enabled, as
the account has already been created on the server and in-band
registration (<code>mod_register</code>, <a href="#mod_register">see above</a>) is disabled for
security.</p>
<p><img alt="Pidgin configuration" src="images/xmpp-123-client.png" title="Pidgin configuration">
<img alt="Thunderbird configuration" src="images/xmpp-123-thunderbird.png" title="Thunderbird configuration">
<img alt="Conversations configuration" src="images/xmpp-123-convers.png" title="Conversations configuration"></p>
<p>Some programs accept the full user name without specifying user and domain
separately. Then the user is just <code>myname@myownchat.ptchat.net</code>. If you
plan to use the peer-to-peer (<a href="#bytestream">bytestream</a>) file transfer (but
this is not mandatory), you should also find where the file transfer proxy is
configured and set it with the <code>proxy</code> subdomain, for our example it should be
<code>proxy.myownchat.ptchat.net</code>. And that is all for basic client configuration.</p>
<p>I recommend the <a href="https://blabber.im/en.html">Blabber</a> XMPP application for
devices running Android. <a href="https://www.yaxim.org/">Yaxim</a> is the best option for
minimalists: it is famously tiny (only a few megabytes) and works great
even on the oldest and weakest devices. <a href="https://miranda-ng.org/">Miranda NG</a>
is a powerful XMPP client program for Windows. There are also a few
web-based clients, <a href="https://conversejs.org/">https://conversejs.org/</a> and
<a href="https://web.xabber.com/">https://web.xabber.com/</a>, that you can try right
away without installing anything.</p>
<p>The final step is to fill the contact list (called the roster) with the addresses
of the people (or possibly devices, since XMPP can easily be set up for
bots that accept commands). Just remember that the address is the full name, as in
email: <code>user@server.domain</code>. One useful option is the so-called <a href="https://www.ejabberd.im/shared-roster-all/">Shared roster
groups</a>: with them you can configure
a group of contacts for everyone without adding them manually.</p>
<p><strong>Happy chatting!</strong></p>
<h2>Further</h2>
<p>There are many advanced options and possibilities in ejabberd. Just check
the documentation at the official web site: <a href="https://www.ejabberd.im/">https://www.ejabberd.im/</a>
and documentation <a href="https://docs.ejabberd.im/">https://docs.ejabberd.im/</a>.</p>
<p>There are also a few useful <strong>tutorials,</strong> e.g.
<a href="https://www.process-one.net/blog/how-to-move-the-office-to-real-time-im-on-ejabberd/">https://www.process-one.net/blog/how-to-move-the-office-to-real-time-im-on-ejabberd/</a></p>
<p><strong>XMPP: an ideal instant messaging system for a family</strong> (Sergey Budaev, 2023-02-06)</p>
<p>Various messaging systems have become popular over the last few decades. The
best-known examples are Whatsapp, Facebook Messenger, Snapchat and
Discord. Many people use them without thinking, simply because they look convenient and are
free. The cost, however, is serious: <strong>it is a privacy disaster.</strong>
Users have no control of their own, so the owner can change every function against
the users' will. These services (platforms) are built and fully
controlled by large monopolies focused on harvesting every kind of
user data. The privacy cost of the big commercial instant messaging systems
is far higher than their convenience is worth. They are <strong>deliberately built to be
mutually incompatible</strong>. A Whatsapp user cannot send a message to
someone on Telegram or Facebook. Just imagine that you were with Telenor but could
not send an SMS to anyone on Telia, only within Telenor's own system. Or
imagine that you could not send an email from Gmail to Yahoo. <strong>That is simply absurd.</strong></p>
<p>Today, among the popular systems, email is the only one on the
internet that has not been monopolised. And that is precisely because email
is not a <em>platform</em> (or 'ecosystem') but an <em>open and federated protocol</em>
by design. <strong>Anyone can set up and run their own mail server, and messages
are exchanged between all of them. Anyone can choose among many email apps. Anyone can
add further functionality, such as end-to-end encryption,</strong> while
<strong>interoperability is preserved.</strong></p>
<p><em>A protocol means a set of rules and conventions for interoperability,
not a single complete product.</em></p>
<p><img alt="xmpp logo" src="images/xmpp-logo.svg" title="XMPP logo"></p>
<p>But there is an instant messaging system that is as easy to use
as Whatsapp yet lacks most of the problems. It is
<strong><a href="https://xmpp.org/">XMPP</a></strong>. It is an open and federated protocol,
like email. Anyone can have their own server and still contact people on any
server whatsoever, exactly like email or mobile phones. In addition, everyone can
choose among different apps as they like: do you prefer functionality,
or beauty, or just something very lightweight... There are also
several XMPP server programs to choose from, most of them free and
open source. With XMPP you can have everything: <strong>instant messages, files, voice,
video, group chat, multiple devices</strong>. There are also several kinds of
<strong>end-to-end encryption</strong>
(<a href="https://conversations.im/omemo/">OMEMO</a>, <a href="https://gnupg.org/">GPG</a>,
<a href="https://otr.im/">OTR</a>) and much more. There is even an XMPP-based
social network: <a href="https://movim.eu/">Movim</a>.</p>
<p>XMPP is not alone. There is also an alternative open and
federated protocol: <strong><a href="https://matrix.org/">Matrix</a></strong>. Compared
with XMPP, however, it has several shortcomings: (a) <a href="https://github.com/libremonde-org/paper-research-privacy-matrix.org">privacy
problems</a>
(even if many do not care about that), (b) serious performance problems:
while XMPP runs fine even on the smallest and cheapest
<a href="https://no.wikipedia.org/wiki/Virtuell_privat_server">VPS</a>, a Matrix
server requires many gigabytes of RAM and a lot of disk space, which makes
it more expensive to operate, and Matrix also demands much more attention (see, for example,
<a href="https://disroot.org/it/blog/matrix-closure">here</a>). That may be justified
in a company or a large organisation, but not for home use.</p>
<p><strong>So XMPP is ideal for building a completely private communication system
for a family.</strong> You only need the following: (a) <strong>a server:</strong> the cheapest
<a href="https://no.wikipedia.org/wiki/Virtuell_privat_server">VPS</a> or even
a Raspberry Pi box will work fine (ejabberd, for instance, should support
hundreds of users at this level); (b) <strong>server software</strong>
that runs it all: check out several and choose for yourself; the most popular are
<a href="https://www.ejabberd.im/">ejabberd</a> and <a href="https://prosody.im/">Prosody</a>;
(c) a <strong>domain name</strong> for users to connect to: the domain name is also
part of the user name, as in email, e.g. <code>alexander@johansson.me</code> (a <a href="https://www.process-one.net/blog/how-to-set-up-ejabberd-video-voice-calling/">simple DNS
setup</a>
is needed to support voice and video); (d) each user can choose which
<strong><a href="https://xmpp.org/software/">client app</a></strong> to use (e.g.
<a href="https://monal-im.org/">Monal</a> or <a href="https://siskin.im/">Siskin IM</a> on
iPhone). And that is it.</p>
<p>Now the server must be configured. Then you control the system
completely! You can <strong>register as many users as you need</strong>, but for a
family server I do not recommend allowing open registration by anyone
whatsoever. You can, for example, register several accounts for a single user
if that is useful (for use with different purposes). No mobile number is required:
you do not need five SIM cards for five users; in fact none is
needed. It is also recommended to configure a <strong>'Shared roster group'</strong>
(shared contact list) to avoid adding the family contacts manually for
every family member. <strong>End-to-end encryption</strong> is not essential
on your own private server because transport encryption (TLS) is always used,
and it is easier to set things up that way when you use several devices (phone,
tablet, desktop, laptop, web-based). But it is better and safer to
use end-to-end encryption when communicating with people on other
public servers.</p>
<p>And now, when several groups have their own private servers, they can
<strong>communicate freely and securely</strong>. For example, it is now easy
for <code>pappa@johansson.me</code> to send a message (or make a video call) to
<code>mattias@johansson.me</code> (same family, on the same private server), or
to a friend <code>john@dowfamily.info</code>, or even to anyone using the <a href="https://list.jabber.at/">hundreds of
open, free public servers</a>, e.g. <code>maria@jabber.no</code>
(on <a href="https://www.jabber.no/">Jabber Norge</a>), <code>christian@jabber.de</code>,
<code>oyvindharaldsson@tigase.org</code> or <code>nikolaibode@riseup.net</code>.</p>
<p><img alt="Federated network" src="images/federated.svg" title="Federated network"></p>
<p><strong>See <a href="https://budaev.info/xmpp_clients_no.html">here</a></strong> for a little more information
about <a href="https://xmpp.org/">XMPP</a>.</p>
<h2>Links</h2>
<ul>
<li>
<p><a href="https://budaev.info/xmpp-server-on-1-2-3.html">XMPP server on 1-2-3</a></p>
</li>
<li>
<p><a href="https://www.process-one.net/blog/how-to-move-the-office-to-real-time-im-on-ejabberd/">How to configure the XMPP server ejabberd</a></p>
</li>
<li>
<p><a href="https://www.process-one.net/blog/ejabberd-xmpp-server-useful-configuration-steps/">Useful configuration steps for ejabberd</a></p>
</li>
<li>
<p><a href="https://medium.com/geekculture/how-to-setup-an-xmpp-server-for-private-messaging-dcb1f4740fe">How to configure the XMPP server Prosody</a> or
<a href="https://landchad.net/prosody/">Install Prosody</a></p>
</li>
<li>
<p><a href="https://jabber.no">Jabber Norge</a> - an open XMPP server from Norway.</p>
</li>
<li>
<p><a href="https://www.jabjab.de/">Jabjab.de</a> - an open XMPP server with transports to other messaging systems.</p>
</li>
</ul>
<p><strong>Interview on Christianity</strong> (Sergey Budaev, 2022-11-01)</p>
<p>School interview on Christianity</p><p>I had an interview with students from <a href="https://www.stpaulgymnas.no/">St Paul
gymnas</a>. Here are some of my answers.</p>
<h2>How do you practise religion?</h2>
<p>To practise religion means that you live with God in your heart. First,
it is important simply to be good in life and avoid anything that is bad. Avoid
sin, and bad things even when they are not sins. But it is not enough just to
do nothing. The most important thing is to do good things in life, for God helps
us when we do what is good. I believe this is God's equation:</p>
<!--
E = i * G
-->
<p><img src="https://latex.codecogs.com/svg.image?\large&space;E&space;=&space;i&space;\times&space;&space;G"></p>
<p>her E er effekt som vi får, i er menneskers innsats og G er Gods nåde. Hvis
innsats er null, helt effekt er null selv når Gud er enig å hjelpe den
største (f.eks. G = 1,000,000). Tå eksempel av Jesus og følge Kristus i
hverdagen aktivt. Tenke om dette: I velkjente miraklet tok Kristus få brød
og fisk fra folk og multipliserte dem til flere tusen. Det var i stedet av å
skape brød ut av ingenting. Den hovedbetingelsen for miraklet var en gratis
gave og samarbeid fra få enkle mennesker. Vi vet ikke hvor mange mirakler
som ikke skjedde fordi noen bestemte seg å gjøre ingenting. Den G-leddet i
den formelen er det viktigst del. Så vi kan ikke gjøre mye uten av Kristus
nåde. Det betyr at vi trenger sakramenter og be å få den G-ledder. Vi
lever i verden og Gud er transcendent, Jesus er i himmelen, ikke her med
oss nå. Det betyr vi ikke får direkte opplevelse av Gud og kan ikke se,
spørre og kjenne hva er som Guds vill. Men vi har masse informasjon i
skriften og den hellige tradisjon. Kirken får det i kirkelige dokumenter,
Codex juris, og mange teologiske og filosofiske verk. Vi kan lære mye av
dette hellige vitenskap ved hjelp av vår egen sunn fornuft.</p>
<p>Kort fortalt: å praktisere religionen inkluderer dette: (1) å få Guds
nåde ved sakrament og be, (2) lære hva er som god og Guds vilje ved
hellige vitenskap og rasjonalitet, (3) vare aktivt å følge det som er god
i hverdagen.</p>
<h2>Which sacraments affect your life most, and how?</h2>
<p>Communion, the Eucharist, is the sacrament we can receive and have most often. It is
also the sacrament that connects us with God physically. It is the only
sacrament that lets us look at God, touch God and receive God
physically. But it is also the most difficult sacrament we have.</p>
<p>It can be hard to understand how a small piece of bread can be
the body of Christ. But think about simple things, e.g. something as simple as a chair
we sit on. It can be made of wood, or iron, or plastic, or
glass. But what we see as the material is completely unimportant. How we treat
and use the chair is entirely independent of the material; it depends only on the fact that it is
a chair. To understand what the chair is, why it is used and what it is
used for, we must reason with the help of our cognition and abstraction. That
requires a slightly higher level of thinking than just looking at the outward appearance. Yet
we never confuse a wooden chair with firewood. Now think of an animal that
lacks such a capacity for abstraction. A fly or an ant that sits on a wooden chair and
afterwards experiences a plastic chair will think that these are completely
different things with nothing in common. But to us that seems strange:
we find it completely obvious that these two objects belong to the same category.</p>
<p>The same applies to how we can look at the Eucharist. God is transcendent and not
part of this world. So by ourselves we could not look at, or in any other way
experience, God. We cannot have that capacity on our own. But Christ comes to
us physically in this sacrament, using the most ordinary things that are part of our
world, so that we can communicate and even unite with the transcendent. But
for this we have no concept of our own and must abstract in order to understand.</p>
<p>To be a human being means to understand the nature of the world and the things
we live with. How we understand it affects how we live our lives.</p>
<h2>If God is almighty, why do you think there is so much evil in the world?</h2>
<p>The key to understanding this is the free will of human beings.</p>
<p>There was a metaphor of God as creator, in its extreme form God as a watchmaker. Here
God's omnipotence and omniscience might seem to indicate that the world God created
is ideal, like a machine. Then God is the only actor. This
view became especially popular when people developed simple physical science,
Newton's physics, which is based on strict cause and effect. Think about this:
cause A causes B. Here A simply governs a fixed and fully determined effect
B, while B has no role. God is then thought of as the first and principal cause
of all things in the world. The consequence is that God takes all the responsibility. So the
mere fact that there is something wrong in the world means it is God who has caused it.</p>
<p>But God as merely a creator or watchmaker is a wrong metaphor. Moreover, it
contradicts the biblical view. In the Bible God is thought of as a father. Some may think
this is an outdated and primitive view, not scientific as we now require. But
the concept of the father, the parent, captures the very essence of God's role.</p>
<p>A watchmaker makes the machine for a specific purpose. The machine does only what
the watchmaker's purpose is, nothing more. The machine is not an independent "agent"
with its own activity. Nor is there any role for love.</p>
<p>The parent is the complete opposite of that view. The parent gives birth out of love,
not for a function. The child is not a programmed robot but an independent
agent who simply lives its own life. That means the child has its own free will,
which the parent must respect and fully value. It also means the child is
allowed to fail and to learn from its mistakes. Moreover, the child is equally allowed not to
learn from its mistakes and even to go completely wrong. The parent cannot do anything about that,
only give advice and perhaps suffer over the child's mistakes. Because the child has free will,
it cannot be fixed, only cured.</p>
<p>In the same way, God lets us live our own life as we ourselves
decide. That means our mistakes are allowed to be enormous. But the fact that we have
free will is what creates our value as human beings. A programmed robot with little
independence and creativity is a thoroughly boring and stupid creature.</p>
<p>Free will is not something God has given only to us humans. The whole
world is created to be independent, not like a clock or some other
machine. The world is not created as a finished, ideal thing; it can develop
on its own. There are examples in quantum physics: elementary particles
can act without any strict causal connection. But the best example
is Darwinian evolution. Here living forms develop creatively without God's
control. Independence and free will are God's plan and gift, but they are also
a heavy responsibility.</p>
<p><strong>Goodbye Gmail</strong> (Sergey Budaev, 2022-04-22)</p>
<p>I do not use Gmail as my principal email provider any more, bye Google</p><p>The good old <strong>email</strong> remains the most <a href="https://utcc.utoronto.ca/~cks/space/blog/tech/EmailCriticalInfrastructure">critical digital communication tool</a>.
What makes the venerable email so useful and sustainable
over such a long time is its <strong>openness and standardization.</strong> Email is radically
different from the modern "apps", which integrate all pieces of the technology--the
server, the client, and the protocol--under a single monopolist provider. With
email, we are free to choose the server (provider) and the client in any
combination. This provides enormous flexibility, added privacy and
security. Indeed, the provider does not control my client and cannot add
backdoors; there is no monoculture of client software with all the related
security risks (where any security vulnerability is global). Email is one of
the few pieces of technology that is very resistant to internet
censorship. A repressive state can easily block a web site and even force
an app store to remove an app
<a href="https://www.theguardian.com/world/2021/sep/17/apple-and-google-accused-of-political-censorship-over-alexei-navalny-app">(as with Navalny's "Smart Voting")</a>.
An app store can also delete it for any other bizarre reason. But it
is much more difficult to block a mailing list: it is easy to redeploy and
recreate it on a different server (without the users even noticing).
Furthermore, the user can easily create several different email-based
identities (e.g. a separate one for politically sensitive activity), which
adds anonymity. And anonymity means physical security in some countries.</p>
<p>It is not surprising that many internet services use the email address
to register users, authenticate them, reset passwords and for other similar
purposes. <strong>Open, standardized</strong> and <strong>decentralized</strong> email is one of the most
critical technologies that everything else depends on. After all, the flexibility
offered by the email technology--the freedom to choose all the pieces (provider,
client etc.)--is just very handy, at least for an advanced user (you
can add new features on top of what the provider implemented, even against the
provider's will--isn't that convenient?).</p>
<p><strong>The whole email technology is built around open protocols rather than a
centralized platform. This facilitates competition, makes for better and
fairer service and reduces the possible impact of malicious monopolists
(<a href="https://knightcolumbia.org/content/protocols-not-platforms-a-technological-approach-to-free-speech">Masnick, 2019</a>).</strong></p>
<p>Google's Gmail has long been one of the main pillars of email, which millions
rely upon every day. We should praise Google for popularising email
as a basic mainstream technology among the masses. <strong>I started using Gmail
many years ago when it was in its "beta" and available only by invitation.</strong>
At that time Gmail's openness and unrestricted nature were just striking. The
web interface was lightweight and not cluttered with ugly banners,
unlike other email providers. There were ads, but they were small and
unobtrusive. Gmail had long supported all the basic protocols (POP, IMAP,
SMTP), which allowed any standards-compliant client software to be used, and that
was available for free (some other providers were more greedy and allowed
this only on paid plans). <strong>Google's POP, IMAP and SMTP implementations</strong>
have been (and still remain!) <strong>quite idiosyncratic, incomplete and not
really standards-compliant, which caused various glitches</strong> (e.g. message
deletion and default sorting are weird, and I always hated Gmail's labels). But
this was bearable.</p>
<p>Gmail has <a href="https://en.wikipedia.org/wiki/Privacy_concerns_regarding_Google">serious privacy problems and threats</a>,
such as scanning user email for context-specific advertising
(<a href="https://blog.google/products/gmail/g-suite-gains-traction-in-the-enterprise-g-suites-gmail-and-consumer-gmail-to-more-closely-align/">until 2017</a>)
or
an <a href="https://www.forbes.com/sites/daveywinder/2020/02/28/google-confirms-new-ai-tool-scans-300-billion-gmail-attachments-every-week/?sh=7e744fc83edd">AI tool</a>
which could provide access to some pieces of data to <a href="https://protonmail.com/blog/google-privacy-problem/">third-party</a>
<a href="https://www.pcmag.com/news/google-apps-can-scan-and-share-your-gmail-data-with-consent">developers</a>.
<strong>That is nearly a disaster that cannot be fixed, because spying on the user's
data is at the heart of Google's business model.</strong> But who cares as long as
it is free! I have long been using and promoting <strong>PGP</strong> encryption, which
could fix many of the privacy (and security) problems.
Yes, PGP is <a href="https://sequoia-pgp.org/blog/2021/06/29/202106-yes-we-want-cryptographic-protection-for-email/">crucial for individuals and businesses</a>
and yes, <a href="https://doi.org/10.2478/popets-2021-0037">a motivated user can encrypt</a>.</p>
<p>Gmail still remained free and relatively open, while the alternative of
deploying a private email server is time-consuming and tedious (e.g. ensuring
that emails from a tiny private server don't end up in the spam folders of the
intended recipients). I used to pay with some of my privacy to get the
usability and stability of Gmail.</p>
<p>But over time I became increasingly concerned about the clear trend taken
by Google to make open email more and more difficult to use outside of
the Google monopolistic ecosystem. There are signs of the famous
<strong><a href="https://en.wikipedia.org/wiki/Embrace,_extend,_and_extinguish">embrace, extend, and extinguish</a></strong>
strategy. The <a href="https://developers.google.com/gmail/api">Gmail API</a> is featureful and powerful... but only if
you really need the complexity and like to play by Google's rules. If
you don't like to see ads, for example, and therefore use a standard IMAP
mail client of your choice, you must suffer. If you need full PGP support on
a mobile client, never offered by Google, you are out of luck and have to
use an IMAP-based mobile app like Android's <a href="https://k9mail.app/">K-9 Mail</a>,
which requires sacrificing some usability.</p>
<p><strong>Google tends to draw its users by all means into its browser, its
own apps and APIs, to get more of the users' private data and show ads.</strong> For
that matter, Google's security usability has become just terrible. The
intrusive access blocks when a mobile user with an IMAP client moves across
IP addresses can drive anyone crazy... Access can be blocked even if the
user merely switches to the next IP address within the same provider's IP
pool.</p>
<p><img alt="Google security alert" src="images/google-security-block.png" title="Google security alert"></p>
<p>I have to use a VPN with a fixed IP address to avoid these stupid blocks!</p>
<blockquote>
<p>To help keep your account secure, Google will no longer support the use
of third-party apps or devices which ask you to sign in to your Google
Account using only your username and password. Instead, you’ll need
to sign in using Sign in with Google.</p>
</blockquote>
<p>Google's insistence on the rather complicated and heavyweight
<a href="https://oauth.net/2/">OAuth2</a>
<a href="https://medium.com/securing/what-is-going-on-with-oauth-2-0-and-why-you-should-not-use-it-for-authentication-5f47597b2611">mechanism</a>
for basic email client access (remember, most email programs do not require
you to enter your password every time, diminishing the risk of phishing)
is understandable only as a means to limit all uncontrollable third-party
clients. Yes, OAuth2 is logical for complex workflows of data access delegation
across multiple web-based services with different login/password combinations
(the "Auth" stands for <a href="https://oauth.net/2/">authorization</a>, not
<a href="https://medium.com/securing/what-is-going-on-with-oauth-2-0-and-why-you-should-not-use-it-for-authentication-5f47597b2611">authentication</a>).
Whenever I need access to <strong>my own emails</strong> I need to <a href="https://en.wikipedia.org/wiki/Authentication">authenticate</a>
my identity, granting <strong>full access</strong>. But isn't the OAuth2 client secret kept
on the device just like the username/password combination? Yet limiting the
(power) users' access to their <strong>own data</strong> provides just an illusion of
security at a large cost to usability and compatibility.</p>
<p>Google's move to OAuth2 <strong>authorization</strong> seems to indicate that
the <strong>Gmail-hosted emails do not belong to me any more.</strong> My emails are now
<strong>owned by Google,</strong> who just "authorizes" (delegates) me access to some of
the data without trusting me. <strong>This is not what I need from my private
communication.</strong> Does Google pretend to "zero-trust" any third-party
apps? Maybe it doesn't trust its users (<strong>the owners</strong> of their data),
assuming they are all idiots?</p>
<blockquote>
<p>If you think your users are idiots, only idiots will use it [your service]. ---
<a href="https://mail.gnome.org/archives/usability/2005-December/msg00021.html">Linus Torvalds</a></p>
</blockquote>
<p>And there is another side effect: as Google increasingly deployed more and
more heavyweight frameworks and technologies, <strong>Gmail became very sluggish
and bloated.</strong> It is cluttered and confusing, especially to those who don't
use it often enough to remember all the idiosyncrasies. And it's still poorly
adaptable to the user's needs. How can I get a fixed-width font for my plain
text message? Where is my favourite basic (and very fast) HTML web interface?</p>
<p><strong>Enough is enough. I am now leaving Gmail, and primarily not because of
big privacy concerns (which are only to be expected) but because of deteriorating
usability and growing incompatibility. It looks like the people at Google have
forgotten their old motto "Don't be evil." While I have been paying Google
with my privacy currency in the past to get functionality and usability,
the benefits of Gmail have kept declining and have now reached a level where
the trade is no longer worth it.</strong></p>
<h2>Migadu is my choice</h2>
<p>There are many hosted email providers, some of them focused on privacy and
security. For example, <a href="https://protonmail.com/">Protonmail</a> is a fantastic
project that makes it nearly trivial to use PGP even for the uninitiated. But
its drawbacks are that it is non-standard and so well known that it becomes
quite undesirable in certain authoritarian countries. Simply put, if
you use Protonmail in some countries you may be suspected; Protonmail can
be blocked by the authorities, and worse still,
<a href="https://habr.com/ru/company/habr/blog/443222/">blocked in a quite idiosyncratic way</a>.
Some services may also <a href="https://protonmail.com/support/knowledge-base/website-blocks-protonmail-email-address/">reject registration</a>
from this service.</p>
<p>What I have finally chosen is <strong><a href="https://www.migadu.com/">Migadu</a>.</strong> It is not
yet another standard email hosting provider. It is a domain-based service. Once
you have got your own domain name (domains are now cheap), you can make your
own email service for your domain. That simple. This makes it <strong>super useful</strong>
for companies, families, groups and NGOs without large budgets. <strong>For a
reasonable price you get nearly your own mail server with many configurable
features (any custom mailboxes, aliases, forwarding, regexp, webmail,
etc.) but without the need to maintain all this complex system.</strong></p>
<p>If you have a web site, you necessarily have a domain name for it. Now it's
easy to get your own email identity. True, some hosting providers also
host email. But if you decide to switch to a different host this
causes trouble: you need to move the email as well, and this fact strongly limits
your next choice. <strong>Having a completely independent email system for your
existing domain avoids such hoster lock-in and makes life much easier.</strong></p>
<p>By the way, the Migadu standard <a href="https://webmail.migadu.com/">webmail interface</a>
is sleek and very simple. It looks modern but is lightweight and quite fast. No
bloat whatsoever, only the most crucial functionality. I am not a big fan
of web-based email, but use it from time to time. And there is even some
very basic support for PGP! (But remember that web-based PGP is
<a href="https://www.migadu.com/procon/#not-encrypted">not a very secure solution</a>,
since the key and the decrypted text live inside the browser.)</p>
<p>I found the <strong>mail server configuration (including more esoteric stuff like
DNS setup and DKIM signatures) very easy.</strong> In my view you do not need an
IT degree to configure your email server with full functionality. I like the
admin panel, it is <strong>minimalist and easy to use,</strong> no stupid and distracting
visual effects. And <a href="https://www.migadu.com/">Migadu</a> is advertised as
<strong>fully open standard compliant service</strong> without proprietary glitches and
limitations. So any standard (open source or closed source) software is very
likely to be fully usable. This freedom is very important. And they are also
clear and honest about the
<a href="https://www.migadu.com/procon/">limitations and drawbacks</a>.</p>
<p><strong>Finally, goodbye Gmail.</strong></p>
<ul>
<li>Masnick, M. 2019. Protocols, not platforms. A technological
approach to free speech. <em>Knight First Amendment Institute</em>
<a href="https://knightcolumbia.org/content/protocols-not-platforms-a-technological-approach-to-free-speech">https://knightcolumbia.org/content/protocols-not-platforms-a-technological-approach-to-free-speech</a>.</li>
</ul>
<hr>
<p><strong>PS:</strong> Disclaimer: I have no links with <a href="https://www.migadu.com/">Migadu</a>.</p>
<p>This post is also published on
<strong><a href="https://sbudaev.substack.com/p/goodbye-gmail">Substack</a></strong>
and <strong><a href="https://medium.com/@sbudaev/goodbye-gmail-7849f8c23baa">Medium</a></strong></p>

How to use open source openconnect for UiB VPN 2021-11-10T14:19:00+01:00 2021-11-10T14:19:00+01:00 Sergey Budaev tag:budaev.info,2021-11-10:/how-to-use-open-source-openconnect-for-uib-vpn.html
<p>How to use open source openconnect for UiB VPN</p><p><strong>Cisco AnyConnect</strong> is unethical software. First, it is proprietary and
closed source, although the nature of its functioning makes it capable
of controlling all of the user's network traffic. Even worse, Cisco AnyConnect
implements controversial functionality that makes it technically a kind of malware:
the so-called "posture" (HostScan) service scans the user's device and
sends (steals?) various information out (Cisco says this is done "to improve
security," e.g. to keep non-certified and unauthorized devices out), and the Cisco VPN
client can officially download and install a spyware trojan on the user's device
(Cisco also advertises the trojan as a tool to "improve security"). Also,
the VPN client can rewrite the network settings in arbitrary ways without the
user's consent or knowledge. All this is a serious security and privacy
threat. (And Cisco products have a bad history of serious security flaws
that look like backdoors.)</p>
<p>It can be justified to run <strong>Cisco AnyConnect</strong> on a corporate-owned
machine (understanding the consequences for the user's privacy and
security). But <strong>installing it on the user's owned private
devices should be avoided.</strong></p>
<h2>Openconnect</h2>
<p><strong>Openconnect</strong> is an open source SSL VPN client that supports several protocols,
including Cisco AnyConnect. It can be used as an alternative to the proprietary
Cisco software, which in some installations includes controversial and
undesirable functions such as uncontrollable network re-routing, a proprietary
scanning module, an installable <em>spyware trojan</em> etc.</p>
<p>For more information go to the OpenConnect web site: <a href="https://www.infradead.org/openconnect/">https://www.infradead.org/openconnect/</a>.</p>
<p><strong>Install openconnect</strong> from the standard Linux repository, e.g. in case of
Ubuntu/Debian use:</p>
<div class="highlight"><pre><span></span>sudo apt install openconnect network-manager-openconnect \
network-manager-openconnect-gnome
</pre></div>
<h2>Server settings</h2>
<p>To connect to the vpn, go to the network configuration entry, then add a
new VPN connection, choosing <strong>Cisco AnyConnect Compatible VPN (openconnect)</strong>
in the list.</p>
<p>To connect to the UiB VPN one needs this:</p>
<ul>
<li>Server gateway: <code>vpn3.uib.no</code></li>
<li>UiB username (short name, in the following examples <code>zzz000</code>)</li>
</ul>
<h2>Basic connect using command line</h2>
<p>The simplest command to connect to UiB network is:</p>
<div class="highlight"><pre><span></span>sudo openconnect --user zzz000 vpn3.uib.no
</pre></div>
<p>Note that <code>sudo</code> is required to set up the <code>tun</code> device (it is, however,
possible to configure openconnect to run as an unprivileged user, see
<a href="http://www.infradead.org/openconnect/nonroot.html">http://www.infradead.org/openconnect/nonroot.html</a>).
OpenConnect validates the gateway's TLS certificate against the system CA store
and asks before proceeding if that check fails; do not answer "yes" blindly.
Once the certificate fingerprint has been confirmed out of band (e.g. with the IT
department), it can be pinned with the <code>--servercert</code> option, so that a
substituted certificate is rejected instead of producing a prompt.</p>
<p>There are also a few <em>useful options</em>:</p>
<ul>
<li><code>--background</code> run openconnect at the background</li>
<li><code>--syslog</code> send messages to the system log</li>
<li><code>--pid-file /var/run/openconnect.pid</code> use a specific pid file; then it is
easy to switch off the background vpn with
<code>sudo kill $(cat /var/run/openconnect.pid)</code> (the daemon runs as root,
so <code>sudo</code> is needed for the kill as well)</li>
</ul>
<p>These options result in this command:</p>
<div class="highlight"><pre><span></span>sudo openconnect --background --syslog --pid-file /var/run/openconnect.pid \
--user zzz000 vpn3.uib.no
</pre></div>
<p><img alt="running on terminal" src="images/oconn-img1.png" title="command line example"></p>
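<p>The pieces above (background mode, pid file, stopping the daemon, and certificate checking)
can be tied together in a small wrapper. The script below is an added example written for this
page; it is not part of the original post and not openconnect's own tooling. The gateway
<code>vpn3.uib.no</code> and the user <code>zzz000</code> are taken from the post; the interface name
<code>uibvpn0</code>, the pid file path, the <code>OC_USER</code> and <code>OC_SERVERCERT</code>
environment variables and the <code>up|down|status</code> interface are this script's own
assumptions. Every option it passes (<code>--background</code>, <code>--syslog</code>,
<code>--pid-file</code>, <code>--interface</code>, <code>--user</code>, <code>--servercert</code>)
is a real openconnect option. Unlike the bare commands, it refuses to start a second copy,
removes a pid file left behind by a dead process, waits for the tunnel interface to appear
before reporting success, and pins the gateway certificate when a pin is supplied.</p>

```python
#!/usr/bin/env python3
"""Thin wrapper around openconnect for the UiB gateway (added example).

usage: uib-vpn.py up|down|status

Assumptions not taken from the original post: the interface name, the pid
file location and the OC_USER / OC_SERVERCERT environment variables.
"""
import os
import subprocess
import sys
import time

GATEWAY = "vpn3.uib.no"                       # from the post
USER = os.environ.get("OC_USER", "zzz000")    # short UiB user name from the post
IFACE = "uibvpn0"                             # assumption: fixed name we can wait for
PIDFILE = "/run/openconnect.pid"              # assumption
SYSFS_NET = "/sys/class/net"                  # Linux: one directory per interface


def build_cmd(user=USER, gateway=GATEWAY, pidfile=PIDFILE, iface=IFACE,
              servercert=None):
    """Return the openconnect argv. Every flag here is a real openconnect option."""
    cmd = ["sudo", "openconnect", "--background", "--syslog",
           "--pid-file", pidfile, "--interface", iface, "--user", user]
    if servercert:
        # Certificate pinning: openconnect prints the pin-sha256 value of a
        # certificate it cannot verify. Confirm that value out of band, then
        # export OC_SERVERCERT=pin-sha256:... so a substituted certificate is
        # rejected instead of producing an interactive "accept?" prompt.
        cmd += ["--servercert", servercert]
    cmd.append(gateway)
    return cmd


def running_pid(pidfile=PIDFILE):
    """Return the pid recorded in pidfile if that process is alive, else None.

    A pid file left behind by a crashed or killed openconnect is removed so
    the next 'up' is not refused because of it."""
    try:
        with open(pidfile) as fh:
            pid = int(fh.read().strip())
    except (OSError, ValueError):
        return None
    try:
        os.kill(pid, 0)           # signal 0: existence/permission check only
        return pid
    except ProcessLookupError:    # no such process: stale pid file
        try:
            os.remove(pidfile)    # may fail for an unprivileged user; harmless
        except OSError:
            pass
        return None
    except PermissionError:       # alive, but owned by root and we are not
        return pid


def wait_for_iface(iface=IFACE, timeout=15.0, sysfs=SYSFS_NET, poll=0.2):
    """Block until sysfs shows the tunnel interface; False if it never appears."""
    path = os.path.join(sysfs, iface)
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        if os.path.isdir(path):
            return True
        time.sleep(poll)
    return os.path.isdir(path)


def vpn_up():
    pid = running_pid()
    if pid:
        print(f"openconnect already running (pid {pid})", file=sys.stderr)
        return 1
    cmd = build_cmd(servercert=os.environ.get("OC_SERVERCERT"))
    rc = subprocess.call(cmd)     # openconnect prompts for password / SMS code
    if rc != 0:
        return rc
    if not wait_for_iface():
        print(f"{IFACE} did not appear; check the system log", file=sys.stderr)
        return 1
    print(f"{IFACE} is up")
    return 0


def vpn_down():
    pid = running_pid()
    if not pid:
        print("openconnect is not running", file=sys.stderr)
        return 1
    # The daemon was started under sudo and runs as root, so the kill must too.
    return subprocess.call(["sudo", "kill", str(pid)])


def vpn_status():
    pid = running_pid()
    print(f"running (pid {pid})" if pid else "not running")
    return 0 if pid else 1


if __name__ == "__main__":
    actions = {"up": vpn_up, "down": vpn_down, "status": vpn_status}
    action = actions.get(sys.argv[1] if len(sys.argv) > 1 else "")
    sys.exit(action() if action else 2)
```

<p>The interface name is fixed with <code>--interface</code> precisely so that the script has
something deterministic to wait for; without it, openconnect picks the next free
<code>tun</code> number. Pinning is opt-in via <code>OC_SERVERCERT</code> because the pin
value must come from a trusted source first: pinning whatever fingerprint the
first connection happens to show would only lock in a man-in-the-middle.</p>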
<h2>Connect using graphical user interface</h2>
<p>Most Linux desktop environments (e.g. GNOME, Xfce) have a graphical
utility accessible from the system tray. To configure it use:</p>
<ul>
<li>VPN protocol: <em>Cisco AnyConnect</em></li>
<li>Software token authentication: <em>TOTP</em></li>
</ul>
<p><img alt="GUI step 1" src="images/oconn-img2.png" title="GUI example"></p>
<p>Other options should be left intact.</p>
<p>At login, the GUI program asks for the University user name and password. Enter
them and press <em>Login</em>.</p>
<p><img alt="GUI step 2" src="images/oconn-img3.png" title="GUI example"></p>
<p>Then a Microsoft authentication code is sent via SMS to the mobile phone.</p>
<p><img alt="GUI step 3" src="images/oconn-img4.png" title="GUI example"></p>
<p>There may be a caveat: DNS might not work with the default configuration
(web sites are unreachable by name although IP addresses work). If this is the case,
go to IPv4 settings and manually configure DNS servers, such as Google DNS
<code>8.8.8.8</code> and <code>8.8.4.4</code></p>
<p><img alt="GUI step 4" src="images/oconn-img5.png" title="GUI example"></p>
<p>and then to IPv6 settings and enter DNS servers manually, e.g. Google DNS
<code>2001:4860:4860::8888, 2001:4860:4860::8844</code>.
Two things to keep in mind: a public resolver sees every name you look up, which
works against the privacy goal of using the VPN in the first place, and it may
not resolve UiB-internal host names. If the resolvers pushed by the gateway
(shown in the connection details) work, prefer them.</p>
<p><img alt="GUI step 4" src="images/oconn-img6.png" title="GUI example"></p>
<p><em>Now UiB VPN should work in a private way.</em> Openconnect turns out to be a
useful tool to connect to the UiB network in a simple and straightforward way.</p>
<h2>Microsoft Windows</h2>
<p>Openconnect also works on <strong>Microsoft Windows.</strong> If you are
using <a href="https://community.chocolatey.org/">Chocolatey</a>,
there is a port that can be installed
<a href="https://community.chocolatey.org/packages/openconnect-gui">using this command</a>:</p>
<div class="highlight"><pre><span></span>choco install openconnect-gui
</pre></div>
<p>Disclaimer: I did not try it.</p>
<h2>References</h2>
<ul>
<li>
<p>OpenConnect web site with source code, documentation etc:
<a href="https://www.infradead.org/openconnect/">https://www.infradead.org/openconnect/</a>.</p>
</li>
<li>
<p>Microsoft Windows port: <a href="https://openconnect.github.io/openconnect-gui/">https://openconnect.github.io/openconnect-gui/</a></p>
</li>
<li>
<p>Tim Hårek Andreassen has a similar howto in his blog:
<a href="https://timharek.no/blog/uib-vpn-without-cisco/">https://timharek.no/blog/uib-vpn-without-cisco/</a>
<em>Note: My openconnect experience was even more straightforward, e.g. in
my case no certificate configuration was necessary.</em></p>
</li>
</ul>

Are we going to work in a paper jail? 2021-10-25T10:00:00+02:00 2021-10-25T10:00:00+02:00 Sergey Budaev tag:budaev.info,2021-10-25:/are-we-going-to-work-in-a-paper-jail.html
<p>Are we going to work in a paper jail?</p><h3>Main points</h3>
<ul>
<li>
<p>Any major university IT infrastructure is huge and heterogeneous. It is
used by lots of people, many of whom are experimenters and explorers
who like a challenge, rather than office robots. Most users are busy,
focused on research and study, and hate additional (and especially sudden)
hassle. This is why <strong>consideration of the usability cost is absolutely
critical for an IT security strategy.</strong></p>
</li>
<li>
<p>Creating a walled "trusted" area behind a firewall, <strong>the perimeter model</strong>, is
an <strong>outdated</strong> approach to security in the age of universal <strong>zero-trust</strong>
deployment. Instead of following an already outdated approach, a more
sensible strategy is to start implementing components of the zero-trust
model, including <strong>score-based trust</strong> and wide use of <strong>personal identity
hardware tokens</strong>.</p>
</li>
<li>
<p>The major focus in security should shift from technology components alone
to the end users, <strong>creating incentives to use more secure technology,</strong>
rather than adding hassle.</p>
</li>
</ul>
<h3>The great firewall</h3>
<p>There has been a very rapid trend towards increasingly restrictive IT policies at
the University of Bergen, implemented from October this year. While the aim of
“increasing security” is laudable, I think the planning and implementation
of the policies have several flaws which may compromise the declared aim. The
biggest problem is that UiB IT is huge and heterogeneous. There is a
variety of services with different levels of security risk, and many users
with diverse needs, use cases and environments, competences, personal
backgrounds and personalities. This requires a more sensible, flexible and
inclusive approach. Otherwise, rigid policies will not make
the IT environment significantly safer. Instead, they may hamper normal work
for some users, and in the long run compromise both security and privacy,
contrary to the declared aim.</p>
<p>Security, including computer security, is not a fixed state but
a continuous process. Security is not limited to IT
technology. Technology alone cannot bring security. Security is primarily
a human rather than a technical problem. Indeed, the most dangerous security
breaches did not target encryption algorithms, and many only partly involved
exploitation of software and hardware vulnerabilities. They typically make
use of human factors, such as social engineering, trust exploitation, human
mistakes and so on. Successfully tracking and catching cyber criminals also
rarely targets technology first; it usually depends on exploiting
human errors, negligence, laziness and similar factors. This is why the
current primary focus on merely restricting the IT environment technologically,
aimed only at isolating it from outside networks, is neither sufficient
nor efficient. A more balanced, flexible and holistic approach is needed.</p>
<p><strong>Security can only work at a balance with usability.</strong> Moreover, there is
often a trade-off: technological security restrictions often make for worse
usability. A completely “sealed” environment would be just too restricted
to be usable. Usability is indeed a primary factor: research shows that many
security problems and users’ hesitance or unwillingness to make use of
(more) secure tools is caused by their imperfect usability. Furthermore,
within a hugely heterogeneous environment, there would be no single optimal
balance between security and usability. An important consequence of this
is that a flexible and inclusive approach to security, aimed at different
degrees of balance with usability, is important.</p>
<p>The technical part of security should start and primarily respond to specific
threat model(s), not theoretical or vaguely possible risks. And the threat
model(s) should be connected with the real life statistics, e.g. how many
breach attempts usually occur, to which of the services, from which IP
addresses etc. It does not make sense to install solid steel screens on
all windows in our department building to make it “more secure” from
any kind of possible breaches; even if there are crowds of hungry zombies
walking outside, it is just enough to protect the first floor.</p>
<p>Blanket unconditional restriction of the UiB IT network environment as is
being implemented does not seem to respond to specific consideration of threat
model(s), the variety of users, needs, sub-environments etc. It looks like
a desperate attempt to seal everything in a hope that a jailed environment,
isolated from the outside, will be more secure. This is a wrong assumption.</p>
<h3>Some specific problems</h3>
<h4>Multi-factor authentication via TOTP: Not a panacea.</h4>
<p><a href="https://hjelp.uib.no/solutions/open-knowledge-items/item/KI%200780/en_gb/">KI
0780</a>
introduced a multi-factor authentication policy. This is generally a crucial
component for improving security, if implemented sensibly. However, not all
implementations automatically improve security or strike a sufficient
balance between security and usability. What is called “multi-factor
authentication” may not even be truly multi-factor. Multi-factor
authentication means using several independent things for
authentication: typically something you know (a password), plus something you
have (e.g. a mobile device or SIM) and possibly something you are (e.g. a fingerprint). If
the password is entered from a password manager kept on the
mobile device and the “multi-factor” SMS arrives on the same mobile device
(or the password is entered and the SMS read on the same computer that is linked to the
smartphone, as is now the norm within the Apple ecosystem), the whole idea of
two factors is defeated: the smartphone becomes the single authentication
device. At best this can be called “two-step authentication,” a weaker
mechanism. SMS (and anything based on a phone line or phone number) is
actually one of the poorest authentication means, due to the long known and
essentially unsolvable vulnerabilities in GSM, SS7 and related
protocols, and to SIM swapping at the operator. SMS can be hijacked by malicious smartphone apps (the Google Play
store does not come anywhere near 100% safety; there are occasional scandals about
malware in apps with a very substantial audience) or even on basic GSM dumb phones
(there are reports of quite a few Chinese-made GSM button phones shipping with
factory-installed malware). Worse still, some modern and widespread
multi-factor mechanisms such as push-based popups are also easily exploited,
simply by sending approval requests until the user accepts one (and they breed
the bad habit of tapping “approve” without thinking). If authentication is
done on a web page, it is usual to save an authentication cookie to avoid
repeated second-factor prompts. However, cookies are not necessarily secure:
long-lived cookies can be stolen by malware, cross-site request forgery abuses the
browser attaching them automatically, and there is also a big privacy drawback
(e.g. tracking). The industry trend is to move away from third-party cookies
in the mainstream browsers (Google Chrome has announced a phase-out, although
the date has been postponed more than once). A sensible user policy is
to reduce the lifetime of any cookie. However, that makes the “two-step”
authentication as currently implemented at UiB a hassle: the user then has to
go through the SMS code process nearly every time he or she logs in, even from
the same IP address and the same device.</p>
<p>The ssh access to the <code>login.uib.no</code> server has apparently disabled the
best-practice secure mechanism of ssh-key authentication (<em>incidentally,
a key protected by a passphrase combines something you have with something you
know on the client side, even though the server only ever sees the key</em>) and
forced the potentially weak password-based mechanism with an SMS code. There
seems to be <em>no second-factor mechanism other than SMS</em> for ssh at the time
of writing!</p>
<p>A better mechanism is the time-based one-time password (TOTP)
authenticator application on the mobile phone. This is in fact recommended on
the Microsoft and UiB web pages as a more secure alternative (via the <strong>Microsoft
Authenticator</strong> app). While TOTP is better than SMS, it is far from perfect:
a code is just a short number valid for a time window, so a phishing page or a
man-in-the-middle proxy can relay it to the real server before it expires, and
the secret seed must be stored in the authenticator application as well as
on the server to make synchronised generation of codes possible, so a leak of
either side's copy is fatal.</p>
<h4>Personal hardware tokens</h4>
<p>There is a much better and stronger two-factor authentication mechanism:
<strong>U2F</strong> and <strong>FIDO2/WebAuthn</strong>, which use a hardware security device that keeps
the private key. The security token, in the form of a small USB or
NFC key, signs a challenge from the server with strong asymmetric crypto, and the
signature is bound to the web origin (relying party) that requested it, so a
phishing site on another domain cannot obtain a usable assertion. This makes phishing
and many related attacks virtually impossible. Many such devices also implement biometric
(e.g. fingerprint) verification in a privacy-respecting way (the biometric
data never leaves the device). This is now a mature technology
that is implemented in all major web browsers and can be used for ssh key-based
authentication (OpenSSH supports FIDO keys), GPG-enabled email etc.</p>
<p>The best known hardware token is probably the
<a href="https://www.yubico.com/">YubiKey</a>, and there are a few others on the market
(e.g. Google Titan, FEITIAN, Token2, Thetis). They are not very cheap,
but not prohibitively expensive either.</p>
<h4>VPN needed for all, even the most essential everyday services</h4>
<p>The UiB IT services previously used several open and industry-standard
VPN mechanisms (IPsec, OpenVPN), so that different users could easily find a
solution that worked for them individually. Now there is a single closed and
proprietary mechanism: Cisco AnyConnect, with both its own protocol
(TLS, with DTLS over UDP for the data channel) and its own software client. This mechanism may work for many
but not necessarily for everyone (e.g. unlike open solutions, it may not
be available on some computing platforms, some open source
enthusiasts might find restriction to a single proprietary tool unethical,
etc.). There are rumours of unreliable connections with Cisco AnyConnect,
and that OpenVPN was previously more stable for some users. This is indeed
plausible if Cisco AnyConnect is used in restrictive environments
with DPI that block connections to certain ports or UDP traffic even on
port 443, or otherwise censor VPNs (e.g. some public WiFi networks
have such limitations). OpenVPN, in contrast, can be run over TCP port 443 or
behind an obfuscation layer so that it resembles ordinary HTTPS traffic (and
purpose-built tools such as Shadowsocks go further), which is how such tunnels
work even behind the Great Chinese Firewall. There is a clear benefit at not
prohibitively high cost in providing at least some limited support for such a
mechanism for certain users (e.g. special needs or during travel). It might
even be provided only on special request with some justification. Also, the
reliability statistics used internally by the IT department might be biased
if not all users report minor and transient VPN issues. So there is a case for
deploying and supporting alternative VPN solutions, perhaps even on a smaller scale.</p>
<p>It sounds quite reasonable that providing and supporting a wider choice of VPN
solutions for a minority of users would not be economically feasible. However,
that is certainly not the case when nearly all services become available
only from within the UiB internal network jail. Then there should be more
flexibility and inclusion: several ways for a variety of users in different
environments to get into the jailed environment comfortably. Mandating the use
of a single restricted VPN to read email from home or from an airport, for
example, is just too unbalanced a limitation. A better alternative is of
course to relax the policy, moving at least the most essential but inherently
secure services out of the jail.</p>
<h4>Is the universal jail really essential for everything?</h4>
<p>One issue with unconditional moving of all the UiB IT services into a jailed
environment is that this would not reflect sufficient balance between security
and usability. It is of course good to keep potentially less secure services
(e.g. RDP) jailed. But are real threats substantial enough to hide just
everything into such a jail?</p>
<p>Are there any real-life statistics or other data showing that accessing
the university email system from an IMAP client with normal SSL/TLS protection
is dangerous? The user in such a case does not need to enter the UiB
password at login (it is saved in the software, often encrypted on the device,
so the remaining risk is a lost or stolen device rather than phishing),
and the phishing risk is near zero. The authenticity of the IMAP server certificate
is checked through the standard TLS mechanism. So is there any real
security advantage in moving such an essential everyday tool as email into the
jail, or does this just add another hurdle?</p>
<p>Another example is connecting to the UiB login.uib.no ssh server. Many (presumably
less advanced) users use ssh with their ordinary password. Then
“two-factor” authentication is a serious security improvement, of
course, even if it is in fact used in the weakened two-step
mode. However, other users can configure ssh-key authentication,
which is a much more secure mechanism. Will manual password entry with
two-factor authentication really provide a sufficient security improvement
in such a case? Will it provide anything beyond a negligible effect if the
user has already authenticated with SMS on the same device, or on a different
device from the same IP address shortly before? Is there any improvement in
security that justifies such a degradation of usability?</p>
<p>The question is this: is the same level of restriction and jailing really
essential for all services, often and rarely used, potentially less secure
and highly secure, easy and difficult to exploit, those with documented
attacks and those of little interest to intruders? Does it not
just impose usability costs not balanced by any security improvement?</p>
<h4>Human ingenuity: Is the jail actually made of paper?</h4>
<p>It is clear that equally and unconditionally restricting just everything,
especially, without considering usability costs, will not automatically
increase security. The situation can well be worse: lower security as
well as compromised privacy.</p>
<p>For example, to avoid all the nuisance, users may switch to <em>third-party
commercial providers</em>, increasingly using private gmail.com accounts,
Dropbox etc. Users may turn to smaller, more obscure online tools and applications
(e.g. file sharing sites, communication tools, some advertised as encrypted)
with uncontrollable and unknown security. Some of them might be owned and
run by communities and volunteers; some could be compromised or deliberately
devised to gather data, track users and spy.</p>
<p>Some more qualified "insider" users might successfully hack the system
to get nuisance-free access to the UiB jailed environment from outside. It
is actually not a hard problem. One possible solution is a reverse
<code>ssh</code> tunnel. It does not even require administrative rights and can be done
by a motivated average computer user after 20 minutes of reading the
<code>ssh</code> manual. More advanced users can create stable backdoors using
such things as proxy jumps and port forwarding that survive reboots,
logouts etc. It is also easy to add layers of plausible deniability
and obfuscation.</p>
<p>There are many more tools, ways and possibilities to implant and efficiently
hide a backdoor into the UiB jailed environment. All that is required is
various open source components freely available on the net and an <strong>incentive</strong>
to take such unauthorized actions. It is not just an abstract theoretical
threat but a real and serious risk left behind by the current jailing policy.</p>
<p>Imposing a jailed environment without considering trade-off of flexibility
and usability has this biggest problem: <strong>It may create an incentive to break
the rules to make life more hassle-free.</strong> A related and serious problem
is that the IT department would not be able to control this and in most
cases will remain unaware of the issue. It is virtually impossible to detect
that users communicate and share sensitive medical or personal data over a
private google mail account, for example. A cryptic backdoor implanted on
the computer within the UiB jail with sufficient plausible deniability can
remain long undetected without costly and tedious forensic analysis. But
such an analysis will be conducted only by the police after a catastrophic
break-in has occurred, too late.</p>
<p>There are many advanced users, smart students, at the university. Many well
understand (and they do discuss!) the inconsistency of the restrictive jail
policies. Some people may find it quite fun to overcome the silly rules
imposing unneeded hassle. It can indeed be an interesting challenge but,
unfortunately, an additional incentive.</p>
<p>A further problem is that many users do not bother to report
smaller or transient problems through the normal issue tracking channels such
as hjelp.uib.no. They may not be acquainted with it or just consider it a
hassle if they are very busy (and they are very busy with real work, with no time
to spend on tangential IT problems). A quite typical course of action is to ask
someone nearby for help or a workaround. Therefore, if knowledge of
the ways of implanting backdoors, and the obvious fact that it is quite
easy and just solves the problem, spreads among students and staff,
it can create a real security disaster. Unfortunately, backdoor skills are
very likely to spread if the IT department continues to build a more and more
restrictive jail and provide more incentives to break the rules. Then it
would be essential to tighten the jail further: inspect all devices on entry
and refuse entry to everyone with IQ > 0.60. The simple fact is that the
jail that is being happily built is not made of rock and steel; it is paper.</p>
<p>The situation at UiB is quite different from the typical commercial
organization that the standard security recipes are based upon. There
are many brilliant students and staff here, many of them young and fond of
challenges. There will be those who would not hesitate to take the risk, given
that the benefit of making one’s own hassle-free environment is high, the cost
is zero and the expected risk is rather low. Making a backdoor is indeed a
way of learning technology that is fun, another added incentive. Many
folks are already aware of various software tools and know how to use their
black magic. People are ingenious, and people at UiB are on average much more
ingenious than outside. What is the threat model for developing the jailed IT
environment? Is it to protect UiB from outside hackers? That is the wrong model,
because many such hackers are already within the jailed environment and are
ready to take up the challenge of punching through its feeble paper walls from inside.</p>
<h3>What should be done?</h3>
<p>Inconsiderate and inflexible jailing of the UiB IT networks should certainly
be slowed down before it is too late and people start using third-party
tools and making their own unauthorized solutions. There should be a serious
analysis of what must be implemented and over which time scale, so that users
can get acquainted with it and do not suddenly face huge hassle. As of now,
the “analysis” seems to be mainly focused on “what is suddenly broken
once we put everything into a jail”; this is not acceptable. The
policies should not be based mechanistically on some manual made for a
different type of environment; they should be inclusive, flexible enough to
adapt to the complex, diverse and heterogeneous UiB environment. <strong>The main
focus should switch from technology to people:</strong> how to reach most of them
(they are busy!), make security improvements minimally obtrusive, teach very
busy people sufficient security skills without much hassle. Specifically,
the most important information should not be sent via a global mailing list
that may disappear in the user’s mail filter, but must be directed personally
to each user (it isn’t prohibitively hard to write a script for this,
substituting <code>%NAME%</code> with the real user’s name).</p>
<p>The technological part of the solution should develop sensible threat models
based on attack and usage statistics. It should be governed by real risks
rather than by the desire to just protect everything quickly and at all costs. Some
of the restrictions already applied can be relaxed. A reasonable solution is
to apply a more sensible <strong>score-based security mechanism,</strong> e.g. including
IP-based rules for two-factor or two-step authentication. Some of the more
secure services can, for example, be available without firewall restriction
if the user comes from his/her frequently used Norwegian home IP address
(to improve usability while still reducing the potential attack surface). This
effectively transforms the jail into a continuum that adapts to the threat
and uncertainty level. It will also pay back to demonstrate to all users the practical
benefits of client-side certificate authentication, OAuth2 and similar more
phishing-resistant security token mechanisms (e.g. they can relax the need for
TOTP/SMS authentication). The university should also facilitate
much wider use of <strong>hardware-based authentication devices,</strong> such as YubiKey,
for proper two-factor authentication, perhaps even distributing such devices
freely in some groups if universal deployment turns out to be expensive. Such
personal identity verification hardware devices are actually a crucial
component of modern <strong>zero-trust</strong> security approaches.</p>
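<p>As an added illustration (not part of the original post and not UiB policy), here is what such a score-based mechanism could look like in code: a request is scored from a few signals (whether the source address is the user's known home network, whether it is domestic at all, whether a hardware token or client certificate was presented), and the score decides between plain access, a step-up TOTP/SMS challenge, or VPN first. The signals, weights, thresholds and the sample address prefixes are all assumptions made for the example.</p>

```python
# Added illustration (not from the original post, not UiB policy): a minimal
# score-based access decision of the kind proposed above.  The signals,
# weights, thresholds and the sample network prefixes are all assumptions.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample data.  In practice the "frequently used home address"
# prefixes would be learned from each user's successful login history.
KNOWN_HOME_PREFIXES = {
    "alice": [ip_network("198.51.100.0/24")],
    "bob": [ip_network("203.0.113.0/24")],
}
# Constructed stand-in for a Norwegian address lookup (documentation prefixes).
NORWEGIAN_PREFIXES = [ip_network("198.51.100.0/24"), ip_network("203.0.113.0/24")]


@dataclass
class Request:
    user: str
    source_ip: str
    hardware_token: bool  # phishing-resistant factor (e.g. YubiKey) verified
    client_cert: bool     # client-side certificate presented on this session


def risk_score(req: Request) -> int:
    """Higher means riskier.  Each signal adds or removes points from a baseline."""
    ip = ip_address(req.source_ip)
    score = 50  # baseline: password only, from an address we know nothing about
    if any(ip in net for net in KNOWN_HOME_PREFIXES.get(req.user, [])):
        score -= 30  # the user's own frequently used home address
    elif any(ip in net for net in NORWEGIAN_PREFIXES):
        score -= 10  # domestic, but not previously seen for this user
    else:
        score += 20  # foreign or never-seen network
    if req.hardware_token:
        score -= 40  # hardware token already satisfies the strong second factor
    if req.client_cert:
        score -= 20
    return max(score, 0)


def decide(req: Request) -> str:
    """Map the score to an action: plain access, step-up TOTP/SMS, or VPN first."""
    score = risk_score(req)
    if score <= 20:
        return "allow"
    if score <= 50:
        return "step-up-otp"
    return "vpn-required"


if __name__ == "__main__":
    for r in (Request("alice", "198.51.100.5", True, False),
              Request("bob", "198.51.100.5", False, False),
              Request("alice", "192.0.2.7", False, False)):
        print(r.user, r.source_ip, risk_score(r), decide(r))
```

<p>The point of the design is the continuum the text asks for: the same user gets three different treatments depending on where the request comes from and which factors were already proven, instead of one firewall rule that either blocks or admits everyone.</p>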
<p>The crucial element of the whole policy is to <strong>create incentives for using
more secure tools.</strong> For example, the use of hardware personal identity
verification tokens should allow bypassing all or most restrictions,
perhaps even the need for VPN. There would currently be little added risk
with such a policy, but the users would be much happier to do their work
securely whenever they need to, without hassle. This would require hard work,
additional integration and funding. But educating, helping and cooperating
with users—not restricting and obstructing them—would be the only viable
strategy to achieve increased security in the University environment in
reality, not just on paper.</p>Using Subversion to manage Office files2020-10-23T09:47:00+02:002020-10-23T09:47:00+02:00Sergey Budaevtag:budaev.info,2020-10-23:/using-subversion-to-manage-office-files.html<p>Using Subversion to manage Office files</p><p>Because <strong>Subversion</strong> works best with (and can track changes in) <strong>plain text</strong> files,
it is not well adapted for versioning normal <strong>Microsoft Office</strong> or
<strong>LibreOffice/OpenOffice</strong> documents. However, both are actually zipped XML
files. Therefore, it is possible to version them both directly (as binary files) and as flat XML
text (with full version control and merge support).</p>
<h2>Microsoft Office</h2>
<p>For <strong>Microsoft Office</strong>, there are extensions for Subversion:
<a href="https://sourceforge.net/projects/msofficesvn/">Msofficesvn</a>,
<a href="https://archive.codeplex.com/?p=officesvn">OfficeSVN</a> and
<a href="https://www.youtube.com/watch?v=mN2vT1oS0DQ">MagnetSVN</a>.</p>
<p>Also, <a href="https://tortoisesvn.net/">TortoiseSVN</a> can use the native Microsoft Word
"compare versions" tool to check for differences between versions. Check out
the <code>Diff-Scripts</code> in the TortoiseSVN installation directory. Note that these
scripts are JavaScript and can be blocked by corporate or university security policy:
ask the IT!</p>
<h3>Subversion keywords</h3>
<p>Subversion keywords (properties) can be managed in Microsoft Word files using
<a href="https://insights.oetiker.ch/windows/SvnProperties4MSOffice/">SvnProperties4MSOffice</a>.</p>
<p>For more information see
<a href="https://gotomation.info/2019/01/svn-version-control-office-documents/">https://gotomation.info/2019/01/svn-version-control-office-documents/</a>.</p>
<p>If special software for adapting Office files is not used, it is
recommended to use the Microsoft <strong>uncompressed XML</strong> formats for all
outputs. While they take more disk space (because they are unzipped), these
are plain text XML, so Subversion handles them very efficiently. Also, svn keywords/tags
can be used within the text without any additional tools.</p>
<h2>LibreOffice or OpenOffice</h2>
<p>For <strong>LibreOffice</strong>, the easiest way is to use the <strong>.fodt</strong> format for saving
the document (instead of .odt or .docx); FODT is a flat XML format. A drawback
is that it is unzipped and takes much more disk space. But Subversion does not
store all versions of the whole file; it effectively saves the differences between
the versions. Therefore, there is little or no overhead within the version control system
when working with <strong>fodt</strong> files.</p>
<p>Quite importantly, it is then trivial to enable keyword expansion (the
<code>svn:keywords</code> property) on the <strong>fodt</strong> file in the svn system. Then, normal svn
keywords/tags such as <code>$Revision 1234$</code> can be included wherever needed in
the fodt file, and they will auto-update on every commit without any
additional tools. But note that the whole tag <code>$Revision 1234$</code>
must have the same formatting (i.e. no bold/italic/other font within
it, including the <code>$ $</code> delimiters).</p>
<p>For more information see
<a href="https://wiki.documentfoundation.org/Libreoffice_and_subversion">https://wiki.documentfoundation.org/Libreoffice_and_subversion</a>
and <a href="https://wiki.documentfoundation.org/Svn:keywords">https://wiki.documentfoundation.org/Svn:keywords</a>.</p>
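<p>The formatting requirement above has a concrete reason: in flat XML, a bold or italic run becomes its own <code>&lt;text:span&gt;</code> element, so a keyword that was partly reformatted is no longer one contiguous <code>$...$</code> string in the file and Subversion will never substitute it. The checker below is an added example, not part of the original post or of Lo_SVN: it walks every paragraph of a .fodt document, splits the text into XML text nodes, and reports keywords that are split across nodes. The sample document is constructed for the example, and the keyword list is the common svn set.</p>

```python
# Added illustration, not part of the original post: check a flat-XML (.fodt)
# document for svn keywords that LibreOffice has split across formatting
# runs.  Subversion substitutes a keyword only when the whole "$...$" string
# is contiguous in the file, so a keyword whose "$" and name sit in different
# <text:span> elements will never be updated.  The sample document below is
# constructed for this example.
import re
import xml.etree.ElementTree as ET

TEXT_NS = "urn:oasis:names:tc:opendocument:xmlns:text:1.0"
# Common svn keywords, unexpanded ($Revision$) or expanded ($Revision: 9925 $).
KEYWORD_RE = re.compile(
    r"\$(?:Revision|Rev|LastChangedRevision|Id|Date|LastChangedDate|Author|HeadURL|URL)[^$]*\$"
)


def text_runs(elem):
    """Yield each XML text node of a paragraph separately, in document order."""
    if elem.text:
        yield elem.text
    for child in elem:
        yield from text_runs(child)
        if child.tail:
            yield child.tail


def check_fodt_keywords(xml_text):
    """Return (contiguous_keywords, split_keywords) found in all text:p elements."""
    root = ET.fromstring(xml_text)
    contiguous, split = [], []
    for para in root.iter(f"{{{TEXT_NS}}}p"):
        runs = list(text_runs(para))
        flat = "".join(runs)  # what a human sees in the document
        for match in KEYWORD_RE.finditer(flat):
            keyword = match.group(0)
            # The keyword is usable only if one single run contains all of it.
            if any(keyword in run for run in runs):
                contiguous.append(keyword)
            else:
                split.append(keyword)
    return contiguous, split


# Constructed sample: one good paragraph, two where formatting breaks the keyword.
SAMPLE_FODT = """<office:document
    xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0"
    xmlns:text="urn:oasis:names:tc:opendocument:xmlns:text:1.0"
    office:mimetype="application/vnd.oasis.opendocument.text">
  <office:body><office:text>
    <text:p>Version: $Revision: 9925 $ ($Date$)</text:p>
    <text:p>Bold name: <text:span text:style-name="T1">$Revision</text:span>: 9925 $</text:p>
    <text:p>Italic name: $<text:span text:style-name="T2">Id</text:span>$</text:p>
  </office:text></office:body>
</office:document>"""

if __name__ == "__main__":
    good, bad = check_fodt_keywords(SAMPLE_FODT)
    print("contiguous:", good)
    print("split across runs:", bad)
```

<p>Run it over a real .fodt before committing; a keyword listed as split looks correct on screen but will silently stay stale after every commit, which is exactly the failure the formatting rule above is meant to avoid.</p>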
<h2>Conflicts</h2>
<p>To avoid conflicts when several people are working concurrently with
svn-tracked files, <strong>use svn locks</strong>. This is because the files behave like
binary files and cannot be easily merged, unlike normal plain text code. In fact,
they could be merged, but do not always expect the merge to work as expected,
because the text file includes complex tags and these may be broken by the merge.</p>
<p>It is also difficult to resolve conflicts visually. A useful trick is
to set this property on the file: <code>svn propset svn:needs-lock "true"
file_name.fodt</code>. Then, any <code>svn update</code> will make this file
read-only. To allow editing, the file lock must be taken. This ensures that
only one user can edit the file at a time.</p>
<h2>How can differences between versions be checked?</h2>
<p>Because the LibreOffice files are not just text, checking differences
is not trivial. A normal diff tool will produce lots of messy XML
differences.</p>
<p>But there is a Linux bash script that helps comparing
the files through converting FODT to PDF and then running diffpdf
utility:</p>
<ul>
<li><a href="https://git.app.uib.no/Sergey.Budaev/lo_svn/-/blob/master/diffodt">https://git.app.uib.no/Sergey.Budaev/lo_svn/-/blob/master/diffodt</a></li>
</ul>
<p>There is also a Windows/DOS batch script that does this trick:</p>
<ul>
<li><a href="https://git.app.uib.no/Sergey.Budaev/lo_svn/-/blob/master/diffodt.bat">https://git.app.uib.no/Sergey.Budaev/lo_svn/-/blob/master/diffodt.bat</a></li>
</ul>
<p>The script requires the <code>diffpdf</code> program that is found in most Linux
distributions. A Windows version is open source but is not normally distributed
in binary ".exe" form.</p>
<h3>How to use diffodt script</h3>
<ul>
<li>
<p>Compare working copy with the latest revision from svn: <code>diffodt paper.fodt</code></p>
</li>
<li>
<p>Compare the working document with r9925: <code>diffodt 9925 paper.fodt</code></p>
</li>
<li>
<p>Compare two specific versions of the document: <code>diffodt 9925 9987 paper.fodt</code></p>
</li>
</ul>
<h2>Integrating Subversion into LibreOffice User Interface</h2>
<p>Lo_SVN is a LibreOffice extension that adds basic Subversion functionality
to the LibreOffice interface. Basic svn commands then become available from
the LibreOffice menu.</p>
<p><img alt="Lo_SVN" src="https://budaev.info/images/losvn_scr.png" title="Lo_SVN screenshot"></p>
<ul>
<li>
<p>Source code: <a href="https://git.app.uib.no/Sergey.Budaev/lo_svn">https://git.app.uib.no/Sergey.Budaev/lo_svn</a>.</p>
</li>
<li>
<p>Official LibreOffice <strong>extension repository</strong>:
<a href="https://extensions.libreoffice.org/en/extensions/show/4071">https://extensions.libreoffice.org/en/extensions/show/4071</a></p>
</li>
<li>
<p><strong>User manual</strong> for Lo_SVN is here:
<a href="https://budaev.info/pub/doc/Lo_SVN.pdf">https://budaev.info/pub/doc/Lo_SVN.pdf</a>.</p>
</li>
</ul>Is Zoom safe to use? Is the company marketing and other information correct and can be trusted?2020-04-03T11:10:00+02:002020-04-03T11:10:00+02:00Sergey Budaevtag:budaev.info,2020-04-03:/is-zoom-safe-to-use-is-the-company-marketing-and-other-information-correct-and-can-be-trusted.html<p>Is Zoom safe to use? Is the company marketing and other information correct and can be trusted?</p><h2>Zoom privacy and security problems</h2>
<p>Zoom has demonstrated significant negligence with respect to
cybersecurity. Additionally, the company has run aggressive marketing
campaigns and was caught providing false information to its end users.</p>
<ul>
<li>
<p>Zoom aggressively forces the user to download and install the native
application rather than use a web browser for videoconferencing, even
though videoconferences work in the web browser. This is a little
suspicious. Browser-based conferences are more convenient for an occasional
user and safer, due to browser sandboxing of network applications.</p>
</li>
<li>
<p>A serious security deficiency on the Apple Mac platform allowed
any unauthorized remote attacker to activate the web camera, connect
the user to a conference and execute a denial-of-service attack. Zoom tried
to ignore and deliberately hide information about this very serious
security vulnerability and was slow to fix it.
<a href="https://medium.com/bugbountywriteup/zoom-zero-day-4-million-webcams-maybe-an-rce-just-get-them-to-visit-your-website-ac75c83f4ef5">See here for more details</a>,
and <a href="https://techcrunch.com/2019/07/10/apple-silent-update-zoom-app/">here</a>
(technical information is
<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13449">here</a> and
<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13450">here</a>).
Zoom management's response seems to point to a quite irresponsible corporate
culture.</p>
</li>
<li>
<p>More recently it turned out that Zoom was sending users' data
to Facebook servers without the user's consent. This is now fixed. See the
<a href="https://www.vice.com/en_us/article/k7e599/zoom-ios-app-sends-data-to-facebook-even-if-you-dont-have-a-facebook-account">Vice article</a>
and <a href="https://www.vice.com/en_au/article/z3b745/zoom-removes-code-that-sends-data-to-facebook">this follow-up</a>.</p>
</li>
<li>
<p>Zoom was caught providing false and misleading information that the
videoconference has "end-to-end" encryption while this was not so. Check out <a href="https://theintercept.com/2020/03/31/zoom-meeting-encryption/">this</a>.
The explanation provided by Zoom for this is unsatisfactory.</p>
</li>
<li>
<p>Zoom had a serious security vulnerability that could lead to a
user password leak on Microsoft Windows.
<a href="https://www.bleepingcomputer.com/news/security/zoom-lets-attackers-steal-windows-credentials-run-programs-via-unc-links/">See here for details</a>.</p>
</li>
<li>
<p>Zoom has a strange privacy policy that, even though it states that "privacy
is very important to us," requires quite a large collection of private user
information. There is little explanation about why this information
is collected. Unlike many other similar companies, Zoom does not release
transparency report(s). See here: <a href="https://zoom.us/privacy">https://zoom.us/privacy</a></p>
</li>
<li>
<p>The Electronic Privacy Information Center has filed a complaint to the FCC</p>
<ul>
<li>alleging that the videoconferencing company Zoom has committed unfair
and deceptive practices in violation of the FTC Act. According to EPIC,
Zoom intentionally designed its web conferencing service to bypass
browser security settings and remotely enable a user's web camera
without the knowledge or consent of the user.</li>
</ul>
<p>See more details <a href="https://epic.org/2019/07/epic-files-complaint-with-ftc-.html">here</a>.</p>
</li>
<li>
<p>There is growing concern about the privacy deficiencies in Zoom;
for more details see <a href="https://blogs.harvard.edu/doc/2020/03/27/zoom/">this</a> and
<a href="https://www.consumerreports.org/video-conferencing-services/zoom-teleconferencing-privacy-concerns/">this</a>.
Also see <a href="https://www.theguardian.com/technology/2020/apr/02/zoom-technology-security-coronavirus-video-conferencing">The Guardian</a>.</p>
</li>
<li>
<p>Recently SpaceX has banned Zoom because
of privacy concerns, see
<a href="https://www.reuters.com/article/us-spacex-zoom-video-commn/elon-musks-spacex-bans-zoom-over-privacy-concerns-memo-idUSKBN21J71H">here for details</a>.</p>
</li>
<li>
<p>Zoom has close links with China. Even though the intellectual property,
management and marketing are based in the USA, many if not most developers and
engineers are based in China (see the <a href="https://www.sec.gov/Archives/edgar/data/1585521/000119312519083351/d642624ds1.htm#toc642624_7">Form S-1 registration statement</a>). This
can potentially lead to serious privacy and cybersecurity issues, given
the Chinese regime's tightening of Internet regulation (censorship, privacy
etc.). One example is the 2019 MLPS 2.0 legislation, mandating unrestricted
access to the user data of China residents and any foreign companies. (In China, Zoom
has a <a href="https://www.iyiou.com/p/96718.html">network of agents acting under different names but using the same
platform</a>.)</p>
</li>
</ul>
<h3>Updates: More on Zoom problems</h3>
<ul>
<li>
<p>Vulnerabilities:</p>
<ul>
<li><a href="https://objective-see.com/blog/blog_0x56.html">https://objective-see.com/blog/blog_0x56.html</a></li>
<li><a href="https://www.bleepingcomputer.com/news/security/zoom-lets-attackers-steal-windows-credentials-run-programs-via-unc-links/">https://www.bleepingcomputer.com/news/security/zoom-lets-attackers-steal-windows-credentials-run-programs-via-unc-links/</a></li>
</ul>
</li>
<li>
<p>Privacy holes:</p>
<ul>
<li><a href="https://www.nytimes.com/2020/04/02/technology/zoom-linkedin-data.html">https://www.nytimes.com/2020/04/02/technology/zoom-linkedin-data.html</a></li>
<li><a href="https://techcrunch.com/2020/04/03/zoom-calls-routed-china">https://techcrunch.com/2020/04/03/zoom-calls-routed-china</a></li>
</ul>
</li>
<li>
<p>CitizenLab Report on Zoom:</p>
<ul>
<li>
<p>CitizenLab published a detailed report on Zoom security and privacy. Here are a few highlights:</p>
<ul>
<li>
<p>Zoom documentation claims that the app uses “AES-256”
encryption for meetings where possible. However, we find that
in each Zoom meeting, a single AES-128 key is used in ECB mode
by all participants to encrypt and decrypt audio and video. The
use of ECB mode is not recommended because patterns present in
the plaintext are preserved during encryption. The AES-128 keys,
which we verified are sufficient to decrypt Zoom packets intercepted
in Internet traffic, appear to be generated by Zoom servers, and
in some cases, are delivered to participants in a Zoom meeting
through servers in China, even when all meeting participants,
and the Zoom subscriber’s company, are outside of China. Zoom,
a Silicon Valley-based company, appears to own three companies in
China through which at least 700 employees are paid to develop
Zoom’s software. This arrangement is ostensibly an effort at
labor arbitrage: Zoom can avoid paying US wages while selling
to US customers, thus increasing their profit margin. However,
this arrangement may make Zoom responsive to pressure from Chinese
authorities.</p>
</li>
<li>
<p>See the full report here: <a href="https://citizenlab.ca/2020/04/move-fast-roll-your-own-crypto-a-quick-look-at-the-confidentiality-of-zoom-meetings/">Move Fast and Roll Your Own Crypto A Quick Look at the Confidentiality of Zoom Meetings</a></p>
</li>
</ul>
</li>
</ul>
</li>
<li>
<p>Google now banned Zoom for its employees: Google has banned the popular
videoconferencing software Zoom from its employees’ devices, BuzzFeed
News has learned. Zoom, a competitor to Google’s own Meet app, has seen an
explosion of people using it to work and socialize from home and has become
a cultural touchstone during the coronavirus pandemic.
<a href="https://www.buzzfeednews.com/article/pranavdixit/google-bans-zoom">Read here</a>.</p>
</li>
<li>
<p>Zoom zero-days for sale: People who trade in zero-day
exploits say there are two Zoom zero-days, one for Windows
and one for MacOS, on the market. <a href="https://www.vice.com/en_us/article/qjdqgv/hackers-selling-critical-zoom-zero-day-exploit-for-500000">See here for more detail</a>.</p>
</li>
<li>
<p>Zoom is using the microphone even when not in a meeting on MacOSX.
<a href="https://community.zoom.com/t5/Meetings/Why-is-the-Zoom-app-listening-on-my-microphone-when-not-in-a/td-p/29019">Why is the Zoom app listening on my microphone when not in a meeting?</a>
An <a href="https://support.zoom.us/hc/en-us/articles/201361963-New-Updates-for-Mac-OS">update fixed</a> the problem... but not the microphone activation itself, only the interface: the microphone indicator.
Zoom nevertheless <a href="https://habr.com/ru/news/t/650539/">continues to activate the microphone</a> on MacOSX. Is CCP listening?</p>
</li>
</ul>
<h2>How to increase privacy and security of using Zoom on Linux</h2>
<p><strong>Sandboxing.</strong> On the Linux platform, one solution is to always run the Zoom
videoconferencing software only in a <strong>limited sandbox.</strong> Then the Zoom client
does not have access to the user's files and other processes running on the
system.</p>
<ul>
<li>Update: This recipe works for Zoom v. 3.5.361645.0301, but not for some
later versions, e.g. 3.5.374815.0324, see update below on this.</li>
</ul>
<p><strong>Disable any unauthorized update/upgrade of the Zoom client.</strong> Do not install
Zoom software via the standard repository. Use the static tar.gz archive
instead: select "Other Linux OS" for installation and uncompress the static
distribution in a safe directory. The <em>disadvantage</em> of this is that updates are
manual only: check the Zoom web site for new releases and read the changelog. The
<em>advantage</em> is that Zoom cannot silently install any unauthorized update or
software on the system.</p>
<p>It also makes sense to register at Zoom with the institutional email but a
separate password, so that Zoom does not use the main institutional login (SSO
login). This might help against credential leaks in case of a Zoom software
vulnerability. Using the institutional email to register ensures Zoom
is registered as "licensed."</p>
<p><strong>Install firejail sandboxing.</strong> <a href="https://firejail.wordpress.com/">https://firejail.wordpress.com/</a>:</p>
<p><code>sudo apt install firejail</code>.</p>
<ul>
<li><strong>Firejail</strong> is a SUID program that reduces the risk of security breaches
by restricting the running environment of untrusted applications using
Linux namespaces and seccomp-bpf. ... Firejail can sandbox any type
of processes: servers, graphical applications, and even user login
sessions. The software includes security profiles for a large number
of Linux programs: Mozilla Firefox, Chromium, VLC, Transmission etc. To
start the sandbox, prefix your command with “firejail.”</li>
</ul>
<p>Make a configuration file for Zoom in <code>.config/firejail/</code>. The file is
named after the main Zoom executable, i.e. ZoomLauncher.profile
(given that the running executable is ZoomLauncher):</p>
<div class="highlight"><pre><span></span># Note: to delete all firejail profiles for all local trusted apps
# run sudo firecfg --clean
# ----------------------------------------------------------------
# Duplication of zoom configs in noblacklist and whitelist
# sections fixes login credentials no save problem:
noblacklist <span class="cp">${</span><span class="n">HOME</span><span class="cp">}</span>/.config/zoomus.conf
noblacklist <span class="cp">${</span><span class="n">HOME</span><span class="cp">}</span>/.zoom
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-passwdmgr.inc
whitelist <span class="cp">${</span><span class="n">HOME</span><span class="cp">}</span>/bin/zoom
whitelist <span class="cp">${</span><span class="n">HOME</span><span class="cp">}</span>/.config/zoomus.conf
whitelist <span class="cp">${</span><span class="n">HOME</span><span class="cp">}</span>/.zoom
whitelist <span class="cp">${</span><span class="n">HOME</span><span class="cp">}</span>/.cache/zoom
whitelist <span class="cp">${</span><span class="n">HOME</span><span class="cp">}</span>/downloads
include /etc/firejail/whitelist-common.inc
caps.drop all
netfilter
nodvd
nonewprivs
noroot
notv
protocol unix,inet,inet6
seccomp
private-tmp
# Needed for latest versions of Zoom and perhaps certain other Qt/QML apps
env QML_DISABLE_DISK_CACHE=1
</pre></div>
<p>Now Zoom client can be started from the firejail sandbox:</p>
<div class="highlight"><pre><span></span>firejail /path_to_safe_install_location/bin/zoom/ZoomLauncher
</pre></div>
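<p>A profile like the one above is only as good as the directives it actually contains, and it is easy to lose one while editing. The following is an added example, not code from the original post or from the firejail project: a small linter that parses a firejail profile, reports which of a minimal set of hardening directives are absent (the set is my assumption of a reasonable minimum for an untrusted network client, not firejail's full option list) and flags <code>whitelist</code> entries that reach outside <code>${HOME}</code>. The two sample profiles are constructed; the first mirrors the hardened profile shown above.</p>

```python
# Added illustration, not from the original post: a small linter for firejail
# profiles such as the ZoomLauncher.profile above.  It reports hardening
# directives that are absent and whitelist entries that reach outside the
# user's home directory.  The REQUIRED set is an assumed reasonable minimum
# for an untrusted network client, not firejail's full option list.
REQUIRED = {
    "caps.drop all": "drop all Linux capabilities",
    "noroot": "no root user inside the sandbox",
    "nonewprivs": "no privilege gain through setuid/setgid binaries",
    "seccomp": "filter dangerous system calls",
    "private-tmp": "private /tmp instead of the shared one",
    "netfilter": "default network filter for the sandbox",
}


def parse_profile(text):
    """Return the effective directives: comments and blank lines removed,
    internal whitespace normalised so 'caps.drop  all' equals 'caps.drop all'."""
    directives = []
    for raw in text.splitlines():
        line = " ".join(raw.split())
        if line and not line.startswith("#"):
            directives.append(line)
    return directives


def lint_profile(text):
    """Return a list of human-readable findings; an empty list means no issues."""
    directives = parse_profile(text)
    present = set(directives)
    findings = [f"missing '{d}': {why}" for d, why in REQUIRED.items() if d not in present]
    for line in directives:
        if line.startswith("whitelist "):
            path = line.split(" ", 1)[1]
            if not path.startswith("${HOME}/"):
                findings.append("whitelist outside ${HOME}: " + path)
    return findings


# Constructed profiles: the first mirrors the hardened one shown above,
# the second looks like a sandbox but leaves most of the protection out.
HARDENED_PROFILE = """
noblacklist ${HOME}/.config/zoomus.conf
noblacklist ${HOME}/.zoom
include /etc/firejail/disable-common.inc
whitelist ${HOME}/bin/zoom
whitelist ${HOME}/.config/zoomus.conf
whitelist ${HOME}/.zoom
include /etc/firejail/whitelist-common.inc
caps.drop all
netfilter
nonewprivs
noroot
protocol unix,inet,inet6
seccomp
private-tmp
env QML_DISABLE_DISK_CACHE=1
"""

WEAK_PROFILE = """
# looks sandboxed, but root, setuid escalation and every syscall are allowed
noblacklist ${HOME}/.config/zoomus.conf
whitelist ${HOME}/.zoom
whitelist /etc
caps.drop all
netfilter
private-tmp
"""

if __name__ == "__main__":
    for name, profile in (("hardened", HARDENED_PROFILE), ("weak", WEAK_PROFILE)):
        print(name, lint_profile(profile) or "OK")
```

<p>A whitelist outside the home directory is not always wrong (some applications need a path under <code>/usr/share</code>), which is why it is reported as a finding to review rather than treated as an error; the missing directives, on the other hand, are exactly the ones that keep a compromised Zoom process from becoming root or escaping through an unfiltered syscall.</p>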
<p>To make it possible to use the standard graphical menus, one needs
to make a zoom.desktop startup file in the user's directory
<code>.local/share/applications</code>. The Exec entry of the file must include the
firejail-based startup:</p>
<div class="highlight"><pre><span></span><span class="k">[Desktop Entry]</span>
<span class="na">Name</span><span class="o">=</span><span class="s">Zoom Desktop [Jailed]</span>
<span class="na">GenericName</span><span class="o">=</span><span class="s">Zoom videoconferencing</span>
<span class="na">Comment</span><span class="o">=</span><span class="s">Zoom Desktop Client jailed</span>
<span class="na">Exec</span><span class="o">=</span><span class="s">firejail /path_to_safe_install_location/bin/zoom/ZoomLauncher %f</span>
<span class="na">Icon</span><span class="o">=</span><span class="s">zoom.png</span>
<span class="na">Terminal</span><span class="o">=</span><span class="s">false</span>
<span class="na">Type</span><span class="o">=</span><span class="s">Application</span>
<span class="na">Categories</span><span class="o">=</span><span class="s">Network;Internet;Education;Qt;</span>
<span class="na">X-SuSE-translate</span><span class="o">=</span><span class="s">false</span>
</pre></div>
<h3>Firejail caveats</h3>
<p>Firejail can start serving all of the user's applications from its jail, which is
often too restrictive (e.g. settings are not saved).</p>
<ul>
<li>
<p>To force reconfiguring all applications to run in firejail (do not do
this if you are unsure), run:</p>
<p><code>sudo firecfg</code></p>
</li>
<li>
<p>To disable configuring all local applications to run in jail, do this:</p>
<p><code>sudo firecfg --clean</code></p>
</li>
<li>
<p>Do this (<code>sudo firecfg --clean</code>) if you have problems starting applications
after installing firejail.</p>
</li>
<li>
<p>To check if an application is by default starting in a jail, run it
from the terminal. If terminal shows several lines like Reading profile
<code>/etc/firejail/disable-common.inc</code> then the application runs in a jail.</p>
</li>
</ul>
<p>A newer version of the Zoom client (3.5.374815.0324) refused to run in a jailed
environment and hung.</p>
<p>A <em>workaround</em> for running recent Zoom in the jail: add the line
<code>env QML_DISABLE_DISK_CACHE=1</code> to the firejail config file.</p>
<ul>
<li><code>QML_DISABLE_DISK_CACHE</code> Disables the disk cache and forces re-compilation
from source for all QML and JavaScript files. (from QML Documentation)</li>
</ul>
<h2>How to increase privacy and security of using Zoom on Microsoft Windows</h2>
<p>Here is a link on sandbox in Windows 10: How to
use <a href="https://www.windowscentral.com/how-use-windows-sandbox-windows-10-may-2019-update">Windows sandbox</a>.</p>
<p>I have not tested how this works.</p>
<h2>Android sandbox</h2>
<p>For Android, one solution is to use the open source <strong>Shelter</strong> application,
then mobile Zoom can run in a secure container.</p>
<p>I have been running several programs that I do not like to give access to
my data within Shelter. It works fine for me.</p>
<p>Advantages:</p>
<ul>
<li>
<p>Contacts (address book) are not leaked to Zoom if a separate address book
is used within Shelter.</p>
</li>
<li>
<p>All apps can be frozen to stop them running all the time in the background;
this reduces the chances of data leaks as well as battery drain. Freezing
can be done automatically, after a timeout.</p>
</li>
</ul>
<p>Links</p>
<ul>
<li>
<p>Google Play:
<a href="https://play.google.com/store/apps/details?id=net.typeblog.shelter">https://play.google.com/store/apps/details?id=net.typeblog.shelter</a>.</p>
</li>
<li>
<p>F-Droid: <a href="https://f-droid.org/en/packages/net.typeblog.shelter/">https://f-droid.org/en/packages/net.typeblog.shelter/</a>.</p>
</li>
<li>
<p>Source code of Shelter is here: <a href="https://github.com/PeterCxy/Shelter">https://github.com/PeterCxy/Shelter</a>.</p>
</li>
</ul>How to make an array and initialize it with a sequence of values in Fortran?2019-11-20T10:19:00+01:002019-11-20T10:19:00+01:00Sergey Budaevtag:budaev.info,2019-11-20:/how-to-make-an-array-and-initialize-it-with-a-sequence-of-values-in-fortran.html<p>How to make an array and initialize it with a sequence of values in Fortran?</p><p>How do you make an array and initialize it with a sequence of values? For
example, I want a list from 0.25 to 1.5 that is separated with 0.25. In
other words I want something similar to <code>seq(0.25,5,0.5)</code> in R.</p>
<h2>Equally spaced real array with fixed increment in Fortran</h2>
<p>Producing an equally spaced array from V<sub>1</sub> to V<sub>N</sub> with
increments ΔV</p>
<!--
Math in markdown:
https://stackoverflow.com/questions/11256433/how-to-show-math-equations-in-general-githubs-markdownnot-githubs-blog
Latex editor:
https://www.codecogs.com/latex/eqneditor.php
-->
<!--
{ V<sub>1</sub>, V<sub>2</sub>=V<sub>1</sub> + ΔV, V<sub>3</sub>=V<sub>2</sub> + ΔV, V<sub>4</sub>=V<sub>3</sub> + ΔV ... V<sub>N</sub>=V<sub>N-1</sub> + ΔV}
-->
<p><img src="https://latex.codecogs.com/svg.latex?\{V_1,V_2=V_1+\Delta V,V_3=V_2+\Delta V,V_4=V_3+\Delta V, ... V_N=V_{N-1}+\Delta V\}"></p>
<p><strong>1.</strong> Each of the values in the above vector can be calculated as:</p>
<p><img src="https://latex.codecogs.com/svg.latex?V_i=V_1+\Delta V(i-1)"></p>
<!--
V<sub>i</sub> = V<sub>1</sub> + ΔV (i-1)
-->
<p><strong>2.</strong> The total number of values <em>N</em> in the array ending with a fixed known
V<sub>N</sub> is equal to</p>
<p><img src="https://latex.codecogs.com/svg.latex?N=\frac{V_N-V_1}{\Delta V}+1"></p>
<p><strong>3.</strong> It is not possible to use a simple piece of code like this to produce a real type
array in Fortran:</p>
<div class="highlight"><pre><span></span>Array = [V1:VN:Incr]
</pre></div>
<p><strong>4.</strong> Such a construction cannot be used in modern Fortran, even though old
versions could accept a similar construction based on implied loop with real
type index counter:</p>
<div class="highlight"><pre><span></span>real :: r ! Index must be integer in loops!
print *, (r, r=V1,VN,Incr)
</pre></div>
<p><strong>5.</strong> In the modern Fortran standard, do loops can only have an integer indexing
variable. Real indexing in do loops is one of the very few features that
have been deleted from the language, because it can create lots of problems
in floating-point computations due to the finite precision of computer hardware.</p>
<p>The old code might work with modern compilers but it may require special
legacy compiler options. The printing-only code as above may still work but
would issue a compiler warning.</p>
<p><strong>6.</strong> Initialising such equally spaced real type arrays in Fortran implied
loops must use the formulas defined in 1. and 2.</p>
<div class="highlight"><pre><span></span>! Produce exactly N_VALS values starting from INIT with increments INCR
Array = [( INIT + INCR * (i-1), i=1,N_VALS )]
</pre></div>
<p>Where the number of array elements <code>N_VALS</code> is calculated as:</p>
<div class="highlight"><pre><span></span>N_VALS = floor( (END - INIT) / INCR + 1 )    ! lower bound: never overshoots END
N_VALS = ceiling( (END - INIT) / INCR + 1 )  ! upper bound: may add one value beyond END
</pre></div>
<p>The <code>floor</code> and <code>ceiling</code> functions convert a real value to an integer by
rounding to the nearest lower or upper integer; they give different values when the division
cannot be done without a remainder.</p>
<div class="highlight"><pre><span></span>! All values starting from INIT with increments INCR and up to the limit END
Array = [( INIT + INCR * (i-1), i=1,floor((END-INIT)/INCR+1) )]
</pre></div>
<p><strong>7.</strong> This code does not seem to be a very simple and elegant solution.
Ideally, the code should be packaged into a function returning the desired
grid array. But such a function cannot be used in declarations of array
parameters. In the latter case the one-liner code should be used as above.</p>
<h2>Integer arrays</h2>
<p>By the way, it is quite easy to produce an <strong>integer array,</strong> e.g. here is an
initialisation for an array from <code>1</code> to <code>100</code> (<code>[1, 2, 3, ..., 100]</code>). This can be
useful for indexing arrays.</p>
<div class="highlight"><pre><span></span>integer, parameter, dimension(*) :: IDX_ARRAY = (/(i,i=1,100)/)
</pre></div>
<h2>Examples:</h2>
<p><strong>A.</strong> Produce an array of 10 values starting from 1.0 with increments 0.1</p>
<div class="highlight"><pre><span></span>Array = [( 1.0 + (i-1) * 0.1, i=1,10 )]
</pre></div>
<p>Result:</p>
<div class="highlight"><pre><span></span>1.00000000 1.10000002 1.20000005 1.29999995 1.39999998
1.50000000 1.60000002 1.70000005 1.79999995 1.90000010
</pre></div>
<p>Declaration of a parameter array:</p>
<div class="highlight"><pre><span></span>real, parameter, dimension(*) :: Array = [( 1.0 + (i-1) * 0.1, i=1,10 )]
</pre></div>
<p>However, note that not all compilers may support assumed array size
<code>dimension(*)</code> in such array declaration statement, this requires newer Fortran
standard (fortunately, recent versions of Intel and GNU Fortran do support
assumed size arrays). In such a case declaration must explicitly set the
number of array elements:</p>
<div class="highlight"><pre><span></span>real, parameter, dimension(10) :: Array = [( 1.0 + (i-1) * 0.1, i=1,10 )]
</pre></div>
<p><strong>B.</strong> Produce an array starting from <code>1.0</code> to <code>2.0</code> with increments <code>0.145</code>;
note that the lower value (<code>floor</code>) for the array size is used:</p>
<div class="highlight"><pre><span></span>Array = [( 1.0 + 0.145 * (i-1), i=1, floor((2.0-1.0)/0.145 + 1) )]
</pre></div>
<p>Result:</p>
<div class="highlight"><pre><span></span>1.00000000 1.14499998 1.28999996 1.43499994 1.57999992
1.72499990 1.87000000
</pre></div>
<p><strong>C.</strong> The same as (B) but the upper value (<code>ceiling</code>) for the array size is used:</p>
<div class="highlight"><pre><span></span>Array = [( 1.0 + 0.145 * (i-1), i=1, ceiling((2.0-1.0)/0.145 + 1) )]
</pre></div>
<p>Result:</p>
<div class="highlight"><pre><span></span>1.00000000 1.14499998 1.28999996 1.43499994 1.57999992
1.72499990 1.87000000 2.01499987
</pre></div>
<p><strong>D.</strong> In the case B., declarations of parameter arrays can be done like this:</p>
<div class="highlight"><pre><span></span>real, parameter, dimension(*) :: Array = &
[( 1.0 + 0.145 * (i-1), i=1, floor((2.0-1.0)/0.145 + 1) )]
</pre></div>
<p>or, if the compiler does not support assumed-size arrays <code>(*)</code>, with an explicitly
calculated array size:</p>
<div class="highlight"><pre><span></span>real, parameter, dimension(floor((2.0-1.0)/0.145 + 1)) :: Array = &
[( 1.0 + 0.145 * (i-1), i=1, floor((2.0-1.0)/0.145 + 1) )]
</pre></div>
<h2>Test program</h2>
<div class="highlight"><pre><span></span>! This program illustrates how to produce equally spaced real vectors with
! fixed increment in Fortran.
!
! 1. Produce exactly N_VALS values starting from INIT with increments INCR
! Array = [( INIT + INCR * (i-1), i=1,N_VALS )]
!
! 2. All values starting from INIT with increments INCR and up to the limit END
! Array = [( INIT + INCR * (i-1), i=1,floor((END-INIT)/INCR+1) )]
!-------------------------------------------------------------------------------
program spaced_array
! Integer counter for implied loops defining vectors.
integer :: i
! Example A. Produce an array of 10 values
! starting from 1.0 with increments 0.1
real, parameter, dimension(*) :: Array1 = [( 1.0 + (i-1) * 0.1, i=1,10 )]
! Example B. Produce an array of values starting from 1.0 up to 2.0
! with increment 0.145.
! Note that lower value (floor) for the array size is used.
real, parameter, dimension(*) :: Array2 = &
[( 1.0 + 0.145 * (i-1), i=1, floor((2.0-1.0)/0.145 + 1) )]
! Example C. The same as (B) but the upper value (ceiling) for the
! array size is used.
real, parameter, dimension(*) :: Array3 = &
[( 1.0 + 0.145 * (i-1), i=1, ceiling((2.0-1.0)/0.145 + 1) )]
! Print the sizes of the arrays that were declared above.
print *, "Array sizes (Array1, Array2, Array3)", &
size(Array1), size(Array2), size(Array3)
! Print the parameter arrays that were declared above.
print *, "Array1", Array1
print *, "Array2", Array2
print *, "Array3", Array3
end program spaced_array
</pre></div>
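<p>As an added example (not part of the original post), the following program shows a pitfall of computing the element count with <code>floor</code> in floating point: for the constructed input 0.0 up to 0.7 in steps of 0.1, the double-precision count comes out as 7.999999999999999, so <code>floor</code> drops the last value. The tolerance-based <code>safe_count</code> is my own helper, not part of the post or of any library.</p>

```fortran
! Added example (not from the original post). The element count
! floor((END-INIT)/INCR + 1) is itself a rounded real: when it lands just
! below an integer, floor() silently drops the last element. Printed values
! assume IEEE round-to-nearest arithmetic (gfortran or ifort on x86-64).
program spaced_array_count
  implicit none
  integer, parameter :: dp = kind(1.0d0)
  ! Constructed input: 0.0, 0.1, ..., 0.7 should give exactly 8 values.
  real,     parameter :: init_s = 0.0,    last_s = 0.7,    incr_s = 0.1
  real(dp), parameter :: init_d = 0.0_dp, last_d = 0.7_dp, incr_d = 0.1_dp
  real     :: count_s
  real(dp) :: count_d
  integer  :: i

  ! Single precision: (0.7-0.0)/0.1 + 1 happens to round to exactly 8.0.
  count_s = (last_s - init_s) / incr_s + 1.0
  print '(a,f20.16,a,i0)', "single: ", count_s, "  floor -> ", floor(count_s)

  ! Double precision: 0.7d0/0.1d0 = 6.999999999999999, so the count is
  ! 7.999999999999999; floor() gives 7 and the end value 0.7 is lost.
  count_d = (last_d - init_d) / incr_d + 1.0_dp
  print '(a,f20.16,a,i0)', "double: ", count_d, "  floor -> ", floor(count_d)
  print '(a,i0)', "        ceiling -> ", ceiling(count_d)

  ! Fix: give floor() a tolerance of a few hundred ulps. That absorbs the
  ! rounding error above but is far below any real increment, so for the
  ! post's case B, (2.0-1.0)/0.145 + 1 = 7.896..., it still returns 7.
  print '(a,i0)', "        safe    -> ", safe_count(init_d, last_d, incr_d)
  print '(8f6.2)', [( init_d + incr_d * (i-1), &
                      i = 1, safe_count(init_d, last_d, incr_d) )]

contains

  ! Number of values INIT, INIT+INCR, ... not exceeding LAST (with tolerance).
  pure integer function safe_count(init, last, incr)
    real(dp), intent(in) :: init, last, incr
    real(dp) :: n
    n = (last - init) / incr + 1.0_dp
    safe_count = floor(n + 256.0_dp * epsilon(n) * n)
  end function safe_count

end program spaced_array_count
```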
<h2>PDF Card</h2>
<p>A PDF version of this document is available here: <a href="https://budaev.info/images/spaced-array.pdf">https://budaev.info/images/spaced-array.pdf</a>.</p>
How to produce a reverse of a vector in Fortran? 2019-11-20T10:19:00+01:00 2019-11-20T10:19:00+01:00 Sergey Budaev tag:budaev.info,2019-11-20:/how-to-produce-a-reverse-of-a-vector-in-fortran.html
<p>How to produce a reverse of a vector in Fortran?</p>
<p>Suppose we have a vector A, e.g.</p>
<div class="highlight"><pre><span></span>A = [1,2,3,4,5]
</pre></div>
<p>How do we produce a vector with the elements in reverse index order, e.g.</p>
<div class="highlight"><pre><span></span>B = [5,4,3,2,1]
</pre></div>
<p>The answer is this:</p>
<div class="highlight"><pre><span></span><span class="nv">B</span> <span class="o">=</span> <span class="nv">A</span><span class="p">(</span> <span class="nf">size</span><span class="p">(</span><span class="nv">A</span><span class="p">)</span><span class="s s-Atom">:</span><span class="mi">1</span><span class="p">:-</span><span class="mi">1</span> <span class="p">)</span>
</pre></div>
<p>To reverse A in place, do:</p>
<div class="highlight"><pre><span></span><span class="nv">A</span> <span class="o">=</span> <span class="nv">A</span><span class="p">(</span> <span class="nf">size</span><span class="p">(</span><span class="nv">A</span><span class="p">)</span><span class="s s-Atom">:</span><span class="mi">1</span><span class="p">:-</span><span class="mi">1</span> <span class="p">)</span>
</pre></div>
Gaussian random numbers in Fortran 2018-06-13T13:22:00+02:00 2018-06-13T13:22:00+02:00 Sergey Budaev tag:budaev.info,2018-06-13:/gaussian-random-numbers-in-fortran.html
<p>Gaussian random numbers in Fortran</p>
<p>The <a href="https://ahamodel.uib.no/doc/#_introduction_to_the_aha_fortran_modules">HEDTOOLS</a>
tools library has a module for working with random numbers
<a href="https://ahamodel.uib.no/doc/#_module_base_random">BASE_RANDOM</a>. There is, in
particular, a set of procedures for generating
Gaussian random values: <a href="https://ahamodel.uib.no/doc/#_functions_rnorm_r4_rnorm_r8_rnorm">RNORM</a>
and <a href="https://ahamodel.uib.no/doc/#_arrays_of_random_numbers_rand_array_and_rnorm_array">RNORM_ARRAY</a>.
These are based on the Kinderman &amp; Monahan method augmented with quadratic
bounding curves (Leva, 1992: algorithm 712, Trans. Math. Software,
18, 4, 434-435).</p>
<p>I have made a quick comparison of the quality of the Gaussian random numbers
generated by the simple Box-Muller method (Box & Muller, 1958)</p>
<p>Classical (ancient) Fortran code:</p>
<div class="highlight"><pre><span></span>normrand_number = dsqrt(-2.*dlog(drand(0)))*dcos(2.*pi*drand(0))
</pre></div>
<p>that has been used in TEG codes so far...</p>
<p>and the algorithm 712 as implemented in <code>HEDTOOLS</code>, using the test program
listed below.</p>
<p>Fortran code for the test program:</p>
<div class="highlight"><pre><span></span>program test_bm
use csv_io
use base_random, rand_x => rand ! Alias rand() as rand_x() for ifort.
!use IFPORT, only : rand_x => rand ! This is the Intel Fortran tweak.
implicit none
integer, parameter :: prec = 8, arrsize=100000
character(len=255), parameter :: filename1="file_01.csv", filename2="file_02.csv"
real(kind=prec), dimension(arrsize) :: norand1, norand2
real :: timer_start, timer_end
! The loop counter and pi were not declared in the original listing and
! fell under implicit typing (leaving pi undefined); declare them explicitly.
integer :: i
real(kind=prec), parameter :: pi = 4.0_prec * atan(1.0_prec)
!-------------------------------------------------------------------------------
! Generating Box-Muller random numbers
call cpu_time(timer_start) ! START
do i=1, arrsize
norand1(i) = sqrt(-2.*log(rand_x(0)))*cos(2.*pi*rand_x(0))
end do
call cpu_time(timer_end) ! END
print *, "Box-Muller took: ", timer_end - timer_start
! Write random normal data to CSV
call CSV_MATRIX_WRITE(norand1, filename1)
!-------------------------------------------------------------------------------
!-------------------------------------------------------------------------------
! Generating based on algorithm 712
call cpu_time(timer_start) ! START
call RNORM_ARRAY(norand2)
call cpu_time(timer_end) ! END
print *, "Alg. 712 took: ", timer_end - timer_start
! Write random normal data to CSV
call CSV_MATRIX_WRITE(norand2, filename2)
!-------------------------------------------------------------------------------
end program test_bm
</pre></div>
<h2>Comparison of Box-Muller and A712</h2>
<p>Alg. 712 looks slightly faster than the simple Box-Muller transform.</p>
<p>Alg. 712 is also much better in quality: the Box-Muller output deviates
significantly from the normal distribution, while alg. 712 does not (using the
Anderson-Darling test from the nortest R package).</p>
<div class="highlight"><pre><span></span> # Gaussian random numbers by Box-Muller deviate from the Normal distribution:
> ad.test(data_bm$X1)
Anderson-Darling normality test
data: data_bm$X1
A = 581.7, p-value < 2.2e-16
# Gaussian random numbers by Kinderman & Monahan's A712 do not deviate from the Normal distribution:
> ad.test(data_a712$X1)
Anderson-Darling normality test
data: data_a712$X1
A = 0.46975, p-value = 0.2474
</pre></div>
<p>So, the alg. 712 procedure implemented in HEDTOOLS should be used instead
of the Box-Muller method.</p>
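<p>The following is an added example, not code from the post or from HEDTOOLS: a self-contained Box-Muller generator built on the intrinsic <code>random_number</code>, which guards against <code>log(0)</code> and keeps both outputs, together with sample-moment checks that give a quick indication of whether the output looks normal before running a formal test such as Anderson-Darling.</p>

```fortran
! Added example, not from the original post: a self-contained Box-Muller
! generator that handles the two usual pitfalls (log(0) when the uniform
! is exactly zero; throwing away the second output), plus cheap sanity
! checks on the sample moments. Uses the intrinsic random_number(), not HEDTOOLS.
program check_gaussian
  implicit none
  integer,  parameter :: dp = kind(1.0d0), n = 100000   ! n must be even
  real(dp), parameter :: pi = 4.0_dp * atan(1.0_dp)
  real(dp) :: x(n), mean, var, skew, kurt
  integer  :: i
  call random_seed()
  do i = 1, n - 1, 2                 ! each call fills two slots
    call box_muller(x(i), x(i + 1))
  end do
  call moments(x, mean, var, skew, kurt)
  ! For N(0,1) expect roughly 0, 1, 0, 0 and 0.6827 respectively.
  print '(a,f8.4)', "mean            ", mean
  print '(a,f8.4)', "variance        ", var
  print '(a,f8.4)', "skewness        ", skew
  print '(a,f8.4)', "excess kurtosis ", kurt
  print '(a,f8.4)', "within 1 sigma  ", real(count(abs(x) < 1.0_dp), dp) / n

contains
  ! Box-Muller: two independent uniforms give two independent N(0,1) values.
  subroutine box_muller(z1, z2)
    real(dp), intent(out) :: z1, z2
    real(dp) :: u1, u2, r
    do
      call random_number(u1)
      if (u1 > 0.0_dp) exit          ! random_number may return exactly 0
    end do
    call random_number(u2)
    r  = sqrt(-2.0_dp * log(u1))
    z1 = r * cos(2.0_dp * pi * u2)
    z2 = r * sin(2.0_dp * pi * u2)
  end subroutine box_muller

  ! Sample mean, variance, skewness and excess kurtosis.
  subroutine moments(v, mean, var, skew, kurt)
    real(dp), intent(in)  :: v(:)
    real(dp), intent(out) :: mean, var, skew, kurt
    real(dp) :: d(size(v))
    mean = sum(v) / size(v)
    d    = v - mean
    var  = sum(d**2) / size(v)
    skew = sum(d**3) / size(v) / var**1.5_dp
    kurt = sum(d**4) / size(v) / var**2 - 3.0_dp
  end subroutine moments
end program check_gaussian
```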
<h2>References</h2>
<ul>
<li>
<p>Box, G. E. P., & Muller, M. E. (1958). A note on the generation of
random normal deviates. The Annals of Mathematical Statistics, 29(2),
610–611. http://doi.org/10.1214/aoms/1177706645</p>
</li>
<li>
<p>Leva, J. L. (1992). Algorithm 712; a normal random number
generator. ACM Transactions on Mathematical Software, 18(4),
454–455. http://doi.org/10.1145/138351.138367</p>
</li>
</ul>
About me 2018-05-06T21:30:00+02:00 2018-05-06T21:30:00+02:00 Sergey Budaev tag:budaev.info,2018-05-06:/about-me.html
<p>About Sergey Budaev</p>
<p>I am a researcher at the Theoretical Ecology Group, the University of
Bergen, Norway. My current research focuses on animal and human behaviour
in the adaptive and evolutionary perspective. How have cognition, behaviour and
personality evolved through adaptation and natural selection? In my
work I try to integrate both proximate and ultimate causation and use both
experimental and <a href="https://ahamodel.uib.no">modelling</a> approaches.</p>
<h2>Cognition and behaviour</h2>
<p>The current work concerns developing a large scale simulation model
that implements a general decision-making architecture in evolutionary
agents. Each agent is programmed as a whole virtual organism including the
genome, rudimentary physiology, the hormonal system, a cognitive architecture
and behavioural repertoire. They "live" in a stochastic spatially explicit
virtual 3-D environment with physical gradients, predators and prey. The
primary aim of the whole modelling machinery is to understand the evolution
of decision making, personality, emotion and behavioural plasticity within
a realistic ecological framework.</p>
<p>I believe that understanding and modelling complex adaptive behaviour
requires both extraneous factors and stimuli as well as endogenous
architectural mechanisms (genetic, hormonal, cognitive etc.) that produce the
behaviour. Explicit proximate representation of the motivation and emotion
systems and prediction-oriented cognition provide a better approach to understanding
the behaviour, adaptation and evolution of the whole organism. Ultimately,
such an approach can help us understand the evolutionary emergence of
consciousness and complex cognition.</p>
<p>For more details, links to source codes etc. see
<a href="https://ahamodel.uib.no">The AHA Model web page</a>.</p>
<h2>Animal personality</h2>
<p>Although I am interested in any species, most of my work so far has been
conducted on fish. Using a series of tests we have shown that individual fish
of several species have consistent personality traits that translate to
a variety of different adaptive contexts. Individual fish with different
personalities, such as shy and bold, may behave quite differently in their
natural environment, e.g. prefer different social strategies (school or not
to school) and different local habitats. Shy and bold fish choose their
mates based on personality, personality also significantly affects their
parental care tactics. Personality in fish can be linked to the operant
learning performance. For example, shy fish may be more susceptible to the
development of the conditioned fear, providing a link between emotion and
personality in such "lower" vertebrates. It is also possible to trace the
development and the appearance of consistent personality traits during the
ontogeny. Certain environmental effects, like exposure to light, acting early
in the ontogeny could significantly affect fish personality via the involvement
of specific brain structures, such as the photosensitive habenula. Personality
in fish and other species could be linked with lateral asymmetries via the
involvement of the morphologically asymmetrical habenula. I am also interested
in the adaptive and evolutionary mechanisms that bring about patterns of
consistent personality and alternative strategies. We have shown that gender
differences in personality follow from sex-related adaptive strategies in
humans. In another study we have shown how a trade-off between parental
food provisioning and the fry's own individual experience of searching for
cryptic food creates a range of parental strategies in a cichlid fish. This
reflects my specific interest in the evolution of mate choice and parental
care in fish, and their potential role in sympatric speciation. Currently,
we are developing models linking emotion and decision making to understand
the proximate and ultimate factors governing the evolution of consistent
personality.</p>
<h2>Ecology and conservation</h2>
<p>I am also interested in complex biological interactions at various levels,
e.g. competitive interactions between multiple cladoceran species and their
predators, and relationships between various associates and the host within
a symbiotic community. The former is closely linked with conservation and
species invasion. We have developed a model that allows one to predict the
population dynamics and the invasion success among freshwater cladocerans
in various conditions. I took part in several conservation projects, ranging
from coral reef and freshwater conservation in Vietnam to fish monitoring and
protection in subarctic Siberian rivers and optimising sturgeon hatcheries. We
have developed a series of quick low-technology tests for rapid assessment of
the coral reef health. Additionally, we have developed hydroacoustic methods
for the assessment of the fish populations in very shallow water bodies,
such as large Siberian floodplains.</p>
<h2>Links</h2>
<ul>
<li>
<p><a href="https://scholar.google.com/citations?hl=en&user=RxvZR7UAAAAJ">Google Scholar</a></p>
</li>
<li>
<p><a href="https://orcid.org/0000-0001-5079-9795">ORCID 0000-0001-5079-9795</a></p>
</li>
<li>
<p><a href="https://www.uib.no/personer/Sergei.Budaev">Universitetet i Bergen</a></p>
</li>
<li>
<p><a href="https://bio.uib.no/te/sb/">Theoretical Biology Group</a></p>
</li>
<li>
<p><a href="https://ahamodel.uib.no/">The AHA Model</a></p>
</li>
</ul>
<hr>