Sergey Budaev

Bruk F-Droid i stedet av Google Play Store

Googles Android Play Store blir verre over tid. Det blir stadig mer strødd med ubrukelige apper som utelukkende tar sikte på å vise reklame. I navnet av "personvern" gjennomfører Google ytterligere hindringer for både utviklere og brukere, mens ekte skadelig programvare blomstrer på plattformen. Det ofte blir et mareritt for utviklere av åpne kilde programmer som er fokusert på personvern og sikkerhet. Den nylige de-listingen av Snikket—en sikker, personvernsentrert melding app—viser at personalet som er ansvarlig for applikasjonsvurdering på Googles side, er mentalt forsinket idioter. Sjekk ut hele historien her: https://snikket.org/blog/snikket-google-play-removal/.

Google, er det slik at ansatter med IQ<50 koster mindre? Eller alle mennesker på Google ble erstattet med en AI som mangler intelligens? Mange utviklere gir opp å slite med idioter på Googles applikasjonsvurdering og slutter å distribuere appene sine i Play Store (her kommer en annet eksempel).

Situasjonen kan være så absurd at åpne kilde Conversations appen som går ikke fri (NOK 47) på Google Play måtte forringe funksjonaliteten på denne distribusjonsplattformen. Den samme appen går gratis med fult funksjonalitet på F-Droid.

Men det er en løsning for alle Android-brukere: bare installer F-Droid, en appbutikk som publiserer åpne kilde programmer uten reklame, traking, datalekkasjer, skadevare og bakdører.

• F-Droid: https://f-droid.org/

Den eneste garantien mot skadelig programvare er åpen kildekode som alle som helst kan sjekke og revidere: mange øyne oppdager problemer tidligere og bedre. F-Droid gjennomfører "reproducible builds" som sikrer at binær apk bloben er bygget av samme kildekoden som utvikler har publisert, så det finnes ikke noe uautorisert tilleg eller endringer (apk fra Google Play inkluderer Googles blober for reklame og tracking). Det anbefales å søke apper først på F-Droid og gå til Google Play kun når den ikke er tilgjengelig. Da skal Google Play brukes bare for apper som er klarert på forhånd, f.eks. banken.

• Fight Android malware by quitting Google Play and using F-Droid for Android apps

• To Avoid Malware, Try the F-Droid App Store

A year with Mikrotik router

I use NextGenTel with fibre broadband connection as my home Internet provider. The connection line works fairly well with no interruptions. I have been using a Mikrotik router for nearly a year now and have experienced no single interruption. No hanging internet, no problems at all. I nearly forgot that it is here.

Why I love Mikrotik is the Router OS, a professional operating system with tons of configurability and fine tuning. You can tweak any aspect and configure a variety of services. For example VPNs with different protocols for connecting into the local home network is easy to configure using the Mikrotik documentation. Queues are a nice configuration feature to control and manage bandwidth given to devices in the local network. There is also quite advanced scripting that can be used to do many interesting things. I do not recommend Mikrotik to an average user, however, because Router OS has a professional interface with too many options and details: you need to understand what you are doing. Mikrotik is a Latvian company that makes a lot of professional carrier-grade equipment, all run the same OS.

The previous router provided by the NextGenTel was pure disaster. I in fact used two different units of the same marque: Inteno.

This shit router tended to hung up at least one or twice a week, leaving no connection. The NextGenTel support was useless, with the routine advice to reboot router. Rebooting helped indeed until the next hangup, maybe the next day. It is not a solution to fix bad hardware. It is so weird that they supply their users with this shit when the competition between providers is so intense. Many people would not figure out that it is the router that is so bad and will blame NextGenTel as a whole and switch to another provider. Shame, NextGenTel.

But if you subscribe for the home telephone line with NextGenTel, then you are out of luck because telephone is served by the Inteno router which also includes a SIP service via built in Asterisk server pre-configured by the provioder. The only solution is then to torture NextGenTel with service requests and replacing the router. (But, of course, a better alternative is to set up your own asterisk-based SIP VoIP server with trunks from any of the many available SIP providers; this will be much more flexible and cost-effective solution).

Shit happens: det kommer garantert til å skje hvis dumhet gjentas

Shit happens. Det er en triviell visdom. Ofte er det en direkte konsekvens av en enkelt stupid ting. I mange tilfeller kan lite gjøres for å forhindre det skal skje. Uansett, sannsynligheten antas veldig lav. Katastrofen er uforutsigbar. Det er en ulykke, helt tilfeldig. Ikke sant?

Det gjelder for en enkelt hendelse. Kanskje en enkelt hendelse av dumhet eller klønete... Men hvis toskeskap gjentas (f.eks. hvis det er en vane) er situasjonen en helt forskjellige. Sannsynligheten av shit som skal skje er nå

her er P(1|n) sannsynligheten for at shit skjer minst én gang i en gruppe av n hendelser; hver hendelse har sjansen p (veldig lav!) til å skje, og n er antall hendelser.

For eksempel, hvis sjansen for en singel ulykke er så lavt som 0.01 og antallet dumme handlinger er 365 (bare en gang om dagen i løpet av et år), blir sjansen for at shit skjer i løpet av denne tiden

Det er nesten sikkert at shit skjer minst én gang i løpet av et år.

• Drikker du kaffe/brus/smoothie/vin på den bærbare datamaskinen til vanlig? Forberede for å erstatte tastaturet. Det vil skje.

• Vant til å sende sms mens du kjører? Har du en god forsikring?

• Løper ofte over veien foran lastebil/buss/bil? Det er på tide å bestille krykker (eller enda kiste) på forhånd.

Telefonen til et barn

Både voksne og barn blir stadig mer avhengige av smarttelefonene sine. Et morsomt begrep for slike rusavhengige er smarttelefonzombie. Men dette er ikke morsomt. Faktisk, smarttelefoner dreper. For eksempel har det vært en økning i antall dødsfall hos barn fordi barna sitter klistret til telefonene sine

• Smartphone zombies: Child road deaths spike because kids are glued to their phones

Stadig flere barn nå eier smarttelefoner. Nesten alle ungdommer eier en smarttelefon i Norge, Storbritannia, USA og mange andre land. Smarttelefonavhengighet er en verdensomspennende plage (Olson et al., 2022).

Imidlertid, forskning viser at smarttelefonavhengighet fører til en rekke alvorlige psykologiske, helse- og velværeproblemer, inkludert nevrologiske lidelser (e.g. Ratan et al., 2022; Achangwa et al., 2023). Mange undersøkelser viser at bruk av smarttelefoner påvirker studentenes akademiske prestasjoner negativt (e.g. Amez & Boert, 2020; Sapci etal. 2021).

Smarttelefonen din er en dedikert spionenhet, men enda mer bekymringsfull er det faktum at apper målrettet mot barn sporer, samler inn personlige data og laster dem opp til ukjente tredjeparter (e.g. Reyes et al., 2018). Men det handler ikke bare om data og reklame. Smarttelefoner kan direkte påvirke fysisk sikkerhet av barn. En russisk studie indikerte at nesten 50% av barna får nye bekjentskaper i sosiale medier og 36% av dem møter disse nye menneskene i virkeligheten etterpå (Kaspersky Lab, 2022).

Vi må løse en avveining mellom behovet for å kommunisere med barna våre, men unngå avhengighet. Så hva er løsningen? Jeg tror det er en kombinasjon av gammel stil (men ikke foreldet!) knapptelefon og et stort nettbrett.

Knappetelefoner er klassiske, men ikke udaterte!

Fordeler med knappetelefon, i tillegg til at det neppe forårsaker avhengighet, inkludere

• BATTERI fungerer lange eller veldig lange, ingen grunn til å tenke på lading, det er liten risiko for å sitte igjen med en død, utladet telefon i det mest uleilige øyeblikket. Batteriet dør ikke i kulden. Batteriet er avtakbart og kan enkelt skiftes ut. Det er ingen risiko for at barnet vil lade ut batteriet på grunn av intens spilling på telefonen. Det vil ikke skje i verste øyeblikk, for eksempel når han eller hun trenger hjelp fra foreldrene

• SIKKERHET: det er ingen konstant tilkobling til Internett, viktige data, passord, personlige dokumenter, kredittkortdata lagres ikke på telefonen: det er ingen risiko for lekkasje eller hacking, selv om telefonen er mistet eller stjålet. Plasseringen kan ikke spores og lekkes. Mange hackere og sikkerhetseksperter bær ikke smarttelefoner. Men knappetelefonen tjener sin hovedfunksjon, kommunikasjon, helt perfekt.

• PRIS telefonen er billig, ikke bry deg om det, den er lett å erstatte hvis den er ødelagt, mistet eller druknet. Men dette er spesielt viktig siden du alltid har telefonen med deg. Barn er ofte uforsiktige og kan bryte ned ting.

• FYSISK STYRKE: En liten skjerm, sterk telefon, går ikke i stykker med det minste fall, mindre utsatt for vann. Jeg har erfaring med at en telefon ble vasket i vaskemaskin og fortsatte å virke etterpå.

• FYSISK KNAPPER er fortsatt et av de beste brukergrensesnittene, praktisk å bruke. Du kan konfigurere ett-tasts hurtigvalg. Knapper er også lettere å bruke med hansker i kaldt vær.

• STØRRELSE en liten telefon passer lett i lommen. Det er bare praktisk.

• IKKE FORELDET en trykkknapptelefon kan betraktes som en "fysisk app" som ikke blir foreldet og rett og slett alltid fungerer uten å kreve konstante "oppdateringer."

Knappetelefon blir ofte sett på som noe enkelt og kjedelig, selv om det ikke er helt utdatert. Men det finnes noen få moderne, elegante, designertelefoner, for eksempel Punkt (overpriset!).

Nettbrett gir mye bedre brukeropplevelse

Men vi kan ikke frata barna våre internett, spillkommunikasjon med venner og alt annet som en smarttelefon gir! Riktig nok, men det finnes et bedre enhet enn smarttelefon: nettbrett

• STOR SKJERM: nettbrettet har en stor skjerm som gir mye bedre brukeropplevelse for alle bruksområder: Internett, video, spill, tegning, skriving og til og med lydsamtaler. En stor skjerm kan bare ikke sammenlignes med den lille skjermstubb på typisk smarttelefon. Det er mye bedre for alle slags kreative aktiviteter.

• LAVERE ER BEDRE: Det er ikke så lett å ta en tablett med deg hele tiden. Med andre ord er tilgjengeligheten lavere og det er noen små kostnader forbundet med bruken. Faktisk må du gå til laderen eller et bord, ta nettbrettet og først deretter bruke det. Det er ganske stor forskjell fra smarttelefonen som ofte alltid ligger i lommen. Dette gjør det mindre sannsynlig at du blir avhengig av et nettbrett.

• STOR OG MERKBAR: Bruk av nettbrett er lettere å legge merke til. Dette gjør det også lettere for foreldrene å overvåke og kontrollere barnas nettbrettbruk.

Konklusjon

Konklusjonen er denne: i stedet for en smarttelefon, er det tilrådelig å gi en grunnleggende knappetelefon til barnet ditt å bære med seg. Men de bør også eie et nettbrett hjemme for å bruke til internett, videoer, spill, studier og alt smarttelefonen som normalt brukes til.

Anbefalt lesing

• Gabrielsen, Bjørn (2020) Skjermslaver: hva skjermene har gjort med oss, og hva vi kan gjøre med dem. Kagge (ISBN: 9788248925231).

XMPP server on 1-2-3

Messaging continues to be of rise. The new generation is more willing to send texts than to call. Communicating with an instant messenger has an unique advantage over the old good email: you can easily send replies over replies quickly, resulting in a dialogue. But there is a serious problem: many of the instant messengers are commercial products that work such that their "users" are in fact the exploitable resource having no control or choice.

Most corporations are fair providers of various products and services we can buy. But not these "Big Tech" that offer "free applications," including instant messengers. There is, obviously, nothing free on the Earth. Then, if you do not pay, then you are the product not the customer. The Big Tech corporations exploit the "end-users" to suck out private data, often for further resale. Nearly all of these messengers have centralised architecture and the user's account is linked to the telephone number, completely destroying privacy. The link to the telephone number is also very inconvenient because you cannot get several accounts easily, this requires obtaining several mobile subscriptions. It's just illogical, expensive and silly. Centralized architecture dictates that the communication is kept on the corporate servers so theoretically many employees can read messages by abuse.

Some of the products are advertised as end-to-end encrypted. But nearly all of them are closed source so there is no way to check how this is implemented and if and when the service owner can have access to private messages content. Moreover, we have evidence for the opposite. Many so called "end-to-end encrypted" messages are actually read by AI and human contractors. Even if communication is technically end-to-end encrypted, the company owns and fully controls the server, the client application and network traffic, so a man-in-the-middle attack by silently changing certificates is possible (e.g. in the context of lawful intercept, or unlawful abuse). Metadata (technical information information about all aspects of communication, including the addressees, their locations, IP addresses, telephone number etc.) is always accessible to the service. But metadata is often even more informative than the message content. How such metadata is used is typically unclear. The user has no authority here at all.

Nearly all of these messengering systems have closed proprietary protocol. This means that how you use the product is completely controlled by the owner company. The only way to use the product is with the official application. You cannot just choose for yourself which application program to use. This is cardinally different from the email, for example, where you can use the provider's web interface, its mobile app or any of the many available email applications such as Thunderbird or K-9 Mail. With such a third-party application you can easily consolidate several email accounts in one place and easily make use of the functionality the provider does not offer, such as end-to-end encryption. Another major problem is monopoly and lack of interoperability. The "users" (in reality, the exploited resource) are completely restricted to the owner's platform and are unable to communicate with the other (especially competing) platforms (e.g. Facebook to Snapchat) as a way to keep users within the silo. This is as if you were unable to call/send sms across different mobile operators. And this is silly. To break down monopoly, ensure fairer competition and interoperability across the services, the EU has developed the Digital Markets Act (DMA) regulation. This is a big step, but it does not solve many of the problems with centralization, privacy and regular security flaws.

Take back your freedom, privacy and security

So, why use the restricted, inconvenient, monopolistic, insecure and non-private platforms for the trivial task of sending instant messages? There are several ways to configure one's own privately controlled instant messaging system: XMPP and Matrix. XMPP is lightweight and more private, yet covers all the typical instant communication purposes: text, file share and voice. Moreover, XMPP servers are by default federated: it is easy to send messages across the different servers like in the email. There are many different applications for all operating systems and platforms the user can choose.

It is very easy to set up one's own XMPP server for a small group, company, the family or just an individual. You will need two things:

• Server that will be the central hub for the communication network running 24x7. This can be anything, from a Rasberry PI in a cupboard to a Virtual Private Server (VPS) somewhere in a data centre or just an old PC running in your basement. A small scale VPS useful for an XMPP server can be very cheap, up to a three Euro per month. There exist even cheaper options, such as EUR 6 per year. There are also dedicated search engines to help locate cheap VPS, e.g. LowendBox and ServerHunter. A typical operating system running on the server is Linux (very secure, highly configurable, free and open source).

• Domain name that needs to be used to connect to the XMPP server. Domain can be registered to the user (e.g. myname.no), which costs about 30 Euro yearly. But a sub-domain can be obtained for free using the https://freedns.afraid.org or similar "free DNS" services. In the later case you might have something like myownchat.mooo.com or myownchat.ptchat.net. It is possible to run the XMPP server purely on IP address even without domain name, but it is much less convenient (e.g. then federation with other servers is lost).

Given you have got a server (VPS or dedicated machine) and the domain, configuring an XMPP server can be done on 1-2-3. There exist several Linux variants (distributives) with different management commands (usually for installing software). I assume Debian Linux is used below (the same commands also work for Ubuntu and other Debian-based Linux systems).

1. Install XMPP server software

Login. When you have got a server of any kind, you need tologin to it, typically with ssh:

ssh debian@1.2.3.4

here the user name on the server is debian and the server ip is 1.2.3.4. Typically, you may need to create the ssh key and upload it to the server to authenticate (refer the server documentation, e.g. this). I assume logging-in is not a problem.

Prepare server. First of all, update the software on the new server

sudo apt update -y && sudo apt-get upgrade -y

Install some useful monitoring and security-enhancing utilities

sudo apt install -y mc htop atop nload nmon tree zip pwgen fail2ban dnsutils iptables-persistent locate unattended-upgrades

Install certbot, a system that manages the TLS certificates for secure connection

sudo apt -y install certbot

Install the ejabberd server, which is is very reliable and light on resources

sudo apt install ejabberd

Firewall. To allow incoming network access to this server by the XMPP clients and also third-party servers, the server needs to configure the firewall rules. This can be done differently in different installations. For example, some VPS may do this using a friendly web interface. The standard Linux firewall is done via iptables.

The XMPP system requires incoming acces via ports 5222, 5223, 5269, 5443, 5280, 3478. To determine the ports refer to the listen section of the XMPP configuration file below.

 sudo iptables -A INPUT -p tcp --dport 5222 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
 sudo iptables -A INPUT -p tcp --dport 5223 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
 sudo iptables -A INPUT -p tcp --dport 5269 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
 sudo iptables -A INPUT -p tcp --dport 5443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
 sudo iptables -A INPUT -p tcp --dport 5280 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

 # STUN is over udp
 sudo iptables -A INPUT -p udp --dport 3478 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

The port 7777 is used for a proxy for peer-to-peer (bytestream) file transfer. If peer-to-peer file sharing is intended for use, an additional rule should be set allowing incoming connections:

sudo iptables -A INPUT -p tcp --dport 7777 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

To see what firewall rules are in effect issue this:

 iptables -L --line-numbers

It makes sense to save the iptables rules so they are automatically get in effect after reboot

 iptables-save > /etc/iptables/rules.v4

2. Configure your XMPP server

Secure connection certificate. Get a free Let's Encrypt TLS certificate. I assume you have got a free domain myownchat.ptchat.net from https://freedns.afraid.org.

Note that ejabberd can manage (issue and update) TLS certificates on its own, but this needs some configuration as described in the acme configuration option: https://docs.ejabberd.im/admin/configuration/basic/#acme. An advantage of the standalone certificate management system (as here) is that it is slightly less tricky and can easily be used with a web server on the same machine. Why not also configure a web server for a small static web site here? Ejabberd is very lightweight and will happily coexist with many other servers running on the same machine.

 sudo certbot --standalone certonly -d myownchat.ptchat.net

This command will ask a few questions and issue a TLS certificate. This process is done over http so http port 80 must allow incoming connections. If this is not so, use the following command:

 sudo iptables -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

Do not forget to save iptables rules with the iptables-save as above.

The certificate files are located in /etc/letsencrypt/live/myownchat.ptchat.net/fullchain.pem directory.

For the sake of security, the certificate directories have by default no access to anyone except the admin (root) user. But this precludes the XMPP server ejabberd to access the certificate. This can be easily fixed with the following commands

First, add ejabberd to the root group

sudo adduser ejabberd root

Second, allow access to the certificate directories to the group

sudo chmod g+rx /etc/letsencrypt/live/myownchat.ptchat.net
sudo chmod g+rx /etc/letsencrypt/live
sudo chmod g+rx /etc/letsencrypt/

Configure ejabberd. Once the preparations are done, it is time to configure the ejabberd messaging server. Edit the configuration file (assuming the mcedit text editor is used)

sudo mcedit /etc/ejabberd/ejabberd.yml

This is a long configuration file that may look scary. But in fact only a few changes are required to make the server running with the default options. But note that the indents are important, try to keep them as in the original file.

Any line starting with # is considered a comment, this can be easily used to disable specific options by "commenting them out."

First, set up the host name that is used for the server, it is the same as the domain:

 hosts:
  - myownchat.ptchat.net

Second, configure the location of the TLS certificates that are used by the server:

 certfiles:
  - "/etc/letsencrypt/live/myownchat.ptchat.net/fullchain.pem"
  - "/etc/letsencrypt/live/myownchat.ptchat.net/privkey.pem"

Configure the admin users who can manage the XMPP server:

 acl:
   admin:
      user:
       - ""
       - "myname": "myownchat.ptchat.net"

Then, add configuration for http-file-upload module that will allow file sharing (sending files):

 mod_http_upload:
    put_url: https://@HOST@:5443/upload
    custom_headers:
      "Access-Control-Allow-Origin": "https://@HOST@"
      "Access-Control-Allow-Methods": "GET,HEAD,PUT,OPTIONS"
      "Access-Control-Allow-Headers": "Content-Type"

It is convenient to keep the latest messages on the server, it is done with the "mam" module:

 mod_mam:
   assume_mam_usage: true
   default: always

Ejabberd supports several other communication protocols in addition to XMPP. For example, it also works with MQTT that is typically used for IoT devices. If this functionality is not used, just comment out the MQTT module to disable it.

 # mod_mqtt: {}

The STUN and TURN protocol is mainly used for voice calls and needs the actual IP address of the server (replace with your server IP addfress)

 -
   port: 3478
   ip: "::"
   transport: udp
   module: ejabberd_stun
   use_turn: true
   ## The server's public IPv4 address:
   turn_ipv4_address: "1.2.3.4"

An important issue is wether to allow anonymous registrations of new users. I strongly recommend not allowing this for security reasons. For a small private server, you will normally add users manually and set them initial passwords. Every user can then change password within the client program. So, you need to disable the mod_register by commenting it out:

 # mod_register:
 #   ## Only accept registration requests from the "trusted"
 #   ## network (see access_rules section above).
 #   ## Think twice before enabling registration from any
 #   ## address. See the Jabber SPAM Manifesto for details:
 #   ## https://github.com/ge0rg/jabber-spam-fighting-manifesto
 #   ip_access: trusted_network

Start server! And that's all minimal configuration. Now it's time to start the server:

sudo systemctl start ejabberd

If there are any errors and the server fails to start, Linux logs can be inspected with this command:

sudo journalctl -xe

or logs for only ejabberd:

sudo journalctl -xe --unit ejabberd

Additional stuff. The above is enough to make the XMPP server running for text. If voice is required, you need to configure the DNS as described here: https://www.process-one.net/blog/how-to-set-up-ejabberd-video-voice-calling/. DNS is normally configured using the control panel of the domain registrar.

The TLS certificate that is managed by certbot is updated each 90 days. This is an automatic process, but the ejabberd server must know when certificate is changed. This can be done using the deploy hook. Just create the hook file reloadxmpp.sh (the file name can be anything):

 sudo mcedit /etc/letsencrypt/renewal-hooks/deploy/reloadxmpp.sh

and add the following commands:

 #!/bin/sh
 ejabberdctl reload_config

This file must be executable, so issue this command:

 sudo chmod ugo+x /etc/letsencrypt/renewal-hooks/deploy/reloadxmpp.sh

The last note on the server is that it should be regularly updated for bug fixes and security updates. This is done automatically by installing unattended-upgrades above. Yet, it is a good practice to log in regularly over the ssh, check logs and update the system:

sudo apt update -y && sudo apt-get upgrade -y

3. Configure the XMPP users and client application

Register new users. First, you need to register the XMPP users. The quickest method is to use the command line on the server, the command ejabberdctl has advanced functions.

A secure random password can be generated withy pwgen, e.g. the following generates passwords with 18 symbols:

pwgen 18

It normally generates an array of possible passwords to choose from.

Now, to register the user myname, It is the admin user configured in the main configuration file /etc/ejabberd/ejabberd.yml above.

#                         user   domain               password
sudo ejabberdctl register myname myownchat.ptchat.net pee8chogh9Heel6hei

Other users can be configured similarly. Note that the full user name for XMPP has the same format se email: myname@myownchat.ptchat.net. This is due to the federated nature of both systems: you need to know both the user and the server with whom to communicate.

For this example let's register two additional users:

sudo ejabberdctl register john.dow myownchat.ptchat.net ohyeeLeefo9yief4gu
sudo ejabberdctl register anna.karenina myownchat.ptchat.net hejo7phiy2iFeW9She

Use! The final step is configure the client program on the user's device. The biggest difficulty at this step is the plenty of choice. For any major platform, one can choose any of the many available XMPP client programs. Some email programs, e.g. Thunderbird also support XMPP (although only a limited subset of features). Check out the https://xmpp.org. The configuration for the client is simple:

• Server: your server, in the example above it is myownchat.ptchat.net

• User name: your user name. In the example we used above, it can be myname

Note that the option to create new account must NOT be enabled as long as the account has already been created on the sever and the in-band registration (mod_register, see above) is disabled for security.

Some programs accept the full user name without specifying user and domain separately. Then the user is just myname@myownchat.ptchat.net. If you plan to use the peer-to-peer (bytestream) file transfer (but this is not mandatory), you should also find where the file transfer proxy is configured and set it with the proxy subdomain, for our example it should be proxy.myownchat.ptchat.net. And that is all for basic client configuration.

I recommend the Blabber XMPP application for devices running Android. Yaxim is the best option for minimalists, it is notoriously miniature (only a few megabytes) and works great even on the oldest and weakest devices. Miranda NG is a powerful XMPP client program for Windows. There are also a few web-based clients: https://conversejs.org/ and https://web.xabber.com/ that you can try right away without installing anything.

The final step is to fill the contact list (called roster) with the addresses of the people (or maybe devices, because XMPP can be easily configured for bots accepting commands). Just remember that the address is full name as in email: user@server.domain. One useful option is so called Shared roster groups: then you can configure a group of contacts without the need to add them manually.

Happy chatting!

Further

There are many advanced options and possibilities in ejabberd. Just check the documentation at the official web site: https://www.ejabberd.im/ and documentation https://docs.ejabberd.im/.

There are also a few useful tutorials, e.g. https://www.process-one.net/blog/how-to-move-the-office-to-real-time-im-on-ejabberd/

XMPP: en ideell direktemeldingssystem for et familie

Forskjellige meldingssystemer ble populær de siste tiårene. Den meste kjente eksempler er Whatsapp, Facebook Messenger, Snapchat eller Discord. Mange bruker dem uten å tenke bare fordi de ser praktiske ut og er gratis. Kostnadene er imidlertid alvorlig: den er personvernkatastrofe. Brukere har ingen egenkontroll, så eieren kan endre alle funksjoner uten at brukerne vilje. Disse tjenstene (platformene) er laget og fullstendig kontrollert av store monopoler fokuserte på å suge alle slags av brukerdata. Personvernkostnaden til store kommersielle direktmeldingssystemer av er mye høyere enn brukervennligheten. De er bevisst laget for å være gjensidig uforenlige. En bruker av Whatsapp kan ikke sende en melding til noen på Telegram eller Facebook. Bare se for deg at du hadde Telenor men kunne ikke sende sms til noen på Telia, kun til sin eget system Telenor. Eller se hvis du kunne ikke sende en epost fra Gmail til Yahoo. Det er helt dumt.

Nå, blant de populære systemene er det bare epost det eneste systemet på internett som har ikke vært monopolisert. Og det er fortsett fordi epost ikke er en plattform (eller 'ecosystem'), men åpen og federert protokoll etter eget design. Alle kan konfigurere og kjøre egen mailserver og meldinger skal sendes mellom evt. Alle kan velge mellom mange epost apper. Alle kan legge til ytterligere funksjonalitet, slik at ende-til-ende kryptering, men interoperabilitet opprettholdes.

Protokoll betyr et sett med regler og konvensjoner for interoperabilitet, ikke et enkelt komplett produkt.

Men, det finnes en direktemeldingssystem som er like enkel å bruke som Whatsapp, men mangler de fleste av problemene. Faktisk, er det XMPP. Det er en åpen og federert protokoller som epost. Alle kan ha egen server, så kan ha kontakt med noen på alle serverer som helst, akkurat som epost eller mobil. I tillegg, kan alle også velge mellom ulike app etter vilje: foretrekker du funksjonalitet, eller skjønnhet eller bare det å være veldig lett... Det finnes også flere XMPP serverer programvare å velge mellom, de fleste er gratis og åpen kildekode. Med XMPP kan du få alt: direktemeldinger, filer, tale, video, gruppechat, flere enheter. Det er også flere typer av ende-til-ende kryptering (OMEMO, GPG, OTR) og mye mer. Det finnes enda en XMPP-basert sosialnettverk: Movim.

XMPP er ikke alene. Det finnes også en alternativ åpen og federert protokoll: Matrix. Men sammenlignet med XMPP, har den flere mangler: (a) problemer med personvern (selv om mange ikke bryr seg om det), (b) alvorlige ytelsesproblemer: mens XMPP fungerer fint selv på den minste og billigste VPS, Matrix server krever mange gigabyter med RAM og stor diskplass, på denne grunn er det dyrere i drift, også krever Matrix mye mer oppmerksomhet (f.eks. se her). Det kan være berettiget i bedrifts- eller stororganisasjonsbruk, men ikke i hjemmebruk.

Så XMPP er ideell for å lage et helt privat kommunikasjonssystem for et familie. Du trenger bare dette: (a) en server: billigste VPS eller enda en Rasberry Pi boks vil fungere fint (f.eks ejabberd skal støtte hundrevis brukere med dette nivå); (b) server programvare som kjøres alt: sjekke ut flere og velge selv, de mest populære er ejabberd og Prosody; (c) domenenavn slik at brukere kan konnektere til: domenenavn er også en del av brukernavn, som i epost, f. eks alexander@johansson.me (enkelt DNS oppsett trenges for å støtte tale og video); (d) hver bruker kan velge hvilken klientapp som skal brukes (f. eks Monal eller Siskin IM på iPhone). Og det er det.

Nå må serveren konfigureres. Så kontrollerer du systemet fullt ut! Du kan registrere så mange brukere at du trenger, men for en familieserver anbefaler jeg ikke å tillate åpen registrering av alle som helst. For eksempel du kan registrere flere kontoer for en enkelt bruker hvis nyttig (å bruke med forskjellige formål). Ingen mobilnummer kreves: f.eks. trenger du ikke fem SIM-korter for fem brukere, faktisk ingen er nødvendig. Det også anbefales å konfigurere ‘Shared roster group’ (delt brukerliste) for å unngå å legge til familiekontakter manuelt for alle familiemedlemmer. Ende-til-ende kryptering er ikke avgjørende for din egen private server fordi transportkryptering (TLS) brukes alltid; men det er lettere å konfigurere hvis du bruker flere enheter (mobil, nettbrett, desktop, laptop, web-basert). Men det er bedre og sikrere å bruke ende-til-ende kryptering til å kommunisere med noen på andre offentlige servere.

Og nå, når flere grupper har sine egne private servere, kan de kommunisere fritt og sikkert. For eksempel, det er nå lett for pappa@johansson.me å sende melding (eller video-ringe) til mattias@johansson.me (samme familier og på samme privat server) eller til en venn john@dowfamily.info eller enda alle som bruker hundrevis av åpne gratis offentlige serverer f. eks maria@jabber.no (på Jabber Norge), christian@jabber.de, oyvindharaldsson@tigase.org eller nikolaibode@riseup.net.

Se her for litt mer informasjon om XMPP.

Lenker

• XMPP server på 1-2-3

• Hvordan å konfigurere XMPP server ejabberd

• Useful configuration steps for ejabberd

• Hvordan å konfigurere XMPP Server Prosody eller Install Prosody

• Jabber Norge - en åpen XMPP server fra Norge.

• Jabjab.de en åpen XMPP server med transporter til andre meldingssystemer.

Intervju kristendom

Jeg hadde en intervju med studenter av St Paul gymnas. Her er noen svar.

Hvordan å praktisere religionen?

Å praktisere religionen betyr at du leve med Gud i hjertet ditt. Først, det er viktig å bare være god i livet og unngå noe som er dårlig. Unngå synd og dårlige ting som er enda uten av synd. Men det er ikke nok å bare ikke gjøre noe. Det er viktigste å gjøre god ting i livet for God hjelper oss når vi gjøre det som er godt. Jeg tror det er den Guds ligning:

her E er effekt som vi får, i er menneskers innsats og G er Gods nåde. Hvis innsats er null, helt effekt er null selv når Gud er enig å hjelpe den største (f.eks. G = 1,000,000). Tå eksempel av Jesus og følge Kristus i hverdagen aktivt. Tenke om dette: I velkjente miraklet tok Kristus få brød og fisk fra folk og multipliserte dem til flere tusen. Det var i stedet av å skape brød ut av ingenting. Den hovedbetingelsen for miraklet var en gratis gave og samarbeid fra få enkle mennesker. Vi vet ikke hvor mange mirakler som ikke skjedde fordi noen bestemte seg å gjøre ingenting. Den G-leddet i den formelen er det viktigst del. Så vi kan ikke gjøre mye uten av Kristus nåde. Det betyr at vi trenger sakramenter og be å få den G-ledder. Vi lever i verden og Gud er transcendent, Jesus er i himmelen, ikke her med oss nå. Det betyr vi ikke får direkte opplevelse av Gud og kan ikke se, spørre og kjenne hva er som Guds vill. Men vi har masse informasjon i skriften og den hellige tradisjon. Kirken får det i kirkelige dokumenter, Codex juris, og mange teologiske og filosofiske verk. Vi kan lære mye av dette hellige vitenskap ved hjelp av vår egen sunn fornuft.

Kort fortalt: å praktisere religionen inkluderer dette: (1) å få Guds nåde ved sakrament og be, (2) lære hva er som god og Guds vilje ved hellige vitenskap og rasjonalitet, (3) vare aktivt å følge det som er god i hverdagen.

Hvilke sakramenter påvirker ditt liv mest og hvordan?

Nattverd, Eukaristen, er den sakrament vi kan få og har oftest. Det er også det sakramentet som forbinder oss med Gud fysisk. Det er den eneste sakrament som tillater oss å se på Gud, streife på Gud og akseptere Gud fysisk. Men det er også den vanskeligste sakrament vi har.

Det kan være vanskelig å forstå hvordan et lite stykke brød kan være Kristi legeme. Men tenk om enkelt ting, f.eks. så enkle ting som en stol vi seter på. Det kan vare laget av tre, eller jern eller plastikk eller glass. Men hva vi se som materialet er helt uviktig. Hvordan vi behandler og bruker stolen er helt uavhengig av materialet, men bare faktum at det er an stol. Å forstå hva stolen er og av hvilken grunn det brukes og hva det brukes, må vi resonnere ved hjelp av kognisjonen og abstraksjonen vår. Det trenger litt høyere nivå av tenking enn bare se på det ytre utseende. Men vi hittil ikke forvirrer en tre stol med vedtre. Nå tenke om en dyr som ikke får slik abstraksjonsevnen. En fly eller maur som seter på en tre stol og etterpå har en opplevelse av en plastikk stol skal tenke at denne er helt forskjellige ting og har ingenting til felles. Men vi kan få det rart: vi finner det helt åpenbart at denne to objekter tilhører til samme kategori.

Samme skjer med hvordan kan vi se på Eukaristen. Gud er transcendent og ikke en del av denne verden. Så vi selv kunne ikke se på, eller på annen måte oppleve Gud. Vi selv kan ikke ha denne kapasiteten. Men Kristus kommer til oss i denne sakrament fysisk, bruker den vanligste ting som er en del av vår verden, så vi kan vi kan kommunisere og enda forene med transcendent. Men for dette, vi ikke har vårt eget konsept og må abstrahere å forstå.

Å vare et menneske betyr å forstå hva er den naturen av verden og tinger vi lever med. Hvordan vi forstår det påvirker hvordan vi lever livet vart.

Hvis gud er allmektig, hvorfor tror du det er så mye ondt i verden?

Nøkkelen å forstå dette er frie vilje av mennesker.

Det var en metafor av Gud som skaper, i ekstrem form Gud som urmaker. Her Gods allmakt og allvitenhet kunne se ut til å peke at verden som Gud skapte er idealt som en maskin. Da er det Gud som er den eneste skuespilleren. Dette synet blir spesielt populært da mennesker utviklet enkelt fysiske vitenskap, Newtons fysikk som er basert på streng årsak og virkning. Tenke om dette: årsaken A forårsaker B. Her A bare styrer en fiksert og helt bestemt effekt B, men B ikke har noe rolle. Da Gud er tenkt som den første og hovedårsaken av alle ting i verden. Konsekvens av dette er at Gud tar alt ansvar. Så bare faktum at det ar noe galt i verden betyr det er Gud som har forårsaket dette.

Men God som bare skaper eller urmaker er en feil metafor. Dessuten, motsier det det bibelske synet. I bibelen Gud er tenkt om som en far. Noen kan tror det er et utdatert og primitivt syn, ikke vitenskapelig som vi nå trenger. Men konsept av faren, den forelderen, tar den eneste essensen av Guds rolle.

En urmaker lager maskinen for et bestemt formål. Maskinen gjør kun det som er urmakers formål, ingenting mer. Maskinen er ikke en uavhengig "agent" med egen aktivitet. Det også finnes ikke en rolle av kjærlighet.

Forelderen er helt motsatt av det synet. Forelderen føder ut av kjærlighet, ikke for en funksjon. Barnet er ikke en programmert robot, men en uavhengig agent som bare lever sitt eget liv. Det betyr at barnet har egen frie vilje som forelderen skal respektere og helt verdsette. Det også betyr at barnet har lov til å feile og lære av sine feil. Dessuten, barnet har likt lov å ikke lære av sine feil og enda å gå helt galt. Forelderen kan ikke gjøre har, men gi råd og kanskje lide over barnets feil. Fordi barnet har frie vilje, det kan ikke fikses, kun kureres.

På samme måte, Gud lar oss å leve vårt eget liv slik vi bestemmer selv. Det betyr våre feil har lov til å være enorme. Men det at vi har fri vilje skaper vår verdi som mennesker. En programmert robot med liten selvstendighet og kreativitet er en helt kjedelig og dumt skapning.

En del av frie vilje er ikke en ting Gud har gatt oss mennesker. Hele verden er skapt til å være uavhengig, ikke som en klokke eller noe andre maskin. Verden er ikke skapt som en endelig ideell ting, men det kan utvikle seg selvstendig. Det finnes eksempler i kvantefysikk: elementærpartikler kan fungere uten noe streng årsakssammenheng. Men den beste eksempel er Darwins evolusjon. Her levende former utvikler seg kreativt uten Guds kontroll. Uavhengighet og fri vilje er Guds plan og gaven, men det er også et tungt ansvar.

Goodbye Gmail

The old good email remains the most critical digital communication tool. What makes the venerable email so useful and sustainable over the long time is its openness and standardization. Email is radically different from the modern "apps" which integrate all pieces of technology--the server, the client, and the protocol--by a single monopolist provider. With email, we are free to choose the server (provider) and client with any combination. It provides enormous flexibility, added privacy and security. Indeed, the provider does not control my client and cannot add backdoors; there is no monoculture of client software with all the related security risks (any security vulnerability is global). Email is one of the few pieces of technology that is very resistant against internet censorship. Repressive state can easily block a web site and even force an app store to remove an app (as the Navalny's "Smart Voting"). Also, an app store can delete it for any other bizarre reason. But it is much more difficult to block a mailing list: it is easy to redeploy and recreate it on a different server (without the users even noticing anything). Furthermore, The user can easily create several different email-based identities (e.g. a separate one for politically sensitive activity) which adds anonymity. And anonymity means physical security in some countries.

It is not surprising that many internet services use the email address to register users, authenticate, restore password and other similar purposes. Open, standardized and decentralized email is one of the most critical technology everything else depends on. After all, the flexibility offered by the email technology--the freedom to choose all pieces (provider, client etc.) is just very very handy, at least for an advanced user (you can add new features on top of what the provider realized, even against the provider's will--isn't it convenient?).

The whole email technology is build around open protocols rather than a centralized platform. This facilitates competition, makes for better and fairer service and reduce possible impacts of malicious monopolists (Masnick, 2019).

Google's Gmail has long been one of the main pillars of email, millions used to rely upon every day. We should praise Google for popularising email as the basic mainstream technology among the masses. I started using Gmail many years ago when it was in its "beta" and available only by invitation. At that time Gmail openness and unrestricted nature was just blazing. The web interface was lightweight and not really cluttered with ugly banners, unlike other email providers. There were ads but they were small and unobtrusive. Gmail had long supported all the basic protocols (POP, IMAP, SMTP) that allowed to use any standard compliant client software, and that was available for free (some other providers were more greedy and allowed this only on paid plans). Google's POP, IMAP and SMTP implementations have been (and still remain!) quite idiosyncratic, incomplete and not really standard-compliant which caused various glitches (e.g. message deletion and default sorting are weird, I always hated Gmail's labels). But this was bearable.

The serious privacy problems and threats of Gmail, such as user email scanning for context-specific advertising (until 2017) or AI tool which could provide access to some pieces of data to third-party developers. That is nearly a disaster that cannot be fixed because spying on the user's data is at the heart of Google's business model. But who cares as long as it is free! I have long been using and promoting PGP encryption which could fix many of the privacy (and security) problems. Yes, PGP is crucial for individuals and businesses and yes, a motivated user can encrypt.

Gmail still remained free and relatively open while an alternative of deploying private email server is time-consuming and tedious (e.g. ensuring that emails from a tiny private server don't end up in spam folders of intended recipients). I used to pay with some of my privacy to get the usability and stability of Gmail.

But over time I became increasingly concerned about the clear trend taken by Google to make the open email more and more difficult to use outside of the Google monopolistic ecosystem. There are signs of the famous embrace, extend, and extinguish strategy. Gmail API is featureful and powerful... but only if you really need the complexity and like to play with the Google rules. If you don't like to see ads, for example, and for this use a standard IMAP mail client of your choice, your must suffer. If you need full PGP support on a mobile client, never offered by Google, you are out of luck and have to use an IMAP-based mobile app like Android K-9 Mail that requires sacrificing some usability.

Google tends to draw its users by all means into its browser, its own apps and APIs to get more user's private data and show ads. For that matter, Google's security usability has become just terrible. The intrusive access-blocks when a mobile user with an IMAP client moves across IP addresses can drive anyone crazy... Access can be blocked even if the user switches just to the next IP address within the same provider's IP pool.

I have to use VPN with fixed IP address to avoid these stupid blocks!

To help keep your account secure, Google will no longer support the use of third-party apps or devices which ask you to sign in to your Google Account using only your username and password. Instead, you’ll need to sign in using Sign in with Google.

The Google's insistence on rather complicated and heavyweight OAuth2 mechanism for basic email client access (remember, most email programs do not require you to enter your password every time, diminishing the risk of phishing) is understandable only as a means to limit all uncontrollable third-party clients. Yes, OAuth2 is logical for complex workflows of data access delegation across multiple web-based services with different login/password combinations (the "Auth" stands for authorization, not authentication). Whenever I need access to my own emails I need to authenticate my identity granting full access. But isn't OAuth2 client secret kept on the device just as the username/password combination? Yet, limiting the (power) users access to their own data provides just an illusion of security at a large cost to usability and compatibility.

The Google's move to OAuth2 authorization seem to point that the Gmail-hosted emails do not belong to me any more. My emails are now owned by Google, who just "authorizes" (delegates) me access to some of the data without trusting me. This is not what I need from my private communication. Does Google pretend to "zero-trust" any third-party apps? Maybe it doesn't trust its users (the owners of their data), assuming they are all idiots?

If you think your users are idiots, only idiots will use it [your service]. --- Linus Torvalds

And there is another side effect: as Google increasingly deployed more and more heavyweight frameworks and technologies, Gmail became very sluggish and bloated. It is cluttered and confusing, especially to those who don't use it often enough to remember all the idiosyncrasies. And it's still poorly adaptable to the user's needs. How can I get a fixed-width font for my plain text message? Where is my favourite basic (and very fast) HTML web interface?

Enough is enough. I now go away from Gmail, and primarily not because of big privacy concerns (which is quite expectable) but because of deteriorating usability and growing incompatibility. It looks like the people at Google have forgotten their old motto "Don't be evil." While I have been paying Google with my privacy currency in the past to get functionality and usability, the benefits of Gmail continuously went lower and now reached an unprofitable level.

Migadu is my choice

There are many hosted email providers, some are focused on privacy and security. For example, Protonmail is a fantastic project that makes it nearly trivial to use PGP even for an uninitiated. But its drawbacks are that it is non-standard and has too high publicity making it quite undesirable in certain authoritarian countries. Simply said, if you use Protonmail in some countries you may be suspected; Protonmail can be blocked by the authorities, and worse still, blocked in quite idiosyncratic way. Some services may also reject registration using this service.

What I have finally chosen is Migadu. It is not yet another standard email hosting provider. It is a domain-based service. Once you have got your own domain name (domains are now cheap), you can make your own email service for your domain. That simple. This makes it super useful for companies, families, groups and NGOs without large budgets. For a reasonable price you get nearly your own mail server with many configurable features (any custom mailboxes, aliases, forwarding, regexp, webmail, etc.) but without the need to maintain all this complex system.

If you have a web site, you necessarily get a domain name for it. Now it's easy to get your own email identity. True that some hosting providers also do host email. But if you decide to switch to a different hosting it will create a trouble: you need to move also email and this fact strongly limits your next choice. Having a completely indpendent email system for your existing domain avoids such hoster lock-in and makes life much easier.

By the way, the Migadu standard webmail interface is sleek and very simple. Looks modern but lightweight and quite fast. No bloat whatsoever, only the most crucial functionality. I am not big fan of web-based email, but use it from time to time. And there is even some very basic support for PGP! (But remember that web-based PGP is not a very secure solution.)

I found the mail server configuration (including more esoteric stuff like DNS setup and DKIM signatures) very easy. In my view you do not need an IT degree to configure your email server with full functionality. I like the admin panel, it is minimalist and easy to use, no stupid and distracting visual effects. And Migadu is advertised as fully open standard compliant service without proprietary glitches and limitations. So any standard (open source or closed source) software is very likely to be fully usable. This freedom is very important. And they are also clear and honest about the limitations and drawbacks.

Finally, goodbye Gmail.

• Masnick, M. 2019. Protocols, not platforms. A technological approach to free speech. Knight First Amendment Institute https://knightcolumbia.org/content/protocols-not-platforms-a-technological-approach-to-free-speech.

PS: Disclaimer: I have no links with Migadu.

This post is also published on Substack and Medium

How to use open source openconnect for UiB VPN

Cisco AnyConect is an unethical software. First, it is proprietary and closed source code, although the nature of its functioning makes it capable to control all the user's network traffic. Even worse, Cisco AnyConnect implements controversial functionality making it technically a kind of malware: the so called "posture" (HostScan) service is scanning the user's device and (steals?) sends various information out (Cisco said this is done "to improve security," e.g. to avoid non-certified and unauthorized devices), Cisco VPN client can officially download and install spyware trojan on the user's device (Cisco also advertises the trojan as a tool to "improve security"). Also, the VPN client can reroute the network settings in arbitrary way without the user's consent and knowledge. All this is a serious security and privacy threat. (And Cisco products have a bad history of serious security flaws that look like backdoors.)

It can be justified to run Cisco AnyConnect on a corporate-owned machine (understanding the consequences for the user's privacy and security). But installing it on the user's owned private devices should be avoided.

Openconnect

Openconnect is an open source SSL VPN client that supports several protocols including Cisco AnyConnect. It can be used as an alternative to proprietary Cisco software that may in some installation include controversial and undesirable functions such as uncontrollable network re-routing, proprietary scanning module, installable spyware trojan etc.

For more information go to the Opeconnect web site: https://www.infradead.org/openconnect/.

Install openconnect from the standard Linux repository, e.g. in case of Ubuntu/Debian use:

apt install openconnect network-manager-openconnect \
            network-manager-openconnect-gnome

Server settings

To connect to the vpn, go to the network configuration entry, then add a new VPN connection, choosing Cisco AnyConnect Compatible VPN (openconnect) in the list.

To connect to the UiB VPN one needs this:

• Server gateway: vpn3.uib.no
• UiB username (short name, in the following examples zzz000)

Basic connect using command line

The simplest command to connect to UiB network is:

sudo openconnect --user zzz000 vpn3.uib.no

Note that sudo is required to set up the tun device (It is, however, possible to configure openconnect to run as unprivileged user, see http://www.infradead.org/openconnect/nonroot.html).

There are also a few useful options:

• --background run openconnect at the background
• --syslog send messages to the system log
• --pid-file /var/run/openconnect.pid use specific pid file, then it is easy to switch off the background vpn using this command: kill $(cat /var/run/openconnect.pid) assuming process pid is saved to /var/run/openconnect.pid

These options result in this command:

sudo openconnect --background --syslog --pid-file /var/run/openconnect.pid  \
                 --user zzz000 vpn3.uib.no

Connect using graphical user interface

Most Linux desktop environments (e.g. Gnome, xfce etc ) have graphical utility that is accessible in the system tray. To configure it use:

• VPN protocol: Cisco AnyConnect
• Software token authentication: TOTP

Other options should be left intact.

At login, the GUI program will ask the University user name and password. Enter and press Login

Then, Microsoft authentication code will be sent via SMS on the mobile phone.

There may be a caveat: DNS might not work with the default configuration (web sites are inaccessible by their http names). If this is the case, go to IPv4 settings and manually configure DNS servers, such as Google DNS 8.8.8.8 and 8.8.4.4

and then to IPv6 settings and enter DNS servers manually, e.g. Google DNS 2001:4860:4860::8888, 2001:4860:4860::8844

Now UiB VPN should work in a private way. Openconnect turns out to be a useful tool to connect to the UiB network in a simple and straightforward way.

Microsoft Windows

Openconnect also works on Microsoft Windows. If you are using Chocolatey then there is a port that can installed be using this command:

choco install openconnect-gui

Disclaimer: I did not try it.

References

• Opeconnect web site with source code, documentation etc: https://www.infradead.org/openconnect/.

• Microsoft Windows port: https://openconnect.github.io/openconnect-gui/

• Tim Hårek Andreassen had a similar howto in his blog: https://timharek.no/blog/uib-vpn-without-cisco/ Note: My openconnect was experience even more straightforward, e.g. in my case no certificate configuration was necessary.

Are we going to work in a paper jail?

Main points

• Any major university IT infrastructure is huge and heterogeneous, it is used by lots of people, many of whom are experimenters and explorers, who like challenge, rather than office robots. Most users are busy, focus on research and study and hate additional (and especially sudden) hassle. This is why consideration of the usability cost is absolutely critical for IT security strategy.

• Creating a walled "trusted" area by a firewall--the perimeter model--is an outdated approach to security at the age of universal zero-trust deployment. Instead of following an already outdated approach, a more sensible strategy is to start implementing components of the zero-trust model, including score-based trust and wide use of personal identity hardware tokens.

• Major focus in security should be shifted from solely technology components to the end users, creating incentives to use more secure technology, rather than making additional hassle.

The great firewall

There was a very rapid trend towards an increasingly restrictive IT policies at the University of Bergen implemented from October this year. While the aim of “Increasing security” is laudable, I think the planning and implementation of the policies has several flaws which may compromise its declared aim. The biggest problem is that the UiB IT is huge and heterogeneous. There is a variety of services with different levels of security risks, many users, with diverse needs, user cases and environments, competences, personal backgrounds and personalities. This requires a more sensible, flexible and inclusive approach. If this is not the case, rigid policies will not make the IT environment significantly safer. Instead, it may hamper normal work for some users, and in the long run compromise both security and privacy contrary to the declared aim.

Security, including the computer security, is not a fixed state, it is rather a continuous process. Security is not limited solely to the IT technology. Technology alone cannot bring security. Security is primarily a human rather than technical problem. Indeed, most dangerous security breaches did not target encryption algorithms, many even only partly involved exploitation of software and hardware vulnerabilities. They typically make use of human factors, such as social engineering, trust exploitation, human mistakes and so on. Successful tracking and catching cyber criminals do not often primarily target technology, but usually depends on exploiting human errors, negligence, laziness and other similar factors. This is why the current primary focus on just technological restriction of the IT environment, aimed barely to its isolation from the outside networks, is neither sufficient nor efficient. A more balanced, flexible and holistic approach is needed.

Security can only work at a balance with usability. Moreover, there is often a trade-off: technological security restrictions often make for worse usability. A completely “sealed” environment would be just too restricted to be usable. Usability is indeed a primary factor: research shows that many security problems and users’ hesitance or unwillingness to make use of (more) secure tools is caused by their imperfect usability. Furthermore, within a hugely heterogeneous environment, there would be no single optimal balance between security and usability. An important consequence of this is that a flexible and inclusive approach to security, aimed at different degrees of balance with usability, is important.

The technical part of security should start and primarily respond to specific threat model(s), not theoretical or vaguely possible risks. And the threat model(s) should be connected with the real life statistics, e.g. how many breach attempts usually occur, to which of the services, from which IP addresses etc. It does not make sense to install solid steel screens on all windows in our department building to make it “more secure” from any kind of possible breaches; even if there are crowds of hungry zombies walking outside, it is just enough to protect the first floor.

Blanket unconditional restriction of the UiB IT network environment as is being implemented does not seem to respond to specific consideration of threat model(s), the variety of users, needs, sub-environments etc. It looks like a desperate attempt to seal everything in a hope that a jailed environment, isolated from the outside, will be more secure. This is a wrong assumption.

Some specific problems

Multi-factor authentication via TOTP: Not a panacea.

KI 0780 introduced multi-factor authentication policy. This is generally a crucial component to improve security, if implemented sensibly. However, not all implementations would automatically improve security or provide a sufficient balance between security and usability. What is called “multi-factor authentication” may not even be really multi-factor. The definition of multi-factor authentication involves the use of several things for authentication, typically something you know: password, plus something you own, e.g. a mobile device (SIM) and something you are e.g. fingerprint. If the password is entered using the password manager software saved on the mobile device and the “multi-factor” SMS comes to the same mobile device (or password entered and SMS read on the same computer that links to the smartphone as is now the norm within the Apple ecosystem), the whole idea of two factors is ridiculed: the smartphone becomes the single authentication device. It can be at best called “two-step authentication,” a weaker mechanism. The SMS (and anything based on phone-line or phone-number) is actually one of the poorest authentication means due to the long known and essentially unsolvable vulnerabilities in the GSM, SS7 and other related protocols. SMS can be hijacked by malicious smartphone apps (e.g. Google Play store does not even approach 100% safety, there are occasional scandals with malware in apps with very substantial audience) or even basic GSM dumb phones (there are reports about quite a few Chinese-made GSM button-phones having factory-installed malware). Worse still, some of the modern and widespread multi-factor mechanisms such as push-based popups are also easily exploited (even worse, they make for a bad habit of clicking “approve” without thinking). If authentication is done on a web page, it is usual to save the authentication cookie to avoid repeated two-factor invocation. However, cookies are not necessarily secure, long kept cookies might be hijacked by malware, there is a well known mechanism of CSRF attacks, there is also a big privacy drawback (e.g. tracking). The current industry trend is to go away from the cookie mechanism in the mainstream browsers (e.g. Google Chrome will not allow any third-party cookies from 2022). A sensible user policy is to reduce the lifetime of any cookie. However, it makes the “two-step” authentication as is currently implemented at the UiB a hassle. Indeed, the user then has to go via the SMS code process nearly every time he or she logins, even if it is done from the same IP address and the same device.

The ssh access to the login.uib.no server have apparently disabled the best-practices secure mechanism of ssh-key authentication (incidentally, if the key is combined with a passphrase then it is actually a two-factor authentication itself!) and forced the potentially week password-based mechanism with SMS code. There seems to be no other TOTP mechanisms except SMS at the time of writing!

A better mechanism is to use the time-based one-time password code (TOTP) authenticator application on the mobile phone. This is in fact recommended at the Microsoft and UiB web pages as a more secure alternative (via Microsoft authenticator app). While TOTP is better than SMS, it is far from perfect because it is potentially vulnerable to phishing and the MITM attack and the secret seed should be kept on the authenticator application as well as on the server to make synchronised generation of TOTPs possible.

Personal hardware tokens

There is a much better and stronger two-factor authentication mechanism: U2F and FIDO2/WebAuthn that use hardware security device keeping the private key. The security token, in the form of a small USB or NFC key can both authenticate on the server and authenticate the server itself with strong asymmetric crypto, making phishing and many other attacks virtually impossible. Many such devices also implement biometric (e.g. fingerprint) identification with privacy-respected way (e.g. biometric data is not sent from the user's device). This is now a mature technology that is implemented in all major web browsers, can be used with ssh key-based authentication, GPG-enabled email etc.

The best known hardware token is probably the Yibikey and there are a few others on the market (e.g. Google Titan, FEITIAN, Token2, Thetis etc.). They can be not very cheap, but not prohibitively expensive either.

VPN needed for all, even the most essential everyday services

The UiB IT services have previously used several open and industry-standard VPN mechanisms (IPsec, OpenVPN) so that different users could easily find a solution working for them individually. Now, there is a single closed and proprietary mechanism: Cisco AnyConnect including both unique protocol (SSL-based) and the software client. This mechanism may work for many but not necessarily for everyone (e.g. unlike open solution, it may not be available on some computing platforms, some enthusiasts of the open source might find restriction to a single proprietary tool unethical, etc.). There are rumors about unreliable connections with Cisco AnyConnect, and that OpenVPN was previously more stable for some users. It is indeed likely if Cisco AnyConnect is used over certain restrictive environments with DPI that block connections to certain ports or UDP traffic even at the 443 port, or otherwise censor VPNs (e.g. some public WiFi networks may have such limitations). Some implementations of the OpenVPN, in contrast, can be configured to mimic normal SSL web traffic (e.g. shadowsocks) and work even under the Great Chinese firewall. There is a clear benefit at not prohibitively high cost to provide at least some limited support for such a mechanism for certain users (e.g. special needs or during travel). It might even be provided only on special request with some substantiation. Also, the reliability statistics internally used by the IT department might be biased if not all users report minor and transient VPN issues. So there is a case to deploy and support alternative VPN solutions, perhaps even on a smaller scale.

It sounds quite reasonable that providing and supporting a wider choice of VPN solutions for a minority of users would not be economically feasible. However, it is certainly not the case when just all the services become available only from within the UiB internal network jail. Then, there should be more flexibility and inclusion, several ways to get into a jailed environment comfortably by a variety of users in different environments. It is just too unbalanced limitation to mandate the use of a single restricted VPN to get email from home or from an airport, for example. A better alternative is of course to relax the policy moving at least the most essential but inherently secure services out of the jail.

Is the universal jail really essential for everything?

One issue with unconditional moving of all the UiB IT services into a jailed environment is that this would not reflect sufficient balance between security and usability. It is of course good to keep potentially less secure services (e.g. RDP) jailed. But are real threats substantial enough to hide just everything into such a jail?

Are there any real-life statistical or other data evidencing that accessing the university email system from an IMAP client with normal SSL/TLS protection can be dangerous? The user in such a case does not need to enter the UiB password for login (it is saved into the software, often encrypted on devise), so phishing risk is near zero. The authenticity of the IMAP server certificate is usually checked through the standard SSL mechanism. So is there any real security advantage to move such essential everyday tool as email into the jail, does this just induces additional hurdle?

Another example is connecting the UiB login.uib.no ssh server. Many (presumably less advanced) users can use the ssh with their default password. Then, the “two-factor” authentication is a serious security improvement of course, even if it is in fact used in the weakened two-step authentication mode. However, some other users can configure ssh-key authentication, which is a much more secure mechanism. Will the manual entry password with two-factor authentication really provide sufficient security improvement in such a case? Will it provide anything beyond a negligible effect if the user has already authenticated with SMS on the same device, or a different device from the same IP address shortly before? Is there any improvement in security that substantiates such degradation of usability?

The question is this: is the same level of restriction and jailing really essential for all services, often and rarely used, potentially less secure and highly secure, easy and difficult to exploit, those with documented attacks and those that present little interest to intruders? Does not it just provide usability costs not balanced by any security improvement?

Human ingenuity: Is the jail actually made of paper?

It is clear that equally and unconditionally restricting just everything, especially, without considering usability costs, will not automatically increase security. The situation can well be worse: lower security as well as compromised privacy.

For example, to avoid all the nuisance, users may switch to using third-party commercial providers, such as increasingly use private gmail.com accounts, Dropbox etc. Users may use smaller, more cryptic online tools and applications (e.g. file sharing sites, communication tools, some advertised as encrypted) with uncontrollable and unknown security. Some of them might be owned and run by community and volunteers, some could be compromised or deliberately devised to gather data, track users and spy.

Some of more qualified "insider" users might successfully hack the system to get nuisance-free access to the UiB jailed environment from outside. It is actually not a hard problem. One possible solution is to use the reverse ssh proxy. It does not even require administrative rights and can be done by a motivated average level computer user after 20 min of reading the ssh manual. More advanced users can create stable backdoors implementing such things as proxy jump and port forwarding that will sustain reboots, logouts etc. It is also easy to add various layers for plausible deniability and obfuscation.

There are much more tools, ways and possibilities to implant and efficiently hide a backdoor into the UiB jailed environment. All that is required is various open source components freely available on the net and an incentive to do such unauthorized actions. It is not just an abstract theoretical threat but real and serious risk left behind the current jailing policy.

Imposing a jailed environment without considering trade-off of flexibility and usability has this biggest problem: It may create an incentive to break the rules to make life more hassle-free. A related and serious problem is that the IT department would not be able to control this and in most cases will remain unaware of the issue. It is virtually impossible to detect that users communicate and share sensitive medical or personal data over a private google mail account, for example. A cryptic backdoor implanted on the computer within the UiB jail with sufficient plausible deniability can remain long undetected without costly and tedious forensic analysis. But such an analysis will be conducted only by the police after a catastrophic break-in has occurred, too late.

There are many advanced users, smart students, at the university. Many well understand (and they do discuss!) the inconsistency of the restrictive jail policies. Some people may find it quite fun to overcome the silly rules imposing unneeded hassle. It can indeed be an interesting challenge but, unfortunately, an additional incentive.

A further problem is that many users usually do not bother to report smaller or transient problems at the normal issue tracking channels such as hjelp.uib.no. They may not be acquainted with it or just consider it a hassle if they are very busy (and they are very busy with real things to hang at tangential IT problems). A quite typical way of action is to ask someone nearby for a help or workaround. Therefore, if the knowledge of the ways for implanting backdoors and the obvious fact that it is quite easy and just solves the problem, is spread within the student and staff, it can create a real security disaster. Unfortunately, backdoor skills are very likely to spread if the IT department continues to create more and more restrictive jail and provide more incentives to break the rules. Then, it would be essential to further tighten the jail: inspect all devices on entry and refuse entry to everyone with IQ > 0.60. The simple fact is that the jail that is being happily built is not made of rock and steel, it is paper.

The situation at the UiB is quite different from a typical commercial organization that the standard security recipes are based upon. There are many brilliant students and staff out here, many are young and like challenges. There can be those who would not hesitate to take risk, given the benefit of making one’s own hassle-free environment is high, the cost is zero while expected risk is rather low. Making a backdoor is indeed a way of learning technology that is fun and another added incentive. Many folks are already aware of various software tools and know how to use their black magic. People are ingenious, and people at UiB are on average much more ingenious than outside. What is the threat model for developing the jailed IT environment? Is to protect the UiB from outside hackers? It is a wrong model because many such hackers are already within the jailed environment and are ready and to get the challenge to punch its feeble paper walls from inside.

What should be done?

Inconsiderate and inflexible jailing of the UiB IT networks should certainly be slowed down before it is too low and people started using third-party tools and making their own unauthorized solutions. There should be a serious analysis on what must be implemented and over which time scale so the users can get acquainted and do not just suddenly get huge hassle. As to now, the “analysis” seems to be mainly focused on “what is suddenly broken down once we put everything into a jail”; this is not acceptable. The policies should not be based mechanistically on some manual made for a different type of environment, they should be inclusive, flexible enough to adapt to the complex, diverse and heterogeneous UiB environment. The main focus should switch from technology to people: how to reach most of them (they are busy!), make security improvements minimally obtrusive, teach very busy people sufficient security skills without much hassle. Specifically, the most important information should not be sent by global mailing list that may disappear in user’s mail filter, but must be directed personally to each user (it isn’t prohibitively hard to write a script for this, substituting %NAME% with the real user’s name).

The technological part of the solution should develop sensible threat models based on attack and usage statistics. It should be governed by real risks rather than desire to just protect everything quickly and at all costs. Some of the restrictions already applied can be relaxed. A reasonable solution is to apply more sensible score-based security mechanism, e.g. including IP based rules for two-factor or two-step authentication. Some of more secure services, can for example, be available without firewall restriction if the user comes from his/her frequently used Norwegian home IP address (to improve usability while still reducing potential attack surface). This efficiently transforms a jail into a continuum adapting for the threat and uncertainty level. It will also pay back to demonstrate the practical benefits of client-side certificate authentication, OAuth2 and similar more phishing-resistant security token mechanisms (e.g. they can relax the need in TOTP/SMS authentication) to all users. The university should also facilitate much wider use of hardware-based authentication devices, such as YubiKey, for proper two-factor authentication, perhaps even distribute such devices freely in some groups if universal deployment turns out expensive. Such personal identity verification hardware devices are actually a crucial component of modern zero-trust security approaches.

The crucial element of the whole policy is to create incentives for using more secure tools. For example, the use of hardware personal identity verification tokens should allow to bypass all or most restrictions, perhaps even the need in VPN. There would currently be little added risk with such a policy, but the users would be much happier to do their work securely whenever they need without hassle. This would require hard work, additional integration and funding. But educating, helping and cooperating with users—not restricting and obstructing them—would be the only viable strategy to achieve increased security in the University environment in reality, not just on paper.