Be careful what you wish for… #foodforthought #censorship

This is the result not only of the original pressure from a) the copyright maximalism extremists' lobby but also, more recently, of b) pressure from people who can't handle offence from the right, with all the "cancel culture" calls.

The problem is… you have just opened the door for people who can’t handle offence from the left, get it?

You can't ask for censorship of things you don't like without also handing the legal tools for censoring the things you do like to a guy you don't like. Like Trump.

I’ve been saying for years that places like the closed garden social networks provide a space to speak your mind, but they *do* have the right to restrict your speech in their own walled garden.

However… the moment they started editorializing (and they not only can do it, they actively do it when they manipulate our feeds, insert ads, etc…) they opened themselves up to existing regulation.

Regulation that is now being abused by the Trump administration.

Congratulations, lobbyists and snowflakes, you got what you asked for.

Can we now work to fix this?

Is it even fixable without leaving the huge social networks, making people lose all the network effects of vast networks?

I'm not sure it is, but it certainly is a wake-up call.

There are other options like the Fediverse, where you can build your own social network that integrates with others, but Facebook and Twitter will never allow federation, nor any other successful (by numbers or regulation like in China) social network.

Create your own #Jitsi *and* #XMPP instance

So the best, and quickest, way to get your own Jitsi instance is to follow these instructions:

As far as I can tell there is no such easy way to get it running on CentOS, and I won't be diving into that for the moment (although I certainly intend to in the future), but I think it is very much worth building on those instructions to set up an XMPP instance, which seems to me essential for the free federated communication world, and which is already built into your Jitsi server!

  1. If you only want the video conference part, you only need 443/tcp (https) and 10000:20000/udp and you can skip the rest of this blog entry. You don’t need to enable http as it only redirects into https, and if you don’t plan on allowing remote public ssh you don’t have to enable it either. That’s just there as a helpful reminder in case you just created a virtual machine on some VPS provider and so you don’t get locked out by accident;
  2. But if you’d like to have your own instant messaging server, you can additionally follow the instructions below in order to expose Jitsi’s integrated XMPP address as well, and your identity will be

So you start by setting up additional permissions you’ll be needing in order to re-use the same Let’s Encrypt certificate managed by certbot:

cd /etc/letsencrypt/
chmod a+rx live live/*
chmod g+rx archive
chgrp -R ssl-cert archive
chmod g+s archive archive/*
chmod g+r archive/*/*key*pem

You’ll also have to change prosody’s certificates in order to use the correct ones, and then restart it:

cd /etc/prosody/certs
ln -sf /etc/letsencrypt/live/
ln -sf /etc/letsencrypt/live/
systemctl restart prosody

Finally, you’ll need to open prosody’s port in the firewall as well:

ufw allow 5222/tcp

That's it. Now you have your Jitsi video conference properly integrated with XMPP/Jabber. Neat, eh?

PS: Oh, a minor but relevant update… use the following ufw rule rather than the corresponding one in the article above, so that multiple UDP streams are allowed for the video conference; TCP plus a single UDP port will be a bit painful…

ufw allow 10000:20000/udp
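The permission steps above hand the Let's Encrypt private key to prosody through the ssl-cert group, so the thing to verify afterwards is that the key ended up group-readable but not world-readable, and that prosody's symlink actually resolves into the live directory. The following audit is an added example, not part of the original post; it assumes GNU or busybox coreutils (stat -c, readlink -f) and takes every path as a parameter so it can be exercised on a scratch directory:

```shell
#!/bin/sh
# Added example, not from the original post: audit the Let's Encrypt key shared
# with prosody via the ssl-cert group. Checks that the key is readable by that
# group but carries no "other" bits, and that prosody's symlink resolves to a
# real file under the live directory. Assumes GNU/busybox stat -c and readlink -f.

# Print the "group" and "other" octal digits of a file's mode, e.g. "4 0" for 640.
mode_digits() {
    perms=$(stat -c '%a' "$1") || return 1
    other=${perms#"${perms%?}"}        # last digit
    rest=${perms%?}
    group=${rest#"${rest%?}"}          # second-to-last digit
    echo "$group $other"
}

# 0 if the key is group-readable (r bit set) and "other" has no permissions at all.
key_perms_ok() {
    digits=$(mode_digits "$1") || return 1
    set -- $digits
    [ "$2" = 0 ] || return 1
    case "$1" in 4|5|6|7) return 0 ;; *) return 1 ;; esac
}

# 0 if the file is owned by the expected group, given as a name or a numeric gid.
key_group_ok() {
    [ "$(stat -c '%G' "$1")" = "$2" ] || [ "$(stat -c '%g' "$1")" = "$2" ]
}

# 0 if the prosody symlink resolves to an existing regular file below directory $2.
cert_link_ok() {
    target=$(readlink -f "$1") || return 1
    [ -f "$target" ] || return 1
    case "$target" in "$2"/*) return 0 ;; *) return 1 ;; esac
}

# Run all checks; prints one line per failure and returns nonzero if any failed.
# Args: key path, expected group, prosody symlink, Let's Encrypt live directory.
audit_shared_key() {
    rc=0
    key_perms_ok "$1"      || { echo "FAIL: $1 is world-readable or not group-readable"; rc=1; }
    key_group_ok "$1" "$2" || { echo "FAIL: $1 is not owned by group $2"; rc=1; }
    cert_link_ok "$3" "$4" || { echo "FAIL: $3 does not resolve into $4"; rc=1; }
    return $rc
}

# On a live box (YOUR_DOMAIN and the link name are placeholders), e.g.:
# audit_shared_key /etc/letsencrypt/live/YOUR_DOMAIN/privkey.pem ssl-cert \
#     /etc/prosody/certs/YOUR_DOMAIN.key /etc/letsencrypt/live
```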

How to connect to a different Jitsi site

So you have now set up your own Jitsi site, or you want to connect to your friend's Jitsi site. How do you do it?

If you're using a computer, it's simple: all you need is to type the address of the website and room in your browser's URL bar:

But if that were all there was to it, this would be a very boring, short blog post. 🙂 What about the app?

At least in the Android version, Jitsi Meet doesn't make it obvious how to change the server; it's quite easy once you know where to look, but it could be a lot simpler.

Just press the “menu” button (the three horizontally stacked bars on the top left part of the Jitsi Meet app window):

Choose Settings:

Then choose your display name and, most importantly, the website (without any room reference, just the root):

Done. Now go back and write your desired room name.

That’s it, that’s really just all there is to it.

Now go and have fun. 🙂

pam_ipahbac, the James Bond release

So we had another go at joining AIX servers to a FreeIPA / Red Hat Identity Management domain, this time with complete success, since IBM has greatly improved certain aspects that allow a much easier integration:

  • IDSLDAP (at least 6.4) now configures properly against FreeIPA
  • the rpm packages (aixtoolbox) are being maintained, allowing for a much more recent sudo with LDAP support (we couldn't get sudo_ids to work, just go for normal sudo)
  • sshd is finally a version with support for AuthorizedKeysCommand

So it was time for a new take on the HBAC front, and after not being successful with either pam_hbac or my own pam_ipahbac, a new look at the code was needed.

Turns out the issue was OpenLDAP. For the integration of pam, sshd, idsldap… basically you now need to use idsldap's libraries, so… time for a new release.

Since it was much simpler to change my code than to adapt pam_hbac, that's what I did, and now configure detects that it is running on AIX and no longer requires OpenLDAP. You still need special compilation flags, so it was much easier for me to just have them set up in the rpm spec.

Anyway, you can go to the website and download shiny new binaries for 0.0.7, and the tarball if you want, as well as read my definitive AIX/FreeIPA integration guide (which is also quite relevant).

Obfuscated encryption fails again… No Shit, Sherlock!

This is obfuscation, rather than encryption, for all purposes.

Major hardware vendors are involved, and «the issue is worse on Windows». No surprises, then… Glad I don’t use that poor excuse for an operating system… 🙂

It seems a few popular devices with hardware-controlled self-encryption aren't really doing it well, having master passwords (truly a #WTF) and faulty standards implementations.

«SSDs from Micron (Crucial) and Samsung are affected. These are SSDs that support hardware-level encryption via a local built-in chip, separate from the main CPU. Some of these devices have a factory-set master password that bypasses the user-set password, while other SSDs store the encryption key on the hard drive, from where it can be retrieved. The issue is worse on Windows, where BitLocker defers software-level encryption to hardware encryption-capable SSDs, meaning user data is vulnerable to attacks without the user’s knowledge»

There's a paper with all the gory details for the hardcore guys, and a report on ZDNet for the rest.

I love learning new stuff

Really! Learning new stuff is always good for improving yourself, even when it's something as boring as accounting (well, this one I need to help myself believe).

This is definitely not news for many people, but I always wondered how fail2ban was blocking anything when I couldn't find any of the banned IPs with iptables-save | grep

I always left it for another time, and boy, did that time pass long and quickly, with other, more important things to do.

But no more! This past weekend I finally learned how fail2ban manages IP block lists with firewalld: it uses an ipset and then creates iptables multiport matches on that defined ipset!
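That is exactly why grepping iptables-save for a banned address finds nothing: the address lives in the ipset, and the iptables rule only carries a `--match-set` reference to it. The helpers below are an added example, not part of the original post; they parse the text formats of `ipset list` and `iptables-save`, and the two samples are constructed (TEST-NET addresses), not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the original post: where fail2ban's bans actually live
# when it sits on top of firewalld. Both samples below are constructed.

IPSET_SAMPLE='Name: f2b-sshd
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536 timeout 600
Size in memory: 344
References: 1
Number of entries: 2
Members:
203.0.113.7 timeout 512
198.51.100.9 timeout 40

Name: f2b-postfix
Type: hash:ip
Header: family inet hashsize 1024 maxelem 65536 timeout 600
Members:
192.0.2.33 timeout 9'

IPTABLES_SAMPLE='-A INPUT_direct -p tcp -m multiport --dports 22 -m set --match-set f2b-sshd src -j REJECT --reject-with icmp-port-unreachable
-A INPUT_direct -p tcp -m multiport --dports 25,465,587 -m set --match-set f2b-postfix src -j REJECT --reject-with icmp-port-unreachable'

# Print the members of one set from `ipset list` text on stdin (drops "timeout N").
ipset_members() {            # $1 = set name
    awk -v name="$1" '
        /^Name: /   { inset = 0; cur = $2; next }
        /^Members:/ { inset = (cur == name); next }
        /^$/        { inset = 0; next }
        inset       { print $1 }'
}

# Exit 0 if address $2 is currently banned in set $1 (`ipset list` text on stdin).
is_banned() {
    ipset_members "$1" | grep -qxF "$2"
}

# Print every set name that some rule in `iptables-save` text (stdin) matches on.
referenced_sets() {
    sed -n 's/.*--match-set \([^ ]*\) .*/\1/p' | sort -u
}

# On a real host: ipset list | ipset_members f2b-sshd ; iptables-save | referenced_sets
printf '%s\n' "$IPSET_SAMPLE" | ipset_members f2b-sshd
printf '%s\n' "$IPTABLES_SAMPLE" | referenced_sets
```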

Boy, was I happy… It may come in useful in the future, and it would definitely have been very useful at times in the past, rather than other workarounds.

Still… nice. I must strive to make time to learn new stuff at least every weekend.

That god-awful upcoming European copyright directive revision…

So the European Commission and Parliament want to give more power to the copyright maximalism extremists, sorry… to revise the European copyright directive…

Among other issues they want to:

  • tax links to news sources (article 11)
  • censor, before publication, anything citizens want to publish online, under the excuse of "protecting" against copyright infringement (article 13)

Article 11

The first one is moronic, and I will do my best to bring about the death of the news publishers who support this.

No more sharing of articles, no more links.

I may personally not be liable, BUT any social network I participate in is, and if they deem my website commercial in any way, shape or form, even I may be liable because of what users publish as comments.

This is absurd: links drive potential customers to you, guys. Wanting to cash in because a link and a short excerpt point to your page is a very misguided idea driven by avarice.

This is what you deserve: a very slow death by nobody using your services because nobody knows of links to you.

I will do my best in this regard. If you can die slowly and painfully (as businesses, not as persons), I will watch with a smile on my face.

Ear to ear grin, guys. Not a slight Amazon-like smirk. Ear to ear…

Article 13

Guys… this is censorship in the fullest sense of the word. Government-mandated rules that prevent publishing for some specific reason.

If you believe that software can properly detect copyright infringement, then I have a nice piece of land on the moon to sell you really cheap. I promise to provide a good deed as proof of ownership! Really!

And if you needed any proof, here it goes… a most recent and obnoxious case where Sony claims copyright of Bach's works on Facebook. Seriously?

Do not even dream for a second that this will get refined and work in the future.

It won't. Artificial Intelligence will sooner take over our society and replace it with repetitive robotic work than do this properly.

And this leads to a slippery slope of censorship where other rules will be added to the censorship machines… and in fact… really… they're already doing it… now they're adding the "rules against terrorism"; I wonder how many steps until you can't say anything against the European authorities…

On changing (or not) the clocks… Bring on Spring/Autumnal time

It seems the European Commission is giving Member States until April of next year to indicate which time they intend to keep: summer or winter.

Note: I would have had a link here to O Público's articles on this, but following the more-than-likely approval of the European directive that legitimises charging fees for links, I no longer intend to link to any traditional news outlet.

I think it is praiseworthy that, for once, the European Commission listens to citizens on some topic; one would expect the same attitude regarding the revision of the European copyright directive, so for the moment I only fear… "what's the catch"…

That 79% of the Portuguese prefer summer time doesn't surprise me at all; as a country that, because of tourism, only stands to gain from more daylight during the day, especially in summer, it would be much preferable.

On the other hand, some say this also has other harmful effects.

That is, whichever option is taken, there are advantages and disadvantages.

Which way to go?

I personally think the whole EU could shift by just half an hour and sit somewhere in the middle, with no time zone changes from then on.

This middle ground seems more viable to me, and something that balances the arguments for and against each side. Let's call it Spring-Autumnal time…