+ <a href="https://people.skolelinux.org/pere/blog/Latest_Jami_back_in_Debian_Testing__and_scriptable_using_dbus.html">Latest Jami back in Debian Testing, and scriptable using dbus</a>
+ </div>
+ <div class="date">
+ 12th January 2021
+ </div>
+ <div class="body">
+ <p>After a lot of hard work by its maintainer Alexandre Viau and
+others, the decentralized communication platform
+<a href="https://en.wikipedia.org/wiki/Jami_(software)">Jami</a>
+(earlier known as Ring), managed to get
+<a href="https://tracker.debian.org/pkg/ring">its latest version</a>
+into Debian Testing. Several of its dependencies has caused build and
+propagation problems, which all seem to be solved now.</p>
+
+<p>In addition to the fact that Jami is decentralized, similar to how
+bittorrent is decentralized, I first of all like how it is not
+connected to external IDs like phone numbers. This allow me to set up
+computers to send me notifications using Jami without having to find
+get a phone number for each computer. Automatic notification via Jami
+is also made trivial thanks to the provided client side API (as a DBus
+service). Here is my bourne shell script demonstrating how to let any
+system send a message to any Jami address. It will create a new
+identity before sending the message, if no Jami identity exist
+already:</p>
+
+<p><pre>
+#!/bin/sh
+#
+# Usage: $0 <jami-address> <message>
+#
+# Send <message> to <jami-address>, create local jami account if
+# missing.
+#
+# License: GPL v2 or later at your choice
+# Author: Petter Reinholdtsen
+
+
+if [ -z "$HOME" ] ; then
+ echo "error: missing \$HOME, required for dbus to work"
+ exit 1
+fi
+
+# First, get dbus running if not already running
+DBUSLAUNCH=/usr/bin/dbus-launch
+PIDFILE=/run/asterisk/dbus-session.pid
+if [ -e $PIDFILE ] ; then
+ . $PIDFILE
+ if ! kill -0 $DBUS_SESSION_BUS_PID 2>/dev/null ; then
+ unset DBUS_SESSION_BUS_ADDRESS
+ fi
+fi
+if [ -z "$DBUS_SESSION_BUS_ADDRESS" ] && [ -x "$DBUSLAUNCH" ]; then
+ DBUS_SESSION_BUS_ADDRESS="unix:path=$HOME/.dbus"
+ dbus-daemon --session --address="$DBUS_SESSION_BUS_ADDRESS" --nofork --nopidfile --syslog-only < /dev/null > /dev/null 2>&1 3>&1 &
+ DBUS_SESSION_BUS_PID=$!
+ (
+ echo DBUS_SESSION_BUS_PID=$DBUS_SESSION_BUS_PID
+ echo DBUS_SESSION_BUS_ADDRESS=\""$DBUS_SESSION_BUS_ADDRESS"\"
+ echo export DBUS_SESSION_BUS_ADDRESS
+ ) > $PIDFILE
+ . $PIDFILE
+fi &
+
+dringop() {
+ part="$1"; shift
+ op="$1"; shift
+ dbus-send --session \
+ --dest="cx.ring.Ring" /cx/ring/Ring/$part cx.ring.Ring.$part.$op $*
+}
+
+dringopreply() {
+ part="$1"; shift
+ op="$1"; shift
+ dbus-send --session --print-reply \
+ --dest="cx.ring.Ring" /cx/ring/Ring/$part cx.ring.Ring.$part.$op $*
+}
+
+firstaccount() {
+ dringopreply ConfigurationManager getAccountList | \
+ grep string | awk -F'"' '{print $2}' | head -n 1
+}
+
+account=$(firstaccount)
+
+if [ -z "$account" ] ; then
+ echo "Missing local account, trying to create it"
+ dringop ConfigurationManager addAccount \
+ dict:string:string:"Account.type","RING","Account.videoEnabled","false"
+ account=$(firstaccount)
+ if [ -z "$account" ] ; then
+ echo "unable to create local account"
+ exit 1
+ fi
+fi
+
+# Not using dringopreply to ensure $2 can contain spaces
+dbus-send --print-reply --session \
+ --dest=cx.ring.Ring \
+ /cx/ring/Ring/ConfigurationManager \
+ cx.ring.Ring.ConfigurationManager.sendTextMessage \
+ string:"$account" string:"$1" \
+ dict:string:string:"text/plain","$2"
+</pre></p>
+
+<p>If you want to check it out yourself, visit the
+<a href="https://jami.net/">the Jami system project page</a> to learn
+more, and install the latest Jami client from Debian Unstable or
+Testing.</p>
+
+<p>As usual, if you use Bitcoin and want to show your support of my
+activities, please send Bitcoin donations to my address
+<b><a href="bitcoin:15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b">15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b</a></b>.</p>
+
+ </div>
+ <div class="tags">
+
+
+ Tags: <a href="https://people.skolelinux.org/pere/blog/tags/debian">debian</a>, <a href="https://people.skolelinux.org/pere/blog/tags/english">english</a>, <a href="https://people.skolelinux.org/pere/blog/tags/sikkerhet">sikkerhet</a>, <a href="https://people.skolelinux.org/pere/blog/tags/surveillance">surveillance</a>.
+
+
+ </div>
+ </div>
+ <div class="padding"></div>
+
+ <div class="entry">
+ <div class="title">
+ <a href="https://people.skolelinux.org/pere/blog/Secure_Socket_API___a_simple_and_powerful_approach_for_TLS_support_in_software.html">Secure Socket API - a simple and powerful approach for TLS support in software</a>
+ </div>
+ <div class="date">
+ 6th June 2020
+ </div>
+ <div class="body">
+ <p>As a member of the <a href="https://www.nuug.no/">Norwegian Unix
+User Group</a>, I have the pleasure of receiving the
+<a href="https://www.usenix.org/">USENIX</a> magazine
+<a href="https://www.usenix.org/publications/login/">;login:</a>
+several times a year. I rarely have time to read all the articles,
+but try to at least skim through them all as there is a lot of nice
+knowledge passed on there. I even carry the latest issue with me most
+of the time to try to get through all the articles when I have a few
+spare minutes.</p>
+
+<p>The other day I came across a nice article titled
+"<a href="https://www.usenix.org/publications/login/winter2018/oneill">The
+Secure Socket API: TLS as an Operating System Service</a>" with a
+marvellous idea I hope can make it all the way into the POSIX standard.
+The idea is as simple as it is powerful. By introducing a new
+socket() option IPPROTO_TLS to use TLS, and a system wide service to
+handle setting up TLS connections, one both make it trivial to add TLS
+support to any program currently using the POSIX socket API, and gain
+system wide control over certificates, TLS versions and encryption
+systems used. Instead of doing this:</p>
+
+<p><blockquote><pre>
+int socket = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
+</pre></blockquote></p>
+
+<p>the program code would be doing this:<p>
+
+<p><blockquote><pre>
+int socket = socket(PF_INET, SOCK_STREAM, IPPROTO_TLS);
+</pre></blockquote></p>
+
+<p>According to the ;login: article, converting a C program to use TLS
+would normally modify only 5-10 lines in the code, which is amazing
+when compared to using for example the OpenSSL API.</p>
+
+<p>The project has set up the
+<a href="https://securesocketapi.org/">https://securesocketapi.org/</a>
+web site to spread the idea, and the code for a kernel module and the
+associated system daemon is available from two github repositories:
+<a href="https://github.com/markoneill/ssa">ssa</a> and
+<a href="https://github.com/markoneill/ssa-daemon">ssa-daemon</a>.
+Unfortunately there is no explicit license information with the code,
+so its copyright status is unclear. A
+<a href="https://github.com/markoneill/ssa/issues/2">request to solve
+this</a> about it has been unsolved since 2018-08-17.</p>
+
+<p>I love the idea of extending socket() to gain TLS support, and
+understand why it is an advantage to implement this as a kernel module
+and system wide service daemon, but can not help to think that it
+would be a lot easier to get projects to move to this way of setting
+up TLS if it was done with a user space approach where programs
+wanting to use this API approach could just link with a wrapper
+library.</p>
+
+<p>I recommend you check out this simple and powerful approach to more
+secure network connections. :)</p>
+
+<p>As usual, if you use Bitcoin and want to show your support of my
+activities, please send Bitcoin donations to my address
+<b><a href="bitcoin:15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b">15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b</a></b>.</p>
+
+ </div>
+ <div class="tags">
+
+
+ Tags: <a href="https://people.skolelinux.org/pere/blog/tags/debian">debian</a>, <a href="https://people.skolelinux.org/pere/blog/tags/english">english</a>, <a href="https://people.skolelinux.org/pere/blog/tags/sikkerhet">sikkerhet</a>, <a href="https://people.skolelinux.org/pere/blog/tags/sysadmin">sysadmin</a>.
+
+
+ </div>
+ </div>
+ <div class="padding"></div>
+
+ <div class="entry">
+ <div class="title">
+ <a href="https://people.skolelinux.org/pere/blog/Jami_as_a_Zoom_client__a_trick_for_password_protected_rooms___.html">Jami as a Zoom client, a trick for password protected rooms...</a>
+ </div>
+ <div class="date">
+ 8th May 2020
+ </div>
+ <div class="body">
+ <p>Half a year ago,
+<a href="http://people.skolelinux.org/pere/blog/Jami_Ring__finally_functioning_peer_to_peer_communication_client.html">I
+wrote</a> about <a href="https://jami.net/">the Jami communication
+client</a>, capable of peer-to-peer encrypted communication. It
+handle both messages, audio and video. It uses distributed hash
+tables instead of central infrastructure to connect its users to each
+other, which in my book is a plus. I mentioned briefly that it could
+also work as a SIP client, which came in handy when the higher
+educational sector in Norway started to promote Zoom as its video
+conferencing solution. I am reluctant to use the official Zoom client
+software, due to their <a href="https://zoom.us/terms">copyright
+license clauses</a> prohibiting users to reverse engineer (for example
+to check the security) and benchmark it, and thus prefer to connect to
+Zoom meetings with free software clients.</p>
+
+<p>Jami worked OK as a SIP client to Zoom as long as there was no
+password set on the room. The Jami daemon leak memory like crazy
+(approximately 1 GiB a minute) when I am connected to the video
+conference, so I had to restart the client every 7-10 minutes, which
+is not great. I tried to get other SIP Linux clients to work
+without success, so I decided I would have to live with this wart
+until someone managed to fix the leak in the dring code base. But
+another problem showed up once the rooms were password protected. I
+could not get my dial tone signaling through from Jami to Zoom, and
+dial tone signaling is used to enter the password when connecting to
+Zoom. I tried a lot of different permutations with my Jami and
+Asterisk setup to try to figure out why the signaling did not get
+through, only to finally discover that the fundamental problem seem to
+be that Zoom is simply not able to receive dial tone signaling when
+connecting via SIP. There seem to be nothing wrong with the Jami and
+Asterisk end, it is simply broken in the Zoom end. I got help from a
+very skilled VoIP engineer figuring out this last part. And being a
+very skilled engineer, he was also able to locate a solution for me.
+Or to be exact, a workaround that solve my initial problem of
+connecting to password protected Zoom rooms using Jami.</p>
+
+<p>So, how do you do this, I am sure you are wondering by now. The
+trick is already
+<a href="https://support.zoom.us/hc/en-us/articles/202405539-H-323-SIP-Room-Connector-Dial-Strings#sip">documented
+from Zoom</a>, and it is to modify the SIP address to include the room
+password. What is most surprising about this is that the
+automatically generated email from Zoom with instructions on how to
+connect via SIP do not mention this. The SIP address to use normally
+consist of the room ID (a number), an @ character and the IP address
+of the Zoom SIP gateway. But Zoom understand a lot more than just the
+room ID in front of the at sign. The format is "<tt>[Meeting
+ID].[Password].[Layout].[Host Key]</tt>", and you can here see how you
+can both enter password, control the layout (full screen, active
+presence and gallery) and specify the host key to start the meeting.
+The full SIP address entered into Jami to provide the password will
+then look like this (all using made up numbers):</p>
+
+<p><blockquote>
+<tt>sip:657837644.522827@192.168.169.170</tt>
+</blockquote></p>
+
+<p>Now if only jami would reduce its memory usage, I could even
+recommend this setup to others. :)</p>
+
+<p>As usual, if you use Bitcoin and want to show your support of my
+activities, please send Bitcoin donations to my address
+<b><a href="bitcoin:15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b">15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b</a></b>.</p>
+
+ </div>
+ <div class="tags">
+
+
+ Tags: <a href="https://people.skolelinux.org/pere/blog/tags/debian">debian</a>, <a href="https://people.skolelinux.org/pere/blog/tags/english">english</a>, <a href="https://people.skolelinux.org/pere/blog/tags/sikkerhet">sikkerhet</a>, <a href="https://people.skolelinux.org/pere/blog/tags/surveillance">surveillance</a>.
+
+
+ </div>
+ </div>
+ <div class="padding"></div>
+
+ <div class="entry">
+ <div class="title">
+ <a href="https://people.skolelinux.org/pere/blog/Jami_Ring__finally_functioning_peer_to_peer_communication_client.html">Jami/Ring, finally functioning peer to peer communication client</a>
+ </div>
+ <div class="date">
+ 19th June 2019
+ </div>
+ <div class="body">
+ <p>Some years ago, in 2016, I
+<a href="http://people.skolelinux.org/pere/blog/Experience_and_updated_recipe_for_using_the_Signal_app_without_a_mobile_phone.html">wrote
+for the first time about</a> the Ring peer to peer messaging system.
+It would provide messaging without any central server coordinating the
+system and without requiring all users to register a phone number or
+own a mobile phone. Back then, I could not get it to work, and put it
+aside until it had seen more development. A few days ago I decided to
+give it another try, and am happy to report that this time I am able
+to not only send and receive messages, but also place audio and video
+calls. But only if UDP is not blocked into your network.</p>
+
+<p>The Ring system changed name earlier this year to
+<a href="https://en.wikipedia.org/wiki/Jami_(software)">Jami</a>. I
+tried doing web search for 'ring' when I discovered it for the first
+time, and can only applaud this change as it is impossible to find
+something called Ring among the noise of other uses of that word. Now
+you can search for 'jami' and this client and
+<a href="https://jami.net/">the Jami system</a> is the first hit at
+least on duckduckgo.</p>
+
+<p>Jami will by default encrypt messages as well as audio and video
+calls, and try to send them directly between the communicating parties
+if possible. If this proves impossible (for example if both ends are
+behind NAT), it will use a central SIP TURN server maintained by the
+Jami project. Jami can also be a normal SIP client. If the SIP
+server is unencrypted, the audio and video calls will also be
+unencrypted. This is as far as I know the only case where Jami will
+do anything without encryption.</p>
+
+<p>Jami is available for several platforms: Linux, Windows, MacOSX,
+Android, iOS, and Android TV. It is included in Debian already. Jami
+also work for those using F-Droid without any Google connections,
+while Signal do not.
+<a href="https://git.jami.net/savoirfairelinux/ring-project/wikis/technical/Protocol">The
+protocol</a> is described in the Ring project wiki. The system uses a
+distributed hash table (DHT) system (similar to BitTorrent) running
+over UDP. On one of the networks I use, I discovered Jami failed to
+work. I tracked this down to the fact that incoming UDP packages
+going to ports 1-49999 were blocked, and the DHT would pick a random
+port and end up in the low range most of the time. After talking to
+the developers, I solved this by enabling the dhtproxy in the
+settings, thus using TCP to talk to a central DHT proxy instead of
+
+peering directly with others. I've been told the developers are
+working on allowing DHT to use TCP to avoid this problem. I also ran
+into a problem when trying to talk to the version of Ring included in
+Debian Stable (Stretch). Apparently the protocol changed between
+beta2 and the current version, making these clients incompatible.
+Hopefully the protocol will not be made incompatible in the
+future.</p>
+
+<p>It is worth noting that while looking at Jami and its features, I
+came across another communication platform I have not tested yet. The
+<a href="https://en.wikipedia.org/wiki/Tox_(protocol)">Tox protocol</a>
+and <a href="https://tox.chat/">family of Tox clients</a>. It might
+become the topic of a future blog post.</p>
+
+<p>As usual, if you use Bitcoin and want to show your support of my
+activities, please send Bitcoin donations to my address
+<b><a href="bitcoin:15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b">15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b</a></b>.</p>
+
+ </div>
+ <div class="tags">
+
+
+ Tags: <a href="https://people.skolelinux.org/pere/blog/tags/debian">debian</a>, <a href="https://people.skolelinux.org/pere/blog/tags/english">english</a>, <a href="https://people.skolelinux.org/pere/blog/tags/sikkerhet">sikkerhet</a>, <a href="https://people.skolelinux.org/pere/blog/tags/surveillance">surveillance</a>.
+
+
+ </div>
+ </div>
+ <div class="padding"></div>
+
+ <div class="entry">
+ <div class="title">
+ <a href="https://people.skolelinux.org/pere/blog/Fetching_trusted_timestamps_using_the_rfc3161ng_python_module.html">Fetching trusted timestamps using the rfc3161ng python module</a>
+ </div>
+ <div class="date">
+ 8th October 2018
+ </div>
+ <div class="body">
+ <p>I have earlier covered the basics of trusted timestamping using the
+'openssl ts' client. See blog post for
+<a href="http://people.skolelinux.org/pere/blog/Public_Trusted_Timestamping_services_for_everyone.html">2014</a>,
+<a href="http://people.skolelinux.org/pere/blog/syslog_trusted_timestamp___chain_of_trusted_timestamps_for_your_syslog.html">2016</a>
+and
+<a href="http://people.skolelinux.org/pere/blog/Idea_for_storing_trusted_timestamps_in_a_Noark_5_archive.html">2017</a>
+for those stories. But some times I want to integrate the timestamping
+in other code, and recently I needed to integrate it into Python.
+After searching a bit, I found
+<a href="https://dev.entrouvert.org/projects/python-rfc3161">the
+rfc3161 library</a> which seemed like a good fit, but I soon
+discovered it only worked for python version 2, and I needed something
+that work with python version 3. Luckily I next came across
+<a href="https://github.com/trbs/rfc3161ng/">the rfc3161ng library</a>,
+a fork of the original rfc3161 library. Not only is it working with
+python 3, it have fixed a few of the bugs in the original library, and
+it has an active maintainer. I decided to wrap it up and make it
+<a href="https://tracker.debian.org/pkg/python-rfc3161ng">available in
+Debian</a>, and a few days ago it entered Debian unstable and testing.</p>
+
+<p>Using the library is fairly straight forward. The only slightly
+problematic step is to fetch the required certificates to verify the
+timestamp. For some services it is straight forward, while for others
+I have not yet figured out how to do it. Here is a small standalone
+code example based on of the integration tests in the library code:</p>
+
+<pre>
+#!/usr/bin/python3
+
+"""
+
+Python 3 script demonstrating how to use the rfc3161ng module to
+get trusted timestamps.
+
+The license of this code is the same as the license of the rfc3161ng
+library, ie MIT/BSD.
+
+"""
+
+import os
+import pyasn1.codec.der
+import rfc3161ng
+import subprocess
+import tempfile
+import urllib.request
+
+def store(f, data):
+ f.write(data)
+ f.flush()
+ f.seek(0)
+
+def fetch(url, f=None):
+ response = urllib.request.urlopen(url)
+ data = response.read()
+ if f:
+ store(f, data)
+ return data
+
+def main():
+ with tempfile.NamedTemporaryFile() as cert_f,\
+ tempfile.NamedTemporaryFile() as ca_f,\
+ tempfile.NamedTemporaryFile() as msg_f,\
+ tempfile.NamedTemporaryFile() as tsr_f:
+
+ # First fetch certificates used by service
+ certificate_data = fetch('https://freetsa.org/files/tsa.crt', cert_f)
+ ca_data_data = fetch('https://freetsa.org/files/cacert.pem', ca_f)
+
+ # Then timestamp the message
+ timestamper = \
+ rfc3161ng.RemoteTimestamper('http://freetsa.org/tsr',
+ certificate=certificate_data)
+ data = b"Python forever!\n"
+ tsr = timestamper(data=data, return_tsr=True)
+
+ # Finally, convert message and response to something 'openssl ts' can verify
+ store(msg_f, data)
+ store(tsr_f, pyasn1.codec.der.encoder.encode(tsr))
+ args = ["openssl", "ts", "-verify",
+ "-data", msg_f.name,
+ "-in", tsr_f.name,
+ "-CAfile", ca_f.name,
+ "-untrusted", cert_f.name]
+ subprocess.check_call(args)
+
+if '__main__' == __name__:
+ main()
+</pre>
+
+<p>The code fetches the required certificates, store them as temporary
+files, timestamp a simple message, store the message and timestamp to
+disk and ask 'openssl ts' to verify the timestamp. A timestamp is
+around 1.5 kiB in size, and should be fairly easy to store for future
+use.</p>
+
+<p>As usual, if you use Bitcoin and want to show your support of my
+activities, please send Bitcoin donations to my address
+<b><a href="bitcoin:15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b">15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b</a></b>.</p>
+
+ </div>
+ <div class="tags">
+
+
+ Tags: <a href="https://people.skolelinux.org/pere/blog/tags/english">english</a>, <a href="https://people.skolelinux.org/pere/blog/tags/noark5">noark5</a>, <a href="https://people.skolelinux.org/pere/blog/tags/sikkerhet">sikkerhet</a>.
+
+
+ </div>
+ </div>
+ <div class="padding"></div>
+
+ <div class="entry">
+ <div class="title">
+ <a href="https://people.skolelinux.org/pere/blog/Stortingsflertallet_g_r_inn_for_ny_IP_basert_sensurinfrastruktur_i_Norge.html">Stortingsflertallet går inn for ny IP-basert sensurinfrastruktur i Norge</a>
+ </div>
+ <div class="date">
+ 24th April 2018
+ </div>
+ <div class="body">
+ <p><a href="https://www.vg.no/sport/i/J1g8zj/stortingsvedtak-snart-ip-blokkerer-utenlandske-spillselskaper">VG</a>,
+<a href="https://www.dagbladet.no/nyheter/stortinget-blokkerer-utenlandske-spillselskaper/69740219">Dagbladet</a>
+og
+<a href="https://www.nrk.no/ostfold/tar-opp-kampen-mot-utenlandske-spillselskap-1.14021381">NRK</a>
+melder i dag at flertallet i Familie- og kulturkomiteen på Stortinget
+har bestemt seg for å introdusere en ny sensurinfrastruktur i Norge.
+Fra før har Norge en «frivillig» sensurinfrastruktur basert på
+DNS-navn, der de største ISP-ene basert på en liste med DNS-navn
+forgifter DNS-svar og omdirigerer til et annet IP-nummer enn det som
+ligger i DNS. Nå kommer altså IP-basert omdirigering i tillegg. Når
+infrastrukturen er på plass, er sensur av IP-adresser redusert et
+spørsmål om hvilke IP-nummer som skal blokkeres. Listen over
+IP-adresser vil naturligvis endre seg etter hvert som myndighetene
+endrer seg. Det er ingen betryggende tanke.</p>
+
+ </div>
+ <div class="tags">
+
+
+ Tags: <a href="https://people.skolelinux.org/pere/blog/tags/norsk">norsk</a>, <a href="https://people.skolelinux.org/pere/blog/tags/sikkerhet">sikkerhet</a>.
+
+
+ </div>
+ </div>
+ <div class="padding"></div>
+
+ <div class="entry">
+ <div class="title">
+ <a href="https://people.skolelinux.org/pere/blog/_Rapporten_ser_ikke_p__informasjonssikkerhet_knyttet_til_personlig_integritet_.html">«Rapporten ser ikke på informasjonssikkerhet knyttet til personlig integritet»</a>
projects / homepage.git / blobdiff