NOTICE: The use of the term nonfree on this page does not refer to the price, but refers instead to the freedom (or more specifically the lack thereof) offered by the program and/or its developer(s). Learn more at https://www.gnu.org/philosophy/categories.en.html#non-freeSoftware
It is my belief that everyone should use Free Libre Open Source (FLOSS) software. I use FLOSS software for its cost (or lack thereof), freedom, and privacy. FLOSS software is free to use, provides the ability for me to modify it for any reason, and respects my privacy. I also find that FLOSS software is generally more compatible with Linux, which is my preferred operating system.
Those are my reasons for using FLOSS software. You may have other things that you care about, and that is fine. There are many reasons you may want to use FLOSS. These may be anything from cost reasons to privacy reasons to not wanting to support big tech companies. Here is a short list of reasons you may want to use FLOSS software, although there are most certainly others.
Now I will not claim that using FLOSS or even OSS (open source software) tools and applications is perfect. Open source projects can be quite buggy or not work at all. It is also not that uncommon to find an interesting project, but have it be unmaintained or unsupported. However, finding an actively worked on project that does everything that you need (or not, you might need multiple apps to do everything you need, or decide that you can deal with missing features), can be quite rewarding.
1 While technically anyone is able to make modifications to open source software, it requires at least a basic knowledge of whatever programming language(s) are used by the project.
On Thursday, March 24th, the EU Parliament held its last debate on the Digital Markets Act (DMA), and decided how strongly to bring Big Tech to heel.
The EU’s intentions to ‘ensure fair and open digital markets’ have always been good, but there have been many points in the negotiations where the outcome could have been toothless – in particular around the interoperability obligation.
Interoperability in messaging’s core
So it’s a major positive to see that interoperability is now baked into the regulation. Despite the fact that the web, email and the phone network have been interoperable for decades (or centuries for the phone), the ‘siloisation’ of instant messaging and social networks is strongly entrenched. The gatekeepers didn’t want change, and had been lobbying hard spreading fear, uncertainty and doubt (FUD) – in particular around technical feasibility, privacy and moderation.
And while the final agreement reached on Thursday is not perfect, it is a huge step forward for user freedom and an open market. It mandates gatekeepers (aka Big Tech) enable other providers to interoperate with them for 1:1 and group messaging services, by opening up their APIs. Today the mandatory features are limited to basic ones rather than industry standard. So we’re at risk of seeing anything beyond text, images, videos, files and VoIP calls – such as animations, stickers, emojis and reactions – not being made available by gatekeepers. However there is scope for these to evolve as time goes. A strong case is being made to preserve security, including end-to-end encryption if applicable.
It is significant that interoperability applies to group chat. Big Tech argued against it on the grounds that it wasn’t technically feasible, but that was eventually debunked with Matrix and others proving that interoperable group chats, with end-to-end encryption, are perfectly possible. Group calls do not seem to be in scope.
Limiting interoperability requirements to 1:1 messaging would have been a fatal mistake; a classic small detail that would render the regulation entirely ineffective. Communication is group-centric, so users would not bother to use a different app for one-to-one chats if they had to switch back to the gatekeeper’s app for group discussion.
But social networks managed to get away with it
While there was enough debate and education for the European bodies to see through status-quo preserving FUD for instant messaging, unfortunately interoperability for social networks got dropped; mostly based on concerns around the ability to moderate a big open network. Hopefully that’ll be revisited in the future. In the meantime, within the realm of instant messaging, we’ll implement a far superior – and user-driven – form of moderation that can set an example for interoperable social networks.
The innovation lie
Behemoths will be behemoths. Of course they will use their huge resources to protect their market position, profits and shareholders. But something that really needs calling out is Big Tech’s (and in particular Facebook’s) empty claim that interoperability will slow innovation down.
Interoperability is the catalyst for innovation. Tim Berners-Lee unleashed the power of the open (interoperable) web. Big Tech subsequently built on it, gradually centralising great chunks of it to become proprietary platforms. Ensuring interoperability is the most reliable way to kick-start a new era of innovation to challenge outsized and complacent incumbents.
The only thing interoperability slows down is Facebook’s ability to further cement the marketplace in its favour, which is why it’s been fighting so hard against it.
How to interoperate
Ensuring interoperability is one thing, stipulating how to do it is another.
Interoperability means that two services need to be able to communicate with one another. That can be done by connecting them one-to-one, or by having them all able to speak the same language.
The EU has gone with the first approach, where the gatekeeper simply opens up the APIs used internally for its service to function to the rest of the world so others can connect to it. It’s very simple for the gatekeeper to do, but it means that other services will have to implement every gatekeepers’ APIs, which is cumbersome – and that if the gatekeeper is using end-to-end encryption then it will be harder to preserve. And that gatekeeper can, of course, decide to be deliberately opaque and difficult in making APIs available.
The second approach is what we see with email and the web; everyone uses the same open standard. It is the most sustainable solution as everyone only has one implementation to do to join the network. It also makes it far easier to preserve end-to-end encryption. However it requires an independent standard to be ready and recommended by the regulation, and whilst protocols like Matrix are ready for it, the time frames for the EU to select a standard were a bit tight. So while open APIs are a valid first step, we imagine an open standard will become the foundation for stronger and more practical interoperability.
The bottom line
The EU has taken an historical step in addressing Big Tech’s stranglehold over messaging, sparking innovation that will see users get far better messaging services. They will now be able to choose who is hosting their data, and which app they want to use to access it. Smaller companies will be able to invest, innovate and build value; either by addressing a niche market, providing differentiating features, or bringing a whole new communication experience. Most importantly they can thrive because they won’t have to worry about having to build a network of users from scratch. Freedom and competition won in Europe today, at least in the tech world.
The EU’s next discussion on the Digital Markets Act (DMA) will take place soon and interoperability for online communications (messaging apps, collaboration tools and social media platforms) will be at the heart of it.
Interoperability was one of the key features of the DMA when it was first advertised, as it’s completely aligned with the fundamental goals of the act. Interop removes the grip gatekeepers have on digital markets and gives an opportunity to smaller players to flourish – whilst giving more control to the users over their communications.
However the different parties (the European Commission, Parliament and Council) are having a hard time reaching an agreement over it, to the point the clause may be completely dropped.
Interoperability means that users will no longer be locked into particular ecosystems. For instance, you’ll no longer have to use WhatsApp in order to chat with someone else who uses WhatsApp. No more silos. No more being locked into a product or ecosystem. People will be free to easily chop and change between different apps, without the cost of existing friends dropping out of their contacts.
The concept isn’t too different from interoperability between banks, or interoperability between phone networks. Encouraging consumers to shop around creates a more innovative and competitive marketplace, driving up standards and customer service. It’s a good thing.
Unless you’re a Big Tech incumbent; in which case helping people to shop around more easily threatens your huge profits and monopoly position. Indeed it’s such a crimp in your plans that you’ll fight tooth and nail to preserve the status quo.
So with Big Tech fighting any level of change, regulators will opt for the easiest solution possible. They will say: “Look, all you need to do is open your respective APIs to enable others to interoperate – then we’re done!”
And they are right to a degree; every app has APIs, that’s how they work, and several (like Twitter, Facebook, Slack, Telegram…) have already made them public. Although currently, the terms of use of these public APIs tend to be incredibly restrictive (paid, rate-limited, or literally anticompetitive: “you cannot use this API if you compete with us”) or can be turned off at any time (as Twitter famously did).
However from an EU perspective, it could be pretty easy to stipulate that the gatekeepers must open APIs and also prevent Big Tech from limiting how those APIs can be used by others.
From Big Tech’s perspective, that’s a win. It allows them to easily tick the compliance box, while kicking the can L-O-N-G down the road. As Apple is currently demonstrating in the Netherlands, they can play the political game forever – they have the marketplace, the cash and the resources. Big Tech has hordes of lawyers and the like. Hell, Facebook has even hired an ex-prime minister (well, a deputy one at least) to lobby for them.
They can drag their feet on opening an API. Release it without fanfare or enthusiasm, and make sure it’s not particularly good; a bit of a pig. Clunky. Unreliable. “This stuff is tricky, you know?” And just when people are finally getting to grips with it… they can update it! To make it worse. Or just different. Different enough to put a bunch of smaller companies through a whole lot more development cost.
And of course when all the Big Tech players do that across all their products, it becomes very expensive indeed for some start up to continue to compete. And Big Tech will say: “Well, we tried. We created the open APIs. But consumers chose to stay with us.”
Not only do open APIs favour the incumbents, they also present a fresh challenge. If you bridge to any end-to-end encrypted app (e.g. WhatsApp) you will have to decrypt the communication at the bridge level to either pass it to an unencrypted app (e.g. Slack or Telegram) or re-encrypt it to send it to another encrypted app like Signal.
The real solution is not open APIs, but open standards.
It’s an open standard that levels the playing field, not asking the big players if they don’t mind sharing the ball please.
An open standard means that anyone and everyone can invest in development – driving innovation, raising standards, creating jobs – safe in the knowledge that the ground won’t move from under them. Knowing that Big Tech can’t simply whip away the API rug.
An open standard also means that end-to-end encryption can be preserved, protecting users and their privacy.
The web flourished because it was based on an open standard; something that was free both literally and in spirit.
The power of the early days of the web can be rekindled by an open standard for online communications. Element is built on just such a standard – Matrix, which has a thriving ecosystem, and puts forward its own interoperability argument. Other open standards exist, and there are more to come.
The EU’s DMA could bring fundamental change and improvement to online communications, and challenge a business model that sees centralised tech giants profit by harvesting users’ data. Or it could fail.
The DMA is a noble piece of legislation, and mandating open APIs would be a good first step. But to be a successful piece of legislation, it must eventually choose open standard based interoperability.
Big Tech doesn’t want an open standard. The gatekeepers will raise objections in an effort to create fear, uncertainty and doubt so let’s answer that FUD in advance…
Does an open standard slow down innovation and development?
No, not everyone has to provide the same features. The standard only defines the common language so that the basic act of sending information from one app to another can be achieved. Then any service can create its own specialities on top, ensuring innovation and competition.
Is it complicated to make an existing service compatible with a standard?
No, it only took Gitter a month to speak Matrix when it joined the network. And the person leading that project was from Gitter, not a Matrix developer.
Is an open standard incompatible with security?
An open standard is far more secure than open APIs and today’s siloed apps. An open standard can ensure end-to-end encryption (and much more) between competing apps – and be audited independently for the benefit of all. And of course an open standard is far more transparent.
Contrast that to the current world of siloed apps. A service such as WhatsApp or Signal puts all its users in one place. Those users are at the mercy of the service; it owns and manages everything and can be as opaque as it wants.
Is an open standard incompatible with data privacy?
Quite the opposite. Regulations like the Digital Markets Act do not exist by themselves. Data privacy is already regulated by GDPR, and soon the Data Act. Data can be shared on a need to know basis with other providers, users can have their say and clarity on what is being shared, with who and why. And of course end-to-end encryption protects users too.
How can we even moderate interoperable social media?
Big Tech has failed very badly, and unleashed many serious consequences as a result.
No individual, team or company can make choices on behalf of the world at large. A company simply cannot unilaterally dictate what is ‘good’ or ‘bad.’
The entire approach to moderation requires a mind shift because a top-down approach of armies of moderators staring at bad stuff is not a sustainable solution.
What’s required is tooling to empower all admins, moderators and users in the network to manage their communication. Email failed spectacularly at this, and rather than say “it’s impossible, look at email” our take is “email failed, how can we learn from it?”. This is why Element has a Trust and Safety team that builds all the tools service providers need to keep their users safe in a decentralised and secure open network, and uses them extensively.
The key is to give admins and users the ability to filter content and people based on their reputability and one’s interests. We believe a collaborative approach to moderation allows communities of people to draw on the experience and knowledge of those they trust (much as in real life), from blocking illegal and unpleasant content to simply ignoring things they aren’t interested in.
First off, I assume that you have both a Cloudflare account, as well as an account on either Github or Gitlab. I will be using Gitlab in this tutorial. You will also need to have git installed on your computer. Start off by creating a new blank repository (or project as Gitlab calls it). The name doesn’t matter, but name it something descriptive so you can find it later. The visibility level shouldn’t matter. I flipped it to Public so that it can be helpful for others. Click create if you haven’t already. You should now be taken to your brand new repository. You can use an existing repository if you want as well.



Next, you will want to clone your project locally. I would recommend setting up ssh auth before cloning as this will make it easier to push your changes later. If you have already done this, you can skip this step. If you don’t know how to do so, follow these steps for Github, or these steps for Gitlab. This is especially important if you use 2 Factor Authentication. Now you can clone it. Open a terminal window on Mac or Linux, or a PowerShell window on Windows. Next, change to the directory where you want your project to live (creating it if necessary), find the clone button near the top of your project page, copy the ssh link, type git clone, and paste the link you got. Type cd <your project's name> to go into the project's repository.

Now you are ready to add content. First thing is to create the .well-known files for your matrix server. Skip this if you just want to host element and use a public homeserver like matrix.org. Create a new folder named .well-known (notice the period at the front), and create a folder in that folder named matrix (no period this time). Using your favorite text editor (I personally like vim), create a file in the .well-known/matrix folder named client with the following content (replace the URL of the homeserver with yours).
{
    "m.homeserver": {
        "base_url": "https://minecraftchest1-matrix.eastus.cloudapp.azure.com:443"
    },
    "m.identity_server": {
        "base_url": "https://vector.im"
    }
}
Next create the file .well-known/matrix/server with the following content, again replacing the URL with your own. That’s all for the .well-known files. Run the command git add . to tell git about the files (the dot also picks up the hidden .well-known folder, which a shell-expanded * would skip), git commit -am 'Add .well-known files' to commit the files, and do a git push to push them back to Github or Gitlab.
{ "m.server": "minecraftchest1-matrix.eastus.cloudapp.azure.com:443" }

Element is also easy to add. It requires slightly more work to get working correctly, but the steps are all very easy. Download the latest release from https://github.com/vector-im/element-web/releases (the file ending in tar.gz) and extract it to the root of your site (it will extract into a new dir). On Linux, you can use tar -xvf <filename>.tar.gz to extract the file. On Windows, you will likely need a tool like 7zip to extract it. Next, rename the extracted folder if desired. You can also move its contents out of the extracted folder if you want Element at the root of your site.


Now you need to configure Element. Open the folder that Element lives in and copy config.sample.json to config.json. Open it up and change the homeserver baseurl and server name to the correct values. You can change the other settings, but those are the ones that you are most likely going to want to change.
You can now do git add, git commit and git push if you want, but there is one more thing that needs to be done for Element to work right, and that is configuring the CORS (Cross-Origin Resource Sharing) headers that allow Element to talk to the homeserver. At the root of your repository, create a file named _headers with the following content. Once that is done, add the files to git, commit your changes, and perform a git push.
/*
  Access-Control-Allow-Origin: *
  X-Frame-Options: SAMEORIGIN
  X-Content-Type-Options: nosniff
  X-XSS-Protection: 1; mode=block
  Content-Security-Policy: frame-ancestors 'none'

Now that you have everything in your repository, we need to serve the content. Log in to the Cloudflare dashboard and go to the Pages tab on the side, then Create a Project in the top of the middle pane. Select the tab for Github or Gitlab and sign in if you aren’t already. Select the project you want to use, then begin setup at the bottom. Change the project name (which will affect the pages.dev subdomain you get) if desired. You should be able to keep everything else at the defaults, then click save and deploy at the bottom. You should then be taken to the project deployment page. The project will likely take a few minutes to build.
Once it is done, you should get a success message. If not, read through the logs and go back through this post to see if you can figure it out. You can also comment down below and I will be happy to help. Click the Continue to Project button when done and you will be taken to your site’s dashboard. And that’s all. I hope this post was helpful for you. Please comment below with any feedback you have. Thanks for reading.
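A post-deploy check for the two .well-known files and the response headers set up above, added here as an example and not part of the original post. It works on a response body and header dict you have already fetched; the example.org values are constructed placeholders, and the literal-quote check assumes header values are sent exactly as written in _headers.

```python
import json
from urllib.parse import urlsplit

HARDENING = ("x-frame-options", "x-content-type-options",
             "x-xss-protection", "content-security-policy")

def _load(body):
    """Parse a response body as a JSON object, or return (None, problem)."""
    try:
        doc = json.loads(body)
    except ValueError as exc:          # also covers undecodable bytes
        return None, f"not valid JSON: {exc}"
    if not isinstance(doc, dict):
        return None, "top level is not a JSON object"
    return doc, None

def check_client(body, headers):
    """Problems in a /.well-known/matrix/client response."""
    hdrs = {k.lower(): v.strip() for k, v in headers.items()}
    problems = []
    # Web clients on another origin can only read the file with this header.
    if hdrs.get("access-control-allow-origin") != "*":
        problems.append("Access-Control-Allow-Origin is not '*'")
    # A value such as "1; mode=block" sent with its quotes is ignored by browsers.
    for name in HARDENING:
        value = hdrs.get(name, "")
        if len(value) >= 2 and value[0] == value[-1] == '"':
            problems.append(f"{name} is served with literal quotes: {value}")
    doc, err = _load(body)
    if err:
        return problems + [err]
    for key, required in (("m.homeserver", True), ("m.identity_server", False)):
        entry = doc.get(key)
        if entry is None:
            if required:
                problems.append(f"{key} is missing")
            continue
        url = entry.get("base_url") if isinstance(entry, dict) else None
        parts = urlsplit(url) if isinstance(url, str) else None
        if parts is None or parts.scheme != "https" or not parts.hostname:
            problems.append(f"{key}.base_url is not an https URL")
    return problems

def check_server(body):
    """Problems in a /.well-known/matrix/server response."""
    doc, err = _load(body)
    if err:
        return [err]
    target = doc.get("m.server")
    if not isinstance(target, str) or not target:
        return ["m.server is missing or not a string"]
    if "/" in target:
        return ["m.server must be host[:port], not a URL"]
    try:
        parts = urlsplit("//" + target)
        parts.port                     # raises ValueError on a bad port
    except ValueError:
        return ["m.server has an invalid host or port"]
    return [] if parts.hostname else ["m.server has no hostname"]

# Constructed sample responses (example.org is a placeholder host).
GOOD_CLIENT = b'{"m.homeserver": {"base_url": "https://matrix.example.org:443"}}'
GOOD_HEADERS = {"Access-Control-Allow-Origin": "*",
                "Content-Security-Policy": "frame-ancestors 'none'"}
BAD_CLIENT = b'{"m.homeserver": {"base_url": "matrix.example.org:443"}}'
BAD_HEADERS = {"Content-Security-Policy": "\"frame-ancestors 'none'\""}

if __name__ == "__main__":
    print(check_client(GOOD_CLIENT, GOOD_HEADERS))
    print(check_client(BAD_CLIENT, BAD_HEADERS))
    print(check_server(b'{"m.server": "matrix.example.org:443"}'))
    print(check_server(b'{"m.server": "https://matrix.example.org"}'))
```
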


Are you on Matrix? Discuss this post at https://matrix.to/#/#minecraftchest1-blog-matrix-elemet-cloudflare:matrix.org
Threat actors have started distributing fake Windows 11 upgrade installers to users of Windows 10, tricking them into downloading and executing RedLine stealer malware.
The timing of the attacks coincides with the moment that Microsoft announced Windows 11’s broad deployment phase, so the attackers were well-prepared for this move and waited for the right moment to maximize their operation’s success.
RedLine stealer is currently the most widely deployed password, browser cookies, credit card, and cryptocurrency wallet info grabber, so its infections can have dire consequences for the victims.
According to researchers at HP, who have spotted this campaign, the actors used the seemingly legitimate “windows-upgraded.com” domain for the malware distribution part of their campaign.
The site looks like a genuine Microsoft site and, if the visitor clicked on the ‘Download Now’ button, they received a 1.5 MB ZIP archive named “Windows11InstallationAssistant.zip,” fetched directly from a Discord CDN.

Fake website used for malware distribution (HP)
Decompressing the file results in a folder 753 MB in size, an impressive compression ratio of 99.8%, achieved thanks to the presence of padding in the executable.
When the victim launches the executable in the folder, a PowerShell process with an encoded argument starts.
Next, a cmd.exe process is launched with a timeout of 21 seconds, and after that expires, a .jpg file is fetched from a remote web server.
This file contains a DLL with contents arranged in reverse form, possibly to evade detection and analysis.
Finally, the initial process loads the DLL and replaces the current thread context with it. That DLL is a RedLine stealer payload that connects to the command-and-control server via TCP to get instructions on what malicious tasks it has to run next on the newly compromised system.

RedLine execution and loading chain (HP)
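Two triage checks a defender can run on downloads matching the chain described above, added here as an example and not taken from HP's report or the original article: one flags archive members that are large and almost entirely padding, the other flags an "image" whose bytes are a PE file stored back to front. The thresholds, the sample names and the assumption that the whole file is byte-reversed are illustrative, and the sample data is constructed.

```python
import io
import struct
import zipfile

JPEG_MAGIC = b"\xff\xd8\xff"

def padded_entries(zip_bytes, min_saving=0.99, min_size=1 << 20):
    """Return (name, saving) for members that are large and almost all padding.

    Only the archive's directory metadata is read; nothing is extracted.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.file_size < min_size:
                continue
            saving = 1 - info.compress_size / info.file_size
            if saving >= min_saving:
                hits.append((info.filename, round(saving, 3)))
    return hits

def is_pe(data):
    """True if data starts with an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def classify_image_download(data):
    """Classify a file that was fetched under an image extension."""
    if is_pe(data):
        return "pe"
    if is_pe(data[::-1]):              # executable stored in reverse byte order
        return "reversed-pe"
    if data.startswith(JPEG_MAGIC):
        return "jpeg"
    return "unknown"

def fake_pe():
    """Constructed stub holding only the fields is_pe() reads; not a loadable binary."""
    dos_header = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40)
    return dos_header + b"PE\x00\x00" + b"\x00" * 32

def sample_zip():
    """Constructed archive: one zero-padded 'installer' and one small text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Setup.exe", fake_pe() + b"\x00" * (2 << 20))
        zf.writestr("readme.txt", "constructed sample\n")
    return buf.getvalue()

if __name__ == "__main__":
    print(padded_entries(sample_zip()))
    print(classify_image_download(fake_pe()[::-1]))
```
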
Although the distribution site is down now, nothing stops the actors from setting up a new domain and restarting their campaign. In fact, this is very likely already happening in the wild.
Windows 11 is a major upgrade that many Windows 10 users cannot get from the official distribution channels due to hardware incompatibilities, something that malware operators see as an excellent opportunity for finding new victims.
As BleepingComputer reported in January, threat actors are also leveraging Windows’ legitimate update clients to execute malicious code on compromised Windows systems, so the tactics reported by HP are hardly surprising at this point.
Remember, these dangerous sites are promoted via forum and social media posts or instant messages, so don’t trust anything but the official Windows upgrade system alerts.
I want to mention that I am in the process of deactivating and deleting my Twitter account, even though it is only a week old.
The first thing I noticed when creating my account is that Twitter asked me for my areas of interest, something I was not willing to give. I was able to get around it by changing the URL to just twitter.com. As I followed just 2 people, I started to get unrelated suggestions breaking up the list of tweets for a user. This is easily mitigated by using a 3rd party app, Twidere X, or by using Nitter. However, the fact that they add it in the first place makes me unhappy.
The next thing I noticed, a day later, is that I started getting emails about everything happening on Twitter, even after turning off all email notifications, something that made me leave the platform.
As I was signing into Twidere X, a third party client on f-droid, I noticed that there was no option to sign in with Google (which was what I used to sign up), making me have to create a password.
In summary, I have had nothing but a bad experience with Twitter. I am going to continue to use Mastodon and follow Twitter users with Birdsite Live. While I don’t get the ability to like and comment on tweets, I consider it a small price to pay to use a platform that is what I think twitter should be. And if laws regarding open interoperability come to be, I may be able to experience the best of both worlds.
Update: I have successfully deactivated my twitter account.
https://social.librem.one/users/guardianproject/statuses/107597335482639658
–
The US State Dept’s “Global Internet Freedom” funds (#OpenTechFund #StateDRL #USAGM and more) now require #OpenSource: section 7050, “Funds… may only be made available to support open-source technologies that undergo comprehensive security audits…”.
https://www.congress.gov/bill/117th-congress/house-bill/4373/text?q=%7B%22search%22%3A%5B%22Department+of+State%2C+Foreign+Operations%2C+and+Related+Programs+Appropriations+Act%22%2C%22Department%22%2C%22of%22%2C%22State%2C%22%2C%22Foreign%22%2C%22Operations%2C%22%2C%22and%22%2C%22Related%22%2C%22Programs%22%2C%22Appropriations%22%2C%22Act%22%5D%7D&r=1&s=8#H33E670CAB846443F906B4EE722D7E91C

Majenko's Hardware Hacking Blog
Due to WordPress’s abysmal handling of code blocks this blog post is now hosted at https://majenko.co.uk/blog/
A lot of the time on the Arduino forums we get questions regarding wiring things together. One common format is:
I want to connect my 12V powered LED strip to my Arduino but I can’t get it to communicate. I have checked all the connections and they seem fine. I have a 12V power supply for the LEDs and the Arduino is powered from the computer.
And 9 times out of 10 the first question we have to ask in return is:
Have you connected the grounds together?
And guess what the reply to that usually is? Yep:
No, do I need to? And isn’t that dangerous, connecting a 12V ground to the 5V Arduino ground?