
Map of undersea cables

Since the start of Russia's attack, the media have presented various scenarios that an escalation of the war could cause. One of these is sabotage of Internet connections.

As a good example, Iltalehti reported today: "International telecommunications depend on undersea cables: this is what would happen if Finland's cables were cut"

What would happen in the instant messaging world if the data connections between Finland and the rest of the world were suddenly cut?

In practice all traditional messengers would stop working. WhatsApp, Slack, Telegram, Discord, Teams and Signal all rely on a centralized server. If the connection to that server is cut, the whole service stops working. None of these services is located in Finland, so all of them would stop working until the connections were restored.

Likewise, social media services such as Facebook and Twitter would stop working entirely.

What would remain is the telephone network, where calls and text messages would still work. For emergency communication that gets you quite far, but at workplaces, for example, problems would quickly arise, since communication based solely on phones would not be very efficient.

The authorities' Virve network would work even in a crisis, but it too is rather limited in its features and is not available to ordinary citizens.

In such a situation decentralized messengers like pikaviestin.fi, which uses the Matrix network, shine. The Pikaviestin.fi server is located in a Finnish data centre, so it would work as before without international connections.

Communication would continue as before between all Finnish communities and companies using Matrix. Once Internet routing to servers in, for example, the other Nordic countries and Central Europe is restored, users of servers in those countries can be reached again.

If one of the servers drops off the network, for example due to a power outage or a network problem, it automatically synchronizes all communication as soon as the connection returns. Even if the connection is slow or intermittent, no message in Matrix is left undelivered.

If the crisis dragged on, the Pikaviestin.fi service would probably stop working after 1-2 months, when the Let's Encrypt TLS certificate it uses expires. It is renewed automatically when a month remains before expiry. Replacing the certificate with a paid, longer-lived certificate would of course be possible. The service's web pages are on GitHub Pages, which would stop working, but that would not prevent registering for the service or using it, since the Authentik server that manages user accounts is also located in Finland.

Users frequently ask how to set up a non-federating Matrix server for a company. This usually stems from not understanding how federation works. This post explains it a bit.

First, federating does not mean everyone can access your rooms from outside. Federation works at the room level. If you have zero rooms with users from other servers, no data leaves your server. You can use room options to choose which rooms to share outside your organization and with whom.

Let's take a generic company as an example.

Company internal rooms

Create new room: Private, enable E2EE, select “Block anyone not part of company.com from ever joining this room.”

This will create a non-federating room. No data from these rooms is ever sent outside your server. Rooms can be used for strictly company internal messaging.

Project rooms

Create new room: Private, enable E2EE if needed.

Go to Room settings / Roles and permissions. Set role for “Invite users” to “Moderator” or “Admin” as required.

This room can be used for discussing projects by company employees, but privileged users can also invite customers, subcontractors or other outside participants to join the room.

The messages are readable only by the invited users. The data is sent only to the invited users' servers. There is no central server (not even matrix.org) that can see any of the data. If the room is end-to-end encrypted, the message content is readable only by the users' clients, not even by their servers. This also applies to shared files: in E2EE rooms they are encrypted too.

Public rooms (contact, recruitment, support...)

Create new room: Public, do not enable E2EE, add a nice address for the room. Add a link to the room on the company web page.

These rooms can be used as public contact points for your company. Move the discussion to direct messages if non-public information needs to be discussed with a user.

Spaces

Spaces can be used to group rooms, but also to limit which users can join rooms. You might want to create a space for all employees containing the company rooms.

For extra security you can mark company internal rooms to require membership in the company space. You can freely add more spaces for different parts of the organization (sales, marketing, management) and use them to limit who can join which rooms.

Room Access Control Lists

This feature is not exposed in the Element UI yet, so it requires some API usage. You can set up per-room server access control lists to allow-list or deny-list the servers that can participate in a room.

For an extra layer of security you may want to add a room ACL to some rooms. For example, if you want to allow only users from company.com and customer.com to join, you can put those servers on the room's allow list and deny all others. This way even admins or moderators cannot invite outsiders to the room. See this page for documentation.

Room ACLs also make it possible to create public rooms that can be joined from specific servers without an invite.
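The following is an added example (not code from the original post) covering two of the steps above: the createRoom body that produces a company-internal, non-federating room (the API equivalent of Element's "block anyone not part of company.com" option, which sets `m.federate` to false), and an evaluator that applies an `m.room.server_acl` to server names the way the Matrix specification describes it: deny rules win over allow rules, globs use `*` and `?`, IP-literal servers can be rejected, and an absent or empty allow list admits nobody. The server names are constructed samples.

```python
"""Room ACL and non-federating room examples for the post above.

Added example, not the post's own code. ACL evaluation follows the
m.room.server_acl rules in the Matrix specification. Server names below
are constructed samples."""
import ipaddress
import re
from typing import Iterable


def internal_room_creation(name: str) -> dict:
    """createRoom body for a company-internal room: private, encrypted, and
    with m.federate=false so no other server can ever join."""
    return {
        "name": name,
        "preset": "private_chat",
        "creation_content": {"m.federate": False},
        "initial_state": [
            {
                "type": "m.room.encryption",
                "state_key": "",
                "content": {"algorithm": "m.megolm.v1.aes-sha2"},
            }
        ],
    }


def make_server_acl(allow: Iterable[str], deny: Iterable[str] = (),
                    allow_ip_literals: bool = False) -> dict:
    """Content of an m.room.server_acl state event (state key is "").
    It is sent with PUT /_matrix/client/v3/rooms/{roomId}/state/m.room.server_acl/"""
    return {"allow": list(allow), "deny": list(deny),
            "allow_ip_literals": allow_ip_literals}


def _glob_to_regex(glob: str) -> re.Pattern:
    # '*' matches any run of characters, '?' exactly one; everything else,
    # including the brackets of an IPv6 literal, is matched literally.
    pattern = re.escape(glob).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile(f"^{pattern}$")


def _host_part(server_name: str) -> str:
    # Server names are host[:port]; IPv6 literals are bracketed.
    if server_name.startswith("["):
        end = server_name.find("]")
        return server_name[1:end] if end != -1 else server_name
    host, _, port = server_name.rpartition(":")
    return host if host and port.isdigit() else server_name


def _is_ip_literal(server_name: str) -> bool:
    try:
        ipaddress.ip_address(_host_part(server_name))
    except ValueError:
        return False
    return True


def server_allowed(acl: dict, server_name: str) -> bool:
    """Decide whether a server may participate in a room under this ACL."""
    if not acl.get("allow_ip_literals", True) and _is_ip_literal(server_name):
        return False
    if any(_glob_to_regex(g).match(server_name) for g in acl.get("deny", [])):
        return False
    # Only servers matching an allow rule get in; an empty allow list admits
    # nobody, including your own server, which is the classic ACL mistake.
    return any(_glob_to_regex(g).match(server_name) for g in acl.get("allow", []))


if __name__ == "__main__":
    acl = make_server_acl(allow=["company.com", "*.company.com", "customer.com"])
    for name in ["company.com", "chat.company.com", "customer.com", "matrix.org"]:
        print(f"{name:20} {'allowed' if server_allowed(acl, name) else 'denied'}")
```

Because `deny` is checked before `allow`, a broad `allow: ["*"]` with a targeted deny list works as expected, whereas forgetting to include your own server in a narrow `allow` list locks your own users out of the room as well. Always include the server you are sending the event from.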

Conclusion

  • Don't disable federation. It's a powerful feature and does not compromise security if used correctly.
  • Matrix is still suffering from a chicken-and-egg problem. This is like 1995 for e-mail and will hopefully change in the future. Be ahead of the curve.

This is a random collection of FAQs and guides about Matrix. Mostly for my own notes, but they might be useful for others.

FAQ

1. Matrix is slow or not working properly. I'm on matrix.org homeserver

Matrix.org is used as the default server in many clients. It is known to be slow occasionally. You should pick a server you like from the list of public servers and register there. If you have already joined many rooms, you can use the migration tool to "copy" your old account to the new one.

After finishing, remember to leave all rooms with your matrix.org account so it won't use any resources on the already overloaded server. You can log in to both accounts simultaneously using private browser windows.

This also helps decentralize Matrix which is important for the whole ecosystem.

2. Synapse is slow. I'm running an SQLite database

The documentation should be clearer: SQLite is only for testing and development servers and is not suitable for production use. You must migrate to PostgreSQL using this script.

If you have further problems, join the Synapse Admins room and describe your problem.

3. I'm confused about Matrix terminology

It's a complex beast. Here is a short list of what is what:

  • Matrix = The protocol and the ecosystem around it. You cannot "run Matrix" or have an "account on Matrix". Often confused with matrix.org.
  • Homeserver = A Matrix server. There are lots of public ones, or you can set up your own. You create a user account on a homeserver of your choice.
  • matrix.org = One of many public Matrix homeservers where you can make an account. Often confused with Matrix. If possible, use another homeserver (see FAQ 1).
  • Element = One of many Matrix client applications. It has separate Web/Desktop/Android/iOS versions, so always specify which one you use when asking for help. You cannot have an "account on Element"; your account is on your Matrix homeserver.
  • Synapse = One of many Matrix server implementations. You can run Synapse on your server if you want your own Matrix homeserver.
  • Room = Called a channel in some other messengers. Contains the users that are in the room and the message contents. Rooms can also have a topic, a logo (room avatar), and widgets (small web pages such as a calendar, webcam, weather etc.).
  • Space = A group of rooms and other spaces. Can be used to organize rooms. A bit like Discord guilds or Slack workspaces, but more flexible. Spaces can contain other spaces, and you can create your own spaces for grouping rooms.
  • EMS = Element Matrix Services, a company developing the Element client and the Synapse and Dendrite homeservers. You can also get a hosted and professionally supported Matrix homeserver for your company or other organization here. There are also other paid Matrix providers, and anyone is free to start their own business based on Matrix.

4. I'm running Element Android, but notifications are unreliable. I installed it from F-Droid.

Push messages wake up the Element app when it is in the background. You need to set up UnifiedPush to receive push messages from the server. Documentation is here.

6. My Synapse is not working

  • Check that you are running the latest version. If you use Debian packages, use the matrix.org repository. Distro packages may be old.
  • If it doesn't start at all, check that your homeserver.yaml is correctly formatted. YAML files are quite strict about this.
  • Use the federation tester to check for federation errors. It understands delegation, so give it your server name (server.org instead of matrix.server.org).
  • Check the Synapse log file for any errors.
  • Check your reverse proxy log file for any errors.

If you still can't figure out the issue, come to the Synapse Admins room and ask for help.

7. Isn't matrix.org the main Matrix server?

It is a common misconception that matrix.org is the "main" Matrix server. This is incorrect. Matrix.org is just one (large) homeserver and has no special powers in the federation. Matrix.org staff cannot ban anyone on other servers or grant admin rights in rooms to users who don't have them. This is a conscious decision to keep Matrix decentralized.

Matrix.org is used as the default server for registration in some clients, notably Element. Users are encouraged to register on other servers if possible to spread the load.

Matrix.org has been offline on two occasions in its history, and Matrix federation kept working without issues for everyone else.

8. How do I disable federation?

Usually this is a mistake; read this post for details.

If you really want to do it, set federation_domain_whitelist: [] in the Synapse config. An empty whitelist means no remote server is permitted to federate with yours.

9. Should I upgrade my room to latest version?

Room versions describe how rooms work on a technical level. New room versions can fix bugs, improve security, and (rarely) add new user-facing features. If you have an existing room that seems to be working fine, there is generally no need to upgrade the room version.

If you still think you want to upgrade, you should first be aware that "upgrading" the room version is a bit of a misnomer. A room's version can't be changed. When you "upgrade" a room, what you are actually doing is creating a brand new room, and your client copies over the name, avatar, topic, and other settings. Your client will also give you the option to invite all of the users from the previous room. Each user will need to manually join the new room. For this reason, upgrading is a somewhat painful process. You shouldn't upgrade without a good reason.

If you decide that it is worth the cost to upgrade a room, you should generally jump to as new a version as is practical, so that you get all of the bug fixes, features, and security improvements in one jump. For example, don't upgrade from version 1 to version 2 today. If you have a version 1 room and decide to upgrade, go straight to the current default version. The main reason not to pick the absolute latest version is that servers need to specifically support each room version. If the users in your room are on older versions of Synapse or on alternative homeservers like Conduit, they may not be able to join rooms using the latest version.

Differences between the room versions:

Rooms created from 2014 through early 2019 use room version 1. Room version 1 has a bug which can cause the state of the room to reset. This is fixed in room version 2 and later. You should upgrade all version 1 rooms now.

Room versions 3 and 4 contained internal changes which don't affect users.

Room version 5 contained a minor security improvement.

Room version 6 contained more internal changes which don't affect users.

Room version 7 was the first to add a user-facing feature, knocking. This allows a user to request access to a private room.

Room version 8 was a buggy version. Upgrade these.

Room version 9 fixed the issues with version 8. Version 9 contains another user-facing feature, which is the ability to allow users in one room to join a separate private room. For example, you could allow members of a Space to join all of the private rooms within that Space.

And so on; new versions are created every now and then. At the time of writing the latest is version 10.

For more details on each room version, see https://spec.matrix.org/latest/rooms

10. I'm coming from Discord. What is Matrix like compared to it?

  • Both are basically chat systems. Matrix has about the same chat features as Discord, but is currently missing voice rooms. Voice rooms are being implemented.
  • Discord is a product created by one company. Matrix is an open standard and can be used and extended by anyone.
  • With Discord you can only chat with Discord users. Matrix has built-in interoperability with other messengers, so you can chat with users on different messengers. This is called bridging.
  • Discord has one official client everyone is supposed to use. Matrix has lots of clients you can choose from, so you can pick your favorite.
  • Discord is hosted by the company that owns it. You cannot connect to any other server with the Discord client. Matrix is decentralized (a bit like e-mail). As a user you can choose which server you want to trust, or run your own server.
  • Discord can be blocked by governments or ISPs. Discord has the power to ban any users it wishes from the whole service. As Matrix is decentralized, it's practically impossible to block it or mass-censor it. There is no central authority that can ban you, and it's not possible to block every single Matrix server. Every server and room sets its own rules.
  • Discord is not encrypted, so the staff can read and store any messages sent. Matrix supports end-to-end encryption that can be used for truly private messaging. Your server admin cannot read the messages, as the decryption keys are never sent to the server.

You can bridge existing Discord channels to Matrix rooms with a public Discord bridge.

Hints and guides

Tombstoning a room

With a tombstone you can decommission a room and point all its users to another room.

Create a new room

Create a new room. Make sure it is not encrypted. Go to Room settings / Advanced and copy the Internal room ID somewhere. Add the alias(es) you removed to this room. Set the other room settings to your liking, and don't forget a nice room icon picture.

Create tombstone

This will move all Matrix users in the old room to the new room.

Go back to the old room.

  • Type /devtools.
  • Select “Create custom event”
  • Press red “Event” button to change to “State event”
  • Set event type to “m.room.tombstone”
  • In event content enter (you'll need the target room ID now): { "body": "This room has been replaced by new one", "replacement_room": "!target_room_id:server.org" }
  • Press “Send”
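The same tombstone can be sent through the Matrix Client-Server API instead of Element's /devtools. The following is an added example, not code from the original post: it builds the `m.room.tombstone` state event (empty state key) with the same `body` and `replacement_room` keys as above and issues it as a PUT to `/_matrix/client/v3/rooms/{roomId}/state/m.room.tombstone/`. The homeserver URL, access token and room IDs are placeholders; the request builder checks that both IDs are shaped like `!opaque:server` and that a room is not pointed at itself, since a tombstone cannot be undone once sent.

```python
"""Tombstone a room through the Matrix Client-Server API.

Added example, not the post's own code. Builds the same m.room.tombstone
state event that the /devtools steps send. The homeserver URL, access token
and room IDs are placeholders."""
import json
import re
import urllib.parse
import urllib.request

# A room ID is "!" + opaque localpart + ":" + server name (optionally with port).
ROOM_ID_RE = re.compile(r"^![^:\s]+:\S+$")


def validate_room_id(room_id: str) -> str:
    """Reject anything not shaped like !opaque:server before it reaches the server."""
    if not ROOM_ID_RE.match(room_id):
        raise ValueError(f"not a Matrix room ID: {room_id!r}")
    return room_id


def tombstone_content(replacement_room: str,
                      body: str = "This room has been replaced by a new one") -> dict:
    """Event content with the same keys the post enters in /devtools."""
    return {"body": body, "replacement_room": validate_room_id(replacement_room)}


def build_tombstone_request(homeserver: str, access_token: str,
                            old_room: str, new_room: str) -> urllib.request.Request:
    """Assemble the PUT without sending it, so it can be inspected first."""
    validate_room_id(old_room)
    if old_room == new_room:
        raise ValueError("a room cannot be tombstoned to itself")
    # The state key is empty, hence the trailing slash after the event type.
    path = (f"/_matrix/client/v3/rooms/{urllib.parse.quote(old_room, safe='')}"
            "/state/m.room.tombstone/")
    payload = json.dumps(tombstone_content(new_room)).encode("utf-8")
    return urllib.request.Request(
        homeserver.rstrip("/") + path,
        data=payload,
        method="PUT",
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"},
    )


def send_tombstone(homeserver: str, access_token: str,
                   old_room: str, new_room: str) -> str:
    """Send the event and return its event ID. Needs a reachable homeserver."""
    req = build_tombstone_request(homeserver, access_token, old_room, new_room)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["event_id"]


if __name__ == "__main__":
    req = build_tombstone_request("https://matrix.example.org", "ACCESS_TOKEN",
                                  "!oldroom:example.org", "!newroom:example.org")
    print(req.get_method(), req.full_url)
    print(req.data.decode())
```

The access token must belong to a user whose power level allows sending `m.room.tombstone` in the old room (by default that is an admin), and the new room should already exist and carry the aliases, as described in the steps above.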

This one (and the previous one) can be found on Funkwhale at https://am.pirateradio.social/channels/grandmasterdrc/

Tracks

  1. Skeewiff – Man of constant sorrow
  2. UNKLE – The Knock (Drums Of Death Part 2)
  3. Simple Minds – New Gold Dream (81-82-83-84)
  4. Arling & Cameron – 1999 Spaceclub
  5. Pariss Clemons – Black Mary
  6. Paul Hardcastle – The Wizard
  7. Minä ja Nieminen – Tyttö Tanssii
  8. Pesäharava – Futupää
  9. The Shamen – Boss Drum (The Beatmasters Boss Mix)
  10. Bomb the Bass – Megablast (Hip Hop Precinct 13)
  11. Mike Mareen – Love-Spy
  12. Frankie Goes to Hollywood – Two Tribes (Annihilation)

All tracks are from vinyl except Tyttö Tanssii.