The cybersecurity collaboration of University of Iceland and Reykjavik University will open their Frostbyte cybersecurity laboratory and students will present results from their cybersecurity projects.

When: 23 May 2025, 9:00-13:45

Where: Reykjavik University – Lecture room Mars M122

        9:00-9:10	Opening 
	  9:10-9:30	Keynote presentation

 	  9:30-9:50	Student presentation
	 9:50-10:10	Student presentation
	10:10-10:30	Student presentation

	10:30-10:45 	Coffee break

	10:45-11:05 	Student presentation
	10:05-11:25 	Student presentation
	10:25-11:45 	Student presentation

	11:45-12:15	Lunch break

	12:15-12:35 	Student presentation
	12:35-12:55 	Student presentation (or early start of round table discussions)

	12:55-13:15 	Round table discussions 
		Identify problems & topics, needed skills & resources for teaching and research
	13:15-13:25 	Summary of round table discussions

	13:25-13:30 	Closing & Announcement of best student presentation
	13:30-13:45 	Frostbyte cybersecurity laboratory opening

Coffee and small bites available from 9:00.
Registration needed (to qualify for food), see also https://www.frostbyte.is/news/

Presentation topics:

• Accidental pentest – why not to code with AI
• Future of bootkits and defences against them
• Real-time malware classification through honeypot analysis
• How safe is home? – Investigating router configurations and cybersecurity readiness in Iceland
• Gagnabær: An interactive visualization of real-world cyberattacks
• HoneywareX: LLM-based Linux Shell Honeypot
• Flexible introspection solutions & VMI vs eBPF
• Vulnerabilities and exploitation of RFID identification cards

See also the printed programme.

This event is also announced on the RU webpage and on the UoI webpage in Icelandic and English.

This event is in the context of our cybersecurity activities and the ECCC/EU co-funded projects ICEDEF – Defend Iceland and Eyvör – the National Cybersecurity Coordination Centre of Iceland (NCC-IS).

While the deadline for our M.Sc. programmes in Tölvunarfræði/Computer Science, Hugbúnaðarverkfræði/Software Engineering, and Reikniverkfræði/Computational Engineering have passed, you can still enroll into or B.Sc. programmes.

So, if you wanted to enroll into one of our M.Sc. programmes, but missed the deadlines: just enroll into a related B.Sc. programme (e.g. Iðnaðarverkfræði/Industrial Engineering) which allows you to take courses, including the M.Sc. courses of the M.Sc. programme that you were aiming for. In some cases, you need to talk to the teachers of these courses to get admitted as a non-B.Sc. student (but this should not be a problem if you can show that you have already the B.Sc. degree that is assumed for that course). You can then still change next year into your desired M.Sc. programmes and get your M.Sc. courses that you already took accounted.

The coalition agreement of the new Government that is forming aims at more digital surveillance (e.g. data retention in telecommunication, face and number plate recognition). While this is not good for privacy, at least IT security gets legal certainty:

In the Germany, there is the problem that IT security researchers who report vulnerabilities to companies (Responsible Disclosure) are sometimes sued by these companies based on a German legislation that was supposed to make breaking into IT systems a crime. I signed a petition of IT security researchers to change that legislation in order to prevent that Responsible Disclosure can be made a crime. The hope was that the currently forming government will change legislation and indeed:

The new coalition agreement covers cybersecurity at some places in an abstract manner and also includes the above legislative change:

Cyberstrafrecht, Deepfakes, Strafbarkeit Plattformbetreiber und Hackerparagraph
Wir reformieren das Cyberstrafrecht und schließen Strafbarkeitslücken, zum Beispiel bei bildbasierter sexualisierter Gewalt. Dabei erfassen wir auch Deep Fakes und schließen Lücken bei deren Zugänglichmachung gegenüber Dritten. Wir verschärfen die Sanktionsmöglichkeiten gegenüber Plattformen, insbesondere bei systemischen Mängeln bei der Entfernung strafbarer Inhalte. Wir werden im Computerstrafrecht Rechtssicherheit für IT-Sicherheitsforschung schaffen, wobei wir Missbrauchsmöglichkeiten verhindern.

Research trip/Vísindaferð is a visit to learn about companies (also as future employers) and to learn about the science behind the products that they develop. Often, these are organised by student associations as a social event.

This time, our student association Nörd visited not a company, but their teachers at the Computer Science department to learn about the research done there -- to get an idea of topics that they could do later as M.Sc. students.

I presented the following short slide deck on Software Engineering research area and the Cybersecurity M.Sc. specialisations.

Video showing the installation of a buoy: due the results of a student's M.Sc. thesis, the location can be obtained with centimeter precision and even without mobile phone coverage: an internet connection at the shore can be relayed via LoRaWAN several dozens of kilometers. Note that the linked video goes into archiving mode if it has not been viewed for two years.

The above video shows the results of the M.Sc. thesis Design and Implementation of a Buoy Positioning and Monitoring System Using Differential GNSS and LoRaWAN.

Earlier this year, I have suggested together with other colleagues to the Icelandic government to use open-source software in order to save money. While we mentioned there already the opportunity to gain digital sovereignty, this has become even more important with the new administration in the U.S., i.e. being dependent on Microsoft or any other US software provider can be dangerous, because a "kill switch" could lead to making US software stop working and loosing access to your data that is stored in the cloud of an US company. Note that also European companies that use internally US-services are affected, e.g. while Spotify is Swedish, it uses both the Google and Amazon cloud for delivering their services. (And of course, this is not just about US services, but also about US operating systems, i.e. Microsoft Windows, Apple OS and iOS, and also the Google service in Android which might be a motivation to use Android without any Google services. Also everything with a firmware, e.g. a WiFi router or the BIOS of a computer, might either already have or get via firmware update a kill switch. While people got already sensitive concerning hardware from China, this could apply also to hardware that is developed elsewhere.)

The Dutch parliament just approved a series of motions calling on the Dutch government to reduce dependence on U.S. software companies.

Also, if you check the accesses to the web page of european-alternatives.eu you see that the interest European alternatives for digital service and products is rapidly increasing since mid of January 2025, i.e. when the new US administration came into office.

Currently, the Icelandic government is drafting a bill on the future IT system for the Icelandic administration:

• A draft of a new bill has been made. While the 9 articles of the bill itself are very abstract (but give the finance minister more power on deciding centrally on the IT system), the justification that follows towards the end is more interesting to read.
• The first reading was held at the parliament. While Microsoft has been mentioned a couple of times, also Open-Source was mentioned once.

The question is whether a system like Stafrænt Ísland ("Digital Iceland") is created where Icelandic companies win tenders offered by the state and then develop software for the island.is portal (that can be used to access digital government services) (and the developed software is even made available as open-source) or whether one gigantic Microsoft solution is introduced.

In fact, other states are already working on digital sovereignty, for example the German Zentrum Digitale Souveränität, or short: ZenDis, that is working on OpenDesk which is an open-source solution intended for governments and other public institutions as alternative to Microsoft services that are currently used. The German Army just signed a seven year framework contract with ZenDis to introduce OpenDesk.

Therefore, it would be exciting to see the Icelandic government offering tenders for integrating such software into the Icelandic government IT landscape and have then Iceland teams win these tenders. By this, digital sovereignty is achieved and Icelandic tax money stays in Iceland instead of feeding the big US tech companies and expertise is created and stays in Iceland.

I did not find that draft bill number 141 in the comment system of the parliament (umsagnagátt), but the above justification refers to comments that have been made earlier.

Update 10 Apr 2025:

Seem that I missed the window for comments: On 27.03.2025, a request for comments was issued and the deadline was til 06.04.2025. stakeholders have been asked for comments and comments came in right now.

P.S.: The Mozilla subsidiary Thunderbird has just announced that they will be offering Thundermail and Thunderbird-pro services" as an alternative too Google's GMail and Microsoft's Office365. Note that while the Thundermail web mail service is probably hosted in some cloud related to an US provider, the underlying software is supposed to become open-source so that you can host this on you own hardware. (This is anyway based on Stalwart that already provides such an open-source solution. In contrast to Mailcow it might be more commercial. A technical comparison can be found on reddit.

Update 19 May 2025:
Microsoft blocked the email account of Chief Prosecutor of the International Court of Justice after Trump's sanctions.. So, all the concerns became already reality.

The EU's Digital Europe Programme (DEP) is fostering digital transformation and therefore co-funding projects that improve cybersecurity, artificial intelligence, high-performance computing and other aspects of digital transformation.

We have already established in 2022 Eyvör – the National Cybersecurity Coordination Centre of Iceland (NCC-IS) that received co-funding from the European Cybersecurity Competence Centre (ECCC) for the period 10/2023-9/2025.

Now, we just got the notification that we will receive two further years of co-funding from the the ECCC/EU based on the call Deploying The Network of National Coordination Centres with Member States (DIGITAL-ECCC-2024-DEPLOY-NCC-06-MS-COORDINATION).

The core tasks of the follow-up Eyvör NCC-IS are:

• Acting as contact points at the national level for the Cybersecurity Competence Community to support the ECCC in achieving its objectives and missions;
• Providing expertise and actively contributing to the strategic tasks of the ECCC, taking into account relevant national and regional challenges for cybersecurity in different sectors;
• Promoting, encouraging and facilitating the participation of civil society, industry in particular start-ups and SMEs, academic and research communities and other actors at Member State level in cross-border projects and cybersecurity actions funded through all relevant Union programmes;
• Providing technical assistance to stakeholders by supporting the stakeholders in their application phase for projects managed by the ECCC, and in full compliance with the rules of sound financial management, especially on conflict of interests. This should be done in close coordination with relevant NCPs set up by Member States;
• Seeking to establish synergies with relevant activities at national, regional and local levels, such as addressing cybersecurity in national policies on research, development and innovation in the area of, and in particular in those policies stated in the national cybersecurity strategies;
• Where relevant, implementing specific actions for which grants have been awarded by the ECCC, including through provision of financial support to third parties, i.e. Evyör NCC-IS providing via Rannís funding to Icelandic companies to improve their cybersecurity. The funding should foremost facilitate the adoption and widespread use of state-of-the-art cybersecurity solutions. This should equip organisations with the latest and most effective tools and strategies available for cybersecurity, fortifying their overall cybersecurity capabilities, and helping them to become more resilient and better prepared to face the evolving challenges posed by cyber threats in the digital age.
• Promoting and disseminating the relevant outcomes of the work of the Network and the ECCC at national, regional or local level;
• Assessing requests for becoming part of the Cybersecurity Competence Community by entities established in the same Member State as the NCC;
• Advocating and promoting involvement by relevant entities in the activities arising from the ECCC, the Network of National Coordination Centres, and the Cybersecurity Competence Community, and monitoring, as appropriate, the level of engagement with actions awarded for cybersecurity research, developments and deployments.

To prevent any misunderstandings: Eyvör NCC-IS will not take over the job of CERT-IS (or any other party) nor is Eyvör NCC-IS a Security Operation Center (SOC). Eyvör NCC-IS is rather an add-on to existing activities in order to raise awareness, co-ordinate actions, and improve education and research related to Cybersecurity on national and European level.

Eyvör – the National Cybersecurity Coordination Centre of Iceland (NCC-IS) is co-funded by the ECCC/EU.

With larger screens, tiling windows become an issue. While there are special tiling window managers, KDE/Plasma has built-in tiling:

• System Settings -> Workspace Behaviour -> Screen Edges: enable Tile: Windows dragged to left or right edge: now you can drag windows to left or right edge and it gets tiled horizontally by half of the screen. Depending on the percentage at Trigger quarter tiling in: it depends on whether you drag the window to the upper or lower percentage of the screen to have the window vertically tiled by half of the screen. If you rather drag the window to the left or right centre of the screen, then the window will be only horizontally tiled but get full screen height.
• System Settings -> Workspace Behaviour -> Screen Edges: enable Maximize: Windows dragged to the top edge: now you can drag windows to the top edge to maximize them.
• To get horizontal tiling into three parts, you can hold the shift key while moving a window.
• Unfortunately, there are no mouse gestures to tile a window vertically but have them horizontally full screen size. But there are keyboard combinations: super key (typically: the Windows key) and cursor keys tile the window by half of the screen size in the respective cursor key direction.

The deadline (for students from Iceland) for applying for our B.Sc. programmes in Computer Science and Software Engineering is 5. June for the autumn semester that starts end of August. As I was involved in updating our programmes, I can assure you that you will receive up-to-date education and can really recommend studying with us.

It was just recently in the news that Iceland will need 9000 specialists within next 5 years -- you will be one of them if you studied Computer Science and Software Engineering at University of Iceland.

If you want to learn more about Software Engineering, I have a blog post Why you should study Software Engineering / Af hverju hugbúnaðarverkfræði and a distinction of Software Engineering versus Programming.

The Frostbyte lab is the joint cybersecurity lab of the security researchers and teachers at University of Iceland and Reykjavik University. It is co-funded by the Icelandic government and the EU/ECCC. The official opening to experts is on Friday, 7 February 2025, and to the general public on Saturday, 8 February 2025, 11:00-16:00, in Harpa at the IT fair UT messan. Both University of Iceland and Reykjavik University have at the exhibition day for the public a booth on the 2nd floor of Harpa where you can learn more about the lab. The lab is open to interested parties for their cybersecurity research: please contact people at Frostbyte lab if you have a cybersecurity use case. For example, we offer to do a security scan if your organisation that has computers facing the internet.

From the lab opening to experts on 7.2.2025.

From the lab opening to the general public on 8.2.2025.

Gagnabær ("Datatown") digital twin that visualises cyber attacks in Iceland: each time our server gets attacked, a light goes off.

Presentation slides

To play them:

1. Open link in browser;
2. Slides should automatically advance every 20 seconds (possible to adjust that value via the delayms parameter of the URL) -- if they do not advance: reload page via F5 key;
3. Switch to fullscreen mode:
• In Chrome: F5 (=reload to start), followed by F11 (=fullscreen);
• In Firefox: do not use F11 key (would stop auto advance), but rather 'hamburger' menu and there, in the Zoom entry line on the very right, click the fullscreen icon.

This event is in the context of our cybersecurity activities and the ECCC/EU co-funded projects ICEDEF – Defend Iceland and Eyvör – the National Cybersecurity Coordination Centre of Iceland (NCC-IS).

While Eneloop batteries are the best NiMH AA and AAA batteries that you can get, they have only 1.2 V and some devices need in fact the full 1.5 V of a normal AA battery (e.g. 3.3 V logic that assumes 2 x 1.5 V AA batteries). Li-ion batteries can disguise as 1.5 V AA batteries by using a voltage regulator that step down the Li-ion voltage to 1.5 V. Newer variants have even a USB charging port built in, so that you can charge them without a NiMH charger, but just with any USB power source.

Such Li-ion-based AA batteries typically have two disadvantages:

• The keep the 1.5 V as long as possible and when they are empty, they simply shut down: a device that assumes a normal 1.5 AA battery uses however the voltage drop that a AA 1.5 V battery has when it gets drained to display in advance whether the battery needs to be replaced. This will not work with the Li-ion-based batteries.
• The Li-ion-based batteries can be deep discharged: while they have a protection circuit that switches them off, they recover after some time and the protection circuit enabled the battery again which drains them further and so on.

According to tests (in German), the Keeppower P1450TC (ca. 6.45 EUR with USB C charging port) seems currently to be the only exception that does not have that disadvantage. (However, it starts to drop the voltage somewhat too early so that devices that really need 1.5 V switch off far too early. Would be interesting to see whether future brings even better alternatives).