Freedombone Blog

Freedom in the Cloud

Hopes and Fears

I notice that the Internet Governance Forum is happening and they always put out very short videos on what are the greatest hopes and fears for the internet.

What are my hopes and fears for the internet?

There have been some studies on the consolidation of power on the internet. In the mid 2000s MySpace was considered to be very large and yet even at its peak it only had a small percentage of all internet users. The biggest internet companies today are in far more of a monopoly position and my fear is that we are on a very clear trajectory which ends with full centralization and one company or institution running the whole internet. If the internet becomes fully centralized and administered from a few giant data centers then the limited communications freedoms which still exist today will vanish.

My hope is that it's still possible for the centralization trend to be reversed. In the last couple of years I've seen the monopolists losing mindshare together with internal dissent within companies like Google. At the same time it's getting easier and cheaper for internet systems to be run in a decentralized way. Facebook still has billions of users but in terms of mindshare among hackers - the raw material which they need to keep their business going - that's declining fast.

Some thoughts on SQRL

Recently I was reading about an authentication method called SQRL. Would it be useful for Freedombone? Could it be built into Epicyon?

At first this sounds great. You log in by scanning a code or clicking a button. There are a few example implementations, including in Python and PHP. But the suspicious side of my character then asks: but where's the catch? how is this actually working?. And also if this is so great and it's been around since 2013 then why doesn't every web system use it by now, because the problem which this guy is describing is common.

I think the answer to the last one is just inertia, but there are also other more substantive problems. According to the spec it looks like the server needs to send a link to the client browser which then interacts with a port on localhost so that it can talk to the client agent who holds the keys. Doing that sort of localhost interaction which escapes from the browser is kind of shady and typically not recommended. In fact it's not recommended to the level where Tor browser will prevent you from doing it.

But wait, there's a Javascript browser plugin which maybe avoids having anything escape from the scope of the browser. When creating a new identity with the plugin the progress bar sometimes goes backwards. Maybe just a bug. I can sense that by this point readers are already facepalming and shaking their heads. After what seems like ages of entropy gathering the SQRL plugin identity generation fails! And trying again doesn't succeed.

From looking at some implementations it appears that an IP address is being used by the authenticator to reply back to the server - the so-called same IP check. This also won't work in a Tor browser, because the IP address of the sender will just be that of a Tor router and may change every ten minutes. Even if using a non-Tor browser home servers on dynamic DNS may have IP address changes. As the specification says, this leaves SQRL open to spoofing attacks.

And thus I rest my case, milud.

The concept of SQRL isn't necessarily bad. That is, having a separate authentication agent which stores keys and avoids needing to type in any credentials which could be keylogged or clipboard sniffed. However, for this to work in a reliable and trustable way I think the agent needs to be part of the browser codebase, or there needs to be an authentication API which provides a protected channel between the authenticator app and the browser, and not just arbitrary localhost access.

FreedomBox at Ten

Or almost ten. Here is another talk by Eben Moglen about the FreedomBox project. For avoidance of confusion Freedombone isn't the same thing as FreedomBox, though it is the same type of project and is in some ways compatible.

Nine years on from the Freedom in The Cloud talk which launched FreedomBox as a concept the project now exists as actually running software and has some developers actively working on it. Events have transpired, but in the intervening time the underlying nature of the problem which FreedomBox seeks to remediate has hardly changed at all. The only additional factor which might be added is the environmental one.

Data center cooling is a huge market that’s expected to be worth about $8 billion by 2023. With power densities increasing rapidly, many companies are investing heavily in new data center cooling technologies to ensure that they’ll be able to harness the computing power of the next generation of processors.

-- Kaylie Gyarmathy

The environmental argument for home servers is something I tried to make a few years ago, but the general opinion was that gigantic liquid-cooled data warehouses owned by Facebook, Google and Amazon had the magical "economies of scale". The tendency was always to believe that people from Google were wizards who could cleverly figure out how to circumvent the basic laws of physics. But given that a home server can run on 10W of electrical power, and potentially off of a solar panel I found this unpersuasive. I didn't have any quantitative estimates then, and still don't now. However, it's likely that a world in which there is one server per household or per street would be more electrically efficient than the current world of billionaire cloud servers.

Another point in Moglen's recent talk is about the problem of promotion. It's one thing to build technology but quite another to get people using it. You might think that this whole approach is wrong-headed and that surely according to classical economics "demand" must precede supply. Technologists merely solve problems for which "the market" wants solutions. But this was never the way that technology worked in reality. Nobody was "demanding" smartphones or spreadsheets before they existed. Nobody consumer demanded that the internet exist in the first place. Instead things were invented often with very different motivations and sometimes they turned out to have other uses and businesses then grew up to support those.

If the last decade was the birth phase I hope that the 2020s will be the time when running your own internet services, individually or in small groups, becomes quite normal. Perhaps something like FreedomBox will be installed onto internet routers by default. Facebook might be re-branded but I expect it will also continue to exist, because billions of users don't switch technologies easily or quickly and the gravity of the network effect is powerful. Agitation and education will need to continue.

Adding Bookmarks

Bookmarks have now been added to Epicyon.

Bookmarks screenshot

So if you want to reply to a post, but not right now, or if it contains a link that you want to follow later then you can select the bookmark icon at the bottom of the post and it will be added to the top of the Saves timeline.

Why Saves rather than bookmarks? It's just a shorter word which fits more easily on the button.

In the present implementation bookmarks are only for private viewing by a single account, but in principle there's no reason why shared bookmarks couldn't exist. That might be added in future, but it's better to avoid complexity until it's demonstrated that it's really required.

FOSS Sustainability

The people complaining that FOSS is "not sustainable" and that developers need to be paid more and add nagware to their software need to remember: most people using FOSS hardly have enough money to survive.

Free software at least is supposed to be a commons. A resource that anyone can use and learn from regardless of their financial status. Projects have come and gone, but the main system components have sustained for the last few decades.

The outrage at developers adding nagware is because it isn't respectful to repeatedly ask people who are hardly surviving to pay you, and to do so in a very entitled manner.

The need to survive under capitalism does conflict with a gift economy. This is what should be recognized. But we should also respect the user and not try to turn them into cash cows like the proprietary developers do.

Epicyon Shared Items Timeline

Fixed some bugs in the shared items system and have added an instance-wide shares timeline. This allows you to view and receive notifications for the latest things being shared on your instance.

Shared items is a Freecycle-style moneyless sharing system intended for the users of an instance. There is limited visibility of available shares other than to logged in users of the instance, so this follows the usual semi-opaque model. Outsiders will be able to get some idea of the kinds of things being shared, but not full access to the list, nor the ability to do arbitrary searches.

A button allows you to send a DM to the person sharing an item to make inquiries about it. Selecting the image shows you the full sized photo of the item.

Unlike a money based system of exchange there is no attempt to hide the social relationships which are involved behind a currency abstraction.

This functionality was inspired by the earlier Sharings plugin for GNU Social, made by a group called Las Indias.

All the banners we had flown for decades: distributed networks, free software, the globalization of the small… were producing a change in ways of producing wealth and knowledge in which the center was no longer in nations or in big businesses, but rather in small groups and communities that are empowered by a new knowledge commons
Shares timeline of Epicyon