Freedombone Blog

Freedom in the Cloud

Unmotivated by Doom

Earlier I watched some of the talks from the Freenode Live conference - especially the ones with Leslie Hawthorn, Bradley Kuhn and Simon Phipps. Much of the message here seemed to be quite doomy, and it appeared to me that the general idea was that Free Software had peaked some years ago and had now been coopted by big companies or was in decline. Also that Free Software communications systems are failing to keep up with proprietary chat apps.

You do realize that WhatsApp is really just a closed version of XMPP, right?

These people do have good points and know what they're talking about. The engineering, political and legal problems do all exist and are concerning. But I'd caution against a message of despair because that doesn't motivate anyone to do better. Also things may not be as hopeless as they appear and doomy stuff can be quite demoralizing. There is more Free Software being written than in the past and at least some of it is high quality. Free Software communication systems are actually succeeding in a significant way in the fediverse, despite detractors in the mainstream technology news claiming otherwise. It might be true that IRC and Freenode is in decline (although I'm not sure about that) but other communications systems like Matrix and Mastodon are appearing and seem to be doing well.

With Simon Phipps comment about "what does freedom in the cloud look like?" he might be unaware of the current status of projects like FreedomBox and Freedombone. When choosing apps to be included in Freedombone I'm not encountering any situation of decline and quite the opposite there are a growing number of decent apps which can be inexpensively self-hosted and are usually AGPL licensed - respecting user freedom while also being kryptonite to companies like Google.

Anyone who has met me IRL knows that I'm not some happy-clappy person, but I think Free Software needs a more positive message than the talks I saw earlier. We need to celebrate the victories in addition to lamenting the bad legislation. The big tech companies have a lot of money and lobbying power, but when you compare their apps to what it's possible to self-host the value which they deliver is quite marginal and it might not take much to shift things in a different direction.

Centralization isn't the only problem

I was reading a blog post which seems to me to present a straw man argument:

I’ve had many conversations recently with very well meaning people who believe that if we just decentralize everything, it will fix the internet—and perhaps all of society! Decentralize social networks, decentralize money, decentralize the world…if only it was so simple. This is the “magical decentralization fallacy” — the mistaken belief that decentralization on its own can address governance problems.

I don't think there are any such people and if there are I've never encountered them.

Centralization is the biggest problem on the internet today. It's not that the internet was ever highly decentralized, but especially over the last ten years or so it has been becoming much more centralized than ever before, such that a few companies control a lot of what goes on and have really disproportionate influence. You know who they are. It's Google, Facebook, Amazon and Twitter mainly. The introduction of cloud computing in the late 2000s meant that organizations stopped running their own servers and employing local sysadmins, and a lot of that was taken over by a small number of gigantic data centers who now act like the storage and computing brain of the internet. This degree of centralization has political and economic effects which are now hard to ignore. It's essentially a return to the old Compuserve or AOL model of the mid 1990s, or the even earlier era of mainframes and dumb terminals.

But the blog post is right in as much as that centralization isn't the only problem. There are problems at every level of the protocol stack.

In the "good old days" the web was made out of standards. Those standards were defined by W3C. But when we examine actually existing W3C, as opposed to the rose-tinted view of it in the Silicon Valley histrionics, we find that it's just a corporate club encamped by the usual suspects and that it in no way represents - or even makes any effort to represent - "the people of the internets" at large. The standards produced by W3C represent the interests of its corporate/academic members and nothing more than that. This leads to problems where for example things like browser DRM gets pushed through and the rights of billions of people worldwide are trampled because a couple of companies want to maintain a particular business model.

Beyond web standards you have the proprietary protocols of various chat apps which make the days of W3C dominance look like a picnic.

Then there's encryption. The lamentable state of internet security is so comprehensive that it would be difficult to enumerate all of the problems here, but just as a first pass the name system that we all use most of the time (DNS) remains unencrypted and routinely exploited by governments for censorship. The Certificate Authority system was designed in the mid 1990s at Netscape "in a series of 4am decisions". I've yet to find anyone who genuinely trusts all of the CAs in a typical web browser, which includes entities like the Chinese government and some companies with the lowest ethical standards you can imagine. Also decades after its invention there remains no commonly deployed encryption standard for email. Many fine words have been uttered at tech conferences but not a lot of rollout has happened. This has very real consequences in terms of loss of privacy and ultimately loss of freedom, and again its because business models are taking priority over lives.

And then there's community governance. For me, Twitter is the ultimate example of online community done wrong. There's a lot of interesting news published on that site, but the human interactions there often resemble a bar room brawl in a spaghetti Western. Centralization is part of the problem but advertising, optimizing for "engagement" even if that really means "fights" and lack of meaningful controls over who you interact with or what information you share all contribute to one of the worst social experiences which the internet has invented so far. I'm still on Twitter, but some days I wonder why.

There are many other problems and those listed above are just the preface of what could turn into a substantial tome. The traditional remedy is "digital detox" and although that might be ok for some of the people some of the time it's becoming an ever less viable suggestion as the distinction between online activity and IRL becomes hopelessly entangled.

As an alternative to decentralization, a Facebook constitution could leave Facebook as a monopoly. This does keep “the power of violence” (e.g. online policing) centralized just as it is in the physical world but it can also put structures in place to prevent tyranny.

I think constitutional centralism would be the worst of all worlds. Constitutions don't work in politics and are heavily criticized as being ineffective within online communities in which the "code of conduct" is the closest analogy. Constitutions only really work in small, decentralized, communities of active participants in which every member is able - and more importantly willing - to take direct action to uphold the code.

The worst sort of constitutionalism is the sort of thing that we've seen recently from Tim Berners Lee - the "Contract For The Web". This is guaranteed to be ineffective from the outset and is really just a kind of corporate spin-doctoring to paper over the many problems which the internet has. Just telling companies and governments to "respect privacy" isn't going to work. The problems are a lot more complex than that and need smarter solutions.

Deciphering Microsoft

Microsoft isn't as big as it once was. In the last decade we would obsess over their desktop hegemony and underhanded dealings, but these days not so much. Microsoft missed the boat with regards to mobile. They never entirely grokked the internet and are only recently trying to make inroads into the cloud.

My tepid take on the state of Microsoft is that they're going to be all about the cloud in the next few years. I expect Windows to become freeware or adware and to be a thin client operating system with minimal onboard processing. Anything that matters will happen in an Azure cloud and Windows laptops will be remotely managed clients, reminiscent of the days of mainframe computing. Users will be able to change a few settings, but other than that all of the software maintenance will be handled centrally.

So why did they buy Github? Was it to finally assassinate open source, their hatred of which was famously outlined within the Halloween documents?

Actually, subsequent to the Ballmer period, which ended four years ago, I think they're following a different strategy. The Windows desktop operating system is now legacy, and not their main focus. The new business model is going to be about telemetry and pushing targeted ads from the cloud to the desktop. That means they won't open source Windows but they'll try to cut its maintenance costs to the bare minimum. If they open sourced it then they'd lose control of the telemetry and ad delivery pipeline. I think the way they're going to reduce maintenance costs is by using as much open source software as they can, where they're not paying the developers. Note that here I'm using the term "open source" deliberately and not "Free Software". Owning Github puts them in a good position to do that. They can nudge things towards Azure over time in a slowly-slowly frog-boiling type of strategy and generally "communitize the community" in a Windows direction.

In the coming years I expect that Microsoft will do with Windows what Canonical has done With GNOME after Unity. An increasing fraction of the desktop OS will be maintained by the open source developer community at large and not by Microsoft. Privatize the benefits, externalize the costs. So open source, or even Free Software, is not the same kind of threat to them that it was during the Gates/Ballmer era and it may even be considered a business-critical ally.

You could object that this strategy is all about centralized cloud systems and that it fails to take into account that there is an emerging decentralization trend.

I think the decentralization trend is not quite what it appears to be. In most cases you'll find that what is decentralized is the software only and that the physical computing remains centralized within giant data centers. So even if we are entering a federated era based on ActivityPub or some similar protocol the Azure strategy would still work for Microsoft and wouldn't change their profitability much. If their Windows desktop client becomes thin enough it may also be suitable for mobile.

Integrated Search

Internet search is such a fundamental function that in an effort to make it easier to get out of the habit of just using Google all the time I've moved the Searx metasearch app to being part of the base system of Freedombone so that it's installed by default. When you navigate to the web interface there is now a search bar there, or you can use http://freedombone/search or the equivalent onion address for the web interface.

Outgoing search queries are routed through Tor so that you have a reasonable level of privacy. Metasearch isn't a complete solution to the problem of searching in a decentralized architecture, since it merely sends out your query to other search engines. You could call this a less centralized approach which does a better job of avoiding privacy problems.

Pi-Hole on Freedombone

The ad blocking system called pi-hole has now been integrated with the new web based user interface of Freedombone. This blocks ads at the DNS level on your home network. It's not perfect and doesn't block all ads, but it does help to improve the user experience and speed of browsing the web. One thing I notice in particular is that it doesn't block ads on YouTube, and that Google has been adopting devious ways to avoid ad blocking by using randomly generated subdomains to serve advertising content from.

For a long time I didn't really care about ads and the internet didn't depend highly upon them. Then I distinctly remember the occasion in 2007 when my web browsing experience went from having discreet banner ads which I didn't care about to having actually offensive ads shoved in my face in a highly disrespectful manner. From that time onwards I started using browser based ad blockers, and then eventually pi-hole.

Pi-hole has its own web based user interface, but I've made no attempt to integrate that into the Freedombone web UI. That's because it requires logging, and from both a security and a performance perspective I'd rather avoid any additional unnecessary logging. If you're running on a microSD card then writing the minimum amount of things to disk is important because I/O bandwidth is low and the disk itself wears out eventually.

Continuously Integrating

I've now set up a continuous integration (CI) system for making image builds for the Freedombone system. This is something I had been wanting to do for a while, because building images by hand is laborious and not always reliable. If during a build a repo fails or a certificate expires somewhere on the internets then you have to start again. The details of the new system can be found here.

In compressed format Freedombone images are typically just over 3GB in size. Even on a fast multi-core machine builds can take an hour or more, because it's creating a minimal Debian operating system and then installing and configuring many things on top of that. In the past, and even now, I don't have a spare laptop or desktop machine to dedicate to continuous builds which would be powerful enough to make multi-gigabyte images within a reasonable amount of time. But ARM SBCs are getting good enough for this task, with a combination of a fast CPU and also the ability to run from an SSD which gives I/O performance which is an order of magnitude better than EMMC or microSD.

Various CI systems exist, but I thought I'd do the traditional thing which is to make one out of a bash script. In the old days, before the now well known CI systems existed, hackers would just create some scripts to compile overnight and report the results back by email which could be viewed in the morning. My CI system, called BirbCI is not a lot different from that except that the results are reported on a web page. Originally it was 80 lines of bash. It has grown a little, and is now a few hundred lines, but it's not all that complicated and is very general such that any type of build in whatever language you choose could be supported. The web page on which results appear can also be customized.

So in future it should be easier to do releases, since at any point in time there will be a bunch of ready made images. It will also be easier to know if anything I do with the source code breaks the build.