Email via Onions

April 6, 2018 - Reading time: 2 minutes

I use org-agenda, the Emacs task manager, as a TODO list and the problem of getting email to work from an onion address has been a remaining very low priority task for the last couple of years. Not many people need this sort of functionality, but as time passes the problems with conventional email get more acute, especially if you are running your own server.

The problems with existing email can be summarized as:

  • You need a domain name, which costs money.
  • You need a TLS certificate. This isn't as much of a problem now as it was a couple of years ago, but LetsEncrypt is becoming a single point of failure.
  • The protocols were devised during the "profdoctor" stage of the internet, when most users were academics and everyone trusted everyone. Security was an afterthought, and the consequence was a massive spam problem.
  • Port forwarding has to be done for NAT traversal. What if you don't control the internet router?
  • Indiscriminate blocking based upon IP address ranges is increasingly a problem.
  • Some ISPs block email ports.
  • Some ISPs force users to proxy outgoing email via their own server, making censorship or MiTM a possibility.
  • PGP/GPG is needed for content security. A lot of people whinge about the unusability of email encryption.

Using onion addresses gets around the above issues. With onion addresses the public key crypto comes for free, so PGP isn't strictly required and the nay-sayers can stop whining. If you're paranoid enough then you can still use it as an extra encryption layer. Using onion addresses also ensures end-to-end security between email servers.

So long as you're willing to put up with a random-looking email address, and your friends are sufficiently geeky, then onion addresses solve a lot of niggly problems.

Recently I've put some effort into making this work on Freedombone and managed to arrive at a solution where you can send email between onion addresses or between an onion address and a clearnet address. Configuring Exim to do this is mind-bendingly tricky, but possible. This is also a sufficiently niche thing that there is not much information available out there, and what information exists is usually either far out of date or just wrong.

Support for onion email addresses will work "out of the box" with a new Freedombone install. There is also an app called bdsmail, which does something similar but using I2P as the transport mechanism. So you can take your pick, whether you're a Tor fan or an I2P fan.

The Stallman Directive

April 4, 2018 - Reading time: 3 minutes

In an episode of Linux Unplugged they talk about Richard Stallman's proposed solutions to the problem of companies spying on people and then using the data in dubious ways. After a lot of meandering the actual discussion is about an hour into the show.

So what's the solution to this? Cambridge Analytica isn't the first company to use data in sketchy ways and it won't be the last. I also don't really agree with Stallman that legislation is the answer, since here in the UK the data protection act has existed for decades and even though there are many violations of it it's largely ignored.

For example, the data protection act says that data collected about people is supposed to be used by the "data controller" for a specified purpose, not for purposes different from the one for which the data was originally supplied, and also that people should be able to obtain copies of their data without unreasonable delay. When you think of the world of advertising companies and data brokers and so on it's easy to see that these basic rules are being broken routinely. Data supplied for one reason ends up being used for entirely other purposes. Maybe somewhere in the terms of service there are buried descriptions of what happens to personal data, but realisticly nobody except lawyers reads those documents and the problem boils down to what constitutes meaningful education and consent.

Things that have been tried and which we know don't work are:

  • Legislation similar to the data protection act. It very rarely or never gets enforced.
  • Simplified terms of service documents with fancy coloured icons. Still nobody reads them. In an era of technology monopolies often users don't have a realistic choice about whether to sign up for a service or not.
  • Naming and shaming companies when they abuse personal data. They just carry on doing the same anyway.
  • Browser plugins which do client side encryption. Have existed for a long time but since they're not installed by default practically nobody uses them.

In the Linux Unplugged episode FreedomBox is mentioned as a possible solution to the data ownership and privacy problem. I like this idea, but I think there's also another possibility which is non-corporate community management of systems - especially social networks. That is, the kind of federated model which exists already on the Open Web. To some extent the work involved with storing and managing communications data can be collectivised within an affinity group so that each user of the system doesn't have to take on the whole responsibility by themselves.

A couple of years ago it would have been easy to dismiss the federated model as something old-fashioned, perhaps resembling the bulletin board era before the internet, but now there are thousands of Mastodon installs and what appears to be very active communities around them who are not just the previous demographic of hardcore Stallmanites. What exists today is a pretty substantial proof of concept for an exit strategy from the current data dilemmas. It's not that today's fediverse is ultra private - far from it - but it's conceivable that better privacy features could be added.

What I think organisations such as FSF, EFF and ORG need to be doing is getting behind projects like FreedomBox and promoting them and showing people how to install and maintain them. If data is increasingly managed in a non-corporate way and perhaps also at a more municipal level then at least when it comes to devising legislation the pro-privacy side of things will be in a much stronger bargaining position.

Another Blogging System

March 31, 2018 - Reading time: 1 minutes

The popular Ghost blogging system has been in Freedombone for a while. Recently I was trying to update it using the current Node LTS version (8.9) but not getting very far. The command line app had its option to specify the user account deprecated, and that seemed to be an important feature without which the installation process became a lot more complex.

I was struggling to get the ghost command line to work without a lot of errors and was also thinking that it's 2018 and surely blogging software doesn't need to be this complex to administer. The essence of blogging software is pretty simple, and probably it doesn't require these thousands of javascript dependencies.

So I've decided to remove Ghost from Freedombone for now. Instead I've replaced it with Bludit. Bludit is much simpler and easier to install. It has no database, so moving it from one domain to another or making backups is just copying a directory. The amount of RAM needed is negligible, so it should run even on the most minimal single board computer. It also of course supports RSS via a plugin.

Perhaps Ghost will return in future, but for now I think Bludit is a better option for self-hosting. When you're self-hosting web systems it's not just the bling which matters, but also the practicality of maintaining the system over time and on low cost hardware.

This means there are now two blogging options on the server version of Freedombone - Bludit and HTMLy. Both are databaseless and written in PHP.

The Bosworth Memo

March 31, 2018 - Reading time: 2 minutes

I notice some amount of scandal around an internal Facebook memo written by Andrew Bosworth in 2016. What he's basically saying is that Facebook's mission is to connect people regardless of the outcomes of those connections, and that connecting people is always good.

That's obviously not true, and Zuckerberg is right when he says in response:

We recognize that connecting people isn't enough by itself. We also need to work to bring people closer together.

Probably the more damning part of this memo is where Bosworth admits to Facebook's use of antipatterns to trick people into over-sharing.

That’s why all the work we do in growth is justified. All the questionable contact importing practices. All the subtle language that helps people stay searchable by friends. All of the work we do to bring more communication in.

The Facebook scandal of the last month or so is just one of many over the previous decade. It's always nice to see people leaving that site, so long as they end up going somewhere better and not just disconnecting themselves out of misplaced hubris. Despite what technology journalists may say, there are real alternatives to Facebook and have been for many years. Friendica is still quite good, as is Hubzilla. Diaspora still exists. Mastodon is currently by far most popular of the non-corporate social network systems. And there are others in ascendancy. I am quietly (ok, noisily) confident that the worm is beginning to turn on what has been the status quo in social networks for the last decade.

I don't know anything about Andrew Bosworth, and the current fashion is to attack the individual as being uniquely immoral. This trend seems to apply regardless of where you are in the political milieu. Left, right, whatever. But it's important to remember that especially for a company the size of Facebook it's not really about corrupt individuals. The behavior and attitudes of Facebook staffers is strongly determined by the logic of the business model, which is surveillance capital. Even if Bosworth were to resign in disgrace he would be replaced by someone whose standpoint towards users and shareholders would be extremely similar. People create organizations but also organizations and their situation within a market (admittedly limited in this case - Facebook is a near monopoly) create particular kinds of personality. As the anthropologyst Alan McFarlane once said, Capitalism contains many contraditions, and often these contradictions play out within individual personalities.