Nicholas Johnson

Please Disclose AI Contributions to Your Work

2025-11-30T00:00:00+0000

If you’re working on a creative project that others will see, such as an online journal like mine, please disclose A.I. contributions to your work.

I personally have very little interest in creative works like books, websites, blogs, movies, music, and artwork that was produced by A.I. and I think many people feel similarly. We like getting to know the human(s) behind those works, through their works. We like discovering what motivated them to create it and what experiences they had that went into it.

We know that A.I. could produce it a million times faster and better, but the process by which it was created also matters to us. As I said back in my entry “Automation and the Meaning of Work”, there are certain activities people just don’t want to be automated, even if they can be automated and the end product is better by some objective measure.

So to respect that wish, if you use A.I. tools in the course of your creative work, the least you can do is make the nature of their contribution known to those who might find your work so that they can choose for themselves if they’re interested in it. I’ll lead by example:

I don’t use A.I. tools to write this journal, nor do I plan to. I don’t use A.I. tools to generate ideas for writing either—I prefer to come up with ideas myself. In the past, I used an automated tool, which included an NLP library, to detect and correct grammatical mistakes. I wasn’t restructuring whole paragraphs with it. I write without LLMs because I enjoy writing and because I want to give my readers the chance to get to know me through my writing, as opposed to what some LLM thinks the next word should be.

Store Now Decrypt Later Isn't Taken Seriously Enough

2025-11-23T00:00:00+0000

There is always the possibility that some new mathematical technique breaks existing encryption algorithms. We should not therefore say that all encryption is insecure. Rather, we should change our conception to reflect that encryption has an expiration date. A lock is the most common analogy for encryption, and it’s fine for helping beginners grasp the concept, but a countdown timer is more apt in this context.

The countdown timer represents how long encrypted data will stay secret for. It has no markings on it for us to know how long until its dial reaches zero (representing the data becoming decryptable), so we can only estimate. Following that analogy, using classical encryption instead of hybrid encryption (classical + quantum-resistant) is like winding back the dial halfway when you could wind it back all the way.

There’s software out there whose users’ data is vulnerable to store now, decrypt later attacks in the near term not as a result of the aforementioned inevitable mathematical advances, but rather due to the software developers just not winding back the dial all the way (using quantum-secure libraries).

We don’t know how soon practical Shor-capable quantum computers will hit the scene, but there are good reasons to suspect that they’re not far off. So developers should anticipate that any data sent today using classical encryption algorithms might be intercepted and retroactively decrypted in the near future.

If you’re a developer, it is irresponsible to subject users to this risk when it can be avoided. There are quantum-secure cryptographic libraries available for mitigating it. Too many software projects that don’t need backwards compatibility still lack quantum-resistant encryption and still market their software as private and secure. I think some gatekeeping is in order…

If you’re writing software that transmits sensitive data over the internet in current year and it has no compatibility requirements and isn’t quantum-resistant, then it’s not private or secure and marketing it as such is false advertising.

Use Notifications To Check Your Phone Less

2025-10-17T00:00:00+0000

In my entry “Why I Don’t Have a Smartphone”, I wrote:

“… [my smartphone] was in airplane mode unless I was making a call. It was always on silent with no vibration. Unless I deliberately pulled it out, it couldn’t interrupt my day.”

I think my goal of spending less time on distracting technology was worthwhile, but that keeping one’s phone always on silent with no vibration is not a practical way to achieve that for most people. Since writing that entry, I’ve started using a smartphone again and I’ve had to change the way I handle notifications as well since having it always on silent is no longer practical for me either.

I have notifications turned on now because I noticed that when I had them off, I was constantly checking my phone every few minutes to make sure I didn’t miss anything important. With notifications turned on, I don’t need to poll my phone, because I’ll hear a ding if something important happens. If I haven’t heard a ding, I know I don’t need to check it. So if I only use my phone either when I receive a notification or when there’s something important I need to do on it, I know that I’m making good use of it. Otherwise, I know I’m probably wasting my time.

If you’re interested in replicating my notification strategy, you must curate your notification settings first on a per-app basis as I do. If you stick with the default notification settings for every app you have installed, you’ll get pinged for many unimportant things and it won’t help as much with checking your phone less. This isn’t hard to remedy, and you don’t have to fix it all at once. Each time you receive an unwanted notification, just go into settings and disable it. Eventually, all unwanted notifications will be gone. Repeat the process as you download new apps. The goal is to disable as many notifications as you can without falling back to constantly checking your phone.

To close, I want to comment that I think that in popular media, there’s too much focus on reducing total time spent on one’s smartphone, and too little focus on making sure the time is well-spent. The common recommendations to check one’s screen time or look at which apps you’re using the most don’t necessarily give much insight into whether you’re making good use of the time. For instance, if you spend four hours per day on your smartphone, that might seem like a lot, but if you’re using it to read a book or practice a foreign language, that time isn’t wasted. If you’re just autoplaying YouTube videos or mindlessly scrolling through infinite feeds during breakfast, that’s a different story.

As I’ve said before and I want to emphasize again here, I don’t think telling every individual person to just be more disciplined and find new strategies each time a distracting technology comes out is a substitute for real, systemic solutions that address the challenges created by these technologies. If we’re going to have smartphones, they need to be non-distracting and non-addictive by default by design. In the meantime though, hopefully the notification strategy I’ve outlined here can help some people.

On Personal Cybersecurity

2025-04-05T00:00:01+0000

I think the recent US government Signal chat leak creates a good opportunity to talk about personal cybersecurity and offer a few high-level tips.

Signal is a private messaging application. It prevents specific types of adversaries from accessing the contents of your calls and messages, and their metadata. But if you, the human, choose to use it for adversaries it was never designed to defend against, that’s a problem the technology can’t fix. The biggest vulnerability in cybersecurity is not the tools, the protocols, nor the cryptography. It’s the human.

Often, it’s the human not understanding the limitations of the tools they’re using. If you think that using Signal is all you need to do to secure your messages, you are so wrong. Consider that Signal is not designed to protect you against any of the following threats:

A weak phone password
Phishing attacks
Shoulder surfing
Inserting a malicious USB device masquerading as a charging cable into your phone
Your virtual keyboard app collecting your keystrokes
Vendor spyware installed on your phone’s stock operating system
Hardware backdoors installed by governments or corporations acting on their behalf
Someone stealing your phone while it’s unlocked and impersonating you
Someone installing a rootkit on your phone while you’re away, sleeping, or distracted
Someone screenshotting your disappearing messages
Someone replacing your phone with a lookalike that sends them your password
Being drugged and hit with a five dollar wrench until you give up your messages
Being overheard while on a phone call
Adding the wrong person with the same name to a private group chat

What happened with the Signal leak was government officials used Signal for a purpose it wasn’t designed for — sharing military attack plans. There’s a proper tool for doing that. It’s called a SCIF. It would’ve prevented the mistake that caused the leak. The fact that they used a mobile chat app instead of a SCIF is a monumental OPSEC failure, and somebody should be held accountable for it.

Unfortunately, instead of owning up to their error, they made excuses and blamed Signal for being “insecure”. This leads me to another point which is important to understand for personal cybersecurity:

Calling an application “secure” or “insecure” is an oversimplification. No one has ever managed to build a foolproof communications system. We only have systems that are secure against certain types of attacks carried out by certain adversaries. As you can see with Signal, I just listed a dozen ways its security could be bypassed right off the top of my head.

Another thing to keep in mind for your personal cybersecurity is that it’s easy to get tunnel vision, focusing only on the technicals while overlooking more basic threats that are far more likely. Your messages aren’t going to get compromised by a vulnerability in the Double Ratchet algorithm or Post-Quantum Extended Diffie-Hellman that Signal uses. But have you ever sent a message to the wrong person because you were distracted or intoxicated? Exactly. You are the biggest vulnerability to your personal cybersecurity, not the technology.

Also, you need a cohesive strategy. Merely using Signal, or merely having a password manager, is not enough for good cybersecurity. Good tools are necessary for good cybersecurity, but cybersecurity is more than a set of tools. It’s a mindset. It requires you to think like the adversaries you’re likely to face, anticipate their attacks, create strategies to impede them, and update those strategies when circumstances change.

Although “cyber” is in the name, sometimes the most effective measures you can take to improve your cybersecurity are non-technical. They have more to do with social awareness. Do you have any enemies? A jealous ex? A roommate who can’t stand you? A dirty cop whose ego you bruised? What information do they have on you? What information can they find out? What are their available resources? How might they carry out an attack? How dedicated are they? To create a sensible personal cybersecurity plan, you must know thine enemy.

Just one more thing I want to mention before signing off. Personal cybersecurity is an endless rabbit hole one can go down. You’re free to go down that rabbit hole to your heart’s content. Just be sure to prioritize the threats to your security posture. Address the most likely attack vectors first, and the least likely ones last. And finally, don’t rely on any single technology to protect you one hundred percent.

A Retrospective on My Free Software Absolutism

2025-02-01T00:00:00+0000

Background

There’s this problem one gets into when creating content about one’s own life. I’ll try to illustrate it with a few examples from past entries I’ve made.

Veganism

In one of my journal entries, I advised people to go vegan, mentioning that I was a vegetarian trying to become vegan myself.

I am no longer a vegetarian.

In fact, I haven’t been a vegetarian for quite some time now. I still believe in the cause of veganism and would advocate for others to take steps toward veganism if they can, but I personally still fall short of that goal.

Smartphones

I also wrote about why I didn’t have a smartphone, citing the harmful effects they have on people’s attention, privacy, and digital freedom.

I now use a smartphone.

I’ve been using one for a while now. I still believe they’re harmful in all the ways I described in that entry. I try to mitigate the harm in my own case by using GrapheneOS with the proprietary apps isolated to a separate profile, but I still use one and I still have some proprietary applications installed.

Free Software

This next one will probably shock you the most if you’re a long-time reader of mine. After all the hubbub on my journal about the harms of proprietary software, dropping classes over it, sacrificing my career for it, and building an unsuccessful career plan to avoid it…

I now have a Windows machine and use proprietary software.

I’ve even subjected myself to remote proctoring software, which I dropped out of university over back in 2020.

On Giving Updates

The point is, having my current lifestyle contradict a lot of what I’ve written in the past makes me feel like a hypocrite. Once I write about something in my life in order to further a point, I almost feel an obligation to give an update or explanation when it changes.

To be fair, I never promised anyone that I’d never change my mind or behavior after writing an entry or that I’d make an update each time I do, and it’s expected for someone in their twenties to change quite a bit. Ideally, readers would interpret my journal entries as a snapshot of my beliefs and actions at the time of publication, but I know that in reality people will naturally assume that what I wrote at one point in time still applies, and I don’t want anyone to have a false impression.

That’s partly why I feel so strongly about writing this entry. Free software has been such a persistent theme in this journal that I feel like I owe some explanation.

Retrospective

For this entry, I want to address my past free software absolutism, whether I made a positive difference, whether I avoided doing harm, and what it costed me.

Did I Make a Positive Difference?

I think it’s difficult to quantify how much of a positive difference I made. I mean, I don’t know how many people read this journal. I don’t know how many people I left an impression on with my free software advocacy or what they might’ve done as a result, so it’s pretty hard to measure.

If I had to guess though, on the whole, I’d say that the difference I made was tiny.

Because of me:

A few more people use free software instead of proprietary
A few more people are semi-aware of free software and mass surveillance

I wanted to believe that I had more of an impact than that, but at least it’s something. I think there’s an important insight lurking here though: With a few compromises and a change of tactic, I could’ve had the same impact, probably an even greater impact, with far fewer personal sacrifices. What I was doing was akin to self-immolation with no audience.

Okay. The positive difference I made wasn’t much in comparison to the sacrifices I had to make, but did I at least avoid doing harm?

Did I Avoid Doing Harm?

Let’s analyze harm I avoided doing during my free software absolutism:

Didn’t write proprietary software, avoiding potential harm to users
Mostly avoided being a victim of proprietary software and mass surveillance myself

The first point can itself be argued to be a harm actually. Since I’m someone who cares more about respecting user freedom than the average dev, I could have potentially reduced the harm meanwhile the proprietary software industry exists. The second point is positive. However, the knock-on effects of my free software absolutism overshadow it:

Zero career progression
No financial security or independence
A lack of personal life experiences and personal growth due to the above
Chronic medical problems that went untreated due to the above
Immeasurable stress on me, the people financially supporting me, and our relationships
Social isolation (I’m autistic, so it’s hard enough already)
A lot of time and effort I will never get back that amounted to very little

And the above isn’t even a comprehensive list. I can’t make a comprehensive list because it gets too personal.

In the end, those who suggested that avoiding doing harm by being a free software absolutist would cause harm in other ways, were spot on. I made some counterarguments to that specific point in “My Career Path”, but I now see why those counterarguments were wrong. I didn’t end up starting a successful business in free software (I tried) or finding a more ethical career. All I accomplished was generating profits for corporations that retard the social movements I support, and relying financially on others who did the same so I didn’t have to.

I think my heart was in the right place, but ultimately I was doing more harm than good and I may have subconsciously been using writing (along with other unhealthy coping strategies) as a way to escape that fact. Emotionally this has all been quite difficult to process, and it’s hard to put into words the loss that I feel. I sacrificed so much of my time, energy, and happiness just to have the same impact that I could’ve had without jeopardizing my health, career, and future.

Moderation Versus Dogmatism

I’m still going to promote and advocate for free software where I can, but I think the right approach is a more moderate one. The approach of people like Richard Stallman is, in my opinion, dogmatic to the point of possibly hurting the free software movement. It would do good to refine the free software philosophy a bit.

I feel obliged to mention Louigi Verona, who has put some serious thought into the core principles of free software. His work brings much-needed skeptical analysis to free software philosophy as put forth by GNU and the FSF. While I probably don’t agree with all of Louigi’s points, I think his effort in carefully deconstructing and critiquing the core tenants of free software is valuable and important for the future of the movement.

Louigi himself is a proponent of both free software and skepticism and his writing on the subject is thought-provoking. At some point in the future, I’d like to get around to making a response to his arguments and talk about my thoughts on them.

What Would Actually Make a Difference?

I have one final point to make because I feel like stopping here leaves one in limbo. This entry makes it seems like whether you work inside “the system”, trying to promote free software from within, you only get as far as the economic incentives let you, which is not far enough. And for most of us, trying to work outside “the system” and go full Stallman leaves you with no economic resources left to further the cause. Either way, you lose. So what is one to do?

To put it bluntly, I think meaningful progress on most important social issues is made practically impossible by a single upstream systemic cause: capitalism. I’m not going to lay out the full argument for why capitalism is a problem here. I’m no expert on it and others have already made the case better than I can, but I’ll talk briefly about how capitalism hinders the free software movement specifically.

Capitalism creates a system of economic incentives such that the majority of programmer labor power is spent competing, working on closed proprietary software, rather than collaborating on free software for the benefit of larger society. The feedback loop of capital accumulation by corporations creates vested interests for proprietary software. These corporations are economically incentivized to use their power to bribe elected representatives into passing laws that harm cooperation, such as strengthening copyright law and protecting software patents. To sum it up, I don’t think the fight for free software (or most other social causes) is winnable as long as the overriding economic incentives of capitalism are present.

So with that in mind, I’ll finally answer the question of what actions I believe would actually make a difference for the free software movement. This advice also generalizes to other social causes out there:

Join pro-labor organizations and socialist groups. If you’re a leader or organizer of a movement, build solidarity with reasonable groups that oppose capitalism or its excesses
Only make personal sacrifices commensurate with the results you expect to achieve. Big personal sacrifices are okay if you’re also achieving big results (E.g: Edward Snowden), but don’t do what I did and throw yourself under the bus just to make a tiny difference for a single cause, especially when there are better ways to go about it

Related to the last bullet point, there’s a book titled “The Lifelong Activist: How to Change the World Without Losing Your Way”. It seems like a decent guide based on what I’ve read so far, so I recommend it to those of you who call yourselves activists. I’m not sure if it would’ve made any difference had I read it six years ago, but I certainly wish I would’ve discovered it sooner.

Why I Timestamped My Journal

2024-04-08T00:00:00+0000

Foreword

Before I talk about timestamping, I just want to make clear that this entry does not constitute a return to writing. I’m still taking a step back from writing. I’m only writing this entry to give context for the new timestamp I created.

Why I Timestamped My Journal

As AI improves, it will get harder to differentiate synthetic (AI-generated) media from human-created media. Thus there’s a need for a verification system that can confirm the human provenance of media. What does this have to do with timestamps? Well, for sophisticated data such as this journal, timestamps can be used to prove that it existed prior to AI’s ability to generate it. This proves its human provenance.

How I Timestamped My Journal

One way to timestamp data is by embedding its hash into the Bitcoin blockchain. Even if Bitcoin falls out of favor and miners stop securing its blockchain, a historical copy of the ledger would be all that’s necessary to verify timestamped data. Given Bitcoin’s cultural significance and the fact that its ledger is widely witnessed, genuine historical copies of its blockchain will probably be preserved for a long time, allowing verification of any timestamps within it. OpenTimestamps is the software I used to do just this.

How to Verify The Timestamp

Here’s the procedure for verifying this journal’s timestamp (and thus its human provenance):

Prerequisites:

Git
OpenTimestamps
A local Bitcoin node

Commands:

git clone --recursive https://git.nicholasjohnson.ch/journal
ots verify -d "$(git -C journal show-ref --hash archive/signify-signature-10)" journal/static/static/timestamp-2.ots

Critiquing My Last Timestamping Entry

Now I first had this idea back in November of 2021 and wrote an entry about it titled “future-proof digital timestamping”. There are a number of issues with that entry and I could spend time nitpicking it, but its primary deficiency is that the idea of timestamp chaining via successor ledgers is erroneous.

Timestamp chaining could perhaps provide stronger assurance of the legitimacy of the timestamps (due to the successive blockchains having the largest amount of cumulative work), but the gains in assurance would only be very marginal at best, it’s all predicated on Bitcoin having endless successors that also rely on energy-intensive proof-of-work, and there would have to be software supporting such a scheme. In my estimation, that’s all highly unlikely.

But one good idea contained in that entry was to restamp this journal’s Git repo to future-proof its timestamp. The old timestamp was performed on the old repo which used the broken SHA-1 hashing algorithm. Since then, I converted the repo to the new SHA-2 object format and SHA-2 support in Git has been stabilized. So everything I needed to create a new, stronger timestamp was present. Well, almost everything.

The only issue I ran into was that the OpenTimestamps software does not have sufficient Git integration to embed timestamps within Git objects in SHA-2 repos like it can for SHA-1 repos. So I just timestamped the most recent tag manually, creating a fully separate .ots proof file which is verified without using OpenTimestamps’ GnuPG wrapper.

Hopefully the new timestamp lasts. If not, both Software Heritage and Archive.org have centralized timestamps of this journal as fallbacks.

Don't Say PC When You Mean Windows

2023-10-15T00:00:00+0000

“PC” stands for “personal computer”. Windows is one of a countless number of operating systems that can run on PCs.

Occasionally the terms “PC” and “Windows” are used interchangeably. I ask people not to do this because:

It may confuse laypeople
It may confer a sense of primacy to Windows and secondariness to other operating systems

If you catch someone using these terms interchangeably, please explain why they should not do this.

Re: They Told Their Therapists Everything. Hackers Leaked It All

2023-10-10T00:00:02+0000

Vastaamo ran the largest network of private mental health providers in Finland when it suffered a catastrophic data breach. A hacker group (or individual) got into the database, downloaded private notes from patient therapy sessions, and threatened to release them all unless paid a very large sum of money by the provider, later extorting then-current and former patients as well.

If you want to learn more about it, you can click the link above. I’m not writing about it for the details of this specific case though. I want to use it as evidence for a broader point, which is that data as sensitive as therapy notes don’t ever belong on networked computers. Putting them on networked computers is the most moronic thing I’ve ever heard. Unfortunately it continues to be standard practice in certain places.

Hospitals and health facilities get hacked constantly. They’re so insecure that once I even accidentally socially engineered an employee to send me my own health data (they did not verify who I was). It would be more secure to use air gapped laptops with hardware-token-based full disk encryption, storing the laptops in a locked safe. At least then one would have to physically break into the facility, which would be much more difficult and risky than remotely hacking in.

Edit (05-04-2025): One would not necessarily have to break into the facility to access patient records. One could coerce an employee to give up patient records or register as a patient oneself to access the computer system when the therapist is away. My main point was that it would be much harder to hack patient records remotely or in bulk with this configuration, thus making the hacker more vulnerable to getting caught, and less likely to even try in the first place.

The relationship between a therapist and a patient is among the most intimate relationships there are. The only two people who need detailed records of said interaction are the therapist and the patient. That’s it. And the therapist only strictly needs those records until the patient stops being a patient. There is absolutely no need for patient notes to be available to anyone else, particularly not in a networked database.

I’m not writing this to discourage anyone from seeking mental health treatment or avoid telling things to their therapist. I just wanted to highlight how unsafe the practice of putting therapy notes in networked databases is and suggest that providers stop doing it.

Don't Use Ancestry Services

2023-10-10T00:00:01+0000

I swear I planned on making this journal entry before the whole 23andMe fiasco. Alas, I never got around to it. Now seems like a good time.

If you’re not up-to-date on what happened, 23andMe is a company that offers genetics testing which reveals ancestry and health information. Recently, they had a data breach with millions of sensitive customer records now being sold on the dark web. These records include names, profile pictures, date of birth, location, and genetic ancestry data. As far as I’m aware, no raw DNA data was leaked, but nothing prevents that from happening in the future. As has been my mantra for years now:

“Companies cannot protect your data.”

How this is not obvious to people yet, I do not know. After seeing breach after breach of user data on the news, one would think that people would stop voluntarily giving companies sensitive data. It doesn’t matter what promises companies make, what expensive advertising campaigns they run, or what laws are supposedly protecting you. The only person who can protect your data is you. The moment you give your data to a third party, you lose control.

Privacy doesn’t exist in a vacuum like people think. Inductive reasoning and statistical inference automated by machine intelligence and applied to data that your associates surrender reveals information about you, even if you never signed anything. Since genetic data, by its nature, always reveals some information about genetically-related nonconsenting innocent parties, and data tends to get leaked, its long-term storage by anyone including governments is a non-starter for me.

Most of the time it’s not the government collecting personal data directly. It’s private entities that people surrender their data to who cooperate with government. We need laws prohibiting the collection of highly sensitive personal data by private entities. While I’m not saying there aren’t legitimate ends that warrant collecting such data about people, even against their will, such collection must be off-limits to private entities since they’re undemocratic and can’t be held accountable like properly-functioning governments can.

To conclude, don’t use ancestry services!

Re: Cloudflare Considered Harmful

2023-10-10T00:00:00+0000

Time for another Hugo Landau blog post. This particular one, “Cloudflare considered harmful”, was written in 2019, but it’s even more relevant given that Cloudflare has since expanded.

First I just want to say that I fully agree with Hugo’s post.

I will never MitM my websites with Cloudflare. For one, there’s no need for it. That I’m aware of, my site has never been DoSed and it gets on my nerves seeing websites use Cloudflare that don’t need it. I often stumble across a website in Tor Browser that I can’t access because of Cloudflare and think to myself “Is this website important enough to need Cloudflare? I doubt anyone has ever cared to DoS it.” And second, as Hugo Landau points out, there are other ways to mitigate DoS that don’t involve MitMing one’s site and making it stochastically fail.

Another important point Hugo makes is that Cloudflare is potentially a global active adversary, calling it “essentially the world’s premier global MitM agency” which causes massive centralization and represents a huge step backwards in the progress we’ve made in TLS support since 2013. Given the nature of Cloudflare’s business, I agree with Hugo that it’s highly likely that it’s cooperating with the NSA. Even if by some miracle it’s not wittingly or willingly cooperating with the NSA, the nature of Cloudflare’s business makes it a high-value target for US intelligence. In other words, if the G men want the data badly enough, and they do, then they’ll find a way.

Finally, I agree with Hugo that the idea of web application firewalls (WAFs) is fundamentally flawed:

“The “web application firewall” concept is fundamentally flawed in all instances, because it falsely presupposes that a blind intermediate proxy can reliably assess the semantic meaning of data transmitted, which is in actual fact impossible. Since this kind of “service” is part of the Cloudflare value proposition and an attempt to add a profit-making value-add, Cloudflare has essentially built their entire business on doing something which is a bad idea and which cannot be reliably implemented.”

I wouldn’t deny that WAFs can increase security. They are defense-in-depth. But they come at the cost of increasing coupling and complexity and, in Cloudflare’s case, blocking valid requests and mangling harmless HTML. Like Hugo says, it’s not the place of intermediate proxies to assess the semantic meaning of transmitted data.

So that’s about all I have to add. In summary, don’t use Cloudflare. If you find yourself tempted to use a WAF, maybe look for another solution.

Re: I've stopped using mobile phones in my life.

2023-10-06T00:00:00+0000

There aren’t many people who intentionally go phoneless in today’s society, especially not young people like myself. But there are some who resist the social expectation to carry a proprietary surveillance device at all times. Since we are few, it’s important to spread the word about our efforts. So today, I comment on Jakub Bidžan’s blog post written in January of this year, “I’ve stopped using mobile phones in my life.”

Before I start, I must admit that I haven’t been completely or continuously phoneless since I wrote my entry about why I don’t use a smartphone, but I’ve resisted using one enough to feel qualified to comment on Jakub’s blog post. So I’ll start by introducing him.

Jakub Bidžan is a Free Software enthusiast, GNU+Linux enthusiast, and GNU+Linux systems administrator from the Czech Republic. He is an administrator of drgnz.club and other servers as well. Judging by his picture, he is also young, which is interesting because most people who reject smartphones are older. Let’s see what he has to say.

“By the end of January 2023 I’ve decided that I would stop using mobile phones.As a consequence I expected there to be much more inconvenience in my life, but actually I feel way more mentally free. I generally have much less temptations with it and can focus better on what I’m doing.”

My experience has been similar. Smartphones created this need in me for instant gratification. When it wasn’t provided by real life, out came my smartphone immediately. It was like a drug. I was often seeking the instant gratification it provided, making it impossible to achieve sustained focused attention for the long-term life goals which give me a deeper sense of meaning.

I relate to feeling more “mentally free” too. Besides improving my focused attention, my mind also felt more free to wander. Without the need to be entertained by something 24/7, boredom troubled me less and I found it easier to connect with the real world around me. I developed patience, realizing that it doesn’t hurt me to wait sometimes and consequently being less of an asshole to people around me.

“You might think that I stopped using phones because the insane privacy violations that come with it, or because I just wanted to be a hipster that walks arround with his librebooted thinkpad and looks down upon normies who scroll through Instagram on their phones.”

I think that being young and intentionally phoneless certainly creates this air of curiosity around oneself, and not just for the surveillance state. But, as the author is about to explain, there are better reasons to go phoneless:

“The real reason why I left phones is that I find phones to be utterly irritating. You can’t do anything useful on these bricks, they are designed to be debilitated devices that are used to coom to porn and consooming youtube.”

Phones are powerful multitools which are good for a number of purposes. Jakub’s hyperbole has a point though. Phones lend themselves to consumption, nay, overconsumption. They have no physical keyboard, so typing is inefficient. The screen is small, so the kind of work you can get done is limited. Users demand a long battery life, so apps that do too much computing aren’t used.

Besides not being that useful compared to computers, phones are also very distracting and addictive. They sound off at random times for notifications and calls, interrupting whatever their owners are doing and causing noise pollution that distracts others. Somehow this has become socially acceptable almost everywhere but movie theaters and business meetings.

As Jakub points out, they are also used to “coom to porn”. Having a smartphone makes watching porn way more convenient since it only takes one hand. This is bad because porn is itself highly addictive and masturbating to porn can degrade real intimate relationships by ruining sex. Also, it heavily skews your expectations by showing you one perfect body after another.

“Installing an operating systems of your choice them is a leap of faith and making them acceptably privacy-respecting is a herculean task. I actually wanted to install a newer version of lineage OS on my phone but I managed to soft-brick it. Now, A soft brick is fixable, but I think the right decision was to not waste time with these stupid devices and just not use them”

If you have an iPhone, forget about changing the OS. Unless you buy an Android phone that is well-supported by custom roms, trying to flash one can be a “herculean task”. You may find yourself following instructions you found on XDA Forums that direct you to download unsigned firmware from expired Google drive links uploaded by god knows who. Then, after hours of trying, the custom rom still won’t work and your computer is now infected with malware.

Desktop or laptop computers on the other hand generally don’t present so many obstacles to installing a privacy-respecting OS.

“Now, I do still use a phone. I use a nokia 6 with stock android on it, which I leave at home and never ever bring it anywhere with me. It basically serves as a kind of a landline. For the few normies that still for some reason prefer to use inferior communication methods.”

Seems like a reasonable compromise.

Jakub goes on to talk about how he makes purchases without using a proprietary banking app. This may be a little off-topic, but I think it’s also important to include:

“My solution to money is to just pay use cash. I can hear people who read this screaming in disbelief, but it is true. I only use cash, I always did and I dont know why I should stop. I honestly don’t even know why I get so many weird reactions when I say this, or actually very cheerful reactions from people involved in Free Culture or Privacy. As if it was something hard, almost impossible to do. I truly don’t know what is so hard about it. Cash is the only good way of transacting privately nowdays, without being surveilled by Big Brother. I think people should be more aware of how dangerous it is for democracy that the government knows what each and every person is buying, where they’re sending money etc.”

I live in Mexico where cash is universally accepted and many vendors don’t even have card readers, so carrying cash is necessary anyway. I’m happy that I never need to worry that cash might be rejected. But I’m keenly aware of societies that are trying to go cashless, making private monetary transactions impossible. I think this could account for why some people into free culture and privacy are so impressed. Where they live, it may be much harder to go cashless.

As for the weird reactions Jakub receives, they probably come from clueless people who don’t understand why privacy matters. In a world filled with people who either don’t know or don’t care that their choices are empowering a surveillance state that erodes democracy, hearing about other young people who see the problem clearly and do something about it cheers me up.

Jakub goes on to say what he misses about having a phone:

“I used to use a phone for some handy things. One of these things was having a flashlight. I bought a small flashlight that is much stronger and I have it on my keyring.”

This sounds like a good solution. Not having a flashlight when you need one can be a pain in the ass. The good thing is that they’re not needed in most normal circumstances and the need for one can often be anticipated beforehand.

“Other thing is that I sometimes listened to music in public transport. Well, I could spend money and buy an MP3 player I guess but I mean I can just not listen to music in public transport… so I did that.”

Same. One doesn’t have to look very far to discover that there’s unlimited free entertainment available even without a smartphone, but I find that it’s good to limit myself so I don’t become dependent.

“There are only two things that I seriously miss about a phone. One thing is mobile hotspot. Going somewhere in the middle of nowhere with my thinkpad and having access to the internet is a nice convenience. I’ve adjusted my computer usage more for offline use, and I’m able to go without it.”

The utility of a mobile hotspot depends on one’s lifestyle and location. People who live in cities for example don’t need one as much since free Wi-Fi is everywhere.

While most people’s experiences with mobile hotspots are limited to smartphones and smartphones are probably the most convenient way to use one, you don’t strictly need a smartphone to have a mobile hotspot. You can buy a standalone mobile hotspot or use a radio for emergencies. I’m not a lawyer and this is not legal advice, but if I’m not mistaken, you’re allowed to transmit on certain radio frequencies without a license in emergency situations.

“Another thing that I miss is a camera. I might just buy a physical camera from a second-hand store, that is my plan. I’m not exactly a photography enthusiast, so some basic one might suffice.”

I can relate. I own a PinePhone Pro running postmarketOS. It’s turned off most of the time and I seldom carry it with me. The mobile Linux application ecosystem is lacking, so I’m thankfully not yet tempted to use it like I am with Android devices.

I believe that the camera works for other OSes, but not for postmarketOS, which is disappointing. I miss being able to take pictures and record videos. Rather than buying a new camera, I’ve decided to just wait until camera support arrives, at which point I’ll probably start bringing it places.

The author concludes:

“Living in a city while not having a cell phone is becomming increasingly difficult, but with enough will it’s not impossible. I think everyone should try not brining their phone anywhere or using it for some period of time, just to experience true freedom. I feel as though I am more mentally free, less teathered to the system and less reliant on technology. Which if you ask me, is a good thing.”

Phones are undeniably useful and I admit that giving them up is a big sacrifice, but I agree with Jakub that we should try to get more people to not bring them everywhere, at least until they’re libre, non-addictive, and privacy-respecting. Maybe we can make it socially acceptable, expected even, to leave one’s phone at home sometimes? Surely that would be a step in the right direction.

Gaining Clarity After Walking Off a Job on Orientation Day

2023-09-05T00:00:00+0000

Over the past year, I’ve been trying to break into teaching as a career since there’s no money in free software. So I earned a TEFL certification and was recently offered an English teaching job at a highly-respected educational institution in Mexico, where I live.

It came as a surprise because this type of job normally wouldn’t be offered to an “unqualified” person like myself. In fact, I’m pretty sure it wasn’t even legal for me to occupy the position given how “unqualified” I am, but there was a desperate need to fill it and, in this country, corruption is the rule.

It started with an interview with the English program director. We discussed the details of the job for a while and got to know each other. The director was surprised to learn that I didn’t have a phone or a phone number. After realizing that I’d need a phone, a phone number, and WhatsApp to contact the director and my coworkers, I told the director I would be willing to get those things. I also learned that I’d need a Mexican bank app to get paid. I wasn’t happy about it, but I tried to remind myself that I needed the job since I’ve lacked stable employment for quite a while now.

Before I’d even discovered the teaching opportunity, I’d already made the rounds at large Mexican banks in a futile attempt to find one that didn’t require a proprietary mobile application just to use the fucking account. I ended up finding an alternative to banking that’s good enough for now. So imagine how annoyed I was finding out that I’d need an account and the app anyway. One of the biggest problems with these bank apps, besides them being proprietary spyware, is that they refuse to work if you use a custom rom or try to exercise any real control over your own device.

I’d need a real mobile phone to get the bank app since my computers lack the CPU instructions to spin up Android VMs. I certainly wasn’t going to spend money on a closed hardware computer or mobile phone, so a family member gave me their old Android device. Thanks to planned obsolescence, I could not upgrade the system past Android 8.1, meaning it probably contained unpatched security vulnerabilities. I was unable to install a custom degoogled rom either.

Thus the phone had all the standard spyware one would expect from an off-the-shelf Android device, including a manufacturer backdoor. I removed as much of it as I could using the Universal Android Debloater, but it was still an outdated Googled Android rom. There was no real way to make it private or secure. This on top of the other reasons I don’t want a smartphone was making me progressively more agitated about the entire situation.

Then I went to the store and gave money to the Mexican telecommunications monopoly Telmex in exchange for a SIM card. After putting it in the phone, I knew it would allow my location to be constantly tracked by the telecom, at least while I was at work and when I didn’t remember to put the phone in airplane mode.

I used my new phone number to download WhatsApp. WhatsApp is an app owned by Facebook, a company so evil and dangerous for democracy that it should’ve been forcibly dissolved years ago, but instead it makes up a large part of the world’s digital communication infrastructure. I was not happy about giving the Zuck my data, but I told myself that I had no choice. I needed the job.

I still hadn’t created the bank account, but I was all set up for it. I had an Android phone and a SIM card. I let the director know that I’d gotten that far.

The next day, I went to the job orientation. The first thing I noticed was that everyone except me was dressed up in suits. It was then explained in the presentation that we were not allowed to wear “anything that made us look like a student”, including tennis shoes. I find formal attire uncomfortable and any expectation for me to wear it, especially on a long term basis, feels oppressive. But whatever. I needed the job.

I also noticed that the classrooms had surveillance cameras, which made me uncomfortable because I had no idea what sort of system lied behind them. I might be okay with it if I knew for certain that the video surveillance feed data was never transmitted over the internet and only a human being was watching it, but I didn’t know that. For all I knew, it sent video surveillance data to some third party which used AI to analyze human faces.

After the orientation, we were shuffled off to a conference room. In the conference room, we were emailed a document to complete as some kind of Google form. While everyone was using their phones to complete the form, I wasn’t even aware that I’d need to access my email on my phone while at work, so I didn’t prepare it and couldn’t access the form. I was also very apprehensive about putting any information in a Google form. Why should I have to give data to the corporate surveillance monster that is Google just to have a job?

Eventually everyone in that group had completed the form and went to get their pictures taken, except for me since I could not access the form. I became frustrated and stressed, so I left to sit down on a bench outside the conference room to calm down, then headed towards the English language coordinator’s office to discuss the matter. They had to continue the orientation soon, but they gave me a few minutes anyway.

At that point, I’d had enough. I didn’t want a phone. I didn’t want a phone number. I didn’t want WhatsApp. I didn’t want a bank app. I didn’t want to use Google. I originally thought I could put up with it all given how badly I needed a stable job, but it turns out I was wrong.

I decided to confront the director about the software we were required to use and why I didn’t want to use it. We ended up having a fairly long discussion. I mentioned that I was on the verge of quitting before I had even begun the job because the software was so bothersome. The director said they wanted to keep me, that I didn’t need to use the technologies I didn’t like, and that they would be willing to work with me towards that goal.

I was slightly relieved, but knowing how large institutions work, I was also skeptical that the English teaching director had the influence to make such an exception just for me. It was time for them to give their speech, so I left to sit outside and consider whether to leave then and there or give it a shot. I ultimately decided that I would give it a shot as long as certain concessions could be made from the very beginning. Specifically that:

I could teach without using a phone number, WhatsApp, Google or Microsoft services, or a proprietary banking app
My refusal to use these services would not inconvenience other teachers in any major way

The director messaged asking me to return and I did. I tried to state the terms under which I was willing to work, but I and all the other teachers were shuffled into another room and paired into our groups before I had a chance to say anything. After being put into a group, the group leader asked me if there was a problem. I told them there was: I didn’t want to use WhatsApp. They said that my refusal to use it would be very inconvenient and cause problems for the group; exactly the situation I didn’t want to happen.

The leader proceeded to lecture me, saying that sometimes it’s necessary to do things I don’t like to fit in with the group and that if I had a problem with that, I’d need to talk with the director. I believe that was the moment when I decided for certain I wasn’t going to work there.

I sat through the rest of the debriefing anyway, where I noticed that the online grading system wasn’t even protected by a TLS certificate, meaning that anyone smart enough to use Wireshark could capture all institutional data including student grades and teacher and administrator login credentials.

After the debriefing, I informed my group leader that I’d decided not to take the job and that they needed to tell the systems people to fix their TLS because the site was unsecured. I explained the severity of this and the importance of fixing it, but I was told that the systems people “would not listen to them”. After hearing that, I walked straight out the door.

Lessons Learned

The reasons I decided to pursue the teaching position in an institution were the pay being reliable, gaining much-needed professional experience, and possibly finding an even better opportunity after.

However, as I’ve realized, working in an institution has some major drawbacks. It means using WhatsApp and other proprietary spyware, making me a victim-coperpetrator of the surveillance apparatus that’s undermining everyone’s digital freedom. It means existing within a rigid command hierarchy where I work my ass off for an unlivable wage meanwhile the value I generate goes towards paper-pushing administrators who pretend to make sure certain requirements are being met.

All in all, I’m glad I had this experience despite it being stressful. It helped me get clear on my career objectives by showing me that there’s absolutely no way I’ll be able to work or study inside any institution or normal workplace. I cannot fit inside “the system”, so I won’t spend any more time trying. The only viable option for me seems to be self-employment, so that’s what I’m going to focus on.

The Electronic Frontier Foundation Defends Your Digital Rights

2023-08-23T00:00:00+0000

The Electronic Frontier Foundation (EFF) is a nonprofit that has been tirelessly defending your digital rights since 1990. Here’s a quote from the about page of their website:

“Today, EFF uses the unique expertise of leading technologists, activists, and attorneys in our efforts to defend free speech online, fight illegal surveillance, advocate for users and innovators, and support freedom-enhancing technologies.

Together, we forged a vast network of concerned members and partner organizations spanning the globe. EFF advises policymakers and educates the press and the public through comprehensive analysis, educational guides, activist workshops, and more. EFF empowers hundreds of thousands of individuals through our Action Center and has become a leading voice in online rights debates.

EFF is a donor-funded U.S. 501(c)(3) nonprofit organization that depends on your support to continue fighting for users.”

Organizations like the EFF are more important now than they’ve ever been. They run campaigns and events, host podcasts, make press releases, fight legal battles, promote digital privacy tools, document police surveillance tech, and much more in the name of protecting digital civil liberties.

My main personal interest in the EFF is their press releases. I find them informative and they help me stay updated. For others who might want to easily follow the EFF, here is a list of their RSS feeds.

If you can, please make a donation (not with cryptocurrency) or contribute to their work in other ways.

Re: Why even let users set their own passwords?

2023-08-17T00:00:00+0000

This entry is a yet another commentary on an article written by Hugo Landau, titled “Why even let users set their own passwords?”.

“Today we seem to be living through a war on passwords. This is manifested in various ways … The more material changes are the general trend towards no longer treating passwords as a sufficient condition for access in favour of either mandatory “2FA” or, where 2FA is not used, risk-based authentication, in which some extra authentication step is non-deterministically and randomly demanded.

This step is commonly something like “enter the code in an email we just sent” when trying to login. Since this process is literally the same as most password recovery processes, it raises the question of what the point of a password is in the first place if you always have to go through this process when trying to login.”

There are several flaws with this email token approach to account security as described by Hugo.

First, as Hugo points out, since the alternate login flow (password recovery) only requires the email token, the password not only becomes a pointless inconvenience that increases system complexity with no security benefit, but it also gives the user a false sense that their account is protected using two-factor authentication when it’s not.

Even if the email tokens were truly two-factor, most users probably access email from the same device they use to log in to online accounts anyway. So it still wouldn’t be “proper” two-factor.

Second, these email tokens actually give the attacker several more avenues to gain account access, and in ways the user likely isn’t considering, doesn’t know about, and has no ability to mitigate. Here are a few:

Guessing the user’s email account password
Completing the user’s email account recovery process
Phishing the user’s email
Compromising the user’s email server
Phishing the user’s email server administrator
Compromising the user’s email server’s cloud hosting provider
Compromising the user’s email server’s cloud hosting provider account
Phishing the user’s email server’s cloud hosting provider
Completing the email server’s cloud hosting provider account recovery process
Breaking into the user’s email’s domain name registrar account
Completing the user’s email’s domain name registrar account recovery process

“Often this will be combined with fallacious notions such as “remember this device”, the idea being you only have to go through all this the first time when logging in from a particular device. This idea is fallacious because the web has no notion of a “device”, and this is a very intentional design choice made for privacy purposes. We are literally living through the gradual phase-out of third-party cookies, amongst other functionality, specifically to try and prevent this sort of thing, so why do web developers persist in believing in this fiction of a “device”? My own browser erases all cookies from an origin immediately after the last tab from that origin is closed, so these sites are convinced I am logging in from a new “device” every single time, and then demand I respond to one of these challenge emails.”

I don’t see the “remember this device” terminology as a problem. I think it helps non-technical people understand what’s going on while technical people understand what it’s doing anyway.

My browser also erases cookies, so I also have to log in every time, but this is the desired behavior.

I agree that using email tokens as a login system is problematic, but that’s a separate issue. I agree that websites shouldn’t use third-party cookies, but third-party cookies aren’t required for “remember this device” that I’m aware of. So it’s not exactly clear to me what Hugo’s complaint is here or what they want done about it.

“While at the same time every website for the masses now seems to be designed around the assumption that everyone is going to set their password to “password1”, web-based HTTP APIs are also widely popular nowadays. These services almost invariably perform authentication via use of a token or “API key”.

An API key is basically a password, except that it is randomly generated by a website with a large amount of entropy and thus assumed to be secure. A given website might obnoxiously refuse to trust in my ability to set a secure password, assume the 24-character randomly generated password I keep in my password safe is insecure, and demand I complete an email challenge every time I login because I actually bother to exercise control over browser privacy and persistent cookies, yet that same website is happy to let me authenticate using an API key for API access as a single authentication step. No “2FA” here.”

API keys are used by programs and automated systems, so they can’t use 2FA. As Hugo observes, this nullifies 2FA. This is why API key access should be limited by default so someone with the key can’t just change the account login credentials as they could if they’d logged in normally with 2FA. Some online services do limit the scope of the API by default, but some don’t. They ought to.

For many non-security-minded people, it doesn’t even occur to them that enabling API keys cancels their 2FA. Websites ought to display a warning inside a confirmation dialog when users try to create an API key that would circumvent 2FA while they have 2FA enabled, or when they enable 2FA while having an API key.

“…all website login schemes ultimately rely on some kind of session cookie, which is similar to an API key in the sense that it is a high-entropy site-issued bearer token. In other words, all website authentication schemes, “2FA” or not, ultimately rely on the ability of a client to be enrolled in and use high-entropy site-issued bearer authentication tokens as the sole criterion of access.”

By logging in, users trade their 2FA for a 1FA session cookie. If the attacker can steal the session cookie, that’s all they need to assume control over the account.

Some online services are keen on this and require an additional 2FA step to change important account settings while logged in, such as account credentials. This extra 2FA step still doesn’t make the account fully secure, but it’s better to have it than not and many websites don’t have it.

“There are agreed best practices for the handling of passwords, namely, to not reuse passwords between accounts, use randomly generated passwords, and keep those unique passwords for each account in a password safe. This raises the question: if the industry agrees this is the (more or less only) correct way to handle passwords, why actually allow users to set their own passwords?

Rather than allowing a user to set their own password, passwords can be issued in exactly the same way as API keys are now: a high-entropy password is randomly generated by the issuing website, and the user is shown the password once only and asked to record it. If the password is lost, a new password must be generated using the same process. The user cannot choose their password, but can get a new randomly generated one in the event of compromise. The password essentially becomes indistinguishable from an API key.”

I agree. I also think it would be a good idea to include a notice telling the user to store the token in a password manager. Some might object “You can’t require users to store randomly generated passwords. Since they can’t remember it, they’d take a picture of it which would be synced to Google Photos and Apple iCloud. They’d write it down in an insecure location. They’d save it in a text file which they’d accidentally delete. They’d do everything except learn to use a password manager.”

Based on my IT experience, I completely agree. The average user would simply ignore the advice to use a password manager and do whatever they wanted anyway. But they already do the same with passwords they set themselves. While websites have a duty to take every reasonable step to secure user accounts, in the end, they can’t stop users from shooting themselves in the foot if they insist on doing so. So they may as well make things as secure as possible on their end by generating secure user passwords rather than allowing them to set poor ones.

On the server side, generating secure user passwords would have another benefit that Hugo didn’t mention: One could store user passwords run through a single iteration of a cheap, fast hash function rather than using a relatively expensive key derivation function that needs its iteration count constantly updated and requires storing a salt. Rainbow tables and password cracking software would be so useless that no sane attacker would even attempt it.

“… With TOTP, knowledge of the secret is proven without sending it to the website. With a site-generated password, knowledge of the secret is proven by sending that secret to the website. This is a slight security benefit to TOTP. It doesn’t seem to provide any useful security against a compromised or impersonating website (an impersonating website can just forward the TOTP challenge value to the real website and use it to login as the user), so its main benefit seems to be to avoid having the device the user is logging in as be able to glean the secret, in the event that device is compromised. This is a potential upside, though since on successful login the compromised client device has access to anything gated by that login anyway, the benefit seems dubious.”

While I’d prefer to use TOTP codes instead of a password for online services, I agree that the security gain would be dubious when compared to secure, server-generated passwords.

“Since I don’t lose my secrets I’m happy to assume responsibility for the possibility of permanently locking myself out in exchange for higher account security and disabling email as the “master key to all accounts”.”

Email being the “master key to all accounts” irks me too. I understand why online services make it so and it may even be necessary as an emergency fallback measure for restoring user account access post server compromise, but email is insecure and cannot be secured. 99.99% of users don’t even legally own the domain their email is registered under, so they don’t own their email either. That means the “master key to all their accounts” is an identifier they don’t own and can be arbitrarily taken away. Not good.

But if you don’t allow users to reset passwords via email, what else is there? SMS codes? Phone numbers are even less secure than email. Security questions require storing sensitive information about users that inevitably gets leaked by hackers.

What I’m about to suggest might sound harsh, but I think it’s the best way forward. I think online services should just enforce random server-generated passwords as the only credential required for login and if a user loses it, they have to create a new account.

I know, I know. People would be getting locked out of their accounts left and right, but I think part of the reason the average user is so incompetent is because online services are designed with the expectation that they are.

If we want competent users, we should stop catering to the least common denominator. Let’s set this bare minimum standard instead: If a user can’t figure out how to save their login credentials to a file and create a backup in case of emergency, or at least find a trusted third-party to do it for them, maybe they’re not competent enough to use the service.

If it’s important that they be able to access the service even if they’re technically uninclined, then the service should be available through offline means.

There are online services that already use secure, server-generated passwords, such as the VPN company Mullvad. Granted, it’s easier for them to pull it off given the type of service they offer, but online services have to set the bar somewhere or else website login will continue to be inconsistent and suck.

“… a site which requires a password and email verification for each login is not 2FA if access to the same email account can be used to reset the password; this scheme is no more secure than just requiring email verification per login. Another example is if a site tries to insist on verifying logins using SMS messages sent to a user’s phone number. Since this (particularly bad) design is based on the false premise that a user’s phone number is more secure than an email account or any password, such sites will often allow a reset of all the other factors (like a password) by access to this phone number alone. This is quite literally 1FA, just with a different single factor.”

I think the reason websites’ login systems often seem confused about what they’re doing and we get all these strange, poorly-designed login schemes is that they’re trying to accomplish two mutually exclusive goals simultaneously:

Make certain that tech-illiterate users never get locked out of their accounts
Secure user accounts and associated data against attackers

You can try to strike a balance between these two options with risk-based authentication, but you’ll just end up with indeterminate login criteria which locks out tech-illiterate users and/or collecting sensitive user data which you cannot secure in the long run. Supporting Web Authentication is a good idea, but the tech-illiterate user will get locked out when their FIDO device breaks or gets lost or they buy a new computer with a different TPM.

In conclusion, I’m highly skeptical that there’s any way of creating a secure online login system that also ensures tech-illiterate users never get locked out. Designing a login system around the assumption that the user can’t even safeguard a password or hardware key is a total non-starter for account security and teaches users that it’s okay not to know what they’re doing because online services cater to the clueless.

Online services should instead start with the assumption that the user has a basic level of computer competence and force them to use passwords that are securely generated on the server-side with an optional 2-factor TOTP instead of cooking up poorly-designed, misleading, insecure, non-deterministic, data-hazardous login systems.

Long term, we need to deprecate passwords and move towards asymmetric keys for authentication. There is an attempt to bring asymmetric-key-based authentication to the Web with the Web Authentication standard, but almost no one has FIDO devices, a lot of people still have old CPUs without TPMs, and I haven’t found any purely software-based solution for using WebAuthn.

So, for the moment, forcing WebAuthn on users seems less practical than forcing secure server-generated passwords onto them. Until WebAuthn becomes a viable option or the Web itself is replaced with a more secure standard, secure server-generated passwords would be a good next step.

Re: Against risk-based authentication (or, why I wouldn't trust Google Cloud)

2023-08-10T00:00:01+0000

I found another article written by Hugo Landau which discusses the unavailability of risk-based authentication (non-deterministic login). For those who don’t want to read the entire article, here’s a short quote which captures the essence of Hugo’s critique:

“The problem is precisely this: The credentials you require to access a Google account are essentially indeterminate. Supposedly, for a simple Google account without 2FA enabled, knowledge of the account email and password should be sufficient to access an account; except sometimes, they aren’t. Sometimes, Google might randomly decide your login attempt is suspicious, and demand you complete some additional verification step.

This sounds potentially innocuous until you then realise that there’s no guarantee you can actually complete this additional verification step. There are to my recollection numerous stories of people being locked out of accounts which they have the passwords for because Google has decided that things are suspicious and having the password is not enough.”

Apart from the availability issue that Hugo brought up, my problem with risk-based authentication is that it usually relies on collecting and indefinitely storing sensitive data about the user for later comparison, which violates their privacy and creates needless risk of sensitive data exposure.

Hopefully risk-based authentication will fade away and online services will switch to better alternatives.

Re: Phone numbers must die

2023-08-10T00:00:00+0000

This entry is a commentary on the article written by Hugo Landau titled “Phone numbers must die”. I’ll be quoting from it heavily. Let’s get started.

“I neither have, nor want, a E.164 number (phone number) at this time, so services which demand I offer them one are making an invalid assumption and, advertently or inadvertently, telling me to get lost.”

Very early on in the article is the first criticism of E.164 numbers. Hugo doesn’t explicitly say so here, but it’s implied that they are frustrated that so many services require a phone number.

I know what Hugo is going through here. As someone who also doesn’t want a phone number, I have struggled to avoid services which require one. My biggest obstacle so far has been banking. All the banks in Mexico require not only a phone number, but also a phone app, despite the fact that banks predate phones and phones have never been needed in the past to have a bank account. It took me some time to figure this out though.

Edit (20-03-2024): It isn’t 100% fair to say that all banks in Mexico require a phone app, but it isn’t far from the truth. BanCoppel is the only major bank I’ve found to be semi-usable without downloading a proprietary app. If there are other banks which don’t require an app, they certainly don’t advertise it. Even at BanCoppel, customers without the app have limited account functionality and interactions with bank employees are more difficult since they’re so accustomed to app-using customers.

In the first bank I tried, I was able to successfully make an account. I asked if a phone was required before I made the account and was told no. They said I could use the web interface. As I would find out later, a proprietary phone app (which also required a phone number) was needed to log into the web interface. I tried the app on someone else’s phone and found out it uses a dizzying array of seemingly redundant token-based authentication mechanisms which make it seem like whoever designed it didn’t understand the concept of a threat model. After looking into the app further, I discovered it included face-scanning, location tracking, and AI-based behavior tracking. Needless to say, I closed that account.

After that, I walked into another bank branch where there was a sign saying that one had to make an appointment over WhatsApp before talking to someone. I just walked out.

In the next bank, I was very clear that I didn’t want to use a phone or phone number. I was told that all banks in Mexico require proprietary smartphone apps. By refusing to use one, I’d be unbanked.

As if that weren’t bad enough, I found out that the bank apps strictly limit the configuration of the phone for “security reasons”, making it very difficult to run them on privacy-respecting roms. It’s as if they expect you not to exercise control over your phone, and discriminate against those who do. During testing, I did successfully get one working on stock Android after several hours of fiddling with settings and installing mods to spoof system information. The average user would have no chance.

In the end, since my only alternative was being unbanked, I signed up for a fintech company which doesn’t require a phone app. It still officially requires a phone number, but seems to work without one. It’s definitely not a permanent solution. In the future, I hope to find a more permanent solution that doesn’t require a phone nor a phone number in any capacity.

After “Phone numbers must die”, Hugo wrote another article titled “Having a bank account without having a phone number”, the first part of which recounts their own story of achieving phoneless banking in the UK. Apparently it’s still feasible over there. Go ahead and read it if you’re curious.

But phone numbers being mandatory doesn’t just leave phoneless people unbanked. It creates problems for attending university, socializing, finding a job, and other things which have never historically depended on having a phone number.

I think this brings up the important question of why people like Hugo and I go through so much trouble not to have a phone number when it’s just easier to have one. What reason is there not to have one? As it turns out, there are many. Here’s one of Hugo’s reasons:

“…Though I could trivially obtain a new SIM card to put in an old dumbphone, and with it a new E.164 number, this would force me to engage with the small number of carriers with spectrum and their variously obnoxious business practices, or the larger number of MVNOs which resell those carriers and are thereby forced to perpetuate their business practices, and thus can never truly be better than them.”

As Hugo states, one of the reasons it’s a problem that having a phone number has become a de-facto requirement is that telcos are evil oligopolies that fuck over their customers. Why should you have to give money to evil telcos just to get a bank account, or a job, or a university degree?

Given that the practical choice for the vast majority of people is between having a phone and phone number or being destitute, the telco contracts and software license agreements on phones are manufactured agreement. It’s a bastardization of real consent because there is no real alternative. When people sign these contracts, they’re not agreeing with the terms set by telcos or software vendors. They’re agreeing that they need a job. They’re agreeing that they want to participate in society. And they’re agreeing not to be left behind.

I would just add that requiring telephone numbers for performing basic functions in society is also bad because it necessitates having a phone. Yes, online telephony APIs exist, but almost nobody uses them for a personal phone number. I’ve already made quite a detailed journal entry talking about the harms of smartphones, but even dumbphones necessarily have 24/7 location tracking (that’s how the telephone network works). People shouldn’t have to submit to the surveillance or the addictive nature of phones just to function in society.

“The E.164 namespace addresses an international, and rather opaque, network of companies operating dubious business and billing practices. Many networks are being converted to packet-switched, VoIP architectures internally, but the chronological billing model borne of the economics of circuit-switched telecoms is kept alive as a facade, it no doubt being more profitable. In some ways no company has any power to rise above this, because they have to route calls to other networks which operate in the same way. The global PSTN thus forms a dubious world map of private fiefdoms, each with their own billing practices. The PSTN is never going to be weaned off the billing model of hundred-page price lists listing E.164 prefixes and associated per-unit-time call costs, despite the Internet by its very existence having proven that there are better ways to pay for and operate a global communications network. I object to the continued existence of this network, operated as it is.”

Here, Hugo is shifting from criticizing phone numbers to the global circuit-switched telephone network itself. The first part of the criticism is technical. Hugo points out that circuit-switching is so outdated that telecoms don’t even use it internally because of its inefficiency. Instead, they use Voice over IP, a packet-switched internet protocol. The packet-switched internet should have superseded the telephone network years ago, but the telephone network still remains alive today.

The second part of the criticism complains that the reason the telephone network remains alive is so that the oligopolistic telecoms can continue to greedily extract money from customers. There’s no technical reason that the telephone network shouldn’t be gone by now. We would all do just fine without it and without E.164 numbers. Some internet-based replacement for E.164 numbers could easily be realized.

While I completely agree with Hugo’s technical criticisms, I would point out that while the internet is superior to the telephone network, it also faces the same problem of oligopolistic control enforced by the network effect. Like the telephone network, the internet is largely controlled by only a few entities. The reason for this centralization is because the network stack is broken and outdated. We’ve known for decades about ways to improve it and create a more secure, decentralized internet, but it’s hard because, just like with the telephone network, there are vested interests who stand to lose power and money if the technology improves.

“The E.164 namespace is not secure, not only because carriers are prone to randomly reassign disused numbers. Not too many months ago were articles posted on HN about how a targeted attacker managed to obtain control of a organization’s staff member’s highly used E.164 number, probably just via social engineering. Since many accounts systems entertain the demonstrably false idea that E.164 numbers represent a more secure point of contact than other identifiers, such as an e. mail address, this creates a significant vulnerability, especially where users are forced to offer E.164 numbers unto this end.”

Fully agree. When I see online services using SMS as a form of multi-factor authentication, it drives me up a wall. SMS codes are not secure authentication! In my journal entry “Comparing Multi-Factor Authentication Methods”, I rated SMS code security as “weak” precisely because texts can be intercepted relatively easily via SIM swapping. As a user, there is no way to prevent this. The burden to protect your phone number rests entirely on the side of telcos, who have proven easy to socially engineer.

Also in my journal entry regarding multi-factor authentication, I rated email tokens as “fair” security. That is, perhaps not as strong as something like time-based one-time passwords when properly used (stored on a separate device), but definitely better than SMS codes. Hugo seems to agree with me about that:

“There are an array of procedural hazards regarding the security of ICANN domains, relating to a variety of suspension and forced-transfer-of-ownership procedures, such as those used for trademark disputes. It’s not a very accountable system, and one that operates independently of the courts, nor are ICANN domains something one truly owns. Nonetheless, understanding the threats posed to ICANN domains one controls, I trust and prefer them a lot more than E.164 numbers.”

I’ve also expressed the opinion that ICANN can’t be trusted and that you never truly “own” ICANN domains. But, I also trust and prefer ICANN domains over E.164 numbers.

“Probably the most laughable instance of telephone centricity however was when in a moment of madness I tried to sign up for a Twitter account. Upon submission of the registration form the Twitter website told me to sign up via the Twitter smartphone application instead, which was a truly bizarre non sequitur given that I hadn’t provided it any evidence I had a smartphone in the first place. Since in fact I do not, it was essentially telling me to get lost. What was hilarious however was that I succeeded in creating the account by running the Twitter application inside an (obviously E.164 number-free) Android VM, essentially proving that the whole thing was a spectacle of security theatre.”

I’ve also used Android VMs to avoid smartphone use. I once helped someone set up an Android VM with Microsoft’s multi-factor authenticator app so they wouldn’t have to mix their work data with their personal smartphone. I understand if the developers are just targeting mobile, but intentionally forcing users to use mobile apps to accomplish certain flows is awful design. Like Hugo said, what if the user doesn’t have a phone?

What’s particularly frustrating about this is that, as a user, I have no indication ahead of time which of the flows require the mobile app and which I can do on the web or desktop. It’s also not something company employees are used to thinking about, so they generally can’t give straight answers regarding which part of their services require a phone either. It’s like the example I mentioned with the bank that told me that I didn’t need a phone and then I found out later that I couldn’t even log in without their mobile app.

“What really irritates me about these demands for E.164 numbers, however, is how they represent an abandonment of what I would describe as “internet nativity”. When Google demands an E.164 number, they’re not demanding it despite the fact that E.164 is a somewhat closed, opaque network, but because of it. Basically everything bad about the E.164 namespace and its constituent organizations is precisely what makes it attractive to organizations for use cases like these. They prop up an opaque network by relying on it, because they find the very openness of the internet troublesome. This essentially represents a wilful vacation of the internet as the one true network, by an organization which is iconically associated with the internet itself. It’s a depressing move to see.”

Internet services require a phone number because they cost money and the user probably already has one. So it makes for a decent barrier against spam that doesn’t make the user spend extra money and doesn’t leave out (most) legitimate users. But as Hugo points out, coupling E.164 numbers with internet services detracts from “internet nativity”, creating a dependency on an opaque network run by oligopolies following questionable business practices.

If you run an online service or business which strictly depends on E.164 numbers and there’s no legal regulation forcing you to, then you’re just wrong. There are alternative ways to prevent spam and E.164 numbers certainly shouldn’t be used for authentication. There’s no excuse for requiring them. So please stop propping up this shite network and let phone numbers die already.

Copyright Versus Freedom of Speech

2023-07-18T00:00:01+0000

Almost all debates about copyright leave out a crucial argument against it, perhaps even the strongest one.

Hyphanet, a peer-to-peer platform for censorship-resistant and privacy-respecting publishing and communication, spells out this crucial argument in their about page:

“The core problem with copyright is that enforcement of it requires monitoring of communications, and you cannot be guaranteed free speech if someone is monitoring everything you say. This is important, most people fail to see or address this point when debating the issue of copyright, so let me make it clear:

You cannot guarantee freedom of speech and enforce copyright law

It is for this reason that Hyphanet, a system designed to protect Freedom of Speech, must prevent enforcement of copyright.”

In the past, there was a stronger distinction between distributors and distributees of copyrighted media. The distributees didn’t themselves have the means to redistribute it on a mass scale. So this argument didn’t apply because one didn’t need to conduct massive surveillance on communications to enforce copyright law.

But now we have the internet and peer-to-peer networks. Anyone can download from or upload to anyone else. Within this environment, the only way to ensure copyright law isn’t being broken is to employ a digital surveillance dragnet on everyone. This should be the first and last point brought up when debating copyright. Until someone figures out a way to enforce copyright without either crippling the open internet or violating people’s privacy and freedom of speech, no further refutation is necessary.

The Hyphanet about page then goes on to make more standard arguments against copyright. I won’t quote these points since they’re a dime a dozen among those who are against copyright, but I’ll give a quick summary to close:

Copyright is ineffective at rewarding artists
There are better alternatives for rewarding artists than copyright
Ending copyright wouldn’t be the end of professional art

Explore Neocities!

2023-07-08T00:00:00+0000

This story starts with GeoCities. I’ll let Wikipedia do the explaining:

“GeoCities, later Yahoo! GeoCities, was a Web hosting service that allowed users to create and publish websites for free and to browse user-created websites by their theme or interest. GeoCities was started in November 1994 by David Bohnett and John Rezner, and was named Beverly Hills Internet briefly before being renamed GeoCities. On January 28, 1999, it was acquired by Yahoo!, at which time it was reportedly the third-most visited website on the World Wide Web.

In its original form, site users selected a “city” in which to list the hyperlinks to their Web pages. The “cities” were named after real cities or regions according to their content: For example, computer-related sites were placed in “SiliconValley” and those dealing with entertainment were assigned to “Hollywood”, hence the name of the site. Soon after its acquisition by Yahoo!, this practice was abandoned in favour of using the Yahoo! member names in the URLs.

In April 2009, the company announced that it would end the United States GeoCities service on October 26, 2009.

There were at least 38 million pages displayed by GeoCities before it was terminated, most user-written. The GeoCities Japan version of the service endured until March 31, 2019.”

The third most visited website on the World Wide Web. 38 million mostly user-written pages before it was terminated in 2009. Just wow. That’s impressive. I was only ten years old when GeoCities shut down, so it was before my time. I never got to experience it in its prime.

Thankfully it was archived by The Internet Archive and others before being shut down. So now there are mirrors out there which still allow navigating GeoCities in case you wish to browse. There’s also a torrent available for download containing archived GeoCities.

In my Gemini appreciation entry, I briefly mentioned a site called Neocities, but decided that it deserves it’s own entry, which is what this is. Neocities is what it sounds like: a continuation of the idea of GeoCities. Unlike other site-creation websites which come with predefined templates with professional site designs, Neocities targets site designers who have a passion and interest for making fun websites, not just profit.

The goal of Neocities is to revive the Web of old, where people made their own creative and fun websites instead of being herded into lame corporate-controlled addictive social media to express themselves. It allows anyone to create their own free website, express themselves online, and it makes the Web fun again.

While I ultimately think that the Web should be replaced with a better protocol, I still very much enjoy browsing Neocities. There’s all sorts of zany websites there and it’s much more personal than anything you can find on the big search engines.

Back in the day when the Web wasn’t a hypercommercialized advertising and tracking cesspool, people used to surf the Web. You followed webrings from one website to the next and it was fun. Maybe you’d find a deep conspiracy, or read someone’s blog about their twenty cats, or take a virtual tour of someone’s garden. You never knew what you’d find, but every website you visited was personal. It was someone’s way of expressing themselves. It was a way of connecting with other people.

Sure people express themselves today with social media, but it’s not how it used to be. People no longer surf the Web. They browse it, often just mindlessly scrolling to keep the dopamine levels up. Their creative freedom is more limited. Everyone’s profile pages look almost exactly alike. The Web is no longer the wild west it used to be. Now it’s just ruled by companies that want to mine our data and waste our time with ads.

That’s why I appreciate Neocities. So check it out! (and maybe even make a site!)

The Problem With GrapheneOS

2023-07-06T00:00:00+0000

GrapheneOS offers far more privacy and security than the Googled vendor-and-carrier-modified versions of Android that most Android users have. This would still be true even if people continued using the same proprietary apps after transitioning to GrapheneOS. For that reason, I don’t want this entry to discourage anyone who already has a Pixel from flashing GrapheneOS.

However, I think the way GrapheneOS is marketed is potentially harmful. GrapheneOS is marketed as private and secure despite it only supporting devices with proprietary firmware and blobs.

“But isn’t proprietary firmware a problem with all custom Android roms? Why pick on GrapheneOS?”

Yes it’s a problem for all custom Android roms, but I’m picking on GrapheneOS in particular for several reasons:

It runs exclusively on devices with proprietary firmware
Its website reaches many in the privacy/security community
Its website emphasizes its privacy and security more than any other custom Android rom
Its website documents how proprietary components are used to “increase” device security
Its website fails to acknowledge that the proprietary firmware that GrapheneOS-supporting phones run is a risk to privacy and security

In my opinion, calling your operating system (OS) “private and secure” while not acknowledging the risk of the proprietary blobs required to run it is misleading. It’s one thing if your OS can also run on open hardware or the proprietary firmware it requires is very limited, but it’s another thing entirely when your OS only runs on very closed hardware. Free software, privacy, and security go hand in hand. You can’t just ignore hundreds of megabytes of unauditable proprietary blobs that run at boot time and still pretend it’s a secure device just because you have hardened malloc.

Also, there’s another problem with the proprietary firmware which GrapheneOS doesn’t sufficiently address in my opinion. Since GrapheneOS requires up-to-date proprietary firmware to support devices, it’s entirely dependent on OEMs to update that firmware. But it’s in the OEM’s economic self-interest to stop providing support as soon as they’re not legally obligated to.

Why is this GrapheneOS’ problem? Well if privacy-conscious people are promoting GrapheneOS, some might purchase new Pixel phones to keep up with GrapheneOS’ releases. This funnels more money into proprietary hardware, perpetuating the cycle of endless e-waste rather than funding open hardware, which is less wasteful and clearly the right direction for privacy and security. GrapheneOS could warn people against buying new Pixel phones just to install their OS and instead suggest supporting open hardware.

As for the privacy/security aspect, what I’d like to see on GrapheneOS’ website is something like what Replicant, another Android fork, has. Replicant has a lengthy article detailing how the proprietary firmware and blobs plaguing modern smartphones threaten mobile privacy and security in the general case and specifically for Replicant-supported devices. It shows that the developers clearly understand the problem with proprietary firmware.

In conclusion, GrapheneOS should include a page like Replicant’s on their site detailing the potential dangers of the proprietary firmware on their supported devices and encouraging people to purchase maximally open hardware alternatives if possible.

Finally, I know I’ve used the terms “firmware” and “blobs” interchangeably even though they’re not interchangeable. I don’t think it affects the point I’m making, but I’m not an expert in this topic. So I’m happy to take criticism from someone who knows more and make corrections or clarifications if necessary.

Re: bullshit.js

2023-07-04T00:00:00+0000

People in advertising, marketing, SEO, and other bullshit industries have littered the web with phrases that sound significant but don’t actually communicate anything.

A while back I discovered this amusing JavaScript program called bullshit.js which you can run in the browser to replace some of that marketing BS with the word “bullshit”.

The official bullshit.js webpage includes a bookmark link which is vulnerable to xss. Here’s my patched version:

javascript:(function(){var d=document,s=d.createElement('script');s.crossOrigin='anonymous';s.integrity='sha256-J3uYBSO4XnmUCTfYH458SPL2Cp+wlPOnt64DreZjAtw=';s.src='https://unpkg.com/@mourner/bullshit@1.2.0/bullshit.js';d.body.appendChild(s);}())

Enjoy.