broken telephone and the hammer which smashed it

Tracking Cookies, Analytics, and the GDPR. Or “How I learned to stop worrying and FUCK the European Union”

General Data Protection Regulation

Wikipedia: The General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation in EU law on data protection and privacy for all individuals within the European Union. It also addresses the export of personal data outside the EU. The GDPR aims primarily to give control to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.

The General Data Protection Regulation, often referred to as the GDPR for short, is a European Union law taking effect in 2018. This law was crafted to address the problem of corporations exploiting the data they gather from consumers using their internet products, which has gotten completely out of hand.

Enter: The Problems

GDPR was rushed. This is most blatantly evident in the huge number of obvious per-use-cases where it simply does not apply. There’s a whole lot of exemptions made to allow for conflicts with other laws. They wanted to punish Facebook, and they did not take the time required to craft a thoughtful solution that will survive long term. I will try to address some of the more damaging issues introduced by this regulation.

WHOIS: A necessary public tool for the Internet to function

The first casualty in this story is the WHOIS service. When you register a domain name you are leasing a public resource from a limited pool of similar resources. For this reason it is absolutely necessary to ensure that every domain name registered is a real person, who is using their domain for real legitimate purposes. In cases where they are not, the domain is released back into the public pool so that someone more deserving can utilize it.

WHOIS not only provides a means of contacting the owner or maintainer for a particular domain, it also provides an important tool for diagnosing security problems such as being attacked from specific networks. It is necessary to use WHOIS to contact the appropriate administrator handling security on those networks.

Because of the terrible way in which GDPR has been executed, there has been a rushed effort to “fix” WHOIS to be compliant with GDPR. But WHOIS doesn’t need fixing, it works exactly the way it’s supposed to already. The problem is ignorance among the users, period.

Analytics, a god given right.

Another huge problem area is website analytics. GDPR places restrictions on the kinds of data that can be gathered using tracking and reporting software. But this is insanity, you can’t restrict what methods I use to monitor and police the activity of those accessing MY networks. I am 100% within my rights to scan and record 100% of your requests against my server, all of your page-viewing habits, and anything else I can think of. It’s my toy, and you’re touching it. You damn well better believe I’m recording your fingerprints and there is nothing anyone can do about that. When you are visiting my website you are not entitled to privacy. (I do respect your privacy, you just aren’t entitled to it). One nation cannot change this with some bullshit law, it’s a fundamental concept of property ownership, it’s older than the EU and more important.

The EU is Disintegrating. Why do their laws matter?

This is a contentious item to be sure but no less important. With the removal of Greece and then the United Kingdom, it is reasonable to assume that the European Union is already dead. It is too soon to assume that they will recover from the loss of two significant member nations. We don’t have a lot of historical precedent, but typically when a “union” starts losing members it is no longer a union. Why should the global marketplace conform to the laws of a failed nation? What gives the EU more authority on this subject than say, a collection of Third World nations? Nothing. It’s favoritism from “Western” nations. That’d be fine, if the EU weren’t crumbling, but all of the indications are that it is. Maybe we shouldn’t be betting on the losers.

So what’s the right answer?

FUCK man, how the hell should I know? The internet was not invented with privacy in mind. Encryption was an after-thought. Here’s a suggestion, why don’t we spend the next 5 to 10 years brainstorming and crafting an INTELLIGENT and BUG-FREE privacy protection treaty? The Internet is a global environment, and laws which regulate behavior on the Internet should only be those which all of us living on this planet can agree upon. This is really common sense that any properly educated adult could only conclude.

Why are you down on privacy rights?

I’m not. You probably realize if you’ve spent time on my blog I’m a die-hard privacy advocate. I also hate poorly crafted regulations, which is what the GDPR is. I wish they would have spent more time on it. I wish they would have consulted with more qualified experts. Maybe if they’d crafted the law on github and allowed the public to submit issues, the result would have been better. Heck all laws should be written this way.

Some Tips

There is a classic saying well known amongst grey-bearded hackers: “If you don’t want it known, don’t use the phone”. You should firstly assume that whatever you’re doing on the Internet, someone is watching it. If you want to protect your data you should encrypt it, and secure your computer against unauthorized spying. Visit ssd.eff.org for a lot of excellent tutorials on how to achieve this.

This Post is a Work In Progress

The consequences and fallout of the GDPR are still unfolding. I will be updating this post as I find more things to complain about which would surely have been caught if they’d spent a bit more time on the bill.

care bears holding paws

How to socialize on the internet

Preface

It occurs to me many internet users maybe don’t have a Free and Open Source guide to the socializing options available to everyone. We all know about large social media corporations but perhaps you’re tired of the limitations they place on your content, or the invasions into your property rights or privacy. So this guide will be a signpost to a few great (and free!) choices.

The Blog – WordPress

WordPress is currently the best choice for blogging. It’s a great choice for a lot of other purposes too, which makes it a solid leader for “best website software”. Your family photo album, your small business, your personal opinions, and many other capabilities. I suggest starting with free themes, and low cost private hosting that offers you E-mail with your website’s domain name.

How will my friends follow me?

All the best blogging softwares, including WordPress, include support for publishing content “feeds”, including rss, rss2, atom, and so on. This is usually built in and enabled by default, allowing anyone to use various free RSS feed reader applications to follow their friends’ updates.

Link to WordPress: https://wordpress.org/.
Link to RSS Readers: Wikipedia.
Link to Hosting: Pride Tech Design.

The BBS – phpBB

A somewhat underappreciated feature of social computer networks is the bulletin boards, these days called forums. It’s a slow and thoughtful way to communicate and an excellent method to meet new friends with similar interests. I recommend the phpBB software, it’s extremely mature. It’s not as easy to install or administer as WordPress but there is documentation and with a little effort anyone can do it.

Link to phpBB: https://www.phpbb.com/.

The MicroBlog – Mastodon

Twitter is a corporate giant and your satisfaction as a user is second place to their return on investment. An excellent choice of alternatives is Mastodon, which is a diversified and federated network of private and community “instances”. You can join one or many, you can create your own, and everyone can participate together.

Link to Mastodon: https://joinmastodon.org/.

The Chat – Matrix

You’ve got a lot of options for chat softwares.. that is any app aimed at instant response conversations with support for group conversations. I recommend Matrix.org, for a number of reasons. It’s free, it’s open source, it’s distributed, it’s disowned from any corporate masters, and it’s ambitious. You’ll need to be patient with it, it is brand new software and they are trying to do a lot of very modern and exciting features. It’s a great opportunity for new programmers to cut their teeth on something exciting too.

Link to Matrix.org: https://matrix.org/.
Link to Riot.im (Leading client): https://riot.im/.

apple 2 computer showing bbs screen

How to build a Modern BBS

Preface

After reading an article here about building a modern Bulletin Board System, and crafting my own brief response here about how the website already is a modern BBS, I decided I should write a short guide on how you can construct a modern equivalent of a BBS on the web using mostly free tools.

A computer & phone line

In the 1980s operating a BBS required a computer and at least one phone line. Back then a single phone line would cost $20 to $50 per month. Today, a phone line still costs a minimum of $20 a month (phone service is a racket!), but you don’t need to spend that much. For $5 per month you can rent a Virtual Server from Digital Ocean with a dedicated IP address. As far as quality and reliability are concerned Digital Ocean are the best in the marketplace, which is why I recommend them. The link I provide is a referral link which will give me credit toward my own hosting bill if you sign up.

Digital Ocean Hosting

Website Software

It is true that you could build a website from scratch so you don’t actually need to use this software but that takes a lot of time and you’d be re-inventing the wheel. That’s okay if you’re a developer and you’ve got a great idea for a wheel that nobody has thought of before, but otherwise I recommend using WordPress. It’s free and mature, as well as very easy to start using.

WordPress.org

Message Boards

In the 1980s, “Message Boards” are where people would post and discuss topics. Today we call these things “Forums” but they serve the same functionality. The best software for setting up a message board on a website is phpBB. Not only is it free, but it has a really excellent user interface that meets all of the common needs and is very intuitive. It is stand-alone software and it is loaded with features. Installation is pretty easy but configuration can feel a bit daunting. Just take your time and read the documentation and you should be fine.

phpBB

DOOR Games

One of the coolest features of a BBS in the 1980s was Door Games. These were computer games that ran externally from the BBS software. The term ‘door’ was a reference to how the BBS acts as a gateway to access these games. This technology has evolved in multiple ways and powers many of the advanced capabilities seen on the internet today.

There are many ways to run games on your website. Software such as Unity or HTML5 make it possible to build modern games for the browser. However because Nostalgia is a big part of this theme, I’m going to recommend EM-DOSBOX, which is a plugin that allows you to run actual DOS games from within a web browser. The Internet Archive uses this same software for it’s video game archive website.

EM-DOSBOX

Real Time Chat

In the 1980s operating a chat system on a BBS was extremely expensive. First most free BBS software didn’t support it well at all, so you probably had to pay for a commercial platform. Second, every user required their own phone line connection, so if you wanted a 10 person chatroom you had to pay for 10 separate phone lines. Today it’s so much easier and cheaper.

There’s a lot of ‘chat’ plugins available for WordPress. I am going to focus on Matrix.org and Riot.im. There isn’t an easy ‘plugin’ available to install these on your website, but you could use an iframe to embed a riot.im chatroom. The Matrix protocol is still very early in development and as time goes on you can expect there will be simpler and more elegant solutions for this purpose.

Matrix.org
Riot.im

Summary

So there you have it all of the tools required to build a modern “BBS” on the web, and with the exception of server rental all of it is free. You could, in theory, do all of this on your own server running on your home internet connection but that introduces some challenges such as DNS addressing. It’s up to you if that’s worth the $5 saved.

You might notice I did not include detailed tutorials on each piece of this puzzle. That is intentional. This post is meant to be a starting point for people interested in this sort of project. There are already dozens of specific guides and tutorials available for each of the things I’ve linked. This kind of project represents an adventure and learning about the software is part of that adventure. Also, detailed information like installation procedures are likely to evolve over time. So if you’re looking for help with phpBB or WordPress, just do a web search for tutorials on those subjects and you’ll find dozens.

I hope you found this article helpful or useful. I welcome any comments on how to improve my recommendations.

The website is the modern equivalent of a dialup BBS

Preface

Today I read a really cool and nostalgia article about the BBS, which stands for Bulletin Board System. BBSes were what the cool kids used to communicate online before there was a consumer internet. You can read that article here

I just had to comment, because BBSes played a significant role in my teenage life. I spent more time online than I did in the classroom. Seriously I failed several classes in high school because I never attended, I was at home playing Legend of the Red Dragon or responding to posts in the forums. I’ve included my response below:

My response

I think it’s awesome what you’re doing, I grew up on BBSes and I didn’t think they were weird at all, but everyone at school thought I was weird. Then the internet hit their living rooms and I don’t talk to those people anymore. Too busy getting paid $100/hr to build and support their websites.

While I love the nostalgia of this project, I think it’s worth noting that the “Modern BBS” is called a website. I know I know, ‘it’s not the same!’, believe me I get it. But from a purely end-user functionality standpoint, a website is exactly the same as a BBS, only improved.

Forums are handled by software such as phpBB (hands down the best UX in forums), you can play all sorts of web based games including dosbox classics with some java plugin, chat rooms are easy to embed especially with the new Matrix.org protocol, and of course we have various ‘wiki’ software to handle documents.

Best of all, an IP address is cheaper than a phone line ($5/mo droplets from Digital Ocean are the way to go) and the cheapest solutions can still handle 5–20 simultaneous visitors.

One of the things I always thought was really great about BBSes is how they empower “regular” people to organize and communicate ideas. Literally anybody can set one up, you don’t need a license or permit and the costs aren’t prohibitive. Websites are the same. We’ve been seeing the results of this anarchy for the past 30 years as corporations are no longer able to monopolize the distribution of information.

When I was a kid I ran my own BBS using the Renegade software. I had wicked ASCII art I found on pirate sites when you logged in, I forget what but it was probably a grim reaper or something. Now I have tailpuff.net and the first thing you see are high resolution full color graphics. It doesn’t tweak the nostalgia but it definitely is an improvement of the model first presented by the BBS.

How to Build a Modern BBS

I thought people might be interested in this idea, and so I decided I would provide some links to software and resources you can use to re-create all of the features of a BBS from your own blog website. These are not the only solutions, just my personal favorites.

Full disclosure: The Digital Ocean link is a referral link, if you sign up I will get credit toward my own hosting bill.

Linux: batch convert webp to png using ffmpeg

If you have some images in webp format, such as exported from Telegram’s “sticker” packs, and you want to convert them to standard png for use in other applications, I have written a small bash script which will convert all the webp files in a directory into png and then remove the webp files.

This requires that you have ffmpeg installed. If you don’t want the webp files deleted afterward just remove line 5.

If you find this useful let me know in the comments! I invite suggestions to improve upon it.

stacks of money

DMARC is not the solution to E-mail Fraud.

The latest craze in E-mail security appears to be DMARC. Let me preface my post by saying I use DMARC, I use SPF and I use DKIM. I understand that people are mostly up in arms about the importance of DMARC because of how many major organizations haven’t adopted it. I understand it’s importance.

Problems with DMARC

Here’s the issue as I see it. DMARC does not solve phishing E-mails. It doesn’t do much more than SPF already does, and it doesn’t solve trust or identity in E-mail.

DMARC requires compliance by the recipient server to function at all, and all it does is tell the recipient to reject, quarantine, or allow fraudulent E-mails, a feature that SPF already provides.

This prevents someone from sending email from “custserv@paypal.com” but it doesn’t do anything to prevent them from sending an email from “custserv@payypal.com” which is how a huge number of phishing attacks are launched.

Oh and DMARC gives you some forensic information on who is sending fake E-mails from your domain. Which is completely useless in a high traffic real world scenario because you can’t take any effective action against the perpetrators.

Key Pair Signing & Encryption, a Real Solution.

Meanwhile we have PGP/GPG signatures which would, if properly implemented, provide a user friendly means of identifying the sender of an E-mail and verifying the integrity of an E-mail. But these have been completely disregarded by nearly 100% of organizations as “too difficult” to implement. Seriously, why doesn’t GMAIL come with a ‘PGP’ button?

PGP is arguably easier to implement worldwide than SPF + DKIM + DMARC. All you need to do is create the functionality client-side to create keys manage keyrings and interact with key databases. Compare this with setting up 3 different inline mail verification tools on every E-mail server in the world plus a slew of DNS records which can instruct servers to pass fake E-mails along without notifying the end users at all of suspicion.

Why are we being sold this half-assed solution to E-mail fraud when the real answer has existed for decades and would be easier to implement? If someone can explain why DMARC is being treated as the holy grail of E-mail security I would really appreciate it.

GPG/PGP is “Too Hard” for End Users

Bullshit. The difficulty of PGP/GPG has nothing to do with the technology and everything to do with the lack of proper support in E-mail clients. End Users don’t need to understand the technology at all, they just need a button that creates a key and publishes it to public key databases. The process is no more complicated than adding people to the address book on your phone.

Paranoid Conclusion

Using keypairs to verify authenticity of E-mail comes with a bonus feature, they can be used to encrypt E-mail to the point that it is “uncrackable”. Adding the signing capability to a service like GMAIL would also make it a lot easier for users to encrypt their E-mail, which would destroy Google’s business model since they read all of your E-mail to gather data. This is probably the #1 reason why keypairs have been ignored, with the #2 reason being pressure from world governments.

Your Thoughts?

My paranoid conclusion is not the only possible scenario, I would love to hear the opinions of other internet security experts on this issue.

Some Good News

You can implement PGP/GPG in your own E-mail and start using it with your friends, family and colleagues right away. And you should.  Visit the Electronic Frontier Foundation website to find some simple step by step tutorials for all platforms.

My Public Key: https://tailpuff.net/keys/

Cloudflare’s “Keyless SSL” Feature violates trust and privacy.

SSL exists to ensure Privacy and Trust

SSL serves two purposes. Privacy and Trust. Both purposes are equal. Privacy means it encrypts your traffic, this ensures that packet sniffers on a public network can’t view your credit card number when you purchase something on Amazon. Trust means when you visit Amazon.com, you know that the responding server is actually Amazon.com

Without both Privacy and Trust, SSL is useless.

If you compromise either privacy or trust, the SSL certificate becomes completely worthless. Now your activities are at risk of being compromised, which is precisely what SSL exists to protect against.

KeyLess SSL violates both Privacy and Trust.

Cloudflare’s new feature “Keyless SSL” violates both privacy and trust. This dubious service operates by decrypting 100% of your web traffic between the server and Cloudflare’s network. That means Cloudflare can view your credit card numbers. All that is required is a Cloudflare employee to hide malicious code in their traffic inspection function and they could steal thousands or millions of credit card numbers in an hour.

Browsers should Declare all Cloudflare traffic “Insecure”.

The solution is simple. If SSL traffic comes from Cloudflare, one must assume that it has been decrypted and inspected during transit. This means it is not secure. Web Browsers need to declare this to the user. Traffic that comes from Cloudflare websites should be flagged as insecure, regardless of the SSL status.

US Flag - Distress

Google’s “NoCaptcha ReCaptcha” product is slave labor.

Google are Crooks.

Google has been in trouble over their ReCaptcha product in the past, and they are bound to face the fire again. Their “NoCaptcha” service advertises itself as being user friendly, by presenting users’ with a single check box they click to pass the test. However it very rarely works like this, especially if you use any sort of adblocker or privacy protecting addons in your web browser. Most of the time it presents the user with a photograph, or a series of photographs, in a 16 square grid. It then asks the users to click on each square which matches a specific description.

If you don’t answer the captcha to Google’s satisfaction, the challenge becomes more annoying. For example after clicking a square you might have to wait for that square to reload. The time it takes that square to reload is adjusted by Google, based on how much they “trust” you. So while some users might only have to click 3 squares, others might have to click 6, and wait for as many as 10 seconds for other squares to reload. And then when you perform the tasks they demand and you click ‘verify’, it will often start the entire process over again, for no explicable reason as you answered everything correctly.

What is really going on?

What is actually going on here? Is the system broken? No. What is happening is Google has a massive database of images, billions and billions of images, and they are using the unpaid labor of millions of computer users to add digital tags to those images. “This Image contains a Car” or “This Image contains a Mountain” and so on. The entire system is automated. On it’s rosy surface it would appear as if the labor of those users is being used to improve the captcha system, but that’s not what it’s for. It exists to force millions of users to do the work that Google is required by law to pay people to perform.

This is slavery.

This is slavery. We haven’t tolerated slavery in this nation in nearly 300 years, but Google thinks they can get away with anything they want because they think the world depends on them. It doesn’t. We don’t need their stupid search engine, there are a number of 100% equally useful search engines such as Bing and DuckDuckGo, in fact some have found those engines provide better results for their searches. We don’t need their free E-mail service, as there are countless providers of that same type of service, none of whom use it to spy on their users the way Google has done for years. The truth is Google does not provide ANY valuable services to the world, and they are raping the information market in new and disgusting ways to make a quick profit.

Stop Google.

It’s time we put a stop to it. A class action lawsuit should be raised against Google again for their “NoCaptcha ReCaptcha” service, and the FTC needs to step in and force them to stop.

Red circle with a line through it, crossing out the word "LIES"

Choosing a webhost, why are they all lying to us?

Preface

If you have a website you have 3 options to put your site on the internet. You can self-host, you can rent hosting space from someone else, or you can use a free hosting service. Self-hosting is the best, if you can afford it. You need a computer and a reliable internet connection, typically not residential internet but that is changing thanks to services like Google Fiber. Free hosting services are great, if you don’t need a private domain name or special server side applications. For people who want “Mydomain.com” however, renting a hosting service is usually the best choice.

Nearly every hosting provider is lying

That seems straightforward enough, so this should be easy, you visit a few websites, compare some prices, and purchase your hosting. This shouldn’t demand more than an hour of your day, but it’s not that easy. Nearly every large hosting company is outright lying about the services they offer. There’s no regulation in the hosting market and the prices are as low as they can realistically get, so the companies have resorted to competing with lies instead.

The devaluation of the word “Managed”

For example, let’s look at the word “Managed”. Every hosting provider in the world offers “Managed Hosting” if their websites are to be believed, but what does that really mean? Well not much as it turns out. The word Managed starts with “Man” because it’s supposed to mean a human being is overseeing operations, but with large hosts that have 100,000 customers how is that even possible? It’s not, they are lying. They use completely automated systems and if you require any personal support it will come from underskilled phone-operators, or you’ll pay extra for it.

Unlimited is never unlimited

The other popular buzzword in the hosting industry is “Unlimited”. Nearly every hosting provider offers “Unlimited” service, but computer hardware has a finite amount of storage space, processing power, and memory, so how can they offer “Unlimited” service? They can’t. Every hosting package in the world is limited. What’s really happening is they’ve stopped being up front about the details of their service. This makes it especially difficult to compare the value of different services because most of the details are hidden from you.

Full Disclosure

I own a technology consulting business and one of the services I offer is webhosting. I’m not writing this article to advertise my business however. I was unaware of the problems in this marketplace until I entered it, and I am disgusted by how nearly all of my competitors operate. I say nearly all, because there are a good number of honest businesses who are up front about what service you receive and for what price.

What can we do about it?

The simple answer is stop supporting hosting services which behave in dishonest ways. If their sales page doesn’t provide full details of the service you’ll receive for the prices they advertise, or if they claim to offer “Unlimited” storage/memory/CPU, or if they hide extra costs and features on sub-pages of their website, shop elsewhere.