my (and your) PGP habits could be better
I am an opportunistic PGP user, and I've used PGP for quite some time. if you encrypt mail to me, I'll encrypt back. if a download has a signature, I'll check it. I sign every one of my blog posts automatically, thanks to some dirty hacks to bashblog.
what's the issue then? well, I don't always do it religiously. I used to have a proper canary, but I abandoned it because it was a hassle on my end and I was afraid that nobody checked it anyway (I was wrong, one person actually did check it). that's why I have switched to blogging, which is sort of a more natural medium to sign and doesn't require me to go as out of my way to update (and even then, I have been slacking on my blog really hard).
there are some other issues with my current use of PGP. check to see if the following also applies to you:
- creating a perfect keypair? forget it. I don't have an airgapped device to do this safely. and even if I settled for a special removable medium, I used to have some trouble importing my stripped keypair into OpenKeychain. not to mention, the GnuPG utility – or any utility, for that matter – doesn't really have first-class support for this kind of scenario. there are a lot of issues with PGP's user experience, and I'll go into more detail with those later.
- confirming trust of keys by signing them? signing keys and publishing my signatures to keyservers? it's difficult for me to remember to do this. so far, I'm pretty sure I have signed fewer than a dozen other people's keys.
- confirming keys in general? I do basic checking, but I don't know how much is enough.
- maintaining my key properly? who knows, honestly. I have not had a religious policy for subkey creation, deletion, and renewal. nor do I really know what is the "optimal" practice for maintaining my key.
- refreshing and maintaining my keyring? a while ago, I found a safer way to do this but I have never ended up using it. furthermore, I have made very little effort to remove invalid keys from my keyring.
here are some issues I have seen with others' use as well as when I have been trying to use PGP with others:
- first off, this is really on my side: I use elliptic-curve subkeys for signing and encryption, but I also have RSA 4096 subkeys when communicating with older PGP implementations. there are a few issues I have run into with this, such as not really knowing which subkeys I'm using since I let programs handle this automatically, as well as possible delivery errors because my recipient has no support for ECC algorithms. it's all very opaque to me and I tend to dismiss errors as "their issue, not mine" while in hindsight that might not have actually been the case.
- I have seen many people, especially on Tor, try to be smart and reveal as little detail about them in their key metadata. this is straight-up the wrong way to use PGP especially over E-mail. your address is not firstname.lastname@example.org, stop making your key more difficult to use. create separate keys for separate purposes and use them appropriately.
- since there is no "right way" of using PGP, we end up with people using all kinds of algorithms, all kinds of expiry policies, all kinds of renewal policies. some people properly renew their keys, others create new keys to replace the old ones (and I was guilty of this). some people's keys expire never, others' expire next week. I know some of this is a personal threat model consideration, but still, I believe too many people set unrealistic, unsafe expiries on their keys.
and lastly, usability and interface issues. it feels like XMPP all over again, what with all the different clients and none of them implementing the full standard in a correct and easy-to-use manner. there are practically no full-featured GUI frontends for PGP, and the GnuPG commandline implementation discourages newbies (and even people like me) from figuring out how to correctly maintain personal keypairs and a full keyring. I use keys for different purposes (some for E-mail, others for download signing) and it isn't immediately obvious that I could probably have two or more keyrings for that. also, is it possible to attach metadata to PGP keys (such as your XMPP account, website, or anything else that could possibly help verify people)? if it's possible, I surely don't know how to do it, nor do I know where I can search for more information.
so, my suboptimal use of PGP is everyone's fault. and if you use PGP, you're probably using it suboptimally as well. I don't want to bash PGP outright for being a poor standard – I mean, come on, it has been around for decades, and it's still suggested by security professionals. but over those decades, very little has been done to change the state of affairs, and it's so easy to use it wrong.
as always, I accept E-mail replies to my posts, but I especially want to hear readers' thoughts on this. I want to gauge how others use PGP, and I want to see what others believe should be the correct way of using it.
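added example (not from the original post): a small python audit of the keyring points listed above, namely unusable keys left in the keyring, primary keys with no expiry or one about to lapse, and which encryption subkey gets used when a key carries both RSA and ECC subkeys. it parses the `gpg --with-colons --list-keys` format; the sample listing, key ids, names and `SAMPLE_NOW` are constructed, and the function names are this example's own.

```python
import subprocess
import time
from dataclasses import dataclass, field
from typing import List, Optional

# OpenPGP public-key algorithm ids as they appear in field 4 of the colon listing
ALGOS = {"1": "RSA", "16": "ElGamal", "17": "DSA", "18": "ECDH", "19": "ECDSA", "22": "EdDSA"}
ECC = {"ECDH", "ECDSA", "EdDSA"}
BAD = {"e": "expired", "r": "revoked", "i": "invalid", "d": "disabled"}  # field 2 letters

# constructed sample in `gpg --with-colons --list-keys` layout; key ids, names and
# dates are made up and trailing fields are trimmed
SAMPLE = """\
pub:u:256:22:AAAAAAAAAAAAAAA1:1500000000:1600000000::u:::scESC:::::ed25519:
uid:u::::1500000000::HASH::alice (constructed) <alice@example.org>:
sub:u:4096:1:AAAAAAAAAAAAAAA2:1500000000:1600000000:::::e:
sub:u:256:18:AAAAAAAAAAAAAAA3:1500000100:1600000000:::::e:::::cv25519:
sub:u:256:22:AAAAAAAAAAAAAAA4:1500000100:1600000000:::::s:::::ed25519:
pub:e:2048:1:BBBBBBBBBBBBBBB1:1400000000:1450000000::-:::sc:
uid:e::::1400000000::HASH::bob (constructed) <bob@example.org>:
sub:e:2048:1:BBBBBBBBBBBBBBB2:1400000000:1450000000:::::e:
pub:f:4096:1:CCCCCCCCCCCCCCC1:1300000000:::-:::scESC:
uid:f::::1300000000::HASH::carol (constructed) <carol@example.org>:
sub:f:4096:1:CCCCCCCCCCCCCCC2:1300000000::::::e:
"""
SAMPLE_NOW = 1598500000  # constructed "current time", about 17 days before alice's expiry

@dataclass
class Key:
    validity: str
    bits: int
    algo: str
    keyid: str
    created: int
    expires: Optional[int]  # None means the key never expires
    caps: str               # e = encrypt, s = sign, c = certify, a = authenticate
    curve: str
    uids: List[str] = field(default_factory=list)
    subkeys: List["Key"] = field(default_factory=list)

    def describe(self) -> str:
        return f"{self.algo}/{self.curve or self.bits} {self.keyid}"

def parse_colons(text: str) -> List[Key]:
    """Group pub/uid/sub records into primary keys (assumes epoch-second timestamps)."""
    keys: List[Key] = []
    for line in text.splitlines():
        f = line.split(":") + [""] * 20  # pad so short records index safely
        if f[0] in ("pub", "sub"):
            key = Key(f[1], int(f[2] or 0), ALGOS.get(f[3], "algo " + f[3]), f[4],
                      int(f[5] or 0), int(f[6]) if f[6] else None, f[11], f[16])
            if f[0] == "pub":
                keys.append(key)
            elif keys:
                keys[-1].subkeys.append(key)
        elif f[0] == "uid" and keys:
            keys[-1].uids.append(f[9])
    return keys

def usable_subkeys(key: Key, cap: str, now: int) -> List[Key]:
    """Subkeys with capability `cap` that are still usable, newest first.
    GnuPG uses the newest usable one; other implementations may pick differently."""
    ok = [s for s in key.subkeys if cap in s.caps and s.validity not in BAD
          and (s.expires is None or s.expires > now)]
    return sorted(ok, key=lambda s: s.created, reverse=True)

def audit(keys: List[Key], now: int, soon_days: int = 30) -> List[tuple]:
    """Return (primary key id, finding code, detail) for everything worth a look."""
    out = []
    for k in keys:
        if k.validity in BAD:
            out.append((k.keyid, "unusable", f"{BAD[k.validity]}: refresh it or delete it"))
            continue
        if k.expires is None:
            out.append((k.keyid, "no-expiry", "primary key never expires"))
        elif k.expires - now < soon_days * 86400:
            out.append((k.keyid, "expires-soon", f"{max(0, (k.expires - now) // 86400)} days left"))
        enc = usable_subkeys(k, "e", now)
        if enc and all(s.algo in ECC for s in enc):
            out.append((k.keyid, "ecc-only", "senders without ECC support cannot encrypt to it"))
        elif any(s.algo in ECC for s in enc):
            others = ", ".join(s.describe() for s in enc[1:])
            out.append((k.keyid, "mixed-encryption",
                        f"GnuPG picks {enc[0].describe()}; also present: {others}"))
    return out

def audit_local() -> List[tuple]:
    """Audit the real public keyring (needs gpg on PATH; the sample run does not use it)."""
    listing = subprocess.run(["gpg", "--batch", "--with-colons", "--list-keys"],
                             check=True, capture_output=True, text=True).stdout
    return audit(parse_colons(listing), int(time.time()))

if __name__ == "__main__":
    for keyid, code, detail in audit(parse_colons(SAMPLE), SAMPLE_NOW):
        print(keyid, code, detail)
```
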
why I no longer use GitHub
I have had issues with GitHub long before the Microsoft acquisition this year. in fact, Microsoft is the best thing that could have happened to it because it's an excuse for people to leave GitHub. but for everyone who continues to use it, who has built their FOSS projects on top of its infrastructure, they need a little more motivation to move than just an acquisition scare. and the fact that these projects stay behind inconveniences me, as a FOSS contributor, especially if they outright refuse to collaborate outside of GitHub and they insist on you making an account, opening pull requests and new issues through the web interface.
since I am tired of reiterating to every project the reasons I refuse to sign up to and contribute via GitHub, I feel like the best course of action is to write it all out, once, and give this article to anyone who asks. plus, maybe all my readers may find this an interesting read to perhaps rethink their decision to use GitHub for their projects.
GitHub is not FOSS
GitHub boasts its love for the FOSS community, but the site itself runs on proprietary software. if you hate double standards as I do, you may stop reading as you should be content with the answer I gave you.
but really, look at GitLab in comparison. GitLab is the leading competitor and the current go-to for most people fleeing GitHub because of its similar "social coding" interface. guess what? it's FOSS, so you can take GitLab's software and run it on your own server. and from what I understand, GitLab manages to be a for-profit company despite the fact it gives away its software to the community, so why doesn't the "FOSS-loving" GitHub do it as well? it just doesn't fly with me.
GitHub is (poorly) reinventing git
git is a distributed version control system. it says that right on the tin. and it does a damn good job at being one. so why turn it into something that it isn't? I don't know, but GitHub seems happy doing away with many of the benefits of this. with plain git, I can stick my repository anywhere, give people the link to clone it, and take pull requests through mail. everyone on the Internet has an E-mail address (which is also a federated communication technology, so it's easy to see how it can be best friends with git) and E-mail doesn't lock you into a single terms-of-service agreement (I'll go in depth on that in a bit). this makes it easier for the passerby to contribute to a project, regardless where the project is hosted. no new user accounts necessary.
with GitHub, E-mail is second-class and people become spoiled by the wrong way of doing things, so they insist that you do things the wrong way as well. this is called vendor lock-in and it's very bad especially for FOSS projects. you can witness a similar effect between Blender and YouTube that surfaced recently. GitHub knows it has you by the nape and can shut you down whenever they want, and it can use that to manipulate you into making decisions for your project that you otherwise wouldn't take. and GitHub knows that your project's success is imperative to its own success, since it means more people signing up to contribute, more people being exposed to its nice, incorrect, not-git interface, and thus more people becoming locked in to GitHub as well.
there are some AUP/ToS loopholes, and they will shut you down
I promised I would go into detail about the terms of service. there are two clauses that are poorly worded, subjective, and ... well, loopholish in nature.
You agree that you will not under any circumstances upload, post, host, or transmit any content that[...] contains or installs any active malware or exploits, or uses our platform for exploit delivery (such as part of a command and control system)
this means that you can develop an innocuous research tool, note in your README that it must not be used maliciously and that you are not responsible for skids using your software, and still get punished. all it takes is a skid cloning your repo, pissing off the wrong people with it, and those people reporting you to GitHub. and yes, I am not making this up. I know of people who have been affected by this and I am sure you can find your own examples if you search for a bit.
[...]transmit any content that[...] is discriminatory or abusive toward any individual or group
oh, this is a fun one. this basically means that anyone can report you as long as they feel offended. I'm sure you have heard enough about this so I won't go into excruciating detail, but I will tell you that it is a huge loophole allowing anyone to abuse the report function to knock you off GitHub.
the grey area of paedophilia
before anyone gets shocked: I am against rape and abuse of any kind. this post is only to address the fact that most people -- those who claim to protect the rights of children -- are focusing in the wrong places.
lately, I have come across articles online that explain the difference between Western and Japanese views on lolicon (which refers to Japanese media that focuses on cartoon underage girls). contrarily, I have also come across some real counts of child abuse such as a review on Dr. Phil's interview that exposes global elite pedophiles which seems to sum up the issue the best.
also within the past year, various people have questioned my stance on paedophilia, and they seem to not grasp a full picture on my beliefs, so I would like to make this all clear within a full written explanation, complete with supporting information.
where am I going with this? in the Americas and Europe, there seems to be a sacred air around anything involving children. this is not necessarily a bad thing; children are impressionable and deserve every chance to experience a fulfilled life without fear of harm in any way. but it seems as if this is being used as an excuse to push certain legislation and cultural norms, rather than an actual reason for focusing on these issues. take for example child exploitation. somehow a count for rape is deemed lesser than a count for child rape? what's the difference? they're both inhumane and deserve harsh "eye for eye" punishment in my book. so why is it any worse for this to happen to children than for it to happen to anyone else?
both adult and child molestation are sadly very prominent in the world, not only with undeveloped nations but also with this global elite -- sometimes the same people who publicly support legislation to crack down on child abuse. if that isn't hypocritical, nothing is.
but are we focused on the right issues? being an active member in various Tor/I2P hidden service communities, as well as on online imageboards, I see a lot of talk against the possession of child pornography itself. there is no mention about the severity of the case, and to these people, a picture of a fourteen-year-old posing nude in a mirror is fully equivalent to one of a violent rape scene involving children who may not even be old enough to talk. these people stop at the mention of "children" and don't take into account all of the aspects of whatever they're speaking against.
the fourteen year old? fourteen is an age of consent in various parts of the world, and it is a natural stage in life for sexual exploration. should someone post their nudes on the internet -- probably not, because they might regret it later, but this is true for any aged person, right? I'm sure some twenty- and thirty-somethings have regretted drunkenly posting sexual depictments of themselves for everyone to see. to sum up, I don't see why this should be up for legislation to decide. children should be educated on what is okay and not okay to post online instead, and they need to learn to think for themselves.
the rape scene? this is not okay. this is what people need to focus on when they are advocating for humane reform. it is a very real issue and many people, children and adults alike, are involuntarily involved in the sex trade every day, with little to no hope of escaping this life. this should be what I see when I hear people speaking against child abuse. with enough care, these injustices can be corrected, and police may work together so that the criminals responsible may be punished (by death, as far as I care). that way, we are objectively making the world a more humane place, and we aren't only satisfying people who hold subjectively-moral beliefs. you as an individual are welcome to have your own beliefs, but please focus on concrete efforts to stop unjust activity in the world.
I don't typically like to be involved in political discussion, but this issue has been concerning me for a while, and people genuinely believe I am a paedophile due to my "liberal" opinions of paedophilia and lolicon. as I have said, my issue is about the different classifications of crimes against children versus those against adults. crime is crime, no matter the victim.
a new era for Hidden Answers
this post is specifically for users of the Hidden Answers website. if you don't know what it is, this probably isn't worth reading. still, curious people who want to help out with the website are welcome to contact me; any help is appreciated.
for those who aren't on Hidden Answers: it's a hidden service question-answer website using the Question2Answer software, and in similar format to Stack Exchange. it's available on tor and on i2p and currently is multilingual for English, Spanish, Portuguese, and Russian speakers.
at the time of writing, new user registration is closed for a multitude of reasons. I have hopes of re-enabling registration soon, after we have fixed some long-lasting issues with the site.
as users have inevitably noticed by now, there are a few issues with the site, ranging from the community to the software. the past month, the MySQL database for Hidden Answers has experienced unexplained corruption, and last week the server's disk space was completely consumed by MySQL binary logs, causing the site to be totally inaccessible. (seriously MySQL/MariaDB, why keep all logs infinitely by default? and why did nobody tell me about this before I went into web hosting?)
over the past year pinochet, the website founder, has come in and out of the scene for being responsible for the site. the grunt of the website's work has been handled by both me and the dedicated moderation team. but even we aren't enough to keep the website running optimally. not only that, but mods come and go, and some of them understandably become tired of dealing with the site. and we have no idea what's going on with the multilingual sites (Portuguese HA was overrun by scammers at some point, for example). communication between all the moderators is barely established, and this causes additional strain on relationships and on the state of the website.
pinochet is now long gone and only the mods and I are left to run the site. I am officially taking over the site; this is effective at the time of writing this post. that means you should write down my PGP key and you should write down my contact information (it's best to contact me over E-mail and XMPP, and please tell me who you are and why you wish to contact me, or I'll likely ignore you. saying "hi" isn't enough to get my attention because I deal with a lot of people and things daily).
I am going to make a few assertions. before, I have made these as suggestions, but they have clearly not been enough to cause any notable change in the site. from this point on:
- I need moderators, editors, and anyone else with an official Hidden Answers role to post their E-mail and/or XMPP address on their profile, and I need them to have a copy-pastable PGP key or fingerprint. no exceptions. we need to improve communication, especially since the PM system has been disabled (and more on that in the next point).
- PMs are indefinitely disabled. they're a venue of abuse. they're unencrypted. I have had to look into suspicious accounts per moderator request, and each suspicious account I looked into, I found shitloads of messages breaking the website's rules. if you need to contact someone, do it off-site. do it on their public wall. PMs are useless for a question-answer site such as ours.
- I will make my source code changes to Question2Answer available on my git. I am aware this will make the website easier to clone, but I believe this isn't an issue, since people already try to set up scam sites targeting HA users anyway. the benefit of open software development outweighs the risks, in my view.
- we need a defined process to choose official roles. we need more concise roles too:
  - super administrator: the website owner (me, now). I can add new admins and mods, change site settings, and be the "last say" of what goes on.
  - administrator: trusted people who represent Hidden Answers probably more than I do, lift a lot of the site's weight, and can maintain relations with mods and users. I'm appointing v0h20 and Fox to this role because they have done a shitload for this site and I trust their judgment for adding new mods.
  - global moderator. their main roles will be to oversee editors and to block rulebreaking users.
  - global editor. responsible for backtracking through the older questions (at least until they're all cleaned up eventually) and recategorising, editing, closing, and selecting answers as necessary. does this for new questions and answers as well.
  - category editors. responsible for cleaning up posts under their own category and can be seen as a category expert as well.
  - emeritus. just a status for ex-mods and -admins that have stepped down from their roles voluntarily (or were inactive).
  - technical contributor. I promised a role for anyone willing to help with the code. these people contribute to Q2A updates, debugging, and security penetration testing.
- we need administration transparency. moderation decisions need to be made public so we're all on the same page, and so users can criticise us if we do something wrong.
- we need concrete rules and ways to deal with offences. so far, it's just been play-by-ear.
- additional focus needs to be placed on the other HA languages.
- additional focus also needs to be placed on supplementary shit like a showcase of frequently-asked questions, to make it easier for newbies to search.
- anything else needs to be discussed on HA, in front of everyone, making use of the poll system I installed recently. that way, we have a more democratic approach to the site.
I'm busy with IRL shit (school semester is wrapping up for instance, I have a lot of studying to do and projects to wrap up), so anything that's broken will stay broken until I get around to it or until someone is able to help me with it. be reminded that since this is a hidden service website, I have trust issues and if you contact me anonymously, asking to help, I'll probably assume you're a malicious entity. so please tell me anything that can help me establish who you are. I'm not all that anonymous so I don't think I'm being hypocritical for asking you for some additional information about yourself. if you disagree with my approach, don't contact me.
any issues or questions or whatever you have about any of this, please contact me directly so I can respond to you sooner. I check E-mail and XMPP more often than I check Hidden Answers, and I prefer those methods of contact because they are much easier for me to keep track of shit. pinochet/oqypa are out of the picture; don't use those E-mail addresses because you won't get a response.
by the way, you may be curious as to why some of my websites were down this week. something happened to one of my VPSes so I had to reinstall the operating system and set everything back up. the new install is now enjoying Alpine Linux just like all my other boxes.
paving the road for the future of technology
when computing first became a real thing, computers were mainly geared toward big business, education, government, and science. networks were groups of trusted entities, there was less need for security or future-proofing, because nobody had anticipated that this technology would become for personal use in the future. early computing and programming pioneers were passionate about their work; software and hardware were built durably because it was still only a niche market, and everyone in the market cared deeply about quality.
now, the tide has shifted and with the advent of personal computers and mobile/IoT technologies, both sides of the equation have weakened: the target market has adopted a consumer approach to technology, and the developers have followed suit. there is no push for developers to cater to quality; there is high demand for cheap labour in these fields. small businesses remain insecure, large businesses can get away with opaque policies and planned obsolescence, and decent software and ideas become overlooked for a few reasons: the creators of good software normally work under the mantra of FOSS, they normally work as a hobby in their own free time, and they do not attract much of a following for one big reason: choice.
give a user a choice between security and ease of use: they'll choose ease of use. give them elegant code or elegant UI, they'll choose UI. it is therefore the developer's responsibility to give users the easy UI/UX they desire as well as the security and elegance they need. some big players like Google understand the value of security (others such as Equifax, maybe not so much, sadly) but they still cut corners with regard to privacy and quality in an effort to take the easy route. because the fact still stands, users have a mentality that "anything bad won't happen to me" or "I have no information that anyone cares to utilise, therefore I must be safe" -- they will not do any more than is required to access their services and move on with their life. because of this, it is the developer's responsibility to set a precedent and to give users only one choice.
I believe that all big businesses can invest enough to improve hardware and software quality; to improve security practices; to approach newer, saner standards that match the growing demands of the twenty-first century. it is a shame that thousand-dollar smartphones are not physically worth a thousand dollars, aside from the brand esteem these products have developed. it is sad that phones are not able to last as long as most cars or computers, or to last half as long as houses; they are seen as disposable technologies that are not built to last. it is sad that people cut corners for safety even though basic security practices are easy and cheap to implement these days; and more-advanced security would cost a short-term investment but set a future-proof standard for this type of thing.
a lot of things could be implemented today that would be a bit of a speed bump for companies, but it would be a net improvement both for security and for ease of use. some things I want to see implemented:
- public/private key authentication for online services rather than passwords. I have touched on this previously and I will say it again because I believe in it so much. users would not have to remember passwords; their software could automatically generate the necessary keys and provide a simple "log in" button (or fingerprint TFA, something that requires an extra step of authentication but is easy to use), and the software could tell the user to periodically back up these account databases to a flash drive or some other medium.
- client-side encryption. we're already increasingly seeing this in some messaging platforms. Google Chrome and Chromium do this for browser setting synchronisation. MEGA.nz does this for file uploads and downloads. it needs to be extended to cloud file storage: your files are tied to your account login, only you (or friends, or people with the link, if you configure filesharing as such) may decrypt and access the files, and the server only sees an encrypted copy of anything, making passive and active file analysis impossible. I wish to see E-mail headed toward the same direction.
- the return of user-serviceable appliances. we invented removable parts ages ago for a reason: it allows for reliable, repairable, inexpensive products and cuts down on wastefulness, since a user will not need to throw away the entire appliance if one part is broken.
- user education. people and businesses need to know the consequences of inadequate technology. privacy and security are important to protect against identity theft and money fraud. if you are not using secure and reliable technology, you are putting not only yourself but also your friends at risk.
it's a shame that not everyone is passionate about technology and that most people just want things to work without exploring them, but that's a fact of life. what we don't need is for this attitude to leak into developers' attitudes. security and quality can be easy, maybe with some additional short-term costs, but it's for the better.
Chen Hosting goals and difficulties
since late 2015, I have hosted the website Hidden Answers accessible via tor and i2p. the Hidden Answers administrator was upset by the constant downtime of Freedom Hosting 2 and was seeking another host. shortly after I decided to offer my hosting to anyone interested, thus starting Chen Hosting (available on i2p as chen.i2p). I wanted to do this both to learn more about web hosting, and to earn some cash while in college. two years in hidden service web hosting has given me plenty of time and experience that I can share with others.
to start off with the upsides, I have definitely learned a fair share about shared web hosting, software, and configuring everything for security, performance, and ease of deployment. I have been able to perform unorthodox installs of popular web software such as WordPress, Question2Answer, and MediaWiki (one shared install for all users). I have partitioned off access between users and services as best I could without the use of fully-virtualised containers, by way of hardened chroots (thanks to grsecurity), process separation (a php-fpm pool per user), and proper file permissions. I have made sure that the real server IP address could not be leaked under any circumstance. on top of this, I have met a handful of people whom I would consider to be good friends by now.
on the flip side, a lot of frustration has come out of web hosting, especially for the niche market in Tor and I2P. obviously, I have to deal with a lot of scammers, trolls, and difficult people. I cannot count with my fingers alone how many times someone has requested a website and never ended up paying for or using it; most people simply run out of patience, apparently. this makes it very difficult to find the motivation to improve my services for current and new customers; it seems like nobody cares enough. in fact, as of the time I am writing this blog post, I have this on the Chen Hosting website:
Chen Hosting is causing me more of a headache than I can handle right now. I'm busy with school and personal projects (and soon, hopefully a part- or full-time job in IT) and the requests for websites I get are rarely serious. People abandon their sites and I'm not making any real money off it.
other issues I have come across with hosting: the Tor network itself. most of the traffic I receive for Hidden Answers is automated, and some of the automated traffic is very malicious in nature, causing the server's load to spike and performance to drop, at times causing the whole server to be unavailable for legitimate users. on top of that, I have witnessed Tor become unresponsive or crash for unexplainable reasons; I can only assume these are other attacks on the network or on my onion sites. I have tried to find suitable log-monitoring solutions, but this is an exasperating process and I finally just hacked everything together enough that it would "just work", not too concerned with whether it was at optimal performance. also, while I have always preferred I2P over Tor for its hidden service support, it doesn't come without its own share of issues: the main implementation is in Java, and the C++ implementation still has a way to go before it is feasible for a live production server.
if I had an interested customer base, I would be able to find the motivation to improve my services to support all major CMSes and web softwares, to spawn a robust ticket and newsletter system, to expand to clearnet hosting, to build a real community and set a precedent for anonymous and secure hosting. sadly, my efforts are now going unnoticed, and it sort of disheartens me that something I spent this much time on has not proven itself to be too useful. I would love to continue putting effort into the best professional shared hosting setup, with proper log monitoring and statistics, tight engagement with customer base and surrounding Tor/I2P community, contribution to free software, and embodiment of free speech. maybe I could have placed effort into decentralised solutions as well, in order for people not to rely on a single entity -- such as myself -- for their web hosting. but apparently I will not end up doing this because there is no demand for it. people are perfectly content with half-assed solutions that we have now, and I cannot for the life of me understand why.
trying new software
I haven't been motivated to write anything lately, but I guess I can give an update on what software I am currently trying or going to try:
- neovim, to replace vim. I chose it because the codebase and development is supposed to be cleaner and less dependent on one person pulling in patches. liking it so far; it also has a few small features I've been looking for in vim, namely the ability to resize panes using mouse. this may have already been possible in vim but it has never worked for me.
- neomutt, saw it when I was looking up mutt and chose it because it offers some plugins built-in. once I configure it I may replace seamonkey with that and a different internet browser. first issue I see with mutt/neomutt is lack of mouse support, but I'll still play with it for a while.
- sway (wayland compositor). I haven't really had a chance to try this yet but I want to see how well wayland works, and I may switch to it from X.
- ConnMan, to replace NetworkManager. it's definitely light and apparently it supports USB tethering and bluetooth PAN, so I'll give it a shot.
I also downloaded some ISOs to play with in qemu:
- Void Linux -- haven't run it yet
- TempleOS -- tried it, it works but the 100% sound volume scared me
- ReactOS -- it won't boot properly; I'll have to look at the error again
- Gentoo -- I used this briefly years ago but haven't accustomed myself to it at all. I want to install it with musl and busybox, possibly also a hardened profile.
- Plan 9 -- haven't run it yet
aside from that, I had a very spiritual dream last night so I have decided to keep a dream/meditation log now. I used to keep a dream log years ago but stopped due to lack of interest. hopefully I keep my interest this time, because I feel I may be able to learn some things from my experiences. if I make any notable discoveries I may write about them here.