prevent or react

At the beginning of this year, there was a very tragic event prominently present in all newspapers across Switzerland. The whole thing was so tragic that I won’t add a link here. But there is one aspect that kept me thinking for the last two weeks. Today’s blog post by Bruce Schneier triggered me to write about it. A father fed his family by selling smart phones on online auction sites without ever delivering anything. Apparently he did that for years. They couldn’t get hold of him because he moved house every couple of months. In contrast to places like Nigeria, I didn’t think this was even possible here in Switzerland.

First of all, I don’t think that’s the profession he imagined for himself. Something must have gone terribly wrong long before. I think one has to be very desperate to become a professional cheater. Most measures our society has in place against such behaviour are reactive. Bad behaviour is punished, and the prospect of punishment should keep the hesitant from misbehaving.

In certain areas of commerce it’s easier. In a brick and mortar store, you get the goods and pay directly. If you take the goods and run out of the store, chances are somebody will follow or stop you. This kind of theft is also easier for the police to pursue. But there are other areas where you need to bring a certain amount of trust, for example when you order something online and pay upfront. If it is a big name store, you may know its reputation. If they didn’t deliver, you’d tell your friends. This in turn could influence the reputation of the shop. With sites like ebay, which have more participants than any individual could keep track of, it doesn’t work as easily. That’s why they have reputation systems built in. There are certain ways to trick them. I have no idea how well that would work out, but the only way to prevent it would be to require, for example, a social security number instead of just an email address to register. Other countries have issued electronic passports for a while which could be used for identification in such cases. Whether this is desirable is another question.

Ebay and ricardo do offer some sort of escrow service. But nobody seems to make use of it. Certainly not the victims of the above mentioned iphone scammer. Some may already know where I’m leading to. That’s an area where BitCoin can shine. With its built-in, (soon) easy to use multi-signature escrow system, certain types of fraud almost disappear overnight. If the system doesn’t allow cheating, there is no need for punishment after somebody was ripped off, nor for threats against such behaviour. So which is better, prevention or reaction paired with menace?

decentralized social communication

When you think about social networks, do you even realize how centralized and compartmentalized the prevalent systems are? Neither centralization nor artificial borders are inherent traits of a network though. Imagine you could only talk to customers of the same phone company you use. Or you could exchange emails only with customers of the same service provider. Wouldn’t that be ridiculous? And yet this lack of interoperability is the reality with most social networks today.

Blogging -> wordpress

Blogging is about the only category here that is fairly decentralized. You can host your own blog without any problem. Even though wordpress seems to have the lion’s share of feeds, rss and atom are open standards. And indeed lots of products and platforms offer that functionality. Most importantly: you can freely choose the software that fetches all the news for you. The same system is also used for podcasts, videocasts and various other content you can subscribe to. Lately, wordpress is even used increasingly to build regular websites. It is also what powers the blog you’re currently reading.

Microblogging -> twister

Everybody knows twitter. People who use it say it was great before they had to start pleasing their shareholders. It was used for communicating in the North African revolutions. Sounds ironic, given its centralized nature. It’s easy to revoke free speech with centralized systems. Nobody is astonished when it happens in turkey. Lately I read that even in the UK they think about blocking twitter when things are getting out of control.

There was a more open alternative called identica, but I don’t know if it’s still used a lot. I saw twister mentioned a while ago, and thought that’s something I should have a closer look at. Only last week I installed it and started playing with it. It triggered new interest in the whole topic. It is based on BitCoin and torrent systems, thus completely decentralized. A blockchain is used to register users, and torrents to distribute the content. Installing is as simple as adding a ppa (personal package archive from launchpad.net) and running apt-get install. As I don’t use twitter, I don’t know for sure, but I think the user experience should be similar except for ads. Twitter provided rss feeds a long time ago but stopped for monetization reasons; with twister it is no problem. While they say it’s in alpha stage, I had no issues, and the experience is better than with much commercial software. One downside it currently has is that a lot of handles for big company names or celebrity names were reserved early on by who knows whom. There is no mechanism to transfer a handle other than sharing the secret key. Maybe an expiration model such as with namecoin would be appropriate here. My handle is @ulrichard, if you want to follow me.

Social networks -> diaspora or gnu social?

I never really got it why I should be on facebook. You could describe their business model as a man in the middle attack. You chat with friends and there is always someone nearby who listens in and takes notes. Then he sells the information he gathered. And if he pleases so, he can even block you from chatting with your friends altogether. Sounds over the top? Think about it.

I do have a google+ account, but I actually never used it. It was forced on me to be able to keep uploading videos to youtube. The same criticism as for facebook also applies to google+. But the worst thing is that they are not interoperable. Why do people have to be on the same platform to interact? That is a huge step backwards.

Diaspora was touted as an alternative for a long time. I wanted to give it a try, and I routinely check the packaging status. Usually I only use software that I can apt-get install, and thus is automatically updated, cleanly uninstalled, and I can check what files belong to it and where they go. If it is written in a language and environment that I’m familiar with, I might compile it to give it a try. I’m not familiar with ruby at all. Apart from that, I make very few exceptions from my apt-get rule. So, I’m still waiting for the diaspora packages.

Then I recently learned about gnusocial. It also looks viable, but again, no deb package. So I’m waiting here as well.

Messengers and Video calls -> Tox

Skype used to be great before it was sold to Microsoft. We used it a lot to phone home on our South America trip in 2007. Then GoogleTalk used to be even better until they terminated xmpp federation, and subsequently even switched to a proprietary protocol.

For text messages, xmpp is still perfect, but for voice calls it was difficult for a while. I once tried mumble, but can’t remember at the moment what I didn’t like about it. My SIP VoIP experiments didn’t lead anywhere. And all the proprietary apps like WhatsApp really don’t cut it for me.

Only through twister I learned about tox. It’s still a mystery to me why I didn’t know about it sooner. It is easy to apt-get install from a ppa, and just works. They say it’s at an early stage and can be buggy. I had no issues so far. Nothing more to say… other than my tox id : 75A6B5F621BF142FA836E58A96023EE8F51AE0446FD85B2FBAFB378F4034E265EFF16B919A7A

Chat -> IRC, BitMessage, TorChat

I almost forgot to mention chat. IRC has been there forever. In my early chat experiences in the nineties I didn’t know about the technology behind, but in retrospect I assume it was powered by IRC. I still use IRC regularly, mainly on freenode to discuss about OpenSource software.

There is BitMessage which uses some ideas from BitCoin to run a fully anonymous stealth communication network. I like the idea and the concept, but getting a message through can sometimes take its time.

And recently I learned about TorChat. It worked fine the one time I used it. It makes use of the tor onion router to hide the communication, but apart from that it’s not associated with the tor project.


wake up to a clean state

I used to have problems when my ultrabook woke up from sleep mode. Nothing serious, but annoying. One thing was that the empathy messenger application fully occupied one CPU core, effectively transforming the power out of the battery into heat. I grew tired of manually terminating it every time. So I did some research, and put the following lines into /etc/pm/sleep.d/20_empathy_cpu_hog :

#! /bin/bash
case "${1}" in
    resume|thaw)
        # empathy-gabble spins at 100% CPU after resume; kill it so it gets restarted
        killall empathy-gabble
        ;;
esac

The other problem was the ssh connection that I keep to my server. After waking up from sleep it took a while to time out. Now, I terminate it right after wakeup, so that it can be automatically re-established. To accomplish this, I wrote the following lines into /etc/pm/sleep.d/30_ssh_ulrichard :

#! /bin/bash
case "${1}" in
    resume|thaw)
        # kill the stale ssh session to the server so that it gets re-established;
        # the pipeline has to stay on one line, a line break inside the command
        # substitution would turn the second grep into a syntax error
        kill $(ps aux | grep 'ssh.*user@server.ch' | grep -v grep | awk '{print $2}')
        ;;
esac
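The grep | grep -v grep chain above also matches any other process whose command line merely mentions the host (an editor opened on a file named after it, for instance), and kill then hits the wrong PID. The following is an added example, not code from the original post: a small helper that only selects real ssh processes whose arguments contain the host as a whole word, run here against a constructed ps listing (the host name user@server.ch is taken from the post; the PIDs and other processes are made up).

```shell
#!/bin/sh
# Added example: pick the PIDs of "ssh ... user@server.ch" processes for a resume
# hook without the grep | grep -v grep chain. Assumes a ps that supports the
# POSIX -o format (ps axo pid=,args= prints "PID ARGS..." per line).

# ssh_pids_to HOST: reads "PID ARGS..." lines on stdin and prints the PID of every
# process whose command is ssh (bare or with a path) and whose arguments contain
# HOST as a whole word. A grep for the same pattern, an editor opened on a file
# that mentions the host, or sshd itself do not match.
ssh_pids_to() {
    awk -v host="$1" '
        $2 ~ /(^|\/)ssh$/ {
            for (i = 3; i <= NF; i++) if ($i == host) { print $1; break }
        }'
}

# Constructed sample of `ps axo pid=,args=` output, for demonstration only.
SAMPLE_PS='1234 ssh -N -L 8080:localhost:80 user@server.ch
1235 grep user@server.ch
1236 vim notes-user@server.ch.txt
1237 /usr/bin/ssh user@server.ch
1238 sshd: user [priv]'

# Runs the selection against the sample; a real hook pipes the live
# `ps axo pid=,args=` listing into ssh_pids_to instead.
demo_pids() {
    printf '%s\n' "$SAMPLE_PS" | ssh_pids_to user@server.ch
}

# In /etc/pm/sleep.d/30_ssh_ulrichard the case branch would then read
# (xargs -r is GNU xargs: do nothing when no PID was found):
#   resume|thaw) ps axo pid=,args= | ssh_pids_to user@server.ch | xargs -r kill ;;
demo_pids
```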

I love linux, where problems are rare, every problem can be solved, and the solution is just a few lines away…

Paying online without a credit card

I can still remember the times when travelling without a credit card could be really inconvenient. But since Maestro and Cirrus cards work around the globe, it’s fine without. The time when shopping on the internet without a credit card was inconvenient to impossible was not so long ago. In a recent post, I announced that I don’t plan to renew my credit card. So here are some hints on how to get by without. BitCoin is the tool of choice as it has so many advantages.

At Christmas we usually play a game with the family of my wife. Everybody gets assigned a random person to give a gift to. Beforehand we distribute our wish lists. My stuff is usually from online sites. The problem is, I’m the only one with a credit card in this circle. So what looks easy to me might be difficult to order for the others. But the democratization of money, which BitCoin is about, is going to make online commerce a lot easier. Soon anybody with a computer or a phone will be able to participate.

Businesses that directly accept BitCoin

Even though there are thousands of businesses listed in the directories as accepting BitCoin worldwide, only a few of them are in Switzerland. Most of them are in niche areas, selling goods that most people rarely need. And usually you search for goods rather than for places where you can spend your money. Some of the American giants like dell, overstock, tigerdirect, newegg or adafruit deliver abroad at prohibitive costs, not at all, or only allow BitCoin payments for domestic clients. But sometimes you stumble across a site that accepts BitCoin by pure coincidence, like for example nitrokey, spycoins or reelhouse.

Movies

Call me old school, but I don’t like subscriptions to watch movies. Yes, NetFlix is a lot cheaper than the other options we have in Switzerland, but I just don’t like subscriptions that renew automatically, cost you when you don’t use them, and have notice periods when you want to terminate. Instead I want to select the movie I want to watch, and pay for it. Basta. Why is that so difficult? No wonder movies get pirated all the time. If it were so easy to pay for what you want, and the prices were reasonable, there would be no incentive to download movies from torrents or p2p. The music industry struggled for a while with the same problem. But nowadays you can download music at reasonable prices and it’s not even crippled with DRM anymore. When will the movie industry learn that making interesting offers is better than trying to break the internet? When I bought the movie “The rise and rise of BitCoin” on vimeo, I could pay with BitCoin and download the movie without DRM. The experience was so good that I started exploring the video on demand section on vimeo. But when I wanted to buy the next movie, there was no BitCoin option, as the previous one had run through a voucher code. So I wanted to pay with PayPal. But it kept failing and asking for a credit card. It just wouldn’t use my balance. It didn’t state it clearly, but somehow vimeo requested the address information associated with a credit card. Why that? Probably because of some area restriction, which is almost as stupid as DRM itself. And this type of restriction clearly didn’t apply to the movie I was about to buy. Luckily somebody from “The flying Frenchies” told me that their video is also available from reelhouse. They natively support BitCoin. You can choose to rent and watch in the browser with flash, or buy and download DRM free. That’s exactly how it should be. I found my movie platform, and hope their selection will expand quickly.

Amazon and buy by proxy with discount

No, they still don’t accept BitCoin directly. But you can either buy gift cards from gyft.com or egifter.com, or even better let someone else place the order on your behalf and pay him in BitCoin. That is how purse.io and brawker work. Purse.io is exclusively geared towards amazon. You create a new wish list with amazon, configure your shipping address and populate it. Then you copy the URL of your wish list into purse and select your desired discount. People who want to buy your bitcoins make offers with differing discounts, usually in the range of 7%. You send your coins into escrow and select an offer. Once the goods are delivered, you release the coins from escrow and the buyer gets them. As it is geared towards amazon there are fewer variables, and thus it runs very smoothly. If your item is listed with amazon, but delivered by a 3rd party seller, purse might have problems processing it. That’s when I tried brawker. Here you populate one or more edit fields with URLs containing direct links to the products you want. They can be on any site. That’s why you also see strange things listed. But the process is otherwise the same as with purse. One thing I noticed is that the escrow BitCoin address is actually a P2SH multisig address. But to release, I didn’t have to sign the transaction with my BitCoin refund address. Thus I don’t really know what this is about. Finally, I should mention snapcard and bitspend. They offered a similar service where they executed the orders and charged in BitCoin. BitSpend closed long ago, and SnapCard changed their business model.

Donations

I used to do donations for Mozilla and SeaShepherd through SnapCard, but these days I do direct BitCoin donations only. And in fact many non profit organisations accept direct donations: Apache, Mozilla, LibreOffice, GnuPG (through the Wau Holland foundation), Electronic Frontier Foundation, digitale-nchhaltigkeit.ch, Wikipedia, Gliding Everest, Ebola fighters, Koptimism, BitCoinFoundation, to name just a few.

Auctions

There used to be an auction site that ran on BitCoin. It was called BitMit and was very cool. For some reason they closed a while ago. I don’t know of a good alternative at the moment, but there are better things to come. The most prominent being OpenBazaar. The great thing about it is that it’s not just another centralized service, but completely decentralized.

Food

In some areas you find lots of restaurants where you can pay with BitCoin. In Switzerland, I know only of Kafi Schoffel in Zürich. But this post is about the internet. You can order food for BitCoin on lieferservice.ch, which for sure has something in your area.

fido universal 2nd factor authentication

In the time since my rant about passwords, more and more sites have adopted OAuth. I don’t like this development. Usually they offer login with facebook, sometimes with google or twitter and rarely with linkedin. The problem with OAuth is that the site operator decides which providers are supported. With OpenID on the other hand, I can host my own OpenID provider and secure it with whatever 2nd factor authentication I choose. It’s sad to see that OpenID lost traction, and is actually being removed in many places. One concern about OAuth is that exactly the companies that track you the most get this extra information about where you log in and when. And on top of that you usually have to grant the site you log into the permission to tweet or post on your behalf. But what bothers me most is that you grant your id provider more power than you are probably ready to admit. Say for example you use google as your id provider for every site you can, because it is just so convenient. Then one day google decides for whatever reason to block your account. As a result you are locked out not just from all google services, but from most of the sites you care about. And it does happen that google blocks accounts for no good reason.

Most BitCoin exchanges these days offer some sort of 2nd factor authentication. Some use YubiKeys, some use GoogleAuthenticator and some send you text messages. They are somewhat similar as they all use something called “one time passwords“. Only how the user gets them is different. Text messages seem like an ugly hack, and phones are known to be insecure. That’s also why I don’t like the Google Authenticator, as it is just software running on the regular processor of your smart phone. The YubiKey is clearly the best option out of these, but it also has its weakness. If you use it for different purposes, an OTP generated for one site could be reused for a different site. As it emulates a keyboard, the channel is one way only and the key has no way of knowing where it is used. This is why the now defunct MtGox distributed dedicated YubiKeys. At least some parts they did right. But there is something in the works to solve all of this…

Last week I received a new USB security token. It’s a PlugUp fido u2fa device. It has exactly the same form factor as the HW1 BitCoin hardware wallet. And that is actually how I paid for it. Not directly, but through Brawker. The device implements the new FIDO universal 2nd factor authenticator standard. Finally a conglomerate of big name companies got together to solve the password authentication problem.

When I first read up on it, I found lots of marketing speech and an overly detailed specification, but not the kind of technical overview I was looking for. But it seemed interesting enough to give it a try. So far, there are USB devices available from only two vendors: Yubico and PlugUp. Even though I love the YubiKey NEO, the price was too high just to give it a try. The PlugUp device is much cheaper but also less rigid. Also there are not a lot of places where you can use it so far. But looking at all the companies that form the alliance, that is hopefully going to change. The only place I could use it was to log into my google account, and only with the Chromium browser. My browser of choice is Firefox, but it doesn’t look as if fido support is imminent. I did like what I saw so far. You can register multiple devices per account. And you can use the same device for multiple accounts. There were no technical hiccups. It just worked.

But still I thought, I would prefer a solution based on OpenPGP Card with EnigForm. With GPG, I can manage my identity myself, how I want it. Of course this is great for power users, but not something regular users want or can do. FIDO is targeted at regular users, and I think they found a good compromise. It appeared that from the security standpoint they should be similar, in that both work in a challenge response scheme. The server knows the public key, and lets the device sign something.

Then I found the technical information I was looking for on this blog. Now that looks promising. The device generates a new set of keys for every site. That is perfect for authentication, i.e. making sure it’s the same user as last time. If you want to compartmentalize your identity, you don’t even have to do it by hand. But it doesn’t help with identification. GPG would be better in that regard. So while GPG would be enough to identify a user, with fido the user will still have to fill in some required information. But most important, with both approaches, fido and GPG/EnigForm, you don’t need a central service like with OpenID or OAuth that can track you.
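To make the difference to the YubiKey OTP concrete: the following added example (mine, not code from the post or from any FIDO implementation) simulates a U2F-style token in Go. It keeps one P-256 key pair per relying party (appID), signs sha256(appID) || presence || counter || sha256(challenge), and refuses to use a key handle for an appID other than the one it was registered for; the relying party verifies with its own appID, so a response obtained for one site is useless at another. The Token, slot and appID names are assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
)

// slot: one registration; the key pair exists only for the appID that registered it.
type slot struct {
	appID string
	key   *ecdsa.PrivateKey
}

// Token mimics a U2F authenticator (hypothetical, in memory): key handles plus a use counter.
type Token struct {
	slots   map[string]*slot
	counter uint32
}

func NewToken() *Token { return &Token{slots: map[string]*slot{}} }

// Register mints a fresh P-256 key pair bound to appID; the relying party stores handle + public key.
func (t *Token) Register(appID string) (string, *ecdsa.PublicKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", nil, err
	}
	handle := hex.EncodeToString(key.X.Bytes()) // demo stand-in for an opaque key handle
	t.slots[handle] = &slot{appID: appID, key: key}
	return handle, &key.PublicKey, nil
}

// signedData is what gets signed, U2F style: sha256(appID) || presence || counter || sha256(challenge).
func signedData(appID string, counter uint32, challenge []byte) []byte {
	app, chal := sha256.Sum256([]byte(appID)), sha256.Sum256(challenge)
	ctr := make([]byte, 4)
	binary.BigEndian.PutUint32(ctr, counter)
	data := append(append(app[:], 0x01), ctr...) // 0x01 = user-presence byte
	return append(data, chal[:]...)
}

// Authenticate signs only if the handle was registered for this exact appID.
func (t *Token) Authenticate(appID, handle string, challenge []byte) (uint32, []byte, error) {
	s, ok := t.slots[handle]
	if !ok || s.appID != appID {
		return 0, nil, errors.New("key handle is not bound to this appID")
	}
	t.counter++
	digest := sha256.Sum256(signedData(appID, t.counter, challenge))
	sig, err := ecdsa.SignASN1(rand.Reader, s.key, digest[:])
	return t.counter, sig, err
}

// Verify is the relying party: it rebuilds the signed data with its own appID,
// so a signature produced for any other origin does not verify here.
func Verify(pub *ecdsa.PublicKey, appID string, counter uint32, challenge, sig []byte) bool {
	digest := sha256.Sum256(signedData(appID, counter, challenge))
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}
```

A real token also returns the counter to the relying party, which should reject a value not greater than the last one it saw; that check is left to the caller here.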

Once fido gains more traction, the new YubiKey NEO will be perfect, as it combines fido u2fa with an OpenPGP applet. In the meantime, you can check which sites offer what type of 2nd factor auth at dongleauth.info