Starve The Beast

Finally moved all my Facebook Saved Links out to Pocket and dumped them from Facebook. Went from 600 pages liked to 300, although I think there are items on that list that Facebook is no longer revealing, and I suspect it is a bid to prevent people from using automated tapeworms to delete their Facebook account via hollowing. Leave the account in place, but dump all the guts out.

I don’t care to encourage people to do anything. The more I see how much Facebook knows about me, the more shocked I feel. That they have monetized me was always a part of the deal, but the Cambridge Analytica scandal points to a deeper corruption that runs along with the platform’s inability to admit error and only responds when caught red-handed. If they have been corrupt all along, how far does the corruption go? How much have they sold us all for profits? Who has the data that describes us so well?

In many ways, #DeleteFacebook is a matter of bonum ira. It’s a good sort of anger that helps clean up a mess that we all have made of things. Facebook demands punishing, in a manner of speaking and retraction of personal data is probably the only rational way to achieve this sort of effort.

I don’t want to delete Facebook as much as starve it of data.

Crocodile Apologies

The media is starting to process the Cambridge Analytica misuse of Facebook data, and the story is only just getting some legs underneath it now. I see this as a reflective surface of the panic that we all felt back in November 2016, digging all that psychic turbulence back up again.

I want to focus more on Facebook itself. There have been several instances where Facebook has declared innocence publicly up until proof is found, usually by journalists or investigators, and then when the truth comes out, Facebook stops, pauses, and issues an apology for their transgressions or mistakes. This reactivity is for me what lies at the core of my misgivings about the Facebook platform, and Facebook as a company.

In my opinion, it appears that Facebook is only chastened and contrite when caught red-handed doing something improper. I cannot trust a platform or a company that behaves this way. I honestly admit that I never really expected Facebook even to want to try to be upright and wholesome, I wanted them to, but all of this is similar to the feeling that I had when Google walked away from its mission statement “Do No Evil.” Facebook cannot be trusted.

There is no shock or surprise that Facebook has no tapeworm function available, only two options exist, leave everything alone or blow it all to kingdom come. I know there is a third path, the manual deletion of everything in the Activity Stream, but over ten years and quite a regular amount of use that is utterly impractical. Plus, I expect Facebook to be both capable and invested in retaining my data even if I think I’ve deleted it. Just because it no longer exists on the interface to me doesn’t mean that it is gone. I doubt thoroughly that even deleted accounts get deleted. I would bet money that they get hidden from view. It would not be in Facebook’s self-interest to lose any data they can get their hands on. I would also not put it past Facebook to also log every keystroke that goes into the text boxes on their site, so even if you don’t post anything, I would bet that Facebook has a record of what you did type and that you abandoned it. That they could record and store your unshared thoughts, indexing, and selling them even if you didn’t share. Logging into the Facebook site itself is a personal hazard to privacy. I have no proof of this last part, but I would fully expect a company like Facebook to do this very thing.

There is little that quitting Facebook will accomplish, since human personalities are quite fixed and constant constructs. We maintain that iron grip of control and Facebook has monetized it, and now, since Cambridge Analytica, they have lost it. Pandora’s Box is open.

So why stop using Facebook then? Facebook must be caught being evil, which means that the intent is a stain that runs right to the core. I’ve abandoned Facebook itself because continued use is tacit approval of their offensive behavior, and if it makes them money through advertising revenue, and I’m a part of that? That’s personally unacceptable.

Going West With Facebook

Much like the elves in Tolkien’s tales, sometimes the time is right to board the boats and head west. In this particular case, what to do with Facebook.

I’ve been using Facebook since July 2nd 2008. In the beginning it was wonderful, sharing and everyone seemed kinder, more conscientious, I suppose the world was better back then. Many people were looking for a new platform once LiveJournal collapsed, which if we are really serious about it, came when SixApart was sold to the Russians. Americans fled pretty much after that. And so, Facebook was a thing.

Mostly friends, it hadn’t taken off yet. Many of the later iterations that make Facebook the way it is today weren’t even thought up of back then, and in a lot of ways, it was better in the past. But then everyone started to join the service and we started to learn about the ramifications and consequences of using Facebook. I can remember that feeling of betrayal as Facebook posts were printed out and handed to my workplace management. That really was the first lesson in privacy and the beginning of the end of my involvement with Facebook.

Facebook has been on-again-off-again for a while. In time I realized that I was addicted to the service and the sharing. With enough time I realized that Facebook was actually fit more as a mental illness than an addiction. I had to stop it, because in a very big way, it was the service or my mental health.

So fleeing Facebook is the name of the game. First I downloaded all my content from the service, then I started to move the saved links from Facebook to Pocket for safekeeping. Then I went through and started hacking away at groups, pages, and apps. All of these tasks will be long-tailed, they’ll take a while for me to polish off because Facebook’s tentacles run very deep, and in a rather surprising way, just how deep they actually go is remarkable.

So now I’m looking at writing more and sharing more from my Blog. This post is kind of a waypoint to this end. I installed a new theme with some new images featured, and the next step is to figure out a “Members Only” area where I can separate out the public from my friends. There are some items that I intend to write about that use specific names and I don’t want to play the pronoun game with my readers. I also don’t want hurt feelings or C&D notices, both of which some of my writing has created in the past.

I will detail my journey with disposing of Facebook here on this blog. I have eliminated publicity to Twitter and Facebook, but I left G+ on, because G+ is a desert.

So, here we go!

Peer to Peer File Transfer, Reep.io

I recently needed to move about ten gigabytes of data from me to a friend and we used a new website service called reep.io. It’s quite a neat solution. It relies on a technology that exists in many modern browsers, like Chrome, Firefox, and Opera called WebRTC.

The usual way to move such a large set of data from one place to another would probably best be mailing a USB memory stick or waiting to get together and then just sneaker-net the files from one place to another. The issue with a lot of online services that enable people to transfer files like this is that many of them are limited. Most of the online offerings cap out at around two gigabytes and then ask you to register either for a paid or free account to transfer more data. Services like Dropbox exist, but you need the storage space to create that public link to hand to your friend so they can download the data, plus it occupies the limited space in your Dropbox. With reep.io, there is no middleman. There are no limits. It’s browser to browser and secured by TLS. Is that a good thing? It’s better than nothing. The reason I don’t like any of the other services, even the free-to-use-please-register sites is because there is always this middleman irritation in the way, it’s inconvenient. Always having to be careful not to blow the limit on the transfer, or if it’s a large transfer like ten gigabytes, chopping up the data into whatever bite-sized chunk the service arbitrarily demands is very annoying.

To use this site, it’s dead simple. Visit reep.io, and then either click and drag the file you want to share or click on the File Add icon area to bring up a file open dialog box and find the file you want to share. Once set, the site generates a link that you can then send to anyone you wish to engage with a peer-to-peer file exchange. As long as you leave your browser running, the exchange will always work with that particular link. You don’t need any extra applications, and it works across platforms, so a Windows peer can send a file to a Mac client, for example. That there is no size limit is a huge value right there.

If you have a folder you want to share, you can ZIP it up and share that file. It’s easy to use, and because there are no middlemen, there aren’t any accounts to create, and thanks to TLS, nobody peeping over your shoulder.

Weak Certificates

I’ve got an odd little problem at work. I’ve got a Ricoh copier in the Traverse City office that I apparently now can no longer manage remotely due to an error in SSL. The error that Firefox throws is ssl_error_weak_server_cert_key and in Google Chrome it’s ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY. In both situations I understand what the issue is, that the SSL layer is weak because the Diffie-Hellman key is not big enough.

I’ve run into this issue before, mostly with self-signed certs and the browsers have usually allowed me to click on an exception and get on with my day. Except for Firefox and Chrome now, that is no longer the case. The browsers just refuse to display the webpage. I understand the logic behind it, everyone wants a more secure web, but sometimes what we are really after isn’t privacy or security, but rather just getting our work done.

I still need to connect to this copier and manage it, and frankly my dear, I don’t really care that much that the transactions be secure. In a way, this security is irrelevant. The traffic on our WAN is flowing over a Meraki VPN site-to-site link, so it’s already secure. This is security on top of security, and it’s in the way.

So I thought about using the awful Internet Explorer for this and I chafe at even considering using one more wretched bit of Microsoft technology – there has to be a better solution. So when you run into little bits like this the best way forward is to pursue my favorite solution, heterogeneous computing! There’s more than one way to get what you are after. So if Firefox and Chrome won’t work, and Internet Explorer is unthinkable, how about Opera?

So I downloaded Opera and installed it. Then browsed to my copier in Traverse City. Opera told me about the error, but it also provided me with an exception button and then once I clicked that, the error was bypassed and my copier’s remote management screen appeared.

So now I’ll add Opera to all the other browsers I have on my computers. The answer is competition. I wonder sometimes if there isn’t a special browser out there for IT type people like me. They’ll render anything, ignore any “privacy or security” type errors, all so people like me can get our jobs done. For now, Opera seems to lead the pack, at least for this. Thank you Opera!

Better Credit Card Security

While talking with a friend, who is enduring some unpleasantness the conversation turned to issues with using credit cards to buy things, like food for example. That got me thinking, how would I design a really strong way to prevent data breaches?

Encrypt everything!

Well, perhaps not that, but hash everything. Here’s what I talked myself into, of course none of this is rational because nobody will effect a planetwide shift in payment processing based on what this yokel has to say, but still, here goes.

Issuing Bank sets up credit account, there are four key fields that are important for the classic transaction, name, number, expiration date, and CVV2. I think one could also establish a time-based one-time-password secret as well, it would operate like Google Authenticator functions. So you’d need a secret that the bank generated for their systems and the physical card too. You’d need a smart chip on the card so it could forward the TOTP code to the credit terminal at the point of sale.

The bank sets up a TOTP secret, so it’s named JQP Credit Card (or account number or whatever) and the secret is: 6B57078FB88A4DD73E447D2647DCEC7D04C3D887951BA6A2D8DBA294E0B60579. This number is forwarded to the credit card terminal. Right now it’s 726995, but in thirty seconds it’ll be something else. Since the credit card terminal and the bank share sync’ed time via time.nist.gov, there is no risk that there would be some sort of mismatch between the two.

The customer goes to the credit card terminal and swipes, a value is entered and a timestamp is recorded, all of this is already part of a credit transaction. The terminal can read the name, expiration, CVV2, whatever from the magnetic stripe and the smart chip forwards the TOTP code, then the terminal assembles this into an EDI transaction:

JOHN/Q/PUBLIC#1111222233334444#1015#170#726995 and applies SHA256 to it, to create:

621d3dd5a66277a7ab3737f306728e3c4bc5f3cd20c8730c37cc61c6575de0ba

This is stored in a database and then forwarded to the bank with the timestamp, so it’ll look like this:

987654321#621d3dd5a66277a7ab3737f306728e3c4bc5f3cd20c8730c37cc61c6575de0ba#15.09#1426615839

So the bank will be presented with a Customer ID, SHA-256, they’ll have the total dollar amount, and they’ll have Epoch time, or the number of seconds from 00:00:00 UTC, January 1, 1970. This could be easily done by a Linux kernel by the output of date -j -f "%a %b %d %T %Z %Y" "`date`" "+%s" (the -j -f form shown is the BSD/macOS syntax of date).

The bank would then have everything they need, they’d have the secret key, which with the Epoch time from the transaction would give them the TOTP calculation, which would generate the answer 726995. Then they’d have the card details from the customer ID, the SHA-256, and the amount. They could then calculate the hash on their own:

621d3dd5a66277a7ab3737f306728e3c4bc5f3cd20c8730c37cc61c6575de0ba

And authorize the transaction.

Even if the card details were stolen by someone copying the numbers off the card, they wouldn’t get the TOTP secret. Plus the TOTP secret is changing every 30 seconds. If someone tried to run this transaction and guessed at the TOTP code, they’d generate this:

987654321#a1b714fba988632200c78a5b9021bca5b48f149b036aa901c03173f0f2de5399#15.09#14266158

and the bank would instantly detect this incorrect SHA hash and cancel the card and ship a new one.

This is rather involved but the practical upshot is, if a vendor kept these transactions in a database and someone stole the database to use for their own nefarious needs, the presence of the TOTP and SHA-256 would make the data in the database worthless because the TOTP has no predictable pattern if you don’t know the secret, and SHA-256 is very sensitive to even the smallest change in the input data that it’s hashing. This would free vendors, banks, and customers from risking PII leakage or identity theft.
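The terminal-to-bank exchange described above, as an added Python example that is not part of the original post. The card secret, the `Bank` class, the 120-second freshness window and the replay check are assumptions of this example; because the secret is constructed, its TOTP code and hashes differ from the values quoted above.

```python
import hashlib
import hmac
import struct

STEP = 30       # TOTP time step in seconds, as in the post
MAX_AGE = 120   # assumption of this example: oldest timestamp the bank accepts


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1, the algorithm Google Authenticator uses."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def card_digest(card: dict, code: str) -> str:
    """SHA-256 over NAME#NUMBER#EXPIRY#CVV2#TOTP, the field order used in the post."""
    fields = (card["name"], card["number"], card["expiry"], card["cvv2"], code)
    return hashlib.sha256("#".join(fields).encode("ascii")).hexdigest()


def terminal_record(customer_id: str, card: dict, amount: str, unix_time: int) -> str:
    """What the terminal stores and forwards: ID#SHA256#AMOUNT#EPOCH."""
    code = totp(card["secret"], unix_time)  # in the post, the card's chip supplies this
    return "#".join((customer_id, card_digest(card, code), amount, str(unix_time)))


class Bank:
    def __init__(self, accounts: dict):
        self.accounts = accounts  # customer ID -> card fields plus TOTP secret
        self.seen = set()         # digests already authorized

    def authorize(self, record: str, now: int) -> str:
        try:
            customer_id, digest, amount, stamp = record.split("#")
            unix_time = int(stamp)
        except ValueError:
            return "malformed"
        card = self.accounts.get(customer_id)
        if card is None:
            return "unknown-customer"
        # Added by this example: the timestamp comes from the record itself, so an
        # old record copied out of a merchant database would still hash correctly
        # unless the bank also requires it to be recent and not yet used.
        if abs(now - unix_time) > MAX_AGE:
            return "stale"
        expected = card_digest(card, totp(card["secret"], unix_time))
        if not hmac.compare_digest(expected.encode(), digest.encode()):
            return "bad-hash"
        if digest in self.seen:
            return "replay"
        self.seen.add(digest)
        return "authorized"


def demo() -> list:
    # Card fields follow the post's sample; the secret is constructed for this example.
    card = {"name": "JOHN/Q/PUBLIC", "number": "1111222233334444",
            "expiry": "1015", "cvv2": "170", "secret": b"constructed-demo-secret"}
    bank = Bank({"987654321": card})
    t = 1426615839
    good = terminal_record("987654321", card, "15.09", t)
    # A record built from the right card details but a wrong TOTP guess.
    guess = "%06d" % ((int(totp(card["secret"], t)) + 1) % 10 ** 6)
    forged = "#".join(("987654321", card_digest(card, guess), "15.09", str(t)))
    return [bank.authorize(forged, t + 2),     # wrong TOTP -> hash mismatch
            bank.authorize(good, t + 2),       # genuine record
            bank.authorize(good, t + 5),       # same record sent again
            bank.authorize(good, t + 3600)]    # same record an hour later


if __name__ == "__main__":
    print(demo())
```

As on the page, the dollar amount travels outside the hash, so the digest alone does not tie the record to a particular amount.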

I’ve also thought that this would be a great way to secure SSNs as well for use with the government, they know your SSN and you know your SSN, so when communicating over a possibly compromised channel you can authenticate not with your SSN, but with the hash of your SSN.

John Q. Public, 123-45-6789 -> 01a54629efb952287e554eb23ef69c52097a75aecc0e3a93ca0855ab6d7a31a0

Geek Excursions: BitMessage

Along with my curiosity surrounding Bitcoin, there is a similar technology that has been released for public use called BitMessage. This system is a really neat way to securely communicate in a secure method that involves absolutely no trust whatsoever. It’s a completely decentralized email infrastructure and has captured a lot of my spare attention. BitMessage works a lot like how Bitcoin does, you can create email addresses on the fly, they are a long sequence of random characters that your system can display because you have both a public key and a private key. In a lot of ways BitMessage deals with the biggest problem surrounding PGP/GPG, which is key management. Nobody really wants to manage keys or use the system because it’s extra work. Plus even with PGP/GPG, your identity is written on your keys for everyone to see.

Getting started with BitMessage is a snap. First you need to download the BitMessage client, and you can get that at bitmessage.org. There’s a Windows and Mac client available, you can start it and be instantly attached to the BitMessage network, ready to create new “BitMessage Addresses” and throw them away just as easily. So, for example, you could reach me by sending me a BitMessage to this address: BM-2cWAk99gBxdAQAKYQGC5Gbskon21GdT29X. When you send a message using BitMessage, it’s to this address and from an address that your client makes, so the conversation occurs securely and since every node has a copy of the data it’s impossible to tell who is getting what information. I think an even more secure method would be to cross BitMessage with a PGP/GPG key. The only problem with a key like that is that classically PGP/GPG keys require that you include your email address as a subkey so that you can be identified by a human-readable email address when looking for your public key or when someone else is looking for it, to verify a signature for example. The PGP/GPG system doesn’t require an email address, you can of course create a public and private keypair using PGP/GPG and make the email address up from whole cloth, and instead just let people know the key ID that you want them to use. So technically if Alice wanted to secretly communicate with me, we could give each other our public keys to start and then use BitMessage as the messaging mule. I don’t see how any eavesdropper could make sense out of any of that data flow. It’s unclear what the contents are, the PGP/GPG encryption keeps the contents of the message secure, and BitMessage itself seriously obfuscates if not outright eliminates being able to tell where the messages are ultimately going to or coming from.

I have to admit that BitMessage is very user friendly and very handy to have. My only issue with it is that I don’t know anyone who uses it, but perhaps this blog post will change that. If you are interested in this bleeding-edge crypto/privacy software, I encourage you to chat me up on BitMessage for serious matters or for fun.

Geek Excursion: Cryptocurrencies

I’ve been thinking on and off about Bitcoin ever since it was written years ago. Right around the end of last month, in December I thought I would look into it again. Turns out the environment has grown considerably since the last time I looked at it, by leaps and bounds! I figured now would be a great time to dip my big toe into the stream, so I found an online exchange and pursued Bitcoin with them. This exchange was ExpressCoin and the purchase deal was mailing them a US Postal Money order, they’d cash it and then send me the Bitcoin equivalent. Since this was a conversion from Fiat money (in this case United States Dollars) to Bitcoin, the exchange rate was around $330 per Bitcoin. The $10 investment gave me 0.03120712 Bitcoin.

Right after that I started lurking on the Bitcoin subreddit on Reddit and discovered two other currencies, Litecoin and Dogecoin. Then just after that I discovered the Cryptocurrency Faucet websites, places where they hand out free money for proving that you’re human with a captcha, and the off chance that exposing you to advertising will pay for the money flowing out of the faucet.

I still think a great part of all these cryptocurrencies is still quite firmly fixed in the hobbyist framework, the enthusiasts are on the “bright” side of the currency and the speculators are on the “dark” side of the currency. All of these currencies that I’ve engaged with display pretty wild volatility in comparison with any linked Fiat. My buy-in rate was around $330 per Bitcoin, and now weeks later, that’s at $218.87 per Bitcoin. There seem to be two camps developing, the first camp is quite keen on ignoring the Fiat exchange rate and trying to ignite their currencies inside themselves. One of the most positive and tightly knit communities surrounds the Dogecoin. Seeing how the Dogecoin enthusiasts communicate and cope with their currency’s volatility is a lesson in lighthearted, altruistic generosity. People who hold Doge appear to be very ready to donate it to other people as encouragement, sympathy, or even on a lark. As you go from Doge to Litecoin to Bitcoin you see a lot less of the pleasantries and a lot more of the cold hard business of currency work and trading.

I think one of the most fascinating parts of these new currencies is how everything is starting from the very beginning – including questions of trust and honor. Because all of these coins are decentralized and unregulated there is no capacity for a “chargeback” mechanism, and when this runs up against mechanisms in other currencies, like the Fiat, where there are “chargeback” mechanisms in place, you run the risk of being seriously defrauded. I completely understand the fear and the very careful progress that these cryptocurrency traders make, but it does speak volumes about just how awful and corrupt some people are. We don’t assume people are trustworthy and honorable, so we need many complicated structures in place to cope with the unknowns. This gap in honor is, I feel, a huge part of what these currencies should work on next. How do you measure honor? How do you establish trustworthiness? I got to thinking about it, and every time I think I have a solution I run into an edge case that blows my concept out of the waters. The only thing that I think might work is arranging honor and trustworthiness in a way similar to the “Web of Trust” that PGP and GPG cryptographic systems rely on to establish trust. PGP/GPG never really took off for mass adoption and that’s always been a very sad thing for me, but I really like the “Web of Trust” idea that they pioneered. That people can trust others when there is reputation on the line, backed by money perhaps, there would need to be some sort of contingency addressing on the line as well. So if Bob wants to establish his trustworthiness and his honor he puts his money on the line for it. But the problem with this is that someone who is not honorable could just come along and lie about Bob and take his money, sending you right back to the start again. It’s fascinating, that Bitcoin decentralized money, but we need to figure out how to decentralize trust as well.

The US Government has done its due diligence in preventing egregious misuse of the Bitcoin currency to be used for illegal purposes by attempting to regulate how centralized exchanges transfer Fiat into the cryptocurrencies. It seems that Bitcoin and all the others are very elegantly designed in so far that despite all these regulations there is a community of individuals willing to operate as nano-exchanges that help bring everything back to its decentralized and unregulated roots. Half of the fun of playing with cryptocurrencies is being at ground zero for all these fascinating developments and arguments and seeing how something so new develops and unfolds.

So far I’ve got some small parts of a Bitcoin, some small parts of a Litecoin, and gobs of Dogecoin. For myself, I am very interested in figuring out ways to secure the relationships between traders, working on terms of honor, trust, and faith. If anyone has ideas that they would like to share, please leave them in the comments below. I would really love a nice conversation about securing honor, trust, and faith between traders.

Alternatives to Clouds

I’ve been toying around with a wonderful free utility from BitTorrent Labs called BTSync. You can find it here: http://www.bittorrent.com/sync.

What really drew my attention was the lack of centralized service that stands at the core of BitTorrent technology. It’s distributed, without any company or cloud provider dwelling in the background. All the hardware is owned by you, the “secret” code you use to share that identifies your sync experience also forms the encryption key so that the data that is flowing across the network is secure from prying eyes. Because you own all the hardware and encryption covers the data exchange, you can store whatever you like in your BTSync’ed folder and not have to worry about anyone else peeping over your shoulder or removing material from your storage without your knowledge or permission.

This free system has clients for workstations and mobile devices, so it really can be a drop-in replacement for services like Box, Dropbox, Google Drive, and SkyDrive. You can share the secret with anyone you like and anything you place on the folder set up with BTSync will synchronize across all the connected devices. You can also send “Read Only” secrets to sync your folders to people who you want to have your files but don’t want them deleting or changing your files and since this uses BitTorrent technology you won’t have to pay hosting fees and the more people share the data, the faster the system sends updates and changes and new data to all the subscribers.

I’ve created a Work folder, a Sync folder and have them set up on my work machine, my work laptop, my Mac Mini at home, and my iPhone and iPad. Since I own all the hardware, the maximum storage that I can store on this system is only limited by the smallest storage unit amongst all the shared machines. The folder lives on a 1TB USB HD at home, at work I have hundreds of GB’s available and the same as on the laptop. The storage in Mobile isn’t the same as a full workstation as the BTSync app doesn’t actually download data to store on the mobile devices directly but rather downloads a file list making it possible for you to pick and choose what you need on mobile when you need it. If you need security in the storage components you could leverage Encrypted Disk Images in Mac systems and TrueCrypt Encrypted Volumes on Windows machines. For Linux clients, you could likely use loop filesystems set with EncFS or something like that.

The applications for BTSync are amazing. Freed from middlemen companies I can store anything I like without having to worry about some company evaluating what I’m storing or even being able to respond to warrants to reveal what I’m storing on the service. Something like this could be a great benefit to companies that need to share files without having to worry about “buying into the Cloud” since everything is free. You can run a BTSync on a server, host a folder and share the secret out to all your employees and have a very handy share drive and even if your central server fails, copies of your data are stored on all the connected workstations so to recover the data all you would need to do is download the small BTSync client again, re-establish the shared secret code, identify a folder and watch as all your connected clients swarm and return all your data back to the “central depot” server.

Another wonderful option is to host a family shared folder, where you can store anything you like, securely and backed up amongst all the connected workstations. Alternatively, if you were an aspiring artist you could place a folder with all your work and establish a read-only secret and publish it on your social networks. Not only would all your fans be able to have your work, but you’d also be able to cleverly transform them into a swarm of willing backup sources for your work. If an artist has their secret code and a copy of BTSync client and they lose their primary system and all their data, they can just get a new system, re-establish the client and secret and smile as all their work comes back home as it was stored on all your fans’ computers. That’s amazing to me!

Getting started using this utility is a snap. Download the client and install it on your system. Then on whatever storage medium you like create a new folder. In the BTSync application itself you can create a new shared folder with a single click, there is a “Generate” button which creates the shared secret for you, you can then determine if you want it to be full-sync or read-only sync and then point the app to the folder you want to share, then minimize the app and you’re all set. Send the shared secret code to anyone you want to share with and your data will immediately be sent to their systems according to your preferences.

BTSync is the best of all worlds. You have a secure cloud infrastructure without anyone in your way, judging you or risking any intrusions from companies or governments.