Body scanning at the candy store

Interesting experiment on the willingness of ordinary people to subject themselves to invasive forms of surveillance. A body scanner is used on customers entering a candy store. Many had the appropriate reactions - disbelief, disgust, anger, walking away - but according to the producers:

The goal was to see how far we could take this scanning and if people would let us! To our surprise, most people didn't put up much of a fight and went along with the person ahead of them in line... which was our plant that we actual scanned again and again.

Machineries of freedom

Last night I was talking with some fellow anarchists about what kind of practical projects we should be exploring and promoting, to move beyond the usual grind of politics and ideology. There were lots of interesting suggestions of course and over time I would like to explore many of them on this blog. Here are some types of projects that I am currently involved with or seriously exploring:

  • Autonomous wireless mesh networks to complement/compete with/replace the government controlled Internet. I have been talking to people, going to conferences etc to explore this topic, with the goal of building a mesh network in Stockholm. The motivation is primarily to counter government restrictions on information exchange, by creating a parallel network which the state can not control or censor.
  • New technology for small scale production of food. One of the small startups in this space that I am watching closely is AutoMicroFarm. Some friends of mine are building similar setups of their own. Don't know much about energy production, but would love to hear from some solar power enthusiasts or something.
  • The interplay between government services and free software might offer some opportunities. I have personal experience of projects where the implementation of open data standards has made a substantial difference to the allocation of money and other resources. Wider implementation of free software might shift the balance of power in a favorable direction.
  • Setting up secure mail hosting services, systems for encrypted mailing lists etc. I run a full-stack mail server to help friends and acquaintances improve their security, use encryption etc (let me know if you are interested). I provide these services for free, but it could easily be turned into a small business if I wanted it to. Lots of people should be doing this, i.e. making money helping others to become more free and secure.
  • A while ago I collaborated with a friend to create a prediction market, something like a more up-to-date version of Intrade. The project was put on hold, but feels more relevant than ever now that Intrade has been forced by the US government to shut down. Prediction markets are powerful tools for crowd sourcing intel and we should use them.
  • I have created a piece of software called Digital Demokrati, which is a decision making system based on a fluid combination of direct and representative democracy. The general idea is to challenge the conventional idea of politicians representing the people by providing a superior mechanism of representation.

If you are interested in this kind of stuff, feel free to get in touch. I am especially interested in talking to people who have practical experience of building and maintaining wireless mesh networks.

The title of this post is a reference to The Machinery of Freedom by David Friedman, one of the classic works on anarcho-economy. If you have not read it, you should check it out.

How Sweden became rich

One of the central pieces of government propaganda in Sweden is the belief - embraced by almost everyone in Sweden - that conditions in this country were horrible until the Social Democrats came along and built the so-called welfare state. And of course, a lot of people around the world idolize this system and think of it as great success.

This is in fact an absurd inversion of what actually happened.

This recent essay by Johan Norberg digs deep into this interesting topic and describes when and how Sweden actually went from being a poor country to one of the richest. Highly recommended reading if you have some time on your hands and want to learn more about this particular corner of the world:

http://www.libertarianism.org/publications/essays/how-laissez-faire-made-sweden-rich

From the essay:

It was not socialist policies that turned Sweden into one of the world’s richest countries. When Sweden got rich, it had one of the most open and deregulated economies in the world, and taxes were lower than in the United States and most other western countries. The Social Democrats kept most of those policies intact until the 1970s, when they thought that those excellent foundations—unprecedented wealth, a strong work ethic, an educated work force, world-class exports industries, and a relatively honest bureaucracy—were so stable that the government could tax and spend and build a generous cradle-to-grave welfare state on them.

They couldn’t. At least not without costs. Because that welfare state began to erode the conditions that had made the model viable in the first place. And the fourth richest country became the 14th richest within three decades.

The New Libertarians

In this excellent article my favorite kind of libertarianism gets some serious love. This is exactly the kind of stuff I wish that more libertarian minded people would get involved in!

http://www.fee.org/the_freeman/detail/the-new-libertarianism

The article describes a conference organized by the Students for Liberty. I was recently at another of their conferences and it was a blast. Even though most of the people attending were conventional political types, there were a substantial number of people there thinking outside the political box, talking about anarchy, entrepreneurship etc.

From the article:

When I was in college, I can’t remember anyone doing this. We trusted that the system would take care of us, and our job was to fit in. These young people do not have this view. The existing system is something they will use, but only on the path to bypassing it with new innovations and businesses to change the future. 

To be sure, this is a group that is very commercially astute. They see business as the way to change the world. The tools they use every day to navigate the world—buying everything from coffee to concert tickets, getting around cities, planning trips, talking to friends and family—came to them via the private sector. Government contributes nothing to their lives apart from annoyance. 

What’s more, among these libertarians, there is very little hope that political change is a viable option. What would be the mechanism of change? The two-party system? The trends in politics are inexorably worse, regardless of the promise. The trends in commercial life are toward progress every day. Which seems like the better path?


Encrypted mailing lists with Schleuder

I recently needed to have a way for a group of people to send encrypted messages to each other. Regular PGP is designed for one-to-one communication, so this is a bit of a tricky problem. Multiple strategies are possible, but they all involve some kind of trade-off in regards to security or practical feasibility.

One option is to use a secret key which is shared by all members. The benefit of this model is that it provides proper end-to-end encryption. The drawback is the practical problem of securely distributing the shared secret. If there is geographical separation and few other secure channels, this can be a very difficult problem. What happens if you need to revoke access for one of the members - do you create a new secret and go through the process of securely distributing it to everyone again?

The second option is to have users encrypt messages with a special public key, the list key. The list server receives messages, decrypts them with the private list key and immediately re-encrypts them with the public key of each member of the group. One benefit of this approach is that key management is a non-issue (same as normal PGP mail). The drawback is that messages will be decrypted and at some point held in cleartext before reaching the recipients. So there is not end-to-end encryption - in effect, the server does a benevolent version of a man-in-the-middle attack.

The drawback of the first option is huge - I don't think I could convince anyone to participate in my mailing lists if they were so cumbersome to manage. The drawback of the second option on the other hand is rather limited. Temporarily decrypted messages need only be stored in RAM, and never for more than a few seconds. Given that we have some degree of trust in the list server, this is probably not one of our primary security concerns.

With this decision made, I started looking for specific software to use. I quickly found a very nice open source project called Schleuder (meaning 'slingshot' in German), which had exactly the features I was looking for, a few little extras that I hadn't thought of but liked, and basically nothing else - perfect! And when I downloaded the source I got another nice surprise: Schleuder is written in Ruby which happens to be my weapon of choice for everyday scripting.

Thus began my love affair with Schleuder. About a week later it was consummated when I had a server set up and could start playing around with encrypted lists. So far there are a couple of small groups keeping in touch through the Schleuder lists on my server, and I'm working on getting more people to start using encryption and joining lists. I have also written my first Schleuder plugin and hopefully I will find the time to write a few more.

Some of the extra features that Schleuder comes with:

  • Anonymous remailer. Lists can act as mail gateways for groups, exchanging mail with any external address. Might be useful e.g. for info-type addresses or for anonymity purposes.
  • Lists are to a large extent managed by sending text commands in emails to the list server. Commands include things like adding new members, listing current members, requesting a specific public key etc.
  • Flexible plugin system, which has worked without a hitch for me. Very easy to create new mail based commands. My first plugin experiment was a mail based web browser.

For more information about Schleuder, check out the project web site. And by all means, if you are interested in this kind of thing and want to share your thoughts, please send me an email. To anyone interested in having an encrypted mailing list for some project or just messing around, let me know and I will create a list for you on my server. The only requirement is that you are able to send and receive PGP encrypted mail.

Whole disk encryption and the boot partition

In most cases, so-called "whole disk encryption" does not in fact encrypt the whole disk. A small part of the disk is used for the boot partition, which must be stored unencrypted. This creates a potential attack vector. One description of this problem comes from Micah Lee in an interesting report originally published in 2600:

Pwning Past Whole Disk Encryption

In a nutshell: If an antagonist gets physical access to your computer (say, if you go to the bathroom and leave your laptop laying around, even if it is powered off), malicious software can be installed on the boot partition, e.g. a keylogger which grabs your hard drive decryption password the next time you enter it and/or any other kind of malware.

The suggested solution to this problem is to eliminate the local boot partition. Instead, have the boot partition on a flash drive which you insert temporarily every time you reboot your compuer (much like you insert a physical key to start your car). To prevent tampering with the flash drive, and to make sure it is not close to the computer when you are not, buy a nice and durable one and keep it on your keychain.

My personal setup costs less than $10 and involves the following hardware:

Kingston DataTraveler SE9

Stainless Steel 2.9mm Curb Chain

Own your mail

Most people use email addresses under domain names owned by their mail hosting provider, e.g. gmail.com or hotmail.com. This makes it very easy for providers to revoke access to personal mail accounts. For one thing, all the archived mail will be inaccessible if the user has not taken care to make an independent backup. More importantly, the user can be denied access to all future incoming mail. At any point such a provider has the capacity to intercept messages, impersonate the user etc.

This is no way to manage such important personal tools as ones email addresses!

Fortunately, it is easy to solve the problem:

  1. Register your own domain name and use it for your personal mail account. Most email providers (e.g. Google) will provide this as a free add-on service, i.e. you can continue to use the Gmail web interface or whatever. Now, if Google suspends your account, you can simply point your domain to another provider and immediately start recieving your mail through them.
  2. Have backups of your mail history. The easiest way to achieve this is probably to set a normal desktop mail client to store all messages locally. There are also several tools for exporting mail data from e.g. Gmail. Now, if Google shuts your mail down, not only can you continue to use the same email address, you will also have access to  your mail archive.
  3. Use cryptography to sign and encrypt messages as often as possible. Encryption takes away the ability of the mail provider to read the contents of messages sent through and stored on their servers. Signing removes the ability of external parties to impersonate you after taking control of your mail account. (This assumes, of course, that your private key remains private.)

Why you should encrypt your mail

By default, email messages are sent in cleartext over the Internet. A common analogy is that an email is like a postcard - anyone who handles it along the way from sender to recipient can read the entire message. In comparison, encrypting your messages is like putting them in an envelope. But here the analogy suffers, because the digital envelope of encryption is so strong that, as far as we know, even the NSA can not force it open.

For this reason, strong encryption is a threat to government power and it is very likely that governments will sooner or later try to prohibit it. They will not outright ban the use of encryption, but rather require that people who use encryption provide their decryption keys when asked by the government. This is already the case in several jurisdictions.

When we come to this particular point in the expansion of tyrannical power, developments might turn on the number of people who have adopted encryption as a daily routine. If encryption is still a fringe phenomenon, there will not be enough voices to avert government abuse. On the other hand, it is possible that if a large enough segment of a population is using encryption, it might be difficult for politicians to push an anti-encryption agenda. In any case, if millions of people are habitually sending encrypted messages, it will be much more difficult to target them systematically.

So even if you currently are not concerned about your personal privacy (although you definitely should be), you should still use encryption and encourage others to use it. If many of us do, it might provide a bulwark against state suppression of private communication. In any case, it will strengthen the capacity of the general population to resist further power-grabs by the cleptocratic elites.

Prism-Break

A while ago I started using the website prism-break.org for assistance in migrating my last OS X environments to free software alternatives. The site provides a great overview of friendly alternatives to proprietary software and from the beginning I recommended it highly to my friends. The site has developed and become even better since.

Only the other day did I see who is behind the site. To my surprise and delight, it is Peng Zhong, a very talented freelance designer who has done projects both for my own company and for friends of mine. Most importantly, he created the design for artilect.com and I happen to like it a lot. He was also contracted by Artilect to design foretagsklimat.se and he later did some great work on the Scrive website.

I don't exactly know Peng (despite having worked together in multiple projects, we have never spoken to each other), but I think that he is obviously a good guy. Please support him if you can, e.g. by making a bitcoin donation or by contributing code, translations etc!

In any case, make sure to check out the site - it is a gold mine!