Rambling Thoughts on Security and the IndieWeb

PLEASE NOTE: This post is, in expository terms, a mess.  While I may edit and clean it up later, I am very much thinking out loud and typing ideas before I forget them,


The heartbleed mess got me thinking about security again.  It started with pondering a password manager, particularly whether to go with something third party and web based like LastPass or Install KeePass locally.  From there the scenario moved to “If I use Keepass, where to put the database, and what things to encrypt.”

I installed an S/MIME cert from Start for my primary email on this server. I did this of course just as the entire CA system was being called into question. How’s that for timing?  As I continued to poke and prod, I discovered that no iOS browser checks for certificate revocation.  Ouch.

So back to the web of trust I went.  First there was the question of how to protect a GPG keypair I might create.  I imagine two possibilities.

  1. Having a dedicated CPU (probably a Raspberry Pi) for security operations.
  2. When reading about something else, I came across a reference to Qubes, an OS designed to contain exploits by using appVMs and aggressive sandboxing,

The lead developer of Qubes, Joanna Rutkowska , wrote about her security setup.  I found it an enlightening introduction into the behaviors necessary to improve security.  I might try Qubes if I had a machine to dedicate to the endeavor,

Finally my thoughts turned to various attempts at more secure and/or federated systems

  • Pond – forward secret messaging
  • Trsst – microblogging/RSS feed reading that supports GPG – Now with Alpha Code that runs
  • MailPile – standalone MUA that supports Web of Trust
  • FreedomBox and ArkOS – implemetations of personal plug servers for data storage and service provision

When I compare these to all the “facebook/twitter killers”  that haven’t taken off yet.(Diaspora, Friendica, Tent, Pump) I realize that the projects which are seeming to move forward target individual users, rather than try to focus around federated social networks, This lets adoption happen one user at a time,

I think the killer app for the federated social web is a single app that can aggregate all these protocols into one stream,  Gwibber was headed that direction ( I haven’t used it since it became Friends).  Mike Caulfield argues that this aggregation happens in the notification panels of our smartphones and tablets.  I suppose there is no particular reason the hybrid apps on our devices couldn’t point to local instances of federated services from our basement plug servers.   I’ll have to ponder how that would work.

Thoughts on Mike Caulfield’s Vision of Storage Neutral Apps

Today Mike Caulfield proposed a different vision of cyberinfrastructure. It’s late enough that I may be missing something, but here’s what I think he’s saying,

At present you have two options for personal cyberinfrastructure —

1) Use big cloud providers (Google, Facebook, etc.)  Pay in data mining and lock in rather than money. Have little control over your presence

2) Get your own domain (or a VPS if you are truly brave) pay some money and lots of what Ryan Brazell called the web version of “sweat equity”.  Have as much control over your presence as your skill set allows, including content portability. This is essentially the premise from which Jim Groom et cie. are working with Domain of One’s Own at the University of Mary Washington.

Caulfield quotes Klint Finley to support the idea that most end users want data and software portability, but don’t care about the other control that being able to rewrite free software allows.  This leads Caulfield to a third way, which looks something like this:

You buy software, a VPS, and cloud storage, but not necessarily from the same provider. Everything is interoperable enough that you can change software, server provider, or storage provider easily.  All my payment is done via money, rather than sweat or data mining.

Caufield’s idea addresses the most common criticism of the personal cyberinfrastructure movement, that nobody wants to mess with the inner workings of their website, not even in cpanel. I find it very discouraging that Mike may be right, especially as someone who works in higher ed.

James Burke pointed out more than thirty years ago in Connections that modern society allows us to go through our lives without knowing how much of anything really works, One of the things all education wrestles with is how much of the inner workings of various things (chemistry, music, economics, etc.) a broadly educated person “needs to know”.

We have in so many areas of life already given up knowledge and control so that a scenario like E.M. Forster’s “The Machine Stops” is now quite plausible. For much of it’s earliest history, the Internet pushed back, in the 90’s building a web presence meant knowing HTML and maybe even having to brave the CLI. It was a place where you could learn to be hands on, even as your cars and appliances became too complex to be fixed by non-experts.  Now the pendulum seems to be swinging again,   The success of Blogger, WordPress.com, and, yes, Facebook supports Mike’s contention that people want a less hands on solution.  However,  I believe that the Internet is a fundamental “System of the World” to paraphrase Newton, and that it is among the things of which an “educated person” should have some understanding.

I think this could be done by replacing the desktop applications class that constitutes many students’ formal learning about computers with a “technology and society” sort of course that would could cover everything from the Internet and its issues to  GMO food and personal fabrication/3D printing,  Recent attempts at technology law and policy (remember SOPA/PIPA?) show us that those responsible for policy (including voters) desperately need a better understanding of how, at least conceptually, it all works.Domain of One’s Own tries to do that.  I’m not sure Mike’s solution is up to that challenge, even though it’s quite a step forward from what most people use in terms of portability and privacy..