Moving Away From Webmail: Why?

Back in the late 1990s, I encountered webmail services. I quickly signed up for accounts with every service I knew:

  • Yahoo! mail—sponsored by Yahoo!, which had a top-notch human-curated search engine directory
  • Mailexcite—later known as Excite mail—at that time sponsored by Excite and Webcrawler search engines
  • Hotmail—before it became a Microsoft property
  • and over time, various services that went by names like Warmmail, Coolmail, Coldmail, and CoolEmail—these services came and went and sometimes came back under completely different owners

What I liked about them was that I could go to the local college, the state college, or to friends’ homes and still check my e-mail without having to set up client software for each computer I used. This was before we knew a lot of the things we have learned about online security. Passwords were often restricted to 4-6 characters, often either all lower-case or all numeric.

If you forgot the password you used on site ‘X’, you would click ‘Send my password’ and check the relevant webmail account where the password would be sent.

Over time, things changed. Passwords started to require a mix of upper and lower case, along with one or more numeric digits. Then special characters were added. Passwords became longer. And ‘forgot my password’ started taking you through one or more secret questions before sending a password reset link to your e-mail. (No more mailing your password.)

It became more and more time consuming to log into a website, scroll through your new and existing messages to find the ones you choose to read, and write responses as necessary. This would be enough to make me switch back to the convenience of using client software to handle my e-mail messages (at the small cost of more complicated set-up than just typing a name and password into a couple of boxes on a webpage). But this is not even really the problem.

You see, in some areas, we have never advanced. We call it electronic mail, but it is really more like electronic postcards. This means that anyone, anywhere along the chain between you and the other party (or parties) could easily and quickly read your messages. That contract to buy a retirement property in Hawaii? Someone could have grabbed a copy, whipped out their word processor, and read everything in it. Same with that e-mail to your kid’s school about her grades. Didn’t you say they use Social Security numbers as student ID numbers?

You may say that you don’t do anything illegal and you don’t use e-mail to conduct financial transactions, therefore you have nothing to worry about. That is not so. You cannot know in 2012 whether information you “leak” today will become useful to someone who decides to use it against you in 2017 or 2022.

What is the answer? PGP. PGP (or Gnu Privacy Guard, which is a freedom-preserving implementation of OpenPGP). PGP puts your e-mail messages into an envelope, making it more difficult for someone to snoop on your message. Since the message is electronic, the envelope is also electronic, a type of public-key encryption.

Now, there are some who believe that anyone who encrypts data is doing it because they are doing something wrong or illegal. Those people are wrong. I personally believe that it is patriotic to encrypt your data. First of all, I do not believe that the government would have permitted its use if they had not figured out how to penetrate the encryption, if they are willing to devote enough time and computing power to do so. This means that encryption is not going to protect spying or terrorism. Our government will still be able to see what evil deeds such people are planning.

However, for unimportant people like you and I, people who may occasionally speed on the freeway, but do not otherwise break the law, the government is not likely to invest the effort. Our lives are too boring. There is nothing to be gained. I cannot imagine Jon and Ponch showing up at your door to write you a ticket because you admitted in an e-mail message that you drove 70 in a 65 zone.

I should point out that I have no evidence that our security agencies can read your encrypted messages. It is purely my opinion that they would still be trying to suppress PGP is some security agency had not figured out how to penetrate it. (Disclaimer: I work for a federal agency, but I don’t speak for them and they don’t speak for me.)

On the other hand, using encryption gives you some privacy. While I firmly believe the government can read your encrypted messages, the average computer criminal cannot. And more importantly, the casual observer who inadvertently is exposed to your message is not able to read it. The beat cop who is trying to make his quota cannot read it. The junior high kid down the street cannot read it.

So you and I should be using PGP (or the open source implementation, GPG) for most of our messages. Remember that an envelope only protects its contents in transit. If you’ve got the unencrypted contents sitting on your hard drive, or if the person on the other end has them, all that anyone has to do is gain access to that computer.

It is sometimes convenient to think of encryption like a vault. The locks on 1920s-era vaults probably would not slow modern criminals very much. The locks on current bank vaults are probably sufficient to slow down the majority of criminals long enough for the police to arrive. If you think encryption will protect your secret treasure map forever, you’re mistaken.

Now, once you decide to encrypt your e-mail, you’ll immediately be faced with two big issues. First of all, none of the big webmail providers supports using PGP through their websites. So unless you can get FireGPG working, you cannot do the prudent thing. Secondly, installing and configuring PGP/GPG is somewhat complicated. It isn’t really–some of the most tech-adverse people I know today set up similarly-complex software on their computers back in the 1990s–but it isn’t as easy as it could or should be.

Enter GPG4Win. GPG4Win comes with a lightweight mail client (Claws Mail), the GPG and Kleopatra and GPA software to manage the process from creating keys to uploading to public key to a keyserver to signing keys of others whom you know in person, a file encryption plugin (GpgEX), and an optional encryption plugin for Outlook. Mac users can use GPGTools instead of GPG4Win. BSD, Hurd, and Gnu+Linux users can use a somewhat less polished version or KDE’s Kleopatra.

Clearly, though, the process of using PGP and GPG needs to be simplified and streamlined. However, even in their current condition, you and I should be using PGP / GPG. And that means, given that the webmail providers have not figured out how to support it in their interfaces, that I need to pull back from using webmail for most of my messages.

I should also point out that you have to remember your passphrase, or you will not be able to use PGP / GPG. You should probably not create keys that are valid for more than a year or two. I am still learning about it, so I am by no means an expert. It just seems to me that if you forget your passphrase, you want a quick expiration, rather than waiting for years.

Monday, 2012-January-09 at 04:55 5 comments

2011 in review

The stats helper monkeys prepared a 2011 annual report for this blog.

Here’s an excerpt:

The Louvre Museum has 8.5 million visitors per year. This blog was viewed about 76,000 times in 2011. If it were an exhibit at the Louvre Museum, it would take about 3 days for that many people to see it.

Click here to see the complete report.

Tuesday, 2012-January-03 at 13:45

Discussing Diaspora’s Future

I have seen lots of discussion about the future of !Diaspora lately. Here is my first attempt to really weigh in. We need to distinguish between several things that are all called Diaspora. First of all, there is Diaspora the project (DProj), the Diaspora core development team (DCore), Diaspora the corporation (DStar), and DStar’s Diaspora pod, (JD). There are also several independently-operated pods, such as (DiaspO) and (DiaspE).

First of all, DProj, can really benefit from more contributors. Sadly, I cannot help. I messed around with Ruby for a while, realized that its soup of special characters with special meanings was not going to ever match my brain (like Perl, which has the same problem), and put it down quickly.

DProj is almost synonymous with DCore and DStar, as is usual in a cathedral-type of project. However, DStar is also distracted with the financial and administrative burden of operating JD. This, I think, is the chief problem that Diaspora (overall) faces. Even with a cathedral model, they could be very successful. But they’ll have to be very careful.

DStar must, absolutely must start to create a business model. They need to wake up and realize that centralizing around JD, a site that charges its users nothing and accepts no advertising, is suicidal. Likewise, owners of other Diaspora pods, including both DiaspO and DiaspE, should be thinking about their own business models.

Once you realize that hosting a zero-price site for yourself and a few friends and family is considerably different from hosting a zero-price site for tens or even hundreds of thousands of people you do not know, you will realize that all large Diaspora pods will need some kind of business model. Hosting costs money. Bandwidth costs money. Having someone to administer the site, to respond to issues and outages all day, every day costs money. By refusing to face this issue up front, JD may have seriously damaged the future of both DStar and DProj.

Diaspora, particularly the JD pod, has attracted a large number of people who cannot contribute code, cannot or will not contribute funds, and will not tolerate advertising on the site. Unless the JD pod finds a billionaire sponsor or forces the freeloaders to leave or change, that pod will continue to be a severe drain upon DStar, and to consume resources that DProj and DCore need.

I understand the founders wanted Diaspora to be more of a non-profit foundation, and I understand this. Putting DProj development in a NPO would be the best way to go, but pod-hosting (JD) is killing the project.

People are complaining about the instability of the JD pod, which seems to be down several times each day. As a user of that pod, but a non-participant in DProj itself, my estimation is that the influx of JD users is straining the already-tight finances and server administration resources of DStar.

What should be done about all of this? I am glad you asked.

Number one, DStar must put DProj into a non-profit organization funded primarily by DStar. That will free DProj to seek grants and sponsors. DCore needs to open up DProj a little, so that people who can grok Ruby are more willing to contribute code.

Number two, DStar must emphasize federation. People need to be encouraged to start new pods and to choose to join other pods instead of JD. In fact, I would encourage DProj and DCore to get in touch with the people trying to patch XMPP into the Diaspora codebase. Get in touch with Friendica’s Mike. Get in touch with the StatusNet, OStatus, and RStatus people. Work to make it possible for Diaspora pods to interfederate with OStatus-using federations, such as StatusNet and RStatus; make it possible to interfederate with Friendica using its Zot protocol; and to interfederate with XMPP-using federated social networks, such as Jappix. Many have argued that Diaspora lost its chance to ever become popular. I do not believe that displacing one or more of the big commercial socnets is or ever was on DStar’s agenda, but to the degree that Diaspora or any other federated socnet succeeds in attracting active and sustainable communities, they all benefit, and all the more if they can interfederate. Diaspora, the Zot-using networks (currently just Friendica), the OStatus-using networks (including Identica and other StatusNet instances, and RStatus, at least), and the XMPP-using networks together can form a network with no vulnerable central hub, no corporation or organization in control, and no way for patent and copyright trolls to buy government-sponsored tollbooths.

Number three, JD absolutely needs to immediately post a privacy policy, even if it is a work in progress. Privacy and users controlling their own data is part of Diaspora’s “USP” (unique selling point), as your introductory college marketing class will tell you about. Without a privacy policy and TOS (terms of service) policy on JD, many who would otherwise be willing to help out are avoiding not just JD, but all Diaspora pods.

Number four, DStar must take action to place JD on a sound financial footing. I see two ways to do this: (1) advertising, and (2) subscriptions. Most likely, both will be needed.

Analytics: Nearly every site uses some sort of analytics, if only to help with allocation of server resources and deploying anti-spam and anti-cracking defenses. I imagine that some idea of what features are used and in which sequence they get used is going to strongly influence which features get the most developer attention, also. JD should implement a solution like Piwik, until effective analytics can be integrated into the Diaspora software as a plugin. Without analytics, JD will have no way to know how to adjust the appearance and operation site to enable it to become profitable.

Advertising: Although Google’s adsense is said to be the more profitable ad network, there is absolutely no way that JD can use it. JD is going to have to build its own ad network (using OpenX or a similar application) or contract another ad network to service the site. However this is done, ads shown on JD need to respect its users’ privacy and the integrity of the Diaspora experience. This means no expanders, none of those popups when you roll over text, no “please view this ad while the page loads”, and positively no “you were discussing cats so we’ll show an ad for XYZ cat food”.

Subscriptions: Subscriptions are an excellent way to pay for some of the costs of operation. Subscription-only would chase away those who cannot afford it, or those who object to paid-only sites. Subscriptions as a “see fewer ads, subscribe” would be the best option.

I would like to encourage DStar to get in touch with Automattic, which is thriving with a similar business and funding model to the one which the various Diaspora entities will need to adopt in order to keep themselves going.

Number five, the various entities mentioned above that are individually and collectively known as ‘Diaspora’ need to be transparent. We know that the developers need to eat, drink, commute, sleep, and do all the other things that any other human needs to do. We know that DStar and any other legal entities need to have a space they operate out of. We know that operating high-traffic servers is expensive. We also know that no one involved in Diaspora is getting rich or trying to put something over on us.

So I would hope that DStar and all other legal entities, along with JD and other major pods, will make it a point to be transparent about what their needs are and what resources are available. Perhaps in doing so, people like me, who really want to see them succeed in producing a viable alternative to centralized networks, will find ways to help them do so.

Please be aware that this is not meant in any way to trash-talk anyone involved in Diaspora. It is meant to spur others to think about the financial needs of developing code full-time and of running large, resource-intensive pods, and to persuade them to be supportive of the people behind Diaspora as JD and other large pods move to find the revenues they need to continue operating.


Tuesday, 2012-January-03 at 05:55 6 comments

Thinking About Independence Day


I am in mid-America right on Independence Day. Some Californians would think negatively about this. I find that Kansas and its nearby states are full of people who are much like the people in LoCal (both areas lack the arrogant self-righteousness that is often found in “coasties” and especially in NorCal residents). In either place, people are not aware of the extent to which corporations have gained control over our lives and our political processes. Further, they lack awareness of just how important copyrights, patents, and proprietary software are to the corporate puppetmasters who are rapidly enslaving us.

Let me make it clear. The new corporate slave-masters are not concerned about your sex (“plumbing”) or gender (how you perceive yourself), or ancestry or ethnic background, except to the extent that they can use that to deprive you of legal leverage. Thanks to a recent court ruling, these things matter even less. Boilerplate language that deprives you of the ability to use the legal system again powerful corporations is now inviolable.

In this time, it is even more important to help awaken US-ians to the need to sacrifice if necessary, but by all means start to deprive the copyright cartels, mobile telephone network operators, cable television operators, broadcasters, and large proprietary software companies of financial resources. I intend to become more active here and elsewhere with long-form writings to inform, persuade, and propel people to use freedom-respecting / freedom-preserving software (open source / free software) to produce their own original, remixable media.

Finally, let us no longer be captivated by the conjoined twin political parties (Republican & Democratic parties). Neither one is for you and I instead of for-profit & non-profit organizations. Neither one is on our side.

Monday, 2011-July-04 at 19:59

Social Networking Vulnerable, Federate It To Protect It, Part 3

This is part of a continuing series. Parts 1 and 2 have already been written and posted. (NOTE: links point to Amplify, but this series also appears on Tumblr, Posterous, Xanga, Typepad, and WordPress.)

It is difficult to observe the events that have occurred recently (and are still occurring as of this date) in the Middle East without recognizing that social networking sites such as Twitter and Facebook can be used to organize protests and other political activity. If the cause attracts sufficient interest and enough people believe the cause is urgent, those protests can topple governments.

Social networking is a tool that can be used to organize and coordinate the activities of large numbers of individuals. Whether your cause is toppling dictatorships or removing genetically-altered organisms from the food supply, these tools may be helpful to you.

But that comes at a price. We saw the wikileaks site chased off of its cloud-hosting service and we saw its payment processors sever their ties. We saw Tunisia blocking access to Twitter and Facebook. We saw Egypt cut off Internet traffic with the rest of the world (something which may have also occurred in Libya). Those who are in control can take action to prevent protesters from accessing any particular site or they can shut down the entire Internet.

Federation is a necessary mechanism to help prevent such blocking. It has limits, to be sure. When a nation’s Internet carriers shut down border gateway protocol with the rest of the world, nothing we can do will allow us to regain connectivity outside the country. When a nation’s Internet service providers completely shut down Internet access, even sites inside the country will be unreachable.

What federation provides is the first level of target dispersion. If 50% or more of protest organization takes place on Twitter and Facebook, blocking those two sites might possibly be enough to disrupt your group’s activities. If, on the other hand, you are using multiple sites which are members of federated networks, it is not as easy to disrupt your group. Recognize that federation is only the first step toward resilient networks.

Over time, we will have to evolve our networks to be resilient against the kinds of attacks we have recently seen in Tunisia, Egypt, Libya, Iran, China, and other countries. This is true whether your group seeks a political goal or not.

We must, however, start by moving much of our social networking activities to federated sites like Friendika (demo site at, Diaspora (official alpha site at and other sites at and, and StatusNet (main site at see also here).

It isn’t that centralized sites like Twitter and Facebook are evil. It is that they are an easy chokepoint for those whose agendas conflict with yours. If your small business threatens the dominance of a large and wealthy corporation, watch out. There will be ample incentive for some kind activity meant to disrupt your ability to organize and coordinate the group’s activities. If centralized sites like Twitter and Facebook are the hubs of your internal communications, they will find ways to bring it down.

If your group’s agenda threatens the agenda of some political group, there will be ample incentive for some kind of action meant to disrupt your ability to organize and coordinate your group’s activities.

Again, I cannot stress this enough: recent news out of the Middle East says that any activities that threaten someone powerful could lead to blocking access to sites, attempts to break into accounts (for impersonation and destroying reputations or as a way to prevent opposition from coalescing into an effective foe), or even nuking the entire Internet within a country or a part of a country. And since powerful corporations have the ear of politicians, it does not have to be a political issue.

In fact, that is the more important factor. Perhaps you wish to advocate on the behalf of farmers, particularly organic farmers, against corporations that sell gene-modified seed to neighboring farmers, then sue the organic farmers when the modified genes bleed over into their fields. Do not let yourself be fooled into thinking that you can’t be targeted by these same tactics. You don’t have to be against the government to become a target.

If your group’s organization and coordination activities are based around the use of a centralized service, you need to make sure to move most of your actions to a federated service such as Friendika or Diaspora, RStatus, or StatusNet. Now, don’t just move everything to another brand of central hub. Group members should use various sites that are members of the federated web, so that $BIG_COMPETITOR can’t stop your activities simply by preventing access to one or two sites.

Diverse networks of sites which all follow the same basic set of functionality (including common protocol suites, for the technically inclined) are harder to successfully target. StatusNet and RStatus, for example, both aim to fully support the OStatus protocol suite. This means that you can install StatusNet on commodity hosting and I can install RStatus on my laptop, and users of each system should be able to subscribe to updates from the other system.

There is much to do beyond federation. The entire Internet is designed more for efficiency than for resistance to these kinds of attacks. As more and more of our personal, business, financial, political, and governmental communications move online, we must pay even more attention to these unresolved issues. However, it starts with federation, encryption, and peer-to-peer. We will discuss more of these issues later in this series.

Tuesday, 2011-April-19 at 03:43

Social Networking Vulnerable, Federate It To Protect It (Part 2)

As we saw in Part 1, the information you share on social networking sites is vulnerable because they are subject to closure at any time. Site closure is not the only way your data can be lost leaked.

When you sign up for a service, somebody is paying rent on a building, paying electricity to run a server, paying staff members, and paying for network service. As much as you may like to think that random companies like you so much that they provide all these things for free, that is really not the case. They are seeking to get paid by someone for something.

Many sites are partially or entirely advertising-supported. This means that you are bait to enable them to catch advertising sponsors. Several years ago, this meant that they had to use pop-ups, pop-unders, and other unsavory techniques to try and divert your attention from the content that brought you to the site. In exchange, these advertisers would pay the site money.

These days, advertisers want personal information to enable them to “target” their ads at groups to which you belong, in an effort to make you more likely to buy their products and services. Facebook is willing to help application developers access users’ names, usernames, genders, addresses and mobile phone numbers. (While this is a particularly egregious example, Facebook is not the only one doing such things).

It is important to understand that if you don’t have a financial relationship with the company offering the service, you are not their customer. You are merely the bait they use to catch their customers.

Now let us think about some scenarios.

  • The DeLorean Scenario: Person decides to start an ad-supported social network. Service never gains enough users to produce enough ad revenue, so person resorts to “desperate measures” in order to keep the doors open a little longer. In this case, person sells access to the user database. Ooh. Now “Scumbag Collectors LLC” starts calling you because someone you went to high school with owed their client some money.
  • The Leaker Scenario: Something you said angers rich and politically-connected people. Suddenly, your accounts at big, centralized social networking services are cancelled, and you have no access to your pictures or other data which you had uploaded.
  • The Cracker Scenario: That big social networking site suffers a security breach. They gain your information, including a password which you use for your e-mail and three other social networking sites and your bank. Before you know it, your money is gone and images of you are edited to show you performing disgusting acts with farm animals before being re-uploaded to your sites.
  • Shameful Scenario: The service chooses to accept advertising from companies, organizations, and causes you personally find distasteful. People who visit your online profile are greeted by extremist group recruitment ads featuring video of group members telling why non-members’ lives have no value to them.
  • Monopoly Scenario: The company behind the site makes so much money from ads that they stop responding to the needs of site users at all. However, your online data and veryone you know is on that site.
  • DMCA Scenario: Something you post brings a charge of copyright violation. Rather than allowing you to prove that someone else’s copyright is not being violated, the site decides to cancel your account.
  • What each of these scenarios have in common is centralization. Centralization makes social networks vulnerable, more vulnerable than they would be otherwise. With centralization comes unequal power. With centralization, $BIGNETWORK can treat you any way they choose when everyone you communicate uses that network and only that network. With centralization comes the need for big data centers, big expensive data centers, with plenty of ad revenue to pay for them. With centralization comes the overpaid CEO who somehow believes he/she “deserves” to earn millions of dollars per year while the site which is paying that salary is unmaintained for years at a time.

    Lesson number two: With centralization, especially where you have no financial relationship with the company providing the central site, comes all sorts of abusive activities. With centralization, one company has its hands on the collective throats of its users’ social networking activities. Unless you pay for the site, you’re not a customer, and the company that owns the site will likely have no loyalty to you, nor much of an urgency to solve any situations you find problematic.

    Keep a watch on the things that are being done by the social networking sites you use. Try to be ready to jump off of those which are provided to you without charge in order to protect yourself from the anti-user activities such sites often engage in.

Monday, 2011-January-17 at 03:34 1 comment

Social Networking Vulnerable, Federate It To Protect It (Part 1)

Social networking is the big thing these days. What happened to face-to-face interaction, people ask. As employers demand more and more of our time, as we increase the physical distance between where we live and where other people who are or have been important in our lives live, as we disconnect from the landline telephone system and broadcast television (replacing them with mobile phones and Internet-enabled communications devices), it is only natural that we would grab onto something that allows us to continue our existing relationships and to build new ones. Now, we have to understand that–as currently structured–the social web is extremely vulnerable, being in the almost sole control of a small number of vendors, including Facebook and its fading rivals MySpace and Bebo; Twitter and its weaker rivals Jaiku and Plurk; the for-sale or soon-closing Delicious and its rivals Diigo and already-closed Magnolia; the not-closing-yet Flickr and its rival Zooomr; Digg and its competitor Reddit; and even blogging sites (, TypePad, LiveJournal, Xanga). As was already the case with Pownce (a “better” Twitter which was purchased and closed) and (Ma)Gnolia and which will soon be the case with Yahoo! Video, those who post data to any centralized service are subject to losing that data when the service closes. If the service is sold or taken over, the new owners may have a completely different privacy policy than the original owners–your writings and photos may suddenly wind up being distributed and used without you having any say in the matter.

As any economics student can tell you, monopolies and oligopolies, once they form, are not concerned about you and your needs at all. Your cable company is not concerned about making you happy, but with preventing you from purchasing services from others which they can sell to you instead (for a small added fee, of course).

It does not have to be closing, nor being bought out. Users of Brightkite’s status updates and location services found they had mere days to try and retrieve their data before the service wiped the data from their old services as it transitioned to a “group texting” service. In fact, users who used external services or clients to post were caught off guard when they were no longer able to post.

Lesson number one. Every service is subject to closure, even those run by the largest companies in the business. As we go on in this series, we’ll talk about how to reduce the impact you experience from any particular service’s closure. For now, just think about all the information you have posted to MySpace, Facebook, Twitter, Blogsome, and so on. What happens if a particular service closes before you have had a chance to download your data? What happens if they are taken over by someone who changes the terms of service to give them the right to use or sell your data?

Saturday, 2011-January-15 at 06:31

Older Posts Newer Posts

RSS Unknown Feed

  • An error has occurred; the feed is probably down. Try again later.

RSS Unknown Feed

  • An error has occurred; the feed is probably down. Try again later.

RSS Owner Managed Business


Recent Posts

Blog Stats

  • 587,222 hits



Get every new post delivered to your Inbox.

Join 173 other followers

%d bloggers like this: