VSCodium

Visual Studio Code is a fantastic editor, and that is remarkable because it is built on Electron. The uptake and plugin ecosystem is what makes even staunch Emacs users switch allegiance, according to Hacker News threads. It has stuff that even Sublime doesn’t have (and Kate certainly doesn’t), such as the fantastic todo-tree plugin, which does almost what I already did in a terminal (grep for TODO), but also shows it in a pane and lets me quickly navigate to the right line in the file: todo-tree. Oh so simple compared to, for instance, Eclipse’s built-in todo management…

Now, the dirty secret is that the VSCode builds are not open source, but proprietary builds with loads of tracking and analytics built in. SAD! From the title of this post you probably feel what’s coming: VSCodium. Although you still must use the preferences to disable tracking, at least you are now using an open source community build. Linux and Mac builds only, but a friendly guy named Timothy D. Jewell provides Windows builds for those that need them right here. Enjoy your freedom and great plugins!

Kafka

How to read Kafka, part 1. Indeed. I don’t have the time, patience or drive to read all through the modern thinkers. But I do have the time to wish I could read and study them. There exist these books that summarize them, and although I was told these books are for cheaters, I don’t think that is true: I must not be the only person with limited time for a serious study of Kafka who is nevertheless interested in the precise origins of the ‘kafkaesque’, so, if you can accept that the thinking is done for you (one hopes these summaries are largely consensus-based), then why not?

Above a summary of a few of Kafka’s works. I really like how he sees how rationalism is no guarantee for better results. Being aware of our human nature is essential for any improvement (The Burrow) and we must be aware that old structures can be identical to new ones without us realizing (The Castle). Good stuff, even if it is a summary!

PGP 4

This is part 4 of this series in which I describe my experiences of setting up PGP for myself and my significant other, as a test and a way to in fact email about our bank robberies and so on.

So nothing has changed much since the last episode. An important thing I misunderstood before I now correctly understand: the use of signing messages. Encryption means only the person with the right private key can read it. It does not however ensure anything about the author, which is handled by signatures. So, end-to-end PGP encryption requires both, because without a signature anyone could have written the message. I missed this nuance, which I now think is not really nuanced, when I read K9mail’s PGP considerations a while back. Signing and encryption are two different things, and for privacy the latter is most important.

I realized this because there are two mailbox hosters that offer the user to upload their public key, with which they’ll then encrypt all incoming mail. If you believe the hoster’s claim that they discard the plain-text versions, you have a fully encrypted IMAP server that only you can read, and no subpoena, government request or hack will reveal a single thing. Since this is obviously not end-to-end encryption, I invented the need for signatures and then slapped my forehead realizing that obviously that is what signing messages is for. Even though I say this every now and then, I must now say it to myself: it is extremely unlikely you’re the first with that idea…

Posteo and Mailbox.org are the two hosters offering public key PGP encryption. I thought this is rather elegant, because it avoids lock-in to a silo like Protonmail or Tutanota since it is fully compatible with existing PGP tools. Hope more mailboxes will follow.
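To make the signing-versus-encryption point concrete, here is an added example (not code from this post, and not PGP or GnuPG) that plays out the hoster scenario with textbook RSA over two tiny, constructed prime pairs: Alice’s public key lets anyone, the hoster included, encrypt to her, so a decrypted message says nothing about its author until a signature made with Bob’s private key is checked. The names Alice and Bob, the keys and the messages are all constructed; the arithmetic is unpadded and the moduli are only about 60 bits, so it illustrates the concept and is not a usable cipher.

```python
"""Encryption vs. signing, illustrated with textbook RSA (added example)."""
import hashlib

E = 65537   # public exponent; coprime to (p-1)(q-1) for the constructed primes below


def keygen(p, q):
    """Return (public, private) textbook-RSA keys for primes p and q."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))     # modular inverse, Python 3.8+
    return (n, E), (n, d)


def encrypt(pub, m):
    """Anyone holding the public key can do this: no secret is involved."""
    n, e = pub
    assert 0 <= m < n, "message must fit below the modulus"
    return pow(m, e, n)


def decrypt(priv, c):
    n, d = priv
    return pow(c, d, n)


def digest(msg, n):
    """SHA-256 of the message, reduced modulo n so it lies in the RSA group."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def sign(priv, msg):
    """Only the holder of the private key can produce this value."""
    n, d = priv
    return pow(digest(msg, n), d, n)


def verify(pub, msg, sig):
    n, e = pub
    return pow(sig, e, n) == digest(msg, n)


def mail(sender_priv, recipient_pub, msg, signed):
    """Build an 'email': ciphertext for the recipient plus an optional signature.

    msg is at most 7 bytes so it fits under the 60-bit toy moduli.
    """
    m = int.from_bytes(msg, "big")
    sig = sign(sender_priv, msg) if signed else None
    return encrypt(recipient_pub, m), sig


def read(recipient_priv, claimed_sender_pub, envelope):
    """Decrypt, then report whether the claimed sender is backed by a signature."""
    cipher, sig = envelope
    m = decrypt(recipient_priv, cipher)
    msg = m.to_bytes((m.bit_length() + 7) // 8, "big")
    authenticated = sig is not None and verify(claimed_sender_pub, msg, sig)
    return msg, authenticated


def demo():
    """Play out three cases of the hoster scenario; returns (message, authenticated) pairs."""
    # Constructed key material: well-known primes, so the moduli are ~60 bits.
    alice_pub, alice_priv = keygen(1_000_000_007, 1_000_000_009)
    bob_pub, bob_priv = keygen(2_147_483_647, 998_244_353)
    results = []
    # 1. Bob encrypts to Alice and signs: Alice can verify who wrote it.
    results.append(read(alice_priv, bob_pub, mail(bob_priv, alice_pub, b"pay 10", signed=True)))
    # 2. The hoster (anyone with Alice's public key) encrypts an unsigned message
    #    that claims to come from Bob: it decrypts fine, but nothing backs the claim.
    results.append(read(alice_priv, bob_pub, mail(None, alice_pub, b"pay 99", signed=False)))
    # 3. A signature does not transfer: Bob's genuine signature over "pay 10",
    #    attached to a ciphertext of "pay 99", fails verification.
    cipher, _ = mail(None, alice_pub, b"pay 99", signed=False)
    results.append(read(alice_priv, bob_pub, (cipher, sign(bob_priv, b"pay 10"))))
    return results


if __name__ == "__main__":
    for msg, ok in demo():
        print(msg, "authenticated" if ok else "NOT authenticated")
```

The third case is why the signature has to cover the content: a mailbox that encrypts incoming mail on your behalf adds confidentiality at rest, but it cannot add the authenticity that only the sender’s private key can provide.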

50+

On GoT, a little chart that every pensioner should see: the net benefit of the Dutch social system per year of birth.

I’m down in the dumps 😢

PGP drie

In earlier posts I describe how I have set up GPG on Kmail and K9mail. I discovered that Kleopatra is included in gpg4win, and yesterday I used it to import my keys and successfully set up Thunderbird/Enigmail this way. I also discovered that Mailvelope, the browser plugin which allows you to use PGP in webmail, seems to use openpgp.js, and does not in fact require any extra client, which is of course superior UX to the whole daemon/manager/client thing that you do for desktop software. Encryption should be a library! I wrote “seems to”, because the Mailvelope website does not mention it uses openpgp.js.

Strangely, Enigmail’s documentation is quite clear and recommends gpg4win, but according to a message on Debian bugs it does include openpgp.js. Can you still follow? I certainly don’t!

Also, I discovered that although K9mail “improved” its UX as to how the status of encryption is shown, it sometimes shows a non-green lock icon with a cross, which is not on that website explaining the new icons! Tapping the icon gives the cryptic (haha!) message that the message is encrypted but not end to end (how is that even possible?). Checking these mails with Kmail shows these messages are encrypted but not signed (why is that even possible?), which is not the same as not encrypted, and not explained anywhere in K9mail’s UI or docs… Man o man…

Enfin! I set PGP up on a variety of clients and operating systems, for me and my partner, and I am happy it’s all good now. I know now how the mail concepts work, how to configure some mainstream clients, and I can now send and receive encrypted messages! I will agree with any and all UX critiques of PGP though: it leaves something to be desired.

You may find my public key on various keyservers and also right here: pgp_pub.asc.

PGP twee

In an earlier post I tried setting up Autocrypt and detailed the process for my own reference, but also in the unwarranted hope it might add a usable anecdote to how the procedure of setting up email encryption is prohibitively complex. Today I retried, with success. To be precise, this time I did not set up Autocrypt, but just PGP. I decided Kmail was a more pleasant (and fast) email client, but it does not support Autocrypt. Incidentally, Kmail, together with Kontact, is a quite comprehensive PIM package, supporting things like CardDAV/CalDAV in addition to mail. It even syncs calendar task lists. It is however slightly laborious to set up, not in the least because of the (I might not even be exaggerating) millions of settings. In that maze of settings, of course PGP was not missing, tempting me into retrying once again to set things up.

Kmail uses the Kleopatra tool to manage your gpg server/client/daemon. Get it? For reasons I don’t quite grasp, gpg, an implementation of PGP, works as a background process continuously running and ‘managing’ your keys. That means you import keys into it, be they your private keys or others’ public keys. I do not know if it is responsible for keyserver lookups, but I guess any process can retrieve public keys itself and then simply add them to gpg. Kleopatra is a tool to manage gpg, so it can create new keypairs and import keys through a GUI. Incidentally, the gpg4win distribution includes Kleopatra, so this very straightforward tool is not limited to Linux, and as Thunderbird (the Enigmail plugin rather) actually downloads gpg4win for you when setting up, perhaps the bug detailed in that earlier post can be worked around by using Kleopatra instead of that procedure. Todo later.

Kleopatra does not offer to generate a revocation certificate, but the help details how to generate one:

gpg --output revocation_certificate.asc --gen-revoke your_key

Unfortunately, gpg asks you to give reasons for your revocation, suggesting you are revoking the key straight away. I think it is not actually doing that (after all, the command generates the revocation certificate and saves it to a file). Confusing UI!

Once I generated my key with Kleopatra, it offered to submit it. After giving no feedback for about 30 seconds, a message popped up that it had failed, and it included the http://keys.gnupg.net keyserver in its message. Double-checking on their website, an account seems to be required, for which Kleopatra appears to have no UI. Also, it shows my old key as revoked, while as far as I know that key was never submitted here. So perhaps keyservers sync keys between them? Or the GUI failures on key submission detailed in the earlier posts are even graver than I then described. Meanwhile, I have submitted my key by hand to <//pgp.mit.edu> and <//keyserver.ubuntu.com>. The former, after a few time-outs, now shows my key, but the latter does not, and allows me to resubmit, indicating a problem.

While not smooth, things are set up and I sent myself an encrypted message successfully, so anyone may now look up my key on <//pgp.mit.edu> and <//keyserver.ubuntu.com>, and send me your top secret stuff! What’s left is to instruct K9 to use my key and to perhaps retry Thunderbird, but using Kleopatra as a workaround for the bug.
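Since a key fetched from a keyserver may be revoked (as the lookup above showed for the old key), whatever a lookup returns should be checked for its flags before it is used. The following is an added example, not code from this post, GnuPG or any keyserver: it builds the machine-readable HKP index URL that keyservers such as keyserver.ubuntu.com answer (/pks/lookup?op=index&options=mr) and parses the colon-separated ‘info’, ‘pub’ and ‘uid’ lines defined in the HKP draft (draft-shaw-openpgp-hkp-00), dropping keys flagged revoked (r), disabled (d) or expired (e), or past their expiry date. The sample response, the key IDs and the address in it are constructed placeholders.

```python
"""Parse an HKP machine-readable key index and keep only usable keys (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional
from urllib.parse import quote, unquote

# Constructed sample of an HKP index response: a revoked RSA key (flag 'r') and a
# live EdDSA key that expires in 2030. Key IDs and the address are placeholders.
SAMPLE_INDEX = """\
info:1:2
pub:0123456789ABCDEF0123456789ABCDEF01234567:1:4096:1514764800::r
uid:Example%20User%20%3Cuser%40example.org%3E:1514764800::
pub:FEDCBA9876543210FEDCBA9876543210FEDCBA98:22:256:1530000000:1900000000:
uid:Example%20User%20%3Cuser%40example.org%3E:1530000000::
"""


def lookup_url(server: str, query: str) -> str:
    """Index lookup URL; the query (email, name or 0x key ID) is percent-escaped."""
    return f"https://{server}/pks/lookup?op=index&options=mr&search={quote(query)}"


@dataclass
class Key:
    keyid: str
    algo: int            # OpenPGP algorithm number: 1 = RSA, 17 = DSA, 22 = EdDSA
    bits: int
    created: Optional[datetime]
    expires: Optional[datetime]
    flags: str           # any of r (revoked), d (disabled), e (expired)
    uids: List[str] = field(default_factory=list)

    def usable(self, now: datetime) -> bool:
        """False for revoked, disabled or expired keys, or keys past their expiry."""
        if set(self.flags) & {"r", "d", "e"}:
            return False
        return self.expires is None or now < self.expires


def _ts(value: str) -> Optional[datetime]:
    """HKP dates are seconds since the epoch; an empty field means 'none'."""
    return datetime.fromtimestamp(int(value), tz=timezone.utc) if value else None


def parse_index(text: str) -> List[Key]:
    keys: List[Key] = []
    for line in text.splitlines():
        fields = line.split(":")
        if fields[0] == "pub" and len(fields) >= 7:
            _, keyid, algo, bits, created, expires, flags = fields[:7]
            keys.append(Key(keyid.upper(), int(algo), int(bits),
                            _ts(created), _ts(expires), flags.strip()))
        elif fields[0] == "uid" and len(fields) >= 2 and keys:
            keys[-1].uids.append(unquote(fields[1]))   # uid strings are percent-escaped
        # 'info' lines and unknown line types carry nothing worth acting on
    return keys


def usable_keys(text: str, now: Optional[datetime] = None) -> List[Key]:
    """Keys from an index response that are safe to consider, as of `now`."""
    now = now or datetime.now(timezone.utc)
    return [k for k in parse_index(text) if k.usable(now)]


if __name__ == "__main__":
    print(lookup_url("keyserver.ubuntu.com", "user@example.org"))
    for k in usable_keys(SAMPLE_INDEX):
        print(k.keyid, k.uids)
```

Note that the flags only say what the keyserver knows; a key that passes this filter still has to be verified against the owner (fingerprint out of band, or a trusted signature) before anything is encrypted to it.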

The World Traveller

De Speld makes a joke, but I do know a few of these ‘world travellers’.

From the scratch-off world map on the wall of his studio in Amsterdam, Alex Verkerk has by now scratched open 57 countries. He travels as often as he can, because he wants to see the world. At home in the Netherlands, however, Alex does not set foot outside his home town.

The Wadden Islands, the hunebedden (dolmens), the Veluwe: all gems within two hours’ reach, but Alex has never visited these places. “You know what’s cool? Those centuries-old Buddha statues in Thailand. Or Maya temples. So awesome to be that close to ruins that are a few hundred years old,” says Alex, who has never seen a 6000-year-old hunebed.

The Amsterdammer explains why he travels so much. “I’m the kind of person who is interested in other places, who doesn’t always want to stay in the same spot. No, I love visiting special nature areas and seeing historic buildings with my own eyes. And well, for that kind of thing you do have to go far.”

Setting up autocrypt

Today I decided to try to set up Autocrypt for my email address. I use both Thunderbird and K9 email as clients, and both support Autocrypt. The marketing of Autocrypt sounds great: automatic PGP encryption with any contacts that support it. This post documents my effort at setting up the clients so far. Neither client offers something like a ‘set up Autocrypt’ button, so I reckon setting up PGP first will unlock some options regarding Autocrypt.

Thunderbird Enigmail

  • After installing the addon, it offers to install gnupg4win (this is on Windows) and I did.
  • Continue with Enigmail setup (standard): a key is already present (how it got there: not stated).
  • If you select this key (which I assumed either Enigmail or the GnuPG installer must have generated as an attempt to improve the UX for newbies), the next dialog requests a passphrase to protect the key.
  • The following dialog generates a key anyway, so I am still unclear what the initially present key was. Perhaps it was an ‘identity’ (name + email address combo to which PGP keys are linked).
  • Then you can save the revocation key (it is not explained how that is different from the private key, which is not explained either, nor is it explained whether or not that revocation key file will be protected by the passphrase entered previously).
  • Windows Firewall pops up with dirmngr.exe wanting access. No publisher, no other info. It’s 2018, your installer can add firewall rules just like in Linux, people.
  • The last dialog of the wizard reports success, but there is no option to close or otherwise end Enigmail setup. Closing the window gives a ‘do you want to abort’ modal. The dialog contains a link to more documentation (<https://ww.enigmail.net/documentation>) but clicking it pops up a window with a ‘Server not found’ message.

As I can’t seem to continue, I aborted the attempt. I use Thunderbird 60 and the latest versions of GNU Privacy Guard and Enigmail available as of today.

K9

Setting up on K9 was not hassle-free either.

  • The configuration page just says no providers are present, and does not suggest any solutions.
  • The K9 website mentions OpenKeychain. F-Droid has “OpenKeychain: Easy PGP”. Anyone trained to be security-aware flinches here: subtle naming differences are a sure way to end up installing spyware crap on commercial app stores. I took a chance and it is the correct program, but beforehand it is confusing precisely because you have to turn off behaviour that is otherwise essential (here you do have to install the similarly named app).
  • During key generation there was a crash, but the key appears to be there. After trying to delete and revoke, I deduce the key upload probably failed (it is not on , which isn’t listed anywhere either but appears in the error log when you wait a while on the key screen and a key import error appears). Manually checking the keyserver URL revealed that it was down. Fifteen minutes later it was up. There appears to be no way to publish the public key manually.
  • In K9 I set OpenKeychain as the OpenPGP app. No Autocrypt options appeared.
  • Although OpenKeychain asked for contact access, it does not reveal for which contacts keys were found. Also, in K9 there is no feedback beforehand. A contact whom I know has a key published on was listed as not supporting encryption.

Summary

You can feel where this is going: a resounding downvote for the entire process. Although I’d like to believe I’m not clueless, I did not manage to set up PGP email encryption, and I do blame the software for being obtuse. I suppose it is entirely geared towards people working in organizations (formal or not) already intimately familiar with PGP. I also suppose I must have hit a bug in Thunderbird. The fact that the setup procedure has bugs in both pieces of software does not leave the impression of solidity however, and it feels a lot like the early Linux days, where having the time and skill to troubleshoot was essential and seen as a rite of passage. Today I expect something different, and I now know why PGP has next to no adoption: only those who really care (for either personal safety or authentication reasons) can manage. I am proud to have converted my closest family to Signal, and I chose Autocrypt so that I might have a chance with them too, without forcing them to switch to third party providers (Tutanota, Protonmail, etc.). That is not going to happen however, because this is a process that even I cannot tolerate.

What’s next

Since the third parties mentioned are all siloed and/or require that you trust them because they hold your private keys, I don’t see any good way forward. Custom domains, which I think is an important component to being independently secure, cost money with all of them, and good amounts too. Only Tutanota has a reasonable price of 1 EUR/month where I could hook up my domain and send non-Tutanota contacts links to my encrypted message, which is fine on occasion but untenable as a matter of course.

So, I think I’ll check in on Enigmail with a new release to see if things were fixed. Until then I’ll continue to do what I’ve done so far:

  • Assume email is compromised. Just accept it: even if I am secure, 99% of my contacts will not be, and will use hosters that are not to be trusted.
  • Have a custom domain, so that options remain open.
  • Avoid hosters in US jurisdictions ()
  • Do not use the hoster for email storage, so that data mining or trawling by state actors will turn up little data. That is: I save important emails to disk (which I prefer anyway; I store them in my regular document file hierarchy) and delete email that’s read and has no lasting value (which is nearly all email). Every now and then I clean up by selecting all mail older than N months and deleting it all.
  • Use any of the secure third parties for disposable purposes; they’re better protected than the mainstream options.
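As an added example of the “delete everything older than N months” habit in the list above, here is a small script that is not the post’s own and is independent of any mail client: it walks a local mbox file (export it from the client first), writes every message older than N months to an archive directory as an .eml file before removing it from the mailbox, and keeps undated mail rather than guessing. The three-message mailbox it runs on is constructed inline; the paths and addresses are placeholders.

```python
"""Archive-then-delete old mail in a local mbox (added example)."""
import mailbox
import os
import tempfile
from datetime import datetime, timedelta, timezone
from email.message import EmailMessage
from email.utils import format_datetime, parsedate_to_datetime


def message_is_recent(msg, cutoff):
    """True if the message is newer than cutoff; undated or unparsable mail is kept."""
    date = msg.get("Date")
    if not date:
        return True
    try:
        sent = parsedate_to_datetime(date)
    except (TypeError, ValueError):
        return True
    if sent.tzinfo is None:                 # naive dates are taken as UTC
        sent = sent.replace(tzinfo=timezone.utc)
    return sent >= cutoff


def archive_old_mail(mbox_path, archive_dir, months, now=None):
    """Move messages older than `months` from the mbox into archive_dir/*.eml.

    Returns (archived, kept). The mbox is rewritten without the old mail only
    after every old message has been written to disk, so nothing is lost midway.
    """
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=30 * months)      # months approximated as 30 days
    os.makedirs(archive_dir, exist_ok=True)
    box = mailbox.mbox(mbox_path)
    box.lock()
    try:
        old_keys = [k for k, m in box.items() if not message_is_recent(m, cutoff)]
        for i, k in enumerate(old_keys):
            with open(os.path.join(archive_dir, f"{i:06d}.eml"), "wb") as f:
                f.write(box[k].as_bytes())
        for k in old_keys:
            box.remove(k)
        box.flush()
        kept = len(box)
    finally:
        box.unlock()
        box.close()
    return len(old_keys), kept


def build_sample_mbox(path, now):
    """Write a constructed three-message mbox: two old messages and one recent one."""
    box = mailbox.mbox(path)
    for subject, age_days in (("old 1", 400), ("old 2", 200), ("recent", 10)):
        m = EmailMessage()
        m["From"] = "sender@example.org"       # placeholder addresses
        m["To"] = "me@example.org"
        m["Subject"] = subject
        m["Date"] = format_datetime(now - timedelta(days=age_days))
        m.set_content(f"body of {subject}")
        box.add(m)
    box.flush()
    box.close()


def demo():
    """Run the cleanup on the constructed mailbox with N = 6 months."""
    now = datetime(2020, 1, 1, tzinfo=timezone.utc)
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "inbox.mbox")
        build_sample_mbox(path, now)
        archive = os.path.join(tmp, "archive")
        result = archive_old_mail(path, archive, 6, now=now)
        return result, sorted(os.listdir(archive))


if __name__ == "__main__":
    print(demo())
```

Writing the .eml files first and only then rewriting the mbox keeps the “save to disk, then delete” order the list describes, and the archive directory can live inside the regular document hierarchy.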

Marleen Stikker

The recent Zomergasten interview with Marleen Stikker had more of interest on this subject, but the part prompted by the clip with David Bohm (1:54) went specifically into why ‘social media’ do not lead to constructive and positive communication at all, but to collision and isolation. This is because the technology we call social media crystallizes a bias of its designers: the debate, the dispute. Given this setup, disputing (debating) in little boxes, it is perfectly natural that echo chambers arise and (almost) no productive dialogue takes place. I won’t summarize further what you can see explained better yourself in ten minutes, so everyone go watch!