Self-Hosting Email is Possible

I have self-hosted for well over 20 years. I did not throw in the towel and I do not plan to. Self-hosting is a sign of pride. Neither my government nor my Prime Minister nor even my Ministry of Interior or Foreign Ministry can host their own email.

Last time I checked, only State Security self-hosted.

I was probably lucky, but I rarely had delivery problems. The last one was a couple years ago with Microsoft swallowing my emails and it was due to the combination of a fairly old exim and a TLS certificate verification quirk at *.protection.outlook.com. I found a fix in the form of a configuration option somewhere on SO.

In all fairness, there is very little maintenance involved, and whenever I have to do maintenance work, I take the opportunity to learn something new. Like this year, I decided to finally replace my aging Debian jessie setup with Arch Linux, and I rewrote all cron jobs as systemd timers.

I must admit that when I send a really important email, I check the mail server log to see if it went off without errors, but this does not bother me as checking logs manually once in a while is a good thing anyway.

Lastly, a piece of advice: treat self-hosting like a hobby and learn to enjoy it.

Oh and the very last thing: the person who designed Exim configuration for Debian deserves a special place in hell for all the hours wasted. If you set up Exim on Debian, just figure out how to use the upstream exim config and adapt it to your needs.

Rentio sucks for renters and divides the society

I had to use Rentio as a renter of an apartment, and the experience was so humiliating that the only way I can regain my human dignity is by writing about it.

Renters usually experience it via the website mytenantprofile.be or its French or Dutch counterparts, where one can book a visit to an apartment or make an application to the landlord. The first sign of trouble ahead is that the website pushes the renter to provide the identity of the previous landlord, while this should rather be discouraged, if only for privacy reasons. But the real problems start when renters apply to multiple agencies.

The website does not make it clear, but it saves the first application and reuses it for the next. I have not found a way to adapt my profile to the second application, so I clicked the link to delete my profile, waited, then tried to create my profile anew just to be greeted with the message "Perfect, you have already used our service. We can reuse your data" and then when I try to reset my password via SMS, it announces "Too many requests generic error message" and an invitation to contact the support by email. I believe they break a few laws by not deleting my personal data and our Data Protection Authority should look closely into them, but I will follow this up in a different story.

Luckily, I had the phone number of the realtor, so I could call her, explain the problem and submit my application via email while waiting for Rentio support to fix my login issue.

Flow is Considered Harmful

One of the most popular psychology books among Software Engineers is Flow by Mihaly Csikszentmihalyi. I have always been fascinated by how we perceive flow as a desired state of mind that has to be entered into and exploited for one's own good.

Ancient programmers tried to control the flow via practices like Pair Programming or Agile. Today, these practices are largely forgotten and I wonder what the reason is. Is it the rise of individualism or weak markets or high costs? I do not know. But I know that everyone has their own flow and each flow has its own quirks, and this is why it's so difficult to change someone else's code.

My way is to understand the quirks of my flow and to communicate it so that others can effectively adapt:

  1. my flow is slow, with pauses, interruptions and long nights
  2. my flow is low-level, I prefer JDBC over JPA and JavaScript over Angular
  3. my flow is compact, I write as little code as possible, and this is probably due to the old carpal syndrome that I cured but which still makes long typing sessions psychologically uncomfortable
  4. my flow is sticking to old ideas, circling back to #1, interruptions are a natural way for me to look at my work from a different angle.

The imminent death of HTTP/1.1 and its risks are not fully understood

Let's Encrypt had an outage today, and websites started disappearing off the web, progressively. It serves 60% of websites in the world. No wonder the world noticed.

And if you think we can still deploy HTTP websites, you are wrong, because browsers:

  • show any website served over HTTP as explicitly not secure in the address bar.
  • limit many web APIs to "secure" contexts
  • upgrade mixed-content so that HTTPS sites cannot request HTTP-only resources
  • increasingly attempt HTTPS to a site first even if linked/typed as HTTP
  • warn about downloads over HTTP...

Moreover, browsers will continue to phase out insecure HTTP over time.

But it does not stop there. HTTP/1.1 is on the verge of extinction.

According to Cloudflare Radar, HTTP/1.1 usage is below 10%, and since HTTP/2 and HTTP/3 have TLS baked into the specifications, chances of quickly falling back to unencrypted HTTP connections are slim.

The last stab in the back is the HTTP/1.1 desync attacks joyfully popularized by James Kettle at DEF CON and Black Hat conferences.

HTTP/1.1 is dying and the decentralized nature of the web is dying with it.

Loss of Digital Sovereignty via Multi-Factor Authentication

One of the nefarious aspects of Multi-Factor Authentication that I have not mentioned in my previous post on the subject is the risk of losing Digital Sovereignty.

Authentication via a login and a password is well understood and is usually implemented within existing software. On the other hand, Multi-Factor Authentication is often implemented via US-based third parties: Google, Facebook, GitHub, LinkedIn, etc.

Countries cannot implement Multi-Factor Authentication for their citizens themselves either. Case in point is Belgium, with the national service that provides authentication services relying on US-based COTS software for most of its functionality.

There's a simple way to enforce Digital Sovereignty. Digital Services should be legally coerced to enable user login via a single string, akin to an API key already used by many services.

We all know that login/password combos are flawed, as users tend to choose weak passwords. For a lay person, the combination of a unique login and a weak password is enough to differentiate them from all other users. They do not know about rainbow tables nor multi-site attacks.

That same lay person presented with the need to have a single string as authentication key will ponder seriously on its length and randomness.

That string will not be called a password but something else, be it passkey or key or passphrase, with a whole new world of assumptions and software helpers to generate such strings and store them securely in key managers.

Looking for a European alternative to GitHub? Look no further than Git itself

Here's the step-by-step guide.

Change directory to the local git repository that you want to share with friends and colleagues and do a bare clone:

    git clone --bare . /tmp/repo.git

You just created a copy of the .git folder without all the checked out files.

Upload /tmp/repo.git to your Linux server over ssh. Don't have one? Just order a tiny cloud server from Hetzner. You can place your git repository anywhere, but the best way is to put it in a separate folder, e.g. /var/git. The command would look like scp -r /tmp/repo.git me@server:/var/git/.

To share the repository with others, create a group, e.g.

    groupadd --users me git

You will be able to add more users to the group with groupmod.

Your git repository is now writable only by me. To make it writable by the git group, you have to change the group on all files in the repository to git with chgrp -R git /var/git/repo.git and enable the group write bit on them with chmod -R g+w /var/git/repo.git.

This fixes the shared access for existing files. For new files, we have to make sure the group write bit is always on by changing UMASK from 022 to 002 in /etc/login.defs.

There is one more trick. From now on, all new files and folders in /var/git will be created with the user's primary group. We could change users to have git as the primary group.
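
The ownership and permission state these steps aim for can be checked with a short audit script. This is an added example, not part of the original post: the function names are hypothetical, and the setgid-directory check is an addition the post does not mention (a setgid directory makes new entries inherit the directory's group).

```shell
#!/bin/sh
# Added example (not from the original post): audit a shared bare repository.
# Usage: audit_shared_repo /var/git/repo.git git
# Prints one line per finding; returns 0 if clean, 1 if any check fails.

# report LABEL FIND-ARGS...: print each path find matches, prefixed by LABEL.
# Fails closed: if find itself errors (e.g. unknown group), report a failure.
report() {
    label=$1; shift
    hits=$(find "$@" -print) || { echo "$label: find failed" >&2; return 1; }
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits" | sed "s|^|$label: |"
    return 1
}

audit_shared_repo() {
    repo=$1 group=$2 rc=0
    [ -d "$repo" ] || { echo "not a directory: $repo" >&2; return 2; }

    # Outcome of "chgrp -R": every file and directory belongs to the group.
    report "wrong group" "$repo" \( -type f -o -type d \) ! -group "$group" || rc=1

    # Outcome of "chmod -R g+w": group members must be able to create entries.
    # Only directories are checked, because git writes new object files
    # read-only, so a freshly pushed object would otherwise be flagged.
    report "dir not group-writable" "$repo" -type d ! -perm -020 || rc=1

    # Group write must not have turned into world write.
    report "world-writable" "$repo" \( -type f -o -type d \) -perm -002 || rc=1

    # Addition, not from the post: setgid directories keep new files in the
    # shared group even when the pusher's primary group is something else.
    report "dir without setgid" "$repo" -type d ! -perm -2000 || rc=1

    return "$rc"
}
```

Run it on the server after each change to group membership or umask, for example `audit_shared_repo /var/git/repo.git git`; every printed line names a path that still needs attention.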


The Hobbyist Internet is the Amateur Radio of XXI century

Amateur radio thrives as a niche hobby. Clubs are active and while the average age of radio amateurs is well over 60, there is a steady stream of newcomers. States and international organizations recognize the importance of nourishing amateur radio communities and there are endless possibilities to excel in this space.

In contrast, no one yet cares about the possible demise of the hobbyist internet. It all started with phasing out HTTP in favour of HTTPS for good reasons: ISPs and network providers in some places of the world were injecting ads into HTTP pages. Big content providers and the general public wanted to stop that. They could have gone the legislative route but a technical solution to force all websites to use HTTPS was easier to implement. It was enough for Google to hint that it would penalize HTTP websites relative to HTTPS ones in search results, and everyone started to happily switch over to HTTPS.

Things did not stop there, though.

Browsers show content served over HTTP as not secure, making HTTPS the "default" and HTTP the visibly dangerous option; they limit many web APIs to sites served over HTTPS; they block or upgrade mixed-content by default (HTTPS sites cannot request HTTP-only resources anymore); they require HTTPS for HTTP/2 and HTTP/3; they increasingly attempt HTTPS to a site first even if linked or typed as HTTP; they warn about downloads over HTTP; and they're continuing to ratchet up such measures over time.

Lately, WhatsApp completely stopped opening HTTP URLs.

This is an old fart's rant but it is nonetheless true.


European IT industry can be revived only via regulation

Case in point: euro-stack.eu that promotes European software using... wait a minute...

  1. A wordpress.com-based website hosted in California by the US company Automattic
  2. Fronted by Cloudflare, a US monopoly (this is probably part of wordpress.com paid subscription)
  3. Edits its letter to the EU Commission asking to support European IT industry in Microsoft Word.
  4. Converts it to PDF with Adobe software

For all steps of the process, there are either Free or European alternatives; it just requires some extra work to find them and get used to them. European techies crave to get rid of US dominance and will help for free if only asked politely.


The pointless churn of SHA1 deprecation

In a recent interview, Linus Torvalds expressed regret about the pointless churn of SHA1 deprecation and this immediately reminded me of a similar, although much smaller pointless churn.

There was once a company-wide ban on SHA1, so a developer replaced SHA1 with SHA256 in a Hashcash implementation in one of the projects... without thinking of the negative side effects:

  1. Hashcash became ~1.5..2 times slower
  2. Third-party tooling could not be used anymore

The project uses this half-assed Hashcash implementation even today.

P.S. In case it is not clear, SHA1 was "broken" by generating two PDFs with identical SHA1 hashes but different content by adding random binary data to them. This is why the "attackers" used PDF and not C or Java code in the first place. And when they say broken, they mean that the SHA1 collision was generated 100,000 times faster than it should be, but it still took quite a lot of computing and coding.

While there have been better SHA1 attacks since Google's, they are mostly impractical due to collision detection built into git for a long time already.
