Xabber now uses Orbot: OTR+Tor

Sunday, November 3, 2013 

As of Sept 30 2013, Xabber added Orbot support. This is a huge win for chat security. (Gibberbot has done this for a long time, but it isn’t as user-friendly or pretty as Xabber and it is hard to convince people to use it).

The combination of Xabber and Orbot solves the three most critical problems in chat privacy: obscuring what you say via message encryption, obscuring who you’re talking to via transport encryption, and obscuring which servers could be subpoenaed for at least the latter via onion routing. OTR solves the first and Tor fixes the last two (SSL solves the middle one too, but while Tor has a fairly secure SSL ciphersuite, who knows what that random SSL-enabled chat server uses: “none?”)

There’s a fly in the ointment of all this crypto: we’ve recently learned a few entirely predictable (and predicted) things about how communications are monitored:

1) All communications are captured and stored indefinitely. Nothing is ephemeral: not a phone conversation, not an email, not the web sites you visit. It is all stored and indexed so that, should somebody sometime in the future decide that your actions are immoral or illegal or insidious or insufficiently respectful, this record may be used to prove your guilt or otherwise tag you for punishment; who knows what clever future algorithms will be used in concert with big data and cloud services to identify and segregate the optimal scapegoat population for whatever political crisis is thus most expediently deflected. Therefore, when you encrypt a conversation it has to be safe not just against current cryptanalytic attacks, but against those that might emerge before the sins of the present are sufficiently in the past to exceed the limitations of whatever entity is enforcing whatever rules. A lifetime is probably a safe bet. YMMV.

2) Those that specialize in snooping at the national scale have tools that aren’t available to the academic community, and there are cryptanalytic attacks of unknown efficacy against some or all of the current cryptographic protocols. I heard someone who should know better pooh-pooh the idea that the NSA might have better cryptographers than the commercial world because the commercial world pays better, as if the obsessive brilliance that defines a world-class cryptographer is motivated by remuneration. Not.

But you can still do better than nothing while understanding that a vulnerability to the NSA isn’t likely to be an issue for many, though if PRISM access is already being disseminated downstream to the DEA, it is only a matter of time before politically affiliated hate groups are trolling emails looking for evidence of moral turpitude with which to tar the unfaithful. Any complacency that might be engendered by not being a terrorist may be short lived. Enjoy it while it lasts.

And thus (assuming you have an Android device) you can download Xabber and Orbot. Xabber supports real OTR, not the fake-we-stole-your-acronym-for-our-marketing-good-luck-suing-us “OTR” that Google hugger-muggers and caromshotts you into believing your chats are ephemeral with (of course they and all their intelligence and commercial data mining partners store your chats, they just make it harder for your SO to read your flirty transgressions). Real OTR is a fairly strong, cryptographically secured protocol that transparently and securely negotiates a cryptographic key to secure each chat, which you never know and which is lost forever when the chat is over. There’s no open community way to recover your chat (that is, the NSA might be able to but we can’t). Sure, your chat partner can screenshot or copy-paste the chat, but if you trust the person you’re chatting with and you aren’t a target of the NSA or DEA, your chat is probably secure.

But there’s still a flaw. You’re probably using Google. So anyone can just go to Google and ask them who you were chatting with, for how long, and about how many words you exchanged. The content is lost, but there’s a lot of meta-data there to play with.

So don’t use gchat if you care about that. It isn’t that hard to set up a chat server.

But maybe you’re a little concerned that your ISP not know who you’re chatting with. Given that your ISP (at the local or national level) might have a Blue Coat device and could easily be man-in-the-middling every user on their network simultaneously, you might have reason to doubt Google’s SSL connection. While OTR still protects the content of your chat, an inexpensive Blue Coat device renders the meta information visible to whoever along your comms path has bought one. This is where Tor comes in. While Google will still know (you’re still using Google even after they lied to you about PRISM and said, in court, that nobody using Gmail has any reasonable expectation of privacy?), your ISP (commercial or national) is going to have a very hard time figuring out that you’re even talking to Google, let alone with whom. Even the fact that you’re using chat is obscured.

So give Xabber a try. Check out Orbot, the effortless way to run it over Tor. And look into alternatives to cloud providers for everything you do.
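To make the per-chat key negotiation described above concrete, here is an added example (not Xabber’s, Orbot’s or any OTR library’s own code) of OTR-style ephemeral key agreement in pure Python. It substitutes X25519 (implemented from RFC 7748) for the finite-field Diffie-Hellman group real OTR uses, derives a fresh key for each chat, and wipes the secret exponents when the chat ends, so the two public values an eavesdropper records cannot be turned back into the key; the `session_key` derivation and `run_chat` helper are this example’s own constructions.

```python
import hashlib
import secrets

P = 2**255 - 19                           # Curve25519 field prime
BASEPOINT = (9).to_bytes(32, "little")    # u = 9, the X25519 generator

def x25519(scalar: bytes, point: bytes) -> bytes:
    """RFC 7748 X25519: clamp the scalar, then run the Montgomery ladder."""
    k = bytearray(scalar)
    k[0] &= 248
    k[31] = (k[31] & 127) | 64
    k = int.from_bytes(k, "little")
    x1 = int.from_bytes(point, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:                          # conditional swap on the key bit
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        da, cb = (x3 - z3) * a % P, (x3 + z3) * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + 121665 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def session_key(my_secret: bytes, their_public: bytes) -> bytes:
    """Per-chat key: hash of the shared point. Never stored, never reused."""
    return hashlib.sha256(b"chat-key" + x25519(my_secret, their_public)).digest()

def run_chat():
    """Both parties derive the same key; the transcript an eavesdropper records
    holds only public values, and both secret exponents are wiped afterwards."""
    a_sec = bytearray(secrets.token_bytes(32))          # fresh for this chat only
    b_sec = bytearray(secrets.token_bytes(32))
    transcript = [x25519(bytes(a_sec), BASEPOINT),      # the two values on the wire
                  x25519(bytes(b_sec), BASEPOINT)]
    a_key = session_key(bytes(a_sec), transcript[1])
    b_key = session_key(bytes(b_sec), transcript[0])
    for s in (a_sec, b_sec):                            # "lost forever when the chat is over"
        s[:] = bytes(32)
    return a_key, b_key, transcript
```

Every run of `run_chat()` yields a different key, which is the forward-secrecy property: a recording of the exchange plus a later compromise of anything that survives the chat gives an attacker nothing to decrypt with.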

Posted at 08:50:47 UTC

Category: FreeBSD, self-publishing, technology

Yahoo account PSA

Sunday, March 17, 2013 


It seems that if you have a Yahoo mail account it either already has been or will soon be hacked. There’s some news out there about this…

Yes, how could you not be sure that when somebody offers to host your personal data for free on their servers that nothing could possib-lie go wrong. Uh, PossibLY go wrong.

Posted at 08:08:01 UTC

Category: politics, self-publishing, technology

You can’t read this at the Westin

Monday, December 26, 2011 

Oddly, this server is blocked by the network at the Westin Grand, Berlin. Everything else seems to work, even (which is blocked by sites that subscribe to the Barracuda filter list, ’cause any site with information on radios is frequented by hackerz). It does not seem to be a national level block as I get plenty of visitors from Germany.

Easy enough to get around by VPN, but odd. Very odd indeed.

Posted at 09:02:40 UTC

Category: hotels, self-publishing, technology, travel

Will G+ Eat RSS, or Insist on Sole Ownership?

Thursday, July 21, 2011 

Weird: I have yet to find a way to import an RSS feed into G+. This is one of those things that significantly undermines Google’s “your data” cred. Anyone know of a way to do it? I haven’t found an “import RSS feed into your feed” option the way Facebook kinda does and the WordPress/Facebook plugin does.

I’m a very strong believer in “he who owns the hardware, owns the data,” so, for example, posting this on G+ means that this text is Google’s (note, this was originally published on G+, then I stole it back!). And since it didn’t originate on my personal wordpress installation (free as in speech, free as in beer) running on my server at home (free as in speech, not absurdly expensive as in cheap beer), it isn’t mine.

My server also runs my mail server, my file server, my web server etc., all from my garage, meaning that’s my data and my hardware and fully protected by law, while any data on Google’s server is effectively shared with every good and bad government in the world and my only legal recourse if it gets hacked or stolen or sold or given away or simply deleted is to… write an angry post on my blog and swear never to trust a cloud service again.

This is, obviously, exactly the same at Facebook and every other cloud service. I use Facebook as a syndication service: I post on my own servers and syndicate via RSS to Facebook, which becomes, in effect, the most frequently used RSS reader, one through which people who haven’t gotten around to blocking me in their streams might find my posts and perhaps occasionally be amused by them. This means I still own my data and my data has no particular dependence on Facebook’s survival.

This post is visible only as long as Google wants it to be.  If Google changes the rules, I lose the data.  OK, I can download it – as long as they choose to let me, but it isn’t my data. When I post on my server then give FaceBook permission to republish the data, I control my data and they get only what I decide to give them. When I post this on Google and then ask “please, sir, may I recover my post for another use?” the power relationship is reversed: Google owns and controls everything and my rights and usage are only what they deign to offer me.

That almost everyone trusts the billionaire playboys who put king sized beds in their 767 party plane as “do no evil” paragons of virtue is odd to me, but nothing better validates Erich Fromm’s thesis than the pseudo-religious idolatry of Google and Apple.  Still, even the True Believers should realize that the founders of these Great Empires are not truly immortal and that even if Google is doing no evil now, it will change hands, and those that inherit every search you’ve ever done, every web page you’ve ever visited, every email you’ve ever sent, every phone call you’ve ever made or received, the audio of every message ever left for you, the GPS traces of every step you’ve ever taken, every text and chat and tweet might think, say, that Doing Good means something different than you think it does.  One should also remember the Socratic Paradox that renders tautological Google’s vaunted motto.

Unfortunately, at least so far, Google won’t let me use G+ to syndicate my data – they insist on owning it and dictating the terms by which I can access it. If I want to syndicate content through my G+ network, it seems I have to fully gift Google that content. I’m hoping there’s a tool to populate my “posts” from RSS so the canonical copy will remain on my server. Because it is the Right Thing To Do.

(Shhhh..  I’m going to copy and paste this into my own wordpress installation, even though I wrote it here on the G+ interface.  They probably won’t send me a DMCA takedown, but I do run the risk that they’ll hit me with a “duplicate content penalty” and set my page rank to 0 thus ensuring nobody ever finds my site again.  Ah, absolute power, so reassuring to remember that it is absolutely incorruptible.)

Posted at 11:47:35 UTC

Category: politics, self-publishing, technology

Finding fun TLDs

Wednesday, September 15, 2010 

URL shortening services have discovered international TLDs because they aren’t as jammed as .com, where every combination of 5 or fewer characters and every word in the English language is registered at a parking site. Some new ones ( have found pretty good short domains.

I found that is a great resource for registering domains around the globe – not only do they let you register all the easy ones in the table below, but they also have a way to register more complicated ones that require in-country support (for a fee).

Then all you need is a wildcard dictionary search and some patience to find a cute short domain. Check out the list below:


Posted at 19:26:50 UTC

Category: self-publishing, technology

WordPress Twitter Integration

Tuesday, May 5, 2009 

I discovered TwitterFeed and I was happy.  It does a nice job of formatting blog entries to tweets.  I set it up then went back to it later after I changed my login for twitter and whoops.  You can only log in with OpenID.

Uh oh.  OpenID. Why?  Why do this?  It is a solution in search of a problem.  It is very clever and worse than useless.  It must be a support nightmare.  So instead of having my browser automagically insert my passwords (and instead of having my browser’s convenient password store “show passwords” option to help me figure out what they are all in one convenient place) I have to remember some random URL from a totally random company I’ve never heard of, do not have any reason to trust, and would never use for anything else.


Security!  Plus they use some idiotic picture picker thing instead of a password.  Why?  Why?

These things are great in theory, but worse than useless in practice.

Time to find another blog->twitter tool.  Hello

Simple username/password login.  Browser remembers it for me.  Sign up once, done.

Of course this makes me enter my username and password for my twitter account, but I’m signing up with hellotxt so I’m already trusting them with a user/pass combination, and at least I know something about them and I’m trading some security for some function, unlike the OpenID provider that’s just creepily asking to be my Big Id Brother to vouch for me when I go to the bar (and what happens when Vidoop’s lights get turned out or the servers fail? No more logins?)

Anyway, hellotxt has a service called hellotxtfeed which uses a feed as input and then, like, syndicates it out to all your hungry fans on every service who are just waiting with bated breath to hear how your most recent poop came out.

In the end though, I prefer having things run on my own servers because even if hellotxt isn’t a single point of failure like Vidoop yearns to be, most “pre-revenue” companies don’t make it.  So I use a nice clean open source solution: Alex King’s excellent TwitterTools plugin.  It has a lot of great features for bidirectional integration between blogs and twitter, including the digest posts it is creating on this site.  The only bug I’ve found is that sometimes seems to reject login.  For me it has just cleared up randomly, so I’m happy enough to assume it is, at least as long as it continues working.

Posted at 01:19:09 UTC