We need free and open passwordless login

It’s been a while since Google introduced its passkey login system, with which users don’t need to set and remember passwords in order to log in to their accounts. Now, Google is giving its users the option to switch to passkey-only login for their accounts.

It simply works like this on your mobile phone (which needs biometrics implemented): type your username, pick a passkey, scan your finger/face. I’m not gonna lie, this is absolutely awesome. It’s a wonderful feature which makes logging in and signing up pretty easy and not a pain in the ass.

However, being forced to use biometrics to be able to use this feature is not what many people such as myself would like. I would like to be able to set a pattern to log in or type a pin or password on my mobile phone. I don’t like to share or store my biometric data (such as fingerprints and/or face scan) with my mobile phone no matter how safe or privacy-promising they are.

Also, this system is built using proprietary software. The passkey is a certificate that gets stored on your device. Your device shares a signature (not the certificate) with the service you’re signing into to prove you have access to the certificate. But they’re issuing you the cert through their proprietary software.

1Password’s passkey page also has a video saying that passkeys weren’t open enough. The video says, “Today’s solutions don’t deliver on that promise of openness and interoperability. If you create a password on your iPhone or Android device today, it’s pretty much trapped. It’s not easy to share, move it to another platform or sync with your preferred password manager. We can do better. And that’s why we’re excited to show you what the future could look like, if passwordless technology were more open.”

The whole passkey system is not something new though. The system works the way many public/private key systems, such as GPG/PGP, work. And our community, which is free and open, can build something like that. I would really like it if I could sign up on services giving them my public PGP key and when I want to sign in, I just sign a random message given to me to prove my identity.

Wouldn’t that be amazing? What I have in mind is simple. When I face a registration form, instead of setting a password or email address, I would like to paste my PGP public key in the form. Then the system saves or remembers the public key and whenever I want to sign in, it generates a random message for me to sign. Then I sign the message using the private key which I have (and only I have access to it) and the system checks if the message is signed by the correct key and if it checks out, it logs me in.
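The sign-in flow described above, sketched in Go as an added example that is not the author's code: Ed25519 from the standard library stands in for a PGP key pair, and `Server`, `NewKey`, `Sign` and the `login|origin|user|nonce` challenge format are assumptions made for the illustration. It goes slightly beyond the post by binding each challenge to an origin and user, expiring it after two minutes, and consuming it on first use so a captured signature cannot be replayed.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// All names here are hypothetical. Ed25519 stands in for the PGP key pair.
var ErrLogin = errors.New("login rejected")

type challenge struct {
	msg     []byte
	expires time.Time
}

// Server stores only public keys. Add a mutex before using it concurrently.
type Server struct {
	origin  string
	keys    map[string]ed25519.PublicKey
	pending map[string]challenge
}

func NewServer(origin string) *Server {
	return &Server{origin, map[string]ed25519.PublicKey{}, map[string]challenge{}}
}

// Register stores a key once; replacing it needs a separate authenticated flow.
func (s *Server) Register(user string, pub ed25519.PublicKey) error {
	if _, taken := s.keys[user]; taken || len(pub) != ed25519.PublicKeySize {
		return errors.New("registration rejected")
	}
	s.keys[user] = pub
	return nil
}

// Challenge issues a random message bound to this origin and user.
func (s *Server) Challenge(user string, now time.Time) ([]byte, error) {
	if _, ok := s.keys[user]; !ok {
		return nil, ErrLogin
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	msg := []byte("login|" + s.origin + "|" + user + "|" + hex.EncodeToString(nonce))
	s.pending[user] = challenge{msg, now.Add(2 * time.Minute)}
	return msg, nil
}

// Verify deletes the challenge before checking it, so each is usable once.
func (s *Server) Verify(user string, sig []byte, now time.Time) error {
	ch, ok := s.pending[user]
	delete(s.pending, user)
	if !ok || now.After(ch.expires) || !ed25519.Verify(s.keys[user], ch.msg, sig) {
		return ErrLogin
	}
	return nil
}

// NewKey runs on the user's device; the private key never leaves it.
func NewKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Sign refuses a challenge that names a different origin than the user expects.
func Sign(priv ed25519.PrivateKey, origin string, msg []byte) ([]byte, error) {
	if !bytes.HasPrefix(msg, []byte("login|"+origin+"|")) {
		return nil, errors.New("challenge names a different origin")
	}
	return ed25519.Sign(priv, msg), nil
}

func main() {
	srv, now := NewServer("https://example.org"), time.Now()
	pub, priv, _ := NewKey()
	_ = srv.Register("alice", pub)
	msg, _ := srv.Challenge("alice", now)
	sig, _ := Sign(priv, "https://example.org", msg)
	fmt.Println(srv.Verify("alice", sig, now), srv.Verify("alice", sig, now))
}
```

The server never holds a secret that can log a user in, and the origin check on the signing side is what stops a look-alike site from relaying a challenge it obtained from the real one.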

Now I know it may sound kind of hard to do or more frustrating than simply typing your password or clicking on your password manager button for it to insert it for you but wouldn’t that be a good signing and logging system to use? Isn’t that more private than what we already have? And it can be synced with whatever device we have or want. We just need to sync our secret keys using infinite libre tools we already have.

And the amazing part is that it can be built using free software only. No proprietary program is needed to implement this and even password managers can implement and use it and it won’t be limited to any kind of operating system or computer.

What I’m proposing may not be perfect or even easy for many users but I’m sure it can be improved and it’ll work way better for everyone and it won’t be limited to big tech to decide who and how people can use it. If you have any idea or suggestion about this please inform me or, better, publish a blog or a social network post and send me the link so we can discuss it.

And if there’s a legal thing behind using ideas or anything, I have not read or heard a similar idea so if you thought or have written about this before I did, I’m sorry. If you want to build a system based on my idea, you won’t need any permission so just go ahead. Although I would be happy if you inform me so I know somebody is working on something like this.

Free software, free society, in practice

It’s been hard times for Internet and my people. Internet situation is getting worse every day and people are facing more shutdowns and censorship. These shutdowns are not even reported because the regime is switching its form of censorship from a blacklist type to a whitelist type.

It means that every site and service is blocked by default unless it’s whitelisted. This way the regime can still claim the internet is working while also denying access and preventing people from using a service.

However, people are still resisting this. Using free (libre) tools and services, many are helping others to gain access to free Internet. I now see people providing VPNs to each other. These VPNs are created using open protocols and free (libre) programs. Young and inexperienced people are now trying to learn more about how networks work and they are teaching each other about these so more and more people can access free Internet.

I see people brag about how they’re using open source software and they are very happy about beauty of it. The same people who were denied access to services because of sanctions or even censorship now are building their own tools.

I try to teach them about the philosophy of free software and the movement behind it and how they are basically advocating for the same principles I fight for and I see the pride in their eyes.

I, now, am seeing the motto of our movement. I now see “free software, free society” in practice and I see it with my own eyes how free software, its philosophy, and programs built under free licenses are actually working and taken in action to help people fight for their rights and freedom and let me tell you something, I’ve never been more proud of myself and every single person in this community.

This is our work in practice. This is what we’ve been telling people all these years in action. This is thousands (if not millions) of people actually using and advocating for free software in order to fight tyranny and in order to achieve and live in a free society. Every time we advocated for software freedom, every time we refused to use a proprietary software, every single one of our actions has been resulting and leading us to this.

It’s such a beautiful time for our movement and you probably didn’t know about this. This may be happening, and I believe it’s happening, every day somewhere and we don’t notice it but we should be very proud. I know it’s there, I know it’s happening, and I am proud. You should be too.

I’m NOT changing my license!

I was reading Zen Habits and it made me think about changing my blog’s license to public domain and I was going to do it. But I thought about it and I thought about it hard and I realized then I might change the license of any code or program I wrote to public domain as well, and it felt wrong.

I’m a free software person. I care about software freedom and that’s why I advocate for GNU GPL family of licenses. GNU GPL license makes sure that you have freedom to do anything with your copy but you have to keep it free. If I truly advocate for freedom, I think I wouldn’t want my piece of software to become proprietary. And I thought the same argument goes for other forms of published work.

I want people to be able to do whatever they want with my published works, and I sometimes don’t even care if they give me credit, but the difference my Creative Commons license makes is that it requires people to keep the work under the same license. They can do whatever they want, even profit from it financially, but they don’t have the right to limit other people from freedoms they were given to.

The GNU GPL family of licenses do the same. If you publish your code or program under the GPL, the users will be entitled to the four essential freedoms but they won’t be able to make the software proprietary. If you license your work under BSDs or Expat, you’ll give the user right to prevent other people from benefiting of the same rights you gave the user.

I care about freedom. Free culture is as important to me as free software but also as much as I advocate for copyleft in software, I advocate for it in other forms of publications. I believe the right to freedom in any matter should not be put in hands of someone else thus someone should not be able to restrict other people from the freedoms they are benefiting from.

If I was given the freedom to walk in a beach, I shouldn’t be able to build walls and restrict others from enjoying the beach. I was given the freedom to speak, then I shouldn’t be able to restrict other people from speaking. That’s how copyleft works. You’re enjoying your freedoms thus you can’t limit others. You can share what you have if you want only if you spread the freedom you were given.

The purpose of AI

About a year ago when we talked about artificial intelligence and machine learning, what we meant was a machine getting used to some routines or somehow understanding an algorithm and order of matters happening so it can respond in a certain way. That may sound complicated but in comparison to what we are experiencing right now, it’s quite simple.

What we have right now is marvelous and very much advanced. Of course it will improve day to day and maybe another year from now what we currently have may seem even stupid but we got to compare it to what we had before to see how much progress we made.

However, the real purpose of AI and the path we’re going is not exactly what I believe we had in mind when we first started working on it. We built artificial intelligence to make our lives easier so we can be able to focus on what truly matters to us as human race. I believe when we started the machines and when we first started to replace part of the labor and work with automatons what we had in mind was to finally replace humans with machines not in what we enjoyed doing but in what we believed is exploiting our essence.

Today, with all the improved codes and computers running AI, we are forgetting what we had in mind when we first started. We are now experimenting with artificial intelligence that writes essays and articles for us. We are experimenting to hand over what we were pleased to do to a robot. Writing an article had a purpose of sharing ideas and teaching people of a point of view. Now we are training robots to prove points for us, like if we’re in a war.

We are not all internet trolls who are fighting and trying to win an argument at all costs. We are people of reason and intellectual who have good will and intentions in our souls and bodies, so we don’t need a robot to write an article on our behalf and prove, in any way, that our point is valid. What is the point of that article if it prevents us from thinking?

We are now experimenting robots and so-called intelligence that is creating art for us. Art used to be an escape for us humans. It was a form of creation that made us feel needed, made us feel empowered, it gives us a way to invent a new reality for ourselves in which everything’s placed according our will and ideas. And the satisfaction was not from the result or what others would see, it was from the work we put in it and every detail that we thought about and cared deeply with passion to create a thing with our bare hands.

Now there’s a robot that will learn from what others have created and you just tell it to create a portrait of unicorn with purple scary eyes and it will give it to you in few seconds. Where is the fun? Where is the satisfaction? Who is the real artist here? Is it you? Is it the robot? Is it the creator of the robot? Or is it the actual creators of portraits that the machine learnt from them?

Machines were supposed to write our emails and clean our houses and run our factories and bring us food so we can focus on art and philosophy and everything else we enjoyed. We are going to the wrong end on the wrong road. We weren’t supposed to create machines that mass produce art so we can focus on labor, it was quite the opposite.

I believe it is wrong and it should be prohibited. We all have seen movies like Matrix in which machines finally enslave the human race and force us to do the labor but what we’re doing now is to do it voluntarily. We were frightened that machines some day can think for themselves and purge us all or force us to give up on what we truly loved and now we are happily training them to do what we love and replace us where we love to be and force us to where we always hated.

This article could be produced with an AI. I just needed to write a question that “how modern AI will act like Matrix and replace us from creators of art and put us to labor instead?” and it would most probably write the same arguments. It’s nice because then I could argue that even the machines know it but happily machines don’t think.

They don’t think so they should not be put in a position to decide for an important matter. Happily, we’re not there yet but we have started to put them in an important place to think instead of us and replace us in where I consider one of the most important aspects of humanity which is art.

Instead of developing intelligence to create art, we should use this intelligence to better our farming and food producing and solve human crises like hunger, education reform, environmental issues, and freedom-related matters.

I believe that is the true purpose of AI and that is what we need to do.

Aim for freedom tech

While people are still publishing their end-of-the-year lists and new year resolutions, and while people are still debating about whether social networks should provide a safe space or a complete free speech environment, many people around the world are struggling to connect to internet.

The situation in Iran is terrible. Internet is heavily censored and people are facing shutdowns on a daily basis. Almost all popular messengers, including WhatsApp, Telegram, and Signal are blocked and there are reports of instances of federated messengers, such as XMPP and Matrix, being blocked as well.

Almost all popular social networks such as Twitter, Facebook, Instagram, and many instances of Mastodon are blocked and people can’t use them freely. Even if they can use them, their posts may be used as evidence of criminal activity, labeled as “action against national security” or “combat against god” or even “insulting the supreme leader.”

The free VPNs and anti-censorship tools are blocked as well, ironically. No popular VPN is working as intended and people rely on paid domestic VPN providers which on many cases are very dangerous. They either give away users’ data to authorities or are designed as spyware. This leaves people vulnerable to a lot of harm simply for trying to connect to free internet and get free flow of information.

The goal of every developer focused (or even not focused) on human rights should be providing and developing tech that can help people access free internet and information. Anti-censorship tools and new tech that can send and receive data.

One example of this effort is the awesome project of Toosheh. They are a satellite filecasting technology deployed in Iran and the Middle East that use common satellite equipment to deliver digital content without relying on access to the Internet. I have no idea how many people receive information and needed stuff from this project but this is a very useful and helping project.

In recent days, I’ve heard WhatsApp is deploying a feature that lets people connect to the messenger using proxies. This probably is the same effort done by Telegram and Signal. Many people in Iran are using MTProto proxies to be able to connect to Telegram and communicate with each other. Telegram is the second (if not first) most used messenger in Iran. Similar proxy feature was added to Signal but I doubt that many people use it. WhatsApp providing proxies will be very much appreciated by the public as many people rely on WhatsApp to communicate with each other.

As much as I advocate for free (libre) technology and software, in this situation, connecting people is far more important to not only me but everybody who is concerned with the situation we are facing in the country.

If you’re a software/hardware person or a techie, you surely can help developing tools to help people not only in Iran, but every other place or people needing tools to access basic available daily stuff such as a social network or a communication tool or even reading an article and getting information. You can contact your friends discussing the needs and required tools to get started. The simplest act can be running Snowflake extensions and help people connecting to free internet using Tor.

As I said, this is not just a matter of Iran. There are many reports of internet shutdowns or heavy censorship in India, China, countries of Middle East, Cuba, Venezuela, Brazil, and many others. So, please, if you can do something about it, many people will appreciate your efforts.

How does Fediverse work?

As Elon Musk took over Twitter, people are migrating to alternative social networks. One of them being Mastodon, it is a decentralized social network based on a protocol named ActivityPub. This protocol is what Fediverse is built upon.

But we don’t want to talk about the technical stuff behind the Fediverse. What we want to talk about is simply how Fediverse and/or Mastodon work. Mastodon is just a part of Fediverse, not all of it. Fediverse is a word built by mixing the two words of federation and universe.

The Fediverse is a network of connected different social platforms making it possible for users to communicate with each other. For example, they can follow each other or send posts to each other or simply share whatever they want without being forced to sign up on a single centralized social network, or a web site, app, whatsoever.

Mastodon, Pleroma, GNU Social, and Pixelfed are some of these different social networks all connected to each other using the protocol they are built upon. Each of those social networks have many instances or servers. So they are federated with each other and each of those federations are also federated to other federations.

If it’s too complicated for you, imagine earth. We have multiple countries, all having relationships with each other, and within every country, there are many cities which are also connected with each other. Now every city also can connect to another city whether it’s inside the country or outside.

The need for decentralized domain name system is much felt

It’s been a while since I have started thinking, or worrying, about my email security. And since few days ago my PGP key was compromised, I’ve been changing my passwords and emails on sites I’ve been on and I’ve been wondering if my email is secure and stable enough.

The thing about the current email system is it’s easy to take control of it. Many email providers reside inside the United States or where the US government has jurisdiction. Even if they don’t reside where the US government has power, they probably use a domain name which is controlled by American companies.

We know that if the domain name ends in .com or .net, or many other TLDs, it’s seizable by the US government. It means my website can be seized by the US government easily. They don’t even have to communicate with my domain provider, they can simply talk to Verisign (the technical company controlling .com domains) and seize the domain. Same goes for my email provider, Riseup, which has a .net domain.

The stability of the domain names is another problem. Imagine all maintainers, or at least those who control the domain name, get arrested over a request for data of a user, and they remain in jail for enough time for the domain to expire. What would happen then? You can imagine.

I used to use my own domain for my email address. The thing that worried me, and made me change it, was that there’s a chance that I get arrested over my political activism and my domain will be left with no renewal and I eventually will lose it. Or my domain can be seized by cops and they can redirect my mails.

My domain is my identity online. If anything happens to it, I can lose my identity. Whatever I publish on my site is believed to be from me. What I say or publish is exactly like me myself standing somewhere in the city and shouting them to listening people. What happens if an oppressive regime takes control of my domain or site? They can say anything to anyone and pretend it’s me saying them.

People who read me supposedly trust me. One who takes over my domain can misuse their trust in my name.

It wasn’t long ago that the US government seized some Iranian-owned domains, accusing them of spreading misinformation. This power over the web, which is basically impossible to be on without having a domain, is dangerous.

A decentralized domain system, something like what we have with Tor Onion domain services is much needed. An onion address is generated by the site owner using Tor network. It is also only available on the Tor network, nowhere else. So you should configure your system to run Tor or use Tor Browser.

At the time, Riseup’s Tor address is vww6ybal4bd7szmgncyruucpgfkqahzddi37ktceo3ah7ngmcopnpyyd.onion. See how it’s different from the normal Riseup.net we use? The domain extension of it is .onion, which is different from .com or .net, etc. It is automatically generated by the Tor Onion service running on the server Riseup is operating.

The benefit of Onion addresses is that it’s truly decentralized and no entity, not even those behind the Tor software and services, control it. It’s directly from the operators of the specific web site you’re visiting and since you can only visit the web site while you’re running Tor browser or are configured to run Tor network on your system, all data sent and received from that web site is encrypted and anonymous. Using it correctly will make you completely anonymous and tracker-free, the way the web should be.

Also, the decentralized domain system by Tor gives people opportunity to have chance of free speech online, what we’re missing for a long time. It is made possible by special privacy practices done by Tor developers, making it possible to have privacy and security online.

However, it will cost you to run a Tor network and not all server and hosting providers will let you run a Tor network on your space. Many will shut you down if they find out about it and others who don’t are very cautious about what can happen to them (who can blame them?), often easily giving your personal data to authorities when requested (or not?).

I admire the work done by Tor. I think they’ve planted a seed and developed what is the foundation of what we need as a decentralized domain name system. However, it is not enough. A decentralized domain name system should be accessible for everybody. We need something like what we currently have with normal TLDs, but decentralized.

People should be able to simply run their own domain without worrying about any inconsistencies. Without worrying about a provider banning their account for saying what the provider wasn’t pleased to hear. People should be able to have their own domain, and a safe space on web, without worrying about a government being able to seize it.

I don’t know how it can be developed or even what aspects it may have. I’m not sure about technical details of it, and I don’t know how it can affect the web we have today. All I know is that it’s so necessary for the sake of all of us.

Is freedom more important than safety?

Every freedom we surrender is a freedom our children will never know existed. History shows humans are willing to die to gain freedom. For thousands of years, as much as we know about myths and legends of wars, people were willing to fight to death to gain freedom and liberty. Either they liberated themselves from external forces or local dictators, people who fought were seen as heroes and those who surrendered were seen as cowards and unworthy.

Is freedom more important than safety? I believe it doesn’t even depend on what you call safety. I know dictators that will protect their citizens from anything, but no person feels safe. Living in fear of losing everything with a simple mistake is more unsafe situation than fear of losing your life to an army of invaders.

Today, we see Ukrainians fighting against Russian invaders. They are willing to die but not lose their liberty. People in Iran are protesting against violations of their liberty and personal and societal freedoms. Many are killed by the cops. There are thousands of marches and protests in United States every year against tyrannical laws and rules and I’ve seen people arrested, tear gassed, and getting shot for that.

For human beings, life without freedom is not worth living. Safety has become a keyword for tyrants to violate our liberties. By safety, the dictator means “keep being alive” and that’s wrong. Safety has a lot of meanings and is multi-dimensional.

Economical safety, emotional safety, health and environmental safety, humanitarian and freedom safety, and protection against anything that can take these away are kinds of safety a human being needs, and without any of them, you’re not safe.

A right is a right when you have it, if anything can take it away, it’s just a privilege and an illusion. Safety is a keyword for that illusion to make you emotionally prepared to lose your rights. And when you lose any of your rights, any, you’re no longer free.

I am a fan of free software. A software is free when it gives the user the four essential freedoms. The four freedoms are 1) freedom to run the program as you wish, for any purpose; 2) freedom to study how the program works, and change it so it does your computing as you wish; 3) freedom to redistribute copies so you can help others; and 4) freedom to distribute copies of your modified versions to others.

A program is free when it gives you all these freedoms. Even if you lose one of these freedoms, the program is considered proprietary. A proprietary software violates users’ rights. It gives privileges to some people but violates others. That’s wrong.

Now I know many (if not most) free programs are gratis (meaning free of cost) but sometimes having these freedoms costs you money. Sometimes it costs you effort and work, and sometimes it costs you giving up something else, such as comfort of using a nice interface or smooth progress of work on a proprietary program. I am willing to give up that comfort and pay money to have my essential four freedoms. I know a community of very nice and hard-working people who think the same as me on this.

I believe free programs are much more safe than proprietary ones. When a program is free, and lets you express and practice freedoms, it gives you ability to change it so it works and behaves as you wish. If it has security vulnerabilities, you can fix them yourself or hire someone to do it for you. If there’s a backdoor or a violation of privacy, you can close that door and stop the violation. If there’s a behavior you don’t like, you can change it.

You may not want to change anything but the freedoms are still there to assure you one important matter: it’s you who is in control.

A proprietary program doesn’t let you practice your freedoms, therefore you’re reliant on the developer, the master, to grant you what you need.

I believe this effort, to have software freedom, is much similar to life. In life we sometimes need to give up on some comfort to gain freedom and that freedom eventually leads us to a safe society with individual liberties that collectively will create a safe society where there’s comfort and safety.

I believe safety is a result of freedom. Safety without freedom is an illusion, is a violation of whatever humans stood for, for thousands of years. It’s freedom and personal liberties that brings us safety, not vice versa.

Justifying privacy!

Trying to justify the right of privacy is like trying to justify any other human right. They are called rights, not because you need to justify them, but because we came to a consensus that they are integral parts of a working society. The right to privacy is like the right to not being harmed, your right to free speech or right to freedom. All of these are nothing you need to justify in order to acquire them, you innately have them, period.

You may choose not to use them, but you can never use that as grounds to deny them to others. The answer “because I have a right to privacy” is enough to satisfyingly answer the “I have nothing to hide” paradigm; no justification needed for making use of basic human rights.