Category Archives: Our world

Posts about different issues in the tech world

Using privacy email aliases providers and not becoming locked-in

Services like Firefox Relay or SimpleLogin can help a lot with your privacy and security posture online. They let you easily give a different email address to each online account you sign up for. This protects you when a given service suffers a breach, because the breach doesn't leak your personal email: only the email address which is unique to that service is leaked. The rest of the online services you use stay protected, since you log in to them with different email addresses.

Unfortunately, there is a price to pay here in terms of being locked in to those services.

What if the service is discontinued or I decide I don’t want to use it anymore?

Nothing lasts forever, and this is true online as well. The reasons that made a service a good choice at some point may no longer hold in the future, or someone else may decide to take down that beloved email aliases service we have used over the years to register accounts on so many sites. Then we are in trouble.

In many services, email addresses are the main identifier for our online identity, so it is important for us to have as much control as possible over their availability. Many online services don't make it easy, or don't even allow you, to change the email address associated with a given account.

If you have the skills and the will to set up and manage your own email server, you can probably overcome these issues by putting the right config in place to forward those per-site emails to your personal email account(s). In that case, congratulations!!! However, for the rest of us who don't want to bother managing email servers, this is my proposal for using those email aliases providers while making sure you keep ultimate control over those online accounts.

Find a provider which supports custom domains

The first step is to find a provider which supports custom domains (e.g. SimpleLogin does). This feature allows those providers to generate email addresses using that custom domain instead of the default ones they provide.

Register a domain to use for these logins

Registering a domain these days is not hard and you can easily get your own domain for under 15€/year, which is a low price to pay for your privacy and online autonomy. Depending on your situation, you may want to pay attention to the jurisdiction of the TLD (e.g. .com, .org, .eu, .cn, etc.) and select the domain accordingly. For similar reasons, you may also want to pay attention to the jurisdiction of the email aliases provider.

Once you have a domain and an account with the email aliases provider, you just need to follow their instructions to configure the custom domain. Usually it is a matter of copying some values the email provider gives you into your domain's DNS records, which you can usually do through the domain registrar's web UI.

What have I gained with this setup?

Now that you are signing up for services with an email address which belongs to a domain you control, if you ever need or want to switch between email aliases providers (or even set up your own email server), the online services where you signed up with those addresses can still reach you through the same email addresses. It is a matter of adjusting the DNS records to work with the new provider.

With this setup you remove the lock-in effect of not having control of the email addresses those email aliases providers offer by default.
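The switch described above comes down to DNS records, so it is worth checking them after a migration. The following is an added example, not part of the original post: it compares a zone snapshot with the records a new provider asks for and reports what is missing or left over. The domain, provider hostnames, record values and zone format are all constructed placeholders, not any real provider's settings.

```python
# Added example: audit mail-related DNS records after switching alias providers.
# Every hostname and record value here is a constructed placeholder.

# Constructed zone snapshot taken mid-migration (format: name TTL class type value).
ZONE = """\
aliases.example. 3600 IN MX 10 mx1.old-provider.example.
aliases.example. 3600 IN MX 10 mx1.new-provider.example.
aliases.example. 3600 IN MX 20 mx2.new-provider.example.
aliases.example. 3600 IN TXT "v=spf1 include:spf.old-provider.example ~all"
aliases.example. 3600 IN TXT "site-verification=constructed-token"
dkim._domainkey.aliases.example. 3600 IN CNAME dkim._domainkey.new-provider.example.
"""

# Records the hypothetical new provider asks you to publish.
REQUIRED = {
    ("aliases.example.", "MX"): {"10 mx1.new-provider.example.",
                                 "20 mx2.new-provider.example."},
    ("aliases.example.", "TXT"): {'"v=spf1 include:spf.new-provider.example ~all"'},
    ("dkim._domainkey.aliases.example.", "CNAME"):
        {"dkim._domainkey.new-provider.example."},
}

def parse_zone(text):
    """Map (owner name, record type) -> set of published values."""
    records = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(";"):
            continue  # skip blanks and zone-file comments
        name, _ttl, _cls, rtype, value = line.split(None, 4)
        records.setdefault((name.lower(), rtype.upper()), set()).add(" ".join(value.split()))
    return records

def audit(zone_text, required):
    """Return sorted (status, name, type, value) findings; empty means clean."""
    published = parse_zone(zone_text)
    findings = []
    for key, wanted in required.items():
        have = published.get(key, set())
        if key[1] == "TXT":
            # Only SPF is provider-managed; leave unrelated TXT records alone.
            have = {v for v in have if v.lower().startswith('"v=spf1')}
        findings += [("missing", *key, v) for v in sorted(wanted - have)]
        # A stale MX still routes mail to the old provider; a stale SPF
        # include still authorises it to send as your domain.
        findings += [("stale", *key, v) for v in sorted(have - wanted)]
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(ZONE, REQUIRED):
        print(*finding)
```

On the constructed snapshot this reports the leftover MX and SPF entries of the old provider and the missing SPF record for the new one; an empty result means the zone matches what the new provider asked for.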

I hope you find this useful.

A proposal to manage your high value keys (including crypto wallet seeds)

BIG DISCLAIMER: This is a post from a software engineer who is interested in the cryptocurrencies area but is not an expert. I am not a cryptographer and the following advice may be inaccurate and even wrong in some important way. Having said that, it is written with the best of intentions and to the best of my knowledge. Comments, suggestions and corrections are welcome.

Cryptocurrencies and other security-oriented distributed systems (PGP key management, SSH keys, SQRL, the KeePassXC password manager, etc.) rely on some sort of secret that users must keep safe and out of the reach of others as the foundation of their security model. As our world increasingly moves towards digital, these keys are becoming more and more valuable and we need to make sure we manage them responsibly.

Over the years, our industry has thrown that responsibility onto users, and then it has asked them to use complex secrets and to change them frequently… This has been a huge industry mistake with obvious consequences; let me provide these two references as examples from a quick search: https://audit.wa.gov.au/reports-and-publications/reports/information-systems-audit-report-2018/audit-findings/ , https://digitalguardian.com/blog/uncovering-password-habits-are-users-password-security-habits-improving-infographic. This post does not come close to fixing this fundamental issue, but hopefully it offers a tool to help manage high-value secrets. E.g. one of these can be the unlocking key for your password manager 😉.

What are the fundamental problems to solve?

  • The human brain is bad at storing many precise pieces of information.
  • Provide a model that can be used to recover the secret in case of emergency (natural disaster, serious injury or even the death of the individual).
  • Individuals must be able to decide exactly who can access the secret and under which circumstances.
  • Being able to operate without relying on any third party. Third parties may break the interfaces over the years or even disappear. They can also limit access to the secret or even become evil and untrustworthy.
  • If possible, it should be based on well-known mechanisms and algorithms which guarantee that the secret can be recovered after years, even if the specific tooling used to create it is lost or no longer works.

A single-purpose ISO to generate Shamir’s scheme secrets

In this post, I want to present my tool to generate Shamir scheme secrets while reducing the risk of them being exposed or hacked. It consists of a single-purpose ISO that you can use to start a VM, or to boot your PC once you burn it onto a CD or a USB stick (preferred option).

Why bother?

In our day-to-day environment, we tend to install a significant amount of software and use it for activities that may have compromised our installation without us even being aware of it. A malicious site may have been able to use a browser vulnerability to implant some malware, for example.

In our digital life, there are specific pieces of information that require very cautious handling. Access to them by malicious actors can result in big inconveniences or even financial losses. Some examples are passphrases you use for encryption, crypto wallet seed phrases, etc.

This tool helps you work in a minimal, ephemeral environment, which is more trustworthy.

Deprecating most of our passwords

I’m happy to introduce you to a new way to do user authentication on the web. Over the years, we techies have been guilty of introducing patterns and technologies that are sound when a system is analysed in isolation, but which don’t work so well when they are adopted at scale. One classic example is the public key infrastructure, where we end up blindly trusting all kinds of entities around the globe. Really, our browsers trust any cert from organizations like this one (I’m not saying they are not trustworthy, just that I have no idea who they are):

A random CA that Firefox trusts by default and that I have no clue about.

A similar situation has happened with usernames and passwords. We’ve spent years looking at our systems and securing them by assuming a user can provide us with some secret piece of information that only she knows. That has been an input to our system; we have taken it for granted and moved on to making the rest of the system secure. We have spent great effort on storing that secret so we can validate it the next time that user comes to us. Then we can go and ask: “Tell me that thing only you and I know so I can verify that you are who you say you are.” If there is a breach in our system and someone else gets to know that piece of secret information, he can fool our system by impersonating our beloved user. What is worse, if our user has used that same secret in other systems, those are compromised as well. Last but not least, our user needs to make sure the device is not compromised, the connection is secure, no one is looking over his shoulder, etc. It is overwhelming.

Their alternative or no alternative

It’s been a long time since I decided to focus this blog on technology issues and I haven’t managed to start posting regularly. I’m sorry for that, but reading and listening to different positions on current net neutrality issues, I felt the need to write down my position on this issue, and it’s a good opportunity to kick off this new stage.

After the small preface, let’s get into today’s topic. When I hear debates about net neutrality, arguments gather around two camps: the big business camp, which argues that it defends net sustainability, and the freedom camp, which argues that the proposed measures effectively kill the Internet as we know it. From my view both arguments are right, but none of the solutions proposed by either camp is valid. What I feel is that the big business camp uses a particular problem around bandwidth usage to change the whole model under which the Internet works, without worrying about (or wanting to) put in place technical solutions to tackle it. The freedom camp doesn’t want to tackle it, as doing so might bring the debate into technical proposals that might look too similar to the big businesses’ ones from a non-technical perspective.