Loomio
Tue 8 Jan 2019

Trustworthy hosting and instances

Kristian

Arising from a discussion on mastodon: In many situations, moving from centralized silos to federated infrastructure, "end users" are left out in the cold a bit because we're increasingly moving to a situation where (like mastodon, pleroma, XMPP, ...) centralized silos are claimed to be "deprecated" in favor of federating instances. Unfortunately, this doesn't always make things better. In many cases, choosing centralized silos for end users isn't mainly about favoring centralized services but actually needing to choose a "service" that someone runs for them and provides them with, rather than running software entirely on their own (which they in most cases are neither capable of nor desire to do).

How can we make sure this doesn't get "worse" for users? Choosing Facebook, Twitter, ... of course has drawbacks but also certain advantages, such as:
- These are large legal entities, meaning you possibly can meet them on legal ground and try to enforce laws such as GDPR (of course only to some extent, but at least this option is there). Talking about "some instance of some service run by one or two volunteers" pretty much voids this option.
- These are large organizations, too, meaning they have a lot of very skilled and qualified staff to ensure their services are running more or less reliably, safely, stably and available. I'm (professionally) involved with ISO 27k and the whole ISMS stuff, so I have a somewhat reasonable idea of what professional "service management" looks like, also on a team, staffing and process level, including things such as update/patch management, backup, scaling or handling security incidents. In most cases this is a process model way too large, but then how is a decentralized system consisting of instances run by enthusiasts likely to come up to a common reliable quality here? How to make sure there is some handling of security incidents? How to make sure there is an understanding of patch management? How to make sure the admins of the system actually do care about privacy and related issues?

Not sure whether or how this relates here, but I've been recommended to move this discussion off mastodon to here, so I might as well give it a try. Apologies if I'm completely off-track. :)


mfioretti Wed 9 Jan 2019

"In many cases, choosing centralized silos for end users isn't mainly about favoring centralized services but actually needing to choose a "service" that someone runs for them and provides them with, rather than running software entirely on their own (which they in most cases are neither capable of nor desire to do)"

THIS is the crucial issue. Never mind whether you use protocols, frameworks and whatnot. If you don't work from day one to build stuff that REALLY is AVAILABLE-AS-A-SERVICE in the same way a Facebook account is, you aren't doing anything that will make enough of a difference, soon enough to make it. 6+ years of irrelevance of Diaspora and friends, the same years in which Facebook went from 1 to 2 billion users, are there to prove it.

"How can we make sure this doesn't get "worse" for users?"

By providing as a service personal clouds that can be transparently moved from any hosting provider to any other.

I have already elaborated all I could about this in the links below. Start from the parts about providing a service and go backwards, or read from beginning to end, the conclusions don't change:

http://per-cloud.com/percloud-proposal/

http://mfioretti.com/2018/02/calicut-personal-clouds-to-replace-corporate-controlled-platforms/


Steve Phillips / @elimisteve Wed 9 Jan 2019

I think you've hit the nail on the head regarding the problem. Your proposed solution is also good, and I think that people like me -- cypherpunks and sys admins at prominent hackerspaces like Noisebridge -- should be running said infrastructure for the people.

There's also IndieHosters, which I believe is very similar to your idea.

Another way to accomplish all this, which I personally worked on for a while, and which is based on work I presented at DEF CON 23 3.5 years ago: write software that neither we nor end users must run for people. How? By writing apps that use services like Dropbox or Google Drive as a backend through which end-to-end encrypted collaborative app data can sync.

By packing all the functionality into the client (including encryption), users are empowered and the server acts as the dumb pipe that it should. And if users want to store more data than they can get for free, they can pay for more, and everybody's happy.

And if people want to collaborate through some other file syncing service or even their own server, they just move the folder of encrypted files to the new location.

CrypTag enables this possibility: http://github.com/cryptag/cryptag

I will read more about your ideas as well :-).

--Steve Phillips / @elimisteve
http://tryingtobeawesome.com
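The "dumb pipe" architecture Steve describes above (all functionality, encryption included, in the client; Dropbox or Google Drive only ever holding sealed blobs; migration by moving a folder) can be made concrete. The following is an added example written for this thread, not code from CrypTag or from Steve. It assumes a 256-bit key held only on the user's devices, AES-256-GCM for each record, a constructed HMAC-SHA256 file-naming scheme so the provider learns neither record names nor contents, and a local directory standing in for the sync folder.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"os"
	"path/filepath"
)

// NewKey returns a fresh 256-bit AES key; it lives only on the user's devices.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts and authenticates plaintext with AES-256-GCM and returns
// nonce || ciphertext || tag, drawing a fresh random nonce per record.
func Seal(key, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal. Any change to the blob (by the provider, in transit or on
// disk) fails the GCM tag check and yields an error rather than bad data.
func Open(key, blob []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(blob) < n {
		return nil, fmt.Errorf("blob too short (%d bytes)", len(blob))
	}
	return aead.Open(nil, blob[:n], blob[n:], nil)
}

// recordPath derives an opaque file name from the record name with HMAC-SHA256
// under the client key (constructed scheme for this illustration, not CrypTag's).
func recordPath(dir string, key []byte, name string) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(name))
	return filepath.Join(dir, hex.EncodeToString(mac.Sum(nil)[:16])+".enc")
}

// StoreRecord encrypts plaintext and writes it into the sync folder.
func StoreRecord(dir string, key []byte, name string, plaintext []byte) error {
	blob, err := Seal(key, plaintext)
	if err != nil {
		return err
	}
	return os.WriteFile(recordPath(dir, key, name), blob, 0o600)
}

// LoadRecord reads a record from the sync folder, wherever it now lives, and
// decrypts it; moving the folder to another provider changes only dir.
func LoadRecord(dir string, key []byte, name string) ([]byte, error) {
	blob, err := os.ReadFile(recordPath(dir, key, name))
	if err != nil {
		return nil, err
	}
	return Open(key, blob)
}

func main() {
	key, _ := NewKey()
	base, _ := os.MkdirTemp("", "dumb-pipe-demo")
	defer os.RemoveAll(base)
	folder := filepath.Join(base, "Dropbox") // constructed stand-in for a sync folder
	_ = os.Mkdir(folder, 0o700)
	// constructed app data; the provider only ever sees the sealed blob
	_ = StoreRecord(folder, key, "shopping-list", []byte("constructed sample: milk, eggs"))
	moved := filepath.Join(base, "OtherProvider")
	_ = os.Rename(folder, moved) // "switch providers" by moving the folder as-is
	got, err := LoadRecord(moved, key, "shopping-list")
	fmt.Printf("after moving folders: %q (err=%v)\n", got, err)
}
```

Moving the folder is the whole migration, and because GCM authenticates every record, a provider that alters a blob causes a decryption error instead of silently corrupted data. What the pattern does not hide is metadata (number of records, their sizes and write times), and the client key is now the single thing whose loss means losing the data, so key backup and device custody become the real operational question.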


Steve Phillips / @elimisteve Wed 9 Jan 2019

Another solution architecture is to let people host everything they need on their phones, which is getting more and more viable every day as smartphones get more capable.

Orbot (Tor daemon packaged for Android, basically) now lets you host a Tor hidden service on your phone!... sort of. It lets you expose a local TCP port as a hidden service.

I have built Go binaries for ARM and hosted websites that way. We could build such things for users where all they must do is install something once, and they can then host all kinds of things on the only device anyone has that is online 24/7 and that they (mostly) trust -- their phones.

This could be paired with running something like ngrok rather than (or in addition to) Tor/Orbot so that more normal-looking domain names could be used, though then someone would need to run those servers.

I think we have more viable architectures to solve these problems than we tend to think!

--Steve


mfioretti Thu 10 Jan 2019

Hello Steve, and thanks for your interest in my proposals. Here are some comments on both your replies:

  1. Please blog about/reshare the links with my proposals as much as you can. I have said countless times that of course I would like to be one of those paid to implement them, but what matters is that whoever can do it just goes ahead and does it, giving credit where credit is due.
  2. yes, organizations like IndieHosters would be ideal providers of personal clouds as I propose them
  3. what matters is that the whole thing is packaged and provisioned to be movable from provider to provider without loss or interruption of service, except a few minutes, or even hours, offline when the transfer happens. But for this to happen, since it includes "links to posts, pictures etc... remain valid", the whole thing must include provisioning and DNS handling of a unique domain name chosen by the user.
  4. wrt the specific protocols, software libraries etc..: as long as it is 100% free-as-in-freedom, license-wise, and looks and feels from the outside as I already described... I couldn't care less whether it's done with cryptag or linguini Alfredo. In my writings I specifically mention stuff like nextcloud, postfix, pubsubhub... but only as examples, or samples of what I would test first, if I were paid to do this.
  5. last but not least. Basically I agree with everything you wrote, except one thing: I am firmly convinced that "let people host everything they need on their phones" is a terrible, terrible idea. Hosting on your phone the VERY, VERY FEW data and software you actually need to be surely accessible non-stop, even when you are offline (be it a picture of your fiancee, the draft of your next novel, or a GPS application)... sure, OK. Ditto if you propose "this thing should be able to run also on a smartphone"

But running my blogging or email server, or just hosting all my decades of photographs, text documents, tax returns, whatever... on something that may be stolen, fried by coffee spills or run out of battery at any moment? No way. We are talking of something that should quickly scale to billions of users (otherwise it is as useless as a cellphone working on non-standard frequencies). Including minors, rural people with very unreliable electricity, people living off ~300 USD/month...

Having this kind of stuff run on smartphones as the default way is very, very bad at at least three fundamental levels:

  1. security and service availability, see above
  2. costs. Server-hosted software = I can buy the cheapest smartphone I find
  3. environmental impact. Everyone running their cloud on their phone, instead of one real, highly optimized data center rack(s) every 10K users = global consumption of energy and raw materials orders of magnitude bigger than it can and must be. We already made that mistake with bitcoin. No, thanks

Steve Phillips / @elimisteve Thu 10 Jan 2019

Hi there,

I am firmly convinced that “let people host everything they need on their phones” is a terrible, terrible idea. Hosting on your phone the VERY, VERY FEW data and software you actually need to be surely accessible non-stop, even when you are offline (be it a picture of your fiancee, the draft of your next novel, or a GPS application)… sure, OK.

That is what I'm talking about. You are focused on the use case of "how can I store my entire life's data on some server that someone else runs for me but yet is very secure," not me. CrypTag + Dropbox can achieve this, but if we're talking about running services that run what we normally think of as server software on trusted devices, smartphones will be an excellent choice, though it'd be nice to have better battery life and lower latency than we do now. This is coming.

We are talking of something that should quickly scale to billions of users (otherwise is as useless as a cellphone working on non-standard frequencies). Including minors, rural people with very unreliable electricity, people living off ~300 USD/month…

Smartphones have already quickly scaled to billions of users.

Having this kind of stuff run on smartphones as the default way is very, very bad at at least three fundamental levels:

  • security and service availability, see above
  • costs. Server-hosted software = I can buy the cheapest smartphone I find
  • environmental impact. Everyone running their cloud on their phone, instead of one real, highly optimized data center rack(s) every 10K users = global consumption of energy and raw materials orders of magnitude bigger than it can and must be. We already made that mistake with bitcoin. No, thanks

  1. Running services on a device you always have with you is much more secure than having some random company or nonprofit running them.

  2. Even homeless people have smartphones, but do not have servers. Therefore this is the cheapest option, so an objection based on cost doesn't make sense.

  3. Accusing me of suggesting a solution that is as environmentally destructive as Bitcoin when it clearly is not is a gross exaggeration that I do not appreciate. Everyone's phone is on 24/7 as-is, and the additional compute needed to provide the basic things that most people need is pretty close to zero. Not needing servers in the first place could end up saving electricity compared to using already-always-on devices (namely our smartphones).

Your reply came off as an overly-aggressive rant. Please avoid this in the future.

--Steve


mfioretti Fri 11 Jan 2019

Hello @elimisteve ,

you had written “let people host everything they need on their phones”

It is evident from your reply that we were starting, and are still focused, on different meanings, or use cases, of "everything". This led to a misunderstanding, which at least in part seems to persist.

My previous and current comments about energy/environmental impact refer to my use case only (http://per-cloud.com, which for simplicity's sake, is an always-on equivalent combination of gmail+dropbox+facebook+wordpress.com+rss aggregator, packaged and provisioned for individual use, as one portable VPS/container with a permanent domain name). More clearly, they do not automatically criticize or attack your arguments, they simply do not overlap, in my opinion. I am very sorry that they ended up seeming a personal accusation.

Back to my scenario/use case: in general, I believe that the next generations of smartphones should be less powerful than the current ones, not more, for a whole bunch of reasons unrelated to this discussion. But sticking to the personal cloud servers, the materials/power consumption of the single phone is just a part of the picture. Something like that must be always connected, not just always on. Running hundreds of millions of web, email and other servers over mobile connections, with any decent reliability, means ubiquitous 5G = huge infrastructure still to be built. This is why I still consider the running of billions of complete personal clouds on smartphones a huge waste, that we should do as much as we can to avoid. That's it, really. And again, please note that nothing of this prevents or criticizes the implementation of the other scenario, the one you are focused on.

About the other side, i.e. security. You write:

"Running services on a device you always have with you is much more
secure than having some random company or nonprofit running them"

1) running services on something that could be stolen every moment, or cracked because I forgot to update some software, seems much less secure than having professionals, competing in a really open market, host the same services

2) In principle, I do agree with you, but this is a world of millions of people still using 123456 or similar as passwords. IF those people (=the overwhelming majority) cared about your arguments, we'd all have been using PGP on email for decades now. What I care about is giving them an alternative their brain can accept, as soon as possible. Proposing it on servers first is also immensely easier to maintain. Only a few configurations of servers, instead of many more variants of android, ios and maybe others, each with uncontrollable update schedules