Upgrade to kiln 0.2

2022-01-03 15:56:24 +00:00
parent f6a2f62c92
commit 04ef9421b8
49 changed files with 100 additions and 35 deletions

@@ -0,0 +1,69 @@
---
title: "DNSSEC + DANE: Part 1"
---
## Problem
Communications on the Internet overwhelmingly rely on SSL/TLS for protection.
There are two forms of protection this is meant to provide - from snooping of
traffic, and from impersonation. The first of those gets a lot of attention
but, unless we have the latter as well, an attacker can snoop on your traffic
by performing a man-in-the-middle attack on you with a dodgy certificate:
=> http://falkvinge.net/2013/09/12/the-nsa-and-u-s-congress-has-destroyed-ssl-we-must-rebuild-web-security-from-the-ground-up/
Unfortunately, the current method of providing protection-from-impersonation
is terrible. Traditionally, OS and browser vendors pick a range of root
certificates to bundle with their software - a list that's generally hundreds
of entries long - and everyone trusts that the list is good. Anyone who can
get a certificate into the lists can then sell certificates signed by it to
people who can't (like me, for a start).
They can sell certificates for any domain, for any reason, with any degree of
publicity, transparency or validation; the only recourse vendors have is to
threaten to stop trusting them if the're shown to be issuing certificates that
don't meet some standard or another. If they're compromised and the key for the
root certificate is stolen - as happened in 2011:
=> https://www.eff.org/deeplinks/2011/03/iranian-hackers-obtain-fraudulent-https
Then it's a mad scramble to revoke or blacklist new certificates based on that
stolen information before too much harm is done.
Recently, some vendors - Chrome, for instance - have started introducing
certificate pinning
to restrict the range of CAs that are valid for a particular domain:
=> https://www.imperialviolet.org/2011/05/04/pinning.html
This helps a bit against some attacks on large sites, but isn't much use as a
general solution.
As for the first part - the encryption itself - there's a lot of discussion
right now over which parameters are safe, and which aren't. There's probably
*some* setups that're safe from cryptanalysis - or if not, then we can probably
come up with some. In this area, one more problem we have with the current CA
model is that deploying new types of certificates is a slow process - you have
to wait for a trusted CA to start offering them, before you can use them.
## Solutions
The current system, then, can be summarised as trust silos. The main contender
to replace it is an RFC known as DANE:
=> https://datatracker.ietf.org/doc/rfc6698/
This leverages DNSSEC-signed DNS to publish records that say which certificates
(rather than certificate authorities) are valid for a particular service running
on a domain. As it utilises the DNS, we move from trust silos to hierarchical
trust.
Hierarchical trust is narrower, and so better, but still vulnerable to
compromises of keys not under your control. However, the only other schemes
I'm really aware of at the moment are based on web-of-trust relationships with
offline identity verification. This boils down to everyone manually curating
bookmarks that tell them how much to trust things, and there are still keys
out of your control that, if compromised, break you - you just get to choose
between trust anchors more flexibly than with a hierarchical system. I'm not
convinced the extra effort is worth it, so I've deployed DNSSEC + DANE instead,
and in the next article, I'll go over how I did it.
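Review bot: typo in the paragraph on CA accountability: "if the're shown to be issuing certificates" should read "if they're shown to be issuing certificates". In the same file, "have started introducing" / "certificate pinning" / "to restrict the range of CAs" splits one sentence so that "certificate pinning" sits on a line by itself, unlike the ~80-column wrapping used everywhere else; rejoining it keeps the paragraph consistent with the rest of the source.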

@@ -0,0 +1,405 @@
---
title: "DNSSEC + DANE: Part 2"
---
Assuming you've been convinced that it's a good idea to set up DNSSEC and DANE,
the point of this article is to demonstrate how I did it for my own domain -
the individual steps to get from nothing to valid DANE records weren't very
difficult; just not documented in a recipe-style guide anywhere. Hopefully,
this will help you get set up. I'm using Debian Squeeze or Wheezy throughout,
depending on host, but the instructions should be similar for most Linux
distributions.
## DNSSEC
This is the part that provides the hierarchical trust model, enabling a random
user of your site to trust (more or less, anyway) that when they ask for a
record that tells them which certificates are valid for their site, they
get the same record that you're going to upload later.
### Resolving nameserver
Firstly, the user needs to be able to make DNSSEC-validatable DNS queries to
begin with. This requires that their caching (also known as resolving) nameserver
supports DNSSEC queries. This is easy enough to test:
```
lupine@den:~$ dig +dnssec mozilla.org
; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> +dnssec mozilla.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25143
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 4, ADDITIONAL: 7
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;mozilla.org. IN A
;; ANSWER SECTION:
mozilla.org. 60 IN A 63.245.217.105
mozilla.org. 60 IN RRSIG A 7 2 60 20131013124658 20130913125405 17933 mozilla.org. k2LOpTkl35qIPmFKVQix87mItL2ycPFTymx0yoZoIt+jpsGhEbQWgiiV FXndEwOKap/RsXdHtzWWWI4vcDdQgES0X/XInAxRKTadceapQ34Nyb0w TN9CpYidxpI35MY9cseZVu9eCKXq0M7VxpSBKSHshby2A/hymJntq1lD sSI=
mozilla.org. 60 IN RRSIG A 7 2 60 20131013125201 20130913125405 63920 mozilla.org. N/dNbs71T0oEAJ0ulqeVPg4ty7UwG02QKOFr3tRy0kDpnRsPvIKX8E0e lVxCU/TCEckfS8QQv3JytoOrIwKt/Y1lOI//NuxLIZT8RndMvWaROkrt Ncs3moQAsD6w0sT+Yn7wx1AimVO4udQ8dh3lyYCKHdRq8VfxyK6/5Lws tzQ=
;; AUTHORITY SECTION:
mozilla.org. 60 IN NS ns2.mozilla.org.
mozilla.org. 60 IN NS ns1.mozilla.org.
mozilla.org. 60 IN RRSIG NS 7 2 60 20131013125024 20130913125405 17933 mozilla.org. MlltXDEKazn80b3mMqGSOhCCqeQhuiIsgMXI+kaAABnwXyxzHsli+BEL f1AC3Grog3p9DLtRUPbAm3RWIF6HWgd5gJJ5rcw+50ihWVEwQceWniKD Sl/13G7V8pKR0P4GZjpTg//Go4H6xYZAThhU544zjxis5ytupM+rAW0I +ho=
mozilla.org. 60 IN RRSIG NS 7 2 60 20131013125355 20130913125405 63920 mozilla.org. KnOTFZRq6f3K6wbfa6YMjVROHc6kr+RzvthX531H7AQjejB0yAc6ttyI q9J3u/cDg2sdsmROJ91JXkmU7Kjq+LJKrRedQPwY0xLr57ODK/87D3Kv Z9icf5HxarvdN4FlPb7j/uI8EIN4jKXb08976KtPu7BT+6o+1b+rwUWf Ccc=
;; ADDITIONAL SECTION:
ns1.mozilla.org. 60 IN A 63.245.215.5
ns2.mozilla.org. 60 IN A 63.245.218.7
ns1.mozilla.org. 60 IN RRSIG A 7 3 60 20131013124618 20130913125405 63920 mozilla.org. e1mdvK7ERSuaNIxSf1O+8vyFJWoGBGGPSFt20KLiF+KBU1siDlywTTBr /UT5cNBB4prqcZ0DdFagnmWE2OploEqof0Nl/IiSPwVGy8eGksGmS0Qf zK78emWv4nQmVkiVokcZqIHiAXPxG9ZafJaTo/BGtnThILmatdnk2xuI JdY=
ns1.mozilla.org. 60 IN RRSIG A 7 3 60 20131013125230 20130913125405 17933 mozilla.org. 1wWdtXpmOk9oOwzl8j8Jvz2IyqfVXIMfB9kDRC0AUKQNvUDk85Xp6AfE 2i4vaupFRa5RTKKj4gBTYRqfObhdrJHLNIRx1BMb/mb/B/8IF0HuxXeU IlGU8Wu/GbDHOHrS42Z3i2w9Y+DVUI1JQQlPHapDtD20kzKnClIN9iSa FRo=
ns2.mozilla.org. 60 IN RRSIG A 7 3 60 20131013125059 20130913125405 17933 mozilla.org. WcnS3dw6gQ6gM5dP6tKGK+Gwkd3u8AMco2WCU3WzLoK0ADeJo9qjYGzd pSnJLRRMfiKBeWZJvm6g89sS+gPQh1IlncPp6AaGQdAAyl+OtwIswA/n qPQLlWBdJQrfAnzLKDXbOjTH2K9vXxNSUyAL5QzUgLIAB16oTvREbL42 bIc=
ns2.mozilla.org. 60 IN RRSIG A 7 3 60 20131013125237 20130913125405 63920 mozilla.org. V2xTFK6cG9v+mBKbZP7a5yXFJUaXKAt1qOP0VmHWrP1n5lNfvcOMrKLc g4vpaxdbA0M1B7xMhX4ps2IYljAUZdzkBCMXp+bYKPKXdkxKRmXsnspF 7Fii5N9q7FKyhLEbsW8G9MRTScE0ohu5s8db6hOGmkcbyvZJmk5+R1Qd aAk=
;; Query time: 285 msec
;; SERVER: 213.138.102.177#53(213.138.102.177)
;; WHEN: Sat Sep 14 16:54:58 2013
;; MSG SIZE rcvd: 1492
lupine@den:~$
```
If you see RRSIG records, as above, then you don't need to do anything. If you
don't, then your resolver doesn't support DNSSEC. This is fairly common. As a
first resort, ask your provider (normally your ISP) to fix it. If that doesn't
bear fruit, or if you're impatient, you can install and use the Unbound resolver:
=> http://unbound.net/
I was in the latter situation, and my router happens to run a hacked-up version
of Debian Squeeze, so I installed Unbound on it and configured the DHCP server
to refer to it when configuring clients; so every machine on my home network
now has access to a DNSSEC-capable resolver. You can also install and use it
locally, which might look like this:
```
root@den:~# apt-get install unbound # unbound-anchor # for wheezy
root@den:~# echo "nameserver 127.0.0.1" > /etc/resolv.conf
root@den:~# chattr +i /etc/resolv.conf
```
The resolv.conf file can be managed and altered in a number of ways - I can't
actually recommend altering it to point to the Unbound instance you just
installed and making it immutable. If your desktop environment manages DHCP
for you, then you should investigate options for providing the DNS manually.
Debian also has the `resolveconf` package which would allow you to specify
static fragments to go into resolv.conf. If you're old-fashioned and are
using static configuation + /etc/network/interfaces, then the dns-nameservers
directive will let you specify 127.0.0.1 - your local Unbound instance.
### Browser (and other application) support
Now that you can get DNSSEC records from your resolver, through means fair or
foul, you need client application support. Firefox has a plugin or two that also support DANE:
=> https://os3sec.org/
=> https://www.dnssec-validator.cz/
The equivalent Chrome plugin only supports DNSSEC:
https://chrome.google.com/webstore/detail/dnssec-validator/hpmbmjbcmglolhjdcbicfdhmgmcoeknm
Internet Explorer is probably Right Out, and I have no
idea about Opera, Safari, and the rest. Another option is to install the
Bloodhound browser. Apparently.
=> https://www.dnssec-tools.org/wiki/index.php/Bloodhound
Web browsers aren't the only applications that could make use of DNSSEC and
DANE, of course. Mail and XMPP are two other important protocols; Thunderbird
has no DNSSEC plugin at the moment, as far as I'm aware, and neither does Gajim
or Pidgin. Let me know if you're aware of any replacements that do - there's
obviously work to be done when it comes to client support. The more servers
support DNSSEC, the more pressure there is on client applications to support
it, of course. For now, open this web page on your DNSSEC-capable browser and
ensure that the DNSSEC plugin is happy.
### Domain
Now that you've got a client environment that can handle DNSSEC records, it's
time to look at getting your own domain DNSSEC-signed. I'll be using lupine.me.uk
as an example throughout; you need to pick (or register) a domain from a
DNSSEC-supporting registry:
=> http://dnssec-deployment.org/
You should also ensure that it's with a registrar that allows you to upload
so-called DNSKEY records to that registry. For me, the answers were ".me.uk"
(now ".gs") and "gandi" - they may be different for you.
### Authoritative nameserver
Once you've got your domain, you need to decide how you're going to serve DNS
with it, in general. I was lazy and just set up my DNS server on the same machine
as the website - that's not generally appropriate for production, but a common
deployment is to have a DNS master on the same machine as the website, with
geographically-diverse slave servers doing zone transfers over AXFR. I'll just
look at sorting out one nameserver - a.ns.lupine.me.uk - though.
The best authoritative nameserver - by far - for DNSSEC support is PowerDNS:
=> https://www.powerdns.com/
It handles all the difficult details that, if I'm quite honest, I don't really
understand. Debian Squeeze includes version 2.9, and DNSSEC support comes in
the 3.x series, so I installed the 3.3 static package available on the
website and installed it:
=> https://www.powerdns.com/downloads.html
Wheezy backports, and Debian Jessie, are both easier to deal with.
PowerDNS is fairly configurable, particularly for backends; I used its sqlite3
backend, and setting it up for that looks like this:
```
root@oak:/etc/powerdns/pdns.d# cat 00-sqlite3-backend.conf
launch=gsqlite3
gsqlite3-database=/var/lib/powerdns/pdns.sqlite3
gsqlite3-dnssec=yes
```
The pdns.sqlite3 file is autogenerated when you restart PowerDNS, but it lacks
certain schema elements that are necessary for DNSSEC. You can add them by
running the commands detailed here:
=> http://doc.powerdns.com/html/gsqlite.html#idp36763616
For completeness, they're duplicated below:
```
root@oak:~# sqlite3 /var/lib/powerdns/pdns.sqlite3
sqlite> alter table records add ordername VARCHAR(255);
sqlite> alter table records add auth bool;
sqlite> create index orderindex on records(ordername);
sqlite> create table domainmetadata (
id INTEGER PRIMARY KEY,
domain_id INT NOT NULL,
kind VARCHAR(16) COLLATE NOCASE,
content TEXT
);
sqlite> create index domainmetaidindex on domainmetadata(domain_id);
sqlite> create table cryptokeys (
id INTEGER PRIMARY KEY,
domain_id INT NOT NULL,
flags INT NOT NULL,
active BOOL,
content TEXT
);
sqlite> create index domainidindex on cryptokeys(domain_id);
sqlite> create table tsigkeys (
id INTEGER PRIMARY KEY,
name VARCHAR(255) COLLATE NOCASE,
algorithm VARCHAR(50) COLLATE NOCASE,
secret VARCHAR(255)
);
sqlite> create unique index namealgoindex on tsigkeys(name, algorithm);
```
Now add some ordinary DNS records for PowerDNS to serve:
```
sqlite> insert into domains (name, type) VALUES('lupine.me.uk', 'NATIVE');
sqlite> select id from domains where name = 'lupine.me.uk';
1 # This may be different for you - I set domain_id below to it
# Set your own SOA serial value according to what you prefer
sqlite> insert into records (domain_id, name, type, content, ttl) VALUES(
1, 'lupine.me.uk', 'SOA', 'a.ns.lupine.me.uk nick.lupine.me.uk 1378936223', 3600
);
sqlite> insert into records (domain_id, name, type, content, ttl) VALUES(
1, 'lupine.me.uk', 'NS', 'a.ns.lupine.me.uk', 3600
);
sqlite> insert into records (domain_id, name, type, content, ttl) VALUES(
1, 'a.ns.lupine.me.uk', 'A', '213.138.100.8', 3600
);
sqlite> insert into records (domain_id, name, type, content, ttl) VALUES(
1, 'lupine.me.uk', 'MX', 'lupine.me.uk', 3600
);
sqlite> insert into records (domain_id, name, type, content, ttl) VALUES(
1, 'www.lupine.me.uk', 'CNAME', 'lupine.me.uk', 3600
);
sqlite> insert into records (domain_id, name, type, content, ttl) VALUES(
1, '*.chat.lupine.me.uk', 'CNAME', 'lupine.me.uk', 3600
);
sqlite> insert into records (domain_id, name, type, content, ttl) VALUES(
1, '_xmpp-client._tcp.lupine.me.uk', 'SRV', '0 5222 lupine.me.uk', 3600
);
sqlite> insert into records (domain_id, name, type, content, ttl) VALUES(
1, '_xmpp-server._tcp.lupine.me.uk', 'SRV', '0 5269 lupine.me.uk', 3600
);
```
At this point, the PowerDNS server will respond to DNS requests, but they're
not DNSSEC-signed. Enabling DNSSEC for the domain is as simple as:
```
root@oak:~# pdnssec secure-zone lupine.me.uk
Securing zone with rsasha256 algorithm with default key size
Zone lupine.me.uk secured
root@oak:~# pdnssec set-nsec3 lupine.me.uk
NSEC3 set, please rectify-zone if your backend needs it
root@oak:~# pdnssec rectify-zone lupine.me.uk
Adding NSEC3 hashed ordering information for 'lupine.me.uk'
root@oak:~# pdnssec check-zone lupine.me.uk
Checked 14 records of 'lupine.me.uk', 0 errors, 0 warnings.
root@oak:~# pdnssec show-zone lupine.me.uk
Zone is not presigned
Zone has hashed NSEC3 semantics, configuration: 1 0 1 ab
keys:
ID = 1 (KSK), tag = 7450, algo = 8, bits = 2048 Active: 1 ( RSASHA256 )
KSK DNSKEY = lupine.me.uk IN DNSKEY 257 3 8 [...] ; ( RSASHA256 )
DS = lupine.me.uk IN DS 7450 8 1 [...] ; ( SHA1 digest )
DS = lupine.me.uk IN DS 7450 8 2 [...] ; ( SHA256 digest )
DS = lupine.me.uk IN DS 7450 8 3 [...] ; ( GOST R 34.11-94 digest )
DS = lupine.me.uk IN DS 7450 8 4 [...] ; ( SHA-384 digest )
ID = 2 (ZSK), tag = 15433, algo = 8, bits = 1024 Active: 1 ( RSASHA256 )
root@oak:~#
```
Now we have a signed DNSSEC zone. If you check the SQLite3 database, you'll
see new records have been generated to match the DNSKEY and DS records displayed
by the show-zone command, and the records you've added will have had various
bits of mysterious glue added. The finer points of DNSSEC are still lost on
me, but the important thing to note is that the "KSK DNSKEY" is the important
record that allows the chain of trust to be developed; this record is given
to the upstream zone via your registry (the ".me.uk" zone for me), who sign
it with their key. It is rotated every year or so, and you need to inform
the registry whenever it changes; you can have multiple active ones at once.
PowerDNS has some documentation on key management best practices, but I've
not needed to fuss with any of this, yet.
=> http://doc.powerdns.com/html/dnssec-operational-doctrine.html
So, take your DNSKEY record (or possibly DS record - different registrars
apparently might ask you for different things) and give it to your registrar.
Gandi has a neat "Enable DNSSEC" form you can use; others may vary.
Once they have the record, you're ready to change the nameservers for the
domain to point to the DNS server you've just set up. I did this in gandi's
panel, and additional hoops I needed to jump through (because the nameserver
was in the lupine.me.uk zone) included notifying Nominet of the "a.ns.lupine.me.uk"
name, as well as notifying them of the "glue" between the name and its IP
addresses. This varies quite considerably by registry and registrar, so I'll
leave it as an exercise to the reader.
## DANE
Now that we have a DNSSEC-signed zone, we can add records to it, as defined by
RFC 6698. Unless someone is able to compromise the DNS trust anchor, your
registry's keys, or your keys, anyone looking these records up can be confident
that they are the ones you uploaded.
### Getting a certificate
If you already have a self-signed or CA-issued certificate that you intend to
use, then great. If not, you can either buy one from a CA, or become your own
mini-CA and issue one for yourself. I'm sticking with a CA-issued one for the
next few months, because although DNSSEC has poor client support, DANE support
is entirely non-existent; so the value of a non-CA-certified certificate is
still almost nil. Using a CA-issued certificate (mine is from StartSSL, and
was free) in conjunction with DANE is OK - DANE-aware clients will detect
traditionally-MitM'd certificates from such a record - but you miss out on
a couple of benefits. Specifically, you're still dependent on the CA to support
sensible (or new/experimental) key types, and if you let the CA generate the
private key rather than going the CSR route (don't do this, ever) then you're
trusting them not to keep a record of what it was.
I may talk about how to generate a self-signed certificate here in the future.
### Generating records
Once you've got your certificate and configured your various services to use
it (HTTPS especially, but also XMPP, IMAPS, SSMTP, etc), it's time to link
it all together in the DNS. Generating the records (which are known as TLSA
records) is a pain, but there is a tool - called swede - to do it for you:
=> https://github.com/pieterlexis/swede
It's Python, only works against HTTPS, and you'd get and
use it like this:
```
lupine@den:~/Development$ git clone https://github.com/pieterlexis/swede
Cloning into 'swede'...
remote: Counting objects: 116, done.
remote: Compressing objects: 100% (55/55), done.
remote: Total 116 (delta 67), reused 107 (delta 59)
Receiving objects: 100% (116/116), 21.83 KiB, done.
Resolving deltas: 100% (67/67), done.
lupine@den:~/Development$ cd swede
lupine@den:~/Development/swede$ sudo apt-get install python-unbound python-argparse python-ipaddr python-m2crypto
# [...]
lupine@den:~/Development/swede$ ./swede create --output rfc lupine.me.uk
No certificate specified on the commandline, attempting to retrieve it from the server lupine.me.uk.
Attempting to get certificate from 213.138.100.8
M2Crypto does not support SNI: services using virtual-hosting will show the wrong certificate!
Got a certificate with Subject: /description=z3YBHiV5NCKOeIZs/C=GB/CN=www.lupine.me.uk/emailAddress=postmaster@lupine.me.uk
_443._tcp.lupine.me.uk. IN TLSA 1 0 1 9730ccc0952f3150bc3c640aedb364bd628bc1738ada89826624d9442589eb06
```
That last line is the TLSA record that identfies your certificate. Even though
swede only supports HTTPS, you can change _443 to _5222 and you've got an XMPP
record - so let's add a sensible set of TLSA records for this certificate to
DNS.
```
root@oak:~# sqlite3 /var/lib/powerdns/pdns.sqlite3
sqlite> insert into records (domain_id, name, type, content, ttl) VALUES (
1, '_443._tcp.lupine.me.uk', 'TLSA', '1 0 1 9730ccc0952f3150bc3c640aedb364bd628bc1738ada89826624d9442589eb06', 3600
);
sqlite> insert into records (domain_id, name, type, content, ttl) VALUES (
1, '_993._tcp.lupine.me.uk', 'TLSA', '1 0 1 9730ccc0952f3150bc3c640aedb364bd628bc1738ada89826624d9442589eb06', 3600
);
sqlite> insert into records (domain_id, name, type, content, ttl) VALUES (
1, '_5222._tcp.lupine.me.uk', 'TLSA', '1 0 1 9730ccc0952f3150bc3c640aedb364bd628bc1738ada89826624d9442589eb06', 3600
);
sqlite> insert into records (domain_id, name, type, content, ttl) VALUES (
1, '_5269._tcp.lupine.me.uk', 'TLSA', '1 0 1 9730ccc0952f3150bc3c640aedb364bd628bc1738ada89826624d9442589eb06', 3600
);
sqlite> .exit
root@oak:~# pdnssec increase-serial lupine.me.uk && pdnssec rectify-all-zones
```
Now when you visit your website in a DANE-enabled browser, you'll see the
certificate is considered valid; you could remove all CA certificates from it
or use a self-signed certificate to the same end. Success!
## SSHFP
As a fillip, now that you've done all that work, you can also add SSHFP records
to smooth SSH access. That looks like this:
```
root@oak:~# sshfp --scan lupine.me.uk
WARNING: Ignoring -k option, -s was passwd
# lupine.me.uk SSH-2.0-OpenSSH_5.5p1 Debian-6+squeeze3
# lupine.me.uk SSH-2.0-OpenSSH_5.5p1 Debian-6+squeeze3
lupine.me.uk IN SSHFP 1 1 08C614DAF69DA62937FEFFA025607569B54B8D08
lupine.me.uk IN SSHFP 2 1 67B596A0A593A931DAD21C83F6E7B9F02CBFE6F5
root@oak:~# sqlite3 /var/lib/powerdns/pdns.sqlite3
sqlite> insert into records (domain_id, name, type, content, ttl) VALUES (
1, 'lupine.me.uk', 'SSHFP', '1 1 08C614DAF69DA62937FEFFA025607569B54B8D08', 3600
);
sqlite> # ...
sqlite> .exit
root@oak:~# pdnssec increase-serial lupine.me.uk && pdnssec rectify-all-zones
To make use of this, you'll also need to alter your ssh_config:
lupine@den:~$ echo "\n\nVerifyHostKeyDNS yes" >> ~/.ssh/config
```
The outcome is that when logging into your machines over SSH from a new
location, your SSH client can check the presented host key fingerprints
against the ones in DNS, and warn you if they don't match for any reason -
a man-in-the-middle attack, for instance. Or a server reinstall, of course.
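Review bot: the TLSA records inserted in the DANE section all carry certificate usage 1 (the "1 0 1 9730cc..." content for _443, _993, _5222 and _5269). In RFC 6698, which the text cites, usage 1 is PKIX-EE: a client must still validate the certificate through the normal CA chain and then check that it matches the record. The closing sentence "you could remove all CA certificates from it or use a self-signed certificate to the same end" therefore does not hold for these records; that behaviour is usage 3 (DANE-EE). Either publish the records with usage 3 or soften the claim, since as written a reader following the recipe with a self-signed certificate would get validation failures in a conforming client. Smaller points in the same file: the Chrome Web Store URL is the only link written without the "=> " prefix used for every other link, so it will not render as one; in the SSHFP block the line "To make use of this, you'll also need to alter your ssh_config:" is prose that has landed inside the code fence; and `echo "\n\nVerifyHostKeyDNS yes" >> ~/.ssh/config` writes the backslash sequences literally under bash's builtin echo, so `printf '\n\nVerifyHostKeyDNS yes\n' >> ~/.ssh/config` is the portable form. Typos: "static configuation" (configuration) and "the TLSA record that identfies your certificate" (identifies).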

@@ -0,0 +1,30 @@
---
title: "New Blogging Platform"
---
## Alive again
So, back to blogging. I've tried to run a blog since the dawn of time, more or
less, and it's always been a bit of a failure, partly for lack of anything
interesting to write about, and partly because blogging software is uniformly
awful. Typo, Wordpress, Zotonic, various home-grown bits and pieces... always a
hassle to install, maintain and publish to.
The latest attempt is also slightly home-grown, but based on the go.tools/blog
codebase (via hints in goblog), which is reasonably pleasant. TODO: styling.
Really TODO.
=> https://blog.toshnix.com/goblog
## The future
No point having a blog if I'm not going to put anything on it (again), of
course. My old articles will be imported soon (they remind me how to do DNSSEC,
so I really do need them), but I'm hoping to embark on a project that's been
sat around in my head for a little while now. Working title: *The Capitalist
Pig-Dog Blog*. There's also a general election coming up, which is making me
want to write things, as ever. The state of housing is also still in my head.
Prices make me angry, co-operative housing models make me feel better.
Watch this space. Possibly forever, but hopefully not.

@@ -0,0 +1,108 @@
---
title: "The Capitalist Pig-Dog Blog"
---
## Wat
I'm a sucker for catchy names (do say it out loud, at least once), but the
premise might need some explanation for people who aren't me. It's worth noting
at the outset that I'm primarily writing this for, and to, myself; but there's
no point in being unreasonably obtuse about it.
"Capitalist pig-dog" is a wonderful insult I've heard in the past, usually
issued by comical Communist caricatures at heroic Capitalist caricatures in
pursuit of a cheap laugh or two. I can't track it down to a particular source,
although the Pythons are partially to blame for popularising "pig-dog" in
general. The term really caught my imagination about a year ago, and I've spent
the intervening time trying to work out what it *means*. Or could mean.
Any analysis of my political/socioeconomic views puts me somewhere generally
identified as leftwing. Although I can't call myself a communist in good faith,
people I discuss these things with will happily label me a communist or
socialist after a few rounds of discussion. Hopefully, it goes without saying
that I should try to stand by my beliefs, and live according to them. Even if
said beliefs are dead wrong (of course, I don't believe they are), doing
*nothing* about them would be a little odd.
=> /img/pig-dog-01/politicalcompass-me.png
The most obvious thing I can do is to vote in elections according to said
beliefs; being a UK citizen, I get a wonderful range of choices.
=> /img/pig-dog-01/politicalcompass-uk-parties.png
Ah.
The Green Party are probably closest to me at the moment, although I wouldn't
consider myself to be a natural Green voter. Living in York adds Yorkshire First
and the TUSC to my ballot paper, but removes the SDLP Plaid Cymru, the SNP, SSP,
Sinn Féin, and Respect. A choice of three vaguely representative candidates to
vote for isn't terrible (assuming the TUSC and Yorkshire First are in my ballpark),
so I can express my beliefs in this way.
=> https://www.greenparty.org.uk Green Party
=> http://www.yorkshirefirst.org.uk Yorkshire First
=> https://www.tusc.org.uk TUSC
=> https://www.sdlp.ie SDLP
=> https://www.plaid.cymru/ Plaid Cymru
=> http://www.snp.org SNP
=> http://www.scottishsocialistparty.org/ SSP
=> https://www.sinnfein.ie Sinn Fein
=> http://www.respectparty.org Respect
However, since York Central is a pretty safe Labour seat, and the election is run
according to the frankly pathological FPTP system, that vote doesn't then result
in my beliefs being advanced through the political system. By itself, this form
of political expression is a non-starter. At best, I can help one of these parties
to start establishing a support base to get an MP into parliament to... well, do
very little. Westminster is not kind to small parties:
=> https://www.theguardian.com/politics/2015/feb/28/caroline-lucas-im-not-playing-about
=> https://en.wikipedia.org/wiki/York_Central_%28UK_Parliament_constituency%29 York Central
=> https://www.electoral-reform.org.uk/first-past-the-post FPTP
Voting, then, is not doing much for me, or my beliefs. Even if it were, it's a
couple of minutes of action every five years or so - and my beliefs are
important to me. Since the parties in power are busily advancing beliefs that
are, in my view, fairly diametrically opposed, surely there is more that I can
do? Activism for parties I *do* support, and reform of the associated
electoral systems, is a long game, and I do put some resources into that -
although I could do more, I'm sure. In my personal life, I can resist the
prevailing (or Westminster-prevailing, perhaps) social currents and act
according to my conscience instead. Economically, though, I'm a bit stuffed.
The UK is, at least in theory, a capitalist state - and by living here, drawing
a wage here, paying taxes and spending money here, I am engaging in that system.
These actions mark me as a capitalist pig-dog by deed, even if my words are
quite different.
## Help, I'm stuck in a capitalist country
I'm not actually stuck, of course. I could move to a different country - one
matching my ideological leanings more closely. Some thought and research has
gone into this possibility - I recently visited Finland, and I'm keeping an eye
on Scottish independence - but it's on ice at the moment.
=> https://en.wikipedia.org/wiki/Politics_of_Finland Finland
=> https://commonspace.scot Scottish Independence
What else is there to do? Here's the not-very-revelatory revelation: in
capitalist economic systems, spending money is a bit like voting.
People engage in consensual exchanges - labour for money, money for (other)
commodities. Competition drives down prices, price discovery guides production,
and consumer choice determines which competitors win out, in the end. Consumer
choice is generally assumed to be "rational", which can be interpreted in a
number of ways, and may not be true in general anyway.
=> https://mises.org/sites/default/files/Economics%20in%20One%20Lesson_2.pdf The Lesson
=> http://www.goodreads.com/series/40494-apprentice-adept
In reality - in my judgement, anyway - the system I'm in doesn't work like that
at all. But if it works a *bit* like that, I can advance my beliefs by earning
and spending according to them. I think I already do that to some extent, but
I've never tried to analyse or quantify it; I just act in fairly knee-jerk ways
to the new story _du_jour_ . What if I look at everything I earn, and everything
I spend? What if I analyse it and try to maximise the effect that my money has,
in creating the sort of world I want to live in? And what if I blog about it,
and others join in? Will I still be a capitalist pig-dog? Will they?
Let's find out.
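Review bot: formatting slips in the body text: "removes the SDLP Plaid Cymru, the SNP" is missing a comma after "SDLP"; "the new story _du_jour_ ." has a stray space before the full stop, and the underscores around "du_jour" will not render as emphasis the way the file's other emphasised phrases do (it uses asterisks, e.g. *The Capitalist Pig-Dog Blog*), so `*du jour*.` would be consistent; and the link label "Sinn Fein" drops the accent used in "Sinn Féin" a few lines above.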

@@ -0,0 +1,108 @@
---
title: "The Capitalist Pig-Dog Blog: Starting Points"
---
## Beliefs and values
My last post talked a bit about beliefs and sticking to them, but it shied away
from discussing them in any detail. Words like "leftwing", and the
Political Compass graph, might have given a few hints away. If I'm going to be
analysing and changing my behaviour according to these things, it's important to
get a decent grasp on what they _are_.
=> https://politicalcompass.org Political Compass
Firstly, I don't consider myself to be an ideologue. I've read Das Kapital and
The Wealth of Nations, but I'm not about to pick one up and start brandishing it
as the source of all answers to everything ever. Instead, I think of myself as a pragmatist - the economy (and human economic behaviour in general) is a means to
an end, and should be arranged however best meets those ends, regardless of
theoretical underpinnings.
=> https://www.marxists.org/archive/marx/works/1867-c1/ Das Kapital
=> http://www.econlib.org/library/Smith/smWN.html The Wealth of Nations
What end(s) am I pursuing? I lack any great theoretical underpinnings for this
either, but it's very important to me, personally, that everyone has access to
a basic, comfortable standard of living. It is also very important to me that
the power people have over other people is minimised. These beliefs do have
a degree of tension, of course - to ensure everyone is comfortable, you must
necessarily impinge on the freedom of others, to an extent. I've mostly resolved
this internally by emphasising the collectivist strand over the individualist
one.
Is this all classic Third Wayism? Am I 20 years late to the party? Perhaps to an
extent, but watching New Labour in action (or looking back at its goals and
accomplishments) doesn't leave me with the feeling that the strategies pursued
actually worked - instead, I'm left with some degree of hostility to naive market
solutions.
=> http://en.wikipedia.org/wiki/Third_Way Third Wayism
I think this mostly comes down to private property. Some people believe that
property rights are sacrosanct, with their exercise being a vital part of being
free from others, but I lean more towards viewing them as a device for exercise
power over other people. Property rights are, of course, here to stay - and I
take advantage of them extensively - but this viewpoint informs how I'm inclined
to use property rights to solve problems. In particular, I'm liable to avoid
usages of property rights that permit a relatively few people to direct or control
the behaviour of many others, or their exploitation. Like the entire economic
spectrum.
=> http://en.wikipedia.org/wiki/Natural_law Natural law
=> http://en.wikipedia.org/wiki/Rentier_capitalism Rentier capitalism
=> http://en.wikipedia.org/wiki/Rent-seeking Rent-seeking
I consider rentiers to be rather bad; to me, this form of participation in a
market necessarily maximises the amount of power over others that a group can
have, while leaving significant numbers unable to participate (as artificially
restricting supply to raise prices is the surest way of increasing profits).
Austrian-style economics see rent-seeking and demand an end to all regulations;
but in many cases, some regulation is actually quite handy. As an example,
removing all planning restrictions would reduce the costs of property
significantly, but it would also result in some very unpleasant - including
fatal - dwellings being constructed. Honest regulations aiming to meet the basic
human need of housing - why is that so difficult to achieve?
=> http://www.insidehousing.co.uk/quarter-of-tory-mps-are-landlords-says-research/6524104.article
=> http://en.wikipedia.org/wiki/Regulatory_capture
At some point I'll be examining what I do for housing myself, and what other
options there are. Perhaps I'll be able to come to some conclusions at that point.
For now, it's easy to point at problems, but much harder to think up solutions.
## Income and expenditure
I've spent a little while trying to work out whether I should publish actual
numbers on here or not. We can be an odd bunch when it comes to how much we
earn, what we spend it on, etc. In the end, I figured, what's the harm?
I've been using Gnucash to track my finances since 2010, and while I could just
open up read-only access to that database, even I'm not that open. So instead, I
made some pretty pictures:
=> http://gnucash.org
=> /img/pig-dog-02/net-worth.png Net worth
=> /img/pig-dog-02/expenses.png Expenses
I am intending to dip into this historical data a fair bit in the future,
so this isn't the sum total of everything I'm releasing ever; there might even
be some tables in the future. The next post will look at my income in more
detail, before I go on to poke various aspects of expenditure (which is the
really interesting bit).
For now, I'll just note that my take-home pay (after taxes and pension
contribution) is ~£3300/month (this is better than the median) but my net worth
(excluding said pension, as it happens) is still relatively low, although it's
on a fairly rapid upward trajectory. All this gives me significant leeway to
change my behaviour that, I will try my best to remember, won't necessarily be
available to people earning the kind of sums I can remember from before I lucked
out (this job started in 2008; things were a lot hairier before then, hence the
current net worth game). The next post will look at my income & net worth in a
bit more detail; it's worth setting out how much I earn and why I earn it in the
way that I do (along with considering alternatives, feasible or no) before going
on to see how that money is spent, hoarded or invested in any detail.
=> http://en.wikipedia.org/wiki/Income_in_the_United_Kingdom
=> http://news.efinancialcareers.com/uk-en/9815/compare-your-net-wealth-to-the-rest-of-your-age-group/
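Review bot: grammar slip in the private-property paragraph of this file, `a device for exercise power over other people` should read `a device for exercising power over other people`, and the fragment `Like the entire economic spectrum.` that follows reads as a dangling afterthought and would be clearer attached to the preceding sentence. Minor style point on the same file: the link lines `=> http://www.insidehousing.co.uk/...`, `=> http://en.wikipedia.org/wiki/Regulatory_capture` and `=> http://gnucash.org` carry no link label, unlike every other `=>` line here.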

@@ -0,0 +1,178 @@
---
title: "The Capitalist Pig-Dog Blog: Income"
---
## Payday!
I get paid at the end of each month, from my job at Bytemark.
This is a typical employment contract, nothing special, but it bears thinking
about anyway. Bytemark's a pretty standard for-profit company; people hand over
cash for hosting, some of that cash is handed over to me in exchange for labour.
I never see some of the cash nominally handed over to me, because of taxes,
which go to various things - some of which I like, some of which I don't. More
on *that* another time.
=> https://bytemark.co.uk Bytemark
=> https://en.wikipedia.org/wiki/PAYE Taxes
Work is how I pay the bills; bills are how I live. The job ensures that I have
somewhere to live, food, water, energy, transport... everything. It's possible
some of this can be changed in the future, and I'll look at that when I get around
to it, but this is the situation right now.
Fundamentally, I'm quite happy to accept the Marxist analysis of employment (go
back and read Das Kapital if you haven't already). The job that I have is pretty
nice to me, personally, but it's an exploitative contract (see: surplus value),
which works towards the reproduction of capital, and so ensuring these kinds of
contracts continue on forever.
The usual free-market objections to this analysis that I encounter have been
deeply unconvincing; usually, they revolve around the idea that labour is a free
market (or it would be, if it weren't for that pesky government), and people are
free to exchange their labour for wages, or not, as they prefer. Nobody would
willingly allow themselves to be exploited, so employment cannot be exploitative.
QED.
## Compulsion
Unfortunately, if I don't work, I'm in a bit of a sorry state. Refusing to work
means no wages. We live in a vaguely civilised society, so if you're out of a
job there are welfare payments. Of course, you're not eligible for those if you
refuse to work - and it's generally argued amongst those *not* on welfare
(and even many who are) that "conditionality" - as the DWP now calls - is a good
thing.
The switcharoo here is that I'm actually fine with working in principle - what
I'm not fine with are the employment terms on offer. But if I don't accept those
terms, I'm left in the fairly precarious position of needing to find a new way
to acquire, at a minimum, housing, food, water, energy and transport. If there's
no sane way for me to do this, the idea that the labour market is a free one is
ridiculous; a choice of X or death is no choice at all.
It's worth noting that I could quite conceivably go on doing exactly the same
job with no complaints, if the background issue of compulsion went away; I am in
effect complaining, right now, about having no option but to do something I don't
really mind doing anyway. Other people may hate their jobs, of course, but if I
weren't being paid to write code, I'd do more of it at home for fun.
## Alternatives
So, is there a current (or conceivable) alternative that could render the current
situation unexploitative? From my point of view, the simplest hack is to make
the social security net unconditional. This normally takes the form of a
basic income or negative income tax Without the threat of death if I refuse to
accept the commonly-offered contract terms in my field, the contract can be freely
negotiated and entered into (or refused, of course), and free-market logic starts
to line up with reality. In this model, employers desperately need employees to
survive; but potential employees can scrape along, more or less, without employers
for as long as they feel they're being exploited. (In my case, that might not be
any time at all, of course). It's a complete inversion of the currently-existing
power relation between employer and employee, and this is for the better, in my
view. However, it's not happening anytime soon.
=> http://basicincome2013.eu/ Basic income
=> http://www.econlib.org/library/Enc1/NegativeIncomeTax.html Negative income tax
=> http://www.businessinsider.com/heres-how-switzerlands-basic-income-initiative-works-2013-11?IR=T
It's also worth noting that people are supremely good at not noticing that they're
being exploited; I'm taking a marxist analysis here almost as a given, but it's
the height of barmy radicalism to a lot of people. I'm fine with that.
Entrepreneurs in the audience are, at this point, jumping up and down and shouting
"why not start your own business, or become a contractor?" - and I have given
both of these options serious thought in the past. Ultimately, however, neither
option does much - as a contractor, I'd still be subject to extraction of surplus
value; I'd just be throwing away a whole bunch of protections in employment law.
Becoming a business owner is identical to being a contractor, if the business is
a sole trader; and once I employ someone else, I'm just swapping around who
is the exploiter, and who is exploited. If I don't like the contract style,
there's absolutely no way I'd want to impose it on someone else, right?
So far, I've assumed that surplus value (and all the other standard aspects of
a capitalist business) is actually happening. Could I construct (or join) an
organisation that lacks these characteristics, and so salve my conscience that
way? I've not come across anything that would allow me to pay the bills, but
non-profit, Free or otherwise-worthy software development is generally available
(reskilling might also be an option, allowing me to change jobs completely, but
that's not something I can do immediately).
=> http://socialcoder.org/ non-profit software development
=> https://gnu.org/ Free (as in freedom) software development
Joining a worker's cooperative would also do the trick, but I'm not aware of any
in my current skill set. I've already enquired about the possibility of converting
Bytemark into one; it's a no-go. Do get in touch if you're running one ;).
=> http://en.wikipedia.org/wiki/Worker_cooperative Worker's co-operatives
Could I start my own up? Quite possibly, but not this year, and probably not next
year either. Starting a business (of any sort) requires more capital than I have
at the moment. That's changing, of course, but I'm still quite ambivalent to this
option; running a worker's co-operative really does come under reskilling, I suppose!
Evidently, I should have looked harder; there *are* some web-hosting co-operatives
in business. Eeenteresting.
=> https://www.co-operativehost.com
=> https://www.webarchitects.coop
=> https://web.coop/
## The nuclear option
Finally, I could just pack it all in, withdraw from the current market system
for housing, food, water, energy and transport, and join a long, honourable list
of people who've taken up homesteading:
=> https://en.wikipedia.org/wiki/Homesteading
All I need is enough land to support me, either individually or as part of a
commons...
Back in the day, this was a viable living choice. Hopefully it's entirely obvious
that it's not the option it used to be - all the land is claimed, owned, parcelled
out, unavailable. If you want to live off the land, you need to acquire the land
first. And not just any land - you'll need permission. Really, this option has
the same problems as "start a worker's co-operative". Prohibitive levels of
reskilling, and large initial capital requirements. Another one for the future.
It's worth noting that this state of affairs hasn't come about by chance, and nor
is it equitable.
=> http://en.wikipedia.org/wiki/Inclosure_Acts
=> http://en.wikipedia.org/wiki/Diggers
Land reform is more popular in some areas than others; maybe this can be fixed
in time.
=> https://consult.scotland.gov.uk/land-reform-and-tenancy-unit/land-reform-scotland
## Full circle
That's a lot of words, and not all of them are particularly encouraging. Would I
want to grub in the dirt for food every day of the week, even if it were an
option? Would a worker's co-operative be a success in any of the fields I could
work in? Am I brave enough to switch jobs *right*now*? Only possibly!
Leaving that last one aside, is there anything at all that I can do to improve
matters here? The fundamental issue is the imbalance of power between employee
and employer; the traditional remedy for that has been unionisation.
there is no union shop at work, nor do I suspect there ever will be; but I can
always join a union as an individual - so I'll join Prospect.
=> https://prospect.org.uk
I don't expect it to change any aspect of my current employee-employer relationship
in the short to medium term, but if nothing else, maybe the dues will help somewhere
else; and unions really need a shot in the arm. They really aren't the mass
movements they used to be, and they're not going to improve if someone as in
favour of them as myself can justify not joining one, are they?
=> http://en.wikipedia.org/wiki/Wapping_dispute Wapping dispute
=> http://en.wikipedia.org/wiki/1926_United_Kingdom_general_strike 1926 UK general strike
=> http://en.wikipedia.org/wiki/Three-Day_Week Three-day week
So, membership form sent. That makes this post worthwhile all by itself! I'm only
7 years late in joining... and hey, it's May Day!
=> https://en.wikipedia.org/wiki/May_Day May Day
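Review bot: several punctuation slips in this file. In the Compulsion section, `as the DWP now calls -` is missing its object (`as the DWP now calls it`); in Alternatives, `basic income or negative income tax Without the threat of death` is missing a full stop after `negative income tax`; in Full circle, `there is no union shop at work` begins a sentence in lower case, and the `*right*now*` emphasis has a stray asterisk in the middle that will not render as intended, `*right now*` is presumably what was meant.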

@@ -0,0 +1,103 @@
---
title: "The Capitalist Pig-Dog Blog: Expenditure: Debt"
---
## Apologies
It's been a bit quiet recently because I've been collecting receipts all month.
Once I've got a month's worth, I can write a scintillating article about
shopping expenditure; until then, I'll just have to content myself with a short
piece on debt expenditure.
## Time travel
I've got quite a few debts; modern capitalist economies really are predicated
on the notion that debt is good. Although this raises a lot of hackles, it
doesn't bother me too much. If we're going to have money, it might as well have
a high velocity, and a lot of the objections are from people I'm not predisposed
to trust. Also, there's very little I could do on a practical level except to
stop using money entirely. Not impossible, but very much on the outskirts of
practical.
=> http://en.wikipedia.org/wiki/Fractional-reserve_banking
=> http://wiki.mises.org/wiki/Criticism_of_fractional_reserve_banking
=> http://www.infowars.com/fractional-reserve-banking-government-and-moral-hazard/
=> https://www.youtube.com/watch?v=ELEwjVRxxGE
=> http://en.wikipedia.org/wiki/Velocity_of_money Velocity of money
I will never link to Alex Jones again. I promise.
Anyway, the basic principle of debt is that you are leveraging your future earnings
to get something done *now*, goddamnit. As a child of New Labour, I was fortunate
enough to go to University, but in doing so, I got to experience this concept
for the first time in the form of student loans.
=> http://en.wikipedia.org/wiki/Student_Loans_Company
Fairly simple - the government lends me £12,000 over three years to go to university,
I pay it back with interest once I've got a decent job. I win, the government
wins twice (as it gets a higher-rate taxpayer out of it too), and society at large
wins as well. Certainly in theory.
Student loans aren't my only credit arrangement, of course; I've borrowed money
since for various reasons. I don't really have any objections in principle, it's
mostly a matter of degree
=> http://en.wikipedia.org/wiki/Usury
## Analysis
So what does my current expenditure on loans look like? And where does it go?
```
| Item | Monthly payment | Months left | Provider |
| ------------- | --------------- | ----------- | ------------------------- |
| Student loan | £300 | 3 | Student Loans Company |
| Mortgage | £780 | 267 | Nationwide |
| Personal loan | £430 | 22 | Nationwide |
| Bathroom loan | £100 | 12 | Barclays Personal Finance |
| Boiler loan | £ 80 | 36 | Hitachi Loans |
| Car loan | £300 | 15 | Santander |
```
Total: £1,990
It's not particularly pretty; even on my income, this is too much money on debt
repayments, any financial planner can tell you that (it's not even the end of the
story; there's also credit cards and an overdraft to consider, but I'll talk about
those separately). Just on common prudence grounds, it's imperative that I reduce
these payments; fortunately, the student loan is almost repaid and the mortgage
becomes much cheaper in the near future (new fixed-rate deal); that reduces the
total to around £1500, which is somewhat more sensible.
In terms of who gets the money, Nationwide - a building society - gets the biggest
single share, receiving over half of it. The Student Loans Company - a non-profit -
is another significant beneficiary, at least for now. "Just" a quarter of the current
total - £480/month - goes to Evil Private Companies.
A loan can be repaid at any time, so in theory I could shift that monthly expenditure
to Nationwide just by taking out a second loan; the amount of detriment to the losing
companies is precisely the interest they lose from my doing so, minus any early
repayment fees. The Hitachi one is worthwhile, so I'll look at that; the Barclays
one is not, but is nearly repaid. The car is actually a PCP with an interest
rate of 0% (I guess they make their money from the VAT dodge), so the point of moving
it within the term is more or less nil.
=> http://en.wikipedia.org/wiki/Personal_contract_purchase#UK PCP
Future loans can certainly be taken out exclusively with mutual organisations.
Building societies are OK, but alternative models do exist; credit unions are a
better model, but they aren't that popular in the UK, and my local one, NYCU,
collapsed in 2012 - I'd actually filled out the membership form the day before
they went.
=> http://en.wikipedia.org/wiki/Credit_union Credit unions
=> http://www.bbc.co.uk/news/uk-england-york-north-yorkshire-20167650 NYCU
Interestingly, it seems SYCU have expanded to York; they have a branch in the city,
at least. I've emailed them to ask about membership. I'll see if I can move a
subset of my concerns there; although I'd be surprised if they can do mortgages!
The mortgage itself is an interesting thing; I'm paying it instead of rent, and
that in itself makes it great. I'll see if I can write more about the Evils Of
Renting later in the year.
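Review bot: the repayment table in the Analysis section is wrapped in a plain ``` fence, so it will render as preformatted text rather than as a markdown table; dropping the fence lets the pipe table render as intended (the columns are already aligned). The figures are consistent with the text: 300 + 780 + 430 + 100 + 80 + 300 = 1,990, Nationwide's 1,210 is indeed over half, and the 480 going to the three private lenders is close to a quarter. One punctuation slip: `it's mostly a matter of degree` is missing its full stop before the Usury link.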

@@ -0,0 +1,90 @@
---
title: "York Festival of Ideas 2015"
---
## Users vs. Techs
This year, I learned about York's Festival of Ideas. Started in 2011, this year's
theme was "Secrets and Discoveries", which included a whole day (today) on
Surveillance, Snowden and Security. Right up my alley, so off I went. This
article is really about things that were brought up in a panel discussion,
entitled The Future of Cyber-Security. I don't know if these things are being
recorded and uploaded, but I'll link if it becomes available.
=> https://yorkfestivalofideas.com/2015/ Festival of Ideas
=> https://yorkfestivalofideas.com/2015/focus-days/surveillance/ Surveillance, Snowden and Security
=> http://yorkfestivalofideas.com/2015/talks/the-future-of-cyber-security/ The Future of Cyber-Security
The panel was composed of five speakers, with what could be called a range of
experience; it was chaired by a BBC technology correspondent. Early in the main
discussion came a generally-agreed maxim - that "we" shouldn't let "the techies"
determine our online future. Being as charitable as I can be to this idea, I think
it's expressible as "not everything that is possible should be permitted". Or maybe,
"techies should build the online environment we mutually agree we should have,
rather than the one techies think is best". At the time, it came across as being
quite antagonistic - in any division of the populace between "techie" and "everyone else",
I'm surely in the former group, after all.
Later in the discussion, an illuminating window was shone on this attitude - at
least for me - by a digression into the power that a small, elite group of
technologists sitting in Silicon Valley and working on huge online edifices that
we find ourselves willing, or forced, to use. Facebook, Google, Apple, Microsoft,
etc. These services and software companies mediate a large portion of online
interactions, and to a very real approximation, they *do* decide what is possible
online for people. This became evident in the last (and best) audience question
of the session, where someone asked what alternatives there were to these
behemoths - the questioner wanted to know what she could do, right now, to avoid
them, if possible.
None of the panel could answer this. They all sheepishly proclaimed their allegiance
to Google, or to Apple, and commuted the question to "can we do without this service?"
or "what's the minimum amount of information I can give to this company while still
using their service?". One of the panellists (I forget who) managed to note that
alternatives do exist for some of these services, but didn't know what any of them
were, and opined that the cost of finding and using such an alternative outweighed
the benefits of escaping the Silicon Valley set of solutions.
These people are users. More than that, they are consumers. Consumer activism,
it turns out, is how they expect their online services to evolve in a direction
that fulfils their wishes. (The pig-dog blog, incidentally, turns out to be
consumer activism and it's not a new thing. Who knew?) The techs are expected to
present a choice of online services that represents the range of the possible
(well, minus a few that have been determined ahead-of-time to be too dangerous),
and consumer choice is meant to filter out the bad ones. Wouldn't that be nice?
In reality, of course, the options open to me as a tech for any online service
are much broader than the options open to a user, simply because many ways of
providing a given service haven't been productised in any sensible fashion. I
host my own email and instant messaging, and create my own encryption keys to
secure these things over the wider Internet. This is the online equivalent of
brewing your own beer, or making your own biltong. Those who can't are unlikely
to ever have the *dubious* pleasure of tasting Henderson's Relish biltong.
Anyway, these users have their view of what is possible shaped by the products
that are currently successful. The "right to be forgotten" ruling came up partway
through this panel. Removing search results from Google indexing is fairly
pointless, a techie will cry - the content still exists, after all, and other
search indexes also exist. You just can't stop YaCy from indexing them. But it
doesn't matter to the user - the desired effect has been achieved according to
their (limited) view of what is possible.
The idea of having your own email securely located in your own living room, or
being responsible for asserting your own identity online, is a revolutionary
concept to users in general. They're just not aware that it's an option until a
helpful techie informs them that it is - brainstorming "alternatives to GMail"
with such a group is going to throw up replies like "hotmail". Their view of
hat is possible is shaped by the techies providing the services they already
use.
Attempts to productise self-hosting of email, say, are ongoing - but it's a niche
thing. The other side of the coin is attempting to convince users to be more
gung-ho with non-productised (or less-productised, I guess) solutions. If we're
sat in a wood, freezing to death, a decent proportion of us could make fire from
first principles, even if we don't have a Zippo lighter with us. As things are
with online services, we wouldn't even start collecting the analogous driftwood.
Groups of techies like those behind MailPile have got the right idea, I think,
but it's an uphill slog - and trying to make users aware of these possibilities,
and get them into policy and legislative debates, is the hardest bit. The tech
comes naturally to us, after all. Did I stand up and say any of this at the panel
discussion? Of course not :p.
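Review bot: typo in the penultimate paragraph, `Their view of hat is possible` should be `Their view of what is possible`. In the opening paragraph, `Started in 2011, this year's theme was` attaches the participle to the theme rather than to the festival; `The festival started in 2011, and this year's theme was ...` avoids the dangling modifier.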

@@ -0,0 +1,63 @@
---
title: "Subsonic and Licensing"
---
## Subsonic
Subsonic is a reasonably neat "personal cloud" sort of thing for playing music.
In many ways, it replicates the Owncloud Music application. I'm a fan of that
too, but switched to Subsonic once it became clear that upgrading OC would
always be a trial. Unfortunately, although Subsonic is open-source, it includes
a bunch of money-making "premium" stuff backed by a licensing scheme. This
includes nagware, etc.
=> http://subsonic.org Subsonic
=> http://owncloud.org Owncloud
With an open-source project, you can just fork it and release a version with all
that crap removed, of course, and that's precisely what
`@EugeneKay` has done:
=> https://github.com/EugeneKay/subsonic/commit/a08c8a80da07ddfe8d34dada439cc3480ddce725
## Do not trust HTTP or DNS
As the patch notes, the licensing scheme is fairly hilariously simple: the
license "key" is just the md5sum of the email address; a remote HTTP server
is looked up over DNS and queried to see if that license is on a central DB and,
if it is, whether it has expired.
So in `/etc/hosts`:
```
127.0.0.1 subsonic.org
```
In `/etc/nginx/sites-enabled/subsonic.org.conf`:
```
server {
listen 80;
listen [::]:80;
server_name subsonic.org;
location /backend/validateLicense.view {
return 200 "true\n2068585481000\n";
}
location / {
proxy_pass http://66.49.215.227;
}
}
```
(I've not actually tested the proxy_pass but I imagine it'll work).
Then in the Subsonic licensing box:
```
Email: foo@example.com
Key: b48def645758b95537d4424c84d1a9ff
```
So, no need to maintain a separate fork after all. Beautiful.
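Review bot: the `proxy_pass http://66.49.215.227;` fallback is admitted to be untested, and because the `/etc/hosts` entry redirects every request this machine makes to `subsonic.org`, anything else that Subsonic or a browser on the same host fetches from that name now passes through this nginx instance as well; the post should say so, and note that the hardcoded IP will silently break if the site ever moves. The section heading makes the right security point: a client that validates a license, or for that matter an update, over plain HTTP against a DNS-resolved name cannot distinguish the vendor from whoever controls its resolver or network path, and a key derived only from public information (the md5 of an email address) is not a secret. On the vendor side the fix is to perform such checks over TLS with certificate validation and to sign the response payload, so that a substituted reply fails verification instead of being accepted.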

@@ -0,0 +1,19 @@
---
title: "New, New Blogging Platform"
---
It's just over a year since I last changed blogging software!
The new model integrates blog into website and the whole thing is based on
Hugo, a static site generator of some class.
The theme is called grid-side]() and the big painted wall background is on
someone else's fine Creative Commons work.
I've not been writing much recently, not even about PigDog, but I have been
*thinking* and *doing* instead. Big changes are afoot, and I'll write about
what I can, when I can.
=> https://gohugo.io Hugo
=> http://themes.gohugo.io/grid-side/ Grid-Side
=> https://www.flickr.com/photos/shaireproductions/6824147671/ Painted wall
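Review bot: `The theme is called grid-side]()` has a stray `]()` left over from a markdown link that the `=>` link list below already covers, and `the big painted wall background is on someone else's fine Creative Commons work` should read `is someone else's fine Creative Commons work`.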

@@ -0,0 +1,104 @@
---
title: "Email!"
---
## Email sucks
It really does, and yet we still need it. I've been hosting my own for over a
decade now, although for the bulk of the time I outsourced most of the mail
server smarts necessary to do so to the excellent Symbiosis virtual hosting
package, although I switched to `@tomav`'s docker-mailserver about six months
ago.
=> https://symbiosis.bytemark.co.uk Symbiosis
=> https://github.com/tomav/docker-mailserver docker-mailserver
Today, I finally switched to running my own mail server, directly on the server
with no third-party configuration or any docker. "But why?!" cried a friend
desperately, pointing out the existence of Mailcow and Libre.sh,
in addition to the options I'd already tried.
=> https://libre.sh, Libre.sh
The mail server setup I wanted had two requirements:
* Use as few system resources as possible
* Be as unobtrusive to the rest of the system as possible
Both of these requirements are tightly linked to *where* I self-host my
email. Normally, servers are hosted in datacentres with big, fast Internet
connections. About 2 years ago, I noticed that home Internet connections are
quite fast enough, thank you very much; since then, I've mostly been running
email on servers sat at home. In York, I used a standard rack-mounted server
that hid in the larder!
In Shetland (more on that another time), I've switched to an
APU2, which also happens to be my router, website, and everything else as well.
Yes, this post was served from Shetland!
=> https://pcengines.ch/apu2.htm APU2
Being tiny and multi-purpose, a heavyweight mail server solution wasn't an
option. In particular, no Docker. It would be absurd to install Docker on a
machine acting as a router. And in any case, I was always terrible about
rebuilding the containers to get fixes for security issues - I'm too used to
`unattended-upgrades`.
The good thing about docker-based mail server setups is that they are very
self-contained - it's just a few files in `/var/lib/docker`, in the end.
non-docker mail server solutions like Symbiosis or Mailcow have an unfortunate
tendency to try to take over the whole machine. They come with piles of
dependencies, maybe a database and web interface you have to hook up, config
files modified or added across the system. It's not pretty. You also tend to
be stuck on older OS versions for an extended period as the vendor takes a while
to port their octopus-like solution to the updated system.
## Make it better?
I use Debian on all my personal hardware. It's rock-solid and comes with lots of
useful software, with very useful default configurations. I also have a set of
Ansible recipes I use to automate setting things up on those machines - you can
view them on the link below.
=> https://debian.org
=> https://ansible.com
=> https://code.ur.gs/lupine/ansible-personal
So, I resolved to create a minimal set of Ansible recipes that would get email
working simply by installing Debian packages and modifying their configuration,
with as light a touch as possible. You can view what I ended up with in the
`mail` role, so I won't document them in detail, but here's a brief overview:
* Exim4 SMTP server
* Dovecot IMAP server
* amavisd-new + spam-assassin
Everything gets solid TLS support, using certificates issued by LetsEncrypt.
It's quite rare to have a mail server with valid certificates! In any case, if
someone wants *my* email archive, they'll have to serve the warrant on *me* to
get it. And the APU2 is small enough to hide under a floorboard or so, if I
turned out to be really paranoid...
=> https://letsencrypt.org LetsEncrypt
## TODO
The anti-spam setup is extremely rudimentary, and will likely need a lot of
extra work. I'll see how much spam comes in and adjust accordingly. Ultimately,
this was the most disappointing part of the setup - it's Perl-heavy and it took
a lot of head-scratching to work out how the different parts even fit together.
There's no webmail. I'm OK with that.
Dovecot has solr and lucene search engine integration. I doubt either will fit
onto the APU2, but I'll evaluate it.
A long-term ambition of mine is to put together a vertical slice of email
functionality as a single, neat daemon that's optimised for the small, single
domain use case - a sort of Caddy for email. It could even use JMAP and database
storage instead of IMAP and Maildir, ship a HTTP server, and handle the tricky
DNS parts too.
One day. Until then, this setup is working well enough. Give it a try!
=> https://caddyserver.com Caddy
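Review bot: the link line `=> https://libre.sh, Libre.sh` has a comma glued to the URL; the first whitespace-delimited token of a `=>` line is the target, so this links to `https://libre.sh,` rather than `https://libre.sh`. Mailcow is named twice but never gets a link line of its own, and `non-docker mail server solutions like Symbiosis or Mailcow` begins a sentence in lower case. `It's quite rare to have a mail server with valid certificates!` is a strong claim with nothing behind it; either soften it or drop it, since the substantive point is the one around it, TLS on every service using certificates issued by LetsEncrypt, kept current by the same `unattended-upgrades` habit the post relies on for the rest of the box.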

@@ -0,0 +1,219 @@
---
title: "Stardew Valley on aarch64"
---
At the end of last year I got a Pinebook Pro - mostly for reasons of paranoia.
So far, it's been pretty good, but there was
one thing that I couldn't get working: Stardew Valley
You could call me a little bit addicted to this game, but it's proprietary,
closed-source, and the authors don't release binaries compiled for aarch64 -
although they do very kindly release x86_32 and x86_64 Linux binaries, which
is more than most companies do.
I left a message on the forum and moved on, confident that it wouldn't ever
happen. I vaguely knew it was written in C#, but it's not an ecosystem I have
any experience in. I figured it was going to be the kind of thing that comes
under "possible, but not trivial" - and aarch64 + linux is super-niche.
Fast forward a few weeks, I mentioned it in passing on the `#pinebook` IRC
channel, which went a little like:
```
<lupine> stardew valley never got back to me *sob*
<halosghost> lupine: trying to get Stardew Valley on the pbp as well?
<Nadia> The game itself is written in C# so runs through Mono
<lupine> they don't distribute aarch64-linux executables
<Nadia> You just need to build the libraries it needs and it should run
<lupine> it's closed source, so "just need to build" is rather an issue
```
They rather roundly assured me that it wasn't an issue at all, and literally
10 minutes later I had a working Stardew Valley setup. This is incredible.
I'm documenting the steps I took so I can come back to this in the future, but
maybe it'll be useful for others too.
First, you need a copy of the game. I was working with v1.4 as shipppd by
GOG Games. It comes as one of those `.sh` files that contains an archive. That
doesn't have aarch64 support, and doesn't run on the PBP. Fortunately, I'd
already installed it on an amd64 laptop so I just rsynced that over:
```
lupine@pbp:~$ rsync -avzP '10.0.1.104:GOG Games' .
# Might as well grab my savegames at the same time
lupine@pbp:~$ rsync -avzP 10.0.1.104:.config/StardewValley .config/StardewValley
```
I'm sure it's possible to make it run, I'm just being lazy. I'll update this in
the future if I work out how to go from the `.sh` file.
What does this give us?:
```
lupine@pbp:~/GOG Games/Stardew Valley/game$ ls -lh
total 438M
-rwxrwxr-x 1 lupine lupine 12K Dec 8 23:58 BmFont.dll
drwx--x--x 17 lupine lupine 4.0K Dec 8 23:58 Content
-rwxrwxr-x 1 lupine lupine 330K Dec 8 23:58 GalaxyCSharp.dll
-rwxrwxr-x 1 lupine lupine 336 Dec 8 23:58 GalaxyCSharp.dll.config
-rwxrwxr-x 1 lupine lupine 91K Dec 8 23:58 goggame-1453375253.hashdb
-rwxrwxr-x 1 lupine lupine 782 Dec 8 23:58 goggame-1453375253.info
drwx--x--x 2 lupine lupine 4.0K Dec 8 23:58 lib
drwx--x--x 2 lupine lupine 4.0K Dec 8 23:58 lib64
-rwxrwxr-x 1 lupine lupine 197M Dec 8 23:59 libGalaxyPeer64.so
-rwxrwxr-x 1 lupine lupine 177M Dec 8 23:59 libGalaxyPeer.so
-rwxrwxr-x 1 lupine lupine 5.3M Dec 8 23:59 libSkiaSharp.dll
-rwxrwxr-x 1 lupine lupine 119K Dec 8 23:58 Lidgren.Network.dll
lrwxrwxrwx 1 lupine lupine 14 Dec 9 00:00 mcs -> mcs.bin.x86_64
-rwxrwxr-x 1 lupine lupine 17M Dec 8 23:59 mcs.bin.x86
-rwxrwxr-x 1 lupine lupine 16M Dec 8 23:59 mcs.bin.x86_64
drwx--x--x 3 lupine lupine 4.0K Dec 8 23:59 mono
-rwxrwxr-x 1 lupine lupine 2.5K Dec 8 23:59 monoconfig
-rwxrwxr-x 1 lupine lupine 1.3M Dec 8 23:58 MonoGame.Framework.dll
-rwxrwxr-x 1 lupine lupine 527 Dec 8 23:58 MonoGame.Framework.dll.config
-rwxrwxr-x 1 lupine lupine 203K Dec 8 23:58 Mono.Posix.dll
-rwxrwxr-x 1 lupine lupine 328K Dec 8 23:58 Mono.Security.dll
-rwxrwxr-x 1 lupine lupine 3.6M Dec 8 23:59 mscorlib.dll
-rwxrwxr-x 1 lupine lupine 267K Dec 8 23:58 SkiaSharp.dll
-rwxrwxr-x 1 lupine lupine 1.2K Dec 8 23:58 StardewValley
-rwxrwxr-x 1 lupine lupine 4.0M Dec 8 23:58 StardewValley.bin.x86
-rwxrwxr-x 1 lupine lupine 3.8M Dec 8 23:58 StardewValley.bin.x86_64
-rwxrwxr-x 1 lupine lupine 4.1M Dec 8 23:58 StardewValley.exe
-rwxrwxr-x 1 lupine lupine 6.5K Dec 8 23:58 StardewValley.GameData.dll
-rwxrwxr-x 1 lupine lupine 127K Dec 8 23:58 System.Configuration.dll
-rwxrwxr-x 1 lupine lupine 879K Dec 8 23:58 System.Core.dll
-rwxrwxr-x 1 lupine lupine 2.0M Dec 8 23:58 System.Data.dll
-rwxrwxr-x 1 lupine lupine 2.2M Dec 8 23:58 System.dll
-rwxrwxr-x 1 lupine lupine 442K Dec 8 23:58 System.Drawing.dll
-rwxrwxr-x 1 lupine lupine 966K Dec 8 23:58 System.Runtime.Serialization.dll
-rwxrwxr-x 1 lupine lupine 130K Dec 8 23:58 System.Security.dll
-rwxrwxr-x 1 lupine lupine 3.1M Dec 8 23:58 System.Xml.dll
-rwxrwxr-x 1 lupine lupine 131K Dec 8 23:58 System.Xml.Linq.dll
-rwxrwxr-x 1 lupine lupine 161K Dec 8 23:58 WindowsBase.dll
-rwxrwxr-x 1 lupine lupine 48K Dec 8 23:59 xTile.dll
-rwxrwxr-x 1 lupine lupine 9.0K Dec 8 23:59 xTilePipeline.dll
```
The magic here is that not all the `.dll` and `.exe` files here are **Windows**
object files. Instead, many of them are just Mono bytecode, which is analogous
to JVM bytecode:
```
lupine@pbp:~/GOG Games/Stardew Valley/game$ file StardewValley*
StardewValley: Bourne-Again shell script, ASCII text executable
StardewValley.bin.x86: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=4801f8881feefa8aa515f9fadc02c01598c44131, not stripped
StardewValley.bin.x86_64: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=04fe4f2c2ca8b4dc7faf70c643417bf0df632a9e, not stripped
StardewValley.exe: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
StardewValley.GameData.dll: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
```
We need Mono to run these assemblies. I guess the `StardewValley.bin.*` files
ar just stripped-down Mono runtimes that invoke `StardewValley.exe`!
The `mcs.*` binaries are "Mono C Sharp" - I don't know C#, but I assume it's
another essential part of the runtime.
Debian has Mono + MCS already, so...
```
lupine@pbp~/GOG Games/Stardew Valley/game$ sudo apt install mono-runtime mono-rcs
lupine@pbp~/GOG Games/Stardew Valley/game$ ln -sf `which mcs`
```
We can then try to run the game:
```
lupine@pbp~/GOG Games/Stardew Valley/game$ mono StardewValley.exe
```
Amazingly, that's **almost sufficient**, all by itself, to get a fully working
game, at least for me. It starts up, and the only obviously broken thing is
sound. There are some complaints on the comamnd line that don't seem to get in
the way of actually playing it.
Wat.
No sound is annoying though, how about we fix that?
Turns out Stardew Valley only **requires** two external libraries: SDL and
libasound. I've no idea if the graphics is working even though it can't find
SDL, or if it can find my native SDL libary but not the libasound one, or what,
but it's trivial to fix. Edit `MonoGame.Framework.dll.config` and add these
two lines:
```
<dllmap dll="SDL2.dll" os="linux" cpu="armv8" target="./libaarch64/libSDL2-2.0.so.0"/>
<dllmap dll="soft_oal.dll" os="linux" cpu="armv8" target="./libaarch64/libopenal.so.1" />
```
Now you just need to put those two .so files into that directory locally, and
sound begins to work!
(I just symlinked `/usr/lib/aarch64-linux-gnu` into place, which does the same
job).
At this point the game works perfectly, including LAN multiplayer - which is
ridiculous - and despite worries about endianness, it can load and run my saves
as well.
There are a few complaints on the console though. Let's see what we can do
about them.
```
Your mono runtime and class libraries are out of sync.
The out of sync library is: /home/lupine/GOG Games/Stardew Valley/game/System.dll
```
OK, these are shipped with `mono-runtime` (actually in `libmono-system4.0-cil`)
anyway. The complaint is that these assemblies were compiled with a different
version of Mono, but it's falling back to the main ones anyway, so we can just
move these out of the way.
The only `System.*.dll` file we need to keep is `System.Runtime.Serialization.dll` -
the rest can be moved out of the way.
```
System.TypeInitializationException: The type initializer for 'Galaxy.Api.GalaxyInstance' threw an exception. ---> System.TypeInitializationException: The type initializer for 'CustomExceptionHelper' threw an exception. ---> System.DllNotFoundException: GalaxyCSharpGlue
at (wrapper managed-to-native) Galaxy.Api.GalaxyInstance+CustomExceptionHelper.CustomExceptionRegisterCallback(Galaxy.Api.GalaxyInstance/CustomExceptionHelper/CustomExceptionDelegate)
at Galaxy.Api.GalaxyInstance+CustomExceptionHelper..cctor () [0x00011] in <22373852dcce42128dc7e065ea92368d>:0
--- End of inner exception stack trace ---
at (wrapper managed-to-native) System.Object.__icall_wrapper_mono_generic_class_init(intptr)
at Galaxy.Api.GalaxyInstance..cctor () [0x00000] in <22373852dcce42128dc7e065ea92368d>:0
--- End of inner exception stack trace ---
at StardewValley.SDKs.GalaxyHelper.Initialize () [0x00000] in <1ed49e648be548bcae8e4508597c9f4c>:0
```
I am *astonished* that this one isn't a fatal error - but the game runs fine
even though it can't find an external library. Ridiculous.
Galaxy is GOG's multiplayer gubbins. If you've got a Steam game, it's different,
I'm sure, but the functionality this stuff is *for* is to negotiate multiplayer
games with strangers.
I have no use for this myself, but `libGalaxyCSharpGlue.so` is looked up via
another dllmap in `GalaxyCSharp.dll.config` - it's not packaged by Debian, and
it may even be proprietary GOG code, but if we can get an aarch64 version of it,
making it work should be as simple as adding an entry there.
If this did become a fatal error at some point, the minimum work would be a stub
implementation that meets the ABI but always says "no games available" or some
such.
And... that's all the errors. Despite a different architecture, despite being
short some libraries, and despite running reverse-engineered (Panfrost) graphics
drivers with only a bare whisper of OpenGL support, my favourite game is running
at normal speed on an architecture its authors and publishers didn't even think
about.
Again I say: ridiculous
...maybe I should learn some CSharp?
=> https://pine64.org/pinebook-pro Pinebook Pro
=> https://stardewvalley.com/ Stardew Valley
=> https://community.playstarbound.com/threads/arm-arm64-aarch64-linux-support.158840/ Forum message
=> https://www.gog.com/game/stardew_valley GOG Games: Stardew Valley
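Review bot: `sudo apt install mono-runtime mono-rcs` in the Debian install step looks like a typo for `mono-mcs`, the Debian package that actually provides the `mcs` binary which the next line, `ln -sf \`which mcs\``, symlinks into the game directory; if so, apt will report the package as not found. The sound section also states that the game requires "SDL and libasound", but the two `<dllmap>` lines added to `MonoGame.Framework.dll.config` map `SDL2.dll` and `soft_oal.dll` (OpenAL) to `libSDL2-2.0.so.0` and `libopenal.so.1`, so either the prose or the mapping should name the same library. It is worth saying explicitly that `ln -sf` here overwrites the shipped `mcs -> mcs.bin.x86_64` symlink visible in the directory listing, since that is intended but not mentioned. Spelling: 'shipppd' (shipped), 'ar just' (are just), 'comamnd' (command), 'libary' (library).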


@@ -0,0 +1,158 @@
---
title: "The Capitalist Pig-Dog Blog: Coda"
---
## Final apologies
The pig-dog blog fizzled out six years ago. This was mostly because I was too
lazy to collect those receipts, and the longer I left it, the more life changes
took me away from the picture I'd already painted. I always felt a nagging urge
to "finish" the series in some way, though - and now I think I can!
## Consumer activism
This is where I left the previous pig-dog article. There is Ethical Consumer
Magazine for those interested in the topic, but I'll leave it at "can't be done,
cap'n".
=> https://ethicalconsumer.org Ethical Consumer Magazine
Not unless you're rich, anyway.
Ethical Consumer is something of a mixed bag, and is far too credulous on some
topics (biodynamic eggs in the most recent issue!), but is the best resource I
know for the topic. They also show their working, so you can prioritise what
matters for you, and work around any shortcomings in their process or
conclusions. Definitely the poster child for this kind of thing.
## Changes
In November 2015, I began a new relationship. This was followed in 2016 with a
new job; in 2017 by moving to Shetland; in 2018, a proposal; in 2019, a
wedding; in 2020, a pandemic(!); and in 2021, a baby.
In 2022, we're moving back to Yorkshire. Each of the above could be its own
series; I'll see if I get to them, but don't hold your breath. However, we're
returning in very different financial circumstances to those we left in.
## Debt
All paid off. Every penny. Including student loan, car PCP, and mortgages.
How, you ask? Simples. Share options. The new job provided me with some, and
they panned out over the next 5 years. I'm now ridiculously wealthy by any
standard.
The UKPersonalFinance reddit has a website with a handy flowchart,
based heavily on the Bogleheads methodology, and the options permitted me to
skip right to the final step!
=> https://ukpersonal.finance
Mortgages, plural, you ask? Well, I peaked at 3 - the original house in York,
our house in Shetland, and the the new one in Yorkshire. My sister has been
living in the first (rent-free, I hasten to note), and now the mortgage is paid,
I'm transferring it to her legally. The second we bought with a deposit
contributed by my now wife's parents, but it's turned out to be a money pit -
we've spent at least 50% of the original purchase price on repairs, and the saga
continues. We'll be selling it at a significant loss, and I can't wait.
=> /img/pig-dog-05/wall-state.jpg Over half the walls are rotten
=> /img/pig-dog-05/groundwater-state.jpg Groundwater is eating the foundations
=> /img/pig-dog-05/foundations-state.jpg The foundations need replacing
=> /img/pig-dog-05/chimney-state.jpg And the chimney leaks
The new house, we bought with a mortgage, with the deposit coming from sold
shares, but were able to pay it off in full a couple of months later by selling
even more shares! We plan to stay there for at least 5 years, as with Shetland,
then re-evaluate. The off-grid life increasingly appeals to us both, and this
house won't do for that, but it's a fine place for the first few years of a
child's life.
## Equity
As mentioned above, the new company had a share option scheme. Bytemark had
introduced one toward the end of my time there, but the two were very different.
I'd already internally discounted the Bytemark one to £0 because it seemed very
obvious to me that it would never pay out - you had to be at the company right
up until its termination or flotation if you wanted to exercise the shares. I
already had itchy feet at the time, and the best-case scenario was "only" around
the £100,000 mark anyway. GitLab's option scheme was much better - you could
exercise at any time, for a start - but it was really an afterthought when
making the decision to switch.
(As it happens, Bytemark was subsequently bought out by iomart. I switched in
August 2016, and the purchase was Octover 2018, so winnings were in my future,
whichever choice I made. However, with the benefit of hindsight,
switching to GitLab was absolutely the right financial choice to make.)
=> https://blog.bytemark.co.uk/2018/09/04/moving-up-the-stack iomart acquires Bytemark
I'm easily on course to make more than a million pounds after tax from the
GitLab options. The salary is a drop in the ocean by comparison. Naïvely, I can
model this as getting more of my "fair share" of the work I've put into a
company - salary in no way reflects the value added by labour - but the truth
is simpler, and sadder.
I joined early on, and got more share options than people who joined later. The
price of the shares has been doubling or tripling every year, as has the number
of employees, but I get a greater share of the total than those who came later,
since I quite literally own a greater share of the company. It follows that my
wins come at their expense - they work, hundreds of them, to increase the
company's value, and I get a cut of that.
Bleurgh.
## Taxes
Typically, if an employer gifts you a share, that is treated as income and taxed
at acquisition time through PAYE at 19-46% income tax, plus 12-2% national
insurance. With share options, you buy them at a discount, and the difference
between discounted price and market value is taxed as income. Once you own it,
further appreciation is taxed at disposal time through capital gains tax - at a
much lower rate, sometimes as low as 10%.
The Bytemark scheme was very carefully worded to exclude any possibility of
paying income tax rates, instead targeting special CGT treatment, and most of
the provisions I disliked in it came from that choice - it was made to fit the
mould of an Enterprise Management Incentive scheme.
=> https://www.gov.uk/tax-employee-share-schemes/enterprise-management-incentives-emis EMI
GitLab's options did no such thing, so my notional tax rate on the gain has
been 48%. In addition to my million, the tax authorities get themselves a
million as well. The precise number is difficult to figure out - the tax code
pays a *lot* of attention to people making this kind of money. In particular,
the personal allowance reduces to 0 and the pension allowance reduces to 4,000,
although you can now use up allowance from previous years instead. Various other
things suddenly become tax-deductible too, and gift aid starts to make sense,
among other things.
Still, the majority of what ukgov and scotgov do is good stuff, so this is fine.
When I joined GitLab, I had the option to "early exercise" my shares. That would
have cost about £7,000, and - through shenanigans - led to my winnings being
taxed entirely through CGT, at 10-20%, instead of the 48% rate I got. I even had
the money at the time - by coincidence, my car's PCP was up, and I could either
pay off the loan portion, or early exercise the shares. I chose the former, and
even with hindsight, can't being myself to regret it. I still have the car, it
works great.
It does sting a little that other people were able to get the lower rate,
though. If anything, there could be less of that.
## Future
How does one convert a windfall into an income? Through investment! This is
more bleurgh-inducing skimming off of the work of others, as with the share
options themselves; the alternative is to see inflation erode the value of the
cash. I could talk about more-ethical vs less-ethical investments, but
fundamentally, they all work on this premise. Not ideal.
Now I'm actually a capitalist pig-dog, my Ethical Consumer magazine has
suggestions I can follow without pain, so I'll be looking into that.
Got to raise a child! I have parental leave until March, at least.
As ever, I can hope I'll have more time/enthusiasm for writing in this new year.
Time will tell.
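Review bot: spelling in the Debt, Equity and Taxes sections: 'the the new one in Yorkshire' doubles 'the', 'Octover 2018' should be 'October 2018', and 'can't being myself to regret it' should be 'can't bring myself to regret it'. The `=> https://ukpersonal.finance` link line has no label, unlike every other link line in the post.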

content/blog/_index.gmi Normal file

@@ -0,0 +1,3 @@
---
title: "Blog posts"
---