
Import old blog posts

Nick Thomas 5 years ago


@ -0,0 +1,65 @@
title = "DNSSEC + DANE: Part 1"
date = "2013-09-14"
tags = ["security", "technical", "DANE"]
#### Problem
Communications on the Internet overwhelmingly rely on SSL/TLS for protection.
There are two forms of protection this is meant to provide - from snooping of
traffic, and from impersonation. The first of those gets a lot of attention
but, unless we have the latter as well, an attacker can snoop on your traffic
by [performing a man-in-the-middle attack on you with a dodgy
Unfortunately, the current method of providing protection-from-impersonation
is terrible. Traditionally, OS and browser vendors pick a range of root
certificates to bundle with their software - a list that's generally hundreds
of entries long - and everyone trusts that the list is good. Anyone who can
get a certificate into the lists can then sell certificates signed by it to
people who can't (like me, for a start).
They can sell certificates for any domain, for any reason, with any degree of
publicity, transparency or validation; the only recourse vendors have is to
threaten to stop trusting them if the're shown to be issuing certificates that
don't meet some standard or another. If they're compromised and the key for the
root certificate is stolen -
[as happened in 2011](
- then it's a mad scramble to revoke or blacklist new certificates based on that
stolen information before too much harm is done.
Recently, some vendors - Chrome, for instance - haver started introducing
[certificate pinning](
to restrict the range of CAs that are valid for a particular domain. This helps
a bit against some attacks on large sites, but isn't much use as a general
As for the first part - the encryption itself - there's a lot of discussion
right now over which parameters are safe, and which aren't. There's probably
*some* setups that're safe from cryptanalysis - or if not, then we can probably
come up with some. In this area, one more problem we have with the current CA
model is that deploying new types of certificates is a slow process - you have
to wait for a trusted CA to start offering them, before you can use them.
#### Solutions
The current system, then, can be summarised as trust silos. The main contender
to replace it is an RFC known as
This leverages DNSSEC-signed DNS to publish records that say which certificates
(rather than certificate authorities) are valid for a particular service running
on a domain. As it utilises the DNS, we move from trust silos to hierarchical
Hierarchical trust is narrower, and so better, but still vulnerable to
compromises of keys not under your control. However, the only other schemes
I'm really aware of at the moment are based on web-of-trust relationships with
offline identity verification. This boils down to everyone manually curating
bookmarks that tell them how much to trust things, and there are still keys
out of your control that, if compromised, break you - you just get to choose
between trust anchors more flexibly than with a hierarchical system. I'm not
convinced the extra effort is worth it, so I've deployed DNSSEC + DANE instead,
and in the next article, I'll go over how I did it.
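
Review bot: The Solutions section never names the RFC it proposes: the sentence "The main contender to replace it is an RFC known as" ends without a name or link, so a reader of Part 1 cannot tell which document is meant. Part 2 in this same commit cites RFC 6698, so name it here as well. The Problem section shows the same import damage: `[as happened in 2011](` and `[certificate pinning](` have empty targets, the man-in-the-middle link is cut off after "with a dodgy", and "isn't much use as a general" stops mid-sentence. Restore these from the original post, and fix "the're" and "haver" while there.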


@ -0,0 +1,371 @@
title = "DNSSEC + DANE: Part 2"
date = "2013-09-15"
tags = ["security", "technical", "DANE"]
#### Setting up DNSSEC + DANE ( + SSHFP )
Assuming you've been convinced that it's a good idea to set up DNSSEC and DANE,
the point of this article is to demonstrate how I did it for my own domain -
the individual steps to get from nothing to valid DANE records weren't very
difficult; just not documented in a recipe-style guide anywhere. Hopefully,
this will help you get set up. I'm using Debian Squeeze or Wheezy throughout,
depending on host, but the instructions should be similar for most Linux
This is the part that provides the hierarchical trust model, enabling a random
user of your site to trust (more or less, anyway) that when they ask for a
record that tells them which certificates are valid for their site, they
get the same record that you're going to upload later.
##### Resolving nameserver
Firstly, the user needs to be able to make DNSSEC-validatable DNS queries to
begin with. This requires that their caching (also known as resolving) nameserver
supports DNSSEC queries. This is easy enough to test:
lupine@den:~$ dig +dnssec
; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25143
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 4, ADDITIONAL: 7
; EDNS: version: 0, flags: do; udp: 4096
; IN A
;; ANSWER SECTION: 60 IN A 60 IN RRSIG A 7 2 60 20131013124658 20130913125405 17933 k2LOpTkl35qIPmFKVQix87mItL2ycPFTymx0yoZoIt+jpsGhEbQWgiiV FXndEwOKap/RsXdHtzWWWI4vcDdQgES0X/XInAxRKTadceapQ34Nyb0w TN9CpYidxpI35MY9cseZVu9eCKXq0M7VxpSBKSHshby2A/hymJntq1lD sSI= 60 IN RRSIG A 7 2 60 20131013125201 20130913125405 63920 N/dNbs71T0oEAJ0ulqeVPg4ty7UwG02QKOFr3tRy0kDpnRsPvIKX8E0e lVxCU/TCEckfS8QQv3JytoOrIwKt/Y1lOI//NuxLIZT8RndMvWaROkrt Ncs3moQAsD6w0sT+Yn7wx1AimVO4udQ8dh3lyYCKHdRq8VfxyK6/5Lws tzQ=
;; AUTHORITY SECTION: 60 IN NS 60 IN NS 60 IN RRSIG NS 7 2 60 20131013125024 20130913125405 17933 MlltXDEKazn80b3mMqGSOhCCqeQhuiIsgMXI+kaAABnwXyxzHsli+BEL f1AC3Grog3p9DLtRUPbAm3RWIF6HWgd5gJJ5rcw+50ihWVEwQceWniKD Sl/13G7V8pKR0P4GZjpTg//Go4H6xYZAThhU544zjxis5ytupM+rAW0I +ho= 60 IN RRSIG NS 7 2 60 20131013125355 20130913125405 63920 KnOTFZRq6f3K6wbfa6YMjVROHc6kr+RzvthX531H7AQjejB0yAc6ttyI q9J3u/cDg2sdsmROJ91JXkmU7Kjq+LJKrRedQPwY0xLr57ODK/87D3Kv Z9icf5HxarvdN4FlPb7j/uI8EIN4jKXb08976KtPu7BT+6o+1b+rwUWf Ccc=
;; ADDITIONAL SECTION: 60 IN A 60 IN A 60 IN RRSIG A 7 3 60 20131013124618 20130913125405 63920 e1mdvK7ERSuaNIxSf1O+8vyFJWoGBGGPSFt20KLiF+KBU1siDlywTTBr /UT5cNBB4prqcZ0DdFagnmWE2OploEqof0Nl/IiSPwVGy8eGksGmS0Qf zK78emWv4nQmVkiVokcZqIHiAXPxG9ZafJaTo/BGtnThILmatdnk2xuI JdY= 60 IN RRSIG A 7 3 60 20131013125230 20130913125405 17933 1wWdtXpmOk9oOwzl8j8Jvz2IyqfVXIMfB9kDRC0AUKQNvUDk85Xp6AfE 2i4vaupFRa5RTKKj4gBTYRqfObhdrJHLNIRx1BMb/mb/B/8IF0HuxXeU IlGU8Wu/GbDHOHrS42Z3i2w9Y+DVUI1JQQlPHapDtD20kzKnClIN9iSa FRo= 60 IN RRSIG A 7 3 60 20131013125059 20130913125405 17933 WcnS3dw6gQ6gM5dP6tKGK+Gwkd3u8AMco2WCU3WzLoK0ADeJo9qjYGzd pSnJLRRMfiKBeWZJvm6g89sS+gPQh1IlncPp6AaGQdAAyl+OtwIswA/n qPQLlWBdJQrfAnzLKDXbOjTH2K9vXxNSUyAL5QzUgLIAB16oTvREbL42 bIc= 60 IN RRSIG A 7 3 60 20131013125237 20130913125405 63920 V2xTFK6cG9v+mBKbZP7a5yXFJUaXKAt1qOP0VmHWrP1n5lNfvcOMrKLc g4vpaxdbA0M1B7xMhX4ps2IYljAUZdzkBCMXp+bYKPKXdkxKRmXsnspF 7Fii5N9q7FKyhLEbsW8G9MRTScE0ohu5s8db6hOGmkcbyvZJmk5+R1Qd aAk=
;; Query time: 285 msec
;; WHEN: Sat Sep 14 16:54:58 2013
;; MSG SIZE rcvd: 1492
If you see RRSIG records, as above, then you don't need to do anything. If you
don't, then your resolver doesn't support DNSSEC. This is fairly common. As a
first resort, ask your provider (normally your ISP) to fix it. If that doens't
bear fruit, or if you're impatient, you can install and use the
[Unbound](][Unbound) resolver.
I was in the latter situation, and my router happens to run a hacked-up version
of Debian Squeeze, so I installed Unbound on it and configured the DHCP server
to refer to it when configuring clients; so every machine on my home network
now has access to a DNSSEC-capable resolver. You can also install and use it
locally, which might look like this:
root@den:~# apt-get install unbound # unbound-anchor # for wheezy
root@den:~# echo "nameserver" > /etc/resolv.conf
root@den:~# chattr +i /etc/resolv.conf
The resolv.conf file can be managed and altered in a number of ways - I can't
actually recommend altering it to point to the Unbound instance you just
installed and making it immutable. If your desktop environment manages DHCP
for you, then you should investigate options for providing the DNS manually.
Debian also has the `resolveconf` package which would allow you to specify
static fragments to go into resolv.conf. If you're old-fashioned and are
using static configuation + /etc/network/interfaces, then the dns-nameservers
directive will let you specify - your local Unbound instance.
** Browser (and other application) support
Now that you can get DNSSEC records from your resolver, through means fair or
foul, you need client application support. Firefox has a
[plugin]( or [two](
that also support DANE; the equivalent
[Chrome plugin](
only supports DNSSEC. Internet Explorer is probably Right Out, and I have no
idea about Opera, Safari, and the rest. Another option is to install the
[Bloodhound]( browser.
Web browsers aren't the only applications that could make use of DNSSEC and
DANE, of course. Mail and XMPP are two other important protocols; Thunderbird
has no DNSSEC plugin at the moment, as far as I'm aware, and neither does Gajim
or Pidgin. Let me know if you're aware of any replacements that do - there's
obviously work to be done when it comes to client support. The more servers
support DNSSEC, the more pressure there is on client applications to support
it, of course. For now, open this web page on your DNSSEC-capable browser and
ensure that the DNSSEC plugin is happy.
##### Domain
Now that you've got a client environment that can handle DNSSEC records, it's
time to look at getting your own domain DNSSEC-signed. I'll be using
as an example throughout; you need to pick (or register) a domain from a
[DNSSEC-supporting registry](, and you should
ensure that it's with a registrar that allows you to upload so-called DNSKEY
records to that registry. For me, the answers were "" (now ".gs") and
"gandi" - they may be different for you.
##### Authoritative nameserver
Once you've got your domain, you need to decide how you're going to serve DNS
with it, in general. I was lazy and just set up my DNS server on the same machine
as the website - that's not generally appropriate for production, but a common
deployment is to have a DNS master on the same machine as the website, with
geographically-diverse slave servers doing zone transfers over AXFR. I'll just
look at sorting out one nameserver - - though.
The best authoritative nameserver - by far - for DNSSEC support is
It handles all the difficult details that, if I'm quite honest, I don't really
understand. Debian Squeeze includes version 2.9, and DNSSEC support comes in
the 3.x series, so I installed the 3.3 static package available on the
[website]( and installed it.
Wheezy backports, and Debian Jessie, are both easier to deal with.
PowerDNS is fairly configurable, particularly for backends; I used its sqlite3
backend, and setting it up for that looks like this:
root@oak:/etc/powerdns/pdns.d# cat 00-sqlite3-backend.conf
The pdns.sqlite3 file is autogenerated when you restart PowerDNS, but it lacks
certain schema elements that are necessary for DNSSEC. You can add them by
running the commands detailed
- for completeness, they're duplicated below.
root@oak:~# sqlite3 /var/lib/powerdns/pdns.sqlite3
sqlite> alter table records add ordername VARCHAR(255);
sqlite> alter table records add auth bool;
sqlite> create index orderindex on records(ordername);
sqlite> create table domainmetadata (
domain_id INT NOT NULL,
content TEXT
sqlite> create index domainmetaidindex on domainmetadata(domain_id);
sqlite> create table cryptokeys (
domain_id INT NOT NULL,
active BOOL,
content TEXT
sqlite> create index domainidindex on cryptokeys(domain_id);
sqlite> create table tsigkeys (
secret VARCHAR(255)
sqlite> create unique index namealgoindex on tsigkeys(name, algorithm);
Now add some ordinary DNS records for PowerDNS to serve:
sqlite> insert into domains (name, type) VALUES('', 'NATIVE');
sqlite> select id from domains where name = '';
1 # This may be different for you - I set domain_id below to it
# Set your own SOA serial value according to what you prefer
sqlite> insert into records (domain_id, name, type, content, ttl) VALUES(
1, '', 'SOA', ' 1378936223', 3600
sqlite> insert into records (domain_id, name, type, content, ttl) VALUES(
1, '', 'NS', '', 3600
sqlite> insert into records (domain_id, name, type, content, ttl) VALUES(
1, '', 'A', '', 3600
sqlite> insert into records (domain_id, name, type, content, ttl) VALUES(
1, '', 'MX', '', 3600
sqlite> insert into records (domain_id, name, type, content, ttl) VALUES(
1, '', 'CNAME', '', 3600
sqlite> insert into records (domain_id, name, type, content, ttl) VALUES(
1, '*', 'CNAME', '', 3600
sqlite> insert into records (domain_id, name, type, content, ttl) VALUES(
1, '', 'SRV', '0 5222', 3600
sqlite> insert into records (domain_id, name, type, content, ttl) VALUES(
1, '', 'SRV', '0 5269', 3600
At this point, the PowerDNS server will respond to DNS requests, but they're
not DNSSEC-signed. Enabling DNSSEC for the domain is as simple as:
root@oak:~# pdnssec secure-zone
Securing zone with rsasha256 algorithm with default key size
Zone secured
root@oak:~# pdnssec set-nsec3
NSEC3 set, please rectify-zone if your backend needs it
root@oak:~# pdnssec rectify-zone
Adding NSEC3 hashed ordering information for ''
root@oak:~# pdnssec check-zone
Checked 14 records of '', 0 errors, 0 warnings.
root@oak:~# pdnssec show-zone
Zone is not presigned
Zone has hashed NSEC3 semantics, configuration: 1 0 1 ab
ID = 1 (KSK), tag = 7450, algo = 8, bits = 2048 Active: 1 ( RSASHA256 )
KSK DNSKEY = IN DNSKEY 257 3 8 [...] ; ( RSASHA256 )
DS = IN DS 7450 8 1 [...] ; ( SHA1 digest )
DS = IN DS 7450 8 2 [...] ; ( SHA256 digest )
DS = IN DS 7450 8 3 [...] ; ( GOST R 34.11-94 digest )
DS = IN DS 7450 8 4 [...] ; ( SHA-384 digest )
ID = 2 (ZSK), tag = 15433, algo = 8, bits = 1024 Active: 1 ( RSASHA256 )
Now we have a signed DNSSEC zone. If you check the SQLite3 database, you'll
see new records have been generated to match the DNSKEY and DS records displayed
by the show-zone command, and the records you've added will have had various
bits of mysterious glue added. The finer points of DNSSEC are still lost on
me, but the important thing to note is that the "KSK DNSKEY" is the important
record that allows the chain of trust to be developed; this record is given
to the upstream zone via your registry (the "" zone for me), who sign
it with their key. It is rotated every year or so, and you need to inform
the registry whenever it changes; you can have multiple active ones at once.
PowerDNS has some documentation on key management best practices
but I've not needed to fuss with any of this, yet.
So, take your DNSKEY record (or possibly DS record - different registrars
apparently might ask you for different things) and give it to your registrar.
Gandi has a neat "Enable DNSSEC" form you can use; others may vary.
Once they have the record, you're ready to change the nameservers for the
domain to point to the DNS server you've just set up. I did this in gandi's
panel, and additional hoops I needed to jump through (because the nameserver
was in the zone) included notifying Nominet of the ""
name, as well as notifying them of the "glue" between the name and its IP
addresses. This varies quite considerably by registry and registrar, so I'll
leave it as an exercise to the reader.
#### DANE
Now that we have a DNSSEC-signed zone, we can add records to it, as defined by
RFC 6698. Unless someone is able to compromise the DNS trust anchor, your
registry's keys, or your keys, anyone looking these records up can be confident
that they are the ones you uploaded.
##### Getting a certificate
If you already have a self-signed or CA-issued certificate that you intend to
use, then great. If not, you can either buy one from a CA, or become your own
mini-CA and issue one for yourself. I'm sticking with a CA-issued one for the
next few months, because although DNSSEC has poor client support, DANE support
is entirely non-existent; so the value of a non-CA-certified certificate is
still almost nil. Using a CA-issued certificate (mine is from StartSSL, and
was free) in conjunction with DANE is OK - DANE-aware clients will detect
traditionally-MitM'd certificates from such a record - but you miss out on
a couple of benefits. Specifically, you're still dependent on the CA to support
sensible (or new/experimental) key types, and if you let the CA generate the
private key rather than going the CSR route (don't do this, ever) then you're
trusting them not to keep a record of what it was.
I may talk about how to generate a self-signed certificate here in the future.
##### Generating records
Once you've got your certificate and configured your various services to use
it (HTTPS especially, but also XMPP, IMAPS, SSMTP, etc), it's time to link
it all together in the DNS. Generating the records (which are known as TLSA
records) is a pain, but there is a tool - called [swede](][swede) -
to do it for you. It's Python, only works against HTTPS, and you'd get and
use it like this:
lupine@den:~/Development$ git clone
Cloning into 'swede'...
remote: Counting objects: 116, done.
remote: Compressing objects: 100% (55/55), done.
remote: Total 116 (delta 67), reused 107 (delta 59)
Receiving objects: 100% (116/116), 21.83 KiB, done.
Resolving deltas: 100% (67/67), done.
lupine@den:~/Development$ cd swede
lupine@den:~/Development/swede$ sudo apt-get install python-unbound python-argparse python-ipaddr python-m2crypto
# [...]
lupine@den:~/Development/swede$ ./swede create --output rfc
No certificate specified on the commandline, attempting to retrieve it from the server
Attempting to get certificate from
M2Crypto does not support SNI: services using virtual-hosting will show the wrong certificate!
Got a certificate with Subject: /description=z3YBHiV5NCKOeIZs/C=GB/ IN TLSA 1 0 1 9730ccc0952f3150bc3c640aedb364bd628bc1738ada89826624d9442589eb06
That last line is the TLSA record that identfies your certificate. Even though
swede only supports HTTPS, you can change _443 to _5222 and you've got an XMPP
record - so let's add a sensible set of TLSA records for this certificate to
root@oak:~# sqlite3 /var/lib/powerdns/pdns.sqlite3
sqlite> insert into records (domain_id, name, type, content, ttl) VALUES (
1, '', 'TLSA', '1 0 1 9730ccc0952f3150bc3c640aedb364bd628bc1738ada89826624d9442589eb06', 3600
sqlite> insert into records (domain_id, name, type, content, ttl) VALUES (
1, '', 'TLSA', '1 0 1 9730ccc0952f3150bc3c640aedb364bd628bc1738ada89826624d9442589eb06', 3600
sqlite> insert into records (domain_id, name, type, content, ttl) VALUES (
1, '', 'TLSA', '1 0 1 9730ccc0952f3150bc3c640aedb364bd628bc1738ada89826624d9442589eb06', 3600
sqlite> insert into records (domain_id, name, type, content, ttl) VALUES (
1, '', 'TLSA', '1 0 1 9730ccc0952f3150bc3c640aedb364bd628bc1738ada89826624d9442589eb06', 3600
sqlite> .exit
root@oak:~# pdnssec increase-serial && pdnssec rectify-all-zones
Now when you visit your website in a DANE-enabled browser, you'll see the
certificate is considered valid; you could remove all CA certificates from it
or use a self-signed certificate to the same end. Success!
#### SSHFP
As a fillip, now that you've done all that work, you can also add SSHFP records
to smooth SSH access. That looks like this:
root@oak:~# sshfp --scan
WARNING: Ignoring -k option, -s was passwd
# SSH-2.0-OpenSSH_5.5p1 Debian-6+squeeze3
# SSH-2.0-OpenSSH_5.5p1 Debian-6+squeeze3 IN SSHFP 1 1 08C614DAF69DA62937FEFFA025607569B54B8D08 IN SSHFP 2 1 67B596A0A593A931DAD21C83F6E7B9F02CBFE6F5
root@oak:~# sqlite3 /var/lib/powerdns/pdns.sqlite3
sqlite> insert into records (domain_id, name, type, content, ttl) VALUES (
1, '', 'SSHFP', '1 1 08C614DAF69DA62937FEFFA025607569B54B8D08', 3600
sqlite> # ...
sqlite> .exit
root@oak:~# pdnssec increase-serial && pdnssec rectify-all-zones
To make use of this, you'll also need to alter your ssh_config:
lupine@den:~$ echo "\n\nVerifyHostKeyDNS yes" >> ~/.ssh/config
The outcome is that when logging into your machines over SSH from a new
location, your SSH client can check the presented host key fingerprints
against the ones in DNS, and warn you if they don't match for any reason -
a man-in-the-middle attack, for instance. Or a server reinstall, of course.
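
Review bot: The TLSA records inserted in the "Generating records" section all use `1 0 1`, which does not support the claim that follows them, "you could remove all CA certificates from it or use a self-signed certificate to the same end". Under RFC 6698, certificate usage 1 requires the server certificate to pass ordinary PKIX path validation as well as match the record, so a client with no CA certificates, or a server with a self-signed certificate, would fail validation against these records; that case needs usage 3 (for example `3 0 1` with the same SHA-256 digest). Either reword the sentence or show the usage 3 record next to it. Two smaller points: `echo "\n\nVerifyHostKeyDNS yes" >> ~/.ssh/config` appends a literal `\n\n` under bash, whose echo does not interpret backslash escapes by default, so printf is the safer form; and the `create table` statements in the sqlite3 session have lost their closing parentheses and some columns (`tsigkeys` is indexed on `name, algorithm` but only `secret` is declared), so the schema cannot be pasted as shown.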


@ -0,0 +1,87 @@
title = "York Festival of Ideas 2015"
date = "2015-06-15"
tags = ["security", "technical"]
#### Users vs. Techs
This year, I learned about York's [Festival of Ideas](
Started in 2011, this year's theme was "Secrets and Discoveries", which included
a whole day (today) on [Surveillance, Snowden and Security](
Right up my alley, so off I went. This article is really about things that were
brought up in a panel discussion, entitled [The Future of Cyber-Security](
I don't know if these things are being recorded and uploaded, but I'll link if
it becomes available.
The panel was composed of five speakers, with what could be called a range of
experience; it was chaired by a BBC technology correspondent. Early in the main
discussion came a generally-agreed maxim - that "we" shouldn't let "the techies"
determine our online future. Being as charitable as I can be to this idea, I think
it's expressible as "not everything that is possible should be permitted". Or maybe,
"techies should build the online environment we mutually agree we should have,
rather than the one techies think is best". At the time, it came across as being
quite antagonistic - in any division of the populace between "techie" and "everyone else",
I'm surely in the former group, after all.
Later in the discussion, an illuminating window was shone on this attitude - at
least for me - by a digression into the power that a small, elite group of
technologists sitting in Silicon Valley and working on huge online edifices that
we find ourselves willing, or forced, to use. Facebook, Google, Apple, Microsoft,
etc. These services and software companies mediate a large portion of online
interactions, and to a very real approximation, they *do* decide what is possible
online for people. This became evident in the last (and best) audience question
of the session, where someone asked what alternatives there were to these
behemoths - the questioner wanted to know what she could do, right now, to avoid
them, if possible.
None of the panel could answer this. They all sheepishly proclaimed their allegiance
to Google, or to Apple, and commuted the question to "can we do without this service?"
or "what's the minimum amount of information I can give to this company while still
using their service?". One of the panellists (I forget who) managed to note that
alternatives do exist for some of these services, but didn't know what any of them
were, and opined that the cost of finding and using such an alternative outweighed
the benefits of escaping the Silicon Valley set of solutions.
These people are users. More than that, they are consumers. Consumer activism,
it turns out, is how they expect their online services to evolve in a direction
that fulfils their wishes. (The pig-dog blog, incidentally, turns out to be
consumer activism and it's not a new thing. Who knew?) The techs are expected to
present a choice of online services that represents the range of the possible
(well, minus a few that have been determined ahead-of-time to be too dangerous),
and consumer choice is meant to filter out the bad ones. Wouldn't that be nice?
In reality, of course, the options open to me as a tech for any online service
are much broader than the options open to a user, simply because many ways of
providing a given service haven't been productised in any sensible fashion. I
host my own email and instant messaging, and create my own encryption keys to
secure these things over the wider Internet. This is the online equivalent of
brewing your own beer, or making your own biltong. Those who can't are unlikely
to ever have the *dubious* pleasure of tasting Henderson's Relish biltong.
Anyway, these users have their view of what is possible shaped by the products
that are currently successful. The "right to be forgotten" ruling came up partway
through this panel. Removing search results from Google indexing is fairly pointless,
a techie will cry - the content still exists, after all, and other search indexes also
exist. You just can't stop YaCy from indexing them. But it doesn't matter to the user -
the desired effect has been achieved according to their (limited) view of what is possible.
The idea of having your own email securely located in your own living room, or being
responsible for asserting your own identity online, is a revolutionary concept
to users in general. They're just not aware that it's an option until a helpful
techie informs them that it is - brainstorming "alternatives to GMail" with such
a group is going to throw up replies like "hotmail". Their view of what is possible
is shaped by the techies providing the services they already use.
Attempts to productise self-hosting of email, say, are ongoing - but it's a niche
thing. The other side of the coin is attempting to convince users to be more
gung-ho with non-productised (or less-productised, I guess) solutions. If we're
sat in a wood, freezing to death, a decent proportion of us could make fire from
first principles, even if we don't have a Zippo lighter with us. As things are
with online services, we wouldn't even start collecting the analogous driftwood.
Groups of techies like those behind MailPile have got the right idea, I think,
but it's an uphill slog - and trying to make users aware of these possibilities,
and get them into policy and legislative debates, is the hardest bit. The tech
comes naturally to us, after all. Did I stand up and say any of this at the panel
discussion? Of course not :p.


@ -0,0 +1,30 @@
title = "New Blogging Platform"
date = "2015-04-09"
tags = [ "meta", "technical" ]
#### Alive again
So, back to blogging. I've tried to run a blog since the dawn of time, more or
less, and it's always been a bit of a failure, partly for lack of anything
interesting to write about, and partly because blogging software is uniformly
awful. Typo, Wordpress, Zotonic, various home-grown bits and pieces... always a
hassle to install, maintain and publish to.
The latest attempt is also slightly home-grown, but based on the
codebase (via hints [here](, which is reasonably
pleasant. TODO: styling. Really TODO.
#### The future
No point having a blog if I'm not going to put anything on it (again), of
course. My old articles will be imported soon (they remind me how to do DNSSEC,
so I really do need them), but I'm hoping to embark on a project that's been
sat around in my head for a little while now. Working title: *The Capitalist
Pig-Dog Blog*. There's also a general election coming up, which is making me
want to write things, as ever. The state of housing is also still in my head.
Prices make me angry, co-operative housing models make me feel better.
Watch this space. Possibly forever, but hopefully not.


@ -0,0 +1,101 @@
title = "The Capitalist Pig-Dog Blog"
date = "2015-04-19"
tags = ["politics"]
categories = ["pig-dog"]
#### Wat?
I'm a sucker for catchy names (do say it out loud, at least once), but the
premise might need some explanation for people who aren't me. It's worth noting
at the outset that I'm primarily writing this for, and to, myself; but there's
no point in being unreasonably obtuse about it.
"Capitalist pig-dog" is a wonderful insult I've heard in the past, usually
issued by comical Communist caricatures at heroic Capitalist caricatures in
pursuit of a cheap laugh or two. I can't track it down to a particular source,
although the Pythons are partially to blame for popularising "pig-dog" in
general. The term really caught my imagination about a year ago, and I've spent
the intervening time trying to work out what it *means*. Or could mean.
Any analysis of my political/socioeconomic views puts me somewhere generally
identified as leftwing. Although I can't call myself a communist in good faith,
people I discuss these things with will happily label me a communist or
socialist after a few rounds of discussion. Hopefully, it goes without saying
that I should try to stand by my beliefs, and live according to them. Even if
said beliefs are dead wrong (of course, I don't believe they are), doing
*nothing* about them would be a little odd.
![Political Compass - Me](/post/pig-dog-01/politicalcompass-me.png)
The most obvious thing I can do is to vote in elections according to said
beliefs; being a UK citizen, I get a wonderful range of choices.
![Political Compass - Parties](/post/pig-dog-01/politicalcompass-uk-parties.png)
The [Green Party]( are probably closest to me at
the moment, although I wouldn't consider myself to be a natural Green voter.
Living in York adds [Yorkshire First]( and
the [TUSC]( to my ballot paper, but removes
the [SDLP](, [Plaid Cymru](, the
[SNP](, [SSP](,
[Sinn Féin]( and [Respect](
A choice of three vaguely representative candidates to vote for isn't terrible
(assuming the TUSC and Yorkshire First are in my ballpark), so I can express my
beliefs in this way.
However, since [York Central](
is a pretty safe Labour seat, and the election is run according to the frankly
pathological [FPTP]( system,
that vote doesn't then result in my beliefs being advanced through the political
system. By itself, this form of political expression is a non-starter. At best,
I can help one of these parties to start establishing a support base to get an
MP into parliament to... well, do very little.
[Westminster is not kind to small parties](]).
Voting, then, is not doing much for me, or my beliefs. Even if it were, it's a
couple of minutes of action every five years or so - and my beliefs are
important to me. Since the parties in power are busily advancing beliefs that
are, in my view, fairly diametrically opposed, surely there is more that I can
do? Activism for parties I *do* support, and reform of the associated
electoral systems, is a long game, and I do put some resources into that -
although I could do more, I'm sure. In my personal life, I can resist the
prevailing (or Westminster-prevailing, perhaps) social currents and act
according to my conscience instead. Economically, though, I'm a bit stuffed.
The UK is, at least in theory, a capitalist state - and by living here, drawing
a wage here, paying taxes and spending money here, I am engaging in that system.
These actions mark me as a capitalist pig-dog by deed, even if my words are
quite different.
#### Help, I'm stuck in a capitalist country
I'm not actually stuck, of course. I could move to a different country - one
matching my ideological leanings more closely. Some thought and research has
gone into this possibility - I recently visited
[Finland](, and I'm keeping
an eye on [Scottish independence]( - but it's on ice
at the moment.
What else is there to do? Here's the not-very-revelatory revelation: in
[capitalist economic systems](,
[spending money is a bit like voting](
People engage in consensual exchanges - labour for money, money for (other)
commodities. Competition drives down prices, price discovery guides production,
and consumer choice determines which competitors win out, in the end. Consumer
choice is generally assumed to be "rational", which can be interpreted in a
number of ways, and may not be true in general anyway.
In reality - in my judgement, anyway - the system I'm in doesn't work like that
at all. But if it works a *bit* like that, I can advance my beliefs by earning
and spending according to them. I think I already do that to some extent, but
I've never tried to analyse or quantify it; I just act in fairly knee-jerk ways
to the new story _du_jour_ . What if I look at everything I earn, and everything
I spend? What if I analyse it and try to maximise the effect that my money has,
in creating the sort of world I want to live in? And what if I blog about it,
and others join in? Will I still be a capitalist pig-dog? Will they?
Let's find out.
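
Review bot: Two markup slips in this post will render incorrectly: the link `[Westminster is not kind to small parties](]).` has a stray `]` and no target, and `_du_jour_ .` in the final section puts an underscore inside the emphasised phrase and leaves a space before the full stop (suggest `_du jour_.`). The other links in the file, such as `[Green Party](` and `[FPTP](`, also have empty targets and need their URLs restored from the old blog.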





@ -0,0 +1,102 @@
title = "The Capitalist Pig-Dog Blog: Starting Points"
date = "2015-04-24"
tags = ["politics"]
categories = ["pig-dog"]
#### Beliefs and values
My last post talked a bit about beliefs and sticking to them, but it shied away
from discussing them in any detail. Words like "leftwing", and the
[Political Compass]( graph, might have given a
few hints away. If I'm going to be analysing and changing my behaviour according
to these things, it's important to get a decent grasp on what they _are_.
Firstly, I don't consider myself to be an ideologue. I've read
[Das Kapital]( and
[The Wealth of Nations](,
but I'm not about to pick one up and start brandishing it as the source of all
answers to everything ever. Instead, I think of myself as a pragmatist - the
economy (and human economic behaviour in general) is a means to an end, and
should be arranged however best meets those ends, regardless of theoretical
What end(s) am I pursuing? I lack any great theoretical underpinnings for this
either, but it's very important to me, personally, that everyone has access to
a basic, comfortable standard of living. It is also very important to me that
the power people have over other people is minimised. These beliefs do have
a degree of tension, of course - to ensure everyone is comfortable, you must
necessarily impinge on the freedom of others, to an extent. I've mostly resolved
this internally by emphasising the collectivist strand over the individualist
Is this all classic [Third Wayism](
Am I 20 years late to the party? Perhaps to an extent, but watching New Labour
in action (or looking back at its goals and accomplishments) doesn't leave me
with the feeling that the strategies pursued actually worked - instead, I'm left
with some degree of hostility to naive market solutions.
I think this mostly comes down to private property. Some people believe that
property rights are [sacrosanct](,
with their exercise being a vital part of being free from others, but I lean
more towards viewing them as a device for exercise power over other people.
Property rights are, of course, here to stay - and I take advantage of them
extensively - but this viewpoint informs how I'm inclined to use property rights
to solve problems. In particular, I'm liable to avoid usages of property rights
that permit a relatively few people to direct or control the behaviour of many
others, or their exploitation. Like the entire
I consider rentiers to be rather bad; to me, this form of participation in a
market necessarily maximises the amount of power over others that a group can
have, while leaving significant numbers unable to participate (as artificially
restricting supply to raise prices is the surest way of increasing profits).
Austrian-style economics see rent-seeking and demand an end to all regulations;
but in many cases, some regulation is actually quite handy. As an example,
removing all planning restrictions would reduce the costs of property
significantly, but it would also result in some very unpleasant - including
fatal - dwellings being constructed. Honest regulations aiming to meet the basic
human need of housing -
is that so [difficult]( to achieve?
At some point I'll be examining what I do for housing myself, and what other
options there are. Perhaps I'll be able to come to some conclusions at that point.
For now, it's easy to point at problems, but much harder to think up solutions.
#### Income and expenditure
I've spent a little while trying to work out whether I should publish actual
numbers on here or not. We can be an odd bunch when it comes to how much we
earn, what we spend it on, etc. In the end, I figured, what's the harm?
I've been using [Gnucash]( to track my finances since 2010,
and while I could just open up read-only access to that database, even I'm not
that open. So instead, I made some pretty pictures:
![Net Worth](/post/pig-dog-02/net-worth.png)
I am intending to dip into this historical data a fair bit in the future,
so this isn't the sum total of everything I'm releasing ever; there might even
be some tables in the future. The next post will look at my income in more
detail, before I go on to poke various aspects of expenditure (which is the
really interesting bit).
For now, I'll just note that my take-home pay (after taxes and pension
contribution) is ~£3300/month (this is
[better than the median](
but my net worth (excluding said pension, as it happens) is still
[relatively low](,
although it's on a fairly rapid upward trajectory. All this gives me
significant leeway to change my behaviour that, I will try my best to remember,
won't necessarily be available to people earning the kind of sums I can remember
from before I lucked out (this job started in 2008; things were a lot hairier
before then, hence the current net worth game). The next post will look at my
income & net worth in a bit more detail; it's worth setting out how much I earn
and why I earn it in the way that I do (along with considering alternatives,
feasible or no) before going on to see how that money is spent, hoarded or
invested in any detail.
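Review bot: the "Income and expenditure" section announces the next post twice, first as `The next post will look at my income in more detail` and again two paragraphs later as `The next post will look at my income & net worth in a bit more detail`. Keep one and fold the other's detail into it. In the property-rights paragraph, `a device for exercise power over other people` should read "exercising power".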





@ -0,0 +1,155 @@
title = "The Capitalist Pig-Dog Blog: Income"
date = "2015-05-01"
tags = ["politics"]
categories = ["pig-dog"]
#### Payday!
I get paid at the end of each month, from my job at [Bytemark](
This is a typical employment contract, nothing special, but it bears thinking
about anyway. Bytemark's a pretty standard for-profit company; people hand over
cash for hosting, some of that cash is handed over to me in exchange for labour.
I never see some of the cash nominally handed over to me, because of
[taxes](, which go to various things - some
of which I like, some of which I don't. More on *that* another time.
Work is how I pay the bills; bills are how I live. The job ensures that I have
somewhere to live, food, water, energy, transport... everything. It's possible
some of this can be changed in the future, and I'll look at that when I get around
to it, but this is the situation right now.
Fundamentally, I'm quite happy to accept the Marxist analysis of employment (go
back and read Das Kapital if you haven't already). The job that I have is pretty
nice to me, personally, but it's an exploitative contract (see: surplus value),
which works towards the reproduction of capital, and so ensuring these kinds of
contracts continue on forever.
The usual free-market objections to this analysis that I encounter have been
deeply unconvincing; usually, they revolve around the idea that labour is a free
market (or it would be, if it weren't for that pesky government), and people are
free to exchange their labour for wages, or not, as they prefer. Nobody would
willingly allow themselves to be exploited, so employment cannot be exploitative.
#### Compulsion
Unfortunately, if I don't work, I'm in a bit of a sorry state. Refusing to work
means no wages. We live in a vaguely civilised society, so if you're out of a
job there are welfare payments. Of course, you're not eligible for those if you
refuse to work - and it's generally argued amongst those *not* on welfare
(and even many who are) that "conditionality" - as the DWP now calls - is a good
The switcharoo here is that I'm actually fine with working in principle - what
I'm not fine with are the employment terms on offer. But if I don't accept those
terms, I'm left in the fairly precarious position of needing to find a new way
to acquire, at a minimum, housing, food, water, energy and transport. If there's
no sane way for me to do this, the idea that the labour market is a free one is
ridiculous; a choice of X or death is no choice at all.
It's worth noting that I could quite conceivably go on doing exactly the same
job with no complaints, if the background issue of compulsion went away; I am in
effect complaining, right now, about having no option but to do something I don't
really mind doing anyway. Other people may hate their jobs, of course, but if I
weren't being paid to write code, I'd do more of it at home for fun.
#### Alternatives
So, is there a current (or conceivable) alternative that could render the current
situation unexploitative? From my point of view, the simplest hack is to make
the social security net unconditional. This normally takes the form of a
[basic income]( or
[negative income tax](
Without the threat of death if I refuse to accept the commonly-offered contract
terms in my field, the contract can be freely negotiated and entered into (or
refused, of course), and free-market logic starts to line up with reality. In
this model, employers desperately need employees to survive; but potential
employees can scrape along, more or less, without employers for as long as they
feel they're being exploited. (In my case, that might not be any time at all, of
course). It's a complete inversion of the currently-existing power relation
between employer and employee, and this is for the better, in my view. However, it's
[not happening anytime soon](
It's also worth noting that people are supremely good at not noticing that they're
being exploited; I'm taking a marxist analysis here almost as a given, but it's
the height of barmy radicalism to a lot of people. I'm fine with that.
Entrepreneurs in the audience are, at this point, jumping up and down and shouting
"why not start your own business, or become a contractor?" - and I have given
both of these options serious thought in the past. Ultimately, however, neither
option does much - as a contractor, I'd still be subject to extraction of surplus
value; I'd just be throwing away a whole bunch of protections in employment law.
Becoming a business owner is identical to being a contractor, if the business is
a sole trader; and once I employ someone else, I'm just swapping around who
is the exploiter, and who is exploited. If I don't like the contract style,
there's absolutely no way I'd want to impose it on someone else, right?
So far, I've assumed that surplus value (and all the other standard aspects of
a capitalist business) is actually happening. Could I construct (or join) an
organisation that lacks these characteristics, and so salve my conscience that
way? I've not come across anything that would allow me to pay the bills, but
[non-profit](, [Free]( or otherwise
worthy software development is generally available (reskilling might also be an
option, allowing me to change jobs completely, but that's not something I can do
Joining a [worker's cooperative](
would also do the trick, but I'm not aware of any in my current skill set. I've
already enquired about the possibility of converting Bytemark into one; it's a
no-go. Do get in touch if you're running one ;). Could I start my own up? Quite
possibly, but not this year, and probably not next year either. Starting a business
(of any sort) requires more capital than I have at the moment. That's changing,
of course, but I'm still quite ambivalent to this option; running a worker's
co-operative really does come under reskilling, I suppose!
Evidently, I should have looked harder; there *are*
[co-operatives]( in business. Eeeenteresting.
#### The nuclear option
Finally, I could just pack it all in, withdraw from the current market system
for housing, food, water, energy and transport, and join a long, honourable list
of people who've taken up [homesteading](
All I need is enough land to support me, either individually or as part of a
Back in the day, this was a viable living choice. Hopefully it's entirely obvious
that it's not the option it used to be - all the land is claimed, owned, parcelled
out, unavailable. If you want to live off the land, you need to acquire the land
first. And not just any land - you'll need permission. Really, this option has
the same problems as "start a worker's co-operative". Prohibitive levels of
reskilling, and large initial capital requirements. Another one for the future.
It's worth noting that this state of affairs hasn't come about by
[chance](, and nor is it
Land reform is [more popular in some areas than others](;
maybe this can be fixed in time.
#### Full circle
That's a lot of words, and not all of them are particularly encouraging. Would I
want to grub in the dirt for food every day of the week, even if it were an
option? Would a worker's co-operative be a success in any of the fields I could
work in? Am I brave enough to switch jobs *right*now*? Only possibly!
Leaving that last one aside, is there anything at all that I can do to improve
matters here? The fundamental issue is the imbalance of power between employee
and employer; the traditional remedy for that has been unionisation.
there is no union shop at work, nor do I suspect there ever will be; but I can
always join a union as an individual - [so I will](
I don't expect it to change any aspect of my current employee-employer relationship
in the short to medium term, but if nothing else, maybe the dues will help somewhere
else; and unions really need a shot in the arm. They really
[aren't]( the mass movements they
[to]( be, and they're not going to
improve if someone as in favour of them as myself can justify not joining one,
are they?
So, membership form sent. That makes this post worthwhile all by itself! I'm only
7 years late in joining... and hey, it's [May Day](!
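Review bot: the emphasis in `Am I brave enough to switch jobs *right*now*?` is malformed. An asterisk stands where the space should be, so it will not render as one emphasised phrase; write `*right now*`. In the "Compulsion" section, `"conditionality" - as the DWP now calls - is a good` is missing its object ("calls it"). In "Full circle", the sentence `there is no union shop at work` starts in lower case. `marxist` in "Alternatives" should match the capitalised `Marxist` used earlier in the same post.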


@ -0,0 +1,129 @@
title = "The Capitalist Pig-Dog Blog: Expenditure: Debt"
date = "2015-05-27"
tags = ["politics"]
categories = ["pig-dog"]
Nick Thomas
#### Apologies
It's been a bit quiet recently because I've been collecting receipts all month.
Once I've got a month's worth, I can write a scintillating article about
shopping expenditure; until then, I'll just have to content myself with a short
piece on debt expenditure.
#### Time travel
I've got quite a few debts; modern capitalist economies really are predicated
on the notion that [debt is good](
Although this raises a [lot](
[hackles](, but it doesn't bother
me too much. If we're going to have money, it might as well have a high
[velocity](, and a lot of the
objections are from people I'm not predisposed to trust. Also, there's very little
I could do on a practical level except to stop using money entirely. Not impossible,
but very much on the outskirts of practical.
I will never link to Alex Jones again. I promise.
Anyway, the basic principle of debt is that you are leveraging your future earnings
to get something done *now*, goddamnit. As a child of New Labour, I was fortunate
enough to go to University, but in doing so, I got to experience this concept
for the first time in the form of
[student loans](
Fairly simple - the government lends me £12,000 over three years to go to university,
I pay it back with interest once I've got a decent job. I win, the government
wins twice (as it gets a higher-rate taxpayer out of it too), and society at large
wins as well. Certainly in theory.
Student loans aren't my only credit arrangement, of course; I've borrowed money
since for various reasons. I don't really have any objections in principle, it's
mostly a matter of [degree](
#### Analysis
So what does my current expenditure on loans look like? And where does it go?
<th>Monthly payment</th>
<th>Months left</th>
<td>Student loan</td>
<td>Student Loans Company</td>
<td>Personal loan</td>
<td>Bathroom loan</td>
<td>Barclays Personal Finance</td>
<td>Boiler loan</td>
<td>Hitachi Loans</td>
<td>Car loan</td>
It's not particularly pretty; even on my income, this is too much money on debt
repayments, any financial planner can tell you that (it's not even the end of the
story; there's also credit cards and an overdraft to consider, but I'll talk about
those separately). Just on common prudence grounds, it's imperative that I reduce
these payments; fortunately, the student loan is almost repaid and the mortgage
becomes much cheaper in the near future (new fixed-rate deal); that reduces the
total to around £1500, which is somewhat more sensible.
In terms of who gets the money, Nationwide - a building society - gets the biggest
single share, receiving over half of it. The Student Loans Company - a non-profit -
is another significant beneficiary, at least for now. "Just" a quarter of the current
total - £480/month - goes to Evil Private Companies.
A loan can be repaid at any time, so in theory I could shift that monthly expenditure
to Nationwide just by taking out a second loan; the amount of detriment to the losing
companies is precisely the interest they lose from my doing so, minus any early
repayment fees. The Hitachi one is worthwhile, so I'll look at that; the Barclays
one is not, but is nearly repaid. The car is actually a
[PCP]( with an interest
rate of 0% (I guess they make their money from the VAT dodge), so the point of moving
it within the term is more or less nil.
Future loans can certainly be taken out exclusively with mutual organisations.
Building societies are OK, but alternative models do exist;
[credit unions]( are a better model,
but they aren't that popular in the UK, and my local one
[collapsed in 2012]( -
I'd actually filled out the membership form the day before they went.
Interestingly, it seems SYCU have expanded to York; they have a branch in the city,
at least. I've emailed them to ask about membership. I'll see if I can move a
subset of my concerns there; although I'd be surprised if they can do mortgages!
The mortgage itself is an interesting thing; I'm paying it instead of rent, and
that in itself makes it great. I'll see if I can write more about the Evils Of
Renting later in the year.
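Review bot: under "Time travel", the sentence that opens `Although this raises a [lot](` carries on with `, but it doesn't bother me too much`, which doubles the conjunction; drop either "Although" or "but". Separately, the bare `Nick Thomas` line between `categories = ["pig-dog"]` and the first heading is not a `key = value` pair like the rest of the front matter. If it is meant as the author, give it a key such as `author`; otherwise remove it, since the other imported posts have no such line.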


@ -0,0 +1,56 @@
title = "Subsonic and licensing"
date = "2015-07-26"
tags = ["security", "music"]
#### Subsonic
[Subsonic]( is a reasonably neat "personal cloud" sort of
thing for playing music. In many ways, it replicates the [Owncloud](
Music application. I'm a fan of that too, but switched to Subsonic once it became
clear that upgrading OC would always be a trial. Unfortunately, although Subsonic
is open-source, it includes a bunch of money-making "premium" stuff backed by a
licensing scheme. This includes nagware, etc.
With an open-source project, you can just fork it and release a version with all
that crap removed, of course, and that's precisely what
[@EugeneKay has done](
#### Do not trust HTTP or DNS
As the patch notes, the licensing scheme is fairly hilariously simple: the
license "key" is just the md5sum of the email address; a remote HTTP server
is looked up over DNS and queried to see if that license is on a central DB and,
if it is, whether it has expired.
So in /etc/hosts:
In /etc/nginx/sites-enabled/
server {
listen 80;
listen [::]:80;
location /backend/validateLicense.view {
return 200 "true\n2068585481000\n";
location / {
(I've not actually tested the proxy_pass but I imagine it'll work).
Then in the Subsonic licensing box:
Key: b48def645758b95537d4424c84d1a9ff
So, no need to maintain a separate fork after all. Beautiful.
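Review bot: the section headed `Do not trust HTTP or DNS` stops at the workaround and never states the lesson the heading promises. The post itself says the check is `a remote HTTP server` that `is looked up over DNS and queried`, and that the key is `just the md5sum of the email address`. So nothing in the exchange is authenticated: whoever controls name resolution or the network path decides the answer. For a post tagged `security`, add a sentence spelling that out, and that a check like this only means something if the client can verify the response (for example a signature checked against a key it already holds). Also, `(I've not actually tested the proxy_pass but I imagine it'll work)` should be tested, or the untested part dropped, before this is published.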