Privacy Matters

yet another blog about privacy and security online

Why you won't find me on WhatsApp and why you shouldn't use it yourself? For one simple reason: there's a better alternative called Signal. That's it. I could probably stop here and call it a day.

However, for those of you who need a little more persuasion I've got a few more reasons to switch.

  1. Signal is a non-profit and it's been around for many years now. Thus, you can safely assume that it will be here for many years to come. In other words, it's a stable platform that won't leave you stranded.
  2. As opposed to WA, Signal is open source and its end-to-end encryption is a gold standard in the industry.
  3. Signal doesn't really collect metadata.
  4. Signal does not offer a cloud backup, which is actually a good thing. WA nags users to enable backups that are often unencrypted. This, in my opinion, undermines the whole idea of E2E encrypted messaging.
  5. Coming back to point 1, Signal doesn't have any incentive to collect your data as it's funded by its users. I gladly donate to the project each month and I'd like to encourage you to do the same. This way we can keep Signal independent from Big Tech.

I think these reasons alone should be enough to try out Signal. Obviously it's not the only secure messenger out there. But it's one of the most user-friendly options available atm. The more people who sign up, the better off we'll be as a society.

Reply to this on the fediverse: @michal@101010.pl

So this is a new home for my blog. Since it's a side project and I don't really write that often I decided to move to a shared writefreely instance. The move itself was a very smooth process so I can't complain. The only issues are my stats and follower count. Both metrics have been reset. I guess I'll have to write more often ;) Perhaps (even) shorter posts will do the trick? Only time will tell. In the meantime: feel free to follow this blog on the fediverse and spread the word!

Reply to this on the fediverse: @michal@101010.pl

I may be stating the obvious here but it's something that I've discovered through many explorations. See, I'm somewhat obsessed with various gadgets and recently I focused mostly on finding the perfect dumbphone that would fit my needs and be this quiet digital companion. My journey was (and still is) quite long and I had a chance to play with a few seemingly interesting devices. Now that I think about it, I'm definitely addicted to technology and I tend to buy stuff that I shouldn't. With that confession out of the way, let's see what I found.

Light Phone 2

I first heard about dumbphones and digital minimalism when the Light Phone 2 appeared on the market. I promptly read Cal Newport's book “Digital Minimalism” as I wanted to know more about this movement. Soon I also discovered the whole dumbphone community on Reddit and Jose Briones' YouTube channel. Unfortunately the device itself was kind of a let-down. Sure, I could call people, send texts (though a bit awkwardly), listen to podcasts and use maps. At the same time I missed so many features of a modern smartphone that I quickly gave up and sold my LP2. If you're wondering, here are the features I just couldn't live without: secure messaging, 2FA, camera, quick texting, banking, to-do list, translator, and possibly a few more. By now it's obvious that I need some smart apps on a daily basis.

Dumbphone + tablet

Ok, so I had this idea that maybe I could manage with a simple phone and a separate smart device, i.e. an Android tablet. I must say that I don't really regret getting one as it's quite useful whenever I want to read some articles or watch a show on the go. But as a companion device it works terribly. Let me give you just one example. Imagine you need Signal or some other secure messenger. You can install it on a tablet but then actually using it on a 10 inch screen, while holding a not-so-light device is just impractical. It could work with a smaller tablet or a bigger smartphone but I decided it just introduced more complexity. Remember: the goal is to achieve digital minimalism, not digital clutter. And for me it's just not acceptable to have to check multiple devices to see if I've got any pending messages or notifications. Still, I couldn't resist and tried out a few more dumbphones.

More dumbphones

During my (cursed) journey I tested the following devices:

  • Hisense A9: not really a dumbphone but I just love e-ink screens so I had to know how it performed. What threw me off was Chinese bloatware and an outdated version of Android.
  • Qin F21 and F22: due to their small screens these could be considered dumbphones, especially once you get rid of unnecessary apps. What actually annoyed me was both the screen size and physical keyboard, which impacted my typing speed considerably.
  • Punkt MP02: IMO, the phone with a flawless design but poor software. I still own one as a spare / weekend phone but I might sell it in the near future. The biggest selling point of Punkt is its implementation of Signal called Pigeon. I just wish it wasn't so buggy. Plus, if you consider the abysmally small screen size it makes for a poor experience with both text and multimedia messages.

What's next?

Right now I've settled on my good old Pixel with a curated selection of apps. Sometimes I switch to a minimal launcher like Unlauncher from F-Droid but I mostly use it with the defaults that GrapheneOS provides. Looks like this kind of setup works for me though I really wish there were more interesting devices out there. By interesting I mean: well designed, easily repairable, and with a different form factor. I guess I've had enough of slab phones. But maybe it's for the better. You know, the more boring the device, the less pull it exerts on you. In other words, my dumbphone journey took me there and back to where I started.

Reply to this on the fediverse: @michal@101010.pl

At the beginning of this year I couldn't sit still anymore and so I started a new project. I decided to deploy a chatmail service for new Delta Chat users. Obviously, it's not restricted to new users, as even existing ones may benefit from the service that's dedicated to being speedy and private by design. I got inspired by folks who develop DC and by the project itself. chatmail strives to be fast, easy to use and private. I can attest it is indeed fast, even though it's still good old email under the hood. It's also easy to use for the end user: you can set up an account in just a few seconds by scanning the QR code visible on the main page. Finally, it's private because it doesn't really collect any identifying information and requires messages to be encrypted end-to-end. I will focus on the onboarding experience in a moment. For now though, let's talk about some technical aspects I had to go through.

I launched mailchat.pl on January 2nd so it's been running for over a month now. And it's been super smooth and stable. I have to be honest though, I encountered a few bumps at the very beginning. These were mostly related to gaps in my knowledge. So I took this opportunity to learn something new. Here's what I learned. Apparently you can now deploy a whole stack using Python scripting. I didn't know it at the time so I was confused as to how I was supposed to run the scripts. Long story short, you need a quite recent Linux distro (like Ubuntu 22.04) as your workstation. You will deploy from here. Then you need to rent a VPS with a relatively recent distro (again, Ubuntu 22.04 in my case). You'll also need a domain name. The official guide is there to help you with the installation. The deploy scripts provide details as to how to set up DNS entries and make sure everything runs as it should. Like I said, it can be a little confusing at first. Just remember that the scripts must be launched on your local machine. Oh, by the way, this will only work if you have SSH keys set up properly. Once you get used to the process it kinda makes sense. For my service I had to translate the contents of the homepage and come up with a simple privacy policy.

Still, there was one thing I had to figure out: updates. chatmail is in active development and devs are working hard (or rather smart) to fix any outstanding issues. Thankfully, we have this thing called The Internet so I was able to find a working solution to my problem. At some point I even asked ChatGPT (or was it Bard?) to help me with updating a Git project. Let me present this secret knowledge then.

  1. Open terminal and go to the chatmail folder,
  2. type git stash, this will stash or save any changes that you've made so far, like configs or translations,
  3. git pull to pull the most recent changes from the GitHub repo,
  4. git stash apply to apply those changes without destroying your local files.

Of course it's always wise to back up local files before making any changes. In point 4 you may need to inspect some files and resolve any conflicts. It happened to me once or twice when I changed files in the /www/src directory. So there you go, my little journey.
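
The update steps above as a small shell function, with the backup and the conflict check built in. This is an added example, not code from the chatmail project or from the original post; the function name update_checkout, the default backup directory and the --ff-only choice are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: update a git checkout that carries local edits (configs,
# translations), following the stash -> pull -> stash apply steps.

# update_checkout REPO_DIR [BACKUP_DIR]
#   0  updated, local edits re-applied cleanly
#   2  updated, but re-applying local edits hit a conflict (stash kept)
#   1  anything else (not a git checkout, pull failed, ...)
update_checkout() {
    uc_repo=$1
    uc_backup=${2:-"$HOME/chatmail-backups"}   # assumed backup location

    git -C "$uc_repo" rev-parse --is-inside-work-tree >/dev/null 2>&1 || {
        echo "not a git checkout: $uc_repo" >&2
        return 1
    }

    # Any edits to tracked files (staged or not)? Untracked files are left
    # alone by plain 'git stash', so they are not considered here.
    uc_dirty=0
    git -C "$uc_repo" diff --quiet HEAD || uc_dirty=1

    if [ "$uc_dirty" -eq 1 ]; then
        # Backup first: a plain patch file that survives even if the stash
        # is dropped or the checkout is deleted.
        mkdir -p "$uc_backup" || return 1
        uc_patch="$uc_backup/local-changes-$(date +%Y%m%d-%H%M%S).patch"
        git -C "$uc_repo" diff HEAD > "$uc_patch" || return 1
        echo "backup written to $uc_patch"

        # Step 2: put the local edits aside.
        git -C "$uc_repo" stash push -q -m "pre-update $(date +%Y-%m-%d)" || return 1
    fi

    # Step 3: fetch and fast-forward. --ff-only (a choice made for this
    # example) refuses to create a merge commit if the branch has diverged.
    if ! git -C "$uc_repo" pull -q --ff-only; then
        echo "pull failed, restoring local edits" >&2
        [ "$uc_dirty" -eq 1 ] && git -C "$uc_repo" stash pop -q
        return 1
    fi

    [ "$uc_dirty" -eq 1 ] || return 0

    # Step 4: bring the local edits back. 'apply' keeps the stash entry,
    # so a conflict loses nothing.
    if git -C "$uc_repo" stash apply -q; then
        git -C "$uc_repo" stash drop -q
        return 0
    fi

    echo "conflict while re-applying local edits; files to fix:" >&2
    git -C "$uc_repo" diff --name-only --diff-filter=U >&2
    echo "stash entry kept; patch backup: $uc_patch" >&2
    return 2
}

# Run only when a repository path is given on the command line.
if [ $# -ge 1 ]; then
    update_checkout "$@"
fi
```

A return code of 2 means the pull succeeded but the listed files contain conflict markers that need to be resolved by hand; the local edits are still available both in the stash and in the patch file.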

Finally, let's go back to the title of this post. chatmail makes it easy for new and existing Delta Chat users to register an account and start texting people. Sure, you can still use DC with your own email account. However, if for some reason you can't do that, chatmail can be a good solution. Here are some examples for when it could work:

  • your email provider is not supported
  • your messages are delayed
  • you want to encourage your friends to use DC
  • you'd like to have a separate account just for DC
  • you care about your privacy.

I'm sure there are other reasons why people would choose to go this route. For me it's simplicity. You can get an anonymous account that consists of some random letters. Alternatively you can choose your username. The first option is super quick and suitable for most people, especially if they don't care about fancy usernames. All it takes is to scan an invite code. The second option is available in Delta Chat for more advanced users. Here you can type your username and password in the app itself. If the name's not taken, it will be given to you. Just like that. Now, to text people you'll have to share your invite code: this ensures full encryption. Sidenote: sharing codes is not always necessary, e.g. when you and your contacts use the same server.

I hope you enjoyed reading this little behind-the-scenes story. Plus, if you haven't already, explore Delta Chat and its ecosystem of decentralized mail servers.

Reply to this on the fediverse: @michal@101010.pl

As a GrapheneOS user, I've witnessed minimalism from the get-go. It's been a refreshing experience to be completely honest. The difference between the stock OS and GrapheneOS lies mostly in improved security and privacy in the case of the latter. But, as I soon learned, it's also about its minimal approach. You might have heard or read something along the lines of “fewer apps mean smaller attack surface”. And I completely agree with this sentiment. However, this isn't what I wanted to highlight today. The minimalist in me actually enjoys the sparse number of apps. More than that, these apps are quite bare-bones to begin with, which means fewer distractions for the end user. They won't try to pull you in. Ok, I've gotta admit, sometimes I wish they looked nicer, had brighter colours and had the 'wow effect'. But then I remember: I don't want to be a slave to my smartphone. It's supposed to be a tool, like any other. This realisation is also why I started to look for minimalist launchers or home screens.

Enter Unlauncher.

Over the years I've become a fan of minimalistic design. User interface should be utilitarian and allow me to get things done. For some time I was under the spell of the Light Phone 2. I even got one but soon discovered it was way underpowered for my needs. Still, the whole principle of a phone being just a tool stayed with me. So I began the process of 'decluttering' my digital spaces. You know, standard stuff like uninstalling apps I no longer needed, etc. There was just one element that didn't fit the puzzle: the home screen. So I performed a quick search. I typed 'launcher' on F-Droid. I figured I would start with simple, privacy respecting launchers. I installed several of them but one stood out: Unlauncher. It's an extremely simple and lightweight launcher for Android devices. In short, it transforms your smartphone into a feature phone. All Unlauncher does is present a list of up to 6 apps / tools and the rest stays hidden below. You can of course access all of your apps with a swipe up. There are shortcuts for dialer, settings and camera. If you wish, you can even disable them. The latest version offers several colour themes and can set the wallpaper based on the selected theme. Like I said, it's very, very simple and minimalist.

I realise that minimalism is not everybody's jam. But if you're like me and you want to simplify your device(s), give Unlauncher a try. The only side-effect you might notice after a few days of usage is less screen time for your eyeballs. But is it really something you should worry about?

Reply to this on the fediverse: @michal@101010.pl

As it happens, I came upon a little problem. I needed to shorten an awfully long URL. I remembered using bitly.com in the past but then I realised I had closed my account. I just didn't use it often enough. So my first instinct was to find a self-hosted solution. I looked through a Yunohost app catalog and voila – there are 4 URL shorteners: Lstu, Shlink, Shuri, and Yourls. I thought, well, let's have a look, do a little research. And so I did (a very short research) as I didn't want to spend the whole morning on such a silly task. As I was reviewing the options, none of them really impressed me. Then it struck me: do I really need to run my own URL shortening service just to 'process' one link? Of course I don't! At once I felt lighter and somehow liberated. But the problem persisted. Thankfully, the solution wasn't far away. I listen to many podcasts, quite a few of them technical. Recently, one of them mentioned this new URL shortener called pnqk.me. So I opened the site and learned that the service is much better in terms of privacy than most other link shorteners. It cleans your links and, if possible, archives the contents, which is neat considering that some links might stop working in the future. Without wasting any more time I decided to give it a go. I can now report that pnqk.me works as expected, with a small caveat: it doesn't seem to offer any statistics or insights about your links. Not a problem for me, but if you care about this stuff you'll need to look elsewhere. So, short story... shorter: always look for the simplest solution. Privacy doesn't have to be difficult.

Reply to this on the fediverse: @michal@101010.pl

I'd like to talk about hackers. Not the kind of hackers that you often hear about in the media. These are most probably common criminals, or, to be precise, 'cybercriminals'. I don't want to talk about those. But it's important to distinguish between the two. Now, before I move on I need to note that this post has been inspired by a recent conversation with my wife. I suddenly realised that I might call myself a hacker, even though I'm not an engineer of any sort. All I have done is troubleshoot hardware and software bugs. In fact, that's one of the misconceptions people have about hackers. You don't need a degree to become one. And you certainly don't have to be a criminal.

First, let's discuss hacking in terms of curiosity. Hackers are essentially tinkerers, masters of DIY. They need to know how stuff works, inside and out. They enjoy solving problems and pushing technology to its limits. If something doesn't work they will find a way to make it work. You might have heard about Kevin Mitnick (rest in peace) or Linus Torvalds. The former specialised in exploiting human vulnerabilities to gain access to various systems. He went from being a 'grey hat' to a 'white hat' hacker. His actions were shady at first but later he contributed greatly to society by running a company and writing several books on social engineering. BTW, I highly recommend reading “The Art Of Deception”. My second example, Linus Torvalds, is best known for creating the Linux kernel. This time we're talking about a proper software engineer who wanted to make a truly free and open source operating system. He followed the principle: my computer, my rules. Importantly, he's still true to his ideals. Both hackers tried to push the boundaries of what's possible in a constructive way.

Second, hacking is about problem solving. If you're a hacker you'll do your best to find a solution to the problem at hand. It doesn't really matter if the problem is technical or not. What matters is the attitude. This in itself is a valuable skill which can help advance your career. Earlier I mentioned the term 'white hat' hacking. It refers to ethical hackers who employ their skills to improve the cyber security of various organisations. They play a crucial role in safeguarding our digital infrastructure.

Ultimately, hacking is often a community effort. There's a strong sense of community among hackers. Many of them are part of open source projects, hacking away and improving code so that we can later benefit from their actions. When you find yourself in a hacker group you are bound to improve your technical and social skills. In this setting, hacking is about sharing knowledge, and doing it responsibly. Ethical hackers often publish their findings and contribute to open source projects, which benefits the whole community.

To sum up, I wanted to make it clear that hackers are not inherently bad. The term 'hacker' is often used to describe anyone who uses their computer skills to commit crimes. But this is inaccurate and misleading. Sure, there are bad apples but let's call them accordingly: cybercriminals. They are the ones who harm people. If you enjoyed this short article please share it with others, hackers or not ;)

Reply to this on the fediverse: @michal@101010.pl

When I first heard about Delta Chat and the idea of instant messages sent through email I was both thrilled and confused. I remember thinking to myself: how would it work? In my mind, email was quick but it was hardly instantaneous. It turns out that the good, old email can be indeed used to deliver short messages, just like any other IM does. I mean, Delta Chat is a bit different in this respect since it doesn't use a single provider (like Signal or WhatsApp) and this fact alone can be baffling to some people. It can also affect your experience with the app because it relies on your email provider. And trust me, the whole email landscape can be messy. But knowing the limitations we can still enjoy sending sweet, short messages to our friends and family. They don't even have to use the app themselves: the messages will still arrive in their inboxes. That's the beauty of interoperability.

Sending your first message

So how do you get started? Well, if you have an email account, and I assume you do (be it Gmail or a work account), you should first check the compatibility: https://providers.delta.chat. There's a good chance that your current inbox will do the trick. Unfortunately, some secure email providers like Proton or Tutanota are not supported because they use non-standard connection protocols. If you have one of those (I use both) you'll need to look elsewhere. And if you don't mind paying a few euros per year I know for a fact that Posteo is an excellent choice.

Once we have the provider covered, it's time to download Delta Chat. I've got some very good news: it's available for every major platform, including Android, iOS, Windows, macOS, and Linux. I recommend starting with one device, e.g. your Android smartphone. Later on, you can set up a second device, like your laptop, similar to what other messengers offer. Ok, with the app installed you'll log into your email. Don't worry, your credentials won't be sent to DC servers because... there aren't any. What you do here is log in directly to your email account. After providing your email and password you should be ready to go. In most cases, the app will detect the required server configuration so you don't have to hunt for specific instructions. In the rare event that it doesn't, you can always set it up manually (which I've never had to do). You should now be able to send your first message. Who will be the lucky recipient? =)

The good and the bad

I'm trying to be completely honest with you so here are some loose thoughts about Delta Chat. Let's start with the positive. The app uses email as its 'back-end' so it's the most universal IM out there. Almost everybody has an email address so you can message people from the get-go without even asking them to install additional software. Your message will simply appear in your contact's inbox. Here's the (small) problem. By default, email is not encrypted so if you use DC and your contact doesn't, then your messages will be in plain text. I know, it's not ideal. But if you're not discussing anything confidential you might not care. If you'd rather make use of automatic encryption then you'll have to convince your contacts to install DC. So yeah, you cannot beat the universal aspect of this system, maybe with the exception of mobile numbers, but that's a different story.

As for usability: Delta Chat has all the essentials that modern IMs offer, without the ability to place calls (natively). I believe you can set up an external voice service but I haven't experimented with that. I treat DC as my text-based messenger. However, it can do more than just text. You can send images, videos, emojis, voice notes and even share location. You can have 1:1 chats or groups. The latest, and still experimental, feature lets you create broadcast lists, which resemble Telegram channels or good ol' email newsletters. Want more? If both contacts use DC you can enable 'disappearing messages', just like in Signal or WhatsApp. Finally, there's the killer feature: Webxdc, or apps / games that work within chats. Just to mention a few: TimeTracking, CrappyBird, Snake, Reactle (Wordle clone), Tic Tac Toe, Poll, Calendar, and more. I've had lots of fun with these mini apps.

Now let me mention some not-so-great aspects. I've already told you about the encryption, or lack thereof if your recipient doesn't use DC (yet). Maybe it won't matter to you but I find it problematic. The app may not be as streamlined and intuitive for some people who are used to centralised IMs (again: Signal, WhatsApp, Telegram). BTW, the whole idea of decentralisation (and email is decentralised, at least in principle) can be a double-edged sword. On the one hand it's great: no single point of failure, yay! On the other hand: not all email providers play by the rules, and so we have deliverability problems. So I'm putting a warning here: you might experience delayed, or even missing messages. It all depends on your (and your contact's) email provider. There are ways to get around this problem, like using your own email server, but it's beyond the scope of this post. The last thing I want to discuss is message retention / storage. I know it can be pretty confusing for new DC users. You might think that your chats will clutter your inbox. Thankfully, that's not the case. Delta Chat moves your short messages into its own folder on the server. This allows you to use one email account for both traditional emails and chat messages. By default, DC doesn't delete anything from the server (smart move IMO). So if you'd like to free some space you can either 'clear' individual chats or just delete the contents of the “Delta Chat” folder on the server. There's an option to auto-delete messages from the server (and/or app) but I don't recommend it. Better safe than sorry.

Want to learn more?

Thanks for reading! This post is a bit longer than usual. I admit I’m quite passionate about the topic ;) Now go and share the knowledge! If you'd like to know more about Delta Chat, check their FAQ. It's available both online and in the app itself (also offline!). Happy chatting!

Reply to this on the fediverse: @michal@101010.pl

You might have heard or even used an app from Mozilla called Pocket. It's a service that allows you to save online articles for later consumption. Pocket has been relatively successful because of its integration with Firefox. Apparently this integration is now tighter than ever as the app requires a Firefox account to log in. I'm not saying it's a bad thing. If you use Firefox as your main browser you may find Pocket really useful. I know I did for a few years. It's been a very pleasant experience. Whenever I found something interesting to read online I would press the Pocket button and voila – now I could read the contents on all my devices. I usually used my smartphone or tablet to read the saved articles. I must admit: it's a really convenient way to read and process online content. But... if you're like me and prefer open source solutions with superior data portability, there's a better solution on the market. It's called wallabag.

Now, wallabag, in contrast to Pocket, is fully open source and offers quite a few synchronisation options. What does it mean? Well, with Pocket you rely on Mozilla's infrastructure (i.e. their servers). With wallabag you can actually choose where you store your data. You can change 'providers', so to speak. So how does it work? How can you set up an account? Read on.

Let's start with the easiest option. Go to https://www.wallabag.it and create an account. You can test the service for 14 days. After that, if you decide to stay, you'll have to pay a small fee (11 EUR per year or 4 EUR per 3 months). I've been a user myself for about 6 months now and I've been really happy with the service. Once you set up an account you'll need to install some apps / extensions to enjoy the full experience. To save web articles it's best to install a browser extension. The configuration may be kinda disorienting because you need to generate an API key. But once it's done it just works. As with Pocket, you'll see a wallabag button among your extensions. Once pressed, the article will appear in your wallabag collection. To complete your experience you'll need to install a mobile app. I downloaded the Android app from F-Droid but it's also available on the Play Store. This time the setup process should be much easier since the app will automatically generate and fetch the API key for you. Tada! You can now enjoy an ad-free reading experience on your smartphone or tablet.

The other option I want to present is self-hosting wallabag on your local machine or on a VPS. Alternatively, you can ask a tech-savvy friend to set it up for you. The route I took was to set up a Yunohost server. Yup, I know, it's a recurring theme on my blog. I happen to manage a local machine (Raspberry Pi 4) and a VPS (Hetzner FTW). I can attest that both options will be an excellent choice for a Yunohost / wallabag combo. I believe I don't have to mention that this option is not for the faint-hearted. But of course I wouldn't be myself if I didn't pick the harder path.

Long story short, I exported my saved articles on wallabag.it (in .json format) and then imported them all on my instance. In fact, it wasn't the first time I did this so I know it works perfectly well. I also set up a wallabag instance for my family so they too can enjoy a Pocket-like experience for free. From the user's perspective, the only hurdle with this approach is that you need to manually enter your instance address when setting up the app and/or browser extension.

Have you heard about wallabag before? Would you consider using it or recommending it to friends? For me it's become a must-have app so naturally I spread the news. Feel free to save this post in your wallabag collection just to see how it works ;)

Reply to this on the fediverse: @michal@101010.pl

In the previous post I wrote about the benefits of password managers: convenience and security. Right after publishing that post I realised there's more to say about Bitwarden specifically. I suppose it shows just how good the software really is. So without further ado, I present 2 more features that make Bitwarden a very useful tool every day.

The first feature that's perhaps not unique to Bitwarden is the password generator. I mentioned last time that the master password is the only password that you need to remember. But what about other, regular passwords? Here's where the generator comes in. It can generate strong, unique passwords for you. You can specify the length and the type of characters: letters, numbers, and special signs. Now, here's the deal. Humans are terrible at creating and remembering strong passwords. So do yourself a favour and start using random, generated passwords from now on. Ok, I can sense you wondering: “But I won't be able to remember such passwords”. Actually, it doesn't matter. Like I said, you just need to know your master password. All the others? They are safely stored in your vault and you don't even have to know them. I certainly don't know 90% of my passwords, and that's fine. The few ones I decided to memorize are for accounts where I can't easily paste them from my Bitwarden vault (e.g. at work, on a shared computer). Even then, I could just look them up on my phone and enter them manually. Summing up, whenever you need to come up with a new password (or change the existing one), use the generator. For example, all of my passwords are at least 16 characters long and include all types of characters.

The second feature I'd like to discuss is called “Send”. In short, it allows you to share sensitive data (plain text or attachment) with a recipient. Let me give you an example. Say you want to send some documents to your lawyer. The documents contain sensitive information like your address or social security number (PESEL in Poland). In this scenario, you can utilise “Send” to share the documents, protect them with an agreed upon password, and even set the expiry date. It surely beats sending critical data over unencrypted email, or, worse still, on Messenger (you know which one). I admit that I don't use this feature often but when I do I'm glad I have the option.

That's it for today. Thank you for reading and I hope you'll find this information useful.

Reply to this on the fediverse: @michal@101010.pl