I am writing this because there is a lot of hyperbole about efail
Are GPG/PGP and S/MIME broken?
No. efail is an attack on the mail client. Not on the cryptography. Although there is some mussing with the cryptographic elements That would be very apparent, signatures would fail, etc.
Are my Private Key Compromised, Does this lead to a compromise of the keys?
No. This tricks email reading programs into sending the clear text of the message once it is decrypted back to the attacker.
Is my email program affected?
Maybe. Not all are. There is an excellent chat on page 11 of The official report
Should I disable/stop using GPG or S/MIME?
The real problem is HTML rendering in some email clients. Check the list Document mentioned above to see if yours is effected
Patches are coming on-line quickly so check that your E-mail client is up to date
If you are comfortable doing so turn off HTML rendering of E-mail. This will almost completely mitigate the issue. The researchers did not get a non-HTML rendered E-mail to be effected but they do suggest other more complicated things that MAY be able to do that.
Keep in mind that is a complicated Man-in-the-middle attack that requires the attacker to have access to your stored E-mails on the server or your computer or the ability to capture them in transit. This is not something generic hackers will be doing. It is something that Governments and places like the NSA will be interested in. If you are worried about them I'd strongly suggest making sure you are using a non-effected client and disabling HTML rendering.
But for the average person that isn't worried about nation states and spy agencies actively trying to get their stuff I'd say keep using GPG or S/MIME. Apply the patches as they become available. Turn Off HTML Rendering. or move to an unaffected client.
It's better to send encrypted and force people to work at decrypting it then just say fuck it and send everything in the clear and let them have it all with no effort.
The Bullet points
- The attacker must have access to your E-mails either on the server or in transit
- Not all email programs are effected
- Patches are coming quickly
- This is not a problem with the encryption. It a problem with the E-mail programs
- Turning off HTML rendering almost completely neuters this attack (except for some theoretical attacks)
- For the average person this is a low priority and easily mitigated attack.
- Take the appropriate precautions like moving to a non-effected E-mail reader, patching, plus turning off HTML rendering and keep encrypting.
Ok, I'm going to attempt to explain why open source software is better then closed source. For the libre-software folks in the crowd I'll be addressing copyleft and the four freedoms in a following post.
I'm going to explain this using an analogy and what I hope is an apt one- that of a recipe. This is something everyone is familiar with and has probably worked with at one point or other.
Source code is a recipe for how to make a program. Depending on the language it is either "baked" (compiled) or "eaten as is" (interpreted).
Like a recipe the source code is just a list of things to use (resources) and instructions on how to use them (the program).
Just as many recipes need to be baked and one can't easily identify what went in to the recipe after baking, many modern programs are compiled and what comes out of the compiler looks way more like cake then eggs, flour, sugar, vanilla, etc. Therefore it is very hard to work on a program after it is compiled. Just imagine trying to add more oil to a cake that came out too dry after it's baked. It just won't end well.
Ok, now that we have the analogy established, imagine a world where recipes were all legally protected secrets. The only food you could buy was pre-cooked or ready-to-eat. Hate the flavour? Too bad. Want to add blueberries? Sorry can't do that, or at least not in a meaningful way. Ovens would be for heating alone just as most people's computers are just for using a browser.
Worse still, if you did figure out how to make a brownie, somehow found the ingredients and tools to use them and then, GASP! used your oven for cooking, you'd probably promptly get sued by the local big brownie concern for stealing their secrets. And because they are secrets you couldn't prove that you didn't or it would be very hard to.
In this world almost no one could help you with your brownies as only a select few know how to cook or what cooking even is, other then "That thing specially trained people do for big companies".
This is the world of closed source. This is the world of the late 80's and early 90's before the open-source movement. There were a few small pools of hobbyists keeping programming for fun alive but mostly all the recipes had disappeared or were very old and stale.
Now imagine a world where everyone publishes their recipes. And because of this the tools to use the recipes are readily available. If you didn't like Magoo's chocolate cake, you could download the recipe and fix it and bake your own. Now depending on the license that Magoo attached to the recipe you may or may not be able to tell anyone about how you fixed it, and may or may not be able to sell the better cake you made. This is where software freedom and copyleft comes in which I'll talk about in a later posting.
In this world there would be lots of people cooking, sharing ideas on how to cook, how to cook better, coming up with new and interesting things. Also people could look over Magoo's recipes and say "Too much salt in cake #3, it should be 1 teaspoon not 1 tablespoon". Also people could make sure Magoo's wasn't including rat poison, or making a frosting of raw eggs, sugar and lard that'd go off in a day and lead to people getting sick and dying, thus making everyone safe.
Just imagine if VW's emission control software had been open source. People would have looked at it and said "WTF! What are you doing?" Now I know some of you are saying "Ah, but they could publish a good recipe and then bake the bad one". True, but it'd still be a lot easier to catch them as you could bake the recipe they published and then compare it to the pre-baked version. In the VW example the pre-baked version would somehow, mysteriously have way better mileage. And because people know how to cook, they'd know there are only a couple of ingredients that could be fiddled with to achieve that result.
VW is not the only one hiding things in their closed source software. Most programs that you find in "App Stores" are closed source and many of them do their best to take your personal information, often without permission. These activities would be plainly visible if people could look at the source code, as would many vulnerabilities or things like back doors in the program.
This is where we are hopefully heading. Many programs are now open source; many are still secret. We will probably never get to a 100% open source world. But as people learn more about the open source movement, and realize that programming is just a learned skill like cooking, instead of seeing it as a magical "something" that only rare geniuses can do, there will be more and more pressure for companies to open their source code, or for software repositories like "App Stores" to include a way to also download the source code for a program.
I am writing this because there is a lot of hype, click bait and other stuff going on around Meltdown and Spectre. I want to put out the info in plain simple terms.
First and Foremost
Your computer is not broken or defective.
Intel DID NOT screw up.
The fact that Out-of-order Execution has been around since the '70s and in modern PCs since the mid '90s and the exploit is only now being found shows that this is a extremely clever, highly technical, exploit that builds on much more modern concepts like "CPU cache timing attacks for side channel leakage of information.".
There are software patches already on the way to mitigate the problem. The "performance hits" talked about are not well documented and as the mitigations improve any performance hit will be reduced.
Is it bad?
It is a serious issue. It is not the end of the world, or your computer, or the internet.
What is it?
Both techniques take advantage of a feature of many (not all) modern processors called Out-of-order execution. Which is a technique that most modern CPUs use to get things done more efficiently and faster.
It is NOT a technique to get code on your machine. It is a technique that code that has already gotten on your machine can use to access information that is usually protected.
Access to such information would let the code then bypass several other protections to gain more privileges or steal information from other processes.
What should I do
Breath. Relax. There is no evidence that these have been exploited in the wild yet. Patches/Fixes are coming online quickly.
Apply patches as they become available. Many people are working on ways to mitigate these problems.
What about all the noise.
Sadly this is the type of exploit that makes for great attention grabbing headlines and news coverage. But the facts are much more complex then the mainstream media want to cover. It is much easier to say "Every Intel Processor is effected but this bug." than "There is a highly technical side channel attack on processors that support Out-Of-Order Execution that leads to the leakage of privileged information. This would let them steal information or use information about the layout of system memory to use another advanced technique called Return Oriented Programming to gain full control of the system."
So, I came to the realization that I was in a broken relationship. One in which my attention was often demanded for petty reasons. A relationship where interacting with the other party failed to fill any deep or meaningful need despite a promise that it would be more fulfilling.
The other party was my smartphone. So it was time for a divorce.
Put in less whimsical terms I recently and increasingly realized I was spending far too much time on my device. I'd find myself reaching for it in any idle moment, as many do. And I never left such events feeling rewarded or fulfilled.
I think that part of what has cause this increased awareness is that in all my other computing I work in an almost completely text centric environment. Bowing to the need for the occasional use of a GUI based browser is about the only non-text interactions I have. But even with browsing most of what I do is done with a text only browser.
Also all my other computing devices are not always on/always connected devices.
This disparity between my normal computing devices and my smartphone I think really highlighted the differences. A growing frustration with the direction that Android is going is also in the mix. As many may know I De-Googled my life a while back and have been very happy for it. So my smartphone runs a Google free version of AOSP. With only apps from F-droid on it. So I'm heading in a more free (as in freedom) direction and every new version of Android that comes out does more and more to lock Android and to lock it to Google.
One of the first thing I noticed is that when working in a non-GUI environment I was more focused, more productive, and more task oriented. Where as on the phone everything felt muddled, unfocused and often meaningless.
I also do not like the treacherous nature of smartphones. As anyone who reads my blog will know privacy is a huge issue for me and smartphones simply leak far too much personal information.. So I had already been mulling what I would do when it was time to replace my current device. I did not want to get another smartphone.
So with all this going on and me recently building myself a small mobile computing device.. Much more of a MID then a smartphone and Linux based not Android based. I decided it was time to start saying good-bye to my smartphone.
Now there were some minor considerations that might have mean that I would have to keep the phone. At least for a while. But I wanted to minimize my use of it.
The first thing I did was transfer as much of the non-communication things I did on it over to my new MID (BTW also text centric), and even a few of the communication functions like Instant messaging.
That went well and I felt no real pain in doing so. Mostly what it did is give that overly attached part of me a mental safety net. "OK, phew, I still have all that, just on the other device"
The next step was turning off all non-critical notifications. If it wasn't something that absolutely required my immediate attention off went the notification. This step was amazingly successful. I quickly stopped looking at my phone all the time. Even the amount of checking it in the idle times dropped. I even started to lose the desire to keep it with me all the time.
After that came A big one. Pull every attention sucking, non-critical communication thing off the phone. All social media things gone from the phone. All games, gone. All those random interesting but ultimately time wasting apps, gone. Calendar, gone (have it on my MID now). Even the browser, Youtube player, etc.. gone.
This sounds rather radical but it was necessary if I was to say good-bye to my phone.. All that was left were things that deal directly with real time communications, and privacy enhancements. So basically phone, SMS (encrypted), GPS navigation, and contacts. Plus a few enhancements like firewall, ConnectBot and F-driod.
And. I didn't go nuts.. In fact my routines changed in pleasant ways. I no longer reached for the phone as soon as I woke up. No reason to. It often lay forgotten until I was about to head out for the day. I still check my social media but it is a much more intentional type of interaction which happens on my laptop while having my morning coffee, and ends once I'm caught up. Same with e-mail.
After another purge further stripping the phone down to nothing but basic phone features, and turning off WiFi, which went far better then I thought it would. I was ready to take the plunge. I ordered a $70 feature phone to replace my smart phone.
The phone arrived quickly and despite myself and others being concerned that I would end up ultimately being unhappy with the phone, quite the opposite has happened. Other then some initial pain learning how to TXT with T9 style input again, life is fine.
Although I can no longer easily do encrypted SMS only a few people ever got on board with that and most of what I send via SMS isn't anything that needs encryption. I don't really care if the powers the be see me asking my wife if we need bananas. For anything that requires encryption I can use the Instant Messanger on my MID.
I am actually loving the flip phone. It is smaller, lighter, better on battery, has a replaceable battery, feels and acts more phone like, and still is able to play my music and podcasts through my Bluetooth headphones. I do not need more. And best of all I got my life back. I'm no longer tied to a hugely expensive, privacy sucking, attention sucking, thing that is doomed to the landfill because the battery can not be replaced.
I even now turn the hone off when not in use. Imagine that. A life where I only get bugged by the outside world when I chose to. A world where I control how and when I talk to people or people talk to me. A world where I watch all the way through a TV show (or several) without ever two screening. A world in which when I'm with fiend I'm with them not split between them and my annoying smart thing.
I'd strongly suggest that other should try to follow in my path. Even if you only got as far as pairing back what is on the phone and limiting notifications to only the important ones I suspect you'd notice a large difference in your life. I certainly did.
I will not be moved to hatred by media and politicians seeking to use tragedy to gain power.
Instead I will hold fast to my love of my fellow human beings and my knowledge that the vast majority are peaceful.
I wil not be goaded to anger by those hoping to exploit the unclear thinking that lives there.
Instead I will hold and extend compassion to my fellow human beings,
Compassion for the victims, but also, and much more challenging,
Compassion for the pain, and hopelessness that the perpetrator must have been in to commit such an act.
I will not be made to fear, by hanious acts, or those that seek to exploit peoples reactions to such acts.
Because I know the world is mostly safe,
Because I know that all sane people wish peace and stability,
Because I know that the sane far far outnumber the troubled.
And because I know that love and compassion are far more potent salves for human problems then anger and fear.
I'm getting tired of term "Sharing" or "sharing economy" being applied to things that clearly are not sharing. It muddies the waters in discussions of these services, it's more about marketing then the reality of the situation, and frankly it's highly inaccurate.
Sharing is something one does without profit in mind.
- If I let you borrow my car for free that's sharing. If I charge you for the use of my car, I'm offering a paid service.
- If I let you stay at my place for free because I have the space, that's sharing. If I charge you it is a service. If we make an arrangement where I stay at your place in exchange that is barter.
- If I give you half my chocolate bar for free, thats sharing.
- If I trade you half my chocolate bar for one of your cookies, thats barter
Things like Uber, AirBnB, etc. are not about sharing. There is an exchange of funds involved. The companies provide a service to people how in turn provide a different service to clients.
If you go to Uber's "Drive" page it is quite clear from the wording that this is not about sharing. Phrases like:
"earn what you need"
"we deduct a service fee"
clearly show that this has nothing to do with sharing. So any references to Uber as a sharing service are completely inaccurate. It is a business plain and simple.
So with the "sharing" mystique stripped away it is clear that Uber is just another taxi service and thus should be regulated like any other taxi service.
AirBnB is about the same, their website starts off with:
"Rent unique places to stay from local hosts in 190+ countries." (emphasis mine)
Renting is not sharing. Also the "Hosts" pay a service fee to AirBNB:
"You'll only pay a 3% service fee".
So, once again we have a Company offering a service to people who offer a different service to clients. No Sharing. And with the "Sharing" mystique once again stripped away it's clear that this is just an unregulated hotel service.
So can we please stop referring to companies like this as "sharing" or being part of a "Sharing Economy". The use of that term is nothing but marketing buzz and an attempt to try and duck regulations that are generally there to protect the public.
So even though CouchSurfing facilitates sharing they are in it to make a buck. They are a business. They are offering a monetized service.
I am in no way disparaging CouchSurfing. Everyone needs to eat. And bravo! they are facilitating actual sharing. Good for them. I'm just saying that their motivations are not entirely selfless.
I am also not saying that there is a dearth of sharing. Certainly the capitalistic society in which we live tries hard to push people away from sharing, as it is bad for their bottom line. Even so, I have seen many people offer public spaces and resources on-line for altruistic and/or selfless reasons.
People who run Tor nodes are sharing their bandwidth and computer resources. The same goes for people running I2P nodes, or people running publicly available Pump.io nodes or Diaspora pods. There is also the thousands of people that devote their time and energy to creating freely available GPL'd software.
So there is definitely a sharing economy out there. It just isn't the one you hear about. And sadly the "Sharing Economy" that is getting all the press isn't about sharing at all, just more capitalistic endeavours trying to wrap themselves in a palatable and marketable guise.
With recent articles like this and this, I felt it was important to point out the golden thread running through these. Which boils down to one thing. "He who controls the software and/or server controls the device" at least in devices like these.
When buying a product that is Internet ready or Internet connected it is very important for people to ask the question "What happens if the Internet part goes away?"
For some products it's no biggie, like say a media player that downloads from a specific site, but also let you put your own music on. In this case the Internet part is more of a "Value added" piece then an mandatory one.
Then there are things like the Google Chromecast. If the Internet back end goes away because Google decides to move to ChromeCast V3.0 and not support earlier ones, then the device will become a brick. useless. And due to the lack of software freedom in these devices there is nothing the owner can do.
This same thing is true of an ever increasing number of products. Especially as we move into the whole "Internet of Things" (IoT) world. One of the reasons that businesses are so hot on the IoT idea is the reach it gives them over the product. This was seen with Kindle when amazon reached into thousands of devices and Erased the book 1984.
There are two separate issues at play here:
- Who controls the software
- Who controls the server
The "ownership" of the device hinges on these two things. Lets look at each of them.
Who controls the software
If you do not control the software on the device, then it controls you. You do not own that device. The person that controls the software owns it.
When I talk about control I am not talking about how "Usable" the software is. I'm talking about the users ability to Change, modify, study, etc. the software on the device.
If you can't change the software at all them you have absolutely no control.
If you can swap one opaque mass of software for another opaque mass of software you have the limited illusion of control
Only when you can Study the software to see how it works, Change it to work the way you want it to, Share the changes you've made and have the freedom to use the software in any way you choose do you truly control the device.
Sadly an ever decreasing number of devices fall into this category. Even many devices that appear free, like the Raspberry Pi, are actually Not truly so due to the fact that they can not work without some opaque bit of software. In the case of the Raspberry Pi it is impossible to boot the device without software that is not in your control.
Who controls the server
This question is either of slightly less or equal importance to the "ownership" of the device based on what the server bit does.
If the server bit is strictly "Value added", as in the device will continue to function completely without the server. Then the question is a minor one.
However increasingly, and by design, devices will not function if the server is gone.
Now if you have freedom in the software as mentioned above. It wouldn't be an issue. You or someone else could study the software, change it to use a different server or to not need the server and then share that change to the world. Problem solved.
Sadly as mentioned above it is a rare device where that can be done. Partly because most software licenses prevent you from doing any of those and thus from using the software any way you want
So lacking freedom in the software and being tied to a server that you don't control means that not only can you not fix, or modify the device, you are now entirely at the whim of the person that controls the server. What if the server says to delete all your stuff? Nothing you can do. The device wont work without the server so you can't prevent it from connecting and once it does bang your stuff is gone.
It goes well beyond just deleting your stuff. The server could push out an update that kills the device. Now it wont even turn on. Or they could just shut down the sever, Again you're stuck with a useless device. It is also important to remember that the connection to the server is a two way street and can be used to spy on anything you do with or near the device, as Windows 10 does and it looks like Occulus Rift will.
As the whole IoT thing takes off this is going to become a huge issue and one that customers need to pay attention to. An IoT fridge that you do not control could be remotely told to not keep food cold anymore when the manufacturer decides it is time for you to buy a new one.
Think that is far fetched? There have been printer out there for years now that decide to stop working based on a software counter in the printer. There is absolutely nothing mechanically wrong with them the software just decides "Sorry I'm done.. go buy a new printer". If manufacturers are willing to screw with you like this how much more so when they can reach over the network and do what ever they like to your device?
So the next time you buy an electronic device ask, Who controls the software? Is the server part "Value added" or mandatory? Can I change the software? Can I run my own server? And ultimately, Do I want to buy a device I will not "own or control".
With the ongoing debate about strong encryption on mobile devices, I'd like to take a moment to clear up a misconception that I've seen tossed around and sadly accepted by too many people.
To be clear anyone that reads my stuff will know that I fall well inside the "must have strong crypto" camp. So the views expressed here will clearly be coloured by that.
The point I want to clear up is this new comparison of cell phones to physical spaces. The argument tends to go like this: "Peoples homes are private but the government can get a warrant to search them. So the government should be able to do the same for Phones."
On the surface that may seems to make sense and I suspect that is why people are buying into it, but the truth is much closer to saying: "Peoples homes are private but the government can get a warrant to search them. So the government should be able to do the same for private conversations."
What the government is seeking is not access to a physical space but rather retroactive access to private conversations. The government has never had the ability in the past to compel you to divulge what you said to your friend last Tuesday. Especially if such might be incriminating.
By wanting all encryption breakable the government is trying to do an end run around your right to remain silent, or plead the 5th, or what ever the equivalent is in your country.
Cell phones are by definition communication devices, not dwellings, not safes, not a place of business. Cell phones store and transmit conversations, which is speech, which has special safe guards when talking privately with another individual.
Yes there are wiretaps and police can get a warrant to get a wiretap. But wiretaps have never been retroactive. Remember it's "You have the right to remain silent, anything you say may be used against you in a court..."
How safe do you feel knowing that by breaking into your phone and having retroactive access to your speech, "anything you say" now includes much of what you said for the last 2, 3, 5 years. Did you have an indiscretion that they can blackmail you with? Did you joke with a friend about robing a bank? Did you talk with someone about the possibility of fudging your taxes a bit? Did you get really drunk after a break-up and text something that could be considered a threat? And on, and on.
One of the reasons that speech is protected is because it is so easy to twist and use against someone. As the famous quote goes "If you give me six lines written by the hand of the most honest of men, I will find something in them which will hang him."
We can not, we must not allow governments and police to have easy unfettered retroactive access to our speech going back years. It removes too many safeguards and tips the balance of power dangerously to the side of the already powerful.
Keep private conversations private. Say No to big brother.
Back in 2014 I wrote Cold Urticaria and the Rural Canadian Male. This is a follow up to that to talk about the things I have learned living with CU.
Know you're reaction point
The First thing I'd tell to someone newly diagnosed with CU is to get a good indoor outdoor thermometer or a small thermometer they can take with them. This was very useful for me in determining the temperature at which I start reacting. For me that is around 10C (50F). knowing this temperature is very important to managing ones CU. It is especially helpful in the spring and fall as it lets me know if a day is a dress light or medium day.
Knowing this temperature is not the only deciding factor on how to dress as things like how damp/wet it is out and how windy will raise the temperature I react at by a few degrees. A clear still day of 15C and I'm probably Ok. Make it a windy day and it gets iffy depending on how strong the wind is. Make it a wet windy day and I'll be reacting for sure even at 15C.
Stay warm inside
In not talking about making sure the heat is on. I expect that you'd do that anyway. However I have learned that not getting "chilled" is very important. And I've also learned that unless you're paying close attention you may not even notice that you've gotten a little chilled.
I first noticed this on my walks to the local Tim Horton's. My hands (usually the first thing to react) would be fine on the way to Tim Horton's but would react on the way home. At first I just assumed that the temperature had dropped or the wind had come up a bit and so I needed heavier gloves. But It kept happening even when I was pretty sure it had gotten warmer. What I finally clued into is that Tim Horton's must keep things a bit cooler then I do at home and the combination of that and me sitting working on my computer (being inactive) caused my body temperature to drop a bit which was priming me to react once I went outside.
I've come to think of it as a buffer or battery kind of thing. If I'm nice and warm inside which keeps my body temperature up I have more stored heat and so don't cool to my reaction point as quickly when I go out. If I've already dropped a couple of degrees of body heat I'm that much closer to my reaction point and so will react much more quickly upon going out. So making sure that I'm staying warm is important even when I'm inside. The tough places for this are the places that are just a little cool. You don't really notice it but you're loosing body temperature. I'm sure if I were in them long enough I'd notice but by then I'd probably pretty chilled.
All I can do is pay attention and dress a littler warmer then usual when I'm at such a place.
It about a lot more then just the weather
This is the thing That I'd most like people to understand. It's about anything cold.
- Cold drinks - which result in a very unhappy stomach and dumping as the body tried to remove the irritant as quickly as possible.
- Handling cold items - frozen food, laundry done in the cold cycle, thing from the fridge, etc.
- Water - any water that isn't from the hot tap will cause me to react. It's not necessarily under 10C but water sucks heat out of things fast. And rapid cooling causes a reaction.
So when you start to think about things like that a clearer picture forms. I can't have ice cream, or ice cold beer. I can't go swimming. Getting sprayed with a garden hose would be dangerous. I have to be quick handling things from the fridge or freezer, or get gloves, or just deal with the fact that my hands are going to react. And on and on.
You're going to have reactions
When I was first diagnosed and got on the Reactine and knew to bundle up etc. I mistakenly believed that I'd be able to get to a place through care and medication of being reaction free. Unfortunately this is not possible, or at least not likely I could go to the maximum dosage and stay there all the time and maybe I'd not react, but I doubt it. In my experience the meds only limit the severity and duration of the reaction and don't actually prevent it.
Also this isn't like a nut allergy where I can just stay away from nuts. Cold stuff, or stuff that causes rapid cooling (like water) is everywhere. I have to walk in it, touch it, breath it, etc. there is just no way I'm going to be reaction free. But that is OK. I've learned that part of having CU is coming to terms with the fact that I'm going to have reactions.
The goal has to be as few reactions as possible and no big and dangerous reactions.
Reactine (Cetirizine) isn't perfect
About a year after I was diagnosed I started suffering symptoms that for all the world looked like Rheumatoid Arthritis. So much so that it was starting to affect my mobility and daily life. But as I went for test they all came back negative. So I started to wonder what had changed that might be causing these symptoms. The only thing I could think of was that I was now on 20mg/day of Cetirizine so I did a web search on longterm use of Cetirizine at higher than the over the counter dose (10mg) and found that I was not alone. Many people reporting joint pain and other symptoms. So I stopped the Cetirizine and poof all my joint pain and fatigue went away.
Luckily there are a multitude of options for daily antihistamines so I just switched to another and haven't looked back.
Things I'd tell people who have a friend that has been diagnosed with CU
The number one thing is don't say stupid shit when someone comes to you and tells they have Cold Urticaria (or Heat Urticaria, or Stress Urticaria)
Things like "Well, bundle up" or "I hate the cold too" just don't cut it.
Now I completely get that it is not an everyday situation and there is going to be that uncomfortable "Oh crap, what do I say...." moment. So let me give you a head start on it.
Instead of "well, bundle up/stay warm" which when you break it down really comes off like this:
Her: "My puppy just died" (I have CU and I'm kinda freaked out)
You: "Guess you better bury it then..." (Well, bundle up/Stay warm)
When we put it like that it is easy to see how it is missing the point.
As for the "I hate the cold too". It is a totally annoying response as CU isn't about 'liking' or not 'liking' it is about "If I'm not careful the cold (anything under 10C, 50F) could KILL me". That is a world away from "Brr.. My toes are freezing.. This sucks"
So, Better responses:
"oh Man! Does that mean no more ice cream, that blows"
"Shit, that must be rough/scary theres a ton of stuff that'll make you react"
"Gee, I bet that is complicated to manage day to day"
These all show that you kinda get it and don't come across like a brush off. Trust me your friend with CU will appreciate the good response.
I am writing this blog entry to explain to those that may not know the three models of doing things on the Internet. And also why it is important to understand them, to pay attention to them, and choose services and software that use the most correct model.
The three models are:
- P2P - Peer-to-Peer
They all have their strength and weaknesses and more importantly, they all have an impact on your rights and freedoms.
Centralized is the most common. This is your Google, Facebook, Pinterest, Twitter, Amazon, E-bay, Bank, Etc.
The centralized model has Big servers run by private interests (the site owners/Company) located in some place of their choosing which you use a browser or mobile App. to connect to. Typically all data is stored on the remote server.
This model is perfect for things like banking or online shopping. Just like in the real world you go to the place of business to shop or bank. It is also very appropriate for information type websites news,stocks,weather,sports scores,etc.
The important thing to remember about this model is that you do not control the server and therefor you do not control the data on the server. For the sites mentioned above, no biggie. For things like Facebook,Twitter,etc that live and die on user generated content (your stuff, your data) it's a huge biggie. Once your data is on their server it is usually considered "their data". The User Agreements of such site almost always stipulate that they can do what ever they want with what you upload.
The centralized model is also the easiest for the government to spy on, sensor, control, and shutdown. Because all the data on the server is owned but Company X all the government has to do is legally compel Company X to hand it over. In this way encryption like HTTPS is null and void. Governments can also just seize and shutdown servers they don't like. Also if Company X gets tired of running the server it and all your data will just go Poof and disappear from the Internet.
Considering all these things it is easy to see that the centralized model is both the least free (as in your rights and freedoms) and the most fragile. A lot of service providers out there could be whipped off the Internet by one good flood or other disaster happening to their main server.
This model is less known and understood by the average person today but it is actually the most common model used in the early days of the Internet. In this model instead on one server (or server farm/s) owned by one company there are many small servers that all talk to each other (federate) to provide a service. This model is used for E-mail, IRC, Usenet, XMPP, UUCP (yes I know that is ancient and deprecated), and newer system like pump.io and Tor. The strength of this system lies in the fact that no one owns the system.. sure they may own a server or two but no one owns the whole system. If a server goes down you just switch to another one.
This model is much harder to sensor, shutdown or control. Servers can live in different countries with different laws and governments. Typically the software to run these kinds of servers is small and easier to install and maintain. This means that anyone with a bit of work and understanding can set up an server and become part of the network of servers. If a government wanted to shutdown the service they'd have to block access to every single server, or a majority of them, to make the system unusable. Not so easy. Spying wise it is harder too. If the government compelled Google to hand over all E-mails (you can be pretty confident that they have/are) it doesn't get them any mails going from email@example.com to firstname.lastname@example.org.
Users typically use some sort of "client" software to connect to their server of choice and interact with the system as a whole. They don't have to worry about what server their friend is on because all servers in the system talk to one another. So email@example.com can email firstname.lastname@example.org no problem, no worries. As you can see from that example the part that comes after the @ actually refers to what server someone is on in the system. The same is true for XMPP addresses, SIP (proper Voip) addresses, webfinger addresses (pump.io), etc.
There is still the problem of your data on their server.. but as a federated system passes the data from server to server people running federated servers tend to act more like custodians of the data then owners of it. People tend to run these types of servers to offer a public service. OK, well not the Google's of the world. But places like Riseup or Ostel.
Peer to Peer (P2P)
In this model the client software is also the server. All clients on the system talk to and can connect to all other servers on the system. These systems are highly dynamic (servers coming and going all the time) and tend to be very connection and bandwidth heavy because everyone has to help move everyone else's data around.
In a P2P system no one owns the data it just lives out there bouncing from client to client. This means that for most P2P systems you have to be willing to give resources to the network. You have to let the P2P network use some of your bandwidth and disk space.
As you can imagine this is the least easy to censor or shutdown model, and also, if it is done right the hardest to spy on. Because of this many people see the P2P model as a freedom and privacy Panacea. But the truth is this isn't the best model for all things. I don't want to be trading huge chunks of bandwidth and disk space just to see what the weather is going to be like tomorrow. Also because of the dynamic nature of the network and the problem of where stuff is stored relative to who is online the P2P model isn't really the best for "store and forward" applications like E-mail. Sure there are things like Bitmessage but if Bob isn't around for a day or two after Sue tries to send him a bitmessage her software will have to try sending it again. If they have really bad timing it could take months for Bob to get the message. Where in a federated system Sue would send the data to her server of choice which would send it to Bob's server of choice which would hold on to it till bob came online.
People in remote locations or developing countries may not have the bandwidth or disk space to share. There are people in the area where I live for whom a P2P system could easily eat their monthly data allotment in a day or two.
Even tho a P2P system that used good encryption for transfer and storage would be very hard to spy on these systems are complicated beasties and are prone to other forms of attack, resource depletion, evil clients that do things like say they'll forward that data but then throw it away thus vanishing it from the network, governments running a ton of clients to analyze the traffic flow and figure out who is talking to who or even who is who, etc.
It is also important to note that many P2P systems like Bittorrent and Bitcoin do nothing to hide your IP address, so there is no anonymity. Many people are confused and think that P2P automatically means anonymous.
Which is Best
There really is no one best model. The important thing is to try and pick the services that are using the right model for the right job and be aware of the trade offs
- more right but more resources (P2P) - Heavy on bandwidth, CPU time, and disk space but no central server, just other people using the software.
- No rights but fast, easy and light on resource (centralized) - Where people running the service control everything. The rules, your data, who has access and how, etc.
- a bit of a mix (federated) where people running the many servers take the bandwidth and resource hit.
Things to watch out for are centralized sites that are trying to own and control your data, and a newer trend of big companies trying to push the workload onto users by using P2P technologies. Netflix has eyed this to take some of the load off their servers by making people watching a show also stream that show to other people watching the show.. great for them.. terrible for your bandwidth.
Pay attention to which model a service is using and you have a much better ideal of how it effects your rights, freedoms, data, bandwidth, and disk space.