Skip to content

privacy

A new take on Email to Blog

tl;dr I have a new son, Jasper, and now need to share photos with friends and family. The existing tools (social networks, email, and SMS) are too invasive or only work with a handful of people before becoming SPAM so I built my own system using a static site generator and an email server. I think it is a novel configuration that may be interesting to people working on self-hosting projects or small group collaborations. Configuration details to follow in later posts.

Social Sharing

I have spent the past couple of weeks wrestling with a seemingly simple question: how do you share photos without using a social network? The recent birth of my son Jasper means that I have a newfound need to share pictures with family and friends but all the existing solutions are either invasive (social networks) or will only work for a handful of participants before turning your happy news into SPAM (email, SMS). Interestingly, I have found a rather large portion of my friends who are fine with social networks in general but not for pictures of their children. I also have a number of friends who use social networks for everything but feel SPAMed by people’s baby pictures there. I set out to find some better options to address this fairly widespread need.

Defining the need

Like any good technologist I started out by defining what I need from this social sharing tool and then turned those goals into technical requirements. The general goal is to have a tool that lets my wife and I privately share photos and text with family, builds an archive or record of what we post, will work with everyone’s software setups, and is easy enough to use that we actually use it. As I worked through some of the details of these goals I distilled them into these requirements:

  1. Must run on servers I can trust.
  2. Must use software people are already using or very general purpose free software.
  3. Must use authentication for reading and posting but must not require me to manage passwords for each user.
  4. Must not flood people with announcements.
  5. Must have browse-able archive.
  6. Must be able to post from and read on iOS devices.
  7. Cannot be harder to add content to than it is to send an email.
  8. The hosting software must require minimal maintenance and have minimal security risk.

The Candidates

With requirements in hand I started looking at the available technology out there for a solution. Five emerged for consideration: commercial social networks (facebook, instagram, etc), free software social networks (diaspora, frendika, etc), email, mailing lists, and blogs.

Commercial social networks

Facebook, Instagram, etc all run on commercial servers designed to datamine your social interactions and profile all participants so they fail criteria 1: run on servers I can trust.

Free software social networks

Diaspora, frendika, etc could be good fits for this situation, especially because, of all the self-hosted options, these offer the easiest fine-grained permission management. Unfortunately no one in my social circle is using them, including myself, so they fail criteria 2: use software people are already using.

Email

Email actually comes pretty close here, which is probably why it is the main tool my friends use for sharing photos of their children with family. Unfortunately, it does flood people so it fails at criteria 4 and it does not provide an archive for recipients so it fails criteria 5. People can build their own archive by saving all their messages but this only works for original recipients, not someone we add later or might have forgeten to include on some individual messages.

Mailing list

Mailing lists actually solve almost all the issues with email. You get a browse-able archive. People can manage their own subscriptions so they can unsubscribe if they are getting too many messages. People do need new passwords but the listserv software manages storing those and has built-in password reset capabilities. Unfortunately, I know many of my family and friends simply get so much email or have too few tools to effectively filter the email they get that even something as easy to process as a mailing list would be burdensome or get ignored. Ultimately, this still fails criteria 4: don’t flood.

Blog

This also hits a number of the big requirements, especially using a static site generator to achieve the low maintenance and security risk of criteria 8, but some challenges remain. The biggest issues are authentication and ease of posting. Since I will be running the web server I can use whatever authentication I wish but I do not want to have to setup and maintain passwords for all of my friends and family. Posting is simply hard, especially from a mobile device, and that is where my custom work comes in.

For authentication I looked into simplifying things with RSS. Many of my family members do use RSS readers for news browsing on their iPads and RSS clients are general enough that I would be comfortable telling family to install one in return for baby photos. I would also feel better about supporting individual passwords for client software than I do for general web pages because I know the websites will be viewed on multiple devices (requiring multiple times the password support). Sadly none of the free software RSS readers for iOS support authenticated feeds so this fails criteria 6: iOS required. I ended up settling on simple authentication with shared credentials for all readers and moving posting authentication to the email submission. If anyone knows of a free software iOS reader that can handle authenticated feeds, I would love to hear about it. The Android spaRSS reader worked wonderfully if anyone is looking.

For ease of posting I had a problem. Logging in and posting to a blog is just not easy enough, especially if you are posting a gallery of photos, which is the main purpose of the project. I knew that if things were more complicated than sending an email we would just end up falling back to sending emails and only our parents would ever hear about Jasper. I started looking at existing email-to-blog tools but all of these either require you to trust your blog software with your email login credentials or trust a third party to process your email and post your updates. I decided that email-to-blog was the right approach but that having my blog check email for me would break criteria 8: server software should have low maintenance and security risk. In the end I decided the only blogging software durable enough for me to configure and then ignore were the static site generators, none of which have an email-to-blog submission tool that I could find. So I needed to build my own.

The Plan

What I ended up designing, and am now almost done building, is a specially configured email server (postfix) that is set to only accept email from a couple of people, to pass those messages to a local script that converts them into blog-formated plain text files with accompanying directories of images, and then feeds that into a static site generator (pelican) sitting on my webserver (Apache). I used whitelists and some anti-SPAM tools on the mail server to control who can post based on their existing email addresses, which means my wife and I can post without needing new passwords or to remember to send the post from special accounts. Using this approach it is possible to turn postfix into a sort of file-based application server that may be useful in a number of situations. I think this approach has particular potential for those looking to build a system somewhere between the simplicity of static site generators and the complexity of dynamic tools like WordPress.

Currently the mail server configuration and the static site are both complete but the script to move the email messages along is still in process. I will write more detail in the next few posts on how I configure both postfix and pelican for this project and what some of the security considerations are for this using the kind of delegated authentication scheme.

De-Chroming the Acer c720 Chromebook

What is De-Chroming?

This talk is an instructional companion to the SFLC @ 10 Disposable Computing talk.

De-Chroming is the process of taking a Chromebook laptop, in this case the Acer c720, and replacing the Chrome operating system with a full-featured Debian install.

Why would you De-Chrome a laptop?

Perhaps you want access to all the great programs in Debian, perhaps you want a high security computer for use doing humanitarian work in hostile conditions, or perhaps you just want to tinker with some cool new hardware. There are many reasons you might be interested.

What do you need?

  • A small Philips-head screwdriver
  • A USB flash drive or an SD card with 100 megabytes free
  • A chromebook (this guide is for the Acer c720 model but other models are supported)
  • A wireless network

How to De-Chrome the c720 in 10 simple steps

This series of steps is designed to replace the default coreboot BIOS shipped on the laptop with a community-built version. This process brings a theoretical risk of bricking your device, which would require ~$50 of hardware and some technical knowledge to repair. You should be safe if you read all the instructions carefully but, if you would like to know more, take a look at the community wiki.

  1. Start the computer and log in to the chromebook guest account.
  2. Activate developer mode (note: this will delete all the user data on the machine so if you have been using the laptop you should back up your documents first).
  1. When you are logged in hold down Escape+Refresh(F3) and press the power button to reboot into recovery mode.
  2. Press Ctrl+D at the Recovery screen and then confirm that you would like to activate developer mode.
  1. Wait as it reboots and switches to developer mode, then shut down the machine.
  2. Remove write-protect screw as shown in: this video (available as mp4 or mkv).
  3. Reboot and re-log in as guest.
  4. Press Ctrl+Alt+t to get a Google terminal.
  5. In that terminal type “shell” to gain access to the full set of capabilities.
  6. Plug in your USB thumbdrive or insert your SD card.
  7. Run this command, which will download a script. (enter this as one unbroken line):

    cd; rm -f flash_chromebook_rom.sh; curl -k -L -O https://johnlewis.ie/flash_chromebook_rom.sh; sudo -E bash flash_chromebook_rom.sh

    Press 4 to backup your old BIOS and press 5 to install a community version from John Lewis.

  8. Once that has completed successfully and without errors, reboot. Now you can install Debian or your free software distribution of choice. If you received errors, do not reboot and seek help from the coreboot on chromebooks community.

Installing free software

Once you have replaced the default BIOS you will be able to boot from a USB device and install whatever version of a free software operating system you have handy. Everything on the c720 except for the bluetooth is supported with free software drivers so installation should be straightforward, though you may need to install the most recent kernel from your distribution to enable support for the trackpad. Some tips and tricks for dealing with any hardware issues you may run into are available from Kevin Keijzer’s blog on the FSFE site.

As with all of our SFLC machines, we install Debian and use the Debian installer to encrypt the hard drive. I am happy to report that that works perfectly well here whether you are installing to the internal drive or to an external USB thumb drive or SD card. That is important since, for most people, the only thing to consider when De-Chroming one of these laptops is what to do with the hard drive.

What to do with the hard drive

To keep costs down, Chromebooks are sold with hard drives that may be too small for most people to comfortably use as their only storage, generally 16 or 32 gigabytes. Those of us De-Chroming the laptops have a few general options for how to deal with this potential limitation: use it as is, replace the drive, or add extra storage with a USB drive or an SD card.

Use as is

16 GB is plenty of space for a Debian install, even using some for swap. This is especially true if you want to have your home partition on a separate thumb drive or SD card. This is also the cheapest and most straightforward option so, if cost is a factor or you just want to test out different versions of linux on the laptop, you should have plenty of space and can always expand it later.

Replace the drive

Larger SSDs are available for ~$50-60 online so if you want more space it is simple enough to just get a larger drive. Just make sure the disk you buy is compatible with the c720 laptop since there are a number of different format options available. There are only a couple dozen machines using these disks so far so any website selling them should list which ones are compatible. To replace the drive just open the case the same way you did to remove the write-protect screw and unscrew the one screw holding the drive in.

If I were going to use the laptop as my primary machine this is what I would do.

Expand the storage with USB or SD devices

Since the c720 has both a USB3 port and an SD card slot, it is easy enough to expand your available storage space with removable media. 64gb USB3 drives are available from $30-40 online. If you do not know how much space you will need, 64gb is probably enough space for you.

If you are buying a thumb drive you also have the opportunity to install the whole operating system to the thumb drive and leave no information about you on the laptop. This is particularly useful for people operating in high security situations like those doing humanitarian work in hostile countries, anyone who is worried about bringing a business machine back inside a secure facility, or anyone who is worried about having to decrypt a hard drive when crossing a hostile national boarder. With no information about you or your activities on the device, you can simply leave your laptop at whatever risky location you have traveled to and De-Chrome yourself a new one when you return to safer ground.

(Originally posted 2014-12-01 on the Software Freedom Law Center’s Blog)

Updated July 22, 2015 with options for updated script from John Lewis.

Information in this post may change over time. Check here for updates.

Technological Wizardry

The Washington Post editorial board just suggested that the tension between consumer’s right to encrypt their devices and the government’s legal power to access data with a search warrant could be resolved by magic.

Here is the final paragraph from Friday’s editorial Compromise needed on smartphone encryption:

How to resolve this? A police “back door” for all smartphones is undesirable — a back door can and will be exploited by bad guys, too. However, with all their wizardry, perhaps Apple and Google could invent a kind of secure golden key they would retain and use only when a court has approved a search warrant. Ultimately, Congress could act and force the issue, but we’d rather see it resolved in law enforcement collaboration with the manufacturers and in a way that protects all three of the forces at work: technology, privacy and rule of law.

They also seem to think that Congress could pass a law preventing us from using publicly available encryption technology on computers we own, which seems like a pretty big misunderstanding all be itself. Do you think they also want congress to mandate a secret unlock code for all physical safes sold in the US?

css.php