Saturday, February 14, 2015

Dear Mr. President: Let's talk about data encryption and the right to privacy

Dear President Obama,

In a recent speech, you said you wanted an open, public, discussion about data encryption. Great! Open, public, discussions between the citizenry and our elected officials are always interesting and useful so let's start to have that discussion. Right now, right here, just you and me.

Mr. President, you're a fairly young man who, I assume, isn't particularly savvy with advanced technology. That's not meant to be a disparaging comment, not all of us are. Some people are good with tech, others fill different roles and don't need to be good with tech. You fall into the latter category. But I bring this fact up because, not being a tech-centric guy, you likely don't remember the 'crypto-wars' of the 1990's. They were a brutal time when the government, much like this government, thought that all manner of crime would run rampant if they didn't have access to secret, encrypted, communications.

The government at the time tried various ways to protect itself from 'the bad guys' having encryption. They tried to say it was a weapon and could not be exported outside of the United States, they tried to convince people to store a copy of their encryption keys with the government 'just in case', and none of that worked. Ultimately, the Clinton administration gave up and encryption became the widespread beast it is today.

You know the weird thing, Mr. President? Online crime didn't skyrocket like the FBI and NSA had predicted, the government didn't 'go dark' where it couldn't enforce laws and catch bad guys. Sure, some bad guys might have used encryption and gone uncaught because of it, but the vast majority of them just didn't care. Most criminals just aren't that smart.

Today, many in our government are making the same arguments that were made in the 1990's. The same claims about law enforcement 'going dark' are being bandied about and the same players are the ones saying it.  Except now they're using scarier words like 'terrorism' and 'protecting the homeland from attack' and 'ISIS'. But the fact of the matter, Mr. Obama, is that criminals still aren't that smart. The vast majority of bad guys still aren't using encryption - or at least aren't using it properly so, really, law enforcement isn't particularly that locked out.

You've recently started talking about how the creators of security and encryption software should build in secret back doors that "only the government" can access when there is a "compelling need". This was actually one of the arguments the government made in the 1990's and here is why that doesn't work (please read this next statement carefully):

There is no way to build a government back door that only the government can access. Once the backdoor is there, it's open to anyone who knows it exist and knows how to open it.

This will include Russia.
This will include China.
This will include run-of-the-mill hackers

Everything that is wrong with the 'let's install a government backdoor' argument can be summed up in the statements above and anyone who knows anything about security knows that the above statement is true.

Now, sir, I understand that you will have some of the best and brightest minds in the industry working to carefully design these theoretical back doors that only the government can access. But, I have to ask, where will you get these mental giants? Will you look to private industry who, by the governments own claims, have lost billions if not trillions of dollars in security breaches involving their systems in the last year alone? If they can't design systems that are secure to protect themselves, how will they protect our secrets when they work for you?

Unfortunately, as you know, government IT isn't the answer either as only a few short years ago the Anonymous collective laid many agencies secrets open to the public and a single contractor was, only two years ago, able to walk out of what is arguably one of the most secure places on earth with over 50,000 documents.

Mr. President, I think it's time you realize what your predecessors eventually did: certain communication will always and should always be locked away from government eyes. A 'pressing need' because of some spectre of fear doesn't justify giving an arguably already overreaching government the power to spy into all our lives, innocent or not.  Our right to privacy can and does extend to corners the government can't see. While this may place certain people in uncomfortable positions and cause some 'darkness', such is the price we pay for freedom.

Will bad guys slip through the cracks? Yes.
Will encryption sometimes bring an investigation to a halt? Yes.

But even with those things being true, our rights stand. Rights are not secured or laid aside by convenience.

So what is the answer then? I would put forth that there is nothing wrong with continued, good-old-fashioned police work. The FBI and NSA have proven that they have a remarkable ability to coordinate investigations into crime using all of the data - and that's still most of the data flowing over the Internet- that isn't encrypted. The FBI still has the ability to break tough cases and obtain convictions even with encryption in place and getting better.  Training is the answer. Better, more technologically focused training. It's as simple as that.   

Mr. President, you are being presented with two opportunities here - two different roads as it were. On one side, you have the ability to stand with the American people and reaffirm the rights that you swore an oath to uphold - without conditions or convenience. On the other, you have the siren call of convenience, increased power, and an ever data hungry intelligence community.

Stop for a moment, take a deep breath, and think about the world you want to live in for the next 50 years, the world you want your wife and daughters to live in. Do you believe they might have things they don't want someone in Washington to know about? Should all of their secrets be laid bare because someone deems it convenient or have a 'compelling reason'?  Do you believe you and your family would be spared from such intrusion? I'd argue that you would be a valid target in some people eyes for it because you were President and 'you know things'. Is that the life you want?

It's certainly not the life I want for you either. I want a world where you can have secrets and you can have privacy. Where everything you say and do isn't subject to the microscope of data analysis. Where your daughters can make inappropriate jokes to their friends and not have to worry that those jokes will come back to haunt them 20 years later.  Maybe even where you could write a saucy love note to your wife and not worry that someone might read it. Nothing to hide, but still private.

I want that for you, Mr. Obama because you as an American - as a human being - deserve that privacy. But so does everyone else. Stand with the American people sir and be the champion we believe you can be. Stand with us as we asset our rights to privacy without conditions, without back doors. You are an American.

Tuesday, February 10, 2015

Google Talk is shutting down. Don't like Hangouts? Here's the solution!

In less than a week, Google will be shutting down its popular instant messaging service called Google Talk. Google Talk was Google's first attempt at building chat services right into your email but they also provided mobile and desktop clients too. Best of all, because they used XMPP (Jabber) on the back end, you weren't limited to talking to only other Google Talk users, you could chat with any user on any system that used XMPP.

Over the last year or two, Google has slowly rolled out its new "Hangouts" application. The idea behind Hangouts is simple: you have the ability to have a continuous conversation that includes pictures, video, and text, with the ability to move between multiple devices during conversations and pick up where you left off. It's a fairly decent system once you get used to it but not everyone needs "continuous conversation" and many people have contacts that aren't Google users. Unfortunately, because Hangouts is its own entity, it does not integrate with other systems. If you want to chat with someone using Hangouts, they have to use Hangouts too.

Thankfully, the same technology that Google is ditching for Hangouts, XMPP, is still widely used and readily available for anyone who might not want to use Hangouts or be too happy about Google's walled-garden approach to chat. A great XMPP server can be set up in less than 30 minutes and for about $5 a month. Best of all, you're not limited to who you can talk to and can chat to your hearts content with anyone on the planet who uses a Jabber service (unfortunately, this no longer includes Google users).

Here is what you will need:

- A $5/month VPS account with DigitalOcean (or a server of your own, if you have it)
- The Prosody XMPP server
- This tutorial
- A domain or subdomain for your server (not stricly required but useful)
- Each user will need a chat program. I recommend Jitsi but there are MANY.

For security, you probably also want to grab an SSL certificate for your service. You can get that from your favorite SSL provider (I recommend NameCheap).

Once you've gotten everything you need together, setting up Prosody is really a 20 minute or less job. Following the tutorial linked above, you'll be up and running and ready to accept user registrations in minutes with a fully secure and rock solid server. Best of all, your conversations truly are private and nothing goes to Google.

A discussion about chat programs:

Many people who've used Google Talk have used third-party tools like Trillian or Miranda to access their accounts. Accessing your new XMPP server is no different. Any chat program that supports XMPP (sometimes called Jabber) will work with your new server. I recommend Jitsi because it offers features such as fully encrypted text, video, and audio chat, that make keeping your conversations secure a breeze. But, really, in the end, the choice is yours. Try out a few programs (Miranda and Trillian should still work too) and see which best suites your organizations needs.

That's it! That wasn't too hard was it? Of course, there's a myriad of things you could do with your new XMPP server if you wanted to but there's nothing saying you can't just use it for awesome and secure chat with friend, coworkers, and family.  If you have any questions, or need help, don't hesitate to contact me and I'll lend a hand if I can.

Until next time!

Monday, November 17, 2014

How does an open source .NET effect Xojo developers

As most of you know, I live in two worlds as a developer.  Yes, I develop cross-platform application but that's not the two worlds I'm talking about. Specifically, I'm talking about languages.

For most of the last decade, I've been firmly planted in the .NET work, using C# to build new systems and web applications that ran on Windows and, for the last few years, to build embedded applications for a variety of different purposes by using the .NET Micro Framework.  But that only got me part of the way there. While Microsoft describes the .NET framework as 'cross-platform', it really means 'Windows and a few platforms we officially bless' (like the .NETCF stuff I mentioned above. It did not mean Mac. It did not mean Linux (not officially, at least). So that meant that, if I really wanted to go cross-platform, I needed to look elsewhere.

For me, that elsewhere was Xojo. Xojo is a programming language that is very similar to VB.NET and strongly delivers on the promise of cross-platform. Write our code onces on either Mac, Windows, or Linux, compile it for any of the other platforms and it will run unmodified. It's the promise of Java only better. It's like having the best of both worlds: the ease of .NET combined with the cross-platform nature of Java.

As you might imagine, reading news about Microsoft open sourcing .NET gave me a reason to reflect on the future of Xojo and if I really wanted to hitch my wagon to a technology made by a small company that very well could be obsoleted within a year or two if the .NET train delivers on its promises and actually goes fully and officially cross-platform. Does the promise of working in one. heavily supported, language and ecosystem provide everything a cross-platform developer needs? Does this mean that there is a looming end in the near future for Xojo?

Absolutely not.

There are roughly three places where ,NET technologies consume Xojo nearly wholely:

1. Visual Studio - While it's technically possible to write .NET code without Visual Studio, the IDE is so good that you're a fool if you do. Visual Studio has features that cater to the needs of just about every developer and it's amazingly stable. Add to that a rich plugin ecosystem that extends the IDE and you have one of the best development environments in the industry.

Xojo, by comparison, isn't even close to being there. The IDE has performance issues on some platforms, doesn't have a rich plugin environment, and can be slow even on supported platforms. And with the announcement of the Visual Studio Community Edition (which is Visual Studio Professional, free), the Xojo IDE being a paid product adds another challenge that the company needs to address. You can develop entire solutions in .NET, using Visual Studio without paying a penny. With Xojo, you're going to pay at least $99 just to write for one single platform.

2. Stability - I'm not going to pretend that Xojo apps don't have stability problems. Xojo developers learn to compensate for those issues with a variety of tricks but, the fact remains, I would never choose Xojo for a large scale project that required rock solid reliability. My choice would always be C# and the .NET framework. Thankfully, Xojo has been laser focused on this issue lately and it's getting much better so this might not be a problem for much longer. But, still, for the time being, .NET wins on this issue.

3. Documentation - I don't think anyone can deny that MSDN has some of the best developer documentation in the industry. Xojo, by contrast, has a wiki that provides decent doc but not full. There are still some methods and technologies that the developer is left to figure out on their own with very little guidance and no examples from Xojo. This, like item 3, is getting better but it's not there yet.

Out of the three items listed above, I think items one and two present the largest challenges to Xojo's future in the face of an open sourced .NET.  Thankfully, item one can be fixed pretty easily: rewrite the IDE, focus on stability and performance on all platforms.  Sure, that will take time but it's not insurmountable.

Item 2, on the other hand, presents a larger problem for Xojo. The company behind the language has a history of moving too fast and not fixing things in a timely fashon. For example, they're hard at work on giving Xojo users the ability to write iOS apps but there are several stability issues on the desktop that have never been addressed even after multiple releases. If the language is going to compete, the company needs to change this and start to take stability seriously.  I'd love to use Xojo in enterprise app development, but I'd have to be crazy to do that right now. That needs to get better (and it is) fast.

So my final conslusion is that Xojo can compete with open sourced .NET. It's going to be a bloody battle and one where Xojo Inc is going to have to be ready to make some changes to win, but it's a battle that can be won. Xojo users are fiercely loyal. We want to believe in the company and we're willing to fight for it. That's important. Xojo Inc just needs to saddle up and go kick some ass.