
The Beanstalks Project aims to give people full control over their personal data and presence on the World Wide Web: we believe your privacy on-line should not be held hostage by faceless corporations' ever-changing "privacy policies".
We also hope to create a small, creative company where we can have some fun and change the world just a little bit for the better.
How? We'll provide more details soon...
Today the Beanstalks Project reached an important milestone: the company received its very own credit-card and we immediately put it to good use, renting computers to run our systems on.
We now have servers in the UK, New Jersey and California, thanks to the excellent people at Linode.com.
World domination, here we come! :-)
"You can't take something off the Internet - it's like taking pee out of a pool." ~Unknown, 1995
On this topic, our friend Brian posted an insightful piece on his blog, discussing some of the reasons why deleting your data from an on-line service may be more difficult than it sounds: The delete that wasn't.
In other privacy-related news, the Diaspora guys have announced that their first release will be on September 15th. It will be very interesting to see what they have been up to this summer.
Another promising project is the Debian Freedom Box, which is a project to build a Debian-derived operating system for privacy-friendly home servers. If they do a good job, this has the potential to make it much easier for people who want to take control of their presence on-line.
Today the Beanstalks Project was officially recognized by the Icelandic authorities as an "einkahlutafélag", the most common form of company in these parts.
The official name of the company is "The Beanstalks Project ehf." and it lives in Reykjavík. Founders are Bjarni Rúnar Einarsson, Ewelina Barczuk and Már Örlygsson.
Next week, we are going to go hire ourselves and maybe even open a bank account or two.
Aside from paperwork to do with formally founding The Beanstalks Project as a legitimate company, the last couple of days have been spent refreshing my memory on the state of cryptographic security for web-sites.
Here are my findings, opinions and relevant links.
Web-browser security is based on cryptographic protocols named "SSL" and the more modern "TLS", which do two things:
These two capabilities provide the foundations required for things like on-line banking, tax returns or just shopping. This is all well and good, it's proven technology which works pretty well. The software is all available for free, and has been for many years.
So why aren't more web-sites using these protocols? Why is most of the web unencrypted?
Part of the reason has to do with speed; for various reasons, cryptographically secured web-sites are generally slower than those which aren't. Faster computers and networks have made this less of an issue, but for large sites with millions of visitors it still matters.
For all the smaller sites with moderate traffic, the main obstacles are money, paperwork and laziness. It is harder to build a secure web-site than an insecure one.
The key ingredient for a secure web-site is a "certificate", a form of digital ID. Technically, it's just a very large, carefully chosen number. The software required to generate this number is available for free, you can do it yourself and the process only takes a few seconds. So far, so good!
The kicker is the next step: in order for your certificate to be accepted by common web-browsers (Firefox, Internet Explorer, etc), you have to get a trusted (but not necessarily trustworthy) third party to sign it, which is another mathematical process which should only take a few milliseconds on modern computers.
These third parties are chosen by those who make the web-browsers, and they are generally for-profit companies that refuse to sign anything without getting paid first. They want dozens, or even hundreds of dollars for a few milliseconds of automated work. They justify their prices by making wild claims about security, but the general consensus is that they're just greedy (with at least one exception). They have of course set their prices at a level where businesses that need the security will just pay up, but the prices and the paperwork are still a significant hindrance to the rest of us.
Technically, you can go ahead and use an unsigned (self-signed) certificate on your web-site. But all the popular web-browsers make this very scary for your guests; when they reach a web-site using a home-made certificate, they see a warning like this. If they can figure out whether it is safe to proceed past that warning and how to do so, then they are more tech-savvy than the average Joe.
If you are a web-master, scaring people with messages like that is probably the last thing you want to do!
So, most people don't and the web remains unencrypted.
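An added example, not part of the original post: the certificate steps described above, run with the openssl command-line tool. A throw-away local CA stands in for the browser-trusted third party ("Demo Root CA" and "example.test" are constructed names), and the output shows the same site key rejected with a home-made certificate and accepted once the CA has signed it.

```shell
#!/bin/sh
# Added example: self-signed vs. CA-signed certificates using the openssl CLI.
# "example.test" and "Demo Root CA" are constructed names; the throw-away CA
# below stands in for a browser-trusted signing company.

DEMO_DIR=$(mktemp -d)

make_certs() {
  d=$DEMO_DIR
  # The site's key pair plus a home-made (self-signed) certificate.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=example.test" \
    -keyout "$d/site.key" -out "$d/selfsigned.crt" 2>/dev/null || return 1
  # The stand-in third party: its own key and root certificate.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Root CA" \
    -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null || return 1
  # The site asks for a signature by sending a certificate signing request.
  openssl req -new -key "$d/site.key" -subj "/CN=example.test" \
    -out "$d/site.csr" 2>/dev/null || return 1
  # The signing step itself is this single command.
  openssl x509 -req -in "$d/site.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -days 30 -out "$d/signed.crt" 2>/dev/null || return 1
}

# trusted_by ANCHOR CERT: succeeds if CERT chains to the trusted ANCHOR file.
trusted_by() {
  openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

report() {
  if trusted_by "$1" "$2"; then echo "accepted: $3"; else echo "REJECTED: $3"; fi
}

make_certs || { echo "openssl failed" >&2; exit 1; }
report "$DEMO_DIR/ca.crt" "$DEMO_DIR/signed.crt" "CA-signed cert, CA trusted"
report "$DEMO_DIR/ca.crt" "$DEMO_DIR/selfsigned.crt" "self-signed cert, CA trusted"
report "$DEMO_DIR/selfsigned.crt" "$DEMO_DIR/selfsigned.crt" "self-signed cert, trusted by hand"
```

The third line of output corresponds to a visitor clicking through the browser warning and accepting the home-made certificate: trust is established by hand, for that one certificate only.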
In my opinion, doing things securely should be easy and should be the norm. The current situation for web-sites is analogous to drivers being charged double or triple just for the ability to lock their cars. It makes no sense!
There is no good reason you shouldn't get a free, signed TLS-certificate every time you buy a domain. Creating the certificate is just math! But selling certificate signatures separately is such a profitable business that the power of greed keeps that from happening. It would be nice if some domain registrar would show some initiative and change that, but let's not hold our breaths.
However, it is something I am keeping in mind as I work on Beanstalks.
Like everyone else, I hate spam.
In a previous job, I worked on a team developing anti-spam solutions for e-mail, so I know first-hand that it is a very hard problem. In certain fundamental ways, it is a problem which cannot be solved by filtering technology alone, as one man's spam is another man's valued e-mail.
Starting the Beanstalks Project, we are beginning with a clean slate. The domain is new, all the e-mail addresses are new, we don't yet receive any spam! It's really nice. But we know it won't last; eventually our addresses will end up on the spammers' lists and the crap will begin to flow.
We cannot stop it, but we can hope to slow it down a little.
In addition to using Google Apps and Gmail, which come with an excellent spam filter, there is one non-obvious technique we are trying out: throw-away e-mail addresses. It requires a little bit of extra work on our side, but not very much.
For any of our publicly visible contacts, roughly once a month, I create a new address like so: "info.month2010.beanstalks-project.net". This isn't an actual new mail-box, but rather an alias, or nickname in Google terminology. Then I go update our web-site so any mention of last month's throw-away is replaced by the new one. All in all, the whole process takes less than 5 minutes once a month, which I consider a pretty modest investment of time to keep our inboxes free of garbage.
To do this from the Google Apps management console, click on "Users and Groups" and then the name of the person who is to receive the e-mail. Roughly half-way down the page there is a "Nicknames" section where you can add and remove these throw-away addresses.
The throw-aways are the only addresses we list publicly on our web-site. We also use them when filling out on-line forms where we don't really trust the other site not to add us to some marketing list or other. After a while, we'll simply delete the outdated address and never use it again. Generally I expect each throw-away to live for 2 months at most, but nothing prevents us from creating longer-lived ones if the need arises.
For proper correspondence with people we actually want to hear from again, obviously we use our real addresses: we don't want the throw-aways to end up in our friends' and customers' contact lists!
This won't stop all the spam: many spammers use lists which are created by viruses which infect people's computers and harvest addresses directly from their contacts. But it will stop all the spam that is directed to our most visible addresses, which should make a noticeable difference.
Time will tell how well it works.
This Computerworld article discusses some of the community efforts underway to provide more privacy-friendly alternatives to Facebook. It's worth reading.
The article also raises the question: is Facebook doomed to become irrelevant? Will it inevitably be replaced by open, interoperable systems? Is Facebook the AOL of our times?
Of course it is.
But not necessarily for the reasons cited in that article.
Basically, on-line social networking is simply too important to let a single entity control it. People are slowly realizing this, and governments will eventually follow: just like laws have been passed all over the world to break up telephone monopolies and foster competition, similar laws will be passed to govern the social networking space.
Facebook may survive these changes. It may not be doomed in the most dramatic sense of the word. But if it isn't made largely irrelevant by idealistic techies and innovative competition, eventually, government will step in and break up the monopoly.
The other day I bumped into someone who called my Beanstalks Project mysterious.
I don't think I've ever done anything mysterious before. How... odd.
The thing is, I don't mean to. I've always been annoyed by "teaser campaigns" and to be honest, I desperately want to tell everyone all about my idea. And I do, in person. If you don't want an excited nerd chewing your ear off and going on and on about some esoteric technological solution to something you weren't even aware was a problem, then I suggest you run away as fast as you can, if you see me heading your way...
I'm not afraid someone I meet is going to steal my idea and build a competitor. Most people are too busy with their own lives and projects to go off and steal mine based on a brief conversation at some bar. And although it's a simple idea (all the best ones are, right?), there are still only a small number of people out there with the technical skills required to make it work.
The Internet however, it's another matter. The Internet is big. Really, really big. Huge! And on the Internet, there are people looking for cool ideas for something exciting to work on. Not very many, but there are some. There are also companies doing related things, which might think my idea would make a nice addition to their portfolio of services. Of course I accept that I'll have competition at some point, but I'm not in a hurry. So until I have something to show for my efforts and have established a clear head-start, I'm not telling the Internet exactly what I'm up to. Sorry Internet!
In a few short months, I hope that will all change.
Long term, I don't plan to rely on patents, or secrecy, closed source or other monopolistic practices so common in the software industry - I plan to release code and seek out attention, talk about what I am doing as loudly and frequently as I can. (If you want to be one of the first to hear about it, or think you might want to help out, join the Google group - it's free and not full of spam.)
But until then, apparently I'm mysterious on the Internet.
How exotic! :-P
It's all over the tech news today: Facebook has 500 million active users. Wow!
That's a huge number of people using the web to communicate with their friends and family. This is good news to us, since that is a big part of what the Beanstalks Project is about - building tools to help people communicate over the web. It is a huge market, with plenty of room for new players.
On the other hand, this is also a sad day for anyone concerned about privacy on-line.
Most of those 500 million people are non-technical people who don't understand the implications of entrusting their personal information, photos and thoughts to Facebook. I'd be willing to bet that under 1% of Facebook's recent converts have bothered to read the site's "Privacy Policy". Of those who did, only a minority will have actually understood it.
Of course, it can be argued that those who didn't bother to read it were right to not waste their time; Facebook will probably just change the policy when they feel it limits their business plans, just like they have in the past.
But that's old news, isn't it?
The big question really is, what can we do about it? Social networking is a wonderful tool, opting out and disconnecting from the social web isn't really an option for many of us. Fundamentally, that is why people accept the risks and tolerate the poor behavior of companies like Facebook: because the service they provide is so valuable. So we grit our teeth and log on. Until we have a viable alternative, not just equally good, but better, our privacy will remain "collateral damage" to this particular steamroller.
Before deciding to launch the Beanstalks Project, I spent a fair chunk of time researching what alternatives there are out there, exploring what other concerned netizens are building to "compete" with Facebook. It turns out there are quite a few projects, at varying stages of usability. I hope to write a bit about each of them in the near future, as I go through my list again and check what progress they have made.
I would really like for one or more of them to succeed, and the Beanstalks Project will hopefully be a small part of making that happen.
Today I re-launched this web-site, removing the requirement that people log-in to see what's going on. At the moment there is not much to see here, but if you are interested please join our Google group or subscribe to the blog's RSS feed.
Much progress has been made founding our little company: we have a business plan and some money to get us started. We have found some grants to apply for, we have experienced people giving us good advice and we have a slowly growing list of people to approach if we decide we need further funding.
Oh, and our technology does work - but polishing it and making it user-friendly, scalable and powerful will keep us busy for the foreseeable future.
And that's what the project is all about! :-)
~ Copyright © 2010, The Beanstalks Project ehf ~
~ kt. 590810-1500 ~ Baronsstig 39, 101 Reykjavik, Iceland ~