The Distraction Industrial Complex

People are spending huge amounts of time scrolling through feeds.

I'm not talking about chat apps like Snapchat or channel apps like Twitch. Those are cool.

I'm talking about algorithmic feeds of posts that scroll forever and ever off the bottom of the page.

Posts with Upvotes or Hearts or Likes. Posts with Retweets or Shares or Revines or Reblogs.

The biggest offenders are Twitter and Facebook.


Feeds suck. 

When was the last time you scrolled thru a feed and felt refreshed and invigorated?

Felt you'd learned something new and useful?

Felt that it was time well spent?

Most of the time you read a social feed it's just a quick diversion, a way to procrastinate. It will give you a few mildly funny things to snort at and a few terrible things to get mad about and maybe a photo of someone's suntanned feet on a white beach with a clear blue ocean in Thailand so you can feel a little #fomo.

You feel kind of bad afterwards. You know you're just wasting time, but it's hard to stop. So hard, in fact, that Facebook now has a BILLION DAILY USERS.


How did it get this way?

1. The companies DGAF about you

The cliche is that if you're not paying, you're not the user, you're the product.

More precisely, ad impressions are the product. Every hour you spend feed scrolling creates ad impressions, which are sold to advertisers for a few cents per thousand.

Turns out, every hour you spend scrolling is sold for surprisingly cheap.

Facebook made $18b in revenue in 2015 from about a billion daily active users, each of which use the site for an average of about half an hour a day, 365 days a year.

That means that to Facebook, an hour of your time is worth just under 10 cents.

18b USD per year / 1 billion people / 365 days a year / 0.5 hours per day = 10 cents per hour

Facebook is the blue whale. You're the plankton.

(Wait, $18 billion? Ten cents per hour? Does that mean roughly 180 BILLION HUMAN HOURS were spent Facebooking in 2015? Why YES IT DOES!)


2. Feed companies make their feeds as compelling and distracting and addicting as possible

They're constantly experimenting, tweaking their product. Anything that makes you waste even more time per day, ships. This is called Driving User Engagement.

After years of optimization, they've come up with some pretty powerful ways of keeping people Engaged.

The top nav bar always hovers over your feed as you scroll, showing bright red notification bubbles, begging for clicks. The smallest things trigger new notifications. Some dude you met once at a party three years ago clicked Like on a picture of your butt while you were squatting on #LegDay. Ding!

By default, every notification hits your email or buzzes your phone or both.

The feed suggests new friends. The feed suggests reposting years-old content ("Memories"). The feed suggests Liking things that your Friends Liked. The feed suggests putting a french flag in front of your profile pic.

They've reduced the effort to participate down to a single tap. Just say Yes.

All this extremely low effort content floods out to your 1000 or so closest friends' feeds. Jim Bob just changed his profile picture. Ding! By default, almost every action you take is public.

Infinite scrolling feeds start at the very top every time you open the app. There's no way to pick up where you left off last time and efficiently catch up. Instead, you just have to scroll down and down until you notice posts you've already seen before. This is by design!

Reposts (retweets/shares/etc) and non-chronological feed algorithms mean that new and old posts are interleaved. You can scroll for a really long time and never really know when you're "done". While you scroll, the bright red notification bubble lights up again because there are now "9+" new posts since you started reading. Clicking sends you all the way back up to the top.

I'm sure they A/B tested this and found that it makes the Average Session Time go up.

Such User Engagement. Wow.


3. Feeds reward the wrong stuff

Sexy photos. Baby photos. Beer drinking photos. Happy Birthday posts. Political screeds. Thoughts and prayers.

Feeds are random. They have no coherent theme. That makes them unsatisfying.

If you watch thirty minutes of Netflix, it's not exactly productive, but you do get the satisfaction of a coherent story with a beginning, middle, and end.

Thirty minutes of feedscrolling is neither productive nor particularly satisfying. It's a random stream of bite-size miscellaneous posts.

It's just there, always in your pocket, always a finger flick away. It can be consumed anytime, anywhere, in bed, standing in line, sitting on the toilet, at lunch, or in a boring meeting. Maybe that's why 85% of video on Facebook is viewed with the sound turned off.

So the content is low effort and the consumption is low effort, too. The whole feed is mostly noise.


How do we fix it?

Well, ideally we'd nuke the Distraction Industrial Complex from orbit and build a better way of hanging out over the internet.

A new way that prioritizes quality over quantity. 

A new way that respects our attention and values our time.

If we can dream, maybe our New Way will even be free from centralized control.

Until we can make that happen...

Here are a few simple fixes that worked for me

Uninstall the apps from your phone. 

You can keep Messenger, but get rid of Facebook and Twitter. At the very least, turn off the notifications. There's nothing healthy about having your pants buzz every time some dude from middle school Wants To Play Candy Crush Saga With You.

Take a break from Twitter. 

If Sam Altman can quit, so can you.

It helps to block twitter.com from your hosts file.

Update: if you want to keep Twitter but avoid distraction, check out this new Chrome extension, Kill Tweet Stream. Nate Goldman made it after reading this post (!) and he's the boss.

Install Kill News Feed.

That way, you can keep your Facebook and use it for events and chat, but without getting sucked down the rabbit hole of "news".

Install uBlock Origin.

The faster we can get to 100% ad-blocker adoption, the faster this business model of wasting billions of hours of people's time for ten cents per hour will die.

--

Kill the feeds and enjoy the sunshine!

How To Make Your Electron App Sexy

Electron is excellent.

There's a long history of ways to package HTML and Javascript into an installed desktop app. The result usually feels like a web app detached from the rest of the OS.

Electron makes it easy to do better.

Electron exposes lots of deep OS integrations thru simple Javascript APIs, so you can have a single clean codebase instead of having to code against three different C++ and Objective C libraries for Windows, Linux, and Mac.

Using npm and electron-prebuilt, you can also keep your build simple and clean. No node-gyp, no native compilation at all. Things that are a pain in most environments, like installers and automatic updates for multiple platforms, are easy here.

Feross and I used Electron to make WebTorrent Desktop recently. We were surprised by Electron's quality and attention to detail.

Here's a list of things you can do to make your Electron app feel native and pro.

(If you're new to Electron, check out the Quick Start. First things first! This post is for people who already know Electron, but want to make their apps even better.)


The List

  • Dock and tray integration
  • Notifications
  • Menus
  • Shortcuts
  • Drag and drop
  • Crash reporting
  • Signed installers for all three platforms
  • Automatic updaters for Mac and Windows
  • Fast startup
  • One-step build

WebTorrent Desktop implements 10 / 10.

How does your app score?


Dock and tray integration

On Windows and Linux, you can minimize to tray.

(You can do it on Mac too, but you probably don't need to since Mac has the dock.)

This is great for running in the background or running automatically on system startup.

If you're making a decentralized app, you probably want to do this to keep your network healthy.


On a Mac, integrate with the dock.

Show a progress bar when the user might be waiting for something to finish.

Show a badge when work finishes while your app is in the background.

Caveat: only some Linux distros support the tray correctly. Check that you're on one of them--otherwise, your users will have no way to quit your program if you hide the window and your tray icon doesn't show up. See checkElectronTraySupport for a workaround.


Notifications

Desktop notifications work on all three platforms. They're really easy to use.

Stay concise. Don't go over 256 characters, or your message will be truncated on Mac OS.

Here's an example with custom sounds: a satisfying "ding!" whenever a file finishes downloading.

Play sounds using the normal web audio API. You'll want to preload them. Here's a nice way to do that.


Menus

Electron gives you nice declarative menus on all three platforms.

You can use them in lots of places: context menus, dock icon menus, tray menus. Most are optional but the one you'll always want to implement is the window menu.

Follow each platform's conventions for what goes where. For example, if you have Preferences, Mac users will expect to click YourApp > Preferences while Windows users expect Window > Preferences and Linux users expect File > Preferences.

If you have a button for something, give it a menu item anyway. Two advantages: it makes your keyboard shortcuts discoverable, and it makes actions searchable under Help > Search on a Mac.

See it in action here: menu.js.


Shortcuts

Electron supports two kinds of shortcuts: menu shortcuts and global shortcuts. 

Menu shortcuts are great. New users can click around and learn what's available. Power users can use your app very efficiently.

Follow each platform's keyboard shortcut conventions. Electron makes this easy: for example, you can specify "CmdOrCtrl+O" as the accelerator for Open, and it'll be Cmd+O on Mac and Ctrl+O on Windows and Linux.

Global shortcuts work even when your app is not focused. For example, if you're running WebTorrent Desktop in the background, playing an audiobook, while using Chrome in the foreground, you can still use the play/pause button on your keyboard (F8 on Mac) to control WebTorrent.


Drag and drop

If you want to let users drag files into your app, you'll need to handle three separate cases.

When someone drags files onto the window of your running app, you'll get the regular HTML5 drag-and-drop events.

When someone drags files onto the icon while your app is running, you'll get a special Electron open-file event.

When someone drags files onto the icon while your app is not running, the OS will run your main process with special command-line arguments. You'll have to handle those.


Crash Reporting

Electron has built-in Crashpad support so that you can get a report when a process crashes.


You might also want to be notified of uncaught Javascript exceptions. You can do this:

  • In the main process with process.on('uncaughtException')
  • In the renderer process using window.onerror

Your server will need an API endpoint to save the crash reports. Check out the WebTorrent website code for an example of how to make one.


Signed Installers

You must sign your installers. Otherwise, you'll get a scary full-page red warning on Windows that says your app is "untrusted", and modern Macs in their stock configuration will refuse to run your app altogether.

Here's a build script that does this for Mac and for Windows.

Getting certs:

To get a Mac signing certificate, sign up for an Apple Developer account. It costs $100 a year.

To get a Windows signing certificate, we recommend Digicert. The documentation for Windows app signing is surprisingly bad. If you go with the wrong vendor, they'll ask you to mail them notarized paperwork. That makes it a slow and annoying process to get the cert. Digicert is easier: they just send you a password via Certified Mail, you go to the post office, show your ID to pick it up, and bam, you get your signing certificate.

You do not have to go thru the Mac App Store, unless you want to. If you do, your app will be sandboxed and you may have to change the UX slightly to accommodate the extra restrictions and permission prompts.

You definitely don't need the Windows App Certification Kit. WACK is wack, and also kind of obsolete.

Consider starting an organization to own your project's domain and certs. It looks a lot more legit if a user downloads your app and sees "Do you want to run this file? ... Publisher: Webtorrent LLC", than if they see "Publisher: Jim Bob". There are other advantages as well. In California, starting an LLC costs just a few hundred dollars and a few hours of time.

Keep your signing certificates safe. At a very minimum, they must never be sent via email or checked into a Github repo, even a private one. In fact, certs should never ever be online at all. Store them offline, passphrase-protected. Back them up onto a thumb drive, preferably an encrypted thumb drive, and keep it safe.

Once you get your first million users, your auto updater is basically a botnet with a million nodes. With great power comes great responsibility.


Automatic Updaters

Your app is getting better every week. Remember Flash back in the day, nagging you to Please Upgrade To The Latest Version? Don't be that guy.

Ever since Chrome popularized autoupdaters eight years ago, users have come to expect software to just continuously get better and fix bugs automatically.

Writing your own reliable auto updater is hard. Fortunately, Electron has already integrated with Squirrel, which makes it easy.

Squirrel only works on Windows and Mac.

For Linux, I recommend checking for updates as you would on the other two platforms, and simply popping up a notification if a new version is available:

Here's a bit of code that checks for updates on all three platforms: updater.js

Your server will need an API endpoint to tell the app which version is the latest. This can be really lightweight. You can offload the heavier work of hosting binaries to Github Releases.

Here's our server code for the updater API.


One-Step Build

16 years ago, a smart guy named Joel Spolsky invented the Joel Test for whether a software project has its act together.

#2 on his list: Can You Make A Build In One Step?

Yes, you can! Electron makes it pretty easy to automate your build. And you can do it without any fancy tools like Grunt or Bower.

Check out WebTorrent Desktop's build script. With one command, npm run package, we can:

  • Run the linter and tests
  • Package the app for all three platforms
  • Create signed installers for Mac and Windows*
  • Create binary deltas for the auto updater

* (Almost. Right now we still need to do the Windows code signing on a separate Windows machine, but there's a bug that should be fixed in the next few weeks that will allow us to build an entire release in a single command on a Mac.)


Fast Startup

You want your app to start quickly and smoothly. If it doesn't, it won't feel native.

Check out Spotify, for example. After clicking the dock icon, the window takes a long time to appear. Once it does, it first flashes grey, then some DOM elements appear, then the style changes, then more elements appear. Each time, it reflows, so the elements bounce around.

It feels like a web page loading over slow internet, not like a native app. (Spotify's UI is built with HTML and Javascript, but it doesn't use Electron.)

Make your app load quickly.

Step 1. Measure

Right at the start of our main process index.js, we call console.time('init')

Then, once the window (renderer process) has started and sends us an IPC message saying it's ready, we call console.timeEnd('init')

That gives us a bottom-line number to get as low as possible: the total startup time.

Step 2. Get your DOM right the first time

If you use functional reactive programming, this is easy. What you see is a function of your state object. The state object should be correct and ready to go the first time you render your DOM---otherwise, the DOM might have to change immediately after your app first renders, and the elements will jank around.

In our case, WebTorrent Desktop loads a JSON config file before the first render. This only adds a few milliseconds to our couple-hundred-millisecond startup time.

Step 3. Defer loading of big modules

We bisected using console.time() calls to find out which requires() were taking the longest, and cut our startup time almost in half by loading those lazily. They are loaded either the first time we need them or five seconds after app startup, whichever comes first.
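The two halves of that step, timing individual requires and deferring the slow ones, fit in a couple of helpers. This is an added example, not WebTorrent Desktop's code; the "load on first use or after a delay, whichever comes first" rule is the one described above, and the injectable scheduler parameter exists only so the timer path can be exercised without waiting.

```javascript
// Added example, not WebTorrent Desktop's code. Measure how long a single
// require() takes, which is how you find the modules worth deferring.
function timedRequire(name) {
  const start = process.hrtime.bigint()
  const mod = require(name)
  const ms = Number(process.hrtime.bigint() - start) / 1e6
  return { module: mod, ms }
}

// Defer a heavy module: it is loaded on first use or after delayMs,
// whichever comes first. The timer is unref'd so it never keeps an
// otherwise-finished process alive. `schedule` is injectable for testing.
function lazyRequire(name, delayMs = 5000, schedule = setTimeout) {
  let mod = null
  const get = () => {
    if (mod === null) mod = require(name)
    return mod
  }
  const timer = schedule(get, delayMs)
  if (timer && typeof timer.unref === 'function') timer.unref()
  get.isLoaded = () => mod !== null
  return get
}

// Usage: instead of `const zlib = require('zlib')` at the top of index.js,
//   const getZlib = lazyRequire('zlib')
//   ... later, on first use: getZlib().gzipSync(buf)

module.exports = { timedRequire, lazyRequire }
```

Because require() caches, the cost is paid once either way; the only thing that moves is when, which is exactly what the startup measurement from Step 1 sees.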

Step 4. Colors and CSS

Make sure your window background color, which electron sends down to the OS, matches your CSS background color. Otherwise, you'll see flashes of white when the app is starting and again when you resize the window quickly.

---

Now we're already doing a lot better than a lot of apps. The window shows up quickly and with the correct background color, then a fraction of a second later the UI shows up.

One last improvement: by adding a CSS fade-in, the window shows up and the UI smoothly but quickly fades in, instead of popping up suddenly. Try it both ways---we think this feels better:


Conclusion

1. Make It Native

When on Mac, your app should look and feel like a Mac app. When on Windows, it should feel like a Windows app.

2. Make It Fast

Measure your startup speed. Keep it well under a second.

3. Keep It Simple

Your users don't care if you're using Flux and Redux and React and Bower and Grunt and Less and Coffeescript. Plain npm, plain Javascript, and plain CSS go a long way. Electron supports require() natively, so you don't need Browserify.

WebTorrent Desktop uses no preprocessors at all and no build system except npm. Spend your energy on things that give your users pleasure!

Bruce Lee said it best--

The height of cultivation always runs to simplicity. 

Art is the expression of the self. The more complicated and restricted the method, the less the opportunity for expression of one's original sense of freedom.
To me a lot of this fancy stuff is not functional.

Happy Hacking!



Silicon Valley Political Contributions

American political contributions above $200 are public record.

This Federal Election Commission database lets you search who's contributed to whom. It has lots of interesting information about all kinds of people, including some that are close to us here in Silicon Valley.

Let's take a tour!

 

Y Combinator

Sam Altman and Paul Graham both contribute to progressive candidates.


A16Z

Marc Andreessen contributed only to Democrats and to a nonpartisan PAC that advocates tech company interests.

I found this surprising, since he sounds like a right-of-center libertarian on Twitter. I guess not.

Skewering Hillary hypocrisies is a bipartisan sport


Ben Horowitz donates mostly to Democrats. He was especially active supporting Obama.

This is pretty funny because it looks like Ben originally donated to Romney's first primary campaign way back in '07, then had a change of heart and made the maximum contribution to Obama '08.

He then made an even bigger contribution, $33,400, to the Democratic Hope Fund in 2015--and yet the donation receipt says it's for the 2012 election! How is that possible?

A. You can donate more to a Joint Fundraising Committee than to an individual candidate.

B. Political campaigns are often in debt years after they're finished and continue fundraising to pay it off.


Google

Sergey Brin contributes to Obama and the Google PAC.

Larry Page makes yearly contributions, only to Google PAC. Yes, there's a Google PAC and they in turn fund basically everyone in congress.


Facebook

Mark Zuckerberg. Funded a wide range of congresspeople including archconservative Utah Senator Orrin Hatch.

Sheryl Sandberg. Funded a bunch of people. Strictly Democrats.

Dustin Moskovitz. Contributed just once, giving the maximum allowed amount to Sean Eldridge. Eldridge is an interesting guy. He's a gay, married Canadian-born Democrat and one of the youngest people to ever run for Congress. He lost to the incumbent Republican by 29 points...

Dustin's contribution looks like it was made out of idealism and personal friendship. Sean Eldridge's husband Chris Hughes was another cofounder at Facebook.


Palantir

Joe Lonsdale

Stephen Cohen

Nathan Gettings

Alex Karp

I would've thought that libertarians who once wrote for the Stanford Review would donate to the Republican party and to Liberty Caucus candidates like the Pauls Ron and Rand. Nope. Joe is the most consistently Republican, but the others are mixed, also donating to local liberals like Anna Eshoo and the occasional left-wing civil libertarian like Ron Wyden.

What about the fifth Palantir cofounder, Peter Thiel? That brings me to...


The Billionaires

Peter Thiel gave a lot of money to a lot of candidates, pretty much exclusively Republican. Peter is a gay libertarian Silicon Valley icon who sends money to hardline family-values "born-again" evangelical social conservative Ted Cruz. I don't get it either.

Jeff Bezos donates primarily to Democrats

Elon Musk donates to everyone and their mom and to both parties' committees. At least one hapless government paperwork transcriber thinks he's the CEO of "Space K". 

Anyway, for a company as reliant on federal legislation and federal contracts as "Space K", it probably makes sense to spread donations across both parties and lots of congressional districts.

Elon Musk is still the greatest. He's just doing this because he has to. The ULA has a cozy, seemingly corrupt relationship with the government that goes back decades, and Elon's imperative is to compete with them.

Don't hate the player, hate the game.

K Street in Washington DC is the Sand Hill Road of federal lobbying


What I've Learned

  • Big tech companies have their own PACs. Palantir PAC. Facebook PAC. Amazon PAC. There's even a Blue Origin PAC. They all donate to both parties.

  • Some rich donors have an ideological agenda, like Peter Thiel. They really commit to specific, ideology-driven candidates like Ted Cruz and Rand Paul.

  • More often, though, rich donors throw smaller amounts of money at both parties. The money goes to big, generic organizations like the DCCC and the RSCC. It goes to local congresspeople with safe seats, like Barbara Boxer.

    The $1k, $5k, occasionally $30k amounts involved are peanuts for these guys. It's not traditional quid-pro-quo corruption--but they are definitely paying for something. I think it's access and attention. I'd be willing to bet $10k buys you the ability to call a congressperson and talk to them directly, instead of having to leave a message with a staffer like a pleb.

  • There's a lot of variance. Some tech leaders, like Peter Thiel, donate millions year after year. Others, like Roelof Botha, don't show up in the FEC database at all.


The current system is one where the average congressperson spends more than four hours a day fundraising

Where every successful startup grows up to have its own PAC.

That doesn't seem healthy.


How can we fix it?

Thirsty for War

I just got this banner ad trying to recruit me. Sums up the general tone of the defense industry perfectly. Hubris, nationalism, and technologically sophisticated bombers.

But what do they mean by "America Wins. Again."?

You'd never know it from our movies and TV shows and political rhetoric, but we have not been winning.


We lost the war in Afghanistan. After almost $1000b, 14 years, several thousand American lives, and several hundred thousand Afghan lives, Afghanistan is a failed state. The country harbors more terrorists than when we started, the Taliban is still around, and still controls significant chunks of the country.

We lost the war in Iraq. After a staggering $1700b, 13 years and counting, and several hundred thousand lives, Iraq is more dangerous than it was under Saddam Hussein and its remaining people are worse off. The country is split into three warring parts: a nearly failed state in the south, Kurdistan in the northeast, and the Islamic State in the north. 

We switched reasons. First it was weapons of mass destruction, then a nation-building exercise to replace dictatorship with democracy. Thomas Friedman even tried to justify it as a generalized collective-punishment retaliation against the Arab Muslim world for 9/11. "We could have hit Saudi Arabia. We could have hit Pakistan. We hit Iraq because we could." Charming dude.

Pick any of those justifications. They all failed. There were no WMDs. The nation-building could not possibly have gone any worse. Most of the Islamic State's heavy weaponry comes from America. It's a frustratingly familiar story. We arm "the good guys" and then the weapons "fall into the wrong hands".

George Bush declaring victory twelve years ago.

We lost the war in Libya. The story played out surprisingly similarly to Iraq. The old dictator was killed. Some politicians declared victory. The resulting stable US-friendly democracy didn't quite work out that way. Just like Iraq, Libya is now split into three warring thirds, one of which is part of the Islamic State.

Hillary Clinton declaring victory four years ago.

Anyway, Lockheed, Northrop Grumman, Raytheon, and co are doing great. Profits are record. Shareholders are happy.


It's a jingoistic and amoral industry.

These companies lobby for war, though they prefer to use words like "intervention" and "military aid". They provide lucrative jobs to lots of former generals and politicians in exchange for promoting their agenda and helping them win contracts. This is called the "revolving door"--a euphemism for salary-and-bonus-based corruption.

Even now, after all of the above, they are still pushing for deeper involvement in the Middle East, telling their shareholders it would be good for business.


Many Americans want to go back to being a nation of peace. 

That doesn't mean we're isolationists or pacifists. It's good to speak softly and carry the world's biggest stick. It's cool to quietly underwrite the freedom of allies like South Korea and Japan and Taiwan.

It's not cool to be in a state of endless war. The average voter couldn't even tell you which countries we're currently bombing. (Iraq and Syria by jet, Afghanistan and Pakistan by drone, and Yemen by proxy.)

War should be a last resort and strictly for self defense. We should crack down on the corruption of the military industrial complex. We need a voice. We need leaders who are serious about peace.

We Need A Better PC

My challenge: I'm trying to get a computer that doesn't suck

Like lots of people I spend about half of my waking life on my laptop, so this really matters.

However, I don't want a Mac.

Apple has great design, but they sell things that are locked down, both physically and in software. You're not supposed to open them, you're not supposed to replace parts, and if they break you're supposed to take them to your nearest "Genius Bar". Not my style. Also, Apple makes beautiful hardware, but their software is getting worse.

Whatever your opinion about Apple, we can agree that there should be a least one good alternative.


No problem, I thought, I'll get a PC

So a year ago I bought a System76 Galago UltraPro, because it's fast and sleek and it comes with Ubuntu. It's also modular and hackable, easy to take apart and put back together.

Unfortunately, it turns out System76 doesn't actually make their own stuff. The Galago is just a rebranded Taiwanese Clevo W740SU. Here's my Clevo compared to one of iFixit's Macbooks:

Like most computers that don't have a glowing white apple on the back, the Galago has questionable build quality. It's made of plastic, the screen flexes a lot, and the battery lasts three hours on a good day.


No problem, I thought, I'll get a Thinkpad

Lenovo is pretty much the only PC manufacturer that has a reputation for good industrial design and quality hardware. So I went to their website to see what I could buy.

Wow, that is some bad web design. Tons of fonts and colors. Tons of tiny text. Popups. And that's just one of their many series. They display low ratings for their own products on their own website. What.

Among all of this information overload, simple information is missing.

For example: I did my own research. For what I need, their best computer by far is the 2016 X1 Carbon, which Lenovo introduced at CES recently. It is thin and beautiful, it's solidly built, it has ten hours of battery life and a screen sharp enough that Apple would call it a Retina display. When is it coming out?

Apparently it's already available--sweet!

Except that page is deceptive, because that's actually the old X1 Carbon, with a low res screen and without the new Skylake processor. The new X1 Carbon will ship later this month according to third party news sites, so buying the old one today would be a bad deal. Intentionally or not, Lenovo's own product page tries to trick you into doing just that.

Then there's the part where Lenovo, like most PC manufacturers, bundles crapware with every computer they sell. A few months ago, in a perfect storm of malice and incompetence working together in a big corporate environment, they went one step further and decided to factory-install straight up malware. They completely broke HTTPS and left their customers insecure--all to further "monetize" you by injecting extra ads into websites you visit.

The 2016 X1 Carbon still looks really good, but after all that I would rather not give Lenovo my business.


It's downhill from there.

Lenovo comes closest to Apple in building quality hardware. Other PC manufacturers, like Acer and HTC and HP, have the same problems Lenovo has, but with worse build quality and an unfortunate penchant for injection-molded plastic. Their designs look cheap. The Microsoft Surface is well built, but that's a tablet, not a laptop. The Chromebook Pixel is good, but that's not a full PC, it's a limited system designed to run Chrome and Chrome Apps.


Conclusion: everything sucks... so far

What I want is a computer with:

  • Decent build quality
  • Decent performance and battery life
  • A decent website. It doesn't have to be an icon of web design, like apple.com. It can be simple and utilitarian, like an Amazon page. It just has to be honest and up to date. It should contain pictures, text, and a Buy button.
  • A clean OS without crapware or malware factory installed

Is that too much to ask? Make one and you can have my money!


Panopticon

There's a dark and scary trend in technology. A true panopticon, where bureaucrats can plot the movements of every citizen on a map minute by minute, read every message, know at all times who's talking to whom, is technically possible today to the extent that it's not already here.

That kind of power imbalance between people and their government is a threat to freedom everywhere, both in places that have democracy and in places that don't have it yet. More powerful tools for an authoritarian state to suppress a group who desire rights or freedom or a more participatory government have never existed.

Fixing this, not just through policy but through technology, is critically important.

Panopticon refers to a 19th-century prison design. The wardens can always see you, but you can't see them. Surveillance is about control, especially when it affects a whole population simultaneously and continuously.

Here's what I think needs to happen.

  • E2E must be the norm for all personal communications. Signal and WhatsApp have delivered huge progress toward that for calls and texts. I’m working on end-to-end encrypted email.

  • Software distribution must use deterministic builds and multisigs. Gitian and bitcoind are great examples. The current norm, where every device you own can be auto-updated to run anything by a bunch of different organizations at any time, is not OK.

  • Software must be open and auditable. Closed source is acceptable on the server, but everything I run on my device should be either open source, sandboxed, or both.

  • Hardware must be open and auditable. I should be able to check that my phone is not hardware backdoored. Anything that is not open--such as the baseband processor--should be untrusted at the hardware level.


Where do we start?

Easy Email Encryption

First, the good news. There's been a lot of progress toward letting people talk to each other securely. Signal is amazing, and it showed the world that strong cryptography can be clean and easy to use even for our smart but nontechnical friends. It proved that end-to-end encryption is not just for nerds who use PGP and Linux and go to "keysigning parties".

WhatsApp is rolling out end-to-end encryption to 800 million people, most of whom have never heard the word "cryptography" and have no idea what a "key" is. It's incomplete and imperfect, but still a huge step forward.


Unfortunately, while there's been lots of progress for messaging apps, email is still insecure. This sucks because email is the system of record. Messaging apps come and go. The messages themselves are often ephemeral as well. If you lose your phone, all your SMS and all your Signal messages are gone. Messengers deal in plain text... sometimes you can add pictures or emoji.


Email is more real. It's an open standard. It lasts forever. It's global. It supports rich text and attachments and everything. It's the modern replacement for mail, for quills and parchment and envelopes. Here in America, the Fourth Amendment guarantees people

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures

That there could be a big building where bureaucrats rip open every letter, read it, reseal it, and send it on to its destination, like in East Germany, sounds ridiculous. We're a free country, that's not how we roll. And yet that extra letter, the e in email, the implementation detail where mail is sent digitally rather than on literal paper, seems to void those protections. In countries like China and Kazakhstan, people are even more vulnerable. It's a chilling thought: a democracy movement, like the one that liberated Chile 25 years ago, might be impossible today because we've accidentally made it easy for states to read all mail.


To fix this, end to end encryption must be the default--not just for WhatsApp, but for email. We also need metadata security. To protect freedom of association, an observer shouldn't be able to tell who's talking to whom.


An idea...

1. You install a new mail app on your laptop. It's open source and well vetted.

2. You log into Gmail, your university mail, all the accounts you have. The app syncs your mail. You have a modern mail client with a nice UI and fast search, even when you don't have internet.

3. Bob installs the app as well. The next time you send him an email, it's automatically encrypted, signed, decrypted, & verified.

I want to do for email what Signal did for texts: I want to make end-to-end encryption easy.


Under the hood

Key exchange is automatic and centralized, like Signal. Encryption using Axolotl provides forward secrecy.

Finally, we want metadata security. We don't want to leak who's talking to whom, so we'll send all encrypted mail with a hardcoded From and Subject.

Of course, Bob's app will show him the real, decrypted From and Subject.

The last piece of the puzzle: we can’t just connect to our outgoing mail server directly. That would let it see your IP address and your recipient’s email address, again revealing both sides of the conversation.

Instead, we'll send all outgoing encrypted mail thru Tor.

Easy to use encrypted email, with modern crypto, providing both content and metadata security.
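Here's the envelope described above worked through in Go, as an added example rather than code from the post or from any real client: the real From and Subject travel only inside the encrypted body, the outer headers are the hardcoded constants, and Bob's side recovers the inner message. AES-256-GCM is assumed as a stand-in for the Axolotl session cipher, and the placeholder sender, addresses and key are all constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"io"
	"net/mail"
	"strings"
)

// Every encrypted mail leaves with the same From and Subject; only To stays real so it can be delivered.
const wireFrom, wireSubject = "encrypted@example.invalid", "Encrypted message" // constructed placeholders

// gcm wraps a 32-byte session key in AES-256-GCM, standing in here for the Axolotl session cipher.
func gcm(key *[32]byte) cipher.AEAD {
	block, _ := aes.NewCipher(key[:]) // fixed 32-byte key: NewCipher cannot fail
	aead, _ := cipher.NewGCM(block)   // AES has a 16-byte block: NewGCM cannot fail
	return aead
}

// BuildWireMessage is Alice's side: the real message becomes the encrypted body of an outer message.
func BuildWireMessage(key *[32]byte, realFrom, to, realSubject, body string) string {
	inner := fmt.Sprintf("From: %s\r\nTo: %s\r\nSubject: %s\r\n\r\n%s", realFrom, to, realSubject, body)
	aead, nonce := gcm(key), make([]byte, 12) // 12 bytes is GCM's standard nonce size
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		panic(err)
	}
	blob := aead.Seal(nonce, nonce, []byte(inner), nil) // nonce || ciphertext || tag
	return fmt.Sprintf("From: %s\r\nTo: %s\r\nSubject: %s\r\nContent-Type: application/octet-stream\r\n"+
		"Content-Transfer-Encoding: base64\r\n\r\n%s", wireFrom, to, wireSubject, base64.StdEncoding.EncodeToString(blob))
}

// ReadWireMessage is Bob's side: parse the outer message, decrypt the body, parse the inner message.
func ReadWireMessage(key *[32]byte, wire string) (*mail.Message, error) {
	outer, err := mail.ReadMessage(strings.NewReader(wire))
	if err != nil {
		return nil, err
	}
	blob, err := io.ReadAll(base64.NewDecoder(base64.StdEncoding, outer.Body))
	aead := gcm(key)
	if n := aead.NonceSize(); err == nil && len(blob) >= n {
		if plain, err := aead.Open(nil, blob[:n], blob[n:], nil); err == nil { // tag check rejects tampering
			return mail.ReadMessage(strings.NewReader(string(plain)))
		}
	}
	return nil, fmt.Errorf("encrypted payload is malformed, tampered with, or for another key")
}
```

The To header still has to be the real recipient or the mail can't be delivered, which is exactly the leak the Tor hop above is meant to hide from the outgoing server.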


Could this work? Would you use it?

Let me know your thoughts!

Playing to Lose

Ever since the Citizens United Supreme Court decision in 2010, you can give as much money as you want to political candidates. $1000, $1m, $100m, any amount at all, through the pretty thin legal fig leaf of a Super PAC.

As a result, a lot of people worry about corruption, about donors buying elections. Lots of people have already written about that. Glenn Greenwald did it especially eloquently. I've got nothing to add there.

However, I did notice a second, more subtle bit of trollery: donors not buying elections.

Check out this sweet graphic of all the big 2016 donors. The usual suspects, like Jeb Bush, have lots of them: Ray and Nancy Hunt gave him $2m, Trever Rees-Jones of "CHIEF OIL GAS LLC" gave him another $2m, and so on for another 45 big donors. Presumably they're hoping that he'll become president and then remember them as his supporters. In short, they're trying to buy an election.

(Not that it worked in this case. Bush is at 3% in the latest polls, in sixth place, right behind Rand Paul. LOL!)

Bobby Jindal, by contrast, has just one big donor: a guy named Gary Choest, who gave him a nice round one million dollars. But unlike Jeb, Bobby Jindal was never expected to win. He was never in any danger of becoming the Republican nominee, let alone president --- so why would someone discard $1m like that on an extreme long shot?

His company gives a clue: EDISON CHOEST OFFSHORE. Offshore means offshore drilling, and a lot of that happens in the Gulf of Mexico. Without even Googling it, I guessed that they're based in Louisiana, where Bobby Jindal is governor... and sure enough, they are!

Unlike Donald Trump, who will presumably go back to playing golf and banging his Slovenian supermodel third wife in a gold plated hotel suite if this president thing doesn't work out, Bobby Jindal is a serious politician with real local clout. Jindal has already ended his presidential run and is back to governing. He has veto power over new Louisiana laws. He decides where bridges are built (hint: to the offshore oil hub of Port Fourchon, using some of the BP oil spill settlement money).

My guess is that Mr. Choest knew that Mr. Jindal wasn't going to be President, and gave him $1m anyway! Because running for President raises your national profile. And it's fun. And it's cheap. A mere $1m wouldn't get you into Jeb Bush's top 10 donors, but with Jindal it makes you his one big supporter, the one who made the whole adventure possible. 

And for the CEO of a big offshore oil services company in Louisiana, that's got to be worth something.

Holy Complexity, Batman

Nylas N1 is a slick, modern email client. It is built to be extensible. All of that is awesome.

It's also staggeringly complex for a program that shows you your email.

  • It’s built as a thin client, with the actual IMAP syncing handled on separate servers

  • The server-side Sync Engine is written in Python and uses MySQL under the hood, with a lot of scaling complexity because it has to handle potentially millions of accounts.

  • The “thin client” is an Electron app, which means it bundles pretty much all of Chromium

  • The client is written in Coffeescript+React+Flux+Electron and uses Sqlite3 to cache the same data on the client. Totally different tables than the ones in MySQL on the server, though.

  • The client is a lot more complex than a typical React app, since it has a custom package architecture, complete with “ComponentRegistry”, “roles”, and so on

Cherry on top: N1 comes with its own custom ORM written in Coffeescript, complete with SQL highlighting so that it prints pretty logs.

Long story short, here’s the game of telephone that happens to show you your inbox:



How can we simplify?

Auto Pwn

Once upon a time, a software upgrade was a physical box with a CD. It looked like this:



Then the internet happened, and companies started using “update managers”.



Things got spammy. Every time you’d turn on a computer, it would ask you if you want to update Java and please upgrade to the latest Adobe Acrobat Reader.

A lot of people just ignored the upgrades, leading to version skew. (That's where people are using many different versions of the same software.)



So if you made a web app as recently as 2011, you had to make sure it works in Internet Explorers 9, 8, 7, and best of all 6. Fun!

But in 2008, Google shipped Chrome with a new invention to fix this problem.

As Chrome developer Ben Goodger explains,

Autoupdate is one of Chrome's killer features. [...] Long before we launched publicly in 2008, the autoupdate project was one of the very first we started working on. The idea was to give people a blank window with an autoupdater. If they installed that, over time the blank window would grow into a browser.

How cool is that! 

No more version skew. No popups. Every time you run Chrome you get the latest greatest version. 

There was just one problem.

It worked so well that auto update became ubiquitous. Today, the thermostat where I live auto updates itself, over WiFi. Things that used to be simple are now complex and flaky. For example, my phone will occasionally just grow a new bug one morning and, say, the camera stops working. Not all teams are nearly as reliable and careful and awesome as the Chrome guys.

Not all teams are as trustworthy as the Chrome guys, either, which means there's a much bigger problem:


Through ubiquitous auto updaters, we’ve totally pwned ourselves.

There are now probably 10+ separate organizations that can run arbitrary code on my laptop whenever they want. Same for my phone. Fundamentally, that’s how most auto update mechanisms work.

Most updaters connect to a central server, and if there’s a new version available, they automatically download it and run it.

That’s convenient, but now you're at the mercy of whoever controls that server and has that signing key (assuming they even sign updates, which not all of them do). Just last week, Kazakhstan announced they’re going to MITM all HTTPS traffic in their country. Other governments with similar impulses but a bit more subtlety can leave HTTPS alone but compel their companies to issue an autoupdate. If they want to be sneaky, they can serve a clean version to most users and a compromised version only to specific people, filtered by IP. Compelling Google to do that for you is probably hard, but what about some dude who wrote a Notepad++ plugin?

A popular program with an autoupdater is a lot like a botnet. The owners can push some code. Within a few days and without any more human intervention, millions of computers are running it. The difference is users install them by choice!


How can we fix this?

Autoupdaters aren't going anywhere. They're too useful. So the question is not "how do we get rid of autoupdaters", it's "how can we make a secure autoupdater".


If we must have autoupdaters, I’d like mine to use multisigs and deterministic builds.

It works like this: multiple people have to sign each update, say four out of a list of six trusted keys. Those are held by six different people, ideally spread across different countries. Trustworthy people and organizations, the same ones who are doing the code reviews and audits. When a new version is ready, each of those six checks out the code and builds it themselves. Because it’s a deterministic build, if they’re all using the same commit hash, they’ll all get the same binary, byte for byte. Finally, they sign with their key.

This makes pwning people thru the auto updater a lot harder. There’s no single private key that one person can lose, giving an attacker that power. Getting four out of the six signers to sign an update with, say, a backdoor, is a lot harder than one.

Finally, it would add some accountability. Companies, auditors, and open source developers would be signing their name to each release. I’d like to know which people have the power to run code on my machine. Today, there are a lot of people who have that power, and I have no idea who they are.


Let's fix it!