1
0
Fork 0
mayvaneday/blog/2023/august/interview.txt

345 lines
20 KiB
Plaintext
Executable File

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
VeeChit,
Normally I don't respond to emails that sound like requests for interviews
because they're invariably either an attempt to get me to dox myself or the
person asking the questions doesn't like how blunt and direct I am with my
responses and just calls me a bitch and tells me to kill myself. But today I'm
feeling reckless, so fuck it, I'll take the bait just this once.
> 1. What is the reason for your importance to security and privacy? Is it a
personal interest or a need that must be paid attention to?
I assume by "your importance to security and privacy" you mean to ask why they
are important to *me*, not how *I* am important to *them*. The answer is
straightforward: growing up in a repressive household where writing innocuous
poems online about being gay is worthy of being grounded and socially isolated
from one's support networks and friends for several weeks at a time will turn a
relatively outgoing woman into a paranoid and bitter one. The trauma of not
knowing whether or not sharing my opinions and viewpoints on things will be met
with violence at any given moment is a burden I have carried with me since
adolescence and will likely carry for the rest of my life.
Even though I now live on my own and have far more control over my life than I
did even a year ago, I still have a deep-seated psychological need to protect
myself technologically against random device searches, spyware, and attempts at
stalking through the Internet. I physically cannot bring myself to use any
operating system that doesn't have full-disk encryption either baked into the
operating system (any mainstream Linux distro) or can't be jimmy-rigged to have
FDE (Windows via VeraCrypt), so even though Haiku fascinates me, I can't use it
as anything other than a toy, a curiosity. All of my external USB drives are
encrypted. I store my files in plaintext or free-as-in-freedom file formats
whenever possible to ease the pain of potentially having to jump ship to a
different operating system at a moment's notice. (Since, you know, I might have
to use a different software suite there.) I use terminal programs whenever
possible so I can replicate my Debian setup on every computer I own regardless
of processing power, from my beefy gaming desktop to the ancient 32-bit tower I
inherited from my great-grandmother. If I lose access to one device for some
reason, whether a deliberate confiscation by a "well-meaning" family member or
theft or simply the device dies and doesn't work anymore, I can be up and
running on any other one I own within a few hours.
I am also increasingly paranoid of a potential shutdown or interruption of the
Internet. Living for years in a house with a piss-poor connection that
constantly drops out does that to you, I guess. I keep burned DVDs of the
Debian installer in my personal archives because one DVD will let you set up a
full Debian system with a pretty decent collection of software available for
further installation without needing any Internet at all. As Debian is my Linux
distro of choice, knowing I can bootstrap a new system (or a salvaged one)
without an Internet connection brings me great peace of mind. I also only use
software that can operate entirely without an Internet connection, such as
Hydrus (https://github.com/hydrusnetwork/hydrus). I felt very smug that week in
July when Twitter wouldn't let you see anything without logging in and the
whole Internet was complaining about all the content on the birdsite they
couldn't look at anymore and yet my local collection of funny images was
completely unaffected.
> 2. Considering the number of users of social networks and messengers such as
WhatsApp - Telegram, does it matter if I use Signal or Matrix or PGP email?
WhatsApp isn't used at all where I live. Telegram is only used by nutty
conspiracy theorists. Everyone I know just uses plain SMS. I have more to say,
but I hate repeating myself, so I'll just elaborate more in the next answer.
> 3. Why do people give the least importance to security and privacy? Is it
because of lack of information or not caring about this issue? For example,
most people do not use ad blockers, VPNs, open source software! Or they install
any program on their phones and PCs
You have to understand that most people have more pressing and immediate issues
in their life than the vague-to-them threat of corporate surveillance or vendor
lock-in. If you ask some random person off the street what their top five
concerns are right now, "privacy on the Internet" almost certainly isn't going
to make the list. They're going to say things like "making rent" and "the
rising cost of living" and "going bankrupt from a single medical bill". If
they're the type to glance at the news every so often, they might also say
"climate change" or "nuclear war".
In the disabled community, we have a concept called "spoons". Spoons are like a
measure of mental energy. Usually one gets a limited number of spoons each day
to spend on daily activities like doing one's laundry or feeding oneself or
tidying up the house... You get the point. (Hopefully.) The average person is
using all their spoons on staying alive. If they come home from work exhausted
and only have three spoons, they are going to spend those on making dinner and
showering and maybe some mindless Netflix consumption before collapsing into
bed. They're not going to be learning how to be a sysadmin and setting up a VPS
to self-host things. To them, that is like a second *unpaid* job with little to
no personal benefit. Maybe it would pad their resume out, but if they're not
looking for a tech job, what's the point to them?
Think about the misogynistic stereotype of the "wine mom" who likes to scroll
through Facebook and comment on cringy Minions memes and post unflattering
group photos of her family members taken during holidays. To you and me, she
might be hopelessly caught in the spiderweb of corporate algorithms sucking her
dry for data to feed to advertisers. But to her, she is just socializing with
the people in her life she loves. (Well, whichever ones are on Facebook,
anyway.) In her eyes, she is doing nothing wrong, and people like you and me
are trying to destroy her method of keeping in contact with far-flung family
members and trying to force her to absorb the equivalent of a computer science
degree in order to use a "fedi-what?" whose interfaces aren't nearly as flashy
and whose denizens are nasty and brutish and not as easily shut out as
exclusion from one's Facebook friend list would be.
"Normal" people don't care about privacy and security. They don't care if their
tools are proprietary or spying on them or could go away at a moment's notice
if the company behind them shuts down. They want to play games with their
friends (Windows) and socialize (Discord and every mainstream social media
site) and get help with their homework (Google search). "Normal" people are not
swayed by appeals to ethics or morals when it comes to their technology. The
most that letting them know their iPhone was made with Chinese slave labor will
do is momentarily make them feel bad; they will not stop buying iPhones. If the
privacy community wants to get "normal" people on board, they have to figure
out how to overcome the apathy and make their alternatives more convenient and
less expensive than what the "normal" people are already using.
I wrote a blog post a while back discussing many of these same ideas:
https://mayvaneday.org/blog/2021/september/not-harmful.html
> 4. Do you think having a site and YouTube channel and teaching people can be
useful? Or do people not care?
One of the questions further down in your email implies you want to start a
site (and you haven't already) and you're going around asking people for advice
on how to do that. Listen: you *have* to move beyond caring what other people
think. Trends on the Internet these days are frequently outlived by the common
housefly. If you base your entire online existence on being "useful" to others,
you're going to spend the rest of your life pursuing ghosts with little to no
reward. Chasing the dopamine of online validation is how we ended up with
platforms like TikTok and the lunacy that goes on there. If you're going to put
in the work to make a website, it has to be about something that interests
*you*. The motivation has to come from inside, not outside. You don't know
who's going to look at your site in the future, so you might as well have it
cater to the only guaranteed audience: yourself.
When I'm looking for a tutorial for something online, I always skip the YouTube
section at the top of the search engine results page or just put "-youtube" in
the query. Videos are clunky, bandwidth-intensive, hard to search, and not
easily updated. Don't bother making videos for YouTube unless you're mirroring
them elsewhere, like on a personal PeerTube instance.
> 5. Has the content of your site ever helped someone who thanked you or even
donated?
Literature? Sure, I get plenty of people emailing me out of the blue to praise
my poetry.
Writing about tech? Usually it's people trying to get me to play unpaid tech
support with unparseable grammar or the Lokinet devs harassing me once again
because I said their software sucks. Or it's an email full of misogynistic
slurs for the crime of being a woman on the Internet.
Nobody donates because I have no ways of donating listed on my site. Keeping
everything non-commercial gives me a legal advantage because, if someone tries
to argue copyright infringement or that I've done them some other damage, they
have no evidence that I've seen any monetary profit from the activities in
question. Plus then I don't have to deal with figuring out how to keep myself
pseudonymous from donors while still being able to convert the pretend Internet
money into something I can buy groceries with.
> 6. Why are you not a member of any social media such as Twitter - Instagram -
Mastodon?
Because they all invariably hate women. Every single damn social media site has
a culture where women and their opinions are only welcome if they're peddling
pornography or parroting the party line of the patriarchy. No dissent is
allowed. Even just the simple statement of "I'm a woman" is enough to get waves
of harassment, sexual or otherwise, sent one's way, and the platforms rarely do
anything about it because of the sheer volume of the abuse and "muh freeze
peach". (Have you ever read the book *Haters* by Bailey Poland? You really
should.) Even on a supposedly pro-woman platform like Ovarit, the misogyny
hounds me: I mainly stayed in the circles about technology, and people
frequently accused me of secretly being biologically male because I... knew
more about tech than the average poster. VeeChit, does that sentiment make any
sense to you? "Women are naturally incompetent at technology, so anyone who's a
woman and likes computers is secretly a man"? Because it doesn't make a single
damn shred of sense to me. Especially when coming from a group of
self-proclaimed feminists.
> In your opinion, what is the difference between someone who is not a member
of these networks and someone who uses these social networks?
A person who uses social media is just a person. A person who *doesn't* use
social media is still just a person. If you want me to be like those alt-tech
sites with Pepe frogs or Lain in the header who write thousands of words about
how they're morally superior for not using social media, you're going to leave
this email sorely disappointed.
The effect that a social media network has on you heavily depends on the social
circles you interact with inside that network. There's a world of difference
between the handful of Japanese fan artists that live in my RSS feed reader and
your average "RATIOOOOOO" poster who still consumes "offensive" memes better
left in 2016 and thinks unsolicited references to porn are the pinnacle of
comedy. But both groups are on Twitter. I've had respectful interactions with
people on Instagram the brief period I was on there, and I've had hate
campaigns against me on the fediverse. Sure, Twitter has an algorithm that
optimizes for making its users spend as much time as possible in the app, and
most fediverse servers don't. But clowns will be clowns no matter what circus
they're in.
In the same vein, I've met antisocial creeps who don't use social media but
will still probably end up in a jail cell for hate crimes one day, and I've met
perfectly well-adjusted individuals who like to scroll through their Facebook
feed during their lunch break at work. Holding the reductive opinion of "social
media users bad, non-users good" is unproductive and will just serve to make
you feel isolated and resentful.
> 7. What is the main advantage of being anonymous on the Internet?
People can't hate-crime you if they don't know what slurs to use. Then again,
if you never see any visible minorities on the Internet, if you never see any
opinions that go outside the zeitgeist of the average "straight white
middle-class American male"... it starts to feel like, if you don't fit the
profile of that aforementioned average Internet user, there's no real place for
you on the Internet. Either you have to pretend to be a member of a demographic
who hates your guts - a sheep wearing wolf's skin to avoid being eaten - or you
forgo your anonymity and risk being sexually harassed or having deepfakes made
of you in pornographic situations or doxxed and have violence inflicted on you
in real life.
But you specifically mentioned *advantage*, not *harm*. Assuming you're
*actually* anonymous and not the kiddie's idea of anonymity - "I opened an
incognito window so my daddy can't see my browsing history" - companies can't
advertise to you as easily because their data's all muddled up. If you have a
shared Whoogle (Google frontend) instance accessible over Tor and one person's
searching for programming tips and one's looking up video game walkthroughs and
one's doing price comparison on beauty products and one's doing research on an
ancient historical event, what pre-defined slot, what archetype, is Google
supposed to file any of them under? To Google, it looks like one singular
discombobulated person. I might be in the United States, but the Whoogle
instance might be in Brazil or some obscure European country. Have you ever
tried to turn on a VPN and then rawdog a YouTube video? I get weird ads for
products in Japan. I can't understand a single word of what's going on. The
advertising fails.
> 8. According to your experience, what is the best and most secure VPN
available that you recommend?
All VPNs are scams. Use Tor for the actually sensitive shit. There's nothing
worth watching on streaming platforms, but if you disagree, I leech off of
Riseup VPN for torrenting and I've yet to find a site that blocks me.
> 9. I am planning to start a site with Hugo, but I have no experience on the
server side to set up the web server and security matters... Can you help or
introduce a reference that you approve?
All CMSes are bloat. If you're running a hobbyist site and you feel like you
need seventeen build pipelines just to output some static HTML and CSS, you
seriously need to rethink the structure of your site. I've handwritten every
single page of my site since I switched off of WordPress, and I've never had a
problem.
> What web server do you recommend for clearnet and onion?
There is only one good web server in existence, and it's Caddy. Forget about
copy-pasting incomprehensible configuration files to make nginx happy. Here's a
perfectly functional Caddy site in only 5 lines of config:
mayvaneday.org {
root * /var/www/mayvaneday/
file_server
encode gzip
}
With that, I get automatic TLS renewal, file compression, and HTTP-to-HTTPS
redirection. No weird redirect blocks like with nginx.
Tor sites work the same. You just have to put "http://" in front of the
hostname so Caddy doesn't try to get a TLS certificate.
http://myonionhere.onion {
root * /var/www/mysite/
file_server
encode gzip
}
> 10. From which site should I buy a VPS - Domain, is it safe and accepts
Crypto?
The only way you're going to be "safe" when publishing is if you use Hyphanet
(formerly Freenet) for the whole thing. Otherwise you run the risk of at least
one component of your setup failing: your VPS provider kicks you off on a whim,
your domain provider revokes your domain, you self-host at home and the power
or Internet goes out, you mess up your DNS records and your domain points to
the wrong server...
If you stil insist on setting up a clearnet site, and your site is static HTML
and CSS, you're better off using something like Codeberg Pages
(https://codeberg.page) and then pointing a domain to it. My current domain
registrar is Namesilo. I *think* they accept crypto, but I don't know for sure,
and I don't really give a shit either way since I think all crypto is a scam.
(https://www.stephendiehl.com/blog/crypto-is-a-scam.html)
> 11. What do you think is the main advantage of using Ublock origin, Linux and
free software?
It throws a wrench in the corporate advertising machine. I believe advertising
is cognitive terrorism: companies are trying every trick in the book to force
you to spend time and energy thinking about them and their products. Even if
your sentiment on a product or the ad promoting it is bad, it's still worming
its way somewhere into your brain. I can remember advertising jingles and theme
songs from almost twenty years ago when I was still a toddler, *long* after the
original marketing dollars were spent. Corporations want to live in your head
rent-free. Why else would they make such annoying commercials on TV and
streaming services? Why else would over two hundred *billion* dollars be spent
every year (just counting the USA!) to compete for your finite time, attention,
and neuron space? (https://www.statista.com/topics/979/advertising-in-the-us/)
I'm at the point where I'm going to start committing acts of property damage.
Have you ever seen those photos of European countries where billboards are
banned along the highways? The gigantic swaths of pristine land unmarred by
corporate signage? It feels like I'm on an alien planet.
This is another benefit of having an offline-first setup. Advertisers can't
track me if my data's not going anywhere. They can't burrow their way into my
system like the ads in Windows 10's start menu if my system has no way into it.
> 12. In your opinion, which operating system do you recommend for security
work? Whonix - Tails - Qubes OS
"Security", or "secure"? If I was going to test the security of something, I'd
use Kali instead. Qubes is for when you don't trust your software. Tails is for
when you don't trust your network. Whonix is for when you don't trust your
ability to set up a secure environment and you just need a "good enough"
solution.
VeeChit, please tell me where you got this email address from and how you found
my site because, judging from the fact you addressed me as "Vanevander" without
the space and not as my actual name (Vane Vander), this smells a lot like a
mass email you fired off to multiple webmasters without reading any part of my
site first.
- - vclv
-----BEGIN PGP SIGNATURE-----
iQFOBAEBCgA4FiEEq2j4OrvQF4SeDEtjVj/VgT2D7rUFAmTT+A8aHHZhbmV2YW5k
ZXJAbWF5dmFuZWRheS5hcnQACgkQVj/VgT2D7rXnEgf9GQ8At0mbcp3f6N1FAMno
w+XDyF8eQQ0IHVnw542RN4Fx6aIp10b/hj2WTgSw2OHFfeljLvwk+NTadb6vR2R6
zgPjZHHusMZFBJWWaegf+SwDzeirmAtiVThru6yTnR22Cibn04qO2X949wo9UL3S
tdzWhIwMYiFe32sYuUFxxlQJRKEHjkshHed29YoyJ3lDU3M+nt7hVoeAaby/bzhV
9QtCjfcmf2l+AeXoymQylGv5pIRARy9m/ZsOQiTJEz2CC551R9sOvCWaQJiIHKhZ
1N4nFoLepaWyFwSSy8hJlvyDAUe9+heyJs1tXeA1UTXuYCZnaJaLnvk7YhRXJxOe
uw==
=vdGk
-----END PGP SIGNATURE-----