Becoming Uncle Jim
People are going to do what people want to do. It really is quite that simple. Open minds absolutely have the ability to recognize when a change in behavior is warranted, still so few actually end up making the requisite change at the earliest possible time. Often there ends up being some sort of drastic or traumatic event which triggers the change to take place, despite many warnings and even despite knowing this terrible event was likely to happen.
Much like Newton's first law states, a person's actions will tend to remain the same unless acted upon by an outside force. This outside force may take many forms; from the heavy-handed action of a government agency to the eloquent writings of others expanding the mind and altering an entire outlook on life. Many in the communities surrounding bitcoin and privacy or security in general spend hours upon hours writing guides or talking in chat groups with others they may well never meet in an effort to help them along their journey. This assistance generally relates to helping others set up their own security systems, to run their own nodes, etc. It hinges on personal responsibility; on not relying on trusted third parties wherever possible.
But what about our responsibility to those unable--or even unwilling--to do this for themselves? Is there a responsibility at all on our part? Is Joe Schmoe down the block entitled to the use of tools that you are hosting for your own little slice of digital sovereignty? Many would argue no, and I must admit I am inclined to agree. But what about family and friends? You know, those people you have been trying to explain bitcoin or digital privacy and security concerns to for years but that still have yet to buy the first sat or use the first password manager? Are they entitled to the use of your tools? It changes things quite a bit, sure, but maybe even they aren't entitled.
However, I submit to you that you do, in fact, have a responsibility to make every tool that is within your power to offer be at least available for use by your closest friends and family. This responsibility falls squarely on your shoulders precisely because you have recognized the potential pitfalls and have taken the action to begin hosting as much of your own data as possible. This is because this responsibility is not actually a responsibility to them; it is to yourself.
For most reading this, privacy and security concerns are nothing new, and I would venture to say most of you have your own personal data and security in a better position than 95% of the rest of the digital world. Now, if we only ever communicated or interacted with one another, this may well be good enough for most of us. The problem is, we do not only interact with one another. We most likely have daily interactions with others taking far less care with their digital privacy and security. So what does this mean for you? Well, have you ever sent any data that could be considered sensitive to a loved one? Has your loved one ever received any sensitive data about you in an insecure application or program that they are using?
If you think back on all the conversations and all the data that has been passed between yourself and your friends and family, I can almost guarantee you there is at least one incident that forces that all too familiar look of dread to appear on your face. I would argue it is very likely to be higher than just this one moment, depending on how long ago the digital privacy and security revelation happened in your household. The app or program that was used to pass that information--how strong is the security protecting that? Is it encrypted at rest? Is two factor authentication being used? How about something as simple as a strong password?
You may think you are unaffected, but a quick glance at the security breaches from just last year may reintroduce that same dread-filled look. Of all those passwords exposed, how many do you think are reused? The tools for hackers to use in an attempt to gain access to your accounts are readily available for download today. What's more, a survey of people recently found that only 45% of users would change their password even knowing for a fact their password had been leaked publicly. That statistic should shock you. A quick check on Have I Been Pwned may reveal any hacks you or your friends and family's emails have been exposed in, as well as any other information included in the incidents. Knowing only 45% of people will change their password even after being made aware it was exposed, and knowing that in the US alone up to 66% of people admit to using the same password across multiple services--How safe is your data?
Your digital life will always be under attack. That is just a reality of life in 2021, as we are more connected than ever, and people continue to search for the thing that makes life just a bit easier or faster. Quite often the more convenience a thing adds to your life, the more security and/or privacy it compromises to do so. Counterintuitively, one of the areas available to offer the most convenience, password managers, are overlooked. The vast majority of people are dissatisfied with the number of passwords they are forced to use in their daily lives. This is what leads to insecure, easy to remember passwords being used across multiple services, ultimately leading to increased danger for personal data and even in some cases finances. So what can you, the security and privacy conscious individual, do about it?
Get your family members, and if at all possible the friends you interact with, on to using a password manager. Password managers are not all created equal, and my recommendation is for Bitwarden. This service is open source, undergoes regular audits of its code and security, and importantly can be self-hosted by you, yourself, on behalf of your friends and family members. A vanishingly small number of people are willing to put in the time and work necessary to learn how to host their own data, even when it is something as important as the passwords you use to store sensitive information. Having the ability to host this program and then enable others to use it allows security and privacy to begin to scale. There are several different ways to go about hosting your own instance of Bitwarden, one I wrote about recently involved using a VPS and the YunoHost software. You may also use this same software and instead host on your own hardware using a small single-board computer like a RaspberryPi or even on a dedicated laptop running a VirtualBox VM.
You don't even need to have your own domain in order to use this program, either. If you have a laptop capable of running VirtualBox, you can spin up a Debian 10 VM, install the YunoHost .iso image, and use a default nohost.me domain to get your self-hosted Bitwarden up and running today. Right now. For free. When you install Bitwarden on your YunoHost installation, you will receive an email (see Using the Tools for info on configuring email forwarding) with information about the administrator page for your Bitwarden_rs server where you can enable new user registration. This allows any of your friends and family members then to download and install Bitwarden on their Android phone, iPhone, laptop or desktop computer, Chrome, Edge, and Firefox browser, enabling use on virtually any platform.
You can also host your own Bitwarden server using Docker by following some simple instructions if you have the necessary tech specs to do so. It doesn't require specialized equipment, most normal laptops or desktop computers will do, though it helps to have a domain bought (with bitcoin, naturally) to point this server toward.
Not Quite Finished Yet
Simply installing and running your own Bitwarden_rs server does nothing to remedy the problem discussed earlier. Sure, now your passwords are on your own server, but everyone else's are not. This is where your real responsibility to yourself come in. You cannot force someone to care about something, even when that thing is extremely harmful or detrimental to their own physical health, let alone to protect against an "unseen" enemy. So there is likely less value in trying to get friends and family to use your new server through scare tactics than it is to appeal to their sense of convenience. The most powerful enemy of privacy and security is undoubtedly convenience, yet in this particular case you have the ability to use that same weapon against it.
Instead of sending a link to a scary story that may not even get read in order to try and frighten your family members, ask them if you can install one little app on their device that will remember all of their passwords for them, and which will automatically pop up on any site where their password is needed and offer to fill in the blanks for them. It doesn't get much easier than that, and I would be willing to bet this tactic elicits a more receptive response. Tell them they need only remember one single difficult master password, rather than 25-30 different ones for each site or service they visit. Tell them this one little app will automatically generate them a brand new, strong, safe password for every site or service they will ever use.
Save that link to the results of their email address on Have I Been Pwned or the link to that scary article instead in your back pocket in case the question of "Why?" comes up. This way not only are you able to show them the danger of the problem, but you are able to offer them a solution that--contrary to nearly every other privacy and security tool--does not add friction to their everyday process, but in fact can reduce it tremendously. Few people are so dead set on reusing insecure passwords that they will absolutely refuse to hear any of this information, assuming you don't choose to offer it at the most inopportune time imaginable. They just want this stuff to work, and to work easily. You just want this stuff to be private and secure, but that means you need to make it "just work" as well.
Setting the application up to pull from your server is a very simple process, and you can either perform this for them or walk them through it, either way is very easy. Next all they must do is enter the email account they will use to register and create one, single, secure master password that will be the only one they need remember from this point forward. The reason being, this same Bitwarden vault is just as easily installed on any other device, and can be configured quite easily to auto-populate passwords, be it on an Android device, an iPhone, or using a web browser extension, including for Safari browser.
Through a New Lens
Inertia is a beast that cannot be completely tamed. The best we can hope to do is learn to roll with the punches and be prepared so that we don't get caught in the path of a runaway security train. This rabbit hole has virtually no end, as you will always be able to find an article recommending one product, followed by another telling you all the flaws and recommending another. Nothing is perfect. Luckily, it very rarely needs to be perfection we seek, but instead only incremental improvement. Think back to the difficulty you encountered when trying to change your own poor security and privacy habits, and then realize that the overwhelming majority of people absolutely will not be willing to go through the same thing. What they may be willing to do, however, is take a small step toward you, especially if you have already built a nice, sturdy bridge. They may not be willing to run their own bitcoin full node to back their bitcoin wallet; but they might use yours. They won't learn Docker-compose or how to install a Virtual Machine; but they might download an app and change a url.
This style, known as the "Uncle Jim" model in some bitcoin circles, does in fact scale. Asking everyone to take full personal responsibility for their own data and finances is a pipe dream. It will simply never happen. But a single motivated individual, if given the opportunity to host these tools for not only themselves but their families, can begin to change the world. Change the lens through which you view privacy and security from one of protecting only your first-hand data to one of protecting your entire familial bubble, and we can spread enhanced digital privacy and security outward from out own little corners.
A password manager is only one of several tools able to be hosted yourself that has this ability. I will be continuing to write more articles about various applications to be used in this endeavor, including services that will enable you to severely decrease the amount of information the big tech players have at their fingertips. In a time of increasing censorship and digital witch hunts, these programs and the ability for them to be dependable and easy to use is paramount to provide yourself and your family the autonomy necessary to feel truly free to express opinions. From calendars and contacts to passwords and fingerprints, large corporations like Google have more information about you than nearly anyone else.
We have the ability to drastically reduce this fact, one step at a time. Stay tuned for more to come in the "Becoming Uncle Jim" series. Stay focused on security and privacy, and continue to use the tools available at every possible turn. We can still turn this tide, together.