If it looks like a duck, swims like a duck, and quacks like a duck, then it probably is a duck

When F-Droid has you by the balls, or some such.

Hackers assemble

How many times must the cannonballs fly, before they're forever banned?

Consider for a second that I was a professional architect with a small-time firm. Would I be spreading FUD if I reported structural inefficiencies in a skyscraper you are building? Or would you thank me for spending my valuable time reviewing your work out of no obligation? If you say you'd do the latter, you're a gem. I have nothing against gems, just that I prefer bitcoins.

Privacy and security are very serious topics in our industry. The advances made in recent years are nothing short of astonishing. Let's Encrypt, which vends free TLS certificates, now powers over 200 million websites. The TLS v1.3 standard, drafted by E. Rescorla, CTO at Mozilla, is 160+ pages long, took 4 years to draft, has contributions from industry experts from around the world, and is a document full of considerations for end users' privacy and security. On the other hand, engineers and cryptographers at Signal are pushing the envelope, going where any competent privacy- and security-conscious organization would aspire to go. Read this preview of just how they secure a user's PIN: state-of-the-art and expensive, but that didn't deter them one bit (note for the curious reader: the upcoming OPAQUE standard may be a cheaper way to accomplish a similar feat). Despite stronger protections on Android, attacks that exfiltrate data are a reality, and the world's most vulnerable professionals are at the most risk.

If the Meltdown and Spectre exploits are any indicator, the stakes are very high, and it is easy to see why companies, even the ones that get a bad rap for privacy, go to extreme lengths to secure their users' data. The recent supply-chain exploits make it clear that the information security industry is no place for ego-building or showcasing fake mastery of forbidden arts. Very capable engineers, academics, cryptographers, and hackers have all had their fair share of fails in the face of the scrutiny that their work invites. That's the nature of the beast. The best among us keep their heads down, and off to work they go, month after month, year after year, to mitigate threats and address exploits with utmost consideration, with their hubris, arrogance, and pride firmly tucked away. After all, being cordial and humble is how the industry got here. If Dan Kaminsky were alive, he'd tell you this is how all of this is supposed to work. There is no competition here, just progress, hand-in-hand, and that's all that matters.

A brave new world

How many years must a mountain exist, before it is washed to the sea?

The RethinkDNS team's own journey started in late 2019, as bravedns.com, with the aim of building an app that lets users be in control of their always-on, always-connected devices. Mozilla generously awarded us a $16K grant in June 2020, in the midst of a terrible pandemic, to help us deliver on that promise. Google's Intra project gave us a strong base from which to build. But there are several other projects we looked at, notably Nebulo by Daniel Wolf, DNS66 by Julian Klode, CoreDNS by the CNCF, and Blokada by Blokada AB (a for-profit? a non-profit? It isn't clear).

Fast-forward to August 2020: since DNS-based content-blocking forms one part of what RethinkDNS is, we naturally studied the open source projects to inform our own engineering decisions. I appreciate not having to go through twenty-five RFCs to implement a single feature, and these open-source implementations come in handy. So, given the amount of benefit we derived, we decided to open-source everything we build, too, including the DNS resolver (server-side code).

In September, exactly when I was down with COVID-19-like symptoms, XDA did a feature on us that brought a massive influx of new users to our tiny little toy app. Otherwise, nothing of note happened. We did focus on integrating DNSCrypt v3. It supports Anonymized DNS queries, which really ups the ante in terms of thwarting surveillance. How could we not implement it? Oblivious DNS-over-HTTPS has piqued our interest as well.

You've got mail

How many times can a man turn his head, and pretend that he just doesn't see?

voting_machines.png

And then came November. I found things in Blokada's code-base that seemed off. For my money (to borrow a term from football), it was a "clear and obvious error" on the part of the Blokada AB employees (developers). I was hesitant to engage at first, because RethinkDNS + Firewall does come off as a competitor, even though it is not, despite the current similarities. RethinkDNS is an anti-censorship and anti-surveillance tool, more spiritually aligned with the now-defunct Open Whisper Systems (by the same folks that later created the Signal Messenger).

December. We wrote to one of the Blokada employees (admins) privately on Telegram, informing them of one of the issues we had found. The response was rather lukewarm. Later, in January 2021, we informed the employee (admin) of Blokada's use of an analytics company, rebrandly.com, for their go.blokada.org URLs, which were peppered, littered, sprayed across their app. Disappointingly, we were stonewalled and got no response.

We gave it ninety days.

In the meantime, RethinkDNS was rocking the all-new dark theme. Integrated Orbot. Got hacker-news'd. Addressed some of its battery-drain bugs. Re-designed the webpages. Survived a DDoS attack. Open sourced the server-side DNS resolver code. Eventually, in one of its finest moments to date, got up and running on F-Droid, too.

New Year's. For 30 days, a lead developer on RethinkDNS was down with a nasty viral infection. Things slowed down. Life, it seems, hits you the hardest when you're down: they caught another virus a month later. 30 more days and counting. The feature backlog ever increasing. Sigh.

Store of value

How many ears must one man have, before he can hear people cry?

Where were we? Yeah, 90 days later, that is, sometime in March 2021, I reported what I had found to the F-Droid maintainers. They are plenty serious about such things and were quite helpful and gracious.

The F-Droid maintainers gave it 30 days.

If anyone is familiar with the work of IzzySoft, one of the F-Droid maintainers, they'd agree when I say that IzzySoft is one of the most level-headed, soft-spoken, mild-mannered people you're going to meet on the Internet. IzzySoft isn't even a developer, but goes out of their way to help out with so many developer-related issues, and frankly, it is ridiculous that someone would do so voluntarily, year-in year-out, heads-down, full of humility, poise, and class.

A bitcoin of a person.

In light of inaction from the Blokada employees (developers), the F-Droid maintainers, after their customary weekly sync-up call on 6 May 2021, reached the decision to mark Blokada as Tracking its users.

Two days later, seemingly triggered into action, Blokada employees (developers) were heads-down addressing those issues, but only for the F-Droid builds. The apparent reason was that they were time-constrained to act (despite having known about the issues for 5 months at this point). So, if you're using other Blokada build flavours, count your lucky stars that F-Droid exists and you can switch to downloading Blokada from there. Also, do not forget to donate to F-Droid. It is a woefully underfunded effort. I would, but I haven't made a single dime in the past two years I have been building RethinkDNS and associated services. I wonder how much Blokada AB donates to F-Droid? I'd be pleasantly surprised if it was anywhere close to $fuck-all-a-year.

Talk is cheap

The answer, my friend, is blowin' in the wind

Here comes the kicker, though: instead of a mea culpa, the Blokada CEO (lead developer) claims F-Droid is acting in bad faith, influenced by a competitor (aka yours truly) spreading FUD:

"We’ve been present on F-Droid for several years now, without ever raising any concern. If you have been following our announcements, you may also be aware that our presence on F-Droid was occupied with a non-explainable tardiness from F-Droid in regard to reviewing our update merge requests, causing at least 2-4 week delays for availability of the majority of our update releases. This together with the recent events begs to question F-Droid's objectivity."

Gem.

You know what's FUD?

"The underlying policy of Blokada VPN is that we want you to remain anonymous."

The Tor project, a 22-person organization of world-class experts with decades of altruistic and ground-breaking work behind them, doesn't guarantee anonymity, since they know a lot depends on the users themselves and on numerous other attack vectors out of Tor's control. I digress.

See, there's nothing inherently wrong with telemetry or tracking. DuckDuckGo and Mozilla Firefox both engage in it, but they're radically transparent about it. Blokada is free to engage in it too, or not engage in it, their decision, but they should be, at the very least, transparent about their choices and claims.

For instance, in their privacy policy or terms of use, you'd be hard-pressed to find any mention of Rebrandly, Google, AWS, GitHub, or Cloudflare. They use all of the above, for a variety of infrastructure they host. Again, nothing wrong with that, but the transparency is fatally lacking, the hypocrisy notwithstanding:

What are the benefits of Blokada DNS? Use the DNS service made by the team you have been trusting for many years. No need to use providers with questionable track record, like Cloudflare.

FUD?

"Oh fuck off, Blokada has users' best interest at heart, you clown", you say. I hear you. As they say, the path to hell is paved with good intentions.

Marketing and sales

The answer is blowin' in the wind

In my humble opinion, "an open source project dedicated to developing the best ad blocker and privacy app for Android and iOS" needs to live and breathe that ethos. I can go on, but this has been a mouthful already, and so I'll spare you and leave you with this:

"We hope you appreciate the level of transparency on our side, and hope you keep enjoying Blokada."

Enjoy.

images: xkcd/574 | xkcd/463.
