Social Engineering of the Infrastructure

I don’t know if this fits in Architecture or Social Framing or Philosophy, but here goes:

I have been kicking around a vision of how to create a secure Fediverse-like ecosystem that succeeds, competitively with/against current centralized systems. Some key points:

• The system serves people, by enabling them to communicate with other people
• People, at present, are most universally accessible via web browser interfaces
• Behind the browser are layers of network and software interface “magic”
• Ultimately, that “magic” is enabled by a server hardware foundation layer which is maintained (at least paid for) by: people.

The Spritely Institute is new to me, but my impression so far is that the focus here is on the software “magic” of this kind of system?

Here, I’m going to focus on / ramble about the people who would provide the server hardware foundation and how they relate to / connect with the people being served by the system. In a sense, these bottom and top layers just use the software “magic” in the middle that makes it all happen, but I think it’s important to elucidate the motivations, abilities and limitations of the people who provide the server layer. Before I send every reader into TLDR, I’ll ask here: have you encountered this kind of discussion already developed elsewhere? On the Spritely Forums? Anywhere else? Please provide links in replies!

Extensive reminiscence follows, you have been warned. In the 1980s, computer based communication systems were not competitive with paper based bulletin boards, classified ads, etc. In 1989 I walked by a literal bulletin board, saw a handwritten 3x5 card advertising an apartment for rent, called the phone number and ended up living there for three years. In contrast, I was using and occasionally running dialup computer BBS back in 1983-86, but there just weren’t enough users of those systems to make them competitive with paper based systems for “real world” applications like finding an apartment. Around 1985 I considered adding an automatic over-the-wire software update module to my BBS software - the possible malware spreading implications were obvious even then.

So, BBS operators, including myself, provided relatively big expensive computers, tied up phone lines, and did this all as a hobby. Technical challenges were part of the fun. Expenses paid out of pocket mostly, though some would charge subscription fees for BBS access. There were also “big system” dialup providers like CompuServe and AOL who always charged their users. Users themselves had to access these systems through bulky, expensive desktop computers tying up their phone lines. The “cybersecurity” problem was mostly a non-issue - big providers had your CC info, little systems ran on such low bandwidth that malware spread very slowly, and most people didn’t implement automatic updates. Some malware did get around, but it was relatively rare.

In contrast, today, hundreds of millions - perhaps billions - of homes and businesses around the world can provide internet connection, usually via WiFi. Whereas my single user at a time BBS host computer cost roughly $1000 in 1982, $3300 in 2024 dollars, and took up a desk, a WiFi enabled Raspberry Pi or similar tiny computer capable of hosting dozens of message app users simultaneously can be purchased and running for around $100 today, so small and out of the way that most people wouldn’t even notice it’s there. Still, if you want to encourage the existence of a truly decentralized federation of service providers, a large number of people are going to have to provide the hosting service, and even $100 capital plus a little effort and bandwidth sharing of their home network connection is going to meet significant resistance, particularly now that big centralized service providers have captured 99%+ of users’ attention.

Fast forward 30 years and paper based communication is now a quaint curiosity from the past, to reach people you reach them through online services, mostly through their cell phones, but almost always through some kind of web browser. It’s certainly possible to write apps for Android, iOS, various desktops, etc. but… all of those systems host web browsers, and if you provide access to your service through an https:// interface, every digitally connected person on the planet can reach it. But what will it take to get a “critical mass” of distributed hosting service providers to purchase the hardware, set it up and maintain it, providing a competitive decentralized ecosystem infrastructure? My list would include:

• Secure implementation
• Hassle free setup
• Hassle free maintenance
• Tangible incentive

Secure implementation is far and away the most important component of the system. Nobody is going to want to run a server for a bunch of strangers if it means their home network might be compromised. While “cloud deployments” certainly could, and should, be developed, I feel that a truly distributed infrastructure is much more likely to grow and endure if it is easily implemented as affordable widgets that people can plug in and use in their homes and businesses.

Real life is impinging on my available time, all this seems like it may be obvious and already discussed to death, but assuming I get more “writing time” soon, I’ll be back to flesh out the other points.

I hesitate to throw out these spoilers without beefier development, but in their TLDR forms:

Secure, like even from DDOS attacks by simply shutting down and letting other nodes takeover serving if yours falls under attack.

Hassle free install, like: as easy to install as a standard application.

Hassle free maintenance, like: if you just turn it on and start providing service, it should hum along somewhat easier than running folding at home, and possibly even be more resource friendly.

Incentives, there are all kinds.

• The intrinsic satisfaction of providing an access point (kind of weak tea when there are millions just like yours)
• Control of your own applications in the “magic” middle layer.
• Blockchain / Cryptocurrency, there I said it. No, I’m not expecting to entice people with dreams of getting rich in a zero sum pyramid climbing game. However, there could be a “resource tracking” layer which may choose to exchange some kind of tokens to keep resource usage reasonable / fair. And, being open source, people could game around with that and do all kinds of things, and if you don’t like how they do their things you don’t have to play with them (secure system)… Anyway, I do think it has a place in the infrastructure, not as a major raison d’être but as a tool that can be switched on to keep resources like bandwidth and storage from being over-utilized. And, if you don’t like playing blockchain games, you can fork your own open system.

Oh, and anonymous vs identified users and servers becomes a whole thing too, of course.

More later…

O.K. so… on the blockchain side of things, I don’t know what the “Social Framing” is around here, but as soon as I hear “Blockchain” I feel like the whole focus is on get-rich-quick Ponzi-like schemes, and hopefully that’s not the case at all here. Here, (and everywhere) I would highly object to any Proof Of Work or similar schemes. Here, each System Operator (BBS days showing again) would operate their own blockchain records either public or private as appropriate, shared at least among those who participate in exchange of resources. Resources such as:

• bandwidth
• storage
• CPU time
• Strawberries from my garden
• whatever they want…
  Seriously, if I’m growing surplus strawberries and I can trade them to you for a few Gigabytes of online storage, why not keep an accounting of all that on a blockchain? “Prices” could be fixed by the System Operators, or left to float as open market bids: I’ll offer you 100GB of bandwidth in/out of my servers in exchange for 2TB-years of storage capacity, and similar. The default configuration of the server applications could be setup with those kinds of floating “prices” establishing a kind of going market exchange rates for various resources.

Some operators will inevitably sell advertising and similar to get income from their systems, other operators can decide how they want to be compensated for their resources when they are shared with operators who have advertising income… Hopefully, some kind of “hands off” default configuration can run satisfactorily for operators who don’t want to tinker with such things.

About those default configurations - they really do need to be as easy as possible to install and run in appropriate settings, serviceable “out of the box,” controlled by their operators but operators who don’t know how or just don’t care to mess around with resource management should be able to accept defaults that do something like use up to 80% of available resources for the federated system and leave a reasonable reserve of everything (CPU, bandwidth and storage) left over just to keep the system running smoothly. For me, I would be most comfortable running such an application on dedicated silent (fanless) hardware like a Raspberry Pi, but conceivably it could run on just about anything, including intermittently unavailable systems like laptops… Something to keep in mind is that this system would have a (tuneable) high degree of redundancy, so most stored resources would be available from many sources and even if a bunch of them go offline, the resources are still available from the servers that are running.

Diving a little deeper into “control of your own applications” - these could vary tremendously, a few that come to mind:

• participation in an open global social network ala Twitter / Bluesky / reddit / etc.
• running a more private network like the above but for a more tightly controlled set of users
• hosting a family photo repository (all family members have access, those who choose to auto-upload photos and videos from their phones as the are taken.)
• hosting an open game server
• hosting a private shared document collection
• and on, and on…

In a situation like the family photo collection, maybe three members of the family setup servers and the data is replicated among all three. They can add a fourth or more whenever they want, but usually bandwidth isn’t an issue, they just want control of their data. By default most data at rest should be encrypted, but in a case like the family photos hosted on hardware inside family homes, they might prefer that the “data at rest (photos)” are stored in the clear, just for the “warm fuzzies” that it’s all backed up and accessible. I can picture one or two family members getting such a system started, then ‘gifting’ servers to other family members who only have to plug them in (and likely opening a DMZ port on their home router) to start supporting the system as additional storage / access points.

So, question from one who has been out of touch from such developments in the last decade or so: Is there active development of a secure federated server layer happening “out there” at the moment? If so, where? or what might it be called?

Punching through all the way up to the user layer… some users are fine with being 100% positively securely irrefutably identified. Some, but not most in my experience. In my experience, most people would be happier with (and more likely to use) global systems with some level of pseudonymity of full anonymity. Cutting all the way through down to the resource issue at stake: any system that provides actual complete anonymity to users is 100% vulnerable to denial of service / burial in SPAM attacks. There are a myriad of ways to mitigate this:

• Servers might limit resources available to anonymous users, if anon users can only consume 50% of active resources, they can never completely deny service to positively identified users.
• Users may establish some level of pseudonymity, creating an irrefutable positive identity that is only used for a short time. Systems might establish some minimum length of time or record of positive value contribution between identity creation and resource granting. This same kind of cooperation with identities you don’t necessarily have a link to in the real world could be used for server to server cooperation. Of course, the more activity a pseudonym undertakes, the more likely it will eventually become link-able to a real person, ala: Dread Pirate Roberts.
• Holders of “tokens of value” from a blockchain can be trusted as far as those tokens reach. For instance, a SysOp may have 10TB of storage online, and they may “float” 8TB of that out for 3 year’s use during the next five years by whoever on the network might utilize it, but they do so through a token auction, getting various things of value in return - whether that be cash, fungible tokens from other systems, strawberries from my garden, whatever… once the tokens have been assigned as “paid for” in the blockchain - the holder of the token may redeem it to get that storage-time (non-performance of these contracts is a whole other thing with it’s own analysis/system but in the end: identities who reliably deliver on their promises become more valuable trading partners…) So, a token for 24TB-years of storage may be exchanged all over the network through many hands and communication methods, but in the end if an “identity” presents the token and starts using storage, the system that issued that token should readily grant the resource to them, whoever they are, and start deducting resources actually used from the balance for that token as recorded on the resource providing system’s blockchain.

Yes, it’s a lot of complexity… but this kind of accounting / accountability in the underlying infrastructure demonstrates reliability. Security and trust are something else. If I’m storing anything other than public information in a public system such as this, I would store it encrypted, never giving the public serving system the opportunity to “leak” my private information. Direct (person to person) messages should be end-to-end encrypted - taken from the author’s browser encrypted with a public key of the recipient, and only decrypted on the receiver’s system using their securely locally stored private key.

Of course, various establishments from national security organizations through commercial social network operators, media producers and distributors, and local Parent-Teacher Organizations at schools will be pushing back against anything that allows true 100% secure communication between people. “Think of the children! What could they be saying or reading ‘in there’?!!?!!?”

So, anyway, that’s the basic ramble. Of course, perfection is the enemy of done and working, so creating the perfectly secure, easily operated, widely accepted network application infrastructure could arguable take an infinitely long time with an infinitely large development team (the size of the team itself contributing to delays as it grows…)

Deeper details get into things like modularity (replaceable cryptographic algorithms for quantum readiness, for example), automatic available service discovery protocols, interfaces to verify proper operation of remote servers’ advertised services, automated independent auditing and open reporting of service provisioning, uptime, etc. for the various entities out there advertising services. As new services are developed, there needs to be some central (but distributed, Federated?) naming authority that can be referenced to uniquely identify the services and the protocols they support. Server operators would likely “whitelist” the services they are willing to run. An identity “phonebook” with public key and contact address information certainly would seem to be useful, whether global or various kinds of “local” in scope.

Again, ideas are easy - finding existing building blocks that have already solved major pieces of this puzzle becomes interesting. For instance, if the secure server resources piece gets worked out, the various publish/subscribe type distribution systems (AMQP, MQTT, etc.) might be leveraged to distribute the messages that need to travel between the entities, possibly in a secured backend system, possibly carrying securely encapsulated traffic in the open…

Any thoughts on existing building blocks that would implement parts (or all) of the resources secure distributed server layer?

Hi,

I haven’t read all of your second message, but it seems this proposal is predicated on a client-server model. Spritely is building for a peer-to-peer model. While it’s true that we have the Prelay natlayer and will have a full relay netlayer to support network protocols that cannot be peer-to-peer, these relays are intended, as the name suggests, to relay messages between peers rather than to be peers themselves. This sidesteps a lot of the issues you’ve raised since resource usage will be shared evenly, with each user providing most of the resources they use. (Strictly speaking some protocols like WebSockets require a “server” node, but we envision these running user-side.)

All that to say, while it is perfectly possible to use what we’re building for client-server models, it’s not what we target. Maybe giving our Heart of Spritely whitepaper a read can kickstart ideas for building the end user experience you want in a peer-to-peer way

Thanks for the Heart link, I’ll check it out.

As far as: is it client-server? I believe at the user interface that’s going to be hard to get away from, without rebuilding the web browser and getting what you have made ported to, accepted, and maintained on all kinds of platforms. So: if you give the end-user some kind of web-address to load, they can do that through their browser, then hit a server somewhere, anywhere, that taps the whole peer-to-peer layer, likely through a traditional server load balancer that forwards the initial connection off to whatever peer is most ready to handle the request.

Strictly speaking some protocols like WebSockets require a “server” node, but we envision these running user-side.

And there’s a divergence, I think. I wouldn’t call it “user side” until it’s in the user’s hand or on their desk, but that could be waved away as semantics too…

On the hardware layer as well, ultimately bits are being stored, retrieved, processed and communicated by some kind of server or servers. The servers can be peers, the data can be replicated across multiple locations, the processing work can be split, shared, rotated, but ultimately it happens somewhere, on some piece of hardware that somebody has plugged into power and network. In my present semantic frame of mind, these are servers.

building the end user experience you want in a peer-to-peer way

So, I’m an older dog, and have built end-user experiences on systems from 8 bits and up… for the past 15 years or so, I consider “reaching the users” on their mobile devices to be an essential part of any software-system experience that hopes to engage large numbers of people for any substantial / sustained amount of time. I’ve learned many development environments - including Palm Pilots, PCs, embedded devices, etc. and the thing about iOS/Android for me is: it looks like even more of a pointless treadmill than DOS/Windows was back in the 1990s - constantly having to rework existing code just to maintain operability in the latest OS releases, occasionally having to rethink implementations from the ground-up because new standards make the original design obsolete.

Except: for web browsers. Sure, the screens change aspect ratio and size, desktops have mice while phones have swipe-touch screens, but overall, the http (later https) interfaced applications I started building in 1997 still work the same on modern browsers as they did when originally crafted. Sure, some of that is because I have avoided some of “the latest hotness” such as Java in the browser, but overall - the browser is the ultimate in cross platform accessibility and stability over time.

So, that was the vision, I’ll check Heart of Spritely and… maybe do things this way:

too hard on systems that assume traditional client-server architecture and authority models.

Unless your system has “fungible https server endpoints” which sit atop of a peer-to-peer resource ecosystem just below the user interface generation layer.

the ACL permission system is bad

Yep, and Android OS seems to be evolving away from it, slowly, painfully, like peeling off a bandaid pulling each hair out by the root individually…

And, yes, the browser is somewhat “overpowered” in terms of desktop security, but not nearly where applications have been all these years. Individual permissions for things like camera/microphone, file access and even audio output access have been slowly creeping into the browser world for a while now. Good thing my 1997 http applications didn’t care about any of those things

it can only write to the specific file it has been given access to, but it cannot do anything else dangerous

Well, right there is a Denial Of Service / griefer hole in the system defenses, if there is no maximum file size specified in the permission grant…

This object capability security model is built on completely ordinary reference passing

And that’s how the user experience generating layer would be operating, on any arbitrary node in the federation (at the risk of abusing that term) which has agreed to act as server for the application.

“a distributed network of independent objects”

Yep, that’s the idea - below the ui rendering layer. I guess that’s the primary difference between “my vision” and Spritely/Goblins, is instead of doing something “on the user’s device” the ecosystem is providing an interactive website to the user - but with all the same “distributed independent objects” under the site rendering layer.

get retrieves the current value, and 'set replaces the current value with a new value

So, yeah, I started there with a “property bank” project about 10 years back, and after a while in our application another entity became almost as interesting as properties: events. properties have persistent values, values that may be set or change at specific times - such things representing “events” that can trigger things to happen, but eventually it became desirable / efficient to have simple events defined for the property passing system as well. A simple event just happens (at a point in time), and an event may or may not (in the simple case) carry a value, but that value is not persisted - it’s just the value of the event at that point in time. Proper value persisting properties may grab event values as they happen, or not, depending on the needs of the event/property users.

Promise pipelining

I can see how that could be useful, but my property bank concept is that any user of any property always has the most recent (possible) value of that property all the time. It’s not quite pub-sub, but very close… if you’ve defined a property as being of potential interest to the application, then it will always be updated locally as soon as changes can be communicated. This comes in-part from the fact that applications in the system are relatively small / focused in their tasks, and also in-part from the flight-simulator (FlightGear) inspiration for the property bank which did something similar, and typically needed immediate access to “all the things” and so the “set_” calls were more of a push, rather than “get_” being a pull (aka suck) operation.

Even with the most well implemented, bug-free locally implemented code (itself usually less likely a possibility than its authors may think), network connections are fickle, and remote objects may misbehave

Which is another advantage of the “push” paradigm. The local state of properties is updated in the background ASAP, before any particular local process may need them.

Anyway, time and other constraints from real-life impinging on authoring of this… will try to digest the Heart of Spritely a bit more deeply as time permits.