@sigilante
Last active September 10, 2024 12:47
Urbit: the future of private computing

By ~sorreg-namtyv · ~2024.8.29

Let's forget the gawky, warty, pimpled young Urbit of the present, and take a look at one possible fantastic user experience of the future.

Disclaimer: this is not a plan. This is just a dream. But everything in this dream (codename "Butyl") is real and possible and I think it's going to happen.

Onboarding

To join Urbit: there’s a million ways. Here is one. Go to the corner store and buy an Urbit card.

An Urbit card is like a gift card. It costs like $10. On the front is your name. On the back is your secret. It's just a piece of plastic.

The secret is under a scratch-off layer, like a lottery ticket. Scratch it off and put the card in your wallet or purse. Congratulations—you are now on Urbit.

Did you pay cash? Did you leave your phone at home? Were you wearing your Guy Fawkes mask? Did you hire an unlicensed veterinarian in Honduras to remove that AirTag the NSA taped to your left kidney? Then you might be truly anonymous. If you don't have these kinds of fears, it's certainly fine.

Your name, or planet, is a four-syllable nonsense word, like ~mastex-bintyl. Your secret is an eight-syllable word, like ~sorfyl-barteg-poltyv-hopreg. There are 32 bits of information in a planet and 64 bits in a secret.

Go to urbit.org (or install the app). Log in with planet and secret. You're live!

Eventually you start to remember these mysterious pseudo-words. To help you remember, the interface will prompt you regularly, like a memory app. (I also use my secret (with a salt) as a high-security Web password.)

Either way you can lose the card. Burn it. Put it in a sealed envelope and send it to your lawyer. Ideally, you will never need to remember any other magic words—any secrets are made of this wallet. Urbit security is about putting all your eggs in one basket—and watching that basket, as Mark Twain said.

(Or, if you really prefer, you can move your keys to a hardware wallet and use MetaMask. That might be safer against keyloggers, etc. I feel that anyone who can own my keyboard can own my life and is, frankly, welcome to it. Also: Urbit is for all cool people, including but not limited to nerds.)

Your Urbit name (or just "urbit") is a sovereign digital identity. You own it. No one can take it away (without your secret). And you never have to renew it. But what can your urbit do?

First, your urbit is a full crypto wallet. It can store and send Bitcoin, Ethereum, even cool NFTs like urbits or Bored Apes. (Remember Bored Apes?) Once the secret is stuck in your brain and the Urbit card is burned, you have an Urbit brainwallet.

As long as you can remember these words, you can keep money in your brain. If you know a friend's planet, you can send money to their brain. It's not a new idea but frankly I don't think it's been done that well.

(Brainwallets are unsafe if they use human passwords and too difficult if they use full 256-bit keys. The "innovation" is feeding a 64-bit random password and a 32-bit salt to a key extender. If the extender takes 1 second, it takes 2^63 seconds to find your secret. If you're not a nerd, that's a lot of seconds.)
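The arithmetic in the parenthetical above, worked as an added example that is not part of the original essay or of Urbit's code. The essay names no specific key extender, so scrypt and its cost settings are assumptions here, and the planet and secret are taken as raw integers with constructed values; the `workers` parameter goes one step beyond the essay's single-machine figure to show how parallel guessing shortens the search.

```python
import hashlib
import time

# Assumption: scrypt stands in for the unnamed "key extender"; the cost
# settings are illustrative, not Urbit's.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1


def derive_wallet_seed(planet: int, secret: int) -> bytes:
    """Stretch a 64-bit secret, salted with the 32-bit planet, into a 256-bit seed."""
    if not 0 <= planet < 2**32:
        raise ValueError("planet must fit in 32 bits")
    if not 0 <= secret < 2**64:
        raise ValueError("secret must fit in 64 bits")
    return hashlib.scrypt(
        secret.to_bytes(8, "big"),
        salt=planet.to_bytes(4, "big"),
        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32,
    )


def expected_search_seconds(secret_bits: int, seconds_per_guess: float,
                            workers: int = 1) -> float:
    """Average brute-force time: half the keyspace, split across parallel workers."""
    return (2 ** (secret_bits - 1)) * seconds_per_guess / workers


def measure_seconds_per_guess(trials: int = 3) -> float:
    """Time the extender on this machine, using constructed inputs."""
    start = time.perf_counter()
    for i in range(trials):
        derive_wallet_seed(0x0001_0203, i)
    return (time.perf_counter() - start) / trials


if __name__ == "__main__":
    planet, secret = 0x1234_ABCD, 0x0123_4567_89AB_CDEF  # constructed sample values
    print("seed:", derive_wallet_seed(planet, secret).hex())
    t = measure_seconds_per_guess()
    year = 365.25 * 24 * 3600
    # 28 bits is an illustrative figure for a human-chosen password.
    for label, bits in (("64-bit random secret", 64), ("28-bit human password", 28)):
        for workers in (1, 10**6):
            years = expected_search_seconds(bits, t, workers) / year
            print(f"{label}, {workers} worker(s): {years:.3g} years")
```

Because the planet is public, the salt only prevents one precomputed table from serving every planet; the resistance to guessing comes from the 64 random bits multiplied by the per-guess cost.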

Second, your urbit is also an ENS name (like "sorreg-namtyv.urbit.eth"). You can use it in any Web3 app that supports ENS—for example, Farcaster. (Farcaster is cool!)

Third, your urbit is a Web login. You can log in with Urbit, just like you log in with Google. urbit.org drops a cookie in your browser proving you're you. We do single sign-on with the absolute minimum of inconvenient security.

And fourth—it's your private computer which no one can see, no one can hack, and no one can take away. But we'll get to that part below.

You're on board

What's in there, anyway? A bunch of apps. What did you expect?

When you log in, you see a tiling window manager with a tree of tiles. The tiles are apps. You can fullscreen zoom into a tile then pop back out of it, or even break out a tile as its own browser or application window.

On the corner of each tile is a colored dot which shows what kind of app it is.

There are four kinds of apps. On the corner of every tile is a colored dot which tells you what kind it is.

Red-dot tiles are wallet apps which can send your money to Burkina Faso where you can never get it back. You know. Crypto stuff. Be careful!

Gray-dot tiles are public feeds which show you public Web2 or Web3 data.

Green-dot tiles are captive Urbit apps. Captive apps look and work just like decentralized apps and even share code with them, but run on a big central backend. You know, like Facebook.

Blue-dot tiles are private Urbit apps. Private apps run on your personal cloud server. This is your own permanent, purely-functional private sky computer.

Violet-dot tiles are like blue-dot tiles but remind you that you are using confidential computing, where you don't have to trust your hosting service.

Mauve-dot tiles remind you that you are using native computing—you brought your own hardware. It's in your closet with the grow-light and the gold safe.

Let's go through all this cool high technology.

Red dot: wallet apps

There are actually three crypto wallets in your urbit.

The first crypto wallet is your ownership wallet, which owns your urbit itself. The second is your treasury wallet, which owns tokens and NFTs. You know. Crypto stuff. The ownership and treasury keys never leave your browser, of course, or your hardware wallet if you're doing that.

The third wallet is your billing wallet. Paying bills in crypto is annoying. In the non-crypto world, we trust companies to send us bills. We auto-pay them. For various ways of using your urbit—see below—there are also bills.

The way bills work in Urbit: you give the providers the private key to your billing wallet. They take money out of it and send you a receipt. If it is empty, they complain and you have to put more money in. If you don't, they cut off your service. This is like the real world, not the crypto world, and will cause intense pain to anyone with any kind of security Asperger's. The rest of us...

A new urbit should come with 1-3 months of prepaid service in the billing wallet. So you don't have to think about payment till you're fully addicted. Also, if you just use it as a wallet, not a computer, no one ever bills you.

Blue dots: private apps

Your urbit is a private computer in the sky. You can install apps on it, like on your iPhone. Like your iPhone, it also has a bunch of apps built in.

(Unlike your iPhone, and unlike a conventional Linux server, your urbit is a purely functional computer—as different under the hood as an electric car from a gasoline car. It has fewer parts and breaks less. But it's still a car.)

Unlike your iPhone, your urbit is the master repository of your whole digital life. This includes all your files, documents, media, etc. Your urbit is also in the business of shepherding all your sundry Web2 accounts. This outdated technology, like COBOL, will outlive all of us.

(Your oldweb data, which is actually yours, morally if not always legally, is spread across two hundred "accounts." You have two hundred slightly different passwords to wrangle all these accounts by hand. One core task of your urbit is downloading and syncing a mirror of this legacy oldweb data, and even taking remote control of your accounts by hook, crook or scrape.)

But the main mission of your urbit is social. Your urbit is a high-quality node in a network of high-quality nodes, each free, sovereign and independent. Any nerd over 45 remembers what the Internet was 30 years ago. That. Sorry, kids. (As Talleyrand said about Eternal September: no one who does not remember the time before can ever know the true sweetness of life.)

A critical aspect of a high-quality network is reputation. Urbit's finite address space (only 4 billion planets ever made, enough for every responsible and independent adult human on earth) is a basic spam control device. But it is also a perfect scaffolding for the more general reputation problem.

In a finite address space, new users are mildly trusted. The cost of booting a new planet does not have to be high, but it has to be higher than the profit that a spammer can capture by creating a new planet and burning it to the ground. A generalization of spam control is the negative reputation service. But when you produce content on Urbit, your main goal is the same goal you have on any other network: to maximize your positive reputation.

(One overlooked way to boot up digital reputations is to import credentials from the real world. Say what you want about a Harvard degree, but it still means something. Since the quality of a network can only decline, the best way to maximize ultimate size is to maximize initial quality. Creating a new online elite and cultivating old offline elites are two sides of the same coin.)

And where does this computer run? On an Urbit hosting service, or hangar, in the cloud. A hangar is just like a commercial hosting service, like AWS, but for people not businesses.

Now, a hangar is run by—people. What keeps your urbit secure against these people? Literally nothing.

But not quite nothing. Yes, in theory, your hangar can reach into your urbit and read or even write it. But it's weird. It's technically hard and cumbersome. And it's violating a barrier in a very clear and concrete way.

So it will happen as a result of a court order—and pretty much nothing else. The cops can come into your garden. But it's still not Mr. Zuckerberg's farm. But for any level of real sovereignty, you'll need a violet or mauve dot.

Captive computing

Before it can get better, it needs to get worse.

The concept of captive computing is exactly what it sounds like. You are not a free man! You are a number. Your sovereign urbit is just a humble username. Your life is just a row in our database. You must submit!

Of course, this is the way "normal" Web2 services work. The difference is just that for captive computing in Urbit, your username is on the blockchain. It's decentralized identity with centralized computing. We call it "AC/DC."

Ideally, the user experience of a captive app on a central server is exactly the experience of a proper decentralized Urbit app. In fact, they're the same app! Not only do they share most of the same code, but you can even migrate your captive app data to your own urbit, when you're ready to go decentralized.

A captive app is just a big cage of shared users of a decentralized app. Your profile on the blockchain has your list of captive apps and their servers. When a private, decentralized app on someone else's urbit tries to message you in your captive app, it speaks the same protocol over HTTP to the app server.

The benefit of captive apps is that they are much cheaper to implement and maintain and scale. You give your billing key to captive apps as well, but they are usually free or cost pennies. Sorry. In the future, money is still a thing.

So when developers roll out apps, they generally start with a captive model until they are ready to deal with all the kinks of decentralization. That way, Urbit's technical ambitions don't get in the way of its social progress.

But are you owned? Boy, are you owned. You should basically assume that any large hosting company is a branch of the government. But then again, almost by definition, most people have no problem with the government.

Violet dot: protected computing

Protected computing is the opposite: a cloud computer that's really yours. How could this possibly work?

A protected or confidential computer (like AMD SEV) is a virtual computer that runs within a secure enclave. When code runs inside an enclave, the computer outside it cannot see into the enclave. However, the computer outside can prove what code the enclave is running. This is called remote attestation. It is a normal thing that works right now.

When your hangar boots up ~mastex-bintyl for you, it gets a proof that it is running a standard Urbit interpreter on a factory OS on a factory chip—and a proof that, within this interpreter, ~mastex-bintyl itself is a standard Urbit stack, running a standard version of the Urbit OS, with standard versions of known applications.

The really cool thing is that by sharing these proofs across the network, any app can know that it is talking to the same app on another urbit. For instance, suppose you want an app that auto-deletes messages, like Signal. Without protected computing, your friend who isn't actually your friend could run a fake app that only pretends to delete messages. With it, he can't. That's cool.

One feature of the Urbit OS (Arvo) is that your urbit publishes a namespace. Like a web server, it takes a path and sends back a file. But Urbit mappings from path to file are permanent, not mutable. The same path always returns the same file. You never have to refresh. But how can other computers trust this property? They can't. But with protected computing, they can. Damn that's cool.

Secure enclaves have a bad name among security nerds, for two reasons. One is that they have been often used in user-hostile ways. Two is that the technology is tricky and complex and not that hard to attack. Counterpoint: knives are good for stabbing. And hangars are rarely motivated attackers.

One way to enhance security against hangar attacks is to automatically and regularly migrate your urbit between hangars. Since any hangar can prove that it is legit, any hangar will do.

Mauve dot: native computing

Native computing is computing the old-fashioned way: on your own machine.

Of course, nothing is as personal as a server in your closet. Or even just your laptop. Urbit was born on developer laptops and it will always work there. Still, who knows what dark code is running on your laptop? Shudder.

The ideal native computer is a special-purpose Urbit appliance which also does protected computing (for remote attestation). Here we have reality problems, because the good secure enclaves are only on server-class chips. Someone will sort it out, since Urbit can really benefit from custom silicon.

Order this box from Amazon. Plug it into the wall. Connect it to the network. Type in your name and secret on the little keypad on the top. If it runs out of disk, hook up an external drive. Make sure the grow-light doesn't overheat it. Congratulations, you're a system administrator. If the box turns off it needs the secret again, so no one can steal your life. A second box acts as a backup.

Of course, your house has an address. Your box also has an address. If an attacker gets the IP address, they can get the mailing address. So for total digital privacy, set up your urbit so that you can only talk to it through Tor. (To be exact: you register a Tor endpoint for your urbit on the blockchain.)

Tor will make everything slow—but when you need it, you need it. We have seen that when power violates privacy to go after the worst kinds of criminals (my view is that the last terrorist should be strangled with the entrails of the last child molester), it quickly winds up telling everyone what to eat for lunch. When privacy technology leaves no place to grow for even a single cancer cell of power, this malignant death spiral never even gets started. And technology also gives power other new and better ways to catch terrorists and molesters.

Most people who really care about digital privacy aren't criminals at all. They aren't normal people either. They're slightly paranoid and extremely autistic. But as Shaw said, the reasonable man accommodates himself to the world; the unreasonable man makes the world accommodate him. Therefore, all progress depends on the unreasonable man. And the freedom of normal people to eat whatever they want for lunch depends, crucially, on the "herd immunity" from tools built for and by these paranoid, autistic privacy nerds.

Not to mention people who read to the end of 3000-word X articles! Yes, we are few. Now. But the future belongs to us.
