Protect your digital identity from Google for $70 per year

I’ve never trusted Gmail. Google does too much creepy stuff, and they have zero customer accountability.

While there’s no escaping Google for some services, I think it’s reasonable to draw the line at email. It’s deeply personal content and the gateway to all of the rest of your internet accounts. If you used a Gmail account for your other account signups, and one day Google decided to take your account away, you could find yourself locked out of your entire digital identity.

Best of all, it’s entirely possible to assemble your own email service—if you can part with a few dollars each year.

Start with a domain

This part is essential. As long as you control your own domain, you can always decide where your email is routed.

If you do nothing else, register a domain. You can at least set up free mail forwarding from your domain to a Gmail address. If one day you need to leave Google in the middle of the night, you can redirect your mail forwarding to a new service.

I like Namecheap. Every registration comes with free whois masking, so no one can look up your address through your domain. Here’s a bit on how to set up email forwarding through Namecheap, but most registrars offer this option. Just search the web for [registrar name] email forwarding.

Once you’re using a custom domain for email, you have a lot more control over how you receive email. But there are limits to the free forwarding service that comes with your registration. It can be finicky to successfully send mail using your new address. For a fully-integrated experience where your address always works consistently for sending and receiving, you have to go further.

Add an email host

You can actually pay Google to be your email host. This is called Gsuite and it costs $5 per month. But the whole point of this is to get away from Google.

This is the beauty of holding your own domain, though: you can decide. If Google happens to be convenient for you, you can point your address there. If you’d rather keep your email private from a company like Google, you can use someone else. While it’s entirely possible to stand up your own server for email, dedicated entirely to you, with no other users, I’m not going to get into those details. Instead, there’s a nice middle ground between complete DIY and revealing all your data to a massive advertising company.

You can use a service like Fastmail, whose only ambition is to provide secure, reliable email for a reasonable price. Also for $5 a month, they’ll host your email and, if you want, completely configure your domain for you. Here are the details.

But Fastmail isn’t the only option. If you’re especially worried about privacy and security, you can use ProtonMail, which is headquartered and hosted in Switzerland. Mmm, Swiss privacy laws.

What’s important here is that, at any moment, you can point your domain to new service if the host you’re using doesn’t work out. Your emails won’t be trapped with one service.

Backing up your email

Web-based email is convenient but it means giving up a lot of power. When you use an email application on your local computer, you can be assured that all of your messages are stored to your hard drive. If you do automatic backups, your email will be safely backed up as well. If you host with Fastmail, they have complete documentation for setting this up on macOS, Windows and Linux. ProtonMail offers something similar, again with a privacy emphasis.

Coexisting with Google

After all of this is set up, you’ll probably still need Google for some things. You can sign up for a Google Account with your email address and not get Gmail. This is convenient for Google Calendar especially—most people seem to use Google/Gsuite for calendaring, so having your invitations automatically caught by Google Calendar is helpful.

Of course, for all non-email services provided by Google, you’re again at their mercy. But your email is safe.

Explainer Technical

ECDSA signatures with node.js and Swift

In the process of de-risking some business model questions for Digamo, I went looking for an open source project that would allow us to generate and verify license keys. We’re not sure what our business model will be there, but understanding the technical costs of licensing is important to making decisions.

While this is a problem that has been solved, I didn’t find anything especially modern, well-maintained, or documented—and nothing in Swift or Node, which I’m using for everything right now.

Some research did suggest that asymmetric cryptography was the way to go, using a private key to sign a registration string, and a public key distributed with the app to verify the signature. This was also the approach used in the older projects that tried to solve this problem for Mac apps.

Still, I found precious little documentation or tutorials to walk me through the implementation. All the signing examples took place within the same context, rather than between client and server. Here’s an approach that appears to be working, using Node and a Swift Mac app.

Try the demo

Generate a signed message file here:

Download, build and run the macOS verification app here:

Once the app is running, you can double-click the signed message files from the Glitch app to automatically load them. File free to tamper with the content of the plaintext field by opening a file in your favorite text editor, then try to verify again. Tampering should cause the verification step to fail.

The public and private keys are included for your inspection and experimentation, as a “known-good” configuration. In your own projects you should use care to ensure your private key is not distributed.

Generate encryption keys

Per the instructions from IBM’s BlueECC project, here’s how you get started:

On macOS you can install OpenSSL using brew:

brew install openssl

Once you have installed OpenSSL, create your private key:

openssl ecparam -name prime256v1 -genkey -noout -out ec256priv.pem

Using the private key, create your public key:

openssl ec -in ec256priv.pem -pubout -out ec256pub.pem

It seems you want to use the prime256v1 curve—other algorithms have some cross-platform issues.

This will leave you with a private and public key. The private key goes on your server to generate signatures. The public key can be distributed with your app to verify those signatures.

Signing with Node.js

The npm module EC-Key will make it easy to load your key:

let ECKey = require("ec-key");

let pem = fs.readFileSync("./privatekey.pem");
let eccPrivateKey = new ECKey(pem, "pem")

Here my implementation gets a little clunky—there may be better ways to do this, but at least it seems pretty flexible. Create a JavaScript object with whatever keys and content you want:

var objectToSign = {}
objectToSign.message = message
let date = new Date().toJSON() = date

Convert that into a JSON string:

let outputString = JSON.stringify(objectToSign)

Then, create a signature from that string:

let signature = eccPrivateKey.createSign("SHA256").update(outputString).sign("base64")

And pack the plaintext string and signature into a second object:

let outputObject = {}
outputObject.plaintext = outputString
outputObject.signatureBase64 = signature

You can then convert the output to JSON and have the user download the file.

See the whole thing in action with this Glitch project.

Verification in Swift

Add the BlueECC package to your project. Install manually, or use the Swift Package Manager. In Xcode, choose File > Swift Packages > Add Package Dependency…

Search for “CryptorECC,” and pick “BlueECC.”

Add your public key file to your project, and import CryptorECC
to the file where you’re working. Then you can grab the public key like this:

let filepath = Bundle.main.path(forResource: "ec256pub", ofType: "pem")!

let keyString = try? String(contentsOfFile: filepath)

let publicKey = try ECPublicKey(key: keyString)

With the public key loaded from your bundle into memory, you can now verify a signature with it:

let signature = try ECSignature(asn1: Data(base64Encoded: signatureBase64)!)

(signatureBase64 is the output from createSign() above)

let verified = signature.verify(plaintext: plaintext, using: publicKey)

The constant verified will tell you if the plaintext and signature match.

Here’s a Mac app you can build and run to see this in action.


Is this a good approach? See anywhere it could work better? Drop me a line:


Review: RGB Mechanical Keyboard and Pioneer Mouse by VicTsing

A couple months ago, the folks at VicTsing reached out and offered to provide their keyboard and mouse for a review. I’m a sucker for input devices so I took them up on it.

Through their contact, Haven, I tried to learn more about the company’s origins and story. Haven was friendly but ultimately couldn’t share much with me. Who started this company? What are their goals?

The answers are a mystery.

Which is a shame. In a sea of commodity junk, VicTsing’s products stood out to me as both thoughtful and well-built. I’d love to understand their philosophy better. What I can tell you is what you can read yourself on their about page: they were founded in 2012 and they sell everything from computer and car accessories to humidifiers.

Checking out these two products can tell us a lot about how electronics commerce works in 2019. Faced with competition from better-known brands and contending with ever-dropping prices, the savvy move for new players is to differentiate through features. What we see here are a keyboard and mouse that do the basics well, but add a little something extra.

The keyboard

I cut my teeth as a spreadsheet jockey, so I grew attached to having a numeric keypad. The problem is, extended keyboards with keypads are huge, and these days I don’t need a numeric keypad that often. As a result I’ve trimmed down to the ten-keyless or “TKL” style in recent years. The typical TKL shaves off the numeric keypad, but keeps the clusters of arrow keys and Insert/Home/Page Up, etc.

Most of the time this is fine. But occasionally, I still miss the numeric keypad.

And I thought I just had to live with it.

But VicTsing came up with a clever alternative1. Using a key to switch modes, it overlaps the numeric keypad with the button clusters you typically find on the right of a TKL. You can have both.

QMK enthusiasts will recognize this trick at once: it’s using layers to shift part of the keymap. But thoughtful design also makes these feature easy to understand: when the numeric keypad is disabled, the light pattern changes to create the silhouette of a typical right-hand cluster.

in TKL mode
in numeric keypad mode

Indeed, the RGB color effects suggest QMK may be driving this under the hood. This would be smart—it lowers the cost of building interesting features like this variable-mode keypad.

More thoughtful touches: the keyboard comes with a blank key you can use to replace the “Win” key if you’re a Mac user, which I appreciated, and it’s stored on the case, which was nice. Alongside it was storage for an included keycap plucker, which is great for those who want to rearrange their keys.

Other than that, it’s an RGB mechanical keyboard. They’re blue switches, so the keyboard is loud and clicky. I think I prefer my Kaihua whites, but they’re perfectly fine switches.

My only gripe is with the shine-through, which has some weird stencil cutout effects. It’s a strictly aesthetic issue, but it makes this otherwise excellent keyboard feel a little cheap.

Still, it’s a pretty great buy, currently retailing at $43 on Amazon. Or, $40 if you don’t want the white frame. I actually liked the keyboard a lot better when I took the frame off, so save a few bucks if you want.

In the realm of budget mechanical keyboards, this one has some nice touches that separate it from the pack. Nice way to try out the mechanical life if you’re tired of rubber cup keyboard junk, too.

The mouse

Meanwhile, I just love the Pioneer mouse. It’s the best rechargeable mouse you can buy for $30, simple as that. You charge it with a USB micro cable, so no batteries to manage. It has scroll wheels for vertical and horizontal, along with some nice side buttons for forward/back in your web browser.

But the best part is: you can use it with three computers at once.

It includes a dongle for a wireless USB connection, but can also pair with up to two more devices via Bluetooth. This is very handy if you have, say, a Mac and a gaming PC, like I do.

But even if you don’t, the fact that you have the option of using a dongle but still have a perfectly useful mouse even if you (inevitably) lose that dongle is a fantastic touch.

The only issue I have with this mouse is its plastic pads, which feel a little rough against my work surface. Compared to my Logitech mice, which glide smoothly, the Pioneer feels like it’s gently scraping.

Still, it’s not a dealbreaker.

Mac users will want to use something like SensibleSideButtons to enable the back and forth buttons.

It’s a pretty good buy at $30. For similar prices, you can get a Logitech G602, which has adjustable DPI settings like the Pioneer, but requires AA batteries. Or you can get the Logitech Triathlon, which allows similar multi-device connectivity, but lacks DPI control and also requires AA’s.

The Pioneer gives you adjustable DPI, multiple devices and a rechargeable battery in one package at a competitive price. It is a right-handed mouse, though as a lefty I don’t find that a dealbreaker. As a hedge against RSI, I try to switch mousing hands every couple years2.

They’re good input devices, Bront

Despite so many competing options in both categories, I think both of these entries are pretty solid. VicTsing clearly has some product vision to help it stand out from the crowd. It’s worth checking these out if you need a keyboard or mouse soon.