Niklas Anderson's Blog

My Personal Echo Chamber


I used to be a savage connoisseur of apocalyptic theories: Peak oil, Irreversible and Extreme Climate Change, Nuclear Holocaust, World War III... On good days I engaged with the predictions of less disastrous theorists, like the mutualist-anarchist Kevin Carson, who predict a degradation of State Capitalism towards a less industrialized and militarized, small-scale society.

In many ways I hoped these predictions would realize themselves, and realize themselves rather soon. Those around me saw this as an expression of mere pessimism and cynicism, and while I cannot meaningfully call myself an optimist, I always acknowledged to myself the loose ground these ideas stood upon.

I knew the next world war was a real possibility, but not immediately likely. I knew state capitalism was struggling to maintain itself in the age of recession, but never fully believed that technology could fully vacate the men in suits from central control. I also quietly believed that "green energy" alternatives could relieve the worst results of "peak oil" *if* it happens, given that the bureaucrats would suddenly have an overwhelming need to make it happen.

I wanted to believe these things because I hoped for them. I saw no place for myself in the adult, modern world. It was always too complex, to the point where even those who were certain of their skills and desires stood little chance, and I preferred an alternative. An alternative where every other person, and institution, was equal in its failure as I.

I hardly think of these theories now.

Personal disasters have a way of shortening your life planning, away from thirty to fifty years away, to thirty or fifty days away.


Having read Nietzsche's works, films like 2001: A Space Odyssey take on a different meaning.

In Thus Spoke Zarathustra, Nietzsche states that as Man overcame the Ape, the Overman overcomes Man, inviting the reader to question how they have overcome themselves.

The imagery of ape and man is the introduction of the film, in which a tribe of apes find themselves dispossessed of a watering hole they depend on. In the middle of their sleep, a monolith appears: an expression of will and the impending violent overcoming the apes will express ("pure energy," being the term used by Kubrick in describing the aliens).

An individual ape then proceeds to discover the violent potential of bones in using them as a weapon, as Strauss' song Also sprach Zarathustra plays over the events. The apes, using weapons, take back their territory and in celebration throw a bone to the sky: transitioning to a scene of a satellite orbiting Earth. In the original text from which this movie was adapted, Arthur C. Clarke states this satellite is carrying nuclear warheads.

In the future scenes of the movie, the arrival of a new monolith further foreshadows the attempted overthrowing of an old order of power punctuated by the violence against the human inhabitants of the ship by HAL.

HAL ultimately fails to assert himself fully, and the surviving crew member finishes the journey, discovering a monolith orbiting Jupiter's moon. Upon approaching it in space, he is drawn into an alternative dimension.

In this other dimension, the character finds himself observing himself aging and dying within a white room. Recalling Nietzsche's notion of Eternal Return, in which individuals must evaluate their own lives from the standpoint of indefinite repeats of all their decisions: the crew member is trapped watching himself age and die in the isolation of a strange white room. He is recreated by these events, presented in the final scenes as a fetus, a "superman" in Kubrick's words.

There are numerous influences on the film and the book, and there are numerous more examples of Nietzschean themes. Nietzsche's foresight and understanding has made him a timely influence on all things modern.


Capitalism does not favor: Stability, or security


As someone who has done a fair amount of work in the Unix command-line world, it can be difficult to understand how others might struggle with a tool such as OpenSSH. SSH is loved amongst those who are in the field: it is simple to use, simple to extend, and simple to secure. This will be a very simple getting started post, which explains the fundamentals of the SSH client while directing the reader to try connecting to public Dungeon Crawl Soup game servers to start off.

SSH stands for "Secure SHell", and is a protocol that enables remote access. It allows you to interact with a remote machine as though you were sitting right in front of it, and while it is generally used for issuing commands via the terminal, it can actually be used to pull graphical windows from a machine's X11 desktop if desired, or even be used to open a SOCKS proxy. There is a great deal that can be done with SSH, and given its Unix qualities, its power is extensible by other applications known to the user (I'm thinking of TMUX, SCP, etc).

While ultimately supplanting the old, unencrypted Telnet application as a secure alternative, it is important to remember that a server accepting SSH connections cannot be presumed secure just because it uses SSH. This tutorial is not intended to expand on how to harden SSH or the rest of the machine.

SSH is a protocol supported by many applications, each being either a client or a server. The two most popular clients are OpenSSH, developed by the OpenBSD development group and available on UNIX platforms, and PuTTY, developed primarily by Simon Tatham for Windows. There are others, and PuTTY is limited in feature set by comparison, so it will need additional programs to match the power of OpenSSH.

Almost all Linux distros have OpenSSH installed by default, and many will at least prompt to install sshd, the server-side counterpart to the OpenSSH client.

To begin with, you may not have a server to connect to. In that case, you can try connecting to a game server, such as the public Dungeon Crawl Soup servers with SSH availability. An example would be the server.

Not all servers support SSH, but those who do make it very easy, and all instructions are available at the link above. In the case of, you type the following into your terminal


When prompted for the password, enter "joshua".

Simple, but you may already be confused if you haven't read the Crawl Online tutorial. "joshua" is an arbitrary ssh account made available to the public. When you connect as Joshua, there may be dozens of other open sessions by other users on that same account. You do not have the ability to change this user account, and you will be suddenly trapped in a specific application, that being the Dungeon Crawl Soup Game. Both the public username and the entrapment of the user in a specific application are not typical.

The ssh username@remote_host command can use either the domain name of the server or the IP.

You are now issuing commands to a remote terminal. Despite the simplicity of the terminal, you may notice some lag between your input and its appearance on screen. Crawl has its controls largely based on Vim, so you can practice those skills here too.

To extend your exposure to SSH in general, you may need to rent a Virtual Private Server, or have some hardware running Unix available to you within your network (another PC, Raspberry Pi, etc.).

I'd prefer to refer to DigitalOcean's SSH tutorial for further server side work. I thought recommending the Crawl servers was an interesting "getting started" idea that I haven't seen.


This is why honest authors like Wittgenstein and Nietzsche write in spiraling aphorisms.


I previously wrote about a problem I perceive in modern blockchain based cryptocurrencies: That being that the introduction of new 'coins' is not related to any economic measure. In thinking about how others would see this claim, I have decided to take on the project of expanding a larger, increasingly ignorant worldview that this claim is grounded in, and extend these writings into extrapolations about the future.

I would like to begin by laying out my understanding of how money and currencies developed, and how they are developing. I believe the purpose of this post may only be understandable in light of future posts.

If we evaluate early markets, as does David Graeber in the book Debt: The First 5000 Years, and also in his more interesting, previous book: Towards an Anthropological Theory of Value, it is important to note that commodities as money or currencies are not naturally occurring.

Stateless societies rely on a range of trade, and when internal to a society: these forms of trade are deeply enmeshed in the day to day relations between individuals. The anthropologist Marcel Mauss argued early humanity did not grow out of a Hobbesian state of man against man, but rather a state of "total prestation". Almost all of his work is ultimately in untranslated French, but from Graeber's work I understand this to be a state of individuals being unable to distinguish themselves clearly from those around them.

People in a state of total prestation see property as an extension of not just themselves, but their whole group, so objects tend to change hands with extreme fluidity. They are open and exposed to each other in their bodily functions, with little hierarchy and avoidance behavior between one another.

It is important to remember that Mauss, and ultimately Graeber, are using this as an archetype, placing societies somewhere on a scale between a state of "total prestations" on one end and the totally individualistic, marketized society on the other.

As a society moves up the scale towards individualization, they begin to see property, or things in general, as literally "possessed" by particular individuals. That thing has become permanently endowed with a fragment of its owner's spirit. Groups also appear to possess their territory in respect to their neighbors.

When one individual offers a neighbor a thing possessed by them, it remains possessed. A thing may continue to retain elements of each person, and theft of the object may result in the thief being tortured by those spirits. Likewise, the receiver is expected to reciprocate the gift on the pain of penalty: the penalty of being tormented by the spirit of the gift.

These spirits, however, are more strongly and consistently retained by objects that are durable and unique. Some objects, particularly the consumable and indistinguishable, can be exchanged for a great many other consumable and indistinguishable things; quantity is likely a core measure when reciprocating. Unique and durable objects, such as staffs and cloaks to the Maori, can only be exchanged for a small number of similar objects, with value typically ranked by its history of ownership and the significance of those owners.

Thus, objects within societies may be ranked on a hierarchy, with most foods at the bottom, and heirlooms and humans at the top. Humans are the ultimate vessel of the spirit, and it is the ultimate source of value for all others. Humans cannot be exchanged for cloaks or staffs, and staffs or cloaks may not be exchanged. These are "Spheres of Exchange," originally illustrated by Paul Bohannan.

Exchange of goods or humans in market-like fashion occurs between societies; it occurs between worlds of "spheres of exchange", in which these societies have little trust in each other, but also lack a fundamental basis in values for exchanging goods as they do internally.

Slavery appears in stateless societies, but is often a temporary state. It is a state of soullessness. Of one's body being dead, and its spirit replaced with that of a "possessor", but it is not known for humans to be traded for physical objects until states and markets are involved. In order to do so, a society must lose the spheres of exchange that underpin their society.

Graeber's work largely skips over the transition between Gift Exchange originally studied by Mauss, and the market societies seen now. There is a lack of knowledge in this area, as we can only see stateless and marketless societies that exist on the fringe of colonial societies, and they cannot be held as representative of how early societies functioned and transitioned. That said, there is a kind of logic underlying these gift giving societies, and it is a deeply human one. An expression of a kind of intuition that pervades our society today, albeit slightly less openly.

It is known that the introduction of money and currency is forced onto societies by states, and takes the form of credit based systems. These systems are a derivation of early gift-giving "economies", in which goods were lent to other people, but some accounting was made of the transaction measured in government established currency (such as gold or silver). This change coincides with a breakdown of spheres of value, in which this singular currency is now "exchangeable" for both consumables, and people.

The exact reason this occurs in societies such as the Babylonians is not clear, but I would illustrate my guess here: The state requires a range of goods for its own use and trade, and after taxing/claiming them individually from its subjects with great difficulty, it lays a fundamental measure upon which taxes for each subject are based. Instead of a cattle farmer owing 3 cattle, and a shoemaker owing 30 shoes, they now each owe 10 silver coins; despite such currencies' scarcity, they can pay the taxes in a range of goods, in many known cases: humans. The concept of accounting for goods on the basis of one measure is now normalized, and the process of spheres of exchange breaking down occurs.

What follows, in Graeber's view, is the radical breakdown of societal norms and values (as far as these societies see it). As debt slavery and chattel slavery rise, new forms of governance and norms arrive to control the upending of values.

I divert from this path to illustrate a couple points. Our ability to measure a possession's value was pinned to another object, which endows all exchange with a new kind of flexibility, as illustrated earlier, but also a new kind of inflexibility: our ability to assess value is now rigidly tied to a real existing thing which is historically a commodity in its own right.

We have only recently returned to credit based systems, having suffered through the "gold standard" years (which was so often floating on top of community credit based systems, like those of the English peasants). I suggest we may be returning to a deeper level of total prestations as well.

I stake my claim on the following idea: Modern cryptocurrency is another gold standard phase, which will be overturned by some new form of cryptocurrency that is fundamentally more credit like. This development will parallel the development of IoT, and I find it unlikely the two will remain separate.

Nowadays we buy cheap, internet-connected thermostats and toys as our own possessions. In the future, I guess that IoT will take on a more "public" quality, in which we exchange services with objects via newer cryptocurrencies. This will underlay an economic change, in which a person may "purchase" a coffee from a coffee machine, but also be compensated for cleaning or maintaining it.

Transactions will fade into the subconscious, as they have been doing so far. But they could decentralize more truly, and gain the full fragility of what we have seen in the internet so far. It will further upend our immediate conception of property, in that we are surrounded by more and more things that are not "mine" or "yours", but they nonetheless react and reshape our environment proactively in response to us. We move apartment to apartment, and without packing a thing, have our rooms arranged as they were before.

As our ancestors intuited, with weak separations, their own will as though it were the same as those around them: we may find ourselves in a physical world that appears to us to be a complete extension of our immediate selves.

In full circle: cryptocurrencies in their current form are mired in primitive economic thinking, but they are nonetheless bound to evolve into a form that is better fitted to our environment. This form is assisted by deeper penetration of the physical world by our growing digital networks, such that they tie the relations between individuals and things as credit has done historically.

But we should be wary of the breakdowns in value and boundaries that all economic revolutions bring to bear. When we live with the expectation of control, the more disruptive loss affects us.


A couple weeks ago I was trying to explain the cryptography underlying Bitcoin to a coworker of mine. While my understanding of blockchain technology is not nearly as strong as it should be, I believe I was able to effectively convey the technical brilliance behind its design. Whoever wrote the 20 page Bitcoin paper, and its accompanying code, was a cryptographic genius. That has been said many times. But despite my appreciation for the underlying brilliance of the Bitcoin system, I believe its underlying economic assumptions to be a call back to the dead ideas of gold and silver.

One of the most clever tricks behind Bitcoin is the manner by which it controls the injection of additional Bitcoin into the blockchain network. A process called mining. I will shamelessly quote the Wikipedia explanation below:

Mining is a record-keeping service done through the use of computer processing power. Miners keep the blockchain consistent, complete, and unalterable by repeatedly grouping newly broadcast transactions into a block, which is then broadcast to the network and verified by recipient nodes. Each block contains a SHA-256 cryptographic hash of the previous block, thus linking it to the previous block and giving the blockchain its name.

To be accepted by the rest of the network, a new block must contain a so-called proof-of-work. ... The PoW requires miners to find a number called a nonce, such that when the block content is hashed along with the nonce, the result is numerically smaller than the network's difficulty target. This proof is easy for any node in the network to verify, but extremely time-consuming to generate, as for a secure cryptographic hash, miners must try many different nonce values (usually the sequence of tested values is the ascending natural numbers: 0, 1, 2, 3, ...) before meeting the difficulty target.

The rough sketch: Bitcoin schedules the introduction of new Bitcoin by dynamically adjusting the difficulty of finding the necessary nonce to produce the required hash. The miner knows the value of the entire block, and it knows the ruleset for the ultimately produced hash, but it must find the nonce that, if hashed alongside the block, will produce an ultimate hash value that meets the requirements. The ruleset is what is ultimately adjusted to determine the difficulty.

The conclusion to this system is that Bitcoin has a time-release drip feed of currency to its system. The amount of Bitcoin added effectively halves every 4 years, while difficulty is adjusted to prevent changes in computational power from speeding up or slowing down the addition of Bitcoin beyond a certain margin of time.

Despite the genius of Bitcoin's design, the detachment of Bitcoin's growth from the economic reality of its market could be a serious problem. The supply of Bitcoins grows steadily, largely ignoring the outside world and the amount of activity or exchange actually occurring.

Bitcoin is a ledger at the software layer, but a commodity at the economic layer.

The spectre of pre-Keynesian economics has risen again.

Bitcoin the Commodity

There is one sense in which the introduction of Bitcoin is attached to the outside market: the difficulty of the mining requirements changes depending on the speed of the last nonce discovery, effectively making its rate of currency addition tied to the computational power of the Bitcoin miners. The change in difficulty is, however, restrained to prevent sharp increases or decreases in difficulty.

Consider the following scenario: The price of Bitcoin is healthy and miners feel confident they will be able to make back the price of their mining hardware and electricity through the sale of earned bitcoin. A political decision made by a major economic power causes the price of Bitcoin to sharply drop. Miners, suddenly losing faith in their ability to make a return on their investment, leave the mining pool in large quantities. The Bitcoin network finds that no miner has discovered the hash within the expected time-frame, so it adjusts the requirements of the hash to reduce its difficulty, hopefully speeding up the mining process to match the schedule. However, the difficulty is not lowered enough to be proportional to the loss of computational power, causing the next arrival of Bitcoins to be late. Several cycles will have to pass before the network settles on a reliably accurate difficulty.
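The nonce search from the quoted mining description and the restrained difficulty adjustment in this scenario, as an added example that is not from the original post or from Bitcoin's own code. The header bytes, the 8-byte nonce encoding and the toy target are constructed; the 2016-block retarget window and the factor-of-4 limit per adjustment are Bitcoin's real parameters, which the post does not state.

```python
import hashlib
from fractions import Fraction

# ---- Part 1: proof-of-work (hash of block content + nonce must be below a target) ----
TOY_TARGET = 2**256 // 4096   # constructed: roughly 1 in 4096 hashes qualifies


def block_hash(header: bytes, nonce: int) -> int:
    """Double SHA-256 of header||nonce as an integer (toy layout, not the real 80-byte header)."""
    data = header + nonce.to_bytes(8, "little")
    return int.from_bytes(hashlib.sha256(hashlib.sha256(data).digest()).digest(), "big")


def verify(header: bytes, nonce: int, target: int) -> bool:
    """What every receiving node does: one hash and one comparison."""
    return block_hash(header, nonce) < target


def mine(header: bytes, target: int) -> int:
    """What the miner does: try 0, 1, 2, ... until a nonce verifies."""
    nonce = 0
    while not verify(header, nonce, target):
        nonce += 1
    return nonce


# ---- Part 2: restrained retargeting after miners leave ----
BLOCK_INTERVAL = 600                      # seconds per block the schedule aims for
RETARGET_BLOCKS = 2016                    # blocks between difficulty adjustments
TARGET_TIMESPAN = Fraction(BLOCK_INTERVAL * RETARGET_BLOCKS)
MAX_STEP = 4                              # one adjustment changes difficulty by at most 4x


def retarget(difficulty: Fraction, actual_timespan: Fraction) -> Fraction:
    """Scale difficulty by target time / actual time, with the actual time clamped."""
    low, high = TARGET_TIMESPAN / MAX_STEP, TARGET_TIMESPAN * MAX_STEP
    clamped = min(max(actual_timespan, low), high)
    return difficulty * TARGET_TIMESPAN / clamped


def block_times_after_drop(hashrate: int, drop_factor: int, periods: int) -> list:
    """Average seconds per block in each retarget period after the hash rate falls.

    Assumes the drop happens right at the start of a period and that difficulty
    (expected hashes per block) was perfectly tuned to the old hash rate.
    """
    difficulty = Fraction(hashrate * BLOCK_INTERVAL)
    remaining = Fraction(hashrate, drop_factor)
    times = []
    for _ in range(periods):
        block_time = difficulty / remaining
        times.append(block_time)
        difficulty = retarget(difficulty, block_time * RETARGET_BLOCKS)
    return times


if __name__ == "__main__":
    header = b"constructed block header"
    nonce = mine(header, TOY_TARGET)
    print("nonce", nonce, "verifies:", verify(header, nonce, TOY_TARGET))
    for i, t in enumerate(block_times_after_drop(1000, 10, 4)):
        days = float(t * RETARGET_BLOCKS) / 86400
        print(f"period {i}: {float(t):.0f} s per block, {days:.0f} days for 2016 blocks")
```

With 90% of the hash power gone, the first period after the drop takes 140 days instead of 14, and the 10-minute schedule is only restored after the second adjustment.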

This dynamic may be seen in real world commodity currencies or commodities such as gold, whose value can cause changes in its introduction into the market.

The problem here is that adjusting the supply in response to the value of the commodity is hardly a good idea if that commodity is intended to work as a currency. Modern economics is still debating how money supply should be controlled, but it has nonetheless moved well beyond its long dead love of commodity money.

Despite the fact that Bitcoin is a ledger system at its technical roots, it bears almost no resemblance to traditional ledger systems at the economic level. It presents itself as a commodity.

Being a commodity, Bitcoin appears rather ancient in its economic philosophy. There is something ironic about this, in that it happens to be loved by the same people who love the Gold Standard. The connection here is obvious, as it is fundamentally political. Commodity currencies do not necessitate the kind of governmental controls that modern fiat currencies have, and even if those who believe in the commodity currency philosophy accepted its flaws, they protest that the alternative is fiat, a system that leaves itself considerably more vulnerable to corruption.

What we are left with is a question. Will the cryptocurrencies after Bitcoin ever go beyond the commodity-like behavior of Bitcoin, and meet the demands of a true currency?

Another problem remains: our understanding of what makes a currency *good* is hardly solid. Much like cryptography, we understand what makes a bad currency, but less so a good one.

This is all ignoring the other glaring issues with Bitcoin: its speed, its cost in electricity, etc. And I have avoided the question of whether or not Bitcoin could be considered a currency at all...

At least Satoshi Nakamoto had the wisdom to cap the number of Bitcoins, effectively guaranteeing its death so that other cryptocurrencies may take its place.


Look at existence, and say what you see. The whole of the universe in all of its energy.

I see a tree. I see entropy.

A cold void expands. Radiation coalesces into matter, and matter cling together into planets and stars.

Branches reach out. Bleeding into the sky like a blotch of ink on cloth. It expands into the white. Emptiness stained with existence.

The expanding void, stretches across at all sides. In all ways. Matter expands with in it, expands to fill it. It must fill it. It will fill it.

An expression of the combined will of millions of cells. Individually, but codependent and mutually attracted, they break out as a single body. Cell, twig, branch, trunk.

Light passes through the leaves. The branches licking the horizon. The dust is crawling to the edges. The light, like star, fades as time passes.

Gravity. Planets roll closer to one another forming clusters. From a distance, they look like bright clouds contorting around one another.

Stars explode and collapse. Leaving ashen dust spraying to fill the space that the star could not. Dust collects together, before bursting out.

Leaves scatter, taken away by wind. The color fades away, and in death the limbs give way.

Degradation and collapse. Or is it growth and expansion?

Earth burned red. It burned green. Now it burns brown and grey.

It reaches out. Bleeding into the empty space that holds it. It takes what space it can. It does what it will.

Earth bursts out in radiation. Radiation walking on two feet.

A tree withstands the growth of its limbs by the growth of its roots.

Grow inward to grow upward.

Roots entangled. We grow outward, and into one another. A single body, bleeding into cold blackness that licks our skin.


GNU/Linux is popular amongst paranoid types due to the auditable nature of its codebase (or at least most of it).

Many, however, are ultimately misled into thinking that mainstream distributions of GNU/Linux are more secure than Windows out of the box. If you scrutinize a newly installed machine, you will find that this is not the case. In fact, almost all distributions start off without a host firewall: That means the machine is open to all incoming connections within its network!

Linux machines are generally unsecured by default. On first boot, most distros do not even have firewalls running by default: they are open to the world. This ultimately implies that Windows 10 is more hardened out of the box than nearly every GNU/Linux distribution. But if a user is willing to experiment and tinker, a Linux machine can be made to compete with Windows in a serious way. Linux machines are, after all, a prime choice for enterprise servers, but are typically maintained by experienced admins.

I'll lay out a number of tips in this post for how to harden one particular distribution of GNU/Linux: Debian. Debian is maintained by the non-profit Debian Project (also: http://sejnfjrq6szgca7v.onion/). It is used as the basis for non-privacy oriented distributions like Ubuntu, but also for security and privacy focused distributions such as the ephemeral operating system Tails, an anonymizing operating system made to be run as a virtual machine called Whonix, etc. There are many more, but I will leave it there.

Debian has one strong benefit: its default software is free/open source software under open licenses. And the software made available via its package manager is verified via reproducible builds, which prevent developers from offering compiled software that is different than the source code they release publicly. Nearly every package offered by the Debian project is compiled multiple times by multiple people, so that the hashes of each compilation can be referenced against the package maintainer's version to verify he/she has not secretly modified the package. The Debian infrastructure has removed as much trust as possible between the user and the developer, and has thus weakened a serious avenue of attack (an attack made all the more real after the Snowden revelations).

I will start by offering a couple guides that are already available elsewhere:

The AnonGuide is one of the best available starting points for a hardened Debian. It walks you through verifying that your Debian installation file is legitimate, directing Debian to update over Tor to official Debian .onion servers, using Whonix within a virtual box, hardening your kernel's network stack, and even using a keyfile when encrypting your hard drive (the keyfile thing is next level paranoid, but losing that keyfile is losing your data).

The Securing Debian Manual; the age shows in this one. Some of its suggested tools no longer exist, and there are more that could be added.

Remember that the goal is to make attacks expensive to carry out, not impossible. I am assuming the user is relatively new to using Debian, so many readers will not find this helpful.

Now for my tips:

  1. Use disk encryption, particularly with laptops.

    In the installation of Debian, you will be offered the opportunity to partition the drive using LVM with disk encryption.

    Do so, and utilize a strong passphrase.

  2. Put strong passwords on your root user and any sudoer/sudo enabled user

    You want to reduce the likelihood of malware being executed by root. An easy way to do so is to make root passwords too strong for malware to guess.

  3. Create separate users for less trustworthy applications

    Separate users based on the trustworthiness of applications. Keeping essential files and software away from

  4. Start by activating some kind of firewall and setting it to block incoming connections. This will allow your machine to initiate connections, but not accept unsolicited ones.

    If you're a newbie, try UFW (uncomplicated firewall):

    sudo apt-get install ufw

    sudo ufw default deny incoming

    Also (from anondistro):

    sudo nano /etc/ufw/before.rules

    Now search for "icmp"

    Add "#" before each line under "# ok icmp codes" until the line "# allow dhcp client to work"

    sudo ufw enable

  5. Configure Debian to update over Tor with apt-transport-tor

    When Debian fetches software via its package manager, apt, it uses a locally available public key to verify/authenticate the packages it receives to ensure only legitimate software is installed. A bad guy, including one who had taken control of the server you update from, cannot tamper with the software unless he has the private key used to sign the software. The problem is, however, that most servers do not provide any encryption. You can see this when you run apt-get update and see "http://arbitrary-mirrorserver". That means a bad guy can still see what you're installing and utilize that information in an attack.

    The Debian project thus responded with quite a leap in privacy by providing the apt-transport-tor utility, which forces apt to anonymize its traffic, then by providing official .onion servers in order to prevent the apt traffic from leaving the Tor network.

    sudo apt-get install apt-transport-tor

    sudo nano /etc/apt/sources.list

    Modify to match the following:

    deb tor+http://vwakviie2ienjx6t.onion/debian stretch main

    deb tor+http://vwakviie2ienjx6t.onion/debian stretch-updates main

    deb tor+http://sgvtcaew4bxjd7ln.onion/debian-security stretch/updates main

    You may add "tor+" to any repo's address you wish. But the traffic will leave the Tor network if it is not .onion.

  6. Utilize sandboxing

    Sandboxing constrains running programs under default or user written rules. These rules can vary from file and directory access rules to network and window manager rules.

    Two popular sandboxing solutions on Linux are AppArmor and Firejail. Both are easy to use, and are widely available in distros.

    You also have the option of installing applications through Flatpak.

    I have another post on firejailing steam, which can be used as a guide for how to utilize private directories within firejail. A useful feature if that application is taking in files and remote code from the outside world.

    It's important to note that the X11 problem, wherein any application listening on X11 can see anything other applications receive or send through the GUI, can be mitigated by firejail.

    Firejail offers a --x11 option that can designate an alternative display server such as xephyr. Adding "--x11=xephyr" will pick up its configuration from /etc/firejail/firejail.conf and open up a strange, unadjustable window on your screen containing the sandboxed software. You will notice that the xephyr window is effectively its own desktop. A window manager can be run within the xephyr X11 sandbox window, meaning the sandboxed programs can be resized within the statically sized xephyr window.

    If you read that last paragraph without trying it yourself, you will probably not have understood a word of it. Try it out, and you'll see.
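A check for the apt-transport-tor tip above, written here as an added example (not code from the original post or from the Debian project): it reads sources.list text and reports, per entry, whether apt traffic is plaintext, goes over Tor but exits the network, or stays on a .onion mirror. The sample file, the mirror.example.org host and the 56-character placeholder onion name are constructed; the 16-character address is the one quoted in the tip, and such v2 onion names were retired by Tor in 2021.

```python
import re
from urllib.parse import urlsplit

# One-line-style entry: "deb [options] uri suite components..."
ENTRY = re.compile(r"^(?:deb|deb-src)\s+(?:\[[^\]]*\]\s+)?(\S+)")
# 16-character base32 names are v2 onion services, which Tor retired in 2021.
V2_ONION = re.compile(r"^[a-z2-7]{16}\.onion$")


def classify(uri: str) -> str:
    """Say what an observer on the network path can learn from this repository URI."""
    parts = urlsplit(uri)
    scheme, host = parts.scheme, parts.hostname or ""
    if scheme in ("cdrom", "file", "copy"):
        return "local"                      # no network traffic at all
    if scheme.startswith("tor+"):
        if not host.endswith(".onion"):
            return "exits-tor"              # anonymized, but leaves Tor at an exit relay
        return "v2-onion-retired" if V2_ONION.match(host) else "onion-ok"
    # Anything else goes straight to the mirror from your own IP address.
    return "plaintext-http" if scheme == "http" else "not-over-tor"


def audit_sources(text: str) -> list:
    """Return (line_number, verdict) for every deb/deb-src entry in sources.list text."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        match = ENTRY.match(line)
        if match:
            findings.append((lineno, classify(match.group(1))))
    return findings


# Constructed sample; the placeholder v3 name is not a real onion service.
SAMPLE = """\
# constructed sources.list for the example
deb http://mirror.example.org/debian stretch main
deb [arch=amd64] tor+http://mirror.example.org/debian stretch main
deb tor+http://vwakviie2ienjx6t.onion/debian stretch main
deb-src tor+http://{v3}/debian stretch main
deb https://mirror.example.org/debian stretch main  # trailing comment
""".format(v3="a" * 56 + ".onion")

if __name__ == "__main__":
    for lineno, verdict in audit_sources(SAMPLE):
        print(f"line {lineno}: {verdict}")
```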


It's a good idea to sandbox Steam.

Many online games offer no protection against multiplayer and content, meaning a server can easily inject malicious assets into a client. It's also the case that most games use unencrypted and unauthenticated connections between the client and server, since encryption would increase latency, but this leaves the connection vulnerable to malicious injections by a man-in-the-middle. Without encryption, the software itself is entirely responsible for resisting malicious attack (how many game developers have time to worry about that?).

Some games also run their own installers, which fail to authenticate what they download and install.

For Windows users, Steam has resisted allowing itself to be installed or run in popular sandboxing solutions like Sandboxie, limiting Windows users to creating a separate user account in order to properly isolate steam from more essential software and files.

GNU/Linux users are in luck, however, since solutions like Firejail are easy to apply with little overhead and are available in the repositories of most distributions. This will allow steam to run in an environment that restricts its ability to read and write to existing files used by other software or the OS kernel, as well as its ability to execute code outside of its sandbox.

Keep that proprietary crap out of my $HOME!

Firejail has a preinstalled steam.profile found in /etc/firejail/ which applies some restrictions to the steam client and the software it runs. But it should be made more restrictive through the application of a private $HOME directory. I will show you how to install firejail and apply it with this modification.

It should be noted that a private Home directory will mean that currently installed games will have to be moved into that directory in order for steam to find them. This ultimately keeps all of steam and its related software and files together in one folder making system management and hygiene easier.

I am also assuming you know how to install steam or have it already installed, and that you know how to open a terminal and traverse directories comfortably.

There is also an older blog post on how to do this by Joris van Rantwijk, but it appears out of date and includes unnecessary steps such as extracting steam.deb then running ./steam inside the private directory under firejail. You do not need to do this, as you can download the steam installer normally from your repository, and steam will install itself inside a sandbox if you have the profile applied. If you run steam and allow it to update and configure itself before applying the modified firejail profile you will only be creating unneeded files in your actual Home directory.

You can apply these steps in nearly any distro, but I am running Debian.

Let's begin by installing firejail:

sudo apt install firejail

Let's read a little about firejail. Please read the whole summary in the man page if firejail is new to you.

man firejail

Firejail is a SUID sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces, seccomp-bpf and Linux capabilities. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, mount table. Firejail can work in a SELinux or AppArmor environment, and it is integrated with Linux Control Groups.

The firecfg command is also now available as part of firejail. When it is run, it will apply firejail rules to all compatible software firejail has profiles for.

man firecfg

... run 'sudo firecfg' after installing Firejail software. The same command should also be run after installing new programs. If the program is supported by Firejail, the symbolic link in /usr/local/bin will be created. For a full list of programs supported by default run 'cat /usr/lib/firejail/firecfg.config'.

If you do not want some piece of software to run under firejail, you can either change the name of its profile in "/etc/firejail/$SOFTWARE.profile" or comment the software out in "/usr/lib/firejail/firecfg.config". If you only want steam to run under firejail, comment out or delete all other applications in firecfg.config (again, # prevents firecfg from reading the remainder of that line).

You should take a look at the firejail profile that firecfg will apply to steam (and your other applications):

cat /etc/firejail/steam.profile

You will notice that there are optional settings commented out in this profile (the # stops firejail from reading the line). You can play with these later, but for now we will focus on the private home directory.

Let's first run firecfg and apply firejail system wide:

sudo firecfg

Firejail will now be applied to steam and all other software. Firecfg will list what profiles were applied when the command is run.

If firecfg fails to find a program you know has a .profile available, you can employ a number of simple hacks to get the software to run under firejail, such as creating desktop launchers that include "firejail $arbitraryProgram" or adding your own symbolic links.

To make it impossible for steam and your games to see your Home directory and its contents, you will want to designate an arbitrary folder as its Home directory in firejail.

You can name it what you like, but I will call it steamJail from now on. You may put this directory wherever you like, and steam or any games installed by and running out of steam will be placed here without the ability to traverse upwards in the directory from this folder, making your personal files safer.

The following command will create a directory/folder in the working/current directory. Make sure to run this where you want the steamJail folder to exist:

mkdir steamJail

Let's do a test run of steam with "firejail --private=/parentDirectories/steamJail steam" in the command. Remember that "/parentDirectories/" is a placeholder for wherever your version of steamJail is. You can use the "pwd" command from within steamJail to find your directory chain for this command.

It should begin updating itself in that new Home directory: steam is generating and populating a hidden .steam directory inside the private home directory. If you have run steam before you should already have one generated in your original home directory (you can move that original .steam directory to your private ./steamJail so steam will not have to do everything over again). As far as the steam executable knows, your user account has never run steam before, since it finds no evidence of an earlier configuration.

firejail --private=/parentDirectories/steamJail steam

Note that you can technically have two separate applications share a single private directory if you'd like.

You can check if a program is running in firejail with:

firejail --list

You can also use the separate firejail-tools to get access to a gui that can visualize what is going on in your sandboxes. This can be useful if you want reassurance that your steam games are running in the same sandbox as Steam.

Go ahead and test the private Home directory setting by right clicking on a game you have installed and looking at its local files (steam throws an error about not finding it, before finding it). Or, you can go into Settings -> Downloads -> STEAM LIBRARY FOLDERS -> Add Library Folder and take a look at what steam can see.

Be aware that the steam.profile mounts folders such as /dev/ and /etc/ as read-only so steam can run properly without risking root file system writes. You may set these as private as well by editing steam.profile and removing the commenting # by the respective command, but this could cause errors with some of the games you are trying to play.

If you want steam to run within this directory permanently, which is likely the case if you are reading this tutorial, you will have to edit the steam.profile and make this command run as part of its profile.

You can use whatever command line editor you want, but I'll run nano for those who have less experience.

sudo nano /etc/firejail/steam.profile

Below the following line in steam.profile:

include /etc/firejail/globals.local

Add a modified version of your previous firejail command (recall that "/parentDirectories/" is a placeholder in this example):

private /parentDirectories/steamJail

From now on, steam will run within this private folder with its processes contained by firejail. You can see into this directory from the outside normally, but steam is limited in its ability to see beyond it.
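The profile edit described above can also be scripted. This is an added example, not part of the original post or of firejail itself: the function name set_private_home, its exit codes and the .bak backup are assumptions of the example, and it is best tried on a copy of steam.profile first.

```shell
#!/bin/sh
# Added example: pin a private home directory in a firejail profile.
# ANCHOR is the include line quoted in the post; everything else is hypothetical.
ANCHOR='include /etc/firejail/globals.local'

# usage: set_private_home ./steam.profile.copy /parentDirectories/steamJail
# Inserts "private JAILDIR" directly below ANCHOR. Any earlier uncommented
# "private ..." line is dropped, so the directive appears exactly once and
# running the function twice does not stack duplicates.
set_private_home() {
    profile=$1
    jail=$2

    # A relative path would resolve against whatever directory steam starts in.
    case $jail in
        /*) ;;
        *) echo "jail path must be absolute: $jail" >&2; return 2 ;;
    esac
    [ -d "$jail" ] || { echo "no such directory: $jail" >&2; return 3; }
    # Pointing the jail at the real home would expose everything again.
    [ "${jail%/}" != "${HOME%/}" ] || { echo "jail must not be \$HOME" >&2; return 4; }
    grep -qxF "$ANCHOR" "$profile" || { echo "anchor line not in $profile" >&2; return 5; }

    tmp=$(mktemp) || return 1
    # Values go through the environment so awk does not interpret backslashes.
    ANCHOR=$ANCHOR JAIL=$jail awk '
        /^private([ \t]|$)/ { next }   # old "private" lines; private-dev etc. are kept
        { print }
        $0 == ENVIRON["ANCHOR"] { print "private " ENVIRON["JAIL"] }
    ' "$profile" > "$tmp" || { rm -f "$tmp"; return 1; }

    # Keep a backup, then overwrite in place so owner and mode are preserved.
    cp -p "$profile" "$profile.bak" && cat "$tmp" > "$profile"
    status=$?
    rm -f "$tmp"
    return $status
}
```

Against the real /etc/firejail/steam.profile the function has to be run as root, just like the nano edit above.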

If you already have games installed outside this directory, you can scavenge the files together and move them yourself. Or you can simply delete them for a reinstall and hope steam cloud saves is holding on to your save files.

You may also delete all remnants of steam from your actual Home directory. This includes hidden files such as /home/user/.steam or anything a game may have added. You should also consider applying this sandboxing method to other software, like your browser or email client.