Fork me on GitHub

We are Hiring!

Posted by Bjarni Rúnar on January 22, 2018

Good news!

We have secured funding, hired Oktavía to manage things and posted ads for the first positions we would like to fill: Windows and Mac OS developers.

Details are on our jobs page.

Please spread the word!

Containing the Spectre

Posted by Bjarni Rúnar on January 7, 2018

Hello everybody!

The year 2018 started with a bit of a bang, for those of us who are concerned with computer and Internet security. By now you have probably heard of the Spectre and Meltdown attacks. These security holes are big news, because they represent a new class of security vulnerability - and almost everybody is potentially vulnerable. The industry is still working through the implications.

Quoting the official site:

Meltdown and Spectre exploit critical vulnerabilities in modern processors. These hardware vulnerabilities allow programs to steal data which is currently processed on the computer. While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs.

And quoting Bruce Schneier:

... there's no patch for Spectre; the microprocessors have to be redesigned to prevent the attack, and that will take years. [...] This is bad, but expect it more and more. Several trends are converging in a way that makes our current system of patching security vulnerabilities harder to implement.

So that's the bad news. Is there any good news?

Well, all is not lost: Spectre, Meltdown and similar as-yet-undiscovered CPU bugs are only a problem when a malicious person can run code on a computer you rely on. This happens more than you might think, but this limitation does tell us how we can protect ourselves today, tomorrow and next week.

The most important advice is standard. You've heard it before, but it bears repeating: prompty install any available updates to your browser and operating system, and avoid installing software (including mobile apps) from untrusted sources. Let the professionals help you.

But almost as important, is to run an ad blocker or disable Javascript entirely (I use NoScript to do exactly that). Malicious ads on the web, and to a lesser degree entire malicious websites, are the most immediate risk to the general public.

Although the mainstream browsers have already released updates that make exploiting Spectre from Javascript more difficult, it is worth remembering that attacks always get better and new ones are discovered all the time. Blocking Javascript by default (and then selectively re-enabling it on sites you trust) is a bit like washing your hands - it takes a bit of time and effort, but it's an invaluable first line of defense.

Finally, if you really want to defend against Meltdown, Spectre and whatever the next big bug will be: Avoid shared hardware.

That means avoid VPS servers. Avoid cloud services. If privacy and confidentiality of your data matters to you, you may want to keep it on hardware directly under your control (and make sure you have good backups).

It so happens that this is Mailpile's driving philosophy.

We want to empower everyone, not just techies, to store their e-mail on devices under their control. This is very difficult today. Our primary goal is, and always has been, to make it much easier. For everyone.

If you would like to support our work, we accept donations, code contributions and translations. Or just keep an eye on this blog and help spread the word!

If you would rather support something more immediately related to the problem at hand, the NoScript team also accepts donations. They are absolutely worth supporting.

Thanks, and stay safe!

Holiday Season Updates

Posted by Bjarni Rúnar on December 12, 2017

Happy holidays, dear readers!

It's been way too long since I updated this blog. Way too long!

Back in August, the plan was to quickly post job ads and start looking for people to hire for our next stages of work - building minimal Windows and Mac GUIs, and installers.

That timeline didn't quite pan out, mostly because I was distracted by other work. My other job needed my attention, then the Icelandic government collapsed, so I volunteered some of my time to help the Icelandic Pirates campaign. I also moved back to Italy from Iceland, which always slows me down for a while.

But enough excuses already!

After some intensive introspection and deep analysis of the Mailpile project's structure and history, we have identified our biggest problem: I am a bottleneck. OK, I made that up. We didn't perform any analysis, it's been obvious for a while that this is a problem. However, empowered by Bitcoin's latest shenanigans, we have finally done something about it.

We've hired a project manager!

The talented Oktavía Hrund has been hired to make sure things get done in spite of me. She has a contract in hand, a budget to work with and Mailpile installed on her laptop... she's here to kick ass and chew bubblegum.

We have changed ownership!

Another recent development, is Mailpile ehf, the Icelandic company founded around the project has changed ownership. Mailpile ehf used to be fully owned by the original project founders: Smári McCarthy, Brennan Novak and myself. Since then, Brennan has moved on to other things. Recently he sold his shares to Daniel Yeow. Daniel should be a a familiar face to the the speed skaters amongst you (I hear Mailpile is huge in the speed skating community... huge!), but he has also been helping out with coordination of our Transifex community while researching whether it is possible to use Raspberry-Pi-like devices to make a Mailpile hardware product.

You made this happen!

Your encouragement, your belief in our vision and your gracious donations (including Bitcoin donations) are what makes Mailpile possible. Bitcoin prices have risen dramatically, so much so that we now have enough magical Internet money to fund another round or two of work after this one - assuming Bitcoin doesn't collapse completely in the meantime! So thank you again for your trust and donations. They have given us the motivation and courage we need to keep going and make Mailpile available, easy and accessible to you all! We may be late, but never isn't an option.

That's the news for now.

I'm sure Okta will make me blog again soon. Until then, I hope you enjoy Santaseason, spend some quality time with your loved ones and enter the Gregorian Calendar New Year full of joy and optimism...

Take care!

Still Hacking Anyway

Posted by Bjarni Rúnar on August 13, 2017

Last weekend, I happily attended the Dutch SHA2017 Hacker Camp. I slept in a tent, gave a talk about Mailpile and had too much beer and almost enough interesting conversations.

The advertised title of my talk was "Four years later", because Mailpile itself was launched at the last Dutch hacker camp: OHM in 2013. So I talked about what Mailpile is, what has happened during the last four years and finally I announced our first 1.0 release candiate!

However, I sneakily changed the title to Still Hacking Anyway, because I just liked that better.

Thanks to the Chaos Computer Club media project, you can watch the talk here:

download the talk here

After the talk I gave away a bunch of Mailpile t-shirts and stickers, but mostly relaxed and enjoyed being surrounded by interesting hacktivists at the camp. It was a wonderful event and the organizers and volunteers all did a fantastic job.

The talk ended with a call for help; funnily enough, I'm roughly on schedule and would like to hire a couple of developers to help me complete the Plan for 2017. I will post more details about the positions later this month: if you know Windows or Mac desktop developers that are looking for 3-4 months of contract work, watch this space - or just get in touch!

A correction: I am aware of one factual error in my talk: I said that GnuPG 2.1 was moving towards making TOFU the default trust model. This is incorrect. My apologies!

Older stuff

Some Tweets

Don't panic: Our website is temporarily unavailable as we migrate to a beefier VPS.

In other news, we successfully hired a couple of clever people to help with our Windows and Mac packaging. Work has begun!
@MailpileTeam, Tue, 13 Mar 2018 16:19

Its Friday afternoon in some parts of the world - your inbox is hassling you & you drift off to better future where you have an email client that is a search engine & a personal webmail server that has email encryption built in!
Help us build that future!
@MailpileTeam, Fri, 09 Feb 2018 15:43

Iiiitttt´ssss "Hump Day" everybody!
Did you know that Mailpile is still looking for developers? we would luurv to get Mailpile out to as many as possible, make it accessible for most! Join us to package for Windows and MacOS!
@MailpileTeam, Wed, 07 Feb 2018 15:46

Hey developers! We are still looking for you <3 so much so that we have extended our deadline for MacOS and Windows developers to Feb. 14th <3 <3
Ping us for questions - more info here:
@MailpileTeam, Thu, 01 Feb 2018 12:00

The Mailpile Team is back after being dormant for a while and we are looking for developers to help us Mailpile out for more people to use! Check out for details
@MailpileTeam, Mon, 29 Jan 2018 09:57

We are hiring!

We are looking for Windows and Mac OS developers to help us get Mailpile 1.0 in the hands of as many people as possible.

Check out and spread the word!
@MailpileTeam, Mon, 22 Jan 2018 21:25

Oh, hi! We're not dead. In fact, we're in the process of hiring a project manager to get the ball rolling a bit more visibly again. More news soon.
@MailpileTeam, Thu, 16 Nov 2017 00:21

Have you tried the Mailpile Debian 1.0rc1 packages? We're looking for feedback on what works and what doesn't.
@MailpileTeam, Mon, 21 Aug 2017 10:45

As announced at #SHA2017, we now have a first release candidate for Mailpile 1.0. Linux (deb) packages are here:
@MailpileTeam, Wed, 16 Aug 2017 16:30

We finally finished updating our website SSL certs. Big thanks to @letsencrypt - and all the folks that reported issues with the old certs!
@MailpileTeam, Thu, 03 Aug 2017 10:44

~95% of all e-mail goes through the servers of the top ten e-mail providers. Unencrypted. What does that mean for privacy?
@MailpileTeam, Wed, 02 Aug 2017 21:22

We're going to @SHA2017Camp! Our @HerraBRE will give a talk about Mailpile on Saturday and @smarimc will be flitting around too. Say hi!
@MailpileTeam, Wed, 02 Aug 2017 15:11

The crypto in Mailpile depends on @GnuPG - please support their work if you can!
@MailpileTeam, Tue, 13 Jun 2017 17:12

Ever wondered what sort of work goes into writing a secure e-mail client? We discuss most things in detail on #mailpile on Freenode (IRC).
@MailpileTeam, Wed, 29 Mar 2017 11:03

Looking for a weekend project? Like e-mail attachments? We could use help with these issues:
@MailpileTeam, Fri, 24 Mar 2017 12:41


Please do not send mail to