Writing related to what I do as a web engineer. Read about my background and how I approach my work. Follow via RSS.
Published
I just had my first experience with a subdomain takeover due to a dangling DNS record. It’s been lovely. /s
This note outlines how I came across it, what I had to do to fix it, and what I’ve learned from it.
Published
This suite of tutorials is the result of a recent Agorama Server Co-op workshop day. They cover how to set up a Raspberry Pi, how to use an Ansible playbook to easily get a Pi set up as a server, and how to run Homebase on a Raspberry server.
For almost all of the tutorials below, you’ll need: a computer, a Raspberry Pi, a power supply for your Pi (read more), an SD card appropriate to your requirements (read more), and an SD card reader. You may also find an ethernet cable useful if your Pi has an ethernet port.
Personally, I’m working with: a 15ʺ MacBook Pro with an SD card port; a Raspberry Pi 3 Model B+; a SanDisk Ultra 16GB micro SD card with an 80Mbps read speed that came with a microSD adapter; and the charger from an old Android phone.
Some of these tutorials are like a mini crash course in server administration. You don’t need to know much to get started and mess around, but it is useful to be aware of a few terms. If you’re unfamiliar with any of the terms used, see below for very brief explanations.
.zip file. If you will only be using the Raspberry Pi as a server, such as with Homebase, you may wish to go with Raspbian Lite.Flashing the Raspbian image on to an SD can be done manually instead of using Etcher. For further info, see the base of the “Installing operating system images” page on raspberrypi.org.
If you want to connect the Pi to a WiFi network or enable SSH, complete those steps before booting the Pi.
This tutorial assumes you have flashed Raspbian on an SD card but have not yet booted the Pi. If you have already booted the Pi, see instructions on how to change the existing WiFi configuration on the command line.
Plug your SD card in to your card reader so that it mounts on your computer.
Open the command line and run:
nano /Volumes/boot/wpa_supplicant.confThis will open a blank file using nano. Paste in the configuration below:
country=gb
update_config=1
ctrl_interface=/var/run/wpa_supplicant
network={
scan_ssid=1
ssid="YOUR_NETWORK_NAME"
psk="YOUR_NETWORK_PASSWORD"
}Be sure to change the ssid and psk values to your WiFi network name and password respectively. The country value should be set to the ISO 3166-1 alpha-2 code for the country the Pi is in.
If you are planning to use the Raspberry Pi on a few networks, you should add any other required networks to this file as so:
country=gb
update_config=1
ctrl_interface=/var/run/wpa_supplicant
network={
scan_ssid=1
ssid="YOUR_NETWORK_NAME_1"
psk="YOUR_NETWORK_PASSWORD_1"
priority = 1
}
network={
scan_ssid=1
ssid="YOUR_NETWORK_NAME_2"
psk="YOUR_NETWORK_PASSWORD_2"
priority = 2
}When you are done editing the credentials, save the wpa_supplicant.conf file and close Nano.
If you want to enable SSH but haven’t yet done so, complete that step before you boot the Pi for the first time.
When you are ready to boot the Pi for the first time and test the WiFi connection, insert the SD card in the Raspberry Pi and plug the Pi in to a power source. Give it a minute or two, then view the devices on the network. If the Pi shows up, you’re ready to go.
If you are planning to use the Raspberry Pi as a server, such as to run Homebase, you may wish to keep it plugged in to the ethernet for a more stable connection.
As of late 2016, Raspbian has SSH disabled by default. This is to protect users from accidentally making their Pi accessible to the internet with default credentials. This tutorial assumes you have flashed Raspbian on an SD card but have not yet booted the Pi.
Plug your SD card in to your card reader so that it mounts on your computer.
Next, open the command line and run
touch /Volumes/boot/sshThis will create a new empty file titled ssh in the root of your SD card. This empty file will allow you to connect via SSH when the Pi is first booted.
If you get an error after running the touch command that says No such file or directory, check that your SD card has mounted correctly and check that Raspbian is installed on the SD card.
If you want to connect the Pi to a WiFi network but haven’t yet done so, complete that step before you boot the Pi for the first time.
piThis tutorial assumes you have already flashed Raspbian on an SD card, have enabled SSH, have connected the Pi to the internet via WiFi or ethernet, and have booted the Pi.
Open the command line and run:
ssh pi@raspberrypi.localIf this is the first time you are connecting via SSH then type in the default password raspberry. If you don’t plan to use Agorama’s Ansible playbook to configure your SSH credentials, you must change your default password by using the passwd command (read more). Keeping the default password in place and enabling SSH just invites bad guys to do shady things with your Pi.
If this is not the first time you are connecting via SSH, use the password you configured with passwd or the password you added to the Ansible playbook.
For security reasons, nothing will show on the screen while you are typing your password.
If nothing happens when you attempt to log in, your Pi may not be connected to the internet.
If you receive a Permission denied error, you will need to find the Pi’s IP address. View the devices on the network to determine the IP. Once you have the Pi’s IP address, try logging in as instructed above but replace raspberrypi.local with your Pi’s IP address. If you had to take this step, you may want to write down your Pi’s IP address for use in other steps on this page.
If you receive an error relating to the ECDSA host key changing, see the guidance below guidance below related to ECDSA errors.
Agorama’s Ansible Raspberry server playbook automates a number of fiddly tasks that are required to get a Raspberry Pi set up as a server geared towards use with Homebase. You can get a feel for the tasks that will be performed by the playbook by browsing the files within the playbook, working backwards from all.yml.
As of late April 2019, the tasks performed by the playbook include:
worker group and userapt packages and cachegitgeerlingguy.securitygeerlingguy.ntpgeerlingguy.firewallnodesource.node.npmrcPATHnginx web serverFuture tasks planned for the playbook include DNS configuration and HTTPS support.
Regardless of what method you use to set up a server, and no matter where the server “lives” – on a Raspberry Pi, a DigitalOcean droplet, or anywhere else – the most important thing to remember is that it is your responsibility to keep it secure and up-to-date.
This tutorial assumes you have Python, pip, and git installed on your computer.
Open the command line.
Install the Python packages Ansible and Passlib by running:
pip install ansible passlibNext, clone Agorama’s ansible-raspberry-server repository:
git clone https://github.com/agoramaHub/ansible-raspberry-server.gitand change directories in to the root of that repository by running:
cd ansible-raspberry-serverNow you are ready to add your SSH credentials to this Ansible playbook and configure a Raspberry Pi.
This tutorial assumes you have already set up Ansible and the playbook. It also assumes that you have set up SSH keys (see tutorial on DigitalOcean).
Open the command line and change directories to the root directory of the cloned Ansible playbook by running the command below. Replace the path with the correct path on your computer.
cd /path/to/your/ansible-raspberry-serverTo add your SSH key and change the password for the root pi user, run the command:
ansible-playbook 01-auth.ymlYou will be prompted to add your public key path and set a password for the root user. The default key path should be fine unless you placed your public key somewhere other than the default path when you created it. Set the password to the password you would prefer to use when you log in to the root pi user via SSH. Note that you will not need to use this password often since you are adding your SSH key, however you will need it when you first run the playbook.
When you have finished answering each prompt, the output will be saved to vars/auth.yml with the password encrypted by passlib.
To check and edit the timezone, run:
nano vars/base.ymlto open the base variables file with nano. If you need to change the timezone, edit the ntp_timezone value and save this file.
This tutorial assumes you have already set up Ansible and the playbook, have configured your SSH credentials in the playbook, have flashed Raspbian, have enabled SSH, have connected the Pi to the internet via WiFi or ethernet, and have booted the Pi.
Open the command line and change directories to the root directory of the cloned Ansible playbook by running the command below. Replace the path with the correct path on your computer.
cd /path/to/your/ansible-raspberry-serverWhen you’re ready, run the playbook:
ansible-playbook all.yml --ask-passIf the command fails because it cannot find the Pi, you need to change the hosts file so that the script can find the Pi via its IP address. View the devices on the network to determine the IP, then run:
nano hoststo open the hosts file with nano. Replace raspberrypi.local with your Raspberry Pi’s IP address. You may add additional Raspberry Pi IP addresses to this file if you want to run the playbook on multiple Pis. When you are done editing, save and close this file and then run the ansible-playbook command above again.
You will be prompted for the password you added to the playbook. If your SSH key is added and you can log in successfully then the playbook will proceed to configure the Raspberry Pi, logging tasks as they are performed.
Note: if you configured a passphrase for your SSH key when you set it up, you will be asked for this as well and will be asked for it each time you connect to your Raspberry Pi via SSH in the future. See this StackExchange thread for a few suggestions on how to avoid being asked for the passphrase every time.
dat and homebaseThis tutorial assumes that you have set up a Raspberry Pi and have configured it for use as a server using Agorama’s Ansible playbook or via other means. It also assumes that your configured Raspberry Pi is on and connected to the internet and that you have logged in via SSH.
For security purposes, the Ansible playbook configures worker user on Raspberry server so that we’re not using the root user pi to install and run software. When you first log in with SSH you are logged in as the root user, so we need to switch to worker by running:
sudo su workerNext, install dat:
npm install -g datTest whether or not the dat installation works with the Pi configuration by running:
dat doctorWhen prompted, select the peer-to-peer test and send the command it returns to a friend that has dat installed. Ask the friend to run the command. If dat doctor returns successful, then you’re all good. Disconnect from dat doctor by typing ctrl + c.
Install homebase by running:
npm install -g @beaker/homebaseChange directory to the user root:
cdand then create a Homebase config. Run:
nano .homebase.ymlto open up the Homebase config with nano, then paste in:
dats:
- url: dat://01cd482f39eb729cdcbb479b03b0c76c6def9cfc9cff276a564a17c99c4432f4/
- url: dat://b0bc462c23e3ca1fee7731d0a1a2dc38bd9b9385daa413520e25aea0a26237a6/
- url: dat://f707397e8dacc1893dced5afa285bab1715b70fe40135c2e14aac7de52f2c6bb/
directory: ~/.homebase # where your data will be stored
# For API service. Establish API endpoint through port 80 (http)
ports:
http: 8080 # HTTP port for redirects or non-TLS servingThis config will set up a pinning service without DNS support that pins three Agorama-related URLs. Feel free to replace them with URLs of your choice. Save and close the file when you’re done editing.
Next, run homebase:
homebaseThe response should indicate success and that your URLs from the .homebase.yml file are being pinned.
If you get an error message here or when you ran dat doctor, you may need to check the configuration of your Raspberry Pi.
homebase with systemdThis tutorial assumes that you have set up a Raspberry Pi, have configured it with Agorama’s Ansible Raspberry playbook according to the instructions above, and have installed dat and homebase on the Pi. It also assumes that your configured Raspberry Pi is on and connected to the internet and that you have logged in via SSH.
Daemonizing homebase means that it will constantly run in the background as long as the service hasn’t failed, the server is on, and the server is connected to the internet. This is important because the whole point is that we want the Dat sites specified in .homebase.yml to run in perpetuity.
First, add a service configuration for homebase. As the root user pi, run:
nano /etc/systemd/system/homebase.serviceto open a new file with nano. Paste in:
[Unit]
Description=homebase
[Service]
Type=simple
ExecStart=/usr/bin/env .npm-packages/bin/homebase
WorkingDirectory=/home/worker/
Restart=on-failure
StandardInput=null
StandardOutput=syslog
StandardError=syslog
Restart=always
SyslogIdentifier=homebase
User=worker
Group=worker
[Install]
WantedBy=multi-user.targetThis configuration file indicates (amongst other things) which user will run the service, where to find homebase, and whether or not to restart when the system is rebooted.
To start the service, run:
sudo service homebase startTo stop the service, run:
sudo service homebase stopTo read the logs, run:
journalctl -u homebaseIf the service is running and is working as it should, you should be able to visit any of the URLs you added to your .homebase.yml config file in Beaker Browser.
NOTE
A few friendly folks have suggested pm2 for daemonizing Homebase (see Twitter thread). This is also what is suggested in the Homebase readme, and it’s what I used previously when getting Homebase set up on DigitalOcean. It worked great for me, but this time round we used systemd because two people at the workshop had rough experiences using pm2 with Homebase on a Raspberry Pi. I think it had something to do with a crazy amount of memory usage? Not 100% sure, I think we may cover this in a future workshop.
These are very basic examples of some useful commands. Have a search online for more powerful examples.
To change directory:
cd preferred/directoryTo list the files in a directory (omit directoryname if you want to list the files in the current directory):
ls directorynameTo display the contents of a file:
cat filenameTo edit a file using nano (the file will be created in the current directory if it doesn’t exist):
nano filenameTo reboot a Raspberry Pi, be sure you are connected via SSH as the pi root user and then run:
sudo rebootTo disconnect from an SSH session, type ctrl + d
It isn’t a great idea to just pull the plug on a Raspberry Pi to turn it off since it can cause problems with your SD card or the file system. To shut down a Raspberry Pi:
sudo shutdown -h nowIt can be useful to view all devices connected to a network if you want to check your Raspberry Pi’s WiFi connection or need to identify its IP address.
You can use your router’s admin interface, the mobile app Fing, or the network scanning tool nmap to view a list of the devices connected to your network.
If you are trying to find a Raspberry Pi’s IP address and there are a lot of devices connected, you may need to use the list of devices and the process of elimination (i.e. turn devices on and off and see what disappears).
If you plug in an SD card and it will not mount, try to use your system tools such as Disk Utility to check for the drive. If that doesn’t work, try restarting your computer. If that doesn’t work, try different hardware such as a friend’s computer or an external card reader. I know at least four people with Macbook Pros that have dealt with defective card reader ports.
If you added your SSH key using Agorama’s Ansible Raspberry playbook and then move your Pi on to a new network, you will probably receive an error relating to the ECDSA host key changing. The base of the warning message should indicate that you can fix this by adding the correct host key in ~/.ssh/known_hosts.
One way to resolve this is to re-add your SSH credentials to the Ansible playbook and then run the playbook so that your SSH keys are added again.
If you did not add your new network to your wpa_supplicant.config file when you first set up WiFi on your Pi, you will need to add your new network to this file.
If your Raspberry Pi does not have an ethernet port, it may be easiest to start from scratch (flash Raspbian on to the SD card and configure the wpa_supplicant.conf file).
If your Raspberry Pi has an ethernet port, connect it to the network via ethernet. Open the command line and connect via SSH, then run:
sudo nano /etc/wpa_supplicant/wpa_supplicant.confThis will open up the wpa_supplicant.conf with nano. Scroll down the file and edit the network details as per the WiFi connection instructions above.
When you are done editing, save and close the file then disconnect your Raspberry Pi from the ethernet. To test the connection, check for the Raspberry Pi by viewing all of the devices connected to the network. If the Pi is not connected after a couple minutes, try rebooting the Raspberry Pi.
pm2 to “Daemonize homebase with systemd” tutorialNext steps include configuring HTTPS support, DNS support, and getting more familiar with the maintenance involved in this setup. I think there is also some complication involving DMZ and routers, but I’m very unfamiliar with those implications at this point. I have a feeling we’ll dig in to a lot of this during the upcoming Agorama Server Co-op evenings and workshops. See the Agorama site and their Twitter account for dates.
Thanks to the Agorama folks – organisers and fellow attendees – for a very fun workshop.
Published
Richard Hollis’s Henry van de Velde: The Artist as Designer is out at long last. A lot of love, sweat, and tears has gone in to that book. It is absolutely jam packed, covering pretty much all of HvdV’s life with over 400 images. As part of Occasional Papers, I worked on the permissions, a bit of editing, and compiled the index.
Published
Last night was my third Agorama Server Co-op meet up in Rebecca’s Flat, a delightfully dilapidated space at Raven Row. I think it was actually the fifth though, I missed the last two due to illness which was a real bummer. The weekend jam sounded particularly great.
This particular meetup was more informal and a little smaller than usual. It ended up being a really nice, wandering conversation on the multifaceted possibilities of the distributed web, what it could look like.
The notes below are a sort of a prompt dump, snippets I wrote down at the time because I didn’t want to forget it or wanted to look in to it more. See all Server Co-op write-ups here.
Dark Crystal is now up and running on Patchbay (ssb client). Got Samsung funding, woohoo! Possible to create bot that receives shard? Think they’re trying to avoid that, the human element is kind of critical.
What about physical crypto? Microdots are worth checking out. Microdot tattoos?
Asked what ppl think about potential threat of quantum computing to modern cryptography methods, response was a little not as I expected (this is why I come to these things!). Personally I’ve been feeling a little tin-foil-hat-y, but general consensus from the other voices in the room seemed to be pretty ambivalent since the theory far outstrips the practicalities currently. Which is true, but it also just feels kind of like an arms race (particularly since it involves hardware / infrastructure). Whoever cracks it first wins the golden goose unless we can come up with cryptography that works against it. GP then mentioned the post-quantum crypto contest with NIST due to end pretty soon, looks pretty promising. I didn’t realise there was that much going on with quantum resistant algorithm research, so that makes me feel a bit better. I guess my concern is still there though, to a big degree. Banks, for example, are on notoriously crappy tech that is rarely overhauled. What of them, and the other institutions we rely on? Oh lord, and voting tech…
Got talking about what I’d been up to (not much, see first para…) and mentioned that I ultimately decided not to move my site on to Dat, partly due to scale issues w/ static site generators (read more on this) but more to do with the fact that I think I’d rather use Dat for something new and neato, rather than just repurpose something that already exists and is doing ok in it’s current form. Then we started talking about static site generators more generally and someone mentioned Pelican, which I hadn’t come across before. It’s written in Python and originally released in 2010 (!), so up there with Jekyll as one of the earlier static site generators.
HL demoed his mother-of-all-apps for us, it looks *so great*! Absolutely something I would use. Really excited to see where he takes it. I need to look in to Hypercore and Expo a bit more. The first I’d heard of, the second not so much. Apparently Expo is a cross platform app framework built around React Native. Ppl could not say enough good things about it and honestly, it does look fantastic. Particularly as a tool to dip your toe in to app waters, so to speak.
Towards the end of the demo, the conversation wound through lots of different topics. Blockchain, platforms vs aggregators, a bunch of CS history (need to read more about that…), the sustainability of open source, etc. The rest of this note details snippets from this part of the conversation that I need to look in to more.
Services / apps / platforms I’d like to look in to a bit:
TMYK
A reading list. (Some of these links are painful to open, some orgs really need to cool their jets on the pop-ups and trackers):
Some soundbites. These are paraphrased points made by others that I found super-relevant. Bits in square brackets are added by me for clarity:
So many distributed / decentralised web conversations get quasi-evangelical about how this or that tech will save the world. Why does it have to be winner takes it all? Different needs require different technologies.
We recognise biodiversity as a fundamental requirement of a healthy, thriving biosphere. Why don’t we champion technodiversity in the same way? Embrace the chaos.
Published
I rely heavily on messaging services since many of my friends and family (probably the majority) live outside of the UK, as do some critical professional contacts. I mainly use WhatsApp for encrypted messaging but have wanted to move away from it for some time due to concerns about Facebook. The recent news regarding the integration of WhatsApp, Instagram messages, and Facebook Messenger has been the catalyst for actual change within my group of peers.
The Q&A below is an amalgamation of many different conversations I am having at the moment about moving to a more privacy-first messaging app. I have focused on Signal and Telegram for the time being since they seem to be the most likely candidates.
I’ve done my best to pull together this information in a fairly short time, and some of it is new to me. If any of it seems incorrect, let me know.
There are many ideological arguments against the “I have nothing to hide” viewpoint, most of which I agree with. That said, it can be near-impossible to agree 100% on ideology, so perhaps it is better to consider the practical.
When your messages are not encrypted, their contents are visible to anyone that has access to them. In an ideal world that would only be you, the recipient, and whatever app you use to manage your messages. Unfortunately, the reality is more complicated and there are many weak points that can be exploited. For example, if the WiFi network you’re on is insecure, your messages will be exposed to unintended prying eyes. Think of the last time you connected to WiFi in an airport, hotel, or cafe. Was it always password protected? Was it clear who supplied the network?
You may not be worried even if your messages were compromised, surely there is nothing in your messages that could be of consequence. But what about the photos of your adorable 4 year old niece from your sister? The online banking details you sent to your partner since the rent payment failed and they needed to sort it out? The message to your worried mother about your blood test results? The company Twitter password you sent to a co-worker that urgently needed access?
There are some things that are best kept private, and encryption lets you do just that.
It is certainly a great step in the right direction, but whether it’s enough depends upon how much you trust Facebook and how you feel about Facebook’s role in the spread of misinformation.
As things currently stand, WhatsApp’s privacy policy allows limited data sharing with Facebook even though messages are encrypted end-to-end. Since the integration between WhatsApp and Facebook is only being strengthened, I feel it is reasonable to think that the data sharing will continue or possibly grow.
I don’t personally have much confidence in Facebook regarding their use of my data, no matter how minimal, so WhatsApp is not my first choice for encrypted messaging.
I’m with you! It’s frustrating. I don’t have a good answer for this, except that personally I’m going to try to cultivate a little more patience for multiple apps. The WhatsApp / Facebook “monopoly” is kind of what led us here in the first place.
Besides that, the best advice I can give is to frequently Kondo apps and micromanage your notifications. Smartphones give you great, granular control over notifications nowadays, so take full advantage. Turn off the chimes, turn off the lock screen notifications, turn off the message previews. It makes managing multiple messaging apps (and your sanity) a lot easier.
And finally, if you feel like one particular app is a really great fit, then advocate for it! If you’re enthusiastic about it and get your friends / family on board, you may find you have fewer apps to juggle.
It depends upon the limitations of your specific device.
Signal currently supports Android and iOS. You can find more information about Signal’s operating system requirements in their documentation. Telegram currently supports Android, iOS, and Windows Phone. You can find more information about Telegram’s operating system requirements in their FAQs.
I am not sure about the memory or disk space usage for the different apps though, this is something I would have to look in to further.
This is a very understandable and tricky concern. How best to approach this depends completely on your specific circumstances and relationships. It is impossible to give general advice, but I’ll give it a go.
You could delay the conversation, however I would say that even if you do not have the “should we make the switch” conversation with your contacts now, it will likely come up at some point due to the current trajectory of WhatsApp. When you do broach the subject, perhaps consider focusing on the practical upsides of switching to an encrypted messaging app (see answer to first question above for more on this).
If you feel you simply can’t bring this up, then of course you could always continue to use WhatsApp for certain conversations and use a different app for others. Though every app provider would probably prefer you believe otherwise, there is no rule against using multiple apps!
On a more general note, the mis-use of personal data has led to previously unimaginable consequences and turbulence in recent years. As such, every decision related to the transmission of personal data, even something as mundane as choosing a messaging app, is unavoidably political. So though we cannot avoid the political nature of the choice, we can control how we treat that choice. We can be passive, or deliberate.
If the messaging service is already controlled by private investors, perhaps not much. Here is a very brief summary of how Telegram and Signal are structured as organisations. Note that much of the information that follows has been gleaned via Signal article and Telegram article on Wikipedia.
Telegram is owned by Telegram Messenger LLP and has been funded by Digital Fortress LLC. They have stated that they are not for profit but are not structured as a nonprofit, possibly due to the overhead involved in setting up an official nonprofit. The sustainability of their business model is unclear, however they did put together an Initial Coin Offering (ICO) to fund a new blockchain platform and cryptocurrency. Activity around this seems to have halted in early 2018.
Signal is owned by Signal Messenger LLC which is funded by the Signal Foundation, a 501(c) nonprofit organisation whose mission is to make “private communication accessible and ubiquitous”. Much of the funding ($50 million) used to create this nonprofit came from Brian Acton, a WhatsApp co-founder. Acton left Facebook in late 2017 and is now the foundation’s Executive Chairman. Signal’s open source Signal Protocol is said to be used by a number of large entities (including WhatsApp) for encryption. Part of Signal’s ongoing business model may be to offer services in relation to their protocol, though that is just speculation.
Because of Signal’s nonprofit status, I feel more confident in Signal’s longevity as an independent entity.
Regardless, there will always be churn in this sector, so I would expect to switch again some day. I look at switching messaging apps in a similar way to how I look at switching banks. It is a big hassle to switch, but eventually the arguments for leaving outweigh the reasons to stay. So I switch, and then I keep tabs on it to ensure it remains the best of the options that are open to me.
Perhaps! The best place to find out is the app’s own website, they’re jumping to tell you all of the great things their app can do. Another place that might be worth checking is Slant.
Personally, I am most concerned about conversation backups and mute / unmute capabilities.
I want to have some way of backing up my conversations in case I ever lose my phone. But with convenience comes a cost. Backups are notoriously tricky with encrypted messaging since they introduce another potential weak point, the server that stores the backup. With Signal, you can back up on Android but not iOS (though iOS backups do seem to be on their roadmap). Telegram seems to allow backups of some sort, but it is unclear what this means for encryption. The only easily-available information I could find currently was their related FAQ “Why not just make all chats ‘secret’?” and their founder’s blog post “Why Isn’t Telegram End-to-End Encrypted by Default?”
Both Telegram and Signal seem to support conversation muting according to various documentation and articles I found online. The muting duration and other functionality offered by each service will likely be slightly different from WhatsApp.
The three biggest factors in choosing a messaging app are probably the user base, features, and data privacy.
From a data privacy perspective, Signal is likely the best choice. Signal is fully open source, meaning that the security in every aspect of the service can be reviewed and is publicly-verifiable. Though Telegram has an open API and protocol, the backend software is not open source so the security cannot be fully evaluated by a third party.
From a features perspective, it is probably safe to say that WhatsApp is the most fully-featured encrypted messaging app out there currently. It is hard to tell how those features might change over time in light of Facebook’s plan to integrate it with Facebook Messenger and Instagram. Telegram used to be more fully featured than Signal, but at the moment it seems about neck-and-neck.
In terms of user base, it seems impossible to get very accurate numbers. The better thing to do, perhaps, is to just ask around. See what your friends and family are already using. There is a very good chance that certain circles will prefer one to the other. Personally I have more friends on Signal than Telegram, but that may relate to the sector that I work in.
But as a final point, maybe just don’t choose. There is nothing wrong with using multiple messaging apps. I use FaceTime and iMessage with my family because they all happen to have iPhones (though Apple’s not perfect!). I use Signal with lots of friends. I’ll probably hang on to WhatsApp ultimately as well, for a little while at least, since certain contacts are going to struggle to switch to a different app for one reason or another.
A closing thought. Though I’ve focused on Telegram and Signal here, there are a lot of other encrypted messaging apps out there to explore.
For mobile, take a look at Viber, Line, Threema. For business-y stuff, maybe take a look at Wire or Keybase. If you’re just talking desktop and are interested in getting a little techy, check out Freenode and Scuttlebutt.
This is a conversation worth continuing.
Published
This was originally posted on sb-ph.com. I’ve moved it to my blog since we’ve decided to remove the blog from that site.
Heads up: this post is kind of old! I’ve got mixed feelings about this approach now for a few different reasons, in no small part due to Uploadcare’s new pricing. No dig at them, they gotta do what they gotta do, but it puts this out of most of my clients’ budgets. If you’re interested in additional thoughts on JAMstack CMSs, you might want to take a look at this post.
We’ve recently been exploring a lightweight CMS setup for the Host site. This post summarises the thought process behind our decision to work with Netlify CMS and GitHub Pages.
TL;DR
Though it’s an unusual setup for a client site, I like the stack and would consider using it again for a similar project.
There are two potential downsides that would rule out Netlify CMS for most of our client projects. One is that user account setup isn’t super straightforward, the authentication method makes this a little more complicated than normal. The other is that the hosting “ownership” is tied to a GitHub / GitLab / Bitbucket repository. All-in-all, this approach demands a slightly higher level of technical know-how from the client than most other CMSs we regularly use (Craft, Kirby, WordPress, etc.).
The upside is the relatively low cost to the client, both in the short and long term. Netlify CMS is free, as are a few selected static hosting providers (Netlify and GitHub Pages spring immediately to mind). The login authentication is the only step that requires a server, since the keys have to be kept secret. Previously, the server would be the big ongoing time and money sink. Certain platforms however, such as Netlify, offer selected webtasks / microservices / cloud functions for free.
When evaluating these pros and cons against the Host website requirements, it became apparent that it would be a pretty good fit. The original Host static site was built with Jekyll and jekyll-seo-tag, so we knew it would work nicely with GitHub Pages and Netlify CMS. GitHub recently introduced free private repositories for up to 3 users, so we felt less concerned about the site hosting being tied to a repository that we own since we could transfer it to Host at some point without feeling pressure to make the repository public. And the Host folks are a pretty tech savvy bunch, so I wasn’t worried about them being daunted by things like repositories or GitHub-linked authentication.
So I got started with Netlify CMS. The first thing I dove in to was the widget (field) configuration, and I was impressed. The widget configuration options are more fully-featured than I would have expected for a ~1.5 year-old CMS. While configuring the widgets I also gave the custom editor Preview components a try, however ultimately I abandoned that experiment and disabled the editor Preview. It’s out of the scope of this project, and the maintenance of these React components alongside a non-React site seems a little dicey. Something to explore separately at a later date perhaps.
Media management is a concern on static sites, and this one is no exception. We could have gotten away with hosting the images in a directory in the GitHub repo, but we wouldn’t have any nice image transforms for faster page speed and would have had to ask the client to do all of the heavy lifting with image resizing and optimisation. I would have also worried about the repository size spiraling out of control with overly-large image files. Netlify CMS v2.1.0 offers the Uploadcare media widget by default though. Uploadcare’s free tier seemed to be a very good fit for the Host website, so we got that set up as well. The implementation was pleasingly straightforward. As someone who has spent a lot of time debugging image transformations in more traditional CMSs, Uploadcare’s URL-based system is refreshing.
The final critical step was the authentication configuration. Netlify CMS offers a number of different methods. We knew we wanted to use GitHub Pages for hosting, so the two most likely options were Git Gateway with Netlify Identity or GitHub with Netlify. We went for the latter. It does require that all users have a GitHub account (unlike the former), however this ultimately feels like the right approach since much of the site documentation lives in the repo’s Readme file and we feel it gives the client a bit more ownership over and awareness of the inner workings of their site.
The authentication was a little more complicated than the rest of the Netlify CMS setup. I followed the GitHub Backend instructions, which are relatively minimal and more geared towards a site hosted on Netlify. I found this article more helpful since it addressed what we were after, a Netlify CMS-powered site hosted on GitHub Pages. One potential “gotcha” in these steps is that the OAuth application should be registered on whichever GitHub account owns the repo. I added it to my user account initially which was incorrect, since our organisation account owns the repo.
After following the GitHub backend instructions, I only ran in to two hiccups. I’m documenting them below since I didn’t find much related information elsewhere.
One problem was a post-login “dead end”. After clicking “Login with GitHub” and signing in successfully in the pop-up window, the user should be redirected to the Netlify CMS dashboard automatically. Instead, it just said “Authorized” and did nothing. This is because I hadn’t added the website URL to the Netlify project. I had assumed I didn’t have to add the URL since Netlify is not hosting the site, however the Netlify authorisation callback script checks the host URL against the custom domains. Once I added the URL to the project in Netlify, the issue resolved itself. Note that I did not repoint the DNS to Netlify since we still want to host the site on GitHub Pages, so it shows a little error / warning regarding the URL’s DNS records. This is not a problem.
So I was now being redirected successfully to the dashboard, but the dashboard was just a white screen. The console indicated an error with loading netlify-cms.js from Unpkg, specifically:
Refused to execute as script because "X-Content-Type: nosniff" was given and its Content-Type is not a script MIME type
This seemed possibly related to some security-related GitHub Pages headers, so I decided to grab the JS from the Unpkg URL and commit it to the repo and no longer use a CDN for the script. This immediately fixed the problem.
I’d like to do a bit more exploration of Netlify CMS moving forward since it could be appropriate for more use cases depending upon the developers’ roadmap. I will probably look at the Git Gateway with Netlify Identity route for authorisation as well. Besides Netlify CMS though, we’re really interested in exploring Kirby 3. Kirby 2 has been excellent for a number of small-ish websites (<5 stakeholders, not a ton of relational data), so we’re excited to see where they’ve taken the newest version and if it could work with projects of a slightly larger scale.
Published
SB and I went to Mozfest for the first time last Saturday. What a lovely day! Took some haphazard notes throughout, see below for a dump of notes/links related to the sessions I attended. The bits in brackets are mostly thoughts that bounced around my head while taking notes during talks. All quotes are paraphrased.
Published
I finally got round to exploring Homebase yesterday (jump straight to setup steps). My original intention was to get the SB-PH site on Dat + HTTPS à la this blog post by Tara Vancil. As far as I can tell though, without multi-writer support in Dat this setup would effectively lock Sam out of being able to quickly deploy changes. We’re interested in making that site a little bit more of a collaborative sandbox, so making deployment harder than it is currently is not the right step to take there.
So though I definitely want to get the SB-PH site on Dat eventually, we’re putting that on hold for now and I’m pivoting towards my site. In this blog’s earliest incarnation it was on Tumblr, and for a long while now has been a pretty standard WordPress site. The big task in moving to Dat, besides figuring out Homebase, is converting my site from WordPress to a static site via Jekyll/Hugo/Eleventy/GatsbyJS or something similar. It’s taking a while, I didn’t realise quite how much content has accumulated (1000+ tags?!) and there are a few WordPress-y features that I definitely want to build in (“more” tags, descriptions for tags+categories, proper pagination, etc.). More on that in a separate note.
So yesterday I put that aside and focused on getting Homebase up and running on a DigitalOcean droplet. Overall, setting up Homebase wasn’t too bad. The most involved part of the process was setting up the server. I kind of like tinkering with server stuff, so that’s cool. I 100% agree with the caveat at the top of the Homebase README, you should consider Homebase only if you’re comfortable with and interested in server administration. I would add that your interest should be *ongoing*. Servers take maintenance (related, see note on serverless setups). It’s your responsibility if a process stops running, or the software is out of date, or the Let’s Encrypt certificate doesn’t renew, etc. Hashbase looks like a great alternative for those that want the final result but don’t want to deal with the server configuration/maintenance.
The rest of this note is an outline of the steps I took to get Homebase working. Where good documentation exists elsewhere, I have linked to that instead of elaborating.
Published
This past Thursday 18 October was the second Server Co-op meetup in Rebecca’s Flat at Raven Row. See all Server Co-op notes.
I didn’t take as many notes this time, wasn’t feeling fantastic. Very sketchy notes below.
click public button twice if the Patchwork feed seems stuck after first install
how to have Scuttlebutt on multiple devices?
eh, maybe not worth the hassle, just use one device
“sameAs” is currently being worked on by devs in Scuttlebutt community
identity = private + public + network key combo
lib sodium
back up private key and gossip.json
dark crystal for backing up private key using social network
“shamir’s secrets” algorithm
kind of like horcruxes!
with Scuttlebutt, your friends are your cloud/datacentre
nothing is ever deleted (same as Dat)
could technically have multiple identities, but functionality isn’t implemented currently. Would have to swap .ssb directories
Published
Last night I went to the first Server Co-op meetup hosted by Agorama in Rebecca’s Flat. It’s a more-is-more space, and then some. It was a lovely evening. Notes:
Check out infocivics.com by Paul Frazee. “Computing networks are social and political systems. We should attempt to answer how the technical design of a network will influence the internal politics.”
There *is* a mobile Dat browser, but apparently it’s a bit… buggy. See Bunsen for Android (nada for iOS). Still, kudos to them for taking a stab at it. Apparently the project of making a Dat browser sort of hits a brick wall due to node.js, but a bunch of devs have taken it upon themselves to make a Rust implementation of Dat. TBH I don’t understand the ins-and-outs well enough to be able to describe how that lowers the barrier, but it sounds like the future of mobile Dat might be brighter for it.
I haven’t dug in to Scuttlebutt yet, and it sounds like it’s about time. An offline-first protocol, described by KG as a database/social network/community. See also Patchwork. Feel like I heard HL say that it came about after 2011 Christchurch earthquake due to the difficulties at the time with having any sort of connectivity, but that might be wrong?
And crucially, are there ethical conversations around P2P tech that we’re failing to have, or happily skating past? I’m thinking about when Facebook and similar now-giants were in their nascent stages, surely some of the current nastiness could have been avoided if the making was accompanied by a little more thinking, more extrospection? How do you wrap your head around the potential ethical implications of something that doesn’t yet exist? I found KB’s anecdote interesting, when a few fascistic idiots attempted to hijack Scuttlebutt but were almost immediately, organically, blocked from having any meaningful impact. It feels great, but who’s to say they’re not off in their own node somewhere trolling away? Feels awful to think that Scuttlebutt might be harbouring some sort of extreme-right cell, and yet maybe so be it, should it be a decentralised network’s responsibility to police that? How on earth would that work anyway?
Separate: I got my hair cut by Dean last week and am very pleased. When it’s styled it’s a bit Josie Packard (fabulous) and when not styled, it’s very Shawn Hunter (not totally a bad thing).