1. 8

    I was hoping to read a security review of Bitwarden. Does that exists?

    1. 9

      Here’s an audit from 2020, and in that post is a link to one from 2018 [PDF].

      1. 4

        I do not have the knowledge to write one. But I know someone who does. I will contact him and see if he is interested in writing a review.

        1. 2

          That would be very interesting. Are my passwords safe on my own hosted Bitwarden server?

          1. 3

            My current approach is to run bitwarden on my local network and setup the docker networking so that the bitwarden container doesn’t have access to the internet. If I wanted to expose it to the public internet, I’d connect the container to a VPN, not rely on the authentication (since I’m running the bitwarden_rs fork).

      1. 1

        What can we do and who is doing it?

        1. 2

          There’s obviously Tor, I2P, and FreeNet. They’re about as anonymous as you can get.

          The problem is that, while they can hide what you’re after, it’s harder to hide that you’re using an overly network at all. The best you can do is keep the relay that you use to join the network secret. In the limit, this means building a pure F2F network, which is kind of insular.

        1. 9

          This has been discussed before, but I was wondering if anything has changed.

          Several difficulties and problems were raised … have they been addressed?

          Does anyone use it?

          1. 10

            I’ve been there for close to 2 years, and have tried to build my own SSB server from scratch (in a non-JS language). Feel free to ask any questions. For starters:

            • The low level protocol (transport encryption, RPC and discovery) is very well documented.

            • The application level protocol has almost no documentation, and what’s there is outdated. You really have to resort to reverse engineer behaviour from existing applications, or reading other’s code.

            • Replication/gossip mechanism is very inefficient, which leads to clients (especially mobile ones) spending a lot of time during the initial sync. There’s a newer gossip protocol which fixes some of these problems, but has zero documentation, and there’s only one implementation (in JS). There are no plans to port it to other languages since there’s a lot of tricky edge cases in there.

            • Yes, the JSON encoding was a mistake. There’s a new format using CBOR, but it’s still a few ways off in terms of mainstream usage in the network.

            • There are questionable decisions at the application level. For example, anyone can assign you new profile pictures or visible names, which can–and has–lead to bullying/name-calling.

            In terms of community, it’s mostly tech-centric, most discussions are either about SSB itself, or related protocols. The overall spirit is positive, focusing on sustainable living, gardening, off-grid, etc.

            However, the community is very small. This can get tiring, considering that most clients will show any replies to threads you follow at the top of your timeline (you will see the same 3 to 5 people all the time).

            1. 4

              I’ve also built a partial SSB implementation, in C++. I found a C port of the CLI tool (in an obscure Git repo hosted in SSB), which helped immeasurably with the secure handshake and packet codec. I used Couchbase Lite [of which I’m the architect] as the database. This proved a lot faster than the JS data store, but I still found that pulling all the subscribed content from one pub (on which I’m following a handful of accounts) resulted in a 600MB database. It would have helped if the protocol had an option to pull only messages back to a certain date.

              I’d love to know more about the new protocol, but not if the only way is to decipher a JS codebase.

              It’s a shame they’re so JS-centric. That’s a serious problem for iOS, which has security restrictions that disallow JITs outside of a web browser. Not to mention embedded systems. (And on a personal level I dislike doing serious programming in JS; it feels like sculpting in Jell-O.)

              1. 3

                There are two C implementations of the low level protocol: one for the secret handshake and one for the boxstream (transport encryption). There’s also some integration tests that you can run against your implementation to validate that everything works.

                As for the new replication protocol: the new CBOR format includes “off-chain” contents, which means that the actual log only contains a hash of the post content. This should make initial sync much faster, since clients only fetch the chain of hashes, without downloading anything else.

                Messages can also be downloaded out of order, so you only download what you want, if you have the hash for it. As most things, though, the only implementation is in JS.

                As for the database, I planned to use SQLite, but never got far enough to test that. I’m unconvinced that the log is a good abstraction for the kind of apps that SSB is used right now (social media). There are future plans to plug more applications on top of the log replication, but that’s in the long term, while the current use-cases are suffering from it.

                Edit: wanted to say, though, that for me the biggest block when developing an SSB implementation is the lack of documentation w.r.t. the application-level protocol, and forcing you to develop everything on top of the log abstraction. The JSON formatting can be painful, but solved via forking some json library and doing some changes (hacky, but it works).

              2. 1

                Yes, the JSON encoding was a mistake.

                Was JSON not fast enough?

                1. 3

                  It’s not about JSON per-se, but more about how message signing works. In SSB, every post is represented as a JSON blob signed with your publick key, and it expects other clients to validate this, as well as produce valid JSON messages.

                  The spec goes over the requirements of a valid message, as well as the steps to compute a valid signature. Unfortunately, it assumes things like key order (which the official JSON spec doesn’t say anything about), indentiation, spacing, etc. (This all goes back to how the V8 engine implements JSON.stringify()). This adds a lot of complexity when implementing SSB in another language, as most JSON libraries won’t care about specific formatting when printing, and specifically the key order requirement makes it quite complicated.

                  All in all, it’s not the end of the world, but it adds enough friction to make SSB pretty dependend on the “blessed” javascript implementation.

              3. 5

                I use it regularly. Why..? After being a heavy social media user on the usual platforms, I’ve pretty much removed myself and don’t participate, but Scuttlebutt is the exception because it’s a fun place to be. Nothing more, nothing less.

                1. 2

                  I’m one of the core developers. Happy to answer any questions.

                  1. 2

                    What difficulties and problems were raised?

                    1. 11

                      There’s two big obstacles I’ve seen that seem specific to Scuttlebutt:

                      • There’s no easy way to share identities across devices. If you want to use Scuttlebutt on your computer and your phone, they’ll be separate accounts.

                      • The protocol is built around an append-only log, which I’m not convinced is a good principle for any social network. Inadvertent mistakes are forever (eg. I post an unboxing photo that has my unredacted invoice visible; I paste an embarrassing link by accident).

                        It also seems like you could grief pub servers (the Scuttlebutt “hub nodes” that federate content more widely). What happens if someone posts a bunch of illegal content to the pub? As I understand it, all the pub users will pull that content down. You might be able to blacklist certain posts in your client, and you can block users, but their content is still on your device. (Bitcoin has faced similar problems.)

                      1. 2

                        Your objection to log storage is valid, but there are ways around it. The data format could have ways to redact posts out of the log while leaving the overall integrity intact; in fact all revisions of a post other than the latest one could be redacted.

                        Of course the redactions need to be propagated, and there’s no guarantee every copy will be redacted, but that’s an intrinsic problem with most P2P protocols, since distributed caching/replication is so important for availability.

                        1. 1

                          Good points.

                          Also ironically where Facebook could have a chance to differentiate themselves, but chose to go in almost the exact different direction:

                          • “with federated networking you are trusting each and every host that your host ever federated with to delete a post, with us, once you click delete it is gone. Worldwide. Same with sharing: if you share something with your close friends it stays there. With a federated network it depends on every host around the globe sticking implementing the rules correctly and sticking to the rules.”

                          • fortunately IMO Facebook messed up massively early on and now everyone in tech now they are fundamentally untrustworthy.

                        2. 8

                          The main problem I saw when I looked into it was that it was a single program rather than a well-defined protocol that anyone in the ecosystem could implement.

                          This might have changed by now, but (for instance) there were aspects baked into the protocol that fundamentally prevented you from building a compatible client unless you used a JSON serializer with the exact same behavior as node.js, because the cryptographic identity of a post was based on a checksum of the output of that particular serializer rather than some inherent property of the post. An easy mistake to make, but one with far-reaching consequences.

                          1. 6

                            That’s my issue as well. It relies heavily on the interaction of a few dozen NodeJS repos. Different frontends all rely on the same backend code, making it not-that-diverse.

                            Also, while the protocol itself is well documented and designed, there are some obvious shortcomings. The protocol relies on hashes of pretty-printed JSON. The last time I checked for documentation on HOW to pretty-print that json, it was documented as “like v8 does it”. Tell you - it’s REALLY hard to format JSON like V8 JSON.format(x, true) does. Especially floating point numbers.

                            Now this could easily be fixed by changing the protocol from hash-of-pretty-printed-json-subobject to hash-of-blob. ({"data": "{\"foo\" 42}", "hash": ...} vs. {"data": {"foo": 42}, hash: ...} But you can’t do that without breaking compatibility. Worse, relying on hash-chains, you need to implement the old behaviour to be able to verify old hash chains.

                            1. 4

                              That’s my top issue too. Which is sad, because there’s so much prior art on canonicalizing JSON, going back to 2010 or so.

                              The spec is fine, but limited. It doesn’t cover all of the interactions between peers; there are plenty of messages, and properties in the schema, that aren’t documented.

                              A lot of the discussion and information about the protocol takes place on Scuttlebutt itself, meaning it’s (AFAICT) invisible to search engines, and accessible over HTTP only through some flaky gateways that often time out.

                              The main client is (like everything else) written in JS, so it’s a big Electron app, and in my experience very slow and resource hungry. I only joined two pubs and followed a handful of people and topics, but every time I fire up the app, it starts a frenzy of downloading and database indexing that lasts a long time. (They use a custom log-based DB engine written in JS.)

                              Part of the slowness must be because when you join a pub you’re implicitly following every user of that pub, and I believe all of the IDs they’re following. So there’s kind of an explosion of data that it pulls in indiscriminately to replicate the social graph and content.

                            2. 4

                              Reading the previous discussions shows a degree of frustration and scepticism. I’m sure it’s changed, and many of the questions will have been addressed, but the previous discussions are unconvincing.

                              Here are some links to some of them … it’s worth reading them in context:

                              https://lobste.rs/s/rgce6h/manyverse_mobile_scuttlebutt_client

                              https://lobste.rs/s/hncoad/secure_scuttlebutt

                              https://lobste.rs/s/l9vqm4/scuttlebutt_protocol_guide

                              https://lobste.rs/s/xe2z2r/scuttlebutt_off_grid_social_network

                            3. 1

                              Despite the fact it’s in a ‘junkyard’, I believe this issue remains unresolved, which I believe effectively means that:

                              1. scuttlebutt is not cross platform and only works on x86
                              2. It’s difficult to implement scuttlebutt libraries and clients in other languages

                              Limiting development to people who like nodejs, and limiting usage to x86 devices (when it seems like the sort of concept that should work well with mobile devices) massively reduces its appeal.

                              I would be happy to find that I’m wrong.

                              1. 3

                                You’re off on this one. I’m running SSB on ARM64 just fine, also many pubs are actually just raspberry pis on some closet.

                                I is still difficult to implement SSB in other languages mostly because of the amount of work than technical challenges. The mistakes of the past are well understood at this point even if not fixed. At the moment there are 2 Rust based implementations and one based in Go. IIRC there is also implementations in Elixir and Haskell but I am not sure how far they are. I’ve toyed with a client mixing C and Lua (just a toy prototype but it worked).

                                1. 2

                                  It definitely didn’t work on arm last time I tried, so it’s good to hear they’re making some progress. It was the prototype Haskell implementation which pointed to that issue as a blocker: it looks like it hasn’t been updated since, so probably doesn’t work.

                                  1. 2

                                    I know it is not what you’re looking for but the JS implementation works fine under Linux/ARM64, which is also how the mobile apps are running.

                                    My daily driver is a Surface Pro X with an ARM64 CPU. I’ve run go-ssb as native ARM32 binary and the Electron based client apps under win32 x86-32 bits emulation. The reason for it is just that for the love of all that is sacred I can’t find out how to build the native nodejs modules as ARM64 binaries.

                                  2. 1

                                    Could you link to the Haskell implementation? I’d be interested in working on that!

                              1. 1

                                Slightly off topic, but has anybody used tailscale? How is it better than setting up your own cjdns or Yggdrasil network if you’re a techy?

                                1. 3

                                  Yes, I’m running it alongside a wireguard VPN that I hand-configure for devices to talk in a LAN-over-WANs setup. (Spoke, with my home router being the hub.)

                                  Tailscale is much easier to deploy, as it takes care of everything beyond “talk to x securely” which is what wireguard brings. No managing “you have IP .5, router has .254, phone gets .6, etc). Haven’t really made any use of Tailscale beyond “put everything on the same LAN so I can ssh to things” yet.

                                  1. 1

                                    Thanks. I’ll try it

                                1. 1

                                  Why not run database as a service, like these big providers provide

                                  1. 2

                                    Seconded. The article mentions:

                                    Unfortunately, the interesting parts of software are all about state. You don’t casually kill and start containers for your database. Again, you need the configuration manager.

                                    So you’re going to run a configuration manager. The question, then, is whether you need Kubernetes as well?

                                    Just push states out of your services and use what cloud providers offer. Message queues, database, object storage… Then your application will happily work on Kubernetes. Although, I recognize that you can also run applications that are stateful (other than databases) and you need to handle those too.

                                    1. 2

                                      100% agree that until you reach scale (a large large scale) a database as a service is the best path forward. There’s so much that goes into running a production ready database that a service like RDS just takes off your plate.

                                      That said, I kow that some people have run into issues where RDS in particular just couldn’t handle the throughput (even working with AWS support). It was a few years ago, but I talked to someone who was running something like 500 TPS on Oracle and RDS just didn’t work out for them. But they tested and tried before moving to running their own database servers.

                                    1. 3

                                      Would turning off internet on your laptop for a specific time every day have the same effect?

                                      1. 7

                                        The hard part would be the self-control. I’m finding that improving my “study habits” without cutting off the internet altogether is more useful for me, since I almost always have an internet connection. The human tendency to want to constantly be searching and stashing away information is difficult to get over but it’s possible while still staying connected.

                                        1. 1

                                          Do you have some techniques/tricks you can share that seem to work for you for “improving your self-study habits”?

                                          1. 2

                                            I would suggest starting with the Pomodoro Technique (maybe do 15 min work/5 min break to start). I got a good book on it called Pomodoro Technique Illustrated that emphasizes the importance of consistency and all of the surrounding ideas (like making good to-do lists, what to do with interruptions, etc).

                                            You’ll automatically want to stay focused on the topic at hand during the first part of the time. Keeping up the enthusiasm for whatever you’re working on is much easier when you don’t feel like you are allowed to slack off and you know an exact time when you will be allowed to.

                                            I count “mindless internet browsing”, regardless of the topic, to be slacking off. When you’re in work mode, you can still be working on something fun.

                                      1. -1

                                        Thanks

                                        1. 4

                                          build discovery engines instead of search. Search minimizes diversity of result, discovery maximizes diversity under similarity constraints. This is a much more interesting problem, what similarity and diversity constraints are appropriate.

                                          as an example of the limitations of search, searching for a document by typing the whole thing will give you that same document. Discovery engines would likely not be short queries, but entire documents.

                                          1. 3

                                            Do you have an example of such an engine?

                                            1. 1

                                              e.g. pubmed recommends related articles.

                                              I haven’t seen anything net-wide, tho.

                                              1. 1

                                                I would say that, although problematic, the recomendation system for youtube is an example of a Discovery Engine.

                                            1. 8

                                              Decentralise it. I want a compeletely subjective web. I want to subscribe to people whose views and opinions I like and when I ‘search’ I want a breadth first search of all their content, spending increasingly more search resource on stuff that’s more semantically relevant.

                                              1. 2

                                                Huh, that’d be interesting. I’d imagine there’d be “major” nodes (Wikipedia could host their own, for example) or…actually, maybe not. Nodes would be as big as the owner’s time and server/database size.

                                                I like this idea.

                                                EDIT: Seems like you’ve described YaCy (I just learned of this too).

                                                1. 2

                                                  Now you have two problems!

                                                  1. 1

                                                    This sounds like a friend-to-friend version of yacy. I’d use it!

                                                  1. 1

                                                    If the two PCs are connected to separate APs, syncthing might route the traffic via a node on the internet

                                                    1. 24

                                                      Fantastic!! A personal website is a great way to own your identity online and take back your web experience from the big social media silos. So I’m really pleased when I see people making websites!

                                                      Mine’s pretty minimal, which is how I like it. :-)

                                                      https://dn.ht

                                                      It’s a bit of info about me and some of my projects/writing. One thing I’m really happy with is my photography journal: https://dn.ht/journal/

                                                      Hosted on S3 with cloudfront, so it only costs a few cents a month to host.

                                                      I keep the tooling really light so that it’s easy to maintain. Most pages are hand written HTML and CSS.

                                                      I’ve found that it’s really easy to procrastinate on tooling and tech stack. Starting with almost no tech helps me get-on-with-it. My advice is “just start”.

                                                      The photo journal is statically generated using an ERB template and a makefile. It generates html from a directory full of photos exported out of Adobe lightroom. It’s a tiny bit awkward sometimes, but it fits in really well with my personal photography workflow.

                                                      My design aesthetic is quite minimal. For example, my photo journal I was really annoyed with how images on instagram are small and heavily compressed—so I wanted to have something where people can see my photos in large size / high-res.

                                                      I’m using a monospace font called ISO, which was originally designed for the website exif.co so it’s got a vintage camera feel but fits in with my programming interests too.

                                                      1. 6

                                                        A lot of beautiful photos in that journal.

                                                        1. 2

                                                          That’s what I came to say too. The photos are amazing.

                                                          1. 1

                                                            Thank you very much! 😊

                                                          2. 2

                                                            I really like your photo journal idea!
                                                            It actually looks much better in practice than I’ve imagined as I’ve been struggling with photo journal in my own blog - the biggest challenge being how to structure everything so it would be accessible and beautiful. However it turns out that just dumping everything can be quite sexy!

                                                            If you’re interested in my approach I’ve decided to simply redirect to Pixelfed which has a great profile page design. The thumbnails are rather small compared to what you want but it doesn’t crop or compress anything!

                                                            1. 1

                                                              Oh yeah pixelfed looks like a great insta alternative. Something I’d be keen to work out is how to allow folks to subscribe to my journal. One of the downsides of being independent is it’s hard to fit in with the social media sites people use. Is rss still the way to do it? Or can I somehow integrate into the mastodon/pixelfed fediverse..?

                                                              1. 1

                                                                Pixelfed does support rss and federation. Probably some other sub methods too!

                                                            2. 2

                                                              Picklecat is great!

                                                              1. 2

                                                                Oh my gosh picklecat!

                                                            1. 2

                                                              Don’t forget about https://github.com/muesli/beehive An open source ifttt clone. I had it running on my raspberry for some time. 👍

                                                              1. 2

                                                                Oh wow, this is incredible! The UX is better than IFTTT in some ways too. Thanks for sharing!

                                                              1. 1

                                                                If you just want to block third party scripts, isn’t Privacy Badger enough?

                                                                1. 6

                                                                  Privacy badger only block trackers, not potentially malicious JS that you load from some random blog.

                                                                  1. 3

                                                                    works for me.

                                                                  1. 2

                                                                    I use “HTML” for writing the page, IPFS+Cloudflare for distribution. Pinning the website hash on a raspberry pi.

                                                                    Edit: Using gandi’s cli to update the dns record.

                                                                    1. 1

                                                                      Payment services will continue to grow and diversify for some time until we end up with a duopoly or similar there as well.

                                                                      1. 1

                                                                        I tried to budget using a variety of tools but then ended up asking myself why do it at all? I personally wanted to keep me spending under control and put money aside for emergencies and payments I make once a year. I can’t tell you how much I spent on groceries in December 2017 but I really don’t care ;-)

                                                                        I know this isn’t an answer to your question but in case it might work for you please let me know and I’ll share the details of my system.

                                                                        1. 1

                                                                          How do you control your spending?

                                                                          1. 1

                                                                            What do you mean? Specifically knowing how much more you can spend in a given week to have spent less than X? Or dedicating Y amount per month to Z? The latter is simple: transfer money to savings the day you get paid, or toward whatever thing you are budgeting for. If that’s not possible, you’ll need to start cutting costs before budgeting will do anything for you anyway.

                                                                            1. 1

                                                                              I withdraw money in cash and put them in envelopes. I have one envelope for each category of spending + a debit card for groceries (a sort of virtual envelope) + a separate account for paying rent, kindergarten, etc.

                                                                              If there’s $100 in an envelope than I obviously can’t spend more. I need to consciously take money from another envelope.

                                                                              1. 1

                                                                                That sounds like the system GoodBudget is trying to emulate. 👍

                                                                          1. 1

                                                                            Until recently I have used Goodbudget. It’s really good and a paid service. I don’t know about their privacy rules though.

                                                                            What i have started doing recently is connecting to my bank’s open PSD2 API and send myself messages every day containing info about my economy to nudge my spending in the right direction.

                                                                            1. 2

                                                                              The e2e encrypted chat has a subscription model. I wish this were the private communication platform it claims to be. The closest we have now is keybase, which is not optimal either

                                                                              1. 1

                                                                                A subscription model itself is not bad. But if they are selling themselves as a private communication network, it’s strange that the only privacy friendly piece is the one that costs extra.

                                                                                1. 1

                                                                                  I’m interested in your opinion on the deficiencies in keybase. What features would you change or add?

                                                                                  1. 2

                                                                                    If I were to introduce keybase as a communication platform for my less tech interested friends and family, it would have look more like what MeWe looks like. A chat/social network/shared photos.

                                                                                1. 13

                                                                                  Fully hipster compliant if you ask me :D

                                                                                  1. 4

                                                                                    C’s a little too mainstream.

                                                                                    So I’m porting my code to this obscure assembler. You’ve probably never heard of it.

                                                                                    1. 1

                                                                                      Were you doing a Leon3 port, too?

                                                                                      http://soc.microsemi.com/products/ip/search/detail.aspx?id=635

                                                                                      All these heavy-weight, closed, possibly-backdoored CPU’s people are using these days for BCHS stacks. I’d rather just macro-assembler it on a GPL’d CPU I can customize and understand. Open cores also let you do other neat things to improve security later on.

                                                                                      https://people.csail.mit.edu/nickolai/papers/zeldovich-loki.pdf