Own your own credentials!

Login with Google. Login with Facebook. It’s convenient. No need to invent and remember a new username, a new password. It’s almost a single-sign-on (SSO) to the entire internet.

The obvious downside, however, is that within a second you could find yourself locked out of many of your accounts. Just imagine that for some reason your identity provider (Google, Facebook, Apple, …) decides that you have violated their terms of service, locks you out of your account, and as a consequence also out of all the services you used that account for. Too few people consider this, in my opinion. It can happen quite fast (recent example involving AI).

Of course you can then try to fight this lock and argue your way back into the account. But you need to be very lucky to even get some human’s attention on the other side. Unless you somehow manage to make a huge buzz on it on (social) media, I bet your chances of getting the issue resolved are pretty thin. Google is even proud that you can’t call them in order to sort this thing out (see Google’s Account Recovery support page; yes, they are right that you should not use any external password recovery service).

Don’t get me wrong. I love SSO in a company context. But there is an admin that I can talk to in case something goes wrong, and if my account is terminated, it likely is because my employment is terminated. I just don’t like it for my personal data, where some (perceived) violation of some terms of service of one of the big companies might lock me out of all my other unrelated accounts as well.

I very strongly believe that anyone making themselves a gatekeeper for things outside their own business should be required by law not to terminate your account without any recourse. Yes, they can stop doing business with you. But they should not be allowed to stop authenticating you.

Passkeys as alternative?

For a while, it seemed that Passkeys would become a convenient and secure way of signing in to services. I, however, only started to consider them once KeepassXC 2.7.7 started offering support for managing them inside the password store, so that I could back them up and would not be depending on a hardware device that could break or that I could lose.

Unfortunately, it really seems that the big companies are using this technology yet again to lock you into their ecosystem, creating exactly the same problem for me as I have with the “Login with…” system. The following articles are a very good summary of what went wrong and also of why the current standard and the insistence on resident keys have made this system basically unusable with regard to the concerns I mentioned above.

Good support in password stores (like Bitwarden/Vaultwarden, KeepassXC, Keepass2Android) may still make this a viable alternative. The cryptographic advantages of passkeys over plain username/password are great, so I really think they can be an improvement in the future.

Staying with usernames and password manager (for now)

For now, I’ll still stay with my own setup using my self-managed password stores, with all the work and risks this incurs as well (backups, distribution, availability).

To quote from the article mentioned above, something that I can absolutely endorse:

And I’m starting to agree – a password manager gives a better experience than passkeys.

That’s right. I’m here saying passwords are a better experience than passkeys. Do you know how much it pains me to write this sentence? (and yes, that means MFA with TOTP is still important for passwords that require memorisation outside of a password manager).

So do yourself a favour. Get something like bitwarden or if you like self hosting get vaultwarden. Let it generate your passwords and manage them. If you really want passkeys, put them in a password manager you control. But don’t use a platform controlled passkey store, and be very careful with security keys.

All Bluesky content is public


Needing an invite to join, the apps, etc. all give a certain sense of privacy over on Bluesky. But that’s just show. The API that powers the app is publicly available, no authentication needed. Every post made on Bluesky can be queried publicly by everyone, even without having an invite.

Mario Zechner has demonstrated this well with his low-effort (but amazing!) tool Skyview (source code available on GitHub).

It’s a pure client-side web application that requires the link to a Bluesky posting as input and then renders the entire discussion thread around it. Pure client-side, no server, no authentication. Amazing!

Screenshot of Skyview with one of my own postings (in German), reminding about the lack of privacy of postings on Bluesky.

That’s not a problem in itself, but just keep it in mind.

Bluesky with own domain-handle and .well-known/atproto-did

TLDR: Beware that there must be no newline at the end of the .well-known/atproto-did file and that the content type needs to be text/plain. echo -n to the rescue instead of vim.

I recently received an invite to Bluesky and so far I’ve enjoyed the experience. Early-day Twitter feeling. I can recommend checking it out if you get an invite.

One very intriguing thing is that Bluesky allows for your own domain to be your handle. So I decided to go with @martin.dont-panic.cc.

The process is described in a blog post by Bluesky. There are two main options to verify your domain ownership: a DNS TXT record, or an HTTPS request to https://martin.dont-panic.cc/.well-known/atproto-did (in my case). Since everyone is doing DNS, I wanted to try out HTTPS/.well-known. (Of course, there needs to be a martin.dont-panic.cc DNS entry to get to the web server, but no special TXT record for the verification.)

I wanted to serve the file as a static file in the filesystem via nginx. So I set up the following static nginx configuration:

server {
        listen 443 ssl;
        server_name martin.dont-panic.cc;

        root /var/www/cc/dont-panic/martin/;
        index index.html;
        location / {
                # First attempt to serve request as file, then
                # as directory, then fall back to displaying a 404.
                try_files $uri $uri/ =404;
        }
        location = /.well-known/atproto-did {
                default_type text/plain;
        }
        # ... lots of SSL stuff omitted ...
}

So basically this tells nginx to try to serve any existing file, or fall back to a directory listing or a 404. It forces text/plain for the /.well-known/atproto-did file, since otherwise (a file without extension) it is served as application/octet-stream, which violates the requirements.

Then I used vim to simply create the file and validated that the content of the file was accessible correctly via curl.

Looked good, so I hit the verify button. And it failed. After a few retries, I decided that maybe it’s because of the final newline at the end of the file?

New approach (note the “-n“!):

echo -n "did:plc:njnt2ukwkoljfxnsqsbs5mdm" > /var/www/cc/dont-panic/martin/.well-known/atproto-did

One click on verify later, Bluesky accepted the handle as verified and I could switch over from my previous user name.
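To check the three requirements from this post (text/plain content type, no trailing newline, a did:plc value) before hitting the verify button, here is a small checker I added; it is not part of the original post or of Bluesky’s tooling. The check function works on a content type and body you pass in, and fetch_and_check (an assumed helper name) pulls them from https://<handle>/.well-known/atproto-did; the regex for the DID body is my assumption (lowercase base32 after did:plc:).

```python
import re
import sys
import urllib.request

# Assumed shape of the document: exactly "did:plc:<lowercase base32>", nothing else.
DID_RE = re.compile(r"^did:plc:[a-z2-7]+$")


def check_atproto_did(content_type, body, expected_did=None):
    """Return a list of problems; an empty list means the document should verify."""
    problems = []
    # The header may carry parameters (e.g. "; charset=utf-8"); only the media type matters.
    media_type = content_type.split(";", 1)[0].strip().lower()
    if media_type != "text/plain":
        problems.append(f"content type is {media_type!r}, expected 'text/plain'")
    # This is the trap from the post: editors like vim append a final newline.
    if body.endswith(("\n", "\r")):
        problems.append("body ends with a newline (write the file with echo -n or printf)")
    elif body != body.strip():
        problems.append("body has leading or trailing whitespace")
    did = body.strip()
    if not DID_RE.match(did):
        problems.append(f"body {did!r} is not a did:plc identifier")
    if expected_did is not None and did != expected_did:
        problems.append(f"body {did!r} does not match the expected DID {expected_did!r}")
    return problems


def fetch_and_check(handle, expected_did=None):
    """Fetch the well-known document for a handle over HTTPS and check it."""
    url = f"https://{handle}/.well-known/atproto-did"
    with urllib.request.urlopen(url, timeout=10) as resp:
        content_type = resp.headers.get("Content-Type", "")
        body = resp.read().decode("utf-8", errors="replace")
    return check_atproto_did(content_type, body, expected_did)


if __name__ == "__main__":
    # Usage: python check_atproto_did.py <handle> [expected did]
    handle = sys.argv[1]
    expected = sys.argv[2] if len(sys.argv) > 2 else None
    found = fetch_and_check(handle, expected)
    for problem in found:
        print("PROBLEM:", problem)
    print("OK" if not found else f"{len(found)} problem(s) found")
```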

So, looking forward to hearing from you either in the comments here or via Bluesky. Follow me! 😉

A geek’s unified instant messaging setup

Today I want to present to you my unified instant messaging setup, which enables me to communicate from any of my computers and also any of my mobile devices (Android, iPhone, iPad). My goal was a setup where I have a single client per platform with a centralized history I can search if I need to. I want one – and only one – client for my communication. I only care about text instant messages, actually; I hardly ever use voice or video services when communicating online. I really like the asynchronous nature of instant messages. At the moment, I have integrated IRC, ICQ, Google Talk/Jabber/XMPP (which could potentially also include Facebook), and Skype. The current setup also gives me push notifications to my iOS devices on messages directed at me. Today’s posting is only intended to give you a very high-level overview. I will add detailed descriptions of the setups of the individual components in later posts.

The Unified Instant Messaging Schema

Continue reading “A geek’s unified instant messaging setup”

tr.im to be shut down

To underline the reservations about URL shortening services that I have voiced before, here comes proof that my thesis is correct: the URL shortening service tr.im is going to be shut down by the end of this year. As Robert Scoble put it, this is a “shortcoming” of the Twitter platform, where the shutdown most likely will be felt most.

This is the first time I am aware of actual knowledge/data-loss which will occur due to the shutdown of such a service.

Update: tr.im announced that they will stay in business, due to an overwhelming response. But still, the final shutdown of such a service sooner or later can and will happen. And even worse would be the continuation of such a service where all the URLs would be redirected somewhere else…

http://blog.tr.im/post/160697842/tr-im-resurrected

URL shortening services soon to be under siege?

I have already written about my opinion on the problems of URL shortening back in 2005. Yesterday, Jeff Atwood pointed out other issues like commercialization. Today, another threat has come true: attackers have manipulated the URLs of the shortening service cli.gs.

Given the huge amount of information hidden behind such shortened URLs, and given the popularity and number of these links, especially nowadays on Twitter, these services could find themselves under permanent siege by attackers. Being able to redirect hundreds of thousands, if not more, of widely distributed and popular URLs to a site of one’s choosing could be used both for generating (lots of?) ad revenue and as a new form of DDoS attack.

At the moment there seems to be no way around using these services (especially with services like Twitter), but in the medium/long run a solution has to be found if we don’t want to lose lots of valuable information.

A first look at Google Chrome

Just played around with Google Chrome. First impression: Wow! This is definitely going to encourage development of other browsers as well!

It feels lightweight, fast for JavaScript applications, and offers some nice features (I especially like the possibility to open an “anonymous window” which will forget all cookies etc. when being closed, without being forced to delete all other cookies as well). Tabs can be dragged out of and dropped back into the browser, something I’d always wanted Firefox to be able to do as well.

Each tab runs within its own process and Chrome offers a “Task Manager” (Shift-Esc), which will display memory usage, CPU usage and bandwidth consumption for each tab, which I consider very handy.

Chrome is available for Windows only at the moment, but is expected to be released for Mac OS X and Linux as well. I am really curious how this is going to develop and whether it is really going to affect “the Internet as a whole” (I really believe Google has gained enough market power to push their products).

“Here Comes Another Bubble”

I normally try to avoid the “me too” blog posts, but this video is simply hilarious, especially if you or your job are somehow related to the “Web 2.0” hype. Have fun!

Update 2007-12-16: as of today, the video has been taken down due to a copyright lawsuit. What a pity! Read more on TechCrunch.

Update 2007-12-20: a new version without the pictures in question has been published. I changed the video link below to point to the new version, called “Here Comes Another Bubble 1.1”. (via TechCrunch)

[youtube I6IQ_FOCE6I]

(via Scobleizer and TechCrunch)

Amazon S3 Storage in Europe

Amazon announced that they are going to offer the S3 storage service inside Europe.

This for sure will provide a great boost in speed for my JungleDisk backup. I am now checking out what I have to do to get my data moved to the European data centers. I suppose I have to re-upload everything, because you have to specify for each bucket whether it is located in the USA or in Europe. JungleDisk at the moment does not provide support for this. I opened a forum topic asking whether they’ll support this in the near future (article1, article2).

It’s also interesting to note that storing data in Europe is more expensive. It costs $0.18/GB/month as compared to $0.15 in the US. Bandwidth prices at the moment do not differ based on location. So I’d only switch if the upload/download speed is significantly higher than to/from the USA.

Writing articles using BlogDesk


I am currently evaluating BlogDesk, a Windows-only software for offline blog editing, supporting a wide range of different blogging systems, including WordPress (the system this blog is running on).

The main reason why I am trying to switch from the integrated online editor of WordPress to a dedicated piece of software is speed and offline availability. Lately I tend to work offline again, because I got a nice little notebook which is able to run on battery for quite some time. I now tend to use the time I’ve got, for instance, when riding a train, and I want to be able to use this time to publish some posts. BlogDesk’s editor is very speedy; it is more responsive than the online editor. One also tends to concentrate more on the content and less on the layout, because there is no preview possibility.

Additionally, BlogDesk encourages using images in your blog posts, because it makes it easy to incorporate them. It warns you if your images are going to be too big, and it provides some nice effects like the drop shadow used in the screenshot above. Images can be inserted from a URL, a file or the clipboard. They will be uploaded when publishing your article.

Unfortunately, BlogDesk does not support tags in WordPress 2.3+ yet. But I am sure they will come.

BlogDesk is free, but the source code is not available. As mentioned, it is Windows only, but it works very well. I’d recommend giving it a try if you are using Windows and are contributing to a blog.