Categories
Random Bits Technology and Internet

Managing Secrets With Vault

I’ve been looking into this area, of how to handle and manage a large quantity of secrets and users, for quite a while (old post), because when an organization or infrastructure grows, the number of “secrets” required for authentication and authorization increases as well. It is at this stage that bad practices (that are no more than shortcuts), such as reusing credentials, storing them in inappropriate ways or not invalidating those that are no longer required, start becoming problematic.

Yesterday at “Madeira Tech Meetup” I gave a brief introduction to this issue and explored ways to overcome it, which included a quick and basic explanation of Vault and a demo of a common use case.

You can find the slides of the presentation here, and if you have any suggestion or something you would like to discuss about it, feel free to comment or reach out through any of the contact mediums I provided.

Categories
Personal Technology and Internet

Federated Tweets, or Toots

Recently there has been a big fuss about “Mastodon”, an open-source project that is very similar to Twitter. The biggest difference is that it is federated. So what does that mean?

It means that it works like “email”: there are several providers (called instances) where you can create an account (you can set up your own server if you desire), and accounts from different providers can communicate with each other, instead of all information being in just one silo.

Of course, for someone who is in favor of an open web this is a really important “feature”.

Another big plus is that the wheel wasn’t reinvented: this network is interoperable with the existing “GNU Social” providers (it uses the same protocol), so you can communicate and interact with people who have an account on an instance running that software. It can be seen as two providers of the same network running different software packages (one in PHP, the other in Ruby) but speaking the same language over the network.

I haven’t tested it much yet, but given that it is a push for a solution that is not centralized (which is a rare thing nowadays), I think it is a small step in the right direction. So I’ve set up an individual instance for myself where I will regularly publish links to posts/articles/pages that I find interesting. Feel free to follow at https://s.ovalerio.net and if you know someone worth following in this network, let me know.

Here are a few links with more information:

List of instances where you can create an account

Categories
Random Bits Startups

Managing a 100% remote company

This video about GitLab was posted recently and is a very interesting case study on how a company can function normally while having all of its employees working remotely.

Categories
Random Bits Technology and Internet

Log based analytics are still useful

A long time ago, most modern website analytics software shifted from relying on server logs to using client-side code snippets to gather information about the user; in this last category we can include, as examples, Google Analytics and Piwik. In fact, this paradigm allows collecting more detailed information about the visitors of the website and gives developers more flexibility; however, it can also be seen as the website owners imposing the execution of code on the user’s computing device against their will, undermining their privacy (some people go as far as putting it in the same category as malware). Log-based analytics software, last time I checked, is seen as a museum relic from the 90s and early 00s.

However, as explained in a blog post named “Why ‘Ad Blockers’ Are Also Changing the Game for SaaS and Web Developers” and further discussed by the Hacker News community, we might need to look again at the server-side approach, since the recent trend of using ad blockers (which have all the legitimacy, given the excesses of the industry) can be undermining the usefulness of the client-side method, given that most of the time the loading of the snippet and the extra requests it requires are being blocked. This is why server-side analytics can be very handy again, allowing us to measure the “Ghost Traffic”, as it is called in the article.

A very high level overview of both methods can be described like this:

Client-side:

  • Pros:
    • Lots of information
    • Easy to set up
  • Cons:
    • Extra requests and traffic
    • Can be blocked by browser extensions
    • The use of a third-party entity raises some privacy concerns

Server-side:

  • Pros:
    • Cannot be blocked
    • Does not pose a privacy concern, since it only records the requests for the website “pages” made by the user
  • Cons:
    • Less detailed information
    • If the server is behind a CDN, not all requests will hit the server

The main issue with the use of log-based tools is that they look ancient, some haven’t seen an update for a while, and they can take some work to set up. Nevertheless, they can definitely be very useful in order to understand the extent of the usage of blockers by visitors, and even for the cases when we just need simple numbers. It also puts aside the privacy discussion, since it only monitors the activity of the servers.

That’s the case with this blog: I do not run any analytics software here (because I do not see the need, given its purpose) and when I’m curious about the traffic, I use a very cool tool called GoAccess, which goes over the nginx logs and generates some nice reports.
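As an added example (not from the post, and not GoAccess’s code), here is a small parser for nginx’s default “combined” log format that counts page views per visitor and flags the visitors that never fetched the client-side snippet, which is the “ghost traffic” the article refers to. The snippet path, the visitor key (IP address plus User-Agent) and the log lines are constructed assumptions.

```python
import re
from collections import defaultdict

# nginx "combined" log format (the default, which GoAccess also understands); regex is ours.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
SNIPPET_PATH = "/static/analytics.js"  # hypothetical path of the client-side snippet
ASSET_RE = re.compile(r"\.(css|js|png|jpe?g|gif|ico|svg|woff2?)$")

# Constructed sample access log: one visitor that loads the snippet, one that does not,
# one 404 from a bot, and one malformed line.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Jan/2016:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux) Firefox/43.0"
203.0.113.10 - - [10/Jan/2016:10:00:02 +0000] "GET /static/analytics.js HTTP/1.1" 200 900 "https://example.org/" "Mozilla/5.0 (X11; Linux) Firefox/43.0"
198.51.100.7 - - [10/Jan/2016:10:01:00 +0000] "GET /posts/log-analytics/ HTTP/1.1" 200 7300 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/47.0"
198.51.100.7 - - [10/Jan/2016:10:03:30 +0000] "GET /about/?ref=home HTTP/1.1" 200 3100 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/47.0"
192.0.2.55 - - [10/Jan/2016:10:05:00 +0000] "GET /wp-login.php HTTP/1.1" 404 150 "-" "curl/7.47.0"
this line is not a valid log entry
"""

def parse_line(line):
    """Split one combined-format line into its fields; None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_page_view(entry):
    """A successful GET of a page (not a static asset): what server-side counting measures."""
    path = entry["path"].split("?", 1)[0]
    return entry["method"] == "GET" and entry["status"] == "200" and not ASSET_RE.search(path)

def ghost_traffic(log_text):
    """Page views per visitor (IP + User-Agent), split by whether the snippet was ever fetched."""
    views = defaultdict(int)
    fetched_snippet = set()
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue  # skip malformed lines instead of aborting the whole run
        visitor = (e["ip"], e["ua"])
        if e["path"].split("?", 1)[0] == SNIPPET_PATH and e["status"] == "200":
            fetched_snippet.add(visitor)
        elif is_page_view(e):
            views[visitor] += 1
    ghost = {v: n for v, n in views.items() if v not in fetched_snippet}  # never ran the snippet
    return {"page_views": sum(views.values()), "visitors": len(views),
            "ghost_views": sum(ghost.values()), "ghost_visitors": len(ghost)}

if __name__ == "__main__":
    print(ghost_traffic(SAMPLE_LOG))
```

On the sample, two of three page views come from a visitor that never requested the snippet, exactly the share a client-side tool would not report.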

Give it a look; perhaps you don’t need Google Analytics everywhere, or its results might not be as accurate as you think, especially if your audience has a significant percentage of tech-savvy people.

Categories
Random Bits Technology and Internet

Managing secrets

A few hours ago, I published a small article on Whitesmith’s blog about sharing and managing secrets inside a software development environment. At first I dig a little into this problem, which is very common, and later I explain how we are addressing these issues. You can check it through the following link:

Managing Secrets (www.whitesmith.co/blog/managing-secrets/)

I mention some tools in the article that are very interesting in this area, but a more detailed analysis or walk-through was left for a future post as we get more familiar with them.

Categories
Technology and Internet

Getting started with GPG

Last week I gave a small workshop during the lunch hour (the famous Whitesmith’s “Lunch’n Learn”) about OpenPGP. It only covered the most basic aspects, so that non-technical people could be introduced to this tool, something that can be very useful when someone is sharing or working with sensitive information (either personal or work related).

It covers aspects such as key pair generation, key revocation, export/import of keys and obviously encryption and decryption of documents. Most of the examples use a command-line interface, but there are several frontends available which are straightforward to use once you are familiar with the concepts. Perhaps it can also be useful to you (somehow), so here is the link to the presentation; if you have any question feel free to ask in the comments section.

Categories
Technology and Internet

“Bloat”

Last week I read a great post entitled “Web Design: The First 100 Years”; it is a long one but definitely worth reading. I will just leave here a quote (three short paragraphs) because it puts into words something that has already crossed my mind multiple times.

“A further symptom of our exponential hangover is bloat. As soon as a system shows signs of performance, developers will add enough abstraction to make it borderline unusable. Software forever remains at the limits of what people will put up with. Developers and designers together create overweight systems in hopes that the hardware will catch up in time and cover their mistakes.

We complained for years that browsers couldn’t do layout and javascript consistently. As soon as that got fixed, we got busy writing libraries that reimplemented the browser within itself, only slower.

It’s 2014, and consider one hot blogging site, Medium. On a late-model computer it takes me ten seconds for a Medium page (which is literally a formatted text file) to load and render. This experience was faster in the sixties.” Maciej Cegłowski

Categories
Technology and Internet

Now running over HTTPS

2014 was a year in which we witnessed a huge number of Internet-related security incidents; in the previous years, the world understood that our Internet usage is accessible not only to us and our service providers but to every middleman along the way as well. So it is natural that the recent trend is to secure our communications over the Internet to make the whole web safer, not only emails or chat conversations but our browsing too.

Last year we saw the rise of many projects that intend to improve the security of Internet users. For example, most of the big companies enforced the use of HTTPS to access their services, CloudFlare launched Universal SSL, the “Let’s Encrypt” project was born, and there were major initiatives to promote the usage of private browsing tools like “tor” and encrypted chat apps like ChatSecure, TextSecure, etc.

In the long run this will certainly contribute to a better and safer web. That is why I decided to start this year with a major change to my personal websites and pet projects: from now on, all of them will only be accessible through HTTPS. I know it is not a perfect system, but it is a step forward.

[Image: CloudFlare Full SSL scheme]

I am using CloudFlare Full SSL until the “Let’s Encrypt” project takes off this summer. This approach, however, is not an end-to-end encryption scheme, since all traffic is decrypted and encrypted again in the servers of the CDN. This is a drawback (and a deviation from the original concept of SSL), but it still is better than nothing and should be fixed by the summer.

Categories
Technology and Internet

The Web We Lost

The Web We Lost, a two-year-old post with a message that still stands. For those who have an hour to spare, some good points are addressed in the video and in the Q&A afterwards.

Categories
Technology and Internet

Django Resources

As I said in earlier posts on this blog, when I build websites or web apps where there are no technology impositions, I usually choose to do it in Python and, in most cases, that’s the equivalent of saying I choose to do it in Django.

Over the last year, since I started using Bundlr, I’ve been aggregating some resources like blog entries, tutorials and videos that I found useful and that could come in handy in the future.

Today I’m sharing the collection here, since it might be helpful to someone else. I hope you like it, and if you know more references that should be included in the list, please share them in the comments or send me an email.

The list can be found here.

Edit July 2016: Since I removed my account, the list is no longer available on Bundlr. Check recent posts; it will be published again soon.