jadewang has quit [Remote host closed the connection]
jadewang has joined #sandstorm
bb010g has joined #sandstorm
natea has joined #sandstorm
natea has quit [Quit: natea]
natea has joined #sandstorm
jadewang has quit [Remote host closed the connection]
<ocdtrekkie>
How much data is logged about demo users?
<ocdtrekkie>
Random thought: demo.sandstorm.io for short term anonymous data transfers.
<paulproteus>
Hah.
amyers has quit [Remote host closed the connection]
amyers has joined #sandstorm
amyers has quit [Read error: Connection reset by peer]
amyers has joined #sandstorm
gopar has joined #sandstorm
jadewang has joined #sandstorm
<paulproteus>
Like a fast-expiring Pastebin.
jadewang has quit [Ping timeout: 252 seconds]
amyers has quit [Ping timeout: 256 seconds]
jadewang has joined #sandstorm
<ocdtrekkie>
Yeah paulproteus
<ocdtrekkie>
Use a demo account, and you know the trace of your sharing should be promptly deleted.
<ocdtrekkie>
And assuming Sandstorm uses a relatively short retention policy on whatever access logs might be generated by the web server (which is a good practice, I think, in today's subpoena-heavy times) then all traces of it are gone before anyone knows to look for it.
<kentonv>
we should implement a short-retention policy. But at this time, it's still occasionally useful to dig back through old logs to debug, occasionally...
<kentonv>
although that hasn't happened very often
<kentonv>
so maybe we can implement that now, hmm
bb010g has quit [Remote host closed the connection]
kamalmarhubi has quit [Remote host closed the connection]
<ocdtrekkie>
Re: comments above somewhere about a dropbox replacement. I kinda feel like that's a thing that should be really really lightweight, just upload/delete/rename files and folders, written on the raw api, with read/modify/write permissions and stuff for sharing and API access. So that it's easy for other apps to access it and build off of it without a performance hit.
mquandalle has quit [Remote host closed the connection]
mattl has quit [Remote host closed the connection]
jadewang has quit [Remote host closed the connection]
jadewang has joined #sandstorm
natea has quit [Quit: natea]
<zarvox>
I would like to take this opportunity to point out that the first time that I tried to suspend my laptop while having a VirtualBox VM running, my laptop failed to suspend. And this is the first time this device has experienced such a failure.
<zarvox>
It practically burned my hand when I tried to remove it from the neoprene case 80 minutes later.
<zarvox>
So, uh, yeah, I think I will attempt to continue using the libvirt vagrant backend where possible :S
<kentonv>
my chromebook pixel wakes up in my backpack all the time
<kentonv>
luckily hasn't started on fire yet
<zarvox>
kentonv: do you have anything magnetic in your backpack?
<zarvox>
if it uses a hall effect sensor, that could set it off
<mcpherrinm>
The Novena laptop just got a feature where the firmware won't allow it to wake when the lid is closed
<kentonv>
no, my theory is that squeezing or bending it the right way can cause a keyboard key to be pressed, waking it up
gopar has quit [Remote host closed the connection]
<kentonv>
and gnome's lock screen does not like to go back to sleep until first unlocked
<mcpherrinm>
kentonv: the new pixel or the older one?
<zarvox>
mcpherrinm: nice!
<kentonv>
older
<kentonv>
I think
<zarvox>
mcpherrinm: do you have a Novena?
<mcpherrinm>
zarvox: yes
<mcpherrinm>
(not the laptop though)
<zarvox>
easier to use the Peek Array on the non-laptop one
<mcpherrinm>
I have "just the board" so no peek array either :(
<zarvox>
oh. still a decent board for doing FPGA development and the like
<mcpherrinm>
yeah
<mcpherrinm>
I haven't really used it for much yet
jadewang has quit [Remote host closed the connection]
GeorgeHahn has joined #sandstorm
darius has quit [Remote host closed the connection]
joshbuddy has quit [Quit: joshbuddy]
GeorgeHahn has quit [Quit: Leaving]
bb010g has joined #sandstorm
mattl has joined #sandstorm
jksonc has quit [Ping timeout: 272 seconds]
prosodyContext has quit [Ping timeout: 256 seconds]
bpierre has quit [Ping timeout: 252 seconds]
fkautz has quit [Ping timeout: 256 seconds]
kamalmarhubi has joined #sandstorm
joshbuddy has joined #sandstorm
jadewang has joined #sandstorm
jadewang has quit [Ping timeout: 258 seconds]
mquandalle has joined #sandstorm
hunterm has quit [Remote host closed the connection]
jancborchardt has quit [Remote host closed the connection]
hunterm has joined #sandstorm
jancborchardt has joined #sandstorm
joshbuddy has quit [Quit: joshbuddy]
jksonc has joined #sandstorm
fkautz has joined #sandstorm
bpierre has joined #sandstorm
prosodyContext has joined #sandstorm
ragesoss_ has joined #sandstorm
ragesoss has quit [Ping timeout: 264 seconds]
erikoeurch has joined #sandstorm
<erikoeurch>
happy to hear hosted beta will launch this week! Standing by to test :D
mort___ has joined #sandstorm
mort___ has quit [Ping timeout: 256 seconds]
mort___ has joined #sandstorm
mort___ has quit [Quit: Leaving.]
amyers has joined #sandstorm
mort___ has joined #sandstorm
mort___ has left #sandstorm [#sandstorm]
amyers has quit [Ping timeout: 244 seconds]
natea has joined #sandstorm
natea has quit [Quit: natea]
amyers has joined #sandstorm
amyers has quit [Read error: Connection reset by peer]
amyers has joined #sandstorm
natea has joined #sandstorm
amyers has quit [Ping timeout: 265 seconds]
amyers has joined #sandstorm
amyers has quit [Ping timeout: 265 seconds]
<paulproteus>
erikoeurch: Happy to hear that someone reads what I write : D
<erikoeurch>
paulproteus: I'm sure there are a lot of fellow backers eagerly reading the updates in anticipation of the real thing! :D
<paulproteus>
(-:
<ocdtrekkie>
Hide your wallets. Rumor is Lord Gaben is returning on the 11th.
<eldios>
guys, did anybody have problems with iPython in sandstorm and URLLib?
<eldios>
it doesn't seem to be connecting with a DNS resolution error
<eldios>
even a simple "print socket.gethostbyname('www.google.com')" fails
<eldios>
of course DNS resolution is working outside of sandstorm in that VM :)
<eldios>
maybe it's something with Jupyter?
bb010g has quit [Quit: Connection closed for inactivity]
<dwrensha>
eldios: by default, Sandstorm apps are restricted from making outgoing network requests
<phildini>
it would be kind of awesome if there were a sandstorm mechanism for the app to ask the user whether an out-going network connection is ok.
<phildini>
Now I'm thinking of the full suite of capability permissions ala iOS, and given that "capability" seems to be a magic word here I imagine this is in the works?
<paulproteus>
(I have no point, I just want to say) Dr. Powerboxer
<paulproteus>
kentonv: You should publish that draft blog post you wrote recently (-:
<paulproteus>
I like obscurely referring to semi-secrets here.
<phildini>
Man, I hope that team's name was inspired by the source of the anagram I just posted.
<paulproteus>
Most def
<paulproteus>
posix4e: Hey, are you still interested in making the IRC web chat things work? If so, I hope to sync you up with jparyani so that you can finish it, and I can use things like it (-:
<posix4e>
paulproteus: I am, we were working on it and we decided to get dns working first
<paulproteus>
Great.
<posix4e>
paulproteus: probably going to be in a couple of weeks, but shout and kiwirc work with almost no modifications (just no net yet)
<posix4e>
Should be a noop with some changes
<posix4e>
sandstorm is my favorite tech I have played with in a while. I can't wait to move my irc and dropbox to it
<posix4e>
I wonder how things like asm.js impact it.
<posix4e>
REAL LIFE HUMANS. FEAR!. Honestly that sounds fun
<posix4e>
you guys should host the go club at the next one :)
<paulproteus>
(-:
natea has quit [Quit: natea]
natea has joined #sandstorm
amyers has joined #sandstorm
erikoeurch has joined #sandstorm
natea has quit [Client Quit]
mort___ has joined #sandstorm
amyers has quit [Ping timeout: 244 seconds]
natea has joined #sandstorm
jadewang has quit [Remote host closed the connection]
jadewang has joined #sandstorm
mort___ has quit [Quit: Leaving.]
mcpherrinm has quit [Quit: leaving]
natea has quit [Quit: natea]
natea has joined #sandstorm
mcpherrin has joined #sandstorm
natea has quit [Quit: natea]
natea has joined #sandstorm
ragesoss_ has quit [Ping timeout: 252 seconds]
ragesoss has joined #sandstorm
<paulproteus>
I like to say, "Security isn't a feature. Reliability is a feature, and security lets us give people this."
<paulproteus>
But it's always interesting when people seem to value neither of them.
<paulproteus>
This relates to having spent many years of my life being asked by less-technical friends, "How come software isn't more secure?"
<paulproteus>
My usual answer is that there are no incentives driving software to be more secure. You can't really tell during normal use if software has breathtakingly bad security issues.
<paulproteus>
So it's approximately basically impossible to select for safer software as a user of the software.
<maurer>
paulproteus: I mean, not really? It's possible, just more difficult.
<maurer>
*more difficult than it should be
<paulproteus>
Well hence me hedging a lot with "approximately basically".
<XgF>
How many people used Hola whose client *lets companies pay to run stuff as the Windows SYSTEM account*?
<paulproteus>
But as, e.g., a person shopping online, I think it's pretty tough to know that a site has a remote code execution vulnerability in an old PHP "internal API" that no one deleted and everyone forgot about.
<paulproteus>
Not that this is a real example from my past work or something.
<maurer>
paulproteus: Which is why you do not ever shop at a site that implements their own payment service? You send payments via amazon or google or a similar trusted party.
<maurer>
(this is my strategy for this anyways)
<paulproteus>
Sure, but if the site stores your "tokenized" payments information, say, or has other private data, then you might still suffer some loss if the site gets compromised.
<maurer>
Too many experiences with typoing a url and getting sent to something that is obviously a file inclusion or an sql injection
<XgF>
They have your address, they have your order history...
<maurer>
XgF: that I'm much less worried about tbh
<maurer>
It's a risk
<maurer>
but there's some data that has to be guarded, and some that would be nice to have guarded
<XgF>
I actually consider a leak of my credit card details *less* important than my metadata
<maurer>
XgF: it's a massive pain to deal with that kind of theft
<maurer>
the eve-kill site is more hilarious because I stumbled on it because ?a=kll_detail is one of their main pages, which is why I accidentally found it by typoing kill_detail
<XgF>
Credit card fraud? A major pain in the ass. Data in public? Unfixable
posix4e has left #sandstorm [#sandstorm]
<maurer>
XgF: Sure, but much less damage to me unless I was buying something I could be blackmailed over
<paulproteus>
I did that recently.
natea has quit [Quit: natea]
<maurer>
paulproteus: bought something you could be blackmailed over, or stumbled into an inclusion vuln?
<maurer>
paulproteus: the best part btw, is that another part of their site lets you upload text files for parsing into the database
<ocdtrekkie>
maurer: On the bright side, eve-kill isn't exactly somewhere you transmit sensitive data.
<maurer>
ocdtrekkie: It's true
<maurer>
ocdtrekkie: Do you play?
<ocdtrekkie>
Especially since you should never trust those shifty third party EVE devs. ;)
<ocdtrekkie>
They may work for the enemy.
<ocdtrekkie>
That's a hard question to answer.
<paulproteus>
Bought something I could be blackmailed over. At least embarrassed, maybe not literally blackmailed? Anyway.
<ocdtrekkie>
I have an EVE account. I pay for it.
natea has joined #sandstorm
<maurer>
ocdtrekkie: Who are you affiliated with? I am V.N - SOUND - HERO
<ocdtrekkie>
I play more DUST 514 than EVE, but now, I spend more time on politics than gameplay.
<ocdtrekkie>
I have ties to the CFC, sorry Imperium.
<maurer>
ocdtrekkie: wait, didn't they schedule DUST's execution already?
<ocdtrekkie>
maurer: I think DUST is like that survivor of an execution.
<ocdtrekkie>
Sentence carried out, but it still lives. What do we do?
<XgF>
Yay, my TV needs rebooting to finish installing an update...
<ocdtrekkie>
I'm a member of the CPM (Council of Planetary Management), so I'm at least somewhat versed on the internal todos regarding it.
<XgF>
I don't remember buying Windows TV Edition...
<maurer>
ocdtrekkie: Oh, OK. An acquaintance was on the CSM for two terms, so I've seen how that pulls people out of the game a bit.
<ocdtrekkie>
Yeah, it's a boatload of fun. o_o Full-time unpaid volunteer consulting position, basically.
<ocdtrekkie>
My term's almost over though, we're having our next election next month.
<ocdtrekkie>
\o/
<XgF>
ocdtrekkie: Sounds about right for the game that's a job you pay for
<maurer>
XgF: He's got the position for DUST, not EVE >_>
<ocdtrekkie>
DUST is freemium.
<maurer>
Sorry, I appear to have dragged this off topic
<zarvox>
"recompile virtualbox from source so it can expose more file handles concurrently" is probably not a supportable approach
<ocdtrekkie>
Submit pull request?
<maurer>
ocdtrekkie: to virtualbox?
* ocdtrekkie
shrugs
<ocdtrekkie>
"Make number biggar please." Include Garply photo to ensure someone pays appropriate attention to the request?
<maurer>
ocdtrekkie: I mean, hopefully it works, I'm just balking at the notion of trying to communicate with Oracle and get them to do something, especially something that involves taking something represented as "code" from an outside source
<paulproteus>
I am spending some quality time with the GlobalSign website, apparently.
<paulproteus>
meonkeys: So I was hoping to convince you to maybe write something Sandstorm-y for LinuxJournal, since I saw you'd written stuff for them before! But also, if you know Meteor, I wondered if you'd be willing to be a person who can answer questions from ocdtrekkie who has some Meteor-related Sandstorm patch(es) he wanted help with (months ago, oops).
<meonkeys>
paulproteus: cool, yes, saw your email. I'm considering it! I do love writing articles for LJ. It's been a while, but they might want one.
<paulproteus>
(-:
<ocdtrekkie>
paulproteus: I heavily appreciate that link, actually.
<ocdtrekkie>
I get very get off my lawn about all these frameworks and platforms and newfangled programming languages that manage things for you.
<ocdtrekkie>
When I want to write a web page, I create a new text file, name it index.php and start freaking there.
* ocdtrekkie
fumes
<paulproteus>
: D ocdtrekkie
<ocdtrekkie>
Then I put it on a web server.
<ocdtrekkie>
Maybe I go a little crazy, and let that web server run MySQL too.
<ocdtrekkie>
That's it.
<paulproteus>
meonkeys: https://github.com/sandstorm-io/sandstorm/issues/72 is a pull request where, if you have some time sometime, we (the Sandstorm community) could really use someone with Meteor experience to mentor ocdtrekkie and help him get his proposed change merged.
<paulproteus>
If you're up for that, that's splendid. I think the time requirements on it are, like, "Sometime this month would be nice." If you don't think you have time for that, that could be OK too! I've just found myself spread thin lately between a lot of other things and want to make sure ocdtrekkie has someone to answer questions.
<kentonv>
(Terms of Service and Privacy Policy for managed hosting)
<paulproteus>
You might want to try getting a local dev environment working before saying yes or no; my experience is that a local dev environment for Sandstorm is surprisingly easy to set up if you run Linux, and semi-easy to set up if you use the Vagrantfile provided in the Sandstorm project directory to have a Linux machine to develop Sandstorm on.
<paulproteus>
Either way, I'm grateful to have you here meonkeys so really it's OK if you don't have time; I just thought I'd make the ask clearer.
<meonkeys>
paulproteus: right on. I've used Meteor for a while, so I'll try to make the time to help. Nothing for sure yet, but I'll keep it on my radar.
<paulproteus>
Thanks! (-:
<ocdtrekkie>
There's probably more things I would try to tackle if I could Meteor.
* ocdtrekkie
goes to read the TOS.
<ocdtrekkie>
kentonv: Random thoughts: Why a particular comment on "commercial" pornography? Assuming one has legal license to distribute it or whatever.
<kentonv>
ocdtrekkie: it is very highly correlated to fraud
<kentonv>
they tend to get their own hosting services that specialize in dealing with that
<ocdtrekkie>
Okay.
<ocdtrekkie>
"The Sandstorm user interface offers you options for restricting this re-sharing" <- Not currently, kentonv?
<kentonv>
I guess we might have to add a couple of "not implemented yet" notes in there... :/
<kentonv>
if you can make note of the ones you see and file an issue, that would be great. :)
<ocdtrekkie>
Suggest "may offer", possibly, as a "well, we might/will offer this in the future" and/or "we might not always offer this for some reason platform feature related"
<ocdtrekkie>
Okay, filing issues is fun.
<ocdtrekkie>
"In the case of harassment, if in our judgment the case warrants it (such as if you make explicit death threats towards an individual), we may reveal your identity to anyone who might be interested, such as to the harassed parties or to your mother." <- This is hilarious. But possibly incredibly vague from a privacy commitment standpoint.
<kentonv>
yeah, I'm open to suggestions for more-precise language that accomplishes the intent
<ocdtrekkie>
I think either the metric for qualifying the warrant of the case or the interested parties should be more specific.
<ocdtrekkie>
I dislike "anyone who might be interested". Harassed parties and law enforcement, however, might be more reasonably specific. Also, I think you should retain the right to tell their mother explicitly.
<kentonv>
I could live with that.
<paulproteus>
It could be the case that e.g. we should tell freenode who you are if you're spamming a freenode user.
<paulproteus>
As an example that maybe requires more broad language than ocdtrekkie's.
<paulproteus>
Then again, maybe we should "just" firewall you from freenode at that point? I don't know.
<paulproteus>
Then again again you could probably borrow a freenode capability from a friend of yours in that case : P
<ocdtrekkie>
As Sandstorm grains will, via various protocols, interface with the outside world, perhaps it should be clear as a reporting category that you not use Sandstorm to violate the terms of use of another service?
<paulproteus>
Aw, I like violating terms of service!
<paulproteus>
(not even kidding) (maybe I shouldn't say that if this channel is publicly logged)
<ocdtrekkie>
And in the case you violate those terms, Sandstorm can identify you to the operators of that service?
<ocdtrekkie>
Or something similar to that.
<paulproteus>
That seems sensible enough.
<paulproteus>
I could live with my service providers ratting me out if they deem fit.
<ocdtrekkie>
Because obviously, you don't want people using Sandstorm grains to hide scripts specifically designed to maliciously harass other services.
<kentonv>
this may already fall under "illegal use", but calling it out makes some sense
<paulproteus>
I'm OK with not calling it out too fwiw. Mumble something about lightweight nimble terms of service.
<paulproteus>
agile scrum terms of service
<ocdtrekkie>
My notion is just that specifically highlighting violating terms with other service providers via Sandstorm grains equals you guys identifying them to said service providers puts you in the clear to be more specific on individual harassment.
erikoeurch has quit [Ping timeout: 265 seconds]
<XgF>
I don't think there's such a thing as an "agile terms of service"
<XgF>
(or well there is, but it's reeeeealllly expensive)
natea has quit [Quit: natea]
<paulproteus>
Sometimes I wish it weren't a hobby of mine to read terms of service carefully.
<phildini>
why?
<paulproteus>
Well I just spent like an hour and a half reading GlobalSign's. And I dunno, I'm not sure I feel like my life is clearly better having done so.
<phildini>
ah.
<phildini>
here's a thing you could use/contribute to: https://tosdr.org/
<dwrensha>
i,i "veritas" / "very TOS"
<ocdtrekkie>
Many hosting companies specify where they're hosting, beyond country. As in I'm aware that HostGator uses a data center run by what is now Softlayer, I think.
<ocdtrekkie>
So I'm aware of who has physical access to the place where my data is stored and presumably how quality their physical security measures are.
<kentonv>
ocdtrekkie: I'm curious how you feel about us being on GCE. I've probably asked this before, but I don't remember what you said.
<ocdtrekkie>
I'm not particularly fond of it (I am pretty sure I recall earlier mention of it) but obviously their tendency to data mine everything doesn't work so well with varied hosted software.
<ocdtrekkie>
I'd mind it less with encrypted grains. ;)
<kentonv>
I think it would be extremely surprising and possibly violating policy, contracts, and/or law if they were data-mining GCE instances. I'm also not sure how they'd reasonably do it from a technical standpoint.
<kentonv>
technically speaking, I don't think encryption would actually make a difference, since the keys would necessarily be present on their machines somewhere.
<kentonv>
would you feel better or worse about AWS?
<ocdtrekkie>
Probably a bit better. As I said, I understand GCE is probably safe. But I trust the company very little.
<kentonv>
I'm surprised you trust Amazon more.
<ocdtrekkie>
And sometimes these cloud providers feel very ethereal to me. Like, as I said, HostGator details the physical parameters of each of their data centers. I don't have a 'just trust us' relationship with their measures.
<ocdtrekkie>
Amazon hasn't, to my knowledge, ever used my data in a way I didn't expect or permit. Obviously they do a ton of data mining on their store, for example, but the scope of that largely seems contained to that property.
<kentonv>
yeah... problem is softlayer is at least twice as expensive, less performant, probably less physically secure, ...
<kentonv>
well... I have little doubt that Amazon would happily use your Amazon browsing history to optimize their ad network if they had one, and use your web browsing history to optimize your Amazon recommendations if they had access to your web browsing history.
<ocdtrekkie>
But they don't have those things. Which is key.
<ocdtrekkie>
If anything, the most concerning thing is these companies having such a wide control over the ecosystem.
<XgF>
It does seem a weird thing for a bunch of people to do their "google exit" into a service hosted on google infrastructure
<ocdtrekkie>
The data Google collects on me, spread across twenty companies' isolated services is probably far less concerning than Google, having and collating all of that data in one place.
<ocdtrekkie>
XgF's point is less technical and more... philosophical, but valid.
<ocdtrekkie>
Given one of my ongoing in progress goals is to be off of Google entirely.
<XgF>
(I say this as someone who hosts his own stuff himself, so take that with a pinch of salt...)
<zarvox>
Strictly speaking, if you're unwilling to trust any host, you should run Sandstorm on your own hardware.
<XgF>
(and by "hosts his stuff himself", I mean "host it at Linode" :P)
<XgF>
(Random offtopic question: Any idea what incantations one has to do on Ubuntu to make asan work?)
<zarvox>
I have a couple of boxes in a cage at svcolo.
<ocdtrekkie>
Sure zarvox. And I do intend at some point to go self-hosted, particularly for sensitive data.
<ocdtrekkie>
But it's not that I don't trust any hosts, but rather I trust certain hosts a lot less than others.