• I am rooting for DuckDuckGo

    I was pleasantly surprised to see this email in my inbox earlier this evening:

    A screenshot of an email that I received from DuckDuckGo about being able to respond to emails on the DuckDuckGo Email Protection service.

    I have written about DuckDuckGo’s Email Protection feature in the past. It’s a service that removes trackers from your emails before they hit your inbox. Some may not like the idea of DuckDuckGo being able to read your mail to do that, but it’s okay in the larger sense because your email host could very well be reading your emails. Most promise not to, but we never know. Email in general is not a secure protocol for communication. One should use Signal for such communication.

    Getting back to the original point, DuckDuckGo is no longer just a search company. They are expanding fast into various territories, including the above-discussed email service and an ad and tracker blocker across all apps and websites on Android: App Tracking Protection.

    In an interview with Protocol, DuckDuckGo’s CEO explains why they are doing well:

    I think part of the reason there is, a lot of privacy products were not companies. They weren’t built with high-quality UX in mind. They were often run by enthusiasts who had the best intentions in mind, but they weren’t trying to build businesses to compete with the biggest tech companies in the world, like we are. We need to change that narrative over time. There are a couple headwinds on that, though, just to be completely frank about it. One is, people just think it’s not even possible to get privacy. And so we have to educate them that this easy button is real. We have to explain to them, yes, if you stop the trackers from loading, they won’t track you.

    Their daily search query traffic has surpassed 100 million as well. This success is a great testament to the fantastic product suite that they are building. There’s no stopping them from here. I am rooting for them. I’d become a paying customer the day they announce a paid plan.

    There’s also SimpleLogin, of which I am a very happy customer. With DuckDuckGo announcing a full-fledged email service now, I am torn between the two, but I’d remain a SimpleLogin customer and split my usage between the two. They have been fantastic over the last two years.

  • One-click emoji reactions on Slack

    Last week at work, I learned that Slack has support for one-click emoji reactions. It’s a workspace-level feature which, when enabled, allows any member to configure their own top 3 emoji for quick access.

    If your workspace has it enabled, you can configure your options under the Messages & media tab in Slack settings.

    A screenshot of Slack settings that show one-click emoji reactions under "Messages & media" tab.

  • Unauthorized LastPass access

    There’s a wild discussion on Hacker News at the moment about certain LastPass users seeing unauthorized access. To summarize that discussion:

    • Certain users are seeing unauthorized access to their LastPass account, using the correct master password.
    • Affected users are seeing access from multiple regions, mostly Brazil, but Toronto and Paris too.
    • Unauthorized access is stemming from an IP range starting with 160.

    At this time, there are various unknowns: whether LastPass itself is compromised, whether these unauthorized logins are the work of an internal division (support teams, for example) accessing user accounts, whether they are related to the log4j vulnerability, or whether a malicious desktop app or browser extension is capturing input.

    A master password is the single password that you use to access your LastPass account, which in turn contains your individual site passwords. So, if you are using LastPass, you’ll need to rotate your master password and individual site passwords right now.

    If you ask me though, I’d strongly recommend moving off of LastPass. Bitwarden and 1Password are great choices, of which the former is free and open source. The latter is paid, commercial, and isn’t open source. But 1Password’s security model looks good enough, in that they require a “secret key” in addition to the password. It’s my favorite: Setting up password managers for family and friends. Also, both Bitwarden and 1Password allow setting up 2FA for the password manager itself.

  • Chamber

    The result of grinding VALORANT for a month! Chamber is here. 🎉

    A screenshot of the VALORANT game that shows an agent named Chamber unlocked.

    I play Spike Rush mostly these days on VALORANT. But my friend suggested giving Unrated a try again and I liked it. With Viper as my main, a few games were great but the last one was spectacularly bad. A pleasant surprise when I noticed Chamber unlocked though.

  • SPOILER: Spider Man: No Way Home

    Friday evening was one of the greatest moments in my life, especially in the last two years. I saw Spider Man: No Way Home at the cinemas, and my first one in over two years. Since COVID started, I hadn’t visited the cinemas. I had to go alone because the only two friends I had in town this weekend were occupied at work or on personal errands. Anyway, if you haven’t seen the movie yet, stop reading right now! This post is a spoiler. You have been warned.

    I grew up watching Spider Man. I remember watching Tobey’s trilogy when I was young, but I hadn’t become an MCU (Marvel Cinematic Universe) fan until recently. I have been following the movies and TV shows for a while (I am yet to catch up on a few), but being caught up on Tobey’s and Andrew’s versions of the Spider Man storylines had me hyped for this release.

    I thoroughly enjoyed the first hour of the movie. The story up to that point is fun and builds up the suspense of bringing together heroes and villains from the other universes. Andrew and Tobey aren’t shown yet.

    A poster of the Marvel Cinematic Universe's heroes, Spider Man and Doctor Strange, from the movie Spider Man No Way Home.

    I wasn’t too thrilled about Andrew and Tobey’s entry though. I was expecting a more dramatic announcement, but that’s okay — them bonding with Tom later in the movie makes up for that downer. Even before the fight began, things started getting predictable.

    Perhaps it’s just me, and perhaps it’s because I didn’t watch it with my friends in a hall packed with an audience. Given COVID and reduced interest in this movie in my town, the hall was hardly filled. We had about 30 people and no one really cheered. One of my colleagues said “see it quick on the biggest screen with a large crowd”; I regret not doing that. I went in expecting Endgame vibes; it didn’t meet that level.

    All in all, I enjoyed the movie. Andrew’s portrayal was particularly great. When MJ falls, he drops down too and catches her just in time. The scene is a recreation of a similar one in The Amazing Spider Man series when Gwen drops and he is unable to save her. In this particular scene, we can see him tearing up. He was so emotionally invested in the character. I am his newest fan.

    24 hours after the movie, I cannot stop thinking about how great these 148 minutes were.

  • Proprietary email platforms and open standards for email

    Proprietary email platforms like Gmail and Outlook are so common these days that most users aren’t even familiar with the open standards for email: IMAP, POP3 and SMTP. Popular platforms are built on these protocols, but don’t expose them to the customer. Instead, the platforms act as one big wrapper service. For most customers, the concept of email stops here.

    But the idea of email as a federated protocol goes further: it is to make communication possible between users on different domains, using the open standards mentioned above. This means the email inbox is accessible in multiple ways, including official apps or third-party apps, on the desktop, on mobile, in a shell, or through a web-based user interface.

    I have sampled about 30 family members, but not one is familiar with the concept of owning a domain or purchasing an email hosting plan. Everyone has a @gmail or @yahoo address. Their understanding of accessing the email inbox is to visit gmail.com or yahoo.com, or to use their mobile apps. These for-profit platforms are selling convenience.

    Case in point

    I share my email hosting plan with a family member whom I recently encouraged to own a domain. We had to change the mailbox password because they were worried it may have been exposed. Changing the password on my hosting admin panel is straightforward, but the larger challenge was in helping them navigate their K-9 Mail settings on Android to update the password. Eventually they came home to sort this out, but it’d have been nicer if they could do it on their own. One idea that we spoke about is that I can update the new password in their Bitwarden vault, which they can later auto-fill into K-9 Mail.

    I wish we could turn this around one day though: by educating users about the advantages of owning their data, and about how to navigate these open standards and apps.

  • Setting up password managers for family and friends

    I love what Troy’s doing here: setting up password managers for family and friends.

    I have tried that many times in my circle, but only a handful of my audience are open to the idea of password managers. The concept of handing all login passwords to a single app is just alien to them. Obviously, I do my best to clear up the confusion, starting with how password managers are encrypted and don’t hold the actual passwords in the clear, how they make it easier to generate a unique password for each website/tool, and how different password managers publish different security whitepapers.

    In my three years of trying to educate my folks, I have successfully convinced only two members to start with Bitwarden. 1Password is easily a better choice, but the paid plan is a point of friction for most who are new to this concept, and most importantly for those unbothered by security hygiene. The other blocker is likely their worry of forgetting the master password. Fortunately, this is solvable on 1Password using the family member-based recovery feature: Recover accounts for family or team members. If you use that feature, be sure to remember your email login password though. Without that password, you’re locked out forever.

  • Deleting unwanted Google accounts from a decade ago

    Young me from a decade ago apparently had created a lot of Google accounts, one for each purpose: shopping, websites, social media, etc. I didn’t have the habit of using a password manager back then. So, I didn’t realize these accounts even existed until today. I wanted to explore Google’s account recovery flows, and I clicked on “Forgot email” (not “Forgot password”) option on the login page.

    Entering the recovery email address, which is my primary address, shows a whole bunch of accounts that I haven’t used in many years.

    A screenshot from Google login page that shows a list of Google accounts for recovery.

    I ended up spending 15 minutes resetting the password for each account, logging in and deleting them one by one. I didn’t bother checking what I had in those accounts’ Gmail or Google Drive. If I haven’t missed something in over 10 years, I doubt it’d be useful at all today. Also, if I discover something embarrassing in that history, I don’t want my weekend ruined because of it. 😅

  • There’s something special about old school communication

    I sent birthday wishes to a friend from high school over email today. I wasn’t too sure if she would still have access to the address, or respond, but to my surprise, I received a response within an hour! We caught up on each other’s life updates over the next several exchanges. I remember our chats on instant messengers a few years ago usually being short, but in today’s email exchange, I noticed we spoke at length, and I noticed a sense of happiness at her end as well; it’s similar to the feeling of receiving a handwritten letter.

    In today’s world, instant messengers have made it incredibly easy to stay in constant touch. With this advancement in technology also comes the loss of the human, personal touch that hand-written letters offer. Email is modern technology, but in comparison to the chat apps that we have at our disposal today, the former still feels a bit more personal. It’s also fair to say that email inboxes have become a junkyard for subscription, marketing and transactional emails. So, receiving an email from someone you haven’t spoken with in a long time is a wonderful experience.

    I fondly remember when my cousin, 6 years old at that time, sent me a letter all the way from Japan! She had written a full-page message, made a piece of art and packaged it neatly in an envelope for her dad to ship.

    I haven’t written a physical letter in many years. I can’t wait to write one very soon.

  • Free, private pi-hole hosting with Fly.io and Tailscale

    Hosting a network-wide pi-hole for ad-blocking is easy. It comes with a one-step installation guide that you can run in most environments. I run two pi-holes at my house, but the problem with my setup is that if my internet drops, both pi-holes stop working too. Ideally, I’d have a pi-hole outside my house, preferably somewhere whose internet doesn’t go down at the same time as my provider’s.

    That’s where a cloud-hosted pi-hole proves helpful.

    I learned about Fly.io recently. It’s an app hosting platform that makes it incredibly easy to deploy apps to multiple regions and scale as needed. Their free tier offers a generous 2,340 hours per month of uptime, which translates to about 3 shared-cpu-1x VMs with 256MB RAM running full time. My pi-hole consumes about 200MB RAM consistently, so this means I could host up to 3 apps, each with a pi-hole on it. But I run only one, as I have two others at my house.

    A screenshot from Fly.io's pricing page that shows their free tier metrics.
    Fly.io free tier

    Setting up the pi-hole

    This Fly blog post already documents how you can run a pi-hole in a few steps, but there is a problem with this setup: the pi-hole will be publicly queryable by anyone on the internet. We don’t want that, because running a public, open DNS resolver is not a good idea. We’ll need to lock this down behind a secure tunnel that’s accessible only to you.

    Locking down pi-hole access with Tailscale

    If you follow my blog, you’d know by now that I am a Tailscale fan. It’s easy, useful mesh VPN software that you can add to most devices that you own. For the pi-hole on Fly.io setup, I followed the same guide that Fly documented, but in the Dockerfile configuration I replaced eth0 with tailscale0 so that my pi-hole listens for queries only on the Tailscale network.

    With that image deployed, I SSH’d into the Fly instance and installed Tailscale using the Debian installation guide here: Install Tailscale on Linux. That wasn’t quite straightforward though. I had to use legacy iptables and then run ./tailscaled & from the /usr/sbin folder. From there, I could run sudo tailscale up.

    Stopping ./tailscaled stops Tailscale, so as a workaround for now, I just leave open the tab where ./tailscaled is running. I am pretty sure that’s not how it should be done, but it works for now.

    I further locked down this Fly instance’s DNS port to my own Tailscale nodes, as I don’t want anyone else on my Tailnet (I share it with my friends and family) to make other calls to the Fly node. A handy Tailscale ACL like the one below works:

    { "Action": "accept", "Users": ["group:not-arun-family"], "Ports": ["fly:53"] },
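    To see why that rule is enough, here is an added illustration (not Tailscale’s own matcher, and not code from this post) that evaluates a policy in the same legacy "Action"/"Users"/"Ports" form with default-deny semantics; the group members, the "media" host and both Tailscale addresses are constructed placeholders.

```python
"""Default-deny evaluation of a Tailscale-style ACL (legacy Action/Users/Ports
form). Illustration only: not Tailscale's code; members and addresses below are
constructed placeholders."""
import ipaddress

POLICY = {
    # Host aliases usable in "Ports"; "fly" stands for the pi-hole node.
    "Hosts": {"fly": "100.64.0.10", "media": "100.64.0.20"},
    "Groups": {
        "group:not-arun-family": ["arun@example.com", "sibling@example.com"],
        "group:friends": ["friend@example.com"],
    },
    "ACLs": [
        # Only the family group may query DNS on the Fly node.
        {"Action": "accept", "Users": ["group:not-arun-family"], "Ports": ["fly:53"]},
        # Everyone on the tailnet may reach the shared media host on any port.
        {"Action": "accept", "Users": ["*"], "Ports": ["media:*"]},
    ],
}


def _user_matches(policy, selectors, user):
    """A selector is "*", a group name, or a literal user login."""
    for sel in selectors:
        if sel == "*" or user == sel or user in policy["Groups"].get(sel, []):
            return True
    return False


def _port_matches(policy, spec, dst_ip, dst_port):
    """spec looks like "fly:53", "100.64.0.0/10:53-54" or "*:*" (IPv4 or alias)."""
    host, ports = spec.rsplit(":", 1)
    host = policy["Hosts"].get(host, host)  # resolve an alias to an address/CIDR
    if host != "*":
        net = ipaddress.ip_network(host, strict=False)  # bare IP becomes a /32
        if ipaddress.ip_address(dst_ip) not in net:
            return False
    if ports == "*":
        return True
    lo, _, hi = ports.partition("-")  # single port or inclusive range
    return int(lo) <= dst_port <= int(hi or lo)


def is_allowed(policy, user, dst_ip, dst_port):
    """Tailscale ACLs are allow-lists: a flow is permitted only if some accept
    rule names both the source user and the destination host:port."""
    return any(
        rule["Action"] == "accept"
        and _user_matches(policy, rule["Users"], user)
        and any(_port_matches(policy, p, dst_ip, dst_port) for p in rule["Ports"])
        for rule in policy["ACLs"]
    )
```

    With this policy a friend on the tailnet is refused on fly:53 and even a family member is refused on any other port of the Fly node, which is the lockdown the rule above is meant to give.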

Hey there! I am a Happiness Engineer at Automattic, working on WordPress.com support. If you enjoy discussing online privacy, encryption, and fediverse like I do, you can reach me by commenting on my posts, or by email.