Bcc: An email blog from <a href="https://npdoty.name" rel="me">Nick Doty</a>. Updated 2020-05-04T17:43:50Z.
four questions, May 3 (2020-05-04T17:43:50Z, nick@npdoty.name)
<ol>
<li>What did I do today?</li>
</ol>
<p>Coffee, yogurt, granola and banana for video brunch with friends. Did the laundry, and went to the garden, where we thinned out our kale plants, and harvested more snap peas and spinach from one of the neighboring beds than we know what to do with. Had a late dinner of grilled cheese (and fresh spinach) and quinoa chickpea salad.</p>
<p><img src="https://npdoty.name/images/mess-of-spinach.jpg" alt="A pile of cleaned spinach." style="width: 300px;"><img src="https://npdoty.name/images/peas-in-bowls.jpg" alt="Two bowls of snap peas." style="width: 300px;"></p>
<ol start="2">
<li>What did I enjoy?</li>
</ol>
<p>Seeing friendly faces. Pulling snap peas from the community garden. Watching videos on WhatsApp of Jamie's 16 month old nephew -- who lives a short bike ride / infinitely far away.</p>
<ol start="3">
<li>What did I find difficult?</li>
</ol>
<p>Writing letters to the Berkeley administration and still getting pretty upset over the lack of respect in this institution that I care about.</p>
<ol start="4">
<li>What has changed?</li>
</ol>
<p>The tedious task of cleaning has taken on a different meaning. It has higher stakes; I'm cleaning everything more frequently; it feels more satisfying and regular even as it's also more time-consuming.</p>
four questions, April 21 (2020-04-22T03:55:14Z, nick@npdoty.name)
<ol>
<li>What did I do today?</li>
</ol>
<p>Emails, a Zoom call on local transit advocacy, more emails. Looked at New York Times recipes for simple delicious-looking things. Cooked eggs and homefries lunch, and picked up dinner (and tomorrow's dinner) at the one-man soul-food place down the street. Talked with Jamie and watched TV.</p>
<ol start="2">
<li>What did I enjoy?</li>
</ol>
<p>Empanadas, beer-battered french fries, fried plantains from Boricua Soul. Deep frying is amazing.</p>
<ol start="3">
<li>What did I find difficult?</li>
</ol>
<p>I feel at a loss about what my role is, or even exactly what I want it to be. How can I help? Is what I'm doing useful or not? What do I want to be doing? Why am I not better at what I'm trying to do and why am I choosing those things to try to do?</p>
<ol start="4">
<li>What has changed?</li>
</ol>
<p>My mood is so unpredictable. Each day still feels a little random, though I'm on slightly steadier footing. But even within days, my mood can be dramatically different from morning to night. I think I just have to accept that this is how it is for now, and not read too much into feeling aimless or into feeling refreshed. This too shall pass, and all that.</p>
<p>Oh, and I have less hair now. I kinda like it. I think I missed feeling a little weird.</p>
<p><img src="https://npdoty.name/images/corona-haircut.jpg" alt="Me, pretty much bald, smiling about it." style="width: 500px;"></p>
four questions, April 16 (2020-04-17T04:40:46Z, nick@npdoty.name)
<p>Answering the <a href="https://werd.io/2020/four-questions">same four questions</a> to record the sense of these unusual times.</p>
<ol>
<li>What did I do today?</li>
</ol>
<p>Woke up, but was slow to get out of bed (looked at the news) and didn't grind the coffee until just before the noon teleconference (<a href="https://www.w3.org/Privacy/IG/">Web privacy</a>). I had breakfast and got dressed and ready before the afternoon webinar (<a href="https://citp.princeton.edu/event/webinar-felten-covid/">COVID-19, contact tracing and privacy</a>). Made <a href="https://octodon.social/@npd/104010243740723789">a diagram of when Durham political officials made different orders and when Google mobility data shows more isolation</a>. Made two lunches because the first lunch was so delicious (grilled cheese with spinach and avocado; hashbrowns and fried eggs). Took a long walk along the American Tobacco Trail and past Forest Hills Park and Orchard Park and talked to a friend on the phone, which apparently works even when wearing a mask. Attended a <a href="https://bikedurham.org/">Bike Durham</a> meeting (Zoom) and the tail end of <a href="https://www.facebook.com/events/2478880615757443">WordHack</a> (Twitch). Popcorn and cookies for dinner.</p>
<ol start="2">
<li>What did I enjoy?</li>
</ol>
<p>The weather was just right for a nice walk, and the birds and flowers are both out in force and easily take up my granular attention.</p>
<ol start="3">
<li>What did I find difficult?</li>
</ol>
<p>Even when the news doesn't overwhelm me with a sense of doom, it's often enough of a distraction that I don't get to the things on my list that I wanted to do (writing a letter, reviewing a pull request, emailing my notes on contact tracing), when there are meetings and meals and such in between. I'm frustrated.</p>
<ol start="4">
<li>What has changed?</li>
</ol>
<p>I attend webinars now, voluntarily. I don't even roll my eyes at the prospect (maybe I do a little afterwards), I'm just happy to have the information and see people. Webinars aren't the most engaging way to communicate, but I'm also coming to realize that they're not the least.</p>
<p>Being far away (from friends or events) is less of a comparative disadvantage. When I'm visiting New York, I always try to attend WordHack and I always lament that the city I live in doesn't have this robust tech-poetry-art scene, but now it actually seems possible that I get some of the same engagement with crazy ideas without actually being in the largest city in the country. Attending the Princeton talk this afternoon was similar -- those are often streamed for people who aren't there in person, but it feels like you're getting less of the experience if you're one of the few remote attendees. And video hangouts with friends in California and New York or family in the midwest let me stay in touch with groups of people who seem suddenly more open to that when they can't just hang out with folks nearby. I'm optimistic that work opportunities are considering that too: I wasn't going to fly to IETF or TPAC anyway (for money/time/carbon reasons), but making those large meetings virtual makes them more accessible to me despite my lack of large corporate backing. There may be jobs of interest that weren't open to remote employees last year that may be open to them this year. It's like that dream of the Internet being the end to the importance of distance, except slightly realistic.</p>
four questions, April 15 (2020-04-16T04:10:13Z, nick@npdoty.name)
<p>Answers to <a href="https://werd.io/2020/four-questions">four questions</a>, as suggested by <a href="https://werd.io">Ben Werd</a> for keeping a concrete record of life during an exceptional time.</p>
<ol>
<li>What did you do today?</li>
</ol>
<p>Woke up, late -- forgot to set the little alarm clock. Looked at my phone, but didn't stress too much about it. Ground the coffee (the grinder a gift from Haley and Eric), boiled the water (the new electric kettle a gift from Jamie), made coffee (I think Brooks first introduced me to the Aeropress) and ate the last piece of oatmeal cake (Mom's recipe, out of Granddad's old recipe box and baked in one of his casserole dishes). Read emails and RSS feeds and wrote out my small list for the day. Showered and dressed: important steps, I'm finding. Caught up on emails about contact tracing protocols and then had a short videoconference with Deirdre -- possible teaching options, commiserating about the strange fluctuations in moods from day to day, UC Berkeley's financial challenges. Had leftover rajma masala, with spinach and broccoli, for lunch. Called Granddad briefly. Sat on a cushion on the bedroom floor and listened to a short guided meditation on loving kindness. Sent emails and social media posts advocating for local "slow streets" so that it'll be easier and safer to walk and bike at a safe distance during the pandemic. Picked up the compost bin. Got bundled up in coat, scarf and facemask and walked to pick up a burrito and then to Orchard Park to see how the garden plot was doing. Walked home and watched TV on the couch with Jamie, read the news on my phone again but didn't stress too much about it.</p>
<p><img src="https://npdoty.name/images/oatmeal-cake.jpg" width=300 alt="a moist piece of oatmeal cake, with almond topping."><img src="https://npdoty.name/images/kale-seedlings.jpg" width=300 alt="a handful of kale seedlings in a row, with scattered weeds, rocks and wood."></p>
<ol start="2">
<li>What did you enjoy?</li>
</ol>
<p>That oatmeal cake. Baking a comforting cake for myself has been such a highlight of the last couple days. Seeing the community garden plots. TV on the couch with Jamie.</p>
<ol start="3">
<li>What did you find difficult?</li>
</ol>
<p>Granddad sounds lonely and pessimistic, but tells me that we just need to be good to each other. It's sad to keep telling him that I'm not able to visit, not allowed to visit, and won't be able to any time soon.</p>
<ol start="4">
<li>What has changed?</li>
</ol>
<p>From yesterday, I'm feeling so much less hopeless, so much less angry in the sense of raging at a cloud of unfairness and stewing in that unfairness and how unfair it is. I don't know what caused that different reaction from yesterday morning, it just feels like a random choice is made for me each day. From before the March primary, life feels less packed with urgent reaction, anger and mistrust, but I'm also now less certain of what to do or what life will be like next month or next year; less urgent but more aimless. I feel like there's still so many things to do, but I'm less sure of what or how I should contribute. Since a couple of weeks ago, maybe I'm also less scared, less unsteady on my feet. Jamie's work situation seems much less actively dangerous; social distancing measures have been implemented and mostly accepted; I wear a mask whenever I go outside and spend less time worrying about whether I should be doing something differently.</p>
Re: First flights of 2020 (2020-01-23T23:56:45Z, npdoty@ischool.berkeley.edu)
<p>Hi Tantek,</p>
<p>Thanks for <a rel="in-reply-to" href="https://tantek.com/2020/021/t1/first-flights-changes-make">posting about personal logging of environmental impacts and different mitigations</a>. I’m thinking now about how I can post on my own site not just <a href="https://npdoty.name/plan/climate/">the actions I’m trying to follow in terms of my own behavior and my advocacy</a> but also a running counter of some of my activities and their carbon emissions (this <a href="https://indieweb.org/environmental_impact">IndieWeb environmental impact page</a> is a great resource).</p>
<p>I don’t know that air travel is singled out inaccurately for its climate change impacts. While aviation as a category has lower impact than many other categories, that seems to primarily be because it is currently accessible only to the rich. For individuals who do fly, each flight emits large amounts of greenhouse gases. This <a href="https://iopscience.iop.org/article/10.1088/1748-9326/aa7541/meta">study from Wynes and Nicholas</a>* suggests that avoiding a single, roundtrip trans-Atlantic flight has a much bigger impact (approximately double) than switching from an omnivorous to plant-based diet for one year. Those authors also reviewed how often reducing air travel was suggested as a mitigation (in corpora of high school science textbooks and government-produced guides) and found that it was recommended far less often than other actions that had less substantial impact on carbon emissions.</p>
<p>Maybe the frequency of that advice is changing, especially as we see <a href="https://www.theguardian.com/world/2019/jun/04/stayontheground-swedes-turn-to-trains-amid-climate-flight-shame">Europeans shifting some travel to trains</a> (over “flygskam” or based on Greta Thunberg’s widely publicized example). I agree that guilt, shame and self-harm aren’t useful ways to make these decisions and I’ve certainly experienced the feeling of freezing up because of my guilt and the enormity of the problem in ways that were unproductive or counterproductive. For me, reviewing comparative data has been meaningful and actionable, both in changing my diet and in changing my travel decisions.</p>
<p>Collectively, I hope we can talk more about how to shift Web standards meetings (and tech and academic conferences more generally) into remote communications or regional satellite meetings. I’ve been inspired by <a href="https://jacob.hoffman-andrews.com/README/2019/07/19/i-will-not-attend.html">Jacob’s pledge</a> and Eliot’s I-D ("<a href="https://tools.ietf.org/html/draft-lear-we-gotta-to-stop-meeting-like-this-01">We gotta stop meeting like this.</a>") and it seems like a fruitful area for the Web and the Internet to contribute solutions, rather than adding to the harm. I’d like to take the train to a TPAC/US-East meeting in DC this October, where room-size videoconferencing is set up for nearby attendees to communicate with the “main” conference in Vancouver. What do you think?</p>
<p>Sincerely,<br>
Nick</p>
<p>* Wynes, Seth, and Kimberly A. Nicholas. “The Climate Mitigation Gap: Education and Government Recommendations Miss the Most Effective Individual Actions.” Environmental Research Letters 12, no. 7 (July 2017): 074024. https://doi.org/10.1088/1748-9326/aa7541.</p>
"no photos please" and other broadcasts (2019-01-11T06:33:21Z, nick@npdoty.name)
<p>We've spent a lot of collective time and effort on design and policy to support the privacy of the user of a piece of software, whether it's the Web or a mobile app or a device. But more current and more challenging is the privacy of the non-user of the app, the privacy of the bystander. With the ubiquity of sensors, we are increasingly observed, not just by giant corporations or government agencies, but by, as they say, little brothers.</p>
<p>Consider the smartphone camera. Taking digital photos is free, quick and easy; resolution and quality increase; metadata (like precise geolocation) is attached; sharing those photos is easy via online services. As facial recognition has improved, it has become easier to automatically identify the people depicted in a photo, whether they're the subject of a portrait or just in the background. If you don't want to share records of your precise geolocation and what you're doing in public places, with friends, family, strangers and law enforcement, it's no longer enough to be careful with the technology you choose to use, you'd also have to be constantly vigilant about the technology that everyone around you is using.</p>
<p>While it may be tempting to draw a "throw your hands up" conclusion from this -- privacy is dead, get over it, there's nothing we can easily do about it -- we actually have widespread experience with this kind of value and various norms to protect it. At conferences and public events, it's not uncommon to have a system of stickers on nametags to either opt-in or opt-out of photos. This is a help (not a hindrance) for event photographers: rather than asking everyone to pose in your photo, or asking everyone after the fact if they're alright with your posting a public photo, or being afraid of posting a photo and facing the anger of your attendees, you can just keep an eye on the red and green dots on those plastic nametags and feel confident that you're respecting the attendees at your event.</p>
<p>There are similar norms in other settings. Taking video in the movie theater violates legal protections, but there are also widespread and reasonably well-enforced norms against capturing video of live theater productions or comedians who test out new material in clubs, on grounds that may not be copyright. Art museums will often tell you whether photos are welcome or prohibited. In some settings the privacy of the people present is so essential that unwritten or written rules prohibit cameras altogether: at nude hot springs, for example, you just can't use a camera at all. You wouldn't take a photo in the waiting room of your doctor's office and you'll invite anger and social confrontation if you're taking photos of other people's children at your local playground.</p>
<p>And even in "public" or in contexts with friends, there are spoken or unspoken expectations. "Don't post that photo of me drinking, please." "Let me see how I look in that before you post it on Facebook." "Everyone knows that John doesn't like to have his photo taken."</p>
<p>As cameras become small and more widely used, and encompass depictions of more people, and are shared more widely and easily, and identifications of depicted people can also be shared, our social norms and spoken discussions don't easily keep up. Checking with people before you post a photo of them is absolutely a good practice and I encourage you to follow it. But why not also use technology to facilitate this checking others' preferences?</p>
<p>We have all the tools we need to make "no photos please" nametag stickers into unobtrusive and efficiently communicated messages. If you're attending a conference or party and don't want people to take your photo, just tap the "no photos please" setting on your smartphone before you walk in. And if you're taking photos at an event, your camera will show a warning when it knows that someone in the room doesn't want their photo taken, so that you can doublecheck with the people in your photo and make sure you're not inadvertently capturing someone in the background. And the venue can remind you that way too, in case you don't know the local norm that pictures shouldn't be taken in the church or museum.</p>
<p><img src="https://npdoty.name/images/nophotosplease-settings-mockup.png" alt="Mockup of turning on No Photos Please mode. Camera icon by Mourad Mokrane from the Noun Project." style="width:50%;" title="Camera icon by Mourad Mokrane from the Noun Project"></p>
<p>As a technical matter, I think we're looking at Bluetooth broadcast beacons, from smartphones or stationary devices. That could be a small Arduino-based widget on the wall of a commercial venue, or one day you might have a poker-chip-sized device in your pocket that you can click into private mode. When you're using a compatible camera app on your phone or a compatible handheld camera, your device regularly scans for nearby Bluetooth beacons and if it sees a "no photos please" message, it shows a (dismissable) warning.</p>
<p><img src="https://npdoty.name/images/nophotos-camera-mockup.png" alt="Mockup of camera showing no photos warning." style="width:50%;"></p>
<p>The discretionary communication of preferences is ideal in part because it <em>isn't</em> self-enforcing. For example, if the police show up at the political protest you're attending and broadcast a "no photos please" beacon, you can (and should) override your camera warning to take photos of their official activity, as a safeguard for public safety and accountability. An automatically-enforcing DRM-style system would be both infeasible to construct and, if it were constructed, inappropriately inviting to government censorship or aggressive copyright maximalism. Technological hints are also less likely to confusingly over-promise a protection: we can explain to people that the "no photos please" beacon doesn't prevent impolite or malicious people from surreptitiously taking your photo, just as people are extremely familiar with the fact that placards, polite requests and even laws are sometimes ignored.</p>
<p>Making preferences technically available could also help with legal compliance. If you're taking a photo at an event and get a "no photos" warning, your device UI can help you log why you might be taking the photo anyway. Tap "I got consent" and your camera can embed metadata in the file that you gathered consent from the depicted people. Tap "Important public purpose" at the protest and you'll have a machine-readable affirmation in place of what you're doing, and your Internet-connected phone can also use that signal to make sure photos in this area are promptly backed up securely in case your device is confiscated.</p>
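<p>A sketch of the camera-side logic described in the last three paragraphs, as an added example (not code from this post or from any existing app). The length/type/data layout of Bluetooth advertising payloads and the Manufacturer Specific Data type <code>0xFF</code> are real; the company identifier, the <code>NPP</code> marker, the preference code and all function names are hypothetical, and the payloads are constructed samples.</p>

```python
"""Added example: camera-side handling of a hypothetical "no photos please" beacon."""

AD_TYPE_MANUFACTURER = 0xFF      # Bluetooth AD type "Manufacturer Specific Data"
PLACEHOLDER_COMPANY_ID = 0xFFFF  # placeholder company identifier for this sketch
NO_PHOTOS_MAGIC = b"NPP"         # hypothetical marker; no such format is standardized
PREF_NO_PHOTOS = 0x01            # hypothetical preference code

# The two reasons the post imagines the camera UI offering.
OVERRIDE_REASONS = ("I got consent", "Important public purpose")

# Constructed sample payloads: flags + preference, flags + a local name, and a
# preference structure whose length byte overruns the payload.
NO_PHOTOS_ADV = bytes.fromhex("020106" "07ff" "ffff" "4e5050" "01")
OTHER_ADV = bytes.fromhex("020106" "0509") + b"cafe"
TRUNCATED_ADV = bytes.fromhex("020106" "07ff" "ffff" "4e")


def parse_ad_structures(payload):
    """Split a BLE advertising payload into (ad_type, data) pairs.

    Each AD structure is a length byte (counting the type byte plus the data),
    a type byte, then the data. Beacons are unauthenticated radio input, so a
    structure that overruns the payload ends parsing instead of raising.
    """
    structures, i = [], 0
    while i < len(payload):
        length = payload[i]
        if length == 0 or i + 1 + length > len(payload):
            break  # zero length ends the data early; an overrun is malformed
        structures.append((payload[i + 1], bytes(payload[i + 2:i + 1 + length])))
        i += 1 + length
    return structures


def no_photos_requested(payload):
    """True if the payload carries the hypothetical "no photos please" preference."""
    for ad_type, data in parse_ad_structures(payload):
        if ad_type != AD_TYPE_MANUFACTURER or len(data) < 6:
            continue
        company = int.from_bytes(data[:2], "little")  # company ID is little-endian
        if (company == PLACEHOLDER_COMPANY_ID and data[2:5] == NO_PHOTOS_MAGIC
                and data[5] == PREF_NO_PHOTOS):
            return True
    return False


def capture(scan_results, proceed=False, reason=None):
    """Decide what a shutter press does, given recently scanned payloads.

    The beacon is a hint, not a lock: the first press shows a warning, and the
    photographer can proceed, optionally logging why. The returned dict is
    what the camera would embed as metadata.
    """
    warned = any(no_photos_requested(p) for p in scan_results)
    if warned and not proceed:
        return {"photo_taken": False, "warning_shown": True, "override_reason": None}
    if reason is not None and reason not in OVERRIDE_REASONS:
        raise ValueError("unknown override reason")
    return {"photo_taken": True, "warning_shown": warned,
            "override_reason": reason if warned else None}


if __name__ == "__main__":
    nearby = [OTHER_ADV, TRUNCATED_ADV, NO_PHOTOS_ADV]
    print(capture(nearby))
    print(capture(nearby, proceed=True, reason="Important public purpose"))
```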
<p>People's preferences are of course more complicated than just "no photos please" or "sure, take my photo". While I, like many, have imagined that sticky policies could facilitate rules of how data is subsequently shared and used, there are good reasons to start with the simple capture-time question. For one, it's familiar, from these existing social and legal norms. For another, it can be a prompt for real-time in-person conversation. Rather than assuming an error-free technical-only system of preference satisfaction, this can be a quick reminder to check with the people right there in front of you for those nuances, and to do so prior to making a digital record.</p>
<p>Broadcast messages provide opportunities that I think we haven't fully explored or embraced in the age of the Internet and the (rightfully lauded) end-to-end principle. Some communications just naturally take the form of letting people in a geographic area know something relevant to the place. "The cafe is closing soon." "What's the history of that statue?" "What's the next stop on this train and when are we scheduled to arrive?" If WiFi routers included latitude and longitude in the WiFi network advertisement, your laptop could quickly and precisely geolocate even in areas where you don't have Internet access, and do so passively, without broadcasting your location to a geolocation provider. (That one is a little subtle; we wrote a paper on it back when we were evaluating the various privacy implications of WiFi geolocation databases at Berkeley.) What about, "Anyone up for a game of chess?" (See also, Grindr.) eBook readers could optionally broadcast the title of the current book to re-create the lovely serendipity of seeing the book cover a stranger is reading on the train. Music players could do the same.</p>
<p>The Internet is amazing for letting us communicate with people around the world around shared interests. We should see the opportunity for networking technology to also facilitate communications, including conversations about privacy, with those nearby.</p>
<hr>
<p>Some end notes that my head wants to let go of: There is some prior art here that I don't want to dismiss or pass over, I just think we should push it further. A couple examples:</p>
<ul>
<li>Google folks have developed broadcast URLs that they call <a href="https://google.github.io/physical-web/">The Physical Web</a> so that real-life places can share a Web page about them (over mDNS or Bluetooth Low Energy) and I hope one day we can get a link to the presenter's current slide using networking rather than everyone taking a picture of a projected URL and awkwardly typing it into our laptops later.</li>
<li>The Occupy movement showed an interest in geographically-located Web services, including forums and chatrooms that operate over WiFi but not connected to the Internet. <a href="http://occupyhere.org/">Occupy Here</a>: <blockquote>Anyone within range of an Occupy.here wifi router, with a web-capable smartphone or laptop, can join the network “OCCUPY.HERE,” load the locally-hosted website http://occupy.here, and use the message board to connect with other users nearby.</blockquote></li>
</ul>
<p>Getting a little further afield but still related, it would be helpful if the network provider could communicate directly with the subscriber using the expressive capability of the Web. Lacking this capability, we've seen frustrating abuses of interception: captive portals redirect and impersonate Web traffic; ISPs insert bandwidth warnings as JavaScript insecurely transplanted into HTTP pages. Why not instead provide a way for the network to push a message to the client, not by pretending to be a server you happen to connect to around that same time, but just as a clearly separate message? ICMP control messages are an existing but underused technology.</p>
directions to migrate your WebFaction site to HTTPS (updated 2018-11-27T21:01:51Z, published 2016-05-23T01:22:18Z, nick@npdoty.name)
<p>Hiya friends using <a href="https://www.webfaction.com/?aid=61750">WebFaction</a>,</p>
<p>Securing the Web, even our little websites, is important — to set a good example, to maintain the confidentiality and integrity of our visitors, to get the best Google search ranking. While secure Web connections had been difficult and/or costly in the past, more recently, migrating a site to HTTPS has become fairly straightforward and costs $0 a year. It may get even easier in the future, but for now, the following steps should do the trick.</p>
<p>Hope this helps, and please let me know if you have any issues,<br>
Nick</p>
<p>P.S. Yes, other friends, I recommend WebFaction as a host; I’ve been very happy with them. Services are reasonably priced and easy to use and I can SSH into a server and install stuff. <a href="https://www.webfaction.com/?aid=61750">Sign up via this affiliate link</a> and maybe I get a discount on my service or something.</p>
<p>P.S. And really, let me know if and when you have issues. Encrypting access to your website has gotten easier, but it needs to become much easier still, and one part of that is knowing which parts of the process prove to be the most cumbersome. I’ll make sure your feedback gets to the appropriate people who can, for realsies, make changes as necessary to standards and implementations.</p>
<p><strong>Updated 27 November 2018:</strong> As of Fall 2018, WebFaction's control panel now handles installing and renewing Let's Encrypt certificates, and that functionality also breaks by default the scripts described below (you'll likely start getting email errors regarding a 404 error in loading <code>.well-known/acme-challenge</code>). <strong>I recommend using WebFaction's Let's Encrypt support</strong>; <a href="https://docs.webfaction.com/user-guide/websites.html#secure-sites-https">review their simple one-button documentation</a>. This blog post contains the full documentation in case it still proves useful, but if you want to run these scripts, you'll also want to review <a href="https://github.com/will-in-wi/letsencrypt-webfaction/issues/161">this issue regarding nginx configuration</a>.</p>
<p><strong>Updated 16 July 2016:</strong> to fix the cron job command, which may not have always worked depending on environment variables</p>
<p><strong>Updated 2 December 2016:</strong> to use new <code>letsencrypt-webfaction</code> design, which uses WebFaction's API and doesn't require emails and waiting for manual certificate installation.</p>
<hr>
<p><strike>One day soon I hope WebFaction will make more of these steps unnecessary, but the configuring and testing will be something you have to do manually in pretty much any case.</strike> <a href="https://blog.webfaction.com/2018/09/issue-lets-encrypt-ssl-certificates-with-the-control-panel/">WebFaction now supports installing and renewing certificates with Let's Encrypt just by clicking a button in the control panel</a>! While the full instructions are still included here, you should mostly only need to follow my directions for <strong>Create a secure version of your website in the WebFaction Control Panel</strong>, <strong>Test your website over HTTPS</strong>, and <strong>Redirect your HTTP site</strong>. You should be able to complete all of this in an hour some evening.</p>
<p><strong>Create a secure version of your website in the WebFaction Control Panel</strong></p>
<p>Log in to the <a href="https://my.webfaction.com/">WebFaction Control Panel</a>, choose the “DOMAINS/WEBSITES” tab and then click “Websites”.</p>
<p>“Add new website”, one that will correspond to one of your existing websites. I suggest choosing a name like <code>existingname-secure</code>. Choose “Encrypted website (https)”. For Domains, testing will be easiest if you choose both your custom domain and a subdomain of <code>yourusername.webfactional.com</code>. (If you don’t have one of those subdomains set up, switch to the Domains tab and add it real quick.) So, for my site, I chose <code>npdoty.name</code> and <code>npdoty.npd.webfactional.com</code>.</p>
<p>Finally, for “Contents”, click “Re-use an existing application” and select whatever application (or multiple applications) you’re currently using for your <code>http://</code> site.</p>
<p>Click “Save” and this step is done. This shouldn’t affect your existing site one whit. </p>
<p><strong>Test to make sure your site works over HTTPS</strong></p>
<p>Now you can test how your site works over HTTPS, even before you’ve created any certificates, by going to https://subdomain.yourusername.webfactional.com in your browser. Hopefully everything will load smoothly, but it’s reasonably likely that you’ll have some mixed content issues. The debug console of your browser should show them to you: that’s Apple-Option-K in Firefox or Apple-Option-J in Chrome. You may see some warnings like this, telling you that an image, a stylesheet or a script is being requested over HTTP instead of HTTPS:</p>
<blockquote>
<p>Mixed Content: The page at ‘https://npdoty.name/’ was loaded over HTTPS, but requested an insecure image ‘http://example.com/blah.jpg’. This content should also be served over HTTPS.</p>
</blockquote>
<p>Change these URLs so that they point to <code>https://example.com/blah.jpg</code> (you could also use a <em>scheme-relative</em> URL, like <code>//example.com/blah.jpg</code>) and update the files on the webserver and re-test.</p>
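<p>To find these references across a whole site rather than one console warning at a time, here is an added example (not part of the original post or of any WebFaction tooling). It scans HTML for <code>http://</code> subresources and prints the <code>https://</code> rewrite suggested above, while leaving ordinary <code>&lt;a href&gt;</code> links and scheme-relative URLs alone. The function names and the sample page are constructed for illustration, and it does not look inside CSS or JavaScript.</p>

```python
"""Added example: find the http:// subresources that cause mixed-content warnings."""
import sys
from html.parser import HTMLParser
from pathlib import Path

# (tag, attribute) pairs that make the browser fetch a subresource.
# <a href> is deliberately absent: a link to an http:// page is navigation,
# not mixed content.
SUBRESOURCE_ATTRS = {
    ("img", "src"), ("script", "src"), ("iframe", "src"), ("embed", "src"),
    ("audio", "src"), ("video", "src"), ("source", "src"), ("track", "src"),
    ("video", "poster"), ("object", "data"),
}
# <link href> is only fetched as a subresource for these rel values.
FETCHING_LINK_RELS = {"stylesheet", "icon", "preload", "modulepreload", "manifest"}

# Constructed sample page (not from the post).
SAMPLE_PAGE = """<!doctype html>
<html><head>
<link rel="stylesheet" href="http://example.com/style.css">
<link rel="canonical" href="http://example.com/">
<script src="//example.com/app.js"></script>
</head><body>
<a href="http://example.com/about">About</a>
<img src="http://example.com/blah.jpg" alt="blah">
<img src="https://example.com/ok.jpg" srcset="http://example.com/blah-2x.jpg 2x">
</body></html>
"""


def is_insecure(url):
    """True for absolute http:// URLs; relative and //scheme-relative URLs pass."""
    return url.strip().lower().startswith("http://")


def to_https(url):
    """The rewrite the post suggests: same URL, https scheme."""
    url = url.strip()
    return "https://" + url[len("http://"):] if is_insecure(url) else url


class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []  # (line, tag, attribute, url)

    def handle_starttag(self, tag, attrs):
        line = self.getpos()[0]
        rels = set((dict(attrs).get("rel") or "").lower().split())
        for name, value in attrs:
            if not value:
                continue
            if name == "srcset" and tag in ("img", "source"):
                # srcset is a comma-separated list of "url descriptor" pairs.
                urls = [c.split()[0] for c in value.split(",") if c.strip()]
            elif (tag, name) in SUBRESOURCE_ATTRS:
                urls = [value]
            elif (tag, name) == ("link", "href") and rels & FETCHING_LINK_RELS:
                urls = [value]
            else:
                continue
            for url in urls:
                if is_insecure(url):
                    self.findings.append((line, tag, name, url.strip()))


def find_mixed_content(html_text):
    """Return (line, tag, attribute, url) for each insecure subresource."""
    parser = MixedContentFinder()
    parser.feed(html_text)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    if len(sys.argv) > 1:  # a site root such as /home/yourusername/webapps/sitename/
        pages = {str(p): p.read_text(errors="replace")
                 for p in Path(sys.argv[1]).rglob("*.html")}
    else:
        pages = {"(sample)": SAMPLE_PAGE}
    for name, text in sorted(pages.items()):
        for line, tag, attr, url in find_mixed_content(text):
            # Check that the https:// version actually loads before switching.
            print(f"{name}:{line}: <{tag} {attr}> {url} -> {to_https(url)}")
```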
<p>Good job! Now, https://subdomain.yourusername.webfactional.com should work just fine, but https://yourcustomdomain.com shows a really scary message. You need a proper certificate.</p>
<p><strong>Get a free certificate for your domain</strong></p>
<p><a href="https://letsencrypt.org/">Let’s Encrypt</a> is a new, free, automated certificate authority from a bunch of wonderful people. But getting it to set up certificates on WebFaction is a little tricky, so we’ll use the <a href="https://github.com/will-in-wi/letsencrypt-webfaction"><code>letsencrypt-webfaction</code> utility</a> — thanks <a href="https://github.com/will-in-wi">will-in-wi</a>!</p>
<p>SSH into the server with <code>ssh yourusername@yourusername.webfactional.com</code>.</p>
<p>To install, run this command:</p>
<pre><code>GEM_HOME=$HOME/.letsencrypt_webfaction/gems RUBYLIB=$GEM_HOME/lib gem2.2 install letsencrypt_webfaction
</code></pre>
<p>(Run the same command to upgrade; necessary if you followed these instructions before Fall 2016.)</p>
<p>For convenience, you can add this as a function to make it easier to call. Edit <code>~/.bash_profile</code> to include:</p>
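<pre><code>function letsencrypt_webfaction {
    # Set GEM_HOME first so that PATH and RUBYLIB can refer to it;
    # "$@" passes each argument through intact, even if it contains spaces.
    GEM_HOME=$HOME/.letsencrypt_webfaction/gems PATH=$PATH:$GEM_HOME/bin RUBYLIB=$GEM_HOME/lib ruby2.2 $HOME/.letsencrypt_webfaction/gems/bin/letsencrypt_webfaction "$@"
}
</code></pre>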
<p>Now, let’s test the certificate creation process. You’ll need your email address, the domain you're getting a certificate for, the path to the files for the root of your website on the server, e.g. <code>/home/yourusername/webapps/sitename/</code> and the WebFaction username and password you use to log in. Note that a password given as a command-line argument is saved in your shell history and may be visible in the process list while the command runs. Filling those in as appropriate, run this command:</p>
<pre><code>letsencrypt_webfaction --letsencrypt_account_email you@example.com --domains yourcustomdomain.com --public /home/yourusername/webapps/sitename/ --username webfaction_username --password webfaction_password
</code></pre>
<p>If all went well, you’ll see nothing on the command line. To confirm that the certificate was created successfully, check the <a href="https://my.webfaction.com/ssl-certificates">SSL certificates tab</a> on the WebFaction Control Panel. ("Aren't these more properly called TLS certificates?" Yes. So it goes.) You should see a certificate listed that is valid for your domain <code>yourcustomdomain.com</code>; click on it and you can see the expiry date and a bunch of gobbledygook which actually is the contents of the certificate.</p>
<p>To actually apply that certificate, head back to the <a href="https://my.webfaction.com/websites">Websites tab</a>, select the <code>-secure</code> version of your website from the list and in the Security section, choose the certificate you just created from the dropdown menu.</p>
<p><strong>Test your website over HTTPS</strong></p>
<p>This time you get to test it for real. Load https://yourcustomdomain.com in your browser. (You may need to force refresh to get the new certificate.) Hopefully it loads smoothly and without any mixed content warnings. Congrats, your site is available over HTTPS!</p>
<p><em>You are not done.</em> You might think you are done, but if you think so, you are wrong.</p>
<p><strong>Set up automatic renewal of your certificates</strong></p>
<p>Certificates from Let’s Encrypt expire in no more than 90 days. (Why? <a href="https://letsencrypt.org/2015/11/09/why-90-days.html">There are two good reasons</a>.) Your certificates aren’t truly set up until you’ve set them up to renew automatically. You <em>do not</em> want to do this manually every few months; you will forget, I promise.</p>
<p>Cron lets us run code on WebFaction’s server automatically on a regular schedule. If you haven’t set up a cron job before, it’s just a fancy way of editing a special text file. Run this command:</p>
<pre><code>EDITOR=nano crontab -e
</code></pre>
<p>If you haven’t done this before, this file will be empty, and you’ll want to test it to see how it works. Paste the following line of code exactly, and then hit Ctrl-O and Ctrl-X to save and exit.</p>
<pre><code>* * * * * echo "cron is running" >> $HOME/logs/user/cron.log 2>&1
</code></pre>
<p>This will output to that log every single minute; not a good cron job to have in general, but a handy test. Wait a few minutes and check <code>~/logs/user/cron.log</code> to make sure it’s working.</p>
<p>Rather than including our username and password in our cron job, we'll set up a configuration file with those details. Create a file <code>config.yml</code>, perhaps at the location <code>~/le_certs</code>. (If necessary, <code>mkdir le_certs</code>, <code>touch le_certs/config.yml</code>, <code>nano le_certs/config.yml</code>.) In this file, paste the following, and then customize with your details:</p>
<pre>
letsencrypt_account_email: 'you@example.com'
api_url: 'https://api.webfaction.com/'
username: 'webfaction_username'
password: 'webfaction_password'
</pre>
<p>(Ctrl-O and Ctrl-X to save and close it.) Now, let’s edit the crontab to remove the test line and add the renewal line, being sure to fill in your domain name, the path to your website’s directory, and the path to the configuration file you just created:</p>
<pre><code>0 4 15 */2 * PATH=$PATH:$GEM_HOME/bin GEM_HOME=$HOME/.letsencrypt_webfaction/gems RUBYLIB=$GEM_HOME/lib /usr/local/bin/ruby2.2 $HOME/.letsencrypt_webfaction/gems/bin/letsencrypt_webfaction --domains example.com --public /home/yourusername/webapps/sitename/ --config /home/yourusername/le_certs/config.yml >> $HOME/logs/user/cron.log 2>&1
</code></pre>
<p>You’ll probably want to create the line in a text editor on your computer and then copy and paste it to make sure you get all the substitutions right. Paths must be fully specified as above; don't use <code>~</code> for your home directory. Ctrl-O and Ctrl-X to save and close it. Check with <code>crontab -l</code> that it looks correct. As a test to make sure the config file setup is correct, you can run the command part directly; if it works, you shouldn't see any error messages on the command line. (Copy and paste the line below, making the same substitutions as you just did for the crontab.)</p>
<pre><code>PATH=$PATH:$GEM_HOME/bin GEM_HOME=$HOME/.letsencrypt_webfaction/gems RUBYLIB=$GEM_HOME/lib /usr/local/bin/ruby2.2 $HOME/.letsencrypt_webfaction/gems/bin/letsencrypt_webfaction --domains example.com --public /home/yourusername/webapps/sitename/ --config /home/yourusername/le_certs/config.yml
</code></pre>
<p>With that cron job configured, you'll automatically get a new certificate at 4am on the 15th of alternating months (January, March, May, July, September, November). New certificates every two months is fine, though one day in the future we might change this to get a new certificate every few days; before then WebFaction will have taken over the renewal process anyway. Debugging cron jobs can be tricky (I've had to update the command in this post once already); I recommend adding an alert to your calendar for the day after the first time this renewal is supposed to happen, to remind yourself to confirm that it worked. If it didn't work, any error messages should be stored in the <code>cron.log</code> file.</p>
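<p>The checks below are an added example, not part of the original post or of <code>letsencrypt_webfaction</code>: they confirm that <code>config.yml</code> is not accessible to other users or stored under the <code>--public</code> directory, that the crontab no longer passes <code>--password</code> on the command line, and that a certificate is still valid a given number of days out. All function names are assumptions.</p>

```shell
#!/bin/sh
# Added example, not from the original post: checks to run after setting up
# the renewal cron job. Function names and messages are hypothetical.

# Return 0 if FILE exists and grants nothing to group or other users.
config_is_private() {
    [ -f "$1" ] || return 1
    perms=$(ls -ld "$1" | cut -c5-10)     # group + other permission bits
    [ "$perms" = "------" ]
}

# Return 0 if FILE lives under WEBROOT (the --public directory), where the
# web server could serve the password to anyone requesting the file.
config_in_webroot() {
    file_dir=$(cd "$(dirname "$1")" && pwd -P) || return 2
    root=$(cd "$2" && pwd -P) || return 2
    case "$file_dir/" in
        "$root"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if the crontab text on stdin passes --password on a command line
# (comment lines are ignored). Such a password shows up in `crontab -l` and,
# while the job runs, in the process list.
crontab_has_inline_secret() {
    grep -v '^[[:space:]]*#' | grep -q -e '--password'
}

# Return 0 if the PEM certificate on stdin is still valid DAYS from now.
cert_valid_for_days() {
    openssl x509 -noout -checkend "$(( $1 * 86400 ))" >/dev/null 2>&1
}

# Fetch HOST's live certificate and apply the same check (needs network).
site_cert_valid_for_days() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
        cert_valid_for_days "$2"
}

# Print one line per problem found; the return value is the problem count.
audit_renewal_setup() {
    config=$1 webroot=$2 crontab_file=$3
    problems=0
    if ! config_is_private "$config"; then
        echo "$config: missing, or accessible to group/other (chmod 600)"
        problems=$((problems + 1))
    fi
    if config_in_webroot "$config" "$webroot"; then
        echo "$config: inside web root $webroot, move it elsewhere"
        problems=$((problems + 1))
    fi
    if crontab_has_inline_secret < "$crontab_file"; then
        echo "$crontab_file: --password on the command line, use --config"
        problems=$((problems + 1))
    fi
    return "$problems"
}
```

<p>On the server, save the output of <code>crontab -l</code> to a file and pass it as the third argument to <code>audit_renewal_setup</code>, after the config file path and the website directory. The day after the first scheduled renewal, <code>site_cert_valid_for_days yourcustomdomain.com 30</code> confirms that the live certificate has more than 30 days left.</p>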
<p><strong>Redirect your HTTP site</strong> <em>(optional, but recommended)</em></p>
<p>Now you’re serving your website in parallel via <code>http://</code> and <code>https://</code>. You can keep doing that for a while, but everyone who follows old links to the HTTP site won’t get the added security, so it’s best to start permanently re-directing the HTTP version to HTTPS.</p>
<p><a href="https://docs.webfaction.com/software/static.html#static-redirecting-from-http-to-https">WebFaction has very good documentation on how to do this</a>, and I won’t duplicate it all here. In short, you’ll create a new static application named “redirect”, which just has a <code>.htaccess</code> file with, for example, the following:</p>
<pre><code>RewriteEngine On
RewriteCond %{HTTP_HOST} ^www\.(.*)$ [NC]
RewriteRule ^(.*)$ https://%1/$1 [R=301,L]
RewriteCond %{HTTP:X-Forwarded-SSL} !on
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</code></pre>
<p>This particular variation will both redirect any URLs that have <code>www</code> to the “naked” domain and make all requests HTTPS. And in the Control Panel, make the redirect application the only one on the HTTP version of your site. You can re-use the “redirect” application for different domains.</p>
<p>Test to make sure it’s working! http://yourcustomdomain.com, http://www.yourcustomdomain.com, https://www.yourcustomdomain.com and https://yourcustomdomain.com should all end up at https://yourcustomdomain.com. (You may need to force refresh a couple of times.)</p>
<p>Re: meritocracy and codes of conduct<br>
tag:bcc.npdoty.name,2018-06-06:post:5654405781127168 2018-06-06T21:05:22Z npdoty@ischool.berkeley.edu http://bcc.npdoty.name/</p>
<p>In thinking about group governance practices, it seems like setting out explicit norms can be broadly useful, no matter the particular history that's motivated the adoption of those norms. In a way, it's a common lesson of open source collaborative practice: documentation is essential.</p>
<div class="quoted">
<p><a href="https://digifesto.com/2018/05/24/thinking-about-meritocracy-in-open-source-communities/">Seb wrote:</a></p>
<p>I have to admit that though I’m quite glad that we have a Code of Conduct now in BigBang, I’m uncomfortable with the ideological presumptions of its rationale and the rejection of ‘meritocracy’.</p>
</div>
<p>For what it's worth, I don't think this is an ideological presumption, but an empirical observation. Lots of people have noticed lots of open source communities where the stated goal of decision-making by "meritocracy" has apparently contributed to a culture where homogeneity is preferred (because maybe you measure the vague concept of "merit" in some ways by people who behave most similarly to you) and where harassment is tolerated (because if the harasser has some merit -- again, on that fuzzy scale -- maybe that merit could outweigh the negative consequences of their behavior).</p>
<p>I don't see the critiques of meritocracy as relativistic; that is, it's not an argument that there is no such thing as merit, that nothing can be better than something else. It's just a recognition that many implementations of claimed meritocracy aren't very systematic about evaluation of merit and that common models tend to have side effects that are bad for working communities, especially for communities that want to attract participants from a range of situations and backgrounds, where online collaboration can especially benefit.</p>
<p>To that point, you don't need to mention "merit" or "meritocracy" at all in writing a code of conduct and establishing such a norm doesn't require having had those experiences with "meritocratic" projects in the past. Having an established norm of inclusivity makes it easier for everyone. We don't have to decide on a case-by-case basis whether some harassing behavior needs to be tolerated by, for example, weighing the harm against the contributions of the harasser. When you start contributing to a new project, you don't have to just hope the leadership of that project shares your desire for respectful behavior. Instead, we just agree that we'll follow simple rules and anyone who wants to join in can get a signal of what's expected. Others have tried to describe why the practice can be useful in countering obstacles faced by underrepresented groups, but the tool of a Code of Conduct is in any case useful for all.</p>
<p>Could we use forking as a mechanism for promoting inclusivity rather than documenting a norm? Perhaps; open source projects could just fork whenever it became clear that a contributor was harassing other participants, and that capability is something of a back stop if, for example, harassment occurs and project maintainers do nothing about it. But that only seems effective (and efficient) if the new fork established a code of conduct that set a different expectation of behavior; without the documentary trace (a hallmark of open source software development practice) others can't benefit from that past experience and governance process. While forking is possible in open source development, we don't typically want to encourage it to happen rapidly, because it introduces costs in dividing a community and splitting their efforts. Where inclusivity is a goal of project maintainers, then, it's easier to state that norm up front, just like we state the license up front, and the contribution instructions up front, and the communication tools up front, rather than waiting for a conflict and then forking both the code and collaborators at each decision point. And if a project has a goal of broad use and participation, it wants to demonstrate inclusivity towards casual participants as well as dedicated contributors. A casual user (who provides documentation, files bugs, uses the software and contributes feedback on usability) isn't likely to fork an open source library that they're using if they're treated without respect, they'll just walk away instead.</p>
<p>It could be that some projects (or some developers) don't value inclusivity. That seems unusual for an open source project since such projects typically benefit from increased participation (both at the level of core contributors and at lower-intensity users who provide feedback) and online collaboration typically has the advantage of bringing in participation from outside one's direct neighbors and colleagues. But for the case of the happy lone hacker model, a Code of Conduct might be entirely unnecessary, because the lone contributor isn't interested in developing a community, but instead just wishes to share the fruits of a solitary labor. Permissive licensing allows interested groups with different norms to build on that work without the original author needing to collaborate at all -- and that's great, individuals shouldn't be pressured to collaborate if they don't want to. Indeed, the choice to refuse to set community norms is itself an expression which can be valuable to others; development communities who explicitly refuse to codify norms or developers who refuse to abide by them do others a favor by letting them know what to expect from potential collaboration.</p>
<p>Thanks for the interesting conversation,<br>
Nick</p>
<p>May there be shared blocklists<br>
tag:bcc.npdoty.name,2018-01-19:post:5725954030698496 2018-01-19T22:50:18Z nick@npdoty.name http://bcc.npdoty.name/</p>
<p>A reminder:</p>
<p>Unconstrained media access to a person is indistinguishable from harassment.</p>
<p>It pains me to watch my grandfather suffer from surfeit of communication. He can't keep up with the mail he receives each day. Because of his noble impulse to charity and having given money to causes he supports (evangelical churches, military veterans, disadvantaged children), those charities sell his name for use by other charities (I use "charity" very loosely), and he is inundated with requests for money. Very frequently, those requests include a "gift", apparently in order to induce a sense of obligation: a small calendar, a pen and pad of paper, refrigerator magnets, return address labels, a crisp dollar bill. Those monetary ones surprised me at first, but they are common and if some small percentage of people feel an obligation to write a $50 check, then sending out a $1 to each person makes it worth their while (though it must not help the purported charitable cause very much, not a high priority). Many now include a handful of US coins stuck to the response card -- ostensibly to imply that just a few cents a day can make a difference, but, I suspect, to make it harder to recycle the mail directly because it includes metal as well as paper. (I throw these in the recycling anyway.) Some of these solicitations include a warning on the outside that I hadn't seen before, indicating that it's a federal criminal offense to open postal mail or to keep it from the recipient. Perhaps this is a threat to caregivers to discourage them from throwing away this junk mail for their family members; I suspect more likely, it encourages the suspicion in the recipient that someone might try to filter their mail, and that to do so would be unjust, even criminal, that anyone trying to help them by sorting their mail should not be trusted. It disgusts me.</p>
<p>But the mails are nothing compared to the active intrusiveness of other media. Take conservative talk radio, which my grandfather listened to for years as a way to keep sound in the house and fend off loneliness. It's often on in the house at a fairly low volume, but it's ever present, and it washes over the brain. I suspect most people could never genuinely understand Rush Limbaugh's rants, but coherent argument is not the point, it's just the repetition of a claim, not even a claim, just a general impression. For years, my grandfather felt conflicted, as many of his beloved family members (liberal and conservative) worked for the federal government, but he knew, in some quite vague but very deep way, that everyone involved with the federal government was a menace to freedom. He tells me explicitly that if you hear something often enough, you start to think it must be true.</p>
<p>And then there's the TV, now on and blaring 24 hours a day, whether he's asleep or awake. He watches old John Wayne movies or NCIS marathons. Or, more accurately, he watches endless loud commercials, with some snippets of quiet movies or television shows interspersed between them. The commercials repeat endlessly throughout the day and I start to feel confused, stressed and tired within a few hours of arriving at his house. I suspect advertisers on those channels are happy with the return they receive; with no knowledge of the source, he'll tell me that he "really ought to" get or try some product or another for around the house. He can't hear me, or other guests, or family he's talking to on the phone when a commercial is on, because they're so loud.</p>
<p>Compared to those media, email is clear and unintrusive, though its utility is still lost in inundation. Email messages that start with "Fw: FWD: FW: FW FW Fw:" cover most of his inbox; if he clicks on one and scrolls down far enough he can get to the message, a joke about Obama and monkeys, or a cute picture of a kitten. He can sometimes get to the link to photos of the great-grand-children, but after clicking the link he's faced with a moving pop-up box asking him to login, covering the faces of the children. To close that box, he must identify and click on a small "x" in very light grey on a white background. He can use the Web for his bible study and knows it can be used for other purposes, but ubiquitous and intrusive prompts (advertising or otherwise) typically distract him from other tasks.</p>
<p>My grandfather grew up with no experience with media of these kinds, and had no time to develop filters or practices to avoid these intrusions. At his age, it is probably too late to learn a new mindset to throw out mail without a second thought or immediately scroll down a webpage. With a lax regulatory environment and unfamiliar with filtering, he suffers -- financially and emotionally -- from these exploitations on a daily basis. Mail, email, broadcast video, radio and telephone could provide an enormous wealth of benefits for an elderly person living alone: information, entertainment, communication, companionship, edification. But those advantages are made mostly inaccessible.</p>
<p>Younger generations suffer other intrusions of media. Online harassment is widely experienced (its severity varies, by gender among other things); your social media account probably lets you block an account that sends you a threat or other unwelcome message, but it probably doesn't provide mitigations against dogpiling, where a malicious actor encourages their followers to pursue you. Online harassment is important because of the severity and chilling impact on speech, but an analogous problem of over-access exists with other attention-grabbing prompts. What fraction of smartphone users know how to filter the notifications that buzz or ring their phone? Notifications are typically on by default rather than opt-in with permission. Smartphone users can, even without the prompt of the numerous thinkpieces on the topic, describe the negative effects on their attention and well-being.</p>
<p>The capability to filter access to ourselves must be a fundamental principle of online communication: it may be the key privacy concern of our time. Effective tools that allow us to control the information we're exposed to are necessities for freedom from harassment; they are necessities for genuine accessibility of information and free expression. May there be shared blocklists, content warnings, notification silencers, readability modes and so much more.</p>
<p>Re: a personal mission statement<br>
tag:bcc.npdoty.name,2017-12-12:post:5729227064213504 2017-12-12T02:40:26Z nick@npdoty.name http://bcc.npdoty.name/</p>
<div class="quoted"><p><a href="https://werd.io/2017/i-tried-to-write-the-first-version-of-a-personal" rel="in-reply-to">I tried to write the first version of a personal mission statement this morning before work.</a> It's hard. Feedback is a gift! <a href="https://werd.io/pages/mission">https://werd.io/pages/mission</a></p></div>
<p>Awesome. I hadn't considered a personal "mission statement" before now, even though I often consider and appreciate organizational mission statements. However, I do keep a yearly plan, including my personal goals.</p>
<p>Doty Plan 2017: <a href="https://npdoty.name/plan">https://npdoty.name/plan</a><br>
Doty Plan 2016: <a href="https://npdoty.name/plan2016.html">https://npdoty.name/plan2016.html</a></p>
<p>I like that your categories let you provide a little more text than my bare-bones list of goals/areas/actions. I especially like the descriptions of role and mission; I feel like I both understand you more and I find those inspiring. That said, it also feels like a lot! Providing a coherent set of beliefs, values and strategies seems like more than I would be comfortable committing to. Is that what you want?</p>
<p>The other difference in my practice that I have found useful is the occasional updates: what is started, what is on track and what is at risk. Would it be useful for you to check in with yourself from time to time? I suppose I picked up that habit from Microsoft's project management practices, but despite its corporate origins, it helps me see where I'm doing well and where I need to re-focus or pick a new approach.</p>
<p>Cheers,<br>
Nick</p>
<p>BCC my public blog, because I suppose these are documents that I could try to share with a wider group.</p>