@daira
Created August 7, 2012 23:08
excerpt from #leastauthorityenterprises on freenode
(18:37:09) amiller: zooko, i'd like to chat about lae sometime soon
(18:39:45) zooko: amiller: Hi! Oh, I'd love that. What mode of chat do you prefer?
(18:39:52) amiller: irc!
(18:39:54) zooko: When's the next time you're coming to visit Boulder? :-)
(18:40:00) amiller: sometime!
(18:40:02) zooko: Okay, anytime!
(18:40:05) amiller: how bout now
(18:40:06) zooko: I mean, okay anytime about IRC chat.
(18:40:09) zooko: Okay.
(18:40:38) amiller: i figured out / remembered how to use flogtool again
(18:40:45) amiller: so i can see for the first time that my daily backup completed at least once
(18:40:55) zooko: Aha! You've tried to use it!
(18:40:57) amiller: i actually have no idea how many times it's completed or not but i'm assuming not
(18:41:12) amiller: the most important thing to me are my irc chat logs
(18:41:13) zooko: I can tell you how to find out.
(18:41:39) amiller: so that's primarily what i want to safely tuck away in tahoe.
(18:41:45) zooko: Okay.
(18:41:45) amiller: eventually i would also like to be able to search through them
(18:41:52) ***zooko nods.
(18:42:13) amiller: and more immediately i'm eventually going to go broke unless i work out delta compression
(18:42:27) zooko: Really?
(18:42:37) amiller: yeah because each of my chat log files is huge and changes each day
(18:42:41) zooko: Oh.
(18:42:50) zooko: I assumed it was writing out timestamped log files.
(18:42:52) zooko: "log file rotation"
(18:43:05) amiller: maybe it does at some point
(18:43:09) zooko: That might be an easy way to improve that, if you want, by configuring it to do that.
(18:43:11) amiller: i have no idea, either way i can probably sort that out
(18:43:15) zooko: Also, the cost might not be that bad anyway.
(18:43:18) zooko: Because text is tiny.
(18:43:23) zooko: Let's put some numbers on it!
(18:43:29) zooko: Try "du -sk $LOG_FILE_DIR" for starters.
(18:43:46) amiller: yeah 300 MB right now
(18:43:49) zooko: Hm.
(18:43:51) amiller: before my great fire, it was 2 gigs
(18:43:52) zooko: That's larger than I expected.
(18:43:56) zooko: Awww. :-(
(18:43:59) amiller: i idle in about a hundred channels
(18:44:00) zooko: I'm sorry to hear about your data loss.
(18:44:13) amiller: never again!
(18:44:18) zooko: Okay, so let's figure out how many times "tahoe backup" has successfully run to completion.
(18:44:25) amiller: i have scattered my tahoe aliases to the four corners of the earth
(18:44:25) zooko: You just have to store your read cap safely and then you'll be okay.
(18:44:29) zooko: Okay. :-)
(18:44:34) amiller: i will be able to find them again, like the 7 dragon balls
(18:44:39) ***zooko laughs
(18:45:17) amiller: the other thing i wanted to say is that i've had numerous times now that i wanted to send someone a link to something on my tahoe somehow
(18:45:19) zooko: So when you run "tahoe backup" it creates a new directory every time
(18:45:26) zooko: and links to that directory from your "backup root" directory.
(18:45:30) zooko: Ah.
(18:45:32) amiller: if i had my lafs-rpg up on my laptop i'd probably be able to do that
(18:45:33) ***zooko writes this desire down.
(18:45:40) amiller: i could also probably put it on a server somewhere
(18:45:51) amiller: but if i'm just going to host it on some random server, i'd rather it be your random server
(18:45:56) zooko: That poses an interesting problem for me.
(18:45:59) zooko: I've been chewing on it.
(18:46:11) zooko: I really want to give customers what they want.
(18:46:31) zooko: And LAFS is especially good at this -- hosting/sharing -- as contrasted with other competitors that are only good for backup, or that are bad at security.
(18:46:33) zooko: But
(18:46:54) zooko: I really want to avoid LAE ever having any privileged access -- more than the public has -- to any user's data.
(18:47:04) zooko: So, I'm a bit in a dilemma.
(18:47:15) amiller: i understand that position
(18:47:28) zooko: I've been noodling on whether there is any technique which can achieve both desires.
(18:47:30) zooko: Still not sure.
(18:47:58) zooko: The closest I got was this crazy scheme where there is a public, world-readable collection of all files that have ever been shared through this mechanism.
(18:48:00) zooko: Everyone can browse it.
(18:48:19) amiller: and you can check to see if any of your caps are in it
(18:48:21) zooko: Therefore, when customers use this mechanism to share files with each other, they immediately figure out that, yes, the contents of these files really are available to everyone.
(18:48:38) zooko: The point is, I don't believe in "user education" about something like this.
(18:48:48) zooko: do you know about the experience we had with the Fuck Great Firewall people?
(18:49:05) amiller: No, but please tell me, sounds like a good story. Does it have to do with pubgrid?
(18:49:11) zooko: I don't believe in educating users about something like this by lecturing them,
(18:49:19) zooko: but I do believe in educating by *showing*.
(18:49:29) zooko: The way Firesheep changed everyone's understanding of https login
(18:49:45) zooko: and that simple hack to show the iPhone's stored GPS data on a map changed everyone's perception of the stored GPS data.
(18:50:04) zooko: The story is that Tahoe-LAFS had a publicly usable gateway
(18:50:11) zooko: for demo/playing-around purposes.
(18:50:26) zooko: And Fuck Great Firewall started using it to exchange instructions in how to bypass the Great Firewall of China.
(18:51:09) zooko: So, I posted emails and twitter messages telling them that using the public gateway for that is vulnerable to all sorts of things, including the http-not-https connection to http://pubgrid.tahoe-lafs.org, and the fact that this one guy whom I've never met who claims that he lives in Austria is the operator of that server.
(18:51:20) zooko: They never wrote back, or indicated any awareness of what I'd written.
(18:51:44) zooko: So next we asked for a Chinese translator, and Yu Xue translated a warning message for us with the same sorts of explanations, and we posted that visible on the default page of the demo gateway.
(18:51:53) zooko: And they kept doing it and never evinced any awareness of our waring.
(18:51:55) zooko: warning
(18:52:01) zooko: So we finally took down the public demo gateway.
(18:52:18) zooko: The end.
(18:52:46) zooko: so anyway, I imagined offering a service that LAE could offer as part of your subscription
(18:52:52) zooko: to run a download-only gateway for you
(18:52:58) zooko: and you could use that to distribute files to your friends.
(18:53:16) zooko: Great! But then I imagined people distributing files that way that they didn't want the public, or law enforcement, or their enemies, or someone to know.
(18:53:27) zooko: And LAE would have privileged access to those files, thus making us a target of people who wanted to see those files.
(18:53:30) zooko: Not acceptable at all.
(18:53:39) amiller: you're absolutely right
(18:53:42) zooko: So then I imagined lecturing these users about the consequences of using an LAE-hosted gateway,
(18:53:45) zooko: and them not getting it.
(18:54:03) zooko: So then I imagined simplifying it down to saying "ONLY PUBLIC STUFF GOES IN HERE!"
(18:54:39) zooko: Then I realized that the current most common way to share stuff that you don't want your enemies to see
(18:55:04) zooko: is to entrust that stuff to web services like dropbox, pastebin, github, or whatever, and rely on the fact that the service doesn't share that access with your enemies.
(18:55:40) zooko: So finally I got up to setting up a publicly visible live view, which is like a log of all files ever shared through this interface, most recent first, plus maybe some search functionality or whatever
(18:55:43) zooko: to "show not tell".
(18:55:59) zooko: Like, somehow append the link to the global view at the top of every page or something.
(18:56:02) zooko: Then I gave up. :-)
(18:56:32) zooko: What do you think?
(18:56:37) amiller: okay so two solutions i've thought of in increasing order of difficulty
(18:56:55) amiller: first is that really a fair solution is for me to just host a file temporarily off my own laptop
(18:57:07) amiller: that's what i did with lafs-rpg, and i can imagine a simple command line so i don't forget how to do that
(18:57:37) amiller: if i close my laptop they're screwed, but that's why my guest should get their own client if they want better availability
(18:57:55) amiller: typically i only want to transfer one thing and it's only in scope for a short time
(18:58:08) amiller: have you ever used pagekite
(18:58:11) amiller: or the ruby equivalent, let me look for it..
(19:00:17) zooko: Hm.
(19:00:17) amiller: well i can't find the ruby one
(19:00:17) zooko: I haven't used it.
(19:00:17) amiller: but the idea is that if you're a developer and you have some local php server you're working on and you want to show a client your progress,
(19:00:17) dwhly_ left the room (quit: Remote host closed the connection).
(19:00:17) amiller: what you can do is with one command, you open up an ssl tunnel to a new subdomain of a hosted service
(19:00:54) ***zooko nods
(19:00:57) amiller: you can still be mitm'd if you don't know how to cope with self-signed certificates so it's not flawless of course..
(19:01:37) ***zooko nods
(19:01:51) amiller: but it's roughly the right way to go and it's pretty easy. And it avoids ambient caps or w/e
(19:02:03) amiller: so i would do something like:
(19:02:16) amiller: $ tahoe webhost --readonly
(19:02:22) ***zooko nods
(19:02:25) dwhly [~dwhly@m940536d0.tmodns.net] entered the room.
(19:02:41) amiller: Ok!: Paste the following url to your friends: https://leastauthortiy.com/lsjfweoijwj
(19:02:51) amiller: Remind them to check certificate fingerprint: oi239jfo23ijiof32j
(19:02:58) amiller: This webhost will self destruct in 20 minutes.
(19:02:59) zooko: Ah, but that gives us privileged access.
(19:03:16) amiller: oh sorry
(19:03:19) amiller: uh
(19:03:21) zooko: Unless it really does say leastauthortiy.com instead of leastauthority.com. ;-)
(19:03:39) amiller: hrm how did it work
(19:03:42) zooko: I walked all around Halifax one day chatting with Amber about this.
(19:04:08) amiller: that doesn't give you privileged access if it routes the ssl traffic all the way to my laptop
(19:04:11) zooko: And one idea we had was that the customer pays us a one-time fee and we spin up some kind of cloud server or something and then hand them the keys to it and wash our hands of it.
(19:04:22) zooko: amiller: it does if it starts with our domain name!
(19:04:43) zooko: See, it is devilishly difficult to do this if we really want to be sticklers about not being able to stab our customers in the back even if we (later) want to do so.
(19:04:55) zooko: Have you heard the Bloggers Versus Zetas use case/
(19:04:56) zooko: ?
(19:05:09) amiller: hold on, explain ssl to me and why that can't be routed
(19:05:29) amiller: like i would assume it would show the incorrect certificate
(19:05:43) amiller: based on the domain name you'd expect to get LAE's certificate but actually it would go straight to mine
(19:05:55) amiller: ahh but if you actually mitm'd then it would just look like everything is going okay
(19:05:57) zooko: Um, I might misunderstand some details, but it is simply that if your friend goes to "https://leastauthority.com/kljfklhsdafkhsdf", then LAE has the ability to configure things so that
(19:06:01) zooko: Right.
(19:06:05) zooko: If the attacker here is LAE.
(19:06:11) zooko: So, let me tell you the Bloggers Vs. Zetas story.
(19:06:15) amiller: or LAE-under-duress
(19:06:16) zooko: It is kind of grim, but
(19:06:18) amiller: ok go on
(19:06:50) zooko: This Mexican community organizer blogger wants to share files with her friends about how to defend themselves against the depredations of USA-military-trained drug cartels.
(19:06:59) zooko: She hears that LAE offers the safest way to do that.
(19:07:47) zooko: But then her enemies contact LAE and say "If you turn over her private files to us within 30 days, we won't dismember all of your loved ones and dangle them from an overpass."
(19:07:59) zooko: So now LAE is dedicated to violating her confidentiality.
(19:08:17) zooko: The end.
(19:10:09) zooko: This has similar technical characteristics, but a different flavor, to "Terrorists vs. National Security Letter Senders" or "Drug Peddlers vs. DEA". :-)
(19:11:20) zooko: Or even "Chinese Democracy Activists vs. Chinese Army"
(19:11:30) amiller: i suppose all of the above are acquired tastes.
(19:12:32) amiller: it should be okay if you are able to route auth/encrypted traffic to my laptop as long as you're sure you can't see it or mitm it
(19:12:40) amiller: but i suppose there's no sane way to do that with normal https urls
(19:12:47) zooko: I think that's true.
(19:13:25) amiller: okay so next best thing
(19:13:31) amiller: suppose i find my own way of tunneling
(19:13:51) zooko: Ok.
(19:13:55) amiller: i would like to give someone a cap, they use it by going through my laptop, but they're able to then request shares from LAE
(19:14:02) amiller: so i'm not really burdened with the storage
(19:14:08) amiller: er the transport
(19:14:19) amiller: but i'm still in the loop
(19:15:11) zooko: Sounds like they would have to run Tahoe-LAFS gateway themselves for that.
(19:15:15) zooko: Which would work perfectly for this!
(19:15:42) zooko: Maybe we should be investing in a way that you send them a message and when they click the link in it then it installs and launches a LAFS gateway. :-)
(19:15:59) amiller: hmm
(19:16:25) amiller: you're right it means they would have to assemble the shares on their end, so they must have tahoe-protocol awareness
(19:16:26) amiller: yeah
(19:16:37) zooko: So we implement LAFS in Javascript.
(19:16:47) zooko: And their web browser offers some way to be sure they're running the right implementation.
(19:16:48) zooko: :-)
(19:17:44) amiller: if i give them a link, they should be able to get exactly the version of JS-LAFS that i recommend
(19:17:53) zooko: Yeah, that would be awesome.
(19:18:11) zooko: You give them a link, and then they click it it tells their web browser to install an add-on, but only if that add-on hashes to the link you gave them.
(19:18:16) zooko: Something like that.
(19:18:37) zooko: In the nearer term,...
(19:18:37) zooko: Hm.
(19:18:56) zooko: There could be a public readonly gateway that you could use, as long as LAE doesn't have privileged control over it.
(19:19:24) zooko: You could run one on EC2, but it would cost too much, like $10/month.
(19:20:07) zooko: We should have had this conversation on #tahoe-lafs. :-)
(19:20:41) amiller: it turns out i have had lots of successful daily backups!
(19:20:48) amiller: since february
(19:21:18) zooko: Great!
(19:21:26) zooko: I wonder how much aggregate space it takes.
(19:21:27) amiller: i'd expect to be using several gigs of storage by now.
(19:21:34) zooko: You could:
(19:21:34) amiller: i might be hugely overestimating my chatlog churn
(19:21:50) zooko: 1. check your most recent bill from AWS
(19:21:51) amiller: for a while i was idling on a channel that relayed all the data from the bitcoin network
(19:22:01) zooko: 2. mount it with FUSE and run "du -sk" on it
(19:22:07) zooko: 3. run a "deep check" operation
(19:22:15) ***zooko tries that last one to see if it reports aggregate data size
(19:23:24) amiller: my last bill was under a dollar so i assume i'm not using a whole lot
(19:24:19) amiller: that flogtool thing is very useful, it should definitely be promoted to a command "tahoe watch" or something
(19:24:26) zooko: Hm, which thing?
(19:24:28) zooko: flogtool tail?
(19:24:47) amiller: i don't remember
(19:25:09) amiller: yeah flogtool tail logport.furl
(19:25:38) ***zooko writes this down
(19:26:02) dwhly left the room (quit: Remote host closed the connection).
(19:26:46) amiller: (i don't know why i didn't ls laebackup:Archives in the last several months because i would have clearly seen that the backups were working fine)
(19:26:52) dwhly [~dwhly@69.111.59.168] entered the room.
(19:27:02) davidsarah: (18:49:29) zooko: The way Firesheep changed everyone's understanding of https login
(19:27:12) amiller: i can gradually symlink in a few more things, i'm not including any of my adium logs for example
(19:27:14) ***davidsarah knew https login was required before Firesheep :-)
(19:27:18) davidsarah: so not everyone
(19:27:32) zooko: davidsarah: I meant to exclude you from "everyone". :-)
(19:27:34) davidsarah: (I'm sure lots of other people knew it was required)
(19:27:45) zooko: I meant to exclude everyone who knew that from "everyone".
(19:27:56) zooko: Maybe I should be more precise with my universal quantifications.
(19:28:34) amiller: oh yeah so my entire personal use case relies on my backup-symlinks patch
(19:28:43) amiller: so i should probably put that up as an actual ticket
(19:28:56) zooko: Hm.
(19:29:00) zooko: I think there may already be a ticket.
(19:29:51) amiller: my lab at school just installed a new server for hosting our code repositories, so i'm still planning on setting that up with a tahoe grid as well, although it's pretty clear at this point that no one is actually going to use it anyway
(19:30:24) zooko: #641
(19:30:32) zooko: Heh.
(19:30:36) zooko: Because they put all their code on github?
(19:31:05) amiller: no because we don't use any of our code
(19:31:25) davidsarah: (18:57:37) amiller: if i close my laptop they're screwed, but that's why my guest should get their own client if they want better availability
(19:31:25) davidsarah: guest downloaders getting their own client doesn't solve the sharing problem adequately, because it's too much work to share sufficient info to get their client working (at least introducer furl as well as the URI you wanted to share)
(19:32:51) amiller: i should be able to produce a short file on my end that has everything they'd need to talk to the lae nodes
(19:33:13) amiller: including a hash of the source code to the whole client
(19:35:07) davidsarah: (19:24:19) amiller: that flogtool thing is very useful, it should definitely be promoted to a command "tahoe watch" or something
(19:35:07) davidsarah: (19:24:26) zooko: Hm, which thing?
(19:35:07) davidsarah: (19:24:28) zooko: flogtool tail?
(19:35:21) davidsarah: there is a patch to add 'tahoe debug flogtool'
(19:35:24) ***davidsarah finds the ticket
(19:35:42) zooko: I need to have a 20 minute nap to prepare for standup followed by Sprint Retrospective.
(19:35:53) davidsarah: #1693
(19:36:02) zooko: amiller: it was good chatting with you!
(19:36:07) amiller: likewise! cheers
(19:36:26) zooko: amiller: I'd like to hear more about how things are working -- is it that you are using very little aggregate storage because your logs are actually being rotated and hence deduplicated...
(19:36:29) zooko: Bye for now!
(19:37:21) davidsarah: ah, it is already in trunk, so will be in 1.10: https://tahoe-lafs.org/trac/tahoe-lafs/changeset/379901bf8f2b4c177dc96e8728e2de30434ab706/git
(19:37:50) Phoul [~Phoul@sourcemage/guru/Phoul] entered the room.
(19:39:59) amiller: davidsarah, cool, i'll look forward to that
(19:40:28) amiller: my memory is such that i can't really remember anything past typing "tahoe" and working out what i can from there