• There’s something special about old school communication

    I sent birthday wishes to a friend from high school over email today. I wasn’t sure if she would still have access to the address, or respond, but to my surprise, I received a response within an hour! We caught up on each other’s life updates over the next several exchanges. I remember our chats on instant messengers a few years ago usually being short, but in today’s email exchange I noticed we spoke at length, and I sensed happiness at her end as well; it’s similar to the feeling of receiving a hand-written letter.

    In today’s world, instant messengers have made it incredibly easy to stay in constant touch. With this advance in technology also comes a loss of the human, personal touch that hand-written letters convey. Email is modern technology too, but compared with the chat apps we have at our disposal today, it still feels a bit more personal. It’s also fair to say that email inboxes have become a junkyard of subscription, marketing and transactional emails. So, receiving an email from someone you haven’t spoken with in a long time is a wonderful experience.

    I fondly remember when my cousin, six years old at the time, sent me a letter all the way from Japan! She had written a full-page message, made some art and packaged it neatly in an envelope for her dad to ship.

    I haven’t written a physical letter in many years. I can’t wait to write one very soon.

  • Free, private pi-hole hosting with Fly.io and Tailscale

    Hosting a network-wide pi-hole for ad-blocking is easy. It comes with a one-step installation guide that you can run in most environments. I run two pi-holes at my house, but the problem with my setup is that if my internet drops, both pi-holes stop working too. Ideally, I’d have a pi-hole outside my house, somewhere whose connectivity doesn’t go down at the same time as my provider’s.

    That’s where a cloud-hosted pi-hole proves helpful.

    I learned about Fly.io recently. It’s an app hosting platform that makes it incredibly easy to deploy apps to multiple regions and scale as needed. Their free tier offers a generous 2,340 hours per month of uptime, which translates to about three shared-cpu-1x VMs with 256MB RAM running full time. My pi-hole consistently uses about 200MB RAM, so I could host up to three apps, each with a pi-hole on it. But I run only one there, since I already have two at my house.

    A screenshot from Fly.io's pricing page that shows their free tier metrics.
    Fly.io free tier

    Setting up the pi-hole

    This Fly blog post already documents how to run a pi-hole in a few steps, but there is a problem with that setup: the pi-hole is queryable by anyone on the internet. We don’t want that. An open resolver lets strangers route their DNS traffic through your instance (and into your Pi-hole query log), and it is a ready-made reflector for DNS amplification attacks. We’ll need to lock it down behind a secure tunnel that only you can reach.

    Locking down pi-hole access with Tailscale

    If you follow my blog, you’ll know by now that I am a Tailscale fan. It’s easy, useful mesh VPN software that you can add to most devices you own. For the pi-hole on Fly.io setup, I followed the same guide Fly documented, but in the Dockerfile configuration I replaced eth0 with tailscale0 so that my pi-hole listens for queries only on the Tailscale interface. With that image deployed, I SSH’d into the Fly instance and installed Tailscale using the Debian installation guide here: Install Tailscale on Linux. Note that a change made over SSH like this lives only in that VM: Fly rebuilds the instance from the image on the next deploy, so for a durable setup the Tailscale install belongs in the Dockerfile.

    I further locked down DNS access on this Fly instance to my own Tailscale nodes, as I don’t want anyone else on my tailnet (I share it with friends and family) querying the Fly node. A Tailscale ACL like the one below does the job:

    { "Action": "accept", "Users": ["group:not-arun-family"], "Ports": ["fly:53"] },
    
  • Stories are coming to Signal

    I learned that stories are coming to Signal from a commit message shared on the Signal community forums earlier today. Stories is one of the most requested features, and one I personally like too.

    A screenshot of a commit message from GitHub that indicates stories may be coming to Signal soon.

    Many of my friends are reluctant to move to Signal because it lacks engagement features like stories, bots and multiplayer games. The latter two feel a bit far-fetched, yeah. It is easy for messengers like Telegram to implement them because Telegram isn’t end-to-end encrypted by default. Anyway, these are exciting times and I am keen to see where Signal heads. They promised usernames in 2021 too, fingers crossed.

  • Poor confirmation UI after email address change on Amazon

    Amazon India has a poor flow for confirming an email address change. A sensible flow would prompt you to verify the new email address, either through a unique URL that needs to be visited once or by entering a one-time password (OTP) sent to the new address. Amazon does the latter, but then also requires you to enter the account password before the change is saved.

    In the image below, we can see a message in green that reads “Your current email address has been verified”. That suggests the new email address has been saved to the account. But that’s not the case just yet.

    Only after entering the password and clicking Save changes are the changes actually saved. I don’t understand the need to check for authentication one more time. I am able to initiate this flow only because I am logged in!

    If I remember well, this is the second time this has tripped me up. The last incident was well over a year ago.

    I wonder if it’s just Amazon India that does this or if Amazon in general behaves so.

    I contacted their customer support team by chat as well, and they were clueless at best. They insisted on arranging a call back from the team that handles account questions. I am just glad I managed to figure it out before we took that route.

  • Private Among Us games on the Tailscale network

    Among Us games are normally hosted on the public servers. Rooms can be private or public, but games hosted on the public servers sometimes disconnect: the servers are so popular that they can’t handle surges in active sessions. A solution is to host the games yourself on a private network.

    That’s where Impostor and Tailscale come in.

    Tailscale is mesh VPN software that makes it incredibly easy to connect all of your devices and the services running on them. Impostor is an open source re-implementation of the Among Us server that can be self-hosted on any device. In my case, I am hosting Impostor on my Raspberry Pi, which is linked to my Tailscale tailnet, so every device on the tailnet can reach Impostor too.

    Setting up Private Among Us Games

    The first step is to install Tailscale on all of your devices and sign them in with the same Google, GitHub, or other supported identity provider account. This ensures all of the devices are in the same tailnet. Use the same Tailscale account for the Tailscale installation on the Raspberry Pi too.

    Install Impostor on the Raspberry Pi. The process involves installing the .NET runtime (in my case, I installed the full SDK), installing the server build, modifying the configuration file to set the Raspberry Pi’s Tailscale node address as the public server address, and running the server itself. To elaborate a bit,

    Other devices can join this custom Among Us server by following the instructions on this page.

    Finally, anyone can create a game and mark it Public, and the other devices can join that room; “public” here means visible to players connected to this Impostor server, which only tailnet devices can reach. Make sure that the “World” in your “Online” mode is set to “Impostor”, not “Asia”, “Europe” or “Americas”.

    Other notes

    It’s okay to disclose the Raspberry Pi’s Tailscale node address publicly, as it’s of no use to anyone else. It can be reached only from a device connected to my tailnet, which requires authenticating with my GitHub account. I have also locked down that node’s port 22023 so that only certain devices can reach it, using Tailscale access control rules. The same ACLs make sure those devices can reach only this port on my Pi; they can’t get to the services I run on other ports.

    Right now, it’s just my family that can access this port on my Raspberry Pi (called mewtwo):

    { "Action": "accept", "Users": ["group:arun-family"], "Ports": ["mewtwo:22023"] }
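    Tailscale has since moved its policy file to a src/dst rule syntax, so here is the same lock-down written out in that form as a full policy: the rule above for the game port on mewtwo, plus the port 53 rule from the pi-hole post, with Tailscale’s permissive default rule shown commented out for contrast. This is an added illustration, not the author’s actual policy; the logins, host names and 100.x addresses are placeholders to replace with your own.

```json
{
  // Placeholders: fill in your tailnet's logins and the hosts' Tailscale IPs.
  "groups": {
    "group:arun-family":     ["family-member-1@example.com", "family-member-2@example.com"],
    "group:not-arun-family": ["arun@example.com"]
  },
  "hosts": {
    "fly":    "100.64.0.10",   // Pi-hole on Fly.io
    "mewtwo": "100.64.0.20"    // Raspberry Pi running Impostor
  },
  "acls": [
    // Weak setting (Tailscale's default policy): every node reaches every port
    // on every other node, so anyone on a shared tailnet could query the
    // Pi-hole or poke at other services on the Pi. Do not keep this alongside
    // the narrow rules below.
    // { "action": "accept", "src": ["*"], "dst": ["*:*"] },

    // DNS on the Fly node only, and only for the author's own devices.
    { "action": "accept", "src": ["group:not-arun-family"], "dst": ["fly:53"] },

    // The Impostor game port on the Pi only, and only for family devices.
    { "action": "accept", "src": ["group:arun-family"],     "dst": ["mewtwo:22023"] }
  ]
}
```

    Tailscale ACLs are default deny, so with only these two rules nothing else on the tailnet can talk to anything. Add the rules your other devices need (an admin device reaching mewtwo over SSH, for instance) as further narrow entries, and avoid any *:* rule that covers these hosts, since that would reopen every other port on them.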

    With this setup, anyone from any part of the world can join your custom Among Us games without depending on the official Among Us servers. I also learned that switching from WiFi to mobile data doesn’t disconnect the game. I imagine that’s possible due to Tailscale’s graceful handling of network changes.

  • dnsmasq: Custom DNS resolvers for specific domains

    Learned a neat thing today — it’s possible to set custom DNS resolvers for specific domains. I can create a custom config file for dnsmasq and specify the DNS resolvers to use for those domains. I don’t have a need for it today, but it may be handy in cases like archive.is not loading over Cloudflare DNS.

    These requests still go through pihole, so ad-blocking still applies; it’s just the upstream that changes. My test below confirms this: I have set dnsleaktest.com to be resolved via Google DNS, but the queries still pass through pihole.

    /etc/dnsmasq.d/02-test.conf
    
    server=/dnsleaktest.com/8.8.8.8 
    server=/dnsleaktest.com/8.8.4.4
    A screenshot from my pihole dashboard that shows requests to dnsleaktest.com made using Google DNS, but requests still pass through the pihole.
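    To make the matching rules explicit, here is a small Python model of how dnsmasq (and pihole-FTL, which is built on it) picks the upstream for a name under server=/domain/addr: the entry covers the domain and everything beneath it, the most specific matching domain wins, and server=/domain/# sends a subtree back to the default upstreams. This is an added example, not part of the post or of Pi-hole; the config it parses is constructed, and the Unbound address and the example.test entries are assumptions.

```python
"""Model of dnsmasq's per-domain upstream selection (added example, not the post's code).

`server=/domain/addr` forwards queries for `domain` and every name beneath it
to `addr`; when several entries match, the longest (most specific) domain wins;
`server=/domain/#` sends a subtree back to the default upstreams; plain
`server=addr` lines are those defaults.
"""
from collections import defaultdict

# Constructed config in the style of /etc/dnsmasq.d/*.conf. The Unbound address
# and the example.test entries are assumptions for the demonstration.
SAMPLE_CONF = """
# 01-pihole.conf: Pi-hole's default upstream, here a local Unbound on port 5335
server=127.0.0.1#5335
# 02-test.conf: the post's override, sent to Google Public DNS instead
server=/dnsleaktest.com/8.8.8.8
server=/dnsleaktest.com/8.8.4.4
# a subdomain entry beats its parent
server=/example.test/10.0.0.2
server=/api.example.test/10.0.0.53
# '#' hands a subtree back to the default upstreams
server=/corp.example.test/#
"""


def parse_dnsmasq(text):
    """Return (default_upstreams, {domain: [upstreams]}) from dnsmasq config text."""
    defaults, by_domain = [], defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("server="):  # skips blanks and '#' comment lines
            continue
        value = line[len("server="):]
        if value.startswith("/"):
            # server=/dom1/dom2/addr -- several domains may share one upstream
            parts = value.split("/")
            addr, domains = parts[-1], parts[1:-1]
            for dom in domains:
                by_domain[dom.lower().rstrip(".")].append(addr)
        else:
            defaults.append(value)
    return defaults, dict(by_domain)


def upstreams_for(name, defaults, by_domain):
    """Pick the upstreams for a query name: the most specific matching domain wins."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):  # try the full name first, then shorter suffixes
        suffix = ".".join(labels[i:])
        if suffix in by_domain:
            chosen = by_domain[suffix]
            return defaults if chosen == ["#"] else chosen
    return defaults


DEFAULTS, BY_DOMAIN = parse_dnsmasq(SAMPLE_CONF)


def route(name):
    """Upstreams the sample config would use for `name`."""
    return upstreams_for(name, DEFAULTS, BY_DOMAIN)


if __name__ == "__main__":
    for q in ("dnsleaktest.com", "www.dnsleaktest.com", "dnsleaktest.com.evil.test",
              "shop.example.test", "api.example.test", "pc.corp.example.test", "example.org"):
        print(f"{q:30} -> {', '.join(route(q))}")
```

    Because pihole-FTL is dnsmasq with blocking and logging added on top, the blocklist check and the query log entry happen before this forwarding choice, which is why the dashboard above still shows the dnsleaktest.com queries. Note that a look-alike such as dnsleaktest.com.evil.test does not match the entry: matching is on whole label suffixes, not substrings.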

    I use two Raspberry Pi devices at home, both running pihole with Unbound as a recursive DNS resolver. These devices are connected to my Tailscale network, so all of my devices (and my friends) can enjoy Unbound and pihole’s ad-blocking capabilities.

  • Google Drive backup for WhatsApp

    A lot of folks don’t realize that the Google Drive backup for WhatsApp is not end-to-end encrypted the way messages and files within WhatsApp are. When that backup to Google’s cloud happens, the messages and files leave WhatsApp’s end-to-end encryption: the backup is encrypted with a key that WhatsApp, not you, holds and can reissue to a newly registered phone, so it is readable by parties other than the two ends of the conversation.

    The same problem exists in Telegram, whose regular chats are stored on its servers. The only exceptions in Telegram are messages and files sent within its “secret chats” feature, which is end-to-end encrypted. When folks move from WhatsApp to Telegram, it’s important that they understand this is a step down.

    WhatsApp without Google cloud backup is a good option, and even better when WhatsApp’s new end-to-end encrypted backups feature is fully available. If I remember well, it’s available only on iOS at the moment but for some reason that support document doesn’t mention that. Or, is it available for everyone already?

    The best option, without doubt, is Signal: it is end-to-end encrypted by default and its backups are encrypted too. One problem with Signal is that it doesn’t offer cloud backups, so backups are stored locally on the device.

  • Lucky last shot

    A screenshot from a VALORANT Replication gameplay that shows Raze clutch the game with a last shot of Jett.

    I got very lucky with this last shot. In a VALORANT Replication game, both teams were at the 4-4 mark. The Spike was nearby but I didn’t have enough time to plant. I decided to go for the last kill, but I play the Judge all the time, which meant a Jett that far away was a tough kill.

    The Jett opposite me had an Operator too, I think, but luck favored me and I could reach her. Got the shot in the last 3 seconds. Phew!

    A screenshot from a VALORANT Replication gameplay that shows Raze as the game MVP.
    A screenshot from a VALORANT Replication gameplay that shows the last round stats from the game.

  • jq magic to create contacts for SimpleLogin aliases

    One thing I found lacking in the SimpleLogin API is that it doesn’t expose an endpoint to create a contact from the alias’s email address. Rather, the POST /api/aliases/:alias_id/contacts endpoint requires the alias ID. So I ended up downloading all my aliases in batches (each query returns up to 20 results) and saving them as JSON files in a folder.

    With them in a folder, I could use jq to search all of these JSON files for an alias email address, get its ID and use that to create a new contact. All of this works like a charm now, and my entire process is independent of the dashboard: create a new alias, get its ID, create a contact, copy the reverse contact address, paste it into my email client.

    The first part for getting the alias ID involves this command:

    cat ~/Documents/SimpleLoginFiles/* | jq '.aliases[] | select(.email=="aliasAddress")' | jq '.id' | tr -d '\n' | pbcopy

    It was a pleasant surprise when I learned that I could pipe in all files in a folder to jq, instead of having to implement some sort of a loop logic. I don’t know if it’s bash’s magic or something that jq handles elegantly.

    The second part for creating the contact involves this command:

    curl --location --request POST 'https://app.simplelogin.io/api/aliases/aliasID/contacts' --header 'Authentication: token' --header 'Content-Type: application/json' --data-raw '{"contact": "contactAddress"}' | jq '.reverse_alias' | tr -d "\\"" | pbcopy

    If you are wondering what the tr -d "\\"" part is, it’s to remove the unwanted escape characters that appear as part of the SimpleLogin API output. I imagine it’s possible to remove that using jq, but for now, the current workaround is sufficient.
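    Why piping every file into one jq works: jq does not expect a single document but a stream of JSON values, so the concatenated batch files are simply processed one after another. The Python below, an added example rather than the post’s own tooling, walks such a stream the same way, looks up an alias ID by email, and assembles the contact request. The batch and response shapes follow the post; the alias values, the sample response and the SIMPLELOGIN_API_KEY variable name are constructed for the demonstration.

```python
"""Alias lookup over a stream of JSON batch files (added example, not the post's code).

`cat folder/* | jq ...` works because jq reads a *stream* of JSON values: each
saved batch is one value, and `.aliases[]` runs against each in turn. Python's
json.loads rejects such a stream, so this walks it with JSONDecoder.raw_decode.
"""
import json
import os

# Two constructed batch files, concatenated the way `cat folder/*` emits them.
# Shape follows the post ({"aliases": [{"id", "email", ...}]}); values are made up.
BATCH_1 = json.dumps({"aliases": [
    {"id": 101, "email": "shop.k3j2@simplelogin.example", "enabled": True},
    {"id": 102, "email": "news.9x1q@simplelogin.example", "enabled": True},
]})
BATCH_2 = json.dumps({"aliases": [
    {"id": 203, "email": "bank.p0lw@simplelogin.example", "enabled": False},
]})
ALIAS_STREAM = BATCH_1 + "\n" + BATCH_2 + "\n"

# Constructed response for POST /api/aliases/:id/contacts. The reverse alias
# carries a quoted display name, which is why `jq '.reverse_alias'` (without -r)
# prints it JSON-encoded with backslash escapes, the characters the post's tr strips.
SAMPLE_RESPONSE = '{"reverse_alias": "\\"support at bank.example\\" <ra+p0lw@simplelogin.example>"}'


def iter_json_stream(text):
    """Yield each top-level JSON value from concatenated documents, like jq does."""
    decoder = json.JSONDecoder()
    pos, end = 0, len(text)
    while True:
        while pos < end and text[pos].isspace():
            pos += 1
        if pos >= end:
            return
        value, pos = decoder.raw_decode(text, pos)
        yield value


def find_alias_id(stream_text, alias_email):
    """jq: .aliases[] | select(.email=="<alias_email>") | .id  -- None if absent."""
    wanted = alias_email.strip().lower()
    for doc in iter_json_stream(stream_text):
        for alias in doc.get("aliases", []):
            if alias.get("email", "").lower() == wanted:
                return alias["id"]
    return None


def contact_request(alias_id, contact_email, api_key=None):
    """Describe the POST /api/aliases/:alias_id/contacts call without sending it.

    The key comes from the environment (SIMPLELOGIN_API_KEY is an assumed name)
    rather than the command line, so it does not end up in shell history.
    """
    api_key = api_key or os.environ.get("SIMPLELOGIN_API_KEY", "")
    if not api_key:
        raise ValueError("no API key: set SIMPLELOGIN_API_KEY")
    return {
        "method": "POST",
        "url": f"https://app.simplelogin.io/api/aliases/{alias_id}/contacts",
        "headers": {"Authentication": api_key, "Content-Type": "application/json"},
        "body": json.dumps({"contact": contact_email}),
    }


def reverse_alias_from(response_text):
    """Equivalent of jq -r '.reverse_alias': raw output, so nothing to strip."""
    return json.loads(response_text)["reverse_alias"]


if __name__ == "__main__":
    alias_id = find_alias_id(ALIAS_STREAM, "bank.p0lw@simplelogin.example")
    req = contact_request(alias_id, "support@bank.example", api_key="demo-key")
    print(req["method"], req["url"])
    print(reverse_alias_from(SAMPLE_RESPONSE))
```

    Reading the key from the environment keeps it out of shell history, where the --header 'Authentication: token' form above leaves it. The sample response also shows what the tr step strips: jq without -r prints the reverse alias JSON-encoded, with a backslash before each embedded quote, while jq -r prints it raw.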

    The contact’s reverse address is finally in my clipboard, which I can paste on Apple Mail:

    A screenshot of my Apple Mail on Mac, that shows an email address pasted to the "To" field of the composer.
    Reverse alias on the “To” field of the composer

    SimpleLogin recently announced an update to their Firefox extension too, to create reverse aliases (contact reverse address) on the go, but I like this API-based process better. The extension takes a while to populate all aliases.

  • Storing 2FA codes on my 1Password

    I definitely agree with what James writes here:

    Storing them in your password manager is probably as safe, or even safer, than using your phone

    Many people, like Google or the government, text a code to your mobile phone when logging in. That might be visible on my mobile phone’s lockscreen, or my SIM card could be cloned and used elsewhere. It’s much better than having nothing at all, of course: but it’s not quite as secure.

    If you’re storing your 2FA code using Google Authenticator or Authy on your phone, and your password is saved on your phone, then you’ve no two-factor authentication anyway. Both are being stored on the same device, just like your password manager would.

    Lose your phone with Google Authenticator installed, and you lose your codes. If you change phones, you can manually transfer those codes these days, assuming that you still have access to your old phone, but it’s a monumental hassle to switch otherwise.

    Most people feel that storing 2FA codes in a password manager puts all your eggs in one basket, but password managers these days are locked down well and support two-step authentication themselves. In my case, 1Password goes one step further by offering a unique Secret Key.

    My 1Password’s 2FA code is stored on Authy today, but I guess it’s time to replace that with a physical key.


Hey there! I am a Happiness Engineer at Automattic, working on WordPress.com support. If you enjoy discussing online privacy, encryption, and fediverse like I do, you can reach me by commenting on my posts, or by email.