Hi there!

I'm alberthrocks, a [something something related to admin/mod stuffs, don't know because I'm a weird member]. I'm a very boring member - don't post much (if at all), but I do provide servers and support on occasion. I'm probably best known for running withgusto, a community hosting server that provides hosting (duh), along with a nice shell environment, an awesome** development envrionment, IRC bot hosting, and ZNC IRC bouncers. A lot of people use my services, and (I think) they enjoy them! Despite that, they also know I'm probably one of the more lazier server admins out there, having promised a migration a year ago and never delivered...

That said though, I do listen to everyone's feedback, and when I do get a chance, I make an effort to further withgusto's progress. Often, though, I'm really busy - in fact, I've been gone the past week or so thanks to school midterms. (And coming back now, I was kinda surprised - this little topic popped up!)

Why mention withgusto? Simply said - my situation is somewhat like the other admins. I'm not an admin of Omnimaga by any means - yeah, I do have moderation privs, and yeah, I help out from time to time, but I don't participate per-say in these "admin discussions". However, I know the admins pretty well, and had some experience firsthand.

Simply said - people are busy! Eeems has a paid job (full-time, no less), geekboy as well, while others either are in college or working. (Deep Thought, in fact, is in a pretty intense college right now and is working very hard!) So things can get busy from time to time, and it can look like the admins are a bunch of lazy bums (like me!) who are doing nothing. Not true - just busy, that's all.

The next thing you'll say: why not hire new admins? Sure, we can - but it ALSO takes time to vet potential new hires. You wouldn't want a random internet stranger to become a new admin, right? We understand that we need new fresh blood to replace the oldies - and believe me, the admins know this better than anyone else. We just don't have a lot of time to do it, but we try to make things work when we get a chance.

Remember the topic about shifting roles and all that? That was created because the admins had a short burst of time to make things work. But as always, Murphy's Law comes into effect, and it takes a LOT longer... making it stall, as you can see now. (I'm probably still CoT, which probably should be given to somebody that is actually working on a project!)

So don't assume we're not listening - we ARE! But we just don't have time, and we wish we did. It's a never-ending vicious cycle, but we love the community, and we want to make sure that things go right. I agree that we probably need one admin to be the publicity guy so it doesn't look like we're shady folks with cigars...

One other thing - THAT admin who is pretty harsh. I'm gonna name him - it's Eeems! He can sometimes be a bit brash...

*runs*

No joke, he does make some brash comments sometimes. But you're seeing his bad side. His best is not when you see him at his worst! (Using that in a movie start's at $0.50 per box-office dollar made!) But in all seriousness, yeah he can be a bit brash, and I'm saying that as his friend. We've all had our bad moments, and in no way am I condoning his behavior. I've even seen it firsthand myself - and yeah Eeems, you could make it sound a bit better. As people have said, if you think he's being a bit brash, message us admins here and we'll talk to him about it. Yes, it's awkward, but everyone - Eeems, the admins, and the community as a whole - appreciates it. We can all work to better each other and ourselves - admins included.

Finally (finally!), I agree that Eeems (et. al.) should have a bigger say. It's a dictatorship that accepts community feedback - and it's perfectly fine with me. Eeems does pay upwards of $100/mo - and out of his own wallet, too! Sure, we could move the forum to a free forum host... but believe me, you and I know that it would sorta not work out well...

But again, we're not here to rule with iron fists. Yeah, we have the final say, but we all have ears too, and we're working based on your feedback. Pretty much all communities are like this - community driven, with a few upper guys to make the final decisions. It just sounds terrifying when the word "dictatorship" is used - and yeah, let's not use that word again. (BAD ADMINS! STOP USING IT!) Instead, let's go back to the original word, the word that we're all aiming for - community.

So yeah, don't feel too upset. We're actually pretty receptive, and the way our community works as a whole (not just the admin side) is pretty unique. Even if I started a new community (withgusto Forums! WOAH!!!), or anyone else, it wouldn't feel the same as the others. (And if you went to a certain other English calculator community out there, it would certainly be very different!) And honestly, I'm glad - that's why many of us here can call this place home.

tl;dr We're trying, be patient!

P.S. - withgusto migration delayed.    Gotta run, bye!

** IMO it's awesome! Not sure what the others think, though... especially with the above P.S.

EDIT: P.S.S.: Eeems told me to put this link in: http://ourl.ca/finances

We're getting ready to migrate! We are finalizing the server details, as well as tooling.

This is your FINAL chance to declare activity. The form will close this Friday, November 7th, 2014 at 11:59 PM EST.

The following people have filled out the "I'm Alive!" form: (withg usernames)
pimathbrainiac
juju
Ben_g
PentiumII
Eeems
Caleb
geekboy

That said, the remaining users WILL BE ARCHIVED:

(Some names are censored because they may be IRL names...)

If your name is listed above, and you do not fill out the form by this Friday, your account will NOT be available on the new server and will have to be manually unarchived.
(If you've already filled out the form, and you're in the list, either I made a mistake or haven't updated it yet. No worries, you're safe!)

I know this sounds evil, but if you notice, there are a LOT of inactive users on withgusto. We're cleaning up these inactive users to make the server faster and better! Declaring that you are active helps us with this process.

So again, if you haven't already, PLEASE FILL THIS OUT:
https://docs.google.com/forms/d/1Cw1VSGm7Vq-SQKcryLwA1rs63pwGrXYaL4ckRTvGIOk/viewform

Again, this form will close this Friday, November 7th, 2014 at 11:59 PM EST.

Quote from: Eeems on October 27, 2014, 12:14:42 pm

Quote from: rcfreak0 on October 27, 2014, 12:51:47 am

So I need to be active to be staff?

...Crap.

Support staff, no. Just let us know you are alive and sometimes be around to, you know, support.

I'm around!

Me too!

Migration Update - 10/17/2014

Importance: URGENT
Author: albert
Date: Fri, October 17th, 2014 at 9:36:06 AM PDT
Blog post: http://withg.org/blog/index.php?post=1413563766

Migration Update - MANDATORY FORMS
==================================

Almost there!
-------------
We're almost done with tooling for the migration, so migration is
imminent!

(HW peeps might've heard about tooling before! In this context,
tooling is designing tools to help manage the migration - no worries,
this is NOT like last time - these are very specific tools designed to
do very specific things for the migration process.)

MANDATORY FORM
--------------
That said, you MUST fill out the "I'm alive" form ASAP, if you haven't
already!

http://bit.ly/withgalive

NOT filling this out can lead your account to be "archived". The
unarchival process does exist, but it will be a hassle, since you will
be considered inactive in our system.

(Essentially, you're filling out a form like the sign-up form to get
your account back. Your data is still there, but your account just
doesn't exist.)

We're not trying to be evil - there's a LOT of users on this server
that we would consider significantly inactive! Freeing up resources
allows us to make the migration smoother, and for the resulting server
to be much faster and lighter!

So please - help us help YOU - fill it out!

http://bit.ly/withgalive

RSS/Pushbullet Support!
-----------------------
Random aside - our blog now supports RSS and Pushbullet Channels!
(Thanks to Sorunome for adding the support!)

RSS: http://withg.org/blog/?rss
Pushbullet Channel: https://www.pushbullet.com/channel?tag=withgusto

Subscribe to receive updates on your RSS reader or mobile device
(via Pushbullet)!

---

Also there's an RSS feed now.

(Yes, thank you Sorunome! )

SSL Certificate Update - 10/12/2014

Importance: IMPORTANT
Author: albert
Date: Sun, October 12th, 2014 at 11:13:51 PM PDT
Blog post: http://withg.org/blog/index.php?post=1413180831

SSL Certificate Update
=======================

We noticed that the SSL certificate was expiring soon. Rather than let
it expire (and wreak havoc on everybody using this server!), we renewed
it again for another year, and installed the renewed certificate!

ZNC and HTTPS should now use the new certificate. The new expiration
date should be in October 27, 2015. Please check to make sure that this
is indeed the case!

If you have any issues after the SSL update, please let us know!

But is it 100% guaranteed that all countries in the world will not try to force their way in to get the info without CloudFlare's permission? I know that CloudFlare will be transparent about it but the possibility that a government agency goes that far (eg China or North Korea, for example) is probably what compu is concerned about. Not that I have anything to hide, personally, although I am not too comfortable about the idea of my Paypal login/password falling into the hands of random strangers since we never know what people might be up to.

Most of the time, you'll survive as long as you don't accept invalid certificates! However, if an agency were to be able to request a falsified certificate, then it's game over... but that applies for every secured website out there.

I quite like cloudflare's policies. They will only release information if required by law, and even then they will only release the limited scope of the information without any of the keys that would make all of it accessible. They will also release transparency reports about requests by government agencies and if possible inform users on what of their information was requested by government agencies.

If you followed the news over the last year, you would know that these policies are worth nothing if the US government can just send them a National Security Letter or force their way in.

So.... I read up a few more things and have a better grasp of the situation now.

Let's start off by stating a few facts:

• Cloudflare is using a MITM (a "trusted" one) to secure websites. That means they do encrypt and decrypt using their certificate, and then send the traffic over to origin server by re-encrypting it with origin server's keys.
• Cloudflare does it interestingly by using one node and signing their own certificates for all domains that use that node. So they sign for cloudflare.com, *.cloudflare.com, and then client domains, like bla1.com, coolwebsite.com, etc.

That said, let's clarify...

They will only release information if required by law, and even then they will only release the limited scope of the information without any of the keys that would make all of it accessible. They will also release transparency reports about requests by government agencies and if possible inform users on what of their information was requested by government agencies.

Yes... if this was a regular warrant search. If this was NSL'd, then this would not be the case.

However - they are being slightly transparent by using something called a warrant canary, in which they discreetly notify everyone that they have been NSL'd by removing a certain phrase. But don't interpret this as something that is 100% transparent - if your node got NSL'd on Cloudflare, they won't (and can't) tell you.

If you followed the news over the last year, you would know that these policies are worth nothing if the US government can just send them a National Security Letter or force their way in.

Yes, but this applies to plenty of things:

• Your web service provider can be NSL'd to monitor traffic;
• Your server hosting provider can be NSL'd to install a backdoor on your server;
• Your SSL provider can be NSL'd to give up your private key;
• An American SSL provider can be NSL'd to forge a certificate for your website, and MITM it.

I should note that while the first three are probably nothing to worry about for those in other countries, the last one is very real, and can have global impact for those trying to visit your website.

That said, should I, a server admin, go crazy over all of this? Nope, and here's why:

• Encryption and protection on a server you don't physically control is not going to help. In fact, virtualized instances are not secure at all. The only secure server is a dedicated hardware node that you physically have in your house. And even that isn't necessarily secure!
• Security many websites at once isn't too bad of an idea. This is really big because if suddenly, if millions of websites start being HTTPS, it's harder for the agencies to determine who's who. (In the past, with fewer SSL sites, it's easier to say, "Oh this guy is using SSL, he must be hiding something".)
• Cost vs. benefit. This is probably the biggest reason. If this service provides more security to those who wish to protect sensitive information (or just prevent easy snooping), AND provides DDoS mitigation, AND provides caching, etc. etc., I think the benefits outweigh the costs. Yes, it's true that some agencies see this as a good chance to hop on in and intercept, but there are plenty of other ways for them to do that, and plenty of other opportunities to secure your data with my own efforts.

Nevertheless, I agree that privacy is a major concern that has been overlooked by lawmakers and the like. "Why don't you want the law enforcement to know about what you are doing?" is a strange question to ask - sure, I don't mind (I'm not doing anything illegal), but you're just asking to get mauled.

"They can do X now, so what?" is a question that many people ask. Then said agencies that "do X" will do even more, like Y and Z, which people will really not like! (What if Z was installing a camera in the bathroom and monitoring your "activities" there? Surely you won't mind then? )

That aside - in terms of overall security, going with Cloudflare still seems like the best choice. My only reason for not setting this up yet is due to compatibility concerns, and that Cloudflare shares the same certificate with other domains, which may or may not become an issue - still researching. Of course, for those who are really concerned, I'd be happy to provide a secret, alternate route to access my server without going through Cloudflare.

tl;dr Cloudflare is not immune to NSLs, but they provide more benefit vs. cost; alt methods are available for securing server; despite all of this your privacy is still something you should value!

https://blog.cloudflare.com/introducing-universal-ssl/

Dubbed Cloudflare Universal SSL, they are now offering free SSL to everyone, including free plans!
This includes if you are running a non-secured (no HTTPS) website, in which they will still give you HTTPS, but warn you that their server to your website will be unencrypted. (Do NOT try to run a e-commerce website if this is the case!)

The catch? For free users, they are deprecating support for older browsers by enforcing newer security standards - ECDSA and SNI.
(ECDSA is a newer and more secure encryption algorithm, and SNI is just a way to emit different SSL certificates from one IP!)

SNI support:

Desktop Browsers

• Internet Explorer 7 and later
• Firefox 2
• Opera 8 with TLS 1.1 enabled
• Google Chrome:
   Supported on Windows XP on Chrome 6 and later
   Supported on Vista and later by default
   OS X 10.5.7 in Chrome Version 5.0.342.0 and later
• Safari 2.1 and later (requires OS X 10.5.6 and later or Windows Vista and later).
• Note: No versions of Internet Explorer on Windows XP support SNI

Mobile Browsers

• Mobile Safari for iOS 4.0
• Android 3.0 (Honeycomb) and later
• Windows Phone 7

Source: https://www.digicert.com/ssl-support/apache-secure-multiple-sites-sni.htm

Warning: Technical jargon follows!

ECDSA support gets murky, though. According to Cloudflare, it is not available on Windows XP (and below), or anything older than Android 4.0 ICS.
To clarify, they're saying you MUST have Windows Vista (and newer), as well as Android 4.0 ICS (and newer).

...but wait! Does that mean everyone using Windows XP is screwed? Not quite.
According to https://github.com/client9/sslassert/wiki/IE-Supported-Cipher-Suites, SSL support for IE depends on the OS's SSL support. Running IE8 on XP means that the SSL support will suffer, since IE8 will use XP's SSL support, which doesn't have the new ECDSA. (Not totally sure about SNI, though.)

So what does Firefox and Chrome use? They use their own library called NSS, which is their own SSL stack that supports EVERYTHING - so as long as you're running a pretty recent version of Firefox/Chrome, you're fine! Safari/Opera support is still unknown though. Supposedly, Opera should be using NSS since they've moved to Chrome's core, but not too sure...

In Plain English
If you're on Windows XP and you use IE: regardless of version, you will NOT be able to access a Cloudflare SSL secured site.
If you're on Windows XP and you use the latest Firefox/Chrome: you WILL be able to access a Cloudflare SSL secured site.
If you're on Windows Vista and you use the latest browser: you WILL be able to access a Cloudflare SSL secured site.
If you're on Linux and you use the latest browser (with a recent OpenSSL): you WILL be able to access a Cloudflare SSL secured site.
If you're on Android and you use Android ICS 4.0 or later: you WILL be able to access a Cloudflare SSL secured site.
If you're on iOS/Mac OS X and/or using Safari/Opera: UNKNOWN. See the next section for more details.

Finding out if you have ECDSA/SNI:
A lot of websites run with Cloudflare (including Omnimaga) - however, many will probably wait to see whether SSL support is available yet for a good amount of platforms.

That said, if you're unsure (or wanna help us out), take our survey:
https://docs.google.com/forms/d/1tXP6uoqoZUQmvPV5tclc16Nlwuza2U60_xRCAJ4BL9g/viewform

In the survey, there is a website that will tell you everything - including whether you have ECDSA and SNI or not!

withgusto...
We're not too sure whether we want to adopt this yet or not - we'll probably make a decision once the migration is complete.