
Author: Kev Quirk

Hi, I'm Kev and I'm a cyber security professional from England. I use this site to share my thoughts and ideas from time to time.

CodeFund Adverts & This Site

You may have noticed that over the last month, there has been an advert at the top of this site. They looked something like this, depending on whether you loaded the dark version of this site or not:

Screenshot of CodeFund advert on this site.

The advert is from CodeFund, an ethical advertising agency. Their ads have no tracking, no cookies and no nonsense.

Why?

I started using CodeFund at the beginning of June following a recommendation on Fosstodon. I wanted to see if I could use it as a way of getting a bonus for some of the many hours I spend on this blog.

Things were pretty successful. I hadn’t had any complaints from visitors, and I was able to make around $80.

CodeFund earnings

While this won’t allow me to retire any time soon, I was planning on using the funds to save up for a new desktop computer. CodeFund announced today that they are having to close their doors unfortunately.

The time has come for us to shut down CodeFund. As many others, we were unable to survive the economic downturn.

CodeFund

This is a real kick in the nuts for me – I had finally found an ethical company that provided useful ads to my visitors, without tracking them or sacrificing their privacy.

While I’m not desperate to monetise this blog, as I have a full time job, it would be nice if I could get a little bonus back for the time I put in.

The powers that be clearly had other ideas and stepped in to stop that from happening. Oh well, maybe other ethical monetisation options will appear in the future. Until then, I’ll keep chugging along and churning out content, like I always do. 🙂

If you have any recommendations of ways to ethically monetise this blog, please get in touch, or leave a comment below.

Email Is Not Broken

I’ve been reading a lot of hyperbole lately around how broken email is. Sure, email has problems, but is it actually broken? I don’t think so.

A lot of this hyperbole appears to have come about following the release of Basecamp’s new email service, Hey. I’ve signed up for a Hey trial, and although it seems like a good service, I don’t think it fixes any of the problems with email.

What is email?

A good place to start a discussion about something as polarising as email is to articulate what email actually is. That way, you guys will hopefully understand where I am coming from right from the start.

To me, email is a way of receiving simple communications that have a short time to live.

That’s all email is to me. They’re mostly unimportant messages that I receive, deal with, and move on. I imagine that’s what they are to many other people too, especially when you consider how many people have hundreds of unread items in their inbox. How important can the vast majority of email actually be if there’s so much unread mail floating around?

To be clear, I’m not one of those people that has lots of unread mail. I’m a zero inbox kind of guy personally. But I couldn’t count the amount of times I’ve seen someone’s unlocked phone and noticed a mail icon sporting a red blob with an inordinately large number displayed in it.

When I migrated my wife and me from Gmail to Zoho, the amount of unread mail she had in her mailbox was ridiculous. I thought she didn’t reply to my emails just because she didn’t like me; turns out she just doesn’t check her email! 🙂

The problems with email

Now we have established what I believe email is, let’s look at some of the problems with email. To me, the main problems are threefold:

  1. Spam
  2. Privacy
  3. Workflow management

Spam

Spam is by far the biggest problem to plague email. No spam filter is perfect and it takes work to keep on top of it.

Many email providers allow you to manage your spam on the fly. You can mark emails that slip through the net as spam, so the next time they will be caught. And conversely, you can mark false positives as safe.

Let’s say that I received a spam email and it hits my inbox. I won’t delete it, I’ll actually mark it as spam so that my spam filter learns what spam is. If I were to delete it, my spam filter would be none the wiser and I would be perpetuating the problem.

Conversely, if a legitimate email gets incorrectly marked as spam I won’t just move that mail into my inbox. I will mark the sender as safe, then move the email. Again, it’s giving my spam filter the opportunity to learn.

I’ve been using Zoho for a few years now and by doing this, the spam filtering is excellent and I receive very few spam mails to my inbox.

Hey’s spam solution

If you receive an email to your Imbox (seriously? Imbox…what a ridiculous name) that has come from an address Hey has never seen before, it forces the user to screen it first.

Hey email screening

I think this is a good solution, in that it forces people to vet any potential spam as it comes in. But although this specific workflow isn’t baked into any other email provider that I know of, the ability to vet and manage spam is the norm these days.

Email isn’t broken in this case – people’s inability to manage their incoming mail is.

Privacy

Apparently there are 1.5 billion people using Gmail globally. I’ve made efforts to significantly reduce my Google usage, but a lot of people are happy with Gmail and that’s fine.

What isn’t fine is the complete lack of privacy that Gmail affords its users. Apparently Google will no longer read your email to personalise adverts. I don’t believe that for a second, but even if they do, there’s still adverts in Gmail and they wouldn’t provide a service to billions of people for free if they weren’t making a profit from it.

When the product is free, you’re the product.

Email is not private, so I don’t treat it as such. If I have something that I want/need to email that is private, I will either encrypt the email, or send an encrypted attachment. My email provider, Zoho, has a very open privacy policy but I still wouldn’t use their service to send private data.

It’s not just Gmail that’s the problem here – most free email providers have privacy issues.

Hey’s privacy solution

When it comes to privacy, Hey has a great policy, saying the following on their manifesto:

There are lots of “free” email services out there, but free email costs you one of the most valuable things you have – your privacy and your personal information. We’re not interested in your personal data. It’s always yours, never ours. We simply charge a flat, all‑inclusive $99/year fee for HEY. That makes our business work without having to sell your data, advertise to you, or otherwise engage in unscrupulous marketing tactics.

The Hey manifesto

I love this. As a Hey user you’re not being advertised to, or tracked and your data isn’t being harvested. Awesome. However, that’s no different than an untold number of other paid for email services like Fastmail, Mailbox.org, Tutanota, Proton and Zoho.

So although Hey’s approach to their users’ privacy is great to see, it isn’t anything innovative and it isn’t fixing any problems. The only true way that I see for people to fix the privacy problems with email, is for people to stop using these free services and pay for a privacy respecting one.

Most privacy respecting email services cost less than the price of a cup of coffee per month. I think this is a relatively small cost for a service that many people use every day.

Workflow management

You have an email address and over time hundreds of people and companies get that address. This means that tonnes of mail is just arbitrarily dumped in your inbox. Which in turn leads to that red blob on your phone’s home screen that displays a very large number.

No one has time to deal with that crap, am I right?

Establishing an email workflow is extremely important. Every email provider I can think of has some sort of filtering system that allows you to filter emails into certain folders automatically.

For example, if you buy a lot of stuff from Amazon or eBay, you could create a rule that automatically puts shopping and delivery receipts into a Shopping folder and marks them as read.

You don’t need to deal with them at all then. They’re dealt with automatically and you know where they are if you need them. Same with newsletters – the ones you want to keep, file them away. The ones you don’t, unsubscribe from the newsletter. If there is no unsubscribe link, make a rule that automatically deletes those newsletters.

By working through your incoming mail and filtering out the noise, you’re left with a much smaller collection of mail that you need to actually deal with.

Hey’s email workflow

This is where I think Hey really lets itself down. The traditional setup of a folder tree down the right-hand side of the screen, and the ability to easily flip between them is logical to me.

However, the workflow on Hey is completely broken in my opinion. There are three main parts to Hey’s interface:

  • The Imbox (still a stupid name)
  • The Feed
  • The Paper Trail

The Imbox is exactly the same as your Inbox, just with a silly name. The Feed is where newsletters etc. are supposed to be delivered to and The Paper Trail is for things like receipts.

This all sounds good, but there’s no single-click way of getting to and from those interfaces. The UI for each is also slightly different, which is jarring.

There is no sent items folder in Hey (not that I could see at least). Everything just goes into an ever scrolling feed of mail below your Imbox, called Previously Seen.

Managing email in Hey

If I have a newsletter I’m saving for later, along with an email I need to deal with, I have to flip between multiple interfaces within Hey. Whereas both would be in my Inbox in a traditional mailbox.

If I want to move something between the three Hey feeds, there’s no way to drag and drop. Instead I have to go into the email, click More, click Move then finally select the right feed.

Hey more dialogue
Hey move dialogue

That’s 4 clicks compared to a single click (or drag & drop) in a traditional mailbox.

I should note here that there are keyboard shortcuts throughout Hey. I really like that they list the shortcuts by the menu items too. However, the vast majority of people prefer using a mouse.

Power users tend to prefer keyboard shortcuts in my experience (myself included). But if Hey are trying to “fix email” the interface needs to be efficient for everyone to navigate.

Email is NOT broken

All three of the problems with email that I have talked about in this post boil down to the user and their choices, rather than email as a service.

Hey is an interesting take on email and it may be the next big thing for email. But I personally feel that it’s a lot of hype, purely because it’s a new shiny thing for techies to play with.

If I were to give my wife a Hey mailbox, she would get very lost, very quick. It’s an interesting concept, but I can’t help but think that Hey are trying to fix a problem that doesn’t exist.

Email is far from perfect, but it’s well established and mature. With a little bit of work your inbox can be a highly moderated list of only items you need to deal with.

My inbox (almost empty)

Conclusion

I’d like to end this post by saying that this is just my opinion. Some people may not want to invest the time to manage their incoming mail like I do.

That’s absolutely fine and in such cases services like Hey may work better for you. But just because you’re not prepared to put the work in, doesn’t mean that email is broken.

Email is far from perfect, but I don’t think it’s broken. What do you think?

How To Use A TP-Link Router With Sky Fibre Optic

How to use a TP-Link router with Sky fibre was originally written on 07th June 2017, but has been updated on 24th June 2020.

The Sky OEM router is fine for the vast majority of cases, but if you want more functionality, better signal strength, or advanced features like VPN support or parental controls, you’re going to want to use a TP-Link router with Sky fibre.

In this article I’ll be showing you how you can replace the OEM Sky router with a much better, TP-Link device.

Why Change?

The OEM Sky router is fine for most uses, but some people want more functionality than what “normal” routers can offer. Or, maybe your router is simply swamped in a sea of wireless networks from your neighbours, and you want a better signal strength.

Whichever it is, an after-market router is generally a much better alternative to the OEM routers that are made as cheaply as possible so they can be given to thousands of people for free.

After having a lot of issues with wireless myself, I decided to replace my OEM Sky router with a TP-Link AC1200 (costing approximately £45 from Amazon) for my Sky fibre connection. I’m so glad I did!

June 2020 update: I’ve since upgraded my Wi-Fi network with a TP-Link Deco M5 mesh Wi-Fi system which has vastly improved my wireless network.

Setting It Up

Setting up the TP-Link router with Sky fibre is extremely simple. Whilst it’s not quite plug and play, the process is very simple:

  1. Plug in your TP-Link to a power supply and connect the grey DSL cable to the corresponding port on the back of your router.
  2. Connect the other end of your DSL cable to the micro-filter that comes with the router and connect it to your phone socket. If you already have a micro-filter, replace it with the new one.
  3. Connect the network cable to port 1 on the router, then connect the other end to your laptop.
  4. Open a browser window and navigate to http://192.168.1.1.
  5. The TP-Link will ask you to set an admin password – make sure you use something secure, as Password123 ain’t gonna cut it!
  6. Once in, the TP-Link setup wizard will start:
    • Input your location and time zone. Click Next.
    • Select Sky(MER)_VDSL from the ISP list. Make sure it’s this one, as this is Sky fibre. The other Sky option in the list is for Sky Broadband and will not work for fibre connections.
    • In the username field, enter abcdefgh@skydsl
    • In the password field, enter 1234567890abcdef
    • Click Next, then set up your wireless network how you see fit.
    • The TP-Link will then test the Internet connection and you should see a success message. If you do not, wait for the DSL light to stop flashing and try again – it should work just fine.
  7. That’s it! You’re now connected to Sky fibre via your new TP-Link router.
Tp-Link Admin UI

Explore

Now you have your new router connected, you can start to have a look around the admin interface and change the settings as needed. Here are some of the changes I made:

  • Disabled WPS – it’s insecure and easily hacked, so turn it off.
  • Added my NAT rules so that traffic will route to my server.
  • Turned on and configured the guest network, so guests don’t have access to my server.
  • Changed the IP Subnet and DHCP pool. This was only so I didn’t have to re-configure all my existing devices that have static addresses.

Conclusion

Overall, I’m very happy with the TP-Link VR200. The connection has been rock solid and it has served me well for over 3 years now.

Using a TP-Link router with Sky fibre has many advantages and it’s an extremely well priced router compared to the functionality it offers. The only downside is that it is a lot bigger than the OEM Sky router. But I can live with that for the additional functionality it offers.

I have had feedback from hundreds of people that this process works, but if you’re struggling I would suggest the Sky fibre forums. But if you’re really stuck, feel free to leave a comment below, or contact me.

How To Create An IndieWeb Profile

I’ve written about the IndieWeb in the past, but it can be a little complicated and confusing to get started. In this post I’m going to take you through creating an IndieWeb profile.

What is the IndieWeb?

The IndieWeb is a way of connecting your personal website with lots of other people’s sites from around the world. So if you’re on the IndieWeb and I link to your blog in one of my posts, you get a notification. These are called Webmentions and you can see the Webmentions for this post in the comments section below.

Think of it as an inter-linked commenting system that traverses the entire Internet. Websites aren’t physically connected, but they can communicate with one another. You can learn more on the IndieWeb site.

What is an IndieWeb profile?

An IndieWeb profile, or h-card as they’re officially known, is a snippet of code that tells other websites connected to the IndieWeb a little bit about you and your site.

I like to think of it as my business card for the IndieWeb.

Why do I need an IndieWeb profile?

Well, like any inter-connected social system, a profile helps people recognise you within the network. A profile is also useful for discovery purposes on the IndieWeb.

You can create a h-card in a number of ways, but in this post I will show you how I have created my h-card and what it all means.

Example IndieWeb h-card

Let’s take a look at my IndieWeb profile first, so you can see what they look like and what we need to configure.

Kev's IndieWeb Profile

As you can see, my IndieWeb profile contains a fair amount of information. But there’s a lot more you can add if you wish. This link lists all of the h-card identifiers that are available.

Enough of this preamble, let’s get started and actually make the thing, shall we?

The Basics

There are a number of ways you can create a h-card. Some people like to markup their about page, others like to add the identifiers to their posts and pages. Personally, I opted to create a simple block of hidden code on my homepage that handles the whole thing.

I think this is the easiest way of doing it, as it then acts as a single profile within your website’s code that is easy to update.

So with that we will start by creating a new HTML section that will house our h-card profile:

<section style="display: none;" class="h-card">

</section>

So display: none; tells your browser to hide everything within this section when the page is loaded. This ensures your visitors will not be able to see it, but other sites on the IndieWeb will traverse this code and find your profile. We’re also giving the section a class of h-card, which tells the IndieWeb that this is your h-card profile.

About me

Now we have the basic section setup and we have hidden it with some inline CSS, let’s add some basic information to the profile. My name and a short bio seems like a place to start:

<section style="display: none;" class="h-card">

<!-- About me -->
<span class="p-name">Kev Quirk</span>
<span class="p-note">I'm a cyber security professional and privacy advocate from North West England. My interests include drawing, fish keeping, motorbikes & open source software.</span>

</section>

By using p-name and p-note as the class for the two lines of code, we’re telling the IndieWeb what our name is and a little bit about ourselves.

Profile picture

No profile is complete without a profile picture. For this we simply add an img tag and set its class to u-photo:

<section style="display: none;" class="h-card">

<!-- About me -->
<span class="p-name">Kev Quirk</span>
<span class="p-note">I'm a cyber security professional and privacy advocate from North West England. My interests include drawing, fish keeping, motorbikes & open source software.</span>

<!-- Profile picture -->
<img class="u-photo" src="https://cdn.kevq.uk/wp-content/uploads/2019/11/400px-round-grey-glasses.png"/>

</section>

Location

Adding your location is totally optional, but I decided to add it as a lot of people assume I’m American. I’m not sure why, they just do, so I thought by adding my rough location this would help.

Privacy note: If you’re going to do this, make sure the location you specify is very vague. I’d recommend Town/City at most.

<section style="display: none;" class="h-card">

<!-- About me -->
<span class="p-name">Kev Quirk</span>
<span class="p-note">I'm a cyber security professional and privacy advocate from North West England. My interests include drawing, fish keeping, motorbikes & open source software.</span>

<!-- Profile picture -->
<img class="u-photo" src="https://kevq.b-cdn.net/wp-content/uploads/2019/11/400px-round-grey-glasses.png"/>

<!-- My location -->
<span class="p-locality">North West England</span>

</section>

Social Links

The next step is to add some links. These are really important as they show the IndieWeb what your other online identities are. This is a great way of validating your various online accounts so people know they’re legitimate.

<section style="display: none;" class="h-card">

<!-- About me -->
<span class="p-name">Kev Quirk</span>
<span class="p-note">I'm a cyber security professional and privacy advocate from North West England. My interests include drawing, fish keeping, motorbikes & open source software.</span>

<!-- Profile picture -->
<img class="u-photo" src="https://kevq.b-cdn.net/wp-content/uploads/2019/11/400px-round-grey-glasses.png"/>

<!-- My location -->
<span class="p-locality">North West England</span>

<!-- Links -->
<a class="u-url u-uid" href="https://kevq.uk"></a>
<a class="u-email" rel="me" href="mailto:kev@craves.coffee"></a>
<a class="u-url" rel="me" href="https://fosstodon.org/@kev"></a>
<a class="u-url" rel="me" href="https://twitter.com/kevquirk"></a>
<a class="u-url" rel="me" href="https://keybase.io/kevq"></a>

</section>

The first link has two classes, u-url and u-uid. The u-url class is a generic identifier that simply says that this URL is owned by me. So this could be a social profile, or a link to your homepage.

u-uid is a little different. This is your universally unique identifier, so it’s the daddy of all your links – it’s your main home on the IndieWeb. A link to your homepage should always include both the u-url and u-uid classes.

We then have u-email which is pretty self-explanatory – it’s your email address. I personally use the same email address as the one listed on my contact page for this.

Finally we have a few links to my social profiles that only contain the u-url identifier.

Categories

Adding categories to your IndieWeb profile shows other people on the IndieWeb the kind of things you’re interested in and write about on your blog.

<section style="display: none;" class="h-card">

<!-- About me -->
<span class="p-name">Kev Quirk</span>
<span class="p-note">I'm a cyber security professional and privacy advocate from North West England. My interests include drawing, fish keeping, motorbikes & open source software.</span>

<!-- Profile picture -->
<img class="u-photo" src="https://kevq.b-cdn.net/wp-content/uploads/2019/11/400px-round-grey-glasses.png"/>

<!-- My location -->
<span class="p-locality">North West England</span>

<!-- Links -->
<a class="u-url u-uid" href="https://kevq.uk"></a>
<a class="u-email" rel="me" href="mailto:kev@craves.coffee"></a>
<a class="u-url" rel="me" href="https://fosstodon.org/@kev"></a>
<a class="u-url" rel="me" href="https://twitter.com/kevquirk"></a>
<a class="u-url" rel="me" href="https://keybase.io/kevq"></a>

<!-- Categories -->
<span class="p-category">Blogging</span>
<span class="p-category">Fish keeping</span>
<span class="p-category">InfoSec</span>
<span class="p-category">Motorbikes</span>
<span class="p-category">Open Source Software</span>
<span class="p-category">Privacy</span>
<span class="p-category">Web Design</span>

</section>

Adding more items

That’s pretty much it for my h-card, but I mentioned earlier in this post that you can add other items to your profile if you would like. A full list of all supported identifiers can be found here.

For example, let’s say I want to add my title, which is Mr. The additional code to be added to my h-card would look like this:

<!-- My title -->
<span class="p-honorific-prefix">Mr</span>

If you want to add others, just follow this same process, referencing the specific identifier for the field you wish to add.

Note: Wherever I’ve added <!-- XXXX --> throughout my h-card is optional. These are just HTML comments that make reading the code easier for me.

Adding it to your website

All you need to do now is copy and paste the complete h-card somewhere inside your <body> tags on your website’s homepage. Personally, I would recommend putting your h-card right at the bottom, just above your closing </body> tag. This way it won’t interfere with anything else on your page.

Once you have added your h-card to your site’s code, save it and upload it to your web server and you should have a working IndieWeb profile. If you want to test your profile to see if it’s working, you can use this page.
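To see locally what an IndieWeb consumer would read from your h-card before you upload it, here is an added example (not part of the original post, and a simplified reader rather than a full microformats2 parser). It pulls the p-* and u-* properties out of the first h-card and flags a missing p-name or a u-uid link that does not also carry u-url; the sample markup and the example.com and social.example addresses are constructed.

```python
from html.parser import HTMLParser

# Elements with no end tag; they must not change the nesting depth.
VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input",
        "link", "meta", "source", "track", "wbr"}


class HCardParser(HTMLParser):
    """Collect p-* and u-* properties from the first h-card in a page."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.depth = 0        # nesting depth inside the h-card (0 = outside)
        self.found = False    # an element with class h-card was seen
        self.done = False     # the first h-card has been closed
        self.props = {}       # property name -> list of values
        self.rel_me = []      # href of each rel="me" link inside the card
        self.capturing = []   # stack of (depth, p-* names, text chunks)

    def handle_starttag(self, tag, attrs):
        if self.done:
            return
        attr = dict(attrs)
        classes = (attr.get("class") or "").split()
        if self.depth == 0:
            if "h-card" in classes and tag not in VOID:
                self.found, self.depth = True, 1
            return
        if tag not in VOID:
            self.depth += 1
        # u-* properties take their value from the link or image address.
        link = attr.get("href") or attr.get("src")
        if link:
            for name in classes:
                if name.startswith("u-"):
                    self.props.setdefault(name, []).append(link)
        if attr.get("href") and "me" in (attr.get("rel") or "").split():
            self.rel_me.append(attr["href"])
        # p-* properties take the element's text, collected until it closes.
        p_names = [c for c in classes if c.startswith("p-")]
        if p_names and tag not in VOID:
            self.capturing.append((self.depth, p_names, []))

    def handle_data(self, data):
        for _, _, chunks in self.capturing:
            chunks.append(data)

    def handle_endtag(self, tag):
        if self.done or self.depth == 0 or tag in VOID:
            return
        if self.capturing and self.capturing[-1][0] == self.depth:
            _, names, chunks = self.capturing.pop()
            text = " ".join("".join(chunks).split())
            for name in names:
                self.props.setdefault(name, []).append(text)
        self.depth -= 1
        if self.depth == 0:
            self.done = True


def check_hcard(html):
    """Return (properties, rel_me_links, problems) for the first h-card."""
    parser = HCardParser()
    parser.feed(html)
    parser.close()
    if not parser.found:
        return {}, [], ["no element with class h-card found"]
    problems = []
    if not parser.props.get("p-name"):
        problems.append("p-name is missing")
    uids = parser.props.get("u-uid", [])
    if len(uids) != 1:
        problems.append("expected exactly one u-uid link, found %d" % len(uids))
    for uid in uids:
        if uid not in parser.props.get("u-url", []):
            problems.append("u-uid %s does not also carry u-url" % uid)
    return parser.props, parser.rel_me, problems


# Constructed sample markup, following the layout built up in this post.
GOOD_CARD = """
<section style="display: none;" class="h-card">
  <span class="p-name">Alex Example</span>
  <span class="p-note">Writes about <b>privacy</b> &amp; open source.</span>
  <img class="u-photo" src="https://example.com/me.png"/>
  <span class="p-locality">North West England</span>
  <a class="u-url u-uid" href="https://example.com"></a>
  <a class="u-url" rel="me" href="https://social.example/@alex"></a>
  <span class="p-category">Privacy</span>
</section>
<p class="p-name">Outside the card, ignored</p>
"""

# Constructed broken card: no name, and the u-uid link lacks u-url.
BAD_CARD = """
<div class="h-card">
  <a class="u-url" href="https://example.com"></a>
  <a class="u-uid" href="https://example.com/about"></a>
</div>
"""

if __name__ == "__main__":
    for label, html in (("good", GOOD_CARD), ("bad", BAD_CARD)):
        props, rel_me, problems = check_hcard(html)
        print(label, props, rel_me, problems or "no problems")
```

The rel_me list is what another site would compare against the links on your social profiles, so it is worth confirming each address in it is one you control.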

Do you have a different way of managing your IndieWeb h-card? If so, why not tell me how you have done it in the comments below.

How To Backup Nextcloud

“How To Backup Nextcloud” was originally written on 03 July 2019, but has been updated on 19 June 2020.

I recently wrote a guide on how to setup your own Nextcloud server; it’s a great way of ensuring your personal data is kept private. However, it’s also important to backup Nextcloud too.

Isn’t Nextcloud My Backup?

No it isn’t. Nextcloud is not a backup solution, it’s a way of syncing your data, but it’s not a backup. Think about it, if you delete a file from computer A, that deletion will immediately be synced everywhere via Nextcloud. There are protections in place, such as the trash bin and version control, but Nextcloud is not a backup solution.

Since building my own server I have come up with a pretty decent way of backing up my data that follows the 3-2-1 principle of backing data up.

At least 3 copies of your data, on 2 different storage media, 1 of which needs to be off-site.

— The 3-2-1 backup rule

Requirements

In order to effectively backup Nextcloud, there are a few pieces of hardware and software involved. There is an initial cost to the hardware, but it isn’t significant.

To backup Nextcloud you will need:

  1. An Ubuntu based server running the Nextcloud Snap
  2. A USB hard drive that is at least double the size of the data you’re backing up (I’d recommend getting the biggest you can afford)
  3. Duplicati backup software installed on your Nextcloud server
  4. A Backblaze B2 account
  5. Around 30-60 minutes to set it all up

At this point I will assume that you have connected and mounted your USB hard drive to the server. If you haven’t done that yet, take a look at my guide on how to mount a partition in Ubuntu.

Note: this process is designed around the Nextcloud Snap installation, not the manual installation.

Overview

Following this post, you will be able to do the following:

  1. Automatically backup your entire Nextcloud instance (including your database) every day
  2. Create a log file so you can see if the backup worked
  3. Sync the backup to B2 cloud storage (it will be encrypted before transmission)
  4. Delete old backups so your hard drive doesn’t fill up
  5. Receive email alerts once the backup completes

User Setup

I would recommend using a dedicated user for backing up. This will allow us to keep the backup routine separate from the normal user account you use, making the setup more secure.

In this guide, I will be using ncbackup as the user account. You can use whatever username you feel is appropriate. Let’s start by creating the user and the directories we will need to store our backups.

# Create new user
sudo adduser ncbackup

# Switch to new user account
su - ncbackup

# Make directories for Backups
mkdir Backups
mkdir Backups/Logs

# Logout to switch back to normal user
logout

Now we have the directories setup, let’s create the script that will run our backups. In this example, I’m using nano, but feel free to use any text editor you like. To learn more about nano, click here.

sudo nano /usr/sbin/ncbackup.sh

We’re using the /usr/sbin directory because it is used for system-wide binaries that require elevated privileges. You can store your script wherever you like, but /usr/sbin is good practice.

Backup Nextcloud

Populate the file with the following, ensuring you change the username and path to whatever the appropriate values are for your setup.

#!/bin/bash
# Stop at the first failed command, so a failed export or tar never reaches the rm below
set -e
# Output to a logfile
exec &> /home/ncbackup/Backups/Logs/"$(date '+%Y-%m-%d').txt"
echo "Starting Nextcloud export..."

# Run a Nextcloud backup
nextcloud.export
echo "Export complete"
echo "Compressing backup..."

# Compress backed up folder
tar -zcf /home/ncbackup/Backups/"$(date '+%Y-%m-%d').tar.gz" /var/snap/nextcloud/common/backups/* 
echo "Nextcloud backup successfully compressed to /home/ncbackup/Backups"

# Remove uncompressed backup data
rm -rf /var/snap/nextcloud/common/backups/*
echo "Removing backups older than 14 days..."

# Remove backups and logs older than 14 days
find /home/ncbackup/Backups -mtime +14 -type f -delete
find /home/ncbackup/Backups/Logs -mtime +14 -type f -delete
echo "Complete"

echo "Nextcloud backup completed successfully."

Now we need to make our backup script executable:

sudo chmod +x /usr/sbin/ncbackup.sh

A lot of the commands in our script will require sudo access, but we don’t want to give full sudo access to our ncbackup user, as it doesn’t need elevated rights globally. However, we do want to be able to run the backup script with sudo rights, and we want to do it without requiring a password.

To accomplish this, we need to use visudo. We can configure visudo to allow the ncbackup user to run the backup script as sudo, without a password. Crucially, the ncbackup user will not be able to run anything else as sudo.

# Open visudo
sudo visudo

# Allow ncbackup to run script as sudo
ncbackup ALL=(ALL) NOPASSWD: /usr/sbin/ncbackup.sh

Enabling sudo access for the backup script introduces another potential security risk. The ncbackup user can run the backup script as sudo without a password. So a threat actor could potentially edit the script and run any command as sudo without a password.

Bad times.

However, we saved the script in /usr/sbin, which is owned by root and not writable by other users, so the ncbackup user will not be able to edit the ncbackup.sh script. By doing so, we have prevented the system from becoming insecure.
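That protection holds only while the script and every directory above it stay owned by root and closed to writes from anyone else, because write access to a parent directory is enough to swap the file out. As an added example (not from the original post), this Python check walks from the script up to / and reports anything that would let a non-root user change what the NOPASSWD rule runs; the function name and its trusted_uid and stop parameters are illustrative.

```python
import os
import stat


def audit_sudo_target(script, trusted_uid=0, stop="/"):
    """Return a list of (path, problem) for a script named in a sudoers rule.

    The script itself and each directory from its parent up to `stop` must be
    owned by `trusted_uid` (root by default) and must not be writable by
    group or others. An empty list means nothing was found.
    """
    path = os.path.realpath(script)   # follow symlinks to the real file
    stop = os.path.realpath(stop)
    if not os.path.isfile(path):
        return [(path, "not a regular file")]

    findings = []
    while True:
        st = os.stat(path)
        if st.st_uid != trusted_uid:
            findings.append(
                (path, "owned by uid %d, expected %d" % (st.st_uid, trusted_uid)))
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(
                (path, "writable by group or others (mode %o)"
                 % stat.S_IMODE(st.st_mode)))
        parent = os.path.dirname(path)
        if path == stop or parent == path:   # reached the stop directory or /
            break
        path = parent
    return findings


if __name__ == "__main__":
    import sys

    # Default to the script path used in this guide.
    target = sys.argv[1] if len(sys.argv) > 1 else "/usr/sbin/ncbackup.sh"
    results = audit_sudo_target(target)
    if not results:
        print(target + ": ownership and permissions look safe for a NOPASSWD rule")
    for where, problem in results:
        print(where + ": " + problem)
```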

As an extra layer of security, we will stop the ncbackup user from being able to login to the server at all:

sudo usermod -s /sbin/nologin ncbackup

If at a later date you need to be able to login using the ncbackup user, you can revert this change by running the following command:

sudo usermod -s /bin/bash ncbackup

Schedule Backups

Now we have the backup script set up, we need to schedule the backup to run automatically; for this, we will use Cron.

Run the following command to enter the Cron settings for the ncbackup user:

sudo crontab -u ncbackup -e

Once you’re in crontab, you need to add the following lines to the bottom of the file:

# Nextcloud backup cron (runs at 2am daily)
0 2 * * * sudo /usr/sbin/ncbackup.sh

The settings above will run the backup script at 02:00am every day. You can change this to whatever value you like, but I would recommend running the backup every day.

The first value represents minutes, then hours, then days etc. So if you wanted to run the backup at 03:30am, your Crontab entry would look something like this:

# Nextcloud backup cron (runs at 03:30am daily)
30 3 * * * sudo /usr/sbin/ncbackup.sh

Now Wait…

That’s most of the setup complete at this point. The next thing to do is to wait 24 hours for your backup to complete automatically (or you could run the script manually yourself).

Once the script has run, you should see a tar.gz file within your backup folder with a name that corresponds to the date the backup ran:

kev@server:~$ ls /home/ncbackup/Backups/
2020-06-10.tar.gz  Logs

Within the Logs folder, you should also see a <date>.txt file that corresponds to the backup. You can open this to see how your backup went:

kev@server:~$ cat /home/ncbackup/Backups/Logs/2020-06-10.txt 
Starting Nextcloud export...
WARNING: This functionality is still experimental and under
development, use at your own risk. Note that the CLI interface is unstable, so beware if using from within scripts.
Enabling maintenance mode...
done
Exporting apps...
              0 100%    0.00kB/s    0:00:00 (xfr#0, to-chk=0/1)
Exporting database...
Exporting config...
Exporting data...
         15.90M 100%  109.87MB/s    0:00:00 (xfr#105, to-chk=0/139) 
Successfully exported /var/snap/nextcloud/common/backups/20190703-130201
Disabling maintenance mode...
done
Export complete
Compressing backup...
tar: Removing leading `/' from member names
Nextcloud backup successfully compressed to /home/ncbackup/Backups
Removing backups older than 14 days...
find: ‘./home/ncbackup/Backups/’: No such file or directory
Complete
Nextcloud backup completed successfully.

With the echo statements we put in the script, you can see at what point in the backup things failed, if they do in fact fail.

Note: there are masses of improvements that can be added to this script, but this satisfies my needs. If you do add improvements, please let me know and I’ll post an update.

Setup Duplicati

You now have a single layer of backups for Nextcloud. However, if you want to abide by the 3-2-1 rule of backups (which I highly recommend), then we now need to use Duplicati to add additional layers to our backup routine.

To install Duplicati, go to this link and right click ‘copy link location‘ on the Ubuntu DEB. Then amend the commands below as appropriate.

# Download Duplicati DEB
wget https://updates.duplicati.com/beta/duplicati_[version].deb

# Install Duplicati
sudo dpkg -i duplicati_[version].deb

# If you get a dependency error, run the following
sudo apt --fix-broken install

We now need to enable the Systemd service for Duplicati so it runs automatically on boot:

# Enable Duplicati service
sudo systemctl enable duplicati

# Start the Duplicati service
sudo systemctl start duplicati

By default the Duplicati service will only listen on localhost, so if you try to access the IP of the server from another device, you won’t get the Duplicati webGUI.

To fix this, edit the DAEMON_OPTS option within the Duplicati config to the following:

# Open Duplicati config
sudo nano /etc/default/duplicati

# Additional options that are passed to the Daemon.
DAEMON_OPTS="--webservice-interface=all"

Restart Duplicati so the config changes take effect:

sudo systemctl restart duplicati

You should now be able to access the Duplicati web interface by going to http://server-ip:8200. You will be asked to set a password for Duplicati when you first log in; make sure this is a strong one!

Security Note: My server is hosted at home, and I don’t expose port 8200 to the internet. If your server is not at home, then I would strongly suggest you configure something like iptables, or Digital Ocean firewall, to restrict access to port 8200.
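To confirm which address the web interface is actually bound to before and after the DAEMON_OPTS change, the listener on port 8200 can be classified from `ss -ltn` output. This is an added example, not from the original post; the function names and the two sample `ss` listings are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify how a TCP port is exposed, from `ss -ltn` output.

# classify_listener PORT   (reads `ss -ltn` output on stdin)
# Prints one of: not-listening, loopback-only, specific-address, all-interfaces
classify_listener() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            # Column 4 is "address:port"; the port follows the last colon.
            n = split($4, parts, ":")
            if (parts[n] != port) { next }
            addr = substr($4, 1, length($4) - length(parts[n]) - 1)
            found = 1
            if (addr == "0.0.0.0" || addr == "[::]" || addr == "*") {
                wildcard = 1      # reachable on every interface
            } else if (addr !~ /^127\./ && addr != "[::1]") {
                specific = 1      # bound to one non-loopback address
            }
        }
        END {
            if (!found)        { print "not-listening" }
            else if (wildcard) { print "all-interfaces" }
            else if (specific) { print "specific-address" }
            else               { print "loopback-only" }
        }'
}

# Constructed sample: listener state with the default Duplicati config.
sample_default() {
    cat <<'EOF'
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       128     127.0.0.1:8200      0.0.0.0:*
EOF
}

# Constructed sample: listener state after --webservice-interface=all.
sample_all() {
    cat <<'EOF'
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       128     0.0.0.0:8200        0.0.0.0:*
EOF
}

echo "default config:  $(sample_default | classify_listener 8200)"
echo "interface=all:   $(sample_all | classify_listener 8200)"
# On a live server: ss -ltn | classify_listener 8200
```

A result of all-interfaces means the firewall is the only thing between port 8200 and the network, so the restriction in the security note has to be in place before the service is restarted.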

Configure Duplicati Backups

Now it’s time to configure our backups in Duplicati. We will configure 2 backup routines – 1 to USB and another to Backblaze B2 for off-site.

Let’s do the USB backup first. Within the Duplicati webGUI, click on the Add Backup button to the left of the screen.

This is a very straightforward process where you choose the destination (our USB drive), the source (the output from our backup script) and the schedule.

Duplicati USB Backup

When creating your backup routines in Duplicati, always ensure you encrypt your backups and use a strong passphrase.

Also, always make sure your Duplicati backups run at different times to your other backups. Personally, I go for the following setup:

  • 02:00 – Local Nextcloud backup script runs via Cron
  • 03:00 – Duplicati backs up to USB
  • 04:00 – Duplicati backs up to Backblaze B2

I always leave the Backblaze backup to run last, as it then has up to 22 hrs to complete the upload before the next backup starts, so they shouldn’t interfere with one another.

Off-Site Backups

When it comes to configuring your Backblaze backups, change the destination from Local to B2 Cloud Storage. You will need your B2 bucket information and application keys to complete the config.

Once you have entered your Backblaze Bucket information, click Test Connection to make sure Duplicati can write to your B2 bucket correctly.

Important note: You will need to add payment information to your Backblaze account before backing up, otherwise your backups will fail.

To give you an idea of what Backblaze costs, I’m currently backing up around 150GB of data to my Buckets, and I’m charged less than $1/month.

Personally, I only keep 7 days of backups on Backblaze, as I only have it for disaster recovery, where all my local backups have failed. I don’t need data retention in the cloud, that’s what my USB drive is for.

Duplicati Email Notifications

You can configure email notifications for Duplicati backups; this way you will always know if your backups are working.

To do this, head into the Duplicati WebGUI and click on the Settings option to the left of the screen, then scroll all the way down to the bottom where it says Default options. Click the option that says Edit as text, then paste the following into the field:

# Change as needed
--send-mail-url=smtp://your.smtp.server:587/?starttls=when-available
--send-mail-any-operation=true
--send-mail-subject=Duplicati %PARSEDRESULT%, %OPERATIONNAME% report for %backup-name%
--send-mail-to=your@email.com
--send-mail-username=smtp-username
--send-mail-password=smtp-password
--send-mail-from=Backup Mailer <backups@email.com>

I personally use Amazon SES for this, but you should be able to use any SMTP server.

That’s It!

You’re done. That’s it. Finito. You now know how to backup Nextcloud in such a way that it abides by the cardinal 3-2-1 backup rule, and it lets you know when your backups have run.

TEST YOUR BACKUPS!

I can’t stress this enough. Once your backups have been running for a few days, make sure you run a test restore (not on your live system) to make sure you can get your data back. After all, there’s no point in having backups if you can’t restore from them!

To restore the backups you have made of Nextcloud into a vanilla Nextcloud snap installation, you need to decompress your backup to /var/snap/nextcloud/common then use the nextcloud.import command to restore it:

# Decompress your backup
tar -xvzf /path/to/nextcloud/backup.tar.gz -C /var/snap/nextcloud/common

# Restore your Nextcloud backup
sudo nextcloud.import /var/snap/nextcloud/common/backup-to-restore

Yes, restoring your Nextcloud snap from backup really is that simple!

Conclusion

This is by no means the perfect way to backup Nextcloud, but it does work and it has worked for me for quite some time now. You may have a different/better way of backing up; if you do, please leave a comment below, or get in touch with me.

Finally, I’d like to thank my friend Thomas from work, who helped improve my script a little and gave me a couple of ideas to improve the security.

Thanks, Tom. 🙂

Finishing My Website Redesign

So I recently wrote about how I decided I was going to redesign this website to give it a fresh new look. Well, I’m happy to say that I’ve now finished the “redesign.”

What do you think?

Pretty much the same, right? Well, I started designing a whole new site with a custom theme that I built from the ground up using the Divi framework.

It looked similar to what I have now, but it was a lot heavier and had a tonne of functionality that I didn’t really need. So after spending a couple of weeks building it, and even giving my newsletter subscribers a sneak preview, I decided to ditch it.

Instead I went with updates to my old theme. So I’ve done a few tweaks to improve things here and there, but nothing major. Here’s what I’ve done:

  • Complete redesign of the commenting system, which has now been re-enabled across the site.
  • Added more splashes of blue to buttons, links etc.
  • Improved typography everywhere.
  • Reduced the content width to 640px.
  • Improved the notes page.
  • Removed posts categorised as notes from the homepage feed.
  • Numerous other miscellaneous tweaks.

I’ve now started maintaining a Github repository for this theme, so if you want to fork it and use it yourself, be my guest. As with everything on this site, it has an open license.

My Theme On Github

I’m really happy with the decision I made to keep this theme. I’ve worked so hard on it and I know the code intricately, so it’s easy for me to fix issues or make tweaks when I need to.

For the time being I’m going to stop pissing around with my theme and concentrate on actually writing content, I think.

Why Does Logitech Hate Left Handed People?

I’ve recently been looking at switching my traditional mouse for a trackball mouse. I asked for recommendations on Fosstodon and the overwhelming recommendation was the Logitech M570. Unfortunately, Logitech don’t make a left handed version, and after a bit of research it seems that the issue goes much further than just this device.

Now, many standard mice can be used with either hand as they’re symmetrical. But if you want to use an ergonomic mouse, be it trackball or traditional, these are specific to one hand or another.

The problem with Logitech is that they don’t make any left handed mice, in any of their ranges. So although my initial search was for a trackball, this covers all mice they produce. For example, this one.

Why Logitech hates left handed people

If you take a look around the Logitech forums, you will see 279 pages of search results from people complaining about the lack of left handed support from Logitech.

There are posts going back years; some have responses from Logitech team members, others have just been ignored. The problem is, every post I’ve seen has had the same regurgitation of a cookie cutter response.

Posts like this one from 9 months ago where the poster is requesting a left handed mouse, gets the following response from Logitech:

The left handed version of the MX Master 3 is not yet available and we do not have any information on when a left handed version would be available.

I’ll have this post forwarded to the proper team here on my end…

Logitech support

In another post, also from 9 months ago, Logitech reply 4 months later with the following:

Thank you for reaching Logitech! We deeply apologize for not providing a prompt response.

As with your inquiry about the MX Master 3, the manufactured device at the moment are intended for people who use their mouse using their right hand.[…] We will forward this post to our team for consideration.

Logitech support

There’s also this post from 5 months ago, this post from 2 years ago and this post from 3 years ago. And that’s just in the first 3 of those 279 pages of results!

The forums are littered with posts from fellow lefties pleading with Logitech to create a left handed mouse. But many years later, we’re still left out in the cold.

Discrimination?

According to Wikipedia, around 10% of the world’s population are left handed. Ten percent may not sound like a lot, but that’s the equivalent population of the USA, Japan, Brazil & Germany combined. That’s a lot of people!

On their website, Logitech say the following about their MX Ergo trackball mouse:

Logitech’s most advanced trackball for trackball enthusiasts and consumers searching for alternatives to mice and touchpads. Delivers 20% less muscular strain compared to a regular mouse.

Logitech

So does the muscular strain of left handed people not matter to you, Logitech? I suppose those 780 million left handed people worldwide don’t really matter, hey?

I’d like to finally add that the title of this post is facetious. I know that Logitech don’t hate left handed people. It’s ok Logitech, I still really like your hardware, but it would be wonderful if you offered some ergonomic mice for left handed people. 🙂

How Much Does It Cost To Run This Blog?

My wife recently asked me how much it costs me to run this blog. I wasn’t really sure to be honest, so I looked into it and the results were surprising. So I thought I would share the details to give you guys a general idea how much it costs to run a blog.

This post contains affiliate links. More info here.

Starting a blog is very simple to do, and can cost you nothing except your time. But over time your blog will likely grow, and with it your needs and therefore your costs will rise too. I’ve been running this blog for a few years now and that’s certainly been the case for me at least.

So a few nights ago I was working on my blog (as I often do) and my wife said…

You spend so much time working on that website. How much do you think it costs us every month?

My wife

Good question, I thought. I obviously had a rough idea of how much this blog costs me, but there are that many moving parts to it these days, I wasn’t completely sure.

If I had been put on the spot right that second, I would have guessed around £40 ($50) per month. But I wanted to know for sure…

Preface

I want to preface this post with a little bit of information about my traffic numbers, as traffic volume tends to have a direct correlation to the costs involved with hosting a site.

Here is a breakdown of my visitor stats so far in 2020. If you want to know more about what each column means, take a look at the AWStats glossary.

Visitor stats June 2020

So my overall page views for this site are approximately half a million per month. Ignore the Hits column as that doesn’t equate to true visitor numbers.

Note: these numbers do not include web crawlers, such as search engine bots.

How much does it cost to run my blog?

Ok so like I said, if I were to estimate my running costs, I would have guessed around £40 ($50) per month. But I wasn’t sure, so I sat down to work it out and the results are listed below.

Note: many of the payments I make for this blog are annual, but monthly costs seemed easier to digest. Therefore everything is broken down into their equivalent monthly prices.

Item | Monthly Cost
Domain registration | £0.49 ($0.62)
VPS hosting | £12.00 ($15.23)
DNS hosting | £1.54 ($1.95)
WP Rocket plugin | £0.79 ($1.00)
ShortPixel credits | £0.65 ($0.83)
Updraftplus SFTP plugin | £0.79 ($1.00)
Yoast SEO plugin | £8.90 ($11.30)
Total: | £25.16 ($31.93)

That’s nearly half what I was expecting. Happy with that!

You may be thinking that all the services listed above are excessive for a personal blog like this one. And you may well be right, dear reader, but these services all have a purpose. Let’s discuss further…

Domain registration

I use Namecheap for all my domain registrations. Mainly because they’re really cheap, costing less than £8.00 ($10.00) per year for the kevq.uk domain.

They also offer domain privacy for free, so your details are hidden from the WhoIs database. I believe this is now free for all .uk domains, but Namecheap offer this service across all of their domains, no matter what the extension.

If you’re considering buying a domain name, you may want to read this post about choosing the right one.

VPS hosting

I use Ionos (formerly 1&1) as my VPS hosting provider. While they’re not the cheapest of VPS providers around, their service has been excellent for me.

Plus their servers all have the option of having the Plesk control panel installed for free, which makes managing the web server really simple. I also think that Plesk is superior to cPanel.

Ionos VPS packages

I personally have the VPS M package, which gives me an 80GB SSD, 2GB RAM and 2 virtual CPU cores. This is more than enough for my current needs, as the graphs below show…

Server CPU usage from the last 30 days
Server RAM usage from the last 30 days

£12 (~$15) per month may sound expensive, but when you look at a comparable server on Digital Ocean, the deal with Ionos is actually better.

Note: the extra £2 I pay monthly is tax.

Spec | Ionos | Digital Ocean
RAM | 2GB | 2GB
CPU | 2x vCPU | 2x vCPU
Bandwidth | Unlimited | 3TB
Storage | 80GB SSD | 60GB SSD
Control Panel | Plesk (optional) | None
Price per month | £12 ($15.23) | £11.82 ($15)

DNS hosting

DNS hosting isn’t necessary for many users. Actually, it probably isn’t necessary for me either, as I can configure DNS either using Plesk on my server, or with Namecheap.

However, I prefer to separate web and DNS hosting, and having a separate host for my DNS means I also have DDoS protection.

My DNS hosting is provided by ClouDNS. I’ve used them for years and their service really is excellent. They also have a free tier if you want to give them a try.

Like I said, external DNS hosting isn’t a necessity, but I prefer to have it.

Content Delivery Network (CDN)

My VPS is hosted in an Ionos data-centre in the UK. If you’re also in the UK, my site should load nice and quick. However, if you’re in New Zealand my site needs to be transmitted to the other side of the globe before you see it.

CDNs help with that issue by caching the majority of my site on servers distributed throughout the globe. So wherever you visit my site from, my CDN provider will connect you to the closest server to you geographically. This can significantly reduce load times.

I use Bunny CDN as I really like their pay as you go approach to charging for their service. With my traffic numbers, that’s only around 80p ($1) per month. Which is a ridiculously small amount compared to other CDN providers.

WordPress plugins

That’s the end of the external hosting charges that I pay every month. But I also have annual subscriptions to a number of premium WordPress plugins and services that keep my blog ticking along.

WP Rocket

WP Rocket is probably the best caching plugin I’ve ever used. I know there are alternative caching plugins out there, many of which are free. But what I like about WP Rocket is that it can be as simple or as complicated as you need it to be.

If you just want some basic caching, check a box in the admin UI and the WP Rocket defaults will optimise your site really well. If you’re more technical and want to go into the weeds of caching, WP Rocket will let you do that too.

WP Rocket also has CDN support out of the box. So to get this site working with Bunny CDN, all I have to do is enter my CDN pull zone into WP Rocket, and it does the rest.

WP Rocket CDN config

At the time of writing this post, the WP Rocket team are close to releasing their next version which includes font pre-loading. This is going to be huge for site owners who use their own fonts, like me.

Yoast SEO

Around £9.00 ($11.00) a month for an SEO plugin seems expensive, right? It is, and it’s a big chunk of the cost of running this blog. But SEO is crucial if you want to get organic visitors. I don’t know a great deal about SEO, but the Yoast plugin allows me to get SEO right so I can concentrate on writing content.

There is a free version of Yoast SEO, which I have used for years without issue. But the paid version has a few goodies that the free one doesn’t. Including multiple keywords, synonyms and prompts for things like internal linking.

The feature I use the most though is their readability analysis, which tells you in real-time how well written your post is.

To be honest, I could get by just fine with the free version of Yoast SEO, but I think their plugin is superb, so I wanted to support them by paying for a plugin I get so much use from.

ShortPixel

ShortPixel is a free service that optimises your images as you upload them to WordPress. Images are usually the largest part of a website, so optimisation is important to ensure your pages load quickly.

By default you get 100 free optimised images per month, but that usually isn’t enough for me, so I bought an image optimisation bundle to bolster the free credits I get.

The great thing about ShortPixel is that it can significantly reduce the size of your images without any obvious loss of quality.

Thanks go to Nathan Degruchy for the original recommendation.

Updraftplus SFTP

Backups are ridiculously important and that’s what UpdraftPlus does – it backs up WordPress. Again, this is a free plugin, but I’ve purchased an addition to UpdraftPlus that allows me to backup to my Synology NAS via SFTP.

On the free version of the plugin, you can backup locally, to an FTP server, or to services like Dropbox and Google Drive. I wouldn’t recommend using FTP though, as credentials are transmitted in the clear. That’s why I bought the SFTP add-on, as it does this securely over SSH.

Time costs of running a blog

Time is something you need to consider when running a blog, as it’s the thing you will burn the most of. The average long-form (1,000+ word) post will take me a minimum of 8 hours to research, write and edit.

I designed the theme on this blog, so development tweaks take up roughly 8 hours or so a week. Finally there’s responding to comments and engaging with readers. That’s easily another 4-5 hours a week on top.

On average I will publish around 2 posts per week, so that’s around 28 hours a week that I spend working on my blog. Most weeks are probably more than that though, as these numbers don’t include writing shorter posts, updating pages & existing posts, as well as working on new ideas for the blog.

Conclusion

In terms of money, running this blog – or any blog for that matter – doesn’t cost a great deal. The main cost of running a blog is time.

None of the plugins and services I’ve listed above are necessary for running a blog – you can easily run a basic blog on Blogger or WordPress.com for free.

But if you want the performance and flexibility a self-hosted blog provides, you’re going to have to put your hand in your pocket unfortunately. The bright side is that it doesn’t actually cost that much to run a blog. 🙂

How do you run your blog? Why not tell me about it in the comments below.

This post is day 27 of my #100DaysToOffload challenge. If you want to join in, visit the 100 Days website.

How Does Mastodon Work?

“How Does Mastodon Work?” was originally written on 04th August 2018, but I have updated it on 11th June 2020.

Before going through this post, I’d recommend reading my post on getting started with Mastodon.

I’ve spoken about Mastodon numerous times on this blog. It is the social media platform I use more than any other, but for a new user it can be confusing because it doesn’t work like other social media sites.

A new member of my Mastodon instance, Fosstodon, wrote their first post stating that they’re not really sure how it all works on Mastodon. Being the dutiful admin that I am, I pinged them back to let them know that I would find a decent guide and post a link. To my surprise, I couldn’t find a decent guide anywhere, so I decided to write one.

I’m going to try and cover all of the basics of Mastodon in this post, as well as the details of how it all works. By the end of this post, you should have a pretty good idea as to how Mastodon works. So, settle in and get a coffee, as this is going to be a long one I think.

Toot Toot

Let’s start with the basics; Mastodon works like Twitter, but with a few key differences:

  • A “Tweet” on Mastodon is called a “Toot” and you have a 500 character limit by default.
  • You can set the privacy of a Toot. The default is public, but they can also be unlisted, follower only, or direct.
  • You can also @mention other users, as well as add media, links and hashtags to your Toots.
Mastodon new toot privacy

Reply

You can, of course, reply to any Toot that you can see – after all what’s the point in having a social network if you can’t have a conversation.

Boost

If you come across a Toot that you like, you can boost that Toot. This basically re-shares that Toot to your followers.

Unlike Twitter, you cannot add your own commentary to a boosted Toot. This is by design so that a person’s Toot is only boosted in a way that gets the message they intended across.

It’s basically a way of preventing people being trolled via Boosting. E.g. you can’t add “This Kev Quirk guy is a complete moron” to one of my Toots that you have boosted (although many would probably like to).

Favourite

You can also favourite a Toot. Which basically means that you support or agree with a Toot. It’s the same as a Facebook like, or a Twitter heart.

All Toots have a set of icons below them that allow you to reply, boost or favourite. The icons look like this:

Mastodon toot actions

The Fediverse

If you read about Mastodon, you will often hear about The Fediverse, or Federation in general. This is a unique concept to Mastodon when compared to more mainstream social networks. This means that many new users are likely to find the concept of federation confusing. Let’s clear things up, shall we?

What is federation?

When you sign in to Twitter, you have a single timeline that is made up of the Tweets from the people you follow. Mastodon is different, as it has three timelines – Home, Local and Federated.

Each of these timelines has a different function that I will explain later on, but for now let’s look at how the Mastodon network communicates. The different timelines should then make more sense.

Here’s a quick video that introduces the concept of Mastodon’s federation:

To explain Mastodon federation a little better, I’m going to use email as an analogy – hopefully this will make things easier to digest.

The Mastodon network is made up of individual servers, called Instances. If we use our email analogy; think of Mastodon as email as a whole. So if Mastodon is “email”, then an Instance would be an email provider. For example, Gmail, Hotmail, or Zoho.

They’re all completely different servers that are run by completely different companies, but Gmail, Hotmail and Zoho can all send email to one another.

Mastodon is the same. My instance, Fosstodon, is run by myself and my friend Mike. Yet we can Toot with thousands of other Mastodon servers around the world that we do not run.

Mentioning people

If you want to Tweet someone on Twitter, you @mention them. It’s the same on Mastodon. If I want to Toot to my friend Mike, I can simply add his handle (@mike) to my Toot.

But what if I want to mention someone else on another Mastodon instance? Well, I would use @user@instance.name to mention them.

For example, I interact with Basil quite a lot on Mastodon, but he’s on a different instance to me. So if I want to mention him in a Toot, I would add @basil@sarcasm.stream to my Toot. If Basil wanted to mention me, he would add @kev@fosstodon.org to his Toot.

Mention Basil in a toot

Don’t worry about having to remember people’s username and instance names though. Mastodon has an auto-complete feature that helps to populate a person’s handle/instance once you start typing an @mention.

Basil mention auto-complete

How do instances connect?

If someone decides to start a new instance, how does the rest of the Fediverse know that they’re there and to start communicating with them? Well, this is where the community and federation comes in.

There are thousands of Mastodon instances all over the world, and all instances are connected by their users.

Instance A may not be aware of instance B, but if a user on instance A follows a user on instance B, instance A then knows that instance B exists and they will start communicating with one another.

Furthermore, instance A may not have known that instance C existed, but B did. So a user in instance A could then follow a user on instance C, at which point instances A and C are also federated.

I know that’s difficult to follow in text, so let’s break it down with a few diagrams:

Instance A to B federation
Instance B to C federation
Instance A, B & C federation

This process goes on and on, which causes a snowball effect of exponential growth of the Fediverse.

The timelines

Ok, now we know how the Fediverse works, let’s go back to our three timelines and take a look at what they do:

  • The Home Timeline – This is a simple one. It’s basically the same as your Twitter timeline – it’s the Toots from all the people you follow from across the Fediverse.
  • The Local Timeline – This is all of the public Toots from your instance. So whether you follow someone or not, you will see all of the activity that’s going on within your instance. This is a great way of finding new people to follow locally.
  • The Federated Timeline – This is a timeline of all Toots from all instances that your server is federated with. Again, this is a great way of finding new people to follow as it literally contains Toots from thousands of people. But be warned – the Federated timeline can contain posts that some users may find offensive.

Talking of potentially offensive Toots, that brings us quite nicely onto the next section…

Moderation tools

If you find something you don’t want to see on Mastodon, there are a number of ways to deal with it. If the Toot is particularly egregious, I would recommend reporting the Toots to your instance’s staff. They can then review the report and take appropriate action.

If you feel that a Toot is just something that you would rather not see, then there are personal moderation options available on Mastodon too.

You can see all moderation options using the three dots icon below any Toot. Within the menu, you have a number of moderation options:

  • Mute – This will stop you seeing any of the Toots from that particular account.
  • Block – This will prevent that account from being able to interact with you. It will also Mute their Toots.
  • Report – This will send a report to the staff of an Instance. They should then review the report and take appropriate action. This can be no action, a warning to the user, or banning them from the Instance.
Personal moderation options

Don’t worry Yarmo, I’m not going to block you! 🙂

Filters

You can’t really talk about how Mastodon moderation works without talking about filters.

Filters are great, because they allow you to filter out certain keywords globally. This can be swear words, or just topics you don’t want to hear about.

For example, when COVID-19 first started there was lots of chatter about it on the Fediverse. I totally understand why, but I didn’t really want to read about it on Mastodon, so I decided to filter it out until things died down.

I also filter out the #WeAreNameless hashtag, mainly because I find it confusing. To add a filter, just go to yourinstance.com/filters

Mastodon filters

Why Mastodon?

So you now know the basics of how Mastodon works, and how to use it. But why would you want to use it over something like Twitter or Facebook, and why do I use it? Here are some of the reasons why…

It’s open source

It’s open source so what, right? Well, no actually. Open source means that anyone can see the Mastodon source code to understand how it works under the hood. You can’t do this on many other social networks, so you have no idea what the site is doing in the background.

Of course, many of Mastodon’s users aren’t software developers so they won’t know what Mastodon’s source code does (myself included), but there are hundreds, or even thousands of developers out there that have seen the code for Mastodon. If it was doing anything nefarious, trust me, we would know.

Being open source gives us reassurances that our data is not being harvested, or that we’re not being spied on. Plus, if the main developer of Mastodon, Eugen, decides to hang up his keyboard, someone else can take his place and fork the project’s source code.

Chronological timeline

This may seem like a small thing, but for me it’s one of the most important features of Mastodon. You see, Facebook and Twitter have “clever” algorithms that are designed to change the order of the content you see on every refresh. This is designed to give the perception of new content, hopefully keeping you engaged longer.

That isn’t the case with Mastodon; all three of the timelines are always chronologically displayed. So you can easily see what people have Tooted from when you were last online. This means that Mastodon isn’t specifically designed to take over your life (although it does, because it’s awesome!) It easily allows you to see what has been going on since you were last online, then go about the rest of your day.

No adverts or tracking

That’s right, NO ADVERTS! No sponsored posts, no “we think you might like this” and no tracking. Mastodon is designed to bring people together, not make money. It’s that simple.

Having said that, most instances do have Patreon pages, as running a Mastodon server can get expensive. So if you use Mastodon and enjoy it, I would urge you to contribute whatever you can to your instance of choice. In my experience, the money is often used to improve the project.

On Fosstodon, we use any donations over and above our ongoing fees to make donations to various open source projects. Which projects we donate to is decided by those who donate.

No single owner

Because Mastodon uses a collection of instances, you’re not at the beck and call of one site owner. If you don’t like the direction an Instance is taking, you can pack your virtual bags and go. Mastodon even has a migration tool that allows you to migrate your account from one instance to another.

Interest specific, but not really

The beauty of having different instances is that many of them are aligned to one interest or niche. For example my instance, Fosstodon, is specific to Free and Open Source Software (FOSS), hence the name. However, we encourage the users of Fosstodon to talk about all sorts of interesting things, not just open source software.

So although all the members of our instance have a common interest (FOSS), there are lots of topics that get discussed regularly. There are also many generalist instances that you can join if you wish. These are more like Twitter in that they don’t have a specific interest underpinning them.

Remember, you can also follow people who have different interests on other instances, so your home timeline can be extremely diverse – I know mine is!

Finding an instance

There are thousands of Mastodon Instances across the Fediverse, so how do you find the right one? Well, finding the right one is very difficult. The Mastodon homepage has a signup section which displays a number of key instances within specific niches.

Here are some recommendations based off of my interactions with the many interesting people on the Fediverse:

If none of the instances above work for you, you can take a look at Instances.Social which is basically a search engine for Mastodon instances. However, I’ve always found the site awkward to use as it doesn’t have many filtering options.

Mobile apps

There are a number of mobile apps available for Mastodon. I have tried many of them for both Android and iOS. My recommendations would be Tusky for Android and Toot! for iOS.

However, if you want to check out all the other apps that are available, including desktop apps, take a look here.

Final thoughts

Hopefully by now you have a decent grasp on how Mastodon works. Mastodon is awesome; it’s full of friendly, interesting people. There is no tracking and no adverts, which is a bonus.

Like most social sites, there are trolls out there – it wouldn’t be the Internet without them! But the moderation tools within Mastodon make it a great place to be generally.

Hopefully this guide will help get you started with Mastodon, but if you have any other questions that this guide doesn’t cover, feel free to leave a comment below, or get in touch, and I’ll do my best to help.

Finally, if you’re already on Mastodon and want to follow me, you can do so here.

Centralisation and Mastodon

The founder of Mastodon recently announced that he has started a second flagship instance. Is it a good thing to have flagship instances, or does the centralisation of Mastodon do more harm than good?

New flagship instance announcement

Many users of the Mastodon network have long said that the flagship instance, Mastodon.social, goes against the fundamental concept of a decentralised social network.

The problem with Mastodon centralisation

According to The Federation website, Mastodon currently has approximately 2.6 million users across all instances. The top 3 instances account for nearly 1.5 million of those users.

That’s nearly 60% of the entire Mastodon network! That doesn’t sound like much of a decentralised network to me.

I think Eugen did the right thing by not letting Mastodon.social grow even bigger. By creating another instance, there is still an “official” Mastodon instance that’s accepting new users. It also means that people aren’t putting all their eggs in Mastodon.social’s basket.

Why is this a problem?

Having the majority of users being spread across a handful of instances is better than everyone being on 1 instance. Right? I think so. However, having such a small number of instances housing a disproportionally large amount of the network’s total user base is a problem.

Let’s say that Mastodon’s biggest instance, Pawoo, decided to close down tomorrow. That’s over 600 thousand users who need to find a new home. Luckily Mastodon allows its users to migrate to other instances, which is great. But many instances would not be able to scale quickly enough to support those kinds of numbers, potentially causing a DDoS of our own network and bringing the entire thing crashing down.

Not only would we have over half a million users without a home on the Fediverse, but instances all over the network could potentially go down with the amount of traffic they’re being hit with.

Bad times.

What can we do to help?

The short answer to this question is: use other instances to truly distribute this network of ours. This will help prevent the centralisation of Mastodon.

It’s great that we have these flagship instances, as it shows new users that Mastodon is a popular network and they won’t be joining a ghost town. However, by joining other instances you’re spreading the load, thus creating a truly distributed social network.

I don’t think we have a distributed social network at the moment. Instead we have a handful of very popular instances that are surrounded by much smaller satellites.

All instances on the Mastodon network have the ability to communicate with one another, so by choosing a smaller instance, or even starting your own, you’re not missing out.

Conclusion

I applaud Eugen’s decision to create a new Mastodon instance – I think it’s just what the Fediverse needs.

If you’re thinking about joining Mastodon, don’t just join the first instance you come across. Take a look at the sign up section of the Mastodon homepage. There is a list of alternative instances that you can join, all arranged by topic.

In my opinion, Mastodon is a huge improvement over sites like Twitter and Facebook. But I think there are still things we can do to make Mastodon even better.

What do you think?

This post is day 26 of my #100DaysToOffload challenge. If you want to join in, visit the 100 Days website.