Techie Feeds

SMBs lack resources to defend against cyberattacks, plus pay more in the aftermath

Malwarebytes - Thu, 10/31/2019 - 21:41

Cyberattacks, many have noted, are the fastest growing economic crime not only in the United States, but also around the world. This upward trend has been observed since 2014, according to PricewaterhouseCoopers (PwC), and won’t likely be slowing down anytime soon.

Cyberattacks—much like the advancement of technology, the interweaving of digital lives among familiars and strangers via social networks, and the broadening adoption of the Internet—are here to stay.

As much as the Internet has changed individual lives on the planet—for better or for worse—it’s changed the way people do business even more. The current reality is that a business is not much of a business if it’s not online. Even local small businesses, such as restaurants, home renovation companies, or dance studios, require some kind of Internet presence to flourish.

However, stepping into the online realm as a business is, in itself, a double-edged sword. While the visibility the Internet affords entrepreneurs almost guarantees growth, on the flip side, organizations also put themselves at risk of Internet-borne threats. Online retailers may run afoul of web skimming tactics. Online publishers and bloggers using content management systems can be hacked, or their advertisements poisoned via malvertising. Even simply opening emails can put an enterprise at risk.

Organizations of all sizes must understand that in today’s world, cyberattacks are an inevitability.

Unfortunately, a majority of small- to medium-sized businesses (SMBs) are unprepared for any form of digital assault, much less aware of its inevitability. In the end, some affected organizations emerge from an attack with such excessive losses that they are put out of business—permanently.

So exactly how unprepared are SMBs for an eventual cyberattack? To help paint a picture of their current cybersecurity posture, we gathered a few noteworthy statistics. Suffice to say, they aren’t good.

Cybersecurity posture of SMBs

We took a look at several factors impacting SMB cybersecurity, from rate of incidents and staff shortages to costs shouldered after an attack. Here’s how they pan out:

Cyber incidents

Non-enterprise businesses reported more cyber incidents in 2019 compared to the previous year, according to the Hiscox Cyber Readiness Report.

  • For small businesses reporting one or more cyber incidents, the proportion has increased from 33 percent of respondents to 47 percent.
  • For medium-sized businesses, the increase is even greater, moving from 36 percent in 2018 to 63 percent in 2019.
  • Verizon’s 2019 Data Breach Investigations Report found that 43 percent of all breach victims were small businesses.

Lack of resources

SMBs typically have fewer resources for cybersecurity protection, whether that’s a smaller budget for software solutions or overtaxed or undertrained IT staff. This can result in negligence that ultimately leads to breach.

  • On average, an SMB can face up to 5,000 security alerts per day, yet only 55.6 percent of them investigate these alerts, according to Cisco.
  • According to the Keeper Security-Ponemon Institute report, 6 out of 10 SMBs report that attacks against them are more targeted, sophisticated, and damaging; yet 47 percent of them have no idea how to protect their companies from cyberattack.
  • 52 percent of SMBs claim they don’t have an in-house IT professional on staff, according to Untangle’s 2019 SMB IT Security Report.
  • Untangle also found that 48 percent of organizations claim that limited budget is one of a handful of barriers they face when it comes to IT security.

Cost of an attack

  • SMBs shoulder a heftier cost relative to their size compared to larger organizations, per IBM’s Cost of a Data Breach Report.
  • Organizations with a headcount between 500 and 1,000 shelled out an average of US$2.65 million in total data breach costs.
  • The total cost for organizations with more than 25,000 employees averaged $204 per employee, whereas organizations with between 500 and 1,000 employees had an average cost of $3,533 per employee.

Interestingly, two independently published reports, namely Cisco’s Small and Mighty special report on small and mid-market businesses and Keeper Security and the Ponemon Institute’s State of Cybersecurity in Small & Medium Size Businesses, reflected a similar range of costs.

In the same Small and Mighty report, Cisco also reveals that SMBs are more likely to give in to paying threat actors their ransom demands as they cannot operate without access to critical data and cannot afford the usual 8+ hours of downtime.

Top SMB threats and ways to fight them

Does this mean SMBs should stay away from the Internet? Clearly, that’s not the answer. However, if organizations large and small don’t take steps to secure their businesses against cyberattacks, they’re not only putting themselves at risk for profit loss, but may be stunting global economic growth. According to Accenture, a trusted digital economy could stimulate an additional 2.8 percent growth in organizations over the next five years, translating into $5.2 trillion in value creation opportunities for society as a whole.

Yet SMBs face sophisticated cyberattack methods with far fewer resources than large enterprise organizations to fight them. We list a few of the top SMB threats below, as well as our recommendations for the best ways to combat them—keeping in mind budget and staff constraints.

Malware

When it comes to online threats, malicious attacks by cybercriminals via malware still rank as the top challenge for SMBs in several reports. In most cases, not only is malware difficult to detect, but it’s also costly to remediate and mitigate. Whatever the threat is, let’s not forget that potential threat actors are motivated toward financial gain via extortion, coercion, fraud, or stealing sensitive and classified information that can be sold to the highest bidder.

In 2019, SMBs have been especially impacted by ransomware and Trojans, such as Emotet and TrickBot, according to our product telemetry.

Recommendations: To address the challenge of sophisticated malware attacks, SMBs should first and foremost create a backup plan so that they won’t lose critical data in the event of a ransomware attack. Data can be safely stored to the cloud and accessed anywhere, should machines be frozen out in an attack. In addition, purchasing a budget-friendly endpoint protection solution that blocks sophisticated attacks can help carry some of the load in place of a highly-trained IT staff.

Web-based attacks

Based on Accenture’s The Cost of Cybercrime report, web-based attacks are among the top reasons why businesses lose revenue. Such attacks normally make use of an Internet browser and an SMB’s official website as the attack launchpad to perform criminal acts, such as accessing and stealing confidential client information or compromising the site to make it infect visitors. Examples of web-based attacks are cross-site scripting (XSS), drive-by downloads, and SQL injection (SQLi).

Recommendations: The majority of web-based attacks start off when threat actors attempt to manipulate or tamper with a website’s functionality using code as input to entry fields. Preventing such code from rendering is a general security measure that SMBs could begin adopting. This way, businesses can have better control over the types of user input their websites accept and render when someone interacts with them.

For SMBs, mitigating web-based attacks and threats may involve inviting a security professional to audit their website’s code for potential gaps that miscreants can exploit, and advising on how best to address them. While we’re on the subject of coding, SMBs such as app developers or others with programming staffs will want to make it a priority to train on how to code well with security in mind.

Distributed denial of service (DDoS) attacks

DDoS attacks often result in extended downtime for business websites, and that’s never good for the targeted organization. This means clients are denied access to the site, which stops them from transacting with the business, and the business loses precious opportunity, money, and productivity.

Recommendations: Perhaps the easiest way a business can thwart DDoS attacks is to use the services of a good content delivery network (CDN). However, prevention can also be done in-house without breaking the bank. Expect a DDoS to happen in the future and plan ahead for it. Establish workplace protocols on what to do in the event of a DDoS attack on your company’s website. If you can, include in the planning phase what, how, and when you would communicate with your clients about a website outage caused by this attack.

Phishing and social engineering attacks

A whopping 85 percent of organizations experience this type of attack, especially now that the top threats to businesses, Emotet, Trickbot, and various ransomware families, are often delivered via phishing email. With fraudsters and social engineers getting wilier, their tactics are getting more sophisticated and polished. And we can expect this to increase unless businesses start taking these threats seriously.

Recommendations: Train all members of staff. There are some simple methods you can use to help employees identify phishing emails vs. legitimate ones. Many examples of phishing emails and current scams exist online. Make cybersecurity awareness a top priority. Step it up by creating an intentional culture of security within the company.

Insider threats

Dangers posed by current and former employees with malicious intent will always loom over SMB executives. However, insider threats are not just limited to the obvious. Often, it’s staff who are negligent or inattentive, or who abuse their privileges, who become accidental insiders and trigger a data breach.

Recommendations: The topic of insider threats must be included in every cybersecurity training staff undergoes. Doing so likely decreases the number of accidental insiders, but it does not address deliberately lax or professional insiders. For those, implementing controls can further minimize insider threat incidents.

Remote workers

Whether remote workers like it or not, they are a risk to their organizations. Sadly, many organizations are unaware of this and do not realize the magnitude of the risk remote workers pose to company assets, including intellectual property, as well as customer, staff, and vendor information. As such, they fail to conform to best practices set by the US Small Business Administration, and they fail to implement the most basic of cybersecurity measures.

Recommendations: Education and policies, once again, play a role in securing an SMB’s remote workers.

Long term effects of cyberattacks

Many from the outside looking in may assume that once organizations are back up and running after a data breach, apart from a few hiccups, business will continue as normal. Nothing could be further from the truth.

Depending on how much damage a data breach has caused a business in total, it may take a while for them to regain what they lost and become profitable again. Sometimes, SMBs feel the consequences of a breach for years. This includes damage to the business’s reputation and loss of trust from current and potential clients.

The best course of action SMBs can take after a cyberattack is to learn from their experience by improving their overall cybersecurity posture and state of cyber readiness going forward. Make cybersecurity and privacy a priority. Create multiple backups of your most sensitive data. Regularly monitor and conduct risk assessments. Educate workers. Lastly, make sure that all devices connecting to your network are properly configured and protected with anti-malware software and strong encryption protocols.

Stay safe!

The post SMBs lack resources to defend against cyberattacks, plus pay more in the aftermath appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Help prevent disaster donation scams from causing more misery

Malwarebytes - Wed, 10/30/2019 - 20:36

It’s a sad day when we have to warn people about medical charity scams, or tax fakeouts, or even have a week dedicated to foiling charity fraud—but here we are. With so many natural disasters occurring, from wildfires in California to tornadoes in Dallas, disaster donation scams remain a top resource for scammers looking for free cash.

Unfortunately, disaster donation scams are nothing new. Back in 2013, I spent many hours tracking and shutting down fake charity scams focused on Typhoon Haiyan and many more. Some of those tricks from way back when are still in use, and we need to do what we can to inform and ward off potential attacks.

Avoiding fake disaster donation scams: part 1

A handy list of tips has been posted to KQED, detailing all the ways you can steer clear of these scams. While many of them may seem obvious to regular readers of this blog, there are always folks out there who haven’t heard of these, much less realize that people are actively trying to rip them off through charitable causes.

If you have relatives who donate after a disaster (or just donate generally), feel free to send this post their way. To summarize the tips quickly, and of particular note:

  • Keep track of payments to charitable organizations
  • Watch your payment method: don’t make donations via cash, gift card, or by wiring money
  • Steer clear of pressure—especially in relation to paying “as soon as possible”

Avoiding fake disaster donation scams: part 2

I’d also like to add some of my own suggestions, based on things I’ve experienced while tackling these scams and talking about them at events through the years.

  1. Door-to-door visits should always be treated with caution. At the bare minimum, they should have a recognisable badge, and a way to verify they are who they say they are. I don’t think I’ve ever run into a house call where you couldn’t take a leaflet or web address and go make the donation in your own time. If they really, desperately need the money now? Ask yourself why and then do some digging once they’ve gone. If you think it’s all a bit suspicious after that, report it to the most appropriate contact point.
  2. Cold calling is a popular pastime of donation scammers. It’s easier than ever to spoof caller ID, so simply matching numbers to legitimate sources on official websites is not 100 percent foolproof. I’ve mentioned the infamous FEMA cleanup crews in the past, and they’re often one of the first scams to hit the ground running. Be on the lookout for similar fakeouts involving Red Cross, United Nations, UNICEF, and more. If it’s a big name, it’s a potential target. Again: don’t be pressured into handing over payment details to cold callers. It’s worth noting that fake websites abound, both on free and paid hosting.
  3. Scammers will often pretend to be a charity organisation, sending missives claiming to be Red Cross or Salvation Army, or pretty much anyone else they think may be relevant to a disaster. Nothing odd there. However, what they will do is frequently include a real email address in their request for money. Why? To keep things looking as real as possible. The sting in the tail is where they also insist you CC an email address belonging to the scammer when you send bank details, because “high server load” may mean the real address never gets the reply. They’ll also request you give them a week or two to reply as they’re experiencing high volume of mail. This is also just a way to get you to leave them alone for a week as they happily plunder your bank account without question.
  4. Scammers will exploit the fear of lost/missing relatives to make more money. They’ll post up pictures of missing people culled from news services and ask for money to “help find them.” They’ll make use of those fun automatic newspaper headline generators to present you with fake headlines about rewards if only you send X amount of cash to Y (also a tactic used by 419 scammers). Relatives will naturally post lots of personal information to social media, and scammers will happily use that, too, in their social engineering exploits. I saw this a lot during Typhoon Haiyan, a problem exacerbated by people not really being familiar with genuine ways to locate missing people. Myself and others made extensive use of Google’s crisis map and their person finder to help steer people away from fakes. Note that these services are still operational whenever they may be needed, and there are many other ways to attempt reunification without being ripped off.
  5. Finally, never underestimate how weird the scams may be in their attempt to pull the rug from under you. “Whale crashes into building” was a popular social media scam back in 2011, because the more sensational-sounding viral a video you have the better. “Earthquake relief” via the promise of a few clicks went a long way to making someone money and not much else. There’s “miracle escapes” which often aren’t, rogue installs, and even Twitter spambots firing out links to expensive “radiation health” ebooks. They’ll do whatever it takes.

Report scammers

I’ll leave you with a few more links, so you can report anything suspicious that comes your way, or at least use the below as a way to get your information where it needs to be:

Scammers hope a combination of tragedy and your sympathy will provide them with the keys to your bank account. Any and all donations given to criminals are potentially causing misery and loss of life where the money is actually needed, so it’s down to all of us to step up and tackle this scourge head on.

The post Help prevent disaster donation scams from causing more misery appeared first on Malwarebytes Labs.

Dweb: Building Cooperation and Trust into the Web with IPFS

Mozilla Hacks - Wed, 08/29/2018 - 14:43

In this series we are covering projects that explore what is possible when the web becomes decentralized or distributed. These projects aren’t affiliated with Mozilla, and some of them rewrite the rules of how we think about a web browser. What they have in common: These projects are open source, and open for participation, and share Mozilla’s mission to keep the web open and accessible for all.

Some projects start small, aiming for incremental improvements. Others start with a grand vision, leapfrogging today’s problems by architecting an idealized world. The InterPlanetary File System (IPFS) is definitely the latter – attempting to replace HTTP entirely, with a network layer that has scale, trust, and anti-DDOS measures all built into the protocol. It’s our pleasure to have an introduction to IPFS today from Kyle Drake, the founder of Neocities, and Marcin Rataj, the creator of IPFS Companion, both on the IPFS team at Protocol Labs. –Dietrich Ayala

IPFS – The InterPlanetary File System

We’re a team of people all over the world working on IPFS, an implementation of the distributed web that seeks to replace HTTP with a new protocol that is powered by individuals on the internet. The goal of IPFS is to “re-decentralize” the web by replacing the location-oriented HTTP with a content-oriented protocol that does not require trust of third parties. This allows for websites and web apps to be “served” by any computer on the internet with IPFS support, without requiring servers to be run by the original content creator. IPFS and the distributed web unmoor information from physical location and singular distribution, ultimately creating a more affordable, equal, available, faster, and less censorable web.

IPFS aims for a “distributed” or “logically decentralized” design. IPFS consists of a network of nodes, which help each other find data using a content hash via a Distributed Hash Table (DHT). The result is that all nodes help find and serve web sites, and even if the original provider of the site goes down, you can still load it as long as one other computer in the network has a copy of it. The web becomes empowered by individuals, rather than depending on the large organizations that can afford to build large content delivery networks and serve a lot of traffic.

The IPFS stack is an abstraction built on top of IPLD and libp2p.

Hello World

We have a reference implementation in Go (go-ipfs) and a constantly improving one in JavaScript (js-ipfs). There is also a long list of API clients for other languages.

Thanks to the JS implementation, using IPFS in web development is extremely easy. The following code snippet…

  • Starts an IPFS node
  • Adds some data to IPFS
  • Obtains the Content IDentifier (CID) for it
  • Reads that data back from IPFS using the CID

<script src="https://unpkg.com/ipfs/dist/index.min.js"></script>
Open Console (Ctrl+Shift+K)
<script>
  const ipfs = new Ipfs()
  const data = 'Hello from IPFS, <YOUR NAME HERE>!'

  // Once the ipfs node is ready
  ipfs.once('ready', async () => {
    console.log('IPFS node is ready! Current version: ' + (await ipfs.id()).agentVersion)

    // convert your data to a Buffer and add it to IPFS
    console.log('Data to be published: ' + data)
    const files = await ipfs.files.add(ipfs.types.Buffer.from(data))

    // 'hash', known as CID, is a string uniquely addressing the data
    // and can be used to get it again. 'files' is an array because
    // 'add' supports multiple additions, but we only added one entry
    const cid = files[0].hash
    console.log('Published under CID: ' + cid)

    // read data back from IPFS: CID is the only identifier you need!
    const dataFromIpfs = await ipfs.files.cat(cid)
    console.log('Read back from IPFS: ' + String(dataFromIpfs))

    // Compatibility layer: HTTP gateway
    console.log('Bonus: open at one of public HTTP gateways: https://ipfs.io/ipfs/' + cid)
  })
</script>

That’s it!

Before diving deeper, let’s answer key questions:

Who else can access it?

Everyone with the CID can access it. Sensitive files should be encrypted before publishing.
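
The advice to encrypt before publishing, worked through as an added example (not code from the original post or from the IPFS project). It runs in Node.js with only the built-in crypto module; `contentAddress` is a simplified stand-in for a CID (a bare SHA-256 of the bytes, not the real CID encoding), and the in-memory `swarm` map stands in for the public network.

```javascript
// Added example: encrypt-before-publish on content-addressed storage.
// Assumptions: contentAddress() is a simplified stand-in for an IPFS CID
// (plain SHA-256 hex, not the real CID encoding), and `swarm` is an
// in-memory stand-in for peers that anyone can query.
const { createHash, randomBytes, createCipheriv, createDecipheriv } = require('crypto');

const swarm = new Map(); // address -> bytes, readable by anyone who knows the address

function contentAddress(bytes) {
  return createHash('sha256').update(bytes).digest('hex');
}

function publish(bytes) {
  const address = contentAddress(bytes);
  swarm.set(address, Buffer.from(bytes));
  return address;
}

// Bytes can come from any peer, so re-hash them and compare with the address.
function fetchVerified(address) {
  const bytes = swarm.get(address);
  if (!bytes) throw new Error('not found');
  if (contentAddress(bytes) !== address) throw new Error('content does not match address');
  return bytes;
}

// AES-256-GCM. Output layout: 12-byte nonce | 16-byte auth tag | ciphertext.
function seal(key, plaintext) {
  const nonce = randomBytes(12); // fresh nonce for every message under a key
  const cipher = createCipheriv('aes-256-gcm', key, nonce);
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([nonce, cipher.getAuthTag(), body]);
}

function unseal(key, sealed) {
  const decipher = createDecipheriv('aes-256-gcm', key, sealed.subarray(0, 12));
  decipher.setAuthTag(sealed.subarray(12, 28));
  // final() throws if the key is wrong or the ciphertext was altered
  return Buffer.concat([decipher.update(sealed.subarray(28)), decipher.final()]);
}

function demo() {
  const secret = Buffer.from('payroll-2019.csv: constructed sample data');
  const key = randomBytes(32); // never published; shared with readers out of band

  const plainAddress = publish(secret);             // what the warning is about
  const sealedAddress = publish(seal(key, secret)); // what should be published

  // Anyone holding the address of the plaintext copy can read it.
  const leaked = fetchVerified(plainAddress).toString();

  // The sealed copy is just as public, but only key holders can open it.
  const opaque = fetchVerified(sealedAddress);
  const recovered = unseal(key, opaque).toString();

  let wrongKeyRejected = false;
  try { unseal(randomBytes(32), opaque); } catch (err) { wrongKeyRejected = true; }

  // A peer that serves different bytes under the same address is caught
  // by the hash check before decryption is even attempted.
  const altered = Buffer.from(opaque);
  altered[altered.length - 1] ^= 1;
  swarm.set(sealedAddress, altered);
  let swapDetected = false;
  try { fetchVerified(sealedAddress); } catch (err) { swapDetected = true; }

  return {
    leaked,
    recovered,
    opaqueContainsSecret: opaque.includes(secret),
    wrongKeyRejected,
    swapDetected,
  };
}

console.log(demo());
```

Because published data cannot be recalled from other peers, the key is the only access control left after publishing; losing control of it exposes every copy already in the swarm.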

How long will this content exist? Under what circumstances will it go away? How does one remove it?

The permanence of content-addressed data in IPFS is intrinsically bound to the active participation of peers interested in providing it to others. It is impossible to remove data from other peers but if no peer is keeping it alive, it will be “forgotten” by the swarm.

The public HTTP gateway will keep the data available for a few hours — if you want to ensure long term availability make sure to pin important data at nodes you control. Try IPFS Cluster: a stand-alone application and a CLI client to allocate, replicate and track pins across a cluster of IPFS daemons.

Developer Quick Start

You can experiment with js-ipfs to make simple browser apps. If you want to run an IPFS server you can install go-ipfs, or run a cluster, as we mentioned above.

There is a growing list of examples, and make sure to see the bi-directional file exchange demo built with js-ipfs.

You can add IPFS to the browser by installing the IPFS Companion extension for Firefox.

Learn More

Learn about IPFS concepts by visiting our documentation website at https://docs.ipfs.io.

Readers can participate by improving documentation, visiting https://ipfs.io, developing distributed web apps and sites with IPFS, and exploring and contributing to our git repos and various things built by the community.

A great place to ask questions is our friendly community forum: https://discuss.ipfs.io.
We also have an IRC channel, #ipfs on Freenode (or #freenode_#ipfs:matrix.org on Matrix). Join us!

The post Dweb: Building Cooperation and Trust into the Web with IPFS appeared first on Mozilla Hacks - the Web developer blog.

Dweb: Building a Resilient Web with WebTorrent

Mozilla Hacks - Wed, 08/15/2018 - 14:49

In this series we are covering projects that explore what is possible when the web becomes decentralized or distributed. These projects aren’t affiliated with Mozilla, and some of them rewrite the rules of how we think about a web browser. What they have in common: These projects are open source, and open for participation, and share Mozilla’s mission to keep the web open and accessible for all.

The web is healthy when the financial cost of self-expression isn’t a barrier. In this installment of the Dweb series we’ll learn about WebTorrent – an implementation of the BitTorrent protocol that runs in web browsers. This approach to serving files means that websites can scale with as many users as are simultaneously viewing the website – removing the cost of running centralized servers at data centers. The post is written by Feross Aboukhadijeh, the creator of WebTorrent, co-founder of PeerCDN and a prolific NPM module author… 225 modules at last count! –Dietrich Ayala

What is WebTorrent?

WebTorrent is the first torrent client that works in the browser. It’s written completely in JavaScript – the language of the web – and uses WebRTC for true peer-to-peer transport. No browser plugin, extension, or installation is required.

Using open web standards, WebTorrent connects website users together to form a distributed, decentralized browser-to-browser network for efficient file transfer. The more people use a WebTorrent-powered website, the faster and more resilient it becomes.

Architecture

The WebTorrent protocol works just like the BitTorrent protocol, except it uses WebRTC instead of TCP or uTP as the transport protocol.

In order to support WebRTC’s connection model, we made a few changes to the tracker protocol. Therefore, a browser-based WebTorrent client or “web peer” can only connect to other clients that support WebTorrent/WebRTC.

Once peers are connected, the wire protocol used to communicate is exactly the same as in normal BitTorrent. This should make it easy for existing popular torrent clients like Transmission and uTorrent to add support for WebTorrent. Vuze already has support for WebTorrent!

Getting Started

It only takes a few lines of code to download a torrent in the browser!

To start using WebTorrent, simply include the webtorrent.min.js script on your page. You can download the script from the WebTorrent website or link to the CDN copy.

<script src="webtorrent.min.js"></script>

This provides a WebTorrent function on the window object. There is also an npm package available.

var client = new WebTorrent()

// Sintel, a free, Creative Commons movie
var torrentId = 'magnet:...' // Real torrent ids are much longer.

var torrent = client.add(torrentId)

torrent.on('ready', () => {
  // Torrents can contain many files. Let's use the .mp4 file
  var file = torrent.files.find(file => file.name.endsWith('.mp4'))

  // Display the file by adding it to the DOM.
  // Supports video, audio, image files, and more!
  file.appendTo('body')
})

That’s it! Now you’ll see the torrent streaming into a <video> tag in the webpage!

Learn more

You can learn more at webtorrent.io, or by asking a question in #webtorrent on Freenode IRC or on Gitter. We’re looking for more people who can answer questions and help people with issues on the GitHub issue tracker. If you’re a friendly, helpful person and want an excuse to dig deeper into the torrent protocol or WebRTC, then this is your chance!

The post Dweb: Building a Resilient Web with WebTorrent appeared first on Mozilla Hacks - the Web developer blog.

Dweb: Social Feeds with Secure Scuttlebutt

Mozilla Hacks - Wed, 08/08/2018 - 16:01

In the series introduction, we highlighted the importance of putting people in control of their social interactions online, instead of allowing for-profit companies to be the arbiters of hate speech or harassment. Our first installment in the Dweb series introduces Secure Scuttlebutt, which envisions a world where users are in full control of their communities online.

In the weeks ahead we will cover a variety of projects that represent explorations of the decentralized/distributed space. These projects aren’t affiliated with Mozilla, and some of them rewrite the rules of how we think about a web browser. What they have in common: These projects are open source, and open for participation, and share Mozilla’s mission to keep the web open and accessible for all.

This post is written by André Staltz, who has written extensively on the fate of the web in the face of mass digital migration to corporate social networks, and is a core contributor to the Scuttlebutt project. –Dietrich Ayala

Getting started with Scuttlebutt

Scuttlebutt is a free and open source social network with unique offline-first and peer-to-peer properties. As a JavaScript open source programmer, I discovered Scuttlebutt two years ago as a promising foundation for a new “social web” that provides an alternative to proprietary platforms. The social metaphor of mainstream platforms is now a more popular way of creating and consuming content than the Web is. Instead of attempting to adapt existing Web technologies for the mobile social era, Scuttlebutt allows us to start from scratch the construction of a new ecosystem.

A local database, shared with friends

The central idea of the Secure Scuttlebutt (SSB) protocol is simple: your social account is just a cryptographic keypair (your identity) plus a log of messages (your feed) stored in a local database. So far, this has no relation to the Internet: it is just a local database where your posts are stored in an append-only sequence, which lets you write status updates like you would in a personal diary. SSB becomes a social network when those local feeds are shared among computers through the internet or through local networks. The protocol supports peer-to-peer replication of feeds, so that you can have local (and full) copies of your friends’ feeds, and update them whenever you are online. One implementation of SSB, Scuttlebot, uses Node.js and allows UI applications to interact with the local database and the network stack.
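
The feed model described above, as an added example that is not part of the original post or of Scuttlebot: a minimal append-only log in Node.js in which every entry is signed with the author's Ed25519 key and names the hash of the entry before it, plus the check a replicating peer would run. The field names and JSON encoding are simplified assumptions for illustration, not the SSB message format.

```javascript
// Added example: a signed, hash-linked, append-only feed.
// Assumption: field names and JSON encoding are simplified for
// illustration and are not the SSB wire format.
const { generateKeyPairSync, sign, verify, createHash } = require('crypto');

function hashEntry(entry) {
  return createHash('sha256').update(JSON.stringify(entry)).digest('base64');
}

// An identity is a keypair; a feed is that identity plus its log.
function createFeed() {
  const { publicKey, privateKey } = generateKeyPairSync('ed25519');
  return { publicKey, privateKey, log: [] };
}

function append(feed, content) {
  const last = feed.log[feed.log.length - 1];
  const body = {
    previous: last ? hashEntry(last) : null, // link to the entry before
    sequence: feed.log.length + 1,
    content,
  };
  const signature = sign(null, Buffer.from(JSON.stringify(body)), feed.privateKey)
    .toString('base64');
  const entry = { ...body, signature };
  feed.log.push(entry);
  return entry;
}

// What a peer runs on a replicated copy: it needs only the public key.
function verifyLog(publicKey, log) {
  let previous = null;
  for (let i = 0; i < log.length; i++) {
    const { signature, ...body } = log[i];
    if (body.sequence !== i + 1) return { ok: false, at: i + 1, reason: 'sequence gap' };
    if (body.previous !== previous) return { ok: false, at: i + 1, reason: 'broken link' };
    const valid = verify(null, Buffer.from(JSON.stringify(body)), publicKey,
      Buffer.from(signature, 'base64'));
    if (!valid) return { ok: false, at: i + 1, reason: 'bad signature' };
    previous = hashEntry(log[i]);
  }
  return { ok: true, length: log.length };
}

function demo() {
  const alice = createFeed();
  ['Hello world', 'Second post', 'Third post'] // constructed sample posts
    .forEach(text => append(alice, { type: 'post', text }));

  // A mirror or friend holds a serialized copy of the log.
  const copy = () => JSON.parse(JSON.stringify(alice.log));

  // Case 1: an intermediary rewrites the text of entry 2.
  const edited = copy();
  edited[1].content.text = 'Words Alice never wrote';

  // Case 2: an intermediary withholds entry 2.
  const withheld = copy();
  withheld.splice(1, 1);

  // Case 3: someone without Alice's private key extends her feed.
  const impostor = { ...createFeed(), log: copy() };
  append(impostor, { type: 'post', text: 'Forged post' });

  return {
    honest: verifyLog(alice.publicKey, copy()),
    edited: verifyLog(alice.publicKey, edited),
    withheld: verifyLog(alice.publicKey, withheld),
    forged: verifyLog(alice.publicKey, impostor.log),
  };
}

console.log(demo());
```

The checks show that a replica can be stored and relayed by parties the reader does not trust: the signature binds each entry to the keypair, and the sequence number and link expose missing or reordered entries.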

Using Scuttlebot

While SSB is being implemented in multiple languages (Go, Rust, C), its main implementation at the moment is the npm package scuttlebot and Electron desktop apps that use Scuttlebot. To build your own UI application from scratch, you can set up Scuttlebot plus a localhost HTTP server to render the UI in your browser.

Run the following npm command to add Scuttlebot to your Node.js project:

npm install --save scuttlebot

You can use Scuttlebot locally using the command line interface, to post messages, view messages, connect with friends. First, start the server:

$(npm bin)/sbot server

In another terminal you can use the server to publish a message in your local feed:

$(npm bin)/sbot publish --type post --text "Hello world"

You can also consume invite codes to connect with friends and replicate their feeds. Invite codes are generated by pub servers owned by friends in the community, which act as mirrors of feeds in the community. Using an invite code means the server will allow you to connect to it and will mirror your data too.

$(npm bin)/sbot invite.accept $INSERT_INVITE_CODE_HERE

To create a simple web app to render your local feed, you can start the scuttlebot server in a Node.js script (with dependencies ssb-config and pull-stream), and serve the feed through an HTTP server:

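// server.js
const fs = require('fs');
const http = require('http');
const pull = require('pull-stream');
const sbot = require('scuttlebot/index').call(null, require('ssb-config'));

http
  .createServer((request, response) => {
    if (request.url.endsWith('/feed')) {
      pull(
        // Read the 100 most recent messages from the local database
        sbot.createFeedStream({live: false, limit: 100}),
        pull.collect((err, messages) => {
          if (err) {
            // Do not send a partial or undefined feed to the browser
            response.statusCode = 500;
            response.end();
            return;
          }
          response.setHeader('Content-Type', 'application/json');
          response.end(JSON.stringify(messages));
        }),
      );
    } else {
      response.end(fs.readFileSync('./index.html'));
    }
  })
  // Bind to the loopback address so the feed is served to this machine only
  .listen(9000, '127.0.0.1');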

Start the server with node server.js, and upon opening localhost:9000 in your browser, it should serve the index.html:

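<html>
<body>
<h1>Feed</h1>
<ul id="feed"></ul>
<script>
  fetch('/feed')
    .then(res => res.json())
    .then(messages => {
      const list = document.getElementById('feed');
      messages
        .filter(msg => msg.value.content.type === 'post')
        .forEach(msg => {
          // Feeds replicated from peers are untrusted input: use textContent,
          // not innerHTML, so markup inside a post is shown as text
          const item = document.createElement('li');
          item.textContent = `${msg.value.author} said: ${msg.value.content.text}`;
          list.appendChild(item);
        });
    });
</script>
</body>
</html>

Learn more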

SSB applications can accomplish more than social messaging. Secure Scuttlebutt is being used for Git collaboration, chess games, and managing online gatherings.

You can build your own applications on top of SSB by creating or using plug-ins for specialized APIs or different ways of querying the database. See secret-stack for details on how to build custom plugins. See flumedb for details on how to create custom indexes in the database. Also there are many useful repositories in our GitHub org.

To learn about the protocol that all of the implementations use, see the protocol guide, which explains the cryptographic primitives used, and data formats agreed on.

Finally, don’t miss the frontpage Scuttlebutt.nz, which explains the design decisions and principles we value. We highlight the important role that humans have in internet communities, which should not be delegated to computers.

The post Dweb: Social Feeds with Secure Scuttlebutt appeared first on Mozilla Hacks - the Web developer blog.

Categories: Techie Feeds

Introducing the Dweb

Mozilla Hacks - Tue, 07/31/2018 - 14:00

The web is the most successful programming platform in history, resulting in the largest open and accessible collection of human knowledge ever created. So yeah, it’s pretty great. But there is a set of common problems that the web is not able to address.

Have you ever…

  • Had a website or app you love get updated to a new version, and you wished to go back to the old version?
  • Tried to share a file between your phone and laptop or tv or other device while not connected to the internet? And without using a cloud service?
  • Gone to a website or service that you depend on, only to find it’s been shut down? Whether it got bought and enveloped by some internet giant, or has gone out of business, or whatever, it was critical for you and now it’s gone.

Additionally, the web is facing critical internet health issues, seemingly intractable due to the centralization of power in the hands of a few large companies who have economic interests in not solving these problems:

  • Hate speech, harassment and other attacks on social networks
  • Repeated attacks on Net Neutrality by governments and corporations
  • Mass human communications compromised and manipulated for profit or political gain
  • Censorship and whole internet shutdowns by governments

These are some of the problems and use-cases addressed by a new wave of projects, products and platforms building on or with web technologies but with a twist: They’re using decentralized or distributed network architectures instead of the centralized networks we use now, in order to let the users control their online experience without intermediaries, whether government or corporate. This new structural approach gives rise to the idea of a ‘decentralized web’, often conveniently shortened to ‘dweb’.

You can read a number of perspectives on centralization, and why it’s an important issue for us to tackle, in Mozilla’s Internet Health Report, released earlier this year.

What’s the “D” in Dweb?!

The “d” in “dweb” usually stands for either decentralized or distributed.
What is the difference between distributed vs decentralized architectures? Here’s a visual illustration:


(Image credit: Openclipart.org, your best source for technical clip art with animals)

In centralized systems, one entity has control over the participation of all other entities. In decentralized systems, power over participation is divided between more than one entity. In distributed systems, no one entity has control over the participation of any other entity.

Examples of centralization on the web today are the domain name system (DNS), servers run by a single company, and social networks designed for controlled communication.

A few examples of decentralized or distributed projects that became household names are Napster, BitTorrent and Bitcoin.

Some of these new dweb projects are decentralizing identity and social networking. Some are building distributed services in or on top of the existing centralized web, and others are distributed application protocols or platforms that run the web stack (HTML, JavaScript and CSS) on something other than HTTP. Also, there are blockchain-based platforms that run anything as long as it can be compiled into WebAssembly.

Here We Go

Mozilla’s mission is to put users in control of their experiences online. While some of these projects and technologies turn the familiar on its head (no servers! no DNS! no HTTP(S)!), it’s important for us to explore their potential for empowerment.

This is the first post in a series. We’ll introduce projects that cover social communication, online identity, file sharing, new economic models, as well as high-level application platforms. All of this work is either decentralized or distributed, minimizing or entirely removing centralized control.

You’ll meet the people behind these projects, and learn about their values and goals, the technical architectures used, and see basic code examples of using the project or platform.

So leave your assumptions at the door, and get ready to learn what a web more fully in users’ control could look like.

Note: This post is the introduction. The following posts in the series are listed below.

The post Introducing the Dweb appeared first on Mozilla Hacks - the Web developer blog.

Categories: Techie Feeds
