

Thimbl - Decentralized Microblogging with SSH + finger - mgunes
http://www.thimbl.net/

======
tricknik
Hi everyone, thanks for the interest, Thimbl is not ready for public release,
we are still working on it, so you'll have to patient. Regading why we use
SSH: Because it is already available on your servers and is a standard, thus
there is no barrier to getting started. Don't want to share "your" ssh
password with some random website? No problem, how you implement access to
your finger .plan files is up to you, create a special server with ssh service
just for your .plan files, don't want to give your users shell accounts? creat
a shell-less ssh service using something like conch or zope, etc whatever!
Still not happy? Clone thimbl.net and run your own web interface! The point of
using established standards is that everyone can do it there way. Thanks for
the comments. With thimbl and thibl user can use any thimbl.net clone, and it
make no difference.

~~~
tricknik
BTW, if you want to be notified when there is more to see, follow us on
twitter @thimbl (or me @dmytri) (or identi.ca or friendfeed) or join our
facebook page <http://facebook.com/telekommunisten>

Thanks Hacker News! Nice to see this pop up here, even if I wouldn't have
posted it here just yet ;)

------
mgunes
See also:

[https://docs.google.com/present/view?id=ajgtbbdpw978_327dxhv...](https://docs.google.com/present/view?id=ajgtbbdpw978_327dxhvp8d3)

------
agentultra
I like the idea. I'm still an old wort who uses usenet, irc, and email for
most of my communications. I might still be using finger too if most hosts
hadn't turned it off. Turns out finger was quite the security risk. If that
has changed then I could see myself using it again.

As long as we can get a better peek into their implementation... I am curious,
like others, why they're not using public key authorization, etc.

------
mjh
~/.ssh/authorized_keys:

from="proxy.thimbl.net",command="finger-wrapper" ssh-rsa AAAA...

Very doable.

Based on what tricknik has said so far, this strikes me as an HTML5 WebSocket
spawning SSH. Similar to what was discussed here:

<http://news.ycombinator.net/item?id=1694607>

Great idea, I had awesome .plan files way-back-when and spend most of my time
in my shell.

Updating my micro-blog with cat >> .plan ... ^D would be enjoyable. I am
looking forward to your work!

~~~
tricknik
will be through an http to finger+ssh gateway initially, but ssh+finger
directly in the browser is the longer term goal. cat to your .plan wont work,
thimbl stores json in the .plan, however we will add support for cat >
.project, but not in the first release.

------
drdaeman
No publickey auth? Sorry, I thought it is 2010, so everyone uses
authorized_keys (and passwords are only for emergencies)...

But the main problem that this completely lacks any technical description.

~~~
tricknik
thimbl.net store no user data. Not even a key. Nothing.

~~~
pyre
A few things:

* I have to trust thimbl.net and/or you that you aren't storing anything.

* Even if you released your codebase on github (or similar) there is no guarantee (to outside users) that it is the same one that you are running on your servers.

* Your site is _not_ https, meaning that my ssh password is going plain-text over the internet.

* Even _if_ your site is 100% not doing anything funny, there is the possibility for _someone else_ to sniff the passwords flowing through your site.

~~~
tricknik
you can host a thimbl.net clone our your own server. There is no site yet, the
system is not yet released. The login will certainly be ssl protected.

------
shaggy
It could just be me, but it seems that the sort of users who know and
understand finger and SSH are not the sort of users who want to use a micro
blogging service.

~~~
tricknik
Understanding finger and ssh will not be required to use thimbl, only to set
up thimbl service for your users, which we imagine will be the same people who
set up the email and web for there domain: the sysops. Wether the sysops
microblog or not is irrelevant ;)

------
devmonk
I thought about this before (P2P communication similar to Twitter), but not
via ssh. Why not just dedicate an incoming port (configurable) per group that
you want to associate with?

\- As soon as you started the connection, it would try to connect to all group
members via their ports. If the group list is old, or if some are offline,
maybe some/all wouldn't work.

\- Whoever has the fastest response time, if their group list is newer than
the existing group list, the client requests an updated group list from (just
in-case it is out of date). If no one is online, obviously this doesn't
happen. The user of the client trying to update must ok the changes to the
group list (to keep someone from gaming the system). You could also specify
who to get the grouplist from.

\- At this point the client must be ok'd by the others if his IP/port has
never been accepted into the group before.

\- If accepted, at this point the client is flagged as someone who has a group
list to share.

\- At this point the client can communicate with others in the list, and if
you want it to be microblogging or just IM'ing, anything goes, depending on
the client.

------
Semiapies
I'm not clear what's ultimately different here from running your own blog on
your own server and offering feeds.

That it resurrects finger? ...So?

Of course, that's the problem - there isn't really anything here to talk
about, just some 90s _Wired_ magazine fodder of a slideshow and a plea for
community help.

~~~
tricknik
Yes, all that there is at this stage is a slide show. (all projects start
somewhere). More will come soon very soon (mammatus is already finished and
release, the ui is getting there) There is no plea for community help (though
of course help is always welcome) it is a plea for sysops to turn their finger
service on so their users can use thimbl, and an offer to help where help is
needed. As for the difference between a decentralized microblogging service
and a bunch of blogs with fees... we'll leave that as an excersise for the
reader. Interesting that you bother to post a comment when you believe there
is nothing to talk about, but thanks for the feedback in anycase.

~~~
Semiapies
_"There is no plea for community help"_

From your slideshow: "THIMBL will succeed with a community. join us and help
make a free, open social network"

 _"and a bunch of blogs with fees"_

What "fees" for running free blogging software on my server?

 _"Interesting that you bother to post a comment"_

It's called having an opinion. If you can't deal with skepticism after
publishing PR material without having anything more substantive handy, rethink
your strategy.

~~~
tricknik
You can have whatever opinion you want, my opinion is that is curious to post
opinions on things you think are not worth talking about. If you don't get
that, well, we have different opinions then. I meant 'feeds' not fees. sorry.
we didn't publish anything, I just shared a link to a text I wrote on my own
twitter account (not even @thimbl), somebody else posted it here. We have
never claimed to have anything more substantive handy at this stage, when we
do, which will be soon, we will post that. Every project starts somewhere. Not
sure where you see a "plea for help" in what you quote it is an invitation, we
want people who are interested in using thimbl to know they are welcome to
contact us, and if they need any help, that we will help. Thanks for the
comments.

~~~
Semiapies
_I_ think it is very curious when someone builds a website and a slideshow to
promote something, then claims he isn't publishing anything. Or when that
person feels the need to misrepresent another who makes any sort of criticism.

First hint: I at no time said that I found this "not worth talking about".
Those are words _you_ tried to put in my mouth to distract from my noting that
there's not much here to go on.

Second hint: People say "community, come help us succeed" in order to blame
the lack of community help when they go nowhere.

~~~
tricknik
He Semiapies, I'm really not sure why you think a project can't start with a
website and a slideshow to try to explain what it is, or wether you are
suggesting that we should only ever put anything on our website when we are
done. Or what. No need to distract that there is not much here, there is not
much here, I said so myself. In terms of criticism, and blame, again, I'm
really not sure what you are talking about, we have no need to blame anyone
for anything, and we're very much interested in criticism, I simply can't
understand what yours is. That we should keep our slide show secret until the
system is ready for launch? Well, as I said, I have a different opinion and
prefer to be open. Whatever.

~~~
Semiapies
Tricknik, try actually responding in good faith to something I say - this
involves not defensively putting words in my mouth - and I might bother.

~~~
tricknik
I am trying. Can you summarize what you are saying?

------
anthonyb
Hmm. There's a lot of hyperbole, and very little description of how it
actually works. And no, I'm not about to give a random website my ssh password
:P

Anyone care to enlighten me further as to how it works?

------
zimpenfish
Truly putting the micro in microblogging - or am I not supposed to be getting
a totally blank page for <http://www.thimbl.net/about> ?

~~~
mooism2
No, you're supposed to get a wall of bold white text on a screaming pink
background, with no spacing between paragraphs. Not terribly readable.

~~~
tricknik
All this is in early stages. We will have a proper "thimbl is comming page"
soon! (and git repos)

------
willvarfar
wait, the login asks for my server and ssh password? oh how can we trust
this???

~~~
phsr
you could always set up a super stripped down user with a random password. Not
to say that I'm about to do that

~~~
tricknik
Is there a more secure way that a non-data-retaining service can connect with
your server so a user can update there .plan file than sftp?

~~~
pyre
There _are_ ways of locking down an incoming ssh connection to scp-only, you
can even filter the files it has access to. I looked into this once, but never
implemented it b/c we went elsewhere with the project.

Note: This is by making the handling script the thing that runs for a certain
ssh key, I don't think it works with a password though.

~~~
tricknik
Excatly! There are many ways to set up secure ssh access. Which is why a
solid, know protocol like ssh is the right one to use for remote login,
because it provides many options and all sysops can configure access for their
own users as they see fit, yet all users, on all systems can still follow each
other.

~~~
pyre
See: <http://news.ycombinator.com/item?id=1732738>

------
tricknik
In case anybody is still reading this thread, here is an ugly diagram of
Thimbl's network topology:

[https://docs.google.com/drawings/edit?id=182y8FZDPvY1R-SQnYC...](https://docs.google.com/drawings/edit?id=182y8FZDPvY1R-SQnYC4n2pvRBrz6NyebRbwaTet5RgQ&hl=en)

------
drv
Seems like a neat idea, but the retina-burning color scheme is a bit much.

(For anyone working on the site that might be reading this, there's a "where"
that should be a "were" and an "it's" that should be "its" in the first
paragraph; I stopped reading there.)

------
iamapipebomb
Independence from capital-driven data-mining freedom-subverting services is
relevant, but hosting the manifesto of sorts on google is a bit ironic.

~~~
tricknik
Yeah, we have to get there before we get there. Get it?

------
tricknik
btw, the reason we don't use public key is simple: thimble.net stores no user
data. none.

------
pitsch
could i run it on my router? how much does it differ from a friendly botnet?

~~~
tricknik
which part? in order to be followed by thimbl, all you need is ssh and
xinetd/finger running. That's it. If you want to clone the thimbl http to
finger&ssh gateway, the current implementation uses twisted / mammatus. If you
want to run the UI, it's just static html/css/js that does jsonp calls to the
gateway. more details will be posted in the next few days.

------
joubert
the About page is blank??

