Paulo Laureano's Writefreely


Read the latest posts from Paulo Laureano's Writefreely.

from Paulo Laureano (EN) posts

Photo by Towfiqu barbhuiya on Unsplash

Let's talk about reasonably secure options and why they are the road less traveled.

People love their shiny new phones and last-generation computers running the latest niceties. They adore the latest, fully featured software and frictionless new tech. The problem is that it's tough, or better yet, downright impossible, to secure fat systems with millions of lines of code aiming to provide every possible feature to consumers. It is much easier to make simpler systems reasonably bug-ridden and secure.

Photo by Cayetano Gil on Unsplash

Welcome to the wild, wild west!

It pains me to say that the software industry is still in its infancy after half a century of mass-market-driven choices. I sound like a broken record since I have been repeating the reason behind that observation for my entire professional life. Software publishers can ship whatever they want without legal liability for how buggy and insecure their product is. People want more features and functionality, and that is what they sell. Security is an afterthought, handled if and when it becomes problematic and inconvenient.

In the corporate world, regardless of how often they tell you otherwise, the same trends are followed with slightly different flavors of stupidity. The “professional editions” add more features to the software, not a more spartan and guaranteed less vulnerable version of their mass-market aimed for hobbyist counterparts. I don't even know what the “pro” label means in the software market...

Corporate computers are usually the consumer versions of the software with managed restrictions (some control masked as “advanced features”) on top in a vain effort to mitigate the most apparently dangerous user behavior. For example, the users cannot install additional software; password changes are mandatory, and I.T. enforces upgrade cycles.

Market maturity means legislation making software companies liable for the quality of their products. The same happened in other industries as markets matured. For example, can you imagine a world where cars and airplanes did not meet minimum security and reliability standards? Well, in the software world, we are still living in a new frontier, the wild west, as far as law enforcement goes.

Photo by Markus Spiske on Unsplash

Bad ideas are hard to kill; embrace them!

Can you keep a secret? Really? Can you?

It's hard to keep a secret. It's not a matter of people realizing the importance of not sharing confidential information, like their credentials, on corporate servers; they understand they are supposed to do it. The problem is that they can be tricked or coerced into giving them away.

How many of you would keep your phone/computer passcode secret under the threat of violence? It's tough to argue the merits of risking physical integrity in the name of a company's information security. However, a hammer and your two knees are an unbeatable combo making your silence and loyalty to a corporation a tough sell.

Judging by their actions, corporations do not care much about messaging security. The technology to digitally sign and encrypt communications has been available for years, yet email in the corporate world mostly does not use it. As a result, phishing scams and identity theft exist because no one seems to have them identified as severe problems worth a few lines/clicks configuring profiles and issuing certificates for every email user.

Is it reasonable to expect users not to be tricked into revealing their secrets in a world where user credulity is used instead of cryptography-identified identities? It's a rhetorical question with an obvious answer.

The best way to protect users from hiding corporate secrets is to provide them with none. Instead, you can authenticate connections using asymmetrical encryption and challenge-response dialogs using USB security keys that cost a dozen dollars rendering phones/computers useless without them as authentication methods. In addition, biometric reading devices have been available for decades, and you can ensure only a live individual can even use the authentication devices.

The tools needed to spare users the burden of keeping secrets are known and have been available for years. For example, geolocation and synchronized clocks are not rocket science, and you can limit the power of authentication tokens by limiting their use when an abnormal pattern is detected. For example, users are not likely to travel at light speed or be in two locations simultaneously. In addition, you can (and should) restrict privileges based on regular usage patterns. For example, you can render an authentication match null and void in the wrong location or off-the-clock times.

Passwords and shared secrets (used for second-factor time-based authentication codes o HOTP and TOPT) are terrible ideas. Spreading “secret keys” in both the systems and user end is an accident waiting to happen. While it's rather apparent that on the user end, the protocol designers expected the authentication devices not to be used to authenticate their connections, unfortunately, that is not what happens in the real world. In many ways, this secondary authentication approach is even more fragile than the primary authentication method. We can do much better.

Google and Yubico created FIDO U2F and support from NXP, with the vision to take strong public key cryptography to the mass market. As a result, large-scale services, including Facebook, Gmail, Dropbox, and GitHub, have successfully deployed U2F. The next evolution of the FIDO U2F modern authentication protocol is FIDO2, which introduces passwordless authentication capabilities.

Add biometric, time, and location-based restrictions to access the security enclave where private keys are stored, and you will effectively protect users from a myriad of problems and risks.

Since many systems will not support decent solutions, use a password manager. If you must use a fragile authentication solution, at least do it as well as possible. I like Bitwarden.

Do yourself a favor and go buy a pair of hardware security keys! Make sure you pick one that supports FIDO2 (because that is what you want to use on any site that provides the best option available today). I use Yubico keys.

Please avoid using the same device to store primary and secondary authentication secrets (that is why I recommend using security keys). While you can do a lot to make your devices safer, most people reading this are clueless on security beyond “I probably need some sort of firewall, anti-vírus, and should be careful about clicking on email links and attachments”.

The latest shiny new and trendy device will always be a user favorite!

Did I tell you that keeping fat, feature-rich, general-purpose systems secure is really hard? It is. You cannot do it. Ensuring an acceptable level of security in general-purpose products like MacOS and Windows is downright impossible, so use both operating systems for what they are: insecure machines for general-purpose usage. Control and sanitize the output of work done on such systems and ensure they cannot access sensitive information or perform critical operations.

While Windows and MacOS can be locked down to a level where the ease of use and versatility that makes them user favorites is no longer there – both operating systems can be stripped of bloatware beyond recognition for a specific use case. Still, you will likely end up with a universally hated Frankenstein setup that is borderline unusable.

The same goes for iPhones and Android devices; they are great mobile computing platforms people love and are awful second-factor authentication devices. Like their bigger laptop or desktop counterparts, they are general-purpose devices running bloated and insecure operating systems. What you want in a device that stores secrets is the opposite of accessing random sites, insecure emails, receiving an SMS and installing apps. If you want the user to carry a single phone, at the very least, provide them with a security key that stores and uses private keys; it's already a bad idea, so don't make it even worse.

Mission-critical operations should happen on secured systems unable to run non-signed binaries with minimal connectivity according to their purpose. Authentication should be decoupled from the system and require human intervention, like touching a Hardware key and passing a biometric test on a security enclave (system on a chip).

Secure systems are synonymous with minimalistic installations, only the necessary software to fulfill their mission, and nothing else. Top-of-the-line hardware is cheap when compared to the cost of risking not isolating and securing systems.

I like the “reasonably secure Qubes OS” approach, implementing a security-by-compartmentalization using virtualization technology. Cubes OS isolates programs and sandbox many system-level components, such as networking and storage subsystems, so that the compromise of any of these programs does not affect the integrity of the rest of the system. Furthermore, virtual machines are not persistent and revert to a known secured state between uses.

Critical-mission users need separate devices. Unfortunately, there is no way to avoid it. However, these users are usually a tiny percentage of a company's workforce. For most employees, the focus should be on zero trusting the toolset and ensuring control over what they can access and share.

Security is a balance between letting users use whatever tools they need to perform the job efficiently and limiting the potential damage they can inadvertently cause. Unfortunately, it is not easy to achieve the perfect balance. But on the other hand, that is why I.T. exists in organizations. So be glad you have the job, and while you are at it, do it.

Microsoft Office scripting language and macro support

I would love to meet the people that thought running scripting languages in Office documents was a good idea! It sure enables a ton of otherwise impossible options for ill-prepared software engineering. But unfortunately, while I am a proponent of letting people use the best productivity tools they can find, we should limit the number of bad options allowed in a corporate setting.

While running alternative safer Office-like packages with fewer “features” is the easy way out of many headaches, there are ways to enable power users instead of shutting them down. Office applications and data should only run in chrooted (isolated) environments with strict per-document and toolset limitations. Running them online is not the worst possible approach.

I have been managing I.T. for the better part of 30 years. During that time, I saw fantastic stuff created by power users with Microsoft Office tools that delivered great value to companies. While a whole lot of risk and (security) issues come with some (let's call it) creative approaches, the solution is to find ways to accommodate those “solutions”. They even existed because conventional systems to solve a particular problem were unavailable. So I hired the individuals behind some of those insane projects.


from Paulo Laureano (EN) posts

I have been a client/user for a long, long time

I have been an Microsoft Office user since there was an Office package. I have been an Office365 user for half a dozen years (the company I work for is all-in into the Microsoft ecosystem) and use Microsoft Teams for eight hours daily.

I have been a Gmail user since the service was created. In addition, I have been a reseller for many years and have helped several companies take advantage of their ecosystem of apps.

I started using Nextcloud five years ago. I was looking into replicating some of the features I found in both Google and Microsoft in my personal life. So I self-hosted Nextcloud and started sharing it with friends and family. Much to my surprise and wonder, I found it to be an equally capable alternative to the previous two commercial options. It can be self-hosted or used hosted by a third-party as a service (SAAS) like the Microsoft and Google alternatives.

I like LibreOffice and OnlyOffice. Used both extensively for years. They both have a much better security track record than the Microsoft equivalent, and I honestly don't see the point of paying for a less secure proposition. While I understand some individuals have some limitations that make them have difficulty adapting to slightly different interface options, I never met a single one that could not make the transition. For many years the Microsoft offering was head and shoulders better than anything else on the market; I don't think that has been the case for years now.

I have personal biases... so take my opinions with a BIG grain of salt.

I have administered Linux and *BSD systems for 30 years. While I have no system administration responsibilities in my current job, I never stopped doing it.

While I understand the rush to cloud hosting, mainly when scalability is an issue, it is not a silver bullet solution and creates some problems. Price is one of those issues, and latency is another (if you have a mix of on-cloud and on-premises systems that are mutually dependent)—not even going to touch on issues like security, optimization, and backups. In addition, good system administration is not cheap and does not scale down well for small and medium-sized organizations. Also, it's hard even to grasp the concept of micro-companies and individuals being able to self-host projects with anything that resembles sound system administration practices. It is just too expensive and risky.

As a former professional with 30 years of experience, I have some options that most people don't have. For example, I self-host my social media (Mastodon, Writefreely, and Publii servers), Nextcloud, and Bitwarden services. The option to host the services makes me favor them compared to alternatives.

What about big(ger) companies?

If random scaling (up or down) is an issue, there is no alternative to the cloud. Organizations with thousands of employees have options regarding email services, group calendars, video/audio conferences, and contact management. Running email services internally and using Nextcloud may be a better fit. There are a lot of hurdles to doing it right, but keep an open mind because it can be done, and you can save a small fortune.

Email, in particular, would benefit significantly from (eventually being self-hosted and) changing paradigms: ensuring every internal email is at a bare minimum digitally signed and ideally end-to-end encrypted (using either S/MIME or PGP/GPG), and information should never leave the company systems. Impersonation (identity theft) would be a thing of the past; instead of the number one spear-phishing weapon in every hacker's arsenal. You need to self-host the servers to implement rules to reject every non-encrypted email message between internal emails, signed with recognized keys.

Encryption keys and client certificates should be hardware-based, locked, and centrally managed, and users should have zero capability to transmit them to third parties. Thus ending phishing attempts to steal credentials. In addition, requiring user touch (or biometric authentication) makes life much harder for attackers, even if the device is compromised.

I am a big fan of zero-trust environments and protected VPN tunnels to critical services, and all those should be hardware locked. You cannot exploit 0-days vulnerabilities in the software you cannot access.


from Paulo Laureano (EN) posts

At some point, I knew I had to write my version of the “new to mastodon” user guide. Plenty of good ones cover the basics well, so start by bookmarking this page to get back to it later and then explore.

Want a video introduction? The Linux Experiment has a good one: “How to use MASTODON: the COMPLETE GUIDE (join, use, find people to follow, etiquette...)”:

Picking a server (you can switch later effortlessly)

The “official guide to Mastodon” suggests that you should “somewhat carefully” pick up a Mastodon server to join from the “” list. That's fine as long as you find one that looks like a good fit for you.

  • Pay special attention to the instance allowed languages (i.e., some are “English” only, while others may cater to some specific language).

  • Some servers are themed around a particular interest (i.e., ones that only allow a specific topic or are filled with people that want to focus on it). There are “generic” instances where every issue is allowed.

  • Every server has a particular set of rules. The owner or moderators enforce these rules. Please read them carefully because it is easy to be expelled from a Mastodon instance. Some restrictions may be obnoxious and, for example, forbid users to use certain words or letters or promote or even talk about a particular topic.

  • There are many pros and cons to joining a big server. I want a server that is as fast as possible. On the other hand, I am not interested in “local” and “federated” timelines; I look forward to seeing the people I follow and their interactions with others. So for me, it's a personal server I self-host at for friends and family.

  • You can have your own server, entirely administered by professionals, even if you don't know a thing about servers. For example, check out NOTE: I have no relation with the company and never hired them, but their track record of hosting Mastodon servers is outstanding.

  • If you feel like looking at random strangers and don't mind being in crowds with a server that sometimes is not exactly the fastest, is probably your best bet!

  • If you want, you can switch to a different server later. So, don't worry too much. Just don't get expelled; that will complicate migration to a new server, assuming you want the people you follow and those that follow you to move along with your account.

Congrats on having created a Mastodon account!

Make a nice profile for your new account!

No one likes interacting with a faceless profile. Let people know who you are and what topics (hashtags) you are interested in. You will be surprised by how many people will want to follow you and interact with the content you post.

Now, follow people!

You need to follow at least 100 people; otherwise, your Mastodon feed will look deserted, and you will feel like you hear crickets. Since in Mastodon, there is no algorithm attempting to guess which posts you probably like to see; you need to populate your feed by following people. Some suggestions:

  • Look on the web for “Mastodon accounts worth following” (use Google or whatever search engine you like). The search engine will give you some suggestions.

  • From time to time, visit to find who the people you follow are following. It gives you some excellent suggestions of people you will likely find interesting.

  • Visiting other mastodon instances and looking at their “local” and “federated” timelines will probably help find exciting people.

One of the many five stars reviews on the App Store If you are on iOS (or an Apple Silicon Mac) ice cubes has an amazing super-power: you can follow “local” timelines from multiple instances, making small instances feels exactly like big ones. It's the App killer feature! Download and install it, even if you primarily use some other App (it is free and open-source).

  • Install Streetpass for Mastodon in your browser. This plugin will check for author links in articles you read on the web and suggest you follow the authors.

  • interact with people. Favorite (it tells the author you liked it and has no effect other than that) the post their best posts, and share (boost) the ones you find helpful or entertaining to your followers.

If you have a feed that feels too quiet, follow some wrong people. Over time you will make a better selection, but do build a network.


Give people stuff to read!

Set the language correctly in every post. You can set a default language on your Mastodon. Set it correctly when you switch to another language occasionally. Some instances have automatic translations, but for them to actually work, it is important that you inform them of what language you are using for each post.

Use hashtags in your posts! They do wonders for the discoverability of your content! Some people follow certain hashtags, not necessarily the authors that write on those topics, so give them something to work with.

Mobile Apps

If you are on iOS, you will be spoiled with fantastic paid Apps from top-rated authors; look at app store reviews, and you will find one good fit. The best free option is, by far, “ice cubes”.

On Android, I have no idea what your options are. Sorry. I am sure there are some. I heard about “Tusky for Mastodon” being good but never used it.

Desktop user?

Roam with Mastodon plugin

I use the instance site with the “Roam with Mastodon” browser plugin. This plugin gives you the equivalent of quoted retweets on Mastodon.

I heard wonders about “Elk” but never tried it.

Sometimes I use “ice cubes” (the iOS App) on my Apple Silicon Mac... but I am still waiting for a decent native Mac App that beats the web interface...

Are you have a blog or a website?

If you want banners to link to your mastodon account or timeline, look at


from Paulo Laureano (EN) posts

Image by Jordan Harrison on Unsplash

The teenage years (from the Amiga to Linux/BSD)

In the '90s, I started a BBS. I was a teenager living in my parent's house with a Commodore Amiga and a 2400 baud modem (without error correction protocols); it seemed that the entire world was just a phone call away.

BAT BBS ran the marvelous Xenolink BBS by Jonathan Forbes on a Commodore Amiga 3000 computer. The software was blindingly fast and very configurable, and it made my teenager-self want to learn more about system administration (sysop) and managing an online community (moderator).

The BBS's popularity grew significantly, and I joined Fidonet. At the time, the best modem was the USRobotics Courier Dual Standard, so I got one. Mind you; the Internet was not widely available outside universities. So we used Netmail for private messaging, with gateways that allowed me to reach email addresses and any user on any Fidonet BBS and Echomail (forums) for public messages (local and worldwide).

I became proficient in programming C, administering the heck out of the Amiga and OS/2 machines, and as a host to BBS users. Those skills earned me my first job as a SysOp at one of the biggest BBSs in Portugal (Visus) and a few years later at the first Portuguese private ISP (Esoterica).

I moved from Amiga and OS/2 to Linux and later *BSD, and I still administer machines running those operating systems today.

image by Solen Feyissa on Unsplash

Administering Email (Sendmail) servers for three decades

During the period I worked on the Internet Service Provider (Esoterica), the main focus of my job was email and Usenet news servers. Although I completely let go of the Usenet stuff over time, I kept my own email servers to this day.

The problem with email is that it was never meant to be a private or secure medium for transmitting and storing in-transit messages. Furthermore, it has been abused by spammers and other bad actors for decades, with no signs of slowing down. Although tools are available to encrypt messages, like PGP/GPG and S/MIME, very few people use them. Since emails are stored in plain text, there is no way I will ever rely on third parties to host my email.

There is no other option. Since email is used to recover and reset passwords on critical systems, it's insane the amount of misplaced trust people (and corporations) place in email operators.

Image by C Dustin K on Unsplash

Cloud storage, video calls, and backups with Nextcloud

I run my own Nextcloud server. While it does not bother me in the slightest people using big-tech services to sync and ensure backups of non-critical data, I need to keep some of the stuff (personal notes, contacts, and calendars) going to all my computers private and protected from bad actors.

Nextcloud talk is what you should be using instead of WhatsApp (a Facebook company) for messaging and (voice/video) calls. It has apps for iOS and Android and runs on Mac, Windows, and Linux on a browser. Of course, trusting a Facebook platform is not a good idea, and you don't have to...

Nextcloud is amazing open-source software with an excellent track record for updating services and keeping them secure. I host for myself, family, and close friends.

image by Nelly Antoniadou on Unsplash

Bitwarden to keep my passwords on hand on every device

Everyone needs a password manager. There are no exceptions. I used 1Password for years, then switched to self-hosting Bitwarden. It is open-source and can be used for free.

Due to the nature of the service, as long as you do not use web interfaces and the hosting is just a gateway to sync the vault, self-hosting is not mandatory. However, I do it anyway, just because I can.

Image by Aaron Burden on Unsplash

Social media hosting

Social media companies are evil. They use you as the product they sell to advertisers and try every possible trick to keep you engaged in the platforms. The effects on society have been nefarious, from the rise of extremism, online scams, and a culture of hate. But it does not have to be that way. It was not that way with Fidonet and Usenet. You can socialize online and exchange experiences without being explored and used by corporations.

I self-host distributed open-source Fediverse platforms (again primarily for family and friends) that have all benefits of “social media” without making its users the target of advertising. No algorithms are trying to hook into discussions, “influencers” can't buy their way into popularity by being obnoxious freaks, and society looks “normal” again instead of the twisted black mirror created by Facebook and Twitter.

Short-form blogs on Mastodon on It's similar to Twitter without the hate and with a much smaller population of morons. I absolutely love it and use it daily.

Long-form blogs on Writefreely on Similar to Medium, it provides you with a clean interface for writing and ways to monetize your blog, but without a company handling the money distribution (whatever money readers send your way is yours, I don't take commissions, and want nothing to do with your income). there are no algorithms promoting posts; you will have to earn your readers, but, on the plus side, you don't have to feed the machine with regular posts. Instead, create good content, and you will gain a following if that is what you crave.

Feel like using my self-hosted services?

If I know you really well, I will give you access to email, Nextcloud, and Bitwarden servers. Otherwise, no, you can't. Sorry, but no cigar. You may ask (send me an email!); the worst possible outcome is that I will say no.

You can use my Mastodon and Writefreely instances as long as you understand and agree to the rules I have set (they will be presented to you when you apply to register). I am not some corporation; I will die someday, get sick, lose my job, or some other life-altering event. On such a day, these services will disappear without warning. Backup whatever data you publish there if that is important to you!

You are welcome if you get the scope of what I have just explained in the last paragraph. Please note that I do not allow rude behavior or any illegal content on my hosted services, and I will expel you without a second thought if you misbehave. Act like a normal educated human being that would make your mother proud, and we will get along just fine.

The servers are the fastest you will ever find (south of hosting your own locally using top-of-the-line hardware), and I keep them updated and safe to the best of my ability.


from Paulo Laureano (EN) posts

Security matters!

Support for PGP/GPG and IMAP/SMTP with SSL support is necessary.

Email is by a nautical mile the most abused service on the Internet. I want to know who I am exchanging mail with, and I do not trust Internet service providers to handle security properly. I digitally signed all my emails, and all data must be encrypted when exchanging sensitive information.

Sadly, many of my contacts don't bother configuring PGP/GPG or S/MIME to provide a layer of authentication and integrity checking to their emails. As a result, their emails can be altered or impersonated by system administrators and bad actors that gain access to servers. Many potential damages could be mitigated if they configure their email clients correctly in five minutes.


Configure S/MIME on Outlook, Apple Mail, Thunderbird, or whatever email client you use...

Create self-signed certificates at the very least, if you don't want to deal with certification authorities... people who exchange mail with you only have to set their trust in the certificate once and will notice if it changes or fails to validate.


Configure PGP/GPG locally on your Mac, Windows, or Linux to create your certificate and import it to your mail client. Outlook and Apple Mail need plugins, but most other clients (like Thunderbird) have built-in support for PGP/GPG.

Microsoft Office365 integration (email, calendar, and contacts)

The company I work for uses Microsoft tools, so I need them... Outlook would obviously fit my needs, but I hate it. Like most Microsoft tools, it's bloated with features I don't care about, and the UX is designed by people with a sense of taste I don't share. So if you like it, good for you, but I will not go near Microsoft productivity tools if I have better options.

I do not use Windows for anything other than games, so I don't even have an email client installed...

Apple iCloud integration (email, calendar, and contacts)

I use Apple Macs and iPhones in my personal life. I like native Apps like AppleMail, Contacts, and Calendar that come with MacOS, iPad, and iPhone. While in my professional life, I need the Microsoft ecosystem of Apps and access to the company contacts directory and calendars, in my own time, I need access to my personal ones in iCloud.

Apple Mail

On the Mac, I use Apple Mail with “GPG tools” extension.

On my iPhone and iPad, I use mostly Canary Mail simply because it's my best bet supporting PGP/GPG. Unfortunately, apple Mail supports only S/MIME (I keep it on my devices for that reason; I may need S/MIME from time to time).

Canary Mail

I use Linux on my main laptop...

I code and do a ton of system administration with my Linux desktop. That is what I take with me whenever I go on vacation or on business trips.

I use Thunderbird with the OWL plugin. It works well with Office365, iCloud, and Gmail.


Thunderbird has spent a few years in limbo but is now again being actively developed, and it is simply the best email client for Linux.


from Host admin announcements

Hello there! Nice to meet you!

You are likely reading this because you attempted to deliver some emails to and failed miserably. Assuming you are not a spammer or a hacker, and that is a big assumption, let's go with it: I have some recommended reading for you:

It's a jungle out there! Unfortunately, email is the most abused Internet service, so you must be careful about what mail you accept on your server and what you discard. However, there are some basic rules I have set on this server that you must follow; otherwise, I will not accept your messages:

Your DNS name must point to your IP. Your reverse DNS must point to your name. Easy pizzi, right?

DNS lookup and reverse

If you can write to me, I must be able to respond, meaning I will try to call you back (send you an email), and if you are using an open relay or refuse my email, I will not accept any of your messages. I will look up your DNS MX records for the domain you are using to message me and try to message you. It is only fair; after all, you contacted me first.

This should not bother you if you are a legitimate email sender. However, if you are a spammer, it forces you to set up at least an account that receives mail to the address you are using to spam people.

Your DNS must have a valid DMARC, SPF, and/or DKIM. Head to and test your domain name. The report should look similar to the image below.

MX Supertool

While you are at it, check your status on blacklists for the domain. You see, people talk to each other, and some friendly folks compile and maintain lists of email servers that distribute spam/malware.

If all of this is too much for you to handle, set up an account with some professionally administered mail provider. Mail administration can be a pain; it is not for everyone.

Have fun, happy emailing, and take care.

Paulo Laureano


from Host admin announcements

The virtual machines

Both Mastodon (short-form blogs) and Writefreely (long-form blogs) servers are virtual machines (VMWare) running on my home network. Bandwidth is limited (1000/200Mbits), and I use Cloudflare Argo tunnels to expose the servers.

The virtual machines have plenty of memory (8Gb each), CPU (4 cores, 8 threads), and disk space (1Tb) to spare.

This should be fine (and faster than most Mastodon servers) for a few users. The servers are primarily for my personal use, so I will not let an excessive amount of guests fill them to capacity.


VMWare snapshots are used daily (this allows me to roll back to a previous machine state easily if something goes wrong during upgrades). Databases and server configurations are backed up daily. Every other day they are copied to another machine on my network. I make an offline copy of the backups monthly. There are no offsite backups.

This is enough for my personal data; I will give your account data the same level of protection I use for myself. If I die, become unable/unwilling to administrate the server, the house burns down, or something along those lines, you will lose your account. There is an obviously awesome solution to achieve different/better data security: host your own server!


The only non-visible publically data is your e-mail address. I'll try my best (effort) to keep the servers updated and patched to the latest versions; however, I give no warranty of any kind against someone eventually getting to it.

You should use a unique password on these servers and (if supported) two-factor authentication. At the time I am writing this, Mastodon supports 2FA, Writefreely does not. It's your call to use two-factor authentication, but identity theft (of these social media accounts) is the most severe risk you are taking here.

it is essential you understand the risks as I have presented them to you. While I care about this, bad things beyond my control may happen. A terrific strategy to avoid/mitigate these risks is to delete your account or set up your own server to protect your personal data/identity.

My commitment to keep these servers running

I will keep them running for as long as I want or can do so. I do not plan to shut them down without notice, but shit happens. You will have the servers running for as long as I have them for myself. You can always run the servers yourself; if reliability and longevity are essential to you, that is the way to go.

Sometimes stuff will happen that I do not control, like electricity failing, computer components dying, etc. That's life. Again, you can achieve a different result if you host your own servers.

Being perfectly blunt: you are a guest, and the party may end at any time. There are no warranties of any kind that you will find a working server the next second after you read this.


from Paulo Laureano (PT) posts

Upgrades em várias máquinas de linux (ubuntu servers e Mint desktops) fizeram a minha tarde. Correu tudo normalmente, com um par de horas de puzzles à mistura no caso dos upgrades para o Mint 21.1, mas não mais complicado que o expectável.

Pelo meio nasceu este novo servidor de Writefreely, muito pelo charme minimalista da plataforma. Eu adoro este tipo de abordagens. Tinha de experimentar a plataforma, gostei do que vi e vou manter a instalação.

Espreitei também o, que é muito na linha do Mastodon, e de que não gostei particularmente. Em particular a ideia de não haver crosspostings (boosts), porque alguma coisa ser viral é forçosamente “negativa” decididamente não me agrada.

Gostei (muito) de ver em ambos os casos as respectivas comunidades a pagar hosting. O modelo de que uma coisa que custa dinheiro (a alguém) pareça ser gratuito é insustentável no médio/longo prazo. É claro que pode haver sempre malta super-generosa a pagar a festa de todos, mas duvido que escale ou dure muito tempo.

Eu não me sinto confortável como “convidado” dessas pessoas. Esse é um dos motivos que me levam a fazer hosting dos meus próprios servidores. Partilho os mesmos com familia e amigos, como partilho a minha casa quando recebo pessoas. Toda a gente sabe que a festa acaba quando não me apetecer pagar mais copos ou perder a pachorra para andar a limpar a casa. Há zero compromisso meu de manter a festa indefinidamente. É porreiro e divertido enquanto durar e quando acabar ficam as memórias.

Um amigo perguntou-me se não era uma situação precária usar o meu servidor de Mastodon. Se não era melhor ir para um que fosse mais estável e tivesse um compromisso de longo prazo com utilizadores... é. É melhor. Se isso for real. Talvez esse servidor seja mais lento em determinados momentos, mas fora isso, só vejo vantagens. Boa sorte a descobrir a base desse compromisso entre quem estiver a pagar as contas e quem estiver só a gozar o prato. É só uma questão de perspectiva e fé, se um servidor aleatório de Mastodon tem (de facto) um compromisso maior que qualquer outro.

É por isso que eu gosto do contexto de servidores pagos. Porque há uma relação contratual e o crescimento é sustentável, equilibrado e, se calhar, até apetecível para ambas as partes. Se por outro lado a aposta é de “ter fé” que quem paga as contas continuará a pagar, porque sim, e quem faz manutenção continuará a fazer, também porque sim... não me parece uma situação confortável. Pelo menos não é confortável para mim.

Prefiro mesmo pagar as minhas próprias bebidas, estar em minha casa, e receber por cá apenas as pessoas com quem gosto de partilhar o oxigénio. Se isso dura um dia ou anos? Sei lá. Estar vivo é uma condição precária e com um péssimo diagnóstico de longo prazo. Não sei se terei a mesma capacidade financeira que tenho hoje no futuro. Nada é certo, excepto que o destino das minhas contas está nas minhas mãos, depende apenas de mim, e em nada da boa-vontade de terceiros.

É exactamente como gosto que seja.