Stuff happening with Tinfoil

Tinfoil opened up a couple of weeks ago, serving as a fairly persistent and easy-to-use place to discuss digital security and journalism. Very cool to see how we've got so many people interested in these issues (now around 100) in the same place, coming from nonprofits, academia, media orgs, and other businesses, as well as folks working independently. It's also exciting to see people talking about security questions from the real world - as well as hypotheticals - sharing security resources, talking pedagogy, as well as surfacing a lot of general food for thought.

I want to keep everyone on the same page about how Tinfoil is evolving, so this is a general brain dump about what's going on.

• I've been talking to @eugene at Auth0 about integrating a Discourse plug-in that will let everyone use multi-factor authentication either (1) on their Tinfoil account, or (2) through Google. (Huge thanks to Auth0!) The idea is that many of us have already set up MFA on Google.
• I've been talking to a couple of friends in news orgs about how to support Tor hidden services.

Some problems I'm running into:

• Discourse plugins are giving me hell. After a lot of troubleshooting on multiple forums, I've come to the conclusion that I'm going to have to reinstall Discourse on the server, and then restore it with a backup. In practice this means Tinfoil will need a few hours of maintenance some time soon.
• Discourse's nginx isn't playing nice with the forced SSL configuration I'm using now. I'm getting some assistance on this.

Some questions for everyone:

• It's worth pointing out that Discourse is javascript-heavy. Even if you're not using hidden services, this makes Tor users sad. How do we make them happy?
• Anything else you'd like to see?
• What's on your mind?

Happy to chat about this stuff.

Nothing really to add, except to say thank you. This was badly needed.

Not much to contribute, other than I've enjoyed discussion here over the past week or so.

One thing that could be a neat addition, though I'm not sure how to implement it, would be some sort of "required reading" page/list? It seems like a lot of questions are coming up like "How should I do X? What should I think about when Y happens", etc. So aggregating some of the most common, well recommended articles, blogposts, etc, would be neat.

I'm hesitant to make any suggestions as to how, because the answer for every other website would be a wiki. That sounds lame, and IDK if anyone would have any interest in that. Obviously this isn't reddit/hn, but maybe some sort of voting system could be available where posts/urls could be given a thumb up/down sort of thing, and the best posts would be aggregated as a way for new users to quickly catch up on topics?

I'm not sure of the solution, but as Tinfoil grows, it would kinda be lame to see a bunch of the "Does anyone have a good PGP guide" posts come up over and over.

Agreed, we don't want a bunch of redundant threads for well-explored topics. There are a lot of different ways to address this... Wikis, some sort of readme. Perhaps an FAQ?

I want to +1 on the organization of information. I think forums are where information goes to die.

If the information isn't pulled out and made easy to find in a more searchable format, it is basically useless. I don't know if a Wiki or a FAQ (or something else) is the best approach, but definitely having a canonical location for "best information on this topic" is critical to actually providing long term value.

Forum threads to explore a topic and answer specific questions. Canonical location of distilled wisdom which people can easily find a reference.

My only other thing is that this forum is kinda confusing because it is flat. There's no organisation or hierarchy. Which is probably fine for "answer the most pressing question" stuff, but will really hinder the ability of future users to find the information they are looking for.

+1 all of the above. We can definitely fix hierarchy with a bit of of organizing by category. Now that we're starting to see a good number of threads, I will probably open up some new categories. Let me know if there are particular categories that you think will work best.

Re: Places for storing wisdom (or "the best information on this topic"), it would be good to open that up for discussion.

Hey folks, another Tinfoil brain dump.

Tinfoil is growing slowly. There are now ~115 registered users. Since it opened up, we’ve been averaging about 14 unique user logins each day. Enjoying the consistently great discussions here so far.

A few updates

• I stamped out a bug that was preventing me from installing plugins.
• Tinfoil now uses LetsEncrypt!
• Tinfoil now supports logins from Google, since many of us already have MFA set up through Google. Let me know if you'd like to see other types of 2FA support here.
• Added categories - feel free to recommend new ones if these need iteration.

More stuff to fix up

• Now that we can use plugins, I'm experimenting with Auth0 to see if it will fit the needs here. (Again, thanks to @eugene at Auth0 for helping out.)
• Fixing a problem with Discourse’s nginx configurations so we can have a Tor hidden service.
• Right now there’s a lot of interesting discussion about the best way to retain useful information from previous threads. While there are a lot of great ideas being floated, it’s still not entirely clear to me what's the best way to move ahead. Any thoughts? If anyone here wants to try experimenting with one of the ideas outlined in the thread, definitely share it for everyone to see. Proof of concepts would be helpful.

Anything else on your mind? Happy to chat about this.

Re: retaining useful info, is the goal to:

-create consistent and up-to-date documentation, independent of this forum

or

-create a "table of contents" of important categories of information, with links back to relevant conversations here?

The first option might be useful, but it would require a lot of work. I'm not sure how people would be motivated to coordinate on that.

The second option seems more realistic. It just requires one admin to tag useful threads and link to them on the "docs" page, so that people can browse by category and be referred to the relevant forum post/thread

I agree that option 2 is more realistic - both in terms of effort, and for the purposes here. While some of the "best information" might seem straightforward, there are likely places where context matters quite a lot. For example, practices might vary on a regional basis. Like @stuohy mentioned, it'd be good to distill the themes, but link to the relevant threads for context. However, it probably needs to be housed outside of tinfoil.press for clarity.

Martin, perhaps just a FAQ page to start, with basic information and links to other threads and resources? I'd help editing that.

Hey, that sounds good. Any thoughts on a good place to put it?

Is there some sort of sticky page feature that you could deploy here?

Let's try this out. I just opened a FAQ wiki. Of course, not everyone loves wikis. Alternatives are welcome; be sure to share links with the folks here.

Just a gentle reminder to maybe push out tinfoil.press to the various groups and networks we are all part of. It's been a very good start so far but need strong moment to keep the growth going. Also. opentech.events is a good place for a useful community calendar. Spread the word!

Appreciate that, Rory.

Time for another Tinfoil brain dump!

We now have a Tor hidden service, which can be found here: v245twftq76pls6n.onion

You can see a bit about how it's all set up here: https://github.com/OpenNewsLabs/Tinfoil.press

As always, the site relies on a lot of JS, so NoScript breaks a lot of things. I'll keep looking into ways to make it more friendly to Tor users, but I'm happy about the first step. Appreciate the help from @s-rah and @mtigas for troubleshooting along the way. <3

I'm goofing around with Auth0. Long story short, it works great, but if I want to support MFA it appears to require MFA during login. I'd like it to be optional, so I'll switch on Auth0 when this is addressed.

Right now there are 170 Tinfoil users. If we define active users as those who have logged in within the last two weeks, 52 are active. Interestingly, 22 (!) people signed up within the last week. Some sign up momentum.

We also now have a Twitter account, (@tinfoilpress) for those who would like to get live updates about the site.

I'd love your feedback on how to make Tinfoil more useful to folks here. Perhaps the next step is going through some previous posts to work on our FAQ wiki. What do you think?

. . .

greetings all,

great forum, many minds fomenting merry mischief

Issue? Working with people across the Pacific, my experience is that what works fab in one country dies an ugly death in another. Doesn't work, doesn't connect, can't access it, user confusion, abandonment, infosec lost. Yay.

Solution suggestion? That we could up country/region based pages of best practice. If we partner with a group like, in my own region, @picisoc, we could access testers in each country. Fellow journos tend to be a bit crap with tech, and insanely busy. So not them. Maybe tech clubs. Whatever works.

Not all countries need Snowden levels of security. *looks around, nervously

So, countries could be rated by threat level, with layered defense options. On a #trafficlight scale. Let's say life-or-death journalism in #westpapua gets a red light, and is referred to the whisper-systems-tails end of the spectrum. High school media in French Polynesia, a greenlight to the whisper-systems-win-android-ios at the other end of the spectrum.

Not sure if this approach might create more problems than it solves, but one for the #suggestionbox

Background: Pacific Freedom Forum covers nearly 30+ countries across Oceania including 'development partners', usually former and existing colonialistas.

Main lesson: We need idiot4dummies level of simplicity for most journalists, FOE advocates, activists and campaigners, especially outside of urban elites. Whether it's a cash-strapped media boss, or a hungry freedom of speech worker, the main focus is on raw survival, often literally.

Takeaway: When it comes to security, we need practitioners using these recommendations to network with confidence and say tinfoil? #itjustworks

. . .

Edit: Flag interface. Hacks dig flags.

. . .