Coding Off the X: How Hermetic Builds Harden Cybersecurity TPS-0046

Date: 2023-04-06

Tags: web, code, design, browser, security, files, hermetic, build, source, materials, elements, development, application, network, environment, vulnerabilities, tool, servers, running, primitive, powerful, page, linux, learn, html, functionality, file, control, coding, client, attack, vectors





Revised Transcript:


I recently began applying myself to building free online web-based tools that help people implement the technical processes that you learn in a permaculture design course.

I'm only competing with myself. I'm not competing with anyone else.

The philosophical approach to designing this technology is I really wanna bridge a gap in my full stack web development skills from back end to front end.

I had been working in the tech field and building websites for clients, maintaining e-commerce and community websites, and all of the Web 1.0 and early Web 2.0 stuff.

Then I stopped that career path for various reasons, and I left off really around Drupal 6, if that means anything to you.

Then I picked back up with WordPress, and then got more interested in cybersecurity.

It was really a process of disillusionment with all of the open source code libraries that you can use freely without scrutinizing, and just build these monstrosities of tech stacks that have minds of their own and all kinds of backdoors and all kinds of attack vectors.

So without giving a discourse on what I've learned, I definitely have realized that, for more sound cybersecurity and best-practice compliance to meet my risk appetite, which is basically zero (because I don't wanna be the security operations center running 24/7 and I don't wanna hire people to do it for me), what I want is web applications that are just optimized by default to preclude a lot of potential vulnerabilities.

Doesn't mean that there's any such thing as a state of security. But with that said, for me, it's not about plugging in all the APIs that are available and learning all of the new, fancy, shiny plug-ins and whatnot.

Because the more I learn about it, the more I realize that what is the design standard that should be or that could be more appropriately put to use in far more instances than it is...

It is what's called the practice of a hermetic build, or hermetic code, whereby, rather than having an application on the Web or on the desktop or on mobile boot itself up and pull in all of these hot live feeds of source files from all of these different third party vendors and repositories and whatnot.

...basically assemble itself into this emergent experience out of this potentially limitless, almost infinite array of black boxes or transparent boxes, there's so many of them that you can't possibly comprehend. There is no reasonable process of vetting the status of the security of any of these components that come in.

You become a wishful thinker whistling past the graveyard, and there's a lot of regulation throughout the world, and some very close to home in the United States, that is addressing these issues with notions of more liability for open source development, which is a controversial topic.

And, of course, software bill of materials, so that at least government contractors can be audited for or forced to show that they have some clue about what is entangled up with their code.

The reality is it's virtually impossible to know what is in the product that you build and sell because of the presumption of baking in so many different third-party sources beyond your premises. Because you could patch something one day, and it might solve a problem for that one day.

But the bigger, more terrifying problem is that there are unknown vulnerabilities that have not yet been disclosed, and are often referred to as zero day vulnerabilities because there have been zero days since they've been disclosed for the developers of the product, of the software code, to actually fix, update and patch that vulnerable code.

So those are vulnerabilities that the code authors are unaware of and that are being exploited in the wild in ways that can be extremely damaging and compromising.

And if they're in the hands of very immature, very short-sighted, profit-seeking cyber criminals, then they would burn or blow a zero day vulnerability for a run-of-the-mill crypto scam.

Frivolous, selfish exploitation of that vulnerability leads to them getting caught. Then that vulnerability is discovered as their modus operandi for the crimes committed. And then that gets exposed, hackers rush to exploit it before the developers rush to patch it, but eventually it gets patched and that zero day is no longer in ongoing versions.

But the more sinister zero day menace is that of what they call advanced persistent threats, or nation state actors, or state backed hackers.

They're all basically long term thinkers who have deeper, more mature agendas to acquire footholds in cybernetic network infrastructure and to remain persistent within networks without being caught, without being discovered, without the bull in the china shop effect of going around trying to do ransomware, encrypt files and exfiltrate files, deface websites and all of that less mature activity.

The more mature activity is the deep rooted, deeply embedded, advanced persistent threat.

Zero day exploits thankfully do come to light and get discovered from time to time. But the existence, the discovery of one probably alludes to the existence of ten or a hundred more.

So it's safe to say that mantra that the infosec community would say: assume every computer is compromised already, and operate with that assumption. That leads a lot of people to segment different types of data into different degrees of being air-gapped, or kept offline and never being in contact with an Internet connection.

So there's all kinds of nuance to that, and all kinds of nefarious ways to bridge those gaps.

Anybody who's interested in this type of material, I've got lists upon lists of materials that I subscribe to, shows that I listen to; Darknet Diaries is probably the most entertaining and listenable for lay people.

All this is to say I don't consider myself to be all that sophisticated because I didn't grow up as a real computer savvy person, and I'm kind of a late bloomer with all this stuff.

But I think I started on the path at a good time in my development.

I'm at a point now where I feel like if I'm gonna create a web application of any kind it's not gonna have cookies, it's not gonna have any form of tracking, it's not gonna collect personally identifiable information that is not encrypted and that lives in places that I don't control without strong encryption.

So there's a whole list of things that I do now that I would consider influenced by the culture of what some people call extreme privacy.

That's actually kind of a brand. And if you want to look that up, you'll find out a lot about that.

For me now there are less unknown unknowns, I have more of an understanding about my threat model, my attack surface, and I've definitely stopped the bleed, digitally speaking, on a lot of things, deleting apps and accounts and just going very hermetic myself in real life and in digital life, and then getting to a point where, rather than throwing myself into catching up to the modern pace of coding open source web applications,

I'm going to take this very austere hermetic route and acknowledge the trade-offs to it.

All of my research is coming together and helping me.

I find myself now feeling blessed as I do web development now, after like a ten-year break; not so much a break, but ten years since having done it every day, in an office in a startup corporate environment.

Those were simpler times and security was not as much of an issue; therefore, it wasn't prioritized.

Now the modern browser, the amount of computing power and the amount of functionality that it has built in out of the box, it's basically almost like its own operating system.

So, with great power comes great responsibility. It's so powerful that it has to be treated with the utmost standards of scrutiny and care for the security of the code, just like an operating system needs to be patched as often and updated as often, and updates need to be consistent.

A double-edged sword, something very powerful but also dangerous.

Thankfully there are more security conscious and privacy conscious browsers that are free to use, and are well vetted and well respected.

They're not hard to find. I'm not gonna name names at this moment, but they are so powerful, and they are so full featured.

The basic, base-level scripting languages that bring browsers to life, they're so full featured now that healthy criticism of all the move fast, break things, track everything, sell everything, basically pimp your traffic and risk all kinds of gnarly, heinous attack vectors against yourself...

Reducing that risk appetite a little bit, and considering moving in a direction of actually quieting down all that noise and writing code that functions in these powerful browsers in a way that doesn't make a million connections to sketchy external ad servers and font servers and analytic script servers.

So once you start looking under the hood and getting into things like Wireshark and TShark and Linux command line terminals, and writing your own Bash scripts and tools to monitor servers and monitor desktops...

It has been said that running a Linux environment, meaning desktop or server, is like driving a vehicle that has a stick shift; that gives you more control.

I think that was probably the best characterization. I was a late bloomer to Linux, and I was derided and laughed into a pathetic state of embarrassment when I was working with a developer mentor, and he asked me what OS I used, I won't say what it was but he laughed at me so hard and for so long that it actually was what I needed to finally hear. I needed to embrace the learning curve of Linux.

The best way to look at it is like that convenience-to-security trade-off, the empowerment and control trade-off that an automatic transmission to a manual transmission would be.

My process has been to cut out all of those middleware providers, reduce the compliance burden by removing cookie functionality, and allow people to enjoy and utilize the fruits of my coding labor in a manner that's private to them.

Just by using HTML and JavaScript client side; these are not even the most technical terms, but basically.

There's the limit to what can be designed and implemented using HTML and JavaScript that operates at the endpoint of the end user's or the website visitor's browser.

It's a one-directional experience. Go to the website URL. Your browser will load the main HTML page. That HTML page will make references to other relevant files that live on my server.

Once that request is made by clicking on a link to open a page that I designed, that browser loads the main page and the pages that it references, which are just sitting right next to it, in the image folder, in the style sheet folder, in the script folder, etc.

But they are all coming from one single source, which is my IP address, my domain, my file system on my server, and nowhere else, with no other calls out to other networks where I don't know what could possibly have happened between today and yesterday that could create a vector, a supply chain attack vector, that could be loading malicious content, malicious code, into a website that I invite people to, that I am liable for the security of and the privacy compliance of.

So this is just a bit of an overview of the journey into going from Web 2.0 and a little bit of Web 3.0 to reeling it in to a hermetic build, hermetic code position.

The code that I write, it's not pulling in libraries. It's not pulling in anything, it's only giving instructions to your browser.

So the security of your browser is where my liability ends and your contract service level agreement begins with the proprietor of the browser that you're using, which, to me is a very elegant hand off.

It's reasonable to be a lot more trusting of a browser-level security update regimen than open source repos coming from God knows where, and having no idea if they've been corrupted, stolen, infiltrated, sold on the dark web, the ownership of the repos...

So the headlines get worse and worse. I feel like, if at all possible, you can build a web application that doesn't require all those things. Obviously, there are plenty of examples where those compromises are necessary.

I can get up early and spend half the day outside, living my life on the land and working the land, and the other half the day giving back and using my semi retired freedom to have this renaissance romance with web development and web application development and coding, really fill in gaps that I missed over the years.

Then I'm gonna continue to do so with this standard of hermetic code, and I'm going to push the limits.

Really learn and explore and maximize the potential of how much functionality you can build into a client-side JavaScript application, in other words a web application that runs privately on a local user's machine, gives them the ability to do more private things with the 100% hard-coded, baked-in assurance that there are no third-party scripts and files that I don't have control over.

When you go to that network inspection tab on your browser, you will see there are no cookies, and you will see there are no network connections being made other than to my domain, my IP.
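The two properties described above (every loaded file comes from the page's own origin, and no cookies are set) can be checked in code rather than by eye. The following is an added example, not the author's code or any code from the tool described on this page. It assumes a hypothetical site served from https://example.org and a constructed list of resource URLs standing in for what a browser would report; in a real browser the audit reads the Resource Timing API and document.cookie instead.

```javascript
// Added example (not the author's code): a client-side self-audit for a
// hermetic page. It reports any resource not served from the page's own
// origin, and any cookies present.

// Pure function: given resource URLs and the page origin, return the ones
// served from anywhere else. Relative URLs resolve against the page origin;
// data: URLs have an opaque ("null") origin and are reported too.
function findExternalResources(resourceUrls, pageOrigin) {
  const external = [];
  for (const url of resourceUrls) {
    let origin;
    try {
      origin = new URL(url, pageOrigin).origin;
    } catch (e) {
      // An unparsable URL cannot be shown to be same-origin; report it.
      external.push(url);
      continue;
    }
    if (origin !== pageOrigin) external.push(url);
  }
  return external;
}

// Pure function: parse a document.cookie-style string into cookie names.
// An empty string yields an empty list.
function cookieNames(cookieString) {
  return cookieString
    .split(';')
    .map((c) => c.trim())
    .filter((c) => c.length > 0)
    .map((c) => c.split('=')[0]);
}

// Combine both checks into one report object.
function auditHermeticPage(resourceUrls, cookieString, pageOrigin) {
  const externalResources = findExternalResources(resourceUrls, pageOrigin);
  const cookies = cookieNames(cookieString);
  return {
    externalResources,
    cookies,
    hermetic: externalResources.length === 0 && cookies.length === 0,
  };
}

// Browser entry point: audit what the current page actually loaded, using
// the Resource Timing API (performance.getEntriesByType) and the real
// cookie jar. Only callable inside a browser.
function auditCurrentPage() {
  const urls = performance.getEntriesByType('resource').map((e) => e.name);
  return auditHermeticPage(urls, document.cookie, location.origin);
}

// Constructed sample input (hypothetical origin and paths) standing in for
// what a browser would report for a page that is NOT hermetic: two of the
// four resources come from other hosts.
const SAMPLE_ORIGIN = 'https://example.org';
const SAMPLE_RESOURCES = [
  'https://example.org/style/site.css',
  '/script/app.js',
  'https://cdn.example-ads.net/tracker.js',
  'https://fonts.example.com/font.woff2',
];

if (typeof document === 'undefined') {
  // Outside a browser (e.g. Node), run the audit on the constructed sample.
  console.log(auditHermeticPage(SAMPLE_RESOURCES, '', SAMPLE_ORIGIN));
}
```

Run in a browser's console, `auditCurrentPage()` returns `{ externalResources: [], cookies: [], hermetic: true }` for a page that meets the standard described in this talk; any entry in `externalResources` is a file the page pulled from somewhere other than its own domain, which is exactly the kind of outside call the author wants to avoid.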

The only files that are being drawn from are on the file system, which is as simple as it has ever been in Web 1.0, but that leverages the beautiful evolution of media-rich and animation-rich and just all of the capabilities of computer science, and even the more advanced programming languages that are able to run and execute code that is “sandboxed” within your browser, so you don't have to download files and install them with administrative privileges, install executable files onto a desktop environment, and then have no clue what that does, because it's a compiled binary file, meaning you couldn't even read what it does.

Unless you were to do packet sniffing on your network, monitor your traffic and DNS queries going out of your network, you wouldn't know what a compiled binary executable file, meaning a program that you download and install, would do.

You would have no idea what it was doing in the background, it could be exfiltrating files.

It could be setting up ransomware operations, and it could be maintaining persistence and spying on you.

You never know who that could be. So the idea is the activities, the interactivity, all happening in the browser with temporary files that disappear out of memory when you close the tab, that run with least-privilege access.

Hopefully, no matter what system you're running on, you are not running with administrative privileges full time, and the escalation of privilege is something that you very seldom do, with very acute care and consideration to the context.



So that gives me a lot more confidence. I'm having this Renaissance, and it's a lot of fun.

So the thing I wanna share, which is probably the first of many, is what I'm calling a design trainer. It's like the early Nintendo sort of Excite Bike experience, where you had the ability to program your motorcycle race course with Excite Bike. It's basically about as primitive as Excite Bike, relative to AutoCAD or something like that.

I've applied my permaculture background experience of designing and installing to where, if you imagine being able to paint a canvas with permaculture system elements like different materials and compost and mulch and different types of plants and plantings and the seven layers of a food forest and structures and solar panels.

I don't know what I'm up to now, maybe almost a couple of dozen design elements that you can click on from a sidebar of design elements; you click on them and then you can drag the cursor, hold the Shift key, and basically paint with these materials and these design elements and mark up a theoretical permaculture site.

It's kind of like somewhere between Excite Bike and digital Legos, in the sense that, somewhere between Etch A Sketch, Lite-Brite, Excite Bike, but very primitive, very pixelly, but gets the job done. And with an aesthetic of early Nintendo style.

But more important than how perfect the shading is and the shadows are and the orientations and how smooth the rounded edges are.

The main point being to teach permaculture, to work with clients and allow clients to play around, and actually, most importantly, be constrained by the limitations that I have placed on what those materials are gonna be made out of and what those elements are gonna be, so that you start to think, oh, it's not just whatever I can shop for and whatever is at the home improvement center.

It's actually a filtering of materials to where almost everything is nontoxic, or moving in that direction, or a means to an end, to become less toxic.

But for me, this is very practical in the sense that from now on, anything that I ever design will be with these ideals.

Actually the reason I moved ahead with this tool as a priority was that I'm actually working with a client remotely, where I wanna be able to basically upload the site plan of a property and upload it as the background layer of this tool.

Then paint the design that I'm imagining of the layout of the paths and the garden beds and the perimeter fencing, etc.

However the design's gonna be, I'm gonna mock it up almost to scale, orienting to what's on the property already and the structures and whatnot, and then have that be this sort of reference material that gets used in the back and forth between myself and the client about what to put where.

I love the idea of them for the first time, with no real training in permaculture, being able to play with this tool and go, oh, I never considered that.

Oh, well, with the ingredients of this palette, I can paint this site, I know it's gonna be safe.

I know it's gonna be eco friendly, nontoxic, productive, and I'm gonna learn a lot in the process.

Now I realize I could actually teach a permaculture design course, literally, with this Excite Bike, Nintendo kind of a tool.

So that's my intent: to be able to have a representation, a micro pixel art, very primitive, almost eight-bit type primitive representation of almost everything within reason, at least at a high level, that you would encounter in the permaculture design course.

So that you can assemble these guilds and these interconnected, stacked function systems, feeding systems, type of methodology of the engineering, human ecological landscapes, and have everything not only be sort of like just an exercise, but actually yield a literal design.

So it could be that you do your permaculture design course, final project of your first implementation of what you've learned on into a design.

I'm sure there are better tools in existence, but again, I'm just in my little hermetic coding environment and enjoying the process.

What I can continue to iterate and build upon, is the nuance of functionality, where you bring in more advanced programmatic elements, like the effects of the changing of seasons, the solar angle, the slope and the energy vectors.

And zonation theory. But I really feel like, whatever I can implement within this experience of a web app that is straight out of the designer's manual and informed by my experience, I'm grateful to say that it's been pretty diverse, my design and implementation experience, the range of budgets that I've worked with on crews and as my own service provider.

I'll continue to add features. There's lots of things that need to continue to be added.

I feel blessed with these mentor voices I'm consuming to come out at the right time and remind me of things.

I hope that I'm gonna be blessed by folks coming forward and saying, hey, what you did in ten lines of code can be done in one line of code.

Things like that, elegance, the reduction of bloat in code by having the mastery that comes from decades of experience.

Right now, I'm at that stage of just getting minimum viable products, proofs of concept, and then going back and discovering and rediscovering ways to make the code itself more elegant.

I'm extremely thrilled about what is an underestimated and undervalued realm: hermetic code that runs in the private local environment that is the end user's web browser sandbox.

Just allowing the browser to do the magic and the security behind the browser to be what allows me to sleep at night.