Alternatives to New Year Resolutions

Overview

I’m not a big fan of new year resolutions. I suppose it’s all those past years of self-created disappointments. My theory is that ‘resolution’ as a word is somewhat pointless. The word has a certain sense of certainty when there is no such thing. I prefer ‘goals’ or ‘intentions’ which can be done at any time of the year.

The good thing about the new year resolution time of the year is that I get a chance to glimpse the approach of other people. This year I found some interesting ideas and approaches to goal/intention setting from some people that I respect and like. In this post, I point to the techniques and the folks that mentioned them and my hope is to use them throughout the year.

Here’s the TLDR; of what I cover:

  1. Getting rid of the old through David Allen’s approach
  2. Considering the quality of time and life from DHH.
  3. Using Jeffrey Way’s approach to create concrete lists that collect both the good and the bad of the past year and how to use these lists for the new year.
  4. Snapping yourself out of the unimportant/urgent moment-to-moment parts of your life through the Eisenhower Box
  5. And using some Core Intuition to guide your projects and next-action creation.

Buckle up 🙂

From the godfather of GTD: Get rid of everything that you can!

In his first post of 2016 in the GTD Newsletter – David Allen talks about the value of getting rid of everything you can. I’ve been imperfectly using GTD for over a decade (with an especially imperfect review component…sigh). For the past few years I’ve used OmniFocus (OF) as my tool of choice for organization.

Some great and actionable advice from David’s post include:

It’s time to purge.

The start of a new year is a great metaphorical event to use to enhance a critical aspect of your constructive creativity—get rid of everything that you can!

Your psyche has a certain quota of open loops and incompletions that it can tolerate, and it will unconsciously block the engagement with new material if it has reached its limit. Release some memory!

I challenge each of you reading this to test out the following hypotheses, and prove me wrong. (And if you discover that any of these work, please email me with your story, and I’ll do a post-mortem on this essay at some point with the results!)

Want some new visions for your life and work? Clean up and organize your boxes of old photographs.

Want to know what to do with your life when you grow up? Start by cleaning the center drawer of your desk.

Want to trust your day-to-day, moment-to-moment decisions more? Get rid of any email backlog that is taking up real estate in your inbox.

You will have to do all this anyway, sometime. Right now don’t worry about the new. It’s coming toward you at lightning speed, no matter what. Just get the decks clear so you’re really ready to rock ‘n’ roll.

For me my OF project list is full of old projects, on hold projects and general crap. This post encouraged me to create a “Projectfill Trash Dumpster” folder (‘projectfill’ as opposed to ‘landfill’…I know…clever :-O ). I created a 2015 folder and I’m in the process of moving all the old cruddy projects into it. It’s the first step. The next step is to put all of these projects in an “on hold” status, and eventually (when I’m feeling really brave), I will put the projects in “delete” status and archive them via OF’s excellent archive feature.

From the Godfather of Ruby on Rails – DHH: WTFAYQH – where … are your quality hours?

DHH has an interesting article about “quality time” and how to deal with the “I must juggle it all to be productive” mentality (Read it! It’s going to be 5 minutes of quality). The key point of the article is this singular sentence:

If I have a trick, it’s a focus on the quality of each individual hour.

I think that the techniques mentioned below (like the Eisenhower Box) can help with the concrete creation of quality time. But it’s important to step back and really consider what is important and what is urgent. After all, when everything is important, then nothing is important. When everything is urgent, then nothing is urgent. You might as well go to bed and take a nap…it’s a better use of your time than running around like a hamster on a wheel. Another way of saying this (per the article) is:

Covering your ass to yourself or others might give you some temporary comfort, but it won’t cover the deficit of ambition in the long run. Resignation is a coping mechanism for the beaten.

It’s ironic that in running faster you are resigning yourself to the false idol of the immediate urgency, when the really important is not coming from you…the core of what you really want and who you really are.

The article is focused on work-related time. But what about the rest of your life?

Do I really need to be involved in this? (“I should be able to do this sheet rock fix…I just need to watch YouTube for how to do this thing, then go to Home Depot and get the repair items, then come home and watch YouTube again and then attempt to do this thing which I’ll never do again”)

Could this wait? (“But all the other parents join the PTA…so I definitely absolutely need to join”)

Can I bail on this? (“Well how about this email from my buddy John…he wants me to come and help him move because he’s too cheap to pay movers…so I should go and potentially hurt my back for pizza…sounds peachy”)

Am I ready for this? (“I MUST learn __name any JavaScript framework__ because it’s the hot thing right now…it’s guaranteed to be in demand for next 2 years/months/weeks/days/hours/minutes”)

Quality is an overloaded word. But I think that if you look back at the past hour, you can tell fairly quickly if it was a quality hour or one full of hamster wheeling busy-ness.

From Laracasts creator Jeffrey Way: Using 3 Simple Lists to Plan the Future by Looking at the Past for Feedback

I really like short podcasts and Jeffrey Way’s “The Laracasts Snippet” fits nicely with a 5-10 minute discussion about mindsets related to technical subjects. I like Jeffrey’s brashness and no-nonsense approach in ‘telling it how it is’ (for him).

His “Prioritize, Incentivize, Optimize” episode covered an interesting approach in reflecting on 2015, and using that reflection as feedback for the new year. It’s 8 minutes of delicious reflecting/planning gold.

His approach is as follows (starting at 00:57):

  • Create 3 lists with the following headings and meanings:
    • “Prioritize” (i.e. prioritize the things that you love)
    • “Incentivize” (i.e. incentivize the things that you need to do)
    • “Optimize” (i.e. optimize the things that you hate to do)
  • Start with 2015:
    • (01:40) On the “Prioritize” sheet write out the things that you really love doing. The focus for this is on writing the things related to your day-to-day not that one-off vacation that you had or that one moment during the year where you felt at peace. So your list is about the day-to-day…what is it on a daily basis that you love doing…that thing that hits your butter zone. This should be a quick list – just list out 5 things (so you don’t get bitten by your own analysis-by-paralysis piranha).
    • (02:47) On the “Incentivize” sheet write out the 5 things that you may not love to do on a day-to-day basis, but that you need to do. For example, working out may be something that you need to do for your health, but it is not something that you love to do on a day-to-day basis. A way to detect these items is anything that you can argue yourself out of. For example, “well – I got too many things to do today, so I’ll skip my 10,000 step walk…I’ll do 20,000 steps tomorrow…worst case I’ll do 50,000 steps by the end of the week”.
      • So what do you do to do these things? You find incentives to do these things. Jeffrey refers to the Freakonomics podcast about some approaches that he found. Two approaches:
        1. Join the thing that you don’t want to do with a thing that you do want to do (for example: “I’ll watch ‘The Blacklist’ only when I work out”). The key point is that you’re not allowed to do the thing you like unless you do the thing you don’t like (either at the same time or first).
        2. Another approach is to provide some kind of backlash (for example: if you don’t work out 4 days a week, then something bad will happen like – give $100 to your best friend or do a shame tweet, or dance a weekly jig in front of your office mates). The idea is to find something that you are averse to that you’ll have to do if you don’t do the thing that you have to do. It’s basically a negative incentive.
    • (04:56) On the “Optimize” sheet write out the 5 things that you hate to do. Think back on 2015 on a day-to-day basis – what are the things that you hated to do? Now figure out a way that you can potentially optimize it. For example, let’s say that you need to answer customer support emails as part of your business and you hate doing it (let’s say an hour per day). Write this down and ask yourself ‘how can I optimize this?’ Maybe it’s a SaaS-y solution like Zendesk. Maybe automate common questions. Maybe you need to fix something in your product to fix/remove these questions.

The goal of these lists is to do more of what you love in this new year and less of what you hate.

So these 3 lists are Jeffrey’s approach to new year resolutions (i.e. replacing the resolutions approach). I really like this approach because it is extremely concrete and it uses last year as feedback for your current/upcoming year. It also lends itself to more frequent value calibration, for example a 3-list review on a monthly basis rather than just a yearly basis.

This approach has a bit of intersection with the Eisenhower Box that I describe below. The key benefits are:

  • It is easy to do (just pick 5 things for each list).
  • It focuses on concrete things that happen in your life.
  • It is a clear sharpen the saw activity that you can do at any time

The Eisenhower Box

When I think of the word “Eisenhower”, I think 1950s conservatism and wearing a suit at work. However, the Eisenhower Box is quite different.

The Asian Efficiency (AE) Podcast (episode 72) had an excellent discussion about new year resolutions and the various approaches that were used by AE’s team. The item that caught my eye (or better said ear) was a passing comment about using the Eisenhower Box for prioritization. In episode 72’s show notes they link to a great article by James Clear about the origin and usage of the Eisenhower Box.

Covey’s “Put First Things First” comes from the Eisenhower Box (I didn’t know this until now). In any case, it’s a great approach for looking, on both a moment-to-moment basis and a long-term basis, at the project/task/action that you’re doing and evaluating whether it is:

  1. Important/Urgent: DO aka Do it now!
  2. Important/Not-Urgent: DECIDE aka Plan – schedule a time to do it.
  3. Not-Important/Urgent: DELEGATE aka Who can do it for you?
  4. Not-Important/Not-Urgent: DELETE aka Eliminate it

As mentioned before, Jeffrey’s approach is in line with this approach (but more concrete and simple). The mapping would seem to be as follows:

  1. Prioritize = Important/Not-Urgent
  2. Incentivize = Important/Not-Urgent
  3. Optimize = Not-Important/Urgent and Not-Important/Not-Urgent

I think the Not-Important/Not-Urgent would fall into the optimization list by way of “eliminating/deleting” the item. In fact, James Clear in the Eisenhower Box article states this very thing:

Elimination Before Optimization

There is no faster way to do something than not doing it at all. That’s not a reason to be lazy, but rather a suggestion to force yourself to make hard decisions and delete any task that does not lead you toward your mission, your values, and your goals.

Too often, we use productivity, time management, and optimization as an excuse to avoid the really difficult question: “Do I actually need to be doing this?” It is much easier to remain busy and tell yourself that you just need to be a little more efficient or to “work a little later tonight” than to endure the pain of eliminating a task that you are comfortable with doing, but that isn’t the highest and best use of your time.

As Tim Ferriss says, “Being busy is a form of laziness — lazy thinking and indiscriminate action.”

Tim Ferriss’ quote reminds me of the hard ass Unix professor that I had at one point. One of my peers was doing a lab exercise and ended up going down some pointless rabbit holes that had nothing to do with the exercise that he was solving. He was in a sense pursuing any problem that he could think of to show the professor that he was doing something (“hey professor – look at me – I’m doing something by spinning this hamster wheel”). So the prof comes over and looks at what he’s doing and in a loud vehement voice the prof says “STOP doing mental masturbation on this exercise and do the damn exercise already!” I suppose that productivity tools can be that, a way of not doing the things that we need to be doing.

This elimination approach fits in with Allen’s “Get Rid of Everything” approach and DHH’s quality discussion. You need to get rid of the crap that is of poor quality which is the same stuff that is not in sync with your mission/values/goals.

Core Intuition 214

In Core Intuition’s episode 214 Daniel Jalkut speaks of his disbelief in resolutions. In a tongue-in-cheek way he says that his whole life is one big resolution. That’s both a funny and a strangely profound thing to say. If all our lives are one big resolution, then is the issue that many of us don’t figure out what that resolution is before our lives end? (i.e. the holy grail of finding our “life’s purpose”)

At time mark 33:38 he mentions a comment from Dennis (from Core Intuition’s live chat at the time of the podcast). Dennis indicates that this is how he approaches resolutions:

  • Resolutions are for long term goals for things you wish were true.
  • Values are the metrics for choices on deciding on a daily basis the way to prioritize things.
  • Practices are the concrete activities which make your goals come to pass.

Dennis’s reflection caught my attention. Initially, I was resistant to considering resolutions as long term wishes. After all, I may wish for the fuzzy goal of “world peace” but how likely is it that I would accomplish this? Perhaps this is an issue of specific versus vague? I would rephrase the first point as Resolutions are for SMART long term goals for things you wish were true (where SMART = Specific, Measurable, Achievable, Relevant, Time-bound).

The values piece is directly reflective of DHH’s quality approach as well as the Eisenhower box prioritization.

The practices piece refers to actually “doing it”. It’s David Allen’s next action question of “the next physical, visible activity that needs to be engaged in, in order to move the current reality toward completion.”

In a sense, all the approaches that I have covered reflect and bounce around in this small silver resolution box that Dennis creates through his comment.

Conclusion

Are there alternatives to New Year resolutions? Absolutely! I personally like the above sources and how I ordered them (from somewhat fuzzy conceptual to more concrete/actionable). So to review:

  1. Begin by getting rid of the old through David Allen’s approach
  2. Then consider the quality of your seconds, minutes, hours, days, months, and the whole (past) year.
  3. Use Jeffrey’s approach to create concrete prioritize/incentivize/optimize lists that collect both the good and the bad quality things/activities of the past year and use these items for the same set of lists for the next year.
  4. On a daily basis snap yourself out of the unimportant/urgent moment-to-moment parts of your life using the Eisenhower Box
  5. When creating projects and next actions for those projects during your day or week – use the guideline from Core Intuition. This is also useful for periodic reviews of what you’re doing and where you are in your life.

There is a “write your obituary” exercise that many life coaches promote. That seems like a bit of a downer (but it may be effective I suppose). I think a more interesting question is encompassed by a quote that I saw on John Gruber’s site on Martin Luther King Day:

“Life’s most persistent and urgent question is, ‘What are you doing for others?’”
Martin Luther King, Jr.

At the end of the day, our actions, goals and aspirations are not in their own bubble. They are ripples on a vast ocean that reflect out and affect others. The ripples of all of our resolutions, goal settings, and various machinations – these ripples are the ones that form our ultimate legacy or lack thereof.

Peace!

eli4d


Please let me know via Twitter if you found this post useful.

Excellent Coverage of Vue.js and the Beard CSS Framework through Episode 33 of the Full Stack Radio Podcast

The Full Stack Radio podcast had an excellent episode covering Vue.js and a CSS framework named Beard through a discussion with David Hemphill.

I’ve mentioned Vue.js before. In this case, I like Hemphill’s discussion (starting at 11:19) of JavaScript fatigue and his reasons for using Vue.js. This discussion reminds me of the old days of switching from the obscure in-document symbology editors to a full WYSIWYG type editor. In a sense Vue.js is the WYSIWYG equivalent to other JavaScript view interfaces/frameworks that obscure their operation with short codes of their own that will “do everything for you”.

I haven’t looked much at CSS frameworks but Hemphill’s pragmatic approach to product creation makes the Beard CSS framework interesting because he seems to apply the same pragmatic sensibilities to the creation of this framework. The discussion about Beard begins at 27:31.

As a side note – David Hemphill’s home page blurb about himself is really funny (besides the fine beard that he displays):

Builder of web things. Family man. I used to fight. I used to music. I’m an introvert, but I still like you.


Please let me know via Twitter (@eli4d) if you found this post useful…it encourages me to write more of this.

QP: How to View the Full URLs on Firefox

I came across an excellent tip from Security Now (https://www.grc.com/sn/sn-542.txt). To view the full URL on Firefox just do the following:

Why would you do this? Well – if you want to see the full URL before copy/pasting or if you just want to be sure you are looking at the correct site.

If you found this useful – let me know via @eli4d on Twitter

Time Machine Slowdown Issue and Resolution

Problem:

Right after coming back from the holidays I noticed that my machine was completely unusable when Time Machine (TM) would run (on Yosemite). It was so bad that I would need to pull the external USB hard disk without ejecting any partitions (while cringing inside) to be able to get control of my machine.

My system’s specs: mid 2014 MacBook Pro 15″ with a 2.5 GHz i7 CPU running Yosemite.

Solution:

This solution worked for me but the usual disclaimers apply.

Initially, I ran TM overnight thinking it had to catch up on some holiday weeks that it missed in terms of backups. This assumption was wrong. When I looked at the 1 TB partition that I had made available for TM it had only 25 GB left. It seemed like TM was thrashing my whole machine in attempting to clean up old backups.

The next thing I did was to shut TM off so that I could use my system while figuring out how to delete old backups off the TM partition. I first tried to delete individual backups and I found this Stack Exchange article to be extremely useful: http://apple.stackexchange.com/questions/39287/how-can-i-manually-delete-old-backups-to-free-space-for-time-machine.

I tried both the command line approach of deleting specific TM backups and I also used the TM interface. The biggest problem was that I couldn’t tell which backups were extremely large (running ‘du’ on the directories was useless due to permission issues and a long response time). Additionally, when I used the TM interface, it would block me from using my system for anything besides Time Machine (command line was much better). I then decided to delete all the backups using command line and I got tons of error -36 messages. So this didn’t work well.

My solution was the nuclear option – i.e. nuke the TM partition and start over:

  1. Shut off TM via system preference
  2. Disconnect TM partition via Finder
  3. Use Disk Utility to erase partition:
    • name it with current year so it’s different name than original
    • it will complain giving an error while it removes the encrypted partition that TM created
    • re-erase partition after the initial error so actual erasure occurs
  4. In TM system preference:
    • remove the old disk (you can’t do this until the partition is gone)
    • create new TM disk by selecting the new TM partition

This is probably old hat to experienced users of the Mac but it was new to me.

If you found this useful – let me know via @eli4d on Twitter

Book Review: Neptune Crossing (The Chaos Chronicles Book 1) by Jeffrey A. Carver

Note:  This post contains affiliate links to Amazon.

Spoiler Free review of Neptune Crossing (The Chaos Chronicles Book 1) by Jeffrey A. Carver.

Review

Rating:

  • Harlequin level: n/a
  • Plot/action/story: 5
  • Solid conclusion: 5
  • SciFi thrill: 4
  • Fantasy thrill: n/a
  • Part of a series but doesn’t skimp (as applicable to this book): 5

Overall thoughts about the book

I’ve decided that for this year, I will endeavor to do quick reviews that are spoiler free.

If there’s one thing that has allowed me to read a ton of books (as in 10-15 books) last year it was my purchase of the Kindle Voyage.  The reading quality and compactness of this device has been amazing.

Before I talk about Neptune Crossing I should mention a couple of things.  First of all, I found out about it through BookBub.  I used to get many of the free books that BookBub suggested.  However, after reading a few duds, I’ve become more careful about my choices.  These days I look at the reviews (especially the negative ones) to see if it’s worth reading.  It certainly has become more difficult to find good books from new authors (just like app selection on the App Store).

My first introduction to Jeffrey A. Carver was Panglor which I got through BookBub (Neptune Crossing came through the same route).  I really tried to read this Panglor but the character was so exhaustingly trite and without any redeeming qualities that I gave up on the book fairly quickly.  If I need whining, I need to look no further than real life humans.  Why would I spend delicious reading time on whining?

I was in between books in terms of the Kindle Owner’s Library (once per month you can borrow a book), when I decided to read Neptune Crossing since it was in my Kindle library.  Thankfully, Neptune Crossing was nothing like Panglor.  I should also say that I had no background about the author when I read both books (not that this really matters…if a story is bad, then it’s bad regardless of the author’s fame and other books).

It was slow going initially (first 70 pages or so) and I didn’t like John Bandicut, the main character. But John was sufficiently ‘real’ to see me through the first part. The other thing that bugged me about the first part is that the initial alien is rewritten after the first 70 pages or so. In the afterword, Carver mentions that he changed point of view when writing the book and had to rewrite the whole beginning. This may be why the beginning was disappointing.

The other thing is that Carver seems to be obsessed with the phrase “hooked his thumb”.  He uses this throughout the book and it actually took me out of the story because it’s somewhat of an unusual phrase for me.  I recognize that it’s a minor nit picky thing to mention but it was a minor thing that made an impact on the book’s readability for me.

So the first third sucked a little bit.  But the last two thirds of the book took off just like the spaceship that is described in that part of the book.  I couldn’t put down the last part of the book even if the last few pages took a weird “2001 A Space Odyssey” (http://amzn.to/1RvFr9O) turn where everything became odd and weird and a setup for the second book.

The writing was very good and very descriptive.  No minor editorial errors to take you out of the story.  While the character is not fully likable, he is ‘real’ which is what redeems him.  To be truthful, I really don’t like John Bandicut through the whole book, but he plays the role of the reluctant hero well.  He is a regular guy with regular abilities.  Heck, he’s a regular guy with some short-circuited regular abilities.

The story ended up being pretty good with a good mixture of solid scifi technology, chaos theory and lots of action.  The last 20 pages were kick ass and I couldn’t help but finish the book.

Lastly, the book stands on its own regardless of other books, so kudos on that.  I certainly didn’t feel the need to read any more of The Chaos Chronicles books to feel a sense of closure and satisfaction with this book.

Some nicely described sentences/phrases from the book (a few among many):

Before he could ask, he felt a sudden sense of memories falling into place like the tumblers of a lock…

The solar system was a vast, cold, dark, and lonely place and he had just set course for himself across its enormous emptiness.

He imagined the planets gathered around, watching and applauding as he smashed straight into the ___, and he wanted to look right for the event.

…but his thoughts were like chunks of ice in a packed floe, vibrating with energy, but too jammed together to move.

Fullstack Radio Podcast Episode with DHH – shaping your technical patterns based on your organizational patterns

On the Fullstack Radio Podcast this week there is a great technical/design discussion with DHH about technical versus organizational patterns, Basecamp 3 and Ruby on Rails 5. Sadly there was not enough cowbell in the form of curse words (only around 5 🙂 ). I kid around about this but one of the great things about DHH is his opinionated and eminently pragmatic approach. He justifies his reasons really well and he stands his ground regardless of the sh*t storms that stir up around him.

Beyond all the technical choices and decisions for Basecamp 3 the discussion that caught my attention was the one about technical patterns versus organizational patterns (starting around 09:19 and ending around 18:45). Most outlets of technical information (whether high profile developers, companies, etc…) focus on architectural patterns and there’s never any talk about organizational patterns. In other words, does the architectural pattern that you choose fit your organizational pattern?

DHH discusses the intersection between organizational patterns and technical patterns. For a small team (like Basecamp’s) of 12 developer/designers a micro-services architecture would be disastrous in terms of implementation and maintenance. Whereas micro-services might be a perfect fit for an organization like AWS. In the case of Basecamp 3 the organizational pattern (i.e. very small dev team) causes the following choices in architectural patterns:

  • hybrid native apps (i.e. do as much on the server as possible with fast web views while doing native side optimizations for high fidelity features)
  • Basecamp 3 as a “majestic monolith” rather than a constellation of micro-services (11:08)

The point is that you have to fit your technical pattern to your organizational pattern, not the other way around. The question fundamentally is: “does this technical pattern fit our organizational shape?”

Best quote of the episode: “whatever Facebook is doing do the complete opposite of that and in many cases you’re closer to finding patterns to your organizational shape if you’re a company of 5, 10, or under 50” (13:50). Basically, trying to clone architectural patterns of companies with unlimited resources is a very bad approach.

Micro-services make complete sense for someone like Amazon (15:05). Amazon has lots of people and lots of business units. Amazon was an early adopter of service oriented architecture. Team sizes are what they are at Amazon but you need teams to collaborate, so micro-services fit this model.

The majestic monolith has wrongly been discarded because (second best quote) “people have been looking at giants for inspiration for ants” (17:42).

This is a very interesting approach. I never thought about it in this way, always looking at the technical patterns. I’ve been at start-ups where the software architect is so focused and in love with technical patterns that s/he loses all perspective of anything else. In fact, I don’t recall any start-up where the organizational pattern shaped the decisions of the architectural pattern.

For RoR enthusiasts there is lots of Basecamp and RoR 5 information beyond the above section.

More DHH info can be found here:

Notes on installing an FTP server on a Digital Ocean virtual machine running Ubuntu 14

Overview

These are some quick notes/lessons related to vsftpd installation on Ubuntu 14. My reason for creating such a server was that I wanted to collect photos for an event (from the guests that came to the event). I had originally thought this was going to be easy with my 1 TB Dropbox account. What I didn’t realize was that in order for anyone to upload to a shared Dropbox folder, that person has to have an account on Dropbox.

So rather than hassle people about creating a Dropbox account, I figured that a temporary FTP server through Digital Ocean* would be easier. While I deployed the server and got it working for my needs I later realized that I was trading the ‘you need to create a Dropbox account’ hassle for ‘you need to upload using an FTP program’. I realized that this was a bad approach too since I was dealing with users that had a wide (wide) range of technical comfort and knowledge.

* Note that my Digital Ocean links in this post are referral links – they’re a great service which I really like and I definitely recommend.

Creating a virtual machine on Digital Ocean

Creating a virtual machine (i.e. a ‘Droplet’ per Digital Ocean’s jargon) on Digital Ocean (DO) literally takes 55 seconds (which is pretty amazing). DO’s support center (https://cloud.digitalocean.com/support/suggestions) walks you through clear instructions on doing this.

I went with Ubuntu 14.04 because it is an LTS version and was likely to be quite stable. Of course I didn’t need long term support for such a short-lived server but I figured the stability would be worth it.

SSH Keys

DO will email your root password or you can create SSH keys and put the public one on your instance for easy log-in.

I used the https://www.digitalocean.com/community/tutorials/how-to-set-up-ssh-keys--2 instructions for ssh key association with my droplet. This line from the instructions did not work for me:

 cat ~/.ssh/id_rsa_digitalocean.pub | ssh user@123.45.56.78 "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"

So I ended up destroying and re-creating my droplet and pre-associating the public key that I had just generated. Since it’s really fast, there was no big negative in doing it this way. Of course I could have used scp to copy the public key too if I didn’t want to re-create the droplet.

Installing and configuring the FTP server (vsftpd)

Installing vsftpd

I found pretty good instructions on https://www.digitalocean.com/community/tutorials/how-to-set-up-vsftpd-on-ubuntu-12-04 for the initial installation.

The key is to install vsftpd and configure /etc/vsftpd.conf:

 apt-get install vsftpd

When looking at vsftpd’s configuration – Vim drove me a bit batty with the built-in color syntax-ing (tons of dark shades of unreadable color) and I had to turn that off. The instructions at http://vim.wikia.com/wiki/How_to_turn_off_all_colors explained how to do this (just put these at the end of the .vimrc):

 syntax off
 set nohlsearch
 set t_Co=0

550 error

My initial run of vsftpd per the tutorial that I found yielded a 550 error. This was one of a cavalcade of errors when testing different vsftpd configurations. The long and short of it is that the ftp server can be configured in different ways (anonymous download only, download and upload, etc…). Each of these possibilities yields a different permutation of options in /etc/vsftpd.conf and the potential of other supporting files (for example – virtual users need more configuration files).

My configuration goal was a single user that could upload files to his home directory. This was going to be a shared user among different people that attended the above mentioned event. My assumption was that each would put their photos in a sub-directory that I created for them (see “Conclusion” section of this post for why this was a poor assumption).

So…I needed a chrooted ‘regular’ user for this configuration. Below is my final /etc/vsftpd.conf configuration and here are some useful sources of information.

Creating the ftp user – 1

I created the user using:

 useradd ftpuser

How-To Geek has a good article about useradd. Ubuntu also has an adduser command. Both do the same thing but I found useradd to be easier to use.

After creating the ftpuser I decided to give my ftpuser a brilliantly simple password and it was ftpuser.

 passwd ftpuser

My intent was to make it easy on my users. This was a fatal (and dumb) security mistake. I am well versed in the stupidity of security by obscurity and I fell for it thinking that ‘no one is going to find the ip of this droplet’. I cover this lesson in the “Conclusion” section of this post.

Creating the ftp user – 2

One initial issue with my user and vsftpd was this error:

 500 OOPS: vsftpd: refusing to run with writable root inside chroot()

The problem was that ftpuser’s home directory didn’t have proper permissions for chroot to work correctly. Basically, the home directory of ftpuser cannot be writeable but sub-directories need to be writeable. So I did the following:

 As ftpuser within ftpuser's home directory:
 ftpuser@myawesomedroplet:~$ chmod 755 ../ftpuser/
 ftpuser@myawesomedroplet:~$ mkdir _test
 ftpuser@myawesomedroplet:~$ chmod 555 ../ftpuser/
 ftpuser@myawesomedroplet:~$ touch test
 touch: cannot touch ‘test’: Permission denied
 ftpuser@myawesomedroplet:~$ exit
 As root:
 root@myawesomedroplet:/home/ftpuser# service vsftpd restart

The _test directory is where I would have my logged-in user put their photos (well something better than _test)

For more info on this see: http://askubuntu.com/questions/239239/500-oops-vsftpd-refusing-to-run-with-writable-root-inside-chroot-keep-user-j
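The layout described above (a home directory that is not writable, with a writable sub-directory for uploads) can be checked before restarting vsftpd. This is an added example, not part of the original setup: the function names are hypothetical, and it treats any write bit on the chroot root as a failure, which is a conservative assumption.

```shell
#!/bin/sh
# Added example: audit a directory meant to be a vsftpd chroot root.
# Assumption: any write bit on the root is treated as a failure, which is
# stricter than strictly necessary but safe for a shared upload account.

# Print the 10-character type/permission string, e.g. dr-xr-xr-x
mode_string() {
    ls -ld -- "$1" | cut -c1-10
}

# Succeed if owner, group or other holds a write bit on the directory
has_write_bit() {
    case "$(mode_string "$1")" in
        ??w???????|?????w????|????????w?) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeed if the owner write bit is set (a usable upload area)
owner_can_write() {
    case "$(mode_string "$1")" in
        ??w*) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 only if the root is read-only and has a writable sub-directory
audit_chroot() {
    root=$1; rc=0; uploads=0
    [ -d "$root" ] || { echo "FAIL: $root is not a directory"; return 2; }
    if has_write_bit "$root"; then
        echo "FAIL: $root is writable ($(mode_string "$root"))"
        rc=1
    else
        echo "OK:   $root is not writable ($(mode_string "$root"))"
    fi
    for sub in "$root"/*/; do
        [ -d "$sub" ] || continue
        if owner_can_write "$sub"; then
            echo "OK:   upload area ${sub%/}"
            uploads=$((uploads + 1))
        fi
    done
    if [ "$uploads" -eq 0 ]; then
        echo "FAIL: no writable sub-directory under $root"
        rc=1
    fi
    return "$rc"
}
```

Source the file and run `audit_chroot /home/ftpuser`; a non-zero exit status means either the chroot root is still writable or there is nowhere for uploads to land.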

Some insecurities

Everything looks good but…

After the above configuration for both vsftpd.conf and my local user I was all set. I tested logging-in via an ftp client, changing to _test and uploading a file and it all worked swimmingly. Then the next day I tested the exact same thing and I couldn’t log into the ftpuser account. I changed the password back to *ftpuser* and in 24 hours the exact same thing happened.

Well maybe it’s a security patch thing

I thought that perhaps my system wasn’t sufficiently patched (the magical thinking trap kicking in). So I went ahead and patched it. I also used the script from https://www.digitalocean.com/community/questions/updating-new-ubuntu-droplet-security-updates to make it easier on myself.

Chris Fidao in his Servers for Hackers has an even better approach to get automatic security patches using cron and the specific Ubuntu distribution.

Nope it’s not a patch thing

My ftpuser kept being inaccessible after a few hours passed since changing its password to my brilliant password of ftpuser. So I decided to ask my question on askubuntu.com:

http://askubuntu.com/questions/691375/on-ubuntu-14-04-3-something-is-changing-regular-users-password-within-24-hour

Vincent Flesouras rocks!

I got a fantastic answer from a gentleman named Vincent Flesouras.

The short answer: security by obscurity doesn’t work. I feel like Bart Simpson at the black board repeating this sentence over and over again.

Next action

The next step would be to throw away my Digital Ocean droplet and re-create it with something like Ansible. Since Digital Ocean charges me based on the existence of an instance (whether it’s online or shut off it still costs), this would also save me some money and create a repeatable virtual machine.

I stopped here because I realized that the FTP server approach was the wrong approach for my audience. I think a better solution would be a webserver approach for easy upload of files (perhaps Caddy with some Golang goodness) but this will have to wait for another time because I’m out of time.

Conclusion

I learned the following lessons:

  1. Before diving into something, make absolutely sure you know how your least technical user will use your product/creation/monstrosity. I had assumed the built-in pervasiveness of ftp clients within all web browsers. The problem is that this is true but in the wrong direction for my use case. Most web browsers can connect to an anonymous ftp server to download files not upload them. Of course there are plenty of web based ftp clients, but then I’m giving a third party access to this ftp server with personal items (i.e. photos) on there. So…an ftp server was the wrong solution for this problem to begin with.
  2. Never ever ever use a super simplistic password relying on the obscurity of your server (i.e. ‘just’ an IP without an associated domain). Rationally, I knew this to be the case but there’s nothing like your brand spanking new user account on a brand spanking new virtual machine changing passwords ‘by itself’ every day.
  3. I should have used Ansible or some such orchestration software for the creation of the server. It would have allowed me to quickly and cleanly destroy/create server instances. This would have helped with testing of my server’s configuration (security and otherwise).

This was definitely a learning experience both about vsftpd and security.