[HN Gopher] Helm is a personal server that lives where you do ___________________________________________________________________ Helm is a personal server that lives where you do Author : philips Score : 89 points Date : 2021-08-29 21:04 UTC (1 hours ago) (HTM) web link (thehelm.com) (TXT) w3m dump (thehelm.com) | giantg2 wrote: | Seems pretty cool. A little pricey and maybe even overpowered. | The biggest thing that holds me back from hosting my own server | is probably lack of static IP and the time/cognitive overhead of | maintenance/security. | fsniper wrote: | The name and terminology is unfortunately too close to the other | helm. [helm.sh] | miked85 wrote: | > _Truly private email._ | | The marketing is heavy on this site. | yashasolutions wrote: | This should be encouraged and supported. | | While I do have many questions, which would definitely delay an | impulse buy, it is of general interest to have more companies | trying to create easy to use products that help people to cut the | cord with 5 companies that rules our digital lives today. | | Now on with the questions I'd love to clarify: | | - How to ensure the hardware is not chipped with some low level | spyware? | | - Can we install stuff on this machine? How is the upgrade | process working? Do we have root on the machine if need be? | philips wrote: | I have one and really like it! | | 1. Like most things you have to trust the company producing | everything. The closest thing I have seen to auditable hardware | is Bunnie's Precursor. | | 2. You cannot install your own applications right now. And the | updates happen automatically. | gsreenivas wrote: | Great questions: > - How to ensure the hardware is not chipped | with some low level spyware? | | We use a verified boot process to ensure trusted bits are | running on the HW. | | > - Can we install stuff on this machine? How is the upgrade | process working? Do we have root on the machine if need be? | | Not yet - but we are planning for customers to be able to run | their own services in the future. We have quite a few updates | to do before we get there. The upgrades happen OTA, seamlessly | in the background. There is no root access on the machine | locally or remotely. | pluc wrote: | It's a little odd that the whole premise is own your data and | then when you go to order and there's a recurring subscription | fee that you can't opt out of | 1MachineElf wrote: | According to their blog post _How Helm Works - Part 1: | Networking_ [0], on the AWS side of things, for each Helm unit, | they are provisioning an EC2 instance, an Elastic IP, and a Route | 53 config. I suppose the 128GB backup is also part of this. From | my perspective, $99 /yr is not a bad deal for all this to be | automatically managed. | | [0] https://blog.thehelm.com/post/how-helm-works- | part-1-networki... | stefan_ wrote: | So the first thing this "personal server that lives where you | do" does is spin up some AWS instance? No thank you. | sneak wrote: | If the TLS is terminated on the device and all it's using AWS | for is a static ip and inbound port for email, that seems | pretty harmless. | gsreenivas wrote: | That's exactly how it works | thesausageking wrote: | So you're tied to an EC2 instance? That seems like an | unnecessary centralization point. | awill wrote: | yep. It serves to justify the subscription though, which is | what all businesses want. Ongoing money vs a one-time | purchase. | | I personally quite like the idea of an appliance for email. | But adding a permanent subscription that not only costs a lot | of money, but will stop working if the company has an outage | or goes out of business. | | If you require AWS and have offsite backups, why not just | page for managed email. It's cheaper, and probably easier to | migrate if there are problems. | Saris wrote: | $99 a year for 128GB of backup space is really high, but I | suppose it's partially paying for the OS updates or something | like that? | | I also wonder about name confusion with Helm the Kubernetes | management system.. | | That said it looks like a nice setup, the hardware price is | pretty reasonable for a completed product, and the website is | trying to keep things simple. | rodolphoarruda wrote: | And I wonder how this could work for the 1TB version. Would it | compress things locally so they could fit into the available | 128GB space? | gsreenivas wrote: | Hi there - Helm co-founder/CEO here. We will have additional | tiers of subscription for customers to back up additional | data with us. Everything is locally compressed before | uploading and all backups are encrypted with keys only | customers have. | Saris wrote: | Is it not on the site maybe? So far I haven't been able to | find anything but the 128GB option. | Saris wrote: | Unless it's really specific content that wouldn't even be | possible, I assume you just don't get your stuff backed up | lol | satyanash wrote: | Dockerized Nextcloud + Postfix + Dovecot + Strongswan + OpenLDAP | + SpamAssassin running on an ARM machine. | | Sounds mostly alright, although it seems you cannot buy it | without the $99/yearly subscription, which makes me wary. | | Sure, a static IP and domain registration is good, but it ought | to be an optional addon. | gsreenivas wrote: | Hi there - co-founder/CEO of Helm here. | | We don't make the subscription optional at this time because | the overwhelming majority of people on the Internet do not have | a static IP address with a corresponding PTR record, which is | required if you want to have deliverable email. There are other | ways to handle domain registration, DNS and backups on your | own, but we believe the subscription is a pretty great value | for the convenience it provides. | TedDoesntTalk wrote: | How do you manage the spam reputation of the IP addresses you | use for mail delivery when some of your customers may be | sending spam? | gsreenivas wrote: | We have relationships with key ESPs and email security | providers to help with managing reputation/deliverability | issues. | | There are much cheaper ways to send spam effectively than | using a Helm so we haven't seen real issues around this. | noncoml wrote: | I love your idea and execution. But requiring yearly | subscription is defeating the purpose of "Break away from big | tech" as I am now tied to your company instead of big tech. | What's the point in this? | gsreenivas wrote: | You can see elsewhere where I discuss what the subscription | provides. I think there's a huge difference between | subscribing to companies that share customer values around | privacy and security vs being at the mercy of companies | looking to extract as much value from your data as | possible. | noncoml wrote: | OK, thanks for your reply. JFYI It's not what you think | that will make or break your business; it's what your | potential customers think, that matters. | allset_ wrote: | The required subscription also means it's useless if they go | out of business. | xvector wrote: | That's one of the biggest problems with subscription | services. My favorite band's album was pulled from Spotify. | Wouldn't have been a concern if I had set up Lidarr on my | NAS. | remram wrote: | It seems that Nextcloud, Postfix, and Strongswan are copyleft. | | > You may obtain the complete corresponding source code from us | for a period of three years after our last shipment of this | product by sending a money order or check for $5 to: <snailmail | address> | | Without being illegal this is rather hostile. But then again | they are selling subscriptions to open-source software so I | expected something shady. | codetrotter wrote: | See https://www.gnu.org/philosophy/selling.html | | It's perfectly ok to charge for GPL software. | | Providing the source on a physical medium for a price is | reasonable because no one should be forced to run a digital | distribution setup and infrastructure just because they build | software that derives from GPL pieces. | | Their customers have a right to receive a copy of the source. | But the company is not obliged to host an online accessible | version of it. | | Charging a small amount for a copy of the source is fine. | | And I will go so far as to say that making demands about | access to the source code in a manner beyond what the GPL | requires, is actually hurting the adoption of GPL software, | not helping it. Why should a company base their work on GPL | licensed software if they are going to meet pushback even | when they are complying with the letter of the GPL? They | might just build something different all together, and with | no open source at all. And where does that leave us? | Definitely in a worse place. | chrisfosterelli wrote: | Hypothetically, could one not use this to get around GPL by | modifying GPL software and agreeing to make the changes | available to others but only at a ridiculous price? | azundo wrote: | My understanding is that the customers would be allowed | to distribute/modify the source at that point though so | you're not really getting around the GPL. | [deleted] | anamexis wrote: | No, the GPL covers this case. In the FAQ linked in the | parent comment, check out the "High or low fees, and the | GNU GPL" section. | | In particular, section 6(b) of GPLv3: | | > Convey the object code in, or embodied in, a physical | product (including a physical distribution medium), | accompanied by a written offer, valid for at least three | years and valid for as long as you offer spare parts or | customer support for that product model, to give anyone | who possesses the object code either (1) a copy of the | Corresponding Source for all the software in the product | that is covered by this License, on a durable physical | medium customarily used for software interchange, for a | price no more than your reasonable cost of physically | performing this conveying of source, or (2) access to | copy the Corresponding Source from a network server at no | charge. | chrisfosterelli wrote: | Gotcha, thank you! | remram wrote: | As I said, it is legal, but strikes me as unnecessarily | unfriendly. It is likely that I have unrealistic | expectations, but putting their modified source code on | some "archived" GitHub or similar would have been easy and | free. Looking around at Purism, Pine, and remarkable, they | don't make it that easy either, so I guess my complaint | shouldn't be directed at Helm specifically. | | My point is that we're not in 1997 anymore (date this GNU | document was written), and thus I cannot believe that | mailing disks is the easy way to do this. They are making | this deliberately difficult, for both them and their users, | by doing this over mail. | | As for discouraging companies to deal with GPL, I am with | you. I think this is a little bit different though, as they | are not adding much value on top of the open-source code... | mjg59 wrote: | > Their customers have a right to receive a copy of the | source. But the company is not obliged to host an online | accessible version of it. | | While true, this is misleading - if distributing under the | "Written offer" term (rather than including the source code | alongside the binaries), _everyone_ has a right to receive | a copy of the source. | dmurray wrote: | Do the customers have the right to republish the source? | Under the GPL (I checked GPLv3) I don't think they do, but | this section (my emphasis) is unclear to me: | | > You may convey a covered work in object code form under | the terms of sections 4 and 5, provided that you also | convey the machine-readable Corresponding Source _under the | terms of this License_ , in one of these ways... | | Is "under the terms of this License" a clarifying clause | that narrows down exactly which "Corresponding Source" we | are talking about? That doesn't seem necessary given that | "Corresponding Source" is already well defined. | Alternatively, does it mean that you must convey the | Corresponding Source and grant a GPLv3 license to the | conveyees for that source? If so, it could be written more | clearly. | | If my second interpretation is correct, surely it doesn't | matter much that the company has a slightly user-unfriendly | policy to providing their source code - someone will just | mirror the code on Github anyway. | lamontcg wrote: | It might be interesting to produce seriously cut down | reimplementations of those utilities for purely home use. | | Similar to how a home router/switch/NAS doesn't need anywhere | near the same number of options and possible misconfigurations | and code that isn't helping you at all. | | (I'm skipping past all the issues with this particular unit by | this particular company to the point that this is a good idea | and I'd be nice to see a lot more options in this space along | with less complexity...) | kderbyma wrote: | working on an open source version of these. called the Calliope | Muse+ - it should be available for pre-order soon. if you want a | non-subscription option | 71a54xd wrote: | No thanks, this wreaks of a monthly subscription I don't want | that would result in unsupported buggy "hardware" in 10 years | guaranteed. I'll keep my ZFS server with a text file reminding me | how I configured it for now (since I usually forget after a few | months)! | MonadIsPronad wrote: | "reeks" was the word you wanted, I think | pnw wrote: | Helm v1 user here, very happy with the product. For 99% of people | without the desire and skills to run their own servers, this is | the best solution. | philips wrote: | I am a Helm v2 user and I agree. I got tired trying to keep a | NAS running and later configuring a Raspberry Pi 4 correctly to | run off the right disks, stay up to date, and configured | correctly for NextCloud. With two kids I don't have time to | tinker. | [deleted] | ritcgab wrote: | A raspberry pi 4 can do everything this machine does. | gsreenivas wrote: | Actually no. There is no support for secure boot or proper | encrypted storage with a protected key. | | We prototyped on Pis a while back before we shipped our v1 but | there are meaningful limitations. | smoldesu wrote: | 1. Secure boot _is_ supported on Raspberry Pi, just not out- | of-the-box. There 's plenty of solutions in this field for | your respective needs. | | 2. Raspberry Pi supports LUKS perfectly fine, making disk | encryption a snap. | philips wrote: | I have a raspberry pi and tried to run something like this and | it is just so much work. So I bought a Helm v2 and like it thus | far for photo backup and my secondary newsletter email domain. | | If there was a company offering an auto update OS service with | nextcloud and email for Pi I would love to see it! Better yet | if it tied to encrypted cloud backup/restore too. | digitalsushi wrote: | If I could reliably transfer my gmail legacy freebie grandfather | thing account without it taking 7 to 11 days of API rate limited | transfer at 100% luck, I would get my email out of there. Alas. | eps wrote: | If it's a one-time thing, then even it taking _weeks_ is quite | acceptable. | h4waii wrote: | Fire up gyb [0] now, and by the time this (or whatever solution | you want) is ready for an import, you'll be done. | | 0. https://github.com/jay0lee/got-your-back | philips wrote: | Why this and not takeout? | breakingcups wrote: | Would Google Takeout not suffice in this, maybe after some | post-processing? | flixic wrote: | It seems they are targeting "normal" people (to whom word | "dockerized" sounds like a misspelling of something happening in | a port). | | Mixing "normal" people and self-hosted email is a recipe for very | bad experience. | eps wrote: | I don't think the do actually. Not with "a hardware root of | trust" in the description. | ttul wrote: | I suppose this is their gamble: can they make something that is | so easy to use, even a normal person will be happy with it. | That being said, how many "normal" people are really so | concerned about email security that they don't trust one of the | big clouds? | smoldesu wrote: | Looks really cool, but the subscription is a total dealbreaker. I | might pick one up used a few years down the line if someone | manages to load custom operating systems on it. | miked85 wrote: | I feel like anyone technical enough to know and care what this | product is, are also totally capable of setting it up themselves. | old-gregg wrote: | Are you saying that millions of people who order sunny side up | egg breakfast aren't capable of making one for themselves? :) | miked85 wrote: | In many cases, yes. But that is a poor comparison. | azinman2 wrote: | Disagree. We pay for convenience all the time. I just did | in buying a synology NAS even though I could have pieces | together my own solution (and have in the past). Having a | working, maintained, stable, full featured email server | that interops with the world isn't something you can do | quickly on your own even if you have the skills. | miked85 wrote: | Of course, I agree with that. But this is, at least in my | opinion, a very niche product. People who even understand | what the product is would probably not be willing to pay | a subscription for something they could setup on their | own. Of course I could be completely wrong :) | rblatz wrote: | Email is hard to do right, first I'm likely going to | spend 2-3x the price on a server, so instantly we have 5 | years of subscription covered by that price. | | Then I have to buy an IP in a space that has a good | reputation. Then I need to setup offsite backups, setup | TLS and DKIM, plus a lot of stuff I'm sure I'm missing. | Then I have to stay on top of patches and general | maintenance. Plus I have to buy a domain name. Suddenly | we're looking at let's say a 10 year lifespan before you | need to upgrade. You are probably going to be basically | even on costs but home built has a hundred of hours sunk | into it too. | old-gregg wrote: | I care about owning my own data very much. This makes me | conservative when it comes to these solutions, despite otherwise | being an early adopter of everything tech. | | For that reason I always recommend Synology NAS machines. They | have been around forever, they work for years on autopilot and | feel very similar to a microwave in terms of operational | overhead. One-time purchase. No subscriptions. But most | importantly, the ecosystem is stable and mature. And they are | easy to understand and reason about and come with a slick UI with | mobile apps. My favorite feature is having my massive photo | collection always available on my phone, served from my own | basement (with encrypted AWS Glacier backups). | | [EDIT] This is Brandon Phillips of CoreOS fame sharing this! | Maybe I should take a closer look then. | azinman2 wrote: | How do you access your NAS remotely? Does it end up creating | some kind of backdoor into your network with cloud support? | That makes me nervous... | old-gregg wrote: | In a very boring and traditional way: you buy a domain name, | configure dynamic DNS, and then use port forwarding in your | home firewall. No 3rd party proxies. | eps wrote: | Synology boxes phone home, to Chinese IP space no less. | OrvalWintermute wrote: | Is the phone home to Taiwanese IP space, or mainland China IP | space? | ValentineC wrote: | > _to Chinese IP space no less_ | | What's wrong with this? | bananabreakfast wrote: | Is that a joke? | sneak wrote: | The device in TFA seems to primarily serve as a mailserver. | | AIUI that's not really what a NAS does. | [deleted] | wcerfgba wrote: | From [1]: | | > Does Helm have access to my emails? | | > The architecture of the system has been designed so that it's | not possible for Helm to access your emails. Email senders now | support sending emails over an encrypted SSL/TLS channel where | the email is only decrypted once it reaches your personal email | server. Helm is not able to decode these emails because we don't | have access to the encryption key. In the limited situations | where the sender's email server doesn't send the email to you | over SSL/TLS, Helm does not log or store these messages and | therefore we are still not able to access them. | | SSL/TLS is transport security, and email is inherently multi-hop, | so this reads as bogus to me: each hop might use SSL/TLS but that | doesn't mean the message content or metadata is end-to-end | encrypted until it gets to my Helm server. | | [1] https://thehelm.com/products/helm-personal-server-v2 | philips wrote: | I received my Helm v2 last week and it has worked great for | Android photo backup and email subscriptions like substack. I | have not been bold enough yet to move my primary email domain | over yet. Apple mail and Fairmail on Android give a nice non-web | email experience. | | I like the product concept, the execution seems solid, and I like | the auto update flow compared to manual update of most NAS | products. | | I really want this product when my kids get their first phone to | keep their photos, calendar and emails off the cloud. At least | until they can make the choice that they want that stuff being | tracked. ___________________________________________________________________ (page generated 2021-08-29 23:00 UTC)