[HN Gopher] Helm is a personal server that lives where you do
___________________________________________________________________
Helm is a personal server that lives where you do
Author : philips
Score : 89 points
Date : 2021-08-29 21:04 UTC (1 hours ago)
(HTM) web link (thehelm.com)
(TXT) w3m dump (thehelm.com)
| giantg2 wrote:
| Seems pretty cool. A little pricey and maybe even overpowered.
| The biggest thing that holds me back from hosting my own server
| is probably lack of static IP and the time/cognitive overhead of
| maintenance/security.
| fsniper wrote:
| The name and terminology is unfortunately too close to the other
| helm. [helm.sh]
| miked85 wrote:
| > _Truly private email._
|
| The marketing is heavy on this site.
| yashasolutions wrote:
| This should be encouraged and supported.
|
| While I do have many questions, which would definitely delay an
| impulse buy, it is of general interest to have more companies
| trying to create easy to use products that help people to cut the
| cord with 5 companies that rule our digital lives today.
|
| Now on with the questions I'd love to clarify:
|
| - How to ensure the hardware is not chipped with some low level
| spyware?
|
| - Can we install stuff on this machine? How is the upgrade
| process working? Do we have root on the machine if need be?
| philips wrote:
| I have one and really like it!
|
| 1. Like most things you have to trust the company producing
| everything. The closest thing I have seen to auditable hardware
| is Bunnie's Precursor.
|
| 2. You cannot install your own applications right now. And the
| updates happen automatically.
| gsreenivas wrote:
| Great questions:
|
| > - How to ensure the hardware is not chipped with some low level
| spyware?
|
| We use a verified boot process to ensure trusted bits are
| running on the HW.
|
| > - Can we install stuff on this machine? How is the upgrade
| process working? Do we have root on the machine if need be?
|
| Not yet - but we are planning for customers to be able to run
| their own services in the future. We have quite a few updates
| to do before we get there. The upgrades happen OTA, seamlessly
| in the background. There is no root access on the machine
| locally or remotely.
| pluc wrote:
| It's a little odd that the whole premise is own your data and
| then when you go to order there's a recurring subscription
| fee that you can't opt out of
| 1MachineElf wrote:
| According to their blog post _How Helm Works - Part 1:
| Networking_ [0], on the AWS side of things, for each Helm unit,
| they are provisioning an EC2 instance, an Elastic IP, and a Route
| 53 config. I suppose the 128GB backup is also part of this. From
| my perspective, $99/yr is not a bad deal for all this to be
| automatically managed.
|
| [0] https://blog.thehelm.com/post/how-helm-works-part-1-networki...
| stefan_ wrote:
| So the first thing this "personal server that lives where you
| do" does is spin up some AWS instance? No thank you.
| sneak wrote:
| If the TLS is terminated on the device and all it's using AWS
| for is a static ip and inbound port for email, that seems
| pretty harmless.
| gsreenivas wrote:
| That's exactly how it works
| thesausageking wrote:
| So you're tied to an EC2 instance? That seems like an
| unnecessary centralization point.
| awill wrote:
| yep. It serves to justify the subscription though, which is
| what all businesses want. Ongoing money vs a one-time
| purchase.
|
| I personally quite like the idea of an appliance for email.
| But adding a permanent subscription that not only costs a lot
| of money, but will stop working if the company has an outage
| or goes out of business.
|
| If you require AWS and have offsite backups, why not just
| pay for managed email? It's cheaper, and probably easier to
| migrate if there are problems.
| Saris wrote:
| $99 a year for 128GB of backup space is really high, but I
| suppose it's partially paying for the OS updates or something
| like that?
|
| I also wonder about name confusion with Helm the Kubernetes
| management system..
|
| That said it looks like a nice setup, the hardware price is
| pretty reasonable for a completed product, and the website is
| trying to keep things simple.
| rodolphoarruda wrote:
| And I wonder how this could work for the 1TB version. Would it
| compress things locally so they could fit into the available
| 128GB space?
| gsreenivas wrote:
| Hi there - Helm co-founder/CEO here. We will have additional
| tiers of subscription for customers to back up additional
| data with us. Everything is locally compressed before
| uploading and all backups are encrypted with keys only
| customers have.
| Saris wrote:
| Is it not on the site maybe? So far I haven't been able to
| find anything but the 128GB option.
| Saris wrote:
| Unless it's really specific content that wouldn't even be
| possible, I assume you just don't get your stuff backed up
| lol
| satyanash wrote:
| Dockerized Nextcloud + Postfix + Dovecot + Strongswan + OpenLDAP
| + SpamAssassin running on an ARM machine.
|
| Sounds mostly alright, although it seems you cannot buy it
| without the $99/yearly subscription, which makes me wary.
|
| Sure, a static IP and domain registration is good, but it ought
| to be an optional addon.
| gsreenivas wrote:
| Hi there - co-founder/CEO of Helm here.
|
| We don't make the subscription optional at this time because
| the overwhelming majority of people on the Internet do not have
| a static IP address with a corresponding PTR record, which is
| required if you want to have deliverable email. There are other
| ways to handle domain registration, DNS and backups on your
| own, but we believe the subscription is a pretty great value
| for the convenience it provides.
| TedDoesntTalk wrote:
| How do you manage the spam reputation of the IP addresses you
| use for mail delivery when some of your customers may be
| sending spam?
| gsreenivas wrote:
| We have relationships with key ESPs and email security
| providers to help with managing reputation/deliverability
| issues.
|
| There are much cheaper ways to send spam effectively than
| using a Helm so we haven't seen real issues around this.
| noncoml wrote:
| I love your idea and execution. But requiring yearly
| subscription is defeating the purpose of "Break away from big
| tech" as I am now tied to your company instead of big tech.
| What's the point in this?
| gsreenivas wrote:
| You can see elsewhere where I discuss what the subscription
| provides. I think there's a huge difference between
| subscribing to companies that share customer values around
| privacy and security vs being at the mercy of companies
| looking to extract as much value from your data as
| possible.
| noncoml wrote:
| OK, thanks for your reply. JFYI It's not what you think
| that will make or break your business; it's what your
| potential customers think, that matters.
| allset_ wrote:
| The required subscription also means it's useless if they go
| out of business.
| xvector wrote:
| That's one of the biggest problems with subscription
| services. My favorite band's album was pulled from Spotify.
| Wouldn't have been a concern if I had set up Lidarr on my
| NAS.
| remram wrote:
| It seems that Nextcloud, Postfix, and Strongswan are copyleft.
|
| > You may obtain the complete corresponding source code from us
| for a period of three years after our last shipment of this
| product by sending a money order or check for $5 to: <snailmail
| address>
|
| Without being illegal this is rather hostile. But then again
| they are selling subscriptions to open-source software so I
| expected something shady.
| codetrotter wrote:
| See https://www.gnu.org/philosophy/selling.html
|
| It's perfectly ok to charge for GPL software.
|
| Providing the source on a physical medium for a price is
| reasonable because no one should be forced to run a digital
| distribution setup and infrastructure just because they build
| software that derives from GPL pieces.
|
| Their customers have a right to receive a copy of the source.
| But the company is not obliged to host an online accessible
| version of it.
|
| Charging a small amount for a copy of the source is fine.
|
| And I will go so far as to say that making demands about
| access to the source code in a manner beyond what the GPL
| requires, is actually hurting the adoption of GPL software,
| not helping it. Why should a company base their work on GPL
| licensed software if they are going to meet pushback even
| when they are complying with the letter of the GPL? They
| might just build something different altogether, and with
| no open source at all. And where does that leave us?
| Definitely in a worse place.
| chrisfosterelli wrote:
| Hypothetically, could one not use this to get around GPL by
| modifying GPL software and agreeing to make the changes
| available to others but only at a ridiculous price?
| azundo wrote:
| My understanding is that the customers would be allowed
| to distribute/modify the source at that point though so
| you're not really getting around the GPL.
| [deleted]
| anamexis wrote:
| No, the GPL covers this case. In the FAQ linked in the
| parent comment, check out the "High or low fees, and the
| GNU GPL" section.
|
| In particular, section 6(b) of GPLv3:
|
| > Convey the object code in, or embodied in, a physical
| product (including a physical distribution medium),
| accompanied by a written offer, valid for at least three
| years and valid for as long as you offer spare parts or
| customer support for that product model, to give anyone
| who possesses the object code either (1) a copy of the
| Corresponding Source for all the software in the product
| that is covered by this License, on a durable physical
| medium customarily used for software interchange, for a
| price no more than your reasonable cost of physically
| performing this conveying of source, or (2) access to
| copy the Corresponding Source from a network server at no
| charge.
| chrisfosterelli wrote:
| Gotcha, thank you!
| remram wrote:
| As I said, it is legal, but strikes me as unnecessarily
| unfriendly. It is likely that I have unrealistic
| expectations, but putting their modified source code on
| some "archived" GitHub or similar would have been easy and
| free. Looking around at Purism, Pine, and reMarkable, they
| don't make it that easy either, so I guess my complaint
| shouldn't be directed at Helm specifically.
|
| My point is that we're not in 1997 anymore (date this GNU
| document was written), and thus I cannot believe that
| mailing disks is the easy way to do this. They are making
| this deliberately difficult, for both them and their users,
| by doing this over mail.
|
| As for discouraging companies to deal with GPL, I am with
| you. I think this is a little bit different though, as they
| are not adding much value on top of the open-source code...
| mjg59 wrote:
| > Their customers have a right to receive a copy of the
| source. But the company is not obliged to host an online
| accessible version of it.
|
| While true, this is misleading - if distributing under the
| "Written offer" term (rather than including the source code
| alongside the binaries), _everyone_ has a right to receive
| a copy of the source.
| dmurray wrote:
| Do the customers have the right to republish the source?
| Under the GPL (I checked GPLv3) I don't think they do, but
| this section (my emphasis) is unclear to me:
|
| > You may convey a covered work in object code form under
| the terms of sections 4 and 5, provided that you also
| convey the machine-readable Corresponding Source _under the
| terms of this License_ , in one of these ways...
|
| Is "under the terms of this License" a clarifying clause
| that narrows down exactly which "Corresponding Source" we
| are talking about? That doesn't seem necessary given that
| "Corresponding Source" is already well defined.
| Alternatively, does it mean that you must convey the
| Corresponding Source and grant a GPLv3 license to the
| conveyees for that source? If so, it could be written more
| clearly.
|
| If my second interpretation is correct, surely it doesn't
| matter much that the company has a slightly user-unfriendly
| policy to providing their source code - someone will just
| mirror the code on Github anyway.
| lamontcg wrote:
| It might be interesting to produce seriously cut down
| reimplementations of those utilities for purely home use.
|
| Similar to how a home router/switch/NAS doesn't need anywhere
| near the same number of options and possible misconfigurations
| and code that isn't helping you at all.
|
| (I'm skipping past all the issues with this particular unit by
| this particular company to the point that this is a good idea
| and it'd be nice to see a lot more options in this space along
| with less complexity...)
| kderbyma wrote:
| working on an open source version of these. called the Calliope
| Muse+ - it should be available for pre-order soon. if you want a
| non-subscription option
| 71a54xd wrote:
| No thanks, this wreaks of a monthly subscription I don't want
| that would result in unsupported buggy "hardware" in 10 years
| guaranteed. I'll keep my ZFS server with a text file reminding me
| how I configured it for now (since I usually forget after a few
| months)!
| MonadIsPronad wrote:
| "reeks" was the word you wanted, I think
| pnw wrote:
| Helm v1 user here, very happy with the product. For 99% of people
| without the desire and skills to run their own servers, this is
| the best solution.
| philips wrote:
| I am a Helm v2 user and I agree. I got tired trying to keep a
| NAS running and later configuring a Raspberry Pi 4 correctly to
| run off the right disks, stay up to date, and configured
| correctly for NextCloud. With two kids I don't have time to
| tinker.
| [deleted]
| ritcgab wrote:
| A raspberry pi 4 can do everything this machine does.
| gsreenivas wrote:
| Actually no. There is no support for secure boot or proper
| encrypted storage with a protected key.
|
| We prototyped on Pis a while back before we shipped our v1 but
| there are meaningful limitations.
| smoldesu wrote:
| 1. Secure boot _is_ supported on Raspberry Pi, just not
| out-of-the-box. There's plenty of solutions in this field for
| your respective needs.
|
| 2. Raspberry Pi supports LUKS perfectly fine, making disk
| encryption a snap.
| philips wrote:
| I have a raspberry pi and tried to run something like this and
| it is just so much work. So I bought a Helm v2 and like it thus
| far for photo backup and my secondary newsletter email domain.
|
| If there was a company offering an auto update OS service with
| nextcloud and email for Pi I would love to see it! Better yet
| if it tied to encrypted cloud backup/restore too.
| digitalsushi wrote:
| If I could reliably transfer my gmail legacy freebie grandfather
| thing account without it taking 7 to 11 days of API rate limited
| transfer at 100% luck, I would get my email out of there. Alas.
| eps wrote:
| If it's a one-time thing, then even it taking _weeks_ is quite
| acceptable.
| h4waii wrote:
| Fire up gyb [0] now, and by the time this (or whatever solution
| you want) is ready for an import, you'll be done.
|
| 0. https://github.com/jay0lee/got-your-back
| philips wrote:
| Why this and not takeout?
| breakingcups wrote:
| Would Google Takeout not suffice in this, maybe after some
| post-processing?
| flixic wrote:
| It seems they are targeting "normal" people (to whom word
| "dockerized" sounds like a misspelling of something happening in
| a port).
|
| Mixing "normal" people and self-hosted email is a recipe for very
| bad experience.
| eps wrote:
| I don't think they do actually. Not with "a hardware root of
| trust" in the description.
| ttul wrote:
| I suppose this is their gamble: can they make something that is
| so easy to use, even a normal person will be happy with it.
| That being said, how many "normal" people are really so
| concerned about email security that they don't trust one of the
| big clouds?
| smoldesu wrote:
| Looks really cool, but the subscription is a total dealbreaker. I
| might pick one up used a few years down the line if someone
| manages to load custom operating systems on it.
| miked85 wrote:
| I feel like anyone technical enough to know and care what this
| product is, is also totally capable of setting it up themselves.
| old-gregg wrote:
| Are you saying that millions of people who order sunny side up
| egg breakfast aren't capable of making one for themselves? :)
| miked85 wrote:
| In many cases, yes. But that is a poor comparison.
| azinman2 wrote:
| Disagree. We pay for convenience all the time. I just did
| in buying a synology NAS even though I could have pieced
| together my own solution (and have in the past). Having a
| working, maintained, stable, full featured email server
| that interops with the world isn't something you can do
| quickly on your own even if you have the skills.
| miked85 wrote:
| Of course, I agree with that. But this is, at least in my
| opinion, a very niche product. People who even understand
| what the product is would probably not be willing to pay
| a subscription for something they could set up on their
| own. Of course I could be completely wrong :)
| rblatz wrote:
| Email is hard to do right, first I'm likely going to
| spend 2-3x the price on a server, so instantly we have 5
| years of subscription covered by that price.
|
| Then I have to buy an IP in a space that has a good
| reputation. Then I need to set up offsite backups, set up
| TLS and DKIM, plus a lot of stuff I'm sure I'm missing.
| Then I have to stay on top of patches and general
| maintenance. Plus I have to buy a domain name. Suddenly
| we're looking at let's say a 10 year lifespan before you
| need to upgrade. You are probably going to be basically
| even on costs but home built has a hundred of hours sunk
| into it too.
| old-gregg wrote:
| I care about owning my own data very much. This makes me
| conservative when it comes to these solutions, despite otherwise
| being an early adopter of everything tech.
|
| For that reason I always recommend Synology NAS machines. They
| have been around forever, they work for years on autopilot and
| feel very similar to a microwave in terms of operational
| overhead. One-time purchase. No subscriptions. But most
| importantly, the ecosystem is stable and mature. And they are
| easy to understand and reason about and come with a slick UI with
| mobile apps. My favorite feature is having my massive photo
| collection always available on my phone, served from my own
| basement (with encrypted AWS Glacier backups).
|
| [EDIT] This is Brandon Philips of CoreOS fame sharing this!
| Maybe I should take a closer look then.
| azinman2 wrote:
| How do you access your NAS remotely? Does it end up creating
| some kind of backdoor into your network with cloud support?
| That makes me nervous...
| old-gregg wrote:
| In a very boring and traditional way: you buy a domain name,
| configure dynamic DNS, and then use port forwarding in your
| home firewall. No 3rd party proxies.
| eps wrote:
| Synology boxes phone home, to Chinese IP space no less.
| OrvalWintermute wrote:
| Is the phone home to Taiwanese IP space, or mainland China IP
| space?
| ValentineC wrote:
| > _to Chinese IP space no less_
|
| What's wrong with this?
| bananabreakfast wrote:
| Is that a joke?
| sneak wrote:
| The device in TFA seems to primarily serve as a mailserver.
|
| AIUI that's not really what a NAS does.
| [deleted]
| wcerfgba wrote:
| From [1]:
|
| > Does Helm have access to my emails?
|
| > The architecture of the system has been designed so that it's
| not possible for Helm to access your emails. Email senders now
| support sending emails over an encrypted SSL/TLS channel where
| the email is only decrypted once it reaches your personal email
| server. Helm is not able to decode these emails because we don't
| have access to the encryption key. In the limited situations
| where the sender's email server doesn't send the email to you
| over SSL/TLS, Helm does not log or store these messages and
| therefore we are still not able to access them.
|
| SSL/TLS is transport security, and email is inherently multi-hop,
| so this reads as bogus to me: each hop might use SSL/TLS but that
| doesn't mean the message content or metadata is end-to-end
| encrypted until it gets to my Helm server.
|
| [1] https://thehelm.com/products/helm-personal-server-v2
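
An added illustration of the transport-versus-end-to-end point raised in the comment above (not part of the thread and not Helm's code): it reads the `Received` trace of a message and reports, hop by hop, whether TLS was used and which relays handled the message in the clear. The sample message, host names and IDs are constructed.

```python
import re
from email import message_from_string

# Constructed sample: three hops, the middle one without STARTTLS.
SAMPLE = """\
Received: from relay.example.net (relay.example.net [203.0.113.7])
\tby helm.example.org (Postfix) with ESMTPS id AAA111
\tfor <me@example.org>; Sun, 29 Aug 2021 21:10:03 +0000 (UTC)
Received: from mx-out.example.com (mx-out.example.com [198.51.100.20])
\tby relay.example.net (Postfix) with ESMTP id BBB222
\tfor <me@example.org>; Sun, 29 Aug 2021 21:10:02 +0000 (UTC)
Received: from laptop.local (unknown [192.0.2.44])
\tby mx-out.example.com (Postfix) with ESMTPSA id CCC333
\tfor <me@example.org>; Sun, 29 Aug 2021 21:10:01 +0000 (UTC)
From: sender@example.com
To: me@example.org
Subject: constructed test

body
"""

# RFC 3848 "with" keywords whose S means STARTTLS was negotiated on that hop.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}
HOP_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+).*?\bwith\s+(\w+)", re.I)


def hops(raw):
    """Return the delivery path in transit order (oldest hop first)."""
    msg = message_from_string(raw)
    path = []
    # Each server prepends its own Received header, so reverse for transit order.
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())  # unfold continuation lines
        match = HOP_RE.search(flat)
        if not match:
            continue  # unparseable trace line: skip rather than guess
        sender, receiver, proto = match.groups()
        proto = proto.upper()
        path.append({"from": sender, "by": receiver, "proto": proto,
                     "tls": proto in TLS_PROTOCOLS})
    return path


def plaintext_hops(raw):
    """(sender, receiver) pairs where the message crossed the wire without TLS."""
    return [(h["from"], h["by"]) for h in hops(raw) if not h["tls"]]


def cleartext_relays(raw):
    """Intermediate servers: each one terminates TLS and holds the message
    unencrypted before re-sending it, whether or not its hops used TLS."""
    return [h["by"] for h in hops(raw)[:-1]]


if __name__ == "__main__":
    for h in hops(SAMPLE):
        print(f'{h["from"]} -> {h["by"]}: {h["proto"]} (TLS: {h["tls"]})')
    print("no TLS on:", plaintext_hops(SAMPLE))
    print("relays that saw the content:", cleartext_relays(SAMPLE))
```

`Received` lines are written by each server along the path, so entries added before the first server you control are only as trustworthy as the servers that wrote them.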
| philips wrote:
| I received my Helm v2 last week and it has worked great for
| Android photo backup and email subscriptions like substack. I
| have not been bold enough yet to move my primary email domain
| over. Apple mail and Fairmail on Android give a nice non-web
| email experience.
|
| I like the product concept, the execution seems solid, and I like
| the auto update flow compared to manual update of most NAS
| products.
|
| I really want this product when my kids get their first phone to
| keep their photos, calendar and emails off the cloud. At least
| until they can make the choice that they want that stuff being
| tracked.
___________________________________________________________________
(page generated 2021-08-29 23:00 UTC)