"It's all gone black... Aghhh!"

My current lighting desk is a Vista by ChromaQ. I have two surfaces, the MV and an EX. With all the other bits like a good screen and all the cables, etc, to make it work, it goes into a Peli case that weighs 26kgs, Ideal for flights. Indeed, this set-up has been all over the world on all kinds of gigs and it has never, but I mean, never let me down..!

Despite the reliability of my system, it's always in the back of my mind that I don't have any kind of backup. I have the potential for surface failure or laptop failure, or worse, both! This is no different, of course, from any all-in-one lighting desk; in fact, an all-in-one system is very vulnerable in the event of failure. But let's be honest, the reliability of all these systems, whether it's all in one box or separate computer or surface, is very good today, and no, I don't want to get into a desk-bashing forum here...!

Sure, I can have another laptop on the same network as the spare console and the rig silently tracking, and just move the dongle between the two laptops, but I'm so scared that I will lose the dongle, which the Vista system uses, and to replace my 4098 channel dongle would be too much of a hard, and embarresing pill to swallow. Believe me, I know, I've lost one before, many years ago!!! Doh!

So what options are there for some kind of backup?

Options. What are they?

1. Buy another surface and a second dongle. Obvs!

Lots of expensive kit to cart about. But this might work for you in your case, or in a fixed rig environment.

Pros: The best and most reliable way of having a tracking backup. The "real" way to do it. Cons: Expensive. Needs another Peli case and more space. So now I'm dragging two desks around!

2. Buy just another dongle.

Not as expensive as the first option. Two laptops in the same network, each with a dongle, but those dongles are still pricy!

Pros: Gives a reliable and stable tracking backup. Cons: No surface, so if your show is complicated and requires a lot of button and fader work, then it might be fiddly playing back on a laptop, plus if you have a two-screen layout, you will find that the backup laptop will gather all of the Vista windows into one screen, unless you have a backup screen as well, so will require a bit shuffling about to get to where you want be.

3. Use a KVM switch or just a USB A B switch.

This keeps your system in place, a surface, a screen and two laptops, a main and a backup laptop again in the same network.

Pros: Cheap... Requires just a tiny investment in a USB A B switch. It works! Cons: Don't buy a cheap switch; buy the best you can get. How your system is built may require a bit of replugging. It means that the dongle is out and about. There might be a bit of delay while the hardware detects the licence and completes the handshake with the dongle, etc, and you could hit a Vista "no dongle inserted" thing!

4. Install a lighting cue recorder.

This is a small box that listens to Ethernet/DMX on the network and triggers a cue or sequence when there is no Ethernet from the desk.

Pros: Gets the lights up on stage with no replugging anywhere. Space footprint is small. You can play a single static cue or a full sequence that you grab from your desk. Cheaper than a second dongle. Keeps the dongle in the hardware. Nice and safe, for me anyway! Cons: There is NO tracking, there is no second laptop, so choose your triggered cue or sequence carefully!

Believe me, I have looked and tried all of the above options.

If I'm on a tour, or a biggish gig in my home territory. I'll get production to provide a full backup, surface, dongle, laptop and screen. A full mirrored setup. The issue I have is that any size of show overseas is that not everyone has or can get a Vista system; I'm on my own. Small gigs/lighting providers don't have Ethernet; they are still on copper, yes, they do still exist! My system is just right as it is for what I do, so I need to find a simple, reliable, no-fuss way of getting lights up! As I've said, I don't like having the dongle out of the surface, especially on load-ins and outs, "shit, where's the dongle...?" I never want to have to say that.

Option 1. I really can't afford it! The money, the space and the weight. I'm just a sole trader who does lights and has my own desk. But where I can, I get production to replicate mine

Option 2. The dongle price for existing users, etc, is still too expensive, which I get. Maybe a different licensing system is now required? I use Capture, and the licensing system there is quite nice.

Option 3. I will lose the dongle, whether it's a switch or just hot-swapping the dongle between computers.

Option 4. This is my current chosen way of "...shit! Quick get some lights up..." solution. There are a couple of DMX recorders, but I favoured the Enttec S Play Lite. It is a tiny box, so easy to store and move around. It will store single static cues, which is good enough, but it will also store full sequences. 16 universes of ArtNET or streaming with 2 physical DMX outputs.

The tiny Enttec S-Play Lite

However... Do we really need a backup nowadays?

If you go to, or do gigs these days, you will not see kit 'backed up'. I've never seen a spare FOH sound desk, monitor desk or VT mixer. Sure, they may have a UPS's etc, but that's to protect against a power outage; but if the amps go off or the lights lose power, all the UPS is doing is keeping the control end active until the amps, etc, come back on, the lights have reset, and the LED screens have powered up. However, I have been to gigs and seen spare lighting desks. Why's that? We have all seen it and done it, 2 GMAs, a pair of Hogs, etc. Curious.

How to secure your SSH connections

A simple layperson… yes, that’s me, I'm afraid. I’m not a coder, or a network wizard, or an expert scripter. I'm a hobbyist who enjoys tinkering with computers. I’m just a guy who hosts his own stuff from home using a tool that makes that journey so easy. The tool I use is Yunohost. They have put together a nice system that, for people like me, is easy to deploy, use and maintain. They have an excellent catalogue of applications, which are all packaged for use on their platform. This means that the security of the apps is already taken into account, allowing you to install with peace of mind. There are other systems around that do similar, but I have found the Yunohost system to be the better one (FWIW). I make a monthly contribution because it's worth it. You can see my system and what's in it here.

That's the advert done with, now to the reason for this article.

Despite the excellent YNH offer, the excellent catalogue of apps, and ease of use, sometimes you do have to get your hands dirty, and when I say that, I mean using a terminal application and something called SSH to log in to your system and do admin 'stuff' or even more terrifying, fixes... Gulp!

What does SSH mean?

It means Secure SHell (or Secure Socket Shell). It is a collection of utilities that provides encryption, key authentication and strong passwords. SSH is used by us users (admins) to manage our systems and applications remotely, enabling us to log in over a network, remotely or locally, to execute commands and to fix and add things, move files from one place to another, and so on. It's a bit more technical than that, obviously, but that's the basics of it.

Something you should probably do first... Maybe. If you want. I would!

Once you have successfully installed and tested your new Yunohsot system, change the SSH port number. SSH is one of the most scanned ports used by hackers to get into your system. The default port is 22, so change it to something else; anything above 1024 should do the trick. So, using terminal and log in to your system with:

ssh username@123.123.123.123 (the username you used to install YNH, the numbers are your server's IP address).

Hit return and enter your password; this is the one you set when you installed YNH in the first place.

Now type in, or copy:

yunohost settings set security.ssh.ssh_port -v 1234

The 1234 should be your chosen port number above 1024 that you want to use. If you really fancy getting your hands really dirty, you could do the following in terminal:

sudo nano /etc/ssh/sshd_config

This will open up a Linux editor called Nano, and you will have the SSH configuration file in front of you. Scroll down to the line that says #port 22. Delete the hash symbol (the comment) and enter a new port number so it will now say port 1234, the number of the port that you want to use. This method will require a restart of the SSH service, which you can do in the YNH GUI under Services, or while you are here in terminal type:

sudo systemctl restart ssh

However, if you want to keep things nice and simple, use the command yunohost settings set security.ssh.ssh_port -v 1234, which will keep things in order for you.

Some folk will probably say don't bother changing the port number if SSH is not forwarded on your router to your server, but whatever, I'd change it. You do have to remember the port number, though, when entering some commands that require SSH access, like logging in using terminal in the future. You will need to enter the port number prefixed with a -p. We shall see that later.

So once you have changed your port number and restarted the SSH service, instead of logging in with:

ssh username@123.123.123.123, you will now need, ssh -p1234 username@123.123.123.123

To be or not to be...

Ask yourself this question. Do I want to access my system via SSH inside my local network, outside or both? Don't be afraid to access your system outside of your network; you just have to think about a few extra things to stay secure.

Here is a little cut-out and keep table of your options and what you should consider.

Personally, I want both. So I have a Raspberry Pi with a VPN server installed on it. Many places on the internet tell you how to install a vpn on a Pi and how to include it in your network. Once you have installed the vpn server, you only need a vpn client on your device(s). I use WireGuard on all my devices. If I need to do anything, I just fire up Wireguard, make the connection and open a terminal app and log in using my username and password. Everything appears to me as local, as if I am in my living room or kitchen with a cup of tea by using: ssh -p1234 username@123.123.123.123 (Yes, I changed my port number, so I need to remember the -p switch and use -p1234.

Can I be even more secure?

So far, we have been using SSH using a username and password for authentication, whether we are local or remote. (IP address when local, domain names when we are remote, unless you are using a vpn, then it's local.) There is another level of security I have recently tried called Key Authentication. This is a process of generating encrypted public and private keys, one on the server and one on a device that you will use to access your server. When you attempt to log in, if the keys match, you get in; if they don't match, you can't. If you lose your device or it gets corrupted, then you are effectively locked out of your server, but there are backdoor ways to get back in and reset. You'll need a monitor and keyboard connected to your server. More on that later.

So let's assume that for this example, we want to access our server, called myserver.com, remotely. We have changed the default port number for SSH from 22 to 1234. We have configured our modem's firewall to port forward SSH 1234 to our server's IP address. When we open a terminal in the coffee shop down the road and type:

ssh -p1234 username@myserver.com

Followed by the password. We now have our server in front of us, and we can do some stuff. But what happens if we are snooped on, wifi sniffed, our credentials compromised or found, whatever...? We can set up our device or devices to use an authentication key so that only those devices can access the server. Let's just do one device for now, a MacBook Pro 16.

Open up a terminal session on your MacBook Pro 16 (other computer manufacturers and models are available!) and type the following:

ssh-keygen -t ed25519 -C device_name Here the device name will be macbook16 so:

ssh-keygen -t ed25519 -C macbook16

When you hit enter, you will be given a path name to save to. Accept it as it is, just hit return. You will then be asked for a passphrase, which is just another word for a password. You could just not bother and hit return, but I'd advise you to set one. Make it a good one, a long one, so long you need a password manager app to remember it. Again, some may say you don't need it, but what if someone gets a hold of your device? You will be asked to confirm the passphrase.

Your device will now create two keys, a private one and a public one. We need to copy the public keys to our home server with:

ssh-copy-id -i ~/.ssh/id_ed25519.pub username@myserver.com

Hit return. Oh no, you got a connection error. Hmmm. This command assumes that you are using port 22 for SSH, but we have changed it to 1234. Remember that little -p switch? So now type:

ssh-copy-id -i -p1234 ~/.ssh/id_ed25519.pub username@myserver.com

That's it. Done. Close all your terminal sessions, and log in using,

ssh -p1234 username@myserver.com 

Now you will be asked for your passphrase and not your password. Enter your passphrase. If you get the server prompt, then the key authorisation for your MacBook Pro 16 to your server works. You still have the old method of logging in using your username and password. We can turn that off so that you can only use key authentication on your MacBook Pro. To turn this off, again, whilst in terminal type:

sudo nano /etc/ssh/sshd_config

You will have probably been here before if you chose to change your SSH port using Nano, the Linux text editor. Scroll down the open file and find the lines:

PasswordAuthentication yes and edit this line by changing the yes to a... no, so now it will read:

PasswordAuthentication no

Also, change the line:

PermitRootLogin yes to no

Save the file and exit. Again, you will have to restart the SSH service through the web GUI, or while you are in terminal type:

sudo systemctl restart ssh

You are all done. Access to your server at home can only be done with your MacBook, remotely. However, can you see the problem here? Your MacBook craps out, breaks down, gets stolen, whatever... You can no longer access your server. You have turned off the username/password method of getting access in favour of key authentication. What do you do?

If you want to use key authentication only, then just repeat the above steps on other devices, iPhone, iPads, Android, and just change the "device name" to the device name you are adding. You can use one key for all, but don't, just don't do it. Create a key for each device. It's safer and easier. You will be able to get access if you lose one device by using another.

Help...! I can't log in. My server is 'bricked"

So you have lost all your devices, or the key authentication process is just not authenticating anymore. How do we get access to our server and reset back to logging in using a username and password? This is where, when you get back home, you get the keyboard and monitor out. Plug them in and log in as admin locally, and let's turn back on password authentication with:

sudo nano /etc/ssh/sshd_config and change the lines:

PasswordAuthentication yes 

PasswordAuthentication yes

Restart the SSH service with:

sudo systemctl restart ssh

Now you can reset or recopy your keys from your device as we did above. Of course, if you are using a VPS, then you will have to use the provider's console to do the above.

Basic Security Tips

These are not in any order or preference, so take your pick of either or a combination of:

• The easiest one is to use SSH locally only, take the port off your router, so no port forwarding.
• Change the port number for SSH.
• Recycle passwords every few months.
• Use key authentication on more than one device.
• Keep your admin group small.
• Use a VPN on a Pi to log in remotely.

There are probably more things you can do, like check that Fail2ban is working and so on.

I told you that this was a layman's guide, so I might have got one or two things wrong. Please let me know. I'm trying to make this easy for those of us who have had difficulty understanding and securing SSH and using Key Authentication.

There is, however, excellent documentation on SSH and key authentication at the Yunohost website, which, of course, should be the definitive guide rather than my 'Janet & John", ABC version. I only write from experience, trial and error.

dj

After using both, which one do I prefer?

Instagram: Probably the world's most popular photo-sharing platform?

When Instagram came on the scene back in late 2010, I was a big user of the platform as an amateur photographer. I didn't boast a huge following, but the community was great to get involved with. It was easy to find like-minded people and to share your photos, get comments, good and bad, share techniques and so on. The community was large, so it was easy to connect with people; you could get your followers up, which meant more exposure, and the likes soon followed. It was a good place to be as a photographer, amateur or professional, and I was a constant uploader of pictures from my phone and my camera; it was, I hate to say it, addictive sometimes.

As time went on, of course, the tone changed on Instagram, and my enthusiasm shifted. I can't quite put my finger on what or how it changed at the time; it just did. It started to feel like another place, comments started to get "funny", which soon turned into "nasty". People would barge in on your feed with comments not related to the content. Then the ads came, then came Meta, and in my view, they destroyed what Instagram set out to do, and Instagram just became a mini Facebook.

Facebook, never and still don't understand it. Why?

I drifted around other platforms like 500px and Flickr. I'd had an account with both for years. I know these things cost money to put up, but I felt the ever-increasing cost was becoming too much for both 500px and Flickr. Yes, I wanted it cheaper or free!

PixelFed, probably the best behaved photo sharing platform?

As an open source junky, I discovered PixelFed. It was in its infancy but looked promising. Very Instagramish in its presentation and use, but it was decentralised, with better privacy controls, and it felt like a 'proper community', just a bunch of people putting up their work and others liking it and or commenting. It was a small community; it was new after all. I was curious about the whole federated idea or PixelFed, multiple private servers all connected, decentralised and so on, a very interesting concept, so I gave it some time and started posting. It was slow and not very... vibrant. Give it time, Del...

Fast forward a few years, and recently I created a new Instagram account, after binning off my account years ago. I hate it... Sorry, but I do. I found it just full of junk and difficult to connect with. Maybe I've got older, maybe I'm not using it right, maybe it's just not for me, the ads, the constant life hacks, the shouting, the constant '...I'm here, look at me...' feel. Maybe I just need re-educating. It's just a loud, noisy place.

At the same time that I recreated my Instagram account, I dipped back into my PixelFed account, and found that it had changed, but it had changed a lot, it was quicker, stable and the community base had grown, so I started by posting some old photos first, just to see how it went, and to my surprise, it felt like a new home. That sounds a bit crass, I know, but it just felt... nice... Lots of people are showing some fantastic work with a phone or a camera, no noise, no shouting, no ads, just people liking and commenting on other people's pictures, with a good helping of privacy control. A bit like... Instagram was back in 2010! It's all about the data...

Today I'm using PixelFed. I like the style, the feel and the community. Sure, you still get the odd bozzo, but that will always happen. I like PixelFed, and it has, for the moment, become my go-to photo-sharing platform. I like the control, the privacy and the true community spirit of the platform. Long may it thrive

Money, money, money....

It's free...! While I have already bemoaned the cost of the likes of 500px, Flickr and others, it's not just the financial cost. It's your data and privacy cost. If you're going to put photos out on the internet, then you are not being very private in the first place, but at least you can control how your data is analysed and distributed. I do contribute some money to open source apps, it might be small, but it's a contribution, something we should all consider doing once in a while. Again, it doesn't have to be much.

A BIG SHOUT OUT!!!!

To the folks who make PixelFed and other good open source software available to us all. Thank you!

See my PixelFed profile.

They don't come very often, but here is my third short story

Yes, I know it's all been done before, so when and if you read it, you will probably say, "Oh, Stephen King - Christine". That's not what I intended; it wasn't. I saw the film many years ago, but I don't really remember anything about it except seeing a throbbing, vibrating old car in a lot of smoke and with lots of headlights.

Anyway, here it is, my second short story. Many Careful Owners. Written under my pen name, Bill Whyte. Enjoy, if you dare! Is it Christine...?

Why bother?

There are many reasons. For me, it's a hobby, but it might be different for you, of course. I have also become more resistant over time to letting big corporations be responsible for my data. How many times have you heard that such and such has been hacked? Of course, that can happen to anyone self-hosting as well, but at least I will be responsible for any loss. I can also react quicker and shut it all off, and as long as I have a backup, I can rebuild and be up and running again quite quickly.

So, what do I self-host, and how did it come about?

Back in the day, my email was hosted by FastMail and my files by SugarSync. Ah, those were the days. To be fair to them both, they were never hacked while I was with them, but I quite liked the idea of having everything under my control, files, photos and music, but how? I'd heard and seen a demo of OwnCloud. It was a file-sharing and sync server; it was in its infancy at the time and a pain to get and to keep going. 

I invested in a QNAP NAS, a small but slow one to start with. It was quite good and did more or less what I needed. I could store and share my own files and photos, and music, but my email was still with FastMail. The slow speed of the server started to become a pain, so I upgraded to a larger, faster model. Now we were talking. It was a much better experience. I also had a slow Raspberry Pi that ran the file sharing and application suite, Nextcloud. Again, Nextcloud was a bit troublesome, but it soon made rapid improvements. It’s just that the Pi could not keep up with the demand of Nextcloud, and I found it offline more than on.

While on a trip, I was searching the internet for self-hosting solutions and discovered, by accident, a community of people that had put together a self-hosting server called Yunohost. A bit of an odd name, but it had a good application catalogue that included Nextcloud for files, Piwigo for photos and Navidrome for music. 

My new fast QNAP NAS came with an app called Virtualisation Station, which allowed you to install a full operating system in its own container. Interesting, I thought, and installed Yunohost into a container and set it up to speak to the outside world. It was a eureka moment. It was quick and very stable, and very soon I had Nextcloud working and usable. Next, I moved my website over, which was easy to do; all I had to do now was move my email over. A scary thought indeed. 

With the fantastic help of the Yunohost community and some fiddling with DNS records at my domain registrar, I was off and running. Now I had everything I needed, working from a small server in my garage at home. Excellent… until… I was hacked! There were a bunch of hackers that had been targeting QNAP NAS machines online, and mine was one of them. I was locked out with ransomware. My blood turned cold when I logged into the server and saw the message. Fortunately, the container that my new test server was in was isolated from the ransomware that had changed the file name of every file on the system, but the isolated server within the server was still clean, and I had a backup, but everything else was gone; the backup was 4 weeks out of date. No way was I going to pay £530 in bitcoin to release my files. Instead, I wiped the QNAP NAS clean and sold it. I couldn’t wait to get it out of the house; never again will I buy a QNAP product.

The next day, I bought a small form factor desktop computer on Amazon, installed Yunohost and restored from my backup. Since that day, five years ago, I have had a flawless system; only once was I hacked with some porn on my photo server, and that was my fault and was quickly fixed.

Pros and Cons

So what are the pros of self-hosting?

• The obvious one is that you are in control of your data.
• If you do the right thing, your data will be safe.
• Cheaper. Online service providers are charging more and more each year to host your stuff. Sure, there are free services, but they are not really free.

...and the cons?

• Power outages that are out of your control. UPS? Backup?
• You must keep the system up to date to avoid security breaches.
• Keep the server apps up to date.
• Don’t forget to backup.
  • If the system fails, you will need to recover from it.
  • If you are hacked, you will need to recover from it. Make sure that the apps are set up correctly and understand permissions. Again, porn was dumped on my photo server due to bad permissions. I’ve learnt since!!!
• You’ll need an understanding of how the internet works; things like DNS and DNS records will suddenly become a new thing for you to learn and understand.

Is it really worth it?

If you have the time, do some preliminary research and try a bit of trial and error work, then yes, it is worth it. My server runs smoothly, is backed up every day, and is updated weekly. I have several websites on my server, including photo galleries, file storage and sharing, as well as a large music library. Sure, I have faced a few ups and downs, but with some reading and help from the community, I have been up and running within a couple of hours. You will also gain a good understanding of how networks and the internet work. It's very rewarding to know that everything is under your control and knowledge. You don't need to know too much, but the more you learn, the more beneficial it is to keep your homelab server running.

My Yunohost Homelab

Have a look at my set-up at digitalcarnage.co.uk, and if you have any questions, do reach out 

dj

How did it happen?

Back in 2008, I was looking to own my own lighting desk. I don't know why, I just did, it kinda felt like the right thing to do at the time, I could operate a Whole Hog and an Avolites desk. I was also, before then, quite proficient on the Vari*Lite consoles. Whatever happened to them? Ah, them's were the days. I had just been asked that year to do the set and lights for the Cliff Richard and the Shadows' World Tour, so I thought that would be a good opportunity to buy a desk, but which one? 

One wet Wednesday, I was in a well-known lighting hire company's warehouse, and they had a Jands Vista S3 console setup and running it with a MacBook. They allowed me to have a look and to play around with it. I liked it, I liked it quite a lot. There were a few things that I couldn't quite get my head around. The approach to some things was quite a bit different from what I had previously known, so I put the software on my laptop, took it home, and spent a lot of time with it. Soon, I was finding my way around it quite quickly and developing some new muscle memory along the way. 

Quite by chance, the S3 came up for sale, complete with an unlimited dongle and the MacBook, so I took a deep breath and bought it. My newly acquired Jands Vista S3 was going on a world tour with an, at the time, large and well known act. Had I done the right thing? Fortunately, it was already flight-cased and ready to go.

My first Jands Vista setup. (with Catalyst)

The tour consisted of a large screen, 20m x 5m of high-resolution LED screen, that was it, really, and a pile of lights. The idea was to push all 5 cameras and content to the screen, make them spin and slide on and off and tumble through a Catalyst media server, which would be fired by my desk along with the lighting, quite a challenge back then. Of course, these days it's easy peasy, but back then, in 2009, it was considered a challenge.

I had help from a wonderful chap, Andy Ryhmes. I'm sure he won't mind a mention here. He was brilliant on the Catalyst side of things and getting the Vista to talk to it. After three weeks in rehearsals, we had a show, a great show that went down a storm. A happy client and happy fans. With my new confidence, I was ready to say goodbye to Andy and face the world on my own.

The tour was a great success, and I continued to do lots of work with my S3, which I soon added to with an S1/M1 combo for smaller gigs. There were plenty of gigs for them all, and my desks were always busy. I loved it!

My Jands Vista Collective...

One day, while touring in Europe, with a band that will remain nameless, I learnt the news that ChromaQ in Canada had acquired the rights to the Jands Vista brand. I was shocked and a bit nervous, but a quick call to the wonderful Jack Moorhouse soon put those fears to rest as he told me the future was good for Vista. he wasn't wrong. I bought the new Vista MV and EX combo, which I have had ever since. This little system has worked very hard for me, with the whole system fitting neatly into a single Peli case, under 32 lbs, just, and has been all around the world doing music tours, corporate events and once of events. Each new release of the software brings something new and useful. I have never ever had a single problem with.

As a side note, I was on a corporate gig in Wembley two years ago, and the console was my old S1/M1 system that I sold. Awww!

I'm not into console wars; they all do the same thing now, especially my Vista by ChromaQ. I'm quite happy to sit on a riser with my small footprint console, providing what my clients want. I have, over the years, fraternised with the GMAPC and the Chamsys desks. I like the small form factor, I like just jamming it all into a Peli and leaving for a hotel or airport, pulling it behind me.

My current Vista by ChromaQ setup

I'm looking forward ot seeing more from Vista by ChromaQ in the future. Bring it on...