Research
Security News
Malicious npm Packages Inject SSH Backdoors via Typosquatted Libraries
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
Locally, DashKite uses the file .dashkite
to manage your profile. CLI commands that access private resources require your profile. Your .dashkite
profile is a YAML file structured like this:
profile:
publicKey: 6ovGwDUSNRgV2RvTONsw6JBU2kCZA379ELrsS3/ojQo=
device:
privateKey: Q8kehMPhEWxyoP3MlbX9LAIMCeO9YRSekzTdFWRQqsY=
publicKey: a5xasUsJTcQ5w0UwERNb98TOUHw5e+grUVym+jq1aD4=
Your profile public-key serves to anonymously identify and reference your profile. Private data is encrypted using the corresponding private-key, but it is not stored directly.
To safely make your profile private-key available to multiple devices, each device is assigned a device key-pair. The device public-key is used to identify the device and authorize requests to the DashKite API, while the device private-key is used to encrypt the profile private key before storing it with the API.
Using this scheme, the device private-key never leaves your device, and the profile private-key is only ever stored in an encrypted form. Therefore, if you delete .dashkite
, you lose access to your profile private key and your authorization to access private resources.
npm install dashkite -g
This gives you the command-line executable kite
$ kite profile add david
[dash] warn: no credentials found in /Users/david/desktop-test or its direct ancestors.
[dash] warn: creating profile...
[dash] info: saving credentials in /Users/david/desktop-test/.dashkite
[dash] info: saving new profile with DashKite API...
[dash] info: new profile ready
[dash] info: updating profile with nickname...
[dash] info: profile nickname updated to david
###
## Start from a new device we'd like to name "phone"
###
$ kite profile link david
[dash] info: fetching test public key
[dash] info: saving profile public key in local profile
$ kite device add phone
[dash] info: using profile from [/Users/david/phone-test]
[dash] warn: no device key has been yet assigned for this device
[dash] info: updating profile with provisional device...
[dash] info: provisional device saved with profile
[dash] info: saving device key-pair to local .dashkite profile...
[dash] info: device key pair added
[dash] info: use an already authorized device to complete this device's authorization
###
## On first "device"
###
$ kite device authorize phone
[dash] info: using profile from [/Users/david/desktop-test]
[dash] info: fetching provisional device info...
[dash] info: encrypting profile private key for new device
[dash] info: authorizing device "phone"...
[dash] info: success
[dash] info: use the below PIN to complete the authorization on the new device
[dash] info: PIN: R1B1xA
###
## Back to the second "device"
###
$ kite device pin R1B1xA
[dash] info: using profile from [/Users/david/phone-test]
[dash] info: decrypting profile private key from old device
[dash] info: encrypting profile private key for phone
[dash] info: completing device authorization...
[dash] info: success
[dash] info: this device is now fully authorized and ready to use
###
## This assumes you already have a profile setup
###
$ kite post add 'Hello World!'
[dash] info: using profile from [/Users/david/desktop-test]
[dash] info: posting update...
[dash] info: success
###
## You can also post from files using stdin, including newline characters
###
$ echo "Hello, from stdin" > foo.txt
$ echo "We can write multiple lines here, too." >> foo.txt
$ kite post add < foo.txt
[dash] info: using profile from [/Users/david/desktop-test]
[dash] info: posting update...
[dash] info: success
###
## We can read these posts, newest first
###
$ kite post list david
[dash] info: looking for posts from "david"...
---
Hello, from stdin
We can write multiple lines here, too.
---
Hello World!
---
###
## To view anyone else's posts, just put their profile name in this command.
###
###
## This assumes you already have a profile setup.
###
###
## At first, your feed is empty.
###
$ kite feed
[dash] info: using profile from [/Users/david/desktop-test]
[dash] info: fetching your latest...
[dash] warn: Oh, there's nothing to see here
###
## So, follow anyone by naming them.
###
$ kite profile follow bob
[dash] info: using profile from [/Users/david/desktop-test]
[dash] info: fetching "bob" public key...
[dash] info: following "bob"...
[dash] info: success
###
## Anyone you follow shows up in your feed
###
$ kite feed
[dash] info: using profile from [/Users/david/desktop-test]
[dash] info: fetching your latest...
---
You got me. I will now reveal my love of knitting
---
My name is Bob, and I like sports.
---
###
## Your feed is arranged in reverse-chronological order, so adding new people orders their posts.
###
$ kite profile follow david
$ kite feed
---
You got me. I will now reveal my love of knitting
---
That's cool, but where did all those blanets come from?
---
My name is Bob, and I like sports.
---
kite feed This command serves up the freshest posts from the people you follow.
kite profile add [profile-name]
This command allows you to create a new DashKite profile or update the name of an existing profile. Your profile is stored within a file named .dashkite
. If it cannot be found in your working directory or its ancestors, one is automatically generated and saved in your current working directory. See Your DashKite Profile for more information.
If you already have a profile, add
will update your profile's name. Names must be unique, so this command will fail if you choose a name that conflicts with a name someone else picked.
kite profile link [profile-name]
This command allows you to link a new device with an existing profile. You cannot use this command if you already have a .dashkite
file. link
takes the profile name you provide, looks up the public key for that profile, and creates a .dashkite
stub. You then need to go through the new device flow to authorize this device.
kite profile follow [profile-name]
This command allows you to follow the posts of an existing profile in your feed. After you follow them, their posts will appear in your feed the next time you check it.
kite profile unfollow [profile-name]
This command allows you to stop following the posts of an existing profile in your feed. After you unfollow them, their posts will disappear from your feed the next time you check it.
kite device add [device-name]
This command allows you to add a new device to your profile. This merely places a request with your profile from a new device, and is part of a larger new device flow.
kite device authorize [device-name]
This command authorizes a new device, requested via kite device add
. It is part of the new device flow. You use authorize
from an already-authorized device. It uses its access to the profile private key to encrypt a copy for the new device with asymmetric encryption.
This command grants temporary authorization to the new device's public device key, allowing it to access the API, but without access to the profile private key to access private data. It returns a 6-character PIN to be used with the new device to complete the authorization flow. You have 3 minutes to enter this PIN before re-submitting authorization.
kite device pin [device-PIN]
This command completes the new device flow. You get a PIN when using kite device authorize
. Using this PIN allows the API to permanently authorize the new device, retrieve the encrypted profile private key, and replace it with a copy only the new device can decrypt.
After completing the new device flow, the device is ready and has full access to the profile.
kite device delete [device-name]
This command causes the profile to forget the target device. The public key entry is deleted, including the encrypted copy of the profile private key, denying the device access to both the API and any private data.
kite post add [text] kite post add < [file]
This command creates a DashKite post attributed to your profile. You may either input the content directly on the commandline, or pipe in a file. New-line characters are maintained.
kite post list [profile name]
This command lists out the posts from the target profile in reverse chronological order. Because DashKite posts are public, you may use this command without a .dashkite
profile and see the posts from any profile you specify.
kite post delete [post ID]
This is a WIP command to delete a target post. It is functional, but there is currently no way to view a post's ID in the CLI tool.
FAQs
CLI for DashKite - social media with strong privacy
The npm package dashkite receives a total of 0 weekly downloads. As such, dashkite popularity was classified as not popular.
We found that dashkite demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 2 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
Security News
MITRE's 2024 CWE Top 25 highlights critical software vulnerabilities like XSS, SQL Injection, and CSRF, reflecting shifts due to a refined ranking methodology.
Security News
In this segment of the Risky Business podcast, Feross Aboukhadijeh and Patrick Gray discuss the challenges of tracking malware discovered in open source softare.