Stacker looks nice, but why is it better than the other options that have been around for a long time? At $349/app/mo (or $3480/app/yr) it seems more expensive than the others but perhaps the value is there.
Where we try to differentiate ourselves is that while Bubble etc. can theoretically let you create any app/product, in reality that means you're building all the small parts from scratch, and you end up having to basically think like a programmer.
We want to solve a much smaller set of problems really well – turning spreadsheets into Internal Apps and Customer Portals.
That means we've spent a bunch of time focussing on getting the things that everyone needs (User login, data security, lists, forms) really excellent so that you can build something really easily.
In fact, there's not really any "building", just "configuring" – you start with a working app as soon as you connect your data, and then customize it to look how you want.
Contrast that with tools like Bubble where you have to build out each screen, each form, the login page etc. manually.
While Twilio does a lot right, they still only offer SMS and their own proprietary Authy solution for 2FA for their website. No TOTP (and still no plan to offer the industry standard) means that this has a whiff of hypocrisy.
Perhaps, but you still cannot use this to authenticate to Twilio itself. Twilio requires either using unsafe SMS or some version of EEE[1] in their console.
The argument then goes back to, why pick up an external dependency and cost for open standard authenticator when you could just include a library and generate it yourself.
This allows a developer to have all the benefit of the Authy API, including enhancing the experience using push authentication or dropping back to SMS if needed, as well as allowing users to use an authenticator app of their choice. It's the best of all worlds in this case.
But if building and maintaining app based TOTP using a library is good enough for you, then go for it. I'm certainly not going to make you use Twilio's APIs, but plenty of businesses do see the benefit.
Twilio seems to have some great engineers and I'm often impressed by the quality of their technical writing, but you'd never know it from their console horrorshow UX.
For ease of setting up self-hosted apps, Yunohost (https://yunohost.org) is less polished than Cloudron (https://cloudron.io) but is free. There's also Sandstorm (https://sandstorm.io) which had funding at some point and was looking slick, but it's not clear if development is continuing.
This is a great project and really easy to use if you're even slightly technical. If you're looking for something that someone else manages at the cost of giving away sensitive organizational data, Duo Insight is free from a well respected vendor (Cisco acquisition notwithstanding) - https://duo.com/resources/duo-insight
You're absolutely right, and I highly recommend Duo Insight! While I developed Gophish, I also work at Duo so I'm happy to discuss the differences between the two. :)
While my experience with Gophish was one of the things that brought me to Duo, Insight is not based on Gophish at all. I had the privilege of working with the team of engineers who built Insight and they are amazingly talented. It's a really high-quality product from an incredible team.
You hit the nail on the head as to why someone may prefer Insight to Gophish. Gophish, while being easy to set up, still requires _some_ setup and hosting. With Insight, everything is managed for you. This has significant time savings and infrastructure savings.
The downside to this is flexibility, which is what Gophish offers. Insight offers a good few pre-built templates while Gophish lets you create your own. You control everything and have the ability to tailor phishing campaigns exactly how you want them. Gophish was also built from the ground-up to be driven by an API, and has other features that may be useful in more red-team scenarios (such as credential capture).
The other benefit to Gophish that you mentioned is that, since you control the infrastructure, you control all of the data end-to-end.
So while they're in a similar space, they're pretty different products with different strengths and weaknesses. If you're just starting to look into running a phishing simulation, I'd lean towards giving Insight a shot since it's super quick and easy to get a campaign out the door. Once you need more flexibility and power, Gophish is an easy transition. :)
FirewallIP is what's kept me on jailbroken iOS since the 3GS, but the lack of updates (or responses from the developer) and annoyance of dealing with jailbreaking is pushing me towards Android where rooting is well supported and can be done while keeping the OS up to date.
The solution I've settled on has been AFWall+ to ensure that only a limited set of apps can talk at all, and Netguard to control where those apps can talk. The interface is not as elegant as FirewallIP, but it does allow an easier ability to interactively allow and block specific destinations without firing up a text editor.
Equifax is a global company headquartered in America that operates in 24 countries, including 3 where people are covered by GDPR: UK, Spain and Portugal[1].
It's good to see another option for an outbound firewall, but as an industry we still have a long way to go. As with many security solutions, there is a conflict between flexibility and usability. I want:
1) To be able to choose the exact host/subnet/domain that an application can access with a good UX
2) Have someone else curate a list that I subscribe to that handles most cases
3) Work on desktop and mobile
For choosing the exact host/subnet/domain on a per-application basis, the best UX I've seen on any platform is FirewallIP[1], the unmaintained software on a jailbroken iPhone. So many desktop solutions[2] only let you choose Allow everything or Deny everything, Little Snitch and Windows 10 Firewall Control[3] are exceptions, but even they are limited.
The curated list option should be easy enough to support on most platforms. Easylist has shown how well it can work on the browser when combined with uBlock Origin. Install it for someone who is technically naive and they'll just see no ads with no negative experience.
The mobile platform is harder to support as under Android you need to root the phone to get access to the underlying iptables firewall with something like Afwall+, or you run a fake VPN back to the device and filter there which is prone to failure (is it working? has it stopped itself for some reason) and has less flexibility. Under unjailbroken iOS, products like Surge, Potatso2 and Shadowrocket run a local proxy that is similar to the fake VPN under Android, but requires manually editing a text file for configuration and seem to be designed to get around the Chinese internet restrictions rather than privacy.
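Points 1) and 2) above describe a policy model (per-application host/subnet/domain allow rules, plus a subscribed curated list) rather than any particular product. The following is an added example, not code from FirewallIP, AFWall+, Little Snitch or any other tool named in the thread: a small evaluator in Python that shows how the two rule sources combine and how host, CIDR and wildcard-domain rules match. The app names, rule lists and destinations are constructed for the demonstration.

```python
import ipaddress
from typing import Optional, Tuple

# Constructed "subscribed" list, standing in for an Easylist-style curated feed.
# It is consulted first and applies to every application.
CURATED_DENY = ["*.tracker.example", "203.0.113.0/24"]

# Constructed per-application allow lists (the "exact host/subnet/domain" control).
# An app with no entry here is denied everything by default.
APP_ALLOW = {
    "mail": ["imap.example.net", "*.example.net"],
    "maps": ["198.51.100.0/24"],
}


def parse_rule(text: str):
    """Classify a rule as a wildcard domain, a CIDR/IP subnet, or an exact host."""
    t = text.strip().lower()
    if t.startswith("*."):
        return ("domain", t[2:])
    try:
        return ("subnet", ipaddress.ip_network(t, strict=False))
    except ValueError:
        return ("host", t)


def rule_matches(rule, host: Optional[str], ip: Optional[str]) -> bool:
    kind, value = rule
    if kind == "domain":
        # "*.example.net" covers example.net and any label under it, but not
        # look-alikes such as evil-example.net (the leading dot is required).
        return host is not None and (host == value or host.endswith("." + value))
    if kind == "subnet":
        return ip is not None and ipaddress.ip_address(ip) in value
    return host is not None and host == value


def decide(app: str, host: Optional[str] = None,
           ip: Optional[str] = None) -> Tuple[bool, str]:
    """Return (allowed, reason): curated deny wins, then per-app allow, else deny."""
    if host:
        host = host.lower().rstrip(".")
    for text in CURATED_DENY:
        if rule_matches(parse_rule(text), host, ip):
            return False, f"curated deny: {text}"
    for text in APP_ALLOW.get(app, []):
        if rule_matches(parse_rule(text), host, ip):
            return True, f"app allow: {text}"
    return False, "default deny"


if __name__ == "__main__":
    # Constructed connection attempts, as a firewall front-end would see them.
    attempts = [
        ("mail", "imap.example.net", "192.0.2.10"),
        ("mail", "ads.tracker.example", "192.0.2.20"),
        ("mail", "evil-example.net", "192.0.2.30"),
        ("maps", None, "198.51.100.7"),
        ("maps", None, "203.0.113.5"),
        ("unknown-app", "example.org", "192.0.2.40"),
    ]
    for app, host, ip in attempts:
        allowed, why = decide(app, host, ip)
        print(f"{app:12} {host or ip:24} {'ALLOW' if allowed else 'DENY ':5} ({why})")
```

Ordering is the design choice worth noting: the curated list is evaluated before any per-app allow so that a user's broad rule such as `*.example.net` can never re-open a destination the subscribed feed blocks, and the fallthrough is deny, which is what makes an unrecognised app "not able to talk at all" as in the AFWall+ setup above.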
Also highly recommended for people who are willing to spend a little more time to control where their browser retrieves content is uMatrix[1]. Written and maintained by the most esteemed Raymond Hill who creates uBlock Origin.
If you're on Chrome, don't forget to also install uBO-Extra[2] along with uBlock Origin[2], otherwise you don't get WebSocket coverage.
Actually, Chromium (and uBO) has supported blocking WebSockets via webRequest for a while now[1], despite the desperate protests of a MindGeek employee[2].