One safety tip: disable SSH Agent Forwarding before you connect, otherwise the remote server can theoretically reuse your private key to establish new connections to GitHub.com or prod servers (though this host is unlikely to be malicious).<p><a href="https://www.clockwork.com/insights/ssh-agent-hijacking/" rel="nofollow">https://www.clockwork.com/insights/ssh-agent-hijacking/</a> (SSH Agent Hijacking)
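An added example (not from the thread or the terminal.shop project) for the agent-forwarding tip above: a small resolver that shows which `ForwardAgent` value an ssh_config file yields for a host, since ssh keeps the first value it obtains and a leading `Host *` block can silently override a later per-host `no`. The sample configs and the `*.corp.example` host are constructed; `Match` and `Include` are not evaluated.

```python
import fnmatch

# Constructed ~/.ssh/config samples (hostnames other than terminal.shop are made up).
RISKY = """\
Host *
    ForwardAgent yes

Host terminal.shop
    ForwardAgent no
"""
FIXED = """\
Host terminal.shop
    ForwardAgent no

Host *.corp.example
    ForwardAgent yes
"""

def host_matches(patterns, host):
    """Host-line matching: a '!' pattern vetoes, otherwise any positive hit wins."""
    hit = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(host, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(host, pat):
            hit = True
    return hit

def effective_forward_agent(config_text, host):
    """Return the ForwardAgent value ssh would pick for host (default 'no')."""
    active = True  # options before the first Host line apply to every host
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        if not parts:
            continue
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "host":
            active = host_matches(value.split(), host)
        elif key == "match":
            active = False  # assumption: Match blocks are skipped in this sketch
        elif key == "forwardagent" and active:
            return value  # first obtained value wins; later blocks are ignored
    return "no"

def forwards_agent(config_text, host):
    return effective_forward_agent(config_text, host).lower() != "no"
```

On a real machine, `ssh -G terminal.shop` prints the effective options OpenSSH itself resolves, and `ssh -a` disables forwarding for a single connection regardless of the config file.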
I can't test this due to the product being out of stock, but I wonder what their approach to PCI compliance is.<p>Processing credit card data has a high compliance burden if you're unwilling to use a secure widget made by an already-authorized provider like Stripe. That's for a good reason: most web and mobile apps are designed such that their backend servers never see your full credit card number and CVV. You can't do this over SSH.<p>I also wonder whether you could even do this if you had to handle PSD2 2-factor authentication (AKA 3D Secure), which is a requirement for all EU-based companies. This is usually implemented by displaying an embed from your bank inside an iframe. The embed usually asks you to authenticate in your banking app or enter a code that you get via SMS.<p>You can take the easy way out of course and make the payment form a web page and direct the user to it with a URL and/or a Unicode-art rendition of a QR code.
A lot of people don't know that before Amazon started, there was a company out of Portland, OR called Bookstacks selling books via a telnet interface. In the early days, Bezos was quite worried about their potential to get "there" first (wherever "there" was going to be). It was a fairly cool interface, at least for 1994.<p>[ EDIT: worried to the point that we actually implemented a telnet version of the store in parallel with the http/html one for a few months before abandoning it ]
hey! i'm one of the people who worked on this, we actually launched a few days ago and sold out quite quickly - we'll remove the email capture so you can poke around<p>we'll be back in a few weeks with proper inventory and fulfillment<p>we'll also be opensourcing the project and i can answer any questions people have about this
I'm curious how they built this. It's SSH but the IP address is Cloudflare's edge network. It could be using CF Tunnel to transparently route all the SSH sessions to some serving infrastructure, but I didn't know you could publicly serve arbitrary TCP ports like that.
Building it in serverless fashion on CF Workers would be ideal for scalability, but those don't accept incoming TCP connections.
<p><pre><code> ┌──────────┬────────┬─────────┬───────┬────────────────────┐
│ terminal │ s shop │ a about │ f faq │ c checkout $ 0 [0] │
└──────────┴────────┴─────────┴───────┴────────────────────┘
nil blend coffee
whole bean | medium roast | 12oz
$25
Dive into the rich taste of Nil, our delicious semi-sweet
coffee with notes of chocolate, peanut butter, and a hint
of fig. Born in the lush expanses of Fazenda Rainha, a
280-hectare coffee kingdom nestled in Brazil's Vale da
Grama. This isn't just any land; it's a legendary
volcanic valley, perfectly poised on the mystical borders
between São Paulo State and Minas Gerais. On the edge of
the Mogiana realm, Fazenda Rainha reigns supreme, a true
coffee royalty crafting your next unforgettable cup.
sold out!
────────────────────────────────────────────────────────────
+ add item - remove item c checkout ctrl+c exit</code></pre>
> # use the command below to order your delicious 12oz bag of Nil Blend coffee<p>> ssh terminal.shop<p>Oops, I thought I was supposed to enter it directly into the prompt on the webpage. The styling makes it look like an interactive console, I figured they included an embedded javascript SSH client for users who might not have one.
Reminded me of Hacker Scripts, specifically `fucking-coffee`:<p>> this one waits exactly 17 seconds (!), then opens a telnet session to our coffee-machine (we had no frikin idea the coffee machine is on the network, runs linux and has a TCP socket up and running) and sends something like `sys brew`. Turns out this thing starts brewing a mid-sized half-caf latte and waits another 24 (!) seconds before pouring it into a cup. The timing is exactly how long it takes to walk to the machine from the dudes desk.<p><a href="https://github.com/NARKOZ/hacker-scripts">https://github.com/NARKOZ/hacker-scripts</a>
Before a bunch of you run off and make more of these “because it’s cool”, they’ll likely lose access to Stripe once Stripe’s security team pays attention and realizes that this can be trivially man-in-the-middled and doesn’t actually offer the equivalent protection to https.<p>I wrote up a little demo and explainer at<p><pre><code> https://mitm.terminal.shop.rag.pub
ssh mitm.terminal.shop.rag.pub</code></pre>
Hmm, a CLI interface for consumer purchasing.<p>Can I pipe that order through to a payment processor and delivery method? Script my meals for the week?
> is ordering via ssh secure? # you bet it is. arguably more secure than your browser. ssh incorporates encryption and authentication via a process called public key cryptography. if that doesn’t sound secure we don’t know what does.<p>Strong disagree. The encryption is the easy part, the hard part is the symmetric key exchange. And PKI used by browsers is much more robust for this use case than the TOFU model of ssh. Of course the proper way to fix this is checking the ssh key fingerprint, but almost nobody does this.
So unless you mean to exclusively sell coffee to users who don't have a white terminal background, you may want to consider your color scheme. I was missing the white text.<p>(I know this is considered an atrocity by some, but I happen to not really care enough about my terminal color to change the default)
Love the idea! Congratulations (?) on being sold out!<p>My constructive feedback is that the text contrast is so low (in iTerm2 anyway) I can barely read anything. I thought only web pages had that problem, but I guess sufficiently sophisticated TUI apps have designer color problems too! What's next, incredibly tiny terminal fonts? (jk, designers...sort of)
I really like Fellow Drops: <a href="https://fellowproducts.com/pages/fellow-drops" rel="nofollow">https://fellowproducts.com/pages/fellow-drops</a><p>It is SMS based. Each week they offer a different bean from a different roaster, and you reply with the number of bags you want. I've discovered a number of great roasters this way.
The authenticity of host 'terminal.shop (172.65.113.113)' can't be established.
ED25519 key fingerprint is SHA256:TMZnO7N8mmR/Pap3urU2P4uBNuhxuWtDUak0g9gyZ8s<p>That's a bit different than the key listed
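An added example (not from the thread or the terminal.shop project) for the two comments above about TOFU and the first-connect prompt: it derives the OpenSSH `SHA256:` fingerprint from a host key line in `ssh-keyscan` format and compares it against a fingerprint obtained out of band. The key bytes are constructed dummy values, so the comparison against the fingerprint quoted in the comment fails, which is what a mismatch looks like.

```python
import base64
import hashlib

# Fingerprint a commenter reported seeing at the first-connect prompt.
SEEN = "SHA256:TMZnO7N8mmR/Pap3urU2P4uBNuhxuWtDUak0g9gyZ8s"

def _ssh_string(data: bytes) -> bytes:
    """SSH wire encoding: 4-byte big-endian length, then the bytes."""
    return len(data).to_bytes(4, "big") + data

# Constructed key line in `ssh-keyscan` output format; the 32 key bytes are
# dummy values, not terminal.shop's real host key.
_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
SAMPLE_LINE = "terminal.shop ssh-ed25519 " + base64.b64encode(_BLOB).decode()

def fingerprint(key_line: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a 'host type base64' key line."""
    _host, key_type, b64 = key_line.split()[:3]
    blob = base64.b64decode(b64, validate=True)
    # The blob begins with a length-prefixed copy of the key type; reject a
    # line whose declared type and embedded type disagree.
    n = int.from_bytes(blob[:4], "big")
    if blob[4:4 + n].decode("ascii", "replace") != key_type:
        raise ValueError("key type does not match key blob")
    digest = hashlib.sha256(blob).digest()
    # OpenSSH prints base64 without the trailing '=' padding.
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def matches_pinned(key_line: str, pinned: str) -> bool:
    """True only if the offered key hashes to the out-of-band fingerprint."""
    return fingerprint(key_line) == pinned

if __name__ == "__main__":
    print(fingerprint(SAMPLE_LINE))
    print("matches pinned value:", matches_pinned(SAMPLE_LINE, SEEN))
```

The check only helps if the pinned fingerprint reaches you over a channel the SSH connection itself does not control, such as the vendor's HTTPS site.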
Reminds me of<p>"Before Google, Sergey Brin tried (and failed) to let us order pizza by fax"<p><a href="https://news.ycombinator.com/item?id=5264626">https://news.ycombinator.com/item?id=5264626</a>
Reminds me of my friend’s zine-via-telnet:
<a href="https://anewsession.com/" rel="nofollow">https://anewsession.com/</a>
If you're looking for a movie to enjoy with your coffee, <a href="https://ascii.theater/" rel="nofollow">https://ascii.theater/</a><p><pre><code> ssh -a -i /dev/null -o StrictHostKeyChecking=no watch.ascii.theater</code></pre>
Was kinda hoping this was some place selling made coffee, but I do realize the reach of that would be small.<p>But I do kinda like the idea of something as... niche as this popping up in a highly tech area and then offering the ability to buy and get your coffee without ever seeing someone.<p>Like you just walk into a room with a rotating door (like one you might see at a doctor's office for samples) or something like that.<p>Feels very... introvert and would be kinda fun.
The founders have a great (if conversational and sometimes off topic) podcast about development topics:<p><a href="https://podcasts.apple.com/us/podcast/how-about-tomorrow/id1651741524" rel="nofollow">https://podcasts.apple.com/us/podcast/how-about-tomorrow/id1...</a>
From the FAQ:<p><pre><code> will Nil make me a better developer?
legally we cannot guarantee that it will, but...
is it true your coffee contains the sweat of @theprimeagen?
we can neither confirm nor deny these rumors.
is it true your coffee contains the tears of @thdxr?
yes, this is true.</code></pre>
FAQ:<p>> is ordering via ssh secure? you bet it is. arguably more secure than your browser. ssh incorporates encryption and authentication via a process called public key cryptography. if that doesn’t sound secure we don’t know what does.<p>Doesn’t TLS use public key cryptography too?
It would be awesome if I can do something like this:<p>> ssh terminal.shop "register foo $pubkey"<p>> ssh foo@terminal.shop "set shipping address to $addr, credit card info $info, email address $email"<p>> ssh foo@terminal.shop "order one 12oz light roast"
Reminds me of the pizza cli app that would order Domino's Pizza.<p><i>EDIT</i> Pizza Party is what I am thinking about.<p><a href="https://www.youtube.com/watch?v=J691aLfkWP0" rel="nofollow">https://www.youtube.com/watch?v=J691aLfkWP0</a>
Another service that is completely controlled through a ssh tui : <a href="https://nixbuild.net" rel="nofollow">https://nixbuild.net</a>
This is really cool. I wonder how they pipe the data to stripe?<p>As an aside kind of funny to see this pop up. I was just talking about if anyone was doing ordering through a cli a while ago: <a href="https://news.ycombinator.com/context?id=39817617">https://news.ycombinator.com/context?id=39817617</a>
I am very curious how this is built, I would like to build similar SSH interactive experiences. Any resources and how to get started would be really appreciated. (I know how to set up a basic TCP server that listens on SSH port, but I really don't know how to implement navigation, etc. for the SSH experience)
While it's cute, it's a small business not a startup and still a gimmick that doesn't solve the problem that coffee is a commodity and so the business is fundamentally not defensible. It's equivalent to being a meal kit business, which is one notch away from being a restaurant.
Since I can't currently order, can someone say how the ordering process works? Do they send back a link to be used with stripe? Or do they try to handle everything within the terminal? The latter seems to invalidate their claim that this is just as secure as using a web browser.
Looks like they're sold out now.<p>The "enter your email for restock updates" part of the screen showed up as white-on-white on my light-mode-by-default Gnome Terminal on my first try and so I was slightly confused; sshing from `uxterm` worked fine though.
Neat — big fan of TUIs! But I’m an even bigger fan of coffee… so show me where that coffee actually is sourced from…<p>Did you go and source it from farms?
Is this sourced from another company?
Whose blend?
Do you provide the roast date on the bag?
I love TUIs. And now that Sixel exists, we can even have images in the Terminal.<p>The massive simplification this provides over rendering HTML/CSS should be attractive to startups.<p>Now I wish we had a CLI/TUI for things like Amazon...
So cool! Congrats on selling out!<p>I was curious to see if I could connect using mosh. I could, but I wasn't able to use the hotkeys to browse the different screens like I was when I connected via ssh.
Happy to see this didn't work<p><pre><code> scp foo.txt terminal.shop:.
</code></pre>
I was worried for a second they hadn't thought of that.
Kind of disappointed that there is no option for commands like “ls” or “whoami”. I think it would be a nice addition, especially if this inspires other people to launch similar pages for other types of products.
Not to dunk on the coffee which I haven't tried but this seems like a viral ad? I get it's cool that this actually works, but in practice how is it different to selling coffee through an API through a generic web interface served by shopify? In the end in both ways they are selling you coffee beans for money. It's still cool to see it in your terminal though.