Back from Defcon 25.

Aug 01 2017

Back from Defcon 25.

Exhausted.

Dealt with multiple crises at home.

Didn't spend as much money as I usually do, which isn't a bad thing.

Spent quality time with some old friends.  I hope I made a few new ones.

I have opinions.  They'll have to wait until I get some sleep.

'twas the week before DefCon.

Jul 16 2017

UPDATE - 20170902 - Typos, finding emergency exits.

So, after many years I've decided that it's my turn to write a first-timer's guide to Defcon.  There are many like it, so I'll try to be as frank as I can about the topic.  I'm going to try to write for people who've never been to Defcon before (but may have been to other hacker cons).  I'm not going to lie or joke around (which some of the guides tend to do) and give as much personal advice as I can.  I'm also going to try to not sound like your parents, because nobody likes to read stuff like that.

It's been said that it is a common thing for people to write about their OPSEC protocols for Defcon that they don't use any other time, with the implication that they aren't serious about their security or privacy any other time and are sitting ducks any other time.  I would politely like to point out that not everybody has the same threat model: Defcon has one of the most hostile network environments on the planet, one which is not often found anywhere else.  It is erroneous to assume that people who only talk about how they prepare for Defcon do not take the same kinds of precautions at any other time.  What those people do may not be your business or anyone else's at any other time.

To that end, here are some of the security protocols that I use at Defcon, and happen to use at other times while I'm traveling, as well as some friendly advice to folks new to Defcon.

Click for the rest of the article...

One live body, brains still somewhat intact.

Jul 09 2017

I'm still around, just been too busy to get a lot of other stuff done really.  I need to get a couple of articles written and maybe a tutorial or two.  My overall health seems to be on an upswing right now, which is a really good sign.  First good sign in a while, really.

It's funny, how the tools that you already have are the ones you tend to be afraid of using, because you don't know what'll happen.  Confidence is one of those things that comes with knowing what the hell's going on, or at least having a better idea of same.

When you finally have some answers you can start asking better questions.

12 July 2017 - Battle for the Net!

Jun 23 2017

On 12 July 2017, websites, Internet users, and online communities will come together to sound the alarm about the FCC’s attack on net neutrality. Learn how you can join the protest and spread the word at https://www.battleforthenet.com/july12.

As of right now, new FCC Chairman and former Verizon lawyer Ajit Pai (local mirror) has a plan to destroy net neutrality and give big cable companies immense control over what we see and do online. If they get their way the FCC will give companies like Comcast, Verizon, and AT&T control over what we can see and do on the Internet, with the power to slow down or block websites and charge apps and sites extra fees to reach an audience.  We're also seeing some shenanagains taking place, in the form of tens of thousands of fraudulent comments being entered on the FCC website. (one, two, three)  Funnily enough, all of the comments are exactly identical.  I sure as hell didn't post a comment saying that net.neutrality was a bad thing, and I've never been a customer of Comcast.  I also don't live in Seattle. (local mirrorYou might want to check to see if your name is in there without your permission, too.  Additionally, properties of some of the bigger ISPs (such as Tumblr, owned by Verizon) are being pressured internally to not support net.neutrality or July 12. (local mirror)

If we lose net neutrality, we could soon face an Internet where some of your favorite websites are forced into a slow lane online, while deep-pocketed companies who can afford expensive new “prioritization” fees have special fast lane access to Internet users - tilting the playing field in their favor.  We could also be facing a Net in which little websites like mine will not exist for all intents and purposes because folks like me won't have the money to even buy into the "slow lanes" of throttled Internet access.  We may even be facing a Net in which censorship of "inconvenient" websites may be imposed under the guise of failure to pay or not falling into one of the defined content types required to buy into one of the speed classes.

But, on July 12th, the Internet will come together to stop them. Websites, Internet users, and online communities will stand tall, and sound the alarm about the FCC’s attack on net neutrality.

The Battle for the Net campaign will provide tools for everyone to make it super easy for your friends, family, followers to take action. From the SOPA blackout to the Internet Slowdown, we've shown time and time again that when the Internet comes together, we can stop censorship and corruption. Now, we have to do it again!

Learn more and join the action here: https://www.battleforthenet.com/july12

Point in time documentation of the Keybase Chat API

Jun 19 2017

A couple of months back I did a brief writeup of Keybase and what it's good for.  I mentioned briefly that it implements a 1-to-n text chat feature, where n>=1.  Yes, this means that you can use Keybase Chat to talk to yourself, which is handy for prototyping and debugging code.  What does not seem to be very well known is that the Keybase command line utility has a JSON API, the documentation of which you can scan through by issuing the command `keybase chat help api` from a command window.  I'm considering incorporating Keybase into my exocortex so I spent some time one afternoon playing around with the API, seeing what I could make it do, and writing up what I had to do to make it work.  As far as I know there is no official API documentation anywhere; at least, Argus and I didn't find any.  So, under the cut are my notes in the hope that it helps other people work with the Keybase API.

The API may drift a bit, so here are the software versions I used during testing:

Client:  1.0.22-20170512224715+f5fba02ec
Service: 1.0.22-20170512224715+f5fba02ec

Click for the rest of the article...

Technomancer tools: Tiddlywiki

Jun 17 2017

I've been promising myself that I'd do a series of articles about tools that I've incorporated into my exocortex over the years, and now's as good a time as any to start.  Rather than jump right into the crunchy stuff I thought I'd start with something that's fairly simple to use, straightforward, and endlessly useful for many purposes - a wiki.

Usually, when somebody brings up the topic of wikis one either immediately thinks of Wikipedia or one of the godsawful corporate wikis that one might be forced to use on a daily basis.  And you're not that off the mark, because ultimately they're websites that let one or more people create, modify, and delete articles about just about anything one might be inclined to by using only a web browser.  Usually you need to set up or be given an account to log into them because wiki spam is to this day a horrendous problem to fight (I've had to do it as parts of previous jobs, and I wouldn't wish it on my worst enemy).  If you've been around a while, when you think of having a wiki you might think of setting up something like WikiWikiWeb or Mediawiki, which also means setting up a server, a database, web server software, the wiki software, configuring everything... and unless you have a big, important project that necessitates it, it's kind of overkill and you go right back to a text file on your desktop.  And I don't blame you.

There are other options out there that require much less in the way of overhead that are also nicer than the ubiquitous notes.txt file.  For the past couple of years (since 2012.ev at least) I've been using a personal wiki called Tiddlywiki for most of my projects which requires just a fairly modern web browser (if you're using Internet Explorer you need to be running IE 10 or later) and some room on your desktop for another file.

Click for the rest of the article...

Notes toward the Network 25 unhosted social network application.

Jun 16 2017

Quite a few years (and a couple of re-orgs) ago on the Zero State mailing list we were kicking around the idea of building an unhosted social network to keep in touch, which is to say, a socnet that was implemented only as a single file, with all of the JavaScript and CSS embedded at the end.  Some of the ideas included using a distributed hash table so each instance could find the others, as many crazy but feasible ways as possible to bootstrap a new member of the network into the DHT, and using using the browser's built-in local storage database to hold all of the information.  A lot of this stuff already exists, from the local storage functionality (which has been there, albeit silently, in every modern browser for years) to the DHT in JavaScript so I think that a fair amount of it would consist of tinker-toying it together.  However, and I must confess, the front-end stuff is well beyond me.  Not from lack of trying, mind you: The HTML5 and JavaScript classes I've taken over the years were largely toward the goal of making this happen.  However... I suck.  Web apps are not my thing, unfortunately.

Additionally, this was before I'd ever done any serious information architecture and communications stuff, so you will undoubtedly cringe upon reading some of my assumptions and JSON sketches.  Additionally, this was before I discovered PouchDB (which is basically CouchDB in the browser) so a few of my ideas really wouldn't wash today.  So, please consider these notes somewhat naive toward the goal of building the application.  Please don't facepalm too hard, you'll give yourself a concussion.  Maybe somebody will find them useful in their own work.

Click for the rest of the article...

Restarting a Screen session without manual intervention.

Jun 11 2017

EDIT - 20171011 - Added a bit about getting real login shells inside of this Screen session, which fixes a remarkable number of bugs.  Also cleaned up formatting a bit.

To keep the complexity of parts of my exocortex down I've opted to not separate everything into larger chunks using popular technologies these days, such as Linux containers (though I did Dockerize the XMPP bridge as an experiment) because there are already quite a few moving parts, and increasing complexity does not make for a more secure or stable system.  However, this brings up a valid and important question, which is "How do you restart everything if you have to reboot a server for some reason?"

A valid question indeed.  Servers need to be rebooted periodically to apply patches, upgrade kernels, and generally to blow the cruft out of the memory field.  Traditionally, there are all sorts of hoops and gymnastics one can go through with traditional initscripts but for home-grown and third party stuff it's difficult to run things from initscripts in such a way that they don't have elevated privileges for security reasons.  The hands-on way of doing it is to run a GNU Screen session when you log in and start everything up (or reconnect to one if it's already running).  This process, also, can be automated to run when a system reboots.  Here's how:

Click for the rest of the article...

Aprilween at Turbo Drive - 29 April 2017

Jun 01 2017

A month or two back (tired of me saying this over and over?) I had opportunity to attend the Aprilween edition of Turbo Drive at the DNA Lounge and dance the night away in costume to fine music and so much artificial fog that the Sisters of Mercy would have to admit their envy.

Well, I was sort of in costume.  I wasn't sure if I was going to be able to make it at the last minute, so I didn't actually put together a costume.  Danny Delorean, however did an awesome Driver cosplay from Drive that night, down to the varsity jacket.

Okay, enough of me going on about a night over a month ago.  Here are the pictures, few though they be.