Jun 02 2018
It's been an interesting couple of weeks, to be sure. While lots of different things have been going on lately, none of them are related in any particularly clear or straightforward fashion, so fitting all of this stuff together is going to be a bit of a struggle. You may as well kick back with the beverage of your choice in a responsible fashion while I spin this yarn.
I suppose it all started with wardriving in northern Virginia many years ago. In a nutshell, I had loaded Windbringer up with a USB GPS unit that was rather small for the time, installed Kismet, put the wifi NIC into monitor mode so it would pick up frames from every access point within range, and went driving around for a couple of hours. The idea is that the software records the datestamp and GPS coordinates at which you picked up the strongest signal from a wireless access point. Rinse, repeat for as long as your power cells hold out, or as long as you care to drive, bike, walk, ski, or employ any other means of personal transportation to move around. At the time I was uploading my results to wigle.net to contribute to their crowdsourced global map of wireless coverage. Then I moved, and I seem to have accidentally tripped Wigle's bot detector (probably because I was going out for many hours at a time to cover very large areas). End result: I didn't go wardriving for a very long time.
A couple of months back I decided that I needed to get more exercise than I could get at home (which I'll probably ramble about in a later post) so I joined the local gym. Doing so gave me access to a much more broad selection of equipment to work with, and a lot more space than my office at home. There isn't much to say on that particular point other than it's been a great investment, and I spent a nontrivial amount of downtime there working out. While I haven't lost weight per se, I do seem to be trading some amount of body fat for muscle mass. I don't know how much adipose tissue I've actually lost but my clothes are getting tight against my body in different ways than before. I guess that's something.
Jun 03 2018
If you're plugged into the open source or business communities to any degree, you've probably heard buzz that Microsoft is considering buying Github, an online service with a history of a toxic work environment due to pervasive sexual harassment, but which still remains the de facto core of collaboration for the open source community - source code hosting, ticket tracking, archival, release management, documentation, project webpage hosting, and generally learning how to use the Git version control system. At this point it's unclear if they're considering merely investing in the company (currently valued in the neighborhood of $5bus) or buying it outright, the way they did LinkedIn. Github is certainly an attractive property for Microsoft to consider: the service currently has something like 23 million user accounts and 1.5 million organizations. I don't think anybody's tried to count the lines of code that Github stores and serves copies of. It's been observed that Microsoft seems to be carrying out a strategy of controlling as many of the access points to the tech job market as it can. Not only is Github a highly useful service for managing software projects, but if you're trying to get a job in a technical field, having a Github account and a couple of repositories is practically a prerequisite.
There's also the issue that at least some parts of Microsoft have no qualms about stealing things they think will be useful and filing the identifying features off (local mirror), and fuck the license. By this, I refer to Learna. But now I'm getting a little off-track.
As one might imagine, once word got around, people began expressing their intention to bail on Github if the takeover went through. Note that there are alternatives to Github which not only have many of the same features but are self-hosted, meaning that all you need to do is get an inexpensive virtual machine someplace, install the package, set up backups (you DO back your stuff up, right?), pull your stuff out of Github (easy to do because just about everything is a Git repository), and then push it all back up to your new server. This is possible because when you clone a Git repository, you get the entire history of the repo - every change ever made, from the very first, gets copied to your workstation. This means that if you then do a `git push` to a new repository (of every branch and tag, not just the one you have checked out), you're effectively making a backup copy of the entire thing to that new remote. This also means that if there is even a single copy of a Git repository someplace, you can reconstitute the entire project. This is how I maintain multiple copies of my projects' source code repos simultaneously. Among these self-hosted alternatives to Github are Gitlab (which is a bit of a bear to maintain, I'm told), Gogs, Gitea, and even Keybase's Git support.
There is, however, another option that I'd like to talk about a little, which I think would be a good alternative to Github. It's called Fossil.
May 27 2018
vulnerability - noun - A group of one or more blockchains.
(source: Sarah Jamie Lewis)
May 20 2018
A fact of life in the twenty-first century is the data breach - some site or other gets pwned and tens to hundreds of gigabytes of data get stolen. If you're lucky, just the usernames and passwords for the service have been taken; if you're not, credit card and banking information has been exfiltrated. Good times.
You've probably wondered why stolen passwords are dangerous. There are a few reasons for this. The first is that people tend to re-use passwords on multiple sites or services. Coupled with the fact that many online services use e-mail addresses as usernames, this means that all someone has to do is try to log into... well, everything... with those stolen credentials and see which ones work. The second is that attackers now have lists of passwords that people actually use, rather than huge dictionaries of potential passwords assembled for completeness. This means that password cracking attacks can be much more precisely targeted and will probably take less time.
There is no shortage of helpful suggestions for generating passwords that are relatively strong and easy to remember. The one that I find the most useful is the Diceware technique, which is fairly straightforward.
- Get a handful of six-sided dice.
- Take a large dictionary of words where each word is numbered, and each number consists only of the digits 1 through 6 (e.g., 41524).
- Roll the dice. Find the word with the corresponding number in the dictionary.
- Do this until you have a long passphrase.
It's a bit tedious, though. Of course, people have written their own implementations of Diceware for various platforms and with varying degrees of usability. I use plain old diceware on Windbringer, mostly because it's available through the AUR, but it lacks a few features that I really find useful. For one, to mix things up I like to sprinkle numbers over my generated passphrases, like so: rerun-anteater-idly-00877-lining-paddling-8283
(No, I don't really use that passphrase anywhere. Come on.)
So, I decided to write my own Diceware utility in Python. I wrote it to be as self-contained as possible, which is to say that as long as you have Python installed on a system it should run. The wordlist is built into the utility (which accounts for most of its size) and it's as easy to use as I can make it. I deliberately did not make some options I prefer the defaults because I wanted it to be as helpful to people as possible. Per the GNU standard, running ./diceware.py --help will print the online help. It's also open source, so feel free to use it anywhere you like. I've tested it on Arch Linux and Mac OSX, and I don't see any reason why it wouldn't work on, say, Ubuntu or Raspbian.
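To show the mechanics behind the four Diceware steps above and the number-sprinkling feature, here is an added example of a minimal generator in Python. It is not the post's diceware.py and not the diceware package from the AUR; the `TOY_WORDLIST` is a constructed 36-entry list keyed by two dice (a real list is keyed by five dice and has 7776 entries, but the lookup is identical), and the function names and `scripted_rng` helper are my own. The point it makes that the post does not: the dice must come from a CSPRNG (`secrets.randbelow`, not `random`), and each word is only worth log2(list size) bits, so a short toy list needs far more words than the real list to reach the same strength.

```python
import math
import secrets

# Constructed toy wordlist keyed by two-dice codes ("11" .. "66", 36 entries).
# A real Diceware list is keyed by five dice and has 6**5 = 7776 entries; the
# lookup logic below is identical, only the list is shorter.
_TOY_WORDS = (
    "abacus acorn adult agile album alley amber anchor angle ankle apple arrow "
    "atlas attic audio autumn avid baker balsa bamboo banjo barley basket beach "
    "beacon beagle bench berry bison blaze blend blink bloom bonus booth boost"
).split()
TOY_WORDLIST = {
    f"{a}{b}": _TOY_WORDS[(a - 1) * 6 + (b - 1)]
    for a in range(1, 7) for b in range(1, 7)
}


def roll_code(n_dice, rng=secrets.randbelow):
    """Roll n_dice six-sided dice and return the digits as a lookup key.

    rng(n) must return a uniform integer in [0, n). secrets.randbelow is a
    CSPRNG, which is what a passphrase generator needs; random.random is not.
    """
    return "".join(str(rng(6) + 1) for _ in range(n_dice))


def lookup(wordlist, code):
    """Step 3: find the word for a dice code, failing loudly on a gap in the list."""
    try:
        return wordlist[code]
    except KeyError:
        raise ValueError(f"no word for dice code {code!r}") from None


def generate_passphrase(wordlist, n_words, digit_groups=0, digits_per_group=4,
                        separator="-", rng=secrets.randbelow):
    """Step 4: roll n_words words, then sprinkle digit_groups random digit
    strings in at random positions (the rerun-anteater-idly-00877-... style)."""
    n_dice = len(next(iter(wordlist)))  # key length tells us dice per word
    parts = [lookup(wordlist, roll_code(n_dice, rng)) for _ in range(n_words)]
    for _ in range(digit_groups):
        group = "".join(str(rng(10)) for _ in range(digits_per_group))
        parts.insert(rng(len(parts) + 1), group)
    return separator.join(parts)


def passphrase_entropy_bits(wordlist_size, n_words, digit_groups=0,
                            digits_per_group=4):
    """Lower bound on entropy: each word contributes log2(list size) bits and
    each random digit log2(10) bits. The positions of digit groups are ignored."""
    return (n_words * math.log2(wordlist_size)
            + digit_groups * digits_per_group * math.log2(10))


def scripted_rng(values):
    """Deterministic stand-in for secrets.randbelow, for tests only (hypothetical helper)."""
    it = iter(values)

    def rng(n):
        v = next(it)
        if not 0 <= v < n:
            raise ValueError(f"scripted value {v} out of range for randbelow({n})")
        return v
    return rng


if __name__ == "__main__":
    print(generate_passphrase(TOY_WORDLIST, 6, digit_groups=2))
    print(f"toy list, 6 words:  {passphrase_entropy_bits(36, 6):.1f} bits")
    print(f"real list, 6 words: {passphrase_entropy_bits(7776, 6):.1f} bits")
```

Six words from the toy list come to about 31 bits, while six words from a full 7776-entry list come to about 77.5 bits, which is why a real Diceware list is sized the way it is. Passing a scripted `rng` makes the output reproducible for testing without ever doing so in production.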
Share and enjoy!
May 05 2018
If you have multiple systems (like I do), a problem you've undoubtedly run into is keeping your bookmarks in sync across every browser you use. Of course, there are services that'll happily do this job on your behalf, but they're free, and we all know what free means. If you're interested in being social with your link collection, there are some social bookmarking services out there for consideration, including what's left of Delicious. For many years I was a Delicious user (because I liked the idea of maintaining a public bookmark collection that could be useful to people), but Delicious got worse and worse every time it was sold to a new holding company. I eventually gave up on Delicious, pulled my data out, and thought long and hard about how often anybody actually used my public link collection. The answer wound up being "In all probability, not at all," largely because I never received any feedback at all, on-site or off. Oh, well.
For a couple of years I used an application called Unmark to manage my link collection, and it did a decent enough job. It also had some annoying quirks that, over time, got further and further under my skin, and earlier this year I kicked Unmark in the head and started the search for a replacement. Quirks like: about half the time, bookmarks would be saved without any of the descriptions or tags I gave them. There was no search API, and the built-in search function sucked, so I couldn't plug my own in. Eventually, the Unmark hosted service started redirecting to the Github repository, and then even that redirect went away. Unmark hasn't been worked on in eight months, and Github tickets haven't been touched in about as long. In short, Unmark seems dead as a doornail.
So I migrated my link collection to a new application called Shaarli, and I'm quite pleased with it.
Mar 31 2018
I didn't really do anything for my birthday this year, in part because I just wanted some downtime (rather than go to Pantheacon I stayed in a hotel and caught up on my reading, and later on went on a coffee shop crawl) and in part because my birthday gift this year was a road trip to Joshua Tree, California for a long weekend in March. It's been a long time since I was last in the high desert and, even though it didn't seem like it at the time, I was looking forward to both the road trip and a couple of blessed days in the middle of nowhere in a rented AirBnB flat. Even though we were in the middle of the desert, I was most certainly not off the grid. I didn't expect to have strong cellular connectivity there, though DSL bandwidth was bobbins.
We didn't drive ten hours to the high desert to goof off online, though.
The first time I was in the high desert, I was there on assignment. When driving to the flat we'd rented, we drove past Edwards AFB, and it felt like I was coming home. There are few places that I've ever really felt at home, and the high desert is one of them. I felt welcome someplace for the first time in a long while, and took full advantage of it by spending a good four or five hours a day hiking and rock climbing in the desert of Joshua Tree, exploring the desert, following some trails, taking pictures, and discovering that I hadn't been climbing in a long time indeed (causing my knees and lower back to complain mightily for a couple of days). We made a couple of trips to Joshua Tree Outfitters to pick up a few things, and while I was there the owner was nice enough to repair one of the seams of the backpack I was using on this trip. I didn't bring any of my radios with me (probably unwise), so I didn't spend any time working local repeaters.
I haven't seen that many stars in the sky since I used to go camping at Four Quarters Farm back east. There was practically no light pollution that far out, and we could hear the wind almost the entire time. I felt a little regret packing up at the end of the long weekend to go home, when fate threw a spanner into our plans.
After packing up the TARDIS and getting ourselves settled in, the first thing we did was turn on the air conditioning... and a curious thumping, fluttering sound filled the passenger cabin, swiftly followed by a strange, almost acrid scent.
"Oh, shit. Did something climb into the engine compartment and get shredded when the engine turned over?"
The next couple of hours were spent searching for a garage in the vicinity that could work on a fairly recent hybrid, by way of a stop for breakfast to both get our blood sugar up and give whatever it was that might be inside the engine compartment a chance to either climb or fall out. Ultimately, we were only partially correct, much to our relief. The mechanic we saw informed us that, in the high desert, it is not uncommon for local mammalian wildlife, including kangaroo rats, to climb into the engine compartments of vehicles from below to stay warm overnight. Of course, they also tend to bring food with them, and we found a couple of seedpods cached here and there inside the engine compartment. We were also shown a nontrivial amount of leaf litter and assorted cruft that had accumulated atop the cabin air vents beneath the hood and had probably wound up inside the ventilation ducts. In short, no dead critters, just some amount of plant matter that was dislodged and fell inside the ductwork. It's a fairly straightforward fix, but one that we can't do ourselves.
Since I last worked on this article a couple of days ago, the TARDIS was taken in for maintenance. I'm sorry to say that the initial assessment was incorrect; there is, in fact, a dead desert rat trapped in the environment control system. It sounds as if the air circulation fan didn't do in the critter, because none of the usual adjectives were used to describe the situation (shredded, chipped, pureed, liquified, needs a squeegee). It also didn't sound like it was a very large desert rat because, we were informed, if it were bigger it would smell a lot worse than it does now. So, in addition to sundry repairs and tune-ups, the environment control system is being dismantled, cleaned out, and rebuilt, to the tune of $1200us.
Anyway, enough of my rambling. Here are the pictures I took while I was out hiking and rock climbing.
Mar 31 2018
GSCA - acronym, verb - Using grep, sed, cut, and awk on a Linux or UNIX box to chop up, mangle, or otherwise process data on the command line prior to doing anything serious with it. This is not to preclude the use of additional tools (such as sort).
Mar 31 2018
nopefully - adverb - Something in a state or manner in which one fervently hopes something does not happen.
Mar 27 2018
A couple of weeks back, as part of our continuing education program at my dayjob I ran a hands-on class on locksport, the quasi-science (perhaps art) of picking locks for fun and... well... fun. I'm a security wonk so most of the talks I run have some security content in them, but I wanted to do something that was fairly suitable for everyone (coders and not). So, I got the go-ahead to expense a few more locks and some intro picksets to give away from The Lockpick Shop (no consideration for mentioning or using them, they had what I needed at a good price) and hauled most of my collection of locks and tools to work over the course of a couple of days.
I used the Creative Commons licensed lockpicking village slides from the TOOOL website for my talk after editing them a bit to condense them for time and spent a couple of evenings practicing both my slides and craft to gear myself up for the class.
What follows are some pictures and ruminations I have on the topic of locksport that come from years of playing around with locks (after spending about as long trying and failing to get any locks open) and doing formal and informal sessions on the topic. Please bear in mind, I'm far from a master of this particular art. I've competed only once (and pulled a Charlie Brown by picking the lock backwards, thus jamming it at the worst possible time) and, while I recognize that there are some very talented people out there who are into locksport for the sheer artistry of it, I'm not one of them. I'm a pragmatic lockpicker: I'm on assignment, I need into something, I'm going to pick the lock and get in. I'm not a spring steel artist.
Okay. Enough chitchat, here's what I actually wanted to write.
Mar 27 2018
Going rogue - noun phrase - Ignoring the directions Google Maps (or whatever map navigation application you have on your phone) gives you in favor of using the knowledge inside your head and local area expertise. The thing about map navigation applications is that so many people use them that the moment you deviate from the main course you have almost entirely empty streets, with a significant reduction in travel time.