guest - flak

using yubikeys everywhere

Everybody is getting real excited about yubikeys recently, so I figured I should get excited, too. I have so far resisted two factor authorizing everything, but this seemed like another fun experiment. There’s a lot written about yubikeys and how you should use one, but nothing I’ve read answered a few of the specific questions I had.

It’s not a secret I’ve had a dim view of two factor auth, although many of my gripes are about implementation details. I think a lot of that remains true. Where two factor auth perhaps might succeed is in limiting the damage of phishing attacks. I like to think of myself as a little too savvy for most phishing attacks. That’s sadly true of most phishing victims as well, but really: I don’t use webmail. I don’t have any colleagues sharing documents with me. I read my mail in a terminal, thus on the rare occasion that I copy and paste a link, I see exactly the URL I’m going to, not the false text between the <a> tags. Nevertheless, if everybody else recommends secure tokens, I should at least consider getting on board with that recommendation. But not before actually trying these things out.

Continue reading using yubikeys everywhere...

Posted 2017-02-20 07:14:52 by tedu Updated: 2017-02-20 07:14:52
Tagged: computers gadget security software

newspaper subscription experiment

Back in November I subscribed to a few newspapers, the theory being that paying for a newspaper was the only way to save journalism, and thus democracy. Instead of choosing one, I just subscribed to them all, figuring I could sort it all out later. Here we are, a few months later, with the introductory rates expired, and it’s time to evaluate which of our contestants can advance to the next round. Our entrants are the New York Times, the Washington Post, and the Wall Street Journal.

First, I’ll note that I have a pretty much unlimited media budget. If I can afford to spend a hundred dollars per month poisoning myself with tequila, I can spend that much on information. So it’s entirely possible for there to be three winners; this isn’t necessarily a contest of elimination.

Continue reading newspaper subscription experiment...

Posted 2017-02-14 16:24:23 by tedu Updated: 2017-02-14 16:24:23
Tagged: business

medium rare

Is it crazy that a Medium post about javascript bloat would have itself have megabytes of javascript and stylesheets? I wouldn’t know, since I didn’t see it. I have a little proxy like service running that rewrites its HTML. This particular service was an experiment to replace some python code with go, to evaluate suitability for future hacks.

I’ve been using the python lxml library for HTML parsing for ages. Seems to work pretty well. There’s actually a bunch of little one off scripts that share a similar skeleton, which is modified as needed. After all, the best code isn’t reusable, it’s reeditable. A little while ago that turned into a script to download Medium posts after I read them and save the important parts, so that sometime later when I want to read about the Riemann Hypothesis, it’s all still there in a place I can find it.

Continue reading medium rare...

Posted 2017-02-13 14:13:00 by tedu Updated: 2017-02-18 20:10:56
Tagged: go programming web

mplayer ktracing

In my ongoing quest to find the most inefficient software that still appears to work, I happened to notice that mplayer was chewing up 16% CPU while playing an MP3 (an audio format from the time before youtube). This was somewhat surprising because extrapolating back to the 20 year old computer I first used for MP3 listening, this would mean in excess of 100% CPU usage. Is efficient MP3 decoding really a lost art or was mplayer spending all its time doing something other than decoding? ktrace to the rescue.

Continue reading mplayer ktracing...

Posted 2017-02-11 18:45:52 by tedu Updated: 2017-02-11 18:45:52
Tagged: software

RC40 card cipher

The Solitaire cipher is perhaps the best known encryption algorithm implemented with a deck of cards. Ignoring security, it has a few drawbacks. It’s pretty complicated. I can never quite remember the rules. Sure, with practice it’s possible to memorize, but ideally we want something easy to teach. It’s also pretty slow. Even with practice, the shuffling and cutting manipulations take time.

Critically, in this modern age of bitcoins and twitter handles, the supported character set is also a bit limited. Letters only. If we need to transmit a message like “The password is Hunter2.” that could be trouble. Oh, and no spaces.

Continue reading RC40 card cipher...

Posted 2017-02-10 14:27:51 by tedu Updated: 2017-02-10 14:27:51
Tagged: gadget security

openbsd changes of note 6

In a bit of a hurry, but here’s some random stuff that happened.

Add connection timeout for ftp (http). Mostly for the installer so it can error out and try something else.

simplefb for framebuffer on armv7 devices like rpi.

Complete https support for the installer.

find -delete support like all the other kids have.

The ongoing effort to rewrite many libssl and libcrypto man pages is still ongoing.

Remove “CVS tips” section from the web site. This forbidden knowledge is now forbidden.

Add cross compiler build support for clang.

Prevent boot from crashing on amd64 by allocating a buffer on the heap instead of the extremely tiny stack.

Build with -fno-builtin because otherwise clang would optimize the local versions of functions like _dl_memset into a call to memset, which doesn’t exist.

Continue reading openbsd changes of note 6...

Posted 2017-02-07 13:55:57 by tedu Updated: 2017-02-07 13:55:57
Tagged: openbsd

to errno or to error

Unlike other languages which have one preferred means of signalling an error, C is a multi error paradigm language. Error handling styles in C can be organized into one of several distinct styles, such as popular or correct. Some examples of each.

in band sentinel

One very popular option is the classic unix style. -1 is returned to indicate an error.

Continue reading to errno or to error...

Posted 2017-01-24 20:52:42 by tedu Updated: 2017-01-24 20:52:42
Tagged: c programming

Samsung 960 EVO

Thought I was happy with my gaming PC, but there was a Steam sale, and suddenly 256GB just doesn’t stretch as far as it used to. Even purchasing only a few games per year, at 20GB or so each, that’s not much. Looking for a bit of future longevity, decided to make the switch from SATA to NVMe. Best drive on the market is probably the Samsung 960 PRO. Saved some money by going with the EVO line, which might be the best value.

It’s an older motherboard, so I needed one of these gadgets to plug it in. Seems a bit silly to spend $20 for a bit of plastic and copper. No boot support, but that’s just fine. It’s only for storage.

It’s as fast as promised. For reference, the existing drive is a Samsung 840. Copying all the game data across, the destination drive was almost entirely idle. (For funsies, I made a second copy, both from and to the 960, and it screamed.)

Posted 2017-01-07 21:51:18 by tedu Updated: 2017-01-07 21:52:07
Tagged: computers gadget

python 3k17

New year, time for a new python, right? I’ve been sticking for python2 but two related events led me to try python3. The first was python3.6, which has a bunch of new features, notably finalized async support. No plans to actually use said support myself, but it seems like the kind of landmark feature that will convince other people to switch, so I figured I would hop on board. The second thing was python3.6 being available as an OpenBSD package. The scene was set for a day spent updating code. If you don’t use python, this will probably not be of much interest.

I don’t have that much python to begin with. A few utilities, somewhat larger than scripts, but much smaller than anything you’d call an application. The most important libraries I use are lxml, feedparser, and pygments. All are available in python3 flavors. So how much trouble can I have? Let’s start with the mechanical 2to3 conversion tool.

Continue reading python 3k17...

Posted 2017-01-05 17:30:40 by tedu Updated: 2017-01-05 17:30:40
Tagged: python

turn your network inside out with one pf.conf trick

I think this falls somewhere a little short of common knowledge, but obvious once you know it. It lets machines roam in and out of the network without too much config fiddling. Instead, we configure machines to always use “cloud” services but intercept the packets to provide local services.

Here’s the pf.conf rules I have on my router.

pass in on cnmac1 proto { udp , tcp } from any to any port domain rdr-to port domain pass in on cnmac1 proto { udp , tcp } from any to any port ntp rdr-to port ntp

This steals any DNS or NTP traffic bound for the internet and redirects it back to the local machine, servicing it locally.

Normally one gets a DNS server via DHCP, but I usually prefer to use So I override that option in dhclient.conf. Works great outside the house. But when I’m home, then I really do want to use the local server because that’s the one that knows about other hostnames on the network. This lets me keep a hardcoded config on my laptop and fix it at the router.

Similarly with NTP, although the situation is a little different since we don’t usually get that from the DHCP server. Instead it’s configured once. I could use the server pool, but it’s silly to have a half dozen machines each probing several upstream servers. For a while I used a config that pointed at the router directly, but then when I take a laptop on the road, it can’t sync time at all. Solution: point everything at in ntpd.conf, and again have the router fix it up. (Bonus benefit: Windows and Apple machines will also now use the router’s time service with no config fiddling either.)

In short, permanently configure laptops for mobile use, and then configure the router to provide optimized services. This is typically easier than trying to configure the laptop to detect which network it’s using.

Posted 2017-01-04 09:16:52 by tedu Updated: 2017-01-04 09:16:52
Tagged: openbsd