guest - flak

using yubikeys everywhere

Everybody is getting real excited about yubikeys recently, so I figured I should get excited, too. I have so far resisted two factor authorizing everything, but this seemed like another fun experiment. There’s a lot written about yubikeys and how you should use one, but nothing I’ve read answered a few of the specific questions I had.

It’s not a secret I’ve had a dim view of two factor auth, although many of my gripes are about implementation details. I think a lot of that remains true. Where two factor auth perhaps might succeed is in limiting the damage of phishing attacks. I like to think of myself as a little too savvy for most phishing attacks. That’s sadly true of most phishing victims as well, but really: I don’t use webmail. I don’t have any colleagues sharing documents with me. I read my mail in a terminal, thus on the rare occasion that I copy and paste a link, I see exactly the URL I’m going to, not the false text between the <a> tags. Nevertheless, if everybody else recommends secure tokens, I should at least consider getting on board with that recommendation. But not before actually trying these things out.

Posted 2017-02-20 07:14:52 by tedu Updated: 2017-02-20 07:14:52
Tagged: computers gadget security software

RC40 card cipher

The Solitaire cipher is perhaps the best known encryption algorithm implemented with a deck of cards. Ignoring security, it has a few drawbacks. It’s pretty complicated. I can never quite remember the rules. Sure, with practice it’s possible to memorize, but ideally we want something easy to teach. It’s also pretty slow. Even with practice, the shuffling and cutting manipulations take time.

Critically, in this modern age of bitcoins and twitter handles, the supported character set is also a bit limited. Letters only. If we need to transmit a message like “The password is Hunter2.” that could be trouble. Oh, and no spaces.

Posted 2017-02-10 14:27:51 by tedu Updated: 2017-02-10 14:27:51
Tagged: gadget security

Samsung 960 EVO

Thought I was happy with my gaming PC, but there was a Steam sale, and suddenly 256GB just doesn’t stretch as far as it used to. Even purchasing only a few games per year, at 20GB or so each, that’s not much. Looking for a bit of future longevity, decided to make the switch from SATA to NVMe. Best drive on the market is probably the Samsung 960 PRO. Saved some money by going with the EVO line, which might be the best value.

It’s an older motherboard, so I needed one of these gadgets to plug it in. Seems a bit silly to spend $20 for a bit of plastic and copper. No boot support, but that’s just fine. It’s only for storage.

It’s as fast as promised. For reference, the existing drive is a Samsung 840. Copying all the game data across, the destination drive was almost entirely idle. (For funsies, I made a second copy, both from and to the 960, and it screamed.)

Posted 2017-01-07 21:51:18 by tedu Updated: 2017-01-07 21:52:07
Tagged: computers gadget

OpenBSD on HP Stream 7

Recent events have rocked the mobile computing world to its core. OpenBSD retired the zaurus port, leaving users in desperate need of a new device. And not long before that, Microsoft released the Anniversary Update to Windows 10, but with free space requirements such that it’s nigh impossible to install on cheap 32GB eMMC equipped devices such as the HP Stream series, leaving users searching for a new lightweight operating system. With necessity as both mother and father, the scene is set for a truly epic pairing. OpenBSD on the HP Stream 7.

The HP Stream line is a series of budget computers in a couple form factors. The Stream 11 is a fairly typical netbook. However, the Stream 7 and 8 are tablets. They look like cheap Android devices, but inside the case, they’re real boys, er PCs, with Intel Atom CPUs.

Posted 2016-09-10 13:17:55 by tedu Updated: 2016-09-12 14:46:42
Tagged: computers gadget openbsd

charge this

The Times asks, Should you charge your phone overnight? The answer is obviously no. I mean, yes. Or, maybe.

As the Times points out, your phone won’t overcharge. No harm there.

But, but, but... all charging “harms” your phone. Which is both alarming and useless. What am I supposed to do? Not charge it? That’s not very useful. But apparently I can charge it if I’m replacing it in two years, which sounds like it has the cause and effect somewhat reversed. Nor does it provide me with a plan if I intend to keep it.

Finally, the article drops a hint that the real issue is that fast charging pushes a lot of current into the battery, which may shorten the lifespan. This makes some sense as I understand battery chemistry. Their suggestion to use a lower rated charger seems pretty weak however. It may work, but it’s haphazard.

Keep in mind that I am not an officially licensed li-ion whisperer.

Modern chargers switch between constant current (when the battery is low) and constant voltage (when the battery is nearing full). Refer to the AnandTech charge graph.

If we want to avoid the damaging high current charging, then we should aim to charge our phones frequently, topping them up with low current charging. I believe the Times article misleadingly suggests minimizing the number of charges; i.e., letting it run down and then charging, which would actually result in the most exposure to high current charging.

Posted 2016-08-24 00:54:06 by tedu Updated: 2016-08-24 00:56:20
Tagged: gadget

random failures

Lots of examples of random numbers failing, leading to cryptographic failure.

The always classic Debian, OpenSSL, and the year of the zero.

The time Sony signed Playstation code with the same nonce and leaked the keys.

Samy phpwned session IDs.

The Bitcoin app Blockchain used random.org for entropy. Bonus giggles for not following the HTTP redirect, but actually using “301 Moved Permanently” as a random number.

The paper Mining Your Ps and Qs has pretty extensive investigation into weak keys on network devices, many of which result from poor entropy.

Posted 2016-08-05 18:15:21 by tedu Updated: 2016-08-19 04:19:31
Tagged: gadget security software

master lock speed dial

In addition to earbuds, I have a tendency to lose padlocks. As a result, I tend to go through more of them than I should. Note to locker designers: place the loop on the inside frame instead of on the outside of the door so that after I open the door, I have somewhere to hang the lock where I won’t forget it.

Cheap combo locks have never been that secure, but since things have gone from bad to worse, I figured I’d try a new lock. Enter the Master Lock Speed Dial.

Instead of numbers, the combination is a sequence of cardinal directions. The packaging promises I can pick any combination of any length, though I doubt they have really invented an infinite data storage device. The default sequence length is only four inputs, which is far too short for my comfort and they should recommend at least eight. 4^8 combinations just tops the 40^3 of a very precisely machined 40 digit combo lock (to say nothing of less precise models). Despite the length, with very little practice it’s easy to enter the combo quickly and accurately. Trying to spin a dial too fast I would frequently over rotate and have to start again. The speed dial can be consistently unlocked one handed in about five seconds.

Posted 2016-04-27 18:41:45 by tedu Updated: 2016-08-19 19:59:03
Tagged: gadget

iphone 6s plus

Replaced my 5s with the new top of the line, 6s plus. Kind of an awkward name. I propose 7P and 7Ps for the next gen.

History: iPhone (no suffix), 4 (quite the upgrade!), 5, 5s (purchased in store on 6 release day to emergency replace 5; that was fun), 6s plus.

I was waiting to see if a new 5 sized phone would trickle down the line, but it appears it’s all big phones from now on. Given the choice between larger and much larger, though, I went with much larger. I spent a fair bit of time reading on my phone and was tired of squinting. Curiously, I bought an iPad for much the same reason, as a dedicated viewing device, but it’s not always with me. At this point I think I’d even consider an iPad mini if they made one with full phone functionality (not just skype or whatever). Can’t quite live without a phone (or can I???), but if it’s only 1% of what I do with the device, maybe it’s time to stop selecting form factors for that purpose.

Posted 2015-10-30 01:44:46 by tedu Updated: 2015-10-30 01:44:46
Tagged: gadget review

cheap earbuds

I consume earbuds at a fairly constant rate. They get lost, or washed, or fall apart. And then I need new ones. Unlike the collection of large headphones, or “cans” if you will, that I’ve accumulated over the course of ten years without casualty, earbuds are practically disposable. So I don’t like paying a lot of money for them. Nevertheless, I want a product with some level of quality.

For a few years, I started with V-moda Vibe earbuds. Not cheap, but this was before I realized I’d be purchasing so many. Good sound, a little bass heavy perhaps (also good?), but prone to wearing out. The cable would eventually split at the jack. In hindsight, this was because, for reasons that defy my understanding of physics, the iPod Nano in my pocket would always get turned around with the jack on the bottom, forcing the cable to make a sharp 180 turn. These are no longer made, but Amazon will let you have a pair for only $150. Even more than when new!

Posted 2015-09-19 22:03:40 by tedu Updated: 2016-08-24 01:17:55
Tagged: gadget review

OpenBSD on EdgeRouter Lite

The Ubiquiti EdgeRouter Lite machine is an interesting alternative for a light router/gateway. It’s cheap, small, low power, and includes three network interfaces. Almost like it’s purpose built to be a router. The OpenBSD octeon port supports the ERL. Note that the EdgeRouter X is a quite different machine and not supported.

The web page and INSTALL.octeon file have more extensive notes, but sometimes it can be too much info. Here’s the short version.

install

On the network side, you need a DHCP and tftpd server, with the octeon bsd.rd in /tftproot.

You’ll need a serial cable like this one. The port is set to 115200, so to connect you run something like cu -l /dev/cuaU0 -s 115200. Plug it in, watch it boot, smash enter a few times to halt the boot process. First command: dhcp to get an IP. Then tftpboot 0 bsd.rd to load the kernel over the network. And finally bootoctlinux to actually run the kernel. This will take you to the installer.

Posted 2015-08-18 12:03:38 by tedu Updated: 2016-07-11 23:51:35
Tagged: computers gadget openbsd

as always bundling fixes is bad

I generally like my iPhone. I think it’s fairly secure, and Apple seems pretty motivated to keep it that way (even if they don’t have the purest intentions, caring perhaps more about jailbreaking than my safety). But the way they go about releasing security fixes is terrible.

Highlighting two lines from a preview of iOS 8.3. First:

“As always, it’s a good idea to wait a few days to see if the update causes any problems.”

Sound advice. My phone is pretty important. I don’t like when it doesn’t work.

“As always, the iOS update includes a slew of security fixes.”

Cupertino, we have a problem.

I figure 24 hours is about the amount of time it takes from when a security patch is released until weaponized exploits show up. After that, if you’re not patched, you’re living dangerously, depending on the nature of the bug. Bundling new features with a high risk of regression together with security fixes means users wait to upgrade.

The iOS 8.3 update is 280MB. It can’t even be downloaded over the air, only via wifi. Security patches are important enough that they should always be made available separately. Then I could download them, even OTA, without fear of regression.

What aggravates me most is that this is business as usual. As always. We’re training people not to patch. Users should be embarrassed to admit they’re running unpatched software; instead it’s regarded as the prudent choice.

Posted 2015-04-09 16:02:55 by tedu Updated: 2015-04-09 16:02:55
Tagged: gadget security

easy mobile passwords

Matthew Green asked for a password generator that’s easy to enter on a phone.

Here’s one solution that works for the iPhone keyboard. To make it easy to type with your thumbs, it alternates sides of the keyboard for each letter. Sometimes it throws in a shift. Sometimes it throws in a symbol, but only one from the right side since it requires before and after left taps to get there. In practice, it appears to generate passwords that I can or could at least learn to type fairly quickly.

Posted 2014-09-01 23:00:27 by tedu Updated: 2014-11-30 22:18:32
Tagged: gadget lua programming security web

catastrophic weather movie alert

Went to a movie this afternoon because it was raining. Because it was raining, the government issued a puddles of unusual depth alert, causing everybody’s phone to blow up mid movie, within the space of a few minutes. The weather catastrophe alert tone could have been a credible sound effect, coupled with some great positional surround sound, but all the lit up screens gave the trick away. Then it kept happening as the less important people were notified and started interrupting the movie. There are always a few idiots who can’t turn their phone off, but the number of alerts received made it seem likely the alerts can override vibrate or even silent settings.

The good news is the alerts can be turned off (somewhere in phone settings) to avoid disturbance at the movies or elsewhere. I did so last summer after noticing alerts happen whenever it rains.

The movie was Edge of Tomorrow. I liked it. Groundhog Day meets Starship Troopers.

Amber Alert update: Amber Alert worked well. Apparently, their definition of success was waking people up at 4am, since there’s no mention of how the alert influenced the outcome of the children, which is how I would determine if it worked well or not.

Posted 2014-06-10 23:08:33 by tedu Updated: 2014-08-08 19:21:34
Tagged: gadget philly politics rant

leave my bluetooth alone

Dammit, Apple, stop turning Bluetooth on after every iOS update. I turned it off for a reason.

Posted 2014-03-11 17:02:01 by tedu Updated: 2014-03-11 17:02:01
Tagged: gadget rants

OpenBSD on BeagleBone Black

Everything I wish I knew before installing the newly renamed armv7 port on a BeagleBone Black.

prep

First, all the assorted hardware you need. The devkit (includes one USB cable for power). The magic USB serial cable. A micro SD card. A powered USB port (I used an old cell phone charger, but there’s some talk of dedicated 5v power supplies working better). Network cable. An OpenBSD PC.

The installation takes a while and you may screw it up, so you probably want to download the OpenBSD sets locally first. This subsequently saved me quite a bit of time. (I use thttpd as a quick server I can run with no config as any user: thttpd -d . -p 8000 will serve the current directory.)

Posted 2014-01-25 17:41:47 by tedu Updated: 2014-08-07 12:10:09
Tagged: gadget openbsd

if it ain’t mangled, don’t unmangle it

I have a song on my iPod, “Don’t Pull Your Love” (nonsensical fake video) by the grammatically ambiguous Hamilton, Joe Frank & Reynolds. Three dudes, four names (two first, two last). The software on my iPod Nano sees this and decides that at some point in the past some other software must have mangled up the artist name, and therefore the Nano must attempt to unmangle it. Result: appearing in both the artist directory and as the song artist I have Joe Frank & Reynolds Hamilton.

Update: It appears the iPod is not to blame, but Apple certainly is. The song was purchased through iTunes, but the artist info in the .m4a file is wrong, too. The corruption goes all the way to the top!

The album title (Hamilton, Joe Frank & Reynolds-Greatest Hits) did escape unmangled, perhaps due to the dash or perhaps because only artist names get special treatment.

Posted 2013-11-20 02:26:11 by tedu Updated: 2013-11-20 04:47:21
Tagged: bugs gadget

iPad Air review

Very early thoughts. Upgraded from the iPad 4 because that was too heavy. Almost went with the new iPad Mini, but reading magazines is a primary use case for me and I wanted something that more closely matched a real magazine in size. Also, the Mini isn’t shipping yet while the Air is sitting on my lap.

Air is an appropriate name. It’s lighter and thinner. Of course, this is far more noticeable because I have a full case on the old model, pushing the combined weight up to about two pounds. The Air is exactly half that. (I bought a case not so much to protect the back from scratches, but to protect my house from the iPad. The iPad may be made of indestructium, but the many mostly glass surfaces I leave it on are not.) Now I’m in a quandary. A similar case will increase the weight of the iPad Air out of the comfortable one hand territory.

Posted 2013-11-05 21:40:31 by tedu Updated: 2013-11-14 15:33:47
Tagged: gadget review

Brother HL-3170CDW printer review

I bought a new printer, the Brother HL-3170CDW (sometimes stylized HL3170CDW, as on Amazon). It’s a small office color laser, with all the doodads (wireless, ethernet, duplex, color). I didn’t really need it; the HL-2070N black and white printer I’ve had for several years now was working fine, but every once in a while I wondered if I’d find use for a color printer. Maybe I was making do with B&W because that’s all that was available, and having a color printer would unleash a creative blast of fancy greeting cards. I mulled it over for a few years, but then the price briefly hit $170 on Amazon. Done.

Posted 2013-10-10 22:27:48 by tedu Updated: 2013-10-10 22:27:48
Tagged: gadget review

roku three

Got the new Roku 3. I had the very first original Roku (video player) from not long after it came out, then the upgraded XD model which honestly changed just about nothing. The model 3 is significantly improved.

It’s much faster. This shouldn’t have been an issue (how hard is it to scroll a few thumbnails? why was that slow?), but in any case it’s much snappier.

The remote uses radio instead of infrared. Major usability improvement. Worth the price of admission on its own? Maybe.

Very small. Meh. The previous models were hardly consuming too much space.

The USB port works well with a hard drive of movies (other previous models had them, but not mine), and is more convenient than turning on one of the other USB video playing devices.

Roku the company is in a precarious position. There are so many devices plugged into my TV it needs an HDMI switch. Every one of them is Netflix and Hulu and whatever capable. What use is a device that can only do streaming video? Because, for now, they do it better, mostly by being always on. If the PS4 comes with a 4W always on mode that can stream video, Roku is going to be in serious trouble.

Posted 2013-05-15 06:15:51 by tedu Updated: 2013-05-15 06:15:51
Tagged: gadget review

m4 msata upgrade and OpenBSD

When my T430s arrived, OpenBSD didn’t yet support Sandy/Ivy Bridge graphics, so I stuck with Windows and OpenBSD in VMWare. Things change and now I want to run OpenBSD natively. I’m using TrueCrypt on the whole drive and trying to resize that while introducing another boot loader seemed a risky proposition, so I cheated a little by taking advantage of my laptop’s mSATA port and installed a 64GB Crucial m4 mSATA SSD, a trivial upgrade.

Plug in an external hard drive I keep around for booting OpenBSD and boot bsd.rd. In keeping with protecting all the data on this laptop, I encrypted the whole drive as well. By the time I got to the disk setup part of the installer, I was up to sd3 (Samsung SSD, m4 SSD, USB disk, softraid). A few years ago I would have marveled at installing OpenBSD on a laptop with 4 “SCSI” disks.

Posted 2013-04-25 15:58:28 by tedu Updated: 2013-04-25 16:05:21
Tagged: computers gadget openbsd review