Category Archives: Ramblings

Diceware in a box


I’m really happy with the most recent project I did at the shop. For some time now I’ve been wanting to upgrade from a mostly secure password to a phenomenally secure passphrase. For some down home good entropy, you should use the Diceware method to generate a passphrase. In order to achieve this, I made a “Diceware in a box”. The ingredients for this recipe are:

Here’s what the final product looks like (click to see larger version):


The only change I would make to my original design: instead of scrounging up some rubber feet to put on the sides so the dice bounce instead of slide, I’d just lay down long strips of hot glue on the inside. This would achieve the same effect and be a lot easier.

Here’s the product in action:

https://vimeo.com/155320354
And here’s the result (please do not post your passphrase to the internet ;)

https://vimeo.com/155320347

range herr vq fr kirby dad pp!!!
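The arithmetic behind the passphrase above, as an added example that is not part of the original post: it assumes a standard Diceware list of 6^5 = 7776 words keyed by five dice digits 1–6, shows how five rolls map to a list index, and how many bits each word contributes.

```python
import math
import secrets

DICE_PER_WORD = 5
FACES = 6
WORDLIST_SIZE = FACES ** DICE_PER_WORD  # 7776 entries in a standard Diceware list (assumed)


def rolls_to_key(rolls):
    """Turn five die faces (1-6) into the five-digit Diceware key, e.g. (1,1,1,1,1) -> '11111'."""
    if len(rolls) != DICE_PER_WORD or any(r < 1 or r > FACES for r in rolls):
        raise ValueError("need exactly five dice showing faces 1-6")
    return "".join(str(r) for r in rolls)


def key_to_index(key):
    """Map a Diceware key to a 0-based list index by reading it as base 6 with digits 1-6.

    '11111' -> 0 and '66666' -> 7775, so every key lands inside the 7776-word list.
    """
    if len(key) != DICE_PER_WORD or any(ch not in "123456" for ch in key):
        raise ValueError("key must be five digits in 1-6")
    idx = 0
    for ch in key:
        idx = idx * FACES + (int(ch) - 1)
    return idx


def entropy_bits(n_words, list_size=WORDLIST_SIZE):
    """Entropy of n_words words chosen uniformly (by fair dice) from list_size words.

    Each Diceware word is worth log2(7776) ~= 12.9 bits, regardless of how short
    the word itself is; 'vq' and 'kirby' contribute the same entropy.
    """
    return n_words * math.log2(list_size)


def words_needed(target_bits, list_size=WORDLIST_SIZE):
    """Smallest number of words whose combined entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(list_size))


def roll_word_key(rng=secrets.SystemRandom()):
    """Software stand-in for the physical dice: five uniform faces from the OS CSPRNG."""
    return rolls_to_key([rng.randint(1, FACES) for _ in range(DICE_PER_WORD)])


if __name__ == "__main__":
    for n in (5, 6, 7):
        print(f"{n} words: {entropy_bits(n):.1f} bits")
    print("words for 66.3 bits:", words_needed(66.3))
    print("example key:", roll_word_key())
```

Physical dice and a printed list are the point of the box; the CSPRNG roll is only there so the mapping can be exercised without hardware.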

Top Posts Update


A while ago I did a write-up of the top blog posts on this site. Oh…um, I guess that was 5 years ago now. Wowaa. Well, here’s the same script run again to give you an idea of what’s popular:

$ grep 'GET /blog' plip_log/access_log|cut -d" " -f 7|egrep -v '.png|.jpg|wp-includes|.css|/page/|/category/|xmlrpc|wp-trackback|/feed/|wp-login|/wp-content/|/trackback/|wp-comments|wp-app.php|wp-admin|comment-page|index.php|?p=|page_id|comments|feed'|sort|cut -d"/" -f 3|uniq -c|grep -v ' 1 '|sort -nr|head
   1026 free-idea-abstracted-facebook-nonymizer
    959 adendum-to-ashleys-law-problematic-imac-vesa-mounts-and-new-desks
    805 toss-your-salad-code
    693 thoughts-on-very-large-monitors
    650 photos-food-bikes-sunsets-and-stars
    635 sunset-and-rainbows
    385 oakland-sf-photos-coffee-and-scotch-whiskey
    373 wayback-machine-privacy-and-old-plip-com
    361 how-i-make-coffee
    330 our-pet-venus-fly-trap

This may make them all the more popular, but here’s the links for them:

   1026 free-idea-abstracted-facebook-nonymizer
    959 adendum-to-ashleys-law-problematic-imac-vesa-mounts-and-new-desks
    805 toss-your-salad-code
    693 thoughts-on-very-large-monitors
    650 photos-food-bikes-sunsets-and-stars
    635 sunset-and-rainbows
    385 oakland-sf-photos-coffee-and-scotch-whiskey
    373 wayback-machine-privacy-and-old-plip-com
    361 how-i-make-coffee
    330 our-pet-venus-fly-trap

A few updates on these posts’ topics:

  • A lot of the images are broken on older posts. I think this has to do with going all HTTPS, as well as some munging of the markup into rendered HTML. I’ll try to fix these, but sorry!
  • I’ve been using an AeroPress to make my coffee of late (though the Chemex’s siren song is wooing me)
  • Lastly, I’m proud to see my top 3 posts are what they are ;)

66.3 bits of entropy and grackles


No relation to each other, aside from happening on the same day: My daughter gave me a note with a password on it:


I was then to speak the password into the “walkie talkie” (mouse) when I needed help. I liked this because:

  • She even knew what a password was at all
  • She decided that her service needed a password
  • She used a pretty decent password, 66.3 bits of entropy!

Later that night, at sunset, just like for the past 2 months, the grackles came to roost in our palm trees. Lovely!

https://vimeo.com/150132661

On really nice standing desks with really nice computers


A good friend of mine is setting up a new workstation in his new lab and wanted some advice on what would be the best setup. Being a bit of a geek about monitors and having set up my own desk, I had a lot of ideas on this. After a detail-packed email to him, I realized it’d make a great post for others looking to do the same thing.

The overall question I got: What would be the best standing desk with the best monitors for a new Mac Pro (nMP)?

This is fun! I get to spend imaginary money for a dream setup. For my “what’s the best” type of questions, I always try to refer to The Wirecutter; they’re great. As well, I try to use Amazon whenever possible for all of my shopping needs.

The Desk

Though Wirecutter has a newer, cheaper recommendation, I still like their step up, the NextDesk Terra, which was their “regular” recommendation when I got mine. I see it’s now down to $1,500.

NextDesk upgrades: You can get a ton more bells and whistles including CPU stands, software integration, casters, batteries (for use when moving on casters) and more. The bare minimum I would get is the “Power Management,” which is really well done. Also – think on whether you want the hole(s) for cables in the desk. I regretted getting a single center one. I might have gone with none or two side ones.

Monitors and Stands

I use Ergotron’s single and dual arm mounts. Amazon pictures the dual with two monitors on top of each other, but it can easily do two side by side (as well, they rotate for one portrait and one landscape). You can also order the single and then add a second arm to the same pole at a later date if you decide to add another monitor.

IPS 60hz 4k displays used to be $3,000+. This is no longer the case! The Dell P2715Q 4k 27″ is down to $500! This is insane. You could get two of these no prob for your Mac Pro. IPS means that the viewing angles are perfect. 60hz means that the refresh rate is super fast and your mouse/window movements don’t feel sluggish. 4k means that you can either run HiDPI for super crisp text or 1:1 for TONS of real estate. Well, assuming you have good eyes for the 1:1 ;)

Though 4k is ready for prime time, there are a few bumps in the road, specifically around displaying the boot process. As well, I see Apple’s nMP page boldly advertises “connect up to three high-resolution 4K displays.” However, I’ve also seen reports that the 3rd will be only at 30hz (boo!).

I forget which cables the Dell comes with, but you can always get a 3, 6, or 9 foot one (or more!); it’s nice to have the perfect length cable with no extra slack. Same for ethernet, USB, firewire and thunderbolt cables too! For example, here’s a 6ft mini display -> display port cable for just $7. Oh yes – don’t use any ugly looking dongles! Get the right cable for the job.

Mac Pro and peripherals

I don’t actually have a new Mac Pro (aka nMP aka 2013 Mac Pro), so I don’t have too much to say about which CPU and GPU to get. However, I did just get a 5k iMac that works great with the Dell 4k display! (Well, as long as you don’t mind some UI degradation. Ok, not so great, but worth the trade off for me.) To save money on the most expensive item in this monster desk setup, I strongly recommend using refurb.me – they’re the best way to effortlessly get good deals on Apple refurbed products! These are direct from Apple and include an Apple warranty.

One new Mac purchasing trick I did learn is about buying your new Mac with more RAM direct from Apple. Don’t do it! For example, 64GB of aftermarket RAM only costs $664 instead of Apple’s $1,300. Consider putting the saved money toward more cores or disk or graphics card! I love Crucial for cheap aftermarket RAM, but I usually end up buying their stuff on Amazon. Here, B00GEC3ZJQ on Amazon is cheaper than the exact same part (CT5019226) on the Crucial site. Order two kits to max out your nMP to 64GB.

Keyboard and mouse – I love Wirecutter’s recommendations for wireless versions of both mice and keyboards. They really add to the clean lines of VESA stands on the awesome desk.

Despite loving the wireless mouse and keyboard, my new boss got me a “welcome to your new job!” gift of a fancy Das Keyboard 4 Pro which I NEVER would have bought on my own given its price. If I had office mates, they NEVER would want me to use it because it’s too loud. That said, I actually love this keyboard so much that I alternate it with Wirecutter’s bluetooth pick, but the cable does ruin the lines of your desk. ;) Oh – I see it comes in a “soft tactile” model as well. This might be a quieter option!

I love following this topic so drop me a note if you have any questions or want to update me with your experiences in this area!

On The Register’s security posts


Intro: 2 posts, 1 bored security tinkerer

I was stuck on a cross-country plane trip recently, and I started reading up on some security posts. I found two interesting ones, both of which happened to be written by Darren Pauli:

As a best practice, from way back in my journalism undergrad days, I try to always go to the source of news articles I read. So, for both of these posts I dug in and compared the facts and chronology as the articles reported them with what the actual sources said. Let’s dig in and see what we find!

Article 1: How unresponsive and culpable was CyanogenMod?

The first article was published by The Register on 13 October 2014 and claimed that 10 million phones were vulnerable to a Man in the Middle (MitM) attack and that it was a zero day exploit.

On October 14th CyanogenMod (CM) responded, ‘In Response to The Register “MITM” Article.’

Then McAfee jumped on the bandwagon of an exploit possibly affecting a lot of Android users. On October 17th the McAfee blog published a piece on this vulnerability as well saying, “it appears easily fixable once it’s actually acknowledged and addressed by the CyanogenMod team.”

The issues I see with the scenario painted in these articles are threefold:

  1. The initial piece by Pauli states that the source of the attack is open source code in a 2-year-old vulnerability. How can this be both a zero day exploit AND a 2-year-old vulnerability? Unsurprisingly, CM’s response cites this point as well.
  2. A whole 3 days had passed when McAfee posted their blog piece stating that CM hadn’t responded when, in fact, they had. CM’s response was published 24 hours after the original Register article.
  3. An issue purportedly affecting “10 million users” already sounds alarming enough, so there was no need to erroneously report that it affected “12 million” as the McAfee piece did.

Article 2: Was TOR really vulnerable?

In the second post, Pauli’s title starts off with, “STAY AWAY” and the subtitle “USB plugged into Atlas, Global servers.” He goes on to pull a quote from the tor-talk mailing list, citing Thomas White saying, “the chassis of the servers was opened and an unknown USB device was plugged in.”

More so than the first article, there’s a number of issues with this piece. Some are minor, but some are egregious:

  1. The only link to the tor-talk thread about the incident is wrong. He cited a thread about hidden services instead of the one on possibly illicitly inserted USB devices.
  2. The subtitle “USB plugged into Atlas, Global servers” references White’s instances of Atlas and Globe as if they were the one and only ones, when in fact they’re not. The Tor Project instead links directly to atlas.torproject.org, from their homepage no less.
  3. By the time the story was published, the issue had been fixed and Tor users at large didn’t even notice:
    1. Dec 21 20:17 UTC – Initial post to the tor-talk list is made by White
    2. Dec 21 20:55 UTC – White posts the fingerprints of all the servers he felt could have been compromised.
    3. Dec 21 21:05 UTC – Jacob Appelbaum rejects the possibly compromised nodes so that general public Tor users won’t unknowingly use them.
    4. Dec 21 23:54 UTC – White gives an extensive update.
    5. Dec 22 05:58 UTC – Pauli writes his piece for The Register.
  4. The title of the article, “STAY AWAY”, goes against an explicit request from White in his 23:54 update, “Tor isn’t broken. Stop panicking.” White’s request was penned before Pauli even published his article.

Clicks clicks clicks

I feel like The Register’s articles, and the related McAfee piece, though having quite a bit of truth to them, take advantage of the facts. The Tor piece borders on fearmongering. Put it all together and I think that tech writers and bloggers can easily shoot out a piece that gets the clicks. To make matters worse, neither Register piece has been updated to reflect not-so-recent developments: the issues cited are no longer of concern to the developers and maintainers of CyanogenMod and Tor respectively.

Given I’m new to critiquing news pieces, I reached out to Pauli for comment. He didn’t get back to me. If he does, and it turns out I’ve gotten any of the facts wrong, I’ll be sure to post an update!

On CloudFlare’s use of reCAPTCHA


I’ve been using Tor quite a bit of late. It’s awesome!! I encourage you to check it out today. One of the drawbacks to using Tor is that some content delivery networks (CDNs) block traffic from the Tor network by default. For example, the way CloudFlare blocks Tor is to present a captcha to Tor visitors. The Tor blog had an interesting write-up of this back in August of 2014.

Inspecting the HTML of a CloudFlare reCAPTCHA on meetup.com


Being a web developer, I’ve implemented many captchas and, specifically, reCAPTCHA, which CloudFlare uses. Google has recently come out with v2.0 of reCAPTCHA which looks freakin awesome. That said, I think the “no captcha” term in that blog post isn’t quite accurate, as you do have to click to prove you’re human in their v2.0 GUI.

Today’s post, which falls clearly into the “rambling” category, is about CloudFlare’s implementation of reCAPTCHA. They’re using an early version, v1.0, on their site. If you look at the customizing reCAPTCHA guide for v1.0, it clearly spells out the changes you can make to how it looks:

You must state that you are using reCAPTCHA near the CAPTCHA widget.

Though CloudFlare has the question mark icon which links to reCAPTCHA, I don’t think it follows the proper branding guides.

To wrap up this ramble, I posit:

  • CloudFlare should heed Tor’s advice on handling Tor traffic
  • CloudFlare should properly attribute reCAPTCHA

PS – the astute, Tor using reader may note that I’m using an outdated version of the Tor Browser in the above screenshot.  This has since been rectified ;)

Shady Notices


I got this slipped in my door the other day:


It’s lame. It uses fancy pants legal lingo to attempt to convince you that you’re in deep poop if you don’t send them money right away. I get postcards for car insurance too, but I forgot to save them. Next one I get I’ll update this post.

Doing a spot of research shows the problem is rampant. Doubly lame.

Source: markturner.net


HOPE X


I’m on the plane back home having just attended Hope X in NYC. What fun! I’ve attended other hacker conferences, and I found Hope to be comparable.

As prep for attending, I wondered if it would be OK to carry on my lock pick set (side note: I think there’s an overlap of hackers and gun fans). Since I’m not on social media, my friend posted to her network about carrying on picks. She’s friends with a lot of hacker-lock-pick types and we got back some great responses. Here’s a bunch of anecdotal, if not contradictory, advice if you’re considering doing the same:

other countries are much saner than TSA.

Spouse’s are going in the checked bag, but mostly because there are other more pointy things in the same kit this trip. Other times they have gone carry-on. Domestically, it’s “probably” ok if you aren’t already one of TSA’s special customers. I’m sure PreCheck doesn’t hurt, either.

TSA has their own special set of bullshit to deal with. Avoid when possible.

all I can say is that wearing them as jewelry works out fine. I don’t know that I’d want to carry them.

Lockpicks can be carried on if you’re not a jerk. I have flown with mine and up to 50 sets (pics did happen).

I carried mine through LAS last year. TSA found them – Nevada police told them to shut up

I have been carrying an extended serepick set in my wallet for years with zero issues.

I’ve never had any issues packing mine in carry-on bags. I think I’ve traveled to/from 3-4 DefCons, + trips to SFO/PDX/LAX YMMV

added an 8″ shovit tool to carryon and had no problem through 6 or so countries so far.

As to my own experience? I had zero problems flying from LAS -> JFK and from JFK -> LAS. Though, I will say I was *SUPER* bummed I didn’t have my backpack with picks on me when I saw world lock pick champion Jos Weyers at the lockpick village. I coulda bugged him about how to pick tubulars. Next time!

The conference itself was awesome. It had a mix of talks that were spectacular and ones that were so-so. The complete list is below, but here are some highlights:

  • Without a doubt the ultimate highlight of the show was being in the room with Daniel Ellsberg to hear his keynote, which was followed by a Q&A with Edward Snowden via a video chat to Russia. I was that emotional, geeky guy in the audience who kinda freaked out at how amazing it was to be in the audience listening to this event. Snowden’s parents were there in person too!
  • Nadim Kobeissi’s talk Usable Crypto: New Progress in Web Cryptography covered a neat idea about doing client side encryption in JS. Coupled with an easy way to share your public key in less than 64 bits (think 64 letters like A-Z and 0-9) and helpfully simplified (but obfuscated!) private key storage, his miniLock project looks promising.
  • Deviant Ollam and Howard Payne’s talk Elevator Hacking: From the Pit to the Penthouse was hugely entertaining and edifying. They REALLY know their stuff and are great story tellers. Note: Elevators may be your weakest point when it comes to physical security!
  • Brian Knappenberger spoke and then there was a showing of his film, “The Internet’s Own Boy: The Story of Aaron Swartz”. Aaron’s brother and Brian had a round of Q&A afterwards. It was a horribly depressing film but wonderful to watch it with the geekiest of audiences.
  • Christopher Soghoian’s talk Blinding The Surveillance State was awesome. I’ve been following him for years since way back and always make a point of seeing him whenever he speaks. He gave an update on how better policy can be achieved by embracing Washington’s use of the term and concept of “Cyber” and not saying, “NSA is Evil! We need encryption”. Instead we should be coming up with solutions to security scenarios that further protect our citizens from criminals and terrorists (and SHHHHH! also from the NSA!).
  • Phillip Hallam-Baker is a smart, smart man, as witnessed by his talk PRISM-Proof Email: Why Email Is Insecure and How We Are Fixing It. He helped Tim Berners-Lee with a little project back when, and he’s looking to do something similarly impressive with encrypted email.

Talks Attended

Solve the Hard Problem

Steepest Dissent: Small Scale Digital Fabrication

Lockpicking, a Primer

Per Speculum In Ænigmate

SecureDrop: A WikiLeaks in Every Newsroom

Keynote Address – Daniel Ellsberg

A Conversation with Edward Snowden

Usable Crypto: New Progress in Web Cryptography

Social Engineering

Movie: “The Internet’s Own Boy: The Story of Aaron Swartz”

Ethical Questions and Best Practices for Service Providers in the Post-Snowden Era

PRISM-Proof Email: Why Email Is Insecure and How We Are Fixing It

Elevator Hacking: From the Pit to the Penthouse

North Korea – Using Social Engineering and Concealed Electronic Devices to Gather Information in the World’s Most Restrictive Nation

Blinding The Surveillance State

Addendum to “Ashley’s Law”, problematic iMac VESA mounts and new desks


I’ve been thinking recently about items you use a lot in life. For example, the internet thinks we sleep for 20+ years in our lifetimes[1][2]. As well, the internet suggests a person with a desk job will spend 80k hours sitting[3]. What does this mean? It means that you shouldn’t skimp on your mattress and your chair! In fact, you should buy the best mattress you can afford. Well…no, you should buy the best mattress on which you sleep well and should try not to be price conscious. Same for your chair and your desk. So if you recall, Ashley’s Law said:

If you don’t have it, you can’t use it.
– Ashley Jones, 2011

So the addendum would be:

If you’re going to use an item for more than 1/4 of your life, it should be a quality item you didn’t skimp on.
– Ashley Jones, 2013

The list of applicable items should be quantifiable! Despite having recently purchased not one, but two cars, I would say most folks don’t spend 1/4 of their lives in their cars. So, unless you’re a trucker, my advice is to not spend a lot of money on your car.

Speaking of this new addendum, I wanted to set up my iMac to be mounted on an articulated arm on my desk so it could be at the perfect ergonomic height when I work on it for hours a day (8+). This would also give my desk those really clean lines with the monitors floating over the surface. Here’s my advice to those who also want to endeavour to have this setup:

  • The $115 Ergotron MX will indeed support a 2012 30lb, 27″ iMac[4]
  • Be sure to get the iMac VESA mount[5] and not the Cinema Display mount which is cheaper[6]
  • Read the instructions for your iMac VESA mount carefully.
  • Especially the warning after step 4.
  • If you don’t follow this step and after you take off your iMac stand you see the VESA mount suck back into the dark depths of Mordor[7] otherwise known as the inside of your iMac, chill out. Go down stairs and grab a cold beer. Crack off that top, take a nice long sip.
  • Back with your beer? Great. Skip the top search result[7], where they say you’ll have to disassemble your entire iMac and void your warranty to get your VESA mount back out:

    Hopefully you can fish the inner bracket back up and out the slot, because if not the iMac may have to be completely disassembled to recover it.

  • Take another sip of beer.
  • Check out the post waaaay down yonder in the search results. That’s right, the one with pipe cleaners[8]. See? You’ve got those supplies in your house to fetch that nasty guy back out. Here’s another variation that I came up with:

    Yes, that’s right, using some needle nose pliers, some picture hanging wire or whatever else you have around the house, you retrieve your precious and get back to setting up your desk.

After heeding my own addendum, following the Wirecutter’s advice on standing desks[8] and recreating the “you can’t stump me, I’m the internet” solution to get my VESA mount back, I have a great desk setup that’s really quite nice. I highly recommend treating yourself right with the items you use the most:


Thanks to the artists in my life


I walked into our bedroom the other day and saw this:


Upon closer inspection you might notice the wonderful colors and fabrics in that quilt:


And then your eye might wander up and pause on that subtle, wonderful piece above the quilt on the wall:


The quilt and print were both gifts to us. I feel blessed that I have the likes of Steven Holloway and my sister Lindsey Jones who made the print and quilt respectively. Thanks to you both!

Top this all off with my lovely and talented wife and I can’t help but see beauty everywhere I look!