I live in Canada and have become an unwilling expert on snow shovels. From the grip, to the material, to the width of the scoop and more, I know it all. I’ve frequently been left in the snow shovel aisle of various stores poring over the options until the lights snap off and someone tells me to leave. With my new shovel.
A few years ago we had a prolonged snow storm. Ever day we’d wake up to 15–30 centimetres of snow. I’d dutifully shovel it away and then have to do it all over again. Every day. It got to the point where snow piles were as high as second story windows. At one point I was shovelling the path from the side-walk to my house and I had to throw the snow several feet above my head onto the ever growing piles on either side of my path. I remember thinking “this is what people must feel like when they’re digging their own grave.” That’s a normal thought, right?
I ran across this gem yesterday - some enterprising researcher folks used electrical tape to alter the number 3 on a 35 MPH speed sign and then pointed a few Teslas at it. Predictably, the Teslas read the sign wrong and accelerated past the speed limit. But is that a hack? A human can also be fooled by a creative sign modification, too. Granted, this sign’s particular modification would be unlikely to fool a human, but artificial intelligence is weak and new and stupid still, so it’s a really attractive target for bad guys. Where do we draw the line between a “hack” and crappy software? One is a crime, the other is the modern standard way of delivering service over the internet.
I’ve lost track how many times someone has come wandering up to me with a bunch of private keys and a cert and thrown it all at me saying “I dunno which key was used!”. The slow way to figure that out is to put them into your web server config and see if it starts. The easier way is to use openssl.
Assuming the certificate is in $CERTFILE and the key is in $KEYFILE, these two openssl commands will extract the modulus out of each:
Quora has been the butt of internet jokes for as long as I can remember. Want an incorrect answer? Go to Quora. Giving ridiculously incorrect answers is just Quora’s thing. It’s what it does, man! Despite that, it turns out that there is an extremely large population of authors on Quora making actual money asking and answering these questions. But, does that make it a good resource?
Let’s start by taking a bird’s eye view of the internet’s most incorrect site.
This has been a weird week, culminating with the loss of my beloved Xiaomi Mix 3 phone. I loved that phone, partially because the Xiaomi UI is amazing, but also because of the way the selfie camera is hidden. Watch the video…it’s very satisfying. The phone still appears to power on, but the screen won’t come on, so it’s not usable.
This led to my first experience of restoring all my data onto a new phone without using Google services. I de-Googled last year, and although I know there is still some surveillance DNA in my Android phone, I don’t use any Google services like Gmail or contacts, calendar, etc. I provide all those services to myself using a self-hosted and encrypted NextCloud instance.
My verdict is that getting all my data onto a new phone was harder than if I used Google services, but not so much harder than I regret it. The basic difference is that logging into my phone’s Google account would normally restore everything to it, but in my case I have nothing in my phone’s Google account. I had to re-install the apps I use (which are not Google apps and therefore are not pre-installed) and then log into each of them to start the sync down from my NextCloud server.
I was thinking about port knocking the other day (yep, that’s how I roll) and while I consider it to be a valid security layer, it occurred to me that it would be pretty easy to set up a poor implementation of it that was susceptible to being gamed. Here’s how that thought process went.
Caveat: This is a proof of concept and has many points against it which I outline at the end of this post.
For the uninitiated, port knocking is a process whereby some port on a server can be fire-walled off until some pre-determined set of ports are ‘knocked’ on, and then the firewall can be reconfigured to open some other port. A practical example is a server where you need SSH access, but you don’t want to leave the SSH daemon running wide open to the world all the time. You can use a port knocking daemon like knockd, coupled with an IPTables firewall to protect that port. The normal configuration would be to have the SSH daemon running on some arbitrary port and have the firewall dropping connections to that port until a valid set of ports are knocked on, and then the IPTables would be rewritten, usually temporarily, to allow connections to the SSH port.
You can’t get by on bringing doughnuts and sharing jokes.
image courtesy of pixabay.com
The general idea of remote work is that you do the same job you would do in the office, but you don’t have to actually go to the office. This removes all the problems with people and politics of the office. That’s viewed as a huge benefit, but the reality is that many people only keep their jobs because of the people and politics of the office. Remote work strips all that away and leaves you standing naked in a meritocracy where only your skills matter.
I’ve worked remotely for 7 out of the last 9 years. For 4 years I was a remote contractor left to my own devices. I spent 2 years working as a remote worker for a non-remote company and I’ve spent the last year-ish working as a remote worker for a remote company. While sitting at home looks the same in all cases, each of those situations were very different from each other.
Here’s what I have learned from each of those situations:
The tagline for my Death By Tech blog is “Mostly tech. Lots of Linux. Some fiction. A few dogs. The ramblings of a career sysadmin working in infosec.” This is one of those posts that definitely fit into the “rambling” category. There's not much tech here, but I hope you enjoy it anyhow.
I am not a very political person. I find life is full enough that I don’t really have the desire to follow our politicians very closely, or create a deep understanding of who is who in our government other than knowing which party is in power and the identity of my local representatives. But, like everyone else, there are periods of time when I become more focussed on politics because of something that is happening at the time. The Coronavirus pandemic is one such thing, and I have been paying closer attention to our politicians and government during these days. With that heightened awareness comes exposure to some ideas and processes that I normally don’t think about. Namely, how my closest neighbour, the United States is faring through the pandemic.
There is a class of internet users that are “builders” or “makers”. I’m one of them and the characteristic that distinguishes us from all you normies is that we don’t just use the internet, we inhabit it. We build things for you to use, and we build things for us to use. We deliberately make decisions about moving parts of our lives to the internet by using products that we’ve built, others have built, or, frequently, we glue those two types of things together to build new things.
Killed by Google
Over the last decade or so, Google has been a great ally for builders because it is always launching new things for us to play with. However, even more recently, things have changed and Google is becoming our enemy because it kills things off as quickly as it produces them. It takes a lot of work and effort to adopt new technology, and Google’s habit of ripping the rug out from under us, which means throwing all our work and data away to start again, is getting very old very fast. Tech people are shying away from new Google tools these days because our trust in their longevity is at an all-time low. This problem is so pervasive that one of us internet denizens (not me) maintains a list of all the services Google has introduced, then unceremoniously killed off https://cmp.cx/7f8cd, typically with little or no warning. There’s 223 as of today.
“If you’re not paying for the product, you are the product”, or so the saying goes. Free internet services abound and in the beginning, we did not put much thought into why; we were just happy to have the free email account or free social media arguments with strangers or whatever the case may be. Over time, we became a little savvier and started asking questions as to how these companies paid for this “free” service, and by now it’s so obvious that our personal data is valuable that even bad guys are stealing it and selling in on the black market. But how valuable is our data, really?
Setting the value of anything is difficult. There are many factors, such as how much money it took to get the item into a saleable state and how much desire there is in the market for that item. In the case of personal data, it gets even more granular.
