Category: Computers

CyberSecurity Done Right

I received an email. It came from TaskRabbit, a company about which I don’t know much. I used them to get moving help when my containers were delivered and came away with a really strongly positive impression. Also, they had some heavy-handed product placement in Unbreakable Kimmy Schmidt, which was still endearing.

While I know little about the company, I know something about their handling of a cybersecurity incident. Here is what they had to say:

Dear Marco,

TaskRabbit is currently investigating a cybersecurity incident. We understand how important your personal information is and are working with an outside cybersecurity firm and law enforcement to determine the specifics. In the meantime the app and the website are offline while our team works on this.

We will be back in contact with you with more information once we have it. As an immediate precaution, if you used the same password on other sites or apps as you did for TaskRabbit, we recommend you change those now.

If you have any questions in the meantime, please reply to this email.

Thank you for your patience while we investigate the issue and for being such an important part of our community.

TaskRabbit Team

Now, the reason I feel comfortable quoting the message is that I can only applaud it. If the content is accurate, TaskRabbit is taking this seriously, is proactive with information, and says it is doing the right things.

Compare that to another company that knew it had lost the information of half the population of the United States of America and didn’t say anything for an extended period of time, while it was “investigating.” Or the other company with which I used to do business, who lost my credit card information (including the CVV, which it is not supposed to store at all), leading to a series of charges to the tune of $10,000 on Bing Search and a heavy downgrade in my credit rating.

I don’t know. How can we continue pretending that identity theft is a problem for the individual and not for the companies that leaked that information? How can the customer be responsible for fraudulent charges when the gas station didn’t do anything about the skimmer on their premises? Why do we accept that a company hiding a massive data breach can get away claiming oopsies while thousands or even millions of their customers have to worry every day about getting ripped off?

Installing Dual-boot Linux on Asus Chromebook Flip C302

[YO! In case you didn’t know, installing a new OS on any computer is always risky. You are likely to lose all your data, brick your Flip, and suffer grievous injury if you follow the steps below.]

I’ve been a big fan of the Flip line of Chromebooks from Asus. It started with the absolutely fun 10.1″, which was a goddess-send on cramped flights (hello, Spirit?). I moved on to the C301, a plasticky thing that was all standard Chromebook and not as much fun. But once I saw the almost identically named C302, an all-aluminum unibody beauty, I knew I needed one.

On the other Flips, I installed Crouton. That’s software that runs a regular Linux distribution in a chroot alongside ChromeOS: same kernel, ChromeOS still in charge, but a full Linux userland next to it. That’s very useful: ChromeOS is great for media consumption and online work, but it lacks in everything else I want from a laptop. You can’t program, you can’t use software that isn’t available online, etc. Crouton allows you to do all that and then some, and I loved it.

Still, I run Linux natively on all my computers and it was a pain to deal with the limitations of an add-on. Cron jobs wouldn’t work, init scripts weren’t run (the chroot has no init of its own), and whenever something didn’t work as expected, the first task was always to figure out whether it was a problem with the environment or with my code. I wanted real Linux, booted on its own kernel, not a chroot riding on ChromeOS. But I wanted to be able to continue using ChromeOS, because Google is powerful enough to force media companies to run their stuff on its platform.

Dual-boot it had to be. Fortunately, since installing on the C301, the options for Linux installation have vastly improved and gotten more stable, easy-to-use, and reliable. Also, the first Linux distributions specifically meant for Chromebooks have appeared and sounded quite awesome.

(more…)

Profiling Satoshi Nakamoto

Intro

For the rest of the world, it all started in the Fall of 2008. There was a mailing list that only the most geeky geeks listened to, and one dude nobody had ever heard of before posted a whitepaper. People started working with him because he seemed to have a great idea. Then things took off. Then they really took off. Then, one day, the man didn’t say good-bye, but handed over the keys to the idea to a bunch of friends. And disappeared. And then, a little over three years later, he sends a message from the cyber-grave. Only to tell us he’s not someone.

When Bitcoin was young, there were services that gave Bitcoins away so people could play with them. You logged onto one of the sites and got 5 Bitcoin (or BTC for short) for free, just like that. You could go back as many times as you wanted. Today, those 5 BTC are enough to buy you a car. Depending on the day it’s a beater or a beemer.

The man that published the whitepaper and then disappeared has a name, Satoshi Nakamoto. Nobody knows if that’s the man’s real name. Nobody, in fact, knows if Satoshi Nakamoto is a single person, or a woman. He claims to be Japanese, claims to have been born and to live in Japan, but we have good reasons to believe neither is the case. He says he was born on April 5th, 1975, but nobody can verify that.

And yet, Satoshi Nakamoto has given us a technology that has the potential of changing the world. He’s like a faceless prophet that leads his people to a better land and vanishes in self-exile once we get there, following the commandments of a God we do not understand. And because he vanished without a trace, because he didn’t leave a whole lot of traces to begin with, and because Bitcoin has become so huge, everyone is asking the same question: Who is Satoshi Nakamoto?

(more…)

Pebble Is Dead – What Now?

The last we all heard of Pebble, they had funded a successful KickStarter campaign to get the new version of their smartwatches out. They had the Pebble 2, Pebble Time 2, Pebble Round 2 in the pipeline. I was waiting for my Pebble Time 2 to arrive any second – the Pebble 2 had already been shipped.

Yesterday, I received not one but three updates. As Pebble put it, “due to various factors […] Pebble is no longer able to operate as an independent entity.” So they shut down operations. While Pebble gear is still available on Amazon and other sites, Pebble itself is not selling any more inventory, nor updating their products. Software is not going to be updated, either, and after a while the Pebble app is going to die, when the first OS incompatibility hits, best guess about a year from now.

What happened? Fitbit apparently agreed to buy out the developers, and not much else. Refunds are being processed: they were supposed to be done by March of 2017, but now they are saying December 16. That probably means a cash infusion from Fitbit before the deal can get fully consummated.

I cannot tell from the release what the driving force behind this decision was. Likely culprits:

  • The smartwatch segment is growing much more slowly than expected; even Apple admits it sells only about 2 million units a quarter, which completely crimped the market
  • There may have been problems developing the new models; in particular, the timing of the pledges required Pebble to get shipped units out by the end of the year. Maybe it was the impending deadline and the realization there were problems with the new devices that could not be addressed in a reasonable amount of time
  • As usual in the USA, a lawsuit may have prompted this; wearable devices have a way of causing skin rashes and similar ailments, and the Pebble is definitely not immune to that. Heck, even I developed more than one wrist rash after not taking off the watch for more than a day. This might explain why the blog article is adamant about the fact that only “certain assets” of Pebble were bought, pre-empting a lawsuit against the acquirer
  • There may have been some personal event going on, like a dissatisfied CEO or the like. 

(more…)

SSL Certificates with Let’s Encrypt

You probably noticed a microscopic difference when accessing the site: suddenly, when you type in mrgazz.com, you get redirected to the secure site, https://www.mrgazz.com. Why, and how?

First the why: Google announced that it would use HTTPS as a ranking signal, so search results are ordered partly by whether a site is served securely. That makes a lot of sense: “secure” sites have a modicum of respectability and require extra work compared to plain HTTP sites. You have to set up a TLS-enabled server, which means you have to do more than simply point a DNS name to an IP address.

If you think it’s unfair that HTTP sites get downranked, that argument has some merit. At the very least, sites that have been running on HTTP for years should not suddenly be penalized because someone else abuses HTTP. But Google does what Google wants, and frankly the number of search hits this site gets is not a hot priority.

Setting up SSL (strictly speaking TLS these days, but everyone still says SSL) on a web server is not tragic. In essence, you need a server certificate and the private key that goes with it, you install them according to the instructions for your server, and you configure a virtual host that listens on port 443 and answers HTTPS requests. It’s a bit of a pain, especially if you only have a single web site to transition, but it’s not a huge stumbling block.

First, getting the certificate. What’s that? It’s a document (file) that binds your server’s public key to your host name and is signed by an authority vouching for that binding. When you connect to www.mrgazz.com using SSL, the web server presents this certificate (the public half; the private key never leaves the server) to your client (the browser), and the browser verifies it. Technically, the browser ships with a list of trusted certificate authorities (the root store), and if one of those authorities, or an intermediate it has signed, vouches for my certificate and the name in it matches the one you typed, then your browser agrees. Note what that does and doesn’t prove: that whoever holds the private key controlled www.mrgazz.com when the certificate was issued, and nothing about whether the site is honest.

Which also means that you have to get an authority to certify you. For the longest time, this meant you had to fill out a form and pay money for a certificate to be issued. Certificates would last a year or so, then you’d have to go and renew. This was a double pain point: on one side, a whole year is a lot of time and lots of mischief can happen during that period (a leaked private key stays usable until the certificate expires or is revoked). Ideally, certificates should be shorter-lived. On the other hand, if you forgot to buy your new certificate, all browsers that connected to your site would suddenly sound alarm bells and tell the user that your site was fishy. They would also generally make it really hard to connect.

Let’s Encrypt is a new project that has a completely different approach. Instead of making the web site owner fill out a form and make a payment, it checks that you control the name by running software on the web server. You install the Let’s Encrypt client on the machine that runs the web server; the client asks the Let’s Encrypt servers for a challenge, places a token chosen by the authority at a well-known URL under that name (http://www.mrgazz.com/.well-known/acme-challenge/<token>), and the authority then connects to that name from the outside and checks that the token is there. If it is, whoever runs the client evidently controls the server the name points to, and a certificate is issued. (The protocol is called ACME.) Note what is being proven: control of the name at that moment, nothing about who you are. The certificates are valid for 90 days rather than a year, which addresses the lifetime complaint above; the client renews them automatically, so the short lifetime costs you nothing.
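How that validation actually goes, as an added example that is not part of the original post and not code from the Let’s Encrypt client: both sides of the HTTP-01 challenge, played out against a throwaway web root served on 127.0.0.1. The account key, the token and the port are constructed for the demo; the key-authorization and thumbprint computations follow the ACME (RFC 8555) and JWK thumbprint (RFC 7638) specifications.

```python
"""Added example: the HTTP-01 exchange behind a Let's Encrypt issuance, both sides
played locally. Not code from the post or from the Let's Encrypt client."""
import base64
import hashlib
import json
import os
import shutil
import tempfile
import threading
import urllib.request
from functools import partial
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"  # fixed by the ACME spec (RFC 8555)


def b64url(data: bytes) -> str:
    """ACME uses unpadded base64url everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required public members only, keys
    sorted, no whitespace. Extra members such as "alg" or "kid" must not influence it."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """What the CA expects to find at the challenge URL: token.thumbprint(account key).
    Binding the token to the account key is what stops a bystander from answering."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def client_place_challenge(webroot: str, token: str, account_jwk: dict) -> str:
    """Client side (what `letsencrypt --apache` arranges for you): publish the key
    authorization under the document root so the CA can fetch it over plain HTTP."""
    directory = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(directory, exist_ok=True)
    path = os.path.join(directory, token)
    with open(path, "w", encoding="ascii") as handle:
        handle.write(key_authorization(token, account_jwk))
    return path


def ca_validate(base_url: str, token: str, account_jwk: dict) -> bool:
    """CA side: connect to the name being validated from the outside, fetch the token
    and compare with the key authorization computed from the registered account key.
    A 404, a timeout or a body that does not match all fail the challenge."""
    try:
        with urllib.request.urlopen(base_url + CHALLENGE_PREFIX + token, timeout=5) as resp:
            body = resp.read().decode("ascii", errors="replace").strip()
    except OSError:  # urllib's URLError and HTTPError are OSError subclasses
        return False
    return body == key_authorization(token, account_jwk)


class QuietHandler(SimpleHTTPRequestHandler):
    """Plain static file server standing in for Apache; request logging silenced."""

    def log_message(self, *args):
        pass


def run_demo() -> tuple:
    """Play the exchange against a throwaway web root on 127.0.0.1 and return
    (correct_answer_validates, unknown_token_fails, foreign_account_key_fails)."""
    # Constructed account key: the modulus is random filler, not a real RSA key.
    account_jwk = {"kty": "RSA", "e": "AQAB", "n": b64url(os.urandom(64)), "alg": "RS256"}
    webroot = tempfile.mkdtemp(prefix="acme-demo-")
    server = ThreadingHTTPServer(("127.0.0.1", 0), partial(QuietHandler, directory=webroot))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base_url = f"http://127.0.0.1:{server.server_address[1]}"
    try:
        token = b64url(os.urandom(32))  # in real life the CA picks this value
        client_place_challenge(webroot, token, account_jwk)
        good = ca_validate(base_url, token, account_jwk)
        unknown = ca_validate(base_url, b64url(os.urandom(32)), account_jwk)
        foreign = ca_validate(base_url, token, dict(account_jwk, n=b64url(os.urandom(64))))
    finally:
        server.shutdown()
        server.server_close()
        shutil.rmtree(webroot, ignore_errors=True)
    return good, unknown, foreign


if __name__ == "__main__":
    print(run_demo())  # expected (True, False, False)
```

The two failure cases are the ones that matter in practice: a token the client never published (the authority gets a 404) and a correct file written by someone who does not hold the ACME account key (the thumbprint does not match). Both come back False, which is why a stray file under /.well-known/ on a shared host cannot be used to obtain a certificate for a name you do not control.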

The most amazing thing about Let’s Encrypt is not the approach, no matter how amazing it is and how wonderful it is not to have to pay $10 a year. What’s really special is how easy it is to set up on the standard web servers on the Internet. If you run a latest-version Debian or Ubuntu, installing Let’s Encrypt is as simple as:

sudo apt-get install python-letsencrypt-<webserver>

[Note: until recently you had to download an archive and install manually, which I really, really, really didn’t like, because I had no idea what that package would do. Having a package file from the default repository makes me feel much better!]

Running the software for the first time is also completely braindead:

sudo letsencrypt --<webserver>

In my case (as in many), the webserver is apache:

sudo letsencrypt --apache

But letsencrypt comes with plugins for the most common web servers on the Internet. (The client has since been renamed certbot; on current Debian and Ubuntu the packages are certbot and python3-certbot-apache, and the command is certbot --apache. Everything below applies unchanged.)

From the command prompt, you get into an interactive series of dialogs where you essentially confirm which ones of your available sites you want to convert to SSL, and whether you want to allow access to both HTTP and HTTPS or only to HTTPS.

Magically, letsencrypt will write new virtual host configuration to make your new SSL connection available. I tried it both with sites that had no SSL configuration at all, as well as this site, which ran a mix of secure and insecure sites, now all converted to secure. letsencrypt figured out how to change the configuration for both types and reloaded everything, so that there was the absolute minimum downtime.

This is where I found the absolutely only downside of letsencrypt, and it’s really not its fault. You can access this site, like many web sites on the Internet, under both mrgazz.com and www.mrgazz.com. The former is the bare (apex) domain, the latter a host name under it; in DNS terms one is typically an A record and the other a CNAME, but the beauty of the Domain Name System is beyond the scope of this article.

Suffice to say that in my case letsencrypt would only offer to issue a certificate for www.mrgazz.com, not for mrgazz.com, so https://mrgazz.com kept throwing certificate warnings. This is not a refusal on Let’s Encrypt’s part: it issues certificates for bare domain names without complaint, as long as its validation can reach them. It is the Apache plugin, which only offers the names it finds in the ServerName and ServerAlias directives of your virtual hosts. If mrgazz.com is not listed as a ServerAlias, it never shows up in the dialog. Add the alias (or pass both names explicitly with -d www.mrgazz.com -d mrgazz.com) and a single certificate covers both.

You could go about it two ways, just as outlined in the dialog that letsencrypt presents: you could have https://www.mrgazz.com run independently of http://mrgazz.com. That is, users could connect to either independently. In that case, you don’t have to do anything. 

If instead you want all traffic to your site to go to the SSL version, you need to do a little extra configuration: in the Apache configuration file, you will see this section:

RewriteEngine on
RewriteCond %{SERVER_NAME} =www.mrgazz.com 
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]

What this does is to take the requests sent to the insecure version and redirect them to the secure version. The problem here is that it does so only for www.mrgazz.com, so you have to add mrgazz.com. Also, the rule redirects to SERVER_NAME, which is whatever name the request came in under, so a request for http://mrgazz.com would be redirected to https://mrgazz.com, a name the certificate did not cover. You need to change that, so that it always redirects to www.mrgazz.com. In the end, you get this section:

RewriteEngine on
RewriteCond %{SERVER_NAME} =www.mrgazz.com [OR]
RewriteCond %{SERVER_NAME} =mrgazz.com
RewriteRule ^ https://www.mrgazz.com%{REQUEST_URI} [END,QSA,R=permanent]

Notice the [OR] at the end of the first condition: without it, both conditions would have to match at once, which is impossible. There is no need to reboot anything; once you reload the Apache configuration, everything is just as you wanted. One caveat: this only catches plain-HTTP requests to mrgazz.com. Someone who types https://mrgazz.com talks to the secure virtual host directly and still gets the certificate warning until the certificate covers that name too.
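For reference, this is what the two virtual hosts end up looking like once both names are covered, as an added example rather than the configuration actually running on this site. The certificate paths follow the Let’s Encrypt client’s default layout under /etc/letsencrypt/live/, the options-ssl-apache.conf include is the file the Apache plugin writes, and the document root is an assumption.

```apache
# Added example (not the post's own configuration). DocumentRoot is a placeholder.

# Plain HTTP: answer for both names, send everything to the canonical HTTPS name.
<VirtualHost *:80>
    ServerName www.mrgazz.com
    ServerAlias mrgazz.com
    DocumentRoot /var/www/mrgazz

    RewriteEngine on
    RewriteCond %{SERVER_NAME} =www.mrgazz.com [OR]
    RewriteCond %{SERVER_NAME} =mrgazz.com
    RewriteRule ^ https://www.mrgazz.com%{REQUEST_URI} [END,QSA,R=permanent]
</VirtualHost>

# HTTPS: one certificate whose Subject Alternative Names list both host names.
# The ServerAlias is what makes the Apache plugin offer mrgazz.com in its dialog.
<VirtualHost *:443>
    ServerName www.mrgazz.com
    ServerAlias mrgazz.com
    DocumentRoot /var/www/mrgazz

    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/www.mrgazz.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/www.mrgazz.com/privkey.pem
    # Protocol and cipher settings maintained by the Let's Encrypt client.
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
```

With both names in the certificate, a visitor who types https://mrgazz.com gets a valid handshake and is served directly; the redirect in the port 80 host only has to deal with plain-HTTP visitors.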

Extra points:

  • letsencrypt configures your secure web server almost flawlessly. When you check the resulting TLS configuration with a scanner, you get an A rating.
  • A single letsencrypt certificate can cover multiple host names (they go into the certificate’s Subject Alternative Name list), and the plugin configures one secure virtual host per site. You can put as many secure sites as you want on your web server; letsencrypt will configure them all correctly.

Ubuntu on an ASUS Chromebook Flip

Ah, yes, my glamorous life of jet-setting and international travel! OK, so I barely managed to fly out to ski resorts this year, and instead of flying first class, business class, or any class at all, I had to make do with budget airlines and seats so cramped, my knees routinely touch the seat in front of me. Particularly annoying when you have a six-year-old in front of you who is bored to the point of kicking the chair during the entire trip.

The other thing that the cramped seats won’t allow is typing on a full-size computer. There is simply no room, between the seat’s angle and the tiny, half-size tray table. Which, incidentally, wouldn’t fit a tray, either. Someone should sue budget airlines for their misuse of the term “tray table”!

I can’t fix airline seats and I don’t want to pay for expensive tickets, so I am left with two options: (a) not type while flying, or (b) get a small computer. Of course, I can also do both: get a small computer and not use it.

I researched for a while. What I wanted was something that I would use only while traveling and not as a primary computer. That meant it had to be economical. It also had to be lightweight (obviously) and sturdy (obviously). It needed to have a decent keyboard on which I would want to type for hours, and it had to run all the software I wanted to run even when disconnected.

I ended up with one logical choice for the hardware: a 10″ tablet or Chromebook. I would buy a keyboard for the tablet and make do, or take the Chromebook as is.

(more…)

Publishing with Dates and Times in Joomla 3.x (and Time Zones, Too)

I love Joomla like I love my favorite sweater: it’s old, it’s ratty, but it’s comfortable and does its job marvelously. Unlike the sweater, it’s not easy to replace. Also unlike the sweater, I know how to teach it new things.

When publishing articles, Joomla insists on displaying the date in the format, “day Month year.” Nothing wrong with that, but I’d generally want the day of the week, too. And maybe the time in certain categories, like surfing.

It turns out it’s relatively easy to change the behavior, as it’s something the good people of joomla.org thought about (unlike the behavior of the Prev/Next button, which is hard-coded to follow the category, with no option to go through all articles chronologically).

Theory: the display of the date chunk is controlled by layout files stored under layouts/joomla/content/info_block. The info block we are interested in, in this case, is created_date.php. Don’t edit that file in place: copy it to templates/<your template>/html/layouts/joomla/content/info_block/created_date.php, where Joomla picks up the override first and the next update won’t overwrite your change. If you look at the file (it’s very short), you’ll notice that the relevant line is:

<?php echo JText::sprintf('COM_CONTENT_CREATED_DATE_ON', JHtml::_('date', $displayData['item']->created, JText::_('DATE_FORMAT_LC3'))); ?>

(more…)

Creating Pebble Apps: A Guide for the Novice (Like Me)

Great News! The intro I had written about smartwatches in general and why the Pebble is better than others is gone! Now more Pebble App Development tips!

Developing for Pebble is fun! No, really! It’s complicated, but it’s fun. It has lots of moving parts, but it’s fun!

I am going to skip the part where I tell you why you should develop for Pebble. Because it’s fun! And that’s all anyone needs to know, really.

The first decision to make is not easy: develop online or on your machine? CloudPebble or local SDK? The good news (more good news!) is that both give you essentially the same results. The difference is mainly one of trust and access. With CloudPebble, you have to have an Internet connection (access) and you have to trust Pebble with your code. With the local SDK, development works on Linux and macOS (not Windows) and you have to trust yourself with the installation.

I chose to go the SDK route, but if you are just trying things out, you should go for CloudPebble. It’s much easier, and you can do pretty much the same things there. If you do so, follow the instructions on CloudPebble. If you do the SDK, you’ll end up having more control, but will also need to get your hands dirty with the command line. You can, incidentally, still run the SDK if you are a Windows user. You just have to install Linux on your Windows machine, which is really easy. Pebble (and I) suggest that you do so by installing a virtual machine (think VirtualBox) on your Windows computer and run Linux on it.

(more…)

Automate Instant Messages with Pidgin and DBus

Despite being an overall fan of KDE, I always preferred the GTK-based instant messenger, Pidgin. It is really designed for ease of use, it is extensible with incredibly useful plugins, and is available on a ton of platforms. Also, it can be easily configured and you can synchronize the configuration files with no issues, even using OwnCloud or Dropbox.

No surprise then that I would use Pidgin to automate all sorts of tasks. I will send myself a message so I get notified on all my phones, using whatever mechanism I want to use. Pidgin comes with a plethora of protocol plugins. If you need something that isn’t on the list, you can also look for third-party plugins. And you can, of course, write your own. I am doing that as a side project to include small social networking sites that only use a web interface.

One of the advantages of Pidgin is that it is scriptable. You can either write scripts internally (using the plugin mechanism) or you can direct Pidgin from the outside. If you want to call Pidgin methods and make them do things, you use the universal DBus interface.

DBus is universal in that you don’t need a particular environment or programming language to make it work. In fact, DBus was born out of the desire to make different bus interfaces work together. KDE used to have DCOP (which frankly was far superior to DBus). Gnome, if I am not mistaken, used CORBA.

You can send DBus messages from a shell script or from the command line: DBus ships with dbus-send, which calls a method on any object on the bus, making it easy to script things.

In my case, I decided to use Python. The Python DBus interface is rock solid and stable, and the language fairly easy to use and read. If you want to send a message to a DBus object, you ask the bus for a proxy to the object, wrap it in the interface you want, and call the method on it like any Python method; the bus marshals the arguments and hands you back the reply.
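The self-notification described above, as an added example that is not the post’s own script: it drives a running Pidgin over the session bus to send an instant message. The bus name, object path, interface and method names are those of libpurple’s DBus API; the account, protocol id and buddy are placeholders, and FakePurple is an offline stand-in with the same method names so the call sequence can be exercised without Pidgin. The real path needs the dbus-python module and a running Pidgin with a connected account.

```python
"""Added example: send an IM through a running Pidgin over DBus (not the post's code).
Method names are libpurple's DBus API; accounts and buddies below are placeholders."""

PURPLE_CONV_TYPE_IM = 1  # libpurple's PurpleConversationType value for a one-to-one IM

BUS_NAME = "im.pidgin.purple.PurpleService"
OBJECT_PATH = "/im/pidgin/purple/PurpleObject"
INTERFACE = "im.pidgin.purple.PurpleInterface"


def connect_purple():
    """Get a proxy for the libpurple object on the session bus.
    dbus-python is imported here so the rest of the module loads without it."""
    import dbus
    bus = dbus.SessionBus()
    return dbus.Interface(bus.get_object(BUS_NAME, OBJECT_PATH), INTERFACE)


def send_im(purple, account_name, protocol_id, buddy, text):
    """Send `text` to `buddy` from the connected account `account_name`/`protocol_id`
    (for example "me@example.org", "prpl-jabber"), reusing an open conversation if
    there is one. libpurple returns integer handles, and 0 where C would return NULL,
    so the account lookup is checked before anything is sent. Returns the handle."""
    account = purple.PurpleAccountsFindConnected(account_name, protocol_id)
    if not account:
        raise RuntimeError(f"{account_name} ({protocol_id}) is not connected in Pidgin")
    conv = purple.PurpleFindConversationWithAccount(PURPLE_CONV_TYPE_IM, buddy, account)
    if not conv:
        conv = purple.PurpleConversationNew(PURPLE_CONV_TYPE_IM, account, buddy)
    im = purple.PurpleConvIm(conv)
    purple.PurpleConvImSend(im, text)
    return conv


class FakePurple:
    """Offline stand-in for the DBus proxy with the same method names, used to
    exercise the call sequence without a running Pidgin. Handles are made-up ints."""

    def __init__(self, connected=True):
        self.connected = connected
        self.calls = []
        self.conversations = {}

    def PurpleAccountsFindConnected(self, name, protocol):
        self.calls.append(("PurpleAccountsFindConnected", name, protocol))
        return 1001 if self.connected else 0

    def PurpleFindConversationWithAccount(self, conv_type, name, account):
        return self.conversations.get((conv_type, name, account), 0)

    def PurpleConversationNew(self, conv_type, account, name):
        handle = 2000 + len(self.conversations)
        self.conversations[(conv_type, name, account)] = handle
        self.calls.append(("PurpleConversationNew", conv_type, account, name))
        return handle

    def PurpleConvIm(self, conv):
        return conv + 500

    def PurpleConvImSend(self, im, text):
        self.calls.append(("PurpleConvImSend", im, text))


if __name__ == "__main__":
    import sys
    # usage: pidgin_notify.py ACCOUNT PROTOCOL BUDDY MESSAGE...
    account_name, protocol_id, buddy, *words = sys.argv[1:]
    send_im(connect_purple(), account_name, protocol_id, buddy, " ".join(words))
```

One thing to keep in mind when wiring this into cron jobs: the session bus is reachable by every process running as your user, and libpurple’s interface has no authentication of its own, so anything that can run code in your desktop session can read and send messages through Pidgin exactly the same way.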

(more…)

Legendary Creatures (all letters)

Legendary creatures for no reason

Letter  Main candidate  Secondary                               Comments
A       Alp             Antaeus
B       Banshee         Basilisk
C       Centaur         Chukwa, Chimera
D       Dragon
E       Elf             Encantado
F       Firebird        Faun, Fairy
G       Garuda          Gorgon, Goblin, Gnome, Griffin
H       Hydra           Hippocamp, Hesperides
I       Incubus         Imp, Irin, Inugami
J       Jinn
K       Kraken          Kinnara, Kobold
L       Lilith          Lindworm
M       Mermaid         Mogwai, Manticore, Mandrake, Minotaur
N       Numen           Nawao
O       Ogre            Ouroboros
P       Pegasus         Phoenix
Q       Qilin           Quetzalcoatl
R       Rompo           Revenant
S       Sphinx          Siren, Sandman
T       Titan           Thunderbird
U       Unicorn
V       Vampire         Valkyrie
W       Werewolf        Wyvern
X       Xana
Y       Yale
Z       Zombie