Ysabel’s Room

We’ve finally got Ysabel’s Room in order. I moved the bed to the library where the resident cats eat and hang out. It’s next to a big pair of windows, so that’ll work out for bird watching and relaxation. We set up the introduction crate with a kitten cavern and a poly pad cushion on the base of her crate. The crate is in the corner so she will feel maximally safe and protected.

Then we put one of the Google Homes in the room and set Spotify to play feline relaxation music in the background.

Ysabel will be ours at 3pm tomorrow, Friday 6/29/2018. We’ll go to KL Cat Hospital and then home.

Wish us all luck!

Keybase Redux

The current ecosystem out there on the Internet is not one that wants for communication or security, at least not in options for either. Where it does want is in the popularity contest between the oldest forms of communication on the Internet and all these new ways of communicating. There are so many ways!

Email and web-based sites like Reddit and Facebook have all proven themselves over and over again, perhaps not quite as secure as any of us would hope, but in ubiquity of use. Everyone had to get over the hump of everyone they knew having an email address or a Facebook account. Once the novelty wore off, the security headaches appeared. Most notably, how difficult it is to get people to adopt basic security practices when dealing with email; the death and burial of PGP and GPG left email as plaintext for anyone to snoop on who might have access to do so.

Then the parade of other sorts of solutions exploded: Signal, WhatsApp, Snapchat, Telegram, and Facebook Messenger. People talking to each other, sometimes privately, sometimes not. Facebook borrowed a little bit of Signal (its protocol now underpins WhatsApp and Messenger's secret conversations), but so far I haven't seen anyone actually use it to protect their chats.

Recently I have come across another app like this, called Confide. It brings forward a lot of the features that attract me to things like Signal and Telegram: end-to-end security between chat partners, without worrying about anyone in between eavesdropping. Confide also addresses a huge privacy hole present in Snapchat, in that Confide appears to prevent screen-shotting the content of a message so it can break out. This obviously has limits, since screenshot blocking is a client-side control rather than a cryptographic one: you can very well point a camera at the screen and defeat it. But it does push that envelope further out, to where people have to perform a lot of extra steps to be clever.

Signal was the first app that I saw that introduced exploding messages to this marketplace. Within the Signal app, and Confide as well I presume, you can set a lifetime counter on a message, and after the timer has expired, the message is irretrievable. Bear in mind that the timer is enforced by the recipient's client, not by cryptography, so it is a courtesy between honest apps rather than a guarantee against a recipient who wants to keep a copy.

There were other solutions that came along as well, more collaborative and team-based, like Slack and Discord, services that supplanted text messages like SMS and iMessage for me, especially at work. The further along I went, the more I realized that a lot of these systems unfortunately have two big things running against them. They are a change in how people communicate, and change is one of the scariest things out there; the second thing is just how oddly resistant people are to actually collaborating. Quite often I am struck by the dial tone I get from folks when I attempt to explain why collaborative solutions like Google Docs and Slack/Discord are so amazing. So I pretty much make an elevator pitch and then let things lie where they land.

Enter Keybase. Originally the site appeared to be a central hub linking personal identity and personal avatars to PGP/GPG keypairs. I suppose you could affectionately regard it as trying to plug in Frankenstein's Monster just to get a few more twitches out of the poor bastard. However, just today I received an email inviting me to check out Keybase again. They have teams, chat, files, and exploding bits that seem to mingle elements of Signal and Slack together.

What platform wins? Winning is population. When everyone collectively agrees that a solution is so good that it wins by sheer existence alone, that platform wins. Facebook tried it by manipulating human emotions and reward centers, and by monetizing all the data we wanted to share with each other. Right now the platform du jour is Facebook, and the corruption of that system is starting to exact a toll on the people who use it. I have abandoned Facebook, and my life has improved. I don't have the social reward mechanism in place any longer, but it has given me more time to read books and articles online and helped me become a happier person.

What then for these other applications and what they bring to the party? I have almost all of them, but use them all very sparingly. What is the point of a communications platform if you don't know anybody who is using it? It's the lesson Google Plus learned in its attempt to fight Facebook. If the people aren't there, then nobody is there. There is a reflection of this all the way back to the start of email as a communications mechanism. PGP was released back in the early 90's and GPG in the late 90's, and because neither ever took off beyond a niche, the whole thing spiraled out of control and went pear-shaped when it crashed to the surface.

Only time will tell, but from what I’ve seen of Keybase, I’m pleased and intrigued. However again, without anyone to actually use this platform with, it’s just another app that I don’t use on my phone or computer.

Ysabel Josephine

Last week Scott approached me and mentioned that he saw an article online from the Kalamazoo Animal Rescue, a local no-kill animal shelter and fostering service that places cats and dogs with their new forever homes. The kitten he met was named Baby by her foster mother, and she was born on April 11th, 2018.

Scott met her first, then I met her afterwards in a second encounter. These photos cover that experience. After we did a lot of soul-searching and talking it out, we decided that we had room and heart enough for this new kitten to be a part of our lives. In these pictures, she had just been washed and was cold and shivering. By the time we were done holding and cuddling her, she was almost dry. The shivering gave way to some loud purring and she napped gently on both my chest and on Scott's.

She’s scheduled to be fixed tomorrow, and after that we’ll take her home to live with us. As kittens go, she is incredibly sweet and even-tempered. She’s been bottle fed by multiple humans, and she has socialized with many other cats and kittens, dogs, goats, and pigs, so integrating with our two at home shouldn’t be too much of a problem for her. She is FeLV and FIV negative, something that was important to make sure of before we could get any further. The link below will take you to the iCloud Photo Sharing site with her baby pictures.

https://www.icloud.com/sharedalbum/#B15GfnH8tGpb1UY

Welcome Home, Ysabel Josephine. We love you.

Bailey Being Silly


With some cats, when they perform a body roll and ask for a cat hug, there is more to it than simply wanting affection. Bailey is a simple cat; he is predominantly composed of wiggles and cuddles, as this video depicts.

200 Hours

The last time I was logged into Facebook was June 9th at 11:45pm. I was scrolling along the wall feed and I distinctly felt ill that I was on Facebook. It wasn’t making me happy, it wasn’t rewarding, it was a chore. More than that, it was an unpleasant chore, and at the time it felt repulsive. The kind of repulsion that makes your stomach go sour, hurk a little and the metallic acid tang at the back of your throat, that sort of raw physical displeasure. I closed the tab, and wrote a little in my journal.

It’s been 200 hours and a few since that moment. I haven’t logged on once since. I don’t feel like I am missing anything, except when I have something to cheer or gripe about. There are a few things that I could have posted on Facebook, and thanks to Yelp, some of that has made its way on to Facebook, but that was automation doing the sharing, not me.

I made a break with Facebook. I’m not going to close anything or remove anything, that would require more exposure to their platform. I simply won’t be there. I’ve got this blog, where I can share things, and of course my journal. Almost everything ends up in the journal anyways, the important things in the blog, and I will leave Facebook and Twitter to the machines, let them suffer it. The universal answer to “Did you see on…?” will default to no. I didn’t see it. I don’t really want to see it, but you’ll show it to me anyways. There may never be freedom, true freedom from Facebook, because it leaks in around the edges and is in the news a lot, so it will become something like a persistent fungal infection. Nothing that actually hurts me, but it makes my toenails ugly. Just leave the socks on.

Facebook, and Google both have contributed to the death of smalltalk. What’s the point of saying anything when nobody believes you and they tell you that you are wrong, up until they read it on the platform and then you hear in a small voice, “Oh, yeah… there it is.” So, whatever. It’s best to just leave everything to the platform, it has in so many ways replaced so much for us. The matter of record, truth, facts, and even basic conversation. The only thing left is to pretend to be a dullard. You don’t know anything, you have nothing to say, and everything is a mystery novelty.

The platform is very interesting. We created something we can’t control, it’s bad for us, but we don’t really care. We’re throwing flowers at Frankenstein’s Monster and celebrating it with daily parades, despite the fact that it rampages and burns down random buildings and causes such conflict and suffering. Hooray for the Monster.

I won’t see it on Facebook. Save your bus fare. Keep whatever it is to yourself. What’s the point of talking about it anyway? All the possible conversations are there, up on that platform; go there, knock yourself out. The Monster loves daisies.

Random Passwords: Idle Hands Are The Devils Workshop

I started toying around with the idea of capturing randomness as a source of good n-character random passwords. There are numerous PRNG and TRNG sources out there that will make an endless stream of random passwords, so this was mostly an effort in light curiosity.

I thought about a good “fat” source of potentially random data, what did I have on me that could generate a nice big file? My iPhone can do it, specifically the camera. However, I need something random, so I marked up a checkerboard using a piece of paper and cut it into little squares. I put it all in a styrofoam cup and shook the daylights out of it. Dumped the paper from the cup onto my desk and spread out all the paper. Then I took a shot with my iPhone.

This created shot1.jpg, a file of 1,893,984 bytes. Since the paper marks will never be in that arrangement ever again, I’d say it’s a pretty good source of randomness. Unrepeatable is not the same as uniformly distributed, though: a JPEG carries fixed headers, quantization and Huffman tables, and marker bytes, so the file as a whole is unpredictable while many of its individual bytes are anything but. It is better thought of as seed material than as a stream of password bytes.

Next up, I used the shuf command to shuffle the lines of the image together. Note what this actually does: shuf splits its input on newline bytes, so it permutes the chunks of the file that happen to fall between 0x0A bytes rather than individual bytes, and the order it produces comes from shuf’s own generator, which GNU shuf seeds from /dev/urandom. On a Mac I only had access to GNU’s coreutils via Homebrew, so for me it’s:

gshuf shot1.jpg > shot1.rnd

Then to turn the data into text, I thought about base64 encoding. The command (macOS’s base64, where -b sets the line width; GNU coreutils spells the same option -w) was:

base64 -b 20 shot1.rnd > randpass1.txt

This created a text file with 126,266 lines. Since each line is a password, that’s my next 126,266 passwords. Each line is 20 base64 characters, which is 15 bytes of the shuffled file, so a line carries at most 120 bits of whatever entropy those bytes had. They look something like this:

Gkmd12A/IecVMjSsNnzS
45BrC+HsYh0X7VGzFnXD
gLRhg3NaF5kQAiMZHb1r
0IvqeO63YEyG7U7y0jFl
p+1Bi/Xrnj8PpWlkYX1s

Finally, with the text file handy and in a safe place, I’ll always have a nice random 20-character password available for quite some time. The safe place is the weak point, though: a plaintext file of 126,266 future passwords is itself a password list, and anyone who reads it gets every password I will ever pick from it. The kernel’s CSPRNG on /dev/urandom hands out the same 15 bytes on demand, with nothing to store.

So of course, at the end, cleaning up using gshred. On a journaled file system like HFS+ on my Mac (and on any SSD, where wear levelling decides where the overwrites actually land), chances are some parts of the data may hang around for a while. However, I was never seriously going into it, so technically a plain delete is good enough, but anyway:

gshred -n 3 -z -u file.ext
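As an added example (not from the original post), here is the same 20-character base64 password format produced directly from the operating system's CSPRNG, plus a crude byte-entropy estimator of the kind you would run over shot1.rnd before trusting it. The estimator is an upper bound only: a low score proves structure (headers, tables, marker bytes), while a score near 8.0 proves nothing, since compressed-but-deterministic data scores high too. The function names and the comparison input are my own.

```python
"""Random 20-character passwords from the OS CSPRNG, and a byte-entropy
estimate that shows why a shuffled JPEG is not a substitute."""
import base64
import math
import secrets
from collections import Counter
from typing import List

B64_ALPHABET = frozenset(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
)


def make_password(nbytes: int = 15) -> str:
    """15 random bytes -> exactly 20 base64 characters, no '=' padding.
    secrets.token_bytes() reads the OS CSPRNG (getrandom()/urandom)."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")


def make_passwords(count: int, nbytes: int = 15) -> List[str]:
    """The same thing as the randpass1.txt file, generated on demand."""
    return [make_password(nbytes) for _ in range(count)]


def password_bits(nbytes: int = 15) -> int:
    """Entropy of a password built this way: 8 bits per random byte.
    base64 is a bijection on the input bytes, so the encoding adds no
    entropy and (without truncation) loses none."""
    return 8 * nbytes


def looks_well_formed(password: str, length: int = 20) -> bool:
    """Sanity check on one line: right length, base64 alphabet only,
    no padding (15 bytes encode to 20 characters without '=')."""
    return len(password) == length and set(password) <= B64_ALPHABET


def shannon_bits_per_byte(data: bytes) -> float:
    """Empirical Shannon entropy per byte (maximum 8.0).
    Upper bound on unpredictability: low means structured, high means
    nothing on its own."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


if __name__ == "__main__":
    for pw in make_passwords(5):
        print(pw)
    print("bits per password:", password_bits())
    # Constructed comparison input (not a real image): CSPRNG output versus
    # plain ASCII text, which is visibly structured.
    print("urandom  :", round(shannon_bits_per_byte(secrets.token_bytes(4096)), 2))
    print("ascii txt:", round(shannon_bits_per_byte(b"the quick brown fox " * 200), 2))
```

Run it with no arguments to print five passwords and the two entropy scores; the text sample lands well under 8.0 while the CSPRNG sample sits just below it. To score the real file, read shot1.rnd as bytes and pass it to shannon_bits_per_byte.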


Automatic Blacklisting using iptables

My home server, an elderly Mac Mini running Debian 8, was recently exposed to the public Internet on port 22, the sshd service. I did that on purpose, so that with dynamic DNS I could open a secure shell from wherever I might be, even if that’s not home.

Of course, with a port opened up like this, I have exposed this Mac Mini to the wilds of the public Internet, and it has been scanned thoroughly. When I looked at /var/log/auth.log, it was full of attempts to log in as root, admin, and pi. The last one, pi, is hilarious because the hostname was never changed when the OS was migrated from running on my Raspberry Pi, so people who scan the IP and get the hostname think it’s a Raspberry Pi.

This has led to a curious exploration of how to prevent people from scanning and attempting to brute-force my sshd server running on this machine. The passwords are complex, so I’m not really worried about anyone breaking into the box, but I do want to dissuade people from even trying. So after some research, I came up with this iptables definition:

iptables -N LOGDROP
iptables -A LOGDROP -j LOG
iptables -A LOGDROP -j DROP
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
iptables -A INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 86400 --hitcount 3 -j LOGDROP

I adapted a bunch of good ideas floating around on other help pages, and these instructions are rather straightforward until the end. The LOGDROP chain is really useful: it logs and then drops traffic in one jump, without having to pair up separate LOG and DROP rules everywhere. The next rule keeps any current SSH session alive no matter what, then everything from loopback is accepted, and then everything from my internal network. The last two rules use the recent module: --set records the source address of every new connection to port 22 in a kernel-side list (the default list, visible at /proc/net/xt_recent/DEFAULT), and --update checks whether that address has hit the list three or more times in the last 86400 seconds, refreshing its timestamp as it does so, and if so sends the packet to LOGDROP. Two caveats are worth knowing. First, hitcount counts new connections, not failed logins, so three SSH sessions from one outside address in a day, including my own, will trip it; a short window with a slightly higher count (say --seconds 60 --hitcount 4) is the more common recipe, and fail2ban is the tool if you want to react to failed logins specifically. Second, because --update refreshes the timestamp on every hit, an address that keeps knocking never ages out, which is what you want for scanners but means a legitimate user who trips it stays blocked until the entry is removed (echo -1.2.3.4 > /proc/net/xt_recent/DEFAULT) or the box reboots. The list lives in kernel memory and does not survive a reboot, and neither do the rules themselves unless they are saved, for example with iptables-persistent on Debian 8.

Obviously this is overkill, and my next step is to add 2FA to PAM on this server so that I will need to enter a password and a six-digit TOTP code that changes every 30 seconds. (The codes are derived from a shared secret and the clock, so a value can recur; what matters is that the next one cannot be predicted without the secret.) The more conventional hardening, which costs nothing, is to set PasswordAuthentication no in sshd_config and allow keys only, at which point the brute-forcers have nothing to guess. If anyone else out there is looking for something similar to this, you’re welcome to try it out. Good luck!
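As an added example (not from the original post), here is the failed-login side of the same idea: the rule above counts connections, while the auth.log entries the post mentions count actual failed passwords per source address and username. This script parses lines in sshd's auth.log format and applies a sliding window ("more than N failures within W seconds" from one address), which is the check fail2ban performs before it adds an address to a chain like LOGDROP. The log lines, function names and the two documentation-range addresses are constructed for the example.

```python
"""Tally sshd password failures per source address and flag the sources
that exceed a threshold inside a sliding time window."""
import re
from collections import Counter, defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Matches the sshd line shape found in Debian's /var/log/auth.log, e.g.
#   Jun 22 03:14:07 pi sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51430 ssh2
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+ ssh2"
)

# Constructed sample log; not captured from the server described in the post.
SAMPLE_LOG = """\
Jun 22 03:14:07 pi sshd[1234]: Failed password for root from 203.0.113.5 port 51422 ssh2
Jun 22 03:14:09 pi sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51430 ssh2
Jun 22 03:14:12 pi sshd[1240]: Failed password for invalid user pi from 203.0.113.5 port 51444 ssh2
Jun 22 03:20:01 pi sshd[1250]: Accepted publickey for me from 192.168.1.20 port 40000 ssh2
Jun 22 03:25:33 pi sshd[1260]: Failed password for invalid user pi from 198.51.100.9 port 33000 ssh2
Jun 22 03:40:00 pi sshd[1270]: Failed password for me from 198.51.100.9 port 33010 ssh2
"""

Failure = Tuple[datetime, str, str]  # (timestamp, username, source ip)


def parse_failures(lines) -> List[Failure]:
    """Extract (time, user, ip) from each 'Failed password' line; other
    lines (accepted logins, cron, sudo) are ignored. syslog timestamps
    carry no year, so strptime yields year 1900; differences still work
    within one year."""
    out: List[Failure] = []
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            out.append((ts, m.group("user"), m.group("ip")))
    return out


def offenders(failures: List[Failure], threshold: int = 3,
              window: int = 86400) -> Dict[str, int]:
    """Return {ip: peak failures inside any `window`-second span} for every
    source that reached `threshold`. A sliding window over sorted timestamps,
    so a burst of three in five seconds and three spread over a day are both
    caught with the post's 86400-second setting."""
    by_ip: Dict[str, List[datetime]] = defaultdict(list)
    for ts, _user, ip in failures:
        by_ip[ip].append(ts)
    flagged: Dict[str, int] = {}
    for ip, times in by_ip.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def usernames_tried(failures: List[Failure]) -> Counter:
    """Which accounts the scanners are guessing (root, admin, pi...)."""
    return Counter(user for _ts, user, _ip in failures)


if __name__ == "__main__":
    fails = parse_failures(SAMPLE_LOG.splitlines())
    print("usernames:", usernames_tried(fails).most_common())
    print("ban with 3/day  :", offenders(fails, threshold=3, window=86400))
    print("ban with 3/60s  :", offenders(fails, threshold=3, window=60))
```

To run it over the real thing, replace SAMPLE_LOG.splitlines() with open("/var/log/auth.log"). Each address that offenders() returns is a candidate for iptables -I INPUT -s ADDRESS -j LOGDROP, which is what fail2ban's iptables action does for you.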

Hyundai – Never Again

This tale of woe begins in October of 2015. I take my 2007 Hyundai Santa Fe into Maple Hill Hyundai for an oil change, and I learn about a service campaign: there is a recall on the valve cover gasket for all Santa Fes like mine. Maple Hill performs the operation; I get a new gasket, a new alternator, and the oil change. I drive away happy; everything is back to normal.

At the end of 2017, I start noticing some odd lights in my car, and generally odd behavior starting to crop up. I’ve got 130,000 miles on the vehicle, so I figure that it’s cold weather and old age. The gas tank needle gets daffy, not registering full tanks of gas, so I use the trip-o-meter to measure out 200 miles and then fill up from there. I can adapt. Then on really cold mornings, I notice the battery light flickers for a little bit, alternating with the seatbelt light, but after a few minutes both go out. I drive it around, and everything is normal.

Then we went to Chicago, Illinois to C2E2. The Santa Fe loaded with suitcases and comic books, I drive it into the parking structure, and that’s that. We have a wonderful time in Chicago, and then we pull it out of the parking structure. I notice that the battery light and seatbelt light have started to blink, but then it goes away and I figure that it’s business as usual. I drop off my niece and her boyfriend at their car and then drive off. As I approach the highway, the battery light and seatbelt light continue to flicker. We get on I-94, headed back to Michigan, and right after we cross from Illinois to Indiana, the battery light is on. Then TPMS, BRAKE, ABS, AIRBAG, all the lights turn on and Check Engine comes on. Then the lights get dimmer and dimmer, and we roll into a Walmart parking lot.

I’m panicking. My car is dying, I’m 125 miles from home, and it’s late Sunday night. After I chill out in the Walmart, we get back to the car, and I turn it on. Check Engine is still on, but everything else is off, and the car is behaving like everything is fine. So we tool around the parking lot a few times, and everything remains fine. So I get on the highway again. We get 25 miles down the road, and then the battery light starts to blink. Then again, everything goes downhill. The car gradually slows down, until I’m pretty much just crawling along on idle speed, the gas pedal is hilariously worthless. We turn a few times and get right up to the parking lot of an Econolodge. All that is left is one tiny little lamp in the instrument cluster, and it’s half-lit anyhow. The car is fully dead. Transmission is stuck in everything but park, and so I get out, and with Scott’s help, we try to push the Santa Fe up the little incline to the parking lot of the Econolodge Hotel. A stranger appears out of nowhere and runs over and asks if he can help, and all three of us push the Santa Fe to the middle of the empty parking lot. I turn the car off, but the panic sets in again because I can’t put the transmission in park. I wait a few minutes and try to turn the car on, I get accessories to come on, and the transmission goes to park. I turn everything off and get a room at that Econolodge.

Now, here is where we place a mental pin in the tale, keep this spot in mind because what happens next is full of consequence.

I wake up the next morning, I don’t know what is wrong with my car, and my first idea is to see if I can find a repair shop. There are lots of auto dealers around, there’s a Kia, there is a Chevy, and a Toyota, but no Hyundai. So I figure I need some sort of shop, so I search Yelp for “auto repair,” and I find Adam’s Towing and Service of Porter, Indiana. I call them, reach Adam, and tell him what happened to my car. He suggests that it’s the alternator and I ask for a tow so he can work on it. The tow guy comes, super amazing fellow, and they get my Santa Fe on the skid and tow it away. I follow after in a rental car I picked up from an Enterprise location in Burns Harbor. We get to Adam’s shop, and they start working on it. I take the rental back to Kalamazoo and drop off everything; we get a call from Adam, my car is ready. He replaced the Serpentine Belt, and the Alternator and everything is back to normal. We get back, drop the rental car and pick up the Santa Fe and drive it back to Kalamazoo. Everything is back to normal. While talking to Adam, he asks if there was anything about motor oil with my car, because the alternator was soaked with oil and that’s why it died. I remember back to the service campaign that Hyundai performed and immediately do a Google Search, and many other people have had the gasket go out on them and struggle with Hyundai about repairs. So I’m thinking that’s what is going on with my Santa Fe. I go to Maple Hill Hyundai, and I learn that the job cannot be cleared because the leak is coming from the Timing Cover Gasket and that repairing that is a $1200 to $1600 process. For me, that totals the Santa Fe.

So then I start talking with Hyundai Corporate, talk to many people about my problem, and I believe that the problem is still the valve cover gasket. That motor oil that was inside my engine got outside and killed the alternator. I’d like my money back from the repair job, and I’d like someone to fix the gasket, just like Hyundai did in October 2015. Just like all those other Santa Fe owners who had this EXACT SAME PROBLEM.

So then, after being told that it wasn’t covered by Maple Hill, I reached out to another shop where I had my brakes done previously and brought it to them. The owner said “How do they know where the leak is, did they clean the side of the engine and run a dye test?” and the answer is no. While we had the hood open, he also pointed out that the plastic cowl that covers the engine was missing nuts, and one was cross-threaded and abused badly by a torque driver. But I don’t know who did it, so who is to blame? Haven’t a clue, but there are only three shops in this tale, Maple Hill, Adam’s, and the place where it sits now.

So then this morning I call Hyundai and I relate the tale to the rep, updating with my misgivings about which gasket really is the problem, and that I want proof that it is either the valve cover gasket or the timing cover gasket, and that I don’t want my money back from the alternator fix, but I really want to prevent this from happening again because I want my car to work for me for a while longer if I can manage it. I relate the tale, and then when I mention Adam’s Towing and Service and the shop that will wash the engine block and run the dye test, the Hyundai rep stops me and tells me that I can stop right there. Hyundai refuses to honor any warranty, expressly or implicitly formed because I took my vehicle to an Independent Repair Facility. So, go back to the pin I mentioned about the momentous choice I made. I was stranded on the highway, no warranty from Hyundai, no clue it was the gasket, and so because I didn’t push the vehicle to a Hyundai dealership, I’m quite shit out of luck.

So that’s the end of it. Hyundai walks away, from a service campaign that they botched, maybe, how can anyone tell? Nobody but the IRF even mentioned cleaning the engine and running a dye test! And what burns the most is that while I was regaling the Hyundai Corporate Rep with my tale of suffering, she searches for a Hyundai dealer in Chesterton, Indiana. Norris Hyundai. She then proceeds to waggle this Hyundai dealers location in my face, over the phone. If only I had pushed my dead 2000 pound Santa Fe to Norris Hyundai, then maybe Hyundai would talk to me. But because I was in the middle of the dark, with a dead car, work on Monday, and all the other stress, that I didn’t search for Norris and I didn’t PUSH MY CAR THERE, that there is nothing left to talk about and that I should have a nice day.

So I am done with Hyundai. I am done with the brand; I’m done with Maple Hill. There is no point in calling Fox Hyundai or Norris Hyundai, or anyone else. Hyundai only has one thought, and that is to hide in their fine print and treat me with such disrespect that it takes my breath away. They have no interest in their customers, no interest in repairing what is their fault. So I’m going to find out since it doesn’t matter now, I’m throwing in all the way with my new repair shop. This fellow will wash the side of the engine block, add the dye, and give me an authoritative answer as to which gasket is leaking. And then I’ll face the question of what to do from that point forward. It will answer the question, is it the timing cover gasket or the valve cover gasket? And if it is the valve cover, I might pay to have this new fellow do the work.

It is clear to me that Hyundai is uninterested in being human to me. They want to be a company, and that is their prerogative. It is my choice to associate with humans or companies, and I make my choices based on what I perceive to be the humanity of whom I am dealing with. Hyundai hides behind their fine print and their rules. That’s perfectly fine. I don’t want anything to do with a company like that. And if that means that I burn all the bridges to all the automakers in my life, then so be it. I have to make a stand, and I will live with the consequences. I will fucking walk if I have to. This deep violation of the Golden Rule is so upsetting to me that I cannot even see straight, so that’s fine Hyundai, hide behind your fine print and your rules and utterly fail to treat others as you would have them treat you.

There is a place in hell for you, and the punishment for a company is expressed regarding karma. You deserve what you get.

Cisco SmartInstall Vulnerability Mitigation

At work, I use Cisco gear everywhere. Recently the Smart Install hack has become a security concern. Smart Install (vstack) runs an unauthenticated client on TCP port 4786, and a vulnerability in it allows bad actors who can reach that port to send arbitrary commands to your network infrastructure.

So I started out knowing how my network is shaped: I customarily keep the 10-net IP space organized by state, then by city, and finally by kind of equipment. Of the four octets, the first has to be 10, the second is the state, the third is the city in that state, and I prefer to keep all my infrastructure gear in the last octet between 250 and 254.

I started with nmap because I wanted a memory refresher so that I wouldn’t miss a device.

nmap 10.1-10.1-10.250-254

This command gives me a handy report of all the places on the inside of my network where ssh or telnet (depending on the age of the gear) reside; nmap’s dotted syntax takes a range in each octet, so that one line covers 10.[1-10].[1-10].[250-254]. Adding -p 22,23,4786 --open narrows the report to the management ports plus the Smart Install port itself. I print off the list, and it becomes an authoritative checklist for all my infrastructure gear.

Then, one at a time, ssh or telnet into the infrastructure devices and paste these commands in one go:

conf t
no vstack
end
wr mem

I don’t care if the command fails; it’ll save the running config to startup-config either way, which suits me fine. show vstack config on each box confirms the result (it should report SmartInstall disabled), and a second nmap pass with -p 4786 confirms nothing is still listening. Once I was sure I got all the equipment that could be affected, I know that, at least for this vulnerability, we’re all done. There won’t be anything, at least for this, at work for me to worry over.

Now if you use vstack or Smart Install, your mileage may vary (Cisco’s guidance for devices that need it is to restrict TCP/4786 with an ACL so only the director can reach it), but I certainly don’t use it. The default is to leave it on, so the smart money is in forcing it off. Even if you think there is no chance of bad actors on your LAN, why leave it open as a vulnerability? Turning it off is one less thing to worry over.
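As an added example (not from the original post, and not a Cisco tool), here is the verification half of the procedure above in script form: expand the same nmap-style dotted range into individual addresses, probe each for an open TCP/4786, and parse the enabled/disabled state out of show vstack config output. The sample command output is constructed from the documented format rather than captured from a real switch, and the function names are my own.

```python
"""Enumerate infrastructure addresses from an nmap-style dotted range,
probe TCP/4786 (the Smart Install client port), and read the state out of
'show vstack config' output."""
import socket
from concurrent.futures import ThreadPoolExecutor
from itertools import product
from typing import List, Optional

SMART_INSTALL_PORT = 4786


def expand_targets(spec: str) -> List[str]:
    """Expand '10.1-10.1-10.250-254' (each octet a number or lo-hi range)
    into every IPv4 address it covers, in the order nmap would walk it."""
    octets = spec.split(".")
    if len(octets) != 4:
        raise ValueError(f"expected four octets in {spec!r}")
    ranges = []
    for octet in octets:
        lo, _, hi = octet.partition("-")
        lo_i = int(lo)
        hi_i = int(hi) if hi else lo_i
        if not 0 <= lo_i <= hi_i <= 255:
            raise ValueError(f"bad octet range {octet!r}")
        ranges.append(range(lo_i, hi_i + 1))
    return [".".join(map(str, combo)) for combo in product(*ranges)]


def tcp_port_open(host: str, port: int = SMART_INSTALL_PORT,
                  timeout: float = 1.0) -> bool:
    """True if a TCP connect succeeds. A switch that still answers on
    4786 has not had 'no vstack' applied (or is acting as director)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit(spec: str, timeout: float = 1.0, workers: int = 32) -> List[str]:
    """Addresses in spec that still accept TCP/4786, probed concurrently."""
    hosts = expand_targets(spec)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = pool.map(lambda h: tcp_port_open(h, timeout=timeout), hosts)
    return [h for h, is_open in zip(hosts, results) if is_open]


def smart_install_enabled(show_vstack_output: str) -> Optional[bool]:
    """Parse 'show vstack config' text: True/False for the reported state,
    None if neither 'SmartInstall enabled' nor 'SmartInstall disabled'
    appears (e.g. a director, or an IOS that lacks the feature)."""
    text = show_vstack_output.lower()
    if "smartinstall disabled" in text:
        return False
    if "smartinstall enabled" in text:
        return True
    return None


# Constructed sample outputs, modelled on the documented format.
SAMPLE_ENABLED = "Role: Client (SmartInstall enabled)\nVstack Director IP address: 0.0.0.0\n"
SAMPLE_DISABLED = "Role: Client (SmartInstall disabled)\n"


if __name__ == "__main__":
    import sys
    spec = sys.argv[1] if len(sys.argv) > 1 else "10.1-10.1-10.250-254"
    still_listening = audit(spec)
    print(f"{len(expand_targets(spec))} addresses checked, "
          f"{len(still_listening)} still answer on TCP/{SMART_INSTALL_PORT}")
    for host in still_listening:
        print(" ", host)
    print("sample parse:", smart_install_enabled(SAMPLE_ENABLED),
          smart_install_enabled(SAMPLE_DISABLED))
```

Run it with the same dotted range you gave nmap; anything it prints is a box that still needs the no vstack paste, and pasting each device's show vstack config output into smart_install_enabled() is the per-device cross-check.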

Dreamscapes of Chicago

While I’ve been enjoying Chicago, being pretty much carless the entire time, with the Santa Fe parked in the hotel’s parking structure and Uber rides everywhere, has done nothing to reduce the nightmares that I suffer every night sleeping in this place.

Car Theft.

These nightmares are riffs on a theme, different thieves, different cars, different lives, different settings. Cars without wheels, somehow rolling away, cars without any internal parts whatsoever operating as if they had them. Thieves that are anonymous or thieves that are caught but chatty occupy the dreamscape.

I’ve had three cycles of sleep here, and in each cycle, the same exact thing. My vehicle is stolen. When I try to stop the thieves, they explain to me that it has to be this way, that it always has to be this way.

And while I’ve had a delightful time at C2E2, I am going to welcome my exit from this place. I can’t stay in Chicago much longer, if for no other reason than that I can’t endure many more of these nightmares every single night, like clockwork.