I Don’t Want Your Mail

You can’t have my email address and I don’t want your junk.

There’s my grumpy old man cry, but it’s not without merit.  Too often, when I sign up for a service, I’m required to provide my email address.  Often, this is for practical reasons, but just as often, the site just doesn’t have a justifiable need-to-know.  They just want to send junk and promotions.

But rather than disconnect myself, I needed a solution.  To address this very problem, people often create a separate email account for these types of websites, knowing that it’ll become overwhelmed with junk, whilst leaving their primary email a sacred haven for more important correspondence.  Failing to find an alternative to the mandatory email-divulging requirements (because these sites always require that you confirm it’s a valid email by clicking a link sent to it), I, too, finally relented and adopted this solution.  But I’m a techie, so I’m not simply going to Gmail for this.  No, I’m not creating a run-of-the-mill dummy email, I’m creating an alter ego!  A doppelgänger!  An…Arbiter of Techno-Ethereal Ontology!

Okay, that might be a little cumbersome to adopt as a username, but as this mystical stand-in must remain a spectral whisper, I shan’t divulge its true name, because…you know…then you’d be immune to its powers.  Some LeGuin shit right there.

And because I don’t want to divulge its true name, I couldn’t use it as the email user name, so instead, I will use my server’s email platform to create…an alias!  That’s right, an alias to my doppelgänger–additional layers of mystery.  I shall become a shadow of the Internet.  WHOIS ain’t got shit on me!

Okay, “subscriptions” is a rather anticlimactic alias considering the pretentious melodrama from earlier, but I needed it simple to remember and type.

And so, I created the doppelgänger user account on the server, then by leveraging the server’s mail software, I designated the aforementioned alias.  Now I can simply use the server’s Roundcube-based webmail client and sign into the doppelgänger account as needed (no push notifications!).  I sent a test email from my primary account to subscriptions@moorheadfamily.net and…

Success!  So why bother with this more involved solution when a free mail service does essentially the same thing?  Partly because I can, but mainly because I can enable and disable the email address at will without losing the inbox.  If the dummy account starts getting too much junk mail, I’ll disable the alias, which causes all future mail sent to it to bounce, and set up a new alias that forwards to the doppelgänger instead.  I never have to change the login to the main doppelgänger account.
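To make the alias mechanism concrete, here is an added example (not code from the post, and not the server’s actual mail software) that models an aliases(5)-style table: mail to an alias is resolved through the table until it reaches a real local account, a disabled alias resolves to nothing (a bounce), and the mailbox behind it is untouched.  The alias file, the account names and the helper names are all constructed for the example.

```python
"""Added example (not from the post): a small model of how a mail server's
alias table maps "subscriptions@" onto a real mailbox, and what happens
when an alias is disabled or replaced.

Assumption (not stated in the post): aliases live in the classic aliases(5)
text format, "alias: target", and chains of aliases are followed until a
real local account is reached.  All names below are constructed.
"""
from __future__ import annotations

# Constructed alias table in aliases(5) style.  A leading '#' disables a line.
ALIASES_FILE = """\
# local-part: destination
postmaster: root
subscriptions: doppelganger
# newsletters: doppelganger    <- disabled after it attracted too much junk
"""

# Constructed set of real local accounts (what the server's user database holds).
LOCAL_ACCOUNTS = {"root", "simon", "doppelganger"}


def parse_aliases(text: str) -> dict[str, str]:
    """Parse an aliases(5)-style table; comment and blank lines are ignored."""
    table: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing/whole-line comments
        if not line:
            continue
        name, _, target = line.partition(":")
        table[name.strip().lower()] = target.strip()
    return table


def resolve(local_part: str, aliases: dict[str, str], accounts: set[str]) -> str | None:
    """Follow alias chains to a real account.

    Returns None when delivery would bounce: the name is neither an account
    nor an active alias, or the alias chain loops back on itself.
    """
    seen: set[str] = set()
    name = local_part.lower()
    while name not in accounts:
        if name in seen or name not in aliases:
            return None
        seen.add(name)
        name = aliases[name].lower()
    return name


def disable_alias(text: str, local_part: str) -> str:
    """Comment out an alias so mail to it bounces; the target mailbox is untouched."""
    out = []
    for raw in text.splitlines():
        stripped = raw.strip()
        is_comment = stripped.startswith("#")
        alias_name = stripped.split(":", 1)[0].strip().lower()
        if not is_comment and alias_name == local_part.lower():
            out.append("# " + raw)
        else:
            out.append(raw)
    return "\n".join(out) + "\n"


def add_alias(text: str, local_part: str, target: str) -> str:
    """Append a new alias line pointing at an existing mailbox or alias."""
    return text + f"{local_part}: {target}\n"


if __name__ == "__main__":
    table = parse_aliases(ALIASES_FILE)
    print("subscriptions ->", resolve("subscriptions", table, LOCAL_ACCOUNTS))
    # Rotate the alias: retire the burned one, hand out a fresh one, same mailbox.
    rotated = add_alias(disable_alias(ALIASES_FILE, "subscriptions"),
                        "subscriptions2", "doppelganger")
    table = parse_aliases(rotated)
    print("subscriptions ->", resolve("subscriptions", table, LOCAL_ACCOUNTS))
    print("subscriptions2 ->", resolve("subscriptions2", table, LOCAL_ACCOUNTS))
```

On a real server the edited file still has to be compiled into the lookup table the MTA reads (the equivalent of `newaliases` or `postmap`, depending on the software), and the loop guard in `resolve` is the reason real MTAs refuse alias chains that point back at themselves.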

Why can’t we all just play nice on the Internet to begin with?

–Simon

Community

This story begins with a little bit of mystery.

Well, initially I was just involved with another one of my web design projects.  I had previously built a dashboard of sorts–a web page that had embedded widgets.  I would open the page with my Raspberry Pi, and plug it into the TV.  Then I could just switch inputs and see the displayed info–weather and news–on my main TV.

The problem with this method is that I could never figure out a way to automatically open the browser upon boot and enter kiosk mode.  Usually this wasn’t a problem, but whenever the Pi got unplugged, I had to hunt down a mouse and keyboard so I could relaunch the browser.  The Pi’s browser also had a habit of timing out, so I’d have to refresh it manually, which again meant hunting down a mouse/keyboard.  Eventually, the novelty of the project wore off and the irritations outweighed the benefit, so I moved the Pi to the basement where it sits idle–serving only the purpose of being a low-risk device with which to practice remote shell Linux commands from the command line terminal.

Then I realized that since the Xbox has a native browser, perhaps I could revive the dashboard project to simply run on the Xbox.  I dug up the URL from where I had buried it, and launched the site.

The news feed wasn’t working, and the embedded calendar was redundant as I had a setup already running that in the basement.  So the dash would need a redesign after all.

I settled on 3 panes: my embedded NOAA radar, a weather forecast widget, and a news feed.  The first 2 I already had working, and some CSS got them positioned right.  But for the life of me, I could not find a reliable news feed that allowed iframe embedding.  The former method I had been using was a free Google service, which they had since deprecated.  Everyone wants you to sign up for things now.  Apparently something as minor as general news is no longer considered a free service.  Pity.  After failing to find a replacement, I abandoned the news feed idea.

I needed something else to fill the space, and I concluded that I would just complete the weather theme and find a free webcam.  I began with local news stations, but as with their Doppler radars and news feeds, nothing was intuitive, embeddable, or truly free.  Does everything have to be a source of revenue?  There was a time when the Internet was considered a free medium.

Further searches revealed a local webcam.  It was good resolution, too, and a genuine live-feed (something that rarely exists anymore).  Plus, the hosting server didn’t have any lockouts on iframe embedding.  Some more CSS and I had the webcam feed on my dashboard.

It could have ended there, but I grew curious.  Who would host a publicly-available webcam?  I began poking around the hosting domain.

The website’s design was pretty basic by modern standards–no HTML5, no adaptive content, no CSS styling.  It was a refreshing throwback to the Internet of the 90s.  The site itself was a resource on radio: HAM, scanners, AM PSA; and where to learn about them and buy equipment.  I tuned in to 1660 AM–the listed station, and heard a local broadcast of a High School sports event.

Further intrigued by this grass-roots site, I did a WHOIS search on the domain, and found to my surprise that the site’s registrant’s information wasn’t blocked.  The address of his office was public, and as it turned out, just a mile north of my house.  The webcam couldn’t have been much more local than that.

Something about the site inspired me.  Maybe it was guilt at having access to free information and a webcam, or a desire to give back.  Maybe I just wanted to see if I could help someone, or simply needed an excuse for another project.  Who knows?  Whatever the reason, I spent a couple evenings coding a new front page for the site.  I modernized it and organized the information so it was easier to navigate.  I assigned this redesign its own subdomain and hosted it on my server.  Then, I sent the owner an email.

I told him I liked the information on the site and the webcam, and offered the redesign code freely were he interested.  I told him that it was nice to see such a site, obviously self-hosted, and offering a public service.

The email was a Yahoo! domain, and as I was a random stranger reaching out from the internet, I didn’t expect to receive any response.  But to my surprise, hours later, he answered.

He explained in great detail the site’s content–the public radio station for citizens to make announcements and what he uses to transmit local high school games.  He confirmed the webcam is for public use, and that the local Channel 2 news uses it sometimes in their weather reports.  He explained that he’s mostly retired from the business, but keeps it running for extra revenue for his hobbies.  Consequently, he wasn’t interested in help with the web design, but he thanked me for offering.

I confess, I had always found HAM hobbyists to be weirdos, but this man was surprisingly normal, giving off a vibe of being an older man with hobbies that overlapped a personal business.  We should all be so lucky.

I thanked him for the information and told him this was an interesting experience as a segue into another world of communications technology for me.  It reminded me that while a technology inevitably becomes commercialized, and the large companies garner the most attention, niche groups and hobbyists remain, using the technology for its original purpose, free from the capitalistic motivations of shareholders.  It remains as evidence that intellectuals still pursue knowledge for knowledge’s sake, and offer free benefits to the population as a whole in the process.

–Simon

Certificate Renewal #3

In accordance with Let’s Encrypt’s 90-day certificate expirations (as mentioned previously), this site’s TLS certificate has been updated.

SHA-1 Fingerprint:

11:F9:27:44:67:C8:F8:F6:F2:A3:51:53:1E:1E:38:32:4E:24:1F:C3

SHA-256 Fingerprint:

86:3E:0A:94:2D:35:43:2D:81:81:6F:32:BF:F9:3B:82:CB:09:C5:96:72:D4:F7:01:AD:FF:53:91:91:A0:22:F1

The new expiration will be 12/15/17.

–Simon

WordPress Comment Spam

For those who don’t know, WordPress has a comments option.  In practice, reading article comments is generally of very limited value, but depending on the type of article and the people it attracts, the comments can at times still prove to be thought-provoking.  And what writer doesn’t appreciate the occasional thumbs up?  So I leave them enabled.  However, in order to stem the potential abuse of said comments option, WordPress has various controls in place.  I keep the defaults enabled, which require the user to self-identify.  Obviously, there are problems with that policy.  But, the defaults also require the admin to personally approve each initial post from an individual.  Consequently, I’ve gotten some spam comments, but I haven’t approved them.  For amusement though, I will post them here, with all information which could prove beneficial to the spammer appropriately redacted.

The first comment I received was from a “Jean Miller” in response to S/MIME Email Encryption:

Emails stored on some third party servers can never be secure. [REDACTED COMPANY NAME] on the other hand bypasses cloud storage servers making it very safe to send secure email. See [REDACTED URL].

There’s a lot wrong with this.  First of all, unless you’re self-hosting email, all servers are 3rd party, or 2nd party if you’re considering the relationship between yourself and the email provider.  In any case, you can’t generally determine what security measures are in place beyond the company’s privacy policy, and even that isn’t a guarantee.  And any email you send is going to someone else’s email provider, which is beyond your control as well.  And the communication protocol behind email itself doesn’t enforce encryption–that’s the problem with email as a whole.  Also, “the cloud” is just internet servers, sooooo you can’t bypass cloud storage for email, unless you’re considering self-hosted to not be cloud per se.

The second comment I received was from a “Web Scripts” in response to Pumpkins!:

i love funny stuffs, but i specially like funny movies and funny videos on the internet**

I read once that spam intentionally utilizes bad grammar.  The concept is that an attentive reader will immediately identify the message as spam, and thus ignore it.  This avoids wasting the spammer’s time, since the attentive reader would presumably also be the one to spot the eventual scam, whilst the non-attentive reader might not.  It sounds like a good theory anyway.  And what’s with the double “**”?  Is there more to follow?  Are there specific conditions under which this spammer likes humor that I should be aware of?  If nothing else, they at least honestly self-identified as a bot.

Lastly, I received a comment just recently from a “private event security services” in response to “Mantis“:

My family members all the time say that I am killing my time here at net, however I know I am getting experience every day by
reading such pleasant posts.

It almost sounds like a believable comment, as the grammar could be attributed to the “.de” domain, except I’ve never heard someone mention that the Scandinavians have any trouble with the English language (also, there’s the name that was used).  I’d like to think that someone somewhere just wanted to compliment my writing.  Except, who has family that actively criticizes one’s internet usage, unless they’re an adolescent?  On a related topic, France and Denmark are the only two foreign countries that I whitelist (after receiving numerous attempts by Russian and Chinese IPs to brute-force my mail server) because I had family over there for a time.  Interesting that a bot there found this site.

So there we have it.  I’ve turned an irritation into entertainment.  Only humans and fully-autonomous AIs may leave comments.

–Simon

Password Expiration

For anyone who follows infosec news, or even just basic tech news, NIST has made a landmark change to its password guidelines:

Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.

The change came last month, with NIST Special Publication 800-63B.  Now, to clarify, NIST cannot enforce these standards upon the private sector.  However, as a general best practice, businesses incorporate the NIST standards anyway–a decision with which I personally don’t find any fault.

But a consequence of this has been the eternal password debate.  I jested at the very popular entropy argument, and offered my own thoughts on the matter, specifically that the mathematical models change depending on how one views a password’s derived length.  And while this argument still continues, at least now we can finally acknowledge that once a “good” password has been created, the human elements create enough points of failure as to render any advantages of regular password changes negated.
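As an added illustration (this is my example, not NIST’s reference code or anything from the original post), here is what a verifier written to the quoted 800-63B rule looks like next to the old 90-day policy, plus the two entropy models alluded to above applied to the same passphrase.  The breach blocklist, the account records, the 94-symbol alphabet and the 7776-word list size are constructed or assumed sample values, not figures from the post.

```python
"""Added example, not from the post and not NIST's code: a memorized-secret
verifier in the spirit of SP 800-63B section 5.1.1.2, the legacy 90-day
rotation rule it replaces, and two entropy estimates for one passphrase.
The blocklist and credential records are constructed sample data."""
from __future__ import annotations

import math
from dataclasses import dataclass
from datetime import date

# Constructed stand-in for a breached-password blocklist.  800-63B requires
# comparing new secrets against such a list; a real one is far larger.
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "correcthorsebatterystaple"}

MIN_LEN, MAX_LEN = 8, 64  # 800-63B: at least 8 characters; accept at least 64


def check_new_secret(candidate: str, context_words: set[str] = frozenset()) -> list[str]:
    """Return the reasons to reject a proposed secret; [] means acceptable.

    Deliberately no composition rules ("must contain a digit") - 800-63B
    says verifiers SHOULD NOT impose them.  `context_words` holds things the
    secret must not contain, such as the username or the service name.
    """
    reasons = []
    if len(candidate) < MIN_LEN:
        reasons.append("too short")
    if len(candidate) > MAX_LEN:
        reasons.append("too long for this verifier")
    lowered = candidate.lower()
    if lowered in BLOCKLIST:
        reasons.append("appears in breach list")
    if any(w and w.lower() in lowered for w in context_words):
        reasons.append("contains username or service name")
    return reasons


@dataclass
class Credential:
    last_changed: date
    compromised: bool = False  # set when a leak of this secret is detected


def legacy_policy(cred: Credential, today: date, max_age_days: int = 90) -> bool:
    """The old rule: rotate purely because the calendar says so."""
    return cred.compromised or (today - cred.last_changed).days >= max_age_days


def nist_policy(cred: Credential) -> bool:
    """800-63B: no arbitrary periodic change; force one only on evidence of
    compromise.  Note that the date is not even an input."""
    return cred.compromised


def entropy_bits(secret: str, model: str, *, alphabet: int = 94, wordlist: int = 7776) -> float:
    """Two estimates for the same secret, depending on how its length is counted.

    'chars': each of the N characters is uniform over `alphabet` symbols
             (94 = printable ASCII minus space, an assumed figure).
    'words': the secret is k space-separated words chosen uniformly from a
             `wordlist`-entry list (7776 = a diceware-style list, assumed).
    """
    if model == "chars":
        return len(secret) * math.log2(alphabet)
    if model == "words":
        return len(secret.split()) * math.log2(wordlist)
    raise ValueError(f"unknown model: {model}")


if __name__ == "__main__":
    phrase = "correct horse battery staple"
    print("chars model:", round(entropy_bits(phrase, "chars"), 1), "bits")
    print("words model:", round(entropy_bits(phrase, "words"), 1), "bits")
    aged = Credential(last_changed=date(2017, 1, 1))
    print("legacy says rotate:", legacy_policy(aged, date(2017, 9, 1)))
    print("nist says rotate:", nist_policy(aged))
    print("reject reasons for 'password':", check_new_secret("password"))
```

The same passphrase scores very differently under the two models, which is the whole "derived length" argument: an attacker who knows the secret is four dictionary words faces the `words` figure, not the `chars` one.  And `nist_policy` taking no date at all is the point of the quoted rule.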

I therefore beseech you, my employer: can we now please stop with the mandatory 90-day password changes?

–Simon