Community

This story begins with a little bit of mystery.

Well, initially I was just involved with another one of my web design projects.  I had previously built a dashboard of sorts–a web page that had embedded widgets.  I would open the page with my Raspberry Pi, and plug it into the TV.  Then I could just switch inputs and see the displayed info–weather and news–on my main TV.

The problem with this method is that I could never figure out a way to automatically open the browser upon boot and enter kiosk mode.  Usually this wasn’t a problem, but whenever the Pi got unplugged, I had to hunt down a mouse and keyboard so I could relaunch the browser.  The Pi’s browser also had a habit of timing out, so I’d have to refresh it manually, which again meant hunting down a mouse/keyboard.  Eventually, the novelty of the project wore off and the irritations outweighed the benefit, so I moved the Pi to the basement where it sits idle–serving only the purpose of being a low-risk device with which to practice remote shell Linux commands from the command line terminal.

Then I realized that since the Xbox has a native browser, perhaps I could revive the dashboard project to simply run on the Xbox.  I dug up the URL from where I had buried it, and launched the site.

The news feed wasn’t working, and the embedded calendar was redundant, as I already had a setup running that in the basement.  So the dash would need a redesign after all.

I settled on 3 panes: my embedded NOAA radar, a weather forecast widget, and a news feed.  The first 2 I already had working, and some CSS got them positioned right.  But for the life of me, I could not find a reliable news feed that allowed iframe embedding.  The former method I had been using was a free Google service, which they had since deprecated.  Everyone wants you to sign up for things now.  Apparently something as minor as general news is no longer considered a free service.  Pity.  After failing to find a replacement, I abandoned the news feed idea.

I needed something else to fill the space, and I concluded that I would just complete the weather theme and find a free webcam.  I began with local news stations, but as with their Doppler radars and news feeds, nothing was intuitive, embeddable, or truly free.  Does everything have to be a source of revenue?  There was a time when the Internet was considered a free medium.

Further searches revealed a local webcam.  It was good resolution, too, and a genuine live-feed (something that rarely exists anymore).  Plus, the hosting server didn’t have any lockouts on iframe embedding.  Some more CSS and I had the webcam feed on my dashboard.

It could have ended there, but I grew curious.  Who would host a publicly-available webcam?  I began poking around the hosting domain.

The website’s design was pretty basic by modern standards–no HTML5, no adaptive content, no CSS styling.  It was a refreshing throwback to the Internet of the 90s.  The site itself was a resource on radio: HAM, scanners, AM PSA; and where to learn about them and buy equipment.  I tuned in to 1660 AM (the listed station) and heard a local broadcast of a High School sports event.

Further intrigued by this grass-roots site, I did a WHOIS search on the domain, and found to my surprise that the site’s registrant’s information wasn’t blocked.  The address of his office was public, and as it turned out, just a mile north of my house.  The webcam couldn’t have been much more local than that.

Something about the site inspired me.  Maybe it was guilt at having access to free information and a webcam, or a desire to give back.  Maybe I just wanted to see if I could help someone, or simply needed an excuse for another project.  Who knows?  Whatever the reason, I spent a couple evenings coding a new front page for the site.  I modernized it and organized the information so it was easier to navigate.  I assigned this redesign its own subdomain and hosted it on my server.  Then, I sent the owner an email.

I told him I liked the information on the site and the webcam, and offered the redesign code freely were he interested.  I told him that it was nice to see such a site, obviously self-hosted, and offering a public service.

The email was a Yahoo! domain, and as I was a random stranger reaching out from the internet, I didn’t expect to receive any response.  But to my surprise, hours later, he answered.

He explained in great detail the site’s content–the public radio station for citizens to make announcements and what he uses to transmit local high school games.  He confirmed the webcam is for public use, and that the local Channel 2 news uses it sometimes in their weather reports.  He explained that he’s mostly retired from the business but keeps it running for extra revenue to fund his hobbies.  Consequently, he wasn’t interested in help with the web design, but he thanked me for offering.

I confess, I had always found HAM hobbyists to be weirdos, but this man was surprisingly normal, giving off a vibe of being an older man with hobbies that overlapped a personal business.  We should all be so lucky.

I thanked him for the information and told him this was an interesting experience as a segue into another world of communications technology for me.  It reminded me that while a technology inevitably becomes commercialized, and the large companies garner the most attention, niche groups and hobbyists remain, using the technology for its original purpose, free from the capitalistic motivations of shareholders.  It remains as evidence that intellectuals still pursue knowledge for knowledge’s sake, and offer free benefits to the population as a whole in the process.

–Simon

Certificate Renewal #3

In accordance with Let’s Encrypt’s 90-day certificate expirations (as mentioned previously), this site’s TLS certificate has been updated.

SHA-1 Fingerprint:

11:F9:27:44:67:C8:F8:F6:F2:A3:51:53:1E:1E:38:32:4E:24:1F:C3

SHA-256 Fingerprint:

86:3E:0A:94:2D:35:43:2D:81:81:6F:32:BF:F9:3B:82:CB:09:C5:96:72:D4:F7:01:AD:FF:53:91:91:A0:22:F1

The new expiration will be 12/15/17.

–Simon

WordPress Comment Spam

For those who don’t know, WordPress has a comments option.  In practice, reading article comments is generally of very limited value, but depending on the type of article and the people it attracts, the comments can at times still prove to be thought-provoking.  And what writer doesn’t appreciate the occasional thumbs up?  So I leave them enabled.  However, in order to stem the potential abuse of said comments option, WordPress has various controls in place.  I keep the defaults enabled, which require the user to self-identify.  Obviously, there are problems with that policy.  But, the defaults also require the admin to personally approve each initial post from an individual.  Consequently, I’ve gotten some spam comments, but I haven’t approved them.  For amusement though, I will post them here, with all information which could prove beneficial to the spammer appropriately redacted.
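To make the moderation policy described above concrete, here is an added example (my own model, not WordPress code): a first comment from any author is held until an admin approves it, later comments from an author with an approved comment pass, and a comment without a name and e-mail address is rejected.  The sample comments are constructed, loosely modelled on the three spam submissions quoted later in this post, and the e-mail addresses are placeholders.

```python
"""Minimal model of WordPress's default comment moderation (added example,
not WordPress's own code). Policy modelled, as described in the post:
commenters must self-identify with a name and e-mail, an author's first
comment is held for manual approval, and only an admin approval lets that
author's later comments through automatically."""
from dataclasses import dataclass, field


@dataclass
class Comment:
    author: str
    email: str
    body: str


@dataclass
class Moderator:
    # e-mails that already have at least one admin-approved comment
    approved_authors: set = field(default_factory=set)
    # comments waiting for the admin to look at them
    pending: list = field(default_factory=list)

    def submit(self, c: Comment) -> str:
        """Return the state the comment lands in: 'rejected' (no
        self-identification), 'pending' (needs admin approval) or 'approved'."""
        if not c.author.strip() or "@" not in c.email:
            return "rejected"
        if c.email.lower() in self.approved_authors:
            return "approved"
        self.pending.append(c)
        return "pending"

    def approve(self, c: Comment) -> None:
        """Admin approves a pending comment; that author's later comments pass."""
        self.pending.remove(c)
        self.approved_authors.add(c.email.lower())


# Constructed comments modelled on the spam quoted in the post (placeholder addresses).
SPAM = [
    Comment("Jean Miller", "jean@example.invalid",
            "Emails stored on some third party servers can never be secure. See [REDACTED URL]."),
    Comment("Web Scripts", "webscripts@example.invalid",
            "i love funny stuffs, but i specially like funny movies**"),
    Comment("private event security services", "",
            "My family members all the time say that I am killing my time here at net."),
]


def demo() -> list:
    """Run the queue: every spam comment ends up 'pending' or 'rejected', and
    because the admin never approves one, none is ever published."""
    mod = Moderator()
    states = [mod.submit(c) for c in SPAM]
    # A second comment from the same spammer is still held: nothing was approved.
    states.append(mod.submit(SPAM[0]))
    # Contrast: once the admin approves a reader's comment, that reader's next passes.
    reader = Comment("Reader", "reader@example.invalid", "Nice post.")
    mod.submit(reader)
    mod.approve(reader)
    states.append(mod.submit(Comment("Reader", "reader@example.invalid", "Another thought.")))
    return states
```

The point of the model is that the default is fail-closed: a bot that never gets a first approval can post as often as it likes and nothing reaches the page, which is exactly the behaviour the post relies on.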

The first comment I received was from a “Jean Miller” in response to S/MIME Email Encryption:

Emails stored on some third party servers can never be secure. [REDACTED COMPANY NAME] on the other hand bypasses cloud storage servers making it very safe to send secure email. See [REDACTED URL].

There’s a lot wrong with this.  First of all, unless you’re self-hosting email, all servers are 3rd party, or 2nd party if you’re considering the relationship between yourself and the email provider.  In any case, you can’t generally determine what security measures are in place beyond the company’s privacy policy, and even that isn’t a guarantee.  And any email you send is going to someone else’s email provider, which is beyond your control as well.  And the communication protocol behind email itself doesn’t enforce encryption–that’s the problem with email as a whole.  Also, “the cloud” is just internet servers, sooooo you can’t bypass cloud storage for email, unless you’re considering self-hosted to not be cloud per se.

The second comment I received was from a “Web Scripts” in response to Pumpkins!:

i love funny stuffs, but i specially like funny movies and funny videos on the internet**

I read once that spam intentionally utilizes bad grammar.  The concept is that an attentive reader will immediately identify the message as spam, and thus ignore it.  This avoids wasting the spammer’s time, for presumably the attentive spamee in this instance would more readily identify a scam, whilst the non-attentive reader might not.  It sounds like a good theory anyway.  And what’s with the double “**”?  Is there more to follow?  Are there specific conditions under which this spammer likes humor that I should be aware of?  If nothing else, they at least honestly self-identified as a bot.

Lastly, I received a comment just recently from a “private event security services” in response to “Mantis“:

My family members all the time say that I am killing my time here at net, however I know I am getting experience every day by
reading such pleasant posts.

It almost sounds like a believable comment, as the grammar could be attributed to the “.de” domain, except I’ve never heard someone mention that the Scandinavians have any trouble with the English language (also, there’s the name that was used).  I’d like to think that someone somewhere just wanted to compliment my writing.  Except, who has family that actively criticizes one’s internet usage, unless they’re an adolescent?  On a related topic, France and Denmark are the only two foreign countries that I whitelist (after receiving numerous attempts by Russian and Chinese IPs to brute-force my mail server) because I had family over there for a time.  Interesting that a bot there found this site.

So there we have it.  I’ve turned an irritation into entertainment.  Only humans and fully-autonomous AIs may leave comments.

–Simon

Password Expiration

For anyone who follows infosec news, or even just basic tech news: NIST has made a landmark change to their password guidelines:

Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.

The change came last month, with the NIST Special Publication 800-63B.  Now, to clarify, NIST cannot enforce these standards upon the private sector.  However, as a general best-practice, businesses incorporate the NIST standards anyway–a decision with which I personally don’t find any fault.

But a consequence of this has been the eternal password debate.  I jested at the very-popular entropy argument, and offered my own thoughts on the matter, specifically that the mathematical models change depending on how one views a password’s derived length.  And while this argument still continues, at least now we can finally acknowledge that once a “good” password has been created, the human elements create enough points of failure that any advantage of regular password changes is negated.
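As an added illustration of the rule quoted above (my own code, not NIST’s and not from this post), here is a verifier’s decision written both ways: the legacy calendar rule that forces a change after a fixed number of days, and the SP 800-63B rule that forces one only on evidence of compromise.  The accounts, dates and the tiny breached-password set are constructed; a real verifier would compare against a far larger breach corpus and would store passwords with a slow salted hash, the plain SHA-256 here exists only to make the constructed set comparable.

```python
"""Two password-expiry policies side by side (added example, not NIST or blog
code). legacy_policy() expires on age alone; nist_policy() follows the quoted
SP 800-63B text: never arbitrarily, always on evidence of compromise."""
import hashlib
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Account:
    user: str
    password_sha256: str            # hex digest of the current password (demo only)
    last_changed: date
    compromise_evidence: bool = False   # e.g. leaked credential, confirmed phishing


# Constructed stand-in for a breach corpus; SP 800-63B also requires checking
# new secrets against such lists, so a hit here is "evidence of compromise".
BREACHED_SHA256 = {
    hashlib.sha256(b"Winter2017!").hexdigest(),
    hashlib.sha256(b"password123").hexdigest(),
}


def legacy_policy(acct: Account, today: date, max_age_days: int = 90) -> bool:
    """Old-style rule: expire purely on age, regardless of any evidence."""
    return (today - acct.last_changed) > timedelta(days=max_age_days)


def nist_policy(acct: Account) -> bool:
    """SP 800-63B rule: no periodic change; force one only when there is
    evidence of compromise (an explicit signal or the secret in a breach set)."""
    return acct.compromise_evidence or acct.password_sha256 in BREACHED_SHA256


def decide(acct: Account, today: date) -> dict:
    """What each policy would demand of this account today."""
    return {"legacy": legacy_policy(acct, today), "nist": nist_policy(acct)}


def demo() -> dict:
    today = date(2017, 9, 20)   # constructed "now"
    # Good passphrase, untouched for well over a year: only the calendar complains.
    strong = Account("alice", hashlib.sha256(b"correct horse battery staple").hexdigest(),
                     date(2016, 5, 1))
    # Rotated yesterday, but to a password already in the breach set.
    weak = Account("bob", hashlib.sha256(b"Winter2017!").hexdigest(),
                   today - timedelta(days=1))
    # Recent password, but the account was seen in a credential leak.
    flagged = Account("carol", hashlib.sha256(b"x7#Qm9!vLp2").hexdigest(),
                      today - timedelta(days=10), compromise_evidence=True)
    return {a.user: decide(a, today) for a in (strong, weak, flagged)}
```

The two rules disagree on every account in the demo: the calendar rule nags the one user who has done nothing wrong and waves through the two who actually need a reset, which is the whole argument for dropping the 90-day cycle.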

I therefore beseech you, my employer: can we now please stop with the mandatory 90-day password changes?

–Simon

Certificate Renewal #2

In accordance with Let’s Encrypt’s 90-day certificate expirations (as mentioned previously), here we go again.  Fear not, the Certificate Mismatch warning is normal.  But again, for the paranoid, here are the fingerprints to verify:

SHA-1 Fingerprint:

16:CA:65:79:A6:D5:44:3E:5C:9D:39:1D:34:E3:5C:57:F7:09:13:F7

SHA-256 Fingerprint:

F7:90:29:3F:04:0D:F2:A4:87:A3:9A:12:FF:3D:CA:EE:F4:23:04:64:2B:EA:0B:08:5B:AB:74:8E:94:84:BA:EE

The new expiration will be 10/4/17.
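For readers who want to act on the fingerprints published in this and the previous renewal post, here is an added example (my own code, not part of the blog) of how such a check is done: the fingerprint is simply a hash of the certificate’s DER encoding, shown as colon-separated hex.  The DER bytes used in the offline demo are a constructed stand-in, so the values it produces are not this site’s real fingerprints; `fetch_der()` is the network step you would run against the real host.

```python
"""Verify a server certificate against a published fingerprint (added
example, not code from the blog). SAMPLE_DER is a constructed stand-in for
a real DER-encoded certificate; fetch_der() needs network access and is not
used by the offline demo."""
import hashlib
import hmac
import ssl


def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """Colon-separated upper-case hex, the form openssl and browsers display."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def matches_published(der: bytes, published: str, algo: str = "sha256") -> bool:
    """Compare a certificate's fingerprint with a published one. Colons, spaces
    and letter case are normalised; the comparison itself is constant-time."""
    want = published.replace(":", "").replace(" ", "").lower()
    got = hashlib.new(algo, der).hexdigest()
    return hmac.compare_digest(got, want)


def fetch_der(host: str, port: int = 443) -> bytes:
    """Download the leaf certificate the server presents (network access needed)."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


# Constructed stand-in; a real check would use fetch_der("<host>") instead.
SAMPLE_DER = b"constructed-stand-in-for-a-DER-encoded-certificate"
# In practice this value is copied from the blog post; here it is derived from
# the stand-in so the demo runs offline.
PUBLISHED = fingerprint(SAMPLE_DER)


def demo() -> dict:
    return {
        "sha256_ok": matches_published(SAMPLE_DER, PUBLISHED),
        "sha1_ok": matches_published(SAMPLE_DER, fingerprint(SAMPLE_DER, "sha1"), "sha1"),
        # One byte of difference changes the whole digest.
        "tampered": matches_published(SAMPLE_DER + b"x", PUBLISHED),
    }
```

The equivalent one-liner is `openssl s_client -connect host:443 -servername host </dev/null | openssl x509 -noout -fingerprint -sha256`.  When both fingerprints are published, compare the SHA-256 one; SHA-1 is no longer considered collision-resistant, so it is only a convenience for matching what older browser dialogs show.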

–Simon