Nathan Willis

Inaccessible Island

Nathan Willis, Verified

  • Keys

    2017-01-15T09:14:46Z via Pumpa To: Public CC: Followers

    • 1. I recently re-generated some PGP keys in full-on paranoid, proper form (unnetworked live OS, masters stored offline, subkeys on smartcards, embedded JPEG). That part feels good.

      1.a. I still have not found a proper solution to the "turn an existing PGP key into a subkey of another key" problem, which I need to do to consolidate UIDs. A lot of people have my old address; I would prefer to merge the identity in with my others.

    • 2. That tangent aside, the op-sec problem now becomes "what exactly do I do to ensure the security of the storage device that has my master private key on it?" I find surprisingly little written about this topic.

      On the one hand, I want to be able to access it whenever I feel like it, so locking up in a safety-deposit box is right out. But I'm also not the only person who can enter my current residence, so I feel like some sort of security is warranted.

    • 3. That led me down the rabbithole of looking at tamper-evident storage products, which you can easily buy online. (I know are other options; this is just the one I wanted to talk about.) So, in theory, I could seal the storage up in a small box with a seal on it, and know afterward if anyone has opened the box while I was away.

      However, what I can't figure out is how you could prevent an attacker from buying a set of identical tamper-evident seals on Amazon and just sticking a new one on the box after they clone the data off of the thumb drive or whatever.

      And that problem seems to plague all tamper-evident storage options. What am I missing here?

    Show all 6 replies

    Maybe I'm just tougher than you.

    Nathan Willis at 2017-01-15T10:34:22Z

    Regardless, the real question at hand is whether [A] these tamper-evident products are 100% useless or [B] I misunderstand how they're meant to be used — for any bag-contents. They seem to be popular as "bank bags" ... but if you can buy identical replacement tabs in bulk on Amazon, what's the point?

    Nathan Willis at 2017-01-15T14:24:39Z

    @Nathan Willis One thing I've heard of is to paint the keyhole with glitter nailpolish and take a picture of it when it's dried. The nailpolish should make a unique pattern every time you do it.

    I haven't done this myself, though.

    Christopher Allan Webber at 2017-01-15T15:05:33Z

    der.hans likes this.

    Note that this was originally a suggestion for screw heads on laptop, now that I'm remembering right. Maybe it would mess up the lock.

    But maybe you could paint a unique dab of nailpolish on the tamper-evident seal?

    Christopher Allan Webber at 2017-01-15T15:07:35Z

  • 2017-01-14T10:09:00Z via Pumpa To: Public CC: Followers

    Possible conference talk titles:

    "Sustainable funding for free software projects through blackmail."

    Scott Sweeny , Stephen Michael Kellat , Jason Self like this.

    Stephen Michael Kellat shared this.

    I predict standing room only...

    Charles ☕ Stanhope at 2017-01-14T16:38:42Z

    Emotional or another sort of blackmail?

    Stephen Michael Kellat at 2017-01-14T18:00:13Z

    Come to the talk and find out. #SpolierFree #TellYourLocalConfTalkCommittee

    Nathan Willis at 2017-01-15T09:05:04Z

  • 2017-01-13T10:10:04Z via Pumpa To: Public CC: Followers

    Being a little bit scatterbrained this morning trying to organize my thoughts for the various social-media responses to the Republicans voting to end health coverage today.

    So I beg a small amount of mercy from you if I'm ineloquent about things. Presumably that will pass?

    Show all 8 replies

    It's worse than that, because red & white are actual categories. More like "hints of currant and leather with fish," "herbacious finish and reminiscent of grassy meadow with beef."

    Nathan Willis at 2017-01-13T15:58:10Z

    But your example actually describes the flavor, while the color of the wine doesn't.

    Claes Wallin (韋嘉誠) at 2017-01-13T20:15:26Z

    >> Nathan Willis:

    “I feel like we should put all discussions about "what should we do" and policy details into the 'we'll agree to disagree' category.
    I tried not to voice my opinions in this post for that reason; I'm just expressing the frustration that I experience caused by trying to articulate a little about politics after spending such a long time intentionally not discussing the subject and writing solely about tech instead.”

    My view is rather quite jaundiced. You were looking at it from a policy standpoint. I'm looking at it as someone who works in the agency charged with making it work, who gets frustrated heavily with trying to make it work, and was on the receiving end Thursday from a hysterical lady over an ACA mechanics issues that frankly almost got her watchlisted as she came way too close to qualifying for "suicide caller" handling.

    There's a reason I keep trying to run away from being a federal civil servant. Above is just one facet as to why.

    Stephen Michael Kellat at 2017-01-14T04:06:57Z

    >> Nathan Willis:

    “Perhaps I'll just change the subject and talk about fonts instead. Here's a starter: the entire notion that "serif" and "sans serif" are the top-level categories of Latin typefaces is a modernist lie brought about by lack of historical awareness with a dash of HTML 1.0 specification sprinkled on top.”

    In trying to learn about LaTeX, this font is really calling to me as something I want to style a document in:

    I haven't found anything that replicates old-time federal typing pool typewriter, though. This vision of the past from LANL kinda intrigues me:

    Stephen Michael Kellat at 2017-01-14T04:13:06Z

  • Status update

    2017-01-13T08:54:49Z via Pumpa To: Public CC: Followers

    Gathering materials to road-test a new debugging methodology:

    I put a kitten in a box and deny it food & water until you have answered my question about how to configure BlueZ & PulseAudio.

    Presumably I'll need a webcam and a box; not buying the kitten until I actually open the bug report to avoid the inevitable NAK claiming that I did not take care of it properly before filing the issue.

    So: webcam recommendations?

  • 2017-01-12T07:52:52Z via AndStatus To: Public

    Got TLS / HTTPS running on my domains with Let's Encrypt. Feel free to check if you're unfortunate enough to read my blog at, for example. But getting Apache to serve up *only* HTTPS is a whole different level of headache. I can understand why people decide to write new web servers....

    Charles ☕ Stanhope likes this.

    Show all 8 replies The RequireSSL directive-family is where it stops being a straightforward solution and explodes into a combinatorics nightmare where no one else's example works.

    Nathan Willis at 2017-01-13T09:22:47Z

    (and yes, I agree that it should be no headache. There's a lot of things that should be easy.)

    Nathan Willis at 2017-01-13T09:24:13Z

    Now I'm down the rabbithole of trying to find a quality two-factor authentication plugin for WordPress....

    So many freemiums ... so many version-compatibilitiy warnings ... so much duplication of effort....

    Nathan Willis at 2017-01-13T10:21:10Z

    >> Nathan Willis:

    “[...] Now I'm down the rabbithole of trying to find a quality two-factor authentication plugin for WordPress... [...]”

    Two Factor Authentication works for me.

    James Dearing 🐲 at 2017-01-13T12:14:39Z

    Nathan Willis likes this.

  • Question

    2017-01-09T20:10:57Z via Pumpa To: Public CC: Followers

    I'm looking for sources of Creative-Commons–licensed music that could be used in podcasts. Where do you recommend?

    My gut feeling is that this used to be easier than it is today; I did some hunting for a different project ~5–6 years ago and it seems like the same sites aren't really around (not to mention that the CC site has a lot of outdated information cluttering it up). But those are side issues; really I'm just interested in personal experience! i have used Jamendo, via the creative Commons media search engine.

    Stephen Sekula at 2017-01-09T21:26:15Z

    you almost certainly have checked jamendo and and already...

    mray at 2017-01-10T00:08:58Z

    Musopen has a ton of classical music. Many of their recordings are public domain (CC0 if memory serves), others are under various CC licenses. All the underlying compositions are public domain.

    ccMixter is another great resource.

    If metal's your thing, check out Open Metalcast. I particularly like their instrumental episodes, called instrumetalcasts.

    There's a good amount of CC-licensed music on Bandcamp, but it can be hard to find - there's no way (AFAICT) to filter out non-CC music.

    James Dearing 🐲 at 2017-01-10T02:47:15Z

  • 2017-01-03T11:00:00Z via Pumpa To: Public CC: Followers

    Maybe I don't want a full email notification every time somebody else favorites a comment by a different somebody else on some old post.

    Jason Self likes this.

    >> Nathan Willis:

    “[...] Maybe I don't want a full email notification [...]”

    Would you prefer half a notification? :P

    James Dearing 🐲 at 2017-01-03T12:53:16Z

    Maybe a subtle implication.

    Nathan Willis at 2017-01-03T13:32:59Z

  • keywords

    2017-01-02T22:36:12Z via Pumpa To: Public CC: Followers

    I have reluctantly come to the conclusion that any work of fiction, in any medium, that uses the term "badass" or "kick ass" to describe a character is worthless tripe, no exceptions.

    Whether or not this has any bearing on the latest installment of ANewStarWarsProductEverySixWeeks will be left up to the student, but it hardly has an impact on the overall trend.

  • Resolution

    2016-12-31T10:09:52Z via Pumpa To: Public CC: Followers

    In 2017, please join me in my personal campaign to put an end to stop-energy replies on discussion forums.

    Starting with the insidious "Why would you want to do that?"

    Every time I encounter that reply in 2017, I'll be posting the following:

    "How many Linux users does it take to change a lightbulb? Why would you change a lightbulb? You're not using your house right."

    With that as a link if references are allowed. Mad kudos to @climagic for originating the joke; I only hope I can put it to good use.

    Alex Jordan , Stephen Michael Kellat , Stephen Sekula , Lars Wirzenius like this.

    Ilpo Nyyssönen , Ilpo Nyyssönen , Alex Jordan , Alex Jordan and 2 others shared this.

    Why would you want to start such a campaign? You're using campaigns wrong ;)

    JanKusanagi at 2016-12-31T12:31:26Z

    Iñaki Arenaza , Alex Jordan , Stephen Sekula , Nathan Willis like this.

  • 2016-12-31T08:28:12Z via AndStatus To: Public

    Post-Christmas thought::
    I spent the last few days of my break fixing things, including some car repairs, but most significantly trying to get my "open source sprinkler" working in a consumer friendly manner.

    That meant buying and wiring-in an RTC module, since the controller board is run off of a Raspberry Pi (which has no hardware clock, and therefore cannot run without an NTP server and thus an active internet connection; no clock == no ability to reliably schedule sprinkler runs). Naturally, that step first required buying a specialized expander header so that I could hook up the RTC module to the Pi's I2C bus and also keep the sprinkler board connected to the headers it needed.

    And naturally getting the Pi to actually use the clock hardware requires two hours of googling for web forum threads, since the Adafruit documentation is useless garbage. And there's nothing worse than wading through forum threads for trying to extract real information from arguments and mid-discussion re-edits. Regardless, it did eventually tick.

    Anyway, once it was up and running, I had the displeasure to discover that even after all of that, my fancy sprinkler system will not run without a live internet connection, because the web interface attempts to load a JavaScript file from a fixed URL.

    It is possible to modify the code to self-host the JavaScript, but I had to go get on an airplane. Ironically, what does work without modification us the accompanying Android/iOS app for the sprinkler, which can connect entirely over the LAN to private IPs or .local hostnames. But what a frustration. I may have genuinely become one of those curmudgeons who will gripe endlessly about IoT security now. My house has WiFi but no internet; there's no reason why my open-source sprinkler system should fail when all my other devices (including DVRs and a Nest thermostat) work fine.

    If I had it to do over again, I might just wire up a cheap LTE modem with a Google Fi sim card (no monthly fee) and let that serve as an accidental internet-request safety valve.

    On the other hand, I've become a huge fan of RTCs   and may opt in the future to build one of those GPS-driven NTP sources for each router I use. I certainly like the idea of running a functional network completely disconnected from the internet. I just didn't realize that it was a challenge at the outset.

    Oh, and the sprinkler controller I have is the OpenSprinkler from Ray's Hobby. Apart from the JS issue, I have no complaints about it, and there are board variants for several other SBCs besides the Pi.

    Charles ☕ Stanhope likes this.

  • S/N

    2016-12-29T22:00:40Z via Pumpa To: Public CC: Followers

    Life is demonstrably better after unsubscribing from every email newsletter & commercial correspondance for which it's possible to opt out. Presumably the same is true for unsubscribing from FOSS mailing lists and other mail that I don't usually read, but I like knowing that those are there, in their respective filter folders.

    Blaise Alleyne likes this.

  • 2016-12-24T15:49:08Z via Pumpa To: Public CC: Followers

    Local friends in 'Blene (back home, visiting for Christmas) seem to think I'm not posting enough information about the MATD type-design degree.

    Partly that's because they're predominantly Facebook people and I prefer not to post anything on Facebook beyond the bare-minimum heartbeat to let others know I'm alive.

    But I do wonder: on platforms where I do write what I want, like this one, should I talk more about the font-development stuff I'm learning? I tend not to since I suspect it's not of primary interest, but I could.

    If you have the desire, feel free to post. You could then post links to your Facebook people. :)

    Charles ☕ Stanhope at 2016-12-27T13:40:23Z

  • Update on the low end

    2016-12-16T20:22:51Z via Pumpa To: Public CC: Followers

    Have made some progress on turning the single-core NUC into a useful #lowlife machine. Which mostly means learning one's way around ncurses applications.

    Don't get me wrong here; I LOVE ncurses applications and it would be awesome to use them all the time. I'm just normally lazy (and don't do much work on remote servers). But the old-school feel is pretty sweet, especially when using a terminal multiplexer. #wargames

    Here's what's working at the moment:

    • - rainbowstream for Twitter
    • - irssi for accessing IRC channels and Slack (via the IRC gateway service)
    • - calcurse for calendar access, with gcalcli as a backup (I had to compile calcurse from source, since the distro repo is way out of date and lacks CalDAV support)
    • - cmus for audio playback
    • - ranger for filesystem browsing

    All via a giant, full-screen gnome-terminal split up with tmux.

    I'm not totally sold on cmus; partly because my preference is to keep music and podcasts in separate libraries. I may just utilize cmus for podcasts and try out mpd/ncmpcpp for music. Either way, I have yet to solve the Bluetooth headset problem, so that comes next.

    I'm also experimenting with hnb, which I like; I can export notes from GNote on my laptop, convert them to plaintext, and hopefully have access to them via hnb. We'll see how convenient that is. I know there are a lot of OrgMode fans out there who are probably fuming now, but that's a different animal.

    Still have yet to tackle email and (the latter will probably use p, but sadly that's a non-interactive client.). There are a few decent browser options, but that's not too interesting when I have a laptop handy, too.

    Same with video; I do plan to still pursue building the patched kernel driver for the Broadcom VAAPI card, but it's just as interesting to play around with ascii video output when I feel like using the NUC. After all, I have timg working for images, which is a blast. Way more fun than popping open EOG.

    Charles ☕ Stanhope likes this.

    And yes, I do want someone to write an ncurses client for Pretty please.

    Nathan Willis at 2016-12-16T20:23:25Z

    >> Nathan Willis:

    “And yes, I do want someone to write an ncurses client for”

    Not that exactly, but do you know the PyPump shell?

    JanKusanagi at 2016-12-17T01:43:04Z

    I know of it; it looked to me like it was not an actual client, though. Just a tool for pretty raw/low-level PyPump function calls.

    Is that wrong? Or are you just suggesting that it's a decent starting point for interested development?

    Nathan Willis at 2016-12-17T13:36:18Z

    I'm not sure, but IIRC, the PyPump Shell has several "semi-high end" funtionalities, to read the timeline and such. I might be misremembering, of course.

    I wasn't suggesting you use PyPump (the library) to build anything =)

    JanKusanagi at 2016-12-17T14:11:37Z

  • 2016-12-13T08:13:44Z via AndStatus To: Public

    So... How good/bad of an idea would it be for me to start a campaign wherein I open a "describe your effing software" issue on every public project in the world that lacks an explanation of the project purpose on the homepage, README, and doc introduction page?

    Alex Jordan , Stephen Michael Kellat , Mike Linksvayer , Claes Wallin (韋嘉誠) like this.

    Stephen Michael Kellat , Claes Wallin (韋嘉誠) , Claes Wallin (韋嘉誠) shared this.

    Show all 6 replies

    My only hope is that it catches on via social media and the multiplier effect makes some non-zero portion of the developers fix their instance of the bug.

    I don't quite have the community reach that I used to have via LWN, but it could still happen. Non-zero is greater than zero, at any rate.

    Nathan Willis at 2016-12-13T13:14:45Z

    Claes Wallin (韋嘉誠) likes this.

    Your DYES project seems like it would be a noble and underappreciated effort, but I notice that is available. ;)

    Charles ☕ Stanhope at 2016-12-13T13:31:19Z

    Claes Wallin (韋嘉誠) , Christopher Allan Webber , Nathan Willis like this.

    I have no idea how I repeated "yoursoftware" (sometimes the web interface jumps out of the edit box while I'm typing), is available. (^_^;)

    Charles ☕ Stanhope at 2016-12-13T13:34:51Z

    Claes Wallin (韋嘉誠) , Nathan Willis like this. I suspect it wouldn't be long before the centralized host for decentralized  development would suspend your account. at 2016-12-14T04:27:51Z

  • 2016-12-03T20:06:25Z via Pumpa To: Public CC: Followers

    There needs to be a word for when a site, person, project, or company has a blog feed, and they do some random site/framework refactor/rewrite/management-change and stop publishing their news through the feed ... then start publishing news through some OTHER feed URL.

    A four-letter word.

    Timo Kankare , Claes Wallin (韋嘉誠) , Douglas Perkins , Charles ☕ Stanhope like this.

    Claes Wallin (韋嘉誠) , Claes Wallin (韋嘉誠) , Stephen Michael Kellat shared this.

    Lest you think this is an imaginary problem:

    Out of curiosity, I looked at a bunch of dead feed URLs in my feed reader this afternoon, including a lot of the NPOs I follow that do humanitarian FOSS development or open data stuff, and found 20+ of them that have dead feeds not updated since 2013 or 2014.

    For some, the project seems to be gone. For one, trying to visit the feed URL in a web browser redirects the user to the project's shiny new Medium account. Does that get any news to the feed reader, though? No, of course not.

    But the best has to be the project who's original feed URL is dead, but whose site now boasts a top-level masthead link labeled "Blog" that connects to a feed at (I kid you not) domainname/blog-2/

    Funny how all the people who voluntarily followed your feed two years ago didn't stop randomly one day, your look at your new Fad.js-based site, find your new feed at a different URL, and start following that, too, huh?

    Nathan Willis at 2016-12-03T20:13:40Z

    Stephen Michael Kellat , James Dearing 🐲 , Christopher Allan Webber like this.

    I think FOAAS is called for here.

    Stephen Michael Kellat at 2016-12-04T01:43:28Z

    Claes Wallin (韋嘉誠) likes this.

  • Do Nate 2016

    2016-12-03T12:44:37Z via Pumpa To: Public CC: Followers

    Pun retroactively intended.

    Doing my annual last-minute charitable donations dance (I *really* intended to set up monthly recurring donations instead, as I talked about a year ago, but I forgot, and then I became a full-time student and have no income, further confusing matters, but the main point is that I wanted to document which options supported monthly donations as 'regular membership' and which made that more difficult, then I forgot to).

    Random thoughts:

    1 - Adding the Freedom of The Press Foundation to the list; they develop the SecureDrop tool and also support some outside efforts like LEAP and OWS:

    2 - Thinking of phasing out Amnesty International; their fundraising tactics have turned abusive and ugly (e.g., deceptive labeling disguising appeals as personal letters and inaccurately telling you your 'membership' has expired when it's been, say, five months...). I was thinking of switching my support over to Human Rights Watch, but my research indicates that they're funded by a few large donors, so maybe they don't need the assistance.

    3 - It's really nice to have a "student" membership support level; some of us are only students temporarily and (hopefully) will return to gainful employment, but getting cut out because of that doesn't feel good. FTR, I still pledged the normal amount to several FSW organizations that don't offer this option, but not all. Everything is scaled back; it's unavoidable for me.

    4 - I mainly donate for the swag, so please for the love of Emacs have more than a single 50x50 pixel thumbnail image of the t-shirt options I have to choose from. (This is a slight exaggeration only; when we have to choose, however, not being able to see what's printed on the shirt/hat/sticker/mousepad/tattoo is really annoying. People do wear these things in order to help spread your message; let them see what you're going to send.) likes this.

    James Dearing 🐲 , Stephen Michael Kellat , shared this.

    Show all 6 replies
    5.1 - In case it's not clear, monthly donations are better for the non-profit as well, because they stabilize the financial flow. Not knowing until December how much you will have available for staffing, logistics, campaigns, and bill paying is Not Fun.

    Nathan Willis at 2016-12-03T13:36:03Z

    0 - Please feel free to reshare. I know this is a topic few people are interested in, but I'd like to think that we can improve a lot of not-for-profit endeavors by being deliberate about how we do things.

    Nathan Willis at 2016-12-03T13:51:33Z

    I donate through Combined Federal Campaign. Trans World Radio, USCG Foundation, American Radio Relay League, University of Guam research foundation, and Heritage Foundation all get money from me. Nothing free software related in the Combined Federal Campaign book, alas.

    Stephen Michael Kellat at 2016-12-03T19:50:54Z

    Nathan Willis likes this.

  • Changes I didn't think about

    2016-12-03T08:02:00Z via Pumpa To: Public CC: Followers

    Now that I'm not a reporter, I get way, way less of my news directly from primary sources. Because I don't have the time to.

    On the other hand, I do still think I have the ability to recognize real journalism, so I'm not talking about the Facebook "news" problem. I just mean it's weird to have a secondary connection — particularly w.r.t. the FOSS world. Of course even that's rather different; I could still dig down into mailing lists and blogs and talk to people if I carved out the time to do it. And, naturally, so could almost anybody else: that's the beauty of working-in-the-open.
  • In case you were wondering

    2016-11-30T08:08:35Z via Pumpa To: Public CC: Followers

    ...what Mozilla chooses to spend money on rather than Persona, FirefoxOS, Lightning, Prism, Raindrop, …Thunderbird….

    Claes Wallin (韋嘉誠) , Claes Wallin (韋嘉誠) shared this.

    A real teaser for those of us who have that spy-site blocked =)

    JanKusanagi at 2016-11-30T09:52:54Z

    Digital privacy is a bigger issue than any single Mozilla project.  This is probably the most important thing that Mozilla can be working on right now.  You'd certainly never see Google partnering with the Tactical Technology Collective on an exhibition like this!

    Benjamin Cook at 2016-11-30T13:01:37Z

  • 2016-11-26T14:40:34Z via Pumpa To: Public CC: Followers

    TIL that if I want to automatically insert the current date in a @scribus document, I have to install 1.1GB of TeXLive and write some scripts.


    bthall , Claes Wallin (韋嘉誠) , Stephen Michael Kellat like this.

    Claes Wallin (韋嘉誠) , Stephen Michael Kellat shared this.

    Will Scribus export LaTeX?

    Stephen Michael Kellat at 2016-11-27T01:52:19Z

    For our wedding 7 years ago, I designed the placement cards in Scribus, modified the XML with awk to insert the names of the guests, and then printed them.

    Claes Wallin (韋嘉誠) at 2016-11-27T14:16:32Z

    bthall likes this.