Nathan Willis n8@identi.ca

Inaccessible Island

Nathan Willis, Verified

  • PDFthis

    2017-02-22T12:11:42Z via Pumpa To: Public CC: Followers

    Somebody wanna 'splain why it is that Evince has a pair of "Next/Previous History Item" buttons on the menu bar, that as far as I can tell serve no function, but it does not have "Next/Previous Page" buttons?

    #uxchaos

    seems like you found an awesome bug. m(

    mray at 2017-02-22T12:36:04Z

    Nathan Willis likes this.

    You did find an awesome bug; you're not the first to find it: Atril, which is a fork of Evince, has working next/previous page buttons.

    James Dearing 🐲 at 2017-02-22T12:45:20Z

    Nathan Willis likes this.

    I'd love to know why the Evince developers imagined that people would be using the application in some manner that involved storing a long 'history' of something. Talk about your disconnects of use-case....

    Nathan Willis at 2017-02-22T14:30:41Z

  • Whatthe

    2017-02-21T20:33:40Z via Pumpa To: Public CC: Followers

    So I did finally install 2FA-authentication and forced-SSL on my newly Let'sEncrypt-ed blog sites. Along the way, one of the plugins offered to send email notifications about rogue login attacks it's thwarted.

    Which leads to the surprise. Between the two blogs, one of them is getting hammered non-stop with automated attempts to log in to the administrator account, the other is getting none. But the one under attack is my old, personal blog, which I have not posted to since 2011, and which is not linked to from anywhere on Earth. The one getting no frontal assault is my FOSS-related blog, which I do post to (admittedly not frequently) and which is syndicated in the planetsphere.

    So what's the attack scenario here? Do automated attackers assume that a more dormant blog is more likely behind on its security updates and/or has more guessable passwords? I'm not clear....

    Claes Wallin (韋嘉誠) , Stephen Michael Kellat , Christopher Allan Webber like this.

    Claes Wallin (韋嘉誠) , Claes Wallin (韋嘉誠) , Stephen Michael Kellat shared this.

    If I were writing an attack bot, I think I would only consider a blog's dormancy as a last resort. First I would try to find what software the blog runs, including version numbers. Then I would use that info to look up default passwords and other known vulnerabilities.
    Examining my own blog, for instance, I found my WordPress and JQuery versions just by watching which files got downloaded when I loaded the main page in Firefox:

    jquery.js?ver=1.12.4

    wp-embed.min.js?v=4.7.2
    I would suspect that the age of your blogs is more relevant than their activity level. Your older blog probably got discovered some time ago - including whatever software versions it was running at the time - and added to a list of known blogs they could attack. The list gets passed from person to person. Now some script kiddie gets a copy of it and decides to use your blog for target practice.

    James Dearing 🐲 at 2017-02-22T01:32:14Z
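    A defender-side illustration of the two points raised in this thread, added here and not part of the original post or replies: flagging bursts of failed wp-login.php POSTs per source address in constructed access-log lines, and listing the version strings a site reveals through its asset URLs. The log lines and addresses are constructed, and it is assumed that WordPress answers a failed login with HTTP 200 (form re-rendered) and a successful one with a 302 redirect.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
# Constructed Apache combined-log lines standing in for a blog's access log (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [22/Feb/2017:01:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "python-requests/2.13"
203.0.113.5 - - [22/Feb/2017:01:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "python-requests/2.13"
203.0.113.5 - - [22/Feb/2017:01:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "python-requests/2.13"
198.51.100.7 - - [22/Feb/2017:01:00:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [22/Feb/2017:01:00:11 +0000] "GET /wp-includes/js/jquery/jquery.js?ver=1.12.4 HTTP/1.1" 200 97163 "-" "Mozilla/5.0"
198.51.100.7 - - [22/Feb/2017:01:00:11 +0000] "GET /wp-includes/js/wp-embed.min.js?v=4.7.2 HTTP/1.1" 200 1429 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
VER_RE = re.compile(r'/([^/?]+)\?(?:[^&]*&)*(?:ver|v)=([\w.]+)')


def parse(line):
    """Split one combined-log line into ip, timestamp, method, path and status."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def failed_login_bursts(log_text, threshold=3, window_s=60):
    """Map ip -> peak count of failed wp-login.php POSTs inside a sliding window of window_s seconds.
    Assumption: a failed login re-renders the form (HTTP 200); a success redirects (302)."""
    recent = defaultdict(deque)
    flagged = {}
    for line in log_text.splitlines():
        rec = parse(line)
        if (not rec or rec["method"] != "POST" or rec["path"].split("?")[0] != "/wp-login.php"
                or rec["status"] != 200):
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while (q[-1] - q[0]).total_seconds() > window_s:
            q.popleft()  # forget attempts that fell out of the window
        if len(q) >= threshold:
            flagged[rec["ip"]] = max(flagged.get(rec["ip"], 0), len(q))
    return flagged


def version_hints(log_text):
    """Set of (file, version) pairs the site reveals through ?ver=/?v= asset URLs."""
    recs = [parse(l) for l in log_text.splitlines()]
    hits = (VER_RE.search(r["path"]) for r in recs if r and r["method"] == "GET")
    return {(m.group(1), m.group(2)) for m in hits if m}
```

The version check is the self-audit the reply above describes; the burst counter is the kind of signal a login-protection plugin reports.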

  • 2017-02-17T17:46:17Z via Pumpa To: Public CC: Followers

    Coining a new term today: selfcongratulacracy.

    Can't wait to use it in a talk at a FOSS conference.

    Elena ``of Valhalla'' , Nathan Willis like this.

    Stephen Michael Kellat shared this.

    I bet you feel pretty good about yourself for coming up with that word!

    Christopher Allan Webber at 2017-02-17T17:47:12Z

    Elena ``of Valhalla'' , Blaise Alleyne , Tyng-Ruey Chuang , Scott Sweeny and 1 others like this.

    I think if you don't like your own comment here, I can't take it seriously.

    Nathan Willis at 2017-02-17T17:48:26Z

    Elena ``of Valhalla'' , Tyng-Ruey Chuang , Christopher Allan Webber , Nathan Willis like this.

    @Nathan Willis If you don't reshare your own top-post, I can't believe its sincerity.

    Christopher Allan Webber at 2017-02-17T18:32:22Z

    Elena ``of Valhalla'' , Tyng-Ruey Chuang like this.

  • Current mood:

    2017-02-15T22:39:28Z via Pumpa To: Public CC: Followers

    Charles ☕ Stanhope likes this.

    but which one are you?

    Dana at 2017-02-15T22:42:15Z

  • Confound it!

    2017-02-15T12:32:59Z via Pumpa To: Public CC: Followers

    It never fails. Openings like this only appear when I have committed to being someplace else for the coming ~1 year.

    https://www.torproject.org/about/jobs-comm-director.html.en

  • 2017-02-13T23:39:04Z via AndStatus To: Public

    I mean, seriously — why can't I have Double Ratchet, OTR, secure timestamping, ZRTP, and some stupid blockchain nonsense running in FOSS on a secure smartcard? "Not a lot of people write smartcard software" and "when they do, it's proprietary" just don't excite me as explanations. #preachingtothechoir

    Lars Wirzenius , Stephen Michael Kellat like this.

    Lars Wirzenius , Stephen Michael Kellat shared this.

  • 2017-02-12T10:51:17Z via AndStatus To: Public

    Possible conference talk topics: the free-software gap in smartcard programming.

    HSPD-12 sorts of smartcards?

    Stephen Michael Kellat at 2017-02-12T21:39:22Z

  • Arrrrrrgh!

    2017-02-10T12:57:43Z via Pumpa To: Public CC: Followers

    Why does this throw a "no module named 'xudd.tools'" ImportError?

    import sys
    sys.path.append("../asyncio")
    sys.path.append("../xudd")
    sys.path.append("../PyPump")
    sys.path.append("../oauthlib")
    sys.path.append("../requests-oauthlib")
    sys.path.append("../dateutil")
    
    from xudd.hive import Hive
    from xudd.tools import join_id
    

    (and not one on xudd.hive)

    Nathan Willis at 2017-02-10T13:02:14Z

    Yes I realize this is intro-level Python stuff in all likelihood, but (a) my brain is only wired for functional languages and (b) packaging/module-loading failures happen in project-specific ways that don't extrapolate to other systems.

    Nathan Willis at 2017-02-10T18:51:14Z
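    A constructed reproduction of this symptom, added here and not from the original thread: when an older copy of the package that has hive.py but no tools.py sits earlier on sys.path than the checkout appended at the end, xudd.hive imports fine (from the older copy) while xudd.tools raises exactly this ImportError, because a regular package is resolved once and never merged with a later copy. Whether that is what happened on the poster's machine is an assumption; the temporary directories and stub files are constructed.

```python
import importlib
import os
import shutil
import sys
import tempfile

PKG = "xudd"  # package name from the post; the files created below are a constructed stand-in


def make_pkg(root, modules):
    """Create root/xudd/ with __init__.py plus the listed submodules (constructed fixture)."""
    pkg = os.path.join(root, PKG)
    os.makedirs(pkg)
    open(os.path.join(pkg, "__init__.py"), "w").close()
    for mod in modules:
        with open(os.path.join(pkg, mod + ".py"), "w") as f:
            f.write("def join_id(*parts):\n    return '@'.join(parts)\n")
    return pkg


def forget():
    """Drop cached xudd modules so the next import is resolved against sys.path again."""
    for name in [m for m in sys.modules if m == PKG or m.startswith(PKG + ".")]:
        del sys.modules[name]
    importlib.invalidate_caches()


def try_import(name):
    """Return the directory a module was loaded from, or the ImportError text."""
    try:
        return os.path.dirname(importlib.import_module(name).__file__)
    except ImportError as exc:
        return str(exc)


def demo_shadowing():
    """Reproduce the post's symptom, then show the sys.path fix; returns what happened."""
    tmp = tempfile.mkdtemp()
    stale = make_pkg(os.path.join(tmp, "site-packages"), ["hive"])      # older copy, no tools.py
    fresh = make_pkg(os.path.join(tmp, "checkout"), ["hive", "tools"])  # copy that has tools.py
    sys.path.insert(0, os.path.dirname(stale))  # an installed copy sits early on sys.path...
    sys.path.append(os.path.dirname(fresh))     # ...while sys.path.append("../xudd") lands last
    forget()
    hive_from, tools_err = try_import(PKG + ".hive"), try_import(PKG + ".tools")
    sys.path.remove(os.path.dirname(fresh))     # fix: put the wanted copy first (or uninstall the stale one)
    sys.path.insert(0, os.path.dirname(fresh))
    forget()
    tools_from = try_import(PKG + ".tools")
    sys.path[:] = [p for p in sys.path if p not in (os.path.dirname(stale), os.path.dirname(fresh))]
    forget()
    shutil.rmtree(tmp)
    return {"hive_from_stale": hive_from == stale, "tools_error": tools_err,
            "tools_from_fresh": tools_from == fresh}
```

Running `python -c "import xudd; print(xudd.__file__)"` in the real environment shows which copy wins before touching sys.path.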

  • PGP Stuff

    2017-02-10T12:40:15Z via Pumpa To: Public CC: Followers

    If anybody out there would like to help me test something, you can send an OpenPGP-encrypted message (content irrelevant) to my old LWN address (nate@ .net).

    I'm trying some hand-futzled message filtering-fu, since that address is now a forwarding-only alias.

    However, I only really need one taker ATM, so if this appeal strikes your fancy, please leave a reply below.

    Sent one... Hopefully to the right place :)
    If not, let me know and I'll try again.

    Freemor at 2017-02-10T13:16:20Z

    If you'd like me to send another after the various tweaks, just let me know.

    Freemor at 2017-02-10T19:58:41Z

  • Word Station One

    2017-02-10T11:27:46Z via Pumpa To: Public CC: Followers

    Here are various things people may or may not mean whenever they use the term "the media" in some sort of online political argument:

    - Journalists
    - The owners of publishing companies
    - Big-city newspaper front pages
    - The broadcast networks' Nightly News
    - Big Cable News Networks news programs
    - Guest editorials written by celebrities on the opinion pages of big-city newspapers
    - Monthly magazines
    - Talk radio shows
    - Political commentary shows on cable news (as distinct from the news broadcasts)
    - Talk shows where hosts and guests discuss current events
    - The entertainment industry: the commercial TV, movies, music business
    - Entertainment gossip news magazines/shows/sites
    - The advertising industry
    - Web sites where individual contractors write and publish their own posts and are paid by advertising revenue
    - Social media networks highlighting popular discussion topics

    These things are not interchangeable. Be precise in your language.

    Charles ☕ Stanhope , Freemor like this.

  • $

    2017-02-10T09:44:17Z via Pumpa To: Public CC: Followers

    Hmm... I have free electricity for most of the rest of a year; I wonder what Bitcoin mining rig I ought to get to take maximum advantage of that.... Ideas?

  • 2017-02-07T22:59:37Z via AndStatus To: Public

    My #OldestInboxMessage is from November 2014. I was pleasantly surprised, but am still curious how others compare on that metric. Do have a reply in Drafts, though. I would say who, since it's a free-software person, but it is kind of embarrassing to reopen old wounds...

    Claes Wallin (韋嘉誠) , Claes Wallin (韋嘉誠) , Claes Wallin (韋嘉誠) , Claes Wallin (韋嘉誠) shared this.

    My oldest is August 2016. I prefer Inbox Zero but I can't delete that message.

    Aaron Gibson at 2017-02-08T05:34:46Z

    @n8@identi.ca At work I keep inbox zero. On gmail I don't move anything out of inbox. So my oldest is from 2006, if I would hazard a guess.

    Claes Wallin (韋嘉誠) at 2017-02-08T06:56:27Z

    Oldest in INBOX is from yesterday. Oldest in =needs-response is from Jan 13.

    Lars Wirzenius at 2017-02-08T08:21:30Z

  • Enough news for the day

    2017-02-07T20:06:14Z via Pumpa To: Public CC: Followers

    I don't wanna talk about Earth stuff.
    #references

    Christopher Allan Webber likes this.

  • SSL

    2017-02-04T11:08:44Z via Pumpa To: Public CC: Followers

    Identi.ca SSL errors anyone?

  • 2017-02-01T11:00:39Z via AndStatus To: Public

    Ugh. This is going to take a while.
    `ImportError: No module named 'xudd.tools'`
    Literally the very first thing I installed with pip. And as unfun as debugging other people's Python is, it's 96 times worse when their GitHub project has the issue tracker turned off.  :rage: :murder: :nojuryintheworld: :canthavenicethings: :abandonware:

  • 2017-01-27T09:48:48Z via AndStatus To: Public

    I'm afraid I can guess the answer to this, but ...
    Has anybody used a free-software program that can browse through photo/image collections that live on a UPnP / DLNA server?
    All the mediarenderers I've encountered either work with audio or with video (a few do both).

    Did you check out KODI?

    They do have a clear focus on video, but also handle images and video...

    mray at 2017-01-27T12:50:01Z

  • 2017-01-24T08:34:50Z via AndStatus To: Public

    This sort of BS is exactly why people don't run fully free-software stacks on their mobile devices. Seriously; if you develop mobile FOSS, you stop and fix this crap before you even run your next test build. It's ludicrous.

    Hubert Figuière , Stephen Michael Kellat like this.

  • 2017-01-20T17:32:40Z via Pumpa To: Public CC: Followers

    I'm not a web developer. Ever. Would any web developers like to join forces and help me build a working DescribeYourEffingSoftware .org site?

    {Prompted by seeing this comment thread: https://lwn.net/Articles/711198/ .... I had brought the topic up, only somewhat in jest, in December: https://identi.ca/n8/note/_bbrRVS9RlKXDUOI6RuOkw ... but now I'm thinking about actually trying to push it forward.

  • #Lowlife update 2

    2017-01-20T16:51:30Z via Pumpa To: Public CC: Followers

    More progress made on converting my single-core Atom NUC (which is incapable, for example, of running even a single-tab instance of Firefox) into a useful machine.

    The majority of the CLI & ncurses applications I have installed are a pleasure to use, once one gets used to how to wrangle them. Increasingly, you cannot install applications through your distribution package management system, for instance: so you end up doing things like wrangling a bunch of Python virtualenvs, one-per-app, and installing junk through pip. This seems unsustainable in the long run.

    Hooray if you think this means Snap/Flatpak/AppImage will solve all the world's problems. What it will undoubtedly do, however, is isolate users on desert islands where they are never sure what the right way to install something is (and if there's a security update? forget about it).

    So that's problem #0. Problem #1 is a bit different, which is that no two ncurses applications seem to use the same set of keybinding conventions / command shortcuts — not the same as each other, and not the same as the GUI world. This, too, makes them less usable in the long run.

    An example: The ncurses audio player Cmus, which uses the "C" key to pause and resume playback, and the numerals 1–7 to switch between different views on the audio library. There is literally no reason playback should not be started/paused with the spacebar, as is done in every modern audio/video app.

    Christopher Allan Webber likes this.

    The lack of UI conventions for terminal programs is a real pain.

    Charles ☕ Stanhope at 2017-01-20T17:35:13Z

    Nathan Willis likes this.

    Obviously the solution is to run emacs fullscreen for everything. You'd get consistency, at least...!

    Christopher Allan Webber at 2017-01-20T19:46:40Z

    Charles ☕ Stanhope likes this.

  • Keys

    2017-01-15T09:14:46Z via Pumpa To: Public CC: Followers

    • 1. I recently re-generated some PGP keys in full-on paranoid, proper form (unnetworked live OS, masters stored offline, subkeys on smartcards, embedded JPEG). That part feels good.

      1.a. I still have not found a proper solution to the "turn an existing PGP key into a subkey of another key" problem, which I need to do to consolidate UIDs. A lot of people have my old @lwn.net address; I would prefer to merge the identity in with my others.

    • 2. That tangent aside, the op-sec problem now becomes "what exactly do I do to ensure the security of the storage device that has my master private key on it?" I find surprisingly little written about this topic.

      On the one hand, I want to be able to access it whenever I feel like it, so locking up in a safety-deposit box is right out. But I'm also not the only person who can enter my current residence, so I feel like some sort of security is warranted.

    • 3. That led me down the rabbithole of looking at tamper-evident storage products, which you can easily buy online. (I know there are other options; this is just the one I wanted to talk about.) So, in theory, I could seal the storage up in a small box with a seal on it, and know afterward if anyone has opened the box while I was away.

      However, what I can't figure out is how you could prevent an attacker from buying a set of identical tamper-evident seals on Amazon and just sticking a new one on the box after they clone the data off of the thumb drive or whatever.

      And that problem seems to plague all tamper-evident storage options. What am I missing here?


    Maybe I'm just tougher than you.

    Nathan Willis at 2017-01-15T10:34:22Z

    Regardless, the real question at hand is whether [A] these tamper-evident products are 100% useless or [B] I misunderstand how they're meant to be used — for any bag-contents. They seem to be popular as "bank bags" ... but if you can buy identical replacement tabs in bulk on Amazon, what's the point?

    Nathan Willis at 2017-01-15T14:24:39Z

    @Nathan Willis One thing I've heard of is to paint the keyhole with glitter nailpolish and take a picture of it when it's dried. The nailpolish should make a unique pattern every time you do it.

    I haven't done this myself, though.

    Christopher Allan Webber at 2017-01-15T15:05:33Z

    der.hans likes this.

    Note that this was originally a suggestion for screw heads on a laptop, now that I'm remembering right. Maybe it would mess up the lock.

    But maybe you could paint a unique dab of nailpolish on the tamper-evident seal?

    Christopher Allan Webber at 2017-01-15T15:07:35Z