• Security Implementation

    Yubikey and LastPass are a pair of services that I use for storing my passwords and personal data. The Yubikey functions as an authentication token for the LastPass login, and is used to decrypt the password vault.

    In theory, I should consider a service where the passwords aren’t stored on their cloud, even in an encrypted format. However, I like LastPass, and I like their software. I like that their password validator seems to actually give accurate ratings to the various passwords in the vault during their security check function. Some sites will fail simple passwords that actually are very hard to crack, simply because they don’t fit a scheme. The fact that the tool also monitors for duplicate passwords and for sites whose passwords have been compromised, and then requests that you change those, is also really handy.

    The Yubikey is a little plastic dongle that plugs into a USB port and acts as a USB keyboard, typing out a One Time Password (OTP) as if you’d typed it on the keyboard directly. The chip on the Yubikey is set up to do a few fancy things to ensure that the password is hard to spoof.

    There are some potential problems with any password scheme, especially the sort where there is a single point of failure. Using the Yubikey to generate the OTP for LastPass in theory makes it much more secure, since in order to access your password vault, they require both the digital key and the physical key. So, that’s what I had been using for my personal passwords for the last year, but I hadn’t been able to convince too many other people to switch over, until recently.

    When I first got my Chromebook, I was slightly annoyed that there wasn’t a way to use the Yubikey to log into it. Then, by accident, the other day, I found out how to manage that. The Yubikey configuration tool has the ability to set up what is stored in the two slots on the Yubikey. The main slot holds the OTP, for doing the main login. In the second slot, a variety of different configurations can be set up. The only option that made sense for my purposes is the Static Keystring.

    By storing a preset keystring of up to 38 characters that will be typed in whenever I activate the second slot on the key, I have a password that I can use to log into offline devices. The activation of the secondary slot is simply holding down the button on the Yubikey, rather than tapping it. I can use this preset key to log into a secondary Gmail account, which logs me into the Chromebook. Once inside that Gmail account, I can log into the LastPass browser plugin, verifying with slot 1 on the Yubikey, and open up my Gmail account. This whole sequence can be done fairly quickly, especially if the LastPass browser plugin has been told to save the master password, so the login sequence becomes essentially: boot computer, long press on the key, wait for the screen for the Yubikey OTP, short press, and you’re logged in. That system, as long as you aren’t worried about losing the key, is actually pretty secure. It does have a few obvious flaws.

    Though, with a few minor alterations, it can be made considerably more secure.

    The first main flaw is that with the key and the knowledge, anyone can get in. Convenience has compromised the security. A single press of the button bypasses the first login, the second login is saved, and the third login is just another button press.

    So, what’s the easy way to fix that? Pad the static keystring. Have a few characters that need to be typed in manually, before you press the button. That means even with the key, they’ll still need to guess that initial password, before it’ll let them in.

    This actually also helps with the second flaw, which is that since the static keystring is static and emitted whenever the button is pressed to activate that slot, it’s easy to steal. That’s why I’m not using it on my main Gmail, but on a secondary Gmail account that really only exists so that it grabs a copy of the LastPass browser plugin from the Chrome store when I log on.
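As an added illustration of why the padding helps (this is constructed example code, not the post’s own or Yubico’s), here is a Python model of the two slots: slot 1 is simplified to a counter-based HMAC code with replay rejection rather than the real Yubico OTP format, slot 2 is the static keystring, and the verifier shows that a captured static string alone fails once a memorised prefix is typed before the long press.

```python
import hashlib
import hmac
import os
import secrets

# Constructed model of the two Yubikey slots described in the post. It is an
# illustration only: slot 1 is modelled as a counter-based HMAC code (not the
# real Yubico OTP format), slot 2 as the static keystring that the post pads.

STATIC_MAX_LEN = 38  # the post's stated limit for the static keystring slot
PBKDF2_ROUNDS = 200_000


class Slot1Token:
    """Slot 1: a short press emits a fresh code (monotonic counter + HMAC)."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret
        self._counter = 0

    def press(self) -> str:
        self._counter += 1
        msg = self._counter.to_bytes(4, "big")
        mac = hmac.new(self._secret, msg, hashlib.sha256).hexdigest()
        return f"{self._counter:08x}{mac[:32]}"


class Slot1Verifier:
    """Server side: recompute the MAC and refuse any counter already seen."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret
        self._last_counter = 0

    def verify(self, code: str) -> bool:
        if len(code) != 40:
            return False
        counter = int(code[:8], 16)
        msg = counter.to_bytes(4, "big")
        expected = hmac.new(self._secret, msg, hashlib.sha256).hexdigest()[:32]
        if not hmac.compare_digest(expected, code[8:]):
            return False
        if counter <= self._last_counter:  # replayed (or stale) code
            return False
        self._last_counter = counter
        return True


class Slot2Static:
    """Slot 2: a long press types the same keystring every single time."""

    def __init__(self, keystring: str) -> None:
        if len(keystring) > STATIC_MAX_LEN:
            raise ValueError("static keystring limited to 38 characters")
        self._keystring = keystring

    def long_press(self) -> str:
        return self._keystring


def enroll(password: str) -> tuple:
    """Store a salted PBKDF2 hash of the full password (prefix + keystring)."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def check(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def demo() -> dict:
    """Which attempts succeed: fresh vs replayed OTP, padded vs unpadded static."""
    secret = secrets.token_bytes(32)
    token, server = Slot1Token(secret), Slot1Verifier(secret)
    first = token.press()
    results = {"otp_fresh": server.verify(first), "otp_replayed": server.verify(first)}

    static = Slot2Static("x" * 30)  # constructed sample, not a real keystring
    captured = static.long_press()  # what a keylogger sees on every long press
    salt, unpadded = enroll(captured)
    results["static_unpadded_replay"] = check(captured, salt, unpadded)

    prefix = "typed"  # the memorised characters typed before the long press
    salt2, padded = enroll(prefix + static.long_press())
    results["static_padded_replay"] = check(captured, salt2, padded)
    results["static_padded_full"] = check(prefix + static.long_press(), salt2, padded)
    return results
```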

    Beyond that, I’m sure there are plenty of other flaws, but these are the ones I’ve discovered so far. And since my Google account has other forms of verification on it, specifically the whole two-factor authentication whenever you log in from a new device, I’m not currently concerned.

    I know someone could compromise my security, if they had reason to, but for the moment, I doubt there are any with the skills, malicious intent, and motivation. I am sure there are some with two of the three, but I can’t think of anyone with all three; most would only have but one.

  • Design – Combined SoaC + VPN as a secure thin client.

    Earlier tonight, while discussing ideas for potential new products, I think we accidentally stumbled onto something big. Something that could be worth building. Something that could actually be worth putting together a kickstarter / indiegogo campaign for. Something that is keeping me awake, so I’m going to type it and hope that clears my head.

    A piece of modular hardware, built on a combination of open source software and proprietary hardware, creating something that is both extremely flexible and extremely secure.

    The basic concept is an office-in-a-box, a thin client based set-top box/system on a chip, with an attached hardware VPN router. This little box plugs into any HDMI based TV, accepts standard Bluetooth & USB interface devices, and has an onboard Ethernet & WiFi network card. Similar in function to the Apple TV, Chromecast, Steam PCs and various other set-top boxes, this one is designed to function as an office. It connects to available WiFi or Ethernet, opens a VPN connection to either the main server or to your own personal server, and then loads the thin client interface, which is basically a preconfigured (but easily modified) software package. Something similar in nature to Google’s Docs/Sheets/Drive/Calendar/Etc or Amazon’s cloud Workspaces, or Microsoft’s Office 365. One major function that I think would be worth adding would be a dedicated SIP client. SIP clients are used for phone calls, and ideally this one would be combined with a virtual PBX. When the box is active with a solid connection, you’d show up as a valid extension to be called. When it was on a bad connection, you’d show up as being only available for voice/text messaging, and when you were offline, you’d be available for forwarded calls.

    Beyond the basic idea, we’ve come up with a few ideas for building this and making it workable. The prototype SoaC would be put together on a Raspberry Pi for the full box version and a Chromebook for the laptop variant. The basic operating system would be open source, for flexibility, probably working with Open Office and Asterisk for the basic functionality. Given that it would be web based, there would be the option to access web-based services like the Google, Amazon and Microsoft cloud services. However, that would be at the discretion of the user.

    The VPN could be done in a few different ways, currently I’m thinking a customized firmware on a Mikrotik routerboard. I’m also thinking it would be nice to have an OTP solution integrated into it, something that supports FIDO U2F.

    One of the biggest selling points of this device would be that when the customer was using the provided office software, their data would only be travelling through the VPN between their virtual office and the server at the other end, be it their own, or one that we’ve set up. In the case of ones that we’ve set up we’d nationalize the server for the client.

    In our case, given that we’re Canadian, we’d have our servers here in Canada. In theory, this means that the data would be kept within the country for legal reasons. For professionals who have legal reasons for their offices to remain within their own country, this would be an obvious advantage over other cloud services.

    Given that the VPN is already encrypting all data passing through it, all calls made using the phone system would also be encrypted. For customers who have two of our boxes, the entire call would be handled within the internal network and thus be very difficult to intercept. For calls outside the network, they’d be able to be intercepted at the point where the server connects to the normal phone system.

    Given that we are in the age of 3D printers and rapid prototyping, I see no reason we couldn’t develop multiple variants of the basic box for different client needs. The two basic versions are a set top box and a dongle that plugs into a netbook. It would be easy to develop additional versions based on the needs of the customer.

    Given the range of configurations that are already possible using Raspberry Pi, such as the version with the 3.8″ touchscreen, I can even see a variant of this box that functions as the modern equivalent of a pager. Running on battery power and a WiFi/cellular connection, it would alert on you the touchscreen if someone wanted to reach you. You’d be able to tap them a quick message, and then if need be, plug it into your monitor and switch to full office mode in a matter of moments.

    Given that it’s a set-top box, it could also be configured as a media centre, with the added functionality of letting you know when something had happened that you needed to be aware of. Watching Netflix while waiting for an email, the box pops up a window letting you know that a message or call has come in, and then you decide if you want to switch modes.

    On some level, there isn’t really much that is revolutionary about this idea, it’s simply evolutionary. Combining good ideas in new ways, building something that has functions that you want.

    Still, I think it’s an idea worth exploring, and I think I need to reach out to some of the people I know to put this idea together. I think together, we could put together a nice little crowdfunding campaign and build a product that people will really appreciate. And right now, that’s what people seem to be doing. So why not us?


    Open Source software allows us to adapt to your needs in the most cost effective manner. Proprietary security software and hardware keeps our systems, and your data, secure.

  • Netflix algorithm

    So, people claim that Netflix has stated that they generated House of Cards based on the fact that they saw a solid intersection between people who liked Kevin Spacey and people who enjoyed watching political thrillers. And they’re using this to generate other shows.

    This gives me two thoughts, the first being, we need to watch more geek shows on Netflix, rather than pirating them. This will encourage more content we enjoy being added to Netflix.

    The second thought, is wondering if it’s possible to manipulate these algorithms. Some nefarious individuals could construct a little program that used various methods to poll Netflix looking for specific shows, in order to encourage Netflix to generate new content according to specific criteria. Said program could then be spread across the internet, covertly.

    The possibilities. Just no Armoured Penguins, please.

  • time of long shadows

    Recently, I began taking steps to change some things in my life. It’s unclear what all I plan to change, but I believe that I’d like to have more options. One way to get those options is to remove the obligations I’ve got. So I began searching for someone who could pick up the slack, if I decided to retreat into the shadows.

    I’ve done the front and centre thing, and at some point in the last few years, when I reflected on how I was coming across, I decided to tone things down a bit, and that’s resulted in my coming across more serious. Beyond that, I’ve also become less likely to connect with people. I’m not entirely sure of the source, but I seem to be far more reserved in some respects than I was in the past.

    In any case, when I’ve said I’m going to fade into the shadows, I don’t mean I’m going to cross the eternal veil, I mean something far more mundane. There has been some concern over my mental health, and as far as I can tell, my mental state is functional but drained. I need to find more things that invigorate me, though I’ve no clear idea how to do that.

    I suppose the writing helps sometimes, as I go from being distracted and unfocused to a state of sharpness. Though that state is still lacking something.

    I know many people have turned to music for this invigoration. Hell, there’s even a playlist function for it on many of the streaming services. The problem is I find music hard to engage with. In many cases, the songs are about something I can’t relate to.

    Currently, I’m listening to Repo, the Genetic Opera. It has a certain intensity to it; something I can’t put into words. Other pieces I enjoy are of a similar genre. Reefer Madness, Jesus Christ Superstar, even Wicked.

    I’ve gone far afield. I meant to say, I plan to change my life, not to end it. I might wander off in a different direction, but I don’t plan on closing any doors or burning any bridges. I tend to save the burning for those who’ve earned it, and it’s usually my preference to let them light their own pyres.

  • Doomtown!

    Saturday Afternoon, I headed over to Magic Stronghold, to check out the new Doomtown : Reloaded Organized play sessions.

    I was late, because of the events of the night before, and the extended period of taking care of Nikita and Guinness, over at my parents’ place. And the transit problems created by Hat’s Off Day, and the related road closures.

    Had I had more sleep, and had more time to properly rebuild my decks, I’d have enjoyed the game more. The deck I built, terrible design. Not enough starting influence. Maybe I should use other people’s deck designs off Doomtown DB, until I get better at it.

    That’s the big stalling point of Doomtown, the deck construction is just a little too heavy, when compared to every other game out there. Balancing the deck structure and the draw structure, balancing influence and bullets. Being sure to have enough starting influence and enough money to keep working on the game. It’s tricky.

    Again, I recommend watching Willingdone’s videos.

    The host was a friendly guy, I’ve proposed we do another game in a couple weeks, and hopefully that’ll get things ready for the tournament he wants to run next month. Hopefully that gives me time to get a decent deck built. Still, $5 entry fee, so no big deal if my deck isn’t strong.

  • Summoning

    There was trouble nearby, so I went to save the day.

    Summoned by the cries of a damsel in distress.

    An outcast, who has been banned from a few events, is being creeperly to a newbie. And someone who I’d brought the hammer down on, called me for backup, mostly subconsciously.

    I’d been in bed, reading, getting ready to sleep, but duty calls. So, I get up, throw my clothing back on and I’m out the door.

    I get there, and I take up a position to keep an eye on things, and check in with the girl who summoned me. She provides details while we observe.

    No negotiations, hardly any discussions… It is not a good start.

    His technique is … Just sad.
    The need for control is there. Too desperate, too needy.

    The newbie seems into it, her more experienced friend seems concerned.

    Roughly an hour passes, and #translack has ceased being an option. I tell the friend that it’s time to head out, and this manages to get the newbie ready to go.

    We head out the back way, walk north to the Co-op car. Along the way, the two of them talk, and the newbie’s attitude quickly changes. She goes from being happy with the activity to regretting it. How much of that is caused by her friend’s disapproval is unclear, how much is caused by coming out of the scene, who knows. It reminds me that there are too many possibilities.

    On one hand, this fellow has been banned from a couple of events; on the other hand, I’ve said a few times that I distrust promoters because there are several of them who I don’t think would be welcome at events, unless they were running their own event. It’s a complicated subject.

    Either way, it’s a 20 minute drive to get them back someplace safe, then another 30 back to my place.

    An hour driving, an hour at the thing. At least two hours past when I’d planned to sleep.

    Why do I do these things? What part of me is broken so I’m compelled to do so?


  • Odd Thomas (The book and the Movie)

    This morning, I finished reading the novel Odd Thomas. I’d previously seen the movie, and like Horns, John Dies at the End, and pretty much every other movie that comes from a book, I’ve heard the book was better. Since I’d bought myself a Kobo the other day, I’d loaded Odd Thomas onto it, and read it over the last few days. These are my thoughts, on both the book and the movie.

    If you haven’t seen the movie, I’d probably suggest that you see it. If you’ve got the patience for it, I think you might want to read the book first.

    It’s hard to write about this story without spoiling it, but I’ll give it a shot. The book is quite self aware, just a little bit more so than the movie. The main character has an Odd name, an odd life, and this is something of his origin story. Given that there are 7 other books in the series, I think that’s a good thing. The character, while perhaps not overly easy to relate to, comes across as a good person. Flawed, as we all are, but with good intentions.

    The plot, the twists his life takes, the place where it takes place, have a similar quality. You can’t quite relate to it, but you can appreciate it. Where he lives, and how it feels is actually tied into the plot, which is something I appreciated.

    This is the end of the spoiler free section. I’d not bother reading below this line, until you’ve either read the book or seen the movie.


     

    Yes. I know there’s nothing here. I don’t trust you. Go read the damn book first. Or watch it on Netflix at least.

  • Recipe for disaster?

    Minimal Sleep, Bad Dreams, and possible neuro-chemical shifts.

    There is a small chance that today might be my last day at my current job. It’s actually probably vanishingly small, but right now the little voice in the back of my head that warns me about such things won’t let me forget it. (No, I don’t mean I hear voices, I mean I have a recurring doubt. Excuse the turn of phrase/hyperbole.)

    Anyone close to me knows that I’ve got a prescription for an anti-anxiety medication, something I’ve been taking for a while, to help deal with certain things in my life that I’ve had to accept that I can’t change. I could get into them, but right now, they aren’t overly relevant to the matter at hand.

    They were costing me around $300 a year, because of my medical deductible. My family doctor, being aware of this, recently switched me to a different medication. I’m not entirely sure this was the right idea. I’d been offered a switch over to the generic, which would have saved me a fair bit of money, but instead I switched to something else. In the same family apparently. In theory, I should have done more research before consenting to this switch. I should have at least asked a few people I know who’ve done some reading. I didn’t bother though. A few weeks back, my supply of the generic had been used up and so I started on the new stuff. I’m not sure if there are any practical differences, or if I’m just being paranoid that there might be. Either way, that’s one ingredient in this recipe. The possibility of neuro-chemical change, and the associated Fear, Uncertainty and Doubt.

    Next we have the dreams. I dreamed that I was going to a conference on sexuality, with a pass provided to me by Reive. He’d given me one of the ordinary guest passes to get past the door. This is in fact pretty standard, when I’m volunteering, I don’t usually bother getting the volunteer ID. And in the past, this hasn’t been a problem. Usually the fact that I’m pulling my weight means that security, venue staff and other attendees understand that we aren’t bothering with the formalities, that there is an “arrangement” or an “understanding”, there just isn’t paperwork for it, because there usually isn’t a reason for it. In the dream, I was feeling pretty alienated, partially because I was being treated as one of the gawking rubes, or as a wannabee, rather than someone who’d been part of things. Partially, this relates to my own fears of alienation and exclusion, and partially this is something that I’ve seen happen. And partially this is my ego and my vanity, seeing myself as a part of something when I’m probably not all that vital to the enterprise.

    In the dream, when security had “stamped” me, they’d included notes that I was a security risk. In the dream, it had been done with yellow highlighter that was visible under the black light, and somehow I hadn’t noticed. When I’d been trying to catch up with people I’d dealt with in the past, either security would check the notes and bar me access, or I’d get blown off. When trying to network with new people, similar things. I caught on eventually and was in the process of trying to find Reive to get the matter sorted out when I woke up.

    I woke up about an hour before my usual alarm time. I’d fallen asleep roughly 4-6 hours after my usual bed time. I’ve had about 3-5 hours of sleep, and I suspect I’m probably going to be in that state that I’ve come to refer to as sleep depraved. It’s a higher energy, highly impulsive state. Not really a good state for a call centre job, though it’s served me well in certain tasks in the past. How long I’ll be able to maintain functionality, I’m not sure.

    It would probably be wisest for me to call in sick today, except I don’t feel that that is an option. There isn’t really anyone able to cover for me at work, not without someone taking on a fair amount of overtime. Like 5-8 hours worth. A few weeks back, after I’d had a cavity filled, I’d taken the night off, as I’d been unable to talk for a bit and then more pain than I’d expected. I probably could have worked part of the shift, but didn’t. I feel guilty about that.

    So, that’s the recipe. Combine it with the events that I obliquely referenced yesterday, and you’ve got something interesting. Something the voice in the back of my head is telling me might be a disaster. Maybe that’s just pessimism. Maybe it’s fatalism. Maybe it’s my fear of failure motivating me to turn possible failure into a disaster, as a form of ego defense. I’m not really sure.

    And I’m not sure what I’m going to do about it, beyond a cup of coffee and a hot shower.


    24 hours later, I’m considering whether or not to post this. After I wrote it up initially, I hit the draft button, so I’d be able to post it later, after I’d reviewed it, as I wasn’t sure I trusted my judgement at the time.

    In fact, a big part of my concern is that I constantly question my judgement. Part of this is being aware of consent culture and how some of the assumptions that have developed are toxic and dangerous. Part of it is probably just paranoia, though the difference between paranoia and situational awareness is a debate for another day.

    As it stands right now, I survived the day, didn’t get into any conflicts, managed to function reasonably well, and I am feeling much more functional today.

    With regards to posting this, on one hand, there is information in this post that could be used as ammunition against me, such as my mental health status, and some would say it’s foolish to post such things in a place where people can easily acquire it to use it against you. On the other hand, I don’t think there is really anything here that would surprise anyone who knows me, so I don’t really see a reason not to post it. At the very least, I can at least claim the virtue of honesty in this case.

  • Seeds of distrust

    I have trouble dealing with passive aggressive or deceptive individuals. If I get told something second hand, whether or not I accept it as the truth depends on various factors, but if I find out that it was manipulation, and someone attempts the same play again, it’ll irk me. In theory it should anger me, but it doesn’t.

    It instead creates a certain comfort; establishing a pattern. And since they’ve established a pattern, they’ve given me something I could use against them, should things escalate to that level. It then becomes a question of what response is appropriate. In many cases, while there is a temptation for confrontation, it is wiser to consider how to defuse the impact of their manipulation, or to fold that energy back into a new direction.

    If they’ve lied to you, they’ve lied to others; a subtle knowing word, something that’ll speed up their understanding of the situation, without tipping your hand too much. That seems a wise course of action.

    If the lie has created friction with others, as it did in the original example that I am deconstructing, then the obvious first step is to accept your failure, admit your foolishness, and offer apology to those who were on the wrong side of your misguided actions.

    For many, that step is a difficult one, but it is an important one. You have to admit and acknowledge the problems your actions created, without passing the blame back to the original source of the mistake. You can acknowledge that you were misled, but you must own your actions. After that, reparations, repairs, and generally learning from it.

    At that point, you have earned the ability to be honest with others about the manipulation, and in so doing, create exposure for the deceiver. This must be done in the right manner, as done wrong it will harm you more than the one who misled you.

    While there is always the option of confrontation to bring about change, through conflict, rendering your adversary impotent is often wiser.

    In some cases, when the person has established themselves, or has established a cult of personality, this can be difficult, and perhaps nigh impossible. Still, patience and solidity should endure over the slippery tongue.

  • Advice on ants

    A dying man once told me that time was like a river of angry ants, devouring our flesh and pressing ever onward, down a path we can’t accurately predict, leaving a clear swath behind them.

    While most of you can accept that part, it was the rest of it you’d have trouble with.

    It’s when you start playing with time travel that the similarities really stick out. Just like with the ants, you can try to change the flow, but they just continue to climb over whatever you toss in. Sure, with a large enough obstruction, you might cause some of them to route around, but in the end, they’ll reconnect with the mass.

    It really doesn’t matter what you throw at them, they’ll continue to move forward, endlessly.

    His final warning was to avoid anything that might create one of those damn ant balls. I can only guess he meant a time loop.

    Of course, given that he was me, I’m pretty sure he knew his advice was likely to be passed down ineffectually when I became him, watching me fail to understand the lessons that we shared.