Saturday, April 4, 2020

Stateless Password Managers

An idea I've had for a while is a password generator where you take a master password, an optional per site password, and the site domain name, combine and hash them to get a unique password for any site.

This system has a unique benefit over traditional password managers in that you can't lose your passwords.  Even if all your electronics were destroyed and you woke up naked in China tomorrow you could get your passwords just by using an online version of the tool (or failing that, manually doing the steps yourself with a hash generator).  The catch is that you're then typing your master password into whatever machine and website you could find, so the tool has to be one you trust and can run locally, and the manual fallback only works if the scheme is a plain hash rather than a deliberately slow key derivation function.

However, the system has a unique drawback of not remembering what the password requirements are.  Some sites require special characters, some don't allow them, some require more than 10 characters, some allow a max of 8.  It would be easy to translate your hash into whatever set of requirements you have, but you still need to either remember those rules, or store them somewhere else.  The same goes for changing a single site's password after a breach: the derived password is a pure function of the master password and the domain, so you need a per-site counter (and to remember it) before it can change at all.
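Here is the scheme described above worked through in Python, as an added example; it is not code from masterpassword.app or LessPass.  The master password is stretched once with a memory-hard KDF, each site gets its own key via HMAC over length-prefixed fields (domain, optional per-site secret, a counter for rotation), and the key material is mapped onto whatever character policy the site imposes without modulo bias.  The scrypt parameters, the field encoding and the two sample policies are my assumptions.

```python
"""Stateless password derivation, as an added example of the scheme above.
Not code from masterpassword.app or LessPass; the KDF choice and parameters,
the field encoding and the character-class policies are all assumptions."""

import hashlib
import hmac
import string
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    """What a site demands: total length, classes that must each appear at
    least once, and any further characters that are merely allowed."""
    length: int
    required: tuple
    extra_allowed: str = ""


DEFAULT_POLICY = Policy(16, (string.ascii_lowercase, string.ascii_uppercase,
                             string.digits, "!@#$%^&*"))
# A site that forbids symbols and caps the length at 8 (the case the post complains about).
NO_SYMBOLS_8 = Policy(8, (string.ascii_lowercase, string.digits))


def stretch_master(master: str) -> bytes:
    """One slow, memory-hard step per session, so that a leaked site password
    can't be turned into a cheap offline attack on the master password.
    scrypt parameters are an assumption; raise them if your hardware allows."""
    return hashlib.scrypt(master.encode(), salt=b"stateless-pm-example-v1",
                          n=2 ** 14, r=8, p=1, dklen=32)


def site_seed(master_key: bytes, site: str, site_secret: str,
              counter: int, attempt: int) -> bytes:
    """Per-site key material.  Every field is length-prefixed so that
    ("ab", "c") and ("a", "bc") cannot collide; `counter` exists so a single
    site's password can be rotated after a breach."""
    fields = (site.lower(), site_secret, str(counter), str(attempt))
    msg = b"".join(len(f.encode()).to_bytes(2, "big") + f.encode() for f in fields)
    return hmac.new(master_key, msg, hashlib.sha256).digest()


def _chars_from_seed(seed: bytes, alphabet: str, length: int) -> str:
    """Turn key material into characters without modulo bias: bytes that
    would wrap unevenly onto the alphabet are rejected, and the seed is
    expanded with a block counter when the stream runs out."""
    limit = 256 - (256 % len(alphabet))
    out, block, stream = [], 0, b""
    while len(out) < length:
        if not stream:
            stream = hashlib.sha256(seed + block.to_bytes(4, "big")).digest()
            block += 1
        byte, stream = stream[0], stream[1:]
        if byte < limit:
            out.append(alphabet[byte % len(alphabet)])
    return "".join(out)


def derive_password(master_key: bytes, site: str, policy: Policy = DEFAULT_POLICY,
                    site_secret: str = "", counter: int = 1) -> str:
    """Deterministic site password that satisfies `policy`.  If a candidate
    misses a required class, the attempt number is bumped and a fresh
    candidate is derived, so the result stays reproducible and unbiased."""
    if policy.length < len(policy.required):
        raise ValueError("policy cannot be satisfied at that length")
    alphabet = "".join(policy.required) + policy.extra_allowed
    for attempt in range(256):
        seed = site_seed(master_key, site, site_secret, counter, attempt)
        candidate = _chars_from_seed(seed, alphabet, policy.length)
        if all(any(c in cls for c in candidate) for cls in policy.required):
            return candidate
    raise ValueError("no candidate met the policy in 256 attempts")


if __name__ == "__main__":
    key = stretch_master("correct horse battery staple")   # constructed sample master password
    print(derive_password(key, "example.com"))
    print(derive_password(key, "example.com", NO_SYMBOLS_8))  # same site, different rules, different password
```

Running it with the two policies against the same domain shows the drawback in one line: the password you get depends on the policy you pass in, so the policy is state you still have to carry with you.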

Today I discovered this idea has been implemented, a lot.  It's called a stateless password manager, or a deterministic password manager.  Two examples are:

https://masterpassword.app/

https://lesspass.com/#/

And here is an article discussing the flaws in this system:
https://tonyarcieri.com/4-fatal-flaws-in-deterministic-password-managers

Tuesday, March 24, 2020

Social Distancing Scoreboard

According to the World Health Organization and the CDC, social distancing is currently the most effective way to slow the spread of COVID-19. We created this interactive Scoreboard, updated daily, to empower organizations to measure and understand the efficacy of social distancing initiatives at the local level.


https://www.unacast.com/covid19/social-distancing-scoreboard

Sunday, March 15, 2020

How do laser distance measures work?

I recently bought a laser tape measure; it's pretty great.  One button to turn it on, then it gives you instant distance measurements to wherever you point the laser.  There are more expensive ones that do further distances, but the one I got was $30 and goes up to 65 feet.  I compared it to a normal tape measure and it was accurate and repeatable to an eighth of an inch.  I was pretty impressed with it, and it was a great toy to add to my collection of measuring devices.

However, I began to wonder how it worked, especially since it worked so well, and was so cheap.

How laser distance measures don't work

In principle it would be simple.  Light has a very well known speed, so all you have to do is measure how long it takes for the light to go out and reflect back.  Distance = speed x time / 2, since the light covers the distance twice.  You could encode a binary number in the laser, just a counter incrementing and resetting when it runs out of numbers.  Measure what number is being reflected back and how long ago you sent that number out and you know how long it took to come back.



However, the devil is in the details, and getting that time precise enough to measure a 1/8th of an inch is going to be hard.

A 1/8th of an inch is 3.175 mm.  The speed of light is 299,792,458 m/s, or 299,792,458,000 mm/s.  3.175 mm / 299,792,458,000 mm/s = 1.059e-11 seconds, which is about 10.59 picoseconds (and because the light has to go out and back, an extra eighth of an inch of distance is about 21 ps of extra round trip).  Take the inverse of that and it's somewhere between 47 and 94 gigahertz.  I'm going to go out on a limb and assume that the $30 laser tape measure I have in my pocket doesn't have a 50 to 100 GHz clock inside of it.

How do they actually work?

Instead of transmitting a counter, just send an alternating pulse.  It doesn't have to be very fast; 1 MHz would be enough (the only constraint is that the round trip has to be shorter than half a period, which at 1 MHz means a range of about 75 m).  Then your reflected pulse is the same wave, but delayed slightly.  You only care about measuring the difference in time between the leading and falling edges of the two waves, or delta.  This means you can just compare the two waves using an XOR gate, which is just a fancy way of saying "tell me whenever these waves are different".

Here's an example (the figure is not reproduced here): the top red line is the original signal, the second blue line is the reflected version, and the third green line is the XORed delta of the two.

When you measure something slightly further away the reflected wave gets more delayed and the delta version gets a longer pulse.


Are logic gates fast enough? 

Logic gates like these are cheaper and faster than the circuitry you'd need for a timer.  However, they still aren't quite fast enough for the precision we see in these tools.  Luckily though, a delay doesn't really impact the measurement.  As long as it's a consistent delay on both the rising and falling edges of the two waves.


All you end up with is a slightly offset delta signal.

Who will measure the measurer?

It might seem like we're back to square one here, with the need to precisely measure the time of that pulse, but we actually just need to take the average of that signal.  There are a variety of ways we can do this, but as a proof of concept, imagine the delta signal is charging a capacitor, which is simultaneously being drained by a constant resistor.  You'd end up with a level of charge in the capacitor which would translate into what percentage of time the delta signal is high.

Now, all you have to do is measure the charge in the capacitor and turn that into a measurement you display.  Let's review what we need:
  • Laser transmitter and optical sensor.
  • MHz clock to turn laser on and off.
  • XOR circuit to compare the two transmitted and received signals.
  • A capacitor and resistor circuit to find average of the digital signal.
  • A way to measure the charge in the capacitor.
  • Something to take that measurement and convert it into the distance.
  • A display.
None of this is very expensive.  I'm pretty amazed they can combine them for less than $30, but at that point, you'd be losing money not to buy one.
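The whole chain modelled in Python, as an added example that is not from the original post: a square wave, the same wave delayed by the round trip, their XOR, the averaged duty cycle, and the conversion back to distance.  It evaluates the XOR exactly between signal edges rather than by sampling, includes a constant gate delay to show that it cancels out of the average, and adds one thing the post doesn't spell out: the range beyond which a single modulation frequency becomes ambiguous.  The 1 MHz clock and the 2 ns gate delay are assumed values.

```python
"""Model of the XOR phase-comparison ranging scheme described above.
Added example, not from the original post; the 1 MHz modulation clock and
the 2 ns gate delay are assumptions for illustration."""

C_MM_PER_S = 299_792_458_000.0  # speed of light in mm/s


def _square(t_s, period_s, phase_s=0.0):
    """50% duty square wave: 1 during the first half of each period."""
    return 1 if ((t_s - phase_s) % period_s) < period_s / 2 else 0


def xor_duty(delay_s, period_s, gate_delay_s=0.0):
    """Fraction of one period during which XOR(tx, rx) is high.

    tx is the modulation square wave, rx the same wave delayed by the
    round-trip time `delay_s`.  Both pass through a gate with a constant
    propagation delay `gate_delay_s`; because the duty cycle is averaged
    over whole periods, that delay drops out.  Computed exactly by
    integrating between signal edges rather than by sampling."""
    edges = set()
    for base in (gate_delay_s, gate_delay_s + delay_s):
        edges.add(base % period_s)                   # rising edge
        edges.add((base + period_s / 2) % period_s)  # falling edge
    edges = sorted(edges)
    high = 0.0
    for i, start in enumerate(edges):
        end = edges[i + 1] if i + 1 < len(edges) else edges[0] + period_s
        mid = (start + end) / 2  # signals are constant between edges
        tx = _square(mid, period_s, gate_delay_s)
        rx = _square(mid, period_s, gate_delay_s + delay_s)
        if tx ^ rx:
            high += end - start
    return high / period_s


def distance_mm(duty, clock_hz):
    """Invert the duty cycle: duty = 2 * round_trip / period and
    round_trip = 2 * distance / c, so distance = duty * period * c / 4."""
    period_s = 1.0 / clock_hz
    return duty * period_s * C_MM_PER_S / 4.0


def max_unambiguous_mm(clock_hz):
    """Beyond this distance the reflected wave has shifted by more than half
    a period and the XOR duty cycle starts falling again, so one frequency
    alone cannot tell near from far."""
    return C_MM_PER_S / (4.0 * clock_hz)


def measure(true_distance_mm, clock_hz=1_000_000, gate_delay_s=2e-9):
    """Round-trip the model: true distance -> delay -> XOR duty -> distance."""
    period_s = 1.0 / clock_hz
    round_trip_s = 2.0 * true_distance_mm / C_MM_PER_S
    duty = xor_duty(round_trip_s, period_s, gate_delay_s)
    return distance_mm(duty, clock_hz)


if __name__ == "__main__":
    for d in (3.175, 1000.0, 19_812.0):   # 1/8 inch, 1 m, 65 ft
        print(f"{d:10.3f} mm -> measured {measure(d):10.3f} mm")
    print(f"max unambiguous range at 1 MHz: {max_unambiguous_mm(1e6) / 1000:.1f} m")
    print(f"100 m reads as {measure(100_000.0) / 1000:.1f} m (aliased)")
```

The model is idealised (no noise, perfect edges), so it says nothing about why the real device stops at 65 feet; what it does show is that the arithmetic closes, that the gate delay is invisible to the average, and that at 1 MHz a target past about 75 m would read as a nearer one.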

Saturday, February 29, 2020

Guessing Smart Phone PINs by Monitoring the Accelerometer

https://www.schneier.com/blog/archives/2013/02/guessing_smart.html
In controlled settings, our prediction model can on average classify the PIN entered 43% of the time and pattern 73% of the time within 5 attempts when selecting from a test set of 50 PINs and 50 patterns. In uncontrolled settings, while users are walking, our model can still classify 20% of the PINs and 40% of the patterns within 5 attempts.

Tuesday, December 31, 2019

Predictions for the decade, from 2010

https://news.ycombinator.com/item?id=1025681

This is a good look back at what people thought the 2010s would bring at the start of them.

Wednesday, October 30, 2019

A comparison of AWS S3 Glacier Deep Archive region pricing


I'm considering using S3 for personal backups.  They recently introduced a new tier of storage called "S3 Glacier Deep Archive" which is intended for storing files that you will likely never, or perhaps once need to read.  Every geographic region AWS offers storage in has its own pricing.  I couldn't find a nice table with all the prices compared so I found the price to store 1 TB for 1 year in each region:


Using their tool: https://aws.amazon.com/s3/pricing/

If you're considering this keep in mind there are some important caveats.  First you pay for each request, which means if you're storing 1,000,000 files you will pay $50 just for the requests.  Doesn't matter if each file is 1 MB, or 1 KB, or even 1 byte each, it's $0.05 per 1,000 PUT requests.  You will then also pay storage fees every month on top of that.  As far as I can tell, you don't pay for the bandwidth to upload the files.

Retrieving the files has more caveats.  First you need to pick a speed, standard or bulk.  Standard takes up to 12 hours, and bulk is up to 48 hours.  Standard also costs about 10x as much as bulk.  And here you pay for the individual requests, the data retrieved, and (I believe) bandwidth to download from S3.

So if you're storing many smallish files (documents) you're probably much better off combining them all into a single zip file, to reduce the number of requests you have to do.  On the other hand if you're storing large files (videos), you'd probably be better off leaving them on their own so that ideally you just need to recover one or two, and then don't have to pay for the bandwidth to download them all.


I made this table to compare some scenarios.  The first 3 rows show the costs to retrieve 1 TB split across either 1, 1,024, or 1,048,576 files.  The scenarios with fewer files are cheaper, but not by a ton, and keep in mind if you only needed a few of those files it'd be much cheaper to just grab those individual files if they weren't zipped together.

The bottom 2 rows show the cost to get 1 GB of files, either as 1 file or 1,024 files.  Here the cost is negligible, pretty much however you store and access it.

So it seems in any case the bandwidth is the biggest cost.  Still, since you generally only pay for bandwidth out of S3 and not in to it, you should never really have to pay this, unless you're recovering from a pretty major disaster.  There is also the option to use AWS Snowball, where they will mail you a physical drive which you keep for up to 10 days then mail back.  That works out to be $200 + $0.03 per GB vs just $0.09 per GB for bandwidth, so the break-even is about 3.3 TB ($200 / $0.06 per GB); below that the plain download is cheaper.

Wednesday, August 14, 2019

nandgame.com

Build a computer out of NAND gates in stages.  This is essentially a game version of my post about how computers work.

http://nandgame.com/

Sunday, July 7, 2019

Social Science Research Network

I've been into reading random papers from SSRN lately.  There's some really good stuff on there, like the paper I mentioned in my last post.


https://hq.ssrn.com/rankings/Ranking_display.cfm?TRN_gID=10

Sunday, June 30, 2019

The law of small numbers

I was listening to a podcast when I heard about an interesting probability result in the same vein as the Monty Hall Problem.  The new problem is this: Flip a coin 100 times and record the results.  Now pick random flips in the set and see if the next 3 flips are all heads; if so we call this a streak.  Repeat until you find a streak of 3.  Now what is the probability that the 4th flip is also heads?  Is it 50% like we would expect?  It turns out to be closer to 46%, which is not very far from 50%, but is also a clear trend.

You can download the paper here, and I recommend you read through the introduction, which is pretty easy to follow.  I think it does a good job of explaining what is going on.  Since no one will do that, here is a table from the paper which helps give some intuition.


This represents every possible outcome from flipping a coin 3 times and looking for a 'streak' of 1 heads.  There are eight total possible outcomes, all equally likely.   In the first two, the streak of 1 heads never happens, or happens on the last flip where there is no following flip to look at.  Those are thrown away and ignored.  In the other six possible outcomes we do get a streak, at least once, and earlier than the last flip.  The underlined flips represent the possible candidates for the flip that is following a streak.  If we pick the preceding streak, then the underlined flips will be the one we are trying to predict.  In three out of the six outcomes with a streak, the following flip will not be heads.  In two out of the six outcomes the following flip will always be heads.  And in the remaining possible outcome it could be either head or tails with 50/50 probability depending on which streak you pick.

If you list out all the possible outcomes from any combination of streak length and total flips, you can see that some number of the heads flips are 'consumed' by the streaks themselves.  Those flips can never be following a streak, because they are part of the streak needed to define the streak.  On the other hand, the tails have no restrictions, they are all available to occur in the flip immediately following a streak.  There are simply more tails available to go in the candidate position.  The effect gets smaller as you decrease the streak length or increase the total number of flips in a set.

I found this very surprising, so I wanted to test it out.  I wrote a Ruby script to simulate various coin flips and look for streaks of different lengths, and output the results.  I then decided to rewrite it in a compiled language so it would be faster.  I decided to try out Go, as I've never used it before and I was hoping for something with a bit more syntactic sugar than C.

https://github.com/StephenWetzel/coin-flips-go

Here are the results of a bunch of combinations of streak lengths and numbers of flips from the Go program:
Looking for a streak of length  1 in    10 total flips. Performed 10000 rounds, and   9973 were successful, found 45.29% continued the streak.
Looking for a streak of length  1 in   100 total flips. Performed 10000 rounds, and  10000 were successful, found 49.43% continued the streak.
Looking for a streak of length  1 in  1000 total flips. Performed 10000 rounds, and  10000 were successful, found 49.91% continued the streak.
Looking for a streak of length  2 in    10 total flips. Performed 10000 rounds, and   8203 were successful, found 38.16% continued the streak.
Looking for a streak of length  2 in   100 total flips. Performed 10000 rounds, and  10000 were successful, found 47.72% continued the streak.
Looking for a streak of length  2 in  1000 total flips. Performed 10000 rounds, and  10000 were successful, found 50.15% continued the streak.
Looking for a streak of length  3 in    10 total flips. Performed 10000 rounds, and   4797 were successful, found 34.88% continued the streak.
Looking for a streak of length  3 in   100 total flips. Performed 10000 rounds, and   9995 were successful, found 45.84% continued the streak.
Looking for a streak of length  3 in  1000 total flips. Performed 10000 rounds, and  10000 were successful, found 49.78% continued the streak.
Looking for a streak of length  4 in    10 total flips. Performed 10000 rounds, and   2152 were successful, found 35.83% continued the streak.
Looking for a streak of length  4 in   100 total flips. Performed 10000 rounds, and   9637 were successful, found 40.61% continued the streak.
Looking for a streak of length  4 in  1000 total flips. Performed 10000 rounds, and  10000 were successful, found 49.21% continued the streak.
Looking for a streak of length  5 in    10 total flips. Performed 10000 rounds, and    985 were successful, found 37.36% continued the streak.
Looking for a streak of length  5 in   100 total flips. Performed 10000 rounds, and   7860 were successful, found 38.66% continued the streak.
Looking for a streak of length  5 in  1000 total flips. Performed 10000 rounds, and  10000 were successful, found 48.91% continued the streak.
Looking for a streak of length  6 in    10 total flips. Performed 10000 rounds, and    388 were successful, found 35.82% continued the streak.
Looking for a streak of length  6 in   100 total flips. Performed 10000 rounds, and   5190 were successful, found 35.24% continued the streak.
Looking for a streak of length  6 in  1000 total flips. Performed 10000 rounds, and   9996 were successful, found 46.68% continued the streak.
Looking for a streak of length  7 in    10 total flips. Performed 10000 rounds, and    140 were successful, found 40.71% continued the streak.
Looking for a streak of length  7 in   100 total flips. Performed 10000 rounds, and   2997 were successful, found 33.83% continued the streak.
Looking for a streak of length  7 in  1000 total flips. Performed 10000 rounds, and   9761 were successful, found 42.40% continued the streak.
Looking for a streak of length  8 in    10 total flips. Performed 10000 rounds, and     52 were successful, found 36.54% continued the streak.
Looking for a streak of length  8 in   100 total flips. Performed 10000 rounds, and   1634 were successful, found 33.60% continued the streak.
Looking for a streak of length  8 in  1000 total flips. Performed 10000 rounds, and   8365 were successful, found 38.27% continued the streak.
Looking for a streak of length  9 in    10 total flips. Performed 10000 rounds, and     17 were successful, found 47.06% continued the streak.
Looking for a streak of length  9 in   100 total flips. Performed 10000 rounds, and    784 were successful, found 33.04% continued the streak.
Looking for a streak of length  9 in  1000 total flips. Performed 10000 rounds, and   6037 were successful, found 35.80% continued the streak.
Looking for a streak of length 10 in    10 total flips. Performed 10000 rounds, and      0 were successful, found NaN% continued the streak.
Looking for a streak of length 10 in   100 total flips. Performed 10000 rounds, and    381 were successful, found 30.71% continued the streak.
Looking for a streak of length 10 in  1000 total flips. Performed 10000 rounds, and   3615 were successful, found 33.91% continued the streak.
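The same experiment in Python, as an added example rather than the author's Ruby or Go code.  exact_proportion enumerates every sequence of n flips and reproduces the paper's table without sampling (5/12 for 3 flips and a streak of 1); simulate is the Monte Carlo version that mirrors the procedure above and the Go program's output.  The function names and the seed are my own.

```python
"""Streak-then-next-flip experiment, as an added example (not the author's Go or Ruby code)."""

from fractions import Fraction
from itertools import product
import random


def candidate_positions(flips, streak):
    """Indices i where flips[i:i+streak] are all heads (1) and a flip i+streak
    exists to look at.  A streak ending on the last flip is thrown away,
    exactly as in the paper's table."""
    return [i for i in range(len(flips) - streak) if all(flips[i:i + streak])]


def exact_proportion(n, streak):
    """Average, over every equally likely sequence of n flips that contains at
    least one usable streak, of the fraction of candidate positions followed
    by heads.  This is the quantity the paper's table illustrates, computed
    exactly rather than sampled."""
    total, usable = Fraction(0), 0
    for flips in product((0, 1), repeat=n):
        cands = candidate_positions(flips, streak)
        if not cands:
            continue
        usable += 1
        total += Fraction(sum(flips[i + streak] for i in cands), len(cands))
    return total / usable


def simulate(n, streak, rounds, seed=0):
    """Monte Carlo version of the same experiment: flip n coins, pick one usable
    streak uniformly at random, record whether the next flip is heads.
    Returns (rounds that had a usable streak, fraction of those that continued)."""
    rng = random.Random(seed)
    successful = continued = 0
    for _ in range(rounds):
        flips = [rng.getrandbits(1) for _ in range(n)]
        cands = candidate_positions(flips, streak)
        if not cands:
            continue
        successful += 1
        continued += flips[rng.choice(cands) + streak]
    return successful, (continued / successful if successful else float("nan"))


if __name__ == "__main__":
    print(f"exact, 3 flips, streak 1: {exact_proportion(3, 1)}")   # 5/12
    for streak in (1, 2, 3):
        for n in (10, 100, 1000):
            ok, frac = simulate(n, streak, 2_000, seed=1)
            print(f"streak {streak:2d} in {n:5d} flips: {ok:5d} successful, {frac:.2%} continued")
```

The exact enumeration is only practical for small n (it visits 2^n sequences), which is why the long-run cases need the simulation; the two agree on the direction of the bias and on it shrinking as n grows.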

Tuesday, April 30, 2019

Should You Time The Market?

https://ofdollarsanddata.com/even-god-couldnt-beat-dollar-cost-averaging/
You have 2 investment strategies to choose from.
  1. Dollar-cost averaging (DCA):  You invest $100 (inflation-adjusted) every month for all 40 years.
  2. Buy the Dip: You save $100 (inflation-adjusted) each month and only buy when the market is in a dip.  A “dip” is defined as anytime when the market is not at an all-time high.  But, I am going to make this second strategy even better.  Not only will you buy the dip, but I am going to make you omniscient (i.e. “God”) about when you buy.  You will know exactly when the market is at the absolute bottom between any two all-time highs.  This will ensure that when you do buy the dip, it is always at the lowest possible price.


Making a DIY smartwatch

https://imgur.com/a/FSBwD3g


Friday, March 15, 2019

Everything Smarthome

This is a long, but enjoyable article in broken Russian-English about everything smarthome in 2019.

https://vas3k.com/blog/dumbass_home/

Wednesday, February 27, 2019

Password strength

Dropbox has a password strength estimator called zxcvbn that I like a lot.  It estimates entropy in your password by looking for dictionary or password list leak matches.  It's long bothered me when sites estimate password strength purely based on complexity.  These sites say a password like Password!1 is much more secure than one like zbuwcramudbpvreorkno (a score of 72% vs 21% respectively).  I discuss this in more detail in my How to be secure online post.

However, a while ago Dropbox changed their algorithm to favor length over resistance to dictionary attacks.  There is some logic in their decision, but I really feel like something is lost by not having the old algorithm.  So, I made a demo comparing the two so you can find passwords both algorithms agree are strong.  At the same time, I finally hooked up this domain I bought a while ago to my github pages site.

Thursday, January 31, 2019

Time


Friday, November 16, 2018

Invisibly inserting usernames into text with Zero-Width Characters

https://medium.com/@umpox/be-careful-what-you-copy-invisibly-inserting-usernames-into-text-with-zero-width-characters-18b4e6f17b66 

https://www.umpox.com/zero-width-detection/
Zero-width characters are invisible, ‘non-printing’ characters that are not displayed by the majority of applications. F​or exam​ple, I’ve ins​erted 10 ze​ro-width spa​ces in​to thi​s sentence, c​an you tel​​l? (Hint: paste the sentence into Diff Checker to see the locations of the characters!). These characters can be used to ‘fingerprint’ text for certain users.

Sunday, November 4, 2018

The FBI of the National Park Service

https://www.outsideonline.com/2353856/national-park-service-investigative-services-branch
Last August, I traveled to Yosemite National Park to meet up with Shott’s colleague, ISB special agent Jeff Sullivan, an affable, self-deprecating, 35-year veteran of the Park Service. Sullivan has played a role in investigating nearly every major crime and mystery that’s taken place in Yosemite over the past quarter-century, which made him the ideal guide for a tour of the shadowy side of America’s fifth most visited national park. See that grassy expanse, dotted with wildflowers? That’s where park visitors discovered the skull of a still-unidentified young woman, a murder claimed by the prolific serial killer Henry Lee Lucas. That lush meadow? Once, someone found a dead bear there, its head neatly severed from its body. (The ISB sent the bear’s remains to the park’s wildlife lab in Oregon, hoping to discover clues about who’d poached it. The lab called back a few weeks later: The poacher you’re looking for is a mountain lion.) 
Sullivan and I drove up to Glacier Point, where he told me about the rockslide in 1996 that killed one and injured at least 11. The dust cloud it kicked up was so massive it blocked out the sun; until Sullivan arrived on the scene, he’d been sure there would be dozens of casualties. Next to us, a bored teenager flung a water bottle into the abyss. Watching it fall seemed to cause Sullivan physical pain. He leaned in close and flashed his badge at the kid. “Don’t throw water bottles,” he said quietly.

Monday, October 22, 2018

How to set up Raspberry Pis without a keyboard, mouse, or monitor

There are plenty of guides out there about how to set up headless Raspberry Pis, but they get out of date quickly, and I do this often enough that I'm constantly searching for up to date ones.  So for my own benefit here's my documentation of the process.

Download Raspbian Lite.  This is the version without the GUI components.

Put your SD card in your computer and use lsblk to identify which drive your SD card is. Be careful, if you use the wrong drive below you will overwrite your main hard drive.

Use dd to copy the data over.  They constantly recommend you use the program Etcher, but I've never had it work successfully.  The command is sudo dd bs=4M if=2018-10-09-raspbian-stretch-lite.img of=/dev/sde conv=fsync status=progress (replace /dev/sde with the device lsblk showed for your card).

Your card should have 2 partitions.  Open the boot partition and add an empty file called ssh to enable ssh, and create a file called wpa_supplicant.conf to configure wifi.  The contents of the file are this:

country=US
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
update_config=1

network={
    ssid="YourSSID"
    # 64 hex characters from wpa_passphrase (placeholder shown), or your passphrase in double quotes
    psk=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
    key_mgmt=WPA-PSK
}

You can either put your actual password in double quotes as the psk, or use the tool wpa_passphrase to convert your password into the 64 hex character PSK that will also work.  Either way the file lets anyone who can read it join your network; the hex form is the real network key, not a hash you could safely publish.

Put the card in the Pi, boot it up, and it should connect to your network and you should be able to ssh in with username pi and password raspberry.  Note that you need to boot once for it to expand the filesystem.

The first thing to do once you're in is change that default password (passwd), since it's the same on every Pi and is the first thing anyone scanning your network will try.  Then put your public key in ~/.ssh/authorized_keys, set PasswordAuthentication no in /etc/ssh/sshd_config and restart sshd (sudo systemctl restart ssh) to turn off password ssh access.  You should also run sudo raspi-config, and update with sudo apt update && sudo apt upgrade
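The boot partition step scripted in Python, as an added example that is not from the original post or from Raspbian.  It derives the PSK the same way wpa_passphrase does (PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 iterations, per IEEE 802.11i), writes wpa_supplicant.conf in the layout above with that PSK instead of the plaintext passphrase, and drops the empty ssh file.  The SSID, passphrase and scratch directory used by the demo are placeholders; on a real card you point it at the mounted boot partition.

```python
"""Stage the headless-boot files for a Raspberry Pi.
Added example, not part of the original post or of Raspbian; the demo's
SSID, passphrase and scratch directory are placeholders."""

import hashlib
import os
import tempfile


def wpa_psk(ssid: str, passphrase: str) -> str:
    """The same derivation wpa_passphrase performs (IEEE 802.11i):
    PSK = PBKDF2-HMAC-SHA1(passphrase, salt=ssid, 4096 iterations, 32 bytes)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    if len(ssid.encode()) > 32:
        raise ValueError("SSID must be at most 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32).hex()


def wpa_supplicant_conf(ssid: str, passphrase: str, country: str = "US") -> str:
    """wpa_supplicant.conf in the layout used in the post, with the derived PSK
    in place of the plaintext passphrase.  The hex PSK is the real network key,
    not a one-way hash: anyone who can read this file can join the network."""
    if '"' in ssid:
        raise ValueError("SSID containing a double quote needs hex encoding, not handled here")
    return (
        f"country={country}\n"
        "ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev\n"
        "update_config=1\n"
        "\n"
        "network={\n"
        f'    ssid="{ssid}"\n'
        f"    psk={wpa_psk(ssid, passphrase)}\n"
        "    key_mgmt=WPA-PSK\n"
        "}\n"
    )


def prepare_boot_partition(boot_dir: str, ssid: str, passphrase: str, country: str = "US") -> list:
    """Write the two files the post describes onto the mounted boot partition:
    an empty file named `ssh` (enables sshd on first boot) and wpa_supplicant.conf.
    Returns the paths written."""
    if not os.path.isdir(boot_dir):
        raise FileNotFoundError(f"{boot_dir} is not a mounted directory")
    ssh_flag = os.path.join(boot_dir, "ssh")
    conf_path = os.path.join(boot_dir, "wpa_supplicant.conf")
    open(ssh_flag, "a").close()
    with open(conf_path, "w") as fh:
        fh.write(wpa_supplicant_conf(ssid, passphrase, country))
    return [ssh_flag, conf_path]


def demo(ssid: str = "YourSSID", passphrase: str = "correct horse battery staple"):
    """Dry run in a scratch directory; returns (file names written, conf contents)."""
    with tempfile.TemporaryDirectory() as scratch:
        paths = prepare_boot_partition(scratch, ssid, passphrase)
        with open(paths[1]) as fh:
            return [os.path.basename(p) for p in paths], fh.read()


if __name__ == "__main__":
    names, conf = demo()
    print(names)
    print(conf)
    # For a real card: prepare_boot_partition("/media/you/boot", "YourSSID", "your passphrase")
```

wpa_psk is checked against the published 802.11i test vector (SSID "IEEE", passphrase "password"), so you can compare its output with wpa_passphrase on any Linux box before trusting the generated file.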

Saturday, October 6, 2018

Blockchain Technology Overview

https://nvlpubs.nist.gov/nistpubs/ir/2018/NIST.IR.8202.pdf

NIST just published a good overview of blockchain technologies.  Very thorough, yet digestible for non-technical readers.
Blockchains are tamper evident and tamper resistant digital ledgers implemented in a distributed fashion (i.e., without a central repository) and usually without a central authority (i.e., a bank, company, or government). At their basic level, they enable a community of users to record transactions in a shared ledger within that community, such that under normal operation of the blockchain network no transaction can be changed once published. This document provides a high-level technical overview of blockchain technology. The purpose is to help readers understand how blockchain technology works.

GoogleMeetRoulette: Joining random meetings

https://www.martinvigo.com/googlemeetroulette/
Let’s see… I generated a meeting, got a Google Meet phone number, and all subsequent phone numbers are also from the same carrier. Let me call and see if I get the Google Meet greeting to confirm. Bingo! For countries like Australia and Spain, Google Meet phone numbers are assigned in batches that are sequential. I can generate a meeting myself and just check the subsequent phone numbers to obtain more Google Meet numbers. You can use them to join/find meetings in the US as the phone numbers from other countries are not specific to meetings in that country, they are global.

10 seconds per call, 3 PINs at a time, 10,000 PINs to try. It would take about 9 hours to cover all PIN combinations making one call at a time. Because Twilio is designed to make calls at scale, we can make hundreds of calls at the same time making the process much faster. The script fires so many calls that the line will be busy sometimes. Not a problem! The script will detect failed calls and simply retry. Actually, Twilio notifies of failed calls immediately using webhooks making the script very efficient handling calls that did not go through.  
I did some benchmarks and on average it takes 25 minutes to try all 10k PINs and find 15 different valid PINs for 15 different meetings for a cost of $16. Not bad!

Saturday, September 29, 2018

Man in the browser attack

Recently I heard of the man in the browser attack and thought it was interesting.  This is malware that is installed in your browser (as an extension for example), and silently waits for you to do a bank transfer.  When you do it can simply change the destination account and routing numbers you submit to those of the attacker, while rewriting the page so the confirmation still shows the numbers you typed.  Everything looks fine to you, and wire transfers already take days to process.  Things like strong passwords and 2 factor authentication won't help since you are logging into your real bank's website; what does help is confirming the transaction details over a separate channel, such as a code sent to your phone that includes the destination account.

https://en.wikipedia.org/wiki/Man-in-the-browser

Monday, August 27, 2018

wideNES - Peeking Past the Edge of NES Games

http://prilik.com/blog/wideNES
At the end of each frame, the CPU updates the PPU on what has changed. This involves setting new sprite positions, new level data, and —crucially for wideNES— new viewport offsets. Since wideNES runs in an emulator, it’s really easy to track the values written to the PPUSCROLL register, which means it’s incredibly easy to calculate how much of the screen has scrolled between any two frames!

Hmm, what would happen if instead of painting each new frame directly over the old frame, new frames are instead painted overlapping the previous frame, but offset by the current screen scroll? Well, over time, more and more of the level would be left on-screen, gradually building up a complete picture of the level!


Friday, August 24, 2018

How I recorded user behaviour on my competitor’s websites

https://dejanseo.com.au/competitor-hack/
I spoofed the back button in Chrome and sent people to my version of search results and competitor websites where I recorded everything with Lucky Orange.

Friday, May 25, 2018

How Ikea took over the world

http://fortune.com/ikea-world-domination/
One way Ikea researchers get around this is by taking a firsthand look themselves. The company frequently does home visits and—in a practice that blends research with reality TV—will even send an anthropologist to live in a volunteer’s abode. Ikea recently put up cameras in people’s homes in Stockholm, Milan, New York, and Shenzhen, China, to better understand how people use their sofas. What did they learn? “They do all kinds of things except sitting and watching TV,” Ydholm says. The Ikea sleuths found that in Shenzhen, most of the subjects sat on the floor using the sofas as a backrest. “I can tell you seriously we for sure have not designed our sofas according to people sitting on the floor and using a sofa like that,” says Ydholm.

Monday, March 12, 2018

Smart homes and vegetable peelers

https://www.ben-evans.com/benedictevans/2018/1/4/smart-homes-and-vegetable-peelers
Many of the things that get a connection or become 'smart' in some way will seem silly to us, just as many things that got 'electrified' would seem silly to our grandparents - tell them that you have a button to adjust the mirrors on your car, or a machine to chop vegetables, and they'd think you were soft in the head, but that's how the deployment of the technology happened, and how it will happen again. The technology will be there, and will become very very cheap, so it will slide unnoticed into our lives. On the other hand, many things that people did think might get electrified did not, and many of the ideas that did work were not adopted in a uniform way. Most people in the UK have an electric kettle, but that's not true in the USA, and most people in Japan have a rice cooker, but this in turn isn't true in the UK. Anyone who's baked a few times has bought an electric whisk for $20, but not many people use electric carving knives.

Friday, February 16, 2018

The “hydrogen economy” may be a thing after all.

https://www.vox.com/energy-and-environment/2018/2/16/16926950/hydrogen-fuel-technology-economy-hytech-storage
The first product, scheduled to debut in April, is the key to everything else.
It’s called Internal Combustion Assistance (ICA), a modification to internal combustion engines that enables them to substantially increase their fuel efficiency and reduce their air pollution. It does this by adding tiny amounts of gaseous hydrogen and oxygen to the fuel just before it is combusted in the engine’s cylinders. The HHO mix lends intensity to the combustion, allowing the fuel to burn more completely, generating more oomph and less pollution.
The ICA system can technically work on any internal combustion engine, but to begin with, HyTech is targeting the dirtiest engines with the fastest return on investment, namely diesel engines — in vehicles like trucks, delivery vans, buses, and forklifts, but also big, stationary diesel generators, which still provide backup (and even primary) power by the millions across the world.

Let's Learn About Waveforms

https://pudding.cool/2018/02/waveforms/

Monday, January 29, 2018

Password Management

I've long maintained that the only sites that really need strong passwords are emails (because they let you reset other passwords) and financial sites.  I've memorized long random passwords for those sites, and I have a few similar passwords I use for the rest of things.  I've never been too concerned about sharing passwords between other sites, because I literally don't care about the security of those accounts.

That being said, sites are increasingly instituting arbitrary restrictions that are intended to make things more secure.  This means I need variations of my common passwords for every permutation of rules, and then variations of those for when I'm required to change them.  Having to try all these permutations has finally made me break down and start using a password manager.

It's probably no surprise I didn't just go with LastPass, and not just because of my general aversion to the most popular choices, but as I've heard the company they are owned by is shady.

Password Manager

There are a lot of password managers, but if you're looking for open source, and managing your own password file, the clear choice is KeePass.  However, as is an open source tradition, you can't just go with KeePass; you have to follow the forks, to find the version that is currently up to date and being maintained.  That version is KeePassXC.

If you go with KeePassXC you'll have a client on every device you want to use it with.  Then you'll have a password file, which is the encrypted file holding all your passwords.  In theory if your master password for that file is long and secure you won't need to worry about keeping that file too safe (don't post it publicly).  I'd recommend getting to at least centuries on the 10k/second tier of zxcvbn.

You can also use a keyfile, which is a random file you'll need in addition to a master password to decrypt your password file.  This adds some security, but keep in mind that if someone gains access to a device with your password file, they also probably gain access to the keyfile.  It mainly helps if you are worried about your password file getting intercepted during syncing between devices (you wouldn't sync the keyfile, you'd move it manually to new devices).

Syncing the Password File

This felt like it was going to be the hardest part, but it turned out to be the easiest.  Certainly, the biggest convenience of LastPass is that someone else manages the password file for you.  A lot of people use Dropbox to sync the KeePass file, and I was ok with this (as the file is encrypted, so you aren't really trusting Dropbox with anything), but I hate the idea of installing Dropbox's bloated, always-running client on every device.

Luckily I found Syncthing, which is essentially an open source, bit torrent based version of Dropbox.  You install it on all your machines and then point it to the folder you want to share and it keeps it synced.  My biggest issue was having to enable discovery on every device so that they would share the list of devices they are sharing with too.  This makes sense to have turned off if you were sharing with other people, but if you're only using it in a closed personal ecosystem it's much easier to have it enabled.

I was slightly worried about the password file becoming out of sync, getting written to by two different computers and getting corrupted.  But my mild stress tests have been unable to make this happen.  I've been using this setup for half a year now without issue, so I'm comfortable recommending it.  That being said, Syncthing does allow you to maintain history files (where it keeps the last few versions of the file every time it overwrites it), and I still have that enabled on my PC.

Browser Integration

KeePassXC uses a protocol called KeePassHTTP to share passwords externally.  This basically just sets up a server and allows http requests for your passwords.  This is risky because there could be external requests.  KeePassXC only allows localhost requests, which should mitigate that risk.  If you're still worried you can disable that and use autotyping, where you place the cursor in any text field and it types the password in that field.

Just searching for "KeePassXC Firefox" or Chrome shows the extensions for either.  I've been happy with both of those, although they do feel like the weakest link.

On Android the app Keepass2Android works well.  If you search for the site in the app it then gives you another keyboard to choose from which only has two buttons "User" and "Pass".  Pressing those fills in that info for the site you have selected.

The closest thing to a problem on the phone is that it takes a few seconds to unlock the file.  This is important though: it should take at least half a second to unlock your password file on a fast PC.  If you make it faster to open, it'll be easier to brute force.
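The unlock-time advice above, and the "centuries on the 10k/second tier" recommendation in the Password Manager section, come down to one knob: the cost of one key derivation. This is an added example, my own code rather than anything from KeePassXC; it uses PBKDF2-HMAC-SHA256 from the standard library as a stand-in for the AES-KDF or Argon2 work factor a KeePass database actually uses, calibrates the round count to a target unlock time, and then estimates how long exhaustive search takes when every guess has to pay that same cost.

```python
import hashlib
import os
import time

# Stand-in KDF: PBKDF2-HMAC-SHA256 from the standard library. KeePass
# databases use AES-KDF or Argon2 instead, but the trade-off shown here
# (more rounds = slower unlock = slower brute force) is the same knob.
def derive_key(password: str, salt: bytes, rounds: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)


def time_unlock(password: str, salt: bytes, rounds: int) -> float:
    """Seconds for one key derivation, i.e. one unlock (or one attacker guess)."""
    start = time.perf_counter()
    derive_key(password, salt, rounds)
    return time.perf_counter() - start


def calibrate_rounds(target_seconds: float, probe_rounds: int = 20_000) -> int:
    """Round count that makes one unlock take about target_seconds on this machine.

    Best of three probes so a scheduler hiccup does not inflate the result."""
    salt = os.urandom(16)
    probe = min(time_unlock("calibration-only", salt, probe_rounds) for _ in range(3))
    return max(1, int(probe_rounds * target_seconds / probe))


def brute_force_years(entropy_bits: float, seconds_per_guess: float,
                      parallel_guessers: int = 1) -> float:
    """Expected years to recover a password of the given entropy by exhaustive
    search when every guess costs one KDF run (half the keyspace on average).

    parallel_guessers models an attacker with many cores or GPUs. Taking the
    per-guess cost from your own unlock time is optimistic: a dedicated
    cracking rig is usually faster per guess than the machine you unlock on."""
    expected_guesses = 2.0 ** (entropy_bits - 1)
    seconds = expected_guesses * seconds_per_guess / parallel_guessers
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    rounds = calibrate_rounds(0.5)      # the post's "at least half a second"
    unlock = time_unlock("correct horse", os.urandom(16), rounds)
    print(f"{rounds} rounds -> {unlock:.2f} s per unlock")
    for bits in (40, 60, 80):           # constructed sample entropies
        print(f"{bits}-bit password, 1000 parallel guessers: "
              f"{brute_force_years(bits, unlock, 1000):.3g} years")
```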

Thursday, December 28, 2017

Create fake videos of famous people saying anything you want in real time.

Google has software that can create dynamic audio indistinguishable from a real person (scroll to "Tacotron 2 or Human?" at the bottom):

Combine with this, which lets you put your facial movements on a real person:


Wednesday, December 20, 2017

Google Map's Moat

https://www.justinobeirne.com/google-maps-moat
Annechino and Cheng spent months researching one city. But not only did Google capture all of their commercial corridors (and several more), it somehow came up with them for thousands of cities across the world. (Even my tiny hometown got a few.)

Sunday, October 29, 2017

Designing a Hammock Stand

2017 note: This is a post I wrote in 2013 about a hammock stand I never built.  My plan was to build it first so I could add finished pictures, but I think I'm about ready to give up on my prospects of ever actually building this.

Every night I sleep on what is essentially a pile of garbage.  A while back, someone started a thread on reddit about sleeping in a hammock every night.  He had nothing but praise for hammocks, and some research showed the internet generally agreed that hammocks were an excellent bed replacement.

I decided I would give it a try.  As I backpack too, I bought an ENO Doublenest that can be used for camping, although I have no real plans to do that.

Calculations

Before I could plan a stand for nightly indoor hammock use, I had to know what kind of forces it would have to handle.

The hammock's max weight rating is 400 lbs, and since it is probably better for the hammock to fail before the stand I used that as my load.

Each end of the hammock has to support half the load; however, this is not just 200 lbs.  To find out why, and to see what the actual tension is, we will break the force vector into its x and y components.

We don't know the x force, and are trying to find the resultant force.  We do, however, know the angle and the y force.  The y force must be equal to just half the weight supported by the hammock.  This assumes the weight won't get shifted too much to one end.

The ideal hang angle is widely reported to be 30 degrees down from horizontal.  A preliminary test of mine showed I liked it closer to 45.  Shallower angles increase the stresses, so I planned for 30 degrees.

The forces form a right triangle with all known angles and one known side.  It's a 30-60-90 triangle and the vertical leg is 200 lbs.  This means the horizontal force is 347 lbs and the resultant force on the line is 400 lbs.  To be clear, this means that for a 30 degree hang, each line must support the full weight in the hammock.  If we let the hammock sag more to 45 degrees it reduces the tension on the line to only 283 lbs.

Hanging Possibilities

The guy in the reddit thread said he simply hung his from eye bolts in the wall studs.  I don't have wall studs in the basement, and I wouldn't trust them if I did.  I considered hanging from the 2x8 ceiling joists.  The problem was the height would mean I would need a huge span between the two hang points.  Also, I wouldn't recommend anyone hang perpendicular to the direction of the joists, as this will cause deflection.  It might not seem like it would be a big deal, but it is generally a bad idea to introduce new stresses in directions that structural members were never designed to handle, particularly when they are holding up your house.

After some debate I decided on building a stand.  Since most of the force is in the horizontal direction I thought about just hanging from a 4x4 post that I would elevate off the ground with some sort of stands on the ends.  I didn't like this idea since it would be annoying to have the post above me while sleeping, and even more annoying when it failed and crashed down on my face.

In order to deal with the high horizontal load, whatever the hammock is actually hanging from would have to be angled out.  This leads to the classic hammock stand shape of angled arms.

Will 2x4s Work?

I decided to angle my arms out at 60 degrees above the horizontal.  This meant that the hammock would hang between 30 and 15 degrees above the arm (for 30 to 45 degrees below horizontal).  To calculate the stresses in the arm I rotated the axes such that the arm was now vertical.  I then calculated the x and y force vectors in this new rotated orientation.

Drawing out the forces shows the 30 degree hang produces the same force triangle as before, just flipped.  There will be 200 lbs of force perpendicular to the arm, and 347 lbs of force parallel to it.  For the 45 degree hang it shifts to 274 lbs parallel to the arm and just 74 lbs perpendicular to it.  You can see what a significant factor the hang angle is to the forces involved.  If I were actually planning on hanging at 30 degrees I'd probably adjust the arms out further to shift more of the torque to compression.

We now have two forces, which means we can see what types of load they produce on the arms.  The parallel force results in an axial compressive load, i.e., like a column.  This handy calculator tells me that a 2x4 can support 1000-1500 lbs of compression over 5 unbraced feet, depending on grade.  So axial load shouldn't be a limiting factor.

The perpendicular force will produce a bending moment (torque).  The amount will depend on the arm length, which is not yet known.  An estimate of 4.5 feet gives us 340 ft lbs for the 45 degree hang, and 900 ft lbs for the 30 degree hang.  The above calculator's brother tells me that a 2x4 should be able to handle about 375 ft lbs of bending.  This roughly matches the calculations I did on paper as a sanity check.

So, we can see that for a 30 degree hang a 2x4 wouldn't be enough.  Keep in mind we started with a load of 400 lbs in the hammock, and I'd guess that calculator has a safety margin built in, so a 2x4 would probably hold, at least for a while.
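The force decomposition from the Calculations section through the 2x4 check above, carried through for any hang angle and arm angle. This is an added example in Python, my own code rather than the author's paper calculations or the linked calculators; it assumes the arm leans away from the hammock (so the line sits arm_deg minus hang_deg degrees above the arm, matching the post's "30 to 15 degrees above the arm"), ignores the weight of the stand itself, and uses the 375 ft lb bending and 1000 lb compression figures quoted in the post as the 2x4 capacities.

```python
import math

# Capacities quoted in the post for a 2x4 arm (from the linked calculators).
TWO_BY_FOUR_BENDING_FT_LB = 375
TWO_BY_FOUR_AXIAL_LB = 1000      # low end of the 1000-1500 lb range


def hammock_loads(total_weight, hang_deg, arm_deg, arm_length_ft):
    """Forces on one end of the hammock and on the stand arm it hangs from.

    total_weight: load in the hammock (lb); each end carries half of it vertically.
    hang_deg: hang angle of the suspension line, degrees below horizontal.
    arm_deg: arm angle, degrees above horizontal, leaning away from the hammock.
    arm_length_ft: lever arm from the base joint to the hang point.
    """
    hang = math.radians(hang_deg)
    vertical = total_weight / 2.0
    tension = vertical / math.sin(hang)         # resultant force along the line
    horizontal = vertical / math.tan(hang)      # pull toward the other end
    # Angle between the line and the arm axis (the post's "30 to 15 degrees above the arm").
    offset = math.radians(arm_deg - hang_deg)
    parallel = tension * math.cos(offset)       # axial compression in the arm
    perpendicular = tension * math.sin(offset)  # bending load on the arm
    return {
        "tension": tension,
        "horizontal": horizontal,
        "parallel": parallel,
        "perpendicular": perpendicular,
        "moment": perpendicular * arm_length_ft,  # ft*lb at the base joint
    }


def arm_within_capacity(loads, bending=TWO_BY_FOUR_BENDING_FT_LB, axial=TWO_BY_FOUR_AXIAL_LB):
    return loads["moment"] <= bending and loads["parallel"] <= axial


def steepest_safe_arm(total_weight, hang_deg, arm_length_ft):
    """Most upright whole-degree arm angle that keeps a 2x4 within capacity.
    Leaning the arm further out moves load from bending into compression."""
    for arm_deg in range(90, int(hang_deg) - 1, -1):
        if arm_within_capacity(hammock_loads(total_weight, hang_deg, arm_deg, arm_length_ft)):
            return arm_deg
    return None


if __name__ == "__main__":
    for hang in (30, 45):
        loads = hammock_loads(400, hang, 60, 4.5)
        print(f"{hang} deg hang: " + ", ".join(f"{k} {v:.0f}" for k, v in loads.items()),
              "OK" if arm_within_capacity(loads) else "over capacity")
    print("steepest safe arm for a 30 deg hang:", steepest_safe_arm(400, 30, 4.5), "deg")
```

Running it reproduces the post's 400/347/200 lb and 283/274/74 lb figures (to rounding) and shows that at a 30 degree hang the 60 degree arm would have to lean out to about 42 degrees for the bending load to fit within 375 ft lbs.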

My Design

I began my design with this simple design.  Reading through the comments and several other sites I changed the design significantly.  A goal of my design was ease of construction with a total lack of tools and experience (which admittedly might impair my ability to judge what is easy to build).

After some concern about the torque in the joint I decided to create something like a half lap joint.  I will layer two 2x4s to make a quasi 4x4 as my horizontal base.  First, however, I will make a 60 degree cut through one of the 2x4s at about 2 feet from the center.  I will cut the other 2x4 at 2 feet from the center in the other direction.  Thus, both 2x4s will have a 60 degree cut, 2 feet from the center, but on opposite sides of the center.  I will then gap the cut enough to fit the 2x4 for the arm in there, and cut the bottom of the arm at 60 degrees to make it flush against the floor.  This means the two arms won't be exactly in line, but rather slightly offset.  Looking at the stand head on, the left edge of one arm will be aligned with the right edge of the other.

The two 2x4s along the base will be wood glued and screwed to form a solid 4x4-like piece.  At the ends of the base, 4 foot long 2x4s will be screwed into the base, forming an I shape.  They will provide stability.  At this point the design looks similar to the starting design, albeit with major, if subtle, differences.  The last change would be side bracing similar to what people in the comments added.  Each side brace would be about 4 feet long and set at 60 degrees above horizontal.  For no reason I decided to put each brace on opposite sides of the ground 2x4 they connect to.  That changes their length by a bit.  It took me much longer than I care to admit to calculate what that difference would be, finally resorting to just using CAD.

Here are some preliminary CAD drawings I did.  I still plan on testing the hang length a bit more before these are final.  Since I'm well aware that no one could be expected to visualize what I described, and that these drawings don't help much, I won't publish this until I'm ready to follow this post up with a construction post with actual pictures.

In lieu of finished shots I did this render in Tinkercad:

Friday, September 22, 2017

10 iconic logos. 156 Americans. 80 hours of drawing from memory.

https://www.signs.com/branded-in-memory/


A High-End Mover Dishes on Truckstop Hierarchy, Rich People, and Moby Dick

https://longreads.com/2017/09/21/a-high-end-mover-dishes-on-truckstop-hierarchy-rich-people-and-moby-dick/amp/
Since I now work for a boutique van line doing high-end executive moves, all of my work is what we call pack and load. That means I’m responsible for the job from beginning to end. My crew and I will pack every carton and load every piece. On a full-service pack and load, the shipper will do nothing. I had one last summer that was more or less typical: The shipper was a mining executive moving from Connecticut to Vancouver. I showed up in the morning with my crew of five veteran movers; the shipper said hello, finished his coffee, loaded his family into a limousine, and left for the airport. My crew then washed the breakfast dishes and spent the next seventeen hours packing everything in the house into cartons and loading the truck. At destination, another crew unpacked all the cartons and placed everything where the shipper wanted it, including dishes and stemware back into the breakfront. We even made the beds. We’re paid to do all this, of course, and this guy’s move cost his company $60,000. That move filled up my entire trailer and included his car. It was all I could do to fit the whole load on without leaving anything behind, but I managed it. I do remember having to put a stack of pads and a couple of dollies in my sleeper, though.

Wednesday, August 30, 2017

A history of branch prediction from 1500000 BC to 1995

https://danluu.com/branch-prediction/
One way you might design a CPU is to have the CPU do all of the work for one instruction, then move on to the next instruction, do all of the work for the next instruction, and so on. There’s nothing wrong with this; a lot of older CPUs did this, and some modern very low-cost CPUs still do this. But if you want to make a faster CPU, you might make a CPU that works like an assembly line. That is, you break the CPU up into two parts, so that half the CPU can do the “front half” of the work for an instruction while half the CPU works on the “back half” of the work for an instruction, like an assembly line. This is typically called a pipelined CPU.