Warning Me Softly

I already wrote about post-quantum cryptography before. If you check the dates, you’ll see that this is not a new topic. However, it’s still quite common to see standard key exchange for SSH sessions. Well, this might be about to change.

With version 10.1, OpenSSH will present you with the following warning:

** WARNING: connection is not using a post-quantum key exchange algorithm.
** This session may be vulnerable to "store now, decrypt later" attacks.
** The server may need to be upgraded. See https://openssh.com/pq.html

In reality, this changes nothing, as everything will continue to work as before. But, knowing human nature, I foresee a lot of people moving to a newer key exchange just to avoid the warning. In no time, projects will face their security review teams. And if the security team doesn’t like warnings, projects will oblige.

My own network is in a surprisingly good state. Most of my SSH connections already use the sntrup761x25519-sha512 key exchange algorithm. However, there are two notable exceptions: Windows and Mikrotik.

Mikrotik, I pretty much expected. It took them ages to support ED25519, so I don’t doubt I will see the warning for a long while before they update their software. I love Mikrotik devices, but boy, do they move slow.

But Windows 11 came as a surprise. They still advertise curve25519-sha256 at best. I guess all that time spent making the start menu worse prevented them from upgrading their crypto. I predict that, as always, when the warning starts, Microsoft forums will be full of people saying that the warning is wrong and that Windows can do no wrong. Only to eventually be dragged into the future.
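As an added example (not from the original post), here is a small shell helper for checking your own hosts from any client: it pulls the negotiated key exchange out of `ssh -vv` output and reports whether it is one of OpenSSH's hybrid post-quantum algorithms. The sample debug lines are constructed; besides the sntrup761x25519-sha512 the post mentions, it also recognises mlkem768x25519-sha256, which OpenSSH offers as well.

```shell
#!/bin/sh
# Hybrid post-quantum key exchange names OpenSSH uses (sntrup761x25519-sha512
# also appeared with an @openssh.com suffix in older releases).
is_pq_kex() {
    case "$1" in
        sntrup761x25519-sha512|sntrup761x25519-sha512@openssh.com|mlkem768x25519-sha256)
            return 0 ;;
        *)
            return 1 ;;
    esac
}

# negotiated_kex: reads `ssh -vv` output on stdin and prints the algorithm the
# two sides agreed on (the "debug1: kex: algorithm: <name>" line).
negotiated_kex() {
    sed -n 's/^debug1: kex: algorithm: //p' | head -n 1
}

# classify_kex <name>: prints "pq", "classical" or "unknown" (empty name).
classify_kex() {
    if [ -z "$1" ]; then
        echo unknown
    elif is_pq_kex "$1"; then
        echo pq
    else
        echo classical
    fi
}

# report_kex: reads `ssh -vv` output on stdin and classifies the negotiated kex.
report_kex() {
    classify_kex "$(negotiated_kex)"
}

# check_host <host>: connects in debug mode with no password prompts and reports
# the kex class. Authentication may fail; only the kex line is needed.
check_host() {
    ssh -vv -o BatchMode=yes -o ConnectTimeout=5 "$1" true 2>&1 | report_kex
}
```

Run `check_host user@server` for each machine; anything printing "classical" is what OpenSSH 10.1 will warn about.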

State of YouTube Ads

While my site currently doesn’t contain ads, it did contain them before. And I still do a sponsored post or two on occasion. The primary reason I removed ads from these pages was that they were becoming a vehicle for snake-oil salesmen. I was ok with ads that try to sell real stuff. I was not ok with ads that sell perpetuum mobile of any kind. Google ads didn’t allow me to remove the latter category, so I simply disabled them all.

But that doesn’t mean I removed ads from my life. While the amount of ads online is increasing, one site is becoming more and more unusable due to them - YouTube. Pretty much all ads I get these days from YouTube are ads for either scammers or republicans. But I repeat myself.

And the length of the ads has been increasing substantially. For example, I got an ad for the Ben Shapiro show. Curious how long it would go, I left it running. Darn thing ran for more than 1 hour (don’t worry, I muted him after a minute or two in order to preserve my sanity). The whole freaking show was the “ad”. Total duration of the “ad” was 1:07:41. Duration of the video this ad was playing on was 46:33. So, the ad was more than 20 minutes longer than the content. WTF?

And this is just one ad that made me write this. I cannot even count how many ads for the revolutionary new device that “the government wants to destroy” I saw. Be it a flashlight, binoculars, night-vision, or some magic bean, YouTube will give it an audience.

This is not a normal thing. It never was, and it should never be considered normal. While ads on TV were never perfect and there was an occasional scammy ad or two, there were some standards. For one, I never saw an ad that was longer than the content. And I never saw as much political garbage on TV (admittedly, I didn’t grow up in the USA).

I guess we all bought into the argument that it’s “too difficult to check all the ads”. I guess a multibillion-dollar company just cannot afford it.

That said, I don’t believe the solution is more rules. The solution, as so often happens, would be more competition. I doubt that YouTube would allow crappy ads if they had any proper competition. But it might be that ship has sailed.

Disabling AMD Turbo Boost

Recently I upgraded my trusty Framework 13 laptop to an AMD motherboard. It’s not my primary laptop, mind you, but it does come in handy whenever my F16 is too cumbersome to lug around. For me, that often ends with it in my lap.

And this laptop can get hot. The AMD CPU always wants to give it its all, even when it’s not necessary. Often I will have a long-running task in the background that the CPU will try to speed up as much as possible by boosting its clock and fans to max. And those are tasks where I don’t care whether they finish in 30 or 35 minutes, so the extra heat is unappreciated.

Easy solution for this is just turning off turbo boost. And that is easy enough by writing 0 to a file:

echo 0 | sudo tee /sys/devices/system/cpu/cpufreq/boost

However, I usually remember to do so only once my legs start smoking. So, I decided it was about time for my system to use that setting as a default. And, since my Kubuntu uses systemd, it all starts with creating a service:

cat << EOF | sudo tee /etc/systemd/system/cpu-noturbo.service
[Unit]
Description=Disable Turbo Boost

[Service]
# oneshot: "systemctl start" waits for ExecStart to finish and reports its result;
# RemainAfterExit keeps the unit active so ExecStop runs when it is stopped.
Type=oneshot
ExecStart=/bin/bash -c "echo 0 | tee /sys/devices/system/cpu/cpufreq/boost"
ExecStop=/bin/bash -c "echo 1 | tee /sys/devices/system/cpu/cpufreq/boost"
RemainAfterExit=yes

[Install]
WantedBy=sysinit.target
EOF

Whenever the service is started, it will disable turbo boost. Once the service is stopped, turbo boost will be re-enabled.

Of course, to make sure it starts on every boot, we need to enable it. And because we don’t want to reboot the system to apply the setting, we might as well start it immediately.

sudo systemctl daemon-reload
sudo systemctl enable cpu-noturbo
sudo systemctl start cpu-noturbo

PS: The same behavior for an Intel CPU can be achieved by using slightly different commands. Note that 1 and 0 are swapped:

echo 1 | sudo tee /sys/devices/system/cpu/intel_pstate/no_turbo   # disable turbo
echo 0 | sudo tee /sys/devices/system/cpu/intel_pstate/no_turbo   # re-enable turbo
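Since the AMD and Intel interfaces use opposite values, it is easy to write the wrong one. As an added example (not from the original post), a shell helper that picks whichever sysfs file the kernel exposes and writes the correct value, plus a function that reads the current state back; the sysfs root is a parameter only so the helper can be exercised against a constructed directory tree instead of the real /sys.

```shell
#!/bin/sh
# set_turbo on|off [sysfs_root]
# AMD / acpi-cpufreq exposes .../cpufreq/boost        (1 = boost on, 0 = off)
# Intel pstate exposes      .../intel_pstate/no_turbo (0 = boost on, 1 = off)
# sysfs_root defaults to /sys (writing there needs root).
set_turbo() {
    want="$1"
    root="${2:-/sys}"
    amd="$root/devices/system/cpu/cpufreq/boost"
    intel="$root/devices/system/cpu/intel_pstate/no_turbo"
    case "$want" in
        on)  amd_val=1; intel_val=0 ;;
        off) amd_val=0; intel_val=1 ;;
        *)   echo "usage: set_turbo on|off [sysfs_root]" >&2; return 2 ;;
    esac
    if [ -f "$amd" ]; then
        printf '%s\n' "$amd_val" > "$amd"
    elif [ -f "$intel" ]; then
        printf '%s\n' "$intel_val" > "$intel"
    else
        echo "no turbo/boost control found under $root" >&2
        return 1
    fi
}

# turbo_state [sysfs_root]: prints "on", "off" or "unknown" for the current setting.
turbo_state() {
    root="${1:-/sys}"
    amd="$root/devices/system/cpu/cpufreq/boost"
    intel="$root/devices/system/cpu/intel_pstate/no_turbo"
    if [ -f "$amd" ]; then
        [ "$(cat "$amd")" = "1" ] && echo on || echo off
    elif [ -f "$intel" ]; then
        [ "$(cat "$intel")" = "0" ] && echo on || echo off
    else
        echo unknown
    fi
}
```

The same function works as the ExecStart/ExecStop command of the service above on either CPU vendor (for example `ExecStart=/usr/local/bin/turbo.sh off`).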

Obtaining Hash as a Part of 11ty Build

Last week I stated in a post that I’m not signing my software anymore. So someone might be wondering how they can check that the executable they have actually came from me. Well, together with that post I also added a SHA-256 hash to every file that gets downloaded from my site. If you don’t know how to compute one, I even created Summae in order to bring this information into the context menu. And, to make the whole task of generating SHA-256 hashes easier on myself, I added it as part of the build process.

First, I had to add crypto-js package to my 11ty package:

npm install crypto-js

Then, in eleventy.config.mjs, I added the imports:

import fs from "node:fs";
import path from "node:path";
import crypto from "node:crypto"; // Node's built-in module; provides createHash() used by the shortcode
import cryptojs from "crypto-js";

Lastly, into the default function in eleventy.config.mjs, I added the sha256 shortcode:

eleventyConfig.addShortcode("sha256", async function (file) {
  // Hash the file as it sits in the output directory, so the published hash
  // matches the bytes that are actually served.
  const filePath = path.join(eleventyConfig.directories.output, file);
  if (!fs.existsSync(filePath)) {
    // Fail the whole build rather than publish a page with a missing hash.
    console.error(`File not found: ${filePath}`);
    process.exit(1);
  }
  // Read the raw bytes and feed them straight to Node's built-in SHA-256.
  const fileContent = fs.readFileSync(filePath);
  return crypto.createHash("sha256").update(fileContent).digest("hex");
});

Whenever I want to use the shortcode, I just add a call to it using the file name as an argument.

{% sha256 "/download/file.zip" %}

Now, in reality, there is a bit more code - especially in the templating area. But that code is just to read data from variables, style the output, etc.

So, how does this help?

Well, it allows the end user to check file validity. If the hash matches, you know that the download was successful and you got the file I was intending to provide. And I can offer this at no cost to myself.

Not Signing Software Anymore

I used to sign my software. And not with my personal code signing certificate - I used a “proper”, third-party one. Since my software offered here is freeware, this wasn’t really cheap - about $50 a year or so. But I could justify it to myself. Barely. All for a green checkmark.

However, since sometime in 2023, pretty much all code signing certificate providers trusted by Windows started requiring hardware tokens. And that is indeed more secure. But it also raises the certificate price to about $200 a year. For a software company, it’s a trivial matter. For somebody who offers their code for (mostly) free, it’s quite an increase.

So, what does the certificate give you? A blue checkmark when you install your software under Windows. Nothing more, nothing less.

For me, that checkmark is not worth $200. It wasn’t worth $50 but, for that price, I liked having it. And remember, this applies to Windows only. All my Linux software has no benefit whatsoever.

So, when my last code signing certificate expired, I never bothered to get a new one. And I didn’t get a single complaint about it in 2 years now.


PS: Please note that software signing doesn’t protect you from malware. Signing software just means somebody paid money - malware authors can sign their software too.