Because some posts just refuse to be placed into a bucket

In the Year 2016


As before, the first post of (UTC) 2017 is reserved for some stats.

The most notable update this blog saw was a move from jmedved.com to medo64.com domain. It came on a whim and without too much trouble.

In regards to posts this year, there were 69 of them - again a few more than in 2015. As my plan was to keep up a post every six days, I cannot be dissatisfied. For this year, I will aim for five and let’s see what happens. :)

The most posts were in the electronics category (14%), closely followed by general updates (13%). Programming got 12%, as did Mikrotik - something I started playing with again after a while. Lastly we have the Linux category at 10%.

I got a bit lazy with the YouTube channel and all chances are that this’ll continue in 2017. Making even a single video simply takes time and that is one thing I rarely have.

Traffic-wise it is annoyingly hard to tell as I changed the domain mid-year. Yes, I could spend some time and consolidate the numbers but I cannot be bothered. Based on a random month selection, traffic is in the same ballpark and that is good enough for me.

For the first time slightly more than 50% of readers are using Chrome, and Firefox is a distant second with 20%. Somehow Internet Explorer is still third at 15%. Safari is further away still at 6% and I cannot believe crappy Edge has almost 3%. I guess Microsoft’s practice of making it the default with every Windows update kinda works. Either that or 3% of my readers have lost their mind.

20% of my traffic comes from the USA, with Russia in second place at 10%. This is really a surprise to me as Russia wasn’t even in the top 10 in previous years. A closer look at sources shows this is probably just due to Russian spam-bots, as among the top 10 I could verify only a single source. Germany is thus third at 8%. The United Kingdom, France, Japan, and India share fourth place at 4% each.

A total of 196 countries visible in my logs is again down from the 207 last year - I am losing countries left and right. My favorite single-visit country was definitely São Tomé & Príncipe which gets extra style points for its Unicode-rich name.

All the best in 2017!

Fountain Pens on the Plane

As a fountain pen user, I’ve always heard about precautions you must take before you board a flight. Most people I spoke with recommend cleaning the pen completely or, if you really want to use it, keeping it fully inked so as to minimize the possibility of air expanding and pushing the ink out.

At first glance, all this seems logical so I always took precautions. Considering that all my flights lately have been transatlantic, it seemed a wise choice. However, on my last flight I decided to experiment a little.

On my trip from the USA to Croatia (Seattle-Frankfurt-Zagreb) I carried four of my pens: Pilot Custom 74, TWSBI Diamond 580, Platinum Cool, and Pilot Metropolitan. The Custom 74 was attached to my notebook while the remaining pens had a home in the case located in my backpack. All were fully loaded with different inks: Noodler’s Heart of Darkness, Diamine Oxblood, Private Reserve DC Supershow Violet, and Private Reserve Sherwood Green respectively.

I used the Custom 74 with Noodler’s during the whole flight and, outside of the nib creep Noodler’s is famous for, I had no issues whatsoever. And yes, I used it both during take-off and landing - just to be sure. With the other pens I took just a few scribbles for test purposes but I haven’t noticed anything wrong.

On the way back I expected slightly different results as I had used some ink and didn’t refill any pen. The Custom 74 was close to being empty, the TWSBI was around 50%, while the Cool and Metropolitan were reasonably full at around 75%. I expected trouble.

Surprisingly, nothing happened. My pens operated just fine with the TWSBI taking over more of the main pen role from the Custom 74. Absolutely no leakage occurred during either of the two flights (Zagreb-Frankfurt-Seattle).

Based on my, admittedly limited, test I don’t see any justification for additional pen preparation before the flight if you are bringing it into the cabin with you. Any pressure change in the cabin during flight is small enough that any modern fountain pen can handle it just fine. Yes, in the case of sudden decompression, the pen would probably leak but then you’d have more important things to worry about than 2 mL of ink.

If you are transporting a pen in the unpressurized cargo area I would always go with cleaning out the pen completely. In all other cases relax and write on. :)

Seattle Code Camp 2016


My third time at Seattle Code Camp is done. All that remains is to hear a few other talks and have some fun.

This year I gave two talks. The first one was Crash course in foreign language support for ÜS developer. Not a line of code in sight but a lot of useful information - or so I hope. In this messy multicultural world knowing where things go wrong is an asset.

The second was an example-driven Bash primer. It was an introduction to the command line possibilities that come as part of Git for Windows. Despite the title, this talk dealt not only with bash commands but also with general GNU tools. And yes, all examples work on Linux too.

As always, PowerPoint slides are available for download but they are not a substitute for being present.

Should You Take Password Advice From a Comic?

XKCD 936: Password Strength

Many have seen the comic on the right explaining how to select a good password. Some might have even seen security expert Bruce Schneier claiming it is the wrong approach. And then there were several rebuttals. It was as close to a celebrity fight as it comes in the computer industry.

As somebody who has implemented a password generator and is a junkie for good statistics, I’ll dare to throw in a bit of my opinion here.

For the analysis, the first thing we need to know is how fast you can crack passwords. And here the assumption of 1000 guesses per second mentioned in the cartoon is highly optimistic. Mind you, it is not wrong, as it specifies an online attack and assumes a proper hash is used for the computation. But, more often than not, your password will leak in one of the stolen database dumps. Now the attacker can do stuff offline.

With the advent of graphics cards and massively parallel processing, I believe we can go with an assumption of 100 × 10^12 guesses per second for basic MD5 hashing. Yes, it is highly exaggerated if the password uses any stronger hash, but in the case of password strength analysis it is best to be paranoid and assume not only lousy hashing but a strong attacker with access to many computers. And do check this video to see what a “simple” server can do - it peaks at 38 billion (38 × 10^9) guesses per second. For a single server.

Now if we take the cartoon’s claim of its password having an entropy of 2^44 (17 × 10^12), we can see that the attacker can go over that whole search space within 5 hours assuming usage of the server from the video. Using our imaginary powerful attacker, the same space can be searched in less than a second. Does that mean XKCD was really wrong? Well, it’s kinda complicated…

The assumption we made is that the attacker knows the exact dictionary and the exact way you selected your password. Barring that, you have a 25-character password that, using brute force only, would require checking (on average) 1 × 10^35 combinations. That means even our all-powerful attacker would need 30,000,000,000,000 years (again, on average) to find it. The more observant might have noticed that there is a slight disparity between 1 second and 30 trillion years.

The issue at hand is how well the attacker knows you and what “rules” it feeds to its cracking engine. If it has all these words in its dictionary and it assumes you used the comic as a password selection authority, you’re toast. However, if the guy goes for low-hanging fruit, he will ignore everything longer than 12-14 characters and your password is safe.

And anything you add is going to make that long phrase only better. Add a three-digit number at the end and you increase the time by a factor of 1,000. Add it anywhere in the middle and you increase it by a factor of 25,000. Add a special character and complexity goes up still. And that is for somebody who knows perfectly how your password was created. While the XKCD method alone is a bit too optimistic, it is on the right track. If you select a password you can remember and you spice it up enough, brute force cannot touch you.

But I believe the comic omits one important fact. Developers are lazy and some simply don’t care. It is not uncommon for password leaks to have no password hashing at all. If you use the same password for multiple sites, sorry but you are fucked no matter which password you have.

The first important rule about passwords is to never ever reuse them. Every site must have a unique password. This ensures that any password leak, even if the developers were extremely lazy, only impacts a single account. For example, it prevents an attacker from using your leaked LinkedIn password to log in to your PayPal.

The second rule is to never, ever, know more than one password. XKCD is correct: humans are simply not made to handle passwords. So don’t. Remember one password and use a password manager to create and manage the others.
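As an added example (not code from the original post), here is the estimate above carried through in code: the same password costed under the two attacker models the text compares, at the two guess rates it quotes. The 25-character brute-force case assumes a 26-letter lowercase alphabet, and the 2048-word list is the one the comic's 2^44 figure implies.

```python
import math

# Guess rates quoted in the post (assumed values, guesses per second)
SINGLE_SERVER_MD5 = 38 * 10**9       # the "simple" server from the video
PARANOID_ATTACKER = 100 * 10**12     # the post's deliberately exaggerated worst case
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def passphrase_space(dictionary_size=2048, words=4):
    """Search space for an attacker who knows the word list and the word count.
    2048 words ^ 4 is the 2^44 the comic quotes."""
    return dictionary_size ** words


def brute_force_space(alphabet_size=26, length=25):
    """Search space for an attacker who knows only the length and the alphabet
    (26 lowercase letters is an assumption for the 25-character example)."""
    return alphabet_size ** length


def extra_digits_factor(digits=3, insert_positions=1):
    """Growth factor from appending a number (one position) or inserting it
    anywhere in the phrase (insert_positions places the attacker must try)."""
    return 10 ** digits * insert_positions


def seconds_to_crack(space, rate, average=True):
    """Expected time to hit the password: half the space on average, or the
    whole space when you want the exhaustive bound."""
    guesses = space / 2 if average else space
    return guesses / rate


def years_to_crack(space, rate, average=True):
    return seconds_to_crack(space, rate, average) / SECONDS_PER_YEAR


def entropy_bits(space):
    return math.log2(space)


def compare_attacker_models():
    """The disparity the post points out: the same password, wildly different
    cost depending on how much the attacker knows about how it was built."""
    known = passphrase_space()
    unknown = brute_force_space()
    return {
        "known_model_bits": entropy_bits(known),
        "known_model_seconds_exhaustive": seconds_to_crack(known, PARANOID_ATTACKER, average=False),
        "unknown_model_years_average": years_to_crack(unknown, PARANOID_ATTACKER),
        "append_3_digits_factor": extra_digits_factor(3),
        "insert_3_digits_factor": extra_digits_factor(3, insert_positions=25),
    }


if __name__ == "__main__":
    for name, value in compare_attacker_models().items():
        print(f"{name}: {value:,.3g}")
```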

You can use my own Bimil or you can use Password Safe - they both actually use the same file format. Or you can use something else you feel is secure enough. But, for the love of god, don’t use your web browser for remembering any password you don’t wish to leak.

XKCD 538: Security

PS: If you wish to be informed when your password leaks, do consider subscribing to ';--have i been pwned?. It won’t protect you, but it will at least keep you informed.

Ham Check 1.10


After a few months, the first update for my ham exam program is in order. Nothing much to see here, just a small refresh.

A new exam type has been added. The Flash exam will provide you with the usual exam practice experience, the only difference being that it gives you the correct answer immediately. When learning for the first time, quick confirmation of the correct answer might be quite beneficial.

Useful for presentations is the ability to independently scale the menu and content. This is a nice option to have when dealing with different resolutions - especially on annoyingly small projectors.

That is all for the first update; download the latest version from the program’s pages.

73

QR Authentication Key

QR Authentication Example

Two-factor authentication is a beautiful thing. You have a key, apply a bit of TOTP magic and you get a unique code changing with time. To use it, just run a mobile application of your choice (e.g., Google Authenticator) and scan the QR code.

If you have a bunch of pre-existing keys in textual format (e.g., recovering after a phone reinstall), wouldn’t it be really useful to generate a QR code based on them?

Fortunately, the key format is really well documented in the Google Authenticator repository. In its simplest form it is otpauth://totp/LABEL?secret=KEY. Simply swapping LABEL and KEY for the desired values should do the trick - e.g., otpauth://totp/Test?secret=HXDMVJECJJWSRB3HWIZR4IFUGFTMXBOZ.

To generate a QR code scannable by a mobile phone application, any QR service supporting simple text encoding will do. I personally prefer goqr.me as they offer a lot of customization options and (supposedly) don’t store QR data. The final QR code will be read perfectly well by any authenticator application out there and the key will be imported without any issue.

For advanced scenarios, there are quite a few more settings and tweaks you can do but this simplest format probably covers 90% of needs.
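Added example, not code from the post or from Google Authenticator: it builds the URI in the simple form shown above and computes the code an authenticator app derives from it, using RFC 6238 TOTP with HMAC-SHA1 and the 30-second, 6-digit defaults. It assumes KEY is the Base32-encoded secret, which is what the documented format expects; issuer is one of the optional parameters of the same format.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote


def otpauth_uri(label, secret_base32, issuer=None):
    """otpauth://totp/LABEL?secret=KEY, with the label percent-encoded so that
    spaces or slashes in it do not break the URI. issuer is optional."""
    uri = f"otpauth://totp/{quote(label)}?secret={secret_base32}"
    if issuer:
        uri += f"&issuer={quote(issuer)}"
    return uri


def decode_secret(secret_base32):
    """Base32-decode KEY; pad to a multiple of 8 because many tools omit '='."""
    cleaned = secret_base32.strip().upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def totp(secret_base32, timestamp=None, digits=6, step=30):
    """RFC 6238 TOTP: the defaults an authenticator app applies when the URI
    carries only a label and a secret (SHA1, 30 s step, 6 digits)."""
    key = decode_secret(secret_base32)
    now = time.time() if timestamp is None else timestamp
    counter = struct.pack(">Q", int(now // step))          # 8-byte big-endian time step
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                              # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


if __name__ == "__main__":
    # The secret from the post; the printed code changes every 30 seconds
    secret = "HXDMVJECJJWSRB3HWIZR4IFUGFTMXBOZ"
    print(otpauth_uri("Test", secret))
    print("current code:", totp(secret))
```

The string returned by otpauth_uri is exactly the text you paste into the QR service; the app scanning the result should show the same code totp() prints.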

In the Year 2015


As in previous years, the first post of 2016 is reserved for some stats. And yes, since I publish my blog posts in UTC, I am aware it might not be a new year everywhere yet. So what? :)

This year saw 58 posts - slightly more than last year but not nearly as much as the years before. What can I say, I got lazy. I did manage to keep it at roughly one post a week, which is my goal for the next year too.

As has become usual, around 20% of posts are about programming, Windows and Linux got 12% each, and electronics got slightly less at 10%. I did make a few videos too but I am definitely sticking with the textual blog for now.

Traffic decreased slightly compared with last year and pretty much all of the decrease can be traced back to a single post going away due to a DMCA complaint to Google. Regardless of the post only describing officially supported functionality, some smartass decided that it must be bad with a title like that. I’ve tried complaining and challenging the takedown but pretty much never got a human to answer me. And yes, despite Microsoft being behind the removal, Bing still happily returns the page. Too bad nobody is using it.

Visitor browser stats are almost the same as in the previous year: 44% come via Chrome, 24% chose Firefox, and 21% are still using Internet Explorer. Microsoft Edge is as successful as Windows Mobile at about 1%. The newcomer is Maxthon at 0.2%, something I didn’t even know existed. And guess what, same as last year, only 5% of visitors decided to squint at their mobile phone.

There was a slight change to visitors’ locations. First is still the USA at 21% and second is Germany at 11%. The newcomers are the UK and Japan, both at 5%. India has dropped off the radar to only 4% compared to the 10% it held the previous year. Either I lost a whole country or they just started to hide their location. A total of 207 countries visited the site with the Caribbean Netherlands being my favorite single-visit country. Before seeing it in the stats, I had no idea it even existed. Again, as the vast majority of traffic comes from an unknown location, I cannot really tell how accurate the stats actually are.

That’s it for the year 2015 - have fun and drink beer.

Mini Metro


I don’t play often nor do I have long gaming sessions anymore. Yes, I do throw in an occasional multiplayer game with my kids but solo plays are rare and far between. Most of the games I buy are old ones I get for nostalgic reasons; rarely do I buy a new game. Yep, definitely, I’m getting old.

However, these holidays one game piqued my curiosity. Same as with FTL, something simply “clicked” and, at a reasonable $10 on GoG.com, I saw no reason not to try it out. And boy, is this game fun.

The premise is easy - you create subway lines to keep various shapes moving to their destinations. With time your city grows, you get more lines to deal with, and eventually you fail. If you got emotionally attached to your town, you can continue playing even after you lose or you can decide to call it quits. The game is as simple as you can probably make it and still be interesting. But it is loads of fun.

And the game is completely DRM- and Internet-free. It might be just a pet peeve of mine but I hate when a game requires the Internet for no good reason (yes Starcraft II, I am looking at you) and when I cannot play a game on whichever computer I feel like. Yes, DRM can be done right - Torchlight II is a nice example of a game that is minimally invasive. But there is something better than a well-implemented DRM and that is no DRM at all. And any game that treats its users fairly deserves to be bought.

Uni-ball Signo 307


Most of my writing is done on a computer so I don’t use a pen that often. But when I do, I pretty much always use the Uni-ball Signo 207. It is a pen that has been available for ages now in multiple tip widths, my favorite alternating between 0.5 and 0.7 millimeters. It is comfortable, has good quality ink, a reasonable price, and it can be found pretty much anywhere. Now Uni-ball has decided to give it a bit of an update with the new Signo 307.

The general shape is pretty much exactly the same between the two. If the 207 fits your writing style, the 307 will fit too. The major difference is the omission of a few metallic details found on the 207 in favor of an all-plastic design. This slightly decreased the pen’s weight but it’s hardly noticeable. For me it had mostly a visual and durability impact as the new plastic clip seems a bit more prone to breaking.

Visually it is a black barrel with a nice checkered background on the upper cylinder. The clicker, clip, and ring details are in the ink color. I find blue looks the best, red details are a bit too bright for me and black looks really dull. An interesting tidbit is the clip plate, which has a thin plastic tooling mark on the 207 but is beautifully smooth on the 307.

The clicker is a bit harder to press on the new 307 but I don’t see it as a major problem. Since the spring looks identical in both, you can always swap it from the 207. It also might be just a slight manufacturing difference as all my 207s were bought in previous years. If that is the case, just grow some muscles. :)

The existing Signo series gel is really smooth, nicely colored, and dries reasonably fast. Although the new Signo 307 comes with a supposedly better gel formula (UMR-87E), I found no discernible difference between it and the older 207 (UMR-87). Even if somehow the ink update makes a difference in your case, the barrels are fully compatible so you can mix and match to your liking. At this time the Signo 307 is available only in 0.7 mm so those preferring thinner writing will have to stick with the 207. However, I have no doubt that other widths are going to become available in the near future.

In the end, it all comes down to looks and I find the Signo 307’s looks a slight improvement over the 207 despite its all-plastic design. But either one will do.

Git Push to Multiple Repositories

There is no use in having a whole ZFS pool with backups if you won’t use it for your repositories. Backup for private repositories is trivial - just create a repo on the server and push to it. But how do we add a new repository if one already has a remote (e.g., on GitHub)?

The first step is to check the current remotes. This information will come in handy a bit later:

git remote -v
 origin  git@github.com:medo64/QText.git (fetch)
 origin  git@github.com:medo64/QText.git (push)

The next step is to create a bare backup repository, followed by adding both the current and the new destination as push URLs:

git init --bare //ring/Repositories/QText.git
git remote set-url --add --push origin git@github.com:medo64/QText.git
git remote set-url --add --push origin //ring/Repositories/QText.git
git push -u origin --all

The reason for the double add is that Git “forgets” its default push location once the first manual add is executed, so the GitHub URL has to be re-added explicitly. Any further update will not be affected.

Now a single push command will update both repositories.