Chromecast in Isolated Guest Network

My home network pretty much revolves around an Asus RT-AC56U with Asuswrt-Merlin firmware. Nice, stable, and full of features. One feature I absolutely love is multiple isolated guest networks. And I do not use it only for guests.

While my computers are all in the main network, all my devices (Chromecast, printer, IoT, …) are in a guest network without any intranet access. They can get on the Internet but they cannot access my internal network. Considering it is all done on the same router, it is not ideal, but it does increase security considerably.

Initially one device presented some trouble. You see, to cast YouTube from my computer I had to have it in my main network. But I didn’t want to. I wanted it to be in the isolated guest LAN together with all the other devices, yet still be able to reach it from my internal network. Since the whole network isolation for guest networks is done via firewall rules, that meant it was time for some hole poking.

The prerequisite is to have Asus JFFS enabled. This enables saving scripts so they can be executed upon startup. Yes, you can do it manually on every boot but that gets old quite quickly. For the actual firewall setup, the only thing needed is the MAC address of the Chromecast device, and we can make it an exception to the isolation rule. I prefer to do it via script:

echo "#!/bin/sh" > /jffs/scripts/firewall-start
echo "ebtables -I FORWARD -p ARP -o ! eth0 -j ACCEPT" >> /jffs/scripts/firewall-start
echo "ebtables -I FORWARD -s A4:77:33:33:48:85 -o ! eth0 -j ACCEPT" >> /jffs/scripts/firewall-start
echo "ebtables -I FORWARD -d A4:77:33:33:48:85 -i ! eth0 -j ACCEPT" >> /jffs/scripts/firewall-start
echo "logger Poked hole for Chromecast" >> /jffs/scripts/firewall-start
chmod a+x /jffs/scripts/firewall-start
reboot

The first rule pokes a hole through the isolation in order to allow ARP requests. The next two rules allow everything coming from and going to the specific MAC address. Everything else is a bit of plumbing making the script run on the router’s startup.

To make this a bit more secure, one might want to restrict this only to the interface where the device is actually located. Every router firmware might do things a bit differently but guest networks on mine were set up in a reasonable fashion. They all followed the format wlX.Y where X was 0 for 2.4 GHz guest networks and 1 for 5 GHz. Y was a number between 1 and 3 directly corresponding to the guest network index.

Since my Chromecast device was in the first guest network in the 5 GHz range, its designation was wl1.1 and thus the hole could be made a bit smaller:

echo "#!/bin/sh" > /jffs/scripts/firewall-start
echo "ebtables -I FORWARD -p ARP -i ! eth0 -o wl1.1 -j ACCEPT" >> /jffs/scripts/firewall-start
echo "ebtables -I FORWARD -s A4:77:33:33:48:85 -i wl1.1 -o ! eth0 -j ACCEPT" >> /jffs/scripts/firewall-start
echo "ebtables -I FORWARD -d A4:77:33:33:48:85 -i ! eth0 -o wl1.1 -j ACCEPT" >> /jffs/scripts/firewall-start
echo "logger Poked hole for Chromecast" >> /jffs/scripts/firewall-start
chmod a+x /jffs/scripts/firewall-start
reboot

To make these firewall rules even stricter, one can also restrict ARP to allow only certain IPs, but I will leave this as an exercise for some other time.

PS: Using pretty much the same basic procedure one can make any device accessible from the other isolated guest networks. This is not only nice for Chromecast but really useful for getting a printer working too.
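As an added example (my own helper, not the post's script), here is a small POSIX shell generator for the interface-restricted version of firewall-start. It takes a MAC address and a guest interface, checks both before emitting anything, and writes the same three ebtables rules as the second script above, so the PS use case (printer or any other device) is covered by changing two arguments. The wlX.Y interface naming and the role of eth0 are taken from the post; the function names and the optional output path are assumptions.

```shell
#!/bin/sh
# Added example, not the post's own script: generate the Asuswrt-Merlin
# /jffs/scripts/firewall-start contents for one device in an isolated guest
# network, using the interface-restricted rules described in the post.

# Returns 0 if $1 is a MAC address in aa:bb:cc:dd:ee:ff form, 1 otherwise.
valid_mac() {
    printf '%s' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Returns 0 if $1 is a guest interface in the wlX.Y form the post describes
# (X is 0 for 2.4 GHz and 1 for 5 GHz; Y is the guest network index 1-3).
valid_guest_iface() {
    printf '%s' "$1" | grep -Eq '^wl[01]\.[1-3]$'
}

# Print the script body that lets the main LAN reach device MAC $1 living on
# guest interface $2. Both inputs are validated first so that an empty or
# malformed value cannot turn the narrow exception into a wider rule.
# eth0 stays as in the post: the interface the isolation treats as outside.
chromecast_rules() {
    mac=$1
    iface=$2
    valid_mac "$mac" || { echo "chromecast_rules: bad MAC '$mac'" >&2; return 1; }
    valid_guest_iface "$iface" || { echo "chromecast_rules: bad interface '$iface'" >&2; return 1; }
    cat <<EOF
#!/bin/sh
# ARP may cross the isolation boundary, but only toward $iface
ebtables -I FORWARD -p ARP -i ! eth0 -o $iface -j ACCEPT
# frames from the device on $iface, heading anywhere except eth0
ebtables -I FORWARD -s $mac -i $iface -o ! eth0 -j ACCEPT
# frames for the device, arriving from anywhere except eth0, leaving on $iface
ebtables -I FORWARD -d $mac -i ! eth0 -o $iface -j ACCEPT
logger "Poked hole for $mac on $iface"
EOF
}

# Write the generated script to $3 (default /jffs/scripts/firewall-start)
# and make it executable. The body is built first so a rejected input never
# clobbers an existing script with an empty file.
install_firewall_start() {
    target=${3:-/jffs/scripts/firewall-start}
    body=$(chromecast_rules "$1" "$2") || return 1
    printf '%s\n' "$body" > "$target" && chmod a+x "$target"
}

# Usage on the router, with the MAC and interface from the post:
#   install_firewall_start A4:77:33:33:48:85 wl1.1 && reboot
```

Running the generator once per device and concatenating the outputs gives one firewall-start for several devices; the ARP rule is then repeated per interface, which is harmless but can be deduplicated by hand.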

Random Blog Description for WordPress

Ages ago, back when I created my first dynamic ASP web pages, they had an ever changing tagline. Some taglines were funny, some were sad, some were crazy, but I enjoyed them as homage to the, now forgotten, BBS era. As I moved from one hand-built platform to another, I kept this feature alive.

I started blogging much later on Google’s Blogspot and it wasn’t possible to get dynamic taglines there. Later, when I moved the whole blog to WordPress and merged it with my original pages, the end result was more of a blog. And thus taglines were no more. They were relegated to manually changing my Skype status to entertain a friend or two. Until now.

My goal was to create the simplest and reasonably performant way of selecting a random tagline from a flat text file.

One approach fitting with WordPress would be to create a plugin but I opted not to. Since I really wanted to change the tagline only once a day, a plugin would probably be a bit of overkill. Instead I opted to (ab)use the fact that WordPress already has a tagline-like field called Blog description, and all we need to do is change it to the text of our choice.

Of course, before we even come to that step, we have to extract the tagline from the file. Fortunately Linux offers the shuf utility to randomly select one line of many. All it needs is a plain text file. Of course, we should escape all single quotes to avoid any SQL issues. If we (hopefully correctly) assume the text file with taglines is under your control, simple escaping is sufficient:

TAGLINE=`shuf -n 1 ~/taglines.txt | sed "s/'/''/g"`

With the tagline in hand we can go and change the blog description directly:

mysql --execute="UPDATE wp_options SET option_value='$TAGLINE' WHERE option_name='blogdescription';"

While this will change the description, if you use a caching plugin, it won’t be enough. You also need to clean the cache. The easiest approach is to simply delete the cache folder. As we do it only once per day, this won’t be too much of a hit. Different caches might use different locations, but for W3 Total Cache, which I use here, the following is enough:

rm -R ~/www/wp-content/cache

All that is left to do is getting this script executed daily, either by using the web interface of your web provider or by setting it up in crontab manually.

PS: Instead of shuf, you can use sort -R ~/taglines.txt | head -1.

PPS: The full script I use is here:

#!/bin/bash

MYSQL_USER="WordPress MySQL user"
MYSQL_PASSWORD="WordPress MySQL password"
MYSQL_HOST="WordPress MySQL host"
MYSQL_DATABASE="WordPress MySQL database"

TAGLINE=`shuf -n 1 ~/taglines.txt | sed "s/'/''/g"`

mysql --host=$MYSQL_HOST --user=$MYSQL_USER --password=$MYSQL_PASSWORD --database=$MYSQL_DATABASE --execute="UPDATE wp_options SET option_value='$TAGLINE' WHERE option_name='blogdescription';"

rm -R ~/www/wp-content/cache 2> /dev/null
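The full script above relies on the tagline file being trusted and on doubling single quotes. As an added example (my own variant, not the post's script), the version below does the same job but also doubles backslashes, which MySQL treats as an escape character inside string literals, reads the database credentials from a MySQL options file instead of passing the password on the command line, falls back to the sort -R variant from the PS when shuf is missing, and only removes the cache directory if it exists. The file paths, the options file name and the function names are assumptions; the table and option name are the ones the post uses.

```shell
#!/bin/sh
# Added example, not the post's own script: put a random tagline into the
# WordPress blog description, with escaping for both ' and \, credentials
# from a [client] section in an options file, and the cache cleanup step.
# All paths are assumptions modelled on the post's layout.

TAGLINE_FILE="${TAGLINE_FILE:-$HOME/taglines.txt}"
MYSQL_OPTS_FILE="${MYSQL_OPTS_FILE:-$HOME/.my.cnf}"   # [client] user/password/host/database
CACHE_DIR="${CACHE_DIR:-$HOME/www/wp-content/cache}"  # W3 Total Cache directory from the post

# Escape a value for use inside a single-quoted MySQL string literal:
# backslashes first (MySQL's escape character), then single quotes.
sql_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e "s/'/''/g"
}

# Pick one random line from the tagline file $1: shuf when available,
# otherwise the sort -R alternative mentioned in the PS.
pick_tagline() {
    if command -v shuf >/dev/null 2>&1; then
        shuf -n 1 "$1"
    else
        sort -R "$1" | head -n 1
    fi
}

# Build the UPDATE statement for an already chosen, raw (unescaped) tagline.
# The tagline goes through %s, so a % in the text is never read as a format.
build_update_sql() {
    printf "UPDATE wp_options SET option_value='%s' WHERE option_name='blogdescription';" \
        "$(sql_escape "$1")"
}

# Choose a tagline, run the update, and drop the page cache so the new
# description is actually served. Returns 1 when the file yields nothing.
update_blog_description() {
    tagline=$(pick_tagline "$TAGLINE_FILE")
    [ -n "$tagline" ] || { echo "no tagline found in $TAGLINE_FILE" >&2; return 1; }
    mysql --defaults-extra-file="$MYSQL_OPTS_FILE" \
          --execute="$(build_update_sql "$tagline")" || return 1
    [ -d "$CACHE_DIR" ] && rm -R "$CACHE_DIR"
    return 0
}

# From cron, once a day (hypothetical path to this file):
#   . "$HOME/bin/tagline.sh" && update_blog_description
```

Keeping the password in the options file rather than in the script also means the script itself can live in a world-readable place without leaking the database login; the options file should be readable only by the account running the cron job.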

Open Source Peddling


I am a fan of free software. Heck, I make quite a few free programs myself. That is why it pains me to see what has been happening with it in the last few years - malware, malware, everywhere!

For example, take CamStudio, once a decent screen recording program. I downloaded my setup from www.camstudio.org and everything seemed legit. Until I was offered Search Offer powered by Bing during setup - I of course declined. After that I was offered ByteFence (which ironically promises protection against malware) and Yahoo powered search. Yes, the same install offers both Bing and Yahoo powered search. I declined them both. Guess what, it tried to install Search Offer regardless.

I found this slightly unnerving so I removed all traces of it and checked for the source code. I did find it on SourceForge after a bit of googling (camstudio.org doesn’t offer a link toward it). The installer found there was actually without malware (as far as I could see) but it was also unsigned and more than 10 times the size (11 MB vs 1 MB).

So, on one side we have the install downloaded from SourceForge, 11 MB in size and unsigned. On the other side we have a 1 MB setup digitally signed by Path Quality (Alpha Criteria Ltd.). Which one looks more official? Yes, a search for Alpha Criteria Ltd. will show its malware roots but I still find it disturbing that such shady figures actually have a valid digital signature.

There is a real danger in someone taking your installer and making a setup with malware. You cannot really do anything about that. But this is not the case here. Not only does camstudio.org look official, with a forum and everything, but you can also see that Nick Smith is the one who registered the domain. Going to the SourceForge pages, you can also find Nick Smith there as one of the main contributors.

What we have here is one of the developers, possibly rogue, intentionally packing malware into the product’s setup for profit.

This is something I have noticed for a while now. Freeware programs (regardless of whether open source or not) have been getting more and more aggressive and misleading ads in recent years. Every time I go to download something I need to figure out which link is the actual download and which ones are “download” links designed to click-bait you into an ad. It is a shitty and misleading practice but at least it only wastes your time. Packing malware into what amounts to an official-looking software package on official-looking pages is another, more devious approach.

Realistically, you will not earn money on freeware. If you expect open source to get you some quick money, you are an idiot. Building open source and/or freeware software is something you should do for enjoyment and because you have an itch to scratch. You might not get money out of it but it will provide a great learning experience, it will get your name out there, and possibly you might even get a tangible benefit out of it.

Or go the money route and make an application for sale - there is nothing wrong with that. For example, the developers of Bandicam, also a screen recording program, decided to charge for their software. That is an honest approach.

Earning money by incorporating malware into your freeware application is not only dishonest but deserving of its own circle in hell.

Bimil 1.30


Here is another small update for my password manager Bimil.

The single major feature of this release is local QR code generation for the two-factor key. Up to now, if you wanted to use Authenticator or a similar application, Bimil would use the QR Code Generator API. While they do use HTTPS and claim not to record keys, sending this information over the Internet was a security issue in my mind. As of this version, the QR code is generated within the application without any external components.

The other notable change is making timeouts configurable. While I do like the timeout functionality, not everybody does, and now it can be turned off or adjusted.

As always, feel free to download the latest release.

Kindle Oasis


The first thing you will notice as you open the Kindle Oasis is how small it looks. At first glance one would say it has a smaller screen than previous Kindles. However, it is all an illusion as the screen is the well known and loved 6" diagonal.

I find the screen as good as the one on Kindle Voyage and, although Amazon claims Oasis’ is better, I cannot say anything bad about either. My eyes see no significant difference between them. Curiously, Oasis abandoned the ambient-controlled backlight present on Voyage and I can only say good riddance.

After a long time we finally have physical buttons back. I don’t find them as enjoyable as the ones on grandpa Kindle 2 but they are better than the press-buttons on Kindle Voyage. Unfortunately there is no way to turn off swipe gestures on the touch screen so accidental page turns are still possible.

It took a while but we finally have a Kindle suitable for the lefties among us. As the device is mostly symmetric, a simple rotation will make it fit in your left hand as comfortably as it did in the right. Even better, it will auto-rotate the screen as soon as you do it. The only drawback is that suddenly the power button is on the bottom and not possible to press with the left hand. It is a minor thing and completely ignorable if you keep the cover on and rely on auto-wake.

One of the more important things about any Kindle for me is how it fits in the hand, and here Oasis is perfect. A slight tapering on the back leaves just enough place for the tips of your fingers to grab, and the rubbery material they are using makes holding it really comfortable. Unfortunately, that all goes away as soon as you put the cover on.

With the cover on, Oasis becomes a bit unwieldy for me. I struggle to hold it both securely and comfortably for any longer duration as the nice resting place for my fingers is suddenly displaced by a step requiring me to essentially keep my fingers straight. I found myself simply removing the cover for any longer reading. Someone with smaller hands might not have these issues.

The cover itself is beautiful but the thinness of the leather doesn’t really instill much faith it will age well. As it is slightly thicker than Oasis itself, it sort of seems an afterthought and a way to offset the small capacity of the main battery. It does that reasonably well as I can definitely say it outlasts both Voyage and Paperwhite.

All said, I find Oasis a beautiful albeit expensive device. I believe Kindle Paperwhite is a great benchmark for enjoyable reading and I wouldn’t be dreadfully punished if it was the only device I could use. Voyage enhances that experience and Oasis brings it near to perfection. But, as always, great enjoyment comes at a great cost.