Own Pwned

For a while now ';–have i been pwned? has been providing two services. One more known is informing people of data breaches. One slightly less known is their API. My personal favorite are their password search interface. So, I was really sad to see when Troy started charging for it.

While I understand Troy’s reasons, I used this API in freeware application. And yes, I could “swallow” $3.50 this service cost but I wasn’t willing to. My freeware hobby is already costing me enough. :)

Fortunately, Troy is allowing download of password hashes so one could easily make API on their own server. So, over a weekend I did. In my OwnPwned GitHub repository there’s everything you might need to create your own verification service. But there are some differences.

First of all, this is not a substitution for ';–have i been pwned? API as due to dependency on the data from it, it will ALWAYS be one step behind. Also, I haven’t implemented full API as I only needed the password verification portion. Even for password verification portion, I trimmed all extra data (e.g. password breach count) and focused only on passwords themselves.

To make use of the project, you first need to download the latest password dump (ordered by hash). Once you unpack that file, you would use PwnedRepack to convert this to a binary file. I found this step necessary for both speed (as you can use binary search) and for size (as it brought 25 GB file to slightly more manageable but still huge 12 GB).

With file in hand, there are two ways to search data. The first one would be PwnedServe application that will simply expose interface on localhost. Second way forward it serving PwnedPhp on Apache server. Either way, you can do k-anonymity search over a range using the first 5 hexadecimal characters of password’s SHA-1 hash.

Something like this /range/12345/.

And yes, code is not optimized and probably will never be due to the lack of free time on my side. But it does solve my issue. Your mileage may vary.

PS: Please note, Tray Hunt has opensourced some elements of HIBP with more to come. If you need fully-featured interface that’s probably what you should keep eye on.

HexDump's Illegal Seek

After I upgraded to Ubuntu 21.04, my TmpUsb script suddenly started reporting the following hexdump: stdin: Illegal seek.

Line causing issue was the one determining partition serial number:

dd if=/dev/sda bs=512 skip=1 count=1 | hexdump -s39 -n4 -e '4/1 "%02X"'

It seems that hexdump got a bit too stricter with its input parameters and now disallows skipping bytes in fifo stream. I haven’t investigated much but my guess is that skipping 39 bytes probably messes with its internal buffer. In any case, dd has no such issues so the same code can be done without skipping in hexdump.

dd if=/dev/sda bs=1 skip=551 count=4 | hexdump -n4 -e '4/1 "%02X"'`

The best part is that this is compatible with older versions too.

Segmentation Fault Using Threads With Static Compile

I was playing a bit with threads in C++ and all was going well. For the final compile I wanted a static binary (don’t judge me, I have my reasons ;)). Compile passed as expected but executing program resulted in Segmentation fault (core dumped) error:

g++ -pthread -static test.cpp
a.out
 !!Segmentation fault (core dumped)!!

Well, these were definitely not the droids I was looking for.

Strangely enough, issue was with my thread.join() statement. Something that shouldn’t cause any issues.

It took me some time (in addition to helpful GCC ticket and StackOverflow answer) to finally come to the following compilation line:

g++ -static -pthread -D_GLIBCXX_GTHREAD_USE_WEAK=0 -std=c++0x \
    -Wl,--whole-archive -lpthread -Wl,--no-whole-archive test.cpp

And now my static binary worked happily ever after.

Recipes

Over the years I occasionally used this blog to introduce the food I like. It got bad enough that it even got its own category. Discussing some of those recipes with my wife made me realize how many other recipes are not written down but just in our heads. Even worse, we saw how many recipes have gone away when our respective mothers died. Food we can only try to recreate from memory.

And no, these are not necessarily Croatian recipes in their purest form. While both my wife and I are Croats, our families have a really mixed culinary identity. Moving to USA only made things more diverse as we couldn’t easily find Croatian ingredients or they came at exorbitant prices. Even worse (for purity), we found some new ingredients we really like and those pushed out some that are more authentic.

Different ways wife and I cook, approach the ingredients, and generally think about food also made our family cooking something unique. While there might be a better recipe for each food item we prepare, our variant is not half bad and it’s definitely easier to cook within the limited confines of one’s own home. If nothing else, it’s food our kids adore and maybe having a recipe at some point in the future will allow them to make their childhood food and recreate those flavors.

If Croatian, or more precisely Croatian/American, food is something that piques your curiosity, do check out medved.cc and maybe make a meal or two.

Small C# InfluxDB client

Well, after doing InfluxDB client bash and Go, time came to do the same in C#.

I will not go too much into details as you can see the source code yourself. Suffice it to say it supports both v1 and v2 line protocol. And usage is simple as it gets:

var measurement = new InfluxMeasurement("Tick")
  .AddTag("t1", "Tag1")
  .AddTag("t2", "Tag2")
  .AddField("f1", 42)
  .AddField("f2", true);
client.Queue(measurement);

Source code is of course on GitHub and project is available and NuGet package.