1. 2

    And this finally gets rid of the python2 dependency \o/

    1. 2

      Gonna watch some FOSDEM talks and at the moment restoring my backups after reinstalling my desktop with btrfs. I’ve mainly switched for btrfs to be able to use LXD containers for local development with a full TLS setup using step-cli and maybe step-ca and ACME.

      1. 1

        I work at smallstep and we’re partnering with yubico to give away five build kits for this project. DM us at @smallsteplabs on twitter to enter. See also: https://twitter.com/smallsteplabs/status/1341800787291168768

        1. 2

          Is there any support for the Nitrokey (HSM) keys in smallstep / step-ca ?

          1. 2

            @sigio, it appears Nitrokey supports PKCS#11. Right now we have native support for AWS KMS, Yubi, and GCP KMS. We will be releasing full PKCS#11 support in the next month. While not everyone follows that standard, it should be plug and play at that point. If you have other questions or would like me to ping you when support is available hit me up at maxey at Smallstep dot com.

          2. 1

            Nice! I started using step-cli at work for setting up all our development envs for web application/server development to have a trusted TLS setup and I really like it, as it’s a lot better than openssl :)

            I’ve also figured out you can generate S/MIME certificates with step-cli which was neat, the only thing which is still lacking is pfx/pkcs12 support. (But that’s pretty obscure anyway :P)

          1. 6

            The rust dog dns client has an awfully familiar name :)

            1. 18

              Well, README says outright “It’s totally inspired from dog which is written in Rust”.

            1. 2

              Sad to hear about the price of the insurance. In the Netherlands I insured my 4500 euro bike for 450 euro for 3 years. E-bike insurance was even cheaper for some reason. I hope that as bicycle usage will go up, the insurance costs will go down.

              1. 2

                If you own an e-bike, you’re likely to be older, not bike a lot, and have a house with the space to store a bike inside. If that 4500€ bike is not an e-bike, you might just be into competitive cycling. I expect insurance companies to do some “threat modeling” of their own :p

                1. 2

                  Yeah, insurance companies have their threat models figured out quite well I should hope ;). The trend in the Netherlands is currently moving towards E-bikes for everybody, except the competitive cyclists. My bike is a bit overkill, but very nice for cycling holidays.

                2. 1

                  Here in Canada bikes are covered under your house insurance (or tenant’s insurance).

                  1. 2

                    In the UK that is true too but you generally require specialist insurance if:

                    • You keep it outside (common in towns)
                    • Your bicycle is worth as much as a small car (fairly common for people into their bikes)
                    • You want to be insured if it is stolen off the street (don’t think household insurance covers that)
                    1. 1

                      My household insurance specifically says my bikes are covered “wherever they are, even if not at your house”

                      It does have a $1k deductible, though, so useless if your bike is cheap.

                  2. 1

                    From what I’ve heard the batteries are mostly stolen from ebikes? Is that true?

                    1. 5

                      I had to search into this, but according to this article, mostly the e-bikes of younger people are being stolen, because they are not kept in sheds or other indoor areas (unlike e-bikes owned by people aged 55+). At the end they state that Shimano and other manufacturers are working on better locks for the batteries, because they are very valuable to thieves. The locks protecting the batteries are not certified at the moment and can be forced open relatively easily.

                      Most of the thieves that are caught come from the eastern part of Europe, and are part of, or steal for an organised crime organisation. The E-bike is relatively common and widespread in the Netherlands, so it’s also easy picking for the criminals. Once stolen, they are shipped over the border immediately.

                      To combat the theft and keep the insurance premium down, the insurance policy for e-bikes requires a GPS chip to be installed in the lock. This has resulted in a recovery rate of 60% of stolen bikes. An added benefit is that they sometimes find storage units with stolen bikes.

                  1. 5

                    Plot twist, because twitch chat is based on irc :-)

                    1. 15

                      I don’t think this was intentionally placed by the Canadian government’s developers, but it shows how much is wrong with the current system of surveillance capitalism. Many software frameworks/libraries have pretty harmful defaults and are keen on using services by and submitting data to Google and other companies (AWS, etc.) without giving it much thought and only thinking about convenience.

                      Other good examples are Google Fonts, Google Hosted Libraries, Microsoft Ajax CDN, CDNJS (Cloudflare), jQuery CDN (MaxCDN), jsDelivr (MaxCDN), Yandex CDN, Baidu CDN, Sina Public Resources and UpYun Libraries, just to name a few.

                      Start hosting your own stuff so you can remove those shackles and actually demonstrate that you care about privacy.

                      1. 1

                        You raise a good point, but at the same time hosting any moderately successful software project is extremely costly (bandwidth alone). It’s not a coincidence that the easy examples are CDNs: most hosting providers overprice their outbound bandwidth.

                        And when I say “moderately successful” I’m definitely talking more about access/popularity which doesn’t easily translate into income. Which is to say: just because a site gets a lot of views doesn’t mean it makes any money to pay for hosting.

                        1. 7

                          A VPS with 10TB of traffic and 20 GB of storage costs roughly 3€/month at Hetzner, and they offer very good hosting in multiple countries, if you are inclined to offer a CDN (which makes no sense most of the time, see below). Is that too expensive? I know of some downsides of VPS’s, but it fits 95% of cases, and people should stop thinking they need Google-scale-solutions for their projects.

                          Most importantly: 10TB can get you a long way if you don’t overbloat your websites into megabyte-behemoths.

                          People are always talking about efficiency, green energy and climate change, but they don’t seem to relate it with obvious things like not serving 1.5MB of JavaScript and 2MB of CSS for each page. Sending less data also has a much greater impact on page loading speeds than the benefit of a CDN, with exceptions of course.

                          People throwing more hardware/CDNs/etc. at the website obesity problems are like those recommending headphones as a remedy for fan noise or nose-clips as a remedy for a lack of personal hygiene.

                          1. 3

                            Maybe developers would be less keen to using those massive frameworks if they had to pay for sending out those bytes.

                            1. 1

                              What massive frameworks? I don’t see any relation between using a framework like React and the size of your page. My simple react app uses 145 kB of JavaScript resources. And that’s thanks to the tools the JavaScript ecosystem provides to reduce the size of JavaScript ;)

                              The frameworks aren’t the issue, Developers should be aware of the cost of the data they are sending.

                        1. 25

                          Safari is a joke.

                          Why? Personally I use it a lot and I really like it. Moreover WebKit wouldn’t exist without Safari, and Chrome was forked from WebKit. Back in the time, even IE wasn’t a joke and killed NetScape. Could you elaborate?

                          1. 15

                            I’m a bit puzzled by this statement as well. The most heard criticism for Safari is that it’s slow to implement new features, if it implements them at all. Given the rest of the article, it’s safe to assume that the author doesn’t share in this criticism.

                            1. 9

                              It’s a funny statement as Safari actually will not implement 16 Web API’s due to privacy/tracking concerns. So they aren’t adding the bloat which Drew complains about ;-)

                              1. 3

                                It was my preferred browser on Mac too. You can disable tabs with it, which is pretty much impossible in Firefox or chrome now.

                                1. 3

                                  WebKit wouldn’t exist if it wasn’t for KDE and KHTML. We can thank Apple and now Google for creating forks that just fragment the community.

                                1. 5

                                  First paragraph is about no firewall running. Not sure I even want to continue reading…

                                  1. 4

                                    First paragraph is about no firewall running. Not sure I even want to continue reading…

                                    Further along in the article, a firewall is mentioned and it seems the recommendation is to disable ICMP responses, which can be annoying.

                                    1. 5

                                      Annoying is the least of it - disabling all of icmp breaks networking in subtle ways.

                                      http://shouldiblockicmp.com/

                                      1. 7

                                        It’s even worse for IPv6 where ICMP is used for what ARP is used in v4 and, more importantly, where packets are never fragmented and clients rely on path MTU discovery to determine the largest size packet they can send.

                                        That also relies on ICMP and those messages absolutely should pass firewalls, or we’ll forever be stuck with the smallest guaranteed packets (1280 bytes, which is better than it was in v4. But still.)

                                      2. 1

                                        Yeah, not sure when I last heard about a real ICMP flood attack, must be 10+ years ago. And no one except AWS disables it (at least I never noticed, except in company networks)…

                                        1. 2

                                          It’s quite commonplace for ICMP traffic to be deprioritised below other traffic types by routers—especially with off-the-shelf equipment from many large vendors—but it is, rightly, quite rare to see it filtered altogether these days. Dropping or disabling ICMP can be harmful as it throws away important information that would allow hosts to recover from some network conditions. A prominent example is path MTU discovery.
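                                          The two replies above make the defender's case: ICMP (and especially ICMPv6) carries the Packet Too Big and Neighbor Discovery messages a host needs, so a firewall should filter ICMPv6 by type rather than drop the protocol wholesale. As an added example, not code from this thread or from the article being discussed, here is a minimal nftables IPv6 input ruleset (table and chain names `inet filter` / `input` are assumed) that keeps the types PMTUD and Neighbor Discovery depend on, following the RFC 4890 guidance, while the default policy still drops everything else:

```nft
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        ct state established,related accept
        iif lo accept

        # Error/diagnostic messages. packet-too-big is what path MTU discovery
        # relies on; IPv6 routers never fragment, so dropping it silently
        # blackholes large flows.
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept

        # Neighbor Discovery replaces ARP on IPv6. RFC 4861 requires these to
        # arrive with hop limit 255 (i.e. from the local link), so checking it
        # rejects forged ND messages routed in from elsewhere.
        icmpv6 type { nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } ip6 hoplimit 255 accept

        # Echo is useful for diagnostics; rate-limit it instead of dropping it
        # if floods are the concern (adjust the rate to the host's role).
        icmpv6 type { echo-request, echo-reply } limit rate 10/second accept

        # Any other ICMPv6 type falls through to the drop policy.
    }
}
```

                                          A quick check after loading this is to fetch a large response from an IPv6 host with a smaller path MTU somewhere in between (a tunnel is the classic case): with `packet-too-big` accepted the transfer completes, and with it dropped the connection stalls after the handshake, which is exactly the symptom the comments above describe. The IPv4 side needs the same treatment for ICMP type 3 code 4 (fragmentation needed) when DF-bit PMTUD is in use.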

                                    1. 1

                                      I’ve been exporting my data automatically from the garmin webservices with the intention to make a grafana dashboard myself. So this is interesting, but do you still need the garmin app to sync the data?

                                      1. 1

                                        From what I’ve read, you can access the data on the smartwatch by plugging in a USB cable. The watch will connect over MTP, and the data will be in .FIT files. You can just copy-paste them with a file manager.

                                      1. 3

                                        The article would have been a lot more constructive if it gave some examples of better alternatives for the various projects mentioned.

                                        1. 18

                                          Are you suggesting they should say something like

                                          What To Use Instead?

                                          To replace GPG, you want age and minisign.

                                          To replace GnuTLS or libgcrypt, depending on what you’re using it for, you want one of the following: s2n, OpenSSL/LibreSSL, or Libsodium.

                                          which they said at the bottom of the article?

                                          1. 2

                                            Except Age/Minisign is not a GPG replacement?

                                            1. 5

                                              Age replaces file encryption. Minisign replaces signatures.

                                              Read https://latacora.micro.blog/2019/07/16/the-pgp-problem.html

                                              A Swiss Army knife does a bunch of things, all of them poorly. PGP does a mediocre job of signing things, a relatively poor job of encrypting them with passwords, and a pretty bad job of encrypting them with public keys. PGP is not an especially good way to securely transfer a file. It’s a clunky way to sign packages. It’s not great at protecting backups. It’s a downright dangerous way to converse in secure messages.

                                              Back in the MC Hammer era from which PGP originates, “encryption” was its own special thing; there was one tool to send a file, or to back up a directory, and another tool to encrypt and sign a file. Modern cryptography doesn’t work like this; it’s purpose built. Secure messaging wants crypto that is different from secure backups or package signing.

                                              You may think you want some cryptographic Swiss Army knife that “truly” replaces GPG, but what you really want is secure, single-purpose tools for replacing individual use cases that use modern cryptography and have been extensively reviewed by cryptography and security experts.

                                              1. 2

                                                What tool handles the identity and trust mechanism that GPG provides?

                                                With the multi-tool approach, the user has to re-establish the web of trust every time and learn about each disconnected tool as well.

                                                1. 2

                                                  What tool handles the identity and trust mechanism that GPG provides?

                                                  I hear webs of trust don’t work. Not sure why, but I believe it has to do with the difficulty of changing your root key if it ever becomes compromised.

                                                  Otherwise, maybe something like minisign, or even minisign itself, could help?

                                                  1. 1

                                                    Trust in what context?

                                                    For code-signing, I designed https://github.com/paragonie/libgossamer

                                            2. 1

                                              Totally agreed. But hey, a blog article poo-pooing a thing is much easier to write than one constructively criticizing it and offering solutions. And who has the time these days?

                                              On a related note, it was once a guaranteed way to get your latest blog article to the top of the orange site if the title contained something like, “Foobar: You’re Doing it Wrong” or “We Need Talk About Foobar”. Phrases like this are the equivalent of “One Weird Trick” headline clickbait for devs.

                                              1. 8

                                                Pretty sure the article offers solutions. It’s at the very bottom though.

                                            1. 26

                                              This article doesn’t introduce anything new to the table, and it shrugs away security as “just use PGP”, which is not a reasonable alternative. Why doesn’t anyone encrypt mails? Because PGP tooling sucks, its UX sucks and it doesn’t work as user-friendly as, for example, signal/whatsapp/you name it.

                                              1. 12

                                                I’ve been training non-tech people on practical computer security. In the past couple of years we’ve switched from introducing PGP as a viable but very difficult/brittle option to just using it as an exercise to understand the ideas behind public-key cryptography and not strictly hierarchical trust models.

                                                Given how easy it is to accidentally downgrade the channel, using it for very sensitive information is just a bad idea. Email clients with PGP plugins etc. just aren’t a “reasonably safe by default” option.

                                                1. 7

                                                  I agree. I find the “email is not private, so I don’t treat it as such” argument a bit moot. PGP is so easy to misuse that it nearly shouldn’t be seen as secure. Why try convincing people that the privacy story of email is okay instead of attempting to do better? :(

                                                  1. 2

                                                    That’s because the point of the article is not privacy; it’s spam, privacy and workflow management.

                                                    1. 2

                                                      Another problem with PGP and email is mobile devices. I do not want to download the whole inbox to my phone, but I want to be able to search through it. With chats it is less of a problem, as I search history a lot less frequently than my email.

                                                      1. -7

                                                        PGP tooling is completely fine! You can’t just say something sucks without giving any reason for it!

                                                        1. 15

                                                          The first time I used PGP, I started by generating a key pair for myself and the first thing the program asked me was if I want to use Elliptic Curve Cryptography or RSA. Then it proceeded to ask for various details like key size and so on. At the time, I was either in the final year of my computer science degree or already obtained it, and there were some real head-scratchers among those questions. Is Elliptic Curve Cryptography really more secure? What is a good key length? Question over question. Now, if this is what the onboarding process feels like for someone who has spent a significant amount of their life studying computers, I cannot imagine what it feels like if you’re new to computers. There is no way the masses are going to use a tool that asks you deep cryptographic questions, some of which cannot even be answered by industry experts.

                                                          PGP is fine in the sense that the software is robust and it works (though I’m really not a fan of the lack of perfect forward secrecy - I think it’s an issue that is hand-waved away far too often). But it’s not fine for people who just want to quickly connect without having to study cryptography - and that should be the target audience if you want widespread adoption.

                                                      1. 9

                                                        Awesome effort again by the Guix team! At the last Reproducible Builds Summit I learned more about the bootstrappable builds projects and hope in the future to at least be able to bootstrap some compiler/utilities on Arch Linux.

                                                        1. 1

                                                          Is Arch interested in reproducible builds, per se? I remember reading that the build process of pacman packages isn’t as isolated and deterministic as Debian or Guix/Nix, or was that just a rumour?

                                                          1. 6

                                                            Sounds like a rumour :) We are actively working on reproducible builds and have been part of the reproducible builds community for a few years; at the summit 2 years ago we had 4 Arch team members who attended.

                                                            Our builds are isolated as they are done in a chroot which only installs the packages required for building, as this is a requirement for reproducible builds.

                                                            Check out our progress on the following links: https://reproducible.archlinux.org/ https://wiki.archlinux.org/index.php/Reproducible_Builds

                                                        1. 1

                                                          The author is free to do whatever he wants with his children, if he lives in a free country, but the authority with which he dictates what to do or not to do with other people’s kids makes no sense. Useless.

                                                          1. 6

                                                            Isn’t that the case with all “and neither should you” articles, to me it already sends a negative predicament.

                                                            1. 3

                                                              It’s clickbait. Tell people what to do and they’ll click.

                                                            2. 7

                                                              This is a noop statement, nobody questions any of this.

                                                            1. 12

                                                              That’s interesting, however OpenRA is already great if you want to play Red Alert :)

                                                              1. 11

                                                                OpenRA is indeed super, amazingly great. One comment EA said is they are releasing this code under the GPL so it will be compatible with OpenRA, so I assume the expectation is OpenRA can become even better with this.

                                                                1. 4

                                                                  I’m pretty sure the original code will help with some edge cases, but still… it could be remarkable if they released that code when OpenRA needed it for real. Releasing it when OpenRA is already a better engine overall sounds more like “since assets is all we can sell now…”. Even then, idSoftware used to open source their engines before they became retrogaming engines.

                                                                  1. 3

                                                                    so I assume the expectation is OpenRA can become even better with this.

                                                                    Unless there were secret ancient programming techniques locked away, I doubt this would be the case.

                                                                    1. 11

                                                                      Perhaps “better” means “a more exact rendition of the original”, and yeah, I do think the original code could help there.

                                                                      1. 3

                                                                        It can help understand some game behaviours.

                                                                      2. 1

                                                                        Will the assets be there too?

                                                                    1. 4

                                                                      I remember being optimistic regarding e-ink a decade ago. I was expecting open hardware book readers to pop up left and right.

                                                                      Fast forward to today, not even one, and thus I still do not have any e-ink reader despite being ready to buy one.

                                                                      1. 5

                                                                        That’s not true, there is actually an open hardware book reader and I’ve been to plenty of hacker camps with eink badges such as SHA2017

                                                                          1. 1

                                                                            It doesn’t seem to be made for the purpose, but it looks pretty useful for else, regardless.

                                                                          2. 2

                                                                            Eink badges (and small such eink screens, I own a few) I was aware of.

                                                                            The open book, on the other hand, I had not heard about. From the link, it does look quite recent. And it fortunately is not Linux-based.

                                                                            Thank you, I’ll investigate. I’m a little happier now that I am aware :-)

                                                                        1. 14

                                                                          I’m as disappointed in the lack of e-ink ubiquity as I am in the fact we never got the flying noodle-bars promised by science fiction. I want walls of e-ink. That stuff should be everywhere.

                                                                          1. 6

                                                                            I agree. There was a post here a month or so ago where someone had made a pretty large e-ink display to hang on his wall. The entire thing cost around 4k USD if I remember correctly. It’s stupid expensive for something that should be ubiquitous. Same goes for OLED displays. I really want to have rooms plastered in them to have cool effects on the walls. Patterns and videos and whatnot.

                                                                            And while we’re at it…. Where’s my flying cars?!

                                                                            1. 1

                                                                              We do have hover bikes to be fair

                                                                            2. 2

                                                                              Any one have an idea on what the barriers for e-ink are? Is it the low refresh rate preventing it from wider use and subsequent economies of scale? Or is there some other issue?

                                                                              1. 9

                                                                                remarkable made an e-ink drawing/reading tablet with amazing responsiveness and fair price. I consider them a fairly small company, so it is really possible to make a wide spread product based on e-ink.

                                                                                1. 7

                                                                                  Mostly patents I think. Those that can afford to license them are mostly interested in selling commercial signage. It’s definitely not the refresh rate, the use-cases where refresh rates really matter are always going to be better suited to emissive displays, e-ink has value because it keeps state.

                                                                                  1. 4

                                                                                    +1 e-ink (the company) appears to have a monopoly on the technology via patents, though that could change in the future if competition authorities decide that the patent is harmful to consumer welfare (see this link).

                                                                                    1. 4

                                                                                      IIRC there is one company who really designs and makes e-ink panels, which might be a problem…

                                                                                    2. 3

                                                                                      That’s the main problem, yeah. It’s lovely for things which don’t update very often but you have to think very carefully about your UI to make anything work.

                                                                                      1. 2

                                                                                        It’s certainly possible as remarkable did, e-ink has a partial refresh feature so if you are clever enough you don’t have to do a full panel refresh. It certainly costs more effort but ereaders have already proven that it can work

                                                                                  1. 2

                                                                                    For more boot process security information I’d recommend Trammell Hudson’s talk @ CCC https://www.youtube.com/watch?v=2kNnTsgujIA

                                                                                    And the modchip (bloomberg) talk which is related :) https://www.youtube.com/watch?v=C7H3V7tkxeA

                                                                                    1. 4

                                                                                      I did something along these lines but at a fraction of the cost, here is my eink display. It’s 7” and controlled by a RaspberryPi Zero and shows me the latest news, weather for the week, and public transport info.

                                                                                      1. 1

                                                                                        The WaveShare link seems to point at a regular screen, not an e-ink display.

                                                                                        1. 1

                                                                                          Woops sorry updated! They have a lot of displays btw https://www.waveshare.com/product/displays/e-paper.htm

                                                                                          1. 1

                                                                                            I’m considering getting one of them, actually. I have several Raspberry Pis that I can use, but I’ve just been hesitant to buy one because I don’t know how the interface between the Pi and the display works. If it supports HDMI, that’s familiar to me; however, many of these seem to use SPI, which I don’t think I’ve ever used before. If I get one, I want to know that I can actually write a program that can communicate over this connection (and I want to know there are programming language options other than just Python, which most libraries I’ve found seem to be written in).

                                                                                            1. 1

                                                                                              Yeah it is SPI and for my usage I use Python with a little forked lib. I’m not sure if there are any eink displays with HDMI.

                                                                                        2. 1

                                                                                          I eagerly await the day when these things become affordable as a computer screen.

                                                                                          This one looks interesting https://www.waveshare.com/product/displays/e-paper/12.48inch-e-paper-module-b.htm?___SID=U

                                                                                          12” with three colors. Also if you look closely at one of the photos is that a raspberry pi under it?