1. 13

    This is so close to a project I’ve wanted to do myself: in Judaism, a day begins at sunset, and the day is divided into twelve variable hours that run sunset to sunrise, and twelve variable hours that run sunrise to sundown. I’ve long wanted to build a clock that works this way, with the hands running faster or slower depending on the time of day and the season, but watchmaking is far outside my skills. But doing a variant of this might just be something I can actually pull off.

    1. 4

      The Japanese used to keep time in a similar way, as a sunrise to sunset measure. I saw an exhibit at a museum in Tokyo on analog clocks which tracked the date to correctly render the time. Quite amazing machines.

      1. 2

        It should be possible to get a smart watch and create a custom face for it.

      1. 3

        This is AWESOME! I remember many many years ago wanting to do client side certs, but the UIs in browsers were totally miserable that there was zero chance I could ever get a user to use it. Is there an ignorant person’s guide on how to do this these days?

        Ideally with and without something like a Yubikey/PIV. Cause I really want to try this out now and see if I can make it usable for us.

        1. 1

          This doesn’t really change the UX at all; it just means another storage option is supported.

          You probably only want to use client certs in an environment where you have some provisioning system running out of band, and so it’s helpful for Firefox to support the same storage as the OS native browsers (and chrome)

          1. 4

            OH. :( So the UX is still miserable to the point of useless? That totally sucks.

            ETA: we do provision our users’ machines, so that’s not an issue for us. I deliver SSH certs for instance, because the SSH cert UX is not miserable (though windows didn’t support SSH certs last I checked, making it harder to use… in fact I should check again, now that MS is blessing OpenSSH directly these days…) For windows clients we are using vault’s SSH OTP instead.

            1. 2

              Well the selection UI for picking a cert is the same. But the setup cost is better user experience imho.

              P.S.: Hi, Matt. I think we were in the same intern cohort Winter 2011/2012?

          1. 1

            Rerouting 127.0.0.0/8, now that would be a fun thing to experiment with

            1. 1

              Prior to the VNET work, you would often do shenanigans with loopback adaptor to give each jail a separate IP on a FreeBSD machine. I had one setup where each jail had a different IP in the 127.0.0.1 subnet for its loopback adaptor and localhost set up to point to that address in /etc/hosts.

              In hindsight, it probably wasn’t a good idea.

              1. 1

                TFA says:

                > …and it certainly will not be done by mistake.

                I dunno – I’m sure there’s amusing experimentation to be done there, but it also seems like the kind of thing where, in the rare cases in which it does happen, odds of it being unintentional might actually be quite high.

                1. 1

                  I worked on a multi-cpu system (connected via Ethernet over PCIe) that was logically one “system”, and we used a portion of 127.0.0.0/8 to direct traffic to the other CPUs. Unusual, perhaps, but it worked and was purely internal.

                  This change in curl wouldn’t have changed anything though, as 127.0.0.1 was still localhost.

                1. 3

                  The power supply has a small board holding the control circuitry. This board compares the voltages against a reference to generate the feedback signals.

                  I am curious how the board stores a reference voltage, if anyone knows. Dissimilar metals?

                  1. 3

                    Check out footnote 8, which mentions the voltage reference, and has a link to another of his posts which has information about just that component: http://www.righto.com/2014/05/reverse-engineering-tl431-most-common.html

                    1. 1

                      Neat, thanks.

                  1. 2

                    Tried this on Safari with TouchID (which normally works like a security key…) and it didn’t work :(

                    anyone else have any luck?

                    1. 3

                      It looks like they only support a couple of security key manufacturers, with yubikey being the biggest. I doubt TouchID provides the kind of manufacturer attestation needed for this scheme (but I could be wrong about that).

                      1. 1

                        Yeah, they say that they only support attestations by Yubikey, HyperFIDO and Thetis FIDO. TouchID probably provides attestation (though I’m not sure), but it just hasn’t been whitelisted by them yet.

                        1. 2

                          Apple does have an attestation scheme for TouchID, but it’s not the “standard” one. It’s anonymous and can’t be tracked, which probably isn’t desirable for Cloudflare’s use. Presumably they are misusing this feature so they can block “bad” users, which Apple’s feature doesn’t let them do.

                          Ctrl-F for Apple Anonymous Attestation on https://webkit.org/blog/11312/meet-face-id-and-touch-id-for-the-web/

                          1. 1

                            You can’t “block bad users” as is right now. Each attestation key is used in at least 100,000 tokens, there’s no reasonable way to block a single one of them with the way it’s done. Apple’s way meanwhile, is quite a bit more complicated, requires connection to Apple’s servers from your machine, and creates a new attestation certificate each time that is signed by “master” Apple’s certificate on their servers (and seems like it’s opt-in?). I’m not entirely sure if there’s much difference in the privacy front besides Apple not having to worry about somebody extracting attestation keys from their machines and spoofing their attestation.

                            1. 2

                              I think 1 in 100k, combined with additional signals like client fingerprinting, IP, etc, is absolutely enough to identify and block a bot. Even in the worst case where you block whole batches of yubikeys, the attacker cost goes up as they buy more keys, but legitimate users just fall back to captchas.

                              1. 1

                                The whole point of this for them was to decrease their CAPTCHA usage. Turning users back to using them is counterproductive for them. 1 in 100k is a tiny amount, and with carefulness, a bot writer can easily blend into a group that size.

                                1. 1

                                  Most of that 100k set of users will not be visiting any particular website at a time.

                                  If the point of this isn’t to block bad boys, then what is it? Bot writers will have a yubikey-as-a-service API from somebody soon, probably using a rotating set of some dozens of security keys. So it’ll be even easier for bots than captchas are today, if cloudflare isn’t using the key batch as a signal to block.

                    1. 3

                      I was wondering how it would save state between “reboots”, and while the video didn’t directly answer, it mostly implies it: The answer is obvious in retrospect, but it uses the already existing “saved game” functionality.

                      1. 27

                        I’d recommend a NUC here. I’ve tried using an RPi 1, and then an RPi 3 as desktops, but both were painful compared to a NUC, which was drama-free. I’ve never had any problems with mainstream Linux on mine. IIRC, it comes with either SATA or M.2.

                        1. 4

                          I’ve also used an Intel compute stick when traveling. It has the added benefit of not needing an hdmi cable.

                          1. 2

                            It has its benefits, but it was slow when it came out five years ago… I used one for a conference room and it really is disappointing. A NUC would have been better. Harder to lose if you do take it traveling, too.

                          2. 3

                            I agree with this: If you don’t want a laptop, a very small form factor PC is a better choice than a more barebones SBC for use as a general-purpose PC. The NUC is great, though there’s some similar alternatives on the market too.

                            I have a Zotac ZBOX from a little while ago. It has a SATA SSD, Intel CPU and GPU, and works great in Linux. In particular it has two gigabit NICs and wifi, which has made it useful to me for things like inline network traffic diagnosis, but it’s generally useful as a Linux (or, presumably, Windows) PC.

                            The one I own has hdmi, displayport, and vga, making it compatible with a wide selection of monitors. That’s important if you’re expecting to use random displays you find wherever you’re going to. It also comes with a VESA bracket so it can be attached to the back of some computer monitors, which is nice for reducing clutter and cabling.

                            1. 2

                              Never heard of a NUC before now but I can agree that trying to use an RPi as a desktop is unpleasant.

                              1. 1

                                Yeah the Pi CPUs are very underpowered, it’s not even a fair comparison. They’re different machines for different purposes. I would strongly recommend against using a Pi as your primary Linux development machine.

                                I think this is the raspberry Pi 4 CPU, at 739 / 500:

                                https://www.cpubenchmark.net/cpu.php?cpu=ARM+Cortex-A72+4+Core+1500+MHz&id=3917

                                And here’s the one in the NUC I bought for less than $500, at 7869 / 2350 :

                                https://www.cpubenchmark.net/cpu.php?cpu=Intel+Core+i5-8260U+%40+1.60GHz&id=3724

                                So it’s 4-5x faster single-threaded, and 10x faster overall !!! Huge difference.

                                One of them is 1500 MHz and the other one is 1600 MHz, but there’s a >10x difference in computer. So never use clock speed to compare CPUs, especially when the architecture is different!

                              2. 2

                                Yeah I just bought 2 NUCs to replace a tower and a mini PC. They’re very small, powerful, and the latest ones seem low power and quiet.

                                The less powerful NUC was $450, and I got portable 1920x1080 monitor for $200, so it’s much cheaper than a laptop, and honestly pretty close in size! And the CPU is good, about as powerful as the best desktop CPUs you could get circa 2014:

                                https://www.cpubenchmark.net/cpu.php?cpu=Intel+Core+i5-8260U+%40+1.60GHz&id=3724

                                old CPU which was best in class in a tower in 2014: https://www.cpubenchmark.net/cpu.php?cpu=Intel+Core+i7-4790+%40+3.60GHz&id=2226

                                (the more powerful one was $800 total and even faster: https://www.cpubenchmark.net/cpu.php?cpu=Intel+Core+i7-10710U+%40+1.10GHz&id=3567 although surprisingly not that much faster)

                                This setup, along with a keyboard and trackball, is very productive for coding. I’m like the OP and don’t like using a laptop. IMO the keyboard and monitor shouldn’t be close together for good posture.

                                In contrast the tower PC in 2014 was $700 + ~$300 in upgrades, and the monitor from ~2006 was $1000 or more. Everything is USB-C too on the NUC/monitor setup which is nice.

                                I guess my tip is to not upgrade your PC for 7-10 years and you’ll be pleasantly surprised :) USB-C seems like a big improvement.

                                1. 4

                                  > Yeah I just bought 2 NUCs to replace a tower and a mini PC. They’re very small, powerful, and the latest ones seem low power and quiet.

                                  NUCs are great machines, but they are definitely not quiet. Because of their blower-style fan, they become quite loud as soon as the CPU is just a bit under load. Audio proof: https://www.youtube.com/watch?v=rOkyFLrPc3E&t=341s

                                  1. 2

                                    So far I haven’t had a problem, but it’s only been about 3 weeks.

                                    The noise was the #1 thing I was worried about, since I’m sensitive to it, but it seems fine. For reference I replaced the GPU fan in my 2014 Dell tower because it was ridiculously noisy, and I have a 2012 era Mac Mini clone that is also ridiculously noisy when idle. The latter honestly 10x louder than the NUC when idle, and I have them sitting side by side now.

                                    The idle noise bothers me the most. I don’t have any usage patterns where you are running with high CPU for hours on end. Playing HD video doesn’t do much to the CPU; that appears to be mostly GPU.

                                    I’m comparing against a low bar of older desktop PCs, but I also think Macbook Airs have a similar issue – the fan spins really loud when you put them under load. For me that has been OK. (AdBlock goes a long way on the Macbooks, since ads code in JS is terrible and often pegs the CPU.)


                                    I think the newer CPUs in the NUCs are lower power too. Looking at the CPU benchmarks above, the 2014 Dell i7 is rated an 84 W TDP. The 2020 i5 is MORE powerful, and rated 10 W TDP down and 25 W TDP up.

                                    I’m not following all the details, but my impression is that while CPUs didn’t get that much faster in the last 7 years, the power usage went down dramatically. And thus the need to spin up fans, and that’s what I’ve experienced so far.

                                    I should start compiling a bunch of C++ and running my open source release process to be sure. But honestly I don’t know of any great alternative to the NUCs, so I went ahead and bought a second one after using the first one for 3 weeks. They’re head and shoulders above my old PCs in all dimensions, including noise, which were pretty decent at the time.

                                    I think the earlier NUCs had a lot of problems, but it seems (hopefully) they’ve been smoothed out by now. I did have to Google for a few Ubuntu driver issues on one of them and edit some config files. The audio wasn’t reliable on one of them until I manually changed a config with Vim.

                                2. 1

                                  I have also been using a NUC for a year now, and it works well. A lot of monitors also allow you to screw the NUC to its back, decluttering your desk.

                                  Just watch out, it has no speakers of its own!

                                1. 9

                                  All I gathered from this blog post was “OpenSSL has incomprehensible error codes or the entire cert ecosystem is too complicated”.

                                  1. 20

                                    Correction: “OpenSSL has incomprehensible error codes AND the entire cert ecosystem is too complicated”

                                    I’m currently trying to figure out why connections between older stunnel/openssl versions and newer versions of the same software aren’t working. My current hypothesis is that the certificates used are “invalid” according to the newer versions, and because of this they refuse to use them as client certificates - but they do this silently, so the other end just sees a connection with no client certificate. Yum yum.

                                    1. 3

                                      While the cert ecosystem is complicated, openssl’s bad errors are what make it incomprehensible I think. I’ve spent a fair amount of time debugging TLS in different situations. OpenSSL and stunnel was sufficiently opaque and hard to debug that we ended up replacing it entirely with a version written in Go, which has a TLS stack that actually gives half-reasonable error messages.

                                      1. 3

                                        Absolute shot in the dark but how long are your keys? OpenSSL recently started erroring out when asked to use short keys, and that messed me up for a while. 2048 bit minimum for RSA, don’t know about any of the others off the top of my head. My code didn’t fail silently, but I was using Python and for all I know I only ever saw error messages because of that. Feel free to message me if you hit a dead end or just want to chat, I can’t promise I can help but happy to try.

                                        1. 3

                                          That’s one possible problem, thanks for the suggestion! One part of the system uses 1024 bit RSA keys, I think.

                                          Finding out about this kind of requirement seems to be on the level of “oh, I saw a comment on a Stack Overflow post about something remotely related”… Perhaps I just don’t know where to look.

                                      2. 2

                                        I actually ran into this problem last week and my takeaway was that Google’s server expects a server name indicator (SNI) in https requests; don’t know how familiar you are with TLS, but SNI can be sent by the client during negotiation to indicate which certificate the server should use. Handy for servers that host multiple domains and need to know which certificate to present before they receive a Host header. Anyway, if Google doesn’t get SNI it apparently falls back to a self-signed certificate that has this message buried in it, since it doesn’t know to use the www.google.com certificate or whatever.

                                        Edit: None of that actually justifies this outcome. Google’s doing something weird and nonstandard to draw attention to what it perceives as a defect (and probably 99% of the time, they’re right), because there’s no official way to raise the error they want to raise. How much of that is on Google and how much of that is on the ecosystem is debatable, but it creates a headache when the solution to “The server uses a self-signed certificate!” is “Send SNI in your client”, and also there’s no good way to look this up.

                                        1. 5

                                          In the age of cloud/CDNs everywhere, it’s safest to treat SNI as a hard requirement. Take Cloudfront as an example:

                                          % openssl s_client -connect cf.feitsui.com:443
                                          CONNECTED(00000006)
                                          4559363692:error:1400410B:SSL routines:CONNECT_CR_SRVR_HELLO:wrong version number:/AppleInternal/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-47.140.1/libressl-2.8/ssl/ssl_pkt.c:386:
                                          ---
                                          no peer certificate available
                                          ---
                                          No client certificate CA names sent
                                          ---
                                          SSL handshake has read 5 bytes and written 0 bytes
                                          ---
                                          
                                          % openssl s_client -connect cf.feitsui.com:443 -servername cf.feitsui.com
                                          CONNECTED(00000006)
                                          depth=4 C = US, O = "Starfield Technologies, Inc.", OU = Starfield Class 2 Certification Authority
                                          verify return:1
                                          depth=3 C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Services Root Certificate Authority - G2
                                          verify return:1
                                          depth=2 C = US, O = Amazon, CN = Amazon Root CA 1
                                          verify return:1
                                          depth=1 C = US, O = Amazon, OU = Server CA 1B, CN = Amazon
                                          verify return:1
                                          depth=0 CN = *.cloudping.cloud
                                          verify return:1
                                          
                                          (...)
                                          

                                          It’s only really ancient clients that don’t support SNI - think IE on XP and Android 1, maybe? As a result you find SNI is often a requirement or CDNs give the option to pay extra for the dedicated IP you need for non-SNI connections. I know Cloudfront charges $600 a month for dedicated IPs/SSL certificates, and I know others (Fastly, Cloudflare, etc.) charge as well.

                                          And your server would have to be dangerously old (think “pre-dating TLS”) to not support it.

                                          1. 3

                                            Android got SNI support around 2011 in versions 3 and later. Internet Explorer on Windows XP would have been the last holdout. I can’t imagine either of those can effectively use the internet today, especially given they’re both TLS 1.0 only clients and many servers require TLS 1.2 or later; at least anything under PCI-DSS scope.

                                      1. 18

                                        This appears to be using the passphrase as an hmac key directly, with the URL.hostname as the value.

                                        Unless the user memorizes a proper randomly generated key, this is going to be brute-forcable based on a single website’s generated password, which would then allow all other websites to be accessed.

                                        Also, if a website ever changes its domain name, you’re going to have trouble.

                                        This appears to be a weekend project, and I don’t want to be overly negative, but do not use this as-is. This is more than dead-simple: this is deadly simple.
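
The concern raised in the comment above, as an added example that is not part of the thread and not the project's own code: it derives per-site passwords with the passphrase used directly as the HMAC key, shows that one leaked site password lets each candidate passphrase be tested offline, and sets a scrypt-stretched variant beside it. SHA-256, the 20-character hex output, the salt, the hostnames and the candidate list are all assumptions constructed for the example.

```javascript
const { createHmac, scryptSync } = require("node:crypto");

// Scheme as the comment describes it: the passphrase is the HMAC key and the
// hostname is the message. SHA-256 and the 20-hex-char output are assumptions.
function derivePlain(passphrase, hostname) {
  return createHmac("sha256", passphrase).update(hostname).digest("hex").slice(0, 20);
}

// Hardened variant (an assumption, not the project's code): stretch the
// passphrase with scrypt and a per-user salt, then key the HMAC with the result.
function deriveStretched(passphrase, salt, hostname) {
  const key = scryptSync(passphrase, salt, 32, {
    N: 2 ** 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024,
  });
  return createHmac("sha256", key).update(hostname).digest("hex").slice(0, 20);
}

// What a breach of one site exposes: a derived password plus the public
// hostname. Every candidate passphrase can then be checked offline.
function firstMatchingGuess(leaked, hostname, candidates, derive) {
  return candidates.find((c) => derive(c, hostname) === leaked) ?? null;
}

// Wall-clock cost of one derivation, which is the cost of testing one guess.
function msPerDerivation(derive) {
  const start = process.hrtime.bigint();
  derive("timing probe", "example.com");
  return Number(process.hrtime.bigint() - start) / 1e6;
}

// Constructed sample data.
const SALT = Buffer.from("constructed-per-user-salt");
const CANDIDATES = ["letmein", "correct horse", "hunter2", "trustno1"];
const stretched = (passphrase, hostname) => deriveStretched(passphrase, SALT, hostname);

function demo() {
  const leaked = derivePlain("hunter2", "forum.example");
  const recovered = firstMatchingGuess(leaked, "forum.example", CANDIDATES, derivePlain);
  return {
    recovered,
    // The recovered passphrase reproduces the password of every other site.
    otherSite: derivePlain(recovered, "bank.example"),
    // A changed domain name yields a different password for the same account.
    renamedDiffers:
      derivePlain("hunter2", "forum.example") !== derivePlain("hunter2", "forum.example.org"),
    plainMs: msPerDerivation(derivePlain),
    stretchedMs: msPerDerivation(stretched),
  };
}

console.log(demo());
```

Stretching only raises the cost of each guess; a randomly generated key, as the comment says, is what takes the passphrase out of reach of guessing altogether.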