Doing lots of 44CON stuff this week, including a TNMOC tour ticket giveaway. If anyone wants to see the new Bombe gallery at TNMOC over in Bletchley Park, sign-up details are here.

Hopefully getting some time to work on more ANSI art for the 44CON BBS and moving the raw hex site away from shopify, which has totally screwed us.

It’s a long weekend and it’s sunny, so I’m going to try to deploy an OpenBSD router I’ve been building and then I’m going to braai.

If it’s not too hot, I might have a play with a Bluetooth CTF I saw a while back.

I laughed when I saw this as historical. I was working on a Z Series security project last year. They’re everywhere.

I wasn’t aware that RSS and Atom was at risk of disappearing. I use the excellent rss-bridge to get non-RSS feeds into reasonable formats (instance here if anyone wants to try it out) and rss2email for most of the stuff I pull from there.

I also use the news reader on Nextcloud as a place to put links to investment notices, and use newsboat for tracking sites I like. I’m contemplating reinstalling selfoss for mobile RSS, but tbh I found myself using wallabag more.

I would love to use my smartphone less. I laze around on it in the morning and at night. I wish there was something that autodisabled my phone when I’m on my bed.

That all said, the smartness of a smartphone is invaluable for me. I use to to look up directions, change plans on the fly, learn about artists when I see artwork, read in the subway. I need a humane smart phone, instead of one filled with apps that aim to colonize my mind.

I sometimes save time by eating out. Quick meals at home are cheaper and less time consuming that going somewhere, ordering, waiting for the food, eating, and coming back. But anything more involved than oatmeal is hard for someone living alone. It takes lots of time to organize recipes, get the ingredients, and cook. You have to choose between eating lots of leftovers or even more time per meal. It can be sensible to eat out if you can, from a time point of view.

There are arguments for and against HTTPS for static sites, but what I’ve seen is Troy (and to some extent Scott) making valid points, then talking past other people online (who in turn talk past them). Neither side budges and it descends into the usual online bickering.

There are good reasons to implement HTTPS on a static website, as illustrated by Troy. HTTPS isn’t the only way to secure a transport layer, nor does HTTPS magically stop 100% of man-in-the-middle attacks. There are plenty of attacks on TLS (which is why we use TLS 1.3 and not 1.0), plenty of problems with the openssl monoculture and a web of trust broken by companies and governments to contend with.

It makes sense to advocate for people to use HTTPS where practical to protect their site and users from casual interception. It does not make sense to resort to dark UX patterns, nor to mandate HTTPS. Browsers mandating HTTPS, or warning users that not using HTTPS with full WoT is insecure, then they are against decentralization. The WoT is a centralized transport layer on top of a decentralized protocol.

In the 90s, there were many that advocated for mandatory IPSEC. Indeed, IPSEC is integrated into the IPv6 spec. Better solutions came along, and now IPSEC is losing ground to TLS VPNs.

Protecting user data is a good idea. Pushing users into a fully centralized web, open to abuse by governments and corporations is a bad idea. There are alternatives to TLS out there for people that want them, and we can even build better decentralized alternatives, but if we mandate moves to a centralized web there’ll be too many incentives to stop moving off.

BBQ today at a friends place. Tomorrow I’m probably working sadly. I worked the full weekend last weekend, so I really could do with some time to just chill out and spend with my partner. Hopefully the week after next will be free.

The main (only?) argument for putting static sites behind HTTPS is to prevent visitors from getting MITM’d. I’m a little uncomfortable about the unspoken implication that content publishers should be responsible for the security of their visitors but that’s a separate point.

What really annoys me about the push for HTTP on static sites and other benign content is two things:

1. HTTPS is touted as the best thing since sliced bread but we already know the existing TLS certificate trust chain in mainstream browsers is pretty weak. Certificate authorities have suffered serious security lapses and/or incompetence (Symantec, Wosign), or delegate too freely to likewise entities. Pretty much all developed countries in the world either have government-run CAs or can swoop in and “borrow” the private keys of commercial CAs to sign fraudulent certs or (more likely) decrypt traffic as it goes by. There are things happening to make incremental improvements to these problems but right now the mainstream opinion is just to keep putting band-aids on the system. Don’t get me wrong, HTTPS is better than nothing but the whole trust chain is very half-assed and nobody seems interested in fixing it.

2. HTTPS is arguably not the right tool for public, non-secret content. As a static content publisher (yes, I use that term loosely), I don’t want to encrypt my content, I only want to sign it to show that it hasn’t been tampered with. But with HTTPS it’s all-or-nothing. If we had secure DNS (however implemented), this would be fairly straightforward: public key in a DNS record and a signature for the page in the HTTP headers. The browser can show the page as signed, clients who don’t have the technology to verify the signature or who don’t care are free to be MITMed at their leisure.

Start of article:

Disclaimer: The views in this article are my own, and do not necessarily represent the views of my employer.

End of article:

I’m very excited about the real business improvements that will be enabled by the technical innovations my team is making at VMware. If you would like to join us, please reach out either to one of us directly or through our careers portal.

I’m not being snarky, I just found this funny.

He mentions self-hosting a personal wiki but doesn’t mention what software he’s using. Anybody have suggestions?

Getting some time for electronics projects, and doing a bit of a grab and grin:

• I’m doing a project with HIDIOT and Neopixel rings for a festival with Devoxx, CERN and the University of Lancaster, to create a particle accelerator simulator for kids.
• I’m also getting the final 44COIN prototype hardware off to the fab.
• Meeting a few partners and clients about security consulting projects.

If I get time, I’m going to do some more work on moving the rawhex site off shopify. It’s been a total nightmare since we moved our main site hosting over as it’s broken SPF and DKIM, so we can’t do mailing list mails or anything.

As with most of Gary Bernhardt’s writing, I loved this piece. I read it several times over, as I find his writing often deeply interesting. To me, this is a great case study in judgement through attempting to apply Americanized principles to speech between two non-Americans (a Pole and a Finn) communicating in a second language.

There are several facets at play here as I see it:

1. There’s a generational difference between older hackers and newer ones. For older hackers, the code is all that matters, niceties be damned. Newer hackers care about politeness and being treated well. Some of this is a product of money coming in since the 90s, and people who never would’ve been hackers in the past are hackers now.

2. Linux is Linus’ own project. He’s not going to change. He’s not going to go away. If you don’t like the way he behaves, fork it. Run your own Linux fork the way you want, and you’ll see whether or not the niceties matters. Con Kolivas did this for years.

3. There are definitely cultural issues at play. While Linus has a lot of exposure to American culture, he’s Finnish. Finnish people are not like Americans. I find the American obsession with not upsetting people often infuriatingly two-faced, and I’m British. I have various friends in other countries who find the much more minor but still present British obsession with not upsetting people two-faced, and they’re right.

Go to Poland, fuck up and people will tell you. Go to Germany, do something wrong and people will correct you. Go to Finland, do something stupid getting in the way of a person’s job and probably they’ll swear at you in Finnish. I’m not saying this is right, or wrong, it’s just the rest of the world works differently to you, and while you can scream at the sea about perceived injustices, the sea will not change it’s tides for you.

Yes Linus is being a jerk, but it’s not like this is an unknown quantity. Linus doesn’t owe you kindness. You don’t owe Linus respect either. If his behaviour is that important to you, don’t use Linux.

Some thoughts:

1. Microsoft’s acquisition of Github gives them Electron, a competitor to React native.
2. Gary Bernhardt’s prophecies are coming true

This week I’m:

• Donating 50 EUR to OpenBSD
• Updating the list of 44CON talks
• Continuing the Raw Hex migration to self-hosting everything without external dependencies

Last week I was at two conferences which was fun but I’ve been pretty ill. Finally started getting better this weekend, so I’m going to take it a little easy but I have a lot of catching up to do.

This should be merged into the github thread.

This just makes me think of when Facebook bought Oculus and everyone was like, “Well fuck, I really wanted on, but I guess not now.”

It’s interesting even how, a decade past the days of Bill Gates as a Borg, even as our community has matured and we don’t had on MS anywhere near as much as we use to, we still see this as not something we really want.

I agree, Microsoft is really not the company to be running Github. I wonder if it will still stay strong or end up going the way of Source Forge.

This week I’m:

• Sorting out talk and speaker announcements for 44CON to go live on Wednesday
• At Infosecurity Europe’s Geek Street doing soldering workshops
• At BSides London on Wednesday doing soldering workshops, 44CON table and mentoring a rookie
• Dying on Thursday
• Sorting out a HIDIOT project involving Devoxx, Cern and the University of Lancaster to teach kids coding and hardware hacking this summer.

At least on Friday I’ll be playing with Neopixels most of the day. I hope.

Observed MS since the the early days. And depending on how long you have been around is probably how well you really know them. This is not a company that you want to be working around or dependent on. And no they have not changed.

Moving all 108 of my repos to Gitlab now. If you are smart you will as well. Do not be fooled by these people. The purchase of Github is solely to make you a pawn, a play thing, in their 10-Q “Cloud Revenue” report to Wall Street. They will screw you over in a heartbeat and will do so without fail or regret. Not a whit. Oh, they are much more careful now and will do things slowly, but their goal is clear, to solely manipulate and corral you over time. MS does evil. It has been so, is today and always shall be their very DNA.

GitLab is really worth a look as an alternative. One big advantage of GitLab is that the core technology is open source. This means that anybody can run their own instance. If the company ends up moving in a direction that the community isn’t comfortable with, then it’s always possible to fork it.

There’s also a proposal to support federation between GitLab instances. With this approach there wouldn’t even be a need for a single central hub. One of the main advantages of Git is that it’s a decentralized system, and it’s somewhat ironic that GitHub constitutes a single point of failure.

BASIC programming and 6502 assembly, possibly with some COBOL.

I’m nearing the point where I can start writing my next debugging book review which is themed around old-school debugging. I’ve read four books and have another couple in the pipeline. The advice in the books is, unsurprisingly, not totally applicable (although I love the hint for adding debugging code to your card stack: use different coloured cards for your debugging instructions!). So to try to understand the advice a bit better, I’ve been doing some old-school programming. BASIC is the easiest to work with since mainframe emulation is not a great time.

That said, if anyone knows a decent mainframe emulator for 70s architectures, I’d be happy to check it out.