Posted by Thomas

FreeBSD SSH and Two Factor Authentication

It's 2018. There's pretty much no excuse for not having two factor authentication (2FA) set up on all your accounts.

One of the things you should have 2FA set up on is the servers that you SSH into. Of course, you should be disabling SSH password logins and only using SSH keys. But you may have some bastion hosts that you allow password logins on, and on those servers you should set up TOTP authentication.

Here's how to do it on FreeBSD:

  • Install Google Authenticator (or some other TOTP-based 2FA program) on your phone or device.
  • Install the Google Authenticator PAM module:

    $ sudo pkg install pam_google_authenticator

  • Next, generate a token for your server and answer some simple questions:

    $ google-authenticator

    Do you want authentication tokens to be time-based (y/n) y
    https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth....
    Your new secret key is: SN6DNZ2W7Z2R56BL
    Your verification code is 934157
    Your emergency scratch codes are:
      38875904
      94027394
      76418491
      71483023
      75284805

    Do you want me to update your "/home/user/.google_authenticator" file (y/n) y

    Do you want to disallow multiple uses of the same authentication
    token? This restricts you to one login about every 30s, but it increases
    your chances to notice or even prevent man-in-the-middle attacks (y/n) y

    By default, tokens are good for 30 seconds and in order to compensate for
    possible time-skew between the client and the server, we allow an extra
    token before and after the current time. If you experience problems with poor
    time synchronization, you can increase the window from its default
    size of 1:30min to about 4min. Do you want to do so (y/n) n

    If the computer that you are logging into isn't hardened against brute-force
    login attempts, you can enable rate-limiting for the authentication module.
    By default, this limits attackers to no more than 3 login attempts every 30s.
    Do you want to enable rate-limiting (y/n) y

  • Go to the URL given, and you will see a QR code similar to the following. Add it to your Google Authenticator app.

    [image: QR Code]

  • Add the following line to /etc/pam.d/sshd:

    auth  required  pam_google_authenticator.so

  • Restart SSH: sudo service sshd restart

You should now be prompted for your TOTP token when you log in:

$ ssh example.org
Password for user@example.org:
Verification code:
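To make the PAM step less of a black box, here is an added example of what the module is checking. It is my own code, not part of the original post and not the pam_google_authenticator source: it computes a six-digit RFC 6238 TOTP code from a base32 secret of the kind google-authenticator prints, accepts the current 30-second step plus one step either side (the default 1:30 window from the questions above), and enforces the "disallow multiple uses of the same authentication token" answer by remembering which time steps have already produced an accepted code. DEMO_SECRET is a constructed secret for the demo; RFC_TEST_SECRET is the standard RFC 6238 test key, included only so the generator can be checked against the published vectors.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed base32 secret for the demo (the format google-authenticator
# prints as "Your new secret key"); not a key from any real server.
DEMO_SECRET = "JBSWY3DPEHPK3PXP"
# Standard RFC 6238 test key ("12345678901234567890" in base32), used only to
# check the generator against the published test vectors.
RFC_TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

STEP = 30      # seconds per token
DIGITS = 6
WINDOW = 1     # accept one step before and after "now": the default 1:30 window


def hotp(secret_b32, counter, digits=DIGITS):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32, unix_time, step=STEP, digits=DIGITS):
    """RFC 6238: HOTP with the counter derived from the current time step."""
    return hotp(secret_b32, int(unix_time) // step, digits)


class TotpVerifier:
    """Server-side check as the setup questions describe it: constant-time
    compare, +/- WINDOW steps of clock skew, and one use per token."""

    def __init__(self, secret_b32, window=WINDOW, step=STEP):
        self.secret = secret_b32
        self.window = window
        self.step = step
        self.used_steps = set()   # time steps whose token was already accepted

    def verify(self, code, unix_time=None):
        if not code.isdigit():
            return False
        now = time.time() if unix_time is None else unix_time
        now_step = int(now) // self.step
        for delta in range(-self.window, self.window + 1):
            step = now_step + delta
            if hmac.compare_digest(hotp(self.secret, step), code):
                if step in self.used_steps:
                    return False      # replay: this token was already consumed
                self.used_steps.add(step)
                return True
        return False


if __name__ == "__main__":
    now = time.time()
    print("current code for the demo secret:", totp(DEMO_SECRET, now))
    v = TotpVerifier(DEMO_SECRET)
    print("first use accepted:", v.verify(totp(DEMO_SECRET, now), now))
    print("replay accepted:", v.verify(totp(DEMO_SECRET, now), now))
```

The replay rule is what makes the "one login about every 30s" restriction from the setup questions real: a code intercepted in flight is useless once the legitimate login has consumed it, which is the man-in-the-middle benefit the prompt alludes to. Note that the verifier only holds the used steps in memory; the real module persists that state in the ~/.google_authenticator file.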

Let's Encrypt

I started using Let's Encrypt recently. It is as good as they say it is.

Let's Encrypt allows you to get free SSL certs for your site, provided that you can prove that you own the domain. They do this by having the client put a nonce into your webroot, which their servers then fetch via HTTP. The whole process took all of 30 seconds, and that includes the install of the actual software.

$ sudo pkg install py27-letsencrypt-0.1.0

$ sudo letsencrypt --webroot -d example.org --webroot-path \
        /usr/local/www/data/example.org certonly

I was blown away by how easy it was.

Did I mention the certs are free?

The certs have an expiration date of 3 months, which is fine since they are free (free!) and can be easily renewed. I've heard reports of people re-generating them from scripts in cron.

This is great news. This basically means we can slap SSL certs on pretty much everything, and that's a good thing. Like this blog for example. Hmm...be right back.


My "new" laptop

I switched jobs a few months ago, so I had to return my work laptop. It was an HP EliteBook 2560p.

The thing ran BSD very poorly due to bad/nonexistent support for HP's proprietary hardware. I probably would have kept at trying to get FreeBSD to run properly on it, but my work used Google Hangouts for pretty much everything, so I was relegated to using Ubuntu on it.

I'm not a terribly big fan of Ubuntu, but all I really need is a proper terminal (I use gnome-terminal with Inconsolata fonts), a good shell, and Firefox, and Ubuntu does the trick in that department, so there you go.

My new job gave me a brand new shiny laptop. A Macbook Pro Retina 15. It's supposed to be the shiznit, according to all reports.

But I hate it. It's Unix, but barely. I definitely dislike it more than Ubuntu. It's a huge monstrosity. I tried using MacPorts to make my environment BSD-like, but nothing worked. Part of the problem is that the new job doesn't allow us to keep a running workstation on our desk, so I don't really have a server at work to connect to, so it's very annoying. It's a powerful machine to be sure, but for the sort of work I do, I barely use 1% of its power.

Right now, I'm sort of managing by running a FreeBSD vmware instance on the laptop. Whenever the laptop is running, that is my "server".

But I've given up trying to get things right and resigned myself to this ghetto.

But at home, I refuse to use this MacBook for any of my work. So I went to Amazon and bought a used HP EliteBook 2560p. In retrospect, I probably should have looked at similar sized Thinkpads, but it was sort of an impulse buy. I got it for only $180.

My wife was horrified, but it works great for what I need it to do.

In case anyone decides to run BSD on it and wants to make it work, I sort of made some progress:

  • In the BIOS, switch the hard drive to not use AHCI, use IDE instead
  • in the installer, don't use GPT, use BSD labels instead
  • to get X to run properly, put kern.vty=vt in loader.conf

I had to go on a long trip, so I reverted to using Ubuntu on it just to have something useful running, but I will try to get it to work with BSD again soon.


netbooks

I was once given a netbook, ca. 2009, in the golden age of netbooks.

It was a Dell mini 10v. My boss at the time wanted to upgrade to a larger screen laptop, so I got the netbook.

I thought I would hate it, the keyboard was much smaller than I was used to, and I initially hated the 10in screen.

I used it for 3 years and ended up loving it. Reasons:

  • the fact that it was so small and light. It was a pleasure to carry it around in my messenger bag; it weighed about 1300 grams (2.9 lb)
  • I got used to the keyboard fairly quickly
  • it ran Ubuntu (and later Ubuntu netbook remix); while Ubuntu isn't BSD, I prefer it over Windows/Mac OS
  • best of all: it had Dell's equivalent of a retina display, the screen was ultra sharp and colorful

I never noticed it being slow. In fact, the only downside to it that I remember was that the screen (10.1 inches) was sometimes too small to view a page in Firefox. But I only noticed that sometimes.

It was work hardware, so I didn't pay for it myself, but the pricepoint ($300) was great as well.

But around 2010, the netbook market died. Mostly for two reasons:

  • newer versions of Windows couldn't handle the slower Intel Atom processors and smaller screens of netbooks
  • tablets came in and mostly supplanted the category

Dell discontinued its Mini line, and so did everyone else. The last time Asus made an Eee PC was in 2013, and it was dead for a few years before that.

A shame, a netbook would be perfect for me right now. I mostly just live in a terminal with Firefox running. That's about it.

But alas, everyone stopped making them. The closest thing I can find are 12.5" laptops. They are okay, but netbooks would be better.

Oh well.


Mardaani

Here's the thing about movie critic reviews: while they are not perfect, you can generally trust them. When they tell you to skip Sharknado, but that Guardians of the Galaxy was pretty good, they are usually right. There are of course exceptions to this rule—for example I thought Snowpiercer was the worst piece of garbage film I've set my eyes on in recent years, but it was almost universally lauded by critics.

But overall, you can trust them by and large.

But, and this cannot be overemphasized, this is only true for Western film critics.

When Indian film critics tell you a movie is good or bad, do not trust them.

Here's a fun exercise to prove my point: Go and find all the movie reviews you can on Slumdog Millionaire. Once you have done that, divide these into two categories, those done by Indian film critics, and everyone else. Take the Indian pile, and further divide it into two more piles, every review made before the film swept Oscars, and every review after. Now, read through the reviews.

Notice something interesting about them? Most of the Western reviews say something along the lines of, "This is a very good movie." At the time I saw it, shortly after it had come out, I agreed. I thought it was excellent and encouraged everyone I knew to watch it.

Indian reviews on the other hand, all panned the film. They all said the same thing: (1) it was a terrible story, and (2) it did not accurately represent India.

Now if you read the Indian reviews of the film after it won the Oscars, they all changed their tune, they all said that it was an excellent film and totally worthy of praise. Interestingly, these were written by those same reviewers who panned the film a few weeks/months earlier. Some of them had the honesty to say as much, and admitted they were not really objectively judging the film earlier, but most did not refer to their hypocrisy.

So what was the problem? I believe that Indian film critics do not hold themselves to objective standards when they review films.

Their reviews are colored by the actors in the film, the amount of money it costs to make the film, etc. Very few reviewers actually review the film.

Which brings me to the topic of my current post. I decided to watch Mardaani based on Indian film critic reviews (my mistake). They all loved it and said it was a lovely film.

It was not. The plot was completely unbelievable, the acting was fake, the characters were caricatures of cops and gangsters. And I, like a fool, kept waiting for it to get really good. Because I had read the reviews (from Indian critics).

It was, in short, a terrible movie. Skip it. And you can believe me when I say that.


PK

Whenever someone tells you that a Bollywood film is science fiction, never believe them. PK is no exception. Like all Indian movies claiming to be science fiction, the sci-fi element is basically loosely used for the setup, and not really explored. PK is an alien who comes from another planet, gets stranded on earth, and largely spends the whole movie trying to "find God".

Not that this makes it a bad movie. PK was a bad movie on its own, without the sci-fi elements. PK is very preachy, showing the hypocrisy of various religions, but it fails to entertain, or even give a coherent plot.

Am I surprised or angry that this was not a very good film? No, that's par for the course for Bollywood. I'm more upset that it received positive reviews from critics. Indian film critics are the real hypocrites here. They judge movies based simply on stars and budget. If this was not an Aamir Khan film, then it would have been panned.

My recommendation: skip this film, there's nothing to see here.


Second Hand Husband

This movie brings out mixed emotions in me. On the one hand, I do like the fact that Bollywood is tackling non-traditional storylines, in this case: a man and a woman want to get married, but things are complicated by the fact that he is in the process of divorcing his current wife and has to deal with the sorts of issues that come with that.

The problem is that this is a hard subject to make work as a romantic comedy (which is what I presume this movie was). Not to say it isn't possible, but it's hard to make it work. And this movie did not make it work.

The acting was stiff, which is par for the course for this type of film. In addition, neither the roles nor the dialogue were any good. I went into the movie theater coming off a bout of stomach flu, and I'm glad my system was empty, or I think I would have retched in the middle of the movie.

My only consolation was that I went for the first showing, so I only wasted about $6.50 for a matinee ticket as opposed to the usual $15.


Lyft's Badly Designed App

So a few weeks ago, after hearing some good things about it from friends, I started using Uber.

I also started using Lyft, because according to reports, drivers like it better (perhaps this has to do with the fact that they can get tips through the app). The first couple of Uber rides I took, the drivers were also Lyft drivers, and when I asked them, they said they all preferred Lyft.

I want to like Lyft. I really do. But there are some things that are annoying about it:

  • Authentication: You can't log in with normal username/password credentials like everyone else in the whole world. In order to log in, you enter your phone number into Lyft's website, and they send you a code via SMS.

    I'm not sure how they handle things if you need to login through some other phone/device. What happens if you change phone numbers?

  • Profile pic: Even more annoying, there is no way to add your profile picture through the app. So right now, I have no profile pic in Lyft.

    Lyft seems to think that everyone uses Facebook, so they want you to use the app that way. Facebook, presumably, is how one would set a profile picture.

    UPDATE (2015-06-15): Three days after I wrote this post, Lyft updated their iPhone app to fix this problem. You can now set your profile picture through it.

  • Fare estimation: You cannot get a fare estimate through the Lyft app.

    What you have to do instead is open up a browser, go to the Lyft webpage for your city, and punch in two addresses, and get an estimate that way. Completely annoying and very hard to do if you're not exactly sure where you are.

Neither Uber's nor Lyft's app is perfect; both definitely have rough edges, especially the UI around setting a pickup location, but you get over these quickly enough.

But Uber's is light years ahead of Lyft's.

Getting around Yahoo's DMARC Policy with GNU MailMan

So Yahoo's silly DMARC policy, which they introduced in April of 2014, bit me today.

I set up a mailing list for someone for a group they volunteered with, sent out a couple of test messages to ensure everything was working, and handed it over.

Everything was working until they mentioned that they didn't get a message from the main organizer of the group. The only reason they knew it was even sent was because I was subscribed to the list myself, and mentioned to them in passing "Oh, so-and-so sent an email" when I first saw the message come through on my phone.

A few hours later, when they were sitting at their computer, they mentioned that they hadn't received the aforementioned email from the organizer. A little digging revealed the mail was in the GMail spam folder. A little further digging revealed that the original poster was using a Yahoo email address.

I'm not going to go into why I think Yahoo's policy is dumb. They have a right to publish their DMARC policies as they see fit. It does however break electronic mailing lists, and apparently Yahoo doesn't care too much about that.

So the rest of this post is about how we dealt with this problem.

My first inclination was to ask the user to use an alternate (GMail) address instead of their Yahoo one. But I rejected this because this was a nontechnical user on a nontechnical list and I didn't want to inconvenience them for their ESP's stupidity.

My next option was to turn on list munging for my list. This would rewrite the From: line of all the messages sent to the list.

So something like this:

From: Joe Blow <jblow@yahoo.com>
To: Foo List <foo@example.org>

would turn into something like this:

From: Joe Blow via foo <foo@example.org>
To: Foo List <foo@example.org>

I knew this was possible with GNU Mailman, and the setting itself is pretty simple:

from_is_list = 1

But the problem is that this munges everyone's address, not just those from yahoo.com. It was then I discovered these two gems:

dmarc_quarantine_moderation_action = 1
dmarc_moderation_action = 1

With dmarc_moderation_action set to 1, Mailman munges the From: line only on posts from domains that publish a DMARC policy of p=reject; turning on dmarc_quarantine_moderation_action makes the same action apply to domains that publish p=quarantine as well. So, unlike from_is_list, munging happens only for posters at domains with such a DMARC policy.

These features are available in GNU Mailman version 2.18 and greater.
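As an added illustration (my own code, not Mailman's), here is a small model of the decision those two settings make: look up the poster's DMARC policy, munge the From: line into the "Joe Blow via foo <foo@example.org>" form only when that policy is p=reject (or p=quarantine when the quarantine option is also on), and leave everyone else's From: alone. The records in SAMPLE_DMARC_RECORDS are constructed stand-ins for the _dmarc TXT lookups and the domain names are made up; the walk up to a parent domain's sp= tag is a simplification of the real organizational-domain rule, and keeping the poster's address in Reply-To is my addition rather than something the post describes. The example goes one step beyond the post by also covering the sp= subdomain-policy case.

```python
from email.utils import formataddr, parseaddr

# Constructed _dmarc.<domain> TXT records standing in for DNS; none are real.
SAMPLE_DMARC_RECORDS = {
    "yahoo.example": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@yahoo.example",
    "quarantine.example": "v=DMARC1; p=quarantine; sp=none",
    "relaxed.example": "v=DMARC1; p=none; rua=mailto:reports@relaxed.example",
}

# The list from the header example in the post.
LIST_NAME = "foo"
LIST_ADDRESS = "foo@example.org"


def parse_dmarc(record):
    """Split a DMARC TXT record ("v=DMARC1; p=reject; ...") into a tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags


def dmarc_policy(domain, records=SAMPLE_DMARC_RECORDS):
    """Policy (none/quarantine/reject) that applies to mail From: this domain,
    or None if no record is published.  Exact domain first; otherwise walk up
    to a parent record and honour its sp= tag (simplified: no public-suffix list)."""
    labels = domain.lower().split(".")
    record = records.get(domain.lower())
    if record is not None:
        return parse_dmarc(record).get("p")
    for i in range(1, len(labels) - 1):
        record = records.get(".".join(labels[i:]))
        if record is not None:
            tags = parse_dmarc(record)
            return tags.get("sp", tags.get("p"))
    return None


def should_munge(from_domain, dmarc_moderation_action=1,
                 dmarc_quarantine_moderation_action=0):
    """Model of the two list settings: action 1 (munge) applies to p=reject
    domains, and also to p=quarantine domains when the quarantine option is on."""
    if dmarc_moderation_action != 1:
        return False
    policy = dmarc_policy(from_domain)
    if policy == "reject":
        return True
    return policy == "quarantine" and bool(dmarc_quarantine_moderation_action)


def process_headers(headers, quarantine_too=False):
    """Rewrite From: the way the post shows when the poster's domain requires it.
    The original From: is kept in Reply-To so the poster stays reachable
    (an addition for this example, not something the post describes)."""
    name, addr = parseaddr(headers["From"])
    domain = addr.rpartition("@")[2]
    out = dict(headers)
    if should_munge(domain, 1, int(quarantine_too)):
        out["From"] = formataddr((f"{name or addr} via {LIST_NAME}", LIST_ADDRESS))
        out["Reply-To"] = headers["From"]
    return out


if __name__ == "__main__":
    msg = {"From": "Joe Blow <jblow@yahoo.example>", "To": "Foo List <foo@example.org>"}
    for k, v in process_headers(msg).items():
        print(f"{k}: {v}")
```

The point of the per-domain lookup is the one the post makes: from_is_list rewrites everyone, whereas the DMARC-aware settings only touch posters whose domain has told receivers to reject (or quarantine) mail that fails alignment, so a Yahoo poster gets munged while a poster from a p=none domain goes through untouched.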

Major thanks to the GNU Mailman devs for implementing this—they did it pretty quickly after the start of this fiasco too, judging by the release dates.


Trying out Sigal

Even before I stumbled onto the jewels that are Pelican and other static site generators, I had longed to replace my gallery albums.

Gallery was one of the first good open source image gallery systems out there. It did an okay job, but like WordPress, it was written in PHP and massively overengineered and overfeatured.

I once spent months setting up Gallery for a client. Apart from building and installing the software (pretty easy with FreeBSD's ports) and actually getting the images together, most of the time spent was trying to integrate the gallery output pages into the look and feel of the client's existing website. That was massively painful, but in the end, it worked beautifully.

Some time later, some devs overhauled the website, and my work was put on the shelf. A bit after that, the powers that be decided the new website was aesthetically challenged (a euphemism for ugly), and wanted me to revert back to my old site. Which I did. Except that Gallery broke. I'm not sure how. The database and files were restored to their exact states (we had been meticulous about backups), but we could never get it to look the same again. I talked to some gallery devs, and everyone just recommended I upgrade from gallery 2 to gallery 3.

In the end, the gallery images were only a small subsection of their website, so we ended up not restoring it, deciding it was not worth the trouble.

Since then, I've longed for something that would just spit out raw HTML and CSS, just like pelican.

It looks like Sigal is it.

It's not perfect: by default it wants to spit out new-agey JavaScript galleries, blech. But it works with Jinja2, so it should be pretty easy to make it do what I want.

Stay tuned!
