{ "version": "https://jsonfeed.org/version/1.1", "title": "The Grumpy Troll: The Grumpy Troll", "home_page_url": "https://bridge.grumpy-troll.org/", "feed_url": "https://bridge.grumpy-troll.org/feed.json", "favicon": "/troll-dalle-1-64x.png", "authors": [ { "name": "Phil Pennock" } ], "language": "en-US", "items": [ { "id": "https://bridge.grumpy-troll.org/2024/02/hugo-generated-text-file/", "url": "https://bridge.grumpy-troll.org/2024/02/hugo-generated-text-file/", "title": "(Go)Hugo Generated Text File", "date_published": "2024-02-23", "tags": [ "hugo", "gohugo", "CMS", "go template", "text", "blog" ], "summary": "I migrated this blog to Hugo in 2013. At the time, I wrote features for Hugo to support the migration. For a while, I knew every feature of the software. Those days are long past. Much of what I knew, I have forgotten.\nI almost entirely just have post content, setup in a pattern which predates the themes and so forth. I have some static files, of course. But when it came to setting up a plain-text file outside of the blog area, but with the content being generated with Go text/template, I found it surprisingly hard to find clear explicit guidance on how to do this. [...]" } , { "id": "https://bridge.grumpy-troll.org/2024/01/configuration-objects/", "url": "https://bridge.grumpy-troll.org/2024/01/configuration-objects/", "title": "Configuration Objects", "date_published": "2024-01-22", "tags": [ "configuration", "YAML", "docker", "container", "versions", "deployment", "configuration management", "kubernetes" ], "summary": "I’m going to pick holes in an approach which I think is actively harmful to our industry and the maintainability of the systems we write and manage. The problem is one of approach, and nothing is unfixable.\nThe way is which YAML is used and abused is symptomatic of flaws in how we approach systems design and configuration. This is not the fault of YAML, as whichever language we use would suffer the same fate. [...]" } , { "id": "https://bridge.grumpy-troll.org/2024/01/tailscale-docker-remote/", "url": "https://bridge.grumpy-troll.org/2024/01/tailscale-docker-remote/", "title": "Tailscale and Docker Remote", "date_published": "2024-01-14", "tags": [ "tailscale", "VPN", "docker", "container", "TLS", "ACME", "authentication", "security" ], "summary": "I recently wanted a way for my team to run throw-away containers on a remote box, for development and testing. I did not want Kubernetes or a lot of overhead, I just wanted the ability for people to throw containers on the box and run them. The only access control needed was “is in the list of people allowed to talk to the container-runner service”: if you can talk to it, you can run containers. [...]" } , { "id": "https://bridge.grumpy-troll.org/2020/07/small-mailserver-bcp/", "url": "https://bridge.grumpy-troll.org/2020/07/small-mailserver-bcp/", "title": "Small Mailserver Best Current Practices", "date_published": "2020-07-24", "tags": [ "SMTP", "email", "BCP", "DNS", "DNSSEC", "MTA", "SPF", "DKIM", "DMARC", "TLS", "DANE", "OpenPGP" ], "summary": "(This post was originally written as a reply on the mailop mailing-list, but a friend asked me to turn it into a blog post. I’ve edited it, mostly adding more links to elsewhere, but there are some additions here.)\nContext: someone with a mail-server hosted in a German facility with a poor reputation for handling abuse reports was asking for help on sending email to their Gmail-using friends; they had SPF and didn’t see the point of DKIM; they had TLS setup for their mail-server, using a certificate from CACert. [...]" } , { "id": "https://bridge.grumpy-troll.org/2020/07/shell-locality/", "url": "https://bridge.grumpy-troll.org/2020/07/shell-locality/", "title": "Shell Locality", "date_published": "2020-07-16", "tags": [ "shell", "posix", "bourne", "bash", "zsh", "portability", "programming", "scripting" ], "summary": "When a shell function declares a variable to be local and then unsets it, does the name return to being global in scope or is it still “known” to be local, even though unset (via some kind of tombstone mechanism, perhaps)?\nLet’s test it. Spoiler: the results vary.\nNote that POSIX does not provide local, this is a shell extension.\nThe Test Here is our test as a pasteable one-liner: [...]" } , { "id": "https://bridge.grumpy-troll.org/2019/12/slack-tax/", "url": "https://bridge.grumpy-troll.org/2019/12/slack-tax/", "title": "Slack Tax", "date_published": "2019-12-12", "tags": [ "competition", "corporate behavior", "market dominance", "slack", "team chat" ], "summary": "Chambers of commerce should be urgently talking with the FTC to try to stave off an imminent forced tax on their members, by Slack.\nNB: I have no vested interest in any company mentioned here, unless my retirement index-tracker fund has done so, in which case I’m probably hurting myself by writing this.\nSlack as a company makes Slack, the product. It’s for team communications and basic use is free but there are paid tiers which bill per active user. [...]" } , { "id": "https://bridge.grumpy-troll.org/2018/07/git-aliases-shell/", "url": "https://bridge.grumpy-troll.org/2018/07/git-aliases-shell/", "title": "Git Aliases & Shell", "date_published": "2018-07-22", "tags": [ "git", "shell", "internals", "aws" ], "summary": "Today I took a look at one particular git repository’s configuration and saw something slightly off in the configuration for a credential helper, dating from an old experiment with AWS CodeCommit. I decided to dig deeper to figure out what the actual rules are for shell commands inside git configuration files.\nThis side-diversion took a bit longer than expected. It’s a Sunday. Ah well. I’ve seen too much cargo-culted incorrect information online, so it was time to figure out an accurate answer. [...]" } , { "id": "https://bridge.grumpy-troll.org/2018/03/alpine-arm/", "url": "https://bridge.grumpy-troll.org/2018/03/alpine-arm/", "title": "Alpine Linux on ARM (Turris Router)", "date_published": "2018-03-18", "tags": [ "alpine", "linux", "arm", "router", "package-management", "bootstrap", "containers" ], "summary": "My home router is a Turris Omnia, which provides the option for running LXC containers; I use this for SSH jumphosts and other such things as belong “on the router itself”.\nLast night I decided that it was time to install an Alpine Linux container, to complement the Debian container which has been predominantly used to date. This presented a few issues, but all was done. In this post: networking from no-network, CIDR (classless) routes accepted over DHCP, and other quirks. [...]" } , { "id": "https://bridge.grumpy-troll.org/2017/11/boot2docker-xhyve-dns/", "url": "https://bridge.grumpy-troll.org/2017/11/boot2docker-xhyve-dns/", "title": "boot2docker xhyve DNS", "date_published": "2017-11-14", "tags": [ "docker", "macOS", "boot2docker", "VMs", "containers", "DNS" ], "summary": "Using macOS with Docker can be “interesting”. When I got started, I followed the useful advice at https://pilsniak.com/how-to-install-docker-on-mac-os-using-brew/. This approach appealed to me, especially the use of xhyve. Because sometimes I just make life difficult for myself.\nThus my initial setup was:\nbrew install docker docker-machine xhyve docker-machine-driver-xhyve f=/usr/local/opt/docker-machine-driver-xhyve/bin/docker-machine-driver-xhyve sudo chown root:wheel $f; sudo chmod u+s $f # because yay, more setuid root binaries; it's written in Go, which is # something at least. [...]" } , { "id": "https://bridge.grumpy-troll.org/2017/04/golang-ssh-redux/", "url": "https://bridge.grumpy-troll.org/2017/04/golang-ssh-redux/", "title": "Golang SSH Redux", "date_published": "2017-04-25", "tags": [ "meta", "golang", "ssh", "CVE", "security" ], "summary": "I’d like to set a couple of things straight, for the record.\nI’ll cover the post/blog, and then I’d like to counter some misconceptions. While part of me thinks “I must’ve been very unclear to have so many people misunderstand”, I also saw how many people commented without bothering to read, so really there’s a limit to how much self-flagellation will happen.\nI am not a security researcher. I do not try to get bug bounties. [...]" } , { "id": "https://bridge.grumpy-troll.org/2017/04/golang-ssh-security/", "url": "https://bridge.grumpy-troll.org/2017/04/golang-ssh-security/", "title": "Golang SSH Security", "date_published": "2017-04-02", "tags": [ "golang", "ssh", "identity", "CVE" ], "summary": "This is a tale of two attitudes.\nWorking on a project for a client recently, I needed to speak the SSH protocol in Golang code. So I started with the x/crypto/ssh package, part of the suite of libraries from the Golang developers which is not part of the standard library and not part of their usual compatibility guarantees, but more along the lines of “useful stuff which might graduate to the standard library”. [...]" } , { "id": "https://bridge.grumpy-troll.org/2017/03/docking-compute/", "url": "https://bridge.grumpy-troll.org/2017/03/docking-compute/", "title": "Docking Compute", "date_published": "2017-03-25", "tags": [ "future", "hardware", "idle thoughts" ], "summary": "What I would like to see emerge as technology is “compute docking”. A dock which provides, as part of the peripherals, more CPUs and RAM.\nThis partially demonstrates a failure of software, in that the operating systems approaches in widespread use today have abandoned the idea of the OS and trust boundaries being spread over multiple machines. You get clusters, and software written to run across clusters with a lot of heavyweight infrastructure for scheduling, deployment, etc. [...]" } , { "id": "https://bridge.grumpy-troll.org/2017/03/ocsp-oops/", "url": "https://bridge.grumpy-troll.org/2017/03/ocsp-oops/", "title": "OCSP Oops!", "date_published": "2017-03-13", "tags": [ "TLS", "PKIX", "OCSP" ], "summary": "Conceptual Background OCSP provides a means for a TLS client to check that a certificate issued to a server is still valid, by asking for a “current proof”. In its original form, it’s a disaster: clients need to talk to the TLS server (typically a secure web server), find out who issued the certificates and where on the Internet they can talk to, to get a current cert, go off and talk to that OCSP server, get a current proof, then resume talking to the original server. [...]" } , { "id": "https://bridge.grumpy-troll.org/2017/02/jitsi-certificates/", "url": "https://bridge.grumpy-troll.org/2017/02/jitsi-certificates/", "title": "Jitsi & Certificates", "date_published": "2017-02-15", "tags": [ "XMPP", "TLS", "PKIX", "Certificates", "Cryptography", "Jitsi", "macOS", "Java" ], "summary": "I’ve been on the lookout for an XMPP client I could trust, for macOS. Trust is a loaded term, but in this context, it means:\nEither not written in C, or very proactive about security updates OTR support Source code available, should I choose If installing binary packages, signed releases which can be verified. Today I installed Jitsi.\nIt’s written in Java and is a little slow to start, but I’ll take that if it means my account isn’t compromised by anyone who can send me a friend request. [...]" } , { "id": "https://bridge.grumpy-troll.org/2017/02/im-back/", "url": "https://bridge.grumpy-troll.org/2017/02/im-back/", "title": "I'm Back", "date_published": "2017-02-05", "tags": [ "blog" ], "summary": "This blog saw a bit of a hiatus; I’m back, I might post a little more often.\nLonger version:\nI had used custom-patches to the engine’s code-base to get group-by-time functionality for constructing the side-bar, but while I offered the patches upstream, I lost the time to write tests too. Life at a start-up, my time disappeared again and various factors led me decide to not spend what little time I had on the static site generator’s codebase. [...]" } , { "id": "https://bridge.grumpy-troll.org/2016/08/keybase-unwedging/", "url": "https://bridge.grumpy-troll.org/2016/08/keybase-unwedging/", "title": "Keybase unwedging", "date_published": "2016-08-31", "tags": [ "PGP", "Keybase", "Identity", "Keyring manipulation" ], "summary": "[ This post originally appeared as a Facebook note. ]\nDisclaimer: this goes deep into computing, cryptography policy, gross Unix fiddling with keys and the like. If computers bore you, spare yourself and just stop reading now.\nI first tried out Keybase.io so that I could provide an informed opinion for my then-CEO, at a previous employer. I was unimpressed with the security model, but conceded that it might improve usability enough to be worthwhile anyway. [...]" } , { "id": "https://bridge.grumpy-troll.org/2016/02/onwards-unto-tomorrow/", "url": "https://bridge.grumpy-troll.org/2016/02/onwards-unto-tomorrow/", "title": "Onwards Unto Tomorrow", "date_published": "2016-02-05", "tags": [ "employment", "lifestyle" ], "summary": "[This post originally appeared on Medium]\nToday was my last day at Apcera, Inc. It’s a little bittersweet.\nI’m proud of the products we’ve built and cheered by the friendships made.\nThe product we’ve worked on is incredible; it pretty much defines the market, having been repeatedly ahead of the curve. We’ve won multiple technical evaluations by sophisticated customers, where we’ve easily surpassed the competition, with product which exists and works today. [...]" } , { "id": "https://bridge.grumpy-troll.org/2015/05/komments/", "url": "https://bridge.grumpy-troll.org/2015/05/komments/", "title": "Komments", "date_published": "2015-05-10", "tags": [ "blog", "comments", "social media" ], "summary": "Choosing how to handle comments on a website is non-trivial, if you care about doing it right. There are trade-offs to choose between, so as to handle the spectrum of concerns, between “Big corporations are evil data-gatherers who want to know where you live so that they can send the killbot drones when the day comes, so never use social media” to “there are a lot of people on the Internet, and only 0. [...]" } , { "id": "https://bridge.grumpy-troll.org/2015/03/mum/", "url": "https://bridge.grumpy-troll.org/2015/03/mum/", "title": "Mum", "date_published": "2015-03-25", "tags": [ "Mum", "funeral", "goodbye", "eulogy" ], "summary": "Mum had layers, strong opinions, and an unwavering moral compass. When she set her mind to a matter, no institution of man could turn her aside. I once, as a compliment, told her that she presented a sweet little old lady exterior, but that she was like a shark underneath, comparing her to Agatha Christie’s Miss Marple. Mum took this as the intended compliment, with a smile on her face which still shines in my memory. [...]" } , { "id": "https://bridge.grumpy-troll.org/2014/11/synology-nas-rsync/", "url": "https://bridge.grumpy-troll.org/2014/11/synology-nas-rsync/", "title": "Synology NAS & rsync", "date_published": "2014-11-29", "tags": [ "synology", "NAS", "OpenSSH", "SSH", "rsync" ], "summary": "I own a Synology DS413j NAS (home fileserver, four disks); this is mostly a rather nice box, albeit with some quirks.\nSome quirks might drive me away from buying a replacement box from this manufacturer; I am perplexed that to fix two-factor authentication sign-on, using a locally generated TOTP code, I had to clear cookies for Google. This is a home box and there should be no third-party tracking cookies for how I access devices within my own household. [...]" } , { "id": "https://bridge.grumpy-troll.org/2014/09/pgp-tls-updates/", "url": "https://bridge.grumpy-troll.org/2014/09/pgp-tls-updates/", "title": "PGP & TLS updates", "date_published": "2014-09-06", "tags": [ "PGP", "TLS", "PKIX", "Certificates", "Cryptography" ], "summary": "Some changes in local anchors and identity.\nPGP I am now completely cut over to using my PGP key generated in 2013, as a 4096-bit RSA key, to replace the previous 1024-bit DSA keys from long ago.\nThe new key, 0x4D1E900E14C1CC04, is in the strong-set: I took care to ensure that was the case before cutting over to it. It has been signed by both my older keys, with a Signature Policy URL which ends /self and the text retrieved therefrom asserts that it’s an “it’s me” binding. [...]" } , { "id": "https://bridge.grumpy-troll.org/2014/06/four-miscellaneous-things/", "url": "https://bridge.grumpy-troll.org/2014/06/four-miscellaneous-things/", "title": "Four miscellaneous things", "date_published": "2014-06-07", "tags": [ "FreeBSD", "mount", "jails", "nullfs", "ZFS", "hacks", "bazaar", "synology", "authentication", "2factor", "Amazon", "status history" ], "summary": "Four small things, none on their own worthy of a blog post; the first three are debugging notes from the past week or so and the last is … stunned admiration for PR skill.\nFirst up: FreeBSD Jails and nullfs and ZFS\nZFS is very handy in FreeBSD 10, where you can now boot from ZFS. Note though that zfs maintains its own internal mapping of where names should be mounted, used via zfs mount -a in /etc/rc. [...]" } , { "id": "https://bridge.grumpy-troll.org/2014/05/xmpp-dane-with-prosody/", "url": "https://bridge.grumpy-troll.org/2014/05/xmpp-dane-with-prosody/", "title": "XMPP & DANE with Prosody", "date_published": "2014-05-11", "tags": [ "TLS", "DANE", "XMPP", "Prosody" ], "summary": "Last night (or very early this morning), the XMPP service for spodhuis.org (this grumpy troll’s primary domain) received an upgrade. TLS trust verification for outbound connections can now be performed via DANE lookups.\nDANE is a mechanism, using DNS, DNSSEC and a TLSA record type, to provide verifiable information in DNS about the trust anchors for reaching a particular service, such that verifying the certificate or public key identifying the remote end of a TLS connection need only rely upon the data in the DNS. [...]" } , { "id": "https://bridge.grumpy-troll.org/2014/05/golang-tls-comodo/", "url": "https://bridge.grumpy-troll.org/2014/05/golang-tls-comodo/", "title": "Golang, TLS & Comodo", "date_published": "2014-05-01", "tags": [ "TLS", "Golang", "Go", "X.509", "Comodo" ], "summary": "Had an interesting spot of debugging today, which highlighted a few issues. One of them is my “Oh, I knew about that feature, interesting to see how it interacts here.”, which might cause some programmers to chuckle darkly.\nOne server component which my employer maintains talks to a third-party API for an ancillary service; this is over HTTPS with secret API keys. All certificates and hostnames are validated, etc. Recently, the connectivity broke. [...]" } , { "id": "https://bridge.grumpy-troll.org/2014/04/dmarc-stance/", "url": "https://bridge.grumpy-troll.org/2014/04/dmarc-stance/", "title": "DMARC Stance", "date_published": "2014-04-17", "tags": [ "DMARC", "email", "privacy", "mlm" ], "summary": "DMARC is in the email tech news once more, following Yahoo’s decision to publish a DMARC policy on some of their domains, telling recipient systems to reject mails which do not have valid origin information. I’ve previously written here about DMARC in the context of its privacy implications, covering mailing-list disclosures and then revisiting, for bug interactions making matters worse.\nIn addition, my name has come up in various circles because of a patch to Mailman which I contributed to. [...]" } , { "id": "https://bridge.grumpy-troll.org/2014/03/lxc-routed-on-ubuntu/", "url": "https://bridge.grumpy-troll.org/2014/03/lxc-routed-on-ubuntu/", "title": "LXC Routed on Ubuntu", "date_published": "2014-03-08", "tags": [ "Ubuntu", "LXC", "Containers", "Routed" ], "summary": "Containers are a decent technology, whether they’re FreeBSD’s Jails, Solaris Zones or Linux’s version. Linux comes with the LXC tools which can be quite useful to managing the containers.\nIf you’re happy to use NAT in front of each container, or a proxy (such as SSH configuration using ProxyCommand to ssh to the containing host) or a web-proxy in front of services, the defaults are decent enough; to be able to directly connect to container service, you want the containers to be on a network which is reachable from outside that machine. [...]" } , { "id": "https://bridge.grumpy-troll.org/2014/03/cacert/", "url": "https://bridge.grumpy-troll.org/2014/03/cacert/", "title": "CACert", "date_published": "2014-03-01", "tags": [ "TLS", "PKIX", "Certificates", "Cryptography" ], "summary": "Retro-commentary from 2025: We have far better solutions today than CACert ever offered.\nThis post pre-dated the existence of Let's Encrypt. We now have Certificate Transparency, keeping nation-state CAs from issuing certs for whatever they pleased; we have the CA/Browser Forum meaningfully improving standards instead of MD5 usage lingering for a decade past when it should have been fully retired; we have ever-improving audits to ensure that verification processes are followed; and CAs have been removed from trust-stores for violating their commitments. [...]" } , { "id": "https://bridge.grumpy-troll.org/2014/01/bitcoin/", "url": "https://bridge.grumpy-troll.org/2014/01/bitcoin/", "title": "Bitcoin", "date_published": "2014-01-03", "tags": [ "Bitcoin", "Crypto", "Cryptocurrency" ], "summary": "I’ve had a few people ask me about Bitcoin recently. Rather than repeat myself more than I already have, I’m going to collect together some insightful links and copy/paste liberally from a public Facebook post’s comments, where I wrote on the topic when asked. My thanks to Marc Whitmore for prompting the initial discussion, hosting my diatribe in his comments with nary a cross word, and generally being a true gentleman. [...]" } , { "id": "https://bridge.grumpy-troll.org/2013/12/blog-moved/", "url": "https://bridge.grumpy-troll.org/2013/12/blog-moved/", "title": "Blog moved", "date_published": "2013-12-23", "tags": [ "Administrivia", "GitHub" ], "summary": "As I mentioned in Forthcoming blog move, I was planning to switch my site hosting away from Google Blogger. Of course, that post was back in September.\nI just spent a little time applying the fixes needed to have some basic styling; on the advice of my colleague Jon, I took a look at Foundation as a site framework; major points in its favour are that it touts semantic markup and accessibility, which are two issues that matter to me. [...]" } , { "id": "https://bridge.grumpy-troll.org/2013/12/tcp-fastopen-security/", "url": "https://bridge.grumpy-troll.org/2013/12/tcp-fastopen-security/", "title": "TCP FastOpen Security", "date_published": "2013-12-19", "summary": "A colleague recently enthused about TCP FastOpen being in the Linux kernel; being a grumpy old fart, this troll had ignored such things as always being security holes, such as T/TCP proved to be. So I just looked back over LWN’s article on the topic, to better understand why we might want to enable this on our webservers.\nAs far as I can see, if you have a path link where others can observe Server→Client traffic, but not influence its routing, and can inject packets without being subject to BCP 38 Network Ingress Filtering, then TCP FastOpen lets an attacker send data, using a purloined TCP cookie, and have it acted upon by a server without the server verifying that the stated IP really did send the traffic, bypassing source-bound security checks. [...]" } , { "id": "https://bridge.grumpy-troll.org/2013/09/forthcoming-blog-move/", "url": "https://bridge.grumpy-troll.org/2013/09/forthcoming-blog-move/", "title": "Forthcoming blog move", "date_published": "2013-09-01", "tags": [ "Administrivia", "social media" ], "summary": "Some might notice that this blog has been a little bare of posts lately. Aside from the time pressures of work, I got fed up enough with Google Blogger and the Comments duplicity that I constructed a new blog, but have yet to deploy it. I have been procrastinating on new posts, to avoid redoing migration work.\nThe New World Order shall consist of a static site, probably hosted by GitHub (of whom I am a paying customer), JavaScript protecting SocialSharePrivacy buttons (so that access to the blog doesn’t even send requests to various social platforms, and you need to click on a button to “unlock” it, at which point your browser talks to the social media site), and the choice of commenting media therefrom. [...]" } , { "id": "https://bridge.grumpy-troll.org/2013/04/mysql-ssltls-and-ubuntu/", "url": "https://bridge.grumpy-troll.org/2013/04/mysql-ssltls-and-ubuntu/", "title": "MySQL, SSL/TLS and Ubuntu", "date_published": "2013-04-27", "tags": [ "TLS", "AppArmor", "mysql", "OpenSSL", "SQL", "Ubuntu" ], "summary": "Some notes, from having set up a MySQL server on Ubuntu and worked to make sure it offered SSL (TLS) for the connections. In this case, Ubuntu 12.04.2 LTS running inside a VMWare Fusion 5 virtual machine. (I write TLS for the generic protocol support, SSL as it pertains to MySQL in particular because that’s the term the MySQL documentation uses). I installed MySQL 5.5.\nThis is purely for testing purposes, so there was no MySQL performance tuning done for the VM; the only relevant tuning was existing tuning, just making sure that the Linux kernel did not try and treat the virtual disk, provided from a backing store as a file in the outer filesystem, as a spinning disk but instead as just a dumb backend (even more appropriate since the laptop has an SSD): [...]" } , { "id": "https://bridge.grumpy-troll.org/2013/04/administrivia-comment-system-google-plus/", "url": "https://bridge.grumpy-troll.org/2013/04/administrivia-comment-system-google-plus/", "title": "Administrivia: comment system & Google (Plus)", "date_published": "2013-04-19", "summary": "Administrivia: I had the new Blogger/Google+ integrated comment system turned on for about 24 hours but have now reverted.\nMy policy is that I want the minimum barriers to commenting consistent with limiting spam. For a while, I was open commenting relying upon Google’s excellent spam detection systems and cleaning up the little that slipped past. I do not want to require that folks submit their data into a particular fiefdom to be able to talk with me. [...]" } , { "id": "https://bridge.grumpy-troll.org/2013/03/isp-liability-and-bcp-38/", "url": "https://bridge.grumpy-troll.org/2013/03/isp-liability-and-bcp-38/", "title": "ISP liability and BCP 38", "date_published": "2013-03-30", "summary": "A couple of days ago, I came up with a thought about the ideal way to get ISPs to actually deploy BCP 38 (aka “don’t let out traffic with source addresses that are spoofed to be from elsewhere”).\nThe good news is that it’s appropriately evil enough that folks I mentioned it to last night really appreciated it.\nThe bad news is that it involves legislation, and it impacts folks with deep pockets, so will never get passed without being corrupted to, at the very least, have severe side-effects, and more likely accomplish the opposite of that which was intended. [...]" } , { "id": "https://bridge.grumpy-troll.org/2013/03/arms-control-in-civil-society/", "url": "https://bridge.grumpy-troll.org/2013/03/arms-control-in-civil-society/", "title": "Arms control in civil society", "date_published": "2013-03-29", "summary": "[I wrote this in a Google+ post on December 24th, 2012. I am reposting to my blog, for discoverability.] [Since G+ has disappeared, I guess “for persistence” too.] In the aftermath of tragedy, people reach out for solutions. Sometimes the obvious approach is very wrong for reasons which are not immediately obvious. When you’re upset, taking the time to understand those reasons can be difficult. Part of being adult is taking a deep breath and working to understand them anyway before forcing changes on everyone. [...]" } , { "id": "https://bridge.grumpy-troll.org/2013/03/household-infrastructure/", "url": "https://bridge.grumpy-troll.org/2013/03/household-infrastructure/", "title": "Household Infrastructure", "date_published": "2013-03-07", "tags": [ "DNSSEC", "OpenWRT", "home sysadmin", "dumbass", "NTP" ], "summary": "So, I need to get one of these plug computers up and running, so it can be my monitoring server for my household.\nThis morning, DNS resolution broke at home. My router, running OpenWRT, is using unbound, so I can get DNSSEC validation. DNSSEC validation broke, on being unable to validate the keys for the root zone, so I could only get DNS service back by disabling DNSSEC.\nTurns out, the clock on the router said it was November 27th, 2012. [...]" } , { "id": "https://bridge.grumpy-troll.org/2012/09/tls-crime-beast-and-you-the-programmer/", "url": "https://bridge.grumpy-troll.org/2012/09/tls-crime-beast-and-you-the-programmer/", "title": "TLS, CRIME, BEAST and you the programmer", "date_published": "2012-09-13", "tags": [ "TLS", "GnuTLS", "security", "OpenSSL", "BEAST", "zlib", "OAuth2", "deflate", "HTTPS", "authentication", "authorisation", "golang", "CRIME", "compression" ], "summary": "Before continuing: I am not a cryptographer; merely someone who, on a good day, can use cryptographic libraries with what might pass for intelligence. I write this post with 20/20 hindsight.\nOne of the security maxims I hold dear is to not freely mix data from different security contexts. Programmers often see this with “don’t mix code and data”, and guidance to prepare parameterised SQL queries and then execute them with untrusted data in parameters, rather than try to sanitise the data into an SQL query. [...]" } , { "id": "https://bridge.grumpy-troll.org/2012/09/go-error-construction-loop/", "url": "https://bridge.grumpy-troll.org/2012/09/go-error-construction-loop/", "title": "Go error construction loop", "date_published": "2012-09-04", "tags": [ "git", "debugging", "golang" ], "summary": "One of the really nice things about the Go programming language is that you have the complete source to the compiler and the standard library, as very readable code which can be used to investigate problems.\nWhen merging a feature branch in a git repo I, of course, rebuilt my test frontend server to be sure everything still worked, as a check before committing. So I found that a client call was never returning, while my program was now chewing a whole CPU. [...]" } , { "id": "https://bridge.grumpy-troll.org/2012/08/spam-abatement/", "url": "https://bridge.grumpy-troll.org/2012/08/spam-abatement/", "title": "Spam abatement", "date_published": "2012-08-24", "summary": "Various folks fight the good fight and tackle spammers and we read news reports about “took down the botnet responsible for X% of the world’s spam”.\nPerhaps the volume of spam drops for a day or two. In exceptional cases, for a week.\nBut the spam returns, and with changed characteristics which do not filter so readily.\nAt heart, it’s an economics problem. There is demand, therefore there will be supply. [...]" } , { "id": "https://bridge.grumpy-troll.org/2012/08/musings-on-in-game-paid-consumables/", "url": "https://bridge.grumpy-troll.org/2012/08/musings-on-in-game-paid-consumables/", "title": "Musings on in-game paid consumables", "date_published": "2012-08-01", "summary": "This post references “I” quite a bit, as I’m exploring my reactions and thoughts on a particular topic; all ethics are subjective at some level, and I hope that by exploring my reactions a little I can contribute towards a healthy debate, while noting that my reactions are not absolutes that should guide others. Particularly, I am not a psychologist and many of the issues here could do with input from such for someone trying to come to an informed conclusion of action to take. [...]" } , { "id": "https://bridge.grumpy-troll.org/2012/07/mailing-list-recipient-disclosures-with-dmarc-redux/", "url": "https://bridge.grumpy-troll.org/2012/07/mailing-list-recipient-disclosures-with-dmarc-redux/", "title": "Mailing-list recipient disclosures with DMARC, redux", "date_published": "2012-07-17", "tags": [ "email", "dkim", "VERP", "dmarc", "privacy" ], "summary": "In February, I wrote the post How private is your mailing-list subscriber list?.\nIt gets worse.\nCombine authentication-failure reports, VERP, mailing-lists and what appears to be a buggy verifier.\nVERP is Variable Envelope Return Path, a name for a technique where a mailing-list encodes information about the recipient’s email address into the SMTP Envelope Sender. This is used so that if there is a delivery problem, the “bounce” which comes back will, for any not-massively-broken mail-system generating the bounce, identify the subscriber to the list who had problems. [...]" } , { "id": "https://bridge.grumpy-troll.org/2012/06/google-io-thoughts/", "url": "https://bridge.grumpy-troll.org/2012/06/google-io-thoughts/", "title": "Google I/O Thoughts", "date_published": "2012-06-27", "tags": [ "calendaring", "tablet", "Android", "google", "WiFi" ], "summary": "I am a stupid grumpy troll. I was invited to Google I/O Extended, but got the date wrong and set aside tomorrow to attend, a day late. Not only have I missed it, but I’ve denied someone else a slot. That’s really embarrassing. More embarrassing than it is annoying to have not attended.\nHow did this happen? I’m human, I made a mistake when entering the event in Google Calendar. [...]" } , { "id": "https://bridge.grumpy-troll.org/2012/06/chrome-profiles/", "url": "https://bridge.grumpy-troll.org/2012/06/chrome-profiles/", "title": "Chrome Profiles", "date_published": "2012-06-23", "tags": [ "MacOSX", "Chrome" ], "summary": "As someone who uses a laptop for work, and may also check personal email with it, this Grumpy Troll has noticed how … inadequate the current multi-signin support with Google’s suite of tools is. Too many products forcibly sign you out of everything when you choose to use the second identity in the list of “current identities” for that product. And yet, Chrome remains the trollish browser of choice, with using multiple browsers as a work-around too often just leading to frustration. [...]" } , { "id": "https://bridge.grumpy-troll.org/2012/06/macosx-launchd-macvim-chrome-editwithemacs/", "url": "https://bridge.grumpy-troll.org/2012/06/macosx-launchd-macvim-chrome-editwithemacs/", "title": "MacOSX launchd, MacVim, Chrome & EditWithEmacs", "date_published": "2012-06-21", "tags": [ "MacOSX", "vim", "plist", "launchd", "Chrome" ], "summary": "One of the biggest productivity enhancements you can make to a browser, when working with web-based services, is to add the ability to edit any text area in a real text editor. Today, I realised that I had not set this up on my work laptop, and my personal laptop is not with me so could not crib the setup. Since I’ve had to debug this twice, it’s time to blog it for next time. [...]" } , { "id": "https://bridge.grumpy-troll.org/2012/06/tabletphone-wowing-step-1/", "url": "https://bridge.grumpy-troll.org/2012/06/tabletphone-wowing-step-1/", "title": "Tablet/phone wowing: step 1", "date_published": "2012-06-16", "summary": "For those who remember my post, A tablet that wows, and thought “I’d like something like that”, then perhaps you should take a look at the Sensordrone kickstarter project.\nIt’s not a tablet, but a bluetooth peripheral with some number of the things I suggested would be good to see. Open source drivers.\n-The Grumpy Troll, unaffiliated with the Sensordrone folks" } , { "id": "https://bridge.grumpy-troll.org/2012/06/apcera/", "url": "https://bridge.grumpy-troll.org/2012/06/apcera/", "title": "Apcera", "date_published": "2012-06-09", "summary": "In February, my friend Brady Catherman became my business partner, as we founded Trivial, Inc.\nWe worked on developing infrastructure tools which are designed to make software development and maintenance on systems far easier, with an eye to serving the cloud-based scripted serving market. During the initial weeks of this company, a mutual friend, Mike Abbott, introduced us to Derek Collison, an entrepreneur who was founding Apcera and gathering engineers with a passion for infrastructure problems. [...]" } , { "id": "https://bridge.grumpy-troll.org/2012/05/the-path-to-exim-4.80/", "url": "https://bridge.grumpy-troll.org/2012/05/the-path-to-exim-4.80/", "title": "The path to Exim 4.80", "date_published": "2012-05-31", "tags": [ "Kerberos", "TLS", "exim", "GnuTLS", "security", "OpenSSL", "BEAST", "NSS", "SASL", "rfc", "crypto", "SNI", "programming" ], "summary": "This is long, detailed and rambling. If you don’t want the editorial, then just peruse the git tree, including:\nREADME.UPDATING NewStuff ChangeLog A while back, The Exim Maintainers held a mini-conf(erence) where we sorted out policy for issues such as “when do we release”. We decided that if not forced sooner by something urgent or the wrap up of major new features, we’d release about every six months with whatever we have. [...]" } , { "id": "https://bridge.grumpy-troll.org/2012/05/pangolin-update/", "url": "https://bridge.grumpy-troll.org/2012/05/pangolin-update/", "title": "Pangolin update", "date_published": "2012-05-25", "tags": [ "exim", "bind", "GnuTLS", "Ubuntu", "svn", "certificates" ], "summary": "One of this troll’s two “homes” on the network is a Xen VM from prgmr, to provide a West Coast USA presence to augment my (FreeBSD) colo box in Amsterdam NL. It was running Ubuntu Oneiric (11.10) and is now running Ubuntu Pangolin (12.04). This mostly went smoothly.\nThe two exceptions: certificates/subversion and bind.\nCertificates I had set up my system to just check out of svn the same layout used on my FreeBSD machine, which has a set of certificates under my control, some adjusted c_* scripts (mostly c_rehash which generates hash symlinks for both OpenSSL pre-1 and 1, with the two different hash schemes used, so applications using either system can still find the certs) and a Makefile, so that updates are just a “make”. [...]" } , { "id": "https://bridge.grumpy-troll.org/2012/04/favicon/", "url": "https://bridge.grumpy-troll.org/2012/04/favicon/", "title": "Favicon", "date_published": "2012-04-28", "tags": [ "favicon", "troll" ], "summary": "Kudos to www.favicon.cc: this Grumpy Troll lacks talent in the visual arts, but their site provided a tool at the complexity level I wanted: a grid of pixels, basic colour management, draw something in pixels, download favicon.\nI didn’t know how to portray ‘grumpy’. Ah well, at least the troll’s teeth display fine British dentistry.\nThis one is 16x16 only. Probably a good thing …" } , { "id": "https://bridge.grumpy-troll.org/2012/04/social-medianetworking-sites/", "url": "https://bridge.grumpy-troll.org/2012/04/social-medianetworking-sites/", "title": "Social Media/Networking Sites", "date_published": "2012-04-13", "tags": [ "social networking", "human psychology", "social media", "fashion" ], "summary": "Time for this Grumpy Troll to state publicly an opinion previously only passed on in speaking. Nothing presented here is given as anything other than the opinion of one person.\nSocial networking sites are items of fashion. They come, they go. They may get fabulously large and generate a lot of money while they’re in, but if so then they’re aimed at the general population and sooner or later they’ll always fade from prominence. [...]" } , { "id": "https://bridge.grumpy-troll.org/2012/03/porting-python-wsgi-app-to-nginxuwsgi/", "url": "https://bridge.grumpy-troll.org/2012/03/porting-python-wsgi-app-to-nginxuwsgi/", "title": "Porting Python WSGI app to nginx/uWSGI", "date_published": "2012-03-20", "tags": [ "WSGI", "PGP", "nginx", "python", "SKS", "Apache", "proxy" ], "summary": "One of the pieces of software this troll runs is the Synchronising Key-Server, SKS, which serves keys for PGP via the HKP protocol (based on HTTP). Recently, Daniel Kahn Gillmor brought an issue to the attention of the keyserver operator community, relating to undesirable behaviour of the server-code when faced with certain types of request, which makes it wise to run the key-server behind an HTTP proxy.\nUntil now, my SKS website [edit: defunct, link removed] had been running under Apache, with a simple redirect for traffic that matches /pks/ to bump over to the HKP port (11371), plus a WSGI app I wrote, for spidering the key-server mesh and reporting stats. [...]" } , { "id": "https://bridge.grumpy-troll.org/2012/03/cryptographic-algorithms-uncomfortable-thoughts/", "url": "https://bridge.grumpy-troll.org/2012/03/cryptographic-algorithms-uncomfortable-thoughts/", "title": "Cryptographic algorithms: uncomfortable thoughts", "date_published": "2012-03-17", "tags": [ "RSA", "cryptography", "ECC", "NSA" ], "summary": "In an earlier blog post, “Why deploy ECC in SSH?”, I noted:\n“It’s not that I have any reason to fear that RSA or DSA might be weak, but that I have no reason to believe that either is too weak, so running both in parallel does not hurt security and does improve my ability to respond to a changing environment, which at some point in time will critically improve my security. [...]" } , { "id": "https://bridge.grumpy-troll.org/2012/02/back-up-your-books/", "url": "https://bridge.grumpy-troll.org/2012/02/back-up-your-books/", "title": "Back Up Your Books", "date_published": "2012-02-23", "tags": [ "trust", "cloud", "BarnesAndNoble", "eBooks" ], "summary": "Discovered that this is mostly a UI problem.\nMrs Grumpy Troll was bemused by my setting up Calibre on our home computers, with imports of all the eBooks we (legally) own. With the DRM stripped so that this would be possible. “But you can always re-download them!” she said. She is no longer bemused.\nThe other day, as we sat down to eat in a diner, she asked me if I knew what had happened to a book we’d both read on our Barnes & Noble Nook account. [...]" } , { "id": "https://bridge.grumpy-troll.org/2012/02/calendar-event-scheduling/", "url": "https://bridge.grumpy-troll.org/2012/02/calendar-event-scheduling/", "title": "Calendar event scheduling", "date_published": "2012-02-23", "tags": [ "calendaring", "caldav" ], "summary": "In discussion with nomad, over the topic of calendars? We don’t need no steeken’ calendars! [see text preservation below], I noted that the core problem is the absence of a standard for exchange of data about calendar availability.\nVarious Calendar implementations, such as Google’s, let you choose who to share calendar content with, including just free/busy, but that only works if the other attendees all use that same implementation. Google Calendar also lets you find a time suitable for all attendees, if they’re using Google Calendar. [...]" } , { "id": "https://bridge.grumpy-troll.org/2012/02/ssh-and-zeroconf/", "url": "https://bridge.grumpy-troll.org/2012/02/ssh-and-zeroconf/", "title": "SSH and Zeroconf", "date_published": "2012-02-12", "tags": [ "dns", "SSH", "Zeroconf", "OpenSSH" ], "summary": "Memo to self: while ending a ~/.ssh/config file with a block supplying defaults for * is good (as each attribute uses the first match found for that attribute), and adding security checks is good, DNS based checks do not necessarily play well with Zeroconf. In particular, VerifyHostKeyDNS ask is problematic.\nTo avoid major delays on connecting, it may be helpful to precede that block with:\nHost *.local VerifyHostKeyDNS no -The Grumpy Troll" } , { "id": "https://bridge.grumpy-troll.org/2012/02/how-private-is-your-mailing-list-subscriber-list/", "url": "https://bridge.grumpy-troll.org/2012/02/how-private-is-your-mailing-list-subscriber-list/", "title": "How private is your mailing-list subscriber list?", "date_published": "2012-02-02", "tags": [ "email", "dkim", "dmarc", "privacy" ], "summary": "If you have a supposedly private mailing-list, you may be surprised how much information about your subscriber-list may be disclosed to anyone who can post, by the operators of the mail-systems of those who subscribe. Not email addresses, but counts of subscribers at gmail, indications of forwarding services used, and more.\nSimilarly, if you’re hiding behind a mail-forwarding service but use one of the big freemail providers, someone who wants to may be able to identify which provider you’re using. [...]" } , { "id": "https://bridge.grumpy-troll.org/2012/01/sign-up-to-google-mailing-list-with-external-address/", "url": "https://bridge.grumpy-troll.org/2012/01/sign-up-to-google-mailing-list-with-external-address/", "title": "Sign up to Google mailing-list with external address", "date_published": "2012-01-17", "tags": [ "mlm", "email", "google" ], "summary": "This grumpy troll is sometimes old-fashioned; I’m inclined to self-levitate my own patch of fog and call it a cloud. I run my own mail-server, where I receive the bulk of my mail. For anti-spam reasons, the addresses that go to companies and to the less clueful will be for a Gmail account, but for reading mail in bulk, I prefer to use mutt(1) pointed at my own IMAP setup. [...]" } , { "id": "https://bridge.grumpy-troll.org/2012/01/goodbye-nook-color/", "url": "https://bridge.grumpy-troll.org/2012/01/goodbye-nook-color/", "title": "Goodbye, Nook Color", "date_published": "2012-01-09", "tags": [ "complaint", "Nook", "books", "BarnesAndNoble", "Borders", "eBooks" ], "summary": "At first, I loved my Nook Color from Barnes & Noble. It was so neat, and ran Android, and I could boot into Cyanogen, even if I chose to stick with the supplied OS for now. The Nook app on my Android phone worked well too.\nGoogle Books is very nice, but it inherently ties books to your Google Account identity, which means that you can’t share an account without sharing email, contacts, docs, everything. [...]" } , { "id": "https://bridge.grumpy-troll.org/2012/01/timelessness/", "url": "https://bridge.grumpy-troll.org/2012/01/timelessness/", "title": "Timelessness", "date_published": "2012-01-07", "tags": [ "DNSSEC", "dns", "Coloclue", "time", "colocation", "unix", "VPS", "NTP", "Netherlands" ], "summary": "This troll’s colocation box was physically moved to a new location today. In preparation for this, extensive backups were taken, but this troll did not find time to sort out niceties such as “backup MX”. There is now a VPS second instance which will become usable as a backup, but more work is required.\nThe machine, “redoubt”, is in Amsterdam, NL, where I used to live and where I still have friends; it has moved less often than I have, since I moved to the USA, while providing continuity of service. [...]" } , { "id": "https://bridge.grumpy-troll.org/2011/12/new-years-resolution-2012/", "url": "https://bridge.grumpy-troll.org/2011/12/new-years-resolution-2012/", "title": "New Year's Resolution 2012", "date_published": "2011-12-31", "tags": [ "MacOSX", "cloud", "home sysadmin", "backups" ], "summary": "My tweet of just now:\nNew Year’s Suggestion: do a computer backup today, before the alcohol starts. Start a habit. With decent software, it’s easy.\nSeriously: with something like Time Machine, you just need to make sure the external drive is plugged in and turned on, it should happen automatically after that.\nIf you’re cautious, part of your reason for taking backups is to protect against system corruption, so you won’t leave the backup drive turned on, or perhaps even plugged in. [...]" } , { "id": "https://bridge.grumpy-troll.org/2011/09/medicine-future/", "url": "https://bridge.grumpy-troll.org/2011/09/medicine-future/", "title": "Medicine future", "date_published": "2011-09-20", "tags": [ "USA", "health-care" ], "summary": "As we end up with more and more devices being able to be constructed by personal manufacturing and it becomes more routine, it will be interesting to see the effect upon the medical analysis industry.\nA family member had a soft tissue injury to the knee; before the insurance company would pay for the MRI, they required an X-Ray, despite X-Rays not showing soft tissue injuries. It’s bad enough that money and time is wasted on this, no matter who pays. [...]" } , { "id": "https://bridge.grumpy-troll.org/2011/09/trust-x509-pki-dnssec-and-associated/", "url": "https://bridge.grumpy-troll.org/2011/09/trust-x509-pki-dnssec-and-associated/", "title": "Trust, X.509 PKI, DNSSEC and associated ramblings", "date_published": "2011-09-06", "tags": [ "x509", "DNSSEC", "TLS", "pki", "crypto", "ssl", "internet", "federation" ], "summary": "This grumpy troll has long been miffed by the state of the X.509 trust system and the power placed in Certificate Authorities. See, for instance, https://lopsa.org/SSLIntro from October 2006; written as a guide for LOPSA members, which goes into the trust models of Kerberos, PGP and SSL’s Public Key Infrastructure (PKI).\nAlso, a CA certificate can include nameConstraints, which restricts what names the CA claims authority over. Most CAs claim global authority and most clients don’t appear to offer a way to impose name constraints by local policy instead of based on the certificate. [...]" } , { "id": "https://bridge.grumpy-troll.org/2011/08/a-tablet-that-wows/", "url": "https://bridge.grumpy-troll.org/2011/08/a-tablet-that-wows/", "title": "A tablet that wows", "date_published": "2011-08-10", "tags": [ "tablet", "innovation", "Android" ], "summary": "I’m getting tired of seeing the same old tired specifications lists for phones and for tablets.\nVarious manufacturers lust after the sales figures of the iPad, and see Android as a good way to at least be part of a viable ecosystem of apps, making their devices sellable. Yet few seem to understand that if you’re not “very cheap” then you need to make the potential customer go “Wow!” and actively want to hand over the money you charge, of wanting to save up money and forgo something else to be able to afford to drop $500 on a small computer. [...]" } , { "id": "https://bridge.grumpy-troll.org/2011/08/the-purpose-of-life/", "url": "https://bridge.grumpy-troll.org/2011/08/the-purpose-of-life/", "title": "The purpose of life?", "date_published": "2011-08-07", "tags": [ "life", "philosophy", "religion" ], "summary": "A thought experiment. I’m not sure that I believe this, but I put it out for your consideration.\nThat which lives is that which opposes the second law of thermodynamics. Life is the balancing counterweight to the second law.\nCreatures remain alive, instead of dissipating. Further, various creatures impose order on the world, where the non-living merely degenerates. Beavers create dams. All mortal living organisms reproduce and impose their pattern of structure upon the matter which makes up their forms, in the next generation as in the current. [...]" } , { "id": "https://bridge.grumpy-troll.org/2011/07/niche/", "url": "https://bridge.grumpy-troll.org/2011/07/niche/", "title": "Niche", "date_published": "2011-07-21", "tags": [ "Linux" ], "summary": "There was a time when the Linux kernel was part of niche OSes, used only by a few hackers.\nDevelopers made much of the importance of porting to Linux in improving code quality, by running on more OSes.\nNow the systemd developers class any Unix that is not Linux as niche and not worthy of supporting.\nSwings and roundabouts." } , { "id": "https://bridge.grumpy-troll.org/2011/07/diversion-into-macosx-launchd-ssh-agent/", "url": "https://bridge.grumpy-troll.org/2011/07/diversion-into-macosx-launchd-ssh-agent/", "title": "Diversion into MacOSX launchd & ssh-agent", "date_published": "2011-07-19", "tags": [ "MacOSX", "OpenSSH" ], "summary": "Well that was an educational diversion. Aka, “I broke things and learnt by repairing them.”\nAfter demonstrating that an OpenSSH ControlMaster problem was only an issue with the ancient OpenSSH shipped with MacOS (10.6.x), I aliased the ssh commands to be the 5.8 versions installed from MacPorts. After doing this, I decided that I should try to switch out the ssh-agent too, so that I can load ECDSA keys and use ECC to reach my colo box. [...]" } , { "id": "https://bridge.grumpy-troll.org/2011/07/rpm-version-labelling/", "url": "https://bridge.grumpy-troll.org/2011/07/rpm-version-labelling/", "title": "RPM version labelling", "date_published": "2011-07-08", "tags": [ "Linux", "RPM", "versioning" ], "summary": "For those experienced with RPMs, this post will doubtless be hilarious in its naïveté.\nThis troll has recently had to start dealing with RPM-based Linux systems. The .spec file system is “interesting”, with documentation scattered and incomplete. Debian’s and FreeBSD’s systems are much cleaner and better documented, but RPM is what I have to deal with.\nOne thing I’ve noticed when building site-local RPMs for software is that people tend not to worry about a future OS upgrade bumping version numbers of the upstream package to where a locally-built package is replaced, or how packages will be disambiguated if upstream has the same version number. [...]" } , { "id": "https://bridge.grumpy-troll.org/2011/06/counter-incentives-to-buying-legitimately/", "url": "https://bridge.grumpy-troll.org/2011/06/counter-incentives-to-buying-legitimately/", "title": "Counter-incentives to buying legitimately", "date_published": "2011-06-22", "tags": [ "iTunes", "MP3", "music", "Android", "Amazon", "google" ], "summary": "When I buy music online, I prefer to buy an .ogg or .mp3 from the artist’s website, cut out the middle man.\nNote that this is not in contrast to getting music without buying it. I do not download music for which I haven’t the right to have a copy, whether by license, public domain or purchasing it. No, this is in contrast to not getting new music. I am a boring grumpy troll. [...]" } , { "id": "https://bridge.grumpy-troll.org/2011/05/ecdsa-ssh-redux-server-key-compromise-attack-may-exist/", "url": "https://bridge.grumpy-troll.org/2011/05/ecdsa-ssh-redux-server-key-compromise-attack-may-exist/", "title": "ECDSA SSH redux: server key compromise attack may exist", "date_published": "2011-05-23", "tags": [ "ECDSA", "cryptography", "timing attack", "ssl", "security", "OpenSSL", "OpenSSH" ], "summary": "[edit: per my comment below, OpenSSH is apparently not vulnerable]\nAris Adamantiadis posted something worrying to the OpenSSH developers’ mailing-list today [MARC archive, Google Groups archive] referencing this paper, https://eprint.iacr.org/2011/232 by Billy Bob Brumley and Nicola Tuveri.\nIn short, the authors manage to recover a TLS server’s private ECDSA key because of a timing flaw in OpenSSL. Timing flaws are when an implementation takes different amounts of time to do different work, so by measuring how long certain operations take, you can glean information that you’re not supposed to have about the private key. [...]" } , { "id": "https://bridge.grumpy-troll.org/2011/05/standards-and-time-passing/", "url": "https://bridge.grumpy-troll.org/2011/05/standards-and-time-passing/", "title": "Standards and time passing", "date_published": "2011-05-09", "tags": [ "C", "ANSI", "standardising", "C99" ], "summary": "I recently realised that there are very few views of computing and “the right way to do things” which I hold now as unchanged from when I started at University in 1994.\nOne of them is “Ten years is enough time to pass after a C language standard before you can rely on it. If your system doesn’t support the current C standard after ten years, then your system is unsupported by the vendor and other people should be hesitant to support it. [...]" } , { "id": "https://bridge.grumpy-troll.org/2011/03/standard-components/", "url": "https://bridge.grumpy-troll.org/2011/03/standard-components/", "title": "Standard components", "date_published": "2011-03-31", "tags": [ "sqlite", "software design", "Chrome", "standardising" ], "summary": "It’s good when applications build on top of standardised components.\nFor instance, Google Chrome stores most of its data in sqlite3 databases in the profile directory. When I started at $current_employer I had a tendency to type calendar.google.com rather than the relevant calendar.example.com to get to my work calendar. After a couple of mistakes, this became self-reinforcing, because the auto-complete would preferentially show the most common completion of “calendar” as I typed that, which would be the wrong completion. [...]" } , { "id": "https://bridge.grumpy-troll.org/2011/03/employment-change/", "url": "https://bridge.grumpy-troll.org/2011/03/employment-change/", "title": "Employment change", "date_published": "2011-03-16", "summary": "Today I worked my last day at Google.\nOn March 28th, I start at Twitter, Inc." } , { "id": "https://bridge.grumpy-troll.org/2011/03/computers-and-sleep/", "url": "https://bridge.grumpy-troll.org/2011/03/computers-and-sleep/", "title": "Computers and sleep", "date_published": "2011-03-08", "tags": [ "MacOSX", "night", "Windows", "sleep", "colour", "Ubuntu" ], "summary": "I am somewhat prone to using my computer late at night.\nSometimes, this is before I go to bed. Other times, I am “oncall” for a service and get woken up at 2am, 4am, etc and then need to be able to get back to sleep after dealing with an issue.\nThe best change I’ve made to accommodate this? Installing f.lux, which has binaries for MacOSX, Windows (7/Vista/XP) and “Linux” (by which they mean Ubuntu). [...]" } , { "id": "https://bridge.grumpy-troll.org/2011/02/why-deploy-ecc-in-ssh/", "url": "https://bridge.grumpy-troll.org/2011/02/why-deploy-ecc-in-ssh/", "title": "Why deploy ECC in SSH?", "date_published": "2011-02-22", "tags": [ "crypto", "ECC", "OpenSSH" ], "summary": "In an earlier post on SSH I described my experiences of deploying Elliptic Curve Cryptography (ECC) in OpenSSH 5.7. Over on the LOPSA tech mailing-list, Tom Perrine asked for peoples’ opinions on ECC. I wrote a reply, which I then realised belongs here, since it clarifies why I would do something, whereas my previous post merely covered the mechanics of how I did it.\nI believe in algorithm agility and not being critically dependent upon any one system. [...]" } , { "id": "https://bridge.grumpy-troll.org/2011/02/unit-of-measurement-for-idiocy/", "url": "https://bridge.grumpy-troll.org/2011/02/unit-of-measurement-for-idiocy/", "title": "Unit of measurement for idiocy", "date_published": "2011-02-22", "tags": [ "dumbass" ], "summary": "I send the announcement for the Exim 4.75 RC1 release candidate. I discover that a change in the build tools broke the doc/ directory population and that I’d failed to spot it before release. Mail a follow-up apologising. Fix the problem instead of heading to bed when Mrs Grumpy Troll wished me to. The next day, I take a couple of other fixes and put together the RC2 release. I send the RC2 announcement as a follow-up to the RC1 announce, so that there’s context and I don’t need to repeat everything I notice that I forgot to change the Subject: line Clearly this is not going as well as it might. [...]" } , { "id": "https://bridge.grumpy-troll.org/2011/02/previewing-font-contents/", "url": "https://bridge.grumpy-troll.org/2011/02/previewing-font-contents/", "title": "Previewing font contents", "date_published": "2011-02-18", "tags": [ "Preview", "code2000", "unicode", "font", "pdf", "google" ], "summary": "Those who read “Typing Weird Stuff” or “How long is a piece of string?” may have noticed that I like exploring the non-ASCII parts of the Unicode assignments.\nIn order to actually view these characters, it’s necessary to have fonts which support the necessary characters. Even on an Apple Mac, the default fonts don’t have great coverage. So far, the best font I’ve found is the shareware “Code2000”, costing $5. [website has been down for a couple of weeks and my attempts to contact the author have failed]. [...]" } , { "id": "https://bridge.grumpy-troll.org/2011/02/the-dns-root-zone-international-governance-icann-and-dnssec/", "url": "https://bridge.grumpy-troll.org/2011/02/the-dns-root-zone-international-governance-icann-and-dnssec/", "title": "The DNS root zone, international governance, ICANN and DNSSEC", "date_published": "2011-02-11", "tags": [ "ICANN", "DNSSEC", "dns", "governance", "federation" ], "summary": "When it comes to “who controls the DNS?”, passions start to run high, nationalistic sentiment comes to the fore and the noise level rises. I’d like to step back and point out a difference between the official nominal control of DNS and the actual, de facto, practice, and how things are changing.\nDNS is a federated system, whereby DNS operators own their own little corner of the DNS and can control and delegate as they see fit. [...]" } , { "id": "https://bridge.grumpy-troll.org/2011/02/dns-dont-implement-edns0-to-bypass-implementing-tcp-fallback/", "url": "https://bridge.grumpy-troll.org/2011/02/dns-dont-implement-edns0-to-bypass-implementing-tcp-fallback/", "title": "DNS: don't implement EDNS0 to bypass implementing TCP fallback", "date_published": "2011-02-10", "tags": [ "TCP", "dns", "EDNS0", "UDP", "debugging" ], "summary": "This grumpy troll occasionally hacks on scripts which use DNS in slightly unusual ways. As part of this, I was sending queries directly to authoritative DNS servers, which with dnspython necessitated sending UDP queries explicitly, rather than invoking an interface that would fall back to TCP.\nTo test things, I created two DNS zones, “toomanyns.test.globnix.net” and “toomanyns-eth.test.globnix.net”; the label “www” exists within those. These are set up with, respectively 7 and 20 NS resource records (RRs), each with a leading label 63 octets long. [...]" } , { "id": "https://bridge.grumpy-troll.org/2011/02/i-was-wrong-about-wikileaks-cablegate/", "url": "https://bridge.grumpy-troll.org/2011/02/i-was-wrong-about-wikileaks-cablegate/", "title": "I was wrong about wikileaks cablegate", "date_published": "2011-02-05", "tags": [ "middle-east", "politics", "diplomacy", "democracy", "wikileaks" ], "summary": "I’ve long been of two minds about Wikileaks and what it does. This is not an area of simple truths, but of competing demands and trying to find a balance.\nWhen Wikileaks released their Afghanistan documents, I wrote of my reaction to the political reaction.\nThen came Cablegate.\nOn the predominant hand: the value of diplomacy and diplomatic immunity is so high that it’s hard to overstate their importance. Cool heads prevent wars, save incalculable lives and generally preserve peace. [...]" } , { "id": "https://bridge.grumpy-troll.org/2011/02/importance-of-checking-return-values/", "url": "https://bridge.grumpy-troll.org/2011/02/importance-of-checking-return-values/", "title": "Importance of checking return values", "date_published": "2011-02-03", "tags": [ "x509", "unicode", "ssl", "python" ], "summary": "Hacking last night on a Python (2.6) conversion of a Perl tool I wrote, I ran into a stumbling block. I couldn’t figure it out then. I tried again tonight, after a couple of hours I finally tracked it down.\nThe tool is verifying x509 certs from a TLS connection. To do this, I quickly discovered that Python’s ssl module is horribly insecure until Python 3.2, not providing cert verification. pycrypto’s OpenSSL package doesn’t support using a ca_path directory-of-certs on MacOS. [...]" } , { "id": "https://bridge.grumpy-troll.org/2011/02/2011-nobel-peace-prize/", "url": "https://bridge.grumpy-troll.org/2011/02/2011-nobel-peace-prize/", "title": "2011 Nobel Peace Prize", "date_published": "2011-02-02", "tags": [ "peace", "politics", "democracy", "wikileaks" ], "summary": "One cited source of fuel for the middle-east regime changes is the US State Department cables, leaked by wikileaks. Turns out, when a people get to see honest assessments of the corruption in their own governments, it drives their determination.\nIn light of this, I wonder if the US State Department will sponsor a campaign to nominate Julian Assange for the Nobel Peace Prize?\nI suspect not. But the thought makes me smile. [...]" } , { "id": "https://bridge.grumpy-troll.org/2011/02/tying-oneself-in-pythonic-knots/", "url": "https://bridge.grumpy-troll.org/2011/02/tying-oneself-in-pythonic-knots/", "title": "Tying oneself in Pythonic knots", "date_published": "2011-02-02", "tags": [ "IDN", "charset", "unicode", "python", "google", "punycode" ], "summary": "A couple of weeks back, I knocked together a short script “puny”, to let me give it a domain-name containing punycode or unicode and show me the conversions either direction. I opted to use Python 3 because it was a simple script and would let me practice using the newer variant of the language.\nToday, I decided I wanted to add automatic translation to the tool, using Google Translate’s API. The problems which were resulted were all Pythonic in origin. [...]" } , { "id": "https://bridge.grumpy-troll.org/2011/01/exim-novel-experiences/", "url": "https://bridge.grumpy-troll.org/2011/01/exim-novel-experiences/", "title": "Exim: novel experiences", "date_published": "2011-01-31", "tags": [ "backport", "exim", "release", "Debian", "security" ], "summary": "Last year I became an Exim Committer. I shepherded the recent 4.74 release, which was the first one not done by The Usual Victim. As such, there were some teething issues, but it went okay.\nUnfortunately, it was a security-fix release, which meant that it was done on a compressed schedule. I’d much rather my first Exim release not have been so constrained, but that’s the way the dice rolled and I just have to suck it up. [...]" } , { "id": "https://bridge.grumpy-troll.org/2011/01/how-long-is-a-piece-of-string/", "url": "https://bridge.grumpy-troll.org/2011/01/how-long-is-a-piece-of-string/", "title": "How long is a piece of string?", "date_published": "2011-01-29", "tags": [ "unicode", "perl" ], "summary": "When I was a teenager and I asked a teacher how long they expected an essay to be, I’d get asked in response, “How long is a piece of string?” — which I found infuriating as I was trying to establish expectations to, uhm, determine how little work I needed to do. cough\nFast-forward to today and I’m banging my head against the way that in modern computing, where “string” has a specific meaning, there are three different answers to the question. [...]" } , { "id": "https://bridge.grumpy-troll.org/2011/01/idn-python-perl-and-my-woes/", "url": "https://bridge.grumpy-troll.org/2011/01/idn-python-perl-and-my-woes/", "title": "IDN, Python, Perl and my woes", "date_published": "2011-01-28", "tags": [ "IDN", "dns", "グランピートロル", "exim", "unicode", "JP", "python", "perl", "punycode" ], "summary": "With the help of a friend who lives in Japan, I have registered an IDN domain, for working on improving the non-ascii support of some software I use; in particular, Exim.\nThe domain is “https://www.グランピートロル.jp”, “grumpy troll .jp”.\nIn order to do much with this, it’s necessary to get the IDN format. Yet in testing basic Perl and Python to get the IDN, I was seeing values which I knew were wrong. [...]" } , { "id": "https://bridge.grumpy-troll.org/2011/01/openssh/", "url": "https://bridge.grumpy-troll.org/2011/01/openssh/", "title": "OpenSSH", "date_published": "2011-01-24", "tags": [ "ECDSA", "dns", "cryptography", "ECC", "SSH", "SSHFP", "IANA", "OpenSSH" ], "summary": "Today, I updated OpenSSH. There’s a longer tale of trials and tribulations involved in a requisite Heimdal update which I had wisely put off, but foolishly then embarked upon. A tale for another time.\nOpenSSH now (release 5.7) supports some elliptic curve cryptography! Excellent to have modern crypto, and something not based on prime number factorisation. I am put in mind of baskets, containing all of ones eggs.\nSo, time to add ECDSA to my running OpenSSH setup, so that if there’s ever a reason to disable RSA and/or DSA, I still have a way in. [...]" } , { "id": "https://bridge.grumpy-troll.org/2011/01/re-pairing-apple-magic-mouse-after-battery-swap/", "url": "https://bridge.grumpy-troll.org/2011/01/re-pairing-apple-magic-mouse-after-battery-swap/", "title": "Re-pairing Apple Magic Mouse after battery swap", "date_published": "2011-01-22", "tags": [ "MacOSX", "Repair", "Mouse", "Battery", "Paired mouse", "Bluetooth" ], "summary": "The Troll was using Mrs Troll’s iMac, with an Apple Magic Mouse, when the low-battery warning popped up on screen. The mouse is about a month old and comes with non-rechargeable batteries. Fortunately, being of a technical persuasion, this Troll keeps a supply of AA batteries on hand. Even today. Yes, a quaint Troll.\nWhat happened next? The mouse refused to work after the batteries were swapped.\n< Cmd-Space "bluetooth" down-a-few-times Enter > (a Spotlight search) pulled up the Bluetooth preferences pane. [...]" } , { "id": "https://bridge.grumpy-troll.org/2011/01/macos-x-changing-argv--the-troll-erred/", "url": "https://bridge.grumpy-troll.org/2011/01/macos-x-changing-argv--the-troll-erred/", "title": "MacOS X: changing argv -- the troll erred", "date_published": "2011-01-14", "tags": [ "x509", "MacOSX", "Keychain", "client certs", "argv", "WebGL", "Chrome", "debugging", "GUI", "Chromium" ], "summary": "My so-called “solution” in MacOS X: changing argv for launched apps has a serious problem.\nChanging CFBundleExecutable causes code signing to fail. Once code-signing fails (silently!), access to items in the Keychain is impeded.\nThis led to problems using x509 client certificates for https, with a mis-leading error message coming out of Chrome.\nSo, don’t do that. Just … run the command manually from the command-line, if you want to enable flags. [...]" } , { "id": "https://bridge.grumpy-troll.org/2011/01/snowblower/", "url": "https://bridge.grumpy-troll.org/2011/01/snowblower/", "title": "♥ snowblower", "date_published": "2011-01-12", "summary": "Snowblowers rock." } , { "id": "https://bridge.grumpy-troll.org/2011/01/macos-x-changing-argv-for-launched-apps/", "url": "https://bridge.grumpy-troll.org/2011/01/macos-x-changing-argv-for-launched-apps/", "title": "MacOS X: changing argv for launched apps", "date_published": "2011-01-10", "tags": [ "MacOSX", "argv", "WebGL", "Chrome", "GUI" ], "summary": "This is what I did, but it is wrong. Do not do this. See the follow-up post, MacOS X: changing argv – the troll erred\nI just had to figure this out for the second time, since I forgot how I did it the first time, however many months ago that was. So, a post to record the results. Note that I’m a Unix person, not a MacOS person and have not yet invested the time that I should have into how my desktop OS functions. [...]" } , { "id": "https://bridge.grumpy-troll.org/2010/12/pgp-keyserver-interface/", "url": "https://bridge.grumpy-troll.org/2010/12/pgp-keyserver-interface/", "title": "PGP keyserver interface", "date_published": "2010-12-28", "summary": "This evening’s minor tinkering: my web UI front-end to querying my PGP keyserver now uses AJAX to populate a list of servers that you can query instead of having to query mine.\nNo JavaScript, no problem, you just don’t even get shown a list of alternative servers and the functionality still works for querying mine.\nThe list of servers is populated from the complete list of servers in the SKS peering mesh. [...]" } , { "id": "https://bridge.grumpy-troll.org/2010/12/verizon-fios-dns-redirectionhijackingsp/", "url": "https://bridge.grumpy-troll.org/2010/12/verizon-fios-dns-redirectionhijackingsp/", "title": "Verizon FiOS DNS redirection/hijacking/spoofing", "date_published": "2010-12-05", "summary": "Recording the solution here, after trawling through innumerable forum posts, broken support links, etc.\nVerizon FiOS supplies, by default, DNS recursors which spoof answers in place of NXDOMAIN, but ameliorate the impact by only doing so for queries in which the first label is “www”. The page is a Yahoo/Teoma search. My, what a juicy target, should a government ever turn tyrannical — force the revocation of domain registration for an unfavoured group, then serve Yahoo! [...]" } , { "id": "https://bridge.grumpy-troll.org/2010/11/shell-anti-pattern-security-hole/", "url": "https://bridge.grumpy-troll.org/2010/11/shell-anti-pattern-security-hole/", "title": "Shell anti-pattern security hole", "date_published": "2010-11-11", "summary": "I consider myself proficient in shell programming (POSIX sh, with variants). Today, I learnt of a surprising behaviour, which I then realised meant that some error-handling code wasn’t firing when it should, which led to spotting why this is a rather common problem and, in certain circumstances, a security hole resulting from an anti-pattern.\nThe anti-pattern:\ndie() { echo >&2 "$0: $*"; exit 1; } foo() { local tmpdir=$(mktemp -d -t foo. [...]" } , { "id": "https://bridge.grumpy-troll.org/2010/11/happiness/", "url": "https://bridge.grumpy-troll.org/2010/11/happiness/", "title": "Happiness", "date_published": "2010-11-03", "summary": "It’s 18:43 and I still have home Internet connectivity.\nIt’s a very bad state of affairs that this makes me so happy. That’s how bad Comcast (business class) was. Verizon FiOS for the win!" } , { "id": "https://bridge.grumpy-troll.org/2010/11/scratch-the-notion-ink-adam-off-the-wishlist/", "url": "https://bridge.grumpy-troll.org/2010/11/scratch-the-notion-ink-adam-off-the-wishlist/", "title": "Scratch the Notion Ink Adam off the wishlist", "date_published": "2010-11-01", "summary": "I finally got an answer to my question of Notion Ink about whether or not there will be DRM locking down the OS image, and it’s not the answer I was hoping for. Oh well, I guess I need to look more seriously at the competition. I’m not happy at this, I’ve been waiting for the Pixel Qi display for a long time now.\nI mailed info@, per their web-site. I got a boiler-plate response which didn’t answer my question but said they’d be happy to reply to specific questions. [...]" } , { "id": "https://bridge.grumpy-troll.org/2010/09/ipv6-troubles/", "url": "https://bridge.grumpy-troll.org/2010/09/ipv6-troubles/", "title": "IPv6 troubles", "date_published": "2010-09-06", "summary": "As those who know The Grumpy Troll are aware, the troll uses IPv6 fairly extensively. I like it as a protocol suite, mostly. I have some negative opinions about the standards work behind transition mechanisms and some of the areas and will acknowledge that many of the improvements have been back-ported to IPv4 already. But still, I like the expanded address-space for my own use.\nI’m having to disable IPv6 to home for the time being, until I am Less Grumpy. [...]" } , { "id": "https://bridge.grumpy-troll.org/2010/08/the-wikileaks-afghanistan-documents/", "url": "https://bridge.grumpy-troll.org/2010/08/the-wikileaks-afghanistan-documents/", "title": "The wikileaks Afghanistan documents", "date_published": "2010-08-03", "summary": "The US Constition, Article III, Section 3, defines, “Treason against the United States, shall consist only in levying war against them, or in adhering to their enemies, giving them aid and comfort.”\nIf the US government is supplying money to a regime which they know is forwarding some of it on to a group which the USA is at war with, then we appear to have a whistle-blower who has provided proof of treason at the highest levels. [...]" } , { "id": "https://bridge.grumpy-troll.org/2010/07/latitude/", "url": "https://bridge.grumpy-troll.org/2010/07/latitude/", "title": "Latitude", "date_published": "2010-07-19", "tags": [ "trust", "brokenness", "balance", "google latitude", "google", "privacy", "relocation", "google maps" ], "summary": "Everyone has different boundaries when it comes to sharing and privacy. Some services are great for those that use them, but horrifying for those that don’t. Google Latitude is one of those. It normally falls outside my comfort zone. It’s not even something you might normally have on, but turn off when you want privacy, as the act of turning it off draws attention to the time-period when it was turned off. [...]" } , { "id": "https://bridge.grumpy-troll.org/2010/07/a-brief-parting-of-ways/", "url": "https://bridge.grumpy-troll.org/2010/07/a-brief-parting-of-ways/", "title": "A brief parting of ways", "date_published": "2010-07-19", "tags": [ "connectivity", "waxing poetic", "internet", "relocation" ], "summary": "Farewell, sweet Internet. I know you so well, your inner workings and your dark secrets. But it shall be but a brief parting; filled with sorrow and pain, but yet brief, as time is reckoned outside your embrace. For though I shall disconnect the cable-modem shortly, in but nine days time I and mine, having become ensconced in our new domicile, shall be reconnected unto thee once more. Nay, not merely reconnected, but on more intimate terms, as Business Class shall bring us together without the vines of sand attempting to throttle us or the watchman limiting our total bandwidth per lunar cycle. [...]" } , { "id": "https://bridge.grumpy-troll.org/2010/06/who-benefits-from-referendums/", "url": "https://bridge.grumpy-troll.org/2010/06/who-benefits-from-referendums/", "title": "Who benefits from referendums?", "date_published": "2010-06-08", "summary": "In the below, please note that I am a Resident Alien in the USA and do not get to vote. That will change when I become a citizen.\nI currently live in Santa Clara. Santa Clara operates its own municipal electricity company. SC also delivers, to all residents, a calendar/agenda each year which includes a summary of finances. So we get to see a huge amount of money flowing in as revenue and a huge amount flowing out again as costs. [...]" } , { "id": "https://bridge.grumpy-troll.org/2010/06/firewall-features/", "url": "https://bridge.grumpy-troll.org/2010/06/firewall-features/", "title": "Firewall features", "date_published": "2010-06-05", "summary": "In discussion with a friend, he writes,\n“[…] and [censored].. which is an SSL-VPN that we currently have, has allowed an awesome work/life balance\nbecause nobody can work from home”\nNice feature-set." } , { "id": "https://bridge.grumpy-troll.org/2010/05/pseudo-intellectual-latin/", "url": "https://bridge.grumpy-troll.org/2010/05/pseudo-intellectual-latin/", "title": "Pseudo-intellectual Latin", "date_published": "2010-05-15", "tags": [ "latin" ], "summary": "There’s a fairly common theme in the tech industry, that when something goes wrong, the incident report is called a “post-mortem”, even though nobody has died. That’s fair enough.\nWhat still irritates me is the use of the term “post-morti” to describe a collection of post-mortems. Here’s what I wrote on the topic when correcting the usage in a wiki page, before it was uncorrected because the wrong version was considered funnier. [...]" } , { "id": "https://bridge.grumpy-troll.org/2010/05/the-value-of-paying/", "url": "https://bridge.grumpy-troll.org/2010/05/the-value-of-paying/", "title": "The value of paying?", "date_published": "2010-05-11", "tags": [ "iStore", "games", "tetris", "iPad", "paid apps", "EA", "Apple" ], "summary": "My wife was pleasantly surprised to get an iPad as a birthday present. She knew my opinion of it, so knew that this was a tech toy for her, not a “look what I got me^Wyou” gift.\nOn the surface, very capable. When I set up IMAP access to our mailserver, I found out how shallow that is, but that’s another story of poor feedback and buggy diagnostics.\nThis evening, Mrs Troll decided to install some games. [...]" } , { "id": "https://bridge.grumpy-troll.org/2010/04/email-address-validity/", "url": "https://bridge.grumpy-troll.org/2010/04/email-address-validity/", "title": "Email address validity", "date_published": "2010-04-28", "tags": [ "rfc", "smtp", "email", "brokenness" ], "summary": "This is a valid email address to reach me:\nPhil Pennock <a~`*&^$#_-={}'?b@spodhuis.org> Does your mail-handling code accept that perfectly legitimate email address? It’s not a catchall, it’s explicitly configured as an address to reach me. If it can’t be parsed, why not?\nFWIW, I’m quite happy that this address is not likely to be successfully harvested by spammers. :-)\nOther addresses that are legitimate in form:\n<""@example.org> <"fred ;bloggs"@example.org> <" ;foo "@example. [...]" } , { "id": "https://bridge.grumpy-troll.org/2010/04/mysql-security/", "url": "https://bridge.grumpy-troll.org/2010/04/mysql-security/", "title": "MySQL Security", "date_published": "2010-04-24", "tags": [ "mysql", "ssl", "cargo cult", "security" ], "summary": "[My last couple of posts have been rather long, so I dug out an old issue which is short; I did the MySQL setup in 2005, they might have fixed things since then, I don’t know as I haven’t touched MySQL in years]\nWhen deciding what to do about security of a product, it’s important to think about your threat model. What are you defending against? Failure to do this can lead to situations that are most politely described as ‟silly”. [...]" } , { "id": "https://bridge.grumpy-troll.org/2010/04/email-cooperation/", "url": "https://bridge.grumpy-troll.org/2010/04/email-cooperation/", "title": "Email Cooperation", "date_published": "2010-04-23", "tags": [ "trust", "dns", "crypto", "email", "dkim", "spf", "federation" ], "summary": "People blather on. Today, they do it online. There are several different ways of going about it:\nEntering short messages into a transcript which others read over, such as forums or social networking websites, where later participants can see older messages Entering longer messages onto a website, with indexing and optional commentary; blogs Voice communications online, or video, typically not archived, but can be Short back-and-forth realtime messages, ‟Instant Messaging”, IM, such as XMPP, MSN, ICQ, etc; some clients log these communications, and some server software does too Online memos, sent around, often delivered quickly but left in an inbox to be worked through. [...]" } , { "id": "https://bridge.grumpy-troll.org/2010/04/typing-weird-stuff/", "url": "https://bridge.grumpy-troll.org/2010/04/typing-weird-stuff/", "title": "Typing Weird Stuff", "date_published": "2010-04-22", "tags": [ "zsh", "compose", "x11", "vim", "digraphs", "unicode", "unix" ], "summary": "I speak English, for certain values of ‟English”. I speak varying amounts of other languages which use the Roman alphabet. For the most part, I can work in plain ASCII. I like to be able to use currency symbols too, whether working with £1 or €1. The former can be met with ISO-8859-1 (Latin1), the latter can be met by using ISO-8859-15 (Latin9). But that’s not enough for me, because I’m picky enough to want to use accurate characters for many other purposes. [...]" } , { "id": "https://bridge.grumpy-troll.org/2010/04/the-troll-awakens/", "url": "https://bridge.grumpy-troll.org/2010/04/the-troll-awakens/", "title": "The Troll Awakens", "date_published": "2010-04-21", "tags": [ "intro" ], "summary": "Once, I sneered at the word “blog”. Today, I still feel that the word is abysmal and a sign of social exclusion, rather than having any real purpose. Yet I have become a realist and the word “blog” is now generally accepted.\nSo this grumpy, cynical, troll has finally succumbed.\nWhat will I be posting?\nMostly technical content. How-tos, rants, monographs and more. Over the years, I’ve written a number of emails with useful content; I’ll probably dig through some archives and extract some and massage them into blog postings. [...]" } ] }