ejrnl

About a year ago, I was a heavy user of Day One. I think that journaling is very beneficial. I stopped because I didn’t feel comfortable with having my private thoughts so readily available to employees or hackers. Initially, I needed to trust Dropbox, but I definitely don’t anymore. More recently, Day One set up their own sync solution and they’ve been working on adding encryption, but it still hasn’t been released. I also no longer use macOS, so I needed something else. I couldn’t find something that worked exactly how I wanted it, so I built it myself. I called it ejrnl, for encrypted journal.

ejrnl is a command line utility for creating encrypted journals. It is written in Go and uses the Go standard library’s implementation of cryptography. It uses scrypt to generate the encryption key and authenticated encryption with AES-128 as the cipher. It should work on any un*xy system.

I put a lot of thought into designing the file format. It is designed to be synced between machines by some sort of external process, e.g. Dropbox. I happen to use Nextcloud, but any sync service should work fine. Because of this, I tried to design the storage system around the problems I’ve experienced in the past, which are typically delayed file syncing and conflicting edits. The format is therefore designed to reduce the chance of conflicts: each journal entry is stored as its own file. Since entries aren’t often modified on multiple devices, this should prevent most conflicts from happening. As lots of entries accumulate, rereading every entry to sort them by date would be extremely expensive, so there is an index file that indexes every entry by its date. Because this file is encrypted, its contents change completely every time it changes, which makes conflicts on it very likely. Since that is a probable outcome, the index file can be regenerated as needed.

ejrnl is currently very light on features. It currently has the minimum features for me to be able to use it. I have many plans for features that I would like to add in the future. If you’ve been looking for an app to make an encrypted journal, please take a look at ejrnl.

Defending Democracy

Americans are no wiser than the Europeans who saw democracy yield to fascism, Nazism, or communism. Our one advantage is that we might learn from their experience. Now is a good time to do so. Here are twenty lessons from the twentieth century, adapted to the circumstances of today.

  1. Do not obey in advance. Much of the power of authoritarianism is freely given. In times like these, individuals think ahead about what a more repressive government will want, and then start to do it without being asked. You’ve already done this, haven’t you? Stop. Anticipatory obedience teaches authorities what is possible and accelerates unfreedom. 

  2. Defend an institution. Follow the courts or the media, or a court or a newspaper. Do not speak of “our institutions” unless you are making them yours by acting on their behalf. Institutions don’t protect themselves. They go down like dominoes unless each is defended from the beginning.

  3. Recall professional ethics. When the leaders of state set a negative example, professional commitments to just practice become much more important. It is hard to break a rule-of-law state without lawyers, and it is hard to have show trials without judges. 

  4. When listening to politicians, distinguish certain words. Look out for the expansive use of “terrorism” and “extremism.” Be alive to the fatal notions of “exception” and “emergency.” Be angry about the treacherous use of patriotic vocabulary. 

  5. Be calm when the unthinkable arrives. When the terrorist attack comes, remember that all authoritarians at all times either await or plan such events in order to consolidate power. Think of the Reichstag fire. The sudden disaster that requires the end of the balance of power, the end of opposition parties, and so on, is the oldest trick in the Hitlerian book. Don’t fall for it.

  6. Be kind to our language. Avoid pronouncing the phrases everyone else does. Think up your own way of speaking, even if only to convey that thing you think everyone is saying. (Don’t use the internet before bed. Charge your gadgets away from your bedroom, and read.) What to read? Perhaps “The Power of the Powerless” by Václav Havel, 1984 by George Orwell, The Captive Mind by Czesław Milosz, The Rebel by Albert Camus, The Origins of Totalitarianism by Hannah Arendt, or Nothing is True and Everything is Possible by Peter Pomerantsev. 

  7. Stand out. Someone has to. It is easy, in words and deeds, to follow along. It can feel strange to do or say something different. But without that unease, there is no freedom. And the moment you set an example, the spell of the status quo is broken, and others will follow. 

  8. Believe in truth. To abandon facts is to abandon freedom. If nothing is true, then no one can criticize power, because there is no basis upon which to do so. If nothing is true, then all is spectacle. The biggest wallet pays for the most blinding lights.

  9. Investigate. Figure things out for yourself. Spend more time with long articles. Subsidize investigative journalism by subscribing to print media. Realize that some of what is on your screen is there to harm you. Bookmark PropOrNot or other sites that investigate foreign propaganda pushes.

  10. Practice corporeal politics. Power wants your body softening in your chair and your emotions dissipating on the screen. Get outside. Put your body in unfamiliar places with unfamiliar people. Make new friends and march with them. 

  11. Make eye contact and small talk. This is not just polite. It is a way to stay in touch with your surroundings, break down unnecessary social barriers, and come to understand whom you should and should not trust. If we enter a culture of denunciation, you will want to know the psychological landscape of your daily life.

  12. Take responsibility for the face of the world. Notice the swastikas and the other signs of hate. Do not look away and do not get used to them. Remove them yourself and set an example for others to do so. 

  13. Hinder the one-party state. The parties that took over states were once something else. They exploited a historical moment to make political life impossible for their rivals. Vote in local and state elections while you can. 

  14. Give regularly to good causes, if you can. Pick a charity and set up autopay. Then you will know that you have made a free choice that is supporting civil society helping others doing something good. 

  15. Establish a private life. Nastier rulers will use what they know about you to push you around. Scrub your computer of malware. Remember that email is skywriting. Consider using alternative forms of the internet, or simply using it less. Have personal exchanges in person. For the same reason, resolve any legal trouble. Authoritarianism works as a blackmail state, looking for the hook on which to hang you. Try not to have too many hooks.

  16. Learn from others in other countries. Keep up your friendships abroad, or make new friends abroad. The present difficulties here are an element of a general trend. And no country is going to find a solution by itself. Make sure you and your family have passports. 

  17. Watch out for the paramilitaries. When the men with guns who have always claimed to be against the system start wearing uniforms and marching around with torches and pictures of a Leader, the end is nigh. When the pro-Leader paramilitary and the official police and military intermingle, the game is over.

  18. Be reflective if you must be armed. If you carry a weapon in public service, God bless you and keep you. But know that evils of the past involved policemen and soldiers finding themselves, one day, doing irregular things. Be ready to say no. (If you do not know what this means, contact the United States Holocaust Memorial Museum and ask about training in professional ethics.) 

  19. Be as courageous as you can. If none of us is prepared to die for freedom, then all of us will die in unfreedom.

  20. Be a patriot. The incoming president is not. Set a good example of what America means for the generations to come. They will need it.

Timothy Snyder, Housum Professor of History, Yale University

Why it’s different this time

I’ve found myself wondering if a Trump presidency will really be as bad as I fear. After all, there are always fears about a new president. This time, it really is different.

When George W. Bush was elected, we were mainly concerned about his economic plan and the possibility of war. It turns out that our fears were well-founded. When Obama was elected, people were afraid that he’d give us healthcare, and he did. They were also afraid of many other things, but not what he said.

Trump is different. He was elected based on hate and bigotry. In his campaign, he promised to deport millions of Mexicans, prevent Muslims from entering the country (regardless of citizenship) and reinstate our torture program. None of these are things that we should allow to happen, and yet they’re why he was elected. Even if he doesn’t do any of these things, the rhetoric is harmful as it is.

His actions since being elected have only reinforced why it’s different this time. His pick for chief strategist is an actual Nazi. His pick for Attorney General was eliminated during the Reagan administration due to his racial views. He is not moving his assets to a blind trust as is ethically required. He is instead figuring out how to properly maximize his profit. He has also started disseminating fake news. He claimed that Ford was going to move a plant to Mexico and that, because of him, they aren’t. They were never planning on moving it.

Failure

On Tuesday, we elected a child rapist, mediocre businessman, sexist, racist pig to be our leader. We elected the man endorsed by the Ku Klux Klan. He has no experience in politics; his only experience is in business, where he managed to lose money running a casino. The man’s only discernible feature is a hatred of all non-white people.

I was aware of how racist the US is; I just didn’t expect white supremacy to be the only issue that mattered to 26.5% of the population. I want to be clear: furthering White Supremacist causes makes you a White Supremacist, and therefore voting for Trump makes you racist.

These are what he has promised:

  • Build a wall between the US and Mexico
  • Deport all of the illegal immigrants
  • Deport US citizens because they’re “anchor babies”
  • Prevent Muslims from entering the country
  • Bring back water boarding and introduce worse forms of torture
  • Kill the civilian family members of terrorists
  • Reverse women’s and trans rights
  • Remove millions of people’s health insurance
  • Jail his political opponent
  • Reverse the legalization of Gay marriage
  • Reverse Roe v Wade
  • Restrict the freedom of the press (ironic since they handed the presidency to Trump)
  • Restrict the freedom of assembly
  • Destroy the economy in order to induce riots

None of that sounds like making America great again. None of those things should ever happen. This is not OK; we are not fine. These things cannot be allowed to happen.

This is the result of a number of systemic failures. The GOP failed to prevent one of the fascist candidates from securing the nomination. The GOP failed at what should be a primary purpose: ensuring that our country doesn’t fall to fascism. The primary process for the Democrats resulted in a candidate who was not compelling enough to win.

Our final hope is the electoral college fulfilling its purpose and protecting us from a threat to our democracy. I think it is very unlikely to actually happen. While this is the explicit purpose of the electoral college, it has never been done before. It is also likely to cause extreme backlash from those who supported Trump. While this backlash is likely to be pretty damaging, a Trump presidency would be worse.

I could have done more. I’ve been too consumed with taking care of my family and our 5-month-old daughter. I haven’t been following the presidential race as much as I should have. I, as well as much of the country, thought that the chances of Trump actually winning were negligible. We were very wrong.

Backups gone awry

I recently moved hosting providers for my sites. This in itself isn’t particularly interesting. I had thought that they would automatically charge me for each month of service, but that turns out not to be the case. So, when my invoice for mid-April came in, I didn’t pay it, which resulted in my hosting being suspended. Again, this isn’t particularly interesting. When I paid the invoice, my server didn’t quite come back correctly. This shouldn’t have been an issue: all of my site’s content is backed up using tarsnap.

Restoring should have been a relatively simple process. I just needed to copy the tarsnap key to the new server, install tarsnap and then run the restore command. I checked 1Password for the key and, oh, crap, the key wasn’t there. I quickly searched my desktop’s drive and didn’t find anything. Shit. I guess I need to rebuild the site by hand. Luckily (and sadly) I haven’t written very much recently. Everything I’ve written prior to November of last year. The rest of the things I’ve written were easy to pull out of Google’s cache.

While I was able to recover all of my writing, it wasn’t without a big time commitment and pain. I also lost quite a number of old projects that I only had in the git repository on the server. This isn’t a huge loss, as I wasn’t doing anything with these repositories, but it still stings. The “moral” of the story is to test your backups in the worst possible scenario. Make sure that you have everything that you need to do the restore.

Linksys WRT1900ACS

I recently moved into a large residence and my Time Capsule was having some coverage issues. The edges of my residence had a very weak wifi signal with somewhat frequent dropouts. I’ve also been playing with a Raspberry Pi recently (headless, of course). With the Time Capsule, there’s no way to see your connected devices. There is also a complete lack of visibility into the operation of a Time Capsule: you can’t see the amount of network traffic or what the device’s load looks like. All of these things led me to pick out a new router.

I initially considered using a Ubiquiti EdgeRouter and access point, but I wanted AC networking and Ubiquiti’s AC offerings are pretty spendy. I also like to have a web interface to check on the current networking conditions. Given that the software was my primary motivation for moving away from the Time Capsule, I decided to pick that out first. In the past, I’ve had great experiences with OpenWrt, so I decided to pick out a router that could run it. After a great deal of searching, I decided upon the Linksys WRT1900ACS.

The WRT1900ACS has pretty impressive hardware specs. It has a dual-core 1.6 GHz processor but a paltry 512 MB of RAM. While that is probably plenty for what it is meant to do, it seems quite small for a device that you’re spending over $200 on. It has a simultaneous dual-band AC radio: the 2.4 GHz band runs at up to 600 Mbps and the 5 GHz band at up to 1300 Mbps.

I’m not a huge fan of its appearance. While I do get a bit of nostalgia when I look at it (the design is similar to the first wifi router that my family ever owned), it sticks out a bit more than I think it should. I am thankful that it isn’t this bad. It is a bit larger than I expected; it is by far the largest router I’ve ever owned. I don’t find that to be too big of a deal, but it’s a bit hard to hide. I’m not really sure how much the external antennas help, but it has four of them.

All of the Linksys WRT1900AC* models are marketed as “Open Source Ready”. Given the model number, that makes sense. It was a bit of a stretch when these models were originally released, as not many details nor much support was given to the open source projects. Things seem to have improved here, as the larger open source projects have added support for these models. Flashing OpenWrt onto this router is very simple. While the web interface does complain that the build isn’t recognized, it will flash it for you just fine.

That being said, it has a forced setup process. Prior to this, I can’t remember ever needing to run through a setup process in order to make the wired portion of a router work. Until you complete the setup steps, the router refuses to route traffic to its WAN port. It’s obnoxious. I’m really glad that I didn’t buy this for the stock firmware; I’m sure that it is full of these user-hostile choices.

I didn’t know this at the time I purchased it, but OpenWrt support for the ACS model was a bit experimental. While I found that it worked pretty well in use, it did reboot at least once per day. I never really noticed the reboots, as it is incredibly fast to reboot. OpenWrt’s LuCI interface also looked quite dated; it was still reminiscent of the design of early Linksys routers. I always found it to be quite functional but also very displeasing. Luckily, both of these things have changed with the recent 15.05.1 patch release. Since I installed 15.05.1, the router has been incredibly stable, exactly what you’d want from your router. It also features a much-improved design. It feels a bit generic, as it’s now using what appears to be the default Bootstrap theme. While I do feel that it’s a bit plain, I really appreciate how much better it looks.

I’m very pleased with this router. It has greatly increased the wifi coverage at my residence. I no longer have any dead zones and the connection is always quite fast. I really like OpenWrt as well; it is a fantastic firmware for a router. It has given me all of the visibility that I missed on the Time Capsule. It’s a great piece of hardware with support from a great open source software project. I highly recommend this setup to anyone who is willing to dig in enough to reflash their router.

Let’s Encrypt

Recently, I’ve been in the process of setting up a new site from scratch. Completely from scratch: new domain, new design, and new content. This, of course, means new TLS certificates. Instead of buying them from Gandi, as I have done a couple of times for this site, I thought I’d use Let’s Encrypt.

Let’s Encrypt is a new certificate authority that provides free and automated certificates. While you could previously get TLS certificates from StartSSL, they really burned you on revocation, even in cases of mass revocation. Buying them from Gandi was much better because of these sorts of issues, but there is a cost associated with it. In both cases, getting a certificate issued is a cumbersome process. I was hoping that Let’s Encrypt could make this process easier.

When you head to Let’s Encrypt’s website, it’s not immediately apparent how you go about getting a certificate issued. It turns out that you need an ACME client in order to do this. Luckily, there is an official client. On Debian Jessie, it’s available from the stable repo, so it’s just an aptitude install away. The letsencrypt utility offers a number of different ways to authenticate a site. Since I was setting up a WordPress site and I use Nginx as my webserver, I found the webroot option to be the simplest. All you need to do is run:

letsencrypt certonly --webroot --webroot-path {{website root}} --domains {{domain name}}

If you don’t already have a webserver running, you can have the letsencrypt utility set up a temporary webserver just to authenticate the domain. In that case, all you need to do is run:

letsencrypt certonly --standalone

Both of these methods require you to already have the domain pointed at the server’s IP. The end result is a directory in /etc/letsencrypt/live with the certificate and private key. You can just configure your webserver to read the files from there.
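Before pointing Nginx at the files in /etc/letsencrypt/live, it is worth checking that privkey.pem actually belongs to the leaf certificate in fullchain.pem and how long that certificate has left. The Go program below is an added example for this page, not part of the letsencrypt client: it parses both PEM files, compares the certificate’s public key with the private key, and reports the days until expiry. With no argument it exercises itself on a constructed self-signed ECDSA certificate for the made-up name example.test; with a domain argument it reads the live directory named in the post. It assumes the layout the client writes (leaf certificate first in fullchain.pem, privkey.pem as a PKCS#8 "PRIVATE KEY" block).

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"time"
)

// parseLeaf returns the first certificate of a PEM chain; fullchain.pem lists
// the site certificate first, followed by the issuing intermediate.
func parseLeaf(chainPEM []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(chainPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("no CERTIFICATE block found")
	}
	return x509.ParseCertificate(block.Bytes)
}

// parsePrivateKey reads privkey.pem. The client writes PKCS#8 ("PRIVATE KEY");
// a SEC1 "EC PRIVATE KEY" file would need x509.ParseECPrivateKey instead.
func parsePrivateKey(keyPEM []byte) (crypto.Signer, error) {
	block, _ := pem.Decode(keyPEM)
	if block == nil || block.Type != "PRIVATE KEY" {
		return nil, fmt.Errorf("expected a PKCS#8 PRIVATE KEY block")
	}
	k, err := x509.ParsePKCS8PrivateKey(block.Bytes)
	s, _ := k.(crypto.Signer) // rsa, ecdsa and ed25519 keys implement Signer
	if err != nil || s == nil {
		return nil, fmt.Errorf("unusable private key: %v", err)
	}
	return s, nil
}

// checkPair verifies that the leaf certificate and private key belong together
// and that the certificate is valid at now; it returns the whole days remaining.
func checkPair(chainPEM, keyPEM []byte, now time.Time) (int, error) {
	cert, err := parseLeaf(chainPEM)
	if err != nil {
		return 0, err
	}
	key, err := parsePrivateKey(keyPEM)
	if err != nil {
		return 0, err
	}
	pub, ok := cert.PublicKey.(interface{ Equal(crypto.PublicKey) bool })
	if !ok || !pub.Equal(key.Public()) {
		return 0, fmt.Errorf("private key does not match certificate")
	}
	if now.Before(cert.NotBefore) || !now.Before(cert.NotAfter) {
		return 0, fmt.Errorf("certificate not valid at %s", now.Format(time.RFC3339))
	}
	return int(cert.NotAfter.Sub(now).Hours() / 24), nil
}

// makeSelfSigned builds a constructed ECDSA P-256 pair so the check runs without real files.
func makeSelfSigned(name string, notBefore time.Time, validDays int) ([]byte, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name},
		NotBefore:    notBefore,
		NotAfter:     notBefore.AddDate(0, 0, validDays),
	}
	der, err := x509.CreateCertificate(rand.Reader, &tmpl, &tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	keyDER, _ := x509.MarshalPKCS8PrivateKey(key) // cannot fail for a valid P-256 key
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER}), nil
}

func main() {
	chain, key, err := makeSelfSigned("example.test", time.Now(), 90) // constructed demo material
	if len(os.Args) > 1 { // usage: program <domain>  (reads /etc/letsencrypt/live/<domain>/)
		dir := filepath.Join("/etc/letsencrypt/live", os.Args[1])
		chain, _ = os.ReadFile(filepath.Join(dir, "fullchain.pem")) // a read failure shows up as a parse error
		key, err = os.ReadFile(filepath.Join(dir, "privkey.pem"))
	}
	if err != nil {
		fmt.Println("error:", err)
		os.Exit(1)
	}
	days, err := checkPair(chain, key, time.Now())
	fmt.Println("days until expiry:", days, "error:", err) // non-nil error: do not point Nginx at these files
}
```

Running it against the live directory before each webserver reload catches the two failures that otherwise only surface as a TLS handshake error in production: a key and certificate that were written at different times and no longer match, and a certificate that has quietly expired because renewal stopped working.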

Let’s Encrypt is a much simpler, faster and cheaper way to get TLS certificates. There’s also a module for Apache that takes care of generating the certificate for you. I’ll be glad when the Nginx module is no longer experimental. I’ll be using Let’s Encrypt for all of my certificate needs.

Plex

ZFS on Linux 4.13 in Debian Jessie

The first question that comes to mind is: why bother? The big reason, for me, is Thunderbolt hot-plugging, which made it into 3.17. Unfortunately, Debian Jessie ships with 3.16. Luckily, 4.12 and 4.13 are available from jessie-backports. If you want to use zfsonlinux, you’ll need to do quite a bit of extra work: zfsonlinux ships packages that depend on the 3.16 kernel. It’s also not as simple as just building the zfs package, as they first create rpms and then convert them to debs. This is an issue because rpmbuild doesn’t like the versioning scheme that is used for Debian’s backported kernels.

To start with, youʼll need to download the source for the kernel to compile:

sudo aptitude install linux-source-4.3

Then you’ll need to untar the source into a writable directory, i.e. cd into the desired directory and run:

tar zxvf /usr/src/linux-source-4.3.tar.gz

This next step, building the kernel, is going to take quite a while. From the untarred Linux source directory:

cp /boot/config-3.16.0-4-amd64 .config
make deb-pkg LOCALVERSION=-custom KDEB_PKGVERSION=$(make kernelversion)-1

You can feel free to change either LOCALVERSION or the suffix of KDEB_PKGVERSION; just make sure that the values you specify don’t contain a period (.), as that is what rpmbuild objects to.

It’s much easier to do this without zfs already installed, so I’m just going to assume that is where you are at. Install the newly compiled kernel and reboot:

sudo dpkg -i linux-headers-4.3.3-custom_4.3.3-1_amd64.deb linux-image-4.3.3-custom_4.3.3-1_amd64.deb
sudo reboot

Now you have a custom kernel version running. The next step is to install zfs. This mostly follows zfsonlinux’s instructions on generic debs, but their instructions are missing a couple of steps. You’ll need to download spl and zfs from zfsonlinux; I would suggest grabbing the latest release. You’ll also need a few build dependencies.

sudo aptitude install build-essential gawk alien fakeroot linux-headers-$(uname -r) \
  zlib1g-dev uuid-dev libblkid-dev libselinux-dev parted lsscsi wget
wget http://archive.zfsonlinux.org/downloads/zfsonlinux/spl/spl-0.6.5.4.tar.gz
wget http://archive.zfsonlinux.org/downloads/zfsonlinux/zfs/zfs-0.6.5.4.tar.gz
tar zxvf spl-0.6.5.4.tar.gz
tar zxvf zfs-0.6.5.4.tar.gz
cd spl-0.6.5

Now we need to compile spl and install the development packages which are required for building zfs.

./configure
make deb-utils deb-kmod
cd module
make
cd ..
sudo dpkg -i kmod-spl-*.deb spl-*.deb
cd ..

Finally, we’re going to build and install zfs:

cd zfs-0.6.5
./configure
make deb-utils deb-kmod
sudo ln -s /lib64/libnvpair.so.1 /lib/libnvpair.so.1
sudo ln -s /lib64/libzfs.so.2 /lib/libzfs.so.2
sudo dpkg -i zfs-*.deb kmod-zfs-*.deb libnvpair1_*.deb libuutil1_*.deb libzfs2_*.deb libzpool2_*.deb

Finally reboot, and you should be all set. While that is a bunch of steps, it really isnʼt too bad.

2015: The Tools I Use

Continuing on what I started last year, here is the list of tools that Iʼve used this year.

Mac

Again this year, my Mac is my primary work device.

  1. neovim — I continue to do most of my work with text, whether that is Ansible playbooks or code. I could easily just use vim, but neovim has a couple of nice extras, mainly that it properly handles pasting without using paste mode.
  2. iTerm 2 — iTerm continues to be great to use. I don’t really like the built-in terminal on OS X, so I’m lucky that iTerm exists, especially since I do almost all of my work in the terminal.
  3. tmux — I generally keep iTerm running full screen, since I do most of my work there. While this works pretty well, it’s a bit of a waste, as it’s a huge amount of space for just one thing at a time. I use an inverted T, where I have one large split on top and two smaller ones on the bottom. The big split on top is generally used for neovim, and then I can run related tasks in the bottom two.
  4. git — git is basically the standard for version control. Git has its flaws, but I really like it.
  5. MailMate — I switched email clients since last year. MailMate definitely feels more like a traditional email client. It’s really well done.
  6. Alfred — Alfred is a keyboard launcher. It does many more things than just launching apps. I use it all of the time.
  7. Arq — Arq is a great secure backup solution. It supports many cloud storage providers so youʼre able to pick your favorite.
  8. Textual — Textual is a pretty good irc client for OS X.

iPhone

  1. Tweetbot — I like using Twitter, but I really don’t like Twitter’s design decisions. Tweetbot fits me much better; I’m not looking forward to the day when Twitter cuts off 3rd-party access.
  2. Prompt — Prompt is good to have around in case you need to access a server over ssh. Prompt is a very well done ssh client, but ssh on a phone-sized device isn’t a fun experience.
  3. Spark — While the built-in mail client on iOS is perfectly functional, I find it quite cumbersome to use. Spark is a really great iOS email client.
  4. Unread — Unread is a pretty great RSS reader on iOS.

Multiple

  1. 1Password — Keeping yourself secure online is hard. Having to remember a unique password for each service is pretty much impossible, particularly if you try to make them secure. 1Password solves this problem. Itʼs so good that itʼs easier than using the same username and password for everything. Their recently announced team features are bringing this same great setup to teams. Available for Mac, iOS and a bunch of other platforms.
  2. Slack — We continue to use Slack at work. Slack definitely had momentum last year, but it seems like everyone is using it this year. I like Slack, but I’m not sure it’s good enough to have this much attention on it. I also think that it’s unfortunate that many open source projects are starting to use it as their primary communication method.
  3. Dash — Dash is a great documentation viewer for Apple’s platforms. I use it every day. Available for Mac and iOS.

Server

  1. WordPress — As I previously mentioned, I’m back to using WordPress to manage ruin. While there are definitely some things that I don’t like about WordPress, it’s pretty great at handling writing.
  2. ZNC — ZNC is an IRC bouncer. It has quite a number of features, but I don’t use that many of them. I mainly use it so that I don’t miss anything when my machine is offline.
  3. tarsnap — Tarsnap is a great solution for secure backup. The site’s design looks pretty dated, but it’s a great backup solution.