Stavros' Stuff

Angry rants of programming and other things.

How to use FIDO2 USB authenticators with SSH

Secure, easy to use, cheap: Pick three

I recently installed Ubuntu Wacky Whatever, the latest version, and I’m very excited about it shipping with SSH 8.2, which means that I can finally use hardware USB keys for secure, easy to use authentication. If securing your devices has been something you’ve wanted to easily do yourself, read on, because it’s finally happening.

FIDO2

One of the most exciting security-related developments recently has been the development of WebAuthn and FIDO2, which are basically euphemisms for “nice security stuff”. In summary, WebAuthn and FIDO2 aim to make it really easy to use security devices with stuff by standardizing the way the two talk to each other, and using better terms than “stuff”.

This is great news for us, because now we can have dirt-cheap USB keys that can be used to secure all our authentication very easily, without requiring any special security knowledge. All you need to know to be completely immune to phishing, password theft, and a whole host of other ways of losing Bitcoin is to just plug your USB key in, press the little button/type your PIN/enter your fingerprint, and you’re logged in.

What does this have to do with SSH? Very little, but

Continue reading…

Using FastAPI with Django

FastAPI actually plays very well with Django

You know me, I’m a Django fan. It’s my preferred way of developing web apps, mainly because of the absolutely vast ecosystem of apps and libraries it has, and the fact that it is really well-designed. I love how modular it is, and how it lets you use any of the parts you like and forget about the ones you don’t want. This is going to be emphasized rather spectacularly in this article, as I’m going to do things nobody should ever have to do.

My only issue with Django was that it never really had a good way of making APIs. I hate DRF with somewhat of a passion, I always found its API way too complicated and verbose, and never managed to grok it. Even the simplest things felt cumbersome, and the moment your API objects deviated from looking exactly like your DB models, you were in a world of hurt. I generally prefer writing a simple class-based view for my APIs, but then I don’t get automatic docs and other niceties.

It’s no surprise, then, that when I found FastAPI I was really excited. I really liked its autogenerated docs, dependency injection system, and lack of magical “request” objects or big JSON blobs. It looked very simple, well-architected and with sane defaults, and I seriously considered developing the API for my company’s next product on it, but was apprehensive about two things: It lacked Django’s ecosystem, and it didn’t have an ORM as good and well-integrated as Django’s. I would also miss Django’s admin interface a lot. Three things.

It would have been great if FastAPI was a Django library, but I guess the asynchronicity wouldn’t have been possible. Still, there’s no reason for DRF not to have an API as nice as FastAPI’s, but there’s no helping that. A fantastical notion caught hold of me: What if I could combine FastAPI’s view serving with Django’s ORM and apps? Verily, I say unto thee, it would be rad.

And that’s exactly what I did. Here’s how:

Continue reading…

Make your own PCBs with a 3D printer

More PCBs, less hassle

Listen, anyone can make a PCB at home, it’s easy. PCBs (printed circuit boards) are those flat things with all the components that are inside all electronic devices, you’ve seen them. All you need is a laser printer, some glossy magazine pages, print your circuit onto the page, use a clothes iron to transfer the toner onto your copper clad, if that doesn’t work use some water and some lacquer or something, I don’t know, I stopped reading at that point because the last time I saw a laser printer, a magazine and a clothes iron was in the nineties.

Until recently, the only ways I knew to make PCBs were to practice the dark art above, to pay $10 and wait three weeks to get professional-looking PCBs from China, or to pay $60 and wait three days to get professional-looking PCBs from Europe. It was “cheap, fast, actually doable by a human person, choose two”.

That always bugged me; it shouldn’t be like that. I have always been of the opinion that there shouldn’t be things you can’t make when you have a 3D printer, but PCBs have consistently eluded me. I yearned for them, I wanted to be able to make them at home, but it seemed impossible.

One day, everything changed.

Continue reading…

Behold: Ledonardo

A revolutionary new invention that lets you take slightly different photos than before

A few years ago, I set out to reinvent photography. I didn’t have a good idea how to do this, I just knew I wanted to make something original, and combining photography with my electronics skills seemed like a good way to do that. It failed at reinventing photography, but I succeeded in writing a clickbait first sentence, and the process was lots of fun too.

It all started one night, when I was having drinks with a friend and looking for something new to do with photography. Our conversation went something like this:

  • I need to do something original with photography.
  • Mmhmm.
  • Maybe I could combine technology and photography to create something new, but what could it be?
  • Hmm.
  • I know! I’ll make a light stick thing.
  • Mmm.

The idea was great: I would use an LED strip to display images in mid-air, like those persistence of vision displays. I could set the camera to record a long exposure, then move the strip and trace a pattern in the air. I had never seen anyone do this before, so the first thing I did was what everyone does when they have a groundbreaking idea: I searched the web to see if this already existed.

Continue reading…

Seven tips for a great remote culture

Make Remote Great Again

Did you like that clickbait title? I’ve been practicing. This article doesn’t contain seven tips because I hate listicles. It’s just a recounting of my experience working remotely for fifteen years now and observations on what works and what doesn’t, but it doesn’t matter, because the amazing title has piqued your interest.

For a bit of background, my first job was working in an office, as IT support for a construction company. I did that for three years, and then I got a remote job and never looked back. Personally, I enjoy the freedom that comes with being able to work from anywhere, and I’m lucky enough to be one of the people who can. Many of my friends have to be at their home office or a coworking space to get work done, but I can focus anywhere, which allows me to travel to another country for a week or two and work from there.

I’m not going to go into the pros and cons of remote working, I assume they’ve been beaten into you by the myriad of other posts, since it’s a trendy topic. Instead, I’ll assume you are interested in improving your existing remote culture and I’ll detail

Continue reading…

Revolut doesn't care about you

Do you like having money? Stop using Revolut.

UPDATE: Revolut has refunded me, I will update the post with more details soon.

MORE UPDATE: I had filed an official complaint with them, expecting it not to go anywhere, and I just received a reply to that. I don’t know if this post had anything to do with it, I’d like to believe that it didn’t and they were going to rule in my favor anyway, but who knows. They told me that ruling against me was a mistake and that they are taking measures both to not repeat the mistake and to improve the UI with my suggestions. They also offered me one year of premium as a gesture of good will.

Unfortunately, I don’t think I will keep using them, because it has been an extremely stressful four days. The timing was doubly unfortunate because it fell on my birthday, and stressing over theft is not how I wanted to spend the day. I would like to hope that they will improve and that my experience doesn’t befall anyone else, because they’re very convenient otherwise.

Thank you all for your support and comments, I have certainly learnt a lot during this process.

ORIGINAL POST:

So I’m extremely careful about my financial security, yet I just had over a thousand Euros stolen and Revolut is siding with the thief.

In case you don’t know, Revolut is one of a new generation of banks that are app-only: You open an account with them by downloading the app to your phone and ordering a card from that, they have no physical branches. I’ve been using them since 2016, and I referred many of my friends to use them as well.

I also use them as my main debit card, because I (mistakenly) thought that the immediate notifications and safety limits would keep me safer in case of fraudulent transactions. Instead, they made me less safe. Here’s how:

Continue reading…

Towards a more collaborative OSS model

No more abandoned OSS projects

A few days ago I started (and finished) working on my latest hardware project, which I call “Home”. If you’ve ever worked with MicroPython, which this project uses, you may have come across mpfshell, an extremely useful utility which makes managing the program on the microcontroller very easy.

I use mpfshell for my projects, and I wanted to upload compiled scripts to the microcontroller, but mpfshell did not do this natively. “No matter”, I thought, I will just write the feature and issue a pull request to the original developer, who can then incorporate it into the main program. I went to GitHub to see if something similar was already under way, but I saw the project in a semi-abandoned state, with issues and pull requests piling up and receiving no response.

This prompted me to think about a pervasive problem in open source, which I want to discuss here and offer a solution

Continue reading…

Securing your users' authentication

Please follow this advice

A few days ago, I saw an article about someone’s PlayStation Network account getting stolen. The problem wasn’t so much that the account got stolen, as this apparently happens more often than not, but that Sony has created a system so convoluted that it’s possible for the thief to keep your account, without you having any recourse, not even after you prove your name, purchases, and anything else about the account.

Having worked in web security for years, I know how hard it is to get authentication right, especially when users will find ingenious ways to defeat your system, such as storing their “do not store these codes on your phone” two-factor authentication (2FA) codes on the phone and then throwing the phone in the ocean. Another user surprised me when, instead of properly setting up their authenticator app, they brilliantly used one of the ten backup codes to finish their 2FA setup (and didn’t even store the rest), thus locking themselves out of their account immediately. I fixed that bug immediately and found new respect for the bug-finding abilities of users.

Those (and many more) occurrences have made it painfully obvious to me that securing an authentication system is very hard UX, and, since the user is always right, we need to find ways to make systems that are both secure and easy to use. While working for my previous employer, an encrypted communications company called Silent Circle, we had to find ways to solve this problem, and we arrived at something I believe provides a very good balance between security and usability. I will explain how this system works, and urge you to implement something similar for your authentication, especially if it’s protecting high-value accounts like PlayStation Network’s.

Continue reading…

How to easily configure WireGuard

WireGuard is pretty great!

You might have noticed the buzz around WireGuard lately. WireGuard is a very simple VPN that uses state-of-the-art cryptography, and the buzz comes from both the fact that it’s simple and good at what it does, and the fact that it’s so good that it’s going to be included in the Linux kernel by default. Linus Torvalds himself said that he loves it, which took the software world by storm, as we weren’t aware that Linus was capable of love or any emotion other than perkele.

The only problem I’ve found with WireGuard is a lack of documentation, or rather a lack of documentation where you expect it. The quickstart guide, the first thing I look at, mentions a configuration file that it never tells you how to write, and it also assumes you’re more familiar with networking than I am.

Since the initial conditions at the creation of the universe set things up so WireGuard would eventually be underdocumented, I am going against Creation itself and showing you how to easily configure and run it. Let’s

Continue reading…