Password Enterer

We’re all told to have strong passwords for everything. Long, good, complicated passwords with symbols, numbers, capital letters. Passwords that are a pain to enter without a password manager, in essence. Because password managers exist, that’s all good for nearly every situation, except when it comes to logging in to your desktop.

I know this kind of thing already exists, but I don’t think any of them are quite as simple (and potentially as insecure) as this.

What I’ve made, using an old Digispark ATTiny85 Arduino board with a built-in USB-A plug, is a device that, when plugged in to a USB port and the button is pressed, will type in a pre-determined string of characters followed by the enter key. There are two use-cases I can think of for this: logging in to your desktop where there’s no password manager available, and entering your long-winded password into your password manager when setting that up.

There are obviously security issues with this – it’s a single-factor authentication system, and you’re keeping the entire password available to anyone who picks up the doodad, plugs it in, and presses the button. There are things that could be done to make that safer – like only keeping part of the long-winded password on the device, requiring user input to complete the password. But as a little one-hour project, this was fun.

My soldering is a mess, but it works. The button circuit includes a pull-up resistor, to stop any erratic button behaviour when there isn’t a definite high or low signal, as per a tonne of tutorials online. Like this, straight from the Arduino source: https://www.arduino.cc/en/Tutorial/BuiltInExamples/Button

Here’s the completed product:

The code that’s running it is as below. Firstly, import the HID library from Digispark (there are tutorials on how to get that happening on the Digispark website). Initialise the button state, configure the required pin to wait for signal, then repeatedly wait for button press. If there’s a button press, send the defined string to the computer, and to prevent multiple entries, wait for a second before moving on.

#include "DigiKeyboard.h"

// The push button is wired to pin 5 so that the pin reads HIGH while it is held.
const int buttonPin = 5;
int buttonState = 0;

void setup() {
  pinMode(buttonPin, INPUT);
}

void loop() {
  buttonState = digitalRead(buttonPin);
  if (buttonState == HIGH) {
    // A null keystroke first, as in the Digispark examples, so the host has
    // the keyboard registered before real characters arrive.
    DigiKeyboard.sendKeyStroke(0);
    // Type the stored string followed by Enter.
    DigiKeyboard.println("notmyactualpassword");
    // Hold off for a second so one press doesn't type the password repeatedly.
    DigiKeyboard.delay(1000);
  } else {
    // DigiKeyboard.h asks for update() at least every 10 ms while idle to keep
    // the USB connection serviced; DigiKeyboard.delay() does this itself.
    DigiKeyboard.update();
  }
}

Self-hosted Evernote Alternative

I think I installed ownCloud in 2014 when v6 was the latest. It’s not perfect, but considering I have access to a virtual machine host for no cost, it’s pretty good value, and I’m willing to overlook the small issues I have with it.

I used Evernote for a while, and quite liked it, but fell further and further out of like with it as the features of the free version were stripped back, and the cost of the basic paid tier increased. $10 a month is pretty steep. I tried Google Keep for a while, but I didn’t like it at all. And do I trust my thoughts with Google? Yeah, kinda, but not completely.

In comes Joplin. A FOSS (free, open source software) note taking application that works with WebDAV (amongst other platforms/protocols).

ownCloud is fully conversant with WebDAV, which means that you can keep your notes safely stowed away on your ownCloud server, which is handy. I created a folder called Joplin in my ownCloud folder, then configured the software with the following settings, consistent across every platform (Android, Windows, and Ubuntu):

Synchronisation target: WebDAV
WebDAV URL: https://yourdomain.example/remote.php/webdav/Joplin (replace Joplin with the name of the folder you chose)
You also need to set your username and password, but they’re self-explanatory.

Installing Joplin on Ubuntu gave me a nice surprise. I ran “sudo snap install joplin” and it went through the motions of installing the software. But I couldn’t find it in the GUI to launch it. So I typed “joplin” at the terminal and a text-only version of Joplin appeared in terminal. Very good! I ran “sudo snap install joplin-desktop” and that installed the graphical version of the software and I was good to go.

Configuring the text-only version of Joplin isn’t quite as easy as the graphical one. It’s a bit vi-y, which means that any commands you want to run are preceded by a colon. So, if you want to see the current configuration, type :config and press enter.

To configure the text version of Joplin to use WebDAV, first run

:config sync.target 6

to set the target to WebDAV, followed by

:config sync.6.path https://yourdomain.example/remote.php/webdav/Joplin
:config sync.6.username yourusername
:config sync.6.password yourpassword

The .6. in the config commands refers to the target id of 6, which is what was set in the first command.

Run :sync to manually sync this instance to your server.

Bonus: in the ownCloud desktop application, untick the Joplin folder. This will remove it from your ownCloud folder on your local machine, but it will still exist on the server, which is where the Joplin applications will read it from directly. It will stop you from accidentally making a mess of the folder structure.

Switching Software

Microsoft Word. Adobe Photoshop. Whatsapp. Some software is so ubiquitous that you don’t even think that an alternative might be a good idea, or even exist. But often they do exist, and you should consider switching.

Why do I think you should switch? The two biggest reasons are Google and Adobe. Adobe removed the ability to purchase software outright, forcing users into a monthly subscription. Google are just…well…Google. They sell your soul to the highest bidder.

I stopped using Google Analytics a few months ago on here, opting instead for a locally hosted Matomo analytics plugin, which does everything I want it to (and more). What it doesn’t do, which is the real drawcard, is send the analytics on to anyone else. The analytics are for me, and for me only.

I subscribe to a daily email called The Sizzle (https://thesizzle.com.au/), and today it alerted me to a website called Switching Software (https://swiso.org/). It’s super simple: look for the program you use, click on it, and it will tell you what open source/free/non-evil/ethical alternatives are available.

I’ve written about Signal before here: Why do I use Signal?, and it is one of the alternatives to WhatsApp – the one that I recommend. It has an edge over WhatsApp in that it will take over (if you want it to) as the default SMS app and allow you to keep SMS and Signal messages in the same encrypted database on your phone.

Switching Software mentions Matomo as the replacement for Google Analytics, along with another few options – a switch I already made.

I dumped Adobe for the Affinity software suite – which isn’t free, but all three applications cost $150 all up when they were on special, for a permanent licence.

I use OwnCloud instead of Dropbox. This is a faff, and not for everyone, because you have to host your own server. But if you have access to a machine that’s always online, it’s a good option.

I host my own mail server using Mail In A Box (https://mailinabox.email/) rather than relying on Gmail. Also a faff, because spam restrictions are so tight these days that if you aren’t one of the big players (Microsoft/Google) you’re very much a second-class netizen. With patience and some polite emails to whatever spam filter is blocking you, it’s possible to get unblocked, and then it works a treat.

It’s worthwhile investigating these. I’ve just downloaded kdenlive, a non-linear video editing application, to replace Adobe Premiere Pro. I’ll see how it is and maybe post a review down the track.

Getting an A+

If I run this domain through Qualys’s SSL Server Test, I get an A+. Which feels like a good score. I followed someone else’s instructions on how to do this, but I can’t remember where that was, so I figure putting the configuration here will be handy for me and, potentially, you.

SSLEngine		on
SSLProtocol		all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite		HIGH:!aNULL:!MD5:!3DES
SSLHonorCipherOrder	on
SSLCompression		off
SSLOptions		+StrictRequire
Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains; preload"
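As an added example (not code from the post), here is a small Python checker for the mod_ssl/mod_headers directives above. It reads a config fragment and reports the things the A+ depends on: no SSLv3/TLS 1.0/TLS 1.1, the aNULL/MD5/3DES cipher exclusions, compression off, server-side cipher order, and an HSTS header with a long max-age and includeSubDomains. The 180-day threshold is the post’s own max-age; the weak fragment it is run against is constructed.

```python
"""Checker for the Apache mod_ssl / mod_headers settings used above.
Added example, not code from the original post: reports settings that would
cost the A+ (old protocol versions, missing cipher exclusions, TLS
compression, client-chosen cipher order, missing or short HSTS)."""
import re

KNOWN_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")
LEGACY_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1")
REQUIRED_CIPHER_EXCLUSIONS = ("!aNULL", "!MD5", "!3DES")
MIN_HSTS_AGE = 15552000  # 180 days, the max-age the post's header uses


def parse_directives(config_text):
    """Map directive name -> value, ignoring blank and comment lines.
    Apache accepts tabs or spaces between name and value, so split on any
    run of whitespace; if a directive repeats, the last occurrence wins."""
    directives = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        directives[parts[0]] = parts[1] if len(parts) > 1 else ""
    return directives


def enabled_protocols(value):
    """Evaluate an SSLProtocol value ("all -SSLv3", "TLSv1.2 TLSv1.3", ...)
    into the set of versions left enabled. "all" is treated as every version
    this checker knows; +X adds a version, -X removes one."""
    enabled = set()
    for token in value.split():
        if token.lower() == "all":
            enabled.update(KNOWN_PROTOCOLS)
        elif token.startswith("-"):
            enabled.discard(token[1:])
        else:
            enabled.add(token.lstrip("+"))
    return enabled


def check_tls_config(config_text):
    """Return a list of findings; an empty list means the fragment has the
    properties the post's A+ configuration has."""
    d = parse_directives(config_text)
    findings = []

    for proto in LEGACY_PROTOCOLS:
        if proto in enabled_protocols(d.get("SSLProtocol", "all")):
            findings.append(f"SSLProtocol leaves {proto} enabled")

    cipher_tokens = d.get("SSLCipherSuite", "").split(":")
    for exclusion in REQUIRED_CIPHER_EXCLUSIONS:
        if exclusion not in cipher_tokens:
            findings.append(f"SSLCipherSuite does not exclude {exclusion[1:]}")

    if d.get("SSLCompression", "off").lower() != "off":
        findings.append("SSLCompression is on (TLS compression enables CRIME-style attacks)")

    if d.get("SSLHonorCipherOrder", "").lower() != "on":
        findings.append("SSLHonorCipherOrder is not on (client may pick a weaker cipher)")

    hsts = re.search(r'Strict-Transport-Security\s+"?max-age=(\d+)([^"\n]*)', config_text)
    if hsts is None:
        findings.append("no Strict-Transport-Security header is set")
    else:
        if int(hsts.group(1)) < MIN_HSTS_AGE:
            findings.append(f"HSTS max-age is below {MIN_HSTS_AGE} seconds")
        if "includesubdomains" not in hsts.group(2).lower():
            findings.append("HSTS header lacks includeSubDomains")
    return findings


# Constructed sample: a "works, but scores badly" fragment.
WEAK_CONFIG = """
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM
SSLCompression on
"""

# The post's own settings, tabs included, as the second input.
HARDENED_CONFIG = """
SSLEngine\t\ton
SSLProtocol\t\tall -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite\t\tHIGH:!aNULL:!MD5:!3DES
SSLHonorCipherOrder\ton
SSLCompression\t\toff
SSLOptions\t\t+StrictRequire
Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains; preload"
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {len(check_tls_config(cfg))} finding(s)")
        for finding in check_tls_config(cfg):
            print("  -", finding)
```

A static check like this complements the external scan rather than replacing it: the SSL Labs test sees what the server actually negotiates, while this catches a regression in the file before the reload that would put it live.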

Ghost

Background

I had a reason to see if I could get Ghost running alongside this WordPress install today, and it turns out that once you follow the correct and up-to-date instructions, it’s quite simple. I run Apache rather than nginx, so the default instructions don’t work. The magic happens with the RequestHeader line and the whole https component of the VirtualHost looks like this:

    <VirtualHost *:443>
            ServerAdmin webmaster@localhost

            ServerName ghostblog.domain

            ErrorLog ${APACHE_LOG_DIR}/error.log
            CustomLog ${APACHE_LOG_DIR}/access.log combined

            # Hand everything to Ghost, which listens on localhost:2368
            # (needs mod_proxy and mod_proxy_http).
            ProxyPass / http://127.0.0.1:2368/
            ProxyPassReverse / http://127.0.0.1:2368/
            ProxyPreserveHost On
            # Tell Ghost the client arrived over https (needs mod_headers);
            # "set" replaces any value a client sent in this header.
            RequestHeader set X-Forwarded-Proto "https"

            Include /etc/letsencrypt/options-ssl-apache.conf
            SSLCertificateFile /etc/letsencrypt/live/ghostblog.domain/fullchain.pem
            SSLCertificateKeyFile /etc/letsencrypt/live/ghostblog.domain/privkey.pem
    </VirtualHost>

There’s also the redirect from http to https but I do that in a separate VirtualHost with a permanent redirect. Without the RequestHeader line, you end up with a lot of internal redirects when you try to access the site over https.
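Why that header stops the loop, as an added Python example that is neither the post’s code nor Ghost’s: a backend behind a reverse proxy only ever sees plain http on its own socket, so it has to learn the client’s real scheme from X-Forwarded-Proto, and it should believe that header only when the request comes from the proxy. The trusted-proxy address and the `backend_response` behaviour are assumptions standing in for Ghost’s own logic.

```python
"""Model of the redirect loop the post describes and of the header that fixes it.
Added example, not code from the post or from Ghost."""

# Assumption: Apache proxies from the same host, as in the VirtualHost above.
TRUSTED_PROXIES = {"127.0.0.1", "::1"}


def effective_scheme(remote_addr, socket_scheme, headers):
    """Scheme the client actually used, as far as the backend can tell.
    X-Forwarded-Proto is believed only when the connection comes from a
    trusted proxy: a client that could reach the backend port directly could
    set the header itself, and must not be able to claim https that way."""
    if remote_addr in TRUSTED_PROXIES:
        forwarded = headers.get("X-Forwarded-Proto", "").strip().lower()
        if forwarded in ("http", "https"):
            return forwarded
    return socket_scheme


def backend_response(remote_addr, headers, canonical_scheme="https"):
    """Behave like a site configured with an https URL: redirect anything
    that does not appear to be https, otherwise serve the page."""
    scheme = effective_scheme(remote_addr, "http", headers)
    if scheme != canonical_scheme:
        return ("redirect", f"{canonical_scheme}://{headers.get('Host', '')}/")
    return ("ok", None)


def proxied_round_trips(set_forwarded_proto, max_hops=5):
    """Simulate Apache forwarding an https client request over plain http to
    the backend and following each redirect it gets back. Returns how many
    round trips it takes to get a page; reaching max_hops is the loop seen
    when the RequestHeader line is missing."""
    hops = 0
    while hops < max_hops:
        headers = {"Host": "ghostblog.domain"}
        if set_forwarded_proto:
            # "RequestHeader set" replaces whatever the client sent.
            headers["X-Forwarded-Proto"] = "https"
        hops += 1
        status, _ = backend_response("127.0.0.1", headers)
        if status == "ok":
            return hops
    return hops


if __name__ == "__main__":
    print("with RequestHeader:", proxied_round_trips(True), "round trip(s)")
    print("without RequestHeader:", proxied_round_trips(False), "round trips (loop)")
    spoofed = {"X-Forwarded-Proto": "https"}
    print("direct client claiming https:", effective_scheme("203.0.113.5", "http", spoofed))
```

`RequestHeader set` replaces any X-Forwarded-Proto a client might have sent, which is the right action here; `append` would leave the client’s value in the header. Keeping Ghost bound to 127.0.0.1:2368, as the VirtualHost does, is what makes the trusted-proxy check meaningful.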

Following the official installation works well, and if it detects that nginx isn’t installed, Ghost-CLI will let you skip that part of the configuration and trusts that you’ll figure it out some other way.

Ghost-CLI also performs the database configuration and stuff for you, assuming you know the/a MySQL username and password on your server.

Thoughts

I only had a cursory look inside Ghost and my first thought is that it’s so quick. Really, really quick. I’m tempted to move this site there. Or maybe I’ll make bitterswede.com a thing in Ghost and slowly migrate across. The main thing that’s getting in the way of moving over is that I’ve used a theme called Divi which I suspect has inserted a lot of garbage into posts made with the Divi Builder.

One day, maybe.

Building a Family Week Planner

“Are you home Thursday night, or do you have yoga?”

“Are the kids going anywhere this weekend?”

“I’m sure I mentioned that!”

I’ve wanted to build a family week planner for ages that puts everyone’s week on an easy-to-read screen somewhere in the house. Maybe somewhat surprisingly, I’m not a big fan of home automation or a “smart” house, so I don’t want this thing to alert me in the morning that “Today J has five appointments blah blah”. I just want to be able to look at it every now and again and see what’s coming up.

I used to run an Exchange server for all my various email accounts, and that was good, but it started becoming an issue with out-of-date software. The option to move to O365 was there, but it feels expensive, especially since several of the accounts are for the kids and aren’t “serious” mailboxen.

I spun up a cheap (US$10/month) Ubuntu server on Linode and ran the setup script for Mail-in-a-Box, which has worked (touch wood) nearly perfectly since. The issues so far have been pretty minimal. Microsoft was blocking my IP address for all Outlook-themed email services (live.com, hotmail.com, etc), but emailing them asking them to stop worked. When I reboot the server, the Outlook app on an iPhone stops syncing, and the account has to be removed and re-added. I also need to figure out how to make it send calendar invites properly over email.

Considering I have about 10 mailboxen on there, I’m way ahead in terms of cost.

The Mail-in-a-Box script installs NextCloud (an OwnCloud fork), which has a WebDAV implementation for calendar and contacts.

Step 1 for getting a week planner up will be to figure out how to interrogate the CalDAV server with some sort of programming language. I’m comfortable with PHP, so that’s what I’m going to do it with. Specifically, using cURL from PHP and then stuffing the results into an array to display later.

A bit of reading and digging in the WebDAV standards has led me to being able to grab calendar entries for an account on the server with the following command:

curl --request REPORT \
  --header "Depth: 1" \
  --header "Content-Type: text/xml" \
  --data "<c:calendar-query xmlns:d='DAV:' xmlns:c='urn:ietf:params:xml:ns:caldav'><d:prop><d:getetag /><c:calendar-data /></d:prop><c:filter><c:comp-filter name='VCALENDAR'><c:comp-filter name='VEVENT'><c:time-range start='20210218T000000' end='20210225T000000'/></c:comp-filter></c:comp-filter></c:filter></c:calendar-query>" \
  --user nextclouduser:nextcloudpass \
  https://box.example.com/cloud/remote.php/dav/calendars/nextclouduser/personal/

The time-range field will limit the calendar entries that will be grabbed based on the starting-time.

This spits forth a large blob of data that will be interrogated later.

There will be tricky things to overcome like multi-day events and the like, but based on some work I’ve done previously with a calendar and loading events, I think I have a plan.

That’s step 1 done.

Step 2 to come.