The Agape Red Interview

May 13, 2019 Life, Programming No comments

Anyone who knows me well has likely heard the “the difference between the GUI and the code” story. I think it’s because not only is it incredibly frustrating, but it outlines how you can be placed in a lot of different situations where someone in a position of power before you tells you you’re flat out wrong when really they either haven’t really thought about what they’re asking or they’re not educated enough to even understand the answer.

The Story

So I applied for a programming job at a place called Agape Red in Downtown Omaha. It was in the Old Market, right next to where I was living! I could literally walk out my door and within a block be at work – how cool would that be? So I head to the interview, and all seems to go pretty well until I get to the “technical question” portion.

This is where the guy interviewing me asks, “What’s the difference between the GUI and the code?” I immediately start remembering my experience designing GUIs using Netbeans and flipping back and forth between the generated code from the UI designer and the designer. Anyone who has used this before will know what I’m talking about, and non-programmers will have to simply take it on faith that a GUI is simply lines of code directing the computer how to draw lines, where to put checkboxes, and where to display whatever text at whatever coordinates.

Anyway, I’m thinking about all of these files of code and so perhaps rather obviously to me, I respond, “There is no difference. It’s all just code.” The interviewer’s face suddenly turns saddened and disappointed. “No. The GUI is where the user clicks things with their mouse and types things in. The code is the actual “code” behind the program.”

Upon hearing this, I’m obviously in a complete state of shock and amusement. Being that I suffered from pretty severe anxiety at the time, I wasn’t going to cause a scene in the middle of an interview. Before I had much time to process what just happened, the guy stands up and says, “I think we’re done here.” Being a young, anxious kid and not knowing how to handle the situation, I’m led out of the building.

Later I receive a phone call from the staffing agency informing me that they weren’t interested because I didn’t seem to understand much about programming.

I think if there’s a lesson to be learned from this event, it’s that just because someone is in a position of power in a certain social setting (an interviewer, an instructor) doesn’t actually mean that they know what they’re talking about or understand really what they’re asking you. Without inflating my own ego too much, I’d like to say that it’s possible that you have more knowledge about the subject that is quite simply just beyond their understanding.

Strong TLS Encryption at Alureon.net!

October 31, 2017 Apache, Linux, MySQL No comments

You may (or may not) have noticed that alureon.net is now served over strong TLS encryption!  This is a big win for me, as it’s always been something that has puzzled me.

You can check the certificate yourself in Chrome using Developer Tools

TLS in Chrome's developer tools

Aww yeah!

What Not To Do

Tempting as it might be, you apparently cannot self-sign a certificate and expect any browser not to freak out about it.

openssl req -x509 -new -nodes -key alureon.key -sha256 -days 1024 -out alureon.pem

(This opens up a whole new basket of problems with Subject Alternative Names as well.  Just don’t do it.)

Expecting users to click through the “INSECURE” prompts or install your root certificate seems a bit unreasonable in most cases.

What To Do

A buddy of mine pointed me over to https://letsencrypt.org/

Using certbot, I was able to get myself a legitimate, trusted cert (for free!) with little hassle.  I opted for:

certbot certonly --apache -w /srv/http -d www.alureon.net -d alureon.net

I answered a few questions, and it generated my SSL cert and key.  Super easy.  The only other steps are pretty much uncommenting the SSL module in httpd.conf.

LoadModule ssl_module modules/mod_ssl.so
Include conf/extra/httpd-ssl.conf

Also, you have to set up extra/httpd-ssl.conf to point to your new SSL cert and key.

SSLCertificateFile "/etc/letsencrypt/live/www.alureon.net/fullchain.pem"
SSLCertificateKeyFile "/etc/letsencrypt/live/www.alureon.net/privkey.pem"

I opted for some other pretty extreme settings as well, forcing only the latest version of TLS.

SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GC
SSLProtocol -all +TLSv1.2

Fixing Insecure Resource Requests

After you go full TLS, browsers still claim you’re insecure if you make any requests to insecure resources (resources not served over https).  This includes fonts, javascript, and even images.  I wanted the green Secure text in Chrome badly enough to go the extra mile, so I continued to fight the good fight.

I’m sure there’s a better way to do this, but I did

UPDATE wp_posts SET `post_content` = REPLACE (`post_content`, 'http', 'https');

This worked wonderfully, but it also changed the literal text “http” in all of my posts to “https”.  This had some funny side effects, but I think I changed everything that actually needed to be “http” back.  There was one post where I had pasted text of myself working in a directory named “/srv/http”.  It changed the directory name to “/srv/https”, which I thought was kind of funny.
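
The side effect described above, next to a scoped replacement that only touches this site's plain-HTTP URLs. This is an added example, not part of the original post: it uses Python's sqlite3 module as a stand-in for MySQL (both REPLACE functions do plain substring replacement), and the sample rows and helper names are constructed for illustration.

```python
import sqlite3

# Constructed sample rows standing in for wp_posts.post_content.
POSTS = [
    '<img src="http://alureon.net/wp-content/a.png">',
    '<a href="https://letsencrypt.org/">cert</a>',
    "cd /srv/http && ls",
]


def run_update(sql, params=()):
    """Load the sample posts into an in-memory table, apply sql, return the rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE wp_posts (id INTEGER PRIMARY KEY, post_content TEXT)")
    db.executemany("INSERT INTO wp_posts (post_content) VALUES (?)",
                   [(p,) for p in POSTS])
    db.execute(sql, params)
    rows = [r[0] for r in db.execute("SELECT post_content FROM wp_posts ORDER BY id")]
    db.close()
    return rows


# The statement from the post: every occurrence of the four letters is rewritten,
# including the "http" inside links that were already "https".
BLANKET = "UPDATE wp_posts SET post_content = REPLACE(post_content, 'http', 'https')"

# Scoped alternative: only rewrite URLs that point at this site over plain HTTP.
SCOPED = ("UPDATE wp_posts SET post_content = REPLACE(post_content, ?, ?) "
          "WHERE post_content LIKE ?")
SCOPED_PARAMS = ("http://alureon.net", "https://alureon.net", "%http://alureon.net%")


def compare():
    """Return (rows after the blanket update, rows after the scoped update)."""
    return run_update(BLANKET), run_update(SCOPED, SCOPED_PARAMS)


if __name__ == "__main__":
    blanket, scoped = compare()
    for before, b, s in zip(POSTS, blanket, scoped):
        print("original:", before)
        print("blanket :", b)
        print("scoped  :", s)
```

The scoped pattern matches only the bare domain, so URLs under www.alureon.net would need a second pass with their own prefix.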

Forcing TLS at the Domain Level

This worked great for manually navigating using SSL (typing https:// in the browser), but I’m guessing most people aren’t going to do that.  How do we force them to use SSL at the domain level?

I found this hack on some random website, and it seems to work great (aside from appending an extra forward slash to my TLD).

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{SERVER_NAME}/$1 [R,L]

I just appended that to the bottom of my httpd.conf, and it worked!  If anyone knows a more efficient way, let me know.

Pseudo-Secure Authentication With Weechat

October 30, 2017 IRC No comments

So you’ve opened up your IRC client and connected to a server.  Now what?  You do this:

/msg nickserv identify $uper$ecretPa$$word

If you’re having to authenticate like this every time, SASL is just what you need!

SASL

SASL stands for Simple Authentication and Security Layer, and is a framework for authentication and data security.  If you’d like to read more about SASL, click here.  We won’t go too in-depth with the technical details of how SASL functions here, but we will walk through the setup with Weechat.

Supported SASL Authentication Methods

Also, aside from plaintext or external cert authentication (which freenode doesn’t support), none of these are standard SASL authentication methods.

So, you’re basically left with a choice between using a plaintext password, or the nist256p challenge.  While none of these seem like great options, I feel like nist256p is still a step in the right direction.

Using SASL With ECDSA-NIST256P-CHALLENGE

Now that you understand all your options are essentially shitty, let’s set up SASL!

First, we need to generate a private key using OpenSSL.  We need to use the following curve: prime256v1: X9.62/SECG curve over a 256 bit prime field

openssl ecparam -name prime256v1 -genkey -out ~/.weechat/prime256.pem

This will generate a private key and save the key to ~/.weechat/prime256.pem

Now that you have your private key, we will extract the public key from it, and hand that to freenode for authentication.

Extract the base64 encoded public key with the following command:

openssl ec -noout -text -conv_form compressed -in ~/.weechat/prime256.pem | grep '^pub:' -A 3 | tail -n 3 | tr -d ' \n:' | xxd -r -p | base64

This is your public key.  Assuming you are connected and authenticated on freenode currently, set your public key with

/msg nickserv set pubkey AwdtVZR19Cw9gJjaz2ARLJCqBuNjvk1LJgTENV6g8N9J

Obviously, don’t use the public key I generated for this tutorial, use yours.  Now that your keys are set up, all you need to do is configure your client to use them!

Set the following:

/set irc.server.freenode.sasl_mechanism ecdsa-nist256p-challenge
/set irc.server.freenode.sasl_username "your_nickname"
/set irc.server.freenode.sasl_key "%h/prime256.pem"

Once you’ve done that, you’re ready to rock-n-roll, my friend.

/reconnect freenode
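
A sanity check for the string you hand to NickServ, as an added example that is not part of the original post or of WeeChat: it confirms the base64 value decodes to a 33-byte compressed prime256v1 point (prefix 0x02 or 0x03) and that the x coordinate really lies on the curve. The function names are hypothetical, and the sample key is constructed from the curve's published base point.

```python
import base64
import binascii

# NIST P-256 (prime256v1) parameters: y^2 = x^3 - 3x + B (mod P)
P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
# Base point of the curve, used here only to build a constructed sample key.
GX = 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296
GY = 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5
SAMPLE_KEY = base64.b64encode(b"\x03" + GX.to_bytes(32, "big")).decode()


def decode_compressed_point(b64_key):
    """Return (prefix, x) from a base64 compressed point, or raise ValueError."""
    try:
        raw = base64.b64decode(b64_key, validate=True)
    except binascii.Error as exc:
        raise ValueError("not valid base64") from exc
    if len(raw) != 33:
        raise ValueError("expected 33 bytes, got %d" % len(raw))
    if raw[0] not in (0x02, 0x03):
        raise ValueError("first byte 0x%02x is not a compressed-point prefix" % raw[0])
    x = int.from_bytes(raw[1:], "big")
    if x >= P:
        raise ValueError("x coordinate is out of range")
    return raw[0], x


def decompress(b64_key):
    """Recover (x, y) and confirm the point lies on P-256."""
    prefix, x = decode_compressed_point(b64_key)
    rhs = (pow(x, 3, P) - 3 * x + B) % P
    y = pow(rhs, (P + 1) // 4, P)  # modular square root, valid because P % 4 == 3
    if (y * y) % P != rhs:
        raise ValueError("x has no matching y: not a point on P-256")
    if (y & 1) != (prefix & 1):    # prefix 0x02 means even y, 0x03 means odd y
        y = P - y
    return x, y


if __name__ == "__main__":
    x, y = decompress(SAMPLE_KEY)
    print("valid point, y =", hex(y))
```

A private key or an uncompressed point pasted by mistake fails the length or prefix check before anything is sent to the server.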

Happy SASLing!

Secure IRC Communication With Weechat

October 29, 2017 IRC No comments

TLS

To use SSL/TLS you are going to want to go to the server settings for your client.  I use iset to change settings.  If you don’t have iset, you can install it with the instructions below:

Installing iset

  1.  Type /script and hit enter
  2.  At the script menu, either navigate to iset or type iset and hit enter to use the script filter.
  3.  Once you’ve selected iset, press ‘i‘ and hit enter.
  4.  Now you should be able to run /iset

Assuming you now have iset, you should be able to simply type the name of your server and hit enter to get to the server settings.  In my case, I use the filter ‘freenode‘ because I named my connection something that makes sense.

Using iset

When inside of the iset menu, you can select any value you wish to edit with the arrow keys.  Once a desired value is selected, press ALT+Enter to pre-populate the text to set it in the command line.  You can edit it as you wish, and press Enter to update the value.

If that doesn’t work (I’ve seen ALT+Enter bug out before with certain window managers), you can still type the text manually.  You’ll type /set blah.blah.blah.blah value

To toggle the value of a boolean, (on/off) press ALT+Space.

Setting the TLS port

For the address, you are going to want to set a TLS port after the freenode address.  You cannot use TLS unless you do this.

freenode provides SSL client access on all servers, on ports 6697, 7000 and 7070. Users connecting over SSL will be given user mode +Z, and is using a secure connection will appear in WHOIS (a 671 numeric).

I opted for port 6697, and set that accordingly.  Set a TLS port after the value for “irc.server.{servername}.addresses”.  You should know how to do this using iset and the above instructions.

ssl port

This is what you should see now.

Turning SSL/TLS on and setting the key size

Next, turn SSL on and set the Diffie-Hellman key size to something that makes you feel good about security.  I chose 2048 bytes for pretty much no particular reason.

key size

Other Settings

Ensure ssl_verify is turned on for the best security

/set irc.server.freenode.ssl_verify on

You can also customize your cipher suite using priority strings from gnutls.  I prioritized good security with the following string, which enables the 192-bit and 128-bit secure ciphers, and allows only TLS 1.2 (which does work on freenode)

/set irc.server.freenode.ssl_priorities "SECURE192:+SECURE128:-VERS-ALL:+VERS-TLS1.2"

Reconnect

That should do it.  Do /reconnect freenode and you should now have mode +Z in channels and be happily communicating on an encrypted line!

Notes

If you’re behind some kind of corporate firewall (i.e. you’re at work or school), don’t be surprised if this fails.  Why this is blocked is beyond me, but I’ve had mixed luck connecting to IRC servers on work and school networks.  Sometimes not using a secure connection is the only connection you can make, so keep that in mind.

Database Corruption

October 28, 2017 MySQL No comments

My old Raspberry Pi 2’s sdcard fell victim to sdcard corruption.  I wasn’t able to dump my MySQL tables cleanly because the database was unable to start by the time I realized what was going on.

I’ve restored what I could of my wonderful little blog, but there was data loss during the migration to a new sdcard.  That’s why things look a bit different.

Lessons Learned

What doesn’t work

If you’re moving MySQL tables, do not simply copy the directories from /var/lib/mysql

Worse yet, if you’re using InnoDB, you’ll be missing the /var/lib/mysql/ib* files that InnoDB requires.

MySQL is very picky and if it senses anything is amiss it will simply throw its hands in the air and give up.

What works

Ideally, you need to dump your databases while connected to the MySQL server with something like this:

mysqldump -u root -p wordpress > wordpress.sql

This dumps the entire database into an SQL script you can re-import on your new database.  You suck it back up with the mysql client, using nearly the same syntax:

mysql -u root -p wordpress < wordpress.sql

Fun & Educational IT-Related Challenges

October 28, 2017 Linux, Programming No comments

I’ve decided to compile a list of fun and educational IT challenges out there.  Any challenge on this list I have either completed, or I’m still trying to complete in my spare time 🙂

| Name | Description | Location |
| --- | --- | --- |
| Cryptopals | Solve cryptography challenges derived from weaknesses in real-world systems and modern cryptographic constructions. Use any programming language you wish. | https://cryptopals.com |
| Bandit | Solve Linux-related challenges as you try to find the location of the ssh key to get to the next level. Early levels are very easy, and beginner-friendly, but the difficulty ramps up as you get further into the game. | https://overthewire.org/wargames/bandit/ |

The Bash For Loop

July 15, 2017 Linux, Programming, Shell No comments

This week at work, I had been tasked to copy a directory in Linux 6 times, all with different names.

This, of course, is not that directory, but let’s pretend it is.

We want 6 copies of this, one for each employee

Easy enough, just cp -r the directory 6 times, right?  Well, you could, but we always strive to be as clever and efficient as possible.

Let’s say for this example we need a copy of this directory for all 6 employees: David, Mark, Jeremy, Clyde, Warren, and Sam.

well, that won’t work

There’s a lot of things that surprisingly won’t work, mostly because the directories don’t exist.  We could make them, or, as my boss showed me, we could use a little for loop magic.

surprisingly simple!

Is it really all there?  Yes!  This is truncated, but you can see these users have a clone of the original directory.

So how do I use this?

Well, the items you want to iterate through go after for x in

The command you want to execute goes after do and you use the variable $x to iterate through the items.

If we wanted to create 10 files, each named after one of the first ten letters of the alphabet, we would use

for x in a b c d e f g h i j; do touch "$x"; done

and you will have those files.  You can remove them with an equally simple line:

for x in a b c d e f g h i j; do rm "$x"; done

Adding Driver Package (.sys .cat .inf) on Windows 7+ With PowerShell

July 15, 2017 PowerShell, Windows No comments

Ever download a driver package that has no installer and just seemingly random driver files in a directory like this?

While you could copy these files manually, today I found an easier way.

You can simply use PnPUtil.exe to install a driver package from the command line.

My device flashed a couple times and voila!  Took about 5 seconds.

(note: you have to point pnputil at the inf file, and it assumes the other files are in the same directory like my example)

Repulsive Java Coding Style

June 24, 2017 Programming No comments

I get that everybody has their own coding style, or that people follow different coding conventions, but I find the examples in my Data Structures book to be some of the most hideous Java I have ever seen.

awful java code style

For the sake of comparison, here’s the converted code to what I believe to be textbook Oracle coding convention (the convention I have always followed).  The only exception is that I typically prefer to use 4 spaces instead of 8, but I’ve used both in the past.

java oracle coding convention style

Shelled-out Commands

May 20, 2017 Programming, Shell No comments

So I remember shelling out commands in Java, and it was quite a process.  It turns out it’s essentially the same for Go.

In interpreted scripting languages like python or ruby, it’s not really something you have to put any thought into.


So because bash is a shell you don’t have to do anything.

#!/bin/bash

ls -l

Ruby supports backticks.

#!/usr/bin/env ruby

`ls -l`

In Python, you can call os.system()

#!/usr/bin/env python
import os

if __name__ == "__main__":
    os.system("ls -l")

So what about real programming languages? Well, there’s a little more involved to shell something out if you’re expecting the output much like an actual shell.


Using Go, I wrote this to shell out a command.

package main

import (
    "bufio"
    "fmt"
    "os"
    "os/exec"
    "sync"
)

func main() {
    // create command and arguments; they are passed to the program
    // directly, so no shell parses them
    cmd := "ls"
    args := []string{"-l"}
    command := exec.Command(cmd, args...)

    // connect to stdout and stderr
    stdOutReader, err := command.StdoutPipe()
    checkErr("Error creating stdout pipe", err)
    stdErrReader, err := command.StderrPipe()
    checkErr("Error creating stderr pipe", err)

    stdOutScanner := bufio.NewScanner(stdOutReader)
    stdErrScanner := bufio.NewScanner(stdErrReader)

    // read both pipes concurrently; the WaitGroup lets us know
    // when both readers have seen end-of-file
    var readers sync.WaitGroup
    readers.Add(2)
    go func() {
        defer readers.Done()
        for stdOutScanner.Scan() {
            fmt.Printf("%s\n", stdOutScanner.Text())
        }
    }()
    go func() {
        defer readers.Done()
        for stdErrScanner.Scan() {
            fmt.Printf("%s\n", stdErrScanner.Text())
        }
    }()

    // run the command
    err = command.Start()
    checkErr("Error starting command", err)

    // Wait closes the pipes, so all reads must finish before it is called
    readers.Wait()
    err = command.Wait()
    checkErr("Error waiting for command", err)
}

func checkErr(msg string, err error) {
    if err != nil {
        fmt.Fprintln(os.Stderr, msg, err)
        os.Exit(1)
    }
}

Here’s the output of that program compared to ls -l

In reality, when simply using ls, we could have probably ignored stderr.  If you want stderr messages though, the code above will provide that output as well.