Stuff Yaron Finds Interesting

Technology, Politics, Food, Finance, etc.

How do we exchange identities in Thali without making our users hate us?

In Thali identities are public keys. But typing in a 4 Kb RSA key or even a 512 bit EC key isn’t exactly easy. So how do users securely exchange their keys? Our original approach was using QRCodes. But lining up the phones, scanning the values, etc. is all a serious pain. So if ultimate security isn’t a requirement our backup plan is to use a variant of Bluetooth’s secure simple pairing with numeric comparison which itself is just an implementation of a coin-flip or commitment protocol. The main downside of this approach is that it provides a 1:1,000,000 chance of an attack succeeding.

Buying a sit-stand-walking desk

My job has increasingly become almost completely coding focused which means I’m sitting, a lot. I need to get up and move. Knowing my personality I decided the right way to do this is with a sit/stand desk using a treadmill. But I also need to be able to sit and I don’t have the room to move the treadmill around. So I’m buying the 72 inch iMovR Omega EVEREST desk which has enough room to put the treadmill and my chair next to each other. I’m picking the TR1200-DT3 treadmill. I’m adding an ERGOTRON LX HD Sit-Stand Desk Mount LCD Arm and its lighter non-HD sibling. I’ll also need to pick up two VESA mounts for my Apple hardware. Apparently being healthy requires breaking the bank. See below for the absurdly painful process by which I figured this all out.

Derived keys and per user encryption in the cloud

I use a program called ESPlanner to help with planning our insurance and retirement portfolio. ESPlanner wants to move to the cloud. Below I explore who I imagine would want to attack a site like ESPlanner and what sort of things cloud services like ESPlanner can do to frustrate their attackers. I especially look at using derived keys and per user encryption to potentially slow down attacks. But in the end, I'm uncomfortable with the legal protections afforded me as a service user in the US and so I really want a download version of ESPlanner.

node-gyp and node.js on mobile platforms

As I’ve previously discussed I want to get node.js running on Android, iOS and WinRT. But to make that happen we need to understand the node.js ecosystem and that includes native add-ons and node-gyp. So I created a node package, node-gyp-counter, to heuristically determine how frequent node-gyp usage is in the node.js world. If my numbers are right then less than 3% of downloads of packages in 12/2014 involved node-gyp in any way. Of that 3%, just 27 packages account for 80% of node-gyp root package downloads. Only 19 of those 27 packages seem relevant to smart phones.


Thali and the Mesh Mess

Thali's base communication mechanism is Tor hidden services. This enables Thali devices to reach each other regardless of what NATs or Firewalls are in their way in a manner that is resistant to traffic analysis. But what happens when one isn’t on the Internet at all? We still want Thali devices to be able to communicate so a goal has been to support some kind of ad-hoc communication mechanism. That is, if two Thali devices are close enough to reach each other directly via a technology like Wi-Fi or Bluetooth they should be able to communicate securely and privately.
Ideally however we would go a step farther and use a technology that supports ad-hoc mesh networking. We list below some candidates but it is a bit early to jump on the mesh bandwagon. More on that in future articles.
The purpose of this article is to collect information on what appear to be the main players in the ad-hoc connectivity and mesh building contest.
[Note: This is a complete re-write of the existing Mesh Mess article.]

I think T-Mobile ripped me off

I was pretty excited about T-Mobile because it's much cheaper than my current AT&T account and they have free data roaming in a bunch of countries including Canada. So I went to the T-Mobile store, gave them my home address and they claimed to have excellent coverage of my house. So I put down $80 to get a prepaid SIM and took it home. I have to wonder what they think 'excellent' connectivity means since I was barely able to get an EDGE connection while sitting at my kitchen table much less a 3G or LTE connection. My AT&T SIM card, in the same phone, got a (weak) LTE signal. Of course it's a prepaid SIM so there is no refund. So even though I believe T-Mobile was misleading I'm out the $80. Oh well, better to find out now on a throwaway SIM than have transferred my phone number and canceled my AT&T account. Live and learn.

ESPlanner – Figuring out life insurance, retirement and more

How much life insurance do we need? How much do we need to save for retirement? How much do we need to save for our daughter’s college education? These are basic financial questions and they are unanswerable because they require perfect (or at least reasonable) knowledge of the future and as the song goes “the future is not ours to see”. But, regardless, we still have to muddle through. So this is where the program ESPlanner can be helpful, if you understand what it’s doing and what its limitations are. Below I explain how our family uses ESPlanner primarily to figure out how much life insurance to get but also as a spot check for our retirement and college savings plans. [Note: Updated on 12/23/2014 to account for switching to ESPlanner Plus]

Thali and the Internet of Things (IoT)

The decision to switch from Java to JavaScript continues to be interesting. One of the consequences of it is that it made it much easier to have conversations with the IoT community who, it turns out, like Node.js a lot and have problems that Thali is perfect for solving. So we are talking to potential customers who we can then leverage to get resources to build Thali. I wrote an article explaining what it is we want to build in that context. Please give it a read and let me know what you think!

11/4/2014 – General and Special Election, Seattle, King County, Washington State

There are quite a few meaty issues on our ballot this year. There is State Initiative 1351 which would force the state to fund our schools at something like a reasonable level. An easy yes. There is Initiative Measure No. 591 which would further reduce rules on the ability to transfer killing machines (known as guns) without any form of safety check. Bad idea. No. And of course Initiative Measure 594 which would require that nobody can just hand out a killing machine without a background check, an easy Yes! We can return Jim McDermott to Washington, always a good idea. There is an infinite number of judicial races, most of which I’m not going to vote in because I believe the candidates have tainted themselves by raising money that puts them in hock to the people they are supposed to oversee and in many cases candidates couldn’t even be bothered to put up websites to fully inform voters. If a judicial candidate can’t spend the time to talk to the voters then don’t expect the voters to vote for them. For those in Seattle there is a metro bill we really need to support. For those who haven’t read one of my ballot cheat sheets before you should probably know that with the exception of Jim McDermott I generally don't vote for Democrats or Republicans.