Friday, 30 December 2011

Yodelice is a Vampire

In my spare time I like to narrate my tramp-stories. These are not stories about tramps, but the (possibly) romanticised idea that some tramps would exchange stories of their travels, in exchange for shelter and food.
( When I don't have an audience I tap the fragments and scenarios into a computer, but that does not make me a writer. )

I was given the Yodelice CD Cardioid this yule. I was taking to see him back in 2009 and spent much of 2010 listening to his Tree of Life album. I have come to the conclusion that he is one of the greatest musicians of this century, (and possibly the next), and that he is a vampire.

My latest story involves vampires, so I'm going to notice the signs more readily than even Renfield.
I have not formally been introduced to Yodelice, but I did get to sit at the table next to his at the after party back in 2009;
So I have seen him on stage and in a social environment, but surely that is not enough to make a determination. I fully agree. We need his confession, and thankfully he has put it in his lyrics:

When a vampire is made they go through all sorts of emotions that are hard to envisage unless you are going to live forever. This is far more alien than any human ever expects, and shows up in the line:

"What if I don't get over you"

This is part of a lament about spending eternity with one person.

If this seems flimsy then how about these fragments as clearer evidence:

"There is more to us than meets the eye."
"The dream was a nightmare."
"Blacker than the knife thrust in my back"
"The pain feels just right."
"Unseen and forsaken"
"Ripped off my flesh. Betrayal and sadness, booming in my chest"
"Silent howling in the night"
"My life cast aside"
"I've been hoping for someone like you for 5000 nights; Let me be the one to love you for 5000 more." (We know he means years.)

..and for those sceptics out there:

"Real life just died tonight".

These are just some of the examples, (possibly I would understand more if I was a vampire), maybe every line is a code?
None of this compares to the clear boredom I observed at his after party and the life-wrenching humanity stealing power of his performances, (and don't claim that he was just tired from being on tour and having just spent the whole evening rocking the lives of hundreds of people: Vampires have almost endless strength at night!)

That said,

Yodelice is worthy of the worship by his audience of acolytes. I may have been bitten by this troubadour's music, but I feel that it is not possible to overstate
this person's talent. (AND now he even turns up in a film, "Les Petits Mouchoirs")

If you like this game then the whole of "Wake me up" with lines like "Mama, what's the cold in my veins?" is going to blow your mind.

And don't get me started on his collaboration with his "photographer" (more like faux-(all)-together) in the track "My Blood is Burning". Ha!
 Alice is more than just a photographer! (Though she is clearly very talented.) One article she did is entitled "The height of fashion six floors under" the gall! How much more obvious could she make it?

I do not think we have anything to worry about as long as we let them continue to produce their art.

Sleep well, children of the night.

This is for entertainment purposes and should NOT be used to ask Yodelice, (or rather Maxim Nucci from the band Yodelice) to turn into a shaved-mouse.

Thursday, 29 December 2011

Testing SpiderOak

I am still testing SpiderOak [0], but use this link and we both get 1GB extra storage!

If you are thinking of using "the other team" then you can use this referral link.

[Edit: 2014-07-26 I'm verifying the security of (link is , as usual, my referral.]

[0]Checking the destination, rate and flow of the communications to see if they leak any information about the files being transfered.

Passwords; Where do you stick yours?

If you have multiple machines in multiple counties with multiple operating-systems with multiple account  and multiple backups - how to do you sync passwords?

Over the years I have tried perl: { stenography, openssl, Shamir's Secret Sharing}, Password Gorilla and GPG, KeyPass, (both versions and various ports), and even CSV.

A large percentage of my passwords are for sites that I hardly every visit; All these web passwords seem VERY VERY WRONG when I look at how I access hundreds of servers using openssh. I should have just one key that I would keep on some USB stick. The browser would request the public key and an "access" version of the private one. The public one would be stored as a cookie and then any site that wanted to authenticate me would be able to use my public key and the browser would use the access key to prove who I was. Close the browser and the access key is either encrypted or deleted.

I used to just remembered every password and phone number that I needed. Then at the end of the 90ies I got my first mobile phone. I entered every phone number and from then on, (I think it was an Ericsonn GH337.) Then, in 1997, I got a Psion 5. This became the central repository for all of my data and thoughts, (backed up on my PC). I also had various shell account round the Internet, ( one was a solaris computer called, that I used to upload data to as a remote backup.

Then in 1998 I started to use whisper32, (I think that Shish, one of my colleagues at the time, suggested this) so I ported all of my passwords from my password-protected Psion 5 sheet.

At this point, (2011) for windows I use KeyPass and for Linux I use a vim plug-in that I have hacked about to store passwords in a p^3.s.v. (pipe-percent-pipe separated values) encrypted using openssl -e -a aes-256-cbc (all triggered by a bash alias so that in just 5 keystrokes, (Ctrl+Alt+T,p) plus the master password, gets me access to my password list from any of my linux desktops. If I'm already in a shell then it is just 2. )

When I was on mac I used a database driven AES-in-javascript PERL CGI::Application that encrypts the password client side and then sends it to be stored in my database. (Notice::Email::Alias_details) This was an extension to my (exim/dovecot) email management system, (I was creating a new address for each site/sign-up/contact and naturally I needed, for each one, to record a website URL; username; password; random notes for password recovery, (why would you EVER tell a website your dogs name? - my pet is always called apg -n1 -cyn1 12 14)
Once I started storing passwords with websites my password back-up solutions grew to include all of my vital-data backup.

So I have three systems and would like them to automatically synchronise.
Keypass understands CSV but when it imports it does not know the categories, (because it deals with all CSV as if it were keypass version 1.x). So much as it pains me XML seems to be the system that is going to be compatible with keypass 2.x.

Hacking a perl script to export my linux database into XML is trivial, but I want this to be automatic, (crontab/rsync) but would never leave the master password on any system unencrypted.

Because each password stored in Notice has an independent AES key that is not stored anywhere, automatically exporting passwords in plain text is impossible. (Actually the key is optional, so it is possible that the password is in plain text and as Notice also generates random passwords that resemble encrypted strings, and makes no record of the key or every if there is a key, it is not possible to tell if the password is already encrypted.)

This means that the system with the most complexity determines the extent to with my script has to understand without losing data, and the system with the highest granularity of security, (not necessarily the highest encryption security) is going to be the central database. This means that by forcing these three systems to play together I would be sacrificing complexity, (functionality) and possibly security, (though having a {possible and optional} separate key for each password does mean that if one key is compromised the others are still secure.)

So pushing keypass into Notice is possible with a single export, (I can upload the .xml to Notice and it can import the details.)
openssl.vim into Notice is done using a single perlscript.

Just because you can, doesn't mean you should

I decided that firefox sync was the answer. Not the '42' but the 'for-now'. Despite digging through their code to check that it was not doing anything naughty, (it wasn't) I set up my own server, (just because AES cracking using quantum computers don't exist yet, does not mean that they never will; Once they do I expect it will be a short-lived party trick, to decrypt publicly available files and all the other things that will be stored in the various clouds for a very long time. )
 This would let me store my passwords in the browser, (where I needed most of them anyway.) This just meant that I had to find some way to store my ssh-key passwords, my (operating-system_username+password)s and $(everything else that was not a website.)
I had tried openID, and though I can see where it would be useful, (I even set up my own server) I still felt that it was making some of the sites that visited second-class citizens. I found that I would only use openID on sites where I did not mind if my account was compromised, (well I would mind, but it did not matter.)

...then my server got DoSed, (I still visualise this as little blue-UDP packets singing, "laaa laaa la-la-la laaa"). I needed a password that I had encoded using
echo "Password"|openssl enc -aes-256-cbc -a -pass pass:verysecret
(and I get it back using
echo "U2FsdGVkX19Hu9wSFkTBY6UNl/oZQkvYRF7ZJiIDuRM="|openssl enc -d -aes-256-cbc -a -pass pass:verysecret
and had stored as a comment for a bookmark, (this was my hack to store additional data using firefox sync.

The Sun went into the Cloud

So back to the drawing board. During 2010 I hacked together two BATCH.bat files that could use a PortableApps openssl to decrypt and encrypt my original p^3sv file.
 This meant that if I could seperate the data-storage from the encryption then I could use any online data-storage service. I looked at the most popular and Ububtu-One, but in the end I decided to go for SpiderOak.
(I already have my public code in github/CPAN.)

So what do we really need? Passwords, Contacts, Bookmarks, private data, (the last being 'other', but in my case it is { agenda/calendar, (of things that are going to happen, like meetings and flight details); (non-)fiction/poems; notes/ref; diary, (things that have happened.) }

So how do I maximise portability and minimise keystrokes-to-access-a-password?

I thought about putting the data into a truecrypt file and keeping that on SpiderOak, but that required me to install truecrypt - which failed the Internet-cafe-no-install situation. If the data can be read and decrypted using javascript then a tiny jQuery page seemed to be the answer that I was looking for.

1. Log into SpiderOak
2. Download the encrypted file and the single html page, (Notice::Passwords)
3. Opening Notice::Passwords in a web browser and read the datafile.

Step 2. could be "download paswd.7z" which would include the two files.

Alternatively, thanks to Mark Percival and Vincent Cheung you can just store all of your passwords encoded in your blog.

About this blog

Sort of a test blog... until it isn't