Quick Notes

Posted on 2015-02-26 by jcs

In my continuing quest to make better use of the Org mode agenda facility, I’ve implemented a way of capturing quick notes that are meant to be ephemeral and not saved long term. It’s a good way to capture information while I’m on the phone or otherwise need to capture some data quickly and deal with it later. For example, maybe someone calls and wants to change the time of an appointment. I can just capture the new time and update my calendar after the call.

The capture template is ridiculously simple. It just grabs a headline and any associated text and puts a timestamp at the end. The capture template is 

("q" "Quick Note" entry (file "~/org/quick-note.org") "* %?\n%U")

The quick-note.org file has #+FILETAGS: QN in the header so that it’s easy to find them with a custom agenda view. Here it is: 

("q" "Quick Notes" tags "QN" nil)

Once I’ve acted on the note, I can type 【Ctrl+k】 to delete it from the agenda and quick-note.org file.

This is a really simple thing but something I’m almost certainly going to use a lot. Even though it’s simple, I had to do a bit of research to figure out all the details so I’m recording my process here in case any of you want to do the same thing.

Posted in General | Tagged , | Leave a comment

A New Stock Photo for a Hacker

Posted on 2015-02-25 by jcs

Christopher Soghoian has an excellent suggestion

If that picture isn’t scary enough for you, how about this one?

Posted in General | Tagged | Leave a comment

Capturing Blog Ideas

Posted on 2015-02-25 by jcs

I’ve been refactoring my workflow lately, trying to make better use of Org-mode, especially Org agenda. I’m always on the lookout for promising blog subjects and usually find them when reading my RSS feeds. My normal process was to bookmark a promising post1 in a “Blog Ideas” folder and then look through that when I was searching for Irreal post subjects. The problem is that the folder is huge because I don’t actually use most of the posts I bookmark. Half the time, I forget why I saved a post.

My new workflow is to save my ideas in an Org file. I capture the ideas using org-capture. That makes it easy to record a link to the post and to add notes about my initial ideas for transforming it into an Irreal post.

Here’s my org-capture template for blog entries: 

("b" "Blog" entry (file "~/org/b-ideas.org")
 "* TODO %? \n%U\n%(jcs-retrieve-url)\n")

It’s pretty much conventional except for the %(jcs-retrieve-url) that calls jcs-retrieve-url to get the URL of the current Browser page and inserts it into the TODO entry. The jcs-retrieve-url function is just a call to some Apple script requesting the URL of the current Safari page. It’s the same call that I used in jcs-get-link. I have a similar template that gets its link from the killring. I use that for capturing blog posts that include a link to a tweet.

Here’s what a typical entry looks like: 

* TODO Abo-abo's remapped keyboard                                    :emacs:
the =;= key acts as an escape to remapped keys.
Abo-abo claims that the main disadvantage is that QWERTY seems
sluggish after he got used to using it. 
[2015-02-14 Sat 17:19]
http://oremacs.com/2015/02/14/semi-xmodmap/

One nice thing about this scheme is that I can accumulate notes about the post before I actually write it. With my old scheme, there was no way of doing this so if I had an idea about the post there was no easy way of recording it. Now I just add some notes to the TODO entry. I can also add links to related posts so that I have them all available when I start writing. Before I could save additional links but there was no way of tying them together other than remembering that they were related.

Even better, I can start writing the post, mark it as a DRAFT, and add a link to the DRAFT in the agenda. Then I can accumulate ideas directly into the post before I’m ready to post it. Because the draft post is still anchored by the agenda item, it doesn’t get lost—it still appears in my agenda until I publish it and mark it DONE.

EDIT: I just noticed that Sacha Chua has a great post on using org-capture and efficient note taking. If you’re interested in leveraging Org mode for note taking you should definitely take a look.

Footnotes:

1

For this post, the term “post” means someone else’s post or article that I found on the Internet. The term “Irreal post” means one of my posts that appears or will appear on Irreal.

Posted in General | Tagged , | Leave a comment

Handling Windows

Posted on 2015-02-24 by jcs

A while ago I wrote about abo-abo’s application of Hydra to switching windows. It was an idea apparently inspired by Sacha Chua’s use of his def-rep-command to switch windows but went further to handle many chores involving windows and buffers. I had also recently written about John Kitchin’s use of Helm to do the same sort of thing, and remarked that I really liked both methods but couldn’t make up my mind as to which to implement.

Abo-abo’s method seemed easier to implement so I decided to try it on an experimental basis. If I didn’t like it, I could always try Kitchin’s method instead. My version is almost the same as abo-abo’s except I use x and y for vertical and horizontal splits and I added magit-status.

I’ve been using it for a couple of weeks and really like it. It definitely gives Emacs a further Lisp Machine feel. The Lisp Machine had a SELECT key that was used to initiate window operations and hydra-window has the same feel. It’s really convenient how I can perform several operations in a row with one hydra invocation. For example, I can switch to another window, load an existing buffer or bookmarked file and switch back to the original window almost instantaneously.

I find that I now use bookmarks all the time whereas before I seldom did. It’s so easy: invoke hydra-window, press 【m】, and then one other letter to bring up the file. A lot of my work flow involves the same set of files so this really speeds things up. It’s faster, even, than just keeping the files open and switching to them with ido. I made this work better by stealing another idea from abo-abo and upgrading to bookmark+ and arranging to have distinct starting letters (or in some case 2 letters) for the bookmark names. That, with headlong-bookmark-jump means I can select a file with a single letter or two. I also added book marks to call Ibuffer and open Irreal in my browser.

It’s startling what a different feel using this set up gives my Emacs workflow. Things just seem faster and smoother. The only problem I haven’t resolved is how to invoke hydra-window. Currently【F1】, 【F10】, and【y y】 are all bound to hydra-window. I’m trying to determine what the best sequence to simulate the SELECT key is. I like【F1】 but dired+ steals it. I could probably remap that after dired+ is loaded but I’m finding 【F10】 more natural. I’ll probably keep experimenting with different bindings for a while.

A final benefit is completely unexpected. For some reason, I have stopped fretting so much over open buffers.

Posted in General | Tagged | 8 Comments

A LaTeX Tip

Posted on 2015-02-23 by jcs

Here’s something from John Cook that I didn’t know:

Posted in General | Tagged | Leave a comment

And So It Begins

Posted on 2015-02-23 by jcs

The lawyers will be happy.

Posted in General | Tagged , | Leave a comment

Everybody Wants Ta Get Inta Da Act

Posted on 2015-02-23 by jcs

Apologies to Jimmy Durante but everyone, it seems, is waging man-in-the-middle attacks. The latest perpetrator is the provider of in-flight WiFi, Gogo. Google security engineer Adrienne Porter Felt, while on a flight, discovered that Gogo was serving up fake SSL certificates that claimed to be from Google.

Unlike the SuperFish exploit, Gogo couldn’t put a fake root CA certificate on their users’ laptops so those users got a warning that the Google certificate was not signed by a trusted issuer. Of course many users don’t understand any of that stuff and just click OK. Once they do, Gogo can read their HTTPS conversations.

Gogo’s excuse is that there is very limited total bandwidth available for everyone on the plane so they want to prevent users from streaming video from YouTube, which is prohibited by their terms of service. That’s reasonable. What’s not reasonable is staging a man-in-the-middle attack on their users to enforce that prohibition. Add in what some describe as Gogo’s over solicitous cooperation with law enforcement and you can see why privacy advocates are concerned.

Really, this behavior should be illegal. Arguably, it already is but it needs to be made explicit: break into an HTTPS connection and you get treated just like any other cracker regardless of your reasons. In the mean time, spread the word: Never continue with a connection that your browser warns is questionable.

Posted in General | Tagged , | Leave a comment

Lenovo Denies Security Problems

Posted on 2015-02-22 by jcs

It’s infuriating that Lenovo continues to deny that SuperFish is a security threat. They keep saying that they’ve stopped installing it but that in any case SuperFish didn’t collect or store any private information. Doubtless that’s true but it’s a straw man that no one is claiming. The problem is that SuperFish installed a fake CA root certificate and that this certificate can be and was recovered by third parties. Anyone holding that certificate can easily set up a man-in-the-middle attack in coffee shops and other places offering free WiFi.

Robert Graham, who demonstrated how easily the certificate could be extracted has provided a demonstration of a working MITM attack. He shows it collecting a (fake) login credential to Bank of America. Yet, Lenovo continues to say, “We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns.”

If you have an infected Lenovo laptop, Graham’s demonstration should terrify you. Everything you do is subject to surveillance by anyone with a modicum of technical ability. Or for that matter, anyone who can read Graham’s article.

Lenovo, to their credit, has made a SuperFish removal tool available on Github. The Github repository also has a link where you can download an executable. If you’re paranoid—and who could blame you—you can read the code and build the app yourself. Again, if you have an infected laptop, it’s imperative that you do this. Either that or share your banking credentials with J. Random Cracker.

Posted in General | Tagged , | Leave a comment

MITM Coming to a Job Near You

Posted on 2015-02-21 by jcs

Just in case you think that man-in-the-middle attacks are just for the victims of Lenovo’s shenanigans, there’s this

Posted in General | Tagged , | Leave a comment

Lenovo

Posted on 2015-02-21 by jcs

You’ve almost certainly heard about the astoundingly stupid actions on the part of Lenovo. Forget about the security implications for a minute. What this boils down to is that Lenovo sold out their customers for a few pieces of silver by installing adware that, despite Lenovo’s protestations, no customer would want. Think about that for a moment. You pay good money for a relatively expensive product and the company selling it to you purposely makes it less useful than what you thought you were buying: unwanted ads pop up and other software stops working.

But of course security is the main story here. The adware, SuperFish, works by intercepting the victim’s HTTP stream so that it can inject ads. That’s bad but even worse is that it also snooped on SSL/TLS (HTTPS) connections by waging a man-in-the-middle (MITM) attack. It’s as if Lenovo had never heard of what happened when sony tried something like this. The spying on encrypted connections is arguably illegal and you can be sure there will be law suits, perhaps from the states as happened in the Sony case. Regardless, Lenovo’s reputation has suffered significant, perhaps mortal, damage.

But it gets worse. The MITM attack was effected by installing a self-signed certificate to act as a trusted CA certificate. Of course, if SuperFish could use the certificate, so could anyone else. SuperFish encrypted it but, obviously, the key to the encryption had to be in the binary in order for SuperFish to use it. It took Robert Graham no time at all to recover the key and decrypt the certificate. That means that anyone using an infected laptop at a coffee shop or some other public WiFi hot spot is subject to being hacked.

Lenovo’s reaction to all this is appalling. The best interpretation is that they’re clueless about the security implications. The more likely explanation is that they’re in CYA mode. Lenovo continues to insist that SuperFish represents no security problems despite Graham’s definitive demonstration to the contrary. As I said, expect law suits.

UPDATE: certificated → certificate

UPDATE2: I just don’t understand this. Lenovo has proven they don’t care about their users or their safety. Why would you reward them with your trust or money?

UPDATE3: Here’s Robert Graham again putting the lie to Lenovo’s “theoretical concerns” with an actual working exploit. If you’ve got one of these laptops, you need to take action immediately.

Posted in General | Tagged , | Leave a comment