Code Snippets in Org Mode

Everyone who’s hung around Irreal for a while knows that I’m a big fan of Org mode and that I use it to, among other things, write all my blog posts. One of the really nice things about it is the way it handles the embedding of code snippets in the text.

Matthew Keeler has posted an excellent video on embedding code snippets in Org mode. He starts with a simple document and exports it to PDF through LaTex. Then he adds a bit of Python to the document and demonstrates the Org features that support embedding code in documents. Even this short video serves to demonstrate what you can do in Org mode.

If you write documents that include code you really should watch this video. It will make your work much easier. It’s just a little over 6 minutes long so you can watch it while you’re waiting for the coffee to brew.

Posted in General | Tagged , | 3 Comments

Safe Password Hashing

I have written several times about the absolute necessity to properly hash passwords. The tricky part is that properly. It’s a bit subtle to get it right. Happily the folks over at Defuse Security have an excellent guide that

  • Tells you what to do
  • Tells you what not to do
  • Provides source code to proper implementations in PHP, Java, C#, and Ruby

If you’re a developer tasked with the customer authentication system, be sure to read this. There’s lots of good advice in it. And whatever you do, don’t store the passwords in plain text. If you do, you’re going to end up here and be the object of universal derision and scorn.

Posted in General | Tagged | 1 Comment

Dual_EC_DRBG

One of the recently released Snowden documents mentions the NSA’s success at weakening a 2006 NIST encryption standard and getting it accepted as an international ISO standard. While the standard isn’t named, it is widely assumed to be NIST Special Publication 800-90A with the DualECDRBG random number generator being the weakened algorithm. Indeed, the algorithm was weakened to such an extent that it can be said to have a backdoor.

Matthew Green, a John Hopkins research professor, has a great post on DualECDRBG and its flaws. He explains what the flaw is and how it is exploited. The article is fairly technical but not overly mathematical so interested Irreal readers should be able to follow it without problems.

Ironically, DualECDRBG is very slow (about 3 orders of magnitude slower than the other RNGs in SP 800-90A) so there is no reason to use it except these types of algorithms can be proved to be secure and the cautious implementer may be willing to sacrifice the performance for the security. Unfortunately, NIST neglected to include such a proof in SP 800-90A and when cryptographers took a close look they discovered many problems with the algorithm. Read Green’s post for the details.

Incredibly, despite these problems having been known since 2007, there are still implementations using the algorithm. Meanwhile, NIST has reopened public comment on SP 800-90A and is strongly recommending that DualECDRBG not be used until the standard is reissued.

Posted in General | Tagged | Leave a comment

Tracking Emacs Packages

Via Xah Lee’s blog, I came across a really interesting project. Artur Malabarba’s EAT (Emacs Archive Tracker) project checks the Gnu, Marmalade, and Melpa archives every couple of hours and displays a graph showing the number of packages added recently. The data shows that about 75 news packages are being added every month. That’s pretty impressive and shows how active the Emacs community is.

Of course, EAT is written in Emacs Lisp. That shows not just that the community is willing to eat its own dog food but that Elisp really can be used as a general purpose computing platform.

Update: the → the community

Posted in General | Tagged | 1 Comment

Emacs Startup Packages

Xah Lee has a roundup of emacs Starter Kits on his blog. He’s got a list of 5 such kits so there’s a lot to choose from.

Lee also notes that you can just install Emacs and add things as you need them. That’s the approach I took, probably because there weren’t any starter kits when I first came to Emacs. That approach has worked well for me. When a user of one of the starter kits writes about some wonderful feature in his setup, I just add it to mine. Of course, I’m a programmer so this is natural for me. If you’re a bit less technically inclined, one of the starter kits may be the right answer for you. I’ve heard good things about all the kits that Lee lists so pick one and start building your own configuration from there.

Posted in General | Tagged | Leave a comment

Apple and Fingerprints

Anyone who’s been following Irreal lately is painfully aware that the NSA scandals have kicked my paranoia into hyperdrive. Still, there are limits. Apple’s recent announcement of their fingerprint reader on the iPhone 5S has provoked those poor souls even more inflicted than I into paroxysms of suspicion that the NSA is plotting to steal their fingerprints.

Fortunately, my pal Watts has an excellent post that assuages their concerns and debunks the whole foolish notion. Watts explains how the system actually works and why this really is tinfoil hat thinking. If you’re an Apple user and worried about the technology or you just want an entertaining read, head over to Coyote Tracks and enjoy.

If you want some additional technical details, which corroborate what Watts says, there’s a nice description of the technology over at Quora.

Update: have → has

Posted in General | Tagged | Leave a comment

Trusting Microsoft

If you’re a Microsoft user and at all concerned about the security of your computers, you need to read this BoingBoing story about Microsoft’s cooperation with numerous 3-letter government agencies. If ever there were an argument for open source, here it is.

I love my Apple systems and I haven’t seen much about Apple doing this sort of thing but it does give me pause. If nothing else, it makes sense to use third party (open source) applications for full disk encryption and other security measures. It’s pretty clear that it’s foolish to trust any vendor large enough to be worth the government’s attention. If this sort of thing worries you too, check out Prism Break for some alternatives.

Posted in General | Tagged | Leave a comment

Bastien Guerry on Org Mode

I just stumbled across this video by Bastien Guerry on Org Mode. It’s a couple of years old but is an excellent introduction to Org Mode and pretty much up to date. If you’re wondering what Org Mode is all about or if you should take the plunge, this is an good place to find out more.

Guerry is one of the heroes of Org Mode. He took over the maintainer role from the Org Father, Carsten Dominik, for some time and is still active in its development. He’s an interesting guy as you can see from this excellent interview with Sacha Chua. Guerry has a surprising background for someone who has been so instrumental in the development of Org Mode.

The video is just short of an hour so block out some time if you’re interested. As regular readers know, I’m a longtime Org Mode user but I still learned a couple of things I didn’t know. Org Mode is like Emacs in miniature: there’s always something new to learn, even in the elementary stuff. Well worth your time if you’re at all interested in Org Mode or think you should be.

Posted in General | Tagged , | Leave a comment

The Perfect GPG Pair

If the NSA scandals are making you paranoid—and they should—one of the first steps you should take is to install email encryption software. Every time you read an article recommending the use of encryption software, the author inevitably remarks that it’s “hard” or “tricky” to set up GPG or PGP. That isn’t true. Really. Even your Mom can do. In the case of OS X, you just download GPG Tools and install it in the usual way. Other operating systems have similar packages.

If you’re extra paranoid and have a C compiler available, you can download GnuPG and compile it yourself. Of course, unless you’re a cryptography expert, in which case you already know all this, you’re still trusting GnuPG’s authors to implement the crypto correctly and not insert any weaknesses or backdoors. Since GnuPG is open source and lots of people who are crypto experts are looking at the source code, this seems an acceptable risk. As a practical matter, what better choices do you have?

That brings us to generating the keys that you use for encryption and signing. GnuPG walks you through that process and you don’t have to understand any of the technical details; just follow the prompts and choose the defaults. If you want to generate the strongest possible keys, Alex Cabal has an excellent post on Creating the Perfect GPG Keypair. Cabal walks you through the key generation process and tells you what choice you should make at each step to ensure a strong keypair.

Cabal also explains how to limit the inconvenience of a lost or compromised key. This is mostly for laptop users who may have their computer lost or stolen. On the other hand, your keys should be protected by a strong password so you may or may not want to take this additional step.

If you’ve been thinking about setting up email encryption or want to strengthen your current keys and encryption as much as possible, head on over and read Cabal’s post. It’s a good resource and shows you what to do even if you don’t understand the technical details of the crypto.

Posted in General | Tagged | 2 Comments

Why It Matters: A Story From Sweden

I ended my Dinner With General Alexander post with the observation that when the Government collects data, regardless of the stated rationale, there will inevitably be mission creep that sees the data being used in new, unintended ways and that it always leads to abuse. If that sounded hyperbolic to you, consider this article from Rick Falkvinge over at Falkvinge & Co. on Infopolicy.

Sweden, in 1975, started requiring that hospitals take a blood sample from every newborn child. This was specifically to test for and track Phenylketonuria, a genetic disease that can have severe consequences. The samples were preserved to enable research into the disease. Taken is isolation, this seems like a perfectly reasonable program. Help research into a dangerous genetic disease and track those that are susceptible to it. Unfortunately, the iron law of data abuse had a perfectly predictable outcome.

As early as 1998 the police began accessing this data to facilitate investigation of criminal cases. As I’ve said before, I’m an American and view these things through American eyes but this would be blatantly illegal here. It’s very hard to compel DNA from a suspect in America. I would imagine that Europe, with its more robust privacy laws, would have similar restrictions. Yet here we are with the Government seizing DNA data from individuals who had no opportunity to object to its collection.

If the data is there, anyone with an interest in exploiting it will demand access. The only way to prevent this is to prevent the collection of the data in the first place. We are, of course, way beyond that now. Our only recourse is to demand that the Government stop collecting it and destroy what it already has.

Posted in General | Tagged | Leave a comment