Jan Harasym

Designing highly scalable/resilient infrastructure by day; running hacker communities by night.

Read this first

GPG::SSH; notes for current best practices

When I start at a new company, I always do a refresher on my key security.

One thing I always hate about SSH is that the encryption scheme is actually pretty basic, and once your ssh-agent is loaded, anything can just ask it to sign/authorize.

So, in tried and true “over-engineering” fashion, I’ve taken to using my GPG key as my SSH key instead, and using gpg-agent instead of ssh-agent.

Another thing is to use elliptic curves instead of RSA. RSA is still secure, but ECC (ECDSA) is faster and theoretically more resistant, and everything from 2016 onwards supports it, so it’s fair to assume it is supported by my SSH programs of choice. :)

First, to create an ECDSA key we have to use expert mode with --full-gen-key:

jan.harasym@sm-mbp-jmh ~ % gpg2 --full-gen-key --expert
gpg (GnuPG/MacGPG2) 2.2.20; Copyright (C) 2020 Free Software Foundation, Inc.
This is free software: you are free
...

Fair warning: do not cold-mail me.

When you start a new job, one of the best things is that the spam stops.

For a brief period, all mail is relevant. Truly a beautiful experience.

It’s only a matter of time before the automated mail and sales pitches start rolling in. Maybe you sign up to some service, maybe you’re added to a mailing group…

But some overzealous sales people seem to have clairvoyance: they know you’ve started at a new company, they know what email address you have…

How the hell do they know?

Well, I don’t know. So let’s find out.

If you cold-mail me at my work email address, I’m going to reply with one of these:

Since I have not signed up for your service or any of its derivatives, I am hereby requesting access according to Article 15 GDPR. Please confirm whether or not you are processing personal data (as defined by Article 4(1) and (2) GDPR) concerning me.

In case you are, I am hereby requesting access to the...

Master branch considered harmful

Sitting on the fence with respect to political issues leaves me with few allies at a time when lines seem so firmly drawn. Looking in on US discourse, where this polarisation has become most acute, is odd for someone with a European mindset. The insular nature of American politics, and the myopic framing of issues by Americans, makes it difficult for an outsider to wade into, even when the outcomes affect them.

That said, this is important.

git logo
GitHub recently unveiled plans to rename the master branch of git repositories to something less politically heated. This is quite a noble sentiment, and selecting main as the branch name would bring it more in line with quite old though widely used version control systems like Perforce.

However, that is entirely overshadowed by the fact that GitHub will not stop supporting ICE [1]. The CEO of GitHub, who came out directly in support of...

The history we lost

There are some things that I feel are intractably good in tech history; things that, when I was a younger man, I considered to have a high degree of craftsmanship and an intuitive “niceness” to them. Little things that perhaps you disagree with. But this is my love letter to them, and my appreciation for their creators.

Windows 2000 background

This lovely background colour is what greeted you, warmly, on your newly installed PC. There is something very soothing about this particular background, and it was later mirrored in Windows XP (albeit a little lighter and “fresher”) and Windows 10 (darker, more “mature”).

Win2k

Since this is simply a colour, you can bring it back in Windows 10 by setting your background colour to the hex value 3B6EA5.

Hard disk activity lights

The first computer I had that forwent this was my MacBook Pro from 2011, and I lamented it at the time; but it’s a trend that...

Hiding in plain sight: Requirements for avoiding the Snoopers Charter in the UK

Preface

Snoopers Charter is the colloquial name we use to refer to the Investigatory Powers Act in the United Kingdom. If you’ve been living under a rock these past couple of years, you can read a very detailed description of it here. tl;dr: it forces ISPs to keep records of your internet history and gives the government the right to read that data; it is the first of its kind in a western country and has unfortunately been summarily repeated in countries such as The Netherlands.

Amber Rudd seems to be highly in favour of it, but she’s not known for being tech savvy and she’s not a known supporter of free speech. But I digress.

This article is not about the Investigatory Powers Act itself; it is meant to provide my slightly less technical friends with some advice about how to go about being a bit more private in that kind of hostile climate, and to talk about the sliding road we’re...

Cloudflare is turning off the internet for me

Ok, I’ll admit, I’m not the largest fan of centralisation, but rarely do I so swiftly and effectively feel the crushing weight of it.

I happen to use a very nice Chromium-based web browser which has JavaScript disabled when it opens. Often I find that nothing works, so I re-enable JavaScript and continue about my day.

This morning I went to work, as normal, turned on my laptop, and as it dutifully reloaded all my tabs from the day before I saw a few sites erroring out.

This is relatively common when I haven’t connected to the network yet, or on sites which don’t even attempt to load without JavaScript, so I checked my connection, enabled JavaScript and went about reloading the offending pages.

But I noticed quite a few of the pages showed the following:
bakadesuyo

Let me copy that for those who don’t like to read images:

Sorry, you have been blocked

Why have I been blocked?
This...

Defuse, wait, “forget”

Yes, I’m that annoying guy in the office that is never really happy with how things are working. So, please just indulge me.

Every time I bring up a concern, I am met with a calm and rational response which usually indicates a solution is right around the corner. The solution, as it happens, never does come around.

“We will adapt to change as required” is a common aphorism used when a team responsible for reinventing some solution does not actually have a real answer to a commonly held issue.

I’ve had so many of these kinds of topics just “vanish” or never get taken into consideration, and they tend to follow the same pattern. So I’m going to outline a few of them, in the hope that someone can tell me it’s either in my head, intentionally malicious or just plain incompetence.

Office Space

Normally what happens is that pain builds over time until there is enough pain to rally...

How to survive an open office.

my office

I’ve been struggling for some time to find a decent enough guide to actually accomplish anything meaningful (other than ad-hoc break-fix work) in my office.

One of the things I know is that this problem seems to affect me more than others, so for many people this advice (or lamentation) might seem like it comes from a weird place.

Especially since this is the first-worldiest of first-world problems.

However, for me, if I have some work that really must be done I end up doing it at home. When I’m in the office I just work on things as I get interrupted and cannot possibly focus on anything for more than 15 minutes. When I go home I feel exhausted; if I have enough energy I do the work I really needed to do during the day. It’s not even that I don’t have the time to do it during the day, it’s just that I end up procrastinating because I can’t get focused.

Ironically I get...

GPG GIT Commits.

If anyone is interested in setting up their system to automatically (or manually) sign their git commits with their GPG key, here are the steps:

  1. Generate and add your key to GitHub
  2. $ git config --global commit.gpgsign true ([OPTIONAL] every commit will now be signed)
  3. $ git config --global user.signingkey ABCDEF01 (where ABCDEF01 is the key ID or fingerprint of the key to use)
  4. $ git config --global alias.logs "log --show-signature" (now available as $ git logs)
  5. $ git config --global alias.cis "commit -S" (optional if global signing is false)
  6. $ echo "Some content" >> example.txt
  7. $ git add example.txt
  8. $ git cis -m "This commit is signed by a GPG key." (a regular commit will work if global signing is enabled)
  9. $ git logs

IntelliJ IDEA Integration

If you perform git commits through IntelliJ and want them to be signed, add the following line to your ~/.gnupg/gpg.conf file:

This option tells
...

RacAdmin Quick and dirty cheatsheet

This is an iDRAC racadm quick and dirty cheatsheet. The racadm command can be issued via the iDRAC, the CMC, or the OS if svradmin-racadm is installed. You can also specify the -h option to access a remote server's RAC as long as you have network access. If you are having problems with racadm (“Failed to initialize transport”), install openssl-devel. Full documentation for iDRAC7 can be found here.

% Get all iDRAC settings in a file

racadm get -f config.txt

If you like you can change the contents of config.txt and apply it back to iDRAC

racadm set -f config.txt

% Set password for root user

racadm set iDRAC.Users.2.Password PASSWORD

% List all ssh keys for root user

racadm sshpkauth -i 2 -v -k all

% Add ssh key to root user

racadm sshpkauth -i 2 -k 1 "CONTENTS OF PUBLIC KEY"

% Delete ssh key for root user

racadm sshpkauth -i 2 -d -k 1

% Get iDRAC IP config

racadm getniccfg
racadm get iDRAC.NIC

% Set iDRAC IP

...
