RememBear Password Manager

A few weeks ago I received an email offering to let me try the premium variant of the RememBear password manager for a year for free. I assume that I received this since I currently have an active TunnelBear subscription that I use for my VPN. I didn’t bother looking into things too closely, but my understanding is that you can normally use RememBear for free, but syncing your passwords between multiple devices requires a premium subscription… meaning that in 2020 when people have a phone, a tablet, and at least one computer, a premium subscription is basically a requirement. I figured that I may as well give it a shot in order to see if it could possibly tide me over until Dropbox Passwords is a bit more mature; a year of free service seems like a good bit of time for the Dropbox team to improve upon their product.

The RememBear apps for macOS, iOS, and iPadOS are all very slick. They feature the same cute, cartoon bear as TunnelBear. If I type in my master password on macOS, the bear will even move its head to follow along as I type. That being said, typing in my master password happens infrequently since the apps on all 3 platforms work really well with Touch ID and Face ID.

The apps on all 3 platforms also do well with auto-filling passwords for me, including with the browser extension for Safari on macOS. Likewise, the iPadOS app is, mercifully, an iPad application rather than the expanded iOS app. I did run into a few random bugs on macOS where the application would be blank after unlocking it, showing as if I didn’t have any logins stored. I saw another issue where my logins were all listed, but using the search feature wouldn’t return any results even if there were matches. In both cases, closing out of the application and re-opening it fixed the problem, and I only encountered each bug once.

Adding new devices or recovering your account is streamlined with a QR code mechanism that leverages another device which already has RememBear configured on it. This makes the setup quick and easy, though it remains unclear what recourse there is if the master password itself is lost and no other devices are configured. They don’t give you anything like the secret word list for Dropbox Passwords or the secret key from 1Password.

One of the nice benefits to RememBear over the immaturity of Dropbox Passwords is that it does offer an option for creating and syncing secure notes. I frequently use these for things like saving WiFi pre-shared keys. Unfortunately, I’ve had to start using these for saving API keys, too, because RememBear doesn’t offer the option to add multiple credential fields for each login. I can also store them, much as I did with Dropbox Passwords, in the provided notes section for each login, though it does make copying and pasting the keys a bit more annoying than in something like 1Password or Bitwarden which simply give you the option to add multiple credential fields.

The biggest issue with Dropbox Passwords, though, is unfortunately shared with RememBear: there is no web-only option. Installing the browser extension for Firefox, for example, will not work on my Manjaro Linux laptops because the desktop client is still expected and there is no Linux application. This was really surprising to me since one of the reasons I initially started using TunnelBear as my VPN service was due to the fact that they offered a standalone browser extension that I could use back when I had Chromebooks which couldn’t install any type of full-fledged VPN client. Given that RememBear has been around for at least a few years and is by no means a new product, I did a little bit of digging to see if there were any plans to support Linux or Chrome OS (while I no longer use Chromebooks because Google is pretty gross, Chrome OS support would indicate a standalone browser extension.) The latest I could find was a comment from May of 2019 on the Chrome extension which simply confirmed Linux and Chrome OS weren’t supported.

With its slick, cute, and bear-laden UI, RememBear is probably one of the nicest-looking and most user-friendly password managers around. For the overwhelming majority of people, it also likely ticks all of the boxes they would care about as far as features are concerned. Any Linux users out there, though, will be disappointed with the complete inability to use it with their operating system of choice. Here’s to hoping for web support or a standalone browser extension at some point in the future, but for the time being Linux aficionados are better off sticking with something like 1Password or Bitwarden.

Keychron K2 V2

I recently ran into a problem with my keyboard at home, a Logitech K350, AKA a Logitech Wave; the O key stopped reliably working. Sometimes it would work fine, sometimes it would work only when pressed with an excessive amount of force no touch-typist could reliably muster (at which point the key would clank down awkwardly), and sometimes it just wouldn’t work at all. Unsurprisingly, the letter O is one that I use with a good bit of regularly, so this presented a problem. I decided to go ahead and order a new keyboard and started sizing up my options. I didn’t do much research, though, before Craft Brew Geek recommended the Keychron K2 V2. He hadn’t used one but had seen positive feedback on it from some highly respected people (MKBHD, anyone?), and I think he wanted someone he knew to try it out before he decided if he should get one. I was happy to oblige after doing a little research of my own and seeing almost exclusively positive feedback.

The first thing worth noting is that this is Version 2. That’s important because you can find the first version floating around on the cheap. It’s important to not mix them up, though; the initial offering of the K2 was fraught with problems that V2 tackles nicely. V2 comes in a few different variants based on the lighting and body style that you want, along with how much you want to pay. I went for the variant with RGB lighting (cool but not that important) and an aluminum frame (extremely important.) I had read online that the keyboard sans frame was light to a detriment without enough weight to properly hold it down on the desk. I did pay more for the frame, but with the build and the features, this is still relatively cheap in the world of mechanical keyboards.

The K2 is a TKL (tenkeyless) keyboard, meaning that it doesn’t have a number pad. Unlike many other TKL models, though, it has 84 keys because it still features dedicated arrow keys and dedicated Home, End, Page Up, and Page Down keys. Memorizing another function layer for keyboards that don’t feature dedicated keys like this isn’t the end of the world, but I view having them as a significant quality of life bonus.

The bigger quality of life bonus, though, falls to the keycaps. The K2 features macOS-based keycaps. It comes with replacement keycaps for Windows in case you use an that operating system and need to swap Option for Windows and Command for Alt. This is pretty common among mechanical keyboards, though it’s worth mentioning that the K2 has a dedicated physical toggle to control if it’s operating in macOS or Windows mode; most keyboards use a software function for that. The bigger difference, though, is in the function row. Along with having the standard F1 – F12 markings, the keycaps also show the corresponding macOS function. As a macOS user, I can’t stress how helpful it is to have the keycaps appropriately marked so that I know which key is going to turn up my volume and which one will launch Exposé, for example. As another quality of life bonus, the K2 also features a dedicated screenshot key that’s the equivalent of hitting Command + Shift + 4 on macOS. That’s extremely cool in my opinion.

On top of all of this, Keychron also provides orange keycaps that you can opt to use on Escape and on the key which controls the backlighting. I thought they looked snazzy and decided to use them, though you can swap to more standard keys if you wish. I was also a pleasant surprised that a wire keycap puller was included rather than one of the cheaper plastic ones that’s all but guaranteed to scratch up your keycaps. While there are plenty of dedicated keys, there’s even more functionality of the K2 tucked behind key combinations in conjunction with the Function key. The included instruction booklet clearly highlights all of these, and it was a matter of minutes to get everything configured the way I wanted it.

The lighting in my photo isn’t great, but rest assured that you can eschew RGB in favor of locking the lights in to a nice shade of pink.

I’m the type of person who rarely uses any type of adjustable riser on my keyboards, and this was one of the biggest flaws with the original take on the K2; it was almost completely flat. V2 of the K2 has a nice, gentle slope that’s pretty much exactly where I want it to be. For those who want more of an angle, there are 2 sets of adjustable feet on the bottom. The official website only calls out the difference of 9 degrees, which has to be for the more drastic of the pairs. I’d guess the other is 4 degrees, but I wasn’t about to dig up a protractor to find out. The default slope makes for a very nice typing experience for me, so I haven’t even worried about the feet beyond confirming that they exist.

Typing on the K2 is an overall pleasant experience with one minor issue I’ll touch on later. Keychron offers three choices of switch: Gateron Blues, Browns, and Reds. This was my only real hesitance in deciding to buy the keyboard since I’ve always been a stickler for Cherry switches. I opted for the Gateron Browns even though I would prefer Blues simply because I’m using this keyboard for work, and I don’t need my typing to be any louder than it already is while I’m thundering out 120 WPM on calls. While the Gateron Browns don’t feel quite as nice as Cherry Browns in my opinion, they’re really close. Both Cherry and Gateron Browns even actuate at the same 55 grams. I feel good that my concern over the switches wasn’t warranted.

The K2 can connect to devices either via Bluetooth or USB-C. I’ll likely never use it via Bluetooth if my Plum Nano serves as any indication, so USB-C will be my go-to method. This is where one of the two issues I have with the K2 V2 comes into play. The USB-C port is on the left side of the keyboard rather than the back, which you can see in the top image. The provided USB-C cable accounts for this by connecting at a right-angle so that it can immediately be directed behind the board, and this seems to work fine… as long as I have that cable. If I’m ever forced to use a different, more standard cable, that’s going to make for a janky setup.

The other issue I have with the K2 V2 I hesitate to even really call an “issue”; it’s more something I need to adjust to a little bit as a touch-typist. The right Shift key is a little bit shorter than it would be on a standard ANSI QWERTY keyboard. This is done to allow for the dedicated arrow keys. I would say that 98% of the time (yes, I’m completely making up this number), it’s not an issue. The other 2% of the time, I accidentally extend my pinky just a bit too far and hit the up arrow or awkwardly catch the edge of the Shift key. It’s not a huge ordeal, and as someone who has periodically dealt with using ISO keyboards before I know I’ll adjust quickly; it feels worth mentioning, though. It’s also good practice for me since my Starlabs Lite Mark III that’s currently sitting in customs in the UK has a much shorter right Shift key for the exact same reason.

On the whole, I’ve been extremely pleased with the K2 V2 so far. I’ve used it for a little over a week, generally spending 9 – 14 hours a day on it between work, training, and personal projects. It’s a treat to type on, the functionality is nice without being overkill, and I think the size really hits the sweet spot between not taking over my desk and not forcing me to re-adjust it every 5 lines of code because it’s constantly moving; the aluminum frame that I opted for undoubtedly helps it in that regard. I really do think that for $90 USD you could do significantly worse, and the K2 V2 has features and a build quality I’d be expecting from a mechanical keyboard in the $120 – $150 USD price range. I think this is a great keyboard for anyone, but especially if you’re a macOS user in the market for a mechanical keyboard, the Keychron K2 V2 would be a smart place to start.

Apple Music: Back in the Saddle

For anyone who listens to the Same Shade of Difference podcast, you may have heard a brief discussion between Mark and I about how I had switched from Apple Music to Amazon Music. I’ve previously been a fan of Spotify, though I became increasingly irritated with the focus they started giving podcasts rather than music. I know it’s weird coming from someone who has spent the past couple of years creating podcasts, but I don’t listen to them. Additionally, I don’t really want them being advertised to me when I’m trying to look for music. When I swapped to an iPhone about a year ago, I decided to try out Apple Music since I could get a few months of it for free. After my free 3 months, I decided to stick with it. Recently, though, I swapped away from it and decided to give Amazon Music a shake. After about a month and a half, though, I quickly abandoned ship back to Apple Music.

First, let’s start with why I left Apple Music in the first place. After all, I use a MacBook Pro, an iPhone, and an iPad. Shouldn’t Apple Music be my best choice? The main issue is that the Apple Music application on macOS is, to be blunt, a dumpster fire. The application has a plethora of issues when it comes to responsiveness and playback. “Did I accidentally miss clicking on that button or is the application just being super slow?” is a question I find myself asking on the regular. The biggest issue, though, is when it just randomly decides to either 1.) not load or 2.) skip every song as though playback is unavailable. It’s not at all uncommon, for example, for me to click the Browse option from the menu only to be presented with a completely blank UI. No buttons, no albums, no genres. All I can do is quit the application, re-launch it, and hope for the best. In other instances, Apple Music will rapid-fire skip through tracks as though they’re unavailable. It’ll select a track from whatever album or playlist I’m trying to listen to, pause for a second or two, immediately skip to the next track, and just repeat this endlessly. Searching online shows plenty of people experiencing the same issues. Usually some secret handshake combination of signing out and back in, de-authorizing and re-authorizing the device, and switching networks (yes, really) will sometimes take care of the problem. It’s frustrating to the extreme.

With that being said, what would make someone switch back? First, let’s talk about what’s good about Amazon Music. The application on both macOS and iOS/iPadOS is rock-solid. I didn’t experience any errors, playback problems, bugs, etc. Beyond that, though, it was just an incredibly lackluster experience; while there wasn’t anything I’d qualify as “bad”, there also wasn’t anything I’d qualify as “good”. To start off, the application regularly would pester me about doing a free trial for their Premium offering that allows you to stream music at a higher bit-rate. It would offer 3 months of that, after which time it would automatically swap me from paying the standard $10 USD a month that everyone charges for their individual plan to $15 a month. Hard pass.

While that was irritating, the bigger issue was the lack of personalized content. Apple Music and Spotify both offer a handful of customized playlists each week showcasing music that you like, music to fit different moods, etc. Amazon Music gives you one; you get a discovery playlist, and it doesn’t even necessarily focus on new releases. That was a major letdown for me.

I had initially thought that I would just step up the manual work to discover music on my own, but this is where Amazon Music really fell apart. As anyone who knows me is likely already aware, I listen mostly to indie music. Amazon Music doesn’t even delineate indie into its own genre; to see indie music, I had to browse through the “Alternative” section. This means that when I’m trying to check out new releases for discovery, I’m shifting through garbage like Coldplay while trying to reach gold like Falcon Jane. Music discovery in Amazon Music quickly became less enjoyable and more frustrating. To make matters worse, shortly before I switched away from it, the macOS application received a complete overhaul that did away with the normal ability to browse through different genres and playlists. Everything suddenly revolved around searching, and while it worked to get me to the same content as before, it was ultimately a very clunky and unintuitive experience.

The nail in the coffin, though, was that Amazon Music doesn’t bother to get the rights to a not insignificant amount of international music. For example, when Lee Suhyun’s track ALIEN released, I was surprised to see that it wasn’t available on Amazon Music. The same thing happened with Reol’s track Q?. At this point, I realized that I just really needed to switch to a different service.

So now the last big question: why did I switch back to Apple Music instead of going back to something like Spotify? There were several reasons. One of the big ones is that I’ve been interested in subscribing to Apple One. I was wanting to bump my iCloud storage space up a little bit, and if I was using Apple Music then it seemed like the easy decision that would also get me access to Apple TV+ and Apple Arcade. Additionally, I’ve been interested in the Apple HomePod for a while but never wanted to spend the $300 USD on one; when they started dropping to $200 USD over the past few months, I figured that had to be due to something new and exciting being on the horizon. Sure enough, the HomePod Mini recently released, and I decided to pull the trigger on one. While Apple Music does work with Amazon Echo devices, of which I have several, I figure the HomePod Mini will offer a much more elegant experience. The final reason is pure laziness; I didn’t want to bother with trying to update all of my playlists yet again. When I moved from Spotify to Apple Music, I spent more time than I care to admit moving all of my playlists over by hand. When I decided to try out Amazon Music, I went through the same process again. I didn’t relish the thought of moving nearly a year’s worth of playlist updates from Amazon Music to Spotify; if I stuck with Apple Music I’d only have to worry about catching up my playlists on the last month of content… a month that was a bit of a discovery drought due to the issues already mentioned.

After switching back, I’ve already discovered significantly more music than I had while I was using Amazon. I’ve also run into a couple of issues with the macOS application for Apple Music, but I’m trying to keep my hopes up that things will be better with it on the new Macs running on the M1 chip. In the meantime, I’ve updated the links on both my About page and jfabhd.com to point to my Apple Music profile; feel free to scope out my playlists!

Books: Attack Surface

Attack Surface is the latest novel by amazing author and journalist Cory Doctorow. Cory is one of those people with whom almost anyone interested in digital rights and online privacy is likely at least somewhat familiar. While I followed Cory on Twitter (back when I still used Twitter) from my early days on the platform and regularly read his content on Boing Boing, I never read any of his books until Craft Brew Geek convinced me (not that it took a lot of convincing) to read Little Brother and Homeland. The two are young adult novels in a series that ostensibly address the fallacy of “I don’t need to worry about my privacy if I have nothing to hide.” While categorized as science fiction, the books are set in a very near future, featuring invasive technologies that are either 1.) actually present today or 2.) aren’t that far off. The novels should essentially be required reading at this point for anyone who uses technology (i.e. basically everyone.) They were the topic of Episode 15 of the Unusually Pink Podcast, while Mark and I more recently discussed them in the Same Shade of Difference.

Attack Surface is the 3rd novel in the series. Set a few years after the events of Homeland, it switches things up a little bit by focusing on one of the supporting characters from the first two novels, Masha. In the first two novels, Masha has been on the inside of extremely invasive government surveillance programs and also has had some whistleblower run-ins. Attack Surface zeroes in on her perspective.

In a vacuum, I feel like Attack Surface is an extremely good book, and I would highly recommend that everyone give it a read. It provides a very real and very terrifying look into the type of surveillance that’s possible in the world of state-sponsored threat actors. Operational security guidelines are almost always prefaced with the idea that not everyone has the same opsec requirements. Attack Surface showcases the absolute worst case scenario of state-sponsored ATPs and what they’re capable of doing in terms that aren’t very far-fetched. I also enjoyed the change of Masha becoming the main character. In my opinion, at least for the first two thirds of the novel, she provided a nice dose of realistic pragmatism that contrasts sharply with the almost wistful naïveté provided by Marcus in the first two books. That being said, I’m a bit more critical of the writing in Attack Surface than I was with Little Brother and Homeland for reasons that I’ll get into a little later on. Likewise, I feel like the novel had an excellent opportunity to really set itself apart from the first two books in the series, but in the end it kind of fizzled out into more of the same.

As I mentioned previously, Little Brother and Homeland are categorized as young adult novels; the publisher, Tor, published them under their Tor Teen line. Attack Surface is published under Tor, and from the start of the novel it’s apparent why. I haven’t dug into things to see if this was the intent, but it certainly feels like the novel is aimed at a slightly older audience. Masha regularly drinks to excess and enjoys using colorful language; maybe that’s why I enjoyed her so much as a protagonist. The subject matter for the book often ventures into areas untouched by the first two novels; Masha regularly deals with sexual harassment, the violence depicted is frequently more severe than before, and a rape is described with enough detail to make anyone with a moral compass feel uncomfortable and angry at the same time. Personally, I feel like this setup works well, if indeed that was the goal. Readers who may have actually been in the “young adult” range when the first two books came out would likely now be old enough to be looking for something with a bit more substance to it.

However, I feel like this comes with an additional price tag for an author when it comes to telling the story, and I didn’t feel as though Attack Surface was really up to the task. The story is told alternating between Masha operating at the present and Masha reliving moments of her past. It’s a nice technique that slowly bridges the gap between what happened behind the scenes in material not covered in the first two novels and brings Masha up to speed in the present. Only… it doesn’t. After covering how Masha originally got started with the DHS and how she moved into the private sector with security contracting for the government, it covers how she eventually came under scrutiny for possessing the classified intelligence she had that she gave to Marcus in Homeland. After the resolution of Homeland, though, there’s just a massive gap in time. At the start of Attack Surface, Masha is working for yet another security contract firm… after she was literally kidnapped and imprisoned in Costa Rica by the last one? What on Earth has to happen to make someone decide that’s a good decision? While it may be easy to think sweeping those details under the rug isn’t a big deal, I personally think it’s extremely relevant when she spends such a significant amount of time in the present debating her lifestyle and what her next security job should be even while she grapples with the knowledge that the work she’s been doing doesn’t make the world a better place. She has direct, firsthand knowledge of the seedy inner workings, rife with illegality and no one questioning if because we can means we should. This seems like a hole in the plot extremely relevant to Masha’s present state of mind.

Likewise, the ending just felt haphazard to me. Masha ends up moving back to Berlin to do… what? No one knows. She laments multiple times throughout the novel that she has a lot of money at her disposal but not that much money. Being able to continue earning money is a common quandary for her when she’s trying to figure out her next move, and she ends up giving up many opportunities for that during the climax of the story. Are things good for her? Did she end up making an even bigger sacrifice than she had conceived in the moment? I feel like the latter could have added some gravitas and made the climax less campy.

Speaking of the novel’s climax, as mentioned before I couldn’t help but feel disappointed that it just turned out to essentially be the same as the first two novels. The book started out very strong and very different from the rest of the series, with Masha doing contract work in a fictional eastern European country simmering on the brink of revolution against an authoritarian government. Masha is playing both sides, installing intrusive Internet trackers by day and helping protesters avoid them by night. Shit hits the fan almost immediately, which leads to Masha being terminated from her position. She ends up going back to the United States, and by the halfway point of the novel Marcus and Ange are once again prominent characters. The story settles into a bit of a familiar routine, and suddenly it’s up to the same handful of white kids to save the Bay Area… for the third time. I know I’m tainted a bit by my view as a jaded millennial, but that was why I liked Masha’s pragmatic and frankly realistic outlook so much. While I understand that part of the novel is exploring her personal growth while she changes her viewpoint, I saw the erosion of that pragmatism to the same flavor of “everything’s going to work out if we stick together and do the right thing!” viewpoint coming straight from Saturday morning cartoons in the 90’s and spouted by Marcus as disappointing. The unrealistic kumbaya session after the final protest could have been tempered a bit if we had more details of Masha’s aftermath, but as I mentioned that information wasn’t shared.

If anyone is still reading this, they’re likely confused as to why I said at the start of the post that Attack Surface is an extremely good book since all I’ve done over the past 5 paragraphs is rip into it. I really do think it was a good book, but it’s a good book in the way that Little Brother and Homeland were already good books. I don’t feel like Attack Surface did anything to differentiate itself; it’s basically telling the same story for the third time, and that’s why I’m so critical of it. I feel as though the first half of the novel set the plot up to tell a fresh story with a fresh take and fresh consequences to a more mature audience. Instead, it played things safe by going back to the same story we’ve heard twice before. While that’s a strong and important story, don’t get me wrong, Attack Surface could have been so much more.

Even More Storage: Yearly Bonuses For Paid ProtonMail Accounts

It’s no secret around this blog or for anyone who listened to the Unusually Pink Podcast that I’m a fan of ProtonMail. While it’s unfortunate that privacy in the world of computing often comes with an associated monetary cost, the simple fact of the matter is that if you aren’t paying for your email account then chances are the provider is making money off of your data that happens to be stored in it. Google, for example, is happy to give you free email so that they can scrape your data out of it and make a comprehensive profile about your life for advertising purposes. ProtonMail takes a firm stance against this practice, and they actually do permit users to create completely free email accounts that are never scraped or monitored; their setup actually ensures that they couldn’t access the plaintext content of your email even if they wanted to. Doing this is only possible, though, because some users opt to pay for additional features and thus subsidize the free accounts. I happen to be one of those people who has been paying for a few years now both to help support the ProtonMail mission and to get access to a custom domain in my account.

ProtonMail occasionally likes to give special perks to their paid customers as a token of appreciation; I’ve written before about how they’ve given away a bonus 5 GB of storage for paid accounts. They’ve done the same thing another time since that post, giving me 10 GB of bonus storage on top of the 5 GB that comes with my paid plan. While I said at the time of my original post that I didn’t really need the storage at the moment but was happy to have the extra bits just in case, ProtonMail has subsequently stated that the storage can be shared with the upcoming ProtonDrive secure cloud storage offering once that’s available.

As another token of gratitude, ProtonMail has announced regular storage increases for paid accounts; each year that a paid account remains active, it receives 1 GB of bonus storage on the anniversary. Even better, this is retroactive. Since I’ve had a paid account for 3 years, when the initiative was implemented I immediately received 3 GB of bonus storage. I’ll get a 4th GB on my yearly anniversary coming up later this month:

The general principle is straightforward:

– When you sign up for any paid Proton plan, you are automatically eligible for Storage Bonuses.

– On the one year anniversary of your paid subscription, you will receive 1 GB of additional storage for free that can be used with your ProtonMail inbox. (In the future, your storage will be shared between your ProtonMail inbox and your ProtonDrive vault.)

– This will happen every year, and your Storage Bonuses will accumulate as long as you have a paid plan with Proton without interruption.

While the current bonus value is 1 GB right now, they say this will increase in the future, though it’s unclear if the increase is also retroactive or if it will only apply to new bonus accumulations going forward:

The current Storage Bonus is 1 GB per year, but this will be increased in the future.

The full details are available, along with a FAQ, from their support article. The tl;dr is basically that you get bonus storage every year on the anniversary of your paid account as long as you remain with a paid subscription on any Proton product. This means that if you pay for ProtonVPN but not ProtonMail, you’re still eligible for the bonus storage. That eligibility and current storage accumulation continues to apply even if you stop paying for ProtonVPN and start paying for ProtonMail (or ProtonDrive when it comes out) as long as the two periods overlap. Having a lapse in paid subscription will reset the accumulation of bonus storage.

All told, I think it’s another nice perk from ProtonMail, and with the ability to leverage the storage for ProtonDrive, a product that I’m highly looking forward to, the more storage that I can get my hands on the better.

Books: Hands On Hacking

While I’ve been stuck at home as the global coronavirus pandemic rages on (currently on day 241 of quarantine, for those who listen to the Same Shade Of Difference), I’ve been trying to make the most of my time in captivity with lots of reading, training, and personal projects to learn as much new stuff as I can. One of the items that came on to my radar a few months ago was a new infosec book titled Hands On Hacking from Wiley. Written in part by Hacker Fantastic, who I’ve followed on Twitter for quite a few years across my various accounts, I figured it would be a good refresher for some of the hacking concepts I’ve used before and a primer for newer tooling that I’m not as familiar with.

As you can see from the book’s cover, the idea is to teach “purple teaming”, which is the idea of doing away with the silos for the “red team” that tries to breach systems and the “blue team” that tries to defend them. The book covers the full gamut of hacking, starting with open source information gathering to get as much data as you can about your target before actively engaging with any of their systems all the way through compromising web applications and moving laterally through internal systems.

All throughout, the book uses purple teaming as a focus; it very clearly outlines that taking part in any of the activities covered without the express consent of the owners of the system can carry severe legal penalties. The goal is to assist you with either a career as a penetration tester or to give you the tools and knowledge to be able to pen test and secure your own systems that you manage. You will not read the book and immediately find yourself living the life of a Mr. Robot character.

The book, in my opinion, is very well written. While I was familiar with most of the concepts covered, I think it was written in a way that makes the material approachable even for readers without much prior knowledge in the world of infosec. That being said, while there is a good bit of hand-holding in the introduction to Linux, I think there are some basic, assumed competencies in the world of computing. I don’t think that’s a fault; you really have to draw the line somewhere, and I think the authors did a fantastic job of making everything as approachable as possible.

The book comes with a complete lab environment with virtual machines pre-configured to be exploitable in a fashion to demonstrate the concepts covered in each chapter of the book, giving readers the option to either read the book purely for information or to work through the labs and practice executing the material discussed. In my mind it’s essentially like a self-guided, DIY version of something like the excellent Foundstone Ultimate Hacking class that I was fortunate enough to take a few years ago.

If you’re already a skilled hacker, is the book going to enlighten you to new, next-level exploits? Definitely not. But if you’re a systems administrator who is responsible for the managing servers at your company, a SaaS admin responsible for identities, or a developer responsible for creating applications exposed to the Internet at large, it’ll give you a very solid baseline for making sure that your own systems aren’t vulnerable to the most egregious of issues. I personally found the open source intelligence gathering chapter very useful; it covered techniques and services for determining the amount of information about your company and specific details regarding the employees that’s available to literally anyone with an interest in finding out more. It’s allowed me to work through setting up some scripts to automatically check on this and notify me when perhaps more information is leaking out than it should due to things like 3rd party breaches where users may have signed up with a company email address.

Similarly, I think the book is also a good read for leadership-level people who may not need to know the technical details of how hacks are accomplished but need to be mindful of what’s possible and what their employees should be looking for when developing and administering systems. These readers likely don’t need to go through things like achieving the exploits themselves in the lab (though obviously it’s cool if they want to), but the book can serve as a nice reference for what the company’s employees should be looking for when they decide to roll out a new service or application.

Trying Out NextDNS

I recently decided to take a little bit of time to set up NextDNS. While on the surface it’s similar to the myriad other DNS resolvers out there you can opt to use instead of the likely horrible DNS servers provided by your ISP, NextDNS is essentially a cloud-based Pi-hole. You can use some of the built-in blacklists in the product to block things like advertising, trackers, malware domains, and more. There are a few key benefits to blocking things at the DNS level rather than relying on something to do the blocking your web browser. First off, most mobile browsers don’t offer the same robust extension ecosystems we’re all used to with full computers; you might be able to toggle some settings to block trackers, for example, but advertising is often a different beast altogether (though the really bad advertisements typically also have egregious tackers, meaning that blocking the trackers will block the ads.) Additionally, there are some nefarious browser extension posing as ad-blockers, and there have been instances of legitimate extensions being sold and turned nefarious. Google’s extremely sleazy war on ad-blocking also makes DNS-based filtering attractive, though I’d still recommend people avoid Chromium-based browsers if at all possible. The other nice part is that you can easily configure DNS settings on a router, meaning the same degree of protection can apply to IoT devices with no accessible network settings of their own. This similarly applies to applications on your computer that connect to the network outside of a browser, as we’ll see later.

NextDNS handles this by allowing you to specify your public IP address in their portal, thus linking traffic from your home with your NextDNS profile and all of the configurations that are in place there. The only caveat to it is needing to configure DDNS in some way or simply remembering to go to the portal in order to update the IP address should it ever change. Additionally, they offer apps for basically every major platform for configuring your devices and pointing them to the appropriate account. While you can just update the DNS settings in your host operating system rather than using an app, the app is still required for linking your device to your profile so that it will leverage the appropriate block lists. What I found to be really nice was that the iOS and iPad apps are able to leverage the new iOS 14 DNS profiles, meaning that it doesn’t need to create a shell VPN tunnel just for your DNS requests; that’s a huge win.

To really test it out, for about 2 weeks I disabled the ad-blockers in my common browsers and tried to let NextDNS handle the brunt of my filtering needs. Getting it configured everywhere was fairly simple. The web portal will tell you what your current public IP is and offers a simple button to update your account to leverage that IP address. This made it simple to get basically everything in my home network using it after I modified the DNS servers in my router. I still went ahead and configured the settings individually on my devices, too, for the rare instance during a global pandemic when I’m on a network other than my home network. The iOS and iPad apps just need you to tap a button to add the new DNS profile to the device. Likewise, the macOS app simply adds a new icon to your tray at the top-right and offers a toggle for turning on your NextDNS settings. Unsurprisingly, there’s no Manjaro Linux app, though the service offers a bevy of examples for configuring your DNS settings on Linux; you’re just stuck in the position of not being able to link the device to your NextDNS account if you happen to leave the home network. The only real problem I ran into was that I had configured Firefox to use DNS over HTTPS and forgotten about it; once I realized I needed an additional change beyond the OS DNS settings, everything was fine.

Operating this way, for the most part browsing the web was business as usual. Not quite as many advertisements were being blocked as I would have expected with a browser extension enabled (more on that later), but on the whole the experience was still positive. What really surprised me, though, was the degree to which IoT devices are just an absolute dumpster fire; checking the metrics NextDNS generates showed that anywhere from 10 – 20% of my total DNS requests were being blocked, but nearly all of the top 10 blocked domains were based on under-the-hood queries being made by my devices phoning home rather than from actual advertising or tracking on web pages. All of this is nicely showcased with graphs in the NextDNS portal:

While I expected the combined privacy invasion of my two Amazon Echo devices to be the worst offender, my single Roku device actually took the top spot by a significant margin. My top 10 blocked domains were:

  • scribe.logs.roku.com – 17,226
  • device-metrics-us-2.amazon.com – 1,327
  • telemetry.dropbox.com – 1,121
  • giga.logs.roku.com – 1,095
  • device-metrics-us.amazon.com – 794
  • mads.amazon-adsystem.com – 717

The only non-device domain making the top 10 was from telemetry queries from Dropbox, the frequency of which was a bit disturbing. Roku really caught me off guard, though, with a single device making over 18,000 queries in just a couple of weeks. While using more domains, the two Echo devices made under 3,000 (which is still really bad!)

As a bit of an aside, I was curious if the devices would simply give up on whatever they were phoning home about and drop the information or if they were storing it locally to upload in a bulk at the first opportunity. I ended up disabling NextDNS on my router around 9 AM and checked on the traffic of both my Echo and my Roku, neither of which were being actively used at the time. The Roku showed zero data use since the time I had been streaming with it the night before:

The Echo, on the other hand, immediately spiked with network usage to transmit who-knows-what. That’s nice and terrifying:

The other insight I found particularly interesting was just how deeply some of the biggest players on the web have their claws embedded across the Internet. For example, I don’t think any big Internet company is more evil than Facebook (though Google is trying hard), so I created a custom blocklist preventing facebook.com from resolving. This prevents not just Facebook from loading but also some of Facebook’s other properties. For example, I hate and don’t use Instagram, but some friends occasionally send me posts from there. Instagram straight up won’t work if the main Facebook domain can’t be resolved. How gross is that?

NextDNS operates by giving you 300,000 customized DNS queries per month where your policies and blacklists will be applied. After 300k queries, the service will act like a normal DNS resolver; while your devices won’t suddenly stop having functioning DNS, they won’t be benefiting from any of the blocks you might be expecting. For just a couple of dollars a month, you can get access to unlimited DNS queries, and subscribing for a year gives a month for free. I found staying on top of my query usage to be a bit confusing, though. As is shown in the screenshot above, my total number of queries for the month is provided, along with how many were blocked. I was averaging around 30,000 queries per day on this graph. I realized after the first week, though, that going into my account settings in the NextDNS portal gave me a different metric on how many of my free queries had been used, and the data there was significantly lower. I ended my testing after using 280,000 queries according to the analytics graph, while my account settings showed that I had used just shy of 200,000 queries. I have no idea how those two numbers are different by 80,000 queries, especially when the two weeks of testing were done in the same month.

While I liked NextDNS, it wasn’t perfect. I had mentioned previously that the blocking wasn’t quite as good as what I’d expect from just relying on an extension when browsing the web. The main reason I could see for this is that some companies host trackers and advertising on the same domain they use for other, more legitimate purposes. For example, checking the blocked tracking metrics within Safari 14 showed that bing.com was still high in the running. Naturally a service like NextDNS can’t just block the entire Bing domain without breaking plenty of services people actually might want to use. If “close enough” satisfies your needs for blocking ads then I could see NextDNS being a good solution. If you’re like me and want to block everything, though, then you’re still going to need extensions in your browser, and that makes the value proposition for paying for something like NextDNS for unlimited queries a bit less tenable. What ultimately made the decision for me, though, was that I ended up running into a handful of issues with the app I used the most: the one on macOS. I’m willing to own that the issue might stem from my setup or my device, as my MacBook has 4 different VPN clients on it that I use (and frequently switch between) for work, the network stack on the device crashes with semi-regular frequency, and my home network is significantly more convoluted than most. What I saw, though, was that my DNS queries would periodically just fail. Trying to dig from the CLI would give me a timeout error, like the NextDNS servers weren’t responding. Pings to known IP addresses worked fine. If I turned off the NextDNS macOS application, then everything worked fine. Toggling it back on would result in broken queries again. Fixing this was a mixed back that ranged from completely closing and re-launching the app to disabling my wireless network in macOS all the way to rebooting my laptop. Between that problem and the fact that it wasn’t a standalone blocking solution for me, I opted to not dive into paying for the service, even though it has a lot of promise and does keep my Roku from being the chattiest device possible.

SSIDs Everywhere

As someone who has been an apartment dweller for a relatively long time, there are some extremely solid perks to it. It’s nice to never have to worry about things like maintenance, for example; if something goes wrong, I open a service ticket and someone shows up to fix the problem. When my furnace wouldn’t start on a cold day, for example, I wasn’t scrambling to figure out who to call. There are some downsides as well, though. For one, many people are frustrated by the fact that they can’t customize their home to the degree they’d like with respect to things like the color of the walls. Anyone who knows me knows that I couldn’t possibly care less about that. What does give me grief, though, is how significantly the spectrum around me is completely polluted by my neighbors.

I had issues with this in my last apartment, which was roughly the same size as my current apartment but with a longer, narrower layout than my current home. When I moved my home office to the bedroom, which was at the opposite side of the apartment from where my router was, I saw a noticeable performance decrease in my home network; this was a problem when I was working from home and an even bigger problem when I was trying to reach Platinum in Overwatch (spoiler alert, I didn’t manage to do it.) At the time, I replaced my cheap home router with a mesh WiFi setup so that I could utterly drown out my neighbors with sheer WiFi dominance. I ended up buying a pack of 3 access points because it was only slightly more expensive than buying 2 access points individually. That was more than enough to blanket my 900 square foot apartment, and I didn’t really think too much about my setup after that.

Fast forward to my current apartment, which is located in a much more populous area than where I previously lived. Pre-pandemic, I still didn’t think too much about my home network setup. The only bandwidth-intensive activity I did was video streaming, and that was mainly done from streaming sticks connected to my TV that was literally right on top of the router/access point connected to my modem; I never ran into issues with it. After the pandemic kicked into high gear in this area, though, I started living from my home office and spending unholy amounts of time on web conferences. While they worked well enough most of the time, I’d periodically have spikes of extremely high latency that would cause me to sound like Megatron’s cousin while on calls. This was annoying on work calls and infuriating when trying to record podcast episodes.

At first I assumed that the problem had to be upstream with my ISP being overloaded since suddenly everyone was staying home all the time. As the problem persisted, though, it made less and less sense to me. It would be reasonable if this behavior happened during the evenings when everyone is sitting around binge-watching their favorite shows because they can’t go out. When my network is choking to death on a 9 AM call, I was scratching my head. Surely not enough people could be doing video calls at that time, right? While latency affects VOIP traffic heavily, it isn’t exactly the most bandwidth-intensive thing to be doing in 2020.

Thinking my mesh network was the problem, I even tried ripping it out and replacing it with a single router connected to my modem. While it at first seemed to have a bit more stability, I still ran into some of the same problems. Finally, I realized that I was seeing a lot of networks when I just looked at what was available from any of my client devices. I fired up WiFi Explorer and was presented with this nightmare.

If you’re thinking that looks disgusting, you’re correct. Every channel in both the 2.4 GHz and 5 GHz bands is completely packed with networks. I’ve been checking this periodically since realizing it could be the problem, and I regularly see anywhere between 50 and 70 different wireless networks from my apartment. Yikes.

Admittedly, I’m part of the problem. I’m broadcasting with a 5 GHz and a 2.4 GHz network from a router that I use exclusively for work. I’m also broadcasting a main and guest network on my main mesh setup. That causes matching SSIDs to broadcast on both the 2.4 GHz and 5 GHz spectrum on each of the 3 access points per network, meaning I’m technically broadcasting 12 SSIDs. Even so, I’m still competing with, at minimum, 40-ish other devices crowding the same spectrum.

After coming to the realization that I may have been blaming all of the wrong things, I adjusted the setup of my access points so that the main router/access point which is connected to my modem is in direct line of sight across my apartment from the mesh access point at my office desk (which moved from the desk proper to a table next to the desk.) Since doing that, knock on wood, things have at least seemed to be a bit more stable for me. Either I’ve been having a better experience on web conferences or no one bothers to complain to me about it when my audio suddenly sounds like garbage because they’re just used to that happening from my end.

All that being said, I do still have an issue where the network stack on my MacBook Pro will crash, leaving me with no network connectivity until I disable and then re-enable WiFi. I haven’t managed to find a fix for that particular problem yet, though I imagine having 4 different flavors of VPN client installed probably isn’t doing me any favors.

Ubuntu Linux GRUB Error After 20.04 Upgrade

While I’ve nuked my personal VPS, I still have a VPS that I use for work; it comes in handy for things like running cron jobs, maintaining persistent shells, and generally handling things where a Linux shell seems better than a macOS shell (I’m looking at you, remote PowerShell sessions connecting to Microsoft Exchange.) This week I decided to upgrade it from Ubuntu 18.04 to Ubuntu 20.04. I like to stick on the LTS (long term support) releases for my servers, but I do typically prefer to keep even the LTS releases upgraded rather than waiting for them to go end of life. I could have kept using Ubuntu 18.04 with maintenance updates until 2023 and security maintenance until 2028, but what’s the fun in that?

Upgrading a VPS is always a bit of a nerve-wracking situation just because I don’t have local access to the host in case something goes extremely awry. Ubuntu tries to help alleviate this by opening a second SSH daemon on a different port just in case the primary daemon crashes during the upgrade, but if the machine ends up in a non-bootable state I’m still more or less hosed. Fortunately for me, things almost went off without a hitch… almost.

While the upgrade did complete, I received an error toward the end of the process that GRUB failed to upgrade successfully. This was mildly terrifying since GRUB is the bootloader; if it’s not working properly the system won’t boot, and I can’t access the host of the VPS to troubleshoot it. Luckily, GRUB continued to work in my case, and my system was able to reboot successfully after the 20.04 upgrade and beyond. GRUB just wasn’t getting upgraded. I quickly noticed that I also received an error from GRUB every time I ran sudo apt update && sudo apt upgrade to update my system. Again, the other packages would upgrade successfully, but GRUB would always complain:

dpkg: error processing package grub-pc (–configure):

installed grub-pc package post-installation script subprocess returned error exit

status 1

Errors were encountered while processing: grub-pc

E: Sub-process /usr/bin/dpkg returned an error code (1)

After spending some time just ignoring the problem since it wasn’t exactly critical, I finally decided to do some digging. It turns out that problems like this have apparently plagued Ubuntu upgrades for a while, as I found a thread with the same problem all the way back with an upgrade to Ubuntu 14.04. The solution in that case was to simply “nuke and pave” by removing GRUB and then re-installing it. It’s once again a bit of a white-knuckle situation since if anything happens between removing and reinstalling GRUB the system will not have the ability to boot. The steps were very similar to the linked thread with some minor differences in the era of Ubuntu 20.04. The first step was still to purge GRUB:

sudo apt-get purge grub-pc grub-common

Running this command in 2020 removes /etc/grub.d/ already, so there’s no reason to manually run the removal. Instead, I next moved straight to re-installing GRUB:

sudo apt-get install grub-pc grub-common

The installation process kicks off an interactive wizard asking which disk(s) GRUB should be installed to. In my case, I only needed it on the main disk, which is /dev/sda. With that done, I updated GRUB and then rebooted:

sudo update-grub
sudo reboot now

This part kind of sucked as I was left running nmap against the SSH port for my VPS and hoping that GRUB was properly set up to allow the system to boot. After a nervous 15 seconds, though, the port started to respond again, and I could successfully SSH into the server. Re-checking for updates showed that everything was fine; the errors about GRUB having a needed upgrade that couldn’t be installed were gone. Admittedly, it was probably unnecessary to go through this upgrade without any specific reason for it, but the beauty of Ubuntu is its popularity. Rarely will there be an issue someone else hasn’t encountered, solved, and documented before, and this problem was no exception.

Offsite Podcasting

I’ve written before about how difficult it can be to record podcasts remotely, something that has continued to be a struggle throughout the pandemic. For the Unusually Pink Podcast, the irritation of recording remotely was enough to make both Brandi and myself decide it was best to throw in the towel after a year. Mark and I have managed to continue doing well with the Same Shade Of Difference podcast, though significantly more work is involved in getting an episode together when done remotely. I say that like I have anything to do with it, but it’s really all Mark going through the work of recording our podcast episodes that we do over Discord, editing the files, adding in the music, and everything else. It’s substantially more effort, and at the end of the day we still don’t end up with as clean and natural of a product as we would while recording in person; latency means we still periodically try to talk over one another even as we endeavor to avoid exactly that with video calls.

What we’ve been experimenting with lately, though, are offsite recordings. It gives us a similar experience to the onsite recordings we used to do from our old podcast studio but in random locations. We first actually gave this a shot at Dead Lizard Brewing Company in Orlando when we were there for the Podfest Expo, AKA the last thing we did before the pandemic ground everything to a halt here. That was a surprisingly good experience, and you might be surprised at how infrequently even the loudest background noise comes through to the recording.

With how cool the experience was at Dead Lizard, Mark and I have been trying to basically emulate that experience now from places that allow us to sit outdoors, away from everyone else. We’re racing against time a bit as the weather continues to get colder, but it’s mostly been a great experience thus far. We first recorded at the West Sixth Farm for the “How We Work in the COVID-19 Era” episode. The Farm is a terrific location, with a covered pavilion area that has picnic tables, accessible WiFi, and outdoor power we can use. Barley the farm dog came to hang out with us for a little while, and it’s a very difficult view to top while recording.

The one downside of this setup is that, with things being relatively out in the open, we do end up at the mercy of the wind. We attempted to record a second Same Shade Of Difference episode there maybe about a month ago, but we had to scrap the idea because the windscreens for our microphones couldn’t quite keep up with the wind that would have caused a constant disruption to the episode.

More recently, we recorded at Idlewild Park in northern Kentucky. This was also a cool experience where we were able to take a quick look around, find a pavilion with no one else at it, and post up to record without having to worry about being too close to anyone. We were fairly close to Cincinnati/Northern Kentucky International Airport, but even that sound barely came through the microphones.

That episode isn’t live yet, but look for it soon over at the Same Shade Of Difference website or your podcast source of choice.

As with anything, there are caveats to offsite recording. While the West Sixth Farm is an insanely good location due to this, things like electricity and Internet access aren’t guaranteed when you’re trying to stay away from everyone else. While at Idlewild Park, we just leaned on the batteries for our gear and used the hotspots from our phones and tablets for connectivity. The pavilions at both locations were clutch for the possibility of inclement weather. For both locations, either Mark or myself had to travel at least a bit to get there, so having backups of pretty much everything is helpful. Spare batteries, memory cards, headphones, etc. is useful to save yourself from a scrapped recording session. I say this as if I provide any of it, but it’s really all Mark who has both everything you need and backups of everything you need in his bag at all times. I give him a lot of grief over how heavy his backpack is, but I’d be lying if I said it hadn’t saved me more than a few times.

On the whole, I would highly recommend anyone struggling with remote podcast recording over the Internet try meeting up at an out of the way place to record in person while being outdoors and socially distant, weather permitting. The elephant in the room for this topic, of course, is how you record the episode since dragging something like the RODECaster Pro out there isn’t feasible, even if it’s technically possible since the device will run off of D batteries. The recordings in Orlando and at the Farm were done with Mark’s Zoom H4n Pro, and while that device did a terrific job of recording, it still left a lot to be desired with regard to the amount of edit work that was required afterward. Without any built-in soundboard someone (AKA Mark) would have to go in and actually edit our recording to insert things like our intro music. To alleviate this, Mark recently got the new PodTrak P4. I won’t share any thoughts on that here, though, as that’s the topic of a future podcast episode! Stay tuned to the Same Shade Of Difference if you’re interested in our take on that particular device.