Stavros' Stuff

Angry rants of programming and other things.

Securing your users' authentication

Please follow this advice

A few days ago, I saw an article about someone’s Playstation Network account getting stolen. The problem wasn’t so much that the account got stolen, as this apparently happens more often than not, but that Sony has created a system so convoluted that it’s possible for the thief to keep your account, without you having any recourse, not even after you prove your name, purchases, and anything else about the account.

Having worked in web security for years, I know how hard it is to get authentication right, especially when users will find ingenious ways to defeat your system, such as storing their “do not store these codes on your phone” two-factor authentication (2FA) codes on the phone and then throwing the phone in the ocean. Another user surprised me when, instead of properly setting up their authenticator app, they brilliantly used one of the ten backup codes to finish their 2FA setup (and didn’t even store the rest), thus locking themselves out of their account immediately. I fixed that bug immediately and found new respect for the bug-finding abilities of users.

Those (and many more) occurrences have made it painfully obvious to me that securing an authentication system is very hard UX, and, since the user is always right, we need to find ways to make systems that are both secure and easy to use. While working for my previous employer, an encrypted communications company called Silent Circle, we had to find ways to solve this problem, and we arrived at something I believe provides a very good balance between security and usability. I will explain how this system works, and urge you to implement something similar for your authentication, especially if it’s protecting high-value accounts like Playstation Network’s.

Continue reading…

How to easily configure WireGuard

WireGuard is pretty great!

You might have noticed the buzz around WireGuard lately. WireGuard is a very simple VPN that uses state-of-the-art cryptography, and the buzz comes from both the fact that it’s simple and good at what it does, and the fact that it’s so good that it’s going to be included in the Linux kernel by default. Linus Torvalds himself said that he loves it, which took the software world by storm, as we weren’t aware that Linus was capable of love or any emotion other than perkele.

The only problem I’ve found with WireGuard is a lack of documentation, or rather a lack of documentation where you expect it. The quickstart guide, the first thing I look at, mentions a configuration file that it never tells you how to write, and it also assumes you’re more familiar with networking than I am.

Since the initial conditions at the creation of the universe set things up so WireGuard would eventually be underdocumented, I am going against Creation itself and showing you how to easily configure and run it. Let’s

Continue reading…

Kubernetes 101

It's simpler than I thought

A few weeks ago, my task at work was an interesting one: To deploy a Kubernetes cluster and write the associated tooling so that developers can deploy the code in the branches they’re working on to it, so they can test their changes.

Until that point, I’d been wanting to learn Kubernetes because it sounded interesting (even though the name is rather problematic when you’re Greek), but I never had an opportunity because I don’t have anything that needs to be on a cluster. So, I jumped at the chance, and started reading up on it, but all the materials (including the official tutorial) seemed too verbose and poorly-structured, so I was a bit dejected.

By the way, since you asked, the name is problematic because it's a Greek word, so it's awkward when you're talking to other Greeks about it. If you pronounce it like in English, you sound a bit pretentious, and if you pronounce it like in Greek, people don't understand what you mean, since that's not strictly the name of the software. Greek world problems.

Anyway, after a few days of research, things finally just clicked and I was deploying machines left and right with wild abandon, quickly racking up thousands in AWS bills, like any self-respecting backend developer in 2018. Since my resume now said “Kubernetes expert”, a thought immediately occurred: “Why not take my vast, unending knowledge of this system that I have collected over hours of research and make it more accessible for people?” Since I couldn’t convince myself I shouldn’t write another rambling article, I quickly got to it.

This is

Continue reading…

A short 3D printer primer

Everything you ever wanted to know about buying a 3D printer

Today, it got into my friend Harry’s head that he wants to buy a 3D printer. Normally, I would applaud the decision, so I did. I’ve bought lots of expensive crap I ended up regretting (damn you, quadcopters and photography), but the 3D printer wasn’t one of them. Sure, I don’t use it every day, but it’s amazing to be able to design small things for around the house or parts for hobby projects and see them turned into objects in a few minutes.

Since Harry has many questions, as I did when I was his age, I figured I’d answer them all in an article so more people can benefit from them. If you have questions that aren’t covered here, please tweet or toot them to me, and I might add them. Let’s start!

Continue reading…

On increasing productivity

You too can be more productive with this ONE WEIRD TRICK

Sometimes, when I show people another crazy side-project of mine, they ask me how I manage to be so productive. I never have a good answer to give them, because I don’t really consider myself very productive (unless you count my 2,000 hours of sucking at DotA2 as creative output), but they are invariably unsatisfied with that answer.

I saw another post about productivity on Hacker News today, and it made me finally express something I’ve been feeling for a while but had never managed (or taken the time) to put into words. It wasn’t so much the post itself (I didn’t read it), but the fact that I saw it, and that it exists. It made me realize my stance on productivity, and today I’ll share it with you, right in this article.

Continue reading…

Startup Mistakes: Choice of Datastore

Spoiler: Don't use MongoDB.

A great advantage of having a large network of technical friends is that they ask you for advice on things, which I love giving. One great disadvantage of people is that they rarely take my advice without justification, even though I think everybody should know better by now. A discussion I frequently have with friends (and which they don’t just blindly take my advice on), is their choice of datastore, which invariably goes something like this:

- Trust me, don’t use MongoDB.
- Why, what’s wrong with it?
- Look, how many times have I given you some advice, you didn’t listen, and later on it turned out I was right?
- Ah, so you’re saying I should use Cassandra.

So, since I keep having to justify my opinion (can you believe that? Just ridiculous.), I figured I’d do it once, in this post, and then I can just point people here when they’re about to do something dumb. If I linked you to this article, this means you.

EDIT: Apparently the self-deprecating sarcasm above wasn’t really very obvious, and it comes off as arrogant, but my intention was for it to be satire (clearly opinions should be justified, even mine). Also, the Cassandra joke was a reference to this lady. Like an ancient Greek proverb says, “the best joke is one you have to explain on your blog”.

Datastores are important

The datastore is often the most important part of

Continue reading…

How to deploy Django on Dokku

It's a dream come true

Ever since I was a wide-eyed little boy, I would look up at the stars and wonder in wonder: “What if I could lease my very own, beefy, dedicated Hetzner server and have an easy way to deploy all my projects onto that?” But lo, my dreams were dashed because Docker wouldn’t be invented for another twenty years, and Hetzner did not accept Mastercard at the time.

Decades later, with Docker finally invented and Hetzner accepting all major credit cards, my dream lay all but forgotten, because Docker could not do zero-downtime deploys natively and I hated it. That was how things remained, until my friend Theodore told me that he tried Dokku and that it worked very well.

I had heard of Dokku (and Fig, Deis, Flynn, Kubernetes, etc etc), but I never paid too much attention, as these PaaSaaSes struck me as too webscale for my simple projects. All I wanted was a way to skip through all the boilerplate configuration of deploying a Django app, and Ansible wasn’t cutting it, as it was still too much plumbing.

Since Theodore tried it and said it was apparently pretty easy to deploy with, though, I figured I’d give it a shot and see. It helped that Dokku was explicitly designed to be light and self-contained, whereas Kubernetes is for much larger deployments, so Dokku fit my use case exactly.

Trying Dokku out

To try Dokku out, I needed a project. Luckily,

Continue reading…

The scourge of web analytics

I hate the web.

I’ve been making web apps since 2003, which means that I’ve been doing this for fourteen years now, or it means that I can’t count. So, there are few people more qualified than me to tell you this:

The web is crap.

If you disagree with the above statement, you spent more than $1000, less than two years ago, on the device you’re currently reading this on, so websites feel fast to you. There are many factors that make the web crap, but today I’d like to talk about one of them:

Web analytics.

A brief retrospective

The web was created in, like, the nineties, and was initially envisioned as

Continue reading…

Making a garage remote motorcycle mount

Spending twelve hours to make something that saves two

I recently got a motorcycle, and with it came a problem. My motorcycle jacket has very little pocket space, and I was told that I shouldn’t put any weight (i.e. extra keys) on the keyring. However, I still need to carry my house key and my bulky and heavy garage remote, which means that I need a second keyring just for these two, which is the problem.

Another issue is that using the remote is a hassle, as I always have to remove my gloves, unzip my jacket pocket, fish for the remote in it, press the button, zip the jacket pocket back up, and put the gloves on again. It’s a nightmare, almost something out of a Lovecraft novel.

However, a thought occurs: Since I have a 3D printer and CAD software and I’m not afraid to use them, I can design an enclosure and mount for the remote so that I can permanently have it mounted on the handlebars, which both frees my pocket and is easily reachable, even with gloves. This thought is so exciting that I can hardly contain myself, and don’t.

In this post, I will take you through the process of designing and 3D printing the mount,

Continue reading…