Stavros' Stuff

I am unreasonably excited about passkeys, I’ve long been looking for a better/more convenient way than passwords to do authentication, and I think passkeys are finally it.

However, whenever I see passkeys mentioned (for example on the recent Tailscale post about them), there are always a lot of misconceptions that surface in the debate. I’d like to clear some of them here, and hopefully explain a bit better what passkeys are.

A bit of backstory

Passkeys are a user-friendly name for, and an implementation of WebAuthn, which in turn is part of the FIDO2 project. All that is basically a way to say that passkeys are an open standard, developed by a consortium of companies that want to make authentication more secure and more usable. My personal opinion is that passkeys are a great solution to that problem, and that’s why I’m so excited about them.

At their core, passkeys are just a way for a website to ask your browser for authentication. That’s it, they aren’t tied to a specific piece of hardware or a way for that hardware to work. I’ll expound more on this further on.

I want to lay out some common misconceptions about passkeys that I’ve been seeing, and

Continue reading…

There’s an old saying I just made up, it goes “a man has a problem. Give him a solution, now he has two problems”, and that’s how I felt when I came across the LilyGo T5, a beautiful e-ink display with an ESP32 microprocessor and an 18650 battery holder.

I needed to find something to make with it.

The idea

I realized that one thing that’s missing from my life right now is more time pressure. I have a job, which got me most of the way there, but I’m bad at remembering the time of each of the twenty meetings I have every day. I really needed something that would allow me to see my daily calendar at a glance, and I realized that a 4.7” e-ink screen was the perfect thing for that use case, so I quickly started working on making this a reality.

The result was…

The Timeframe

Continue reading…

Recently, my weight shot up again, and I’ve gone over the weight where I start snoring in my sleep. Since my BMI is now somewhere in the range where I get my own orbit, I decided to do something about it. I recently found out about Semaglutide, and I figured I should give it a shot.

Semaglutide is a new drug for weight loss, or, more accurately, an old drug for diabetes. However, the diabetics who were taking it reported suppressed appetite, so the pharma company thought “hmmmmmm…”, and we got a nice weight loss drug.

Since I don’t like snoring or being overweight, I was curious to try it and see what happens, so I talked to a medical professional and got some prescribed, more out of curiosity than out of need. I think it’s going to be an interesting experiment, and am eager to see whether (and how) it works.

Continue reading…

I was searching for a laptop to replace my 5-year-old Dell XPS, and I came across the Framework laptop. I had heard good things about it, and I liked the hackability, so I thought I’d give it a shot, and ordered it. My first impression was extremely positive, it came with the RAM sticks in boxes, and I had to use the built-in screwdriver to open the laptop up and install the RAM. All the components inside have QR codes with guides on how to install things, and opening the laptop is a matter of unscrewing five (captive, yay!) screws and popping up the magnetic keyboard, it took twenty seconds to slot the RAM sticks in and be ready to go.

Unfortunately, I made a grave mistake

Continue reading…

Note: To skip the story and immediately go to the script that will fetch Cloudflare IPs and whitelist them using ufw, scroll down.

An interesting thing happened today: Someone contacted one of my clients and told them that he found a catastrophic regex backtracking vulnerability in one of their apps. This was interesting, because the app is a simple Next.js site that doesn’t use regex. Also, as far as I could see, Next.js doesn’t have any such vulnerabilities reported against it, so we were curious to figure out what was going on.

My client asked him to demonstrate the vulnerability, and he did. Sure enough, it brought the service down, but it also brought down the entire server, which was a bit odd. “Oh well”, I thought, “maybe it took up enough CPU to make the machine unresponsive”. The reporter then asked for a fee of 6 ETH to give my client information about the vulnerability and how to fix it, and gave references from other services. He even asked about possibly being hired by my client in a full-time position, to help with security.

Observing the vulnerability first-hand

I wanted to see the request for myself, though, so I could figure out which path it hits, reproduce it, and fix it. I asked my client to put the reporter in touch with “their security person” (me), so I could ask for another demonstration, this time being ready with logs to see what was going on.

The reporter agreed, and I logged onto the server to look around for

Continue reading…

Images are just too big. A 3 MB bitmap compresses down to a 500 KB JPEG, which, don’t get me wrong, 16% of the original size is great, but why 500 KB? That’s still pretty large.

This is 2022, we shouldn’t have to put up with large images. Our websites might load 60 MB of stuff for a pageview, but that stuff shouldn’t be images, it should be Javascript, as Brendan Eich intended.

We shouldn’t have to put up with fat images, but, until now, we had no choice.

Now we do.

Continue reading…

As you may remember from a previous post, I have a blind cat whom I made some eyes for (which, incidentally, were a great success). One of the perennial and enduring problems every couple faces when they have a cat is how to divide the poop scooping. At least, that’s what I imagine, extrapolating from a sample size of 1.

Over the years, I have tried to come up with various equitable solutions that would be fair to both me and my partner. A few days after implementing the first solution, “just leave poop where it is”, we realized that we needed to add “be fair to the cat too” to the above equation, and I went back to the drawing board.

In this post, I will guide you through the various solutions

Continue reading…

You know the problem: You’re driving through winding city streets, minding your own business, immersed in your thoughts about the kind of poor road planning that leads to a city having winding streets. Suddenly, what you can only assume is an inconsiderate, egotistic driver who revels in causing mild annoyance to everyone around them rudely cuts you off.

What can you do?

Pretty much the only recourse is available to you is to honk your horn at him, hoping he gets the exact meaning behind your honks. This, however, has always struck me as a crude and uncouth instrument. My elaborate, intricate feelings towards which exact plague should befall him are too nuanced for a simple horn to express.

I needed something more. Something succinct, yet expressive. Something complex, yet simple. Something unique, yet recognizable.

Luckily, someone solved the problem long before me:

Continue reading…

When I was a teenager, I had a CD player in my room, and I used to listen to fairy tales to fall asleep. The narrator’s voice would relax me and I’d fall asleep quickly. Fast forward to yesterday, I was playing with Google Text-To-Speech for an unrelated project, and had gotten one of their code samples to generate some speech for me. I had also played around with OpenAI’s GPT-3, which I had found wonderfully surrealist, and it had stuck in my mind, so I thought I should combine the two and create a podcast of nonsensical stories that you could listen to to help you fall asleep more easily.

Having already played with Google’s speech synthesis, I thought it would be pretty quick and easy to create this, as all I’d have to do is generate some text with GPT-3 and have Google speak it. GPT-3 is an AI model that can generate very convincing text from a sample. You basically give it a topic and a few sentences, and it continues in the same vein, writing very natural-sounding prose. Half an hour later, I had an AI-generated logo, AI-generated soundscapy background music, an AI-generated fairytale, and an AI-narrated audio file. A day later, I have seven:

The Deep Dreams podcast.

Here’s how I did it:

Continue reading…

This post is going to be short, but hopefully will help you avoid the troubles that befell me. I wanted to make a Slack bot using Python. “How hard can it be?”, I thought. “I’ve done it many times before”, I thought.

Think again.

The problem is that Slack has changed the way their APIs work. The old way is now referred to as a “classic app” with a “bot scope”, and that way is deprecated and you can’t really create apps like that now, so you have to do a whole other thing.

In this post, I will detail the steps necessary to create a simple bot that will listen for messages and reply to them. That’s all the scaffolding you’ll need (or that I needed) to create your apps, but I had to search for many hours to discover this information. Hopefully Google will be kinder to you and

Continue reading…