Dumb Phone

This is a reminder to myself: You are chained to that smart phone and shouldn't forget it. You aren't chained to a smart phone and shouldn't forget it.

I've been giving some long and hard thought to giving up my iPhone in favor of a dumb phone and simplifying my day-to-day communication tech. The result that I came to was that I'm stuck with it. At this point in my life, these are the things I'm having issue separating with: I started writing this post to convince myself and serve as a reminder that I don't want to give up some conveniences in exchange simplicity. With some time and thought, I realized that I was wrong and now this article's purpose is the opposite. I started creating a list of apps and rituals that I don't want to change or give up, but the list split into two: Things I can't do without and things that would be costly to change. The first list is now empty.

These are the things I can't live without:

  • Google Authenticator -- You may not know this, but the Google Authenticator application can be used for non-Google sites and services like Amazon (AWS) and GitHub. Sure, some 2 factor auth support SMS, but having the app is really convenient.
  • Audible -- I listen to audio books regularly, especially on road trips and when working out. If I got a dumb phone, I'd have to change a reading habit that is important to me.
  • Google Music / Pandora -- I listen to a lot of music, including when I drive and am on road trips.

This second list are the things that I can change, but would be difficult to do or wouldn't be cheap to do so.

  • Smart Things -- Without a smart phone, I'd have to carry around a key fob. Also, to use the routines that I've programmed would require a separate device. Having that wouldn't be the end of the world, but it would be a change. If I had a tablet, I could get away with having a key fob with me (leaving it in my car most likely). I primarily use Smart Things routines when I'm at home, so it wouldn't be that much of a deal.
  • Scannable -- I scan important documents and store them in Evernote. Scannable is a really great app that makes that a lot easier. I don't have a separate device for scanning, so I'd either have to get one or change my filing system. If I had a tablet, like an iPad Mini, this wouldn't be an issue. The change would be small because everything gets filed and organized at home anyway.
  • Starbucks -- I go to Starbucks a lot and I use my phone to pay for stuff. This wouldn't be a deal breaker because I can always carry the card with me, but it would be one more thing to keep in my wallet.
  • Slack -- I work remotely so staying connected is important. We use slack and it is one of the ways that people get in touch with me. After I thought about it, not being 100% available via slack is what I'm actually going for.
  • Google Music / Pandora -- I listen to a lot of music, including when I drive and am on road trips. Not having the level of access that I currently do would be an adjustment, but I think that I could make do. I do use XM too and bringing an iPad on road trips is reasonable. Most of the music I listen to is on my computer anyway. For day to day driving, maybe not being distracted with selecting music isn't a bad thing.
  • Audible -- I listen to audio books regularly, especially on road trips and when working out. If I got a dumb phone, I'd have to change a reading habit that is important to me. The biggest change would be while working out, but I could get used to it.
  • Google Authenticator -- You may not know this, but the Google Authenticator application can be used for non-Google sites and services like Amazon (AWS) and GitHub. Sure, some 2 factor auth support SMS, but having the app is really convenient. After a little investigating, all of the services I use support SMS.

Web applications with TypeScript and Sequelize

I've been using TypeScript professionally for a short while now and enjoy working with it. I think it really smooths out some of the rough parts of developing server software in JavaScript. At Colibri, I've been working on a NodeJS project that is starting to move to TypeScript with some success. One part of that project, the storage subsystem, hasn't been ported yet and I've done some research to best understand how to tackle it.

With that, I created a small proof of concept application that demonstrates how Express web applications that use Sequelize (ORM) on top of Postgres can be written in TypeScript.

https://github.com/ngerakines/express-typescript-sequelize

I think there is a time and a place for tools like gulp and grunt, but most of the time they aren't necessary. For this project, I'm using the scripts block to create a chain of actions. The lint target uses the tslint tool to verify that standards are enforced. That target is dependency of the build target the runs the tsc command that compiles the TypeScript code into JavaScript. The build target is a dependency of the test target that executes the unit tests through mocha and istanbul. After tests are run, that same tool verifies that coverage requirements are met.

The end result is that I use two commands to build and run this application:

$ npm run build && npm start

This application has a handful of dependencies but the main ones are express, sequelize, and TypeScript. I've also gotten pretty used to including bluebird, moment, lodash, and node-uuid by default in everything that do. For template rendering, I'm using dustjs, which I had never used before and find appealing.

The application code is split into three areas:

  • src/index.ts is where the express application is constructed and configured.
  • src/routes.ts contains the definition of the ApplicationController that does all of the request handling work.
  • src/storage.ts contains the storage manager, including the sequelize implementation.

The storage manager is a fairly simple interface that is used to define and interact with the Account and Address objects. For this small example application, I just have the two. An account is a registered site user (register, login, logout, etc) and they have one or more addresses as managed on the settings page. The relationship between accounts and addresses is one to many.

When using the Sequelize library in a TypeScript application, you need to know how the object interfaces are defined and relate to each other. The important thing to know is that for each application object (account, address, etc) there are 3 interfaces that need to be defined: An attribute definition interface, an instance interface, and a model interface.

export interface AccountAttribute {
    id?:string;
    name?:string;
    email?:string;
    password?:string;
}

export interface AccountInstance extends Sequelize.Instance<AccountAttribute>, AccountAttribute {
}

export interface AccountModel extends Sequelize.Model<AccountInstance, AccountAttribute> { }

In the above code block, the AccountAttribute is defined. That object has 4 managed fields including the id (a generated uuid), name, email, and password. That interface is then referenced by the AccountInstance and AccountModel interfaces. The instance interface is used to describe what an instantiated instance of an account object looks like and how it behaves. It includes all of the attributes of the attribute interface but also some sequelize specific methods like updateAttributes and save. The model interface is used to describe how, through sequelize, instances of objects are managed. The model interface includes methods like find and create.

When the sequelize implementation of the storage manager is created, within the constructor the define method is called which binds the schema definition and model interface to an instance of the model and it can be used.

this.Account = this.sequelize.define<AccountInstance, AccountAttribute>("Account", {
        "id": {
            "type": Sequelize.UUID,
            "allowNull": false,
            "primaryKey": true
        },
        "name": {
            "type": Sequelize.STRING(128),
            "allowNull": false
        },
        "email": {
            "type": Sequelize.STRING(128),
            "allowNull": false,
            "unique": true,
            "validate": {
                "isEmail": true
            }
        },
        "password": {
            "type": Sequelize.STRING(128),
            "allowNull": false
        }
    },
    {
        "tableName": "accounts",
        "timestamps": true,
        "createdAt": "created_at",
        "updatedAt": "updated_at",
    });

In the above code block, the private Account variable is set and the schema defined. In the third param I'm instructing sequelize to manage the created at and updated fields, but I'm specifying what the column names should be. Later in that same storage manager implementation, I reference those model instances like this:

register(name:string, email:string, rawPassword:string):Promise<any> {
    return this.sequelize.transaction((transaction:Sequelize.Transaction) => {
        let accountId = uuid.v4();
        return this.hashPassword(rawPassword)
            .then((password) => {
                return this.Account
                    .create({
                        id: accountId,
                        name: name,
                        email: email,
                        password: password
                    }, {transaction: transaction})
            });
    });
}

The rest of the application is pretty standard. The storage manager is created early and used in both creating the express application as well as the application handler. Open an issue on GitHub or message me on twitter @ngerakines if you've got any questions or comments.

Warrant Canaries

Wikipedia defines a warrant canary as:

... a method by which a communications service provider informs its users that the provider has not been served with a secret United States government subpoena.

Practically, this ends up being a file or web location that states something to the effect of, "As of date, we have not received a subpoena." The notice usually includes a disclosure stating that no warrants have been served to the entity or its employees and no searches or seizures have been performed on the entity or the employees of the entity's assets. It will also include a date as to when the notice was updated and may also include links to external websites with time-relevant information such as news articles, major headlines, tweets, etc.

The most important part of the warrant canary is the signature and signed content. All of the above information is cryptographically signed, and the public key made available to verify the signature. The act of signing the notice increases the difficulty in forging a warrant canary.

There are many cases where warrant canaries exist and are used by commercial and non-commercial entities. One of the oldest and well-known instances is the rsync.net warrant canary. Other examples include:

There is, however, speculation that warrant canaries have questionable legal ground or could be used as an effective way to indirectly communicate said legal action by a government agency or court. At this time, there have been no cases where warrant canaries have been upheld. For more information, see the EFF Warrant Canary FAQ.

Creating A Warrant Canary

Creating a warrant canary is a fairly simple process. It requires just a small amount of time to become familiar with tools like GPG. After creating a warrant canary notice, it can be published by anyone with access to your website.

Before You Begin

To begin, you will need to install GPG and create a signing key. Create the signing key by following the official GPG Getting Started guide. A key is only created once and will be used to update your canary in the future; it is crucial that the same key be used for subsequent canary updates.

Creating The Notice

As with previous examples, the notice should contain the disclosures that are most relevant to your needs as well as information and data that can sufficiently be determined as both accurate and time relevant. This often includes the current date, sports scores, weather information, etc. For example:

It is Friday, December 26th, 2014 at 4:50 pm EST.

To this date no warrants, searches or seizures of any kind have ever been performed on my assets or any assets belonging to members of my household.

Headlines from http://www.npr.org/sections/news/archive?date=12-31-2014
Body Of Catholic Priest Found In Southern Mexico
Businesses Buzz With Anticipation In Wake Of U.S.-Cuba Thaw
Military Policy Impedes Research On Traumatic Brain Injuries
In The Nation's Capital, A Signature Soup Stays On The Menu
Already Bleak Conditions Under ISIS Deteriorating Rapidly

Week 16 NFL Scores
Giants 37 Rams 27
Cols 7 Cowboys 42
Bills 24 Raiders 26
Seahawks 35 Cardinals 6

You can verify this document using the public key 953023D848C35059A2E2488833D43D854F96B2E4.

With your notice saved as warrant_canary.txt, sign it with your GPG key.

$ gpg --clearsign warrant_canary.txt

Running this command will create a file named warrant_canary.txt.asc.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

It is Friday, December 26th, 2014 at 4:50 pm EST.

To this date no warrants, searches or seizures of any kind have ever been performed on my assets or any assets belonging to members of my household.

Headlines from http://www.npr.org/sections/news/archive?date=12-31-2014
Body Of Catholic Priest Found In Southern Mexico
Businesses Buzz With Anticipation In Wake Of U.S.-Cuba Thaw
Military Policy Impedes Research On Traumatic Brain Injuries
In The Nation's Capital, A Signature Soup Stays On The Menu
Already Bleak Conditions Under ISIS Deteriorating Rapidly

Week 16 NFL Scores
Giants 37 Rams 27
Cols 7 Cowboys 42
Bills 24 Raiders 26
Seahawks 35 Cardinals 6

You can verify this document using the public key 953023D848C35059A2E2488833D43D854F96B2E4.
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - https://gpgtools.org

iQIcBAEBCAAGBQJUndq1AAoJEDPUPYVPlrLk2fYP/jGFb1vxR2sXEu5DzHJU9urd
Q8ia1srhm4UogchTuN6nGv39zlBgpT1H75xwLYYSyiEbjpV7CYPqwYOgZvv8xF5D
hMRGoHu2WE7RCllQr49cKyzro0m9TEWHUt8HLxlaV/Go58Q2i3TbiKo5z0QdlB7B
XXyQSA5ZDFSKqrdMl6oVqHI1dJhM3TRGpxmkrF/mD7RRpdqw0yJKMefqxGRFLavI
Vg8su3XlYgl6xmlL+BAcd0Pc0SiSCH/IIiLbpBrNaWeOFeEnaAbeC4apYn45np5G
jXPQ7+xdfcxmyt+VUSJ9aSw6WxHSYYBR2YhOvnunssCI6dev06Ot3p5+zOkgsFZt
2rqvNFKjp92J/vB8cKCoFi8UwizftcyvrwZHHtzFcLPEg4mhqWQp4DE3ToMOp37o
wieVqWbYhqRDMlFgQGr9Zdx0xPipnz5JwcSeaJuUZTOYUbN2L4w5s25yvCtuyT4p
yac0D+mxoFhG96UuSXsQjtwbiot7Kddt0TeaXzfbR7nk7n9Cv5thEEQlgtoV4Htv
f8jXua2/L3+Cl8j+WM+C9S5lXXR3t3RGy555lYcssDXAAcWsSY4UJasHaVU0vRTu
CqDPfOJmCnqI9Pv7tlP4iBWMkkAVV9ToqyRoM4fIQ41jTDn+ncc52du4M1+LZNJq
2tQPWQHVW8/oQtwo2W7W
=HQN5
-----END PGP SIGNATURE-----

That file is your current warrant canary and should be made available as you see fit. The most common url used to present your canary is "/canary". In this case, the canary is available at http://ngerakines.me/canary.

Next Steps

With your canary online and available, you'll need to be sure that the signing key used to sign the notice is also available. Please refer to the Exchanging Keys and Distributing Keys documentation to export your key to share with others and make available through a GPG key server.

It may also be in your interest to have third parties verify your key and identity. This allows other key owners to demonstrate trust. More information can be found on the GPG documentation: Validating other keys on your public keyring.

Securing Your Canary

When a canary is not updated or is removed, it means that several things may have happened.

The first is simply human error. For safety and security purposes, the act of signing a warrant canary is a manual process. That means that a human has to be at a computer and run the commands to create and sign the warrant canary notice. There are plenty of reasons from sickness to changing companies and even simply forgetfulness that could be the reason why a canary is not updated.

It could also mean that the the entity no longer wants to include the notice. A change in management or ownership could result in the canary is neglected or removed.

Lastly, it could mean that harm, detention or a lack of control is preventing the canary from being updated.

A watchdog or Dead man's switch can be used mitigate damage or loss of data or reputation.

Dead Man Switch: Revocation

Using a revocation certificate, a trusted third party can publicly revoke the key used to cryptographically sign canaries.

A core component of the warrant canary is the signature. The signature is used to determine that the contents of the canary have not been tampered with and provide a way to identify the owner of the signing key through the web of trust. When the GPG key used to sign the canary is created, a revocation certificate should be created along with it.

If you forget your passphrase or if your private key is compromised or lost, this revocation certificate may be published to notify others that the public key should no longer be used. -- The GNU Privacy Handbook

A revocation certificate can be securely given to a trusted third party responsible for publishing the revocation certificate under certain conditions.

Conditions could range from:

  • The warrant canary not being updated after a certain period of time.
  • Unusual behavior or contact with the company.
  • A cue or hint that it should be done so through information contained in a dead drop or press release.

Multiple Signers

As a way to reduce the risk of human error from raising false concern, multiple signers can sign a canary or multiple canaries can be published used. The most common way to do this would be to have two or more members of an organization create signatures of the canary and append it to the notice.

This can be done by creating one or more detached signatures along with the canary.

$ gpg --output canary.sig1 --detach-sig canary

When the above command is run, a file named canary.sig1 is created that contains a signature of the canary file. You can publish these additional signatures along-side the canary or append them to the bottom of the canary file.

IOT and Home automation, 10 months later

In December of 2013 I was given a SmartThings kit and that kicked off a home automation project. I didn't go all-out and try to automate all the things, but instead tackled a single area, specifically my home office. Nearly 10 months later, I hardly think about it but use it every single day.

  • If the office lights are on and I leave the house, the lights are automatically turned off.
  • When I enter the house from being away, turn on the lights in the office.
  • When I'm at home, but there isn't any movement in my office after 15 minutes, turn the lights off automatically.
  • When I'm home, there is movement in my office and the lights are off then turn the lights on.

This started with some z-wave light switches and the SmartThings kit. I use a motion/presence detector (battery powered) that detects movement in the office. The z-wave light switches are used to software control the lights and then my phone is connected to the SmartThings system to determine when I'm nearby.

That isn't the only system in place, but it is the one that I use the most. Additionally, I've got motion sensors in other parts of the house, including on the garage door, and presense fobs in the cars. I also have a nest installed as well as door locks that support z-wave.

So what is next? I'd like to get the rest of the light switches in the house replaced with z-wave switches and find a way to automate the garage door. Having an "away mode" able to turn off all of the lights, lock the doors and set the nest tempature would be nice too. Maybe someday.

Parts:

Clean Build Versions With DocOpt

With some recent Go projects, I've been using docopt.go for command line argument parsing. It greatly reduces the complexity of dealing with arguments and options. On it's own, arguments can be processed without much work:

package main

import (
    "github.com/docopt/docopt.go"
)

var (
    githash string = ""
)

func main() {
    usage := `Awesome

Usage: awesome [--help --version --config=<file>]
       awesome daemon [--help --version --config <file>]
       awesome thing [--verbose... ] <with> <more>...

Options:
  --help     Show this screen.
  --version  Show version.
  --verbose  Verbose
`

    arguments, _ := docopt.Parse(usage, nil, true, version(), false)
    // ... do something with arguments
}

func version() string {
    previewVersion := "1.0.0"
    if len(githash) > 0 {
        return previewVersion + "+" + githash
    }
    return previewVersion
}

What I've also been doing is using a small Makefile to add extra information to the version:

all:
    go build -ldflags "-X main.githash `git rev-parse --short HEAD`"

If the go build command is used, then the version given to docopt is just 1.0.0, but if the main.githash is set as it is in the Makefile, then the version ends up being something like "1.0.0+b74276b".

$ ./awesome --version
1.0.0+b74276b

You can take it one step further and have the version set as a var that can easily be updated with sed or awk. An example would look something like:

package main

var (
    AWESOME_VERSION = "1.0.0"
)

Using awk to update the version would look like this:

$ awk '/AWESOME_VERSION/ { sub($3, "\"2.0.0\""); print; next}1' version.go
package main

var (
    AWESOME_VERSION = "2.0.0"
)