Friday, December 3, 2021

Giving Bitcoin as a Gift, Initial Thoughts

 'Tis the season and I'm thinking about how to give bitcoin as a gift, to non-technical people, without requiring them to do anything like create an account or download software in order to accept it.

Paper Wallet

Bitcoin paper wallets have been around a long time.  The concept is simple.  Generate a send/receive address pair (private/public key pair) and print them on a piece of paper.  Basic operations:

  • To add bitcoin to the wallet, send some bitcoin to the receive address
  • To check your balance, type or scan the public key into any blockchain explorer 
  • To gift that bitcoin, just hand over the piece of paper
  • To send the bitcoin on the blockchain, type or scan the private key into the bitcoin wallet software of your choice

Pros:

  • simple, no fancy hardware or software required for them to receive the bitcoin
Cons:
  • No guarantee that the giver didn't keep a copy of the private key
  • Private key could be easy for someone else to see/copy
  • Private key could be easily lost
  • If you want to add more funds, you have to reuse the same receive address, which is bad for privacy

Hardware "paper" Wallet

There is a hardware solution to the first problem, the Opendime. It's essentially the same thing as the paper wallet, except it generates the key pair and keeps the private key hidden until you mechanically alter the device.  If someone gives you an Opendime, it's easy to see that they have not altered the device and seen the private key.  It has the same address re-use downside of the paper wallet.  It's also pretty expensive if you just want to give a kid $5 worth of bitcoin.  Even more so if you want to give a bunch of nieces and nephews bitcoin!

I thought more about keeping the private key private and realized that some niece or nephew is likely to lose either a piece of paper or an Opendime and then come to me and ask what they can do to recover their bitcoin.  I think that in this scenario of mine, it would be best if I did keep a copy of the private key someplace safe.  That turns the first con into a pro!

Full Hardware Wallet

For my own private keys, I use a Trezor hardware wallet.  It generates the private key on the device and never lets anyone see it, except once at setup time in the form of a backup seed phrase.  It uses the Hierarchical Deterministic Wallet (HD Wallet) structure, which is really cool.  You can generate a sequence of private keys and corresponding public keys from the main private key that comes from the seed phrase.  You can also generate a sequence of keys under each of those keys, making them parent keys of a bunch of other keys (thus, hierarchical).  But the really cool part is you can generate just the sequence of public keys from a given public key, no private keys have to be involved in that calculation.

A practical example of why this is great.  I use Swan Bitcoin (affiliate link, we each get $10 if you sign up with it) to buy my bitcoin.  Swan automatically transfers the bitcoin from their account to mine on a regular basis.  I could give them a single public-key (address) that they always use for those transfers, or, I can give them a public-key from my hierarchical wallet and they can generate a series of public keys to send the bitcoin to, using a new key each time.  This eliminates address reuse and I don't have to manually give them a new key for each transaction.  If I keep that public key private between me and them, then nobody knows that each of those transactions from Swan are going to me.

Back to giving bitcoin as a gift.  I could give each person a parent public key from my Trezor.  There is a nice bitcoin wallet app called BlueWallet that also knows how to do the HD Wallet thing that they can use to manage the public keys.  That would keep the private keys totally safe.  I could still print the master public key onto a piece of paper.  The basic operations become:

  • To add bitcoin to the wallet, type or scan the main public key into BlueWallet, get the next public key (receive address), send some bitcoin to the receive address
  • To check your balance, type or scan the public key into BlueWallet
  • If you want to gift that bitcoin, just hand over the piece of paper
  • To send the bitcoin on the blockchain, they have to call me up and I have to use the Trezor to send it

Pros:

  • Simple, no fancy hardware or software required for them to receive the bitcoin
  • No address reuse
  • Private key is safely backed up with me

The downsides to this are:

  • They have no control over the private key

That is a pretty big downside, they really don't own the bitcoin.

HD Paper Wallet

Once I figured out this whole seed phrase and HD wallet thing, I came up with another idea.  I could generate a seed phrase and the corresponding master public and private key pairs and give them those.  I'd keep a copy of the seed phrase myself just in case they lose it.  Now the operations become:
  • To add bitcoin to the wallet, type or scan the main public key into BlueWallet, get the next public key (receive address), send some bitcoin to the receive address
  • To check your balance, type or scan the public key into BlueWallet
  • If you want to gift that bitcoin, just hand over the piece of paper
  • To send the bitcoin on the blockchain, type or scan the main private key into BlueWallet

Pros:

  • Simple, no fancy hardware or software required for them to receive the bitcoin
  • No address reuse
  • Private key is backed up with me

The downsides to this are:

  • Private key could be easy for someone else to see/copy
  • Private key could be easily lost

I feel like this is the best compromise.  There is one more downside.  No websites or tools exist to make a pretty paper wallet out of HD wallet master public and private keys.  I'm going to have to make that on my own.

Any thoughts?  Please let me know in the comments.  I sometimes think I'm over complicating this with the HD wallet.  Who cares that much about a little address reuse?  I like the tech (math, really) of the HD wallet though.  Or maybe the Trezor is the best way?  That keeps the private keys safest.  They can check their balance with their public keys and feel like they own it.  Is that good enough?

Wednesday, June 30, 2021

Traffic in Little Cottonwood Canyon

This is my comment on the Utah Department of Transportation's plans to "to provide an integrated transportation system that improves the reliability, mobility and safety for residents, visitors, and commuters who use S.R. 210."

This is long, but I have tried to order it in such a way that the most important points come first, so don't give up now.  At least read the first 3 paragraphs, please.

First and foremost I'd like to ask, what problem are we really trying to solve?  Roughly 355 days a year there are no reliability, mobility, or safety problems on S.R. 210.  The weather is good, the roads are clean and clear, and traffic flows at or above the speed limit of the road.  We all need to understand that the problems with reliability, mobility, and safety only happen about 10 days a year, if the skiers are lucky and we get that many big snow storms.

Mobility

Congestion on roads is annoying, but we need to seek to understand it before we try to fix it.  Congestion on a road happens because it leads to a popular place.  Lot's of people want to get to that place, so they get on that road.  The road gets congested and nobody can get to the popular place as fast as they could if there was no congestion.  This is what bothers us.  We have a road that could allow travel at a given speed, but because of the over crowding on the road, we all have to go slower than that speed.

Solutions to congestion are all temporary.  When a road is congested, there are some number of people that will simply choose not to go to the popular destination.  If you widen the road or add alternative means to get to the popular destination, at first the congestion will be alleviated, but before too long the people that were avoiding the popular place because of congestion will see that there is no congestion and they will start traveling to the popular place again.  Before too long you will have congestion again.  Anyone who has seen the progression of I-15 over the years here in Utah can understand this.  There will be more people getting to the popular destination than there were before, but there will still be congestion.

Understanding all that, we can better talk about what we are really doing.  We are not alleviating congestion (increasing mobility) long-term.  We are alleviating it short-term only, and we are providing the means for more people to reach the popular destination.  Is that really what we want in Little Cottonwood Canyon?  Can the ski resorts, hiking trails, picnic areas, climbing routes, etc. handle more people?  Or will they become congested too?

Reliability and Safety

These are essentially the same concern.  When it snows, cars and busses are less reliable because they might get stuck or slide off the road.  In extreme cases they might slide into each other or off the road which is a safety issue.  This is where I would like to point out how strange it is that UDOT has recently stopped talking about these concerns in Big Cottonwood Canyon (S.R. 190) and is now only talking about Little Cottonwood Canyon (S.R. 210).  I would really like to see data on reliability and safety in both canyons because in my following of the two it appears that S.R. 190 has far more accidents and slide offs than S.R. 210.  S.R. 190 is a much longer, windier road with areas of very steep drop-offs down to the creek.  I have noticed that S.R. 190 gets closed to deal with accidents (stranding skiers on the road or at the resorts for hours on end) far, far more often than S.R. 210.  Is any of this plan really concerned with reliability and safety?  If so, it should consider both canyons.

Bus Lanes vs. Gondola

Now, all that being said, let's address this specific plan which seems to assume that yes, the canyon can and should accommodate more people and is in dire need of more reliability and safety.  Considering all the above, I believe neither solution is a good idea.  Both will be incredibly costly and have very real negative impacts on the environment.  Neither will make a difference on the 355 good traffic days a year, and in the long run, neither will solve the congestion problems on the 10 bad days a year.  The one thing the gondola plan has going for it is the increased reliability and safety on those 10 bad days, but I see no data that justifies the extreme cost for what is likely to be only very small increase in reliability in safety in the one canyon that doesn't have that big of a reliability and safety problem anyway, while we ignore the other canyon that does have real reliability and safety problems (on those 10 days a year).

My belief is we should look for more cost effective ways to address the reliability and safety issues only, in both canyons(!), and not proceed with either a road widening or gondola project.

Friday, April 30, 2021

Fix for Cura's Ender 3 gcode

A child of mine finally asked for a 3d printer.  I knew that if I tried to push it, no kid would be interested, so I didn't.  But finally, one of them asked for one.  We ordered the Creality Ender 3 that night from their website and some filament from Amazon.  It all arrived a couple days later and we enjoyed the process of assembling it and then finally printing the gcode files that were on the SD card that came with the printer.  Including those was a really nice touch.  Once we got the bed close enough to the nozzle it all worked great.

After the initial success we found some models on thingiverse, sliced them with Cura, and then saw the printer do something like this (not my video) over and over.  Too much filament in the wrong place, no filament in the wrong place.  It was a strange and bewildering start-up sequence to watch.  I searched the internet for advice and didn't find much.  I finally just opened up the gcode file that Cura created and compared it to the gcode files that came with the printer.  There was definitely a more complicated start-up sequence in the Cura file.  I deleted it, replaced it with what came with the printer, and prints are all working again.

You can make this change permanent in Cura by clicking Settings->Printer->manage printer.  Then click on your printer and click the Machine Settings button.  In the text box on the left labeled "Start G-code" delete all the gcode there and replace it with this:


; Ender 3 Custom Start G-code
G28 ; home all axes
G29
G92 E0
G1 E-10.0000 F6000
G1 Z0.750 F1002
; process Process1
; layer 1, Z = 0.450
T0

Now your Cura-sliced prints will work nicely on your Ender 3.

Monday, March 15, 2021

Linux Environment Management: direnv does it all

 

Linux Environment Management: direnv does it all

A few years back I wrote about different options for linux environment management.  I recently learned about another option, direnv.  I think I'm convinced that it is the only tool you need.  Read this as if it's another section added to that previous post.

Use direnv

Straight from the direnv website: "direnv is an extension for your shell. It augments existing shells with a new feature that can load and unload environment variables depending on the current directory.  Before each prompt, direnv checks for the existence of a .envrc file in the current and parent directories. If the file exists (and is authorized), it is loaded"

This happens automatically, so it solves the problem of the "Explicit Environment Files" solution above in a way that is much more convenient than the "Per-command Environment Files" solution. The .envrc files are in standard shell syntax and it properly unloads environments like the "Smart Environment Manager Tool" mentioned above as well.  It has the downside that it is not easy to share the same environment setup in multiple directories.

I'm not sure if there is a simple solution that gives us both of those things, but we have the option with direnv to choose any of the three the discussed environment setup solutions in any given terminal.

Why not all three?

direnv is powerful enough to allow all three techniques for shell configuration described above.

Standard direnv

The default automatic direnv behavior is enabled by putting this in your .bashrc file:

eval "$(direnv hook bash)"

If you want to easily choose between standard direnv and the below option when you start a new shell you could encapsulate this in a shell function named direnvenable.  When your terminal starts up, you would run that function if you want standard direnv behavior.

The equivalent of Shell Initialization Files

To "source" a given .envrc file you can just spawn a subshell using the direnv exec command, passing it the path to a project and its .envrc file:

direnv exec $(readlink -f /path/to/git/clone) $SHELL -i

I would suggest wrapping this a shell function to make it easier.

The equivalent of Per-command Environment Files

This can work in conjunction with the automatic direnv behavior (you can run direnvenable and still use this for commands outside of any project directory).  This is a good way to run commands in scripts using the correct shell environment.  It's the same direnv exec call above prefixing any shell command:

direnv exec $(readlink -f /path/to/git/clone) <command>

I would also suggest wrapping this in a shell function to make it easier.


Conclusion

direnv gives you the power of never needing to manually source an environment setup script when you are working in a git clone of a project. It also gives you the ability to use project settings from a git clone in other directories if needed.

Saturday, October 17, 2020

Effectively Internet Filtering in 2020

(To skip my rambling intro and get to the nitty gritties, search this page for, "After that long introduction")

In college, back when the internet was young, I hated the clumsy ineffective internet filtering that was in place on campus. It often blocked sites that were perfectly fine, and did not catch all the sites of the type that they were trying to block. Fast forward 10 years or so and I saw my children stumbling upon some content that I didn't want them to see on my unfiltered home internet and my attitude changed a bit. Back then web filtering was pretty easy. Nothing was encrypted and DansGuardian was the go-to tool. You set up a transparent web proxy and DansGuardian would scan the entire content of every website that you downloaded in your home. Incriminating words and phrases would trigger its blocking and it would replace the website you were downloading with an explanatory message. The beauty was that there was no need to scour the web, categorize every website in the world, and maintain lists. It still had its false positives and if a website hand objectionable images but otherwise benign text there was nothing it could do, but it took the edge off the raw internet.

Today, it's not so easy. The HTTPS Everywhere campaign bothered me at first. It felt unnecessary, and it most definitely broke my DansGuardian filtering. I have since come to understand the importance and necessity of HTTPS and I'm very glad that Let's Encrypt has made it easy for all of us to use it. But I do still have kids.

DNS filtering came to the rescue, first with OpenDNS, and now I use CleanBrowsing. It's pretty good, but sometimes I want more control. One night our school had a parent-night presentation about internet safety for kids and they had invited some vendors to pitch their wares. One of them was RouterLimits. They had a small box that you simply connected to your network and it would filter internet traffic based on categories or individual sites you listed. No software or configuration of other hosts or your router required. It could also enforce time windows with no internet. "How is this possible when this box is just another client on the LAN?" I pressed their salesman. It was a small company and I think he was also an engineer because he realized I was one, and he slyly said to me, "ARP spoofing."

"That's evil!" I instinctively replied. And then I thought a little more about it and realized it was evil. Evil genius! I bought one right there. Their model was great. Pay $80 for $5 worth of hardware and you get their service for life. Plug the little box into your LAN and connect to their web service. The little box collects a list of hosts on the LAN by paying attention to broadcast traffic, then it floods each host with ARP replies to tell them all that it is the gateway and begins its Man in the Middle attack. If a kid tries to visit badsite.example.com, or any site during the time window when internet is configured to be off for their device, the RouterLimits box sees that and just drops the packet. If a kid tries to visit goodsite.example.com, the RouterLimits box simply forwards the packet along to the actual gateway. Simple and very effective.

The schedule was the thing I loved the most. I had never had that with DansGuardian or CleanBrowsing alone. Sadly, RouterLimits was bought by a bigger company that changed the business model to a yearly subscription. Also, right about the same time, the RouterLimits box lost its ability to block my Roku for some reason. Kids were watching Netflix late into the night on school nights again, dang it. I worked with the RouterLimits support team a bit, but they couldn't figure out what was going on. I wasn't super motivated to debug it myself, because I didn't want to start paying a regular fee for this service anyway.

I still wanted my kids kicked off the internet at a decent time on school nights, though, so I started looking for solutions. The first thing I tried was a pi-hole. It doesn't have scheduling built-in, but I was able to hack together a script that modified the pi-hole database directly to put my kids' devices into a group that had a blocklist that filtered everything. That mostly worked, but it was really a hack. And then my raspberry pi's SD card died and I didn't have a backup. I started looking for another solution. I remember ARP spoofing and did a little research. Sure enough, there is a tool called ettercap that make it pretty easy, especially if you just want to block everything.

After that long introduction, some nitty gritties. To run ettercap in text-mode and see what it can do, run this command:

sudo ettercap -Tq

Play around with it a bit, it's pretty cool.

To filter (perform a Man in the Middle Attack), you'll want to scan and save a list of hosts on the LAN, like so (change the 1000 to your user ID):

sudo env EC_UID=1000 ettercap -Tqk lan-hosts

To man-in-the-middle a host with IP 192.168.1.193, and if your gateway is 192.168.1.1, run this:

sudo ettercap -Tq -M arp:remote /192.168.1.1// /192.168.1.193//

For me that didn't really do anything because it simply forwarded the packets it was intercepting on to the gateway. To do something with the packets ettercap is intercepting, you need to create a filter. My filter is simple, just drop every packet:

drop();

Put that in a text file named drop-all.ecf and run this to compile the filter

etterfilter drop-all.ecf -o drop-all.ef

You can read the ettercap-filter man page for more information about what you can do. I image the RouterLimits box had some more interesting filters (assuming they were using ettercap).

Once you have your filter compiled, add it to the above ettercap command like so:

sudo ettercap -Tq --filter drop-all.ef -M arp:remote /192.168.1.1// /192.168.1.193//

You have successfully performed a Denial of Service attack against 192.168.1.193. If you have, for example, two kids devices you want to block, you need the lan-hosts file you made earlier, and you do this:

sudo ettercap -Tz -j lan-hosts --filter drop-all.ef -M arp:remote /192.168.1.1// /192.168.1.193\;192.168.1.221//

You can add as many ip addresses as you like to list, separated by semi-colons. As far as I can tell, they all need to be listed in lan-hosts too. I believe you could use MAC addresses instead of IP addresses, but I have my router giving out fixed IP addresses to all my kids devices (that was to make the pi-hole hack work), so I just use the IP addresses.

All that's left is to run ettercap with --daemon, make a cron job or systemd timer to start and stop it at the times you want to block your kids' internet access, and you are done! It just so happens that I have written an ansible playbook that does all this for you. You'll have to modify lan-hosts and the internet-stop.service to use your own devices MAC and IP addresses, then run ansible-playbook to deploy this to a raspberry pi (or some other linux box on your LAN that you leave on all the time) and you are good to go.

P.S. This even block the Roku. ettercap couldn't detect the Roku on my LAN like it could other hosts for some reason, so that's probably why Router Limits couldn't block it, but once I manually entered the Roku's IP and MAC into the lan-hosts file, ettercap was able to DoS it just like all the other hosts.