Stavros' Stuff

On programming and other things.

The UX people

Who are they?

Today, at work, I was debating with other engineers on what the wording of the message should be, when a patient tries to register an already-registered blood test kit. The specifics (or the people) aren’t really important here, but what struck a chord was when someone said “this is up to the UX people”.

We don’t have “UX people”. “UX people” don’t exist.

The UX people

The unspoken assumption here is that

Continue reading…

Spam spammers back

Now with added ChatGPT

I’m writing this post sleepless and with a headache, which I find is the best way to write posts, because it removes all the verbal guardrails, so, be forewarned.

Back in 2016, a year before recorded history, I stole a simple idea: What if I wrote a bot to reply to spammers, pretending to be interested in their wares, and wasting their time? After creating this, it turned out that it was possible, and Spamnesty was born.

Spamnesty was cleverly disguised as a company, Mnesty, LLC, Asia’s premier maritime logistics company, strategically located in the land-locked Mongolia. Of course, this didn’t tip spammers off that the whole thing was fake, because why would they even care to look at the site? This resulted in untold amounts of entertainment, whiling the small hours of the morning away, reading about the likes of the hapless Abdullah Ishaq, whose attempt at selling LedTrading.com to my bot did not

Continue reading…

Use your Wii Balance Board as a scale (again)

We did it again, internet

If you’ll recall, once upon a time I managed to get my Wii Balance Board to connect to my computer and function as a scale. At some point throughout the years, Linux changed, and that method broke. It would still measure your weight fine, but you could no longer activate the balance board by tapping its front button, you had to flip it over, remove the battery compartment lid and press the red button every time. This was too much of a hassle, so I stopped using the board, hoping that a solution to this problem would arrive one day to liberate me from the scourge of adipose tissue.

This day is today (well, a few months ago, actually, but I couldn’t be arsed writing about it until today, so). I received an email from a reader called Jawaad Mahmood, who had read my balance board article and spent a bit of time figuring out how to get the balance board to work, and packaged his work into a library called bbev.

I was initially sceptical because many people contacted me throughout the years, but nobody managed to get rid of the red button requirement. Talking to Jawaad for a bit, though, he confirmed that he could painlessly get the board to pair with his computer with the front button. Apparently something had changed in the Linux Bluetooth stack, and made pairing possible again, and he managed to figure out how.

This was great news! However,

Continue reading…

Clearing up some misconceptions about Passkeys

I love passkeys so much

I am unreasonably excited about passkeys, I’ve long been looking for a better/more convenient way than passwords to do authentication, and I think passkeys are finally it.

However, whenever I see passkeys mentioned (for example on the recent Tailscale post about them), there are always a lot of misconceptions that surface in the debate. I’d like to clear some of them here, and hopefully explain a bit better what passkeys are.

A bit of backstory

Passkeys are a user-friendly name for, and an implementation of, WebAuthn, which in turn is part of the FIDO2 project. All that is basically a way to say that passkeys are an open standard, developed by a consortium of companies that want to make authentication more secure and more usable. My personal opinion is that passkeys are a great solution to that problem, and that’s why I’m so excited about them.

At their core, passkeys are just a way for a website to ask your browser for authentication. That’s it, they aren’t tied to a specific piece of hardware or a way for that hardware to work. I’ll expound more on this further on.

I want to lay out some common misconceptions about passkeys that I’ve been seeing, and

Continue reading…

I made an e-ink display that shows my calendar

Time to relax? Think again.

There’s an old saying I just made up, it goes “a man has a problem. Give him a solution, now he has two problems”, and that’s how I felt when I came across the LilyGo T5, a beautiful e-ink display with an ESP32 microprocessor and an 18650 battery holder.

I needed to find something to make with it.

The idea

I realized that one thing that’s missing from my life right now is more time pressure. I have a job, which got me most of the way there, but I’m bad at remembering the time of each of the twenty meetings I have every day. I really needed something that would allow me to see my daily calendar at a glance, and I realized that a 4.7” e-ink screen was the perfect thing for that use case, so I quickly started working on making this a reality.

The result was…

The Timeframe

Continue reading…

Hacking my appetite

This must be how normal people feel

Recently, my weight shot up again, and I’ve gone over the weight where I start snoring in my sleep. Since my BMI is now somewhere in the range where I get my own orbit, I decided to do something about it. I recently found out about Semaglutide, and I figured I should give it a shot.

Semaglutide is a new drug for weight loss, or, more accurately, an old drug for diabetes. However, the diabetics who were taking it reported suppressed appetite, so the pharma company thought “hmmmmmm…”, and we got a nice weight loss drug.

Since I don’t like snoring or being overweight, I was curious to try it and see what happens, so I talked to a medical professional and got some prescribed, more out of curiosity than out of need. I think it’s going to be an interesting experiment, and am eager to see whether (and how) it works.

Continue reading…

Making a security key for the Framework laptop

I'm loving the Framework

I was searching for a laptop to replace my 5-year-old Dell XPS, and I came across the Framework laptop. I had heard good things about it, and I liked the hackability, so I thought I’d give it a shot, and ordered it. My first impression was extremely positive, it came with the RAM sticks in boxes, and I had to use the built-in screwdriver to open the laptop up and install the RAM. All the components inside have QR codes with guides on how to install things, and opening the laptop is a matter of unscrewing five (captive, yay!) screws and popping up the magnetic keyboard, it took twenty seconds to slot the RAM sticks in and be ready to go.

Unfortunately, I made a grave mistake

Continue reading…

Block non-Cloudflare IPs with ufw

DDoS and DDon'ts

Note: To skip the story and immediately go to the script that will fetch Cloudflare IPs and whitelist them using ufw, scroll down.

An interesting thing happened today: Someone contacted one of my clients and told them that he found a catastrophic regex backtracking vulnerability in one of their apps. This was interesting, because the app is a simple Next.js site that doesn’t use regex. Also, as far as I could see, Next.js doesn’t have any such vulnerabilities reported against it, so we were curious to figure out what was going on.

My client asked him to demonstrate the vulnerability, and he did. Sure enough, it brought the service down, but it also brought down the entire server, which was a bit odd. “Oh well”, I thought, “maybe it took up enough CPU to make the machine unresponsive”. The reporter then asked for a fee of 6 ETH to give my client information about the vulnerability and how to fix it, and gave references from other services. He even asked about possibly being hired by my client in a full-time position, to help with security.

Observing the vulnerability first-hand

I wanted to see the request for myself, though, so I could figure out which path it hits, reproduce it, and fix it. I asked my client to put the reporter in touch with “their security person” (me), so I could ask for another demonstration, this time being ready with logs to see what was going on.

The reporter agreed, and I logged onto the server to look around for

Continue reading…

Compressing images with Stable Diffusion

You get the gist

Images are just too big. A 3 MB bitmap compresses down to a 500 KB JPEG, which, don’t get me wrong, 16% of the original size is great, but why 500 KB? That’s still pretty large.

This is 2022, we shouldn’t have to put up with large images. Our websites might load 60 MB of stuff for a pageview, but that stuff shouldn’t be images, it should be Javascript, as Brendan Eich intended.

We shouldn’t have to put up with fat images, but, until now, we had no choice.

Now we do.

Continue reading…

Poop analytics

The poop analytics I've always wanted

As you may remember from a previous post, I have a blind cat whom I made some eyes for (which, incidentally, were a great success). One of the perennial and enduring problems every couple faces when they have a cat is how to divide the poop scooping. At least, that’s what I imagine, extrapolating from a sample size of 1.

Over the years, I have tried to come up with various equitable solutions that would be fair to both me and my partner. A few days after implementing the first solution, “just leave poop where it is”, we realized that we needed to add “be fair to the cat too” to the above equation, and I went back to the drawing board.

In this post, I will guide you through the various solutions

Continue reading…