Hello! I’m Justin Fairchild, a full-time IT engineer and spare-time songwriter.

Blue Mormon

MP3 ↓ 3:21

Bug Catchers

MP3 ↓ 4:16

Nowhere Bells

MP3 ↓ 3:15

Toadstools

MP3 ↓ 3:35

If everything has supposedly been said in music already, at least we’re not at risk of running out of new fashions and styles for saying the same old things.

Stamped Secure

At some point after I discovered Linux and the joys of running my own Internet services, I began wanting security assurances. No matter where in the world I was, I wanted to guarantee that I was communicating with exactly the network endpoints that I had originally configured, and that no-one could casually intercept network messages to my servers.

This is how most people are introduced to the realities of TLS certificates in the Web’s Public Key Infrastructure (PKI). But certificates and signing are either a deep rabbit-hole or a bottomless pit! To truly comprehend the lifecycle of a certificate in the Web PKI, you’ll find yourself creating your own Certificate Authority, rather than simply purchasing certificates from an online third-party.

Managing my own personal CAs has been a non-trivial side project. The most difficult part is not technology or tooling, but understanding the spectrum of design choices and reasoning about and documenting all of them cohesively. Hopefully this series on PKI design helps you understand one of the Internet’s foundational technologies, even if you decide that building your own PKI is better left as a thought exercise!


Why Build Your Own CA?

  • Your servers use non-public DNS names that a third-party CA won’t support
    • Alternative: Purchase a public DNS name, but only configure its resolution for your internal networks. Then you can utilize third-party certificates as well.
  • You don’t trust a third-party CA having an inventory of your sensitive systems
    • Alternative: Outside the enterprise, most people don’t fall into this category. Let’s Encrypt not only offers free certificates, but certificate updates and lifecycle automation. Although any automated system offering free service at this scale is open to misuse, Let’s Encrypt TLS configurations are better-maintained than nearly anyone’s hand-configured settings.
  • You want to permit or deny access to an enterprise network using client certificates (802.1X)
    • Alternative: So-called BeyondCorp vendors are beginning to sell managed PKI services. While these offerings are still young, as they mature they should become cheaper than running an internal PKI just for network authentication.
  • You have a passion for security, a distrust of third-party processes, and an unyielding desire to comprehend the meaning of your web browser’s green lock
    • Alternative: If you study PKI, you’ll understand how difficult it is to guarantee security assurances between hosts on the Internet. PKI technologies have structural weaknesses when storing private keys at rest, and when revoking certificates that have been compromised. However, the Internet is full of technologies that have critical security flaws or lack any form of security engineering or review. It’s good knowing why the lock is green or not, but chances are that’s the least of your problems.


What Does PKI Trust Mean?

When you trust a server’s certificate, you are allowing your computer to begin an encrypted network connection to that server. Having trusted communications is valuable, but more important are the standards for how businesses securely store data on their servers. Web PKI and Transport Layer Security (TLS) standards have nothing to do with the security of data at rest on a server. Even an Extended Validation certificate could easily be issued to someone whose server has been secretly compromised, without either the server admin’s or the issuing authority’s knowledge.

Green Question

PKI trust only refers to the security of the network communication to a server. While this trust ends up being weak, it’s still better than having no assurance you’re actually communicating to, say, your bank. A good metaphor for PKI trust is checking someone’s driver’s license and saying “you resemble the person in this photo — carry on!” As a random observer, you’re not trained in how to validate the details of a license, though you can judge on appearance and fit/finish that a cheaply-made fake ID might lack.

If your computer shipped without a pre-installed set of trusted certificates, all Internet trust decisions would be similar to the “gut” decision around validating a driver’s license. Fortunately, operating systems or browsers make trust decisions on your behalf by including a set of default-trusted Certificate Authorities. Trusting your OS is one component of the indirect trust involved in the Web PKI. To understand the others, I’ll need to discuss how signing chains work in a future installment.

Conceptually, indirect trust is very weak, only one level above “gut trust”. And the more levels of indirection, the more fragile the trust. However, it’s possible to manage your trust chains and certificate issuance more directly, by creating your own Certificate Authority, and managing your OS’s list of CAs. For signing chains, the more you control the keys and system security of each step of the signing, the more you can trust the server certificates in the chain.


Takeaways about Trust

With all that indirection, the green lock in your browser starts feeling pretty fungible! Your OS trusted a third-party CA, and you trust your OS, therefore you should trust the remote server is the rightful recipient of your web traffic. But the remote server might be compromised, and the remote service’s data security practices might be questionable, and the OS vendor or CAs may have shady dealings with governments or institutions you don’t personally trust. Heaven forbid that a CA owner decides to sell their service to a new company — should you just trust that the new company has the same interests in managing the CA they purchased? Who knows!?

People whining in line

PKI trust can be modelled like any series of trust relationships between institutions, where any link in the chain appears brittle under the microscope, and yet there is great public and economic value in maintaining the chains and offering some definition of trust, even a weak one. Crucially, the social and political management of PKI services should be the basis of whether you trust a section of the Web PKI or not. Trust and risk management cannot be automated or programmatically solved in the same way that other computer science and data management tasks can.
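The signing chain described above, as an added example that is not the post’s own code: a throwaway root CA signs a leaf certificate for a non-public DNS name, and openssl verify shows that the leaf is trusted only by whoever installed that root, not by the machine’s default store. It assumes openssl 1.1.1 or later on the PATH; WORKDIR, every file name and the name home.internal are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): a minimal private CA built with the
# openssl command line, signing one server certificate and checking which trust
# anchor the result chains to. Assumes openssl 1.1.1+. All file names and the DNS
# name home.internal are constructed for this example.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Step 1: the root CA. Everything below derives its trust from root.key, which is
# why the article calls private-key storage the structural weak point of a PKI.
# A private config file keeps the default openssl.cnf extensions out of the cert.
make_root_ca() {
  cat > "$WORKDIR/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = Example Home Root CA
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$WORKDIR/ca.cnf" \
    -keyout "$WORKDIR/root.key" -out "$WORKDIR/root.pem" 2>/dev/null
}

# Step 2: a server key and CSR, then the CA stamps its signature on the leaf.
# The leaf gets CA:FALSE and a SAN for the private name, so a stolen server key
# cannot be used to mint further certificates under this root.
make_server_cert() {
  printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = home.internal\n' \
    > "$WORKDIR/leaf.cnf"
  openssl req -newkey rsa:2048 -nodes -sha256 -config "$WORKDIR/leaf.cnf" \
    -keyout "$WORKDIR/server.key" -out "$WORKDIR/server.csr" 2>/dev/null
  printf '%s\n' \
    'basicConstraints = critical,CA:FALSE' \
    'keyUsage = critical,digitalSignature,keyEncipherment' \
    'extendedKeyUsage = serverAuth' \
    'subjectAltName = DNS:home.internal' > "$WORKDIR/leaf.ext"
  openssl x509 -req -in "$WORKDIR/server.csr" -sha256 -days 365 \
    -CA "$WORKDIR/root.pem" -CAkey "$WORKDIR/root.key" -CAcreateserial \
    -extfile "$WORKDIR/leaf.ext" -out "$WORKDIR/server.pem" 2>/dev/null
}

# Step 3: the trust decision. Exit status 0 means the leaf chains to the given
# anchor AND carries the expected host name; anything else is "lock not green".
verify_against() {  # $1 = trust anchor file, $2 = expected DNS name
  openssl verify -CAfile "$1" -verify_hostname "$2" "$WORKDIR/server.pem" \
    >/dev/null 2>&1
}

# The same leaf checked against the default store, which has never heard of our
# root: this is the failure a browser shows until root.pem is installed there.
verify_with_default_store() {
  openssl verify "$WORKDIR/server.pem" >/dev/null 2>&1
}

make_root_ca
make_server_cert
if verify_against "$WORKDIR/root.pem" home.internal; then
  echo "own CA, right name: trusted"
fi
if ! verify_against "$WORKDIR/root.pem" other.internal; then
  echo "own CA, wrong name: rejected"
fi
if ! verify_with_default_store; then
  echo "default store: rejected (root.pem is not installed there)"
fi
```

Installing root.pem into an OS or browser trust store is exactly the "managing your OS’s list of CAs" step the article mentions, and it is the only thing that turns the last result from rejected to trusted.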

One of the Maruyama Red Panda twins, Kin, passed away suddenly last week due to a bowel obstruction. She left behind her mate, Singen, and a panda cub that’s not even two months old. Kin was gentle, sweet, good at sharing but still willing to tussle and defend herself. She’s given me such joy, and now that Kin is a star in the sky, I wanted to share some video memories of her life.

As I get older, I’ve started rejecting cynicism outright, since it’s emotionally blinded me to so many new ideas and opportunities. Skepticism and doubt are useful tools that compel you to prove something that is uncertain, while cynicism is at best a self-defense against bad-faith arguments. With reasoning and strong principles, proof (and doubt in its absence) should protect me well enough against deception.

Kin and Gin

Happy Birthday to Maruyama Zoo’s precious, beautiful basketcase twins, Kin and Gin, born on July 20th, 2012. Both are recent red panda mothers, with Gin’s baby girl Marumi being born June 15 of last year, and Kin’s newborn having arrived on July 7 of this month! To spread the joy these little ones have given me, I’ve created a playlist of Kin and Gin favorites, starting with the classic “Who are you? Red Panda has seen it” featuring their cutest, coldest stranger-stares. Watch for cameos from the rest of the family bears! ♥

Kobaïa

With a new version of Constantina released and live, I thought I’d indulge a graphic idea I’ve had for a couple of months. While the project might have only taken 30 minutes, the design employs a retro-futuristic typeface that's at least 50 years old, whose name has been collectively forgotten from the entire English-speaking Internet.

Meanwhile, on the fantasy Kobaïa-On-Line intergalactic network, their financial institutions and official documents are liberally slathered in this unknown typeface. At small type points, hopefully they used something vaguely more readable, though no less delightfully obscure.

So, the plan was to take two of my favorite science-fiction egyptological musical passions, harmonize them into a unified design, and sell a tiny batch of T-Shirts. Whoever buys one of these fusions of the Hieroglyphics and Magma band logos, is a very precious snowflake that I would love to talk music with!

Hiero Day 2015
Stevie’s Alien Baby

But after three evenings of almost-totally failed searching on fontspring, whatthefont, identifont, and countless others, ingesting new typography jargon, searching by foundries and original creators, and grasping at metadata for anything resembling my curio vampiric triangular block capitals, I almost wanted to recreate this nameless enigma from scratch! For now though, I have a typeface that almost hits the same pre-disco apocalyptic emotional cues. I grimace at its relatively amateur feel, and how its name actively mocks my attempts to bend the Internet towards appreciating rare typographical wonders that only appear on album covers by Magma and Stevie Wonder.

Magma, Y'all

The typeface is called Bollocks. Yep. Hiero, y’all. Fire for your third eye.

I record all my music on Linux workstations, using only the finest janky little open-source apps. Audio professionals might kindly call this “suffering for one’s art”.

Broken and Fixed

Just a quick update. Codaworry was offline all of last week, since I underestimated the work it would take to massage this special snowflake onto the latest version of Constantina. The software now supports authentication, and as a result, I ended up shuffling around lots of files that were public-by-default into files that become inaccessible given that authentication is turned on. It’s one of those infuriating things where nothing looks different on the outside, but the soul was reincarnated into something new.

Doing it wrong if this text ever loads

As I get older, I’ve had some age-related changes in how I think about what’s important. One of my favorite things now is seeing people, animals, and other life that is growing, well-taken-care of, able to be happy just by being. This feeling came about slowly over time, but now the feeling is so intense and fundamental that it has become non-conveyable, like how I can share why I’m happy about a sunny day but not what it feels like to have blue eyes or be a man. Today I’ll show you where this came from.

Coco
Seita

At the Maruyama Zoo in Sapporo, Japan, there are two red pandas, Coco (an 11-year-old female) and Seita (a 12-year-old male). Coco came from Saitama Children’s Zoo in November 2007, and Seita joined her from Chisuyama Zoo in July 2008. They might not be special if it weren’t for Miyano Mayu’s blog, where she has celebrated “the little things in Hokkaido” nearly every day since moving to Sapporo in 2005. The number of photos and videos she’s posted of Maruyama’s red pandas must be in the tens of thousands, but her joys of observing life extend around and beyond her beloved zoo animals, parks, mountain-trolleys, and the epic snowfall of her home city.

Red pandas are rare and precious, less than 10,000 remaining in the wild, limited to the stretch of highland jungles and bamboo veins around the Himalayas, across China, Nepal, Bhutan, India, and Myanmar. Through Mayu’s succession of three blogs and her YouTube site (Mmovies21), you can slowly watch Coco and Seita growing up together, fighting for apples, climbing up and down and sideways around their enclosures, snoozing and relaxing in the sun, safe from predators like snow leopards, and poachers who could sell their pelts for the price of a small car. Humankind cannot account for what we consume in the world, but we do have zookeepers and volunteers that can make space for these animals to just be, where we can learn enough to care for them.

Zoos are required by their charters and policies to vouch for the conservation of species, and to appeal to our desire to protect the world for our children. Perhaps this appeals to our self-interest, how if we don’t preserve the world, we’ll be worse off in the future. But it’s subtly disingenuous, because I think the best outcome for a zoo is giving a place for animals to be loved. Humans have no ways to deeply interact with red pandas, and these adorable little creatures are not actually that warm, caring, or emotionally relatable, being devoted to eating bamboo and sleeping 16 hours a day. Like newborn babies that just need but have no means to give back, they can only be loved.

Standup Eita

Coco and Seita have conceived three times, first giving birth to twin girls Lily and Lila in 2010, another set of twin girls Kin and Gin in 2012, and finally a boy Hokuto in 2014. With all the girls being born, Maruyama Zoo brought in a sprightly 2-year-old male from Chiba Zoological Park named Eita in late 2013. They’ve had wonderful spaces to live, full of overhead bridges and tracks, a giant oak tree, and both indoor and outdoor enclosures. The more videos you watch, the more you start recognizing their unique faces and tails, as well as their little moods and attitudes and power-structures with each other. When Kin was moved to Kushiro Zoo and separated from her sister Gin in May 2016, after seeing those two grow up together in hundreds of videos, I was devastated.

However, Kin’s move helped Maruyama make space for something wonderful. After unsuccessfully trying to conceive in 2015, Gin and Eita had a baby girl in 2016. Baby red pandas are covered in fluffy gray fur and are tiny enough to be weighed in small plastic buckets, which is done frequently to track that the baby is growing successfully and being fed appropriately by the mother. Red panda infants have a high mortality rate, subject to both neglect and over-parenting, as well as fungal infections and diseases like canine distemper. So every time Mmovies21 or Cattail Sapporo posted a new video, and the baby’s weight ticked up slightly higher, and after every passing day it seemed more likely that the baby would survive, it was something to celebrate and cherish. Marumi is now 8 months old, a puffy round bundle of fur and spirit, and I’ve watched her learn to eat apples and grapes, learn to shimmy over logs and eventually climb, discover how fun it is to chase her mother’s tail, and explore the world with wide-eyed wonder. Coco and Seita are now grandparents, and Maruyama’s family bears continue to thrive and be loved.

Gin and Marumi

I don’t think happiness is a journey or a right or something you discover. I think you build and cultivate it with the world, and are thankful for it, because it cannot be promised or guaranteed. In October of last year, San Jose got its very own red pandas, a 2-year-old male named Will Smith and a 5-year-old female named Gaila. One of my favorite hobbies is visiting Happy Hollow Park and Zoo, catching the lemurs with their arms stretched out laid back in the sun, witnessing the goats make advances at anything that looks like a grass pellet, or seeing Will do whatever he likes, even if it’s nothing at all. And now you know why!

Winning at Cute

Special thanks to Maruyama Zoo and Happy Hollow Park and Zoo for taking care of my precious bears, and to Miyano Mayu who sees the extraordinary in the small things of the world.

start-fan-out

Why is it so hard to start something new? I’m not sure if it’s knowing the time sink of a project prior to starting, not wanting to fail after spending that time, being afraid of new things or changes that you can’t expect, or maybe just fear itself — nothing to be afraid of!

I want Constantina, the engine behind this site, to become a community platform. When I first wrote Constantina in 2014, my goal was having an easily-browsable web journal that gave you my thoughts and feelings in the exact structure and aesthetic I intended. In the three years since, I’ve become more interested in connecting with peers and less interested in having an audience. Although I want people to care about the things I have conviction in and spend hours on, without power or excess social signalling, nobody really cares about what I do. While doing projects in my isolated way fuels the engine of my life’s meaning, that engine doesn’t power anyone else. So hopefully Constantina helps me find a small group whose engines run together.

In the meantime, the juggling continues. Barber’s violin concerto is on my practice list, the authentication/session handling for Constantina has been designed and awaits becoming real code, and San Jose is recovering from one of the nastier floods in recent memory. May none of your life’s new beginnings turn out to be false starts!

Trust

Since my last update, the Constantina engine that powers Codaworry has grown by 600 lines, though closer to 1000 lines of code have seen serious refactoring. Until recently, very little appeared to change, but under the hood I was fixing the card distribution and randomness functions, refactoring complex objects into simpler smaller ones, tidying the backing file stores, fully rewriting how input is validated, and squashing a subtle off-by-one error that quietly hid every 10th news post. You may notice the most recent change though, where each page refresh randomly chooses from three different site themes. This visible feature wouldn’t have been possible without all the invisible ones supporting it.

I’m within a month of releasing Constantina publicly, as a blog-engine with emphasis on responsive layout and randomly distributed static content. But my motivations for Constantina finally becoming release-quality had little to do with altruism, and more to do with trust.

The Slow Mail Movement

Coming online and of-age in the mid 1990s, the Internet was three wonderful things at the same time. Firstly, it was rounds of deathmatch Quake or Worms against total strangers. Secondly, it was a wealth of information that felt as well-researched as books from the library, but much quicker to use. Finally, it was a way to socialize and share with people at the speed of writing, possibly the only type of socializing I’m categorically comfortable with. I love the idea of discovering truth slowly and conversationally, with ample time to consider details and sand-down the rough logic of instantaneous thought.

The Internet now connects us right down to our handsets, and the medium of text-image-video communications has been thoroughly explored, such that futurism compels you to imagine a world of deviceless telepathy and telepresence. An Internet user from 1997 would be enthralled with today’s Internet, though the Facebook-style socializing would definitely be confusing at first. Over time, as the reality of having an online social life and reputation sets in, perhaps they’d marvel at how completely the utopian fantasies of Internet pioneers have evaporated. The closer society moved to the Internet, the more the Internet reflected everyone’s base desires, needs, struggles, and weaknesses — consequentially, the Internet is a place where trust is earned, never assumed.

The early days of ISPs, trust and PKI, networks and services, have a sepia-tinged innocence to them now. Network surveillance would bother our transplant-from-time no less than us, and the variety of techniques for compromising software is clever beyond the wildest fantasies of 20th-century science fiction. Network security problems were a distant shadow at the edges of my wasted hours on Perl WWWBoards — today they are unavoidable facets of our networks and our software engineering. Having social media accounts, making calls or using maps on a cellphone, or relying on a free email provider, equate to consenting to being watchable and trackable indefinitely. Social pressure and convenience put nearly everyone in the same bucket of mutually-assured disclosure.

Don’t get hurt, bird!
You’re the bird, and the hand provides your social network.
(Not pictured: long-term trust, security)

In computer security, it’s impossible to account for all threats or compromises in a system. Your goal as a system designer is to make it as expensive for your adversary as possible. In the corporate world, this amounts to hiring a computer security team and keeping a watchful eye. If you run an Internet service, it means you do regular pentests and code reviews, and design protections in line with the value of your data. As someone with a seed of 1997’s Internet still inside, I find myself thinking about the categorical version of this security problem: on a global untrusted network, how do you make it expensive to steal the private data of the network’s users?

While Facebook and friends have some incentive to protect the data exhaust you share with them, it’s a standard principal-agent problem — there will never be a mechanism to compel Facebook to value your data the same way you do. I believe the only way to categorically protect data on the Internet is for people to own and manage it themselves. This is the direction I’m taking Constantina, beyond a blog platform and into the realm of managing a small community of peers that write, share, plan, and grow with each other, in relative privacy.

Sometimes failures are more interesting than successes. Last week marked the end of my focused efforts on the Gapless-5 library. Properly implemented, this library would enable a web jukebox to play multiple songs in order, without audible gaps in between the songs.

Web browsers have two audio APIs. The first (the HTML5 Audio API) is intended for playing individual audio files, while the second (the Web Audio API) is focused on mixing and loading short clips into a buffer or effects-processing chain. Gapless-5 attempts to leverage the first API for playing the initial song, while using the second API to create a rolling buffer of subsequent songs.

Gapless-5 has an unfortunate litany of problems. One crucial issue relates to audible pops caused by inexact timing of the cutover between the two audio APIs. This issue is beyond fixable for me, since browser schedulers don’t treat audio as a priority in terms of service workers/timing. A second issue involves memory management — once Web Audio API buffers are created, browsers do a poor job at deallocating the memory these buffers have used. The only chance at garbage-collecting this data results in hitting a browser limit for the number of processing chains a webpage can initiate over time. Finally, the Web Audio API is poorly supported on mobile platforms such as iOS, which happily sleeps audio upon lock-screen activation, even in the middle of song playback.

Longplay
The not-quite Gapless (and release-less) Longplay Jukebox

Gapless playback is a nuance championed more by music purists than developers. As a result, the two APIs that might be extended to support gapless lack sufficient testing or engineering. It also works against Apple’s or Google’s interests to have their mobile browsers support high-quality audio playback outside the scope of their own Apple/Google Play stores. Mobile browsers frequently overstate their support of modern APIs, failing to mention their shortcomings versus the mature API implementations in desktop browsers.

Ironically, my biggest lesson is that it’s important to risk succeeding. The chances of Gapless-5 working in a high-quality way were always small, given the anti-competitive nature of mobile platforms. The flipside is basically the broken-window fallacy with a silver lining — although software platforms increase the cost of implementing a cross-platform project, if you’re skilled enough to push through the barriers, you’re likely to be in valuable, uncharted territory.

CSS background-attachment: cover is great for centering a background of a webpage on a focal point, even when the window resizes. Unfortunately iPhone and friends stretch the background to match the page content, rather than the on-screen viewport, making it useless on mobile.

Make It Happen!

I have no idea what to do to finish my songs, to get the final effects I want. But the journey is quite fun, as long as I don’t fixate on the final outcomes.

The last time I recorded string quartet parts, the balance of parts was pleasing in some areas, but not in others. So I went back and added long crescendo/diminuendo markings to the three violin parts and one viola part. I had my audio workstation playing back the existing recordings on one side, while at my mixing desk I made tweaks to the sheet music on my laptop. Even when not recording strings “in the box”, being surrounded by computers is helpful!
