<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0"><channel><title><![CDATA[Nocturn9x's Blog]]></title><description><![CDATA[A fan of the FOSS philosophy, *nix systems and Python. Occasionally a freelance Software Developer]]></description><link>https://blog.nocturn9x.space</link><generator>RSS for Node</generator><lastBuildDate>Sat, 11 Apr 2026 02:10:32 GMT</lastBuildDate><atom:link href="https://blog.nocturn9x.space/rss.xml" rel="self" type="application/rss+xml"/><language><![CDATA[en]]></language><ttl>60</ttl><item><title><![CDATA[My take on working from home]]></title><description><![CDATA[So, here we are back with another rant hm? I guess I'll just jump right into it then. You might want to read my LinkedIn post before this one though, as that adds a bit more context to the things I'm going to talk about next.
The office is dead
Or is...]]></description><link>https://blog.nocturn9x.space/my-take-on-working-from-home</link><guid isPermaLink="true">https://blog.nocturn9x.space/my-take-on-working-from-home</guid><category><![CDATA[wfh]]></category><category><![CDATA[techjobs]]></category><category><![CDATA[rto ]]></category><dc:creator><![CDATA[Mattia Giambirtone]]></dc:creator><pubDate>Wed, 06 Sep 2023 16:17:43 GMT</pubDate><enclosure url="https://cdn.hashnode.com/res/hashnode/image/stock/unsplash/npxXWgQ33ZQ/upload/9ad2f3c55aa96815e1aec256cbc92f8e.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>So, here we are back with another rant hm? I guess I'll just jump right into it then. You might want to read my LinkedIn <a target="_blank" href="https://www.linkedin.com/feed/update/urn:li:activity:7105204597106823168/">post</a> before this one though, as that adds a bit more context to the things I'm going to talk about next.</p>
<h2 id="heading-the-office-is-dead">The office is dead</h2>
<p>Or is it? After years of companies praising WFH as the future of work, both for employers and employees, it seems like everything is reverting to the world before the pandemic. Companies are asking (also known as threatening with termination, in most documented cases) employees to please, please, please come back to the office, but only after hiring loads of people who all took their jobs with the expectation that it was going to be remote even after the whole Covid-19 debacle was over, and made plans around such promises accordingly (those people should've probably made sure their position was finalized in writing, but that's a whole other topic). I'm not going to quote Mark Zuckerberg or Jeff Bezos here, plenty of reputable publications have done that already (this is the blog of a 20-year-old techie, what were you expecting? I'm not Wired), but what I am going to do is chip in and add my oh-so-requested take on this hot potato of a topic.</p>
<h2 id="heading-why-return-to-the-office">Why return to the office?</h2>
<p>Honestly, the reasons are probably a combination of the following:</p>
<ul>
<li><p>Many companies get tax breaks from the cities where their hubs are located because their workers boost the local economy around them. This seems to be mostly a US-specific problem though, so I don't think it explains the broader trend that has been going on lately</p>
</li>
<li><p>Most managers, for some mysterious reason, seem to believe that having a bunch of people all sitting close together typing at their keyboard is the definition of top-tier productivity. Not only is that provably false, both by research (no I'm not going to quote any articles because I'm lazy, do your research, there's plenty) and anecdotal experience (anyone who has chit-chatted for more than 5 minutes with their colleagues will attest to how much time is lost just doing that), but it's also an incredibly old-fashioned way of looking at office jobs and work culture in general</p>
</li>
<li><p>Companies tend to sign multi-year leases with real estate owners to get their offices at a steep discount. No more people working in the office means those investments are effectively wasted</p>
</li>
<li><p>Some CEOs are just, let's say, not exactly the kind of people I (and probably any of their workers for that matter) would like to hang out with (I'm looking at you, Jamie Dimons and Elon Musks of the world). The trust issues that managers have regarding work performance are most likely coming from above</p>
</li>
<li><p>This is not true for all companies (although it is relevant to the industry I work in, which is tech), but some of them hired tons of people during the pandemic (even if those people ended up just twiddling their thumbs for most of their day) just because they were sitting on piles of money, not in small part thanks to the fact that their profits skyrocketed after everyone and their mom was suddenly forced to hop onto their computer to work (did anyone seriously care about Zoom before 2019? It's a genuine question). Why? Well, some of that might be manglement (yes, you read that right) making short-sighted hiring decisions (although I find that unlikely), but I think it was just another sneaky way to dodge taxes on the newfound profits: after all, you can't pay taxes on your profits if you reinvest all of it into "developing" the company, right? And, I mean, you can just lay off all of your extra workers once the pandemic ends, right? Maybe by forcing them to return to the office while knowing that most of those who were hired to work remotely will be forced to resign, therefore not needing to shell out costly severance packages? It can't be that, <em>right</em>?</p>
</li>
<li><p>Companies tend to copy each other: this is true with products as well as with managerial decisions. I wouldn't be surprised if the reason many of them were forcing RTO mandates was "because Google/Amazon/Facebook did it" (Yes, Facebook. I ain't playing your rebranding game, Mark). Is it stupid? Yes. Is it human? Unfortunately, also yes. Silly humans doing their humaning, I guess</p>
</li>
</ul>
<p><strong>P.S.</strong>: Just FYI, this post (most of this blog actually) is a reflection of my opinions. None of this stuff should be taken as fact, cold hard truth, or anything of the sort. I'm a young tech guy ranting, not Andrew Tate: If you disagree with me, that's fine. I'm also not saying WFH is the best thing to ever be invented after toilet paper. All I'm arguing for is to let people choose the way of working that they feel makes them the most productive and happy, and that works best with their current way of life. We don't live to work anymore, this isn't the 1970s: work should adapt to us, not the other way around.</p>
<h2 id="heading-conclusion">Conclusion</h2>
<p>As I said in my LinkedIn post: employees make choices with their feet. I know many people can't afford to just quit their jobs right now, but if you have the option I think it should be time to reflect on what you think is more important: your career, or your life? The choice is yours. Most companies, whether they like it or not, will be forced to realize that remote work is here to stay, but that can only happen if we stand united and teach their execs that no, we aren't going to trade our quality of life so they can give themselves another 2M yearly bonus while the raises they give to employees don't even keep up with inflation anymore.</p>
]]></content:encoded></item><item><title><![CDATA[PSA: Analytics on my website]]></title><description><![CDATA[Hello there, long time no see! This is going to be a very quick post, but I just wanted to share that in the past few days, I have integrated an analytics service into my website. Fear not, however: I will not be using some third-party, data-mining, ...]]></description><link>https://blog.nocturn9x.space/psa-analytics-on-my-website</link><guid isPermaLink="true">https://blog.nocturn9x.space/psa-analytics-on-my-website</guid><category><![CDATA[analytics]]></category><category><![CDATA[Google]]></category><dc:creator><![CDATA[Mattia Giambirtone]]></dc:creator><pubDate>Fri, 28 Jul 2023 10:58:18 GMT</pubDate><enclosure url="https://cdn.hashnode.com/res/hashnode/image/stock/unsplash/shr_Xn8S8QU/upload/d1c8d9c612eb789218172126581b2811.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>Hello there, long time no see! This is going to be a very quick post, but I just wanted to share that in the past few days, I have integrated an analytics service into <a target="_blank" href="https://nocturn9x.space">my website</a>. Fear not, however: I will not be using some third-party, data-mining, privacy-violating proprietary crap made by a big tech company just to tell me how many people have visited my website and draw a shiny graph on the screen. The tracking software I'm using is called <a target="_blank" href="https://github.com/plausible/analytics">Plausible Analytics</a>, and it's free as in freedom. Also, in the interest of transparency, the page that aggregates the statistics that I'm keeping track of is visible <a target="_blank" href="https://stats.hyperbit.it/nocturn9x.space">here</a>: what you see is what I see, unfiltered! 
The reason for doing this is that I am addicted to graphs and statistics: I cannot resist a webpage filled with numbers, graphs, knobs and dials and such, but I have never wanted to use software like Google Ads, for obvious privacy reasons, so this idea has always stayed at the back of my mind, until now that is!</p>
<p>P.S.: Thanks to the great folks at HyperBit for hosting an instance of this awesome piece of software and letting us know early, by the way!</p>
<p>P.P.S.: Since HyperBit is hosting the plausible instance, you should refer to their <a target="_blank" href="https://hyperbit.it/privacy-policy">privacy policy</a> to learn more about how your data is handled and what your rights are. Please do not hesitate to contact me via email at nocturn9x@nocturn9x.space or using the contact form on my website if you have any questions or concerns.</p>
<p>See you soon! :)</p>
]]></content:encoded></item><item><title><![CDATA[Search files by content on Linux]]></title><description><![CDATA[The problem
Have you ever found yourself looking for a document in your PC and not being able to find it because you only remember its contents and not its name? If so, then this post may be for you!
First attempt: find + cat + grep
If you're not ter...]]></description><link>https://blog.nocturn9x.space/search-files-by-content-on-linux</link><guid isPermaLink="true">https://blog.nocturn9x.space/search-files-by-content-on-linux</guid><category><![CDATA[Linux]]></category><category><![CDATA[command line]]></category><category><![CDATA[files]]></category><category><![CDATA[posix]]></category><category><![CDATA[coreutils]]></category><dc:creator><![CDATA[Mattia Giambirtone]]></dc:creator><pubDate>Wed, 22 Jun 2022 19:45:41 GMT</pubDate><enclosure url="https://cdn.hashnode.com/res/hashnode/image/unsplash/NLSXFjl_nhc/upload/v1655925354906/dy5OwZBCS.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<h2 id="heading-the-problem">The problem</h2>
<p>Have you ever found yourself looking for a document in your PC and not being able to find it because you only remember its contents and not its name? If so, then this post may be for you!</p>
<h2 id="heading-first-attempt-find-cat-grep">First attempt: find + cat + grep</h2>
<p>If you're not terribly fond of the command line, you might try something along the lines of this</p>
<pre><code class="lang-bash">find ~ -<span class="hljs-built_in">type</span> f -name <span class="hljs-string">"*.ext"</span> | cat | grep -i <span class="hljs-string">"your match"</span>
</code></pre>
<p>Unfortunately, this doesn't work. <code>cat</code> can be piped into just fine, but all it does is copy its standard input to its standard output: it echoes the list of file <em>names</em> that <code>find</code> printed, so <code>grep</code> ends up searching the names rather than the contents. We need to hand each file to <code>grep</code> as an argument instead.</p>
<p><strong>Note</strong>: The <code>-i</code> option to <code>grep</code> just makes our match case-insensitive so as to maximize our chances of finding something</p>
<h2 id="heading-second-attempt-find-with-exec">Second attempt: find with -exec</h2>
<p>Digging into the manual pages for <code>find</code> yields this:</p>
<pre><code class="lang-none">[...]
-exec command ;
              Execute command; true if 0 status is returned. [...]
</code></pre>
<p>This lets us run a command* on every file with the given extension as soon as it is found. One thing to get right is the argument order: <code>grep</code> takes its options anywhere (at least the GNU version does), but the first non-option word is always the <em>pattern</em>, so <code>grep {} -i "your match"</code> would search a file called <code>your match</code> for the file name. Pattern first, file last, and our command becomes</p>
<pre><code class="lang-bash">find ~ -<span class="hljs-built_in">type</span> f -name <span class="hljs-string">"*.ext"</span> -<span class="hljs-built_in">exec</span> grep -i <span class="hljs-string">"your match"</span> {} \;
</code></pre>
<p>The curly braces are replaced by <code>find</code> with the current file name (as a single argument, so names containing spaces are safe), while the semicolon terminates the argument list of <code>-exec</code>. The backslash stops the shell from treating <code>;</code> as a command separator, so it reaches <code>find</code> literally; quoting it as <code>";"</code> would have worked too.</p>
<p>This works! It will print the matched content of each file to the screen, but we're not done yet...</p>
<p>*: You can use the <code>-exec</code> flag multiple times to execute multiple commands!</p>
<h2 id="heading-getting-the-filename">Getting the filename</h2>
<p>We are now able to find documents in our system by their content, but we're not getting any <em>new</em> information out of our command: after all, we already knew part of the file content anyway! What we need to do next is hack our way back from the file's <em>content</em> to its <em>name</em>.</p>
<h3 id="heading-the-l-option-of-grep">The -l option of <code>grep</code></h3>
<p>Fortunately, <code>man</code> comes to the rescue again:</p>
<pre><code class="lang-none">[...]
-l, --files-with-matches
              Suppress normal output; instead print the name of 
              each input file from which output would
              normally have been printed. [...]
</code></pre>
<p>So our command has now become</p>
<pre><code class="lang-bash">find ~ -<span class="hljs-built_in">type</span> f -name <span class="hljs-string">"*.ext"</span> -<span class="hljs-built_in">exec</span> grep -li <span class="hljs-string">"your match"</span> {} \;
</code></pre>
<p>If we try it in our command line, we should get something like this out of it:</p>
<pre><code class="lang-none">/path/to/file1.ext
/path/to/file2.ext
[...]
</code></pre>
<h2 id="heading-restricting-the-output-size">Restricting the output size</h2>
<p>So, now we can find files by their content, but what if we want to limit how many lines of output are printed? We can use the beauty of the POSIX shell and pipe our previous command into the useful <code>head</code> and <code>tail</code> utilities.</p>
<pre><code class="lang-bash">find ~ -<span class="hljs-built_in">type</span> f -name <span class="hljs-string">"*.ext"</span> -<span class="hljs-built_in">exec</span> grep -li <span class="hljs-string">"your match"</span> {} \; | tail -5
</code></pre>
<p>This only prints the last 5 matching files. Things get interesting if we wanted to fetch the <em>first</em> 5 instead:</p>
<pre><code class="lang-bash">find ~ -<span class="hljs-built_in">type</span> f -name <span class="hljs-string">"*.ext"</span> -<span class="hljs-built_in">exec</span> grep -li <span class="hljs-string">"your match"</span> {} \; | head -5
</code></pre>
<p>If you tried running the command above, you'd get your filtered output, but you'd also get a bunch of errors that look like <code>find: grep: interrupted by signal 13</code>. Signal 13 is <code>SIGPIPE</code> (the matching error code, which you get instead if the signal is ignored, is <code>EPIPE</code>, "Broken pipe"): <code>head</code> exits as soon as it has printed its fifth line, and the next <code>grep</code> that <code>find</code> spawns tries to write into a pipe whose reading end is gone. The kernel kills that <code>grep</code> with <code>SIGPIPE</code>, and <code>find</code> dutifully reports that its child was killed.</p>
<p>According to <a target="_blank" href="https://superuser.com/a/642932/1480243">this</a> superuser answer, the trick is to pipe our command into <code>tail -n +1</code> first (print everything from line 1 onwards; remember, <code>tail</code> did not give us any problems before!) and <em>then</em> pipe that into <code>head</code>. If we do that, we get</p>
<pre><code class="lang-bash">find ~ -<span class="hljs-built_in">type</span> f -name <span class="hljs-string">"*.ext"</span> -<span class="hljs-built_in">exec</span> grep -li <span class="hljs-string">"your match"</span> {} \; | tail -n +1 | head -5
</code></pre>
<p>Go ahead, try it! With a handful of matches it produces the expected, error-free output. Be aware of <em>why</em> it works, though: <code>tail</code> buffers its output, so with a small result set it writes everything in one go after <code>find</code> has finished and nobody is left writing to a closed pipe. With a large result set <code>tail</code> itself gets killed by <code>SIGPIPE</code> once <code>head</code> is gone (silently, because the shell doesn't report that signal), and the next <code>grep</code> then hits the broken pipe exactly like before. A fix that does not depend on timing is to keep <code>grep</code> from writing to the pipe at all: run it with <code>-q</code> as a <code>find</code> test and let <code>find</code>'s own <code>-print</code> emit the names, so the only process that can be hit by the broken pipe is <code>find</code> itself, which simply exits quietly.</p>
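<p>The two sections above (getting the file name out of <code>grep</code>, then capping the number of results) can be combined into one script without the broken-pipe noise. The following is an added example, not code from the original post: <code>grep</code> runs with <code>-q</code> as a <code>find</code> test and <code>find</code> prints the names itself, so a <code>head</code> that exits early only ever breaks <code>find</code>'s pipe. The directory layout and file contents are constructed inline so that it runs offline; the function names are made up for this example.</p>

```shell
#!/bin/sh
# Added example, not code from the original post. Finds files by content and
# caps the number of results without find complaining about a grep child
# "interrupted by signal 13".
#
# The trick: grep runs with -q, so it never writes to the pipe; its exit status
# acts as a find test that gates -print. When head exits early, the only process
# still writing to the closed pipe is find itself, which is killed by SIGPIPE
# quietly (the shell does not report that signal).
set -e

# files_matching DIR GLOB PATTERN LIMIT
#   print at most LIMIT paths under DIR whose name matches GLOB and whose
#   contents match PATTERN (case-insensitive)
files_matching() {
    # "--" keeps grep from reading a file name that starts with "-" as an option
    find "$1" -type f -name "$2" -exec grep -qi -- "$3" {} \; -print \
        | head -n "$4"
}

# count_matching DIR GLOB PATTERN
#   same search without a limit; prints the number of matching files
count_matching() {
    find "$1" -type f -name "$2" -exec grep -qi -- "$3" {} \; -print \
        | wc -l | tr -d ' '
}

# Constructed sample tree so the script runs offline (deleted on exit).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
mkdir -p "$SAMPLE_DIR/notes" "$SAMPLE_DIR/other"
printf 'Meeting notes: invoice 4711 still pending\n' > "$SAMPLE_DIR/notes/a.txt"
printf 'shopping list: milk, eggs\n'                > "$SAMPLE_DIR/notes/b.txt"
printf 'Reminder: pay the INVOICE tomorrow\n'      > "$SAMPLE_DIR/other/c.txt"
printf 'invoice, but wrong extension\n'            > "$SAMPLE_DIR/other/d.md"
printf 'a name with spaces mentions an invoice\n'  > "$SAMPLE_DIR/other/e f.txt"

# Three *.txt files mention "invoice" (a.txt, c.txt and "e f.txt"); d.md is
# excluded by the glob and b.txt by its contents.
echo "matching *.txt files: $(count_matching "$SAMPLE_DIR" '*.txt' invoice)"
echo "first two of them:"
files_matching "$SAMPLE_DIR" '*.txt' invoice 2
```

<p>The <code>--</code> before the pattern is cheap insurance: <code>find</code> substitutes each path as a single argument, but a path that starts with <code>-</code> would otherwise be parsed by <code>grep</code> as an option.</p>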
<h2 id="heading-conclusions">Conclusions</h2>
<p>Hopefully you've learned something new from this post: I sure learned a lot by writing it! To close this article I'd like to point out that this is not very efficient if you're looking among a large amount of files, as <code>find</code> visits every file sequentially and spawns a fresh <code>grep</code> process for each one (terminating <code>-exec</code> with <code>+</code> instead of <code>\;</code> batches many files into one <code>grep</code> invocation, and GNU <code>grep</code> can do the whole job on its own with <code>grep -ril --include='*.ext' "your match" ~</code>). There are specialized programs (of which I do not know the name, though) that perform more intelligent file indexing (on Windows and MacOS this is done automatically) that are a much better fit for this, but it's nice knowing you can do this with just a plain POSIX shell!</p>
<p>To make things more spicy, maybe you could try filtering the files by age using the <code>-mtime</code> option of <code>find</code> or ordering them alphabetically by piping <code>find</code>'s output into <code>sort</code>: the possibilities are endless!</p>
]]></content:encoded></item><item><title><![CDATA[Going Self-Hosted]]></title><description><![CDATA[Since I realized how much the services I use every day track their users, I've always wanted to reduce my dependence on cloud services (at least somewhat) by self-hosting a bunch of services on my own servers, but I had never found any real reason to...]]></description><link>https://blog.nocturn9x.space/going-self-hosted</link><guid isPermaLink="true">https://blog.nocturn9x.space/going-self-hosted</guid><category><![CDATA[Google]]></category><category><![CDATA[privacy]]></category><category><![CDATA[internet]]></category><dc:creator><![CDATA[Mattia Giambirtone]]></dc:creator><pubDate>Sun, 16 Jan 2022 09:21:06 GMT</pubDate><enclosure url="https://cdn.hashnode.com/res/hashnode/image/unsplash/jz4ca36oJ_M/upload/v1642324822625/jRRFV1Phs.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>Since I realized how much the services I use every day track their users, I've always wanted to reduce my dependence on cloud services (at least somewhat) by self-hosting a bunch of services on my own servers, but I had never found any real reason to put in the work to do that: that changes today.</p>
<h2 id="heading-bye-bye-google">Bye bye, Google!</h2>
<p>Together with a bunch of friends, I'm slowly starting to host my own little suite of cloud services under the <code>*.nocturn9x.space</code> domain. Our goal is to host many privacy-focused alternatives to popular services like Google Search, Google Mail, Reddit, Twitter, YouTube, Discord, and many others.</p>
<p>Currently, the following services are active:</p>
<ul>
<li><a target="_blank" href="https://nitter.nocturn9x.space">Nitter</a> -&gt; An alternative Twitter frontend</li>
<li><a target="_blank" href="https://tube.nocturn9x.space">Invidious</a> -&gt; An alternative YouTube frontend</li>
<li><a target="_blank" href="https://libreddit.nocturn9x.space">Libreddit</a> -&gt; An alternative Reddit frontend</li>
<li><a target="_blank" href="https://search.nocturn9x.space">Whoogle</a> -&gt; A privacy-focused search engine alternative to Google search</li>
<li><a target="_blank" href="https://mail.nocturn9x.space">Mailcow</a> -&gt; A full mail server suite (SMTP, IMAP and a webmail client)</li>
<li><a target="_blank" href="https://git.nocturn9x.space">Gitea</a> -&gt; A wonderful self-hosted alternative to GitHub</li>
<li><a target="_blank" href="https://forum.nocturn9x.space">Nimforum</a> -&gt; An instance of <a target="_blank" href="https://github.com/nim-lang/nimforum">nimforum</a>, which will act as a mirror for this blog</li>
</ul>
<p>We plan to add more services to the list like XMPP, Matrix Home Server, Mumble, DogBin, BitWarden, Bibliogram and many others that can't fit here for space reasons (turns out there is <em>a lot</em> of stuff to be self-hosted these days!).</p>
<h2 id="heading-cool-how-do-i-use-them">Cool! How do I use them?</h2>
<p>Currently only approved users can access the services (we have a Telegram group for that, you can <a target="_blank" href="https://nocturn9x.space/contact">contact me</a> to join), but please do note that everything is in public beta right now: things are likely to break or change without warning as we iron out the kinks of running so many services on our own. If you are willing to help us set things up, we'd love to have you in our little crew! We especially need security experts to try and break into our server so we can make sure to patch potential security vulnerabilities</p>
<p>And that's all, folks!</p>
]]></content:encoded></item><item><title><![CDATA[Open Source Software is in danger: Here's Why]]></title><description><![CDATA[Disclaimer
This article is kind of a rant, so please excuse any formatting or spelling mistakes (and the snarky tone).
I'll be honest: I'm outraged. I am not in the mood to deeply research what happened and its implications thoroughly, but I'll try m...]]></description><link>https://blog.nocturn9x.space/open-source-software-is-in-danger-heres-why</link><guid isPermaLink="true">https://blog.nocturn9x.space/open-source-software-is-in-danger-heres-why</guid><category><![CDATA[OSS]]></category><category><![CDATA[JavaScript]]></category><category><![CDATA[GitHub]]></category><category><![CDATA[Microsoft]]></category><category><![CDATA[Javascript library]]></category><dc:creator><![CDATA[Mattia Giambirtone]]></dc:creator><pubDate>Tue, 11 Jan 2022 21:11:00 GMT</pubDate><enclosure url="https://cdn.hashnode.com/res/hashnode/image/upload/v1642068784722/NWBxLSZnE.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<h1 id="heading-disclaimer">Disclaimer</h1>
<p>This article is kind of a rant, so please excuse any formatting or spelling mistakes (and the snarky tone).
I'll be honest: I'm outraged. I am not in the mood to deeply research what happened and its implications thoroughly, but I'll try my best. (Check the linked articles for better sources)</p>
<h1 id="heading-how-fortune-500-companies-are-making-foss-a-living-hell">How Fortune 500 Companies Are Making FOSS a Living Hell</h1>
<p>The <a target="_blank" href="https://www.theverge.com/2022/1/9/22874949/developer-corrupts-open-source-libraries-projects-affected">recent events</a> regarding two popular JavaScript libraries used by ~30 million users worldwide have once again brought the recurring issues with Free Open Source Software to the surface: Companies like Apple, Google, Microsoft and many others are using free software in their services without paying a single penny, stifling innovation in the community while improving their own closed source products.</p>
<h2 id="heading-some-backstory">Some backstory</h2>
<p>The gist of it is that the owner of two very popular JavaScript libraries, called Marak Squires, has gone rogue and corrupted said packages by adding infinite loops and weird log messages into them, causing a lot of issues to people who relied on them. The repository of one of these packages (namely Faker.js, a package used to generate real-looking personal information such as names, street and email addresses and more) has since been replaced with an empty skeleton, while the README reads: "What really happened with Aaron Swartz?". If you don't know (I didn't) <a target="_blank" href="https://it.wikipedia.org/wiki/Aaron_Swartz">Aaron Swartz</a> was a software developer and entrepreneur who ended up killing himself in 2013 because of reasons I'm not informed enough to discuss in detail</p>
<h2 id="heading-the-backlash">The backlash</h2>
<p>Shortly after people noticed their beloved packages were exploding, users all over the world were outraged: many wanted GitHub to transfer Marak's repository (<strong>which he owns</strong>) to another user, and he was actually temporarily banned from the platform for unknown reasons (and has since been unbanned, it seems). To all of those, I kindly say: you're incompetent fools. If this issue has caused more than an annoying couple of hours to fix, you are a babbling idiot and should be fired on the spot. No one, and I repeat <strong>No one</strong>, should <strong>ever</strong> let a production build pull whatever the latest release of a dependency happens to be: you pin exact versions (and commit the lockfile) specifically to avoid this from happening. But I guess that, since I'm talking about an ecosystem where one of the most depended upon libraries literally just implements <code>element in array</code>, best practices aren't really known to JavaScript developers.</p>
<h2 id="heading-why-open-source-is-in-danger">Why Open Source is in Danger</h2>
<p>Let's get to the core of this very SEO-attractive title and what led me to write this in the first place: Free Open Source Software in its current state is at serious risk. Why? Well, just ask any maintainer of a large package depended upon by many, and they'll all more or less tell the same story: Multi-billion dollar companies taking advantage of awesome open source code for their own proprietary crap and that do not spend a single dime towards actually improving said software. I'm sure Stallman would disagree here, but there needs to be a brake of some sort: it just isn't beneficial to the long term survival of free software to be taken advantage of this easily by any big corporation. Maybe a license that requires a fee to be paid if a big tech company is using a piece of code for commercial purposes, while still leaving the rights of individuals unharmed, would help (and in the meantime, dual licensing seems to do the trick just fine), but I'm no lawyer nor a free software expert: just a random 19 year old guy who's outraged by the current state of what could (and <em>should</em>) be a system meant to let communities thrive and software develop in a more streamlined and controlled fashion. </p>
<h2 id="heading-closing-thoughts">Closing Thoughts</h2>
<p>I'm still boiling with rage, but I'll try to wrap this up as decently as I can: <strong>Something</strong> needs to change. We're heading towards a future where it's fine for [insert fortune 500 company name] to just breach copyright laws like it's nothing. Where it's fine for a user to be banned from a code sharing platform just because of the changes they made <em>to their own freaking code</em>. Where it's fine for people devoting their life and their valuable time towards FOSS to only get total financial (and mental) bankruptcy in return. </p>
<p>And to Marak and all the authors of large open source software I say Thank You. Thank you for having tried to (or still being in the process of) improve the community with your awesome work. I know it probably doesn't mean much to get comforting words from a random penniless computer science student, but you have my greatest respect, esteem and gratitude. You're awesome, keep doing what you're doing, and I hope to join you soon in the fight for a better world.</p>
]]></content:encoded></item><item><title><![CDATA[What's a CA anyway?  Explaining the chain of trust that secures the Web]]></title><description><![CDATA[We live in the age of information: an absurd amount of data is transferred every day just through the web (which, by the way, is NOT the same thing as "the internet"), be it your shiny new Instagram story, your banking credentials, or what have you.
...]]></description><link>https://blog.nocturn9x.space/whats-a-ca-anyway-explaining-the-chain-of-trust-that-secures-the-web</link><guid isPermaLink="true">https://blog.nocturn9x.space/whats-a-ca-anyway-explaining-the-chain-of-trust-that-secures-the-web</guid><category><![CDATA[SSL]]></category><category><![CDATA[web]]></category><category><![CDATA[http]]></category><category><![CDATA[https]]></category><dc:creator><![CDATA[Mattia Giambirtone]]></dc:creator><pubDate>Mon, 11 Oct 2021 14:42:22 GMT</pubDate><enclosure url="https://cdn.hashnode.com/res/hashnode/image/upload/v1633963038090/IXoqOQHFF.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>We live in the age of information: an absurd amount of data is transferred every day just through the web (which, by the way, is NOT the same thing as "the internet"), be it your shiny new Instagram story, your banking credentials, or what have you.</p>
<p>With so much information being handled, there needs to be some way to make sure it arrives to its destination unaltered and that only the intended recipient can read it: think about what would happen if just about anyone had all your passwords, that would be pretty bad right?</p>
<h2 id="heading-ssl-to-the-rescue">SSL to the rescue</h2>
<p>But fear not! Some very smart people have in fact figured out a way to transmit information into the ether and have it arrive safely and away from prying eyes: SSL certificates, or better, the SSL protocol.</p>
<p>SSL stands for <strong>Secure Sockets Layer</strong>, and it's what makes your browser show that nice padlock next to the website's URL. The certificate is the "guarantee": a statement, signed by someone your browser trusts, that a given public key really belongs to the site you typed in. The protocol then uses that key to set up an encrypted connection, so your info travels in a form only the site can read.</p>
<blockquote>
<p><strong>Technically</strong>, today we use TLS (or <strong>Transport Layer Security</strong>) as SSL was deprecated ages ago due to it being ridiculously insecure, but the name SSL certificate has stayed, and for all intents and purposes this terminology is fine</p>
</blockquote>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1631130646117/WvceZTnGv.png" alt="image.png" /></p>
<blockquote>
<p>DigiCert is a popular <strong>Certificate Authority</strong>, or CA for short: an entity that checks who controls a domain and then signs (in this case, sells) the certificates that browsers are configured to trust</p>
</blockquote>
<h2 id="heading-ensuring-trust">Ensuring trust</h2>
<p>So, you want to protect your website? It may sound like rocket science, but it's <a target="_blank" href="https://stackoverflow.com/questions/10175812/how-to-generate-a-self-signed-ssl-certificate-using-openssl">surprisingly simple</a>, there's even a <a target="_blank" href="https://www.selfsignedcertificate.com/">website</a> that does all the dirty job for you (although I personally wouldn't trust it: a private key generated on someone else's server isn't really private), but all of these alternatives have one characteristic: they're "self-signed", which means they were signed with their own key rather than issued by a CA that browsers trust, like DigiCert or Let's Encrypt.</p>
<p>This may sound bad, but it's actually not an issue as far as encryption is concerned: TLS (or more accurately your browser and the server) will still encrypt everything sent to and received from a website that uses a self-signed certificate. The issue arises when you want the browser to actually <strong>trust</strong> your certificate: as you might have realized by reading that stackoverflow post I linked before, the fatal flaw of self-signed certificates is that a browser has no way to tell them apart from a certificate forged by an attacker, so it whines about "Privacy Errors" or that "Your connection is not private" and shows a crossed-out red padlock instead of the one you'd expect, warning that the website is not secure and that whoever controls the connection may have malicious intents. There are ways to create your own certificate authority and add it to the trust store of your browsers, but it's a cumbersome process which only works on the machines where you installed that CA, so it's not a viable option for a public website.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1631131267105/ZfE8pMotH.png" alt="image.png" /></p>
<blockquote>
<p>Google Chrome complaining about a self-signed certificate</p>
</blockquote>
<h2 id="heading-why-cas">Why CAs?</h2>
<p>The idea behind a CA is to make it infeasible for a third party to perform a <a target="_blank" href="https://en.wikipedia.org/wiki/Man-in-the-middle_attack">MITM attack</a> by pretending to be the site you're visiting and eavesdropping on all of your traffic. If the browser had no way of knowing which certificate is the "right" one for a given website, a malicious user could just intercept your traffic, present a certificate of their own so that the encrypted channel ends on their machine and they can read everything, and then forward it (encrypting with the website's real certificate this time) to its intended destination so that you, the user, don't notice anything fishy going on: boom, your precious credit card details are now in the hands of a stranger, with all the implications that brings. What stops this is a check the browser performs on every connection: the certificate it is shown must be signed, directly or through intermediate certificates, by one of the root CAs in its trust store, and it must be valid for the name in the address bar. An attacker cannot produce such a certificate without either stealing the site's private key or getting a trusted CA to mis-issue one.</p>
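<p>The chain of trust described in the last two sections can be exercised locally with the <code>openssl</code> command-line tool. The script below is an added example, not code from the original post: the CA name, the host name <code>example.test</code>, the file names and the function name are assumptions made up for it. It creates a throwaway root CA, issues a certificate for the host, and then applies the two checks a browser performs (does the certificate chain to a trusted CA, and is it valid for this name?) to both the CA-issued certificate and a self-signed one for the same name, which is all a MITM could forge without the CA's key.</p>

```shell
#!/bin/sh
# Added example, not from the original post: a throwaway CA and the checks a
# TLS client performs. The CA name, host name and file names are assumptions.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
HOST=example.test                     # hypothetical site name

# 1. Root CA: a self-signed certificate. Its private key is the trust anchor;
#    whoever holds it can vouch for any name, so a real CA guards it closely.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Example Root CA (test only)" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1

# 2. The site makes its own key pair and a signing request (CSR); the private
#    key never leaves the site's server.
openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=$HOST" \
    -keyout "$WORK/site.key" -out "$WORK/site.csr" >/dev/null 2>&1

# 3. The CA signs the request, binding the site's public key to its name.
printf 'subjectAltName=DNS:%s\n' "$HOST" > "$WORK/site.ext"
openssl x509 -req -days 1 -in "$WORK/site.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/site.ext" -out "$WORK/site.crt" >/dev/null 2>&1

# 4. What an attacker in the middle can forge without the CA's key: a
#    self-signed certificate carrying the same name, on a key they control.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=$HOST" \
    -keyout "$WORK/mitm.key" -out "$WORK/mitm.crt" >/dev/null 2>&1

# client_accepts CERT: succeeds only if CERT chains to the trusted CA and is
# valid for $HOST, the same pair of checks a browser applies.
client_accepts() {
    openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$HOST" "$1" >/dev/null 2>&1
}

if client_accepts "$WORK/site.crt"; then
    echo "site.crt: accepted (signed by a trusted CA, name matches)"
fi
if ! client_accepts "$WORK/mitm.crt"; then
    echo "mitm.crt: rejected (self-signed, no path to a trusted CA)"
fi
```

<p>Drop the <code>-CAfile</code> option and the roles flip: with nothing in the trust store, <code>site.crt</code> is rejected just like <code>mitm.crt</code>, which is exactly the situation a browser is in when it sees a certificate from a CA it doesn't know. Requires OpenSSL 1.1.1 or later.</p>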
<h2 id="heading-the-problem-of-most-cas">The problem of (most) CAs</h2>
<p>Protecting users' traffic is a noble cause, but sadly (as with all things) companies have found a way to turn it into a business by selling trusted certificates for money, sometimes charging hundreds or even thousands of dollars for what is functionally identical to a self-signed certificate, except that the company's name appears in your browser's list of trusted certificate issuers.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1631979142606/al_h1_UH4.png" alt="image.png" />
<a target="_blank" href="https://cdn.hashnode.com/res/hashnode/image/upload/v1631978618297/SyXgptOBK.png">image.png</a></p>
<blockquote>
<p>$600+ for a 3-year certificate from DigiCert, wtf?!</p>
</blockquote>
<h2 id="heading-the-light-at-the-end-of-the-tunnel">The light at the end of the tunnel</h2>
<p>Fortunately for us, there is hope: Let's Encrypt is a Certificate Authority that issues trusted SSL certificates for free (they even have a super handy <a target="_blank" href="https://sslforfree.com">website</a> to automate that). They last 90 days (but can be renewed free of charge indefinitely), not because they're free, but for security reasons: the shorter a certificate's lifetime, the shorter the window during which a leaked one can be abused!</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1631979038875/ufUk6fFXb.png" alt="image.png" /></p>
<blockquote>
<p>Yay, free SSL!</p>
</blockquote>
<h2 id="heading-conclusions">Conclusions</h2>
<p>Whether your website needs an SSL certificate or not, knowing what options are out there might come in handy to you in the future: maybe you'll save a lot of money thanks to this article. Thank me later!</p>
]]></content:encoded></item><item><title><![CDATA[Here's how I got your credit card number, or: Why sequential identifiers are a bad idea]]></title><description><![CDATA[People use image sharing services all the time: sometimes the content they post on there is nothing relevant, but more often than not they just forget they're giving access to a lot of their data to anyone with enough skill to know where, and how, to...]]></description><link>https://blog.nocturn9x.space/heres-how-i-got-your-credit-card-number-or-why-sequential-identifiers-are-a-bad-idea</link><guid isPermaLink="true">https://blog.nocturn9x.space/heres-how-i-got-your-credit-card-number-or-why-sequential-identifiers-are-a-bad-idea</guid><category><![CDATA[Python]]></category><category><![CDATA[numpy]]></category><category><![CDATA[youtube]]></category><category><![CDATA[images]]></category><category><![CDATA[terminal]]></category><dc:creator><![CDATA[Mattia Giambirtone]]></dc:creator><pubDate>Wed, 08 Sep 2021 19:37:45 GMT</pubDate><enclosure url="https://cdn.hashnode.com/res/hashnode/image/unsplash/gf8e6XvG_3E/upload/v1642068858995/uuh703ouB.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>People use image sharing services all the time: sometimes the content they post on there is nothing relevant, but more often than not they just forget they're giving access to a lot of their data to anyone with enough skill to know where, and how, to look.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1631128498962/pb3Evtv29.png" alt="image.png" /></p>
<blockquote>
<p><a target="_blank" href="https://imgur.com">Imgur</a>, a popular image hosting and sharing website</p>
</blockquote>
<h2 id="heading-a-quick-rundown">A quick rundown</h2>
<p>The concept for this article came from <a target="_blank" href="https://www.youtube.com/watch?v=05K5glVCwis&amp;ab_channel=LinusTechTips">a recent video</a> on the popular tech YouTube channel Linus Tech Tips. Specifically, the host (Linus Sebastian) shows how a popular image sharing service named <a target="_blank" href="https://prnt.sc">LightShot</a> allowed anyone to access any picture given an identifier made of two letters of the alphabet followed by any combination of four digits.</p>
<blockquote>
<p>Note: This isn't actually correct, and any combination of digits and letters is valid as long as it doesn't start with a 0 and it is less than 15 characters long</p>
</blockquote>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1631128564052/TH2RveH7C.png" alt="image.png" /></p>
<blockquote>
<p>The homepage of LightShot</p>
</blockquote>
<h2 id="heading-the-cold-hard-truth">The cold hard truth</h2>
<p>This fact in itself doesn't sound too bad: it's a public image sharing service after all.</p>
<p>What's actually frightening is that it took surprisingly little research to find out the truth: the identification system LightShot uses is not random at all. It is in fact sequential, and just happens to use a numeral system that is fairly uncommon.</p>
<p>While we humans are mostly used to numbers in base 10 and computers process information in base 2, many other bases exist. One of them is base 36, whose digits are the 26 letters of the alphabet plus the usual Arabic digits from 0 to 9 (hence the name: 26 + 10 = 36).</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1631129588203/-G4GrjIo7.png" alt="image.png" /></p>
<blockquote>
<p>An example of base36 numbers</p>
</blockquote>
<h2 id="heading-scraping-the-data">Scraping the data</h2>
<p>Knowing this, it was trivial to write a simple script that iterates over all the base 36 IDs below 64 bits and downloads every image that ever existed on the platform. Not even Cloudflare was of any help, as libraries to bypass the so-called "Under Attack Mode" are readily available in the open source community, making our little scraping endeavor almost invisible.</p>
<p>An interesting finding is that LightShot doesn't seem to like IDs starting with a zero, as those just redirect to the main page, but that was an easy one-line fix.
Another quirk that I found is that LightShot is exploiting other image hosting services such as <a target="_blank" href="https://imgur.com">ImgUr</a> and <a target="_blank" href="https://imageshack.com">ImageShack</a> to serve its content.</p>
<blockquote>
<p>Correction: They <em>did</em> so in the past, but then changed it and they now serve them via https://image.prntscr.com</p>
</blockquote>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1631128687723/89ZB9PmXU.png" alt="image.png" /></p>
<blockquote>
<p>The script in action: it retrieves the "true" URL where the image is hosted (on the far right) as well as the original ID (the one labeled 'x') on the LightShot platform. The 'i' value is the LightShot ID converted to a base 10 number</p>
</blockquote>
<h2 id="heading-findings">Findings</h2>
<p>What's even scarier, though, is the information that I found. As you may expect, a good chunk of it was just innocent screenshots: games, presentations, graphs, reports, homework, chats, stuff like that. What I also found, however, was an unholy amount of confidential information such as credit card details, Bitcoin wallet keys, banking credentials, nudes, gore, and much more: probably not the kind of stuff you'd want everyone to know about, right?</p>
<p>For good measure, I've attached a couple of probably very confidential screenshots I was able to find in the wild (obviously stripped of the most sensitive information):</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1631129138436/8Dp43w3BA.png" alt="image.png" /></p>
<blockquote>
<p>Some login credentials to a crypto trading platform and wallet addresses</p>
</blockquote>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1631129146924/2-mTIrSzO.png" alt="image.png" /></p>
<blockquote>
<p>A screenshot of a Telegram chat with banking credentials and full credit card details</p>
</blockquote>
<p>This was achieved with only 57 lines of Python code and 3 open source libraries in around 2 hours, and I managed to download more than 20 thousand images with a simplicity that I can only describe as jaw-dropping.</p>
<p>The kind of data I gathered in so little time is enough to ruin many people's lives, and the worst part is they did this themselves.</p>
<h2 id="heading-conclusions">Conclusions</h2>
<p>Drawing a conclusion from all of this isn't too hard then: think twice about what you post and especially where you do so, because your boyfriend may not be the only one enjoying your new tanga.</p>
<p>This should also be a lesson for software developers and engineers all over the world that using sequential identifiers in public services is a terrible idea and a recipe for disaster.</p>
<h2 id="heading-credits">Credits</h2>
<ul>
<li><a target="_blank" href="https://numpy.org">Numpy</a>  - For its amazing <code>base_repr</code> function</li>
<li><a target="_blank" href="https://github.com/venomous/cloudscraper">Cloudscraper</a>, which allowed me to bypass LightShot's cloudflare protection with ease</li>
<li><a target="_blank" href="https://docs.python-requests.org/en/master/">Requests</a>, for its no-nonsense and dead-simple API which made downloading images a breeze</li>
</ul>
]]></content:encoded></item></channel></rss>