[{"content":"I was born in Poland, studied at ii at the University of Wroclaw, and I currently live with my wonderful wife in London. Most of my day consists of writing software and making sure that it works. Software is usually a lot of fun, especially when mixed with Open Source and some custom hardware, e.g. this site is self-hosted in my HomeLab (soon to be solar-powered). It will also be ads-free. I like to think, read books, hike, and generally care about the mind and body. I also played in various brass bands for more than 10 years (mostly trumpet and tuba). Music \u0026amp; Math seem like opposite things, but I see them as complementary.\nMany years ago, I was a member of a small team (big thanks to Asia, Kasia, and Jakub!) which developed beautiful games for kids. See them for yourself:\nhttps://pl.pinterest.com/kiooik/memollow-coloring-pages-from-fans/\nhttps://www.behance.net/gallery/8061249/Memollow-Coloring-Pages\nhttps://www.behance.net/gallery/11366765/Math-in-action-an-app-for-kids\nDesigned and implemented from scratch in a few short months on both Android and iOS (all graphics and animation created by Asia and Kasia too!!!).\nI spent many years at Opera Software writing mobile software, with episodes like implementing pre-release fixes for the Samsung Omnia in Toronto, Canada, and working with people from many different companies to get things done. 
This was fun too (well, probably not many people understand this kind of fun :D)\nGood books I can recommend are:\nFooled by Randomness by Nassim Taleb\nThe Choice by Edith Eger\nThe Checklist Manifesto by Atul Gawande\nMy Open Source projects:\ngithub.com/macvmio\ntomekjarosik/bytecheck\ntomekjarosik/qivitals\nI plan to write about things that I\u0026rsquo;ve seen and have personal experience with, and about ideas on how to improve life around us.\n\u0026ldquo;This is for everyone.\u0026rdquo; — Tim Berners-Lee\nConnect\nFind me on:\n","permalink":"https://tomasz.jarosik.online/about/","summary":"\u003cp\u003eI was born in Poland, studied at ii at the University of Wroclaw, and I currently live with my wonderful wife in London. Most of my day consists of writing software and making sure that it works. Software is usually a lot of fun, especially when mixed with Open Source and some custom hardware, e.g. this site is self-hosted in my HomeLab (soon to be solar-powered). It will also be ads-free. I like to think, read books, hike, and generally care about the mind and body. I also played in various brass bands for more than 10 years (mostly trumpet and tuba). Music \u0026amp; Math seem like opposite things, but I see them as complementary.\u003c/p\u003e","title":"About"},{"content":"I recently started practicing challenges on the picoCTF website. One of the challenges is to obtain a flag from a program. And the program, despite its .exe name, was an ELF binary. Ok, so a few initial steps:\n1) Can I run it? -\u0026gt; no, it complains about some dependencies\nThere were some missing libgnat-7 dependencies. Hmm, how to install them? Docker containers come in handy, especially since the binary, when viewed in hex, contained an Ubuntu 18 string. Thus I used an Ubuntu 18 container and installed libgnat-7.\n2) Can I run it now? 
-\u0026gt; Yes, but it hangs\nWhy does it hang?\nLet’s install GDB in our Docker container, run the binary under gdb, and follow the steps below:\nroot@37a6e515eafa:/workspace# gdb svchost-patched1\nGNU gdb (Ubuntu 8.1.1-0ubuntu1) 8.1.1\nCopyright (C) 2018 Free Software Foundation, Inc.\nLicense GPLv3+: GNU GPL version 3 or later \u0026lt;http://gnu.org/licenses/gpl.html\u0026gt;\nThis is free software: you are free to change and redistribute it.\nThere is NO WARRANTY, to the extent permitted by law. Type \u0026#34;show copying\u0026#34;\nand \u0026#34;show warranty\u0026#34; for details.\nThis GDB was configured as \u0026#34;x86_64-linux-gnu\u0026#34;.\nType \u0026#34;show configuration\u0026#34; for configuration details.\nFor bug reporting instructions, please see:\n\u0026lt;http://www.gnu.org/software/gdb/bugs/\u0026gt;.\nFind the GDB manual and other documentation resources online at:\n\u0026lt;http://www.gnu.org/software/gdb/documentation/\u0026gt;.\nFor help, type \u0026#34;help\u0026#34;.\nType \u0026#34;apropos word\u0026#34; to search for commands related to \u0026#34;word\u0026#34;...\nReading symbols from svchost-patched1...(no debugging symbols found)...done.\n(gdb) c\nThe program is not being run.\n(gdb) run\nStarting program: /workspace/svchost-patched1\nwarning: Error disabling address space randomization: Operation not permitted\n^C\nProgram received signal SIGINT, Interrupt.\n0x00007f7e9ba4d654 in __GI___nanosleep (requested_time=0x7ffc66294bb0, remaining=0x7ffc66294bc0) at ../sysdeps/unix/sysv/linux/nanosleep.c:28\n28 ../sysdeps/unix/sysv/linux/nanosleep.c: No such file or directory.\nThere is some kind of call to the nanosleep() function there. Maybe we can somehow make it sleep for a shorter period? Or even zero? How would I patch that?\nWith a little bit of Googling, I found this tool: https://ghidra-sre.org/ which can show disassembled versions of a binary and much, much more. 
Browsing through different functions, I discovered this:\nAnd fortunately, Ghidra can simply replace the value with an arbitrary one via right click -\u0026gt; Patch Instruction (or Ctrl + Shift + G).\nNow, what’s left is to export the modified version of the program with “O” (or File -\u0026gt; Export Program) and run it in the Docker container.\nAnd, as expected, the wait is no longer there.\n","permalink":"https://tomasz.jarosik.online/posts/reverse-engineering-picoctf/","summary":"\u003cp\u003eI recently started practicing challenges on the picoCTF website. One of the challenges is to obtain a flag from a program. And the program, despite its .exe name, was an ELF binary. Ok, so a few initial steps:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eCan I run it? -\u0026gt; no, it complains about some dependencies\u003c/li\u003e\n\u003c/ol\u003e\n\u003cp\u003eThere were some missing libgnat-7 dependencies. Hmm, how to install them? Docker containers come in handy, especially since the binary, when viewed in hex, contained an Ubuntu 18 string. Thus I used an Ubuntu 18 container and installed libgnat-7.\n2) Can I run it now? -\u0026gt; Yes, but it hangs\u003c/p\u003e","title":"Reverse engineering – simple patch"},{"content":"I’ve recently discovered two great papers about password security. Both from Google. One is for users and one for system designers. We all use passwords, so I consider the one addressed to users a must-read for (almost) everyone. 
I include here just best practices, to give you a snippet of what’s inside them.\nFor users https://cloud.google.com/solutions/modern-password-security-for-users.pdf\nFor system designers https://cloud.google.com/solutions/modern-password-security-for-system-designers.pdf\nThere is a nice demo provided by a password manager (in this case Bitwarden) to see how password encryption works behind the scenes: https://bitwarden.com/crypto\n","permalink":"https://tomasz.jarosik.online/posts/online-security/","summary":"\u003cp\u003eI’ve recently discovered two great papers about password security. Both from Google. One is for users and one for system designers. We all use passwords so I consider the one addressed to users a must-read for (almost) everyone. I include here just best practices, to give you a snippet of what’s inside them.\u003c/p\u003e\n\u003ch2 id=\"for-users\"\u003eFor users\u003c/h2\u003e\n\u003cp\u003e\u003ca href=\"https://cloud.google.com/solutions/modern-password-security-for-users.pdf\"\u003ehttps://cloud.google.com/solutions/modern-password-security-for-users.pdf\u003c/a\u003e\u003c/p\u003e\n\u003cp\u003e\u003cimg alt=\"security-for-users.png\" loading=\"lazy\" src=\"/images/security-for-users.png\"\u003e\u003c/p\u003e\n\u003ch2 id=\"for-system-designers\"\u003eFor system designers\u003c/h2\u003e\n\u003cp\u003e\u003ca href=\"https://cloud.google.com/solutions/modern-password-security-for-system-designers.pdf\"\u003ehttps://cloud.google.com/solutions/modern-password-security-for-system-designers.pdf\u003c/a\u003e\u003c/p\u003e\n\u003cp\u003e\u003cimg alt=\"security-for-designers.png\" loading=\"lazy\" src=\"/images/security-for-designers.png\"\u003e\u003c/p\u003e\n\u003cp\u003eThere is a nice demo provided by a password manager (in this case Bitwarden) to see how password encryption works behind the scenes: \u003ca href=\"https://bitwarden.com/crypto\"\u003ehttps://bitwarden.com/crypto\u003c/a\u003e\u003c/p\u003e","title":"Modern password security 
guides"},{"content":"Have you ever wondered what happens when you go to some website on the internet? For example, you search something on the “Google Search” page and it’s just always there. Many other pages work almost always as well. But sometimes something like this happens:\n“Early June 8, a customer pushed a valid configuration change that included the specific circumstances that triggered the bug, which caused 85% of our network to return errors.”\nhttps://www.fastly.com/blog/summary-of-june-8-outage\nAnd Fastly actually powers a lot of websites, so 85% meant a lot of websites were down.\nThe topic of how to make services/websites more available still fascinates me. And it’s actually pretty hard to achieve. I found this article a great introduction to HA: https://www.atlassian.com/blog/statuspage/high-availability\nWhat if we are not satisfied with 99.9% availability? What can we do? I found these resources very useful:\n“Beyond Five 9s” https://aws.amazon.com/builders-library/beyond-five-9s-lessons-from-our-highest-available-data-planes/ (the Amazon Builders’ Library contains great content in general)\nThe idea of shuffle sharding from the above, explained in more detail: https://aws.amazon.com/builders-library/workload-isolation-using-shuffle-sharding\nCaches: use two TTLs, a soft TTL and a hard TTL, from https://aws.amazon.com/builders-library/caching-challenges-and-strategies/\nGoogle SRE book: https://static.googleusercontent.com/media/sre.google/pl//static/pdf/building_secure_and_reliable_systems.pdf This book is about much more than just availability; it explains the topics of reliability and security thoroughly. I’d recommend that anyone involved in programming/designing at least skim through it and read the chapters most useful to them. ","permalink":"https://tomasz.jarosik.online/posts/interesting-discoveries-high-availability/","summary":"\u003cp\u003eHave you ever wondered what happens when you go to some website on the internet? 
For example, you search something on the “Google Search” page and it’s just always there. Many other pages work almost always as well. But sometimes something like this happens:\u003c/p\u003e\n\u003cp\u003e“Early June 8, a customer pushed a valid configuration change that included the specific circumstances that triggered the bug, which caused 85% of our network to return errors.”\u003c/p\u003e","title":"Interesting discoveries - High availability"},{"content":"Many of us now work from home or stay at home and spend many hours online. Being online is almost a necessity: from ordering food, through work, to entertainment. I’ve been wondering how to keep myself safe online. It’s obviously not possible to guarantee you won’t get hacked: just look at how the richest man, Jeff Bezos, got hacked [1], or more recently many big US corporations and government agencies [2]. So the question about being safe online is not so much whether it’s possible, but how to limit the chance of it.\nThere is also one more problem: security often means additional work and better habits. And if we have to follow 100 rules to stay safe, we won’t do all of them. Complexity is the enemy of execution. For example, imagine that a website asks you for a strong, long password with many special characters. And then you have to remember it… brr… There is a big chance that you won’t remember it, or you will just reuse one of your well-known passwords. And you might use this password on other sites. And later you will get this password in plaintext in your email messages. Heh, it’s getting complicated. How to make it simpler? My top 3 steps are:\nA) Use a password manager\nB) Use a hardware key, e.g. YubiKey (at least 2 of them for redundancy)\nC) Pause for a few minutes after an unexpected virtual stimulus (SMS, email)\nLet me explain a little bit about each of these steps.\n(A) Password manager\nUsing a password manager means that you have a single strong password that unlocks it. 
I myself use Bitwarden because it also allows for self-hosting, but there are many good ones. A password manager gives you more than passwords. You can store important files or notes. Everything is stored encrypted, of course. It also allows you to fill in website login forms based on the URL. It basically saves you time, and you don’t have to worry about many passwords. Additionally, it has features to generate random passwords with given criteria, so you don’t have to think of any strong passwords anymore. And you can use it with a hardware key and on a smartphone. The screenshots below are from the Bitwarden password manager because I use it myself and know it very well. Do your research and choose one that fits you best.\n(B) Hardware key\nA hardware key is a key you plug into your USB port, and you must be physically present to touch it. It’s the second factor of security, but it is also much more. You can have some authenticator app on your phone and type a 6-digit code… Or you can touch a key that sits in your USB port. Not only does a hardware key offer better protection, it also saves time. Of course, not all websites allow that (that’s why we have a password manager), but even when a website only offers the 2nd factor via an authenticator app, you can install the Yubico Authenticator app and use the YubiKey [3]. Please, please, take a few minutes to read more reasons why here: https://www.yubico.com/why-yubico/for-individuals/ And remember that it’s best to have multiple keys for redundancy (it’s also easier than having the app on multiple smartphones).\n(C) Pause for a few minutes\n(A) and (B) are really important, but there are many more things we can do. I wanted to have only 3 items, for maximum value with minimum cost. So the 3rd one is a little bit more general, and I think it’s easiest to understand when we look at these scenarios.\nScenario 1: Your friend on Facebook is asking you for money immediately, because . You know him, so why not just do it? 
He even sends you a link so you can finish the payment in a few simple steps. What should you do in such a case? I’d argue that this is one of the cases where procrastination helps 😉 Take a deep breath and call your friend to check if this is what he really wants (it’s best to use some other means of communication, so you can confirm that he really sent this message and not some automated bot).\nScenario 2: HMRC sends you an SMS about a tax refund. It happened to me a few months ago. See https://tomasz.jarosik.online/2020/03/gov-uk-warning/ I was excited… for about 2 seconds. But it is important to wait and think a bit. Without the pause, you don’t have a chance to notice the weird or surprising bits that don’t match.\nScenario 3: You get an unexpected call from your bank. And someone just wants you to confirm a few personal details so they can authorize you. Well, again, you can just say: “sure, I’ll call you back in 5 minutes”. This gives you time to think about whether you have any open cases with your bank and how you usually contact them; even more importantly, it will be you who now chooses the phone number or website to call/go to.\nI think these are the steps that give the most protection with minimal effort. Sure, you can do much more than that, but you must ask yourself if you will follow through and if the effort is worth it.\n[1] https://www.theguardian.com/technology/2020/jan/21/amazon-boss-jeff-bezoss-phone-hacked-by-saudi-crown-prince\n[2] https://www.nytimes.com/2021/01/02/us/politics/russian-hacking-government.html\n[3] https://www.yubico.com/products/services-software/download/yubico-authenticator/\n[4] https://www.yubico.com/why-yubico/for-individuals/\n","permalink":"https://tomasz.jarosik.online/posts/3-steps-to-stay-safe-online/","summary":"\u003cp\u003eMany of us now work from home or stay at home and spend many hours online. Being online is almost a necessity: from ordering food, through work, to entertainment. I’ve been wondering how to keep myself safe online. 
It’s obviously not possible to guarantee you won’t get hacked: just look at how the richest man, Jeff Bezos, got hacked [1], or more recently many big US corporations and government agencies [2]. So the question about being safe online is not so much whether it’s possible, but how to limit the chance of it.\u003c/p\u003e","title":"3 steps to stay safe online"},{"content":"This year allowed many people to work from home, and because of that most communication had to move online. I always wanted to try setting up an easy-to-use video conferencing system, but my impression was that it’s a really hard thing to do and to maintain. This year I finally discovered Jitsi (https://jitsi.org/) for myself. It looked nice and simple: just send a URL and open it in a web browser, that’s it! But… can I self-host it? Well, yes! I’ve been using my self-hosted version of Jitsi to chat with friends and family for the last 6 months, and it works really well. Especially the audio: it’s so clear and feels real (not sure if it’s just a feeling, or the latency is very low, or something else). Video is OK, similar to other video chat apps. And they provide apps for Android and iOS as well.\nHow to use it\nI think it’s best to try Jitsi for real here: https://meet.jit.si/ They offer a lot for free, so you can try the functionality without any hosting. Just go to the link, create a room and invite someone. You will have access to all features. If that is not enough, e.g. you want control over your communication channels, integration with LDAP, etc., you can host it yourself. Read below.\nHow to set it up\nThere is documentation on setting it up here: https://jitsi.github.io/handbook/docs/devops-guide/devops-guide-quickstart I used it to set up my own instance. It’s really straightforward if you have a machine with its own public IP address, nothing else running on it, and you only want a single instance. 
I had some more work to do, because I use a load balancer in my HomeLab, so I needed to follow the ‘behind NAT’ section. It’s also trivially simple to test the setup: just open 3 tabs in a web browser.\nBy default, it allows everyone to create and join a room. I think it’s important to set up some basic authorization, so that not everyone can create rooms (but everyone can join, for example, without any account). Rooms can also be protected by temporary passwords (e.g. just for the meeting itself).\nSeems like there is much more info here: https://jitsi.github.io/handbook/docs/devops-guide/devops-guide-docker\nWhat does ‘Encrypted’ mean?\nThere is work in progress on full end-to-end encryption, but currently encryption means that your video/audio streams are encrypted from each client to the Jitsi server, so the server itself handles the decrypted media. As long as your server is secure, the whole end-to-end connection between users is secure. You can also use Jitsi behind a VPN.\n","permalink":"https://tomasz.jarosik.online/posts/jitsi-2020/","summary":"\u003cp\u003eThis year allowed many people to work from home, and because of that most communication had to move online. I always wanted to try setting up an easy-to-use video conferencing system, but my impression was that it’s a really hard thing to do and to maintain. This year I finally discovered Jitsi (\u003ca href=\"https://jitsi.org/\"\u003ehttps://jitsi.org/\u003c/a\u003e) for myself. It looked nice and simple: just send a URL and open it in a web browser, that’s it! But… can I self-host it? Well, yes! I’ve been using my self-hosted version of Jitsi to chat with friends and family for the last 6 months, and it works really well. Especially the audio: it’s so clear and feels real (not sure if it’s just a feeling, or the latency is very low, or something else). Video is OK, similar to other video chat apps. 
And they provide apps for Android and iOS as well.\u003c/p\u003e","title":"Self-hosted, encrypted, open source video-conferencing system"},{"content":"“An example of a really responsible system is the system the Romans used when they built an arch. The guy who created the arch stood under it as the scaffolding was removed. It’s like packing your own parachute.” ― Charles T. Munger\n","permalink":"https://tomasz.jarosik.online/posts/pack-your-own-parachute/","summary":"\u003cp\u003e“An example of a really responsible system is the system the Romans used when they built an arch. The guy who created the arch stood under it as the scaffolding was removed. It’s like packing your own parachute.”\n― \u003cstrong\u003eCharles T. Munger\u003c/strong\u003e\u003c/p\u003e","title":"Pack your own parachute"},{"content":"Internet today is not as it used to be. There is an enormous amount of data. Some people even call it Big. Big data.\nHowever, it does not mean that information, knowledge or wisdom benefit in the same way. The data still needs to be processed. More data = more processing time. Can we get more wisdom out of it?\n","permalink":"https://tomasz.jarosik.online/posts/dont-believe-everything-on-the-web/","summary":"\u003cp\u003eInternet today is not as it used to be. There is an enormous amount of data.\nSome people even call it Big. Big data.\u003c/p\u003e\n\u003cp\u003eHowever, it does not mean that information, knowledge or wisdom benefit in the same way. The data still needs to be processed. More data = more processing time. Can we get more wisdom out of it?\u003c/p\u003e\n\u003cp\u003e\u003cimg alt=\"img.png\" loading=\"lazy\" src=\"img.png\"\u003e\u003c/p\u003e","title":"Don't believe the web"},{"content":"","permalink":"https://tomasz.jarosik.online/subscribe/","summary":"","title":""}]