Thoughts and Writings (in reverse chronological order)

About me

Current interests

  • Learning the Rust programming language. I wrote a library for collision detection in 2D, quadtree-cd.
  • ReScript, a robustly typed language that compiles to efficient and human-readable JavaScript. I wrote a virtual DOM library for ReScript, bs-virtualdom. Like Elm, it's based on the functional/reactive application model.
  • TypeScript, a typed superset of JavaScript. I'm the author of ts-postgres, a PostgreSQL client library written in TypeScript which supports pipelining.

Most of my open-source contributions are available via GitHub.

Fri, 25 September 2020 22:28:03 GMT

Mitigating 2FA abuse by bad actors

A friend of mine was recently scammed into handing over a six-digit verification code to her WhatsApp account. She lost access to her account within seconds from when the interaction began.

The mechanism is that you're able to recover your account if you can receive a text message sent to the account number, verifying to WhatsApp that you have the SIM-card.

Six-digit verification code for WhatsApp account recovery.

The attacker will typically use social engineering to send you a request from a known contact:

> Hi Bob! Please help me recover my account. Did you receive a 6-digit
> code just now?

Some people will simply paste in the received code without thinking twice.

Locked out

There was no easy way to recover it, even though she could still receive SMS messages on the registered number, which is exactly what Two-Factor Authentication (2FA) relies on: the scammers had effectively locked her out by triggering the "too many attempts" abuse control.

You tried to verifying your phone number too many times. Contact support for assistance.

The account would be locked for a period of 7 hours after which the same thing would repeat, seemingly to no end.

Now, six digits is not a whole lot in the face of brute force. But instead of locking the account, why not just offer to send a 2FA verification code with additional digits to provide the necessary security? This seems like an easy fix and a missed opportunity for ensuring the swift recovery of the account:

  1. Use a 6-digit code for the first few attempts.
  2. Use a longer sequence for subsequent attempts.

If the required number sequence is sufficiently long, there is really no reason to limit the number of attempts.
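As an added illustration of the scheme above (not code from the original post, and not how WhatsApp implements recovery), here is a hypothetical recovery flow that escalates the code length after a few failures instead of locking the account, plus a calculation of how much a blind guesser gains from unlimited attempts. The thresholds (3 failures at 6 digits, then 10 digits) are assumed values.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

BASE_DIGITS = 6          # the familiar six-digit code for the first few attempts
SHORT_ATTEMPTS = 3       # failures tolerated at six digits before escalating (assumed)
LONG_DIGITS = 10         # code length once escalated (assumed value)


@dataclass
class RecoveryState:
    """Per-account state for the recovery flow (hypothetical, not WhatsApp's)."""
    failures: int = 0
    pending: Optional[str] = None   # code currently awaiting verification


def code_length(failures: int) -> int:
    """Escalate the code length instead of locking the account out."""
    return BASE_DIGITS if failures < SHORT_ATTEMPTS else LONG_DIGITS


def issue_code(state: RecoveryState) -> str:
    """Generate a fresh code of the appropriate length from a CSPRNG."""
    digits = code_length(state.failures)
    state.pending = "".join(secrets.choice("0123456789") for _ in range(digits))
    return state.pending


def verify(state: RecoveryState, submitted: str) -> bool:
    """Check a submitted code; every attempt consumes the pending code."""
    ok = state.pending is not None and hmac.compare_digest(state.pending, submitted)
    state.pending = None                       # no second guess at the same code
    state.failures = 0 if ok else state.failures + 1
    return ok


def guess_success_probability(attempts: int) -> float:
    """Chance that an attacker guessing blindly succeeds within `attempts` tries."""
    p_all_fail = 1.0
    for i in range(attempts):                  # attempt i faces a code of code_length(i) digits
        p_all_fail *= 1.0 - 10.0 ** -code_length(i)
    return 1.0 - p_all_fail
```

With these values, even 100,000 consecutive guesses succeed with probability of roughly 1.3e-5, so the lockout that stranded the legitimate owner buys little extra security once the code is long enough.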

Wed, 14 August 2019 16:42:00 GMT

Using built-in transparent compression on macOS

Saving disk space with MS-DOS.

Ever since DriveSpace on MS-DOS (or really, Stacker), we've had transparent file compression (with varying degrees of automation).

It's built into Apple File System (APFS) as well, usable on any modern Mac – but no one's using it!

While DriveSpace compression on MS-DOS was a fully automated system, the built-in transparent compression in newer filesystems such as ZFS, Btrfs, APFS (and even HFS+) is engaged manually on a per-file or per-folder basis.

On my system, compressing /Applications saved 18GB (38.7%).

Compressing existing data

macOS doesn't actually come with a utility to do this even though the core functionality is included with the operating system, so you'll need to install an open-source tool in order to use it.

For installation using Homebrew:

$ brew install afsctool

To compress a file or folder, use the -c flag like so:

$ afsctool -c /Applications

(You might need to run it as root for some application and/or system files.)

To use Apple's LZFSE compression, which decompresses two to three times faster, specify the LZVN algorithm:

$ afsctool -cv -T LZVN -j1 /Applications

Sat, 5 May 2018 08:19:00 GMT

Security questions as 2FA violate GDPR

I have an ongoing discussion with Kucoin, a cryptocurrency exchange, on the issue of whether I can remember security questions that I allegedly entered into their system, such as:

  • What is my first dog's name?
  • What is your mother's maiden name?
  • Etc.

Now, you should never put real information in such fields, but it turns out that if you put in random strings, someone might eventually prompt you for them, which is why it's a good idea to write them down — which I didn't.

But here's the thing: they're still considered private information. And so as part of GDPR, I have a right to see this data, or have it removed from their system. Hence, in terms of 2-Factor Auth, using security questions is as weak as being able to reset authentication by e-mail.

QED. But Kucoin still hasn't succumbed to my argument.

Sat, 10 Dec 2016 08:30:00 GMT

The technical interview

Dilbert, Wednesday August 27, 2003

Fri, 26 Sep 2014 11:00:00 GMT

A Skip Dict for CPython

A skip dict is a data structure that maintains a sorted set. There's an implementation of it in Redis — see for example the ZADD command — but I needed something simple that worked inside Python itself and ended up writing a package with an implementation in C that still provides a fairly idiomatic Python interface.

It's released and available on PyPI as skipdict and works on CPython 2.7+ and 3.3+. For more background, see this answer on StackOverflow.
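To show what the structure does, here is an added pure-Python sketch of a skip-list-backed sorted map in the style of a Redis sorted set (key to score, iterated in score order). It is illustrative code written for this page, not the skipdict package's C implementation or its API; the class and method names are assumptions.

```python
import random

class _Node:
    def __init__(self, key, score, level):
        self.key, self.score, self.forward = key, score, [None] * level  # forward[i]: next node at level i

class SkipDict:
    MAX_LEVEL, P = 16, 0.5               # tower height cap and per-level promotion probability

    def __init__(self):
        self._head = _Node(None, float("-inf"), self.MAX_LEVEL)   # sentinel before every node
        self._level = 1                  # number of levels currently in use
        self._scores = {}                # key -> score, O(1) membership and lookup

    def _random_level(self):
        lvl = 1
        while lvl < self.MAX_LEVEL and random.random() < self.P:
            lvl += 1
        return lvl

    def _predecessors(self, key, score):
        # at every level, the last node ordered strictly before (score, key)
        update, node = [self._head] * self.MAX_LEVEL, self._head
        for i in range(self._level - 1, -1, -1):
            while node.forward[i] and (node.forward[i].score, node.forward[i].key) < (score, key):
                node = node.forward[i]
            update[i] = node
        return update

    def __setitem__(self, key, score):
        if key in self._scores:
            del self[key]                # re-scoring moves the node, as Redis ZADD does
        update, lvl = self._predecessors(key, score), self._random_level()
        self._level, node = max(self._level, lvl), _Node(key, score, lvl)
        for i in range(lvl):             # splice the new tower in after its predecessors
            node.forward[i] = update[i].forward[i]
            update[i].forward[i] = node
        self._scores[key] = score

    def __delitem__(self, key):
        score = self._scores.pop(key)    # KeyError for unknown keys, like dict
        update = self._predecessors(key, score)
        target = update[0].forward[0]    # the node holding exactly (score, key)
        for i in range(len(target.forward)):
            update[i].forward[i] = target.forward[i]

    def __iter__(self):
        node = self._head.forward[0]     # level 0 links every node in sorted order
        while node:
            yield node.key, node.score
            node = node.forward[0]
```

Search, insert and delete each walk down the towers from the top level, giving expected O(log n) per operation, while iteration over level 0 yields the sorted order for free.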

Wed, 26 July 2006 11:00:00 GMT

Art