brhfl.com

Inline audio player

For the purposes of an upcoming post or more, and some other upcoming projects, it occurred to me that I might need to come up with a UI for incorporating audio samples in with posts. It needed to:

Little snippets of audio have different requirements from, say, video. In keeping with my requirements, for example, I opted to omit a mute button. The snippets are short and trivial enough that pause should suffice. In fact, I opted for only five possible actions: play, pause, ⅓ volume, ⅔ volume, and full volume. This boils down to two controls: one play/pause control and one three-position volume control. The result looks something like this weird ringing sound.

Audio is just linked from inside a certain class of span[1]. The link remains – so users who want to, who don’t have JS enabled, or who don’t have a modern browser can simply download the file. Each control is inline SVG. The play/pause button is one SVG, with either glyph shown or hidden via CSS. Likewise the volume control is one SVG element, and each of the three bars defaults to the ‘off’ state. Whichever bar was chosen carries the class active, and the CSS darkens that bar plus the bars that follow it. Each bar has an invisible rectangle atop it that spans that entire third of the SVG, to make for an easier target.

The code is obviously snatchable, and I may release it at some point, but it’s definitely not pretty. I… don’t code pretty. I have some other reservations as well, namely accessibility. I haven’t really used SVGs quite like this before, and I don’t really know how to make assistive technology (AT) handle it sensibly. I guess if nothing else, the link is a guaranteed fallback. Unrelated, but I was pleasantly surprised to see it working in IE11.
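As an added illustration of the design described above (this is example code written for this page, not the site’s own player), here is a progressive-enhancement player with the same five actions. It assumes the markup `<span class="inline-audio"><a href="clip.mp3">clip</a></span>` and the class names `active` and `on` (all assumptions); the SVG glyphs are stood in for by `<button>` elements carrying ARIA labels, which is one answer to the accessibility question, and the control logic is kept free of the DOM so it can run and be tested anywhere. It uses ES2018 syntax, so unlike the original it will not run in IE11.

```javascript
// Added example, not the site's code. Assumed markup:
//   <span class="inline-audio"><a href="ringing.mp3">weird ringing sound</a></span>
// Without JS (or if enhance() never runs) the <a> stays a plain download link.

// Volume bars in DOM order, loudest first. With this ordering the page's CSS
// rule "the active bar plus the bars after it are dark" lights exactly the
// bars at or below the chosen level (CSS: .active, .active ~ .bar).
const BAR_LEVELS = [1, 2 / 3, 1 / 3];

// Per bar: is it drawn in the 'on' state when bar `activeIndex` is active?
function litBars(activeIndex) {
  return BAR_LEVELS.map((_, i) => i >= activeIndex);
}

function createPlayerState() {
  // Paused, full volume (bar 0 active).
  return { playing: false, activeBar: 0, volume: BAR_LEVELS[0] };
}

function togglePlay(state) {
  return { ...state, playing: !state.playing };
}

// A click on a bar's hit rectangle selects that bar. Out-of-range input is
// rejected rather than silently clamped.
function setVolumeBar(state, index) {
  if (!Number.isInteger(index) || index < 0 || index >= BAR_LEVELS.length) {
    throw new RangeError(`volume bar index out of range: ${index}`);
  }
  return { ...state, activeBar: index, volume: BAR_LEVELS[index] };
}

// Browser-only wiring. <button> elements with ARIA attributes give assistive
// technology a label even if the visuals are swapped back to inline SVG.
function enhance(span) {
  const link = span.querySelector('a[href]');
  if (!link) return null;
  const audio = new Audio(link.href);
  let state = createPlayerState();

  const play = document.createElement('button');
  play.type = 'button';
  play.textContent = '\u25B6'; // stand-in for the play/pause SVG

  const bars = BAR_LEVELS.map((level, i) => {
    const b = document.createElement('button');
    b.type = 'button';
    b.className = 'bar';
    b.dataset.index = String(i);
    b.setAttribute('aria-label', `Volume ${Math.round(level * 100)}%`);
    b.textContent = '\u2582'; // stand-in for one SVG bar
    return b;
  });

  function render() {
    play.setAttribute('aria-label', state.playing ? 'Pause' : 'Play');
    play.setAttribute('aria-pressed', String(state.playing));
    litBars(state.activeBar).forEach((on, i) => {
      bars[i].classList.toggle('active', i === state.activeBar);
      bars[i].classList.toggle('on', on);
    });
    audio.volume = state.volume;
  }

  play.addEventListener('click', () => {
    state = togglePlay(state);
    render();
    if (state.playing) {
      // play() can reject (autoplay policy, decode error); roll the UI back.
      audio.play().catch(() => { state = togglePlay(state); render(); });
    } else {
      audio.pause();
    }
  });
  bars.forEach((b) => b.addEventListener('click', () => {
    state = setVolumeBar(state, Number(b.dataset.index));
    render();
  }));
  audio.addEventListener('ended', () => { state = { ...state, playing: false }; render(); });

  span.append(' ', play, ...bars);
  render();
  return audio;
}

if (typeof document !== 'undefined') {
  document.querySelectorAll('span.inline-audio').forEach(enhance);
}
```

Keeping the state transitions pure means the only code that touches `document` or `Audio` is `enhance`, so the link-only fallback is exactly what a client without JS gets, and nothing in the page needs to be rewritten for the SVG version: replace the button text with the inline SVG and keep the `aria-label` on the clickable element.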


  1. I’ll probably change this at some point soon to just be the <a> tag and have jQuery wrap the span around it. ↩︎

Compromised

Recently, a financial account of mine was compromised. As a person who, while entirely fallible, is pretty well-versed in infosec, I have a lot of thoughts on the matter. Honestly the whole thing has been more fascinating to me than anything. Maybe it’s because my bank has been very accommodating so far, maybe it’s because (relatively speaking) trivial amounts of money have been sucked from my accounts, or maybe it’s because I’m petty and vengeful and, when a direct bank transfer is made, the recipient’s name is revealed to the sender[1].

I’m curious about the vector of attack. My assumption is that primarily my card was physically compromised, but I’m not sure. The timeline began with receiving notifications that my online banking password had been reset. I assumed, or hoped, it was a glitch and reset it. Then it reset again. And again. Then a transfer account was added. Then, while I was dialing in to the bank, $100 was transferred out. This is when it gets a little panicky, but having that information, having a number of controls in front of me to mitigate the situation, and having a quick response from the bank’s customer service all led to a fairly painless resolution.

The means of ingress was not the internet; it was not ‘hacking’. When you start telling people about an attack like this, the overwhelmingly rudimentary understanding of security lends itself to responses like ‘ah, well you have this account and now that account was hacked! The hackers hacked it!’ The term ‘hacking’ evokes some real man-vs.-machine WarGames type shit, but the sort of attacks that tend to affect most of us are far less sexy: things like malware and card skimmers meticulously mining data to then be sold off in batches to lesser criminals.

So that was the first breach, and then several days later it was followed by fraudulent card purchases. I was able to temporarily mitigate this by disabling the card, before ultimately contacting the issuer and having the card entirely deactivated and a new one issued. In between these two things happening, I received a call from ‘my bank’ enquiring about card fraud (which had not yet occurred). The incoming number (which is trivially spoofed) did appear to resolve to the bank’s fraud department, but the callback number was unknown to the internet. I assume this was an attempt by attackers to phish more information while I was at my most vulnerable.

When I mention that the vector of attack likely began with the card, this is because there are some safeguards in place for doing the password reset over the phone. Some, like driver’s license numbers in many states, are completely trivial to reproduce, and financial institutions really need to stop relying on faux secret information. The card number is another potential identifier, and I think these two things with a dash of good old-fashioned social engineering thrown in probably led to multiple over-the-phone password resets being granted in a fifteen-minute window. Just the handful of dealings I had with the bank gave a lot of insight into how one could pull off such an attack, which itself is a little concerning.


  1. Floridian (felony ID fraud) court records have a whole lot of important authoritative names attached to them, FYI. ↩︎

Americium-241 as a hardware random number generator (external)

Hopefully we all know by now that computers, left to deterministic arithmetic, are not good at coming up with random numbers. They can do a bunch of tricky math and come up with numbers that are random enough for dealing your hand of solitaire, but some outside random force is necessary for tasks where patterns or repetition simply cannot occur. One such method involves counting radioactive decay events, and it occurred to me that Americium-241 is readily and affordably accessible – it’s in any good smoke detector. Now, I don’t have a need for this, nor do I intend to go dismantling smoke detectors, but I was curious if anyone else had proof-of-concepted such a thing before, and lo – here we have one such example. Neat.
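As an added example of how decay counts become bits (written for this page; it is not the code of the linked project, whose method is not reproduced here), the following takes a list of detector pulse timestamps and extracts random bits the way decay-based generators commonly do: decay is a Poisson process, so consecutive inter-pulse gaps are independent and identically distributed, and comparing two gaps (shorter first gives 0, longer first gives 1, ties discarded) yields a fair bit; a von Neumann pass then strips residual bias from detector dead time or timer quantisation. The timestamps are simulated with an ordinary software generator, which is of course not a secure entropy source; in a real build they come from the counter reading the detector. In practice such hardware output is fed into the operating system’s CSPRNG pool rather than used raw, which is why the block ends with a sanity check and not with a key.

```javascript
// Added example, not the linked project's code. Timestamps are SIMULATED here;
// a real source supplies integer timer ticks of detector pulses instead.

// Exponential inter-arrival gaps, quantised to whole ticks (>= 1 so time
// strictly increases). `rng` must return values in [0, 1).
function simulateDecayTimestamps(count, meanGap, rng = Math.random) {
  const ts = [];
  let t = 0;
  for (let i = 0; i < count; i++) {
    t += Math.max(1, Math.round(-meanGap * Math.log(1 - rng())));
    ts.push(t);
  }
  return ts;
}

// One raw bit per pair of consecutive, non-overlapping gaps:
// gap1 < gap2 -> 0, gap1 > gap2 -> 1, equal -> no bit (carries no information).
function gapCompareBits(timestamps) {
  const bits = [];
  for (let i = 0; i + 2 < timestamps.length; i += 2) {
    const g1 = timestamps[i + 1] - timestamps[i];
    const g2 = timestamps[i + 2] - timestamps[i + 1];
    if (g1 < g2) bits.push(0);
    else if (g1 > g2) bits.push(1);
  }
  return bits;
}

// von Neumann debiasing: 01 -> 0, 10 -> 1, 00 and 11 dropped. Removes any
// constant bias at the cost of (on average) three quarters of the input.
function vonNeumann(bits) {
  const out = [];
  for (let i = 0; i + 1 < bits.length; i += 2) {
    if (bits[i] !== bits[i + 1]) out.push(bits[i]);
  }
  return out;
}

// Pack whole bytes, MSB first; a trailing partial byte is discarded.
function packBytes(bits) {
  const n = Math.floor(bits.length / 8);
  const bytes = new Uint8Array(n);
  for (let i = 0; i < n * 8; i++) {
    bytes[i >> 3] = (bytes[i >> 3] << 1) | bits[i];
  }
  return bytes;
}

// Crude health check: fraction of ones, which should sit near 0.5. A real
// generator would run continuous tests (e.g. repetition and proportion tests)
// and stop emitting output when they fail.
function onesFraction(bits) {
  if (bits.length === 0) return NaN;
  return bits.filter((b) => b === 1).length / bits.length;
}

// Whole pipeline: timestamps -> raw bits -> debiased bits -> bytes.
function decayBytes(timestamps) {
  return packBytes(vonNeumann(gapCompareBits(timestamps)));
}

// Stand-alone demo on simulated data.
const demoTimestamps = simulateDecayTimestamps(4000, 50);
const demoRaw = gapCompareBits(demoTimestamps);
const demoDebiased = vonNeumann(demoRaw);
console.log(`raw bits: ${demoRaw.length}, debiased: ${demoDebiased.length}, ` +
  `ones fraction: ${onesFraction(demoDebiased).toFixed(3)}, ` +
  `bytes: ${packBytes(demoDebiased).length}`);
```

The yield is low by design: roughly one raw bit per two pulses and one debiased bit per four, so a source producing a few hundred counts per second gives on the order of a hundred bits per second, which is plenty for seeding a kernel pool but not for streaming keys directly.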


Brief thoughts on the iMac Pro

Yesterday, Apple announced the iMac Pro, an all-in-one machine purchasable with up to an 18-core Xeon processor. I can’t tell if this is a machine for me or not (I love Xeon Macs but not iMacs so much), but I also have no real reason to think about that beyond fantasy – I’m only on my 2nd Xeon Mac, and I expect to get a few more years out of it. They age well. The current, oft-maligned Mac Pro smashed an impressive amount of tech into a rather small, highly optimized space. It may lack the expansion necessary for typical Pro users, but it is a technological masterpiece. The new iMac, however, seems like an impossible feat[1].

What truly excites me is the reinforcement that Apple is committed to its Xeon machines. The iMac Pro is not the mysterious upcoming Mac Pro. So while tech pundits have lamented the inevitable death of the Mac Pro in recent years, Apple has instead doubled down and will be offering two Xeon Macs rather than zero.

One final thought that is more dream than anything – Apple prides itself on its displays, and on its Pencil/digitizer in the iPad Pro. A lot of artists use pro software on iMacs with Cintiq digitizers. Cintiqs are top-of-the-line, but that doesn’t make them great. The digitizers are decent, the displays themselves are alright, but they aren’t spectacular devices – they’re just the best thing out there. I don’t expect Apple to move to a touch-friendly macOS; their deliberate UI choices show that this is a clear delineation between macOS and iOS. But I think working the iPad Pro’s Pencil/digitizer into an iMac[2] could very well prove to be a Cintiq killer for illustrators, photographers, and other visual artists.


  1. Credit due to Intel, which seems to be doing a pretty good job lately of cutting down power/thermal requirements for their heavier-duty processors. ↩︎
  2. The thing would need to articulate better than current iMacs do. The Cintiq handles this pretty well, but I have no doubt Apple could do it better. ↩︎

Discoveries

‘Timeline’ is a game that I’ve been pushing to non-gamers lately. The premise is very simple – everyone has a (public) hand of several historical events, inventions, artistic creations, discoveries, etc.; anything notable and dated. The flip-side of every card has the corresponding date. One event starts the timeline date-side up. Players must then choose one of their cards and make an educated (or not, I suppose) guess as to where it goes in the timeline relative to the other events. Place it, flip it, leave it in place if correct or pull a new card if not. Gameplay is simple, fast, and almost educational. There are a whole bunch of sets, and they can be freely mixed-and-matched.

One of these sets is ‘Science and Discoveries’. Something always felt a little off about this set, and the last time I played it, I think I figured it out. There are 110 cards in a given set, and I have (to the best of my ability) narrowed this one down to a handful of categories:

I had to make a few executive decisions so that I could neatly categorize things, and if I did this categorical exercise again right now, everything would likely be give or take a couple cards. But the heart of the matter is that the creators (rightfully) marked 22% of the cards as having been discovered (by Europeans). If my categorization is even remotely accurate, that’s 40% of the physical/corporeal ‘discovery’ cards.

Now, that ‘rightfully’ up there is important – I am glad that Asmodee opted to point out that these peoples and places were only ‘discovered’ in a very surface manner – the pygmies already knew that the pygmies existed. And this isn’t a very deep thought, hopefully it’s immediately obvious to any given American or European that their history textbooks are written with a bias and to a purpose. But I guess what fascinated me were those percentages.

This is by no means representative of a history textbook, nor the average person’s understanding of history. But I can’t imagine it’s terribly far off, either. Coming from a colonialist sort of viewpoint, a lot of our ‘big moments in history’ come from finding this or that ‘savage’ population and treating them not as humankind, but as a scientific subject. And here we have a truly trivial history game telling us that >20% of the notable achievements the creators could come up with are, in fact, just stuff we’ve decided we can claim as having discovered. Despite either it (for lack of a better phrasing) having discovered itself, or other (‘lesser’) civilizations having beaten us to the punch. I suppose there is far more important stuff to worry about right now, even in the context of colonialism, but I still find it to be an intriguing glimpse into our historical ownership.