Important update!

If you're rather astute, you may notice that this post isn't actually a post! I'm just sloppy handwriting this into my index.html file, and the reason for this is a bit of a bummer. I got a new laptop recently, and in the process of trying to breathe new life into my old laptop, I lost some data. While I don't really know the extent of the loss, I'm also not that concerned as I just don't keep that much stuff around that I really need to preserve. Unfortunately, I seem to have lost a lot of what I need to update this blog - notably, the template files. I've been holding off making this 'post' because I didn't really want to admit that I didn't have a path forward. But, in procrastinating, I found a backup of the relevant files. I haven't figured out yet how outdated these files are, but whatever the case may be, I have a path forward. So, bear with me. I should be able to get things patched up relatively soon. I have some posts in the works, we'll be back in business soon enough. I will say that while I'm entirely to blame for my scattershot backup strategy, a big part of my issue was that I was using OneDrive as cloud storage. OneDrive did not lose my data, but it was never there in the first place because OneDrive is miserable to use. I've been in the process of moving everything over to pCloud, and I've actually been using it far more responsibly because using it does not immediately make me irate. Anyway, that's that. Back soon.

File Managers

Microsoft’s File (or Windows) Explorer[1] has never been good[2]. Early Windows felt like a GUI for the sake of a GUI, competition to the Macintosh. The Mac’s Finder was itself quite simple, and also never really quite grew into anything for power users. This makes sense for Apple, but Microsoft started off with a weak simulacrum of Finder and never really got around to embracing its power users. Before Windows was ever released, Peter Norton was selling an incredibly powerful file manager for DOS, Norton Commander[3]. Far more of a power tool than Explorer could ever dream of, Norton Commander set the guidelines for an entire class of file browser, the Orthodox File Manager or OFM.

Windows 11 has seen a revamp of Explorer that further dumbs down what should be a first-class component of any operating system. Even after shipping this atrocity, they kept stripping it down further, though quickly reversed that one. All this to say that Explorer has never been a viable option for the sort of user that actually uses their file manager to manage files, and it’s only getting worse. A perfect opportunity to talk about alternative file management paradigms and the software I personally use on Windows.

Orthodox File Managers

So let’s start with OFMs. Dr. Nikolai Bezroukov, who seemingly coined the term, has a whole page dedicated to the philosophy of these managers. In it, he lists many characteristics (‘notions’ as he calls them) of OFMs. Some, like ‘minimal UI chrome’ are vague in definition and feel more like consequences of the overall design and user base and less like requirements. Two of the notions that tend to be sticking points, however, are a ‘command channel’ and ‘tiled, nonoverlapping windows with minimum decorations.’

The ‘command channel’ aspect is simultaneously one of the defining features of an OFM and also one that… is less of a big deal on Windows. The idea here is that the file panes are tightly integrated with a CLI window; both OS and internal shell commands can be executed on a selection in a file pane. This is great on a Unix-like system, but CLI interaction on Windows is… not good. The ‘DOS prompt’ is minimalist; PowerShell is an abomination. Accordingly, while some OFMs on Windows still treat the CLI as a first-class citizen (Far Manager), others relegate it to a small corner of the interface (Total Commander) and others still do away with it entirely (OneCommander).

‘Tiled, nonoverlapping windows’ generally refers to the dual-pane design of OFMs which, on Windows at least, personally feels like the defining characteristic. Bezroukov and others would certainly disagree with me here, but the fundamental paradigm that makes working with non-orthodox file managers untenable is a display that is nominally split into source and destination panes. Fingers on the home keys, navigating to a ‘From:’ and a ‘To:’ directory before making a selection and firing off a single command is, quite frankly, the only way that GUI file operations really make sense to me. The alternative is to spawn two disparate, floating Explorer windows and play the alt-tab game while copy/cut/pasting and/or shudders drag and drop. On a Unix system, complex file operations are quite simple from the CLI itself. On Windows, this is less true, and while a GUI feels more necessary to me, the ideal GUI is still one that shows me a lot while allowing me to fully interact from the keyboard.

NeXTSTEP Innovations: Miller columns and drop stacks

While it’s hard to find any innovations that have come out of Windows Explorer, the long-dead predecessor to macOS, NeXTSTEP, was full of clever ideas. One that is still often re-implemented today (and in fact has been a core function of the Macintosh Finder for decades) is a columnar breadcrumb view known as Miller columns. Put simply, you start with a column for your root directory, and every step that you drill down the tree creates a new column to the right with that step’s directory listing. While it isn’t the best for file management, it is incredibly useful for directory navigation. Aside from file management, it routinely comes up in music software as the mechanism for drilling down from, say, genre to artist to album.

NeXTSTEP had another useful paradigm which, unfortunately, has largely disappeared from the world of file managers. More of a broader shell function, the drop stack lived in the dock as a sort of limbo for files. Files could be added to the stack from all manner of disparate locations, and then a single operation could be performed on this whole stack at once. For my broken brain at least, it is far easier to keep track of everything if I can have this little temporary list of files to review before I commit a change vs. poking around various places and doing multiple smaller file operations. While it is, as mentioned, an uncommon feature, Cocoatech’s Path Finder is a modern file manager that implements a drop stack[4]. While I have not used Path Finder in years, it always served me well and it still seems like the top choice for an advanced file manager on the Mac.

Visualizing the file system

If you’ve read much of my blog (or even just this very post), you probably know that I’m not overly fond of GUIs. The advent of all this fancy graphical stuff does very little for file navigation and management, in my opinion, but it does open up a lot of possibilities for advanced visualization. This can be as simple as color-mapping the age of files or a complete treemap view of a file system, showing relative directory and file sizes across the board at a glance. Dreamt up in 2001 by Ben Shneiderman and Martin Wattenberg, treemaps are miserable things to look at, as evidenced by Darío Weitz’s assertion that “Treemaps are one of the visual elements most employed in Business Intelligence (BI) presentations”. But despite having the aesthetics of something that was imagined for the worst people who have access to copious amounts of data, they do offer an overview of massive data sets that allow a viewer to easily discern the highest-ranking data for a given parameter.

Space constraints have always been an issue with computing, and treemaps are a reasonable way to let users drill down into the most storage-hungry corners of their machines. It’s hard to pin down what software did this first, but TreeSize was certainly an early example, as was WinDirStat. Easier on the eyes, some utilities such as KDE’s FileLight or DaisyDisk for the Mac rely on stacked pie charts.

My personal file management toolbox

I’ve mentioned quite a few pieces of software already, including everything that I use on a day-to-day basis. But (hopefully) it’s worth expanding on why I use what I use, why I’ve migrated away from other pieces of software, and how I navigate features that may be missing or oddly implemented.

Total Commander (Commercial/$60)

Let’s just get the obvious one out of the way – if you ask any power user dork for a Windows Explorer replacement, they’re likely to respond with ‘Total Commander’. This is justified – it’s powerful out of the box, extensible with a healthy plugin ecosystem, and incredibly customizable. Bezroukov doesn’t seem to care much for it, as it lacks a strong command interface. I’ve already said my piece regarding this, but I just don’t find it to be all that useful on Windows. The misery of the Windows CLI experience is one of my biggest gripes with this operating system. As far as a dual-pane system, however, Total Commander works great. All the menus and keyboard shortcuts are customizable, to the point where I’ve mapped [ and ] as touch-typist-friendly alternatives to the up/down cursor keys. Sync browsing – that is, navigating both panes at the same time if the directory structures are mirrored – is not readily available by default, but it can be added to the menus and/or keyboard via the internal command, cm_SyncChangeDir.

Speaking of synchronization, basic file sync is also included. It won’t monitor/perform realtime sync, but it does a fine job of manual sync. Sync, copy, and move operations all support optional file verification. As is typical for OFMs, the two panes can be switched from source/destination to browse/preview. The preview pane is extensible, and while it doesn’t cover every type of file I might like it to, it falls back on a raw text output which is often a useful fallback. Things like determining whether Windows binaries are x64 or i386 are easy without stepping into an additional application[5].

One feature that I mentioned is useful but seldom supported – the drop stack – is absent from Total Commander. No analogue is built in, but a plugin that adds a temporary pane exists, and works well for those times when I really need a drop-stack-style paradigm. Temporary panes appear in OFMs here and there, and do pretty much what you’d expect – they turn whichever pane you set them to into file limbo. All in all, Total Commander deserves its praise as the power-user file manager for Windows.

OneCommander (Commercial/$14/Free feature-limited version for non-commercial use)

OneCommander[6] was the first dual-pane file manager I used when I moved back to using Windows as my primary operating system. The free version is feature-rich enough to extensively test, and at the time a full license was in the ballpark of $5. It was an absolute steal for what it was, and I’m honestly happy that the developers are charging more for it now; it’s still a bargain. It was never quite customizable enough for me to use it beyond the handful of times that I really needed two panes, however, leading me to invest in Total Commander.

Over time, it has gotten increasingly customizable. It is very much a modern approach to dual-pane file management. It lacks the OFM-requisite command line entirely, and only runs on Windows 10 or 11. In addition to dual-pane browsing, it offers quite a bit of flexibility with views, including a very nice Miller column view. These paradigms can be combined, yielding a stacked dual-pane Miller column browser. Visually, by default files are color-coded according to age. It has clever little file management ideas like color-coded tags for files and inline notes.

Total Commander requires quite a bit of learning if you’re used to Windows Explorer vs. a different OFM. OneCommander, on the other hand, largely works as a newcomer would expect out of the box. Combined with its approachable, modern UI (and low price), I cannot recommend it enough for folks who are looking for more oomph than what Explorer has to offer, but who are not file management nerds. And while Total Commander remains my daily driver, I’m planning on buying another OneCommander license for my new computer.

TreeSize (Commercial/free version exists as do several license tiers)

Like Total Commander, TreeSize has been around for a while. I mentioned earlier that it might have been the first software to use treemaps to visualize disk usage; certainly it was an early example. The version being sold today still offers a treemap visualizer, as well as a much more palatable pie chart visualization and others. This is TreeSize’s purpose – visualizing and browsing the file system based on file and directory sizes and other metadata.

In its least visual view, essentially a standard file browser pane, it still offers an inline, sparkline-esque visualization of every item’s percentage of the space it consumes of its parent. All of the visualizations can be filtered by other metadata like extension or owner. Much like OneCommander, the age of a file can also be factored in. Detailed reports can be generated and compared as snapshots. At the professional license level (which I don’t have and therefore have not tested), this can all be automated into a task scheduler as well. It also comes with a pretty comprehensive file search utility, which seems a bit strange at first but does tend to go hand-in-hand with the sort of cleanup operations one might use a usage visualizer for.

Disk usage visualizers tend to be pretty simple one-trick ponies, and while TreeSize is still primarily suited for one task, it offers a lot of flexibility in how you can visualize and navigate that task. It’s quick to scan as well, and all in all just reliably works the way I expect it to.

Honorable mentions

Far Manager (FOSS/BSD-style license)
Far Manager is a TUI-based OFM in the vein of Norton Commander. It integrates well into Windows, offering things like a (still TUI-based) right-click contextual menu that matches the one in Explorer. It’s a great little program that I rarely use because I tend to just use shell commands for file management when I’m in a CLI. I have been playing more with it lately in ConEmu and if I come to find a setup here that really works with my workflow, I’ll likely write about it in the future. Far Manager does have a built in temporary pane in lieu of a drop stack. Bezroukov likes this one.
ZTreeWin (Commercial/$30)
Much like Far Manager, ZTreeWin uses a TUI, and much like Far Manager, I’ve been playing with it under the pretense of working it into a workflow with ConEmu. Unlike Far Manager, it’s entirely tree-based and not an OFM. It’s a clone of XTree/XTreeGold from the DOS days, and therefore really only shares UI paradigms with XTree and other XTree clones. This happens with OFMs all tending to follow Norton Commander UI paradigms as well, but I personally am far more used to these as they’ve just had better staying power. But ZTreeWin is very quick and has quite a bit of power behind it. Time will tell if it finds its way into my command-line experience, but it is worth checking out.
Tablacus Explorer (FOSS/MIT license)
Tablacus Explorer is an interesting take on a multi-pane file explorer. It lacks a command interface, and doesn’t offer a ton of functionality beyond what Windows provides. My understanding is that the file panes are just Explorer widgets provided by the OS (though I may be wrong about this). What it offers, then, is a highly modular and customizable approach to viewing and interacting with regularly standard browser views. Inbuilt are 2-, 4-, and 6-pane views as well as tree/list views. An extensive add-on library contains yet more views as well as small UX modules for various customizations. And, while I haven’t managed to dive into this yet, it seems like there are a lot of possibilities for writing add-ons and using Tablacus Explorer as a framework for more niche file browsing needs.
Resonic Player (Commercial/69€ with a free tier available)
This one is a bit niche, and it’s still in beta with the last release being four years old at this point, but it’s good at what it does – browsing directories of audio for the purpose of sifting through samples. It auto-plays as you go through a directory, and importantly it’s quick and responsive while doing this. I doubt I’d shell out for the pro version when development seems stalled, but as long as the free version is available, it’s an indispensable tool if you tend to find yourself needing to go through directories full of audio.

  1. For Windows 10, Microsoft changed Explorer’s name from one generic thing to another. I guess I understand why; though I would certainly claim to prefer the old name, I use ‘Windows Explorer’ throughout this post for clarity.
  2. I’ve linked to it before, but Gravis (Cathode Ray Dude) posted a fantastic article showing the evolution of Explorer through the years.
  3. While it was released by Peter Norton’s company, Norton Commander was written by John Socha.
  4. I did find one file manager that implements a drop stack that runs on modern Windows, UltraExplorer by MustangPeak. As far as I can tell, the last version was released in 2009; MustangPeak’s website no longer exists. I would not do any actual work with an unmaintained file manager from four major Windows versions ago, but it does run and the downloads are preserved on the Internet Archive.
  5. Look for the PE header which tells the operating system what type of binary it’s looking at. While this is binary info, the most relevant types we’re worried about here are easily grokked in a text preview: L for 32-bit and d† for 64-bit.
  6. The official site uses ‘OneCommander’ as one word on the homepage, and rather inconsistently switches to the two-word ‘One Commander’ in the documentation. I’ve opted for the former here.
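
The check from footnote 5, as an added example that is not from the original post: it reads the Machine field that follows the PE signature and shows why a text preview renders those two bytes as L or d†. The stub headers are constructed sample data and the function names are illustrative.

```python
import struct

# IMAGE_FILE_HEADER.Machine values: the two from the footnote, plus ARM64.
MACHINE_TYPES = {
    0x014C: "32-bit x86 (i386)",
    0x8664: "64-bit x64 (AMD64)",
    0xAA64: "64-bit ARM64",
}


def pe_offset(data):
    """Validate the DOS and PE signatures and return the PE header offset."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ (DOS) header")
    # e_lfanew: little-endian 32-bit file offset of the PE signature.
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 6 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return e_lfanew


def pe_machine(data):
    """Return the 16-bit Machine value that follows the PE signature."""
    (machine,) = struct.unpack_from("<H", data, pe_offset(data) + 4)
    return machine


def describe(data):
    """Human-readable architecture for a PE image."""
    machine = pe_machine(data)
    return MACHINE_TYPES.get(machine, f"unknown (0x{machine:04X})")


def text_preview(data):
    """The two Machine bytes as a Windows-1252 text viewer would show them."""
    off = pe_offset(data) + 4
    return data[off:off + 2].decode("cp1252", errors="replace")


def make_stub(machine, e_lfanew=0x80):
    """Constructed sample: a minimal DOS header, PE signature and COFF header."""
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<H", machine) + bytes(18)  # Machine + rest of 20 bytes
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    for value in (0x014C, 0x8664):
        stub = make_stub(value)
        print(describe(stub), repr(text_preview(stub)))
```

The little-endian byte pairs are 4C 01 and 64 86; byte 0x86 is the dagger in Windows-1252, which is where the d† in a text preview comes from.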

GemiNaut's clever solution to a peculiar problem

I’m a big proponent of the web being leaner and more text-based. In light of how strongly the web has veered in the opposite direction, it’s probably a radical position to say that I think less of the web should have any visual styling attached to it at all. More text channels where a reader can maintain a consistent, custom reading experience feels like a better solution than a bunch of disparate-looking sites all with their own color schemes, custom fonts, and massive headers[1].

I often use text-based web browsers like Lynx and WebbIE. I also tend to follow a lot of people who maintain very webring-esque sites, even more so than mine. But there is more internet than just the HTTP-based World Wide Web. Gopher is, or was, depending on your outlook, an alternative protocol to HTTP. It was more focused on documents that kind of reference one another in a more bidirectional way, and because it never really got off the ground in the way HTTP did, it also never really got the CSS treatment; it’s really just about structured text. Despite most of the information about Gopher on the web being historical retrospectives, enthusiasts of a similar mind to me are keeping the protocol alive[2].

Then there’s Gemini[3]. Gemini is a sort of modern take on Gopher. For nerds like me, it’s wonderful that such an effort exists. If you’re interested in the unstyled side of the internet, Gemini is worth looking into. I do think it needs a bit of love, however, as curl maintainer Daniel Stenberg points out how lacking the implementation details are. I disagree with a few of Daniel’s points; Gemini falls into a lot of ‘trappings’ that HTTP escaped because HTTP development steered toward mass appeal. Gemini is for a small web, one for weirdos like me. The specification and implementation issues seem very real, however, and while I don’t think Gemini can or should get WWW-level acceptance, an RSS-sized niche would be nice, at least, and software sort of needs to know how to work for that to happen.

All of this only really matters for background context. I’ll likely post more of my thoughts on a textual internet in the future, and I’ll likely also be dipping my toes in publishing on a Gemini site. The point of this post, however, is to talk about a strange problem that happens with unstyled text-based content. While there are certainly far fewer distractions between the reader and the content, there’s also a sort of brain drain that comes from sites being visually indistinguishable from one another. I always just kind of assumed this was one of those annoyances that would never really be important enough to try to solve. Hell, the way most software development is going these days, I don’t really expect to see any new problem-solving happening in the UX sphere. But I recently stumbled across a browser that solves this in a very clever way.

GemiNaut[4] is an open-source Gemini and Gopher browser for Windows that uses an identicon-esque visual system to help distinguish sites. Identicons are visual representations of hash functions, typically used for a similar version of the same problem – making visually distinct icons for default users on a site. If everyone’s default icon is, say, an egg, then every new user looks the same. Creating a simple visual off of a hash function helps keep users looking distinct by default. I’ve often seen them used on password inputs as well – if you recognize the identicon, you know you’ve typed your password in correctly without having the password itself revealed.

Don Parks, who created the original identicon, did so to ‘enhance commenter identity’ on his blog[5]. But he knew there was more to it than this:

I originally came up with this idea to be used as an easy means of visually distinguishing multiple units of information, anything that can be reduced to bits. It’s not just IPs but also people, places, and things.

IMHO, too much of the web what we read are textual or numeric information which are not easy to distinguish at a glance when they are jumbled up together. So I think adding visual identifiers will make the user experience much more enjoyable.

-“Identicon Explained” by Don Parks via Wayback Machine

And indeed, browser extensions also exist for using identicons in lieu of favicons; other folks have pieced together the value in tying them to URLs. But GemiNaut uses visual representations of hashes like these to create patterned borders around the simple hypertext of Gopher and Gemini sites. The end result is clean pages that remain visually consistent, yet are distinctly framed based on domain. It only exists in one of GemiNaut’s several themes, and I wish these themes were customizable. Selfishly, I also wish more software would adopt this use of hash visualization.

Aside from browsing Gemini and Gopher, GemiNaut includes Duckling, a proxy for converting the ‘small web’ to Gemini. The parser has three modes: text-based, simplified, and verbose. The first is, as one might expect, just the straight text of a page. Of the other two, simplified is so stripped-down that apparently this blog isn’t ‘small’ enough to fully function in it[6]. But it does work pretty well in verbose mode, though it lacks the keyboard navigation of Lynx, WebbIE, or even heavy ol’ Firefox.

I had long been looking for a decent Windows Gopher client, and was happy to find one that also supports Gemini and HTTP with the Duckling proxy enabled in GemiNaut. But truly, I’d like to see more development in general for the text-based web. All the big browsers contain ‘reader modes,’ which reformat visually frustrating pages into clean text. ‘Read later’ services like Instapaper do the same. RSS still exists and presents stripped-down versions of web content. There is still a desire for an unstyled web, and it would be great to see more of the software that exists in support of it adopting hash visualizations for distinction.

  1. Yes, yes.
  2. In the article, I have linked to an HTTP proxy of the Floodgap Systems gopher root; this page obviously exists on gopher as well.
  3. Again, in the article the Project Gemini HTTP proxy is linked; here it is on gemini.
  4. And again, HTTP proxy in the post. GemiNaut site on Gemini protocol.
  5. Wayback Machine archive of “Visual Security: 9-block IP Identification” by Don Parks.
  6. It sort of works? Posts mostly work, though footnotes don’t. Importantly, pagination is also busted. But again, the situation is much better in verbose mode.

TOTP: It's not Google Authenticator

I’ve been meaning to write about this since Twitter announced that only the eight-dollar-checkmark class would have access to SMS-based 2-factor authentication (2FA)[1]. Infosec circles got back into heated debates about the security implications of SMS-based authentication compared to the risk of losing access to the more-secure option of TOTP. This post isn’t really about that debate, but the major takeaways from either side are that:

User friction is a very real issue, and TOTP will always be more frictional than SMS; I can’t solve that in this post. Personally, I prefer to use TOTP when available due to the risk of a SIM-swapping attack[2]. This post, however, is more concerned with the matter of keeping your secret portable and within your control if you decide to use TOTP for 2FA.

If you’ve made it this far without knowing what TOTP is, well, that’s almost certainly by design. I would hazard that most people who are aware of it know it exclusively as Google Authenticator. Getting an increasingly-vital, open standard to be almost exclusively associated with one shitty app from one shitty company is certainly very good for that company, but very bad for everyone else. So the first order of business here is to clarify that whenever you see a site advertising 2FA via ‘Google Authenticator,’ what they actually mean is TOTP, or more accurately RFC 6238, an open standard[3]. Additionally, if you’re reading this and you currently implement TOTP on a site you manage or are planning to, I implore you to describe it accurately (including Google Authenticator as one of several options, if necessary) rather than feeding into the belief that the magical six-digit codes are a product of Alphabet.

So what, then, is TOTP? Even if you know it isn’t A Google Thing, the mechanism by which a QR code turns into a steady stream of six-digit codes is not entirely obvious. This is, typically, how we set up TOTP – we’re given a QR code which we photograph with our authenticator app, and suddenly we have TOTP codes. The QR code itself contains just a few pieces of URI-encoded data. This may include some specifics about the length of the code to be generated, the timing to be used, the hash method being used, and where the code is intended to be used. Crucially, it also contains an important secret – the cryptographic key that, along with a known time reference, is the foundation from which the codes are cryptographically generated. Essentially, a very strong password is kept secure, and from this an easily-digestible temporary code is generated based on time. Because it comes from a cryptographic hash function, exposing one (or more) of these codes does not have the same security implications as exposing the key itself.
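
What the paragraph above describes, as an added example that is not from the original post: it parses the otpauth:// key URI that these QR codes typically encode, derives codes per RFC 6238 (HOTP, RFC 4226, over a time counter), and re-serializes the parameters so the secret stays portable. The secret is the RFC's published test key; the account label, issuer and function names are constructed for illustration.

```python
import base64
import hmac
import struct
import time
from urllib.parse import parse_qs, quote, unquote, urlencode, urlparse

# Constructed sample data: the published RFC 6238 test key, not a real secret.
SAMPLE_SECRET = base64.b32encode(b"12345678901234567890").decode()
SAMPLE_URI = (
    "otpauth://totp/Example:alice%40example.test"
    f"?secret={SAMPLE_SECRET}&issuer=Example&algorithm=SHA1&digits=6&period=30"
)


def decode_secret(b32):
    """Base32-decode a secret that may be lower-case, spaced or unpadded."""
    cleaned = b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def parse_otpauth(uri):
    """Extract the secret and generation parameters from an otpauth URI."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc.lower() != "totp":
        raise ValueError("not an otpauth://totp/ URI")
    query = parse_qs(parts.query)
    if "secret" not in query:
        raise ValueError("URI carries no secret")
    algorithm = query.get("algorithm", ["SHA1"])[0].upper()
    if algorithm not in ("SHA1", "SHA256", "SHA512"):
        raise ValueError(f"unsupported algorithm: {algorithm}")
    digits = int(query.get("digits", ["6"])[0])
    if not 6 <= digits <= 8:
        raise ValueError("digits must be between 6 and 8")
    return {
        "label": unquote(parts.path.lstrip("/")),
        "issuer": query.get("issuer", [""])[0],
        "secret": decode_secret(query["secret"][0]),
        "algorithm": algorithm,
        "digits": digits,
        "period": int(query.get("period", ["30"])[0]),
    }


def build_otpauth(params):
    """Re-serialize parameters so they can be moved to another app."""
    query = urlencode({
        "secret": base64.b32encode(params["secret"]).decode().rstrip("="),
        "issuer": params["issuer"],
        "algorithm": params["algorithm"],
        "digits": params["digits"],
        "period": params["period"],
    })
    return f"otpauth://totp/{quote(params['label'])}?{query}"


def hotp(key, counter, digits=6, algorithm="SHA1"):
    """RFC 4226: HMAC the 8-byte counter, then dynamically truncate."""
    digest = hmac.new(key, struct.pack(">Q", counter), algorithm.lower()).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(params, now):
    """RFC 6238: the HOTP counter is the number of elapsed time steps."""
    counter = int(now) // params["period"]
    return hotp(params["secret"], counter, params["digits"], params["algorithm"])


def verify(params, submitted, now, window=1):
    """Server-side check allowing +/- `window` steps of clock drift."""
    counter = int(now) // params["period"]
    ok = False
    for step in range(-window, window + 1):
        if counter + step < 0:
            continue
        expected = hotp(params["secret"], counter + step,
                        params["digits"], params["algorithm"])
        # Constant-time comparison; no early exit on a match.
        ok |= hmac.compare_digest(expected, submitted)
    return ok


if __name__ == "__main__":
    account = parse_otpauth(SAMPLE_URI)
    print(account["label"], totp(account, time.time()))
    print(build_otpauth(account))
```

Changing the URI to `digits=7&period=10` yields the seven-digit, ten-second variant mentioned in footnote 5 from the same functions.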

Keeping the key itself secret is, in fact, extremely important. Vendor lock-in aside, I assume this partially contributes to the opacity of what happens in between scanning the QR code and having a functional 2FA setup. A large part of the debate over whether ‘Google Authenticator’ is a good 2FA solution is the fact that once your secret is in the Google Authenticator app, it is not coming out. If your app data gets corrupted, or if something misbehaves during a phone transition, you’re out of luck. Hopefully you’ve kept the recovery codes for your accounts safe somewhere. If to you, as to most people, TOTP means Google Authenticator, then this is a very real concern. One goof could simultaneously lock you out of all of your accounts that are important enough to you that you enabled their 2FA.

When I was de-Googling myself years ago, I went through the somewhat-laborious process of generating all new codes to put into Authy. In addition to (or in lieu of, I’m not entirely sure) local storage, Authy keeps your TOTP info in the cloud, allowing you to keep several devices in sync, including a desktop app. While this is a better solution than Google Authenticator, I’m not linking to it as I still think it’s a pretty bad one. The desktop app is an awful web-browser-masquerading-as-desktop-software creation. The system of PINs and passwords to access your account is convoluted. And, while in theory you can put the desktop app into a debug mode and extract your data, there’s no officially-supported path toward data portability. The unofficial method could go away at any time; in fact, while I will credit Indrek Ardel with the original method[4], it seemingly no longer works and one must find more recent forks that do. On top of this, the aforementioned bad desktop app and confusing set of passwords meant that it was still just easier to start fresh with new codes when I recently switched away from Authy. Finally, Authy is another corporate product. It’s owned by Twilio, and they seem to want a piece of that lock-in pie as well, offering their own 2FA service that is a quasi-proprietary implementation of TOTP[5], as outlined by Ardel.

For years, I’ve been using various KeePass implementations in conjunction with one another as a portable password management solution. I can keep a copy of the database in my OneDrive (or whatever cloud storage I happen to have access to; right now it’s OneDrive but frankly that’s because it’s cheap, not because it’s good) and have access to it from my phone and various computers. I can sync copies to flash drives if necessary, or drop a copy on an M-Disc with other important files to stash in a safe. I was, for a long time, using an unmaintained fork, KeePassX, because it simply vibes better with how I want computers to look and feel than its replacement, KeePassXC, does. On mobile, I’ve been using Strongbox[6]. At some point, I noticed they added support for TOTP codes! The app will happily scan a QR code and add the relevant data to an entry.

This was interesting and novel, and I was already thinking about moving all of my codes into it, simply because storing them that way meant the data was easily recoverable. If I wanted to switch again in the future, I now had access to the secret and any other relevant parameters, and could generate a new QR code from them if need be. But then I happened to notice that KeePassXC, the desktop software I had been avoiding, also supports TOTP codes. And Strongbox’s implementation is fully compatible with KeePassXC’s! This changed things – suddenly this was a portable solution for accessing my TOTP codes and not merely the data behind them. I generated new codes for everything I use (and upgraded my security on a few things that had implemented TOTP without my noticing) and ditched Authy.

While you can add TOTP codes directly in the KeePassXC desktop app, you can’t do it directly from a QR code. Windows is fond of capturing screenshots to the clipboard[7]; I would love to see an option in KeePassXC that scans an image in the clipboard for a QR code (and then clears the clipboard). Getting codes out is extremely straightforward. Since the data is just in normal entries in my database, a code I scan in via Strongbox will show up in KeePassXC once OneDrive catches up. It is worth noting that this rather shatters the ‘something you know / something you have’ model of 2FA, but the flexibility is there to manage codes and passwords however the user is comfortable. The most important aspect for me was liberating my TOTP data from a series of lockboxes for which I lacked the key.

Ultimately, I don’t think average users care much about data portability until they’re forced to. By the time their hands are forced, the path of least resistance tends to just be to stick with the vendor that’s locked them in[8]. With TOTP, the ramifications of this can be extremely annoying. More importantly, however, I think Google has done a very good job at preventing users from even knowing that TOTP portability is possible. Whether I convince anyone to store their codes in KeePass databases or not is immaterial; I really just want people to know they have options, and why they might want to use them. I want people to give just a small amount of thought to the implications of having a login credential that you not only have zero knowledge of, but also have zero access to. Frankly, I want people to stop doing free advertising for Google. And finally, I genuinely want a return to an internet where, occasionally, we make our users learn one little technical term instead of letting multi-billion dollar corporations coöpt everything good.

  1. If you’re coming to this post without a basic understanding of 2FA, I’d suggest reading something like Proton’s introduction to the practice, as it’s a bit beyond the scope of what I’m hoping to cover here. The gist, however, is that a password alone is a single point of failure, and 2FA adds an additional security challenge in the case of a password breach, etc. ↩︎
  2. It is important to note that TOTP is not a panacea; there are other attack vectors to worry about. SIM-swapping, however, particularly freaks me out due to the potential for a social engineering attack. ↩︎
  3. Google Authenticator also supports HOTP, or RFC 4226, an increment-based OTP system. In practice, I’ve never seen this method used on its own, though it is itself the backbone of TOTP. ↩︎
  4. For the sake of crediting, Ardel’s gist can be found here. It’s unlikely to work, and in 2020 Ardel left a note recommending users seek out actively-updated forks instead. ↩︎
  5. Quasi-proprietary is, perhaps, a stretch – it just uses different defaults than most. Seven digits and a ten-second time block instead of six and thirty. Importantly, though, it also completely obscures the fact that it’s just weird TOTP from the user. ↩︎
  6. Strongbox has a MacOS app as well; I have not used it. ↩︎
  7. Phrased this way because I’ve lost track of how many inbuilt screenshotting mechanisms this goofy operating system actually has these days. ↩︎
  8. See: everyone still active on Twitter. ↩︎

Rawwwwwr, let's talk about Wavosaur

Okay, so I promise I’m actually working on my 2022 media retrospective post, but I’ve also been itching to write about a particular piece of software that I’ve been getting a lot of use out of lately. I’ve been dabbling a bit with music production in tracker software, a style which is built entirely1 around the use of samples. As such, I’ve found myself needing to work directly on waveforms, editing samples out of pieces of media I’ve stolen or recordings I’ve made directly2. Having used Adobe Audition as both a multitracker and a wave editor for a long time, I rather like its approach as a dual-purpose tool. I do not, however, like Adobe, nor do I really want to wait for Audition to start up when I’m just chopping up waves. It’s too much tool for my current needs. I’ve also used Audacity in the past, which is a multitracker that certainly can function as a wave editor if you want it to. But, among other issues, it’s just not pleasant to use. So I’ve looked into a number of wave editors over the past few weeks, and have primarily settled on Wavosaur.

Wavosaur is not perfect software; I have a few quibbles that I’ll bring up in a bit. It is, however, really good software, with a no-nonsense interface that at least tries to be unintrusive, and is largely user-customizable. It’s quick to launch, and quick to load files. By default, it will attempt to3 load everything that was open when it was last exited; this can be disabled to make things even quicker. While this is true of pretty much any audio editing software, it supports the import of raw binary data as well as enough actual media formats that I can open up an MP4 video of an episode of Arthur that I downloaded from some sketchball site and start slicing up its audio without issue.

Navigating waves is pretty straightforward. Scrollwheel is assigned to zoom instead of scroll, which I do not like. An option for this would be great. It’s not a huge deal, however, since I’m moving around more by zooming than by scrolling in the first place. Zoom in and out are not bound to the keyboard by default; I set horizontal zoom to Ctrl+/- and vertical to Ctrl+Alt+/-. I might remove modifiers from vertical altogether, but my point is more that binding them to something logical makes navigating helpful, along with Ctrl+E and Ctrl+R, the default bindings for zooming to selection and zooming out all the way.

Wavosaur can deal with two different sorts of markers, and these are stored within the .wav file itself. Normal markers can be used to identify all manner of thing in the file. No data (like a name, for example) can be stored along with the marker, so a somewhat sparing use is probably best, but to my knowledge there is no limit to the number of markers that can be added. Other software does allow for similar markers to be named and then navigated by name, but to my knowledge none of these store these in a standardized way in the .wav file itself. I also haven’t seen other wave editing software that supports the other sort of marker that Wavosaur supports – loop markers. There can only be one pair of these — an in and an out — per file. Set your loops to the note’s sustain duration, and you have a very basic implementation of envelope control. While I don’t know of other software that writes this information, both trackers that I’m currently playing with — MilkyTracker and Renoise — will read it4. Wavosaur doesn’t really have a way to preview loop points in context, unfortunately, but the fact that it reads and writes them still makes for a useful starting point within the tracker.

My second-most-used wave editor over the past few weeks has been NCH WavePad5. Aside from the aforementioned loops, WavePad lacks two features that really make Wavosaur shine for sample creation. The first is the ability to snap to zero-crossings. Doing this helps to ensure that samples won’t end up popping when they trigger (or, with loop points, retrigger). This can easily be enabled and disabled in the menus, though toggling it can’t be bound to a key for some reason. The second is the ability to universally display time in audio samples6 instead of hours, minutes, and seconds. When fully zoomed in, WavePad switches to time based on audio samples, but I couldn’t find a way to set it as a permanent display. Often, with trackers, it’s advantageous to have a fairly intimate knowledge of how many audio samples you’re dealing with in a given sample. Being able to permanently set the display this way in Wavosaur is very helpful.

Wavosaur allows for resampling to an arbitrary sample rate. It has inbuilt pitch- and time-shifting, and a few basic effects like filters. For everything else, it supports VST in a straightforward way. You can build up a rack and preview things live, editing VST parameters while playing a looped selection of audio, and applying once things sound right. There’s some MIDI functionality, though I’m not sure the extent of it. Basic volume automation is included and works well enough. A wealth of visualization tools – spectrum analyzers and oscilloscopes and such – are included, and even have little widget versions that can live in the toolbar. It includes calculation tools for note frequency, delay, and BPM; BPM detection can also automatically place markers on beats. If you set markers at beats in this way, or manually, it will scramble audio based on markers for you.

I said I had a few quibbles that I’d like to get to. I already sort of mentioned one – while keyboard control is decent, not everything can be keybound. Like toggling snap-to-zero-crossings, there are quite a few actions that I would really like to have keyboard control over. Currently you can easily select between marker points by double-clicking within them, but the same can’t be done from the keyboard; overall, selection could use more granular control via menus and the keyboard. One very annoying thing is that doing an undo action resets the horizontal zoom out to 100%. If I’ve zoomed in on a section of audio that I’m looking to slice out into a new sample, I don’t want to lose that view if I need to correct a goofball mistake I made. Finally, something that a lot of good software has spoiled me for is a one-step process for making a new file from a selection. Right now it’s a two-step process of copying and pasting-as-new, which is fine. But it does sort of add up when you’re chopping up a bunch of samples. These are all pretty minor issues, and overall I think Wavosaur is a great little waveform editor. If you’re working with samples for trackers, I think it may be the best choice (on Windows, at least).

  1. There are modern trackers like Sunvox and Psycle that incorporate synthesis alongside PCM sampling, and using tracker interfaces for synth chips goes back to at least the SID. I think that overall, however, ‘tracker music’ mainly refers to or evokes software and music that is entirely sample-based. ↩︎
  2. I need to upgrade my contact mics, but I’m still liking the Tascam GT-R1 for its Hi-Z input. I also love the Zoom Handy H2n for its five-microphone MS/XY configuration, and the flexibility that affords. ↩︎
  3. A caveat here is that a lot of the sample slicing that I’m doing involves copying from a lengthy file into a new file for the individual sample. Doing this creates a temporary ‘paste.wav’ that won’t exist next time Wavosaur launches. ↩︎
  4. The Tascam GT-R1 supports overdub recording, and some other functionality for practice and jam recording, and part of this is a basic looping functionality. They cared enough about this that it gets dedicated buttons on the front panel! But alas, however it does this is not the same standard used by Wavosaur and the various trackers. ↩︎
  5. I don’t mind linking to NCH WavePad because it is quite good, but I wanted to bury the link down here for two reasons. First, their marketing is incredibly aggressive, to the point where they’ve bought ads that come up advertising it as a ‘Wavosaur alternative’ when you’re searching for Wavosaur (software that I might actually refer to as a free alternative to the $39.95 WavePad). Frankly, I just don’t like that. Second, they have a history of bundling bloatware in with their software. As far as the internet says, and as far as I can otherwise tell, they don’t do this anymore. But I think it’s worth knowing companies’ histories with these things. That said, I used WavePad and other NCH software many years ago, and it was solid then. WavePad was solid for me now as well, and had some UI tricks up its sleeve that I really liked. So, past the caveats, I do recommend checking out NCH WavePad if you need a wave editor and Wavosaur isn’t cutting it for your needs. ↩︎
  6. So, this is slightly tricky. Sampling in music refers to playing back short recordings of instruments, beats, vocals, &c. But in digital communication, when we’re talking about PCM audio, a sample is one point of audio. So, in a 44.1 kHz mono audio file, every second worth of audio contains 44,100 samples. For the purpose of this post, I refer to these as audio samples. ↩︎

Some things I have been meaning to write about but haven't

So… I have a few posts that I’ve sort of been working on, but they’re involved. I have others that I just haven’t been motivated to actually work on; motivation in general has been difficult lately. And there have been some things I’ve played with or thought about recently, but I just can’t figure out a way to sort of give those things the narrative structure that I hope for when I’m writing here. So, since it’s been a while, here are some things that I maybe should have written about:

The Steam Deck

I bought one of these. It’s weird! A big pile of compromises. I guess where I land on it is that it does what it’s supposed to do. It is a reasonably powerful machine in a handheld game console form factor, for a far lower price than a GDP. The outward-facing console features are horrible, in my opinion. The D-pad is unusable; I average like twenty lines lower in master mode Tetris than on my Switch or my modified DualShock 4. The button placement is too wide; I primarily play shmups and can’t reliably get from A to B for bombs. I think trackpads are the worst sort of input device – the Deck has two of them and they’re the worst of the worst. Put simply, I wouldn’t use this thing if it didn’t solve other problems.

And it does, but again this is mostly just by being the only thing that exists in this form factor and at this price. The parts that actually do the heavy lifting are software – the Proton emulation layer and the SteamOS Linux distribution. Proton does work surprisingly well – I play a lot of doujin games written in obscure languages for Windows 2000, and I’ve had very few compatibility issues. The SteamOS UI/UX is… fine. It’s always very obvious that you’re using a computer and not a purpose-built console, though. Anyway, I don’t love gaming on my laptop, so I have been getting a lot of use out of the Steam Deck. Hopefully more things start to exist in this market.

The Brother P-Touch Stickerkid

I’m probably going to write about this over on Cohost as well, where I’ve been doing more of the nerd stuff that I’ve kind of migrated from place to place over the years. But lately I’ve been kind of fixating on thermal labelmakers. They’re incredibly unsexy devices, and they’re essentially all the same. I think it’s fascinating seeing the slight differences model to model, though, like how the absolutely miserable PT-1400 is one of only like three models that has symbols for electrical polarity (and possibly the only model that does both that and barcodes).

Brother made a few models that really feel like they were trying to milk an existing product line as much as they could. One of the more interesting ones is the Stickerkid, the PT-25. The idea is just, kids like stickers, and thermal-printed labels are just… kinda crappy stickers. This line of thinking makes sense, but it also lends itself to… a really lazy product. Brother didn’t make that. The physical unit is based on an existing mid-grade model rather than the bottom of the barrel (I prefer the feel of it to the aforementioned PT-1400). The ROM is wildly different from normal models. It has a massive bank of symbols, many that can be combined in various ways for making varied faces and face/body combinations. It has a (bad, but still) typing game. It has a ‘piano mode’ which is just that every button makes a different tone (this can be disabled). It has a bank of a handful of phrases in several languages as a sort of half-hearted learning tool. It has physical ‘yes’ and ‘no’ buttons that make menu navigation much more pleasant than my typewriter-sized professional PT-9400. I won’t pretend it’s a great general-purpose labelmaker1, but I will say that Brother went way harder on the implementation of this idea than they needed to.


For a long time, I’ve exclusively used a DualShock 4 for gaming on my laptop. I have it modified with clicky switches, and it’s great for falling-block games and pretty good for shmups. I’ve finally got a working solution, albeit wired, for the Neo Geo Pad 2 PlayStation controller. I assumed that I’d be able to use my existing remapping software with it, since the adaptor I’m using (Brooks) emulates a wired PS4 controller. But the software I was using is picky, only activating a hardcoded list of approved USB devices. There are a lot of options that really feel like they fit in with the shmup lifestyle – often looking as cobbled together as the launchers for these games, and only mapping to keypresses, lacking virtual controller support.

But I didn’t want to need a second piece of software for the rare times I need virtual controller support, so I bit the bullet and bought reWASD. It takes forever to start up, presumably because the UI is all some Electron (or whatever) type bullshit. And there are some weird glitches here and there that seem to demand relaunching. But overall, I really enjoy the experience of this software over what I was using before. It’s far more customizable, the UI is just more intuitive, and it works fine with my adapted Neo Geo Pad 2. Customizability includes shift layers as well as mappings for double-taps and the like. I’m considering a shmup mapping for my Epyx 500XJ where the inner button will be shot, the outer button will be focus, and double-tapping the outer button will be bomb. Anyway, I expected the software to be a minor upgrade beyond just solving my immediate problem, but it is probably the best remapping experience I’ve had.


There really isn’t much to say about this Bluetooth speaker, and even if there were, I’m hesitant to just keep posting about Sony products. The SRS-BTM8 is an old, discontinued speaker that you can easily snag on eBay for about $20. It sounds fine. Not great, but fine. And importantly, it’s powered by 4 AA batteries. It’s pretty rare to find a Bluetooth speaker that isn’t powered by an internal lithium-ion battery, and with the infrequency that I use mine2 – this means I can basically never use it because the battery is bound to be dead. This solves that problem and is perfectly fine in every other way.

Next up…

I think that’s about all I have for right now. There are still a number of posts that I’m hoping I’ll actually follow through with. But even if I can’t build up the energy for any of that, I expect to get my 2022 media recap posted early in January. We’ll see where things go from there! Happy new year!

  1. The plastics used might not be the greatest, but that’s just sort of a ‘90s consumer electronics problem. At any rate, I used my Stickerkid for presents this year and when I swapped out the tape afterward, I snapped off a bit of plastic that holds a spring which presses the tape up to the head via a roller. ↩︎
  2. I don’t mean my LSPX-S2, which gets use but pretty much stays in one place. ↩︎