Disqus(ting) / Fwd: What’s Wrong with Disqus? 2017-05-08 No Comments

What’s Wrong with Disqus? / Replacing Disqus with Github Comments (donw.io)

Fwd: x11-misc/safeeyes: Protect your eyes from eye strain / asthenopia 2017-04-30 No Comments

Hey there!

If you are not subscribed to the new Gentoo packages feed, let me quickly introduce you to SafeEyes, which I started using on a daily basis. It has found its way into Gentoo as x11-misc/safeeyes now. This article does a good job:

SafeEyes Protects You From Eye Strain When Working On The Computer (webupd8.org)

Best, Sebastian

Fwd: At the grassroots against Amazon 2017-04-09 No Comments

At the grassroots against Amazon ("An der Basis gegen Amazon", jetzt.de, Eva Hoffmann)

Fwd: Who actually is my crazy neighbour? 2017-03-27 No Comments

Without many words: Who actually is my crazy neighbour? ("Wer ist eigentlich meine verrückte Nachbarin", ZEIT Online)

Why I recommend Debian over Ubuntu by now 2017-02-28 No Comments

I recently noticed that I would clearly suggest Debian over Ubuntu to someone about to make that choice.

A few reasons why:

  • The Chromium browser in Ubuntu (16.10) recently lagged so far behind Debian's that payment on AirBnB would fail on Ubuntu while working well on Debian; the update/fix took way too long.
  • The corefonts installer is broken (and not hard to fix) in Ubuntu (16.10). I would not recommend any of the workarounds I have seen; the bug has not been fixed for two years. It affected a non-IT friend of mine.
  • The shutdown process of a freshly installed Ubuntu 16.04 took ages due to the cups-browsed daemon. I experienced that at a Linux install party.
  • PyCharm freezes soon after start-up on Ubuntu (16.10).
  • Right now Debian has PostgreSQL 9.6, while the latest Ubuntu alpha only has PostgreSQL 9.5 (and we want 9.6 features on the server at work).
  • If you end up asking questions in the Debian channel at some point (say you have questions on Debian packaging), the Debian community will like you way better if you are not actually on Ubuntu.

So much for now.

Creating Fedora chroots on Debian, Gentoo, … easily 2017-02-18 No Comments


Just a quick tip on how to easily create a Fedora chroot environment from a (even non-Fedora) Linux distribution.

I am going to show the process on Debian stretch, but it should not be much different elsewhere.

Since I am going to leverage pip/PyPI, I need it available — that and a few widespread non-Python dependencies:

# apt install python-pip db-util lsb-release rpm yum
# pip install image-bootstrap pychroot

Now for the actual chroot creation; the process and usage are very close to Debian's debootstrap:

# directory-bootstrap fedora --release 25 /var/lib/fedora_25_chroot

Done. Now let’s prove we have actual Fedora 25 in there. For lsb_release we need the package redhat-lsb here, but the chroot is functional before that already.

# pychroot /var/lib/fedora_25_chroot dnf -y install redhat-lsb
# pychroot /var/lib/fedora_25_chroot lsb_release -a
LSB Version:    :core-4.1-amd64:core-4.1-noarch:[..]:printing-4.1-noarch
Distributor ID: Fedora
Description:    Fedora release 25 (Twenty Five)
Release:        25
Codename:       TwentyFive

Note the use of pychroot, mainly because it bind-mounts /dev and friends out of the box.

directory-bootstrap is part of image-bootstrap and, besides Fedora, also supports creation of chroots for Arch Linux and Gentoo.

See you 🙂

Fwd: Security (or lack of) at Number26 2017-01-09 No Comments


I would like to share a talk that I attended at 33c3. It’s about a company with a banking license and accounts with actual money. Some people downplay these issues as “yeah, but the issues were fixed” and “every major bank probably has something like this”. I would like to reply:

  • With a bit of time and interest, any moderate hobby security researcher could have found what he found, including me.
  • The issues uncovered are not mere issues of a product, they are issues in processes and culture.

When I checked earlier, Number26 did not have open positions for security professionals. They do now:

Senior Security Engineer (f/m)

The video: Shut Up and Take My Money! (33c3)

Fwd: (German) Telefónica sells the movement data of its O2/E-Plus customers (including blau.de) No Comments

Telefónica now sells the movement data of its O2/E-Plus customers ("Telefónica verkauft jetzt Bewegungsdaten seiner O2/E-Plus-Kunden")

Opt out at:

arc4random_uniform and avoiding modulo bias when using a random number generator 2016-07-30 No Comments

Using the arc4random_uniform function is recommended over using arc4random: the former is advertised as not having “modulo bias” issues, see man arc4random.
(So I got curious, searched the web a bit, and found this blog post, this answer and this link to the source code of one version used by Apple. It took me a bit to figure things out, but when I got it I was surprised how simple the solution is and how simple the explanation could be. So here is my take at a better explanation.)

Say we have a random number generator that produces numbers from 0 to 7 (i.e. 8 different values). Now in our application, we need 3 different values (i.e. 0 to 2, for simplicity). So the maximum source value SRC_MAX is 7, the maximum destination value DST_MAX is 2.

If we calculate random values like

r = source_generator() % (DST_MAX + 1);

we end up with 0s and 1s a lot more than 2s — some people call that modulo bias, because there is bias for/against certain values.
In the semi-visual world, the scenario looks like this (“XXX” marking troublemakers, i.e. values causing bias):


 /---------\ /---------\ /---------\
|   |   |   |   |   |   |XXX|XXX|
 0   1   DST_                SRC_
         MAX                 MAX


Now, to solve the modulo bias, one could pick some way of skipping troublemakers so that they are not taken into account. With troublemakers removed, we return to a uniform distribution. To do that, when we hit a troublemaker we just roll the dice again until we no longer have a troublemaker. If our source generator is producing uniformly distributed output, that is guaranteed to terminate, and quickly. In code, it could be a loop like this:

for (;;) {
  src = source_generator();  // [0 .. SRC_MAX]
  if (/* ... no skip needed ... */)
    return src % (DST_MAX + 1);  // [0 .. DST_MAX]
}


How many (and which) values need to be skipped?

The number of troublemakers calculates as

trouble_count = (SRC_MAX + 1) % (DST_MAX + 1);

e.g. 2 in our case, because (7+1) % (2+1) = 8 % 3 = 2 (since 2*3 + 2 = 8).
Our input is a range ([0 .. SRC_MAX]) and our output is a (smaller) range ([0 .. DST_MAX]).
There are two easy places to skip values: (a) at the beginning or (b) at the end.


a) Beginning
                                    >   for (;;) {
         /---------\ /---------\    >     src = source_generator();
|XXX|XXX|   |   |   |   |   |   |   >     if (src >= trouble_count)
 0   1   DST_                SRC_   >       break;
         MAX                 MAX    >   }
                                    >   return src % (DST_MAX + 1);

b) End
                                    >   for (;;) {
 /---------\ /---------\            >     src = source_generator();
|   |   |   |   |   |   |XXX|XXX|   >     if (src <= SRC_MAX - trouble_count)
 0   1   DST_                SRC_   >       break;
         MAX                 MAX    >   }
                                    >   return src % (DST_MAX + 1);


To me (b) seems more intuitive; the arc4random_uniform sources I looked at went for (a).

Now the only tricky part left is how to calculate

trouble_count = (SRC_MAX + 1) % (DST_MAX + 1);

for SRC_MAX = 0xffffffff = 2³²-1 without (SRC_MAX + 1) wrapping around to 0. I would go with

trouble_count = (SRC_MAX - (DST_MAX + 1) + 1) % (DST_MAX + 1);

The idea is that (k - n) % n equals k % n, since we are working modulo n (here k = SRC_MAX + 1 and n = DST_MAX + 1).
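As an added example (not code from this post nor from any arc4random implementation), the C below wires the pieces together: trouble_count computed the wrap-free way, both skip variants behind one keep() predicate, the rejection loop, and an exhaustive bias check on the 0..7 to 0..2 case. cycle8() is a constructed, deterministic stand-in for source_generator(), not a random source.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

enum mode { NAIVE, SKIP_BEGIN, SKIP_END };

/* Troublemaker count (SRC_MAX + 1) % (DST_MAX + 1), computed as (SRC_MAX - (DST_MAX + 1) + 1)
 * % (DST_MAX + 1) so that SRC_MAX + 1 is never formed and cannot wrap when SRC_MAX == UINT32_MAX. */
uint32_t trouble_count(uint32_t src_max, uint32_t dst_max) {
    return (src_max - dst_max) % (dst_max + 1u);
}

/* true: src may be reduced with %; false: roll again. NAIVE never skips (biased). */
bool keep(uint32_t src, uint32_t src_max, uint32_t dst_max, enum mode m) {
    uint32_t tc = trouble_count(src_max, dst_max);
    if (m == SKIP_BEGIN) return src >= tc;            /* variant (a): drop the lowest tc values */
    if (m == SKIP_END)   return src <= src_max - tc;  /* variant (b): drop the highest tc values */
    return true;
}

/* The rejection loop of the post, parameterised on the skip variant. */
uint32_t uniform_from(uint32_t (*gen)(void), uint32_t src_max, uint32_t dst_max, enum mode m) {
    for (;;) {
        uint32_t src = gen();                           /* [0 .. SRC_MAX] */
        if (keep(src, src_max, dst_max, m))
            return src % (dst_max + 1u);                /* [0 .. DST_MAX] */
    }
}

/* Exhaustive bias check for a tiny generator (small src_max, dst_max < 8): feed every source
 * value once and count hits per destination bucket. Plain modulo piles the surplus onto the
 * low buckets, so hits[0] - hits[dst_max] is 0 exactly when the mapping is uniform. */
uint32_t bucket_spread(uint32_t src_max, uint32_t dst_max, enum mode m) {
    uint32_t hits[8] = {0};
    for (uint32_t src = 0; src <= src_max; src++)
        if (keep(src, src_max, dst_max, m))
            hits[src % (dst_max + 1u)]++;
    return hits[0] - hits[dst_max];
}

/* Constructed, deterministic stand-in for source_generator(): cycles 0..7. Not random. */
static uint32_t cyc_state;
uint32_t cycle8(void) { return cyc_state++ % 8u; }
int main(void) {
    printf("tc(7,2)=%u naive=%u a=%u b=%u draw=%u tc(2^32-1,2)=%u\n", trouble_count(7, 2),
           bucket_spread(7, 2, NAIVE), bucket_spread(7, 2, SKIP_BEGIN), bucket_spread(7, 2, SKIP_END),
           uniform_from(cycle8, 7, 2, SKIP_END), trouble_count(UINT32_MAX, 2));
    return 0;
}
```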

That’s all.

Gimp 2.9.4 now in Gentoo 2016-07-18 No Comments

Hi there!

Just a quick heads up that Gimp 2.9.4 is now available in Gentoo.

Upstream has an article on what’s new with Gimp 2.9.4: GIMP 2.9.4 Released