roguelazer's website

Yet again, it has come time to rotate my PGP/GnuPG private key. My old key (1ED5E5A301C3D109904022893C7775DD37811E62) actually expired a couple of weeks ago, and I've been procrastinating writing up this transition. The new key is 0xC6496DEB3DA8E9B5 (full fingerprint: 24F8AA354990F3F562EC014BC6496DEB3DA8E9B5) You can also find it at https://files.roguelazer.com/roguelazer.gpg. It has also been attached to my keybase.io account and my Github profile. It is cross-signed by the old key.

My signed transition document is below, and can also be found at 2022-05-28-key-transition-statement.txt.asc if you prefer to download it directly.

After more than two years of successfully dodging it, COVID-19 finally hit my family the week. On Tuesday my wife woke up with a migraine, which isn't unusual for her; on Wednesday morning, she woke up with a low (100.4°F fever) and we belatedly realized that she might be sick. She took an antigen test¹ and the TEST line turned blue basically instantly.

Shit.

Quarantine ensued. Isaac (our son) has been home from school² and we've all been cooped up on the property for the past few days.

So far, Isaac and I have continued to be symptom-free and testing negative on antigen tests. I also got one PCR ³ (so far) which was negative. We've been trying to isolate as much as possible, but Eva and I both have full-time jobs, and Isaac can't go back to day care until this nightmare is over, so there's only so much we can do — we also have a relatively small house which doesn't have any tightly-closing inside doors. Both of us adults have been wearing N95 masks whenever awake, and we have HEPA air purifiers⁴ running in whatever rooms we happen to be occupying.

Eva is fully-vaccinated and has had mild symptoms (runny nose, low fever, etc), but she still is very strongly positive on antigen tests; hopefully she'll recover in the next few days, and then Isaac and I can get PCRs, and then he can go back to school, and then in a few weeks he can finally get vaccinated⁵, and then we'll be done with this... at least, for a little while...

In the meantime, I'm left wondering why Eva got sick and I didn't. It's not like she's gone anywhere I haven't. Is my immune system just stronger — did we both get exposed, and I happened to produce some overwhelming immune response? Or did I just happen to dodge whatever breath carried the disease, and every second I spend in this household is another chance of exposure?

We're, of course, extremely lucky to have made it two years without anyone in this household (or our parents or siblings) getting sick, and we're lucky that neither of us is seriously ill, but damn if this isn't annoying.

Some more reading, if you're in a COVID mood:

• "Post–COVID Conditions Among Adult COVID-19 Survivors Aged 18–64 and ≥65 Years — United States, March 2020–November 2021": a CDC study from two weeks ago showing long COVID may occur in as many as 20% of people. Oof.
• "Why COVID-19 gaslighting by politicians is so dangerous for democracy": I am a registered Democrat, but that doesn't mean I think Democrats' chief motivation is anything other than getting elected. See also: this infamous and awful memo.
• "The Curious Case of Leana Wen, Physician-Advocate Turned Covid Pundit": Some inside baseball that follows up the previous article very well
• "A Negative COVID Test Has Never Been So Meaningless": antigen tests have a sensitivity of as low as 40% and can't be trusted if they show a negative. Thank goodness we're cutting off funding for testing.

À bientôt.

As you might recall, my son Isaac was born a couple of years ago. This was obviously an occasion for joy and family happiness (and an end to regular sleep) — but beyond that, it was the beginning of a capitalist glut, a massive influx of new Stuff. So, uh, I figured I'd write about that in case any of my readers ever have a kid and want to know about various baby support items.

In general, we had a few constraints:

• our house is relatively small (~1200sqft) and has little storage
• when we were making most of these decisions, my wife and I spent a relatively large amount of time traveling (both via local transit options like BART and AC Transit, and on planes to visit our far-flung families)
• money/price is... not a chief concern

Some of my go-tos for researching items before buying them were the Wirecutter, Baby Gear Lab, Consumer Reports but, frankly, none of these had quite the same set of priorities as we did. We also went to some local retail stores (shout-out to the now-defunct Tot Tank in Alameda) and of course talked to all of our friends with kids. For non-safety-sensitive things, Berkeley Parents Network has been a good resource for used items.

Anyhow, read on for all the big-ticket items!

Hello dear readers! Like most of you (and as I've written about before), I've been stuck working from home for the last year and a half, out of the little converted covered porch on my house. For the last six months or so, I've been doing so with my butt firmly planted on an HON Basyx pleather-upholstered office chair that I rescued from my office when we moved out. This chair is, uh, not in the best condition¹:

This chair actually originally belonged to Curse, a now-defunct company that made some kind of WoW fansite. They used to be in my company's old office (2016-2018) and left behind all of their furniture when they were acquired by Amazon. I snagged one of these pleather chairs from their board room and had been using it since.

Anyhow, I finally decided to replace the chair a few months ago and kicked off a long search for a better chair. Something you may not have known: it was really damn hard to buy a chair at the height of the pandemic. Every chair in the universe was backordered and no stores would let you actually sit down in chairs to try them out. Starting this spring, though, things started to lighten up a bit, and I was able to go to some stores (including the local Design Within Reach) and try out some overpriced chairs. In the end, I decided to go for a Herman-Miller Cosm, which is kind of a strange chair. It's designed for public spaces and has very little customization. For most people, I think that's a drawback, but I really hate highly-customizable chairs like the Aeron because when I'm in them, I spend all of my time fidgeting with the levers to try to get a slightly more comfortable experience. For Herman-Miller, it came down to the Cosm or the Eames Executive, both of which are very comfortable, low-configuration chairs. I also of course looked at Steelcase, as well as some of the cheap brands at big-box stores. In the end, I decided that the Cosm was the most comfortable option², and also cost $2000 less than the Eames chairs, so that's what I bought³.

Now if I could just figure out some way to make it not 90°F in this room when the sun's out and 55° otherwise...

Yesterday, California released their Digital Vaccine Record system for securely verifying residents' COVID-19 vaccination status. I took a look at it and thought I'd write up my findings here. At a high level, the DVR consists of a QR code which contains a cryptographically-signed assertion in JSON Web Token (JWT) format. I'll walk you through how to get one, how to decode it, and what it contains in the rest of this article.

Getting one of the tokens is pretty easy; you just go to the Digital Vaccine Record website and put in your name, date of birth, and the phone number or email address you gave when you got your vaccine. I got mine through CVS, and, for whatever reason, they only provided my phone number to the state, not my email address. The state will then send you an email or SMS containing a short-lived link to a website which will show a very large and information-dense QR Code.

You can scan this QR code with the QR code scanner of your choice and you should get back some text¹ like the following:

shc:/56762909524320603460292437404460312229595326546034602925407728043360287028647167452228092861553055647103414321643241110839632106452403713377212638633677424237084126633945392929556404425627596537253338446120605736010645293353127074232853503870255550530362394304317059085244240537...

This very long string is a Smart Health Card token, which is the framework being used by several states. Let's decode it with a little bit of Python!

First, create a virtualenv somewhere handy with python3 -m virtualenv venv. Next, we'll install my forked copy of pyjwt (which adds gzip support, as required for SHC) with ./venv/bin/pip install -e 'git+https://github.com/Roguelazer/pyjwt.git@deflate#egg=pyjwt[crypto]'².

The following code will verify the signature on your SHC and print out the contents:

import jwt
import json


def decode(code):
    if code.startswith('shc:/'):
        code = code[5:]
    # decode the numeric data into binary data
    if len(code) % 2 != 0:
        raise ValueError('code is not the right length')
    d = []
    for i in range(int(len(code) / 2)):
        d.append(chr(int(code[i * 2] + code[(i * 2) + 1]) + 45))
    d = ''.join(d)
    # download the public keys from the CDPH website. Oddity: the .well-known/
    # directory should be at the top-level, but it isn't!
    jwks_client = jwt.PyJWKClient(
        'https://myvaccinerecord.cdph.ca.gov/creds/.well-known/jwks.json'
    )
    # find the matching signing key based on the header
    signing_key = jwks_client.get_signing_key_from_jwt(d)
    data = jwt.decode(d, signing_key.key, algorithms=['ES256', 'RS256'])
    return data


code = input('SHC code: ')
print(json.dumps(decode(code)))

If it works, you should get something like the following:

{
  "iss": "https://myvaccinerecord.cdph.ca.gov/creds",
  "nbf": 1624036526,
  "vc": {
    "type": [
      "https://smarthealth.cards#health-card",
      "https://smarthealth.cards#immunization",
      "https://smarthealth.cards#covid19"
    ],
    "credentialSubject": {
      "fhirVersion": "4.0.1",
      "fhirBundle": {
        "resourceType": "Bundle",
        "type": "collection",
        "entry": [
          {
            "fullUrl": "resource:0",
            "resource": {
              "resourceType": "Patient",
              "name": [
                {
                  "family": "YOUR LAST NAME",
                  "given": [
                    "YOUR FIRST NAME"
                  ]
                }
              ],
              "birthDate": "YOUR BIRTH DATE"
            }
          },
          {
            "fullUrl": "resource:1",
            "resource": {
              "resourceType": "Immunization",
              "status": "completed",
              "vaccineCode": {
                "coding": [
                  {
                    "system": "http://hl7.org/fhir/sid/cvx",
                    "code": "207"
                  }
                ]
              },
              "patient": {
                "reference": "resource:0"
              },
              "occurrenceDateTime": "2021-04-19",
              "performer": [
                {
                  "actor": {
                    "display": "CVS CORPORATE"
                  }
                }
              ],
              "lotNumber": "036B21A"
            }
          },
          {
            "fullUrl": "resource:2",
            "resource": {
              "resourceType": "Immunization",
              "status": "completed",
              "vaccineCode": {
                "coding": [
                  {
                    "system": "http://hl7.org/fhir/sid/cvx",
                    "code": "207"
                  }
                ]
              },
              "patient": {
                "reference": "resource:0"
              },
              "occurrenceDateTime": "2021-05-18",
              "performer": [
                {
                  "actor": {
                    "display": "CVS CORPORATE"
                  }
                }
              ],
              "lotNumber": " 025C21A"
            }
          }
        ]
      }
    }
  }
}

This is pretty much what you might expect and is in line with, e.g., this very good article from the Mozilla blog. It contains the minimum amount of information required to identify someone (ideally paired with looking at their license or something), it can be easily printed or otherwise stored offline³, it's cryptographically verified using standard protocols and technologies. The only thing that worries me is that it doesn't seem to have a human-readable field to encode what kind of vaccine it was that I received⁴, so if it turns out that one of the vaccines is ineffective against a variant and folks with that shot need a booster in order to be considered "fully vaccinated", that will require some gymnastics. That's a pretty minor and hypothetical concern, though.

Good on California for coming up with a reasonable and efficient system⁵! I look forward for using it in the future to be able to go to crowded places and feel confident that I'm not putting my un-vaccinatable son at risk. Hooray!

Yesterday around 10am, I got my second shot of the ModeRNA COVID-19 vaccine (unsurprisingly, I got my first show four weeks ago); at this point I'm in the countdown to be "fully vaccinated"¹. So far, the side effects have been pretty mild:

• I was maybe a little tired yesterday afternoon
• Yesterday evening I had an elevated temperature of 99.7°F, but no clinical fever
• This morning my arm feels like I lost a really intense game of Punch Buggy

I know the pandemic is nowhere near over and people are dying by the thousands around the world, but I'm certainly happy that my chances of serious illness are now very close to zilch.

Speaking of the pandemic being nowhere near over, let me just say how bizarre I find last week's CDC guidance on face masks and social distancing... 48% of the US is currently vaccinated, with some states as low as 33%. Even here in Alameda County, only 60% of eligible adults are vaccinated so far. I've been spending the last year watching an endless sequence of men² who certainly were not vaccinated refuse to take any precautions; now the CDC is saying that I'm all of a sudden supposed to trust that all the newly-unmasked people around me aren't in the 40% who haven't gotten vaccinated? Yeah, right! I know that I, when I am fully-vaccinated, will not be at much risk, but I'd rather not risk that my infant son join the increasing number of pediatric COVID-19 cases. I'm glad that California is being a little more conservative and waiting until June 15th. It's a damn shame that nobody was able to figure out a reliable "vaccine passport" system yet³; Mozilla has a good article on how this could be done that, unfortunately, I don't think any US state will ever bother to implement.

As usual, stay safe out there, readers.

Just Finished

For All Mankind Season Two. This season had a lot of slow moments, and more of Karen than I really wanted but holy shit did those final two episodes deliver. If you've bought an Apple product in the last couple of years, you get this for free, so you might as well watch it!

Half-Way Through

Babylon 5 Season Three. I'd never seen any B5 and $SPOUSE and I decided to watch it over lockdown. It's pretty fun seeing how much DS9 stole from this show. My main complaint is that I don't really care about any of the human characters and really just want to watch the "Londo and G'Kar screw up the galaxy" show.

Just Started

Mythic Quest Season One. We're always on the hunt for a half-hour comedy to watch during nap-time, and this one's pretty good. Unlike Silicon Valley, this doesn't remind me of my day job too much. Came into it expecting Danny Pudi to be the main draw but Charlotte Nicdao really steals the show. Season Two comes out in a few weeks!

As of yesterday morning, I've gotten my first shot of the ModeRNA¹ COVID-19 vaccine!

I'd been trying to get an appointment since Berkeley opened them up to all adults on April 9th, and had no luck until 3am on Friday morning, when I managed to get one of the spots released by the CVS near my house (they were all gone a few minutes later). I was surprised to find when I arrived at CVS that, despite the intense competition to get vaccinated, supply is so tight that they were only being issued 10 doses (one vial) per day.

It's so frustrating that vaccines are still so hard to get here, and yet doses are sitting unused around the country. I don't know what the solution is to convince rural Republicans to get vaccinated, but I hope someone comes up with something to prevent the ultra-conservative parts of America from serving as a breeding ground for weird SARS-CoV-2 variants.

Anyhow, while I'm writing a post on COVID-19, here are some fun links:

• Reverse Engineering the source code of the BioNTech/Pfizer SARS-CoV-2 Vaccine: I assume everyone's read this one already but it's a great explanation of something I know very little about
• Exploring the Supply Chain of the Pfizer/BioNTech and Moderna COVID-19 vaccines: Another very nitty-gritty cool article
• Deep Cleaning Isn’t a Victimless Crime: I feel like all of my news sources have been making it clear that this virus spreads through the air and not through surfaces for the last, like, 10 months, but I guess a lot of people have gotten hung up on crazy and useless "deep cleaning". Hopefully we can get past that and stop making the entire world smell like bleach. I guess this Lancet article has been very influential?

At this point I'm kind of vacillating between optimism that we're all going to be vaccinated and safe soon, and deep pessimism that the right wing media echo chamber has created an insurmountable barrier of misinformed people with a near-pathological antipathy towards science and public health, even if we do make it through this pandemic, the next one is going to be some real Dark Ages shit.

Fun stuff.

Stay safe out there.

Here's a fun game for you: what do you expect to be the state of the filesystem after running the following commands in an empty directory on a Linux system?

$ touch foo:bar
$ tar -cpf foo:bar.tar foo:bar
$ rm foo:bar
$ tar -xpf foo:bar.tar

Do you expect the directory to contain the files foo:bar and foo:bar.tar?

What if I told you that instead the directory would only contain foo:bar.tar and stderr would say

tar (child): Cannot connect to foo: resolve failed

Yep! It turns out that GNU tar, if passed a filename containing a colon, treats the part before the colon as a hostname and attempts to connect to that host over rsh to download the part of the file after the colon. If you're not familiar with it, rsh is the completely-insecure predecessor to SSH. It's been at least 20 years since any reasonable system has shipped with RSH. This behavior is documented in Chapter 9.1 of the GNU tar manual but nobody I polled had ever heard of it.

Anyhow, GNU tar has a --force-local option to disable this behavior. If you ever process tar files whose names you do not completely control, or which might for some reason contain a colon, you should pass --force-local before every invocation.

An enterprising security researcher could probably have a lot of fun experimenting with vendor crap like security cameras and routers that take tar files with user-controlled filenames for firmware upgrades and see how many of them can be persuaded to establish a rsh shell to some attacker-controlled device...

I went into my office yesterday for the first time in a few months to pick some stuff up. We got notified a couple of days ago to get any personal property out of the office before Thanksgiving or else it'd be thrown out, so I guess we're moving out of the office. It was a pretty eerie place to be; even now, 8 months later, most people haven't been back and it kind of looks like the entire office was abducted by aliens in early March.

Despite how weird it is, I still miss working out of the office.