New Chair!

Hello dear readers! Like most of you (and as I've written about before), I've been stuck working from home for the last year and a half, out of the little converted covered porch on my house. For the last six months or so, I've been doing so with my butt firmly planted on an HON Basyx pleather-upholstered office chair that I rescued from my office when we moved out. This chair is, uh, not in the best condition1:

[image: old chair]

This chair actually originally belonged to Curse, a now-defunct company that made some kind of WoW fansite. They used to be in my company's old office (2016-2018) and left behind all of their furniture when they were acquired by Amazon. I snagged one of these pleather chairs from their board room and had been using it since.

Anyhow, I finally decided to replace the chair a few months ago and kicked off a long search for a better chair. Something you may not have known: it was really damn hard to buy a chair at the height of the pandemic. Every chair in the universe was backordered and no stores would let you actually sit down in chairs to try them out. Starting this spring, though, things started to lighten up a bit, and I was able to go to some stores (including the local Design Within Reach) and try out some overpriced chairs. In the end, I decided to go for a Herman-Miller Cosm, which is kind of a strange chair. It's designed for public spaces and has very little customization. For most people, I think that's a drawback, but I really hate highly-customizable chairs like the Aeron because when I'm in them, I spend all of my time fidgeting with the levers to try to get a slightly more comfortable experience. For Herman-Miller, it came down to the Cosm or the Eames Executive, both of which are very comfortable, low-configuration chairs. I also of course looked at Steelcase, as well as some of the cheap brands at big-box stores. In the end, I decided that the Cosm was the most comfortable option2, and also cost $2000 less than the Eames chairs, so that's what I bought3.

[image: new chair]

Now if I could just figure out some way to make it not 90°F in this room when the sun's out and 55° otherwise...

1

Fun fact: those little black dots you can see on the rug under the chair aren't random dirt, they're actually little flakes of the synthetic leather from the chair.

2

The seat is a little short, which kind of sucks, but the "auto-harmonic tilt" back is just right

3

Specifically, with a mid back and adjustable arms. I actually don't use my chair arms very much because I have terrible posture and rest my arms on my desk instead, but the cool-looking wing arms on the Cosm by default are... just awful...

CDPH Digital Vaccine Record

Yesterday, California released their Digital Vaccine Record system for securely verifying residents' COVID-19 vaccination status. I took a look at it and thought I'd write up my findings here. At a high level, the DVR consists of a QR code which contains a cryptographically-signed assertion in JSON Web Token (JWT) format. I'll walk you through how to get one, how to decode it, and what it contains in the rest of this article.

Getting one of the tokens is pretty easy; you just go to the Digital Vaccine Record website and put in your name, date of birth, and the phone number or email address you gave when you got your vaccine. I got mine through CVS, and, for whatever reason, they only provided my phone number to the state, not my email address. The state will then send you an email or SMS containing a short-lived link to a website which will show a very large and information-dense QR Code.

You can scan this QR code with the QR code scanner of your choice and you should get back some text1 like the following:

shc:/56762909524320603460292437404460312229595326546034602925407728043360287028647167452228092861553055647103414321643241110839632106452403713377212638633677424237084126633945392929556404425627596537253338446120605736010645293353127074232853503870255550530362394304317059085244240537...

This very long string is a SMART Health Card token, which is the framework being used by several states. Let's decode it with a little bit of Python!

First, create a virtualenv somewhere handy with python3 -m virtualenv venv. Next, we'll install my forked copy of pyjwt (which adds gzip support, as required for SHC) with ./venv/bin/pip install -e 'git+https://github.com/Roguelazer/pyjwt.git@deflate#egg=pyjwt[crypto]'2.

The following code will verify the signature on your SHC and print out the contents:

import jwt
import json


def decode(code):
    # strip the URI scheme prefix that the QR code carries
    if code.startswith('shc:/'):
        code = code[5:]
    # decode the numeric data into the JWS compact serialization: each pair of
    # digits is one character, offset by 45 so that '-' is 00 and 'z' is 77
    if len(code) % 2 != 0:
        raise ValueError('code is not the right length')
    d = []
    for i in range(len(code) // 2):
        d.append(chr(int(code[i * 2:i * 2 + 2]) + 45))
    d = ''.join(d)
    # download the public keys from the CDPH website. Oddity: the .well-known/
    # directory should be at the top-level, but it isn't!
    jwks_client = jwt.PyJWKClient(
        'https://myvaccinerecord.cdph.ca.gov/creds/.well-known/jwks.json'
    )
    # find the matching signing key based on the "kid" in the JWS header
    signing_key = jwks_client.get_signing_key_from_jwt(d)
    # verify the signature and inflate the DEFLATE-compressed payload (the
    # inflate step is what the forked pyjwt adds); note that the SHC spec
    # itself only permits ES256
    data = jwt.decode(d, signing_key.key, algorithms=['ES256', 'RS256'])
    return data


code = input('SHC code: ')
print(json.dumps(decode(code), indent=2))

If it works, you should get something like the following:

{
  "iss": "https://myvaccinerecord.cdph.ca.gov/creds",
  "nbf": 1624036526,
  "vc": {
    "type": [
      "https://smarthealth.cards#health-card",
      "https://smarthealth.cards#immunization",
      "https://smarthealth.cards#covid19"
    ],
    "credentialSubject": {
      "fhirVersion": "4.0.1",
      "fhirBundle": {
        "resourceType": "Bundle",
        "type": "collection",
        "entry": [
          {
            "fullUrl": "resource:0",
            "resource": {
              "resourceType": "Patient",
              "name": [
                {
                  "family": "YOUR LAST NAME",
                  "given": [
                    "YOUR FIRST NAME"
                  ]
                }
              ],
              "birthDate": "YOUR BIRTH DATE"
            }
          },
          {
            "fullUrl": "resource:1",
            "resource": {
              "resourceType": "Immunization",
              "status": "completed",
              "vaccineCode": {
                "coding": [
                  {
                    "system": "http://hl7.org/fhir/sid/cvx",
                    "code": "207"
                  }
                ]
              },
              "patient": {
                "reference": "resource:0"
              },
              "occurrenceDateTime": "2021-04-19",
              "performer": [
                {
                  "actor": {
                    "display": "CVS CORPORATE"
                  }
                }
              ],
              "lotNumber": "036B21A"
            }
          },
          {
            "fullUrl": "resource:2",
            "resource": {
              "resourceType": "Immunization",
              "status": "completed",
              "vaccineCode": {
                "coding": [
                  {
                    "system": "http://hl7.org/fhir/sid/cvx",
                    "code": "207"
                  }
                ]
              },
              "patient": {
                "reference": "resource:0"
              },
              "occurrenceDateTime": "2021-05-18",
              "performer": [
                {
                  "actor": {
                    "display": "CVS CORPORATE"
                  }
                }
              ],
              "lotNumber": " 025C21A"
            }
          }
        ]
      }
    }
  }
}

This is pretty much what you might expect and is in line with, e.g., this very good article from the Mozilla blog. It contains the minimum amount of information required to identify someone (ideally paired with looking at their license or something), it can be easily printed or otherwise stored offline3, and it's cryptographically verified using standard protocols and technologies. The only thing that worries me is that it doesn't seem to have a human-readable field encoding what kind of vaccine I received4, so if it turns out that one of the vaccines is ineffective against a variant and folks with that shot need a booster in order to be considered "fully vaccinated", that will require some gymnastics. That's a pretty minor and hypothetical concern, though.
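To make concrete what the forked pyjwt is doing underneath, here is an added example (my code, not part of the original post and not CDPH or SMART Health Cards software) that walks the layers of a card with only the Python standard library: the numeric QR encoding, the three-part JWS, the raw-DEFLATE payload, and the header checks a verifier should apply before it ever fetches a key. Signature verification is deliberately left out, since that needs the issuer's public key and an ES256 implementation (which is what the jwt.decode call above supplies); instead check_jws() reports the kid and the JWKS URL that the SHC spec derives as iss + "/.well-known/jwks.json", which for the CDPH card is exactly the /creds/.well-known/jwks.json path used above. It also goes beyond the single-QR card shown here by handling the multi-QR shc:/i/n/... chunked form. The sample card, its issuer URL and its kid are constructed for the example and are not real.

```python
import base64
import json
import zlib

SHC_PREFIX = 'shc:/'


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b'=').decode('ascii')


def b64url_decode(text):
    # JWS segments drop the '=' padding; restore it before decoding
    return base64.urlsafe_b64decode(text + '=' * (-len(text) % 4))


def numeric_digits(jws):
    # Each JWS character becomes the two-digit number ord(c) - 45, so '-' is 00
    # and 'z' is 77; this lets the QR code use its compact numeric mode.
    return ''.join(f'{ord(c) - 45:02d}' for c in jws)


def numeric_encode(jws):
    return SHC_PREFIX + numeric_digits(jws)


def chunk_card(jws, n):
    # Multi-QR form: chunk i of n is written as shc:/i/n/<digits>
    size = -(-len(jws) // n)
    return [f'{SHC_PREFIX}{i + 1}/{n}/{numeric_digits(jws[i * size:(i + 1) * size])}'
            for i in range(n)]


def numeric_decode(chunks):
    # Accepts one scanned string or a list of chunks in any order and returns
    # the JWS compact serialization; every structural error raises ValueError.
    if isinstance(chunks, str):
        chunks = [chunks]
    pieces = {}
    for chunk in chunks:
        if not chunk.startswith(SHC_PREFIX):
            raise ValueError('missing shc:/ prefix')
        parts = chunk[len(SHC_PREFIX):].split('/')
        if len(parts) == 1:
            index, total, digits = 1, 1, parts[0]
        elif len(parts) == 3:
            index, total, digits = int(parts[0]), int(parts[1]), parts[2]
        else:
            raise ValueError('malformed chunk header')
        if total != len(chunks) or index in pieces:
            raise ValueError('inconsistent chunk set')
        pieces[index] = digits
    if sorted(pieces) != list(range(1, len(chunks) + 1)):
        raise ValueError('chunk indices are not 1..n')
    digits = ''.join(pieces[i] for i in sorted(pieces))
    if not digits.isdigit() or len(digits) % 2:
        raise ValueError('body must be an even number of decimal digits')
    return ''.join(chr(int(digits[i:i + 2]) + 45) for i in range(0, len(digits), 2))


def check_jws(jws):
    # Parse the JWS and apply the header checks that belong *before* key
    # lookup. The signature itself is not verified here (see the lead-in).
    segments = jws.split('.')
    if len(segments) != 3:
        raise ValueError('expected three dot-separated JWS segments')
    header = json.loads(b64url_decode(segments[0]))
    # The SHC spec fixes alg to ES256 and payload compression to raw DEFLATE;
    # accepting anything else (e.g. alg "none") invites algorithm confusion.
    if header.get('alg') != 'ES256':
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    if header.get('zip') != 'DEF':
        raise ValueError('payload is not DEFLATE-compressed')
    if not header.get('kid'):
        raise ValueError('header has no kid to select a JWKS key')
    if len(b64url_decode(segments[2])) != 64:
        raise ValueError('ES256 signature must be 64 bytes (r || s)')
    # wbits=-15 selects raw DEFLATE, i.e. no zlib or gzip framing
    payload = json.loads(zlib.decompress(b64url_decode(segments[1]), wbits=-15))
    iss = payload['iss']
    if not iss.startswith('https://') or iss.endswith('/'):
        raise ValueError('iss must be an https URL without a trailing slash')
    return {
        'kid': header['kid'],
        # the spec puts the issuer's keys at <iss>/.well-known/jwks.json
        'jwks_url': iss + '/.well-known/jwks.json',
        'payload': payload,
    }


def build_sample_card():
    # Constructed stand-in for a real card: a spec-shaped header, a payload
    # shaped like the CDPH one, and an all-zero 64-byte signature that no real
    # verifier would accept. The issuer URL and kid are made up.
    header = {'zip': 'DEF', 'alg': 'ES256', 'kid': 'example-kid'}
    payload = {
        'iss': 'https://example.invalid/creds',
        'nbf': 1624036526,
        'vc': {
            'type': ['https://smarthealth.cards#health-card'],
            'credentialSubject': {'fhirVersion': '4.0.1'},
        },
    }
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)
    body = json.dumps(payload, separators=(',', ':')).encode()
    packed = deflater.compress(body) + deflater.flush()
    jws = '.'.join([
        b64url_encode(json.dumps(header, separators=(',', ':')).encode()),
        b64url_encode(packed),
        b64url_encode(bytes(64)),
    ])
    return numeric_encode(jws)


if __name__ == '__main__':
    info = check_jws(numeric_decode(build_sample_card()))
    print(info['kid'], info['jwks_url'])
    print(json.dumps(info['payload'], indent=2))
```

The first eight digit pairs of the real card above (56 76 29 09 52 43 20 60) decode to "eyJ6aXAi", the base64url of the opening {"zip" of the header, which is a quick way to confirm a scanner handed you a card and not something else. Rejecting any alg other than ES256 before key lookup is the one check worth copying into a verifier of your own: the jwks lookup in the code above is keyed by kid, and a token that names a different algorithm should never reach it.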

Good on California for coming up with a reasonable and efficient system5! I look forward to using it in the future to be able to go to crowded places and feel confident that I'm not putting my un-vaccinatable son at risk. Hooray!

1

Mine is more than 1600 digits!

2

This line says, basically, install the package at https://github.com/Roguelazer/pyjwt.git from the "deflate" branch, under the name "pyjwt", and with the optional feature "crypto" to enable cryptographically validating tokens

4

I assume this is what the "vaccine.coding.system" and "vaccine.coding.code" fields are supposed to represent, but these are not human-friendly and http://hl7.org/fhir/sid/cvx is a dead link.

5

And, particularly, good on California for doing so without doing anything deeply stupid involving blockchains

More ModeRNA: Vaccinated (part 2)

Yesterday around 10am, I got my second shot of the ModeRNA COVID-19 vaccine (unsurprisingly, I got my first shot four weeks ago); at this point I'm in the countdown to be "fully vaccinated"1. So far, the side effects have been pretty mild:

  • I was maybe a little tired yesterday afternoon
  • Yesterday evening I had an elevated temperature of 99.7°F, but no clinical fever
  • This morning my arm feels like I lost a really intense game of Punch Buggy

I know the pandemic is nowhere near over and people are dying by the thousands around the world, but I'm certainly happy that my chances of serious illness are now very close to zilch.

Speaking of the pandemic being nowhere near over, let me just say how bizarre I find last week's CDC guidance on face masks and social distancing... 48% of the US is currently vaccinated, with some states as low as 33%. Even here in Alameda County, only 60% of eligible adults are vaccinated so far. I've been spending the last year watching an endless sequence of men2 who certainly were not vaccinated refuse to take any precautions; now the CDC is saying that I'm all of a sudden supposed to trust that all the newly-unmasked people around me aren't in the 40% who haven't gotten vaccinated? Yeah, right! I know that I, when I am fully-vaccinated, will not be at much risk, but I'd rather not risk that my infant son join the increasing number of pediatric COVID-19 cases. I'm glad that California is being a little more conservative and waiting until June 15th. It's a damn shame that nobody was able to figure out a reliable "vaccine passport" system yet3; Mozilla has a good article on how this could be done that, unfortunately, I don't think any US state will ever bother to implement.

As usual, stay safe out there, readers.

1

"Maxinated"?

2

This has been an odd observation that I've made all throughout the pandemic: at least where I am, it's almost exclusively men who won't wear face masks. My wife and I have a game where we count how many couples we observe while walking where the apparently-female person is wearing a mask and the apparently-male person is not, and we never fail to see at least one such couple.

3

No, the insane "IBM Blockchain"-based New York Excelsior Pass proposal doesn't count.

What's on TV (May 1, 2021)

Just Finished

For All Mankind Season Two. This season had a lot of slow moments, and more of Karen than I really wanted but holy shit did those final two episodes deliver. If you've bought an Apple product in the last couple of years, you get this for free, so you might as well watch it!

Half-Way Through

Babylon 5 Season Three. I'd never seen any B5 and $SPOUSE and I decided to watch it over lockdown. It's pretty fun seeing how much DS9 stole from this show. My main complaint is that I don't really care about any of the human characters and really just want to watch the "Londo and G'Kar screw up the galaxy" show.

Just Started

Mythic Quest Season One. We're always on the hunt for a half-hour comedy to watch during nap-time, and this one's pretty good. Unlike Silicon Valley, this doesn't remind me of my day job too much. Came into it expecting Danny Pudi to be the main draw but Charlotte Nicdao really steals the show. Season Two comes out in a few weeks!

Vaccinated (part 1)

As of yesterday morning, I've gotten my first shot of the ModeRNA1 COVID-19 vaccine!

I'd been trying to get an appointment since Berkeley opened them up to all adults on April 9th, and had no luck until 3am on Friday morning, when I managed to get one of the spots released by the CVS near my house (they were all gone a few minutes later). I was surprised to find when I arrived at CVS that, despite the intense competition to get vaccinated, supply is so tight that they were only being issued 10 doses (one vial) per day.

It's so frustrating that vaccines are still so hard to get here, and yet doses are sitting unused around the country. I don't know what the solution is to convince rural Republicans to get vaccinated, but I hope someone comes up with something to prevent the ultra-conservative parts of America from serving as a breeding ground for weird SARS-CoV-2 variants.

Anyhow, while I'm writing a post on COVID-19, here are some fun links:

At this point I'm kind of vacillating between optimism that we're all going to be vaccinated and safe soon, and deep pessimism that the right wing media echo chamber has created an insurmountable barrier of misinformed people with a near-pathological antipathy towards science and public health; even if we do make it through this pandemic, the next one is going to be some real Dark Ages shit.

Fun stuff.

Stay safe out there.

1

ModeRNA is such a cool name for a RNA vaccine company; I refuse to use their new boring brand capitalization of "moderna"

Surprising behavior in GNU tar

Here's a fun game for you: what do you expect to be the state of the filesystem after running the following commands in an empty directory on a Linux system?

$ touch foo:bar
$ tar -cpf foo:bar.tar foo:bar
$ rm foo:bar
$ tar -xpf foo:bar.tar

Do you expect the directory to contain the files foo:bar and foo:bar.tar?

What if I told you that instead the directory would only contain foo:bar.tar and stderr would say

tar (child): Cannot connect to foo: resolve failed

Yep! It turns out that GNU tar, if passed a filename containing a colon, treats the part before the colon as a hostname and attempts to connect to that host over rsh to download the part of the file after the colon. If you're not familiar with it, rsh is the completely-insecure predecessor to SSH. It's been at least 20 years since any reasonable system has shipped with RSH. This behavior is documented in Chapter 9.1 of the GNU tar manual but nobody I polled had ever heard of it.

Anyhow, GNU tar has a --force-local option to disable this behavior. If you ever process tar files whose names you do not completely control, or which might for some reason contain a colon, you should pass --force-local before every invocation.
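Two small pieces of POSIX shell, added here as an example (my code, not from the GNU tar project or the post): a check that flags archive names GNU tar would parse as host:path, and a wrapper that always passes --force-local so the archive is pinned to the local disk. The demo function repeats the exact command sequence from the post inside a scratch directory and prints "ok" only if foo:bar comes back intact; it assumes a GNU tar on PATH, since --force-local is a GNU extension.

```sh
#!/bin/sh
# Returns 0 when NAME contains a colon and GNU tar (without --force-local)
# would therefore try to reach it as host:path over rsh, 1 otherwise.
# Conservative on purpose: any colon counts, matching the behaviour shown above.
looks_remote_to_gnu_tar() {
    case "$1" in
        *:*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Drop-in replacement for tar that never interprets the -f argument as remote.
safe_tar() {
    tar --force-local "$@"
}

# Re-run the post's four commands through safe_tar in a scratch directory.
# Prints "ok" and returns 0 if the colon-named file survives the round trip.
demo_roundtrip() {
    dir=$(mktemp -d) || return 1
    (
        cd "$dir" || exit 1
        printf 'hello\n' > foo:bar
        safe_tar -cpf foo:bar.tar foo:bar || exit 1
        rm foo:bar
        safe_tar -xpf foo:bar.tar || exit 1
        [ "$(cat foo:bar)" = hello ] || exit 1
        echo ok
    )
    status=$?
    rm -rf "$dir"
    return $status
}
```

If wrapping every call is impractical, GNU tar also reads its default options from the TAR_OPTIONS environment variable, so exporting TAR_OPTIONS=--force-local in a build or upgrade script gets the same effect; the check function is still useful for rejecting or renaming colon-bearing uploads before they reach tar at all.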

An enterprising security researcher could probably have a lot of fun experimenting with vendor crap like security cameras and routers that take tar files with user-controlled filenames for firmware upgrades and see how many of them can be persuaded to establish a rsh shell to some attacker-controlled device...

I miss working from the office

I went into my office yesterday for the first time in a few months to pick some stuff up. We got notified a couple of days ago to get any personal property out of the office before Thanksgiving or else it'd be thrown out, so I guess we're moving out of the office. It was a pretty eerie place to be; even now, 8 months later, most people haven't been back and it kind of looks like the entire office was abducted by aliens in early March.

Despite how weird it is, I still miss working out of the office.


Summertime California Sky

It's 9:45am on a cloudless Wednesday morning here in summertime California.

[image: apocalyptic orange skies]

My light meter reads 14 lux pointed directly at the sky — about as much as the middle of the night (with local light pollution), or about 1/1000 as much as a normal morning. They tell me that the skies are this apocalyptic shade of red due to the smoke from the 16 major wildfires currently burning in California1. Local news has plenty to say on the cause if you want to read up. Damn if it isn't disconcerting to live through, though.

What world did I bring my son into? Remember, this is probably going to be one of the cooler years over the next century... Vote, friends. Vote like your lives depend on it.

1

Including the LNU Lightning Fire Complex at 375,209 acres; the SCU Lightning Fire Complex at 396,624 acres; the CZU August Lightning Complex at 86,509 acres; and the Creek Fire at 163,138 acres. And also the El Dorado fire at about 9,600 acres, which is notable because it was sparked by idiots who should not have access to pyrotechnic devices... or children.... Collectively these fires are burning an area twice the size of Rhode Island.

A Son!

Hello hypothetical readers; sorry for my absence, but I've spent the last weeks pretty well busy — as I foreshadowed in May, I have a son now!

[image: baby isaac]

It's been quite an adjustment. Isaac was born on August 7, 2020 after a very long1 labor, but he's happy and healthy now. I got 3 weeks off of work, which I spent with my wife doing intensive child care. Let me tell you, I have a whole new respect for single parents. Caring for an infant with just the two of us (since none of our families or friends can visit or help out due to COVID-19) is hard work. He needs to be fed every 2–3 hours, changed every 0.1 – 3 hours, and while he does sleep a lot, it's not really the kind of deep sleep where you can just put him in a crib and do other work. As of a couple of days ago, I'm back at work2, but my wife still has six or so more weeks of parental leave. We're still trying to do our best to spread the load, which means I'm spending most nights up all night3. Again, much props to all the single parents out there. Also: much props to grocery delivery. Things would be a lot harder if I had to gird myself against the pandemic and spend an hour getting groceries every time we ran out of something.

I guess you should prepare yourself for lots more baby pictures in the future.

My son's delivery was at the nearby hospital, which is owned by Sutter Health Group. Sutter Health also owns every other hospital in the area except the Kaiser in Oakland, which is only accessible to people on Kaiser insurance. I'm noting this first because, like most people in America, we didn't have any realistic choice about what hospital to go to, unless we were willing to drive to a different county (potentially an hour or more drive with traffic to get to UCSF).

Keeping in mind that Sutter Health has a monopoly on delivery centers in the area, you can imagine my surprise when we received the first bill for the delivery, in the amount of $103,736. No, that's not a typo. Nope, it's not missing a decimal point. One hundred and three thousand dollars. More than the average Californian makes in a year before tax. Yes, I have pretty good insurance and they're covering most of that4, but Jesus Fucking Christ, we were in the hospital for less than a week, in a labor & delivery ward (no ICU, etc) and had no unusual procedures performed. We weren't even in a very good hospital; there was a concerning level of dirt and grime, the cafeteria wasn't open on weekends, and a scary amount of the medical equipment was broken and had to be replaced during our stay. The doctors and nurses (especially the nurses) were good, but we spent maybe a total of four hours over the entire stay interacting with a doctor, and until the very end over the delivery5 we only saw a nurse once every two or three hours6. This isn't exactly concierge care!

I was always in favor of socialized medicine, but after seeing how (a) awful the care is, and (b) how incredibly, comically, expensive it is for a hospital stay that basically every human being goes through, I just want to take a moment to offer an emphatic middle finger to every Roger-Ailes-brainwashed voter and politician who's kept us in this nightmare system of private medicine while the rest of the world moved on to treating medical care as a right instead of a privilege.

1

49 hour

2

with "flexible hours", whatever that means, and still working from home (due to COVID-19)

3

I mean, not technically all night, but he tends to only sleep for 30-90 minute stretches during the night then want to eat and be burped and whatnot.

4

How much of that? Who knows! Some parts of the bill are "out-of-network" even though everything was done at an "in-network" hospital and it's not like anyone gave us choices over which doctors or nurses would perform specific procedures. A bunch of stuff is also missing, and presumably will be on some subsequent bill. I expect to end up paying somewhere between $2,000 and $20,000 out of pocket for the entire thing.

5

They give you a dedicated nurse once you pass the 36 hour mark, I guess?

6

In the L&D room, my wife was hooked up to a bunch of monitors because she was on pitocin and they require continuous monitoring of pulse, fetal pulse, blood oxygenation, and blood pressure when someone's on pitocin. Those monitors were connected to an old-school continuous feed printer and just generated a constant stream of paper containing her stats. That printer ran out of paper every 3 hours or so, at which point it would emit a piercing beep and flash bright red. Every time this happened, we would have to page the nurse to have someone come change the damn paper because apparently it's not a high priority that we're having a very loud alarm go off right next to my wife's head while she's in labor, and they have a policy of not pre-emptively replacing the paper before the alarm goes off. Separately, the pitocin or ringers bag would run out every few hours and need to be replaced. For the first day or so, the only times we saw any medical staff would be to introduce themselves at shift change 3x a day, and to come in after we paged them when these damned alarms were going off every few hours.