We made it up to three non-working lamps in the house, and re-wiring them can’t be that hard, right? I have had a lot of trouble finding the supplies online, though - Amazon must have them but the search terms eluded me. Anyway I found Grand Brass Lamp Parts which was perfect, and the search terms are set wire with molded polarized plug and lamp holders. They have a knowledge base/faq section that tells you the names of the parts you need and other good details. Despite the items being reliable, UL-listed stuff, their prices are lower than amazon. Overall great, except that they don’t own a world-eating order fulfillment empire, so their fast shipping is expensive.
Speaking of pretty things, I ran across a couple of lovely articles on the history of computers in art and design. The first one, by Amy Goodchild, is a review of early techniques of computer-assisted art, starting with cool patterns people made on oscilloscope screens, and touching on computer-randomized dance, computer automation of physical sculpture, and many more concepts. It’s great to see how early some ideas were tried. Looking forward to the followups that will go into the 70s and beyond.
We had computer-assisted art, so continuing on that theme of greater possibilities of humans + tools or humans + humans, here’s a nice statement of a hunch that I had as a teenager:
The joke version goes thus: I believe in a supreme being, in that I think beinghood is closed under union, thus the set of all beings has a superema (a maximal element).
As a teenager I thought about this kind of thing a lot for a while, for instance I rephrased renowned deity Jesus’s “where two or three are gathered in my name, I am there among them” as “God is what happens when two or three are gathered together.” That seemed a little glib, but I went with it for a while. I was reading Hofstadter and relishing the word “emergent.” I remember explaining it to some adult, and they rephrased it as “oh, it’s like all of creation singing together” and at that point, the glibness level overwhelmed me and I abandoned the thought. But I’m glad to know that someone is having interesting, related ideas, and developing them farther than I ever did!
When you’ve got structures of information flow that are much larger than small friend groups, for instance churches or corporations or governments, they are hard to comprehend or hold to account. So much so that some people date the putative Singularity not to some moment in a decade or two when Artificial Intelligence closes a loop, but back to the start of the Industrial Revolution. Here is a great article by Henry Farrell that argues this point and also touches on Large Language Models and oppression. (When you look at the header image, RLHF is Reinforcement Learning with Human Feedback, a fine-tuning step they do to large language models).
The article also mentions Seeing Like a State, so Farrell joins MacIver in the club of people who have read that book and then written articles that I really appreciate. The book is rumored to be a slog, but maybe I have to read it sometime.
OK, I’m done with segues, here’s what else has been on my mind:
Take a look at your smoke detectors. Do they look yellowed? They are too old. They stop working as well after ten years, even if you keep replacing the battery. Also, you can now get detectors that detect smoldering fires WAY better than traditional ones. I realized that the previous occupants of my house didn’t replace the detectors at their 10 year mark, so most of mine are 20 years old! I’ve started replacing them with dual-detector (photo & ion) models.
Let’s Learn Everything is a podcast I just discovered that’s been a delight. I consume a lot of nonfiction-as-entertainment, and this is fresh and nice! (via)
My computer’s wifi broke out of the blue, didn’t work after rebooting and powering off. Taking my laptop apart, removing and reinstalling the wifi card did the trick though! There’s no trick like an old trick.
During the powerful winter storm in the Midwest late last December, apparently it was too cold to operate a lot of natural gas power plants! We avoided more blackouts because wind energy really came through (it was awfully windy). There’s a system in place to reward resilient generation capacity, and penalize if you say your capacity is resilient but it isn’t. The link is an interesting Union of Concerned Scientists blog post about the whole thing, and the natural gas power plants’ attempts to evade the consequences.
A lot of the failures Lochbaum highlighted over the series felt like pretty normal industrial facility problems that could be controlled by good management, but weren’t. IIRC the UCS’s position is that nuclear plants can be run safely, but that some are clearly run more safely than others, and that the regulators are way too lax with the low performing operators.
I’m not a MeFite myself, but they have RSS feeds of best and popular posts that are consistently interesting to me.
Speaking of RSS, I am still leading that Google Reader lifestyle, with Feedbin and the Reeder app. Updates from sources I choose, in beautiful reverse chronological order. It’s very nice and I recommend it!
Cory Doctorow wrote a scathing article about how “gig work” companies twiddle the amount they pay workers on each job: they lure workers in with high payouts and then taper their pay down to the lowest amount each worker will tolerate. Algorithmic wage discrimination - really sickening.
Two nice interviews about Aardman’s stop motion productions (e.g. Wallace and Gromit) - Adam Savage and Wired
Safety sign generator. I don’t understand why people aren’t more excited about this. My wife and I used it to make safety signs of like a dozen in-jokes, an hour well spent.
I re-read five of the six main Queen’s Thief novels - it turns out that blasting through the audiobooks almost one a day is a little too fast, and the sixth one was a bridge too far. But the series is still great, I’ll get back to the last one soon. Audiobooks are nice when gardening.
as soft as the first, sweet like an apple (apologize)
This is the month I became aware of Mr. Blobby - wow
I’ve been watching through Ben Eater’s series on building a 6502 CPU into a minimal computer. 6502 assembly language is gloriously easy to understand, and he does a great job of going from simple to complex one step at a time. His series on USB and on the “world’s worst video card” are also nice.
Music from the Demoscene - click Listen in the upper right. There are so many bad tracks in the world, it’s nice to have a streaming station of 90% good ones.
Different types of panning demo - Increase stereo image - Dave Rat, a sound guy from huge acts like RHCP, has a youtube channel. I’ve been watching his videos about making live sound work better - maybe someday I’ll run sound for contra dances again, and it would be fun to try his tips like these, or double mic’ing, etc.
Tax Heaven 3000, a dating sim that does your taxes (my taxes are done in a much more sedate way but this is pretty funny)
Cheating and going back to earlier this year -
A Marxist View of Tolkein’s Middle Earth (via metafilter) - “J. R. R. Tolkien’s fantasy world is a medieval utopia with poverty and oppression airbrushed out of the picture. But Tolkien’s work also contains a romantic critique of industrial capitalism that is an important part of its vast popular appeal.” Wouldn’t call myself a Marxist but this was very interesting
TikTok’s enshittification - this seems to have a lot of explanatory power for how online spaces grow and die
Google Authenticator’s Export functionality produces a QR code. You can scan the QR code with another copy of Google Authenticator, to transfer the Time-based One-Time Password secret to a new phone for example. But if you want to use it in another context, it’s annoying and tricky. For example, if you need to authenticate in order to run automated tests, you can’t be getting your phone out each time your CI job runs.
These instructions are for a Debian-based Linux machine.
Click the three dots menu in Authenticator, choose Export, and select the accounts you want to export
Run zbarcam-gtk and point your computer’s camera at the QR code displayed on your phone
Copy the URL at the bottom of the window
Paste it somewhere and delete the prefix, QR-Code:otpauth-migration://offline?data=
Open Python3 and run:
from urllib.parse import unquote
import base64
with open("secret.proto") as out:
out.write(unquote("the rest of the decoded QR"))
Back in the terminal, run protoc --decode_raw < secret.proto
rm secret.proto
Copy the thing that looks like \123WE\012 etc – the binary representation of the TOTP secret – not including its quotation marks.
Back in Python, type
base64.b32encode(b"PASTE HERE")
You should get back a bytes object that’s all letters and numbers. That’s the TOTP secret, encoded in base32.
Now, any time you need a one-time password, you can run
oathtool -b --totp the_base32_secret
This is less secure than your phone, e.g. your secret will be visible in your shell history file. But it can be worthwhile in certain cases.
I did it this way because I didn’t know what TOTP desktop apps were trustworthy or would send your passwords to Nocturnal Aviation Associates. I figured these tools were low-level enough that they wouldn’t be scams?
When cotton was first introduced to Europeans in medieval times, they were mystified. What was the source of this marvelous material? Theories abounded. For a time, the source was thought to be ‘the Vegetable Lamb of Tartary’—a plant with tiny sheep on stems bowing down and grazing the undergrowth. One can only imagine how they thought all those tiny sheep were shorn.
E’en round the Pole the flames of love aspire,
And icy bosoms feel the secret fire,
Cradled in snow, and fanned by Arctic air,
Shines, gentle borametz,1 thy golden hair
Rooted in earth, each cloven foot descends,
And round and round her flexile neck she bends,
Crops the grey coral moss, and hoary thyme,
Or laps with rosy tongue the melting rime;
Eyes with mute tenderness her distant dam,
And seems to bleat – a vegetable lamb
I decided that this lovely misconception needed to be set to music. It’s in iambic pentameter, so I looked through Hymnary by meter and found Magda by Ralph Vaughan Williams to be suitably tender.
So! Here is the sheet music (revision 5) if you would like to sing about this earthy plant-beast. Maybe you can use it in a concert about… misconceptions? Exoticism? Evolution? Fabric? Sheep?
The sheet music is licensed CC-BY 4.0; I would love to know if you use the music, my email address is in the footer. Error reports also welcome.
Engraving by Sir John Mandeville, 14th century
Borametz, Barometz, and Borometz all seem to be valid names. Also Scythian Lamb. ↩
Back in the 90s, before Le Chiffre made asthma inhalers cool, my mother taught me how to tell if my Proventil canister was empty. If there was any of that sweet sweet albuterol left, it would float vertically in water, but if it went horizontal it was empty.
Apparently, in the years since I was a wheezyboy, inhaler technology has advanced a bit. Modern ones have clockwork contrivances to tell you how much is left, which I have to admit is convenient.
I got curious about its inner workings, so I pried the whole thing apart and took pictures. Click through to see!
I like this laptop a lot! It comes with a Chicony power supply, 19V 3.42A 65W. Those are easy to find, but you have to get the right barrel connector. The nominal outer diameter of the barrel is 5.5mm, the nominal inside is 2.5mm. The tip is positive. I ordered this power adapter from amazon, and the brick part is exactly what I got from System76. The barrel fits correctly except it’s a couple mm too long, which I don’t mind. If that link is dead, try searching for “chicony toshiba satellite 19v 65w.” I like supporting System76, but not quite enough to buy replacement AC adaptors from them.
My case screws keep slowly working out somehow, which is annoying. The screws are M2 by 5 mm long if you need to order them. This screw assortment included them.
Welcome back! I’m rehabilitating and taking control of a Waters Network Systems GSM-2112-POE 12-port managed Ethernet switch. You can check out part 1 or part 2 if you feel like it.
In case you don’t feel like it, I’ll sum up where we are in the story: my current Ethernet switch has no character and isn’t rack-mounted so much as rack-zip-tied:
I expect to need more than its four power-over-ethernet ports. I’ve bought a high-quality but decade-old switch from eBay for pretty cheap. The people who sold me the switch did not do a factory reset, and I don’t have the admin password. My attempts to hack the thing over the network have failed up to this point. They could possibly be successful eventually, but they seem like an annoying amount of work. I have bought the cable to go from my USB port to this Serial console on the back of the box:
Okay, I hook the new cable up between the Serial port and my laptop. How do I actually talk to it?
In my youth, my daddy taught me to use a program called Kermit to dial into some computer at his work so that I could read rec.pets. Fond memories, and Kermit is furthermore a great name for a program, but alas: I now find it 100% incomprehensible. GNU Screen seems to be the actual thing to use.1
The baud2 rate 57600 comes from the manual. Here’s the command line to connect and start interacting:
sudo screen /dev/ttyUSB0 57600
And rebooting the switch gives:
Read system parameters from IIC EEPROM...Done!
BIOS v1.07
BIOS(0)> ................................................
.........................................................
............Now booting image...
Followed by the normal login prompt - the login isn’t any different from what I see on telnet. But hey, the BIOS(0)>. The > looks like a command prompt? Yes actually! Apparently you have to be quite speedy, there’s only a few seconds grace period, but after a few tries:
BIOS(0)> help
===========================================================
BIOS Command line interface HELP
===========================================================
help : Help for bios command.
ls : Display the bios command list.
sysconf : System parameter configuration.
flash : Flash Device Utility.
load(r) : Excutable image download[load] & run[loadr] at free memory area.
boot : vLinux Boot Loader can be selected.
dump : Memory Dump Command.
sys : Usage : sys {model|mac{0|1}|prod|ser|hard|mech|ram|flash|show} value .
look : look ext 0 , 1 ,2 .
fill : fill memory (4 byte) .
sdram : SDRAM test .
p1 : p1 {0|1} GBIO Port 1.
rd : rd block sublock reg
===========================================================
BIOS(1)>
Cool! You love to see the text-based tables, for one thing. But more pertinently, it looks like if I created a bootable firmware image, the BIOS would let me load it onto the switch using TFTP and boot into it! So how do I do that?! Actually, it’s not super easy.3 So I put this possibility in my back pocket for now. Another interesting thing we can see here is the name RubyTech. I asked Jeeves, and RubyTech is apparently a Taiwanese supplier of private label network equipment. Presumably it’s where Waters bought the hardware?
I poked around the menu a while longer, which I’ll spare you. The most useful thing turned out to be the memory dump command:
Well, cool - we can see the memory in hexadecimal format. That page doesn’t actually mean anything to me yet, but there’s got to be good stuff in there if we look through everything! At last, a clear direction - time to start hackin’, baby! That’s what real hackers say, right?
Here’s a script using pexpect to start the serial communication and interact with the BIOS menu to record everything to a file, memory_dump.txt.
Assuming you’ve got a Python 3 virtualenv env with pexpect installed, and the script is dump_memory.py, you’d invoke it as sudo env/bin/python dump_memory.py. Once the script is started, you would Reset the switch.
importpexpectimporttime# Start communicating with the switch
child=pexpect.spawn('screen /dev/ttyUSB0 57600')# Tell pexpect to record one side of the conversation -
# everything the switch sends to the laptop - to a file
child.logfile_read=open('memory_dump.txt','wb')# This means to ignore everything the switch sends to us,
# UNTIL we get the '> ' - the BIOS command prompt.
child.expect('> ')time.sleep(0.1)# Start the memory dump at address 0
child.send('dump 0\r\n')# Keep sending Space every time it's done printing
# a block of memory
whileTrue:child.expect('Next Memory Address View')time.sleep(0.1)child.send(' ')
I run it for a while - maybe an hourish? At some point, I notice that it only seems to be reading f8 3f 50 05 over and over and over again. This pattern seems to start at the 20 megabyte boundary (0140 0000 hex). There are a few other bytes thrown in, but this seems boring, so I stop the process.
I don’t want to deal with this as hex, I want to make it a binary file so that I can unzip it if it’s zipped, search for strings, and so on. So I write another small python3 script, to separate the lines with hex data from the lines with BIOS(0), the instructions, and so on, and then convert the hex to the binary characters it represents:
out=open('memory_dump.bin','wb')# Example lines this will deal with:
"""
000000e0:000000ef 00 00 00 00 00 00 00 00 - 00 00 00 00 60 83 21 9c
000000f0:000000ff f8 3f 50 05 60 00 00 04 - 50 00 08 24 4c 00 09 25
===========================================
= 1. Next Memory Address View![Any Key] =
= 2. New Address Input![N] =
= 3. Exit [Q] =
===========================================
00000100:0000010f 00 00 00 00 00 00 00 00 - 00 00 00 00 13 02 04 a0
00000110:0000011f 00 00 00 00 00 00 00 00 - 00 00 00 00 60 83 21 9c
"""forlineinopen('memory_dump.txt','r'):# Exclude lines with only instructions & stuff.
# There's also all kinds of control codes and junk
# in there, but I ignored it and it didn't
# seem to matter?
iflineandline[0]in'01234567890abcdef':line=line.strip()# The sections of the line are separated by double spaces.
# We don't care about the address or the dash, just the
# first and second sections of data.
addr,first,dash,second=line.split(' ')out.write(bytes.fromhex(first))out.write(bytes.fromhex(second))out.flush()out.close()
So I’ve got a 20+ megabyte binary file - what is in there? I have seen people do pretty wild stuff to firmware images with a program called binwalk, so I install that and set it loose. Unfortunately, it misidentifies basically everything. Nope, that’s not a stuffit file, and that other thing isn’t 7zip. I don’t know. It doesn’t do it for me.
Presumably there must be a kernel in there, and possibly file data, but I don’t get as far as figuring that out, because strings turns out to be the only analysis tool I need. strings is a basic Unix tool that looks inside a binary file for parts that look like text. I spend a bit of time paging through the results, but eventually I get bored, and search for admin, the administrator username from the documentation. Boom!
admin
adminpass
guest
guest
0.0.0.0
0.0.0.0
public
private
I had been expecting a normal Linux /etc/passwd or shadow file entry like admin:$1$YjOzcqrf$Zqx4sx5CQRuEIFCdOLAJV0:0:0:admin:... but no, it seems to be sitting there in plain text, no password cracking required! Sure enough:
If you’re doing this on your system and the memory layout is identical, then you should just have to dump one block, starting at 0x011b0400. This switch has the concept of two independent configurations, one that’s used when rebooting and another that can be made active by a command. So that you can really screw up the temporary config, and when everything goes to hell, reboot the switch and everything should be peachy again. Anyway, I did see another copy of the user/pass data at 0x013b0400, two megabytes after the first copy, so maybe that’s how this double config thing works.
Anyhow! Yay! The switch is mine now! My naming scheme for computers is names of fictional musicians (e.g. Jake and Elwood Blues), plus fanciful stage names of real musicians (e.g. Tank Slagknuckle and Stellar Tellar).5 So, I’m pleased to introduce Mr. Fabulous:
Mr. Fabulous been doing strong work for a month or two now, and I’m very pleased. I set up a VLAN for some of my Internet of Shit devices, and the switch’s port mirroring capability made that very easy to debug. The switch’s extremely beefy-looking internal power supply has had zero trouble taking care of the four powered devices on my network - I’ve never noticed the switch get perceptibly warmer than ambient temperature.
Given the one to two decade old network security of the switch’s web interface, I’ve placed that off in an inaccessible subnet, and I do all my admin through the serial console. Just because I’m too lazy and simpleminded to hack this thing over the network, that doesn’t mean everyone is.
Thanks for reading!
Why is Screen a serial communication console as well as a window manager and a bad process supervisor? IDK, I slightly resent Screen. Give me Tilix any day! Except the day I need to talk to a crusty ol’ serial console. Humph. ↩
Re: data transmission, check these videos out if you want to be fascinated, or this paper if you want to be both fascinated and bored! ↩
It’s not the real one, since I told you too much about the institution the box came from. The real password had an air of sadness though. ↩
I made an exception for this switch’s predecessor. I thought that since it was a Power over Ethernet (PoE) switch, it should be called Edgar Allan. But I bet everyone with a PoE switch thinks the same thing :-/ ↩
Its management interface was locked and I didn’t know the password
Good Fans
For problem 1, the solution was obvious: new fans. It needs two of these:
The OEM parts only seems to exist in odd places now, but the concept is universal and cheap: 5 Volt 40x40x10mm fans. PCs use 12 Volt versions, you have to be careful to get 5V. And match or go under the watts of the existing item. I bought Noctua NF-A4x10 5V fans, with 3-pin connections. This worked fine, except that the original fans’ power connectors appeared to be wired backwards from the new ones. WTF wat. I checked with a voltmeter and yeah.
The helpful Austrians at Noctua anticipated this kind of problem, and sent some solderless, insulation displacement connectors and plenty of adaptors and extension cables. This let me fix the wiring without destroying anything actually connected to the fan. The connectors, the transparent orange thingies flopping around below, work great, but only if you squash them COMPLETELY. My fingies, my hands, and even I’m ashamed to say my teeth, were not sufficient to close them and make a good connection - pliers are a must.
The fans are quiet! One reason they’re quiet is that they’re lower power than the old ones, but with only three Powered Devices attached, I’ve never noticed the switch get hotter than ambient.
A weird thing is that I’m 80% sure the fans blow in opposite directions. The one you can see well in the video is an exhaust fan, but I think the other one blows on the “lee side” of the PoE power supply, so that it isn’t becalmed.
Bad Hax
Anyway, that accomplished, it was time to attempt to gain control. The switch’s model number is Waters Network Systems GSM-2112-POE. Here is its manual. As it arrived, I did not even know its IP address - I tried pinging its factory default, but no dice.
To find what it thought of as its address, I connected to it with an ethernet cable and ran sudo tcpdump -i enp38s0f1 (the latter being the name of my wired ethernet device apparently). This worked, it considered itself 10.216.0.210. I set my laptop up as its neighbor, .209, added a route, and sure enough I could ping it now. Time to telnet!
That’s from their manual - it looks so easy! But the default admin/admin login was not in place. I dejectedly tried passwords like admin, nimda, root, toor, wizard, 12345, qwerty, asdf, zxcv, xyzzy, hunter2, and so on, but alas: nuthin.
I poked around for a telnet password brute-force program, and found Hydra plus a list of the 10k most common passwords. I set it going, but it turned out that the telnet service on the box was not actually reliable enough to brute force very well. Apart from actual failed logins, it would also just disconnect pretty often.
I had noticed that if you fail to login, it will eventually provide you help:
Please keep the serial number and contact the sales representative !
213-034101000022-1
L2 Managed Switch - GEPoEL2-SW12
Login:
This implies that there’s some way to reset the password over the network, maybe over telnet or maybe with a magic packet of some kind, computed from the serial number? Without anything more specific to go on, I didn’t feel like investigating further. I did try actually contacting sales, but Waters Network Systems’ sales staff did not get back to me despite my polite and complimentary e-mail. All the phone numbers I tried from the web site were disconnected. I tried hard in google and found a current office for the company in a town called Hayfield: it does seem to exist still, but I was making progress on other fronts so I never did manage to get in touch.
Inside the case are two jumper switches, and on the outside is a Reset button. I thought maybe it would do a factory reset if you cross your eyes, remove one jumper, hold Reset for 22 seconds, and pray to Saint Dunstan (patron saint of locksmiths)? I tried every combination of the jumpers and the button I could think of, but no joy.
The switch runs its management web site on thttpd 2.0.4, which was released in 1998.
But there could still be web app vulnerabilities! Command injection! Arbitrary file reads! That would also be right in style for 1-2 decade old software! Even before I logged in, some of the pages would load skeleton versions with no data. But I was having a heck of a time guessing more than a couple page names, and the manual frustratingly did not show the URL bar on the screen caps. One feeble exception:
At this point, I ordered a USB -> db9 serial cable. I hoped that the console port on the back would give me more privileged access.
My old Asus wireless router was done. Dropped connections, Drawfee constantly interrupted, the black box physically hot all the time. Hardware fault? Crypto miner? Unauthorized host of copyrighted videos and malware? Who could say? I felt the pain, but an excitement was also brewing: A chance to Do It Right, read, obsess, crawl on my belly like a reptile (under the house with Ethernet cable). Yes. r/HomeNetworking shot up the ranking on my new tab screen. (I poked my head briefly into r/homelab before deciding that honestly I do have limits). After a discernment process, I bought a lightly used UniFi ensemble, and the calm blue glow cheered my heart.
I made what I felt were elegant loopies going up to my patch panel.
But what is someone who buys the fanciest system and then… stops? The boring kind of nerd. They have no ambition, only purchasing power from a good job in IT related fields. I thirsted for something more. Something rack-mounted, yeah, and old. Something inscrutable. But something supplying power over Ethernet, because a separate PoE injector is inelegant. And not 100 megabit, hey, even our Comcast is faster than that.
Many fresh faces stared at me from eBay. But too fresh.
BVTech, gadish!
Netgear, at least it’s metal
TRENDnet, entertaining that the status LEDs’ arrangement has no relationship at all to the row of ports
The Cisco Catalyst and HP ProCurve stirred me a little more.
Gigabit is cheap, actually, in the used market, and so is PoE. But the combination is both expensive and bulky. I realized that almost all of the charming ones were a few inches too deep for the tiny network rack I’d bought from a German roboticist in a police station parking lot outside Indianapolis.
Frustrated and increasingly frantic, I returned to the very, very end of my eBay watch list, to a box that had caught my eye a week earlier. Waters Network Systems, you say? Who the heck is that?
A sheet metal office in a Minnesota town literally called Hayfield!
A blue metal case with noisy fans, for $50 OBO. Pulled from a school in Boca Ratón but currently living in Brooklyn. Yes. This is the level of mystery I want in my life. Gigabit, PoE, AND it fit the rack with whole inches to spare. I bought it for $45 plus shipping, and it arrived strong and blue, four days later.
The fans had the shottest bearings I ever did hear.
And the management interface was still password protected. The Reset button wasn’t that kind of reset button. Por favor, get excited to hear how I beat down these obstacles! You can now read part two, in which I fix the fans and don’t quite own the switch, and part three in which I break in!
as soft as the first, sweet like an apple (apologize)
%20%E2%80%93%2065W%20%E2%80%93%20802%203at%20813076025507%20eBay.png)
BVTech, gadish!
Netgear, at least it’s metal
TRENDnet, entertaining that the status LEDs’ arrangement has no relationship at all to the row of ports
