Blog

A while with Google Chrome

A few months ago, I decided to give Chrome a spin for a while. I started out by simply using it to do simple searches on Google and reading articles.
The next step I took was testing it on apps such as facebook and twitter. Then, I progressed to Gmail and complex web apps.

In the following sections, I will outline several pros and cons of Chrome, with some audio examples using NVDA.
/I am exclusively an NVDA user, and thus I never use Jaws, so please don’t ask me how Chrome works with Jaws, because I haven’t tested this. I know how to use Jaws, but just simply do not have a need for a commercial expensive screen reader in my day to day life.

As of June of 2017, Chrome accessibility can be described as mostly sufficient for day to day use, with a few caveats, which are being fixed. In some ways, it is better than Firefox, although it is certainly rough in a few areas.
However, a massive quality control checkup is needed on some areas, as outlined.
Also, keep in mind that Firefox has more than a decade of actual users beating on it and battle testing it, but now has a lot of legacy code that is going to make for some pain in the near future, for a while with the switch to multi process support. Firefox being an old codebase means that it is less buggy, and fantastic, but it also lags in some areas. on the other hand, Chrome is a newer codebase, and has been multiprocess from the start. More on this later.

The benefits

Speed in large complex web apps:

Simply put, Chrome outperforms every web browser in large web apps. If I take Firefox for a spin with Google drive it is very easy to notice lag.
If I press down arrow in the files list, Chromes response time is a lot faster.
This is an audio demo of Firefox, Chrome, and native Google drive.
In Facebook, Chrome is better for speed. I don’t have an audio demo of this, because I don’t want private info from Facebook being exposed to people. However, the effect is not as heavy.
Anecdotally, Twitter seems also faster when navigating from tweet to tweet, although less so than in drive. However, Chrome has other issues on twitter, which make it impractical, and I will discuss that later.
The moral of the story is that Chrome outperforms other browsers in most spaces, at least where speed is concerned.

Security indicators.

One of my favorite things about Chrome is that if you press shift+tab from the address bar, you are placed on a menu with security info. If you press the menu button, a panel expands with a dialog explaining the security settings, and anything this site has asked you permission to use, and the status of whether you granted it permission.
This is very accessible. I was honestly surprised by this. It is very nice.
Also, I get the different level of security indicators such as this site being verified as a company, or just secure, or even no security. (There should be a label of insecure or mixed security on the mixed security menu IMHO).
One of my annoyances with Firefox is as a blind user, I am forced to go view the certificate for this from the page info, and this is painful, and leaves many less experienced users vulnerable to phishing. The padlock is simply not accessible, and the “green” isn’t shown in any way.
I hope that when Google warns users if they put data into a form which is insecure, that this is made accessible, and alerts the user in a similar way to that which we get currently. It doesn’t seem this is blatantly obvious in canary, but it should be in the label of the form or such, so users don’t miss it.
My only annoyance with this is the Google official page seems to not explain this to a screen reader user as well. (In that menu click learn more to see what I mean). They should say what the alt text of this menu is, rather than just the color of the padlock.

accessible extensions bar

The Chrome extensions bar is accessible.
In Firefox, most less than advanced NVDA users, and the clear majority of JAWS users simply can’t get to the addon bar. It requires object navigation with NVDA, and has no built-in keyboard accessible way to get there, and arrow along it. This has always annoyed me, because there should certainly be a way with the keyboard to get to the descriptions 3.
In Chrome, this is a breeze. You simply press f6 from a web page, press tab or shift tab (Either will eventually work), and you are on the bar of extensions.
From here, you can press the arrow keys, do the twist, and eat cake. (Okay, those last two are obviously a joke and a fair bit random, but all people have been commanded to have fun in life, otherwise, they will turn into a prune).
Once on the extensions bar, arrowing along it lets you move to each extension, and you can activate each extension by pressing its button (Assuming the extension is accessible). My only complaint here 2 is that the Chrome bar doesn’t allow you to use single letter navigation.
Firefox doesn’t offer any way for keyboard only users to focus extensions list, or the Firefox menu for that matter (IMO this is a serious shortcoming).

Very simple UI.

The Chrome UI is very simple. For beginners, it gets out of the way.
This is one of the best things about Chrome. I am used to a browser with tons of menus, so it was very weird at first, but it made me realize how little I use the random features that are scattered about. Chrome has most of them still, just not as surfaced.

Shortcomings or annoyances.

Well, those are my noteworthy features. Here are some annoying things. Note that I list general bugs, but I don’t go into super detail on every little bug, because Canary is so rapidly improving that if I list bugs and say every little bug that annoys me, the list will be out of date in a month. That is indeed a good thing.

Chrome live regions are broken.

10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 0 said Twitter, but alas, I didn’t know!!!
What? twitter is accessible right? Yes, Chrome live region support is broken still in some ways. Some live regions don’t read, and some of them read twice. Aria-atomic is ignored sometimes, and other times, Chrome reads and spells live regions multiple times. In short, this part of Chrome is being worked on and badly needs love.
In a test I did, adding text to pages with innerText and innerHTML yields different results.
Aria-atomic is ignored completely, (It might be fixed in canary based on last minute tests I performed, but there are other broken cases), and acts differently based on the insertion method.
No one supports aria-relevant (From the SR side) so I didn’t test this.
Also, role=”alert” is very different than plain aria-live, and Chrome isn’t marking role of alert with “alert” roles in the IA2 tree.
I need to file a ton of bugs with Chrome for these cases, but I wrote up an aria-live workout page to test things with 3.
there are several controls on the page. The pages divided into 2 major regions, the first is to test polite live regions, and the 2nd is to test assertive live regions.
Within each section, there are many controls.
there are buttons to update the live region for each subsection with the innerHTML and innerText methods, and there are buttons to do each of these things 10 times (to see how well it does at updating the live region multiple times).
The atomic ones should speak hello and then the unique number.
finally, the toggle button which says ” toggle ouch” toggles an alert being thrown every 2 seconds which says ouch. This is designed to test whether the browser properly is working with the alert role.
every time a button is pressed on the page from the regions other than the full-page controls, the status bar updates. The status bar should be treated as a live region as well.
this page is not user-friendly, it’s simply something I wrote so that I can make sure I understand what’s going on before I filed bugs to fix live region support.
in short, this test page that I wrote is giving me the ability to test Chrome live region support against other browsers and the aria spec, and make sure it is working as intended.
when using Google Docs with NVDA in Chrome Canary, the experience was quite decent, even though these applications use lots of life regions. This was after a few bugs were hunted, so the experience will probably be less than stellar on the stable version.

editor bugs

every browser vendor ever has hated doing editors. Editors are extremely hard to get right. After all these years of accessible Firefox and constant effort to make it better, we still don’t have a bug free editor. This is no different in Chrome.
when I say editor, I mean the edit control and associated code for making such things as typing into text fields and complex rich edit support work.
this problem is hard to solve, because there are simply a ton of edge cases. There are no shortage of editor bugs in Chrome, and most of them are very hard to reproduce, which makes reporting them a challenging task. Fixing these bugs is an ongoing job.
I’m sure this will get better over time, but do not be surprised if blank lines report as full of the text on the line before them, or such.

Quality control help needed

Google needs to have stronger accessibility policy in the quality control department.
It is the case that dialogues all over Chrome, (and other Google products) have unlabeled buttons.
This has always been the case, and it seems to happen more with Google products than with other major companies.
It is also common for new apps to be released with tons of easy to fix and easy to catch accessibility bugs, which could be fixed by giving all employees accessibility training and baking awareness of accessibility into developer culture, no matter what role a developer plays.
for a company this size, I am surprised and very disappointed that something as important as the extensions dialog and download manager have simple accessibility bugs such as unlabeled buttons.
A lot of these simple problems, such as links with base 64 encoded gobbledygook text, can be detected with automated testing tools, and could be caught before they ever go live.
Lack of page structure should be caught in code review, and a user should at least be testing core dialogs such as history for usability.
A strong accessibility policy can rocket a company towards fixing these problems. I urge that a strong accessibility policy is implemented in the next few years, which helps to address some of these problems before they ever arise.

Download manager

the download manager has an unlabelled button after each download.
When enter is pressed to download a new file, there is no feedback given to the user that file download is in progress, and until the user presses F6 a few times to land on the new area of the screen which popped up, the user will be clueless to the fact that this exists.
Once a user is in the new download area, they can tab to the controls in it, but the button to open the downloaded files more options is not labeled. Also, it is not clear to the average user that pressing enter on the download will launch the file (potentially causing trouble if it launches an executable program or such).

extensions store

The extension manager’s main page is accessible. However, installation of extensions is where the roses die.
Trying to install an extension is like drinking an entire soda at once. It hurts.
the tabs (I assume) on the top of the page with extensions, apps, and such, are simply links, where a list or tab control would make it feel more like an app.
There are radio buttons, which are half checked labeled “and up”.
Worse, is a very weirdly labeled set of links on the homepage. Snippet below.

klejemegaoblahjdpcajmpcnjjmkmk...
ngghlnfmdgnpegcmbpgehkbhkhkbkj...
kcahibnffhnnjcedflmchmokndkjnh...
lomnfkdphjhajchdfmimbipjciepnn...
kmmpkhpajpecmpdmmbpjmkmcmfdahk...
klejemegaoblahjdpcajmpcnjjmkmk...
ngghlnfmdgnpegcmbpgehkbhkhkbkj...
kcahibnffhnnjcedflmchmokndkjnh...
lomnfkdphjhajchdfmimbipjciepnn...

This is an excerpt of a chunk of the links on this page which I see.
Along with this, are a myriad of unlabeled links, a complete lack of structure for the entire page, and no headings.
From a usability point of view, this page has no value whatsoever for a screen reader user in its current form, other than the search field.
If rated on Wcag2, it isn’t even level A compliant, not even close. I can’t list everything needing fixed here if I want to, because I don’t know what is being presented.

Other notable page quality control issues.

  • The history page is a structure desert too.
    The same is with the bookmarks page.
    These two pages need a complete accessibility rework.
  • The settings page has seen some love in the last few months. If you still see problems, report them.
  • Some dialogs can’t be read in browse mode, and that issue just got triage, so I know it’s being investigated.
  • There aren’t labels for access keys in the menus.
  • lately, right click menus don’t gain focus when the apps key is pressed. This issue was tracked, and triage.
    However, it was a regression and hasn’t bubbled out of canary, so that’s good news. [5]:

Developer tools

The Chrome Dev tools is not accessible enough. As a developer, I understand that some people depend on dev tools for their job. If dev tools aren’t accessible, a blind person can’t develop for Chrome very easily.
It may be the case that if a developer can’t read the JavaScript errors on their page, they lose their job. I really think dev tools needs careful thought at being fixed in Chrome, and that it isn’t sidelined as a low priority issue, because a recent stack overflow survey found that almost 2% of developers are blind, and only 4% of despondence of the survey chose to disclose their disability. 4
If I as a developer (In that two percent) cannot debug my code, I lose my job. If I lose my job because the dev tools aren’t accessible, it is quite frustrating, degrading, and not pleasant, aside from the fact that blind developers face lots of other challenges getting a job in the first place.

Conclusion

Chrome is becoming a great competitive browser for screen reader users, and it is doing this in leaps and bounds. We have progress to make before it is a polished experience, but finally, there is competition in the accessible browsers market. I am very excited to see accessibility in Chrome now, (Back in the old days, when dinosaurs roamed the earth, and I was a boy, it had no accessibility at all). Jokes aside, I will continue to monitor Chrome closely, and keep using it, along with Firefox, on a daily basis.

The Objects: AutoPropertyObject

In this first article, I will begin doing a deep dive into NVDA’s design. I will explain the most base object common to many components, and how it is used. I assume you have familiarity with the NVDA development Guide, and the Design overview.
Starting at the bottom of the inheritance hierarchy of objects you’ll find NVDA using all the time are the AutopropertyObject, of AutoPropertyType. I aim to give you a basic understanding of how to utilize the full power of AutoPropertyType, butt understanding its source code is an exercise left for the reader of NVDA source code, or advanced developers with an intimate understanding of how python works internally.

AutopropertyObject

Okay, what’s this AutoPropertyObject?

class AutoPropertyObject(object):
    """A class that dynamically supports properties, by looking up _get_* and _set_* methods at runtime.
    _get_x will make property x with a getter (you can get its value).
    _set_x will make a property x with a setter (you can set its value).
    If there is a _get_x but no _set_x then setting x will override the property completely.
    Properties can also be cached for the duration of one core pump cycle.
    This is useful if the same property is likely to be fetched multiple times in one cycle. For example, several NVDAObject properties are fetched by both braille and speech.
    Setting _cache_x to C{True} specifies that x should be cached. Setting it to C{False} specifies that it should not be cached.
    If _cache_x is not set, L{cachePropertiesByDefault} is used.
    """
    __metaclass__=AutoPropertyType
...

What in the world is this meta=AutoPropertyType?
To explain this, let’s bring out the NVDA Python Console! Fire up a browser, ensure NVDA is in browse mode, and type this in. Ignore the >>> stuff, that’s the prompt as you probably know by now.

>>>type(focus.treeInterceptor)
<class 'virtualBuffers.gecko_ia2.Gecko_ia2'>
>>>type(type(focus.treeInterceptor))
<class 'baseObject.AutoPropertyType'>
>>> type(type(type(focus.treeInterceptor)))
<type 'type'>

Um … so the type of the tree interceptor (More on those later) is of type virtualBuffers.gecko_ia2.Gecko_ia2. However, things are strange. the type of the type is not type! But it’s type’s type’s type is type.
Most python types are of type type. However, the meta class, which is indeed an advanced topic beyond the scope of this article, changes the type of an object. it’s metta of.
What’s happening here is that virtualBuffers.gecko_ia2.Gecko_ia2 inherits from this AutoPropertyObject with some number of other classes sandwiched in the middle of this hierarchy, thus, it takes on the type of AutoPropertyType. This ‘type’ exists to create some special behavior in the core objects NVDA uses. So let’s discover what AutoPropertyObject does.

The magic starts here!

Assuming you aren’t familiar with python properties, here’s a ten second crash course.
A property is just like a variable, but with magic hooked up. Let’s assume we have a class Rectangle. We instantiate a rectangle with sides 5 and 7, with an area and perimeter.
Let’s get some properties from it.
Here’s class Rectangle.

class Rectangle(object):

    def __init__(self, length=0, width = 0):
        self.__length = length
        self.__width = width

    @property
    def length(self):
        return self.__length

    @length.setter
    def length(self, length):
    if length < 0:
        raise AttributeError("In this universe, rectangles are tangible thingies.")
    self.__length = length

    @property
    def width(self):
        return self.__width

    #Same method name yes, but we have two arguments, so overloading.
    @width.setter
    def width(self, width):
        if width < 0:
            raise ValueError("Negative widths result in invalid rectangles. Learn math, and try again.")
        self.__width = width

    @property
    def area(self):
        return self.length * self.width

    @property
    def perimeter(self):
        return self.length * 2 + self.width * 2

    #You can also use the property method, but that's considered homework for the user.

rect = Rectangle(5,7)
#Let's do stuff.
rect.area #35
rect.perimeter #calculates 5*2+7*2 and outputs 24
#Let's do some horrible things.
rect.area = 55 #ouch, this raised AttributeError? Why?
rect.length = 2 #oh, hey, it worked
rect.length #Hey, looky, it returned 2.
rect.perimeter #calculates 2*2+7*2 and outputs 18
rect.width #Hey, 5 came out.
rect.width = -3 #ValueError is raised. How neat.
rect.area #14 comes out. Wow, it computed that on the fly?

As you can see, properties can allow  us to control what happens when we ask for a value. We can ask python for rect.area, and behind the scenes, a function defined by the property called a getter is asked for the current value. (Getter: get the value associated with the property). If we do rect.length = 1000000, the properties setter is called with the value we want to set. This way, we can make a read only var, or control what val gets set, etc.

Basically, what autoPropertyObject, by way of the AutoPropertyType, does for us automagically, is allows properties to be defined with some fancy method naming. If we read the doc for this class, we see that functions called _get_x and _set_x are mentioned. Why? Also, what’s this caching about?

class TestFancyProperties(baseObject.AutoPropertyObject):
    cachePropertiesByDefault = True
    def _get_x(self):
        return getattr(self, "_x", 1)

    def _set_x(self, x):
        if x < 0:
            raise ValueError("Negative number? Um, I don't think so!")
        self._x = x

    def _get_xSquared(self):
        return self.x * self.x

 def _set_xSquared(self, x):
        raise ValueError("No! You can't change properties of math, not in this universe at least!")

See how cool that is? now, when we instantiate that, and do thing.x, we’ll either get 0, or the previously set x. If we do thing.x = 5, x will magically report as 5 from now on. If we do thing.x*thing.x*thing.x*thing.xSquared*thing.xSquared, you’d think that would be more expensive given that it calls into the _get_x function, right? No. It is actually caching the value of x for one core pump of NVDA. This is good, because thing.x being gotten multiple times will save us from calling the getter. In this example, that is a really cheap operation, but let’s assume that getter is getting the accessible parent of an object. That may easily be a COM call away. We don’t want to write code like this do we?

if self.parent and self.parent.windowClassName == u"window":
    doThingWith(self.parent.windowClassName)

If we do that without a cache, that might be 4 or 5 com calls. We can reduce that too 2 com calls with caching getters, and that’s done magically for us.

Take away message!

Basically, if you see a method _get_thing or _set_thing, remember that you can just say blah.thing and set blah.thing = “to a value”. Also, if you can’t find for example, how self.name is defined on an NVDA Object, that would be because self.name is really an AutoProperty. I have one last word of wisdom about AutoProperties (Or dynamic properties).

This is really really really important. I can’t stress this point enough. If I had known this when I started developing NVDA addons, I would have saved myself several hours of wishing I were not debugging silly errors. Any constructor you override, if the class derives from AutoPropertyObject, Must call super. Yes, you really really should always call super if you override something, but let’s face it. We’re all stupidly lazy. The goal of a programmer is 1. Write the least code possible, and 2. write the least comments possible explaining the code, so that we have job security in 20 years still (Hahahahahahaahahahaha boss, take that). Back to the important stuff. If you ever do make the mistake of forgetting to call super in a class that is derived from AutoPropertyObject, no matter how far down into the chain it is, you will get an error to the effect of “I can’t find _autoPropertyCache.” This is because it tries to cache things, but the cache is never created in the constructor.

I hope this was useful. Please feel free to contact me if you have comments or questions. I’m lazy, and can’t be bothered to deal with comment spam bots on this site. Sorry.

Life Lesson

One day came a breeze in a meadow at night,

That brought on a deep cold full of fright;

So dark and So damp,

It lurked and it ran,

Over the grass covered nulls and tree laden  hills.

as it spread throughout the low topped hills,

and swept across the grand green trees,

it reminded those in its path of the coming seasons.

It reminded the squirrel to eat while it can,

It pushed the dear to wrap up its mating at last,

Then left as quick as it came,

Leaving the meadows alive for a short span.

At last the meadow so sullen and silent,

became home for the weather to do what it shall;

With no brown tailed bird and only a stub for  a plant,

It dropped a blanket on the brown hills.

It then came and pounded the land,

With a vast amount of snow so grand,

Large game who now own the forest,

Can have a hearty try at their long awaited harvest,

Preying on mice that hide away,

Eating bone and meat the same.

On the creek valley floor a figure moved,

It seemed so alone but still not removed,

While it roamed through lonely willow filled meadows,

The mice ran away so scared underneath,

Trying to still stay snug in their burrows.

But they would and could never know,

That what roamed above on the carpet of snow;

Was not wanting to have at them for a snack,

It only wanted to have that first-place plaque.

At the end of the valley was a large town square,

A stand and microphone and a statue of a bear,

It lit up the night and welcomed its share,

Of people in large fur coats and brown fleece ware,

Who watched the people dogsledding to the square.

With magnificent ease and plenty of swag,

A team of five and no one in sight;

The first came in with a bark and a wag,

To a cheer from the crowd and a bang from the band.

Over the hill came the second team,

On top of the sled sat a wool covered guy,

He laughed at the sight of his rival’s golden metal,

For he knew deep down that only a miniscule sliver Was covered in gold that mattered.

When third arrived in the darkening town square,

A judge, king, and artist were there,

To cheer for the one who lacked his share,

Of dogs and training to see the crowd there.

The team, well they didn’t care,

For the bronze, they knew it was for them,

And the other shiny metals that glittered so bright,

Weren’t near as special as that team-building night.

A long ways away struggled the fourth placed team,

There were no cheers to be heard or waves to be seen,

The crowd had dispersed near an hour before,

But neither the leader, nor his dogs cared.

For them and the rest who struggled to that square,

None of them knew that the first place team had a loud fair,

They were happy where they ended up and proud to be who they were,

Untainted by societies abrupt call for the winner.

I ask of whoever reads these lines,

That you remember who you are,

You may not be the first-place team,

But be happy with who you are to be,

For your journey is worth a thousand gold’s.

The Bitter Sweet Autumn

This poem is meant to reflect on the sorrow of unexpected things that occur in life, and the process of coming to piece with ones self over the loss.

My Favorite poem I have written:

The bitter sweet autumn,

Bitter sweet autumn;

During the month of great pride;

In A week of enjoyment,

But the summer did end at last.

End of summer, end of summer, times shall change,

The day of change came,

A sad day;

sad day, sad day, depressingly sad day,

a harsh reality,

A reality of sadness and sorrow;

An unknown surprise.

A surprise, a surprise, a nasty surprise;

But on the other side,

Oh on the other side,

There was a spark of sweetness,

So Complex and so fine;

This spark of great wisdom,

It showed itself to all;

Oh spark of great wisdom, spark so majestic;

For all who did see it,

And for all who did not;

This spark of great wisdom,

It made itself shine.

It shined, it Shined, it fluorescently shine,

Over all the rest;

That sad little blip,

Oh how it was gone.

It was gone for good, and so was the summer,

It never came back.

The past, the past, that beautiful past,

It was gone for good;

And never came back.

Not a Template: A Poem on Disability

This poem was written for a poetry slam that i was going to attend. The poem was designed to explain my viewpoint on having a disability. The poetry slam was canceled for unknown reasons, but I decided the poem was worth publishing.

Not a Template

I am a person, not a thing,

Just like you, but I can’t see;

My eyes don’t work, that’s okay,

For it is who I am meant to be.

In the winter I ski, in the summer I bike,

I have homework, family, and live my life;

My friends help me, and I help them,

We write and sing a similar song.

My ears still work, they hear loud and clear,

My feet still tap to the beats of music;

My life is complete without sight,

I do not wish I could see.

When I introduce myself, I let people see,

That blindness is part of me;

I want to be myself authentically so the world may know,

I am not less because of disability.

Some of us sing loud and clear,

Others sing soft and sad;

We all have a message to tell the world.

I will speak my message so all may know,

It is my job to be me, and not a template.

To be one’s self can be hard at times,

The world wants us to be all the same;

Differences are glorified, then thrown away,

People love containers that brand us all the same.

containment is worsened by disability,

Stereotypes help the containers take their shape;

Breaking out of preconceived notions is hard work,

Sadly stereotypes seal the container of disability.

If I were a template of humanity,

I would be a boring one indeed;

For our differences are what makes positive change come to be.

Let me be myself,

And show the world who I am;

No containers shall seal me in,

For I will break out of them until the very end.

not a template of humanity,

Nor a template of disability;

I’m myself, uniquely so,

I’m myself, nothing more.

A Riddle in Poem Form

It is unknown to most,

Though Its correctness can be shown;

It is beautiful to some, and hated by the rest,

What is it?

It wants to be loved; it is a social thing,

If it were completely known some would go insane,

For many have gone insane over it already.

If it had a price tag it would be hard to calculate without using it, and it is priceless in many ways.

It cannot be quantified,

both tiny or massive,

In fact, it can’t be comprehended in full by the best of us.

The universe can’t show it’s true beauty at its fullest height,

If that were so, it’s beauty would be less so.

Time and space don’t exist to it,

Although it rules them so;

Love and beauty are made from it,

and it rules over them as well!

What is it?

Answer:

Well, I guess someone will love the problem of decoding this answer. Let’s hope that they are familiar with \t\s

The code is between the dashes.

—————————————-


—————————————-

Clues:

Well, I guess there are only n possibilities at this point,

And What about that email you got last night?

Cute cat, ain’t it?

Night

A poem about humanity, the universe, and hope. I like to think about the wheel of fortune when thinking about this poem.

night

If night shall fall to human kind and  dusk does befall us;

Our universe shall go on and make a new, But maybe not more lasting.

When morning did come to us; it came so slow and lazily,

For as the sun came up, it arose ever accelerating and kept itself from fading.

If noon has hit, I do not know,

For that is still being determined;

I indeed do know at least one thing,

This thing which shall be everlasting.

For whether noon has passed Or still to come,

A new day is a making.

In some other place where all is cold,

Some sparks are surely brewing;

If one spark shall set fire and create a new sun,

It’s a new day in the making.

A new day, a new sun,

A new sun, a great beginning,

For all to come from this new sun need only know,

They are part of something crazy.

When tranquility meets a brand new sun,

A force is then created,

The power this force brings is hard to stop,

Just like an angry rally.

Like a rally, the new force changes,

Shaping, Shifting, Splitting,

Sometimes taking hold and going  forth,

Yielding new creations.

New creations often yield,

Other better creations;

Once in a while they grow old,

fading back to  matter.

But just like day is sure to come, night is a mortal Dagger,

It brings down the finest days, and refreshes them forever.

Just as empires grow and fade, they never last forever;

Our world it seems has lived so long, the end will come someday surely;

If all is in this endless cycle, there is one constant to be sure of;

If matter cannot be created nor destroyed, hope exists in matter;

Some still say that all is doomed,

Others are more optimistic;

None of that matters a sliver,

When hope changes never.

Hope is ever lasting,

So all is fine, all is grand,

Beauty can come from dark and damned,

For nothing is ever certain.

For even our god; oh does he sing,

To the waxing and waning of the universe;

A star grows up,

Another dies,

But always something happens.

Heaven and Hell

Intro

If hell were to exist, what could it be,

If hell were to exist, who would it please?

Hell is a place where all are tortured,

a loving and good god would not invent that!

Sadness and sorrow exist to us humans,

If our god exists and we worship him,

We must give recognition of his pain of our sorrows!

Hell is not real,

These lines explain;

Hell is not consistent with god’s moral values.

Message to the sophists (those  who use hell to make their point)

Sophists pass hell from generations before,

They believe in hell falsely.

sophists and their follower’s,

believe in hell blindly,

beliefs which come from a simple misunderstanding.

If you are a sophist, do not take offense,

This is not a ridicule,

It’s a proof of no hell.

Hear my words, believe in heaven.

Hell in its current form

Hell exists and all get punished,

Hell tortures all, at and a god lets it be;

That god punishes all, even the good,

He punishes on belief, not on lively goodness.

Why that god should be worshiped is a mystery.

The problem with Hell.

Hell is a terrorists friend,

Hell is the elite’s mental torturing post,

Do not believe in hell,

Humanity needs forgiveness, and so does our god.

The words I say are not absolute truth,

I speak my mind, without deep knowledge of religion.

An evil king choose who went to heaven and hell,

A king invented hell to scare the masses;

He Modified the scriptures to scare non-believers,

He abused his power, just like they do today.

Middle ages went by, as people purchased a place in heaven,

They paid to gain access,  they truly didn’t believe.

The master to his slave says on hot summer’s day,

“You’ll go to hell you retched slave,

Do your work, god gave me authority;

I believe in him,

I’ll go to heaven surely;

If you do your job for me until you die,

You’ll go to heaven forever where all is good.

If you fail to slave for me ,

you’ll regret. For eternity;

You’ll have worse than now,

Slave, you’ll be sad forever.

I am gods will, I am powerful.

You’ll burn forever,

Retched slave,

While I live in comfort;

It’ll be  like right now.”

Hell is anti-religious,

Here is why;

Religion is power when forced upon those against will;

Hell is a way to oppress the uneducated,

Hell makes everyone cringe.

Hell, and hell’s power,

Often scare children;

Hell works to convince people of falsities.

Why it exists in the modern age,

Why hell can flourish among educated free humans?

God created the universe and set it free,

we wish to believe he is good and loving;

We should not tell our children they will burn if they don’t believe.

Believe in heaven

The purpose of religion was to unite us all,

Religion cares for the poor and gives us hope;

Those of us who believe in heaven,

We must stand big and tall;

Help the poor and unite us all,

God wants us to do this for them all.

A loving god shall except us all,

We shall be rewarded for good and moral deeds;

To help the poor is to help god,

For he is part of us all.

To believe in hell is to pain the great god,

It is our moral authority to enlighten them all,

That Heaven shall except us all;

If Heaven will except us all,

Why don’t we?

How I rolled two factor authentication for ssh access to the server that powers this site.

Update: some details in this post are out of date. I’m not running the same hardware I was when I wrote this now, and converted to systemd.

SSh and two factors (or more) of authentication.

Best practices in IT security dictate that to harden a computer against attacks, one should require a user to enable two-factor authentication. In a two factor authentication scheme, the user who is submitting credentials to a service must submit two different forms of proof they are who they claim to be. (Note that by service, it is most often thought of as a website, but in this case the credentials are to the ssh demon). In my first blog post, we are going to explore possible setups for deploying two factors (or more) of authentication to the ssh demon, such that a user must either provide ssh key, or password. Then they must provide two-factor auth from google authenticator. My current setup is running on a Digital Ocean droplet, and is the cheapest option available (512 mb ram and 1 cpu core and 20 gb ssd storage). I am running Ubuntu 14.04 lts, and have an nginx server setup behind what I am protecting with two-factor auth. It is being used to serve the website you are reading.

Background:

In IT security, two-factor authentication is commonly known as a scheme where you harden a system by ensuring two forms of authentication. Usually you want something you know (password, SSH Key Password) and something you have (SSH key in encrypted form, google authentication codes, biometric thing, Yubikey or smart card). This is what I call the “something you know and something you have” rule. If possible, you need to (either by policy or by technical measures) force the something you have rule. It is hard to do by policy because let’s face it, people are lazy and don’t want to get their phone out to prove the something you have part.

Pre recs

You will need a Linux distribution (any UNIX should work, but I have only tested this on Ubuntu Linux). To keep consistent with what I have, disable root login over ssh, and ensure you have a firewall enabled but allow port 22 (or if you changed the port ssh is served on use that port). I also am using public key auth with an ssh key and a strong ssh key password. I also have sudo privileges on my regular account so that I can upgrade myself to root for any commands or use super user. If you disable root login without enabling sudo privileges for your account you will not be able to use the root account again and you probably don’t want to do that.

Warning:

Keep an extra ssh session open right now before you start. Do not log out of this ssh session or if you break things you may end up trapping yourself out of the server and there will be no idiot switch to enable ssh again. (Have fun using the machines real console). I had two ssh shells running, and logged out of one when I was done, and didn’t log out of that one until I knew things were working properly. Also backup the files I ask you to edit, just in case.

Let’s get started

First things first, (obviously) ssh into your server.

Required packages:

Now, get the packages for google authenticator. I assume you are not running as root and thus use sudo.

$ sudo apt-get install libpam-google-authenticator

Setting it up:

Now, run the google-authenticator command in the context of every user you want to have access to the server. I didn’t use match in the ssh demon file, and therefore, two factor is enabled for all users. There are ways to selectively use two factor for only certain users that I didn’t show. If you need to run google-authenticator as bob and you are logged in as root I think you can use the su command. Up to you to figure out that one. Alternatively, before continuing, make all users of the system run google-authenticator and follow the prompts. Do not continue until all accounts are secured with two factor.

$ google-authenticator

It asks if you want time based codes. I recommend you answer yes.

It asks if you want the config written to your ~ directory. You must answer yes.

Now it will display a qr code (maybe) a secret key, and some rescue codes.

Copy all the rescue codes down somewhere safe. Copy the secret key somewhere safe as well. Note that the rescue codes are your get out of jail free cards. If you lose them and lose your phone with google authenticator on it, you are locked out for good. (In other words, if you lose them change your secret key by running this step again).

Enter the secret key into google authenticator.

IMPORTANT: In order to make the something you have part of two-factor auth work, I really don’t recommend using a two-factor authentication app on the pc you are SSH’ing into. This basically removes the point of two-factor authentication because the something you have is gone. Use a phone or separate PC. Phones are nice because they really are something you have.

Now enter what you wish for these prompts.

When all is done, you should have a  .google_authenticator file in your user directory.

$ ls -a ~ | grep google

If it prints .google_authenticator you should be good to go.

Edit the config files

Use your favorite text editor for this.

$nano /etc/pam.d/sshd

Add this line to the file: For future reference, anything in triple quotes should be added or edited.

“””

auth required pam_google_authenticator.so

“””

One tutorial I saw said to add this to the top, but I added it to the bottom after it failed to work properly. This is just including the shared object (library) for google auth.

Now edit

/etc/ssh/sshd_config

$ nano /etc/ssh/sshd_config

If the ChallengeResponseAuthentication exists, set it to yes. Otherwise, add the appropriate line. Note it may be commented.

“””

ChallengeResponseAuthentication yes

“””

I now added this line to that same file.

“””

Authentication Methods publickey,keyboard-interactive

“””

This sets up a chain of events. If you don’t want to use a public key (I recommend public key crypto over passwords always), then don’t do this, and be aware that if someone logs into the machine with a public key, two factor auth won’t work because it is going to assume that if the user has a public key, they don’t need to enter a password and two factor token.  Log out and try logging back in and see if it worked. If not, you should not log out of the other ssh shell.

Typical chain of events:

  • User Malinda gives her username.
  • SSH shell asks her for public key challenge. Her client provides the appropriate key.
  • Since she is a good and security conscious user of her computer, she is required to type in her ssh key password before the challenge is complete.
  • Now she is asked for her account password. She provides it.
  • The system now asks her for a two factor auth token. She complies.
  • If the two above pieces of information are correct, then she is in. Otherwise, access denied, it asks for password and two factor auth again with no indication of password or auth was wrong.

Other Notes:

If you have a Yubikey, there is a Yubikey module At the Yubikey page. I haven’t played with it because I don’t have a Yubikey.

It is possible to disable password auth altogether so it just requires username>ssh_key>auth_code but I didn’t do that. To do so, see

https://sysconfig.org.uk/two-factor-authentication-with-ssh.html

Also, if you are a company with needs for high security or have multiple (pesky) humans to enforce two factor auth with, you can better enforce the two factors of authentication if you use the Yubikey. This is because it is much harder to install an application to do the second factor of auth. A Yubikey is a physical device and thus is truly something you have.

Enjoy!

Weather app

This is a web app implemented with django that aims to present weather data in  a simple format. I host this on my website running in a django instance. I currently am copyrighting this under the GNU agpl license because I want anyone who wishes to see my code to be able to see it. The core of this app came from a python based command line weather app I wrote to play around with the dark sky companies API. see developer.forecast.io for more info on the quite nice weather API they provide.

how it works:

It uses the native javascript location api to get the users current (quite precise) location. It then loads the weather data requested asyncrinously through ajax. On the back end, I am using post requests and a simple api located at /weather/forecast. Logic decides which subpage to load based on the parameters given in the request. I would do this differently if I rewrote this, it’s a pile of junk how it works, but it was my first web app, so hey. The front-end presents most things textually. I may use the platform I have built to explore audio representations of weather radar. I built a little hacked together weather chart where I map tones to temperature and volume to chance of precipitation. I might explore using 3 dimensional audio and other factors to represent weather phenomena in a audio weather map, for once giving the blind the ability to see oncoming rain storms or threats from thunder or just to look at the next hours radar like a sighted friend might.

URL:

https://django.derekriemer.com/weather