My Github: Why the emptiness?

I recently got an ask: why is my github relatively empty? I’ve worked on a lot of fun stuff, and I seemingly fork a lot of things that end up sitting there. Well the easy answer is to say that most of my work is in private repos / gitlabs. But that doesn’t cover every case.

To start, I had a lot of repos on my public github that were made, and had basically nothing done. These are usually when we have an idea amongst a group of friends and in the early stage I’d throw up a repo to have it. They’d get invited and most of the time things fizzled out. Other projects to work on, or the idea just wasn’t there. But it acted kind of as an anchor to remember the project and toss things if we actually did anything.

But why the forks with no new commits?

The majority of it has to do with the nature of my consulting job. I have shop rights for some things, but not for all. Any time I need to tweak a project to make it work for whatever I’m doing, I typically try to fork it first. That way if I am allowed to push whatever it is back upstream, or want to, I can. More often than not I can’t. Either the code is disgusting and barely functional because I had to write it on the fly, or it would somehow get into murky legal waters between client and employer. Often they’re one-offs to do something that’s already an edge case, and often not valuable to upstream devs as they’d also become responsible for maintaining it if I pushed it. I like to write most of my code like I assume the next guy is a homicidal psychopath that knows where I live. However, in practice this is not always feasible due to time constraints. For example this project I bashed out in about 4-5 hours of panic after I was asked to save a botched project at the last minute: )

That’s an example of when I had more time than a lot of the tweaks and scripts I’ve used. I also made a config script and the README for that before I pushed it, as originally the client-specific secret was hard coded. That’s a project that I made for an edge case, but actually was usable outside my specific needs. In my work however, I’m more often trying to make tools work in client-specific cases, where either the need doesn’t exist outside their network or I’d be giving too much away by sharing it.

So most of the code sits, or gets scrubbed. I have a lot of personal projects on private repos still I’ve been mulling the release of.

The End of an Era

It is with a surreal sense of melancholy I announce that on July 15th, 2020, I will be shutting down the last of our user hosting. It has been a long, winding journey for my peers and me. The research projects and personal things will continue here, but it’s time. There are a few branches at the root of this decision: the departure of customers due to their own ends of operation, prospectives that do not follow through with basic requests for information such as amperage requirements or IP justifications eating time I could spend elsewhere getting a serious client, and ultimately COVID causing an inability to spin up new customers. This marks the end of an era for me, and I’ll spend the rest of this post looking back on this journey.


Lavabit Disconnection

(Updated 2020-02-09 2418 UTC; see bottom)

This is a post I was wondering if I’d ever have to write; the time when I have to disconnect a customer ungracefully.

Earlier this week a spammer cropped up on Lavabit. This would have been a routine situation, except I haven’t had contact with Lavabit through support, abuse, or Ladar in quite some time. There is an SLA requirement per the peering Acceptable Use Policy (AUP), in this case 72 hours, to resolve spam issues. There are many ways to resolve it (locking malicious accounts, resetting passwords for compromised users, better filters). However, without any support contact, and the proprietor incommunicado, I faced a difficult decision.

If I do not disconnect a customer who causes an AUP problem, then Hacking & Coffee assumes the liability on our entire allocation with our BGP peers. I can’t risk the other customers, and general operations, when a situation like this arises.

With Ladar in an unknown status, and no other valid contact points for technical and AUP issues, the decision was made to disconnect the service when the 72 hour window expired.

I hope that the contacts turn back up, and I can turn back on the IP range but even after the disconnect I still have nothing but silence quite some time later (13 hours as of this writing; for comparison a router reboot would get an incident RFI within 30min at any time of day).

As not just the hosting provider, but also as a fellow Lavabit user, I sincerely apologize to all the users of Lavabit for this situation. Having done code review and other contributions to the project since it started to spin back up post-Snowden, I feel like a project I cared about just vanished. I haven’t been involved outside of hosting them under my business for some time, primarily due to other commitments, but I had always wanted the project to flourish and launch the DIME protocol clients.

In the event communication is not re-established with the Lavabit contacts, I’m not sure how to proceed with the user data. Typically when a customer moves out I simply shred the drives and recycle the machines, however in this situation I hope data distribution may be possible. The machines are still running, so if the best happens I can simply reactivate the IP allocation. However, I have started planning for the worst given my current lack of information from Lavabit staff.



Proprietor for Hacking & Coffee, LLC


Update: Contact!

Contact was finally made with Ladar and work is being done to restore service.

Electrokinetic Acceleration with Pancake Coils

Recently at the Dallas Makerspace I had a bit of a crowd when retesting and calibrating my high voltage pulse system. We went through a few different applications, and the most entertaining is always the Pancake Coil Gun.


New(-ish) Mirrors & Infocon Mirror Rebuild

After review it seems that the Infocon mirror built up some errors due to a tracker problem, and an RSS feed problem that prevented torrent files from being replaced as needed. It is being rebuilt currently. RSS P2P clients are a pain to maintain, as none of the headless systems properly support it and, let’s face it, no one wants to tunnel X from a server if they don’t have to.

As for other mirror news, the CentOS mirror became official last week, and other mirrors are in progress in that regard. There are more on the way as well.


Red Team Laptop & Infrastructure (pt 1: Architecture)

I get a lot of questions about my laptop, ranging from “Windows or Mac?” to “do you have a preferred chipset for Ethernet NICs.”

Well, with the exception of “neither” to the first question, most things will vary. Rather than talk about specific hardware or version choices, I’m going to talk about Architecture; in future posts I’ll talk about specific ways of implementing my Infrastructure architecture for supporting penetration testing, but for now we will focus on the high level. This design is reasonably secure in the right hands, fast, and extremely flexible.


Unique Policy of Transferring User names by Telegram

Telegram has been around for a little while now, and its user base is growing. However, despite their attempts to be the secure system to beat out the larger social networks, they have one particularly alarming policy: They will transfer a username unilaterally from an established account to another.


24hr Review: Kodama Trinus 3D Printer

24 hour review of the Kodama Trinus 3D Printer:
In short: I love it as a rock solid, stable, and precise unit.
tl;dr pro/cons


Pros:
– very fast for a lead screw
– high level of precision
– most robust printer I have put my hands on (and that I can find) suitable for home use
– support for non-official slicers (like Repetier), along with the official Pango
– Support for customer extruders via generic stepper driver & control FET. This might as well be a generic CNC kit that happens to come with a print head. I see this having a large customization community once more are shipped
– Easy enough to use that I could recommend it as a starter unit for those who have never used one and can’t take a large learning curve
– preprogrammed SD cards are useful if you have repeat parts that need printing, but unless you have the LCD screen or another controller it will only be practical with one print set per card since you cannot select the file to print.

Cons:
– custom print head rather than tried and true RepRap model. This means that if they go under, parts may be hard to come by for things like worn nozzles. However, with the ease of integrating other extruders this may not be as much of a long term issue as some are working to port other print heads (even dual extrusion, though last I checked they had not finished this)
– smaller print area
– bed material choice of Acrylic for the default, rather than a heated bed support by default
– heated bed really was an afterthought (see notes below about motherboard comms)

Longer Description:
It may not be the fastest printer in the west, but it is running lead screws at 70mm/s with accuracy, and I am running 100+mm/s for simpler prints without any real issues.
The biggest gripe: the bed heater is not tied with the motherboard (I didn’t even get the heated bed option anyway for the time being. Since it is not tied into the primary controller might as well make one). Whilst the printer waits for the nozzle temp to be appropriate, it has no way of knowing the bed temperature before it starts the print. It also cannot shut off the bed after the print is done.
Biggest plus: the thing is rock solid; it is all steel and aluminium with no belts or gears. It doesn’t need bed levelling (smaller print size, with incredible design tolerances). I could travel with this thing and not have to recalibrate anything.
It is not too loud, but not the quietest printer either. Overall it does not seem to have changed too terribly since the pre-production reviews from during the Kickstarter. However, they did take in some backer feedback such as identifying the different Z-Axis leads in the documentation better. It also works fine with or without Pango, and since I may make a build server using a rPi will likely switch to Repetier in the long term.
I have printed 4 items with success, and two had issues. One of the two I tried to print without supports and that was a bad idea with a long bridge (and thus operator error). The second detached from the bed at a faster print speed and stuck to the head. I reprinted that one just fine by lining the bed with painter’s tape (planning to make a better bed either by A) better material than the stock acrylic, or B) just putting said tape down before prints). Regardless I feel I would not have had the detachment with a better bed surface.

I am currently procuring various types of filaments to play with in this unit, and so far have been mostly using standard PLA. I am also waiting on an order of more nozzles before I start doping metal printing since they may cause faster wearing.

Some sample prints:

batman spinner. Printed using Inland PLA @ 100mm/s, 210C, and .15mm layer resolution. For a simpler design such as this perfect for faster speeds.

37mm grenade holster. I needed a belt holder for grenades for my under-barrel launcher. Printed using Polymaker PLA (included with the Trinus, and sold through them at a discount to original backers). Run at 70mm/s @ 205C and .15mm resolution. It printed a belt loop without any issues.

What is really neat is that I didn’t even bother to calibrate this printer. It does not even have a bed levelling function since it is so robust, and the print area small enough that the bed itself would not introduce much in terms of error.




2 of 3 Tor Exits Suspended

Well, the upstream IP provider decided they don’t want the Tor nodes there for the time being (partially since they didn’t have an official policy… yet). My node in Canada is still operational, however the beefy nodes operating out of my DC are down for now. They plan to inform me within the next month or so of an official policy. If they form an official stance and allow them, then they will come back online (albeit with the same reduced exit policy).