Yup. One More Year

It's been another year… and what a year its' been.

The first six months of 2017 were filled with quite a bit of excitement, as my wife was pregnant with our first child.

Kyle was born on June 6th, 2016 at about 6 PM. That's a lotta sixes.

My employer gives six weeks of paternity leave, which was nice, as Angela tore pretty bad giving birth, and wasn't much use. So I took care of both Kyle and Angie for those six weeks. There were all kinds of things I thought I'd be able to do during paternity leave, and I accomplished exactly zero of them. In fact, I have no fraking idea how single parents manage. I had respect for them before, but I had to create a whole new category for them.

Kyle is a wonderful baby - very happy, and a sweet temperment. The most he really does is whine a bit - otherwise, it's hard to know he's uncomfortable. I've been blessed with a really great little boy.

Of course, I'm still a computer guy, and I have done a few computer projects lately…

Project #1: Secure my Life Better

Last year, I got a couple of Bit Babblers for true random number generation, so I can have more secure encryption keys. This year, I'm doing something similar:

The first thing that's interested me is a couple of USB tokens: The Yubikey and the Nitrokey.

Both are security devices: Both can act as an OpenPGP card, and store three 4096-bit RSA OpenPGP keys (Encryption, Signing, Authentication/SSH). Once the keys are put on the device, it can't be pulled off. Data is decrypted on the device, and sent back to the computer. (More accurately, at least in the case of OpenPGP: The key will RSA-decrypt the symmetric key that is used to encrypt most of the object, and pass it back to the computer for decryption.) It's nice because a physical device is required to decrypt email - adding some protection against key loggers and against a compromised machine. Both claim to be immune to BadUSB. Both have authentication capabilities, however in fairness, I've only explored the FIDO U2F supported by the Yubikey so far.

The differences: The Yubikey is tough: Completely sealed, and in two form factors (one is truly tiny). The Yubikey has a capacitive touch sensor (and LED) that's used to prove a human is really there (again, this provides key logger protection). The Yubikey also has support for FIDO U2F, OATH-HOTP and OATH-TOTP, as well as a number of password managers, and a Yubico OTP password. The Yubikey has got a lot of authentication options. The Yubikey is effectively a read-only device once RSA keys are transferred into it. No firmware updates. Unlike its predecessors, the Yubikey 4 is not Open Source - its maker claims its because they wanted to use a 'secure' single chip from NXP, and weren't able to have the design open source. Given the device can't be updated, there's not a lot to gain in being open source… Although the chip used by the Yubikey 4 is descended from a questionable chip used previously, it's hopefully a "best of breed" device.

In spite of the adage "Trust nothing" for computer security, at the end of the day, nearly all of us are required to trust: I'm not qualified to audit the source code and hardware even if it was available. The number of people on the planet who can is small indeed. I certainly trust it enough to buy & use it, because while I have formidable computing skills, this is totally out of my area of knowledge.

The Nitrokey is a slightly different animal: It's completely open source, and you can even download the KiCad pboard layouts, full firmware source, and so forth. It's far bulkier, and has a little end cap for the USB-A plug (which I haven't lost yet… but I'm sure it'll happen). The Nitrokey Storage model's firmware is fully upgradeable. The Nitrokey does not have a capacitive touch sensor, and doesn't support FIDO U2F. It does, however, have a few things that the Yubikey doesn't have: 8 GB of storage. Some encrypted, some not, and with the ability to create a "hidden" partition with plausible deniability. There are models with more storage, but 8 GB is enough for my "secure" storage needs.

I haven't really timed it, but the Nitrokey doesn't seem to be as speedy as the Yubikey at encrypting/decrypting email.

Project #2: Know the time

I've always been interested in having my clocks accurate. Ever since I became aware of NTP, I've always wanted to have a "Stratum 1" NTP server. What this means is that my NTP server is listening constantly to a highly accurate, true time source. These days, it means listening to an atomic clock.

I don't have the money to get or make my own atomic clock. (though the $1800 rubidium oscillator chip is tempting…). Even a modest OCXO is pretty pricey. Fortunately, there is a ready supply of constantly transmitting atomic clocks: The world's various Global Navigation Satellite Systems. GNSS receivers are pretty cheap, too. Combine that with a Raspberry Pi 3, and I've got a really good time source for about $100.

The GPS receiver I bought is able to listen to the current and planned GNSS systems: NAVSTAR GPS, GLONASS, Galileo, and BeiDou. At the moment, only GPS and GLONASS are fully operational; with BeiDou and Galileo slated to be complete in 2020.

So the satellite navigation receiver chip is able to listen to transmissions from several of the satellite's hyper-accurate atomic clocks simultaneously, and output a PPS (pulse per second) signal that's accurate to ~40 ns. (If I wanted to be a big spender, I could get a $120 "timing" GPS, which is accurate to 10 ns. Maybe another day…)

After hooking it up (following an extremely useful HOWTO by Eric S. Raymond), and no tuning, my little Raspberry Pi + GPS system is now accurate to about 34 µs, with a per-second precision of about 1 µs. Not too shabby. I hope to be able to get it down to the 3 µs achieved by David Taylor.

I've done some reading, and because the Raspberry Pi's Ethernet goes from the CPU to a USB chip, and finally out to a USB Ethernet (instead of directly from the CPU to Ethernet), it has far higher latency (and far more jitter) than some of its competitors. The BeagleBone Black can be wired up similarly to the GPS, but has a direct ethernet link, and about 3x better less jitter and 2x less offset and than the Pi. Having a direct ethernet link also means it's more practical to use the Precision Time Protocol, which would be able to sync the time of all my network machines into the sub µs range (compared with the millisecond range of NTP).