re: nyman

passbolt - reviewing password managers for organisations

Sun, 31 May 2026 19:26:18 +0300

Testing Passbolt

This is the first article in a longer series on testing password managers for organisations.

I’m looking for a new password manager for a smaller team. While I will start focusing on open source and EU based alternatives neither are strong requirements.

Conclusions

While it looked promising from the start, backend by a well funded company that has been around for 10+ years I ran in to so many problems that I stopped trying.

The main issue was not lack of features (I never got to that part) but rather that the UX was really bad and I ran into issues which prevented me from completing my testing.

Below I have documented my attempt at creating an account, logging in on another browser profile and on the iOS app.

While this write-up is a bit rant-y I think the team behind passkey seem like good people and I hope they succeed. So I wanted to document the issues I ran in-to and provide suggested fixes. Hopefully someone from the team will see this.

Getting started

So I signed up for a seven day trial without giving a credit card. Great. I get a sign-up email and it does not work.

Not sure why, maybe because I tried to copy the link manually. Upon later inspection I noticed that apparently the link they provide for you to manually copy is not the same as the one behind the “Get Started!” button.

No matter, I do another round of “Get Started” and this time I click the “Get Started!” button and set things up.

Security Token

Passbolt has a interesting idea with something they call “Security Token” which is a nice additional “what you know” thing which adds a three letter secret and a colour of your choice to your password field. This is designed to make it harder for phishing to fool you as they shouldn’t know this so any fake password prompt will not have the right colour. Interesting idea, but a bit confusing.

If it’s actually useful or not is another discussion, I would assume that while some might react if they are prompted to enter their passbolt login and it is the wrong colour they react, but if it’s just plain white like 99% of all other websites out there they wouldn’t think twice.

Browser Extension

There is no native app for Mac so I will need to use the browser extension.

The browser extension install is quite slick.

Adding the extension to another browser/profile

If the initial setup was slick, this is the opposite. First you are told you need to look up the unique url from a email to be able to login. Then you are sent to a “Register”

fix: allow people to enter their email and emailed a list of orgs they are linked to, this solves step 2 in the chain at the same time. There might be some confusion with self-hosted instances being on different domains but that can be worked around.

This puts you into the recover account workflow.

Fix: why is this account recovery? I’m not trying to to recover my account just log in on another device/browser. I understand reusing the recovery workflow but I think it’s confusing.

Now you need your secret key. Here you will loose 99% of everyone except your most technical users. Most people will enter their password (the only secret they have been exposed to so far) only to be met with this even more confusing message “The key should be a valid openpgp armored key string.”.

fix: I understand that we want to keep a client-secret but a full GPG key is the least user friendly choice here. Something akin to 1Passwords secret key is much better.

Ok, so now I’m sufficiently technical that I can figure out what it’s looking for, go dig up the secret key, download it, and leave it in my downloads folder forever like everyone. Thus massively increasing the risk someone can steal it in the future.

So I try and drag it to the webpage and of course that does not work. So I manually select it with the file-picker.

Fix: add a droppable field

After that I am prompted for my password. And then I get to pick another Security Token (what the heck? Wasn’t the idea that it would be a secret I know, is it only tied to one browser?).

Fix: the security token is a good idea but not if it’s different on each device/profile

Either way, after picking a new security token I am now logged in.

Mobile App

The mobile app setup looked much more promising compared to setting up another browser profile/desktop. It involves opening a “Mobile Setup” view in the extension which gives you a QR code to scan.

That part seemed to work fine, and I am prompted to enter my password. Then I get “Server and client time is out of sync, please contact your administrator.”

I have not been able to figure out what is wrong, I am using their cloud instance so I don’t think the problem is on my side.

fix: I guess fix whatever is causing this? :-)

End rant

But Gabriel, Passbolt is open source, stop whining and just contribute.

Yes passbolt is open source, from a well funded for-profit company. I want them to succeed and I’m contributing by documenting what isn’t working.

The passbolt people seem to know their stuff security wise, but security must be easy to use.

Magic links are not great but they are the right choice sometimes

Wed, 24 Sep 2025 10:47:50 +0300

LLM disclaimer: this post was written based on a discussion with claude and drafted by claude. I have edited it heavily but if you’re allergic to LLM’s feel free to skip it.

The setup: we’re have a policy compliance system that employees use roughly once per year to check boxes confirming they’ve read our updated policies. The right solution is to integrate this with our existing SSO solution that has proper anomaly detection, brute force protection, and phishing-resistant auth and so on. But for various organizational reasons (aren’t there always), that integration will take longer than I’d like.

So I started thinking - could we build our own lightweight OIDC service? Something that just validates “yes, this person controls this email address” and nothing more. I’m usually not a fan of magic-links, but could they work in this case.

To do some rubber ducking, I asked claude. Claude’s initial reaction was something akin to telling me thats the stupidest idea ever (because I told it to argue with me, not debate and it dutifully complied). It made upp all kinds of stuff like telling me it was outsourcing authentication to email, a fundamentally insecure transport designed in 1982. Every magic link gets cached in browser history, server logs, forwarded emails, screenshots - it’s a mess.

But I pushed back. The tokens are time based and ephemeral. The alternative is to have yet another password, making people pick bad passwords or just click “forgot password” anyway, which… is just a magic link with extra steps. Magic links are not changing the security model, we’re just making it honest about where the security bundary is.

It also had arguments about how it trains people to click links in emails, as if they would training in that. We have told people not to do that for 20 years and it hasn’t done much good. You just can’t have that as a security boundary.

Claude eventually conceded this point (of course it did, it’s designed to please and not fight) but it did raise one thing. Social engineering. If you implement the magic link in a way clicking the link logs you in where you requested it, that lets attackers call pretending to be IT, say “we just sent you a verification link, can you click it?” and boom, they’re in.

The fix is device binding (with a cookie) - when someone requests a magic link, you set a random cookie. The magic link only works if that cookie is present. If they click from a different device or browser, you explain what happened and let them either open it in the original browser or request a new link (invalidating the old one).

But when I considered this, I realised this is the wrong solution. Not because it does not work, but because it introduces a bigger risk. Strong device binding means if I normally check email on my phone but I’m now trying to access the policy system on my home laptop, I’m now forced to log into webmail on my home computer. If that device is compromised, I now have a full email comprimise instead of giving an attacker access to a compliance system. The security measure backfired by pushing risk to a more valuable target.

The alternative is OTP codes - send a 6-digit number to email, user types it in. This solves the device forcing problem but it’s vulnerable to social engineering. “Hi, this is IT, we need that code to complete your compliance verification.” Most people are wired to trust humans over machines, and are likely to comply even when the email explicitly says “DO NOT SHARE THIS CODE.”

(Banks have been fighting this battle for years. The code comes with a big warning saying “DO NO SHARE”, but when the scammer says “ignore that, this is a special case,” many will comply. )

So what’s the right choice? First, let’s be honest: the right choice is to use your existing IdP with proper security infrastructure. If you can’t do that, then it depends on your threat model and what you’re protecting.

For a genuinely low-value system like policy compliance, OTP phishing gets the attacker access to boring checkboxes. Device binding, while stopping the social-engineering angle, introduces the risk of a full email compromise. The math is clear - accept the smaller vulnerability to avoid creating bigger ones.

It’s a running joke that the only answer you get from security people when you ask about something is “it depends” but that’s because it’s true.

Pragmatic security means working within organizational constraints and accepting smaller vulnerabilities to avoid creating bigger ones.

Thank you for blaugust

Sun, 31 Aug 2025 22:05:06 +0300

This is the real end-of-blaugust post.

I really enjoyed taking part, even if my partaking was very isolated.

Now towards the end, I decided to check blog of this years blaugust host and… why the heck did I not do that earlier.

Instead of trying to force out some micro blogs, I could taken inspiration from the massive amount of material available there.

As none of my posts are ready to be posted, I’ll take the opportunity to wrap it up with the suggested “Lessons Learned” topics from the blaugust calendar.

If you could go back in time to August 1st (or whenever you signed up for Blaugust), what would you do differently to prepare?

I would join the discord, and add the blog of the blaugust host to my RSS feed. Feels kind of dumb that I did not do that earlier.

What are your top 3 or 5 takeaways from your Blaugust experience?

I realised once again that I don’t get things done without deadlines (does anyone?). But also that when I put a bit of effort onto it, I can do it.

The other thing is that although I took the opportunity to publish a bunch of my drafts and other thoughts, I had not

Were there any posts your read during Blaugust that changed how you felt about the experience as a whole?

Not really, because I have not read any except a few posts from people I already followed before who happened to take part.

What were your favorite and least favorite parts of participating in Blaugust 2025?

Favourite part was the whole concept and idea. It’s kind of nice that it’s small, because that meant I felt that it was small enough that I would not get lost in the noise.

The least favourite. The first thing I think of is a bit dumb, but that would be the lack of spam.

Yeah you heard me right. Lack of spam.

Maybe I missed to check a box, or maybe the information channels were somewhere else. But I don’t think I’ve gotten any kind of email about my partaking in Blaugust.

Maybe if I’d joined discord I would have gotten the notifications, but I have never gotten into the habit of using discord.

I’m not saying this is something that someone “should” have done, I understand this is a volunteer driven thing so I don’t have any expectations. Just something I realised now at the end.

To conclude

I will definitely take part in Blaugust next year. And in a more active role. I just joined the discord and I’ll keep my eyes out for some other posting “challenge” in order to ensure I keep the words flowing.

Writing is such an important part of our daily communication nowadays, and practice makes perfect.

Thank you for the fish.

Blaugust near the end thoughts

Sat, 30 Aug 2025 23:21:15 +0300

Second to last day

This was going to be the launch of the new version of hasmypasswordbeenstolen.net, but my high standard got to me. It will be out soon-ish but not yet.

As for blaugust, it has been great. Although one blog per day is clearly too much for me. It has still been a great encouragement to get a few old ones out, and some new ones also.

I will try to keep up the posting, but without a specific deadline to hit (midnight) there is a high risk that I just go back to perfecting things forever.

Hopefully not.

More mailinator thoughts

Fri, 29 Aug 2025 23:13:22 +0300

Continuing the trend of praising mailinator, turns out one of the reasons feature creep did not get to it, was that it was or maybe is still “just” a side project, this interview with the creator has a bunch of interesting details.

The interview is a few years old by now, but still interesting.

nathanlatkathetop.libsyn.com/703-the-a…

Also this presentation from a few years later is also interesting, also old. Things have probably changed since then.

paul.mailinator.com/presentat…

Setting up your own mailinator domain

Thu, 28 Aug 2025 23:26:09 +0300

Mailinator is one of those great forever services which I seriously hope will never disappear, it has saved me from so much “newsletters” and other things I don’t want in my mailbox.

Sadly it for some reason people think it’s a good idea to block it sometimes.

Which makes absolutely no sense to me. I mean, I am clearly indicating that I do not want email from you. If you force me to give my own email, and send me emails (which we know you will) I will put them into spam.

I am quite certain Google uses that as a signal to start feeding your newsletter into spam for the users who might actually want it.

Either way, that aside.

Your own mailinator domain

This seems to work with most services which tries to prevent mailinator.com and the other known mailinator domains from being used.

You will need your own domain and be somewhat comfortable with editing the DNS of it for this to work. If you are, there is no risk with doing this. If you do not have your own domain, you can get a free subdomain at afraid.org.

You can do this two different ways, either create a domain which is a CNAME for mail.mailinator.com, this is more easily detected if they are motivated.

The other way is to do the following

create a A record pointing to the same destination as mail.mailinator.com (you have to look it up, it ends at .11.30) , for example nospam.your.domain
then create a MX record like nospam.your.domain 10:nospam.your.domain.

Success!

Mailinator does not seem to mind doing this, at least in 2008 https://mailinator.blogspot.com/2008/01/your-own-private-mailinator.html

Using the A method hides it, but sometimes it still does not work. I assume some people have blacklisted the [redacted].11.30 IP which mailinator uses as MX. That IP has been the same for as long as I’ve used them and probably longer.

Enjoy.

Reviewing the charities annual reports

Wed, 27 Aug 2025 23:18:53 +0300

This is a follow up to [this](blog.nyman.re/2025/08/2… and this.

So we’re continuing the quest to figure if it’s realistic for a normal person in the tech industry to do a life-saving donation.

Let’s look closer at the charities listed last time by reading their yearly reports.

Medeor’s report for 2024

Overall a very good report. Very transparent. From this we can read that they have received, around 34 million in funding. They have a lot of different projects ongoing in different countries.

KidsOR Impact report

This is not the same as the meteor one, it’s a flashy html page. It does not have any numbers, but those are available in the annual financial report.

Their yearly donations are GBP 5,6M in 2023 and 10,6M in 2024. They used 7M for charitable activities and 400K for fundraising.

Chain of Hope’s Annual Review

Annual donations in the range GBP 4,4 M 2023 to 3,4M in 2024. Notable there is that the document says 6% of the money went to support costs, and 16% to cost of generating funds. Without diving deeper into this, it looks higher than the others but it might just be that they are more transparent.

I think based on this, I’m leaning towards KidsOR. And as next step I’ll probably try to figure out if my donation would be big enough that it could be “easily” earmarked so I can know what difference it made.

Medeor says that anything above 1000 euro is considered a large donation, big enough for the donor to contact them beforehand to discuss.

I could not find any info about that on KidsOR.

Dishonest game developers

Tue, 26 Aug 2025 23:23:09 +0300

Note This is a very old blog draft, all the way from 2019 when you could still download Fortnite on your iPad (which you can again but it’s a bit harder and you need to live in EU). But the point still stands I need to publish something. Enjoy, or not :-)

I recently tried Fortnite for the first time, thinking I would check out what the fuzz was about. So I install it on the iPad and get started. Knowing roughly how to play it, I can’t even find a weapon in the first round and get hosed by obvious AI players (henchmen). No worries, I try again… and I go on to beat the crap out everyone the two next rounds, Victory Royale, numero uno, #1. Damn I’m good.. or am I?

I do think I’m above the average gamer but this seems a bit suspicious. Maybe they have some matchmaking and my hideous performance in the first match put me in the lowest bracket?

Or… Maybe the other players were not players but really bad bots? A quick googling confirms that indeed, Epic added bots last autumn (editors note, autumn of 2019).

And there does not seem to be any obvious way to identify them, except that people seem to agree that they are quite bad.

So turns out I am not really good at this game?… sad trombone

I spent some time thinking about this, and I read an article discussing it. Turns out not everybody was happy with this silent introduction of bots. Making people think they are better than they are to make them enjoy the game more does seem, wrong on some level.

Or is it? What is the goal from playing games? I guess most people are not looking to become full time pro-gamers but rather just want to have some fun.

Is it wrong to let them enjoy it? Not everyone enjoys loosing. I recall playing StarCraft 2, where the matchmaking was good and made sure you lost roughly half the time by matching you against better players every time you improved. And that was not always fun. Because when you’re perfectly matched it might well be that you play five games in a row and loose all of them. It was one of the reasons I did not play ladder SC2 but just fooled around in coop and other stuff.

But if we accept that developers cheat a bit to allow us to enjoy the game more. What is “a bit”. I am not sure there are any easy answers, it all depends.

How hard do we want our games to be? I guess the most fun part if you believe you win by a close margin.

And then again, Fortnite was not the first game to do this. Mariokart might have been one of the earlier ones to do it. It really skews the game to give worse players a chance. When you’re in the lead or close to it, you will just pick up bad items. While if you’re at the back you get all the good suff. And in single player the computer automatically adapted to your speed.

Asphalt 9 (at least on iPad) is also a obvious example of this, try playing a single player map with a massively over-powered car (compared to what is the recommended level on that course). Now watch how every computer keeps up/stays ahead until ~70% of the course is done. Then falls behind massively on the last 20% to make sure you win if you “should” win (based on the points in your car).

To conclude, I’ll just say I don’t know what is the right way. If the developers made it too obvious that they are letting you win, most people would not think that to be fun. But on the other hand, people like winning more than loosing.

box-art.css

Mon, 25 Aug 2025 23:06:43 +0300

Today we’re onto something lighter again. A box-art/nfo-style css, in as part of experimenting with a new look for this blog.

This is harder than it looks to do in CSS, but I enjoyed the challenge.

This is also something the LLM’s failed quite hard, but at least claude wrote me a simple javascript page where I could tweak the parameters until it worked.

Also.. I just found this, it’s just beautiful int10h.org also this is also great panr.github.io/terminal-…

Finding a charity where you can see the impact

Sun, 24 Aug 2025 23:37:09 +0300

This is a follow up to the previous one where we defined the question. Read that first

Can I make a direct life saving impact to someone, where my action, with a high degree of probability, leads to the survival of someone who might otherwise not have survived.

If the action is a donation, and the answer is Yes, and I have the means. Then I want to do it.

But let’s clarify what this means in practice.

It must be a monetary donation. Although volunteering is important, I am not in a place where I can do that now.
The money needs to go more or less directly to the cause, preferably quite soon.
There has to be some feedback from the cause.
EU based which accepts IBAN or other ways of receiving donations without paying the credit card companies x%.

3. Feedback loop

This is the main new part for my charitable donations. Previously and currently, my charitable donations go to organisations who I believe do good. But there is little or no feedback loop, so I don’t know what good my money does.

I am doing this exercise, to figure out if there is a more direct way.

When I started, my original idea was to find something where I donate directly to a cause. Like a heart operation for Person X, which would otherwise not happen.

Based on my research, I could not find that. The closest I found was watsi which has names and pictures of the people you help. My impression is that it’s a low-income version of gofundme.

After reviewing the people in need there, it does not meet my criteria for life saving. And when thinking about it, thats a great thing. After all, it would be horrible if there was a website with a list of people who would die unless they raised enough money.

So I expanded my search, instead of trying to find a place with named persons, which adds a lot of overhead I started looking if there would be a way to donate to a clinic, or some other semi direct intervention.

List of potential charities

(Note, I have done only brief research on these and there is likely factual errors. It’s just my personal opinion and not facts)

Chain of Hope (and La Chaîne de l’Espoir)

website website

Focusing on cardiac surgery, especially for kids. Definitely life saving but they seem quite big and from a brief check I don’t see any feedback loop.

KidsOR

website Builds/improves Operating Rooms abroad. Ships out equipment from UK and installs it, trains the technicians and then helps maintain it. Important and valuable but seems there will be quite a long time between my donation and when it would help someone.

Medeor

website

German organisation focusing on providing medicine and equipment, not personnel or health interventions. Seems promising on the feedback part as it says that donations of 1000 euro and above are counted as “major donations” which receives additional feedback. As they are German, IBAN is possible.

Next steps

I still have a bunch of charities to review. Finding the “perfect” charity is not easy, and it would be easier just to pick one and give. But my hopes is that I will find one I really like, which will have a tight enough feedback loop that I feel I made a difference. This in turn, will cause me to want to give more. After all, if I can help, why wouldn’t I?

Currently, the answer is, because even if I donated everything I owned to the Red Cross, it would help someone, but it wouldn’t be effective use of my money.

Large charities are important, they can do work that nobody else can, but small ones are also important. The big ones can’t be everywhere, and there are people in need in a lot of places.

Same thing about long term vs short term donations. Both are important.

Next step here will hopefully be a decision, and motivation and explanation of why. And then later, hopefully a follow up on what kind of difference it made.

What can YOU do?

Sat, 23 Aug 2025 23:58:13 +0300

The world is a big place. Really big. There are a lot of people in it.

And because there are so many people, it means there are a lot of people who, at this moment needs help.

So what can you do? A lot. That’s a too wide question.

Let’s narrow it down to a very specific question.

Can you save the life of someone in need?

Again, yes, there are lots of ways you could, but also a lot of ways which won’t work. The question is still too wide.

Let’s narrow it down more. Let’s focus on money.

How much money would you need to spend to save the life of someone?

If you ask the effective altruism people, it’s very little, just pay for some malaria nets and vaccines and the chances are that you’ll save someone.

But that is very indirect. It might be a cost effective way to save a life, but it will be very hard to know if your money saved a life or not. Statistically, if you buy enough nets it will.

But if you wanted to feel like you made an impact right now, or within the near future so that your giving feels more direct. And you wanted to know with a high degree of certainty that it had a impact, say within the coming three months.

Now we’re close to narrowing down our question which I’ll dive in to in a coming blog post.

Can I make a direct life saving impact to someone, where my action, with a high degree of probability, leads to the survival of someone who might otherwise not have survived.

What does that cost? And what ways are there to do this.

Fri, 22 Aug 2025 23:51:24 +0300

vibecoding feels very productive, but often I’ve noticed it’s just a feeling, I actually know better than the LLM what the problem is, and could fix it faster, but for some reason I get stuck prompting it again and again

not sure why

Hopefully the psychology departments are looking at this

My favourite podcasts

Thu, 21 Aug 2025 23:13:42 +0300

Security Podcasts I Enjoy

In special order, roughly in the order of which I remembered them which says something about how much I listen to them.

Risky Business - the main feed, compact and respects my time. I haven’t missed in on a long time. They have expanded and have other great podcasts now, including a news bulletin. I listen to those sometimes.

Three Buddy Problem - Quite new podcast, entertaining listen but the opposite of Risky Biz when it comes to being compact. Fun mix of Juan ranting and Costin providing deep technical commentary.

Security Cryptography Whatever - Great podcast, very technical, melts my brain sometimes but I feel I learn something every episode.

Säkerhetspodcasten - Swedish podcast, very entertaining, mix of somewhat serious episodes and “unstructured” episodes.

Defence In Depth - Each episode is based on a linked in discussion about some topic. Short and focused episodes. A lot of discussions from the point of CISO or security leaders. I’d recommend looking through their archive and picking a topic you’re interested in.

Darknet Diaries - The best story-telling podcast on infosec, hacking culture and internet-crime related topics. Targets a wider audience so he will explain terms and technologies in detail. Also he has strong idealogical views which he likes to share.

The above are continuously running podcasts, I’ll also mention a few which are just a set of episodes focusing on one topic, and ones that has ended. Also these are not really security focused, but rather technical ones.

Scam Inc - A podcast about the pig butchering scam centres, the scams they do and the victims. The only one on the list that is paid. You can listen to the two first ones for free to see if it’s your thing.

The Lazarus Heist - About the North Korean hacking group called Lazarus Groups and their various hacks. BBC level production quality.

13 minutes(to the moon) - Started with Apollo 11 and has since expanded into related topics.

The Bomb - Also BBC podcast, about the development of the atomic bomb.

Omega Tau Podcast - Super interesting deep-dives into various topics by interviewing people in the area. They did both German and English episodes.

Twenty Thousand Hertz - A podcast about sound. The quality is what you’d expect from someone who seems obsessed with sound and audio. Has some interesting episodes. I’m definitely no audiophile but I like when experts explain things. Check out the episode on the THX Deep Note or maybe the Zelda ones.

Hopefully you find something interesting here. If you’re familiar with these podcasts and have some other that you think I’d enjoy, reach out to me on mastodon or send a email.

A simple devcontainer for your agent with eyes (browser and screenshot capabilities)

Wed, 20 Aug 2025 22:52:49 +0300

These instructions have been tested on a M1 MacBook with podman, your mileage may vary. Note that running playwright/chrome as root might be dangerous so don’t use this for scraping or untrusted content unless you know what you’re doing.

Actually, never feed untrusted content into your LLM and always sandbox it as much as possible. Otherwise you will sooner or later be a sad panda.

Instruction

Put this into .devcontainer/devcontainer.json

{
  "name": "Playwright Dev Environment",
  "image": "mcr.microsoft.com/playwright:v1.55.0-noble",
  "postCreateCommand": "npm install -g @anthropic-ai/claude-code",
  "customizations": {
    "vscode": {
      "extensions": [
        "Anthropic.claude-code"
      ]
    }
  },
  //"remoteUser": "pwuser",
  "runArgs": [
    "--ipc=host",
    "--security-opt=seccomp=unconfined"
  ],
  "capAdd": [
    "SYS_ADMIN"
  ],
  "mounts": [
    "source=claude-code-bashhistory-${devcontainerId},target=/commandhistory,type=volume",
    "source=claude-code-config-${devcontainerId},target=/home/pwuser/.claude,type=volume"
  ],
  "workspaceMount": "source=${localWorkspaceFolder},target=/workspace,type=bind,consistency=delegated",
  "workspaceFolder": "/workspace",
  "containerEnv": {
    "NODE_OPTIONS": "--max-old-space-size=4096",
    "CLAUDE_CONFIG_DIR": "/home/pwuser/.claude"
  }
}

Then create something like this (or ask your llm to do it)

#!/usr/bin/env node
// Playwright-based headless renderer with console capture
// Usage:
//   node pw-screenshot.mjs --url https://example.com --out out.png
//   node pw-screenshot.mjs --html-file page.html --out out.png
//   echo "<h1>Hello</h1>" | node pw-screenshot.mjs --html-stdin --out out.png

import fs from 'node:fs';
import path from 'node:path';
import process from 'node:process';
import { chromium } from 'playwright';

function parseArgs(argv) {
  const args = {
    url: null,
    htmlFile: null,
    htmlStdin: false,
    out: 'screenshot.png',
    wait: 'networkidle', // playwright: load | domcontentloaded | networkidle
    fullPage: true,
    timeout: 60000,
    viewport: '1280x800',
    console: null,
    emulateMedia: null,
  };
  for (let i = 2; i < argv.length; i++) {
    const k = argv[i];
    const v = argv[i + 1];
    switch (k) {
      case '--url': args.url = v; i++; break;
      case '--html-file': args.htmlFile = v; i++; break;
      case '--html-stdin': args.htmlStdin = true; break;
      case '--out': args.out = v; i++; break;
      case '--wait': args.wait = normalizeWait(v); i++; break;
      case '--fullpage': args.fullPage = v !== 'false'; if (v === 'false') i++; break;
      case '--no-fullpage': args.fullPage = false; break;
      case '--timeout': args.timeout = Number(v); i++; break;
      case '--viewport': args.viewport = v; i++; break;
      case '--console': args.console = v; i++; break;
      case '--emulate-media': args.emulateMedia = v; i++; break;
      case '--help':
      case '-h': printHelp(); process.exit(0);
      default: break;
    }
  }
  return args;
}

function normalizeWait(v) {
  const val = String(v).toLowerCase();
  if (val === 'networkidle0' || val === 'networkidle2') return 'networkidle';
  if (val === 'domcontentloaded' || val === 'load' || val === 'networkidle') return val;
  throw new Error(`Invalid --wait '${v}'. Use load|domcontentloaded|networkidle`);
}

function printHelp() {
  const help = `
Usage:
  node pw-screenshot.mjs [--url URL | --html-file FILE | --html-stdin] [--out PATH]

Options:
  --url URL            Navigate to the URL and render.
  --html-file FILE     Load HTML from file and render.
  --html-stdin         Read HTML from stdin and render.
  --out PATH           Screenshot output path (default: screenshot.png).
  --wait MODE          load | domcontentloaded | networkidle (default: networkidle).
  --fullpage BOOL      true/false; or --no-fullpage (default: true).
  --timeout MS         Navigation/content timeout in ms (default: 60000).
  --viewport WxH       Viewport, e.g., 1280x800 (default: 1280x800).
  --console PATH       Write page console JSONL to PATH or '-' for stdout (default: stderr only).
  --emulate-media TYPE Emulate media type: screen | print.
  --help               Show this help.
`;
  process.stderr.write(help);
}

function parseViewport(spec) {
  const m = String(spec).toLowerCase().trim().match(/^(\d+)x(\d+)$/);
  if (!m) throw new Error(`Invalid --viewport '${spec}'. Expected WxH, e.g., 1280x800`);
  return { width: Number(m[1]), height: Number(m[2]) };
}

function openConsoleStream(dest) {
  if (!dest) return null;
  if (dest === '-') return process.stdout;
  return fs.createWriteStream(dest, { flags: 'a' });
}

function writeConsole(stream, record) {
  const line = JSON.stringify(record) + '\n';
  if (stream) stream.write(line); else process.stderr.write(`[console] ${record.type} ${record.text}\n`);
}

async function readStdin() {
  return await new Promise(resolve => {
    let data = '';
    process.stdin.setEncoding('utf8');
    process.stdin.on('data', chunk => { data += chunk; });
    process.stdin.on('end', () => resolve(data));
  });
}

async function main() {
  const args = parseArgs(process.argv);
  if (!(args.url || args.htmlFile || args.htmlStdin)) { printHelp(); process.exit(2); }

  const viewport = parseViewport(args.viewport);
  const consoleStream = openConsoleStream(args.console);

  let browser;
  try {
    browser = await chromium.launch({ headless: true, args: ['--no-sandbox', '--disable-dev-shm-usage'] });
    const context = await browser.newContext({ viewport });
    const page = await context.newPage();

    page.on('console', msg => {
      writeConsole(consoleStream, { ts: new Date().toISOString(), type: msg.type(), text: msg.text() });
    });
    page.on('pageerror', err => {
      writeConsole(consoleStream, { ts: new Date().toISOString(), type: 'pageerror', text: String(err) });
    });

    if (args.emulateMedia) await page.emulateMedia({ media: args.emulateMedia });

    if (args.url) {
      await page.goto(args.url, { waitUntil: args.wait, timeout: args.timeout });
    } else {
      const html = args.htmlFile ? fs.readFileSync(path.resolve(args.htmlFile), 'utf8') : await readStdin();
      await page.setContent(html, { waitUntil: args.wait, timeout: args.timeout });
    }

    await page.screenshot({ path: args.out, fullPage: !!args.fullPage });
    process.stdout.write(`Saved screenshot to ${args.out}\n`);
  } finally {
    if (browser) await browser.close().catch(() => {});
    if (consoleStream && consoleStream !== process.stdout) consoleStream.end();
  }
}

main().catch(err => { process.stderr.write(String(err.stack || err) + '\n'); process.exit(1); });

After that you can instruct claude or some other coding agent (that can view images, e.g. not codex currently) to view the result and describe it.

Hopefully this makes the agents more useful as they can inspect and see if the change they did actually had the expected result.

I have not tested this very much yet, but it’s one of the pet issues I’ve when having agents do any changes to a webpage. The lack of feedback loop for them means I’ve had to view and explain the result.

You cannot hide on the internet

Tue, 19 Aug 2025 21:48:49 +0300

At least not on the IPv4 network, but I would not trust the IPv6 network either, and you have not been able to for a long time.

If you open a port to the whole world, it will get probed. If it’s a popular port like 443 or a sensitive one like 9200, it will get scanned really-fast.

Same goes if you announce it by creating a TLS certificate with a ACME service like Let’s Encrypt. When you do, Let’s Encrypt will publish your certificate on the Certificate Transparency log. And there are multiple entities who sit and watch it and will probe everything on it.

I learned just how fast recently when I was playing around with tailscale funnel, within minutes I had someone from a Russian IP range sending requests my way.

So the tl.dr. is don’t open any services to the wider internet unless you are sure they are safe. If they are more complicated or less battle tested than ssh and nginx, you are better of not exposing it.

Instead use netbird, fireguard, tailscale, zerotier to access things. Or if you can’t or does not want to, hide it behind wildcard TLS certs, or some other way.

LUKS on NVMe: From 40 GiB/s to 4, Then Back to 20 GiB/s

Mon, 18 Aug 2025 13:41:34 +0300

Note: This testing described in this post was done over a year ago. It might be that things changed since then.

At work, we recently upgraded our PostgreSQL servers. This time, however, we encountered an unexpected roadblock when attempting to enable full disk encryption (FDE) with LUKS - our standard deployment. In past benchmarks, enabling LUKS full-disk encryption cost us ~10%. This time, it left us with only 10% of our throughput - a 90% drop.

So a bit of background, the new server is the most capable server I’ve benchmarked to date. 12 Intel P5520 NVMe disks and two 48-core Intel Xeon Sapphire Rapids CPU. Enough horsepower to handle our workloads for the foreseeable future.

With the 12 disks in a RAID10 configuration, we were happy with the raw performance figures: sequential write speeds of around 20 GiB/s and read speeds of 40 GiB/s (note gigabytes, not gigabits).

But our joy was short-lived. As soon as we added the LUKS encryption, performance plummeted. This was not at all what we expected, we had not even planned to do much benchmarking because previous synthetic benchmarking had only shown a 10% decrease, which in reality meant no real world impact.

But I had always had the understanding that modern cryptography is so fast that encryption won’t add any overhead. Most of it probably stems from the push for TLS and http://istlsfastyet.com/. So it might be wrong.

Fortunately, we weren’t the first to encounter such a noticeable impact. When researching, we found that Cloudflare had previously grappled with a similar problem and contributed a fix that was eventually merged into the Linux kernel. Enabling this fix reduced CPU usage to near-zero levels. However, surprisingly, it did little to improve the overall I/O performance.

As I had personally told many that encryption is so fast that there is no reason not to do it, even if the data wouldn’t be sensitive I felt I had to get to the bottom of this. So we set up a more comprehensive testing framework with various options to see if we could figure out how to improve the speeds. We also added a wildcard: the bcachefs filesystem which seemed promising and had some interesting features, like using an NVMe/SSD as read/write cache for spinning disks.

Our test setup consisted of a 10-disk RAID10 array of Intel P5520 NVMe disks, divided into eight equal partitions spread across all ten disks. The reason for not using all 12 was that we planned to do some single disk testing also, and with the unencrypted file system the raid10 scaled quite linearly. We decided the results of the 10-disk tests should apply to a 12-disk raid10 as well.

These were the options we decided to explore

Plain ext4
Plain LUKS
LUKS with --sector-size 4096
LUKS with Cloudflare patches
LUKS with Cloudflare patches and --sector-size 4096
Bcachefs
Bcachefs with encryption
LUKS with --sector-size 4096 and --perf-same_cpu_crypt
LUKS with Cloudflare patches, --sector-size 4096, and --perf-same_cpu_crypt

The server was running the pre-release of Ubuntu 24.04 which was available in March 2024 (in order to get a new kernel 6.8 which supports bcachefs). To test these configurations, we ran four different FIO tests (gist with the .fio) on each of the targets. The tests are designed to test sequential read and write speeds, as well as random small reads and writes to see how many IOPS we can get out of them. While the test parameters might not be optimal (if you have ideas how to improve them, let me know) we stuck with them because it was the same settings we used many years ago, so it gives us an idea how things have improved.

The Results

You can view the full fio results and raw numbers in the google sheet here.

Looking at the graph, the key setting was the sector-size. This change brought us up to around 50% of the raw disk speeds – a substantial improvement.

All the other options we tried for LUKS seemed to have small to no measurable differences.

While we are not experts on the inner workings of LUKS, it does seem to make sense that a bigger block size would speed things up. Our interpretation is that the bottleneck is not the raw encryption but rather somewhere in the process of getting the blocks lined up for encryption. Therefore, reducing the number of blocks eightfold speeds things up significantly.

The younger bcachefs filesystem, did not manage to keep up with the encryption enabled. Our working theory is that since it uses ChaCha20/Poly1305 for encryption, which, while being a fast algorithm, does not benefit from specialized hardware instructions like AES does. It might be that Intel QAT could help but we did not have time to look into that.

Conclusion

In the end, we settled on using LUKS with --sector-size 4096, the Cloudflare patches enabled, and --perf-same_cpu_crypt. While not achieving the same great speeds as using RAW, this configuration provided us with good enough performance to meet our needs while allowing us to maintain the security benefits of FDE.

We also explored the possibility of leveraging the built-in encryption capabilities of the disks through the Trusted Computing Group’s OPAL specification. Unfortunately, our specific NVMe models lacked support for OPAL or any other form of disk-level encryption.

The key lesson: always benchmark, even if it’s just a quick one. Defaults can leave enormous performance on the table, and the fix may be as simple as a sector-size flag.

Special thanks to Björn D. and Niclas J. for their assistance with both the testing and giving feedback on this post.

Internet is big but we humans are not ready for it

Sun, 17 Aug 2025 22:00:56 +0300

I thought it was crazy to think about all the 8.2 billion people.

A even crazier thought is how many internet users there are, who in theory can talk to anyone else.

From an information point of view it’s just a amazing amount of informationand potential available.

Of course, not everyone has something to say to every other user. But the fact that people who are interested in a subject can “easily” talk to so many likeminded people should allow for humanity to develop at a never-before seen pace.

Are we? I don’t know. Feels like things are stagnating, partially because of bad incentives. Or just human nature not having caught up with things.

Anders Hansen, a Swedish psychiatrist talks a lot about this disconnect between what evolution has prioritised during the last 100k years vs what we would “need” right now to thrive in this information and abundance society.

If you have not read his book, “The Attention Fix” I strongly recommend that you do. It’s definitely on the short-list of most influential books I have read within the last few years. It has really allowed me to view things in a new light, which is I think the best a book can do.

Sat, 16 Aug 2025 23:40:37 +0300

There are a lot of people on this planet.

Our brains are not designed for numbers that big.

I put together a little art project about how many people there are.

nyman.re/everyone-…

Makes you feel small doesn’t it?

And still you can make a difference. Magical

Thu, 14 Aug 2025 23:10:26 +0300

Claude Code > Gemini Code > Codex

Based solely on my gut feeling after having played with each one of them on some toy projects.

One pet peeve I had with Codex was that it did not want to finish things, when asked to move stuff, if it thought it was too much it just left at the end of the file.

Gemini Pro worked fine the little I tried it but I dislike on principle because it’s not possible to deactivate the history when it’s part of the Google Suite/Workspace/Apps. I’m actually not sure if that affects Gemini Code.

Claude Code seems to be a good balance.

At some point I will try to compare by giving them the same instructions on the same project and see what actually happens.

Putting your crypto you didn't know about to good use

Wed, 13 Aug 2025 22:42:27 +0300

Do you have an old Keybase account? Or do you know someone who has? If not, you can stop reading now. If you have, and you weren’t into the crypto stuff back in the days you probably have around 500 EUR / 600 USD lying around there in magic internet money.

With the world on fire, those money is not doing any good locked into some internet wallet. So I’d recommend getting them out of there and spend them on either yourself, someone you care about, or something good like charity.

It takes a bit of effort, as Keybase does not allow you to transfer them directly, but thanks to a great writeup from Yael you can do it.

After you have imported them into LOBSTR or some other wallet, you can donate them directly to charity with www.daffy.org (is one of the few I found that accepts XLM) , The British Red Cross accepts some other crypto.

Or you can transfer them to an exchange to turn them into real money and donate that.

Use a reputable exchange if so. Because crypto is mostly crime, you will have to do a lot of KYC (know your customer, sending your ID and such) so pick one you trust with your data. After a bit of research I used bitstamp, and hopefully that won’t turn out too badly. But do your own research and pick one suitable to your jurisdiction.

blaugust

Another blaugust post, not much editing. I have a much longer draft, discussing the various charities which accept crypto and how to make the most out of your XLM. I might publish in the future, will link to it then if so.

The one time my gabriel+website@mydomain paid off.

Tue, 12 Aug 2025 23:35:12 +0300

I have for a long time been using the + format to create “unique” emails for companies. Nowadays I’ve levelled that up with using <word>@rnd.mydomain which is a wildcard for the domain. I’ll write a blog about why it’s better and how to do it sometime.

Either way, this is a repost of an old twitter thread.

Back in 2020, I was been repeatedly called by a bitcoin/CFD company who refused to accept a “I’m not interested”. Let’s call them Company MagicMoney. I had my suspicions on where they got my number from and I got confirmation when I asked them to email me the inf, and they sent me a mail to gabriel+somehwat-legit-trading-platform@mydomain.

And as the original company is EU based I sent them a #GDPR request to see what they are doing with my data and maybe get them to stop giving it to shady trade platforms based in St. Vincent and the Grenadines.

I did get a response with a what looks like a JSON dump which seemed to contain most relevant interactions I had with the site. And it was completed within 30 days so at least their compliance department was working.

But as for how the data ended up in St. Vincent and the Grenadines? They denied ever sharing or selling it.

Which might be true or not, either way I just exercised my right to have my data deleted and called it a day.

Endnote

This happened in 2020, I don’t remember which companies were involved or why had signed up with Somewhat-Legit-Trading-Company. Interestingly, after I asked them to delete all my info, the calling stopped. Coincidence? Maybe.

Blaugust

Another blaugust post tagged as draft.

Logcheck helper draft release

Mon, 11 Aug 2025 22:35:32 +0300

A few days ago I blogged about how great logcheck was. And towards the end I mentioned that writing rules was one of the more annoying parts.

I have for a while been considering how that can be done easier, and while I don’t have my dream solution yet, I have spent a few evenings vibe-coding something that I believe will be helpful.

Logcheck regex helper

You can try it out at nyman.re/logcheck-helper/ right now, or keep reading to learn more about the motivation and possible future development.

Why is writing rules for logcheck hard?

First, it uses egrep (which is an alias for grep -E nowadays), which uses POSIX Extended Regular Expressions. It’s in my experience not the most user friendly regex. Then when you have written one, testing it requires that you do something like logcheck-test -r /etc/logcheck/ignore.d.server/custom -l /var/log/syslog|grep named, but you need to pick the right log and the right rule file.

So what I usually end up doing is writing very coarse matches, which isn’t optimal.

How to fix this

The main problem with logcheck is that it’s noisy, and in combination with writing new ignores being hard, it becomes noise very quickly and nobody reads them. To allow the end user to cut down on the noise, it must really easy to do so. One idea I’ve had is that the alert emails would have a [ignore] button for each line (or all) which will create ignore similar log lines in the future. It would then optionally sync those ignores to all servers so we don’t need to repeat ourselves.

But I am not there yet.

What is Logcheck Regex Helper

It’s a quick proof of concept that tries to help you write the regex. It explores my ideas around providing the user with a working regex, while still allowing them to customise it. In the current version, you can click on the patterns in the pattern-configurator to switch between the regex targeting any text, or that literal text.

This should allow the user to quickly get a decent rule, that can be modified for their use case.

Why vibe coding?

Because this is what it’s good at. Putting together a “simple” proof of concept and allowing for quick experimentation.

And this is all client-side, so there is no risk that it would create a vulnerability.

And what it produces is not critical in any way. If it produces dumb logcheck rules, you will hopefully spot it and worst case you probably just fail to ignore what you wanted ignored.

But the PoC is now deployed?!? So it’s in production?!

Yes. But only because it’s all client side. So there is no risk that bad code could cause issues… (for me).

If this had a server side, I would either sandbox it really hard or not publish it. Probably both.

Will you open source it?

It is open-source… like all client side web applications. It’s not even minified. But if someone asks nicely and would like to contribute or fork it, I will publish the repo. The license is 2-BSD so feel free to copy it.

Blaugust

This is another blaugust post, no editing or spell-checking. Sorry.

Sun, 10 Aug 2025 23:56:25 +0300

Vibe coding is a slot machine. I agree.

You pull the lever and out comes code. Most of the time it’s close but not right, so you pull again.

Meanwhile you watch the funny little loading messages they added to give a bit of extra dopamine kick.

But it’s the most useful slot machine I’ve ever seen.

Sat, 09 Aug 2025 22:17:47 +0300

Why I’m not worried about my job part.

Evidence 17: Google forcibly rolling Gemini everywhere before anyone has had a chance to actually consider the security implications.

www.youtube.com/watch

From the risky biz newsletter

#blaugust

We will need a gym for our brain

Fri, 08 Aug 2025 23:15:39 +0300

This is related to my previous post on LLM’s. Feel free to skip it if had too much LLM.

There have been several studies on how LLM’s seem to make us dumber. And there is probably truth in that. It’s quite logical if we look at the biology. The brain requires more energy when it’s working, and probably even more when forming new memories.

So if there is an easier way, it will prefer that way, as for most of humanity’s existence wasted energy was not good for survival. And biologically, like your muscles will become smaller unless you exercise them, the brain probably does the same.

So I think “brain exercise” will become more important as LLMs become more useful, just like intentional exercise like going to the gym is an important part of our lifestyle because of powered transport like cars.

I don’t know what will it look like. But I’m quite sure it won’t be like the “brain training” applications. They claim to make you smarter, but based on what I’ve understood they are a bit too limited. From what I’ve read, you become better at doing their brain games but it does not translate well effectively to becoming better other things.

So what kind of brain gym should you do? I guess whatever you want as long as it’s closely related to what you want to train and requires thinking, but intentionally leave the LLM out of it.

Although you might actually want the LLM before and after, because an important part of becoming better at something is that the difficulty is right, so it challenges you. Creating customised challenges, and evaluating them afterwards is probably something a LLM is good at.

blaugust

This is another blaugust post, very little editing so it’s marked as draft.