
Is the new post-money SAFE mathematically sound?

Y Combinator published a new set of documents for their SAFE, short for "Simple Agreement for Future Equity". The new version takes the document from a pre-money investment to a post-money investment. For those of you who know neither version, a SAFE is a legal document signed by the SAFE investor and a startup, so that the startup gets cash to build their product and the investor gets equity in the company. How much equity the SAFE investor gets is not spelled out in numbers but in the form of a set of equations that should compute this number at a later stage. "Later" usually means at the next funding round, called Series A, where a larger investor injects more cash into an already working prototype of the product. At the point of Series A, it is much clearer how the product performs and whether there is a market. The Series A investment usually happens a year after the SAFE investment. The assumption here is that it is fair to both the startup and th
Recent posts

Forcing power saving under my broken DPMS implementation

My monitor, or my X version, or my Xorg drivers, or my KMS kernel, or my xscreensaver version, or my goldfish has a broken DPMS implementation, so that my monitor doesn't turn off when idle. This is a particular waste of energy during the night. Luckily my monitor responds correctly to xset dpms force off when issued twice with a small delay. Using xprintidle-ng, I can work around the problem.

    #!/bin/sh
    # Idle threshold in milliseconds.
    ACTIVATE=$(expr 60 \* 1000 \* 45) # sleep after 45 mins.
    LASTIDLE=0
    while sleep 60; do
        IDLE=$(xprintidle-ng)
        # Fire once, on the poll where the idle time first crosses the threshold.
        if [ "$LASTIDLE" -lt "$ACTIVATE" ] && [ "$IDLE" -ge "$ACTIVATE" ]; then
            xset dpms force off
            sleep 10
            xset dpms force off
        fi
        LASTIDLE="$IDLE"
    done

PWD-based privilege separation

I am often tempted to try out a random GitHub project with:

    # mkdir random-repo
    # cd random-repo
    # git clone .
    # ./configure && make [...]
    # emacs
    # make

However, that is naive from a security standpoint. Makefiles can do just about everything to your workstation, e.g. steal your e-banking credentials from .config/chrome. So, I want sandboxing. And I want it in a way that fuses nicely with the workflow above. Basing sandbox activation on my shell's current working directory seems to work quite nicely. Consider the following:

    # id -nu
    clefru
    # echo $PWD
    /home/clefru/devel
    # pwdjail-mkdir random-repo
    # cd random-repo
    $ id -nu
    random-repo
    $ echo $HOME
    /home/clefru/devel/random-repo
    $ git clone .
    $ ./configure && make [...]
    $ cd ..
    # echo $PWD
    /home/clefru/devel
    # id -nu
    clefru
    # emacs random-repo/src/ [...]

Notice: I use pwdjail-mkdir instead of mkdir. En

Tool to enable Wifi sending for Sony's Alpha cameras

Sony's A6000 has a nice feature to allow it to push images via Wifi. The camera, however, only does so if it has been paired with Sony's PlayMemories Windows software. That's a one-time thing, and the pairing isn't really a pairing that's strongly enforced anywhere. It's just setting a truncated GUID that the camera will broadcast after connecting to the Wifi hotspot. One could just grab a Windows device and do the pairing; however, I was curious to see if I could cut out this requirement. And I could! I added sony-guid-setter.c to falk0069's sony-pm-alt repository, which crafts non-standard USB packets so that the camera thinks it's pairing with PlayMemories. How this is done is documented in the of falk0069's repo.

Native SSH relay

Google's Native SSH client for Chrome supports connecting to SSH via a websocket/HTTP protocol. I reverse engineered the protocol from the published source and wrote a NodeJS counterpart. This is useful if you don't want to expose your SSH port to the world, but want to hide it behind HTTP/Websockets, possibly using an additional authentication flow in front.

Sandboxing Skype

I am in the unfortunate position to have read Silver Needle in the Skype up to PDF page 21, where a successful heap overflow attack makes Skype drop to a shell. Since then I decided that I either have to stop using Skype or sandbox it. For about a year I have been doing the latter, with some bumps in the road, as new versions of Skype needed more files and more sandboxing. However, it worked for me most of the time, and it is time to share the gory details with the world. The sandbox script can be found at , where you can also edit the script. You need to have a PulseAudio server running and listening to TCP traffic so that sound can break out of the sandbox. Verify that you have: load-module module-native-protocol-tcp in your PulseAudio config. Please review the variable settings to ensure that they fit your setup (DIR, XAUTHORITY, PULSECOOKIE). The sandbox is created for the user invoking the script. This user must have sudo capabilities to call t

Using Wave to collaborate on Latex documents

This blog post is a copy of a much nicer PDF version. I found that Wave could be used as a collaborative editor on Latex documents by using a modified export bot and a simple shell script. The exporty2 bot (living at ) allows you to access a wave using access tokens instead of cookie-based logins, making it easier to fetch those waves using curl. The exporty2 bot also allows you to export only the text of a Wave using the "raw" template. The raw URL given by the exporty2 bot is pasted into the shell script below. It serves as the master wave, as it is the document that is latex-ed. Additionally, it lists other resources using the special %FETCHURL tag. These resources are pairs of local name and URL. Curl fetches these resources and stores them under their local names before the shell script runs the usual combination of latex/bibtex/latex. I usually put those %FETCHURL tags below \documentclass.

    #!/bin/sh
    TITLE="wave-collaboration"
    TOKEN=c64