Posts on Roman's Random Thoughts

The Convenience Trap: Why Seamless Banking Access Can Turn 2FA into 1FA

Tue, 29 Jul 2025 00:00:00 +0000

Multi-factor authentication (MFA) is the bedrock of modern digital security. Its principle is simple and powerful. As Wikipedia defines it, MFA is:

an electronic authentication method in which a user is granted access to a website or application only after successfully presenting two or more distinct types of evidence (or factors) to an authentication mechanism.

The key phrase here is distinct types of evidence. These factors are typically categorized as something you know (a password), something you have (a device), and something you are (a biometric). Any financial institution worth its salt implements MFA. Having opened many bank accounts in Switzerland, I’ve seen the full spectrum of authentication methods that are used here. They generally fall into one of these categories:

Splitting a string into multiple lines in Solidity: How hard can it be?

Fri, 24 Feb 2023 00:00:00 +0000

For the on-chain SVG generation of an NFT, I recently needed to split an (arbitrary) string into multiple lines. Each line should contain 40 characters. Pretty easy, right?

Let’s assume that we use an external function which takes a string and returns a string[] array containing the individual lines. A straight-forward implementation looks like this:

solidity First approach


 function lineSplit(string memory text) external pure returns (string[] memory) {
 bytes memory textBytes = bytes(text);
 uint lengthInBytes = textBytes.length;
 require(lengthInBytes > 0, "Invalid length");
 uint lines = (lengthInBytes - 1) / 40 + 1;
 string[] memory strLines = new string[](lines);
 bytes memory bytesLines = new bytes(40);
 for (uint i; i < lengthInBytes; ++i) {
 if (i > 0 && i % 40 == 0) {
 strLines[i / 40 - 1] = string(bytesLines);
 bytesLines = new bytes(40);
 }
 bytes1 character = textBytes[i];
 bytesLines[i % 40] = character;
 }
 strLines[lines - 1] = string(bytesLines);
 return strLines;
 }

When we pass a few strings such as “A”, “AAA”, or "A" * 41, the results looks ok. However, what if our string contains a character like è? When passing the string AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAè, we see the first problem: The function returns two lines, but the last character of the first line and the first of the second line are invalid. This happens because è is a multi-byte character with the UTF-8 encoding 0xC3 0xA8, but our implementation splits on bytes. We therefore need to adjust our implementation such that it does not split between multi-byte characters. This introduces a few complications:

Boost.Python: A minimal CMake Config

Thu, 13 Jan 2022 00:00:00 +0000

Although most of the examples and Boost’s documentation uses bjam, you can also use CMake for your Boost.Python projects. A minimal CMakeLists.txt to compile your Python library is provided below.

cmake_minimum_required(VERSION 3.10)
project(yourlib)
set(CMAKE_CXX_STANDARD 17)


find_package(Boost COMPONENTS system python3 REQUIRED)
find_package(Python3 COMPONENTS Interpreter Development REQUIRED)

add_library(yourlib MODULE your_lib.cpp your_other_files.cpp)

You may want to compile Boost as a static library such that you only have to ship one file. This can be achieved by providing cxxflags="-fPIC" link=static install to b2 when compiling Boost from source. I personally always use Docker containers (one for each Python version with the correct header files) and use the following command to integrate the statically-linked boost library into the container:

Using SavaPage as a Frontend for uniFLOW

Wed, 12 Jan 2022 00:00:00 +0000

A uniFLOW Queue (that is available over SMB) can be integrated quite easily into SavaPage with the CUPS SMB backend. To add it, simply run the following command on the SavaPage server:

lpadmin -p uniflow_queue -v smb://serviceaccount:servicepassword@domain/uniflow_server/uniflow_queue -P path/to/driver.ppd

While this works, all print jobs will arrive at the uniFLOW server with the used serviceaccount. SavaPage sends the username of the user that submitted the job in the For attribute of the transmitted PostScript file. However, uniFlOW considers in its default configuration only the user that submitted the print job to the SMB queue and ignores this attribute. Follow-Me-Printing will therefore not work, as all print jobs are assigned to the account serviceaccount.

Exposing C/C++ Data as a Python NumPy Array

Sun, 26 Dec 2021 00:00:00 +0000

I recently needed to use memory that was allocated inside a C++ library in a Python application which expects a NumPy array without performing any copies. With ctypes, this can be implemented quite easily. Let’s say we have a shared library libcpp.so where a function get_shared_memory returns the pointer to an array of doubles that is stored on the heap:

cpp


double* get_shared_memory(std::size_t num) {
 auto p = new double[num];
 ...
 return p;
}

The function can be called from Python with ctypes:

Setting up Metricbeat on a Docker Swarm Cluster

Sat, 25 Dec 2021 00:00:00 +0000

To monitor your Docker Swarm hosts (and containers) with Metricbeat, you can set up a global sidecar service. You need to mount the host’s filesystem, /sys/fs/cgroup, /proc, and /var/run/docker.sock inside the container to do so. An example compose file for the sidecar looks like this:

yaml docker-stack.yml


version: '3.7'

services:
 metricbeat:
 image: docker.elastic.co/beats/metricbeat:7.16.1
 user: root
 hostname: "{{.Node.Hostname}}-{{.Service.Name}}"
 configs:
 - source: metricbeat-config
 target: /usr/share/metricbeat/metricbeat.yml
 command:
 - -e
 - --strict.perms=false
 - --system.hostfs=/hostfs
 volumes:
 - type: bind
 source: /
 target: /hostfs
 read_only: true
 - type: bind
 source: /sys/fs/cgroup
 target: /hostfs/sys/fs/cgroup
 read_only: true
 - type: bind
 source: /proc
 target: /hostfs/proc
 read_only: true
 - type: bind
 source: /var/run/docker.sock
 target: /var/run/docker.sock
 read_only: true
 deploy:
 mode: global

configs:
 metricbeat-config:
 file: ./metricbeat.yml

The hostname ensures that the sidecar reports metrics with the hostname of the Swarm host (and the service name) such that you can distinguish the reported metrics easily. An example metricbeat.yml for monitoring the Swarm nodes is provided below:

How to perform zero-copy S3 uploads with the AWS C++ SDK

Sat, 11 Dec 2021 00:00:00 +0000

If you’re ever using the AWS C++ SDK in some constrained environment (such as Lambda functions with limited memory) or care about memory copies, you probably run into the issue of how to upload an existing buffer without copying it (as other developers did). You can write your own streambuf wrapper to do so, but if you’re already using boost in your project, boost::interprocess::bufferstream is a very straightforward way to do it:

char* buf;
std::size_t len;
const std::shared_ptr<Aws::IOStream> data = Aws::MakeShared<boost::interprocess::bufferstream>(TAG, buf, buf_len);

data can then be used as usual:

Unicode Normalization Forms: When ö != ö

Tue, 01 Jun 2021 00:00:00 +0000

Some time ago, a very weird issue was reported to me about a Nextcloud system. The user uploaded a file with an “ö” on a SMB share that was configured as an external storage in the Nextcloud server. But when accessing the folder containing the file over WebDAV, it did not appear (no matter which WebDAV client was used). After ruling out the usual causes (wrong permissions, etc…), I analyzed the network traffic between the WebDAV client and the server and saw that the file name is indeed not returned after issuing a PROPFIND. So I set some breakpoints in the Nextcloud source code to analyze if it is also not returned by the SMB server. It was returned by the SMB server, but when the Nextcloud system requested more metadata for the file (with the path in the request), the SMB server returned a “file not found” error, which lead Nextcloud to discard the file. How can it happen that the file is first returned by the SMB server when listing files but then the server suddenly reports an error when requesting more metadata?