Hardscrabble 🍫

By Max Jacobson


My baby teeth

May 24, 2023

Wye Oak’s Civilian is one of my favorite songs.

There’s a cinematic, epic yearning here, and it’s no surprise it’s been used in a ton of movies and TV shows.

I don’t need another friend

When most of them I can barely keep up with them

I’m perfectly able to hold my own hand

But I still can’t kiss my own neck

The studio version benefits from a driving drum beat and a ripping guitar solo to help build up its intensity, but this acoustic rendition doesn’t need them.

Jenn Wasner is the coolest. Outside of her work in Wye Oak, she’s also toured with Bon Iver and contributed to their most recent album I, I.

Sweet like Fanta

May 22, 2023

This track by Rema and Selena Gomez from last summer is so good:

You can sing along to it if you want to.

The world is so vast. This song is a massive hit featuring a pop star I’m a fan of[1] and I almost never heard about it.

I came across it in a kind of fun way that I want to recommend. I’m big into the Apple ecosystem, including Apple TV and Apple Music. Recently I was clicking around the Apple Music app on my Apple TV and I found a section dedicated to music videos. I put on a playlist of music videos called The A-List: Pop Videos and let it play on shuffle on the TV while I worked on other things. Lots of good, fun stuff came through, but this was the stand out. The experience was great: not cluttered with ads or other non-music segments. They have other playlists for other genres and moods too.

I love music videos. The track opens with Selena Gomez murmuring the word “Vibes” and then Rema declaring that the track is “Another banger”, and it’s hard to disagree when you watch this.

  1. Not only is Selena Gomez a very talented singer (my favorite solo song of hers is the frosty Hands To Myself) but she’s also very funny in Only Murders In The Building 

How and why to use an SSH passphrase

May 1, 2023

While writing about git commit signatures earlier today, a related memory came to mind.

A few months into my working at Code Climate, back in mid 2016, I confessed to a colleague that I didn’t have a passphrase associated with my SSH key. His eyes filled with horror, and he said “For God’s sake, use a passphrase, man!”[1]

SSH Keys are used as an authentication mechanism for some very sensitive things like read/write access to remote git repositories and for managing access to remote servers.

But, anecdotally, I feel like a lot of people don’t use passphrases with their SSH keys… So let’s talk about it.

When you generate an SSH Key, you get a pair of text files on your computer. On my computer, I have these two files:

$ ls ~/.ssh
id_ed25519
id_ed25519.pub

The first one is the private key and the second one is the public key. The public key is the one I give out, and the private one is really important for me not to share with anyone at all.

(Yours might be named id_rsa and id_rsa.pub, or something else, but it will come in a pair of a public key and a private key.)

When I add my public key to my github.com account, that lets me clone private repositories as long as I have the corresponding private key.

We can imagine a scenario where my private key is compromised. Maybe I’m at a coffee shop and I run to the bathroom and forget to lock my laptop. The snoop sitting next to me might quickly run cat ~/.ssh/id_ed25519, take a photo, and then close the terminal window. Now they have my private key, and they can use it from their computer to access whatever I can access.

Eep.

When generating an SSH key, the ssh-keygen command will ask you whether you would like your key to have a passphrase. If you say no, you’re vulnerable to the cafe snoopers of the world[2].

If, however, you do provide a passphrase, your private key will be useless to the snooper, because they will need to type in the passphrase when they try to use the key.

Of course, that means that you will also need to type in the passphrase when you try to use the key. That’s super annoying! You probably push and pull several times throughout the day, and if your passphrase is convenient to type, it’s probably not that strong of a passphrase.

To mitigate that annoyance, I have this line in my ~/.zshrc:

ssh-add -q --apple-use-keychain

The effect of this is that I only need to enter the passphrase once, and it will remember it forever. I guess it stores it in the keychain, some secure thing that the Mac manages. I don’t really get how the keychain works to be honest.

But the user experience is pretty great: I have a passphrase, so I can sleep easy at night, but I don’t need to deal with the hassle of entering it all the time.

  1. I paraphrase from memory 😅. 

  2. Perhaps a more likely scenario is an attacker stealing your laptop, unscrewing the bottom, yanking the hard drive out, and rummaging around in your files. But if your disk is encrypted, you shouldn’t need to worry about this.
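A way to check whether the keys in a directory actually have a passphrase, as an added example that is not from the original post: `ssh-keygen -y -P ""` tries to load a private key with an empty passphrase, so success means the key is unprotected. The function names are assumptions made for this example.

```sh
#!/bin/sh
# Added example: find private keys that load without a passphrase.

# key_passphrase_state FILE -> prints one of:
#   unprotected  the key decrypts with an empty passphrase
#   protected    ssh-keygen reports a wrong passphrase, so one is set
#   unknown      not a private key, or ssh-keygen refused it for another
#                reason (for example group/other-readable permissions)
key_passphrase_state() {
    key=$1
    if ! grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$key" 2>/dev/null; then
        echo unknown
        return 0
    fi
    # -y derives the public key from the private key; -P "" supplies an
    # empty passphrase so ssh-keygen never prompts.
    if err=$(ssh-keygen -y -P "" -f "$key" 2>&1 >/dev/null); then
        echo unprotected
    elif printf '%s\n' "$err" | grep -qi 'passphrase'; then
        echo protected
    else
        echo unknown
    fi
}

# audit_ssh_dir [DIR] -> prints the path of every unprotected key;
# exit status is 1 if any were found, 0 otherwise.
audit_ssh_dir() {
    dir=${1:-$HOME/.ssh}
    found=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if [ "$(key_passphrase_state "$f")" = unprotected ]; then
            echo "$f"
            found=1
        fi
    done
    return "$found"
}

# To add a passphrase to an existing key without changing the key itself:
#   ssh-keygen -p -f ~/.ssh/id_ed25519
```

Running `audit_ssh_dir` with no argument checks `~/.ssh`; the public half of the key pair does not change when a passphrase is added, so nothing needs to be re-uploaded.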

How to sign your git commits with the SSH key you already use

May 1, 2023

It’s surprisingly easy to impersonate other people in git and GitHub. All you need to know is their name and email address, and then you can configure git with that information and start committing. When you push those commits to GitHub, it looks up the user by email address and attributes the commit to that user, whether or not they actually made it.

For example, if you want to impersonate dhh on GitHub, all you have to do is:

git config --global user.name "David Heinemeier Hansson"
git config --global user.email "dhh@hey.com"

And then start committing and pushing.

impersonating DHH

But, uh, please don’t actually do that, I don’t want to get in trouble.

Being impersonated is not likely to be a big problem for you, but if it’s something you’re worried about, you should start signing your commits. Honestly, you should probably just start signing your commits anyway, because it’s kind of neat and just got way, way easier[1].

Here’s what you do:

git config --global commit.gpgSign true
git config --global gpg.format ssh
git config --global user.signingKey "~/.ssh/id_ed25519"

The user.signingKey config should be a path to your private SSH key. It’s possible that your private SSH key has a different path, such as ~/.ssh/id_rsa, so you may need to tweak that.

This bit is optional, but if you use tags, you can also sign those:

git config --global tag.gpgSign true
git config --global tag.forceSignAnnotated true

If you’re following along, now’s a good time to try making a commit and confirm that it works. If anything doesn’t work, you can always undo those configuration changes by editing ~/.gitconfig. But hopefully it does!

When you push these commits to GitHub, you will see an “Unverified” badge next to them until you let GitHub know that you’re using this SSH Key to sign commits now. You can do that by copying your public key to your clipboard (cat ~/.ssh/id_ed25519.pub | pbcopy) and then adding it, taking care to select “Signing Key” as the key type.

If you’re actually worried about being impersonated, you can also turn on vigilant mode which will display that “Unverified” badge on any commits that aren’t signed by one of your registered signing keys.

Note that this signature only exists for commits that are authored locally on your machine. What about commits you author through GitHub’s web interface? For example when you merge a PR, or edit a file on the web. Actions like those will create commits on GitHub’s servers, which don’t have access to your private key for signing. You might be surprised to see that those commits also have a “Verified” badge on them. What gives? If you look a little closer (by clicking on the badge to reveal some details) you’ll see that those commits are signed by GitHub, not by you.

This commit was created on GitHub.com and signed with GitHub’s verified signature.

GitHub is basically saying that they created the commit on behalf of a particular GitHub user. They know who clicked the big green merge button, and they’re vouching for you.

  1. It used to be that you would sign your commits with gpg, but gpg is kind of confusing and finicky to set up. For a while I used a tool called bpb which makes it a little easier, but it was still finicky. Recently GitHub added support for signing commits with the SSH key you already have and I was thrilled to ditch that bpb setup.
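To reproduce the Verified/Unverified decision locally, git needs an allowed signers file that says which public key is trusted for which email. This added example (not from the original post) builds a throwaway repository under a scratch directory and checks three commits that all carry the same name and email; the function names, file locations and the `author@example.test` address are assumptions, and the throwaway keys have no passphrase only so the demo runs unattended.

```sh
#!/bin/sh
# Added example: reproduce the Verified/Unverified decision locally.
# Function names, paths and author@example.test are constructed.

# new_signing_repo REPO KEY EMAIL: repo-local form of the signing config,
# plus an allowed_signers file naming the key trusted for EMAIL.
new_signing_repo() {
    git init -q "$1"
    git -C "$1" config user.name "Example Author"
    git -C "$1" config user.email "$3"
    git -C "$1" config gpg.format ssh
    git -C "$1" config user.signingKey "$2"
    git -C "$1" config commit.gpgSign true
    printf '%s %s\n' "$3" "$(cat "$2.pub")" > "$1/.git/allowed_signers"
    git -C "$1" config gpg.ssh.allowedSignersFile "$1/.git/allowed_signers"
}

# commit_is_verified REPO REV: exit 0 only for a good signature from a key
# that allowed_signers trusts.
commit_is_verified() {
    git -C "$1" verify-commit "$2" >/dev/null 2>&1
}

report() {  # report REPO LABEL
    if commit_is_verified "$1" HEAD; then echo "$2 verified"
    else echo "$2 unverified"; fi
}

# verify_demo WORKDIR (absolute path): three commits, same name and email.
verify_demo() {
    w=$1; repo=$w/repo
    ssh-keygen -q -t ed25519 -N "" -C owner -f "$w/owner_key"
    ssh-keygen -q -t ed25519 -N "" -C other -f "$w/other_key"
    new_signing_repo "$repo" "$w/owner_key" "author@example.test"
    # 1. signed with the key listed in allowed_signers
    git -C "$repo" commit -q --allow-empty -m "signed by owner"
    report "$repo" owner-signed
    # 2. same identity, no signature
    git -C "$repo" -c commit.gpgSign=false commit -q --allow-empty -m "unsigned"
    report "$repo" unsigned
    # 3. same identity, signed with a key allowed_signers does not list
    git -C "$repo" -c user.signingKey="$w/other_key" commit -q --allow-empty -m "other key"
    report "$repo" untrusted-key
}
```

Only the first commit verifies: the author name and email are identical in all three, so the signature and the allowed signers entry are what separate them. SSH signing needs git 2.34 or newer.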

Natasha Beats The Devil

April 21, 2023

In 2004, Natasha Bedingfield released a track called These Words. In 2006, 65daysofstatic released a remix called Natasha Beats The Devil:

I would have found this via Jerome Holeyman’s blog charlatan, which I was a religious reader of back in the Google Reader days, which covered the hard-to-define genre called Post-Rock.

I can’t really imagine listening to this without watching the video. The video is inseparable, remixing the original music video.

In just a few short minutes, this video reliably restarts my brain. The remix starts out humble, not varying too much from the original song (which is also great). But at some point, when it’s supposed to segue from that perfect chorus (“I love you, I love you”) into a bridge and then wind down, it just… doesn’t. It just stays there, like a glitch happened. Like she was supposed to take a turn, drove off a cliff, and her car started flying. “I love you, I love you” becomes IloveyouIloveyouIloveyouIloloveyouIIloveyou. Natasha beats the devil. A new glitchy beat comes in, and some simple chords, and she keeps going, for what feels like long enough that you kind of forget where you are.

Now I’m reminded of this classic Nathan For You moment:

True love will find you in the end

April 21, 2023

This Tiny Desk Concert performance by Daniel Johnston from 2012 really moved me, particularly the fourth and final song, True Love Will Find You In the End.

It has to do, in part, with the impression that Johnston, at 51, is not particularly well. He would die seven years later of a heart attack. He’s singing about how he feels like a mummy, or Dracula, or Mr. Hyde, or a ghost. But he’s not alone up there. He has a friend and an audience that loves him. When he sings about optimism it feels hard-earned and true.

World Chess Championship 2023

April 7, 2023

The World Chess Championship, a head-to-head battle between Ding Liren and Ian Nepomniachtchi, starts this Sunday.

This event happens every two years, and decides who will be the new world chess champion. In the off year, there’s another event called the Candidates Tournament, which decides who will challenge the world champ next time.

Here’s a great preview of the two players by Ben Tippett in Defector: https://defector.com/the-world-chess-championship-begins-on-the-edge-of-the-unknown

If you’re the kind of person who likes being in control, the good news is that you’re responsible for exactly half of what happens on a chess board, but the bad news is that your opponent (who is trying to beat you) is responsible for the other half. You have some control over where you want to steer a game, but ultimately you’re in the boat with your opponent, and you both get the opportunity to row.

I’ll probably catch some of the games live, but I know I’ll be watching the GothamChess recaps after.

I’ve gotten into playing chess and watching chess content in the ~1.5 years since the last world chess championship. In fact it was Tippett’s piece on Defector that caught my attention. That led to watching the GothamChess recaps, including this wildly entertaining summary of this notable game in the match:

As with any niche, there’s a whole ecosystem of personalities, not just this one guy. Here are a few of the popular chess content creators I enjoy following:

  • GM Daniel Naroditsky
    • On YouTube he makes educational videos where he plays lower-rated players, beating them very easily, and explaining every single move in exhaustive detail.
    • On Twitch he grinds speed chess games against top opponents to try and maintain his rating near the very top of the rating charts. He keeps very strange hours, so I will often have him on as I’m falling asleep.
  • WFM Anna Cramling
    • On YouTube she makes educational and entertaining videos that are very accessible and fun. She often plays higher rated players and loses but has a great attitude about it. Both of her parents are grandmasters, and so she will often pull them in, which is quite sweet.
    • She’s also on Twitch although I haven’t caught her stream too many times
  • GM Hikaru Nakamura
    • First, here’s a fun article about him in The New Yorker: The Most Popular Chess Streamer on Twitch
    • On YouTube, he posts tons and tons of content, including videos of him playing against lower rated players and basically stunting on them, much more for entertainment sake than educational sake. But he also posts recaps of his legit tournaments and excerpts from his stream when he’s competing in events like Chess.com’s Titled Tuesday, which he routinely wins.
    • On Twitch where he streams loads and loads of chess
    • On Kick which I guess is some new Twitch competitor that threw a bucket of money at him to also stream there? idk

If you want to play some chess with me, get in touch :)

Joe Camerlengo's New Things

April 2, 2023

Joe Camerlengo, who I’ve previously written about twice before in these pages, has a new EP out (Apple Music, Spotify) and a great interview to promote it.

The subject of these songs is being a first time dad. This quote is beautiful:

I’m more artistically inspired than ever, because I’ve never felt as positive or as strongly about anything as I do being with Ozzy and Courtney. Having that little family is the most incredible environment, and I’ve been creating like crazy.

The highlight for me is the closing track, Life Might Begin.

The whole thing reminds me of this recent post from the popular author John Green, which touches on his experience as an artist whose work was heavily criticized, and what it’s taken for him to continue creating art.

the big lesson from those strange days for me is that if I must choose between being cold to the reality of feeling and being cringe, I always want to be cringe.

Honestly, same. There’s a similar unapologetic sincerity in Camerlengo’s work which I could imagine being offputting, but I encourage you to give it a chance anyway. And, hey, John Green is great too. I’ve read all his books and I’m very much looking forward to the upcoming film adaptation of his novel Turtles All the Way Down, which explores OCD beautifully.

See also: this profile from a few years ago naming Camerlengo the best musician in Columbus, Ohio.

Traffic Altercation

April 2, 2023

This sketch from last night’s SNL made me laugh out loud:

It features host Quinta Brunson from Abbott Elementary and I don’t really want to describe it except to say it’s very funny and features quite a lot of shouting. Enjoy.

It seems like road rage may be in the zeitgeist. I’m very much looking forward to Beef, the new Netflix show starring Steven Yeun and Ali Wong about a traffic altercation that spirals out of control.

This is America

April 2, 2023

When there’s another mass shooting in America my mind often goes to this music video from Donald Glover’s Childish Gambino:

You’ve probably seen it before, but I don’t care, it’s so good. Watch it again.