Posts on Wrongthink

Sanity Check: Platform Masquerading

Wed, 12 Nov 2025 21:17:21 -0500

Many in the alt tech and open source club, and especially the variety who might visit wrongthink, probably go to some length to present their device metrics as some other platform. Often to foil tracking, which insinuates flying the flag of Windows, Chrome or some other predominant platform. Outright lying is enough to mislead simple tracking adversaries. But are we causing long term harm in exchange for short term gain?

One needn’t try hard to imagine that a Google or a Microsoft might desire for, or even covertly encourage, those of us who reject exploitative platforms to scurry away out of sight. To send ourselves into self-exile. Targeted self erasure. It is probably safe to assume that most privacy oriented techies are using some form of Firefox. And according to Cloudflare’s 2025 Radar (warning: javascript) Firefox sits at a despicable 4.1%. Or 7.5% if counting only desktop Linux.

I am going to strech my estimation and, based on my years of interaction with Linux techies both online and in the flesh, surmise that somewhere between one tenth to two fifths of desktop Linux users make efforts to conceal their device attributes. For example, by enabling Firefox ResistFingerprinting. That is up to 40% making an erronious headcount toward Windows in web stat tracking. That unmasks potentially up to an additional 1.64% Firefox users who might actually be rocking Linux under the hood. When looking at single digit metrics, every fraction of a percent holds valid weight.

And when we consider that simply using Firefox, now a statistically niche web browser, already heavily contributes to the uniqueness of those hiding behind a false user agent, it becomes evident that masquerading one’s platform is not only a form of self-erasure but has also grown ineffective at curtailing fingerprinting.

It can be reasoned that if one takes a minor loss in fingerprintability in exchange for a comparatively more substantial gain for accurate platform usage counting, an argument begins to manifest that open source privacy afficianados might have been shooting ourselves in the feet by bolstering numbers in the long term which favor the adversaries.

For years I’ve been sailing with the flags of Windows and x86 when what little traffic I generated could have been counting toward Linux on PowerPC. Don’t think it matters? My aversions kept me away from utilizing Debian Popularity Contest (popcon) with a platform whose user count could be measured only in the thousands, perhaps even the hundreds for most packages. It becomes very easy for maintainers to overlook issues when, in effect, there are no active users. And I’ve seen first hand the erosion of interest in maintaining PowerPC ports, from issues that long go unnoticed, distros dropping entire builds, to developers selling off their POWER gear, to packages that quietly drop ppc64 from their builds. Headcounts matter.

In a trend of critically examining where I stand in my own convictions, I’m finding yet again that perhaps the time has come to relax some of my most stringent battle lines. In a sense, I have broken rank to go fight the ghosts of a battle which hasn’t yet begun. All the while, a war still rages far behind me. I’m alluding to the very real ground being covered in the gaming platform space. Just weeks ago, for the first time, Linux has broken the 3% milestone among Steam users, long since surpassing Mac OS. And, apparently, some of the console prisons have taken to releasing their hostages to PC while at the same time conceding that the PC was the right way, after all.

This is substantial. And even for those of us who have taken an ideological stand in swearing off the use of things like Steam, what happens in that space will have ramifications which echo through the humble encampments of alt tech and open source enjoyers for years to come. It has me feeling as though I’ve been M.I.A. in a time of need. With the recent announcement of Valve’s latest major Linux push, I question the veracity of jumping straight to the idyllic conclusion, having ignored the collective pushing of the needle necessary for it to first materialize. Here’s some wrongthink for you: maybe I’ll even buy a Steam Machine. Probably not for myself, but to repay a friend. To move that needle forward.

With Linux usage share crawling meaningfully upward for probably the first time ever, what things might unfold if a substantial part of the Linux userbase were to begin uncloaking?

Have I Been Too Harsh on uBlock Origin?

Thu, 06 Nov 2025 13:03:15 -0500

Any longtime Wrongthink visitor is probably familiar with my criticisms of uBlock Origin. It originates from a place of frustration: Why did Raymond Hill insist on breaking up the power emeralds™ and hiding them across the land? Was it too dangerous to have it all in one place? But with time and experience, I’ve come to ponder whether I am just demanding unattainable standards. What if the remaining 10% functionality I seek can be scrounged up from elsewhere?

With the right compliment of extensions, uBlock Origin might just be good enough. First a recap: its weak points are in the non-existant handling of cookies and in the incomplete filtering of CSS. One tool I’d been using along side uBlock Origin for years has been Temporary Container Tabs. Temporary Container Tabs has the effect of limiting cookie life to the life of a browser tab. Close the tab, and the cookies are tossed out with that cache bucket. Sadly, it too is unmaintained for years, but still functions as of Firefox 140.

The necessity of blocking CSS is something else I’ve been reexamining. Does the cost outweigh the functionality provided by stylesheets? By running on-access prevention in the Mozilla cache with clamonacc, stylesheets are already subject to some filtering (with additional malware databases ofc). This effectively pulls the security model back a layer from exception-allow to exception-deny while affording most sites basic formatting.

uBlock Origin’s CNAME uncloaking can perhaps replace extensions like Block Cloudflare MITM. Block Cloudflare MITM relies on knowledge of existing CDNs, while CNAME uncloaking does this naturally for any domain fronting simply as a happy byproduct. You can see which third party resources are calling Akamai or Fastly or whatever other MITM might be serving assets under the first party domain.

Completely granular per-asset filtering is actually a thing in uBO! In the logger window, it is possible to select specific scripts or other assets to automatically compose rules for. The only other tool that I’ve seen with this level of fine grained control has been Policy Control/Request Policy. It’s not well advertised, and I admittedly only discovered this feature recently as of version 1.64.X.

And if that level of control sounds too exhausting, what of handling javascript when the few scripts that are allowed to load must also contend with obfuscation by JShelter? With all of the mitigations outlined above, when the “Disable Javascript” option is unchecked for a certain page in uBlock Origin, it loads scripts only for those domains that you have exceptionally allowed, the scripts must then pass checks from clamav-daemon filtering, only to then run in a limited environment whose parameters are adjusted to defeat common fingerprinting.

Minor point: Dark mode!

Considering all of that, and I can hardly believe I’m saying this, but I’m thinking of dropping uMatrix. The tier list will remain unchanged for the time being, as I need to carefully evaluate whether this adequately fixes uBlock Origin.

Debian Upgrade Marathon: 11 Bullseye

Sun, 24 Aug 2025 12:38:54 -0400

Our marathon hasn’t kept pace with Debian. During this writing, Debian Bullseye had been moved from OldStable to OldOldStable, while Trixie has been officially released. It is a marathon, after all. Not a speedrun. Today we step into 2021 and later explore a new, as of Bullseye, tool for dodging the sunsetting of 32-bit that begins as of Trixie.

Once the basis of SteamOS, Debian was displaced in favor of Arch. This was also the year that saw the introduction of Valve’s first successful “steam machines” in the form of the Steam Deck. By 2021, the once mighty Intel had rightfully begun to lose its 1vAll hegemony with the likes of Apple taking up their own silicon design, while AMD’s last decade of stategy began to payout. More than ever, an operating system with as wide a breadth of architectural support was poised to ride out the waves of change.

Upgrading from Buster to Bullseye

dpkg --audit pointed to some transitional dummy packages that I’d long been ignoring.

We finally get off of the archive repositories and update sources.list with the new debian security archive format, changing from */updates to *-security.

deb https://deb.debian.org/debian/ bullseye main contrib non-free
deb https://security.debian.org/debian-security/ bullseye-security main contrib non-free

apt update ✔

We unceremoniously initiate the upgrade.

apt upgrade --without-new-pkgs

“Configuration file /etc/sudoers has been modified by you.”

‘I’, Install package maintainer’s version.

“PAM profiles to enable:”

All default.

apt full-upgrade

“Please specify the workgroup for this system.”

Default “WORKGROUP”.

“Modify smb.conf to use WINS settings from DHCP?”

No (default).

Ending without much issue, it cleanly rebooted into the newer Gnome 3.38 environment.

Post-upgrade

I apt autoremove’d 338 packages and upgraded 12 packages held back during the full-upgrade.

w3m was held back which I upgraded manually as well as removing several python2 packages.

There really is not much of note. Bullseye was perhaps the most mundane release in terms of changes and transitions (in a good way!).

Impressions of Bullseye

Maybe impressions is the wrong term to be using, as this falls within recent memory. There it is, systemd integrated Gnome in all its visually minimalistic fancy. I should mention that I haven’t had to worry at all about display stack issues since around Buster. For all its naysayers, wayland is the the one that works effortlessly while x11 was continuously broken without any user intervention throughout the former half of this marathon.

The sort of thing that might even lead one to believe that wayland is better.

Not to pollute this experiment too much with games, but Minetest (now Luanti) runs better than expected on this old APU.

Bullseye released with SuperTuxKart 1.2, the last in Stable before 1.4 at which it still sits today.

The initial launch had Firefox ESR 78 where it languished due to dependency issues preventing the adoption of then-current Firefox ESR 91. As OldOldStable, Bullseye still receives updates, including for Firefox which got upgraded to 128.14 before uploading this article. It is a bit odd to see contemporary software that I use on my daily driver still available through such an old release. Is anybody still rocking Bullseye today?

Crossgrading from i386 to amd64

Bullseye was the first release to include a new tool designed to orchestrate conversion to CPU architectures foreign to the host. This was already possible for those daring to leverage multiarch and convert packages carefully by hand. But crossgrader introduced a semi-formalized way to handle this while minimizing the possibility of breakage.

It effectively enables Debian installations to move laterally across the supported architectures. Upgrade-Journey is at last jumping over to the x86_64 side of things.

At console terminal, apt remove '~o' cleared many packages left over from as far back as Sarge.

Here, I ran into an issue with libreadline4 causing a dpkg failure “No dir file specified”. Thanks to the helpful account at stackexchange, I was able to comment out the ‘install-info’ line at /var/lib/dpkg/info/libreadline4.prerm and proceed with the obsolete package removal.

This had also left systemd relying on outdated binaries still being run, so we reboot.

apt autoremove to clear out old Python 2.7 packages. And I also checked that all packages were indeed the most recent available for Bullseye.

The crossgrade procedure wants to make sure we have binutils, curl and wget. dpkg reports binutils and wget already installed so we just need to apt install curl.

With that, the environment should be all set to begin the crossgrade.

dpkg --print-architecture; dpkg --print-foreign-architectures tells us that only i386 is currently available.

Per the notes at the Debian Wiki, we add the amd64 build of the kernel ahead of the actual crossgrade:

dpkg --add-architecture amd64

Which now shows up when checking with –print-foreign-architectures.

apt update to pull in the new amd64 package lists.

apt install linux-image-amd64:amd64

With it installs the requisite dependencies for things like gcc and apparmor.

I rebooted and selected kernel 5.10.0-35-amd64 from GRUB.

uname -r does report 5.10.0-35-amd64 is indeed in use. I’m really surprised as I would have thought a bunch more of the system would have to already be migrated to 64 bit packages before functionally booting. gdm3 even loaded up ready to log into a desktop session without any complaints!

I installed the crossgrader package before running once (with elevated privileges):

sudo crossgrade-package-check

And, from here on, we make a point not to touch apt or dpkg directly!

sudo crossgrader --dry-run amd64 reports no issues.

sudo crossgrader amd64

Which first crossgrades dpkg, apt, python3 and python3-apt before advising to run the same step once again. Crossgrader appears to loop over installation selections while deferring packages which fail to be retried until everything is resolved. The wiki essentially recommends to run these steps repeatedly until they finish “quite cleanly”.

The first stage of my crossgrade ended with logsave “might not be in the correct architecture”. And with apt being off-limits during a crossgrade, we address this through the -p switch.

sudo crossgrader amd64 -p logsave

Running crossgrader amd64 no longer spits out warnings so we move on to stage two.

Checked that 64 bit apt and dpkg are now installed and the i386 architecture has taken up the secondary role as a foreign architecture.

dpkg -l apt dpkg | grep '^ii '; dpkg --print-architecture; dpkg --print-foreign-architectures

amd64
i386

✔

crossgrader --second-stage amd64

Which failed at an exception regarding the linux-image-686-pae package. As per the crossgrader notes, the –force-unavailable switch informs crossgrader to proceed, ignoring these exceptions.

Some packages, including gnome-shell and gdm3 did not successfully crossgrade to amd64. I attempted to go back and manually install packages which where holding back the installation of the others.

sudo crossgrader amd64 -p libc++abi1-16 libuwind-16

But to no avail. I thought I was going to need to simply remove and reinstall the remaining packages through apt after removing crossgrader and issuing a reboot.

GRUB continues to default to the linux-image-686-pae kernel so I need to manually select the amd64 kernel. Interestingly, it still successfully reaches gdm3, presumably a franken-mixture of amd64 and the remaining two dozen (or so) i386 packages. gnome-control-center fails to launch, so there is definitely some breakage from these remaining packages.

After dropping back to terminal, I then move on to the third stage which cleans up the remaining i386 packages.

sudo crossgrader --third-stage i386 --dry-run amd64
sudo crossgrader --third-stage i386 amd64

But hit a wall with “…returned non-zero exit status 1”

Well, let’s see how much we can get away with ignoring. Like with every other stage, we’ll just run it again!

But roughly twenty packages still yield “…returned non-zero exit status 1”. A few packages that needed to be manually crossgraded:

sudo crossgrader amd64 -p python3-cairo libwebkit-gtk-4.0-37 libjavascriptcoregkt-4.0-18 libunwind-16 libc++abi1-16 libc++-16

However, my attempts to manually crossgrade these packages failed. Ultimately, dpkg kept complaining about broken dependencies associated with python3-cairo:i386 which turned out to be a known problem at this Debian bug report.

Per the very helpful comment at message #10, I was able to edit the file at /var/lib/dpkg/info/python3-cairo:i386.prerm to append “:i386” after both instances of “gir1.2-ibus-1.0”. Thus, freeing up dpkg’s confusion about multiple installed versions of the “same” package.

Afterwhich, once again running crossgrader --third-stage i386 amd64, it was able to complete and remove the remaining i386 packages.

dpkg -l | grep -F i386 confirmed that the twenty or so remaining i386 packages are no longer present. Time to remove crossgrader.

apt purge crossgrader

Success! And we’re left with a system that is fully 64 bit which began its life as a 32 bit installation.

So Bullseye shipped with a known broken config at /var/lib/dpkg/info/python3-cairo:i386.prerm which affects the crossgradeability of systems using Gnome desktop. And even the final update with 11.11 never implemented a fix for it.

Fun Factoids

Support for alternative init systems was improved for Bullseye. Even so, much of the talent maintaining the other init systems prefer to roll their own distro in protest.

Python 3 replaces Python 2 in Debian Bullseye.

Pipewire packages begin to make their appearance, indicating Debain were already gearing up to switch to pipewire at least as early as Bullseye.

Having effectly run an informal audit of the crossgrading procedure, we can say that converting to foreign architectures is possible mostly without issue. With no more time or effort than for a normal upgrade. Upgrade-Journey is hardly recognizable as the system provisioned on a Pentium 4 with twenty year old software. I’m looking forward to the last upgrade and reflecting back on the changes and oddities over Debian’s history, when I eventually get around to Bookworm.

Infinite Property Rent is an Unpatched Exploit

Tue, 05 Aug 2025 21:58:23 -0400

Sometimes I find unwanted junk cards in my mailbox from organizations seeking to add vacation properties to their portfolio. They go straight into the shredder because A) I bought this place so that I could have a roof to sleep under and B) I am not morally bankrupt. There are currently not enough available houses to accommodate the nation’s individuals or families who need a place to reside. A game of musical chairs where there aren’t nearly enough chairs and a few of the players have resorted to laying their bodies across entire rows of chairs.

How can anybody who owns multiple properties see the plight of their fellow men struggling to house themselves or their families make any other decision than to place those extra properties on the market? To do so, one must be either a scumbag or ignorant to the state of things. An ignorant scumbag. There is one thing the political left are very good with, and that is languagecraft. To borrow a term, these people can be described as overhoused. And that’s to say nothing of the asset management firms buying up residential properties.

Another lefty-devised term I’m fond of is landleech. They are not landlords, but landleeches. Making others pay for the privilege of a life necessity because they happened to get to that tile on the monopoly board first. Society can be broken down into two types of people; those who produce value through their work, and those who parasitize value from those who create value. Landleeches fall squarely into the latter. (I have an entire rant prepared on this dichotomy, but that must await its own post).

To coin another term, I suggest that there are no house flippers. There are only house scalpers. It is not flipping. It is scalping. Even if a property receives improvements in the process, it ultimately serves to lift the baseline for entry further out of reach of first time buyers. Those people who need it most.

Let me share with you a cathartic story. When I bought my place, it was first “sold” but then a week later was relisted again. The seller indicated that it went back up on market only because the current prospective buyer had a deal fall through. At first, I’d harbored some guilt considering that I had swooped in and snatched it up with cash when the other buyer must have been waiting to shuffle some assets around.

A year or two later, I am in town getting supplies when a woman approached me “Are you the guy that bought that house on Mountain Road?” I hesitated and replied yes, knowing that this is an unpopulous area and it’s not uncommon to be recognized by friendly strangers. She continued on “I was going to buy that place and revitalize it to rent out. It would have been my Xth.” expressing a tinge of exasperation, “I hope you like it.” Uncertain whether she was fixing for an argument, I gave her some polite filler to de-escalate before parting ways.

But how awesome it is that some landleech who was eager to parasitize this place had some guy from another state snipe the purchase from under them last minute during a lapse in negotiation. Good. I hope she still thinks about it from time to time. It sits in a beautiful area too. Liberated from the hands of the non-producing segment of society.

Is it all morally bankrupt? Decades ago, perhaps not so much considering there wasn’t such a disparity between the overhoused and those seeking housing, as well as a much healthier housing stock to population ratio. It is relativeley recent that the disparity is reaching extremes where we can safely consider landleeches broadly to be scumbags. And same of the asset management firms. Even the little underlings working within them as lowly desk jockeys share in the harm they cause. Every misfortune that befalls them is well deserved.

But we can fix this. The game is broken and severely in need of a hotfix. You see, the idea that property owners can rent to tenants in perpetuity is an infinite money glitch. Well, not a glitch. An exploit. Rentals were never meant to be lifelong housing arrangements. And hard working people of contemporary society are being forced into forever rentals by manufactured circumstances.

I suggest capping a reasonable grace period of temporary living, up to a few weeks for business travelers, students, vacationers or the like, beyond which any subsequent rental payments begin to confer ownership of the property itself to the renter. There is already a similar model to be found in reverse mortgages. What I propose is that once the payments made by a tenant match or exceed the value payed by the current property owner, that property then fully falls under ownership of the tenant. Tenants who leave before reaching this threshold maintain 10%, 30%, whatever share ownership they paid for.

Additionally, corporate entities should be barred from owning properties designated as residential unless it is to sell to individuals or families as a residence to be occupied. Residential property which sits unoccupied under the ownership of corporate entities or of overhoused individuals should incur extensive taxes during times of housing availability crisis, such as we are experiencing today. Once most people can satisfactorily obtain housing for themselves then, fine, have your vacation cottage.

Debian Upgrade Marathon: 10 Buster

Mon, 28 Jul 2025 00:09:39 -0400

Buster marks the last Debian release made before stepping into this decade. And the first in a streak that I shall refer to as the “B’s”; Buster, Bullseye and Bookworm, a chain of releases that I reason were more iterative than revolutionary. The only substantial changes that I can recall from memory alone include the introduction of pipewire and the creation of a new firmware repository. A far cry from the sweeping and disruptive changes, with the likes of systemd’s introduction.

2019 can feel now like ’the before times’ having enjoyed the calm before the machine learning craze. The days before web services felt the present pressures to deploy bot-until-proven-human measures. The days before everyone and their mother misguidedly decided that every aspect of life must be conducted online. In this way, Buster stood at the threshold of the old and the new. Despite the upheavel in the spheres of internet and computing, this release thankfully possessed many tools helpful in riding out the waves of the early ’20s.

Before committing to a system upgrade, there was some table setting needing to be done. First, the upgrade path for Buster advises modernizing the network interface naming scheme before starting the upgrade. This avoids risk of losing functioning networking on the host after the upgrade.

Check the current names of network interfaces:

echo /sys/class/net/[ew]*

Output:

/sys/class/net/eth2

Check whether it is used in config files:

sudo rgrep -w eth2 /etc

Only one config file on Upgrade-Journey seems to refer to it:

/etc/udev/rules.d/70-persistent-net.rules:...

Test for what ID udev would assign to that interface:

udevadm test-builtin net_id /sys/class/net/eth0 2>/dev/null

Reveals that it would become “enp2s0”.

Move 70-persistent-net.rules to somewhere it can be reverted to if this fails:

sudo mv /etc/udev/rules.d/70-persistent-net.rules /home/traveler/

And rebuild initrd sudo update-initramfs -u, then reboot.

Afterwhich I find “enp2s0” used as predicted.

Secondly, some fresh hardware. Upgrade-Journey with Stretch had everything it needed to be fitted into a socket FM2 AMD platform. Already, I could see an improvement in boot speed and desktop responsiveness. After switching to new hardware host, the network interface acquires the scheme “enp4s0”, so we know the new udev interface naming is working as intended.

Upgrading from Stretch to Buster

dpkg --audit just lists some obsoleted packages which can safely be ignored.

Changed instances of ‘stretch’ to ‘buster’ in /etc/apt/sources.list.

For anyone who may be referencing this post from the future, the entries as of this stage in the process are:

deb https://archive.debian.org/debian/ buster main contrib non-free
deb https://archive.debian.org/debian-archive/debian-security/ buster/updates main contrib non-free

Note that this is the last of the Debian releases to use a forward slash instead of a dash to label the stable updates repository.

sudo apt update

Which threw an error about the APT::Update::Post-Invoke-Success script.

This was fixed by a simple sudo apt-get clean. No mention of this issue appears anywhere in the Buster release notes. It is probably a mess of my own making.

sudo apt-get upgrade

“PAM profiles to enable:?”

Yes to all (default).

Many insserve empty script warnings cascaded by in Apt’s output, which makes sense as insserv is deprecated as of Buster.

sudo apt full-upgrade

It is noteworthy that the packages selected to be upgraded in Buster represent almost 3GB worth of data, this is including only the several few additional packages that I’d opted to install along the way. Prior upgrades did not see this kind of bandwidth and disk space consumption.

“(Configuring AppArmor) Please enter … any additional locations for home user directories.”

Supplied no additional home directories to apparmor.

The full-upgrade again triggers the PAM profiles enablement prompt, but is otherwise more silent.

The procedure stopped at a dpkg failure “Needrestart is being skipped since dpkg has failed:”. I didn’t spend much time perusing logs before deciding to simply reissue apt full-upgrade, afterwhich the upgrade completed without any further issue.

Post-upgrade

I ran sudo apt autoremove to remove 511 megabytes’ worth of obsoleted libraries and purged unneeded remnants of SysV.

apt purge initscripts sysv-rc insserv startpar

I spent some time deliberating with myself whether or not to convert Upgrade-Journey to the merged /usr filesystem format. On the one hand, part of this upgrade project is in examining the kind of historic cruft that accumulates through decades of operating system upgrades. But, on the other, there is a precedent for aligning the system to readily receive further upgrades by keeping up with changes.

Already I had expanded the filesystem attributes, migrated hardware several times, and, as recently as this very Buster upgrade, converted to new network interface naming conventions. With plans to attempt an architecture crossgrade and perhaps a conversion to EFI, I see no reason why Upgrade-Journey should stubbornly cling to the old split directories.

sudo apt install usrmerge

Impressions of Buster

Wayland became the default session with Gnome 3.30. I remember some growing pains with packagekit being unable to run certain graphical software as root under Wayland. Aside from that, the transition was smooth sailing. In the age of Buster, one would have done well to grow confortable running ip instead of ifconfig commands, and nft instead of iptables/ip6tables commands.

Gnome had settled on the flat look that it still uses to this day.

With over 57,000 software packages maintained for Buster, the Debian repository had by then gained a reputation for being expansive. It is a rare day that I find myself hunting down source code to compile a program which hasn’t already been packaged.

Upgrade-Journey has been left with a lot of old bloat. The age and fading relevance of some of these programs can be seen even in their icon art. We can all rest easy knowing that both living users of “KFloppy” can still manage their floppy disk collections.

Still trashed with programs selected waaaay back in Sarge.

It occurred to me how recent the version of Firefox ESR was in this final point release of Buster. So recent, in fact, that it hardly justifies examination. With the way that Debian security repository releases work, once Upgrade-Journey has been upgraded to Bullseye, it will sit at the current supported Firefox ESR.

When did SuperTuxKart begin to look like a professionally developed commercial software? Around 0.9.3, apparently.

Fun Factoids

Where Stretch would have needed AppArmor explicitly enabled, Buster enabled AppArmor by default.

The minimum TLS version was bumped from v1 to v1.2.

Cryptsetup switched to the new LUKS2 format, backward-incompatible with older LUKS1 format.

Buster saw the introduction of driverless printing through IPP.

My earlier assessment that Debian’s upgrade scheme had reached a stable plateau might have been a little bit premature. Here we saw not only minor issues with the upgrade process, but also further complexity requiring special attention in order to avoid breakage. It may have been fine to ignore and proceed anyway, but we’re also trying to avoid building up a sort of technical debt. This is getting into the home stretch next with Bullseye.

Debian Upgrade Marathon: 9 Stretch

Mon, 14 Jul 2025 00:12:00 -0400

At last, software produced within the last decade is in our grasp. The first Debian to have an option for Wayland display server as well as the option for a rootless Xorg display server. nftables was being jockeyed into position for the next release with Buster as replacement for iptables. Stretch launched into a year which saw the Spectre and Meltdown disclosures and which had to contend with rampant WannaCry ransomware. With prominent data breaches peppering the calendar, it was not a great year in computer security. And still, Stretch put its users on better footing to persevere compared to rival operating systems of the commercial variety.

Unlike with the earlier upgrades, there were no breakages requiring adventurous fixes. Prior to Jessie, Debian iterated through many substantial changes which the upgrade process couldn’t hide away from end users. They were as rocky as were to be found in a “rock solid” distro like Debian. Unfortunately for us, that means that this last stretch toward the finish line might grow comparatively dull.

Upgrading from Jessie to Stretch

Starting with some things I decided to tackle beforehand, I removed the LINUX_CMD_LINE=“acpi=off” argument from /etc/default/grub. Way back at the installation of Sarge, I applied this due to an issue with the Intel Pentium 4 platform which was used as the launch point for Upgrade-Journey wherein the system would halt without actually powering off. One sudo update-grub and a few reboots later proves this newer AMD platform capable of ACPI features.

A bunch of cruft built up within Apt’s cache warranted clearing.

sudo apt-get autoclean

Which removed 15 *-dbg packages from the main archive as of Stretch.

All ~40 pending package installations where then deselcted in aptitude.

dpkg --audit

Cries about a dozen transitional dummy packages. Don’t care - skipping.

Finally, we can run sudo apt edit-sources like civilized people. All Jessie entries could be replaced with Stretch easily enough.

sudo apt update

✔

sudo apt-get upgrade

“PAM profiles to enable:?”

Yes to all. (Default)

“What do you want to do about modified configuration file 50unattended-upgrades?”

Install the maintainer’s version.

sudo apt-get dist-upgrade

“Default display manager:?”

gdm3.

“Do you want to set up the BSD lpd compatibility server?”

No.

“Do you want to upgrade glibc now?”

Yes.

“What do you want to do about modified configuration file ssh_config?”

Install the maintainer’s version.

✔

Post-upgrade

With needrestart available since Jessie, it is trivial to check that a newer installed kernel version is available and awaiting reboot. We no longer need to check for this manually.

Instead of subjecting all of your bleeding eyeballs yet again to an LLVM-powered fallback display environment, I allowed firmware-amd-graphics to make its home on this machine by way of the non-free repository. When we began this journey, I specifically chose an Intel host so that the graphics stack could be run without the non-free repository.

Since AMD’s display stack requires firmware blobs (shame on you, AMD!), the integrated GPU on this AMD board will not provide GPU accelleration unless Debian’s non-free repository is added to sources.list and we issue sudo apt install firmware-amd-graphics.

Looking better

Impressions of Stretch

At 3.22, Gnome finally starts to become more coherent. And the programs menu can better cope with organizing many applications into pages, instead of just throwing a wall of icons at the user. I dare say it could pass for a desktop environment that one might see today in 2025.

Stretch feels, to me, less fragile than some of the earlier releases we visited. Maybe it’s just familiarity bias, but changing configurations in GRUB or messing with display settings doesn’t feel like a potentially irreversible decision. And this is in spite of six prior releases worth of artifacts and old configurations having built up. Just look at all these old kernels we’ve been collecting like Pokemon!

Later in this experiment, I should attempt booting from each of those. Sadly, we lost kernel 2.4 as it is incompatible with GRUB 2 and udev.

Firefox 91.11 is as functional as ever in 2025. Not ancient, but antiquated, it too could even be mistaken for contemporary Firefox.

The saved PBS page is basically functional as of Stretch.

Aside from long dead security support and probably being extremely fingerprintable, it could practically be used as a daily driver browser.

And what about 3D rendering? Minetest (now Luanti) was included in Stretch and the RS780 integrated GPU on this board does quite well with the high polygon count. SuperTuxKart 0.9.2, now making use of lighting and other fancy effects, needed to be dropped to lowest settings to remain playable.

The fact that SuperTuxKart has gradually grown more demanding attests to the continuous, long term attention the project has received in the way of gameplay and graphical enhancements. And speaks less to just how poor a performer this RS780 is.

Fun Factoids

Stretch introduced a new naming method for network interfaces. However, the new convention does not apply to upgrades from Jessie and so our Upgrade-Journey machine retains its “eth2” interface.

Xorg display server can be run rootless in Stretch. However, only gdm3 supports doing so.

Debian continue their iterative security improvements with:

Apt in Stretch now fetches packages as the unprivileged user “_apt”.
The Debian installer gained support for HTTPS enabling retrieval of packages from mirrors supporting HTTPS. Which wasn’t many at the time IIRC, and also requiring the apt-transport-https package.
openssh-server drops old ciphers and default disables the SSH1 protocol.

And with that, https mirrors can finally be added in sources.list, not that security had been any kind of priority on this Upgrade-Journey. With this 2008-era hardware platform already being nearly a decade old to our fictitious traveler user, they may once again be eyeing an upgrade for their foray into Debian Buster!

Proprietary Torment and The Just Universe

Thu, 10 Jul 2025 23:05:41 -0400

It’s been a while since we last checked in on the normies to see how their relationship with tech has been going. Let’s relax and take a little tour of what exciting new methods their proprietary overlords are using to rule over them.

Microsoft is charging ahead with a one-two punch. First making Microsoft online account creation and internet connectivity a hard requirement in the Windows 11 installer.

They’re now seeking to follow up by disabling a workaround which had become popular by the useds to sneakily create conventional local user accounts. 7/10, Microsoft. You left some loopholes open but you beat them nearly to submission!

Microsoft will be implementing an “AI agent” to change settings that are difficult to find on behalf of the useds. Just to reemphasize: The multitude of Windows settings menus is so vast, so inconsistent and ever-changing that they feel it necessary to build a bot that traverses their UI just to toggle simple settings. And yet, Linux is the one that is “difficult to use”.

Edge browser (Google Chrome wearing clown makeup) has been baked in as a dependency for “desktop apps” such as the Windows Store. Basically electron, but even worse. When users investigate how to remove Edge, they’re directed to a dark patterns page which seeks to frighten them away from the venture.

A not so sneaky way of promoting Edge to a level of ‘importance for the functioning of the system’.

the next time you have a dozen programs open, open Task Manager and force kill all the “Edge WebView2” processes and watch some of your open programs disappear or break

Windows gamers have been whining about getting disrupted mid-game by full-screen popover ads nagging them to install Windows 11. Nice. Predicably, there are those in the comments huffing and puffing “This time I’ll do it! This time I’m going to switch to Linux! Just you watch!” Of those who actually make an attempt, how much you wanna bet they’re ♫ not going to last? ♪

This one I find hilarious. Microsoft have combined the storage space of what used to be separate email and file storage. Windows automatically backs up the used’s local files to Microsoft’s remote storage, eventually filling it. They then lock the associated email account and demand subscription tribute because all of the ’email storage’ has been consumed. Oh, Microsoft. You really do have the lobes for business.

How about promotional shortcuts that get added automatically by updates? That’s a thing now over in Windows land. Even users running enterprise versions of Windows, a strategy used by some to try feebly to avoid such abuse, report that these ads still get installed unsolicited in the background.

Yes, Tik Tok, Disney streaming and Xbox, such a professional environment. I didn’t intend to single out Microsoft, but this post is already lengthy and sifting through the brain damage at reddit is making me queasy. Anybody who has ever touched a Windows box will know that there is an endless torrent of these incursions on one’s sanity to be had.

“Why don’t they just install Linux?!” you might say. Well, let’s take a moment to remind ourselves what we’re dealing with when it comes to the average person:

Many people don’t even know which continent they inhabit. And you expect them to provision an operating system? Are you delusional?

And even if they could. Would you really want them cluttering up your favorate community distro? There is a very real competency barrier to Linux and that is not a bad thing. Simply a sober observation. There is a large swath of the population who probably should be on the iOSes and Androids and Windows’s of the world. Forever suffering every torment conjured by their proprietary masters.

Debian Upgrade Marathon: 8 Jessie

Fri, 27 Jun 2025 20:28:50 -0400

Jessie marks the halfway point of our journey, from Sarge to Bookworm, from 2005 to 2025. It is here that I enter into more familiar territory, having only used desktop Debian since around the end of Debian 8’s life cycle. Familiar tools make their appearance in Jessie; needrestart, mpv and the oft criticized systemd.

Big changes were unfolding in the PC industry around the time Jessie was introduced. AMD was beginning to carry out their driver strategy transition to AMDGPU, abandoning the mess that was their fglrx proprietary Linux display driver. Intel’s integrated graphics were finally beginning climb up out of garbage-tier performance. Microsoft had brazenly begun force installing the new Windows 10 on home users computers without their knowledge or consent. It was a good time to be stepping into Linux land.

Upgrading from Wheezy to Jessie

aptitude reported 24 packages ‘broken and have been fixed’ and 97 packages to be installed, including kde-base 😡. I deselected openoffice and kde related packages before running the installation of the rest.

dpkg --audit revealed roughly a dozen transitional and dummy packages listed with ‘missing md5sums control file’. Although there are no held packages so I proceeded, ignoring it.

apt’s edit-sources feature still isn’t production ready as of Wheezy, so I continue to sudoedit /etc/apt/sources.list and replace all instances of ‘wheezy’ with ‘jessie’.

sudo apt-get update

All good. ✔

sudo apt-get upgrade

sudo apt-get dist-upgrade

“Disable password authentication for root?”

Yes

“Would you like to balance the IRQs once?”

“Configuration file for ‘/etc/ls.so.conf’?”

Installed maintainer’s version

Upgrading the base-passwd package triggers an update of shell path for system user accounts.

“Change the shell of user ‘daemon’ from /bin/sh to /usr/sbin/nologin?”
“Do you want to change the shell of user daemon?”

Yes

It continued on to ask the same of users bin, sys, games, man, lp, mail, news, uucp, proxy, www-data, backup, list, irc, gnats and nobody.

“Pam profiles to enable:”

Yes to all

With the dist-upgrade having concluded without issue, it comes time for some sanity checks.

The release notes for Jessie have adapted their suggestion to check installed kernels, appending grep -i meta, emphasizing the kernel meta package in hopes of steering users away from manually installing each new version.

dpkg -l "linux-image*" | grep ^ii | grep -i meta

And kernel 3.16+63+deb8u7 got installed automatically, which is assuredly Jessie’s kernel as of the final point release.

sudo apt-get autoremove

Of note, gnome-fallback was removed, udisks was removed (probably in favor of the new udisks2 package) and 249 other packages.

sudo apt-get upgrade

Which added gnupg-agent, gnupg2 and gpgsm.

The package hardening-wrapper was deprecated by the Debian team but dpkg -s hardening-wrapper shows that it isn’t installed anyway.

The moment of truth: sudo reboot

Which reboots to a GRUB splash with fancy new art before launching straight to the gdm3 greeter. Not bad, considering the entire init system has been changed out from underneath.

Frankly, the upgrade to Jessie had been the simplest so far out of all since the start of this marathon. There were hardly any items requiring attention before rebooting. We can see the stable release upgrade process beginning to mature.

The entire procedure is really starting to become very routine, a reflection of the cumulative development hours put into such a large software project over decades.

Impressions of Jessie

Say what you will of systemd, but there are no more boot timing issues like was seen back in Squeeze with boot scripts unable to mount the root filesystem. And to have a unified apt instead of juggling between apt-get, aptitude and apt-cache for everything felt like I was once again standing on solid ground.

Total packaged software was by now over 40,000 which felt substantial. No longer could the entirety of the Debian archive be perused in a single session without skimming over a bunch of items. There was just so much to explore. This particular installation diverges a bit from the baseline in that its programs menu pane is just absolutely littered with junk. Most of it is just patchwork of various games metapackages.

On the graphical side of things, and taking a moment to remind ourselves that Gnome is not representative of Debian (though the default), Gnome was busy borrowing design motifs from popular mobile graphical interfaces. It is no wonder reception of Gnome 3 has been so mixed. It either speaks to you or it doesn’t. One minor detail I like is how the program icon forms the background of the top panel’s active program window.

You might have noticed I was using konsole above. This is because gnome-terminal for some reason refused to launch. When I attempted launching it from terminal, it complained about something with dbus.

Error constructing proxy for org.gnome.Terminal:/org/gnome/Terminal/Factory0 Error calling StartServiceByName for org.gnome.Terminal: GDBus.Error:org.freedesktop.DBus.Error.Spawn.ChildExited: Process org.gnome.Terminal exited with status 0

I attempted to launch gnome-terminal per the friendly advice at askubuntu when the possibility became apparent that the changeover in locale to UTF-8 back in Etch may not have been completed.

Gtk-WARNGING **: Locale not supported by C library.
Using the fallback 'C' locale.

So I issued dpkg-reconfigure locales where it was indicated that ’en_US ISO-8859-1’ had still been selected. I changed it over to ’en_US.UTF-8’.

“Default locale for the system environment?”

en_US.UTF-8

Then rebooted to find gnome-terminal launching successfully. Actually having carefully documented these upgrades shows that en_US.UTF-8 was indeed selected during Etch. I wonder what happened.

Thumbnail generation for video files was now working in Nautilus. A feature which, oddly enough, depends on the presence of Totem. And video playback for HEVC encoded media finally works. Also, newly in Jessie, is the great mpv media player.

Filetype	Functionality	Notes
MP4 Video	✔	Totem 3.14.0, VLC 2.2.7, mpv 0.6.2
Webm Video	✔	Totem 3.14.0, VLC 2.2.7, mpv 0.6.2

馬鹿にしないで。日本の映画を見ているのが好きになりました。

Firefox 68 falls deep within the territory of enshittification that Mozilla has chosen to follow, with its default startup page reflecting so.

Interestingly, Firefox 68 is new enough to be able to use the repository at addons.mozilla.org, but also old enough that the newer webext family of Firefox extensions cannot be installed. Nor can the signatures associated with many older extensions be verified. Probably something to do with the changes following Mozilla’s fiasco involving the expired certificate used in extension signing. The setting xpi.signatures.required in about:config needed to be changed to false before an old version of uMatrix could be installed.

Now we’re getting somewhere. I genuinely did not know that uMatrix once had CNAME uncloaking functionality.

The situation with rendering the cached PBS web page further improves under this more recent browser.

SuperTuxKart 1.8.0, one of the last versions before it was migrated to their custom Antarctica fork of Irrlicht, now sports a story mode, unlockable race tracks and some professional looking animated improvements such as Thunderbird taking on the role of race dispatcher. Much like another airborn race dispatcher found in a popular commercial kart racing franchise. The tracks themselves also start becoming more imaginative.

Fun Factoids

Among the architectures added to Debian Jessie was ppc64le, which I still use to this day!

ssh still does not share common standards with modern clients. no matching host key type found. Their offer: ssh-rsa,ssh-dss

Work on hardening packages by default continued in Jessie, with additional hardening switches applied.

The kernel flavor had been bumped to i586 for the x86 architecture.

I’ve enjoyed going back through the releases that I ‘missed out on’ but there is a different kind of intrigue to be found in revisiting old operating systems that one had once used. Where it can really help frame perspective of just how far things have advanced. Adjacent releases seem iterative, but the improvements accumulated over decades can be staggering. We’ll take a look at even more in Stretch!

Debian Upgrade Marathon: 7 Wheezy

Wed, 18 Jun 2025 22:36:37 -0400

With enough road now behind us, I finally took it upon myself to make a clone of the Upgrade-Journey drive so that I can save scum if the need arises. Today we’re taking on Debian 7 Wheezy. The same Debian that formed the basis of Valve’s first-ever SteamOS release. Where the Debian project really began to hit its stride.

Wheezy launched not long after the ‘world IPv6 day’, and fittingly added support for the installer to work on IPv6-only environments. It was the year of Heartbleed and of the disclosures by Edward Snowden. The modest smattering of newbies that these events may have attracted to Linux would have found a Debian which still assumed the paradigm of the decade prior. Which, for today’s upgrade, makes for an excellent time capsule.

Upgrading from Squeeze to Wheezy

Aptitude was used to check any pending changes which found kde-base and several gnome packages waiting to be installed.

Verified that all packages are in an upgradable state. ✔

I dropped to terminal and pointed /etc/apt/sources.list to wheezy. Despite some sources suggesting archive.debian.org/debian-security/, I found that archive.debian.org/debian-archive/debian-security/ continues to work, still getting hits for both updates/main and updates/contrib repositories.

sudo apt-get update

Wheezy’s Linux kernel includes PAE to expand addressable memory above 4GB on 32 bit computers. Pentium 4 was the CPU family in my first PC, so I knew already that it makes use of PAE. But anyone unsure of it can check whether the extension is available with:

grep -q '^flags.*\bpae\b' /proc/cpuinfo && echo yes || echo no

yes

So no manual intervention is required for the currently installed linux-image-686 kernel. We then begin the upgrade.

sudo apt-get upgrade

Anyone paying close attention to the release notes would have seen that the new directives in the sudoers configuration file aren’t added automatically. They go on to recommend adding one’s existing sudoers to the sudoers conf directory.

mv /etc/sudoers /etc/sudoers.d/mychanges
mv /etc/sudoers.dpkg-new /etc/sudoers

Neglecting to read ahead, I simply opted to compare the difference between the new maintainer’s version and my own.

“[Replace] Configuration for ‘/etc/sudoers’?”

I used the diff option (D) to check that the main user is still listed before committing to use the maintainer’s version. Despite that, immediately upon checking elevated privileges I found that my ’traveler’ user is “not in the sudoers file”.

grep -e sudo /etc/group

Which showed the ’traveler’ user isn’t included in the sudo group. Well, thank goodness the root account is active because the installer all the way back in Sarge didn’t provide any option to disable the root account.

su root
usermod -a -G sudo traveler

Unfortunately, the session would need to be restarted and logged back in before this addition takes effect. And since we’re in the middle of a system upgrade, it would be best not to chance that. So, for now, we take the messier route and run visudo as the root acount to add the standard user back in before exiting from the root user.

traveler	ALL=(ALL:ALL) ALL

Which is probably over-privileged, but this can be tightened up at a later time. I attempted to proceed with the remainder of apt-get dist-upgrade which produced the first package conflict of this entire experiment. initscripts would break nfs-common.

Well, we’re not using network filesystems so we can blow that one away!

sudo apt-get remove nfs-common

Poof! Goodbye!

Attempt #2:

sudo apt-get dist-upgrade

I selected gdm3 as the default display manager because kdm with kde-base yet again found its way back onto this system.

“Should NTFS-3G be installed with ‘set uidroot’?”

“Restart services during package upgrades without asking?”

Yes

“Configuration file ‘/etc/default/rcS’?”

The package maintainer’s version got installed.

“PAM profiles to enable?:”

Yes to all (default)

“Configuration file ‘/lib/lirc/hardware.conf’?”

I installed the package maintainer’s version.

And the dist-upgrade completed to little fanfare.

Post-upgrade items, before rebooting

I compared the installed and running kernel versions:

uname -r

2.6.32-5-686

And then checked the installed kernels:

dpkg -l "linux-image*" | grep ^ii

We see linux-image-686-pae 3.2.102-1 which is indeed Wheezy’s version. ✔

And there remain no pending package additions or removals, according to apt-get. ✔

Wheezy probably had the fewest post-upgrade nails to hammer down out of all the upgrades we’ve done so far.

sudo reboot

Which arrived at a filesystem check that failed and necessitated restarting Upgrade-Journey again.

After which rebooting was all successful.

As a point of interest, I would like to allow old kernels to accumulate. Normally this would have me worried that the /boot partition might not be large enough. du reports that 44MB of kernels reside there at the moment. But Upgrade-Journey’s /boot sits at root on the same partition so it should be fine anyway.

Post-upgrade items, after rebooting

sudo apt-get autoremove

Initiated the removal of 368 packages including OpenOffice, which has by now been replaced by LibreOffice 3.5, and other packages to remove regarding Gnome and KDE.

Impressions of Wheezy

Because an issue with X11 remained from our visit with Squeeze, Gnome 3.4.2 failed to load up the new Gnome 3 convergence desktop. The fallback mode resembles Gnome 2 classic while borrowing visual elements from Gnome’s new design conventions. It maintains a top and bottom bar, with collapsible menus and no full screen programs overview.

How this exercise would have looked had it remained on our trusty old Pentium 4

The X11 brokenness and audio brokenness is beginning to get in the way of capturing the feel of these historic releases. And, seeing as Wheezy was released in 2013, I think it’s nigh time for our imaginary user to finally upgrade their computer. Let’s cast off this crusty old Pentium 4 with its busted audio and its Intel eXtreme[ly bad] graphics in exchange for a fancy AMD Athlon II multicore 64 bit system.

I’d been waiting until after the drive UUID assignments had been sorted out before swapping the physical host. And this change will be important when we later configure multiarch in order to morph this x86 installation into x86_64.

Much better! Even though I select “GNOME” at the greeter, it still uses Gnome fallback. But that is okay, as I think it makes for a very nice bridge between Gnome 2 and Gnome 3 in this upgrade marathon.

Filetype	Functionality	Notes
All Audio	✔	Audio hardware issue confirmed and resolved. Was likely working as far back as Sarge.
MP4 Video	🗷	Segmentation fault. Totem 3.0.1
MP4 Video	🗷	‘VLC does not support the audio or video format ‘hev1’’. VLC 2.0.3
Webm Video	🗷	Segmentation fault. Totem 3.0.1
Webm Video	🗷	‘VLC does not support the audio or video format ‘undf’’. VLC 2.0.3
Web	✔	Mostly working now without certificate issues. Firefox-ESR 52.8.

If I understand correctly, Wheezy started out with IceWeasel 10 but, by EOL, had transitioned to Firefox ESR 52.8. This kind of incredible pace has to do with the rapidly accelerated release schedule that Mozilla adopted in order to compete with Chrome. Mozilla and Debian had finally resolved the branding dispute by the twilight days of Wheezy. There is even a menu entry to convert IceWeasel settings and extensions to Firefox ESR, along with a new Firefox ESR entry.

At version 52.8, it is the first in this marathon to feel like the familiar Firefox of today. And it actually establishes connections with HTTPS certs without much issue, making it feasible to use on the modern web if one were so inclined.

I actually remember using Firefox back when it used to look like this.

The cached PBS page renders… better than before.

Vimeo couldn’t load its web player. Do they even host videos anymore? It looks like Vimeo pivoted to a different business.

SuperTuxKart 0.7.3 continued to receive much love with a revamped menu system and new karts and tracks. It still had a cobbled-together home made vibe by 2013 standards, but definitely better polished.

Fun Factoids

Preliminary support for systemd was introduced in Wheezy as a ’tech preview’. I’d always thought that systemd was added only in the lead up to Jessie.

Debian briefly replaced ffmpeg with libav-tools, citing a release process more congruent with Debian’s.

It is here that Debian began using hardening options at build time.

AppArmor is introduced but disabled by default. I even remember having to go and supply boot arguments in GRUB to enable AppArmor as early as Debian Jessie, before it was enabled by default in Stretch.

PulseAudio is made official as the primary audio daemon.

Wheezy is where new installations would have gotten ext4 root filesystems, but we’re going to camp out on dusty old ext3 without even the full featureset and see what happens.

The Debian installer enabled WPA encrypted wireless links. Those rocking open source ath9k powered Qualcomm cards could have installed their Debian without having to load proprietary firmware and drivers.

Wheezy represents the last of the releases in this marathon to be new to me. The first Debian I’d used as a desktop OS had been Jessie.

All You Need Is SSH

Sat, 07 Jun 2025 20:31:18 -0400

As a self professed minimalist, I’ve long been a fan of the axiom “Perfection is attained not when there is nothing more to add, but when there is nothing left to take away”, penned by Antoine de Saint Exupéry. When working with complex systems, one typically finds that the best solution to a problem is often the simplest. Already this is true in digital security, where complexity itself can stand at odds with the goals of securing a system. But also the operation of a system can suffer. This can manifest when placing abstraction upon abstraction in front of something whose function should be dead simple.

I see it in circles of tech enthusiasts deliberating among themselves the best way to share media to other devices, or to create network drives for aggregate storage, or for distributing backups. It seems every few weeks there is a new contender waiting to gift wrap all this functionality up cleanly into a sleek, web service inspired abstraction that will incur more in maintainence burden than its initial value proposition. Just recently some sailors were up in arms about a popular video streaming abstraction layer beginning to charge for once-gratis features. They were already paying to do something so basic?

I don’t quite understand their plight, because if one has already gone to length to setup a home server, then it should already be equipped with one of the most powerful and versatile tools: OpenSSH.

And, if not, how were they administrating said server? Well, probably through bloaty web front-end abractive layers, right. But we don’t need any of that. We have access to better options.

What are these secret dark arts? You may already know, but here’s a refresher:

Streaming video from an OpenSSH server

Stream video from your massive collection of movies that you ripped from your DVD collection that you legally own.

mpv sftp://192.168.1.123:/home/remote-user/Films/Miami\ Connection.mkv

Need to specify a different user? A different port? Password even?

mpv "sftp://remote-user:[email protected]:13383:/home/remote-user/Films/Miami Connection.mkv"

Transfer files to or from an OpenSSH server

The SCP way, available wherever openssh is installed. Pull a file down from the server.

scp -P 43900 [email protected]:/home/remote-user/Books/The\ Theory\ of\ Generativity\ -\ David\ G.\ Post.pdf Documents/

Or send an entire directory to the server.

scp -P 43900 -r Audio/Album [email protected]:/home/remote-user/Music/

Or with rsync which is even more robust and which you likely already have installed.

rsync -e 'ssh -p 1234' Audio/Album [email protected]:/home/remote-user/Music/

But rsync can leap even higher. Let’s say you want to send something over a jump host hop.

rsync --progress -av -e 'ssh -p 1234 -J [email protected]:22591' Videos/Youtube\ Channels/Jaboody\ Dubs\ Archive [email protected]:/home/remote-user/Videos/

The -p switch nested within rsync’s -e switch arguments specifies the port to the target computer that sits adjacent to the jump host. The -J switch specifies the jump host itself along with its port included in the extended address.

But let’s say you’ve been moving a lot of data around and the remote ISP at your jump host had begun throttling or blocking traffic originating from your IP address. Time to get crafty.

torsocks rsync --bwlimit=0.3m --progress -av -e 'ssh -p 1234 -J [email protected]:22591' Videos/Youtube\ Channels/Jaboody\ Dubs\ Archive [email protected]:/home/remote-user/Videos/

By pushing the transfer over Tor, the effort to block your connection becomes a game of hydra slayer to the remote ISP at your jump host. Additionally, by limiting the bandwidth yourself with –bwlimit=, not only are you being more respectful of the Tor network’s capacity, but your transfer won’t appear so readily as abuse to the remote ISP, even if you opt not to use Tor.

My ISPs watching yet another 50GB of traffic shuffle through Tor
"My

Collaborative documents over an OpenSSH server

LibreOffice exposes functionality for interacting with documents residing on OpenSSH servers. We don’t need to use some “Cloud” (somebody else’s computer). Within LibreOffice Writer, navigate to File > Open Remote…

On the Managed Services dropdown, select Add Service. A File Services dialogue will launch to take your SSH server credentials and documents directory path.

Once it has been added, your remote document files can be browsed and accessed.

LibreOffice Writer can also take domain names for such documents hosted at a server hosted outside the LAN. No need for reimplementations of commercial products which force users through a web application.

Administration

SSH was practically built for this. I feel this hardly needs explaining. Webmin panels aren’t needed and they serve to expose yet another service for bots to pry at. Use top for system monitoring. Take a look at nethogs for bandwidth monitoring. nnn for directory navigation. Local mail and log monitoring. It’s all right there, accessible through the terminal.

As can be seen, the use cases for openssh-server are varied and diverse despite it predominantly being viewed simply as a CLI conduit to remote systems. I think you’ll find that a tiny, low power box running a bare minimum software compliment, tucked away in a dusty corner can serve up quite a lot without having to overthink things.

Debian Upgrade Marathon: 6.0 Squeeze

Wed, 04 Jun 2025 19:30:33 -0400

The backward compatibility of interfaces has been nothing short of heroic. It is easy to forget that I’m plugging networking equipment and USB devices into ports that would be old enough to drink, and still they speak to one another without getting into fisticuffs. Vintage Debian may have been floundering with janky display drivers and broken audio but at least it was ready to transfer memes off of drives from the future!

Anybody doing a complete upgrade marathon, starting with Buzz in the nineties, would get to cross the Y2K barrier before making their way through two new decades of software yet. But here is where we first get to dive into the 10’s. A decade that saw the rapid normie-fication of the web, but also an acceleration of countermeasures in response. Somebody running Squeeze at that time may have used it to test drive Minecraft beta builds or host a server world not too far away. It may have accessed pages through a burgeoning Chrom[ium] browser or have been suffering through a Flash heavy web with the help of the update-flashplugin-nonfree.

Upgrading from Lenny to Squeeze

We are advised to remove splashy before upgrading since it can conflict with init scripts. But splashy was not installed on this system. ✔

No pending package changes ✔

All packages in upgradeable state ✔

sources.list was updated to point to substitute instances of ’lenny’ for ‘squeeze’. This is the first release of Debian for which apt-get is preferred for upgrades instead of aptitude.

sudo apt-get update

Step one of two-part upgrade:

sudo apt-get upgrade

gdm and other services get restarted.

“Keep configuration file for /etc/console-tools/config?”

Install the package maintainer’s version. Again, I haven’t really made any customizations to this system.

We are warned again that Squeeze versions of udev alongside a Lenny version of the kernel could cause issues with networking and storage devices.

dpkg -l "linux-image*" | grep ^ii
linux-image-2.6-686

Since the kernel metapackage is already installed, and the latest version, I move on to the full upgrade step.

sudo apt-get dist-upgrade

“Keyboard settings have been unified between X.org and console. Consider running dpkg-reconfigure keyboard-configuration. Select a keyboard model.”

Generic 104-key PC, USA

“AltGr key: The default for selected keyboard layout.”

No compose key.

“Set Ctrl+Alt+Backspace to terminate the X server?”

No.

Unattended-upgrades gets installed automatically during the Squeeze upgrade. Seeing as there are categorically no more updates to get from Squeeze since it is long unmaintained, and that I will be issuing all package updates and upgrades manually, I select No.

“Enable realtime process priority [JACK]?”

This is not a sound engineering station so No.

“Multiple display manager packages are installed. Select which should be run by default.”

gdm

Somehow kdm had found its way onto this system.

“Upgrading from GRUB 0.97 to GRUB 2.”

As part of the transition to GRUB 2, it recommends manually running upgrade-from-grub-legacy later, which I did later in the post-upgrade tweaks. I opted to keep custom GRUB line “acpi=off”, which I added because this board has trouble powering off on shutdown request. Also the Linux default command line “quiet” was kept.

“PAM profiles to enable:”

Unix authentication

Some obsolete packages, xfree86 and others, prevented migration to the new dependency-based boot system. I’ll need to revisit this.

It offers to update disk device identification to UUID, which we tried during the upgrade to Lenny but walked back after issues. I select Yes, hoping it can clean up the mess for me.

“Boot loader configuration check needed”

Also to investigate.

I kept mplayer.conf maintainer’s configuration file.

“Select PAM profiles to enable:”

Yes to all.

“Register Virtuoso ODBC driver?”

Yes.

And now dpkg reports the installed kernel as the Squeeze version of the package, linux-image-2.6.32-5-686.

Post-upgrade items, before rebooting

Gnome display manager gets held back for upgrades from Lenny, even though new installs of Squeeze get 2.30 from the gdm3 package. The release notes recommend systems coming from Lenny should manually install gdm3 following the upgrade.

sudo apt-get install gdm3

And I selected gdm3 as default display manager.

Debian Font Manager advised to run “defoma-app purge gs”:

sudo defoma-app purge gs

Which purged some old font configurations.

sudo upgrade-from-grub-legacy

I selected /dev/hdc but not /dev/hdc1.

Surprise fun issue

Okay, so it didn’t boot well, prompting me to do some song and dance after letting Upgrade-Journey reboot from GRUB to an unhelpful blank screen with blinking cursor.

Ctrl+Alt+F1 didn’t yield any terminal… buuuut I discovered that if I held Ctrl+Alt+F1 or Ctrl+Alt+F2 brief flashes of terminal screens of an otherwise “successfully” loaded Debian Squeeze would flicker through the blank display. If I timed my release of the keys well enough, à la roulette style, it dropped me into a terminal session at which I could sign in. How’s that for triage?

I proceeded to check dmesg, /var/log/X11 and a few other places that might clarify the issue. But at the end of the day, I’m just making educated guesses. That’s the Wrongthink way! First thing was to clear the additional display managers seen earlier in the upgrade.

sudo apt-get remove kdm

kde-base also needed removal.

I fiddled with the configuration at /etc/X11/xorg.conf hoping to regenerate it, but Xorg’s -configure option threw a fit about one display apparently being one too many. I then dpkg-reconfigure’d several packages and completely purged and reinstalled the X server.

sudo apt-get purge xorg && sudo apt-get install xorg

At last, starting up gdm3 manually loaded up a graphical session at the gdm3 greeter.

sudo /etc/init.d/gdm3 start

I could hardly believe it. Really, I wasn’t even sure how to attack this problem at first. And the system once again boots reliably.

Post-upgrade items, after rebooting

sudo apt-get autoremove

Involved the removal of 475 packages. Most of them being game metapackages, x.org packages, python libraries and other libraries. Maybe this will clean up the desktop session a little bit.

Lastly, I check /etc/fstab /etc/default/grub because a warning during the upgrade indicated issues with the migration to Squeeze’s dependency based boot system and with the migration to GRUB 2. And the UUIDs automatically discovered and applied during the upgrade are there, with the old /dev/hdc* entries automatically commented out.

Impressions of Squeeze

The greeter seems to be a step back in presentation from the one used in Lenny. Harder edges with solid, flat greys in front of a background that, while creative, certainly looks dated for something launched in 2011.

We’re back to 1280x1024. Whatever, at least it works. gnome-screenshot needed to be reinstalled. The dist-upgrade removed it along with much of the KDE package bloat that had been plaguing this system since Sarge.

Is that cursor Adwaita? Gnome 2.30.2 was the last version used in Debian before it got reimagined as the controversial Gnome3. Pre-convergence Gnome hadn’t really changed all that much over the course of our journey. Also I know I just said that the Squeeze background looks dated, but I do like its character with the little spaceship. You don’t see that kind of human touch in today’s very corporate desktop environments.

The drive naming convention got updated to /dev/sdX which had gone unnoticed during the upgrade. Perhaps this was automatically handled along with the conversion to UUID device naming.

Filetype	Functionality	Notes
Animated GIF	✔	Animated gifs finally play in Eye of Gnome. Eye of Gnome 2.30.2
All Audio	?	Still no sound even under PulseAudio. Likely hardware issue. The music had probably been working okay.
MP4 Video	🗷	“Playback of this movie requires a video/x-gst-fourcc-hev1 decoder plugin which is not installed” Totem 2.30.2
MP4 Video	🗷	“VLC does not support the audio or video format ‘hev1’” VLC 1.1.3
Webm Video	🗷	“Playback of this movie requires an audio/x-unknown decoder plugin which is not installed” Totem 2.30.2
Webm Video	🗷	“VLC does not support the audio or video format ‘undf’” VLC 1.1.3
Web	?	No improvement.

Getting browser extensions into distribution package repositories serves more purpose than just convenience. It is also a way to preserve historic software. A helping of various defunct addons can readily be installed by:

sudo apt-get install xul-ext-adblock-plus xul-ext-noscript

Still, only plain HTTP pages can be accessed. SSL and TLS ciphers probably won’t be current in the browsers that we’re testing until around Stretch.

The cached PBS page doesn’t seem to like Iceweasel’s fifteen year old javascript interpreter very much.

Super Tux Kart almost looks like a step backward, but it has occurred to me that the desktop session is probably running in software rendering mode. The CPU gets pegged at 100% with 3D rendering. That might also explain the fallback to 1280x1024 resolution and ugly GTK desktop. In any case, we won’t spend time fixing things unless they get in the way of the upgrade process.

Fun Factoids

Squeeze is the first instance of a distribution making possible the usage of non-Linux kernels, with kFreeBSD.

Squeeze is where backports had been made official, formerly “semi-official”. The backports.org repositories were integrated into Debian’s infrastructure.

This marks the first appearance of ext4 in Debian.

dhcp3 got replaced by isc-dhcp which is still in use today, as of Bookworm.

Squeeze can claim the first release where apt installs recommended packages by default.

I think the effects of chaos theory are beginning to emerge with some notable deviation from clean install releases. Maybe this xserver will heal itself during the upgrade to Wheezy.

Checking the Pulse of OpenPOWER and RISC-V

Fri, 23 May 2025 08:44:34 -0400

Finding computer equipment that respects user freedom and owner control can feel a lot like squeezing water out from stone. You may be one of a few of us who have tepidly followed the developments surrounding RISC-V since its inception last decade. And it looks like the fruits of those efforts are finally coming to bear.

There has been a trend with rights holders of older architectures responding to the emergence of RISC-V by opening up their licensing in hopes of not being overtaken. But it is too little too late. We need only look at what happened with MIPS who open sourced their long time proprietary architecture and only a few years later are now refocusing on RISC-V. Debian have even decided to drop the MIPS architecture from the upcoming Trixie release and free up some space for the new kid on the block.

On the POWER side of things, in addition to being late to the open licensing party, the OpenPOWER effort also suffers from sabotage by its very founders when IBM soiled their architecture with proprietary memory interface firmware. The message this sends is that they dont take the OpenPOWER initiative seriously at all. This has left what few vendors who were actually producing POWER products within reach of average people to scrounge for their own solutions. Developers have been giving up their OpenPOWER workstations while the Raptor Computing Systems TXitter and forums have been wheeled over to hospice care, if activity is any indicator.

Meanwhile, there’s RISC-V which seems to be following one trajectory: UP.

Even when I’m not actively seeking out information on it, there always seems to be some new RISC-V development milestones cropping up [1][2][3]. Team RISC-V enjoys a plurality of vendors producing boards and frequent attention from governments [1][2][3], acedemia and the wider industry. The Debian project’s package stats inform that POWER and RISC-V are currently neck and neck for build coverage, and that’s with POWER getting a two decade head start!

I maintain hope that the world of OpenPOWER will produce yet to be seen libre computing solutions, but my hopes soon return to Earth when we consider that the best OpenPOWER has to offer as of today are expensive (the prices have even gone up since launch!), large[er than I would like] form factor, 8+ years old systems whose components are being delisted as EOL, while there is not a single peep for over a year from the one and only design house who had even been retailing anything.

Meanwhile RISC-V seems to be finding its way into everything lately.

Companies are watching closely and almost every major company has a RISC-V program underway in case they have to react to this outcome.

If every major player has a RISC-V program underway, then they are already reacting.

So I find that I will probably need to keep a few different irons in the fire. For those averse to reading, allow me to summerize the situation thusly:

The inertia behind OpenPOWER right now	The inertia behind RISC-V in contrast

Debian Upgrade Marathon: 5.0 Lenny

Tue, 20 May 2025 21:11:23 -0400

With two versions now behind us, it is a good time to start tracking a sort of “technical debt” as it accrues from upgrades. There are undoubtedly package selections made earlier in Sarge which wouldn’t have been present for users freshly installing Etch or Lenny. This is likely what happened with the oodles of KDE applets bloating up the system menus. Things are also missing, too. For one, SELinux will not get installed automatically in today’s Lenny upgrade.

And I want to go easy on the reigns because it is interesting to see issues corrected by structural changes to Debian. Already, Etch had gotten pluggable USB storage devices working for me. Probably as a result of moving from hotplug to udev. And the display server continues to improve without any administrative touches from me. And longer term, I want to see what interesting artifacts get left over from older releases once we approach the end.

Upgrading from Etch to Lenny

Checked pending changes in aptitude in which some libraries, tuxkart, alsamixergui and moc were marked for removal (*shakes fist!).

Checked that all packages are in an upgradeable state: dpkg --audit ✔

sudoedit /etc/apt/sources.list and modified all instances of ’etch’ to ’lenny'.

Debian, as of Lenny, still recommends aptitude as the primary means of upgrading.

Update the package list: sudo aptitude update

The release notes cite that apt and aptitude should be upgraded first since their solving for dependency chains is much better as of Lenny.

sudo aptitude install aptitude apt dpkg

Which necessarily upgraded libc6 packages and also removed gnome 🤔.

gdm, along with some other services were restarted. I opted to install the maintainer’s versions of configuration files, and will continue to do so as I have not custom configured anything beyond the package selection.

The new Lenny version of aptitude needs to be dry run so that its list of automatically installed packages can be converted to a new format.

aptitude search "?false"

Here I assume no output is good.

Next is the first change we see to the recommended two-step upgrade procedure since the upgrade from Sarge to Etch. They call for the option ‘safe-upgrade’ wherein installed packages will not be automatically removed unless they are unused.

sudo aptitude safe-upgrade

Some whiptail prompts appear during the upgrade:

“Enable saned as standalone server?”

“Add saned user to the scanner group?”

No
Since I don’t want anything scanning or printing related communicating or listening on network.

“Please purge the hotplug package!”

Note to self - will do.

Then the rest of the upgrade (though I see that the modern ‘full-upgrade’ is now an option according to the man pages):

sudo aptitude dist-upgrade

This step replaced ‘gnome’ removed earlier with the ‘gnome-desktop-environment’ package and synaptic also got reinstalled.

“Schedule daily execution of the ‘rundig’ script?”

“Encrypt snapshot [that is written to disk during suspend]?”

“Show splash screen [during suspend and resume process]?”

Yes

Sheesh, all these yes/no prompts are sure to make you feel like you’re at an examination.

I’m beginning to see why recent versions of packages just run with defaults leaving anyone interested enough in customization to explore the conf files. Side note that this leg of the upgrade has taken significantly longer than during the upgrade to Etch. Is it bigger package sizes? More packages? This dist-upgrade reported “12635 new” packages after completion.

I then checked whether the upgrade automatically installed the “new” Linux kernel linux-image-2.6-686:

dpkg -l "linux-image*" | grep ^ii
2.6.26+17+lenny1

✔

Upgrades from Etch are advised to replace sysklogd with rsyslog which the upgrade does not handle automatically. dpkg -s sysklogd reports it still installed, and dpkg -s rsyslog shows no such installation. Time to upgrade this manually:

sudo aptitude install rsyslog && sudo aptitude purge sysklogd

Post-upgrade items, before rebooting

I was right earlier about the way disks are named would rear its ugly head.

“The IDE disk naming convention for the old drivers was hda, hdb, hdc, hdd. The new drivers will name the same disks respectively sda, sdb, sdc, sdd. The problem appears when the upgrade does not generate a new / boot/grub/menu.lst file to take the new naming convention into account. During the boot, Grub will pass a system root partition to the kernel that the kernel doesn’t find.”

I determined to change the identifier for the root file system to a UUID. Find the UUID of the disk:

ls -l /dev/disk/by-uuid | grep hd*

Sure enough, hdc1 is the only disk present.

sudoedit /boot/grub/menu.lst and add the UUID provided by from ls.
from:
kopt=root=/dev/hdc1 ro
to:
kopt=root=UUID=4e76825b-e15b-4ffa-b332-8eb657bacdd4 ro

And sudoedit /etc/fstab:
from:
/dev/hdc1
to:
UUID=4e76825b-e15b-4ffa-b332-8eb657bacdd4

Lastly, finally remove the hotplug package noted earlier (which I think was supposed to be removed after the upgrade to Etch, oh well): sudo aptitude purge hotplug

And restart the system: sudo reboot

Upon first rebooting, it hanged unable to find the root partition. Exactly the issue the release notes described preemptively changing the disk naming convention for. What gives?

I manually edited the GRUB entry to point back to /dev/hdc1 and the system then went on to run a check with fsck. I rebooted it again, this time with no edits to GRUB and it booted successfully to gdm. It is likely that the disk naming convention never actually changed from /dev/hdX. Perhaps this moment will come when I decide to yank the drive and put it into a 64-bit capable host, directly on a real SATA interface.

Post-upgrade items, after rebooting

Both libvte-common and iceweasel needed to be upgraded manually, replacing libvte4.

sudo aptitude install iceweasel libvte-common

moc, openoffice.org needed to be reinstalled manually.

sudo aptitude install moc openoffice.org

The exim daemon didn’t get a chance to restart during the upgrade, so I cleared the warnings posted at startup and shutdown by zeroing the paniclog:

sudo rm /var/log/exim4/paniclog
sudo touch /var/log/exim4/paniclog

Impressions of Lenny

After first logging in, I am greeted with a wallpaper that doesn’t match the aspect ratio and a full wastebasket. For some reason, a Volume Control shortcut ended up in there. I must have inadvertently drag’n’dropped it while exploring Etch. And, for the first time, xserver is rendering an accurate 1440x900 on this 16:10 monitor. At last, proper video output.

The icon theme looks much better with its rounded, glassy design obviously following in the footsteps of the Aero theming direction taken by Windows at the time. Gnome 2.22 doesn’t navigate or feel like something from 2009. Like it hadn’t kept up with UI conventions for the time. Just purely visual enhancements which probably wouldn’t have won me over had I been introduced to desktop Linux back then.

*For the test file set, I will begin omitting file types that had already been found to work. Additionally, I did not use a consistent web page to test against during Sarge and Etch, so I’ve grabbed a local copy of pbs.org to use going forward.

Filetype	Functionality	Notes
Animated GIF	🗷	Eye of Gnome 2.22.3, but mplayer playsback properly
MP3 Audio	?	Decodes but no audio out, all players
OGG Audio	?	Decodes but no audio out, all players
MP4 Video	🗷	“Video codec ‘hev1’ is not handled.” Totem 2.22.2
MP4 Video	🗷	At least began to play but with no video VLC 0.8.6h
Webm Video	🗷	“There is no plugin to handle this movie.” Totem 2.22.2
Webm Video	🗷	No video playback VLC 0.8.6h
Web	?	Many connections fail with “Error code: ssl_error_no_cypher_overlap”, third party frames can also fail with this even if the main page loads. SSL and TLS can be explicitly disabled, at discretion of the user. Local test capture (pbs.org) fails to render webp. Iceweasel 3.0.6-3

Adblock Plus 0.7.2.4 was not compatible with Iceweasel 3.0.6. It offered to locate a newer version but was unsurprisingly unable to do so, likely an issue to do with deprecated SSL standards. So I attempted to manually install a newer Adblock Plus 1.0.2 which should be compatible. And the download is amazingly still live at the Internet archive.

But, sadly, I was unable to install it, with an error “install script not found [-204]”. I tried importing the newer Digicert certificates thinking this might help, but there is additionally no common cypher between the SSL versions being negotiated. Even after navigating to a seemingly compatible .xpi file from addons.mozilla.org using the Wayback Machine, it fails to install citing no_cypher_overlap. By Firefox 3.0 making certificate handling more secure, it has also assured a hard sunsetting once this version fell out of compatibility with modern web standards.

Like with Debian adding GPG signature verification to packages, the immediate way to work around this may be to try to disable certificate checking entirely. I disabled SSL and TLS entirely from the preferences menu and searched for several Adblock Plus versions from the internet archive, but they haven’t captured any copies old enough for the 3.0.6 installer to accept. Maybe we’ll have better luck later with Squeeze.

Anyway, enjoy some completely unfiltered pages accessed via unencrypted plaintext HTTP:

Silly, me. I forgot that Debian has often packaged browser extensions as dedicated packages. Sure enough, adblock-plus could be installed through Debian’s repositories. Much better.

Konquerer and Epiphany both worked for accessing sites while blindly trusting certificates.

SuperTuxKart 0.5 sports settings for full screen and wider aspect ratios. And the additional characters and tracks suggest the game had gotten a little love since Etch.

Adding too many racers into a race would slow things down. Higher resolutions also drag out the framerate on this Intel 845G onboard GPU.

Fun Factoids

The heritage of mpv can be seen in how much mplayer feels like mpv to use.

AMOR “creature for your desktop”, a sort of Bonzi Buddy for Linux, gets installed by some KDE package.

Lenny is the release where the Debian team began preparing the strict exclusion of blobs, having created the non-free repository for bits to reside in.

TLS 1.0 makes its appearance with Iceweasel/Firefox 3.0 family.

vrms reports no non-free software (both on this Lenny system and also before upgrading from Etch), probably overlooking the proprietary kernel modules. vrms has since been renamed to check-dfsg-status.

TIL: H265 dates back as far as 2009, with ffmpeg support via libx265. Neat!

Always a fun way to spend an evening, now I get to look forward to breaking even more things in Squeeze!

Suburbia in Nineties and Aughts Films

Sat, 17 May 2025 16:24:31 -0400

There is something just so alluring about the picturesque, upper middle class suburbs as they are portrayed in film, with their neatly trimmed gardens flanking lawns and quiet network of roads meandering between them. Careful attention is paid to their natural spaces dotted with old trees, road verges and, if it’s really ritzy, landscaped road medians. But what is most striking to me is just how lush and green these spaces are made to look in the twilight years of reel film era movies.

But where these settings really so lush and aesthetic? Or am I just remembering them through the lense of nostalgia? Let’s have a look.

Beethoven (1992)

Cheaper By The Dozen (2003)

Hachiko A Dogs Story (2009)

Matilda (1996)

The Pagemaster (1994)

Even CGI films of the time had been able to capture that look.

Toy Story 2 (1999)

In these we can see a wide range of coloration, and including both high and low light levels. But aside from the CGI of Toy Story, nothing is quite as oversaturated green as I remember. It must be similar to the effect where we recall the graphics of old video games played in childhood being much better than they were in reality.

These samples were just what I pulled from a quick glance over a movie collection, but there are many more. Television shows too, with one that stands out to me being the episode of The Office (US) where they go on a fund raising jog around Scranton, PA. And certain video games as well. The most forefront example in my mind being Cities: Skylines.

Cities: Skylines

Very cozy. But maybe it is not all visual. Maybe there is something about that particular kind of planned space that calls out to me. And where were the filming locations for these movies anyway?


The Pagemaster	Arcadia, California
Beethoven	Los Angeles, California
Hachiko A Dogs Story	Rhode Island
Matilda	Arcadia, Altadena & Los Angeles California
Cheaper By The Dozen	Petaluma, California
Toy Story 2	Likely based on Richmond, California

Understandably, Hollywood uses their home state as the backdrop of many films. Not shocking. With what little time I’d spent in California, I had only seen “sand and dry shrub” California and not “shaded oak cul de sac” California. But if most people are seeking out the latter, it’s no wonder pricing in the region is so insane.

It is not just the greenery, per se, that makes the setting. But I think the idealistic blue sky summer weather with its depictions of people actually outside doing things which these scenes capture that leaves such an impression. I used to reason that the effect was due to the use of film cameras, which some have suggested aided in that warm, saturated look. But then why are video games and CGI films also capable of invoking that perception?

Ryzom

Natural spaces in games can often be just as peaceful an escape as are the real thing, I find. Almost everyone who has played Minecraft can probably relate to looking out at the vast landscape receding into the foggy horizon and taking in all its blocky, digital beauty on at least one occasion. I think there is something primal that speaks to us from the tree lines of curated spaces.

I didn’t mean for this examination of cinema to turn into a psychological analysis of the way that living spaces are designed and perceived. But I do find myself thinking about it frequently. I think there is a balance that must be struck between nature and infrastructure when developing land. The goldilocks zone seems to be somewhere around 3:2, nature:infrastructure. While the surroundings of untamed forest, rivers and mountains enable one to dive deeply inward, I sometimes find myself yearning for developed spaces where neighbors greet each other from over the fence and children can be heard playing on quiet roads.

tl;dr: nature pretty

Debian Upgrade Marathon: 4.0 Etch

Tue, 06 May 2025 20:20:44 -0400

Last month marked the start of an experiment where I upgrade through historic Debian releases, starting with Sarge. I am going at my own pace as, believe it or not, we Linux folks do have lives and responsibilities. So I’m not sure how long this whole journey is going to take.

Etch was released during a time where AMD had just acquired ATI Technologies, the Tiger Direct guy was still wearing button down shirts, Crysis was the plateau of graphics and nothing could look more photorealistic if you were to believe the hype. Any aspiring tech geeks back then should consider themselves lucky. For me, this is a peek into what the world of Linux and open source was tooling up at that time.

Upgrading from Sarge to Etch

The release notes caution against performing the upgrade within a graphical X session, citing necessary display server termination during package upgrades and the relocation of /usr/X11R6/bin. So I log out from Gnome session and Ctrl+Alt+F2 to terminal.

We first check that there are no pending changes in aptitude:

aptitude –> ‘g’ (for go) –> “No packages are scheduled to be installed, removed, or upgraded.” ✔

We then verify that all packages are in an upgradable state:

dpkg --audit –> No ouput ✔

Edit /etc/apt/sources.list to change the codenames from ‘sarge’ to ’etch’.

Since installing Sarge, it has become known to me that apt is just a fancy front end for the collection of apt-get, aptitude, apt-cache and dpkg. It was still in development during the time of Sarge and Etch but not yet ready for usage. According to the apt man pages:

“the snazzy front ends are not yet available. In the meantime, please see apt-get”.

So for now, we use aptitude:

sudo aptitude update

It cries warnings about “No such file or directory … you may want to update the packages lists to correct these missing files”

But this is expected per the upgrade notes. Simply re-running the same command again resolves harmlessly without such warnings. And the Etch upgrade procedure suggests the same two-step upgrade process that is still expected today with upgrades between modern Debian stable releases. One where a minimal package upgrade is issued before applying a full dist-upgrade.

sudo aptitude upgrade

“Configuring debconf”

I chose “Dialog” because that is what I’m accustomed to. And selected “medium” for question priorities.

“Configuring Keymap”

I chose “qwerty / American / standard / standard”.

Because of a changeover from initrd-tools to initramfs-tools, special attention needs to be paid to upgrade this before moving on to the second step.

sudo aptitude install initrd-tools

“Configuring locales”

I changed from en_US ISO-8859-1 to en_US.UTF8 UTF8 and made it the default locale. I also opted to install glibc and restart affected services.

Next, because this Upgrade-Journey host was installed with Gnome desktop, the next appropriate upgrade path is to pull in the X.Org packages which replace Xfree86. I verify that the libfam0c102 and xlibmesa-glu packages are present:

dpkg -s libfam0c102 | grep -e installed
dpkg -s xlibmesa-glu | grep -e installed

Status: install ok installed

And so we upgrade the following:

sudo aptitude install libfam0 xlibmesa-glu

Moving on to the second step of this two-part upgrade:

sudo aptitude dist-upgrade

I disabled “challange-response” authentication for the OpenSSH service I’d disabled back in the Sarge installation. Also set “Trust new CA certificates” to Yes and set “System-side home directories” to No.

The upgrade eventually reached a point where it began restarting services, which dropped me at a new terminal login. Thankfully, I knew to return to the existing shell where the aptitude upgrade was still running by re-keying Ctrl+Alt+F2. God help the person who hit such a situation without having that background knowledge!

“X Server Setup”

I chose to redetect keyboard layout and also selected 1440 x 900 resolution, as that is the display’s native resolution (Maybe it will work better with X.org).

Some packages remain un-upgraded, including apt’s package signature checking mechanism found in Etch.

sudo aptitude update

But this arrived at an issue where the GPG key signatures are now invalid because the repo has long since been archived and individual software (and keys) now unmaintained.

Let’s break some things to get this working again. Courtesy the information at AskUbuntu, I added a custom file at /etc/apt/apt.conf.d/99disablechecks:

Acquire::Check-Valid-Until false;

Aptitude can then proceed with upgrades while only complaining with warnings.

Etch’s upgrade notes that Linux kernels 2.4 or earlier cannot boot with udev. So I check whether Linux 2.6 series was already installed during the upgrade.

dpkg -l "linux-image*" | grep ^ii
No packages found matching linux-image*

I instead search for available kernels:

apt-cache search linux-image-2.6- | grep -v transition

Since the hardware platform is Intel Pentium 4:

sudo aptitude install linux-image-2.6-686

The release notes warn of a possible conflict with changes for /dev.

Debian kernels no longer include support for ‘devfs’, so ‘devfs’ users will need to convert their systems manually before booting an etch kernel.

I checked that it has ‘console’ and ’null’ files in /dev, per this helpful bug report:

Therefore, before trying to boot using udev only, make certain you have a “console” and “null” file in /dev.

TuxKart, AlsaMixer and Firefox have been held back during the upgrade. I’ll investigate those later. I think mozilla-firefox and tuxkart packages were just superseded by newer packages with different names.

Post-upgrade items, before rebooting

The filesystem features on Upgrade-Journey’s /dev/hdc1 does not show the new dir_index attribute

sudo tune2fs -l /dev/hdc1

Users upgrading from sarge could consider adding the dir_index flag manually using `tune2fs’.

So I applied it manually:

sudo tune2fs -O +dir_index /dev/hdc1

Finally, the moment of truth:

sudo reboot

Post-upgrade items, after rebooting

The upgrade had set the default text editor to nano (ew). So I reset it to vim-tiny:

sudo update-alternatives --config editor

And selected /usr/bin/nvi.

It booted cleanly to Gnome’s login greeter and it was immediately clear that the new X.org server config is an improvement over that of the Xfree86 display server. It doesn’t render at the monitor’s native resolution, but is at least now a higher resolution. Without wanting to fix this, there was no further hassle to be had with display configuration. 3D graphics acceleration was still working without a hitch.

At no point in the Sarge installation or Etch upgrade have the standard base directories been created. And I do not want to manually create them in case this is something handled in later versions of Gnome or if xdg-utils gets automatically selected in later Debian releases. And I’ve opted not to delete .gconf settings as I want to see how well existing configurations survive through Stable releases, rather than to see stock Gnome with each version.

My intuitions were correct about the held packages. iceweasel was introduced first as a transitional package for mozilla-firefox, and tuxkart had been superseded by supertuxkart.

Impressions of Etch

It may just be baggage from using Sarge’s Desktop task during installation, but Etch appears to clutter Gnome with a bunch of KDE programs. They work, but I do not recall installing any KDE metapackage in either Sarge or Etch. The Gnome 2.14.3 menu system remains a categorical cascading tree, which translates into a lot of searching through lists to find GUI applications. Though the very classical desktop layout can be admired in its simplicity.

IceWeasel Browser more flexibly allows you to accept certificates which enables the browser to retrieve more modern sites, ignoring the security implications. It also makes things easier having tabs. I had to reach far back into the annals of my brain in order to remember how we used to install browser extensions in the before times. This required I visit an archived page of adblockplus.org in order to locate a version compatible with this ancient, debranded Firefox.

One download was available from around 2008 and I’m not eager to waste time hunting around for a more closely matched release to Firefox 2.0. In IceWeasel, select File -> Open File… -> Navigate to the downloaded .xpi file. IceWeasel then offers to install the extension and restarts. AdblockPlus prompts for blocklists to subscribe to on first startup and is then ready to do its thing.

Is it working? Are ads being blocked? I do see some e-begging here, but I don’t even know what they’d look like anymore. And, realistically, an adblocker extension from the pre-cambrian era probably isn’t going to prevent much anyway. But it does make for a fun museum exhibit. I’m just impressed that the modern web still works at all on this environment.

Filetype	Functionality	Notes
Plaintext	✔	gedit 2.14.4
ODT Document	✔	Openoffice.org 2.0.4 (Test document created in LibreOffice 7.4)
PNG image	✔	Eye of Gnome 2.16.3
Animated GIF	🗷	Eye of Gnome 2.16.3
MP3 Audio	?	Decodes but no audio out, all players
OGG Audio	?	Decodes but no audio out, all players
MP4 Video	🗷	“Video codec ‘hev1’ is not handled.” Totem 2.16.5
MP4 Video	🗷	At least began to play but with no A/V VLC 0.8.2
Webm Video	🗷	“There is no plugin to handle this movie.” Totem 2.16.5
Webm Video	🗷	Still no playback VLC 0.8.2
Web	?	“Iceweasel can’t connect securely to domain.tld because the site uses a security protocol which isn’t enabled.” for most modern sites. But many can negotiate certificates if user accepts them exceptionally.

Etch was the last Debian to have TuxKart, and also the first Debian to have SuperTuxKart replacing it. The game assets received a bit of love, and it shows. Although this version doesn’t scale with window size.

Fun Factoids

An IPv6 address is now successfully acquired, according to ifconfig.

mplayer, the precursor to the mighty mpv makes its debut in Etch.

Etch is the first release to support 64-bit architcture amd64. But I won’t attempt converting it over until later with a version that has multiarch support.

The Debian installer indeed had been two-part up until Etch:

Previously, the installation was split into two parts: setting up the base system and making it bootable, followed by a reboot and after that the execution of `base-config’ which would take care of things like user setup, setup of the package management system and installation of additional packages (using tasksel). For etch the second stage has been integrated into Debian Installer itself…

Etch also saw the introduction of optional root user disablement during installation:

During expert installations you can choose to not set up the root account (it will be locked), but instead set up ‘sudo’ so that the first user can use that for system administration.

The naming of “/dev/hdX” will, in fact, probably will become an issue during this experiment:

For some SATA disk controllers, the device assigned to a drive and its partitions may change from ‘/dev/hdX’ to ‘/dev/sdX’. If this happens, you will have to modify your ‘/etc/fstab’ and bootloader configuration accordingly. Unless these changes are made correctly, your system may not boot correctly.

Outstanding issues

Audio
Still no audio as I begin to suspect whether I’d disabled the audio controller in BIOS or if there is another issue. The auxilliary connector sits fairly loosely in the port.

X Display Server
The higher resolution along with stretching to fit the aspect ratio is a little easier on the eyes but it still fails to detect and match the display’s native resolution.

SSH
There remains no overlapping key exchange method between contemporary openssh-client on my workstation and OpenBSD SSH on Upgrade-Journey.

I am still not sufficiently motivated to fix these side issues. I trust they will work themselves out as we reach further into the future. Next upgrade is to Lenny!

Debian Upgrade Marathon: 3.1 Sarge

Fri, 25 Apr 2025 19:32:26 -0400

Had my priorities been better aligned, I would have first begun building Linux skills sometime during the Bush (W) administration. It has left me feeling as though I should make up for that lost time. So I’ve decided to reclaim that lost experience of installing and using Debian from around the early-mid 2000s. From there, the plan is to upgrade the installation through each stable release up to present day Debian Stable. And hopefully pick up a few tricks along the way. Or at least earn my rite of passage as a bonafide Debian historian.

It is most appropriate that I begin with Debian 3.1 Sarge. Not only because that was the active release around the time I first tried tinkering (and failing) with Linux install media. It is also an appropriate launch point simply because I am no longer in possession of any motherboards predating 2004. And, no, doing this kind of exercise within virtual machines just isn’t the same.

This marathon will be taking reprieves at each release for excursions along the way. Not least of which to test out file compatibility, media playback, web browsing and just absorbing the overall vibes.

Start

The starting machine needed to match as closely as possible the first PC I ever had. I have a suitable socket 478 board, with only about a 1GB of SDRAM installed. We’re going to try to use the glorious Intel integrated “eXtreme” graphics.

It was badly in need of a thorough cleaning and the power supply tested bad. I may have bent a few pins on the Pentium 4 but it was worth setting it up nice and happy with a new heatsink fan. This board is old enough that it cannot use USB flash storage as a boot device, necessitating the use optical discs!

All available PATA optical drives on hand were K.I.A. so I needed to resort to a PATA-SATA converter to use a newer working optical drive. This also made possible the use of a SATA hard drive right from the start, so we get to cheat a little.

I found that the Sarge 3.1 installer would cause the board to reboot back into self-test and POST. The workaround was to launch the installer with linux acpi=off arguments.

The contemporary Debian installer has seen much refinement since its earliest versions, having made its first appearance in Sarge. This original installer waits until after you’ve booted your freshly written Debain before walking through user and config setup, which I found odd.

Debian Sarge also insists that a root password must be created. The option to leave it blank to automatically disable root login must have been added later in the project’s history. Because of this, the standard user that you later setup is not automatically added to the sudoers file, and must be added manually.

Now, because the Sarge repositories have long since been archived, I need to manually point apt sources to the archive repository:

deb http://archive.debian.org/debian/ sarge main contrib
deb http://archive.debian.org/debian-archive/debian-security/ sarge/updates main contrib

And also had to manually disable the Debian CD entry.

The integrated graphics chip for this board is Intel i800 family, so I selected the i810 driver when configuring “desired X server driver”.

The installer asks about setting up the mouse, which perhaps would have made sense in the days of serial port mice. I simply went with the default /dev/mouse option and the USB mouse (manufactured long after 2005) worked just fine.

Gnome login appears to use some kind of visual loading bar but with an SSD it goes by so fast I can’t really see what it is trying to indicate. Did I mention how fast these old single core Pentium systems can feel with solid state storage and fiber connectivity?

Impressions of Sarge

Gnome DE 2.8 (Version 64 according to the package manager) feels very much like LXDE in its menu structure, modularity and snappiness. The thing looks like an interface from the early 00s, perhaps even the late 90s. I appreciate it as a time capsule, but probably would have found it an obstacle to endure had I been using Debian back in the day.

Theming options has the “Gorilla” GTK theme which I find to be so very archetypically 00’s in its aesthetics. A shame that we don’t build UIs to look like that today.

Vintage Gnome, in all its glory.

I see that the Debian desktop environment metapackage even back then supplies a bunch of default programs including some familiar and unfamiliar today; Synaptic, Eye of Gnome, GIMP, Inkscape, file-roller, OpenOffice and several dozen casual games. Debian gets points for consistency.

I was rather surprised to see several familiar programs had existed as far back as 2005.

Surprise cameos:

ffmpeg
clamav
chkrootkit
anthy
blender
cryptsetup
moc
flightgear
git

In fact, git is 20 years old as of this month! I went ahead and installed most of them to make the place feel a little less alien. The apt command hadn’t been introduced yet so cli package management needs to be handled specifically through apt-get:

sudo apt-get install ffmpeg mozilla-firefox lynx chkrootkit vlc evince clamav moc rsync lm-sensors, xfonts-intl-japanese

Which fixed names of some test files that I copied to the drive. Gnome 2.8 apparently needs you to log out and back in for newly installed program shortcuts to appear in Gnome menus.

The mozilla-firefox package (v1.0!) is a separate web browser package from mozilla. It even has rudimentary extension support. AskJeeves is one of the default search engine options in Mozilla. That’s a real throwback! And Mozilla had supported SOCKS proxying as far back as 2005. In fact, their proxy settings page has hardly changed since then. Neat.

It can be seen where priorities were very different back then. The Mozilla web browser had a big “Print page” button along the top bar. And a toggle icon at the bottom for disconnecting from the web (taking Mozilla browser offline). The about:config settings page is a thing in old Mozilla, and some settings were still pointing to netscape.com as of Mozilla 1.7.8, exposing its true heritage.

Only certain sites that negotiate very old SSL cipher sets can be loaded over HTTPS

I devised a few files to test on each version of Debian.

Filetype	Functionality	Notes
Plaintext	✔	gedit 2.8.3
ODT Document	🗷	Openoffice 1.1 (Test document created in LibreOffice 7.4)
PNG image	✔	Eye of Gnome 2.8.2
Animated GIF	🗷	Eye of Gnome 2.8.2
MP3 Audio	?	Totem 0.100 (Decodes but no audio out)
OGG Audio	?	Totem 0.100 (Decodes but no audio out)
MP4 Video	🗷	“codec ‘hev1’ not handled” Totem 0.100
MP4 Video	🗷	“no suitable decoder module for fourcc ‘hev1’” VLC 0.8.2
Webm Video	🗷	“no plugin to handle webm” Totem 0.100
Webm Video	🗷	“no suitable module…” VLC 0.8.2
Web	?	“Mozilla and www.mozilla.org cannot communicate securely because they have no common encryption algorithms.” But other sites, such as www.example.org load and render okay.

Okay, so file standards from the future cannot be read, big surprise. How about something a little more fun? 3D games? TuxKart:

It runs. And it runs better than it probably had on real spinning platter machines from back in the day. But damn does vintage TuxKart feel like some individual’s home grown project. It’s kind of charming, actually. I can envision my younger self having tried Debian Sarge but probably later caving to the allure of games beckoning me back to XP. Or maybe the novelty of such an exotic system would have sustained my interest.

I wonder if this SSD being mapped 'hdX' is going to become a problem later...

Fun Factoids

Even though amd64 ISA hadn’t been a release target until Etch, Sarge had an amd64-libs package. Shared libraries for x86_64 systems.

glxinfo - Mesa 4.0.4 with OpenGL 1.2

The Adwaita icon set has hardly changed in the last twenty years!

aolserver package. Yes, that AOL.

PC speaker chirps on greeter login

Outstanding Issues

SSH

“Unable to negotiate with XX.XX.XX.XX port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1”

SHA1, yikes. I shortly disabled the ssh daemon, for that and for other reasons.

X Display Server
The X server on this installation cannot set the display to anything above 800x600 @ 73Hz so it doesn’t make use of the display’s 16:9 aspect ratio. But it works, with glxgears reporting a healthy 455 FPS and functional 3D animated screen savers. Those also take me back.

Networking
Despite being on a dual stack network, ifconfig reports the system only obtains IPv4 addressing.

But the focus of this undertaking is not on resolving issues in ancient Debian releases - back to upgrading!

In Favor of Plunder

Tue, 22 Apr 2025 19:27:21 -0400

There are times when it becomes necessary to unfurl the sails and set to sea in search of spoils. Nowhere is it more poignant than when a piece of media has been made unavailable to your platform. And those rocking Linux often run into such aggrivation. Even more so when the underlying hardware is anything other than x86[_64] or ARM.

Say you’ve resolved to experience a game. The weaker willed might reach for the WINE bottle, or the more adventerous look to engine reimplementations or full decomp ports. But the game assets still need to be acquired from an original copy. Do you pay the original publisher who had given the world a huge middle finger by releasing a proprietary platform-locked game? *hearty swashbuckling laughter No, we weigh anchor and ready the cannons!

Media relinquishes any expectation to not be pirated when;

A) It is encumbered with DRM (Digital Restrictions Management)
B) It is made arbitrarily unavailable, such as by geographic region locking
C) It uses the content as a vehicle to advertise or proseletyse (ffs, never pay for propaganda)
D) It practices CaaH (Content as a Hostage)

By paying for such content, one financially incentivises these bad behaviors. A vote for wrongdoing. The fact that piracy is an option gives average folks a stronger footing to say “Your product must respect me in X, Y and Z basic ways. Only then will I consider making a purchase.” In this way, it can be a form of protest.

Content piracy even benefits normies (yes, the same ones who will hastily jump down your throat for daring to acquire a copy of that one movie where stranded starfighter pilots share a surprise pregnancy). It acts as a sort of check and balance wherein if publishers push too hard they run up against customer attrition, bleeding the segment of their customer base who are aware that there is even a choice. The prospects of going the extra mile to find bootleg media becomes more palatable as the costs associated with officially accessing the same media endlessly ratchets upward. So really, normies should be thanking their dastardly pirate neighbors with whom they share the net.

Content piracy benefits preservation efforts, with many works having been saved thanks to cracking, dumping and filesharing efforts. I’ve recently been impressed with the momentum of videogame decompilations and their subsequent PC ports. Emulation is itself respectible, but can often feel a bit like conducting a long distance relationship. Running a title natively on your hardware skips the often inefficient emulation process. And having the source code usually means that it can be built and run just about anywhere.

The definition of piracy appears to be expanding. One recent development I was surprised to see is that folks are now equating the usage of ad blockers to content piracy. I’d never considered these to be under the same umbrella, but I suppose I can see their relation. In that case, call me Captain Theftbeard because the web without an ad blocker is simply unusable for any sane person.

You see, digital piracy isn’t just about accessing media when you’re broke, or about preserving works, or even about convenience. It also plays a key role in keeping the “own nothing and be happy” incumbents from running amok.

They hate piracy because it equalizes the power dynamic between publishers and audiences.

Hardened File Backup Routine

Thu, 27 Mar 2025 11:02:33 -0400

One overlooked aspect of data security is availability. If one cannot guarantee the ability to access information, particularly following data damage or loss, one does not have security. Another major component of a good backup system is simplicity. There are hundreds of programs that purport to solve the issue of file backup. But I’m weary of such programs. Who maintains them? If some guy in Nebraska passes away, will that backup program fall out of maintenance? Do you have the gumption to roll your own? I shelved my own overly complicated attempt.

You don’t want to end up in a situation where files that you backed up years ago using XYZ program cannot easily be read or restored by the current year version, such as because the way it compresses or encrypts files having changed since. You also want some certainty that if you’re locked away in a madhouse for questioning the JFK assassination, that your backup files are there, waiting for you when the institution returns your belongings from holding.

It has taken me several reimaginings of my backup system before evolving it into what it is today. A bit of history, starting with me doing things the wrong way:

When I was in my adolescence, my entire “backup solution” was simply to drag and drop files in Windows XP file explorer from my internal drive to a 120GB external hard drive at the other end of a USB 2.0 cable. Complete with the little animated papers flying between folders on the file transfer dialogue. As scrappy as it sounds, such a basic practice remains more forward thinking than keeping no backup at all. Something which my time in computer repair informed me almost nobody does.

Once I’d become more serious about maintaining a consistent backup of my files, and partially motivated by witnessing data loss from a front row seat, I upgraded to a dual set of external hard drives. They both received simultaneous weekly backups using my DE’s file explorer at first but later using automated scripts to do so. That kept me going before finally committing to follow the 3-2-1 backup axiom proper (No, two identical drives and an internal production drive doesn’t count).

It wasn’t until 2018 that I devised the backup routine that I still use to this day.

Good File Backup

First, what makes a good backup? This is my informed opinion, and note that I emphasize file backup since that is not the same as a system backup. A system can be reprovisioned, while irreplaceable personal files cannot be recreated. Hence, I only backup files and some configs. But if you are interested in system backup solutions, I’d like to point you over to Dig Deeper’s Backing up and Restoring Operating Systems.

A good file backup solution should:

Be as simple as possible.
Use cold storage which is seldom connected to any live system.
Employ the “UNIX way” using small, common components together to accomplish a larger sum task.
Be encrypted.
Obligatory three copies, accross two mediums, with one stored off-premises.

A good file backup solution should NOT:

Reside on infrastructure that you don’t own and control. Even if you don’t care about the inherent freedom and privacy issues posed by remote “cloud” storage, it still constricts both your storage capacity and your backup speed, as well as your potential to access it.
Depend on any utility that stores files in a non-standard way in order to view or retrieve data.

Some backup programs (deja-dup I think it was) offer up options to encrypt files during backup. But I consider this the wrong approach, as the files themselves are the only thing being encrypted, passed off to a non-encrypted volume (presumably). This leaves room for tampering, and relies on the backup program to decide for you how and by what encryption tool the files get encrypted. I find it much more reasonable to simply use full disk encryption with something like cryptsetup.

Provisioning

I recommend procuring three external USB hard drives. They should be a mix of both mechanical and solid state storage, with no two drives sharing the same vendor. Purchase in-person, with cash, ofc.

Next setup dm-crypt encrypted volumes on each drive.

cryptsetup -v --cipher aes-xts-plain64 --key-size 512 --use-urandom --verify-passphrase luksFormat /dev/sdX

AES-XTS-PLAIN64 is recognized as one of the most secure encryption modes available for full disk encryption. Note that 512 bit key size is actually the default when using AES-XTS cryptography, and gets split into two AES-256 bit keys anyway. I only include that switch for historic consistency.

Open and mount the new drive (substituting “DriveName” and “VolumeName” for your intended naming scheme):

cryptsetup luksOpen /dev/sdX DriveName
mkfs.ext4 -L VolumeName /dev/mapper/DriveName
cryptsetup luksClose /dev/mapper/DriveName

Set the new volume as writable by your standard user account.

udisksctl unlock -b /dev/sdX
udisksctl mount -b /dev/dm-X
chown -R user /media/user/VolumeName
chgrp -R user /media/user/VolumeName
udisksctl unmount -b /dev/dm-X
udisksctl lock -b /dev/sdX

You may wish to take LUKS header backups, for the off chance that header information gets corrupted or overwritten (or borked by user error):

cryptsetup luksHeaderBackup /dev/sdX --header-backup-file /path/to/destination/luks_header_backup_DriveName

Each drive should perhaps hold the two other headers for each of its sister devices.

Also consider taking a SMART stats read to keep on each drive so that you have something to compare future attributes against.

smartctl -a /media/user/Backup /media/user/Backup/smartstats.txt

Backup Script

rsync meets all the criteria for an established, well-maintained tool. Any script using it does not need to be complex, and in fact shouldn’t be. This is a genericized version of what I run:

#!/bin/bash
rsync -aEvv --delete-delay --progress --files-from="$PWD/file-list.txt" "$HOME" "/media/user/Backup/Files/"

I include –delete-delay because I’m rather paranoid about files no longer in the source being pruned from the backup before the full transfer has finished, just in case something goes wrong.

The –files-from= switch is an easy way to define a list of directories to include without needing to resort to writing for loops. I store my file list among the host files so that independent copies don’t need to be individually maintained across the multiple backup drives. It can look something like this:

Documents
Downloads
Music
Pictures
Videos
.cache
.config
.gnupg
.local
.mozilla
.ssh

Those willing to poke around the guides section may also infer including additional things like .newsboat. Everyone’s backup list will look different, but don’t forget about those hidden directories!

chmod +x backup.sh

I recommend keeping the backup script on the host (just like the file list) to avoid accidentally forgetting to distribute changes out to multiple copies.

rsync also includes a nifty feature to write logs with the –log-file= switch. That way you can keep a historical record of changes made to the backup file set.

Procedure

What I do is take a backup to one drive each week, rotating it back into storage and pushing the oldest one off premises. If you’re not an enemy of the state, the off-premise location can be something like a lock box at a bank. Otherwise it can assuredly go into that capsule buried next to the stone wall in the woods.

Each drive will see roughly eighteen backups in a year. And at year’s end, I like to compress all of the log files into a tarball for posterity.

tar --exclude=*.tar.gz -czvf Logs-2024.tar.gz *2024*.log

The naming convention used for your logs will dictate how that last argument of the tar command is formulated. My backup encodes the year it was taken into the filename so wildcard’ing like that is reliable enough.

Individual disks should be replaced after about five years. Even though they don’t see a whole lot of power on hours, being backup drives, they receive tons of writes. Taking a diff of the SMART stats from the beginning of a drive’s deployment to the end with its retirement only confirms this.

Lastly, consider physically differentiating the drives in some way to simplify their rotation. Otherwise you need to resort to checking the last backup date to confirm you’re indeed updating the least recent of the bunch.

It’s not sexy. It doesn’t use the latest tech trends. It requires diligent habit. And that’s the point. Backups are not something where you want to be trying new and novel tricks. It calls for slow and steady iteration over sweeping changes.

Hardened Application Firewall

Wed, 19 Feb 2025 07:45:30 -0400

Network firewalls for the Linuxes have historically been application-blind. Which is a point of shame for a platform prided on security and privacy, especially considering that proprietary competitor Windows has had per-program discriminating firewalling so much sooner. A while back, I’d found OpenSnitch to be functionally ready. After using it on my daily driver for several months, I’m finally comfortable sharing some operational practices.

Setting Up For First Use

After pulling the opensnitch package down from the repository, edit the file at /etc/opensnitchd/default-config.json and set nftables as the default:

"Firewall" : "nftables",

You will probably want to add an nftables rule to allow ICMP traffic for ping functionality.

nft insert rule mangle output icmp type echo-request accept

Using OpenSnitch’s UI, create a new rule to permit local loopback traffic. Its entry should start with zeroes to ensure it gets parsed first.

That is,

Name: “000-allow-always-localhost”
Enable 🗹
Action: Allow
Duration: Always
(Tab) Network
To this IP/Network: ^(127\.0\.0\.1|::1)$

OpenSnitch can also filter by regular expressions for blocking domains based on predictable strings that indicate intent to use for tracking or adertising. This is easily done through a blocklist.

wget --https-only https://github.com/mmotti/pihole-regex/raw/refs/heads/master/regex.list

Create a rule that points to this regex.list with:

Name: “000-block-regex”
Enable 🗹
Priority rule 🗹
Action: Reject Duration: Always
(Tab) List of domains/IPs > To this list of domains (Regular expressions): /path/to/regex.list

All that heavy lifting your ad blocker has been doing can be offloaded (or duplicated) to OpenSnitch, as it can also filter by static lists of domains. The project unofficially supplies a ready-made script for updating a local filter list.

wget --https-only https://raw.githubusercontent.com/evilsocket/opensnitch/master/utils/scripts/ads/update_adlists.sh

Change the line “adsDir="/etc/opensnitchd/blocklists/domains/” to instead point to the path for your own blocklists directory. Then create a cron or anacron job to run update_adlists.sh periodically.

Now, like with the regular expressions entry, we want to add another priority rule for domains blocking:

Name: “000-block-domains”
Enable 🗹
Priority rule 🗹
Action: Reject
Duration: Always
(Tab) List of domains/IPs > To this list of domains: /path/to/blocklists/directory

Now set the global default action in OpenSnitch’s settings. In Settings > Pop-ups tab > Default options:

Action: deny
Duration: 1h (1 Hour)
Default target: by executable
Show advanced view by default ☐
Filter connections also by: Destination IP 🗹
User ID ☐
Destination port ☐

The rationale for these defaults are explained earlier in OpenSnitch, “uMatrix” for your Entire Desktop.

Permitting Common Programs

Now whenever your system attempts to initiate a new network connection to some resource for the first time, a dialog prompt will check with you whether to allow or deny. This can generate many prompts at first, so you will need to whitelist certain common programs with the always duration.

But there are two main categories of programs that necessitate different classes of rules.

Connects to destination whose domain(s) is already known
Connects to destinations whose domains are not always known

Most programs fall into the first class, while others such as Tor, Mumble or DNSutils’ dig fall into the second class. So for most programs, you should just be able to select “Allow” on the pop-up dialog. But for something like dnsutils’ dig, run a lookup to initiate an OpenSnitch prompt and use it to create a permanent rule. But instead of using the global default “To this host”, select “To this port” and append “53”:

Name: allow-always-usr-bin-dig
Enable 🗹
Action: Allow
Duration: Always
(Tab) Network
To this port: 53

Some utilities which you may want to create permanent Allow rules for include:

Package manager
DNS resolver
NTP daemon
DHCP client
Tor
Clam AV Freshclam daemon
RSS reader

Web browsers are best treated specially, with permitting rules on a per-site basis. For example, you instruct Firefox to visit a website which you will only view for a few minutes and probably never return to again. With our default global settings, that is as easy as clicking “Allow”. And hopefully you’re also using something like uMatrix to limit third party domains, otherwise you might get clobbered with dialogs. Sites that you cherish and visit frequently are worth adding permanent rules for by first scroll-wheeling or hotkeying down the Duration dropdown to “forever”.

OpenSnitch complements browser extension web firewalls extremely well.

Exception Denying

An unintended strength of OpenSnitch is its capacity to preemptively block connections with high specificity. For example, denying connections to www.bitchute.com but permitting connections to old.bitchute.com. That way, mistyping addresses or following other people’s links doesn’t land you on a page you wish not to see. I have many permanent reject rules configured for connections that I don’t want applications to make. A few examples:

Reject connections to archive.today tracking pixel subdomains: Reject: To this host: .*\.pixel.archive.*
Reject all Firefox connections to www.google.com and www.youtube.com.
Reject OpenShot attempting to phone home to www.openshot.org for updates (even though updates are already handled through apt!)

It is important that you select the Reject action for such instances, rather than the Deny action. Otherwise it will leave the program waiting for timeout. It shouldn’t matter that you’re sending a “somebody is home” tipoff, these are outbound connections being intercepted.

Plastered over the OpenSnitch documentation are warnings not to broadly allow programs parsed by interpreters (e.g. Python) to be permitted wholesale, as it would allow any other python program to also access network. But since we set global defaults earlier to discriminate by destination IP as well as to default 1h (1 Hour) for temporary rules, permitting one interpreted program will not universally allow others of that same langauge to access network with impunity.

Common Syntax Shortcuts

I often find that permitting domains and its subdomains in one rule is best handled with .*\.example.com|example.com. Simply using only the first party domain on its own will fail to permit any subdomains.

Specifying multiple ports, such as for a program like Tor, is easily handled through passing a ^(9001|9050|443|8443|9443)$ regular expression to the “To this port” field.

Becoming Second Nature

Once your common programs from your regular regiment have all been accounted for, which could take up to a few days, then OpenSnitch settles neatly into the background. Installing a new networked program, or visiting a new interactive website will occasionally have you wrangling some new permissions. But it will by then be a familiar process.

Running a system wide application-aware firewall alongside browser extension web firewalls makes for an incredible defense-in-depth approach. I hope that OpenSnitch continues to mature, but am also keeping some fallback solutions close by just in case. Originally I was investigating using AppArmor for this. But as I poured over the documentation it became increasingly clear that AppArmor is geared more toward packagers and developers, and not toward end users who need to rapidly allow or disallow permissions on the fly. Not to mention AppArmor is still entirely network access allow or disallowed, with no granularity beyond that.

New Year, New Security Measures: DNSSEC Deployed

Tue, 21 Jan 2025 23:20:06 -0500

While the internet has been taking well to IPv6 deployment, the same cannot be said for the domain name system’s authenticity mechanism, DNSSEC. It is currently only available on somewhere just south of ten percent of all registered domains. And, being the ‘be the change you wish to see’ kind of guy that I am, I decided to roll out DNS authentication for this site. Not the least of which because I do supply downloads containing executable software, as simple they may be.

Those running anonymized DNS resolution may not be able to take advantage of this, but it is there for the more surface level dnsmasq and unbound configurations (or wherever else DNSSEC authentication may be possible). I was also intending to disable information leaks through OCSP stapling, and delightedly found it already disabled in my configs.

OCSP response: no response sent

Anyway, it seems Let’s Encrypt already has us covered this year even if I hadn’t.

We plan to end support for OCSP primarily because it represents a considerable risk to privacy on the Internet. When someone visits a website using a browser or other software that checks for certificate revocation via OCSP, the Certificate Authority (CA) operating the OCSP responder immediately becomes aware of which website is being visited from that visitor’s particular IP address.

Through 2025, solutions will continue to be a focus at Wronthink over lambasting enshittified technologies, a temptation I find almost too difficult to resist. Not to worry, those who enjoy the more mean spirited content, no doubt 2025 will bring a new crop of proprietary idiocy at which to point and laugh derisively.

Designating Digital Rendezvous Points

Wed, 18 Dec 2024 01:01:16 -0500

Problem:

You deployed a remote system that you access at a site which you may not physically visit for weeks, months or even years at a time. But it does not have a static IP. An unexpectedly changed public IP address essentially puts us into the same dilemma as a parent losing track of a child. You want to preselect a known location where both parties will rendezvous in the event of separation.

The “normal” solution:

A corporate IT professional might be quick to recommend dynamic DNS, or to setup a job that emails the administrator (you) upon network changes. But these things often require some form of rent payment, increase complexity and inform intermediaries of things we’d rather they not see (especially if we’re freeloading on their services, more on that later).

The constraints at play:

Being a private remote system that is only used by you, the IP address is sensitive information. Assigning a DNS record would expose this address.
Configuring a dedicated email account for the remote system’s mail transfer agent brings problems - using an established email provider either costs money or complicates/prohibits the use of mail clients, while a smaller email service cannot be relied upon to continue its own existence.
Use as few intermediaries as possible. Email would often mean two points of exchange between you and the remote system, unless both use the same email provider.
Your local public IP also changes and so cannot be relied on for remote systems to reach out to automatically.
Avoid sending alerts to the predetermined location in plain text. Message encryption is a must.
Avoid creating new monthly bills to be paid.

With all that in mind, we’re going to do things the wrongthink way. And one of the perfect places to be used as a rendezvous point is any major Mastodon instance. Even though the microblogging format promotes idiotic human exchanges, it is the perfect place for short message passing by automated accounts. First, let’s setup a Mastodon bot:

Create a profile at any major Mastodon instance, sign in and navigate to the “<development>” tag in profile settings (bottem left as of 2024). The direct URL should be something like: https://fosstodon.org/settings/applications
Click the blue “New Application” button. Or use the direct URL: https://fosstodon.org/settings/applications/new
Give the application a name and check off the “write:statuses” option box.
Submit the form and return to your applications page. Then open the newly created profile and note the access token “Your access token: jY8tpxFTkQ8NZyaOy3rCaopKl2gKHZ51boVXBTGwUdh”.

The account is now ready to receive posts programmatically from cURL.

curl https://fosstodon.org/api/v1/statuses -H 'Authorization: Bearer jY8tpxFTkQ8NZyaOy3rCaopKl2gKHZ51boVXBTGwUdh' -F 'status=This post was made using the Mastodon API.'

The Authorization field is where you supply the access token that only you should ever see.

Next, we want to write a script that checks the remote host’s public IP address, compares it to the last known state and sends an update over Mastodon with any new IP address. Here is the script I devised (Requires curl, gpg and dnsutils be installed):

main(){
if [ ! -f /home/$USER/known.txt ]; then
        getip
	echo "Debug: Creating record!"
        writeip
else
        getip
        if [ "$current" != "$(cat /home/$USER/known.txt)" ]; then
		echo "Debug: IP address has changed!"
                message=$(echo "IP address has changed to $current" | gpg --batch --passphrase my-super-secure-passphrase --symmetric --armor)
		echo "Debug: $message"
                curl https://fosstodon.org/api/v1/statuses -H 'Authorization: Bearer jY8tpxFTkQ8NZyaOy3rCaopKl2gKHZ51boVXBTGwUdh' -F "status=$message"
                writeip
	else
		echo "Debug: IP address has not changed."
        fi
fi
exit 0
}

getip(){
current=$(dig -4 +short myip.opendns.com @resolver1.opendns.com)
if [ -n "$current" ]; then
        echo "Debug: Got an IP address from resolver successfully."
else
        echo "Debug: No IP address returned from resolver. Is network down?"
        exit 1
fi
}

writeip(){
echo "$current" > /home/$USER/known.txt
}

main

Notably, it uses gpg to symmetrically encrypt the actual message containing the IP address. That way other Mastodon users will only see some block of indecipherable text in the toot:

—–BEGIN PGP MESSAGE—–

jA0ECQMCphzIrBCs1iz60lwBGFccBsQUg5fkpUeovno0ZUsXW8U3xlBYRGtWroAp
zRFO5km97WAtJ0EXgbOVvmllz+PdgwkqCOtMLnjSm07KvD+rOsniMCa+GM/cWV+e
037uU25kyWOTDufN6w==
=ZvZP
—–END PGP MESSAGE—–

The reason we don’t use asymmetric keys is that it can inform observers of target email addresses (which is fine in a normal email exchange, which gpg is intended for). So remember to note whichever passphrase you write into the script somewhere on your side so that you can later decrypt this message passing when the need arises.

If it is the first time being run, this script will create a known record of the public IP address at the user’s $HOME. Changed IPs update this known record so that the Mastodon bot doesn’t end up spamming the same message.

Simply point cron to the script and setup a daily job. As a remote system, we can assume it will be powered on 24/7, thus no need for anacron.

crontab -e

15 12 * * * /home/name/address-watcher.sh

Now, on your end, whenever you find that you can no longer reach the target system, the first place to check is that public Mastodon bot. Has it tooted any PGP messages?

Your Linux Devices Are Trying to Talk to You, But Are You Listening?

Tue, 10 Dec 2024 20:30:40 -0500

For the longest time, I had unknowingly been reinventing the wheel. Cobbling together scripts and timers to notify of administrative concerns to the currently active desktop session. I wanted graphical dialogues, because that is what I’d grown up with. But how terribly uninformative it is for a dialog to appear that essentially says “Something is wrong, you should probably look into it”.

/var/log trying to tell you for the 1,435th time that you're running out of disk space

So many daemonized programs define arguments for sending mail when an issue arises and, foolish me, assuming that those options always meant email, never investigated any further. While it is true that with a mail transfer agent such notifications can be sent over the network to an email address which makes sense in a server environment, I always thought it a bit silly for an end user device. But what I didn’t realize was that user mail agents with local mailboxes were ever an option.

The common user mail agents, from my poking around Debian dependencies, are either bsd-mailx or GNU mailutils. And where bsd-mailx is minimalistic, and in fact only supports local mailboxes, it also lacks features such as scaling to different terminal sizes or complete previous/next navigation. I would recommend mailutils, which can be set as the preferred user mail agent through update-alternatives:

update-alternatives --config mailx

And select /usr/bin/mail.mailutils.

Mailutils can be invoked simply with:

mail

Some mail commands I’ve found useful:

z : next window (scroll down)
z- : previous window (scroll up)
$ : view newest message
^ : view oldest message
<number> : view message
d<number> : delete message
h : reprint message list window
n/next : next message
p/prev : previous message

Without having to lift a finger, stdout of actions invoked by both cron and anacron are sent to the user mailbox at /var/mail/$USER. It produces a chronological, easy to view means of checking system jobs. A lazy administrator could even just view the mailbox with pager /var/mail/$USER but will miss out on the cozy formatting afforded by a proper mail agent.

Return-path: <root@Computer>
Envelope-to: root@computer
Delivery-date: Thu, 05 Dec 2024 01:52:44 -0500
Received: from root by Computer with local (Exim 4.96)
	(envelope-from <root@computer>)
	id 1tJ5jA-000YGN-1M
	for root@computer;
	Thu, 05 Dec 2024 01:52:44 -0500
From: Anacron <root@computer>
To: root@computer
Subject: Anacron job 'cron.weekly' on Computer
Content-Type: text/plain; charset=UTF-8
Message-Id: <E1tJ5jA-000YGN-1M@Computer>
Date: Thu, 05 Dec 2024 01:52:44 -0500

/etc/cron.weekly/opensnitch-adlists:
[+] Checking list https://malware-filter.gitlab.io/malware-filter/urlhaus-filter-hosts.txt, urlhaus-filter-hosts.txt
[+] downloading new ads list... https://malware-filter.gitlab.io/malware-filter/urlhaus-filter-hosts.txt -> /home/blocklists/domains//urlhaus-filter-hosts.txt (64242, 63842)   OK
[+] Checking list https://hostfiles.frogeye.fr/multiparty-trackers-hosts.txt, multiparty-trackers-hosts.txt
[-] ads list not updated yet:  507760, 507760 - https://hostfiles.frogeye.fr/multiparty-trackers-hosts.txt
[+] Checking list https://hostfiles.frogeye.fr/firstparty-trackers-hosts.txt, firstparty-trackers-hosts.txt
[-] ads list not updated yet:  459805, 459805 - https://hostfiles.frogeye.fr/firstparty-trackers-hosts.txt
[+] Checking list https://www.github.developerdan.com/hosts/lists/tracking-aggressive-extended.txt, tracking-aggressive-extended.txt
[-] ads list not updated yet:  6205307, 6205307 - https://www.github.developerdan.com/hosts/lists/tracking-aggressive-extended.txt
[+] Checking list https://adaway.org/hosts.txt, adaway-hosts.txt
[-] ads list not updated yet:  243454, 243454 - https://adaway.org/hosts.txt
[+] Checking list https://pgl.yoyo.org/adservers/serverlist.php?hostformat=hosts&showintro=0&mimetype=plaintext, yoyo-adservers.txt
[!] No content-length header found: https://pgl.yoyo.org/adservers/serverlist.php?hostformat=hosts&showintro=0&mimetype=plaintext
[.] Trying with Last-Modidifed
[+] downloading new ads list... https://pgl.yoyo.org/adservers/serverlist.php?hostformat=hosts&showintro=0&mimetype=plaintext -> /home/blocklists/domains//yoyo-adservers.txt (94727, )   OK
[~] Done

I open my local mail with the same level of enthusiasm as はなちゃん.

Viewed items will be moved to $HOME/mbox upon close. You can always go back and check your read mail history by passing the mbox as the file to be read:

mail -f mbox

And often the programs which are not invoked from cron or anacron, such as those on systemd timers, can be configured to send mail when a condition is met. smartd, for example, can be configured to send messages to the local mailbox when some SMART parameter exceeds a safe threshold. Edit /etc/smartd.conf and append -m root into the entry for your hard drive. Which should look something like:

/dev/nvme0 -a -o on -S on -s (S/../.././02) -m root -M exec /usr/share/smartmontools/smartd-runner

And then restart smartd. You can test that mail notifications are working by temporarily replacing the -M exec argument with -M test and restarting smartd. Then check mail and you should see an entry with the subject “SMART error (EmailTest) detected on host:…”.

Other programs, whose default anacron entries instruct them to run quietly, may need some additional coaxing to make them talkative. For rkhunter, as one example, edit /etc/rkhunter.conf and uncomment MAIL-ON-WARNING=root. Now when rkhunter identifies suspicious changes, it will be sent to the local mailbox with the subject “[rkhunter] Warnings found for Computer”.

Return-path: <root@Computer>
Envelope-to: root@computer
Delivery-date: Sun, 24 Nov 2024 07:48:21 -0500
Received: from root by Computer with local (Exim 4.96)
	(envelope-from <root@Computer>)
	id 1tFC2H-0096VI-2m
	for root@computer;
	Sun, 24 Nov 2024 07:48:21 -0500
Subject: [rkhunter] Warnings found for Computer
To: root@computer
User-Agent: mail (GNU Mailutils 3.15)
Date: Sun, 24 Nov 2024 07:48:21 -0500
Message-Id: <E1tFC2H-0096VI-2m@Computer>
From: root@Computer
X-UID: 64
Status: OR

Please inspect this machine, because it may be infected.

All those failed sudo password attempt incident reports to which everyone likes to joke “I AM the administrator”? Those also find their way to mailbox entries with “*** SECURITY information for Computer ***”.

Mail logging can be further enhanced with the use of log readers like logcheck or logwatch. Logwatch analyzes system log files and mails items of interest (defined by perl script modules) to the user mailbox. Just set Output = mail within /etc/logwatch/conf/logwatch.conf.

Lastly, the most important component in all of this is you and your good habit of reviewing mail daily. A log is of no good to anyone if it never gets read. And a system such as this will help bring broken configs to your attention. It already helped me to discover a few hatches needing to be battened down which would have otherwise gone unnoticed.

Making a Mint Look-Alike

Mon, 04 Nov 2024 21:26:06 -0500

Linux Mint’s greatest strength is its aesthetically coherent GUI whose layout makes it ideal for those who find themselves arriving from a Windows environment. Mint was the distribution on which I first rode into desktop Linux full time, and had been my first choice for no-nonsense deployments to new devices. Especially to those of relatives who had solicited me for guidance. But this usually hassle-free distribution has lately found itself the source of some support woes.

Linux Mint is a downstream distribution. Far downstream. For those who might not know, it is based on Ubuntu, which is in turn based on Debian Testing. The Mint team are very good at keeping their distro highly cohesive and well dressed, but recently I’ve hit enough minor headaches with it to justify dumping the middlemen to just go straight to the source to dress things up myself. After all, my choice to deploy Linux Mint to the devices of interested relatives was primarily driven by the graphical interface.

How to configure a Mint look-alike

Install the Debian metapackage cinnamon-core.

Acquire and install the core theming packages from packages.linuxmint.com:

mint-themes
mint-backgrounds
mint-x-icons (dependency for mint-themes)
mint-y-icons

dpkg --install mint-themes mint-backgrounds mint-x-icons mint-y-icons

Set system fonts to:

gsettings set org.cinnamon.desktop.interface font-name 'Ubuntu Regular 10'
gsettings set org.nemo.desktop font 'Ubuntu Regular 10'
gsettings set org.gnome.desktop.interface document-font-name 'Sans Regular 10'
gsettings set org.gnome.desktop.interface monospace-font-name 'DejaVu Sans Mono Book 10'
gsettings set org.cinnamon.desktop.wm.preferences titlebar-font 'Ubuntu Medium 10'

(*May require the installation of fonts-ubuntu-title.)

Set Mint backgrounds on a rotating timer.

Set matching Mint-X or Mint-Y icons and applications themes.

The second reason that I used to recommend Mint was for its set-and-forget automatic updating. And while mintupdate is a well designed GUI program, I’ve found that almost nobody ever touched it or even knew it was there. So why bother making the automatic update process user facing? Debian’s unattended-upgrades package is thus far better suited to task.

apt install unattended-upgrades
dpkg-reconfigure unattended-upgrades

Configure /etc/apt/apt.conf.d/50unattended-upgrades to automatically reboot following upgrades which necessitate it, such as Linux kernel upgrades, by uncommenting:

Unattended-Upgrade::Automatic-Reboot "true";

And enable additional repositories besides just Debian-security:

"origin=Debian,codename=${distro_codename}-updates";
//      "origin=Debian,codename=${distro_codename}-proposed-updates";
        "origin=Debian,codename=${distro_codename},label=Debian";
        "origin=Debian,codename=${distro_codename},label=Debian-Security";
        "origin=Debian,codename=${distro_codename}-security,label=Debian-Security";

Consider removing gnome-software and replacing it with synaptic.

Configure automatic passwordless login for lightdm at /etc/lightdm/lightdm.conf:

[SeatDefaults]
user-session=cinnamon
autologin-guest=false
autologin-user=$USER
autologin-user-timeout=0

I was amazed at just how much of the signature Linux Mint behavior actually just comes from Cinnamon themes. I have long thought that the Mint team should retire the Ubuntu based Linux Mint and replace it with Linux Mint Debian Edition (LMDE). But now seeing the straightforwardness of making a mock Linux Mint setup, even LMDE seems unnecessarily reinventing the wheel.

And by configuring on top of stock Debian, we also get the benefits of;

Stable packages
Consistent, reliable upgrades between releases
No soypack nonsense

culminating in a much simpler system to support at a distance.

The last and final reason that I once held on to Mint was for devices which, due to facilities limitations, could only communicate over wireless during installation. And, now that Debian includes requisite device firmware in the installation media (for better or for worse), Mint has been dethroned as my “boot anywhere” flash drive maintenance distro of choice. It looks like I can finally completely part ways with Linux Mint.

Navigating Donations for Software Freedom

Tue, 22 Oct 2024 20:42:11 -0400

Each year I’ve made it a point to donate the value equivalent to what I would have once paid for Windows licensing to my most used Linux distribution. That is usually followed up by a one-off donation to some individual program of my choosing. Sometimes it would be through their donations portal, and other times directly to core developers who accept direct donations. It can be disjointed and I’ve found myself having to decide whether to send money toward a project’s web or forum hosting, node operators (in the case of Tor) instead of the software development teams, to small one-man projects or to larger established projects, or otherwise.

And that’s where the value of having umbrella organizations that can help fund multiple projects presents itself. Now, at first what might come to mind is something like the FSF or the EFF. But as these organizations increasingly chase social activism rather than technological freedom, one begins to question what value is actually being derived from one’s generosity. You would be forgiven for thinking that the Mozilla Foundation might use it to pay developer hours on Firefox. But if you look closely, they say right there that it gets used for advocacy campaigns (code speak for agenda pushing) and for their annual “MozFest” (where they spend a lot of time discussing things that aren’t Firefox).

So what are some good umbrella organizations acting as stewards of software freedom?

NLnet

NLnet have been absolutely hitting it out of the park for the last few years. NLnet actively seeks out tools and standards which stand to benefit free and private computing and the internet at large. Among the projects to which they have allocated funding;

Servo Web Engine
Marginalia Search
mitmproxy
NoScript
PeerTube
Many ActivityPub adjacent projects
Qubes
LibreOffice
WireGuard
Lots of RISC-V related efforts

It seems like every month I read about something excellent like Coreboot finding itself the recipient of NLnet funding. If you would like to help push the internet and digital technology, more broadly, in the right direction, check out their donation portal.

Software in the Public Interest

SPI had originally been founded for Debian, by folks involved with Debian, but has since expanded well beyond that. They distribute funds to several projects under their wings, including;

FFmpeg
NTPsec
Privoxy
Several Linux distributions
Several open source games
PostgreSQL

They seem to be well aligned with the interests of NLnet, with the two even sharing some recipients. Donation information found at Donations to Software in the Public Interest, Inc.. Don’t be put off by “Inc.” in the name, SPI is wholly a non-profit.

Software Freedom Conservancy

While their association with Outreachy is a bit off-putting, I definitely class SFC with the aforementioned funding organizations. With some stars adorning their shoulders;

Coreboot
Git
Inkscape
OpenWRT
QEMU

If you can overlook some of their personal politics, the actual work they’ve done is voluminous. SFC are most certainly a candidate for strengthening digital freedom. If interested, some information for sending a few shekels their way.

Since discovering these organizations, I’ve shifted my giving strategy. A side benefit of doing so is that the financial intermediaries (and their partners) don’t get information from which they can infer specific software that you use. And instead of seeking out dozens of disparate projects to throw money at, many of them have been collated under the bank roll of these non-profits. If you’ve benefitted from the excellent work of any of these projects and wish to gift back, this may be the most frictionless way to do so.

Libre Software Project Names Suck

Wed, 09 Oct 2024 22:46:39 -0400

I’ve decided I will no longer refer to Linux as GNU/Linux. Linux, with a capital L. I once thought it would lend itself to clarity and understanding, but it only leads to greater confusion. Most people already struggle to grasp simple concepts, so there is little point trying to subtly promote the details. And the real purpose behind the term ultimately serves to appease the sensibilities of Richard Stallman. Anyone with sufficient interest in Linux is already well aware of Stallman’s significant involvement. Those who don’t are not going to be swayed by such GNU-jitsu anyway. This necessitates going back through my works and sed ’s/GNU\///g’ing any instances of this contrivance.

And, more broadly, the names of many libre software projects are often tragic choices. The name of this very article was going to be “Free Software Projects…” but even the very designation of “free software” itself suffers from inexacting terminology. I’ve long thought that the FSF ought to change their name to the Software Freedom Foundation, or the Foundation for Software Freedom (if they’d like to retain their current acronym).

Bad naming can happen for varied reasons.

Placeholder names

Ex. Minetest
Anyone who has started a throwaway software project is probably familiar with lazily naming things like test.py or rendertest.cpp. Sometimes, it seems, a software can take off unexpectedly and carry the name along with it. A desperate stretch to bandaid this unfortunate name might take the direction that “Test” is referring to the game testing your skills.

Update October 22nd: With almost poetic timing, the Mintest project has decided to rename to “Luanti”. They finally did it. They finally dropped the test name. And it only took them nearly a decade and a half. Is Luanti a better name? Well, at least it doesn’t have “test” in it anymore.

Sequels

Ex. mat2, wget2
Creating sequel releases might make some sense in the commercial proprietary space. But libre software has no such incentive. So why do devlopers of such software insist on appending “2” to things?"
If the code requires a full rewrite, then just rewrite it! Or give it a new and unique name.

Alphabet soup

Ex. msmtp, ffmpeg
Not only does this fail to make the name self-descript, but also creates a pain for programs that are invoked from terminal. Alphabet soup names complicate recommending solutions to others, who may already be tepid on the notion of trying something that isn’t a household name or paid mainstream software.

‘Just a clone’

Ex. OpenSnitch, LibreOffice, anything OpenXYZ or LibreXYZ
Tends to establish the solution, however good it may be, as simply an alternative in layperson’s minds. It serves to diminish the significance of what are often really great programs.

Trying to be too witty

Ex. Canoeboot
Only those who know that it is a play on “GNU Boot”, specifically using Stallman’s silly insistence on hard G Gah-noo, will understand why it is named that way and that it doesn’t actually have anything to do with canoes. Granted, this does make it easier to lookup in search engines, as it avoids the issue of name collision. So they get some points back for that.

Any good name should succinctly denote what the program does or manipulates and should be human memorable as an utterable phrase. It should be forward thinking to avoid getting stuck with a title that inadequately represents the program. Free and open source software is absolutely littered with terrible names and it does a disservice to the overall perception of this otherwise fantastic work.

How to Git Gud with Linux (From Zero)

Fri, 20 Sep 2024 23:39:33 -0400

Most of the content on Wrongthink assumes that readers are already competent with Linux and computers. There hasn’t been much here that speaks to the beginner, and we should respect that we all started out somewhere. If you’re just coming into the Linux and libre software side of things cold, with little familiarity to speak of, the starting hurdles can seem like unscalable walls. Some forum interactions had recently reminded me of this, so it’s time for me to try to put myself in the shoes of an aspiring unix autist starting from scratch.

I’m a lifelong Windows user and I really want to switch to Linux. How do?

One of the biggest hang ups is in trying to preserve every little program and aspect of your workflow that you’d grown accustomed to. Before I migrated over, I had compiled a list of all the software that was important to me at the time, much of it games, with the intention to get them installed once they had been ported (if ever). Or by finding the closest fascimile that could be installed at the time. What I’d discovered is that it is often easier to let go of the things you thought you’d need because usually there is a completely different way to accomplish a task that you wouldn’t have imagined before.

I’m afraid that something will break and I’ll lose all my data/access to my PC!

Before you dive into any big change, your files should be safely backed up somewhere from which they can easily be restored. I would recommend a USB hard drive (actually, multiple, following the 3-2-1 rule. But that’s for another post. Having a solid backup available will place you in a position of confidence in your endeavor.

This hurdle is compounded by the habit that Windows induces into people being that the solution to any significant breakage is simply to “nuke it from orbit” and reinstall the OS fresh. Breakage on Linux OSes is often settings in a config file that can be reverted. Looking at system logs and pinning down the cause of a breakage is often the path of least resistance to repair a Linux installation. Plus, you pick up useful knowledge along the way. Not so with wiping clean and restarting from a blank slate.

The ultimate cheat code

The importance of having more than one computer available cannot be understated. If you have a spare device that can be designated as your exploratory system, then there’s no need at all to worry about losing your data or your daily driver suddenly becoming inaccessible. Even just having multiple drives that can be selectable boot devices or physically swapped in is preferable to playing around with your production system.

Virtual machines are not the same in this respect, because they fail to put you into contact with firmware and hardware idiosyncracies that different equipment will confront you with. Particularly of the display stack and networking variety, but also with artifacts that peripherals can present.

To this day I still maintain parallel staging environment on which to test configurations and big changes before applying them to my flagship computer. It is also peace of mind to know that even in the worst of scenarios, that you have additional computers waiting in the wings to fail over to. But the biggest benefit this arrangement supplies to beginners is in the ability to learn rapidly.

Rapid iteration learning

Even if one spends hours daily reading the theory of softare and OSes, picking up tips, and memorizing tools and commands, one will get nowhere without actually getting into a system and tinkering. We learn by making mistakes. Setup a computer to be your sandbox, and dive in anticipating that things will probably break. Pick individual components that you want to tame and tackle them individually.

Where something doesn’t make sense, explore help resources in this order:

man page / –help arguments
Your distro’s wiki
Search engine / Forum search posts asking similar questions
Ask on forums, IRC and mailing lists

I had made my biggest strides as a new Linux user while attempting different configurations on a portable spare and trying to recreate the “loadouts” of beginner friendly distros like Mint or Ubuntu using more modular “DIY” distributions. One rabbit hole you can follow is to create a desktop on top of something like openbox and dress it up with taskbars, file browsers, greeters and so on.

Quick tip: Do not use sudo unless a terminal program specifically requires elevated privileges to run. Some newbies fall into prepending everything with sudo because they’re unsure where it is necessary to do so. Sometimes, trying to run certain programs as standard user will yield “bash: <program_name>: command not found” which is admittedly unhelpful when said program is only executable by root (sudo required). Some programs are nice enough to inform you when permission is denied to normal user accounts:

E: Unable to acquire the dpkg frontend lock (/var/lib/dpkg/lock-frontend), are you root?

I shouldn’t have to learn a bunch of esoteric commands to be able to use my PC!

These days, you don’t. But, it would be to your great benefit if you did. Unless you want to be a GUI zombie forever.

Going headless, the boost plate to intermediate and beyond

If you don’t have some server you’re going to SSH into, consider exploring different terminal and ncurses solutions for the things you already use in your desktop session. Imagine that you might need to use your computer without a functioning display server. How would you do so? Some of the most fundamental things to know, in no particular order;

Navigating directories:
Enter a directory cd directory_name, Leave to parent directory cd .., Return to top directory cd
Listing directory contents:
List all standard files ls, List all incl. symlinks & hidden ls -al
Creating files & directories:
Create new file without any content touch file.txt, Create new directory dir /home/user/Recipes
Viewing drives:
List storage device tree lsblk, List available drives ls /dev/sd*/ls /dev/nvme*
Mounting and unmounting drives (w/ udisks2 package installed):
Mount udisksctl mount -b /dev/sdb, Unmount udisksctl unmount -b /dev/sdb, Safely power off drive udisksctl power-off -b /dev/sdb
Moving files:
Copy file from A to B cp /home/user/apple_pie.txt /media/user/flash_drive/, Recursively copy a directory cp -r /home/user/Catpics /home/user/Animal\ Photography
Deleting files & directories:
Delete file rm /home/user/Cryptids/yeti.jpg, Delete directory (when it’s empty) rmdir /home/user/Cryptids
Viewing text files:
Print plain text file to terminal cat menu.txt, View plain text file with scrolling pager menu.txt
Editing text files:
Append text to file echo "Maple syrup pancakes" >> menu.txt, Edit with vim tiny vi menu.txt, (Within vim tiny editor) Enter insert text mode i, (Within vim tiny editor) Leave insert mode esc, (Within vim tiny editor) Delete character x, Quit vim tiny editor, saving changes (Within vim tiny editor) Shift + zz
Searching text files:
Search for word match grep -e Word shortstory.txt, Search for word match (Within vim tiny or within pager) /Word + Enter
Retrieve exit codes:
Get exit code of last executed program echo $? (0 indicates no issues)
Compare files:
Print differences to terminal diff file1.txt file2.txt (No output indicates they are identical)

And, ways to do things that you might have thought were only possible with graphical programs:

System monitoring: top
Calculator: bc
System temperature, clockspeed: s-tui
Hardware info: dmidecode
Index and search files: updatedb,locate file_name, package mlocate
Explore file size: du -h file_to_measure.bin
Explore disk space consumption: ncdu /directory/to/view

Some of these may need to first be installed through your package manager. But many, such as top are available pre-installed on pretty much any distribution. There is so much that can be handled through the terminal that, with the exception of visual multimedia, almost any typical task can be done headless. Well, maybe visual multimedia also, depending on how dedicated you are.

And don’t feel silly about recording example commands into a reference file. I still do, and my ffmpeg reference sheet has grown impressive in size. The stuff that you use frequently will become second nature after a while.

I tried installing XYZ program and it broke/doesn’t work!

Use your package manager. Use your package manager. Use your package manager. So many newbies try to continue their Windows habit of going to a vendor’s website, downloading some installer and then attempt to install it. While this is sometimes possible to do, increasingly so with things like snaps and flatpaks, it is really bad hygeine in Linux distros. Get into the habit of only installing software through your package manager.

On many distributions, this takes the form of apt. Although it is certainly possible to use frontends like Synaptic or your desktop environment’s in-house software center. Sticking to software only as packaged for your distribution will keep things much less prone to breakage and make upgrades much simpler. Only after you have gained some proficiency with Linux, should you explore things like adding additional repositories to access more software.

They told me I should install Gentoo!

There is no shame in getting your feet wet with an easy distribution. Linux Mint is an excellent example and is the one that I cut my teeth on when starting out. You can always switch to something more novel later on after accruing some knowledge and familiarity. And still, many even remain on these “beginner” distribtions because everything works to their satisfaction. Isn’t that the end goal? To have a system that you’re satisfied with? There is nothing standing in the way of a knowledgeable user from modifying Linux Mint to suit their own goals.

If you throw yourself straight into the lion’s den from the start, you may find yourself overwhelmed.

Lastly, read the boring stuff

Your choice distribution will likely have a wiki, as well as pages of mailing list threads or a heap of years’ old forum threads. Take some time to parse through these and understand why said distribution has decided on the design and underlying components that it uses, what had been used in the past and why that has changed. Or perhaps this is all just a very polite way of saying RTFM!

RE: Life in a Dysfunctional World

Tue, 27 Aug 2024 22:21:00 -0400

A frustrated individual recently vented some valid complaints over the intrusion of digital technology into daily life on her blog. Close, but missing the mark, I am both warmed at tech commoners waking up a bit and also disappointed in their predictably limited perspectives.

Before I rip into the article I just want to acknowledge that Elayne is probably a lovely lady and I probably even agree with her on much of the state of digital affairs in the abstract. However, a set of boomer blinders appears to be affecting her assessment of things. Let’s dig in!

Fast forward to the 21st century and you will understand the frustrations of living in an impersonal, stressful, infuriating new world. It’s one in which computers and corporations have taken over our lives and made artful obfuscation a new art.

Computers and corporations have taken over our collective lives because the general population has enabled them to do so. When you elect to involve devices in your life without at all considering how any of it works, who controls it, or the ramifications of its design, you enable exploitation by corporations through the use of their technological products.

Remember what it was like before our lives were ruled by algorithms, AI, autopay, QR codes, social media, virtual chats, usernames and passwords?

Nearly all of this is completely avoidable through the simple power of saying “no”. When I am asked to scan a QR code or download an “app”, I politely decline, offering that I do not have a cell phone. Social networking? Just don’t use it. See your friends in person instead. Algorithm[ic feeds] are largely leveraged in social networking. Avoiding the aforementioned stikes this one off the list as well.

Additionally, despite not having signed up for the daily plan, my husband received twelve texts on his cell which shouldn’t have been there. “Oh,” said the first agent, “he should have been on airplane mode.” I explained that he hardly knows how to use a cell phone.

While I also harbor a distain for “smart” phones, even I can understand that there is no excuse to remain ignorant in how to operate a device one expects to use on a daily basis. I hear this excuse all the time from older people, and it is very obviously a thinly vieled attempt to justify one’s laziness. It takes only a few moments to explore the layout of a graphical interface that you’ve never encountered before. And even if it takes you longer, then set aside some time to familiarize yourself with the device. It is not the responibility of others to accomodate you where you’ve put in no effort to help yourself.

When we moved house two years ago, Comcast gave us the wrong email addresses and landline number after I’d printed 500 business cards and alerted family and friends of our new contact information.

Why are you putting yourself at the mercy of your ISP to decide your email service for you? Who actually does that? Exert some agency over your technological decisions. Most normies at least opt to use an email provider that operates independent of their internet service provider. Wait, is this just a holdover from the era of landlines? Where subscribers got their phone service installation and the telecom selects their phone number for them? So this is just a case of boomers applying the lens of legacy telecommunications over the internet, expecting things to work the same way.

Allow me to try to offer a terrible analogy: Your internet service, being a utility, should just be considered a dumb pipe. It moves data in. It moves data out. It is up to you to decide what kind of data moves across it and how. And your water utility is all the same. They will bring water to your home, but it is up to you to decide what to do with it and in which ways it gets used.

Hopefully, you don’t expect your water utility meter man to pour you a glass of water and subsequently raise it to your lips. And if somehow you do, don’t get mad at your water utility for deciding you should be drinking water from a glass instead of filling a pool or showering with that water instead. The idea that people just passively accept an email account tied to their ISP is simply ludicrous to me.

We also went through hell trying to access everything from bank accounts to credit cards to companies who were paid by autopay because their websites wouldn’t recognize our usernames or passwords.

I suspect that the issue in reality was that the wrong credentials were being supplied. Your email address being changed should have little bearing on this.

Sadly, the future looks bleak given corporate power, lack of regulatory policies, and a frightening explosion of artificial intelligence.

Corporations have as much power as people collectively give them. When 90%+ of the general public decide “I don’t want to have to think about it, I’ll just use whatever defaults my computer comes with!” then they shouldn’t be shocked when they later find that the Microsofts and Apples and Googles of the world now rule over ther lives.

But right now, I have to stop writing. Staples has finally called back to say my new laptop is ready.

So you’re having somebody else provision your devices for you? It’s no wonder people “hardly know how to use a cell phone”. Normies have grown so indolent that they must outsource something as simple as device setup. I can’t help but to find that much of the author’s stated injuries are self-inflicted. A cursory, surface level examination is often all it takes to determine if a piece of software seeks to manufacture captive users from which to extract value. Here’s a hint: If you have to agree to any “EULA”, then it is most likely proprietary software. If it is proprietary software, it (and its authors) most certainly seek to subjugate and exploit you.

Yes, the world is increasingly becoming a technological hellscape. But it isn’t solely the fault of corporations. We also have the general public to thank for that. A majority who deem basic technological literacy as “too difficult” to bother with. Just give ’em a big shiny button to get Bread & Circus streaming on Netflix. How it gets implemented and any downstream consequences be damned.

Video Games Need MORE Ideological Propaganda

Tue, 06 Aug 2024 13:00:41 -0400

There has been so much online outrage over the historically recent shoehorning of ideolgical agendas into video games. The industry and the forces which fund them have been hard at work making gaming more palatable for the Inclusive™ crowd. “It just isn’t for you” they quip. And I fail to see how this is even a bad thing.

Those who seek to erect safe spaces at your expense are actively taking up a passtime that is precision engineered to maximally distract and pacify its users. Your ideological aggressors are going to hurt themselves in confusion and you want to prevent it? I say let ’em have it!

Oh, you'd like to have a turn at gaming, would you?

Two possible benefical outcomes:

Dissuade perceptive free thinkers away from wasting their life energy on video games.
Attract radicalized ideologues into the trap of gaming.

Who knows? As they become increasingly pacified playing their coopted games, we may notice a detectible decline in the amount of REEing both online and offline. We should actually be encouraging those who seek to shove their ideologies down our collective throats to explore this “wonderful” medium.

In fact, games don’t have enough progressive pandering. The games industry really needs to get to work packing games chock-full with genderbread men and narratives about fighting the racist patriarchy, overflowing from the brim with dialogues about oppression, mental pathologies and social pecking orders.

And if you’re anything like the PNGtubers and bloggers still caught up with “They’re ruining muh video games!”, this is a really great time to consider putting gaming behind you.

Never interfere with an enemy while they’re in the process of destroying themselves.

Transmitting Material of Consequence

Mon, 10 Jun 2024 17:09:32 -0400

You have a file you would like to share with a friend, or to a colleague. Something personal. Or some damning information. Either way, you want to be certain that only the recipient is able to access the data. But it needs to traverse the internet. How can you do it in a way that minimizes opportunity for SIGINT, adtech or other adversaries to eavesdrop on your exchange?

It’s really quite mundane. And I have shared file sets on occasion in such a way. Sometimes it was just because I didn’t want the recipient to access the files until after a certain date. Or because the person to whom I was sharing resides out on another continent with no chance of ever meeting in person.

The short answer is simply to symmetrically encrypt the data using GPG and then share the passphrase out-of-channel. The catch, of course, is that the lynchpin in this chain of confidentiality often comes down to the OPSEC of the person to whom you are sending files. The longer answer is rarely detailed clearly in an online guide and I would like to offer some additional tips.

Start

Have GPG 🗹

This is your opportunity to redact anything you don’t want the recipient to see. Metadata can end up betraying you, depending on the nature of the exchange and your relationship with the recipient. Strip away usernames and file ownership.

tar -cf info-dump.tar --owner=0 --group=0 --no-same-owner --no-same-permissions /path/to/info-dump

ffmpeg can manipulate file metadata with the -metadata switch parameters. mat2 is an excellent metadata scrubbing tool. And if unencrypted copies of the file(s) fall into the possession of anyone other than the intended recipient, then your device info, username, or other potentially unique information won’t be plastered all over it.

Tip

Consider padding the file(s) with junk data. If what you are transmitting is of a known filesize, an outside observer might be able to infer its likely content by filesize alone, despite it being encrypted. File compression may also foil this, although video data will change comparatively little after compression compared to something textual. It all depends on what you’re sending.

In case you don’t feel like sourcing 80 MB of cat pictures, it is possible to conjure up junk files of any size using dd.

dd bs=80M count=1 if=/dev/urandom of=junk.bin

Just include these when you assemble the file set before encrypting it.

Encrypt the file symmetrically

gpg -c --cipher-algo aes256 info-dump.tar

Will create “info-dump.tar.gpg”, prompting for a passphrase along the way. The -c switch instructs GPG to handle the passphrase with case sensitivity.

Boilerplate: Assume that adversaries will get to retain a copy of the encrypted file set indefinitely with which to brute force against. Select a long, high entropy passphrase that has not and will not be used elsewhere. The LUKS folks have a good writeup on this.

Tip

If you’ll also be transmitting the passphrase electronically, avoid transmitting both the data and its passphrase at or around the same time. Doing so will make it easier for a passive global adversary to correlate the two. Staggering transmission by several hours should suffice, although allotting several days is preferred.

Decide how each component will be sent

Something like Tox is a good candidate for sending the passphrase to the recipient. Although nothing beats offline, non-digital exchange. Pre-shared knowledge is ideal. Maybe something cryptically scribbled on a note. Although if you’re sharing files electronically at all, it stands to reason that face-to-face hand off isn’t an option.

You can use steganography to covertely share the passphrase embedded in an innocuous looking message. Email a picture of your garden “Look! The tomato plant is budding!” in which it has already been pre-embedded using stegosuite. Or send a DM which suggests passphrase reconstruction based on knowledge that you and the recipient already share. Creativity will stretch your options.

The encrypted file itself can be transmitted through any medium. A flashdrive, a file host, your web server. As long as it is through a different channel by which you’ll be sending the passphrase. I would recommend some ephemeral service. Catbox has a good option for this at litterbox.catbox.moe. Anything uploaded there will be removed after a pre-selected duration. So if you can arrange with your recipient to acquire the encrypted file within the next twelve hours or three days or whatever, it later becomes inaccessible which is perfect for this usage case.

Tip

It might be polite to include a SHA sum of the file(s).

sha512sum info-dump.tar > sha512sum.txt

Decryption

Decryption on their end should be a simple matter of

gpg --output /path/to/info-dump.tar --decrypt /path/to/info-dump.tar.gpg

Once it has been decrypted, the ball is totally in their court. It might be helpful to know ahead of time if the recipient is using Windows or some other leaky botnet contrivance. And just how sensitive is the thing that you are sharing?

Hardened Network Time Protocol

Mon, 20 May 2024 18:34:14 -0400

Many contemporary devices still use the original network time protocol devised as it was in the 1980s. It is completely unencrypted and susceptible to time attacks. Disabling or removing the NTP daemon from a system does not workaround the issue since accurate system time is critical to cryptographic functionality.

Luckily, there are projects such as ntpsec which seek to address this issue. ntpsec is a reimagining of the NTP client in a modernized and encrypted fashion. As of Debian Bookworm, ntpsec is now the default time server (but only if you elect to install a time server), replacing old ntp.

ntpsec can be installed through apt. A system daemon will be automatically added and, at least in Debian, automatically disables systemd’s timesyncd. But just in case your distribution does not do this, disable (or remove) existing NTP services.

systemctl disable systemd-timesyncd.service

Just installing ntpsec is not enough to have secured NTP. Even though ntpsec code drops some legacy cruft to reduce attack surface, we still need to point it at time servers which actually support NTS encryption. First, allow port 4460 outbound on your firewall (assuming nftables) for NTS negotiation and port 123 TCP for key establishment:

nft add rule inet fw fw-output tcp dport 4460 accept comment "\NTS\"
nft add rule inet fw fw-output tcp dport 123 accept comment "\NTS-KE\"

Then replace the default timeservers in /etc/ntpsec/npt.conf to comment out entries for Debian’s timepool:

#pool 0.debian.pool.ntp.org iburst
#pool 1.debian.pool.ntp.org iburst
#pool 2.debian.pool.ntp.org iburst
#pool 3.debian.pool.ntp.org iburst

There are not currently very many time servers supporting NTS, some of them can be found in the ntpsec documentation. Add at least three:

server ntpmon.dcs1.biz nts iburst
server ntp1.glypnod.com nts iburst
server ntp2.glypnod.com nts iburst

It is very important to include the parameter “nts”. “iburst” instructs the daemon how to query the time servers when first starting up.

Tie things off neatly by restarting ntpsec to apply the new settings:

systemctl restart ntpsec

You can test to confirm whether system time is now pulling from the new timeservers with some utilities:

ntpq -p

Output:

    remote                                   refid      st t when poll reach   delay   offset   jitter
======================================================================================================
+<domain>                               <ip address>     2 8  296 1024  377  84.7702  -1.4467   0.9012
+<domain>                               <ip address>     2 8  464 1024  377  83.5904  -1.2271   0.2856
*<domain>                               .PPS.            1 8  689 1024  305  92.4504   1.6698   1.5045
+<domain>                               <ip address>     2 8  665 1024  327  87.0531   0.6623   2.4672

“*” indicates the selected primary server based on performance criteria. The field “st” should be two or less on successful negotiation. Field “t” indicates whether cookie is held, it should be 8. The same information can also be viewed in realtime with the ntpmon textmode viewer.

You can probably also safely purge systemd-timesyncd once everything is confirmed working.

Understand that while ntpsec successfully encrypts NTP and avoids some security issues inherent with legacy NTP, not very many people run it as of this writing. And even though your time information is concealed between you and the timeservers, this configuration could make your overall network fingerprint more unique when running through proxies like a VPN. It may survive being placed behind Tor, as ntpsec had done just fine adjusting offsets when negotiating over a satellite link.

Additional mitigations against leaking host time information to be detailed in kernel and operating system hardening.

Olimex TERES-I Review

Thu, 09 May 2024 11:38:04 -0400

An outfit in Bulgaria design and produce single board computers, microcontrollers and DIY laptop kits sold as TERES-I. I’d found so much success with other open source hardware that this kit was a must try. I really wanted to like it but there are some glaring issues.

Olimex’s TERES I is an AllWinner A64 ARM (Cortex-A53) device with non-socketed 2GB DDR3L memory and 16GB eMMC internal storage. It drives a low resoltion display at 1366x768. That places it just at the threshold of what I would consider to be a performant computer for a traveling laptop and Navit navigation solution.

Before diving into the problems with TERES-I, there are qualities to appreciate. These are some of few open source hardware computers to be manufactured outside of China, for those who care about such a thing. Final assembly is on the end user since these are sold only as kits. The keyboard is void of any Windows key, instead opting for a generic “Tux” emblem. The whole laptop is incredibly simple and lightweight, measuring at 14" corner to corner, placing it into the netbook form factor that I miss so dearly.

Being ARM based, it is not subject to many of the speculative execution exploits plaguing the x86 family. TERES-I is also quite affordable. Especially when the landscape of open source hardware often sees devices which command price tags far above what their proprietary competition ask. And, unlike LibreBoot Thinkpads, it is not some reverse engineered device long since EOL’d by the original manufacturer sporting chips designed and fabricated almost two decades ago. Relatively modern components yield it a small, fanless device with decent battery life. Lastly, it is possible to use without installing non-free firmware or drivers. At least according to check-dfsg-status.

However, there are some show stopping usability issues which prevent me from treating Olimex’s device as anything other than a curiosity. First and foremost is the storage and bootstrapping situation. I could have gotten by on the 16GB internal storage but, in order to boot from any OS installed on the eMMC storage, one must follow a convoluted procedure in which you power on the laptop with a bootable microSD card installed. After reaching the U-Boot splash, one must physically remove the microSD at just the right moment, causing the laptop to boot properly into the internal storage instead. Failing this, one will only be met with a blank display.

Additionaly, full disk encryption is impractical unless one builds their own image and, even then, AllWinner chips’ weak cryptographic performance translates to a slow system. The encrypted LUKS LVM provisioning in Debian fails to boot once installed, even when using the above workaround.

Speaking of the Debian installer, it is possible to provision and install debian using the usual whiptail installer, but it must be built in a special way. For those who would like to try this for themselves;

Obtain the images:

wget --https-only https://deb.debian.org/debian/dists/stable/main/installer-arm64/current/images/netboot/SD-card-images/firmware.teres_i.img.gz
wget --https-only https://deb.debian.org/debian/dists/stable/main/installer-arm64/current/images/netboot/SD-card-images/partition.img.gz

Combine the two into a single image:

zcat firmware.teres_i.img.gz partition.img.gz > complete_image.img

Then write the image to microSD card:

sudo dd bs=4M status=progress oflag=sync if=/path/to/complete_image.img of=/dev/sdX

This will create a bootable microSD card that loads the conventional Debian installer from which to install directly to eMMC storage. In my testing, even without using full disk encryption, one is still required to use the above workaround to boot without hanging at a blank display.

It is also possible to transfer an already working image, such as the one supplied by Armbian, from a microSD card to internal eMMC through the use of a script supplied by Olimex. I had a devil of a time locating the script, so here it is along with my copy in case Microsoft ShitHub fahrenheits’ it. Simply boot into the working image you desire to install to internal storage and run the script from within that session. It worked some of the time during my testing.

All of this, plus the limited 16GB capacity, kills any desire to install to internal storage. So that left me with considering a microSD card solution which at least could afford more storage capacity. But the issue remains of how easily an adversary could just detach the card thus gaining access to all your data unencrypted. One could opt to encrypt the home directory or individual files but this is incomplete and cumbersome. I am simply not comfortable with anything other than internally installed, LUKS encrypted storage.

I suppose that one could make use of this design failure as plausible deniability, wherein your TERES-I boots by default to a dummy operating system that is innocent looking and unencrypted (to satisfy border checkpoints, airport “security”, etc) while the obscure boot-to-eMMC workaround procecure is used to access your real OS and data. That would be nice were it not for all the other issues.

TERES-I cannot comfortably be used as a Navit GPS since it currently does not have working audio under any distro that I’ve tried. It is still [email protected]/">awaiting a patch. Armbian even mention this in their errata as a known issue with no known workaround. I’d attempted the pavucontrol configuration documented at Debian’s wiki but pipewire with pipewire-pulse refuses to recognize the audio device. One could maybe live with an external USB sound device consuming one of the two USB ports.

Speaking of consuming USB ports, TERES-I does not have any ethernet ports. So during your operating system installation, you’re either going to need to settle for wifi (if it works) or to have a USB to RJ-45 adapter handy. My house is a wireless-free home (my area doesn’t even have cellular signal which is awesome and I hope they never build a tower) so everything is connected physically. An adapter works well enough, although it is just another thing to tote around.

The AC power adapter is made for European style outlets, since this is a product of Bulgaria after all, so those of us living with type A outlets need an adapter head. The head supplied with the power adapter adds another inch to an already tall wall wart and makes it unwieldy for travel. I suppose with some effort, one could make a DIY cord that hangs out of the other end of the power brick but that’s a lot of effort for an already very needy laptop.

And can the power brick be replaced with one of the correct voltage and amperage? Maybe, although the OEM power adapter has a LED integrated which indicates whether the device is charging or fully charged. I’m not sure if there is some interplay that would prevent a generic AC adapter from stopping once it “knows” that the battery is charged.

Even though Olimex bill this laptop as upgradeable, there have been no upgrades produced in the six or so years that TERES-I has been available. This normally wouldn’t be an issue, but with the hardware specifications teetering on the edge of usability, I find it difficult to throw in for the long haul on a device that can just about run a full desktop environment and web browser. This is not to say anything about my intentions for it to run Navit which can be memory intensive.

And there are the miscellaneous things. It is still ARM. One must contend with the presence of an unmitigated ARM Trustzone. I am not among those who would consider Trustzone any less of a black box than Intel’s ME. It boots to the microSD card slot by default. There is no option for selecting boot order within U-Boot (unless one wants to build and flash their own U-Boot). Documentation is sparse. It took me embarrasingly long to discover that the power button works more like those found on mobile devices than on conventional laptops, needing to be held for a few seconds to power on or off.

Only so many distributions support the device. A list can be found at linux-sunxi, most of which seem to be treated as an afterthought, harboring their own issues and varying states of being unmaintained. Even the official image supplied by Olimex is basically abandoned. Just have a glance;

Debian: Rarely works due to trying to be “one image for all arm64 devices”
Redpill: Seems to be an abandonware, doesn’t work anymore
ArchLinux: Image developed during porting for parabola linux, abandoned due to upstream incompetence
GNU Guix: Patch for an official support, never merged, Patch submitted, but ignored by distro
NixOS: In development..
Alpine: Was fully supported, but maintainer was inactive, now awaits linux kernel optimizations
Ubuntu: Fully supported through the armbian framework (i.e. just kick the can down to Armbian)

Abysmal. And I gather that this is a problem plaguing many ARM family and single board computer systems. Many need to have their own custom images built.

I want to like the TERES-I, I really do. But it is very much in a development state. Maybe a TERES-II or an upgrade to the existing framework could elevate Olimex’s kit to a status of general usability. My intuition also tells me that if they sold them pre-assembled that there would be more buyers. The landscape for open hardware laptops is already slim pickings and I hope that they can move forward on this design.

The netbook that I’m currently using is getting long in the tooth. It cannot be upgraded beyond Debian Stretch, so it is living in a state of limbo as an offline-only airgapped car GPS and portable audio player with no prospects to return to running SIP telephony, web or email. And so my hunt for a suitable replacement continues.

A Message to One's Former Self

Thu, 25 Apr 2024 23:18:25 -0400

Much of what I compose never finds its way beyond the drafting folder. Under a bit of a melancholic mood, I put together what could be a letter to myself of fifteen or twenty years prior. But if it can be to the benefit of any soul who happens to be similarly positioned as I had, then I see no reason to keep it all to myself. Redacted a bit to preserve personal details.

Dear self

You do not require anyone’s permission, or anyone’s blessing, to go and pursue the things you want to do in life. There is no point at which anybody formally tells you “you may now go work toward your goals.” Sitting and waiting only runs down the clock on the precious window of opportunity afforded by the position you occupy in life. Opportunities will periodically present themselves. Act on them! Situations in which you are uniquely suited to answer the call. Ephemeral moments which, once passed, can only reside as a memory – either as an experience or as a regret. Don’t allow them to become regrets. The joy of an accomplishment is made bitter when it is realized only too late. Beyond the window when the milestone can be shared among others. When it could have been more complete and fulfilling had only you done it earlier in life. There is no reset button on reality.

The people around you will drop away. Even if it doesn’t seem imminent. The tumult of society will close doors once open to you. Telling yourself “I’ll get around to it someday” will doom many aspirations to be shut away behind those doors before you ever get to reach out at them.

Whether you are eighteen or twenty five or twenty seven, it is only once that you will ever be. There is nothing wrong with savoring the joy of a peaceful time in life. But do not allow yourself to languish. To overindulge. Remaining captive even to the most favorable arrangements can come at the great expense of your ambitions.

You can avoid such a future. Taking the requisite steps may seem paralyzing. But the consequences for mistepping are seldom as severe as your imagination makes them out to be. While the consequences of failing to act on your ambitions are far more tangible.

Keep up your instrument learning and take it more seriously. Reading sheet music and training it into your muscle memory is key.

Graciously accept the affections of your siblings and relatives. Even if it seems inconvenient or irritating in the moment.

Talk to the girls who make efforts to place themselves into your proximity. Reciprocate their bold gestures.

Having a job, an income, during your youth isn’t the worst thing in the world. The doors it opens are incalculable.

Shoot for a big university rather than settling for what is “safe” and comfortable. They will probably accept you. You are much more intelligent than you give yourself credit for.

Go for the robotics tract. It really begins to grow in a few decades, trust me.

You only play games because it is the one place in which you feel you can exert yourself, exercise power and achieve any goals. But it is all fake, a time sink. It won’t mean anything in the subsequent chapters of your life. Drop gaming and build skills while you still enjoy peak brain plasticity.

Accept invitations to functions, parties and get togethers. The double date that she arranged was because she is interested in you. She’s not just callously testing the waters.

Actually engage in trying to learn the langauge during your French courses. It is easier than you realize, especially when the script is already in romanized character.

Allow yourself to become comfortable conversing with others. You don’t have to be so guarded all the time. They’re not all out to take advantage of you or to belittle you when you fumble.

Don’t give up when that first Ubuntu disc fails to boot. Recheck the installation image and whether it has been burned as bootable media. The years-long head start will set you on a path for incredible knowledge and useful skills. It will also help you break out of the vice that is gaming.

When a friend shares his favorite series with you, accept his suggestion and indulge in it. He really just wants somebody else who knows and appreciates it to talk with. And it will open you up to a whole new entertainment medium while you’re still young enough to be surrounded by others who can share the joys of engaging in it.

Open up with your grandparents. They want to know you and who you are. Their inquisitiveness is not just formalities. A distant grandson is probably a point of dismay for them. Even if you don’t think that what you have to share will be understood, or even positively received at all. The dialogue itself is connection enough for fulfillment. You may even find more common ground than you think. And they would be overjoyed if you’d introduce them to a prospective young lady you’ve met at school.

You already know they won’t be there forever. I’ll refrain from sharing just how brief a time that is.

Once you have your own transportation, nobody is preventing you from taking advantage of it. It’s not as expensive as you envision. And there is no better time than when you have as few responsibilities as you will ever enjoy. You can even leave the country. And if you do, don’t just settle for a week, or two, or a month. Stay for as long as your documents permit. You never know when you’ll be able to return, or if you will ever be able to return again at all.

Stop making excuses for yourself. The financal recession of your early adulthood is not a one-off event. The economy being demolished will be a regular fixture throughout your life. There is little sense waiting around for “things to recover”. Nor should you anchor yourself just because you don’t know how much time is left with certain loved ones. Again, you can travel readily and easily. You are adaptable.

Trying to squeeze out every last drop of an idealic period in your life is an exersize in diminishing returns. The chains binding you to the comfortable and familiar are entirely of your own making. A psychological prison to which you don’t even realize the cell door is unlocked. You can leave whenever you wish. So, will you do it?

Discord is an Inferior Alternative to Mumble

Wed, 17 Apr 2024 00:15:03 -0400

In 2015 the aptly named “Discord” went about “solving” a problem that had already long since been solved: in-game voice chat. The role of voice chat had been fulfilled by Mumble since a decade earlier. What new innovations has Discord brought to the table? Let’s walk through some of its major features.

Discord compels its subjects to surrender a phone number.
So not only is any expectation of privacy or anonymity obliterated, but one is also confined to a single account. Subjects of Discord are thus often conditionally tethered to the ownership of a mobile phone. Those who wish not to be datamined are SOL.
Discord is not self-hostable.
It is infeasible to host a server with Discord since they do not supply any server binaries with which to create an instance. Worse yet, they seem to have re-educated their subjects that the term server means any kind of lobby or chatroom regardless of where or how it is hosted. And the only way to connect with Discord is through their own officially supplied public instances. Those who go through the rigamarole to sign up are merely granted access to a lobby that is benevolently created and hosted for them by Discord. Thus, most zoombies believe that they “own” a server.

Discord is proprietary software.
Discord’s subjects are forced to use the vendor’s client. The vendor regularly blocks third party and liberated client software. Downstream of this, the Discord client can only be run on environments for which the vendor has produced binary releases. E.g. ARM and x86 only.
Discord is spyware.
It is long established fact that Discord is spyware [1]. Like many proprietary programs, Discord gathers metrics about the user, their system and their activity, collecting information about other running processes and in turn using it for the purposes of advertising.
Discord is hopelessly bloated.
They felt it necessary to integrate an entire social networking disservice within a gaming voice chat application. A gaming voice chat application does not need to have timelines, feeds, profiles, bios, etc.
Discord is centralized.
Again, not possible to self-host == not possible to use without going through the vendor’s infrastructure. Users are left totally at their mercy.
Discord is adware.
Discord implements Pavlovian rewards-based integrated advertising within the client. Imagine installing a program to chat with your buddies in-game, only to be met with nagging ad popups seeking to condition you into certain behaviors?
Discord utilizes paywalls.
Some lobbies are made only accessible with paid subscriptions. Transmitting payment information further erodes user privacy and increases dependency.
Discord is censorious.
Because Discord is centralized, and because it requires users to dox themselves, it enables an incredible capacity for censorship. Going so far as shutting down users for off-site behavior.
Discord requires users to submit to a EULA.
It is not possible to use Discord without cucking yourself.
Discord does not support positional audio.
Despite billing itself as gaming software, Discord fails to support positional in-game audio. A feature Mumble has sported since its earliest days.

As we can see, Discord just isn’t ready for primetime yet (we can turn normie lingo around on them ). No self-respecting person would ever install such a hostile program. Especially not when superior programs already exist which do the same job and with less fuss.

Mobile is a Scourge to Online Video

Mon, 15 Apr 2024 21:58:35 -0400

Web video content is gradually being lobotomized. Years ago it was foreseen that vertical video would be ruinous to viewing conditions. But it is not the aspect ratio alone that has sent web video spiraling down the pit of eternal stupidity. The rise of short form videos catering to zoombies with blown out dopamine receptors has accelerated the decay beyond anything I could have imagined. There are a few factors at play in this.

Video Editing on Mobile Environments is Constrained

Linear graphical video editors appear to be absent or impractical on mobile prisons. My observations of mobile-produced edits suggest that mobile zombies are simply offered a select palette of effects that apply in full over the entire video. “Filters”. Among the results are videos which completely remove the original audio to overlay the uploader’s favorite song, an ailment that we had only just recovered from over the last decade and a half (almost as inexcusable as uploading slide shows to Gootube). And videos with distortion effects obscuring the subject or plastered with emoticons and graphics. Fast cuts (technical events, as described in Four Arguments for the Elimination of Television) to retain the viewer’s ADHD attention.

But I suppose my major gripes are with the toxic waste shat out by tiktok. In no particular order;

Uploaders socialized like monkeys to begin their video immediately into a dialogue as though you’ve been dropped into the middle of a long conversation with a close acquaintance. How psychotic. It reads to me as the product of social engineering. The maneuvering of tiktok as one’s close “friend”.
Realtime subtitle transcriptions. One may be so hopelessly addicted that they must watch videos while riding the subway or while having a meal out where it is difficult to utilize audio. But instead of using subtitle files proper, tiktok have decided it better to encode subtitles right into the video itself where it cannot be disabled. To viewers using a proper arrangement where audio is available, they serve only to distract. To further clutter the visual subjects with yet more garbage. Are mobile users so dependent that they must have subs at all times? And not even normal subs, but a kind developed for rapid, hypnotic, lazy reading?
Needless self-inserts.

Most short form videos do not even merit a visual component at all. So often they consist of somebody filming themselves in a car, delivering a dialogue that could have simply been conveyed as text. Remember, most phone zombies are just reading subs anyway. Or at least they could be conveyed as a voice over. Mostly this seems to serve the newly feminized internet. Narcissists can relish their own image and exploit human psychology to draw greater attention to their otherwise mediocre content.

Vapid synthetic speech. It’s as though the synthetic voice is designed to sound like the same half wits they seek to cater to.
The omission of context. Clipping anything down to fit within a minute’s runtime translates into the loss of underlying information and contextual meaning. No, I am not interested in watching just a fifteen second exchange extracted from a debate.

Why not just refrain from viewing such content?

It is increasingly becoming difficult to avoid this intellectually stunted format. Links that people share being inconspicuous .mp4 files. And, more often, longer form video uploaders are including mobile format clips in their works, instead of chasing down the primary source footage. I do not want to see braindead zoombies talking about a subject matter when that subject matter can instead be viewed directly. So we’ve returned to the same problem that was so prevalent on boomer television news. A steady stream of low quality garbage designed to hold the focus of sub-95 IQ normies.

How do we proceed?

On the technical end, I am investigating the feasibility of using mpv to probe video links for aspect ratio and duration properties from which to automate the blocking of probable mobile videos. Higher effort would be demanded for the writing of a browser extension to do the same in Firefox

On the non-technical, it may be worth considering dropping certain groups and individuals from one’s online regiment. If an acquaintance or familiar uploader is sharing out mobile format trash, it is an indicator that they have surrendured a part of their soul to the botnet, fondling their way through the muck of tiktok and TXitter. Owners of online hangouts might serve their communities well by disincentivising the uploading or sharing of short form videos featuring oversocialized talking heads.

Is the long term outlook abysmal?

Will short form ADHD video retire as it had once done following the era of Vine, a similar affliction of millennial flavored braindeadery? The up and coming generation’s total exclusive usage of mobile devices can be our forecast. The population’s computer literacy is going to plunge to depths never before seen. Likely, we will be left yearning even for the days of the baby boomers, replete with their Nigerian princes and with their twelve rows of freeware toolbars.

The trends are already becoming evident. Short form video is being used in place of web search. Users would rather be spoken to than have to read paragraphs of text. Admittedly, humans are creatures of storytelling around the fire. They would more readily digest a feed of mobile clips ranked accoring to the trove of data assembled about them by the surveillance machine.

Solutions Must Attack the Problems at their Source

Sat, 13 Apr 2024 00:38:55 -0400

Is it truly “sticking it to the man” to forge a way to continue to use a product which has had its original user-hostile features mitigated? As a classic example, those who go to lengths to get a Windows binary game running within a translation layer. You have still bought the game, financially rewarding a company that chooses to exclude you and your platform. Okay, what then if one pirates the title? You’re still giving that product your energy, attention and contributing one more active player to the playerbase. Games thrive on social inertia and mindshare.

This dynamic also exists with firmware and hardware. As is the case with products from vendors like Purism and System76. Yes, they’ve ’neutered’ or minimized things like proprietary BIOS and ME firmware. But the entire transaction from OEM supplier, to system integrator, to end user still financially rewards Intel for the continued integration of anti-freedom/anti-privacy features. I suppose that outfits like Technoethic or Minifree are better in that they tap the second hand boutique market. Chips and boards that had already completed their product cycle in the hardware market. Your purchase of such a device isn’t securing Intel additional revenue. It, at worst, keeps the headcount of x86 higher, thus perpetuating the x86 monoculture.

A more optimal way to avoid contributing to a system that hates you (or at least behaves as though it hates you), is rather to make a clean break. Even if that means making some sacrifices. I would hardly call it “winning” to clutter one’s system with container environments and foreign software all for the privilege of further empowering giants responsible for putting you in such a position to begin with. The privilege of forever being treated as a second or third class citizen while you overextent yourself in order to run restrictive, telemetry-addled user-hostile software and hardware. Great deal.

Things that allow you to bypass a restrictive vendor or service, but still leave you sucking at thier teat;

Frontends

Ex: Hooktube, Invidious, Nitter, etc
*Author’s note that two of these three examples are already dead

Emulation, virtualization and translation

Ex: Virtual Box, Wine, Proton, Box64, FEX-Emu, Console Emulators, etc

Firmware/hardware

Ex: Dual booting (esp. shared bootloader), secure boot shims, enabling ME HAP bit, etc

Is this all to say these things have no merit? Not at all. Many of these methods are an incredible asset to have up one’s sleeve. I only sense, however, that some miscontrue these tools as invitations to indefinitely construct their entire user space atop of. They should only be used for so long as it takes to locate a suitable libre replacement which stands on its own, and not as an intermediary for running some proprietary protocol or software format. And this is where things become a bit fuzzy.

Is it a true replacement to primarily use peertube instances, when much of the content is simply mirrored from Youtube channels? Is turning to lemmy instances really breaking away from a hostile format, when the “DNA of reddit” still infests lemmy both socially and in its design? What of metasearch like SearX tapping the resources of big tech vendors, inheriting their censorship? Infogalactic, which I link liberally, being a wikipedia replacement but its pages all frozen in time from the date they were scraped from Wikipedia.

Perhaps it can be said that building solutions is truly a gradual effort. Nothing is going to be instantaneously ready off of the starting line. And languishing on half-solutions, I believe, will only hurt that effort in the long term. A part of me secretly yearns for Google to go all out in blocking the likes of invidious and yt-dlp so that finally I can find the motivational power to completely drop the time vampire that it is. Or for the MS-x86 industrial complex to make their big move to restrict “unauthorized” operating systems from running on their captured ISA. For a great bifurcation to finally unfold.

OpenSnitch, "uMatrix" for your Entire Desktop

Mon, 01 Apr 2024 22:11:17 -0400

But does it live up to such a description? Going into it, I at first had configured OpenSnitch to intercept and restrict connections based on user ID, port number and destination address. But this proved to generate far too much notification activity. Excessive notification dialogues have a tendency to condition users to simply make exceptions uncritically in the wake of fatigue. Reducing these interceptions down to just destination addresses is much more practical while preserving the granularity that OpenSnitch makes possible.

And, like with other interactive firewalls, there is a brief training period where your most frequently accessed net resources must first be committed to persistent rules as you find you will need them. Once these are established, OpenSnitch shouldn’t generate any notifications when there is no operator input.

I find the default rules of allowing, in full, the connections made per application to be too relaxed. However, the default is probably sane for a more typical end user device. Extending a comparison with uMatrix, the “scope” of OpenSnitch is comprised of applications, rule duration and optionally destination addresses, ports, process & user IDs. Permitting domains and subdomains is also independently possible via regular expressions.

The limitation in this “scope”, however, is that OpenSnitch has no context awareness for different functions within the same application (e.g. browser tabs). Programs as sophistocated as Firefox will continue to require a firewall like uMatrix.

Blacklisting is as straightforward as pointing to a single text file containing the addresses to be blocked, and prepending the name with zeroes to ensure it gets parsed before other rules. One benefit is that this allows IP addresses to also be blocklisted and without having to rely on something like dnsmasq. It may be ideal to double-dip the list we generate with hosts-blocking.

One should be certain to avoid globally allowing traffic from interpreters and intermediaries like Python. If you allow Python executable because you are downloading with yt-dlp, it will then enable any Python program to access the network. Instead, select “From: command line” when building rules for such applications. This should IMO be made the default behavior when launching such things.

Since dipping my toes in with OpenSnitch, it has caught a few blind spots in my buildout. For example, despite de-crappifying Firefox with a user.js template, one may find connections still being opened to firefox.settings.services.mozilla.com. Or Gnome calculator connecting to \www.imf.org! Another reason to prefer simpler programs like GNU bc. Or linear video editors that phone home for update checks. Now such leaks can conveniently be discovered and plugged.

Another caveat to look out for is with federated ActivityPub sites in combination with OpenSnitch and uBlock Origin. Due to the distributed nature of federation, when uBlock Origin has “Uncloak canonical names” enabled, a DNS lookup for every domain called by a page will be made. This iniates an OpenSnitch dialogue popup for each, regardless of whether that domain had already been blocked by another extension or whether or not you had opened any links to said third party domains.

One way to work around this is to temporarily disable “Uncloak canonical names” when using a federated site. It is lazy and opens some opportunity for adtech tagging, but avoids being endlessly bombarded with intercept notifications. This is no failing of OpenSnitch, rather it is a sign that OpenSnitch is doing exactly what it advertises on the packaging. The issue stems from uBlock Origin’s lack of contextual awareness as to whether a domain is being blocked by anything other than itself. This same blindness has caused leaks and conflicts before.

OpenSnitch is more highly interactive or “needy” by way of it being realtime. Browser addons, in comparison, cleanly know when a page load occurs and control for it. Network requests are more spontaneous and can originate from a multitude of sources. It is best when going into OpenSnitch to already know your system and which services, daemons and common programs require network connectivity. It can be overly needy when first configured, but once beyond the initial training period becomes a godsend for maintaining silent running on the network. Every request leaving your computer (well, not ICMP/IGMP, more on that later) is fully permissioned with least level privilege default deny sanity.

A more in depth configuration and usage guide will be made up for the ‘hardening’ family of articles. All info subject to change as both OpenSnitch and my own config findings develop.

Hardened Antivirus

Wed, 20 Mar 2024 13:19:48 -0400

Currently only one substantially complete antivirus kit casts itself among FOSS, ClamAV. It actually consists of several different programs. Clamscan, an independent CLI scan utility; Freshclam, a database updater; Clamdscan, a multithreaded scanning daemon; and Clamonacc, a realtime on-access file checker that feeds items into Clamdscan. Most guides to be found online only really ever cover the first two.

Installing the clamav-daemon package will pull in the rest of clamav as dependencies.

apt install clamav-daemon

freshclam

The Debian package has freshclam service configured to check for updates hourly. It is probably a good idea to leave this as is, but if you would like to adjust update frequency, edit freshclam.conf:

chmod 644 /etc/clamav/freshclam.conf
sudoedit /etc/clamav/freshclam.conf

Adjust the line as desired:
Checks 24

The number represents one day divided by N. Return freshclam.conf to read-only.

chmod 444 /etc/clamav/freshclam.conf

And restart clamav-freshclam daemon.

systemctl restart clamav-freshclam

Different databases are available and formatted as db.$LOCALE_ABBREVIATION.clamav.net. The default abstracts this as db.local.clamav.net, however all the official databases I could find are all behind cloudflare. But that doesn’t mean we must be solely dependent on Cisco and their choice of cloudflare. Sanesecurity maintains lists of third party clamav databases.

Edit /etc/clamav/freshclam.conf and specify a few with DatabaseCustomURL that fit the scope of our filtering:

DatabaseCustomURL https://mirror.rollernet.us/sanesecurity/badmacro.ndb
DatabaseCustomURL https://mirror.rollernet.us/sanesecurity/blurl.ndb

Not only does this diversify our signature sources, but also improves the detection rate that some in the tech scene like to bludgeon ClamAV over in side-by-side AV comparisons.

You can check that custom databases and signatures are getting updated from freshclam.log:

grep -e sigs /var/log/clamav/freshclam.log

clamscan

Individual files and directories can be scanned manually with clamscan. The -i switch indicates to only report infected items and the -r switch instructs clamscan to iterate recursively through directories.

clamscan -ir /path/to/scan

The output prints a brief report indicating if any of the scanned files match known infected signatures from the database.

----------- SCAN SUMMARY -----------
Known viruses: 8694987
Engine version: 1.0.3
Scanned directories: 1
Scanned files: 5
Infected files: 0
Data scanned: 0.01 MB
Data read: 0.00 MB (ratio 2.00:1)
Time: 18.876 sec (0 m 18 s)
Start Date: 2024:03:20 13:47:32
End Date:   2024:03:20 13:47:50

Clamscan should be setup to run a daily system scan on most or all of your directories. First create a shell script:

sudoedit daily-scan.sh

And populate it with something like:

#!/bin/bash
clamscan -ir / \
--exclude=/home/user/Directory_that_I_trust \
--exclude=/usr \
--exclude=/var \
--exclude=/lib \
--exclude=/etc \
--exclude=/sbin \
--exclude=/bin \
--exclude=/lost+found \
--exclude=/media \
--exclude=/srv \
--exclude=/lib64 \
--exclude=/sys \
--exclude=/dev \
--exclude=/proc \
--exclude=/net \
--exclude=/mnt \
--log=/var/log/clamav/clamscan.log \
--move=/home/user/.quarantine

–exclude instructs clamscan to ignore a particular directory. This is necessary in the case of some system directories, and so that clamav does not end up inadvertently scanning itself and locking up. There are probably also user directories that you trust are very low risk which don’t warrant a pass from the active daily scan.

This will also send output logs to /var/log/clamav/clamscan.log. And any detected items will automatically be moved to a hidden “quarantine” directory.

Create the hidden quarantine, then set a cron job to run the script.

mkdir /home/user/.quarantine
crontab -e

Append:

15 12 * * * /path/to/daily-scan.sh

This will scan the entire system every day around noon.

clamdscan

Clamdscan is intended to tag team with Clamonacc, but can also be used to run scans manually. Being multithreaded, it is much faster than clamscan. But the default settings have clamdscan omit files larger than 5MB and relax other checks.

clamdscan --multiscan --fdpass /path/to/target

–fdpass is necessary, as of clamav v.0.103, in order for clamdscan to read files owned by other users besides user “clamav”. It might be possible to use this as your full system daily scan instead, but you would want to consider raising that file size limit up from 5MB in /etc/clamav/clamd.conf.

While clamdscan is performing a check, its progress can be monitored through clamdtop. clamdtop opens a textmode viewer that shows all active scan queues along with available threads and memory.

clamonacc

The component that only very few online guides desire to cover. And even those feel inexhaustive. I’m not sure if it’s just poorly documented or just laziness from tech journalists. clamonacc is not automatically configured, at least not in Debian packaging, and needs to be setup manually. However, it is the way to utilize clamav to its fullest potential to protect your system.

Edit /etc/clamd.conf and add options for on-access scanning. Select directories known for handling foreign files from over the network. Here are some general suggestions for a system running Firefox browser:

OnAccessIncludePath /home/user/Downloads
OnAccessIncludePath /home/user/.mozilla/firefox/$YOUR_PROFILE_STRING.default-esr
OnAccessIncludePath /home/user/.cache
OnAccessIncludePath /var/tmp
OnAccessIncludePath /dev/shm
OnAccessPrevention yes
OnAccessExcludeUname clamav

Debian uses clamav user to run clamdscan, so we exclude that username. OnAccessPrevention withholds file access from the system until it has been cleared as safe by clamdscan. Restart clamav-daemon to apply these new settings:

systemctl restart clamav-daemon

Next, we want to create a systemd unit file for running clamonacc.

sudoedit /etc/systemd/system/clamonacc.service

Populate it with:

[Unit]
Description=ClamAV On Access Scanner
Requires=clamd@service
After=clamav-daemon.service syslog.target network-online.target

[Service]
Type=simple
User=root
ExecStart=/usr/sbin/clamonacc -F --fdpass --log=/var/log/clamav/clamonacc.log --move=/home/user/.quarantine
Restart=on-failure
RestartSec=7s

[Install]
WantedBy=multi-user.target

The official documentation wants us to use “Requires=clamav-daemon @service” but since the Debian package does things its own way, we substitute “clamd@service”. Enable and start the new service:

systemctl daemon-reload
systemctl enable clamonacc.service
systemctl start clamonacc

We can check that it is working by dropping a test file into one of the protected directories, and then trying to access it.

cd /path/to/eicar.com.txt /home/user/Downloads/
cat /home/user/Downloads/eicar.com.txt

If it’s working, it should either immediately get moved to ~/.quarantine or you should get a warning “cat: Downloads/eicar.com.txt: Operation not permitted” before it then moves to ~/.quarantine.

On most computers, clamonacc should be pretty quick to scan and detect anything. You may notice a bit of a slowdown in some instances. For example, if one chooses to monitor the entire .mozilla directory, the right click menu in Firefox may take a few hundred milliseconds longer to open. Latency like this will probably be more pronounced on older computers but the tradeoff should be worth it to implement “exception deny” behavior around incoming files.

Last, clamonacc can generate huge log files. Configure logrotate to compress and remove old clamonacc logs. Create /etc/logrotate.d/clamav-clamonacc

/var/log/clamav/clamonacc.log {
     rotate 6
     weekly
     compress
     delaycompress
     missingok
}

And restart the logrotate service. Enjoy realtime antivirus.

Recovering From Bad Flashes

Thu, 07 Mar 2024 00:19:27 -0500

Whether you’re working with free or closed equipment, the underlying firmware can be a fragile beast. And neither are immune to the damages of human error. I’ll admit to putting my best foot forward on this site so I’m overdue to share some blunders which might serve as instructional material. Over the last couple weeks I had bricked some equipment in a bout of overconfidence. Some desktops and some routers each stricken down.

Brick #1

While repurposing a media center desktop for a good friend to use in their new home theater, I figured I’d take the opportunity with it all disassembled to reflash the latest firmware from the vendor. And, crucially, without reading the errata. Had I done so, I would have clearly seen their cautions:

*This BIOS doesn’t support Bristol Ridge CPU, do NOT update this BIOS if Bristol Ridge CPU is being used.

After the board went down to reboot, it returned with absolutely no video output. For a typical user, the only way out of this situation would have been to acquire a newer generation APU. But turning this thing around on the cheap precludes dropping money on a new processor (which would also enrich the backdoored x86 ecosystem). What to do?

Bring out the old SPI programmer! First things first, we want to locate the BIOS chip and get it hooked up. The board had a few likely candidates so we’d want to reference the layout. *Do I want this to be a BIOS flashing guide? Hell, the Coreboot guide can go in its own article!

Normally, a BIOS chip would either be socketed or soldered in place. But with this particular X370 board, the vendor decided on a “socketed” Winbound chip of a style which should normally be soldered into place. It has it’s own enclosure that opens like box lids (seen right of the PCIe slot), revealing the loosely sitting chip.

The clamp will need to be used for this unusual configuration, even though the chip is removable. If you haven’t used a SPI programmer before, look closely at the BIOS chip. There is typically a small circle in one corner indicating where to align the Pin 1 cable (red on mine).

With the programmer connected on a working host that has flashrom installed, we can issue a read command to backup the existing BIOS just in case the recovery attempt ends up making this worse somehow. flashrom generally needs to be run with root privileges.

flashrom -p ch341a_spi -r Firmware-Backups/x370-itx-backup.bin

Review the vendor’s support pages to identify and acquire the BIOS which actually supports the installed hardware. Extract it into a working directory.

wget --https-only https://download.asrock.com/BIOS/AM4/X370%20Gaming-ITXac(5.70)ROM.zip
unzip X370\ Gaming-ITXac\(5.70\)ROM.zip -d Working-Directory/

Issue a write of the firmware file to the chip.

flashrom -p ch341a_spi -w Working-Directory/X370GIA5.70

Output:

flashrom unknown on Linux 6.1.0-18-powerpc64le (ppc64le)
flashrom is free software get the sourcecode at https://flashrom.org

Using clock_gettime for delay loops (clk_id: 1, resolution: 1ns).
Found Winbound flash chip "W25Q128.W" (16384 kB, SPI) on ch341a_spi.
Reading old flash chip contents... done.
Erasing and writing flash chip... Erase/write done.
Verifying flash... VERIFIED.

Disconnect the SPI programmer and place the BIOS chip back into its socket. Then connect a power supply. The board can be powered on by shorting the PWR and GND pins on the system panel header. We find that all is now working again.

Granted the board is encumbered with a UEFI BIOS as there is no Coreboot port for it, and likely never will be. But at least the firmware is patched as far as it can be taken on the vendor’s disagreeable BIOS, including a fix for the F11 boot menu.

Brick #2

I had absentmindedly flashed one of my routers with the wrong OpenWRT image. The Netgear WNDR3400 retailed in three different revisions, v1, v2 and v3. They all look nearly identical except for the coloration of their illuminated domes. The internals of each revision are actually quite different. It was only a matter of time before my disorganization invited a WDNR3400v1 or WNDR3400v3 OpenWRT firmware to be flashed to my v2 model, thus bricking it. After it restarted it wouldn’t respond to any amount of network probing.

Backing up the current failed firmware was mostly smooth sailing. The specific model flash chip first needed to be passed with -c.

Using clock_gettime for delay loops (clk_id: 1, resolution: 1ns).
Found Macronix flash chip "MX25L6405" (8192 kB, SPI) on ch341a_spi.
Found Macronix flash chip "MX25L6405D" (8192 kB, SPI) on ch341a_spi.
Found Macronix flash chip "MX25L6406E/MX25L6408E" (8192 kB, SPI) on ch341a_spi.
Found Macronix flash chip "MX25L6436E/MX25L6445E/MX25L6465E/MX25L6473E/MX25L6473F" (8192 kB, SPI) on ch341a_spi.
Multiple flash chip definitions match the detected chip(s): "MX25L6405", "MX25L6405D", "MX25L6406E/MX25L6408E", "MX25L6436E/MX25L6445E/MX25L6465E/MX25L6473E/MX25L6473F"
Please specify which chip definition to use with the -c <chipname> option.

The model print is barely legible on the tiny flash chip.

flashrom --programmer ch341a_spi -c MX25L6406E/MX25L6408E -r Downloads/bricked-wndr3400v2--backup.bin
flashrom unknown on Linux 6.1.0-18-powerpc64le (ppc64le)
flashrom is free software, get the source code at https://flashrom.org

Using clock_gettime for delay loops (clk_id: 1, resolution: 1ns).
Found Macronix flash chip "MX25L6406E/MX25L6408E" (8192 kB, SPI) on ch341a_spi.
===
Reading flash... done.

I thought it would be a simple rescue with the programmer. But flashrom has an aversion to writing images that are a smaller size than the target flash chip capacity. And I didn’t want to force it since I couldn’t find any data on how flashrom pads space or whether it writes it to the beginning or the end of the ROM sector.

flashrom --programmer ch341a_spi -c MX25L6406E/MX25L6408E -w Downloads/openwrt-23.05.2-bcm47xx-mips74k-netgear_wndr3400-v2-squashfs.chk
...
===
Error: Image size (6230074 B) doesn't match the expected size (8388608 B)!

It didn’t take well to my manually padding the firmware image with truncate either for some reason. So I was sent looking for other solutions which led me to nmrpflash, a brilliant and minimal tool specifically for recovering from faulty Netgear firmware flashes.

Apparently, Netgear devices have their own “NetGear Management Remote Protocol”, or NMRP, which allows thier routers to automatically retrieve firmware images over TFTP, even in a failed state. Since the officially recommended installation method for OpenWRT on the 3400v2 is via the vendor’s original firmware, I determined to grab a copy for nmrpflash to supply. The host running nmrpflash needs to be connected to the router on its LAN1 port.

With the router powered on and connected, confirm that the ethernet interface is listed. (0.0.0.0 is valid here, and what I used to successfully recover the router):

nmrpflash -L

Then power off the router and start nmrpflash, passing the firmware file on that interface.

nmrpflash -i enP4p1s0f1 -f Netgear-Firmware/WNDR3400v2-V1.0.0.54_1.0.82.chk

Finally, power the router back on and wait.

The nmrpflash version in Debian’s repositories was unable to communicate with my WNDR3400v2. It would time out after a minute with “Timeout while waiting for TFTP_UL_REG”. So I begrudgingly built the newer v0.9.22 from source, which worked without any fuss.

Waiting for Ethernet connection (Ctrl-C to skip).
Advertising NMRP server on enP4p1s0f1 ... /
Received configuration request from XX:XX:XX:XX:XX:XX.
Sending configuration: 10.164.183.253/24.
Received upload request without filename.
Uploading WNDR3400v2-V1.0.0.54_1.0.82.chk ... OK (6713402 b)
Waiting for remote to respond.
Received keep-alive request (6).
Remote finished. Closing connection.
Reboot your device now.

Power cycle the router and a moment later it’s back up and usable. Now that looks much better!

Just get it back into its housing, rerun the OpenWRT flashing procedure and reapply the settings in LuCI web interface. jclehner’s tool leveraging NMRP was very helpful, but what does this mean from a security perspective?

There is an interface silently listening for ADVERTISE NMRP packets every time you power on a Netgear router even when the board firmware has been corrupted. As far as I can tell, TFTP uses no cryptography to secure file transfers and includes no login or access control mechanisms. In my time using it, the ethernet cable needed to be inserted specifically on LAN1 (next to the WAN port on most Netgear equipment) but this is no precaution I would seriously rely on.

The whole scheme just reeks of a liability on which to be running a public internet facing network. Maybe we need to start disconnecting such routers at the physical layer when applying firmware updates. It serves to illustrate how just because you’re running some replacement libre firmware doesn’t automatically put you in the clear.

Brick #3

One of my Coreboot systems received a bad build and, where I’d been relying on the internal programmer option from flashrom directly on that host, has no path to recover without hooking this one up as well to the external flasher. To be frank, I still have yet to recover that system, and it makes more sense to include that process in a wider Coreboot writeup. For the sake of keeping this short and digestible, I’ll conclude with this general advice when doing anything involving firmware:

Double check file paths, command arguments, and image versions before committing to a firmware flash.
Don’t initiate a firmware write without both the host and target connected on an uninterruptible power supply.
Backup your firmware before reflashing anything, and consider keeping the backups for posterity.
Read the damned changelog!

The Normalization of Spyware

Sat, 24 Feb 2024 12:59:13 -0500

We shouldn’t refrain from admitting where we’ve lost ground or find ourselves on the losing side. It is something that may be obvious but is seldom formally voiced: spyware has been normalized. There was once a time where raising caution on the dangers of trusting centralization would yeild a degree of receptivity, or at least an understanding of the implicit consequences being raised. When the introduction of some new tracking method was once worth devoted attention from relatively mainstream publications.

Today, it is not uncommon to instead be met with an apathetic response. “Well, they’ll get my data anyway so we’ll just use XYZ.” Especially among those who have grown up submersed in surveillance capitalism. Apathy is also expressed in those who find themselves wanting out but feel so much has been profiled about them that any effort to recitfy this would be rendered futile. And those who do take initiative to reclaim digital privacy often face soft ostracization for not simply going along.

If you’re the one in a group to decline an event group photo being uploaded to Facebook, you’re harangued for being “difficult”. If a representative inquires for your email address, anything other than a @gmail.com domain will elicit “I’m sorry, what? Can you spell that please?” and other friction. Refusing to use an organization’s “app” gets reactions as though you’re a bum. Many of us have squarely lost territory in organizing anything digitally with relatives or friends. The least qualified individuals to be making technical decisions on behalf of a group are often the ones who end up doing so.

So surviellance capitalists and ad network psychopaths may not have succeeded in reeducating you, dear ninja hacker, they certainly have done so with the general population. They have won that battle. Having recognized this, we should respect this fact when building and implementing solutions. Are you targeting your solutions at other techies? Or at the general population? I’m beginning to think it cannot be both.

Hardened Web Blocker

Thu, 15 Feb 2024 22:37:13 -0500

Many web blocker addons take the approach of selectively blocking resources based on finite blacklists. Some have limited methods to allow manually selecting items to block, but generally they allow everything by default and only block elements which match some known bad origin. In some cases, these pushover content blockers will even receive compensation to allow elements of which they otherwise claim to block.

We can skip that entire rodeo by using a more robust, default-deny browser firewall like uMatrix. Its strength is in being able to block everything by default, and then allow or disallow each element on a page with granularity. uMatrix is even stronger than the renowned uBlock Origin, and that’s before hardening it’s default settings!

Install uMatrix and then open its control panel by clicking on its icon. From here, we’re going to configure it to block everything from all web pages except for images and the HTML file itself. The rationale for this being that much of what we do on the web involves reading text and viewing images, and these both present a very small attack surface compared to CSS, javascript and others.

Select the “*” in the upper left to switch to global scope. The cells in the grid below can be toggled allow (green) or block (red) by clicking either the upper or lower half of the cell. Toggle “all” to off. You may need to disable any green cells in the top most row and the leftmost column. It should look like this:

Also open the site wide elements dropdown (three dots) and make sure that the following are enabled:

Forbid web workers
Forbid mixed content
Spoof Referer header
Spoof <noscript> tags

Click on the lock icon to make these settings persistent. Now when you visit any site, you will see just how much garbage they try to load and how many of their marketing buddies they instruct your computer to report to.

Alternatively, this global ruleset can be configured textually through the My Rules tab in uMatrix’ settings. Delete everything under Permanent Rules and set the following:

https-strict: * true
https-strict: behind-the-scene false
noscript-spoof: * true
referrer-spoof: * true
referrer-spoof: behind-the-scene false
no-workers: * true
* * * block
* 1st-party image allow

Once configured, there will be certain pages that need additional elements to enable functional interactivity. For example, logging into a bulletin board forum will require cookies to be enabled. Advanced editor features will require javascript, unless you have memorized BB code tags. Toggle cells to allow resources and then click reload page (rotating arrows) until you get the functionality you need working. If you will frequently be using a site it may make sense to click the lock to save the working configuration.

But this really begins to shine when it comes to visitor-hostile sites. One might be pleasantly surprised to learn that without javascript or CSS, some paywalled articles are perfectly readable in plain HTML. And enjoy just how much faster and lighter everything is when 3rd party domains aren’t allowed to deliver their payloads.

Some general tips for running uMatrix:

When allowing javascript for a domain it is generally also necessary to allow XHR in that same domain scope.
Domains that show up as dark red are being blocked explicitly by uMatrix’s blocklists. Even if you enable the entire column for a resource, resources from that domain will continue to be blocked unless you specifically allow them.
Some highly interactive sites require web workers so don’t forget that is hidden away in the three dots dropdown.
Allowing CSS on a page will usually “unbreak” much of the layout and some interactive functions.
If you are struggling to enable some functionality on a website open the logger (top right icon). It will show explicitly every resource, with full name and info, that is being blocked or allowed.

Once its use becomes second nature, returning to the web without uMatrix might feel a bit like trying to drive a nail with a rubber chicken.

Deadending x86

Tue, 13 Feb 2024 10:57:28 -0500

As OSes begin to entertain dropping “x86_64-v1” support in builds[1][2][3], the clampdown accelerates on generative computing. You vill submit to Intel ME and AMD PSP and you vill be happy!

You might be forgiven if you had thought that the constant addition of new extensions was just engineering teams implementing more efficient instruction paths, and this may even be true some of the time, but it is ultimately due to the finite life of patents being fixed at twenty years. Intel undeniably has self interest in moat building by leveraging their cross licensing for these under-twenty year terms. A problem for the CPU industry is that CPUs really don’t deteriorate (perceptibly) and so if not for the cajoling of users to adopt an endlessly growing list of new critical features, most could otherwise happily sit pretty on their CPUs as they age, even well beyond that twenty year patent life (oh, the horror!).

And so to keep their patenting and associated licensing arrangements alive, it is imperative for Intel (and AMD) to continually devise new extensions, whether or not there is actually a technical need for them. Something to ensure that twenty years down the line, a would-be competitor couldn’t just pick up the ISA spec and begin producing their own x86 feature-parity chipsets. But this alone hasn’t been enough carrot-and-stick to compel sufficient turnover in sales. Intel and AMD got together with major Linux distributions in 2020 to devise baseline feature sets defining extension collections that can be used for chronological product segmentation. The segmentation is as follows:

x86_64-v1 – (Almost all 64-bit Intel and AMD)

CMOV
CX8
FPU
FXSR
MMX
OSFXSR
SCE
SSE
SSE2

x86-64-v2 – (Since 2011, Sandybridge, Bulldozer)

CMPXCHG16B & cmpxchg16b
LAHF-SAHF
POPCNT
SSE3
SSE4_1
SSE4_2
SSSE3

x86-64-v3 – (Since 2015, Haswel, Excavator)

AVX
AVX2
BMI1
BMI2
F16C
FMA
LZCNT
MOVBE
OSXSAVE

x86-64-v4 – (From 2017 onward)

AVX512F
AVX512BW
AVX512CD
AVX512DQ
AVX512VL

And you can bet there will be v5, v6 and beyond just as with the endless profit-booster shots. After drafting this article Intel’s new AVX10 had made itself known to me. Am I Nostradamus?

x86 can today be considered an incredibly mature ISA and nothing substantial has really changed since the switch from 32-bit to 64-bit addressable architectures. The individual additions of things like AVX have been only iterative, not yielding the kind of game-changing leaps of yesteryear such as the jump from single core to multicore processors. From a purely design perspective, it might make more sense for development effort to be spent instead on improving what is already there with additional die space afforded by new lithography. Torvalds himself has railed on the endless barrage of new extensions.

I hope AVX-512 dies a painful death, and that Intel starts fixing real problems instead of trying to create magic instructions to then create benchmarks that they can look good on. I hope Intel gets back to basics: gets their process working again, and concentrate more on regular code that isn’t HPC or some other pointless special case.

And he isn’t alone. Others have raised concern over how unsustainable these market segmented feature sets are becoming.

From a maintenance point of view, it is unreasonable to ask every package manager to compile different versions of projects for different versions of ISAs, to tune for differently platforms, and somehow manage to always build and ship them. Now you’re going to add all of that on top of keeping up with the existing burdens of package management?

I’m not necessarily against specialized instructions that increase the efficiency of certain operations. What makes this an alarming development is that they are being inseperably tied to other “features” that one ought not tolerate. Like with cable television channels, it is not possible to pick and choose CPU features a la carte, instead one is at the mercy of the corporate bundle. If one must utilize x86_64-v3 builds of distributions, it is not possible to arrange without also encumbering one’s device with the restrictive Mangement Engine or PSP.

So now we have Intel and AMD reaching their feet over to the gas pedal to apply a little more throttle down the highway to dystopia in the way of force-obsoleting perfectly functional microarchitecture generations. They always start with enterprise “its just sensible for corporate deployments” but remember that Intel vPro with ME were also just for enterprise purposes at first. They will eventually extinguish the lingering systems which afford owner-operators just a little bit too much freedom.

And that is why I call it the deadending of x86. Those who value autonomy in their computing are afforded no path to modern, performant x86 hardware. Freedom-supporting x86 is a road that leads to a terminated end. No turnaround, one way only. This is also why I assert that the only long term winning move is to abandon x86 in its entirety. Those old Librebooted thinkpads and server boards that the FSF likes to champion are eventually going to fall out of the scope of build targets. At first only in compile selections, and then later in bit rot and technical debt. One might consider exiting now while the cost of migration remains relatively low.

System-Wide Domain Blacklisting

Mon, 05 Feb 2024 21:30:17 -0500

Many of the same block lists used by ad blocker extensions can also be used globally by your hosts file to redirect all requests to that domain to a non-routable address. You may sometimes see this referred to as “blackholing” DNS. If a program initiates any lookups for cookielaw.org, and cookielaw.org is on this hosts file, it should be redirected to 0.0.0.0 which instantly fails out as unresolvable preventing the program from connecting to the actual destination.

The concept of blackholing has been popularized among newbie privacy communities by the likes of “pi-hole”. But I think that pi-hole misses the mark. First of all, we don’t want to rely on a system outside of the host, not just because that introduces yet another device which needs to be rigorously secured but also because you may decide to take your computer with you to connect to another network somewhere else. Especially if it is a laptop. Or what of hopping on to a system-wide VPN connection? Additionally, our tor-wrapped DNS solution detailed in Hardened DNS will evade any such device sitting on the LAN attempting to mediate DNS.

While blackholing can simply be accomplished by manually adding a domain list into hosts, I have substantially transformed a script to automate the process and to allow several different lists to be seamlessly combined. Create a cron or anacron job for the script to run:

sudoedit /etc/cron.daily/hosts-block

And populate it with the following:

#!/bin/bash

#Automated script for maintaining a malware blocking hosts file
#Originally created by user SteveRiley https://www.kubuntuforums.net/showthread.php/56419-Script-to-automate-building-an-adblocking-hosts-file?s=e56f4375b9ded5ca30e26346a06d71f3
#Adapted and extended to only accept lists over https, add working directory, automatically apply to hosts, add configurable list categories, generalize beyond just ad blocking, add support for lists already pointing to 0.0.0.0, and prevent overwriting hosts with empty list (such as network issue)

if [ "$(whoami)" != "root" ]; then
    echo "Aborting: Must be run as root or via sudo."
    exit 1
fi

# If this is our first run, save a copy of the system's original hosts file and set to read-only for safety
if [ ! -f /var/local/hosts-blocking/hosts-system ]; then
	echo "Saving copy of system's original hosts file..."
	mkdir /var/local/hosts-blocking
	cp /etc/hosts /var/local/hosts-blocking/hosts-system
	chmod 444 /var/local/hosts-blocking/hosts-system
fi

# Perform work in temporary files
temphosts1=$(mktemp)
temphosts2=$(mktemp)

# Configurable blocklist files sources
block_lists=(\
#Block advertisements
"https://pgl.yoyo.org/adservers/serverlist.php?hostformat=hosts&showintro=0&mimetype=plaintext" \
"https://adaway.org/hosts.txt" \
"https://hostsfile.mine.nu/hosts0.txt" \
"https://raw.githubusercontent.com/jdlingyu/ad-wars/master/hosts" \

#Block malware
"https://www.malwaredomainlist.com/hostslist/hosts.txt" \
"https://raw.githubusercontent.com/FadeMind/hosts.extras/master/add.Risk/hosts" \

#Block crypto miners
"https://raw.githubusercontent.com/hoshsadiq/adblock-nocoin-list/master/hosts.txt" \
"https://raw.githubusercontent.com/anudeepND/blacklist/master/CoinMiner.txt" \
"https://zerodot1.gitlab.io/CoinBlockerLists/hosts" \
"https://zerodot1.gitlab.io/CoinBlockerLists/hosts_browser" \

#Block spam
"https://raw.githubusercontent.com/FadeMind/hosts.extras/master/add.Spam/hosts" \

#Block trackers
"https://hostfiles.frogeye.fr/multiparty-trackers-hosts.txt" \
"https://hostfiles.frogeye.fr/firstparty-trackers-hosts.txt" \

#Block clickjackers & bad referers
"https://raw.githubusercontent.com/mitchellkrogza/Badd-Boyz-Hosts/master/hosts" \

#Block Facebook
"https://raw.githubusercontent.com/jmdugan/blocklists/master/corporations/facebook/all" \

#Block Google
#"https://raw.githubusercontent.com/jmdugan/blocklists/master/corporations/google/non_localized" \
#"https://raw.githubusercontent.com/jmdugan/blocklists/master/corporations/google/localized" \

#Block Huawei
"https://raw.githubusercontent.com/PikaMikaTuu/huawei-block-list/master/huawei-block-host.txt" \

#Block NSA known domains
"https://pastebin.com/raw/tNBM1j19" \
#STATIC BACKUP OF LAST KNOWN LIST BEFORE CHEF-KOCH TAKE DOWN

#Monotlithic lists to block spyware, ads, scams, spams, shock sites, popups, trackers, etc.
#"https://someonewhocares.org/hosts/zero/hosts" \
)

# Obtain various hosts files and merge into one
echo "Downloading blocklist files..."
successful_lists=0
for list in "${block_lists[@]}"; do
	torsocks wget --https-only --no-cookies -nv -O - "$list" >> $temphosts1
	if [ $? == "0" ]; then
		((++successful_lists))
	fi
done

#Test if temposts1 is empty
if [ -s "$temphosts1" ]; then	
	# Do some work on the file:
	# 1. Remove MS-DOS carriage returns
	# 2. Replace 0.0.0.0 with 127.0.0.1 to handle lists that already point to 0.0.0.0
	# 3. Delete all lines that don't begin with 127.0.0.1
	# 4. Delete any lines containing the word localhost because we'll obtain that from the original hosts file
	# 5. Replace 127.0.0.1 with 0.0.0.0 because then we don't have to wait for the resolver to fail
	# 6. Scrunch extraneous spaces separating address from name into a single tab
	# 7. Delete any comments on lines
	# 8. Clean up leftover trailing blanks
	# Pass all this through sort with the unique flag to remove duplicates and save the result
	echo "Parsing, cleaning, de-duplicating, sorting..."
	sed -e 's/\r//' -e 's/0.0.0.0/127.0.0.1/' -e '/^127.0.0.1/!d' -e '/localhost/d' -e 's/127.0.0.1/0.0.0.0/' -e 's/ \+/\t/' -e 's/#.*$//' -e 's/[ \t]*$//' < $temphosts1 | sort -u > $temphosts2

	# Combine system hosts with blocks
	echo Merging with original system hosts...
	echo -e "\n# General malware blocking hosts generated from $successful_lists out of ${#block_lists[@]} lists on "$(date) | cat /var/local/hosts-blocking/hosts-system - $temphosts2 > /var/local/hosts-blocking/hosts-block

	# Apply final blocklist to system hosts file
	cp /var/local/hosts-blocking/hosts-block /etc/hosts

	# Clean up temp files and remind user to copy new file
	echo "Cleaning up..."
	rm $temphosts1 $temphosts2
	echo "Done."
	echo
	echo "Manually copy malware blocking hosts file with this command:"
	echo " sudo cp /var/local/hosts-blocking/hosts-block /etc/hosts"
	echo
	echo "You can always restore your original hosts file with this command:"
	echo " sudo cp /var/local/hosts-blocking/hosts-system /etc/hosts"
	echo "so don't delete that file! (It's saved read-only for your protection.)"
	echo
	exit 0
else
	# Prevent existing blocklists from being overwritten with empty list
	echo "Aborting: No blocklist content has been retrieved into the working file."
	exit 1
fi

The Configurable blocklist sources section can be adjusted to include lists which have been commented out. Simply remove the leading “#”. You may want to do this if you don’t plan on connecting to any Google services, for example. Also you may find inspiration in adding lists from uBlock, uMatrix or other addons. Just make sure that the list uses IPv4 addresses.

If you want it to be applied immediately instead of waiting for the daily update job to run, just directly run the script with root privileges:

sudo /etc/cron.daily/hosts-block

All of the lists will be updated daily over Tor. You can check the status of your hosts file by running:

grep -e General /etc/hosts

It should reveal whether any lists were skipped which may indicate that a link is broken. For example;

# General malware blocking hosts generated from 16 out of 17
lists on Sat 26 Feb 2022 12:49:16 AM EST

Like with earlier customizations, make sure that Firefox is set to respect your system domain resolution instead of Mozilla’s disgraceful cloudflare honeypot. Now if your adblockers fail for whatever reason, most malicious domains should still be blocked through this defense-in-depth strategy.

Debian Quality of Life Tips and Tricks

Mon, 22 Jan 2024 21:30:17 -0500

There are a number of quality of life tricks for Debian that I wish I’d known when I was first learning the ropes. Mostly package management things. But they’re not expressly stated in the kinds of places that a first timer is likely going to see them. Some are dead stupid, but the ‘wrong way’ is still perpetuated to this day by techtubers who pump out video after video without double checking things beyond surface level. Such is the case with apt commands. It is apt, not apt-get. They only keep apt-get around to maintain backward compatibility of shell scripting.

Much I had to discover through trial-and-error or by crawling through forum threads or man pages. Without further ado:

Easy apt sources

Apt has a builtin for editing the sources file, instead of manually calling a text editor to the sources.list file path.

apt edit-sources

How to keep a lean system

Keeping a lightweight install, especially when adding the first packages on a newly provisioned system.

Debian maintains metapackages for desktop environments which contain only the essential components. They’re fairly consistently named $DESKTOP_ENVIRONMENT-core. Install these, instead of the desktop environments presented in tasksel if you would like to avoid the cruft of having pointless games, “essential” office software and other bloat dumped into your install. For example:

apt install cinnamon-core

Extra bonus if you’re using Gnome, for which there is an even more miminalistic metapackage.

apt install gnome-session

To further minimize unneeded cruft when installing large software packages, apt can be specified to ignore additional packages recommended by the maintainer. Sometimes they like to mark things as Recommends when they really belong in Suggests.

apt install --no-install-recommends packagename

It is much easier to add additional packages and dependencies as you find them necessary, rather than to try to remove unwanted things after the fact and risk running up against dependency hell. But if you do find yourself removing things, purge them instead of removing them.

apt purge packagename

This will also rid the system of residual configuration files for that program (except for those in the /home directory).

Backports and their importance in a stable system

Add the backports repository to your apt sources.

deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian/ bookworm-backports main

What, you’re not stuffing package management through tor? Well you should.

For the sake of compatibility, some programs need to track upstream releases beyond the frozen stable version. Notably yt-dlp, for example. Apt can query the presence of a package from the backports repository via:

apt search -t stable-backports packagename

Substituting the release name for stable, of course. Installing the package with this same switch will ensure that it follows the backports releases.

apt install -t stable-backports packagename

Safe update automation

While unattended-upgrades is great and all, I am more partial to apt-config-auto-update as I have programs I like to check source changes before applying upgrades that can potentially break my boot process. Yes, even the packager maintainers are fallible beings who sometimes make mistakes. This will automatically check for and download upgrades, but leaves the obligation to install upgrades in the hands of the operator.

And before applying any upgrades, it is always good to have resources that one can cross reference before committing to any upgrade.

The official Debian security RSS feed
The Debian Package Tracker, which I link to extensively, useful for versioning changes
Debian Sources for viewing config and source code without having to pull anything down from deb-src

Additionally, when we rely on human presence to apply upgrades, it’s never a bad idea to have notifications. My own in-house solution already has a way of notifying me but there is package-update-indicator available for those who wish to have a visual reminder.

When something is broken, and you wish to temporarily avoid upgrading it, it is very simple to pass:

apt install --only-upgrade packagename1 packagename2

Leaving out the package(s) you wish to leave as-is. Longer term holds should probably go through apt-mark:

apt-mark hold brokenpackage

And unhold it later once things are in the clear. I’ve saved myself a few headaches on servers this way wherein I wasn’t quite ready to deploy some of my own shoddily written scripts still relying on APIs from previous versions.

Cleaning up one’s system

I’ve done it, and you probably have too, having installed several development libraries and other dependencies to compile a program that wasn’t in the Debian repositories (or available for one’s CPU architecture!). And long after you’re done building the program, there are now dozens of libsomething-dev cluttering your install. Which ones to remove? Good luck, I hope you wrote each one down!

…Or we can rely on trusty apt-cache and other tools.

Find out what a given package requires before you install it:

apt-cache depends packagename

Or check the dependencies that an already installed package had pulled in.

apt-cache rdepends --installed packagename

If you’ve really created a mess for yourself, there is the handy deborphan tool for finding packages that are no longer needed. No special switches needed.

deborphan

This will catch things that simply aren’t tracked by apt autoremove. Speaking of apt autoremove, we want to always purge packages, as earlier.

apt autoremove --purge

or simply

apt autopurge

Recent releases of Debian seem to have apt take care of old installed Linux kernels automatically. But this hasn’t always been the case (or maybe it was just the way I’d previously configured my system). The /boot partition is only allocated several hundred meegabytes by default and can fill up fast if one allows too many kernel versions to be installed. Check the current running version:

uname -r

We don’t want to go removing the same kernel that the current session has booted on! List all of the currently installed kernels.

dpkg -l | grep linux-image

Apt can be supplied several items to add or remove in batch.

apt purge linux-image-x.x.x-xx-architecture linux-image-x.x.x-xx-architecture

And of course during the addition or removal of any software, we want to make sure that running processes are all using the most current versions. Debian’s needrestart is indespensible and is a crime it’s not included by default (it’s not, right?). needrestart is pretty hands-free as it will automatically run at the end of any apt install/purge/remove to highlight processes that need to be restarted to run with newly installed libraries and dependencies.

Upgrading, the right way

While it is possible to simply adjust one’s source file to point to a new release and then run apt full-upgrade, this is admittedly a bit dangerous and could misplace things when going through such massive change. The officially ordained upgrade process is pretty well documented in the Debian release notes for any release version. I’ll summerize it here.

Make sure we’re up to latest point release. (sudo supplied where needed. What, I haven’t been doing that?)

sudo apt update

Check Debian packages for any possible conflicts.

dpkg --audit

List possible packages originating from outside of Debian repositories and purge them if necessary.

apt list '?narrow(?installed, ?not(?origin(Debian)))'

Clear packages no longer needed.

sudo apt autoremove --purge

Clear the apt cache of previously and partially downloaded packages.

sudo apt clean

Look through old configuration files and remove if necessary.

find /etc -name '*.dpkg-*' -o -name '*.ucf-*' -o -name '*.merge-error'

Do you have enough free space?

df -ah

Change sources to the new release.

sudo apt edit-sources

Disable *-backports repository until after the upgrade and remove proposed-updates section if it is present to reduce the likelihood of conflicts. Disable apt-pinning from /etc/apt/preferences, /etc/apt/preferences.d/

apt-mark showhold

Pull in changes from sources file.

sudo apt update

In some cases, doing the full upgrade (as described below) directly might remove large numbers of packages that you will want to keep. We therefore recommend a two-part upgrade process: first a minimal upgrade to overcome these conflicts, then a full upgrade.

sudo apt upgrade --without-new-pkgs

Then continue with the main part of the upgrade.

sudo apt full-upgrade

During the upgrade, you will be prompted about differences between the configuration files being installed versus old configs you may have modified. Prefer keeping existing configuration files, and note them down to merge changes later.

Reboot to finish restarting all services

sudo reboot

Finish adjusting apt sources file to re-add the backports repository, if it was previously selected.

sudo apt edit-sources
sudo apt update

List obsolete packages, and optionally purge them.

apt list '~o'
sudo apt purge '~o"

Careful with this! Consider manually removing one package at a time if you’re not sure. Then remove leftover packages that aren’t explicitly declared obsolete from above.

sudo apt autoremove --purge

Like we covered earlier in the Cleaning up one’s system section, check kernel versions, in case autoremove does not handle it.

uname -r
sudo apt purge linux-image-x.x.x-xx-arch

Admittedly a long and not very layuser friendly process, but certainly worth it for the precaution. Especially if you’re upgrading a Debian system remotely over SSH where breakage can potentially prevent you from reestablishing connection to the newly upgraded environment.

Monitoring for presense of non-free bits

Unfortunately very few of us can enjoy running a system totally free of blobs. I sit here typing this, painfully aware that my AMD graphics adapter requires such a binary. Either that or suffer using Aspeed framebuffer with wayland. Luckily, we can track what non-free parts get installed. Formerly vrms:

check-dfsg-status

Will list out the total installed packages originating from contrib, non-free and non-free-firmware repositories, as well as the overal percentage of your installed system that they comprise.
*Note that in its ideologically driven focus, this tool will mark things like fonts “non-free”, even though we as end users don’t really care what license is attached to it. I just want to minimize the execution of black box code. But that’s for another article.

Visually useful top readout

It’s always the corporate type tech bros from which I hear “Use htop bro! It’s so much better! It has usage bars!” The same archetype who use “Neofetch” to post hardware & system info instead of dmidecode or /proc/*info.

"OMG

Of course they’ve never read more than a line into the top manpage (if at all) because otherwise they would have found that this feature is in top. It’s just not enabled by default. Save yourself some bloat and just take advantage of what’s already in Debian.

Quick tip using the following hot keys with top running:
m - Toggle memory usage as bar/block graph
t - Toggle CPU usage as bar/block graph
4 - Display CPU usage as per-core
1 - Display CPU/memory usage bar/block graphs abreast
W - Save current configuration to toprc

Activated, in the above order:

Four cores with SMT4.

There exist additional settings for colors and such. Have a look for yourself.

There are so very many other niceties like using libreoffice-gnome to better visually integrate libreoffice with GTK but this has already drawn on far longer than I intended. Maybe these QoL tips merit their own individual coverage altogether.

Hardened Web Browser

Mon, 08 Jan 2024 21:21:42 -0500

While there remains no ideal browser, there are a few decent options. One that I would have recommended, if not for some glaring issues, would have been the recent Mullvad browser. Unfortunately, Mullvad committed to the following design choices;

Self-updating, foreign to distro repository
Pre-built binaries only supplied for x86 architecture (and if you’re going to compile, you might as well just compile upstream Firefox using Mullvad’s selected compile flags)
Pre-installed addons cannot easily be removed (one must manually delete unwanted extensions from the /extensions directory) as they seem eager to make choices for the user rather than recommendations

Until such flaws can be rectified or another browser beats them to the punch, this config guide will make use of Arkenfox’d Firefox ESR as its foundation. Firefox ESR is the most upstream to security and bug patches in the gecko family, while also insulating users from Mozilla’s “experiments” and silent feature changes, and also being highly configurable. Its default configuration is not entirely sane but will be mitigated via the Arkenfox user.js. Debian should have firefox-esr by default, other distributions may be necessary to explicitly select some firefox-esr package.

While some settings are exposed through the GUI settings menus, which can be used to harden privacy and security features, some critical settings can only be accessed through about:config. So many, in fact, that it can be exhausting to manually adjust each by hand. That is why we are going to deploy user.js scripts.

Arkenfox iterates over hundreds of various settings, vetted by community contributors, which reduce Firefox’s footprint and attack surface while disabling blatant malfeatures. Navigate to your Firefox profile which should look something like:

cd .mozilla/firefox/14a58bc9.default-esr

And download the prefsCleaner.sh and updater.sh scripts into place (consider torsocks‘ifying since github==microsoft):

torsocks wget --https-only https://raw.githubusercontent.com/arkenfox/user.js/master/updater.sh https://raw.githubusercontent.com/arkenfox/user.js/master/prefsCleaner.sh

There are certain settings Arkenfox enables that you may want to leave disabled. Likewise, there are probably settings that are personal preference which you may not want changed by Arkenfox. Create a user-overrides.js file in the same directory.

vi user-overrides.js

The settings format in user-overrides.js follows: user_pref(“some.setting”, boolean/integer);

Here are just a few that you may want to consider adding if you plan to implement customizations from the DNS and metasearch guides:

user_pref("browser.startup.homepage", "http://localhost:8888/");  
user_pref("browser.startup.page", 1);  
user_pref("keyword.enabled", true);  
user_pref("browser.send_pings", false);  
user_pref("network.proxy.socks_remote_dns", false);  
user_pref("network.trr.mode", 5);  
user_pref("network.proxy.failover_direct", false);  
user_pref("browser.urlbar.suggest.engines", false);  
user_pref("browser.urlbar.suggest.topsites", false);

One should really read over the user.js comment notes to get a sense of what settings are being modified and to construct a desirable user-overrides.js. Each individual’s needs will vary slightly, which is the intent behind user overrides. For example, some optimal preferences can be gleaned from 12byte’s overrides.

Once you are happy with your user overrides, it is time to run the Arkenfox updater.sh. Close out any instances of Firefox that may be open. Use the “e” switch to instruct Arkenfox to run ESR preferences and the “d” switch to disable update checking since we just pulled the most recent version with wget above:

torsocks ./updater.sh -de

Run prefsCleaner after the first application of the new user.js. And always run prefsCleaner following major version number changes to the browser.

./prefsCleaner.sh

Now when you launch Firefox ESR, things may look a bit different. If there are borders around the window, this is just incremental padding to help mitigate canvas fingerprinting. There will probably be nuances in how Arkenfox’d Firefox ESR behaves that you will want to tweak through user overrides. Your browser now has a strong baseline resistance to stateful fingerprinting and tracking.

Arkenfox+Firefox ESR is no silver bullet on its own but can be formidable when combined with strong add-ons and system hardening which I will continue to detail in hardening guides.

Hardened DNS With Tor & Local Caching

Wed, 03 Jan 2024 16:50:35 -0500

The industry has been struggling with how to handle securing DNS, an original protocol designed without encryption in mind, which is responsible for informing your computer which IPs map to any domain name. This creates a problem in which any observer between you and the resolver can see all lookups your system makes. Additionally, you place complete trust in the resolver not to manipulate or misdirect domain name responses. Browsers have taken to sending DNS requests over HTTPS which solves only one aspect of DNS privacy but shifts trust over to new potential bad actors. Key things which need to be added to DNS to fix its security and privacy shortcomings include authenticity (DNSSEC), transport encryption (TLS, HTTPS, etc) and trustless resolution with recursion.

Unfortunately, not all three of these areas can be addressed by current solutions at the same time, so we will need to settle for picking two. Root name servers do not yet support encryption with their operators citing hesitancy to be first in adopting relatively immature solutions.

I have devised a DNS buildout which works around these limitations to provide robust, trustworthy, anonymized DNS resolution. In overview, it has two main routes to traverse for DNS lookups, both of which encrypt requests outbound from your computer.

We want to start by making sure Tor is installed, which should be the case if you already setup the metasearch solution earlier.

Now, assign a DNS port in your torrc. Append the following to /etc/torrc:

DNSPort 127.0.0.5:53

Then restart Tor:

systemctl restart tor

You should see that requests made out through 127.0.0.5 should now resolve. I recommend testing with the dig utility from the dnsutils package:

dig @127.0.0.5 www.google.com

If it works, the ANSWER SECTION should have a populated IP address. The Query Time will probably take 100 milliseconds or more.

Now install the dnsmasq caching DNS server through apt and edit the file at /etc/dnsmasq.conf to change the following sections:

listen-address 127.0.0.10 (INCOMING queries)

bind-interfaces      (Allow other installed resolvers to bind port 53, important for Stubby, detailed later)

server=127.0.0.5       (OUTGOING referrals)

cache-size=150
no-resolve
no-poll         (no-resolve & no-poll make dnsmasq ignore resolv.conf and use servers specified in dnsmasq.conf)

Append:

min-cache-ttl=1800  (Forces queries to remain cached for half hour. 3600 for full hour.)

Then restart dnsmasq

systemctl restart dnsmasq

You may need to restart the session if you receive errors about “port binding already in use”.

Now test this address with dig also:

dig @127.0.0.10 www.google.com

At first, it will take 100-300 milliseconds like before. But all subsequent tries for up to a half hour should result in 0 millisecond Query time! This is because dnsmasq is saving the result locally and preventing your computer from reaching out over the network again for the same information.
"UFO

Now, technically, you can use this alone and it would work okay. But the only issue is that in order to connect to a Tor circuit when starting up, you computer needs to first be able to resolve domain names in order to find a Tor node. A catch 22! So a backup is needed.

Install Stubby through apt and edit the file at /etc/stubby/stubby.yml to change 127.0.0.1 to 127.0.0.15:

listen_addresses:
  - 127.0.0.15

The reason for changing the address is that we do not want hosts entries which null route bad domains to actually resolve, which will be covered in an upcoming hosts blacklisting guide. Also make sure that GETDNS_AUTHENTICATION_REQUIRED is enabled, which it should be by default:

tls_authentication: GETDNS_AUTHENTICATION_REQUIRED

There are default resolvers setup through the getdnsapi project that support DNS over TLS. Others may be enabled but just make sure that they support TLS encryption. Then:

systemctl restart stubby

Also test the stubby daemon with dig to confirm it is working:

dig @127.0.0.15 www.example.com

Lastly, it is time to update dhclient to use these local servers. Edit /etc/dhcp/dhclient.conf to contain:

supersede domain-name-servers 127.0.0.10;
append domain-name-servers 127.0.0.15;

The section under send-hostname = gethostname(); can be reduced to:

request subnet-mask, broadcast-address, routers, interface-mtu;

Then reboot or restart dhclient:

dhclient -r
dhclient

Now all DNS requests should be sending through to Dnsmasq to Tor by default. If a query fails through this, it will go to Stubby. Additonal changes may be required depending on your destop environment and distro. For example, network manager should be edited so that it doesn’t overwrite your resolv.conf. /etc/NetworkManager/NetworkManager.conf should have:

[main]
dns=none

Also, Firefox should to be instructed to use system DNS rather than Mozilla’s implementation of DNS over HTTPS. Otherwise, cloudflare will continue getting a detailed log of all your web activity. As covered in Browser Hardening, the about:config setting for this is:

network.trr.mode = 5

Some minutia to be aware of:

Sometimes the Tor circuit you are on will be faulty or slow. Either wait ten minutes or manually switch to a new circuit to restore “fast” domain name resolution.
Certain applications rely on DNS round robin lookups, which always fail over to Stubby in this setup.
While DNSSEC can be implemented on Stubby, there is currently no way to use DNSSEC over Tor. I believe this has to do with UDP packet size, as Tor DNS does not use TCP.
Tor DNS still uses Google for some exit nodes, although this should not be a problem as they cannot see who the resolution is for or where it is coming from beyond Tor network.

This completes a strong, anonymous and sometimes just private DNS system. Things will likely change as root name servers begin to support encryption but this is the best I can think of for now. More to follow on domain name lookup solutions as things develop.

Hardened Metasearch

Mon, 01 Jan 2024 20:38:00 -0500

Update Q4 2024: The reliability of this method has raplidly deteriorated. Commercial search engines may have gotten wise to Tor proxied queries as formatted by SearX. I’ve tested without Tor proxying enabled and almost all engines I’ve tried still result in “Error! Engines cannot retrieve results”. YaCy may be the only currently “viable” privacy compatible search engine left.

All too many resources suggest using smaller privacy respecting search engines, such as Duckduckgo, to avoid Google’s search monopoly. While this mitigates the issue of tailored results and feeding big tech, it is only just a first step. With those alt search engines, one still places trust that they are not selling data, logging, or tracking in some other capacity. Consider that many of these “privacy respecting” alternatives have also been found snooping while others have been bought out by advertisers.

But what if you didn’t need to trust the engine responding to your queries on the other end? With the right tools, it is possible to build a trustless, distributed search portal!

We can probably assume anyone reading this will already have a trustworthy computer and web browser as well as some familiarity with terminal and configuring software. If not, there will be plenty more in hardening posts to come.

If you do not already have Tor installed, now is a good time to install it through apt. We will also need some other prerequisites. Searx is a metasearch engine which can hook into external engines to conduct queries. While there are public instances of Searx hosted around the web, we will want to run our own locally:

apt install searx python3-socks

Copy the configuration file into place and rewrite the placeholder key:

cp -p /usr/share/doc/searx/examples/settings.yml /usr/lib/python3/dist-packages/searx/
sed -i -e "s/ultrasecretkey/`openssl rand -hex 16`/g" /usr/lib/python3/dist-packages/searx/settings.yml

Open the config file at /usr/lib/python3/dist-packages/searx/settings.yml and locate the section for proxy information. Set Tor socks5 as the only proxy.

    proxies:
        https:
            - socks5://localhost:9050
    using_tor_proxy : True

I recommend proxying images as well to avoid leaking data.

image_proxy : True

Try to select only a handful of search engines to keep active. Using too many could create opportunities for adversaries that partner share data to correlate search requests. Comment out or delete the rest. And since this is being routed through Tor, don’t feel obligated to avoid large engines like Bing. They will only see a request originating from some exit node.

~~Increase the timeout value on any engine you select by a few seconds, otherwise Searx may timeout those queries before it completes traversal of slower Tor circuits.~~ As of SearX 1.0.0, there is a global timeout that can be enabled for when proxied through Tor.

    extra_proxy_timeout : 10.0 # Extra seconds to add in order to account for the time taken by the proxy

Create a systemd unit file to control the Searx service:

touch /etc/systemd/system/searx.service
chmod 664 /etc/systemd/system/searx.service

Edit the new file at /etc/systemd/system/searx.service to include:

[Unit]
Description=Searx metasearch engine
After=network.target

[Service]
Type=simple
ExecStart=/usr/bin/searx-run
ExecReload=/usr/bin/kill

[Install]
WantedBy=multi-user.target

Finally enable and start the Searx daemon:

systemctl daemon-reload
systemctl enable searx.service
systemctl start searx.service

Now when you launch your browser, you should be able to navigate to the local address at http://localhost:8888

Search results will list the source engine underneath each result so you can get a sense of the types of results produced by each engine. There’s just no hiding these super secret pancake recipes!

Ideally, Searx is only available directly to you, on your own machine, unless you make it available over the network through Nginx or Apache. Let’s take a broader look at what has been assembled:

Configured this way, Searx will make search queries by POST requests which limit identifying data received by recipient engines. Parties resolving the queries will not even see the originating IP, just some random request arriving from an IP associated to Tor network. Also your ISP will no longer be able to infer when or to whom you have conducted a search. Results censored by one engine, will unlikely be censored by all of your other engine choices making for a censorship resistant solution. Lastly, enjoy your new freedom from the chilling effect, that ominous, ever-present uncertainty of being watched. Well, at least for your web searches.

If you’d like to go a step further, consider bringing even the search index into your own turf by running a local YaCy instance. Searx even has a YaCy template to push queries to a locally running YaCy instance.

  - name : yacy
    engine : yacy
    shortcut : ya
    base_url : 'http://localhost:8090'
    enable_http: True # required if you aren't using HTTPS for your local yacy instance
    number_of_results : 5
    timeout : 3.0

Update Q4 2024: It appears that search vendors have grown wise to this kind of querying and unanimously block Tor since early-mid 2023. The configuration described here may still yield the occasional result, but the majority of searches will time out with unreachable engines. It has become clear that meta search engines are not the way forward, sufferring from the perpetual frontend dilemma.

Refocus on Solutions

Mon, 01 Jan 2024 19:02:56 -0500

Some kind exchanges with readers have inspired a degree of introspective and I’ve since determined that we focus a bit too centrally on trashing the bad to be found in technology. I have resolved to refocus more on building and detailing solutions to the mountains of problems previously covered here at Wrongthink. In light of that, we’re well overdue to dig into a long held stash of internet tracking countermeasures. Criticisms are all welcomed seeing as I’ve tinkered within a vacuum for far too long.

Being introduced today is the new 'hardening' tag for articles covering such countermeasures.

Most of these are going to apply largely to Debian and Debian derivatives, since that is what I primarily use. Although adapting these configs to other distributions should be trivial.

Faux Breakup Threats

Wed, 20 Dec 2023 18:43:29 -0500

“If the oppossing faction’s candidate wins, then I’m moving to Canada/Mexico!”

Had become a meme threat made by blowhards who find themselves on the losing end of a recent political [s]election. And I am always reminded of this third stage of grief in action whenever a new release of Windows looms on the horizon. You begin to hear a similar threat bandied all over the web:

“If Microsoft adds $NEW_ANTIFEATURE/removes $THING_I_LIKE, then I’m switching to Linux!”

ORLY? What is your migration strategy? Have you taken any time to learn at all about your intended destination? Which distro? Those who exclaim such outrage seldom ever carry through with their hollow threats. And if they truly cared, they would have already abandoned Windows long ago.

So if it is not their intention to make any meaningful change, what is their intent? We must first understand that these individuals tend to suffer from a variation of slave morality. Their assumption being that if only they protest loudly enough, then their master may cease beating them so harshly. Despite the master’s long history of known abuse, they believe that a sufficiently intense pleading will inspire a change of heart. It exposes their complete lack of understanding of power dynamics and motivational forces.

Sure ya will, tough guy...

The “or else I’ll switch to Linux!” crowd are unabashedly trying to bargain with a tech giant who likely views them no differently from the way that a farmer views his cattle. That being a desire to maximize their extraction of value from ~~the herd~~ users, and ensure they don’t escape the farm. Microsoft is confident in their knowledge that nearly every single chest beater will eventually roll over and accept whatever impositions are made on them, given enough time.

This dynamic also holds true for those who echo similar cries about leaving youtube for alternatives, or leaving X for mastodon. We know and they know that these are empty threats which will never be seen through to the point of lasting action. There was once a time where upon happening across such outcry, that it would have evoked sympathy in me. But these days, I instead find myself tempted to grill them and pry for simple details that anyone planning any such serious migration to freedom ought to know. My compassion has been exhausted.

Just as those who threaten relocating to Canada or Mexico due to election outcomes have almost no real working knowledge of the adjustments they will need to make in their supposed promised land, so too those who threaten migrating to Linux often have no real working knowledge of the technical, functional or organizational differences it bears to Windows.

Won't Someobody Think of the Advertisers?!

Mon, 11 Dec 2023 17:04:55 -0500

This is an assertion you’ve likely seen normies argue before. When called into question whether sites have a responsibility, as they say, to remove unfavorable posts or individuals, the normie will cite how large platforms depend on advertising to keep operations afloat. They go on to insist that if unsavory opinions (free expression, in sober parlance) are allowed to remian, then advertisers will pull their precious ads and send the big, poor site into collapse. “Oh no!! What are we to do?!” “Those poor advertisers!”

Their rhetoric likely sits somewhere downstream from corporate spellcasting of large social networking sites aiming to preserve their hegemony. It’s like a revised tactic of blame shifting. As though being beholden to an outside party somehow justifies the exclusion of individuals or of their ideas. Or as though the arrangement couldn’t possibly not involve said outside party.

First problem; why, if you care at all about human freedom of expression (spoiler: normies don’t), are you relying upon a site which places itself at the whims of corporate ad networks? Are you a masochist? Second, why are you frequenting any site that sees fit to assail their visitors with ads at all? There is hardly a more substantial red flag which signals just how poorly a site regards their visitors.

It is as though the normie cannot even conceive of any different hosting model. I suspect that they cling to this retort as a sort of rationalization for their continued use of a space dominated by corporate-private censorship. Explaining it away and deferring any self responsibility is way easier than adhering to principles and rejecting the use of popular, convenient sites. To avoid the exertion involved with discovering and migrating to greener pastures. Or to avoid the responsibility of self hosting their own community spaces, which would be the most optimal path.

In fact, this situation only emphasizes the criticality of taking charge with self hosted infrastructure wherever free expression is at stake. Leaving the fox to guard the hen house is only a gaurantee that a community will be made to submit to external influence. As I write in Asymmetry of Digital Literacy…, there are certain demographics who seem content to hop from one adversary controlled infrastructure to the next, getting thoroughly beat down each time and seemingly learning nothing from the experience. And now with a “good guy” (Big air quotes) having taken the helm of twitter, fools are flooding back to it believing that the new management will have no thoughts of mistreating them as before. Those who fail to learn from history are doomed to repeat it.

In a way, the normie isn’t entirely wrong. The people running their playpens maintain the technical capacity to censor. And, so long as they choose to continue down the path of the ad supported model, will always be under the thumb of sugar daddy ad networks. May you reap what you sow.

Innovations Erroneously Attributed to Windows

Thu, 16 Nov 2023 01:06:26 -0500

Concepts, features and creature comforts which existed within linuxes since long ago, that where only later adopted by Windows. Some small, others game changing.

Cursor hover out of focus scrolling
Clean cursor rollover on multidisplay
Tiling window management
Workspaces
SSH
Plug-n-play device drivers
Software repositories (Done the wrong way officially, done the right way unofficially)
Multi user
File permissions
Foreign file systems (and only in a roundabout way)
Bash shell (again, only in a roundabout way)

It is quite possible that, one day, Windows itself will have completely transformed into some encapsulation of legacy Windows as a Microsoft produced linux “distro”. If or when this happens, you just know there will be hordes of ignorant normies proclaiming how brilliant Windows is for “it’s” pioneering innovations. A rewriting of history to paint others as primitive laggards.

I want to facepalm my head through my desk each time there’s a press release over some new Windows adopting anything which has been in Linux distros for ages but neophytes exclaim “Wow, what a great new feature! Why hasn’t anyone thought of this before?!”. Yet we had been screaming from the mountain tops for years how things are better in the free world, if only they would just try dipping their toes in.

February 2024: Introducing Sudo for Windows!

Command Line Image Editing

Fri, 03 Nov 2023 23:39:21 -0400

Some more lines in the streak of command line $THING editing, I’d like to now cover handling images. And here we will naturally lean into the excellent imagemagick. Even though the documentation suggests that imagemagick can be invoked with magick, this does not appear to be the case across distributions. At least not mine, which rather breaks imagemagick up into individual invocations.

Resize an image

Supplying the change as a percentage is the fastest way to maintain aspect ratio.

mogrify -resize 60% sample.png

Be forewarned that mogrify modifies files in place (which is desirable IMO). Alternatively, an exact resultion can be specified:

mogrify -resize 640x360 sample.png

Flip an image

Images can be reversed with flip/flop arguments. To flip horizontally:

convert -flop sample.jpg

Or flip it vertically (while keeping the original file untouched):

convert sample.jpg -flip sample_upside_down.jpg

Crop an image

Remove the edges from images by pixel depth:

convert sample.png -gravity South -chop 0x60 shorter.png

Directional North/S/E/W can be supplied to select the edge to operate over. The boundaries can also be defined as a rectangle:

convert sample.png -gravity center -crop 640x360+0+0 cropped.png

The +0+0 represent the offsets in X and Y directions.

Overlay images

If you’re working with transparency, it may be desirable to superimpose one image over another.

composite -gravity center foreground.png background.png composite.png

Will create an output named composite.png. Note that the last file supplied before the output will be furthest into the background.

Convert between image formats

Super simple and definitely beats opening a graphical editor just to save it as another image format.

convert sample.tiff sample.jpg

Could easily be scripted to iterate over directories and make files consistent, if one desired to do so.

Many possibilities exist, among them applying text and blur as well as other filters. imagemagick is one of the core components relied on by my yt-linkifier tool to create consistently sized thumbnail previews. I consider imagemagick to be the “ffmpeg” of image files and it similarly has saved me a lot of time.

The Different Flavors of the Fediverse

Sun, 15 Oct 2023 01:09:33 -0400

ActivityPub has slowly been siphoning user capital away from giant corpo walled gardens, much to my delight. And like with many other free and open endeavors, the fediverse tends to emulate existing commercial platforms rather than produce formats of their own origination. Simply federating some SNS format under a libre development approach is no gaurantee that it will be free of the problems which that thing it is seeking to replace. The underlying issues of conventional SNS formats get conveyed into the newly minted fediverse clones.

Small minds discuss people

I had made an honest attempt to try the most widely recognized ActivityPub brainchild, Mastodon (and Pleroma and Akkoma). It succeeds as a way to dump thoughts too inconsequantial to deserve a fully fleshed out writeup. It also succeeds at keeping tabs on a loosely knit group of likeminded folks, while maintaining reachability to outsiders. But the twitter inspired microblogging format suffers at an achilles heel: People are the nucleus of all activity.

On it, you “follow” people. Discussions (threads?) are all visible only according to one’s relational adjacency to other people. It lays a foundation for cultivating ego and personality cults. Those with more “followers” carry more clout, and so they grow armies of flying monkeys ready to step in at the first sign of offense to those in their “follow” list. I could even see it happening in myself! Even I wasn’t immune.

All of this may be water is wet tier revelations to anyone who has previously used a microblogging SNS (…okay, Twitter). But it is all new to me, having never seen twitter and only hearing about it from afar. I’d only really remained with Pleroma for a few key individuals but, once they disappeared, I found my motivation to engage in such a space entirely sapped away. Microblogging is dumb and even “fixing” it with libre federated software isn’t enough to cleanse it of the dumb. Although for those who can happily call it home base without having to use centralized big tech, I am glad. It just isn’t for me.

Average minds discuss events

Another brainchild of efforts around ActivityPub is Lemmy, the answer to the cesspool known as Reddit. At first glance, federation would seem to fix many of the ailments that arise from a centralized link aggregator. It is possible for “communities” to create a more amicable home at another instance, or to share the same name as a formerly created community rather than the former squatting the name. The fractured nature of federation limits the reach that would-be “power mods” might otherwise have. But, as with twitter-likes, the reddit-likes also suffer problems inherent to the format.

Lemmy is plagued with the familiar redditor behavior. One-liner zinger replies. “This. So much this!”. Meme comment chains. An undying adherence to the progressive flavor of political tribalism. You can take a redditor out of reddit, but it seems you can never take the reddit out of a redditor.

The group reinforcement mechanisms also remain. An upvote/downvote system remain in place to push content and comments up or out according to the majority consensus of the group (though I will concede that some Lemmy instances seem to disable votes affecting visibility(?)). Then there is the format itself: Link aggregation. Almost every discussion only exists as it relates to a link, usually to some news article. As soon as the news cycle moves on, those ephemeral discussions go dead. Contrast this with proper forums, where individual threads often live for weeks, months, sometimes years, even decades.

The link aggregator eternally suffers from a two minutes hate syndrome. “Hey, guys, here’s this event that outrages me, doesn’t it outrage you also?”. Even though people often call reddit and other link aggregators “forums”, and Lemmy is supposedly “forum” software, I think it is insulting to actual forums to suggest the two are somehow alike. I once ditched reddit for Voat but Voat also fell prey to the same mechanisms, only becoming a conservative flavored groupthink training camp rather than a progressive flavored groupthink training camp.

Again, I’m glad for anyone who has found a safe refuge in Lemmy, distancing themselves from the centralized dinosaur called reddit. But it isn’t my cup of tea.

Great minds discuss ideas

When people post only a hyperlink and thread title to conventional forums, such as those running phpBB or Simple Machines, I’ve often refered to it as reddit posting. It is because these confused users seem to have been conditioned by link aggregator “forums” to treat more fully fledged forums in the same lazy ways. Luckily, they are the exception. Most old school forums to this day remain spaces to solve problems, weigh in with ideas, to learn more about fellow forumites and to share actual, useful information of consequence. Everyone gets a fair shot. Posts aren’t hidden or deranked for being unpopular. A user’s fame or reputation alone isn’t enough to carry an unsubstantiated idea. The pace is slow moving and measured, encouraging thoughtful replies rather than haughty quips.

The problem, however, is that conventional forums have yet to be federated. There is yuforium which is far from being completed. There is LemmyBB, which is basically just a phpBB skin frontend for Lemmy, so not a real solution. And this exascerbates another existing problem with conventional forums: they tend to be hyperfocused around a particular subject matter. One of the only large, general-purpose forums I have seen being city-data, which originally was hyperfocused but outgrew it’s narrow discussion range on population size alone. Forums often delegate more open ended discussion to off-topic sub forums, but that gives them an air of afterthought. And with pretty sparse population, at that.

So if you’re anything like me, you’re left with only a handful of options:

Continue using tightly seggregated dedicated forums for each and any interest you might have, while managing dozens of accounts and waiting on yuforium (or others) to mature.
Stomach Lemmy, the least-worst of the currently federated SNS formats, and ignore the constant stream of mass media two minutes hate circlejerks while sifting for those rare but fleeting semi-intelligent discussions.
Mailing lists ???

Given the circumstances, I’ll probably continue with the first strategy. Although I’ll admit to toying with the notion of spinning up a personal Lemmy instance so at least I can berate normies. But that’s a lot of shit to clutter my systems with (Lemmy uses rust, ew) just to be a helpful nuisance to somebody else. I could try to contribute to yuforium, but I’m more of a systems automation type of guy. As it is, paraMatrix is basically me feeling around in the dark. The measured approach would just be to remain patient and tactful, navigating around as best we can with what little we have at the moment.

Update 2024: Some web 2.0 style forums have announced ActivityPub integration. Both Discourse and Flarum are closer to the general purpose forum model, and have my intrigue.

The Role of Libraries in the Digital Age

Tue, 03 Oct 2023 21:32:02 -0400

Municipal libraries have been given special exemption to operate outside of typical copywrong framework through a lending right scheme. And I welcome any chink in the armor of the monopolistic copywrong industry, even if it happens to be done so through the means of state sanctioned robbery. The earliest libraries were vehemently opposed by publishers who thought it as a way of undercutting their profits. And yet, centuries later there is still a thriving industry for books to be authored. It is as though books are just physical text files and the same intrinsic workings found in file sharing (piracy, according to mid wits) similarly occurs through library lending.

The paradigm that saw public libraries into existence has evaporated in the wake of the new digital age and there is new discourse raging over the lending of digital copies of books… which I suggest is unimportant under the shadow of a larger failing of today’s libraries. In an age when most textual material is now consumed over HTTP, they have neglected to gather collections of web documents of any variety. Why is it that an exceedingly small number of good samaritan organizations have found themselves the proverbial eggs in a basket when it comes to web archival? Accounting for every substantially recognized effort, we basically have only the Internet Archive and Archive.Today to look to for page preservation.

And with so few outfits doing the world’s heavy lifting, it has been made simple to pressure these good samaritans [1] into memory hole’ing inconvenient parts of their archives. The Wayback Machine and, to some extent, Archive.Today are an effective duopoly over cached historic copies of large swaths of the web. This crucial role has failed to be spun up in a decentralized way, even though the tools to make this possible already exist. Programs such as HTTrack, or even the built-in page caching functionality of self hostable web crawlers such as YaCy.

As libraries nearly universally provide internet access for visitors, it is not a far cry to imagine that these institutions could also run, however rudimentary, web indexing. Without digging too deeply, I suspect this lack of foresight comes down to their lazily outsourcing of digital infrastructure to remote managed services. Or to the cultural atmospherics that naturally arise from the disproportionate hiring of people who fundamentally don’t understand digital technology. All such a solution would need is some of the readily available bandwidth, a dedicated server and exposing of the cached pages in a searchable way to, at the very least, systems on the local network.

But what would an ideal situation look like? How about, for example, being able to navigate to any one of the many municipal library websites at such a resource like “webarchive.stchlibrary.org” (St. Charles County Library) to check whether there are any captures of a desired page. The redundancy of so many organizations crawling the web would make chronological captures all the more difficult to censor. And the workload involved with setting up indexing is no excuse not to do so. In fact, I would argue that it is more work to meticulously catalogue and preserve thousands of microfiche slides of decades of newspapers, which so many libraries already do. It is a shame given the criticality of the role the web assumes in contemporary society.

'It's Satanic!' Is Not A Compelling Argument

Thu, 08 Jun 2023 22:19:16 -0400

If you grew up in the ’90s you may have found yourself witness to such ongoings as parents denying their children Pokemon cards or Harry Potter books on the grounds that they are ‘unchristian’. It is possible that such was simply a convenient excuse to avoid dropping money on frivolous expenses, but there were undoubtedly those who made the assertions in earnest. Which raises a really apt observation: In order to believe that stories or toys about magic represent a genuine threat, one must first believe that magic is real.

Those who are not of the persuasion that an Abrahamic god (or any god) exists will also remain unconvinced that ‘unchristian’ things represent any kind of threat whatsoever. And it is this incongruity in perception that makes so many in the freedom advocacy community fail to communicate their message adequately. For whatever reason, there is a disproportionately large representation of Christians within the movements opposing tyrannical power. I am not highlighting this to condemn or congratulate anybody. It is purely an observation. From the link:

“I know many Truthers, and while I would say that a majority are Christians (of various denominations), there are also some Muslims, some agnostics, some New Agers, and within the mix a few people who are outright hostile to Christianity.”

But what this leads to is a frequent tendancy for freedom activists to point at something, which runs counter to the goals of human autonomy, and to call it “SATANIC!” (you can hear my exasperated gasp through the screen, right?). It muddies the waters of the cautions they are trying to share to the general public. X thing is not bad because it centralizes control over your finances or because it makes your private life more transparent to alphabet agencies. No, X thing is evil because it is in league with the antagonist of MY particular holy book REEE!.

Damning evidence of a chain store pushing shoppers into satanism? Probably not, but it sure sounds like a sick rave!

So instead of reaching the widest audience possible (this is what you want for your messaging, given that you are trying to ‘wake up the sleeping masses’), it only speaks to those who also happen to subscribe to your particular brand of religiosity. Good job, guys. You just potentially alienated an unknowable portion of your target audience. They may go on to associate your perhaps perfectly valid alarm raising with religious fundamentalism or worse. And it may have also served as a boon to your opponents who would rather see your messaging get poisoned and ignored.

‘But what about the ritualism and ceremonies of powerful people?’ you may ask. Yes, I have seen the ceremonies and displays that certain middlemen and controlling groups partake in. Does that mean that I think they’re summoning demons? No. Because I literally don’t believe in demons. Likewise for all other related superstition. They aren’t “opening portals”. They aren’t “tapping into the power of Satan”. That is all low IQ drivel. Is it a display of iconography and commonality among the parasites? Perhaps. But it is not their choice of imagery that leads me to conclude that their goals are awash in malicious intent.

New PeerTube Instance at video.wrongthink.link

Mon, 29 May 2023 11:34:35 -0400

Instead of relying on the good graces of some other host, I have finally gotten around to establishing a PeerTube instance to call my own. At the moment it doesn’t follow other instances although I would like to take advantage of the features enabled by federation. For now, there are only two channels; main and other. I’m not really sure yet what I plan to upload. Or whether to reupload anything from my old channel.

Before deciding on PeerTube, I had considered MediaGoblin or just making a videos page with HTML5 tagged videos. Either would have been adequate, but familiarity won out in the end. The links page has been updated.

The Right and Wrong Way to Implement Blacklisting

Sun, 14 May 2023 17:15:19 -0400

Blacklisting tools need to resist the temptation to centralize their blacklists. Sometimes it is not done intentionally, but that makes it no less harmful to user privacy. Barring instances where it is infeasible to distribute such a list due to size, referenceing a list of blocked resources should be possible entirely within the end user’s device.

As example of things done the wrong way see blacklisting DNS providers. I didn’t even know this was a thing until I stumbled across it while evaluating some blockers. Seriously, why are people outsourcing this to upstream resolvers? The local hosts file is the ideal place for this functionality. For a better way, one should look to implementations such as uBlock Origin’s blocklists, Clam AV’s signature databases or any other tools which sagely supply lists of known bad matches in their entirety to the client for direct use.

Some might argue that it is more efficient on network resources for clients to request only what they need to lookup or that it aids security since users could end up keeping stale copies locally. I do not view these things being so important as to justify making the easy profiling of users possible. The reason that many people find themselves even bothering with blacklisting in the first place is because they do not wish to be tracked and profiled.

New Home For The Alternative Information Directory

Sun, 07 May 2023 20:55:57 -0400

The hundreds of informational resources aggregated largely under the efforts of a good acquaintance, 12bytes (12bytes.org), comprise the Alternative Information Directory, or ‘AID’. Some potential logistical issues that cropped up with hosting as a codeberg page meant that the directory needed to find a new location for the time being. So I am honored to offer a space for it at aid.wrongthink.link.

These graphical buttons are available in the Downloads section at AID should you wish to embed a link somewhere within your own site. 12bytes has been exploring suppressed information for much longer than myself and that is reflected in the voluminosity of the Alternative Information Directory. May it ‘aid’ you in refining the accuracy of your understanding of reality.

The Purpose of Safe Spaces

Fri, 05 May 2023 09:17:11 -0400

POV: You are a sociopath. It is the late aughts-mid teens decade. And you have a problem to be solved.

The Problem:

You and your industry buddies would love to pull off a scam against the global public in order to force them, to the maximal extent, to use your products. But you know that the perceptive and inherently distrusting minority of the population will, using the internet, swiftly identify and call out your scam, alerting others, as you begin to roll it out. This poses a serious risk of your plans being undermined.

So, how to isolate that group away from view of the more easily persuaded majority?

Still from After Skool's 'Love Your Servitude - Aldous Huxley & George Orwell'

The Solution:

Part I

Identify (or manufacture!) a social schism and fan the flames to foment ever greater consternation between the factions which form battle lines around it. Once you have generated a sufficiently critical mass of useful idiots willing to die on a hill before your social cause, they can surely be leveraged to enact part II of the solution.

Part II

Within massive and influental online spaces, decry the presence of poeple who are perceptive and alert as “problematic” menaces to the community. Label them as threats, and/or things they have said or done as heinous bullying which must be banished “for the safety of the community” and the legions of useful idiots will cheer as their community’s only genuine social and intellectual immune system is dismantled before their eyes in order to clear the way for “safe spaces” and “inclusive communities”.

Once most of the alert & perceptive crowd have been successfully banned, removed, [self-]censored, or have retreated to enclaves of their own making, away from the larger view of the public, it is now time to begin deploying your desired global scam. Opposition has been successfully mitigated and you, as philanthropath(s), can now control the perceived reality of the masses, totally unopposed.

*Yes, this is a gross over-simplification. But one component which casts the phenonenon of “safe spaces” into a light which begins to make much more sense in retrospect.

Opening Up paraMatrix to Collaboration

Sat, 29 Apr 2023 08:36:46 -0400

Today I am uploading my edits and additions made on top of xiMatrix as ‘paraMatrix’. It has a way to go before it can be considered webworthy. So I’m not yet dogfooding the extension although it will be a pet project of mine for the forseeable future. And anyone is invited to collaborate in its development!

There really are no explicit goals with paraMatrix aside from being an insurance policy against the disappearance of existing web request blockers. I am painfully aware that the current situation completely relies on that one guy in Nebraska doing thankless work. Raymond Hill has already shelved development on uMatrix and God forbid he ever gets hit by a bus or simply loses interest in maintaining his remaining tools. That is partially my motivation to continually explore other options for the Web Content Blocker Tier List.

Some of the niceties I’ve already bolted on so far include:

A column for images, separate from audio/video
Option to refresh the page with changes
Dark theme
Cleaned up the dialogs (and will eventually migrate them to a dedicated in-extension page)

Some bits from the README:

Why use xiMatrix as a basis instead of uMatrix?

xiMatrix is simpler with a smaller codebase and is therefore more suitable to hack upon. It is already built in the spirit of ‘do one thing and do it well’ and implements some of the features I would have liked to see added to uMatrix. uMatrix covers things which may be considered outside the scope of a web request firewall such as spoofing values and managing local storage.

Why not just contribute to xi’s xiMatrix?

He has clearly stated in his project that it is a personal tool and will not likely be extended further. I will, however, try to track changes to xiMatrix to incorprate into paraMatrix. Although it may eventually be spun off as its own fork.

Any and all contributions, be it aesthetic, techincal, big or small, are welcomed. If you would like to build the extension to try it for yourself, just clone the repo:

git clone https://gitler.moe/Wrongthink/paraMatrix.git

Then cd into the root directory and assemble the files into .xpi:

cd paraMatrix
zip -r -FS ../paramatrix.zip * --exclude '*.git*'.
cd ..
mv paramatrix.zip paramatrix.xpi

Either install it unsigned through <variation>Fox’s about:addons > Install Add-on From File… Or, for easy testing, through about:debugging > This <variation>fox > Load Temporary Add-on…

Rough edges abound, I will be slowly chipping away at them. Maybe it will amount to something, maybe not. We’ll see where this goes.

Catbox.moe, An Underappreciated Heavy Lifter

Sun, 23 Apr 2023 12:04:37 -0400

File hosts that accept uploads with minimal friction come and go. So it is a positive find that Catbox.moe, unofficially Voat’s “Imgur”, has maintained some longevity. “But Catbox uses proprietary javascript!”, I can hear you say. But it doesn’t. An upload page has been built specifically for js blocking Chads. Although this introduces a limitation, only one file may be uploaded at a time.

However, we don’t need to hand control over to some javascript to recover this functionality. We take things a step further and ditch the web interface for the much more utilitarian terminal program! MineBartekSA’s CatBox bash script leverages the Catbox API to upload and optionally manage content.

Usage: catbox <command> [arguments]

Commands:
   user [userhash]            - Gets or sets current userhash. If you pass 'off' then it will make you anonymous
   file <filename(s)>         - Uploads files to catbox.moe
   url <url(s)>               - Uploads files from URLs to catbox.moe
   delete <filenames(s)>      - Deletes files from catbox.moe. Requires userhash
   album                      - Album Managment
   usage, --usage, -h, --help - Prints this message
   version, -v, --version     - Prints version

Setting a user hash allows you to later delete files that you no longer require hosted. Although if you’re looking to temporarily share a file, it may be best to use their litterbox.catbox.moe option which allows files to be deleted automatically anywhere between one hour to three days after posting.

Let’s say you have a folder with several items you want to share. This can be done in a single command:

catbox file SecretDocuments/*

The wildcard will grab all of the files in the directory, in order. It is also possible to pass multiple files individually. The resulting link URLs are supplied in the output.

Uploading anonymously...
letter-to-meemaw.txt:
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   445    0    35  100   410      8     93  0:00:02  0:00:02 --:--:--   101

Uploaded to: https://files.catbox.moe/bj9k3z.txt
proof-that-aliens-are-real.txt:
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   401    0    35  100   366      9    100  0:00:01  0:00:01 --:--:--   109

Uploaded to: https://files.catbox.moe/mbhj46.txt
stalker-notes.txt:
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   379    0    35  100   344      7     73  0:00:02  0:00:02 --:--:--    91

Uploaded to: https://files.catbox.moe/3n1hwo.txt

Play fair
It is with only a bit of hesitation that I write about Catbox, as the service is provided on the goodwill of an anonymous do-gooder who thanklessly keeps things running with over 200TB of bandwidth used monthly. So please be respectful of the filesizes that you upload. I know that automated uploads can be tempting to start dumping tons of content. Even a simple 3.5MB video file viewed by just two thousand people easily translates into ~7GB of content that their servers need to deliver.

Addon Conflicts and Data Leaks

Sun, 16 Apr 2023 13:15:00 -0400

A half dozen or so extensions sit happily running along in your browser dutifuly, according to the various “privacy” sites that recommended them, foilng trackers. Surely, gathering these tools is just like collecting Poke’mon, right? If the knowledgeable folks pushing them have taken the time to scrutinize their operation, they just might have posted fair warnings to their individual caveats. Often, extentions end up stepping on eachother’s feet.

One such case can be found in running CSS Exfil Protection behind a generalized blocker. This addon preemptively parses stylesheets to check them against known form data exfiltration attacks outlined in the developer’s blog. The problem that arises from this is that cross-origin stylesheets will be fetched regardless of whether or not that third party domain is blocked in something like uBlock Origin or uMatrix. They show up as behind-the-scenes xhr requests in the logger:

01:16:57        behind-the-scene                xhr     https://fonts.googleapis.com/css?family=Droid+Sans+Mono|Arimo:400,400i,700

So anybody who runs default deny policy from some blocker will have their efforts foiled by CSS Exfil Protection failing to respect the setting and making connections to all kinds of trackers anyway. And it doesn’t help that the priority order for addons to modify requests remains unclear and difficult to influence. The commonly cited workaround being to make sure that the addon you want as “master” be the most recent chronologically installed addon. Which flies in the face of common sense, as addons which users feel are the most important will likely be the first to get installed. Just more unquestionable design wisdom from our friends at Mozilla.

That is just an example of a smaller, relatively unknonwn addon causing problems. But conflicts also arise in much bigger and more widely used combinations. It is still very common that uMatrix users like to also run uBlock origin secondarily in basic user mode, citing its beneficial extensive blocklists and pattern filtering. But let’s look at how nicely they play together when visiting a few sites.

You’ll notice that both uBlock Origin and uMatrix are blocking the associates-amazon.com, cdn.vox-cdn.com, googletagmanager.com and voxmedia.com domains:

Crucially, note that uBlock Origin is permitting the player.megaphone.fm and recaptcha.net domains and permitting some resources from the cdn.vox-cdn.com domain. And viewing the uMatrix logger indicates that these resources are being rejected.

But let’s see what our trusty tcpdump has to say:

23:17:02.250877 IP localhost.34253 > redacted.domain: 2047+ A? cdn.vox-cdn.com. (33)
23:17:02.406477 IP localhost.47270 > redacted.domain: 34547+ A? www.recaptcha.net. (35)
23:17:02.522724 IP localhost.42132 > redacted.domain: 26001+ A? player.megaphone.fm. (37)
23:17:03.447299 IP redacted.domain > localhost.34253: 2047 1/0/0 A 146.75.72.124 (49)
23:17:03.794829 IP redacted.domain > localhost.47270: 34547 1/0/0 A 172.217.23.195 (51)
23:17:04.057974 IP redacted.domain > localhost.42132: 26001 1/0/0 A 205.185.216.42 (53)

Interesting. So DNS queries are made for those “blocked” domains.

To the best of my knowledge, this is probably related to the fact that uBlock Origin unhides domain CNAME aliasing, which necessitates doing a lookup. So I ran the same capture after clearing the container cache and disabled uBlock Origin’s Uncloak canonical names feature. This time the only lookups were for the anticipated vox.com domain.

23:17:57.561083 IP localhost.51548 > redacted.domain: 10194+ A? www.vox.com. (29)
23:17:57.561109 IP redacted.domain > localhost.51548: 10194 1/0/0 A 199.232.37.52 (45)

(Kinda hard to show what didn’t appear. Work with me, here.) One important factor is that our DNS resolver gets to see these lookups as well as the correlating fact that they all arrive at the same time. But do those leaky domain resolutions ever lead to traffic to any of those domains?

Well, it seems not to but is difficult to evaluate (probably due to which addon gets to intercept the request first, I still need to do some investigation on this ). The expected behavior from this addon combination would be to not even bother with the lookups since those domains are blocked by default anyway. The result is that it generates more network traffic than is necessary.

uMatrix users that want to avoid this could opt to disable Uncloak canonical names. Or if you only use uBlock Origin for the blocklists, consider importing compatible lists into uMatrix’s hosts files and dropping uBlock. It also has to be considered whether the cost of fattening out your DNS lookups even outweighs the benefit derived from discovering and mitigating sites who sneakily delegate subdomains to third parties (which uMatrix has absolutely no defense against). Not to mention uMatrix and uBlock Origin have had a history of clobbering eachother over CSP headers. TL;DR: the whole village is on fire.

All of this has me thinking we might be stepping into a world in which external tools outside the browser are going to be required to hold its hand like a little toddler, scolding it “No, DerpFox, don’t touch that resource!” whenever its grubby hands reach out for yet another connection while you weren’t looking.

The Spotispy Hostage Situation

Tue, 11 Apr 2023 21:29:17 -0400

It may not currently be possible, using only libre toolsets, to extract podcasts hosted on Spotispy into local audio files. I had no idea how bad it really was because I’ve dutifully avoided the big tech[nocrat] disservices. So I haven’t tried to interface with Spotify until I recently needed to try pulling down a podcast which doltishly decided to choose Spookify to host their work.

It was no shock to find that no direct download link is provided on the page. “No problem!”, I thought at first, “I’ll just get the media link from the browser console”. Nope. They obfuscate it within a javascript web player. “Alright, yt-dlp will just pull it down”. But support for ripping from the audio monopoly has actually been broken within the youtube-dl family of programs for some time.

So it was time to fall back to specialized projects designed for this godforsaken host. Spotify-dl, in addition to needing npm to install, consistently failed with an error deserving no elaboration. While spotdl, asking for installation through python pip (thanks, let me just clutter my system with a bunch of out of repo crap), says right in their documentation that audio is just matched through GooTube search and downloaded from there. Had to pass on that one.

Defeated, I trudged over to the Firefox addons repository to peruse the downloader options there. Nothing. The walls erected by Spot-I-Spy seem to have been enough to deter even the energetic and adventerous browser addon development world. And the more generalized downloaders also scratch it from their lists of supported sites.

Wow. So there must be some web service offering to grab and convert Spotify-hosted podcasts, right? The big ones all do strictly music only. The others either failed to interpret any format of the links I supplied (sanitized or not) or demanded far more than just running some scripts. Not a swamp I’m willing to go crawling in.

The last resort of any such endeavor, dedicated desktop GUI programs, all suffered from one common flaw: proprietary Windowns or Mac exclusive dumpster fires. They made big promises in their documentation, but what good is it when the program itself cannot be compiled from source within and for a sane environment? And with that, I found that my determination to find some way to acquire the podcast as either .ogg or .mp3 was anything but proportionate with my desire to listen in. Too bad, so sad. Host it somewhere that isn’t malware.

Which highlights something to be observed in the podcasting space. Each podcaster who decides to exclusively host their material with Spyify is acting as a sort of pied piper, leading a train of hapless children into the darkness of an isolated cave. One of the original strengths of podcasts was that they’re democratized and portable. Using this audio giant completely hobbles those strengths. Why would you ever impose it upon your listeners?

Neocities Links Have Been Redirected

Tue, 04 Apr 2023 10:17:44 -0400

Enough time has elapsed that stragglers to the old neocities site should have gotten the message by now that wrongthink.link has replaced it as the primary site. I have pointed all neocities pages to their new counterparts here. If you also operate a site that has migrated away from neocities, and would like to do the same with your own hugo markdown files, here’s how I programatically rewrote all the pages:

for item in * ; do sed -i '1,/---/!d' $item ; echo "Article has moved to https://mynewweb.site/posts/$item" >> $item ; done

Which preserves the fields between hugo’s font matter declarations but strips away all subsequent text, replacing it with a brief hyperlink. And then touch up with a pass of:

sed -i 's/.md//' *.md

Why didn’t I keep the neocities site as a mirror? Neocities’ restriction of media content clashes with my liberal usage of multimedia, making it unsuitable as a mirror. However, I am exploring running a true-to-form darknet mirror. The only stumbling block right now is in assessing how well a physical server will handle graceful shutdowns via apcupsd during power interruptions, which often occurs when you live out in the mountains. This also disqualifies any darknet mirror that I deploy from taking on the status as my primary website. Although some neat ideas are floating around out there.

Was The Old Web Really More Free?

Thu, 30 Mar 2023 21:22:10 -0400

According to a writing by a presumably younger netizen, the turning date for when the web went to shit was “around 2015”. Almost an entire decade later than when I would have judged it to be. Could it be that the gradual tightening of control over the web is causing each new generation to view the internet of their childhood through their own brand of rose tinted glasses? Or was the web of the 90s and early aughts even really as free as we often make it out to be?

Instead of relying on my own faulty human memory, let’s revisit just what made up the web experience around the turn of the century. I find that we often wash over the fact that:

The dominant web browser during that age was Internet Explorer, by over 80%! And the competitors at the time were also proprietary dumpster fires.
Macromedia/Adobe Flash (oh god please no) was a prevalent and often required plugin.
There was no intelligent way to block or manage cookies or other resources, and the common wisdom of the time was simply to periodically delete cookies & cache from your browser settings (which is woefully ineffective, in retrospect).
It was still common to dial in through walled silos such as AOL and CompuServe.
Everyone’s traffic was naked on the web. Only an extreme minority of sites ever used HTTPS at the time as it was still just emerging and only as a means of securing payments pages.
There was not yet consistent standardization. It wasn’t uncommon to see “This site is best viewed on ________ browser!”
The most widely used messenger at the time, AIM, being completely proprietary. And AIM didn’t adopt XMPP until 2008.
This type of autoplay scam embedded on nearly every other page you ever visited:
It wasn’t until 2002 that the first widely known ad blocker had been made (and for a browser lineage that, as noted above, barely anyone used at the time).

Some things were considerably better. Centralization hadn’t yet crystalized around cuckflare and massive ghettos like Amazombie AWS, FBIbook and REEddit for “homepages”. I even went through some archived sample sites to evaluate their standing on responsible resource usage.

Site	Notes
Yahoo (2001)	only one inline script http://www.yahoo.com/{inline_script} , some xhr and no cookies at all. Light and responsible, by today’s standards.
Yahoo (2023)	over 100 scripts with goodies such as “wf-geolocation-1.3.0.js” and “wf-beacon-1.3.4.js”, 3rd parties and trackers like scorecardresearch, attempts to fingerprint via basic browser info, querying permissions through APIs, window and canvas info among others.
Ebaum’s world (2002)	only http://www.ebaumsworld.com/facts.js , http://www.ebaumsworld.com/index2.shtml{inline_script} and some script relating to phpads. Quick and light.
Ebaum’s world (2023)	doesn’t even implement a strong cipher suite, deploys over 30 scripts, now uses a content delivery network, 3rd party CDNs and resources everywhere, social buttons, analytics, massive fingerprinting through font enumeration, time info, webstorage status, canvas, hardware querying, device enumeration and more!

But the one thing that really stands out as better in the before times was the demeanor of fellow netizens. People were much more thick skinned. So on a technological metric, the old web was not very free. But on a cultural metric, it was indeed very free. I maintain that the turning point falls sometime around the emergence of slavephones.

And that old experience hasn’t been expunged from existence. It has simply retreated. It is no longer the dominant norm, but hidden across federated networks, anonymity networks and in those last niche spaces in clearnet where users have outright rejected the NWO (New Web Order). Come and seek it out if you care about these issues.

Consider Blocking CSS By Default

Wed, 22 Mar 2023 18:07:42 -0400

You may be running some hotrodded addon suite that blocks the various attack vectors which the modern web likes to throw at you. But are you blocking quite enough? A colleague and I exchanged thoughts on the best defaults for which web resources to deny and he was surprised to learn that I even strip the style sheets (CSS) out of visited web pages.

CSS is commonly thought to be useful just for formatting and for the basic beautification of web pages. But it can be capable of so much more. That last link is innocent in nature, but demonstrates a point. Consider also that CSS can be used, as demonstrated by Davy Wybiral, to break up a page into a hidden grid with :hover selectors, which can then be used to remotely monitor the position of visitor’s cursors. All without the involvement of javascript and all without the browser reporting any network requests.

Wybiral highlighted some use cases for this:

Motion (gait) analysis is an active field of research

People use different resting positions for the cursor

Identifying mouse motion vs touchpad should be possible

Can give insight into other behavioral traits of visitors

If you think that sites would have no interest in conducting such focused tracking, please know that there is an entire industry catering to capturing “session replays”. Complete recordings of each visitor’s time on the site, obstensibly to “improve” the UI. But why would session replays need to capture keystrokes and, by extension, possibly passwords to “improve their UI”? They are willing to use everything down to DOM events. Would they not find CSS-based tracking useful? Especially considering how popular javascript-blocking has become?

Similarly, it had been possible to fingerprint and gather a visitor’s related browsing history through the :visited selector. Browsers have since implemented mitigations (spoofing values) but there remain so many other ways to fingerprint users through CSS. Such as techniques using background images or fonts, in which the browser is instructed to request a completely unique asset from the site server. Oliver Brotchie elaborates:

This technique avoids anti-tracking methods such as NoScript, VPNs or browser extensions, as it requires no Javascript or Cookies to function.

Or such as by gathering canvas information, browser information and other metrics, for which author ‘jbtronics’ explains the only possible defenses:

What you can do to prevent tracking with this method? … is to disable CSS for a web page completely, you can do this via browser settings or with plugins like uMatrix (currently unmaintained), CSS Toggler (currently unmaintained), Stylus or uBlock.

Or exfiltrating user input (and doubtlessly more to come!). Mike Gualtieri, who penned these methods, refers to extensions as a possible defense:

Defense for Web Users. For web users the best defense is to ensure that such malicious CSS is not parsed by your browser. As such, I developed a pair of browser plugins for Chrome and Firefox which aim to protect against CSS Exfil attacks. … Each plugin works by pre-processing the CSS which is loaded onto a web page. Inspection and sanitization of each CSSRule is done through the browser’s native CSSStyleSheet JavaScript API. If a CSSRule.selectorText is detected that: 1) Parses the value attribute of an element, and 2) If the corresponding CSSRule.cssText includes a call to a remote URL, a new rule is created to override the call to the remote URL.

Just a quick note: The CSS Exfil Protection Addon currently leaks requests for 3rd party stylesheets from behind blockers like uBlock Origin.

If you have the time, please consider reading through, in full, the excellent material that these researchers have produced. As the style sheet standard continues to get extended, we can only anticipate that the attack surface it presents will follow suit. At this point, I don’t trust anything without at least some layer of isolation and verification.

I suggest simply blocking CSS outright. It really isn’t much of a nuisance considering the majority of the time one spends on the web is just reading text. With style sheets stripped away, some sites will render large SVGs that fill your screen. You can either disable SVGs (in Firefox derived browsers that is at svg.disabled=true) or just scroll down to about 80% to the bottom and the textual content can almost always be found there. I basically only ever enable CSS on sites which I have used for a long time and have built a trustworthy rapport.

I have also found that CSS is one of the ways in which some websites will try to obscure their page in an attempt to punish visitors who block javascript. No CSS, no problem!

Research Tools From the Sunny Climes of Western Japan

Fri, 10 Mar 2023 11:45:39 -0500

This is a friendly critique of James Corbett’s known online research loadout. Actually just things that he has suggested, but some are clearly his go-to tools. My thoughts in cyan .

Feedly

James personally uses feedly.com (Really Simple Syndication Solutions Watch) to keep a queue of articles to be read. Categories:

Climate
MSM
News (Independent News)
OpEd

Users of Feedly rely on an external service. Feedly know in detail everything you read, which articles specifically you access, can infer how long you spend on each, etc. I would recommend using a dedicated desktop feed reader. This cuts out the middleman by grabbing the articles directly *and* saving local copies to be read offline in the event of getting Fahrenheit 451'd.

Browsers: Brave and Firefox

“I use different browsers on different occaisions” - (The Highlighter is Mightier than the Sword).
And an inexhaustive list of his known addons:

AdBlocker Ultimate
Ghostery Tries to block trackers *for* the user, but has an abysmal track record. I wouldn't recommend.
Highlighter + Notes
HTTPS Everywhere
NoScript Better than nothing, but not very granular. There are cases where only certain js need to be loaded.
Privacy Badger Same as with Ghostery, not worth it's space in lieu of better addons. It's supposed to 'train' with usage but ends up leaving the user's system connecting to tracking domains for long periods.
Video Download Helper
Further elaboration on addons below.

HTTPS Everywhere

Seen on his Firefox config.
HTTPS Everywhere *was* good at what it did, but is no longer necessary. Firefox now natively handles this functionality with HTTPS only mode, set with: dom.security.https_only_mode=true. There supposedly remain some pages which are more gracefully handled by the EFF’s HTTPS Everywhere but I have never seen evidence of it. And in events where a site simply has not setup TLS certs, instead of accepting the unencrypted page, push it through a proxying resource. I recommend pulling through torsocks curl. Or, the simple way, put it through archive.today for viewing.

AdBlocker Ultimate

*Has also been seen running Adblock Plus.
Default allow policies are weak. I would encourage instead to try uMatrix. It is undoubtedly the strongest browser firewall and handily alleviates the necessity of NoScript and several other addons. In fact, have a look at my Web Content Blocker Tier List.

Highlighter + Notes

Saving articles through Highlighter may limit access to their accessibility to that browser (Highlighter + Notes does not seem to be available to Chromium browsers). I get that the point of this addon is to highlight, but if one is relying on it for archival purposes, it may be pertinent to save in a more generalized way. Ctrl + S will save the page HTML, its formatting and some assets like embedded images to a local folder. It can later be viewed in any other browser. Or print to PDF via the page print options. From here, the document can be highlighted using native PDF functionality.

Heavy reliance on archive.org and archive.today

These web archivers are both excellent tools, but I do have concerns that they will eventually be coopted or memory holed. For the sake of expanding the toolbox, I would urge one to look at HTTrack. Think of it like an archive.today that you can run on your own machine. Again, with fully offline access.

Reliance on youtubepp.com

(video downloader site).
In fact, when I was reviewing Jame's tools for this writeup, I've found that youtubepp.com now redirects to y2mate.com with the message 'Our service has been discontinued as of August 1, 2019.'. Try invidious which, being a self hostable open source Youtube front end, is like the hydra. One instance goes down, another takes its place.

Uses (and indicates favor to) youtube-dl

(Research Tools You Should Know About), Has used youtube-dl to backup his entire Youtube channel before being depersoned.
Another excellent use case. youtube-dl is the Swiss army knife of video downloads, I cannot think of a better tool off the top of my head.

boingboing Youtube thumbnail grabber

Can be better handled with youtube-dl (Thumbnail Options, --get-thumbnail). It is best to cut out the middleman and just use youtube-dl.

He has used 4K video downloader in the past, but doesn’t tend to use it.

Is a standalone desktop program.
Proprietary. I would be leery of it. If you prefer a graphical desktop program, your web browser itself is already equipped to help with this. Press F12 (Firefox) or Ctrl+Shift+I (Chromium) to reveal the browser debugger. Select the 'Network' tab. Open a youtube video (direct or through invidious) and look for the domain containing *.googlevideo.com to appear in the network logger. You can copy paste this link into another tab to watch directly or use the link to save the video.

Cleaning up all caps text.

With ConvertCase.
Unfortunately, going through a site like this gives a third party your activity data. Better to do locally with tr and sed:

echo "WILL FRANCE SUBMIT TO COVID TYRANNY - #NEWWORLDNEXTWEEK" | tr "[A-Z]" "[a-z]" | sed -e "s/\b\(.\)/\u\1/g"

The output gives us: Will France Submit To Covid Tyranny - #Newworldnextweek

Search engines selection.

Per the Presearch Solutions Watch, he has since adopted Presearch into the rotation of search engines, following the announcement by Weinberg that DuckDuckGo would begin deranking results on a political basis. I cannot find the specific Corbett Report podcast but I know he is aware of SearX although has never detailed his usage of the tool. Perhaps in a future episode?

Has mentioned he keeps data offline on detachable media.

Can’t get much better than this. Just keep copies. Ideally across at least three storage devices, comprised of different storage technologies and with one or some kept in geographically separate locations. Also known as the 3-2-1 rule. But let’s take a look at some of those research folders:

Interesting, I would love to peek into Kakistocracy, or Environment, or really any one of those!

OS and hardware.

Sadly, evidenced by the screen shares and also the iMac that has been on that desk for years, he uses CrApple gear.
I'll concede the James has never *recommended* such iThings, although his usage of them could be misconstrued as an endoresment. Activists and independent researchers of all kinds should hold concern over the digital foundations on which they rely. And in the extremely unlikely event that this critique ever falls in front of the eyes of the man himself, I would like to advocate a few suggestions. Migrate away from a proprietary vendor known for hidden (and open) backdoors and a history of survielling escapades. [1] [2] [3]

Instead, consider expanding your usage of liberated software to also include your operating system, and perhaps even your device firmware. Maybe keep the hardware, if you have a penchant for their particular design, but flash libreboot or coreboot over the vendor's BIOS. Or consider similar, but liberated hardware which already has such free firmware. For OSes, I would recommend any flavor of Linux which does not include proprietary software by default. Whichever spin of Linux you find suitable, know that the GNOME desktop environment layout is very similar to that of Mac OS's and should feel right at home.

It is admirable to craft such great work ringing the alarm bells to the incoming technocratic cyber police state, but the message does tend to get undermined when one continues to do so while using the very same police state wares which help to fuel technocracy itself.

Overall score: 8/10

Libre Mapping and GPS Navigation

Mon, 06 Mar 2023 12:58:53 -0500

Some express grievance over needing SIM cards, phones and Google to navigate in unfamiliar places, but it doesn’t need to be this way. First of all, Google is not necessary to have access to detailed maps. Please check out Open Street Map. OSM data has been integrated into various other products and services, although it can be used directly for your own personal use case.

One great application which makes use of Open Street Map is Marble, which can functionally replace the spyware known as Google Earth. Marble also contains maps for temperature, precipitation and other useful formats. But let’s assume you want an anonymous “Google Earth”. Install Marble from whichever repository you use. For me, it is named marble-qt.

Open Marble, go to Settings > Configure Marble > Cache & Proxy:

Set Hard disc to Unlimited. This will save every map chunk that you look at so that the next time you view that area your computer does not need to reach out over a network to acquire data.

Then, assuming you already have the tor package installed and setup, set Proxy to:
Proxy: 127.0.0.1
Port: 9050
Proxy type: Socks5

Now your Marble will grab map data anonymously. It will load a little more slowly but remember that the next time you revisit that map area, it will be loaded instantly from your hard drive cache. No internet required.

I would also recommend changing the GPS coordinate format to Degree (Decimal) under Settings > Configure Marble > View > Angle. This seems to be the most widely used GPS coordinate type. That way you can right click anywhere on the map, copy coordinates and then plug them into your D.I.Y. GPS (which we will setup below).

Next, we want to prepare GPS functionality for your laptop or tablet. Acquire a USB GPS transceiver. They go for very cheap and do not require any service, payment, accounts or personal information to function. Just power and serial over a USB port. DYOR on which ones are most compatible with Linux and/or most performant.

Install the gpsd packages gpsd and gpsd-clients.

With the transceiver plugged in, list devices to make sure it shows up.

ls /dev

It should appear as something like “/dev/ttyUSB0 ”.

Depending on the model you bought, you may or may not have to change the output to NMEA for gpsd to read:

gpsctl -f -n /dev/ttyUSB0

Edit the gpsd configuration at /etc/default/gpsd and set:

DEVICES=”ttyUSB0”
START_DAEMON=”true”
GFSD_OPTIONS=”-n”

systemctl daemon-reload
systemctl restart gpsd

You can verify that it is up and running through gpsmon. There is usually enough signal to determine location once it has four or more satellites listed in the bottom left table with good signal, S/N.

When you revisit Marble there should now be an arrow indicator to show your location and heading. If not, Position Tracking through gpsd is configurable through Marble’s Location tab in the dropdown.

Lastly, one may want to take this GPS on the road. We can use Navit for this. Install Navit and the voice synthesizer Espeak.

Next, download OSM map data to use in Navit. This can be done through Marble (File > Download Region) or the site at Navit Project, although the site is not HTTPS encrypted.

Copy the default Navit config into place:

cp /etc/navit/navit.xml .navit/

And edit .navit/navit.xml to point to the map you just downloaded. The line can easily be found by searching for “binfile”. Append the line:

<map type=”binfile” enabled=”yes” data=”/path/to/map.bin”/>

You may need to disable surrounding mapsets since they default to enable="yes" out-of-the-box.

Also change the uncommented speech line to enable voice navigation:

<speech type="cmdline" data="espeak -s 150 %s" cps="15"/>

Now when you launch Navit, it should already be configured to source gpsd for location. It takes inspiration from commercial automotive GPS devices with things like routing, points of interest, vehicle type, avoid toll roads, etc. I recommend driving around a bit somewhere familiar at home to make sure everything is working before taking it into uncharted territory.

The best part: No definitive device association that can easily be tied back to you (especially if you can pay for the transceiver in cash or crypto). And when you’re done, you can physically disconnect the GPS. This is not just me spitballing concepts at anyone. I have personally used such a setup for several years now. It has enabled me to travel for work, and to better navigate foreign countries while still novice in their languages. All without relying on any commercial garbage that would have subjected me to tracking, paywalls and data harvesting.

Techtubers Who Cry About Their Own Captivity

Sun, 26 Feb 2023 17:20:39 -0500

After receiving unwanted flack from astute critics, an only-partially awake tech normie had recorded a diatribe lamenting how he just has no choice, woe is me, but to continue to use software which continues to dictate his operations. Jody Bruchon’s rationalizations boil down to strained analogies, bargaining (the third stage of grief), false equivalencies and self-guided assertions. The text is pulled from the video transcription, but the video itself can be found here if you’re looking for a good laugh.

In the comment section on my windows 11 must be stopped video i had a lot of comments from people saying that i didn’t have to agree to the windows license agreement ‘yeah, you don’t own windows it’s licensed to you and you can have that license revoked at any time by microsoft but hey man you agreed to it’. Well let me use an analogy that might illustrate the problem with this. If i offer you a hamburger or a hot dog you get to choose between eating a hamburger or eating a hot dog and you make your choice and you eat the food of your choice and that’s the end of it. If i offer you a hamburger and a hot dog but if you pick hot dog i tell you that you’ll get shot in the face well now your hot dog comes with a free execution. So what are you going to pick? Technically you have a choice you can choose hot dog and then be shot in the face and die but that’s not really a choice is it? Yes it’s a technical choice but it’s not a choice if you want to continue to survive and exist and be a living human being. In much the same way software terms of service licensing the whole ‘you are licensed not sold’ the fact that there’s no legal ownership of the copy of the software that you don’t own what you pay for well, you can choose not to agree to these terms much like you can choose not to agree to the click wrap agreement on adobe premiere pro or whatever but when you make that choice when you choose not to accept the license agreement you also don’t get to use that software.

Already he frames the decision to reject proprietary software as though it is death itself. If you made it far enough to be presented with a EULA prompt, the situation has already been preceded by a long chain of poor decisions. In reality, exclusivity is weaponized by monopolists to increase the costs of refusal. By caving and going along, you’re only fueling their desired snowball effect.

And a hamburger-hotdog dichotomy isn’t entirely fair. Choosing to use libre technology is more like eating vegetables sourced from a community garden. While the nonfree cattle elect to bloat themselves on the aforementioned street vendor food.

So what happens if you choose not to use windows? Well we’re going to assume that mac os is the same because the truth is mac os and windows the license agreements have very similar provisions. It’s licensed not sold the you don’t own your copy we can pull your license blah blah blah. So both of them have equally onerous terms of service or license agreements or whatever you want to call them. So linux would be your only other option. So what happens if you pick instead of windows or mac os? You go linux and you refuse to accept the windows license agreement. No quickbooks. No adobe premiere. No adobe illustrator. No adobe photoshop. These are major pro applications that you can’t use. Oh wait did you say microsoft office? No microsoft office. You have libreoffice. But guess what? It’s not compatible with microsoft office. Guess what else is a problem? Outlook. No access to outlook in office? Well people who use outlook might be sending an outlook rich text format and you’ll have to go find a thing in thunderbird to work around it and all that. This is a more general problem with ‘well you could have just chosen not to use windows and to use linux’. That’s fine and great but an operating system and a cluster of programs that come with it do not make a complete system. The problem is the application environment. The applications that you use are the most important thing on your system.

He conflates terms of service with whether or not an operating system is proprietary. No, the fact that the terms can be so egregious is enabled precisely because Windows and Mac are both nonfree. Here, he also lists out his anchor software, almost entirely consisting of Adobe and Microsoft prisonware. Stop saving your documents in proprietary formats. Advise your mail sender that they’ve erroneously sent their message in a specialized format which isn’t universally readable by everyone (how often does one even receive richtext mail?). What are you even doing in Illustrator that can’t be done in GIMP?

Now granted firefox and chrome you can get those for linux all day long you can get all kinds of web browsers. But web browsers are not what people who actually have to get real work done need to use. If you want a good video editor, if you want a professional grade video editor or audio editor or digital audio workstation, you’re not going to get those on linux. There are none. At least not that i am aware of. I am aware of many products on linux. The live’s video editing system. The uh caden live open shot. Yes, these are video editors but guess what i’ve tried them all they’re not very good.

I have seen nothing in your videos to suggest that you need any of the secret sauce capabilities of the aforementioned proprietary editors. In fact, your format could totally be handled by filming your rant and then splicing the bits together with ffmpeg (in terminal, like gigachad does). The entire notion that web videos need to be elaborately edited is a recent phenomenon to appease short attention spans and centralized video host algorithms.

A lot of them are imovie level. Lives looked like oh hey wow a non-linear editor that looks like maybe it might be more on par with permit. It’s not. Light works oh my god don’t even get me started on light works and light works. They did the whole open source thing but then they sort of backed away and became difficult and frankly i found light works to be very difficult to work with. If you want to edit video your options pretty much boil down to final cut pro 10 or adobe premiere pro. There’s also davinci resolve but i don’t think that’s available for linux either i haven’t looked.

In the video, he does later look to find that it has been released for Linuxes, but electing to use this would only prolongue the issue by failing to attack the source of the problem.

There are a few programs but they’re all mac os and windows so yeah you’re right i could just agree to not say yes to the license agreement that’s fine. I have that choice but guess what? I’m locked out of all these proprietary applications that are actually the only good solutions to get professional work done in certain fields. I’m also locked out of certain applications that are only made for windows and not for linux and that don’t run under wine. So while this choice exists you’re also talking about the video you’re watching right now potentially not being possible. I think k.rita or creta however you want to pronounce it may be one of the most professional looking replacements that you can get but is not photoshop. Creda is not photoshop or illustrator. You know inkscape is not illustrator. At all. There’s just all kinds of things that are missing from these open source solutions and until they catch up, if they ever catch up, they’re not going to be suitable replacements. You lock yourself out of professional software. You can’t do that professional work and this is the bigger problem. you can’t run premiere pro on wine. You can’t run a lot of things that are professional. Online quickbooks. Not online? Guess what the standard is for accounting for corporate accounting. It’s quickbooks that’s the standard that is the accounting package that the vast majority of businesses use. Oh oh you want to use sage 50 previously known as peachtree instead of quickbooks? Guess what you’re not going to get that to work on wine either. That’s a squirrely piece of software by the way. There’s all kinds of stuff that doesn’t work right under a linux system and i hate hate hate hate to say this but it’s the biggest problem with linux. It’s not that linux itself is some kind of terrible system. it’s great. there are a lot of wonderful things about open source software in linux but if you need premiere pro or final cut pro you can’t use linux.

Slave to your software. It’s not that you lock yourself out of such software, but they lock you out by refusing to free their source or otherwise make the program available on other environments. This idea that free software just “needs to catch up” is fallacious thinking insinuating that it is somehow “behind”. If you keep thinking like that, you might just end up like this guy.

And if you do you have to have another machine that runs that proprietary os lying around to run it on anyway or run it in a virtual machine well guess what? You ever try to edit video you know you need a lot of hardware acceleration for that garbage now you know that encoding is an extremely intensive process right? Emulating or virtualizing video editing is a disaster and you’re still running the proprietary os under the virtual machine. It’s not a viable option. I don’t know what else to say. The people that are saying it’s a choice that you can choose not to run windows well yes, but you can also choose not to run software that runs on windows. You can choose to not be a part of the environment that the vast majority of computers use and interface with. You can also choose to live in a cabin in the woods.

Oh, one sure can heh

But you won’t have internet or telephone or electricity that isn’t solar. You can choose to live in the middle of nowhere and have no infrastructure and be disconnected from society and guess what? It’ll be really hard to participate in society.

Oh no, what to do without soyciety?!

You can choose not to have a smartphone.

Also yes lol

But as you choose not to have a smartphone guess what? As everybody has standardized on text messaging as it’s now become to the point where you have to have a smartphone to set up two-factor authentication just to get an account on a website nowadays.

This is a clear sign that the websites you use are shit. Stop using shit websites and the problem goes away.

That everything assumes you have a smartphone or a cell phone that can do text messaging at a minimum and that you always have access to that and you totally won’t ever lose access to your own phone number, what are you going to do if you don’t have a smartphone? Guess what it’s going to be awful hard to set up a gmail account.

Why would anyone do a foolish thing like that?

If google demands that you provide a cell phone number it’s going to be awful hard to set up facebook or twitter, any modern social media account if google requires. Or facebook requires or whoever requires that you provide a telephone number.

You’re seriously crying about not being able to access FBIbook and Twitter? You need to move past that. Let me help you find your way to the fediverse 🠲

In addition to just feeding them an email address you can’t live without a smartphone today without cutting yourself off from a huge chunk of society. Much the same way you can run linux instead of windows.

Calling and texting are both possible without using any kind of proprietary software or even a physical slavephone at all. I have written about this on numerous occasions.

But you’re cutting yourself off from that professional software that is only available on windows or mac os. The point is you don’t necessarily always have a choice if you run proprietary operating systems. You gain access to the software that runs on top of them. But if you don’t you’re cut off. And if your job or just any way that you make money or get things done requires that, proprietary software you don’t really have a choice do you? Every day that you operate with linux only guess what? You can’t make money you can’t do those tasks.

You seriously use your personal devices for work? Strict separation of private and professional digital life is like opsec 101, come on, guy. Also, it is possible and even preferable to make money outside of the proprietary technology industry. You should try it some time. Your occupation doesn’t have to be your identity.

You might have a substitute that is unfortunately somewhat incompatible or inferior in some way or many ways but you don’t have that gold standard software. It’s a major problem it needs to be dealt with. I don’t have the answers for this. I think however and what i would propose is that someone needs to foster some kind of an open source foundation of some sort of non-profit and get everyone else on board to feed some money into that so they can hire programmers to write and work on professional replacements for these software packages. If there really is enough interest in free and open source software that we want to get away from windows and mac os and move towards linux, bsd, whatever maybe what we need is some kind of a corporate structure that can take donations, and enough people that support open source to pool their money into that and support actually replacing premiere pro and illustrator and quickbooks and these other pro applications that don’t work anywhere else, to replace them with a suitable open source easily available, cross-compilable, forkable, updatable you know serviceable long after the original developers are dead piece of software for open source stuff. And you know what? If it gets to that point i know i only have like 6,000 subscribers, i say only but it was like 1,400 two weeks ago, but if it gets to that point if enough people are behind me on this i would be willing to go through all of the pain and struggle that it takes to set up such a business entity.

No, please, the last thing libre software needs are more corporate interests mucking things up. All that so that you don’t have to relearn how to edit video or track your finances? The solutions are already out there but they just don’t have the infantalized buttons and GUI layouts that you’re clutching so hard to.

The biggest problem is that if you set up a business entity like this you, can’t really accept any kind of outside investment that comes with conditions because open source software you let it all go for free. You are giving the product away. You are literally getting money from other people to not charge money for the product which is a funny thing to think about. But that’s the only realistic solution. You need an actual corporation that professionally develops professional software and focuses on that and only that. What we have right now is all these other software packages that just have people who do it in their spare time or people that have devoted a significant amount of their time but one developer cannot write a premier pro. One developer cannot write a quickbooks. Although you can write.sql ledger which requires installation on a web server so that’s immediately out. For the vast majority of normal users this is not going to work. Anyway, I’m rambling. Bottom line is that sometimes you don’t have a choice. Sometimes you have to use proprietary software and operating systems. No, sometimes you don’t get the option to say no to that licensing agreement. Because you know what? At the end of the day somebody somewhere has to pay your bills, otherwise you don’t survive. And what do you do then? Take this house out of here. Take this camera away. Take away the electricity. And the water. And the trash and the sewer and all that. Take the car. Guess what? You’re not watching this video, you’re not hearing me speak and i can’t help you.

Lots of misconceptions here about how much of household name free software is developed, by whom and the ways that some do successfully monetize their efforts (Hint: it’s not selling the end product, but the services surrounding it). And TIL: People who exclusively use free software can’t view this video like I just did?

The whole thing comes across as though Jody is stuck in a rut, unwilling to learn new tools, as he can feel the constrictions of the walled garden continue to clasp down around him, but not understand why. Only a person still enslaved to Windows would take the time to make video rants about how Windows 11 is “ruining” Windows, as though it wasn’t already terrible. And, in a similar vein, only a person still enslaved to nonfree applications would take the time to make a video decrying the solutions for not being similar enough.

GooTube and other video sites, but especially GooTube, are littered with channels like his. Where the uploader will cry about how his proprietary software is mistreating him or that the next version is intruducing some new malicious antifeature (say it isn’t so!). Or how to “defang” Mac or Windows or Chrome or whichever other terrible vice they find themselves chained to. A word of wisdom to all of you burgeoning techtubers; you don’t “fix” an abuser, you leave them.

Possessive Language and Spellcasting on the Mind

Wed, 15 Feb 2023 11:45:41 -0500

A threshold was crossed once the opinion moulding echelons had succeeded in getting the public to begin referring to “a mask” as “my mask” and “the shots” as “your/my shots”. It’s the same trick pulled as when using “we” when describing an event in order to subtly involve the audience into the hypothetical group. They are not “your” injections. They are the injections sold, using stolen money, to the largest mafia in your geographical area who then try to force the product onto you. So if you want to help push back against this psychopathy, please consider avoiding their possessive terminology. Otherwise you’re participating in the charade just as the opinion moulders desire.

Using their own terminology, whether they had been crafted or commandeered, is also fraught with harm. “jabs”, “quarantine”, “immuno-comprimised”, etc. They are all selected to evoke a certain attitude surrounding these subjects. This linguistic play is not limited to the scamdemic either. Consider “alternative platform”, “ecosystem”, “Digital Rights Management” (Sure, if you like being managed and monetized, then you’ll love DRM!). The wording is carefully selected to frame any argument favorabily toward the various deceptions.

Or when the name of a thing itself represents particular interests. Genericized trademarks also help to solidify incumbent monopolies. Once a branded name becomes the widely used discription of a new class of item, there is basically no chance to later correct the new misnomer. For example, how “Ipad” has come to mean “Tablet” or “Google it” has come to mean “look it up”. It is no wonder nobody can think straight about these topics. They’ve already been using the manipulator’s newspeak without even realizing it.

The purpose of Newspeak was not only to provide a medium of expression for the world-view and mental habits proper to the devotees of Ingsoc, but to make all other modes of thought impossible.

Voat as a Cautionary Tale

Sat, 11 Feb 2023 09:27:16 -0500

In 2014 Voat became a destination of migration for groups who found themselves banished from REEddit. It was superior in a number of ways including a point rationing system to reduce vote induced groupthink, being open sourced (at a time when REEddit, which began as OSS, started closing their code up). It had better visibility and engagement with posts by virtue of having a smaller userbase, an open stance against censorship by the administrators (Atko, PuttItOut), and was self/community financed as opposed to REEddit’s shareholders, Conde Nast. At first, it was a diverse crowd. There were techies, there were health buffs, there were race realists and other outcasts.

But as an increasing number of refugees flooded the site, the culture, as well as the server capacity itself, fell under strain. Goats once cherished a hazing tradition to thin the incoming crowds while retaining the thick skinned cream of the crop. But even this wasn’t enough to stem the tides. And the proportion of those who held tunnel vision focus exclusively on judaism and race had reached a critical mass which in turn drove away some of those technologists and other demographics. The tone of the site began transforming primarily into their domain of subject matter. By 2017, financial woes befell Voat and Atko stepped down. They ultimately shut down in 2020 after exhausting the remaining funds.

In the time since Voat essentially became home to a singular political ideology, it it had become unrecognizable to the Voat of 2014. This is an issue looming over all “refuge” sites. They become known as “that place for X political tribe”, and then subject to all of the usual attacks which follow. Voat is now back up in an unofficial capacity with a much smaller userbase and only questionably in the spirit of old Voat. Sadly, they use cuckflare, and anyways I am long since done with any link aggregator sites. It is just completely inferior to building your own RSS feed and leaving discussion to the federated web or forums proper.

The Voat experience, for me, was a glimpse into the lifecycle of alt sites and the forces which drive them to eventual ruin. Centralizing communities all into one place and relying on the good will of a benevolent overlord is a recipe for failure. Even when the administration is principled and the space started in good faith. I’ll consider Voat’s rise and fall a tale of caution for those who still think in terms of platforms.

The Coming Cyber Dystopia Only Appears Farfetched

Tue, 07 Feb 2023 12:33:08 -0500

The average user, if you can believe, continues to decline in their capacity to understand how to use the technology they find in their hands. It was once thought that this was an age thing and that newer demographics would take to digital tech with excellence, a failed prediction which I take a look at in Refuting Computer Literacy. Here are some of the factors which I blame for this decline:

The emergence of voice assistants
Everything is now obscured from end users
“The Internet” is a shrinking collection of mega disservices
The de facto passport of the internet is being switched from email (federated freedom) to phone numbers (centralized tracking dystopia)
The imposition of the “let us do everything for you” attitude which permeates the industry. “You don’t need to know how that works, let us handle it.” hand rubbing intensifies
Everything happens in-cloud rather than on client devices
There are people coming of age today who do not know what the net (or tech in general) was like before its mass corporatization

I was recently illustrating some connectivity options to a curious Gen Z Joe Public, and they seemed to envision bandwidth demand in terms of the number of devices on the network without any consideration as to what those are being used for, the type of traffic or how often. Even the fact that a not-in-use device shouldn’t be sending/receiving much traffic at all was received as a mythical impossibility. Also present was their complete failure to understand the difference between latency and bandwidth.

“Digital Natives” are not what we were told they would be

As accessibility hand-holding increases, so too does the active pool of people who were never going to learn properly anyways. Reaching the lowest common denominator isn’t really anything new. If you’re reading these posts you likely also felt that rapid shift around 2008-2010 when mobile shartphones began enabling the masses of cattle to occupy the web en masse. And where there are masses, there is a market, in follow the corporations and their own particular brand of cancer.

Today the average, dominant portion of users are helpless if “their” device doesn’t offer them colorful Little Tykes buttons to carry out prescribed tasks. No recourse is offered to explore more deeply into a functionality or to think outside the box when tackling a problem. Their entire mode of operation is within the confines of whether big daddy CrApple/MS/Goolag will graciously allow them to. Often the processing is outsourced in some way to $BIG_COMPANY. Just cut their internet and watch them flail like a fish starving for oxygen.

At this rate, what could the future of the internet (and tech) look like?

One Horrific View of the Future

Everything that one must do is moderated through a phone. There are no other form factors, they have been criminalized as “contraband electronics”. It is all, to the maximum extent possible, subscription based. Not only that, but these subscription SaaSS are made mandatory through their centrality to civic function. Need a building permit? I hope you have a phone and all of the prerequisite proprietary apps + network connectivity + subscriptions + digital ID… or want a marriage license, permission to travel, permission to buy certain foods? You’d better be using that Fedcoin. The fondle slab itself might resemble a brightly colored children’s toy. The icons colorfully cutified with infantilizing animated emblems - Entertainment, games, streaming, porn, lots of porn “apps”, social conditioning media. Perhaps an anthropomorphic mascot that tells you whether you’re allowed to leave your house today.

Anyone detected out in public without a shartphone (or in possession of a contraband device) will be apprehended and points deducted from their CBDC social score. “Hey Google, I am ready to issue my public apology to the governance!” to which you might hear “Return to within range of cellular signal or local law enforcement will be dispatched”. If it sounds ridiculous to us now, just consider how outlandish what we have to endure today might have seemed only a few years prior.

Roots of War, Barnet On Technocracy And Government Power

Wed, 01 Feb 2023 15:52:18 -0500

Richard Barnet was covering topics such as government monopolies on violence and technocracy decades before those terms would ever come into the forefront of today’s discourse. In his book, Roots of War, he wastes no time diving straight into the state’s monopoly on crime. While parsing through it, I had to keep reminding myself that the piece was originally published in 1972!

Individuals get medals, promotions, and honors by committing the same acts for the state for which they would be hanged or imprisoned in any other circumstance.

Barnet’s writing is not specifically through the lense of liberterianism, but it bleeds through in his choice of language while divulging about the motivations and psychology of those within the national security managerial class and the business partners who collaborate with them. He also covers the machinations involved in swaying public opinion. Below are some excerpts I found worth highlighting (in the order they appear throughout the book).

p. 38

The constitutional historian Edward Corwin has noted that each war the United States has fought has increased the power of the executive and speeded the centralization of the government. This is a process in which Lewis Mumford finds repeated throughout history. Centralized, bureaucratic government, or what he calls the Megamachine, is both the product and the cause of war.

p. 43, bottom

The mobilization of social science had an even more profound effect on the university. During the war government discovered that social scientists could be useful, particularly in the areas of testing opinion manipulation, and propaganda. Social scientists, organized by anthropologists such as Margaret Mead and Clyde Kluckhohn, flattered that the academic interests they had been pursuing for poor pay and with scant attention should now be deemed relevant to universal political questions, flocked to Washington to become “problem-solvers” for the government. In the process new techniques of analysis such as operations analysis, systems analysis, and game theory were refined.

p. 51

The slowness of social adaptation in the midst of rapid technological change poses one of the most serious threats to civilization. This is a problem inherent in government and indeed in all of human organization. The time-consuming process of education and experience people must go through to become capable of making judgements carries them into a strange new world in which the lessons are already obsolete. To a certain extent, conceptual lag is inherent in the human condition, but ~ it is positively courted in the national security bureaucracy.

p. 58

But the real client was the state, and most managers, when they came to weigh the risks and make high policy, left the hopes, fears, failures, and suffering of the nonelect out of the balance. The notion that the pursuit of foreign policy could have subtle, lasting effects on what was discovered in the late 1960’s as “the quality of life” in America, was utterly foreign to them.

He goes on to detail how the parasites carry themselves in complete detachment from the suffering they cause.

The national security managers as a class have not had the training or incentive to develop understanding, compassion or empathy for people in different circumstances from their own.

p. 74

Rostow had the optimism and the naivete and the nerve to visualize the denouement of the American Century. It was to be the technocrat’s peace. Vietnam was Armageddon. The communist scavenger would slink back into the night, defeated, and the American elect would proceed to organize the peace through technology. [The anticipated outcome by the parasite class]

p. 123

Each service embellishes “the threat” to serve its bureaucratic interests. The Office of Naval Intelligence is especially good at finding extra Soviet ships which Air Force intelligence always manages to miss. There are tens of thousands of mysterious objects in the Soviet Union which the Army is convinced are tanks but which any Air Force intelligence officer knows are really airplanes.

Where else have we seen “the threat” being embellished? Hmm…

p. 126

Yet the “conspiracy” concept does not fit the facts, because conspiracy, for the layman if not for the lawyer, implies some consciousness of guilt. Conspirators, according to popular understanding of the term, are men who plot to commit acts they know to be wrong. Here is the crux of the problem. The men who were ready in the Cuban missile crisis to risk civilization for prestige, for what Dean Acheson calls “the shadow of power”, and to destroy Indochina to save America’s reputation for toughness, to lie and kill on a grand scale, all believed that they were doing right, that, indeed, they were acting under duty. It is impossible to understand how dangerous the structures of the national security bureaucracy are without also understanding the system of absolution that operate within those structures. … Any organization that devotes so much of its resources to propaganda is bound to fall victim to a certain amount itself. Many of the statements on Vietnam, for example, were analogous to the kind of advertising claims which Jules Henry has dubbed “pecuniary pseudo-truth”.

On the next page, he describes a propagandistic concept of “atmospherics”.

One of the clearest analyses of pseudo-truth in the national security establishment came in the form of testimony by Air Force Secretary Harold Brown. Defending his budget request for a new bomber before a Congressional committee by claiming the Soviets were probably building one of their own, he observed: “The Air Foce view is at least as much a view that ’they ought to have one’ as it is ’they will have one.’” The repeated public claims in the Vietnam War that victory was around the corner were of this character. The claims were contradicted by all available intelligence and where sufficiently at odds with public reporting that no reasonably informed citizen could swallow them. They were meant to be taken literally no more than the claim that Seven Crown whisky “holds within its icy depths a world of summertime.” They were part of what national security managers like to call “atmospherics,” official expressions of confidence designed to pep up the public.

Want to live peacefully? Consider moving to a country which has just been defeated in wartime: p. 161

The American Supreme Commander in Germany was directed to proceed with denazification, disarmament, and decartelization. The Potsdam agreements between the Western Allies and the Soviet Union provided for the elimination of Germany’s war potential, decentralization of the economy, and drastic reduction of heavy industry. (Bold mine)

When people ask “Who is at the top of the pyramid, you crazy conspiracy loon?”, this does justice to the nuance involved in the inevitable non-answer: p. 178

These questions are complicated by a certain unavoidable lack of precision in the meaning of power. It is hard to be precise about the locus of power in a system as complex as the national security partnership. Power is an elusive notion meaning different things in different contexts. For one thing, it is not the same as influence. To say that David Rockefeller can always be heard on the American foreign policy toward Latin America or South Africa is not quite the same thing as saying he sets the policy. To say that John Foster Dulles was once a lawyer for the United Fruit Company does not mean that he was taking orders from the company when he authorized the CIA rescue operation of United Fruit properties in Guatemala. It is surely worth noting, but it does not dispose of the case.

p. 237

The supreme value persued by the new breed of corporate managers is efficiency. This is an improvement, to be sure, over glory, machismo, and the excitement of winning, which, it will be recalled, are so important to the national security managers. For those who can make a contribution to the rationalized world economy there will be rewards. But the stark truth is that more than half of the population of the world is literally useless to the managers of the multinational corporation and their counterparts in the Soviet and Chinese state enterprises, even as customers.

“Educating” the public is just code for deception. p. 242

The national security managers, as the Pentagon papers make clear, constantly talk to one another about the need to “educate” the public. In many cases this word, with all its noble traditions, is merely a euphamism for outright deception; in others, “education” is a code word for more subtle propaganda, the reinforcement of sterotypes, the stimulation of fears, and the queiting of disturbing doubts.

p. 246

There are only two ways to get sustained public attention and concern on foreign policy issues. The first is to dramatize a crisis and the second is to link the national security issue to democratic issues.

p. 247

Political scientists pictured the public as a sleeping beast that must be frightened into supporting foreign policies it could never understand, but which, once aroused, was extraordinarily fierce. For example, as Professor Thomas E. Bailey put it, “The more ignorant the citizen, the more bellicose and jingoistic…” Yet, as we shall see, the national security managers talking to one another worry far more about the latent pacifism and isolationism of the public than about its jingoism.

Page 270 reveals insight on their justifications for exaggeration of narratives and scare tactics as “necessary” instruments of policy. I won’t quote the whole section, in part to avoid making this a wall of text, but also to encourage one to seek out material from Roots of War.

The importance of blood sacrifice to psychopatic rulers is not just a meme. p. 280

The most effective device for instilling unitial public support for an American war is to shed American blood in small quantities. In the early planning documents on the escalation of the Vietnam War, John T. McNaughton and others used to talk about the symbolic importance of an American blood sacrifice. Not only was it necessary to risk losing your own citizens to convince the enemy of America’s “will and determination”, it was necessary to “spill American blood” to commit the American people. Canettie obeserves that the blood sacrifice is an essential ritual to any war: ‘Rulers who want to unleash war know very well that they must procure or invent a first victim. It need not be anyone of particular importance, and can be someone quite unknown. Nothing matters except his death; and it must be believed that the enemy is responsible for this. Every possible cause of his death is suppressed except one: his membership of the group to which one belongs oneself.’

The above most assuredly gets me thinking back to those days following September the 11th 2001. Anyone else?

The following page (281) delivers some further insight on propagandistic tools. Barnet highlights the importance that both fear and guilt play in pursuit of moulding public opinion. “Standing by our friends” and “Honoring our commitments” have been favorite tools of propagandists pulling these particular levers.

The real meat and potatos starts around page 290. If nothing else, at least read this portion onward if you ever find yourself in possession of a copy of Roots of War. Believe it or not, the book closes off on a positive note envisioning a society restructered in such a way that does not reward the managerial classes for acts of evil.

Vlogging and Self-Doxxing

Sat, 28 Jan 2023 08:57:37 -0500

Using an alias and keeping secret the whereabouts of one’s property are a good start for anyone putting themselves out there in the name of truth, however please respect that opsec needs only a single slip up in order to be compromised. Let’s take a look at how easily an adversary can pinpoint an individual. This example vlogger (who will remain unnamed) shares content about his hobby vehicle, which we will use as the first point of data. Mistake #1 he films this video from his place of residence. Mistake #2, he has openly shared his town of residence in previous videos. Pay attention to the house color and the nearby homes.

The leaks occur across several videos which accumulate into quite a bit of information.

In this frame the camera pans up, only for a moment, to reveal that his property borders a waterside road. Note the fuel tank tower in the background.

After identifying a few tank towers in the region, we are able to discern the exact tower by referencing photography from the municipality.

Road positioning and landmark distance lines up correctly on a satellite map.

The home across the street, seen earlier.

The location in question.

How can this be mitigated? Well, it can’t really. But try to film your talks out away from your residence, preferably out in nature. Minimize filming upward toward the sky (contrails can map to flightpath info) or filming signage of any nearby roads or trails. Wait a number of days before uploading and do not share your location, or at least salt your data by lying about where you are. Also consider flipping your videos left/right, selectively obscuring any landmarks before final render, or suppressing ambient background audio which could be unique to your area.

I’ve found that some vloggers attempt to blur sensitive things like signage in an effort to conceal where they are. Although this may not be sufficient. If you ever want to censor out a portion of image or video to conceal some private information, do so with an opaque black box a.k.a. censor bar. Using a gaussian type blur is insufficient and can technically be reversed.

Showing one’s own face (and place) on video can be thought of as a compromise which sacrifices relative anonymity in exchange for recognizability, and perhaps closeness with one’s audience. If you’re goal is to become a publicly recognized figure, then I suppose the only thing left to conceal is where you live. All else becomes nil.

Selecting Decent Computer Hardware

Sat, 21 Jan 2023 09:54:29 -0500

Without accounting for level of technical aptitude, and assuming one seeks security as in security from corporate or dragnet state surveillance, there may be a few hardware options out there.

Desktops:

Assemble a workstation using boards flashed with liberated firmware, or pre-flashed from a company that will do it for you., [1]

Assemble a workstation using boards flashed with (mostly) liberated firmware, or preassembled from a company that will do it for you.

System76 purportedly uses their own spin of the somewhat-free firmware above in their more modern desktops.

Or sidestep the issue of x86 insecurity and backdoors by pursuing something like Raptor’s Power9 workstations, either preassembled or build it yourself. Or with SiFive’s Unmatched boards, which use RISC-V CPUs.

Laptops:

Libreboot free firmware Lenovos, [1]. Or flash your own.

Coreboot open firmware laptops, [1] Or flash your own.

The folks at Pine64 seem to be doing some good work with ARM based laptops. Although I’m not so familiar with these.

I place so much emphasis on trusted or open hardware and firmware because these things form the foundation of any system and if either cannot be trusted or owner-controlled then it doesn’t much matter what software is installed on top of them. Many newer computers have literal backdoor hardware rootkits embedded which I regularly point out in online discussions, since that is the type of hardware that will enable the new globalist order to build their panopticon internet.

To anyone who might have found the options overwhelming, I would like to simplify things through the power of analogy. How might these look in the context of aviation?

Normal computers (and the people who find themselves using them):

The real pilot is hidden away behind those locked flight deck doors.

Older computers , without the backdoor circuitry (freed & modernized with custom firmware):

What’s old is new. [1] [2]

Modern computers , reverse engineered to “neuter” the backdoors (faster but varying rate of success):

Some improvements made to a stock design. [1] [2]

Exotic computers , designed from the ground up to keep the user in master control:

May require specialized knowledge to operate. [1] [2]

Rebuking Libertarians Who Use Nonfree Tech

Wed, 18 Jan 2023 13:44:52 -0500

If you’re a libertarian anarchist and you use proprietary technology then you might not be practicing what you preach. Also that’s very sad. Here’s a logic blockchain for you: You cannot be free if you can’t exercise free thought. You cannot exercise free thought if you don’t have privacy in which to explore ideas. And you cannot have privacy so long as you use proprietary malware.

Because a person’s digital device is essentially an extension of their own mind, if somebody else can manipulate that device, they can manipulate your mind. Quite simple. Basically nothing can be trusted to remain a secret when stored and handled by nonfree software. Crypto bros are often walking contradictions because of this reality. Imagine making efforts to secure your super secret crypto wallet, only to then pass that information through a black box like Windows? So much for that high entropy passphrase and that “anonymous” ownership lol.

I get it, nobody can be an expert in everything. But you would think there would be a greater intersection between the free libertarians and the free software movement. In fact, much of the free software space is occupied by communist trannies. What the hell happened? Is it being induced deliberately to keep the movement fractured? Do freedom seeking people just exhaust themselves while persuing the already massive tasks involved with leading a self-sustainable life? Regardless of the cause, we really need some more cross pollination between the two groups.

"Converting" People Is Not Increasing Adoption

Sun, 15 Jan 2023 10:54:38 -0500

If you are “helping” somebody, perhaps a friend or family member, by setting them up with Linux or some free software tool and leaving them to swim on their own, you may be doing more harm than good. I think of the proverb “Give a man a fish, and you feed him for a day. Teach a man to fish, and you feed him for a lifetime”. The recipient needs to first comprehend the value of liberated software. Otherwise, you can await the inevitable “Why isn’t my Netflix working? Gawd, this loonix thing sucks…”.

I have seen it happen several times. Sometimes with people whom I thought I was assisting, and also as an onlooker to the same folly. A computer novice is struggling with some program, and a resident Linux geek swoops in and offers to set up a superior tool. At first, things look great. The user is happy to have a functioning solution and the techie feels a sense of accomplishment, having marched the world one person closer to the glorious year of the Linux desktop!

And on and on and on...

All of that hard effort gets undone the moment the tech newbie encounters any kind of hiccup. They can’t install their favorite program. Or they can’t play their favorite game in the same way. Their peers harangue them with comments about “that weird computer thing they use”. Or documents or the layout look too different. It can be any little thing. Suddenly, that new tooling is the enemy and they feel they have been wronged.

So then what have you accomplished? You took somebody who formely had no opinion either way about Linux and software freedom and turned them into somebody who avidly despises it. Or at best, they’re now aware of it but forever have a bad taste in their mouth from the experience.

My advice is to avoid doing any software installation for anybody and give only guidance if they express very genuine interest in trying out Linux, BSD or free programs. And don’t do it for them! Just show them how to install an operating system. If the journey isn’t taken of their own volition, it will fail. Share with them why having digital sovereignty is important. Share the things it enables you to do.

And lastly, is adoption really important? Does it change anything fundamentally about the operating system you use? Do you really want a tsunami of normies flooding into the free operating system world (more than they already have)? Market share is a term of corporate philanthropaths who want only to monopolize. Since we in the hackersphere have little to no stake to be had in monopolization, it seems that chasing the eternal dragon of market share is an exercise in futile egoism.

Self Censorship Among The Freedom Movement

Thu, 12 Jan 2023 18:56:23 -0500

Whispering under one’s breath. Replacing words with codewords. Garbling certain terms. These are the behaviors of an obedient gigacuck. Some speakers are so hell bent on sissifying themselves for their masters in order to remain within centralized corporate playpens that they will seriously preempt censor mechanisms by modifying their own speech. As an onlooker, this is both frustrating and sad that those in the freedom movement try so hard to continue using blatantly censorious hosts.

Dude…

(For the record, I respect much of JP Sear’s musings) No, this is not “getting around the censors”. This is complying with their cause. Remember that making your side look ridiculous and unhinged is likely about as effective as censoring yourself anyway.

And people tend to overestimate the role that algorithms play in detecting unwanted subject matter. Often it is human intervention (by desk jockies who have to look busy for boss anyway) and they typically only intervene on works which have begun to achieve substantial reach on their platforms. One way that we can tell that humans are involved is the fact that thoughtcrime hidden beyond the wadsworth constant often goes unnoticed for some time. A program iterating over a transcript would be likely to rapidly find strings of unwanted language regardless of where its timestamp resides. This is why things like pirate streams, “gaming channels” and “makeup tutorials” can get away with more sensitive messaging. While I find these efforts creative, it is still capitulating to the adversary without addressing the root cause of the issue. It doesn’t matter if you think you’re reaching more normies. Limiting your own voice is still selling your soul.

If you still have a vestigial account on $CENTRALIZED_DISSERVICE, the best use of it, if any, is to make mockery of them and link out to your own spaces. Something like “Nanny state doesn’t want me telling you about what I have to share so I invite you to read/watch/follow me over at my site.” Especially stupid is to self censor when you publish the same works to any freer host simultaneously. Anyone reading or watching it there will see your attempts to infantilize the information and wonder why you even wasted the time to share it in a more liberated space.

Why There Are So Many Transexuals in Tech

Tue, 10 Jan 2023 19:04:59 -0500

This might be stating the obvious, but there is no doubt a disproportionately high number of transexuals (See: UNIX trannies) within the computer industry and hobbyist spaces. I can only offer hypothesis on why this is. It could be totally wrong, but having an inquisitive exchange is all but impossible when that demographic is so ready to blockade anybody who can see that the emperor isn’t wearing any clothes. Some observations:

Eroding contact with female peers and inceldom

This is particularly accentuated among the shy computer nerd demographic. Courtship is being centralized and it has left a ton of desperate young men in its wake. So the mentality for some sufferers appears to shift to becoming what one cannot have.

The coorelation between autism, computers and transexualism

Covered in Asymmetry of Digital Literacy Between The Political Divide, paragraph two. To recap, there is strong coorelation between autism and interest in computers. There is also strong coorelation between autism and dysphoria. Apply transitive property.

Anime, female avatars and video game character creators

Again, there are lots of lonely nerds among IT ranks. Some of their only (and first) exposure to positive female “attention” comes in the form of anime or pony cartoons. To them it doesn’t matter that it is fake. They go on to, somewhat understandably, become enamored. If you’re feeling brave, just have a look through some of the dialogues in their community spaces. For others, I suspect things get taken a bit further. These female characters take on the position of role models to be emulated. The thinking must go something like “They’re so happy and successful, if only I were more like her I could be too!”. Queue slippery slope.

And a rhetorical question: What does playing through a role playing game as the opposite sex do to the psychology of a developing mind?

Crossing of the wires which compel the male mind to find the female figure appealing

This one rides on the back of another stereotype based in reality being that computer nerds are shrimpy wimps or greasy fatasses. When one’s body proportions stand so far from the male ideal, it must become easier to rationalize and persue female proportions instead. I believe this is one of the basis for autogynephilia. A fetish in which a man experiences sexual arousal by the thought of being a woman.

Observational anecdotes

I have attended a fair few technology conferences. I have worked at several IT organizations. Each and every time there has be a significant population of those bearing the qualities described above (with varying degrees of expression). It is the reason why I have even pondered on the topic. I’m aware that my hypothesis is not fully developed and probably riddled with holes. Just spitballing.

I once had known a rather chill and professional dude who I surmise had succumbed to the anime pipeline. He made known his favorite show being 君に届け, or Kimi ni Todoke, among a few others which a quick search reveals are heavily geared toward a female audience. The current sociopolitical atmosphere likely had a catalyzing effect. In a matter of years began the surgeries and formal transition.

With so many autogynephiles trying to bend reality who also work and tinker in tech, it is no wonder that there has been such a strong push to control language and create “tolerant” environments online. The force feeding of totally unecessary CoCs (codes of censorship) into FOSS projects makes its true intentions known. I predict further decay as their reach grows deeper into existing projects, and given historical trends.

The Internet Was Better When It Was Just Nerds And Outcasts

Thu, 05 Jan 2023 19:10:21 -0500

It was during the age when everyone knew it unwise to share real names and information anywhere online. Some of the wisdom driven by overly anxious boomer parents while most was basic common sense precaution. Privacy by default. It was the internet I remember hopping onto multiplayer skirmishes or perusing forums back when they were populous enough that refreshing the page would always yield new topics and posts. Slinging insults was more of an expected greeting to anyone who hadn’t yet become a regular in a haunt. And everyone had thicker skin because of it.

Normies did have a presence, but it was the inverse of what we have today, with them being confined to a select few spaces while most of the web was wild and free (hostile to them). And the tables turned only because we failed to gatekeep. If the appearance of that term has riled some nerves consider that it might be because linguistic spellcasting had been done on gatekeeping. Somehow it attained a negative connotation. Accusations of gatekeeping are used by crybullies in order to shame communities into lowering their guard for entry.

The first failure came to pass when socialization became a fixture of the web (2.0). And I don’t mean socialization as in commingling with others, but the glossy faux corporate social which managed to infect also gaming around that same time. The idea that one must maintain a “presense”. Features that would always be online, and inform others when you were on and what you were up to. It arrived in the trojan horse of MySpace, which was innocent enough in its intentions, and later FBIbook. The whole thing has since devolved into an entire sphere which normies have since dubbed “social media”.

A tech normie, hard at work making technology worse for everyone. Note the thousand mile stare from watching hours of subscription amusement media.

This made the once scary web palatable to those with more fragile sensibilities. Once they had everyone trained up using the same identity across different sites (or even their real identity), then came the like buttons, the cannibalization of feeds and feed readers, and the salivating corporate interests seeking to tend their new flocks.

The second failure occurred when the web began getting turned into television 2.0 as the new place to consume video media. The popularization of video streaming increased accessibility of theatrical distractions to passive audiences, with Netflix accounting for a significant share of all internet traffic not too long after (and it’s much worse today!). It got to the point where there were even ruminations about ISPs prioritizing certain paid corporate client traffic as bundled packages, much like the cable television model.

The third and probably most significant gate to fall was in the introduction of the little tykes shiney buttoned brainlet slabs we call phones crystalizing at their “smart” formfactor. Now, any fool who has only platform literacy can sadly inhabit the once great spaces of the internet. I would pin this downfall at around the time mobile browser share first eclipsed major desktop browsers, so somewhere no later than 2013.

Now, as the dominant group, everything has bent to cater to the tech cattle. And this is why attempting to shame people over gatekeeping misses the whole point of filtering who can participate in something which requires as much careful consideration as do computers and the internet. People who gatekeep foresee the strain on resources or even their way of life that occurs when herd mentality gets to decide the standard for everyone.

It might only be a pipedream today, but I maintain that the only demographics that should be allowed anywhere near the internet are those who; can install, repair & upgrade computer software and hardware, who have at least a basic understanding of terminal and scripting, can distinguish between local processing and remote processing, and who are generally capable of configuring their own devices and networks - basically what “power users” should have been had the 1980s-1990s timeline of home computer use been allowed to flourish unabated.

Quality Access to Information

Mon, 02 Jan 2023 17:12:57 -0500

A scary thing is happening. Everyone is beginning to talk about it. It’s plastered all over the media. Discussions in your friend circles and familiar online spaces are being dominated by the new topic. You’ve seen it all before. Another media blitz. But how can you persevere through this new hysteria with your perception of reality intact? Here’s a look at ways one can ensure their access to information remains as uncorrupted as possible through the next big psyop.

Prefer primary sources always. Articles citing (or aping) other’s claims place them downstream from reality. Follow the information up the chain until you cannot go any further. You’ll find that many normie outlets simply rephrase or completely parrot upstream publications or witness accounts. And that’s not even taking into consideration scrapers and AI generated writings.

Avoid passively accepting aggregated news off of a feed, even if it is from your own crafted selection such as RSS feeds. Remain critical even of personalities you trust who gather and share topics. Their newsletters or video reports are no substitute for verifying claims through primary sources. For the real zombies out there, particularly avoid news “apps”, and commercial news outlets.

Be prepared to dig back with archive sites like web.archive.org, archive.today and hozon.site. Liars and psychopaths like to gaslight the public by changing their stories after publication. Prefer the oldest or original captures of articles as they were first written. If the article isn’t archived, pay attention to the most recent indicators. Did comments cut off after a certain date? Where is the oldest external hyperlink that points to the article?

Some other pertinent questions which any media literate person should be asking:

Does the writing provide a date of publication or authorship/source information at all?
Does it come through from a press network like AP?
Why are you (the public) being allowed to learn of this thing?
Does it seek to outrage or instill fear?
Are catchphrases being pushed? (There is a classical three syllable cadence used in slogan crafting)

Actual real world events, since the dawn of the internet, have tended to be identified and discussed in online spaces, preempting the dinosaur media and, in turn, real world discourse as the information bubbles its way up through the normiesphere. I personally have noticed a lag time of about two weeks between first hearing about something online to overhearing people around me begin to drop it in conversation. Conversely, psyops have a tendency to follow this inversely, with IRL Karens shrieking about a new topic in unison before it generally had a chance to circulate organically among (non-corporatized) online spaces.

There is no magic rule that can universally be applied to determine whether a news piece is bullshit, but they can generally be sussed out by asking basic critical questions. I suppose this is braindead information to most anyone already reading this. But maybe the odd normie or somebody only just now waking up to things can find it useful. Basic media literacy is sorely lacking today.

Terminal Telephony

Sat, 31 Dec 2022 23:10:20 -0500

Phones suck, and so does the new expectation to have one or otherwise be excluded from family, work or increasingly from everywhere. But it doesn’t mean that you really need a physical phone. I’ve written about this before, but feel it pertinent to expand on the advice. Any little bit of info that can help people get away from satanphones and building the new world slavery grid, right?

I will remain vague in my recommendation of SIP hosts because I don’t believe there is a best one™, but there are choices of those who accept cryptocurrency payment, do not require javascript on their web portal and support SMS for those who want or need texting functionality. Or if you’d just like to dip your toes into softphones as a test, I suppose one of the free hosts are fine.

You should be given an option to choose your phone number when you sign up. And even numbers from legitimate nearby area codes might still get marked as “spam risk” by your friend’s or family’s carriers.

Guide, for those okay with GUIs and GTK libraries

Install Linphone from your repository and run the preferences dialogue. In the SIP accounts tab, add an account and enter the sip address using the account number provided by your SIP provider. It should be formatted like:

sip:[email protected]

Make sure that register is enabled and open ports on your firewall for 5061 as well as for audio RTP 7078-7079. Consider setting encryption as mandatory in the Calls and Chat tab. Any settings will be written to ~.config/linphone/linphonerc by default.

If everything was able to reach the provider and register, you should see the icon near your account turn green. Try calling out by entering a number (+ full area code) in the top bar. Linphone-desktop automatically enters the complete dialing information in the background (the terminal version needs manual entry, more on this below).

The resource over at callcentric have a fairly good runthrough of the whole process.

Guide, for command line purists

Install the linphone-cli package. Other distributions may go by different names. Debian once had it under linphone-nogtk. The first time you run the console linphone, a new configuration file will be created at .linphonerc. Note that this is in a different location from the GTK version.

I’ve found that it is very important that the linphonerc has information given for the proxy section for some reason.

Add default_proxy=0 under [sip]:

[sip]
root_ca=/usr/share/linphone/rootca.pem
verify_server_certs=1
verify_server_cn=1
contact=sip:[email protected]
media_encryption=none
default_proxy=0
guess_hostname=1
inc_timeout=30
in_call_timeout=0
delayed_timeout=4
register_only_when_network_is_up=1
register_only_when_upnp_is_ok=1

And account authentication info:

[auth_info_0]
username=0123456
realm=sip.mysiphost.com
domain=sip.mysiphost.com
algorithm=MD5

Supply configuration for proxy even if you don’t find that you’ll be using one and disable reporting:

[proxy_0]
reg_proxy=<sip:sip.mysiphost.com;transport=udp>
reg_identity=sip:[email protected]
realm=sip.linphone.org
contact_parameters=message-expires=604800
quality_reporting_collector=sip:[email protected];transport=tls
quality_reporting_enabled=0
quality_reporting_interval=0
reg_expires=3600
reg_sendregister=1
publish=1
avpf=-1
avpf_rr_interval=1
dial_escape_plus=0
privacy=32768
push_notification_allowed=0
idkey=proxy_config_5CpZ4jeMwtMmBi6
publish_expires=3600
nat_policy_ref=yYm95Uxki2OTCRx

Point linphone at your default sound device, if it isn’t already:

[sound]
ec_filter=MSWebRTCAEC
ringer_dev_id=ALSA: default
playback_dev_id=ALSA: default
capture_dev_id=ALSA: default
echocancellation=1
remote_ring=/usr/share/sounds/linphone/ringback.wav
playback_gain_db=0.000000
mic_gain_db=0.000000

Now, when you run linphonec, it should connect to your provider and await any incoming calls or user input. Type answer to pick up an incoming call or call out with:

call sip:[email protected]

End the call with terminate. Also consider using linphonecsh which sets up a linphone daemon (linphoncsh init) and then just place calls through that if you would prefer not to have a dedicated terminal window open for linphone or if you want to work telephony into your scripts.

For now, it seems that softphones with VoIP/SIP calling are accepted to interface with the gears of society although, like mentioned above, normie phones are now marking phone numbers originating from these services as spam risk. Who knows how long before the psychopaths catch on and try to start banning SIP from personal use or outright blocking the numbers from interacting with their NWO compliant companies. If calling was the last remaining functionality keeping you from ditching your zombie phone, then better to switch now than later.

Civic Infrastructure Is Being Monopolized

Tue, 20 Dec 2022 08:25:26 -0500

Civic infrastructure is rapidly coalescing around centralized disservices as towns, cities and states foolishly move away from in-person and pen & paper solutions. I have personally seen motor vehicle departments refuse the acceptance of cash or scheduling anywhere outside of their shitty web portals in the wake of the panic induced shutdowns. Grocers are now more comfortable than ever refusing cash at self checkouts (human checkouts to follow soon?). Several problems arise as the usual FAANGs eagerly gobble up the new human capital, cheif among them:

The exclusion of those who refuse to or cannot use proprietary technology
An incestuous relationship fostered between big business and the state
The trampling of user rights and privacy
Totally missing the original intention of the web
Crystalization of brand monopolies
Exponentially increased risks from corruption, downtime, breaches, etc.

Things which are currently falling victim:

State functions (trial by jury, meetings/minutes)
Businesses (foregoing proper websites) “download our app in order to X!”
Classifieds (FBI marketplace displacing craigslist and others)
Family collaboration (FBIbook for everything) And certainly much more to come.

Update 2024 (day 1!): The Japan Meteorological Agency, in entrusting TXitter to relay disaster information to citizens, proves the folly of pushing critical functions through big tech when the Gehirn account ran up against arbitrary API limits. The company with which the JMA codeveloped the mobile application even has their own in-house developed web tooling to do everything they relied on TXitter to do. Why gimp themselves out to another party?

This is a multi-faceted problem.

Failure of educating users and the public
Blitz by big tech interests
Laziness/lack of resources of small municipalities & small businesses

Can one resist this inertia? Favor using protocols instead of platforms. Self host as much as possible. Prefer independent and alternative vendors where digital services are unavoidable. Don’t give your time, effort, money or vote of confidence to the beast tech by participating, further contributing to the network effect.

However, this becomes a stumbling block when garbage tech is mandated under threat of penalty or force. If a state requires all present for a court hearing connect over Zoom (zooming us all straight into the dystopian hellscape) or for extortion payers to file over a government ordained proprietary program, then that state is also mandating the usage of nonfree client software along with any of the prerequisite nonfree platforms required to run it.

If the future of avoiding proprietary trash means acts of civil disobedience as protest, then myself and others are going to be in for one hell of a ride.

tcpdump, a Stethoscope for Network Activity

Wed, 14 Dec 2022 19:46:25 -0500

When I was devising my DNS solution (DNS as a standard is still so broken for privacy as of 2022, shame on root name server operators for brushing away cryptography efforts!) and some other traffic concealment solutions, I found myself relying on the traffic capture tool tcpdump. Prior to cutting my teeth with tcpdump, I had only experience with Wireshark. And I don’t think I’ll be using Wireshark very much anymore.

Here’s a decent cheat sheet.

Since network interfaces will be different across different machines, they can be checked with:

tcpdump -D

If we want to watch for traffic bound to a certain port:

tcpdump -n -i enp1s0 port 5061

Which reveals, on a test environment with a SIP client open, a check every few seconds over SIP service.

tcpdump: verbose output suppressed, use -v[v]… for full protocol decode listening on enp1s0, link-type EN10MB (Ethernet), snapshot length 262144 bytes 17:51:08.294212 IP 192.168.1.2.5061 > 64.71.158.4.5061: SIP 17:51:18.294091 IP 192.168.1.2.5061 > 64.71.158.4.5061: SIP 17:51:24.249671 IP 64.71.158.4.5061 > 192.168.1.2.5061: SIP 17:51:28.313744 IP 192.168.1.2.5061 > 64.71.158.4.5061: SIP 17:51:38.313755 IP 192.168.1.2.5061 > 64.71.158.4.5061: SIP

tcpdump -n -i interface port 9001

For example, can show us how talkative Tor is.

Or if you have daemons pointing to servers on the local host, specify loopback:

tcpdump -i lo port 443

It’s a good way to catch configurations which might be leaking requests, and stand as a call to revisit the .conf file. What it’s not so good at is looking holistically at an individual application’s network requests. For that, one might want to investigate mitmproxy with which many programs, after a bit of work, can be monitored for network requests.

tcpdump is sort of like oldschool non-application aware firewalls in this respect. It just looks at everything passing through a given port or protocol or otherwise, without any correlation made to the program from which it originates. Which can be desireable in scenarios where we simply want to find any unsolicited traffic among the wider system configuration.

mpv, ffmpeg and yt-dl - The Ultimate Team

Thu, 08 Dec 2022 18:44:03 -0500

mpv, ffmpeg and youtube-dl/yt-dlp. With this trifecta, almost any media can be accessible to view in any way you want. To download, manipulate and view anywhere, any time. It grants you complete control and totally outclasses the more widely known VLC. Some capabilities I have already covered in command line video/audio editing guides. * Note: I use yt-dl to refer to both youtube-dl and yt-dlp interchangeably, courtesy of the endless forking found in high profile projects.

Some of the programs make calls to one another, such as with mpv’s yt-dl calls. Either through –ytdl-raw-options, –ytdl-format=, and/or prefixing ytdl:// to a target download address. For example, playing back only the best quality version of a video file from ThemTube:

mpv --ytdl-format=best https://www.youtube.com/watch?v=GoqBKlRrIv8

yt-dl, in turn, can pass off to ffmpeg. In fact, many things yt-dl does behind the scenes uses ffmpeg (or avconv depending on which is present and which is best suited). But you can manually call ffmpeg functions with –postprocessor-args. The following would download only the video portion between 00:03 seconds and 01:03 minutes:

youtube-dl --postprocessor-args "-ss 00:00:03 -t 00:01:00" https://www.youtube.com/watch?v=GoqBKlRrIv8

Or if you would like to capture all videos posted from a certain channel within the last three weeks:

yt-dlp --extractor-args youtubetab:approximate_date --break-on-reject --dateafter now-3weeks -o "/path/to/storage/%(title)s.%(ext)s" https://youtube.com/watch?v=...

If a particular video is region locked or IP blocked, we can further mix in other programs (Using format selection for the lowest quality in respect of Tor network capacity):

torsocks yt-dlp -f 18 https://www.youtube.com/watch?v=GoqBKlRrIv8

mpv is its own beast. Some common shortcuts you might find useful include:

Shortcut	Function
9 / 0	Decrease/increase volume
Shift + #	Enable/disable audio
Shift + J	Cycle subtitles
[ / ]	Decrease/increase playback speed
Shift + L	Loop file
i / I	Display video file information

Start or end playback at a specific timestamp:

mpv --start=00:00:50 https://www.youtube.com/watch?v=GoqBKlRrIv8

Remember, content tyrants do not want you saving content locally for a reason. They would much prefer everyone be cattlechuted into DRM encumbered proprietary web stream players or mobile applications with restrictions on when, where, on what and by whom any piece of media can be accessed. It would be awful for them if you were to save and share any of it on massive external drives.

This tag team of software is pretty much unrivaled. Although VLC has Santa hats …I guess.

Site Moved to wrongthink.link

Sat, 03 Dec 2022 11:52:25 -0500

It is time for this site to practice what it preaches and claim a space on the web through more independent infrastructure. NeoCities is a good space for those just starting out but there are technical limitations (such as no media files) as well as the looming albatross of censorship. This NeoCities mirror will remain in place, but I will not be posting further updates here. If you subscribe via RSS or link to any of my works, please consider pointing it to the new address at https://wrongthink.link/.

I may still expand to hosting a darknet mirror, seeing how broken the clearnet has become. But I’m not yet giving up on the clearnet like I had given up on Bitcoin. The new site should enable me to expand the type of content I share, including how openly I cover various topics. It is said in engineering that two is one, one is none, so hosting one’s work in multiple places becomes an insurance policy against deplatforming.

My Video Game Music Favorites

Sat, 26 Nov 2022 11:17:23 -0500

It is true that back in the day, I used to play all manner of video games, even including console games. They played a formative role in my musical tastes and still occupy a significant portion of my music library to this day. A page over at digdeeper inspired me to share some of what I consider to be the absolute favorites among the collection. If we can put aside for a moment the laughable fact that a self admitted free software extremist has a soft spot for game soundtracks of one’s youth, then let’s dive in!

“In the thick of it” high intensity pieces

Goldeneye 007 - Runway. Rare, pre-Macrosuck aqcuisition, actually had a ton of great works. Perfect Dark’s OST also among them.
Goldeneye 007 - Cradle. Goldeneye on the N64 was an unusual instance in which the soundtrack may very well have actually been better than the source film.
Empire Earth - Shadows. An early epoch track from the best version of Empire Earth. II and III both sucked.
Megabyte Punch - Hyper Boss Battle. The high energy piece that plays during Megabyte Punch’s “Master Hand” style battle. Very climactic.
Need For Speed Most Wanted - The Mann. Set the scene perfectly for fleeing from squadrons of police vehicles. This one definitely succeeded at making one feel like a badass carrying out a mission.
Need For Speed Most Wanted - Kick It Up A Notch. More of the above, but with added intensity. Written for the final boss cop chase. (Starting at 07:10, why can’t this be it’s own genre?… That mixture of tech, brass & symphony, wow.)
Resident Evil 5 - Wind of Madness. Boss fight against some flying creature. Really good at conveying a struggle.
Sanctum 2 - Ruins of Brightholme. Only loses points for lack of variation throughout the duration.
Dungeon Defenders - Castle Combat Phase. Even though the score to Dungeon Defenders is “cutified” to match the rest of the game’s stylization, Castle Combat really punctuates the heat of the moment.
Planetside 2 - Terran Republic Combat 4. There’s nothing like storming a heavily defended base while this score rages on in the background.
Planetside 2 - Vanu Sovereignty Combat 1. The Vanu Sovereignty of course had their own. The New Conglomerate faction’s OST was kind of stupid IMO.
Tom Clancy’s H.A.W.X. - Tally On Multiple Contacts. Another badass theme. Perfect for high stakes business going down.
Tom Clancy’s H.A.W.X. - Ending Credits. Same as the above, extended and also applicable to lists “Building up to something big” and “Met with success, mission accomplished”.
Starfox 64 - Boss B. Something about media from the 1990s carried a more hopeful tone. Everything went so dark and gritty the following decade.
Starfox 64 - Starwolf Theme. Very anime in it’s “clash of rivals” scripted usage. The N64 MIDI(?) versions suffer enough quality that a live orchestra version may outclass the original Starfox 64 themes.
Tribes Ascend - Katabatic III. Also any of the “flag holder” pieces are also very fraught with intensity.
Deadcore - Scape Mind. Deadcore was the first game I ever played on a Linux installation. But the music is memorable all its own. Scape Mind’s buildup to 01:52 is just awesome.
Far Cry 3 Blood Dragon - Sloan’s Assault.
Metroid Prime - Parasite Queen Battle. I was very pleased when this piece made it’s way into Super Smash Bros. Brawl.
Super Mario Galaxy - Final Bowser Battle. There is a both choral version and a full piece.

Building up to something big

Barony - Twisting Passages. This piece plays early on in the levels, accentuating the “lost in the dark” feeling that permeates early Barony.
Barony - Automation. The scoring to the final levels just before Barony’s (very difficult) final bosses.
Barony - Braving The Unknown. Especially ominous around 02:03.
Starcraft Brood War - Intro. Starcraft always had very punching cinimatics. Mostly the last 40 seconds of this piece really let you know that you were getting into something huge.
Megabyte Punch - Ventu’s Lost. Accompanies a moment in the game where the homeworld succumbs just before a climactic battle.
The Legend of Zelda - Deku Tree. Alright, this link is a remastered version, but the original definitely carries it’s own foreboding mood.
The Legend of Zelda A Link To The Past - Dark World Theme. By the time you reached this point in the game, you accrued most of the cool gear all the while the world you knew has been transformed. This version is just so awesome.
Tom Clancy’s H.A.W.X. 2 - Over the Caucasus. The vocals make for a very ominous build up.
Tom Clancy’s H.A.W.X. - Ghost Rider. Also strong.
Tom Clancy’s H.A.W.X. 2 - Last Stand. Probably my favorite of all Tom Salta’s works. It opens in a kind of somber way before cascading into a bit that just screams high stakes final struggle.
Starfox 64 - Sector X. A creeping and haunting piece that went well with being out in open space.
Tribes Ascend - Temple Ruins I. The use of big brass and heavy percussion make for a very ancient sounding theme. It builds until climaxing at about 01:44.
Tribes Ascend - Sunstar I. Similarly with the Sunstar world map.
Crysis 2 - SOS New York. This track was used in the waiting lobby of Crysis 2’s original multiplayer. I forget where it was used in the campaign but set the scene excellently for an up and coming battle.
Planetside 2 - Vanu Sovereignty Combat 3. This piece is a little more chill than the other combat scores so it actually played when completing a capture or some less intense feat.
Deadcore - Jaws. Deadcore has some of my absolute favorite works. The heavy dark tech trance can hardly be found in any “legitimate” music genre.
Deadcore - Negative Wave. A little more lively. The piece is meant to work up as the player picks up pace in the speedrun game. Big drop at 01:45.
Deadcore - Cubik. More tech heavy.
F-Zero X - Car Select. How to say death race without saying death race.
F-Zero GX - Lightning.
Far Cry 3 Blood Dragon - Power Core. A modern take on 80s synth and it works out very well.
Civilization V - Pedro II War. When you start conflict with Pedro II in Civ V it sounds like you’ve just made a very bad decision.
Metroid Prime - Title Screen Intro. In addition to setting the scene, it has that dark psy sound that I enjoy so much.
Soul Calibur II - Under The Star Of Destiny.

Moving or just distinguished in their beauty

Dreamfall The Longest Journey - The Hospital Room. Dreamfall does a really good job of making one care about the characters in the story. This track perfectly evokes that during a playthrough.
Planet Explorers - Main Theme. Such high production value for a game that ultimately failed.
Halo 3 - Never Forget. The piano in particular is very strong.
The Talos Principle - Trials. Very calming piano starting at 02:05. Excellent focus music. This also could have gone into the “Building up to something big” list.
Metroid Prime - Inside the Crashed Space Pirate Frigate. As a nice repreive from the rest of the hostile environment (although there are still encounters in this area IIRC).

Met with success, mission accomplished

Barony - Hero’s Lament. It captures well the return to peace that the game’s story tries to convey, and is just very peaceful overall, especially after 01:04.
Tom Clancy’s H.A.W.X - Artemis Ascendance.
Starfox 64 - Mission Accomplished. Aptly named.
F-Zero X - Goal. You kind of have to experience shooting through the finish gate, your craft smoking and nearly destroyed, into first place as the score rolls. It’s a damn shame that F-Zero GX decided to drop the sound theming in favor of a more techno-y OST.
The Talos Principle - False God. When the last bit of the story slots in and it all begins to click what exactly the game is depicting.

Just fun I guess

Animal Crossing - Main Theme. This set the mood much better than the later guitar renditions.
Crypt of the Necrodancer - Dance of the Decorous.
Crypt of the Necrodancer - Tombtorial. Excellent crescendos and drops.

The Broadest Collection Of Global Telemetry

Sat, 19 Nov 2022 12:04:33 -0500

In addition to the fact that the [clown] world relies on certificate authorities remaining honest for HTTP Secure to do what it actually advertises, there is another standing issue that erodes my zeal to keep scrapping together workarounds.

One might argue that having many sites hosted behind the same server and IP might paradoxically help to obfuscate the sites one visits from snooping ISPs, such as those which might reversely resolve domains associated to server IPs. Even the average Joe can do this with something like:

dig @<some LARGE resolver> -x <ip address> +short

However, such obfuscation gets foiled by a shortcoming in Server Name Indication. SNI introduces an opportunity during any TLS handshake for an observer to obtain which site is being requested. The indicated hostname is not encrypted within the Client Hello of TLS handshakes and, at first glance, apparently cannot be out of design necessity.

There have been attempts to extend the standard for certificate request encryption, first with eSNI and later ECH. But these standards have run up against obstacles with big tech, namely Goolag, FBIbook and Amazog, failing to support eSNI. I’ve been informed that this is deliberate as the likes of big tech are afraid of being excluded from the massive Chinese market. If unencrypted TLS hello is adequately naked for China to spy on their subjects, then what does that mean for everyone else who must use it?

This compounds the issue of global adversaries with visibility into large swaths of internet traffic. A colleague and I were discussing recent light shed on the new commercial market surrounding netflow data which raised the question as to how badly this compromises even the privacy-consious techies. Some expressed concern that this could be used to “tag” and foil traffic concealed in the likes of Tor or in VPN connections.

One of the concerns long held by Tor developers is that the size of data transmitted can itself be used to correlate traffic. This is why they recommend against large file transfer over the Tor network. It may be adequately encrypted, but a global passive observer (using something like netflow data) might be able to look at the total size of upload bandwidth entering a Guard node, and associate it to an identical usage leaving an exit node to a clearnet server at the same time.

Maybe this could be addressed by padding all Tor traffic to a common size using junk data but would also massively decrease effeciency and throughput of the already constrained network. Such a padding method is actually used in v2ray-core, a derivative of shadowsocks common at one point for circumventing the aggressive Chinese firewall. This is only to illustrate that said “tagging” doesn’t have to be done within the “tunnel” of a VPN, but only by taking and comparing notes from either end.

And data brokers are well positioned to exploit this. Team Cymru, a netflow aggregator, make some extraordinary claims in their promotional material.

“Team Cymru’s product letting users trace the activity of servers linked to an Iranian hacking group further than other datasets, such as DNS lookups.”

I would be very interested to see if that group was doing anything at all to protect their DNS queries, or if they were just foolishly using plain old naked 1970s DNS resolution.

““Are any DoD components buying and using without a court order internet metadata, including ’netflow’ and Domain Name System (DNS) records,” the question read.”

The fact that senator Wyden’s office felt it necessary to specifically mention DNS records in this question is fairly telling as to how much they probably lean on that old and yet to be fixed standard in order to amass their “broadest collection of global telemetry”. So encrypting one’s DNS requests (and not through the lazy and poorly implemented DoH!) should mitigate some of this collection method.

“Through these relationships, Cortex Xpanse has access to a sample of approximately 80% of global flows,”

A textbook global adversary. Just in case anyone thought the aforementioned techies were just being paranoid in the extent of our countermeasures.

Whole-of-System VPN And The Clark Kent Dilemma

Tue, 15 Nov 2022 15:57:47 -0500

Despite the terms ‘privacy’ and ‘anonymity’ being used interchangeably by many, and particularly by VPN marketing, I want to first highlight the key difference being that VPN connections are not anonymous but only private. Even if no payment transaction trail leads back to you. This is because the same entity connecting you to your destinations also knows your external IP. And both privacy layers (VPN) and anonymity layers (Tor, etc.) offer only end-to-middle encryption, except perhaps for accessing .onion addresses. These limitations, among others, are reason enough for me to remain weary of whole-of-system VPN solutions.

The Clark Kent Dilemma

It can be said that Superman and Clark Kent are never seen in the same place at the same time, casually exposing his secret identity. A similar observation can be drawn to VPN users: Let’s say that every time your device is on you typically run an email client, IRC client, web browser and cryptocurrency node. Each of these reaching out to servers in a pattern wholly unique to your device. When you establish a VPN connection all of that traffic disappears at once on your WAN IP and reappears around the exact same time in, say, Dubai. It is obvious to any sufficiently large observer as to what has just occurred.

Unless one exhaustively tracks and remembers to close down such email, IRC clients and crypto node each time, it is possible to correlate when somebody “jumped” to a new VPN exit. Those who configure firewalls to disallow any non-VPN traffic may not expose themselves to this issue, but what when they need to change VPN exit locations (or when the VPN host decides to), when they require direct connectivity such as for navigating around known VPN IP blocks or for low latency applications? Some VPNs block various ports, such as those for VoIP telephony. Some granularity could be desirable.

What can be done about this?

Disclaimer: this is not gospel.

I would suggest a system of prioritization based on the type of traffic you need to send and receive. Then route your network traffic across a mix of the following accordingly.

Plain network traffic Avoid if usual TLS/HTTPS/Cryptography in general cannot be deployed
Conventional proxy Avoid if usual TLS/HTTPS/Cryptography in general cannot be deployed
Privacy layer (VPN)
Anonymity layer (Tor, etc.) Anything this level upward ^ automate requests if at all possible
Local host No network requests even necessary :)

The rationale for automating any network requests is that it conceals the human element, when you viewed a resource, when you might start and end your day, what times your system is in use versus not in use, your timezone. All of which gets stuffed behind an obfuscating and less interesting wall of automation. Let your computer do your web browsing for you.

Proxied (of any variety) traffic can be dealt with in a more fractured way. Try to visualize the traffic on a per request basis. The nature of the traffic should determine which snake hole it pops out of to an outside observer’s perspective. Tor is already really useful for this with running different applications through different SocksPorts ala Tor stream isolation. If you didn’t already know, something similar can be done with VPNs via split-tunneling. Further mix things up with some oldschool proxies and proxychains.

But look at what sits at the base of that priority chart: the local host! Ideally, cache locally, host locally, process locally! As much as practically possible. To build on an old analogy, if using the internet is like broadcasting your whereabouts over a megaphone, then using a whole-of-system VPN is like broadcasting your whereabouts over a megaphone… from the next room over.

The issue is not with VPNs per se. I guess I’m just an advocate for split-tunneling individual applications over VPN, in opposition of absentmindedly tossing all data-in-motion entirely over a VPN. Or through any single proxy layer. Don’t put all your eggs in one basket. The whole end-to-end situation is treacherous (more on that in The Broadest Collection Of Global Telemetry) so do what you can to encrypt as much as possible. And if that means a VPN, then great. Just respect that a VPN is not the set-and-forget solution that some make it out to be.

The Goldilocks UI Zone

Wed, 09 Nov 2022 12:28:22 -0500

A while ago I tried out the Sway window manager. While it is very fast, very minimal and purist in it’s design, a few nails stood out which I couldn’t quite hammer down. A caveat to the following is that I grew up on graphical desktops with only a brief stint on DOS command line which I can barely recall from childhood memories. I may not be as hell bent on getting stacking windows out of the way as some WM diehards. The Sway experience was great overall except…

Despite going out of the way to use TUI and terminal programs, there where still some which necessitate the usage of a graphical window. And some of these programs failed to obey the conventions of a WM like Sway, either by way of some dirty gtk_window_set_type_hint() trickery or by hardcoded settings panels which act as a child window that cannot be moved separately. These also pulled in a combination of QT and GTK libraries, so would take a lot more planning and diligence to avoid one or the other to keep a lean system.

The scriptability of WMs, as I experienced with Sway, is fantastic. But it can also become burdensome. Sway uses a program Swaylock to lock the session. There is no default configuration provided as users are expected to write their own. After some trial and error, I had gotten a solution running which aggressively blanked the display after locking. It was hackish and I didn’t trust what I wrote to actually reliably do it’s job. Even the big name desktop’s screen lockers occasionally have slip ups, and those are written in collaboration by people more experienced than myself. Add in the other some-assembly-required Sway components along with it’s grand .config, and one quickly discovers how much maintenance burden they incur.

Constant tinkering with the visuals ended up consuming more time at the device than I had to give. This is not an issue with Sway, per se, but there are so many little things down to the pixel width of individual window dressings. I found myself longing for a boring old DE with some basic GTK theme. Those with a different sense of aesthetics than myself can probably live with the unrefined Sway defaults or rapidly whip something up that looks outstanding on some Unixporn gallery.

So what is the goldilocks zone for Wrongthink? I do not want anything to do with the hugely bloated software suites like Gnome. They even gobble up other programs to assimilate into the DE borg. Just ask Falkon or Geary. Meanwhile WMs are a little too barebones for me. Sure, one could opt for the *-core packages (at least on Debian family distros) but that’s just a workaround to a malignant problem.

The perfect environment for me may just be a lightweight minimalist DE, without all of it’s own in-house reinventions of the wheel, paired with a really comfy terminal emulator and all of my cozy TUI applications.

Centralization Also A Failure In War

Sun, 06 Nov 2022 13:19:13 -0500

Many credit the miscalculation of entry into Russia during the winter, along with the waging of war on two fronts, as the downfall of Nazi Germany’s efforts in the second world war. Although Adolf Hitler may have made another, less obvious fault. And that was to so intensely centralize his control over war operations. In The Mask Of Command, John Keegan touches on the histories, successes and failures of several of history’s prominent generals. A passing remark is left that those who seek to command over others may, out of necessity, be insane.

Hitler’s micromanagerial control went beyond what was typically anticipated from a position of command. He had centralized decision making far from the front and took it upon himself to coordinate operations in the most minute detail. Through this, he missed critical but minute information, not at the forefront of planning, affecting the ebb-and-flow of battle. In contrast to Ulysses S Grant, who afforded his men a high degree of autonomy, Hitler can be viewed as having monopolized operations. While history also confirms a greater success in Grant’s overall generalship.

Parts of The Mask Of Command linger in my thoughts, among them a bit cited from Hitler’s Mein Kampf:

‘The stain of cowardly submission can never be effaced . . . This drop of poison in the blood of a people is passed on to posterity and will paralyse and undermine the strongest of later generations.’

A lesson that many of us today are beginning to [re]learn in the most regretful fashion.

Keegan also pontificates on the justification behind state violence:

There can, however, be nothing mechanistic about the excercise of power through force, whether naked or implicit, long though the power-holding and power-hungry have sought such a secret. Force finds out those who lack the virtue to wield it. Such virtue, in theocratic societies, is deemed to descend from God or the gods, and rulers by divine right may in consequence despatch their subjects to the battlefield without thought or the imputation of need to lead them there. Secular rulers enjoy no such moral exemption, in their worlds the virtues that attach to force are those by which it is resisted - therefore either go in person or else find the means of delegating the obligation without thereby invalidating their right to exercise authority outside the battlefield and in times of peace.

Where religion has given way as the motivator and grand justification for power and conquest, new systems have been devised and perfected to take up its place. If anyone reading follows the work of the Corbett Report, one might make connections as to how well a new technocratic security state may fit into that brief vacancy.

Keegan goes on:

Government is complex; its practice requires and endless and suble manipulation of the skills of inducement, persuasion, coercion, compromise, threat and bluff. Command, by contrast, is ultimately quite straightforward; its exercise turns on the recognition that those who are asked to die must not be left to feel that they die alone. But the relief of the warrior’s ultimate loneliness is achieved by means quite as complex as those that attach to government.

To that list, I might add robbery, narrative shaping, information control, the ceaseless suppression of discourse and, most of all, the erosion of choice.

The book is not, however, a commentary on government or on human free will. It is not about centralization versus decentralization. But it does cover some fascinating balances that must be made during large scale coordinated efforts, whether to lead boldly from in front, or safely from the rear, and the kinds of personality archetypes who find themselves forging decisive battles.

Retailers: How to Music

Sat, 29 Oct 2022 16:24:03 -0400

Your department store seeks to set a unique atmosphere while shoppers browse about. What do you play for them? Classical? Jazz? Maybe your establishment is themed. A bait & tackle shop might opt for some country. Perhaps some classic rock at the auto parts store. But reality is not so. Unfortunately, retailers now seem to take satisfaction in assailing their shoppers with Spotispy.

The following must be their guidebook on playing background music for customers in $CURRENT_YEAR:

The wall & ceiling speakers built into the establishment are not good enough. Instead, select a personal assistant with a single 5 watt mono speaker for a delightfully tinny sound.
Don’t use your own library. Just blast any channel from Spotispy. If you can’t decide, then allow your employees to supply their excellent personal tastes. Make sure that it’s a non-subscriber account so that ads wail every few minutes at +50% volume.
Position the personal assistant adjacent to the registers so that normal human conversation becomes incomprehensible.
Ensure that the device is immediately on the outer range of your wireless network so that the buffer (Yay, streaming!) empties every few seconds causing choppy playback.
If that doesn’t work, you can always fall back to broadcast radio using the dusty boom box found in the stock room.

That is not to say I think there is a right way to do it either. In an ideal world, shopping would not be something that has to be an “experience”. Dead silence is fine. Just go in, get your things and get out. But if you do own an establishment, it might be worth looking into something lighter weight like MOC.

Music On Console is an ncurses console audio player that supplies a fully featured music & playlist server without necessitating the complexities involved in MPD. Simply point it to a directory containing your desired music and let it handle the rest. Some common key bindings that you will probably find useful include:

Key	Command
a	Add highlighted song/folder to playlist
C	Clear playlist
n	Play next song
b	Go back one song
S	Toggle shuffle
R	Toggle repeat
</>	Increase/decrease volume
Space	Pause
q	Quit player, leaving audio server running in background
Q	Quit player and server

Brian Rose's Digital "Freedom" Platform

Tue, 25 Oct 2022 13:25:23 -0400

Amidst the waves of sweeping away voices critical of the 2020 health scare deception was Brian Rose, podcaster turned video interviewer. His April 6th interview with David Icke prompted Goolag to ban him from Youtube, shocking Rose into the realization that if you don’t host your own files, they’re not your files. So he set out to do the most reasonable thing any unpersoned individual should do: to establish his own platform. The “Freedom Platform”.

But, like with many NeoBoomers, he and his team have made some perplexing decisions in the construction of a platform bearing the word “Freedom” in its title. Rose was quick to run a crowdfunding campaign, capitalizing on the public’s general disorientation through the rapid life disruption brought about by the scamdemic. It turns out that donating twenty dollars to an entrepenuer during the early stages of an information war really doesn’t help to resolve an information blockade. Let’s take a look at what donors can proudly say they’ve helped build.

The Freedom Platform

Despite being billed, in his shameless crowdfunding pitches, as a place for everyone to have a voice, the platform really only hosts his own work. The site does not offer up raw video in a standardized way, but requires a javascript web player. Only samples can be played, with the site demanding viewers sign up or become subscribers to watch a full video.

Visitors are assaulted with connections to cloudflare, FBIbook (How nice of Brian to partner with the same cadre he found himself banned by), googleslavemanager along with onesignal and several other CDNs. Not really hosting your own content then, are you?

Viewers are offered an option to download clips although the linking is mediated through a third party, WeTransfer, a file sharing host who ostensibly derives revenue from harvesting data. Again, not hosting your own work on your own infrastructure, Brian? I thought you wanted to insulate yourself against the possibility of being censored. WeTransfer pages do not function at all without js.

Video comments are provided by Disqus, a Goolag partner and known censorious bad actor. Also, good job centralizing your discussion section into yet another third party. A very typical maneuver found among the technologically impaired rightist boomers. And since freedomplatform.tv tries to force users to login to even view the meatier parts, there is not bound to be much discourse anyway.

Thier centralized big tech mess also bears both a TOS and privacy policy in which we find:

By logging-in to our site you are also giving your explicit permission for us to correspond with your via email.

email harvesting

You are free to Unsubscribe from any and all emails at any time.

If I had to hazard a guess, the unsubscribe link is probably also to a third party data harvester.

We have the right to disclose your identity to any third party who is claiming that any content posted or uploaded by you to our site constitutes a violation of their intellectual property rights

Slaves to the DMCA.

We have the right to remove any posting you make on our site if, in our opinion, your post does not comply with the content standards set out in our Acceptable Use Policy.

Of course they have a Communist Guidelines, if only by another name.

The freedomplatform.tv boilerplate reads “We take your privacy seriously. We will never sell your information.” But upon further inspection:

The data we collect about you

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data). We may collect, use, store and transfer different kinds of personal data about you which we have grouped together follows: Usage Data includes information about how you use our website Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this website. Marketing Data includes your preferences in receiving marketing. We also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. We may receive Technical and Usage Data about you from third party analytics providers like Google and GoSquared, third party advertising networks and search information providers.

They go on to blatantly admit that visitor data is shared out to advertisers which comes as no surprise to anyone who takes the time to look at the third party site requests. And anyone still using cookies (for some reason) will find freedomplatform.tv plants tracking cookies.

How one might go about freeing the Freedom Platform

Ditch the third parties and CDNs. All of them.
If you’re going to require javascript programs, at least post up their source on some git repo.
Serve video directly as a file. They’re just interviews, they don’t need to be 4K lossless spectacles.
Drop cloudflare.
Don’t outsource your comments section. Did getting banned in multiple places not teach you anything?

Just deploy a peertube instance and allow federation to expand your discovery as well as increase your resiliency against censorship. It would also simultaneously resolve points 1, 2, 3 and 5 in a single pass. But I guess nobody has ever raised a million dollars in crowdfunding over a peertube instance. As it is right now, there is nothing free about freedomplatform.tv, not even for Brian himself as he has shackled his own service to many of the very parties involved in his banning to begin with.

Your Freedom Is Contingent on Others

Thu, 20 Oct 2022 18:25:26 -0400

You have just come into great wealth and find that you no longer need to work. You secure yourself with a ranch that runs on solar and wind power, raise and butcher your own meat, pull your own water from the ground and generally live with almost no dependence on others. I do not conjure this image to lambast some hypothetical prepper supreme, but to follow in question: Is this exceptionally independent person now truly free?

The sad truth of the matter is that no, they are not. Your freedom, my freedom and the freedom of any individual is intrinsically tied to the perceptions and attitudes of those around them. You, hypothetically, can rid yourself of all malicious influence and live strictly according to your principles but if Joe shopkeep is still fast asleep it could mean you don’t get to walk out with purchased goods simply because you didn’t submit to some arbitrary medical apparatus, or for using the wrong type of currency e.g. not using mark of the beast trackable digital payments.

And since we live in a world where most believe in the validity of “passports” (which didn’t exist until historic recency), centralized currency, borders, compulsory taxation, and a whole host of other dreadful fabrications, we are priviliged with being at the whims of the great narratives of the public opinion moulders. Perception precedes action.

Best for now is to gradually, selectively build the network of people around you so that it is comprised of those who possess greater awareness. Continually maneuvering around the sensibilities of the zombies is not worth the effort when it can be so much easier just to cut contact. YMMV

Moving Out to the Woods, Anticipate a Period of Silence

Wed, 24 Aug 2022 01:46:53 -0400

I am relocating away from clown town USA to a more natural setting. It is off-grid except for the electrical, for the time being. I do not know what the connectivity is going to be like there, and I do not know when I will next be online with my full workstation. Expect a few weeks of inactivity on this site. My apologies to anyone who has been enjoying frequent writings. I’m just continuing to architect my life around autonomy, self-determination and to fulfill some design goals I’d been planning for a long time.

Disingenuous Claims Around Support Availability

Sun, 21 Aug 2022 13:55:39 -0400

Windows junkies often toss around the rhetoric that Window$ has support available, therefore it is more fitting for the individual user. Assuming that can be taken at face value, is it not indicitave that Window$ shortcomings demand a massive support network? But that may not be a fair assessment as any sufficiently complicated system can require such assistance. I think the real confusion arises from the failure to distinguish between different types of support presence.

Proponents of this argument erroneously use this definition interchangeably to describe both enterprise support and end user support. I wonder if they know that they’re being disingenuous or if they really just fail to see that they’re ascribing two different meanings. This description, for example:

Support

Comparing Windows vs. Linux support is hard. Windows offers paid professional support as well as access to clear documentation and tutorials. Its popularity also drives the market of third-party support vendors and result in many tutorials and answered questions on the forums. On the controversy, Linux relies on community support, where regular users help each other out through forums and issue trackers. Results are often confusing - but from a broader perspective, the Linux community usually provides more detailed and “designed for humans” information.

How many home users of Windows have been able to receive human assistance from MS with a phone call? No, they end up dredging the depths of Goolag search or finding their way to the MS community support forum. The paid support that they speak of is actually pertaining to enterprise solutions, not Joe Sixpack. And support contracts are not unique to Window$, by any means, as similar can be had among the various Linux vendors. So if the author above wanted to make an honest comparison it should either be between home user support vs home user support or between enterprise vs enterprise.

Content as a Hostage

Fri, 19 Aug 2022 13:13:26 -0400

Joining SaaSS and GaaS, I propose CaaH. Content as a Hostage, also known as the exclusivity model. Present something that a user wants and make sure that the only place they can obtain it is through your own delivery platform. This has lead to the fracturing of streaming disservices into a million individual copycats who essentially host only their own internal works. CaaH was really perfected on gaming consoles which each held ransom some games to entice suckers into buying dedicated hardware. A strategy which has worked brilliantly against some demographics.

It is most prevalent right now in movies and games distribution. Some studio does not want another publisher to take a cut of their sales so they setup their own storefront and revoke all copies of their media from any other source. While this fixes the author’s revenue problem, it abuses the freedom of choice of their clientele. Those who watch runs of shows often complain of having to subscribe to dozens of various streaming toll roads.

Freeing The Hostage

There are two ways to address the issue. First, would be for the author/publisher to make their work available again through other sources. If they wish to keep the prices cheaper on their home turf, that’s understandable. Ideally, this would accompany the removal of DRM, although that remains a seperate issue.

Second, is for individuals to turn to file sharing (which industry erroneously refers to as piracy) as many have decided to do. Think of it as a just punishment for publishers who seek to put up blockades restricting where people can and cannot reach their content. It is the only assured way to be able to watch what you want, when you want, where you want and however you want.

There was only one storefront that I know of which did things right by serving their movies as DRM-free raw files for a one-time purchase. GOG unfortunately only carry movies oriented to video gaming and the site does require javascript, but their model serves as the only example of content delivery that I would be willing to pay for.

Bitcoin Is a Tale of Tragedy

Thu, 18 Aug 2022 00:47:14 -0400

Bitcoin is a tragedy. And I say this knowing full well that my donation section lists only a Bitcoin option. The cons outweigh the benefits and since I’m not paying for site hosting right now anyway, that section will be removed for the time being. Because I only like to run full nodes for any cryptocurrency and building from source + familiarizing myself with each one’s terminal commands all while taking precaution to do everything properly is mentally taxing. So I’d rather just use one cryptocoin and not have to deal with others. I’m still watching the crypto space to assess which would be best to spin up as the sole successor.

Why didn’t Satoshi & friends trial things out of public view while awaiting something like ring signatures to be devised? It’s really such a shame that the transparent chain took off and that there’s no backtracking to fix its flaws ever. In terms of privacy, Bitcoin is even worse than credit/debit cards since everyone can see all transactions forever, as opposed to just your bank and their partners. This creates a chilling effect where every transaction you make has to be carefully calculated out ahead of time to identify points of leakage and avoid exposing any paper trails that could correlate it to your real identity. I’m not even comfortable recommending it to people who are casually interested in cryptocurrency because of this.

Even if you do everything “right”; obtaining coin through cash payment outside of KYC, running your own node over Tor, creating new addresses for each receiving input and generally trying (and failing) to replicate the opsec of Jason Bourne, Bitcoin still operates totally in the open where even a single screwup can compromise your whole transaction history. Not to mention the other issues with slow transactions (lightning network doesn’t count, I’m not running another node with an entirely new chain just to fix this idiotic oversight), unnecessary transaction costs and mining which is completely out of reach from common users.

The only positive outcome I can see would be if institutions ended up adopting Bitcoin while average folks took up Monero or some other thoughtfully designed cryptocoin. That way movements of money between large organizations and even governments could be more transparent to the public. And they can eat the high cost of transactions since it would seldom be used to settle any small transfers.

I hate to say it but: Don’t use Bitcoin! It’s a treacherous hazard.

You Might Be a Zombie If...

Tue, 16 Aug 2022 15:57:46 -0400

You might be a zombie if…

You believe that the winners of all historic conflicts have always been the good guys.
Most of your understanding of the world comes from legacy media.
There is hardly any deviation between your views and those of the opinion molding class.
There exist organizations who censor anything which runs contrary to your beliefs.
You accept token rewards from authority for changing your own behavior.
Your personal devices still run the stock big tech software which came pre-installed.
Your outspokenness on issues only lasts for as long as they remain in the news cycle.
The beliefs you inherited lead you to aggress upon others.
You spend most of your day thinking about entertainment media and/or your next fix of it.
You’ve consumed your way into a state of physical obesity.
You unironically use Goolag search, Gfail, GooTube or information mediated through any other tech giants.
You think you have nothing to hide.
A shartphone is your primary or only device.
Questions are never a part of your informational hygiene, only passive acceptance.
You legitimately believe that humanity faced the deadliest pathogen in known history through the early 2020s.
You are willing (or even eager) to impoverish your standard of living to mitigate the perceived threat of climate change.
Nothing is ever your decision, you were just following orders from above.
You’ve never read a single book of your own volition.
You ragequit before reaching this line.

I Often Feel Like a Time Traveler From The '90s

Mon, 15 Aug 2022 13:14:25 -0400

A recent fediverse discussion had me ruminating on how the face of the internet, and tech in general, has changed drastically as it gets molded by powerful interests. For any generation Z who might not have been around to experience the web as it was in the 90s or aughts, I wanted to share a few key changes I have witnessed not only as time flows on but also since I’ve remained well insulated from the larger shifts unlike so many others. The change just in the last few years has been atrocious, but in cumulation with the previous decade or so there has been a remarkable decay. And that’s exactly how they get us, with a slow boil.

First, I should explain where I’m coming from. I refrained from participating in many of the web2.0 developments like Twitter and other things which have now fallen under the umbrella of social media. I grew up without cable television and so never took interest in keeping up with shows that dominated the culture of my peers. Circumstances left me without a phone when those around me all were learning to structure their lives around mobile connectivity. So I never really used a shartphone (the one that was eventually given to me remained mostly unused and ended up with a drill bit going through its ICs once I decided to ditch it). I share all this to illustrate that I’ve never followed the curve with the rest of millennials. I’ve lived on a technological island for the last twenty something years.

Here are some developments which bewilder me.

Everyone now uses their real names and images. Whatever happened to that old wisdom of never share your real name with anyone online?
The infantilization of communication through emojis and reactions. And video format has now been reduced to minute-long clips, courtesy of mobile zombie applications.
The default expectation to use other people’s computers instead of your own. People don’t even store their own files on their own hardware anymore, apparently?
The term “social media” itself. I’d first heard it in 2015 and found it eery how everyone else just knew and that it propagated so rapidly. My time in gaming taught me that anything using the term social was always a harbinger of the coming destruction of said thing.
Overmoderation and the extreme sensitivity of contemporary web users. Web culture now seems to care more about protecting feelings at the expense of truth.
Television 2.0. The web was supposed to be the world’s virtual library. But, for many, it is just the latest incarnation of television. How many just churn through videos on their scrying mirrors day in and day out?

With only a few exceptions, each new web technology is increasingly more decadent than the last. I can only imagine how bad things are going to be five or ten years from now. Please take me to the time machine. I want to go back.

What The Web Looks Like Without Any Blocking Measures

Fri, 12 Aug 2022 14:34:17 -0400

Anyone reading this probably has measures in place to cleanse their web experience of invasive garbage. But maybe it’s been a while since those protections were lowered, and maybe you haven’t seen what the modern web really looks like today. What do normies see when they open a browser? Well, it isn’t good. And things have only decayed since the last time I ran a naked browser.

I configured a stock Linux environment with a standard Firefox (non-ESR) without any addons and no blocking measures beside Firefox’s built in Enhanced Tracking Protection defaults. To the best of my knowledge, the system did not have any other filters configured. I then took it through a gauntlet of common sites visited by the cattle. It reveals to us how their access to information can be so poor.

One of the first things you will notice are the hovering bars that follow visitors as they scroll, harassing them about paywalls and subscription offers. Sometimes they’re tracking cookie notifications, and sometimes they’re just the site navigation menu. It crunches screen space and obnoxiously remains in your face until you actively respond to the prompt.

Another assault on the senses comes in the form of embedded autoplay content. I got part way down an article before identifying where the sound was coming from. Imagine trying to fight with that every time you wanted to focus on a few paragraphs.

Plebbit is atrocious with the redesigned layout. Apparently it is now too much to ask visitors to open a thread in order to view content. Now they just throw it right in the cattle’s faces in the overview. Anything to keep them scrolling I suppose.

Also there are the promotionals which take up a significant portion of screen real estate. Sites have no problem with crowding out the main content (the bait) with their own pleas to join various disservices and loyalty programs. And just look at how oversized everything is. I am convinced this is bleeding over from conventions established on mobile prisons.

When taking up most of your browser window isn’t good enough for them, they’ll just as soon throw a full popup in the way. The sneakier sites will even wait until a visitor has reached a certain section of the page to assault them with a digital billboard. Note that the CNBC example was begging about allowing ads. Again, I had nothing setup so either Firefox default ETP tripped something up or CNBC have now resorted to assuming visitors guilty of adblocking until proven innocent.

The New York Times took things even a step further by baiting the readership with only the first few paragraphs of an article before blurring the remaining text and demanding a subscription to access the rest. The funny thing is that the article text is all present in the plain HTML file, so those of us stripping out javascript and stylesheets don’t even notice this impediment.

NY Times are blatantly trying to hold their articles hostage. Anyone foolish enough to pay the ransom probably doesn’t realize they’re paying for something their computer has already completely downloaded in the background all along.

This last one was an interesting example of completely unnecessary features of the gigabloated sites of today. IGN have stuffed their pages with so much garbage that they actually implemented a “loading bar” to indicate the preparedness of a link you just clicked before displaying the new page. It stopped at about 80% and just hanged. It was my first and only click of the site. Good job, guys lol.

Maybe they were just trying to replicate the console gaming experience.

The web has become a virtual times square with resources fighting for visitor attention. When you hear laypersons lament how much they just hate computers, try to remember that this is what the average person is contending with. And it doesn’t have to be this way. My list at Web Content Blocker Tier List contains a breakdown of several addons, which I will try to keep updated.

Creating Graphs From Terminal

Thu, 11 Aug 2022 19:19:40 -0400

In the post about Visualizing Dependencies I shared a graphic relating some APIs. In the past, I would have painstakingly used something like GIMP or LibreOffice Draw to produce that. But recently I discovered graphviz, a brilliant command line tool to whip up complex relational graphs programatically. The more items you have to plot, the more sense it makes to use such a tool.

Let’s say you want to graph out a small social network. Create a graphviz file (.gv) and populate it as:

graph {
    Alice - {Bob,Carlos,Dan,Eve,Frank,Grace}
    Bob - {Alice,Carlos,Dan,Eve}
    Carlos - {Victor,Wendy,Walter}
}

Then pass the graphviz file to a plotter like dot:

dot -Tpng social_network.gv -o graph.png

An image file will be created in which the relationships will automatically get drawn in the most optimal pattern according to dot. There are other layouts as well. circo for circular layouts, patchwork for squarified layouts, and so on.

Also helpful is the directional graph functionality to indicate flow which can be declared like:

digraph {
    Dog -> Cat
    Cat -> Mouse
}

And if you want to export that as a scalable vector graphic it can be done with the -Tsvg switch:

twopi -Tsvg animals.gv -o graph.svg

I wish I had known about graphviz sooner, and I definitely wish I had known about it while going through school or when I had family trying to map out genealogy. It can also be used for flowcharts, block diagrams, lineages and is highly customizable. Just have a look at the man pages or the always fantastic Arch wiki. Whatever the appilcation, it is another good non-networked tool that can be used wherever you have access to a shell.

Reaching a Sound State of Mind

Wed, 10 Aug 2022 12:05:12 -0400

A major catalyst which has propelled our society into the perpetually rising shepard tone cycle of new hysterias is undoubtedly the crowded mental state which most people operate in. The human mind has never had to process as much incoming information as is demanded of it today. In a way, it is hard to blame the masses for outsourcing their thinking to others in a desperate effort to free up some thinking capacity for the things immediately present in life. But this has come at a great cost.

Do I say any of this as though I am immaculate of such behavior? Of course not. We have all, at some point or another, relinquished our guard when it has been convenient or demands have been too great. It is incredibly exhausting to be at constant alertness, hyperanalyzing the things you are being told about. And so people are unsurprisingly lulled into a sense that they are adequately informed by trusting the group consensus. Queue manufactured panics. Luckily, there are measures which can be taken to keep oneself out of this trap.

My own recovery to mental equilibrium began when I stopped watching broadcast television in my highschool years. It wasn’t some principled decision, I just grew sick of the commercials. And it was just a terrible delivery medium for entertainment anyway, where there was no control over what came through other than to change the channel. At that time, I was also an avid consumer of video game entertainment, mass media news sites such as cnn.com, popsci.com as well as other normie outlets, and of commercial non-free computer software.

A year later, I had started using adblockers on my browsers. Gootube and other sites suddenly became so much more spartan. I was better able to focus on what was being read and explored without autoplay garbage and interactive prompts getting in the way. I’d also made maneuvers to part ways with the early social sites that the public had only just begun to flirt with. Which was easy for me to do since I made little use of them to begin with.

Some sour experiences lead me to drop REEddit and the news of Snowden’s leaks had me migrating away from mainstream sites, engines, and other tech as I describe in my parallel journey of technological awakening. My hatred of all things advertising compelled me to ditch any clothing that bore branded logos. And, certainly by then, my trust in anything corporate news plummeted, though not being lofty to begin with. I had at least seen what manipulations Faux News had been able to exert on my family members.

I’d become more selective about what documentaries I watched and, in the process, came across works such as How Big Oil Conquered the World and Loose Change 9/11. I found myself actually taking the time to explore things more critically. I also deemphasized video and got more into reading, picking up books including; Manufacturing Consent: The Political Economy Of The Mass Media, George Orwell’s 1984, Four Arguments for the Elimination of Television, and some science fiction series.

By the time the scamdemic rolled around, I was already far outside the mass media bubble. I had only heard about its events through proxy and overhearing conversations. I naively thought it would be just another normie media health scare that would pass in a matter of weeks. The voices and communities I was already engaging had largely already migrated away from centralized platforms so I didn’t even notice the onslaught of bannings so many voices experienced so early amidst that hysteria. To my clean baseline perspective, it looked so bizarre to see people robotically reanacting “social distancing” platitudes all at once.

I had done such an effective job at cleansing media propaganda from my mental space that it has truly been, and continues to be, an experience akin to looking into a zoo exhibit from the outside. Like a space alien observing the antics of the dominant bipedal ape species of Earth. And that is the point one should strive for. To be able to look on with little stake in the ongoings of a demonstrably insane world. Make sure that your thoughts can operate in an enclave secure from the wailing of outside scaremongering and unattached, to the extent possible, from your own biases. The truth can be uncomfortable. And you can only realize certain truths once you become comfortable exploring the uncomfortable.

Your ISP Modem-router Is Hostile Territory

Tue, 09 Aug 2022 17:03:42 -0400

Even though most ISPs supply a “free” router, they should always be considered as external infrastructure not to be trusted. The line of demarcation in one’s local network should end at a device which is completely owned and controlled by oneself. There is just too much opportunity for underhanded abuse of the remotely managed ISP router-modem. And it certainly doesn’t help that many providers whitelist a strict set of approved third party devices for direct lease, if at all.

Providers are all too willing to change settings remotely and the settings exposed to end users are often inadequate. They also have a hard on for imposing firmware when it suits some new antifeature, like removing the local web administration functionality and moving it to their centrally managed cloud web panel. Or to use “your” router to supply wifi coverage to anyone out on the street, without your knowledge. Have fun trying to disable that malfeature. And, once they’ve decided that the router has been milked for all it’s worth, providers can refuse ever updating it again leaving the average user with no recourse but to obtain a new model.

All this in addition to the horrendous track record that SOHO router manufactures have in privacy and security. Some have been caught forwarding router traffic to partner organizations. Some exposed WAN exploitable backdoors. Many have been found with backdoor functionality implemented in such a way as to suggest plausible deniability [1] [2]. So even if an off the shelf router is still receiving updates, it cannot be assumed that the manufacturer themselves are acting in good faith.

Instead of staying on the hamster wheel, one should consider replacing the hostile equipment if possible. And if not, set it up in “bridge mode” or “modem mode” over to a trusted, user controlled router at the edge of the LAN. Consider placing the remaining ISP equipment inside a farady bag. Disable and opt out of as many antifeatures as you can on the provider’s modem-router and make sure the only attached device is your own router. It is not difficult to find a superior replacement.

Some possible options include:

LibreCMC - a fully free derivative of OpenWRT which is compatible with a few SOHO routers.
OpenWRT - a derivative of DD-WRT which rejects proprietary device drivers, compatible with several models.
DD-WRT - an open source effort that makes proprietary concessions to support the widest array of devices.
Roll your own with PfSense, perfect for installing to old desktops. Just get a fast ethernet expansion card.

Or something with any of the above preinstalled. The default configurations tend to be reasonable but could benefit from some customized DNS and firewalling rules. These options won’t stop your provider from intercepting traffic, but at least it denies them and others direct access to the heart of your local network.

The Last Time I Used Reddit

Mon, 08 Aug 2022 15:30:53 -0400

The last time I ever used reddit was to truthbomb r/linuxmasterrace with scathing comics I made in GIMP. At first it was all well received, but as I dug deeper with the anti-proprietary messaging, the fence sitters and resident proprietary authoritarians quickly grew to resent my u/EnjoyYourCensorship puppet. It was several years ago now and I forget if they kicked me (Redditors so probably) or if I just burned the account. The *masterrace groups tend to harbor the biggest hypocrites but that doesn’t mean there weren’t some cool folks along the way.

The run of comics archived here:

I would go back to turn up the heat again but I don’t think I could stomach using contemporary REEddit. That doesn’t mean that I’m no longer doing my dirty work. Maybe in a few years I can share the highlights from some of my current stakeouts.

Visualizing Dependencies

Sun, 07 Aug 2022 14:56:25 -0400

To better visualize how middleware can lock projects to specific platforms, one can generally create a flowchart of supported targets. A very prominent example being 3D rendering APIs and the battle that has been playing out to capture developer share. When looking at the following graph, ask yourself which starting point (red nodes) is going to offer the widest interoperability.

Any developer building their project atop DirectX or any DirectX reliant tools is effectively placing their software on a ball and chain to Window$. Even if the source code is available, the project would largely need to be rewritten or substantially modified in order to port it properly to other platforms. That is one of the goals of vendors who artificially restrict their APIs to certain platforms. I’ve seen it occur on a number of occasions, especially following Steam’s expansion into Linux, where a game developer pledges to support Mac and Linuxes but ultimately burns out trying to support builds on different APIs and ends up scrapping the effort. It is this developer tax which makes the exclusionary strategy so effective for monopolizing platforms.

And note how CrApple has completely avoided compatibility with open and industry standardized Khronos APIs Vulkan and OpenGL. They liked what Macrosuck did with their DirectX strategy so much that they decided to replicate it when they devised the Metal API. MoltenVK bridges this gap but it was made through no effort of CrApple. Gotta make sure those 3D programs don’t get freely built for your competitors… OpenGL techincally still works on Mac OS and iOS but it has been left to rot intentionally to keep development away from this interoperable solution.

Why Software Freedom Advocates Can Seem Obnoxious At Times

Sat, 06 Aug 2022 12:18:22 -0400

It’s happened just about everywhere. That guy who wants to interject for a moment, or those who attempt to put down any suggestion of your favorite software. It is a behavior not unique to free software proponents as this kind of chronic interposition is a product of anyone passionate about a topic they believe to be of high consequence. If you want the tl;dr then it is this: Malware affects others, even those who don’t use it.

The objection is similar to the rationale behind non-smoking sections. Others do not wish to be forced to smoke along with you. But if you use proprietary software, how is that forcing others in any way? Most directly is by friends or family who expect one to share or recieve media, join video chat sessions, or generally communicate online in any meaningful capacity through restrictive programs. They most often select solutions which deliberately force all parties involved to use one specific proprietary client. Such clients often only run on select proprietary operating systems. The message implicitly becomes “Use X if you want to be allowed to participate”, whether they know it or not.

Through the inertia that this creates, as a given crapware becomes more widely adopted, institutions begin to implement such restricted software as their primary (or only!) means of interaction. What happens once a certain technology ceases to be optional? In 2020 it became impossible in certain states to obtain or renew drivers licensing without running non-free software. Schools began imposing restrictive proprietary video chat clients as a requirement to participate. They forced students to infect their personal devices with spyware. In certain countries it even became impossible to enter stores and other public spaces without a smartphone. In come cases, citizens were even denied entry into their home country simply because they didn’t have a state-imposed phone application. Welcome to the world that you have built, proprietary software enthusiasts. Are you enjoying it?

The digital second-hand smoke also includes data collection. If you share a network with anyone running a Windows device, metrics about your network topology and available SSIDs are being gathered and sent to Macrosuck. Any conversations you hold around shartphones and personal assistants get catalogued. Email you send to Goolag gfail users (so basically everyone you know) is profiled and datamined. The same population who embraced a militant psychosis over not spreading perceived pathogens to others around them surely don’t seem to give a shit about the digital cancer they are subjecting others around them to.

Q1 2025: The age of machine learning is ushering in yet new forms of digital ‘second-hand smoke’ with automated profiling. ArsTechnicha makes a succinct observation:

even if User A never opts in to [Windows] Recall, they have no control over the setting on the machines of Users B through Z. That means anything User A sends them will be screenshotted, processed with optical character recognition and Copilot AI, and then stored in an indexed database on the other users’ devices. That would indiscriminately hoover up all kinds of User A’s sensitive material

Which leads into the long term effects felt by everyone. “So what if my data gets collected?” they might say, although it does affect you eventually… for example, when institutions begin modeling how populations will respond to draconian measures. Proprietary systems designed to catalogue your every action help to construct apparatus such as world similuation predictive models. It is an incredible power to have, to be able to know the thoughts of all individuals at all times, and to be able to craft narratives around that with immaculate precision. Rob Braxman summarizes the issue:

I’ve heard my own relatives say that people don’t mind that big tech can capture their thoughts because “it means that big tech can suggest what products to buy”. Surprisingly naive because big tech can also tell you what to think. Big tech can change society. Big tech can dictate what political views are seen and what are hidden.

The opinion molding class loves when you use proprietary surveillance platforms. Monopolists love when you become their deputized brand ambassadors, bullying your friends and family into using their products. One of the best ways to control populations, in macro, and individuals, in micro, is to get them hooked on technology which can control what they can or cannot do. Hooked into networks which control what they can or cannot see. Technocrats want for those who refuse participation in centralized proprietary slave tech to succumb to the harrassment and outcasting perpetuated by those who blindly obey.

So it should come as no surprise that some individuals advocating for the avoidance of proprietary traps can come across as obnoxious. They are fighting for their own freedom and for the freedom of others. They correctly recognize that they do not want to live in a totalitarian society enforced by digital mediators standing in the way of life itself. They will understandably get a bit loud at times and so consider that this might be why your suggestion to use $BIGTECH software got attacked so vehemently by those irritating software freedom advocates.

Advertising is a Cancer on Society

Fri, 05 Aug 2022 14:57:08 -0400

Advertisements are an adversarial affair. They seek to assault the minds of target populations and inculcate anxieties over what one might not have. Promotion of business has almost always existed in society, in some form, but it wasn’t until recent history that marketers were able to latch onto the coattails of printed media and later electronic media. It was those developments which spurred the monstrosity that today seeks to disrupt lives and even human thought itself.

The fact that titles such as “brand ambassadors” or “influencers” exists is a symptom of a parasitic force on society. Monopolists are not satisfied with just regulatory capture, they also want to capture ones own thought. They want to curate what people think about and the known ways to approach problems. And where they cannot succeed at influencing their way into people’s minds, they seek to force their way in.

This strategy is a bit like the rent-seeking of contrived subscription extortion. The goal is to get in your way somehow, usually by holding hostage something of desire, and then demanding your responsive action to advance beyond the barrier. Normsheep think they are “skipping” the ad when their javascript-ridden GooTube player mercifully allows them to click a button to stop an auto-playing ad. But by playing for any duration at all it has already succeeded in exposing their mind to the desired concept. As I explain in Advertising Should Now Be a Relic of The Past, they don’t need the viewer to actually like what they’re seeing or even to be consciously paying attention to it, they just need the message to get into the viewer’s conciousness.

In the age of interactive media where everything is becoming computerized with pervasive connectivity, anticipate that ads will become increasingly overtly in-your-face. They won’t just be a sound byte or displayed on a screen somewhere. They will be lived experiences, they will be your employer, they will be your friend (or become your friend), they will be toll collectors blocking your passage to a destination. If the advertising industry can parasitize an aspect of everyday life, they will.

We are dealing with an industry measuring in the hundred billions that doesn’t produce anything of value nor does it improve livelihood for anybody, rather, it reduces quality of life globally. We can fight it by minimizing as many vectors of entry as possible and by avoiding any electronic means of accomplishing things wherever possible. It is helpful if one has the resolve to achieve freedom from fear, living a self-sufficient life surrounded by friends, or what is known as ataraxia as proposed by Epicurus. Because pretty soon we will all need an “adblock” for life itself.

Learning Human Languages

Thu, 04 Aug 2022 00:16:34 -0400

Some may struggle to learn new languages because they take a top-down approach. They jump right into the larger overarching concepts and then anticipate tacking on the building blocks afterward. I am of the mind that one needs to begin with the mundane little things before moving on to formulate sentences. A bottom-up approach. It is what has worked for me anyway.

A few years ago I spent up to an hour each day while on break studying Japanese, beginning with the written characters and pronunciation and moving on through basic vocabulary and grammar. In the span of several months I had reached a basic transactional level in spoken comprehension and enough in reading signage (non-kanji) to be able to navigate comfortably. The writing system may be a non-issue depending on your native and target languages but it is the best place to start so you don’t end up accruing “technical debt” that needs to be revisited later on.

While there are a lot of great materials for learning Japanese, intermediate sentence clauses are not organized into one clean place so I wanted to share my own quick-reference for any other aspiring learners of the language. My idea was to place like and opposite structures adjacent one another, which for some reason a lot of resources seem not to do. This assumes one already knows basic どうし and い/なけいようし conjugation.

Sentence enders :

~てもいいです may do
~なくてもいいです don’t have to do

~なければなりません must do
~なければいけません must do
~なくてはいけません must do (lit. must not go without doing)
~てはいけません must not do

~てよかったです glad I had done/it was so
~ばよかったです wish I had done

~ほがいいです would be good to (advice)
~たらどうですか why don’t you… (strong advice)

~てほしいです want you to
~ないでほしいです don’t want you to　

~そうです it seems (drop the い/な in adj.)
~なさそうです it does not seem (drop the い/な in adj.)a

~でしょう it is probably so
~かもしれません it is probably so

~てくれてありがとう thanks for doing
~てすみませんでした sorry for doing
~てくれてください please do for me
~てもらいました was done (by someone else) for me

Sentence connectors :

~~のために~~ in order to/to the benefit of
~~のせいで~~ by the fault of

~~x ながら~~ while doing x
~~x あいだに y~~ y took place during x

~~たら、x~~ if, then x
~~x のに~~ even though x, despite x…
~~かどうか~~ whether or not
~~ようになる~~ became able to do
~~によると~~ according to
~~おかげで~~ thanks to

Sentence openers :

ところで、 by the way,
しかし、 however,
たとえば、 for example,
たしかに、 certainly,/surely,
そういえば、 that reminds me,
とにかく、 anyway,
とりあえず、 first of all,
まずは first of all
いつもどりに、 as always, つまり、 in other words, だいたい、　　　generally,

And if grammar is the scaffolding holding your sentence formulation together, then vocabulary makes up the plates forming the gangways. I found that Anki, as good as it is, was not readily available for ppc64el when I first began learning. So I took it upon myself to write a more portable flashcard program in bash.

flashcard.sh accepts text files with tab-separated list columns for the foreign word, its meaning, and optionally a middle column for its native script, if not studying in romanized characters.

flashcard.sh /path/to/cardset

After you begin a session, flashcard.sh will iterate through all the cards in the deck, while saving the cards you haven’t memorized yet into the next rotation. This continues until all the cards have been memorized. The first column vocabulary is presented alone before revealing its meaning. I recommend deck sizes of only one or two dozen vocabulary that share a common topic. Example deck.

Hopefully, this page can act as what I think can be a decent fast reference for learners who are no longer just starting out.

Last updated: June 14, 2024

The Alt Media Are Masochists

Wed, 03 Aug 2022 12:41:16 -0400

It has been amusing to watch, from a safe distance, the progressive stasi and the neoboomers clash over control of information flow on the web. It has almost always ended with the Qoomers getting kicked to the curb as institutions pick their favorite side. One would think that they would examine the situation and conclude that it is time to build their own infrastructure with blackjack and hookers. But instead they consistently run back into the arms of their abuser like a desperate lover.

Take, for instance, Parler when their choice to run with AWS lead to lots of bawwing when Amazon predictably suspended their web hosting on political grounds. They also had mobile applications pulled from walled garden Goolag Play and AppHell App stores. And, like any good subordinate, they went and submitted to all the demands necessary to get back into the controlled thought box. The same thing happened to Gab when their phone drone application was removed, even by F-Droid (How’s that “free” software repository working you for ya?). These moves prompted their founder to go off on a tirade:

Come Monday, it’s on with Apple. We are done playing games with their double standards. It’s about to rain free speech.

As though it were possible to bully supranational technocrats into accommodating you on their own turf. Like the others, Gab got in bed with big tech to earn a place eating table scraps. You can never truly be free as long as your adversary continues to also be your landlord. And why are they still using platforms capable of dictating what you can and cannot install?

Alt media, particularly those on the right, decry censorship while at the same time salivating at the prospect of being “reinstated” on tyrannical platforms. And when they return to the cell block, they make sure to self censor so as not to anger their masters again. They can be found using infantalising code words and outright stating “We can’t talk about that”. And yet being allowed back is cause for celebration? Even being unpersoned does not seem to motivate these people to setup their own online spaces.

And the safe havens they pick can hardly be called champions of freedom.

Alt Video Host	Brighteon	Rumble	Bitchute	BrandNewTube	Odyssee
Censors content	Effectively	Effectively	Yes	Yes	Effectively
Uses Cuckflare	Yes	No	Yes	No	Yes
Requires javascript	Yes	Yes	Yes	No	Yes
Centralized	Yes	Yes	Yes	Yes	Effectively
Big tech 3rd party resources	Yes	Yes	Yes	Yes	Yes

Often the platforms they deem as saviors will even turn against their own kind the moment anything “offensive” arises on a “free speech” platform like Gettr. AuthRight pleaser Truth Social has also demonstrated such double standards. How many times are Alt/Lib-Right going to need to experience getting bitch slapped before they realize that the only way to self sovereignty on the web is through self hosting, decentralization and libre technologies?

VPNs are Misunderstood by Many

Tue, 02 Aug 2022 12:21:39 -0400

VPN services are being shilled everywhere, on privacy sites, in just about every techtuber channel and by the masses on forums. It has gotten so loud that even the boomers in my life are openly inquiring whether a VPN is worth their effort. I think it often gets missed that VPNs are just a tool which can in only bring benefit in some applicable situations. It seems that those who have just begun exploring internet privacy and security treat VPN services as a magical cloak, and when your only tool is a hammer then every problem looks like a nail.

It doesn’t matter what the marketing says (In fact, never listen to marketing), VPNs only address two aspects of your online signature:

Conceal your WAN IP address from the destination servers or peers.
Obfuscate traffic from network observers such as your ISP or other devices on the LAN.

One is essentially only rotating ISPs through the use of VPNs. When you connect over one, you are only shifting the trust over from your real ISP to the VPN service. And that’s the thing; its model is trusted, not trustless. VPN services can only ever be used for privacy, but never anonymity. It doesn’t matter if you’ve paid in privacy coin or use a free service, they still see you connecting from your real WAN IP address. Anyone seeking anonymity should consider something like Tor or I2P instead.

While this limits the scope of useful applications, that is not to say that VPNs are useless either. They are a perfectly valid means of:

Circumnavigating geographical IP blockades.
Accessing sites which have blocked your real IP address.
Concealing file sharing activity from ISPs subject to tyrannical copywrong jurisdiction.
Interacting with P2P peers who may abuse knowledge of your real IP address.
Protecting traffic while on potentially hostile (W)LANs.

It may be inadvisable to constantly remain on a VPN connection. Giving your holistic fingerprint of network activity over to some exit point can serve to correlate it with where it appears elsewhere. I would recommend shutting down any email or IM clients and logging out of any web services before enabling a host-wide VPN to conduct any of the above activities. Or use application isolated VPN routing. And consider only using the VPN connection for the duration of the necessary activity. If you have any networked applications that you want to conceal 24/7 it is much better to Torrify them through socks proxy.

Contrary to popular belief, VPNs do not make you anonymous. They do not make you untracable. Use appropriately and be realistic about the use cases before diving in to sign up for the flashiest, slickest marketed, hardest shilled, hot new VPN service.

What I Learned From Running Minecraft and Minetest Servers

Mon, 01 Aug 2022 15:51:58 -0400

Starting in 2010, I began running my own Minecraft servers haphazardly until about 2015. Between 2015 and 2018, I also dabbled in hosting Minetest servers. It imparted some insights about people as well as the technicalities of running such a service. Things may be different now but I wanted to share some findings. These are in no particular order.

1. Don’t waste your time vetting players

If you put new users through some kind of purity test, it is only going to bottleneck active user growth. Reserve whitelists only for those instances intended for your IRL friend group. If the security model of your server world is so inadequate that you have to trust people not to be malicious, then you really need to reexamine your protection measures. At least borrow this bit of philosophy from the software development field: Always assume that the user is an idiot. And then build around that.

2. Expect players from everywhere

Open servers will see connections from many different countries. Some players do not view >200ms ping as any sort of impediment. You may think “Great, I’ll just machine translate the guide book into Spanish as well” and before you know it, players will be asking questions in languages you have no capacity to understand. A substantial Malaysian population accrued on one of my Minetest servers, so I even went the extra mile and tried to learn some very rudimentary Malay. It was not a casual endeavor so I had to give up and resign myself to the fact that the server world would have these isolated communities behind a language barrier.

3. Don’t waste your time creating an elaborate spawn town

Players seldom visit spawn and they pretty much never read the rules. Just place some basic amenities and some signage pointing to areas of interest. Literally just a basic shack will even suffice.

4. Never base the economy on any non-scarce material

I once set up a world bank that would take gold in exchange for credits, the standard currency. I felt like giving newer players a fair chance as well by allowing players to receive a very small sum of credits in exchange for beans and soups. We ended up with players who produced and deposited absurd amounts of beans and inflated the entire economy. Actually, this might be a good way to introduce people to Austrian economics.

5. Never start any big projects with anyone but yourself

Others will always lose interest and move on to something else halfway through your collaboration. It doesn’t matter how grand or how modest the scale. People generally have the attention span of a goldfish.

6. Be prepared to clean up the following things

Have administrative tools ready to remove the inevitable defacements; dirt/cobblestone towers, water & lava griefs, giant cobblestone swastikas, giant cobblestone penises, mesecon/redstone “lag machines” & “noise machines”, obsidian blockades and arson. Don’t delude yourself into expecting to do so by hand.

7. Treat it like an ant farm

Don’t try to control what anyone can or cannot do, don’t intervene in anything other than outright defacement. Check in from time to time to see the progress your visitors have made but don’t let yourself become involved.

8. Maintain a “normal” player account secretly in separation from your admin account

Don’t allow players to ever make an association between your privileged account and normal account. This will help to dodge all those needy Dutch/Spanish/Tagalog speakers that always want something from you for some goddamn reason.

9. Phone drones

Minetest allows mobile users to play on the same servers as everyone else, which is good in theory. They will complain about the mods being too strenuous to participate (as if expecting you to turn around and say “Oh, let me fix that right up for you! Right away sir!”). That’s their problem. Their builds generally suck anyway.

I sometimes think about spinning up another Minetest server. But then I remember all the litterbox shoveling it entails. Maybe if I can automate all the routine upkeep. Or maybe just give them an anarchy map and say “Here you go guys, the map resets itself every two weeks. Enjoy.”

My Own Journey to Free Technology

Sun, 31 Jul 2022 12:24:44 -0400

Despite the staunch views I now hold, I have not always been immersed in libre technology. In fact, I grew up in a family with IT roots under parents and grandparents who worked, in some capacity, in tech. The home of course was placed entirely on Macrosuck products which, in the course of this journey, I had to work to break away from. And perhaps that is why today I have such an intense perception to platform lock-in. WARNING: Long post ahead.

1993-1995

The earliest system I remember using was some MS-DOS (don’t ping me for details, I was literally a toddler) Dell media center desktop. It had the first text to speech synthesis I’d ever encountered, some flip book animation program, and a couple of games. I would later research to discover these games were Cosmo’s Cosmic Adventure and some other Apogee Software titles. And, being a DOS system, that Dell provided me my first contact with any command line interface.

1995-2002

Later we had gotten a family desktop running Windows 95 (or 98, again, I was just a kid) as our first internet connected machine running over dialup. Around that time I began experimenting with writing “books” in Office and tried, while failing miserably, at creating animations in Dreamweaver. I didn’t actually use the internet much except for Starcraft battlenet. Among the other games were Lego Island, which is now something of a cherished relic in PC gaming.

2002-2009

That desktop was eventually retired in favor of a Windows XP laptop, but by then I had gotten my own personal Dell Dimension series desktop. That was the first place I began digging around in the internals such as replacing the mouse cursor with an animated cursor (I templated it from the racoon character in the Gameboy title Links Awakening) and system sounds. Issues with games drove me to do my first operating system reinstallation and driver setup, from disks. Years later I ended up installing a graphics card, a new hard drive, additional memory, and a wireless adapter. It was then that I realized it is even possible to build a computer entirely from individual components.

But before I had any chance to explore computer building, I brushed paths with Linux. There was a Popular Mechanics article around 2003 or 2004 that detailed turning an Xbox into a full PC by installing some distro. I ended up researching what this outlandish “Linux” thing was only to fall in love with the flexible animated GUI (compiz) videos and people showing off Ubuntu with a rotating desktop cube workspace. Without a second thought, I went ahead and burned an Ubuntu download to a disk and tried to install it on my Dell Dimension. It failed because my BIOS didn’t recognize the disk. I also tried installing it on the family laptop only to reach the same issue. In retrospect, my noobish self probably just incorrectly burned the disk as a non-bootable or incorrectly formatted media.

So I gave up for a while on pursuing Ubuntu and refocused my effort on finally building my own PC. I drew up some plans around a cube case chassis but never had the money to go through with it until I was old enough to work.

2009-2013

It was in 2009/2010 that Minecraft had finally pushed me over the edge. Trying to run such an intensive game on a single core Pentium 4 proved a woeful experience. And when I investigated upgrading the motherboard, I discovered that Dell underhandedly uses their own fastener layouts to prevent standardized motherboard form factors from being installed. That’s where I first encountered the term “proprietary”. So instead, I took up a temp job to save up for parts and, by then, the Intel Core i series had been introduced. I ended up building my dream system consisting of:

Intel Core i7-2600
16GB DDR3
Nvidia Geforce GTX 560 TI
Some cheap Biostar motherboard
A 1TB 7200 RPM hard drive

All stuffed into a compact micro ATX case and installed Windows 7. As far as gaming goes, it was a breath of fresh air. I did what any young guy who just built a computer would do and put it through the gamut of high end games. That year, a movement was beginning to take off in the form of REEddit’s r/pcmasterrace. I was keen to hop on the bandwagon immediately and shit all over console peasants. Somebody made an edit to the master race hierarchy meme, placing “glorious Linux master race” over the king’s throne. I didn’t understand his criticism at the time. As r/pcmasterrace grew, it became painfully obvious that many there only cared about access to games.

PCMR got flooded with members who constantly made exceptions for consoles, especially Nintendo, ignoring the whole point that exclusivity and artifical barrier building is responsible for all the pointless restrictions we were fighting to begin with. I made a breakaway group which maintained a focus on choice and freedom against things like DRM which accrued a paltry following. But that exercize only made clear to me just how few people actually were into PC for the choice and freedom. It had become obvious that PCMR wasn’t and couldn’t really be my tribe.

In the meantime, the Minecraft experience had me finally dive back into Linux to host a server. A friend of mine had donated his old desktop to me, a dual core Pentium D Dell Dimension, which was perfectly capable for a small server of 2-6 players. I took a very brief crash course in MineOS (My appeciation to Wil Dizon “Hex Parrot”, all these years later) which is where I first cut my teeth in Bash terminal. It gave me a familiarity with SSH remote management, changing and moving files in terminal and setting up services such as Mumble. By then there were several spare computers available to me to play around with finally installing Ubuntu on, but I was perturbed by the Unity interface and once again wrote off the idea of running Linux on my main desktop.

2013-2015

That first build gave way to a smaller ITX system since small form factors are a favorite of mine. It was built with the intention to use the up and coming Window$ 10 and I had already been using 8.1 for some time. There wasn’t much thought of Linux until somebody rather close to me found themselves stuck with a Chromebook, keeping them from participating in games with the rest of my group. I thought “simple enough, I’ve heard Chromebooks can be freed with ‘Linux Mint’”, offered to take the laptop and liberate it. An install guide suggested dropping into developer mode after removing a write-protect screw from the motherboard, and overwriting everything with the Linux Mint installer. The interface was so intuitive (unlike Ubuntu at the time) that it left a very good impression on me.

It was shortly before that Chromebook liberation that Edward Snowden brought the world’s attention to the massive spying ring being run by the US and other governments. Already, I was uneasy with the prospect of Window$ 10 introducing a cloud assistant, Sky Drive (One Drive) and connected Microsoft Accounts. In retrospect, I was a fool to even have willingly used 7 or 8. I then committed fully to ridding myself of all things Microsoft, Google and whatever other crap I’d been using. But there was a problem: I still had projects tied up in Window$-only software.

I had a game project in Unity, which I ended up conceding to the abyss of vendor lock-in. But I also had home movie projects that were tied up with Window$ Movie Maker (XP version) that never rendered out due to Movie Maker’s crash prone nature. The rescue consisted of installing Window$ Vista Movie Maker which was still compatible with XP’s .WSWMM format. From there, the projects were saved to a newer format accepted by Window$ Live Movie Maker which could finally render the pieces without crashing. Once that was freed, I could finally install Linux Mint.

Linux Mint was still packed with proprietary soyware but my main goal at the time was to maintain as much compatibility as possible with the things I had extricated from Window$. This was during the transition period that AMD had going between fglrx proprietary graphics drivers to amdgpu open source drivers. I still made sure to keep proprietary wireless firmware, Steam, Minecraft & MCEdit, 7Zip, and even a period of time with other crapware like Goolag Earth since I hadn’t yet discovered Marble. My backup scripts, originally written in Batch, needed to be adapted to Bash which taught me a whole lot about the right and wrong ways to do things in shell scripting.

Next, I began converting my files into free formats. MP3s became OGG Vorbis, .rtf/.doc(x) turned to .odt, and Minecraft worlds converted into Minetest worlds. Tools needed replacing; Sony Vegas was replaced with Openshot and Kdenlive, Bandicam replaced with OBS Studio, among others. It forced me to reevaluate how I did everything with computers. And, often, the libre solutions were more minimalistic. A trend which delighted me.

2015-2017

Eventually, it became obvious that Linux Mint was too cluttered for me. I didn’t want to have to deal with opting out of proprietary defaults. Debian became the clear choice, being upstream, and being possible to install via netinst as a blank slate. And my time at some FOSS conferences made me aware to the issues of proprietary BIOS firmware and the hardware rootkits that were being built into CPUs. So on the systems I had at the time, I was disabling AMD PSP where possible and building up my fleet of pre-ME/PSP boards. I even reached out to an engineering firm who had been doing Coreboot ports and they qouted me $10,000 for one of the Opteron boards I had. A price that was prohibitive which wasn’t too much of an issue since that same firm went on to produce their own motherboards a few years later, much more affordably.

The system was rebuilt, minimalistically with Debian, around using libre wireless firmware and without proprietary packages outside of firmware-amd-graphics. It served well for two years while I made excellent ground in my security & privacy goals. This was the first time I hadn’t really played games as the device took on more the role of a tool than a toy. It is also where I graduated from scripting to programming. I was dipping my toes in writing game mods. I developed a front end suite for orchestrating the monitoring of system security tools. And those older scripts that handled my backups became overengineered in the midst of my enthusiasm.

2017-2019

By now, I was using almost entirely self hosted solutions and my dependence on external resources were reduced to a minimum. I finally got the Unix philosophy and building solutions for only one’s own needs. The findings and guides that I have been distributing really took off around this time. I cut all things wireless out of my setup. My work in the professional field opened me up to just how great ethernet really is.

2019-Today

My latest computer was built around one of the motherboards produced by that aforementioned engineering firm. I finally have a system which does not try to manipulate, force or spy on users in any discernable capacity. Something which I trust and, through a long road of experiences, now understand many of the internal components both hardware and software. It’s been so successful that I haven’t had to even consider any new build since. I think I’ve finally found a fitting tribe, and they are not gamers, not enthusiasts of shiney new tech, and not permissive open source updoooters. They are those who can see the dilineation between technological freedom and technocratic tyranny.

I was also introduced to the suckless philosophy. And, while I have yet to adapt all my tooling over to suckless solutions, many are now minimalistic TUI or command line programs. In fact, losing the display server on my system wouldn’t be too much of an impediment, albeit quite inconvenient. In an odd way, I have come full circle all the way back to that kid in the 90s who was just messing around with command line on a minimal, simple desktop. I do wonder how much more advanced my knowledge would be today if only I persisted in trying to get that Ubuntu disc to work 17 years ago, or if Canonical’s Unity desktop hadn’t been so repulsive. It’s a journey and, if you’re anything like my former self, start exploring liberated tech now rather than later.

The Lie That Phones are More Secure than Desktops

Sat, 30 Jul 2022 13:12:02 -0400

The Hated One has recently pivoted into doing mobile phone content. I actually respect most of his work, although his recent video Why phones are more secure than desktops has me wondering if a brain parasite has taken over his mind. He goes on to argue how anyone concerned with privacy and security should be using phones instead of desktops, making some contradictions along the way. I’ll try to keep my interjections to a minimum.

If you want to maximize your digital privacy and security you should use your phone. … The modern phone security model allow for a much greater protection of your sensitive data than any desktop offers today. … Any issue you can criticize a modern phone for is several times worse on a desktop equivalent of it so let’s tackle some of these myths real quick.

Hmm, interesting. Let’s explore some of these myths.

You might have heard plenty of times how these mobile devices were designed to track all of our movements and activities and that’s all they do but this is a factually wrong assumption because the exact opposite is true. If you believe this notion you probably don’t know that android apps have no access to your phone’s hardware identifier since android 10. You can revoke background location access or even foreground location access if you haven’t noticed any of these ubiquitous ad permissions prompts you see in the pop-up dialogues in your phone all the time are virtually non-existent on any desktop. If you go to your phone’s privacy settings you will find plenty of toggles that allow you to harden your security and limit what data apps can access. It’s amusing and tragic at the same time how many people suggest linux as a privacy alternative to phones when no such extensive privacy settings exist on pretty much any linux distro. Even windows has implemented more permission toggles and that system is a data collection hub.

From this we can glean that he definitely is talking specifically about desktops running Linux. Here’s the thing about privacy permission toggles: they only need to exist on platforms which actually collect your data. Since the vast majority of Linux distros don’t, there is little reason to present the user with a privacy settings panel. And those who are interested in battening down the hatches will dive into the internals for things like sysctl, custom kernels, mandatory access control and so on.

Also, just because individual mobile applications can be cutoff from location data (assuming one can even trust those software toggles) does not mean that the phone itself isn’t tracking location in realtime. And good luck preventing that as long as the baseband processor is present. It is disingenuous to claim that phones don’t track movement activity. False claim, dubious supporting info. Next.

Both android and ios were designed with a thorough threat model in mind. For example android’s threat model assumes your device could be stolen or the police might want to unlock it against your consent. To mitigate this threat, android developed a secure keystore implementation that generates and stores your undevised encryption keys in a tamper resistant hardware. This hardware bound key implementation was designed so that it is impossible to extract your cryptographic keys without your lock screen passcode so not even a full kernel exploit or system compromise can access your secret keys. All modern phones are encrypted by default most desktops don’t even offer it as an option and those that do have no or limited mitigation against brute force or cold boot attacks. Full disk encryption has been abandoned since android 7 due to its limitation of not being able to protect the encryption keys. There is virtually no protection of your desktop encryption once someone has physical access to it.

The Hated One hasn’t heard of LUKS? It is available on pretty much all distros and offered at install-time in many. He conveniently switches the focus from “Linux desktops” to “most desktops” to make this point. And what happens when somebody has physical access to the phone, like those police in the android threat model? They clone its image and then effectivly gain unlimited unlock attempts at the phone’s lock screen passcode. Physical access compromise is not unique to desktops. In fact, it is more likely that a mobile phone will come into the physical possession of an adversary.

Modern mobile operating systems implement defense in depth mechanisms that eliminate the ability of malicious software to access your sensitive data much of this is done via exploit mitigation, attack surface reduction and isolation. Isolation and containment is where the differences between desktop and mobile security models are most visible to the end user. For instance when I install a password manager app on my phone I can reasonably assume no other app is going to be able to access this data or log the keystrokes during password prompts. This is ensured with the application sandbox that strictly limits how apps can communicate and share data with each other and the system. If my password manager doesn’t allow a certain ipc mechanism no other app can reach it. This straight permission model enforces this consent. If I use the same password manager on my desktop machine, the only defense mechanism I have is the encryption of the password database. It’s easy for malicious apps on my desktop to steal my password database and brute force it locally. There is no permission model that would restrict other apps access to my password manager database.

He’s pretty much insinuating that exploit mitigation, attack surface reduction and isolation are not a thing on Linux, which is also completely false. Attack surface reduction is best achieved by installing only what you need, which is nearly an impossible feat on mobile OSes. Try uninstalling that facebook app. Go on, I’ll wait lol. And isolation is one of Linux’s fortés with tools like AppArmor, which can be made to confine all userspace programs in the same way that mobile OSes do, SELinux (which Android quietly uses for sandboxing, but The Hated One doesn’t tell you that) and Firejail. Users seeking even more extreme software isolation can even look to implementations like Qubes. Lastly, libre desktop operating systems seldom deploy software which tries to snoop on user input so there historically hasn’t been as much need for Linux desktop users to worry about this.

Privacy oftentimes balances between anonymity and security and sometimes trade-offs have to be made. For example the most secure way to install apps is through an official app repository. This is due to multiple reasons, mainly because of the app sign-in requirement which makes sure the app is coming from the developer and not an untrusted party. Various repositories have submission checks or a vetting process that eliminates the presence of malicious knockoffs. For instance the problem is that the only way google and apple allow you to use their app stores is after you sign in with a real phone number. At best, this is going to be pseudonymous because it’s hard or impossible to obtain an anonymous sim card and phone numbers will always be tied to an approximate location. This allows app stores to collect your app usage data or by the very least your app list which can be used to fingerprint you. On linux, on the other hand, you can also install apps from a repository but you’re not required to create an account. This is beneficial because the only identifier left pretty much is your ip address which can be obfuscated with a vpn or tor but that’s where the benefits end because linux app stores have no permission manifests and all linux apps you install are immediately granted access to all user data based on your logged in account. So while you can’t expect to be anonymous on a stock mobile app store you’re at least reasonably secure and private. On a desktop repository you could maintain anonymous to a limited extent but everything else is subject to a huge amount of trust in every single app you install.

The video transcription originally had “app repository” as “ad repository” which I found rather fitting. So he pretty much admits that mobile software stores are a panopticon but it’s somehow okay because “at least they’re vetted so you can trust them”. O rly? 1 2 3 4. Most distro repositories do have uploader and maintainer guidelines, with signatures made to mitigate against tampering on it’s way to the end user. And this whole notion that privacy and security are somehow at odds is complete misdirection. It is often impossible to achieve one without the other.

Many zealots in the privacy community, if such a thing even exists, do not make a distinction between services and platforms.

Services and platforms are often one in the same. The real distinction is between platforms and protocols, about which I made an entire writeup contrasting the two.

Android means a lot of completely unrelated things to a lot of different people but in reality android is just a free and open source mobile operating system. It has no google apps or services, no pre-installed bundles or bloatware it is a very clean and user-friendly operating system that’s available for everyone for free. It’s important to make this distinction because it’s possible to use an android device without any privacy invasive apps and services. The android’s model allows for it. Android is private and safe by default. It’s best if you can use it without privacy invasive services such as the google play store. This is best achieved on graphene os. But even if you can’t use your phone without them, it’s not all lost. You should still go through the privacy settings of each of these services and disable all the location you’re not comfortable with. What’s neat is that that even stock android allows you to create multiple user profiles. You can use these profiles to compartmentalize your online identities and have separate profiles for work, personal life and online banking, for instance. Much of your privacy depends on how you use the tools at your disposal.

“Android is great, guys, really but use graphene OS instead” *hand rubbing*. This is admission that he knows he’s peddling bullshit. The stock Android build is pretty much never what you get as an end product. Vendors load their images up with all kinds of crap.

Another common misconception that’s extremely damaging, yet too popular, is that iphones are just inherently more private and secure than any and all android phones. But this, again, is not true. There is nothing that iphones do fundamentally differently than android phones when it comes to protecting your private data on your phone. Especially protecting them from third-party data collection. The “what happens on your iphone stays in your iphone” is a disgustingly misleading campaign. Android protects their data just as well as ios. Where iphones generally trade better security updates, which are important but more and more android vendors are starting to catch up, especially pixel phones, that in many cases beat iphones in hardware security. If you’re buying a phone for privacy, pixel phones from google or the latest generation iphones are going to be your best bet. Pixel phones will let you go miles further than iphones if you decide to flash graphene os on them. That way your phone will be significantly protected against even unknown vulnerabilities and zero-day exploits and it will completely anonymize your device. But, other than that, this whole myth that ios is just infinitely more secure or private than android is just a gross lack of understanding of the security models of these systems.

I had to recompose myself from a bout of laughter after reading the phone recommendation. “Protected against even unknown vulnerabilities” that’s an interesting hypothesis. “Completely anonymize your device” even though you just admitted it’s a surviellance panopticon in the software repository argument? We don’t get any eloboration on those.

Mobile operating systems are constantly improving their security with every new release

And desktop distributions aren’t?

Their ultimate goal is to make individual vulnerabilities impossible to exploit

Good luck with that, also their ultimate goal is to track and advertise. Where are you getting this ridiculous delusion?

and increase the number of vulnerabilities required to bypass the security model. And, to a large extent, they have already achieved this goal. It usually takes a chain of exploits to hack a mobile device, both with physical access or remote code execution. The market prices for zero day exploits illustrates vividly how much ahead phones are as opposed to desktops.

Or it just reflects just how many more targets are now using mobile…

Android exploits are currently the most expensive ones followed by ios exploits both costing millions of dollars. Compare that to desktop exploits and you’ll immediately see the difference. It’s night and day. More privacy shouldn’t come at a cost of security. Phones aren’t going to be perfectly private out of the box. There is still plenty of room for hardening to do

So he’s arguing about the theoretical ceiling, not the defaults, making the whole premise even more dubious.

but the base features of mobile security are years if not decades ahead of desktop os’s. It’s easier to take advantage of mobile security while understanding where you need to take steps to safeguard your privacy than blindly trust much more inferior desktop systems that offer no substantial defenses. This channel has an extensive library of videos that will teach you a lot about online privacy, anonymity and security and I will be updating them with new videos that go even further on my patreon page. I dedicate two weekly episodes to discussing these issues even further and going even more in depth with my research. All of my work is free from corporate influence

Everything I just read above suggests otherwise.

“Just get a backdoored scrying mirror to be safe from hackers, bro!” I even went back through his videos to check whether he’s talked about mandatory access control before, so he cannot claim ignorance. Almost all of The Hated One’s videos since this upload have been shilling for phones in some way. Smartphones, in their current form, simply cannot be taken seriously as a privacy/security platform. His conclusion is basically telling people to get a Goolag phone, which cannot be trusted at the hardware or firmware level, and praying that replacing the OS and applications will somehow fix this. Let me share some insight:

The “stack”:

Programs
Operating system
Firmware
Hardware

Any compromise in the stack below a given component automatically invalidates any trust those resting above might have had. Tell me, which phones are running auditable, open, user controlled hardware and firmware?

And, in this mythical threat model, he keeps coming back to privacy and security somehow standing in opposition to one another. This couldn’t be further from the truth. Hardening a system is going to unavoidably increase privacy as well. The only other places I see security and privacy being billed as a “trade-off” are mainstream tech publications and REEddit-tier discussions. Something isn’t right here.

I can’t help feeling that The Hated One has begun falling off and I can no longer confidently point interested learners to his channel out of concern that they encounter such misdirection. Maybe it would be different if the works were presented more honestly like “Hey guys, phones are terrible and should be avoided, but if you absolutely must use one here are some bandaid solutions that might make them a little less tyrannical”. I speculate whether he might only be pivoting to phones in an effort to increase viewership. Hopefully he comes around on the issue since it would be a shame for one of the stronger voices in privacy and security to become just another big tech shill.

Idea Pool and Roadmap

Fri, 29 Jul 2022 08:51:29 -0400

I have been working through a backlog of topics that accumulated during a period of downtime starting in 2021. Which is what has facilitated daily postings as of late, but I will eventually exhaust this buffer. Once that happens, I will make an effort to keep sharing original ideas between one to three times a week. This will also help to prevent drowning the older writings out of sight. Looking at my notes, there are roughly two weeks worth of subject matter to catch up on. Just FYI.

I also want to share a bit of a roadmap. These are some things I would like to eventually implement:

Contact form
Comments
A proper webring / web constellation
A better tip jar
Migration to a proper web host

An email contact would be nice to have but I don’t want to put it up in plain text. Maybe it can be one of those cryptic visual links to obfuscate from spam bots. Both a contact form and comments would be very difficult to implement without using some kind of third party resource which I would absolutely detest. A colleague and I are currently exploring the feasibility of different webrings, or even a hyperlinked map of connections between the various peer sites.

It is probably unavoidable that Wrongthink will eventually outgrow Neocities. When that time comes, I’ll be sure to post notice clearly in advance of any major changes.

Fixing Comparison Memes

Thu, 28 Jul 2022 14:22:30 -0400

One trend I notice among all the Windows vs Mac vs Linux memes that have been made over the years is that most try to paint Windows as though it were some reasonable middle ground. I think a lot of it has to do with the authors trying to rationalize their own continued use of such a treacherous system. Microsoft is just as guilty as Apple, as explained in The Hypocrisy of Decrying Mac While Lauding Windows. You have probably seen one which makes analogy through vehicles:

Let’s make some corrections:

Or how about the one using dogs as comparison?

Windows… strong and fast? Riiight. Let’s fix this:

Also the sled dog team is in peak physical condition while the leashed pets are sickly and untrusting.

Picking Your Allies

Wed, 27 Jul 2022 00:46:19 -0400

The fragmentation of an already small ideological alignment can be devestating for those trying to set and achieve even modest goals for the wider group. It is even likely that the divisive flames are fanned by common enemies all too eager to see it induce infighting. When one finds oneself being viciously baited into despising another group for not being ideologically similar enough, one must contemplate why this might be. At what point do the smaller differences get shelved, at least temporarily, in order for like groups to secure ground in their own figurative Battle of Castle Itter?

In my article Asymmetry of Digital Literacy Between the Political Divide I highlight some things that the LibLeft and LibRight might benefit from cross pollination between one another’s strengths. In fact, I would argue that ancoms/LibLeft, ancaps/LibRight, minarchists, constitutionalists and even the Alt-Left/Right share more common ground than otherwise thought. Stripped down to its essence, the demarcation line forms between those who seek power to wield over others, and those who simply wish to go about their lives unmolested.

Parallels can be drawn through the same fracturing found between open source, free software, public domain and the various other instantiations of source-available software. If you’re an organization or institution looking to deploy or sell a software, then it might matter which type of licensing is at play. But at the individual scale all that really matters is whether you, and/or others, have access to view and modify the code. In this way, I would consider leaked, stolen and reverse engineered code under the same umbrella of other liberated software even though one cannot legally sell such software. You either have the code, or you don’t.

Even Richard Stallman concedes that there is significant overlap between what counts as free/libre and what counts as open source in Why Open Source Software Misses the Point of Free Software:

Another misunderstanding of “open source” is the idea that it means “not using the GNU GPL.” This tends to accompany another misunderstanding that “free software” means “GPL-covered software.” These are both mistaken, since the GNU GPL qualifies as an open source license and most of the open source licenses qualify as free software licenses. There are many free software licenses aside from the GNU GPL.

Cory Doctorow painted it clearly with the wisdom that one should care both about the motives and outcomes of software freedom efforts and to take allies wherever one can get them. If another group would overlap even partially on an ideological Venn diagram, it is time to consider building some bridges. Let’s try to make a conscious effort not to allow much larger adversaries, be they software monopolies or violence monopolies, to sow division among our already diminutive communities.

A Blueprint to Divorce From the Beast System

Tue, 26 Jul 2022 14:44:43 -0400

Anyone looking on in horror as a totalitarian technocratic global police state gets erected in the name of public safety™ has probably been ruminating on ways of avoiding it all. There may be no perfect one-size-fits-all strategy to follow, but there are tools and concepts that can get one well on their way to divorce with the system. Some of which may only be tenable for those living outside of densely crowded nations, so your mileage may vary.

Cheap Rural Land

Getting away from urban centers may be obvious. There is acreage of rural land to be had for cheap (Note: even though ruralvacantland’s owner shares the same name as Luke Smith, this is not the same Luke Smith who also advocates moving out to the country, it is just a funny coincidence). Such land can be purchased on just a few months of savings as one should always strive to avoid entering into a death pledge. And rural property has relaxed building codes with lower overall taxes. I’m told that some demographics even get to enjoy reduced or no property tax. Most importantly, you will have distance between yourself and whichever next crazy witch hunt hysteria surges through the oversocialized masses.