Use -- instead of --- for em-dash Signed-off-by: Anirudh Oppiliappan <x@icyphox.sh>
Anirudh Oppiliappan x@icyphox.sh
Thu, 28 May 2020 18:09:40 +0530
35 files changed,
300 insertions(+),
299 deletions(-)
jump to
M
bin/rss.py
→
bin/rss.py
@@ -2,7 +2,7 @@ #!/usr/bin/env python3
# generate an rss item import html -from markdown2 import markdown +from myrkdown import markdown import sys import os from collections import namedtuple
M
pages/blog/2019-09-17.md
→
pages/blog/2019-09-17.md
@@ -41,7 +41,7 @@ ## Other
I have been listening to my usual podcasts: Crime Junkie, True Crime Garage, Darknet Diaries & Off the Pill. To add to this list, I've begun binging Vice's CYBER. -It's pretty good---each episode is only about 30 mins and it hits the sweet spot, +It's pretty good -- each episode is only about 30 mins and it hits the sweet spot, delvering both interesting security content and news. My reading needs a ton of catching up. Hopefully I'll get around to finishing up@@ -50,7 +50,7 @@
I've begun learning Russian! I'm really liking it so far, and it's been surprisingly easy to pick up. Learning the Cyrillic script will require some relearning, especially with letters like в, н, р, с, etc. that look like English but sound entirely different. -I think I'm pretty serious about learning this language---I've added the Russian keyboard +I think I'm pretty serious about learning this language -- I've added the Russian keyboard to my Google Keyboard to aid in my familiarization of the alphabet. I've added the `RU` layout to my keyboard map too:
M
pages/blog/2019-10-17.md
→
pages/blog/2019-10-17.md
@@ -7,7 +7,7 @@ url: 2019-10-16
--- I've decided to drop the "Weekly" part of the status update posts, since -they were never weekly and---let's be honest---they aren't going to be. +they were never weekly and -- let's be honest---they aren't going to be. These posts are, henceforth, just "Status updates". The date range can be inferred from the post date.@@ -67,4 +67,4 @@ Monogatari_ (till the latest chapter) and _Another_, and I've just
started _Kakegurui_. I'll reserve my opinions for when I update the [reading log](/reading). -That's about it, and I'll see you---definitely not next week. +That's about it, and I'll see you -- definitely not next week.
M
pages/blog/2019-11-16.md
→
pages/blog/2019-11-16.md
@@ -17,7 +17,7 @@ [repo](https://github.com/icyphox/site)'s issues to track blog post ideas.
I've made a few, mostly just porting them over from my Google Keep note. This method of using issues is great, because readers can chime in with -ideas for things I could possibly discuss---like in [this +ideas for things I could possibly discuss -- like in [this issue](https://github.com/icyphox/site/issues/10). ## Contemplating a `vite` rewrite@@ -32,7 +32,7 @@ - Nim: My favourite, but I'll have to write bindings to [`lowdown(1)`](https://github.com/kristapsdz/lowdown). (`nite`?)
- Shell: Another favourite, muh "minimalsm". No downside, really. (`shite`?) -Oh, and did I mention---I want it to be compatible with `vite`. +Oh, and did I mention -- I want it to be compatible with `vite`. I don't want to have to redo my site structure or its templates. At the moment, I rely on Jinja2 for templating, so I'll need something similar.@@ -57,7 +57,7 @@ ## Other
I've been reading some more manga, I'll update the [reading log](/reading) when I, well... get around to it. Haven't had time to do -much in the past few weeks---the time at the end of a semester tends to +much in the past few weeks -- the time at the end of a semester tends to get pretty tight. Here's what I plan to get back to during this winter break: - Russian!
M
pages/blog/2019-in-review.md
→
pages/blog/2019-in-review.md
@@ -9,7 +9,7 @@
Just landed in a rainy Chennai, back in campus for my 6th semester. A little late to the "year in review blog post" party; travel took up most of my time. Last year was pretty eventful (at least in my books), -and I think I did a bunch of cool stuff---let's see! +and I think I did a bunch of cool stuff -- let's see! ## Interning at SecureLayer7@@ -24,7 +24,7 @@ [here](/blog/fb50).
## Conferences -I attended two major conferences last year---Nullcon Goa and PyCon +I attended two major conferences last year -- Nullcon Goa and PyCon India. Both super fun experiences and I met a ton of cool people! [Nullcon Twitter thread](https://twitter.com/icyphox/status/1101022604851212288) and [PyCon blog post](/blog/pycon-wrap-up).@@ -66,7 +66,7 @@ ```
So excluding today's post, and `_index.md`, that's 18 posts! I had initially planned to write one post a month, but hey, this is great. My -plan for 2020 is to write one post a _week_---unrealistic, I know, but +plan for 2020 is to write one post a _week_ -- unrealistic, I know, but I will try nevertheless. I wrote about a bunch of things, ranging from programming to
M
pages/blog/2020-01-18.md
→
pages/blog/2020-01-18.md
@@ -15,13 +15,13 @@ status update worthy, right? Not really, but we'll see.
## No more Cloudflare! -Yep. If you weren't aware---pre-2020 this site was behind Cloudflare +Yep. If you weren't aware -- pre-2020 this site was behind Cloudflare SSL and their DNS. I have since migrated off it to [he.net](https://he.net), thanks to highly upvoted Lobste.rs comment. Because of this switch, I infact, learnt a ton about DNS. Migrating to HE was very painless, but I did have to research a lot -about PTR records---Cloudflare kinda dumbs it down. In my case, I had to +about PTR records -- Cloudflare kinda dumbs it down. In my case, I had to rename my DigitalOcean VPS instance to the FQDN, which then automagically created a PTR record at DO's end.@@ -36,7 +36,7 @@ plays well with ZNC, that is.
## KISS stuff -I now maintain two new packages in the KISS community repository---2bwm +I now maintain two new packages in the KISS community repository -- 2bwm and aerc! The KISS package system is stupid simple to work with. Creating packages has never been easier.@@ -44,7 +44,7 @@ ## [icyphox.sh/friends](/friends)
Did you notice that yet? I've been curating a list of people I know IRL and online, and linking to their online presence. This is like a webring -of sorts, and promotes inter-site traffic---making the web more "web" +of sorts, and promotes inter-site traffic -- making the web more "web" again. If you know me, feel free to [hit me up](/about#contact) and I'll link@@ -52,7 +52,7 @@ your site too! My apologies if I've forgotten your name.
## Patreon! -Is this big news? I dunno, but yes---I now have a Patreon. I figured I'd +Is this big news? I dunno, but yes -- I now have a Patreon. I figured I'd cash in on the newfound traffic my site's been getting. There won't be any exclusive content or any tiers or whatever. Nothing will change. Just a place for y'all to toss me some $$$ if you wish to do so. ;)
M
pages/blog/covid19-disinfo.md
→
pages/blog/covid19-disinfo.md
@@ -8,13 +8,13 @@ ---
The virus spreads around the world, along with a bunch of disinformation and potential malware / phishing campaigns. There are many actors, -pushing many narratives---some similar, some different. +pushing many narratives -- some similar, some different. Interestingly, the three big players in the information warfare -space---Russia, Iran and China seem to be running similar stories on +space -- Russia, Iran and China seem to be running similar stories on their state-backed media outlets. While they all tend to lean towards -the same, fairly anti-U.S. sentiments---that is, blaming the US for -weaponizing the crisis for political gain---Iran and Russia's content +the same, fairly anti-U.S. sentiments -- that is, blaming the US for +weaponizing the crisis for political gain -- Iran and Russia's content come off as more...conspiratorial. In essence, they claim that the COVID-19 virus is a "bioweapon" developed by the U.S.@@ -33,7 +33,7 @@ [an op-ed](https://www.rt.com/op-ed/481831-coronavirus-kill-bill-capitalism-communism/)
suggests the virus' impact on financial markets might bring about the reinvention of communism and the end of the global capitalist system. Russian state-sponsored media can also be seen amplifying Iranian -conspiracy theories---including the Islamic Revolutionary Guard Corps' +conspiracy theories -- including the Islamic Revolutionary Guard Corps' (IRGC) suggestion that COVID-19 [is a U.S. bioweapon](https://www.rt.com/news/482405-iran-coronavirus-us-biological-weapon/).@@ -69,11 +69,11 @@ to battle the coronavirus. They [blame the U.S.](http://www.globaltimes.cn/content/1178494.shtml)
for unfair media coverage against China, and other [anti-China narratives](http://www.globaltimes.cn/content/1180630.shtml). There are a ton other articles that play the racism/discrimination -card---I wouldn't blame them though. [Here's one](http://www.globaltimes.cn/content/1178465.shtml). +card -- I wouldn't blame them though. [Here's one](http://www.globaltimes.cn/content/1178465.shtml). In the case of India, most disinfo (actually, misinfo) is mostly just pseudoscientific / alternative medicine / cures in the form of WhatsApp -forwards---"Eat foo! Eat bar!".[^cowpiss] +forwards -- "Eat foo! Eat bar!".[^cowpiss] [^cowpiss]: https://www.thehindu.com/news/national/coronavirus-group-hosts-cow-urine-party-says-covid-19-due-to-meat-eaters/article31070516.ece@@ -84,5 +84,5 @@ registered.
 -Anywho, there are bigger problems at hand---like the fact that my uni +Anywho, there are bigger problems at hand -- like the fact that my uni still hasn't suspended classes!
M
pages/blog/digital-minimalism.md
→
pages/blog/digital-minimalism.md
@@ -21,14 +21,14 @@ I've read about a lot of methods people employ to curb their phone
usage. Some have tried grouping "distracting" apps into a separate folder, and this supposedly helps reduce their usage. Now, I fail to see how this would work, but YMMV. Another technique I see often is using -a time governance app---like OnePlus' Zen Mode---to enforce how much +a time governance app -- like OnePlus' Zen Mode---to enforce how much time you spend using specific apps, or the phone itself. I've tried this for myself, but I constantly found myself counting down the minutes after which the phone would become usable again. Not helpful. My solution to this is a lot more brutal. I straight up uninstalled the apps that I found myself using too often. There's a simple principle -behind it---if the app has a desktop alternative, like Twitter, +behind it -- if the app has a desktop alternative, like Twitter, Reddit, etc. use that instead. Here's a list of apps that got nuked from my phone:@@ -56,7 +56,7 @@
My setup right now is just a simple bar at the top showing the time, date, current volume and battery %, along with my workspace indicators. No fancy colors, no flashy buttons and sliders. And that's it. I don't -try to force myself to not use stuff---after all, I've reduced it +try to force myself to not use stuff -- after all, I've reduced it elsewhere. :) Now the question arises: Is this just a phase, or will I stick to it?
M
pages/blog/disinfo.md
→
pages/blog/disinfo.md
@@ -8,7 +8,7 @@ ---
As with the disambiguation of any word, let's start with its etymology and definiton. According to [Wikipedia](https://en.wikipedia.org/wiki/Disinformation), -_disinformation_ has been borrowed from the Russian word --- _dezinformatisya_ (дезинформа́ция), +_disinformation_ has been borrowed from the Russian word -- _dezinformatisya_ (дезинформа́ция), derived from the title of a KGB black propaganda department. > Disinformation is false information spread deliberately to deceive.@@ -24,7 +24,7 @@
At the end, we'll also look at how you can use disinformation techniques to maintain OPSEC. In order to break monotony, I will also be using the terms "information operation", or the shortened -forms---"info op" & "disinfo". +forms -- "info op" & "disinfo". ## Creating disinformation@@ -32,15 +32,15 @@ Crafting or creating disinformation is by no means a trivial task. Often, the quality
of any disinformation sample is a huge indicator of the level of sophistication of the actor involved, i.e. is it a 12 year old troll or a nation state? -Well crafted disinformation always has one primary characteristic --- "plausibility". +Well crafted disinformation always has one primary characteristic -- "plausibility". The disinfo must sound reasonable. It must induce the notion it's _likely_ true. -To achieve this, the target --- be it an individual, a specific demographic or an entire -nation --- must be well researched. A deep understanding of the target's culture, history, +To achieve this, the target -- be it an individual, a specific demographic or an entire +nation -- must be well researched. A deep understanding of the target's culture, history, geography and psychology is required. It also needs circumstantial and situational awareness, of the target. There are many forms of disinformation. A few common ones are staged videos / photographs, -recontextualized videos / photographs, blog posts, news articles & most recently --- deepfakes. +recontextualized videos / photographs, blog posts, news articles & most recently -- deepfakes. Here's a tweet from [the grugq](https://twitter.com/thegrugq), showing a case of recontextualized imagery:@@ -101,7 +101,7 @@ info ops. Essentially, an actor attempts to create "discussions" amongst "users" (read: bots),
to push their narrative(s). Twitter also provides analytics for every tweet, enabling actors to get realtime insights into what sticks and what doesn't. The use of Twitter was seen during the previously discussed MH17 case, where Russia employed its troll -factory --- the [Internet Research Agency](https://en.wikipedia.org/wiki/Internet_Research_Agency) (IRA) +factory -- the [Internet Research Agency](https://en.wikipedia.org/wiki/Internet_Research_Agency) (IRA) to create discussions about alternative theories. In India, disinformation is often spread via YouTube, WhatsApp and Facebook. Political parties
M
pages/blog/efficacy-deepfakes.md
→
pages/blog/efficacy-deepfakes.md
@@ -38,13 +38,13 @@ - The infrastructure for fake news already exists: WhatsApp
- Fact checking media in 22 different languages is non-trivial India has had a long-standing problem with misinformation. The 2019 -elections, the recent CAA controversy and even more recently---the +elections, the recent CAA controversy and even more recently -- the coronavirus. In some cases, it has even lead to [mob violence](https://www.npr.org/2018/07/18/629731693/fake-news-turns-deadly-in-india). All of this shows that the populace is easily influenced, and deepfakes are only going to simplify this. What's worse is explaining to a rural -crowd that something like a deepfake can exist---comprehension and +crowd that something like a deepfake can exist -- comprehension and adoption of technology has always been slow in India, and can be attributed to socio-economic factors.
M
pages/blog/fb50.md
→
pages/blog/fb50.md
@@ -20,7 +20,7 @@ account before further functionality is available.
It also facilitates configuring the fingerprint, and unlocking from a range via Bluetooth. -We had two primary attack surfaces we decided to tackle---Bluetooth (BLE) +We had two primary attack surfaces we decided to tackle -- Bluetooth (BLE) and the Android app. ## Via Bluetooth Low Energy (BLE)@@ -42,7 +42,7 @@ ## Via the Android app
Reversing the app using `jd-gui`, `apktool` and `dex2jar` didn't get us too far since most of it was obfuscated. Why bother when there exists an -easier approach---BurpSuite. +easier approach -- BurpSuite. We captured and played around with a bunch of requests and responses, and finally arrived at a working exploit chain.
M
pages/blog/feed.xml
→
pages/blog/feed.xml
@@ -22,8 +22,8 @@ can see at the very bottom of this post!</p>
<h2 id="speeding-up-index-page-generation">speeding up index page generation</h2> -<p>The old script—the one that featured in <a href="/blog/hacky-scripts">Hacky -scripts</a>—was absolutely ridiculous, and not to +<p>The old script---the one that featured in <a href="/blog/hacky-scripts">Hacky +scripts</a>---was absolutely ridiculous, and not to mention <em>super</em> slow. Here’s what it did:</p> <ul>@@ -38,7 +38,7 @@ </code></pre></div>
<ul> <li>updated the markdown table (in <code>_index.md</code>) by in-place editing the -markdown, with the line created earlier—for the latest post.</li> +markdown, with the line created earlier---for the latest post.</li> <li>finally, I’d have to <em>rebuild</em> the entire site since this markdown hackery would happen at the very end of the build, i.e, didn’t actually get rendered itself. </li>@@ -111,7 +111,7 @@ vite. Currently, it reads a random sample of 3 feeds from a list of
feeds provided in a <code>feeds.txt</code> file, and updates the webring with those posts. Like a feed-bingo of sorts. ;)</p> -<p>I really like how it turned out—especially the fact that I got my CSS +<p>I really like how it turned out---especially the fact that I got my CSS grid correct in the first try!</p> ]]></description><link>https://icyphox.sh/blog/site-changes</link><pubDate>Wed, 27 May 2020 00:00:00 +0000</pubDate><guid>https://icyphox.sh/blog/site-changes</guid></item><item><title>The efficacy of deepfakes</title><description><![CDATA[<p>A few days back, NPR put out an article discussing why deepfakes aren’t all that powerful in spreading disinformation.@@ -149,13 +149,13 @@ <li>Fact checking media in 22 different languages is non-trivial</li>
</ul> <p>India has had a long-standing problem with misinformation. The 2019 -elections, the recent CAA controversy and even more recently—the +elections, the recent CAA controversy and even more recently---the coronavirus. In some cases, it has even lead to <a href="https://www.npr.org/2018/07/18/629731693/fake-news-turns-deadly-in-india">mob violence</a>.</p> <p>All of this shows that the populace is easily influenced, and deepfakes are only going to simplify this. What’s worse is explaining to a rural -crowd that something like a deepfake can exist—comprehension and +crowd that something like a deepfake can exist---comprehension and adoption of technology has always been slow in India, and can be attributed to socio-economic factors. </p>@@ -213,12 +213,12 @@ <p>“B-but Linux is much bigger!” Indeed, it is, but it has a thousand times
(if not more) the number of eyes looking at the code, and there have been multiple third-party audits. There are hundreds of independent orgs and multiple security teams looking at it. That’s not the case with -systemd—it’s probably just RedHat.</p> +systemd---it’s probably just RedHat.</p> <p>Compare this to a bunch of shell scripts. Agreed, writing safe shell can be hard and there are a ton of weird edge-cases depending on your shell implementation, but the distinction here is <em>you</em> wrote it. Which means, -you can identify what went wrong—things are predictable. +you can identify what went wrong---things are predictable. systemd, however, is a large blackbox, and its state at runtime is largely unprovable and unpredictable. I am certain even the developers don’t know.</p>@@ -232,7 +232,7 @@ <p><a href="https://sourcehut.org/blog/2020-04-20-prioritizing-simplitity/">https://sourcehut.org/blog/2020-04-20-prioritizing-simplitity/</a></p>
<p>He manually provisions all sourcehut infrastructure, because tools like Salt, Kubernetes etc. are -just like systemd in our example—large monstrosities which can get you +just like systemd in our example---large monstrosities which can get you RCE’d. Don’t believe me? See <a href="https://threatpost.com/salt-bugs-full-rce-root-cloud-servers/155383/">this</a>.</p>@@ -295,7 +295,7 @@
<h2 id="authentication">authentication</h2> <p>With these out of the way, we can move on to configuring our -account—authenticating IMAP and SMTP. Before that, however, we’ll +account---authenticating IMAP and SMTP. Before that, however, we’ll have to create a <code>~/.netrc</code> file to store our account credentials. </p> <p>(This of course, assumes that your SMTP and IMAP credentials are the@@ -408,7 +408,7 @@ <div class="footnotes">
<hr /> <ol> <li id="fn-read-man"> -<p>Honestly, read the man page (and email Steffen!)—there’s +<p>Honestly, read the man page (and email Steffen!)---there’s a ton of useful options in there. <a href="#fnref-read-man" class="footnoteBackLink" title="Jump back to footnote 1 in the text.">↩</a></p> </li> </ol>@@ -439,7 +439,7 @@ <li>Number of users on mastodon.social: 529923</li>
</ul> <p>Surprisingly, there’s an instance even bigger than -mastodon.social—pawoo.net. I have no idea why it’s so big and it’s +mastodon.social---pawoo.net. I have no idea why it’s so big and it’s primarily Japanese. Its user count is over 620k. So mastodon.social and pawoo.net put together form over 1 million users, that’s <em>more than</em> 50% of the entire Mastodon populace. That’s nuts.<sup class="footnote-ref" id="fnref-federation-fallacy"><a href="#fn-federation-fallacy">1</a></sup></p>@@ -470,7 +470,7 @@ </div>
]]></description><link>https://icyphox.sh/blog/mastodon-social</link><pubDate>Tue, 05 May 2020 00:00:00 +0000</pubDate><guid>https://icyphox.sh/blog/mastodon-social</guid></item><item><title>OpenBSD on the HP Envy 13</title><description><![CDATA[<p>My existing KISS install broke because I thought it would be a great idea to have <a href="https://github.com/alpinelinux/apk-tools">apk-tools</a> alongside the <code>kiss</code> package manager. It’s safe to say, that did not end -well—especially when I installed, and then removed a package. With +well---especially when I installed, and then removed a package. With a semi-broken install that I didn’t feel like fixing, I figured I’d give OpenBSD a try. And I did.</p>@@ -520,7 +520,7 @@ cwm also has a built-in launcher, so dmenu isn’t necessary anymore.
Refer to <a href="https://man.openbsd.org/cwmrc.5">cwmrc(5)</a> for all the config options.</p> -<p>Touchpad was pretty simple to setup too—OpenBSD has +<p>Touchpad was pretty simple to setup too---OpenBSD has <a href="http://man.openbsd.org/wsconsctl.8">wsconsctl(8)</a>, which lets you set your tap-to-click, mouse acceleration etc. However, more advanced configuration can be achieved by getting Xorg to use the Synaptics@@ -557,7 +557,7 @@ <p>I believe it’s set to 1 by default on some installs, but I’m not sure.</p>
<h2 id="impressions">impressions</h2> -<p>I already really like the philosophy of OpenBSD—security and +<p>I already really like the philosophy of OpenBSD---security and simplicity, while not losing out on sanity. The default install is plentiful, and has just about everything you’d need to get going. I especially enjoy how everything just works! I was pleasantly surprised@@ -586,7 +586,7 @@ yet to find something that I need not on there. I also wish they
debloated packages; maybe I’ve just been spoilt by KISS. I now have D-Bus on my system thanks to Firefox. :(</p> -<p>I appreciate the fact that they don’t have a political document—a Code +<p>I appreciate the fact that they don’t have a political document---a Code of Conduct. CoCs are awful, and have only proven to be harmful for projects; part of the reason why I’m sick of Linux and its community. Oh wait, OpenBSD does have one: <a href="https://www.openbsd.org/mail.html">https://www.openbsd.org/mail.html</a>@@ -609,18 +609,18 @@ </code></pre>
<p><img src="https://x.icyphox.sh/zDYdj.png" alt="openbsd rice" /></p> ]]></description><link>https://icyphox.sh/blog/openbsd-hp-envy</link><pubDate>Fri, 17 Apr 2020 00:00:00 +0000</pubDate><guid>https://icyphox.sh/blog/openbsd-hp-envy</guid></item><item><title>The Zen of KISS Linux</title><description><![CDATA[<p><a href="/blog/five-days-tty">I installed KISS</a> early in January on my main -machine—an HP Envy 13 (2017), and I have since noticed a lot of changes +machine---an HP Envy 13 (2017), and I have since noticed a lot of changes in my workflow, my approach to software (and its development), and in life as a whole. I wouldn’t call KISS “life changing”, as that would be overly dramatic, but it has definitely reshaped my outlook towards -technology—for better or worse.</p> +technology---for better or worse.</p> -<p>When I talk about KISS to people—online or IRL—I get some pretty +<p>When I talk about KISS to people---online or IRL---I get some pretty interesting reactions and comments.<sup class="footnote-ref" id="fnref-bringing-up-kiss"><a href="#fn-bringing-up-kiss">1</a></sup> Ranging from “Oh cool.” to “You must be retarded.”, I’ve heard it all. A classic and a personal favourite of mine, “I don’t use meme distros because I actually get work done.” It is -actually, quite the opposite—I’ve been so much more productive using +actually, quite the opposite---I’ve been so much more productive using KISS than any other operating system. I’ll explain why shortly.</p> <p>The beauty of this “distro”, is it isn’t much of a distribution at all.@@ -682,11 +682,11 @@ <p>As far as I know, it mostly consists of the <code>#kisslinux</code> channel on
Freenode and the <a href="https://old.reddit.com/r/kisslinux">r/kisslinux</a> subreddit. It’s not that big, but it’s suprisingly active, and super helpful. There have been some interested new KISS-related projects -too: <a href="https://github.com/sdsddsd1/kiss-games">kiss-games</a>—a repository +too: <a href="https://github.com/sdsddsd1/kiss-games">kiss-games</a>---a repository for, well, Linux games; <a href="https://github.com/jedavies-dev/kiss-ppc64le">kiss-ppc64le</a> -and <a href="https://github.com/jedavies-dev/kiss-aarch64">kiss-aarch64</a>—KISS +and <a href="https://github.com/jedavies-dev/kiss-aarch64">kiss-aarch64</a>---KISS Linux ports for PowerPC and ARM64 architectures; -<a href="https://github.com/wyvertux/wyvertux">wyvertux</a>—an attempt at +<a href="https://github.com/wyvertux/wyvertux">wyvertux</a>---an attempt at a GNU-free Linux distribution, using KISS as a base; and tons more.</p> <h2 id="the-philosophy">the philosophy</h2>@@ -695,17 +695,17 @@ <p>Software today is far too complex. And its complexity is only growing.
Some might argue that this is inevitable, and it is in fact progress. I disagree. Blindly adding layers and layers of abstraction (Docker, modern web “apps") isn’t progress. Look at the Linux desktop ecosystem -today, for example—monstrosities like GNOME and KDE are a result of +today, for example---monstrosities like GNOME and KDE are a result of this…new wave software engineering.</p> <p>I see KISS as a symbol of defiance against this malformed notion. You don’t <em>need</em> all the bloat these DEs ship with to have a usable system. Agreed, it’s a bit more effort to get up and running, but it is entirely -worth it. Think of it as a clean table—feels good to sit down and work on, +worth it. Think of it as a clean table---feels good to sit down and work on, doesn’t it? </p> <p>Let’s take my own experience, for example. One of the initial few -software I used to install on a new system was <code>dunst</code>—a notification +software I used to install on a new system was <code>dunst</code>---a notification daemon. Unfortunately, it depends on D-Bus, which is Poetterware; ergo, not on KISS. However, using a system without notifications has been very pleasant. Nothing to distract you while you’re in the zone.</p>@@ -723,7 +723,7 @@ phone. Compartmentalizing work and play to separate devices has worked
out pretty well for me.</p> <p>I’m slowly noticing myself favor low-tech (or no-tech) solutions to -simple problems too. Like notetaking—I’ve tried plaintext files, Vim +simple problems too. Like notetaking---I’ve tried plaintext files, Vim Wiki, Markdown, but nothing beats actually using pen and paper. Tech, from what I can see, doesn’t solve problems very effectively. In some cases, it only causes more of them. I might write another post@@ -748,12 +748,12 @@ ]]></description><link>https://icyphox.sh/blog/kiss-zen</link><pubDate>Fri, 03 Apr 2020 00:00:00 +0000</pubDate><guid>https://icyphox.sh/blog/kiss-zen</guid></item><item><title>Introducing mael</title><description><![CDATA[<p><strong>Update</strong>: The code lives here: <a href="https://github.com/icyphox/mael">https://github.com/icyphox/mael</a></p>
<p>I’ve been on the lookout for a good terminal-based email client since forever, and I’ve tried almost all of them. The one I use right now -sucks a little less—<a href="https://git.sr.ht/~sircmpwn/aerc">aerc</a>. I have +sucks a little less---<a href="https://git.sr.ht/~sircmpwn/aerc">aerc</a>. I have some gripes with it though, like the problem with outgoing emails not getting copied to the Sent folder, and instead erroring out with -a cryptic <code>EOF</code>—that’s literally all it says. +a cryptic <code>EOF</code>---that’s literally all it says. I’ve tried mutt, but I find it a little excessive. It feels like the -weechat of email—to many features that you’ll probably never use.</p> +weechat of email---to many features that you’ll probably never use.</p> <p>I need something clean and simple, less bloated (for the lack of a better term). This is what motivated me to try writing my own. The@@ -761,7 +761,7 @@ result of this (and not to mention, being holed up at home with nothing
better to do), is <strong>mael</strong>.<sup class="footnote-ref" id="fnref-oss"><a href="#fn-oss">1</a></sup></p> <p>mael isn’t like your usual TUI clients. I envision this to turn out -similar to mailx—a prompt-based UI. The reason behind this UX decision +similar to mailx---a prompt-based UI. The reason behind this UX decision is simple: it’s easier for me to write. :)</p> <p>Speaking of writing it, it’s being written in a mix of Python and bash.@@ -769,11 +769,11 @@ Why? Because Python’s <code>email</code> and <code>mailbox</code> modules are fantastic, and
I don’t think I want to parse Maildirs in bash. “But why not pure Python?” Well, I’m going to be shelling out a lot (more on this in a bit), and writing interactive UIs in bash is a lot more intuitive, thanks to -some of the nifty features that later versions of bash have—<code>read</code>, +some of the nifty features that later versions of bash have---<code>read</code>, <code>mapfile</code> etc.</p> <p>The reason I’m shelling out is because two key components to this -client, that I haven’t yet talked about—<code>mbsync</code> and <code>msmtp</code> are in +client, that I haven’t yet talked about---<code>mbsync</code> and <code>msmtp</code> are in use, for IMAP and SMTP respectively. And <code>mbsync</code> uses the Maildir format, which is why I’m relying on Python’s <code>mailbox</code> package. Why is this in the standard library anyway?!</p>@@ -813,13 +813,13 @@ </ol>
</div> ]]></description><link>https://icyphox.sh/blog/mael</link><pubDate>Sun, 29 Mar 2020 00:00:00 +0000</pubDate><guid>https://icyphox.sh/blog/mael</guid></item><item><title>COVID-19 disinformation</title><description><![CDATA[<p>The virus spreads around the world, along with a bunch of disinformation and potential malware / phishing campaigns. There are many actors, -pushing many narratives—some similar, some different. </p> +pushing many narratives---some similar, some different. </p> <p>Interestingly, the three big players in the information warfare -space—Russia, Iran and China seem to be running similar stories on +space---Russia, Iran and China seem to be running similar stories on their state-backed media outlets. While they all tend to lean towards -the same, fairly anti-U.S. sentiments—that is, blaming the US for -weaponizing the crisis for political gain—Iran and Russia’s content +the same, fairly anti-U.S. sentiments---that is, blaming the US for +weaponizing the crisis for political gain---Iran and Russia’s content come off as more…conspiratorial. In essence, they claim that the COVID-19 virus is a “bioweapon” developed by the U.S.</p>@@ -840,7 +840,7 @@ <a href="https://www.rt.com/op-ed/481831-coronavirus-kill-bill-capitalism-communism/">an op-ed</a>
suggests the virus’ impact on financial markets might bring about the reinvention of communism and the end of the global capitalist system. Russian state-sponsored media can also be seen amplifying Iranian -conspiracy theories—including the Islamic Revolutionary Guard Corps’ +conspiracy theories---including the Islamic Revolutionary Guard Corps’ (IRGC) suggestion that COVID-19 <a href="https://www.rt.com/news/482405-iran-coronavirus-us-biological-weapon/">is a U.S. bioweapon</a>.</p>@@ -878,11 +878,11 @@ to battle the coronavirus. They <a href="http://www.globaltimes.cn/content/1178494.shtml">blame the U.S.</a>
for unfair media coverage against China, and other <a href="http://www.globaltimes.cn/content/1180630.shtml">anti-China narratives</a>. There are a ton other articles that play the racism/discrimination -card—I wouldn’t blame them though. <a href="http://www.globaltimes.cn/content/1178465.shtml">Here’s one</a>.</p> +card---I wouldn’t blame them though. <a href="http://www.globaltimes.cn/content/1178465.shtml">Here’s one</a>.</p> <p>In the case of India, most disinfo (actually, misinfo) is mostly just pseudoscientific / alternative medicine / cures in the form of WhatsApp -forwards—"Eat foo! Eat bar!”.<sup class="footnote-ref" id="fnref-cowpiss"><a href="#fn-cowpiss">1</a></sup></p> +forwards---"Eat foo! Eat bar!”.<sup class="footnote-ref" id="fnref-cowpiss"><a href="#fn-cowpiss">1</a></sup></p> <p>I’ve also been noticing a <em>ton</em> of COVID-19 / coronavirus related domain registrations happening. Expect phishing and malware campaigns using the@@ -891,7 +891,7 @@ registered.</p>
<p><img src="/static/img/corona_domains.png" alt="corona domains" /></p> -<p>Anywho, there are bigger problems at hand—like the fact that my uni +<p>Anywho, there are bigger problems at hand---like the fact that my uni still hasn’t suspended classes!</p> <div class="footnotes">@@ -909,10 +909,10 @@ Paula, and its associated party at Cidade de Goa, also by Taj.
Great choice of venue, perhaps even better than last time. The food was fine, the views were better.</p> -<p>With <em>those</em> things out of the way—let’s talk talks. I think -I preferred the panels to the talks—I enjoy a good, stimulating +<p>With <em>those</em> things out of the way---let’s talk talks. I think +I preferred the panels to the talks---I enjoy a good, stimulating discussion as opposed to only half-understanding a deeply technical -talk—but that’s just me. But there was this one talk that I really +talk---but that’s just me. But there was this one talk that I really enjoyed, perhaps due to its unintended comedic value; I’ll get into that later.</p>@@ -927,7 +927,7 @@ <li>Predicting Danger: Building the Ideal Threat Intelligence Model (Panel)</li>
<li>Lessons from the Cyber Trenches (Panel)</li> <li>Mlw 41#: a new sophisticated loader by APT group TA505 by Alexey Vishnyakov (Talk)</li> <li>Taking the guess out of Glitching by Adam Laurie (Talk)</li> -<li>Keynote: Cybersecurity in India – Information Assymetry, Cross Border +<li>Keynote: Cybersecurity in India—Information Assymetry, Cross Border Threats and National Sovereignty by Saumil Shah (Talk)</li> </ul>@@ -952,7 +952,7 @@
<p>He proposed that the security industry trust the user more, and let them make the decisions pertaining to personal security / privacy. Except…that’s just not going to happen. If all users were capable -of making good, security-first choices—we as an industry don’t +of making good, security-first choices---we as an industry don’t need to exist. But that is unfortunately not the case. Users are dumb. They value convenience and immediacy over security. That’s the sad truth of the modern age.</p>@@ -963,7 +963,7 @@
<p><em>…what?</em></p> <p>A “security professional” suggesting that we roll our own crypto? What -even. Oh and, to top it off—when +even. Oh and, to top it off---when <a href="https://twitter.com/tame_wildcard">Raman</a>, very rightly countered saying that the biggest opponent to encryption <em>is</em> the Government, and trusting them to build safe cryptosystems is probably not wise, he@@ -995,12 +995,12 @@ a personal attack. I think you’re a cool guy.</p>
<p>Note to the Nullcon organizers: you guys did a fantastic job running the conference despite Corona-chan’s best efforts. I’d like to suggest one -little thing though—please VET YOUR SPEAKERS more!</p> +little thing though---please VET YOUR SPEAKERS more!</p> <p><img src="/static/img/nullcon_beach.jpg" alt="group pic" /></p> ]]></description><link>https://icyphox.sh/blog/nullcon-2020</link><pubDate>Mon, 09 Mar 2020 00:00:00 +0000</pubDate><guid>https://icyphox.sh/blog/nullcon-2020</guid></item><item><title>Setting up Prosody for XMPP</title><description><![CDATA[<p>Remember the <a href="/blog/irc-for-dms/">IRC for DMs</a> article I wrote a while back? Well…it’s safe to say that IRC didn’t hold up too well. It first -started with the bot. Buggy code, crashed a lot—we eventually gave up +started with the bot. Buggy code, crashed a lot---we eventually gave up and didn’t bring the bot back up. Then came the notifications, or lack thereof. Revolution IRC has a bug where your custom notification rules just get ignored after a while. In my case, this meant that@@ -1123,14 +1123,14 @@
<h2 id="closing-notes">Closing notes</h2> <p>That’s pretty much all you need for 1-on-1 E2EE chats. I don’t know much -about group chats just yet—trying to create a group in Conversations +about group chats just yet---trying to create a group in Conversations gives a “No group chat server found”. I will figure it out later.</p> <p>Another thing that doesn’t work in Conversations is adding an account using an <code>SRV</code> record.<sup class="footnote-ref" id="fnref-srv"><a href="#fn-srv">2</a></sup> Which kinda sucks, because having a <code>chat.</code> subdomain isn’t very clean, but whatever.</p> -<p>Oh, also—you can message me at +<p>Oh, also---you can message me at <a href="xmpp:icy@chat.icyphox.sh">icy@chat.icyphox.sh</a>.</p> <div class="footnotes">@@ -1154,20 +1154,20 @@ status update worthy, right? Not really, but we’ll see.</p>
<h2 id="no-more-cloudflare">No more Cloudflare!</h2> -<p>Yep. If you weren’t aware—pre-2020 this site was behind Cloudflare +<p>Yep. If you weren’t aware---pre-2020 this site was behind Cloudflare SSL and their DNS. I have since migrated off it to <a href="https://he.net">he.net</a>, thanks to highly upvoted Lobste.rs comment. Because of this switch, I infact, learnt a ton about DNS.</p> <p>Migrating to HE was very painless, but I did have to research a lot -about PTR records—Cloudflare kinda dumbs it down. In my case, I had to +about PTR records---Cloudflare kinda dumbs it down. In my case, I had to rename my DigitalOcean VPS instance to the FQDN, which then automagically created a PTR record at DO’s end.</p> <h2 id="i-dropped-icyrc">I dropped icyrc</h2> <p>The IRC client I was working on during the end of last -December–early-January? Yeah, I lost interest. Apparently writing C and +December--early-January? Yeah, I lost interest. Apparently writing C and ncurses isn’t very fun or stimulating.</p> <p>This also means I’m back on weechat. Until I find another client that@@ -1175,7 +1175,7 @@ plays well with ZNC, that is.</p>
<h2 id="kiss-stuff">KISS stuff</h2> -<p>I now maintain two new packages in the KISS community repository—2bwm +<p>I now maintain two new packages in the KISS community repository---2bwm and aerc! The KISS package system is stupid simple to work with. Creating packages has never been easier.</p>@@ -1183,7 +1183,7 @@ <h2 id="icyphoxshfriendsfriends"><a href="/friends">icyphox.sh/friends</a></h2>
<p>Did you notice that yet? I’ve been curating a list of people I know IRL and online, and linking to their online presence. This is like a webring -of sorts, and promotes inter-site traffic—making the web more “web” +of sorts, and promotes inter-site traffic---making the web more “web” again.</p> <p>If you know me, feel free to <a href="/about#contact">hit me up</a> and I’ll link@@ -1191,7 +1191,7 @@ your site too! My apologies if I’ve forgotten your name.</p>
<h2 id="patreon">Patreon!</h2> -<p>Is this big news? I dunno, but yes—I now have a Patreon. I figured I’d +<p>Is this big news? I dunno, but yes---I now have a Patreon. I figured I’d cash in on the newfound traffic my site’s been getting. There won’t be any exclusive content or any tiers or whatever. Nothing will change. Just a place for y’all to toss me some $$$ if you wish to do so. ;)</p>@@ -1214,7 +1214,7 @@ have increased since, or the number of reps × sets have. If you know of
a better way to quantify progress, let me know! I’m pretty new to this.</p> ]]></description><link>https://icyphox.sh/blog/2020-01-18</link><pubDate>Sat, 18 Jan 2020 00:00:00 +0000</pubDate><guid>https://icyphox.sh/blog/2020-01-18</guid></item><item><title>Vimb&#58; my Firefox replacement</title><description><![CDATA[<p>After having recently installed <a href="https://getkiss.org">KISS</a>, and building Firefox from source, I was exposed to the true monstrosity that -Firefox—and web browsers in general—is. It took all of 9 hours to +Firefox---and web browsers in general---is. It took all of 9 hours to build the dependencies and then Firefox itself.</p> <p>Sure, KISS now ships Firefox binaries in the@@ -1225,10 +1225,10 @@ <h2 id="enter-vimb">Enter vimb</h2>
<p><a href="https://fanglingsu.github.io/vimb/">vimb</a> is a browser based on <a href="https://webkitgtk.org/">webkit2gtk</a>, with a Vim-like interface. -<code>webkit2gtk</code> builds in less than a minute—it blows Firefox out of +<code>webkit2gtk</code> builds in less than a minute---it blows Firefox out of the water, on that front.</p> -<p>There isn’t much of a UI to it—if you’ve used Vimperator/Pentadactyl +<p>There isn’t much of a UI to it---if you’ve used Vimperator/Pentadactyl (Firefox plugins), vimb should look familiar to you. It can be configured via a <code>config.h</code> or a text based config file at <code>~/.config/vimb/config</code>.@@ -1246,7 +1246,7 @@ </code></pre>
<p>Where the <code>-e</code> flag is populated with the <code>XID</code>, by tabbed. Configuring Firefox-esque keybinds in tabbed’s <code>config.h</code> is relatively easy. Once -that’s done—voilà! A fairly sane, Vim-like browsing experience that’s +that’s done---voilà! A fairly sane, Vim-like browsing experience that’s faster and has a smaller footprint than Firefox.</p> <h2 id="ad-blocking">Ad blocking</h2>@@ -1264,7 +1264,7 @@
<p><em>Some</em> websites tend to not work because they detect vimb as an older version of Safari (same web engine). This is a minor inconvenience, and not a dealbreaker for me. I also cannot login to Google’s services for -some reason, which is mildly annoying, but it’s good in a way—I am now +some reason, which is mildly annoying, but it’s good in a way---I am now further incentivised to dispose of my Google account.</p> <p>And here’s the screenshot y’all were waiting for:</p>@@ -1272,7 +1272,7 @@
<p><img src="/static/img/vimb.png" alt="vimb" /></p> ]]></description><link>https://icyphox.sh/blog/mnml-browsing</link><pubDate>Thu, 16 Jan 2020 00:00:00 +0000</pubDate><guid>https://icyphox.sh/blog/mnml-browsing</guid></item><item><title>Five days in a TTY</title><description><![CDATA[<p>This new semester has been pretty easy on me, so far. I hardly every have any classes (again, so far), and I’ve a ton of free time on my -hands. This calls for—yep—a distro hop! </p> +hands. This calls for---yep---a distro hop! </p> <h2 id="why-kiss">Why KISS?</h2>@@ -1290,7 +1290,7 @@ </blockquote>
<p>Like many people did in the HN thread, “simplicity” here is not to be confused with “ease”. It is instead, simplicity in terms of lesser and -cleaner code—no +cleaner code---no <a href="https://www.urbandictionary.com/define.php?term=poetterware">Poetterware</a>.</p> <p>This, I can get behind. A clean system with less code is like a clean@@ -1302,8 +1302,8 @@ is pure POSIX sh, and does <em>just enough</em>. Packages are compiled from
source and <code>kiss</code> automatically performs dependency resolution. Creating packages is ridiculously easy too.</p> -<p>Speaking of packages, all packages—both official & community -repos—are run through <code>shellcheck</code> before getting merged. This is +<p>Speaking of packages, all packages---both official & community +repos---are run through <code>shellcheck</code> before getting merged. This is awesome; I don’t think this is done in any other distro.</p> <p>In essence, KISS sucks less.</p>@@ -1317,7 +1317,7 @@
<h3 id="day-1">Day 1</h3> <p>Although technically not in a TTY, it was still not <em>in</em> the KISS -system—I’ll count it. I’d compiled the kernel in the chroot and +system---I’ll count it. I’d compiled the kernel in the chroot and decided to use <code>efibootmgr</code> instead of GRUB. <code>efibootmgr</code> is a neat tool to modify the Intel Extensible Firmware Interface (EFI). Essentially, you boot the <code>.efi</code> directly as opposed to choosing which boot entry@@ -1345,10 +1345,10 @@
<h3 id="day-2">Day 2</h3> <p>Networking! How fun. An <code>ip a</code> and I see that both USB tethering -(ethernet) and wireless don’t work. Great. Dug around a bit—missing +(ethernet) and wireless don’t work. Great. Dug around a bit---missing wireless drivers was the problem. Found my driver, a binary <code>.ucode</code> from Intel (eugh!). The whole day was spent in figuring out why the kernel -would never load the firmware. I tried different variations—loading +would never load the firmware. I tried different variations---loading it as a module (<code>=m</code>), baking it in (<code>=y</code>) but no luck.</p> <h3 id="day-3">Day 3</h3>@@ -1416,7 +1416,7 @@ </div>
]]></description><link>https://icyphox.sh/blog/five-days-tty</link><pubDate>Mon, 13 Jan 2020 00:00:00 +0000</pubDate><guid>https://icyphox.sh/blog/five-days-tty</guid></item><item><title>2019 in review</title><description><![CDATA[<p>Just landed in a rainy Chennai, back in campus for my 6th semester. A little late to the “year in review blog post” party; travel took up most of my time. Last year was pretty eventful (at least in my books), -and I think I did a bunch of cool stuff—let’s see!</p> +and I think I did a bunch of cool stuff---let’s see!</p> <h2 id="interning-at-securelayer7">Interning at SecureLayer7</h2>@@ -1431,7 +1431,7 @@ <a href="/blog/fb50">here</a>.</p>
<h2 id="conferences">Conferences</h2> -<p>I attended two major conferences last year—Nullcon Goa and PyCon +<p>I attended two major conferences last year---Nullcon Goa and PyCon India. Both super fun experiences and I met a ton of cool people! <a href="https://twitter.com/icyphox/status/1101022604851212288">Nullcon Twitter thread</a> and <a href="/blog/pycon-wrap-up">PyCon blog post</a>.</p>@@ -1476,7 +1476,7 @@ </code></pre>
<p>So excluding today’s post, and <code>_index.md</code>, that’s 18 posts! I had initially planned to write one post a month, but hey, this is great. My -plan for 2020 is to write one post a <em>week</em>—unrealistic, I know, but +plan for 2020 is to write one post a <em>week</em>---unrealistic, I know, but I will try nevertheless.</p> <p>I wrote about a bunch of things, ranging from programming to@@ -1513,7 +1513,7 @@ <h3 id="april-14-2018">April 14, 2018</h3>
<ul> <li>RT published an article claiming that Spiez had identified a different -toxin—BZ, and not Novichok.</li> +toxin---BZ, and not Novichok.</li> <li>This was an attempt to shift the blame from Russia (origin of Novichok), to NATO countries, where it was apparently in use.</li> <li>Most viral piece on the matter in all of 2018.</li>@@ -1589,7 +1589,7 @@ <ul>
<li>OPCW facilities receive an email from Spiez inviting them to a conference.</li> <li>The conference itself is real, and has been organized before.</li> -<li>The email however, was not—attached was a Word document containing +<li>The email however, was not---attached was a Word document containing malware.</li> <li>Also seen were inconsistencies in the email formatting, from what was normal.</li>@@ -1601,7 +1601,7 @@ a state actor:</p>
<ol> <li>Attack targetting a specific group of individuals.</li> -<li>Relatively high level of sophistication—email formatting, +<li>Relatively high level of sophistication---email formatting, malicious Word doc, etc.</li> </ol>@@ -1657,12 +1657,12 @@ <p>UK made the arrests public, published a list of infractions commited by
Russia, along with the specific GRU unit that was caught.</p> <p>During this period, just one of the top 25 viral stories was from -a pro-Russian outlet, RT—that too a fairly straightforward piece.</p> +a pro-Russian outlet, RT---that too a fairly straightforward piece.</p> <h2 id="wrapping-up">Wrapping up</h2> <p>As with conventional warfare, it’s hard to determine who won. Britain -may have had the last blow, but Moscow—yet again—depicted their +may have had the last blow, but Moscow---yet again---depicted their finesse in information warfare. Their ability to seize unexpected openings, gather intel to facilitate their disinformation campaigns, and their cyber capabilities makes them a formidable threat. </p>@@ -1685,20 +1685,20 @@ ]]></description><link>https://icyphox.sh/blog/ru-vs-gb</link><pubDate>Thu, 12 Dec 2019 00:00:00 +0000</pubDate><guid>https://icyphox.sh/blog/ru-vs-gb</guid></item><item><title>Instagram OPSEC</title><description><![CDATA[<p>Which I am not, of course. But seeing as most of my peers are, I am
compelled to write this post. Using a social platform like Instagram automatically implies that the user understands (to some level) that their personally identifiable information is exposed publicly, and they -sign up for the service understanding this risk—or I think they do, +sign up for the service understanding this risk---or I think they do, anyway. But that’s about it, they go ham after that. Sharing every nitty gritty detail of their private lives without understanding the potential risks of doing so.</p> <p>The fundamentals of OPSEC dictacte that you develop a threat model, and -Instgrammers are <em>obviously</em> incapable of doing that—so I’ll do it +Instgrammers are <em>obviously</em> incapable of doing that---so I’ll do it for them. </p> <h2 id="your-average-instagrammers-threat-model">Your average Instagrammer’s threat model</h2> <p>I stress on the word “average”, as in this doesn’t apply to those with more than a couple thousand followers. Those type of accounts inherently -face different kinds of threats—those that come with having +face different kinds of threats---those that come with having a celebrity status, and are not in scope of this analysis.</p> <ul>@@ -1712,7 +1712,7 @@ of the amount of visual information shared on the platform. A lot can be
gleaned from one simple picture in a nondescript alleyway. We’ll get into this in the DOs and DON’Ts in a bit.</p></li> <li><p><strong>Facebook & LE</strong>: Instagram is the last place you want to be doing an -illegal, because well, it’s logged and more importantly—not +illegal, because well, it’s logged and more importantly---not end-to-end encrypted. Law enforcement can subpoena any and all account information. Quoting Instagram’s <a href="https://help.instagram.com/494561080557017">page on this</a>:</p></li>@@ -1733,7 +1733,7 @@ <h3 id="donts">DON’Ts</h3>
<ul> <li><p>Use Instagram for planning and orchestrating illegal shit! I’ve -explained why this is a terrible idea above. Use secure comms—even +explained why this is a terrible idea above. Use secure comms---even WhatsApp is a better choice, if you have nothing else. In fact, try avoiding IG DMs altogether, use alternatives that implement E2EE.</p></li> <li><p>Film live videos outside. Or try not to, if you can. You might@@ -1743,9 +1743,9 @@ <li><p>Film live videos in places you visit often. This compromises your
security at places you’re bound to be at.</p></li> <li><p>Share your flight ticket in your story! I can’t stress this enough!!! Summer/winter break? “Look guys, I’m going home! Here’s where I live, -and here’s my flight number—feel free to track me!”. This scenario is +and here’s my flight number---feel free to track me!”. This scenario is especially worrisome because the start and end points are known to the -threat actor, and your arrival time can be trivially looked up—thanks +threat actor, and your arrival time can be trivially looked up---thanks to the flight number on your ticket. So, just don’t.</p></li> <li><p>Post screenshots with OS specific details. This might border on pendantic, but better safe than sorry. Your phone’s statusbar and navbar@@ -1784,7 +1784,7 @@ </ul>
<h2 id="fin">Fin</h2> -<p>Instagram is—much to my dismay—far too popular for it to die any +<p>Instagram is---much to my dismay---far too popular for it to die any time soon. There are plenty of good reasons to stop using the platform altogether (hint: Facebook), but that’s a discussion for another day.</p>@@ -1798,18 +1798,18 @@ <div class="footnotes">
<hr /> <ol> <li id="fn-ddepisode"> -<p><a href="https://darknetdiaries.com/episode/51/—Jack">https://darknetdiaries.com/episode/51/—Jack</a> talks about Indian hackers who operate on Instagram. <a href="#fnref-ddepisode" class="footnoteBackLink" title="Jump back to footnote 1 in the text.">↩</a></p> +<p><a href="https://darknetdiaries.com/episode/51/---Jack">https://darknetdiaries.com/episode/51/---Jack</a> talks about Indian hackers who operate on Instagram. <a href="#fnref-ddepisode" class="footnoteBackLink" title="Jump back to footnote 1 in the text.">↩</a></p> </li> </ol> </div> ]]></description><link>https://icyphox.sh/blog/ig-opsec</link><pubDate>Mon, 02 Dec 2019 00:00:00 +0000</pubDate><guid>https://icyphox.sh/blog/ig-opsec</guid></item><item><title>Save .ORG!</title><description><![CDATA[<p>The .ORG top-level domain introduced in 1985, has been operated by the <a href="https://en.wikipedia.org/wiki/Public_Interest_Registry">Public Interest Registry</a> since 2003. The .ORG TLD is used primarily by communities, free and open source projects, -and other non-profit organizations—although the use of the TLD isn’t +and other non-profit organizations---although the use of the TLD isn’t restricted to non-profits.</p> <p>The Internet Society or ISOC, the group that created the PIR, has -decided to sell the registry over to a private equity firm—Ethos +decided to sell the registry over to a private equity firm---Ethos Capital.</p> <h2 id="whats-the-problem">What’s the problem?</h2>@@ -1824,11 +1824,11 @@
<ul> <li><p>They control the registration/renewal fees of the TLD. They can hike the price if they wish to. As is stands, NGOs already earn very -little—a .ORG price hike would put them in a very icky situation.</p></li> +little---a .ORG price hike would put them in a very icky situation.</p></li> <li><p>They can introduce <a href="https://www.icann.org/resources/pages/rpm-drp-2017-10-04-en">Rights Protection Mechanisms</a> -or RPMs, which are essentially legal statements that can—if not -correctly developed—jeopardize / censor completely legal non-profit +or RPMs, which are essentially legal statements that can---if not +correctly developed---jeopardize / censor completely legal non-profit activities.</p></li> <li><p>Lastly, they can suspend domains at the whim of state actors. It isn’t news that nation states go after NGOs, targetting them with allegations@@ -1858,8 +1858,8 @@
<p>The Internet that we all love and care for is slowly being subsumed by megacorps and private firms, who’s only motive is to make a profit. The Internet was meant to be free, and we’d better act now if we want that -freedom. The future looks bleak—I hope we aren’t too late.</p> -]]></description><link>https://icyphox.sh/blog/save-org</link><pubDate>Sat, 23 Nov 2019 00:00:00 +0000</pubDate><guid>https://icyphox.sh/blog/save-org</guid></item><item><title>Status update</title><description><![CDATA[<p>This month is mostly just unfun stuff, lined up in a neat schedule – +freedom. The future looks bleak---I hope we aren’t too late.</p> +]]></description><link>https://icyphox.sh/blog/save-org</link><pubDate>Sat, 23 Nov 2019 00:00:00 +0000</pubDate><guid>https://icyphox.sh/blog/save-org</guid></item><item><title>Status update</title><description><![CDATA[<p>This month is mostly just unfun stuff, lined up in a neat schedule -- exams. I get all these cool ideas for things to do, and it’s always during exams. Anyway, here’s a quick update on what I’ve been up to.</p>@@ -1870,13 +1870,13 @@ <a href="https://github.com/icyphox/site">repo</a>’s issues to track blog post ideas.
I’ve made a few, mostly just porting them over from my Google Keep note.</p> <p>This method of using issues is great, because readers can chime in with -ideas for things I could possibly discuss—like in <a href="https://github.com/icyphox/site/issues/10">this +ideas for things I could possibly discuss---like in <a href="https://github.com/icyphox/site/issues/10">this issue</a>.</p> <h2 id="contemplating-a-vite-rewrite">Contemplating a <code>vite</code> rewrite</h2> <p><a href="https://github.com/icyphox/vite"><code>vite</code></a>, despite what the name suggests -– is awfully slow. Also, Python is bloat. +-- is awfully slow. Also, Python is bloat. Will rewriting it fix that? That’s what I plan to find out. I have a couple of choices of languages to use in the rewrite:</p>@@ -1887,7 +1887,7 @@ <li>Shell: Another favourite, muh “minimalsm”. No downside, really.
(<code>shite</code>?)</li> </ul> -<p>Oh, and did I mention—I want it to be compatible with <code>vite</code>. +<p>Oh, and did I mention---I want it to be compatible with <code>vite</code>. I don’t want to have to redo my site structure or its templates. At the moment, I rely on Jinja2 for templating, so I’ll need something similar.</p>@@ -1914,7 +1914,7 @@ <h2 id="other">Other</h2>
<p>I’ve been reading some more manga, I’ll update the <a href="/reading">reading log</a> when I, well… get around to it. Haven’t had time to do -much in the past few weeks—the time at the end of a semester tends to +much in the past few weeks---the time at the end of a semester tends to get pretty tight. Here’s what I plan to get back to during this winter break:</p> <ul>@@ -1943,7 +1943,7 @@ or Telegram. This is an account of how that went.</p>
<h2 id="the-status-quo-of-instant-messaging-apps">The status quo of instant messaging apps</h2> -<p>I’ve tried a <em>ton</em> of messaging applications—Signal, WhatsApp, +<p>I’ve tried a <em>ton</em> of messaging applications---Signal, WhatsApp, Telegram, Wire, Jami (Ring), Matrix, Slack, Discord and more recently, DeltaChat.</p> <p><strong>Signal</strong>: It straight up sucks on Android. Not to mention the@@ -1967,7 +1967,7 @@ really sucks for one-to-one chats.</p>
<p><strong>Slack</strong> / <strong>Discord</strong>: <em>sigh</em></p> -<p><strong>DeltaChat</strong>: Pretty interesting idea—on paper. Using existing email +<p><strong>DeltaChat</strong>: Pretty interesting idea---on paper. Using existing email infrastructure for IM sounds great, but it isn’t all that cash in practice. Email isn’t instant, there’s always a delay of give or take 5 to 10 seconds, if not more. This affects the flow of conversation.@@ -1986,7 +1986,7 @@
<p>This was the next obvious choice, but personal message buffers don’t persist in ZNC and it’s very annoying to have to do a <code>/query nerdypepper</code> (Weechat) or to search and message a user via Revolution -IRC. The only unexplored option—using a channel.</p> +IRC. The only unexplored option---using a channel.</p> <h2 id="setting-up-a-channel-for-dms">Setting up a channel for DMs</h2>@@ -2004,9 +2004,9 @@ modes.</p></li>
<li><p>Notifications: Also a trivial task; a quick modification to <a href="https://weechat.org/scripts/source/lnotify.py.html/">lnotify.py</a> to send a notification for all messages in the specified buffer (<code>#crimson</code>) did the trick for Weechat. Revolution IRC, on the other -hand, has an option to setup rules for notifications—super +hand, has an option to setup rules for notifications---super convenient.</p></li> -<li><p>A bot: Lastly, a bot for a few small tasks—fetching URL titles, responding +<li><p>A bot: Lastly, a bot for a few small tasks---fetching URL titles, responding to <code>.np</code> (now playing) etc. Writing an IRC bot is dead simple, and it took me about an hour or two to get most of the basic functionality in place. The source is <a href="https://github.com/icyphox/detotated">here</a>.@@ -2049,7 +2049,7 @@ <li>3-letter org steps in, wants him released.</li>
</ul> <p>So here’s the thing, his presence is a threat to public but at the same time, -he can be a valuable long term asset—giving info on drug inflow, exchanges and perhaps even +he can be a valuable long term asset---giving info on drug inflow, exchanges and perhaps even actionable intel on bigger fish who exist on top of the ladder. But he also seeks security. The 3-letter org must provide him with protection, in case he’s blown. And like in our case, they’d have to step in if he gets arrested.</p>@@ -2058,7 +2058,7 @@ <p>Herein lies the problem. How far should an intelligence organization go to protect an asset?
Who matters more, the people they’ve sworn to protect, or the asset? Because afterall, in the bigger picture, local PD and intel orgs are on the same side.</p> -<p>Thus, the question arises—how can we measure the “usefulness” of an +<p>Thus, the question arises---how can we measure the “usefulness” of an asset to better quantify the tradeoff that is to be made? Is the intel gained worth the loss of public safety? This question remains largely unanswered, and is quite the@@ -2067,11 +2067,11 @@
<p>This was a fairly short post, but an interesting problem to ponder nonetheless.</p> ]]></description><link>https://icyphox.sh/blog/intel-conundrum</link><pubDate>Mon, 28 Oct 2019 00:00:00 +0000</pubDate><guid>https://icyphox.sh/blog/intel-conundrum</guid></item><item><title>Hacky scripts</title><description><![CDATA[<p>As a CS student, I see a lot of people around me doing courses online -to learn to code. Don’t get me wrong—it probably works for some. +to learn to code. Don’t get me wrong---it probably works for some. Everyone learns differently. But that’s only going to get you so far. Great you know the syntax, you can solve some competitive programming problems, but that’s not quite enough, is it? The actual learning comes -from <em>applying</em> it in solving <em>actual</em> problems—not made up ones. +from <em>applying</em> it in solving <em>actual</em> problems---not made up ones. (<em>inb4 some seething CP bro comes at me</em>)</p> <p>Now, what’s an actual problem? Some might define it as real world@@ -2086,7 +2086,7 @@ examples.</p>
<h2 id="now-playing-status-in-my-bar">Now playing status in my bar</h2> -<p>If you weren’t aware already—I rice my desktop. A lot. And a part of +<p>If you weren’t aware already---I rice my desktop. A lot. And a part of this cohesive experience I try to create involves a status bar up at the top of my screen, showing the time, date, volume and battery statuses etc.</p>@@ -2108,7 +2108,7 @@ <p>My next avenue was the Spotify Web API. One look at the <a href="https://developer.spotify.com/documentation/web-api/">docs</a> and
I realize that I’ll have to make <em>more</em> than one request to fetch the artist and track details. Nope, I need this to work fast.</p> -<p>Last resort—Last.fm’s API. Spolier alert, this worked. Also, arguably +<p>Last resort---Last.fm’s API. Spolier alert, this worked. Also, arguably the best choice, since it shows the track status regardless of where the music is being played. Here’s the script in its entirety:</p>@@ -2226,9 +2226,9 @@ given that there are <a href="https://staticgen.com">so many</a> of them, but
I chose to write one myself.</p> <p>And that just about sums up what I wanted to say. The best and most fun -way to learn to code—write hacky scripts. You heard it here.</p> +way to learn to code---write hacky scripts. You heard it here.</p> ]]></description><link>https://icyphox.sh/blog/hacky-scripts</link><pubDate>Thu, 24 Oct 2019 00:00:00 +0000</pubDate><guid>https://icyphox.sh/blog/hacky-scripts</guid></item><item><title>Status update</title><description><![CDATA[<p>I’ve decided to drop the “Weekly” part of the status update posts, since -they were never weekly and—let’s be honest—they aren’t going to be. +they were never weekly and---let’s be honest---they aren’t going to be. These posts are, henceforth, just “Status updates”. The date range can be inferred from the post date.</p>@@ -2287,13 +2287,13 @@ Monogatari</em> (till the latest chapter) and <em>Another</em>, and I’ve just
started <em>Kakegurui</em>. I’ll reserve my opinions for when I update the <a href="/reading">reading log</a>.</p> -<p>That’s about it, and I’ll see you—definitely not next week.</p> +<p>That’s about it, and I’ll see you---definitely not next week.</p> ]]></description><link>https://icyphox.sh/blog/2019-10-17</link><pubDate>Wed, 16 Oct 2019 00:00:00 +0000</pubDate><guid>https://icyphox.sh/blog/2019-10-17</guid></item><item><title>PyCon India 2019 wrap-up</title><description><![CDATA[<p>I’m writing this article as I sit in class, back on the grind. Last -weekend—Oct 12th and 13th—was PyCon India 2019, in Chennai, India. +weekend---Oct 12th and 13th---was PyCon India 2019, in Chennai, India. It was my first PyCon, <em>and</em> my first ever talk at a major conference! This is an account of the all the cool stuff I saw, people I met and the talks I enjoyed. -Forgive the lack of pictures—I prefer living the moment through my +Forgive the lack of pictures---I prefer living the moment through my eyes. </p> <h2 id="talks">Talks</h2>@@ -2307,9 +2307,9 @@
<p>With that point out of the way, here are some of the talks I really liked:</p> <ul> -<li><strong>Python Packaging - where we are and where we’re headed</strong> by <a href="https://twitter.com/pradyunsg">Pradyun</a></li> +<li><strong>Python Packaging–where we are and where we’re headed</strong> by <a href="https://twitter.com/pradyunsg">Pradyun</a></li> <li><strong>Micropython: Building a Physical Inventory Search Engine</strong> by <a href="https://twitter.com/stonecharioteer">Vinay</a></li> -<li><strong>Ragabot - Music Encoded</strong> by <a href="https://twitter.com/vikipedia">Vikrant</a></li> +<li><strong>Ragabot–Music Encoded</strong> by <a href="https://twitter.com/vikipedia">Vikrant</a></li> <li><strong>Let’s Hunt a Memory Leak</strong> by <a href="https://twitter.com/sankeyplus">Sanket</a></li> <li>oh and of course, <a href="https://twitter.com/dabeaz">David Beazley</a>’s closing keynote</li>@@ -2329,10 +2329,10 @@
<h2 id="some-nice-people-i-met">Some nice people I met</h2> <ul> -<li><a href="https://twitter.com/abhirathb">Abhirath</a>—A 200 IQ lad. Talked to +<li><a href="https://twitter.com/abhirathb">Abhirath</a>---A 200 IQ lad. Talked to me about everything from computational biology to the physical implementation of quantum computers.</li> -<li><a href="https://twitter.com/meain_">Abin</a>—He recognized me from my +<li><a href="https://twitter.com/meain_">Abin</a>---He recognized me from my <a href="https://reddit.com/r/unixporn">r/unixporn</a> posts, which was pretty awesome.</li> <li><a href="https://twitter.com/h6165">Abhishek</a></li>@@ -2346,7 +2346,7 @@ <h2 id="pictures">Pictures!</h2>
<p>It’s not much, and I can’t be bothered to format them like a collage or whatever, so I’ll -just dump them here—as is.</p> +just dump them here---as is.</p> <p><img src="/static/img/silly_badge.jpg" alt="nice badge" /> <img src="/static/img/abhishek_anmol.jpg" alt="awkward smile!" />@@ -2356,7 +2356,7 @@
<h2 id="cest-tout">C’est tout</h2> <p>Overall, a great time and a weekend well spent. It was very different -from your typical security conference—a lot more <em>chill</em>, if you +from your typical security conference---a lot more <em>chill</em>, if you will. The organizers did a fantastic job and the entire event was put together really well. I don’t have much else to say, but I know for sure that I’ll be@@ -2367,7 +2367,7 @@ ]]></description><link>https://icyphox.sh/blog/pycon-wrap-up</link><pubDate>Tue, 15 Oct 2019 00:00:00 +0000</pubDate><guid>https://icyphox.sh/blog/pycon-wrap-up</guid></item><item><title>Thoughts on digital minimalism</title><description><![CDATA[<p>Ah yes, yet another article on the internet on this beaten to death
subject. But this is inherently different, since it’s <em>my</em> opinion on the matter, and <em>my</em> technique(s) to achieve “digital minimalism”.</p> -<p>According to me, minimalism can be achieved on two primary fronts – +<p>According to me, minimalism can be achieved on two primary fronts -- the phone & the computer. Let’s start with the phone. The daily carry. The device that’s on our person from when we get out of bed, till we get back in bed.</p>@@ -2378,14 +2378,14 @@ <p>I’ve read about a lot of methods people employ to curb their phone
usage. Some have tried grouping “distracting” apps into a separate folder, and this supposedly helps reduce their usage. Now, I fail to see how this would work, but YMMV. Another technique I see often is using -a time governance app—like OnePlus’ Zen Mode—to enforce how much +a time governance app---like OnePlus’ Zen Mode---to enforce how much time you spend using specific apps, or the phone itself. I’ve tried this for myself, but I constantly found myself counting down the minutes after which the phone would become usable again. Not helpful.</p> <p>My solution to this is a lot more brutal. I straight up uninstalled the apps that I found myself using too often. There’s a simple principle -behind it—if the app has a desktop alternative, like Twitter, +behind it---if the app has a desktop alternative, like Twitter, Reddit, etc. use that instead. Here’s a list of apps that got nuked from my phone:</p>@@ -2415,7 +2415,7 @@
<p>My setup right now is just a simple bar at the top showing the time, date, current volume and battery %, along with my workspace indicators. No fancy colors, no flashy buttons and sliders. And that’s it. I don’t -try to force myself to not use stuff—after all, I’ve reduced it +try to force myself to not use stuff---after all, I’ve reduced it elsewhere. :)</p> <p>Now the question arises: Is this just a phase, or will I stick to it?@@ -2461,7 +2461,7 @@
<h2 id="packaging-for-alpine">Packaging for Alpine</h2> <p>On a related note, I’ve been busy packaging some of the stuff I use for Alpine -– you can see my personal <a href="https://github.com/icyphox/aports">aports</a> +-- you can see my personal <a href="https://github.com/icyphox/aports">aports</a> repository if you’re interested. I’m currently working on packaging Nim too, so keep an eye out for that in the coming week.</p>@@ -2535,7 +2535,7 @@ <h2 id="other">Other</h2>
<p>I have been listening to my usual podcasts: Crime Junkie, True Crime Garage, Darknet Diaries & Off the Pill. To add to this list, I’ve begun binging Vice’s CYBER. -It’s pretty good—each episode is only about 30 mins and it hits the sweet spot, +It’s pretty good---each episode is only about 30 mins and it hits the sweet spot, delvering both interesting security content and news.</p> <p>My reading needs a ton of catching up. Hopefully I’ll get around to finishing up@@ -2544,7 +2544,7 @@
<p>I’ve begun learning Russian! I’m really liking it so far, and it’s been surprisingly easy to pick up. Learning the Cyrillic script will require some relearning, especially with letters like в, н, р, с, etc. that look like English but sound entirely different. -I think I’m pretty serious about learning this language—I’ve added the Russian keyboard +I think I’m pretty serious about learning this language---I’ve added the Russian keyboard to my Google Keyboard to aid in my familiarization of the alphabet. I’ve added the <code>RU</code> layout to my keyboard map too:</p>@@ -2554,7 +2554,7 @@
<p>With that ends my weekly update, and I’ll see you next week!</p> ]]></description><link>https://icyphox.sh/blog/2019-09-17</link><pubDate>Tue, 17 Sep 2019 00:00:00 +0000</pubDate><guid>https://icyphox.sh/blog/2019-09-17</guid></item><item><title>Disinformation demystified</title><description><![CDATA[<p>As with the disambiguation of any word, let’s start with its etymology and definiton. According to <a href="https://en.wikipedia.org/wiki/Disinformation">Wikipedia</a>, -<em>disinformation</em> has been borrowed from the Russian word — <em>dezinformatisya</em> (дезинформа́ция), +<em>disinformation</em> has been borrowed from the Russian word --- <em>dezinformatisya</em> (дезинформа́ция), derived from the title of a KGB black propaganda department.</p> <blockquote>@@ -2574,7 +2574,7 @@
<p>At the end, we’ll also look at how you can use disinformation techniques to maintain OPSEC.</p> <p>In order to break monotony, I will also be using the terms “information operation”, or the shortened -forms—"info op” & “disinfo”.</p> +forms---"info op” & “disinfo”.</p> <h2 id="creating-disinformation">Creating disinformation</h2>@@ -2582,15 +2582,15 @@ <p>Crafting or creating disinformation is by no means a trivial task. Often, the quality
of any disinformation sample is a huge indicator of the level of sophistication of the actor involved, i.e. is it a 12 year old troll or a nation state?</p> -<p>Well crafted disinformation always has one primary characteristic — “plausibility”. +<p>Well crafted disinformation always has one primary characteristic --- “plausibility”. The disinfo must sound reasonable. It must induce the notion it’s <em>likely</em> true. -To achieve this, the target — be it an individual, a specific demographic or an entire -nation — must be well researched. A deep understanding of the target’s culture, history, +To achieve this, the target --- be it an individual, a specific demographic or an entire +nation --- must be well researched. A deep understanding of the target’s culture, history, geography and psychology is required. It also needs circumstantial and situational awareness, of the target.</p> <p>There are many forms of disinformation. A few common ones are staged videos / photographs, -recontextualized videos / photographs, blog posts, news articles & most recently — deepfakes.</p> +recontextualized videos / photographs, blog posts, news articles & most recently --- deepfakes.</p> <p>Here’s a tweet from <a href="https://twitter.com/thegrugq">the grugq</a>, showing a case of recontextualized imagery:</p>@@ -2653,7 +2653,7 @@ info ops. Essentially, an actor attempts to create “discussions” amongst “users” (read: bots),
to push their narrative(s). Twitter also provides analytics for every tweet, enabling actors to get realtime insights into what sticks and what doesn’t. The use of Twitter was seen during the previously discussed MH17 case, where Russia employed its troll -factory — the <a href="https://en.wikipedia.org/wiki/Internet_Research_Agency">Internet Research Agency</a> (IRA) +factory --- the <a href="https://en.wikipedia.org/wiki/Internet_Research_Agency">Internet Research Agency</a> (IRA) to create discussions about alternative theories.</p> <p>In India, disinformation is often spread via YouTube, WhatsApp and Facebook. Political parties@@ -2741,7 +2741,7 @@
<p>For this attempt, I wanted a simpler approach. I recall how terribly confusing Dovecot & Postfix were to configure and hence I decided to look for a containerized solution, that most importantly, runs on my cheap $5 -Digital Ocean VPS — 1 vCPU and 1 GB memory. Of which only around 500 MB +Digital Ocean VPS --- 1 vCPU and 1 GB memory. Of which only around 500 MB is actually available. So yeah, <em>pretty</em> tight.</p> <h2 id="whats-available">What’s available</h2>@@ -2795,7 +2795,7 @@ </code></pre>
<p>But it eventually worked after a couple of attempts.</p> -<p>The next thing I struggled with — DNS. Specifically, the with the step where +<p>The next thing I struggled with --- DNS. Specifically, the with the step where the DKIM keys are generated<sup class="footnote-ref" id="fnref-2"><a href="#fn-2">2</a></sup>. The output under <br /> <code>config/opendkim/keys/domain.tld/mail.txt</code> <br /> isn’t exactly CloudFlare friendly; they can’t be directly copy-pasted into@@ -2818,11 +2818,11 @@ <code>A</code> record.
You’ll then have to set an <code>MX</code> record with the “Name” as <code>@</code> (or whatever your DNS provider uses to denote the root domain) and the “Value” to <code>mail.domain.tld</code>. And finally, the <code>PTR</code> (pointer record, I think), which is the reverse of -your <code>A</code> record — “Name” as the server IP and “Value” as <code>mail.domain.tld</code>. +your <code>A</code> record --- “Name” as the server IP and “Value” as <code>mail.domain.tld</code>. I learnt this part the hard way, when my outgoing email kept getting rejected by Tutanota’s servers.</p> -<p>Yet another hurdle — SSL/TLS certificates. This isn’t very properly +<p>Yet another hurdle --- SSL/TLS certificates. This isn’t very properly documented, unless you read through the <a href="https://github.com/tomav/docker-mailserver/wiki/Installation-Examples">wiki</a> and look at an example. In short, install <code>certbot</code>, have port 80 free, and run </p>@@ -2917,7 +2917,7 @@ account before further functionality is available.
It also facilitates configuring the fingerprint, and unlocking from a range via Bluetooth.</p> -<p>We had two primary attack surfaces we decided to tackle—Bluetooth (BLE) +<p>We had two primary attack surfaces we decided to tackle---Bluetooth (BLE) and the Android app.</p> <h2 id="via-bluetooth-low-energy-ble">Via Bluetooth Low Energy (BLE)</h2>@@ -2939,7 +2939,7 @@ <h2 id="via-the-android-app">Via the Android app</h2>
<p>Reversing the app using <code>jd-gui</code>, <code>apktool</code> and <code>dex2jar</code> didn’t get us too far since most of it was obfuscated. Why bother when there exists an -easier approach—BurpSuite.</p> +easier approach---BurpSuite.</p> <p>We captured and played around with a bunch of requests and responses, and finally arrived at a working exploit chain.</p>@@ -3109,7 +3109,7 @@ ]]></description><link>https://icyphox.sh/blog/fb50</link><pubDate>Mon, 05 Aug 2019 00:00:00 +0000</pubDate><guid>https://icyphox.sh/blog/fb50</guid></item><item><title>Return Oriented Programming on ARM (32-bit)</title><description><![CDATA[<p>Before we start <em>anything</em>, you’re expected to know the basics of ARM
assembly to follow along. I highly recommend <a href="https://twitter.com/fox0x01">Azeria’s</a> series on <a href="https://azeria-labs.com/writing-arm-assembly-part-1/">ARM Assembly Basics</a>. Once you’re -comfortable with it, proceed with the next bit—environment setup.</p> +comfortable with it, proceed with the next bit---environment setup.</p> <h2 id="setup">Setup</h2>@@ -3117,7 +3117,7 @@ <p>Since we’re working with the ARM architecture, there are two options to go
forth with: </p> <ol> -<li>Emulate—head over to <a href="https://www.qemu.org/download/">qemu.org/download</a> and install QEMU. +<li>Emulate---head over to <a href="https://www.qemu.org/download/">qemu.org/download</a> and install QEMU. And then download and extract the ARMv6 Debian Stretch image from one of the links <a href="https://blahcat.github.io/qemu/">here</a>. The scripts found inside should be self-explanatory.</li> <li>Use actual ARM hardware, like an RPi.</li>@@ -3233,7 +3233,7 @@ <p>Since we know the offset at which the <code>pc</code> gets overwritten, we can now
control program execution flow. Let’s try jumping to the <code>winner</code> function.</p> <p>Disassemble <code>winner</code> again using <code>disas winner</code> and note down the offset -of the second instruction—<code>add r11, sp, #4</code>. +of the second instruction---<code>add r11, sp, #4</code>. For this, we’ll use Python to print our input string replacing <code>FFFF</code> with the address of <code>winner</code>. Note the endianness.</p>@@ -3274,7 +3274,7 @@ <p>Clean and mean.</p>
<h2 id="the-exploit">The exploit</h2> -<p>To write the exploit, we’ll use Python and the absolute godsend of a library—<code>struct</code>. +<p>To write the exploit, we’ll use Python and the absolute godsend of a library---<code>struct</code>. It allows us to pack the bytes of addresses to the endianness of our choice. It probably does a lot more, but who cares.</p>@@ -3347,7 +3347,7 @@ <p><img src="https://i.redd.it/jk574gworp331.png" alt="scrot" /></p>
<p>Most of my work is done in either the browser, or the terminal. My shell is pure <a href="http://www.zsh.org">zsh</a>, as in no plugin frameworks. It’s customized using built-in zsh functions. Yes, you don’t actually need -a framework. It’s useless bloat. The prompt itself is generated using a framework I built in <a href="https://nim-lang.org">Nim</a>—<a href="https://github.com/icyphox/nicy">nicy</a>. +a framework. It’s useless bloat. The prompt itself is generated using a framework I built in <a href="https://nim-lang.org">Nim</a>---<a href="https://github.com/icyphox/nicy">nicy</a>. My primary text editor is <a href="https://neovim.org">nvim</a>. Again, all configs in my dotfiles repo linked above. I manage all my passwords using <a href="https://passwordstore.org">pass(1)</a>, and I use <a href="https://github.com/carnager/rofi-pass">rofi-pass</a> to access them via <code>rofi</code>.</p>@@ -3539,7 +3539,7 @@ <span class="go">strcmp 0x200fc8</span>
<span class="go">malloc 0x200fd0</span> </code></pre></div> -<p>Remember the function call at <code>0x200fe0</code> from earlier? Yep, so that was a call to the well known <code>__libc_start_main</code>. Again, according to <a href="http://refspecs.linuxbase.org/LSB_3.1.0/LSB-generic/LSB-generic/baselib—libc-start-main-.html">linuxbase.org</a></p> +<p>Remember the function call at <code>0x200fe0</code> from earlier? Yep, so that was a call to the well known <code>__libc_start_main</code>. Again, according to <a href="http://refspecs.linuxbase.org/LSB_3.1.0/LSB-generic/LSB-generic/baselib---libc-start-main-.html">linuxbase.org</a></p> <blockquote> <p>The <code>__libc_start_main()</code> function shall perform any necessary initialization of the execution environment, call the <em>main</em> function with appropriate arguments, and handle the return from <code>main()</code>. If the <code>main()</code> function returns, the return value shall be passed to the <code>exit()</code> function.</p>@@ -3638,6 +3638,6 @@ <p>Wew, that took quite some time. But we’re done. If you’re a beginner, you might find this extremely confusing, or probably didn’t even understand what was going on. And that’s okay. Building an intuition for reading and grokking disassembly comes with practice. I’m no good at it either.</p>
<p>All the code used in this post is here: <a href="https://github.com/icyphox/asdf/tree/master/reversing-elf">https://github.com/icyphox/asdf/tree/master/reversing-elf</a></p> -<p>Ciao for now, and I’ll see ya in #2 of this series—PE binaries. Whenever that is.</p> +<p>Ciao for now, and I’ll see ya in #2 of this series---PE binaries. Whenever that is.</p> ]]></description><link>https://icyphox.sh/blog/python-for-re-1</link><pubDate>Fri, 08 Feb 2019 00:00:00 +0000</pubDate><guid>https://icyphox.sh/blog/python-for-re-1</guid></item></channel> </rss>
M
pages/blog/five-days-tty.md
→
pages/blog/five-days-tty.md
@@ -8,7 +8,7 @@ ---
This new semester has been pretty easy on me, so far. I hardly every have any classes (again, so far), and I've a ton of free time on my -hands. This calls for---yep---a distro hop! +hands. This calls for -- yep---a distro hop! ## Why KISS?@@ -24,7 +24,7 @@ > architecture and the English language.
Like many people did in the HN thread, "simplicity" here is not to be confused with "ease". It is instead, simplicity in terms of lesser and -cleaner code---no +cleaner code -- no [Poetterware](https://www.urbandictionary.com/define.php?term=poetterware). [^hn]: https://news.ycombinator.com/item?id=21021396@@ -38,8 +38,8 @@ is pure POSIX sh, and does _just enough_. Packages are compiled from
source and `kiss` automatically performs dependency resolution. Creating packages is ridiculously easy too. -Speaking of packages, all packages---both official & community -repos---are run through `shellcheck` before getting merged. This is +Speaking of packages, all packages -- both official & community +repos -- are run through `shellcheck` before getting merged. This is awesome; I don't think this is done in any other distro. In essence, KISS sucks less.@@ -53,7 +53,7 @@
### Day 1 Although technically not in a TTY, it was still not _in_ the KISS -system---I'll count it. I'd compiled the kernel in the chroot and +system -- I'll count it. I'd compiled the kernel in the chroot and decided to use `efibootmgr` instead of GRUB. `efibootmgr` is a neat tool to modify the Intel Extensible Firmware Interface (EFI). Essentially, you boot the `.efi` directly as opposed to choosing which boot entry@@ -82,10 +82,10 @@
### Day 2 Networking! How fun. An `ip a` and I see that both USB tethering -(ethernet) and wireless don't work. Great. Dug around a bit---missing +(ethernet) and wireless don't work. Great. Dug around a bit -- missing wireless drivers was the problem. Found my driver, a binary `.ucode` from Intel (eugh!). The whole day was spent in figuring out why the kernel -would never load the firmware. I tried different variations---loading +would never load the firmware. I tried different variations -- loading it as a module (`=m`), baking it in (`=y`) but no luck. ### Day 3
M
pages/blog/hacky-scripts.md
→
pages/blog/hacky-scripts.md
@@ -7,11 +7,11 @@ url: hacky-scripts
--- As a CS student, I see a lot of people around me doing courses online -to learn to code. Don't get me wrong---it probably works for some. +to learn to code. Don't get me wrong -- it probably works for some. Everyone learns differently. But that's only going to get you so far. Great you know the syntax, you can solve some competitive programming problems, but that's not quite enough, is it? The actual learning comes -from _applying_ it in solving _actual_ problems---not made up ones. +from _applying_ it in solving _actual_ problems -- not made up ones. (_inb4 some seething CP bro comes at me_) Now, what's an actual problem? Some might define it as real world@@ -26,7 +26,7 @@ examples.
## Now playing status in my bar -If you weren't aware already---I rice my desktop. A lot. And a part of +If you weren't aware already -- I rice my desktop. A lot. And a part of this cohesive experience I try to create involves a status bar up at the top of my screen, showing the time, date, volume and battery statuses etc.@@ -46,7 +46,7 @@ My next avenue was the Spotify Web API. One look at the [docs](https://developer.spotify.com/documentation/web-api/) and
I realize that I'll have to make _more_ than one request to fetch the artist and track details. Nope, I need this to work fast. -Last resort---Last.fm's API. Spolier alert, this worked. Also, arguably +Last resort -- Last.fm's API. Spolier alert, this worked. Also, arguably the best choice, since it shows the track status regardless of where the music is being played. Here's the script in its entirety:@@ -126,7 +126,7 @@ def update_index(s):
path = "../pages/_index.md" with open(path, "r") as f: md = f.readlines() - ruler = md.index("| --- | --: |\n") + ruler = md.index("| -- | --: |\n") md[ruler + 1] = s + "\n" with open(path, "w") as f:@@ -166,4 +166,4 @@ given that there are [so many](https://staticgen.com) of them, but
I chose to write one myself. And that just about sums up what I wanted to say. The best and most fun -way to learn to code---write hacky scripts. You heard it here. +way to learn to code -- write hacky scripts. You heard it here.
M
pages/blog/ig-opsec.md
→
pages/blog/ig-opsec.md
@@ -10,20 +10,20 @@ Which I am not, of course. But seeing as most of my peers are, I am
compelled to write this post. Using a social platform like Instagram automatically implies that the user understands (to some level) that their personally identifiable information is exposed publicly, and they -sign up for the service understanding this risk---or I think they do, +sign up for the service understanding this risk -- or I think they do, anyway. But that's about it, they go ham after that. Sharing every nitty gritty detail of their private lives without understanding the potential risks of doing so. The fundamentals of OPSEC dictacte that you develop a threat model, and -Instgrammers are _obviously_ incapable of doing that---so I'll do it +Instgrammers are _obviously_ incapable of doing that -- so I'll do it for them. ## Your average Instagrammer's threat model I stress on the word "average", as in this doesn't apply to those with more than a couple thousand followers. Those type of accounts inherently -face different kinds of threats---those that come with having +face different kinds of threats -- those that come with having a celebrity status, and are not in scope of this analysis. - **State actors**: This doesn't _really_ fit into our threat model,@@ -32,7 +32,7 @@ there are select groups of individuals that operate on
Instagram[^ddepisode], and they can potentially be targetted by a state actor. -[^ddepisode]: https://darknetdiaries.com/episode/51/---Jack talks about Indian hackers who operate on Instagram. +[^ddepisode]: https://darknetdiaries.com/episode/51/ -- Jack talks about Indian hackers who operate on Instagram. - **OSINT**: This is probably the biggest threat vector, simply because of the amount of visual information shared on the platform. A lot can be@@ -40,7 +40,7 @@ gleaned from one simple picture in a nondescript alleyway. We'll get
into this in the DOs and DON'Ts in a bit. - **Facebook & LE**: Instagram is the last place you want to be doing an -illegal, because well, it's logged and more importantly---not +illegal, because well, it's logged and more importantly -- not end-to-end encrypted. Law enforcement can subpoena any and all account information. Quoting Instagram's [page on this](https://help.instagram.com/494561080557017):@@ -57,7 +57,7 @@
### DON'Ts - Use Instagram for planning and orchestrating illegal shit! I've -explained why this is a terrible idea above. Use secure comms---even +explained why this is a terrible idea above. Use secure comms -- even WhatsApp is a better choice, if you have nothing else. In fact, try avoiding IG DMs altogether, use alternatives that implement E2EE.@@ -70,9 +70,9 @@ security at places you're bound to be at.
- Share your flight ticket in your story! I can't stress this enough!!! Summer/winter break? "Look guys, I'm going home! Here's where I live, -and here's my flight number---feel free to track me!". This scenario is +and here's my flight number -- feel free to track me!". This scenario is especially worrisome because the start and end points are known to the -threat actor, and your arrival time can be trivially looked up---thanks +threat actor, and your arrival time can be trivially looked up -- thanks to the flight number on your ticket. So, just don't. - Post screenshots with OS specific details. This might border on@@ -111,7 +111,7 @@ change, and consequentially the risks do too.
## Fin -Instagram is---much to my dismay---far too popular for it to die any +Instagram is -- much to my dismay---far too popular for it to die any time soon. There are plenty of good reasons to stop using the platform altogether (hint: Facebook), but that's a discussion for another day.
M
pages/blog/intel-conundrum.md
→
pages/blog/intel-conundrum.md
@@ -20,7 +20,7 @@ - Local PD busts his operation and proceed to arrest him.
- 3-letter org steps in, wants him released. So here's the thing, his presence is a threat to public but at the same time, -he can be a valuable long term asset---giving info on drug inflow, exchanges and perhaps even +he can be a valuable long term asset -- giving info on drug inflow, exchanges and perhaps even actionable intel on bigger fish who exist on top of the ladder. But he also seeks security. The 3-letter org must provide him with protection, in case he's blown. And like in our case, they'd have to step in if he gets arrested.@@ -29,7 +29,7 @@ Herein lies the problem. How far should an intelligence organization go to protect an asset?
Who matters more, the people they've sworn to protect, or the asset? Because afterall, in the bigger picture, local PD and intel orgs are on the same side. -Thus, the question arises---how can we measure the "usefulness" of an +Thus, the question arises -- how can we measure the "usefulness" of an asset to better quantify the tradeoff that is to be made? Is the intel gained worth the loss of public safety? This question remains largely unanswered, and is quite the
M
pages/blog/irc-for-dms.md
→
pages/blog/irc-for-dms.md
@@ -12,7 +12,7 @@ or Telegram. This is an account of how that went.
## The status quo of instant messaging apps -I've tried a _ton_ of messaging applications---Signal, WhatsApp, +I've tried a _ton_ of messaging applications -- Signal, WhatsApp, Telegram, Wire, Jami (Ring), Matrix, Slack, Discord and more recently, DeltaChat. **Signal**: It straight up sucks on Android. Not to mention the@@ -36,7 +36,7 @@ really sucks for one-to-one chats.
**Slack** / **Discord**: _sigh_ -**DeltaChat**: Pretty interesting idea---on paper. Using existing email +**DeltaChat**: Pretty interesting idea -- on paper. Using existing email infrastructure for IM sounds great, but it isn't all that cash in practice. Email isn't instant, there's always a delay of give or take 5 to 10 seconds, if not more. This affects the flow of conversation.@@ -55,7 +55,7 @@
This was the next obvious choice, but personal message buffers don't persist in ZNC and it's very annoying to have to do a `/query nerdypepper` (Weechat) or to search and message a user via Revolution -IRC. The only unexplored option---using a channel. +IRC. The only unexplored option -- using a channel. ## Setting up a channel for DMs@@ -73,10 +73,10 @@
* Notifications: Also a trivial task; a quick modification to [lnotify.py](https://weechat.org/scripts/source/lnotify.py.html/) to send a notification for all messages in the specified buffer (`#crimson`) did the trick for Weechat. Revolution IRC, on the other -hand, has an option to setup rules for notifications---super +hand, has an option to setup rules for notifications -- super convenient. -* A bot: Lastly, a bot for a few small tasks---fetching URL titles, responding +* A bot: Lastly, a bot for a few small tasks -- fetching URL titles, responding to `.np` (now playing) etc. Writing an IRC bot is dead simple, and it took me about an hour or two to get most of the basic functionality in place. The source is [here](https://github.com/icyphox/detotated).
M
pages/blog/kiss-zen.md
→
pages/blog/kiss-zen.md
@@ -7,18 +7,18 @@ date: 2020-04-03
--- [I installed KISS](/blog/five-days-tty) early in January on my main -machine---an HP Envy 13 (2017), and I have since noticed a lot of changes +machine -- an HP Envy 13 (2017), and I have since noticed a lot of changes in my workflow, my approach to software (and its development), and in life as a whole. I wouldn't call KISS "life changing", as that would be overly dramatic, but it has definitely reshaped my outlook towards -technology---for better or worse. +technology -- for better or worse. -When I talk about KISS to people---online or IRL---I get some pretty +When I talk about KISS to people -- online or IRL---I get some pretty interesting reactions and comments.[^bringing-up-kiss] Ranging from "Oh cool." to "You must be retarded.", I've heard it all. A classic and a personal favourite of mine, "I don't use meme distros because I actually get work done." It is -actually, quite the opposite---I've been so much more productive using +actually, quite the opposite -- I've been so much more productive using KISS than any other operating system. I'll explain why shortly. [^bringing-up-kiss]: No, I don't go "I use KISS btw". I don't bring it@@ -84,11 +84,11 @@ As far as I know, it mostly consists of the `#kisslinux` channel on
Freenode and the [r/kisslinux](https://old.reddit.com/r/kisslinux) subreddit. It's not that big, but it's suprisingly active, and super helpful. There have been some interested new KISS-related projects -too: [kiss-games](https://github.com/sdsddsd1/kiss-games)---a repository +too: [kiss-games](https://github.com/sdsddsd1/kiss-games) -- a repository for, well, Linux games; [kiss-ppc64le](https://github.com/jedavies-dev/kiss-ppc64le) -and [kiss-aarch64](https://github.com/jedavies-dev/kiss-aarch64)---KISS +and [kiss-aarch64](https://github.com/jedavies-dev/kiss-aarch64) -- KISS Linux ports for PowerPC and ARM64 architectures; -[wyvertux](https://github.com/wyvertux/wyvertux)---an attempt at +[wyvertux](https://github.com/wyvertux/wyvertux) -- an attempt at a GNU-free Linux distribution, using KISS as a base; and tons more. ## the philosophy@@ -97,17 +97,17 @@ Software today is far too complex. And its complexity is only growing.
Some might argue that this is inevitable, and it is in fact progress. I disagree. Blindly adding layers and layers of abstraction (Docker, modern web "apps") isn't progress. Look at the Linux desktop ecosystem -today, for example---monstrosities like GNOME and KDE are a result of +today, for example -- monstrosities like GNOME and KDE are a result of this...new wave software engineering. I see KISS as a symbol of defiance against this malformed notion. You don't _need_ all the bloat these DEs ship with to have a usable system. Agreed, it's a bit more effort to get up and running, but it is entirely -worth it. Think of it as a clean table---feels good to sit down and work on, +worth it. Think of it as a clean table -- feels good to sit down and work on, doesn't it? Let's take my own experience, for example. One of the initial few -software I used to install on a new system was `dunst`---a notification +software I used to install on a new system was `dunst` -- a notification daemon. Unfortunately, it depends on D-Bus, which is Poetterware; ergo, not on KISS. However, using a system without notifications has been very pleasant. Nothing to distract you while you're in the zone.@@ -125,7 +125,7 @@ phone. Compartmentalizing work and play to separate devices has worked
out pretty well for me. I'm slowly noticing myself favor low-tech (or no-tech) solutions to -simple problems too. Like notetaking---I've tried plaintext files, Vim +simple problems too. Like notetaking -- I've tried plaintext files, Vim Wiki, Markdown, but nothing beats actually using pen and paper. Tech, from what I can see, doesn't solve problems very effectively. In some cases, it only causes more of them. I might write another post
M
pages/blog/mael.md
→
pages/blog/mael.md
@@ -10,12 +10,12 @@ **Update**: The code lives here: https://github.com/icyphox/mael
I've been on the lookout for a good terminal-based email client since forever, and I've tried almost all of them. The one I use right now -sucks a little less---[aerc](https://git.sr.ht/~sircmpwn/aerc). I have +sucks a little less -- [aerc](https://git.sr.ht/~sircmpwn/aerc). I have some gripes with it though, like the problem with outgoing emails not getting copied to the Sent folder, and instead erroring out with -a cryptic `EOF`---that's literally all it says. +a cryptic `EOF` -- that's literally all it says. I've tried mutt, but I find it a little excessive. It feels like the -weechat of email---to many features that you'll probably never use. +weechat of email -- to many features that you'll probably never use. I need something clean and simple, less bloated (for the lack of a better term). This is what motivated me to try writing my own. The@@ -26,7 +26,7 @@ [^oss]: I have yet to open source it; this post will be updated with
a link to it when I do. mael isn't like your usual TUI clients. I envision this to turn out -similar to mailx---a prompt-based UI. The reason behind this UX decision +similar to mailx -- a prompt-based UI. The reason behind this UX decision is simple: it's easier for me to write. :) Speaking of writing it, it's being written in a mix of Python and bash.@@ -34,11 +34,11 @@ Why? Because Python's `email` and `mailbox` modules are fantastic, and
I don't think I want to parse Maildirs in bash. "But why not pure Python?" Well, I'm going to be shelling out a lot (more on this in a bit), and writing interactive UIs in bash is a lot more intuitive, thanks to -some of the nifty features that later versions of bash have---`read`, +some of the nifty features that later versions of bash have -- `read`, `mapfile` etc. The reason I'm shelling out is because two key components to this -client, that I haven't yet talked about---`mbsync` and `msmtp` are in +client, that I haven't yet talked about -- `mbsync` and `msmtp` are in use, for IMAP and SMTP respectively. And `mbsync` uses the Maildir format, which is why I'm relying on Python's `mailbox` package. Why is this in the standard library anyway?!
M
pages/blog/mailserver.md
→
pages/blog/mailserver.md
@@ -13,7 +13,7 @@
For this attempt, I wanted a simpler approach. I recall how terribly confusing Dovecot & Postfix were to configure and hence I decided to look for a containerized solution, that most importantly, runs on my cheap $5 -Digital Ocean VPS --- 1 vCPU and 1 GB memory. Of which only around 500 MB +Digital Ocean VPS -- 1 vCPU and 1 GB memory. Of which only around 500 MB is actually available. So yeah, *pretty* tight. ## What's available@@ -62,7 +62,7 @@ Error response from daemon: cannot stop container: 2377e5c0b456: Cannot kill container 2377e5c0b456226ecaa66a5ac18071fc5885b8a9912feeefb07593638b9a40d1: OCI runtime state failed: runc did not terminate sucessfully: fatal error: runtime: out of memory
``` But it eventually worked after a couple of attempts. -The next thing I struggled with --- DNS. Specifically, the with the step where +The next thing I struggled with -- DNS. Specifically, the with the step where the DKIM keys are generated[^2]. The output under `config/opendkim/keys/domain.tld/mail.txt` isn't exactly CloudFlare friendly; they can't be directly copy-pasted into@@ -72,11 +72,11 @@ This is what it looks like.
``` mail._domainkey IN TXT ( "v=DKIM1; h=sha256; k=rsa; " "p=<key>" - "<more key>" ) ; ----- DKIM key mail for icyphox.sh + "<more key>" ) ; -- -- DKIM key mail for icyphox.sh ``` But while configuring the record, you set "Type" to `TXT`, "Name" to `mail._domainkey`, and the "Value" to what's inside the parenthesis `( )`, *removing* the quotes `""`. -Also remove the part that appears to be a comment `; ----- ...`. +Also remove the part that appears to be a comment `; -- -- ...`. To simplify debugging DNS issues later, it's probably a good idea to point to your mailserver using a subdomain like `mail.domain.tld` using an@@ -84,11 +84,11 @@ `A` record.
You'll then have to set an `MX` record with the "Name" as `@` (or whatever your DNS provider uses to denote the root domain) and the "Value" to `mail.domain.tld`. And finally, the `PTR` (pointer record, I think), which is the reverse of -your `A` record --- "Name" as the server IP and "Value" as `mail.domain.tld`. +your `A` record -- "Name" as the server IP and "Value" as `mail.domain.tld`. I learnt this part the hard way, when my outgoing email kept getting rejected by Tutanota's servers. -Yet another hurdle --- SSL/TLS certificates. This isn't very properly +Yet another hurdle -- SSL/TLS certificates. This isn't very properly documented, unless you read through the [wiki](https://github.com/tomav/docker-mailserver/wiki/Installation-Examples) and look at an example. In short, install `certbot`, have port 80 free, and run
M
pages/blog/mnml-browsing.md
→
pages/blog/mnml-browsing.md
@@ -9,7 +9,7 @@
After having recently installed [KISS](https://getkiss.org), and building Firefox from source, I was exposed to the true monstrosity that -Firefox---and web browsers in general---is. It took all of 9 hours to +Firefox -- and web browsers in general---is. It took all of 9 hours to build the dependencies and then Firefox itself. Sure, KISS now ships Firefox binaries in the@@ -20,10 +20,10 @@ ## Enter vimb
[vimb](https://fanglingsu.github.io/vimb/) is a browser based on [webkit2gtk](https://webkitgtk.org/), with a Vim-like interface. -`webkit2gtk` builds in less than a minute---it blows Firefox out of +`webkit2gtk` builds in less than a minute -- it blows Firefox out of the water, on that front. -There isn't much of a UI to it---if you've used Vimperator/Pentadactyl +There isn't much of a UI to it -- if you've used Vimperator/Pentadactyl (Firefox plugins), vimb should look familiar to you. It can be configured via a `config.h` or a text based config file at `~/.config/vimb/config`.@@ -42,7 +42,7 @@ ```
Where the `-e` flag is populated with the `XID`, by tabbed. Configuring Firefox-esque keybinds in tabbed's `config.h` is relatively easy. Once -that's done---voilà! A fairly sane, Vim-like browsing experience that's +that's done -- voilà! A fairly sane, Vim-like browsing experience that's faster and has a smaller footprint than Firefox. ## Ad blocking@@ -58,7 +58,7 @@
_Some_ websites tend to not work because they detect vimb as an older version of Safari (same web engine). This is a minor inconvenience, and not a dealbreaker for me. I also cannot login to Google's services for -some reason, which is mildly annoying, but it's good in a way---I am now +some reason, which is mildly annoying, but it's good in a way -- I am now further incentivised to dispose of my Google account. And here's the screenshot y'all were waiting for:
M
pages/blog/my-setup.md
→
pages/blog/my-setup.md
@@ -36,7 +36,7 @@ 
Most of my work is done in either the browser, or the terminal. My shell is pure [zsh](http://www.zsh.org), as in no plugin frameworks. It’s customized using built-in zsh functions. Yes, you don’t actually need -a framework. It’s useless bloat. The prompt itself is generated using a framework I built in [Nim](https://nim-lang.org)---[nicy](https://github.com/icyphox/nicy). +a framework. It’s useless bloat. The prompt itself is generated using a framework I built in [Nim](https://nim-lang.org) -- [nicy](https://github.com/icyphox/nicy). My primary text editor is [nvim](https://neovim.org). Again, all configs in my dotfiles repo linked above. I manage all my passwords using [pass(1)](https://passwordstore.org), and I use [rofi-pass](https://github.com/carnager/rofi-pass) to access them via `rofi`.
M
pages/blog/nullcon-2020.md
→
pages/blog/nullcon-2020.md
@@ -13,10 +13,10 @@ Paula, and its associated party at Cidade de Goa, also by Taj.
Great choice of venue, perhaps even better than last time. The food was fine, the views were better. -With _those_ things out of the way---let's talk talks. I think -I preferred the panels to the talks---I enjoy a good, stimulating +With _those_ things out of the way -- let's talk talks. I think +I preferred the panels to the talks -- I enjoy a good, stimulating discussion as opposed to only half-understanding a deeply technical -talk---but that's just me. But there was this one talk that I really +talk -- but that's just me. But there was this one talk that I really enjoyed, perhaps due to its unintended comedic value; I'll get into that later.@@ -52,7 +52,7 @@
He proposed that the security industry trust the user more, and let them make the decisions pertaining to personal security / privacy. Except...that's just not going to happen. If all users were capable -of making good, security-first choices---we as an industry don't +of making good, security-first choices -- we as an industry don't need to exist. But that is unfortunately not the case. Users are dumb. They value convenience and immediacy over security. That's the sad truth of the modern age.@@ -63,7 +63,7 @@
_...what?_ A "security professional" suggesting that we roll our own crypto? What -even. Oh and, to top it off---when +even. Oh and, to top it off -- when [Raman](https://twitter.com/tame_wildcard), very rightly countered saying that the biggest opponent to encryption _is_ the Government, and trusting them to build safe cryptosystems is probably not wise, he@@ -95,6 +95,6 @@ a personal attack. I think you're a cool guy.
Note to the Nullcon organizers: you guys did a fantastic job running the conference despite Corona-chan's best efforts. I'd like to suggest one -little thing though---please VET YOUR SPEAKERS more! +little thing though -- please VET YOUR SPEAKERS more! 
M
pages/blog/openbsd-hp-envy.md
→
pages/blog/openbsd-hp-envy.md
@@ -9,7 +9,7 @@
My existing KISS install broke because I thought it would be a great idea to have [apk-tools](https://github.com/alpinelinux/apk-tools) alongside the `kiss` package manager. It's safe to say, that did not end -well---especially when I installed, and then removed a package. With +well -- especially when I installed, and then removed a package. With a semi-broken install that I didn't feel like fixing, I figured I'd give OpenBSD a try. And I did.@@ -61,7 +61,7 @@ cwm also has a built-in launcher, so dmenu isn't necessary anymore.
Refer to [cwmrc(5)](https://man.openbsd.org/cwmrc.5) for all the config options. -Touchpad was pretty simple to setup too---OpenBSD has +Touchpad was pretty simple to setup too -- OpenBSD has [wsconsctl(8)](http://man.openbsd.org/wsconsctl.8), which lets you set your tap-to-click, mouse acceleration etc. However, more advanced configuration can be achieved by getting Xorg to use the Synaptics@@ -100,7 +100,7 @@ I believe it's set to 1 by default on some installs, but I'm not sure.
## impressions -I already really like the philosophy of OpenBSD---security and +I already really like the philosophy of OpenBSD -- security and simplicity, while not losing out on sanity. The default install is plentiful, and has just about everything you'd need to get going. I especially enjoy how everything just works! I was pleasantly surprised@@ -130,7 +130,7 @@ yet to find something that I need not on there. I also wish they
debloated packages; maybe I've just been spoilt by KISS. I now have D-Bus on my system thanks to Firefox. :( -I appreciate the fact that they don't have a political document---a Code +I appreciate the fact that they don't have a political document -- a Code of Conduct. CoCs are awful, and have only proven to be harmful for projects; part of the reason why I'm sick of Linux and its community. Oh wait, OpenBSD does have one: https://www.openbsd.org/mail.html@@ -143,12 +143,12 @@
I'll close this post off with my new rice, and a sick ASCII art I made. ``` - \.-----./ + \. -- --./ / ^ ^ ^ \ (o)(o) ^ ^ |_/| {} ^ ^ > ^| \| \^ ^ ^ ^/ - /-----\ + / -- --\ ~icy ```
M
pages/blog/prosody.md
→
pages/blog/prosody.md
@@ -8,7 +8,7 @@ ---
Remember the [IRC for DMs](/blog/irc-for-dms/) article I wrote a while back? Well...it's safe to say that IRC didn't hold up too well. It first -started with the bot. Buggy code, crashed a lot---we eventually gave up +started with the bot. Buggy code, crashed a lot -- we eventually gave up and didn't bring the bot back up. Then came the notifications, or lack thereof. Revolution IRC has a bug where your custom notification rules just get ignored after a while. In my case, this meant that@@ -141,14 +141,14 @@
## Closing notes That's pretty much all you need for 1-on-1 E2EE chats. I don't know much -about group chats just yet---trying to create a group in Conversations +about group chats just yet -- trying to create a group in Conversations gives a "No group chat server found". I will figure it out later. Another thing that doesn't work in Conversations is adding an account using an `SRV` record.[^srv] Which kinda sucks, because having a `chat.` subdomain isn't very clean, but whatever. -Oh, also---you can message me at +Oh, also -- you can message me at [icy@chat.icyphox.sh](xmpp:icy@chat.icyphox.sh). [^srv]: https://prosody.im/doc/dns
M
pages/blog/pycon-wrap-up.md
→
pages/blog/pycon-wrap-up.md
@@ -7,11 +7,11 @@ url: pycon-wrap-up
--- I'm writing this article as I sit in class, back on the grind. Last -weekend---Oct 12th and 13th---was PyCon India 2019, in Chennai, India. +weekend -- Oct 12th and 13th---was PyCon India 2019, in Chennai, India. It was my first PyCon, _and_ my first ever talk at a major conference! This is an account of the all the cool stuff I saw, people I met and the talks I enjoyed. -Forgive the lack of pictures---I prefer living the moment through my +Forgive the lack of pictures -- I prefer living the moment through my eyes. ## Talks@@ -45,10 +45,10 @@
## Some nice people I met -- [Abhirath](https://twitter.com/abhirathb)---A 200 IQ lad. Talked to +- [Abhirath](https://twitter.com/abhirathb) -- A 200 IQ lad. Talked to me about everything from computational biology to the physical implementation of quantum computers. -- [Abin](https://twitter.com/meain_)---He recognized me from my +- [Abin](https://twitter.com/meain_) -- He recognized me from my [r/unixporn](https://reddit.com/r/unixporn) posts, which was pretty awesome. - [Abhishek](https://twitter.com/h6165)@@ -61,7 +61,7 @@ ## Pictures!
It's not much, and I can't be bothered to format them like a collage or whatever, so I'll -just dump them here---as is. +just dump them here -- as is.  @@ -71,7 +71,7 @@
## C'est tout Overall, a great time and a weekend well spent. It was very different -from your typical security conference---a lot more _chill_, if you +from your typical security conference -- a lot more _chill_, if you will. The organizers did a fantastic job and the entire event was put together really well. I don't have much else to say, but I know for sure that I'll be
M
pages/blog/python-for-re-1.md
→
pages/blog/python-for-re-1.md
@@ -201,7 +201,7 @@ malloc 0x200fd0
``` -Remember the function call at `0x200fe0` from earlier? Yep, so that was a call to the well known `__libc_start_main`. Again, according to [linuxbase.org](http://refspecs.linuxbase.org/LSB_3.1.0/LSB-generic/LSB-generic/baselib---libc-start-main-.html) +Remember the function call at `0x200fe0` from earlier? Yep, so that was a call to the well known `__libc_start_main`. Again, according to [linuxbase.org](http://refspecs.linuxbase.org/LSB_3.1.0/LSB-generic/LSB-generic/baselib -- libc-start-main-.html) > The `__libc_start_main()` function shall perform any necessary initialization of the execution environment, call the *main* function with appropriate arguments, and handle the return from `main()`. If the `main()` function returns, the return value shall be passed to the `exit()` function. And its definition is like so@@ -309,4 +309,4 @@ Wew, that took quite some time. But we’re done. If you’re a beginner, you might find this extremely confusing, or probably didn’t even understand what was going on. And that’s okay. Building an intuition for reading and grokking disassembly comes with practice. I’m no good at it either.
All the code used in this post is here: [https://github.com/icyphox/asdf/tree/master/reversing-elf](https://github.com/icyphox/asdf/tree/master/reversing-elf) -Ciao for now, and I’ll see ya in #2 of this series---PE binaries. Whenever that is. +Ciao for now, and I’ll see ya in #2 of this series -- PE binaries. Whenever that is.
M
pages/blog/rop-on-arm.md
→
pages/blog/rop-on-arm.md
@@ -10,14 +10,14 @@ Before we start _anything_, you’re expected to know the basics of ARM
assembly to follow along. I highly recommend [Azeria’s](https://twitter.com/fox0x01) series on [ARM Assembly Basics](https://azeria-labs.com/writing-arm-assembly-part-1/). Once you’re -comfortable with it, proceed with the next bit---environment setup. +comfortable with it, proceed with the next bit -- environment setup. ## Setup Since we’re working with the ARM architecture, there are two options to go forth with: -1. Emulate---head over to [qemu.org/download](https://www.qemu.org/download/) and install QEMU. +1. Emulate -- head over to [qemu.org/download](https://www.qemu.org/download/) and install QEMU. And then download and extract the ARMv6 Debian Stretch image from one of the links [here](https://blahcat.github.io/qemu/). The scripts found inside should be self-explanatory. 2. Use actual ARM hardware, like an RPi.@@ -131,7 +131,7 @@ Since we know the offset at which the `pc` gets overwritten, we can now
control program execution flow. Let’s try jumping to the `winner` function. Disassemble `winner` again using `disas winner` and note down the offset -of the second instruction---`add r11, sp, #4`. +of the second instruction -- `add r11, sp, #4`. For this, we’ll use Python to print our input string replacing `FFFF` with the address of `winner`. Note the endianness.@@ -171,7 +171,7 @@
## The exploit -To write the exploit, we’ll use Python and the absolute godsend of a library---`struct`. +To write the exploit, we’ll use Python and the absolute godsend of a library -- `struct`. It allows us to pack the bytes of addresses to the endianness of our choice. It probably does a lot more, but who cares.
M
pages/blog/ru-vs-gb.md
→
pages/blog/ru-vs-gb.md
@@ -28,7 +28,7 @@
### April 14, 2018 - RT published an article claiming that Spiez had identified a different -toxin---BZ, and not Novichok. +toxin -- BZ, and not Novichok. - This was an attempt to shift the blame from Russia (origin of Novichok), to NATO countries, where it was apparently in use. - Most viral piece on the matter in all of 2018.@@ -94,7 +94,7 @@
- OPCW facilities receive an email from Spiez inviting them to a conference. - The conference itself is real, and has been organized before. -- The email however, was not---attached was a Word document containing +- The email however, was not -- attached was a Word document containing malware. - Also seen were inconsistencies in the email formatting, from what was normal.@@ -104,7 +104,7 @@ but there are a lot of tells here that point to it being the work of
a state actor: 1. Attack targetting a specific group of individuals. -2. Relatively high level of sophistication---email formatting, +2. Relatively high level of sophistication -- email formatting, malicious Word doc, etc. However, the British NCSC have deemed with "high confidence" that the@@ -153,12 +153,12 @@ UK made the arrests public, published a list of infractions commited by
Russia, along with the specific GRU unit that was caught. During this period, just one of the top 25 viral stories was from -a pro-Russian outlet, RT---that too a fairly straightforward piece. +a pro-Russian outlet, RT -- that too a fairly straightforward piece. ## Wrapping up As with conventional warfare, it's hard to determine who won. Britain -may have had the last blow, but Moscow---yet again---depicted their +may have had the last blow, but Moscow -- yet again---depicted their finesse in information warfare. Their ability to seize unexpected openings, gather intel to facilitate their disinformation campaigns, and their cyber capabilities makes them a formidable threat.
M
pages/blog/s-nail.md
→
pages/blog/s-nail.md
@@ -18,7 +18,7 @@ emails with its [very friendly author](https://www.sdaoden.eu). I did it
so you don't have to[^read-man], and I present to you this guide. -[^read-man]: Honestly, read the man page (and email Steffen!)---there's +[^read-man]: Honestly, read the man page (and email Steffen!) -- there's a ton of useful options in there. ## basic settings@@ -66,7 +66,7 @@
## authentication With these out of the way, we can move on to configuring our -account---authenticating IMAP and SMTP. Before that, however, we'll +account -- authenticating IMAP and SMTP. Before that, however, we'll have to create a `~/.netrc` file to store our account credentials. (This of course, assumes that your SMTP and IMAP credentials are the
M
pages/blog/save-org.md
→
pages/blog/save-org.md
@@ -9,11 +9,11 @@
The .ORG top-level domain introduced in 1985, has been operated by the [Public Interest Registry](https://en.wikipedia.org/wiki/Public_Interest_Registry) since 2003. The .ORG TLD is used primarily by communities, free and open source projects, -and other non-profit organizations---although the use of the TLD isn't +and other non-profit organizations -- although the use of the TLD isn't restricted to non-profits. The Internet Society or ISOC, the group that created the PIR, has -decided to sell the registry over to a private equity firm---Ethos +decided to sell the registry over to a private equity firm -- Ethos Capital. ## What's the problem?@@ -27,12 +27,12 @@ to the .ORG community:
- They control the registration/renewal fees of the TLD. They can hike the price if they wish to. As is stands, NGOs already earn very -little---a .ORG price hike would put them in a very icky situation. +little -- a .ORG price hike would put them in a very icky situation. - They can introduce [Rights Protection Mechanisms](https://www.icann.org/resources/pages/rpm-drp-2017-10-04-en) -or RPMs, which are essentially legal statements that can---if not -correctly developed---jeopardize / censor completely legal non-profit +or RPMs, which are essentially legal statements that can -- if not +correctly developed -- jeopardize / censor completely legal non-profit activities. - Lastly, they can suspend domains at the whim of state actors. It isn't@@ -60,4 +60,4 @@
The Internet that we all love and care for is slowly being subsumed by megacorps and private firms, who's only motive is to make a profit. The Internet was meant to be free, and we'd better act now if we want that -freedom. The future looks bleak---I hope we aren't too late. +freedom. The future looks bleak -- I hope we aren't too late.
M
pages/blog/simplicity-security.md
→
pages/blog/simplicity-security.md
@@ -25,12 +25,12 @@ "B-but Linux is much bigger!" Indeed, it is, but it has a thousand times
(if not more) the number of eyes looking at the code, and there have been multiple third-party audits. There are hundreds of independent orgs and multiple security teams looking at it. That's not the case with -systemd---it's probably just RedHat. +systemd -- it's probably just RedHat. Compare this to a bunch of shell scripts. Agreed, writing safe shell can be hard and there are a ton of weird edge-cases depending on your shell implementation, but the distinction here is _you_ wrote it. Which means, -you can identify what went wrong---things are predictable. +you can identify what went wrong -- things are predictable. systemd, however, is a large blackbox, and its state at runtime is largely unprovable and unpredictable. I am certain even the developers don't know.@@ -44,7 +44,7 @@ https://sourcehut.org/blog/2020-04-20-prioritizing-simplitity/
He manually provisions all sourcehut infrastructure, because tools like Salt, Kubernetes etc. are -just like systemd in our example---large monstrosities which can get you +just like systemd in our example -- large monstrosities which can get you RCE'd. Don't believe me? See [this](https://threatpost.com/salt-bugs-full-rce-root-cloud-servers/155383/).
M
pages/blog/site-changes.md
→
pages/blog/site-changes.md
@@ -17,8 +17,8 @@ can see at the very bottom of this post!
## speeding up index page generation -The old script---the one that featured in [Hacky -scripts](/blog/hacky-scripts)---was absolutely ridiculous, and not to +The old script -- the one that featured in [Hacky +scripts](/blog/hacky-scripts) -- was absolutely ridiculous, and not to mention _super_ slow. Here's what it did: - got the most recent file (latest post) by sorting all posts by@@ -30,7 +30,7 @@ ```python
line = f"| [{meta['title']}]({url}) | `{meta['date']}` |" ``` - updated the markdown table (in `_index.md`) by in-place editing the - markdown, with the line created earlier---for the latest post. + markdown, with the line created earlier -- for the latest post. - finally, I'd have to _rebuild_ the entire site since this markdown hackery would happen at the very end of the build, i.e, didn't actually get rendered itself.@@ -104,5 +104,5 @@ vite. Currently, it reads a random sample of 3 feeds from a list of
feeds provided in a `feeds.txt` file, and updates the webring with those posts. Like a feed-bingo of sorts. ;) -I really like how it turned out---especially the fact that I got my CSS +I really like how it turned out -- especially the fact that I got my CSS grid correct in the first try!
M
templates/text.html
→
templates/text.html
@@ -30,7 +30,7 @@ <header>
{{ header }} </header> <div style="float: right"> - view in <a href="/blog/{{ url }}.txt">plain-text</a> + view in <a href="/txt/{{ url }}.txt">plain-text</a> </div> <div style="float: left"> {{ date }}@@ -48,12 +48,11 @@ <hr>
<div class="openring"> <div class="openring-feed"> - <h4><a href="https://k1ss.org/blog/20200525a">25/05/2020: This month in KISS (#2)</a></h4> - <p>Welcome to the second monthly update for KISS. This post will be -quite a long one, we've seen some nice changes this month and some -great work by the Community.…</p> + <h4><a href="https://peppe.rs/posts/auto-currying_rust_functions/">Auto-currying Rust Functions</a></h4> + <p>This post contains a gentle introduction to procedural macros in Rust and a guide to writing a procedural macro to curry Rust functions. The source code for the entire library can be found here. It is also available on crates.io. +The following links might …</p> - <p>via <a href="https://k1ss.org">KISS Linux Blog</a> on May 25, 2020</p> + <p>via <a href="https://peppe.rs">nerdypepper's μblog</a> on May 09, 2020</p> </div>@@ -70,10 +69,12 @@ </div>
<div class="openring-feed"> - <h4><a href="https://www.bellingcat.com/resources/2020/05/25/investigate-tiktok-like-a-pro/">Investigate TikTok Like A Pro!</a></h4> - <p>TikTok videos have grown increasingly popular over the last few years, with short clips showing people dancing, lip syncing, doing viral challenges, and so on. This relatively new platform lets users share short video clips, and can be looped. It is simila…</p> + <h4><a href="https://k1ss.org/blog/20200525a">25/05/2020: This month in KISS (#2)</a></h4> + <p>Welcome to the second monthly update for KISS. This post will be +quite a long one, we've seen some nice changes this month and some +great work by the Community.…</p> - <p>via <a href="https://www.bellingcat.com">bellingcat</a> on May 25, 2020</p> + <p>via <a href="https://k1ss.org">KISS Linux Blog</a> on May 25, 2020</p> </div>