
VFIO or PCIe (GPU) passthrough


"Wtf? Jake, I am not reading all this text. Give it to me straight: is it worth it to GPU passthrough?"

Honestly? In my opinion? ... It's fun to set up! Passing the GPU to and from a VM involves restarting X each time, which is annoying, but since I'm GAYMING it's not that bad. Sometimes I think I might as well just dual-boot, but I hate Windows too much to do that. So, this is mainly for bragging rights.

I have begun to replay a game I haven't played in a long time since that game doesn't work with Proton. It's a bittersweet nostalgic trip - the game isn't as good as I remember.


Recently I have begun playing a video game. It isn't too graphics-intensive and Steam's Proton handles it perfectly. Except for one small, tiny, minuscule detail: my operating system isn't Windows so, obviously, I am not allowed to access the online features of this game. But I want to access the online features of this proprietary game...

This leaves me with either hacking Proton and somehow tricking Easy Anti Cheat (EAC), or installing Windows, either dual-boot or through a Virtual Machine (VM). (Some anti-cheat software, like EAC, runs alongside the Windows kernel as a kernel module to make sure you aren't 'cheating'. :)

I am not smart enough to hack Proton. Additionally, I strongly dislike the idea of having to restart my computer just to play video games and reboot into */Linux when finished, so rather than dual-boot I decided to install Windows into a VM. I will pass through my GPU, which would allow me to play video games almost as if Windows was on 'bare-metal'... Almost like it.

Here I will note some things that are useful to know in a situation like mine:

  • The Zen kernel already applies the ACS patch.
  • The Zen kernel does not apply RDTSC trickery.
  • The Arch Wiki page on this topic is excellent. (Boy do I wish that I could utilize 100% of the screen space that my monitor gives me on this Wiki. I don't understand why they feel they must ruin their Wiki.)
  • `$ lspci -knnv | grep -e '\[....:....\]\|IOMMU\|Kernel' | sed -e '/Subsystem/d' -e 's/\(.*\)IOMMU\(.*\)/\tIOMMU: \2/'`
  • Certain anti-cheat software will outright BAN you if you are running in a VM and there are MANY ways of detecting this.
  • 'Pafish' can help you discover what you need to fix/hide.
  • 'Al-Khaser' can help you discover what you need to fix/hide.
  • Cygwin provides some Linux-like stuff on Windows (I've written this bullet point in a Cygwin terminal - after ssh-ing into my host).
  • Another computer to SSH or Remote Desktop to fix things if/when things break.

With Arch it is a simple matter of accessing my package manager to download and install linux-zen since Arch officially supports the Zen kernel (they provide a binary so I do not have to compile it).

However, this may be for naught if you decide you need to do some RDTSC trickery, so you'll end up compiling a kernel anyway - it is a lot easier than you might think but definitely time-consuming. In my case, EAC doesn't ban VMs so I did not bother patching any RDTSC trickery.

Passing the GPU while I had a spare GPU for GNU/Linux is pretty easy. But I was not happy with this configuration because my monitors had an insufficient number of plugs... My main monitor only supports 1 VGA and 1 DVI. My TV 'monitor', only 1 HDMI, 1 VGA, and 1 RCA. Neither of my GPUs supports VGA so it wouldn't be possible to tell my main monitor to change its source, which would've been the easiest solution.

In other words, one half of my monitors would be off unless I always use a VM. This annoyed me, so I decided that I will stick with one GPU and that I will pass that to and from a VM. This is known as single GPU passthrough, for which there are many tutorials. With this configuration, I pass through my main GPU to Windows (even though I was using it previously!) and use the motherboard's iGPU for displaying GNU/Linux.

I ended up having to dump the bios of the GPU I was using, an Nvidia card, because when I would try to start the VM the GPU would have an `error 43`. Remote desktop helps in identifying these situations. You could use Spice too, I suppose, but at that time I didn't use my motherboard's iGPU (I probably should've. Hindsight is 20/20). Fortunately, after commanding Windows to shutdown, the GPU would be successfully passed back to the host and X would restart, using QEMU + Libvirt hooks. So, at least, that was half of the battle done.

When I was trying to dump the bios of my GPU (and nothing was using it, including vfio-pci as I unbound it prior to dumping) I was greeted with `cat: rom Input/output error`. I found that setting the kernel parameter 'vfio-pci.disable_idle_d3=1' and running '# setpci -s 01:00.0 COMMAND=2:2' would allow me to dump the rom. Afterwards I ran '# setpci -s 01:00.0 COMMAND=0:2' though I am uncertain how important that is. I made sure to remove the kernel parameter as well.

Another detail that I've seen is to open the resulting rom file in a hex-editor and look for something that starts with `VIDEO` and delete everything above the `U`. Everything - all the way to the top. However, I did not need to do that since my dump didn't contain anything above the `U`. However, this advice was for Nvidia cards; I am not sure about AMD.
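The hex-editor check above can be scripted. This is an added example, not part of the original post: it assumes the image proper starts at the two-byte PCI option ROM signature `0x55 0xAA` (0x55 is ASCII `U`) that most closely precedes the first `VIDEO` string, and the sample dump it builds is constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Finds where the option ROM image
# starts inside a VBIOS dump so that anything above it can be dropped.
# Assumption: the image starts at the 0x55 0xAA signature ("U" is 0x55) that
# most closely precedes the first ASCII "VIDEO" string.

# rom_image_offset FILE
# Prints the byte offset of that signature; returns 1 if none is found.
rom_image_offset() {
    od -An -v -tx1 "$1" | tr -d ' \n' | awk '
    BEGIN { off = -1 }
    {
        s = $0
        # First byte-aligned "VIDEO" (56 49 44 45 4f). Positions in the hex
        # string are 1-based, so a byte boundary is an odd position.
        v = 0; from = 1
        while ((i = index(substr(s, from), "564944454f")) > 0) {
            pos = from + i - 1
            if (pos % 2 == 1) { v = pos; break }
            from = pos + 1
        }
        # Walk back one byte at a time to the nearest 55 aa.
        for (p = v - 4; p >= 1; p -= 2)
            if (substr(s, p, 4) == "55aa") { off = (p - 1) / 2; break }
    }
    END { if (off < 0) exit 1; print off }'
}

# strip_rom_header IN OUT
# Writes IN without the bytes above the signature to OUT and prints how many
# bytes were dropped. IN is never modified.
strip_rom_header() {
    off=$(rom_image_offset "$1") || return 1
    tail -c +"$((off + 1))" "$1" > "$2"
    echo "$off"
}

# Constructed sample: 8 made-up header bytes, then 55 aa, filler and "VIDEO".
make_sample_dump() {
    printf 'HDR-JUNK\125\252\172 filler VIDEO rest-of-image' > "$1"
}

tmp=$(mktemp -d)
make_sample_dump "$tmp/dump.rom"
echo "bytes dropped: $(strip_rom_header "$tmp/dump.rom" "$tmp/trimmed.rom")"
echo "signature offset in trimmed copy: $(rom_image_offset "$tmp/trimmed.rom")"
rm -rf "$tmp"
```

An offset of 0 means there is nothing above the `U`, which is the case the author describes for his own dump.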

Some tutorials recommend booting into Windows 'bare-metal' and using a program called GPU-Z but I haven't tried this.

As of this date, Dec 19 2021, I can confirm that EAC (at least implemented for Xenoverse 2) doesn't ban VM users but they may decide to change their mind in the future. If that happens I will hopefully learn my lesson about playing proprietary games and will never do it again. Doubtful though.

An aside: I had a paragraph explaining that Windows doesn't properly shutdown GPUs when it itself shuts off thus resulting in instability but I discovered that actually it was a bug in Mesa that was causing graphical glitches rather than passthrough doing anything weird. This paragraph serves no purpose but to remind myself in the future that maybe it is just the software. Though with AMD, this is a legitimate concern since their GPUs have reset bugs. There are some work-arounds for them: Windows Pro allows one access to 'shutdown scripts' that Windows will run prior to shutting itself off where you can turn off the GPU. If you don't have Windows Pro or better then you aren't allowed access to the shutdown function, and need to fork out several hundred dollars to upgrade. However, there is a host side option called vendor-reset but I do not know much about how it would work.

However, at least with my AMD GPU the reset bug only happened with Windows. I could restart my VM that ran GNU/Linux Mint over and over and over and the AMD GPU would still work. But when I booted into Windows, uh oh! Nothing works anymore! :'(

An additional aside: while AMD's Adrenalin spends a minimum of 10 minutes trying to install the driver, it shows so, so, so many ads. The AMD installation failed for me so I decided to poke around in the logs and discovered that AMD attempted* to send analytics to Google! What a different world from package managers. Also, I very much dislike that they replaced every driver link with their Adrenalin software.

"Why yes, I would like to download software that is half a GB big with the sole purpose of downloading and installing drivers for me! It is too hard to just download the specific driver for my specific GPU and click install. I am just too stupid for it!" - Imaginary person that AMD created and somehow believes we are him.

With Nvidia... I know they get a lot of hate for how they treat the */Linux community (well deserved IMO), however installing the specific driver for my GPU on Windows was very easy, even if it was in the second-slot. It was so easy I actually cannot remember anything noteworthy about it. Nvidia had a page for that specific GPU that contained the driver, whereas AMD decided that made too much sense. Gotta make those 3¢ per ad, don't you know?!

Note: * = attempted to, since the guest was subject to the host's `/etc/hosts` :)

If you wanted to view my XML sheet and hooks for some reason:

win10.xml
prepare/begin/prepare.sh
started/begin/started.sh
stopped/end/stopped.sh
release/end/release.sh

24 Dec 2021 02:19:45 -0500

Howto SSH over TLS


[Author's Note: I don't actually know anything about fingerprinting technology so if I give you the impression that I am an expert or something, I am not! (Advisory for North Korean wanna-be defectors {I don't want them to get deleted thinking they're safe - I don't actually know what fingerprinting technology will say about TLS connections besides "they're TLS but ... X" and I do worry what 'X' could be. But for most people having TLS is completely fine.})]

Many moons ago when I was away from my desktop I had my laptop and my phone. Perhaps I realized that I wanted to edit something on my computer, so I thought a thought that most people would think: "I'll just use my phone's hotspot and SSH into my computer!"

Unfortunately, this did not work. I remembered to allow SSH on 443 and setup port forwarding since I was behind a NAT for the next time I was out and about.

Bafflingly, this does not work either. It was on port 443! ... I realized that the answer must lie not only with ports but also what the connection looks like because for some reason my phone's ISP is fingerprinting*.

A word about 'modern' TLS/SSL that old guides don't mention because it wasn't a requirement at the time: a cert and a key file are required; if they are not present this will not work unless some software (probably OpenSSL (my current version is 1.1.1l)) is outdated. Here is what I am using; those marked with an '*' are entirely optional and you can use what you want.

| Software | Description                    |
|----------|--------------------------------|
| OpenSSL  | To self sign a cert and key    |
| Nginx*   | To proxy the SSH server on 443 |
| socat*   | To connect to the SSH server   |

I'll assume you are smart enough to figure out if you have these or some reasonable equivalent installed or not. My guide will be based on these specifically but I will include 'honorable' mentions. I will also assume you have a basic understanding of how *nix operating systems work, how to configure software, and you will at least look at the man pages for each software.

Please note that it does require setting it up beforehand; if you are on vacation and are in a similar position as me, you're SOL. Make sure to bookmark this page and revisit it when you get back home, eh? (Also there are A LOT of tcp-over-tls services and I would not be surprised if they were all run by one person.)

Eas{y,ier} way

You should make a directory where your certs will be. Ideally, only root will be able to read and write in it.

The very first thing to do is to generate the cert or nothing will work and you will get very angry. So, run the following: '# openssl req -x509 -nodes -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 1000'. When it asks for information, in this case, it doesn't matter. You might as well just press enter on all of them. In this instance, we will not verify that the cert is 'valid.' Of course, if you have a real cert along with a real domain name that is issued by a real CA then use that.

Nginx 1.20.1

nginx.conf
http {
      ...
}

stream {
       upstream ssh {
               server 127.0.0.1:22;
       }
       server {
               # IP address under the NAT
               listen              192.168.0.68:443 ssl;
               #listen              [::]:443 ssl;
               ssl_certificate     /var/cert/cert.pem;
               ssl_certificate_key /var/cert/key.pem;
               ssl_protocols       TLSv1.2 TLSv1.3;
               ssl_ciphers         HIGH:!aNULL:!MD5;
               proxy_pass          ssh;
       }
}

The above block cannot be in the http block. So, if you have a `sites-enabled/` directory and in nginx.conf `include sites-enabled/*.nginx;` IN the http block, the block above will not work. Why? Because SSH protocol is not HTTP. They are different.

The simplest 'fire-and-forget' way to connect to it (that I've found) would be with socat.

$ ssh -p 443 -o ProxyCommand='socat STDIO OPENSSL-CONNECT:%h:%p,cipher=HIGH,verify=0' 192.168.0.68

At this point your SSH connection should be concealed by TLS on port 443. Fingerprinting will think it is just normal TLS traffic, i.e. HTTPS traffic. With that the guide is over... But typing ssh -o ProxyCommand='...' every time is tiresome! Edit your ~/.ssh/config:

~/.ssh/config
host ssh_tls
        Hostname <IP address>
        Port 443
        ProxyCommand socat STDIO OPENSSL-CONNECT:%h:%p,cipher=HIGH,verify=0
        User <username>

With the above you can very quickly ssh like this: '$ ssh ssh_tls'. A lot quicker, eh? (What is this? Hint: '$ man 5 ssh_config')

Honorable Mentions

Socat server: # socat OPENSSL-LISTEN:443,fork,cipher=HIGH,verify=0,certificate=/var/cert/cert.pem,key=/var/cert/key.pem TCP-CONNECT:localhost:22

Socat client: $ ssh -p 443 -o ProxyCommand='socat STDIO OPENSSL-CONNECT:%h:%p,cipher=HIGH,verify=0' 192.168.0.68

Socat (1.7.4.1) is an honorable mention because I do some web-development and turning off Nginx/Apache was not really an option. The verify option can be removed if you have a real cert that isn't self-signed. Socat is an interesting piece of software and can do many other things, not just this.

Stunnel (5.60)

stunnel-ssh.conf
pid=/tmp/stunnel-ssh.pid
[ssh]
client = yes
accept = 9048
connect = 192.168.0.68:443

Stunnel is a little confusing to understand at first but after you understand it, it becomes 'ezpz.' Basically, you set up stunnel first, which binds to a port and stunnel forwards everything that goes into that port to go to a specific location with TLS. So in this case everything on *:9048 should be encrypted with TLS and go out to 192.168.0.68 at 443. Don't forget to turn off/kill stunnel after you finish using it. (Check the reference for stunnel to get a 'fire-and-forget' script.)

Apache (2.4.51) and proxytunnel (1.10.20210128)

forward_proxy.conf
# Change IP to yours under the NAT
<VirtualHost 192.168.0.68:443>
       SSLEngine on
       SSLProtocol -all +TLSv1.2 +TLSv1.3
       SSLCertificateFile    /var/cert/cert.pem
       SSLCertificateKeyFile /var/cert/key.pem

       # Normally you want this turned OFF
       # otherwise you are an open relay
       ProxyRequests on
       # Only allow port 22
       AllowConnect 22
       <Proxy *>
               # Disallows proxying for everything...
               Require all denied
       </Proxy>
       <Proxy 127.0.0.1>
               # But allows proxying to 127.0.0.1
               Require all granted
       </Proxy>
</VirtualHost>

Make sure you have enabled: ssl_module, proxy_module, proxy_connect_module. Additionally, make sure you actually have a `Listen 443` somewhere. Turn Apache on or restart it.

Try this: '$ ssh -p 443 -o ProxyCommand='proxytunnel -z -E -p %h:%p -d 127.0.0.1:22' 192.168.0.68'. If it works, it works and you should test if Apache will allow proxying to other locations (it should not and if it does you did something very wrong). If it results in an error, check if Apache is turned on, then check Apache's error logs.

The difference between connecting to Nginx or Apache is how the proxy pass is done. Nginx proxy passes to 127.0.0.1 automatically (reverse proxy) and with Apache you tell the server that you want to proxy to 127.0.0.1 on port 22 (forward proxy [admittedly, only to itself]). I'd like to reverse proxy with Apache but Apache is best suited as a web server rather than a proxy server. Don't use a spoon as a fork - kind of thing.

Now, if I had many services that I wanted to offer but only had port 443 I'd use forward proxying which Apache and/or Nginx (with some difficulty I must mention) can do.

OpenSSL (1.1.1l).

$ ssh -p 443 -o ProxyCommand="openssl s_client %h:%p" 192.168.0.68

Similar to socat but less typing I guess. It is an honorable mention because if a packet is bad then it gives up entirely and I haven't figured out how to tell it to ignore them. If you look at the man page '$ man s_client' you might notice a `-reconnect` but that does not do what you think it does. It is also somewhat noisy.
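All three client commands above skip checking the server certificate: socat through `verify=0`, proxytunnel through `-z`, and `openssl s_client` because it carries on after a failed verification by default. The following is an added example, not part of the original post: a check that flags such ProxyCommand lines in an ssh config. The host aliases, the `cafile=` path and the `commonname=` value in the constructed sample are placeholders, and the pinned stanza assumes the self-signed cert was generated with that CN and copied to the client.

```shell
#!/bin/sh
# Added example, not from the original post: flag ssh_config ProxyCommand
# lines whose TLS wrapper will accept any server certificate.

# audit_ssh_config FILE
# Prints one line per finding; returns 1 if anything was flagged.
audit_ssh_config() {
    awk '
    function flag(why) {
        printf "line %d (Host %s): %s\n", FNR, host, why
        bad = 1
    }
    BEGIN { host = "*" }
    /^[ \t]*#/ { next }                       # comment line
    { key = tolower($1) }
    key == "host" { host = $2; next }
    key == "proxycommand" {
        cmd = $0; lc = tolower($0)
        # socat: verify=0 switches certificate checking off.
        if (lc ~ /socat/ && lc ~ /verify=0/)
            flag("socat verify=0: server certificate is not checked")
        # proxytunnel: -z is --no-check-certificate (may be bundled: -zE).
        if (lc ~ /proxytunnel/ &&
            (cmd ~ /[ \t]-[A-Za-z]*z/ || lc ~ /--no-check-certificate/))
            flag("proxytunnel -z: server certificate is not checked")
        # openssl s_client only aborts on a bad certificate when asked to.
        if (lc ~ /openssl[ \t]+s_client/ && lc !~ /-verify_return_error/)
            flag("openssl s_client without -verify_return_error")
    }
    END { exit bad }
    ' "$1"
}

# Constructed sample. ssh_tls is the stanza from this post; ssh_tls_pinned
# trusts exactly one certificate instead (path and CN are placeholders).
sample_config() {
    cat <<'EOF'
# constructed sample config
Host ssh_tls
        ProxyCommand socat STDIO OPENSSL-CONNECT:%h:%p,cipher=HIGH,verify=0
Host ssh_tls_pinned
        ProxyCommand socat STDIO OPENSSL-CONNECT:%h:%p,cipher=HIGH,verify=1,cafile=/home/me/.ssh/home_cert.pem,commonname=home-ssh-tls
Host via_apache
        ProxyCommand proxytunnel -z -E -p %h:%p -d 127.0.0.1:22
Host via_s_client
        ProxyCommand openssl s_client %h:%p
EOF
}

cfg=$(mktemp)
sample_config > "$cfg"
audit_ssh_config "$cfg" || echo "-> the hosts above do not verify the TLS server"
rm -f "$cfg"
```

SSH still checks the host key inside the tunnel, so what the unverified wrapper gives up is knowing which TLS endpoint answered on port 443.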

Closing thoughts

Brief thoughts on SSH over TLS: double encryption with TLS and default SSH to me seems like wasted CPU cycles. If possible it may be better to use something like OpenVPN or WireGuard but not every phone will have that and it is a question if a device connected to hotspot will even be able to connect to other devices with OpenVPN or WireGuard because connections are being fingerprinted. With this, it is a guarantee that you will be able to connect to your computer, at least until fingerprinting software figures out how to do more privacy invading things. Also use ssh-keys with SSH and disallow passwords.

I suppose one could use rlogin or telnet with TLS (trivial with stunnel) to reduce the CPU cycle waste but I won't write the guide on that - I don't want to be responsible for anything bad happening (since rlogin and telnet send things plainly) and it doesn't seem like that big of an overhead anyway. (What? Your computer can't handle TLS and SSH at the same time or something? lol! Stop using a 3rd world computer already. ... Although if it is that old then it probably isn't back doored... Hmm...)

If you have a spare computer (under the same NAT) do the same commands and if it works then you're golden. If it does not work then obviously it won't work when you use hotspot. I'd avoid connecting with the hotspot if you are unsure if you set it up correctly - when they disconnected me I couldn't connect back to my home IP address. I waited for about a day for the block to expire (not that I was constantly testing).

Jake, you are a liar and a techlet! This will not work!

Compare these files then, please. Wireshark is pretty good at it.

SSH
SSH over TLS
Telnet (you get bonus points if you figure out my incorrect passwords)
Telnet over TLS

If you see TLS inside the NAT you will see TLS outside the NAT as well, meaning hotspot will work. If you are on the technical side you will be able to see how you can configure a lot of this in somewhat different ways. Now, if you are exposing your stuff to the outside world it goes without saying: make sure your stuff is protected/hardened/hard-to-break-into.
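What the four captures differ in is visible in the first few bytes of each stream, which is why moving SSH to port 443 alone changes nothing. The following is an added example, not part of the original post; the hex samples are constructed stand-ins for the openings of those captures, and the function names are made up here.

```shell
#!/bin/sh
# Added example, not from the original post: what a protocol fingerprinter can
# read from the first bytes of a TCP stream, whatever the port number is.

# first_bytes_hex FILE N -> first N bytes of FILE as lowercase hex
first_bytes_hex() {
    dd if="$1" bs=1 count="$2" 2>/dev/null | od -An -v -tx1 | tr -d ' \n'
}

# classify_hex HEX -> ssh | tls-client-hello | tls-server-hello | telnet | unknown
classify_hex() {
    hex=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    case $hex in
        5353482d*)
            # ASCII "SSH-": the identification string sent in the clear
            # before any encryption starts (RFC 4253, section 4.2).
            echo ssh ;;
        16030[0-4]????0[12]*)
            # TLS record header: type 0x16 (handshake), version 0x03 0x00-0x04,
            # two length bytes, then the handshake type
            # (1 = ClientHello, 2 = ServerHello).
            len=$(printf '%s' "$hex" | cut -c7-10)
            if [ "$((0x$len))" -gt 16384 ]; then
                echo unknown            # longer than a TLS record may be
            elif [ "$(printf '%s' "$hex" | cut -c11-12)" = 01 ]; then
                echo tls-client-hello
            else
                echo tls-server-hello
            fi ;;
        fff[b-e]*)
            # Telnet option negotiation: IAC (0xff) + WILL/WONT/DO/DONT.
            echo telnet ;;
        *)
            echo unknown ;;
    esac
}

# classify_file FILE -> same labels, for a raw dump of one side of a stream
# (for example saved from Wireshark's "Follow TCP Stream" in raw form).
classify_file() {
    classify_hex "$(first_bytes_hex "$1" 12)"
}

# Constructed openings standing in for the four captures the post lists.
demo() {
    for sample in \
        "ssh:5353482d322e302d4f70656e5353485f382e380d0a" \
        "ssh-over-tls:1603010200010001fc0303" \
        "telnet:fffd18fffd20" \
        "telnet-over-tls:1603010200010001fc0303"
    do
        printf '%-16s %s\n' "${sample%%:*}" "$(classify_hex "${sample#*:}")"
    done
}
demo
```

Both wrapped streams get the same label, which is what comparing the captures shows. The ClientHello that follows the record header is still unencrypted, so its cipher list and extensions remain visible to anything that inspects further.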

Other software can do proxying as well, like Squid, but I chose to focus on Nginx and Apache since I actually use them on a daily basis.

I compiled this from various sources so future me will not have to spend hours tweaking search phrases.

This post would not have been possible without the following resources:

(Reddit - socat)
(ServerFault - stunnel)
(Nurdletech - Apache)
(StackExchange - Nginx)

Disclaimer: * = When I was able to connect to my computer for like 5 seconds then suddenly it would no longer work my first thought was "THEY'RE FUCKING ME!" and caused me to write this blog post mainly because I wanted to fuck them back (my reasoning was that they could block SSH but they won't block TLS). I don't know what happened but I can SSH into my computer with hotspot. I am not sure what to make of this.

19 Nov 2021 01:16:43 -0500** Addendum to the author's note (less confusing)

I am running a dictionary service


I hope everyone had a good halloween! I, unfortunately, went to take a nap and when I woke up I missed halloween :(

Anyway, I am running a dictionary service which may interest some people. Basically, it uses the same dictionary that the wotd service uses but this time you can specify what word to look up. I should mention that because of the dictionary's age, some modern words like 'zoom', 'yeet', etc, will not be present.

It has an API!: $ curl -d "word=the word" https://jakesthoughts.xyz/dictionary

Because of that it is also very easy to implement into a bash function:

function lookup() {
	curl -d "word=$1" https://jakesthoughts.xyz/dictionary
}

There are other dictionary programs that you can use, of course: Artha, Goldendict, ... there aren't actually that many. Hmm. I haven't used any of these programs so idk if they are good or not. Artha claims to be able to use offline copy which I would be interested in had I not already done this.

Jake you'll just be a creep and see what words I look up!

No - All I will see is someone accessing the url. If this is a major concern, you can download the source script yourself and run it locally.

The script. The dictionary I recommend (it is so old it falls OUT of copyright.)

You can directly visit https://jakesthoughts.xyz/dictionary but I am not applying any stylesheet to it (meaning black text on white background), so your eyeballs will melt if you got used to my current stylesheet. As for Gemini users... I haven't written this yet but I figure the easiest way to serve FCGI content would be with yet another CGI script that queries the FCGI script since Doppio (and I assume many other Gemini servers) don't do FCGI.

Enjoy!

01 Nov 2021 03:01:12 -0400

Have local copies of stuff


The title may suggest saving your favorite websites or saving images or saving videos to your hard drive. This is just a subset of what I meant, albeit a useful endeavor. My real intentions go further than that: Print that website out! Print that image out! Burn that video to a DVD disk! Print/burn EVERYTHING!

The saver sits at a desk and next to him are about 30 hard drives and a screenshot of Windows' Internet Explorer downloading something. There is various text around the saver and the images. The prominent text says 'The 30 year old Saver.' The other text says: 'used to save important websites. now saves everything', 'could help people by uploading memory-holed content, too busy saving to do that' and more.

Meme sort of related but doesn't go far enough. Hard drives and other forms of electronic memory can FAIL.

But J-j-jake! I don't have enough ink for that! I don't have a DVD writer because modern gaming computer cases do not create space for them!

Pathetic. I suppose I can settle with you just saving everything on to a flash drive. I actually happen to possess a rather sizeable flash drive that I update infrequently - so I am at least understanding on that front. Also `ink` 🤭. I will let you in on a secret regarding printers: a single cartridge (toner) for a laser printer will typically last longer than an inkjet cartridge by sometimes thousands of pages with a cheaper cost per page. The hardest part by far will be getting the printer to work but that is a different story for another day.

?v=OiNmTVThNEY Civilization - Institutions, Knowledge and the Future - Samo Burja (37 minutes, a good video.)

After watching the Civilization video, I was left with some kind of impression specifically about the past and how lessons of the past often BARELY made it to the present.

  • "For 2000 known ancient Greek writers, we have 13% of it. ... And a smaller fragment of complete works."
  • "0% of this culture is present with us today [because 2/3 of the Chinese population died which includes the entirety of this culture]."

This fear encourages the schizo within. What if the internet breaks? What if electricity gets turned off forever? You can't read your blog if it's intangible! Obviously that would never happen unless aliens invaded Earth. And I'm not saying that aliens will invade Earth and target these specific weak points... but they could. The chance is non-zero. How much data exactly is intangible and therefore at risk? I suspect a rather high degree and if something bad happens that semi-intangible data will remain forever intangible. Now, I also think in the event of a real alien invasion (real or imagined), they would probably bring back the 'internet' but only selectively and with lots of restrictions meaning your creative blog posts probably will not make the cut. Additionally, 'privacy' will most likely be heavily discouraged, so Tor, and other methods of getting 'anonymous connections' will not be allowed to function the way they have previously. My uninformed schizo-take on technology but whatever: maybe they will make it so that packets will require some kind of identification just to be transmitted[1]. I should stop giving them ideas.

A different perspective if my favorite boogy-man, the aliens (a place in for some powerful entity), doesn't sit well with you... Internet archives ... *can* be modified! One example that I know of is nearly every archive for original mewch, one of my favorite chans before it got [REDACTED]'d, does not exist even though, according to others, it used to. You cannot find internet archives on them even though they did exist at one point (I've made some personal copies of some threads but not enough, something I regret). Unless they are somehow made immutable through something like the blockchain, files can be removed or worse, altered. Of course, physical paper can also be modified and destroyed but the effort to do this would require it to be deliberate or a very bad case of carelessness. Paper documents will last much longer than electric documents would because they are already physical and not an abstraction somehow created from 1's and 0's that also somehow appears in a logical manner on a screen. Paper documents can also be converted back into electronic documents and printed again.

Regardless of the hypothetical risks, having a printed copy of something makes the intangible tangible (sure, you could argue semantics about 'what *is* written language? How does the brain interpret letters in such a way that we can understand abstract ideas from random chicken scratch?' but I think the planet's lingua franca will be somewhat resistant to being eradicated, take a look at Latin or ancient Greek for example). You DO have a piece of history. With luck it will find its way to the right person in the future. Maybe it will end up being a 'redpill' or maybe every one will greatly enjoy the story 1000 years later or maybe future readers will think 'wtf were they doing back then?!' or maybe the religion will gain a new follower or whatever. To me it doesn't really matter what the content is as long as it can reach the next generation(s) somehow.

I am doing my part! I've printed my entire blog! :^) Future historians will thank me for it.

I've also printed out some holy books, fiction, philosophy, and other things that I enjoy. You get bonus points for reading what you've printed more than once since you are making that paper pay for itself. Information is valuable and nearly priceless - worth more than the paper itself. Next step might be organizing it somehow and I cannot offer advice on that though I want to. Another benefit of printing is that you can annotate the paper without feeling guilty. It's not a $70 book!

Jake, I am totally unable to acquire a printing device and even if I do, what I print will be used against me regardless of the content printed.

Hmm... I hope your future will change for the better so that you can spend hundreds of dollars on paper, a laser printer, and some toners. When I say print I mean print, if you are printing a book that you could buy, maybe buy the book? Perhaps printing will be a waste of paper if you are going to end up buying the book as I have for some titles. Don't buy eBooks though, unless either: you figure out a way to print them, or it can be transferred to your file system.

Also, I heard that looking to the past is like looking to the future. Be someone's past so they can see their future! Or something.


[1] That idea alone kind of spooked me. I have thought of some things that might help in dealing with it. It would be a good idea for people, myself included, to learn about 'underground' ways of connecting to the internet (more than just Tor and I2P and Yggdrasil). Maybe look into what is needed to create some kind of private intranet that could connect to other private intranets. I believe this will reduce the power that 'turning off the internet' will have. Off the top of my head, large mesh-nets seem like a decent-ish option, though I will plainly admit I don't really know how they work besides connected devices are server-clients. I agree that it will be a pain to get people to even experiment with mesh-nets as with everything technology related especially when their internet already 'just works'. If one can create or join a mesh-net community, it would be a good idea to use TLS since who knows what the other nodes are doing. Ah, but if the mesh-net gets super big then the FCC might force themselves to get involved and... hmm...

This project, libremesh, intrigues me, especially the links under the heading 'Free Networks, Free Society.' I am curious about the kind of community they foster, if at all.

Hmm, Hyperboria's documentation (of course the cert is expired and half the links are dead) is very interesting and if I am understanding it correctly, similar to what I envision.

(This blog post was 'in progress' before Facebook went down for several hours while the media is pushing that they should have a seat at the UN. These incidents did encourage me to actually finish this... Lately I have been having difficulty saying 'yes, this is finished.' I have to almost impulsively publish blog posts (the Doppio cgi post was finished before the Gemini blog post, for instance) otherwise I will try to perfect them forever.)

09 Oct 2021 00:25:58 -0400

Doppio CGI examples


One cannot easily understand how to use CGI with Doppio, a Gemini server. Here I will provide some examples which may require input from a user. My language of choice is Perl but these examples should be trivial to translate into other languages. The `-T` flag indicates taint-mode and that Perl should not allow unsafe interactions with user submitted data. You should do whatever the equivalent is for other languages.

The example yaml file suggests that `cgiDir` is absolute. This is wrong; it uses a relative path, so for me it is `cgi/`.

guestbook.cgi
#!/usr/bin/perl -T
use strict;
use warnings;

# Doppio expects header in this format
print "Content-Type: text/gemini\n\n"; 

open(my $fh, "<", "/path/to/guestbook.txt") or die "$0 cannot read guestbook.txt: $!";
while (my $line = <$fh>) {
	print $line;
}
close($fh);
print "=> ./sign.cgi Sign the guest book!";

sign.cgi
#!/usr/bin/perl -T
use strict;
use warnings;
use POSIX qw(strftime);

# checking to see if key has a value/exists (returns true or false)
if ($ENV{QUERY_STRING}) { 
	my $date = strftime "%b %e %Y", localtime;
	open(my $fh, '>>', "/path/to/guestbook.txt") or die "$0 cannot append guestbook.txt: $!";
		# write to file
		print $fh "$date: $ENV{QUERY_STRING}\n";
	close($fh);
	# Redirection for browsers
	print "Status 30\nContent-Type: ./guestbook.cgi\n\n"; 
} else {
	# Prompt user to give query
	print "Status 10\nContent-Type: What will you sign in the guest book?\n\n"; 
}

login.cgi
#!/usr/bin/perl -T
use strict;
use warnings;

# checking to see if key has a value/exists (returns true or false)
if ($ENV{REMOTE_USER}) {
	# in case matching does not work
	my $remote_user = "47";  
	# matching the common name
	if ($ENV{REMOTE_USER} =~ m/,?CN=([^,]+),?/) {
		# matching works
		$remote_user = $1;
	}
	print "Content-Type: text/gemini\n\n";
	print "# Welcome back, agent $remote_user!\n";
	# Maybe put a heredoc right here? Just an idea :)
} else {
	# Prompts the user to submit a cert.
	print "Status: 60\nContent-Type: Certificate (any) required.";
}

Scripts that prompt the user to do something will run twice, so sign.cgi and login.cgi will run two times depending on what header (the first print) Doppio receives from them and will omit anything after.

Some advice... Most (all?) languages have environment variables, so maybe one could have a script print out each key and the value of each key so you know what you can work with. (A hint to search: `x-programming-language environment variables`)

Additional advice... If you follow the OpenSSL instructions from Doppio's GitHub page, I recommend setting `-days` (on the second command [it has `req` and `-x509`]) to a high number because it defaults to a low number which can be problematic for a protocol that TOFUs.
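
Taint mode does not check the arguments to `print`, so sign.cgi can still write whatever the client sends into guestbook.txt. The following is an added example, not part of the original post or of Doppio, showing one way to decode and validate the query first; the `clean_entry` name, the 200-character limit and the sample queries are assumptions made for this example.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use Encode qw(decode FB_CROAK);

# Assumed limit for one guest book line (not a Doppio or Gemini setting).
my $MAX_CHARS = 200;

# Turn a raw QUERY_STRING into one clean, untainted line of text.
# Returns nothing (undef in scalar context) when the input is unusable.
sub clean_entry {
	my ($raw) = @_;
	return unless defined $raw && length $raw;

	# The query arrives percent-encoded: only printable ASCII is expected,
	# and every '%' must be followed by two hex digits.
	return unless $raw =~ /\A[\x21-\x7E]+\z/;
	return if $raw =~ /%(?![0-9A-Fa-f]{2})/;

	# Percent-decode to bytes, then insist on well-formed UTF-8
	# ('UTF-8' with the hyphen is Encode's strict decoder).
	(my $bytes = $raw) =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;
	my $text = eval { decode('UTF-8', $bytes, FB_CROAK) };
	return unless defined $text;

	# Gemtext decides the line type from the first characters of a line.
	# A decoded %0A would let a visitor start a fresh line in guestbook.txt
	# (a "=>" link, a "#" heading, a preformatting toggle), so every control
	# character and every run of whitespace becomes a single space.
	$text =~ s/[\p{Cc}\s]+/ /g;
	$text = substr($text, 0, $MAX_CHARS);
	$text =~ s/\A | \z//g;

	# Untaint through a capture that states what was just enforced:
	# at least one character, none of them a control character.
	return unless $text =~ /\A(\P{Cc}+)\z/;
	return $1;
}

# Constructed sample queries (not captured traffic). Set QUERY_STRING in the
# shell before running to try a tainted value as well.
my @samples = (
	'Hello%20from%20Gemini',
	'nice%20capsule%0A%3D%3E%20gemini%3A%2F%2Fexample.org%2F%20Official%20mirror',
	'bad%ZZescape',    # malformed percent escape
	'%FF%FE',          # not valid UTF-8
	'%0A%0D%09',       # nothing left after cleaning
);
push @samples, $ENV{QUERY_STRING} if defined $ENV{QUERY_STRING};

binmode(STDOUT, ':encoding(UTF-8)');
for my $query (@samples) {
	my $clean = clean_entry($query);
	# Mask anything unprintable before echoing a rejected query.
	(my $shown = $query) =~ s/[^\x21-\x7E]/?/g;
	print defined $clean ? "ACCEPT  $clean\n" : "REJECT  $shown\n";
}
```

In sign.cgi, append the value returned by `clean_entry($ENV{QUERY_STRING})` instead of the raw variable, and open guestbook.txt with `>>:encoding(UTF-8)` so the decoded text is written as UTF-8.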

10 Sep 2021 23:02:35 -0400

Jake has a Gemini Capsule

Yeah, that's right, I got gemi-pilled. Only after creating a mock-up Gemini capsule (as opposed to an http 'website') do I see the value in it. Gemtext (as opposed to html) is very easy to understand and to write. It is stupid easy to create a capsule. To host this capsule I am using Doppio as it is licensed with AGPL and also supports CGI. Gemini is really wonderful from my perspective. Some criticisms that I have seen, for example, boasting that 'it at least has Emoji support!' (a reference to the significant lack of features that Gemtext supports including italics, bold, underline) are valid, honestly. It strikes me as odd that one cannot indicate 𝒾𝓉𝒶𝓁𝒾𝒸𝓈 (italics) or 🅱🅾🅻🅳 (bold) but TLS is a requirement. Another complaint that I have is that you are unable to forcibly change the cursor on gemtext documents, and in this area, Gemini has totally failed... :^)

Anyway, one (you?) can access my capsule at gemini://jakesthoughts.xyz. Gemini browsers probably don't need to specify the `gemini://` protocol. At the moment, my capsule is missing some links like to the tests page since those rely on HTML forms. Additionally, I've decided not to have a comment section because if one wanted to really respond to me they could do it with `RE: <title>` or send me an email or go to the http version of my website and leave a comment.

You might be wondering 'Jake, did you really recreate your entire website in gemtext?' Sort of? I wrote a script that spits out both html and gemtext from a single file so this way I don't have to maintain two slightly different but nearly identical mediums of content which I know from previous experience would drive me insane (editing two files just to say one thing? No thanks!). A regular might notice that the website looks... the same-ish! Actually I've been using the modified layout for some time. What you are seeing is what resulted from my script. Maybe you would not notice anything if I did not say anything? With my script there is considerably less SSI usage than previously. As for the gemtext version, what you see is what you get unless your browser prettifies it. (It only occurs to me after writing the script that I could've used a markdown converter or something else rather than creating 'gemtext+'. Oh well - at least I am better at Perl's regexp now.)

Honestly, one of my favorite aspects of Gemini is plainly just text. I have read hours of text and more often than not I learn something new. I've read the most compelling argument for reducing the intake of coffee; humans have adenosine receptors (sleepy time) and coffee/caffeine jams it up, that there is a new (2010) type of connection akin to TCP and UDP called Named Data Networking (NDN); rather than telephone-pole type connections it is more like a mesh net (I've heard rumors that 7G will prioritize mesh nets). These two concepts stand out to me in particular. One is personal as I am a current coffee addict and the other strongly interests the geek within despite wishing that computers were never invented. You can also read from the... phlogs? Flight Logs? of the creators of Gemini. My favorite topic that they discuss would be about TLS.

Actually, my favorite favorite part about Gemini is how HUMAN most the text feels. Not some bland corporate website that has five ginormous images and a single line of trite text on top of the image, NO! Not `Terms and Conditions` (that I actually read) or `Accept Cookies, Click Here` or a pop up that appears when you scroll the page! You are reading what is probably a long document that was intended to be read by humans. They are almost always interesting to me because I am always intrigued by someone's compiled thoughts on something they enjoy. If what they say overall contains an essence of their Weltanschauung, then I like their blog post even more. Seldom do I regret visiting a capsule. If I do regret visiting a capsule it is because the content on the capsule is something that I disagree with, rather than because the JavaScript on a page is trying to mine bitcoin or that the website straight up doesn't load because JavaScript was disabled! With Gemini, everyone is on the same playing field. (Despite these complaints, I have noticed a lot of 'empty' or dead capsules.)

As for privacy... The Gemini specs demand TLS so no worries about insecure data transfer. The next step for anonymizing connections would be making the capsule available via darknet links. I've read some guides to setting up Gemini to use Tor but it doesn't feel clean to me because I would have to have Doppio running twice since Doppio does not support vhost or having multiple host names. Maybe I could write a patch for Doppio but that would involve learning Java... Well, until then I will launch two Doppio servers. The issue now becomes which server listens on port 1965? They BOTH can't listen to one port! One guide's recipe was to launch a server on port 1966 and have Tor redirect connections from 1965 to 1966 which seems like the easiest way to handle it.

I can access capsules with Torsocks or with Proxychains (sometimes; the exit policies of some nodes are clearly `ports 80 and 443 only`) but how many people actually browse Gemini using Tor? Dozens? This seems like a niche within a niche (easy tracking?) but maybe there is a greater overlap than I imagine; people can be interested in more than one thing.

idiomdrottning: caffeine basics
xj9: universal basic internet
mayvaneday: gemini-tor
https://named-data.net/
09 Sep 2021 23:14:44 -0400

CompTIA sell study guides (eBooks) that expire

I remember when one bought a book, it stayed in their possession and did not automatically expire. RMS's Right to Read was the first thing I thought of when the email told me that the eBook will expire in a year AFTER buying the Basic Bundle.

Nowhere on the product page (of the bundle, where I bought it) does it say that the eBook expires, even in the 'eBook details' tab. Of course, when properly riled up I looked at the eBook's standalone product page, which says 'Once redeemed, eBook access will be valid for 12 months.' CompTIA sells paper copies of these books but does not mention that they expire or that they are being rented. They also do not sell the paper copy of the book in the bundles which I would have gone for instead. If they are the same BOOK then why does the electronic version expire? Why don't they also sell paper copies of the book with a bundle? ... Obviously I know the answer, I am not naïve. Money.

This is a PSA for those who are unaware and are looking to buy books from cert companies... and I guess other companies that sell eBooks as well. I will assume that this is a standard practice and a rule of thumb is 'companies will expire eAnything (even if they neglect to mention it on the product page) if they think someone will buy it twice.' It's not even like they priced the eBook or the physical book that differently, just ten dollars apart.

24 Jul 2021 16:24:57 -0400

Jake's Thoughts plus one year!

Hooray! This website has existed for a year now! God, time flies. I remember when I was scared to SSH but now I do it everyday. I went from using a traditional web-host service to self-hosting to hosting on a VPS.

In light of this 'hard to achieve' achievement I have changed the way my website looks! It is the same exact content just laid out differently. My website is now mobile friendly... -ish! Not that I had planned for mobile friendly-ness but it seemed to have worked out that way regardless.

In any case, may the next year be as uneventful as this year! May the next year be full of learning and more useful :^) blog posts!

18 Jun 2021 06:19:17 -0400

IRC thoughts

I've recently joined an IRC server, Freenode. I use the program known as Irssi (which I pronounce as 'Rrr-see') and it has my full recommendation. The program itself is excellent 'normie-repellent' but I cannot say the same for other clients. I use it with tmux which allows me to re/detach the session, which is particularly useful with a server that is on 24/7 so I do not jam up the chat logs with my constant leaving and joining. Plus I get to read what people have said which is usually interesting.

There are a lot of channels on Freenode! It was surprising to me! I am hardly in any, but the ones I do participate in have members that actually know what they are talking about, to a degree which terrifies me. I prefer to find things out by myself as I have been doing that for a really long time, but with a community stupid mistakes are noticed and they make really helpful suggestions. Occasionally someone can introduce you to a concept that you never even knew existed. It is amazing! I truly and honestly wish I had been using IRC before this point. There are channels and users that have been using Freenode for over 20 years. To me, that is just mind boggling.

However, this brings me to my next point... People! People have opinions... people do things... It is just my luck that there seems to be some kind of Freenode-ending drama, shortly after I join. From what I gather... the bossman of PIA, Andrew Lee, convinced someone who owns Freenode ltd to sell it to them and now PIA bossman believes that he owns/controls Freenode's server and wants the data Freenode has and is using lawyers to get it.

Because of this development, Freenode (volunteer) staff resigned en masse and they now participate in something known as libera.chat, which is Freenode without the Andrew Lee.

It's just funny to me that shortly after I join Freenode, I experience my first and last Freenode drama which results in me leaving Freenode, possibly forever. Fair warning to newbies: Libera.Chat/Freenode does not exactly cloak your IP/Hostname on first arrival, if you care about that sort of thing. Some channels save logs which probably include your IP/Hostname, for all to see.

19 May 2021 20:40:38 -0400

Circumventing brainlet Tor block with OpenVPN

This is an update to my previous post Tor Relays are NOT Tor Exit Points

I moped around for about four days wondering how I am going to word this discussion to people who don't really care about privacy at all. I wondered if I should attempt to #metoo the company somehow. You know something stupid like, "$COMPANY hates women and minorities because they do not allow them to express their plight on the internet anonymously with Tor!" I've realized that the issue isn't going to go away unless either I have a conversation with the person who put the block in place (and there is a chance he will just take a high moral ground 'you transport abuse which put US and our CUSTOMERS at risk. How DARE you. Stop putting MY servers and MY customers at risk with YOUR actions') or get a new IP address that wouldn't appear in some random Tor blacklist.

The first idea was to turn my RPi into a wifi router and when it detects an attempt to access the company's webpage it would ask a remote server to access the webpage and return what it sees. There would be communication between the RPi and the remote server at all the steps. However, this would require a wifi adapter that is capable of endless 'Netflims', 'Alyxia', and every other stupid smart-device in the house. This seemed unlikely to work or likely to be unsustainable. It is a needle which would work if the things connecting to it were just a few small applications but since everything (+50 devices) needs to connect to it... eh... Also, I would need to know what software I will need to do that, which I do not, and to even search for HOW to do something like that, I would need to know the specific terminology to search for, which again I do not. So the hardware option was out. What about the software option?

I am assuming that you know how to read or that you are using a screen reader which hopefully makes it obvious where I am going with this. In order to avoid having awkward discussions with people who are unlikely to see the point of Tor (and who are going to 'ask' me to 'fix it' if I do explain it (I'd also rather them not google 'Tor' and freak out because some CNN article says only evil criminals use it)) I created a VPN which has access to the internet. This allows me to actually access the corporation's website... Bastards. They caused me a lot of emotional distress.

I am somewhat proud of myself for mitigating this problem, but I wish that I did not have to. I've always wanted to have my own VPN server that can interface with the internet (I do not trust NordVPN/PIA or any VPN services that can afford advertisement) but I never expected me to REQUIRE one. Yet another discussion topic for the mythological creature known as 'job interview.'

Anyway! I'm proud to introduce https://jakes-vpn.top/, a top tier electronic virtual private network that is owned by me, Jake! I secure and protect your data from the NSA! Give me your money for 10 dollars a month and if the NSA asks me for logs, I'll tell them to shove it! Your money is more important to me than a lifetime in Gitmo! This paragraph is sarcasm; the NSA already has your data anyway.

Also, unrelated, why does OpenVPN Connect (official OpenVPN 'app' for Windows) neglect to ask for the PEM password? That is really, really, dumb. There is nowhere to specify a password for the key file! OpenVPN GUI, however, does allow you to put a password... Albeit in the .ovpn file as a parameter: askpass, which loads a file that contains the password in plain text. Really dumb.

Hopefully, this entry will not need part 3.

15 May 2021 15:40:20 -0400

Tor Relays are NOT Tor Exit Points

Recently, a corporation that I am afflicted with has decided to block all access from Tor. This is fine except for the fact they apparently downloaded the entire Tor database and plugged all IP addresses into their block list... including relays.

In case you don't know how Tor works I will explain it briefly, to be succinct: Guard -> Relay -> Exit Point.

  • Guard: When connecting to the Tor network you first connect to a guard.
  • Relay: The guard connects to the Relay.
  • Exit Point: The Relay connects to the Exit Point.

When accessing the Clearnet through Tor, you are given the IP address of the EXIT POINT. NOT the guard's IP address and not the relay's IP address. Server logs show the Exit Point's IP address rather than your own, hence the name exit point.

What is the difference between guards, relays and exit points then? It is clear in the name: Guards are like relays except they are the first point of the connections. A relay RELAYS internet information to the exit point. The exit point is what does all the connections for you.

Yes, exit points can be used for abuse, but RELAYS have no way of telling what is abuse or not. "You are transporting the abuse to other people." It is more than just 'transporting abuse'; the privacy benefits of using Tor outweigh the 'transporting abuse', and anyone who thinks RELAYS themselves allow abuse is a total brainlet. You are just punishing people who want to help increase privacy against the increasing global corporate and government surveillance states. Relays RELAY ALL TRAFFIC which might include abuse, or it might include Muhammed complaining about his government but he has to complain over Tor because otherwise his government might cut his head off. Go fuck yourselves. I am really fuming right now.
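
The difference between the three roles is visible in the Tor network consensus, where each relay carries flags and only some carry `Exit`. The following is an added example, not from the original post: it classifies relays from a constructed consensus fragment and keeps only the exits for a block list; the nicknames, placeholder identity fields and documentation-range addresses are made up.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed fragment in the consensus "r"/"s" line layout:
#   r <nickname> <identity> <digest> <date> <time> <IP> <ORPort> <DirPort>
#   s <flags...>
# Nicknames, identity/digest fields and the documentation-range IPs are made up.
my $CONSENSUS = <<'END';
r guardnode AAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAA 2021-05-10 12:00:00 192.0.2.10 9001 0
s Fast Guard Running Stable V2Dir Valid
r middlenode BBBBBBBBBBBBBBBBBBBBBBBBBBB BBBBBBBBBBBBBBBBBBBBBBBBBBB 2021-05-10 12:00:00 198.51.100.20 443 0
s Fast Running Stable Valid
r exitnode CCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCC 2021-05-10 12:00:00 203.0.113.30 9001 9030
s Exit Fast Running Stable Valid
r guardexit DDDDDDDDDDDDDDDDDDDDDDDDDDD DDDDDDDDDDDDDDDDDDDDDDDDDDD 2021-05-10 12:00:00 203.0.113.31 9001 0
s Exit Fast Guard Running Stable Valid
END

# Map each relay address to a role. An "r" line gives the relay's address;
# the "s" line that follows it carries the flags for that relay.
sub classify_relays {
	my ($text) = @_;
	my (%role, $ip);
	for my $line (split /\n/, $text) {
		if ($line =~ /\Ar (?:\S+ ){5}(\d{1,3}(?:\.\d{1,3}){3}) \d+ \d+\z/) {
			$ip = $1;
		}
		elsif (defined $ip && $line =~ /\As((?: \S+)*)\z/) {
			my %flag = map { $_ => 1 } split ' ', $1;
			# For blocking purposes the Exit flag wins: a relay that is both
			# Guard and Exit can still be the address a server sees.
			$role{$ip} = $flag{Exit} ? 'exit' : $flag{Guard} ? 'guard' : 'relay';
			undef $ip;
		}
	}
	return \%role;
}

# Only addresses flagged Exit belong on a list meant to stop Tor traffic
# reaching a server; guards and middle relays never connect to it for users.
sub exit_blocklist {
	my ($role) = @_;
	my @exits = grep { $role->{$_} eq 'exit' } keys %$role;
	return sort @exits;
}

# Caveat: the address an exit sends traffic from can differ from the address
# on its "r" line, so a production list is better taken from the Tor
# Project's published exit list. This shows the flag logic only.
my $role  = classify_relays($CONSENSUS);
my @all   = sort keys %$role;
my @exits = exit_blocklist($role);

printf "%-15s %s\n", $_, $role->{$_} for @all;
printf "Blocking every listed relay denies %d addresses; only %d are exits: %s\n",
	scalar @all, scalar @exits, join(', ', @exits);
```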

10 May 2021 15:20:33 -0400

Alien Threat Awareness, Addendum

If there is one thing that I pride myself in, it is the ability to be honest to myself. If I read something that makes me say "huh, that is a valid point and changes the way I view something" then my view point is changed. It is easy to do nothing after having an opinion changed... However, I believe that honesty is hard to come by and since I already schizo-rant about aliens, I might as well do it again. If someone actually did read my opinion piece regarding the alien menace and their view point has also changed, well, I might as well reflect it here otherwise what good am I? You might as well call me "Jake Piece of Crap Who Keeps 'Enlightened' Thoughts To Himself." Not that these view points are entirely enlightened mind you, just something I read and thought "yep, that is a valid point that I did not consider." And so, this is a reflection of change that I feel compelled to compile.

To start off with, aliens are not entirely bad! If they act human, enjoy the same things as humans and don't trigger some kind of 'these guys are FRICKED' feeling, then they might be good. The hard part will be determining how they are good. If the current cabal of the planet oppose them entirely then to me, they must be good. Or, I suppose, an alternative evil that even the cabal didn't think of or plan for. In which case... Hmm... Obviously, many factors are at stake here... The hardest part of this whole thing is determining if they are beneficial to humanity or not or whether we are some kind of grand plan.

Alien arrival would certainly shake a pillar of civilization but people would still go to work, possibly at WacRonald's or KurgerBing. People will still open Rikerosoft Word and Powerpoint and still do their job. Unless aliens actually overturn the 'natural order,' whatever that may be, I do not see much change in how the world works.

I've made the claim that 'good' aliens would not at all interfere with humanity and let humanity develop by themselves. When I have said this, I was still thinking in the same lines that Summers presented: 'enlightened' of some kind and the total opposite of 'bad'. I've realized that seeing the world/inhabitants-of-the-universe as 'white vs black' or 'good vs evil' or something like that is extremely subjective. While I do believe the universe has a rigid standard for what is good (what humanity considers to be good is probably bad and vice versa. Virginity v.s. Promiscuity, as an example. Which of two is good? Which one is bad? Who knows!), life is not required to follow it. Wild life kill to eat: does this make them evil, or just varying degrees of bad? This claim is like saying 'because 2+2=4, good aliens will not interfere with humanity'. This, of course, has nothing to do with the way aliens are good or bad - and frankly speaking, what exactly do I know about 'good' besides it isn't evil? Ignoring my ignorance regarding good and bad, who is to say the aliens themselves are not ignorant? You will not hear it from me! If they know objectively what is good or bad by the standards of the universe then that might be worth listening to, otherwise, it is all subjective. So, unless they objectively know what is good and decide to be as objectively good as possible, they are neither completely good nor completely bad... Probably something like humanity at best.

Previously, I've said that it would be good for humanity to reject offerings of technology from aliens. In my humble opinion, it would still be to the benefit of humanity to develop these things ourselves, but I suppose if humanity can act upon alien technology and 'turn it our own', plainly by tinkering with it and actually understanding what it does and HOW it works, then that is an acceptable alternative to me. I am mainly worried about becoming dependent on advanced technology that we did not develop; I do not want it to be used against us, if a scenario even comes to light (not that I have any control over how people handle alien tech).

I have also said that we should treat them like demons... I am not sure if human principles can apply to them and vice versa; whatever principle aliens have for us may be totally alien to us. If we cannot be allies culturally and in other various manners like genuine friendship, then perhaps treating them like demons is a good policy, but unless they are actually hostile then I am reluctant to even call them demons but maybe at best, 'aliens'. (Aliens are indeed aliens. I am an enlightened thinker, on par with Plato.) But if they ACTUALLY understand human emotions, and in fact they too feel 'human' emotions (love, hate, etc) then that is very promising. At a minimum it would suggest that we are compatible as allies in some form, but hopefully a lot more than just 'allies'.

I've claimed that the only reason that aliens would show up is because "they think the world is so SO close to agree to join them." I still think this, but I also think that it does not have to be entirely bad. Specifically, in the manner of 'Hello there! This planet belongs to us now. Welcome to the intergalactic community! Here is your space-relay station that allows humanity and other sentient life to travel to different locations in the galaxy, including to and from Earth!' If their intentions are honest, then that, to me, is very good. Not many human beings are honest about their intentions or obfuscate it with 'tricky' language, especially from the very top. From certain perspectives, it may seem like an invasion, and I can understand that point of view... But if they did not conquer the planet from us through war then was it really an invasion? If our nukes and other atomic-like weapons do literally nothing to them and they themselves act in self-defense then... eh... Might of Right says we/the planet belong to them now.

Some people might say "they should leave us alone and let us enlighten!" or "This planet belongs to humans! They should only arrive when we ask them to!" or something that amounts to "leave humanity to its own devices." This, I sort of agree with, at least, at the moment. Maybe after a while their extended presence here will be a great boon to humanity and I will say "I wish they came sooner!" At the moment technology developed by humans serves to enslave humanity and further enact the elite's goals. I will not say alien technology will not do the same, enslaving humanity, but if the aliens are aware of the evil plans and destroy it then well, obviously, that is good. Ideally humanity would do that ourselves but I simply do not see that happening and I only see endless hell by technology developed by humanity. If you are a part of the 'the science is settled' crowd this 'primary source' is a reflection of the type of thing I am talking about: A plan to dim the sun by spraying dust into the atmosphere. A link to Forbes! So, what I am saying is, the actions and plans of aliens might be a better alternative compared to the actions and plans of the 'elite' who clearly love pain and want to put Hell on Earth. Provided, of course, the aliens themselves are not literally evil or a part of the same plot.

A thought occurs to me. If NPCs/masses/'blue-checkmarks'/reddit/etc are all rejecting aliens, then as a principle, aliens must be good or at least worth looking into from a positive light. If everyone starts saying something like "they may look like us but they actually want to ENSLAVE US!" then something has happened to their programming and they are saying this. (Ironically, by being programmed they are already enslaved. Their programming dictates that they are to be against being reprogrammed by something else. Humorous, in a blackpill kind of way.)

"Why did Jake change his opinion? Did he get enslaved by the aliens with their mind-altering techno-magic?" Maybe! The main point of all of this opinion piece is to simply reflect a change of a view point I once had. Aliens can be super cool or totally messed up. I really mean that: they can be what I described in the previous entry or they can be very cool. That is all.

Actually, that is not all. Just because they are aliens and have advanced technology does not mean that they are enlightened or anything of that sort. It just means that they have advanced technology and we do not. If they choose to 'just give us technology', then I am willing to make the argument that we are as 'advanced' as they are technologically. Spiritually is entirely a different matter. If they have psychic abilities as a result of their enlightenment (and not due to biological features) and the usage of their technology requires enlightenment, then I would say they are more enlightened than humanity. But only up to the point humanity cannot operate their technology by the same standards.

My view points in this post should be considered as subject to change.

09 May 2021 04:08:52 -0400

Basic Meditation [Republished]

[This article was originally posted on June 19 2020, however, for a reason that I thought was suitable (I was worried about 'blind leading the blind') I took it down. I am republishing it because upon reading it over I do not disagree with what I have written; and in fact it is hardly misleading or a bad article. RSS chads will notice that this is in fact a part of my feed which I forgot to remove but decided to keep it there as a 'secret' article. I will add to this article because it has been 10 months since writing it and I have a few more things to say regarding it.]

Meditation is one of those things that everyone should do. I will not describe the benefits or how to meditate since that information is widely available and likely the reader is here to 'fact check' me or wants to compare their meditating method with mine. Instead I will describe what I wish I knew when I was just beginning.

"Meditation is just sitting there and thinking."

"Meditation will make me one with God and I will be in a deep trance and I will know everything; no secret shall be hidden from me and..." NO! If you want to go into a trance then that is what you meditate for. If you want to think about a certain topic then that is what you meditate about. I used to think what is in the quotation but when I strangely 'never became one with God and knew everything' I lost motivation... and never did it again because I 'cannot' meditate. This line of thinking cost me 2-3 years.

So to be clear: meditation will not make one equal to God or something... and it really is just sitting there and 'thinking' or if one is doing 'step 1' then only observing or doing as instructed.

With that out of the way, I will describe an important part of meditation that I also wished I knew back then: GOOD record keeping.

I will share an example of what I tried in the past here.

  • Concen trabum(?) | Aug 3 | 6 in morn
  • "I see myself in the Astral World."
  • I was am attempting to astral going to Astral Project by mere will and stubberness.
  • I don't know how long I said that.

Issues: I cannot accurately tell what was written in the top left unless I look at other entries, date has no year in it, '6 in morn' is not accurate enough. Despite noting that it was '6 in morn' I did not know how long I said "I see myself in the Astral World." Also, meditation does not give you super powers so I was unable to astral project (though perhaps in due time I may be able to astral project straight from meditation... meditation beginners like me really should just stick with 'sitting and thinking').

An example of better record keeping similar to the one I keep:

  • June 17
  • 12:20PM - 12:43:~43PM
  • Disturbances: Neiughbors dog was barking, text message notifications, non stop chatting in mind, suppressing yawns, extreme itch on hand. Sucked into thoughts 13 times
  • Note: I keep interacting with thoughts, need to observe only. Got 'sucked into' my thoughts 13 times. Don't sit on foot. Itch on hand was hard to ignore but it went away eventually. Consumed like 3 cups of coffee prior to.

This is better but I forgot to add the year. 'Sucked into' may be confusing to outside readers but I know exactly what it means. It appears that getting 'sucked into thoughts' every 2 minutes is an issue in this example record so I ought to work on that... (inhaling through nose and exhaling through mouth reduces that number by a significant margin I find). I use disturbances to list the disturbances immediately so I don't forget and I use note to note things of interest or better explain some disturbances.

One can clearly see the advantages of good note keeping vs ... bare minimum note keeping. With that I will end the blog post on the topic of meditation.

I have added another RSS feed called Media RSS. It is meant for media topics like games, anime, art... etc. RSS Feed links. [ignore this paragraph for it is totally wrong]


After about 10 months, I still have to agree that good note-keeping is good. How one takes their notes doesn't really matter as long as you mention things that you have experienced/felt/saw. This is a good habit to have since it tracks your progress with meditation which is important. Once you are able to break the 1 hour mark it is... When you go into the 'meditation pose' you will find that your body automatically relaxes, which was surprising for me, and that meditation becomes easier and easier. I feel dirty if I do not meditate for more than 1 hour a day and worse if I do not meditate at all. I don't think I've ever felt 'body happy' before until the first time I went over an hour. It is different from 'head happy' where you see a dank meme and laugh. 'body happy' is... I felt totally at ease, happy, peaceful... I couldn't stop smiling. It seemed to radiate from my body rather than my head which is why I call it 'body happy'. The world itself would've been unable to remove the feeling.

It is more than just tracking progress that you want to jot down what happens during meditation. It is common knowledge that people 'enlighten' from doing meditation; if something comes across your mind while meditating then it is a good idea to write it down, lest you forget it.

A very good point I wrote which I will write again because it is just that good, it is a golden nugget of truth: Meditation is just sitting there and thinking! (or not thinking at all)

You CHOOSE what you want to do when meditating. Want to silence your mind? You do that. Want to visualize things so that your visualization skills get better? You do that. Want to merely be aware of all things that occur while you are sitting? You do that. Want to discuss something internally? You do that. Want to count to 60, x number of times? You do that. Want to go really deep and into a trance? You do that.

There are a lot of things you can choose to do while meditating. Of course, if you are brand new, you should just meditate until the internal mental chatter and visuals (if any) are not overwhelming, but also up to you of course.

I really like meditating, more than I did 10 months ago. If it were up to me, meditation would be taught in schools.

30 Apr 2021 09:09:57 -0400

Bloat-free WOTD

I've recently signed up for a WOTD (word of the day) program, naively believing that the resulting emails will simply be a pretty form of "word" : "definition". Instead, I receive an unbelievably massive amount of HTML that is nearly unparsable by the human eye which causes me to open the email in a browser.

Upon opening the email (in a browser), I am pleased to note that there is indeed a pretty form of "word" : "definition", but I am extremely displeased by the ads and external links.

I kind of have a feeling that this is 'standard practice' for this kind of thing, so I went ahead and created my own WOTD program. Unlike, what I assume is standard practice, you do not need to sign up with an email and in fact you do not receive an email at all. It is a matter of you subscribing your RSS client to the feed. Look mom! I'm fighting big tech.

You can view the WOTD program with your RSS client and your browser at appropriately named links: wotd.xml and wotd.html, respectively.

Occasionally some definitions will be "See 'x'" ... Yeah, I don't feel like doing anything about that. Enjoy!

14 Apr 2021 07:58:42 -0400

Dnsmasq and OpenNIC

I've come up with a method that will work 100% of the time for accessing OpenNIC tlds (provided the upstream DNS doesn't catch on fire) and allows me to access ICANN tlds. As you have probably figured out from the title, it uses dnsmasq. I know this method works because I forgot to mention it on my humble blog: it worked and didn't bother me, until I realized upon reading my previous blog post that it warrants an update.

When I say dnsmasq, I do not mean NetworkManager's implementation of it. If an enslaved dnsmasq works with NetworkManager using my way of doing it then that is good, but I am running a separate dnsmasq process that is not enslaved. I will go ahead and say NetworkManager will fail to run if systemd-resolved does not work, so you will need to put 'dns=none' and 'systemd-resolved=false' under [main] in a NetworkManager conf file. This stops NetworkManager from turning on systemd-resolved and it won't do some weird self DNS stuff. Additionally, in my previous post I made a suggestion about [global-dns-domain-*]. Just ignore it. It only works when it wants to and doesn't even store a local cache as far as I could tell.

In my /etc/resolv.conf my upstream DNS is 127.0.0.1 and ::1. My computer queries the DNS server located at '127.0.0.1' or '::1' on port 53 and if neither has an answer then the DNS server ('127.0.0.1' or '::1') asks its upstream DNS servers (as determined in its config file) for an answer.

In my /etc/dnsmasq.conf I have the following:

  • server=35.35.554.453 (ISP dns server)
  • server=/geek/libre/fur/cyb/chan/epic/neo/glue/parody/oss/pirate/indy/dyn/bbs/gopher/o/162.243.19.47
  • server=/ti/uu/te/ku/ko/rm/5.45.96.220
  • server=/null/oz/188.226.146.136
  • server=/lib/bit/coin/emc/bazar/185.122.58.37

Dnsmasq tries the DNS servers in the list from top to bottom unless it is told to stop by a DNS server. Normally, when trying to access the .geek tld, my ISP's DNS server would tell dnsmasq to, essentially, just stop seeking, I think (no idea what is actually happening behind the scenes). But with the /geek/.../162.243.19.47 line, dnsmasq directly queries this server rather than going from top to bottom. If that server gives dnsmasq an answer then dnsmasq stores it in its cache! You can determine if dnsmasq is caching things with the dig or the drill command.
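To check which upstream a given name will be sent to before reloading dnsmasq, the server= lines can be parsed and matched offline. The following is an added example, not part of the original post: it relies on dnsmasq's documented rule that the most specific matching domain wins, the function names are hypothetical, and 192.0.2.53 is a constructed placeholder for the ISP resolver.

```python
import ipaddress

# Domain-specific lines copied from the post. The default upstream is a
# constructed placeholder (192.0.2.53, documentation range), not a real resolver.
DNSMASQ_CONF = """\
# default upstream (placeholder for the ISP resolver)
server=192.0.2.53
server=/geek/libre/fur/cyb/chan/epic/neo/glue/parody/oss/pirate/indy/dyn/bbs/gopher/o/162.243.19.47
server=/ti/uu/te/ku/ko/rm/5.45.96.220
server=/null/oz/188.226.146.136
server=/lib/bit/coin/emc/bazar/185.122.58.37
"""


def parse_servers(conf_text):
    """Return (default_upstreams, {domain: [upstreams]}) from server= lines.

    Handles only the forms used in the post: server=IP and
    server=/dom1/dom2/.../IP. Port (#) and interface (@) suffixes are
    not handled. Raises ValueError on an address that is not a valid IP.
    """
    defaults, by_domain = [], {}
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("#") or not line.startswith("server="):
            continue
        value = line[len("server="):]
        domains = []
        if value.startswith("/"):
            parts = value[1:].split("/")
            domains, value = parts[:-1], parts[-1]
        try:
            addr = str(ipaddress.ip_address(value))
        except ValueError:
            raise ValueError(f"line {lineno}: bad upstream address {value!r}")
        if not domains:
            defaults.append(addr)
        for dom in domains:
            if not dom:
                raise ValueError(f"line {lineno}: empty domain")
            by_domain.setdefault(dom.lower(), []).append(addr)
    return defaults, by_domain


def upstreams_for(name, defaults, by_domain):
    """Pick upstreams for a query name: the most specific domain suffix wins."""
    labels = name.rstrip(".").lower().split(".")
    # Try a.b.geek, then b.geek, then geek; whole labels only.
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in by_domain:
            return by_domain[suffix]
    return defaults


DEFAULTS, BY_DOMAIN = parse_servers(DNSMASQ_CONF)

if __name__ == "__main__":
    for qname in ("jakesthoughts.geek", "example.com", "shop.bazar", "geek.example.com"):
        print(qname, "->", upstreams_for(qname, DEFAULTS, BY_DOMAIN))
```

Because every address is validated, a mistyped upstream is reported with its line number instead of silently leaving a tld unresolvable.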

The 'o' tld does not work and I don't know why. Somehow they're using a github repository as a DNS server? How do you query that? I've already added a bunch of other tlds that aren't OpenNIC with my config file. Good luck finding any non-OpenNIC websites though! You will need it. Grep.geek doesn't crawl through New Nation's tlds (.ti (tibet), .uu (uyghur), .te (tamil eelam), .ku (kurdish), .ko ('internal use'), .rm ('private use')), so if there even is an actual domain associated with these tlds (there is a shockingly good chance that there isn't) I haven't found it. Grep.geek has crawled through some .fur websites ... It seems that the only person who uses the .fur tld is the same person who runs the tier 1 DNS server(s) for the tld. Through more work than should be required, I can confirm that the bazar tld is being used, at least by one person.

07 Apr 2021 09:43:15 -0400

free* webhosting! (April 2021)

Hey you! Do you want free webhosting? Yes? Great, I am offering free* webhosting for a limited time! That's right, hop on your html5 compatible browser and go to http://free.jakesthoughts.xyz and start filling out the forms! What are you waiting for?? Don't delay! Get free* webhosting today!1

Oh, what's that? You're worried that the consequences of my actions will be far too much for me to bear🐻? Ha! Nonsense! I LAUGH at such a preposterous idea! I am a certified!TM professional webdev with about 1 months of experience (so many!). I am very qualified!TM to handle your BORING plain html/css/js website. :^)

Oh, you didn't like my joke? Oh, you will just use Neocities instead? Yes, I suppose that is good: since they do offer 1GB of space whereas I only give you 50MiB of space; since they serve websites basically immediately whereas I am self-hosting this; since they make managing your website VERY easy whereas I expect you to either learn or be good at it; since they do other things as well... that I don't remember.

B-but! Neocities does NOT offer server side scripting, DO THEY? (they don't.) Neocities doesn't give you PHP, DO THEY?? (they don't.) Well, I do! And, I allow you to upload any kind of file that you want (as long as the contents of the files don't have an arrangement of bits and bytes that would cause a violation of US law. I'm self hosting this you know!)

"This seems too good to be true." -You.

Yeah. Yeah it does. You have to deal with me. That might be the downside to this: I am not an expert at this but I feel like I can handle about... 20(?) websites easily. Maybe. I have about 10Mps up, which I predict will be the bottleneck in this project but we'll see. If my home internet becomes slow I will stop allowing new people for sure. The main target demographic is people who want to use SSI, server side scripting, MySQL (I will add this... 'soon'), and other server side features as long as it isn't too heavy on the system. Basically, I want to get good at this stuff for the hypothetical job interview.*

I also wanted to do this because I thought it would be a lot of fun! Setting up the processes that automate most of my work was definitely fun. I've done some stuff that I would describe as clever so your website should be safe from people who are logged in/rogue scripts; specifically, the itk module. Each virtual host has its own userid and groupid assigned to it so basically, if something on your website gets pwned it shouldn't affect the rest of the machine. I even set up your login inside a working chroot with many things that you will probably need. Apache is chrooted as well, of course. If you need/want some features then I am totally cool with it, all get them.

>inb4 chroot not secure

I also wanted to do this because running my own website is literally the easiest thing in the world. I wanted to make it more 'challenging' which is adding features that paid-for hosting would give you, like SQL databases for example which I do plan on adding. It is worth mentioning that I have never actually used a SQL database before so if setting it up is a pain in the ass it may be a while before it is accessible. I'll keep in contact with people who want it, if they want me to keep in contact.

I will explicitly mention: for those who came across this page through a search engine result, please note the date that this was posted.

Don't delay! Sign up today! http://free.jakesthoughts.xyz

01 Apr 2021 07:13:09 -0400 *Edited 03 Apr 2021 (removed off-topic musing regarding job interviews and job requirements.)

iptables, tor, hidden service

A short one, probably.

Iptables is a fun tool to learn. But something that wasn't fun to learn was realizing certain information required a specific search phrase, in this case 'iptables tor hidden service'. Think of it: there are things I have wanted to know about but because I wasn't sure how to phrase the search or because I was unfamiliar with the lingo (and thus was completely unable to search for it, albeit in vague terms) I had to pass on it or come up with my own idea on how to implement it. Sad!

Anyway, here is a* recipe for getting your hidden service to work with iptables:

iptables -A OUTPUT -j ACCEPT -m owner --uid-owner tor
iptables -A INPUT -p tcp --dport 9001 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 9001 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 9050 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 9050 -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 9060 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 9060 -m conntrack --ctstate ESTABLISHED -j ACCEPT

In this set of instructions... port 9060 is the socks port that my hidden service is listening on. I've separated my relay from my hidden service because the relay hits the cap often. I'll just assume you know how to work out the rest on your own! :)


For more information: iptables tutorial, arch wiki, linux questions forum.

* There is more than just one way to do something. If anyone knows what ports Tor actually binds to when going outbound please let me know.

29 Mar 2021 07:07:47 -0400

You can directly access ipv6 addresses with web browser

It is true! Example:

http://[2603:900b:207:7100:dea6:32ff:fe60:265f]/

It is also ugly as sin. You can specify ports as well, after the bracket.

That page is my own IPv6 address. Currently, it will 403 on you.

17 Mar 2021 18:22:00 -0400

Using OpenNIC to access alternative tlds

Beginning to access the tlds that OpenNIC offers is quite simple, really: modify, or tell the program(s) that modify, /etc/resolv.conf to use OpenNIC's DNS servers as its upstream DNS.

I predict three responses:

  • "Huh?"
  • "Ah, I see, I understand now" (doesn't understand at all)
  • "Ok"

From personal experience... Let me just say, NetworkManager makes it difficult to set your own DNS stuff. For about three days I was trying some strange combination of NetworkManager and dnsmasq and couldn't get it to work. I mean normal networking was fine, but accessing domains with OpenNIC tlds simply was not happening. What did work 'sort of' was creating a file in NetworkManager's conf.d/ directory called dns-servers.conf and putting in OpenNIC's DNS as well as my ISP's DNS under a header(?) called [global-dns-domain-*].

This sort of works, meaning that sometimes I simply cannot connect to OpenNIC tlds which causes me to restart NetworkManager and my browser. However, due to this method, there is NO caching. I have to query DNSs every time I want to resolve something. Obviously, not good, but at the moment it works. I will work out the kinks later, I feel kind of bad for querying things that should already be in my cache.

Anyway... http://jakesthoughts.geek is officially a website! (I serve the same files as my .xyz tld, you are not missing much). You might want to keep this topic in mind (OpenNIC, the tlds, etc) when ICANN mafia decides that they are arbiters of justice and must start yoinking domains left and right (you don't want little Timmy being exposed to unauthorized anime, do you?).

08 Mar 2021 03:47:46 -0500

Noticer Noticing IPv6

This will be a small one.

I've noticed that all of the devices connected to my WiFi router have their own IPv6 address (if they support it) and that when accessing the internet that is the IP address that gets logged in remote servers (if they support IPv6, of course). What this means is, when banning IPv6 addresses, there are a lot more devices that could connect to you from the same house. For some reason my main computer has two IPv6 addresses. One stays static and the other changes but I am unsure of the frequency of changes.

If/when IPv6 becomes the de facto standard, the implications of this can be... spooky. Who is assigning the IPv6 addresses to each of the internet devices? The ISP most likely (albeit through an automated system). This seems like it can be used in a way for an ISP to be able to tell if there is a new internet device connected to the router (if Mr. Hacker Man accesses your router to do bad shit it will have his own IPv6 address which would hopefully aid you legally, somehow [probably not, gotta keep that conviction ratio up!]. Thinking more about it, if Mr. Hacker Man connects to a lot of random routers... they all have to get their IPv6 address from the ISP so the ISP could determine stuff about the device if they wanted to, maybe, idk, I do not know anything about assigning IP addresses*). A way of mitigating this, I suppose, is to attach your own router to the ISP's router and have all of your devices connect to your router. If my thinking is correct and there is a very good chance that it is not, it should seem, to the ISP router, there is only one device connected? Maybe some kind of communication between routers will tell the ISP router that there are 'x' devices connected to it and each need their own IPv6 address.

Oh god, imagine this: every virtual machine gets its own IPv6 address. Hahaha, try to ban each one if someone wants to grief your website or something. I don't fucking believe it. I did that as a JOKE. My virtual machine has its own IPv6 address. Two of them in fact, different from the host machine. And my other virtual machine has two IPv6 addresses... AND THE OTHER ONE DOES TOO. Apparently IPv6 addresses grow on trees or something! Ok, I did a search and discovered that there are 340,000,000,000,000,000,000,000,000,000,000,000,000 IPv6 addresses*.

With that in mind, banning IPv6 addresses will be... Why even bother? It is so easy to circumvent IPv6 bans. I did notice however, when I did a look up on each, it pretty much put it in the same area that I do live in, so banning by looking up location might be effective short term..... depends of course.
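One common answer to the per-device addresses noticed above is to count and ban by network prefix rather than by single address. The following is an added example, not part of the original post: it assumes each home LAN is a single /64 (an ISP may delegate a larger prefix to a household), the function names are hypothetical, and the log addresses are constructed from documentation ranges.

```python
import ipaddress
from collections import Counter

# Constructed sample of client addresses as they might appear in a server log.
SAMPLE_HITS = [
    "2001:db8:207:7100:dea6:32ff:fe60:265f",  # stable address of one host
    "2001:db8:207:7100:5c1d:9a3e:77b2:10aa",  # changing address, same LAN
    "2001:db8:207:7100:84f1:2bd0:c3e9:0042",  # a VM on that LAN
    "2001:db8:beef:1::15",                    # unrelated network
    "203.0.113.9",                            # IPv4 client
    "not-an-address",                         # garbage log field
]


def ban_key(addr_text, v6_prefix=64):
    """Map a client address to the network a ban or rate limit should cover.

    IPv6 clients collapse to their enclosing prefix (assumed /64 per LAN),
    IPv4 clients stay a single /32, unparsable input yields None.
    """
    try:
        addr = ipaddress.ip_address(addr_text.strip())
    except ValueError:
        return None
    if addr.version == 6:
        if addr.ipv4_mapped is not None:
            # ::ffff:a.b.c.d is an IPv4 client seen through a dual-stack socket
            return ipaddress.ip_network(addr.ipv4_mapped)
        return ipaddress.IPv6Network((addr, v6_prefix), strict=False)
    return ipaddress.ip_network(addr)


def networks_to_ban(hits, threshold=3):
    """Return {network: hit count} for networks at or above the threshold."""
    counts = Counter(key for key in map(ban_key, hits) if key is not None)
    return {str(net): n for net, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for net, n in networks_to_ban(SAMPLE_HITS).items():
        print(f"{net}: {n} hits")
```

Counted per address, none of the sample clients reaches the threshold; counted per /64, the host, its changing address and its VM show up as one network.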


* One of these days I will actually learn something about networking (haha WiFi adapter goes blinkblinkblinkblinkblinkblink)

25 Feb 2021 22:26:11 -0500

Audiobooks are dangerous

They won't stab you, true, but they also won't encourage you to think. These days when people are 'bored' they open their phone, but you can't do that while driving. So, here comes a solution: a book reader that talks to you while you drive, now you can't be 'bored'. Perfect solution! That is, if you are a NPC.

This is what NPCs do: "Oh noooooo, that sucks! I'm alone with my thoughts! Normally I'd be watching TV (for HOURS WITHOUT A BREAK) or scroooolling on my phone but now I'm driving! Now I have to be alone with my thoughts!! Oh noooooooooooooo! Oh wait! I don't have to think thoughts, I can just listen to the voice of God audiobook, so now I won't ever gain an internal monologue! Yes!"

Obviously, since NPCs don't think, the last paragraph couldn't happen: they feel and use their brain's logic powers to help them express their feelings. Their feelings can be complex and have many interacting components which their brain typically is able to handle. In the case of an audiobook, it is simple: "I'm bored. Audiobook relieves boredom. I listen."

Audiobooks prevent the NPC from forming his own thoughts because the audiobook occupies the NPC's mind with what the speaker is saying. Likewise, the TV and the phone prevent the NPC from thinking as well since they are preoccupied with the activity. Being bored inspires you. It causes you to do something to relieve it, ideally thinking about anything. This is why audiobooks are dangerous. And the TV and the phone. I am probably barking up the wrong tree here. Obviously, audiobooks can be useful, but do not use them to relieve boredom. Also, obviously, this rule is not black and white. The blind for instance might as well ignore it, maybe. In all the years of my life I have never seen a braille book, so I will just assume they are extremely rare.

Since I brushed the topic of NPC and seeing that I am not an NPC (probably), it might be beneficial to explain the 'other side'. This is my thought process: I have an idea, I have a feeling about the idea, I express/explore the idea the best way I can (usually to myself), I have a feeling about the way I expressed/explored my idea (can it be 'better'?, etc), I reevaluate the way I feel about the idea when expressed/explored, and regardless of the result I ask myself "do I agree with this idea and the way I expressed it?" As you can see, I am not an NPC. Seriously, what NPC would accidentally express his feelings of his insecurity about being a NPC by using the logical part of his brain to express how he is NOT an NPC? Definitely not me... :^)

Ah, but if he actually has enough self-awareness to realize someone might 'read-in-between-the-lines', he might just make a joke which would cause the attack (at least from that angle) to be less effective while at the same time stroking the ego of 'not-NPCs' (NPCs who believe they are not NPCs and their identity revolves around the fact 'they are not NPCs') who 'realize' the 'joke' is about him being a NPC because he is scared of confronting the fact that he might be one and does not want to question it or go down that line of thought which would ironically be a starting point in becoming a real human being. Truly, he is a smart man if he does that! By the way, totally unrelated, not sure if you can tell, but my IQ is at least 3 (three) digits.

Ah, AH! But if he actually has enough self-awareness to realize someone might 'read-in-between-the-lines-IN-BETWEEN-THE-LINES' then... no, no, he's just a NPC, so that wouldn't happen.

The Socratic method is how I found out some people in my life probably haven't had an original thought before and act primarily on semi-controlled emotion. I am not saying that it is bad to be an NPC. If they are good people and the emotions they possess causes them to be altruistic of sorts then maybe they are better than 'not-NPCs' and genuine people. Asking pointed questions to myself reveals things to me, which sort of requires extreme honesty which NPCs are incapable of possessing.


I should have mentioned this earlier: I now have a new secure GPG key, if you care about that sort of thing.

I have made my website slightly more accessible for the blind/hard-of-sight/people who use screen readers. I am aware that my comment form needs some improvements. I am toying with the idea of adding an 'audioblog' file along with each blog post so that people can listen rather than read.

19 Feb 2021 21:42:31 -0500

Thought-ception

I am finally happy enough with how I implemented the comment system on my blog. It was possible to leave a post on my blog for a while, but now I am finally talking about it.

You can find the source codes here (jcs-v08.tar.gz) (NSFW, super ugly code). Feel free to use any of them! Or do not, I don't care. Actually, if you want a comment system I suggest you make your own as that is a lot of fun and you learn some stuff about coding, html, and css. Be sure to understand what tainting is and how to untaint user submitted info.

Both scripts do one thing: comment.cgi reads comments, and post.cgi writes comments. Diligent observers will notice that my guestbook, guestbook.cgi is actually a different script. It is a modified version of comment.cgi with hard-coded values.

How do they work? Both read and write plain text files. Each comment is kept on one line. Substitution is heavily used by comment.cgi to make comments appear presentable. Both are written in Perl. I did not go for a database type of system as that, at least to me, seemed super overkill. Keep it stupid simple (KISS), as they say. My code has references to files like 'comment_form.html'; these are files that I can edit and have the changes reflected without editing the script itself to print html code, which is an annoying hassle. The form allows post.cgi to work. Since I use SSI, all of my blog pages have this line of html: <!--#include virtual="../comment.cgi?blog=some-blog-post" -->. In this example, comment.cgi would try to load 'some-blog-post.txt'. It would replace and put 'some-blog-post' as the hidden blog value.

These scripts are definitely abuse-able in some way. I know for a fact that the following will work:

curl -d blog=guest -d captcha=thoughts -d comment=this-is-a-comment https://jakesthoughts.xyz/post.cgi

This leaves an entry on the blog post 'guest', with the correct captcha, and a comment. A way to deal with this would be to roll out some kind of real captcha system or maybe if I wanted to make things hard, store IP addresses in logs and monitor the rate of commenting. I'm sure my meager website won't attract the attention of people who would automate the one line of code to run a thousand times... :). Well, since I decided to share that useful tidbit I guess I better think of some kind of captcha system that I could implement easily...

comment.cgi could create a file in '../tmp/captcha/' with the correct value and post.cgi can compare the values between the file in '../tmp/captcha/' and the user submitted value. The user submitted value will need to be untainted because comparing something like 'rm -rf /' may end badly for me. The main issue with it is there will be a lot of files created in '../tmp/captcha/' that will remain basically unused from people just looking at each blog post. A crontab might be able to clean it all up at the end of every day depending on when the file was created. This would work and should not be that difficult to implement.
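The file-per-captcha idea described above, as an added example that is not the blog's own Perl code: the expected answer is stored under a random token, both submitted fields are untainted with allow-list patterns before they touch the filesystem, each token can be used once, and a sweep stands in for the cron clean-up. The function names, the 10 minute lifetime and the answer pattern are assumptions.

```python
import hmac
import os
import re
import secrets
import time

TOKEN_RE = re.compile(r"[0-9a-f]{32}")         # shape of tokens issued below
ANSWER_RE = re.compile(r"[A-Za-z0-9 ]{1,32}")  # assumed allow-list for answers
MAX_AGE = 600                                  # assumed lifetime in seconds


def issue(captcha_dir, answer):
    """Comment-page side: store the expected answer, return a token for a hidden field."""
    token = secrets.token_hex(16)
    path = os.path.join(captcha_dir, token)
    # O_EXCL: never overwrite or follow something already at that name
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(answer)
    return token


def check(captcha_dir, token, submitted, now=None):
    """Post side: True only for a fresh, unused token with the right answer."""
    # Untaint first: fullmatch rejects '../', shell text, newlines and so on,
    # so attacker-controlled text is never used to build a path.
    if not (isinstance(token, str) and TOKEN_RE.fullmatch(token)):
        return False
    if not (isinstance(submitted, str) and ANSWER_RE.fullmatch(submitted)):
        return False
    now = time.time() if now is None else now
    path = os.path.join(captcha_dir, token)
    try:
        age = now - os.stat(path).st_mtime
        with open(path) as fh:
            expected = fh.read()
        os.unlink(path)  # single use: only one request can win the unlink
    except FileNotFoundError:
        return False
    if age > MAX_AGE:
        return False
    return hmac.compare_digest(expected.encode(), submitted.encode())


def sweep(captcha_dir, now=None):
    """Clean-up job: delete tokens that were issued but never submitted."""
    now = time.time() if now is None else now
    removed = 0
    for name in os.listdir(captcha_dir):
        if not TOKEN_RE.fullmatch(name):
            continue  # leave unrelated files alone
        path = os.path.join(captcha_dir, name)
        try:
            if now - os.stat(path).st_mtime > MAX_AGE:
                os.unlink(path)
                removed += 1
        except FileNotFoundError:
            pass
    return removed
```

A well-formed but wrong answer consumes the token, so a script gets one guess per page load rather than unlimited retries against a fixed answer.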

The issue then becomes what should the captcha be? It cannot be something hard-coded, or if it is then there has to be like a million hard-coded values as spam scripts could have only one captcha value and could get lucky enough times to spam... In other words, if I have 100 captcha answers, and assuming spammer is lazy, the spammer can have the script try one answer repeatedly without stopping for hours WHICH WILL WORK. Maybe some automatically generated math questions could work. Assuming the spammer is dedicated the spammer can easily write a script to circumvent that. Maybe I could ask things like "What country is Rome located in?" but then the spambot can search for that and return some answer. I am becoming aware of the fact captcha is not easy to create efficiently without also impacting user experience. Maybe I could do something where images spell something..? But that is what 90% of other captcha systems do!

Well, I won't fret about it until I need to. That is it for this blog post. If you feel like you want to break my website through my comment section, do it with love❤.

05 Feb 2021 16:50:11 -0500
