www.frostsnow.net
Please present proof of COVID-19 vaccination as an X.509v3 extension in your client certificate in order to access this site. Thank you!
Thoughts that are not worth their own blog.
Had an issue upgrading my BeagleBone Black
kernel from the 5.10 to the 6.1 series where the ethernet interface disappeared.
Turned out the driver had been changed from cpsw to cpsw-switch;
I had to enable first NET_SWITCHDEV and then TI_CPSW_SWITCHDEV in order to fix the issue.
Thanks to zmatt for helping debug the issue!
Two days after the xz backdoor announcement, I found the following suspect entries in my log:
Apr 1 16:13:25 hesse sshd[10047]: Invalid user jiatan from 138.197.165.171 port 34390
Apr 1 16:13:25 hesse sshd[10047]: Connection closed by invalid user jiatan 138.197.165.171 port 34390 [preauth]
Apr 1 16:13:25 hesse sshd[10052]: Invalid user jiat0218 from 138.197.165.171 port 34404
Apr 1 16:13:25 hesse sshd[10052]: Connection closed by invalid user jiat0218 138.197.165.171 port 34404 [preauth]
Apr 1 16:13:26 hesse sshd[10055]: Invalid user jiat75 from 138.197.165.171 port 34408
Apr 1 16:13:26 hesse sshd[10055]: Connection closed by invalid user jiat75 138.197.165.171 port 34408 [preauth]
Apr 1 16:15:26 hesse sshd[10058]: fatal: Timeout before authentication for 138.197.165.171 port 34412
...plus three similar sets of entries, and then never again. The conclusion is obvious: I was the target. I'm truly flattered.
As much as I'm liking my NexDock 360, they sure make finding a replacement battery difficult.
NexDock has instructions for replacing a battery
but nowhere to order one that I can see.
The information labels on the back of the battery in the aforementioned instructions show a Model #30154200P, 7.6V, 5800mAh and a "Carried" (Carrier?) Standard of GB31241.
Based on this I found a similar battery on AliExpress
though it's only 5000mAh and its "Carried" (Carrier?!) Standard is 18287-2013.
Hopefully it works, but it will take about two months to ship (highlighting the importance of always having a spare battery on hand) and it will probably be longer than that before the inevitable happens and I try using the spare.
Addendum (2024-04-07): the battery arrived, and with two cute keychain pandas! I'll be storing the battery as a spare until it's time to replace the old one.
I created an eBay account in order to buy something.
Next day my account was permanently suspended.
No reason given.
I used Web chat; they refused to provide a reason and closed the chat.
I called; they refused to provide a reason and hung up.
I sent them a physical letter; months later I have not heard back.
This makes eBay the single worst company I have ever dealt with.
I wouldn't recommend eBay to anyone.
So I had this weird bug
which turned out to have been caused by umask being set to 0777. Since all the documentation I found stated that the default value should be 0022, fixing should be a matter of finding the configuration file where it was erroneously being set and editing it, right? Was it set in /etc/profile? No. How about /etc/profile.d? No. ~/.bash_profile? No. ~/.bashrc? No. /etc/bash/bashrc? /etc/skel/.bash_profile? /etc/skel/.bashrc? /etc/profile.env? /etc/env.d? /etc/environment? No. No. No. No. No. No. Ugh. I just set it at the end of /etc/profile for now.
Had an issue building LibreCMC v1.5.12 where the build appeared to complete but no upgrade image was generated. Re-running make with V=s showed: [mktplinkfw] *** error: images are too big by 53697 bytes. I was able to fix this by running make menuconfig and disabling IPv6. No one likes IPv6 anyways.
I ran into an issue
building LibreCMC v1.5.10 where none of the package mirrors for OpenSSL 1.1.1p had the package. I was able to workaround this by opening package/libs/openssl/Makefile and adding a mirror from the OpenSSL mirror list
to the PKG_SOURCE_URL variable.
Had a Minetest mod issue that wasn't giving me a stack trace. In order to get the stack trace I had to switch from Lua 5.1 to LuaJIT (USE=-lua_single_target_lua_5-1 lua_single_target_luajit). Weird.
I (eventually) managed to get Phasmophobia
working. Experimental Proton didn't work at all, but I got things sort of working with Proton 7.0-4. First issue I ran into was:
002d:fixme:dbghelp:elf_search_auxv can't find symbol in module
...and much more followed by a crash. This was fixed by setting the Steam launch command to PROTON_USE_WINED3D=1 %command%. Next I ran into an issue where the game would crash shortly after loading a contract with many messages of the form:
eventfd: Too many open files
I was able to work around this by increasing the open file descriptor limit with the following series of commands:
su
ulimit -n 65536
su -l <user>
export DISPLAY=:0
That being said, audio did not work at all. That might have been because I was using ALSA and apulse rather than PulseAudio proper. Trying to launch the game through Windows Steam via WINE, I first ran into an issue where, before I could type in two characters of my password, Steam would crash with the following error message:
Unhandled exception: unimplemented function urlmon.dll.414 called in 32-bit code (0x7bc51bb1).
This was solved by running winetricks urlmon. Though Steam would launch, it would display a black screen; I worked around this by launching the game directly:
wine "/path/to/steam.exe" -no-browser +open open/minigameslist -applaunch 739630
Sometimes I get issues where the mouse/keyboard aren't picked up and/or released properly, but I can workaround that by a combination re-launching the game and re-loading i3 as needed. Other than that, the game, including multiplayer and voice recognition, have been running just fine.
Had an issue with my Librem5 where calls would instantly disconnect. Modem manager logs showed:
ModemManager[647]: <warn> [modem2] network reject indication received
ModemManager[647]: <warn> [modem2] service domain: cs
ModemManager[647]: <warn> [modem2] radio interface: lte
ModemManager[647]: <warn> [modem2] reject cause: cs-service-temporarily-not-available
Turns out the modem firmware was old. Purism sent me a new one and calls now work! Comparing the before and after output of mmcli -m any shows that, beyond IDs and signal quality, the only differences appear to be:
firmware revision: MPSS.JO.2.0.2.c1.1-00032-9607_GENNS_PACK-1 1 [Feb 25 2019 01:00:00]
carrier config: default
to
firmware revision: MPSS.JO.2.0.2.c1.1-00032-9607_GENNS_PACK-1.351938.1 1 [Nov 26 2020 02:00:00]
carrier config: ROW_Generic_3GPP
carrier config revision: 05010821
Not much to go on. At least it's working now.
Got this completely baffling error when running repoman commit:
<tmp/tmpva6xwekm.repoman.msg/COMMIT_EDITMSG" 4L, 150B written
* 0 files being committed...
error: gpg failed to sign the data
fatal: failed to write commit object
!!! Exiting on git (shell) error code: 128
Yet gpg -k didn't reveal anything; it wasn't until I ran touch ugh; gpg -v –clear-sign ugh that I got gpg: Note: signature key 52922D5D15C76E7A expired Mon Feb 28 22:45:16 2022 PST. Apparently a subkey expiration. Modifying the expiration time of the new subkey was a simple matter of: navigating to the master key location, export GNUPGHOME=., gpg –with-keygrip –list-key <FINGERPRINT> in order to find out which file in private-keys-v1.d actually corresponded to the key fingerprint, gpg –edit-key <FINGERPRINT>, then, in the interactive prompt, >key #, >expire, 1y, >save to close the interactive prompt, then gpg –export <FINGERPRINT> > key.gpg to export the key, copying the updated subkey from the offline location to the online location, and finally gpg –import key.gpg. Simple. Yeah.
Had some trouble validating the signature on the newest TAILS
image. Apparently the new image is signed using a new subkey with fingerprint 753F901377A309F2731FA33F7BFBD2B902EE13D0, but this subkey isn't visible on hkp://pgp.surf.nl and I had to manually retrieve it from a different keyserver with gpg --keyserver hkp://keyserver.ubuntu.com --search-keys A490D0F4D311A4153E2BB7CADBB802B258ACD84F. Weird.
I found a fix for slow UDP scans via nmap on systems which I have root on: relax the Linux kernel's ICMP ratelimiting. Based on the info in ip-sysctl.txt, remove the ratelimit for ICMP “Destination Unreachable” messages by unmasking significant bit 3 in /proc/sys/net/ipv4/icmp_ratemask (default: 6168) and also increase the overall message rate in /proc/sys/net/ipv4/icmp_msgs_per_sec from 1000 to 1000000. Restore old settings when finished scanning. Reduced scan time from 2 days to a matter of minutes.
I had some more fun upgrading from PiHole v5.2.1 to v5.8.1 (IIRC; I forgot to write the version numbers down). First up was FTL failed to start due to cannot open or create lease file /var/lib/misc/dnsmasq.leases: Permission denied which was fixed by a change of ownership: chown pihole:pihole /var/lib/misc. Next was a more perplexing Warning in dnsmasq core: no address range available for DHCP request via lo; I ended up fixing this via the PiHole Web interface by navigating to Settings -> DNS and then setting Bind only to interface eth0. Not exactly sure what PiHole was trying to do there, but it seems to be functional now.
I decided to upgrade my old Think Penguin router
with the latest LibreCMC
version. The image I needed wasn't available; so I braced myself for a difficult cross-compilation journey. Thankfully, it turned out to be a smooth process of: downloading the source, running make menuconfig, setting Subtarget to Devices with small flash, setting Target Profile to TP-Link TL-WR841N/ND v8, then running make V=s. After a few hours and 7.5GB of disk space I had an upgrade image at bin/targets/ath79/tiny/librecmc-ath79-tiny-tplink_tl-wr841-v8-squashfs-sysupgrade.bin which worked as expected (the upgrading command is posted in a previous blurb). My compliments to the author!
Finally figured out my mic issue on FSF Jitsi Meet. Apparently there's a difference between audio input options “Monitor of Built-in Audio Analog Stereo” and “Built-in Audio Analog Stereo”, but once a microphone has been allowed there's no way to even view or modify the selection without manually revoking the permission, refreshing the page, and selecting a different option to allow. This is a good example of the distinction between hiding complexity rather than managing complexity.
Some quick notes on setting up Pi-Hole
on a BeagleBone Black
with a Debian image
installed. I had to disable Nginx:
systemctl disable nginx
I fixed the following dnsmasq issues:
FTL failed to start due to illegal repeated keyword at line 8 of /etc/dnsmasq.d/SoftAp0
FTL failed to start due to cannot open or create lease file /var/run/dnsmasq.leases: Permission denied
...by opening /etc/dnsmasq.d/SoftAp0 and removing both cache-size=2048 and dhcp-leasefile=/var/run/dnsmasq.leases then opening /etc/dnsmasq.d/01-pihole.conf and adding dhcp-leasefile=/var/run/pihole/leases. The changes to SoftAp0 got reset on boot and even opening /etc/default/bb-wl18xx and changing USE_GENERATED_DNSMASQ=yes to USE_GENERATED_DNSMASQ=no didn't help, so I instead ran chattr +i /etc/dnsmasq.d/SoftAp0. Lastly I ran systemctl disable dnsmasq which generates the following log message at boot (slightly edited) FAILED Failed to start dnsmasq - ...t DHCP and caching DNS server. but Pi-Hole seems to work fine anyways.
Lastly, to always boot from the SDCard I opened /boot/uEnv.txt on the eMMC filesystem and un-commented disable_uboot_overlay_emmc=1 (thanks to this page). Things appear to be working now...
Thanks to this forum post, I learned that the workaround for:
gpg: key ID: public key "NAME (COMMENT) <EMAIL>" imported
gpg: key ID/SUBID: error sending to agent: Permission denied
gpg: error reading 'subkey.gpg': Permission denied
gpg: import from 'subkey.gpg' failed: Permission denied
gpg: Total number processed: 0
gpg: imported: 1
gpg: secret keys read: 1
...was to add –pinentry-mode loopback.
I wrote a quick ebuild
for the Valheim
server. No guarantees with regards to its efficacy.
Glenn Greenwald, most famous for helping Snowden to expose the government's betrayal of U.S. citizens' Fourth Amendment rights, has resigned
from The Intercept citing, “repression, censorship, and ideological homogeneity”. Fake News is real.
I managed to get “Borderlands 2” working thanks to the good people on this Gentoo forums post.
Should this blurb read, “Facebook considered harmful” or “Oculus considered harmful”? At this point, it makes no difference.
Below are my brief notes on Gentoo auto-login with SSDM; it should be more secure than running xorg-server with the suid flag. Create file /etc/sddm.conf.d/autologin.conf with contents:
[Autologin]
User=myuser
Session=i3.desktop
In file /etc/conf.d/xdm, set the following line:
DISPLAYMANAGER="sddm"
Then be sure to add xdm to the default runlevel with rc-update add xdm default.
The Revolution will be corporate-sponsored.
YouTube has updated their website to be a fetid morass of JavaScript. Some good alternatives appear to be Invidious, youtube-viewer, and straw-viewer.
“Bioshock: Infinite” is starting to look less like a video game and more like a prophecy.
Zoom considered harmful.
Web considered harmful.
Last time I audited my home network with nmap, my scanning box got banned from my server, so this time I used fail2ban-client set ssh-iptables addignoreip IP_ADDRESS in order to prevent my scanning box from getting banned.
Got this error when trying to mount my BeagleBone Black's boot partition:
[883063.268285] FAT-fs (mmcblk0p1): IO charset ascii not found
Turns out the proper kernel module was compressed for some reason and wouldn't load:
dante /lib/modules # insmod 4.14.71/kernel/fs/nls/nls_ascii.ko.xz
insmod: ERROR: could not insert module 4.14.71/kernel/fs/nls/nls_ascii.ko.xz: Invalid module format
Easy enough to fix: decompress and re-run insmod:
xz -d 4.14.71/kernel/fs/nls/nls_ascii.ko.xz
Seems to me rather weird to install a module in a format that can't readily be used, though.
A writer for “The Atlantic” appears to have mistaken
a subset of naive progressives within the Open Source community for the Open Source community itself. There is no “existential question” about the nature of Open Source, but there is a question about the judgemental capabilities of those who joined the Open Source bandwagon without actually comprehending what freedom #0
meant. Their bubble having been popped, they are now upset at what they thought Open Source was and are acting like it's a revelation to anyone but themselves.
Sonos considered harmful.
New Seasons has sold
out
to South Korea, not seeming to realize that many of us prefer to support our local enconomy rather than international business.
It appears that the FCC License Manager webpage
doesn't work when network.http.sendRefererHeader is set to 0.
emerge-webrsync: warning: FEATURES=webrsync-gpg is deprecated, see the make.conf(5) man page. Hrmph. After a bit of searching, I found that the global FEATURES flag in /etc/make.conf was migrated to a per-repo setting in /etc/portage/repos.conf/${NAME}.conf. At first I tried using regular rsync by both setting sync-type = rsync and sync-rsync-verify-metamanifest = yes then installing app-crypt/openpgp-keys-gentoo-release and app-portage/gemato, but the cryptographic verification was extremely slow so I moved back to webrsync by setting sync-type = webrsync and sync-webrsync-verify-signature = true instead.
Pokemon Go considered harmful.
I managed to fix the tearing I was experiencing when using mplayer by changing the video output device with -vo gl; the default was xv. A list of available devices can be gotten by -vo help. I was also able to change the default by adding vo=gl to ~/.mplayer/config.
Workaround for the Firefox add-on signature verification failures: xpinstall.signatures.required to false. Warning: this is insecure and you do so at your own risk.
frostsnow@localhost ~/hobby/www.frostsnow.net $ gs
gs: relocation error: /usr/lib/libgnutls.so.30: symbol _idn2_punycode_decode version IDN2_0.0.0 not defined in file libidn2.so.0 with link time reference
I'm not sure what caused this, and recompiling ghostscript-gpl threw a similar linking error (which I forgot to record), but I managed to "fix" it via:
emerge -avC cups-filters cups
USE="-cups" emerge -1av ghostscript-gpl
I'm...going to hope the problem just stays away now.
If programs are written by programmers it follows that applications are written by applicationers.
frostsnow@hesse ~/linux-4.19.13 $ make
Makefile:958: *** "Cannot generate ORC metadata for CONFIG_UNWINDER_ORC=y, please install libelf-dev, libelf-devel or elfutils-libelf-devel". Stop.
frostsnow@hesse ~/linux-4.19.13 $ grep ORC .config
CONFIG_IRQ_FORCED_THREADING=y
# CONFIG_I2C_NFORCE2 is not set
# CONFIG_UNWINDER_ORC is not set
After some digging, this appears to be caused by: https://lkml.org/lkml/2017/12/25/211. So much for breaking my woeful kernel upgrade streak.
I had an issue where audio stopped working on my Novena. Looking via 'alsamixer' showed that it appeared to be using 'DW-HDMI' instead of imx-audio-es8328'. I was able to get it working again by creating '/etc/asound.conf' with contents:
pcm.!default {
type hw
card 1
}
ctl.!default {
type hw
card 1
}
Found at: https://superuser.com/questions/626606/how-to-make-alsa-pick-a-preferred-sound-device-automatically.
In order to clone from an HTTPS site which uses self-signed certificates, use 'GIT_SSL_CAINFO="/path/to/selfsigned/cert.pem" git clone blah blah'.
I ran into an issue after a system upgrade (Gentoo) last night where X wouldn't start after the upgrade. The error was: (EE) parse_vt_settings: Cannot open /dev/tty0 (Permission denied). It looks like in moving x11-base/xorg-server from version 1.19.5-r2 to 1.20.3 the suid USE flag was disabled; enabling it fixed the issue for me.
Google Docs considered harmful.
Noting: In order to upgrade LibreCMC, run scp image-sysupgrade.bin root@address:/tmp/ then sysupgrade -v image-sysupgrade.bin.
Looks like stunnel 5.43 (or perhaps some slightly earlier version) now only binds to the loopback interface by default; as a result I had to change accept = 874 to accept = 0.0.0.0:874.
In a marvelous bit of Security Theater, Google Voice prevented me from signing in while in a different town, then, upon returning to my usual town, signing in, then telling Google that "Yes, this was me", tells me that, "For your security, we'll continue to show this alert in your Recent security events page." which means that, should someone else actually try signing into my account I will not notice because I will assume that the warning is referring to the previous attempt which I have already marked as valid. Can I disable this garbage, please?
Managed to fix my XTerm display after the Gentoo CHOST change; the .Xresources file now doesn't like
XTerm*background: black
XTerm*foreground: white
...but does accept:
xterm*background: black
xterm*background: white
Go figure.
Noting: Google Voice requires media.peerconnection.enabled to be true in order to display data; likewise, Nextdoor requires network.http.sendRefererHeader to be greater than 0 in order to log in.
PKI considered harmful: https://arstechnica.com/information-technology/2018/03/23000-https-certificates-axed-after-ceo-e-mails-private-keys/.
TIL xclip -selection clipboard in order to use the Ctrl-V paste buffer (the default selection is primary).
Every time an employer asks for a "can do" attitude: https://www.youtube.com/watch?v=CRMcSAgoabw.
Web considered harmful: https://freedom-to-tinker.com/2017/11/15/no-boundaries-exfiltration-of-personal-data-by-session-replay-scripts/.
Poem I wrote during a recent fever:
The Googlaug
Through me you pass into the Chamber of Echos,
Through me you pass into eternal surveillance,
Through me among consumers in debt for aye.
Boole the fab of my circuit exec'd,
To bootstrap me were the threads of Free Software,
Open Source, and Hacker Culture.
Before me things centralized were none, save things
In meatspace, and in meatspace I endure.
Free Will abandon, ye who SYN here.
You have died of skyrocketing property values: http://www.wweek.com/culture/2017/10/30/holy-crap-theres-a-new-oregon-trail-video-game-with-craft-kombucha-and-great-notion-key-lime-pie/
Web considered harmful: https://www.eff.org/deeplinks/2017/09/open-letter-w3c-director-ceo-team-and-membership.
A segment from one of my favourite documentaries: https://www.youtube.com/embed/4xoM6-1SWl4?start=2958&end=3111.
test a # echo 1 > crlnumber
test a # openssl ca -gencrl -config openssl.cnf -cert certs/a.pem -keyfile private/a.pem -out crl/a.pem
Using configuration from openssl.cnf
unable to load number from .//crlnumber
error while loading CRL number
140084037076624:error:0D066096:asn1 encoding routines:a2i_ASN1_INTEGER:short line:f_int.c:210:
test a # echo 10 > crlnumber
test a # openssl ca -gencrl -config openssl.cnf -cert certs/a.pem -keyfile private/a.pem -out crl/a.pem
Using configuration from openssl.cnf
test a #
Guess one isn't a number anymore. It must feel lonely.
Double King
is a pretty neat animated video.
Generated using LaTeX2html: Source