vim with rclone on MFA-enabled Nextcloud

I forgot that I enabled MFA on my Nextcloud instance and it broke rclone. This is something the Nextcloud documentation makes clear but neither the instance nor rclone itself will tell you what’s actually wrong or how to fix it.

First, on Nextcloud:

  1. Go to Settings › Security.
  2. Scroll down to the bottom. Enter something descriptive like “rclone” in the entry box, then click Generate App Password.
  3. Nextcloud will display an application-specific password. Leave the screen here. Nextcloud will only display it the one time

You can always start over if you don’t copy it so depending on your password policies you might want to save it in your password manager.

Now, switch over to your shell:

  1. First, kill the current rclone mount: $ fusermount -u /home/nullrend/Nextcloud. Do not just kill the rclone job. Apparently the rclone devs think it’s too hard to implement a rclone umount /mount/dir command or sum’thin’.
  2. Do $ rclone config and delete the current Nextcloud remote endpoint. Much easier to start from scratch.
  3. When you get to the password entry, enter the password given to you by Nextcloud.
  4. Finish the process.

At this point you can save the password on Nextcloud so it actually allows rclone to connect through WebDAV.

To mount the new remote endpoint do something like $ rclone mount endpoint:/ ~/Nextcloud --daemon --dir-cache-time 120m --max-read-ahead 256 --no-modtime --vfs-cache-mode full --vfs-cache-poll-interval 120m. You will need to play with the caching flags depending on what you’re doing and what your needs are.

For my own use case I’m mostly using vim to interact with my vimwiki files so I also often do :set noswapfile to stop vim from bitching about files that are likely open elsewhere.

Venture Capital is a plague

Allowing masses of underpaid workers to be exploited in order to provide widespread convenience was always a depraved bargain, built on a rickety ethical and economic foundation.

Source: Instacart Is a Parasite and a Sham | The New Republic

This industry is ripe for some entity to come out with a co-op model where drivers are not only the employees making the delivery, but also owner shareholders in the company. No one will get rich quickly but they’d earn substantially more than poverty wages.

The “uber but for x” economic model is reliant on destroying everything around it so VC can get rich. Hopefully we won’t need 50 years to gig economy doesn’t work, just like trickle-down economics.

Fuck venture capital, really

It’s almost poetic that the debate over .ORG reached a climax just as COVID-19 was becoming a worldwide crisis. Emergencies like this one are when the world most relies on nonprofits and NGOs; therefore, they’re also pressure tests for the sector. The crisis demonstrated that the NGO community doesn’t need fancy “products and services” from a domain registry: it needs simple, reliable, boring service. Those same members of Congress who’d scrutinized the .ORG sale wrote a more pointed letter to ICANN in March (PDF), plainly noting that there was no way that Ethos Capital could make a profit on its investment without making major changes at the expense of .ORG users.

Source: How We Saved .ORG: 2020 in Review | Electronic Frontier Foundation

Domain ownership should be a boring enterprise now that the age where you could get rich just by selling domains is past. You can do price speculation but that is another thing entirely.

Pushing on “products and services” is how we ended up with GoDaddy, which time and time again has proved to be a shitty company to do business with and to work for.

We don’t need any companies like GoDaddy running .ORG, much less venture capital.

Why would I take LinkedIn seriously anyway?

Every platform has its royalty. On Instagram it’s influencers, foodies, and photographers. Twitter belongs to the founders, journalists, celebrities, and comedians. On LinkedIn, it’s hiring managers, recruiters, and business owners who hold power on the platform and have the ear of the people. The depravity of a platform where HR Managers are the rockstars speaks for itself.

Source: LinkedIn’s Alternate Universe – Divinations

My job listings on LinkedIn:

  • Get yelled at by customers
  • Drink coffee
  • ?????
  • Get yelled at by the boss
  • Boredom

This is a social network for HR and godinez types.

In the olden days they used to call it indentured servitude

I still use ride hailing and food delivery services, but the fact is that the core functionality of these apps — despite all their fancy technology — is not significantly different than having a servant. What the technology has done is pool the servants, make them available to more people, make it easier to communicate tasks, and — most importantly — make it possible to not think of them as servants at all.

Source: The Gig Economy Is White People Discovering Servants | by Indi Samarajiva | Medium

When you don’t think of people as your servant you don’t have to think about the implications of servitude— including the linguistics of it, like “master”, “servant”, or “honor”. How long before people find themselves finding themselves in “exclusive contracts” with a specific gig agency?

The Racist Legacy of Computer-Generated Humans – Scientific American

The technological white supremacy extends to human hair, where the term “hair” has become shorthand for the visual features that dominate white people’s hair. The standard model for rendering hair, the “Marschner” model, was custom-designed to capture the subtle glints that appear when light interacts with the micro-structures in flat, straight hair. No equivalent micro-structural model has ever been developed for kinky, Afro-textured hair. In practice, the straight-hair model just gets applied as a good-enough hand-me-down.

Source: The Racist Legacy of Computer-Generated Humans – Scientific American

Pixar continues this in their latest film: an epic to the Magical Negro trope, where the Black person isn’t portrayed as black for most of the film but rather as a blue blob.

Sitting in the dark watching the screen, somewhere

Will young people — trained during the pandemic to expect instant access to new movies like “Hamilton” and “Borat Subsequent Moviefilm” — get into the habit of going to the movies like their parents and grandparents did? Generation Z forms a crucial audience: About 33 percent of moviegoers in the United States and Canada last year were under the age of 24, according to the Motion Picture Association.

Source: Hollywood’s Obituary, the Sequel. Now Streaming. – The New York Times

Millenials and Zoomers have a little problem though… we haven’t got any money to spend. Even if there is an economic boom we will not benefit from it unless there is systemic change at all levels of government, business and society.

The cost of a single movie at the theatre will get us an entire month of streaming. The math isn’t hard.

A different lens of sorts

Especially in big companies where these monoliths spanned more than a team’s cognitive horizon, violations of those boundaries were often a simple import away, and of course rife.

Source: Microservices — architecture nihilism in minimalism’s clothes – Blog by Vasco Figueira

Most of this is way, way over my head but I’m now introduced to the concept of “cognitive horizon”, which applies to more than IT. It describes perfectly what’s happening when I’m expediting in a restaurant.

Migración de alto calibre

NOGALES, Mexico — North of the border, the .50-caliber sniper rifle is the stuff of YouTube celebrity, shown blasting through engine blocks and concrete walls. Deployed with U.S. troops to foreign wars, it is among the most destructive weapons legally available in the United States.But every week, those rifles are trafficked across the border to Mexico, where increasingly militarized drug cartels now command arsenals that rival the weaponry of the country’s security forces. In many cases, criminals outgun police.

Source: Mexico guns: Sniper rifles are flowing to Mexican drug cartels from the U.S. – Washington Post

Los carteles todavía no se animan a realizar asesinatos tácticos de una bala, prefiriendo mostrar sus poderío enviando comandos armados.

Pero para allá van.

Storage

        <a href="https://www.flickr.com/people/nullrend/">nullrend</a> posted a photo:

Storage

Forefront are five HP 36 GB 10K SAS hard disk drives, next to five Micron 5200 PRO solid state drives.

It’s both amazing and ridiculous how quickly technology evolves.

‘Rona Saturday

        <a href="https://www.flickr.com/people/nullrend/">nullrend</a> posted a photo:

'Rona Saturday

Indoor dining suspended until December 18. At least.

Accessorize your Windows toys with WSL

Normally I would consider this a bug. However over the years I’ve come to the conclusion that Windows is a pretty toy. It works wonderfully “in the small”. But it isn’t useful for significant programmer workloads (like typing :-) ).

Source: WSL Isn’t Linux | Hacker News

Your mistake was considering Windows suitable for anything but media consumption. It will phone home, it will reboot when it feels like it, and it won’t resume state when it does reboot or resume from sleep.

The best use for WSL is to use it to shell into a proper Linux host. Only way you can guarantee you won’t lose your work when the OS decides to do something.

The Third Surge Is Breaking Health-Care Workers – The Atlantic

With only lax policies in place, those cases will continue to rise. Hospitalizations lag behind cases by about two weeks; by Thanksgiving, today’s soaring cases will be overwhelming hospitals that already cannot cope. “The wave hasn’t even crashed down on us yet,” Perencevich said. “It keeps rising and rising, and we’re all running on fear. The health-care system in Iowa is going to collapse, no question.”

Source: The Third Surge Is Breaking Health-Care Workers – The Atlantic

The scene on Interstellar when our protagonists realize those aren’t mountains.

They’re waves. The next one is cresting over the US right now and we’re just here for the ride.

A lot of people are not going to make it

Block attacker IP addresses, four ways

If you run WordPress you’ve seen these in your web server logs:

132.232.46.230 - - [29/Oct/2020:13:58:41 -0500] "POST /xmlrpc.php HTTP/1.1" 200 259 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)" "-"
132.232.46.230 - - [29/Oct/2020:13:58:44 -0500] "POST /xmlrpc.php HTTP/1.1" 200 259 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)" "-"
132.232.46.230 - - [29/Oct/2020:13:58:48 -0500] "POST /xmlrpc.php HTTP/1.1" 200 259 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)" "-"
132.232.46.230 - - [29/Oct/2020:13:58:52 -0500] "POST /xmlrpc.php HTTP/1.1" 200 259 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)" "-"
132.232.46.230 - - [29/Oct/2020:13:58:55 -0500] "POST /xmlrpc.php HTTP/1.1" 200 259 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)" "-"
132.232.46.230 - - [29/Oct/2020:13:58:58 -0500] "POST /xmlrpc.php HTTP/1.1" 200 259 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)" "-"

Fucken scanners just slamming xmlrpc.php looking for a way in. When this happens CPU usage just goes through the roof for as long as the scan lasts and it could be five minutes, could be six hours, could be all week; before it ends. The gods help you if you’re paying by CPU usage.

So you have to block access to the file. You could just block all access to XML-RPC but doing this will prevent the WP mobile app from working.

We’ll just block that specific IP address but we need to be quick about it; just do a quick one liner on the terminal before the OS just topples over and becomes completely unresponsive or worse.

iptables

This should work for any Linux distribution that has iptables out of the box which is basically all of them.

# iptables -I INPUT -s 132.232.46.230 -j DROP
  • -I: Insert the rule as the first rule to be applied in the INPUT chain. You could use -A (append) but the sooner we get rid of that traffic the less work the CPU has to do.
  • -s: Source address, in this case 132.232.46.230, which belongs to Tencent.
  • -j: jump to the DROP target. If you use the REJECT target you’re just creating more work for the CPU.

Documentation here but the Ubuntu how-to is far more useful in getting people started.

pf

As it is part of both FreeBSD and OpenBSD base installations it should be enabled in /etc/rc.conf but from reading the (almost useless) documentation and looking around the web You need to fuck around with pf.conf first, then you can manipulate the table. This is the first result on the web when you search for “pf block ip address”. So no one-liner that can save your life.

Edit /etc/pf.conf and add

table <badhosts> persist
block on fxp0 from <badhosts> to any
  • Create table named badhosts, and set it to be persistent in kernel memory
  • Block, on interface fxp0 (you’ll want to change this), traffic from rules in the badhosts table to any destination.

Once you have this you can manipulate the table from the command line with pfctl

# pfctl -t badhosts -T add 132.232.46.230
  • -t means pfctl will manipulate the badhosts table
  • -T will show statistics
  • add address 132.232.46.230 to the table

Fucken hell FreeBSD documentation is the fucken worst. Dryer than Melania Trump’s libido. Now, reading through the OpenBSD pf documentation it looks like you can do

# pfctl -t badhosts -T add 203.0.113.0/24

Which will create the badhosts table automatically without having to fuck around with /etc/pf.conf. Don’t know if this will work on FreeBSD though.

ipfw

It is part of the FreeBSD base installation so it does depend on ipfw being enabled in /etc/rc.conf but it looks like you can go

# ipfw add deny all from 132.232.46.230 to any
  • Add rule denying any and all fraffic from 132.232.46.230 to any destination

At least these rules are succint and easy to read. Whomever wrote the documentation seemed to pay more attention to usage at least.

Still, fuck FreeBSD.

Windows

Super easy now that PowerShell is built into Windows itself:

PS C:\WINDOWS\system32> New-NetFirewallRule -DisplayName "Block traffic from 132.232.46.230" -Direction Inbound -LocalPort Any -Protocol Any - Action Block -RemoteAddress 132.232.46.230
  • -DisplayName: The human-readable name of the firewall rule
  • -Direction: Can be Outbound or Inbound. We want Inbound obviously.
  • -LocalPort: Going with any ports because fuck crackers.
  • -Protocol: Same, block all port
  • -Action: Block traffic
  • -RemoteAddress: Specifying only 132.232.46.230

The documentation for the commandlet is super nice. No, I’m not typing ‘cmdlet’.

The old way involved so, so manny clicks. PowerShell makes it easy.


Now all of the previous bits of code cease to have any effect after a system reboot so if you want the rules to be permanent… don’t. Blackhats will just scan from different hosts and different networks so blocking an IP address permanently is just unproductive.

A better solution is to use fail2ban:

There is also CrowdSec but I haven’t personally used them.

This post came to be cos I spent 30+ minutes trying to figure out how to block traffic on a FreeBSD host and their documentation is just… inscrutable. Should you ask for help in their forums you’ll just get told to RTFM.

You end up going in circles, consuming yourself in rage and frustration which does not feel nice. Rage-posting is where it’sat.

sigh

This is pretty fucken sad lemme tell ya.

Screenshot of RSS reader "City Pages is dead. We had a good run."

What else is there to say? We’re sad as fuck. CP, born Sweet Potato, has employed hundreds of people over the last four decades; below you’ll find a farewell from the edit staffers who rearranged those Titanic deck chairs right up until the very end.

City Pages is dead. We had a good run..

I found my first apartment on its classifieds pages. My first job too as a barista in a Dunn Brothers location that no longer exists.

Last post at CityPages.com

Fork it

        <a href="https://www.flickr.com/people/nullrend/">nullrend</a> posted a photo:

Fork it

The last stack of City Pages issues. Ever

Ray of Sun

        <a href="https://www.flickr.com/people/nullrend/">nullrend</a> posted a photo:

Ray of Sun

I’m so happy I got a new bed. I’m flat broke after spending a ton of money on it but it’s been totally worth it.

The replies are fucken hilarious too.

>_<

With the closing, 30 people will lose their jobs. It adds Minneapolis-St. Paul to the growing list of U.S. cities with no more so-called “alternative” newspapers, which rose out of the 1960s counterculture scene and flourished through the 1990s, throwing sharp elbows in political coverage and spotting the edgiest ideas in arts.

Source: City Pages is closing, ending era of Twin Cities alternative weeklies – StarTribune.com

This fucken sucks