I needed to connect to a Fortinet SSLVPN, but the certificate on it had expired. While the official Mac client prompts and lets you connect anyways, Linux with NetworkManager (and the FortiSSLVPN plugin) would refuse without providing any messages. Unfortunately, I couldn’t ask the administrator to renew the certificate. What you can do is add the certificate as a trusted certificate for that VPN. Unfortunately, the interface to do this is unclear, so I’ll try to explain it here.
Loose ideas for operating systems
This post has been copy-edited by doppler. Thanks!
Most research nerds either start writing Unix hagiographies or start stapling a 99-point thesis at the doors of Murray Hill. This is the latter kind of post; I’ll try to cover ideas for systems that could be meaningfully different from current systems. I’ve done a lot of research on existing concepts and existing systems, particularly those that could have been the future. Existing systems can be extrapolated into something new.
A lot of the ideas have been percolating in my head for a while now and are rough ideas for what could be. Perhaps I’ll iterate on them further, or realize there’s a reason no one was doing these before. The main idea is a place to start off, and it iterates from there. Treat it like a buffet of ideas; caveat emptor for people who don’t like musing.
Files with accents not showing from an SMB share on macOS
I recently had an issue where some files with accents were showing, but not all of them. If none of them were showing, I might have assumed an encoding issue, but it’s clear something else was at play here. This was pretty annoying when I wanted to play a specific song.
As it turns out, on macOS, it’s almost certainly a Unicode normalization issue, where Apple is (unnecessarily) strict about Unicode. I seem to keep running into these issues on macOS – I first ran into it trying to notarize a zip file. Luckily, there’s a tool that can handle this for you.
Ghosts of OSI: The Spectre Haunting IP
The dominance of the Internet protocol suite has made it hard to think of anything else. Yet in the 80s and 90s, an alternative to the IP model (outside of the proprietary vendor-specific suites like SNA or DECnet) was challenging its rise: the Open Systems Interconnect, or the OSI protocol suite. The short story is while IP won, OSI didn’t disappear completely. It left its view of the world, the seven layer stack, in every CCNA course – even when it doesn’t fit IP at all.
More than that, it also left several protocols still in use today and made its mark on everyday software. They might be rebased onto IP, but their origins were in OSI. Who’s still out there?
Why ThinkPads are overrated and misunderstood
Before I begin, I’ll make a note that I actually do like and use ThinkPads. However, I hate how technologists (well, the ThinkPad enthusiast community, often seen on thinkpads.com, /g/, or /r/thinkpad) have constantly misunderstood them, be it celebrating workarounds for clumsy flaws or being completely ignorant of their history. Nowadays, I’ve switched to a MacBook Air (since I wanted a compact laptop that was lightweight and got good battery life… and I am a sucker for an actually good RISC CPU), but I often buy ThinkPads as a “known quantity” for whatever age of machine I need. That is, I know exactly what I’m getting into, and they’re widely compatible with whatever you throw at them. However, I often recommend other lines of machine, be it something radically different like a MacBook or Surface, or something that’s actually more like what a ThinkPad enthusiast’s platonic ideal of a ThinkPad is, like a Latitude or Let’s Note. This post sums up my opinions why.
Redirecting privileged ports to unprivileged ports on the same system with pf on FreeBSD
I needed to set up a daemon for a service that’s in the low 1024 ports reserved for root on FreeBSD. However, I didn’t want to run the service as root. Instead, I set up pf (the firewall in BSDs) to simply redirect the port.
Fixing VisualEditor not being able to contact RESTBase server
If you set up a new wiki with MediaWiki 1.35 (since it adds the PHP-based Parsoid server), and you get this error trying to load VisualEditor:
Error contacting the Parsoid/RESTBase server: (curl error: 28) Timeout was reached
It’s because the server is trying to contact itself with the server name (hostname/IP). If it’s a DNS name, then make sure the name it uses resolves to itself; a quick fix was to add it to the hosts file.
DNS as Code with DNSControl and GitLab
With the “infrastructure as code” renaissance, managing infrastructure has never been easier. Every change is easily recordable and reproducible and, because it’s all code, it’s never been easier to store a history of what’s changed to easily review in git log.
But short of running your own DNS servers and running custom scripts to convert code into a BIND zonefile, it’s historically been hard to manage DNS in the same way – so often, even though the servers themselves are easy to change, managing DNS means connecting to Route53, or Cloudflare, or any of a myriad of different domain registrars and DNS providers and manually changing fields in their application with no easy way to propagate changes across multiple domains or to roll back to a historical record if a new change causes something to break.
Using a tool like DNSControl, which allows a provider-agnostic view of DNS records as code, along with automatic capabilities to update records at your providers, fixes all of this.
Mastodon really is crumbling — and it will only get worse
I am 100% serious with the title, despite the appearance of click-bait. Mastodon has a serious structural rot that is only worsening as time gets on. I think this is for a few reasons which I will outline below.
Ironically, I don’t feel safe posting this directly to the fediverse because of the very forces I’m about to describe. I’m not worried about the cancel crew, I just don’t want to deal with hostile interactions right now. I might link to this post but it’s less likely to get hate mail I suspect if I do it that way rather than write this all up in a giant thread on fedi.
What I am presenting is largely anecdotal opinion, although it has been gathered from countless others (I’m not going to name any names, they deserve better than harassment or people trying to change their views and in the process merely reinforcing them).
Embedding application manifests into Windows executables as a resource
If your Win32 application needs to declare that it supports something before it even executes, this is where a manifest file comes in. While you can ship one with your application (in the form of appname.exe.manifest), it’s more fool-proof to just embed it into your application. You can do so with