Hello! I've got experience working on censorship circumvention for a major VPN provider (in the early 2020s).
- First things first, you have to get your hands on actual VPN software and configs. Many providers who are aware of VPN censorship and cater to these locales distribute their VPNs through hard-to-block channels and in obfuscated packages. S3 is a popular option but by no means the only one, and some VPN providers partner with local orgs who can figure out the safest and most efficient ways to distribute a VPN package in countries at risk of censorship or undergoing censorship.
- Once you've got the software, you should try to use it with an obfuscation layer.
Obfs4proxy is a popular tool here, and relies on a pre-shared key to make traffic look like nothing special. IIRC it also hides the VPN handshake. This isn't a perfectly secure model, but it's good enough to defeat most DPI setups.
Another option is Shapeshifter, from Operator (https://github.com/OperatorFoundation). Or, in general, anything that uses pluggable transports. While it's a niche technology, it's quite useful in your case.
In both cases, the VPN provider must provide support for these protocols.
- The toughest step long term is not getting caught using a VPN. By its nature, long-term statistical analysis will often reveal a VPN connection regardless of obfuscation and masking (and this approach can be cheaper to support than DPI by a state actor). I don't know the situation on the ground in Indonesia, so I won't speculate about what the best way to avoid this would be, long-term.
I will endorse Mullvad as a trustworthy and technically competent VPN provider in this niche (n.b., I do not work for them, nor have I worked for them; they were a competitor to my employer and we always respected their approach to the space).
If you ever hear my name on the PA, please come up to say hello! In fact, after the flight when it is not busy, we are always happy to have visitors in the flight deck. Feel free to drop me a message any time too, the A350 is a pretty small fleet, so the chances are higher than one would think! :)
A saying of my own: America is superficially conservative and deeply liberal, while Europe is superficially liberal and deeply conservative.
Tangentially, it’s why I don’t think authoritarian reactionary stuff will “take” here for any length of time. The instant Americans figure out it’s anything more than a stylistic performative way to “own” the other side — the instant they are actually told what to do — it is over.
I can't believe I am learning of tabular options for fonts from this post... I have always just used a different monospace font for the numbers, didn't realize it was an option that some fonts supported.
I steer clear of Apple products, but I've still had a lot of fun in this space thanks to DJ Studio (https://dj.studio/), a desktop app that helps make offline (rather than real-time) mixes. I use it to make a monthly personal mixtape, which is a nice way to remember what I used to listen to. They call it a "DAW for DJs," which is accurate.
I especially admire the team that makes it. The CEO records demo videos that are so filled with enthusiasm and accessible expertise that you can't help but appreciate the product more each time you watch them, and the COO sends out email announcements that are actually useful and not spammy.
It's a niche product, but they fill that niche well.
That March 1977 map always brings back a flood of memories to this old-timer.
Happy nights spent hacking in the Harvard graduate computer center next to the PDP-1/PDP-10 (Harv-1, Harv-10), getting calls on the IMP phone in the middle of the night from the BBN network operations asking me to reboot it manually as it had gotten wedged...
And, next to me, Bill Gates writing his first assembler/linker/simulator for the Altair 8080... (I tried talking him out of this microcomputer distraction -- we have the whole world of mainframes at our fingertips! -- without success.)
(Edit:) We also would play the game of telnet-till-you-die, going from machine to machine around the world (no passwords on guest accounts in the early days), until the connection died somewhere along the way.
Plus, once the hackers came along, Geoff Steckel (systems guy on the PDP-10) wrote a little logger to record all incoming guests' keystrokes on an old teletype, so we could watch them attempting to hack the system.
For any engineer interested in nuclear weapons, I highly recommend this three-part series produced by Sandia National Laboratory on their development of Permissive Action Link, the warhead’s electrical isolation and cryptological module that ensures US nuclear weapons will detonate if and only if authorized by the President.
It’s fascinating how they thought about bad path scenarios like thermal damage causing carbon tracking of PCBs potentially defeating the control system.
It is called “Always/Never: The Quest for Safety, Control, and Survivability”
The ways in which we fail to address societal issues are not in fact our responsibility, they're a systemic issue that is a function of human nature - or political nature/societal nature - that will not be solved by morose feelings of condemnation. "Why can't people not be the way they are" is just as useless a sentiment as "Why can't mathematics not be the way it is", and will be just as ineffective at causing 2 and 2 to add to 5.
I'm going to go back to my comparatively easy computer engineering tasks after writing this comment, and have the greatest respect for those willing to confront coordination problems in the political sphere. That's playing the game on hard mode.
The whole thing reminds me of this thread [1] from a few weeks ago referencing Orwell's critique of Dickens:
>> The truth is that Dickens's criticism of society is almost exclusively moral. Hence the utter lack of any constructive suggestion anywhere in his work. ... His whole ‘message’ is one that at first glance looks like an enormous platitude: If men would behave decently the world would be decent.
> I can't help but feel like TS Eliot's "public-spirited pigs" are the same thing as Dickens' "good rich men".
The good news is that we've developed systems of governance and economics that are not exclusively worse than uneducated tribalistic hunter-gatherer anarchy - a very large number of people live in significant comfort in relatively ordered, mostly polite societies, generally free to do what they want, and for the most part those societies build things like roads, landfills, electric grids, and fire departments together that make the community better. It's not perfect, for sure, and we're really missing the ball on this particular externality of global warming, but I have some hope that we'll figure out a way to address the problem that doesn't rely exclusively on weak moral appeals.
This article is missing a key detail: that the expected workflow is that the workstations are basically just build machines.
My workstation is just an SSH server that I do builds on, everything else is on my laptop. I can’t remember the last time I used the internet on my workstation. I install packages but those come via a mirror, I scp files back and forth but that’s internal only.
Lots of people aren’t on this workflow yet, but I don’t think anyone is suggesting airgapping the main interface people are using.
thanks for the shoutout. Dealers of Lightning is indeed excellent.
My book takes the path of putting fictional characters (except for Dan, who is me) in it, who do not know how it's going to turn out. I had the help of nearly everyone who's still alive, and all the actual events really happened. Xerox really did have a guy with a roll of $100 bills for paying off the unions at the trade shows.
As for the 40+ year-old debate about what Xerox should have done, Jerry Morrison and I considered that at length here:
A very good lesson I learned from a previous company (medium size, 1-2K employees) where a C-Level exec was hired in and needed to make some large scale changes in the company with speed:
1. You can't "fake it" at this level. One of the most impressive things IMO about this exec was his ability to know, at a fairly low level, what every department and org in the company was doing, and to diagnose their strengths and weaknesses very quickly. We'd have quarterly day-long meetings where every department would present, and his ability to quickly hone in on critical low-level details was extremely impressive. I think he would have failed if he had just thought that his job was to "brush with broad strokes". (Aside, this did NOT mean he was a micromanager, it just meant that he had a very good understanding of the details across many departments).
2. It's important to put some structures in place where departments are forced to show some accountability for speed. For example, one metric that I actually hated at the time, but later learned to appreciate the purpose, was that individual departments were judged on the number of A/B tests they ran per month. I hated this metric at the time because I felt it was easily "gamed" - departments would run small little A/B tests like button color changes. However, after a while there were a couple of big cultural changes that had taken place: (1) the company built tools and processes that made it easier to deploy and run tests in the first place (better CI/CD pipelines, better analysis tools, etc.) which had the overall effect of letting us ship faster with higher quality, (2) while yes, there was a lot of "gaming" of count of A/B tests run in the beginning, it didn't take that long for teams to actually run out of tests to game, and people actually put in the hard work of thinking about better tests to run, and (3) it changed our culture to become much more data-driven - it wasn't perfect, and "data driven" can be a double-edged sword, but it was an improvement.
How about they start by publishing official EOL/support dates for their operating system software? Which is a basic expectation of any bordering-on-competent IT department so they can perform advance planning. But I guess that would upturn the apple cart (no pun intended) of the culture of secrecy.
This is why Apple will continue to be a failure in any IT department larger than a startup. The only reason MacOS is supported in larger businesses is because the whiny graphics department would riot if they took their Macs away. And I don't want to hear "but I do all my software development on a Mac!!!1!" Yeah, in an unmanaged configuration on your rogue developer box, sure, whatever. No one is running thousands of Macs outside Apple and if they are they're not doing it without many third-party system management kludges and an army of people to support it. And the whole thing hangs on by a thread.
Apple's enterprise support is a joke and will continue to be unless there are major changes. Even Linux and FreeBSD (!) are better at this.
Okay. I have an idea. Let’s see what happens if we treat…
06: 00 B5 push {lr}
… as the start of this weird code(?) sequence. It pushes the link register (i.e., the return address to the caller).
08: 42 40 eors r2, r0
0a: 00 2A cmp r2, #0
This XORs R2 and R0 and compares the result against zero. But that’s just a decoy, as we’ll see.
0c: 00 F0 02 F8 bl #0x14
This calls into…
14: 70 46 mov r0, lr
16: 00 47 bx r0
… which moves the return address to R0, and then returns. Using the addresses in this disassembly (not in the actual boot ROM), the return address is 0x10; but LR and, therefore, R0 will actually contain 0x11 because the LSB signifies Thumb mode.
None of the previous three instructions modifies the flags. (I checked in the ARM reference manual.) Thus, “BHS” (branch unsigned higher or same) uses the flags from the “CMP R2,#0” above. _Every_ value of R2 is higher (in the unsigned sense) or same as 0. Hence, the following branch is always taken:
10: F6 D2 bhs #0
… to…
00: 11 38 subs r0, #0x11
R0 contained 0x11 relative to the start of this code sequence. (The absolute address in boot ROM is of course different.) Now, R0 points to the start of the code sequence.
02: C0 7A ldrb r0, [r0, #0xb]
This loads the byte at offset 0xB in this code sequence. Look above, it is 0x2A.
04: 00 BD pop {pc}
This returns to the caller, using the LR pushed at the beginning. The return value in R0 is 0x2A.
0x2A is 42 (decimal)! Could this be an Easter egg; a very obfuscated way of returning 42, the Answer to the Ultimate Question of Life, the Universe, and Everything? (Remember that the Raspberry design team is from Britain, same as Douglas Adams.)
For simple requests where it's just convenient to have them in a list, with a description/easy to find for replaying, a VSCode extension like Rest Client [0] can be useful instead of the desktop apps. Well, VSCode is a desktop app too, but if you already use it... :P
I like it because you can just write a text file with the request and any comments you need around them, and... being just text, it's so easy to manipulate.
When I need scripts for special auth I fall back to postman though, haven't dug enough to see if I can make it work with that addon (or any other one).
Also there's Thunder Client [1] which I haven't tried but apparently has more features.
ACME is a standardized protocol (RFC8555) and there are more providers than Let's Encrypt, and you can switch transparently. That combined with the standard procedure of renewing a few weeks before the expiration date lets one handle even a total failure rather nicely.
Some other ACME providers I know of:
- ZeroSSL.com
- BuyPass.com
- SSL.com
(most of those provide free certs in some form, but some with limitations and may then ask for money if you want more features).
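One way to put that "switch transparently" property to work, as an added example that is not part of the comment above: a renewal wrapper that walks a list of ACME directories in order of preference and falls through to the next CA when one fails. The directory URLs are the public endpoints of the CAs named above; the client shown is certbot, whose `--server`, `--eab-kid` and `--eab-hmac-key` switches are real, but any ACME client with a directory-URL option works the same way. Webroot validation, the contact address, and the ZeroSSL External Account Binding credentials in `$ZEROSSL_EAB_KID`/`$ZEROSSL_EAB_HMAC` are assumptions for the example; `$CERTBOT` is overridable so the fallback logic can be exercised without a real CA.

```shell
#!/bin/sh
# Added example, not from the comment above: renew a certificate against a
# list of ACME CAs in order, falling through to the next CA when one fails.
# Assumptions: certbot with webroot validation, ZeroSSL EAB credentials in
# $ZEROSSL_EAB_KID / $ZEROSSL_EAB_HMAC (ZeroSSL requires External Account
# Binding), and $CERTBOT overridable for testing.

CERTBOT=${CERTBOT:-certbot}
WEBROOT=${WEBROOT:-/var/www/html}
ACME_EMAIL=${ACME_EMAIL:-hostmaster@example.com}

# CAs to try, in order of preference. Use
# https://acme-staging-v02.api.letsencrypt.org/directory for Let's Encrypt
# while testing so rate limits are not burned on dry runs.
ACME_SERVERS="
https://acme-v02.api.letsencrypt.org/directory
https://acme.zerossl.com/v2/DV90
https://api.buypass.com/acme/directory
"

# extra_args DIRECTORY: print CA-specific client flags; return 1 to skip a CA
# whose prerequisites (here: ZeroSSL EAB credentials) are missing.
extra_args() {
    case "$1" in
        *zerossl*)
            [ -n "${ZEROSSL_EAB_KID:-}" ] && [ -n "${ZEROSSL_EAB_HMAC:-}" ] || return 1
            printf -- '--eab-kid %s --eab-hmac-key %s' "$ZEROSSL_EAB_KID" "$ZEROSSL_EAB_HMAC" ;;
    esac
}

# renew_with_fallback DOMAIN: print the directory URL that issued the
# certificate; return 1 only if every CA in the list failed.
renew_with_fallback() {
    domain=$1
    for dir in $ACME_SERVERS; do
        extra=$(extra_args "$dir") || { echo "skipping $dir: missing credentials" >&2; continue; }
        # $extra is intentionally word-split into separate flags
        if "$CERTBOT" certonly --non-interactive --agree-tos --email "$ACME_EMAIL" \
             --webroot -w "$WEBROOT" -d "$domain" --cert-name "$domain" \
             --server "$dir" $extra >&2; then
            echo "$dir"
            return 0
        fi
        echo "renewal via $dir failed, trying next CA" >&2
    done
    return 1
}

# Run from cron as: ACME_DOMAIN=www.example.com sh renew-fallback.sh
if [ -n "${ACME_DOMAIN:-}" ]; then
    renew_with_fallback "$ACME_DOMAIN"
fi
```

Because the script is meant to run well before expiry (the "renew a few weeks early" practice mentioned above), a failure of the first CA costs nothing but a log line; the certificate is simply issued by the next CA in the list, and the only thing to keep an eye on is whether anything downstream (pinning, CAA records) is tied to a specific issuer.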
Fewer than 10% of HN users are in the Bay Area. I don't know what the number for California is but I'd be surprised if it were above 15%. Half of the userbase is outside the U.S. People make a lot of false assumptions about the demographics here.
HN has always had a mix of topics. That hasn't changed.
Video walks on Youtube. If you haven't heard of them before, they're simple first-person videos where the filmer walks around some area with a stabilized video camera - no talking, just walking. I've really missed traveling and watching video walks while exercising has been a great way to satisfy that travel craving a bit and also trick my brain into experiencing some semblance of normalcy (not sure I could remember what a crowded street feels like otherwise haha).
I'm partial to Japan so my favorite channel has been Rambalac [1], and I recently also started watching another channel with the very creative name JAPAN 4K [2]. There are tons of other channels and places too, for example I recently watched a few in Lisbon [3] and Seoul [4] and Copenhagen [5]. They're very relaxing and fun to watch and going from place to place with no cuts captures the usual tourist experience quite well. If you like traveling you can probably find some that are interesting to you!
How do you run an application on a cluster of plain old linux machines? How do you do load balancing? How do you scale up and down? How do you update your app without downtime? How do you roll back easily if something goes wrong? How do you ensure all your servers are running the same version of dependencies? How do you update those dependencies? How do you replicate your environment if you want to add a new server to your cluster? If your app has microservices how do services discover each other? How do you mount volumes from cloud storage? How do you update configuration? How do you automatically restart failed applications? How do you monitor if your applications are working? How do you make sure the right number of MongoDB replicas are running at all times? How do you view your log files remotely? How do you port-forward from localhost to your Linux server to test your app locally?
Use Equalizer APO with a noise-reduction VST. This is by far the best option on Windows if you are concerned about latency×compatibility×underruns as a figure of merit. It is far superior to using "virtual audio cables" and a VST host (like Lighthost or SAVI) or voicemeeter.
It's not well known, but it really works spectacularly well compared to those other options. For me it never has had any audible buffer underruns (unlike Lighthost), no noticeable latency (unlike SAVI and Voicemeeter, even with small buffer sizes), no problems regarding exclusive mode (unlike voicemeeter) and it works with every single application.
The UI is not terribly clear about this, but it can drive multiple devices independently, simply by adding several "Device" blocks to the configuration.