Chrome prefetch

So, Google came up with something new.
Or actually, it’s not really new, because this URL dates back to May 2022. But I was just cleaning up my web server logs, and I ran into something I didn’t know.

What it comes down to is that, instead of optimizing Google Chrome, Google has decided to lay the responsibility for the (lack of) speed of their browser with website developers worldwide. If you want to help them pretend that Chrome is a browser that can keep up with other browsers, you are expected to host a specially crafted file, which will allow Chrome to prefetch all linked URLs in your website, even if your visitor does not click on those links.
Obviously, this is not a good idea: this will increase internet traffic exponentially, without any real benefits, which in turn makes using the internet more expensive for all of us (more traffic = higher cost for our providers = higher cost for us). But of course Google doesn’t care too much about our cost…

So, here is something you can do if you, like me, don’t feel like paying for Google’s expansionism.

The file that Chrome expects to find is called /.well-known/traffic-advice. By blocking access to this URL, you will help Google Chrome management realize that they are the ones responsible for optimizing the Google Chrome code, and that you (and the users of your website, and users of the internet in general) are not ready to pay for the investments that they are not willing to make.

If you’re a webhosting provider, and your webserver is Apache, add these lines to your Apache configuration:

<Location "/.well-known/traffic-advice">
    Redirect 404
    Header always set X-AttnGoogle "Let's optimize Chrome code, instead of increase overall internet traffic."
</Location>

Obviously, you should feel free to modify the contents of the X-AttnGoogle header, or even to delete it altogether.

If you are not a wehosting provider, but you do have a website, you can add these lines to your .htaccess file:

Redirect 404 "/.well-known/traffic-advice"
Header always set X-AttnGoogle "Let's optimize Chrome code, instead of increase overall internet traffic." "expr=%{REQUEST_URI} =~ m#^/.well-known/traffic-advice#"

And here as well: do with the X-AttnGoogle header what you want. Clearly, I cannot guarantee that the contents of this header will ever reach Google headquarters, and I’m pretty sure that even if it does, they won’t care. But, at least to me, it feels good to send a message.

If you, or your webhosting provider, are running any other webserver than Apache, I am very open to receiving alternative configurations for your webserver. Feel free to contact me at traffic-advice@ohreally.nl; let me know if you prefer that your contribution is added anonymously.

O, and you could stop using the Google Chrome browser, which would not only benefit the internet as a whole, but also you personally.
The following browsers are all superior, not only because they don’t prefetch websites you were not going to visit anyway (which benefits the internet), but also in terms of speed and memory management (which benefits your PC), and in terms of privacy control and spam blocking (which benefits you as a person). So follow these links to download and install them:

• Mozilla Firefox (available for Windows, macOS, Linux/BSD, Android, iOS)
• Microsoft Edge (available for Windows, macOS, Linux, Android, iOS)
• Opera (available for Windows, macOS, Linux, Android, iOS)

And just so we’re clear: I am not affiliated with any of the companies or products mentioned in this article. I just think that the internet should be available to everyone, at a reasonable price and under reasonable conditions.

WordPress: Flag possibly outdated posts

I use this blog’s Nerd stuff category for IT and technology related posts. But the oldest posts date back more than 10 years, and technology changes fast.

So I decided to add a warning to messages older than 3 years in that category. To do so, I added this code snippet to the functions.php file in the theme folder:

<?php
add_filter('the_content', 'post_age');
function post_age($content) {
    if (is_category('nerd-stuff') || ((is_home() || is_single()) && in_category('nerd-stuff'))) {
        # Minimum post age to display the message.
        # 3 years seems reasonable for technology.
        $min_yrs = 3;
        $min_sec = $min_yrs * 365 * 24 * 60 * 60;

        # Post age in seconds.
        $post_sec = date('U') - get_post_time();

        if ($post_sec > $min_sec) {
            # Post age in years.
            $post_yrs = round($post_sec / 60 / 60 / 24 / 365);

            # Prepend the warning to the content.
            return "<div style='border:1px dashed #cc0000; padding:25px; margin-bottom:25px; text-align:center; font-weight:bold; color:#cc0000;'>Please keep in mind that this post is about $post_yrs years old.<br>Technology may have changed in the meantime.</div>" . $content;
        }

        # Post is not old enough for a warning.
        return $content;
    }

    # We are not on the category page, the home page, or a single post page.
    return $content;
}

For the category, I used the ‘slug’ in the code above, but I could also have taken the category name or the category ID.

And I didn’t actually add this code to the theme’s functions.php. I first created a child theme as described here, and then added the code to the child theme’s functions.php. This way, I don’t lose my code if and when the theme is updated.

For the result, you can just browse the Nerd stuff category.

Blur your house!

Google, Apple, Bing and Mappy have all added images to their map apps.
Great, you can now see your own house on the internet!

Or not?
If you’re privacy minded, like I am, maybe it’s not. If I want to see my own house, I’ll just step outside. And I really don’t need others, like (future) employers for example, to snoop around my stuff.

So I had those apps blur my house, making it unrecognisable. Follow the instructions below to blur your own house.
And if you want even more privacy, create a dedicated email address before following the instructions, to prevent these companies from linking your physical address to your email address; you can delete the new email address once you’re done.

And remember: freedom cannot exist without privacy!

(I’m translating from french, so if you can’t find the exact options I tell you to click or select, be creative.)

Google

Go to Google Maps.
Find your address.
Open Street View.
Drag the image until you’re looking at your house.
Find the Report a problem link (top left corner, 3 vertical dots), and click it.
Under Request blurring select My home.
Fill in your full address (country included).
Fill in your email address, solve the captcha, and submit the form.

In a day or 2 you’ll receive a mail telling you that the changes will be made within 24 hours. And those changes are indeed made (in my case they also blurred my neighbours’ house, so this story may have a sequal someday).

Apple

I haven’t found Apple Plans online, so these instructions are for iPhone.

If you don’t own an Apple device, or don’t want to use it, send a mail to MapsImageCollection@apple.com requesting to censor your home; this mail should probably be in english, and must contain your full address (country included).

On iPhone, and probably other Apple devices:
Open Plans.
Find your address.
Tap on the binoculars icon in the bottom left corner of the map.
Maximize the image that appears (if it isn’t maximized already).
Drag the image around a little (strangely enough, this seems to change the available options for the image).
In the list of options below the image, tap on Report a problem.
Select Privacy issues.
Select Blur the image of my home.
Fill in your address.
Submit the form (top right).

Within a few days you receive confirmation that your request has been received and will be acted upon. A week or two after this confirmation my house was blurred.

Bing

Bing’s images are of such low quality that blurring doesn’t really change much. But since we’re on the topic, let’s include them.

Go to Bing Maps.
Find your address.
Click on the photo of your street on the left side of the window.
Drag the image until you’re looking at your house.
Click on Report a privacy concern with this image in the bottom left corner of the image.
In the form that opens, select House in the dropdown list.
In the textfield, ask to have your house blurred, and add your full address (country included); also add your email address, in case they want to verify.
In the (horrible) panoramic photo, click on your house.
Submit the form.

Bing does not confirm the reception of your request, nor the blurring itself, but after one or two weeks your house is blurred. (Bing also blurred my neighbours’ house.)

Mappy

I haven’t been able to test Mappy, because 360° view, as it’s called on Mappy, is not yet available for my address. But the possibility to blur your address is available; it is, however, a bit more work than for the sites above.

Go to Mappy.
Find your address.
Click on the 360° icon on the right of the screen (figure with arrow around), and then click in front of your house on the map.
Click on Report in the bottom left corner of the image.
Under B) you will find the list of information to provide; you need

• the ID of the image containing your house (follow the instructions, and click on the provided link for an example)
• your complete address
• a document that proves that this really is your address
• a screenshot on which you’ve indicated which part of the image to blur (click on the provided link for an example)

E-mail all of the above to contact@mappy.com; the message’s subject should be “Signaler une image – Facade” (Mappy is french).

Since I’ve not been able to test this (yet), I don’t know whether Mappy confirms reception of your request, nor the time it takes for your house to be blurred.

FreeBSD: when did I last update my ports/packages?

This tip is again FreeBSD only, and won’t work on Linux.

So it’s been a while since you updated your ports and/or packages, and actually you don’t remember exactly when. And now you’re ready to run a new update, but you don’t know from where to start reading /usr/ports/UPDATING before you update.

Luckily, this information can simply be extracted from the SQLite database that contains info on all installed packages. Add the following alias to your ~/.bashrc:

alias pupl='sqlite3 /var/db/pkg/local.sqlite "select datetime(time, \"unixepoch\") from packages order by time desc limit 1"'

Clearly, if you don’t use the Bash shell, you should figure out how to add aliases in your shell. The alias will be active after you re-login; invoke it like any other command.

$ pupl

This alias will display the date and time that the last package or port was updated or installed.

Note: if you last installed a package without updating the already installed packages, this alias will display the date and time for the last installation, and not for the last update!

If you’re going to play around with that database to see what other info you can extract from it, you should probably make a copy of it, to make sure you don’t accidentally write to the original; you don’t want to mess up your package database.

P.s.: the name for the alias comes from ‘Ports UPdated Last’; change it to anything you like.

Related: puptd

9GAG: Hide anonymous posts

There’s probably a rather small audience for this tip.
I’ll share it anyway.

9GAG decided to display usernames of OPs. Which is mostly a good thing, as it seems to have reduced double posts, bot posts and spam posts.
However, posters can still indicate that they want to be anonymous. Posts from these OPs are then posted under the generic fake username 9GAGGER, a user that cannot be blocked. And obviously there are posters who abuse this possibility to continue to post bullshit posts.

Luckily it’s not very hard to just hide all posts from fake user 9GAGGER; in your desktop browser, that is.

Install the uBlock Origin add-on in your browser.
Open it’s settings, and add this filter on the My filters tab:

9gag.com##article:has(a.ui-post-creator__author:has-text(/^9GAGGER$/))

Hit the Apply changes button, and you’re done.

All anonymous posts will now be hidden. Mind you: they are still loaded, they are just hidden from sight.

Obviously, you can also use this to hide other users’ posts. This way you won’t have to create an account just to ignore certain users. Just replace 9GAGGER with the user to be ignored in the rule above; make sure to leave the caret ( ^ ) before the username intact, as well as the dollar sign ( $ ) behind it.
You can make as many of these rules as you like, one rule per line.

Additionally, if you don’t have a 9GAG user account, you can’t make ‘sensitive content‘ visible, so you might as well filter that out, too:

9gag.com##article:has(div.post-sensitive-mask__body)

And personally I have configured my browser to block all YouTube content (or all Google content, actually), so I don’t need 9GAG to display these ’empty’ posts either:

9gag.com##article:has(div.youtube-post)

Tip:
If you now have both the uBlock Origin and uMatrix add-ons installed, you could copy the rules from uMatrix‘ My rules tab to uBlock‘s My rules tab. Both add-ons are created by the same developer team, and the rules are compatible. You could then disable or uninstall uMatrix.
You may have to add some new rules to get some sites working again, though, since uBlock Origin blocks a bit more than uMatrix.
The uMatrix GitHub repository has been archived, so I think uMatrix may be retired soon (although I have not been able to find any confirmation about that).

Custom kernel on a remote host

This is a FreeBSD tutorial; it’s useless for Linux.

The FreeBSD handbook describes how to build a custom kernel. However, this documentation assumes that you have access to the boot menu in case the new kernel won’t boot. And on a remote server this is not always an option.
So I will describe the process for building a custom kernel on a remote server here. For clarity and sysadmin friendliness I will start at the beginning, instead of only explaining how to boot the old, working kernel if something is wrong with your new kernel.

Read More

Password generation

Let’s do a quickie, because it’s been a while…

Did you know that if you type password 32 into DuckDuckGo, it will generate a 32 character random password?

→ https://duckduckgo.com/?q=password+32

To generate a stronger password, with 1 or more special characters, add the word strong.

→ https://duckduckgo.com/?q=password+strong+32

The 1 thing that’s missing in 2FA

Wikipedia, Twitter, GitHub, Trello, …
Hundreds, if not thousands of websites require multi-factor authentication, or at least offer it as a complementary security measure.

WordPress, Roundcube, Kanboard, Nextcloud, …
Hundreds, if not thousands of web applications offer multi-factor authentication by default or as a module/plugin.

And yet, there is one thing that none of all these 2FA developers/implementors have thought of. And since I don’t have the time, nor the desire, to submit a bug report for each of these thousands of applications and websites, I’m just going to say it here. Kudos to all developers who read this, realize that I’m right, and implement this.

IF AND WHEN SOMEONE REACHES MY 2FA FORM AND CANNOT COMPLETE IT, I WANT TO BE NOTIFIED!

If someone reaches the 2FA form, this means that they have correctly entered my password.
If someone cannot complete the 2FA form, this means that they probably do not have my phone or 2FA device.
So it is very probable that someone who cannot complete the 2FA challenge IS NOT ME.
This means that someone who is not me has managed to correctly enter my password.

This means that very probably my password has been compromised, and I must change it. NOW!

So, if the above is too much text for you, let me summarize below:

IF SOMEONE CANNOT COMPLETE MY 2FA CHALLENGE,
THEY HAVE PROBABLY ALREADY COMPROMISED MY PASSWORD,
AND I NEED TO KNOW ASAP!

And actually, I’d even prefer to know if they reach the 2FA form and don’t try to complete the challenge. Because if I want to log in, I go all the way, and I don’t abandon between password and 2FA.

Check the ACL!

I just shot myself in the foot using Access Control Lists.

# ls -l ./somefile.txt
-rw-r-----+  1 root  www  893  Apr 4 00:44 ./somefile.txt
# getfacl ./somefile.txt
user::rw-
user:www:--x  # effective: ---
group::r-x    # effective: r--
mask::r--
other::---

In the above example, the file inherited the default ACL from the parent directory.

I’m not even going to tell you how long it took me to figure out why the web server couldn’t access the file…

If you can’t find it: check those ACL!

And if you want to drive your colleague crazy:

# setfacl -m u:george:--- /some/random/commonly/used/file

PF cheatsheet

Cheatsheet for the PF firewall (*BSD, macOS/iOS, Solaris, QNX/BlackBerry).

Read More