Diffstat (limited to 'TODO.md')

| Mode | File | Lines changed |
|---|---|---|
| -rw-r--r-- | TODO.md | 219 |

1 files changed, 173 insertions, 46 deletions
@@ -1,42 +1,54 @@ # Site TODO ## Notes - - use `zf` to fold sections - use `zc` to expand tem ## general -- replace `<img>` in old posts with `{{< figure >}}` (partial work - done on stuff `>= 2019`) -- fix broken links in posts -- import files +- import old files + backup: `user.k3:/data/backup/k2/sda6/share/www/pablotron.org/htdocs` - add "music" somewhere ("songs", keep pmdn.org for personal stuff) - add sticky footer: https://css-tricks.com/couple-takes-sticky-footer/ - toc: add title and aria-label - toc: show on right sidebar on desktop -- htmltest/htmltidy post-receive hook (already installed as - web.k3:~/go/bin/htmltest): <https://github.com/wjdp/htmltest> - monthly link sweep? - upgrade from bulma 0.9.3 to bulma 1.0.0 <https://bulma.io/documentation/start/migrating-to-v1/> -- add html linter. see reviews here: +- projects: better project pages (pull from `README.md`) +- wkd for pgp +- home: rename "Archived Posts..." to "Older Posts" +- archive: rename "Archived Posts..." to "Older Posts" +- index with pagefind: (<https://pagefind.app/>, <https://www.tbray.org/ongoing/When/202x/2025/11/01/Blog-Search-Pagefind>) + +## linting +- replace `<img>` in old posts with `{{< figure >}}` (partial work + done on stuff `>= 2019`) +- fix broken links in posts +- htmltest/htmltidy post-receive hook (already installed as + `web.k3:~/go/bin/htmltest`) +- add automatic html linter. 
see reviews here: <https://chezsoi.org/lucas/blog/a-review-of-html-linters.html> +- fix old links with `ia` tool: + <https://archive.org/developers/quick-start-cli.html> +- restore old projects, releases, and picture content from backup + directory: `user.k3:/data/backup/k2/sda6/share/www/pablotron.org/htdocs` + note: will need to reduce size of `gallery` ## post ideas - fast document search: postgres fts, `pg_trgm`, and tika (git/test/sift) (richard asked about this on 2019-07-22, so +1) - sqlite3 fts search - compiler surprises: https://godbolt.org/z/ZQbZ2R -- pwasm - RewriteMap/docker (gist) -- ev-crash-course (~/git/ev-crash-course) - pocket-jim - greenwashing: ccs/nuclear/hydrogen is a scam great link: <https://www.vox.com/climate/363076/climate-change-solution-shell-exxon-mobil-carbon-capture> - plug-in hybrids: find link about people mashing accelerators and effective mpg being substantially lower than advertised - lots of good stuff in "science/climate" bookmarks + - wind kills birds garbage: + <https://codingrelic.geekhold.com/2024/12/wind-turbines-and-bird-deaths.html> - thoughts on "relevance of classic fuzz testing" - https://neverworkintheory.org/2021/10/01/the-relevance-of-classic-fuzz-testing.html - "law of small numbers": http://psychology.iresearchnet.com/social-psychology/decision-making/law-of-small-numbers/ 
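Review bot: the htmltest link is lost in the move to the new `## linting` section: the removed line carried `<https://github.com/wjdp/htmltest>`, but the re-added `htmltest/htmltidy post-receive hook` item keeps only the `web.k3:~/go/bin/htmltest` path; re-add the URL. The same hunk also lists the `user.k3:/data/backup/k2/sda6/share/www/pablotron.org/htdocs` backup twice, once as `import old files` under `## general` and again as `restore old projects, releases, and picture content` under `## linting`, where it does not belong; keep the fuller item (with the `gallery` size note) in `## general` and drop the other.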
@@ -54,6 +66,14 @@ - tulip mania - irony: <https://www.jwz.org/blog/2024/11/bitcoin-tulips/> - nerd sniping + - <https://web3isgoinggreat.com> + - charlie strauss + - <https://www.antipope.org/charlie/blog-static/2022/11/decision-fatigue.html> + - <https://www.antipope.org/charlie/blog-static/2013/12/why-i-want-bitcoin-to-die-in-a.html> !! (lots of good stuff content here) + - ftc fraud: + <https://www.ftc.gov/news-events/news/press-releases/2022/06/new-analysis-finds-consumers-reported-losing-more-1-billion-cryptocurrency-scams-2021> + <https://www.ftc.gov/news-events/news/press-releases/2022/06/new-analysis-finds-consumers-reported-losing-more-1-billion-cryptocurrency-scams-2021> + (note: bullet in second article is a "pig butchering" scam) https://www.jwz.org/blog/2022/01/mozilla-blinked/ https://www.wired.com/story/theres-no-good-reason-to-trust-blockchain-technology/ (nicholas weaver article) @@ -69,7 +89,6 @@ - syzkaller/syzbot: https://www.youtube.com/watch?v=YwX4UyXnhz0 https://clangbuiltlinux.github.io/CBL-meetup-2020-slides/glider/Fighting_uninitialized_memory_%40_CBL_Meetup_2020.pdf - http://www.antipope.org/charlie/blog-static/2022/11/decision-fatigue.html - bpf: https://ebpf.io/ https://www.brendangregg.com/blog/2021-07-03/how-to-add-bpf-observability.html https://qmonnet.github.io/whirl-offload/2021/09/23/bpftool-features-thread/ @@ -98,7 +117,7 @@ - log4j and dependency usefulness as a function of time for projects - postgres tiny tricks - CTEs as optimization barrier: - https://old.reddit.com/r/programming/comments/suyidt/a_hairy_postgresql_incident/hxdvwl4/ + <https://old.reddit.com/r/programming/comments/suyidt/a_hairy_postgresql_incident/hxdvwl4/> - `~* ANY(string_to_array(?))` (comment in reddit w/json array) - pub/sub? - domains instead of repeated check constraints 
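Review bot: in the `ftc fraud:` item the same FTC press release URL (`.../2022/06/new-analysis-finds-consumers-reported-losing-more-1-billion-cryptocurrency-scams-2021`) is pasted twice, yet the parenthetical refers to a "second article", so the second link was presumably meant to be a different page; either paste the intended URL or drop the duplicate together with the note. Also, the author of the antipope.org posts is Charles Stross, so `charlie strauss` should read `charlie stross`.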
@@ -109,6 +128,10 @@ - timestamptz, long timezone names aware of DST - RETURNING - GENERATED STORED tsvector (bookman) + - INT PRIMARY KEY GENERATED BY DEFAULT AS IDENTITY vs + INT PRIMARY KEY GENERATED ALWAYS AS IDENTITY + (fix sequence permission nonsense) + - EXISTS rather than COUNT() (depz article about this somewhere) - compare and contrast cyclonedx vs spdx - (at the moment i like cyclonedx more, it seems less ad-hoc) - https://cyclonedx.org/docs/1.4/json/ @@ -123,6 +146,9 @@ <https://blog.tidelift.com/the-state-of-package-signing-across-package-managers> - declarative install (go) rationale: <https://blog.phylum.io/phylum-discovers-dozens-more-pypi-packages-attempting-to-deliver-w4sp-stealer-in-ongoing-supply-chain-attack> + - counterexamples: + - rubygems (arbitrary ruby) + - rust (arbitrary rust in `build.rs`) - typosquatting (see sqo vulns from may email) - starsquatting (requests, phpass): https://medium.com/checkmarx-security/typosquatting-attack-on-requests-one-of-the-most-popular-python-packages-3b0a329a892d - ref: https://kerkour.com/rust-crate-backdoor @@ -158,9 +184,7 @@ https://bitbucket.org/brucelet/space-trader/src/master/app/src/main/java/com/brucelet/spacetrader/ and the 70s one w/ source: https://en.wikipedia.org/wiki/Star_Trader -- markovian (golang markov chain generator) - (~/git/test/go/markovian) -- hq (~/git/hq) +- hq (`flex:~/git/hq`) - secure C wiki is confluence!?!? <https://wiki.sei.cmu.edu/confluence/display/c/SEI+CERT+C+Coding+Standard> - fuzzing (afl) @@ -181,9 +205,7 @@ gambler's ruin (intro to prob, ch 3.5) constant-time fibonacci - fzf, ripgrep -- https://krebsonsecurity.com/2022/08/the-security-pros-and-cons-of-using-email-aliases/ - (email aliases, suggest whitelist instead of blacklist) -- bad defaults: +- bad defaults ("knives up in dishwasher"): - nullable in code/db (see also: <https://carlineng.com/?postid=sql-critique#blog>) - mutable variables - fallthrough in switch 
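Review bot: the `INT PRIMARY KEY GENERATED BY DEFAULT AS IDENTITY vs INT PRIMARY KEY GENERATED ALWAYS AS IDENTITY (fix sequence permission nonsense)` item conflates two different distinctions. BY DEFAULT vs ALWAYS only controls whether an INSERT may supply an explicit value for the column without `OVERRIDING SYSTEM VALUE`; the sequence-permission problem is the `serial` vs identity-column difference, since a `serial` column's sequence needs a separate `GRANT USAGE ON SEQUENCE` for every inserting role while an identity column's sequence is internal to the column and `INSERT` on the table suffices. Suggest splitting it into `serial vs GENERATED ... AS IDENTITY (fixes sequence permissions)` and a separate `BY DEFAULT vs ALWAYS` bullet.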
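Review bot: the `counterexamples:` sub-list under the declarative-install rationale would carry more weight if it named the hook that runs the code: rubygems runs `extconf.rb` when building a native extension at install time, and cargo runs `build.rs` and procedural macros at build time. The most widely abused case, npm lifecycle scripts (`preinstall`/`postinstall` in `package.json`), is missing and should be added, and the contrast the rationale depends on is worth stating explicitly: `go get` and `go build` never execute code supplied by a fetched module (`go generate` is a separate, explicit step).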
@@ -191,35 +213,36 @@ - nullable parameters - defer (go, c proposal) vs manual freeing - create openssl 3.x provider, see: - https://www.openssl.org/docs/manmaster/man7/provider.html + <https://www.openssl.org/docs/manmaster/man7/provider.html> (could use pt-aes, pt-chacha20, md4, md5, sha2, etc) -- summary of minification work w/ links to posts, reference this - article: - https://endtimes.dev/why-your-website-should-be-under-14kb-in-size/ - minikube vs k3s (https://minikube.sigs.k8s.io/docs/handbook/) -- on passwords (crypto training, https://arstechnica.com/civis/viewtopic.php?f=2&t=1486155&p=41174039#p41174039) - - lots of bad info floating around (see comments of - https://arstechnica.com/information-technology/2022/08/plex-imposes-password-reset-after-hackers-steal-data-for-15-million-users/ - https://old.reddit.com/r/programming/comments/wxx674/password_management_firm_lastpass_was_hacked_two/ - etc - - passkeys (good replacement, too complicated internally) - - owasp password security cheat sheet, fips 183? 
- compare sanitizer api, dompurify, fastest htmlesc - tiny-binaries redux w/go 1.20, point out grype scanner output for minimal images - browser addons: - (ublock origin) + (ff: ublock origin, chrome: ublock origin lite) https://arstechnica.com/gadgets/2022/09/beloved-browser-extension-acquired-by-non-beloved-antivirus-firm/?comments=1 <https://consentomatic.au.dk/> cosmetic filter example: https://github.com/gorhill/uBlock/wiki/Procedural-cosmetic-filters <https://rubyweekly.com/issues/620> ##table.item:has(p.name > .tag-sponsor) -- try out various lsms -- systemd hardening + - dark reader + - tab stash +- hardening + - try out various lsms + - apparmor + - lockdown + - selinux + - systemd hardening (examples: spamassassin config) + - owasp guides + - disa stigs + - dropping system calls (firejail) + - opensnitch - heat pump (pictures/heat-pump-20220930) - <https://insideevs.com/news/509767/tesla-model3-control-arm-fix/> - `curl|bash` is madness + - vulnerable to clickfix: <https://arstechnica.com/security/2025/11/clickfix-may-be-the-biggest-security-threat-your-family-has-never-heard-of/> - gosec vs govulncheck https://github.com/securego/gosec https://www.pixelstech.net/article/1667102060-Secure-Your-Go-Code-With-Vulnerability-Check-Tool @@ -238,9 +261,6 @@ - thoughts on tesla: <https://digbysblog.net/2022/11/27/elon-musk-remembered-for-tech-he-destroyed/> - try out pgsodium: <https://github.com/michelp/pgsodium> -- aegis authenticator dance w/ tablet - <https://github.com/beemdevelopment/Aegis> - (including installing lineage 20) - fix-enterprise-episodes.rb - imagecompare (flex:git/go/test/imagecompare) - don't expose ssh (imap) 
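Review bot: the new sub-bullet under `curl|bash is madness` reads as though ClickFix exploits `curl|bash`; it does not. ClickFix is social engineering that gets a user to paste an attacker-supplied command into a run box or terminal, and `curl ... | bash` is the same failure mode (executing a remote command nobody read) reached by a different path, so phrase it as a related example rather than "vulnerable to". The `curl|bash`-specific hazard worth keeping for the post is that a server can detect a piped download and serve different bytes than a browser fetch sees, so the script someone audited and the script that actually ran need not be the same.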
@@ -275,9 +295,13 @@ - sorta: elasticsearch (opensearch), redis - reddit, stackoverflow - my tools + - hnb - vim: (2 pragbooks vim books, vimhelp.org, learnvimthehardway) + - tried neovim, still like vim more - irssi + - bitlbee (except googlechat broke on 2025-05-25, :/) - screen + - tried tmux, still like screen more - mutt/offlineimap/notmuch (dovecot index config for android) - irb (show irbrc w/3.x mods) @@ -286,10 +310,12 @@ - perf - wireguard - minify, imagemagick/gm, pngquant + - `mod_deflate` mime types tweaked to compress svgs - meson? - postgres, sqlite - - firefox (ublock origin, tab stash, firefox sync) + - firefox (ublock origin, tab stash, firefox sync, dark reader) - gnome (extensions: hidetopbar, workspace matrix) + - gnome-extensions tool - podman - mtr - programming languages @@ -299,8 +325,20 @@ - python (matplotlib, sympy, sagemath) - assembly - js (es2015) -- sagemath, jupyterlab -- ollama + - neat tool: qalculate + - ref: <https://qalculate.github.io/> + - cli and gtk iface + - installed on flex + - recommended in lwn comments + - used for unit conversions + - derivatives switch quickly from symbolic to numeric evaluation + - sagemath, jupyterlab + - ollama + - btop (recommended by alonzo) + - goaccess: apache log reporting tool + - aegis authenticator dance w/ tablet + <https://github.com/beemdevelopment/Aegis> + (including installing lineage 20) - compare signify, age, and minisign: https://flak.tedunangst.com/post/signify https://blog.gtank.cc/modern-alternatives-to-pgp/ @@ -319,7 +357,6 @@ - firefox terms of use nonsense https://arstechnica.com/tech-policy/2025/02/firefox-deletes-promise-to-never-sell-personal-data-asks-users-not-to-panic/ https://lwn.net/Articles/1012430/ -- firefox tab groups (new in firefox 136) - problems w/ tracking apis: - orwellian name (does not preserve privacy) - analogies for folks to understand correlation: clue, sudoku, wordle 
@@ -416,7 +453,7 @@ - cryptopals introduction (most crypto fatally broken) - etc - lots of older stuff is "knives up in dishwasher" -- ai/llm mania +- ai/llm mania (slop) - article name: "ai canard" - how many fused-multiply adds does it take for sentience? - ai dropkick @@ -426,7 +463,6 @@ <https://linux.slashdot.org/story/15/06/30/0058243/interviews-linus-torvalds-answers-your-question> - summary of goldman sachs report which is negative on LLMs: <https://www.wheresyoured.at/pop-culture/> - - (lots of other stuff by ed zitron) - <https://arstechnica.com/information-technology/2024/07/openai-board-shakeup-microsoft-out-apple-backs-away-amid-ai-partnership-scrutiny/> (link to brutal goldman sachs report in comments which talks about technology limits, power consumption limits, and chip limits) @@ -439,6 +475,12 @@ <https://arstechnica.com/ai/2025/04/researchers-find-ai-is-pretty-bad-at-debugging-but-theyre-working-on-it/> (quote from brian kernighan about "clever code": <https://www.linusakesson.net/programming/kernighans-lever/index.php>) + - links: + - chatgpt <https://www.jwz.org/blog/2023/02/the-bullshit-fountain/> + - ai is not intelligence: <https://current.workingdirectory.net/posts/2023/enough-about-ai/> + - (lots of other stuff by ed zitron) + - "grift bubble": + <https://codingrelic.geekhold.com/2025/01/tale-of-two-crises-y2k-and-o3.html> - pi cases (fish, lemon, and pumpkin, see pics on phone) - transport-layer shenanigans: - included in openssl 3.4 (phoronix article) @@ -466,6 +508,8 @@ seed, openssl disagrees w/ ietf)... "the key issue": https://openssl-library.org/post/2025-01-21-blog-positionandplans/?utm_source=atom_feed https://mailarchive.ietf.org/arch/browse/spasm/?q=draft-ietf-lamps-kyber-certificates + - sotak, shmieg, and fillipo all have posts on this + - ietf email thread too - fast modular arithmetic - good book: primes: a computational approach (crandall primes) - hacker's delight 
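Review bot: the added `sotak, shmieg, and fillipo all have posts on this` line misspells two of the names; the posts on the ML-KEM seed question are by Sophie Schmieg and Filippo Valsorda, and the names should be spelled correctly so they are searchable when this gets written up. Confirm who `sotak` refers to, since it cannot be resolved from the surrounding lines.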
@@ -483,13 +527,68 @@ - tls for internal hosts w/ certbot and dns-01 - privacy (23andme bs): https://www.cnn.com/2025/03/25/tech/23andme-bankruptcy-how-to-delete-data/index.html +- run tails in gnome boxes with persistent storage + (see x1 notes for details, but it's `qemu-img convert ... qemu-img resize`) + ref: <https://unix.stackexchange.com/questions/517524/install-tails-with-persistent-storage-on-virtualbox> +- signal in tails: + <https://bisco.org/notes/installing-and-running-signal-on-tails/> +- bot user-agent blocking: + <https://www.jwz.org/blog/2025/05/user-agent-blocking/#comment-259206> + <https://perishablepress.com/ultimate-ai-block-list/> (linked from comment) + (consider modsecurity.org ...) +- site backend: document custom mime types in `MOD_DEFLATE` +- site backend: add "blocking llm crawlers" or "blocking llm slop" + section with `robots.txt` and more (see jwz above) +- passwords: + - article about storing passwords, password choices + - older idea: + - on passwords (crypto training, https://arstechnica.com/civis/viewtopic.php?f=2&t=1486155&p=41174039#p41174039) + - lots of bad info floating around (see comments of + https://arstechnica.com/information-technology/2022/08/plex-imposes-password-reset-after-hackers-steal-data-for-15-million-users/ + https://old.reddit.com/r/programming/comments/wxx674/password_management_firm_lastpass_was_hacked_two/ + etc + - passkeys (good replacement, too complicated internally) + - owasp password security cheat sheet, fips 183? 
+ - link to guidance from 800-63b + - avoid composition requirements + - bits from "storing passwords" from crypto training + - cracking luks: + - <https://diverto.github.io/2019/11/18/Cracking-LUKS-passphrases> + - <http://www.hungry.com/~pere/blog/Some_notes_on_Linux_LUKS_cracking.html> + - links to passkeys + - diceware, eff word list +- sequoia-pgp: https://sequoia-pgp.org/ + - much better command-line iface than gpg: commands are "encrypt", + "decrypt", "sign", "verify", etc + - still making sense of trust handling + - available in debian +- privacy: + - mozilla "privacy preserving" garbage (above) + - https://krebsonsecurity.com/2022/08/the-security-pros-and-cons-of-using-email-aliases/ + (email aliases, suggest whitelist instead of blacklist) + - web fingerprinting: <https://www.amiunique.org/fingerprint> + eff coveryourtracks: <https://coveryourtracks.eff.org/> + - eff surveillance self-defense: <https://ssd.eff.org/> + - msn good article about facebook snafu with a gratuitous omission: <https://www.msn.com/en-us/news/technology/meta-found-a-new-way-to-violate-your-privacy-here-s-what-you-can-do/ar-AA1GecPs> + - ars comment about ublock origin setting: <https://arstechnica.com/security/2025/06/meta-and-yandex-are-de-anonymizing-android-users-web-browsing-identifiers/?comments=1&post=43767385> +- spamprobe to spamassassin (notes in v3.txt) + - had to disable dnswl check, was causing grief + - `sa-check.py`, got 184/200 (~92% true positive rate) + - added `sa-train.sh`, runs nightly + - updated `~/.mailfilter` + - will monitor +- cwe id in u16, cve id in u32 + (`~/git/test/rust/nvd-cve/src/lib.rs`) +- "quick numbers vs accurate numbers" + - quick disease test versus blood test + - BLS jobs reports +- `polycvss` article about bit packing and `cvss-calcs` ## linkdump (2022-08-10): - css bg fade: <file:///data/home/pabs/git/test/html/css-bg-fade/index.html> <https://developer.mozilla.org/en-US/docs/Web/HTML/Link_types/preload> - 
https://www.mgaudet.ca/technical/2022/8/9/faster-ruby-thoughts-from-the-outside -- https://www.fuzzingbook.org/ - https://security.googleblog.com/2022/05/retrofitting-temporal-memory-safety-on-c.html - allocation in go: https://medium.com/eureka-engineering/understanding-allocations-in-go-stack-heap-memory-9a2631b5035d (src: <https://old.reddit.com/r/golang/comments/wl7qyx/when_writing_functions_when_should_i_pass_by/iju1bhs/>) @@ -507,8 +606,9 @@ - https://research.nccgroup.com/2022/08/16/wheel-of-fortune-outcome-prediction-taking-the-luck-out-of-gambling/ - https://carlineng.com/?postid=sql-critique#blog - https://www.openssl.org/blog/blog/2022/08/24/FIPS-validation-certificate-issued/ -- constant-time fibonacci: https://specbranch.com/posts/const-fib/ -- https://fabiandablander.com/r/Fibonacci.html +- constant-time fibonacci: + <https://specbranch.com/posts/const-fib/> + <https://fabiandablander.com/r/Fibonacci.html> - https://specbranch.com/posts/common-perf-numbers/ - (reminds me of "tyranny of metrics"): <https://old.reddit.com/r/programming/comments/x37u7k/be_goodargumentdriven_not_datadriven/> - chebyshev, taylor series: <https://specbranch.com/posts/faster-div8/> 
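Review bot: the passwords item re-adds `owasp password security cheat sheet, fips 183?` verbatim from the old section and then adds `link to guidance from 800-63b` and `avoid composition requirements` directly below it. NIST SP 800-63B is the password guidance (its memorized-secret verifier requirements are where the no-composition-rules advice lives), whereas FIPS 183 is the withdrawn IDEF0 function-modeling standard, so the `fips 183?` question is answered by the next bullet and should be dropped. Three smaller things in the same hunk: `document custom mime types in `MOD_DEFLATE`` should be `mod_deflate`, matching the Apache module name already used in the tools section; `https://www.fuzzingbook.org/` is removed from the linkdump without being re-added anywhere in the diff, which looks accidental; and the `cwe id in u16, cve id in u32` note should account for the 2014 CVE ID syntax change, under which the sequence part is at least four digits with no upper bound, so a packed u32 (year offset plus sequence) needs an explicit range check on the sequence rather than an assumption that it fits.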
@@ -558,14 +658,12 @@ - c23: <https://gustedt.wordpress.com/2022/12/18/checked-integer-arithmetic-in-the-prospect-of-c23/> <https://queue.acm.org/detail.cfm?id=3588242> -- chatgpt <https://www.jwz.org/blog/2023/02/the-bullshit-fountain/> - bitslicing <https://timtaubert.de/blog/2018/08/bitslicing-an-introduction/> - pqc parameter debates (kyber, turboshake, dilithium) - <https://paulgeorgiou.org/post/2023/05/sbox-cryptanalysis/> - <https://ratfactor.com/forth/the_programming_language_that_writes_itself.html> - <https://www.mattb.nz/w/2023/06/02/calling-time-on-dnssec/> - "another look at " (15 years of...): <https://www.math.uwaterloo.ca/~ajmeneze/anotherlook/> -- <https://current.workingdirectory.net/posts/2023/enough-about-ai/> - <https://mirrors.edge.kernel.org/pub/linux/kernel/people/paulmck/perfbook/perfbook.html> - <https://www.sevarg.net/2023/03/25/why-people-hate-tech/> - 4 pillars of program analysis (slide 5): @@ -576,6 +674,7 @@ <https://www.jwz.org/blog/2024/06/your-personal-information-is-very-important-to-us/> - <https://arstechnica.com/gadgets/2024/08/nova-launcher-savior-of-cruft-filled-android-phones-is-on-life-support/> - software: <https://www.lawfaremedia.org/article/the-crowdstrike-outage-and-market-driven-brittleness> +- <https://github.com/C2SP/wycheproof> ## done - add project folders 
@@ -700,3 +799,31 @@ https://arstechnica.com/security/2024/09/microsoft-adds-quantum-resistant-algorithms-to-its-core-crypto-library/?comments=1&comments-page=1 - final version of fip203 and fips204 - explanation of math for both? (not done, but covered in post above) +- goaccess +- tor: auto-build update hidden service (right now it's static) +- tor: add `Onion-Location` header +- summary of minification work w/ links to posts + - ref: <https://endtimes.dev/why-your-website-should-be-under-14kb-in-size/> + (added to site backend) +- old projects (obe): + - pwasm + - ev-crash-course (~/git/ev-crash-course) + - markovian (golang markov chain generator) + (~/git/test/go/markovian) +- tor: hidden service (see `tor` section above) + <http://pabstordmsrzhushs5drpb5mtb2ml56iyacidsjfebl2jlss65rlbsqd.onion/'> + (added to site backend) +- Projects: make each entry a `<li>` +- set up logrotate for more granular `goaccess` reports. done, see + k3 notes and this gist: + <https://gist.github.com/pablotron/57aea9422a56bf59fedb3282bcc96109> +- vanity `pablotron*.onion` address. done. url is: + <http://pablotronfils76sk6pwvyoosvfjbhxe3sn4c654e4na4szidbnbqdyd.onion/> +- firefox tab groups (new in firefox 136). done: added to "firefox + redux" post +- link to openvpn article in wayback machine: + <https://web.archive.org/web/20070812003116/http://www.linux-mag.com/id/2502> + (done: updated `content/posts/2006-03-19-openvpn*.html`) +- openvpn article wayback link +- site backend updates (nginx config) +- armbian on odroid n2l |
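Review bot: the tor hidden-service URL in the `## done` list has a stray apostrophe inside the angle brackets (`...rlbsqd.onion/'>`), which breaks the link; remove it. The `openvpn article wayback link` item duplicates `link to openvpn article in wayback machine` two lines above, and `goaccess` appears both as a bare item and in the logrotate item, so drop the duplicates. Since the vanity `pablotronfils76sk6pwvyoosvfjbhxe3sn4c654e4na4szidbnbqdyd.onion` address is marked done, the older `pabstordm...onion` entry is stale; note whether the old address still serves or redirects, and, now that `Onion-Location` is also marked done, it is worth confirming the header points at the vanity address rather than the old one.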
