Off the Goolag (2): Low cost shared hosting

For absolutely privacy, avoid using email (say, talk on Signal instead). Unless it’s inter-server mail in zero-knowledge encrypted providers like ProtonMail that also encrypt the message headers (meta-data, especially who’s sending to who), expect determined people with enough social engineering or authority can see it naked. It’s the same deal as snail mail where people in the post office can see what’s written on the envelope.

For big files like photos and typical cloud storage, which you should self-host these at home anyway. If you are worried about slow internet connection and downtime, you can pay for Zero-Knowledge cloud storage (which the server owners don’t have the master keys to your files) to add redundancy.

The next step down is to self-host your email, contacts, calendar, tasks (productivity suite) which you physically own so nobody can peek into it as long as you guard your home.

Hosting these services from home might be more work and risks (downtime), especially when it’s possible that your ISP’s IP address block is on the spammer’s list or if your ISP blocks the ports needed. The less secure alternative is to pay for extremely cheap shared web hosting services (we are talking about <$4/mo regular price and <$2 for the first year) which

  • you can make as many email accounts as you wanted
  • each email account comes with contacts, calendar, tasks as a bundle
  • use your own domain name
  • also host your own webpage and wordpress site

With Google, Microsoft, Apple and other big providers, they have big security teams to protect your data from hackers, but because of their centralized nature, it’s much more rewarding for hackers to breach one big provider than going after little accounts spread across different servers and IPs. Unless you are a high profile person or expect to be specifically targeted, you are better off managing your own productivity suite’s hosting/storage.

More importantly, it feels creepy when Google harvest my email and suggest I allow them to automatically register my appointment on my calendar. Random staff might not be reading our emails, but bots are and god knows what else they can do just by updating their code if they someday want to turn on us. They’ve become so powerful that with enough bankroll, they can make our politicians look the other way so there’s no way to stop them if we become dependent on their platforms.


cPanel

The instructions below assumes your shared hosting provider adopted cPanel as the account management interface which you have access to.

Like Google, your Gmail (email) account is also your account for a variety of productivity services (contacts, calendar, tasks). You can set it up by logging into cPanel, often https://(your server here)/cpanel.

There are a few naming conventions in cPanel that are different from Google’s ecosystem:

  • Login name is your ENTIRE email address because you can have different domains attached to the same hosting storage so you must enter the domain name after the @ sign for it to tell the accounts apart

Email

In modern times, I’d stick with IMAP for email (which is enabled by default in cPanel). Since Google would like to keep you in their ecosystem as much as possible, IMAP is not enabled by default for Gmail.

Webmail

Web email interface (you have a choice between Horde or RoundCube) is at port 2096. You can access it by

https://{name or IP to the shared host server assigned by your provider}:2096

or

https://{name or IP to the shared host server assigned by your provider}/webmail
(which will redirect you to port 2096 above)

In most cases, your domain name attached to the hosting points to the actual underlying shared hosting server assigned by your provider. I’d prefer not to use the underlying server address/IP because it might change when you move between hosting plans.

Also, per security design, WebMail doesn’t warn you when you enter non-existent email addresses (login). I’ll just silently loop you back to the login page again without explanation if you got any part of the login or password wrong.

DavX5 for calendar/tasks (CalDAV) and contacts (CardDAV)

In Android, calendar and contacts (also known as address book) are stored in a standard place shared by apps that picks them up from the system (email storage is per app, since POP3 and IMAP itself already does things very differently)

The default Calendar/Contacts app made it look like you have to use Google Calendar/Contacts to set up an online account (by default it came with Device/Local and Google accounts as option), but you can inject CalDAV/CardDAV accounts into the Android’s calendar/contacts system with an app called DAVx5.

The App is FREE if you download it from F-droid but costs $5.99 if you download it from Google Play. It’s not a loophole, but the authors want people to move away from Google Play and use F-droid, a Free-and-Open-Source (FOSS) app store.

DAVx5 works in a little unusual way that accounts are NOT added through calendar/contacts app but instead you register your CalDAV/CardDAV accounts, select the folders to sync, SYNC IT, then each sync’ed FOLDER (you hear me right) will show up as standard Android Accounts (just like Google/Samsung Accounts) which will work with any standard Calendar/Contacts app. All management (add/removal) happens in DAVx5.

When you set up an CalDAV/CardDAV account, remember NOT to use the first option “Login with email address”! You must enter the URL which points to Port 2080 of the shared hosting server

If you forget to enter the port number, the account will be set up with CalDAV/WebCAL, without CardDAV!

Select “Groups are separate vCards“:

Help - Davx5 (Davdroid): How do I use the Posteo address book and the  Posteo calendar on Android devices? - posteo.de
https://posteo.de/en/help/synchronising-contacts-and-calendar-entries-with-the-address-book-and-calendar-using-davdroid-android

Basically CardDAV is just a folder storing each contact as VCF (vCARD) file and CalDAV is just a folder storing each event/task as an ICS file. Basically it’s just a primitive HTTP file manager hosted with HTTPS login and apps are supposed to find the folder using a consistent naming scheme.

 1 total views

Freshtomato for Netgear (Nighthawk) R7000

Netgear R7000 supports these major forms of firmware

  • DD-WRT (Powerful, but very messy web interface that are sometimes non-intuitively organized)
  • FreshTomato (Powerful. I wouldn’t say easy to use but mortal souls can understand it)
  • XWRT-Vortex (Easy to use AsusWRT Merlin web interface adapted for non-Asus routers)

There are other forms of Tomato that support R7000 but only FreshTomato is actively maintained as of late 2021.

However updating it from stock firmware to FreshTomato has some model-specific quirks (that you cannot extrapolate from general procedures for other models)

First of all. You cannot update directly to the latest firmware. There’s a bootstrap (intermediate) firmware called INITIAL (usually downloaded from ‘Netgear R-series initial files’ folder) that must be installed (upgraded from stock firmware to) FIRST so the router is ready to accept the latest/full firmware.

Here’s the model specific quirk: the default login/password is non-standard for R7000! It’s not root/admin (unless you press the button to reset the NVRAM)! It’s admin/@newdig!

After logging into the bootstrap/INITIAL freshtomato with the password above, upgrade the firmware to the latest (the one intended) and choose clear NVRAM along the way. The default login/password will be root/admin as standard for freshtomato.

 2 total views

Off the Goolag (1): Android (AOSP)

App Stores

The first thing to worry about after a fresh install is getting the Apps you need. I’d recommend installing all these app stores to start with:

  • F-droid (Only free and open source, privacy-respecting and community verified apps. Some paid apps on Google Play such as DavX and FairMail is free on F-droid to promote it! Note that sometimes the F-droid repository might be a little behind)
  • Aptoide (App writers self-publishes app under community scrutiny, which sometimes let you download geoblocked app. Fairly updated but not as updated as Auora. The apps are not tightly guarded as F-droid)
  • Auora (It’s a proxy to downloading the APK from Google Play store without letting Google track you. It’s anonymous account is international, which makes the search for the basic apps very difficult as it’s seeing a worldwide scope. You can have Auora sign in with a disposable Google account for apps that are relevant to your regions. Remember to disable your Google Play if installed and have Google Play links open with Auora.)

Yalp store is outdated and not actively maintained. Google Play store proxies needs to constantly fight with Google’s changes so they need to be updated frequently. Just stick with Auora for now.

Install Island (Sandboxing apps)

This is the very first app you need to install after you get F-droid or Auora. This app is a must even if your phone is not DeGoogled. A lot of apps asks for more permissions than they actually needed, but sometimes we are stuck with using them (like required at work).

The solution is to create a sandbox (another copy/instance of the app) that has a different space for app data and they cannot see your actual call logs, contact list, photos, etc even if you gave them the permission to do so. It’s called an ‘Island’ and the native space is called ‘Mainland’.

Putting an app in Island (work mode) doesn’t protect you from other access requests such as location, etc. Nonetheless the mainland and island app has their own data space (i.e. you have to configure it twice as if the apps are freshly installed) so they can have two sets of settings and application permissions.

Apps installed through the Island instance of the App Stores / Browsers above will stay in Island mode. Apps installed through Mainland instance of the App Stores will stay in Mainland mode. They are totally separate as intended. You can clone the APK/app between Island and Mainland through the Island App.

Note that some VPN clients will have a split personality (which is a good thing) between Mainland and Island! This means you get to have a group of apps that’s on VPN and a group of apps that’s on the direct network without managing them one by one with split tunneling!

Also note that the Island won’t be able to access external storage like SD cards. It’s by design so that Island apps are trapped in their own virtual space so they cannot snoop around your personal data even if you gave them the permissions (demanded during installation)

Browsers: Brave + DuckDuckGo

DuckDuckGo (sometimes the permissions and default app lunching do not work correctly with it. I use DuckDuckGo first whenever it doesn’t break)

Brave (based on Chromium). Replaces Chrome. It has a chain sync feature that syncs passwords, bookmarks, etc like Google Chrome does but WITHOUT AN ACCOUNT. As long as you have one device with Brave connected to the Internet and you did the steps to match the devices, they will sync up.

Keyboard: MS Swift Keyboard

I speak 5 languages and found Microsoft Swift on screen keyboard having nice IME (Input Method Engine) for all of them and also have an intuitive interface that’s not clumsy to use. I prefer it over Gboard and AOSP that came with LineageOS). I do not log in to Microsoft Swift and share data with them (the petty convenience of sharing the clipboard is just not worth it).

NON-CLOUD based Email client: Fairmail / MailDroid

Email is a huge topic which I’ll discuss in a separate post as it often come as a bundle with contact list, task lists, calendars, and taking notes.

Do NOT use free apps that sends your credentials to the provider‘s BACK-END SERVERS which you don’t own and manage, such as BlueMail if you are doing all these to protect your privacy (you might as well use Google if you do that)! NextCloud is OK as long as you host it.

K-9 mail client is promising but I do not like it implicitly forcing you to log in through Google’s web interface to set it up instead of doing the traditional IMAP setup if you use Gmail.

Fairmail has a lot of extra steps during setup because it let you customize the heck out of it and by default (out of the box), it protects you from tracking images and malicious HTML dingleberries out of the box (which hurts readability).

MailDroid is is supported by in-app advertisements (you can remove ads with Pro version). It’s more intuitive than Fairmail and K-9. It automatically detects Gmail’s IMAP settings (not Google OAuth2 login) correctly, but doesn’t autodetect does not work with namecheap’s cPanel mail while Fairmail does.

I don’t use Aqua Mail because the free version do not allow multiple accounts like MailDroid does.

K-@ Mail feels like Gmail. Support multiple accounts. Also autodetect Gmail IMAP correctly but not cPanel email correctly like Maildroid. IMAP Folders do not work correctly for either Gmail/cPanel (it shows nothing): the folder button (bottom left) shows generic Inbox/Draft/Outbox/Sent/Trash/{Folder list} which do not match the IMAP folders. “Folder list” shows the IMAP folders, but when I clicked on them it shows nothing.

Just because of the non-working IMAP folders, I chose to not use K-@ Mail and stick with MailDroid.

I personally like Fairmail because the interface wastes no visual space showing all my IMAP folders. MailDroid is visually pleasing but the folder panel took up too much white space and I cannot tuck away the special (local) folders in the side panel.

Chat: Signal, VoIP: Telegram

Fascist book now requires data sharing with Whatsapp, so people in Hong Kong who don’t trust the fascist Chinese Communist Party regime is dropping it like a hot potato.

Signal App do not keep a master key on your message (if you lose the key, you lock yourself out and there’s no recovery) and is my preferred app for chat. Although Telegram’s owner has a good track record of protecting political dissidents (that’s why it was used in 2019 Hong Kong Protests), it’s not fully open source and the owner still has the master key. Telegram is still way better than Whatsapp but for full privacy I stick with Signal App.

Signal App’s voice over IP is a little weak and it can break up easily on spotty network connection. Telegram is much better in terms of voice quality so I basically use Telegram as a VoIP phone and leave the chats to Signal.

 4 total views

Off the Goolag Applelago! (0) – Introduction

Privacy: detaching identity (fingerprinting) from activities!

The new idea of privacy is not hiding what you normally do (legal) perfectly, but to make it difficult for automation to uniquely identify and match you so your habit doesn’t get observed and stereotyped. For example, I love fried chicken and watermelon, but I don’t want to see advertisements for malt liquor.

Apple’s ecosystem is tightly controlled, so the uniqueness is guaranteed. If you use Apple products, you are totally at the mercy of Apple Inc AND their employees (whom you didn’t hire) honoring their legal, contractual and moral obligations. It’s by design: Apple limits what you can do within their imaginations so they can limit the scope of what kinds of thing that can possibly go wrong. The side effect is customers are giving away their freedoms to authoritarians for convenience and promised protections.

Therefore my exploration of escaping the Goolag Applelago do not consider Apple products. They can turn into Chinese Communist Party dictatorship at a flip of a switch when they’ve became so powerful that they are above law. Given how they bankroll the lobbyists and how close they are to ChiCom/CCP, it’s a more realistic threat than most think.

Operating system: AOSP

I don’t have a Pixel so I cannot try CalyxOS and GrapheneOS. For usability, it’s most practical to have Android-Open Source Projects builds that does not contain proprietary Google apps. Many proprietary Google services are built in stock ROM, so these AOSP builds either remove them or replace them with MicroG (which do not track users) so apps that depends on the proprietary Google Play Services will still run.

So far I’ve tried these OS that supports a wide range of old phones:

I’m least impressed by the performance of /e/. It’s very laggy compared to the rest to the extent it’s close to the Stock ROM. The concept is good that it tries to have a tightly integrated user experience (including Cloud) to replace Google’s ecosystem, but the apps that came out of the box is primitive. “Apps” is a nice package installer that gives a bit more access to common apps that’s a little less than Auora OSS (but easier to find) and a lot more than F-droid. That’s the only good thing I can say about it for now.

NanoDroid came with a lot of well-designed, excellent privacy-respecting open source apps that is eye opening (I’ll discuss it in later posts). They have a few more apps pre-installed than what I wanted, so I went with LineageOS + microG so I can pick-and-choose my apps.

The official LineageOS comes without these Google’s proprietary infrastructure, so either you install proprietary Gapps through TWRP (one of the universal bootloaders to install LineageOS and the like), which defeats DeGoogling, or painfully install microG on top of it. I decided to go with the latter.

The phone works A LOT FASTER (fluid user experience) with LineageOS than the bloated crap that came with Stock ROM.

WARNING: Things to watch out while mucking with Android OS upgrades/changes

Absolutely back up your files (apps, photos, videos, downloads, settings, etc) to external drive or cloud storage first! Do NOT trust any of the doc that your OS might work after an ‘upgrade’. It doesn’t. The AOSP builders did not spend much time thinking of migration issues (these are boring thankless menial work that nobody wants to do it for free, so don’t get your hopes up).

You MUST ALWAYS assume that you’ll have to factory reset your device, which I recently learned the hard way by losing data because I formatted the SD card as internal storage (called adoptable storage) in LineageOS 15.1 then unwittingly deleted the encryption key to the SD card while factory resetting the device because the /data and /system partitions are not in a compatible state with the new 18.1 (or even 16.0)!

Some maintainers are not very fond of adoptable storage so they don’t put much thought into it hoping it’ll go away. Adoptable storage a useful feature but it’s full of traps (fragile) so it’s best to avoid it altogether unless you swear to not upgrade your LineageOS and assume the SD card will live and die with the device.

 6 total views

DBeaver connecting to MySQL in Namecheap Shared Hosting

Namecheap already provided instructions to connect MySQL Workbench client for its shared hosting, which involves SSH-tunneling because they disallowed direct MySQL connection out of security concerns.

So here’s basically the logistics:

  1. SSH to your namecheap hostname (can use your domain name) at SSH port 21098
  2. Tunnel listens to Port 5522 and forward it to localhost (the client itself) at MySQL Port 3306
  3. Instead of connecting directly to the {namecheap shared hosting server}:3306, connect to the localhost:3306

It’s a little confusing on how to do it on DBeaver because “Advanced settings” is hidden by default which you will need. The name ‘local client’ (source) vs ‘remote’ (destination) in the dialog box is confusing. It’s actually equivalent to

ssh -L ["Local host":]"Local port":"Remote host":"Remote port"
ssh -L [bind_address:]port:host:hostport

bind_address can be left blank. If you are paranoid and don’t want other machines to use your current MySQL client machine as a gateway (they tunnel into your machine to use the tunnel you are currently establishing), set (aka bind) it to localhost, or you can bind it to the client’s network adapter’s IP which you want to allow machines on a trusted network to use this MySQL client computer as a gateway.

For some reason (I suspect it’s IPv6), “Remote host” needs to be set to the loopback adapter 127.0.0.1 (cannot use the special hostname ‘localhost‘).

Remember MySQL’s username and password is the special database-only login credentials you created at cPanel.

 6 total views

Get myself comfortable with Raspberry Pi

I2C is disabled by default. Use raspi-config to enable it. Editing config file /boot/config.txt directly might not work

Locale & Keyboard (105 keys) defaults to UK out of the box. Shift+3 “#” (hash) sign became “£” pound sign. Use raspi-config to change the keyboard.

It reads random garbage partitions for MFT assigned to FAT16 drives. Just use FAT32

USB drives does not automount by default. usbmount is messy as it creates dummy /media/usb[0-7] folders. Do this instead.

 11 total views

Evoluent Vertical Mouse 4 Cable Mod

The mouse cable for Evoluent Vertical Mouse 4 is extremely long, which creates a lot of clutters especially when my keyboard has a USB hub relay built in (it’s the mouse is less than a feet away from it). Instead of splicing the cable, which creates a hard junction that’s not flexible, I modified the mouse to take a micro-USB cable instead.

 10 total views

Flashing router firmware through Serial Port: CFE bootloader (usually Broadcom) based routers

Here’s a summary of learnings from dd-wrt’s serial recovery instructions:

  1. Use a UART controller that signals at 3.3V (e.g. FTDI TTL-232R-3V3) to talk to the board. Regular serial RS-232 ports requires a voltage level shifter converting the signal to swing between 0V to 3.3V.
  2. You only need 3 pins: Tx, Rx and Ground. There’s voltage contention if you plug in the Vcc from TTL-232R-3V3 (It’s the USB’s 5V despite the signaling is 3.3V) to the 3.3V supply of the router. You don’t need the Vcc pin. It didn’t harm anything or do anything when I connected the Vcc pin.
  3. Stick with all serial port defaults and only set the baud to 115200 (default is 9600) and turn off flow control (default is xon/xoff). I use Putty for terminal.
  4. The terminal serves as the monitor for the computer on the router that shows a text console. Broadcom uses CFE bootloader (others use U-Boot with busybox).
  5. CFE bootloader defaults to 192.168.1.1 with subnet mask 255.255.255.0 (aka /24). Set up the network interface to have a static IP on the same subnet to talk to the board.
  6. Good habit: nvram erase
  7. The flash program relies on TFTP protocol to receive the firmware file. So get your TFTP client ready. Microsoft included a TFTP client/server since Windows 7 but usually disabled (turn it on in Windows OptionalFeatures.exe).
  8. TFTP is a simple push(put)/pull(get) design. You can either “push a file on your computer” or “get a file as filename”. You’d want to specify -i switch (binary image transfer) with Windows tftp.exe.
  9. So type this command at the command prompt but don not press enter until your router is ready to grab the file: tftp -i 192.168.1.1 put {path to whatever TRX firmware file}
  10. Go back to the serial terminal and tell the router to accept a TFTP push (in a window of a few seconds before it time out) and flash the memory region flash1.trx with this command: flash -ctheader : flash1.trx
  11. Immediately initiate the TFTP push from your computer (Windows command line example in Step #9 above)
  12. Wait for a couple of hours! The terminal might tell you that it has received the file completely, but it won’t show anything when it’s writing to the flash! It’s a painfully slow process with no feedback. Just be patient!

Some observations

  • FreshTomato firmware absolutely won’t tell you on the screen after it has done flashing (Merlin-WRT does). Just turn the router back on after a couple of hours.
  • Merlin firmware repeats (exposes) the raw passwords to the serial port!
  • FreshTomato firmware boots to a linux prompt on the serial port

 26 total views,  1 views today