Grey Panthers Savannah
https://grey-panther.net
Mon, 07 Oct 2024 05:51:27 +0000

Quick notes about installing GNU/Linux on an Asus Chromebook 4
https://grey-panther.net/2024/10/quick-notes-about-installing-gnu-linux-on-an-asus-chromebook-4.html
Mon, 07 Oct 2024 05:47:25 +0000

Many have said it and I have to agree: don’t get a Chromebook as “a nice small PC”. They ain’t. Just some problems I ran across:

  • Installing anything other than ChromeOS on it requires complex fiddling (including reflashing parts of the firmware from “some random website” on the internet) which may void your warranty and has a non-trivial chance to brick your box
  • With all the respect to the people creating the custom firmware: it’s a hobby for them, and it shows (again, it’s a great thing they are doing, just setting expectations here). For example, I can’t set a BIOS password. Also, even though SecureBoot is half-working (as in, when it’s enabled, it refuses to run MemTest because it’s “unsigned”), Ubuntu still can’t use the TPM to encrypt the disk.
  • Finally, the hardware support is probably less than stellar. For example I couldn’t get HDMI audio out to work. It may be related to the driver (here is a tweak I didn’t try yet) or I might need to get an HDMI audio injector (or two). Oh, and the Ubuntu install just managed to corrupt itself. I didn’t have time yet to do a reinstall and try diagnosing it…

That said, here are the cliff-notes:

  • Enable developer mode – this will wipe your device!!
  • Shut down the machine. Disassemble it (here is my iFixit guide showing how to) and carefully short the write protection jumpers, as shown here: https://docs.mrchromebox.tech/images/wp/Duffy_wp_jumper.png
    • Make sure that the paperclip is not pushed through too much, such that it shorts to the metal shield on the bottom
    • This is also a good opportunity to do any SSD/RAM upgrade you might want to do. If you upgrade the SSD, you first need to use a recovery stick (see my iFixit guide).
    • The “remove the battery” mode didn’t work for me. Plus, the battery holder is very flimsy and easy to break! (ask how I know :/)
    • As written in the guide, you can use a USB-C (laptop) charger to temporarily power the box while it’s opened up to make the setup less awkward (because the 19V input jack is on the upper panel you just removed)
  • Boot up in developer mode, log in
  • Now switch to the second terminal (Ctrl+Alt+F2), login with “chronos” as instructed (doesn’t need a password). Using Ctrl+Alt+T to launch a shell does not work! It will give an error when trying to use sudo:
    The “no new privileges” flag is set, which prevents sudo from running as root.
    If sudo is running in a container, you may need to adjust the container configuration to disable the flag.

    Use the second terminal! (Ctrl+Alt+F2)
  • Run the commands:
    cd
    curl -LO mrchromebox.tech/firmware-util.sh
    sudo install -Dt /usr/local/bin -m 755 firmware-util.sh
    sudo firmware-util.sh
  • Yes, we need to download random scripts from the internet to make this work :(. Yes, the shell script really needs to be copied to /usr/local/bin, we can’t run it from the home directory, even if we try to set the executable bit.
  • Choose option 2 (“Install/Update UEFI (Full ROM) Firmware”). On the first run it will talk about disabling software write protect and ask you to reboot. Do so.
  • After rebooting, log in. Even though you’re able to enter the second terminal (Ctrl+Alt+F2) without logging in, you won’t see the install script! Have a USB stick ready to back up the original firmware. Confirm that you can see it in ChromeOS before switching to the terminal.
  • Switch to the terminal (Ctrl+Alt+F2). Login as “chronos”. Run the install script again (sudo firmware-util.sh) and choose option 2 (“Install/Update UEFI (Full ROM) Firmware”).
  • This time it should run to the end and reboot your box. You can now remove the short on the write-protect pins and re-assemble your chromebox.
  • Now you should be able to use a USB stick to install your GNU/Linux distribution of choice. If the box doesn’t seem to want to boot from the USB stick, even after adjusting the boot order, select the “Boot options” (or something similar, I’m writing this from memory – it’s the first menu option) and select the USB stick directly.

That’s it folks!

First guide on iFixit
https://grey-panther.net/2024/09/first-guide-on-ifixit.html
Sun, 15 Sep 2024 02:44:06 +0000

I wrote my first iFixit guide: Lenovo IdeaPad 530S-14IKB Keyboard / touchpad assembly Replacement. It was moderately difficult (adding images is somewhat unintuitive and slow – you have to click on the image again after you uploaded it and there is no visual clue to indicate that that’s what you need to do), but manageable. May it be useful to somebody!

kurzgesagt – trust but verify
https://grey-panther.net/2024/09/kurzgesagt-trust-but-verify.html
Sat, 07 Sep 2024 13:39:26 +0000

Back in January Kurzgesagt announced that they’re doing a sale because they’ll be moving warehouses (see the announcement on Archive.org). This led me to ask “is that really happening or is this just a marketing ploy to drive sales”?

So, I did a small experiment by purchasing something from the shop back in January and then again in August, to see if they will be shipped from different addresses. And I’m happy to report that, indeed, they shipped from different addresses, making it highly likely that “we’re changing warehouses” is the truth.

  • shipper address in January:
  • shipper address in August:

So, that’s nice. They also seem to be working on a world building game (link, Steam link), which is planned to come out next year (in ’25). Sounds interesting!

Introducing Quantum Theory: A Graphic Guide to Science’s Most Puzzling Discovery
https://grey-panther.net/2024/04/introducing-quantum-theory-a-graphic-guide-to-sciences-most-puzzling-discovery.html
Sun, 07 Apr 2024 12:43:06 +0000

I found the “graphic guide” book concept intriguing, yet reading through multiple of them, I felt like they are more directories – pointers for further readings – rather than something I could use – while having little idea about the subject – as an introduction or overview into the subject.

This idea was further strengthened by Introducing Quantum Theory: A Graphic Guide to Science’s Most Puzzling Discovery. This one I found rather enjoyable and I think it gives a bit more of a “human” face to the quantum theory – but also, I already had basic notions of physics.

Email setup
https://grey-panther.net/2023/07/email-setup.html
Sun, 16 Jul 2023 18:33:07 +0000

I have a couple of goals for my email setup:

  • It should be reliable
  • It should help protect my privacy by:
    • not unnecessarily exposing the contents of my discussions*
    • allowing aliases to prevent easy cross-correlation between different sites**
  • Managing aliases should be easy
    • It should be easy to set up new aliases (possibly with a “catch-all” address, where all emails for the domain go)
    • Replying from an alias should be easy (or at least possible)

Which leads me to my current setup: use simplelogin.io from Proton with a fallback to Cloudflare Email Routing.

Advantages of this setup

  • Both Proton and Cloudflare are trusted companies (though this can be subjective, but I certainly rank them higher than the FAANGs)
  • The simplelogin software stack is open source, which means that it’s better audited and theoretically I could run it on my own if it makes sense
  • Both providers promise to only forward, never store your email
  • Simplelogin also provides some generic domains, which means that I can hide even more “in the crowd”, by using those generic domains when creating low-value accounts
  • Replying through a simplelogin account is simple (you “just reply” to the email), though it has some funkiness to it (simplelogin rewrites the email address to “man in the middle” the communication to achieve this – then again, it also includes the original email address in a custom email header)
  • Simplelogin has some advanced features (like “send email from this address to multiple recipients”) that can be useful for families for example (where both parents want to get the communication from the school)
  • Simplelogin also has Bitwarden integration

Details of the setup

The description of the setup is probably shorter than the list of advantages, which is probably a good thing 🙂

  • Get a domain and “link it” to Cloudflare (aka. point the nameservers to the Cloudflare ones)
    • I’m assuming here that you already have a Cloudflare account
    • I’m also assuming here that you want to have a custom domain. If not, and you just want to use the domains provided by Simplelogin, just create an account with them, done
    • Since I would like to separate my (little bit public) persona from my private persona (ie. why should Amazon know that the person ordering a book from them also runs a blog?), I also have a secondary, more private domain set up this way, in addition to grey-panther.net.
  • Enable Cloudflare “Email Routing” for your domain
  • Enable “Catch-all” for Cloudflare Email Routing and configure it to send to the preferred email address
    • Remember that this is just a fallback / backup solution, normally emails wouldn’t be routed here
  • Enable DMARC in Cloudflare to get some reports about bouncing emails. Alternatively you can use a third-party DMARC service like easydmarc.com to get periodic reports about potential email problems
  • Now go to your Simplelogin account and start setting up the domain
  • To set the MX records for the domain, you’ll need to go to Email > Email Routing > Settings in Cloudflare and click on “Start disabling”
    • Click “Unlock and keep DNS records”! This will allow us to use the Cloudflare email servers as backups later
  • Now continue with the Simplelogin DNS setup
    • Since the Simplelogin MX servers are added with priority “10” and “20” respectively, it means senders will generally prefer them and only fall back to Cloudflare if the simplelogin servers are not available
    • After you finish the setup of the domain in Simplelogin, you probably want to go to said domain > settings in Simplelogin and enable “Auto create/on the fly alias” (Catch-all)
  • Now we want to do a bit more tweaking to the DNS entries in Cloudflare:
    • We should update the SPF record to: v=spf1 include:simplelogin.co include:_spf.mx.cloudflare.net -all
    • (this allows Cloudflare to also forward emails when it acts as a fallback email server. Also, this says that emails for the domain not coming from the enumerated set of servers should be dropped. If you want to be less strict, you can use “~all” instead of “-all”. You can use tools like the SPF Record analyzer to double check that the SPF record is well formed)
    • Update the _dmarc record if you want to use EasyDMARC.com as instructed by the site. You probably want to set “p=reject” here.

That’s it! Here again are the relevant DNS records for grey-panther.net:

;; CNAME Records
dkim02._domainkey.grey-panther.net. 1 IN CNAME dkim02._domainkey.simplelogin.co.
dkim03._domainkey.grey-panther.net. 1 IN CNAME dkim03._domainkey.simplelogin.co.
dkim._domainkey.grey-panther.net. 1 IN CNAME dkim._domainkey.simplelogin.co.

;; MX Records
grey-panther.net. 1 IN MX 20 mx2.simplelogin.co.
grey-panther.net. 1 IN MX 10 mx1.simplelogin.co.
grey-panther.net. 1 IN MX 147 amir.mx.cloudflare.net.
grey-panther.net. 1 IN MX 119 linda.mx.cloudflare.net.
grey-panther.net. 1 IN MX 163 isaac.mx.cloudflare.net.

;; TXT Records
_dmarc.grey-panther.net. 1 IN TXT "v=DMARC1;p=reject;rua=mailto:[email protected];ruf=mailto:[email protected];fo=1;"
grey-panther.net. 1 IN TXT "v=spf1 include:simplelogin.co include:_spf.mx.cloudflare.net include:sites.nearlyfreespeech.net -all"
grey-panther.net. 1 IN TXT "sl-verification=xznetmbmfgmkinlnopzlakneigjhzk"
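
The properties this layout depends on (Simplelogin MX preferred over the Cloudflare fallback, both forwarders listed in SPF, an enforcing DMARC policy) can be checked mechanically. The following is an added example, not part of the original post: the function names and `WEAK_ZONE` are constructed for illustration, and the DMARC report mailbox is a placeholder because the page redacts the real one.

```python
import re

# Records copied from the post; the DMARC report address is redacted on the
# page, so the mailbox below is a constructed placeholder.
ZONE = '''\
;; MX Records
grey-panther.net. 1 IN MX 20 mx2.simplelogin.co.
grey-panther.net. 1 IN MX 10 mx1.simplelogin.co.
grey-panther.net. 1 IN MX 147 amir.mx.cloudflare.net.
grey-panther.net. 1 IN MX 119 linda.mx.cloudflare.net.
grey-panther.net. 1 IN MX 163 isaac.mx.cloudflare.net.
_dmarc.grey-panther.net. 1 IN TXT "v=DMARC1;p=reject;rua=mailto:reports@example.invalid;fo=1;"
grey-panther.net. 1 IN TXT "v=spf1 include:simplelogin.co include:_spf.mx.cloudflare.net include:sites.nearlyfreespeech.net -all"
'''

# Constructed misconfiguration: the fallback outranks the primary, SPF forgets
# the fallback forwarder and has no terminal "all", DMARC only monitors.
WEAK_ZONE = '''\
example.test. 1 IN MX 10 mx1.simplelogin.co.
example.test. 1 IN MX 5 amir.mx.cloudflare.net.
_dmarc.example.test. 1 IN TXT "v=DMARC1;p=none;"
example.test. 1 IN TXT "v=spf1 include:simplelogin.co"
'''

def parse_zone(text):
    """Return (owner, type, rdata) tuples from 'name ttl IN type rdata' lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # skip blanks and ';;' section comments
        m = re.match(r'(\S+)\s+\d+\s+IN\s+(\S+)\s+(.*)$', line)
        if m:
            rdata = m.group(3).strip().strip('"')
            records.append((m.group(1).lower(), m.group(2).upper(), rdata))
    return records

def audit(text, domain, primary="simplelogin.co", fallback="mx.cloudflare.net",
          spf_includes=("simplelogin.co", "_spf.mx.cloudflare.net")):
    """Return a list of findings; an empty list means the layout matches the post."""
    apex, findings = domain.rstrip(".").lower() + ".", []
    recs = parse_zone(text)
    mx = []
    for owner, rtype, rdata in recs:
        if owner == apex and rtype == "MX":
            pref, host = rdata.split()
            mx.append((int(pref), host.rstrip(".").lower()))
    prim = [p for p, h in mx if h.endswith(primary)]
    fall = [p for p, h in mx if h.endswith(fallback)]
    if not prim:
        findings.append("no primary MX")
    elif fall and min(fall) <= max(prim):
        # Senders try the lowest preference value first.
        findings.append("fallback MX is not ranked below every primary MX")
    spf = [r for o, t, r in recs
           if o == apex and t == "TXT" and r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        findings.append("expected exactly one SPF record, found %d" % len(spf))
    else:
        terms = spf[0].lower().split()[1:]
        for inc in spf_includes:
            if "include:" + inc not in terms:
                findings.append("SPF does not include " + inc)
        if not terms or terms[-1] not in ("-all", "~all"):
            findings.append("SPF does not end in -all or ~all")
    dmarc = [r for o, t, r in recs if o == "_dmarc." + apex and t == "TXT"]
    tags = {}
    if dmarc:
        tags = dict(kv.strip().split("=", 1) for kv in dmarc[0].split(";") if "=" in kv)
    if tags.get("p") not in ("reject", "quarantine"):
        findings.append("DMARC policy is %s" % tags.get("p", "missing"))
    return findings

if __name__ == "__main__":
    print(audit(ZONE, "grey-panther.net"))   # layout from the post
    print(audit(WEAK_ZONE, "example.test"))  # constructed weak layout
```
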

Who can spy on me? (aka. threat model)

Nothing is perfect, and I’m enabling quite some people to spy on me in the worst case:

  • Both Proton and Cloudflare can decide to log my emails
    • Although Cloudflare is only a “low priority backup server” in this setup, if we assume that they are acting maliciously (or somebody took control of my Cloudflare account), they can remove the Simplelogin MX records and force email to be forwarded to whatever system they control.
  • If the hardware that runs Proton / Cloudflare services is compromised, I have the same problem
    • Although, hopefully, I’m too small of a fish for somebody who pulls that off to target me specifically (this goes back to “hiding between all the people”)
  • My domain registrar (or somebody who gets access to my account there) can decide to repoint my domain to different nameservers that serve different MX records
    • Not too much to do – just have complex passwords, 2FA and hope that the security of the registry / registrar is good enough
  • The final destination of the emails
    • I host the final address everything is forwarded to in the cloud, so that means that the specific cloud provider also has access to everything. I could use a different solution, but for now the sync-in between devices is just too convenient…

Alternatives considered

  • Self hosting email infrastructure
    • This would have given me the ultimate flexibility, but it would have also tasked me with monitoring and updating the service
  • Using a “catch all” email address with Google Workspace / Google Apps / whatever it’s called this week
    • It’s not all too difficult to set up
    • However, it requires a separate Workspace account that doesn’t work well with many other Google products
  • Migadu
    • Run out of Switzerland, just like Simplelogin/Proton
    • Can pay for it, just like Proton, to hopefully ensure that they’re around longer
    • However less well known, so I don’t feel like I have a good insight into “how they tick”
    • They’re more a “let’s make email hosting simple” kind of company, rather than focusing on privacy, which means they don’t provide additional “generally used” domains (which could be used to better hide in the crowd)

* Yes, unencrypted email can be considered mostly public anyway – still, basic security precautions like making sure that your email server speaks SSL/TLS for incoming and outgoing emails are useful.

** So, if I sign up with [email protected] for two different sites, it’s easy to conclude that it’s one person who owns both accounts. However if I use [email protected] for one site and [email protected] for the other, it’s much less clear that there is the same person behind them.

Remembering the OG ad/malware blocking hosts file
https://grey-panther.net/2022/09/remembering-the-og-ad-malware-blocking-hosts-file.html
Tue, 06 Sep 2022 12:53:44 +0000

For the longest time the first thing which I installed on new computers / computers I was asked to “help with” was the MVP hosts file (archive.org link). I credit this file with keeping many, many computers safe and running the way their owners intended for almost two decades now.

Sadly it seems like the maintainer might have passed sometime last year (or is at least gravely ill). From the page:

Folks … sorry for the delay (again) in getting out an update … just got out of the Hospital … I now have some severe health issues to deal with (complete Kidney failure … need a Kidney transplant) plus another operation … large needles inserted into my spine …however I will try to better maintain the MVPS HOSTS file. Well just got back from Hospital again (excessive water in lungs)

If you could … please consider a donation. Thanks to all that contributed … every little bit helps.

https://winhelp2002.mvps.org/hosts.htm (archive.org link)

So, I donated – may it be of some use to them / their family! And I encourage you to do the same if you benefited from this great file!

As for alternatives, there are several good ones:

  • I now use nextdns.io on the machines/mobile devices I maintain
  • pi-hole is also an alternative
  • Specifically for Windows, HostsMan is a good software to manage/update hosts files
  • Browser plugins like uBlockOrigin are also very useful

For the last decade it has been the case – and continues to be the case in my opinion – that ad/tracker blocking is the single most effective way to keep devices from being infected with all kinds of malware (and, it generally makes web browsing faster!)

Oracle cloud
https://grey-panther.net/2022/07/oracle-cloud.html
Sun, 24 Jul 2022 17:12:54 +0000

As they say – people don’t use Oracle because the IT department chose it :). This is also probably true for their cloud offering :). Just off the top of my head:

  • Arcane login procedure
    • that doesn’t support 2FA
    • that prompts you to change your (randomly generated, high entropy, kept in a password manager) password, even though the NIST has recommended against this practice for many years
    • which fails to actually log you out (!) – discovered this when I was trying to verify that my updated password worked
  • Machine console sometimes works and sometimes doesn’t
  • Arcane procedure to attach disks to VMs (to be fair: they show the commands in a popup window)
    • And even with these commands one can’t switch the boot disk of a given VM

They have a generous amount of free credit, but I wouldn’t recommend them for production use.

Useful Cloudflare infos
https://grey-panther.net/2022/07/useful-cloudflare-infos.html
Sun, 24 Jul 2022 13:30:35 +0000

Trying to set up CloudFlare Access and it seems that some information is hard to find:

  • The tunnel communicates over 7844/udp (important in case you want/have a restrictive firewall and/or your cloud provider requires you to configure the node-independent firewall)
  • The authenticated user is specified by the Cf-Access-Authenticated-User-Email header. Other useful headers can be Cf-Connecting-Ip or Cf-Ipcountry.
  • To link the authentication with the tunnel you desire, simply configure the “Self-hosted application” on the same (sub)domain as the tunnel.
A fresh start with… WordPress :)
https://grey-panther.net/2022/05/a-fresh-start-with-wordpress.html
Sun, 15 May 2022 13:41:32 +0000

In 2016 I wrote A fresh start with Pelican. And now, 6 years later I’m writing this. Lots has changed since then and lots has stayed the same. It still fills me with joy writing texts that may be useful to somebody.

So, what’s to like about WordPress? For one, it can do blogs (and websites in general – so I don’t have to keep up with the latest (micro)formats and trust that it handles them reasonably well) and for most usual things (like code highlighting), there are well supported plugins. It’s also F/LOSS software and portable – I must say I quite liked the interview with Matt on FLOSS Weekly.

Another big thing is that it supports comments – something which static websites generally don’t and the alternatives (like Disqus) don’t respect users’ privacy at the level I would like them to.

So type away your comments! (also, if you’re on the feedburner feed, please switch over to https://grey-panther.net/feed, because who knows how long the former will be around!).

But there are also a couple of things not to like about WordPress – for one, using it, I’m painting a big target on my back (lots of WordPress sites are getting hacked every day). I do believe that I’ve taken reasonable precautions against this (stay tuned for a description on how this is set up!), but it’s a risk.

Also, running dynamic websites is not free (though not astronomically expensive either). My main worry around this is that if I become incapacitated for a longer time, this content will disappear (and one big reason for me starting up writing the blog again is to have a documentation for my family for such cases – so that they can get technical help to access – and maintain if they wish to – all the digital trinkets I’m creating). Also stay tuned about my plans around this problem, but the short version is that I’m planning to mirror the content periodically to several “free” providers and hope that at least one of the mirrors will be around long enough.

Until the next time!

Image credits to rawpixel.com through PxHere.

An interesting proof for Pythagoras’s theorem
https://grey-panther.net/2017/01/an-interesting-proof-for-pythagorass-theorem.html
Thu, 05 Jan 2017 07:06:00 +0000

I recently saw an interesting proof for Pythagoras’s theorem in the MathHistory series which I wanted to share with y’all 🙂

So a quick reminder, Pythagoras’s theorem says that if we have a right-angle (90 degree) triangle, then there is the following relation between the length of the sides:

a = sqrt(b^2 + c^2) (where a is the length of the longest side) – and vice-versa.

The proof goes like this: let’s rewrite the formula like a^2 = b^2 + c^2. We can interpret this geometrically as: (for a right-angled triangle) the area of the square constructed on the longer side is equal to the sum of the areas of the two squares constructed on the shorter sides.

And now the proof goes as follows:

  • consider a right angled triangle
  • "clone" it 4 times and put it together such that the longer sides form a square. Now the area of the inner square is a^2 while the area of the big square is a^2 + 4*At (At is the area of a triangle)
  • rearrange the triangles as shown. The outer square is still of the same size (the length of its side – b+c – is the same) but now it can be written as b^2 + c^2 + 4*At. Hence a^2 + 4*At = b^2 + c^2 + 4*At which can be simplified to a^2 = b^2 + c^2, or if you prefer to a = sqrt(b^2 + c^2).

I only had one nagging feeling after seeing this proof – how do we know that the first big square constructed is actually a square. Can’t it be that its "edges" are not lines, but slightly crooked like below?

Fortunately we can use the fact that the angles in a triangle add up to 180 degrees (ie. a straight line) and show that the sides of the external square are indeed straight lines:
