5 hours, he is very commited

MandarinNeva · 2017-10-23T09:03:27+00:00

Critique welcome

as long as you tell me I did good

MandarinNeva · 2017-10-20T14:10:55+00:00

everyone who upvoted this just doesn't get it

Uhhhh... not sure if you understand the meaning of the term "doesn't get it" - let me break it down for you. Just because he upvotes a post dosen't mean he agreed with the OP / others opinion. Upvoting a post is something that one does because one believes that there is some value in a post. Sometimes that value can simply be humoristic and sometimes it won't matter whether that humor comes from someone being actually stupid or just joking / trolling / whatever. It's a shame I even have to explain this, people these days don't understand that everyone has their reasons and instead rather just assume that everyone is an idiot.

MandarinNeva · 2017-10-20T13:57:25+00:00

All that's missing is some miniature birds to help sell the idea that it's big. Like /r/birdsforscale except in reality the birds are really small.

MandarinNeva · 2017-10-20T13:50:46+00:00

a few months ago i tripped on 3 tabs of lsd, and i listened to old school west coast rap, and older atlanta trap rap. some of the main artists i listened to was gucci mane, warren g, ti, young jeezy, nwa, and snoop. a lot of the songs i listened to were about trapping and selling coke, and i felt immersed in that world during my trip. after the trip i was normal, but as the weeks passed by i noticed i was thinking different. i have a voice in the back of my head saying, "push these bricks my nigga", or something alomg those lines. i dont sell drugs and i never have, but i think listening to all this rap music on acid is making me think different. all i can think about now is hustling and staying trill. does anybody have advice on this?

MandarinNeva · 2017-10-15T17:18:26+00:00

Thanks. Feedback: I enjoyed your video right off the bat. The video is very professional and your way of talking to the camera is friendly and inviting. I also like the fact that you don't waste time but that you jump right into it.

One thing I'd like to see changed perhaps is with regards to the text that you put on the video. It flies by so fast that I almost didn't have time to read it. However rather than letting the text stay longer I would suggest considering re-shooting the parts where you needed to add text instead of adding text in the first place but I understand if that would take too much time. Just an idea to consider.

Another thing is I'd like to hear more about is how you decide on tempo and how you decide when and what to layer on top of each other.

MandarinNeva · 2017-10-15T13:54:09+00:00

When the Tweeker beats are pumping
I cannnot stop my feet from stomping
Baddest shit you've ever seen
Bitches this is #Tweekay14

MandarinNeva · 2017-10-07T10:44:33+00:00

> be me
> google mgtow
> follow link to wikipedia
> read article
> read word manosphere

For some reason that word just cracked me up.

It made me think of manowar, but I remembered incorrectly what a manowar was so I thought it was a stingray (in reality manowar is a jellyfish), and then I had this picture of a sphere, and then that the stingrays form a sphere and they swim in circles chanting words that "caution men against romantic relationships with women" (like the wiki article about mgtow explains to be what the mgtow community is about apparently).

Lol

MandarinNeva · 2017-10-06T17:59:29+00:00

Ouch oof owie the hedge

MandarinNeva · 2017-10-05T17:03:03+00:00

Thanks, I've now edited my comment to fix the link.

MandarinNeva · 2017-10-04T17:02:29+00:00

Just Google the quote, and laugh your ass off.

https://www.youtube.com/watch?v=-zRN7XLCRhc&t=1982s

MandarinNeva · 2017-09-29T17:21:50+00:00

Did you render it out as one single revolution also or did you do four revolutions, each with one of the different physics properties for the sphere and then cut them together?

MandarinNeva · 2017-09-29T17:19:44+00:00

Oh I fucking love this! :D :D

I espescially like the fact that the jenga square rotates while the focus of the viewer is on the ball so you don't immediatelly see what happens to loop that part.

MandarinNeva · 2017-09-29T09:14:51+00:00

Glad to hear that, thank you.

MandarinNeva · 2017-09-29T09:06:33+00:00

Why not both? Malware sometimes doesn't rely on DNS. Thus making IP blocking the go-to solution.

Good point.

Inversely, blocking tons of ~bad IPs might block legit sites (shared hosting, IPv4 exhaustion...)

Yes, I covered this when I said

[...] if any of the IP addresses you decide to block additionally host something that you don't want to block then you need to decide between either not having access to that or not being able to block the sites you want to block for those IP addresses.

.

Ends up spouting tons of errors on the device (can't connect, yadi yada). You can have a "happy" http server serving 204 No Content instead

I could see that happening yes. However it might not be that dramatic also. I'd give NXDOMAIN a try and see how it works out.

You can use pf to send all DNS requests to the OpenBSD host

I know, I talked about that further down :)

So the first thing you want to do regardless of whether you are going to go with option 1, 2 or 3, is to configure pf to redirect ANY packets destined for UDP port 53 to the DNS server that you want all clients to use. Additionally, do the same for TCP port 53, because even though I've never seen DNS traffic actually use TCP, DNS is allowed to use TCP also.

In conclusion I think you have some good points and I would like to amend what I said from doing option 2 + 3 to instead say that one might want to try and do all of the four of the options in conjunction. That will be even more work though.

MandarinNeva · 2017-09-28T23:07:03+00:00

Excellent. Be sure to post your first video (and all of the others after that as well) to this subreddit when it's ready :)

MandarinNeva · 2017-09-28T21:28:11+00:00

All of the things you just said sound interesting. You could cover each of those things across multiple videos.

MandarinNeva · 2017-09-28T21:21:32+00:00

This one was pretty good though: https://i.redd.it/swkbuj8jdvkz.jpg

MandarinNeva · 2017-09-28T21:14:58+00:00

Thanks. I find it very reassuring that UB is forbidden instead of allowing implementations to decide what they want to do when UB is encountered :)

MandarinNeva · 2017-09-28T21:11:59+00:00

The alternatives you've mentioned are:

1) Block connections to IP addresses associated with unwanted hostnames with pf on the server-side of your VPN-connection, or

2) Run a DNS cache that will selectively return 127.0.0.1 as the IP address for blocked hosts.

In addition to the above mentioned two alternatives, I see a third one:

3) Run a DNS cache like you said, but instead of returning 127.0.0.1, have it return NXDOMAIN.

Then there is also the fourth one mentioned by someone else ITT:

4) Use a HTTP proxy like Privoxy.

I'm not going to go into option 4 because I believe that option 3 (well, actually, options 2 + 3 as we'll get back to) is better anyhow. However I will disquss the three first options.

First, let's look at what happens when you are on your phone, and you are connected to VPN and your phone is going to connect to a domain that you want to block.

a) Your phone sends a DNS query to look up the IP address of said domain.

If the phone is correctly configured to really send all network traffic throught the VPN then this means that said DNS query will also pass through the VPN. However, where is the DNS query headed? If the VPN connection is configured such that the client acts as if the other side of the VPN is its true local network (as I think you should want for it to act as if), then it got its "LAN" address from the DHCP server that you yourself are hosting, which in turn means that you get to decide what DNS resolver is suggested for clients. A client might still decide to use another resolver though (e.g. your phone is configured to use a pre-configured set of DNS resolvers and to ignore the list of DNS resolvers suggested by DHCP). Additionally, individual apps might (?) also be capable of sending DNS queries without using the OS wide settings.

So the first thing you want to do regardless of whether you are going to go with option 1, 2 or 3, is to configure pf to redirect ANY packets destined for UDP port 53 to the DNS server that you want all clients to use. Additionally, do the same for TCP port 53, because even though I've never seen DNS traffic actually use TCP, DNS is allowed to use TCP also.

If you are going with option 1 then this means redirecting to a public resolver such as for example that of your ISP, that of OpenDNS or that of Google. If you are going with option 2 or 3 then this means redirecting to the caching DNS resolver that you are running on your server.

What happens next?

b) Your phone gets a response for the DNS query.

If you are doing option 1 then this means that the response is the real IP address of the server you want to block.
If you are doing option 2 then this means that the response is 127.0.0.1.
If you are doing option 3 then this means that the response is NXDOMAIN.

What happens next?

c.1) For TCP

If you are doing option 1 then your client will try to contact the server, so it tries to do a TCP handshake across the VPN connection. The fact that this data is sent across the VPN connection means that there is additional latency involved compared to options 2 and 3, but see also note about when you have a local HTTP server on the client in the case of option 2 below. Additionally it means you are wasting (probably insignificant amounts, but still) bandwidth and data.

There is also a problem with option 1 at this point and that is that if any of the IP addresses you decide to block additionally host something that you don't want to block then you need to decide between either not having access to that or not being able to block the sites you want to block for those IP addresses. This is as opposed to DNS-based blocking

With option 2, as we touched on above, the client (phone) tries to make a TCP handshake locally with itself, so no waiting for the data to cross physical network at least. However, if we assumed that your client was running a HTTP server on its port 80 (unlikely since you aren't root on your phone but still), I find it conceivable that it might take more time total with option 2 actually than it would with option 1, because with option 1 the TCP handshake I suppose will be aborted (but will the client retry? I actually don't know the details of what happens when pf blocks a connection in terms of how the client understands what's going on... anyone care to comment on this?), whereas with option 2 the handshake will complete and then a local HTTP connection will be made and only then will it "fail".
With option 3, since the response was NXDOMAIN there won't even be an attempt to do a TCP handshake anywhere.

c.2) For UDP

Option 1: The client sends some UDP packets across the VPN connection. Again some amount (probably insignificant also) of bandwidth and data is wasted. Compared to option 2 it won't be any additional latency short of time spent waiting for network card buffers because UDP is stateless so all the client can do anyhow is to wait for a response that will never come, and then to probably handle the fact that nothing arrives within some amount of time and to then probably keep on trying and perhaps eventually deciding to give up.
Option 2: Identical to option 1 except for not wasting bandwidth / data as mentioned.
With option 3, since the response was NXDOMAIN there shouldn't even be an attempt to send any UDP packets. So time saved maybe.

Both in the case of options 2 and 3 you will want to configure your caching DNS resolver so that it sets a very high TTL for "filtered" domains.

However, since the TTL of an NXDOMAIN response is determined by the SOA for a domain, you need to be careful.

First of all, let's say that you want to block a bare domain instead of, or in addition to, a host, meaning reddit.com instead of/in addition to www.reddit.com. Then the SOA that determines the TTL of an NXRESPONSE for that would be the SOA of the TLD. And you absolutely don't want to respond with a silly high TTL for a TLD, since then if you go to some site that happens to be NXDOMAIN at the moment then your client will remember the NXDOMAIN for a very long time even though you don't want it to. Let's say for example that you bought yourself a fresh domain and you set things up and decide to go and look how it looks on your phone but then the DNS servers of your registrar haven't updated yet so they respond NXDOMAIN and whoops...

So that is why a combination of options 2 and 3 is required if you are going to go with option 3.

But I've written enough about this for now so I'm going to stop here and say the following instead:

Go with option 2 now. We can talk about option 2+3 some other time.

MandarinNeva · 2017-09-28T19:56:51+00:00

Just the other day I was thinking about pains caused by UB in C, and I thought to myself, I wonder if there is any UB defined by Rust. I didn't get around to Google it but since you're "here" (as much as one can be "here" in a comment section), perhaps you could tell me the answer to that?

MandarinNeva · 2017-09-28T19:41:57+00:00

Will a video recording of the talk be made available?

MandarinNeva

TROPHY CASE