Epic Worlds

The official blog of Jonathan Snyder, the muse's bitch.

Tags: #uspol #politics

Even when I wrote the title for this post, I could feel how much the sentence failed to capture the feeling everyone who wasn't a fascist was feeling. The 2024 #election did not go the direction that a lot of people thought. I mean, look at how much the #gop was fighting to change laws, to purge voter rolls, and all the other nefarious plans to steal the election. They thought they were going to lose as much as the #Democrats thought they were going to win. Everyone was caught off guard.

Since then, I have watched the hashtags on the #fediverse, followed some of the content of YouTubers that I trust and caught up on a lot of the talk on corpo social media. There are a few things I found that surprised me.

Everyone is Standing Together

I think the thing that surprised me the most is that across the internet among the communities I follow, there has been an outpouring of support for the vulnerable groups that are going to be targeted by the new regime coming in. Support links, advice, mentions of communities they can hide in. I did not see anything like this in the 2016 election.

I'm confident it is because we know what we're getting into but instead of just fury, there is also the helping of one another. That brought me to tears more than the loss of the election.

In a country that I had thought had lost this, I was happy to see that I was wrong. I'm doing better today because of the kindness and camaraderie that I have seen.

All is Not Lost

I know I say this and it has been only three days since the election loss. But I think it is something that needs to be said. We all had a lot of hope that the healing that President Biden had been bringing to this country after the damage Trump inflicted would continue under Vice President Harris. No, she was not the best choice but she was the only choice we had in time and I think the best chance of trying to win. She ran a good campaign and I'm proud to have had a sign for her and voted for her.

The reason I say there is hope in these coming times is because of the following things:

  • Even if the GOP have a trifecta (control of the House, Senate, and White House), the cowardly Republicans are going to still play it safe when it comes to their own seats. They are still at the whim of their voters and things like Project 2025 have been detested by Americans on both sides of the line. I'm thinking that they may start small to see how much they can get away with and we have the ACLU to fight them tooth and claw. (The ACLU is always looking for donations to help the good fight).
  • We only have to wait two years before we can vote again to remove the assholes from power. The House of Representatives comes up once every two years and if you remember, the Trump Economy and situation was so bad, that the GOP lost so many seats. Also in the 2026 midterms, not only are the 435 House seats back open, 35 Senate seats will be also, and more than half of them are held by Republicans.
  • You are still here. I don't want this to sound hokey but you are still here. We were beaten, we are angry and disgusted at what our fellow citizens chose. But we are still here to fight for the rights of people to be safe, to be themselves, and for women to have full autonomy of their bodies. Right now there is nothing we can do but the time is coming to fight back again.

It will be dark Before it Becomes light

I won't lie to you or ramp my optimism up to 1000%. What is coming is dark and we are about to go through some bad times again. Unlike 2016, we know how bad of a leader Trump and his sycophants are but this time, we're dealing with someone who looks as if they are in the throes of dementia, who cares nothing for anyone but himself, and ready to appoint Nazis to positions of power.

Don't give up! We have been lucky that many of the fascists in Trump's circle are stupid. I mean, they wrote their entire plan out in a manifesto and published it for the world to see. They gave us the blueprint on how to block them.

But even stupid fascists are dangerous. We will need to keep putting pressure on our representatives and senators to make sure they don't stray (or give into their worst impulses if you live in a red state) and continue to point out that we are up against actual Nazis and that we will not accept a Christo-fascist theocracy. I believe in separation of Church and State and it is our right to speak, believe, and live the way we want to.

Hang in there! We'll get through this together.

I cannot remember where I saw it (though I know it was on my Mastodon social feed), someone had said that an aspiring infosec specialist should consider creating a blog to document their dive into the world of computers and IT. Over the next few days I thought about it and realized that, not only was that a good idea, it could possibly help someone in the future who is struggling with the exact same issue as you were.

So, here I am, writing a blog post to document it and the start of my adventure. Now, I have been a writer for a long period of time and consider myself more of an author than actually in information security. For anyone reading this blog, you’re going to find a wide variety of posts about all sorts of subjects but I’ll try to make sure that the subjects are clear enough for easy parsing for future searchers.

This blog post is short. I just wanted to get something posted while I work on designing the other posts including the issues I have had with my pursuit of decentralizing my presence on the internet.

If any of this looks interesting to you or you want to follow along, feel free to subscribe or if you are part of any social media like mastodon, you can also follow the blog as it has been federalized!

Until next time!

Tags: #infosec #security

I have used Keyoxide for a while now to verify my identity so I thought to throw together step-by-step instructions in case someone wants to do it themselves.


What You’ll Need

  1. A way to create a PGP key (this is just a fancy term for a digital signature that’s unique to you).
  2. Some of your social media profiles or other online accounts you want to link together with this key.

Step 1: Install a Tool to Create Your PGP Key

To get started, you’ll need an app that can make a PGP key for you. Here are some good options:

  • Windows: Gpg4win
  • macOS: GPG Suite
  • Linux: Try running sudo apt install gnupg in your terminal if you don’t already have it.

Follow the instructions on the website for installing the app that matches your operating system. Once you’re set, you’re ready to make your key.

Step 2: Make Your Unique PGP Key

Your PGP key will be like your online signature that connects to all the profiles you want to share.

  1. Open the app you just installed and look for the option to make a new key.
  2. The app will ask you for some info:
    • Name: This is what people will see connected to your key. It can be your real name or something else you’d like to use.
    • Email: This will help identify your key, so choose one you’re comfortable linking to your online identity.
    • Passphrase: Make sure to pick a good one! This keeps your key secure.

Once you’re done, the app will generate a public key and a private key:

  • Public key: Safe to share! This is what other people will use to verify your identity.
  • Private key: Keep this secret—this is what proves the public key is really yours.

Step 3: Find Your Key’s Fingerprint

Your fingerprint is like a digital ID number for your key. It’s a unique mix of numbers and letters that helps Keyoxide identify you.

  1. Go back to the app, find your key, and look for the fingerprint (it’s usually a string of about 40 characters).
  2. Copy this somewhere handy because you’ll need it soon.

This is where you show that certain online accounts really belong to you. You’ll make a short “proof” message for each account, and then link it to your PGP key. Let’s start with an example for Twitter.

  1. Write a simple message like:

    This is an OpenPGP proof that connects my Twitter profile (@YourTwitterHandle) to my OpenPGP key.
    

    Replace @YourTwitterHandle with your actual Twitter username.

  2. Sign this message with your PGP key to make it official.

    • Most apps will have a “Sign” button for messages. You just paste your proof message there and sign it.
    • If you’re on the command line, use:

        echo "This is an OpenPGP proof that connects my Twitter profile (@YourTwitterHandle) to my OpenPGP key." | gpg --clear-sign

      This will give you a signed message that you’ll post next.
  3. Post the signed message on Twitter as a tweet.

And that’s it! You’ve just linked your Twitter account to your PGP key.

Quick Tips for Other Accounts

Each site may need a different kind of post:

  • GitHub: Post your signed proof as a Gist.
  • Reddit: Post your signed proof as a comment or post.
  • Your own website: Just paste the signed message on a page you control.

Step 5: Make Your Key Public

To get everything working on Keyoxide, you’ll need to share your public key with a key server (like a phonebook for these keys). This way, Keyoxide can find your key and your proofs.

  1. In your PGP app, export your public key.
  2. Upload it to a key server (like keys.openpgp.org).
    • Most PGP apps have an option to upload it directly, or you can use the command:

        gpg --keyserver keys.openpgp.org --send-keys [YourFingerprint]

Now, your public key (and the proofs you linked) are accessible on the web.

Step 6: Check Out Your Keyoxide Profile

Now comes the fun part—seeing it all come together!

  1. Go to Keyoxide.
  2. Type in your PGP key’s fingerprint and press enter.
  3. You should now see your Keyoxide profile, showing all the proofs you’ve linked. Anyone who visits can confirm these profiles belong to you!

Step 7: Share Your Keyoxide Profile

Your profile link on Keyoxide will look like this:

https://keyoxide.org/[YourFingerprint]

Share it anywhere you’d like people to know it’s really you!
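
Steps 3 and 7 scripted, as an added example that is not part of the original post: it reads the machine-readable output of `gpg --with-colons --fingerprint`, picks the primary key's fingerprint (not a subkey's), and builds the profile link. The function names and the sample key data are made up for illustration, and it assumes the usual 40-character fingerprints.

```python
import re

# Constructed sample of `gpg --with-colons --fingerprint` output (not a real key).
SAMPLE_COLONS = """\
tru::1:1700000000:0:3:1:5
pub:u:255:22:89ABCDEF01234567:1700000000:::u:::scESC:::::ed25519:::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1700000000::0000000000000000000000000000000000000000::Example User <user@example.org>::::::::::0:
sub:u:255:18:76543210FEDCBA98:1700000000::::::e:::::cv25519::
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:
"""


def normalize_fingerprint(text):
    """Remove the spaces gpg prints between groups and require 40 hex characters."""
    fpr = re.sub(r"\s+", "", text).upper()
    if fpr.startswith("0X"):
        fpr = fpr[2:]
    if not re.fullmatch(r"[0-9A-F]{40}", fpr):
        # 8- or 16-character key IDs are not fingerprints and are rejected here.
        raise ValueError("expected a 40-character fingerprint, got %r" % text)
    return fpr


def primary_keys(colon_output):
    """Map each primary-key fingerprint to the user IDs listed under it."""
    keys = {}
    current = None   # fingerprint of the primary key being read
    expect = None    # which kind of key the next "fpr" record belongs to
    for line in colon_output.splitlines():
        fields = line.split(":")
        record = fields[0]
        if record in ("pub", "sec"):
            current, expect = None, "primary"
        elif record in ("sub", "ssb"):
            expect = "subkey"
        elif record == "fpr" and len(fields) > 9:
            # Field 10 holds the fingerprint; subkey fingerprints are skipped.
            if expect == "primary":
                current = normalize_fingerprint(fields[9])
                keys[current] = []
            expect = None
        elif record == "uid" and current and len(fields) > 9:
            # gpg escapes a literal colon inside a user ID as \x3a.
            keys[current].append(fields[9].replace("\\x3a", ":"))
    return keys


def keyoxide_url(fingerprint):
    """Build the profile link from Step 7. Lower-casing is a convention assumed
    here; hex digits are case-insensitive."""
    return "https://keyoxide.org/" + normalize_fingerprint(fingerprint).lower()


if __name__ == "__main__":
    for fpr, uids in primary_keys(SAMPLE_COLONS).items():
        print(fpr, uids, keyoxide_url(fpr))
```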


That’s It!

Hopefully this helps. You can check out Keyoxide’s documentation for more details if you need to know more!

I had some spare cores on my proxmox server and I decided that I wanted to self host my own matrix server again. When I had gone to the official matrix-synapse page, I found that a lot had changed and, unfortunately, their install instructions are quite complicated unless you have a deep understanding of their system.

So! I decided to put together my own, little tutorial and some of the hurdles that I ran into and what wasn't clear to me.

Installing was the easy part. You can easily follow the tutorial that conduit has right here. Here are some of the hurdles I ran into.

Reverse Proxy is a Little Finicky

I am using a reverse proxy where I have one machine taking all the connections and sending the traffic to a cluster of machines that I have in the backend. The reverse proxy was not as easy as I thought it would be. I had decided to set mine up on port 8448 to receive the federated traffic while conduit itself ran on port 6167. When I initially set up my server config (I am using NGINX) I had the first server config grab the traffic and send it directly to 6167. It did NOT like that.

Let's say the internal IP address of my DMZ server is 192.168.10.1 and the machine that conduit is running on is 192.168.10.2. What I had to do was send the traffic from 192.168.10.1:8448 to 192.168.10.2:8448 and then the server config on 10.2 then had to be sent to 6167. I tried a few different ways and this was the only one I got to work. Maybe it's my lack of experience?

Also! One of the other quirks of this program is that it doesn't like http in any part of the flow. If you have your SSL certificates on the DMZ machine for 8448 and you're sending traffic to the internal 8448, conduit expects there to be certificates there too, even if the traffic is already being encrypted as the DMZ and the internal server is not at risk. It can even be different certificates. They just have to be there. If you don't do this you'll get a message along the lines of “Received an HTTP request when it should have been HTTPS” even though the entry server is SSL secured.

Here are the nginx config examples:

DMZ Server (192.168.10.1)

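server {
        listen 8448 ssl;  # "ssl" is needed for nginx to terminate TLS on this port
        server_name WEBSITE.NAME;

        ssl_certificate /path/to/ssl/certificates/fullchain.pem;
        ssl_certificate_key /path/to/ssl/certificates/privkey.pem;

        ssl_protocols TLSv1.2 TLSv1.3;  # Ensure these protocols are enabled
        ssl_ciphers 'HIGH:!aNULL:!MD5';  # Use strong cipher

        location / {
                # The internal server listens with "ssl" on 8448, so this hop must be https.
                # nginx does not verify the upstream certificate unless proxy_ssl_verify is on.
                proxy_pass https://192.168.10.2:8448; #Not real. Just used for example.
                proxy_set_header X-Forwarded-For $remote_addr;
        }
}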

Conduit Server (192.168.10.2)

server {
    listen 8448 ssl;
    listen [::]:8448 ssl;

    server_name WEBSITE.NAME;
    merge_slashes off;

    # Nginx defaults to only allow 1MB uploads
    # Increase this to allow posting large files such as videos
    client_max_body_size 20M;

    # Certificates for the internal hop; they can differ from the ones on the DMZ server
    ssl_certificate /path/to/ssl/certificates/fullchain.pem;
    ssl_certificate_key /path/to/ssl/certificates/privkey.pem;

    location /_matrix/ {
        # Hand the request to conduit on port 6167
        proxy_pass http://192.168.10.2:6167$request_uri;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_buffering off;
        proxy_read_timeout 5m;
    }
}
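
A way to catch the HTTP/HTTPS mismatch described above before reloading nginx, as an added example that is not part of the original post: a small Python check that reads the server blocks of each hop and flags a `listen` without `ssl` next to certificates, and a `proxy_pass` whose scheme does not match how the target port listens. The function names and the sample configs are constructed for illustration and reuse the post's example addresses; the reader handles only simple configs like these.

```python
import re

UPSTREAM_RE = re.compile(r"^(https?)://([^:/$]+):(\d+)")


def parse_servers(conf_text):
    """Tiny nginx reader: one dict per server block (listen, certs, proxy_pass)."""
    text = re.sub(r"#[^\n]*", "", conf_text)            # drop comments
    tokens = re.findall(r"[{};]|[^\s{};]+", text)
    servers, stack, words, current = [], [], [], None
    for tok in tokens:
        if tok == "{":
            name = words[0] if words else ""
            stack.append(name)
            if name == "server":
                current = {"listen": [], "has_cert": False, "proxy_pass": []}
                servers.append(current)
            words = []
        elif tok == "}":
            if stack and stack.pop() == "server":
                current = None
            words = []
        elif tok == ";":
            if current is not None and len(words) > 1:
                directive, args = words[0], words[1:]
                if directive == "listen":
                    port = args[0].rsplit(":", 1)[-1]   # "[::]:8448" -> "8448"
                    current["listen"].append((port, "ssl" in args[1:]))
                elif directive == "ssl_certificate":
                    current["has_cert"] = True
                elif directive == "proxy_pass":
                    current["proxy_pass"].append(args[0])
            words = []
        else:
            words.append(tok)
    return servers


def check_chain(hosts):
    """hosts maps an IP to that machine's nginx config text; returns findings."""
    parsed = {ip: parse_servers(text) for ip, text in hosts.items()}
    ports = {}                                           # (ip, port) -> listens with ssl?
    for ip, servers in parsed.items():
        for srv in servers:
            for port, ssl in srv["listen"]:
                ports[(ip, port)] = ssl
    findings = []
    for ip, servers in parsed.items():
        for srv in servers:
            for port, ssl in srv["listen"]:
                if srv["has_cert"] and not ssl:
                    findings.append(f"{ip}:{port} has ssl_certificate but listen lacks 'ssl'")
            for target in srv["proxy_pass"]:
                m = UPSTREAM_RE.match(target)
                if not m:
                    continue
                scheme, host, port = m.groups()
                expects_tls = ports.get((host, port))    # None: not an nginx hop we know
                if expects_tls is True and scheme == "http":
                    findings.append(f"{ip} sends plain http to TLS port {host}:{port}")
                elif expects_tls is False and scheme == "https":
                    findings.append(f"{ip} sends https to plain port {host}:{port}")
    return findings


# Constructed sample configs using the post's example addresses.
BROKEN = {
    "192.168.10.1": """
        server {
            listen 8448;
            ssl_certificate /path/to/fullchain.pem;
            ssl_certificate_key /path/to/privkey.pem;
            location / { proxy_pass http://192.168.10.2:8448; }
        }""",
    "192.168.10.2": """
        server {
            listen 8448 ssl;
            listen [::]:8448 ssl;
            ssl_certificate /path/to/fullchain.pem;
            ssl_certificate_key /path/to/privkey.pem;
            location /_matrix/ { proxy_pass http://192.168.10.2:6167$request_uri; }
        }""",
}
FIXED = {ip: text.replace("listen 8448;", "listen 8448 ssl;")
                 .replace("http://192.168.10.2:8448", "https://192.168.10.2:8448")
         for ip, text in BROKEN.items()}

if __name__ == "__main__":
    for finding in check_chain(BROKEN):
        print("BROKEN:", finding)
    print("FIXED findings:", check_chain(FIXED))
```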

Getting Admin Privileges for your new Server

If you have used Matrix Synapse in the past, you are probably used to being able to generate an admin user right up front with the CLI. This is not possible with conduit and it took me a while (plus some help from the users over at #conduit:fachschaften.org) to get me going in the right direction.

Once you are certain your server is up and running and the federation is working on 8448, you'll need to register an account with your new server first. This means going to a place that you can sign up for a server and go through the registration steps. I went to element.io, selected register, entered my own server's domain name, and then went through the registration process. You will need to give the registration code that you set up in conduit-example.toml and once it's done registering, you will then need to log in with the said username and password. Again, I used Element. Once you do that, the very first account that logs in will be granted admin rights and it will generate a room named @conduit: and there you will be able to issue admin commands.

And that's it!

I hope this helps anyone else who was stumbling over Conduit and if this was obvious, well...I then have a lot more to learn.

I don't know how else to say it. I'm 40 years old, witnessed the Financial crisis of 2008, watched the rise of Authoritarianism in 2016, the Great Plague of 2020, and the implementation of fascism in 2025. I'm tired.

It is shocking how much has changed over the years since I was a teenager to the age I am now. Shocked of not only how cruel people have become but how so much progress in society has been lost.

I grew up with family telling me that we were to love our neighbors, good traditional beliefs, and the importance of religion just to see them put on those fucking red hats and somehow delude themselves into thinking God and the MAGA movement were one and the same.

Though I was on the fence when it came to Religion (ultra conservative family, really hard to shake some learned behaviors), they made me renounce my religion and do a complete 180 dismissing traditional beliefs to embrace what I have come to learn is a much more honest, freeing, and loving existence.

I did not realize how much narrow mindedness existed in the way I was raised. The hate I used to spout as a stupid teenager. I was saved thanks to my loving, bi wife who was the antithesis of how I was raised.

I'm not trying to be political. I'm just trying to understand how so much hate could win again after so much work of trying to be considerate and create a world where everyone could co exist.

That was the goal as a millennial. We were going to be the ones to break the norms, to create a better world due to the previous generation abandoning us. We made the crack, Gen-Z started to push through but this hate, this inequality burned them out and they feel as hopeless as I do.

The thing I am sure of is that I'm not done fighting. I may be older and do not have the same energy as I used to but I'm an old soldier. I supported the mission in Afghanistan, I cried when I saw those people I tried to help put back under Taliban control. I'm not giving up. I will fight this fascist dictatorship any way I can.

I'm just tired.

It took me a while to put this piece into words I could convey instead of wild ravings of a madman. If anything, it's a message to myself at the least.

We Are NOT Someone's Product

I don't know about you but there is an unspoken pressure, an expectation for us creative types to produce. This feeling that you aren't good enough if you can't keep writing, drawing (or any other craft).

This feeling ate at me when I couldn't meet my self imposed deadlines. The feeling that something had to go out the door so that I looked successful. It’s a subtle and suffocating feeling which grabs you in a way that you don't realize it until you're deep in it.

If anything, it feels like we have become a product that keeps generating content for our fans. It took awhile for me to realize it but that's not what art is. That's not why I began as a writer.

Creativity isn’t a Factory Line

I have learned the hard way that art doesn't come from some factory line. Art, and in my case writing, is an extension of me and I spend true emotion and my soul on each piece and I mean every piece. From the sophisticated scifi stories I love to the trashy short stories.

I have found that I have been pushing myself to just “write another story” so that there is something out. Those works feel soulless.

The last short story I wrote felt so soulless that an AI detector thought it was written by AI. That was the worst insult.

Over the decade we have been told that we need to hustle, to produce to become successful. We have embraced a form of capitalism that is just eating us artists up and I'm empty.

Reclaiming the Meaning of our Art

I'm not giving up writing. I don't want anyone who is reading this to think I am throwing in the towel on any of my projects. I love my projects, every single one of them but I have come to the realization that I needed to step back. I need to look at what I am doing and change how I see the things that I do.

I need to write from my heart again and stop pushing out drivel. In hindsight, it is just insulting to what started me out in this journey.

Why am I writing this? If anything, it's a stream of consciousness on what I have been thinking. Maybe I could inspire or let another writer or artist know that they aren't alone. It is okay to step back, look, and re-affirm why they are doing this. I did and I think I'll be better for it.

It has been awhile since I have had the opportunity to sit down and write a blog post. Things have been hectic and some projects just fall by the wayside. One of the things I promised to do is write a blog post about my experiences running a single user instance.

 You’re all on your Own

After spending about a month on Infosec.exchange and learning the ups and downs of mastodon, I decided that the biggest thing I wanted to do was own my own instance where I could control my entire social media presence. Instead of existing on someone’s server, I wanted my own. So, I set up a single user interface.

One of the biggest challenges is not federation but re-connecting to everyone and seeing all the posts again. One of the major things that helped me is that I had already followed 100+ people so when I migrated my account, I was able to automatically re-follow all of them allowing my feed to fill up.

One of the impacts that never crossed my mind is that you immediately lose the use of the local feed portion of mastodon. If you were on a different instance, you could use that to see what was being talked about on the instance you inhabited but if you exist as a Single User Instance, all that page has is your own toots. You lose a major portion of finding new content to engage with.

What this does is make more effort required to explore other instances and follow people so that you can get a varied feed.

 If you don’t engage, you don’t exist.

Engaging and communicating becomes even more important because nobody can use their local feed button to find you and you will more than likely be drowned out in the federated feed. To engage and to be found and to talk with other people requires much more exploration and actually responding to posts with your thoughts and opinions so that more people see your handle.

I’m not saying that one should go and spam for attention or participate in clout chasing. I am simply pointing out the fact that the ability for someone to stumble on to you is much harder. You can join a relay but sometimes what you post is outweighed by the flood of what is sent to you.

This also means that the use of hashtags becomes critical. I have discovered it’s a fine line between too few hashtags and too many.

Actively Managing your server is a Must

There is no one else on your instance that is blocking inappropriate or illegal servers, cleaning out the databases and media folders using the tootctl CLI. All the day to day managing to keep yourself up and running will be handled entirely by you.

(This won’t really apply if you are hosting with a site that promises to take care of that for you but many SUIs I have seen are hosted on their own machines).

It got so bad that I had to write a bash script to automate a lot of the cleaning for me weekly and still have to check on it to make sure it ran correctly, I don’t have to adjust the speed, etc.

This can become doubly worse if you follow a large relay and that relay can swamp your server, run you out of space, and when that happens, your instance goes down.

The safety and security of your server and your feed is one hundred percent on you.

 Need a Script?

I’ve actually offered the script I use for any Ubuntu servers on my public git. I’m still working on it but might give you a good place to start cleaning!

 https://gitlab.com/JonathanS223/mastocleaner

 Until next time!

 

A Quiet Place on the Fediverse

tags: #infosec #fediverse

It would be an understatement to say that the recent U.S. #elections didn’t exactly go smoothly, and it’s left a lot of people feeling uneasy about the next few years. Whether it’s the chaos of the results or the ongoing fallout, many are already looking for safer spaces to weather the storm. For those of us on the #fediverse, the pressure’s on to find places where we can just exist without the constant noise and toxicity that’s been so hard to avoid. As things continue to unfold, it’s likely we’ll see more people flocking to smaller, tighter-knit communities—places where moderation is strong, and the focus is on creating a space for real conversation, away from the chaos of the wider internet.

The ION Network

Right now, social media networks like #Mastodon rely on an open federation model, where servers can connect with just about anyone, and that creates some serious moderation challenges. Harmful users or groups can easily slip through the cracks by joining open-registration servers, and even if you block them, they can just pop up again on a different server. The idea behind this proposal is to switch things up with an allowlist-only system, where servers only federate with others they’ve specifically approved. This way, we create smaller, more manageable communities that are easier to keep safe and moderate. It’s all about limiting federation to trusted servers, making the whole network a lot more secure.

In this system, servers would need to mutually agree to connect, which means the network is built on trust. There’d be a published allowlist to show which servers are part of the network, and new servers could join after a provisional period. Sure, it’s still a work in progress and comes with some challenges—like how to keep the allowlist updated and how to make sure it scales—but the idea is really about giving users a safer, more controlled space. With smaller, curated communities, moderation could be more proactive, and users would have a better sense of security knowing they’re not likely to run into abusive or harmful content.

Oliphant gives a good explanation in his blog on the subject.

Places to Sign up as a User

If you are a user that is looking for a place to sign up for the ION network, there are already a few choices made available. There are some instances that are open to sign ups here:

Places to Join as an Instance

If you own an instance or are looking to set up an instance yourself, you can find the instructions to do so at the repo set up to help!

It is important to have tools like this available especially with the direction this might go.
