Scream of Consciousness - links, rants, random shit.
I had never been to ACLfest before this weekend. I loved it, but ohgod I am so exhausted.
Trying to eat as many calories as possible between now and November 2nd so I have enough energy to survive FunFunFunFest, which I am also doing for the first time this year.
Ohgod.
Video playlist for what's below. Works with youtube-dl!
Edit: oh my god this was a lot more work than I thought.
Day 1 (Friday)
M83
The highlight of my day was M83. I loved them. Seeing their lights show outside at night was so good I just can't even say. Seriously, if you get a chance to see them, you should go.
This is a good video of them live: - it has the sound from the venue and has cameras close to the band. You can see that everything behind them is basically covered in lights, and it is just so pretty when you're live at the show. Let me tell you, the video doesn't do it justice. (Monitors just don't have enough contrast to show the darkest darks with the brightest lights, and the effect is just not the same. Not even close.)
Part of the above set:
Not part of the above set:
There were two frustrating parts of this show, though. One was that it simply wasn't loud enough. This may have been a strategic decision by event staff (because Gotye was at the same stage at a similar time on Saturday, and he was also too quiet), but it sucked to be so much closer than I had been to the band on other stages, but have the band be just too quiet.
The second problem was that I just didn't get there early enough, and I had a little trouble seeing parts of the show. I'm pretty tall, which helped, but the venue sort of negated my advantage, in this case... the Barton Springs stage they were on has a flat area in front of it but dips down around it, and I was on the dipping-down part. I want to see them at a smaller venue sometime - that club in the live video I linked above looks fucking amazing.
I felt that way about several acts that I saw at ACL this year, but this one most acutely. If there was just one band I could have been closer to the stage for, it wouldn't have been The Black Keys or Jack White, it would have been M83.
Weezer
I saw Weezer and not Florence + the Machine. I do not recommend this course of action, and am pretty sad about it in general.
That said, I went because not one person I went with wanted to see Florence, and it was worth going to see Weezer with them instead.
Also? Weezer put on a great show and I had lots of fun, so it's not like it was a bad time! Weezer is great.
Just. I wish I could have seen Florence + The Machine.
A sampling:
They didn't play this one at ACL but I like it, and it's a pretty good representation of how they sounded live.
Mother fucking sumo wrestlers:
One of my favorites from theirs back in the day:
One of my favorites from the early 2000s:
New discoveries - The Wombats
I got to the festival pretty early and I happened by the Wombats. They're... really good! They're a kind of dancey post-punk and they reminded me of Matt & Kim in that regard. I remember liking these two songs in particular and oh look they're singles:
New discoveries - First Aid Kit
I also heard First Aid Kit. They're this folk (maybe pagan?) music duo, and they would start off mellow and beautiful and by the end they retain the beauty of the music but they're just rocking out hard, like headbanging and dancing with their whole bodies. I didn't see any live recordings that showed this, but it was really powerful and climactic. They played very emotional music.
I like the song and I love the video, it's half low budget kaleidoscope visuals and half wolfy and creepy:
Live on a streetcorner with just a guitar:
Really beautiful song; live recording at a club with a drummer:
The end of the day - Avicii
I started out going to The Black Keys and fucking hell was that not the right place for Tired Micah to be. Too many people, all of them wanting to be right in front of me hundreds and hundreds of feet from the stage.
If that sounds dumb because I was at a giant fucking music festival, well... yes. I eventually even realized this myself!
So I went across the park to lie on the grass and listen to Avicii instead. I think a friend had mentioned him but I hadn't gone to seek out his music directly before. I wish I had just started out there - the music was great, the lights were great, the glowsticks were great, the crowd was much more chill, and you could get so, so, so much closer to the stage without even trying.
OH SHIT IT'S THE DANCEVIRUS:
This is a sort-of live set that isn't actually all Avicii, and has some occasional interview parts and a fucking announcer talking over the stream. However, I started it at 0:50 and ended it at 8:52 in the youtube playlist so the whole playlist still flows (at least sorta) and it cuts out all that bullshit. There is quite a bit of other listenable music in there too, but even this smaller section shows some cool visuals and that he does a great job live.
Day 2 (Saturday)
It rained today and that was so fucking great. Came with some ziplock bags, and left with all of my electronic devices still working, woo.
Metric
I love this band so much. This was the one band today where I got in the audience early enough to get an actual good view of everything, and it was worth it. They are very good live - the band is very together and professional, and Emily Haines has a ton of energy on stage. Loved this show a lot.
Also it rained on us during what had been the hottest part of the day and seeing this show in the rain was just exhilarating.
One of the first Metric songs I heard and I still really love it:
Another one of my favorite Metric songs:
God I love this song too:
This is a great song that I hadn't heard before writing this post; I don't think they played it. I like the mix better than their newer stuff, which mixes the lows reeeeally quiet:
See also this live song, which is a fucking good song too. I think they actually sound a lot better live - the lows and drums are so much louder and they just really hit you in the chest. Their recorded stuff almost sounds chill by comparison. Well, still angry, but a chill anger. Or something. ...
Tangent: Zeale
Zeale was not at ACL Fest, but it's relevant. He's local and I have seen his live show and he is fucking great hip-hop, highly recommended.
Zeale does a mashup of Metric and MSTRKRFT:
You can actually get his EP Wake Hell Or Make Peace for free, which contains another awesome collaboration with Patricia Lynn of The Soldier Thread:
Gotye
Sad parts: I had to miss out on BASSNECTAR to see Gotye, but unlike when I missed most of Avicii's show yesterday for the Black Keys, I do not regret missing BASSNECTAR at all - Gotye was that good. Gotye was also too quiet, just like M83 was yesterday. Nobody I was with was really into it (because they have no taste I guess) and we left a bit before it was over to get better seats for Jack White, which turned out to be a big mistake because apparently Kimbra came on like right after we left.
Good parts: god this was a cool show. I loved the drum pads and percussion, and he does the performance really well with excellent visuals and cool lights. Certainly less intense than M83's amazing light show, but I think I liked it almost as much. This was also apparently his first show in Austin, so I'm super glad I got to see it. I love that he does the thing with two mics - one normal, one heavily processed or distorted. I love his drumpad dance. I loved seeing it at night.
This is definitely one of my favorite shows I saw the whole weekend. He is worth seeing live! Do it.
Apparently unlike everyone else I talked to, I still am not sick of this song, so fuck you:
A beautiful song with a fucking brilliant video.
Simpler than some of his other music but really beautiful as well. The video reminds me a lot of Princess Mononoke.
A live recording with great sound (unlike any other live recording I could find) but unfortunately it's in black and white with somewhat boring visuals. Still, it shows you how cool he can sound, with the loop machines and two mics (one distorted and the other unprocessed) and percussion and stuff.
Every music video I've seen by Gotye has been really cool; there are more than I've listed here. You should go listen to them.
New discoveries - Zola Jesus
I think I heard of her around SXSW but never actually heard her music. I heard her from a distance and got closer when I realized who it was.
She does this sort of ambient electronic music and I liked her vocals a lot. Some songs are slower with more ethereal vocals, and some were harder and more industrial.
This recording was different than the stuff I saw live, because there was a string quartet and she has that cool light cocoon around her. It's rad. (I fucked with the start/stop times for the YouTube playlist so that it would just play the song, not the pre-interview.)
Well shit, here's a whole 30 minute show. This will really give you a feel for what she's like live:
Band of Skulls (missed)
Band of Skulls is great, I saw them at SXSW so I wasn't too sad to miss out on seeing them today.
Like Metric, their live show feels a lot more punchy and powerful than their recorded stuff. I think they sound a little bit like Led Zeppelin - actually, a bit like a Metric/Zeppelin crossover. BoS has both male and female lead singers, and when I saw them in March they even covered a Zeppelin song (maybe more than one). They are definitely worth seeing live, I just didn't get the chance this time.
Music video from the new album:
Music video from the first album:
Hear that Zeppelin? Hear that punch? I think it might be partially the mix on their album recordings, because the drums in particular are louder in this video, and I love it:
Punch Brothers (missed)
I was sad to miss Punch Brothers today, since I missed them I think twice at SXSW.
Most of their stuff isn't like this wonderful fucking song, but this is my favorite out of everything they've made so far. And oh yeah, it's live (in a studio):
This is more representative of their style. Beautiful, and also just weird for a "bluegrass" band. This is also live, at a music festival in 2010.
As far as I can tell they don't have any official music videos or even a Youtube channel, so that's why I didn't link any.
Jack White
I was too tired to see Jack White tonight just like I was too tired to see The Black Keys yesterday, but I went anyway. His music really is fucking great, and the band was also just really good (and also all women, which I found somewhat hilarious). I wish I could have enjoyed it more. I wrote down, "Jack White was very, very cool and very, very far away", which pretty much sums it up.
Day 3 (Sunday)
Kimbra
I love Kimbra. I had heard her recorded stuff which is just really excellent, and then saw her live at SXSW. Before I knew I was going to ACL Fest proper, I was going to see her show at the Belmont (part of ACL Nights), which seems like the perfect venue for her.
I was really happy to see how big the crowd was to see her, and honestly it's kind of a shame she was so early - I think she could have filled out a stage even much later in the day.
She is just so good:
Wow, again, those vocals:
Good god this song and video are both amazing. I love this video and the live recording next so much I have to keep them both.
This is a really cool video because it shows her playing with a loop box and rocking everything all by herself. I hadn't seen this before (I saw her at a different venue), and shit it's good. (Also lol @ the girl in the background at 1:17.)
Another fucking great single. She's this crazy on stage too!
This is actually a Converse-backed collaboration between Kimbra, A-Trak, and Mark Foster (of Foster the People), and it is really really good.
Post-show interview where she says she "owes YouTube a fair bit" which is kind of cool. (Somewhat ironically this video is not hosted on YouTube.)
I wish I could find a video with actually good sound of her up on stage with her full band, because the band is excellent too and she really runs all over the whole stage in giant heels and huge dresses and jumps up and down... it's amazing, all that energy.
Die Antwoord
There really aren't any words, so let's start off with the videos.
SO GREAT:
I'm certain you will note the late-90s J-Pop influences in this video...
...no? Let me refresh your memory:
An interview where they give you at least some context as to whence the mindfuck cometh. (Not everything is in English but most of what the band itself says is.)
So yeah. I saw the shit outta Die Antwoord. Enjoyed the songs, but their live show was only OK, so I'm not going to try to find video of it.
New Discoveries - The Freelance Whales
Folk pop with cool instruments and good vocals. Some that remind me of The Postal Service, but not all the time. Liked them a lot.
LIVE FROM A SXSW HOTEL HALLWAY, IT'S actually still cool
More folky:
More synthy:
New Discoveries - Moon Duo
Ambient electronic.
I'll link a video or two but you can't really recreate the experience of listening to them live. They had the bass turned allll the way up and it didn't thump, it just vibrated your body for the whole song. That part was amazing. They weren't really a see-them-in-the-middle-of-the-day sort of band, so I didn't stay long. I'd see them in a club sometime, though.
The Civil Wars
The Civil Wars were fucking amazing. Two people, no band, no drums, no autotune. I got onto the field early for this one and I do not regret it.
They were easily the most normal people I saw on a stage the entire weekend. They seemed honestly blown away by the size of the crowd, but they didn't let that get in the way of their performance, oh my god.
It is hard to overstate how technically perfect their performance was. It was gorgeous and extremely well executed live. You should see this band live. Absolutely.
A beautiful cover that they did play today:
And one they did not play today. (Sidenote: you should really listen to this. It's one of the saddest, most beautiful things in the world.)
My favorite song of theirs, though perhaps not as representative of the rest of their stuff.
Also beautiful:
I love that they're on a European tour and SELLING IT OUT! Check out the dates in March in Australia - they're all in churches and cathedrals. How amazing would that be.
Crystal Castles
I was going to see Childish Gambino, but was again too far away from the Barton Springs stage and I decided I didn't want to deal with it, so I left and saw Crystal Castles instead.
The light show was beautiful, and the sound was really cool too - more ambient than I was expecting, but I liked it a lot. I don't think I had actually heard their music before, and I went into it expecting something more housey or trancey or something more upbeat, but I liked the sound a lot anyway and I thought it was a really great way to end the night. Would totally see them again.
This one is more upbeat than a lot of their tracks:
You can kind of see what their lights show was like here, but the sound isn't very good (and there wasn't a better representation of what they're like, unfortunately).
I dunno if strangers are really going to be interested in this (OH THANK GOD, SOME GUY ON THE INTERNET WROTE ABOUT JULIAN ASSANGE), but it's mostly for friends on Facebook anyway.
(The whole reason this blog post exists is because Facebook doesn't let you link to more than one site per post.)
So. First let's get the wikipedia links out of the way.
https://en.wikipedia.org/wiki/Julian_Assange
https://en.wikipedia.org/wiki/Assange_v_The_Swedish_Prosecution_Authority
Julian Assange is the editor in chief and founder of WikiLeaks. WikiLeaks has published a lot of stuff. Some of that has been reeeeeeeeeeeeeally boring. Some of it has been pretty interesting.
Some leaks
In my opinion, WikiLeaks has released things about (at least) my own government that should have been leaked.
WikiLeaks has released a lot of things, and I don't have enough information to intelligently discuss all of them. Here are some of the leaks that I consider righteous.
I'm also listing these things to demonstrate that my government certainly has a reason to want to silence Assange.
- Collateral Murder is video capture of American servicemen killing people in Iraq from a helicopter. Among those dead were Reuters staff reporters; among those wounded were two children.
- The Guantanamo Bay leak contains evidence of waterboarding and other cruelties.
- The Trapwire leak provides evidence that there is a private company (Abraxas) who operates a surveillance network of cameras that record at least American and British citizens, a backend database that centralizes the information, and integration with a system that does facial recognition.
The rape allegations
The Swedish government wishes to (re-)arrest Assange in relation to two sexual assaults that are alleged to have occurred in that country.
I am confused regarding whether Assange has been charged or simply accused. Media reports tend to say "charged"; many of the people I follow on Twitter (who are almost all pro-Assange) say that he has been simply "accused" and that "no charges have been filed". Wikipedia says:
Assange has not yet been formally charged with any offence;[35] the prosecutor said that, in accordance with the Swedish legal system, formal charges will be laid only after extradition and a second round of questioning. The High Court found that the Swedish process has reached the stage of criminal proceedings, which would be equivalent to having been charged under English process[36].
It cites an article from The Guardian titled 10 days in Sweden: the full allegations against Julian Assange as 35 and a PDF from the Judiciary of England and Wales titled Julian Assange v Swedish Prosecution Authority - SUMMARY TO ASSIST THE MEDIA as 36.
This doesn't answer the question for me, but it does raise an important point: Swedish legal proceedings are different from those in Australia (where Assange is from, and where he has many supporters, some of whom I follow on Twitter), or the United States (where I live and about whose laws I know the most, and also where Assange has many supporters), or the United Kingdom (where Assange had been living until he fled to the Ecuadorian Embassy in the UK, which I believe is technically Ecuadorian soil). I will say that I have no faith whatsoever in the UK government to provide accurate information to the media in this regard, but I am also not willing to make the unequivocal claim that "no charges have been filed"... I just don't know anything about the Swedish legal system.
Fear of extradition
Assange is afraid of being extradited to the US. According to the AP:
The Australian, 40, said he is prepared to go to Sweden to face questioning over sex assault claims, but fears Stockholm will turn him over to the US where he could face espionage and conspiracy charges over revelations by WikiLeaks.
"Ultimately it may be a matter of what guarantees the United Kingdom, the United States and Sweden are willing to provide," he told the Sydney Morning Herald from the Ecuador embassy in London, where he is seeking asylum.
Assange believes Washington will pursue him after WikiLeaks published a cache of sensitive documents, including about the Afghan and Iraq wars, and thousands of diplomatic cables which have embarrassed governments worldwide.
"For example, if the US were to guarantee (it would) drop the grand jury investigation and any further investigation of WikiLeaks publishing activity, that would be an important guarantee ... diplomatic commitments do have some weight," he said.
I have seen several claims (including this one from Glenn Greenwald) that Assange has stated he is willing to return to Sweden upon a guarantee from the Swedish government that he will not be extradited from there to the US; the closest thing I have found to that is the above, which is not nearly as strong. Time Magazine reports,
Assange's attorneys in the U.K. and Sweden have complained to the Swedish Prosecution Authority that an arrest warrant is unnecessary, as Assange is willing to face questioning in a Swedish embassy abroad or via telephone or video link.
... this is interesting, and it is also interesting that Sweden apparently refused, but it hinges on what legal proceedings in Sweden are like, and again, is not nearly as strong as being willing to return to Sweden to face these charges if they promise to offer him protection from extradition.
Finally, it is worth noting that Ecuador offered to allow Swedish officials to come into their embassy in the UK to question Assange, but they refused this as well.
Assange was so afraid of American extradition, that he sought political asylum in the Embassy of Ecuador in the UK.
Further evidence regarding extradition
- Sweden has been willing to extradite suspected terrorists to other countries before, and at least once has violated international law in so doing by not taking sufficient steps to prevent torture of the asylum-seekers (according to the UN Human Rights Committee).
- The ACLU has accused the US government of violating our own FOIA law simply to avoid embarrassment in e.g. this brief (PDF), where it says (PDF page 54) "The only rationale for now denying that the United States killed three of its citizens in Yemen is to protect our own government from embarrassment, but that is an illegitimate aim under the Executive Order and therefore under FOIA."
It appears to me that Sweden is willing to both extradite asylum-seekers and violate international law to do so, and that my government is willing to violate its own laws in order to protect its officials from nothing more than embarrassment.
Ecuadorian sovereignty
Assange has been in the Embassy of Ecuador since June 19, 2012, requesting political asylum and waiting for an answer from the Ecuadorian government.
Yesterday (August 15), the United Kingdom threatened to enter the embassy and forcibly take Assange. (Widely reported; The Australian and BBC News both have stories.) Later, the UK Foreign Office Twitter account (which bears the checkmark of approval indicating that Twitter has verified it to be an authentic account) would state:
The UK does not accept the principle of diplomatic asylum.
An article in the Guardian entitled Can police enter an embassy? A guide says,
Under international law, security forces across the world are not allowed to enter an embassy without the express permission of the ambassador – even though the embassy remains the territory of the host nation.
...
However, the Foreign Office told Ecuador that it had the power to revoke the embassy's diplomatic status under the Diplomatic and Consular Premises Act 1987.
Ecuadorian Foreign Minister Ricardo Patino replied to these threats,
"We want to be very clear, we're not a British colony. The colonial times are over," Ecuadorean Foreign Minister Ricardo Patino said in an angry statement after a meeting with President Rafael Correa.
"The move announced in the official British statement, if it happens, would be interpreted by Ecuador as an unfriendly, hostile and intolerable act, as well as an attack on our sovereignty, which would force us to respond in the strongest diplomatic way," Patino told reporters.
...
"We are deeply shocked by British government's threats against the sovereignty of the Ecuadorean Embassy and their suggestion that they may forcibly enter the embassy," the mission said on its website.
"This is a clear breach of international law and the protocols set out in the Vienna Convention."
Asylum
Today (August 16), Ecuador has finally granted Assange asylum. (Original Spanish, Google-translated English.)
This statement includes the (Google-translated) passages:
In the course of these conversations, our country has called on the UK get more stringent safeguards for Assange front, unobstructed, open legal process in Sweden. These safeguards include, once vented their legal responsibilities in Sweden does not extradite to a third country, ie the guarantee does not apply the figure of the specialty. Unfortunately, despite the repeated exchanges of texts, the UK at no time showed signs of wanting to reach political compromises, merely repeat the content of legal texts.
and
On the other hand, Ecuador sounded the possibility that the Swedish government to establish safeguards that are not in sequence Assange extradited to the United States. Again, the Swedish government rejected any compromise in this regard.
and
The U.S. response has been that it can not provide information about the Assange case, saying it is a bilateral matter between Ecuador and the United Kingdom.
These passages give more credence (IMO) to Assange's fears... even if you are not inclined to believe his word on the subject, this is the word of the Ecuadorian ambassador. None of the relevant governments would promise that the sexual assault charges are the only issue on the table!
More evidence comes from former UK Ambassador Craig Murray, who writes:
I returned to the UK today to be astonished by private confirmation from within the FCO that the UK government has indeed decided – after immense pressure from the Obama administration – to enter the Ecuadorean Embassy and seize Julian Assange.
If true, this means that the United States certainly does have an interest in the case, and strongly indicates that they do plan on getting him on trial here in my country.
Comparative situations
Twitter has been blowing up with a bunch of what-if scenarios where other countries violate sovereignty by invading embassies. How afraid must the British ambassadors overseas be? Furthermore, there are two incidents in history I believe are immediately relevant:
- China did not violate US sovereignty when it sought the arrest of Chinese dissident and human rights activist Chen Guangcheng, who escaped house arrest in China and sought asylum in the US embassy. Eventually, we did grant his asylum, and he is now living in the United States.
- The Guardian reports on Britain's protestations and even threats against the Iranian government for failing to protect the British embassy in Iran (even against attacks by apparent protesters).
Conclusion
- There are unresolved legal proceedings in Sweden, regarding allegations that Assange raped two women.
- Assange and Ecuador have both sought promises from Sweden, the UK, and the US that he will not be extradited to the US, and none of those three are willing to provide these promises.
- The UK wants to extradite Assange to Sweden to face these charges so badly that they are willing to violate Ecuador's sovereignty.
SSL certificates are kind of a pain in the ass.
You have to create a PKI, which is really frustrating when you do it for the first time. You can use OpenSSL or GnuTLS for this. I ended up making minipki, a python3 wrapper around the OpenSSL binary, specifically so I wouldn't have to put up with OpenSSL's shit interface any more.
But after that, how do you actually get your certificate out to your users? Each browser on each OS may have its own way of storing trusted CA certificates.
Installing certificates on Debian/Ubuntu
Almost all applications on Debian/Ubuntu will use this store, including curl and wget, but not including Mozilla applications or Google Chrome.
aptitude install ca-certificates
install --mode 644 ca.crt /usr/local/share/ca-certificates/ca.crt
update-ca-certificates
Note that the ca-certificates package installs the Debian/Ubuntu certificate authorities, and also (at least as of now) the bundle from Mozilla. It puts these in /usr/share/ca-certificates, and uses the /etc/ca-certificates.conf file to determine whether files in that directory are trusted. However, all certificates in /usr/local/share/ca-certificates are trusted implicitly.
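A worked check of what those three commands actually accomplish, added here as an example and not part of the original post or of minipki: the script builds a throwaway CA and a leaf certificate with the openssl CLI (constructed test data), shows that the leaf verifies against nothing while the store is empty, then drops the CA into a relocated copy of /usr/local/share/ca-certificates and rebuilds the bundle that update-ca-certificates writes to /etc/ssl/certs/ca-certificates.crt, after which verification succeeds. The fake root directory and the function names are my own; nothing here touches the real system store.

```shell
#!/bin/sh
# Added example (not the post's own code): a throwaway CA plus one leaf
# certificate, and the Debian/Ubuntu trust-store step replayed against a
# fake root directory instead of /. Requires the openssl CLI.

make_test_pki() {
    # $1 = working directory. Constructed test data: RSA 2048, valid one day.
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=Example Internal CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=intranet.example" \
        -keyout "$dir/server.key" -out "$dir/server.csr" >/dev/null 2>&1
    openssl x509 -req -sha256 -days 1 -in "$dir/server.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/server.crt" >/dev/null 2>&1
}

# What update-ca-certificates does for the implicitly trusted directory,
# relocated under root $1: every .crt in <root>/usr/local/share/ca-certificates
# is concatenated into <root>/etc/ssl/certs/ca-certificates.crt.
build_bundle() {
    root=$1
    mkdir -p "$root/etc/ssl/certs"
    cat "$root"/usr/local/share/ca-certificates/*.crt \
        > "$root/etc/ssl/certs/ca-certificates.crt"
}

# Prints "untrusted-before trusted-after": the leaf fails verification with
# no trust anchors and passes once the CA is in the rebuilt bundle.
demo_debian_ca_trust() {
    work=$(mktemp -d) || return 1
    make_test_pki "$work"

    # Before: no CA file and no CA directory, so nothing can anchor the chain.
    if openssl verify -no-CAfile -no-CApath "$work/server.crt" >/dev/null 2>&1; then
        before=trusted-before
    else
        before=untrusted-before
    fi

    # After: the install step from the post, aimed at the fake root.
    root="$work/root"
    mkdir -p "$root/usr/local/share/ca-certificates"
    install -m 644 "$work/ca.crt" "$root/usr/local/share/ca-certificates/ca.crt"
    build_bundle "$root"
    if openssl verify -no-CApath \
        -CAfile "$root/etc/ssl/certs/ca-certificates.crt" \
        "$work/server.crt" >/dev/null 2>&1; then
        after=trusted-after
    else
        after=untrusted-after
    fi

    rm -rf "$work"
    echo "$before $after"
}

# Usage: sh demo-ca-trust.sh run   -> prints "untrusted-before trusted-after"
if [ "${1:-}" = run ]; then
    demo_debian_ca_trust
fi
```

The same `openssl verify -CAfile /etc/ssl/certs/ca-certificates.crt server.crt` check against the real bundle (or simply `curl https://your-host/`, since curl reads that bundle on Debian/Ubuntu) is the quickest way to confirm that a CA really landed in the store after `update-ca-certificates`.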
Installing certificates on a Mac
Native Mac applications (such as Safari and Mail) use this store. Google Chrome uses it as well.
Command line
You may be able to add CA certs to /Library/Preferences/cacert.pem but I'm not sure how robust that is / what happens if that file gets updated by something else (such as Keychain.app).
Using Keychain.app (either per-user or for the whole computer)
- Open a .crt file with Keychain (this is the default double-click action for a .crt file)
- Select the keychain you want to add the cert to
- To trust for all users, add it to the System keychain (requires admin password)
- I believe you can add it to the login keychain instead if you want only your current user to trust the CA, but I'm not sure about that.
- Select the trust settings for the CA - choose "Always Trust" for everything.
Installing certificates on Windows
Native Windows applications (such as Internet Explorer and Outlook) use this store. Google Chrome uses it as well.
Via Active Directory
- This procedure is correct at least on Windows Server 2008 R2
- http://technet.microsoft.com/en-us/library/cc738131%28WS.10%29.aspx
gpmc.msc -> Create and link a new GPO -> right-click -> Edit that GPO
Computer Configuration/Policies/Windows Settings/Security Settings/Public Key Policies/Trusted Root Certification Authorities -> right-click -> Import
Manually on the commandline
- You can use certutil.exe for this, per Microsoft's certutil documentation, though I haven't done it. This is available at least on Win7 Pro.
Manually via the GUI
- Open the .cer file and click the "Install" button. On Windows XP, you can just click Next through all the options until you're done.
- However, on Vista and 7, you have to specifically select the root certificate store. When the wizard opens, select the "Place all certificates in the following store" radio button, and browse to the "Trusted Root Certification Authorities" store. Then click OK -> Next -> Finish, etc, until you're all done.
Installing certificates to a Mozilla profile
Mozilla products have a separate store in each user profile.
Exciting fact: This means that you'll have to do this separately for your Firefox and Thunderbird profiles!
Manually in the GUI
Options -> Advanced -> Encryption -> View Certificates -> Authorities tab -> Import
Using NSS certutil
See mozilla-ssl-nss for information on using Mozilla's (not Microsoft's) certutil.exe to directly modify the certificate store in Firefox and Thunderbird.
Installing certificates in Chrome
Chrome is an exciting blend of the Mozilla Way and the OS Way.
- Chrome reads certificates from the OS store on Windows and Mac OS X. If these are your platforms, you're done.
- However, Chrome has an NSS certificate store on Linux inside ~/.pki/nssdb. As far as I know, there is not a global certificate store for Chrome on Linux. There's a Chromium wiki page for cert management. There's also a blog post which is a bit more concise and also has some information about self-signed certs.
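To do the per-profile work described in the Mozilla and Chrome sections above in one go, here is an added shell example (mine, not from the post, the mozilla-ssl-nss write-up, or the Chromium wiki): it finds every NSS database under a home directory, i.e. each Firefox and Thunderbird profile plus Chrome's ~/.pki/nssdb, tells certutil which database format each one uses, and imports one CA into all of them trusted for TLS servers. Assumed: Mozilla's certutil from NSS (the libnss3-tools package on Debian/Ubuntu) is on PATH or named in CERTUTIL, the home directory layout is the stock ~/.mozilla/firefox, ~/.thunderbird and ~/.pki/nssdb, and the applications are closed while it runs so they pick the change up on restart.

```shell
#!/bin/sh
# Added example (not the post's own code): import one CA into every NSS
# certificate database a user has, instead of only the default profile.
# Mozilla's certutil, not Microsoft's. Override with CERTUTIL=/path/to/certutil.
CERTUTIL=${CERTUTIL:-certutil}

# Print "<format>:<dir>" for every NSS database below home directory $1.
# cert9.db is the newer SQLite format ("sql:" prefix, Firefox 58+ and Chrome);
# cert8.db is the legacy Berkeley DB format ("dbm:" prefix).
nss_databases() {
    home=$1
    for d in "$home"/.mozilla/firefox/*/ "$home"/.thunderbird/*/ "$home"/.pki/nssdb/; do
        [ -d "$d" ] || continue        # the glob matched nothing
        d=${d%/}
        if [ -f "$d/cert9.db" ]; then
            echo "sql:$d"
        elif [ -f "$d/cert8.db" ]; then
            echo "dbm:$d"
        fi
    done
}

# Import CA file $2 under nickname $3 into every database below home $1.
# Trust flags "C,," = trusted to issue server (SSL/TLS) certificates only;
# e-mail and code-signing trust are deliberately left off.
# Prints one line per database it imported into.
install_ca_everywhere() {
    home=$1 ca=$2 nick=$3
    nss_databases "$home" | while IFS= read -r db; do
        "$CERTUTIL" -d "$db" -A -t "C,," -n "$nick" -i "$ca" \
            && echo "imported into $db"
    done
}

# Usage: sh nss-import.sh ca.crt "Example Internal CA"
if [ $# -ge 2 ]; then
    install_ca_everywhere "$HOME" "$1" "$2"
fi
```

After the import, `certutil -d sql:$HOME/.pki/nssdb -L` lists what each database trusts, which is the place to look when Chrome on Linux still shows a warning for a site the system store already trusts.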
A quick note about NSIS
NSIS is the NullSoft Installer System. There's an NSIS script to import root certificates. It works with the Windows default store and the Firefox one. It's useful for employees who work from home and don't have company-provided equipment on the domain. Unfortunately it doesn't do Thunderbird, although it looks like it'd be pretty easy to add support for it. Also unlike my batch files, this only installs it to the default FF profile, not all profiles in %APPDATA%\Mozilla\Firefox\Profiles
This script works for me but the NSIS language is really ugly and I don't wanna wade through it again right now, so I'm just going to link to the official page.
Tangents
This post is about the pragmatics of managing a small SSL PKI, but keep in mind that TLS/SSL in general is a total clusterfuck.
SSL actually kind of sucks
- Trust is permanent. Our current system has no way to un-trust a CA that has gone bad without breaking SSL for many, many sites.
- CAs already go bad.
- OpenSSL is complete horseshit. "I can not believe that the internet is running on such a ridiculous complex and gratuitously stupid piece of code."
- I actually wrote a project whose whole goal is just wrapping OpenSSL because the interface is really bad, and documentation is a fucking joke.
- GnuTLS is actually not quite as terrible as OpenSSL, interface-wise. However, I have had problems moving from OpenSSL -> GnuTLS before involving at least Apache (in the past) and curl (recently).
You can do cool stuff with it anyway
- OCSP stapling can be enabled for a given site. The caveat is that the server now has to fetch (and cache) the OCSP response itself; if it does that synchronously the first time it's needed, that handshake stalls, but done right it removes the client's own OCSP round trip rather than adding one.
- EFF has a project called the SSL Observatory which collects statistics about SSL use on the Internet
- sslh is an SSL/SSH multiplexer that lets you run multiple services (https, ssh, openvpn, more) behind one ssl port (such as 443). This might be useful if your network blocks port 22 outbound, and you want to ssh to a server you control anyway.
- Moxie Marlinspike's Convergence project is an attempt to solve the irrevocability and accountability problems that current SSL certificate authorities have.
- Moxie's sslsniff lets you MITM SSL connections (seamlessly, if the client already trusts what you present: either you hold the private key for the server's certificate, or you hold a CA key the client trusts), which is useful for troubleshooting SSL problems.
Part one: Why?
I use a Linux livecd frequently in my work.
- Clonezilla is a useful tool to quickly back up data. I use it on client machines before I do something potentially destructive, or before a reimage, to make sure that I can't forget something (as I have done before trying to manually copy important data off the old disk).
- Knoppix is of course very useful in that it's a whole environment. It has imaging tools, can read documents, browse the web, etc.
- Backtrack has been very useful when I attend cons, and when I worked the InfoSec Southwest Demolition Derby CTF.
- Offline NT Password and Registry editor is tiny (fits on a floppy, even) and resets Windows passwords.
However, there is a huge, crippling problem with every single livecd out there.
They all ship with caps lock as caps lock by default.
Fuck.
That.
Shit.
And, though that is obviously the worst problem with livecds, there are others. (God does alias l=ls instead of alias l=less annoy me.) If I'm going to build my own livecd anyway, I might as well include a decent screenrc/bashrc/profile/inputrc, and actually install the things I use:
- Include dhd, my "distributed home directory" git repository that contains dotfiles and the like. Never have to remember ls -Flarth (sort by mtime, ascending) again!
- Include stumpwm, the lovechild of GNU Screen and GNU Emacs. (stumpwm is a really nice "X multiplexer", if you want your X session to be a lot like a screen session. I tried using it as my main desktop manager for a while and decided it was a little too restrictive - sometimes I do want to move a window with my mouse, dammit! - but for a computer that I'm trying to fix, rather than do all of my work from, it's perfect.)
- Include conkeror, the web browser that got Emacs disease. (Unlike stumpwm, I do use conkeror every day, but like stumpwm, I don't switch over to it completely, but instead use it alongside other browsers.)
- Include Emacs. Obviously
- Include X, but don't start it by default.
And since this is a totally custom livecd, I could also do pretty interesting things like
- Include a recent ~/.ssh/known_hosts file. Actually, I decided to start keeping this inside my dhd repository that I'm including anyway, so every machine I use can have a synced-up copy. (Except Windows, because PuTTY uses the registry for this shit, ugh.) Note: if you publish your known_hosts file, whether on the web, in git, or on a livecd that might find its way outside of your control, you should consider turning on hashing (the HashKnownHosts option, discussed in ssh_config(5) or on the internets). Upstream OpenSSH leaves it off, but Debian and Ubuntu ship an ssh_config that turns it on; either way it only affects entries added from then on, so run ssh-keygen -H over the file you already have.
- Include the certificate of my own SSL certificate authority which I use for non-customer stuff.
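Because a half-hashed known_hosts is easy to commit by accident, here is an added example (not from the original post) of a check to run before publishing the file, together with the ssh-keygen -H call that hashes an existing one in place. The sample known_hosts in the usage is constructed; the key material in it is not real.

```shell
#!/bin/sh
# Added example (not from the original post): refuse to publish a known_hosts
# file that still carries plaintext host names. Paths are assumptions.
set -eu

# Print the number of host entries that are not hashed (hashed ones start with
# "|1|salt|hash"). Comments and blank lines are skipped; @cert-authority and
# @revoked markers are stripped first so the host field is what gets inspected.
unhashed_known_hosts() {
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1" |
    sed 's/^@[a-z-]*[[:space:]]*//' |
    grep -c -v '^|1|' || true
}

# 0 only if nothing in the file names a host in the clear.
publishable() { [ "$(unhashed_known_hosts "$1")" -eq 0 ]; }

# Hash an existing file in place. ssh-keygen leaves a .old copy of the
# plaintext version behind, which defeats the purpose, so remove it.
hash_known_hosts() {
    command -v ssh-keygen >/dev/null 2>&1 || { echo "ssh-keygen not found" >&2; return 2; }
    ssh-keygen -H -f "$1" && rm -f "$1.old"
}

# Usage: known_hosts_check.sh ~/.ssh/known_hosts
if [ -n "${1:-}" ]; then
    publishable "$1" || { echo "$(unhashed_known_hosts "$1") unhashed entries in $1" >&2; exit 1; }
fi
```

Hashing only slows an attacker down: host names are guessable and the hash is a plain HMAC-SHA1 over the name, so a dictionary of likely hosts recovers most entries (the brute-force script mentioned under Tangents later in this post does exactly that). Treat a hashed file as "not conveniently listable", not as secret.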
Part two: Selecting the tools
I have tried several methods for creating a Linux livecd, and found several with downsides. I eventually settled on Debian Live under a dedicated Debian Wheezy (currently "testing", and will be released as 7.x). (I couldn't make it work under Ubuntu, which is my normal distribution.)
Here are some notes about my somewhat frustrating selection process.
- I investigated rebuilding Knoppix, but initial investigation seemed to indicate that you must have Knoppix installed to your hard drive, which I wanted to avoid if possible.
- I saw the same requirement for customizing SystemRescueCd, which is another livecd I've found use for in the past.
- Next I tried this page on the Ubuntu wiki: LiveCDCustomizationFromScratch. It looked promising. However:
- I had a problem causing a kernel panic on a system with mdadm-configured disks. Bug report.
- I later tried Debian Live, using a 3.x package installed from Ubuntu 11.10 (Oneiric).
- I had a problem where the live.cfg that was generated for isolinux would not contain the proper name for the kernel on the disk. Bug report.
- Since upgrading from Oneiric to Precise in April, I have not revisited this.
- I tried the Casper scripts (from Ubuntu's LiveCDCustomizationFromScratch page) under Precise, when it came out, but even when starting totally from scratch (no customizations at all), it just panics on boot.
- I decided to try to use Debian Live from Debian itself. I installed Wheezy (testing / what is going to be 7.x when it is officially released) and used the debian-live packages from APT (again the unstable 3.x series), and it worked! This does have the downside of requiring a dedicated build machine (actually a virtual machine) for my livecd, but unlike a dedicated Knoppix build machine, this one is easily updatable, and so forth.
I heard about, but didn't get around to, these methods:
- grml-live is strange because it relies on the AIK which relies on (a customized version of) Debian Live, so you end up having to know a little about D-L, AIK, and grml.
- Gentoo's catalyst sounds interesting, and I like Gentoo OK and all, but the thought of a Gentoo VM compiling packages all day on my already old and overloaded VM server just didn't sound like much fun. It takes long enough just unpacking Debian packages already on my disk; if I was recompiling them all the time it'd probably take half the day to do one test build.
- I haven't tried the Debian Live package in Ubuntu Precise, only Oneiric. I do note that there is an important difference between Ubuntu and Debian - Ubuntu uses Upstart, and Debian uses sysvinit. This is relevant because live-config depends on the live-config-backend virtual package, which resolves to one of live-config-{systemd,sysvinit,upstart}, and that package relies on systemd, sysvinit, or upstart being installed on the host system.
Part three: Working with Debian Live
- D-L has some sorta-OK documentation on its homepage. Well... it did. When I was using it, you could get documentation for 1.x ("oldstable"), 2.x ("stable"), or 3.x ("testing") at http://live-manual.debian.net; now, that server refuses HTTP requests. Even when I was using it, the 1.x and 2.x documentation had a bad CSS link (though 3.x worked). All in all, it's best to install the live-manual-all package on Debian or Ubuntu so you can get a decent copy of the documentation.
- This documentation is useful for simple customizations. If you want to replace files in the livecd filesystem, for example, this is easy. It's also pretty short - you can read through the whole thing in 20 minutes or less.
Here's a straight walkthrough to get to what I'm using (with sensitive bits removed). See this snapshot of my configuration files when they're referenced below.
- Run mkdir livecd; cd livecd; lb config to create the initial directory structure.
- Modify the auto/config script. You specify basic settings here like livecd username, lists of packages to install, local mirrors, etc.
- One change I made from the default was to run the kernel with console= parameters that name both the keyboard/monitor and the first serial port as consoles. Very nice if you're used to serial ports. Of course, this requires that the machine be configured to boot from cd by default, but still, it's pretty handy.
- Add a list of packages inside a file like config/package-lists/list.chroot (it must end in .chroot if it is to be installed inside the livecd filesystem). These Debian packages will be installed and usable when you boot your livecd.
- If you want to modify the isolinux configuration, add files to config/includes.binary/isolinux. For example, to add a custom splash screen, create a splash.png file in that directory.
- Add stuff to config/includes.chroot that you want to be part of the livecd's filesystem.
- I create some dedicated livecd ssh host keys and put them inside config/includes.chroot/etc/ssh (the ssh_host_*_key and ssh_host_*_key.pub files), so that I can ssh albacore and be relatively sure that I'm not being MITM'd. D-L removes ssh host keys by default, so if you want to do this you have to remove the file /usr/share/live/build/hooks/006-remove-openssh-server-host-keys.chroot on the host system. (I renamed it to *.disabled and that works too.) Keep in mind that the private halves then sit readable inside the ISO; see Part six.
- Make changes to live-config scripts in config/includes.chroot/lib/live/config:
- First, install the live-config package on the host.
- Then copy the scripts you want to change from /lib/live/config into the chroot include directory. You could copy the whole directory there, but since we only want to zero out some files, just do that:

mkdir -p config/includes.chroot/lib/live/config
# cp /lib/live/config/* config/includes.chroot/lib/live/config   # the whole-directory variant
cd config/includes.chroot/lib/live/config
for file in 006-gdm 007-gdm3 008-kdm 009-lxdm 010-nodm 011-slim 012-xinit \
    102-gnome-panel-data 103-gnome-power-manager 104-gnome-screensaver \
    107-kde-services 117-xserver-xorg 111-sslcert 002-user-setup
do
    : > "$file"
done

All that does is put completely blank files over some of the default live-config scripts, so it will:
- speed up boot time by not autogenerating an ssl certificate
- disable the gnome and kde services I don't care about anyway
- disable X from starting at boot (you can still run startx though)
- disable live user creation entirely (I do it myself in an rc script instead)
- Add your certificate authority to config/includes.chroot/usr/local/share/ca-certificates. Any certs in this directory are automatically added to the trusted store by update-ca-certificates (see the man page for more info), with one gotcha: the file name must end in .crt, or it is silently ignored.
- Then add a file config/hooks/update-ca-certificates.chroot that runs update-ca-certificates. This file is run in the chroot stage, before the iso is generated.
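Here is how I'd write that hook, as an added example rather than the post's own file: it refuses to build if something in the CA directory won't be picked up, and after update-ca-certificates runs it confirms the cert actually made it into the system bundle. CA_DIR and the certificate used in the test are assumptions; the PEM body there is a constructed placeholder, not a real certificate.

```shell
#!/bin/sh
# Added example (not the post's hook): config/hooks/update-ca-certificates.chroot.
# update-ca-certificates only picks up *.crt files under CA_DIR, so check that
# before running it, and verify the result in /etc/ssl/certs/ca-certificates.crt.
set -eu
CA_DIR=${CA_DIR:-/usr/local/share/ca-certificates}   # assumption: the default location
BUNDLE=${BUNDLE:-/etc/ssl/certs/ca-certificates.crt}

# 0 if every regular file under $1 ends in .crt and contains a PEM certificate.
check_ca_dir() {
    bad=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        case "$f" in
            *.crt) ;;
            *) echo "not .crt, update-ca-certificates will ignore it: $f" >&2; bad=1; continue ;;
        esac
        grep -q -- '-----BEGIN CERTIFICATE-----' "$f" || { echo "not PEM: $f" >&2; bad=1; }
    done
    return $bad
}

# 0 if bundle $1 contains certificate $2. Compares the first base64 line of the
# PEM body (start of the DER: length, version, serial), so no openssl needed.
bundle_has_cert() {
    body=$(sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$2" | sed -n '2p')
    [ -n "$body" ] && grep -qF -- "$body" "$1"
}

# Only the real hook run (root, inside the live-build chroot) touches the system.
if [ "$(id -u)" -eq 0 ] && [ -d /lib/live/config ]; then
    check_ca_dir "$CA_DIR"
    update-ca-certificates
    for f in "$CA_DIR"/*.crt; do
        bundle_has_cert "$BUNDLE" "$f" || { echo "missing from bundle: $f" >&2; exit 1; }
    done
fi
```

The hook file itself has to be executable in the checkout, which is the same git-and-umask problem Part four is about.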
Create an /etc/default/keyboard file under config/includes.chroot (the XKBOPTIONS line, set to ctrl:nocaps) to make capslock be control. This is useful because it works in the console, not just X!
To create my user, I did this:
- I called my user "jessica".
- Added an /etc/skel-jessica directory.
- Almost all of what's in here is symlinks to stuff in the dhd directory... see dhd/hbase for the type of stuff I keep there.
- (I was having some permissions problems when creating /home/jessica directly, even when doing a subsequent chown -R. Adding a different skel directory and using it in the user creation hook solved that problem.)
- Added a users.chroot hook. This adds the user and group using my skel directory, and lets the user sudo without typing its password.
- It also does a clone of my dhd git repository in the user's homedir. This is a more ghetto way of doing a git submodule, which is probably a better solution. Note that this clone is done at livecd build time and therefore I have a single version of my dhd repo baked in to the disc.
- This script also sets the live user's password with useradd's --password option. This option accepts an encrypted password that you can generate like this: echo password | mkpasswd --method=sha-512 --stdin. (That echo leaves the cleartext in your shell history and, if you do it in the build, in the build log; run mkpasswd without --stdin and type the password at its prompt instead.)
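For reference, an added example of such a users.chroot hook (my version, not the post's own file): it creates the group and user from the custom skel directory, drops a scoped sudoers file, bakes in a pre-computed sha-512 crypt hash, and clones the dotfiles repository once at build time. The user name, skel path, hash and repository URL are assumptions, and it assumes the sudo and git packages are in your package list.

```shell
#!/bin/sh
# Added example (not the post's users.chroot). Runs as root inside the live-build
# chroot. LIVE_USER, LIVE_SKEL, LIVE_HASH and DHD_REPO are assumptions; the hash
# below is a placeholder, not a real one. Generate a real one with
# "mkpasswd --method=sha-512" and type the passphrase at the prompt.
set -eu
LIVE_USER=${LIVE_USER:-jessica}
LIVE_SKEL=${LIVE_SKEL:-/etc/skel-$LIVE_USER}
LIVE_HASH=${LIVE_HASH-}
[ -n "$LIVE_HASH" ] || LIVE_HASH='$6$replaceme$notARealHashReplaceBeforeBuilding'
DHD_REPO=${DHD_REPO:-https://example.invalid/dhd.git}   # placeholder URL

# Accept only a sha-512 crypt string: "$6$" + salt + "$" + hash. Anything else
# (cleartext, an md5 "$1$" hash) is refused rather than baked into the disc.
valid_sha512_crypt() {
    case "$1" in '$6$'*'$'?*) return 0 ;; esac
    return 1
}

# One sudoers line scoped to the live user; goes in /etc/sudoers.d with mode 0440.
sudoers_entry() { printf '%s ALL=(ALL) NOPASSWD: ALL\n' "$1"; }

create_live_user() {
    valid_sha512_crypt "$LIVE_HASH" || { echo "LIVE_HASH is not a sha-512 crypt hash" >&2; return 1; }
    groupadd -f "$LIVE_USER"
    # -k needs -m; -p takes the already-encrypted password.
    useradd -m -k "$LIVE_SKEL" -g "$LIVE_USER" -G sudo -s /bin/bash -p "$LIVE_HASH" "$LIVE_USER"
    sudoers_entry "$LIVE_USER" > "/etc/sudoers.d/$LIVE_USER"
    chmod 0440 "/etc/sudoers.d/$LIVE_USER"
    # Cloned at build time, so the disc carries exactly one revision of dhd.
    su "$LIVE_USER" -c "git clone '$DHD_REPO' ~/.dhd"
}

# Only run for real as root inside the live-build chroot.
if [ "$(id -u)" -eq 0 ] && [ -d /lib/live/config ]; then
    create_live_user
fi
```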
Part four: checking the configuration into git.
- You'll want a .gitignore file that excludes the temporary stuff that lb creates.
- Git doesn't store full permissions, only the executable bit. This is a problem because of the stuff that goes into includes.chroot: if you have umask as 077 like I do, when you check out the git repo, all files will prohibit group and other from reading them, which causes a headache in lots of the things in the chroot.
- I have a setperms.sh script which fixes this, which I run before doing the build at all.
- I also have a doit.sh script which runs that command, and sets up a build log with tee and ghetto log rotation.
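An added example of what such a setperms script has to do (mine, not the post's setperms.sh): directories back to 755, files readable by everyone without losing their executable bit, hook scripts executable, and the baked-in ssh host private keys back to 0600 so they at least aren't world-readable on the build host. The tree layout is the one the post describes.

```shell
#!/bin/sh
# Added example (not the post's setperms.sh): normalise modes under a live-build
# config tree after a git checkout made with umask 077. Run from the build
# machine before "lb build". The config/ layout is as described in the post.
set -eu

setperms() {
    root=$1
    inc=$root/config/includes.chroot
    [ -d "$inc" ] || { echo "no $inc" >&2; return 1; }
    # Directories must be traversable by everyone inside the chroot.
    find "$inc" -type d -exec chmod 755 {} +
    # Files: world-readable, not group/world-writable; x bit is left as git set it.
    find "$inc" -type f -exec chmod a+r,go-w {} +
    # live-build only runs hooks that are executable.
    if [ -d "$root/config/hooks" ]; then
        find "$root/config/hooks" -type f -name '*.chroot' -exec chmod 755 {} +
    fi
    # Host private keys: 0600 again (the .pub halves stay readable).
    for key in "$inc"/etc/ssh/ssh_host_*_key; do
        if [ -f "$key" ]; then chmod 600 "$key"; fi
    done
}

# 0 if nothing under $1 lacks group and other read permission (post-check).
world_readable() { [ -z "$(find "$1" ! -perm -044)" ]; }
```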
Part five: Misc
- I have a config/hooks/disabled-services.chroot which disables services I don't want to run at boot time. It's useful to have nfs installed in case I need it, but there's no reason to have e.g. portmapper start when you boot - it's more secure, plus it will boot faster without it.
- I have a config/includes.chroot/etc/rc.local which runs this line: su jessica -c 'bash ${HOME}/.rc.user' &, where jessica is the livecd user I created earlier. I can add any command I want inside ~jessica/.rc.user, and it is run at boot time. I use this to update my dhd git repository at boot time so that I always have the latest bashrc. One caveat: whoever controls the network between the livecd and the dhd remote at that moment controls what bash executes next, so that remote needs to be reached over https (validated against the CA baked into the disc) or ssh (validated against the baked-in known_hosts), never git:// or plain http.
Part six: Security
There are some things I do that should give you cause for concern. Here's a list of concerns and my reasoning for doing what I did.
- Bake in a user's password, so that anyone who gets a copy of the livecd can get it and crack it.
- This saves me trouble - I can just boot from the cd and walk away, and later ssh into the machine because I already know the password.
- I give a good passphrase for my user, not a simple password. It's easier to type ~20 characters than drive to a client's site because I forgot to fucking run passwd before leaving.
- For this fact to be of any use to an attacker, they'd have to be interested in targeting the system that I boot from. On the one hand, this is not controlled by me (I don't break the systems, I just fix them), but on the other hand, if the attacker can break it so bad that it has to be solved from a livecd, they don't need a livecd to compromise it.
- Furthermore, for this to be useful to an attacker, they'd have to know when the livecd is booted, and be on its local network. Because this changes so often, it is unlikely, though possible.
- Bake in the host ssh keys
- This is honestly of more concern to me than exposing the hash of a good password.
- It still requires an attacker to specifically target the system I'm working on, and prepare to MITM me in advance
- I believe that this is less likely to compromise me than generating new ssh keys on each boot and ignoring the security check when sshing to the livecd (come on, we've all done it). On the other hand, if it goes unnoticed, the results may be more damaging.
Possible security solution - full disc encryption
I really want to completely encrypt the livecd filesystem. This is possible - old versions (2.x) of debian-live supported the --encryption switch, but the 3.x version removed it. I think that TAILS may have done some work in this area?
This would solve my main security problems:
- My password hash can't be compromised until the filesystem is decrypted. This is unlikely but still possible.
- My ssh host private keys can't be compromised. This is a far bigger concern because right now they're just sitting unencrypted inside the livecd's filesystem.squashfs file, which anyone with a copy of the ISO can unpack.
Other security stuff
- I can configure xscreensaver to lock the screen after a certain period of time by default.
- I can prevent autologin somehow (maybe with the user-setup package thing?)
Tangents
Interesting shit I discovered while writing this post:
- Someone has written a script to help brute-force hashed known_hosts files.
Addendum - adding third party repositories
Of course, APT supports third party repositories. The documented Debian Live way to do this, however, won't work for us.
Debian Live lets you add a repository line to the config/archives/live.list.{binary,chroot} files in order to add the repository to the livecd system and the chroot respectively. (I don't really understand this distinction well, but it doesn't matter because we can't really use this anyway.) Almost all apt repositories have their packages signed by a GPG key, however, and Debian Live provides no way to add a key to the trusted list.
All I do is create a hook that adds the repository manually and then installs the packages I want from it.
An example, config/hooks/drbl-apt-repository-gpg.chroot (hooks run as root inside the chroot, so no sudo, and the file has to be executable):
#!/bin/sh
# Runs as root inside the live-build chroot, after the package lists are installed.
set -e
slist=/etc/apt/sources.list.d/albacore.list
rm -f "$slist"
touch "$slist"
packages=""
## DRBL repository, contains Clonezilla
# NOTE: you could replace 'testing' with 'stable' or 'unstable' if you like:
echo "deb http://free.nchc.org.tw/drbl-core drbl testing" >> "$slist"
gpg --keyserver keys.gnupg.net --recv 40009511D7E8DF3A
gpg --export 40009511D7E8DF3A | apt-key add -
packages="${packages} clonezilla"
## Add other repositories here:
echo "deb http://deb.torproject.org/torproject.org sid main" >> "$slist"
# Fetch by the full fingerprint, not the 8-digit short id: short ids collide
# easily, and a keyserver will happily hand back someone else's key for 886DDD89.
gpg --keyserver keys.gnupg.net --recv A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89
gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | apt-key add -
packages="${packages} deb.torproject.org-keyring tor tor-geoipdb torsocks"
# apt-key trusts these keys for every repository, not just the one they sign;
# newer apt can scope a key to one source with [signed-by=/path/to/key.gpg].
apt-get update
apt-get install --yes $packages
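The receive-then-trust step above is the part worth being paranoid about, so here is an added example (not from the original post) of it done defensively: the function refuses anything shorter than a full 40-hex-digit fingerprint, fetches into a throwaway keyring, and compares the fingerprint of what actually came back before piping it to apt-key. The keyserver is the one the post uses and can be overridden with KEYSERVER.

```shell
#!/bin/sh
# Added example (not from the original post): import an apt signing key only
# after checking that the key the keyserver returned has the fingerprint we
# asked for. Short (8- or 16-digit) key ids are trivially collidable, so a
# lookup by short id can return an attacker's key; a full fingerprint cannot.
set -eu

# Upper-case and drop spaces: "a3c4 f0f9 ..." -> "A3C4F0F9...".
normalize_fpr() { printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]'; }

# 0 only for a full v4 fingerprint: exactly 40 hex digits.
is_full_fingerprint() {
    f=$(normalize_fpr "$1")
    [ "${#f}" -eq 40 ] && [ -z "$(printf '%s' "$f" | tr -d '0-9A-F')" ]
}

# Fetch, verify, import. Needs gpg and apt-key (run inside the chroot hook).
import_repo_key() {
    want=$(normalize_fpr "$1")
    is_full_fingerprint "$want" || { echo "refusing to import by short key id: $1" >&2; return 1; }
    tmp=$(mktemp -d)
    gpg --homedir "$tmp" --keyserver "${KEYSERVER:-keys.gnupg.net}" --recv-keys "$want"
    # With --with-colons, "fpr" records carry the fingerprint in field 10.
    got=$(gpg --homedir "$tmp" --with-colons --fingerprint "$want" | awk -F: '$1=="fpr"{print $10; exit}')
    if [ "$got" != "$want" ]; then
        echo "fingerprint mismatch: wanted $want, got $got" >&2
        rm -rf "$tmp"; return 1
    fi
    gpg --homedir "$tmp" --export "$want" | apt-key add -
    rm -rf "$tmp"
}

# Usage inside the hook (the Tor key fingerprint from the sources.list above):
#   import_repo_key A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89
```

For the DRBL key the post only has a 16-digit long id, so it can't go through this function as-is; look the full fingerprint up out of band (the project's own page, not a keyserver) and pass that.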
Almost all apt repositories are signed by GPG keys, so in outline the hook does three things:
- After the normal packages have been installed, add the repository to a sources.list fragment inside the chroot.
- Get the GPG key that signs packages from the new repo.
- Add that key to apt's trusted keys, then apt-get update and install what you want.
One of the reasons I wanted to do this was to replace the separate Clonezilla livecd with this one. I had thought that the clonezilla package was installed from my package list, but it turns out that it's not in Debian at all. You need to add the DRBL repository to the chroot's sources.list.
Debian Live would also let you do that part declaratively: put the deb line in config/archives/drbl.list.chroot (you could also choose stable or unstable rather than testing), and the same line in config/archives/live.list.binary so the booted livecd's sources.list has it too. But since those files give you no way to add the signing key, importing it still requires a chroot hook like config/hooks/drbl-apt-repository-gpg.chroot above, so I just do all of it in the hook.
SXSW stuff
This is mostly so I can tell friends, "here's how to do SXSW". It's not a real blog post; it's more how I write notes, but with better grammar.
If you don't have a badge
This is what everybody wants to know. Just go to austin2012.sched.org and filter by "unofficial". You might also care about what I'm doing (below).
If you've never done this before, you'll be totally shocked at how many free events with no badge required give away alcohol by the buckets. It's easier to find free alcohol than food. Seriously. Some of it is even good!
If you do have a badge
- http://austin2012.sched.org is amazing. It lists every party, panel, and show; it categorizes official/unofficial; it even includes information on free booze/food/swag. For events that require RSVP, they include the link to do this. You can also create an account and add events to your schedule - this is recommended, because the strategy for this site is to RSVP to anything that sounds remotely interesting, and decide whether to actually go at the last minute. You'll have a great list on your phone of a bunch of stuff that sounded cool and probably has free booze.
- http://schedule.sxsw.com is pretty good, but it's only for official events.
Specific events for badgeholders
- PureVolume House is its own mini-event inside SXSW every year (or at least, it is this year and it was last year). You have to RSVP online and pick up a separate badge and bring the email (a printout or on your smartphone) they sent you when you pick it up. However, it's free, and there's loads of parties with free alcohol and such (search for purevolume on the sched.org page to see). Pick up your badge as early as possible. The lines are fucking horrible.
- HypeMachine Hotel seems to be a similar thing, I dunno, but I'm trying it out. Again, search for "hypemachine" on sched.org to see how many events are here.
What am I doing?
Lots of stuff. Keep in mind that I'm probably going to show up to maybe 15% of the events I'm listed for.
- My sched.org stuff - this is a big list of what I might go to
- My schedule on sxsw.com - this is stuff I know I want to see, although whether I actually make it is dependent on how I feel and who I'm with at the time of the show. It's also obviously only going to have official stuff.
- Google Calendar: XML, iCAL. I don't honestly use this much, but some things aren't conveniently listed on one of the other services
Partymongering
- https://twitter.com/#!/sxswpartylist or https://www.facebook.com/SXSWPartyList
- http://twitter.com/#!/mager
- http://austinist.com/sxswist - Supposed to be something here, but it's just blank
- http://do512.com/c/sx2012/events/all-parties/2012/03/08/?time - All the parties according to do512
- http://eventbrite.com/sxsw - EventBrite is an event management site sorta like sched
Strategy
- sched.org gives you an .ics file that you can use in iCal on the Mac, Calendar on the iPhone, Google Calendar, etc etc. You can also use it, at least on the iPhone, as a web app on your homepage. It works OK, but not great; I'm using the .ics file on my phone when I can, and only going to the site (which is S-L-O-W, probably because everyone is hitting it like mad this close to SXSW) when I have to.
- There's also schedule.sxsw.com, which provides an .ics file as well. However, the official SXSW Go app is pretty good, and I've been using it.
- You almost certainly want a separate email account for sxsw stuff that you can turn off afterward.
- Lots of parties use EventBrite or Do512, so sign up for all those so you don't have to keep entering your name, email, etc.
- You can link some of these other web accounts with Facebook if you want, although I haven't found this to be particularly useful.
- You don't mind being on a waitlist for a party. Probably most of the people ahead of you are flakes like you are.
- You do mind paying for a party. Fuck that shit.
- Some of these RSVPs require action on your part - you might have to reply to the email they send you, or you might have to actually bring the email on your phone to the event (like PureVolume). Try to note this where you can.
Yay, Windows supports symbolic links!
First problem: The only damn interface for this is a cmd.exe builtin. That's right, mklink isn't an executable, and there ain't no other way to make a link without third-party tools. If you want to do it from, say, PowerShell, you have to do something stupid like add this to your PowerShell Profile:
# PowerShell has no native mklink, so shell out to the cmd.exe builtin.
# Arguments (e.g. /D link target) are passed straight through.
function mklink {
echo "(Running mklink from cmd.exe...)"
cmd /c mklink $args
}
(It's also been pointed out to me that there are third-party extensions which add the ability to deal with links, such as PowerShell Community Extensions, but come on. This should be first party stuff right here.)
Second problem: If you're an administrator, you absolutely cannot do this without elevated privileges. "But no", you say, "it says so right on that page you linked. All you have to do is edit security policy in secpol.msc."
Yeah, well, I tried that. Here's what Microsoft has to say about it:
After giving “Everyone” the privilege “Create symbolic link”, please reboot (or log off) and log in as a standard user, a user who is NOT a member of group “Administrators”. You should be able to create a symbolic link using mklink command in a directory where user has write permissions.
The reason a member of “Administrators” cannot create symbolic link is because “Create symbolic link” privilege is removed from the filtered token since user is a member of “Administrators” group. Section “Access Token Changes” of article at link http://msdn.microsoft.com/en-us/library/bb530410.aspx describes in more details on how filtered token is created.
So you're telling me that you can change it so that a restricted user can create links (without elevation, obviously), but it's just not possible at all to change it so an administrator can create links without elevating? And this is by design?
Are you fucking kidding me?
I use ikiwiki for this site. There are things I like about ikiwiki a lot:
- It uses Markdown
- No database required
- The history is stored in a revision control system (git in my case)
However, it's not very easy to set up the first time. These are my notes on how I did it.
The setup file
It's easiest to follow the setup instructions and use auto-blog.setup, and then tweak it later.
Ikiwiki and permissions
This is a bit hard for me to remember for some reason, so I'll write it down here.
- For normal editing, check out your ikiwiki repo to somewhere inside ~. OK.
- The user that runs ikiwiki --setup must have write access to somewhere in your document root. IkiWiki's documentation generally assumes that this is your user, which is fine for personal setups but for a company I'd rather have a dedicated user for this sort of thing.
- You can use www-data for this. Apparently this goes against Debian policy, because www-data isn't supposed to own any files for security reasons (if the web server process can write its own content, a compromised web app can rewrite the site). I think I'm going to use www-data for this in spite of that, because I already have www-data owning files elsewhere anyway.
- In the past I've taken the approach of creating a dedicated user for these files called ikiadmin or something, with a primary group of www-data.
- Just understand that it doesn't matter who owns the files as long as they have write access to the srcdir and destdir in your .setup file. Given that, the post-commit hook will be generated with all the appropriate permissions so that the web user can see and execute what it needs to, no matter what else.
- A very wrong-headed way to approach this is to run ikiwiki --setup as root and then chown the files to www-data manually, like I kept wanting to do for some reason. DON'T DO THAT.
- For one of my wikis, the repos are already owned by www-data and accessed via dav_svn, which works great. The site is private, so it shouldn't be world-readable, and www-data can commit directly to the svn repository using file:/// (bypassing dav_svn) when a page is changed via the web.
- This site, though, is public, which means that world-readable is OK, but since apache wasn't handling my commits to the repo, www-data can't own the bare repo. The repo should be owned by me and stored in a place that www-data has access to... I think I'm going to choose /var/www/ikiwiki. chown that directory to me with a 755 mode.
- I then created the ikiwiki as my own user with ikiwiki --setup /etc/ikiwiki/auto-blog.setup. Edit the setup file to change the locations for everything, and the umask. Move the src dir, the bare repo, etc into /var/www/ikiwiki and chown/chmod them properly. I have /var/www/ikiwiki/{younix.us.git,younix.us.src,younix.us.dest}. As part of the move, you also have to edit .git/config inside the srcdir or it won't be able to find the bare repository to pull from.
- Make sure that apache knows that your DocumentRoot is the destdir (or, if ikiwiki is managing just a subset of your site, you might use the Alias directive to point it in the right place).
- Now you do a clone of your bare repo and start working and committing.
Chatterbox / firehose
I have a "firehose" on the main page (based on what Joey calls a chatterbox). This was mostly pretty easy.
I did tweak the CSS by adding this to local.css:
/* I want to use Ikiwiki's aggregate plugin for a chatterbox:
   http://ikiwiki.info/tips/add_chatterbox_to_blog/
   However, it generates annoying "posted by @mrled" on every tweet. This gets rid of that. */
.microblog-header { display: none }
I'm putting the !aggregate directive in HTML comments like <!--[[!aggregate expirecount=5 name="Pinboard" dir="pinboard" url="http://pinboard.in/u:mrled" feedurl="http://feeds.pinboard.in/rss/u:mrled"]]-->. Ikiwiki still processes it, but the resulting "$Feedname: last checked $date" isn't displayed before each feed. That way I can make my own, simpler headers.
The page isn't getting rendered from Markdown to HTML, so I'm just doing everything in HTML. That's OK with me though... it isn't a page where I'm writing a bunch of text, it's just a bunch of directives with some English glue so humans can parse it a little better.
The ikiwiki chatterbox tip says "To filter out @-replies, append and !@ to the PageSpec", but this didn't work for me at all. I ended up with this pagespec: "internal(./tweets/*) and !title(mrled: @*)". Obviously where I have "mrled", put your own Twitter account name.
That is also the reason that I have expirecount=25 in the aggregate directive, but show=5 in the inline directive... if some of the most recent 5 tweets were @ replies, there are 20 more to fall back on that aren't, so that the Twitter feed will have something to display.
local.css
You can of course see my local.css file. It started out its life as "Swiss.css" that is distributed with Marked, a MultiMarkdown preview app for Mac OS X that I like a lot. I made a couple of tweaks - I didn't like how list item text was larger than body text, for example - but mostly left it alone, and then added specific styling to ikiwiki-specific classes and ids at the bottom.
Importing old posts from Wordpress
I did this manually because I just had a dozen or so posts I needed to migrate. I still ran into some issues, though
Blog post dates
I had thought that these dates were based on the repo's date for add/modify... but that does not seem to be the case at all. All you really need to do is add a line like this to a markdown file and ikiwiki will change the modified date accordingly: [[!meta date="Aug 12, 2011 18:21"]]
Post titles
- ikiwiki does NOT support MultiMarkdown's metadata stuff or wiki linking... which means that although MMD supports having a line like Title: Title of my blog post at the top of your document, ikiwiki just sees that as text. Suck.
- You can use the meta directive.
- If you don't do that, ikiwiki derives it from the filename. I like this idea, but underscores are converted to spaces and upper/lower is preserved, which means your filenames end up looking like /blog/Post_title_with_underscores_and_some_upper_case. Eww.
- I guess the good thing about doing it the ikiwiki way is that wiki linking just works. If you de-couple your post title from the filename, then you have to wikilink with the filename, not the title. Not sure I really care about this though.
Apache redirects
My Wordpress URLs used the scheme http://younix.us/blog/$date/$slug, like http://younix.us/blog/20111015/heres-what-i-dont-like-about-this-whole-social-music-thing/. I made sure the slugs were the same, and then redirected /blog/$date/$slug to /soc/$slug in Apache like this (this is written for the virtual host context; inside a .htaccess the path being matched has no leading slash):
RewriteEngine on
RewriteRule ^/blog/[0-9]*/(.*) /soc/$1 [L,R]
This doesn't handle lots of stuff - tag pages, category pages, old RSS feeds, or the URLs that were like ?p=123 - but it gets everything I care about, which is that external links won't break. (If I had anyone actually reading my feed besides me, I might care about RSS too, but... eh.)
Ikiwiki and Emacs
I wrote a few Emacs functions to make blog posting easier. One of my favorite things about Wordpress or Tumblr, or even Facebook, is that you don't have to decide what you want to call your post right away. Most of my work here is trying to replicate that experience as best as I can.
I created two several new functions for this purpose:
iki/rename-to-title, which takes the contents of ameta titledirective and creates a Wordpress slug -like name out of it.For example, if I have a title of "Something randome -- a post!", it converts it to "something-random-a-post".
iki/new-blog-post, which creates a temporary file in the site's blog directory with a temporary name based on the time.This is useful, but it would be a lot more useful if I added a drafts directory that is checked into git but ignored by ikiwiki (which I think you can do in the .setup file somewhere), and then this function added the page there and automatically checked it into the repo for me.
With those two functions, I can now create a new document and start typing, and add a title later.
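The title-to-slug step is the part that has to agree with the old Wordpress slugs for the redirects above to line up, so here is an added example (my own code, not the Emacs functions from the post) of that transformation in Python: it pulls the title out of an ikiwiki `[[!meta title="..."]]` directive, lowercases it, collapses every run of non-alphanumeric characters into one hyphen and trims the ends. Folding accented characters to ASCII is an addition of mine; the post does not say whether the Emacs version does that. The sample page text is constructed.

```python
import re
import unicodedata

# ikiwiki meta directive of the form [[!meta title="..."]]
META_TITLE = re.compile(r'\[\[!meta\s+title="([^"]*)"\]\]')


def meta_title(page_text):
    """Return the title from the page's meta directive, or None if there is none."""
    m = META_TITLE.search(page_text)
    return m.group(1) if m else None


def slugify(title):
    """Turn a post title into a Wordpress-style slug.

    The result only ever contains [a-z0-9-], so it is safe to use directly
    as a filename: no path separators, no '..', no shell metacharacters.
    A title made only of punctuation yields an empty string.
    """
    # Fold accented characters to their ASCII base letter (assumption: the
    # Emacs original may simply drop them instead).
    ascii_title = unicodedata.normalize("NFKD", title).encode("ascii", "ignore").decode()
    slug = re.sub(r"[^a-z0-9]+", "-", ascii_title.lower())
    return slug.strip("-")


def slug_for_page(page_text):
    """Slug for a page, derived from its meta title directive (None if no title)."""
    title = meta_title(page_text)
    return slugify(title) if title else None


# Constructed ikiwiki page source with the directives the post's functions insert.
SAMPLE_PAGE = '''[[!meta title="Something random -- a post!"]]
[[!meta date="2011-10-15"]]

Body text goes here.
'''

if __name__ == "__main__":
    print(slug_for_page(SAMPLE_PAGE))   # something-random-a-post
```

Because the slug doubles as the filename, it is worth keeping the character whitelist this strict even if a looser one would produce prettier names; every character class you allow into a filename is one more thing the web server and the wiki engine have to agree on.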
I also created some metadata functions:
- iki/insert-meta-title, bound to C-c i t, inserts a !meta title directive
- iki/insert-meta-date, bound to C-c i d, inserts a !meta date directive, and was mostly useful when I was importing old posts from Wordpress.
- iki/insert-directive-tag, bound to C-c i y, inserts a !tag directive
There are a few other functions that these rely on, but that's the meat of it. I also include Steve Yegge's rename-file-and-buffer and move-buffer-file functions, because not only are they so useful that they really belong in Emacs by default, but I also rely on rename-file-and-buffer to make iki/rename-to-title work properly.
You can see the most recent version of my whole .emacs file which is checked into git, or you can just see a snapshot of the relevant bits that I saved today.
If there's something more powerful than cash, it's design.
Well. Maybe "don't like" is a bit strong. Here's why I think it's (as yet) uninteresting.
Background: Mostly the context for this is just that now Spotify is in my Facebook feed, but I also just read a fascinating article, Why music ID resolution matters to every music fan on Facebook. Then there's also this silly thing and this even sillier thing.
When I hear day9 tweet his song of the day, I know what I'm getting. He heard it. He loved it. I know what he likes. I know I (usually) like that too. Sometimes there's a description about the song in question, which makes me yet more likely to click. The most important thing - he's shared it with me on purpose. That's interesting.
When your mom listens to 18 songs on Spotify, though, I don't know a thing about them. For all I know, she's walked out of the room for a second. The only time I'll even notice is when she listens to a song I already know is awesome, which, while it gives us a chance to e-high-five to our favorite "fucking" music, is pretty much the equivalent of a conversation made up entirely of Monty Python quotes - rehashed, and at worst annoying to everyone else in the room. Plus, if I haven't heard the song before, it just can't be interesting to me because it's on this Giant List Of Shit She Heard One Time.
What users are really interested in is a recommended and/or curated set of music links. "Recommended" meaning that someone liked a song enough to recommend it to a specific person (the best case), a subset of people, or at the very least she enjoyed enough to blast it out to the world on purpose. "Curated" meaning that it's tended by someone who makes sure that it's linking to the right version (remember all that song ID resolution shit from the first link?), who in the very least can fix mistakes (heh, heh, totally didn't mean to listen to Lady GaGa there, guys!), or maybe even (in the best case) has some sort of intentions for the stream they're putting out to the world.
Blogs are already like this. Organically - that is, not because of some social music app but because people are already doing this in Messages(tm) and Wall(tm) Posts(tm) and so forth - Facebook itself is already like this. Compare a curated link blog or a recommendation post to something like "I'm Here And There". Sure, "I'm Here And There" might be a curiosity, but do you even for a second want it in your RSS feed? If someone auto-tweeted every link they click on, would you follow them? (TERRIFYING FACT: someone could easily make a Firefox extension that does this.)
Maybe what I'm trying to say is that our algorithms just aren't smart enough (an alternative perspective would be that they aren't creepy enough) to tell us what the users care about, which is not what you're listening to but why. Technically this is what the big companies care about too, but they have big datacenters and millions of users and metrics and probability models, so they just figure if you tell them the "what", they'll calculate the "why". Users - your friends - don't have those resources. If your 57th viewing of "Dancing in the Dark" is going to be really interesting to them, you're going to have to tell them why you're so enthralled.
Maybe in the future the algorithms will be able to figure this out for us, much like Facebook's ability to tell when 27 people are writing on your mom's wall for her birthday. Then we'll be living in the wonderful world of "Your Dad and 7 of your other friends paused Dev's hit 'Dancing in the Dark' at 00:22 in for the nudie bits! Click here to see the video!". (And possibly also in the wonderful world of "Your Mom just heard a sweet new track and based on your past listening preferences, we're pretty sure you're going to like it.", although if I think about this honestly, it's more likely that all that cool math will deliver popups for whatever off-brand of futureviagra you're most likely to click on.)
While you're pondering our dark future, let me also say that I'm not at all opposed or even really annoyed by what's going on with Spotify and Facebook. It's kind of cool, I guess (all of this bullshit aside, anyway). But what's really going to resonate with users is a platform that lets them speak up when they have something to say, not one that amplifies the minutiae of everyday life.
You can't parse [X]HTML with regex. Because HTML can't be parsed by regex. Regex is not a tool that can be used to correctly parse HTML. As I have answered in HTML-and-regex questions here so many times before, the use of regex will not allow you to consume HTML. Regular expressions are a tool that is insufficiently sophisticated to understand the constructs employed by HTML. HTML is not a regular language and hence cannot be parsed by regular expressions. Regex queries are not equipped to break down HTML into its meaningful parts. so many times but it is not getting to me. Even enhanced irregular regular expressions as used by Perl are not up to the task of parsing HTML. You will never make me crack. HTML is a language of sufficient complexity that it cannot be parsed by regular expressions. Even Jon Skeet cannot parse HTML using regular expressions. Every time you attempt to parse HTML with regular expressions, the unholy child weeps the blood of virgins, and Russian hackers pwn your webapp. Parsing HTML with regex summons tainted souls into the realm of the living. HTML and regex go together like love, marriage, and ritual infanticide. The <center> cannot hold it is too late. The force of regex and HTML together in the same conceptual space will destroy your mind like so much watery putty. If you parse HTML with regex you are giving in to Them and their blasphemous ways which doom us all to inhuman toil for the One whose Name cannot be expressed in the Basic Multilingual Plane, he comes. HTML-plus-regexp will liquify the nerves of the sentient whilst you observe, your psyche withering in the onslaught of horror. 
Rege̿̔̉x-based HTML parsers are the cancer that is killing StackOverflow it is too late it is too late we cannot be saved the trangession of a chi͡ld ensures regex will consume all living tissue (except for HTML which it cannot, as previously prophesied) dear lord help us how can anyone survive this scourge using regex to parse HTML has doomed humanity to an eternity of dread torture and security holes using regex as a tool to process HTML establishes a breach between this world and the dread realm of c͒ͪo͛ͫrrupt entities (like SGML entities, but more corrupt) a mere glimpse of the world of regex parsers for HTML will instantly transport a programmer's consciousness into a world of ceaseless screaming, he comes
, the pestilent slithy regex-infection will devour your HTML parser, application and existence for all time like Visual Basic only worse he comes he comes do not fight he com̡e̶s, ̕h̵is un̨ho͞ly radiańcé destro҉ying all enli̍̈́̂̈́ghtenment, HTML tags lea͠ki̧n͘g fr̶ǫm ̡yo͟ur eye͢s̸ ̛l̕ik͏e liquid pain, the song of re̸gular expression parsingwill extinguish the voices of mortal man from the sphere I can see it can you see ̲͚̖͔̙î̩́t̲͎̩̱͔́̋̀ it is beautiful the final snuffing of the lies of Man ALL IS LOŚ͖̩͇̗̪̏̈́T ALL IS LOST the pon̷y he comes he c̶̮omes he comes the ichor permeates all MY FACE MY FACE ᵒh god no NO NOO̼OO NΘ stop the an*̶͑̾̾̅ͫ͏̙̤g͇̫͛͆̾ͫ̑͆l͖͉̗̩̳̟̍ͫͥͨe̠̅s͎a̧͈͖r̽̾̈́͒͑enot rè̑ͧ̌aͨl̘̝̙̃ͤ͂̾̆ ZA̡͊͠͝LGΌ ISͮ̂҉̯͈͕̹̘̱ TO͇̹̺ͅƝ̴ȳ̳ TH̘Ë͖́̉ ͠P̯͍̭O̚N̐Y̡ H̸̡̪̯ͨ͊̽̅̾̎Ȩ̬̩̾͛ͪ̈́̀́͘ ̶̧̨̱̹̭̯ͧ̾ͬC̷̙̲̝͖ͭ̏ͥͮ͟Oͮ͏̮̪̝͍M̲̖͊̒ͪͩͬ̚̚͜Ȇ̴̟̟͙̞ͩ͌͝S̨̥̫͎̭ͯ̿̔̀ͅ
Have you tried using an XML parser instead?
(Screencap, just in case.)
(Edit: Oh god, it spreads.)
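The serious claim buried under the Zalgo above is that HTML nests, and a regular expression cannot count nesting depth or know that it is inside a comment. Here is an added example (mine, not part of the quoted answer) that makes the point concrete: a regex that "extracts the first div" is run against the same constructed snippet as a small html.parser-based extractor that tracks depth. This is the same mismatch that bites HTML filters and sanitizers, which is why a filter should see the document through a real parser rather than a pattern.

```python
import re
from html.parser import HTMLParser

# Naive approach: grab whatever sits between the first <div> and the first </div>.
# It cannot tell an inner </div> from the outer one, and it cannot tell that a
# <div> inside a comment is not markup at all.
DIV_RE = re.compile(r"<div>(.*?)</div>", re.S)


def first_div_regex(html):
    """Text between the first <div> and the first </div>, as a regex sees it."""
    m = DIV_RE.search(html)
    return m.group(1) if m else None


class FirstDivText(HTMLParser):
    """Collect the text of the first top-level <div>, honouring nesting and comments."""

    def __init__(self):
        super().__init__()
        self.depth = 0      # how many <div> we are currently inside
        self.done = False   # set once the first top-level div has closed
        self.parts = []

    def handle_starttag(self, tag, attrs):
        if tag == "div" and not self.done:
            self.depth += 1

    def handle_endtag(self, tag):
        if tag == "div" and self.depth > 0 and not self.done:
            self.depth -= 1
            if self.depth == 0:
                self.done = True

    def handle_data(self, data):
        if self.depth > 0 and not self.done:
            self.parts.append(data)

    # Comments go to handle_comment, never to handle_starttag, so the parser
    # is not fooled by markup that only appears inside <!-- ... -->.


def first_div_parser(html):
    """Text of the first top-level <div> as a real HTML parser sees it (None if no div)."""
    p = FirstDivText()
    p.feed(html)
    p.close()
    if not p.done and p.depth == 0:
        return None
    return "".join(p.parts)


# Constructed input: a commented-out div, then a real div with a nested div inside it.
SAMPLE = (
    "<!-- <div>not real</div> -->"
    "<div>outer <div>inner</div> tail</div>"
    "<div>second</div>"
)

if __name__ == "__main__":
    print("regex :", first_div_regex(SAMPLE))    # not real
    print("parser:", first_div_parser(SAMPLE))   # outer inner tail
```

The regex answer is text from inside a comment, and even on comment-free input it stops at the first inner close tag; the depth-tracking parser returns the whole outer element. Depth counting is exactly the thing a regular language cannot express, which is the whole of the argument once you strip the screaming off it.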