Personal highlights from 39c3
Videos from all the #39c3 talks I attended are now online at media.ccc.de. There’s a huge number of videos here, and most of the talks I haven’t seen yet. But some personal highlights include:
- A Tale of Two Leaks: How Hackers Breached the Great Firewall of China
- Not an Impasse: Child Safety, Privacy, and Healing Together
- To sign or not to sign: Practical vulnerabilities in GPG & friends
- Excuse me, what precise time is It? (PTP Protocol)
- Hacking washing machines
- AI-generated content in Wikipedia - a tale of caution
- Agentic ProbLLMs: Exploiting AI Computer-Use and Coding Agents
- Persist, resist, stitch
- Variable Fonts — It Was Never About File Size (pushing the limits of what you can do with a font file)
- Recharge your batteries with us - an empowering journey through the energy transition
- CSS Clicker Training: Making games in a “styling” language
- Textiles 101: Fast Fiber Transform
- 51 Ways to Spell the Image Giraffe: The Hidden Politics of Token Languages in Generative AI
- The Small Packet of Bits That Can Save (or Destabilize) a City
- The Museum of Care: Open-Source Survival Kit Collection (news from the David Graeber institute)
- a media-almost-archaeology on data that is too dirty for “AI” (what scraped data do LLM trainers exclude)
- What Makes Bike-Sharing Work? Insights from 43 Million Kilometers of European Cycling Data
- Shit for Future: turning human shit into a climate solution
- Learning from South Korean Telco Breaches (turns out SSL downgrade attacks are still a thing)
- APT Down and the mystery of the burning data centers (on that South Korean government datacenter that burned down and the suspicious timing)
- The Spectrum - Hackspace Beyond Hacking (intro to a FLINTA* hackspace in Munich)
- How to keep Open Source open without leaving our communities open to threats (ongoing work to build crisis management in open source organisations)
- We, the EU, and 1064 Danes decided to look into YouTube: A story about how the EU gave us a law, 1064 Danes gave us their YouTube histories, and reality gave us a headache (on getting access to VLOPSEs data via GDPR / DSA as a researcher, in this case YouTube data)
But I’ve still got 60+ videos to watch from the talks I didn’t attend.
The people who attended in person will probably tell you that the workshops, meetups, etc. were more valuable than the talks. But they’re (mostly) not shared online.
I had a great time joining remotely via the streams, Matrix and Mastodon. But I do miss the smaller Congress events of the Berlin era, where it felt like a tighter-knit community.
Let me know your favorites on mastodon
Tags: 39c3
Self-hosted webmentions
The centralisation of webmentions on webmention.io is bad, partly caused by the lack of good options. There’s a couple of self-hosted servers available, including go-jamming and webmentiond but these require you to run your own server. So instead of figuring out how to make either of these work in docker-compose, I wrote my own. In Bash. As a CGI script.
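One thing the script below does not do is check the two URLs before storing them: the Webmention spec expects a receiver to accept only targets on its own site, to reject source == target, and to verify that the source page really links to the target, otherwise the endpoint is a free store for arbitrary URL pairs. These POSIX sh helpers are an added example of those checks, not part of the original script; OUR_HOST, the function names, the curl limits and the sample HTML are my assumptions.

```shell
#!/bin/sh
# Added example: checks a webmention receiver should run before storing a mention.
# Hypothetical helpers, not part of the CGI script on this page. POSIX sh + curl/grep/sed.

OUR_HOST="wheresalice.info"   # assumption: the only host this receiver accepts targets for
# http(s) only; host of letters/digits/dots/dashes; no whitespace, control chars or quotes
URL_RE="^https?://[A-Za-z0-9.-]+(:[0-9]+)?(/[^[:space:][:cntrl:]'\"<>]*)?\$"

valid_http_url() { printf '%s' "$1" | grep -Eq "$URL_RE"; }

url_host() { printf '%s' "$1" | sed -E 's#^https?://([^/:]+).*$#\1#' | tr 'A-Z' 'a-z'; }

# The target must be a page on this site.
target_is_ours() { [ "$(url_host "$1")" = "$OUR_HOST" ]; }

# Does the HTML in $1 contain an href equal to $2 (trailing slash ignored)?
# Extract every href, strip quotes and trailing slash, then fixed-string whole-line match.
source_links_to_target() {
  printf '%s' "$1" | grep -Eo "href=[\"'][^\"']*[\"']" \
    | sed -E "s/^href=[\"']//; s/[\"']\$//; s#/\$##" \
    | grep -Fxq "$(printf '%s' "$2" | sed 's#/$##')"
}

# Fetch the source with limits so a hostile or slow page cannot stall or flood the receiver.
# (A production receiver should also refuse loopback/private hosts before fetching.)
fetch_source() {
  curl -sSL --max-redirs 3 --max-time 10 --max-filesize 1048576 \
       -A 'webmention-receiver (sh)' "$1"
}

# verify_mention SOURCE TARGET [HTML]: returns 0 if the mention should be accepted.
# HTML is optional; when given, the check runs on that body instead of fetching SOURCE.
verify_mention() {
  src=$1; tgt=$2; body=${3-}
  valid_http_url "$src" || { echo "rejected: bad source URL" >&2; return 1; }
  valid_http_url "$tgt" || { echo "rejected: bad target URL" >&2; return 1; }
  [ "$src" != "$tgt" ] || { echo "rejected: source equals target" >&2; return 1; }
  target_is_ours "$tgt" || { echo "rejected: target not on this site" >&2; return 1; }
  if [ -z "$body" ]; then body=$(fetch_source "$src") || return 1; fi
  source_links_to_target "$body" "$tgt" || { echo "rejected: source does not link to target" >&2; return 1; }
}

# Constructed sample page standing in for a fetched source (no network needed).
SAMPLE_HTML='<html><body><p>Reply to <a class="u-in-reply-to" href="https://wheresalice.info/notes/2025-01-01/">this note</a></p></body></html>'
```

With these checks in front of the INSERT, the script's filter() becomes a second line of defence rather than the only one.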
#!/bin/bash
# setup:
# 1. chmod a+x this file
# 2. mkdir ~/webmentions && chmod a+w ~/webmentions
# 3. sqlite3 ~/webmentions/webmention.db "CREATE TABLE webmentions(published TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP,source TEXT NOT NULL,target TEXT NOT NULL,UNIQUE(source, target));"
# 4. change DB_DIR to point to the full path to your webmentions directory
#
# requires: bash, sqlite3 and GNU awk (the three-argument match() used below is a gawk extension)
#
# test:
# curl -i -d source="https://www.example.com" -d target="https://wheresalice.info" https://wheresalice.envs.net/cgi-bin/webmention.sh
#
# references
# https://devtut.github.io/bash/cgi-scripts.html#request-method-get
# https://gist.github.com/dam2k/5df0d8d3fdabc41e8ce2c799734f65d4
set -euo pipefail

readonly DB_DIR="/home/wheresalice/webmentions"
# Default allow-list pattern; configurable from the environment but not currently used by filter().
: "${FILTER_PATTERN:=^[A-Za-z0-9_]+$}"

# Decode application/x-www-form-urlencoded text: '+' becomes a space, then every
# %XX escape is rewritten to \xXX and expanded by echo -e.
# ($_ holds the last argument of the preceding no-op ':' command.)
urldecode() {
  : "${*//+/ }"
  echo -e "${_//%/\\x}"
}

# Strip the characters that matter most when the value is spliced into the
# SQL statement below: single quotes, backticks, dollar signs and semicolons.
filter() {
  echo "$1" | tr -d \' | tr -d \` | tr -d \$ | tr -d \;
}

# Emit the CGI response headers for the given HTTP status line.
sendstatus() {
  printf 'Content-Type: text/plain\n'
  printf 'Status: %s\n' "$1"
  printf '\n'
}

main() {
  # Default the CGI variables so 'set -u' does not abort on a bare invocation.
  export REQUEST_METHOD=${REQUEST_METHOD:-}
  export CONTENT_TYPE=${CONTENT_TYPE:-}
  export CONTENT_LENGTH=${CONTENT_LENGTH:-}

  if [ "${REQUEST_METHOD}" != "POST" ]; then
    sendstatus '400 Bad Request'
    printf 'Only POST is supported'
    exit 0
  fi

  # ${VAR##*pattern*} is empty only when CONTENT_TYPE contains the substring.
  if [ -n "${CONTENT_TYPE##*x-www-form-urlencoded*}" ]; then
    sendstatus '415 Unsupported Media Type'
    printf 'Unsupported Media Type\n'
    printf 'Expected application/x-www-form-urlencoded'
    exit 0
  fi

  # Refuse a missing, non-numeric or zero Content-Length before handing it to read.
  case "${CONTENT_LENGTH}" in
    ''|*[!0-9]*|0)
      sendstatus '400 Bad Request'
      printf 'A non-empty request body is required'
      exit 0
      ;;
  esac

  # -N reads exactly CONTENT_LENGTH characters and does not stop at a newline;
  # '|| true' keeps 'set -e' from killing the script on a short body.
  read -r -N "${CONTENT_LENGTH}" QUERY_STRING_POST || true

  local source target
  source=$(echo "${QUERY_STRING_POST}" | awk 'match($0, /source=([^&]+)/, a) { print a[1] }')
  target=$(echo "${QUERY_STRING_POST}" | awk 'match($0, /target=([^&]+)/, a) { print a[1] }')
  source=$(urldecode "${source}")
  target=$(urldecode "${target}")
  source=$(filter "${source}")
  target=$(filter "${target}")

  if [ -z "${source}" ] || [ -z "${target}" ]; then
    sendstatus '400 Bad Request'
    printf 'source and target are required\n'
    printf "%s -> %s\n" "${source}" "${target}"
    echo "${QUERY_STRING_POST}"
    exit 0
  fi

  # INSERT OR IGNORE: thanks to UNIQUE(source, target) in the schema a repeated
  # mention is a no-op instead of a constraint error that would abort the script.
  (printf "PRAGMA journal_mode = WAL; INSERT OR IGNORE INTO webmentions (source,target) VALUES('%s','%s');" "${source}" "${target}") | sqlite3 "${DB_DIR}/webmention.db" >/dev/null

  sendstatus '202 Accepted'
  printf "%s -> %s\n" "${source}" "${target}"
}

main "$@"
Tags: indieweb
WHY2025 and HOPE 16 Linkdump
WHY2025 was the latest in a series of hacker camps in the Netherlands that have gone by multiple names. It's a young and queer crowd.
HOPE 16 was the 16th iteration of HOPE, the now-annual Hackers On Planet Earth conference. I've lost count of which iterations I've attended, but it's definitely one of my favourite conferences. The inclusion of us remote European attendees via Matrix works really well. It tends to be an older and more anarchist-leaning crowd.
So here's what we learned:
- There are good maturity models for threat detection engineering 1 2. You should probably be using these.
- ADSB.lol makes their global ADSB tracking data available for export and ADSB.exposed lets you query ADSB data with Clickhouse queries. The latter enables such things as mapping unusually steep climbs
- Dependency-check supports a lot more than just Java now, and together with Renovate you can get good dependency vulnerability checking without GitHub
- We've known for a long time that a new server with a public IP gets lots of requests, but what if we say yes to them all? certainly is an offensive security toolkit for capturing large amounts of traffic in bitflip and typosquatting scenarios
- Forensically is good for detecting image manipulation and photo forensics in general
- It's ok to have Severely Deficient Autobiographical Memory
- Bitpart lets you run bots on Signal to support activists using Rust and CSML
- h4ck3rs is an amazing vaporwave edit of the movie Hackers
- ProjectBookmark is an ESP8266-based project replicating the pirateboxes of old: a wireless access point and captive portal for file sharing
- Is BGP safe yet? No, at least not on my ISP
- But maybe I should become my own ISP
- And use containerlab to test out the networking first
- You should map the electrical grid in your area, using these tools
- Here's how to make your spaces neuro-inclusive
- The autistic space is fragile to the neurotypical gaze
- If buying isn't owning then pirating isn't stealing. alpha60 has some data on torrent-based piracy
- sticktock is another attempt at making Tiktoks available with no spying
Tags: linkdump
indiewebification of wheresalice.info
wheresalice.info now has as much indieweb goodness as possible with Obsidian Digital Garden:
- webmention.io header in src/site/_includes/components/user/common/head/myhead.njk
- hidden h-card added to src/site/_includes/components/user/index/footer/hcard.njk within a section with style="display: none;"
- notes layout updated to include all the h-entry bits in src/site/_includes/layouts/note.njk (this bit can probably be pushed upstream)
- webmention form added, and mentions are listed on each page via some javascript in src/site/_includes/components/user/common/afterContent/mentions.njk
2025-03-28
Things you may have missed in March, or my monthly(ish) linkblog
Articles
- Avoid the nightmare bicycle, stop hiding your underlying infrastructure and give users the ability to build a clear model in their heads
- Hierarchy of Hazard Controls (or how to stop devs from dropping prod) is a good introduction to the topic and applies it to devops. The failure to apply this was also highlighted in a recent Marine Accident Investigation
- Infinite Canvas encourages us to use virtual whiteboards instead of traditional note apps. Personally I really like this approach as the landing page for a team's documentation
- Life Altering Postgresql Patterns or just some tips on designing your tables
- Mid-conditional love talks about how (un)conditional love isn't a binary, it's a spectrum
- Traefik TLS configuration
- Weird but useful charts
Tools / Websites
- bearlytics is a straightforward web analytics tool that helps you understand your website traffic without selling your soul to the tracking gods. No cookies, no PII problems, just the basics
- Redirector rewrites URLs in your browser based on regex patterns. For example, rewrite all Twitter links to xcancel or all Reddit links to old.reddit.com
- Search Engine Party compares search engines in terms of privacy in a nice table. Maybe combine it with search engines with their own index
- TrainPlanner is an open-ended puzzle game where you have to create a safe, efficient and pretty rail network to let Miku deliver her leeks. It's important work!
- zk is my new pkm tool of choice at work, combined with a neovim plugin. No more needing a mouse, everything in the commandline
Music
- Dynamike @ Bangface 2022 (Often Pompen Takeover) is the perfect example of what I mean when I say silly music I can dance to. A great mix of weird mashups
- The Prodigy 1990-93 History Mix
- HITECH 180 BPM +
- aggressively sapphic pop bops
- Grimy Techno & Bass Mix in the Matrix | Boo Lean
- I Wish You Liked Girls
Videos
- How to Find Your Passion
- The only thing that stopped me from infinite scrolling clickbaity title, but a good video on one person's journalling approach
Infrastructure updates for wheresalice.info
- migrated my main site to European hosting, a European dns provider, and removed the dependency on Cloudflare. It is still a .info domain though, which does depend on the USA
- added HTTP/3 support to subdomains serving dynamic content
- added HTTPS records for wheresalice.info (which means it theoretically works in IPv6 on modern browsers, but probably doesn't)
Why can't we support IPv6 for legacy browsers and other applications? A very good question
- RFC2181 says we can't use a CNAME for the apex. Specifically, it can't be used in combination with NS and SOA records (and historically MX records)
- AAAA records exist for the hostname we would CNAME to but aren't documented as being usable by the hosting provider
- ALIAS records aren't a real thing, they just dynamically return the relevant A/AAAA records. This is a problem for DNSSEC because every nameserver would need the private signing keys to sign those synthesised answers on the fly
Let's hope that HTTPS records become more widely used
Failing to find music on the fediverse
Inspired by Martin's 38C3 talk on search engines I spent some time today taking up the idea of using Mastodon's trending links API to see if I could find some interesting music-related links.
I did this by fetching https://www.fediverse.to/data/dataset.js and stripping the javascript to turn it into json and then extracting just the mastodon hosts with a "music" category:
jq -r '.[] | select(.sw == "mastodon" and any((.cat // [])[]; contains("music"))) | .url' dataset.js > hosts
I then looped through all 82 hosts to fetch "https://%s/api/v1/trends/links"
Of the 82 hosts, only 15 had any links. And none of the links were music related, most were popular news stories.
It was a nice idea, but it looks like you'd have to actually crawl the instances to collect links if you want anything other than the popular sites.
hacky go code if you want to replicate - https://pb.envs.net/?264dc776fc8d4a69#H2wQEFt8fcGPSvRWmekigHuHqbSb8CABwd69FzKsatsP
2025-01-01
Things you may have missed in December:
- HOPE (Hackers On Planet Earth) is now annual, next conference August 15-17, 2025
- Ghostty (a new terminal emulator) had their first public release
- 38C3 Chaos Computer Club Congress happened and videos of the talks are already online
- My 2024 Soundcloud Playback
- I guess I have a blog again now?
- And a matrix account, @wheresalice:envs.net?