Contact Info via WeChat or Email

If you want to contact me, the fastest way is probably via WeChat or email:

  • WeChat ID (微信号): thinkweird
  • Email address: thinkweird#gmail.com (replace # with @)

I’d be happy to get to know you.

Do not directly connect to your VPS using OpenVPN

The traffic that goes through a direct OpenVPN connection can be easily detected by the Firewall, and it will not take long before the IP address of the VPS is blocked. The traffic must be masqueraded via another layer of obfuscation. But if the Firewall decides to block the full ranges of IP addresses of a VPS provider, it can easily do so, thus categorically making any means of obfuscation useless.

I am no networking expert, but I will just propose a wild idea here: perhaps the Syncthing protocol can be used as a non-centralised proxy for web traffic, because I find its relaying servers very efficient in circumventing firewalls.

Experience with BuyVM and Ramnode

As you may be aware, this blog runs on a VPS from Ramnode. My experience with Ramnode has been very positive, because the uptime of the instances is quite good (I have one instance with over 200 days of uptime) and the system is very stable. The connection is also very fast from mainland China. Whether connecting from providers such as China Telecom or China Mobile, the download speed can peak at about 10MB/s via an SSL tunnel. If an instance expires, that will not affect other running instances, and only the VPS with an unpaid notice will be suspended. Oftentimes, I don’t want to use a VPS instance any more, or the IP was blocked by the GFW, so I simply let it expire but keep ordering new ones from Ramnode. Right now I have placed over 17 orders for VPSs with Ramnode over the past few years and I have even recommended it to other people.

This is unlike BuyVM, which is very strict with unpaid instances — even if you do not want to use one of the VPSs any more, an unpaid instance will affect all the running instances (this is at least what I experienced when I was their unwanted client). All the invoices must be paid in full, or otherwise they don’t want to do business with me.

If you reside in China and need a VPS, I highly recommend Ramnode and especially the servers hosted in Seattle. For BuyVM, I don’t know if they are still in business, but my experience with them was very negative.

Why is it so difficult to contact RFI Chinese and send them feedback?

I enjoyed listening to the Chinese language program Les grands penseurs français (法国思想长廊) by 赵越胜. The program is a great introduction to French thinkers because it is concise, clear and the content is well-structured. However, when I wanted to listen to all the previous episodes from the very first one, I found that the only way to do it is to visit their website and click on dozens of program pages to download the mp3 files one by one. This is time consuming, error-prone and frustrating.

Why not use a podcast app instead? Because I cannot find the complete list of all the podcasts of this program, and only the latest ones are available for download. I also checked the RFI Chinese website, and the feed subscription on it is not complete.

Is this due to the restrictions of the feed mechanism or just a stingily misconfigured setting of the number of feeds for subscription? I don’t know, but I want to get the complete podcast of this program and listen from the very beginning and it is not easy to do so. Also, RFI Chinese uploaded the wrong file for the episode called 卢梭与伏尔泰, because the mp3 file on the website feed is Asia_weekly_09-12-17_SEM49.mp3, which is not about les grands penseurs Français.

So I took the time to send feedback through the contact form on RFI’s website. However, after I clicked ‘send’, I saw a circle spinning and spinning forever, and my suggestions to RFI Chinese failed to go through.

Then I thought maybe I could send them a private message via Twitter; however, I was prompted by Twitter that @RFI_Cn was not following me, so I couldn’t send them a message. No, I am not giving RFI an international long-distance call to send my feedback and suggestions.

As a last resort, I thought I should post my frustrations here on my blog, because if RFI Chinese cares about their listeners’ feedback, they should fix their website contact form or simply leave an email address.

If RFI Chinese reads this post, please kindly contact me at thinkweird (replace this with the @ symbol) gmail.com.

I don’t like Systemd and I have complaints about Debian

Today, after installing Debian Testing, which is code-named ‘stretch’, I noticed that my network interface was renamed to enp0s25 instead of the familiar eth0. After a quick search, it was revealed that Systemd did this. The tentacles of Systemd have extended too far and too wide. What was initially an init management program now tends to control every aspect of the system. I am seriously considering switching away from all Linux distributions that come with Systemd. Devuan is a promising option (https://devuan.org/) and next year, instead of donating to Wikipedia as I usually do, I will donate to Devuan to show my support.

Here are more complaints for Systemd:

  • It was developed by some guys working at Red Hat. Beware of Linux with a corporate agenda and be cautious of people working for corporate interests.
  • It is unnecessarily complicated. When using systemctl to start a process with errors, it does not provide the error log directly, but rather gives out partial information and asks me to use journalctl to view the errors, and oftentimes the information provided by journalctl is not of much help either.

Init has been working perfectly for me, and I don’t need whatever magic Systemd claims to have.

Now I also have some complaints about Debian. When installing a program, --no-install-recommends and --no-install-suggests should be the default setting. I want a clean system and I don’t want to install unnecessary dependencies which take up disk space and memory.
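The way to get that default on a Debian system is an apt configuration drop-in rather than remembering the two flags on every apt call. The script below is an added example and not part of the original post; it writes the drop-in into a directory given as a parameter (the real target is /etc/apt/apt.conf.d, and the file name 99-no-recommends is my own choice) and checks that the two directives are present.

```shell
#!/bin/sh
# Added example (not from the original post): make apt behave as if
# --no-install-recommends and --no-install-suggests were always given, by
# placing a snippet in apt's configuration directory. The directory is a
# parameter so the function can be exercised without root; the real target
# is /etc/apt/apt.conf.d. The file name 99-no-recommends is an assumption.

# write_apt_minimal_conf [CONFDIR]  -> prints the path of the file written
write_apt_minimal_conf() {
    confdir=${1:-/etc/apt/apt.conf.d}
    [ -d "$confdir" ] || { echo "no such directory: $confdir" >&2; return 1; }
    conf="$confdir/99-no-recommends"
    # Files in apt.conf.d are read in lexical order, so a 99- prefix makes
    # these settings override whatever earlier fragments or defaults say.
    cat > "$conf" <<'EOF'
// Do not pull in Recommends/Suggests unless asked for explicitly.
APT::Install-Recommends "false";
APT::Install-Suggests "false";
EOF
    printf '%s\n' "$conf"
}

# apt_minimal_is_active [CONFDIR] -> 0 when the drop-in carries both settings.
# On a live Debian host, `apt-config dump | grep Install-` shows the effective
# merged value, which is the authoritative check.
apt_minimal_is_active() {
    confdir=${1:-/etc/apt/apt.conf.d}
    conf="$confdir/99-no-recommends"
    [ -r "$conf" ] || return 1
    grep -q '^APT::Install-Recommends "false";' "$conf" &&
    grep -q '^APT::Install-Suggests "false";' "$conf"
}

# Usage on a real system (as root):
#   write_apt_minimal_conf && apt_minimal_is_active && echo "apt will skip Recommends/Suggests"
```

Packages that were already installed as Recommends are not removed by this; it only stops new installs from pulling them in.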

If the colossal ship of Nokia was sunk by a mole from Microsoft, then, fellow Linuxers, beware of Systemd: it can damage the Linux ecosystem with its corporate agenda. Fuck Systemd.

Linux should always be a system of individual tools working happily together, each responsible for doing one thing only and doing it excellently. By no means should a monolithic system service like Systemd extend its claws into the tried-and-true philosophy of *nix systems.

Switch to Devuan.

Protect Windows with Virtualbox, pfsense, ipcop, ipfire and t1n1wall

This is a precursor to a possibly long post about configuring a software firewall using VirtualBox together with an open source firewall distribution such as ipcop, pfsense or t1n1wall (one of the successors of m0n0wall).

I will jot down the most important elements here; these are the results of hours of tests on various combinations of configurations.

My network settings

  1. One external IP address directly connected to the outside world.
  2. One physical network card.
  3. MS Loopback network card (installed under Windows to function as the Bridged Network interface).

Network properties in the host machine

Instead of keeping just the Bridge Protocol of vmware and the Bridged Networking Driver of virtualbox, I ticked two additional protocols:

  1. Link-layer Topology Discovery Mapper I/O Driver
  2. Link-layer Topology Discovery Responder

In particular, Link-layer Topology Discovery Responder is essential for connecting to the wireless network. When it is unticked, the WAN interface under ipcop or pfsense finds it very difficult to connect to the wireless router. As a result, the network property for the physical network interface on the Windows host machine looks as follows:

[Screenshot: keep both the bridge protocols and the Link-layer protocols in the host machine]

Network configuration under virtualbox

  1. The most important thing is the network configuration under virtualbox. Both adapter 1 and adapter 2 need to be attached to Bridged Adapter (see attached pictures).
  2. I did limited tests and it appeared that selecting the Host-only adapter can also work, since there is a virtualbox bridged network driver ticked for “VirtualBox Host-Only Network”. However, if I choose Host-Only network for adapter 2, t1n1wall cannot forward traffic from the host Windows machine to the outside world. For t1n1wall, and maybe other BSD flavored firewalls, it is better to set adapter 2 as bridged — although I assume making adapter 2 the Host-Only network would make the host machine safer.
  3. I also installed Debian + arno’s iptables firewall in virtualbox, and adapter 2 can be Host-Only or Bridged; both will work. In arno’s iptables firewall, just enable NAT and the host Windows machine will be able to visit the outside world.
  4. To easily identify which NIC is designated to WAN or LAN, click on Advanced and manually edit the automatically generated MAC address to something you can identify. I changed the last two digits of the WAN MAC address into something like 080027276FAA and the last two digits of the LAN MAC address into something like 080027698CBB.
[Screenshot virtualbox.adapter1: virtualbox network configuration for ipcop and pfsense, adapter 1]
[Screenshot virtualbox.adapter2: virtualbox network configuration for ipcop and pfsense, adapter 2. For adapter 2, selecting Host-Only network should also work, but I am not sure whether port forwarding will be affected.]

Do you need to setup VLAN under t1n1 and pfsense?

No. If you use a bridged network, there is no need to set up a VLAN.

If you choose to attach the network adapter to Internal Network, you may need to set up a VLAN for the LAN to access the Internet; however, I didn’t test it. I am not sure if you can even choose Internal Network when you want the host Windows machine to access the Internet.

Pfsense

I experienced several problems with pfsense and I don’t recommend using it with virtualbox or vmware if your sole purpose is protecting your Windows PC with a firewall.

  1. Time drifts under vmware. pfsense experienced serious time drift under vmware workstation 9.0. I simply can’t get the accurate time for pfsense under vmware. There are no time-drift problems with virtualbox and pfsense.
  2. Port forwarding does not work. After numerous attempts, I still can’t reliably forward the ports to bittorrent clients running on the Windows host machine. I set up both NAT and firewall rules, and set the log to record the hits of the rules; however, it either turns up a few hits or no hits at all — even though the bittorrent client is working heavily with multiple downloads. Port forwarding works well under t1n1wall and ipcop, and the firewall log shows the hit records with no problems.
  3. Overkill for the purpose. I run a single Windows PC as a host and I don’t need all the bells and whistles of pfsense, which has numerous configurations and settings I will never use.

ipcop vs ipfire

  1. Ipcop is simple and elegant. Its settings are easy to understand and intuitive. It just works and serves the purpose of a firewall very well.
  2. Ipfire has many features and packages. It appears to use many more resources in my limited tests.

t1n1wall and smallwall

  1. t1n1 is simple to use and port forwarding for bittorrent clients works well. Its development is more recent than smallwall.
  2. smallwall should work almost identically to t1n1wall, and I chose t1n1wall simply because its releases are newer.

vmware and its network configuration

  1. For the LAN interface, I created vmnet2 and designated it as a host-only network. There were no problems installing ipcop on it, although I haven’t tested port forwarding heavily on it.
  2. You can also install MS Loopback NIC, create a new vmnet interface and designate it as bridged network.
  3. In virtual machine settings, in the Network Adapter section, click on Advanced, and modify its MAC address so that you will know which interface is assigned to WAN or LAN in the firewall.

Questions that remain to be solved

  1. Linux firewalls appear to be less “secure”, because I don’t have to set port-forwarding rules to make bittorrent clients directly connect to the outside. With BSD flavored firewalls, I need to specifically configure NAT rules and port forwarding to allow bittorrent to work properly. Don’t know why this happens.
  2. For the LAN adapter, is a Host-Only network safer than a Bridged network?
  3. For BSD firewalls, using the Host-Only adapter does not seem to work. It has to be a bridged network.
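To make the NAT and port-forwarding distinction concrete for the Linux firewall case mentioned above (arno’s iptables firewall with NAT enabled), here is an added example that is not from the original post and not arno’s own rule set: the minimal iptables rules a Linux firewall VM needs to masquerade the Windows host out of the WAN NIC, plus the explicit DNAT rule an unsolicited inbound connection to a bittorrent port still needs. Interface names, the host’s LAN address and the port are placeholders, and setting IPT=echo prints the rules instead of loading them.

```shell
#!/bin/sh
# Added example (not from the original post, and not arno's iptables firewall's
# own rules): the minimal iptables ruleset for a two-NIC Linux firewall VM.
#   enable_nat   - outbound masquerade so the Windows host on the LAN side
#                  reaches the Internet with the firewall's WAN address
#   forward_port - inbound port forward (DNAT + FORWARD accept) for a
#                  bittorrent client listening on the host
# Assumptions: interface names, host address and port are placeholders; IPT can
# be overridden (IPT=echo) to print the rules on a machine without iptables.
IPT=${IPT:-iptables}

# A port is a decimal number in 1..65535; reject anything else before it
# reaches iptables, so a typo fails here rather than in the kernel.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# enable_nat WAN_IF LAN_IF
# Outbound only: LAN-originated connections are forwarded and masqueraded;
# WAN-originated traffic is only let back in when it belongs to an existing flow.
enable_nat() {
    wan_if=$1; lan_if=$2
    "$IPT" -t nat -A POSTROUTING -o "$wan_if" -j MASQUERADE &&
    "$IPT" -A FORWARD -i "$lan_if" -o "$wan_if" -j ACCEPT &&
    "$IPT" -A FORWARD -i "$wan_if" -o "$lan_if" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# forward_port WAN_IF LAN_IF HOST_IP PORT [PROTO]
# Unsolicited connections to WAN:PORT are rewritten to HOST_IP:PORT, then
# explicitly accepted in FORWARD: DNAT alone is not enough when the FORWARD
# policy is DROP, which is why NAT and a firewall rule are both needed.
forward_port() {
    wan_if=$1; lan_if=$2; host_ip=$3; port=$4; proto=${5:-tcp}
    valid_port "$port" || { echo "bad port: $port" >&2; return 1; }
    "$IPT" -t nat -A PREROUTING -i "$wan_if" -p "$proto" --dport "$port" -j DNAT --to-destination "$host_ip:$port" &&
    "$IPT" -A FORWARD -i "$wan_if" -o "$lan_if" -p "$proto" -d "$host_ip" --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
}

# Usage on the firewall VM as root (placeholder values; run with a DROP policy on
# FORWARD and enable ip_forward separately):
#   enable_nat eth0 eth1
#   forward_port eth0 eth1 192.168.1.10 51413 tcp
#   forward_port eth0 eth1 192.168.1.10 51413 udp
```

Outbound NAT alone is what lets the host browse; without the second function, peers cannot open connections to the host, which is the same requirement the post hit on the BSD firewalls.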

acknowledgements

These two resources provide very useful information for sett

  1. http://www.dowdandassociates.com/blog/content/howto-software-routers-on-virtual-machines/
  2. http://timita.org/wordpress/2011/07/31/protect-windows-with-pfsense-and-virtualbox-part-3-installing-virtualbox-and-creating-a-new-vm-for-pfsense/

What’s wrong with Hollywood?

Gravity is mediocre. The Internship is a commercial for Google. This is the End is a disaster. These are all getting high scores on IMDB. When bad things get good reviews and high scores, it means the whole industry is at risk — the trust is lost. When movie watchers know their hard-earned money and precious time are being spent on manipulated reviews and scores, they will stop going to movie theaters. What’s coming next, Hollywood? Depression.

AxCrypt is evil and it installs heinous Adware on your computer. Avoid at all costs!

AxCrypt is a nightmare for my computer. It downloaded many exe files and installed Conduit Adware across the system. My Firefox start pages were deleted and the homepage was changed to http://search.conduit.com. An ugly and intrusive toolbar was also installed on Internet Explorer (IE).

A VirusTotal scan report shows that AxCrypt is infected with OpenCandy Adware. Actually it is worse than normal Adware because it is so pervasive and intrusive — most important of all, no user consent was acquired before this heinous AxCrypt infected the system with Trojan-like malicious applications: a Malwarebytes scan reports that there are about 140 folders, files and registry keys which are infected with Conduit malware. Please avoid using AxCrypt at all costs. You have been warned.

To the developers of AxCrypt: shame on you!

Don’t watch Gravity

Gravity’s score and reviews on IMDB are dubious. With a stunningly high score of 8.7 and over 48 thousand votes, I thought this movie must be very good. However, the result is disappointing. I will just give this movie a 6.0 for its visual effects, but the story line is very simple and hurried to the end.

The inflated score on IMDB, just like on Taobao, will hurt the whole movie industry, as the disappointed audience will no longer pay to watch movies with good reviews, knowing that the scores have been rigged. Good movies will suffer because they will not get the attention they deserve and are easily drowned in the noise created by illicit promotional activities. The individual’s voice will not be easily heard, although they supposedly have an equal vote with the movie ticket they buy.

In the digital age, public opinion can be easily created and swung by a few keystrokes and clicks — the monopoly of media tycoons can manipulate the statistics, and the masses will buy into it and buy the mediocre products — the best ones do not even have a chance.

Some notes in the aftermath of Breaking Bad

OK, I was wrong about the finale of Breaking Bad, and Heisenberg did die. The most unforgettable line in the last episode is, when talking about why he did what he did, “I liked it. I was good at it”. This explained why he wasn’t successful as a chemistry teacher: he didn’t fulfill his destiny — to do the things he is good at. The scene when the hidden machine gun in the trunk mowed down all the gang members is a cathartic outbreak of revenge. It is well done. However, it could have been even better if he had used his chemistry skills to deal with the gangs.

Now here is some new information I found about Breaking Bad. Bob Odenkirk performs the lawyer role brilliantly in the movie. He grew up in Naperville, Illinois. From his biography on IMDB, he is “three credits shy of graduation” and wrote extensively for comedy shows. He also won a few Emmy awards. One day, I perhaps need to write a book listing the successful college dropouts and the unsuccessful college graduates.

Bryan Cranston certainly knows the importance of sticking to it. I think when he was at the lowest point of his career, he had thought about quitting and becoming an insurance salesman. However, he didn’t. Here is what he said about why he didn’t give up: “You know, this business is pure luck. It truly is. There is a tangible amount of luck that is necessary for a successful career, and the only way that luck happens is if you’re prepared for it and you stick with it. If you drop out of the scene, your opportunity for luck diminishes greatly. No one’s going to say, ‘Hey you’re an insurance salesman. Come and do this movie.’” “I don’t need to work, but I love to work and I will make the movie if I would want to go and see it.” It is also interesting to learn that he drove a motorcycle around the US: “It was just two confused boys running away. My brother was on the verge of becoming a deputy sheriff, and I was grappling with whether I wanted to be a police officer or an actor. So we got on our motorcycles and just left California with no plan. I had $70 in my pocket, and that soon ran out. We got odd jobs wherever we could. We worked at cafés, in carnivals, at beachfront hotels selling suntan lotion, earning just enough to get back on the road. We camped everywhere, the cheaper the better. Just a patch of grass was all we needed. A few times we stayed at midnight missions, in Texas and Louisiana, and those were always scary.”