Goodbye, Akismet

I’ve been using WordPress for my site/blog so long I don’t remember when I started. It was definitely more convenient than the html blog I maintained in 1996 and edited with vi; though not as fun and quirky as the website I built with HoTMetaL Pro.

WordPress offers a slew of cool features and plugins. There are thousands, though I only use a few. Pretty much anytime I set up WordPress for a friend, there are two plugins I always install and activate:

  1. Duo for MFA logins, to protect against brute force login hacking.
  2. Akismet to block comment spam.

Both have been free to use within limitations. Duo has a free tier that allows you to have up to ten users, which is more than enough for personal WordPress installs where one or two users is the norm. Akismet is free for non-commercial sites, which is what I’ve always considered this site to be.

This site is a mixture of the occasional security/tech tips, political rants, television show plot speculation, and a bunch of highly personal posts I’ve written and hidden over the years. In short, this site is just my personal bullshit.

Like everyone else who has hosted their own content through the Web 2.0 evolution, I added Google AdSense and Amazon affiliate links to my site in the hopes of capturing some of that sweet, sweet internet money. But, like I said, this site is bullshit, so it isn’t raking in the ad cash. In the last four years it has made $27 in Google AdSense (less than the threshold necessary for them to pay out), and since the ads were obnoxious I wound up disabling them. I’ve also made a whopping $0.40 in Amazon affiliate commissions in the last year. I’m Canada rich!

Well, times are hard in the tech world, and that means money grabs. Everyone has heard of Elon and his Blue Check Scam, but there are a lot of similar money grabs that aren’t making the news. Akismet, owned by Automattic, which also owns WordPress, Jetpack, and Crowdsignal, has started scanning websites for any hint of monetization and is categorizing those sites as commercial. I received this email on December 29th:

Thanks for using Akismet to prevent spam on your site, ghostwheel.com

You’re currently using Akismet for free, but the free plan is only allowed on non-commercial sites. 

You are displaying ads on your site, so it does not qualify as non-commercial. 

To continue using Akismet, please upgrade to the $10/month Plus plan

If you continue using the free plan, your account will be suspended. 

If you have any questions or believe that you have received this email in error, please get in touch

Thanks,
The Akismet Team

Ummm… OK… I go and look at my site settings, and I confirm I don’t have Google AdSense anymore. Given how much I’m raking in on Amazon I didn’t even think about those instances. After contacting support, they confirmed that the existence of those Amazon links qualifies me as commercial, and that I need to pay them $10/month (US) to keep using their service.

Yeah, nah; that ain’t going to happen. So, I’ve disabled Akismet. Within the first few minutes blog spam started showing up in my moderation queue, which is just the annoyance Automattic/Akismet is counting on to make me shell out $10/month for their service. Rather than give in to extortion, I’ve installed a plugin for managing code snippets, and I’ve activated the built-in snippet for disabling comments on all pages. Welcome back to Web 1.0, brought to you by Automattic, makers of WordPress and Akismet.

UPDATE: So, Bob, a “Happiness Engineer”, wrote me back to point out that “For what it is worth, this isn’t a new policy:” Yeah, Bob is right, this policy isn’t exactly new. But, it wasn’t the policy back when I first started using Akismet. Back then the policy was a lot more forgiving: “The free plan is designed for personal sites only. If your site is commercial in nature or involves a business than you need to sign up for one of the paid plans.” My site is not commercial in nature, and does not involve a business. The prohibition against ads wasn’t added until September of 2019, and as far as I can recall Akismet did not proactively reach out to advise of this change to their policy. So, while the change may not be new, it wasn’t an informed change; and the aggressive campaign of hunting down websites that have a couple of affiliate links is certainly new.

Squeezing more life out of Apple hardware

Planned obsolescence is theft. That’s the perfect distillation of my feelings on the topic. If I spend my hard earned money on a product I don’t think the manufacturer gets to tell me when I have to stop using it. And yet, there are countless cases of this:

Don’t get me wrong, I’m not some crazy person who thinks Apple should still be selling parts for the Apple II+ my uncle has in his attic. There does need to be a line drawn somewhere; just don’t ask me where.

Ask yourself this: If you just spent $5,999.00 USD for a MacPro (that’s the base model, with no upgrades), would you feel a bit ripped off in seven years when Apple won’t even sell you replacement parts?

Bare bones Mac Pro, 2022-08-28

What if you were really crazy and bought a full decked-out Mac Pro for a whopping $54,384 USD? Yeah, well, Apple is still going to cut off your support in seven years.

Maxed out Mac Pro, 2022-08-28

The thing is, everything Apple sells with a Pro moniker comes with a premium price, and it doesn’t seem too outlandish to expect them to support these products for a reasonable amount of time. What makes for a reasonable amount of time? I’d say that if a bunch of hobbyists on the internet can support a product, then one of the world’s most valuable companies can probably manage it as well.

For instance, I have a Mid-2010 Mac Pro (MacPro5,1). The last supported OS for this model was Mojave, but some of the nifty features like Handoff were expected to be broken since Yosemite due to the Bluetooth module used in this model. Apple would have you believe that the Bluetooth incompatibility was un-fixable, and that no OS past Mojave will work on this model. And yet… via a series of upgrades over the years, I’ve got this twelve-year-old machine running Monterey just fine, and even Handoff works. So much for impossible.

I owe a lot of my machine’s lifetime to the folks at macvidcards.com, who have been providing custom flashed video cards, and other bits, for years. While you technically don’t need a Mac EFI driver flashed video card to run most versions of MacOS, you do need it if you encrypt your boot drive with FileVault or you won’t get the screen to unlock the drive’s encryption. For a security wonk such as myself, full disk encryption is absolutely necessary. So far, I’ve installed the following upgrades:

So, all of that got me up to Mojave. I did have some fun little issues, like MacOS claiming that FileVault was not supported on my Mac Pro and refusing to encrypt my drive after installing Mojave. I solved that by moving my SSD to an external enclosure, booting my laptop on it, and enabling FileVault. Funny, my Mac Pro booted from that FileVault drive just fine, and hasn’t had a problem since.

My adventures have not been without pitfalls, though. The roughest being when I installed Big Sur, because at that point I had to give up using VMWare Desktop. The version of VMWare Desktop I ran under Mojave wouldn’t run on Big Sur, and pointed me to a newer version. That newer version would not run on my hardware because my installed CPUs lacked a particular instruction set. This was a bit of a blow, particularly because when I tried Parallels Desktop it would seem to import my VMWare systems, but then they wouldn’t boot. So far, there doesn’t seem to be a way around this. If you’ve got any suggestions, please comment below!

Up until this point, I thought Big Sur was as far as I’d be able to take it. Shoehorning Big Sur on had taken experimenting with a few different EFI bundles, from several forum and blog posts, where the takeaway was that Monterey was too problematic. But then… I saw this Slashdot post: Devs Make Progress Getting MacOS Ventura Running On Unsupported, Decade-Old Macs

I was aware of OpenCore, but I couldn’t recall if I’d come across the OpenCore Legacy Patcher. Reading through the docs, it looked pretty simple. Could it really be this easy? I decided to give it a try and dropped a spare SSD into my machine. I’m not going to detail the steps I had to go through, as they are all very well documented here, but I will say that an hour later I had a functional Monterey installation on my Mac Pro complete with hardware graphics acceleration for HEVC and H.264 encoding!

OpenCore Legacy Patcher is proof that my twelve-year-old Mac Pro is capable of running modern MacOS, and that Apple’s planned obsolescence is not a technology issue.

Never Give Someone Your Secret Keys

You didn’t need me to tell you that, though. Right? It goes without saying, as it’s right in the name. Secret Key. You give people the other half, the Public Key. I think they teach that in kindergarten these days.

So, why am I writing a post about such a simple topic? Let me tell you a story…

I’ve been using keybase.io for years.

I probably haven’t been using all its features, but it serves as another way of verifying some ways of communicating securely with me.

keybase.io was bought by Zoom, and we don’t know what that means yet. Will it stay free? Will it get shut down because all Zoom cared about was the crypto skills and tech?

One thing that is happening is that at least one ‘competitor’ has already popped up. Yesterday I received an invite from Cyph to sign up. They’d conveniently scraped my public info at keybase.io and populated an account that was ready for me if I accepted the invite. All I had to do was click the link and provide a new password and PIN. What the heck, I’ll sign up and make sure I get the name Ghostwheel before Scott in Atlanta grabs it.

The reason I put ‘competitor’ in quotes is that there is something very phishy about Cyph. The website at cyph.app wants me to prove I own the pgp public key they scraped from keybase.io by… uploading my private key to their servers.

That. is. not. going. to. happen.

That’s not how it works. That’s not how any of this works!

You want me to prove I own the secret key? Give me a random blob of text to sign, and you verify it with my public key.

You want to compromise any pgp/gnupg encrypted communications I have ever had? Yeah, that’s when you ask for my secret key.

Now that I’m taking another look at the invitation email, it isn’t even properly signed. It has a signed.asc but it’s malformed. Looking more phishy by the minute.

We’re supposed to move from keybase.io to a website that wants us to add our secret keys to their keystore, and where the CEO can’t send a properly pgp signed email?

Yeah, nah.
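
The "give me a random blob of text to sign" check described above, as an added example that is not from the original post, keybase.io or Cyph. Node's built-in Ed25519 stands in for an OpenPGP signature, and the account name, context string and five-minute expiry are assumptions made for the illustration.

```javascript
// Added example: challenge-response proof of key ownership.
// Ed25519 from Node's crypto module stands in for an OpenPGP signature.
const { randomBytes, sign, verify, generateKeyPairSync } = require('crypto');

const CHALLENGE_TTL_MS = 5 * 60 * 1000;              // assumed validity window
const CONTEXT = 'example key-ownership proof v1\n';  // hypothetical domain tag

// Server side: holds public keys and outstanding challenges, nothing secret.
class Verifier {
  constructor() { this.pending = new Map(); }
  issueChallenge(account, now = Date.now()) {
    const nonce = randomBytes(32).toString('hex');
    this.pending.set(account, { nonce, expires: now + CHALLENGE_TTL_MS });
    // The context prefix keeps this signature from doubling as a
    // signature over some other kind of message.
    return CONTEXT + account + '\n' + nonce;
  }
  verifyResponse(account, publicKey, signature, now = Date.now()) {
    const entry = this.pending.get(account);
    this.pending.delete(account);                    // single use, pass or fail
    if (!entry || now > entry.expires) return false;
    const message = Buffer.from(CONTEXT + account + '\n' + entry.nonce);
    return verify(null, message, publicKey, signature);
  }
}

// Client side: the private key signs locally and is never transmitted.
function signChallenge(privateKey, challenge) {
  return sign(null, Buffer.from(challenge), privateKey);
}

// Constructed demo run: outcome of four verification attempts.
function demo() {
  const owner = generateKeyPairSync('ed25519');
  const other = generateKeyPairSync('ed25519');
  const server = new Verifier();
  const sig = signChallenge(owner.privateKey, server.issueChallenge('alice'));
  const genuine = server.verifyResponse('alice', owner.publicKey, sig);
  const replayed = server.verifyResponse('alice', owner.publicKey, sig);
  const c2 = server.issueChallenge('alice');
  const wrongKey = server.verifyResponse('alice', owner.publicKey,
    signChallenge(other.privateKey, c2));
  const c3 = server.issueChallenge('alice', 0);
  const expired = server.verifyResponse('alice', owner.publicKey,
    signChallenge(owner.privateKey, c3), CHALLENGE_TTL_MS + 1);
  return { genuine, replayed, wrongKey, expired };
}
```

Only the signature and the public key ever reach the verifier; a replayed, expired or wrong-key response is rejected.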

I use Amazon affiliate links in some of my posts. I think it is fair to say my writing is not influenced by the $0.40 I earned in 2022.