Tuesday, January 02, 2024

Snap VLC

Happy fucking New Year, nerds!

I've been using VideoLAN (VLC) for longer than I can remember.  It has always been quirky to the extreme but I use it on my phone (Droid) and all my computers.  Back in the day my work phone was an iPhone and the Apple version of VLC was seen as a threat by iOS.  You could use it for a few cuts, but the OS always shut it down as soon as the screen blanked.  I guess this was a way to force you into iTunes but I just used my personal Droid to listen to music.

For a few years, Do Not Disturb (DND) on Android did nothing but shut the sound off system-wide, so if you wanted to listen to music you had to be disturbed.  Mildly infuriating.  They "fixed" that by breaking DND in a different way.  For a few months, whenever you got a phone call it would say "The phone is ringing but Do Not Disturb is activated!"

What part of Do Not Disturb do you not understand?

They fixed that relatively quickly.

Desktop VLC was less vexing but it had its own problems, like imposing a sort order you didn't ask for or want.  The Icecast Radio Directory was an awesome feature that offered absolutely everything at dir.xiph.org.  EVERYTHING.  But then one day the folks at xiph.org decided to upgrade their site and broke that feature for good.  Until now.

My old desktop (Ubuntu) version of VLC is 3.0.16 Vetinari and it has the annoying habit of flashing multiple video windows when starting a video.  I could not get rid of that, even with a rip/reinstall.  I was aware of Snapd apps but had ignored them for years (unless forced to use them, as with Chromium and Firefox).  I thought I'd give the Snap version a try since it was listed as 3.0.20 Vetinari.

I was pleasantly surprised.  For the most part.

The flashing multiple video windows problem was flat out gone.  The Icecast Radio Directory was finally fixed.  Two thumbs up.  We're on a roll.

Unfortunately I have two USB ATSC devices I have been using to watch television using playlists output by w_scan ("version 20170107 (compiled for DVB API 5.11)").  These playlists do not work on the 3.0.20 version of VLC.

w_scan is marked all-caps EXPERIMENTAL so I suspect that is the issue.  But you never know, VLC 3.0.21 might fix it.  Until something is fixed I'll be running both versions.

Sunday, August 27, 2023

Shitty globals 2023

Eleven years ago I published Shitty Globals.  Funny how time flies.

This was about the network discovery tool aptly named "netdiscover", which was delivered broken in BackTrack 5.  I have been using it ever since.  I keep the code around to put it on new boxes.  I have two new Jammy Jellyfish systems I got last week and that old code finally broke.  I can no longer compile it.  I have no clue what the issue is and I spent too much time on trying to fix it.

It had to be re-compiled often because the OUI database of MAC addresses goes out of date all the time.  The database is stored in the oui.h source file.  The stock package from Ubuntu has no way to update the MAC database.  You need the code.  I found the version 0.10 code at Launchpad.  Praise Bob.

Here we are 23 years into the 21st century and this thing still doesn't support CIDR.  And you still have to re-compile it to update the OUI database.  There were ~2600 more OUIs than when the code was published (shitty globals and all).  And I still have 4 "Unknown Vendor" MACs on my network.  I'm not complaining.  Just sayin'.


Wednesday, August 23, 2023

Blocking QUIC

I trashed iptables and switched over to netfilter ("Fearless Fosdick") a while ago.  The motivation was IPv6.  I wanted to write rules that would apply to both protocol stacks at the same time instead of having separate rules for IPv4 and IPv6.

Well, at the time that didn't work out at all.

Time passed.  I figured out how to use Spectrum's native IPv6 stack, getting rid of my old Hurricane Electric 6in4 tunnel.  I upgraded netfilter to Lester Gooch #3 and tried it again.  I had much better luck.  Then, Spectrum decided to start bouncing their network, which is a BAD thing to have happening when you're working on firewall rules.  Outages two days in a row, guaranteed to secure your system.

If you have been living under a rock since the dialup days and you don't know what QUIC is, it is essentially http and tls (https) running on UDP ports 80 and 443, respectively.  A right and proper reinvention of the wheel of TCP.  Google says you want it.  That is a lie.  They want it and you're going to take it and like it.  Browser companies fell into line and now they all support it.  There is no on/off switch.  If you find one let me know.

Your only defense is your control over your network stack.

I recently learned Microtek products don't support UDP.  I know that the default mode of RHE is to open a port on both stacks.  I was once informed by a "Secure Gateway" vendor (I think it was Bluecoat) that nobody does UDP.

Essentially, it really doesn't matter much because it's so incredibly easy to punch a udp hole in almost any firewall.  You've been hanging your ass out on the Internet all this time and you didn't even know it.  For details, look into the STUN protocol.  

You may have exacerbated this condition with iptables by putting an "ESTABLISHED, RELATED" stanza somewhere in your ruleset (every iptables guru/wizard/tard puts it in their online example scripts--EVERY DAMN ONE!  You would think it's a good idea but it's not).

As luck would have it, Google has a huge STUN infrastructure (surprise!) that's ready and waiting to turn your firewall into Swiss cheese.  What an incredible coincidence.  If you're running a Tor Snowflake proxy, you're using this service.  The QUIC tunnels your browser makes are persistent and ready to swallow as many ads as Google can cram into them.

Normally I do all my port blocking with DROP, which worked for the most part.  For some reason my Galaxy A9 tablet was managing to jump around those rules.  I can't explain that but I switched to REJECT first, DROP second in the forward chain and that cleaned up all the sneaky traffic.  In fact, very little traffic hits the DROP rules anymore.

Back when all the rules were DROP, the A9 droid tablet would switch to tls over udp port 80, which I thought was rather sneaky and unladylike.  Whenever I switch ports like that the ITSec noobs screech "SECURITY BY OBSCURITY!" at me.

You may have heard of DoT and DoH (DNS over tls and http respectively).  I'm not sure if anyone uses DoQ (DNS over QUIC), but if they do these rules will block that as well.  That would sort of violate the intent of running DNS over tcp in the first place but I'm sure some clown somewhere will try it.  They always do.
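Here is a minimal nftables ruleset that puts the approach above into practice.  It is an added example, not the ruleset from this post: one inet table so the rules apply to IPv4 and IPv6 at the same time, REJECT before DROP in the forward chain, and the QUIC block placed ahead of the established,related shortcut so an outbound UDP flow to 80/443 never gets a conntrack entry for that shortcut to accept.  The interface names, table name and chain layout are assumptions.

```nft
#!/usr/sbin/nft -f
# Added example, not the author's ruleset.  Interface names are assumptions.
define lan_if = "eth1"        # assumed LAN-facing interface
define wan_if = "eth0"        # assumed WAN-facing interface
define quic_ports = { 80, 443 }

flush ruleset

table inet filter {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # QUIC block comes BEFORE the conntrack shortcut: if this rule sat
        # after "ct state established,related accept", the first outbound
        # datagram would create a conntrack entry and every later packet of
        # that flow would be accepted by the shortcut instead of reaching us.
        # REJECT first: the client gets an immediate ICMP/ICMPv6 port
        # unreachable and falls back to TCP rather than retrying UDP.
        # icmpx picks the right ICMP flavour for each stack in an inet table.
        iifname $lan_if oifname $wan_if udp dport $quic_ports \
            counter reject with icmpx type port-unreachable

        # DROP second: catches the same ports in any other direction
        # (inbound, or traffic that is not LAN->WAN), silently.
        udp dport $quic_ports counter drop

        # Only now the usual conntrack shortcut and the LAN->WAN allow.
        ct state established,related accept
        ct state invalid counter drop
        iifname $lan_if oifname $wan_if accept
    }
}
```

Load it with `nft -f <file>` and watch the two `counter` expressions with `nft list chain inet filter forward`: nearly all hits should land on the reject rule and the drop counter should stay close to zero, which is the behaviour described above.  Browsers treat the port-unreachable as "QUIC not available here" and continue over TCP, so the sites still load; only the UDP path is closed.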

I believe telling you this violates Google's Terms of Service so if I disappear (again) you'll know why.