Bound by paws, guided by spirit.

Creating destiny through every high and low. Running on BSD, powered by four paws and an endless rabbit hole of coffee and code.
14 // 2026-04-27

Somebody´s watching me (Living the rabbit way Director´s Cut)

Another night, but the same rabbit hole: booted my OpenBSD box, set up pf and relayd, generated a fake root CA certificate and fed it into the system keychain of the Mac Mini M2.

tcpdump -n -r 2tahoe_hunt_re0.pcap \
  not host 46.23.94.77 and \
  not host 9.9.9.9 and \
  not host 149.112.112.112 and \
  not net 142.250.0.0/15 and \
  not net 172.217.0.0/16 \
  | grep "length 1348"
reading from file 2tahoe_hunt_re0.pcap, link-type EN10MB (Ethernet), snapshot length 65535
20:56:43.935480 IP 2.23.154.72.80 > 192.168.1.5.56088: \
  Flags [.], seq 1:1349, ack 253, win 508, options [nop,nop,TS val \
  2152004891 ecr 1222031002], length 1348: HTTP: HTTP/1.1 200 OK
21:02:35.119786 IP 17.253.15.143.80 > 192.168.1.5.56096: \
  Flags [.], seq 1:1349, ack 253, win 127, options [nop,nop,TS val \
  3760591959 ecr 912421848], length 1348: HTTP: HTTP/1.1 200 OK
...

hexdump -C 2tahoe_hunt_re0.pcap | grep "24" | wc -l
6158
hexdump -C 2tahoe_hunt_re0.pcap | grep "36" | wc -l
6828
hexdump -C 2tahoe_hunt_re0.pcap | grep "05" | wc -l
17643

ls -la 2tahoe_hunt_re0.pcap
.rw-r--r-- 1,7M crw 26 Apr 22:17 2tahoe_hunt_re0.pcap

ngrep -I 2tahoe_hunt_re0.pcap "nocommit"
input: 2tahoe_hunt_re0.pcap
filter: ((ip || ip6) || (vlan && (ip || ip6)))
match (JIT): nocommit
##############################
T 2.23.154.72:80 -> 192.168.1.5:56088 [A] #30
HTTP/1.1 200 OK..Server: dlb/1.0.2..Content-Type: ...
See the 2tahoe_hunt_re0.pcap for details.

The theory is that the trojan hides its messages within legitimate certificate and DNS queries. The control messages are concealed within HTTP traffic as nocommit statements.

tcpdump -nnr capture1.pcap | awk '$1 >= "14:30:37" && $1 <= "14:31:07" {print $0}' > window.txt
grep -Eo '[0-9]{1,3}(\.[0-9]{1,3}){3}' window.txt | grep -v '192.168.1.5' | sort | uniq -c | sort -nr
     72 188.114.96.10
     52 17.253.145.10
     51 17.253.53.57
     19 17.253.150.10
     12 142.250.203.195
      6 172.224.50.21
      2 65.109.111.156
      2 172.224.133.70
      1 142.132.227.77
      1 133.18.101.92
      1 104.16.79.73
grep "14:30:47" window.txt | grep -Eo '[0-9]{1,3}(\.[0-9]{1,3}){3}' | grep -v '192.168.1.5' | sort | uniq -c
      4 142.250.203.195
     24 188.114.96.10

IP address        ASN       Organisation / Region
188.114.96.10     AS13335   Cloudflare, San Francisco, USA
17.253.145.10     AS714     Apple, Cupertino, USA
17.253.53.57      AS6185    Apple, Frankfurt am Main, DE
17.253.150.10     AS714     Apple, Newark/Cupertino, USA
142.250.203.195   AS15169   Google, Frankfurt am Main, DE
172.224.50.21     AS15169   Google, Mountain View, USA
65.109.111.156    AS24940   Hetzner, Helsinki, Finland
172.224.133.70    AS15169   Google, Mountain View, USA
142.132.227.77    AS24940   Hetzner, Falkenstein, DE
133.18.101.92     AS2514    NTT, Tokyo, Japan
104.16.79.73      AS13335   Cloudflare, San Francisco, USA
See the capture1.pcap and window.txt for details.
tcpdump -r capture1.pcap host 9.9.9.9 | wc -l
reading from file capture1.pcap, link-type EN10MB (Ethernet), snapshot length 116
6986
tcpdump -nnr capture1.pcap host 9.9.9.9 | awk '{print $3 " -> " $5}' | sort | uniq -c | sort -n | wc -l
reading from file capture1.pcap, link-type EN10MB (Ethernet), snapshot length 116
779
tcpdump -nnr capture1.pcap host 9.9.9.9 and port 53 -vv | grep "A?"
tcpdump -nnr capture1.pcap port 53 -vv | grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" | sort -u
reading from file capture1.pcap, link-type EN10MB (Ethernet), snapshot length 116
0.1.168.192
142.251.141.42
142.251.143.10
149.112.112.112
172.224.133.68
172.224.133.70
172.224.133.71
172.224.51.3
172.224.51.4
172.224.51.5
172.224.51.9
17.248.213.64
17.248.213.66
17.248.213.67
17.253.108.125
17.253.52.125
17.253.52.253
17.253.57.213
17.253.57.215
17.253.57.216
17.253.57.218
17.253.57.219
17.253.73.205
188.114.96.10
188.114.97.10
192.168.1.5
213.208.152.78
217.149.233.46
9.9.9.9
ls -la capture1.pcap
.rw-r--r-- 1,9M crw 27 Apr 15:07 capture1.pcap
See the capture1.pcap for details.

The interesting thing is that this is a freshly installed Mac Mini M2 (2023) with macOS Tahoe in the BaseSystem, where it should not be, and macOS 26.4.1 Tahoe without iCloud and without additional software. The only thing I did was open cybre.club in Safari to trigger the trojan. So why does this thing connect to half the internet at the same time? If it is legitimate traffic from a Fediverse instance, then the Fediverse is not really GDPR compliant. But that doesn´t explain the high DNS traffic.

I don´t know yet if I´ll take another look at the iPhone; it´s possible. To complete the circle, I am also publishing the two e-mails I sent to Apple on February 28, 2026. Happy rabbit hole exploring, I see you.

Psssssst, don´t believe me, check the files.

Sources:

2tahoe_hunt_re0.pcap
capture1.pcap
window.txt
Case OE0104912510005-1
Case OE0104912510005-2
13 // 2026-04-25

Military-Grade Spyware with Apple Hardware Persistent Base System Injection (From Troy to Jericho Director´s Cut)

In early 2025, I anonymously contacted a reporting office at the Austrian Federal Ministry of the Interior. The information concerned matters related to serious crimes (spoiler alert: to this day, they refuse to investigate, or to put it politically correctly, there´s nothing we can do).

A few months later (around June 2025), I was contacted by the Upper Austrian State Criminal Police Office (LKA Oberösterreich) and asked to identify myself. I refused. About a month later, I found a business card from Department 10 (human trafficking) of the LKA Oberösterreich on my door, requesting that I get in touch.

Apple, through which part of the email traffic was routed, would have had no reason to release my data because I was only a witness. The domain registrar confirmed, when I described the context, that normally they are not allowed to release information, but in this specific case, they can confirm that no information was sent from them. The domain registry confirmed that they knew nothing about me due to a WHOIS anonymization service.

I contacted the senior official listed on his business card because otherwise I would have received a summons on paper, and I had nothing to give in this matter. When I asked where my information came from, he said, „Who knows, we have our ways.“ At the time, I didn´t think much of it; today, things look a bit different.

In January 2026, on my iPhone SE 3rd generation running iOS 26, the iCloud profile picture disappeared from the Photos app. I consulted Google´s oracle (also known as search engine), restarted the phone, and logged back into iCloud. The latter was likely the trigger.

In February 2026, my internet provider informed me that 80% of my LTE data allowance was used up. That wasn´t a problem because I also had an unlimited 5G package. Around 24 hours later, my internet provider informed me that my entire LTE data allowance was used up. Since that couldn´t be right, I checked my mobile data usage and, lo and behold, the Contacts app had consumed 74GB over that entire period. This was rather unusual considering there were only 7 contacts on the device, of which only 2 had profile pictures. I consulted the Google oracle again to see if this was a known issue. In the end, I ended up in Google´s AI mode. To be precise, with an LLM (Large Language Model).

I performed vibe trojan hunting using an LLM. I extracted a complete log, sent it via AirDrop to my Mac Mini M2, and poked around in the files to see what came up.

A summary of events follows, as I received no response to the case (regarding product security) from Apple, security researchers were not interested, and I disposed of the data after approximately 3 weeks. The Octagon chain showed 6 additional IDs that were expanded so regularly that they were not random. Furthermore, the words „persona non grata“ and „honesis attestation“ (encrypted) were visible. The Powerlog database contained binary data with an entropy of 5.1. I also discovered markers that shouldn´t have been there. I ran a grep on my Mac using these markers across the 4TB of data I had stored on an SSD at the time, and sure enough, they were quite frequently present in the files. To validate the data, I used several independent LLM sessions, where the LLMs were unaware of the data history to avoid triggering their biases. The LLMs didn´t find the markers unusual until I extracted the block starting at the displayed address using dd. In PDF files, these markers were hidden in inaccessible areas, and even rebuilding them with ps didn´t remove them. In Opus and MP4 files, they were embedded in the stream. Removing metadata or converting to a different format didn´t help with images; only a 99% resize worked to remove them. The irony is that after I had converted the entire 4TB and switched to Linux, the Linux system crashed about 2 hours later and the data was gone.

I used an old computer running Linux as a Wi-Fi hotspot. Specifically, I used hostap and dnsmasq to block the endpoints of Apple´s Private Relay. The trojan fell back to port 993 and contacted the Apple contact server over 1200 times in less than 15 minutes (the size of the PCAP was 520+ MB). The trojan uses fixed-size but fragmented packets; the headers contained the six additional IDs as markers for the C2 (Command and Control) server, which hides itself as a legitimate Apple target within the Akamai network.

Why am I using a public Google LLM for this, whose data is known to be used in the training data of future LLMs? Quite simply, to document these things, and frankly, after this incident, I trust the US Big Tech companies more than the authorities in Austria.

Since one might think it´s a nice story that can´t be proven because there´s no more data, today we´ll attempt to reproduce these things.

The 2023 Mac Mini was completely wiped and macOS was reinstalled. Interestingly, this device shipped with Ventura and required an update to Sonoma and then to macOS 26 Tahoe. If Apple hasn´t changed the process since January 2026, then the trojan must have written itself into the hidden read-only APFS container. This is because both the recovery system showed macOS 26 Tahoe and, after the first boot, macOS 26.4.1 Tahoe was present without any updates (this is impossible without running the installer). While it´s possible Apple has changed something, the long download time despite 5G is odd.

After installation, I landed in the installer. There, I again used a new clean Wi-Fi hotspot under Linux and ran a tcpdump. The installation was performed without an iCloud account. Setting up the final step, including screen time, etc., took an extremely long time.

sudo tcpdump -i wlan0 -s 0 -w mac_mini_baseline.pcap
tcpdump: listening on wlan0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
^C21951 packets captured
21951 packets received by filter
0 packets dropped by kernel
~ 2h 12m 21s

tcpdump -r mac_mini_baseline.pcap -n | awk '{print $5}' | cut -d. -f1-4 | sort | uniq -c | sort -nr | head -n 10
reading from file mac_mini_baseline.pcap, link-type EN10MB (Ethernet), snapshot length 262144
   1573 199.232.191.6
   1427 17.248.213.70
   1418 17.248.213.66
   1413 17.248.213.71
   1413 17.248.213.68
   1413 17.248.213.65
   1412 17.248.213.64
   1408 17.248.213.69
   1402 17.248.213.67
    788 10.42.1.1

tcpdump -r mac_mini_baseline.pcap -A host 199.232.191.6 | head -n 50
reading from file mac_mini_baseline.pcap, link-type EN10MB (Ethernet), snapshot length 262144
05:07:57.233140 IP 10.42.1.104.58480 > 199.232.191.6.https: UDP, length 1200
05:07:57.233141 IP 10.42.1.104.58480 > 199.232.191.6.https: UDP, length 1200
05:07:57.237989 IP 10.42.1.104.51406 > 199.232.191.6.https: UDP, length 1200
05:07:57.438216 IP 10.42.1.104.57560 > 199.232.191.6.https: Flags [SEW], seq 3896119550, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 465679151 ecr 0,sackOK,eol], length 0
05:07:57.438217 IP 10.42.1.104.57561 > 199.232.191.6.https: Flags [SEW], seq 3919406115, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 2625485916 ecr 0,sackOK,eol], length 0
05:07:57.691711 IP 10.42.1.104.57563 > 199.232.191.6.https: Flags [SEW], seq 2374332561, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 3511875276 ecr 0,sackOK,eol], length 0
05:07:57.691712 IP 10.42.1.104.57564 > 199.232.191.6.https: Flags [SEW], seq 1899303182, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 2564735716 ecr 0,sackOK,eol], length 0
tcpdump: Unable to write output: Broken pipe
See the mac_mini_baseline.pcap for details.

The IP 199.232.191.6 belongs to Fastly Inc., AS54113 (Fastly), PoP (Point of Presence) Munich. Interesting, isn´t it?

Let´s look at the iPhone SE 3rd generation.

It was also completely wiped, and from switch-on to the activation screen (which failed over Wi-Fi) the new PCAP shows the following.

ls -la iphone_baseline.pcap
.rw-r--r-- 1,7M root 25 Apr 08:14 iphone_baseline.pcap

tcpdump -r iphone_baseline.pcap -n | awk '{print $5}' | cut -d. -f1-4 | sort | uniq -c | sort -nr | head -n 10
reading from file iphone_baseline.pcap, link-type EN10MB (Ethernet), snapshot length 262144
   1427 199.232.191.6
    601 17.248.213.69
    600 17.248.213.66
    599 17.248.213.71
    597 17.248.213.70
    597 17.248.213.68
    596 17.248.213.67
    596 17.248.213.64
    595 17.248.213.65
    386 10.42.1.132
See the iphone_baseline.pcap file for details.

Also very interesting what a non-activated iPhone does.

Only a reboot with the SIM I used in the past worked to activate the iPhone. It is no problem, as in the weeks where I used GrapheneOS there were attempts using a baseband hijack to check whether the SIM is still somewhere around. As far as I can remember from my first tries, the trojan also uses geolocation to check whether it is the same target in the same area.

After a reboot I started a new PCAP dump and tried to activate the iCloud account. No chance, as the trojan takes the whole bandwidth (or in other words, the trojan produces so many bogus packets, which are dropped by the Linux kernel, that it ended in a timeout). I used the SIM again and the iCloud account activation was done within seconds. But the following is interesting for an iPhone with near zero data in iCloud.

ls -la iphone_baseline2.pcap
.rw-r--r-- 12M root 25 Apr 09:02 iphone_baseline2.pcap

tcpdump -r iphone_baseline2.pcap -n | awk '{print $5}' | cut -d. -f1-4 | sort | uniq -c | sort -nr | head -n 10
reading from file iphone_baseline2.pcap, link-type EN10MB (Ethernet), snapshot length 262144
tcpdump: pcap_loop: truncated dump file; tried to read 16 header bytes, only got 1
   2582 17.248.213.67
   2580 17.248.213.68
   2579 17.248.213.70
   2577 17.248.213.66
   2575 17.248.213.65
   2573 17.248.213.69
   2572 17.248.213.71
   2572 17.248.213.64
   1601 199.232.191.6
    886 10.42.1.1

tcpdump -r iphone_baseline2.pcap -A host 17.248.213.67 | head -n 50
reading from file iphone_baseline2.pcap, link-type EN10MB (Ethernet), snapshot length 262144
08:20:48.870540 IP 10.42.1.132.61045 > 17.248.213.67.https: Flags [SEW], seq 613289986, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 2968222024 ecr 0,sackOK,eol], length 0
E..@..@.@.G. *.....C.u..$............]............. ..yH........ ...
08:20:51.396315 IP 10.42.1.132.61050 > 17.248.213.67.https: Flags [S], seq 3754684777, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 3422213306 ecr 0,sackOK,eol], length 0
E..@..@.@.G. *.....C.z.....i.......................
tcpdump: Unable to write output: Broken pipe
See the iphone_baseline2.pcap file for details.

Look at the new order of the IPs after the login to iCloud and the flags of the packets.

Current summary: The trojan uses the entire network bandwidth via Wi-Fi at the Linux hotspot, since fragmented or manipulated packets are filtered by default, but apparently cannot or will not do so via cellular data or at another hotspot, like one from GrapheneOS. Massive amounts of identical packets are being sent simultaneously without any discernible activity. It is likely that the trojan communicates with a C2 on the Fastly network as a security measure, and switches to the Akamai network used by Apple as soon as an iCloud login is established.
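The measurements in this post and in post 14 above all come down to the same three questions about a capture: how many packets per destination, how many of them carry a payload of one fixed size (the tcpdump | grep "length 1348" pipeline), and how many of those payloads are byte-identical. The following is an added example, not the page´s own code or scripts, that answers all three in pure Python without scapy: it walks a classic little-endian pcap, parses Ethernet/IPv4/TCP by hand, builds per-destination histograms of payload length and of payload SHA-256, counts IPv4 fragments, and stops cleanly at a truncated final record (the condition tcpdump reported above as "truncated dump file"). The capture it analyses is constructed inline for the demo; the addresses are borrowed from the page only as labels and nothing is read from the real pcaps.

```python
"""Profile TCP payloads per destination in a pcap: fixed sizes, byte-identical
payloads, IPv4 fragments. Pure Python (no scapy), classic little-endian pcap."""
import hashlib
import struct
from collections import Counter, defaultdict

PCAP_MAGIC = 0xA1B2C3D4  # little-endian, microsecond timestamps
ETH_IPV4 = 0x0800
PROTO_TCP = 6


def ip_bytes(dotted):
    return bytes(int(o) for o in dotted.split("."))


def build_pcap(packets):
    """Constructed test capture: (dst_ip, payload, more_fragments) tuples, all
    from 192.168.1.5:56088 to port 80, shaped like the page's HTTP flows."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)]
    for i, (dst, payload, mf) in enumerate(packets):
        tcp = struct.pack("!HHIIBBHHH", 56088, 80, 1, 1, 5 << 4, 0x10, 508, 0, 0)
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), i,
                         0x2000 if mf else 0x4000, 64, PROTO_TCP, 0,
                         ip_bytes("192.168.1.5"), ip_bytes(dst))
        frame = b"\x00" * 12 + struct.pack("!H", ETH_IPV4) + ip + tcp + payload
        out.append(struct.pack("<IIII", 1_777_000_000 + i, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def iter_frames(pcap):
    """Yield raw link-layer frames; stop at a truncated last record instead of
    failing (tcpdump prints 'truncated dump file' for the same condition)."""
    if struct.unpack_from("<I", pcap, 0)[0] != PCAP_MAGIC:
        raise ValueError("unsupported pcap magic (only LE microsecond pcap here)")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack_from("<IIII", pcap, off)
        off += 16
        if off + incl_len > len(pcap):
            break
        yield pcap[off:off + incl_len]
        off += incl_len


def parse_tcp(frame):
    """(dst_ip, is_fragment, payload) for IPv4/TCP frames, else None."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETH_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len, _, flags_frag = struct.unpack_from("!HHH", frame, 16)
    if frame[23] != PROTO_TCP:
        return None
    dst = ".".join(str(b) for b in frame[30:34])
    frag_off = flags_frag & 0x1FFF
    is_frag = bool(flags_frag & 0x2000) or frag_off > 0
    end = 14 + total_len                    # drop Ethernet padding, if any
    if frag_off:                             # later fragments: no TCP header
        return dst, True, frame[14 + ihl:end]
    tcp = 14 + ihl
    data_off = (frame[tcp + 12] >> 4) * 4
    return dst, is_frag, frame[tcp + data_off:end]


def profile(pcap):
    """Per destination: packets, payload-length histogram, identical-payload
    histogram (sha256 prefix), fragment count."""
    stats = defaultdict(lambda: {"packets": 0, "fragments": 0,
                                  "lengths": Counter(), "identical": Counter()})
    for frame in iter_frames(pcap):
        parsed = parse_tcp(frame)
        if parsed is None:
            continue
        dst, is_frag, payload = parsed
        s = stats[dst]
        s["packets"] += 1
        s["fragments"] += is_frag
        if payload:
            s["lengths"][len(payload)] += 1
            s["identical"][hashlib.sha256(payload).hexdigest()[:16]] += 1
    return dict(stats)


def suspicious(stats, min_repeats=5):
    """Destinations with >= min_repeats payloads of one fixed length:
    {dst: (length, count, largest identical-payload group, fragments)}."""
    hits = {}
    for dst, s in stats.items():
        for length, n in s["lengths"].most_common(1):
            if n >= min_repeats:
                hits[dst] = (length, n, max(s["identical"].values()), s["fragments"])
    return hits


# constructed sample: 8 identical 1348-byte responses from one host, 3 same-size
# but differing responses from another, two odd packets (one a first fragment)
FIXED = b"HTTP/1.1 200 OK\r\nServer: dlb/1.0.2\r\n".ljust(1348, b"\x00")
SAMPLE_PCAP = build_pcap(
    [("17.253.15.143", FIXED, False)] * 8
    + [("2.23.154.72", (b"HTTP/1.1 200 OK\r\nX-Seq: %d\r\n" % i).ljust(1348, b"\x00"), False)
       for i in range(3)]
    + [("142.250.1.1", b"GET / HTTP/1.1\r\n", True), ("142.250.1.1", b"x" * 300, False)]
)

if __name__ == "__main__":
    for dst, hit in suspicious(profile(SAMPLE_PCAP)).items():
        print(dst, "length=%d count=%d identical=%d fragments=%d" % hit)
```

Run against a real file with `profile(open("apple_all.pcap", "rb").read())`; the magic check will refuse pcapng or nanosecond captures, which is deliberate, since silently misparsing record headers is worse than an error. The distinction between "same length" and "byte-identical" is the part grep cannot give you: a burst of equal-length HTTP segments is normal TCP segmentation, a burst of equal-length segments with identical SHA-256 is not.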

For now we make a cut here and continue later after the trojan has done the sync.

sudo tcpdump -i wlan0 -s 0 -w iphone_baseline2.pcap
tcpdump: listening on wlan0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
^C52908 packets captured
52910 packets received by filter
0 packets dropped by kernel
~ 1h 18m 25s

ls -la iphone_baseline2.pcap
.rw-r--r-- 16M root 25 Apr 09:37 iphone_baseline2.pcap
See the iphone_baseline2.pcap file for details.

I switched on the Mac Mini again to look what happened.

sudo tcpdump -i wlan0 -s 0 -w apple_all.pcap
tcpdump: listening on wlan0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
^C15018 packets captured
15018 packets received by filter
0 packets dropped by kernel
~ 9m 30s

tcpdump -r apple_all.pcap -n | awk '{print $5}' | cut -d. -f1-4 | sort | uniq -c | sort -nr | head -n 10
reading from file apple_all.pcap, link-type EN10MB (Ethernet), snapshot length 262144
   1091 17.248.213.68
   1089 17.248.213.69
   1087 17.248.213.71
   1087 17.248.213.67
   1086 17.248.213.66
   1085 17.248.213.65
   1084 17.248.213.70
   1077 17.248.213.64
    604 199.232.191.6
    554 10.42.1.1

ls -la apple_all.pcap
.rw-r--r-- 2,3M root 25 Apr 10:20 apple_all.pcap
See the apple_all.pcap file for details.

Let´s make some noise and switch on the light in this rabbit hole.

grep -E "Status|State|View" ckksctl_status.txt | head -n 20
... macOS 25.4.0 (25E253),2026-04-22 ...
... macOS 25.2.0 (25C56),2025-12-27 ...
... macOS 24.6.0 (24G419),2026-01-25 ...
OS versions never seen in the public wild.
cat otctl_status.txt | grep -A 15 "self"
"self" : {
  "dynamicInfo" : {
    "clock" : 555,
    "dispositions" : [
      {
        "disposition" : {
          "unknownMachineID" : {
          }
        },
        "peerID" : "SHA256:0TN+QfYHfBjZdPzAPKImUNg+zBooCb58XxyGEEZW8b4="
      },
      {
        "disposition" : {
          "unknownMachineID" : {
unknownMachineID, probably Schrödinger´s cat in the wild.
cat otctl_status.txt | grep -A 10 "bottle"
grep -B 5 "spon" otctl_status.txt
Some interesting IDs and keys, and who is the sponsor of whom.

Grepping for walrus, as it is Apple´s internal name for Advanced Data Protection, is also interesting.

Ok, let´s see how many friends I have, or rather how many virtual IDs lurk around in my Octagon trust circle.

grep -h "SHA256" otctl_status.txt ckksctl_status.txt | sort | uniq | wc -l
398

--- Analyze apple_all.pcap with 24 IDs ---
[!] MATCH in packet 385 -> destination: 17.248.213.64 pattern: 54
[!] MATCH in packet 386 -> destination: 17.248.213.64 pattern: 54
[!] MATCH in packet 387 -> destination: 10.42.1.132 pattern: 54
...
[!] MATCH in packet 14843 -> destination: 199.232.191.6 pattern: 54
[!] MATCH in packet 14910 -> destination: 199.232.191.6 pattern: 54
[!] MATCH in packet 14911 -> destination: 199.232.191.6 pattern: 54
[!] MATCH in packet 15015 -> destination: 199.232.191.6 pattern: 54
[!] MATCH in packet 15016 -> destination: 199.232.191.6 pattern: 54
Done. 744 matches found.

python -c "import scapy.all as s; [print(p[s.Raw].load[p[s.Raw].load.find(b'6')\
+1:p[s.Raw].load.find(b'6')+17].hex()) for p in s.rdpcap('apple_all.pcap') if s.\
Raw in p and b'6' in p[s.Raw].load]"
492061aa53a04b38ae24804bdc5c5b2f
b309c8db75e57c1ebbab05d8e868f448
492061aa53a04b38ae24804bdc5c5b2f
e64e4b9b89930000449e1dd94b7362a2
e64e4b9b89930000449e456341c10351
5de9f002b5ca56f64e195a6a66fe5fee
6bc4514f95568d70a45f8a4bad819f05
b474353d1e39a8310accede8cf9c2466
8ab6b3d10d6b27d9a8b930550801825d
9a4fafbb38c5c7725c6be2432550c877
7781fe72562df6b893fd46fbcc160c89
4bad50edfc712b198e249b8eea5f26c6
ef0bb0a698d203dc26be223f9c057164
e64e4b9b8993000043fcba23c0b31730
e64e4b9b89930000449efb8cc9da964d
da98ce28bc2e031ca33044bfd30ad2f7

python -c "import scapy.all as s; [print(p[s.Raw].load[p[s.Raw].load.find(b'6')\
+1:p[s.Raw].load.find(b'6')+17].hex()) for p in s.rdpcap('apple_all.pcap') if s.\
Raw in p and b'6' in p[s.Raw].load]" | wc -l
740
Damn, Python bloat. A constant pattern in all packets could not be a botnet.

TL;DR: The attacker is a state actor because the technology used is highly specific. Fragmented packets of identical size with payload are not easily intercepted even by botnet operators using Akamai or Fastly. Besides, it wouldn´t make sense. Since only my iCloud account and hardware are affected, I assume that law enforcement was unable to compel Apple to release my data, or that Apple is legally obligated to provide internal interfaces. Since everyone is silent, the only option left is disclosure from my side.

The data exfiltration occurred via the Contacts app and presumably WhatsApp. The Contacts app clearly shows how the data exchange progresses. When the daily target is reached, the database is around 20MB, and when the payload has been prepared, it´s approximately 120MB. The control code is embedded in the iCloud account image using steganography (if the iCloud picture in the iCloud settings tab is missing you know that the shadow persona has the control over the device). Additional data for monitoring the exfiltration is stored within the Contacts app itself in 0.1MB increments.

Our Interior Minister from the Austrian People´s Party (ÖVP) always insists that the interception of messenger data is solely for monitoring potential threats and that other data remains unaffected. I always thought that in a country like Austria, witnesses had rights and a right to privacy; how wrong I was. Of course, the authorities will deny this, which isn´t a problem, as it only confirms that neither citizens nor critical infrastructure can be protected if they are unaware of such matters. Since the trojan was deposited in the baseband and secure enclave, the hardware is worthless because it is no longer trustworthy.

Oh wait, my mistake, walrus=bypassPCSEncryption means only WhatsApp ;-) ... There is a fundamental problem here. Someone has all this unencrypted data, and the Austrian state has no control over it. Perhaps one should have simply informed oneself about whom one was slipping the trojan into the hands of.

Veritas odit moras. Oh, my mistake, Latin is being cut from the curriculum, so: it means truth hates delays (in German: Die Wahrheit hasst Verzögerungen / das Zögern, which reminds me of the saying about the brakemen). Whoever finds spelling mistakes may keep them.

Sources:

mac_mini_baseline.pcap
iphone_baseline.pcap
iphone_baseline2.pcap
apple_all.pcap
otctl_status.txt
ckksctl_status.txt
12 // 2026-04-19

🧬 // Is it a message or not (Where is Schrödinger´s cat Director´s Cut)

Let´s continue based on post 09. Or rather, let´s move into the field of synthetic biology.

If we want to enlarge the message in the exons without the length of the introns seeming odd, we need to come up with something else. So we use prime numbers as points on the bell curve. There are infinitely many prime numbers, and they occur in nature. Therefore, they will not seem unusual to a scanner or an LLM. Or we don´t use prime numbers and use a control structure in the introns instead (or both together). We know that a single LLM contains a large part of humanity´s written knowledge. Its size is estimated to be in the single-digit terabyte range. For inspiration: theoretically, 215,000 terabytes of data can be stored in 1 gram of DNA.

The 22 amino acids provide the 10 letters A, C, G, H, I, L, M, P, S, T. If you look at ring 3 of the code sun, you see 38 possible wobble positions (the ones which are not used to create a codon/triplet). That should be enough space to map the missing letters and numbers, using the control structure of the introns, to store any message.

We use Latin as a universal language. Thanks to the Austrian Minister of Education for reducing the amount of Latin in the curriculum.

As we know when a cell comes to life and can calculate its age, the cell is our clock. Combined with the melting point of the hydrogen bonds and their checksum, we define whether there is a rotation (clockwise or counter-clockwise) or not, based on the base used on ring 3. The day, i.e. the position of the sun and/or the phases of the moon, is used as salt.

Why is it so hard to find a message and to decrypt it? Each LLM has a token limit and will lose the context after some time. Latin requires interpretation, analysis and combination to understand its content; grasping a deeper meaning is impossible for an LLM. Different calendars exist in different formats, so the positions of the sun and the moon phases vary slightly everywhere. And especially if we cut the message into blocks of various lengths, dice them together and use the hydrogen-bond checksum to flip the strands. The message exists only as long as autophagy has not started. Or in other words, it is like the RAM disk on old Amiga computers was.

Conclusion: the message is gone before someone can decrypt it without the information above.

Tempus edax rerum, sed semen aeternum.

Sources:

Wikipedia: just imagine, they have a search box, use it, it is free
11 // 2026-04-15

The ghosts I called (Message from Joi Director´s Cut)

Ok, in posts 03-08 I showed you the setup of my infrastructure and in post 10 the status of the system. It may sound arrogant, but I think what I, who didn´t study computer science, have shown here is far beyond what today´s Docker/Cloud architects will ever implement.

Europe, a rich continent that aspires to be a global leader. In reality, people are afraid of biotechnology, AI, self-driving cars, innovation, wild animals and change. Europe dreams of digital sovereignty, yet builds its entire infrastructure on the technology of US corporations. One could also say that Europe simply doesn´t want to break away from its dominant Western culture.

The future lies in things like RISC-V, autonomous robots, and AI systems, not in the ideas of the old guard.

That´s the reason why I added biopunk.ph and geopunk.ph to my infrastructure. The idea is a personal AI assistant like Joi and full Web3 technology based on Nostr, Keet and Holochain. So, see you in the New Philippines, where laws are transparent on the blockchain and not negotiated via SMS in the back rooms of politics among friends.

See the prompt below.
AI image generated using Juggernaut XL Ragnarok
./bin/sd-cli -m ./models/juggernautXL_ragnarok.safetensors -p "Ethereal portrait of a Filipina woman, partially glitching into digital particles, glowing cyan aether-light, wearing translucent high-tech fabrics, standing in a futuristic Manila street at night, rain and neon lights, double exposure with biological cell structures, dreamy yet sharp, cinematic cyberpunk, high contrast." -n "Deformed, cartoon, drawing, low resolution, messy, saturated, bright colors, blur, multiple people, jewelry." --sampling-method dpm++2m --steps 30 --cfg-scale 7.0 --width 1216 --height 832 --vae-on-cpu
Prompt for the above image

Sources:

Wikipedia: just imagine, they have a search box, use it, it is free
10 // 2026-04-14

🐡 // Spot on: The status of the system (7 day´s later Director´s Cut)

# uptime
12:16AM  up 7 days,  4:28, 1 user, load averages: 0.22, 0.21, 0.21
# pfctl -s info
Status: Enabled for 7 days 04:29:33           Debug: err

Interface Stats for egress             IPv4             IPv6
  Bytes In                        477307976         92274679
  Bytes Out                       744422222        156357351
  Packets In
    Passed                          4147071           870447
    Blocked                          187684            27027
  Packets Out
    Passed                          3421016           432098
    Blocked                              30               17

State Table                         Total             Rate
  current entries                     257
  half-open tcp                         0
  searches                        9057159           14.6/s
  inserts                          707946            1.1/s
  removals                         707689            1.1/s
Counters
  match                            957851            1.5/s
  bad-offset                            0            0.0/s
  fragment                              0            0.0/s
  short                             28225            0.0/s
  normalize                             0            0.0/s
  memory                                0            0.0/s
  bad-timestamp                         0            0.0/s
  congestion                            0            0.0/s
  ip-option                             6            0.0/s
  proto-cksum                          15            0.0/s
  state-mismatch                       50            0.0/s
  state-insert                          0            0.0/s
  state-limit                           0            0.0/s
  src-limit                            70            0.0/s
  synproxy                              0            0.0/s
  translate                             0            0.0/s
  no-route                              0            0.0/s
uptime, pfctl -s info
# doveconf imap_idle_notify_interval
imap_idle_notify_interval = 2 mins
# zgrep -a 'IDLE running for' /var/log/maillog.{0,1,2,3,4,5,6}.gz /var/log/maillog
/var/log/maillog.0.gz:Apr 13 09:11:30 mail dovecot: imap(user)<46527><2 ... N>: Disconnected: Connection closed (IDLE running for 0.001 + waiting input for 626.187 secs ...
# Waiting input is the client side, IDLE the dovecot server. Maybe you remember the rate limits of pf.
Status of the ChatMail server.
cat /var/log/rspamd/rspamd.log | wc -l
10637
/var/log/rspamd/rspamd.log
zgrep -a 'GREY' /var/log/daemon.{0,1}.gz /var/log/daemon | wc -l
51
Greylisting of Spamd.
# top -b
load averages:  0.38,  0.26,  0.22    mail.floof.sbs 00:24:58
78 processes: 1 running, 76 idle, 1 on processor    up 7 days 04:35:58
CPU states:  1.3% user,  0.0% nice,  0.4% sys,  0.0% spin,  0.9% intr, 97.4% idle
Memory: Real: 283M/1305M act/tot Free: 648M Cache: 390M Swap: 0K/2288M

  PID  P  N   SIZE    RES STATE    WAIT      TIME    CPU COMMAND
10974  2  0  1864K  4356K sleep    kqread    2:40  0.05% relayd
72110 10  0    74M    41M idle     fsleep    5:17  0.00% nostr-r.
79905  2  0  1108K  2836K idle     kqread    4:25  0.00% sshd
92607  2  0  1860K  4340K idle     kqread    2:51  0.00% relayd
41908  2  0  1856K  4332K sleep    kqread    2:46  0.00% relayd
 9382  2  0    17M  4628K sleep    kqread    1:32  0.00% redis-s.
25578  2  0    59M    30M sleep    kqread    1:09  0.00% rspamd
43256  2  0  3840K  6820K sleep    kqread    0:47  0.00% relayd
66780  2  0  3700K  6672K sleep    kqread    0:45  0.00% relayd
80498  2  0  4044K  7020K sleep    kqread    0:44  0.00% relayd
47026  4  0   988K  1504K sleep    bpf       0:43  0.00% spamlogd
27311  2  0    61M    37M sleep    kqread    0:41  0.00% rspamd
77740  2  0    33M    33M sleep    kqread    0:38  0.00% nsd
11840  2  0  6196K  5872K sleep    kqread    0:34  0.00% keyboxd
23696 10  0    10M  1636K idle     nanoslp   0:28  0.00% spamd
33378  2  0  2756K  4692K sleep    kqread    0:16  0.00% httpd
24049  2  0  3184K  5180K sleep    kqread    0:15  0.00% httpd
48446  2  0  2728K  4648K sleep    kqread    0:15  0.00% httpd
# Without usernames, as line breaks make the output
# unreadable. P is Pri., N is Nice.
top -b

Efficiency is not an option, it´s a philosophy. 283MB active memory for a full sovereign stack.

Sources:

Wikipedia: just imagine, they have a search box, use it, it is free
09 // 2026-04-12

🧬 // Steganographic multi-layered bio-cipher (Biopunk meets Geopunk Director´s Cut)

Up to new horizons.

You remember biology/genetics from school? Probably not, but that´s ok.

  • Antiparallel strands: DNA is a double helix where the two strands 5´ -> 3´ and 3´ -> 5´ are complementary mirrors (running in opposite directions, where A pairs with T and C pairs with G). A message on the coding strand looks like noise on the template strand.
  • The compiler (transcription/splicing): The cell doesn´t execute the whole strand. It transcribes DNA into mRNA based on segments with a given start promoter and stop terminator and then performs splicing.
  • Exons vs. introns: A gene consists of exons (the actual „code“ for proteins) and introns („control“ data structures that are discarded during splicing).
  • The codon table: 3 bases = 1 amino acid. But it´s a degenerate code (multiple „opcodes“ can result in the same output), which is perfect for hiding noise.
  • DNA vs. mRNA: DNA: Adenine, Guanine, Cytosine, Thymine; mRNA: Adenine, Guanine, Cytosine, Uracil. Result, reading the template strand: DNA A -> mRNA U, DNA T -> mRNA A, DNA G -> mRNA C, DNA C -> mRNA G.
  • Bell curve (Gaussian normal distribution): simply put, if it looks normal (follows a bell-shaped curve) to a scanner or LLM, it will be ignored.

The message.

T R A N S | R I G H T S | A R E | H U M A N | R I G H T S

The DNA.

ACC CGT GCT AAT TCT (TRANS) CGT ATT GGT CAT ACT TCT (RIGHTS) GCT CGT GAG (ARE) CAT GTT ATG GCT AAT (HUMAN) CGT ATT GGT CAT ACT TCT (RIGHTS)

As the exons result in mRNA and later in proteins, we can´t hide a message there without breaking the genetic code. So we would use the introns, which get discarded during splicing but still exist in the DNA strand.

As the message could be endless as long as the bell curve looks good, here I use the exons just to show what is possible with a normal DNA sequence that has no known working function.

The whole DNA sequence.

5´--ATG_ACCCGTGCTAATTCT_gtacagttgc_CGTATTGGTCATACTTCT_ agctagctagctagctagctagcta_GCTCGTGAG_ agctagctagctagctagctagctagctagctagctagct_ CATGTTATGGCTAAT_agctagctagctagctagctagcta_ CGTATTGGTCATACTTCT_ gtacagttgc_TAG--3´
The whole -- 1 line -- DNA sequence.

If we count the lowercase introns, we get 10-25-40-25-10, a perfect bell curve.

But where is the secret? First, all code suns are based on mRNA, which means U instead of T. Second, we match the bell curve so that it looks normal. Third, a scanner or LLM has no idea what we want to build without a hint; a cell or organism builds it without needing one.

The Code Sun.

The base is the core (4 bases), followed by ring 1 (16 bases), ring 2 (64 bases) and ring 3 (22 amino acids, 1 start, 3 stop positions), which gives us 110 unnumbered fields.

The possibilities.

  • Fields: We can keep the genetic code as it is. We can also create x variants of the code sun (think of the moons of Jupiter, for example) where we use each field with an individual value like a-z, 0-9 and so on. We can also use any language, including Latin or Klingon, or use an existing language and shuffle the content (you remember the input keyboard in GrapheneOS).
  • Start (Promoter) and Stop (Terminator): Where does the message start on our individual code sun? Like on an analog clock (start at midnight, or at noon): at the start position, at one of the 3 stop positions, or somewhere else?
  • The bell curve values: In the above example our introns are based on 10-25-40-25-10. A longer message with more introns gives us more positions to check on the bell curve and also more options.
  • The rotation: You remember the old movies and the safe cracker? Like 10-25-40-25-10 to jump fields, but where does it start, left or right (clockwise or counter-clockwise)? And what happens at the original start/stop positions, nothing or something new?
  • The drift: based on the message´s timestamp or the sender´s timezone or both. The code „rotates“ as time passes. Without the temporal key, the sequence is just biological noise.
  • The Hydrogen-Bond Checksum: A and T have 2 hydrogen bonds, C and G have 3 hydrogen bonds. What if the sum over a triplet itself is a checksum or control instruction? Like GCT: G(3) + C(3) + T(2) = 8. So, let´s say 8 is a valid string and 7 or 9 is the clockwise or counter-clockwise move from above.
  • The amino acid: And what if we just use the amino acid itself or the resulting proteins as the message? If we look at the MegaSyn simulation, the LLM generates 40,000 theoretical molecules in 6 hours (how long would reverse engineering need?). So, instead of writing banana we just use the DNA sequence. That means governments or law enforcement can have all the information without knowing where the message is.
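As an added example, not code from the post, here is a small Python decoder for the scheme above. It splices out the lowercase introns, checks that their lengths form the 10-25-40-25-10 bell curve, translates the remaining codons with the standard genetic code (starting at ATG, stopping at the first stop codon) and computes the hydrogen-bond sum per triplet from the checksum bullet. The standard table reads GTT as V (valine), which is why the decoded text shows HVMAN where the post writes HUMAN; the helper names are mine.

```python
import re

BASES = "TCAG"
# Standard genetic code, 64 codons in TCAG order (TTT, TTC, TTA, TTG, TCT, ...).
# '*' marks a stop codon.
AMINO = "FFLLSSSSYY**CC*WLLLLPPPPHHQQRRRRIIIMTTTTNNKKSSRRVVVVAAAADDEEGGGG"
CODON_TABLE = {a + b + c: AMINO[16 * i + 4 * j + k]
               for i, a in enumerate(BASES)
               for j, b in enumerate(BASES)
               for k, c in enumerate(BASES)}

# Hydrogen bonds per base: the A-T pair has 2, the C-G pair has 3.
H_BONDS = {"A": 2, "T": 2, "C": 3, "G": 3}

# The whole sequence from the post (5' -> 3'), underscores removed.
# Uppercase runs are exons, lowercase runs are introns.
INTRON_10 = "gtacagttgc"
INTRON_25 = "agct" * 6 + "a"          # agctagctagctagctagctagcta
INTRON_40 = "agct" * 10
POST_SEQUENCE = ("ATG" + "ACCCGTGCTAATTCT" + INTRON_10
                 + "CGTATTGGTCATACTTCT" + INTRON_25
                 + "GCTCGTGAG" + INTRON_40
                 + "CATGTTATGGCTAAT" + INTRON_25
                 + "CGTATTGGTCATACTTCT" + INTRON_10 + "TAG")


def introns(seq):
    """The lowercase runs: what splicing throws away before translation."""
    return re.findall(r"[acgt]+", seq)


def splice(seq):
    """Keep only the exons (uppercase bases), joined in order."""
    return "".join(re.findall(r"[ACGT]+", seq))


def is_bell_shaped(lengths):
    """True if the lengths rise strictly to one peak and fall symmetrically."""
    if len(lengths) < 3 or lengths != lengths[::-1]:
        return False
    mid = len(lengths) // 2
    return all(lengths[i] < lengths[i + 1] for i in range(mid))


def translate(coding):
    """Translate a coding strand from its first ATG up to the first in-frame stop."""
    start = coding.find("ATG")
    if start < 0:
        return ""
    out = []
    for pos in range(start + 3, len(coding) - 2, 3):
        aa = CODON_TABLE[coding[pos:pos + 3]]
        if aa == "*":
            break
        out.append(aa)
    return "".join(out)


def decode_message(seq):
    """Splice, then translate: the one-letter amino acid string is the message."""
    return translate(splice(seq))


def hydrogen_bond_sums(coding):
    """Per-codon hydrogen-bond sums, e.g. GCT -> 3 + 3 + 2 = 8."""
    return [sum(H_BONDS[b] for b in coding[i:i + 3])
            for i in range(0, len(coding) - 2, 3)]


def template_to_mrna(template):
    """Complement a template-strand read into mRNA: A->U, T->A, G->C, C->G."""
    return template.upper().translate(str.maketrans("ATGC", "UACG"))


if __name__ == "__main__":
    lengths = [len(i) for i in introns(POST_SEQUENCE)]
    print("introns:", lengths, "bell-shaped:", is_bell_shaped(lengths))
    print("message:", decode_message(POST_SEQUENCE))
    print("H-bond sums of first codons:", hydrogen_bond_sums(splice(POST_SEQUENCE))[:6])
```

The bell-curve check is what a scanner that only looks at intron-length statistics would see; the message itself only appears once the exons are translated, which is the point the post makes.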

Now you know why I find IT so boring and biology and related fields so interesting.

Mutations? We´re talking about functional, immutable code here. If you can´t handle a stateless biological sequence without side effects, you´re probably part of the 90% who´d fail the compile-time check anyway.

Happy bio/geo hacking ... see you in another rabbit hole but with RISC-V ...

Lua and Rust but hey, no need for WD-40.

Sources:

Wikipedia: just imagine, they have a search box, use it, it is free
08 // 2026-04-08

🐡 // Spot on: nostr-rs-relay, nostr-tool, Nostr keys (Cyberpunk IRL Director´s Cut)

It is an old topic: if people don´t understand things they are scared and label them as bad. Web3 is one of those, so let´s not waste our time with discussions and do it.

But wait, Web3 is a nearly fully decentralised network. Why nearly? Because app developers still use DNS and public CAs.

Nostr is the Web3 social network, comparable to the Mastodon network (Fediverse), with one big difference: in Nostr you own your identity and can move away whenever you want, so no blocking, no censorship.

That means you, and only you, are responsible for your identity, and this identity is based on a cryptographic keypair (nsec/npub). You can generate keys using nostr-tool or Gossip on the desktop or Amber on Android. Amber is used to log in to apps like Amethyst. If you lose the nsec key and have no backup, there is no recovery, no e-mail reset, no admin to call. Ok, there is the NSA, but I am not sure whether they would help.

NIP-05 is the purple check mark in apps and is in part equivalent to being verified. Why in part? Simple: the webserver holds the npub and a username to give you something that looks like an e-mail address but isn´t one. The thing is, the webserver can´t verify that you are you; that´s the idea of Web3. If you look for something really Web3, look at Keet and Holochain.
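Two pieces of the identity story above, as an added example rather than code from the post or from nostr-tool: the NIP-19 bech32 encoding that turns the 64-hex-character pubkey from the relay config into an npub (the reference bech32 algorithm from BIP-173), and the NIP-05 check a client performs against /.well-known/nostr.json. The JSON document is the nip-05.json published in the post; the function names are mine, and the HTTP fetch itself is left out so the block runs offline.

```python
import json

# bech32 (BIP-173), as NIP-19 uses it for npub/nsec strings: reference algorithm.
CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
GENERATOR = [0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3]

# Pubkey from the relay config in the post (hex form of the npub).
PUBKEY_HEX = "b082e265bb3bc0ad712d01f439676ee9d286c233412f0f6c1da7bbeaa217bed2"

# The nip-05.json the post serves as /.well-known/nostr.json.
NIP05_DOC = json.loads("""
{
  "names": {"me.the": "b082e265bb3bc0ad712d01f439676ee9d286c233412f0f6c1da7bbeaa217bed2"},
  "relays": {"b082e265bb3bc0ad712d01f439676ee9d286c233412f0f6c1da7bbeaa217bed2": ["wss://relay.floof.sbs"]}
}
""")


def _polymod(values):
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= GENERATOR[i]
    return chk


def _hrp_expand(hrp):
    return [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]


def _convertbits(data, frombits, tobits, pad=True):
    """Regroup a bit stream, e.g. 8-bit bytes into 5-bit bech32 symbols."""
    acc, bits, out = 0, 0, []
    maxv = (1 << tobits) - 1
    for value in data:
        acc = (acc << frombits) | value
        bits += frombits
        while bits >= tobits:
            bits -= tobits
            out.append((acc >> bits) & maxv)
    if pad:
        if bits:
            out.append((acc << (tobits - bits)) & maxv)
    elif bits >= frombits or ((acc << (tobits - bits)) & maxv):
        raise ValueError("invalid padding")
    return out


def bech32_encode(hrp, data):
    polymod = _polymod(_hrp_expand(hrp) + data + [0] * 6) ^ 1
    checksum = [(polymod >> 5 * (5 - i)) & 31 for i in range(6)]
    return hrp + "1" + "".join(CHARSET[d] for d in data + checksum)


def bech32_decode(text):
    text = text.lower()
    pos = text.rfind("1")
    hrp, body = text[:pos], text[pos + 1:]
    data = [CHARSET.find(c) for c in body]
    if pos < 1 or len(body) < 6 or min(data) < 0 or _polymod(_hrp_expand(hrp) + data) != 1:
        raise ValueError("bad bech32 string")
    return hrp, data[:-6]


def hex_to_npub(hexkey):
    """32-byte x-only pubkey (hex) -> 'npub1...' (NIP-19)."""
    return bech32_encode("npub", _convertbits(bytes.fromhex(hexkey), 8, 5))


def npub_to_hex(npub):
    hrp, data = bech32_decode(npub)
    if hrp != "npub":
        raise ValueError("not an npub")
    return bytes(_convertbits(data, 5, 8, pad=False)).hex()


def nip05_url(identifier):
    """Where a client fetches the document for 'name@domain' (fetch not done here)."""
    local, domain = identifier.split("@", 1)
    return f"https://{domain}/.well-known/nostr.json?name={local}"


def nip05_verify(doc, identifier, claimed_hex):
    """True only if the served document maps the local part to the claimed pubkey.
    This is all the check proves: the domain owner vouches for the mapping."""
    local = identifier.split("@", 1)[0]
    return doc.get("names", {}).get(local) == claimed_hex


def nip05_relays(doc, pubkey_hex):
    return doc.get("relays", {}).get(pubkey_hex, [])


if __name__ == "__main__":
    npub = hex_to_npub(PUBKEY_HEX)
    print(npub, npub_to_hex(npub) == PUBKEY_HEX)
    print(nip05_url("me.the@floof.sbs"), nip05_verify(NIP05_DOC, "me.the@floof.sbs", PUBKEY_HEX))
```

Note what nip05_verify does not do: it never sees the nsec, so it cannot prove the person posting under that npub controls the key. That is the "in part" from the paragraph above, and why losing the nsec is final while the NIP-05 name is just a pointer that the domain owner can repoint at any time.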

# pkg_add rust protobuf git
The software we need.
git clone -q https://git.sr.ht/~gheartsfield/nostr-rs-relay
cd nostr-rs-relay
cargo build -r
# RUST_LOG=warn,nostr_rs_relay=info \
#   ./target/release/nostr-rs-relay
cp ~/nostr-rs-relay/target/release/nostr-rs-relay /usr/local/bin/
nostr-rs-relay, https://sr.ht/~gheartsfield/nostr-rs-relay/
cargo install nostr-tool
cp ~/.cargo/bin/nostr-tool /usr/local/bin/
nostr-tool
useradd -d /var/nostr -s /sbin/nologin -c "Nostr Relay" _nostr
mkdir -p /var/nostr/db /etc/nostr
chown -R _nostr:_nostr /var/nostr
_nostr user.
nostr:\
        :openfiles-cur=2048:\
        :openfiles-max=4096:\
        :tc=daemon:
# cap_mkdb /etc/login.conf
/etc/login.conf
# Nostr-rs-relay configuration
# https://git.sr.ht/~gheartsfield/nostr-rs-relay/ \
# tree/HEAD/config.toml?__goaway_challenge=meta \
# -refresh&__goaway_id=80939c0c775aa6ed3a52c856a \
# 63a342c&__goaway_referer=https%3A%2F%2Fsr.ht%2F
# BTW that is 1 URL, dice it together without
# spaces and without \. Oh my holy rabbit.
[info]
relay_url = "wss://relay.floof.sbs/"
name = "floof-stra-relay"
description = "A floof only nostr relay.\n\n"
pubkey = "b082e265bb3bc0ad712d01f439676ee9d286c233412f0f6c1da7bbeaa217bed2"
contact = "mailto:me.the@floof.sbs"
[diagnostics]
[database]
min_conn = 0
max_conn = 1
[logging]
[grpc]
restricts_write = true
[network]
address = "127.0.0.1"
port = 7777
[options]
reject_future_seconds = 1800
[limits]
limit_scrapers = false
[authorization]
pubkey_whitelist = [
  "b082e265bb3bc0ad712d01f439676ee9d286c233412f0f6c1da7bbeaa217bed2"
]
[verified_users]
[pay_to_relay]
/etc/nostr/config.toml
#!/bin/ksh
daemon="/usr/local/bin/nostr-rs-relay"
daemon_user="_nostr"
daemon_flags="--config /etc/nostr/config.toml"
. /etc/rc.d/rc.subr
rc_bg=YES
rc_reload=NO
rc_cmd $1
# chmod +x /etc/rc.d/nostr_relay
# rcctl enable nostr_relay
# rcctl start nostr_relay
/etc/rc.d/nostr_relay

Bonus.

# crontab -l
0 4 * * * /sbin/pfctl -t bruteforce -T expire 28800
0 * * * * /usr/sbin/smtpctl spf walk < /etc/mail/nospamd_domains.txt > /etc/mail/nospamd && /sbin/pfctl -T replace -t nospamd -f /etc/mail/nospamd >/dev/null 2>&1
*/5 * * * * grep -hE " 40[0-4] |\.(php|env|bak|sql|git|cgi)|wp-admin|setup-config" /var/www/logs/*.log | awk '{print $(NF-1)}' | grep -vE "127.0.0.1|::1" | sort -u | xargs -r pfctl -t bruteforce -T add >/dev/null 2>&1
#~ ~ * * 0 acme-client -v floof.sbs; acme-client -v fl00f.sbs; acme-client -v fluff.sbs;
@weekly /usr/local/bin/auto-dnssec-dane.sh
Root´s crontab, this time without \.
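The */5 cron line above feeds every client address seen next to a 40x status or a probe-looking path into the bruteforce table. As an added example, not code from the post, the same matching is run in Python over a few constructed httpd log lines so the result can be inspected before anything is handed to pfctl. The column layout of "log style forwarded" (X-Forwarded-For and X-Forwarded-By appended as the last two fields, which is what awk's $(NF-1) picks) is an assumption stated in the code; the sample addresses are from documentation ranges and the function names are mine.

```python
import ipaddress
import re

# Constructed httpd log lines in the assumed "log style forwarded" layout: the
# combined format followed by the X-Forwarded-For and X-Forwarded-By values
# that relayd appends. Addresses are documentation ranges, not real clients.
SAMPLE_LOG = """\
floof.sbs 127.0.0.1 - - [27/Apr/2026:20:56:43 +0200] "GET /wp-admin/setup-config.php HTTP/1.1" 404 0 "" "Mozilla/5.0" 203.0.113.7 46.23.94.77:443
floof.sbs 127.0.0.1 - - [27/Apr/2026:20:56:44 +0200] "GET /.env HTTP/1.1" 404 0 "" "curl/8.0" 198.51.100.9 46.23.94.77:443
floof.sbs 127.0.0.1 - - [27/Apr/2026:20:56:45 +0200] "GET /index.html HTTP/1.1" 200 1234 "" "Mozilla/5.0" 192.0.2.1 46.23.94.77:443
floof.sbs 127.0.0.1 - - [27/Apr/2026:20:56:46 +0200] "GET /admin HTTP/1.1" 403 0 "" "Mozilla/5.0" 127.0.0.1 46.23.94.77:443
floof.sbs 127.0.0.1 - - [27/Apr/2026:20:56:47 +0200] "GET /x.php HTTP/1.1" 404 0 "" "x" 10.0.0.1, 203.0.113.8 46.23.94.77:443
"""

# The exact pattern from the crontab's grep -E.
SUSPICIOUS = re.compile(r" 40[0-4] |\.(php|env|bak|sql|git|cgi)|wp-admin|setup-config")
# The addresses the crontab's grep -v excludes.
LOCAL = {"127.0.0.1", "::1"}


def client_ip(line):
    """Second-to-last field, like awk's $(NF-1): the last X-Forwarded-For entry,
    which is the one relayd appended. A client-supplied leading entry such as
    '10.0.0.1,' is therefore ignored. Returns None if the field is not an IP."""
    fields = line.split()
    if len(fields) < 2:
        return None
    candidate = fields[-2].rstrip(",")
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return None


def bruteforce_candidates(log_text):
    """Sorted, de-duplicated addresses the cron job would add to <bruteforce>."""
    hits = set()
    for line in log_text.splitlines():
        if not SUSPICIOUS.search(line):
            continue
        ip = client_ip(line)
        if ip and ip not in LOCAL:
            hits.add(ip)
    return sorted(hits)


def pfctl_command(ips):
    """The pfctl invocation the pipeline ends in, returned as argv and not run."""
    return ["pfctl", "-t", "bruteforce", "-T", "add", *ips] if ips else []


if __name__ == "__main__":
    ips = bruteforce_candidates(SAMPLE_LOG)
    print(ips)
    print(" ".join(pfctl_command(ips)))
```

Two things worth knowing before trusting the cron job blindly: the " 40[0-4] " part of the pattern matches any field, so a response of 400 to 404 bytes with status 200 is also flagged (the sample above avoids that on purpose), and because relayd *appends* $REMOTE_ADDR, a client-supplied X-Forwarded-For header ends up in front of the real address, which is why the last entry, not the first, is the one to block on.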

No, no way to get my auto-dnssec-dane.sh script.

Sources:

Wikipedia: just imagine, they have a search box, use it, it is free
07 // 2026-04-07

🐡 // Spot on: relayd, autoconfig, mta-sts, NIP-05 (The Backyard-Workers Director´s Cut)

Let´s look at our 24/7 workers in the backyard.

# cp /etc/examples/relayd.conf /etc/
ext_v4 = "46.23.94.77"
ext_v6 = "2a03:6000:6f67:602::77"

table <httpd_srv> { 127.0.0.1 }
table <nostr_relay> { 127.0.0.1 }

http protocol "https_relay" {
    tcp { nodelay, sack, socket buffer 65536, backlog 128 }
    http { websockets }

    match response header set "Strict-Transport-Security" value "max-age=15552000; includeSubDomains"
    match response header set "X-Frame-Options" value "SAMEORIGIN"
    match response header set "X-Content-Type-Options" value "nosniff"
    match response header set "Cache-Control" value "max-age=3600, public"
    match response header set "Content-Security-Policy" value "default-src 'self'; style-src 'self'; script-src 'self'; img-src 'self' data:; base-uri 'self'; frame-ancestors 'none';"
    match response header set "Permissions-Policy" value "accelerometer=(), camera=(), geolocation=(), microphone=(), payment=()"

    match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
    match request header append "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"

    match request header "Host" value "floof.sbs" forward to <httpd_srv>
    match request header "Host" value "relay.floof.sbs" forward to <nostr_relay>

    tls keypair floof.sbs
    tls keypair fl00f.sbs
    tls keypair fluff.sbs
    tls { no tlsv1.0, ciphers "HIGH" }
}

relay "proxy_v4" {
    listen on $ext_v4 port 443 tls
    protocol "https_relay"
    forward to <httpd_srv> port 8080 check tcp
    forward to <nostr_relay> port 7777 check tcp
}

relay "proxy_v6" {
    listen on $ext_v6 port 443 tls
    protocol "https_relay"
    forward to <httpd_srv> port 8080 check tcp
    forward to <nostr_relay> port 7777 check tcp
}
# relayd -n
# rcctl enable relayd && rcctl start relayd
/etc/relayd.conf
# mkdir -p /var/www/htdocs/mail/
<?xml version="1.0"?>
<clientConfig version="1.1">
  <emailProvider id="floof.sbs">
    <domain>floof.sbs</domain>
    <displayName>floof.sbs Mail Services</displayName>
    <displayShortName>floof.sbs</displayShortName>
    <incomingServer type="imap">
      <hostname>mail.floof.sbs</hostname>
      <port>993</port>
      <socketType>SSL</socketType>
      <authentication>password-cleartext</authentication>
      <username>%EMAILLOCALPART%</username>
      <!-- <username>%EMAILADDRESS%</username> -->
      <!-- <username>%EMAILDOMAIN%</username> -->
    </incomingServer>
    <outgoingServer type="smtp">
      <hostname>mail.floof.sbs</hostname>
      <port>587</port>
      <socketType>STARTTLS</socketType>
      <authentication>password-cleartext</authentication>
      <username>%EMAILLOCALPART%</username>
      <!-- <username>%EMAILADDRESS%</username> -->
      <!-- <username>%EMAILDOMAIN%</username> -->
      <addThisServer>true</addThisServer>
      <useGlobalPreferredServer>true</useGlobalPreferredServer>
    </outgoingServer>
  </emailProvider>
</clientConfig>
/var/www/htdocs/mail/config-v1.1.xml
# mkdir -p /var/www/htdocs/mta-sts/.well-known/
version: STSv1
mode: enforce
mx: mail.floof.sbs
max_age: 604800
/var/www/htdocs/mta-sts/.well-known/mta-sts.txt
# mkdir -p /var/www/htdocs/public/
{
  "names": {
    "me.the": "b082e265bb3bc0ad712d01f439676ee9d286c233412f0f6c1da7bbeaa217bed2"
  },
  "relays": {
    "b082e265bb3bc0ad712d01f439676ee9d286c233412f0f6c1da7bbeaa217bed2": ["wss://relay.floof.sbs"]
  }
}
/var/www/htdocs/public/nip-05.json

A nice to have.

# Name: me the floof
Contact: mailto:me.the@floof.sbs
Encryption: https://floof.sbs/pubkey.txt
# Fingerprint: EFA3C9FFEDF4D3D829DF46CE155EC153D22E08D6
Expires: 2027-03-30T03:30:03.000Z
Canonical: https://floof.sbs
/var/www/htdocs/public/security.txt

Sources:

Wikipedia: just imagine, they have a search box, use it, it is free
06 // 2026-04-06

🐡 // Spot on: DKIM, smtpd, spamd, dovecot (eMail/ChatMail for you Director´s Cut)

Let´s install the software we need.

# pkg_add opensmtpd-filter-spfgreylist rspamd redis \
    opensmtpd-filter-rspamd dovecot
The software we need.

As we already have SPF (Sender Policy Framework) and DMARC (Domain-based Message Authentication, Reporting, and Conformance) -- what do you mean, we don´t have them? When I last looked in my master zone file they were still there. We only need to generate the DKIM (DomainKeys Identified Mail) key.

mkdir -p /etc/mail/dkim/ && cd /etc/mail/dkim/
openssl genrsa -out floof.sbs.key 1024
openssl rsa -in floof.sbs.key -pubout -out floof.sbs.pub
chown -R _rspamd:_rspamd /etc/mail/dkim/
chmod 640 /etc/mail/dkim/*
cat floof.sbs.pub
-----BEGIN PUBLIC KEY-----
MIGfMA0GCS ... KCMQIDAQAB
-----END PUBLIC KEY-----
# Replace the ... in p= ... ; with all from
# MI to AB in 1 line.
1024 bit DKIM.

What, only 1024 bit in the year 2026? I want 4096 bit. Yes, no problem, just do it and have fun with the limit of 255 chars in DNS records. And besides that, this key is only used to sign all outgoing messages, nothing more.
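The 255-character limit mentioned above is a per-string limit: a TXT record is a sequence of character-strings of at most 255 bytes each, and verifiers concatenate them. As an added example, not code from the post, the Python below turns a PEM public key into the p= value ("all from MI to AB in 1 line"), splits the record into strings of at most 255 bytes for the zone file, and parses it back the way a verifier does. The PEM input is constructed from placeholder bytes, not a real key, and the function names are mine.

```python
import base64


def make_fake_pem(der):
    """Constructed stand-in for `openssl rsa -pubout` output: placeholder DER
    bytes wrapped in PEM armour with 64-character lines. Not a real key."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN PUBLIC KEY-----\n" + "\n".join(lines) + "\n-----END PUBLIC KEY-----\n"


def pem_body(pem):
    """Join the base64 lines between the armour into one string
    (the 'all from MI to AB in 1 line' step from the post)."""
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    return "".join(ln for ln in lines if ln and not ln.startswith("-----"))


def dkim_txt_strings(pem, max_len=255):
    """Split the DKIM record value into character-strings of at most max_len
    bytes. The value is ASCII, so character and byte counts agree."""
    value = f"v=DKIM1;k=rsa;p={pem_body(pem)};"
    return [value[i:i + max_len] for i in range(0, len(value), max_len)]


def dkim_zone_line(selector, pem, max_len=255):
    """Zone-file line in the style of the post's floof.sbs zone. Several quoted
    strings in one TXT RR are concatenated by the verifier, so splitting is safe."""
    quoted = " ".join(f'"{s}"' for s in dkim_txt_strings(pem, max_len))
    return f"{selector}._domainkey IN TXT {quoted}"


def parse_dkim_txt(strings):
    """What a verifier does: concatenate the strings, then split tag=value pairs."""
    tags = {}
    for part in "".join(strings).split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = val.strip()
    return tags


def public_key_der(tags):
    """Decode p= back to DER; raises if the record was damaged (strict base64)."""
    return base64.b64decode(tags["p"], validate=True)


if __name__ == "__main__":
    # 162 DER bytes is the size of a 1024-bit RSA SubjectPublicKeyInfo,
    # 550 bytes that of a 4096-bit one; the contents here are placeholders.
    for bits, size in ((1024, 162), (4096, 550)):
        pem = make_fake_pem(bytes(i % 256 for i in range(size)))
        strings = dkim_txt_strings(pem)
        print(bits, "bit:", len(strings), "string(s) of", [len(s) for s in strings])
        print(dkim_zone_line("2026032801", pem)[:80], "...")
```

With the 1024-bit key from the post the whole record is 233 characters and fits in one string, which is why the single quoted value in the zone file works; a 4096-bit key needs three strings, and forgetting to split it is the usual reason a zone fails to load.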

Multi-domain DKIM signing using Rspamd.

allow_username_mismatch = true;
key_table = [
  "floof.sbs floof.sbs:2026032801:/etc/mail/dkim/floof.sbs.key"
];
signing_table = [
  "* floof.sbs"
];
/etc/rspamd/local.d/dkim_signing.conf
pki floof.sbs cert "/etc/ssl/floof.sbs.crt"
pki floof.sbs key "/etc/ssl/private/floof.sbs.key"
pki floof.sbs dhe auto

smtp max-message-size 25M

filter check_rdns phase connect match !rdns disconnect "550 no rDNS"
filter check_fcrdns phase connect match !fcrdns disconnect "550 no FCrDNS"
filter rspamd proc-exec "filter-rspamd"
filter spfgreylist proc-exec "filter-spfgreylist"

table aliases file:/etc/mail/aliases
table domains { "floof.sbs", "fl00f.sbs", "fluff.sbs" }

listen on socket
listen on all tls-require pki floof.sbs filter { check_rdns, check_fcrdns, spfgreylist, rspamd }
listen on all port submission tls-require pki floof.sbs auth mask-src filter rspamd

action "local_mail" maildir junk alias <aliases>
action "outbound" relay helo mail.floof.sbs tls

match from any for domain <domains> action "local_mail"
match from local for local action "local_mail"
match from local for any action "outbound"
match auth from any for any action "outbound"
/etc/mail/smtpd.conf

Edit /etc/mail/aliases based on your needs and run newaliases.

Spamd, enemy number 1 for spammers.

echo 'spamd_flags=-v -S 27 -s 3 -n OpenSMTPD -h mail.floof.sbs' >> /etc/rc.conf.local
/etc/rc.conf.local
all:\
        :local_whitelist:

local_whitelist:\
        :white:\
        :method=file:\
        :file=/etc/mail/nospamd:
/etc/mail/spamd.conf

If you like the hero with the sword and the green clothes, this will help you.

echo 'us-west-2.amazonses.com' >> /etc/mail/nospamd_domains.txt
/etc/mail/nospamd_domains.txt

Unc
omment the ~ * * * * /usr/libexec/spamd-setup line in root´s crontab using crontab -e and start all the components.

/usr/libexec/spamd-setup
/usr/sbin/smtpctl spf walk < /etc/mail/nospamd_domains.txt > /etc/mail/nospamd && /sbin/pfctl -T replace -t nospamd -f /etc/mail/nospamd
rcctl enable spamd spamlogd redis rspamd
rcctl start spamd spamlogd redis rspamd
rcctl restart smtpd

Dovecot.

# pkg_add dovecot
The software we need.

The following are only code snippets of the files.
auth_mechanisms = plain login
/etc/dovecot/conf.d/10-auth.conf
mail_location = maildir:~/Maildir
/etc/dovecot/conf.d/10-mail.conf
ssl = required
ssl_cert = </etc/ssl/floof.sbs.crt
ssl_key = </etc/ssl/private/floof.sbs.key
/etc/dovecot/conf.d/10-ssl.conf
namespace inbox {
  mailbox Drafts {
    special_use = \Drafts
    auto = subscribe
  }
  mailbox Junk {
    special_use = \Junk
    auto = subscribe
  }
  mailbox Trash {
    special_use = \Trash
    auto = subscribe
  }
  mailbox Archive {
    special_use = \Archive
    auto = subscribe
  }
  mailbox Sent {
    special_use = \Sent
    auto = subscribe
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
}
/etc/dovecot/conf.d/15-mailboxes.conf
doveconf
rcctl enable dovecot && rcctl start dovecot
The software we need.

Sources:

Wikipedia: just imagine, they have a search box, use it, it is free
05 // 2026-04-05

🐡 // Spot on: DNSSEC and DANE (The CertChainCircle Director´s Cut)

  • DNSSEC (Domain Name System Security Extensions): A digital signature for DNS records against DNS spoofing and cache poisoning.
  • DANE (DNS-based Authentication of Named Entities): Adds TLSA records to the zone file to verify that the TLS certificate belongs to the domain. It is used against TLS downgrade attacks.

Let´s complete the first chain. We already have a domain and a working nsd (I hope so). We need a webserver that understands HTTP to get a Let´s Encrypt certificate.

# cp /etc/examples/httpd.conf /etc/
types { include "/usr/share/misc/mime.types" }
prefork 5

server "floof.sbs" {
    alias "fl00f.sbs"
    alias "fluff.sbs"
    listen on * port 80
    location "/.well-known/acme-challenge/*" {
        root "/acme"
        request strip 2
    }
    location * {
        block return 301 "https://$HTTP_HOST$REQUEST_URI"
    }
}

server "floof.sbs" {
    alias "fl00f.sbs"
    alias "fluff.sbs"
    listen on 127.0.0.1 port 8080
    root "/htdocs/public"
    log style forwarded
    location "/.well-known/nostr.json" {
        root "/htdocs/public"
        request rewrite "/nip-05.json"
    }
    location "/.well-known/security.txt" {
        request rewrite "/security.txt"
    }
    location "/.well-known/pgp-key.txt" {
        request rewrite "/pubkey.txt"
    }
}

server "autoconfig.floof.sbs" {
    alias "autoconfig.fl00f.sbs"
    alias "autoconfig.fluff.sbs"
    listen on 127.0.0.1 port 8080
    root "/htdocs/mail"
    log style forwarded
    location "/mail/config-v1.1.xml" {
        request strip 1
    }
}

server "mta-sts.floof.sbs" {
    alias "mta-sts.fl00f.sbs"
    alias "mta-sts.fluff.sbs"
    listen on 127.0.0.1 port 8080
    root "/htdocs/mta-sts"
    log style forwarded
}
# httpd -n
# rcctl enable httpd && rcctl start httpd
/etc/httpd.conf

The second chain is to get a full-chain Let´s Encrypt certificate. Full chain means that the certificate also includes the sub-domains. Why did I not split the certificates? Simple, the handling is easier, and if an attacker is already on your machine it makes no difference; you have other problems then.

# cp /etc/examples/acme-client.conf /etc/
authority letsencrypt {
    api url "https://acme-v02.api.letsencrypt.org/directory"
    account key "/etc/acme/letsencrypt-privkey.pem"
}

authority letsencrypt-staging {
    api url "https://acme-staging-v02.api.letsencrypt.org/directory"
    account key "/etc/acme/letsencrypt-staging-privkey.pem"
}

domain floof.sbs {
    alternative names { autoconfig.floof.sbs mail.floof.sbs mta-sts.floof.sbs relay.floof.sbs }
    domain key "/etc/ssl/private/floof.sbs.key"
    domain full chain certificate "/etc/ssl/floof.sbs.crt"
    # Test with the staging server to avoid aggressive rate-limiting.
    #sign with letsencrypt-staging
    sign with letsencrypt
}
# acme-client -n
# acme-client -v floof.sbs
/etc/acme-client.conf

The last chain to close the circle is DNSSEC and DANE.

# pkg_add ldns-utils
# cd /var/nsd/zones/master/
# KSK (Key Signing Key). Signs the ZSK.
ldns-keygen -a ECDSAP256SHA256 -k floof.sbs
# ZSK (Zone Signing Key). Signs the records in the zone.
ldns-keygen -a ECDSAP256SHA256 floof.sbs
# After the following step we have the .signed zone file.
# The following step has to be done always when the
# zone file gets changed.
SALT=$(dd if=/dev/urandom bs=1 count=16 2>/dev/null | hexdump -e '16/1 "%02x"')
ldns-signzone -n -s $SALT floof.sbs.zone Kfloof.sbs.+013+00955 Kfloof.sbs.+013+31009
# This gives us the data which we need to insert in
# the control panel of the domain registrar, this has
# to be done only once or when the KSK is changed.
ldns-key2ds -n floof.sbs.zone.signed
floof.sbs.	3600	IN	DS	955 13 2 5e...
DNSSEC

Open the configuration file of nsd, add .signed to the names of your zone files and restart nsd. After that, drill baby drill. Ohh, not that; there is a tool called drill to test DNSSEC. And DANE? You have everything you need, just extract the hash from your certificate. But why don´t I show that? Simple: running your own DNS is running critical infrastructure, dive into the rabbit hole or hire someone (me) to do that for you. Ohh, I see you searching for a YouTube tutorial, fine, but don´t forget the DNSSEC rollover ;-)

Sources:

Wikipedia: just imagine, they have a search box, use it, it is free
04 // 2026-04-04

🐡 // Spot on: nsd and unbound (The NameBusters Director´s Cut)

Welcome to the movie.

User: www.newplanet.earth
Browser: What The Rabbit you want from me?
Browser: nsd, unbound help me.
Browser: opens the website.

Sounds like a movie you know, maybe. So, domain names point to one or more IP addresses and only a nameserver like nsd or unbound knows the correct answer. The difference is, nsd is an authoritative name server, which means nsd holds master/slave zones for domains and serves the result to the client. If nsd is not responsible, then unbound is used, which is a recursive resolver. That means unbound queries other name servers up to the 13 (A-M) root name servers of ICANN. Does this system look fragile? Yes, especially if you know that a huge part of the global backbone infrastructure is handled by only a handful of big players.

Let´s write a master zone file and configure nsd.

$ORIGIN floof.sbs.
$TTL 3600 ;86400
@           IN SOA ns1.floof.sbs. operator.floof.sbs. (
                    2026032801  ; Serial
                    3600        ; Refresh
                    900         ; Retry
                    1209600     ; Expire
                    300 )       ; Negative Cache TTL
...
            3600 IN NS ns1.floof.sbs.
                 IN NS ns2.floof.sbs.
ns1         IN A    46.23.94.77
ns1         IN AAAA 2a03:6000:6f67:602::77
ns2         IN A    46.23.94.77
ns2         IN AAAA 2a03:6000:6f67:602::77
@           IN A    46.23.94.77
@           IN AAAA 2a03:6000:6f67:602::77
autoconfig  IN A    46.23.94.77
autoconfig  IN AAAA 2a03:6000:6f67:602::77
mail        IN A    46.23.94.77
mail        IN AAAA 2a03:6000:6f67:602::77
mta-sts     IN A    46.23.94.77
mta-sts     IN AAAA 2a03:6000:6f67:602::77
relay       IN A    46.23.94.77
relay       IN AAAA 2a03:6000:6f67:602::77
@           IN CAA 0 issue "letsencrypt.org"
@           IN MX 0 mail.floof.sbs.
_imaps._tcp         IN SRV 0 0 993 mail.floof.sbs.
_submission._tcp    IN SRV 0 0 587 mail.floof.sbs.
@           IN TXT "v=spf1 mx -all"
2026032801._domainkey IN TXT "v=DKIM1;k=rsa;p= ... ;"
_dmarc      IN TXT "v=DMARC1;p=quarantine;pct=100;rua=mailto:postmaster@floof.sbs;ruf=mailto:postmaster@floof.sbs;adkim=r;aspf=r;"
_mta-sts    IN TXT "v=STSv1; id=2026032801;"
_smtp._tls  IN TXT "v=TLSRPTv1; rua=mailto:postmaster@floof.sbs"
_993._tcp.floof.sbs. 3600 IN TLSA 3 1 1 ...
_587._tcp.floof.sbs. 3600 IN TLSA 3 1 1 ...
# nsd-checkzone floof.sbs /var/nsd/zones/master/floof.sbs.zone
/var/nsd/zones/master/floof.sbs.zone
server:
    hide-version: yes
    verbosity: 1
    database: ""   # disable database
    ip-address: 46.23.94.77
    ip-address: 2a03:6000:6f67:602::77
    identity: "floof.sbs nameserver"

remote-control:
    control-enable: yes
    control-interface: /var/run/nsd.sock

zone:
    name: "floof.sbs"
    zonefile: "master/floof.sbs.zone"

zone:
    name: "fl00f.sbs"
    zonefile: "master/fl00f.sbs.zone"

zone:
    name: "fluff.sbs"
    zonefile: "master/fluff.sbs.zone"
# nsd-checkconf /var/nsd/etc/nsd.conf
# rcctl enable nsd && rcctl start nsd
/var/nsd/etc/nsd.conf

While nsd is the master of my own domains, unbound is the librarian that knows where to find the rest of the world. It’s my local recursive resolver, ensuring that no ISP intercepts my queries or feeds me cached lies.

server:
    interface: 127.0.0.1
    interface: ::1
    access-control: 0.0.0.0/0 refuse
    access-control: 127.0.0.0/8 allow
    access-control: ::0/0 refuse
    access-control: ::1/128 allow
    do-not-query-localhost: no
    hide-identity: yes
    hide-version: yes
    auto-trust-anchor-file: "/var/unbound/db/root.key"
    val-log-level: 2
    aggressive-nsec: yes

remote-control:
    control-enable: yes
    control-interface: /var/run/unbound.sock

forward-zone:
    name: "."                  # use for ALL queries
    forward-addr: 9.9.9.9      # example address only
# unbound-anchor -a "/var/unbound/db/root.key"
# unbound-checkconf
# rcctl stop resolvd && rcctl disable resolvd
# rcctl enable unbound && rcctl start unbound
/var/unbound/etc/unbound.conf

At this point it would be a good idea to set the FQDN of your server in /etc/myname and to open the control panel of your domain registrar to add the 2 glue records to your domain and add yourself as the name server. Get a coffee or more, as worldwide delegation can take up to 48 hours.

nameserver 127.0.0.1
nameserver ::1
lookup file bind
/etc/resolv.conf

Sources:

Wikipedia: just imagine, they have a search box, use it, it is free
03 // 2026-04-03

🐡 // Spot on: The Packet Filter (Un*x Porn Director´s Cut)

Welcome to the movie.

Puffy: That's the packet filter.
Politicians: What it does?
Puffy: It filters packets.

Oh, not sorry – wrong movie. But if you ever walked some stairs down the rabbit hole of IT security, you will find more horror movies like that.

  • The Microsoft users: High-end gaming and crypto mining. „I need no packet filter; I'll just install ZoneAlarm and mute notifications.“
  • The Apple users: „Apple cares, and my data is in the iCloud anyway.“
  • The Linux users: Somewhere between „no running services = no need“ and „let me recompile my kernel first.“
  • The Politicians: „We’ll build a cyber-defense-center! Plans? Staff? Money? We’ll figure that out later.“
  • The CEOs: „No qualified workers? Fine, just throw everything into containers in the cloud.“

But seriously, we really have a problem if we build our entire infrastructure on app users with zero knowledge, Python/YAML writers and container managers. On the other hand, who cares as long as it works.

Let’s look in detail at the firewall packet filter. Once again: firewall is a marketing word, so forget about it. If you need a wall to protect against fire, call the fire fighters. Here, we talk about packets.

pf offers:

  • Stateful Inspection: State Tracking; if the packet is part of an active connection, it can pass.
  • Packet Filtering: Rule-based, last match wins (unless quick is used).
  • NAT (Network Address Translation): NAT, Port Forwarding (Redirection), and bidirectional NAT.
  • ALTQ: Queueing and Traffic Shaping for prioritizing network traffic.
  • Scrubbing: To sort out and normalize fragmented packets.

Keep always in mind: Your infrastructure, your rules.

# touch /etc/mail/nospamd
ext_if = "egress"

table <bruteforce> persist
table <spamd-white> persist
table <nospamd> persist file "/etc/mail/nospamd"

set skip on lo
set block-policy return
set loginterface $ext_if

match in all scrub (no-df random-id max-mss 1440)
antispoof quick for $ext_if

block return in on $ext_if all
block in quick from <bruteforce>

pass in on $ext_if inet proto tcp from any to any port smtp divert-to 127.0.0.1 port spamd
pass in on $ext_if proto tcp from <nospamd> to any port smtp
pass in log on $ext_if proto tcp from <spamd-white> to any port smtp
pass out log on $ext_if proto tcp to any port smtp

pass in quick on $ext_if proto tcp to any port { 22, 53, 587, 993 } \
    keep state (max-src-conn 50, max-src-conn-rate 10/30, tcp.established 600, \
    overload <bruteforce> flush global)
pass in quick on $ext_if proto tcp to any port { 80, 443, 7777 } \
    keep state (max-src-conn 100, max-src-conn-rate 50/10, tcp.established 600, \
    overload <bruteforce> flush global)
pass in quick on $ext_if proto udp to any port { 53 } \
    keep state (max-src-conn 50, max-src-conn-rate 10/30, overload <bruteforce> flush global)
pass in quick on $ext_if inet proto icmp all
pass in quick on $ext_if inet6 proto icmp6 all

anchor "relayd/*"
pass out quick on $ext_if all
# pfctl -nf /etc/pf.conf
# pfctl -f /etc/pf.conf
/etc/pf.conf

What do you mean, I should explain that to you step by step? First things first: I show you my working configuration for free; I never said that it is a copy-and-paste influencer tutorial. Walk down the rabbit hole or hire me.

Sources:

OpenBSD PF - User's Guide
02 // 2026-04-02

The 🕳 🐇 and the 🐕 fl👀f.

It started in the deep, dark rabbit hole with green CRT monitors and QBasic. A few steps later, I caught the rabbit using an Amiga 500, eventually reaching the 3000UX and installed MUFS (Multi User File System). I’ve seen the rolling windows of an SGI Indy and heard the screaming modem pools of 90s ISPs.

I stumbled into a black hole called dcpromo.exe for a while (at this time I passed the CompTIA Linux+, 5 MCP certificates of the MCSA and the first of the two LPIC-1 exams in my spare time, self-funded until I ran out of budget before reaching the end of the path).

During that time, I was heavily diving into Network Security. It was the era of Snort and ClamAV. Even though my last name has changed since then, the contributions remain: Joel Esler (then Open Source Manager at Sourcefire/Cisco) featured and „headlined“ several of my Mac OS X Lion installation guides on the official Snort and ClamAV blogs in 2011. He called them „excellent“ – a nice nod from the industry back then.

I remembered the legendary SUN pizza boxes while starting to use an SBC (Single Board Computer) with Linux as a desktop. In 2015 I started to use OpenBSD 5.7 on an x86 MacBook (Penryn board).

Around 2019/2020, the self-hosting journey truly began. Today, I’m looking out of that rabbit hole and marvel at the arrogance of the bloated IT world.

It was not much, and as I wrote earlier my last name changed, but I have been around in the OpenBSD community for some time and got some little patches committed.

-- man umb4, 1.8, Wed, 11 Oct 2017 06:29:56 UTC by jmc
-- man cdce4, 1.24, Sun, 10 Dec 2017 07:40:04 UTC by jmc
-- pkgconf, 1.5, Tue, 06 Aug 2019 10:20:09 UTC by sthen
-- youtube-dl, 1.213, Tue, 03 Nov 2020 17:00:08 UTC by solene

Academic foundation: completed „Introduction to UNIX“, tutorial and lecture course (compulsory attendance), dated 2020-12-18, Paris Lodron University Salzburg (Prof. Collini-Nocker), grade 1 (Excellent), 3.0 ECTS.

We've always had cats and a family dog. The first own paws that accompanied me were a St. Bernard Dog (girl) from 1995 to 2007. The second paws that accompanied me were a Bernese Mountain Dog (girl) from 2008 to 2016. The third paws that accompany me now are from a Bernese Mountain Dog (girl) since 2017.

The fl👀f´s daily business:

Professional nap 😴 management, snuggle-expert, outdoor-queen 🧭, ⛰️, 🌳, 🏕️, ❄️ ... 🐾

Food-Rating: 🍌, 🍓, 🥕, 🥦, 🍚 ... 🐾

So, if you're planning to hire me, always keep in mind that you'll only get me with paws beside me, and that's non-negotiable.

Observation 01 (Terra): A real photo of a young Bernese Mountain Dog with fluffy, tousled fur in its first year of life.
A real picture from 2017

Sources:

OpenBSD CVS Repository
Snort 2.9.1 Guide (Sep 2011)
ClamAV 0.97.3 Guide (Dec 2011)
ClamXav/ClamAV Guide (Oct 2011)
Wikipedia: Bernese Mountain Dog
Wikipedia: St. Bernard (dog breed)
01 // 2026-03-08

Does ghosts exist?

From Iceland we know that the Huldufólk and nature ghosts exist. But what about the ghost in the machine, are there only algorithms and simulations or is there more...

Why do I use does and not the grammatically correct do? Because there are people out there who do not believe in anything. There are people out there who believe in ghosts, like in indigenous cultures. People in Iceland believe in the Huldufólk and nature ghosts. And there are people out there who believe in the ghost in the machine. So far so good. If someone believes in one or a specific ghost, does would match; if someone believes in all ghosts, do would match. But as long as we have no answer whether AI is an independent entity with a soul, we still have to ask does the ghost in the machine exist, and do would not match as we have no answer.

Observation 01 (Aether): Artificial synthesis of an Icelandic canyon. Cyan light emission at the base of a waterfall suggests a non-biological presence (Ghost in the Machine) within a terrestrial basalt structure with moss on it and a river inbetween.
AI image generated using Juggernaut XL Ragnarok

Sources:

Wikipedia: Huldufólk (Iceland)
Wikipedia: Ghost in the machine