added new article

content/posts/github-commit-faking.md

@@ -19,7 +19,8 @@ The problem is that when you now commit to a GitHub repository, GitHub will map
 The E-Mail addresses of popular devs are often known from mailing lists etc. or can be found with a simple Google search. Look at the following [example](https://github.com/downIoads/downIoads.github.io/graphs/contributors) (purely as a Proof-of-Concept), here you can see who "contributed" to my blog:
 ![targets](/images/github-fake-commit.png "Commit overview of my blog")
 
-As you can see, it looks as if Notch (Minecraft), Linus Torvalds (Linux) and Tim Berners-Lee all contributed to my blog. There is no warning about unverified commit signatures and GitHub links to their actual profiles. The only way to tell whether the commit is real or not is to look at the recent activity on their profiles (where these fake contributions do not show up). I think it should not be that easy to spoof contributions. The next time you see an open source projects with 2000 contributors and a lot of stars (these can easily be faked too by creating accounts / pay services) better look at the actual source code instead of "trusting" the repo because it appears to be popular. It's trivial to write a script that uses a list of common E-Mail addresses (that might be used by someone on GitHub) to bloat the contributors number. IMO, GitHub should enable "verified commits" by default to make this strategy infeasible: I generate a private key and add the corresponding public key to my GitHub account (which is linked to MY e-mail address), now when I push changes it's trivial to check whether my Git E-Mail identify is equal to that of my account or not. While I do understand that it should be possible to push commits of someone else, there must be a solution to this problem as the current situation is not acceptable IMO.
+As you can see, it looks as if Notch (Minecraft), Linus Torvalds (Linux) and Tim Berners-Lee all contributed to my blog. There is no warning about unverified commit signatures and GitHub links to their actual profiles. Verfied commits do exist on GitHub (green checkmark) but the lack of verified commit does not necessarily raise suspicion. In fact, even signed commits [could be faked](https://iter.ca/post/gh-sig-pwn/) for some time.
+The only way to tell whether the commit is real or not is to look at the recent activity on their profiles (where these fake contributions do not show up). I think it should not be that easy to spoof contributions. The next time you see an open source projects with 2000 contributors and a lot of stars (these can easily be faked too by creating accounts / pay services) better look at the actual source code instead of "trusting" the repo because it appears to be popular. It's trivial to write a script that uses a list of common E-Mail addresses (that might be used by someone on GitHub) to bloat the contributors number. IMO, GitHub should enable "verified commits" by default to make this strategy infeasible: I generate a private key and add the corresponding public key to my GitHub account (which is linked to MY e-mail address), now when I push changes it's trivial to check whether my Git E-Mail identify is equal to that of my account or not. While I do understand that it should be possible to push commits of someone else, there must be a solution to this problem as the current situation is not acceptable IMO.
 
 ## Conclusion
 

content/posts/swiftui-ytdl.md

@@ -28,11 +28,11 @@ gave the info I needed: "File created by an AppSandbox, exec/open not allowed".
 ```bash
 stat ./filename
 ```
-on the binary that the sandbox downloaded and the binary that you downloaded manually. Only then, you can see that the file sizes are different. This is interesting, as running 
+on the binary that the sandbox downloaded and the binary that you downloaded manually. Only then, you can see that the inodes are different (unique identifier that macOS uses manage the file's metadata). Running 
 ```bash
 shasum -a 256 ./filename
 ```
-will result in the same hash for both files. After removing the sandbox permission (which I do not need for private use), everything worked perfectly. Below you can see some testing I did:
+will result in the same hash for both files, so macOS remembers which files were created/affected by a sandboxed app and places restrictions on these files. After removing the sandbox permission (which I do not need for private use), everything worked perfectly. Below you can see some testing I did:
 ![targets](/images/ytdl/sandbox-noExec1.png "Hashes and permissions are the same, but one can not be executed")
 ![targets](/images/ytdl/sandbox-noExec2.png "Spctl and stats commands made me understand why this is happening")
 

content/posts/win98-se-vmware.md

@@ -0,0 +1,50 @@
+---
+title: "Running Windows 98 SE in Vmware Workstation on modern hardware"
+date: 2024-02-13T14:00:23+02:00
+description: It works if you work around a few issues.
+draft: false
+tags: [tutorial, windows, windows 98, vmware]
+---
+
+## Introduction
+
+Remember the good old days when your OS did not annoy you with ads or features you never asked for? When everything seemed minimalistic and lightweight, and it did not feel as if every mouse movement you make gets data mined and sent to Microsoft servers? I found an old Win98 SE (Second Edition, 4.10.2222A) install disc, created an image and tried to set it up using VMware Workstation 16. This blog post is about the general setup and a few tricks to make it work. It is not as easy to spin up as let's say a Win XP VM, but when you get it working it runs flawlessly (except that there is no 3D acceleration with stops some but not all games from running).
+
+## VM settings and getting past the installer
+
+There are a few things to keep in mind when configuring the settings of the VM itself, as the VMware/Win 98 combi has a few restrictions:
+* Max 1 CPU / 1 Core per CPU
+* Max 1 GB of RAM
+* Less than 128 GB of storage
+* Set USB mode to 1.1 or 2.0 (the latter requires a fix also described in this post)
+* All virtualization options disabled
+
+Not sure if that is necessary, but when setting up the VM I chose "Custom" and then set VMware's compatibility mode to VMware 5.x (as new versions of workstations are not officially supported, but maybe they just mean the 3D acceleration driver).
+
+When you start your VM, you choose "Boot from CD" and then "Boot from this CD-ROM". Now, if you have a modern AMD CPU (Ryzen 3000+) or Intel CPU (11 Gen or newer) like me, the installer will crash due to a well-known [TLB invalidation bug](https://blog.stuffedcow.net/2015/08/win9x-tlb-invalidation-bug/). The workaround is to use [patcher9x on GitHub](https://github.com/JHRobotics/patcher9x) to patch the VMM.VXD driver. All you need to do is download the [floppy image](https://github.com/JHRobotics/patcher9x/releases/download/v0.8.50/patcher9x-0.8.50-boot.ima) and pass it to the VM by adding a floppy disk in the VM settings. When you then restart the VM, just enter "patcher9x" followed by pressing enter a few times and confirming with "y" and the bug is fixed! It is great to see an active community that builds simple, open-source tools to fix these niche problems. Now the VM will install without crashing. 
+
+## Installing VMware tools to get support of high resolutions and true color mode
+
+Even though not listed on their website, the file "winPre2k.iso" is a working vmware-tools installer for Windows 97, and it still exists in the installation folder of Vmware Workstation's modern version and can be passed to the VM via the CD-Rom ISO option. Windows then will install it and allow you to set high resolutions (my monitor maxes out at 1080p and that worked perfectly). Generally, since copy-paste between Host and Guest is not working (even with vmware-tools) and it also does not support folder sharing, at first the only option to pass data from the host to the guest is via the CD-Rom ISO option. Note that you can bundle any file as ISO (e.g. text.txt and myProgram.exe) by e.g. using Ubuntu and running 
+```bash
+sudo apt install genisoimage
+
+genisoimage -r -J -o ./output.iso ./<folder-to-compress>/
+```
+This is your best option until you followed the next step that enables USB stick support (which Windows 98 SE does not have by default).
+
+## Getting USB stick pass-through to work
+
+There is a nice unoffical tool called [nusb36e](https://www.philscomputerlab.com/windows-98-usb-storage-driver.html) which adds the necessary drivers to Windows 98 so that USB sticks are recognized (even USB 2.0 will be working!). So you bundle that .exe as .iso and pass it through the VM and follows its steps (remove all USB drivers and Unknown Device drivers via Device Manager before running the tool). After rebooting you will get all necessary drivers (just keep clicking Next, Next, Ok, Ok, Skip if necessary due to error that occurs) and you will be able to pass-through your USB stick to the VM, and it will be recognized and usable if you make sure to format it to be FAT32. I think modern Windows does not even list FAT32 as a formatting option these days, so I recommend you use [Rufus](https://rufus.ie/en/) to do that. Now you are able to pass data from the VM back to the host! Before I tried this, I tried nusb33e, and I could not get it to work, so I recommend using nusb36e.
+
+## Screenshots
+
+The main thing that motivated me to do this afternoon project is to run the best version of Paint. I greatly dislike modern versions of it, and last time I tried using it on Windows 11 it failed on me. The good old Win 98 Paint on the other hand just works :)
+
+![targets](/images/win98/win98_paint.png "Paint is an amazing tool")
+
+![targets](/images/win98/win98_usb_working.png "My USB stick is now usable")
+
+## Summary
+
+It is much more work to get Win 98 to run than e.g. Windows XP, as tools like VMware officially do not support it anymore. But it still can be done, and once you figure out how it runs perfectly! The lack of 3D acceleration with the driver that winPre2k.iso provides only becomes noticeable when you try to play old games that rely on 3D acceleration, but there are plenty of games that will work without it. The only thing I would like to see in the future is a fix on how to enable copy-and-paste between guest and host, but even without it the USB stick pass-through is a decent workaround. All in all, a nice project and a beautifully simple OS.

public/index.html

@@ -52,6 +52,17 @@
 
 
 
+				<section class="list-item">
+					<h1 class="title"><a href="/posts/win98-se-vmware/">Running Windows 98 SE in Vmware Workstation on modern hardware</a></h1>
+					<time>Feb 13, 2024</time>
+					<br><div class="description">
+
+	It works if you work around a few issues.
+
+</div>
+					<a class="readmore" href="/posts/win98-se-vmware/">Read more ⟶</a>
+				</section>
+
 				<section class="list-item">
 					<h1 class="title"><a href="/posts/swiftui-ytdl/">Minimalistic SwiftUI GUI for Yt-dlp</a></h1>
 					<time>Jan 13, 2024</time>
@@ -129,17 +140,6 @@ <h1 class="title"><a href="/posts/stable-diffusion-gopher/">Using Stable Diffusi
 					<a class="readmore" href="/posts/stable-diffusion-gopher/">Read more ⟶</a>
 				</section>
 
-				<section class="list-item">
-					<h1 class="title"><a href="/posts/twitch-adblock-streamlink/">Blocking Twitch Ads by piping the stream to VLC</a></h1>
-					<time>Oct 14, 2023</time>
-					<br><div class="description">
-
-	Your browser&#39;s ad blocker is not working on Twitch? Read this.
-
-</div>
-					<a class="readmore" href="/posts/twitch-adblock-streamlink/">Read more ⟶</a>
-				</section>
-
 
 
 <ul class="pagination">

public/index.xml

@@ -6,8 +6,15 @@
     <description>Recent content on Blog for Tech Enjoyers</description>
     <generator>Hugo -- gohugo.io</generator>
     <language>en-us</language>
-    <lastBuildDate>Sat, 13 Jan 2024 14:00:23 +0200</lastBuildDate>
+    <lastBuildDate>Tue, 13 Feb 2024 14:00:23 +0200</lastBuildDate>
     <atom:link href="https://example.com/index.xml" rel="self" type="application/rss+xml" />
+    <item>
+      <title>Running Windows 98 SE in Vmware Workstation on modern hardware</title>
+      <link>https://example.com/posts/win98-se-vmware/</link>
+      <pubDate>Tue, 13 Feb 2024 14:00:23 +0200</pubDate>
+      <guid>https://example.com/posts/win98-se-vmware/</guid>
+      <description>Introduction Remember the good old days when your OS did not annoy you with ads or features you never asked for? When everything seemed minimalistic and lightweight, and it did not feel as if every mouse movement you make gets data mined and sent to Microsoft servers? I found an old Win98 SE (Second Edition, 4.10.2222A) install disc, created an image and tried to set it up using VMware Workstation 16.</description>
+    </item>
     <item>
       <title>Minimalistic SwiftUI GUI for Yt-dlp</title>
       <link>https://example.com/posts/swiftui-ytdl/</link>

public/page/2/index.html

@@ -52,6 +52,17 @@
 
 
 
+				<section class="list-item">
+					<h1 class="title"><a href="/posts/twitch-adblock-streamlink/">Blocking Twitch Ads by piping the stream to VLC</a></h1>
+					<time>Oct 14, 2023</time>
+					<br><div class="description">
+
+	Your browser&#39;s ad blocker is not working on Twitch? Read this.
+
+</div>
+					<a class="readmore" href="/posts/twitch-adblock-streamlink/">Read more ⟶</a>
+				</section>
+
 				<section class="list-item">
 					<h1 class="title"><a href="/posts/hackintosh-ventura-rx6650xt/">Hackintosh #2: Running Ventura using Haswell CPU and a spoofed AMD RX 6650 XT</a></h1>
 					<time>Oct 10, 2023</time>
@@ -129,17 +140,6 @@ <h1 class="title"><a href="/posts/nfc-mifare-acr122u/">How to authenticate and w
 					<a class="readmore" href="/posts/nfc-mifare-acr122u/">Read more ⟶</a>
 				</section>
 
-				<section class="list-item">
-					<h1 class="title"><a href="/posts/nfc-overview-and-playing-around/">NFC in 2023</a></h1>
-					<time>Jul 9, 2023</time>
-					<br><div class="description">
-
-	Learn how to use NFC with your smartphone or dedicated NFC USB device.
-
-</div>
-					<a class="readmore" href="/posts/nfc-overview-and-playing-around/">Read more ⟶</a>
-				</section>
-
 
 
 <ul class="pagination">

public/page/3/index.html

@@ -52,6 +52,17 @@
 
 
 
+				<section class="list-item">
+					<h1 class="title"><a href="/posts/nfc-overview-and-playing-around/">NFC in 2023</a></h1>
+					<time>Jul 9, 2023</time>
+					<br><div class="description">
+
+	Learn how to use NFC with your smartphone or dedicated NFC USB device.
+
+</div>
+					<a class="readmore" href="/posts/nfc-overview-and-playing-around/">Read more ⟶</a>
+				</section>
+
 				<section class="list-item">
 					<h1 class="title"><a href="/posts/how-to-calculate-any-weekday/">How to calculate any weekday</a></h1>
 					<time>Jul 4, 2023</time>

public/posts/github-commit-faking/index.html

@@ -76,7 +76,8 @@ <h2 id="introduction">Introduction</h2>
 </ul>
 <p>The E-Mail addresses of popular devs are often known from mailing lists etc. or can be found with a simple Google search. Look at the following <a href="https://github.com/downIoads/downIoads.github.io/graphs/contributors">example</a> (purely as a Proof-of-Concept), here you can see who &ldquo;contributed&rdquo; to my blog:
 <img src="/images/github-fake-commit.png" alt="targets" title="Commit overview of my blog"></p>
-<p>As you can see, it looks as if Notch (Minecraft), Linus Torvalds (Linux) and Tim Berners-Lee all contributed to my blog. There is no warning about unverified commit signatures and GitHub links to their actual profiles. The only way to tell whether the commit is real or not is to look at the recent activity on their profiles (where these fake contributions do not show up). I think it should not be that easy to spoof contributions. The next time you see an open source projects with 2000 contributors and a lot of stars (these can easily be faked too by creating accounts / pay services) better look at the actual source code instead of &ldquo;trusting&rdquo; the repo because it appears to be popular. It&rsquo;s trivial to write a script that uses a list of common E-Mail addresses (that might be used by someone on GitHub) to bloat the contributors number. IMO, GitHub should enable &ldquo;verified commits&rdquo; by default to make this strategy infeasible: I generate a private key and add the corresponding public key to my GitHub account (which is linked to MY e-mail address), now when I push changes it&rsquo;s trivial to check whether my Git E-Mail identify is equal to that of my account or not. While I do understand that it should be possible to push commits of someone else, there must be a solution to this problem as the current situation is not acceptable IMO.</p>
+<p>As you can see, it looks as if Notch (Minecraft), Linus Torvalds (Linux) and Tim Berners-Lee all contributed to my blog. There is no warning about unverified commit signatures and GitHub links to their actual profiles. Verfied commits do exist on GitHub (green checkmark) but the lack of verified commit does not necessarily raise suspicion. In fact, even signed commits <a href="https://iter.ca/post/gh-sig-pwn/">could be faked</a> for some time.
+The only way to tell whether the commit is real or not is to look at the recent activity on their profiles (where these fake contributions do not show up). I think it should not be that easy to spoof contributions. The next time you see an open source projects with 2000 contributors and a lot of stars (these can easily be faked too by creating accounts / pay services) better look at the actual source code instead of &ldquo;trusting&rdquo; the repo because it appears to be popular. It&rsquo;s trivial to write a script that uses a list of common E-Mail addresses (that might be used by someone on GitHub) to bloat the contributors number. IMO, GitHub should enable &ldquo;verified commits&rdquo; by default to make this strategy infeasible: I generate a private key and add the corresponding public key to my GitHub account (which is linked to MY e-mail address), now when I push changes it&rsquo;s trivial to check whether my Git E-Mail identify is equal to that of my account or not. While I do understand that it should be possible to push commits of someone else, there must be a solution to this problem as the current situation is not acceptable IMO.</p>
 <h2 id="conclusion">Conclusion</h2>
 <p>GitHub contributions can easily be spoofed. Do not trust repos that appear popular, always check the code yourself. If you checked the code, and it looks harmless, do not assume that the binaries in the Releases section are trustworthy too. I stumbled on this issue by accident, but of course it was already known. It seems that GitHub does not view this as a critical security problem, but IMO the current situation is unacceptable.</p>
 

public/posts/index.html

@@ -47,6 +47,8 @@ <h1 class="page-title">All articles</h1>
 
 
 <ul class="posts"><li class="post">
+			<a href="/posts/win98-se-vmware/">Running Windows 98 SE in Vmware Workstation on modern hardware</a> <span class="meta">Feb 13, 2024</span>
+		</li><li class="post">
 			<a href="/posts/swiftui-ytdl/">Minimalistic SwiftUI GUI for Yt-dlp</a> <span class="meta">Jan 13, 2024</span>
 		</li><li class="post">
 			<a href="/posts/github-commit-faking/">How to fake GitHub commits</a> <span class="meta">Jan 3, 2024</span>