Fazal Majid's low-intensity blog

Until the 1970s, there were only four TV networks in the US. Then cable led to an explosion, from 28 in 1980, 79 in 1990 to well over a thousand today. Part of this was cheaper distribution via cable, but also because technology like computer video editing reduced the cost of production.

The flip side of this explosion was a fragmentation of audiences. The big four networks went from having 20-30% of the population and 80-90% of prime-time TV viewership to 20-30% prime time audience and low single digits of the population. This had all sorts of consequences, including politically as there is no longer a widely shared frame of reference, or someone like Walter Cronkite to tell Nixon the Vietnam War was over and lost.

The same fragmentation is coming for software via LLMs, for the same structural reasons. The SaaSpocalypse is overblown, because writing code is only a small part of the cost of producing software, developing requirements, integration, testing and maintenance are far larger components. Thus the dream of DIY enterprise software will remain that, a dream. Software will remain the preserve of companies that can manage the development process, but the dropping cost of coding will increase the number of software houses, and their addressable market will shrink, as it did for the big four TV networks. This will have an impact on the economics, as the cost of development and marketing, even if lowered by LLMs, will also be spread over a smaller customer base.

One of the downsides of self-hosting critical applications like email on your homelab is that if you lose connectivity, especially when you are travelling, you are out of luck. It’s happened to me twice. The first time I had to ask a colleague (Hi Jason!) to go get my spare keys from the building super and reboot my home server. In the other instance, I walked my wife over the phone through the steps of rebooting our OpenBSD home router that runs on a somewhat dubious computer sourced from AliExpress with an Intel N100. I actually ordered an industrial-grade Asus NUC 13 Rugged N50 to replace it, but in a variant of the Heisenberg effect, the original machine started working flawlessly, go figure.

On some of my HP machines (Z workstations and EliteDesk 8xx Mini), the firmware includes Intel AMT/IME spyware management firmware. You can install the MeshCommander software to get a poor man’s version of the IPMI remote management facility included in most servers. IPMI usually includes remote KVM, i.e. being able to control the computer over the network as if you were directly in front of its keyboard, mouse and monitor. KVM stands for Keyboard, Video and Mouse, although most KVM systems also give you the ability to insert a virtual USB drive to boot into diagnostics or a rescue drive. This allows access to the BIOS and other things you can’t do from the OS itself, or recover if the OS itself has crashed.

To resolve this vulnerability, I have been equipping the majority of my key machines that don’t have Intel AMT with physical IP KVM devices. These used to be very expensive and required having some cursed version of the Java plugin installed in your browser, but recently the Pi-KVM project has opened up the market and there are now a host of relatively inexpensive (in the $100 range) devices available like the JetKVM and GL.iNet’s Comet line of IP KVMs.

GL.iNet is known for its well-regarded line of travel routers like the tiny but mighty Mango, but has been expanding into IoT and now IP KVMs. That line is now quite extensive, with:

• The basic Comet GL-RM1.
• A variant with PoE, the GL-RM1PE which also supports USB-C PD for power.
• A pro variant, the GL-RM10 (I haven’t tried it).
• More interestingly, a 5G cellular equipped model, the GL-RM10C.

Like their travel routers, the KVMs have an open operating system based on Linux with SSH and root access, and excellent support for VPN protocols actually invented in this millennium, i.e. WireGuard rather than hoary L2TP, PPTP, IKE/IPsec or OpenVPN.

I have a basic Comet, two PoE powered ones and the 5G cellular one attached to the router.

Due to the exhaustion of available IPv4 address pools, almost all cellular carriers today use some form of Carrier-grade NAT (CGNAT), which means you do not have a permanent IP address for your mobile device. Some cellular carriers will offer plans with static IP addresses, but they are extremely expensive including the per-kilobyte charges because this is a niche market, primarily enterprises wanting remote monitoring and access to satellite offices.

GL.iNet offers a cloud service for remote access and also supports Tailscale and ZeroTier. Either of these would obviate the need for an exotic data plan SIM. I don’t trust the cloud, however, and find Tailscale too invasive, so I opted instead to set up WireGuard between the GL-RM10C and a cloud server, with routes forcing it to use the 5G wwan0 interface instead of Ethernet for the tunnel.

The /etc/wireguard/wg0.conf config on the server is:

[Interface]
Address = 192.168.2.1/24, fddd::ffff/64
ListenPort = 45340
PrivateKey = <redacted>
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE;iptables -A FORWARD -o %i -j ACCEPT; ip6tables -A FORWARD -i %i -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE;ip6tables -A FORWARD -o %i -j ACCEPT
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE;iptables -D FORWARD -o %i -j ACCEPT; ip6tables -D FORWARD -i %i -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE;ip6tables -D FORWARD -o %i -j ACCEPT
 
[Peer]
PublicKey = <redacted>
AllowedIPs = 192.168.2.2/32, fddd::1/128

on the GL-KVM, it is:

[Interface]
Address = 192.168.2.2/24, fddd::1/64
#ListenPort = 45340
PrivateKey = <redacted>
 
[Peer]
PublicKey = <redacted>
AllowedIPs = 192.168.2.0/24
Endpoint = <redacted>:45340
PersistentKeepalive = 30

Add opening UDP port 45340 on the firewall, and on the KVM a /etc/init.d startup script to call route add <ip of server> wwan0 and wg-quick up wg0 at boot time, that establishes the tunnel. Since the IPs on either end are not routable, I also have HAProxy running in TCP mode on the server to allow access from the Internet:

global
    log /dev/log local0
    log /dev/log local1 notice
    daemon
    user nobody
    group nobody

defaults
    mode tcp
    log global
    option tcplog
    timeout connect 5s
    timeout client  1m
    timeout server  1m

frontend https_in
    bind <redacted>:443
    default_backend wg_https_out

backend wg_https_out
    mode tcp
    server wg0_peer 192.168.2.2:443 check

I have a £5/month SIM card and plan installed, with a 5GB quota. I only start HAProxy when I actually need it so I don’t waste any of it on script kiddies trying to break in.

The user interface is largely the same across the entire GL.iNet KVM product line, is excellent, uses native Web technologies and WebRTC to provide the remote video, so no janky VNC plugins or Java required. The video is crisp, as can be expected from a purely digital signal path, and I haven’t noticed compression artifacts, even when running over cellular.

It does have the same problem as almost all IoT devices with a Web UI, of not being able to self-provision a TLS certificate. I modified my monthly Let’s Encrypt certificate rotation script to copy the keys and certificates to /etc/kvmd/user/ssl/server.{key,crt} where the firmware expects them to be. There is an IETF effort to fix this once and for all, but it is still very much work-in-progress and probably still too complex for the average consumer to deal with.

It’s also worth noting the 5G in the Comet 5G is RedCap (reduced capability), which is a cheaper and more power-efficient version of 5G that is capped at around 100Mbps instead of the gigabit speeds full-fat 5G offers. This is unlikely to be an issue for this class of devices, as people are not buying them to play Doom remotely.

What you don’t get with the Comets is the ability to remotely power-cycle the machine you get with IPMI or AMT. They have an accessory for computers with ATX motherboards, but I haven’t had one in ages, and a Rube Goldberg-like contraption poetically named Fingerbot that physically pushes the power button. JetKVM does have an accessory that interposes between computers with a barrel DC connector and their power brick, to allow turning them on and off. Let’s hope GL.iNet is inspired to make their own, and also a USB-C one while they are at it. In the meantime, I plan on using a smart-home type Wi-Fi-controlled power switch running Tasmota to do forced power cycles.

I also have a JetKVM. It’s a cute little device, very compact (but surprisingly heavy), and I am planning to add it to my portable computer-maintenance toolkit rather than keeping it stationary like my Comets.

I have been on a bender this weekend experimenting with various LLM-capable machines in my homelab, specially the very capable yet fast Qwen3.6-35B-A3B. I haven’t found good benchmarks, though, so I ran the small Gemma4 E4B Q4_K model (4.62 GiB, 7.52B params) using llm-bench. This has two measures: prompt processing 512 (pp512) is how quickly in tokens/second the LLM can read a 512-token prompt, i.e. how good the LLM is at “reading”, and token generation 128 (tg128) is how quickly it can write 128 tokens’ worth of text, i.e. how fast it is at answering the question.

(click on the hostnames to get the raw report)

The Mac Studio performs very well at token generation, despite being a 4 year old machine, but perhaps that reflects how Llama.cpp is particularly optimized for Apple Silicon. I was also surprised at how strong the performance of the A2000 is, despite it being a fairly weak low-power graphics card meant for 2D CAD in small form-factor workstations like my HP Z2 Mini G9 where it lives. Conversely, the Strix Point performance is underwhelming, even if subjectively it performs reasonably well with Qwen 3.

It’s been a while since I last did a chocolate review. There are not many bars that can claim to be made using a patented process invented by a Nobel laureate. The Dardenne Lait Praliné (dark milk chocolate with ground hazelnuts) is one.

The special cooking process was invented in 1910 by Paul Sabatier (Chemistry Nobel, 1912) to make chocolate easier to digest for people who don’t tolerate it well. In any case, this is an organic and Fairtrade bar with a moderately high 43% cacao content (for milk chocolate).

The bar is not too sweet, and as expected has a strong chocolate taste. The texture is mostly smooth like a milk gianduia, but you can feel an ever so slightly grainy feel, as if the hazelnuts were not ground finely enough or the chocolate not sufficiently conched. Despite this minor flaw, this is an excellent bar that is relatively inexpensive for organic chocolate. The only drawback is, it may be difficult to source outside France.

TL:DR A living diary of how I am slowly moving away from Apple

My first computer was an Apple ][+ in 1981. The first computer I purchased with my own money was a Mac Plus, circa 1990. Then I discovered Linux in 1991 and switched. When Apple introduced Mac OS X, I purchased an iMac G4, and over time transitioned fully to the new UNIX-based Mac. I also got the first iPod, iPhone and iPads, so I could fairly be accused of being an Apple fanboi, even if I have never been blind to the platform’s limitation and Apple’s questionable business practices.

Over the last year and more, I have been souring over Apple as a platform and a company:

• Their software quality, never particularly high (even if Microsoft made them look good in comparison), has tanked since they fired Scott Forstall. I am not even sure whether they are any better than Microsoft at this point.
• Their need to eke out growth from a maturing smartphone and PC business means they are incredibly rapacious with the App Store tax, and pushing developers towards user-hostile business models like subscription pricing.
• Their claim to privacy leadership was always more marketing than reality, but is now in tatters, see my previous article on how to circumvent their tracking (not always possible, e.g. notarization).
• Their extortionate pricing on RAM and storage has grown impossible to ignore.
• Their constant self-shilling for useless services like Apple News or Apple Fitness in the UI makes a mockery of their claim to provide a superior user experience.

So what is to be done? I am working to switch to Ubuntu and CachyOS Linux on the desktop and laptops (I still use Alpine Linux on servers), and to GrapheneOS, a degoogled and highly secure fork of Android. To this end, I purchased a few laptops to run Linux as a daily driver (Asus Vivobook S and Lenovo Thinkpad E16 G3), a Google Pixel 8 Pro and Google Pixel Tablet. I also have a Beelink GTR9 Pro on order (running the AMD Strix Halo Ryzen AI Max+ 395 processor) to be the twin and successor to my Mac Studio.

I carry both my iPhone 16+ and the Pixel with me at all times, and force myself to use the GrapheneOS device first, and only fall back to the iPhone if all else fails, which indicates which functionality I need to migrate next.

The rest of this article is a living diary of the migration and what software I am using as a replacement, and I will update it as I progress.

iOS and iPadOS to GrapheneOS

• Browser: Vivaldi, which is also my primary browser on Mac.
• Email: FairEmail Pro.
• Prompt (SSH client): Termux.
• TOTP 2FA code generator: Aegis.
• Password manager: KeePass DX.
• Offline Maps: OrganicMaps.
• Navigation: MagicEarth.
• eBooks: ReadEra Premium. Migrating iBooks to DRM-free ePubs is left as an exercise for the reader…
• Loyalty Cards: SuperCards, replacing Barcodes.
• AirDrop: LocalSend.
• Weather widget: Met Office app (UK only).
• Calculator: fortunately, the official HP-15C app is also available on the Google Play Store and works just fine on GrapheneOS.
• Contacts: DAVx⁵.
• Calendar: DAVx⁵and Etar.
• Shellfish or Transmit (SFTP clients): Cx File Explorer

Of course, many apps are cross-platform and migrating is straightforward.

It’s annoying that Signal and WhatsApp don’t allow you to run the same account concurrently on two phones, a vestige of their original sin, i.e. basing identity on the rotten foundation of the Public Switched Telephone Network.

Upcoming:

• Things (to do list manager): I couldn’t find what I wanted so I vibe-coded a PWA using Claude: Thufir, although it is still quite janky.
• Apple Pay: there are reports Curve Pay works on GrapheneOS.
• Backups: I set up nginx as a WebDAV server for Seedvault, but it is not yet reliable.
• Signing PDFs on an iPad: no solution in sight.
• CarPlay: my 2020 Mini Cooper Electric only supports CarPlay and not Android Auto, so I am stuck.

macOS to Linux

• Email: Emacs with mu4e, mbsync and smtpmail, as well as Thunderbird and Geary.
• Browser: Vivaldi.
• Password Manager: KeepassXC. Apple Passwords gained the ability to export all passwords to CSV, but there is no way to automate this.
• eBooks: Okular and Foliate.
• AirDrop: LocalSend.
• PDF Library and Spotlight: Recoll with RecollWebUI and Paperless-ngx.
• Photo Booth as a UVC camera viewer: guvcview
• Photo editor: Darktable
• Photo DAM: Immich
• QuickTime Player: VLC
• Affinity Designer: Inkscape
• Preview.app (for signing PDFs): Okular
• Brother P-touch Editor: brother_ql_web
• Final Cut Pro: Da Vinci Resolve is available for Linux

Upcoming:

• Scanning: probably SANE.
• Desktop publishing: either back to LaTeX or Typst, though neither is WYSIWYG.
• Quick Look: no equivalent that I know of, I certainly miss this.
• Finder column view: no equivalent either.
• Affinity Publisher: TBD