There’s an internet web game slash social experiment thing called Internet Roadtrip that started a few months ago, where players collectively “drive” a car on Google Street View and can vote for which directions to go in. Here’s the website if you’d like to look at it before reading the rest of this post: https://neal.fun/internet-roadtrip.

I was introduced to it on the day that the game launched by my friend Mikarific — who also happens to own the Discord server for the game. I thought it’d be fun to reverse-engineer and create a bot for, so I decided to join the Discord and start investigating how the game works.

My first idea for something cool that I could make was a bot with a built-in pathfinder that could make the car go wherever I wanted in the most optimal way possible. To do this, I’d have to reverse engineer Google Maps, then figure out how it’s used by Internet Roadtrip, and finally I could actually make the pathfinder. Surely this can’t be that complicated, right? Shouldn’t take longer than a couple of days, right?

Reverse-engineering Google Maps

Unfortunately for me, Google Maps wasn’t as well-documented as I’d like, so I ended up having to reverse-engineer a lot of things (

I’ve recently been engaging in some tomfoolery to acquire a list of 51 million Minecraft: Java Edition player UUIDs (out of ~61 million total existing UUIDs). This blog post will explain exactly what I did to make this list.

Abusing the Mojang API with IPv6

Mojang has an internal API (documented by the community at wiki.vg) which the game uses to convert player usernames to UUIDs and to obtain information about player UUIDs. Mojang also allows anyone to use the API for their own purposes, but with ratelimits (about 10 requests per IP per second). The most obvious way of circumventing the ratelimits is obtaining proxies, but proxies tend to be slow and obtaining many high-quality proxies is costly.

One solution to this problem is IPv6. Most server hosts will provide you with a /64 subnet (2^64 addresses), so by using a random IPv6 address for each request you can sidestep the ratelimits. There’s an open-source project on GitHub called freebind that describes itself as an “IPv6 address rate limiting evasion too

In 2020, tired of every search engine seemingly having suboptimal results and missing the instant answers I wanted, I decided to make a search engine for myself. I knew making a general-purpose web search engine from scratch by myself was infeasible, so instead I opted to make a meta-search engine, which aggregates results from other web search engines. First I tried forking Searx, but it was slow and the old Python codebase was annoying to work with. So instead of forking an existing project, I made my own (but with several ideas borrowed from Searx) in NodeJS which I called simply ”metasearch” (very unique name). I used it as my primary search engine for over a year, but it was slow (mostly due to it being hosted on Replit and being written in JS) and brittle to the point where at the time of writing the only working search engine left is Bing.

A few weeks ago I decided to rewrite metasearch as (brace for it)

matscan is a Minecraft bot that joins potentially vulnerable Minecraft servers and sends a message in chat to inform the admins.

How should I secure my server?

• Enable backups, and maybe additionally install a plugin like CoreProtect.
• If the server was meant to be private: Enable a whitelist with /whitelist on and /whitelist add <player>
• If the server is offline-mode: Enable online-mode in the server.properties or install a plugin such as AuthMeReloaded.
• If the server has an exposed BungeeCord backend: Firewall it, install BungeeGuard, or switch to Velocity.

If you’ve done all of the above that apply to you, then you’re probably fine.

How did you find my server?

I scan the internet for Minecraft servers, basically sending a packet to every IP address and seeing which ones respond (it’s a little more complex than this).

Is your data public?

No. You should still secure your server though since there are several griefing/h

Gemini is a protocol similar to HTTP, in that it’s used for transmitting (mostly) text in (usually) a markup language. However, one of the primary goals of Gemini is simplicity. Requests are always a single TLS/TCP connection with the route, and a correct response looks like 20 text/gemini\n\rhello world\n. Additionally, Gemini uses a language called “Gemtext” as its markup language. It’s kind of like Markdown, but even simpler. Every line can only contain a single type of data, so for example you can’t have links in the middle of text. Read the Gemini spec if you’re interested.

Translating HTML to Gemtext

Anyways, so I decided to make my website support the Gemini protocol for fun. The plan is to make it translate the HTML on my blog into Gemtext, which shouldn’t be too hard considering that HTML is generated from mostly markdown.

Here’s an example of a typical blog post I write, mostly markdown and some HTML.

At first, I tried using the html_parser Rust crate to read the HTML and flatten it out. However, I soon ran into issue #22: Incorrectly trimming whitespaces for text nodes. This made text b

For several years I’ve occasionally logged onto Shodan and searched for Minecraft servers. I just join, look around, and maybe leave a sign for the server owner. I’d also occasionally heard stories about people making their own Minecraft server scanners.

A while ago, on April 1st 2022, cybersecurity YouTuber LiveOverflow uploaded a video titled “I Spent 100 Days Hacking Minecraft”. Despite being uploaded on April Fools’, the video and series that followed was actually really interesting. Anyways, after a bit I got the idea of searching for “liveoverflow” on Shodan. To my surprise, the server actually showed up and even more surprisingly it wasn’t whitelisted. There were signs at spawn that congratulated you but said “I hope you built a tool yourself”. I had not built a tool myself.

A few weeks later, Minecraft documentary YouTuber TheMisterEpic uploaded a video about “Minecraft’s most dangerous glitch”. Spoiler: The bug in the video is not dangerous. I wanted to let TheMisterEpic know, so I joined his Discord and pinged h

A couple years ago when I was creating the matdoes.dev blog I wrote a somewhat powerful markdown system with Regex to allow me to more easily write blog posts. Although I’ve barely written any posts, I’m still proud of it. Also this post is mostly just reference for myself, lol. I present: matdown™

Relative anchor: [matdoesdev](/blog) matdoesdev

External anchor: [matdoesdev](https://matdoes.dev) matdoesdev (External anchors have target=_blank so they open in new pages)

Normal links: https://matdoes.dev https://matdoes.dev

Code block: ```py print(‘code’) ```

print('code')

Inline code: `code` code

Block quote: > text

text

Italic: *text* text Bold: **text** text Italic & bold: ***text*** text

Horizo

I wrote this story on the Hypixel Forums a while ago, but I realized it would be a good idea if I posted it on my blog too.

Intro

ReportScammers was a robot on the Hypixel SkyBlock Forums that automatically replied to posts where people were complaining that they got scammed. It all started on April 27th, 2020. I was bored and wanted to make a Hypixel Forums bot. At first, I wasn’t sure what I wanted it to do. Then I thought, “what’s a task that humans do often that could be easily automated?”: complaining about people getting scammed, of course.

madcausebad11

I didn’t do anything with this idea until a couple weeks later on May 14th, when I remembered it, and was actually motivated to create it. I asked around on the SkyBlock Community Discord for what it should be called and what it should do, and I decided on calling it madcausebad11 (name chosen by @TatorCheese), and making it say “thats crazy but I dont remember asking” (@Bliziq chose that one) to all posts that mentioned being scammed. When that had been decided, I started working on the code. It was written in Python, using BeautifulSoup to scrape the web pages and aiohttp to make the requests. After an hour of writing code, madcausebad11 was working.

Less tha

So a few days ago my friend Slip got a DM on Discord from this “Twitch” bot asking him to invite it to my servers as well as to join theirs. The message the bot said claimed that Discord and Twitch had partnered up to give its users free Nitro Games and free Twitch Prime.

It obviously looked fake, so Slip created a testing server and added me and some friends to help. Upon joining, the fake Twitch bot DMed everyone in the server with the same message as it sent to Slip. It looked like some sort of social engineering worm, but it hadn’t done anything bad yet, so we revoked the bot’s perms and left it in the server.

When I joined the server it linked, it looked like some sort of bad giveaway server with giveaway channels, and even a rules and TOS channel. Unfortunately for us, there were no channels that we could talk in to inform other people. Soon after joining, we got another DM from a different bot but with the same name. Again, it contained a link to join a Discord server. However, this time, instead of saying it was from Twitch, it took a more straightforward attempt, saying to join for “Nitro / Nudes”.

It was getting late, so we went to sleep. When we woke up, we were greeted by at least 4 other bots with the same message and name, so we just invited all of th

A domain hack is a domain in which both the top level domain (TLD) and the second level domain (SLD) are combined to make up a word or phrase. For example, matdoes.dev is a domain hack for mat does dev. Domain hacks are not security-related and they are completely legal.

Most domain hacks use country code top level domains (ccTLDs), for example, .it is for italy, .am is for Armenia, etc. Some companies even purchase their own custom TLDs from the Internet Assigned Numbers Authority in order to create a hack for their domains. Most notably is goo.gle, which was created by Google as a domain hack for their website.

Why Use a Domain Hack?

An advantage to using a domain hack is that your domain is much shorter and therefore easier to remember. Many URL shortening sites such as bit.ly, goo.gl (Google), youtu.be, etc, use domain hacks to make their URLs shorter.

Domain hacks are more fun than normal domains, too, which increases the chance of people clicking on them in search results.

How to Choose a Domain Hack?

Finding a good domain isn’t always easy, so I’ve created a tool hosted on