1. 3
                 X509v3 Basic Constraints: critical
                    CA:TRUE, pathlen:0
    

    That doesn’t look good for the leaf certificate…

    1. 2

      Whoops. Thanks for finding that! Just pushed a typo fix.

    1. 1

      Mozilla’s mozdef is a pretty good starting point. It’s an ELK stack on a stick plus some log inspection logic.
      https://github.com/mozilla/MozDef

      1. 4

        Thanks for sharing. I had no idea these directives existed.

        1. 4

          They are really underrated. I often configure them for services packaged for Debian. Most upstream developers are unaware of those or even unaware of sandboxing in general.

          1. 3

            There are a lot more than the ones mentioned in the article. It’s meant as an introduction to make more people aware that these exist. Check the systemd.exec man page for more directives.

            1. 1

              Many thanks!

          1. 2

            The only issue I see with this is that whoever controls the infrastructure will de-facto make the rules. Decentralization is great except it tends to only break kingdoms into fiefdoms.

            1. 2

              Don’t you mean stars into planets? #urbit

            1. 1

              In 2019, though, Python 3 has finally (mostly) become the default version of the language for new Python development, and many companies and projects are using the top features of Python 3: f-strings, Path, type hints, asyncio, and, of course, Unicode rendering.

              Wait, what parts of Python 3 does Unicode rendering?

              1. 1

                str objects are unicode objects (utf-32 iirc) rather than byte strings as they were in python 2. That change was the single most painful point for my own code transition.

                1. 3

                  Yeah, I know python 3 strings are unicode, but what does that have to do with rendering?

                  1. 1

                    Oh… I missed the word rendering. Not sure.

                  2. 2

                    I believe the default is utf8.

                    1. 1

                      After a bit of reading it looks like you are correct. PEP393 changed it from something (utf-32?) to a flexible internal representation which defaults to utf-8.

                1. 1

                  Is the notify form not working for anyone else? I’ve tried three different browsers and I keep getting a "You must write an e-mail." error.

                  1. 1

                    It’s not just you, I ran into the same issue. So I’m either signed up about eleven times or it’s not working.

                    1. 0

                      Haha same.

                  1. 3

                    Can someone ELI5 this? It has 10 upvotes in just an hour but I have no idea what this is about.

                    1. 15

                      Difficult to explain DNS like you are five but I’ll try to boil down the idea assuming a certain level of knowledge:

                      1.1.1.1 is a DNS service from Cloudflare. It’s like Google’s 8.8.8.8, and other services.

                      If you use it, you will find you cannot resolve archive.is pages.

                      This is because they won’t resolve the EDNS subnet. Archive.is are using EDNS for DDoS protection.

                      Cloudflare provide DDoS protection too, so by not allowing EDNS on their service, they are blocking websites who otherwise wouldn’t be blocked if they were using Cloudflare.

                      I don’t know if this really is their motive, but it’s easy to read between the lines…

                      1. 2

                        Difficult to explain DNS like you are five but I’ll try to boil down the idea assuming a certain level of knowledge

                        Heh, yeah, good assumption - I do know what DNS is :D

                        Thanks for the explanation, it helped me understand the issue

                        1. 1

                          Here’s resolution via 1.1.1.1 and via my default dns

                          jon~/i/d/d/h❯❯❯ dig archive.is
                          
                          ; <<>> DiG 9.10.6 <<>> archive.is
                          ;; global options: +cmd
                          ;; Got answer:
                          ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44289
                          ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
                          
                          ;; OPT PSEUDOSECTION:
                          ; EDNS: version: 0, flags:; udp: 4096
                          ;; QUESTION SECTION:
                          ;archive.is.			IN	A
                          
                          ;; ANSWER SECTION:
                          archive.is.		293	IN	A	212.80.216.76
                          
                          ;; Query time: 3 msec
                          ;; SERVER: 192.168.2.1#53(192.168.2.1)
                          ;; WHEN: Thu Oct 03 23:56:24 PDT 2019
                          ;; MSG SIZE  rcvd: 55
                          
                          jon~/i/d/d/h❯❯❯ dig archive.is @1.1.1.1
                          
                          ; <<>> DiG 9.10.6 <<>> archive.is @1.1.1.1
                          ;; global options: +cmd
                          ;; Got answer:
                          ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35264
                          ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
                          
                          ;; OPT PSEUDOSECTION:
                          ; EDNS: version: 0, flags:; udp: 1452
                          ;; QUESTION SECTION:
                          ;archive.is.			IN	A
                          
                          ;; ANSWER SECTION:
                          archive.is.		65936	IN	A	127.0.0.3
                          
                          ;; Query time: 252 msec
                          ;; SERVER: 1.1.1.1#53(1.1.1.1)
                          ;; WHEN: Thu Oct 03 23:56:28 PDT 2019
                          ;; MSG SIZE  rcvd: 55
                          
                        2. 14

                          Cloudflare makes all their money from running a CDN — Content Delivery Network — protecting web-site operators from DDoS attacks and speeding up website performance through multiple points-of-presence worldwide. They had an IPO a few weeks ago, $NET, valued at 3.5 billion US dollars.

                          Last year, they launched a free public recursive DNS resolver, called 1.1.1.1, similar to Google’s 8.8.8.8. There are no statements about monetisation for it. Unlike 8.8.8.8, which supported EDNS-Client-Subnet, which is necessary for proper CDN functioning, and has been supported by Google since at least 2013, Cloudflare decided not to support it on 1.1.1.1, citing rather disingenuous privacy claims that don’t stand the most basic litmus test — your IP address is guaranteed to leak anyways once you make that HTTP/HTTPS request, so, hiding it from DNS is rather pointless, especially if it’s going to interfere with CDNs and hinder performance — for no added real privacy benefits, either.

                          archive.today had none of it. Folks noticed that archive.is doesn’t resolve through 1.1.1.1. The official statement on Twitter was that it’s due to Cloudflare not supporting EDNS-Client-Subnet.

                          To me, though, the conflict of interest, with Cloudflare making all their money from being the CDN, yet now running a public recursive resolver at 1.1.1.1 that makes it much more difficult for other CDNs to do their job properly, seems like a rather obvious CoI, yet no one seems to have bothered to point this out up until now. ¯\_(ツ)_/¯
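The two explanations above turn on what the EDNS-Client-Subnet option actually carries. As an added example (not code from any commenter or from Cloudflare, Google or archive.today), here is a standard-library encoder and validating decoder for the ECS option as RFC 7871 defines it; the client addresses are constructed documentation addresses:

```python
"""EDNS Client Subnet (ECS, RFC 7871) option encoder and decoder.

Added example, not code from the thread. It shows what a resolver that
forwards ECS sends to an authoritative server (a truncated network
prefix of the client, not the full address) and what a resolver that
omits the option withholds. Addresses below are constructed samples.
"""
import ipaddress
import struct

ECS_OPTION_CODE = 8   # IANA EDNS option code for CLIENT-SUBNET
FAMILY_IPV4 = 1       # IANA address family numbers
FAMILY_IPV6 = 2


def encode_ecs(client_ip: str, source_prefix_len: int, scope_prefix_len: int = 0) -> bytes:
    """Return OPTION-CODE, OPTION-LENGTH and OPTION-DATA for an ECS option.

    RFC 7871 section 6: the ADDRESS field is truncated to the octets needed
    for SOURCE PREFIX-LENGTH and bits past the prefix must be zero, so a /24
    carries only three octets of an IPv4 client address.
    """
    ip = ipaddress.ip_address(client_ip)
    family = FAMILY_IPV4 if ip.version == 4 else FAMILY_IPV6
    max_len = 32 if ip.version == 4 else 128
    if not 0 <= source_prefix_len <= max_len:
        raise ValueError("prefix length out of range for address family")
    # zero the host bits, then keep ceil(prefix / 8) octets
    net = ipaddress.ip_network(f"{client_ip}/{source_prefix_len}", strict=False)
    octets = (source_prefix_len + 7) // 8
    addr = net.network_address.packed[:octets]
    data = struct.pack("!HBB", family, source_prefix_len, scope_prefix_len) + addr
    return struct.pack("!HH", ECS_OPTION_CODE, len(data)) + data


def decode_ecs(option: bytes) -> dict:
    """Parse an ECS option (header included) back into its fields.

    Rejects malformed options the way a careful resolver should: wrong
    code, length mismatch, unknown family, or non-zero bits past the prefix.
    """
    if len(option) < 8:
        raise ValueError("option too short")
    code, length = struct.unpack("!HH", option[:4])
    if code != ECS_OPTION_CODE:
        raise ValueError(f"not an ECS option (code {code})")
    data = option[4:]
    if len(data) != length:
        raise ValueError("OPTION-LENGTH does not match data length")
    family, source_len, scope_len = struct.unpack("!HBB", data[:4])
    addr = data[4:]
    if family == FAMILY_IPV4:
        full, max_len = 4, 32
    elif family == FAMILY_IPV6:
        full, max_len = 16, 128
    else:
        raise ValueError(f"unknown address family {family}")
    if source_len > max_len or len(addr) != (source_len + 7) // 8:
        raise ValueError("address length inconsistent with SOURCE PREFIX-LENGTH")
    # pad back to a full address and check the host bits are really zero
    ip = ipaddress.ip_address(addr + b"\x00" * (full - len(addr)))
    net = ipaddress.ip_network(f"{ip}/{source_len}", strict=False)
    if net.network_address != ip:
        raise ValueError("non-zero bits beyond SOURCE PREFIX-LENGTH")
    return {"family": family, "source_prefix_len": source_len,
            "scope_prefix_len": scope_len, "prefix": str(net)}


if __name__ == "__main__":
    opt = encode_ecs("203.0.113.77", 24)   # constructed client address
    print(opt.hex(), decode_ecs(opt))
```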

                        1. 1

                          Related: Gnome could really use a decent volume mixer in the toolbar UI.

                          1. 2

                            I think that’s a reasonable rationale and I wonder if DoH is going to end up being OS supported at some point.

                            1. 4

                              Absolutely not! Why the hell would you want to centralise something that was decentralised since before Al Gore invented the internet?

                              1. 5

                                What? How would providing a DoH at an OS level centralize anything more than providing dns over tcp?

                                Edit: It occurs to me that perhaps you thought I meant dns over https (DoH) as is implemented by firefox, ie with cloudflare being the defacto resolver. What I meant was that I wonder if DoH might come to be provided as an alternative to or superset of normal OS DNS support with some sort of resolver discovery.

                                1. 2

                                  Maybe cnst is talking about CAs.

                                  1. 1

                                    DoH/DoT don’t inherently require CAs. The OS could offer an interface like “set IP address and expected certificate in resolv.conf”, for example. (but, IMO, concerns about CAs are silly. Everything in userspace WILL use CAs, why would an OS take a hard stance against CAs?)

                              2. 2

                                I’m still not convinced that we need DoH in the OS. What does DoH give us that DoT doesn’t?

                                1. -1

                                  What does DoH give us that DoT doesn’t?

                                  Transport encryption.

                                  1. 3

                                    What does the T in DoT stand for?

                                    1. 1

                                      TCP

                                      1. 6

                                        No, it’s TLS.

                                        1. 1

                                          Is it? My bad.

                                            1. 2

                                              Conventional DNS is a UDP protocol ;)

                                              1. 5

                                                Primarily UDP, but TCP if the response is too large and EDNS is not supported; also for zone transfers.

                                1. 2
                                  1. 4

                                    You’ve got to love how they skipped from 2005 to 2018 in their history. Nothing to see in-between.

                                  1. 3

                                    Company: Discord

                                    Company site: https://discordapp.com

                                    Position(s): Security Engineer

                                    Location: San Francisco, CA

                                    Description: We’re hiring security engineers (well, and a bunch of other stuff, but I’m the hiring manager for security engineers) to work on Discord’s brand new security engineering team! We’re a small company so this is a very broad role – you don’t have to be an expert at (or even be familiar with) all of the things we’ll be doing, but the ideal candidate would be an expert in at least one of the areas we’ll be working in. There are no hard requirements, definitely get in touch even if you have a nontraditional background.

                                    Check out the job description here: https://discordapp.com/jobs/4362278002

                                    Contact: Feel free to reach out with any questions on Discord at cmFtc2V5IzAwMDE=. I’m also on IRC. Happy to give resume/career advice too, even if you aren’t interested in the role.

                                    1. 7

                                      Experience with Linux system administration (we’re on Ubuntu 14.04…)

                                      Oh my

                                      1. 2

                                        It’s fine, technology doesn’t change much in 5 years. Definitely not in the security arena.

                                        1. 1

                                          Definitely not in the security arena.

                                          That couldn’t be more false given both the amount of effort/tooling applied to finding vulnerabilities in Linux kernels and the recent focus on hardware flaws popularized by Meltdown/Spectre. Even projects in high-assurance security targeting commodity platforms need updates due to flaws below or around their developers’ scope.

                                          1. 3

                                            Maybe I should’ve put a /s tag on my comment…

                                            1. 1

                                              I hear ya. My bad misreading it

                                        2. 2

                                          Yep

                                      1. 9

                                        Can someone explain why this email is an incredible internet wide sensation?

                                        1. 17

                                          Personally, I’ve been annoyed by this behaviour for years and just assumed I’d done something wrong. Finding out that it’s a widely-known problem, and that it’s not my fault, was tremendously validating.

                                          1. 6

                                            In my experience if you have used Solaris or a BSD professionally you’ll quickly observe this when you are forced to run Linux in production. The memory management of Linux is just awful.

                                          2. 4

                                            My guess is because at the surface level it is easy to understand the problem and people feel like it is a ‘gotcha’ on a successful project, which is entertaining I guess.

                                            1. 4

                                              The discussion on this on the orange website is terrible. The issue in the email is on systems with no swap that the kernel may thrash when forced into paging clean pages of code in and out in order to function. 90% of the discussion on the other site is about how terrible swapping is.

                                            2. 1

                                              People tend to like performance improvements and this email may lead to better performance in some edge cases

                                            1. 1

                                              user~/a/b/r/eviatedPath:branch❯❯❯

                                              Fish

                                                1. 1

                                                  I’m unsure of how I feel about this. On the one hand this triggers my free software sensibilities and instills a sense of anger at Mozilla in me. On the other hand, Mozilla needs cash and if people are willing to pay for a shiny version of Firefox which underwrites all Firefox development… I don’t see that as a problem. I think a wait and see approach is appropriate here.

                                                  1. 30

                                                    There’s nothing anti-freedom about selling open-source software. As long as Mozilla makes it easy to run these hosted services yourself, I don’t particularly mind Mozilla selling hosting in order to make money.

                                                    1. 2

                                                      The more I sit on these thoughts the more I don’t mind either, but there is a certain negative animal instinct reaction that I have to news like this.

                                                      1. 2

                                                        A few years ago, I wouldn’t have thought much of this move. Now I get a flash of negative when reading news like this because of the ‘open core’ bullshit that many projects have adopted, where the base is FLOSS but a significant portion of functionality is proprietary stuff they bolt on and sell. I sure hope Mozilla doesn’t go in this direction with Firefox (e.g. it seems Google is trying to go down this road with Chrome now, with their recent ‘you only get decent adblock on the paid version’ move).

                                                        1. 3

                                                          Certainly only time will tell, but I find it telling that no real efforts have been made to make an open source chrome competitor from a chromium base.

                                                          1. 1

                                                            Where did the Mozilla source come from originally again, and who paid for it?

                                                            1. 3

                                                              NETSCAPE ANNOUNCES PLANS TO MAKE NEXT-GENERATION COMMUNICATOR SOURCE CODE AVAILABLE FREE ON THE NET (1998)

                                                              BOLD MOVE TO HARNESS CREATIVE POWER OF THOUSANDS OF INTERNET DEVELOPERS; COMPANY MAKES NETSCAPE NAVIGATOR AND COMMUNICATOR 4.0 IMMEDIATELY FREE FOR ALL USERS, SEEDING MARKET FOR ENTERPRISE AND NETCENTER BUSINESSES

                                                              (edit: it’s from 1998, not 2002, whoops)

                                                              1. 2

                                                                I think @friendlysock was trying to make a point—that IMO they should have been explicit about (if this was what they meant)—that Mozilla’s codebase originated from Netscape’s proprietary code and profit-seeking business model and structure, and so fears that Mozilla seeking new revenue streams may be a slippery slope to loss of the only credibly community-based browser may be premature.

                                                                I would counterargue that money corrupting is so universal an outcome that Netscape’s original code dump should be seen as a fluke and a mark of desperation, and so it would be premature not to be concerned about that possibility. But obviously, we can’t actually know how this will turn out (if it even comes to fruition, Mozilla’s track record on delivering new products is… poor), and Mozilla being a non-profit is definitely a cause for confidence.

                                                                1. 2

                                                                  Oh, I’m tracking the conversation. :) Love that press release, though.

                                                                  I’m surprised that nobody has made a comparison to Google yet. Along the lines of “We trusted Google, and now see how that turned out.”

                                                                  I want to trust somebody, though. I’m ready. My relationship with Google has been over for years. …Granted, all my mail still goes to her place… That doesn’t mean I shouldn’t get in bed with Mozilla, right?

                                                                  Of course, who I really trust are the tildes, and the gopherspace, and hacker collectives. But they’re .. still in school? Not ready to move in together? (I think I took this analogy as far as possible.)

                                                                  1. 1

                                                                    Not quite where I was going with it, but I do like your point. :)

                                                                    The reason I brought it up was in response to hand-wringing about the community core thing: Mozilla was a fluke whereby the community and society got a massive gift subsidized by venture capitalists, investors, and shareholders. That being the case, the idea of a premium offering to defray expenses isn’t that big a deal–after all, the “commons” being fenced in was originally the property of ruthless capitalists who let hippies move in.

                                                                    A premium TempleOS or Linux offering or something would be much more objectionable to me.

                                                        2. 15

                                                          I can’t claim that I have any inside knowledge, but what oozes out of discussions with Mozilla employees is that Mozilla is interested in entering the business of offering you a hosted service, which you may optionally run yourself. So, take this with appropriate salt.

                                                          Given that Mozilla has tremendous operations that make an effort in being open, I hope that this is the path they would go. I’m a huge fan of the “pay for a service” model, as long as I can inspect the service.

                                                          1. 3

                                                            I agree. I think Mozilla should get into the services business. They make a product called Mozdef which I use at work and I would pay for if I could get a managed version.

                                                          2. 4

                                                            I mean, human people giving them money means that they are then subject to market pressure in a way that their current business model prevents. I think it’s a good thing.

                                                            1. 1

                                                              As opposed to right now, where they are not subject to any market pressure whatsoever?

                                                              1. 3

                                                                I find their position unbelievably tenuous. Google could choose at any time to stop pumping money in there. I would much rather Mozilla seek opportunities to sell things of value to people, instead of trying for some kind of ad-based monetization.

                                                                1. 4

                                                                  Google could choose at any time to stop pumping money in there.

                                                                  This isn’t quite true. My understanding is that Mozilla actually auctions stuff like the default search engine and space on the new tab page, so if Google dropped out, they’d still get nearly as much money from Microsoft/Bing.

                                                                  However, that market is very, very shallow. After those two, I’m not sure who’s left—Yahoo!? I doubt DDG has the depth of pockets to fund Mozilla as well as their own business. I’m certainly in agreement that alternative revenue streams are highly desirable, and if you’re getting money from anywhere, having your users give it to you for a product at least aligns the incentives appropriately.

                                                                  1. 2

                                                                    Fair enough. Still, though, the forbearance of tech Godzillas is a vanishingly thin reed to hang the future of the “open internet” on.

                                                                    1. 1

                                                                      so if Google dropped out, they’d still get nearly as much money from Microsoft/Bing

                                                                      Provided their market share continues to be relevant, but it has been going down due to the prevalence of Blink-derived browsers.

                                                                    2. 1

                                                                      Ah, I misunderstood. I thought you were saying their current business model was a good thing.

                                                                      1. 1

                                                                        Yeah, when I reread my original comment, it was definitely not clear.

                                                                1. 1

                                                                  Thank you! <3

                                                                1. 1

                                                                  Very cool. I look forward to having a basic form of transport encryption available for all my system traffic.

                                                                  1. 2

                                                                    “Announcing”, but there are episodes back to March.

                                                                    1. 1

                                                                      Very cool. Looks like it’s designed to be used on networked machines first and foremost.

                                                                      1. 1

                                                                        So might people go from this to a clean implementation in C/golang/Rust/C++? I hope so, but getting the Linux world to adopt it is probably a tricky task. I just hope ZoL remains the reference implementation, so our ZFS pools can all work.

                                                                        1. 1

                                                                          Possibly. If you read this guy’s notes there are still a number of stumbling blocks specifically around raidz.

                                                                          1. 1

                                                                            Yeah but non linear just means you need more automated tests of what ZFS does, only looking at the tests… I think that still means it’s in a clean room.