1. 14

    And this, folks, is why I no longer run my own email server and likely never will.

    1. 3

      DMARC records aren’t just for self‐hosted email. You’ll want to set them up if you use a personal domain, even if your email is hosted by a cloud provider like Google or Microsoft.

      1. 8

        … because you didn’t want to add a couple DNS records?

        1. 13

          If you pay an email provider to do the hard stuff, then yes, it’s just a matter of adding some DNS records. But, when running your own email server, you have to set up and maintain a DKIM and a DMARC suite yourself and make sure everything works together along with the SMTP server.

          1. 6

            Sure, you have to install opendkim and drop a line in your config, then generate the DNS records. Don’t need any software for DMARC, if you need reports they’re all human readable XML, but usually just set the DNS to enforce DKIM and done.
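            To make the "just DNS records" part concrete, here is an added example (not code from this thread) that parses a DMARC TXT record and flags the settings that leave it in monitor-only or partial mode. The two sample records are constructed for the example, and the function names are my own; the tag semantics follow RFC 7489.

```python
"""Parse a DMARC TXT record and flag settings that weaken enforcement.

Added example for this thread; the sample records are constructed.
"""
from typing import Dict, List

VALID_POLICIES = ("none", "quarantine", "reject")

# Constructed samples: one strict record and one monitor-only record.
STRICT_RECORD = "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.com"
WEAK_RECORD = "v=DMARC1; p=none; pct=50"


def parse_dmarc(txt: str) -> Dict[str, str]:
    """Split a DMARC record into tag=value pairs (RFC 7489 section 6.3).

    Tags are ';'-separated, the first tag must be v=DMARC1 and p= is required.
    Structural problems raise ValueError so a bad record fails loudly.
    """
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing ';'
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if not tags or next(iter(tags)) != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if "p" not in tags:
        raise ValueError("missing required p= tag")
    if tags["p"] not in VALID_POLICIES:
        raise ValueError(f"unknown policy {tags['p']!r}")
    if "sp" in tags and tags["sp"] not in VALID_POLICIES:
        raise ValueError(f"unknown subdomain policy {tags['sp']!r}")
    return tags


def lint_dmarc(tags: Dict[str, str]) -> List[str]:
    """Return human-readable findings for settings that weaken enforcement."""
    findings: List[str] = []
    if tags["p"] == "none":
        findings.append("p=none: receivers deliver failing mail unchanged (monitor-only)")
    # The subdomain policy defaults to p= when sp= is absent.
    if tags.get("sp", tags["p"]) == "none":
        findings.append("sp=none: mail from subdomains is not covered by the policy")
    pct_str = tags.get("pct", "100")
    if not pct_str.isdigit() or not 0 <= int(pct_str) <= 100:
        raise ValueError(f"pct must be an integer in 0..100, got {pct_str!r}")
    if int(pct_str) < 100:
        findings.append(f"pct={pct_str}: policy applied to only {pct_str}% of failing mail")
    # Relaxed alignment (the default) lets any subdomain of the organizational
    # domain satisfy the DKIM d= or SPF domain check.
    if tags.get("adkim", "r") != "s":
        findings.append("adkim=r: relaxed DKIM alignment")
    if tags.get("aspf", "r") != "s":
        findings.append("aspf=r: relaxed SPF alignment")
    if "rua" not in tags:
        findings.append("no rua=: no aggregate reports will be sent to you")
    return findings


if __name__ == "__main__":
    for record in (STRICT_RECORD, WEAK_RECORD):
        print(record)
        for finding in lint_dmarc(parse_dmarc(record)) or ["no findings"]:
            print("  -", finding)
```

            Run it against the TXT record published at `_dmarc.<your-domain>`; an empty findings list means the record is in full enforcement with strict alignment and reporting enabled.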

            1. 2

              To be fair I only use my domains as email slingshot if I can, nothing goes in, only out - which is good enough for 99% of my services. Different story for my work, because for real email you need a lot more these days. (push notifications for apple and android which are different systems and totally insecure, carddav, maybe caldav, webview, greylists, spamlist …). I can highly recommend this video from one CCC talk, though it’s probably only in german. But it comes with this nice overview.

            2. 11

              Because adding a couple of DNS records is a vast oversimplification and I just don’t want the deal with the actual complexity your comment is pretending doesn’t exist.

              1. 11

                I’m genuinely curious what else one could take as needed after reading this article? As I allowed in the sibling, yes, you also need to run opendkim I guess. The article very clearly talks about three kinds of DNS records and how to set them up. They say if you run an email service and care about DMARC reports you might want an aggregation tool, but admit right in the article that for self hosters you can just read the report (and probably don’t have to if you just have one mail server anyway)

                1. 5

                  The article also says that they “had to do a lot of hard work and research to understand this problem”, so sure, it’s “just” a couple DNS records (and some config, and…), but the work involved to get there from nothing is clearly not non-existent. For comparison, I’m sure most programmers here have had the experience of spending all day understanding a problem just to end up committing 5 lines of code.

                  1. 5

                    Yes, sure, if you don’t know you need these or what the syntax is it will take time to learn. But now that this article exists, you could just read it and know more than everything you need. That’s why I’m curious why the reaction to the article giving the answer is to think the question is too hard.

          1. 4

            The compose key - https://en.wikipedia.org/wiki/Compose_key - is so wonderful that it’s one of the only computer things I almost can’t do without.

            “Curly quotes” are as simple as “< and “>. I hit the extra key without effort, and it’s so much nicer especially when programming to put a string inside straight quotes.

            x = "some “quote” here is nice, isn’t it?"
            

            But I recommend just taking 20 minutes to learn the defaults mostly by exploration because they’re so common sense. It’s like drawing with your keyboard.

            ^ 2 = ²
            c o = ©
            n ~ = ñ
            . .  = …
            - - - = —
            L - = £
            E = = €
            Y = = ¥
            
            1. 2

              Compose is so useful, that I even use it on Windows.

              But back to *NIX, I recommend to read about .XCompose project, which extends the default Compose’s key combinations, and is also a good reference in the subject.

              Of course, the Compose’s manpage is also a great reference on the matter.

              1. 1

                Indeed. I wanted to find an easy way to type the wonderful —. I’m glad I stumbled upon this little tidbit of the internet which introduced me to .XCompose as a bonus. I also second Carpetsmoker’s comment in the original forum: looking into this has been on my TODO list for some time.

                1. 2

                  Glad you liked it.

              1. 5

                My email server is similar in a lot of ways (OpenBSD, OpenSMTPD, Vultr) but also different.

                The biggest difference is how the emails actually make their way to my LAN. I wanted to avoid a 5‐minute cronjob because I want some mails, like login codes, to show up as soon as they come in. Instead of using rsync, my Vultr server’s smtpd is configured as a relay. Incoming mail is sent over a WireGuard tunnel to a small always‐on machine on my LAN. Helpfully, if the LAN server is down, the relay will queue the mail and automatically retry once the connection is restored. The LAN server’s smtpd delivers incoming mail to a maildir, and Dovecot serves IMAP to my LAN with the maildir as the backing store.

                I also have httpd serving a MTA-STS policy for my domain. Several big providers (Google, Microsoft, and Comcast at least) will use it to send email to me via TLS rather than negotiating STARTTLS (which can be MITM’d).

                1. 4

                  STARTTLS (which can be MITM’d).

                  It shouldn’t be able to be MITM’d unless you’re using an implementation with a nasty bug. If you require STARTTLS and validate the certificate correctly, it provides exactly the same MITM protection as a TLS MTA. An MITM on STARTTLS would either not validate or not be able to see the traffic it is MITM-ing.

                  MTA-STS is new to me, though, and it looks like I should enable it. Thanks for pointing it out.

                  1. 1

                    If you require STARTTLS and validate the certificate correctly

                    You can’t require STARTTLS. It’s designed to fall back to plaintext if the destination server doesn’t support encryption. Thus it can be exploited by attackers—and has been, rather famously by the Thai government, and also by Cricket.

                    It’s analogous to a plaintext HTTP URL that immediately 30x redirects to HTTPS: better than nothing, but still vulnerable, because an active attacker can simply strip the redirect to keep the entire session in plaintext.

                    If the sender simply refused to send mail without a successful STARTTLS negotiation, you’d be right that it would provide as much protection as a full TLS session. But STARTTLS has an insecure fallback baked in. MTA-STS was designed to solve that problem by providing a means for receiving servers to advertise a desire for TLS‐only mail.

                    1. 3

                      You can’t require STARTTLS.

                      You damn sure can, on a client. I have personally written a client that refuses to proceed if STARTTLS doesn’t work, and it wasn’t anything exotic.

                      It’s designed to fall back to plaintext if the destination server doesn’t support encryption.

                      This isn’t accurate at all. While I’d dispute that STARTTLS was “designed” to begin with, it certainly isn’t meant to fall back to cleartext. STARTTLS is a means of upgrading an insecure channel to a secure one. Failing to proceed if that upgrade doesn’t work is the only sensible behavior, IMO; otherwise why would you write your client to issue the STARTTLS command in the first place?

                      If the sender simply refused to send mail without a successful STARTTLS negotiation, you’d be right that it would provide as much protection as a full TLS session.

                      This is literally the only reasonable way to write a client that uses STARTTLS. If a client isn’t going to do that, why bother with STARTTLS at all? TLS isn’t something that’s just supposed to work if everyone is being nice. It’s a means of secure communication over an insecure, hostile network. Giving up and falling back to insecure communication in response to an error defeats the purpose of TLS. If the developer of an endpoint is going to do that, they may as well save themselves the time and labor and leave TLS support out altogether.

                      Sure, from the server’s perspective, requiring STARTTLS would be weird. But on a client, requiring it is the only sane thing to do if the client’s operator indicates that STARTTLS should be used. Anyone who writes a client that issues the STARTTLS command and doesn’t require it to succeed opens their users to the rather famous exploits you yourself point out.

                      1. 1

                        You damn sure can, on a client.

                        The context here isn’t sanely written clients. The context is a public‐facing MX that has no control over whether incoming mailservers continue to send mail upon failure to negotiate STARTTLS and cannot reject plaintext mail.

                        While I’d dispute that STARTTLS was “designed” to begin with, it certainly isn’t meant to fall back to cleartext.

                        I refer you to RFC 3207:

                           A publicly-referenced SMTP server MUST NOT require use of the
                           STARTTLS extension in order to deliver mail locally.  This rule
                           prevents the STARTTLS extension from damaging the interoperability of
                           the Internet's SMTP infrastructure.  A publicly-referenced SMTP
                           server is an SMTP server which runs on port 25 of an Internet host
                           listed in the MX record (or A record if an MX record is not present)
                           for the domain name on the right hand side of an Internet mail
                           address.
                        

                        TLS isn’t something that’s just supposed to work if everyone is being nice. It’s a means of secure communication over an insecure, hostile network. Giving up and falling back to insecure communication in response to an error defeats the purpose of TLS.

                        I agree entirely, which is precisely why I suggest using MTA-STS, because STARTTLS behaves insecurely on a hostile network, exactly the way you decry.

                        1. 3

                          The context here isn’t sanely written clients. The context is a public‐facing MX that has no control over whether incoming mailservers fall back to plaintext or not.

                          Then we’re having a stupid discussion, and I apologize for that. In the case of either STARTTLS or a plain TLS server on a public-facing MX, we’re still only talking about “server authenticated” TLS. That means that the server presents a certificate for the client to validate, but not vice versa. A server would never be able to detect an MITM in either scenario. They are equivalent in that regard.

                          Without a context of sanely written clients, server-auth TLS is useless. You need mutual auth to harden against badly behaved clients in this regard.

                          1. 1

                            Sorry for editing my comment. I didn’t notice you’d replied already.

                            1. 1

                              Your edit pointed out a MUST NOT in the RFC that I absolutely hadn’t been thinking about. So thanks, even if I replied too fast to catch it the first time. I’ve spilled a lot of words to mostly agree with you, I think.

                              After a pass over RFC 8461, though, I still don’t think there’s a meaningful difference even for a public facing MX unless you can turn off cleartext SMTP completely.

                              Section 4 explicitly calls out that STARTTLS is supported:

                              4.  Policy Validation
                              
                                 When sending to an MX at a domain for which the sender has a valid
                                 and non-expired MTA-STS Policy, a Sending MTA honoring MTA-STS MUST
                                 check whether:
                              
                                 1.  At least one of the policy's "mx" patterns matches the selected
                                     MX host, as described in Section 4.1, "MX Host Validation".
                              
                                 2.  The recipient mail server supports STARTTLS and offers a PKIX-
                                     based TLS certificate, during TLS handshake, which is valid for
                                     that host, as described in Section 4.2, "Recipient MTA
                                     Certificate Validation".
                              

                              If you can’t turn the non-TLS MTA off, I don’t see the difference.

                              I do still think the STS record is a win. But I can’t see a meaningful difference between an MTA that requires TLS from the handshake versus STARTTLS.

                              1. 1

                                In the context of SMTP server‐to‐server transactions, if STARTTLS negotiation fails, the mail sender is likely to continue in plaintext rather than drop the mail. If STARTTLS succeeds but the TLS certificate is invalid, the mail sender is likely to continue with the invalid certificate rather than drop the mail. Not all senders continue in these cases, but many do, because STARTTLS‐capable servers with valid certificates have historically been far from universal (and still aren’t, probably, even after Let’s Encrypt). Naturally, this situation is ripe for MITM.

                                Turning off cleartext SMTP on your MX doesn’t help. Senders will still default to port 25, which an attacker can spoof a cleartext server on without you in the loop at all.

                                MTA-STS policies provide a way for an MX to require secure transport. In “enforce” mode, STARTTLS is mandatory, and certificates must be valid. Senders can’t continue without STARTTLS, and they can’t accept an invalid certificate; such mail must be rejected. So MTA-STS prevents MITM in a way that was not possible before.

                                This helps only when the sender checks for MTA-STS. Even so, you’re no worse off than before, and slightly better, because many of the big providers like Google and Microsoft do check. If you’ve configured your policy properly, incoming mail can’t be MITM’d between you and any MTA-STS–compliant sender.
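                                An added example (not code from this thread) that models the difference described above in Python: it parses an MTA-STS policy file as served at the well-known URL, applies the RFC 8461 section 4 checks (MX pattern match, STARTTLS offered, PKIX-valid certificate) under each policy mode, and contrasts the result with a sender doing plain opportunistic STARTTLS. The sample policy, hostnames and function names are constructed for the example.

```python
"""Parse an MTA-STS policy and apply the RFC 8461 delivery rules.

Added example for this thread; the sample policy and hostnames are constructed.
"""
from dataclasses import dataclass, field
from typing import List

# Constructed sample of what https://mta-sts.<domain>/.well-known/mta-sts.txt serves.
SAMPLE_POLICY = """\
version: STSv1
mode: enforce
mx: mail.example.com
mx: *.backup.example.com
max_age: 604800
"""


@dataclass
class Policy:
    mode: str
    mx: List[str] = field(default_factory=list)
    max_age: int = 0


def parse_policy(text: str) -> Policy:
    """Parse 'key: value' lines (RFC 8461 section 3.2); the mx key may repeat."""
    version = mode = None
    mx: List[str] = []
    max_age = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ":" not in line:
            raise ValueError(f"malformed line: {line!r}")
        key, value = line.split(":", 1)
        key, value = key.strip().lower(), value.strip()
        if key == "version":
            version = value
        elif key == "mode":
            mode = value.lower()
        elif key == "mx":
            mx.append(value.lower())
        elif key == "max_age":
            if not value.isdigit():
                raise ValueError(f"max_age must be a non-negative integer: {value!r}")
            max_age = int(value)
        # Unknown keys are ignored for forward compatibility.
    if version != "STSv1":
        raise ValueError("unsupported or missing version")
    if mode not in ("enforce", "testing", "none"):
        raise ValueError(f"invalid mode: {mode!r}")
    if max_age is None:
        raise ValueError("max_age is required")
    if mode != "none" and not mx:
        raise ValueError("at least one mx pattern is required unless mode is none")
    return Policy(mode, mx, max_age)


def mx_matches(pattern: str, host: str) -> bool:
    """RFC 8461 section 4.1: a leading '*.' matches exactly one leftmost label."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # e.g. ".backup.example.com"
        return host.endswith(suffix) and "." not in host[: -len(suffix)]
    return host == pattern


def opportunistic_decision(starttls_offered: bool, cert_valid: bool) -> str:
    """Opportunistic STARTTLS as many senders implement it: deliver regardless."""
    return "deliver"


def mta_sts_decision(policy: Policy, mx_host: str,
                     starttls_offered: bool, cert_valid: bool) -> str:
    """Section 4 checks: MX pattern match, STARTTLS offered, valid certificate."""
    compliant = (any(mx_matches(p, mx_host) for p in policy.mx)
                 and starttls_offered and cert_valid)
    if compliant:
        return "deliver"
    if policy.mode == "enforce":
        return "reject"  # MUST NOT deliver; sender queues or bounces and reports
    if policy.mode == "testing":
        return "deliver-and-report"  # deliver as before, but send a TLSRPT report
    return "deliver"


if __name__ == "__main__":
    policy = parse_policy(SAMPLE_POLICY)
    for host, tls, cert in [("mail.example.com", True, True),
                            ("mail.example.com", False, True),
                            ("mx1.backup.example.com", True, False),
                            ("mx.attacker.example.net", True, True)]:
        print(host, tls, cert, "->",
              "opportunistic:", opportunistic_decision(tls, cert),
              "mta-sts:", mta_sts_decision(policy, host, tls, cert))
```

                                With mode set to enforce, a failed STARTTLS negotiation, an invalid certificate, or an MX outside the published patterns all end in "reject", which is exactly what an opportunistic sender never does; switching the sample policy to testing keeps delivery working while still producing a report.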

                                1. 3

                                  Senders will still default to port 25

                                  I guess there’s the rub. If the MTA-STS spec lets servers consider STARTTLS as mandatory, though, I’m still not seeing how STARTTLS is more vulnerable to MITM than TLS at the handshake.

                                  After all this, I see a few options for a server operator:

                                  1. Cleartext SMTP listener with STARTTLS. Can be MITM’d if it doesn’t require STARTTLS, and might be MITM-able even if it does due to poor “client” (by this I mean other servers, principally) implementations.

                                  2. Cleartext SMTP listener with no STARTTLS. Obviously MITM-able.

                                  3. TLS at the handshake. MITM could just block the port and cause “clients” to fall back to 25 anyway. Also, it’s unlikely that those clients who don’t validate certs for STARTTLS suddenly start doing so at the handshake.

                                  4. Turn off port 25. Still MITM-able because non MTA-STS “clients” will try it first and proceed with no STARTTLS anyway.

                                  MTA-STS is obviously a win insofar as it induces a few big implementations to be better clients. I wasn’t doubting that, though. I’m not seeing where sending via TLS at the handshake buys anything over STARTTLS. Am I missing a spot where it does?

                  2. 3

                    That’s a pretty good way to set things up, definitely better than my hacky cron job. I didn’t have experience with wireguard, and it’s usually not a big deal for me to wait 5 minutes. If I’m expecting an email and don’t want to wait, I run the cron job manually. But maybe I’ll look into using wireguard.

                    Serving MTA-STS also sounds interesting, I may look into doing that as well.

                    Thanks for the ideas!

                  1. 9

                    You should rotate ssh keys. Also, all ssh keys should be protected with a passphrase. To solve this problem, yet maintain your convenience, consider generating your ssh credentials on a yubikey or similar device. According to Yubico, it’s impossible to exfiltrate these private keys from the yubikey. While I don’t believe that anything is impossible, I’m convinced that exfiltrating these keys is beyond the abilities of anyone short of governments.

                    The basic steps for using a yubikey for ssh authentication are:

                    • Install and set up the full gnupg package including all smart card utilities on your laptop or from whence you plan to originate ssh.
                    • Make sure to setup gnupg as your ssh agent.
                    • Use the gpg card setup commands to generate a key on the card.
                    • Use ssh-add -L | grep card to get your public key.
                    • Install that key on the target systems where you need to have ssh sessions.
                    • Fix your .profile on your laptop so that gpg-agent is always available.

                    In practice you will want to have two yubikeys. I have a low profile one that’s always there and convenient and a backup stored in a safe place. When you attempt to setup an ssh session, gpg-agent will prompt you for the yubikey’s pin code to unlock the key for a configurable amount of time.

                    Passphrase or not, the problem with ssh private keys in files is that they are non-appropriable. That means that an ssh token stored in a file can be copied and used by someone else with or without your permission. Since an RSA private key on a yubikey device can’t be exfiltrated, the only way for someone to appropriate it would be to take possession of the yubikey. You can assume that a yubikey that’s gone missing has been compromised and you can invalidate the public keys associated with it.

                    Finally, Openssh also allows you to generate certificates for authentication. While I prefer Yubikeys and manual rotation myself, ssh certificates should be considered because they are self expiring.

                    1. 4

                      I settled on something a bit more convenient (IMO), but not as secure. I generate all my ssh private keys with passphrases. I store both the keys and the passphrases in pass, which is encrypted with my GPG key. I have a hodge podge of shell scripts that will add my ssh keys to my agent by only typing the password for my GPG key. It’s convenient and avoids using unprotected ssh keys. I guess the downside is that I’ve put all my eggs in one basket. But it’s good enough for my personal threat model. For a business, I’d do something stronger.

                      1. 1

                        I take an alternative approach with a similar result: generating SSH keys that are tied to a FIDO device (such as a Yubikey). This is natively supported in OpenSSH; no gpg necessary. Without the hardware, exfiltration is useless—a much nicer situation than described in the article.

                        I also keep SSH certificates on all my machines, clients and servers, with an expiration date. As part of my normal setup process for any new SSH server—disabling password logins and enforcing keypair auth only—I also pull off the host keys to sign with the CA, and enable a cronjob to fetch a newly signed certificate for expiration. And whenever I generate keypairs on a new client, I specify my trusted host CA at the same time. This has the benefit of completely eliminating host key warnings; I haven’t seen one on my own servers since I started this practice two years ago.

                      1. 3

                        Privacy:

                        When you host your own mailserver, you truly own your email without having to rely on any third-party.

                        Yeah, not really.

                        • If you send email to someone with a Gmail address, then Google reads the email.
                        • If someone sends you an email from a Gmail address, Google reads the email.

                        Only in a scenario where both parties own their infrastructure do you get the privacy gain the author assumes. Even then, you have to trust that the third party has good intentions and sound security practices.

                        I think the best approach to (unencrypted) email is to assume that anyone can read it.

                        1. 1

                          I still relay outgoing mail through Google (most of which is to public mailing lists or GMail accounts anyway), but I set up a receive‐only mail server last month, and now Google no longer has access to my sales receipts, my utility bills, my flight itineraries, nor knows all the mailing lists I subscribe to. That’s a big win in my book, even if email is ultimately unsecurable.

                        1. 2

                          I ♥️ this.

                          btw. my personal minimal (responsive 😉) html boilerplate:

                          <!doctype html><html lang="de"><meta charset="utf-8"><meta name="viewport" content="width=device-width, initial-scale=1.0">
                          
                          1. 2

                            That’s a lot of unnecessary quotation marks! Also I think your two meta tags can be merged.

                            1. 1

                              Thanks for the feedback 😊👍 These are great suggestions.

                            2. 2

                              do meta tags not go in <head>?

                              1. 2

                                Head (& body) are no longer required.

                                1. 2

                                  <head>, <body>, and even <html> have never been required in HTML.

                            1. 1

                              During my first semester at university, I submitted nearly all my homework using groff, and when the math part came up, I had to learn some eqn. It was really horrible if the formula got slightly complicated, let alone when trying to write a mathematical proof.

                              And then there’s the general problem that troff/groff has so little good documentation, which is kind of ironic.

                              The good thing is that you don’t even need to know any of this to use groff nowadays, which still produces smaller pdfs in less time. Since pandoc 2.0 has been released, a pdfroff exporter has been added that can parse TeX math and convert it to eqn syntax. Emacs calc mode can do a similar trick, but it is more cumbersome.

                              1. 7

                                I’m a big fan of the eqn syntax: concise, powerful, easy to write, easy to read. TeX was heavily inspired by it, but has too many backslashes.

                                eqn:

                                x = {- b +- sqrt {b sup 2 - 4 a c}} over {2 a}
                                

                                TeX:

                                x = {-b \pm \sqrt{b^2-4ac}} \over 2a
                                

                                Plain UTF‐8:

                                𝑥 = (−𝑏 ± √(𝑏² − 4𝑎𝑐))⁄2𝑎
                                

                                MathML:

                                <mrow>
                                 <mi>x</mi>
                                 <mo>=</mo>
                                 <mfrac>
                                  <mrow>
                                   <mo>−</mo>
                                   <mi>b</mi>
                                   <mo>±</mo>
                                   <msqrt>
                                    <mrow>
                                     <msup>
                                      <mi>b</mi>
                                      <mi>2</mi>
                                     </msup>
                                     <mo>−</mo>
                                     <mi>4ac</mi>
                                    </mrow>
                                   </msqrt>
                                  </mrow>
                                  <mi>2a</mi>
                                 </mfrac>
                                </mrow>
                                
                                1. 1

                                  The square root formula is too simple, it’s not what I’d consider “complicated”. What I was thinking about was aligned equations, using other fonts or with symbols not included in the default.

                                  Take for example

                                  \[fa] n >= 0: \fCcn(n)\fP ~\[==]~ C sub n = { ( 2 n ) ! } over { ( n + 1 ) ! cdot n ! }
                                  

                                  or

                                  .EQ L
                                  wp(\fC\(dq df := df * x; x := x - 2\(dq\fI, I)
                                  .EN
                                  .EQ I
                                  \(== ~ wp(\fC\(dq df := df * x; x := x - 2\(dq\fI, df cdot x !! = n !! ~ \(AN ~ x >= 0)
                                  .EN
                                  .EQ I
                                  \(== ~ wp(\fC\(dq df := df * x\(dq\fI, df cdot ( x - 2 ) !! = n !! ~ \(AN ~ x - 2 >= 0)
                                  .EN
                                  .EQ I
                                  \(== ~ wp(\fC\(dq\(dq\fI, df cdot x cdot ( x - 2 ) !! = n !! ~ \(AN ~ x - 2 >= 0)
                                  .EN
                                  .EQ I
                                  \(== ~ df cdot x cdot ( x - 2 ) !! = n !! ~ \(AN ~ x >= 2
                                  .EN
                                  

                                  both of which I remember took a while to correctly typeset.

                                2. 2

                                  Eqn IMO has a cleaner syntax compared to main stream alternatives like MathML & MathJax.

                                  I am still not sure why it didn’t become popular

                                  1. 4

                                    I attribute it to Joe Ossanna’s untimely death and troff being proprietary to AT&T.

                                1. 25

                                  Copyleft licenses like AGPL and SSPL have a weaker result in terms of overall benefit to society than liberal licenses like MIT and Apache2

                                  People are motivated not only by a sense of purpose and the desire to contribute to something greater, but also by improving their lot in life and that of their families and heirs (read: capitalism)

                                  All hail MIT, because that will motivate the internal capitalist in our families and heirs to benefit society more since they can take the code out of the commons and use it to… amass capital. Or something.

                                  Or maybe, just maybe, the model of selling an intangible, infinitely copy-able good is just not a great business model and the enforcement we see with licenses, DRM etc. is an indication of this fact?

                                  Ultimately, in my philosophy, copyleft doesn’t represent real open source, despite what the OSI says. Copyleft is a restriction.

                                  An argument as old as the GPL itself. In similar vein: if democracy were democratic, why does it not offer the option of abolishing democracy even with a majority?

                                  1. 9

                                    Similarly, I like to argue that the thirteenth amendment to the US constitution doesn’t represent real freedom, despite what the abolitionists say. Banning slavery is a restriction.

                                    And it is! …on the masters. But the point is to protect the slaves from the masters. And the GPL is the same idea: it is supposed to protect the users of the software from misdeeds of the authors. For example, do you have a phone app that sends spurious push notifications to monopolize your time? If it was GPL, you’d have the right to hack that malicious code out (or have a developer do it and share their change with you, since not all users have the technical skills to do it themselves).

                                    I think a lot of commentators about the GPL forget this. It isn’t about money per se, it is about letting the users escape the author’s dark patterns.

                                    1. 2

                                      This argument is unclear. You can hack the part out if it was released under any OS license, such as MIT or Apache 2.0. The GPL adds a restriction irrelevant to your use case, which is that you are required to release the modified source code if you distribute the modified software.

                                      1. 6

                                        adam_d_ruppe is assuming that the source code of the application would not be released unless it was built on, and with, GPL components. The assumption is correct: 99% of phone apps are closed source.

                                        1. 2

                                          Of the 1% that are open source, what proportion are copyleft and what proportion are permissive?

                                        2. 4

                                          MIT etc. let the publisher decide - they can distribute the program without the source (modified or no). Some of them forward this to the end user, but many don’t. The GPL says the publisher MUST let the end user have that access, by requiring they make the full source - including modifications - available to them too. That’s what the “viral” thing is all about - making sure those rights actually make it to the end user and aren’t stripped out by a middle man.

                                      2. 8

                                        The comparison is spot on! Also see: https://en.wikipedia.org/wiki/Paradox_of_tolerance

                                        “In order to maintain a tolerant society, the society must be intolerant of intolerance.” - Karl Popper

                                        1. 3

                                          I think you’re right that the selling model doesn’t work, which is why we have SaaS. The question is how to fairly compensate those who enable the sale of services, or goods built with open source, while retaining the benefits of open source.

                                          As I allude to above, I think that software is more like music than anything else, and we need something like collecting societies to share the wealth.

                                          1. 1

                                            “and use it to… amass capital. Or something.”

                                            Basically what they do.

                                            “why does it not offer the option of abolishing democracy “

                                            The 2nd Amendment in the US is specifically included as a way to address government corruption, abolishing specific politicians or the whole thing.

                                            1. 2

                                              The 2nd Amendment in the US is specifically included as a way to address government corruption, abolishing specific politicians or the whole thing.

                                              I understood the argument as “if we have democracy (roughly: rule of the [majority of the] people), why can’t such a majority decide that they prefer to live in an absolutist monarchy and thereby end democracy?”. The 2nd Amendment to the US Constitution is a feature specifically designed to prevent that from happening.

                                            2. 0

                                              not offer the option of abolishing democracy even with a majority

                                              It depends on the constitution, but it’s quite possible to turn a democracy into a de facto autocracy by changing laws and process through the democratic process. For example, it is possible to change the US constitution with a sufficient majority in the House and Senate or the state legislatures. The hope is that the distributed nature of the power makes such a hack very hard to do and requires a conspiracy of mind-boggling proportion (or similarly sized stupidity and greed), but it can be done.

                                            1. 3

                                              This is a fun read. Not the ‘usual’ way of dumping the ROM, and there’s some visualization/analysis of the contents.

                                              1. 2

                                                Do you know what the usual way of dumping a ROM is? I was fascinated by this article because I didn’t know anything about the process.

                                                1. 4

                                                  Hooking up to the ROM chip directly as in the article is pretty much the “usual” way a typical electronics person would dump a ROM. But someone who’s already knowledgeable about how the console works might prefer to interface through the cartridge connector and so avoid soldering things to the cartridge itself. Most (maybe even all) commercial game dumpers work this way.

                                                  1. 1

                                                    On the SNES/SFC, usually people use an edge connector (often from an actual SNES because finding one with the right pin spacing is hard) to build a cartridge dumper. Then they just do the same thing the SNES would do through the cartridge pins to read out the ROM.

                                                    Soldering jumper wires directly to the ROM chip on the cartridge is somewhat more inefficient (usually you want to dump a bunch of games), but is also totally awesome :)

                                                1. 2

                                                  Unpopular opinion time!

                                                  These types of services cannot work as marketed. If you don’t use their DNS-over-TLS service, then you’re still sending DNS queries and getting the responses back over plaintext. US ISPs, Comcast being the biggest offender, are known to hijack those requests.

                                                  Even with DNS-over-TLS, it’s possible for a passive attacker to infer queries based on packet metadata. The sizes of packets aren’t going to change between an A record lookup for google.com yesterday and the same lookup today. A passive attacker could pre-compute the packet data length for the most common domains (Alexa top million, for example).

                                                  The only real solution is to mix different kinds of traffic in to a network specially crafted for privacy/anonymization, like Tor, which supports tunneling DNS queries.

                                                  1. 3

                                                    If you don’t use their DNS-over-TLS service, then you’re still sending DNS queries and getting the responses back over plaintext.

                                                    Well… yeah. Of course you don’t get any security benefits if you don’t use TLS. (Well, even without it you do get some, but it really buys you very little.)

                                                    Even with DNS-over-TLS, it’s possible for a passive attacker to infer queries based on packet metadata. The size of packets aren’t going to change for when I do an A record lookup for google.com yesterday versus today.

                                                    You can pad an HTTPS query URL with random data. Google even documents it.
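The size-fingerprinting attack described two comments up, and the padding defence this reply points at, as an added example that is not part of the thread. It builds real DNS query messages in wire format, shows that a precomputed size table distinguishes names from a (constructed, stand-in) popularity list, and then appends the EDNS(0) Padding option from RFC 7830 so every query comes out the same length. TOP_LIST, PAD_BLOCK and the fixed transaction ID are assumptions for the demonstration; nothing here touches the network.

```python
"""Added example, not code from the thread: fingerprinting DNS queries by
wire size, and defeating it with EDNS(0) padding (RFC 7830).

Everything is constructed inline and nothing touches the network. TOP_LIST
is a stand-in for a real popularity list; PAD_BLOCK follows the RFC 8467
recommendation of padding queries to a multiple of 128 bytes."""
import struct

TOP_LIST = ["google.com", "example.org", "lobste.rs", "en.wikipedia.org"]
PAD_BLOCK = 128
OPT_PADDING = 12  # EDNS option code for Padding (RFC 7830)


def encode_qname(name):
    """Host name to DNS label format: length-prefixed labels ending in a 0 byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("bad label in %r" % name)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=1, pad_to=0):
    """Build a DNS query for `name` (qtype 1 = A).

    With pad_to > 0, an OPT pseudo-RR carrying a Padding option is appended
    so that the whole message is a multiple of pad_to bytes long.
    """
    arcount = 1 if pad_to else 0
    # ID, flags (only RD set), QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, arcount)
    question = encode_qname(name) + struct.pack("!HH", qtype, 1)  # class IN
    msg = header + question
    if not pad_to:
        return msg
    # An OPT RR with an empty Padding option costs 15 bytes: root name (1),
    # type/class/ttl/rdlen (10), option code + option length (4).
    pad_len = (-(len(msg) + 15)) % pad_to
    rdata = struct.pack("!HH", OPT_PADDING, pad_len) + b"\x00" * pad_len
    # OPT: name = root, type 41, CLASS = UDP payload size, TTL = ext. rcode/flags
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0, len(rdata)) + rdata
    return msg + opt


def size_table(names, pad_to=0):
    """What a passive observer precomputes: wire size -> names producing it.

    DNS over TLS adds a 2-byte length prefix and TLS record framing, but that
    overhead is constant, so the distinctions below survive it unchanged.
    """
    table = {}
    for n in names:
        table.setdefault(len(build_query(n, pad_to=pad_to)), []).append(n)
    return table


def infer(observed_size, table):
    """Names a query of `observed_size` bytes could have been for."""
    return table.get(observed_size, [])


if __name__ == "__main__":
    plain = size_table(TOP_LIST)
    for n in TOP_LIST:
        size = len(build_query(n))
        print("%-18s %3d bytes -> %s" % (n, size, infer(size, plain)))
    padded = size_table(TOP_LIST, pad_to=PAD_BLOCK)
    print("padded to %d:" % PAD_BLOCK, {k: len(v) for k, v in padded.items()})
```

Unpadded, each of the four names yields a distinct message length, so the observed size alone names the query; padded to 128 bytes they all collapse into one bucket. Two caveats a practitioner would want: padding only buys anything on an encrypted transport (on plaintext port 53 the name is visible anyway), and the resolver has to pad its responses as well (RFC 8467 suggests a 468-byte block for those), otherwise response sizes leak what the query sizes no longer do.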

                                                    1. 3

                                                      Cloudflare actually addresses that in their blog post:

                                                      While DNSSEC ensures integrity of data between a resolver and an authoritative server, it does not protect the privacy of the “last mile” towards you. DNS resolver, 1.1.1.1, supports both emerging DNS privacy standards - DNS-over-TLS, and DNS-over-HTTPS, which both provide last mile encryption to keep your DNS queries private and free from tampering.

                                                      An attacker can also observe server name indication in your TLS connections to see who you’re contacting anyway. Preventing hijacking is much more significant in my opinion.

                                                      1. 2

                                                        Not all resolvers support DNSSEC. Not all people even like or trust DNSSEC.

                                                        Either way, I don’t buy that Cloudflare’s solution, especially when using plaintext DNS, enhances security. It simply allows more entities to snoop and/or modify your data en-route.

                                                        1. 2

                                                          That’s true, your ISP can still snoop the DNS traffic going to Cloudflare. But it does make it harder for them to send you bogus records than if you were querying them directly. Assuming Comcast isn’t modifying my traffic in flight, which I agree is sadly a big assumption, I trust Cloudflare more. Right now I use Google DNS, which has all the same problems you’re describing. At minimum, I’m happy Cloudflare is championing a more secure version of DNS (over HTTP / TLS), even if it isn’t perfect.

                                                          I have considered setting up a recursive DNS resolver on a $2.50/mo VPS and tunneling DNS from my home network to there. The IANA of course provides the root information for the root DNS servers, so it wouldn’t be that hard.

                                                          So I guess I don’t disagree with you. DNS is a complete shitshow one way or another, there’s no way to deny that. Unpopular or not, your opinion is objectively correct. It’s more of an uncomfortable fact than an opinion.

                                                          1. 1

                                                            It’s trivial for an ISP to anycast announce 1.1.1.1 and 8.8.8.8 wholly within their own network, capturing all of your DNS requests anyway. They can configure (or not, who would even notice?) all the same features available on CloudFlare or Google. I would be very surprised if people aren’t already doing it. If you wanted to be sneaky about it you can even set up a reverse proxy for the web content.

                                                            1. 1

                                                              Some Linux nerd might run traceroute and blog about it.

                                                              In any case, if you’re using Cloudflare DNS over HTTPS, they can’t forge Cloudflare’s certificate.

                                                    1. 4

                                                      The example given by the author sounds hacky more than anything, to “discover” source files.

                                                      I’ve been using makefiles of this kind for years now, and it works remarkably well. I do that so they’re easy to package, regardless of the distro. I must admit my projects are fairly simple, but I never missed any “feature” with this makefile. I’m probably missing something here though so feel free to tell me!

                                                      1. 1

                                                        I use a very similar makefile for my own projects. It doesn’t support header dependencies, though, and separate (out‐of‐tree) builds would be nice. I’ve been considering adding a (non‐autotools) configure script to the mix for that reason.

                                                        1. 1

                                                          The example I gave doesn’t have header files, but you can easily add them to the mix (example). For out-of-tree build, I don’t get the point of it. Is it only to keep the source tree clean? I’ve seen some handmade configure script in the wild as well, pretty short ones (some only included the line “echo do not use autotools!”). In my case, they would generate the config.mk file, which includes all the customizable bits. IMO, customization should be done at the environment level, and with make -e. That is the reason why I like mk a lot, which does that by default (but that’s another topic!)

                                                      1. 9

                                                        I don’t understand all the Xvfb/Xephyr stuff. I do simple screencasts just by enabling audio monitoring and:

                                                        ffmpeg -f sndio -i snd/0.mon -video_size 1680x1050 -framerate 30 -f x11grab -i :0.0 -c:v libx264 -qp 0 -preset ultrafast output.mkv
                                                        
                                                        1. 1

                                                          “Maybe we can finally get past our nemesis: the lady in the red dress! … Nope, Well, it was worth a shot.”

                                                          someone help me out here, what is this referencing?

                                                          1. 1

                                                            Just a guess, but the game probably crashes early on, enough to reach that character but no further.

                                                            1. 3

                                                              Is the website failing HTTPS cert verification for anyone else?

                                                                1. 10

                                                                  I keep seeing this as a reply but I’m not sure what purpose it serves: you still can’t read the site. The only thing you can get from comments is that yes, the site is using a self-signed certificate, meaning that the breakage is intentional.

                                                                  1. 7

                                                                    It is not broken - it is simply a different approach to CAs.

                                                                    1. 4

                                                                      It is not broken

                                                                      Broken has a couple of different meanings in this context. The relevant ones being (a) “according to design” and (b) “according to reasonable expectations of users.” It can be broken(b) while also not-broken(a). Or in other words it can be “broken by design.”

                                                                      1. 2

                                                                        The user process is broken. The browser tries its best to give a very technical workaround, but the fact is that all other sites I read on the web don’t require me to trade my own sense of security for that of the author.

                                                                        I do respect his choice, to be sure, but I ask people here to stop just silently referring to that original comment thread as if it explains anything. It doesn’t.

                                                                      2. 2

                                                                        In Chrome at least you can certainly read the site, you just have to click “Advanced” and “proceed to teduangst.com”

                                                                        1. 2

                                                                          The idea is to add the CA to the browser store. The CA is constrained to creating certs for tedunangst.org, which is nice. The weakness here is acquiring the CA in a secure way in the first place; the model is similar to SSH or signify.

                                                                          Ideally you would acquire the CA out of band, like by meeting Ted in person. Good luck with that.

                                                                          Unfortunately clicking through like you described loses any benefit: you’re obviously not checking the cert every time, so you’re prone to being MITMed each time you visit the site, as opposed to just the first time. (Firefox lets you save the exception, but Chrome doesn’t.)

                                                                          The benefit of this over Let’s Encrypt is that if you add Ted’s CA and remove all the other CAs (that don’t have their own name constraints) from your cert store, you know that any valid HTTPS cert for tedunangst.com came from Ted and not from another compromised CA. I doubt even people who have added Ted’s CA have removed those other CAs, though, so it doesn’t seem like a real benefit to me.
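What “the CA is constrained to creating certs for tedunangst.com” means on the verifier side, as an added example that is not code from the thread: the dNSName subtree rule from RFC 5280 section 4.2.1.10, next to the string-suffix shortcut that gets it wrong. The constraint is the domain named in the comment above; the leaf names and the CASES table are constructed for the demonstration.

```python
"""Added example, not code from the thread: the dNSName matching rule a
verifier applies to a name-constrained CA (RFC 5280 section 4.2.1.10), next
to the string-suffix shortcut that gets it wrong.

"tedunangst.com" is the constraint discussed in the comment above; the leaf
names are constructed for the demonstration."""


def dns_name_within(name, subtree):
    """True if dNSName `name` falls inside the permitted/excluded subtree.

    RFC 5280: a subtree "example.com" covers example.com and any name made
    by adding labels on the left ("www.example.com"). Comparison is by
    whole label, case-insensitively, so "notexample.com" is outside it.
    """
    n = name.lower().rstrip(".").split(".")
    s = subtree.lower().rstrip(".").split(".")
    return len(n) >= len(s) and n[-len(s):] == s


def naive_suffix_within(name, subtree):
    """The tempting shortcut: a plain string suffix test. Kept here only to
    show the bug; it accepts "nottedunangst.com" for "tedunangst.com"."""
    return name.lower().endswith(subtree.lower())


def leaf_permitted(leaf_dns_names, permitted, excluded=()):
    """Check every dNSName in a leaf against the CA's constraints.

    Each name must lie in at least one permitted subtree (when any are given)
    and in no excluded subtree; a single out-of-bounds SAN fails the cert,
    which is why a constrained CA cannot quietly mint a cert for another site.
    """
    for name in leaf_dns_names:
        if permitted and not any(dns_name_within(name, p) for p in permitted):
            return False
        if any(dns_name_within(name, e) for e in excluded):
            return False
    return True


CONSTRAINT = ["tedunangst.com"]

# Constructed leaf names and the verdict a correct verifier reaches.
CASES = {
    "tedunangst.com": True,
    "www.tedunangst.com": True,
    "WWW.TedUnangst.COM": True,
    "nottedunangst.com": False,            # the suffix-match pitfall
    "tedunangst.com.evil.example": False,  # labels added on the wrong side
    "lobste.rs": False,
}


if __name__ == "__main__":
    for leaf, expected in CASES.items():
        strict = leaf_permitted([leaf], CONSTRAINT)
        naive = naive_suffix_within(leaf, CONSTRAINT[0])
        flag = "" if strict == expected else "  <-- wrong"
        print("%-28s rfc5280=%-5s naive=%-5s%s" % (leaf, strict, naive, flag))
    # One bad SAN spoils the whole certificate.
    print("multi-SAN leaf:",
          leaf_permitted(["www.tedunangst.com", "evil.example"], CONSTRAINT))
```

The check only protects you if the client actually processes the nameConstraints extension (RFC 5280 requires issuing CAs to mark it critical for that reason), and, as the comment above notes, clicking through a browser warning skips certificate validation altogether, constraints included.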

                                                                        2. 2

                                                                          Indeed. I don’t understand this at all.

                                                                      3. 2

                                                                        Hi wyager, seems it’s my turn to direct you to: https://lobste.rs/s/qeqqge/moving_https ;-)

                                                                      1. 6

                                                                        And now they’re trying to persuade every project they use to switch to Apache License 2:

                                                                        1. 2

                                                                          I wish the ASF would still be using APLv1. It’s sad that the US legal system and patent situation caused this mess. The ASF is a very US-centric organisation (even though they don’t tend to view themselves as such), and from the perspective of a country where software patents are not (yet) a thing, the differences between APLv1 and APLv2 appear as a solution looking for a problem.

                                                                          1. 1

                                                                            Even in the US, this feels like a solution looking for a problem. BSD licenses have long been considered to provide an implicit patent grant (by the very wording: “Permission is hereby granted to use, copy, modify and distribute for any purpose…”). http://en.swpat.org/wiki/Implicit_patent_licence

                                                                          2. 2

                                                                            And now they’re trying to persuade every project they use to switch to Apache License 2

                                                                            No, they are asking politely if the projects might be willing to consider changing their licensing to be compatible. There is no persuasion going on by ASF people (which I assume you mean by “they”).

                                                                            1. 1

                                                                              Maybe I used the word incorrectly, but to me a polite request to change the license, or else an organization influential in the open source world would stop using the product, feels pretty close to persuasion.

                                                                              1. 1

                                                                                I don’t see any major problem with them trying to persuade React and RocksDB to use a different license (in fact, I welcome it, personally). What they aren’t trying to do is coerce RocksDB and React to use the APL2. That would be a very different situation.

                                                                          1. 1

                                                                            Is the current source available? I can only find the original Undeadly tarball (http://undeadly.org/undeadly-src.tar.gz).

                                                                            1. 7

                                                                              What’s unclear about MIT/ISC and patents? I always assumed the answer was a simple no.

                                                                              1. 6

                                                                                “Unclear” probably just means “would have to be decided in court”.

                                                                                US-based lawyers are super happy with an explicit patent grant they can use to defend their client in court, should someone sue for patent infringement.

                                                                                1. 5

                                                                                  The author has a full article on MIT. It comes down to “Neither copyright law nor patent law uses “to deal in” as a term of art; it has no specific meaning in court.” and refers to the following part of MIT:

                                                                                  to deal in the Software without restriction,

                                                                                  1. 5

                                                                                    ISC does not use this terminology. So why did he throw it in one bucket with MIT?

                                                                                    EDIT: See https://www.openbsd.org/policy.html for arguments in favour of ISC.

                                                                                  2. 2

                                                                                    I think that’s because MIT doesn’t mention patents explicitly while Apache has this:

                                                                                    1. Grant of Patent License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by such Contributor that are necessarily infringed by their Contribution(s) alone or by combination of their Contribution(s) with the Work to which such Contribution(s) was submitted. If You institute patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a Contribution incorporated within the Work constitutes direct or contributory patent infringement, then any patent licenses granted to You under this License for that Work shall terminate as of the date such litigation is filed.
                                                                                    1. 2

                                                                                      There’s an implicit patent grant in these licenses. Given the statement “Permission to use, copy, modify, and distribute this software … is hereby granted” I think it would be hard to argue that the recipient is not given a license to use the patent.

                                                                                      This only works if the copyright holder also holds the patent. But I (an eminently unqualified non‐lawyer) don’t see what the Apache 2.0 text provides that the ISC text doesn’t. “Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual … patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by such Contributor that are necessarily infringed by their Contribution(s) alone or by combination of their Contribution(s) with the Work to which such Contribution(s) was submitted.”

                                                                                      What’s really annoying about Apache, besides the deluge of verbiage, is the next sentence: “If You institute patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a Contribution incorporated within the Work constitutes direct or contributory patent infringement, then any patent licenses granted to You under this License for that Work shall terminate as of the date such litigation is filed.”

                                                                                      1. 1

                                                                                        What’s annoying about the patent pooling? It discourages a sue fest by revoking any patents granted to you by other contributors if you sue users of the software for patents you have granted to the project.

                                                                                    1. 4

                                                                                      It’s been about ten years, but I had an idea for a site called “listen to my CDs”. I’d upload a CD, and then allow a visitor (one, singular) to listen to it, streaming data in real time, but no faster. Surely I’m allowed to do that?

                                                                                      I thought it would be a really good test case for copyright law, but never quite got around to it. Never decided to give it up, maybe it’ll still work.

                                                                                      1. 2

                                                                                        the aereo case seems relevant.

                                                                                        1. 2

                                                                                          Indeed. By the way, Scalia (RIP) dissented in Aereo:

                                                                                          We came within one vote of declaring the VCR contraband 30 years ago… The dissent in that case was driven in part by the plaintiffs’ prediction that VCR technology would wreak all manner of havoc in the television and movie industries. … We are in no position to judge the validity of those self‐interested claims or to foresee the path of future technological development.

                                                                                          1. 1

                                                                                            surprisingly enough, I was in favour of the aereo ruling. I absolutely believe rebroadcasting should not be illegal, but if it is, the sophistry of having one microantenna per customer to make it technically okay is a clear case of evading the law

                                                                                      1. 6

                                                                                        Maybe also of interest:

                                                                                        Document Formatting and Typesetting on the UNIX System (ISBN: 9780961533625)

                                                                                        Document Formatting and Typesetting on the UNIX System: GRAP, MV, MS and TROFF (ISBN: 9780961533632)

                                                                                        Some parts are also available at google books.

                                                                                        1. 5

                                                                                          there are some more titles on http://www.troff.org/books.html

                                                                                          1. 3

                                                                                            A free ebook for writing manpages, Practical Unix Manuals, by Kristaps Dzonsons (the author of mandoc): https://manpages.bsd.lv/

                                                                                            It also contains “The History of UNIX Manpages”, another nice read.