1. 1

    Mine is at https://eldrid.ge with the blog at https://blog.eldrid.ge.

    I write mostly about IT/infosec, but also whatever else I’m interested in at the time. I’m fairly pleased with the homepage overall, and I like the blog design-wise but it could definitely load faster I think.

    1. 1

      https://blog.eldrid.ge/

      I write about whatever tech/security project I’m working on/open sourcing and very occasional longer pieces on something random that interested me like economics or large scale security breaches.

      My projects are usually in the domain of DNS security, home automation, tracker/ad blocking, BeyondCorp/ZeroTrust for home/SMB users, etc.

      1. 2

        I have a small Thinkserve running Debian stable with KVM, libvirt, and weblibvirt for managing VMs.

        One VM running FreeIPA, all my VMs use LDAP for authentication. I have one VM running nginx as a reverse proxy and an SSH relay to get in to my apps. One running FreeNAS with the hard drives direct mounted to the VM.

        Then three Docker nodes running Docker swarm. My next project is to move to Kubernetes, or likely k3s. In the swarm I’m running

        • Visualizer to view the Swarm state
        • calibre-web for ebook management
        • nassh-relay as a proxy SSH host for ChromeOS Chrome app ssh clients as they can’t use standard SSH proxying
        • Plex for movies, TV, and photos.
        • Tautulli for Plex metrics
        • theiaide a web IDE
        • Transmission for torrents
        • a VPN client that other containers can route traffic through.

        I also have a Raspberry Pi running Home Assistant for home automation.

        1. 1

          Isn’t PWA just a buzzword? I keep seeing it in different articles, and correct me if I’m wrong, but PWA seems to essentially be “I wrote a website that uses JavaScript and localstorage”. Am I missing something?

          1. 2

            It’s not a ‘buzzword’, it’s jargon.

            We find ourselves saying “A website that uses JavaScript and localstorage” that we found a shorter way to write it, as we’ve done with every other long phrase we need to use often.

            1. 1

              From a web developer perspective it’s broadly building a web app with those components, but browsers/OSes are treating them differently. E.g. on Android if you hit “Add to Home Screen” on a traditional website it just adds a bookmark. For a PWA it’s added to the app drawer and appears on your Settings > Applications list. It works similarly on other systems that are supporting PWAs.

              1. 1

                Yeah, but that still doesn’t explain how the site itself is different. So I can bookmark it in a different way on mobile. That has nothing to do with desktop version, and it has nothing to do with the site itself.

                I ask again, how is a PWA different from a JavaScript site with localStorage? The fact that you didn’t give a single concrete example makes me think PWA is just marketing talk.

                1. 2

                  It does look like it’s mainly a traditional web app with an extra web app manifest to give it an ‘app’ flavour:

                  https://developer.mozilla.org/en-US/docs/Web/Progressive_web_apps/Advantages

                  I’m not totally convinced, but I’ll keep an eye on it. I’d prefer web apps are just upfront about being web apps than pretend to be something else. If installing a PWA gives it some further capabilities, then sure, I’m on board with that.

                  1. 1

                    I find PWA to be too generic of a description, as it doesn’t tell us anything. The main difference is the ability to use the website while offline, even after refresh. E.g. my company has an app that uses IndexedDB to manually cache video and other dynamic content, while a PWA would be able to more easily handle that.

                    1. 1

                      My (very limited) understanding was that it just uses normal web technologies to achieve this, e.g. service workers, which don’t require a PWA, is that not the case?

                      1. 2

                        You’re correct about the service workers. That’s why I don’t find PWA to be a helpful word/acronym/whatever as it doesn’t actually tell you anything. PWA is the service workers + manifest for “installing” + whatever else anyone wants to use on that particular day. PWA can also be just 1 of those things, and not all of them. It’s a very unhelpful word.

            1. 24

              I like how you recommend not using a service, and then recommend some other service.

              Back at the beginning of medium, they weren’t annoying, hence why everyone started using them. They became annoying over time, to make $$’s.

              I’m not saying netlify will be annoying in the same ways, but if everyone starts using them, they will likely start becoming annoying in an attempt to make $$’s.. as that’s how businesses work, their goal(s) and your goal(s) are not always the same.

              1. 25

                “Back at the beginning of medium, they weren’t annoying, hence why everyone started using them. They became annoying over time, to make $$’s.”

                This is why I came up with a rule to not put my stuff into any service that’s incentivized to become evil over time. VC-based startups or small businesses with an unclear business model are warning signs. Anything ad-driven or likely to be.

                1. 7

                  The risks of Medium becoming a closed silo or turning evil were raised from the very start. But I think this is something people will have to experience themselves, much like financial irrational exuberance.

                  1. 4

                    I think we can speed up the learning process with a concise list of examples across a few services. Then, maybe some alternatives with better setup.

                  2. 4

                    This is why I came up with a rule to not put my stuff into any service that’s incentivized to become evil over time.

                    The problem with this is that you never know what’s going to eventually be incentivized to become evil over time.

                    1. 11

                      I think it’s best to assume by default that any online service you’re not paying for is incentivized to become evil over time.

                      That way you can be pleasantly surprised, instead of angry and disappointed.

                      1. 1

                        That seems like a great rule of thumb.

                      2. 1

                        I know what usually does. I know what sometimes doesn’t. I can’t know much more than that as you said. So, I avoid what goes bad the most focusing on what’s more good. What else to do?

                    2. 13

                      I’m not the author, but the appeal of Netlify to me is that it’s just hosting, not the CMS.

                      The actual site building is done in the open source Hugo, which is generating static pages, the easiest thing to host. If Netlify goes evil tomorrow, the amount of work required to move your site is measured in hours, if not minutes. And the places to which you could move your site is a lot.

                      1. 6

                        This is true, only if you own your URL’s.. i.e. have your own domain. But I totally agree with you, it’s a lot easier to replace netlify than medium.

                      2. 5

                        Netlify here is CI and CDN. Hugo is the CMS. Netlify makes it easy but, you could literally use any web front end (service or not).

                      1. 1

                        Is it possible to restrict it so only you can use it? I know people would have to guess the hostname but I’m not sure I’m willing to run a public dns server.

                        1. 2

                          I can’t think of a way that wouldn’t require a VPN or some other type of private network, but I’m not super familiar with Android’s implementation, there may be a way to validate based on something but I’m not aware of one.

                          The biggest concern for me about a public DNS server is me unwittingly participating in a DDoS attack, but in the case of DoT, a three-way handshake has to be completed first so it shouldn’t be possible for that to happen for a DoT or DoH server.

                        1. 2

                          I have been curious if targeting a virtual machine such as qemu would make driver implementation easier; only one disk interface, one network card, one gfx device, etc. since you’re just accessing what the vm gives you. Does anyone have experience with this?

                          1. 3

                            I don’t personally but I’ve been following [https://www.redox-os.org/](Redox OS) and that seems to be their process for that reason.

                            1. 2

                              (Note: markdown links have the text in the square brackets, and the link in the parentheses)

                          1. 16

                            I fucking hate reCaptcha, partly because the problems seem to be getting harder over time. Sometimes I literally can’t spot the cars in all the tiles.

                            1. 19

                              It’s also very effective at keeping Tor out. ReCAPTCHA will, more often than not, refuse to even serve a CAPTCHA (or serve an unsolvable one) to Tor users. Then remember that a lot of websites are behind CloudFlare and CloudFlare uses ReCAPTCHA to check users.

                              Oops.

                              1. 2

                                For the Cloudflare issue you can install Cloudflare’s Privacy Pass extension that maintains anonymity, but still greatly reduces or removes the amount of reCaptchas Cloudflare shows you if you’re coming from an IP with bad reputation, such as a lot of the Tor exit nodes.

                                (Disclaimer: I work at Cloudflare but in an unrelated department)

                                1. 2

                                  Luckily, CloudFlare makes it easy for site owners to whitelist Tor so Tor users don’t get checked.

                                  1. 9

                                    Realistically, how many site owners do that, though?

                                2. 16

                                  I don’t hate it because it’s hard. I hate it because I think Google lost its moral compass. So, the last thing that I want to do is to be a free annotator for their ML efforts. Unfortunately, I have to be a free annotator anyway, because some non-Google sites use reCaptcha.

                                  1. 7

                                    Indeed, also annoying is you have to guess at what the stupid thing is trying to indicate as “cars”. Is it a full image of the car or not? Does the “car” span multiple tiles? Is it obscured in one tile and not in another? Which of those “count” if so? Should I include all the tiles if say the front bumper is in one tile or not? (my experiments have indicated not).

                                    Or the store fronts, some don’t have any signage, they could be store fronts, or not, literally unknowable by a human or an AI with that limited of information.

                                    I’m sick of being used as a training set for AI data, this is even more annoying than trying to guess if the text in question was using Fraktur and the ligature in question is what google thinks is an f, or an s. I love getting told I’m wrong by a majority of people not being able to read Fraktur and distinguish an f from an s from say an italic i or l. Now I get to be told I can’t distinguish a “car” by an image training algorithm.

                                    1. 4

                                      At some point, only machines will be able to spot the cars.