1. 12

    Just sit down and think about what you need. Then ask for it, maybe with some surplus. Be confident about it and make clear this is not negotiable.

    If this is reasonable I am sure you will succeed. Don’t be greedy and don’t compare yourself to others. Even if they have a much greater salary: if yours is enough to pay your bills and to keep you happy, everything should be fine.

    1. 11

      This is an interesting comment because it brings in the missing component - a philosophy of life. At one end, there is Tolstoy, whose answer to “How much land does a man need” is “just enough for a grave” (much less if you are Hindu, possibly). This spartan answer is a little extreme, but it does point to remembering to balance living your life and working to provide for it.

      It also brings to mind the studies which suggest that it’s not how much we earn in absolute terms that is important but how much we earn in relation to our peers. Which suggests that the happiest man is he who does not compare anything!

      To pause from going down this philosophical rabbit hole, the correct answer is that there is no correct answer, but I will point out one phenomenon I think is fairly universal: your lifestyle expands to fit your income. If you can fit your lifestyle within your income, with some buffer for the inevitable economic downturn, you are doing as well as you can.

      1. 4

        Very wise advice. Like they say, comparison is the thief of joy.

        It would still be pertinent to check what market salaries are and negotiate. For persons who are able to accurately tally what they “need”, the number will likely be much less than what their work is worth. Any extra headroom can also bring a person closer to retirement. A benchmark rather than a comparison, I suppose.

      1. 10
        Speed is Stellar

        The speed of the system is stellar. I feel like it is faster than the Linux and FreeBSD installations, but I don’t have proof of it. I suspect there is less bloat to weigh things down and the hardware support for Thinkpads is super in OpenBSD.

        I find this rather surprising, because the last time I installed OpenBSD this (or rather the fact that it was too slow) was my main issue. I’m not sure, but as far as I understood this was because of the global kernel lock that inhibits some parallelism, where Linux permits it. What really shocked me was the difference in time needed for Emacs to start for the first time, it was something like 1-2 seconds on Linux vs 15-20 seconds on OpenBSD.

        1. 4

          What really shocked me was the difference in time needed for Emacs to start for the first time, it was something like 1-2 seconds on Linux vs 15-20 seconds on OpenBSD

          Not really certain about much of this and not much of an Emacs user myself, but I recall that Emacs uses some awful build hack where it pre-loads a bunch of stuff (Emacs-lisp macros I guess) and serialises it out by simply writing a chunk of memory out to disk. I vaguely recall that this needed a special Glibc hack to work properly and as a result couldn’t be done on non-Glibc systems. Ultimately I guess what I’m trying to say is, I’m not sure that Emacs launch time is a great benchmark for OS performance generally. (But again, I’m not willing to make any firm claims here).

          1. 4

            Everyone knows Emacs stands for “Eight megabytes and constantly swapping”…

            1. 2

              Hmm, it makes sense. This is the phenomenon you’re mentioning, and all I knew about that and OpenBSD was that they couldn’t compile Emacs to be fully ASLR (?) compatible. But it would make sense that that could slow down the start-up time.

              But that didn’t change the general issue, it was just very pronounced when it came to booting Emacs. Anything like opening a file, generating an overview, etc. was noticeably slower, which saddened me, since I like OpenBSD but my primary allegiance is to Emacs :(

              1. 2

                You recall correctly. It basically starts from a minimal executable (temacs), loads a bunch of elisp files, and then dumps the resulting memory image out to create what the manual calls a “pure Emacs”:

                The command temacs -l loadup would run temacs and direct it to load loadup.el. The loadup library loads additional Lisp libraries, which set up the normal Emacs editing environment. After this step, the Emacs executable is no longer bare.

                Because it takes some time to load the standard Lisp files, the temacs executable usually isn’t run directly by users. Instead, as one of the last steps of building Emacs, the command temacs -batch -l loadup dump is run. The special dump argument causes temacs to dump out an executable program, called emacs, which has all the standard Lisp files preloaded. (The -batch argument prevents temacs from trying to initialize any of its data on the terminal, so that the tables of terminal information are empty in the dumped Emacs.)

                The dumped emacs executable (also called a pure Emacs) is the one which is installed. The variable preloaded-file-list stores a list of the Lisp files preloaded into the dumped Emacs. If you port Emacs to a new operating system, and are not able to implement dumping, then Emacs must load loadup.el each time it starts.

                Emacs on Android - via Termux - has the same issue: it takes more than six seconds to start on my phone, and it loads far more files than what I see on my laptop (or even my netbook, which has a comparable startup time “thanks” to its 2011 Atom CPU and 5400 rpm HDD).

              2. 3

                I love OpenBSD but yeah, speed is not its strong suit nor the focus of the project. But to me it was always fast enough with the exception of youtube (which I rarely use, so things might have changed there).

                1. 1

                  global kernel lock that inhibits some parallelism

                  If I remember correctly, there’s been a lot of development recently to get rid of this. Last I heard the networking stack was being refactored to be lock free, so OpenBSD might be significantly more performant in the near future. Someone who’s more involved with OpenBSD dev would know more…

                  1. 1

                    That would most certainly be nice to see!

                  1. 4

                    Fascinating and glorious. One might be depressed at the pile of hacks, but really we should be amazed at how well it all works!

                    That said, we still all need to use IPv6 everywhere. :D

                    1. 2

                      I do have a lab setup for our apprentices where they have to build a network for a fictional business and it is supposed to be v6 only. But every now and then stuff creeps up that’s not v6 capable. I am also seeing the IPv4 mindset sneaking into the design, most notably transfer networks, where link-local should probably be used.

                    1. 1

                      a honk in German is someone who does stupid things ;-) but looking forward to it :-)

                      1. 5

                        Excellent, the German translation is already complete.

                        1. 1

                          :-)

                      1. 2

                        I used rdist to distribute my pf.conf and do a pfctl -f /etc/pf.conf after doing so to keep a cluster in sync :-)

                        1. 2

                          Is anyone aware of similar discussions for systems engineers? I can translate the points to my field of work but I wonder if systems engineers reflect in the same way about how they get stuff done.

                          1. 2

                            Just recently I did set up collectd + influxdb + grafana in 6.3, and boy it was easy. So easy that I threw alerts via pushover into the mix. From zero knowledge about any of the products (besides OpenBSD and pushover) to having something workable in 1 hour. After a 12hr shift. After midnight. I was really impressed because I expected way more hassle…

                            1. 1

                              Looking forward to the writeup :)

                            1. 8

                              One of my most beloved “features” of OpenBSD is that I am constantly not surprised by stuff that I do with it while linux just keeps on surprising me.

                              As an admin I love that I can predict the outcome of my actions.

                              1. 8

                                Bit of a rubbish response from the 1Password team:

                                “The realistic threat from this issue is limited,” 1Password’s security developer Jeffrey Goldberg told PCMag in an email. “No password manager (or anything else) can promise to run securely on a compromised computer.”

                                “Fixing this particular problem introduces new, greater security risks,” Goldberg said. 1Password would have to switch to a different, older programming language, which might prove to be less reliable in other ways, and leave users insecure, he added.

                                The latter comment hints at them moving from C/C++ to C# or similar (the ISE article suggests that 1Password 7 was a rewrite), which may make it more difficult to remove plaintext values from memory. But surely doing that is fundamental to the proper functioning of a password manager?

                                1. 10

                                  I’m mostly with them on this one, to be honest. If you have a program on your box that is actively hunting passwords by reading RAM, all of these password managers (and any new ones) are going to fail. 1Password 7 may fall more quickly, I suppose, but you’re in irrecoverably bad shape regardless.

                                  What would be nice, and older versions of 1Password on Windows could do, would be to open the password manager on the privileged desktop, which makes RAM scanning impossible (unless something compromised the privileged desktop, but then you really are fucked). That’s a generic technique that would provide a bit of better isolation.

                                  1. 4

                                    I’m mostly with them on this one, to be honest. If you have a program on your box that is actively hunting passwords by reading RAM

                                    Yeah, I went right to KeePass to see the attack. They read all the RAM of the process containing passwords. Well, they’re going to see one eventually no matter what it does with that level of access. Might as well keylog the system or read the RAM of wherever the password is going while they’re at it. There’s still value in calling out the fact that they weren’t cleaning them out of memory as much as they claimed, though.

                                    Also a good time to plug separation kernels. Keeping the secrets in a dedicated partition outside a Windows or Linux VM is one of their use-cases. Outside a side channel, there’s no way something in the VM would be reading the memory of the process or partition containing secrets.

                                    1. 3

                                      Well, re: separated VM – A normal Unix process isn’t supposed to read other processes’ memory either (unless debugging is allowed with something like security.bsd.unprivileged_proc_debug) outside a side channel.

                                      Seems like a good time to plug Yubikeys :)

                                      1. 1

                                        “A normal Unix process isn’t supposed to read other processes’ memory either”

                                        Except a normal UNIX process has no assurance it enforces that given its kernel size and complexity of the system. Could be bypasses galore. Whereas, a separation kernel is usually 4-10kloc with a straight-forward model of information sharing (eg IPC primitives). Muen, being a SPARK program, is also verified to not have most of the coding errors that lead to vulnerabilities. seL4 similarly.

                                        “Seems like a good time to plug Yubikeys :)”

                                        Sounds good. Keep the untrustworthy hosts away from your secrets.

                                        1. 1

                                          kernel size and complexity of the system

                                          This is repeated very often, but (the relevant parts of the) unix kernels are actually not that big. It’s easy to say “Linux is a hundred million lines!!” but most of these lines are device drivers. The virtual memory and process subsystems aren’t that big.

                                          Of course small verified kernels are awesome (when security is the only thing you care about), but old school kernels that only get statically analyzed and fuzzed with sanitizers seem to be good enough for the most part.

                                          1. 1

                                            “unix kernels are actually not that big”

                                            They’re hundreds of thousands of lines of code, if you exclude drivers, in a language that makes turning screwups into exploits easy. The software people get right and/or formally verify is usually under ten thousand. If verifying informally, the other rule is you have to fit its entire behavior into your head. I have no reason to think anyone can fit the entire Linux kernel plus all component interactions into their heads. So, they’re really as big as we say if the goal is to know it will succeed or fail-safe in all circumstances with size and implementation language dictating likely success of that.

                                            “Of course small verified kernels are awesome (when security is the only thing you care about), but old school kernels that only get statically analyzed and fuzzed with sanitizers seem to be good enough for the most part.”

                                            Nope. (pdf) Each tool I submit here from CompSci also finds new problems in those codebases. Best to consider them ridden with bugs, some of which your enemies already possess. Whereas, a few security and separation kernels did way better during NSA pentesting. They also change slowly: fewer new bugs will be introduced. That’s a huge, qualitative difference from UNIX-style kernels.

                                            One supporting point I’ve been looking at is Zerodium’s prices, since they indirectly hint at how hard things are to exploit. Especially local privilege escalation, given attackers will likely chain a cheap one on a vulnerable service with an LPE. Linux/BSD’s payouts for LPEs are currently at $50,000. Windows LPE at $80,000. They must be finding them fast.

                                    2. 3

                                      Don’t disagree with you about all bets being off when a program is actively reading RAM, but it’s not great that all passwords are left in memory in plaintext, even after 1Password is locked again. Not to mention the exposure via OS crash dumps…

                                      From the ISE article:

                                      1Password7 decrypted all individual passwords in our test database as soon as it is unlocked and caches them in memory, unlike 1Password4 which kept only one entry at a time in memory. Compounding this, we found that 1Password7 scrubs neither the individual passwords, the master password, nor the secret key (an extra field introduced in 1Password6 that combines with the master password to derive the encryption key) from memory when transitioning from unlocked to locked.
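The ISE finding quoted above is that 1Password7 neither confines decrypted data to one entry at a time nor scrubs the key and passwords when the vault locks. As an added example (not the article's, the thread's or 1Password's code), here is a toy vault in C that does both: it keeps the key and a single decrypted entry in one mlock()ed page that Linux is told to leave out of core dumps, zeroes that page through a volatile function pointer on lock so the compiler cannot drop the stores, and uses an XOR stand-in (constructed, not a cipher) in place of real decryption. The names vault_t, vault_show and secure_zero are mine, "hunter2" is a constructed sample entry, and mlock failure is non-fatal so it runs in restricted sandboxes.

```c
#define _GNU_SOURCE 1   /* posix_memalign, madvise, MADV_DONTDUMP on glibc */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

enum { KEY_LEN = 32, ENTRY_MAX = 256 };
/* Zero through a volatile function pointer so the compiler cannot prove the
 * stores dead and drop them, which a plain memset() right before free() is
 * prone to. explicit_bzero(3) on OpenBSD/glibc does the same job. */
static void *(*const volatile zero_fn)(void *, int, size_t) = memset;
void secure_zero(void *p, size_t n) { zero_fn(p, 0, n); }

/* Toy vault shaped like the "one entry at a time" behaviour the thread
 * attributes to 1Password4: while unlocked, the region holds the key and at
 * most one decrypted entry; locking scrubs the whole region. */
typedef struct {
    unsigned char *region;  /* page-aligned, mlock()ed, kept out of core dumps */
    size_t region_len;
    unsigned char *key;     /* KEY_LEN bytes inside region */
    char *entry;            /* ENTRY_MAX bytes inside region: the one resident entry */
    int unlocked;
} vault_t;

int vault_init(vault_t *v)
{
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0) return -1;
    v->region_len = (size_t)page;                 /* one page is plenty here */
    if (posix_memalign((void **)&v->region, (size_t)page, v->region_len) != 0)
        return -1;
    memset(v->region, 0, v->region_len);
    /* Keep secrets out of swap; failure (RLIMIT_MEMLOCK) is reported, not fatal. */
    if (mlock(v->region, v->region_len) != 0)
        perror("mlock (continuing without it)");
#ifdef MADV_DONTDUMP
    /* Linux: leave this page out of core dumps, the crash-dump exposure raised above. */
    if (madvise(v->region, v->region_len, MADV_DONTDUMP) != 0)
        perror("madvise(MADV_DONTDUMP)");
#endif
    v->key = v->region;
    v->entry = (char *)v->region + KEY_LEN;
    v->unlocked = 0;
    return 0;
}

void vault_unlock(vault_t *v, const unsigned char key[KEY_LEN])
{ memcpy(v->key, key, KEY_LEN); v->unlocked = 1; }

/* Decrypt one entry on demand into the single resident slot, overwriting the one
 * shown before. XOR with the key is a constructed stand-in for the real cipher. */
const char *vault_show(vault_t *v, const unsigned char *ct, size_t len)
{
    if (!v->unlocked || len >= ENTRY_MAX) return NULL;
    secure_zero(v->entry, ENTRY_MAX);
    for (size_t i = 0; i < len; i++)
        v->entry[i] = (char)(ct[i] ^ v->key[i % KEY_LEN]);
    v->entry[len] = '\0';
    return v->entry;
}

/* Lock: the key and the resident entry both go, not just the flag. */
void vault_lock(vault_t *v)
{ secure_zero(v->region, v->region_len); v->unlocked = 0; }

/* Self-check: no non-zero byte left anywhere in the secret region. */
int vault_region_is_zero(const vault_t *v)
{
    for (size_t i = 0; i < v->region_len; i++)
        if (v->region[i] != 0) return 0;
    return 1;
}

void vault_destroy(vault_t *v)
{ vault_lock(v); munlock(v->region, v->region_len); free(v->region); v->region = NULL; }

/* Constructed "ciphertext" for the demo, made with the same XOR stand-in. */
size_t toy_encrypt(const unsigned char key[KEY_LEN], const char *pt, unsigned char *out)
{
    size_t n = strlen(pt);
    for (size_t i = 0; i < n; i++) out[i] = (unsigned char)pt[i] ^ key[i % KEY_LEN];
    return n;
}

int main(void)
{
    vault_t v;
    unsigned char key[KEY_LEN], ct[ENTRY_MAX];
    for (int i = 0; i < KEY_LEN; i++) key[i] = (unsigned char)(i * 7 + 3);
    size_t n = toy_encrypt(key, "hunter2", ct);   /* constructed sample entry */
    if (vault_init(&v) != 0) return 1;
    vault_unlock(&v, key);
    secure_zero(key, KEY_LEN);                    /* the stack copy goes too */
    printf("entry: %s\n", vault_show(&v, ct, n));
    vault_lock(&v);
    printf("region zeroed after lock: %d\n", vault_region_is_zero(&v));
    vault_destroy(&v);
    return 0;
}
```

The volatile-pointer trick only defeats dead-store elimination; it does nothing about copies the OS or a GUI toolkit makes elsewhere, which is the KeePass/SecureString point made further down the thread.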

                                      1. 3

                                        The crash dump aspect is a fair one; I agree. The bigger issue I had after (literally) sleeping on it is that their excuse makes no sense. The binary on Windows appears to be a normal .NET Standard executable, in which case SecureString would do exactly what they want. (The binary on macOS appears to be Objective-C, possibly with some Swift mixed, which also makes their “secure language” take a bit odd to me, but that’s mostly irrelevant to this discussion.)

                                        1. 3

                                          I didn’t know about SecureString and it sounds really cool… except the docs you linked include, near the top, a recommendation that it not be used. I guess securing strings is a pretty hard problem in general. :-/

                                          1. 1

                                            AFAIK KeePass uses SecureString extensively and still failed the inspection. The article hints that GUI toolkits leak this information, as the widgets are not designed to be memory-safe in this sense. I can totally imagine Windows Forms caching strings here and there, and leaking information by using simple strings, not SecureString, in the implementation of various controls.

                                            On the other hand the inability to clean up after locking warrants a different approach… Maybe starting the unlocked shell as a subprocess, and killing it on locking the session, would help.

                                          2. 1

                                            The problem with the ISE article is that it fails to do threat modeling around password managers properly.

                                            In the overwhelming majority of cases reading process memory means having such privileged access to the system so as to make any scrubbing meaningless. With that kind of access attackers can just install persistent malicious code and wait for the user to unlock any password databases.

                                            If your threat model includes read or write access to arbitrary process memory then your only realistic defense is hardware tokens/dongles and SGX-type stuff.

                                            1. 1

                                              Bingo!

                                              This also bothers me in that I’ve seen this being waved around by UberGeeks who are telling people “SEE? Using a password manager is terrible!” when in fact for most humans with leaky brains and AWFUL opsec using a password manager is exactly the right way to go in this modern age of daily breaches.

                                          3. 3

                                            It certainly is not something that would call for immediate action if you are using one of those, but what’s the point of having e.g. all of the passwords lingering in RAM while most of the time not nearly all of them are actively being used? The response of 1password just feels cheap. Also I am using the web GUI of 1password from time to time. Does it mean that I smear all of my passwords into the RAM of a shared machine? Just doesn’t feel right. Maybe I should get off of my lazy ass and start self-hosting bitwarden.

                                            1. 4

                                              Using a separate process for password managers is important given that the Spectre class of attacks appears to be un-fixable.

                                              Any website able to run javascript for a significant period of time should be able to extract your passwords from browser ram unless they are stored in a separate process.

                                              1. 1

                                                all of the passwords lingering in RAM while most of the time not nearly all of them are actively being used?

                                                You’re right, they don’t have to pull all passwords in RAM. But if they don’t, they at least have to have the secret in RAM to enable you to view other passwords on demand. If that can be read by an attacker, it’s trivial to then read the other passwords off disk. To my mind, it’s therefore no worse to keep all the passwords in RAM.

                                                1. 1

                                                  I wouldn’t mind if I had to enter my master password after a specified amount of time, which obviously would only make sense if they don’t still hang around after the timeout. And I am mainly concerned about memory dumps; IIRC it has already been the case that an attacker extracted secrets from memory dumps lying around at some vendor. So most of my passwords would still be safe even if the attacker got a grip on my master password.

                                                  Also 1password should be honest to their customers and stop telling them that all is lost if they lose the master password when the data is recoverable as long as 1password is still running. But I guess this wouldn’t instill trust ;-)

                                                  Joking aside, yeah the threat is probably not that high…

                                                  1. 1

                                                    Spectre attacks are the main thing mitigated by clearing the passwords from RAM since they let you read memory but not execute code.

                                                    In that case, stealing the master password to the vault doesn’t help you if the vault isn’t in memory.

                                            2. 1

                                              1Password 7 was a rewrite, as confirmed recently to me by their support staff when explaining why some locking options from 1Password 4 are missing from 1Password 7.

                                            1. 7

                                              Now this is somewhat surprising. Too bad that they haven’t checked bitwarden. So now I have to remember to not send any crash reports until this has been fixed.

                                              1. 2

                                                Bitwarden has been audited, though with a different focus https://blog.bitwarden.com/bitwarden-completes-third-party-security-audit-c1cc81b6d33

                                                1. 1

                                                  What do you mean “audited, though with a different focus”?

                                                  I have read the blog post but still don’t seem to understand your context.

                                                  1. 2

                                                    Blog post focused mostly on secure erasing of memory (which needs a local attacker). The linked audit took a different approach.

                                              1. 2

                                                If I would have been the volunteer, I’d have also chosen AWK. For some reason beyond logic I do like working with AWK.

                                                1. 2

                                                  Sounds like you haven’t ever tried implementing graph algorithms with AWK ^^

                                                  1. 2

                                                    Nope :-) Mainly tools helping me w/ various tasks of my life as an admin. And I can’t put my finger on it but I just enjoy awk’ing away

                                                1. 1

                                                  and the payments file after running the script… how is it updated?

                                                  1. 1

                                                    After the script runs, you empty the payments file, move the output on top of the old members file, and (if I was doing it now, and not 20 years ago), git commit the result.

                                                    1. 1

                                                      I think it’s a ledger that is being updated manually.

                                                    1. 1

                                                      I’ve used this before and can say I was very satisfied with its effectiveness and ease of use. It doesn’t block everything, but it is a great addition to whatever you already use for ad blocking.

                                                      1. 3

                                                        DNS firewalling is so much more than just ad blocking. It also - and IMHO more importantly - adds to your protection against malware. Done right it also extends your resilience against DNS spoofing and rebinding. But I wonder how this will stand if DNS over HTTPS is going to win the race.

                                                        1. 1

                                                          Good to know! I will set this up again over the weekend

                                                      1. 3

                                                        I was looking for DNS RPZ and unbound but didn’t find something that I liked so I came up with a makeshift solution and thought maybe someone else might be interested here…

                                                        1. 3

                                                          It is. Thanks for sharing. Really like his static website generator and I am inspired to make something similar. First step… learn shell?

                                                          1. 6

                                                            You can write it in any language. If you’re interested in learning shell or anything web dev related, ask me anything here or on Twitter/Mastodon (DMs are open) ;)

                                                            1. 4

                                                              Kristaps’ sblg is also worth a look. My blog is using sblg and lowdown. Sites are generated on my laptop, then pushed by rdist, which is also a nice tool in OpenBSD base.

                                                              1. 2

                                                                Thanks! :)

                                                                1. 1

                                                                  cool, I have to check that out as well.

                                                                2. 1

                                                                  yeah, like Roman’s reply. Anything goes. Any language will do.

                                                                1. 0

                                                                  FINALFUCKINGLY :-)

                                                                  1. 2

                                                                    What any reasonable person SHOULD do is: wipe the pi and reinstall. I would have done that if I had an SD card reader with me. I might do it on next visit. But for now, this seemed enough.

                                                                    No. What a reasonable person SHOULD do is not run a machine with default credentials; especially when you are handing that thing to a layman. Unless he used that pi as a honeypot.

                                                                    Also I hope he reported the issue to the police. I know that there wouldn’t be any outcome, but in the long run the police will only be able to get knowledgeable officers for this kind of crime if the numbers rise. At least that’s what I have taken away from multiple chats I had with the force in Germany.

                                                                    1. 3

                                                                      In the US, you would be laughed right out of the police station if you came in to report that somebody uploaded a malicious program to your $35 raspberry pi that you forgot to change the default password on. And rightfully so.

                                                                      1. 1

                                                                        The point of the officers I spoke with was that there’s basically not enough budget for the “cybercrime” department and the more crimes are being reported the better (but still slim) are the chances to change that. But maybe this is not representative even for Germany.

                                                                    1. 5

                                                                      Funny. My ERL slagged itself and I moved to protectli recently. Full review forthcoming.

                                                                      1. 4

                                                                        why not an apu from pc engines?

                                                                        1. 2

                                                                          The last time I looked at pc engines, you had to remember to buy a board, and a case, and a power supply, and power cord, and probably something else I’m surely forgetting. I don’t mind installing ram or ssd, but I had little confidence I would successfully order all the parts needed to build a functional apu.

                                                                          1. 2

                                                                            yes, that sucks. nowadays you can buy them as kits. maybe even preassembled. and openbsd runs nicely on them :-)

                                                                            1. 2

                                                                              There’s also (EU: business customers only). Followed by a long list of distributors in random EU countries, many (most?) of which don’t seem to stock the current boards and kits at all..

                                                                              It just seems so much easier to buy something else.

                                                                              1. 2

                                                                                I got mine from amazon.de but it’s possible that there’s no such thing on amazon.com. But this is not an endorsement, just wanted to know if there’s a technical reasoning behind the decision, nothing more ;-)

                                                                            2. 1

                                                                              Hah, I just last week bought another APU2 and was similarly disinterested in fussing with assembly. Found at least one vendor who does fully built boxes. I picked one of these and put a storage drive in the same order and it showed up fully assembled.

                                                                              http://www.mini-box.com/ALIX-APU-Systems

                                                                        1. 3

                                                                          sendmsg(2), sendto(2), recvfrom(2) and recvmsg(2) are run without KERNEL_LOCK.

                                                                          Does anybody have an idea how this affects the performance of those system calls?

                                                                          1. 2

                                                                            On the general topic of performance, OpenBSD is usually known to be not as fast as other BSDs or Linux? Can someone who knows more about this say what the reasons are? Is it just programming that isn’t focused on micro optimisation or is there a necessary tradeoff between security and speed?

                                                                            1. 3

                                                                              It’s not always a tradeoff, but doing it right takes huge effort. Anyone who ran fbsd 5.x with the 3? different thread models and emulating linux threads for mysql perf knows there is lots more to it than just flipping a bit and let the cores race around at their whim. Obsd seems to try ‘not screw up’ with available manpower and that means being behind. Might also mean less silly bugs slip through.

                                                                              1. 3

                                                                                Not a contributor, but I have been lurking in the community for quite a while now and AFAIK the largest reason why OpenBSD is as “performant” as it is, is that they don’t aim for performance. So the trade-off is not as much about security as it is about manpower and interest.

                                                                                What I can say is that it was never performing bad for any workload I aimed for, besides web browsing - which is getting better and better.

                                                                                But I also value those lovely man pages, sane defaults and the overall stable and thus boring interfaces that they keep on providing and improving without alienating long time users more than “performance” whatever the metric is by which you want to measure it.

                                                                              2. 1

                                                                                According to my best knowledge KERNEL_LOCK is the so-called big kernel lock. By having these syscalls not use that lock, performance is supposed to increase.