Threads for jtdowney

  1. 11

    I might use this if I weren’t worried about Linux users other than my main having access to tailscale’s net interface.

    Someday I’ll get around to learning nftables. Today is not that day

    Actually now that I think about it, if I were to filter all outbound packets by user, how would I host services on the tailnet via a daemon user? Can I use conntrack with nftables? What about UDP? Would I even care about isolating tailnet internal services to another user? Maybe I should focus on not needing to worry about network access by other users so I can rely on loopback as a safe interface. Maybe I should go crazy with network namespaces

    1. 4

      I hope this style of posting isn’t too bothersome to others. I’m not used to interacting like this vs. lurking here and discussing/rambling on Discord with friends.

      1. 6

        Not at all! It’s on topic discussion and people do benefit from reading this kind of thought, in general.

        1. 1

          Absolutely your comments are 100% on point and not bothersome at all!

          I LOVE tailscale, but I’m a one man shop and just using it for my personal infrastructure so I wouldn’t even know to think about problems like the one you cite.

          1. 2

            I replaced self-managed wireguard with tailscale. Much easier to handle and runs on Linux (arm64 and amd64) and OSX.

        2. 2

          It’s been a long time since I played with nftables, but IIRC you can mark packets originating from different UIDs and then you can make decisions based on metainformation. Have not tested the theory though.

          1. 2

            My understanding is with this feature, the SSH connection is handled by tailscaled before the Linux kernel ever sees it, so nftables wouldn’t be helpful. It can do that because the userspace daemon terminates the WireGuard connection.
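
The per-user egress filter the top comment is weighing up, written out as an added example; it is not from the thread and not Tailscale’s code. It assumes the tailnet interface is named tailscale0, that the main login is uid 1000, and that a hypothetical account `svcuser` runs the daemon that serves the tailnet; the log prefix is illustrative. The conntrack line is what answers the “how would I host services via a daemon user” and “what about UDP” questions: an inbound connection to the daemon creates the conntrack entry and the daemon’s replies match established whatever their uid, while a disallowed user’s first outbound packet is new and falls through to the drop before any entry exists.

```nft
#!/usr/sbin/nft -f
# Added example (not Lobsters', not Tailscale's code). Assumed names: tailscale0
# is the tailnet interface, uid 1000 is the main login, "svcuser" is a
# hypothetical account that runs the tailnet-facing daemon.

table inet tailnet_uid {
    chain output {
        # Only locally generated packets traverse the output hook, and that is
        # the only hook where "meta skuid" (uid owning the sending socket) exists.
        type filter hook output priority 0; policy accept;

        # Leave every other interface alone. tailscaled's own WireGuard UDP
        # leaves on the physical interface, not on tailscale0, so it is unaffected.
        oifname != "tailscale0" accept

        # Replies in flows conntrack already knows about, TCP and UDP alike.
        # An inbound connection to the daemon creates the entry; the daemon's
        # replies are "established" and pass regardless of uid. A disallowed
        # user's first outbound packet is "new", so it does not match here and
        # falls through to the final drop.
        ct state established,related accept

        # Accounts allowed to open new flows onto the tailnet.
        meta skuid 1000 accept       # assumed main user
        meta skuid "svcuser" accept  # hypothetical daemon account

        # Everything else from other local users: log (illustrative prefix) and drop.
        log prefix "tailnet-uid-drop " counter drop
    }
}
```

Load it with `nft -f` as root and inspect with `nft list table inet tailnet_uid`. Three caveats follow from the thread itself: skuid is only defined for locally generated packets, so this restricts who can initiate a flow, not who can answer one (any local user with a listening socket can still reply to a peer that reaches it; the input chain or tailnet ACLs have to cover that); Tailscale SSH is terminated in userspace by tailscaled, so those connections never traverse this chain and need tailnet ACLs instead; and root can always rewrite the ruleset, so this only constrains unprivileged local users.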

          1. 1

            Then, connect from the source device as normal: $ ssh root@100.100.100.100

            Aren’t some of the advantages of using tailscale ssh lost if they only offer a server, not a client? I would appreciate some more technical detail.

            1. 1

              Do you have a specific loss in mind? My impression is that generally the design is that the client part is transparent for existing apps, and their customization happens mostly on the server side, where there is less variety in software.

              1. 1
                • double encryption
                • still having to deal with ssh keys
                1. 2

                  You don’t need to deal with SSH keys unless I am massively misunderstanding the submission.

                  1. 1

                    You always have double encryption with ssh over wireguard (or any VPN). There are no client SSH keys because it knows what host you’re coming from and uses that information to match the ACL to grant access. As for the other technical details, their docs are pretty good and the code is open source.

              1. 4

                This came up in another forum, specifically as an alternative to TLS.

                It’s already been submitted, with no comments, so I’m interested if it’s had more traction, or if people have worked with it.

                1. 9

                  Noise is used by WireGuard. So in that regard it certainly has traction.

                  1. 2

                    It is also used by IPFS to set up encrypted network links between peers.

                    1. 1

                      Also Signal, the encrypted messaging app.

                      1. 4

                        No, but those are related:

                        Noise is inspired by:

                        • The KDF chains used in the Double Ratchet Algorithm [23].

                        [23] T. Perrin and M. Marlinspike, “The Double Ratchet Algorithm,” 2016. https://whispersystems.org/docs/specifications/doubleratchet/

                        1. 2

                          What parts of the Signal Protocol use Noise?

                  1. 6

                    Seems to be missing a mention of Rancher Desktop.

                    1. 16

                      For me it’s mu4e in Emacs. The speed of mailutils, convenient keybindings and sane composition defaults you don’t have to fight to submit patches.

                      1. 3

                        Another vote here for mu4e. It helps me focus on getting through my inbox to have it outside of my browser and be able to use even more keyboard shortcuts than the gmail interface.

                        1. 3

                          I also use mu4e. I haven’t found another email client that offers the same speed of execution and of user input. It connects with my password manager with a single line of configuration: (auth-source-pass-enable) which is builtin to Emacs. I also have the ability to define custom bookmarks to, with a single keystroke, show me all my inboxes, just my flagged emails, etc.

                          The big feature for me though is contexts. For each email account I have, I define a :match-func function. I actually used a macro to create the functions to match on the account’s given Maildir. A large part of the mu4e workflow is marking messages to delete/flag/move/etc. and then executing those marks (similar to dired). When I realized the contexts automatically reassign for each message you mark in “real time”, I was pleasantly surprised. This means, for example, if there are a bunch of emails in a row from potentially different accounts, I can just spam the d key to mark them for deletion, then x to actually delete, and they will all go to their respective trash folders, not just the trash folder of the context you selected when you launched mu4e.

                          1. 2

                            Yet another vote for mu4e. Been using it for a few years and it’s great. A bonus is that it integrates especially well with orgmode; e.g. it’s trivial to link to emails from within orgmode TODOs, which is exceptionally helpful when a lot of TODOs come in via email :)

                            1. 1

                              I used to use mu4e, but I could never get the moving parts of mu, mbsync and Office365 to play nice together

                              1. 1

                                Same! Would love to hear from anyone with an Emacs-Office365 workflow they’re happy with to be honest.

                                1. 1

                                  I’m using Gnus/nnimap now, which works reliably, if sometimes a wee bit slow due to O365 throttling

                                2. 1

                                  I use it primarily with office365/exchange via offlineimap.

                              1. 42

                                The logic showing that warning tries to avoid false positives. I don’t know why burntsushi saw it - he disowned all his comments when he deleted his account, so I don’t know what his last few comments were to see what the flags were or who made them. In the last three years no mod had a private conversation with him, either about his posting or anything to do with the site (the mod notes were added three years ago, so I can’t speak confidently about before then). I don’t have more insight into why he deleted his account and I’m sorry to see him go.

                                1. 15

                                  The disowned comments might be a bug: https://twitter.com/burntsushi5/status/1399716212028985351

                                  1. 36

                                    I found the line in the logs, it’s a very unfortunate bug:

                                    Parameters: {"authenticity_token"=>"[FILTERED]", "user"=>{"password"=>"[FILTERED]", "i_am_sure"=>"1", "disown"=>"0"}, "commit"=>"Yes, Delete My Account"}
                                    

                                    I’ll take a look at the threads linked there, thanks for the reference.

                                    EDIT: filed the bug

                                    1. 7

                                      Is there a way we can get his name back on his comments? Most of his comments were excellent and helpful, and it seems a shame to not have his name on those (not to mention making this whole scenario look a lot worse for Lobsters).

                                      1. 7

                                        The code is:

                                          def self.disown_all_by_author! author
                                            # Reassign every story and comment to the shared "inactive user" placeholder.
                                            author.stories.update_all(:user_id => inactive_user.id)
                                            author.comments.update_all(:user_id => inactive_user.id)
                                            # Refresh the author's cached counts now that the rows have moved.
                                            refresh_counts! author
                                          end

                                        So it just runs an update comments set user_id=-1 where user_id=42 query. Unless you’re going to restore from a backup, I don’t think this can just be corrected.

                                        Unfortunate indeed :-(

                                        1. 17

                                          Well, if there are database back-ups, it would certainly be possible to make a query against a back-up to find all the comments made by burntsushi, then run the queries to change those comments’ owner to burntsushi’s deleted account against the live database.

                                          1. 5

                                            If this is to be done, it should probably be done for not just burntsushi, but also other users since December 2018 (which is when the bug was introduced). And if that commit contains other bugs as well, not just disowning comments, should it be done for it as well?

                                          2. 1

                                            If the generated SQL statement is in the logs, it might not be too difficult to reverse.

                                            1. 3

                                              You would need the data. The statement itself won’t tell you what specific rows were affected by it at the time. If it somehow logged the ID of the stories and comments it was updating it would be trivial but that would be somewhat unusual to log.
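
The two-step recovery sketched above (find the rows in the backup, then reassign them in the live database), as an added example that is not Lobsters’ code. Tables are modelled as Ruby arrays of hashes so it runs without a database; every row, id and the inactive user id -1 are constructed. Because the UPDATE statement alone does not say which rows it touched, the plan is built from the backup and then narrowed to rows the live table still attributes to the inactive user, so nothing is moved for an author who genuinely chose to disown, and it takes a list of authors so one pass can cover everyone affected since the bug was introduced. The `disown_requested?` helper is a hypothesis about the trigger, not a finding from the thread: the logged parameter is the string "0", which is truthy in Ruby, so a plain `if params[:user][:disown]` would disown anyway; casting the way Rails casts booleans avoids that.

```ruby
# Added example, not Lobsters' own code. Reconstructs story/comment ownership
# that disown_all_by_author! overwrote, using a pre-deletion backup.
# All rows, ids and INACTIVE_USER_ID below are constructed for illustration.

INACTIVE_USER_ID = -1

# Hypothesis about the trigger (not confirmed by the thread): "0" is a truthy
# String in Ruby, so `if params[:disown]` disowns even when the box is unticked.
# Casting the way Rails casts booleans treats these strings as false.
FALSE_VALUES = ["0", "f", "false", "off", "no", ""].freeze

def disown_requested?(user_params)
  value = user_params["disown"]
  return false if value.nil?
  !FALSE_VALUES.include?(value.to_s.strip.downcase)
end

# Backup snapshot taken before the deletion (constructed rows).
BACKUP = {
  "comments" => [
    { id: 10, user_id: 42 }, { id: 11, user_id: 42 }, { id: 12, user_id: 7 },
  ],
  "stories" => [
    { id: 3, user_id: 42 }, { id: 4, user_id: 7 },
  ],
}

# Live tables after `update comments set user_id=-1 where user_id=42` ran.
# Rows 12 and 4 were disowned by user 7 who really asked for it; 13 is newer.
LIVE = {
  "comments" => [
    { id: 10, user_id: INACTIVE_USER_ID }, { id: 11, user_id: INACTIVE_USER_ID },
    { id: 12, user_id: INACTIVE_USER_ID }, { id: 13, user_id: 99 },
  ],
  "stories" => [
    { id: 3, user_id: INACTIVE_USER_ID }, { id: 4, user_id: INACTIVE_USER_ID },
  ],
}

# Build the restore plan for the affected authors (the ones whose request
# logs show "disown"=>"0"). A row is restored only if it belonged to the
# author in the backup AND the live table now attributes it to the inactive
# user, so genuine disowns and later reassignments are left alone.
def restore_plan(backup, live, author_ids)
  plan = []
  backup.each do |table, rows|
    live_owner = live.fetch(table).to_h { |r| [r[:id], r[:user_id]] }
    author_ids.each do |author_id|
      ids = rows.select { |r| r[:user_id] == author_id }
                .map { |r| r[:id] }
                .select { |id| live_owner[id] == INACTIVE_USER_ID }
      next if ids.empty?
      plan << { table: table, user_id: author_id, ids: ids.sort }
    end
  end
  plan
end

# The statements to review and run in a transaction against live. The
# user_id guard makes each statement safe to re-run.
def restore_sql(plan)
  plan.map do |step|
    "UPDATE #{step[:table]} SET user_id = #{step[:user_id]} " \
      "WHERE id IN (#{step[:ids].join(', ')}) AND user_id = #{INACTIVE_USER_ID};"
  end
end

# Apply the plan to the in-memory "live" tables (what the SQL above would do).
def apply_plan!(live, plan)
  plan.each do |step|
    live.fetch(step[:table]).each do |row|
      next unless step[:ids].include?(row[:id]) && row[:user_id] == INACTIVE_USER_ID
      row[:user_id] = step[:user_id]
    end
  end
  live
end

if __FILE__ == $PROGRAM_NAME
  puts restore_sql(restore_plan(BACKUP, LIVE, [42]))
end
```

Running the file prints the two UPDATE statements for author 42. In a real recovery the same `restore_plan` would be fed the backup export and the current live ids, the emitted statements reviewed by hand, and then executed inside one transaction; pass every affected author id at once to cover the whole window the bug was live.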

                                        2. 1

                                          I guess I’m wondering why this is logging people’s access tokens and passwords?

                                          1. 3

                                            I think that’s a literal [FILTERED] in the logs, see here.

                                    1. 1

                                      I used to do something similar with LVM on Linux servers. Leave a few gigs unallocated to a volume so you can dip into it in an emergency.

                                      1. 1

                                        Does anyone know the backstory on this one? Did I miss Internet Drama™?

                                        1. 4

                                          other thread: https://lobste.rs/s/cqdh3x/wireguard_for_freebsd_development_for_13

                                          No idea of the veracity of any of the below…

                                          some backstory: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=247853#c7

                                          more backstory: https://lists.zx2c4.com/pipermail/wireguard/2021-March/006494.html

                                          even more: https://lists.freebsd.org/pipermail/freebsd-hackers/2021-March/057082.html

                                          yellow site thread: https://news.ycombinator.com/item?id=26475519

                                          Do note: FWIW, Netgate does seem (at least from my perspective) to have a bit of a history of being kind of… weirdly hostile about some stuff? Example: whole opnsense badmouthing thing (domain registration, reddit community creation, etc). On the other hand, also known for contributing code to FreeBSD and donating to FreeBSD. Unsure what to make of it.

                                          1. 3

                                            From my perspective, it was great that Netgate got the ball rolling on in-kernel FreeBSD WireGuard. They clearly have a commercial stake in it but they contributed it to the FreeBSD project, even if it lacked important features (jail support) and they just dropped off the code and walked.

                                            Clearly there were code quality and some security issues and Netgate was caught off guard and embarrassed, which no one likes to be. To me the part that is the worst of all of this is what Scott tried to pull in his private communication to Jason:

                                            On Mon, Mar 15, 2021 at 6:08 PM Scott Long wrote:

                                            I’ve also spoken with the FreeBSD Security Officer, and we’ve agreed that wireguard will be removed from all branches of FreeBSD until further notice. I’ve also informed Kyle of this. I do not support its reintroduction into FreeBSD, whether in the src tree or in the ports tree, at this time. As for pfSense, we are conducting an audit and will decide on the best course of action for our customers and our company.

                                            That sort of “take the ball and go home” shit is not at all professional and trying to lean on the security team to enforce your grudge is messed up.

                                            1. 2

                                              I also feel like calling out the original status of that patch was correct. Some of the issues (like sleeping against race conditions, copying 40KLOC from Linux and putting a bunch of ifdefs around it) leave a very bad taste for me.

                                            2. 3

                                              The Ars Technica article that forms the base of the HN submission is pretty good, IMO: https://arstechnica.com/gadgets/2021/03/in-kernel-wireguard-is-on-its-way-to-freebsd-and-the-pfsense-router/

                                              1. 2

                                                yellow site thread: […]

                                                Surely, you meant orange, no? ;^)

                                                1. 1

                                                  haha. Indeed!

                                            1. 2

                                              My current feeling is we’re getting a glimpse of a brilliant person who may be having a mental health crisis. There are prominent cryptographers who also believe that https://twitter.com/kennyog/status/1367132559117848583.

                                              1. 8

                                                Applied Cryptography by Bruce Schneier is a really good primer on crypto. It’s old, but it’s a really good introduction to the basics, which haven’t changed over the 25 years since it was published.

                                                1. 12

                                                  IMO, skip Applied Cryptography and read Cryptography Engineering which is also from Schneier but much more modern.

                                                  1. 2

                                                    Crypto Engineering looks perfect. Grabbed a copy, thanks to you and the other commenters.

                                                  2. 5

                                                    Required caveats:

                                                    https://sockpuppet.org/blog/2013/07/22/applied-practical-cryptography/

                                                    https://www.schneier.com/blog/archives/2009/09/the_cult_of_sch.html

                                                    But in the introduction to Bruce Schneier’s book, Practical Cryptography, he himself says that the world is filled with broken systems built from his earlier book. In fact, he wrote Practical Cryptography in hopes of rectifying the problem.

                                                  1. 1

                                                    Any encryption experts willing to explain what’s the catch with this kind of software? There must be a catch right?

                                                    1. 2

                                                      You can look at the Supported Ciphers page and more or less figure it out. It targets historical (read pre-computer) ciphers like the Vigenère cipher. It is not magic and can’t break modern encryption systems. You can try out the cryptopals challenges if you want to give it a shot on your own.

                                                      1. 1

                                                        You are right, thanks!

                                                    1. -1

                                                      Finally some good news.

                                                      Good to know that Microsoft finally went open source … not intentionally but still.

                                                      The ReactOS developers could not be happier I think - to have a ready-to-use/read reference instead of doing time-consuming reverse engineering :)

                                                      1. 16

                                                        The source code is still under copyright even if it was leaked, so that would seem ill advised at best.

                                                        1. 9

                                                          Emulator and clone OS developers tend to run like the plague from this kind of thing.

                                                          1. 8

                                                            I’m not sure ReactOS developers want to provoke more accusations like this: ReactOS ‘a ripoff of the Windows Research Kernel’, claims Microsoft kernel engineer

                                                            1. 7

                                                              ReactOS people once halted the development for over a year to make sure there is no ill-gotten code in their repository, where code obtained by disassembling any Microsoft binary was considered just as illegal as leaked source code.

                                                              They take the “cleanroom” part very seriously.

                                                              Anyway, Windows XP API/ABI support in ReactOS is already very good. The real difficulty with using ReactOS as a free Windows alternative is that it doesn’t support anything beyond the Windows XP ABI, while all new software is now built with the Vista/7 ABI in mind. No modern toolchain, free or non-free, has an option to target WinXP anymore.

                                                            1. 3

                                                              Starting the build of my new 3D printer, a Voron 2.2 350mm.

                                                              1. 8

                                                                I find it odd that CEO Super-Secure didn’t change their password in Slack after the widely publicized 2015 breach, even if they didn’t get a notice from Slack that they were included.

                                                                1. 3

                                                                  My thoughts exactly, especially since he totally threw out $5K of computer equipment…

                                                                1. 4

                                                                  I’m not a fan of this change actually. I suspect that this will result in a thousand thousand repositories with useful bits of code to be read and re-used going dark.

                                                                  That’s a shame.

                                                                  1. 8

                                                                    I stopped using GitHub years ago because I couldn’t have private repos for free. I’m sure most people who want to have private repos already do somewhere else.

                                                                    1. 7

                                                                      A lot of those repositories didn’t have licenses and so using that code would be dubious from a legal standing. If it did have a license then it is likely the author wouldn’t have made it private.

                                                                      1. 1

                                                                        but you can still read unlicensed code and heavily lean on it while “rewriting” it.

                                                                        1. 1

                                                                          Still seems legally dubious. According to Harvard Law School’s Copyright Basics, that is copyright infringement. Specifically:

                                                                          1. create a new work derived from the original work (for example, by translating the work into a new language, by copying and distorting the image, or by transferring the work into a new medium of expression)

                                                                          1. 3

                                                                            legally dubious but impossible to actually get sued for

                                                                            1. 1

                                                                              Legally dubious, morally wrong.

                                                                              1. 1

                                                                                there is no moral basis for copyright

                                                                                1. 1

                                                                                  Does a person not have a right to the product of their work?

                                                                                  1. 1

                                                                                    yes, nobody should take their code away from them

                                                                                    1. 1

                                                                                      With a right to the product of your labor, you have the right to keep control of the direct product of your labor.

                                                                                      1. 1

                                                                                        true, nobody can force you to put your code on github

                                                                                        1. 1

                                                                                          So you think once you share something in any way, you lose all moral rights to that work?

                                                                                          1. 1

                                                                                            having exclusive dominion over an idea has no more legitimacy than having exclusive dominion over a plot of land. we might decide that certain rules are for the good of society, but if those rules are idiotic you have no moral obligation to follow them.

                                                                                            1. 1

                                                                                              So you can have exclusive dominion over a chair you make, but not a website you build? What about a song you perform?

                                                                                              1. 1

                                                                                                 having a degree of personal property is a sensible rule, so it would be wrong to steal someone’s chair in most cases. preventing people from making copies of something at no cost to you crosses the line into unjust power. copyright laws were never justified on the basis of morality: it was always justified on the basis that it would incentivise the creation of new works. maybe a 10 year copyright on books makes sense as a way to incentivize publishers to produce hard copies of a book, but that’s not a question of morality.

                                                                                                this is a good lecture: https://archive.org/details/Dr.RichardStallmanCopyrightVs.Community

                                                                                                1. 1

                                                                                                  So you think that once you record a song with the purpose of selling it, there are no moral problems with someone else coming along and sharing it for free?

                                                                                                  1. 1

                                                                                                    of course not, why would there be

                                                                                                    1. 1

                                                                                                      Because the creator expects as a term of his creation that he will derive benefit in the form of money from his effort. Therefore by copying without permission, you are stealing what was no less a product than a chair.

                                                                                                      1. 1

                                                                                                        so the injury is done when someone forms an unreasonable expectation. maybe if someone reads this thread they will be saved from that :)

                                                                                                        1. 1

                                                                                                          There is a natural right to property, so it’s not unreasonable.

                                                                                                          1. 1

                                                                                                            no there isn’t and yes it is

                                                                                                            1. 2

                                                                                                              I’m sorry, I simply believe in the right to property, including intellectual, and the right to things you produce, even if the cost of copying is closer to zero than ever before.

                                                                                                              1. 0

                                                                                                                do i have a right to prevent you from wearing your hair like mine?

                                                                                                                1. 1

                                                                                                                  I don’t know anything about hair. I just wash it. There is some hair soap thing involved. That’s it. So I can’t answer your question.

                                                                                                                  1. 1

                                                                                                                    oh okay

                                                                                                              2. 1

                                                                                                                Partly I do believe that you have a right to your labor, not just the product of your labor. Thus you have a right to your music video, even if the copying of that music video is free. You have a right to your code, even if it’s on github. You are morally in the wrong if you steal, even when that stealing doesn’t detract from the original work at all.

                                                                                                                The natural right of property by the way emerged in the medieval period, and is the basis of all modern civilizations. It is the reason we have the capabilities we have today, and without it, the world would be in a worse place.

                                                                                                                1. -1

                                                                                                                  wanna know why else we have the capabilities we have today? slavery.

                                                                      1. 2

                                                                        This post has a bizarre mismatch of crypto primitives, and I can honestly say I’ve never seen a system that uses both DES and SHA-512 at the same time. I’d stay very far away from this. Maybe check out tink from Google.

                                                                        1. 1

                                                                          There is no way in heck that Linus will merge some DIY home-rolled crypto code into the kernel

                                                                          1. 11

                                                                            It seems like you may not recognize the author. I would typically agree with you on first glance, but given who it is and what it is I wouldn’t be surprised if it got merged.

                                                                            1. 8

                                                                              That’s a good point but missing a key detail. I’ll add that the author did WireGuard, which has had good results in both formal verification and code review.

                                                                            2. 7

                                                                              Where else is kernel crypto code rolled?

                                                                                1. 2

                                                                                  High praise from Linus!

                                                                                2. 2

                                                                                  Why not? How would Linus even know if some crypto code was DIY nonsense?

                                                                                  (The subtext of these commits from Jason is that the existing kernel crypto APIs are not particularly good, IMO.)

                                                                                1. 5

                                                                                  Is this legal in Europe? In Australia, if not being tracked was considered legally to be a “common law right”, it’s not possible to opt out of it.

                                                                                  1. 7

                                                                                    I think we need to wait and see, as GDPR will go into effect on May 25 and probably a number of practices like this one will be challenged legally. I personally feel this give-your-consent-or-so-long approach is not in the spirit of the law.

                                                                                    1. 2

                                                                                      If it’s not legal, they’ll make it legal and sugar-coat it with GDPR in a way that’s impractical or infeasible to the users.

                                                                                      I hope Facebook users can combat this with addons, but as most users are mobile users, they surely lack the addons or the technical know-how to set it up.

                                                                                      Just opt out of Facebook already.

                                                                                      1. 10

                                                                                        I hope Facebook users can combat this with addons

                                                                                        At some point, the person being abused has to acknowledge that they are being abused, and choose to walk away.

                                                                                        1. 3

                                                                                          Yeah, just opt out. But sadly there are people who, say, expatriated and have no better way to stay in touch with old friends.

                                                                                          Until a viable replacement comes along, which may never happen, I think it’s a nice hope that they can find a way to concentrate on their use case without all the extra baggage.

                                                                                          1. 14

                                                                                            I am an expat.

                                                                                            I manage to keep in contact with the friends that matter, the same as I did when I didn’t use Facebook in a different state in my home country.

                                                                                            If they’re actually friends, you find a way, without having some privacy raping mega-corp using every conversation against you.

                                                                                            1. 3

                                                                                              Agreed, I don’t buy the argument that Facebook is the only way to keep in touch from afar.

                                                                                              I’m an expat, and I have regular healthy contact with my friends and loved ones from another continent, sharing photos and videos and prose. I have no Facebook account.

                                                                                        2. 2

                                                                                          I hope Facebook users can combat this with addons

                                                                                          Then this will happen: https://penguindreams.org/blog/discoverying-friend-list-changes-on-facebook-with-python/

                                                                                          Unfriend Finder was sent a cease and desist order and chose not to fight it. I made my own Python script that did the same thing, and ironically, Facebook’s changes that fixed the Cambridge Analytica issue broke my plugin. It stopped 3rd parties, yes, but it also kept developers from having real API access to our own data.

                                                                                          I also wrote another post about what I really think is going on with the current Facebook media attention:

                                                                                          https://fightthefuture.org/article/facebook-politics-and-orwells-24-7-hate/

                                                                                        3. 1

                                                                                          You’re not forced to use Facebook. It looks like they’re following GDPR and capturing consent. It seems the biggest issue is the bundling of multiple things into one consent and not letting folks opt in or out individually.

                                                                                        1. 23

                                                                                          GitHub URLs are pretty badly designed.

                                                                                          For example, /contact is their contact page, and /contactt is a user profile.

                                                                                          Apparently, there’s a hardcoded list of “reserved words” in the code, and when someone adds a new feature, they add the word/path segment there and check that it’s not taken by a user.

                                                                                          So it could perhaps be the case that they’re adding some feature related to malware?

                                                                                          1. 13

                                                                                            That could very well be the case – and I’d be totally fine with that. I understand being coded into a corner, and wanting to fix things for the greater good at the expense of a few users.

                                                                                            I just can’t figure out why, for the sake of “privacy and security”, they don’t want to tell me.

                                                                                            1. 16

                                                                                              I think this is absurd behavior on GitHub’s part, and you’re right to be upset by it.

                                                                                              Since you do seem curious, I have a guess why they’re being so evasive, and it’s pretty simple: They’re a large organization. The person you’re talking to would probably need to get approval from both legal and PR teams to tell you about their product plan before it’s launched. I have no information on how busy GitHub’s lawyers and PR people are, but I would expect an approval like that to take a few weeks. Based on what they told you about the timeframe, it sounds like they want to launch their feature sooner than that.

                                                                                              What I’d really like to know is whether this is a one-off, or whether they’ve done it to other people before. It seems like their URL scheme will require it pretty frequently…

                                                                                              1. 7

                                                                                                The person you’re talking to would probably need to get approval from both legal and PR teams to tell you about their product plan before it’s launched.

                                                                                                Which is why I didn’t single out the support representative that contacted me; they clearly were not in the decision process for any of this, and I don’t want to cause them any undue grief/trouble past my first email reply asking for clarification.

                                                                                                To be clear: I don’t really care about the malware username, other than it’s a pretty cool name. I’m more interested in the reason behind why the forced rename.

                                                                                                Lots of people (read: salty News of Hacker commenters) say it’s obvious (wanting to reserve the /malware top level URL) and call me dumb for even asking, but no one has given me any evidence other than theories and suppositions. Which is great! I love thinking and hypothesizing.

                                                                                                1. 5

                                                                                                  I don’t have any documented evidence other than anecdotal, but when I worked at a similar company with an almost identical URL structure this was one of the hardest parts of launching a new top level feature. It turns out recognizable words make for good usernames… so it’s almost impossible to find one that’s still available when working on a new feature. The choice ends up being between picking a horrible URL or displacing one user to make it easier to find.

                                                                                                  It’s also worth noting that GitHub has a habit of being very secretive about what they’re working on - it’s almost impossible to get information about known bugs which have been reported before, let alone information about a potential new feature.

                                                                                                  I would be willing to bet that this is being done for something we’ll hear about in the next year or two.

                                                                                            2. 11

                                                                                              We made a team that was just the Unicode pi symbol and GitHub assigned us the url /team/team.

                                                                                              1. 4

                                                                                                That’s a great Unicode hack.

                                                                                              2. 11

                                                                                                The curse of mounting user paths directly to /. When in doubt, always put a namespace route on it.

                                                                                                1. 6

                                                                                                  That was my thought as well. I would imagine they want it as a landing page for some new feature or product.
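The two routing schemes discussed above (the flat /<name> layout with a hand-maintained reserved-word list that forces renames, and the namespaced /u/<name> layout where feature paths and usernames cannot collide) side by side, plus a guess at how an all-symbol team name ends up as /team/team. This is an added example, not GitHub’s code; the feature table, the username pattern, the `slug_with_fallback` behaviour and every function name are assumptions made for illustration.

```ruby
require 'set'

# Constructed feature table (hypothetical; not GitHub's real routes).
FEATURE_ROUTES = { '/contact' => :contact_page, '/explore' => :explore_page }.freeze

# Assumed username grammar; chosen for the example only.
USERNAME = /\A[A-Za-z0-9][A-Za-z0-9-]*\z/

# --- Flat scheme: user profiles mounted directly at /<name> -----------------

# Every feature path is also a forbidden username, so the reserved list is
# derived from the route table and must be revisited whenever a feature ships.
def reserved_words(feature_routes)
  Set.new(feature_routes.keys.map { |p| p.delete_prefix('/') })
end

def register_flat(name, users, feature_routes)
  return :invalid  unless name.match?(USERNAME)
  return :reserved if reserved_words(feature_routes).include?(name)
  return :taken    if users.include?(name)
  users << name
  :ok
end

# Feature routes win; anything else under / is looked up as a username.
def route_flat(path, users, feature_routes)
  return feature_routes[path] if feature_routes.key?(path)
  name = path.delete_prefix('/')
  users.include?(name) ? [:profile, name] : :not_found
end

# Adding a feature under the flat scheme: the path is only free if no user
# already holds that name; otherwise someone has to be renamed first.
def claim_flat_feature(word, handler, users, feature_routes)
  return [:collision, word] if users.include?(word)
  feature_routes["/#{word}"] = handler
  :ok
end

# --- Namespaced scheme: profiles live under /u/<name> ----------------------

# Feature paths and usernames live in different prefixes, so no reserved list
# is needed and shipping a feature never displaces a user.
def register_namespaced(name, users)
  return :invalid unless name.match?(USERNAME)
  return :taken   if users.include?(name)
  users << name
  :ok
end

def route_namespaced(path, users, feature_routes)
  return feature_routes[path] if feature_routes.key?(path)
  m = path.match(%r{\A/u/([^/]+)\z})
  return :not_found unless m && users.include?(m[1])
  [:profile, m[1]]
end

# --- Slug fallback (hypothetical reconstruction of the /team/team anecdote) --

# A slugifier that drops everything outside [a-z0-9-] and substitutes a default
# when nothing is left maps "π" (and any other all-symbol name) onto the default.
def slug_with_fallback(name, default)
  slug = name.downcase.gsub(/[^a-z0-9-]/, '')
  slug.empty? ? default : slug
end

# Safer: refuse the name instead of silently aliasing it onto a shared default.
def slug_or_reject(name)
  slug = name.downcase.gsub(/[^a-z0-9-]/, '')
  slug.empty? ? :invalid : slug
end

if __FILE__ == $PROGRAM_NAME
  users  = Set.new
  routes = FEATURE_ROUTES.dup
  p register_flat('contact', users, routes)                   # :reserved
  p register_flat('contactt', users, routes)                  # :ok
  p route_flat('/contactt', users, routes)                    # [:profile, "contactt"]
  p claim_flat_feature('contactt', :new_page, users, routes)  # [:collision, "contactt"]
  p slug_with_fallback('π', 'team')                           # "team"
end
```

The flat scheme is workable only as long as the reserved list is kept in lockstep with the route table and nobody has registered the word you need; the namespaced scheme removes that coordination problem entirely, which is the point of the “always put a namespace route on it” advice.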