1. 1

    Back in 2011, I happened to get a job writing a Backbone.js app. If you never did that, don’t. I was complaining about difficulties with composition left and right to whoever would listen.

    I’ve written a fairly big SPA (my one and only) with most of its development from 2011 until somewhere in 2014. At the time, Backbone.js was in vogue, but there was a steady stream of new daily JS frameworks coming out. Angular did not exist yet. Backbone is not perfect, but the fact that it’s a digestible and well documented 2096 line library that simply lets you organize user action and behaviour into views, and business logic into models and collections, makes it fit in any framework or way you like to compose it. This means you really have to come up with the architecture of the application all by yourself. This can be a pro or a con depending on experience and skills.

    Recently we’ve started refactoring the UI and I’m all into Backbone again and find myself very pleased that it is still maintained, small and digestible, and sort of done so I’m happy to keep using it. Even if in the worst case Backbone maintenance is dropped, it is conceivable that I can maintain the 2k lines myself. This is in stark contrast with the liability you get when using fully fledged frameworks. Instead of having to learn a framework now I can just focus on native Javascript, the DOM and the application at hand.

    1. 2

      I might look at using this as a basis for grsecurity rbac in HardenedBSD.

      1. 1

        Unrelated to the OP, I wonder if you have any thoughts on implementing pledge(2) and/or unveil(2) in HardenedBSD?

        1. 3

          Some work is being/has been done on that front by a HardenedBSD community member. Nothing official as of yet. :)

      1. 6

        But even with these improvements where significant portions of the Intel ME are disabled, secret sauce is still needed to bring up the CPU and you have to trust that the sauce is only and specifically doing what it says it is, in addition to the other partitions of the ME which activated or not are still not fully understood. The situation is even worse for AMD Ryzen processors with the Platform Security Processor, which (at least the 3000 and 4000 variants) aren’t presently supported by Coreboot at all, though System76 is apparently working on a port.

        I think right after Jaguar they’ve introduced this PSP / ARM TrustZone via an integrated Cortex-A5 processor. So the only AMD processor available today without PSP is one for an AM1 socket like the AMD Sempron 3850. Unfortunately the AMD Athlon 5350 and 5370 (both AM1) sold out last year.

        1. 5

          Getting off topic, but I don’t think that any CPU that AMD made between 2011 and 2016 actually exceeded the Phenom II X6 (Thuban) chips for raw desktop usefulness. Bulldozer was a bit of a dark age.

          1. 4

            I have a 5350, but it’s kind of outdated in terms of performance and power consumption

          1. 1

            Nitpick:

            Widely considered to be the most secure operating system in the world

            While true (the widely considered part), it definitely isn’t the most secure operating system in the world.

            That label belongs to seL4, which has formal proof of correctness.

            A better statement would be qualified, like: “most secure UNIX-like…”

            1. 12

              I’d argue that seL4 isn’t an operating system but merely a microkernel. Most of the insecurities in common systems these days happen outside its scope (where, for a long time, the focus was up the stack, but with all the CPU side channels, people are now looking down the stack, too) so whatever you add to seL4 to make it useful needs to be evaluated as well.

              For example: Having an “unbreakable” seL4 is a nice basic component (and helps contain some damage) but is of little comfort if your file system server is thoroughly broken, giving attackers unbounded access to your data.

              1. 10

                I’d argue that seL4 isn’t an operating system but merely a microkernel.

                I’d argue it’s not even that. For example, seL4 has no dynamic memory management in the kernel, rather, dynamic memory management is pushed to userspace. And it’s not that seL4 doesn’t use dynamic memory, in a real system that uses seL4 you have to implement it. seL4 is proven correct in the sense of not violating its invariants regardless of what the userspace is doing, but of course, the interesting part of a production system is in the userspace, not in the kernel.

                If you want to formally prove your dynamic memory allocator, you are on your own, seL4 won’t help you.

                Not to take anything away from the seL4 folks, what they did is both important and impressive, and I recommend anyone to read the papers, which are very approachable, but comparing components of a system with the system is a category error.

                Similarly, comparing an embedded real-time system with an interactive timesharing system is also apples and oranges…

                1. 5

                  Similarly, comparing an embedded real-time system with an interactive timesharing system is also apple and oranges…

                  seL4 does both. It implements mixed criticality. Critical realtime tasks and non-critical tasks can share the same system, without detriment to the properties the critical tasks need. The guarantees hold.

                  in a real system that uses seL4 you have to implement it (dynamic memory).

                  Not really. Many scenarios can and are in fact often implemented without dynamic memory; Components get what they need as they’re launched and that’s it. Non-deterministic behavior is avoided in critical systems.

                  Furthermore, in a mixed criticality scenario, a subset of the non-critical tasks might actually get dynamic memory from a memory manager that has a limited pool of memory to begin with, doesn’t deal with non-critical tasks and thus does not need to be part of the TCB, nor formally proven.

                  comparing components of a system with the system is a category error.

                  This much is correct. Openbsd is more than the kernel or the base system. It’s the whole thing.

                  SeL4, however, is a much better kernel than Openbsd’s is, on a fundamental level. But (unlike Minix3’s design) a system built around seL4 is not going to be UNIX-like. At most it will offer POSIX compatibility.

                  Which is why I suggested “The most secure UNIX-like”. Because seL4 isn’t that, and Minix3 could be but isn’t quite there.

                2. 5

                  I’d argue that seL4 isn’t an operating system but merely a microkernel.

                  Fair.

                  but is of little comfort if your file system server is thoroughly broken

                  Much emphasis must be put on seL4 being built around the concept of capabilities, making it better on a fundamental level, as it actually allows for security, which isn’t possible with UNIX’s ambient authority, due to the confused deputy problem.

                  In this case, no matter how broken one instance of filesystem server is, it won’t affect processes that aren’t using it, nor other filesystem servers, nor any block devices that the filesystem server does not have a capability to. The affected fs server might not be part of the TCB. SeL4’s design allows for critical and non-critical (mixed criticality) tasks to run in the same system, with formal proof of enforcement of separation. It might be that the system is at the core of the hard realtime flight system of a helicopter full of people, keeping them safe despite this compromised fs server being stuck in an infinite loop.

                  Remarkably, filesystems aren’t mounted in a global vfs as they are in UNIX, either. Whereas most processes, even those using files, do not have capabilities to filesystem access. To read a file, all that’s needed is a capability to it. There’s no need to e.g. know where it does reside.

                  1. 4

                    I’m well aware of how things are ideally done in a microkernel system. Thing is, people ask for (see sibling answer) and implement shortcuts.

                    File system access is among the harder parts to fully redesign due to the many expectations users have when it comes to file management, so I picked that one as an example. See Android and iOS, both of which tried to deemphasize files as a category but gave up at some point and ship file system browsers now.

                    Thus I expect file system access to allow (not necessarily use, in all cases) broad access capabilities instead of the fine grained scheme advocated in microkernel/security kernel design literature (“user wants to open a file, so the editor process asks the file picker service. The file picker provides the UI to select files, but can’t read their contents. When the user has chosen, the file picker sends a capability to the editor process that provides the desired level of access to that file only, without even telling where it resides”)

                    1. 1

                      Thus I expect file system access to allow (not necessarily use, in all cases) broad access capabilities

                      That’d be quite sad. If it helps be more optimistic, know that Genode’s dynamic general-purpose scenario, Sculpt, does not fall into that trap.

                    2. 3

                      This definitely feels like a good design. Are there intermediates possible? Such as limiting the effect of troubles in one subsystem onto the other, and bringing more features from microkernels to other operating systems?

                      After all, MINIX3 is a distribution of NetBSD with the MINIX microkernel…

                      1. 3

                        After all, MINIX3 is a distribution of NetBSD with the MINIX microkernel…

                        I wish Netbsd took Minix3 under its wing. Minix3 is a good idea, and I’m saddened to see it isn’t as active as I’d like it to be.

                  2. 10

                    I’m the author of these slides. I’ve changed the wording to say “most secure general purpose operating system in the world” in order to fix the issue you have with it. I’m a little disappointed the discussion has gone so far in this direction considering it’s meant as an introduction to OpenBSD for non-OpenBSD folk, and not a document of absolute truths.

                    1. 5

                      Don’t worry. With an increase in popularity, the amount of nitpickers increases as well. Thanks for creating and publishing the slides!

                      1. 4

                        I’m the author of these slides.

                        Good work, I really liked them. I was also happy about the effort promoting Openbsd; There doesn’t seem to be anywhere near enough of that.

                        I’ve changed the wording to say “most secure general purpose operating system in the world” in order to fix the issue you have with it.

                        Well-intended change, but still, I stand by “most secure UNIX-like”.

                        Some people seemingly believe it’s impossible to make a general-purpose operating system out of a microkernel. Like Genode (which implements Sculpt, a general-purpose dynamic scenario), I strongly object to this belief.

                        I’m a little disappointed the discussion has gone so far in this direction

                        As an Openbsd user (and fan) I’m also as disappointed that this thread got the discussion this far off track, when my nitpick was explicitly a nitpick.

                        1. 2

                          I am claiming “most secure” just like I’d claim “my dad’s the best dad”. Lightheartedly, but then checking out what OpenBSD does toward security I see there is something going on for real here.

                          I do not care too much how many the 1 most secure operating systems there are around. I prefer “more secure everyday”, as you cannot reach this goal for real, feels funnier.

                        2. 9

                          Proofs of correctness aren’t the same as proofs of security. It’s entirely possible to correctly specify that the wrong person is allowed to access my data – and, in most major security breaches I read about, it seems like that’s precisely what happens: Someone leaves an S3 bucket wide open, and an attacker looks at it. No component of the system has malfunctioned (other than the human in charge of configuring things, arguably).

                          In my opinion, a secure system is one designed to not only be correct – that’s necessary, but not sufficient. It’s also one designed to restrict what the user-facing components are able to access by default, making it easy to reason who is able to access what, and focusing on reducing the number of places where interactions of correctly-functioning components can lead to unexpected behaviors.

                          1. 5

                            Proofs of correctness aren’t the same as proofs of security.

                            Yet seL4 is provably secure, as the proofs cover security enforcement. The kernel does guarantee confidentiality, integrity and availability. What you do with the kernel is up to you, but it does offer the tools. Building a secure system with it is thus possible. It also ensures safety of time-critical systems, by providing a sound analysis of worst-case execution time. More on this in the whitepaper.

                            It’s also one designed to restrict what the user-facing components are able to access by default,

                            Capabilities give explicit access to fine-grained resources, and thus they make POLA a possibility, whereas ambient authority runs contrary to POLA and does hinder efforts to attain security.

                            Openbsd is no doubt the most secure UNIX-like at the present time, but UNIX isn’t the definitive operating system design, nor anywhere near perfect by any means.

                            Still, it doesn’t have the best possible overall design for a UNIX, from a security or reliability perspective. Minix3 is much closer to that, by going much further in privilege separation thanks to its pure microkernel, multiserver design.

                          2. 4

                            It feels like OpenBSD aims at protecting the userland in addition to the kernel itself. With alternate implementations incorporating privsep features (the pledge(2) unveil(2) dance).

                            So maybe OpenBSD userland, designed to split responsibility and privilege across components communicating (imsg, pipes, unix sockets…) between each other, would be a good fit for something like seL4? Maybe making use of CAmkES (that I still do not know)?

                            1. 3

                              If I had the resources (time or excess money to buy developer time with), I’d personally give Minix3 (a stalled project) its much needed push.

                              It’s still limited by the fact it implements a UNIX system, but thanks to its pure microkernel, multiserver architecture and its fault tolerance focus, it can do what Openbsd, limited by its monolith kernel, cannot.

                              pledge/unveil

                              Are really clever, and a feature I wish everybody else in the UNIX world adopted. I understand Dragonfly has made some steps into that, but to my knowledge nobody else has.

                            2. 3

                              Way to take the focus off of an already under-appreciated thing.

                              1. 4

                                I don’t know, OpenBSD gets a lot of love on lobste.rs.

                                1. 3

                                  It used to, but I think quite some OpenBSD devs have moved away from lobste.rs over the years.

                                  1. 2

                                    Selection bias. lobste.rs was originally founded by @jcs who is an OpenBSD developer, this naturally drew a lot of OpenBSD people towards the site. Quick grep hats for “openbsd.org” lists 20 committers with accounts on this site.

                                    1. 1

                                      fallacy of composition, sick burn, next

                                      (please read this as me attempting humor, not me being insulting :) )

                                2. 3

                                  I think a better statement would have been: “Widely considered to be the most secure general purpose operating system in the world”

                                  1. 2

                                    I stand by UNIX-like, which is very different from general purpose.

                                    There’s many ways to create general purpose operating systems without making a copy of UNIX. Many of them are fundamentally better equipped for security than UNIX is.

                                    There’s also the quite unfortunate widespread yet baseless belief that microkernels aren’t suitable for the creation of general purpose operating systems. I’ll take steps to prevent supporting these beliefs, if they are easy and harmless to take. Restricting the claim to UNIX-like is one such step.

                                  2. 2

                                    no

                                    no need to add qualifications to a true statement which aren’t relevant to the topic. at least here it feels like it would add confusion.

                                    1. 1

                                      no need to add qualifications to a true statement

                                      That’s the issue. It isn’t true unless qualified. Openbsd isn’t the most secure operating system in the world.

                                      I doubt the authors themselves do appreciate this sort of advertisement, either.

                                      1. 3

                                        Openbsd isn’t the most secure operating system in the world.

                                        the article did not state that OpenBSD is the most secure operating system in the world

                                        “openbsd is widely considered to be …” is the claim the author is making; the … is what the author is saying a lot of people believe. this is how english works.

                                        1. 1

                                          “openbsd is widely considered to be …” is the claim the author is making

                                          And that’s the claim I’ve addressed. I quote myself (top level post) here:

                                          While true (the widely considered part), it definitely isn’t the most secure operating system in the world.

                                          The explicit nitpick was, very specifically, to ensure nobody falls for the “widely considered” trap and walks away with an unfortunately incorrect belief.

                                          To achieve this, it’s necessary to point out why the belief is incorrect (a simple counterexample), and what small change would instead make it correct: The most secure UNIX-like.

                                          So that’s what my post was meant to achieve, and how it was implemented to achieve the intended result.

                                          What happened instead honestly baffles me.

                                          1. 2

                                            it’s subjective whether the statement is misleading, or whether a clarification is useful or needed. the response tells you what others think, which is important if you care about clear communication.

                                            my last comment was responding to your statement that “it isn’t true unless qualified,” which is different from what it seems you are now saying, that people might misunderstand the “widely considered” part.

                                            at any rate my subjective opinion is that the statement is fine, and we can expect tech readers not to think the author is denying the existence of academic or niche projects that are technically more secure, whatever that means.

                                        2. 1

                                          The original statement (“widely considered”) only considers sentiment (and describes it reasonably well, I think). Your statement (”[being] the most secure operating system”) is much harder to deal with, not the least because it assumes that one could sort operating system by “security” - but that depends on the definition of security which is vast.

                                          As mentioned somewhere else in the thread, seL4 still uses dynamic memory management in kernel, even though it defers that management to a userspace process. Muen (www.muen.sk) is designed to not need that at all, so there won’t be a kernel-needs-memory-but-can’t-get-it situation. Arguably that could be considered more secure than any seL4 configuration. Then again, the entire security model of Muen hinges on Intel VT-x and VT-d, so… maybe not?

                                          1. 1

                                            The original statement (“widely considered”) only considers sentiment (and describes it reasonably well, I think).

                                            Sure, and I addressed that on my post at the top level. To be careful and not confuse the two. As a nitpick.

                                            Then again, the entire security model of Muen hinges on Intel VT-x and VT-d, so… maybe not?

                                            I like seL4’s approach to virtualization better anyway. Run VMM (which handles vm exits/exceptions) unprivileged. Since it doesn’t get more capabilities than it needs, an otherwise successful VM escape by attacking the VMM is fruitless.

                                            so there won’t be a kernel-needs-memory-but-can’t-get-it situation.

                                            No worries, seL4’s kernel can’t be in that situation.

                                    1. 2

                                      The “goroutine-per-request” model and GC overhead greatly increase memory requirements in high-connection services like ours.

                                      I wonder if it would be possible to use one goroutine-per-core in order to avoid context-switching just like nginx does. (I’ve never used Go)

                                      1. 4

                                        Possible, but not natural in Go. Goroutines are lightweight threads and all libraries are written assuming this and most I/O is sync. You’d have to reinvent a lot to make I/O async in each per core goroutine.

                                        More likely someone will write a proxy like that in Rust. I’m eagerly awaiting…

                                        1. 2

                                          Linkerd is written in Rust.

                                        2. 3

                                          Go already does one OS thread per core (ish), goroutines are entirely a userspace thing without (kernel level) context switching. Still, there’s obviously some overhead associated with them.

                                        1. 2

                                          Related to the Confused Deputy Problem.

                                          The solution is to use capabilities, e.g. as implemented in seL4.

                                          But yes, mitigation is better than nothing.
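
The confused-deputy point made in this comment, and the capability-based file access described further up the thread (the “file picker hands the editor a capability to one file, without telling where it resides” scenario), can be shown in a few lines. The following is an added example, not code from any commenter, seL4, or Genode: a Python file object plays the role of a file descriptor or kernel capability, a temporary directory plays the deputy’s filesystem, and `billing.txt` is a constructed file the client must not be able to touch.

```python
"""Added example, not from the thread: the confused-deputy problem with
ambient authority, and why passing a capability (here a Python file object,
the nearest stand-in for a file descriptor or an seL4 capability) closes it.

Everything below is constructed: a temporary directory stands in for the
deputy's filesystem, 'billing.txt' for a file the client must not touch.
"""
import os
import shutil
import tempfile


def ambient_write(root, name, data):
    """Deputy with ambient authority.

    The caller merely *designates* a target by name; the deputy opens it with
    its own (broad) rights.  Designation and authority are separate, so a
    hostile name such as '../billing.txt' borrows the deputy's authority.
    """
    path = os.path.normpath(os.path.join(root, name))
    with open(path, "w") as f:
        f.write(data)
    return path


def picker_grant(path):
    """Trusted file-picker service from the thread: it alone resolves paths.

    It returns an open handle and nothing else, so the recipient gets the
    right to write exactly this file without learning where it lives.
    """
    return open(path, "w")


def capability_write(handle, data):
    """Capability-style deputy.

    The handle both names the target and carries the right to write it.
    There is no name parameter, hence nothing for an attacker to confuse:
    the deputy can reach exactly what the caller could already reach.
    """
    handle.write(data)
    handle.flush()
    return os.fstat(handle.fileno()).st_size


def demo():
    """Run both deputies against the same hostile client and report results."""
    tmp = tempfile.mkdtemp()
    try:
        client_dir = os.path.join(tmp, "client")
        os.mkdir(client_dir)
        billing = os.path.join(tmp, "billing.txt")  # constructed sensitive file
        with open(billing, "w") as f:
            f.write("balance=100\n")

        # Capability deputy: the client only ever holds a handle to its own file,
        # so the same payload can only land in client/notes.txt.
        handle = picker_grant(os.path.join(client_dir, "notes.txt"))
        written = capability_write(handle, "balance=0\n")
        handle.close()
        with open(billing) as f:
            after_capability = f.read()

        # Ambient deputy: the same client names a path that escapes its area
        # and the deputy's own authority carries the write through.
        target = ambient_write(client_dir, "../billing.txt", "balance=0\n")
        with open(billing) as f:
            after_ambient = f.read()

        return {
            "capability_bytes_written": written,
            "after_capability": after_capability,
            "ambient_escaped_root": target == billing,
            "after_ambient": after_ambient,
        }
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The ambient version is not fixed by adding a `..` check to the deputy; that is a mitigation of one encoding of the confusion, while the capability version removes the name parameter altogether, so there is nothing to validate. On Unix the closest real mechanism is passing open file descriptors (for example over a socket with `SCM_RIGHTS`); on seL4 the kernel enforces the same property for every resource, not just files.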

                                          1. 2

                                            Thanks! Your comment made me stumble upon this gem: https://lobste.rs/s/pfn2rl/what_are_capabilities.

                                            1. 3

                                              You might enjoy Genode Foundations Book, which also has some intro to capabilities.

                                          1. 6

                                            It is simple (and cheap) to run your own mail server, they even sell them pre baked these days as the author wrote.

                                            What is hard and requires time is server administration (security, backups, availability, …) and $vendor black-holing your emails because it’s Friday… That’s not so hard that I’d let someone else read my emails, but YMMV. :)

                                            1. 8

                                              not so hard that I’d let someone else read my emails

                                                  Only if your correspondents also host their own mail. Realistically, nearly all of them use gmail, so G gets to read all your email.

                                              1. 4

                                                I have remarkably few contacts on GMail, so G does not get to read all my email, but you’re going to say that I’m a drop in the ocean. So be it.

                                                1. 4

                                                  you’re going to say that I’m a drop in the ocean. So be it.

                                                  I don’t know what gave you that impression. I also host my own email. Most of my contacts use gmail. Some don’t. I just don’t think you can assume that anyone isn’t reading your email unless you use pgp or similar.

                                                  1. 1

                                                    Hopefully Autocrypt adoption will help.

                                                    1. 2

                                                      This is the first time I’m hearing of Autocrypt. It looks like just a wrapper around PGP encrypted email?

                                                      1. 1

                                                        This is a practice described by a standard, that helps widespread use of PGP: by flowing the keys all around.

                                                        What if every cleartext email you received did already have a public PGP key attached to it, and that the mail client of everyone was having its own key, and did like so: sending the keys on every new cleartext mail?

                                                        Then you could answer to anyone with a PGP-encrypted message, and write new messages to everyone encrypted? That would bring a first level where every communication is encrypted with some not-so-strong model where you exchanged your keys by whispering out every byte of the public key in base64 to someone’s ear alone in Alaska, but as a first step, you brought many more people to use PGP.

                                                        I think that is the spirit, more info on https://autocrypt.org/ and https://www.invidio.us/watch?v=Jvznib8XJZ8
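
What “attaching a key to every cleartext mail” looks like on the wire is an `Autocrypt:` header carrying the sender’s address, an optional encryption preference and the base64 OpenPGP key. The following is an added example, not code from the commenter or from the Autocrypt project: a parser for that header following the Autocrypt Level 1 rules (mandatory `addr` and `keydata`, `prefer-encrypt` defaulting to `nopreference`, underscore-prefixed attributes ignored, any other unknown attribute or an `addr` that does not match the From address invalidating the header, and more than one valid header counting as none), plus the recipient-side recommendation. The key bytes are a constructed placeholder, not an OpenPGP key; a real client would hand `keydata` to its OpenPGP implementation.

```python
"""Added example, not from the thread or from autocrypt.org: a minimal
parser for the Autocrypt header (Autocrypt Level 1) plus the recipient-side
recommendation logic.  The key material below is a constructed placeholder,
not a real OpenPGP key.
"""
import base64
import binascii

CRITICAL_ATTRS = {"addr", "prefer-encrypt", "keydata"}


def parse_autocrypt(value, from_addr):
    """Return {'addr', 'prefer_encrypt', 'keydata'} or None if the header is invalid.

    Attributes are ';'-separated key=value pairs.  'addr' and 'keydata' are
    mandatory; 'prefer-encrypt' defaults to 'nopreference'; attributes whose
    name starts with '_' are non-critical and ignored; any other unknown
    attribute makes the header invalid, as does an 'addr' that differs from
    the message's From address.
    """
    attrs = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            return None
        key, val = part.split("=", 1)
        attrs[key.strip().lower()] = val.strip()
    if "addr" not in attrs or "keydata" not in attrs:
        return None
    if any(k not in CRITICAL_ATTRS and not k.startswith("_") for k in attrs):
        return None
    pref = attrs.get("prefer-encrypt", "nopreference")
    if pref not in ("mutual", "nopreference"):
        return None
    addr = attrs["addr"].lower()
    if addr != from_addr.lower():
        return None
    try:
        # keydata may be folded over several lines; whitespace is not significant.
        keydata = base64.b64decode("".join(attrs["keydata"].split()), validate=True)
    except (binascii.Error, ValueError):
        return None
    return {"addr": addr, "prefer_encrypt": pref, "keydata": keydata}


def effective_header(headers, from_addr):
    """A message with more than one valid Autocrypt header is treated as having none."""
    valid = [h for h in (parse_autocrypt(v, from_addr) for v in headers) if h]
    return valid[0] if len(valid) == 1 else None


def recommend(sender_prefers_mutual, peer_states):
    """Level 1 recommendation, without its key-freshness rules (omitted here).

    'disable' if any recipient has no known key; 'encrypt' when the sender and
    every recipient asked for mutual encryption; otherwise 'available', i.e.
    encryption is possible but left to the user.
    """
    if any(p is None for p in peer_states):
        return "disable"
    if sender_prefers_mutual and all(p["prefer_encrypt"] == "mutual" for p in peer_states):
        return "encrypt"
    return "available"


# Constructed sample headers, as a client might see them on two incoming mails.
FAKE_KEY = base64.b64encode(b"constructed placeholder, not an OpenPGP key").decode()
ALICE_HEADER = f"addr=alice@example.org; prefer-encrypt=mutual; _verified=no; keydata={FAKE_KEY}"
BOB_HEADER = f"addr=bob@example.org; keydata={FAKE_KEY}"

if __name__ == "__main__":
    alice = parse_autocrypt(ALICE_HEADER, "alice@example.org")
    bob = parse_autocrypt(BOB_HEADER, "bob@example.org")
    print("alice:", alice and alice["prefer_encrypt"])
    print("bob:", bob and bob["prefer_encrypt"])
    print("recommendation for a mail to both:", recommend(True, [alice, bob]))
```

This is also where the limits the later replies mention come from: the header only distributes keys and a preference, so it gets opportunistic end-to-end encryption of bodies, and nothing here authenticates the key (anyone who can modify a cleartext mail in transit can swap it) or protects the Subject and recipient addresses.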

                                                        1. 2

                                                          Unless I misunderstand, this still doesn’t encrypt subject lines or recipient addresses.

                                                          1. 1

                                                            Like you said. There is an ongoing discussion for fixing it for all PGP at once, including Autocrypt as a side effect, but this is a different concern.

                                                2. 1

                                                  Google gets to read those emails, but doesn’t get to read things like password reset emails or account reminders. Google therefore doesn’t know which email addresses I’ve used to give to different services.

                                                3. 4

                                                  Maybe I’m just out of practice, but last time I set up email (last year, postfix and dovecot) the “$vendor black-holing your emails” problem was the whole problem. There were some hard-to-diagnose problems with DKIM, SPF, and other “it’s not your email, it’s your DNS” issues that I could only resolve by sending emails and seeing if they got delivered, and even with those resolved emails that got delivered would often end up in spam folders because people black-holed my TLD, which I couldn’t do anything about. As far as I’m concerned, email has been effectively embraced, extended, and extinguished by the big providers.

                                                  1. 4

                                                    This was my experience when I set up and ran my own email server: everything worked perfectly end to end, success reports at each step … until it came time to the core requirement of “seeing my email in someone’s inbox”. Spam folder. 100% of the time. Sometimes I could convince gmail to allow me by getting in their contact/favorite list, sometimes not.

                                                    1. 1

                                                      I wonder how much this is a domain reputation problem. I’ve hosted my own email for well over a decade and not encountered this at all, but the domain that I use predates gmail and has been sending non-spam email for all that time. Hopefully Google and friends are already trained that it’s a reputable one. I’ve registered a different domain for my mother to use more recently (8 or so years ago) and that she emails a lot of far less technical people than most of my email contacts and has also not reported a problem, but maybe the reputation is shared between the IP and the domain. I do have DKIM set up but I did that fairly recently.

                                                      It also probably matters that I’ve received email from gmail, yahoo, hotmail, and so on before I’ve sent any. If a new domain appears and sends an email to a mail server, that’s suspicious. If a new domain appears and replies to emails, that’s less suspicious.

                                                      1. 2

                                                        Very possible. In my case I’d migrated a domain from a multi-year G-Suite deployment to a self-hosted solution with a clean IP per DNSBLs, SenderScore, Talos, and a handful of others I’ve forgotten about. Heck, I even tried to set up the DNS pieces a month in advance – PTR/MX, add to SPF, etc. – in the off chance some age penalty was happening.

                                                        I’m sure it’s doable, because people absolutely do it. But at the end of the day the people I cared about emailing got their email through a spiteful oracle that told me everything worked properly while shredding my message. It just wasn’t worth the battle.

                                                  2. 3

                                                    That’s not so hard that I’d let someone else read my emails

                                                    Other than your ISP and anyone they peer with?

                                                    1. 2

                                                      I have no idea how bad this is to be honest, but s2s communications between/with major email providers are encrypted these days, right? Yet, if we can’t trust the channel, we can decide to encrypt our communication too, but that’s leading to other issues unrelated to self-hosting.

                                                      Self-hosting stories with titles like “NSA proof your emails” are probably a little over sold 😏, but I like to think that [not being a US citizen] I gain some privacy by hosting those things in the EU. At least, I’m not feeding the giant ad machine, and just that feels nice.

                                                      1. 7

                                                        I’m a big ‘self-hosting zealot’ so it pains me to say this…

                                                        But S2S encryption on mail is opportunistic and unverified.

                                                        What I mean by that is: even if you configure your MTA to use TLS and prefer it, it really needs to be able to fall back to plaintext given the sheer volume of providers who will be both unable to receive and unable to send encrypted mails, as their MTA is not configured to do encryption.

                                                        It is also true that no MTA I know of will actually verify the TLS CN field or verify a CA chain of a remote server.

                                                        So, the parent is right, it’s trivially easy to MITM email.

                                                        1. 3

                                                          So, the parent is right, it’s trivially easy to MITM email.

                                                          That is true, but opportunistic and unverified encryption did defeat passive global adversaries or a passive MITM. These days you have to become active as an attacker in order to read mail, which is harder to do on a massive scale without leaving traces than staying passive. I think there is some value in this post-Snowden situation.

                                                          1. 1

                                                            What I’ve done in the past is force TLS on all the major providers. That way lots of my email can’t be downgraded, even if the long tail can be. MTA-STS is a thing now though, so hopefully deploying that can help too. (I haven’t actually done that yet so I don’t actually know how hard it is. I know the Postfix author said implementation would be hard though.)
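The MTA-STS policy mentioned above is the piece that turns opportunistic STARTTLS into something a sender can actually enforce. Added example (not code from any commenter or from Postfix): a parser for the RFC 8461 policy text and the delivery decision a sending MTA would take from it, with a constructed sample policy; the HTTPS fetch, DNS TXT lookup and policy cache are deliberately left out, which is also where the implementation effort lives.

```python
"""Parse an MTA-STS policy (RFC 8461) and decide whether delivery may proceed.

Added example. The policy below is constructed, not any real domain's.
"""
from typing import Dict, List, Tuple

# Constructed sample policy, in the format served at
# https://mta-sts.<domain>/.well-known/mta-sts.txt
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: mail.example.com
mx: *.mx.example.net
max_age: 604800
"""

VALID_MODES = ("enforce", "testing", "none")


def parse_mta_sts_policy(text: str) -> Dict[str, object]:
    """Return {"version", "mode", "mx": [...], "max_age"}; ValueError on a bad policy."""
    policy: Dict[str, object] = {}
    mx_patterns: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ":" not in line:
            raise ValueError(f"malformed policy line: {raw!r}")
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "mx":
            mx_patterns.append(value.lower().rstrip("."))
        elif key == "max_age":
            policy["max_age"] = int(value)
        elif key in ("version", "mode"):
            policy[key] = value
        # Unknown keys are ignored so newer policy fields do not break old senders.
    policy["mx"] = mx_patterns
    if policy.get("version") != "STSv1":
        raise ValueError("unsupported or missing policy version")
    if policy.get("mode") not in VALID_MODES:
        raise ValueError("invalid or missing mode")
    if "max_age" not in policy:
        raise ValueError("missing max_age")
    if policy["mode"] != "none" and not mx_patterns:
        raise ValueError("enforce/testing policy lists no mx patterns")
    return policy


def mx_matches(pattern: str, mx_host: str) -> bool:
    """An mx pattern matches the host exactly or, with a leading '*.', matches
    exactly one extra leftmost label; '*.' never covers deeper subdomains."""
    host = mx_host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[2:]
        if not host.endswith("." + suffix):
            return False
        leftmost = host[: -len(suffix) - 1]
        return bool(leftmost) and "." not in leftmost
    return host == pattern


def delivery_decision(policy: Dict[str, object], mx_host: str,
                      tls_verified: bool) -> Tuple[str, bool]:
    """Return (action, report_failure) for one candidate MX.

    tls_verified means the sender negotiated TLS with this MX AND validated the
    certificate chain and name, which plain opportunistic STARTTLS never does.
    """
    mode = policy["mode"]
    if mode == "none":
        return ("deliver", False)
    mx_ok = any(mx_matches(p, mx_host) for p in policy["mx"])
    if mx_ok and tls_verified:
        return ("deliver", False)
    if mode == "testing":
        return ("deliver", True)   # deliver anyway, but report the failure (TLSRPT)
    return ("defer", True)         # enforce: queue the mail, never fall back to plaintext


if __name__ == "__main__":
    pol = parse_mta_sts_policy(SAMPLE_POLICY)
    print(pol)
    print(delivery_decision(pol, "mx1.mx.example.net", tls_verified=True))
    print(delivery_decision(pol, "mail.example.com", tls_verified=False))
```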

                                                      2. 1

                                                        I get maybe 3-4 important emails a year (ignoring work). The rest is marketing garbage, shipping updates, or other fluff. So while I like the idea of self hosting email, I have exactly zero reason to. Until it’s as simple as signing up for gmail, as cheap as $0, and requires zero server administration time to assure world class deliverability, I will continue to use gmail. And that’s perfectly fine.

                                                        1. 7

                                                          Yeah, I don’t want self-hosted email to be the hill I die on. The stress/time/energy of maintaining a server can be directed towards more important things, IMO

                                                        1. 1

                                                          One of the key aspects of NGINX that made it several orders of magnitude faster than the then dominant player, Apache, was to wait for “anything for the server to do” instead of waiting for “the client to send its request”. This allowed it to spawn only one worker process per logical CPU core and thus saves a lot of context switching compared to one worker process per client, on busy servers. This is true even with lightweight processes like threads.

                                                          1. 1

                                                            I came across this paper while looking at vis. The paper has some interesting critique on awk(1) and the line based approach of most Unix tools in general. I.e.:

                                                            The real awk suffers from a mismatch between the patterns and the actions. It would be improved by making the parsing actions of the patterns visible in the actions, and by having the pattern-matching abilities available in the actions.

                                                            It suggests to treat input as a true byte stream instead of an array of lines and let regular expressions not match lines that contain a matched text, but match the actual matched text only, possibly spanning multiple lines. Then input structure can be fully expressed using regular expressions without being limited to line boundaries.

                                                            1. 2

                                                              It’s funny, when I first learned about sed about 9 years ago, that was the first thing I wanted out of it, albeit phrased differently.

                                                              “It would be nice if I could use this syntax to glob over multiple lines”

                                                              1. 2

                                                                I’ve been wanting this recently too, and someone sent me a link to gsar, which is decent.

                                                                https://github.com/abronte/gsar

                                                                It doesn’t do everything sed does, but for searching and replacing I like it.

                                                              2. 2

                                                                I use the gawk extension match() in some of my scripts for this reason. It lets you extract submatches, which I think there’s no way to do in awk unfortunately.

                                                                The submatch extraction is also missing from grep / GNU grep… You can do -o but not anything more than that.

                                                              1. 1

                                                                I love how clean and simple the whole upgrade process is for DragonflyBSD. You just checkout the new branch, build, and restart.

                                                                As compared to OpenBSD, where there is a bit of accidental complexity in upgrades, it is amazing that this is possible.

                                                                1. 5

                                                                  I really like the DragonflyBSD upgrade process as well. But OpenBSD has sysupgrade, which has great ergonomics!

                                                                  https://man.openbsd.org/sysupgrade

                                                                  I haven’t tried it yet but it looks awesome

                                                                  1. 3

                                                                    It just works. I was really impressed when I used it to upgrade from 6.5 to 6.6.

                                                                    1. 1

                                                                      Thanks! I was a bit scared to run “sysupgrade” due to the language on the upgrade page: https://www.openbsd.org/faq/upgrade66.html

                                                                      also, the fact that it is not (yet?) listed as the first update procedure

                                                                  1. 3

                                                                    On a tangential note, just yesterday I found out about M-DISC, which might make me buy another burner again. This time for archival purposes though, not warez ;)

                                                                    1. 4

                                                                      For me, that was too little, too late. By the time the 100GB disks came along, I had 1TB+ hard disks that needed backing up. A stack of 10 BD-XL disks (not even the archival M-DISC variants) for 1TB costs over £100, cloud storage costs £2/TB/Month for archive storage, so I can back up the same amount of data for 4 years for the same price (ignoring the cost of the drive). Backing things up to optical disks also means I need to store them somewhere safe and doesn’t help against the threat model of ‘oh dear, my house burned down with my NAS inside’.

                                                                      I bought a BluRay writer when I built my NAS and a stack of disks for it, but I’ve never actually used it. Now I use zfsbackup-go to GPG-encrypt ZFS incremental snapshots and send them to the cloud. I can drive that from a cron job and don’t need to insert media for a manual process.

                                                                      1. 2

                                                                        Interesting.

                                                                        I’m using something inspired by rsnapshot with different servers in different cities that run daily backups via cron. The total set spans a couple of TB with many GBs of change each day and would be a pain to put on optical discs. But for stuff that is both personal and non-volatile like documents and pictures the set is much smaller and not in flux like the rest of the data so initially a couple of 25 GB M-DISCs and then later maybe an extra disk once a year would do the trick. This would protect the data in a scenario in which my internet connected backup servers somehow got hacked and destroyed. I also like the idea of having this stuff on a different medium than a magnetic disk as is pointed out here by @nickpsecurity.

                                                                        1. 2

                                                                          This would protect the data in a scenario in which my internet connected backup servers somehow got hacked and destroyed

                                                                          Most cloud storage providers offer you a few options here. The NAS that pushes all of these backups to the cloud for me has a shared access key that doesn’t allow it to delete things, so a compromise would not allow someone to delete things and I can revoke it easily. For extra fun, you can have a small VM that isn’t exposed to the Internet, only to the cloud provider’s back-end services, which runs complex policies such as moving the backed-up blobs to another storage account or duplicating the metadata.

                                                                          I also like the idea of having this stuff on a different medium than a magnetic disk

                                                                          The archive tier for cloud providers is often tape. Even the storage mechanisms that are disk are usually not just a simple disk storage or even a conventional RAID array, they’re using complex error correcting codes and spreading your data over a load of disks. They’re much more reliable than anything you could affordably build at home. If you want to pay more, you can opt for geographic replication so even if a particular data center is hit by a meteorite or nuclear bomb, your data is still safe somewhere else. I generally consider my data to not be sufficiently important to need to survive a nuclear war, but your threat model may vary.

                                                                          1. 2

                                                                            Appreciate the shoutout. Yeah, I lost a lot of data one time due to multiple failures of magnetic disks. Per a 3rd party, turned out to be that they all used the same connector and drivers on a safer system that fed them silent errors. (sighs) So, I say diversify as much as you can without high maintenance headaches. And some media should be immune to electromagnetic failures.

                                                                            That something you’re using is pretty cool, too. :)

                                                                            1. 2

                                                                              That something you’re using is pretty cool, too. :)

                                                                              thanks! :)

                                                                              Now that we have unveil(2) the next major update to snaps can drop all my custom patches to chroot and privdrop rsync, or maybe implement rsync’s “--link-dest” so that I can use the new openrsync. But these are just ideas for a hypothetical future update. ;)

                                                                        2. 2

                                                                          Interesting. I’d appreciate you sharing the experience with an M-DISC based archival setup.

                                                                          1. 1

                                                                            Whenever I get that far I’ll try to remember this comment and come back to you. :)

                                                                          2. 2

                                                                            My issue with M-DISC is it’s pretty damn hard to find the burners these days.

                                                                            If I had an M-DISC Bluray burner, I’d be burning to discs 100%. I would only burn absolutely important data.

                                                                            1. 1

                                                                              I was happy to see that at least here in the Netherlands there are enough options to buy one.

                                                                          1. 4

                                                                            Tempting, but I’m curious about a few things:

                                                                            • It mentions OpenGL ES 3.2 support. The official ARM drivers support ES 3.2 but only for a few select situations (mostly Android), and getting them to actually function on arbitrary linux distros is nontrivial. What’s the graphics support actually like?
                                                                            • Does it annoyingly route almost all network and disk I/O through USB like the RPi does?
                                                                            1. 3

                                                                              I just ordered one. If you like I can run some tests for you when it comes in. I had a C2 years ago and at least for that device network and disk were routed to the SOC.

                                                                              1. 1

                                                                                If you feel like it. If you get graphics working well then glxinfo | grep OpenGL should have the info I want.

                                                                                1. 2

                                                                                  Here you go. This is with Ubuntu 20.04 pre-installed default from their emmc module. The vendor string might be due to me doing export DISPLAY=:0 to get around the display not being available in my headless setup.

                                                                                  root@odroid:~# glxinfo | grep OpenGL
                                                                                  OpenGL vendor string: VMware, Inc.
                                                                                  OpenGL renderer string: llvmpipe (LLVM 9.0.1, 128 bits)
                                                                                  OpenGL core profile version string: 3.3 (Core Profile) Mesa 20.0.4
                                                                                  OpenGL core profile shading language version string: 3.30
                                                                                  OpenGL core profile context flags: (none)
                                                                                  OpenGL core profile profile mask: core profile
                                                                                  OpenGL core profile extensions:
                                                                                  OpenGL version string: 3.1 Mesa 20.0.4
                                                                                  OpenGL shading language version string: 1.40
                                                                                  OpenGL context flags: (none)
                                                                                  OpenGL extensions:
                                                                                  OpenGL ES profile version string: OpenGL ES 3.1 Mesa 20.0.4
                                                                                  OpenGL ES profile shading language version string: OpenGL ES GLSL ES 3.10
                                                                                  OpenGL ES profile extensions:
                                                                                  
                                                                                  1. 1

                                                                                    Thanks! That’s certainly… something, though it kind of raises more questions than answers. VMWare and llvmpipe suggest it’s a software OpenGL renderer, which means it’s emulating a GPU instead of actually using the hardware available. If the setup is headless, without any X server running and no display plugged in, then that may or may not be influencing it. If you’re doing X forwarding then it often can’t do much of any use with the GPU hardware anyway.

                                                                                    Interpreting this is always kinda a black art on Linux, since almost all GPU drivers use Mesa to some degree or another, whether they’re binary blobs or open source drivers, and while Mesa is pretty good at choosing the best driver it has available, I’ve yet to find a way to get it to explain to me why it’s choosing a particular driver and which ones it’s choosing among. I mostly just rely on distro packages to do the correct black arts for me. If anyone has any pointers, I’d love to hear more.

                                                                                    1. 1

                                                                                      Well, turns out that it’s the same with an hdmi cable plugged in and displaying out to a TV. No idea why it shows up as VMWare ¯\_(ツ)_/¯

                                                                                      1. 1

                                                                                        Glad to help. I’ll give glxinfo another go once I get an hdmi cable and get this hooked up to my TV.

                                                                                2. 3

                                                                                  Does it annoyingly route almost all network and disk I/O through USB like the RPi does?

                                                                                  I’m not sure, but does this help? https://wiki.odroid.com/_detail/odroid-c4/c4_blockdiagram_rev0.4.png?id=odroid-c4%3Aodroid-c4

                                                                                  1. 2

                                                                                    It does help, if I’m reading it correctly. Looks like the GigE and SD go through their own interfaces instead of piggybacking off of USB. Thanks!

                                                                                  1. 3

                                                                                    Congrats on the new job indeed, curious what it will bring to all things security and privacy related!

                                                                                    1. 2

                                                                                      Great writeup!

                                                                                      I recently made the jump from Postfix to OpenSMTPD and have been very happy. It was on my wishlist for years but I really needed filters to work. I loosely followed the blog post by Gilles himself: https://poolp.org/posts/2019-09-14/setting-up-a-mail-server-with-opensmtpd-dovecot-and-rspamd/ although it is quite lengthy and aimed at absolute beginners.

                                                                                      nitpick:

                                                                                      disable_plaintext_auth = yes

                                                                                      That’s the default so you could shorten the text with one explanation less ;-)

                                                                                      1. 2

                                                                                        Thanks! That blog post also helped me a lot, and I gave him a shoutout in the OpenSMTPD section.

                                                                                        I think I’ll leave that Dovecot setting as-is, because I prefer to be explicit about such an important setting… even though the text could definitely use some shortening. ;-D

                                                                                      1. 9

                                                                                        I strongly recommend using Algo if you want a brainless Wireguard + IPSec VPN setup that works well across a lot of devices, including those that can’t run Wireguard for some reason.

                                                                                        1. 5

                                                                                          I actually looked into this last week, but while IPSec technically does support more devices, I don’t think this is something that people will be having problems with. My setup was for people with close to no technical knowledge, and involved different BSDs, Windows, Linux and Mobile OSs. So I think it is worthwhile to think about whether you actually want to have multiple VPN technologies running.

                                                                                          Wireguard isn’t exactly hard to set up. Not even on non-Linux.

                                                                                          • Generate keypairs Server, Peer1, …, PeerN
                                                                                          • Create a server.conf (where you put in key+ip for each peer and key+port for the server, optional preshared key)
                                                                                          • Depending on the OS, enable IP forwarding, internet access (two to three config lines on OpenBSD for example)
                                                                                          • Create a client conf for the peers (server IP, DNS server, server key, client key)
                                                                                          • Distribute the client configs and use them: All of the clients have some simple command wg-quick or a simple GUI (mobile, windows, …), make qrcodes of the config with qrencode.

                                                                                          I would strongly advise against setting up a VPN (or any service for that matter) “brainless”. Hiding understanding complexity at setup time makes it hard to reason about it at runtime, and you will likely spend more time on having it running than setting it up.

                                                                                          Here is a nice OpenBSD guide.
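The steps listed above (keypairs, a server.conf with key+ip per peer, a client conf per peer, then wg-quick or a QR code on the client) come down to rendering two config files consistently from one peer list. Added example, not the commenter's or the WireGuard project's code: a small generator that does that rendering; the key strings are placeholders standing in for real `wg genkey` / `wg pubkey` / `wg genpsk` output, and the subnet and endpoint are constructed values.

```python
"""Render WireGuard server and client configs from one peer list.

Added example. Keys are PLACEHOLDERS for real `wg genkey`/`wg pubkey`/`wg genpsk`
output; subnet and endpoint are constructed values.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Peer:
    name: str
    private_key: str         # from `wg genkey` on the peer; only ever in its own config
    public_key: str          # from `wg pubkey`; this is what the server needs
    preshared_key: str = ""  # optional, from `wg genpsk`; shared by exactly this pair


def peer_address(subnet: ipaddress.IPv4Network, index: int) -> ipaddress.IPv4Address:
    """The first usable host is the server; peer N gets the (N+2)th usable host."""
    hosts = list(subnet.hosts())
    if index + 1 >= len(hosts):
        raise ValueError("subnet too small for this many peers")
    return hosts[index + 1]


def build_server_config(server_private_key: str, listen_port: int,
                        subnet: ipaddress.IPv4Network, peers: List[Peer]) -> str:
    server_ip = next(subnet.hosts())
    lines = ["[Interface]",
             f"PrivateKey = {server_private_key}",
             f"Address = {server_ip}/{subnet.prefixlen}",
             f"ListenPort = {listen_port}",
             ""]
    seen = set()
    for i, peer in enumerate(peers):
        if peer.public_key in seen:
            raise ValueError(f"duplicate public key for peer {peer.name}")
        seen.add(peer.public_key)
        lines += ["[Peer]", f"# {peer.name}", f"PublicKey = {peer.public_key}"]
        if peer.preshared_key:
            lines.append(f"PresharedKey = {peer.preshared_key}")
        # /32: the server accepts traffic from this peer only with its own tunnel address
        lines += [f"AllowedIPs = {peer_address(subnet, i)}/32", ""]
    return "\n".join(lines)


def build_client_config(peer: Peer, index: int, server_public_key: str,
                        endpoint: str, subnet: ipaddress.IPv4Network) -> str:
    server_ip = next(subnet.hosts())
    lines = ["[Interface]",
             f"PrivateKey = {peer.private_key}",
             f"Address = {peer_address(subnet, index)}/{subnet.prefixlen}",
             f"DNS = {server_ip}",  # assumes a resolver runs on the server tunnel address
             "",
             "[Peer]",
             f"PublicKey = {server_public_key}"]
    if peer.preshared_key:
        lines.append(f"PresharedKey = {peer.preshared_key}")
    lines += [f"Endpoint = {endpoint}",
              "AllowedIPs = 0.0.0.0/0",  # full tunnel: route all IPv4 through the VPN
              "PersistentKeepalive = 25",
              ""]
    return "\n".join(lines)


def build_all(server_private_key: str, server_public_key: str, endpoint: str,
              listen_port: int, subnet: ipaddress.IPv4Network,
              peers: List[Peer]) -> Dict[str, str]:
    """Return {"server": server.conf text, <peer name>: client conf text, ...}."""
    configs = {"server": build_server_config(server_private_key, listen_port, subnet, peers)}
    for i, peer in enumerate(peers):
        configs[peer.name] = build_client_config(peer, i, server_public_key, endpoint, subnet)
    return configs


# Constructed inputs; real keys are 44-character base64 strings from wg.
SUBNET = ipaddress.ip_network("10.10.0.0/24")
PEERS = [
    Peer("laptop", "LAPTOP_PRIVATE_KEY_PLACEHOLDER", "LAPTOP_PUBLIC_KEY_PLACEHOLDER",
         "LAPTOP_PSK_PLACEHOLDER"),
    Peer("phone", "PHONE_PRIVATE_KEY_PLACEHOLDER", "PHONE_PUBLIC_KEY_PLACEHOLDER"),
]
CONFIGS = build_all("SERVER_PRIVATE_KEY_PLACEHOLDER", "SERVER_PUBLIC_KEY_PLACEHOLDER",
                    "vpn.example.net:51820", 51820, SUBNET, PEERS)

if __name__ == "__main__":
    for name, text in CONFIGS.items():
        print(f"# ---- {name}.conf ----\n{text}")
    # A mobile client can scan `qrencode -t ansiutf8 < phone.conf` instead of typing it.
```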

                                                                                          1. 6

                                                                                            Here is a nice OpenBSD guide.

                                                                                            I have been working on a privilege separated implementation of WireGuard for OpenBSD. It has been stable for me personally for over a year now and has recently been accepted as part of the upcoming OpenBSD 6.7 ports system. If you have some opinions about it please share, I would appreciate any feedback.

                                                                                            1. 1

                                                                                              This is really cool! Also that it has been accepted into ports. Given that the license matches, it uses pledge and so on, wouldn’t it potentially be something for the base system? Did you consider that?

                                                                                              1. 2

                                                                                                It would be really cool if it got included in base, but that decision is not for me to make. Aside from that, I think in the long term the kernel version that is being developed has a good chance of getting included at some point.

                                                                                          2. 2

                                                                                            +1 on Algo, been giving it to family and friends and it works easily and securely.

                                                                                          1. 7

                                                                                            I can really recommend UNIX Network Programming, Volume 1: The Sockets Networking API (3rd Edition)

                                                                                            It’s from 2003 but still relevant today. It’s very concise and complete in my opinion and more to the point than Advanced Programming in the Unix Environment when it comes to socket programming.

                                                                                            1. 1

                                                                                              It’s older than that, isn’t it? I have a copy on my shelf and I’m almost positive I bought it in 1998. I still go to it on an irregular basis… it’s no stretch to call it my longest-lived useful tech book right next to Cormen/Leiserson/Rivest’s algorithms text.

                                                                                              1. 1

                                                                                                It’s very concise

                                                                                                Amazon lists it at over 1000 pages.

                                                                                                1. 2

                                                                                                  It is indeed a huge book, but has concise coverage of a zillion different Unix APIs.

                                                                                                  1. 1

                                                                                                    Those statements are not mutually exclusive.

                                                                                                    I did this stuff in my first professional programming job (working on the DPOP mail server, mostly, in C) and it’s a deep and broad field.

                                                                                                1. 6

                                                                                                  I’ve spent today installing Jitsi on a new VPS in a datacenter nearby, run by a small company I trust more than any corporation from Silicon Valley. Just had the first multi-hour conversation with a close relative and while the video had some dips now and then, the audio was good 99% of the time. I’m quite happy that this traffic isn’t available for analysis by Facebook, Google or Amazon. It was quite easy to set up and I can recommend anyone interested to check it out: https://github.com/jitsi/jitsi-meet

                                                                                                  1. 3

                                                                                                    I can recommend Talky as a trustworthy zero-setup WebRTC video chat solution, for those who don’t want to put the effort into hosting their own. QoS has always been fine for me. Here’s their privacy policy – it’s pretty straightforward.

                                                                                                    1. 2

                                                                                                      I’ve been using Nextcloud Talk for the same reason and purpose for a while now. If you happen to have a Nextcloud server around this option is worth a try, it works wonders for us here to keep in contact with our spread-out family in these times of isolation and quarantine. I first installed it last year after my father died so I could make daily video calls with my mother - I live in Sweden, she lives in the Netherlands - without having to feed Suckerberg, Apple, Google or Microsoft in the process. Once SARS2 hit the use has been expanded to my wife’s mother and brother and some others.

                                                                                                      1. 1

                                                                                                        Did anyone try to use jitsi with LDAP? Because I could only find sparse information or unresolved threads and failed to do so. The idea is to limit the creation of rooms to LDAP authenticated users, otherwise this is a possible DDoS problem.

                                                                                                        1. 1

                                                                                                          Would you say it’s a reasonable approach for hosting business meetings?

                                                                                                          1. 1

                                                                                                            I’ve been using the hosted version at https://meet.jit.si with a group of four to six people for two years now, and apart from last summer it really is good enough. You can easily give it a try before deciding on setting up your own instance.

                                                                                                            1. 1

                                                                                                              I wouldn’t self host jitsi for business, I’d use meet.jitsi. The killer feature over at meet.jitsi is the SIP integration they’ve set up in a large number of countries. When your mic just isn’t being picked up today, you always have the dial-in.

                                                                                                            2. 1

                                                                                                              I’m quite happy that this traffic isn’t available for analysis by Facebook, Google or Amazon

                                                                                                              It’s not like they’re sending all their data to Facebook; what is probably going on is that they’re just using a Facebook API, by the sound of it for Facebook logins.

                                                                                                              What is most certainly not going on is sending all your data to Facebook “for analysis”. I’m not saying that makes it fine or that it’s great, but there is a nuance to these things, and I find it disappointing that whenever these kinds of topics come up, the nuance goes out the window at the speed of light pretty much every single time :-/

                                                                                                              1. 1

                                                                                                                It’s not like they’re sending all their data to Facebook; what is probably going on is that they’re just using a Facebook API, by the sound of it for Facebook logins.

                                                                                                                Of course, and re-reading my comment one could easily conclude that, sorry for being sloppy. That said, I’d argue this is not so much about the actual content of a conversation as much as about the fact that I’m talking to a close relative, at that moment in time, for a certain period. It is just one data sample that in itself is insignificant, but combined with all the other small data points gives a quite accurate view of what keeps me busy and who’s around me. So I still stand by my comment but please interpret “this traffic” as “the meta-data” ;)

                                                                                                                As a side-note, https://meet.jit.si does forward all traffic through Amazon.

                                                                                                            1. 2

                                                                                                              Very interesting stuff. I see you’re considering I2P, have you looked at other networks, e.g. Loopix?

                                                                                                              1. 3

                                                                                                                I’m always open to ideas! :)

                                                                                                                After I meet some really tight deadlines at work (freeing up spare time), I can investigate any ideas or suggestions to improve access to our infrastructure.

                                                                                                                1. 2

                                                                                                                  You might also find Nym interesting to follow if you haven’t yet already heard about it: https://github.com/nymtech/nym