Threads for ols

  1. 1

    Writing my anthropomorphic frog TTRPG zine, and figuring out how much it will cost to make the front cover detach and be the referee screen. Also playing some D&D and trying to get my group to look at Mörk Borg. Quite an RPG-heavy weekend!

    1. 2

      Really interesting post. As an aside, the Stretched Master Key diagram breaks the site’s responsive design by stretching the page out.

      1. 2

        Thank you so much :D The broken diagram is gonna be fixed soon :D

      1. 1

        Trying to decide on a commuter bike, and watching the Six Nations

        1. 1

          The Priority Continuum Onyx has been my commuter for years now. Best bike I’ve ever ridden

        1. 1

          PGP encrypt, save as DNS TXT records

          1. 7

            Today, many email providers have some kind of method of contacting them, but I have never once received a response or even evidence of action due to one of these messages… both for complaints of abuse on their end and deliverability problems

            Strangely, one thing I was surprised about was how it was possible to get in touch with Postmasters when we had issues with blacklisting. It generally took a while to track down the proper way to contact them, but I think there’s only been one mailhost (Apple) who we never heard back from – although we were removed from their blacklist the day after. When blacklisted by Microsoft (Outlook, Hotmail, Live, etc.) I even got to chat with a helpful real person; an actual named person no less!

            1. 8

              Suppose it depends on the provider. I’ve had quick and helpful responses from Migadu when needed in the past

              1. 2

                This was my experience also. A couple of years ago, I was trying to change my Warby Parker password after a breach on their end. The process failed at the send a nonce to Chris via email step. I could see that the cause of the failure was that I hadn’t added warbyparker.com to my greylister so I wasn’t going to get immediate delivery. Even after bypassing warbyparker.com I wasn’t getting the nonce. A letter to hostmaster@warbyparker.com got a response but I didn’t need glasses at the time. I honestly didn’t know it was fixed until today when I remembered as a result of this thread.

              2. 6

                Maybe I’m just in too bad of a mood! Most of this comment dates back to when I was working in university IT 6-7 years ago and spent a long time battling blacklisting problems. I don’t think I ever got responses from Google, and while they did start accepting mail from us again each time it was long enough later (a few days) that it was unclear whether someone had read my message or the blocklist entry had just hit an expiration date. The worst problems we had in the other direction were abuse coming from Google (spam and fraud email, calendar invites, and phishing via Google Forms) and I don’t think I ever saw any evidence of their acting on abuse complaints. We started blacklisting certain gmail addresses at the institutional level because they were sending so much mail to us that just had very long address lists pasted into the To/Cc. The irony is that SpamAssassin was picking this stuff up and we had to manually bump the domain reputation of gmail.com to avoid it learning to spamcan every marginal email coming from Google.

                I have not seen this kind of problem since I worked there (although I haven’t run as large of a mailserver since), but I would assume Google has tightened up their controls at some point because it was remarkably brazen behavior to continue from a major email provider for, as I recall, around a year. I’d guess this was 2013 or so. This situation actually led somewhat directly to that institution switching to Google Workspace later because it fostered a perception that the in-house operation was incompetent, which is sort of ironic. It really got at one of those no-win problems in security: we were getting phished via Google Forms on a weekly basis, but whenever we tried taking active measures like dropping email with Google Forms links it turned into a huge upset and we had to back off. When I worked in incident response in 2015-2017 phishing via Google Forms continued to be a top-ten problem, but at that organization we had somewhat better tools available to combat it and ended up using our outbound web filters to inject a redirect to a warning page the user had to click through (we were fortunate enough to have TLS interception). Google now provides some additional measures to mitigate this problem but they of course require that you be a Google Workspaces customer. I assume they’ve also stepped up detection and enforcement a lot because in more recent cases where I’ve seen Google Forms phishing, the link has often been dead by the time I saw it. In any case the whole thing left me with a very negative perception of how Google runs their email operation (which was boosted when I was involved in the pre-sales process on the switch to G-Suite, which was amazingly incompetent).

                And I shouldn’t let Google color my perception of the whole industry; my recollection is that Microsoft was pretty easy to get a hold of on hotmail/outlook.com issues, although I think we may have leveraged our existing relationship with them to get a better contact than what they have publicly.

                With smaller organizations it’s always been a lot easier; of course, being a university, much of our interaction was with other universities, and postmaster@ almost always got a response from someone helpful, whether we were the source or victim of the problem. Unfortunately this situation has become worse over the years as more and more institutions and businesses are moving over to cloud services that they have limited control over and knowledge of. In my current position, where I don’t even really deal with email, I’ve run into a few cases of “something is blocking email from you but we can’t figure out what.” It’s almost always a cloud email security gateway they use, which have a tendency to be very opaque.

                1. 1

                  Although we haven’t had any issues so far sending to Google, I don’t doubt for a second that they would be a pain to deal with. We manage several dozen Google Workspaces for clients and it is constantly causing bother.

                2. 2

                  It’s also a good idea to have an alias for postmaster@ (root too; often aliases tables have that by default). There are many systems and people that default to sending there.

                1. 4

                  Why do websites like this insist on making me click through seven pages when most of them are just images?

                  1. 3

                    More impressions = more ads

                  1. 16

                    Wow. This is eye-wateringly bad.

                    I know several sites that will be saved by outbound firewall rulesets that were considered somewhere between burdensome and unreasonable when we insisted on them. But it seems likely there will be exploits that don’t involve pointing JNDI at an attacker-controlled server, so that’s likely temporary.

                    1. 7

                      I have had it pointed out to me that the LDAP URL includes a port number. Better check those outbound rulesets to see if they are draconian enough: allowlists of specific trusted servers are a good start.

                      1. 2

                        Trivial to change the port as part of the exploit though

                        1. 1

                          It does indeed allow a port number. The systems I’m thinking of were only allowed to connect to anything external through an HTTP proxy. CONNECT was not one of its features, and it had a short whitelist of remote systems they could reach.

                          It was a painful environment.

                          They’ll still be in a hurry to patch this. It sounds like a great way for someone who’s popped a less important box on the same network as the application servers to pivot, even if LDAP will never leave the LAN.
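                          As an added example (not the commenter’s code), a small audit of proxy access logs against the kind of short egress allowlist described above: it flags CONNECT tunnel attempts, non-HTTP schemes such as ldap://, hosts outside the allowlist and non-standard ports, so the access logs of an HTTP-only proxy become a detection source. The log format, host names and allowlist are all constructed assumptions.

```python
"""Audit proxy access logs against an egress allowlist (constructed example).

Scenario: application servers may only reach a short list of hosts through an
HTTP proxy that does not offer CONNECT. Anything else in the log, even when the
proxy already returned 403, is worth a defender's review.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Hypothetical allowlist: hosts the application tier legitimately talks to.
ALLOWED_HOSTS = {"repo.example.internal", "api.vendor.example"}
ALLOWED_SCHEMES = {"http", "https"}
DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed proxy log lines, format: epoch client method url status
SAMPLE_LOG = """\
1639000001 10.0.1.15 GET http://repo.example.internal/artifact.jar 200
1639000002 10.0.1.15 GET https://api.vendor.example/v1/quote 200
1639000003 10.0.1.22 CONNECT evil.example:443 403
1639000004 10.0.1.22 GET ldap://203.0.113.9:1389/a 403
1639000005 10.0.1.22 GET http://203.0.113.9:8080/x 403
1639000006 10.0.1.30 GET http://api.vendor.example:8443/v1/quote 200
"""


@dataclass
class Finding:
    client: str
    target: str
    reason: str


def parse_target(method: str, url: str) -> Tuple[str, str, Optional[int]]:
    """Return (scheme, host, port) for one log entry.

    CONNECT requests carry a bare host:port instead of a URL, so they are
    handled separately from urlsplit.
    """
    if method == "CONNECT":
        host, _, port = url.rpartition(":")
        return "connect", host, int(port) if port.isdigit() else None
    parts = urlsplit(url)
    port = parts.port or DEFAULT_PORTS.get(parts.scheme)
    return parts.scheme, parts.hostname or "", port


def audit_line(line: str) -> Optional[Finding]:
    """Apply the egress policy to one line; None means the request conformed."""
    fields = line.split()
    if len(fields) != 5:
        return None  # malformed line, ignored here
    _epoch, client, method, url, _status = fields
    scheme, host, port = parse_target(method, url)
    if method == "CONNECT":
        return Finding(client, url, "CONNECT tunnel attempted; proxy is HTTP-only")
    if scheme not in ALLOWED_SCHEMES:
        return Finding(client, url, f"non-HTTP scheme {scheme}://")
    if host not in ALLOWED_HOSTS:
        return Finding(client, url, "host not on egress allowlist")
    if port != DEFAULT_PORTS[scheme]:
        return Finding(client, url, f"non-standard port {port} for {scheme}")
    return None


def audit(log_text: str) -> List[Finding]:
    """Return every policy violation found in the log text, in log order."""
    return [f for f in map(audit_line, log_text.splitlines()) if f is not None]


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(f"{finding.client} -> {finding.target}: {finding.reason}")
```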

                      1. 3

                        Playing with the band at the Victorian Christmas Market today, visiting as a civvy tomorrow

                        1. 2

                          I’m auditioning for improv house teams. I’ve been out of practice during the pandemic, so I don’t know how it will go. I’m just gonna try to have fun.

                          1. 2

                            Good luck!

                          1. 73

                            I think it is time for a nix tag, since unix is very broad for this article

                            1. 4

                              It’s been suggested many times, hasn’t it? I do hope it’s considered this time round.

                              1. 3

                                The usual way to make the case for a new tag is to put together a list of existing articles that would fit under it. Feel free! It should be a new meta thread so it doesn’t get missed.

                                1. 11

                                  Here is the last year’s suggestion: https://lobste.rs/s/i5fneg/add_tag_for_nix_nixos (there were more articles since then).

                                1. 4

                                  I’m not actually a software engineer by trade, but I am giving this a go in…Go (https://git.sr.ht/~ols/advent-of-code-2021)

                                  1. 3

                                    Came to say something along the lines of “naming things is hard but FYI ‘spack’ is a derogatory term for someone with mental illness, at least where I’m from in the UK”

                                    But then I saw it’s a pretty big package already, yikes!

                                    1. 2

                                      Git?

                                      Derogatory terms not aimed at people seem fine in our space.

                                      1. 4

                                        Semi-agree, except mental illness and disability are protected characteristics, so it’s different to calling someone a git.

                                        1. 1

                                          There are inclusive and non-inclusive insults. Git is not aimed at a particular group and does not insult the target by likening them to a particular target group. It’s not a fantastic idea to name your project after an insult[1] but at least git doesn’t attack a particular group.

                                          [1] Linus’ disarming rationale for the naming was that he always names projects after himself. Since the original name for Linux was Freax, there’s a bit of a precedent for this.

                                        2. 1

                                          The same concerns were mentioned on Lobsters when it was shared 2 years ago.

                                          Unclear though if the authors are aware, as I couldn’t find any discussion of the name in their issue tracker.

                                        1. 1

                                          Trying to get some more book written; NaNoWriMo has been a disaster so far.

                                          1. 5

                                            I’ve updated the little Docker + X11 setup I use to run it on Mac (without MacPorts), if someone finds it of use: https://github.com/deddu/nyxt-docker

                                            1. 4

                                              Fantastic, perhaps we should link that on our downloads page? I think we will, as an unofficial way to install.

                                              1. 1

                                                Totally up to you, I’d be honored. Please be aware that I can’t really guarantee top of the line support for the repo. I guess I can put a GitHub action to have an image pushed to the hub, and maybe a little scraper to check the latest version.

                                                As far as having a single standalone bundled runner, I still don’t know - I have to dig into the XQuartz docs, and perhaps see how Inkscape did it. Open to ideas. Sadly x11docker does not support macOS.

                                                1. 2

                                                  You know, I wonder if we can help you with that; we should be able to run Docker on our machines and do part of the automation testing. Of course we can’t do XQuartz stuff, but we COULD keep the repository up to date somehow. I’ll think about it.

                                                  1. 1

                                                    Tbh I think the best way to deal with Mac would be to try to follow this process https://balintreczey.hu/blog/beautiful-wireshark-on-os-x-using-homebrew-and-gtk3quartz/ and have it in Homebrew. Docker does really seem like an extra dependency.

                                                2. 1

                                                  Nice! I have been close to tears trying to build this on macOS but anything that gets me away from WebKitGTK+ is a plus.

                                                1. 9

                                                  I built Kubernetes tooling at Airbnb (previous employer) and am very happy Notion (current employer) is all ECS.

                                                  1. 1

                                                    Do Notion have an engineering blog of some kind? I love learning more about the products I use.

                                                    1. 2

                                                      So far we only have one post: https://www.notion.so/blog/topic/tech

                                                  1. 3

                                                    Not much. I have a custom Xbox controller coming in today and I’m probably gonna work on either my homebrew gameboy game for a competition or an app to help others scratch an itch when it comes to plurality.

                                                    1. 1

                                                      Any more info on this app?

                                                      1. 1

                                                        In time.

                                                    1. 1

                                                      Company: Sky Betting and Gaming

                                                      Company site: skybetcareers.com

                                                      Position(s): Senior Devops Engineer

                                                      Location: HYBRID: REMOTE (not fully) with ONSITE Sheffield, UK in agreement with Line Manager

                                                      Description:

                                                      • Own and lead substantial units of work, from concept and inception all the way through to production.

                                                      • Take responsibility for the quality of our deployment pipelines, ensuring the resilience, capacity, performance, repeatability, security, scalability of our platforms.

                                                      • Drive a proactive approach to platform monitoring and improvement that meets the needs of our customers.

                                                      • Deliver industry-leading systems, which are secure, appropriately tested, perform well, and help provide an engaging customer experience.

                                                      • Line-manage and mentor other DevOps Engineers in your team through their personal development aspirations.

                                                      • Manage and maintain our build and deployment pipelines, ensuring reliability, repeatability and ease of use.

                                                      • Identify and champion resolution of technical debt in the services you own.

                                                      • Proactively and collaboratively identify and address potential problems in component design and tooling and be able to articulate these to the team and wider stakeholders.

                                                      • Create and maintain quality technical documentation.

                                                      • Play a proactive part in owning the Tribe’s platforms, environments and services; taking responsibility for support, monitoring, measuring performance and addressing technical issues when required.

                                                      • Contribute enthusiastically to our continuous improvement of configuration practices, application quality, tooling and agile processes.

                                                      • Participate in code reviews, and embrace peer feedback on your work.

                                                      • Communicate constructively with peers, seniors and stakeholders in all territories.

                                                      • Contribute new ideas while keeping the long-term perspective in mind.

                                                      • Demonstrate a wider technical and Tribe wide awareness, helping to design technical solutions while solving higher level problems.

                                                      • See things from a range of perspectives, acting as the bridge that helps your team engage with others within the Tribe.

                                                      • Monitor progress and use your influence to remove blockers.

                                                      • Facilitate networks and share knowledge, helping others to connect and learn in technical and non-technical discussions in the team and beyond.

                                                      • Help contribute to our DevOps culture, guilds and working groups.

                                                      • Act as a role model, being able to handle challenges calmly and creatively within the team.

                                                      Tech stack:

                                                      • RHEL
                                                      • Chef
                                                      • Docker
                                                      • Kubernetes
                                                      • Istio
                                                      • Helm
                                                      • Terraform
                                                      • Prometheus
                                                      • Nagios
                                                      • Jenkins
                                                      • Redis
                                                      • MySQL
                                                      • F5
                                                      • ZXTM

                                                      Contact: Drop me a message, it’s not been published externally yet but is available. It’s my backfill, and a great team!

                                                      1. 3

                                                        If you want to get into kernel mode programming on other systems, then please take note that OS manufacturers make it harder and harder to load third-party kernel code with each OS update.

                                                        For example, in recent macOS versions Apple has deprecated kernel extensions. Instead, you should write ‘system extensions’ that don’t have ring-0 permissions. So if you want to distribute some privileged code with your software, then if system extensions won’t cover it you can just forget about this functionality.

                                                        Linux kernel modules require distributing the source code along with them, not only because of the license, but also because the ABI between kernel versions is completely unstable by design. So it’s hard to distribute kernel modules with your software. Not impossible, but you’re much better off if you’ll figure out how to introduce your kernel module in the main kernel tree somehow.

                                                        Some BSD distributions have completely disabled the ability to load kernel code, so if you’re not a kernel hacker then it’s pointless to even consider writing it.

                                                        I think the only OS that allows loading kernel drivers from third-party vendors without much hassle is Windows. You still need to sign the driver with MS certificates (I think), and that will probably cost some money, but I don’t think MS tried to discourage developers from writing kernel code.

                                                        1. 4

                                                          > For example, in recent macOS versions Apple has deprecated kernel extensions. Instead, you should write ‘system extensions’ that don’t have ring-0 permissions. So if you want to distribute some privileged code with your software, then if system extensions won’t cover it you can just forget about this functionality.

                                                          This leads somewhat to the question of what your code actually needs to do. Modern operating systems are moving towards a more microkernel-like model. A lot of the old performance-related arguments against microkernels no longer apply because the things the kernel does tend to fall into two categories:

                                                          • Sufficiently far off the critical path that an extra context switch is fine.
                                                          • Sufficiently performance-critical that even a monolithic kernel’s system call is too slow.

                                                          The first means that things like CUSE, FUSE, and so on can happily run things in userspace without users seeing any performance problems. The second means that there’s a trend for high-performance devices to do kernel bypass and map a PCI VF directly into userspace: The kernel sets up some IOMMU mappings and then gets out of your way. With S-IOV (Intel) and Revere (Arm), hardware is moving towards making this even more scalable so that future devices will support hundreds of contexts instead of the handful that’s possible with SR-IOV.

                                                          > Linux kernel modules require distributing the source code along with them, not only because of the license, but also because the ABI between kernel versions is completely unstable by design. So it’s hard to distribute kernel modules with your software. Not impossible, but you’re much better off if you’ll figure out how to introduce your kernel module in the main kernel tree somehow.

                                                          nVidia gets around this with a shim. The shim is distributed in source form and is recompiled against the current kernel. There’s some infrastructure now for Linux that automatically rebuilds kernel modules when you install a new kernel, which helps avoid KBI changes breaking things, but doesn’t help with KPI changes breaking things. The nVidia model provides a permissively licensed kernel module that talks to the kernel interfaces and treats the majority of the driver as a black box. The rest of the driver is a blob that expects to talk to a kernel abstraction layer and is the same code for Linux, Windows, FreeBSD, and macOS.

                                                          > Some BSD distributions have completely disabled the ability to load kernel code, so if you’re not a kernel hacker then it’s pointless to even consider writing it.

                                                          BSDs have had a securelevel mechanism for decades. At the highest securelevel, you can’t load kernel modules and you can’t open /dev/kmem. I believe OpenBSD defaults to (or at least encourages running at) the higher levels, other BSDs don’t. I’m not sure what the ABI guarantees are in Open- and NetBSD, but FreeBSD provides strong KBI guarantees across an entire major release series. Before an X.0 version is branched, they typically add a few padding fields to structures to allow them to be extended. If you’ve written a kernel module against one major release it should work with any later ones in that release series.

                                                          > I think the only OS that allows loading kernel drivers from third-party vendors without much hassle is Windows. You still need to sign the driver with MS certificates (I think), and that will probably cost some money, but I don’t think MS tried to discourage developers from writing kernel code.

                                                          Windows will not load unsigned drivers by default. If you enable this, then some features that depend on the secure boot attestation will not work. Like other kernels, NT is encouraging developers to write extensions in userspace where possible, with userspace frameworks for writing USB devices, filesystems, and a few other things.

                                                          The Windows situation isn’t that different from a Linux distro that enables kernel code signing, except that the Windows KBI guarantees are a lot stronger than Linux and weaker than FreeBSD. Windows exposes a set of symbols to loadable drivers and these are the only guaranteed stable ones. Linux similarly exposes a subset of kernel symbols to loadable modules, but does not guarantee that they’re stable. In FreeBSD, any kernel structure and any symbol that is not static is part of the KBI.

                                                          1. 1

                                                            > BSDs have had a securelevel mechanism for decades. At the highest securelevel, you can’t load kernel modules and you can’t open /dev/kmem. I believe OpenBSD defaults to (or at least encourages running at) the higher levels, other BSDs don’t. I’m not sure what the ABI guarantees are in Open- and NetBSD, but FreeBSD provides strong KBI guarantees across an entire major release series. Before an X.0 version is branched, they typically add a few padding fields to structures to allow them to be extended. If you’ve written a kernel module against one major release it should work with any later ones in that release series.

                                                            I believe OpenBSD completely removed loadable kernel modules entirely.

                                                            1. 1

                                                              Yes, that is correct. Meaning as I tested this I would need to rebuild the kernel each time (and hence why I decided to do it on Linux)

                                                              1. 1

                                                                Out of interest, how long does an incremental build of the OpenBSD kernel take? For Linux kernel work, I use eudyptula-boot (https://github.com/vincentbernat/eudyptula-boot), which spins up a VM with the new kernel and a minimal init, with my host FS mounted read-only there, and drops me into a shell. I do this even when testing kernel modules, because a bug in my kernel module can corrupt kernel state and I don’t want to do that on my host system. It takes around 10 seconds to boot the VM, so if an incremental rebuild of the kernel takes a comparable amount of time, my compile-test-debug cycle on OpenBSD would be similar. If I have to do a clean rebuild, it would be more painful. FreeBSD can do make buildkernel -DNO_CLEAN very quickly (not as quickly as I’d like); I’ve never managed to successfully do an incremental recompile of Linux.

                                                                1. 1

                                                                  I do know OpenBSD relinks the kernel on boot, so I assume it’s short, or it’s long and they’re OK with the punishment in the name of security.

                                                        1. 14

                                                          I’ve found the article this is inspired by to be meatier:

                                                          https://lyngvaer.no/log/writing-pseudo-device-driver

                                                          1. 4

                                                            Yep, it’s a really great article. I didn’t want to just pull paragraphs from it though so thought it best to link off and keep mine briefer.

                                                          1. 3

                                                            I used maddy possibly over a year ago now and even when it was super early in dev I didn’t have any complaints.