1. 17

    My favourite use case for systemd user services is sneaky backdoors that disappear when users log in: https://hosakacorp.net/p/systemd-user.html

    1. 3

      This is awesome. I ran systemctl --user on my system, and there’s so much noise there (from units that handle mounts and so much other stuff you wouldn’t consider a ‘service’) that even if something malicious existed it would be hard to immediately spot. And it would be impossible to spot if it used a name that made it look like one of the noise.

      1. 4

        It’s better to run systemctl --user list-dependencies as it would give you a better overview of the services you (probably) care about.

        1. 1

          oh, thanks, that’s much better. Though, does this show the sneaky backdoor services that OP mentioned?

      2. 2

        Wow. That’s fantastic!

        1. 2

          This is great, thanks for sharing. Def an argument here for a systemd --user whitelist or a reminder to check the noise from time to time

          1. 10

            It gets even better, I haven’t ever published it because I actually use it on red teams but there are ways to use the dependency checks on services to essentially create very difficult to kill back door by making multiple systemd user backdoors that depend on each other and also create and enable more of themselves hydra style. You can also have them running and clean themselves up so that there are no on-disk service files for even more nastiness. Lots of fun to be had everywhere!

            1. 2

              Seems like this should be reported if it hasn’t been already…

              1. 13

                The security reporting process is a bit nebulous and hard to approach, so I think it’s valuable to explain why it’s not actually a reportable issue. The ability to create these unit files is intended functionality using allowed user rights, I’m not actually breaking any security here. The reason why this seems like an “issue” is the difference between a vulnerability and a persistence technique, I’m not actually breaking any security assumptions with this, so there would be no reason for there to be something like say… a CVE, which most people are familiar with.

                There are places where this is documented as a potential security impacting place that requires additional monitoring for indicators of compromise, such as in the MITRE ATT&CK framework. In fact this technique and the Metasploit module I wrote for it are referenced in ATT&CK in the 4th reference.
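Since the thread keeps coming back to "how would I spot one of these in the noise", here is an added example (editor's addition, not code from the linked post, the commenter's Metasploit module, or systemd itself) that audits the user unit files the way a reviewer would read them by hand: it flags units that are not on a known-good list, ExecStart binaries outside system paths, auto-restart on unknown units, and dependency wiring between unknown units. The sample units, the user "alice", the allowlist and the trusted-path list are constructed for the demo.

```python
"""Audit systemd *user* units against an allowlist.

Added example (not code from the linked post or from systemd). It reads the
unit files a reviewer would otherwise eyeball one by one and flags anything
that is not on a known-good list, starts a binary outside the system paths,
auto-restarts, or is wired into another unknown unit. The sample units and
the allowlist are constructed for the demo.
"""
from pathlib import Path
from typing import Dict, List, Set, Tuple

# Directories a normal user cannot write to (assumption: a stock distro layout).
TRUSTED_PREFIXES = ("/usr/bin/", "/usr/sbin/", "/usr/lib/", "/usr/libexec/",
                    "/bin/", "/sbin/", "/lib/")

# Constructed sample: unit name -> unit file text, as it would sit under
# ~/.config/systemd/user/. Two of the units require each other.
SAMPLE_UNITS: Dict[str, str] = {
    "gpg-agent.service": (
        "[Unit]\nDescription=GnuPG cryptographic agent and passphrase cache\n"
        "[Service]\nExecStart=/usr/bin/gpg-agent --supervised\n"
        "[Install]\nWantedBy=default.target\n"
    ),
    "dbus-helper.service": (
        "[Unit]\nDescription=D-Bus helper\nRequires=session-keeper.service\n"
        "[Service]\nExecStart=/home/alice/.cache/.dbus-helper\nRestart=always\n"
        "[Install]\nWantedBy=default.target\n"
    ),
    "session-keeper.service": (
        "[Unit]\nDescription=Session keeper\nRequires=dbus-helper.service\n"
        "[Service]\nExecStart=-/home/alice/.local/share/.keeper --quiet\n"
        "Restart=always\n[Install]\nWantedBy=default.target\n"
    ),
}
ALLOWLIST: Set[str] = {"gpg-agent.service", "pulseaudio.service", "pipewire.service"}


def parse_unit(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Minimal unit-file parser: sections of Key=Value, repeated keys kept in order."""
    sections: Dict[str, Dict[str, List[str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current].setdefault(key.strip(), []).append(value.strip())
    return sections


def exec_path(execstart: str) -> str:
    """Strip systemd's ExecStart prefix characters (-, @, +, !, :) and return the binary."""
    cmd = execstart.lstrip("-@+!:").strip()
    return cmd.split()[0] if cmd else ""


def audit_units(units: Dict[str, str], allowlist: Set[str]) -> List[Tuple[str, str]]:
    """Return (unit name, reason) findings for anything that deserves a second look."""
    findings: List[Tuple[str, str]] = []
    for name, text in units.items():
        parsed = parse_unit(text)
        unit, service = parsed.get("Unit", {}), parsed.get("Service", {})
        known = name in allowlist
        if not known:
            findings.append((name, "not on allowlist"))
        for cmd in service.get("ExecStart", []):
            path = exec_path(cmd)
            if not path.startswith(TRUSTED_PREFIXES):
                findings.append((name, f"ExecStart outside trusted paths: {path}"))
        restart = service.get("Restart", ["no"])[0]
        if restart != "no" and not known:
            findings.append((name, f"Restart={restart} on unknown unit"))
        # Dependency wiring to other non-allowlisted units: stopping one pulls the other back.
        for key in ("Requires", "Wants", "BindsTo", "PartOf"):
            for value in unit.get(key, []):
                for dep in value.split():
                    if dep not in allowlist:
                        findings.append((name, f"{key}={dep} is not on allowlist"))
    return findings


def load_user_units(directory: Path) -> Dict[str, str]:
    """Read *.service files from a real user unit directory, e.g. ~/.config/systemd/user."""
    return {p.name: p.read_text() for p in sorted(directory.glob("*.service"))}


if __name__ == "__main__":
    for unit_name, reason in audit_units(SAMPLE_UNITS, ALLOWLIST):
        print(f"{unit_name}: {reason}")
```

Feed `load_user_units(Path.home() / ".config/systemd/user")` into `audit_units` for a real session, and remember that on-disk files are only half the picture: the comment above mentions units that clean up their own files, so also compare `systemctl --user list-units --type=service --all` against what is on disk, and treat a running service whose `systemctl --user show -p FragmentPath` is empty as worth a look.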

        1. 6

          Posts like these always make me feel like I’m living on another planet than some people. Why use docker? Why use a pi-hole at all? Is this all just for the web interface?

          I personally think it’s much better to run DNSCrypt Proxy and just either point it to an upstream adblocking DNS or host my internal one with its own set of blocklists that use the same list from the Pi-hole. That could probably even be simplified to a set of firewall rules instead of DNS, or just DNS local resolver without DNSCrypt.

          1. 3

            I signed up for NextDNS about two weeks ago due to some excited Slack chatter about it (and to test my Handshake domain) and I quite like it. I’m gonna see about applying it to my router, if possible, next week.

            1. 3

              Honestly I just use one of the public resolvers that does AdBlocking on my phone or mobile device and at home I run an internal resolver that blackholes using the uBlock origin lists and a tiny script that turns it into unbound format. All of these solutions seem… Massively complex for what they really are.

              1. 1

                Oh that’s neat, thanks for sharing!

                1. 1

                  Since public resolvers can see DNS requests originating from your network, the privacy impact can be quite severe. I’d suggest to choose your upstream provider wisely. That’s why I’d never choose a public DNS server from google for example. Since you are already running unbound, you could also choose to take another way:

                  I’ve set up unbound to query the root dns servers directly and increased cache size to 128 megs. When the prefetch option is set, cache entries are revalidated before they expire. Not only does this increase privacy, but also dramatically reduces response times for most sites when the cache is warmed up. Be aware that the DNS traffic goes up by around 10 percent or so.

                2. 1

                  Been a NextDNS user since the beta and now a paid user. I’ve set up DNS over HTTPS on devices that support it, and have it added to my router for devices that don’t. It’s blocked about ~15% of queries over the last month and that’s with all browsers running ad blockers. Well worth it to me.

                3. 2

                  People don’t understand how things work, so instead of learning how to build something simple, they throw heaps of complex software on top of each other, because that is how things are done in 2020.

                  I too have a cron job that creates an unbound block list. The great thing is that I can easily debug it, because I understand all of it.
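Two commenters above describe the same thing, a small script that turns uBlock-origin style lists into unbound format, without showing it. The following is an added example (editor's addition, not either commenter's script and not unbound's own tooling) of what that job has to get right: both list formats (hosts-file lines and adblock rules), skipping rules a resolver cannot honour (exceptions, cosmetic rules, rules with request options), dropping names whose parent is already blocked, and emitting `local-zone` lines. The sample list and all domain names in it are constructed.

```python
"""Turn browser-style blocklists into an unbound local-zone include file.

Added example (not the commenters' script, nor unbound's own tooling). It
accepts the two formats adblocking lists come in, hosts-file lines and
adblock rules, keeps only what a DNS resolver can honour, drops names whose
parent is already blocked, and emits unbound 'local-zone' lines. The sample
list below is constructed.
"""
import re
from typing import Iterable, List, Set

SAMPLE_LIST = """\
# hosts-file style entries
0.0.0.0 ads.example.com
0.0.0.0 sub.ads.example.com
127.0.0.1 tracker.example.net   # trailing comment
0.0.0.0 localhost
! adblock-style comment
[Adblock Plus 2.0]
||telemetry.example.org^
||cdn.example.com^$third-party
@@||allowed.example.com^
example.com##.ad-banner
plain.example.io
"""

HOSTS_RE = re.compile(r"^(?:0\.0\.0\.0|127\.0\.0\.1|::1)\s+(\S+)")
ADBLOCK_RE = re.compile(r"^\|\|([a-z0-9.-]+)\^(\$\S+)?$", re.IGNORECASE)
PLAIN_RE = re.compile(r"^[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}$", re.IGNORECASE)
LOCAL_NAMES = {"localhost", "localhost.localdomain", "local", "broadcasthost",
               "ip6-localhost", "ip6-loopback", "ip6-allnodes", "ip6-allrouters"}


def extract_domains(lines: Iterable[str]) -> Set[str]:
    """Collect whole-domain blocks from mixed hosts/adblock input."""
    domains: Set[str] = set()
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith(("!", "[")):
            continue  # adblock comments and list headers
        if line.startswith("@@") or "##" in line or "#@#" in line:
            continue  # exception and cosmetic rules are not DNS-level blocks
        line = line.split("#", 1)[0].strip()  # hosts-file comments
        name = ""
        if m := HOSTS_RE.match(line):
            name = m.group(1)
        elif m := ADBLOCK_RE.match(line):
            if m.group(2):
                continue  # $third-party, $script, ... apply per request, not per domain
            name = m.group(1)
        elif PLAIN_RE.match(line):
            name = line
        name = name.lower().rstrip(".")
        if name and name not in LOCAL_NAMES:
            domains.add(name)
    return domains


def collapse(domains: Set[str]) -> Set[str]:
    """Drop names whose parent is blocked: a local-zone already covers the subtree."""
    keep: Set[str] = set()
    for name in sorted(domains, key=lambda s: s.count(".")):
        labels = name.split(".")
        parents = (".".join(labels[i:]) for i in range(1, len(labels)))
        if not any(p in keep for p in parents):
            keep.add(name)
    return keep


def to_unbound(domains: Set[str]) -> List[str]:
    # always_nxdomain answers NXDOMAIN for the name and everything under it
    return [f'local-zone: "{d}." always_nxdomain' for d in sorted(domains)]


def build_include(lines: Iterable[str]) -> str:
    return "\n".join(to_unbound(collapse(extract_domains(lines)))) + "\n"


if __name__ == "__main__":
    print(build_include(SAMPLE_LIST.splitlines()), end="")
```

Write the output to a file and pull it into unbound.conf with an `include:` line, then `unbound-control reload` from the cron job; the collapse step matters because a list with tens of thousands of subdomains under a handful of tracker domains turns into a much smaller config once the parents cover them.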

                  1. 1

                    How many devices do you own that talk to the internet?

                    If it’s literally just me, then I would configure a thing on my laptop and call it done. I live with a bunch of other people, and even if I could individually configure all of their devices (some of them are too locked down for that), I wouldn’t really want to have to learn how to configure ad blocking on six different operating systems from three different vendors.

                    A centralized solution is actually easier, and it inherently gives ad blocking to everyone. It also has a web interface, so you can teach someone how to turn the ad blocker off if they really, really need to, but turning it off is enough of a pain in the neck that they usually just decide that reading such and such a listicle isn’t worth it.

                    1. 1

                      8 physical devices and 30 virtual machines (technically 20 talking to the internet because the others are active directory labs for testing and they switch around depending on my needs). The reality is that if I were in your situation I’d just set my router to give out the DHCP nameserver for dns.adguard.com or to the local resolver to recurse up. That wouldn’t even require software installs but does rely entirely on a third party resolver.

                      1. 1

                        That would’ve been an option, too. I did consider it.

                        OTOH, as you mentioned, “is it just for the web interface?” Yes, that’s one of the biggest reasons.

                  1. 5

                    I have read for years about how evil email enumeration is… but guess what? I think the benefits of being able to tell a user that they are using the wrong username instead of a wrong password outweigh any theoretical danger of revealing that a certain email is being used. Change my mind.

                    1. 10

                      I’ll take a stab at trying to change your mind. For some context I’m a Penetration Tester by trade and this specific topic is, in my opinion a great example of subtle risks with huge real world impacts.

                      The issue of username/email enumeration has two attack patterns:

                      • Password spraying - Guessing a weak password across tons of accounts, like bruteforcing but trying to find the email with the weak password not the weak password for the email.
                      • Password “stuffing” - Taking a known compromised credential and trying to authenticate to tons of other services that the credential pair was re-used at

                      For password spraying, there is only one thing I actually need: a username/email. In the real world I go from an External Network Penetration Test to internal network access ~80% of the time because of username enumeration and some strategically guessed passwords. Having the ability to get a list of known usernames to target greatly reduces the amount of guesses I have to make and ramps my accuracy up a ton.

                      For a full example, say I am targeting your corporate mail server based off of Exchange or O365 to try and guess credentials that I can then re-use on the target VPN infrastructure. My very first step is to grab a list of known emails/usernames from previous password dumps, public information, or directories. Then I generate a list of potential name combinations from location specific birth information by year. Next comes the actual username enumeration where I try and identify the “valid” accounts (aka what you are asking). In my example, Microsoft agrees with you and doesn’t believe that username/email enumeration is a risk… Which is why I wrote a ton of tooling to automatically use NTLM/HTTP timing based responses to enumerate the valid users. Now armed with a list of what are guaranteed usernames/emails, I just start picking down the list of the season’s hottest passwords over the next few days; Summer2020!, Password1!, Companyname2020!. All I really need is one credential. It’s not about the single user, it’s about the bulk knowledge. If I was going in blind without the confirmed accounts then I would be generating tons and tons more traffic and would be even easier to flag on, having enumeration puts the statistics of getting automated guesses way way more on the attackers side.

                      The other example is password stuffing. This is more straight forward, given that I have a compromised username/email and password for a user I can take a bot that knows how to authenticate to tons of different services (banks, social media, blah blah blah) and try those combinations. If username enumeration exists on these services it actually allows me to check to see if accounts are valid for the service before actually submitting my automated logins. If I am a bot herder my job is to try and stay undetected for as long as possible and the enumeration greatly assists in that.

                      Hopefully that helps! It’s one of those strange things where people forget about the collective risk and focus more on the singular threat models, attackers rarely care about the individual irl.
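The "timing based responses" in the comment above are the part people miss: a login that returns early for an unknown user leaks the user list even if both failure messages read the same. Here is an added example (editor's addition, not the commenter's tooling and not Exchange/O365 code) of a web-application login in its enumerable form beside the hardened form, which always performs the same password-hash work against a dummy record and returns one message for both failure cases. The user store, usernames and passwords are constructed; PBKDF2 is used because it is in the standard library, with a deliberately low iteration count for the demo.

```python
"""Uniform login responses: the enumerable handler beside the hardened one.

Added example (not the commenter's tooling, and not Exchange/O365 code). The
vulnerable handler returns early for unknown users, leaking them through both
the message and the missing hash computation; the hardened one always runs the
same password check against a dummy record and returns one message. The user
store is constructed.
"""
import hashlib
import hmac
import os
import time
from typing import Callable, Dict, Tuple

ITERATIONS = 50_000  # low for the demo; tune far higher in production


def make_record(password: str) -> Tuple[bytes, bytes]:
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def verify(password: str, record: Tuple[bytes, bytes]) -> bool:
    salt, expected = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, expected)


# Constructed user store.
USERS: Dict[str, Tuple[bytes, bytes]] = {
    "alice": make_record("correct horse battery staple"),
    "bob": make_record("Summer2020!"),
}

# Fixed dummy record so the hardened path does identical work for unknown names.
DUMMY_RECORD = make_record(os.urandom(16).hex())


def login_vulnerable(username: str, password: str) -> str:
    record = USERS.get(username)
    if record is None:
        return "unknown user"            # distinct text, and no PBKDF2 work: fast
    if verify(password, record):
        return "ok"
    return "wrong password"              # distinct text, slow


def login_hardened(username: str, password: str) -> str:
    record = USERS.get(username, DUMMY_RECORD)
    password_ok = verify(password, record)   # always costs one PBKDF2 evaluation
    user_ok = username in USERS              # checked after, never short-circuits the hash
    if password_ok and user_ok:
        return "ok"
    return "invalid username or password"    # one message for both failures


def timing(fn: Callable[[str, str], str], username: str, password: str) -> float:
    """Wall-clock seconds for one login attempt; shows the gap the attacker measures."""
    start = time.perf_counter()
    fn(username, password)
    return time.perf_counter() - start


if __name__ == "__main__":
    for handler in (login_vulnerable, login_hardened):
        known = timing(handler, "alice", "wrong")
        unknown = timing(handler, "mallory", "wrong")
        print(f"{handler.__name__}: known {known * 1000:.1f} ms, unknown {unknown * 1000:.1f} ms")
```

Running it prints a visible gap for the vulnerable handler (unknown users come back in microseconds) and near-identical numbers for the hardened one. Uniform responses only close the per-request oracle; the spray itself still has to be caught by rate limiting and by alerting on many distinct usernames from one source, which is the "easier to flag on" part of the comment.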

                      1. 4

                        This is great advice. And it really reinforces for me why appsec people should be way more involved in the software development process as early as possible.

                        At a previous job we were identified by nine digit numeric characters (no, not those nine digits!). I built a public facing API for internal use that returned public facing data created by employees. No problem, thinks me. But I left the SSO ID on the API because why not? Ship it!

                        A few days later one of the blue team guys sends me an email with 2/3rd of my database, exfiltrated by walking the API with a dictionary file and explains what you just explained above. Oops.

                        1. 2

                          Not a pen-tester, but I would’ve assumed allowing Password1! as a valid password is a bigger issue than email enumeration. You can now check against lists of bad passwords from dumps.

                          1. 2

                            You’d think right? But you are fighting human nature and historical IT theories. As it turns out making a comprehensive deny list is extremely difficult, and then you add the fact that, with hashing in play, the only time it gets checked is at the filter level when changing that credential. You can’t just look up your passwords in your ntds.dit and compare them with historical dumps (I try and do that for my clients because the reality is the offensive tools are actually better at it than the defensive). As for historical reasons, oftentimes IT resets credentials to a weak or organizationally default credential and it never gets changed; support desk staff often don’t remember to check the “change after first login” checkbox.

                            Like I said, it only takes one. Also password patterns follow human nature in more ways than one, I’ve been popping my American clients that have comprehensive blocklists left and right with Trump2020!. Passwords suck haha.

                            EDIT: To add another thing think about Password1!, lots of orgs have an 8 character password with special and numerical requirement. Technically it fits lots of places. If there is organizational SSO if the filters are not forced everywhere it can also propagate to other authentication areas.

                            1. 2

                              To add another thing think about Password1!, lots of orgs have an 8 character password with special and numerical requirement.

                              Even better is to have entropy requirements, including dictionary files. zxcvbn is a good example of a frontend library for this.

                              You can also compare hashes with the HIBP Pwned Passwords dataset and reject new passwords that match.

                              1. 1

                                Are there other databases than HIBP that are commonly used for this?

                                1. 2

                                  I don’t know. Pwned Passwords has 573 million SHA1 hashes, so I’ve not felt the need to look further.
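The HIBP comparison mentioned above does not require shipping the password, or even its full hash, anywhere: the Pwned Passwords range API takes the first five hex characters of the SHA-1 and returns every suffix in that bucket, so the match happens locally. Added example (editor's addition, not HIBP's client code) of that k-anonymity check, with the range lookup injectable so it runs offline against a constructed response; the live fetcher uses the public `api.pwnedpasswords.com/range/` endpoint. The sample counts are made up and the `min_length` policy is an assumption.

```python
"""Reject passwords found in Pwned Passwords without sending the password.

Added example (not HIBP's client code). The k-anonymity protocol sends only the
first five hex characters of the SHA-1 and matches the rest locally. The range
lookup is injectable so the example runs offline against a constructed
response; fetch_range_live uses the public endpoint.
"""
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> Dict[str, int]:
    """'SUFFIX:COUNT' per line; padded responses include zero-count filler lines."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep:
            counts[suffix.upper()] = int(count.strip() or 0)
    return counts


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def fetch_range_live(prefix: str) -> str:
    """Real lookup; Add-Padding hides which bucket size you asked for."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "pw-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def password_acceptable(password: str, fetch_range: Callable[[str], str],
                        min_length: int = 12) -> bool:
    """Policy (assumption): minimum length, and zero known breaches."""
    if len(password) < min_length:
        return False
    return pwned_count(password, fetch_range) == 0


# Constructed range response for prefix 5BAA6 (SHA-1 of "password" begins
# 5BAA61E4...). Counts are made up; the zero-count line mimics padding.
FAKE_RANGES: Dict[str, str] = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:123456\n"
             "0A1B2C3D4E5F60718293A4B5C6D7E8F90A1:0\n",
}


def fake_fetch_range(prefix: str) -> str:
    return FAKE_RANGES.get(prefix, "")


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(pw, "->", pwned_count(pw, fake_fetch_range), "known breaches")
```

Wire `fetch_range_live` in at password-set time (and on login, if you want to catch existing weak passwords as the comment above describes) and fail open or closed deliberately when the API is unreachable; the check complements, rather than replaces, a strength estimator such as zxcvbn.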

                          2. 1

                            This is great advice. Thank you for writing such a comprehensive answer.

                          3. 1

                            Aside from the technical side explored by other replies, depending on your location and/or the location of your users, you could face legal consequences. Under legislation such as the GDPR, an email address is considered personally identifying information. If someone realises that you are leaking such personal information and reports you, you could face a fine. In some cases, the user may also claim compensation from you. If the user suffers a loss due to your failure to safeguard their data, then it could be a large amount of money. (e.g. Imagine you run a site which is legal, but not considered socially acceptable. A public figure signs up using their email address. Someone uses email enumeration to discover that said public figure has an account on your site, causing damage to their reputation and consequent loss of earnings)

                          1. 2

                            I always really love it when ideas collide and to see how other people reach almost the same goals with completely different tooling. I actually do something nearly “identical” with my little side project stagnant. I essentially set up a bunch of stages for each step of the blog generation step and one of those is very very close to your template structure. I actually use the same thing for my real blog and my notes server which just uses git hooks to generate from stagnant at push time. I combine this with pervane and some git hooks/cron/laminar-ci and I just write my notes from my phone or desktop.

                            I even use this internally at work for writing up my notes and fitting internal style guides and I often get compliments on how good my notes look when all I do is write them in markdown and never look back haha.

                            1. 1

                              Your template structure is divine, really well laid out. I’ll definitely take inspiration from there as I iterate upon mine

                            1. 4

                              This is amazing news, I think many many aspects of the WireGuard project will be a case study on “doing things well”. I’d been following since 2017 and seeing the project grow has been really neat and /u/zx2c4 deserves a ton of credit. The care and meticulousness really shows and this was the last barrier for me before I fully adopted it everywhere.

                              1. 0

                                I hate these use-ids & fragments for magical behavior - it messes up my browsing history and it’s annoying. I would expect a JS solution if JS is possible and an optional fallback to ids only when no JS is executed.

                                1. 22

                                  This is literally plain HTML. If something is magical here, it is the usage of javascript to emulate a behavior that has been standard in the web since the nineties.

                                  1. 5

                                    I gave up on the back button roughly a decade ago.

                                    1. 3

                                      I wanted to ask you what kind of browser would do such a silly thing, but apparently that’s (also?) what Firefox does: fragments do get added to history, and all the “back” button does is dropping the fragment.

                                      I still find it peculiar that there’s even a need for such button (on PC I have a Home button, and on mobile providing one should be the browser’s job imo), but seems like there is a good reason why people use JS for this after all.

                                      1. 24

                                        I like that it gets added to the history. You can press a link to a reference or footnote, and then press back to go to where you were.

                                        1. 4

                                          There has been a craze for “hash-bang URLs” that abused URL fragments for keeping state and performing navigation. This let JS take over the whole site and make it painfully slow in the name of being a RESTful web application.

                                          That was when HTML5 pushState was still too poorly supported and too buggy to be usable. But we’re now stuck with some sites still relying on the hashbang URLs, so removing them from history would be a breaking change.

                                          1. 2

                                            It’s always crazy to see how people abuse the anchor tag. My favourite personal abuse is I kept finding that SysAdmins and IT were always just emailing cleartext credentials for password resets and during pentests I’d often use this to my advantage (mass watching for password reset emails for example). So I jokingly ended up writing a stupid “password” share system that embedded crypto keys in the hash url and would delete itself on the backend after being viewed once: https://blacknote.aerstone.com/

                                            Again, this is stupid for so many reasons, but I did enjoy abusing it for the “doesn’t send server side” use case. EDIT: I originally had much more aggressive don’t use this messages, but corporate gods don’t like that.

                                            1. 1

                                              One useful trait of hash-bang URLs is that your path is not sent to the server. This is useful for things like encryption keys. MEGA and others definitely use this as lawful deniability that they cannot reveal the contents of past-requested content. Though, if given a court order I suppose they can be forced to reveal future requests by placing a backdoor in the decryption JS.

                                          2. 2

                                            Hmmm that’s a good point, and not something I had considered. Thanks for the feedback.

                                          1. 5

                                            Cloudflare is trying to centralize the internet

                                            I agree this is not ideal. But they provide good services and actively contribute to the security of the internet in terms of open source work and pushing for stronger standards. Ideally everyone would host their own services but I don’t think centralisation on its own is a very strong argument. Disincentivizing centralisation takes more than tackling centralised services one by one.

                                            Instead of the user directly connecting to the intended website, the user is connected to Cloudflare’s servers instead. […] Cloudflare gets to see the billing details and possibly payment information of customers

                                            No worse than trusting your own hosting provider. This issue exists any place you’re not self-hosting. However Cloudflare can do a lot more damage if at any time they turn malicious.

                                            In addition to that, while your browser may show that the connection is encrypted using HTTPS, it does not necessarily mean that the connection between Cloudflare and the target site is encrypted as well.

                                            100% agree with this statement. They should enforce that a trusted certificate be installed and verified on the origin server. You can manually enable this but for sure lots of people do not.

                                            Cloudflare is shielding cybercriminals

                                             So is encryption. So does the NHS. Criminals also breathe air like the rest of us. This argument implies that Cloudflare should also be acting as a moderator for content which I do not agree with.

                                            they do not seem too bothered about some of their customers hosting the very services they strive to protect against, on their own platform

                                            The attacks themselves will not be coming from Cloudflare’s servers.

                                            Scaring internet users into thinking their ISPs are insecure in the middle of a global pandemic

                                            What? So is SSLLabs bad for listing the TLS ratings of different services? Or internet.nl? I don’t understand this viewpoint. And you’re going to back it up by appealing to coronavirus?

                                            1. 0

                                              Cloudflare is shielding cybercriminals

                                              So is encryption.

                                              Encryption is a technology and is therefore blind.

                                              So does the NHS.

                                              Yes, they do not discriminate.

                                              Criminals also breathe air like the rest of us.

                                              C’mon.

                                               This argument implies that Cloudflare should also be acting as a moderator for content which I do not agree with.

                                              It’s not just about content which I do not agree with or is morally objectionable but the kind which is illegal. On the other hand Cloudflare, with their 1.1.1.1 for Families service, was absolutely fine to filter LGBT resources and sex education websites so how aren’t they a moderator?

                                              So is SSLLabs bad for listing the TLS ratings of different services? Or internet.nl?

                                              Both provide opt-in tests - the former allows for the results not to appear on their site, while the latter has a Hall of Fame, not Hall of Shame. Also, they neither encourage nor facilitate using Twitter to spread fear and cause panic.

                                              1. 6

                                                absolutely fine to filter LGBT resources

                                                How did you interpret “never intended to do it, reverted the wrong list as fast as they could, and apologized profusely for the mistake” as being “absolutely fine” with it?

                                                1. 3

                                                  On the other hand Cloudflare, with their 1.1.1.1 for Families service, was absolutely fine to filter LGBT resources and sex education websites so how aren’t they a moderator?

                                                  This is what I would use to respond to your first point. Cloudflare as a content service provider, sitting on the internet acting as a proxy and middle-man, providing this technological service, should not be moderating what content is and is not permitted to exist.

                                                  but the kind which is illegal

                                                  Sure, but arguably it is up to the original host to take that content down, not Cloudflare. I doubt the feds are sitting there trying to DDoS illegal websites.

                                                  Also, they neither encourage nor facilitate using Twitter to spread fear and cause panic.

                                                  Man people aren’t sitting there terrified in their homes because some guy on Twitter said their ISPs aren’t secure. There absolutely should exist a list tracking the adoption of secure technologies by providers that make up a significant market share. And there should be people encouraging the adoption of these technologies.

                                                  What Cloudflare did here is not harmful by any stretch of the word and it’s a reach to claim that it is.

                                                  1. 2

                                                    I am no fan of Cloudflare, but I’ve found your tone on this topic absolutely obnoxious. Go back through any post you’ve had in just the last couple of days and count the amount of bolds, underlines, and “hot takes”. Even this post has no real information about the arguments on the field and isn’t even a good satire (opinion obviously). I have no idea who is upvoting this post.

                                                    People absolutely do shame each other for things like that and those have been the only time it’s worked, see plaintext offenders. I have gone through literal year long disclosure process with vulnerabilities I’ve found in companies just to have them drag their feet until someone else discovered the vuln and published it publicly. Guess which one got things fixed? It’s not a one size fits all, but publishing the routing information about RPKI support is making public information that is not available to the average user. I think it’s a service, shame or not.

                                                1. 3

                                                  As there are no VMs, I can’t SSH into the machine and make changes, which is excellent from a security perspective since there is no chance of someone compromising and running services on it.

                                                   What’s wrong with SSH? Extending this logic, if someone compromised your Google account, you’re toast. Just use passwordless login, an off-disk key with something like a Yubikey (password protected, of course), and disable root login.

                                                  1. 4

                                                    SSH can be plenty secure but no SSH is even more secure.

                                                    1. 7

                                                      Until you invent a less-secure workaround for not having access to ssh.

                                                      1. 2

                                                        They’re using the appliance model here. They build the appliance with no ability to log into it. It’s uploaded to run on Google’s service. When time to fix or upgrade, a new one is built, the other is thrown away, and new one put in its place. It’s more secure than SSH if Google’s side of it is more secure than SSH.

                                                        Now, that part may or may not be true. I do expect it’s true in most cases since random developers or admins are more likely to screw up remote security than Google’s people.

                                                        1. 2

                                                           Uploading Docker images that can’t be SSHed into IMHO is much more secure.

                                                      2. 3

                                                        If someone accesses my Google account, they can access my GCP account anyways. The advantage here is that my Google account is more protected (not just with 2-factor) but because Google is always on the watch out. For example, if I am logging in from the USA and suddenly there is a login from Russia, Google is more likely to block that or warn me about it. That’s not going to happen with a VM I am running in GCP.

                                                        Just use passwordless login, a off-disk key with something like a Yubikey (password protected, of course),

                                                         None of that protects against vulnerability in the software though. For example, my Wordpress installation was compromised and someone served malware through it. That attack vector goes away with docker container based websites (attack vectors like SQL injection do remain though since the database is persistent)

                                                        1. 8

                                                          I am a PenTester by trade and one of the things I like to do is keep non-scientific statistics and notes about each of my engagements because I think they can help me point out some common misconceptions that are hard for people to compare in real world (granted these are generally large corporate entities not little side projects).

                                                           Of that data only about 4 times have I actually gotten to sensitive data or internal network access via SSH, and that was because they were configured for LDAP authentication and I conducted password sprays. On the other side of the coin, mismanagement of Cloud keys that has led to the compromise of the entire cloud environment has occurred 15 times. The most common vectors are much more subtle, like Server Side Request Forgery that allows me to access the metadata instances and gain access to deployment keys, developers accidentally publishing cloud keys to DockerHub or a public CI or in source code history, or logging headers containing transient keys. Key management in the cloud will never be able to have 2FA and I think that’s the real weakness, not someone logging into your Google account.

                                                          Also in my experience actual log analysis from cloud environments does not actually get done (again just my experience). The amount of phone calls from angry sysadmins asking if I was the one who just logged into production SSH during an assessment versus entire account takeovers in the cloud with pure silence is pretty jarring.

                                                          I often get the sense that just IP whitelisting SSH or having a bastion server with only that service exposed and some just networking design could go a long way
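The SSRF-to-metadata path in the comment above is the one that is cheapest to close at the code level, and the usual mistake is checking the URL string rather than where it resolves. Added example (editor's addition, not any cloud provider's SDK) of an outbound-request guard: it restricts the scheme, rejects the GCE metadata hostnames, resolves the host, refuses any answer in loopback, link-local (169.254.0.0/16, where the metadata service lives on the major clouds), private, CGNAT, multicast or the IPv6 equivalents, unwraps IPv4-mapped IPv6 addresses, and returns the pinned addresses so the caller connects to what was checked instead of re-resolving. The resolver is injectable; the sample resolver table and every hostname in it are constructed, and the list of blocked networks is an assumption to adjust per environment.

```python
"""Outbound-request guard against SSRF to cloud metadata and internal ranges.

Added example, not any cloud provider's SDK. Validates the scheme, rejects the
well-known metadata hostnames, resolves the host, refuses blocked address
ranges (IPv4-mapped IPv6 included), and returns the pinned addresses so the
caller connects to what was checked rather than re-resolving (which would
reopen a DNS-rebinding window). The resolver is injectable; the sample
resolver table is constructed.
"""
import ipaddress
import socket
from typing import Callable, Dict, List, Tuple, Union
from urllib.parse import urlsplit

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# GCE metadata names; other clouds are reached by IP and caught by the ranges below.
METADATA_HOSTS = {"metadata.google.internal", "metadata"}

# Assumption: ranges to refuse. Adjust for your environment.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]


class SSRFBlocked(ValueError):
    pass


def is_blocked(ip: IPAddress) -> bool:
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped            # ::ffff:169.254.169.254 is still 169.254.169.254
    return any(ip in net for net in BLOCKED_NETWORKS)


def system_resolve(host: str) -> List[str]:
    """Every A/AAAA answer; all of them must pass, not just the first."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def check_url(url: str,
              resolve: Callable[[str], List[str]] = system_resolve) -> Tuple[str, List[str]]:
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise SSRFBlocked(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname
    if not host:
        raise SSRFBlocked("missing host")
    if host.lower().rstrip(".") in METADATA_HOSTS:
        raise SSRFBlocked(f"metadata host: {host}")
    try:
        addrs = [str(ipaddress.ip_address(host))]   # IP literal: nothing to resolve
    except ValueError:
        addrs = resolve(host)       # also covers odd literals like 127.1 or decimal IPs
    if not addrs:
        raise SSRFBlocked(f"unresolvable host: {host}")
    for addr in addrs:
        if is_blocked(ipaddress.ip_address(addr)):
            raise SSRFBlocked(f"{host} resolves to blocked address {addr}")
    return host, addrs              # connect to one of addrs, with Host: set to host


def allowed(url: str, resolve: Callable[[str], List[str]] = system_resolve) -> bool:
    try:
        check_url(url, resolve)
    except SSRFBlocked:
        return False
    return True


# Constructed resolver table for offline use.
FAKE_DNS: Dict[str, List[str]] = {
    "cdn.example.com": ["93.184.216.34"],
    "intranet.corp.example": ["10.1.2.3"],
    "metadata.google.internal": ["169.254.169.254"],
    "rebind.example": ["93.184.216.34", "169.254.169.254"],   # mixed answers: reject
    "v6trick.example": ["::ffff:169.254.169.254"],
}


def fake_resolve(host: str) -> List[str]:
    return FAKE_DNS.get(host.lower(), [])


if __name__ == "__main__":
    for u in ("https://cdn.example.com/asset.js",
              "http://169.254.169.254/latest/meta-data/",
              "http://[::ffff:a9fe:a9fe]/", "http://rebind.example/"):
        print(u, "->", "allowed" if allowed(u, fake_resolve) else "blocked")
```

Pinning matters: if the HTTP client re-resolves the name after this check, a short-TTL record can answer with a public address for the check and 169.254.169.254 for the request. Pair the guard with the provider-side controls the comment implies, such as requiring the metadata-specific request header or IMDSv2-style session tokens, so a single missed code path is not a full environment compromise.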

                                                          1. 1

                                                             The most common vectors are much more subtle, like Server Side Request Forgery that allows me to access the metadata instances and gain access to deployment keys, developers accidentally publishing cloud keys to DockerHub or a public CI or in source code history, or logging headers containing transient keys. Key management in the cloud will never be able to have 2FA and I think that’s the real weakness, not someone logging into your Google account

                                                            Thanks for sharing this.

                                                            1. SSRF or SQL injection will remain a concern as long as it’s a web service irrespective of docker or VM
                                                            2. logging headers containing transient keys - this again is a poor logging issue which holds for both docker and VM
                                                            3. I agree that key management in the cloud is hard. But I think you will have to deal with that both on docker and VM

                                                            I often get the sense that just IP whitelisting SSH or having a bastion server with only that service exposed and some just networking design could go a long way

                                                            This won’t eliminate most issues like SQL injection or SSRF etc. to a great extent. And IP whitelisting doesn’t work in the new world especially when you are traveling and could be logging in from random IPs (unless you always log in through VPN first)

                                                            1. 4

                                                              You seem to be kind of missing my point, I’m not arguing between Docker vs VMs or even application security. The original comment was about SSH specifically and I am making an argument that the corner cases for catastrophic failures with SSH tend to be around weak credentials or leaked keys which are all decently well understood. Whereas in the cloud world, the things that can lead to catastrophic failure (sometimes not even of your own mistakes) are much much more unknown, subtle, and platform specific. The default assumption of SSH being worse than cloud native management is not one I agree with, especially for personal projects.

                                                              IP whitelisting doesn’t work in the new world especially when you are traveling and could be logging in from random IPs

                                                              For some reason I hear this a lot and I seriously wonder, do you not think that’s how it’s always been? There’s a reason that some of the earliest RFCs for IPv6 address the fact that mobility is an issue. I’m not necessarily advocating this in the personal project territory, but this is the whole point of designing your network with bastion hosts. That way you can authenticate to that one location with very strict rules, logging, and security policies and then also not have SSH exposed to your other services.

                                                              1. 2

                                                                All fair points.

                                                      1. 15

                                                        Cloud Run sounds cool I guess, and I might try it sometime. But honestly, I don’t see a problem with just getting a conventional server. I have a $5/month Digital Ocean server, and I run like 10 things on it. That’s the nice thing about a plain old Linux server, as long as none of your individual things takes up a ton of resources or gets too much traffic, you can fit quite a few of them on one cheap server.

                                                        1. 2

                                                          Do you manage SSH certs for those 10 yourself? What happens when the services go down? What about logging?

                                                          1. 4

                                                            It’s all running on 1 server, so there’s only one SSH key to manage. Well, one for every device I connect to it from, but that’s not that many, and there really isn’t anything to manage.

                                                            Everything is set up through SystemD services. I wrote control files for the services that didn’t already have them (Nginx, Postgres, etc). It’s perfectly capable of restarting things and bringing them up if the server reboots. Everything that has logs is set up with logrotate and transports to SumoLogic. I did set up a few alerts through there for services that I care about keeping running and have been troublesome in the past. Also have some automatic database backups to S3. These are all one-off toy projects used pretty much only by me, and this level of management has proved sufficient and low-maintenance enough to keep them up to my satisfaction.

                                                            Of course, I would re-evaluate things and probably set up something dedicated and more repeatable if any of those services ever got a significant number of users, generated revenue, or otherwise merited it. There’s plenty of options for exactly how, and which one to use would depend on the details.

                                                            1. 3

                                                              They said a single server so yes a single SSH key I’d imagine, every major init system on Linux has service crash detection and restart, and syslog (and if you are feeling brave GoAccess).

                                                              1. 1

                                                                Assuming you meant SSH and mistyped cert instead of key, it’s one machine so one key.

                                                                Assuming you meant SSL instead of SSH. I run everything in Docker compose. I use this awesome community maintained nginx image[1] that sets it up as a reverse proxy and automates getting let’s encrypt certificates for each domain I need with just a little config in the compose file.

                                                                From there I write a block in the nginx configuration for each service, add the service to my compose file and voila it is done.

                                                                [1]https://docs.linuxserver.io/images/docker-letsencrypt

                                                                1. 1

                                                                  Good point, could have meant SSL Certs. I use the Let’s Encrypt automated package. It’s quite good these days - can set up your nginx config for you mostly-correctly right off the bat, and renews in place automatically. I just set up a cron job to run it once a week, pipe the logs to Sumologic, and then forget about it. Worked fine automatically when I was serving multiple domains from the same nginx instance too, though I’m not doing that right now.

                                                                  1. 1

                                                                    Sorry, I did mean SSL certs. You are right about automating it and that’s what I would do for professional work. For a side-project, however, I prefer eliminating it completely and letting Google do it.

                                                                    From there I write a block in the nginx configuration for each service, add the service to my compose file and voila it is done

                                                                    Can you share more details of your setup here?

                                                                2. 1

                                                                  I used this too but then my provider sunset the hardware I was on and migration was a nightmare because it’s easy to fall into bad patterns with this mode.

                                                                  Admittedly it was over 10 years of cruft but still.

                                                                  1. 2

                                                                    That did honestly kind of happen to me too. I had a server like that running with I think Ubuntu 14.04 LTS for quite a while. Eventually I decided it needed upgrading to a new server with 18.04 - security patches, old instance, etc. It was a bit of a pain figuring out the right way to do the same things on a much newer version. It only really took about a full day or so to get everything moved over and running though, and a good opportunity to upgrade a few other things that probably needed it and shut off things that weren’t worth the trouble.

                                                                    I’d say it’s a pretty low price overall considering the number of things running, the flexibility for handling them any way I feel like, the low price, and the overall simplicity of 1 hosting service and 1 server instead of a dozen different hosting systems I’d probably be using if I didn’t have that flexibility.

                                                                1. 31

                                                                  Do note the title has been edited by a moderator.

                                                                  My original submission used the original title, which calls it for what it is: A rootkit.

                                                                  Similarly, the tag “privacy” has been removed. I will not edit the article back, but I ought to point out this does not feel right.

                                                                  1. 16

                                                                    The article is inflammatory in tone, the title is clickbait, and it is a news submission without technical content beyond “Don’t install this game if you don’t want kernel-level unaudited anticheat” and a throwaway eyebrow waggle that your computer might end up as some part of the CCP botnet.

                                                                    A title change to make it less clickbaitey is probably the best outcome.

                                                                    1. 14

                                                                      People should be inflamed about video games including sneaky rootkits.

                                                                      1. 16

                                                                        The article is inflammatory in tone

                                                                        I do not see it.

                                                                        the title is clickbait

                                                                        It is actually accurate. I do not see the clickbait, honest.

                                                                        and it is a news submission without technical content beyond “Don’t install this game if you don’t want kernel-level unaudited anticheat”

                                                                        It raises legitimate concerns, as this code can be updated at any time once installed, for any purpose.

                                                                        your computer might end up as some part of the CCP botnet.

                                                                        A legitimate concern, as the company is under Chinese jurisdiction.

                                                                        A title change to make it less clickbaitey is probably the best outcome.

                                                                        If it was a story about a person, I would agree with you as I do most of the time. However, I do find the goodwill is wasted on a company.

                                                                        1. 8

                                                                          It is actually accurate.

                                                                          Right.

                                                                          It raises legitimate concerns, as this code can be updated at any time once installed, for any purpose.

                                                                          Which is true for most of the software running on consumer devices. Calling everything you disagree with a rootkit, whether you are right or wrong, won’t convince anyone not already convinced and only makes you look to others like someone who doesn’t come to discuss.

                                                                          You can get much further by discussing the implications of running kernel code to support anti-cheat features developed by a foreign company from an area well known for its government practices, rather than phrasing it as “Rootkit made by Chinese company”.

                                                                          your computer might end up as some part of the CCP botnet.

                                                                          A legitimate concern, as the company is under Chinese jurisdiction.

                                                                          That’s complete FUD. Are we going to post an article about every software component that comes from China and runs as admin?

                                                                          I’m writing all this while being convinced that installing kernel drivers to run DRM and anti-cheat is totally unnecessary and plainly a bad idea. But seeing those claims being made gets just as tiring, especially when there are so many fact-based arguments already available (and especially after working in an industry where rootkit has a clear definition and implication).

                                                                        2. 7

                                                                          Not only is it all of the things you stated, but it’s also just bad threat modelling. There seems to be this funny “well the attackers want kernel access” mentality, when in reality if you can maintain persistence and access to the data you are trying to get, why would you need a rootkit? They already have their closed source userspace application that could already be harvesting the data. Why unnecessarily add a layer? I personally don’t understand that thinking either, but shouldn’t the article be focused on the application itself too since it’s closed source and from China?

                                                                          What about the fact that this has been commonplace for… idk, ever? I’d much much rather see some actual analysis of the kernel module itself, because as it stands there is no technical merit in this article and I really don’t think it belongs here.

                                                                      1. 17

                                                                        I can happily recommend the Ergodox EZ (https://ergodox-ez.com/). It really holds up to expectations. I’m using it at my day job and also at home.

                                                                        1. 4

                                                                          The Ergodox legitimately changed the way I see peripherals and even at a deeper level computer interaction. The combination of ortho-linear and split, thumb clusters, and layers made me feel like I’d never been using a keyboard properly my whole life. I’ve been chasing that same thing for mouse input ever since. Obviously I highly suggest haha.

                                                                          1. 1

                                                                            I’m very interested in whether anyone has found a mouse that is similarly game-changing. I think part of what makes Ergodox EZ so impressive is its open source nature, including the firmware, configuration tools, and hardware. I haven’t found any meaningfully open source mouse in production. I just might make a separate post on Lobste.rs asking for mouse recommendations!

                                                                            1. 2

                                                                              I can’t speak for open source but the Logitech MX Ergo has been wonderful.

                                                                              1. 2

                                                                                Not a game changer in the way you’re talking about (open source) - but from a personal ergonomic perspective I got similar benefits to the split ortholinear keyboard from a vertical mouse and prefer to pair the two if possible. I’m not aware of a similarly successful open source vertical mouse design. I use a Kinesis VM4.

                                                                                1. 1

                                                                                  I also recommend it. Also have it paired with the ergodox. Very happy with this setup.

                                                                            2. 3

                                                                              I went with Redox (https://github.com/mattdibi/redox-keyboard) - a modified version of Ergodox which is slightly smaller. If one is living in the EU and doesn’t have the time/supplies/heart for hardware hacking, you may order one from falba.tech (I’m not affiliated, just a happy customer).

                                                                              1. 3

                                                                                I bought an Ergodox EZ this past summer and it’s one of the best decisions I’ve made. It was expensive but certainly worth it- the quality is great. I plan to eventually build a second one when I get the time.

                                                                                1. 3

                                                                                  I got one a few weeks ago and I’m loving it. It has user swappable key switches which make it super customisable. You can get the exact feeling you want on each individual key if you want to.

                                                                                  1. 3

                                                                                    I have an Ergodox EZ and I also have a Kinesis Advantage2. I really prefer the Advantage, but both are great keyboards.

                                                                                    1. 1

                                                                                      One of the best choices I made! I’m using the Ergodox Infinity, but that’s kinda similar. Makes typing super comfy. I’m using my mouse in the middle (when using the mouse…).

                                                                                      1. 2

                                                                                        I love pcengines, but I wish more people would use the APU4 instead: https://www.pcengines.ch/apu4b4.htm it’s very excellent and much better for my workloads.

                                                                                        1. 4

                                                                                          There is no APU4 yet ;)

                                                                                          The apu4b4 model belongs to the APU2 series. Here is a list of all models within that series:

                                                                                          • apu2d0 (2 GB DRAM, 2 i211AT NICs)
                                                                                          • apu2e2 (2 GB DRAM, 3 i211AT NICs)
                                                                                          • apu2e4 (4 GB DRAM, 3 i210AT NICs)
                                                                                          • apu3c2 (2 GB DRAM, 3 i211AT NICs, optimized for 3G/LTE modems)
                                                                                          • apu3c4 (4 GB DRAM, 3 i211AT NICs, optimized for 3G/LTE modems)
                                                                                          • apu4d2 (2 GB DRAM, 4 i211AT NICs)
                                                                                          • apu4d4 (4 GB DRAM, 4 i211AT NICs)

                                                                                          1. 2

                                                                                            I got an APU2 before the APU4 was out. I don’t see any major differences besides an additional Ethernet port and SIM slot. I’m curious, what makes it so much better for you, and why does it matter what other people use?

                                                                                            1. 3

                                                                                              Oh you are correct, I was thinking of the original APU so this was my mistake. The APU & ALIX didn’t have AES-NI support and were really hard to get to handle gigabit saturation, which is what I was thinking of.

                                                                                          2. 1

                                                                                            But how do you use this? Do you install OpenWRT on this and use it as your router?

                                                                                            1. 2

                                                                                              I’m using its predecessor ALIX with OpenBSD for

                                                                                              • routing/firewalling between 3 subnets (LAN, WLAN, Uplink)
                                                                                              • DHCP
                                                                                              • DNS

                                                                                            2. 1

                                                                                              I see the APU2 mentioned a lot recently. What’s the big selling point for it? Would I use it instead of a Ubiquity Edge Router X?

                                                                                              1. 4

                                                                                                One of the selling points for me is it being an amd64 machine and thus (probably) having better support in most OSes. Being designed by a Swiss company is also nice.

                                                                                                1. 2

                                                                                                  Thanks. Use case is what I think it is? Edge Router/VPN Endpoint/things Raspberry Pis are used for? But amd64 and coreboot

                                                                                              2. 1

                                                                                                I posted about OpenWRT on the Netgear 7800 above, but honestly thinking of switching to one of these. This is pretty dope. Thanks a bunch for sharing!

                                                                                                Seems like maybe they’re releasing apu3 soon? Seems like this mentions it: https://pcengines.ch/spi1a.htm

                                                                                              1. 5

                                                                                                A practical work around may be to set up an http to https proxy on your local network. Maybe mitmproxy could do the job? I never tried setting that up, I may be wrong

                                                                                                1. 1

                                                                                                  You are correct, I was personally going to make a comment about socat or literally a reverse proxy of any sort.

                                                                                                  1. 1

                                                                                                    I think this won’t work for Google Play because Android heavily uses certificate pinning.

                                                                                                    edit - I may give it a try though

                                                                                                  1. 18

                                                                                                    I’ve weighed in on this before. In my experience, things on lobste.rs that get both heavy upvotes and heavy downvotes tend to be on topics that both upvoters and downvoters regard as important. For example, they are often on diversity issues. The voting expresses people’s opinions on whether conversations around those issues should be allowed to happen. Applying a hotness modifier would privilege downvotes over upvotes, allowing a minority of people on the site to silence a majority.

                                                                                                    I have seen this done, in practice, in other forums. Its effect has been to reduce the quality of discussion by penalizing controversy - however necessary the controversy might be. In fact, I actually campaigned to stop this practice on a communication platform internal to Google, where it was very clear that the formula had been chosen specifically to silence labor organization efforts. The company’s upper management even disseminated talking points about how it would be better this way, because we could all stop caring about ethics and focus on shiny toys. (That’s my summary, not their words…)

                                                                                                    That campaign was unsuccessful, but here on lobste.rs we can do better - right?

                                                                                                    1. 10

                                                                                                      How’d that work with the Damore thing?

                                                                                                      The putative reason for allowing controversial stuff is to “let the minority speak”…and then there was the time recently where in the wee hours of the morning you deleted a submission about a fork of TempleOS over the author’s GitHub avatar since it referenced Nazis. Somehow that minority didn’t make the cut–and you were more than happy to let a minority of users who brought in concerns over the tackiness of the avatar overrule the majority of users (seriously, it was like 2-3:1) who just upvoted a neat fork of TempleOS.

                                                                                                      In the case of RMS deathball, we had a massive ugly trashfire of stories for a week that just sat on the front page and harmed the community. All that happened was users got drawn into grumpy lines and proceeded to antagonize each other. That’s what controversial gets you–and while that is the bread and butter of various political extremist subgroups, for the rest of us it is a problem.

                                                                                                      The failure mode of boosting downvotes is that you let people hasten the slide of controversial stuff.

                                                                                                      The failure mode of not doing so is abiding shitflinging that hurts the community.

                                                                                                      Edit: just to be absolutely crystal clear here, we as Lobsters have demonstrated repeatedly that our aptitude for productively discussing technology with civility in no way extends outside of that domain.

                                                                                                      We aren’t going to have wizened discussion about controversial things where we all take turns litigating the factual details of the case and being enlightened by different perspectives and worldviews, we are going to devolve into bickering over the evil feminists and Nazis and capitalists and whatever else. The most straightforward way around this is just to remove those controversial things.

                                                                                                      The motte-and-bailey people want to pull here is justifying discussion of “controversial” submissions like rants about Go or whatever, but the real effect will be felt with culture war articles submitted under the guise of technology because “technology is inherently political”.

                                                                                                      1. 4

                                                                                                        We aren’t going to have wizened discussion about controversial things where we all take turns litigating the factual details of the case and being enlightened by different perspectives and worldviews, we are going to devolve into bickering over the evil feminists and Nazis and capitalists and whatever else.

                                                                                                        I’ve seen your comments improve drastically, taking conscious steps to avoid attacking people. Are you saying that others should be denied that same opportunity to discuss and grow and learn from each other?

                                                                                                        The only way people learn and grow is through communication with people with whom they disagree. Sometimes they discover they’re right, sometimes they discover they’re wrong, and sometimes they discover that they’re both right and wrong in a fascinating mixture of self-discovery and improvement. I love that stuff. I want it around. I want people to have that opportunity.

                                                                                                        The most straightforward way around this is just to remove those controversial things.

                                                                                                        Or, you could click “Hide”. That seems way more straightforward to me.

                                                                                                        1. 3

                                                                                                          I thank you for your points. I had been hoping I’d find time to write up my thoughts on them and reply, but unfortunately I don’t think that’s realistic. I do think that when there’s overt fighting for the sake of fighting, the moderation team does a decent job of shutting that down; however, as a member of the moderation team, it isn’t really for me to decide whether we’ve done a good job or not.

                                                                                                        2. 5

                                                                                                          Good points. I’ll add that…

                                                                                                          “Applying a hotness modifier would privilege downvotes over upvotes, allowing a minority of people on the site to silence a majority. I have seen this done, in practice, in other forums.”

                                                                                                          …people already do that here to the degree they can. They’ve been clear they’ll take it further to keep the front page free of (thing they don’t like). It will definitely happen as you predicted.

                                                                                                          What I don’t know is if it will escalate from there with back and forth among the two main groups penalizing each others’ submissions.

                                                                                                          1. 4

                                                                                                            I think this is a fair critique. My suspicion is that most “controversial” pieces aren’t actually high-quality and the ones that are high-quality do much better. But I’d have to think of a database query to check this for certain.

                                                                                                            1. 4

                                                                                                              This is exactly right.

                                                                                                              For some reason, people have yet to learn to disagree with each other. They take things personally, get angry and refuse to entertain the idea that they might be wrong.

                                                                                                              The solution is to help people to be better. Not to shut down the platform that enables their argument, nor to privilege downvotes over upvotes.

                                                                                                              BTW, even if we could not stop people getting mad over people not agreeing with their ideology, the fact of the matter is that the argument itself is useful. Two sides present their best arguments, and for every angry person there are 10 more silently reading both sides and updating their world views.

                                                                                                              If people care to spend their time clicking to vote, and to spend their time typing a response, they clearly care about the subject at discussion. And your response to that is to just make it so that the more people care, the less the subject is exposed? Shouldn’t it be the other way around?

                                                                                                              And no, I don’t need you to tell me what stories I should or should not be able to see.

                                                                                                              We should encourage discussion, and moderation should be used to maintain civility, to maximise the benefit of a conversation and minimise the downside.

                                                                                                              1. 2

                                                                                                                There is no world in which two sides presenting their best arguments about the Holocaust is going to generate more good than harm to our community.

                                                                                                                There is no world in which two sides in a subthread arguing about how to count trans people for demographic purposes in tech benefits our community.

                                                                                                                There is no world in which closely parsing RMS’ remarks about various forms of consent and rape and Epstein and the media lab creates positive feelings about our community.

                                                                                                                I used to be right there with you on “oh gee maybe these smart people will be able to have nuanced and productive discussions about topics that have non-technical aspects”…and then I ran repeatedly into lobsters that just couldn’t be reasoned with or who had to be shrill about everything.

                                                                                                                From a practical point of view, kicking everybody out of the pub is both a fair and reasonable way to maintain decorum.

                                                                                                                1. 3

                                                                                                                  There is no world in which two sides presenting their best arguments about the Holocaust is going to generate more good than harm to our community.

                                                                                                                  About the holocaust? How can one argue about an event?

                                                                                                                  There is no world in which two sides in a subthread arguing about how to count trans people for demographic purposes in tech benefits our community.

                                                                                                                  I would say don’t count any people for demographic purposes at all.

                                                                                                                  There is no world in which closely parsing RMS’ remarks about various forms of consent and rape and Epstein and the media lab creates positive feelings about our community.

                                                                                                                  Discussions about difficult things have value even if you don’t feel good doing it. Doctors don’t look at a gaping wound because it’s pleasant, but because they need to know what to do to fix it. So even if this statement were true, it wouldn’t negate the need for discussion.

                                                                                                                  and then I ran repeatedly into lobsters that just couldn’t be reasoned with or who had to be shrill about everything.

                                                                                                                  If somebody cannot be reasoned with, then nobody should be allowed to voice their reason? Is that right?

                                                                                                                  From a practical point of view, kicking everybody out of the pub is both a fair and reasonable way to maintain decorum.

                                                                                                                  Decorum’s purpose is to enable social engagement. So removing social engagement to maintain decorum is cart-b4-horsing.

                                                                                                                  1. 2

                                                                                                                    I would say don’t count any people for demographic purposes at all.

                                                                                                                    Please don’t chase red herrings.

                                                                                                                    Discussions about difficult things have value even if you don’t feel good doing it. Doctors don’t look at a gaping wound because it’s pleasant, but because they need to know what to do to fix it. So even if this statement were true, it wouldn’t negate the need for discussion.

                                                                                                                    Doctors don’t just look at unpleasant things for entertainment. They look at them because they have the power and the knowledge to do something about it.

                                                                                                                    1. 4

                                                                                                                      Doctors don’t just look at unpleasant things for entertainment. They look at them because they have the power and the knowledge to do something about it.

                                                                                                                      And we don’t?

                                                                                                              2. 3

                                                                                                                Absolutely agree about the danger of a small minority “burying” uncomfortable content in the graveyard of page 2.

                                                                                                                1. 3

                                                                                                                  These are good points and I appreciate you bringing them up. I have a “conspiracy” that I can’t personally confirm but might be worth adding to the thought experiment for the people who have access to this information. I suspect this same group of people uses the lack of weighting to upvote brigade and create a scenario where the minority is already silencing the majority; essentially, I would bet that the same people are the ones only contributing upvotes to those specific articles or topics and nothing else. It would be interesting to see if the same group upvotes anything else. Additionally, I would be curious to see the % of upvotes that come from an invite branch directly in that equation.

                                                                                                                  1. 3

                                                                                                                    And there is that “hide” button that @hwayne (and anyone else who feels the same) is welcome to use to hide the stories that so offend them. It was designed explicitly for that purpose. Don’t like the comments or story? Click “hide”. It’s not hard. There’s no need to penalize other people for enjoying a lively conversation.

                                                                                                                    1. 1

                                                                                                                      Under this process the story just won’t be on the frontpage as long. You’re not being penalized. You can still comment and get notifications that people are replying to you. It’s more inconvenient for everybody else to be expected to click hide on a story that’s attracting a lot of flamewars.

                                                                                                                      1. 1

                                                                                                                        Under this process the story just won’t be on the frontpage as long.

                                                                                                                        That would be the problem.

                                                                                                                        It’s more inconvenient for everybody else to be expected to click hide

                                                                                                                        That’s an interesting framing, and one that I reject. You have no idea how many people will find a thread or story bothersome or interesting, nor do you speak for the entire community. The “hide” button was created for exactly this reason, so use it, as I’m doing on this submission. Some other people might find it interesting, and they can choose to upvote instead.

                                                                                                                  1. 7

                                                                                                                    I’m really glad this was brought up. I’d been struggling the last few months with a feeling that there were quite a few articles that had an odd amount of staying power by a few very… vocal and passionate… groups that I frankly didn’t seem to think fit the quality of lobsters, but I didn’t think of a good solution besides saying it directly in thread, thus contributing to the staying power. I’d always sort of assumed there was weight to downvotes, but now that /u/hwayne pointed it out, this is a pretty decent solution imo.

                                                                                                                    1. 13

                                                                                                                      Void hits a really special and niche spot for me. I do a ton of pretty huge penetration tests and often times have a short amount of time to do them; it gets very messy to keep everything in my brain when you are running through 2 or 3 /8’s of vulnerabilities and attack chains. Void(map) helped keep me in the terminal paradigm while also still letting me mentally map things. I wrote about this a bit more in-depth for anyone who wants to see a not so standard workflow.

                                                                                                                      1. 6

                                                                                                                        WHOAH it feels so damn cool to see that all those random features I chucked in there are actually getting used by other people :)

                                                                                                                        I use void frequently every day and it’s always heartwarming to see that it has helped others to better understand things that are happening in their lives. While the repo is more or less stalled right now, it’s still important in my life, and I mostly consider it done. Although I do aspire to close out those remaining tickets.

                                                                                                                        1. 6

                                                                                                                          I was actually hoping you’d see this, since I believe I found void through a thread where you mentioned it here on lobsters. Thanks for your hard work on it; there are a lot of little things where I very much appreciate how much thought you put in. You’d also probably be happy to know that I’ve used this in executive meetings to show visualizations of “attack paths” where I had hundreds of nodes, and it was incredibly well received and it’s made it into multi-hundred page reports. This project was actually one of the driving reasons I have been learning rust; I have a small backlog of little bugs that I was hoping I could send patches for, so I for one really hope you keep maintaining it!

                                                                                                                      1. 73

                                                                                                                        He’s not wrong, but a quarter of a page about how almost all laptops are worse than 2008-era thinkpads is a little bit low-information for the lobste.rs frontpage isn’t it?

                                                                                                                        1. 14

                                                                                                                          I think you’re right, it’s low information. But, if others here feel the same as the article, I’m optimistic it will promote conversation on what can be used (I’m hoping I am wrong about what’s out there). I’d love an alternative to the Dell stack I currently use.

                                                                                                                          1. 11

                                                                                                                            It is a good justification for me to mention (once again) that there are a lot of barely-touched second hand 10 year old thinkpads on ebay for, like, less than $100. So, you can get like a dozen good laptops for the price of a bad one.

                                                                                                                          2. 19

                                                                                                                            Maybe it’s not the most “technical” post, but I think the point / heart of it is that there is a change that many would like to see in future laptops. Instead of razor thin laptops with horrible keyboards, many people want something that just works.

                                                                                                                            It’s an opinion piece, and I personally don’t see anything wrong with it being posted here (and the tags are correct).

                                                                                                                            1. 7

                                                                                                                              Sure. It’s just both an opinion piece & very short.

                                                                                                                              1. 25

                                                                                                                                The only reason it’s on the front page is because drew wrote it. There’s zero doubt about this.

                                                                                                                                This place loves to laud over him, which annoys me specifically given I’ve seen him harass friends of mine because according to him, if you don’t use the “right software” (aka, software he believes is right), it makes you an absolutely horrible person deserving of harassment.

                                                                                                                                Wish I could filter out domains…

                                                                                                                                1. 8

                                                                                                                                  Mostly, I wish there was more consistency. I post ranty things with more substance than this & get downvoted to hell (here & HN) – and my rants are rarely less than a five minute read. (On top of that, I stay away from ad hominems when arguing with strangers on the internet, which is not nothing.) If lobste.rs was rant-friendly I’d post more of them here.

                                                                                                                                  Folks posting links to low-quality posts that are popular because people already agree with them is a much bigger part of the signal/noise ratio problem on lobste.rs than actual spammers, & because Drew is a name, he seems to get attention even when the same exact content in a comment would get one or two upvotes. (Like, this blog post is just a more severe version of comments I’ve literally made on this site.)

                                                                                                                                2. 7

                                                                                                                                  I’d rather read this than yet another post about how Unix is so terrible because it’s based on plain text like that “Programmer’s critique of missing structure of operating systems” post, or some company talking about using AWS (literally nobody cares whether you use AWS), or yet another “I rewrote [unix standard command] in Rust” post.

                                                                                                                                  1. 5

                                                                                                                                    “Programmer’s critique of missing structure of operating systems” post,

                                                                                                                                    There was a lot more in that post than you’re giving it credit for, the AWS thing can be interesting from a “This is how switching works/is motivated”. The Rust stuff is what it is.

                                                                                                                                    This submission was basically a complaint about the state of consumer products without any relevant links or analysis/context (at least when I read it). It contains really inflammatory and frankly mean screeds like:

                                                                                                                                    If you work at any of these companies and you’re proud of the garbage you’re shipping, then I’m disappointed in you.

                                                                                                                                    On a factual basis, it’s a lot easier to get a multicore laptop right now with a better camera than it was 12 years ago. It is a lot easier to get one with USB 3. It is a lot easier to get one with a high-resolution screen. It is a lot easier to get one with a good graphics card. Drew is happy to ignore all of that progress because he finds them difficult to service and difficult to run Free as in Freedom software on, and so immediately condemns everything else as garbage.

                                                                                                                                    I’d rather read somebody talking about their attempt at making wordcount in Rust than such a shallow and negative and just obviously narrow-minded outburst.

                                                                                                                                    1. 1

                                                                                                                                      Fair enough. I like that first category so long as it says something new (which it often does), but the other two are at least as spammy & low-effort as this.

                                                                                                                                3. 19

                                                                                                                                  It’s correctly tagged as rant, and @cfenollosa can’t help that Drew is the darling child of lobsters who can say no wrong.

                                                                                                                                  EDIT (clarification, in case you don’t see the below): this is criticism of Lobsters, and defense of this blog post being posted, not criticism of any individuals.

                                                                                                                                  1. 53

                                                                                                                                    In reality, there also seem to be a fair number of people on Lobsters who think I can say no right. I don’t post my own writing to Lobsters anymore because of issues ranging from valid concerns about spam to obnoxious toxicity.

                                                                                                                                    My take is, I write for myself, not for Lobsters. When a Lobster seems to think something I’ve written is worth discussing, then I leave it up to the community to vote on as they see fit. I’ll usually drop into the threads to answer questions, but I find it difficult to engage with Lobsters beyond this - and even that much is difficult. Because you know who I am and what I work on, it seems like any topic I weigh in on is interpreted as spam, be it via submissions or commenting in discussions, even if I go out of my way not to frame my comments in the context of anything I work on.

                                                                                                                                    I don’t really like this community anymore, but I reckon some Lobsters would argue that’s by design.

                                                                                                                                    1. 16

                                                                                                                                      obnoxious toxicity

                                                                                                                                      I’m not going to claim that Lobsters is perfect, but “obnoxious toxicity” doesn’t seem like an apt description either; at least not in my experience. How is it toxic, specifically?

                                                                                                                                      1. 29

                                                                                                                                        Obviously tone is mostly subjective, but I have noticed the same thing recently on some of Drew’s writings that get posted here. Even the comment by @mz could be seen as really negative

                                                                                                                                        @cfenollosa can’t help that Drew is the darling child of lobsters who can say no wrong

                                                                                                                                        I have a hard time not reading that with vitriol or almost malice (though as indicated by @mz this was supposed to be sarcastic). Saying, “hey I don’t think there isn’t a ton of technical information here” and not upvoting is one thing, but when Drew clearly didn’t post the article themselves and still gets comments that to me seem very unpleasant, it really would be hard to like a community.

                                                                                                                                        EDIT: Again in this same thread, I’m just going to start collecting the comments that if I were reading about me that I’d consider to be disheartening and drive me away from this community.

                                                                                                                                        I’ve seen much worse Drew DeVault rants keep the top spot on lobste.rs for weeks tbh.

                                                                                                                                        1. 25

                                                                                                                                          Ya, that comment is clearly less-than-perfect, but I also wouldn’t describe it as “obnoxious toxicity” personally, but YMMV.

                                                                                                                                          It’s not like Drew’s communication style is always … gentle. I mean, in this post he’s literally telling people they should die. Obviously I know it’s supposed to be a joke and intended to be hyperbolic, but sjeez man; that’s pretty harsh… Reasonably sure such a comment would be downvoted to hell on Lobsters or HN.

                                                                                                                                          If you dish out harsh words, then don’t be surprised if people reply with harsh words, too.

                                                                                                                                          1. 4

                                                                                                                                            This is definitely a case of a missing /s or otherwise tone being lost in text form. Please see my clarification and comment follow-up.

                                                                                                                                            1. 5

                                                                                                                                              I really don’t mean this as a cut to you either, it is just how I read it tonally. Text communication is hard.

                                                                                                                                          2. 9

                                                                                                                                            In my experience the toxicity has various specific loci, and if you happen to avoid those in your interactions with the community then you’re fine.

                                                                                                                                            Woe betide you, however, if you step on a hot button.

                                                                                                                                            Still love the place. I donned my asbestos underwear for the first time long before at least some of you were born :)

                                                                                                                                          3. 6

                                                                                                                                            I absolutely know what you’re saying, and I commend you for writing for yourself rather than for clout or for internet points. I think a lot of the blog spam we see on lobsters is stuff trying to be topical enough to be unoffensive, but content-less enough to be spam.

                                                                                                                                            I in no way meant this as a criticism of you @ddevault. I meant it as a criticism of lobsters, a community which seems to be very addicted to being polarized over your content.

                                                                                                                                            I totally get why you don’t post your stuff here. In general, a blog post not being appropriate for lobsters is not a criticism of the blog post (to think otherwise is some serious tech elitism).

                                                                                                                                            Thanks for engaging with the comment. It seems you interpreted it the way I intended it, as I had no intention of offense.

                                                                                                                                            1. 6

                                                                                                                                              Point of fact: you took advantage of us as a marketing channel.

                                                                                                                                              1. 45

                                                                                                                                                Here is my self-evaluation of my posting history. Green = unambiguously not spam. Blue = cool stuff I made, but which doesn’t make me money. Together these make up almost half of my posts. Pink = dubious, I could benefit indirectly from these, but would argue that they’re on topic and relevant. That covers all but 3 of my posts. Of the remainder, which are definitely more ads than not, one is the most highly upvoted story of all time in each of its tags.

                                                                                                                                                I think that this balance was reasonable enough, but in the BSD submission there was some discussion about whether or not it was too spammy, so I curbed my posting on Lobsters. The vast majority of submissions from my blog are not submitted by me, but it seems like I’m being held accountable for all of them as spam.

                                                                                                                                                In any case, I don’t post my stuff here anymore. Take it up with the rest of the community if you don’t like seeing my posts here.

                                                                                                                                                1. 32

                                                                                                                                                  I’m sad and sorry that the community has responded this way to your posts, especially as you have stopped linking them yourself. You can’t control what other people do, yet you bear the brunt of their unhappiness.

                                                                                                                                                  I like seeing your posts here, as there is often good discussion that is prompted by them. Even if some think of them as “ads”, at least it’s for good, open source software (and not things much worse like Google and Facebook).

                                                                                                                                                  I’m glad you’re writing for yourself- I (and others) will continue to enjoy reading what you write.

                                                                                                                                                2. 8

                                                                                                                                                  Drew’s content may not always be earth-shattering, but a typical post of his likely opens my eyes as much as anything else on the site. Lobsters is not a place that discourages people from posting their own content.

                                                                                                                                                  1. 7

                                                                                                                                                    The link doesn’t seem to prove the “took advantage of” part, or am I missing something?

                                                                                                                                                3. 0

                                                                                                                                                  Fair enough! And yes, I’ve seen much worse Drew DeVault rants keep the top spot on lobste.rs for weeks tbh. I guess I can’t argue with success.

                                                                                                                                                4. 3

                                                                                                                                                  Yes, it could have been contained in a comment. But maybe that’s why the article gets upvoted a lot: It’s low-effort to read, everyone basically agrees, and it’s a relief that apparently everyone feels the same (and it’s not their fault for not being able to find a proper laptop).

                                                                                                                                                  1. 1

                                                                                                                                                    How’s it a quarter of a page? It’s an entire page on my fairly high-resolution screen (1440p with no scaling). How zoomed out is your web browser?

                                                                                                                                                    1. 1

                                                                                                                                                      I have a portrait display & my zoom setting is only 100% – basically because I don’t want a ‘screenful’ to be thirty seconds of reading.

                                                                                                                                                  1. 7

                                                                                                                                                    Meanwhile if you’re looking for a Linux-based operating system that looks just like Windows 10, may I suggest Kali Linux.

                                                                                                                                                    I haven’t used it myself, but from what I gather Kali is explicitly discouraged for Linux newcomers and/or general-purpose distro. See e.g. Why is Kali Linux so hard to set up? Why won’t people help me? and Should I Use Kali Linux?.

                                                                                                                                                    1. 6

                                                                                                                                                      Yep. This is absolutely not good advice, the maintainers even quote it here:

                                                                                                                                                      should you use Kali as your daily driver, as the primary OS? It’s up to you. There wasn’t anything really stopping you before, we just don’t encourage it. We still don’t.

                                                                                                                                                      I use Kali professionally for Penetration Testing and created the build pipeline for $COMPANY to roll out customized versions of Kali, spin up new instances every engagement, and have run it as host OS for years (even in the Backtrack days). If you don’t specifically need the security tooling, it’s entirely based off of Debian Testing and that should meet most of the needs Kali does.

                                                                                                                                                      1. 1

                                                                                                                                                        I would go a step farther and say it’s bad advice to tell someone to use pentesting tools from their daily driver OS.

                                                                                                                                                        I wish I had specific findings in a form I could share, but some time back I got to help experiment with adversarial responses to probes from common penetration testing tools.

                                                                                                                                                        The results weren’t pretty, and many tools need elevated permissions, so their failings were instantly magnified. (As an aside: because of this need for elevated permissions for some tools, the OS installs that host them tend to be less-than-hardened against privilege escalation attacks. So even those tools that don’t themselves need elevated permissions are usefully attacked.) Test tools tended to be less than robust against those who wanted to exploit the testers.

                                                                                                                                                        I came away from the exercise convinced that these tools were best run on a short lived Kali instance that had no other data and no privileges anywhere.

                                                                                                                                                        If someone wants to use Kali as a daily driver? Maybe that’s fine. You don’t need to log in as root anymore, and it’s just Debian testing anyway. I can’t swear today’s Kali is a soft target for privilege escalation. But if you’re using it for non-testing purposes, you shouldn’t run pentesting tools on it IMO. In which case why use Kali? Because you like its windows-alike skin? I bet that can be installed on a better general purpose system.

                                                                                                                                                        That’s a lot of words to say that I am much more loudly in the “don’t use it for other things” camp than the Kali maintainers you linked.

                                                                                                                                                      2. 2

                                                                                                                                                        I can’t see why anyone would recommend a special-purpose distro as a Windows 10 alternative. Windows 12 Lite may really be one’s best bet if that’s what they want. ;)

                                                                                                                                                      1. 3

                                                                                                                                                        How does this compare with tinc?

                                                                                                                                                        1. 7

                                                                                                                                                          So I was a heavy tinc user for years and was a big fan, but have since made the switch to WireGuard. I’ll try and do a quick summary from memory (plz don’t hurt me if I get some of it slightly wrong). WireGuard has no meshing capabilities (currently) and does not have the concept of the meta-protocol that tinc does. So there is essentially no configuration pushed from the servers and no runtime configuration that can happen with WireGuard. Where in my testing WireGuard did a lot better was in speed, use of ip(1) configuration, stateless connections, a really thorough analysis of the protocol (whereas tinc 1.1 has a cool protocol but has been in beta hell for ages), and a Go implementation as well as the Linux in-kernel one.

                                                                                                                                                          Based on the TODO it looks like a lot of those features are actually planned to be there. Realistically I had a few different use cases for both and I think WireGuard fit the traditional VPN structure better while tinc allows for some more wild configurations.

                                                                                                                                                          1. 2

                                                                                                                                                            Don’t know if you might mean something else with meshing than me, but I have a 60+ node WireGuard network, which is a full mesh … every node directly talks to every other node, like they would if they shared a local area network.

                                                                                                                                                            1. 2

                                                                                                                                                              I do mean something different. tinc has discoverability in order to create its mesh. Essentially a node does not need to know about another node, and as long as one of the nodes authorizes a new node it can discover and find out about the others and immediately start routing to it through the network.

                                                                                                                                                        1. 20

                                                                                                                                                          I’ve heard from pen-testers in my building that they now recommend Windows Defender because it’s the default one everywhere and therefore has a much larger user base for detection and reports.

                                                                                                                                                          I have no idea if this is what the security community agrees with, but I thought it made sense.

                                                                                                                                                          1. 12

                                                                                                                                                            Yup, I can confirm that. There was a test here in Germany by a respected security firm and they found that Windows Defender really upped its game since Vista days, being the best from all tested solutions in regard to detection, speed and security. There’s no reason to use anything else other than wanting to unnecessarily slow one’s system down or having their data sold. :P

                                                                                                                                                            1. 8

                                                                                                                                                              Penetration Tester here, yep I agree with that. The other AV vendors have a tendency to do some crazy kernel module behaviour that would normally be considered pretty crazy/risky whereas Defender is now much better and clearly more sanely integrated. I will say, it still feels odd suggesting Defender though, it used to be the worst.

                                                                                                                                                              I should also add a note that if you are talking about Windows production servers or things that are a bit more in the “change management” role, most of the time I still suggest using Application Whitelisting over AV (or as a supplement).

                                                                                                                                                              1. 1

                                                                                                                                                                That’s similar to my thoughts. Makes sense too.

                                                                                                                                                                1. 1

                                                                                                                                                                  In my personal experience pentesting (although I do far less of it now than I used to), the paid software rarely offers anything over Windows Defender, but often comes with a bunch of overheads. Most people think AV does something it doesn’t. In over 20 years of testing, AV hasn’t stopped me once. That’s not AV’s fault, it’s just not generally designed to stop the workarounds people use. What is AV’s fault is that it’s marketed as a catch-all.

                                                                                                                                                                  Having said that, MalwareBytes is one of the better set and forget antimalware tools I’ve used. For people who need that confidence or are attacked it’s something I’ve been comfortable with suggesting for peace of mind in some cases.