Threads for surstromning

  1. 1

    Wow. These are great. I would love if it would be possible to run “perf stat” as a regular user in some limited form so that it would be a replacement for ‘time’ but with more details.

    1. 5

      Never heard the term page builder before. Does this just mean CMS?

      1. 3

        Maybe tools like FrontPage? But I thought that was deprecated a long time ago…

        1. 3
          1. 2

            The article mentions “I am referring to the WordPress and Shopify ecosystems here”. So CMS-ish.

            1. 2

              Think Google Sites, Squarespace or Wix. These are WYSIWYG interfaces where you drag and drop text boxes, images, forms and so on to create pages. They are technically CMSes, but a lot less sophisticated and more easily made to show a custom page than a true CMS like Drupal.

            1. 1

              It has been about a year now. Is this guide still valid?

              1. 1

                It is, very few things change and I updated it.

              1. 15

                Warrant canaries seem to be useless:

                • they’re built on a legally questionable premise

                • there’s no way to monitor them in bulk because no standard format exists

                • providers update them with meaningless frequency and discontinue them without any acknowledgement

                and the worst point: all those things train us to ignore them. If you accept the premise we’d be treating Talos as compromised, right now. That’s what a warrant canary expiring means. It doesn’t mean “ask (the federal agent) on Twitter if they’re going to sign a new canary”, it means “you now must assume this entity has been compromised because they took the time to build a system to tell you that and look they’re now using it”.

                Sadly it seems warrant canaries are a fail open system.

                1. 6

                  They’re still somewhat useful. When riseup “forgot” to update theirs, everyone knew it was the FBI and bailed ship.

                  1. 3

                    Why isn’t everyone assuming the same thing is happening here?

                    1. 1

                      Occam’s Razor, I suppose (without having any knowledge on the matter).

                      1. 7

                        When Riseup’s canary expired HN was saying the same things:


                        The top comments from a techno wonk audience that would be likely to understand canaries were dismissive of the situation, even when Riseup posted suggestive tweets and stalled when asked about the canary.

                        If Occam’s Razor points you to thinking that the expiry of a canary is anything other than signal, the channel is nothing but noise.

                        1. 3

                          Anybody who knows the state of infosec understands that they ought to be paranoid.

                          Actually being paranoid is exhausting, so when it comes to the brass tacks, few people actually go to the hassle of being truly paranoid.

                          1. 2

                            Yeah. If someone goes through the effort of having a canary and it expires there’s no reason not to believe something happened without evidence.

                      2. 1

                        Agree. What good alternatives are there for riseup?

                      3. 3

                        Yes, it’s only my best guess about the company that says they aren’t. I can’t prove they’re not until they update it, which they haven’t so far.

                        1. 3

                          A machine-readable format would be pretty easy to create since there’s hardly any bikeshedding fodder (a true/false flag and a signature). I guess the real limiting factors are the other ones, and the first one is the biggest.

                          1. 2

                            You also have to include a not-created-before proof (not just a timestamp). This is canonically done by mentioning a newspaper headline, although you could also use lottery numbers and sports scores. Or hey, most recent Bitcoin hash, why not.

                            1. 2

                     is good for this I believe.
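
Added example, not part of any comment in this thread: the machine-readable canary discussed above (a true/false flag, a signature, and a not-created-before beacon) in Go, with a monitor-side check that fails closed. The JSON fields, the choice of Ed25519, the monitor's beacon table and all sample values are assumptions constructed for illustration, not an existing standard.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Canary is a constructed format for this example, not an existing standard.
type Canary struct {
	NoWarrants bool   `json:"no_warrants"` // the true/false flag
	Beacon     string `json:"beacon"`      // public value unknowable before it was published
}

var ErrAssumeCompromised = errors.New("canary invalid, negative or stale: assume compromised")

// Sign is the publisher side: serialize the statement and sign the exact bytes.
func Sign(priv ed25519.PrivateKey, c Canary) (msg, sig []byte) {
	msg, _ = json.Marshal(c)
	return msg, ed25519.Sign(priv, msg)
}

// Check is the monitor side and fails closed. beacons maps beacon values the
// monitor recorded itself to their publication time, so the statement's age
// is never taken from a timestamp the signer chose.
func Check(pub ed25519.PublicKey, msg, sig []byte, beacons map[string]time.Time, maxAge time.Duration, now time.Time) error {
	var c Canary
	if !ed25519.Verify(pub, msg, sig) || json.Unmarshal(msg, &c) != nil {
		return ErrAssumeCompromised
	}
	published, known := beacons[c.Beacon]
	if !c.NoWarrants || !known || now.Sub(published) > maxAge {
		return ErrAssumeCompromised
	}
	return nil
}

func main() {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize)) // constructed demo key
	pub := priv.Public().(ed25519.PublicKey)
	t0 := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC) // constructed beacon time
	beacons := map[string]time.Time{"constructed-beacon-1": t0}
	msg, sig := Sign(priv, Canary{NoWarrants: true, Beacon: "constructed-beacon-1"})
	week := 7 * 24 * time.Hour
	fmt.Println("day 3: ", Check(pub, msg, sig, beacons, week, t0.Add(3*24*time.Hour)))
	fmt.Println("day 30:", Check(pub, msg, sig, beacons, week, t0.Add(30*24*time.Hour)))
}
```

A bulk monitor would run `Check` on a schedule per provider and treat a fetch failure the same as `ErrAssumeCompromised`, which is what makes the channel fail closed rather than open.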

                        1. 1

                          Thanks for creating wireguard. Do you still mail out stickers?