• 0 Posts
  • 132 Comments
Joined 3 years ago
cake
Cake day: June 18th, 2023

help-circle

  • I wonder what you are securing against?

    OK, you’re familiar with vulnerability scanners and port scanners right?

    The threat model here isn’t really attackers specifically targeting your home network for any particular reason (unless you’re a LastPass engineer working remotely while running an exposed Plex server). They’re not looking for you, they’re looking for anything useful.

    The threat model is attackers using scanning tools to discover vulnerable systems connected to the Internet. All they need from you is an active connection and a system that can store data, from which they can host malware files for distribution to other targets or conduct attacks or just run a cryptominer (if you’re lucky and they’re not very ambitious). They can find this by scanning for open ports and then running a vulernability scanner to figure out if there’s some exposed hardware that can be exploited.

    An unsecured system is a hazard that could land you in jail when someone else starts using your device and network connection to commit crimes.

    Now, as long as you’re behind a standard residential network service, and your ISP is in control of your gateway device, you’re relatively safe from this. Most ISPs will block any traffic like that very strictly. If your ISP is in control of your gateway device then they’re responsible for its behavior (demarcation matters).

    But, most self-hosters run into limitations with their ISP blocking a lot of ports by default, because they want to access their personal server from outside their home, and so they take control by running their own gateway device or paying for a business connection which gives them complete control over which ports are open. This is where the risk comes in. You are assuming the responsibility for properly securing your connection to the public Internet, taking it off your ISP’s hands.

    If you’re going to do this, you should know exactly which ports you have open to the outside and why, and a general idea of what traffic you expect to see on them when and how much. Monitor that traffic at your firewall. Every other port should be closed and your firewall (on your router, gateway device, or better yet a dedicated OPNSense firewall) should be configured to drop packets received by closed ports (“stealth” mode). You don’t want it to respond that those ports are blocked, you want it to appear to not be there at all.

    Every other security implementation is a secondary concern for a home network. Yes you should patch your software regularly and you should practice deny-by-default and least-privilege as a matter of course, but you’re going to mitigate 90% of your risk by just not accepting incoming connections for anything you don’t need. Most vulnerable systems are discovered by automated scanning, so the less your system responds to external connections the better. If you’re going to worry about configuring, securing and patching one device, make it that front line firewall. And be very selective about which internally hosted services you expose externally.



  • You are running into the ultimate, and ultimately unavoidable, limitation of self-hosting, which is the self.

    You should run a VM on the VPS for Vaultwarden, with no other services in the VM except whatever you need to connect to it remotely. Keep it simple. Run an exact copy of the VM on your local server. Have the VPS instance push its database to the local instance regularly, to keep up with any changes that your users make. Make regular backups of the local instance.

    When you need to update the software, freeze an image of the local VM and then update the local VM, then when you’re sure it’s stable, copy the updated local VM to the VPS. If either the local or VPS instance crashes out, you should be able to recover (or reproduce) one from the other.

    In the end though, it is functionally impossible to ensure reliability by yourself. Hosting Vaultwarden on a VPS shifts the responsibility for running the underlying server and network connection to the provider, and probably removing the dependence on your residential network connection will be better for your family/users.

    You are still the weak point in your system. You need someone else who can log in to your local server, and into the VPS, and perform recovery if needed. There is no technical solution for this. You cannot be the sole admin, and also ensure reliability for other users.


  • One thing I think people forget, or were never taught in school, is that there was a time period (like, hundreds of years) when European imperialist nations went to war every summer. After the winter cold passed, and the ground dried up from the spring rains and snow melt, the armies marched. Mercenaries were a part of every serious national military, it was a common profession, alongside regularly practiced conscription. Destruction and death was an annual event for civilians, basically from the end of the Pax Romana until the end of the Napoleonic wars.

    Capitalism (coupled to industrialism) tied the wealth of nations to their productivity more than hoarded treasures or even land. Destroying a nation’s infrastructure, and killing its people, damaged its value, possibly irreparably. Going to war became expensive, and less rewarding.

    Reality is more complicated, of course, and there were a lot of other factors. The global market also created other avenues for the wealthy and powerful to exercise greed. Economic conquest was a practical substitute for military conquest. The relatively long periods without widespread international warfare are a historical anomaly.

    All of that sounds like I’m praising capitalism, and that’s not the point. My point is, I agree, capitalism was an improvement over the way things were before, maybe moreso than people realize in the present. Capitalism isn’t good, but it was a step on the path out of rampant violence - but only a step, not the end of the path.




  • There’s a new one being launched by a San Francisco-based startup that has some impressive specs, is powered by Linux, and isn’t looking to sell user data.

    yet.

    This is not an open source project. We covered it because the operating system for this is based on Linux.

    It’s (not) FOSS

    Some use cases the company points to include hands-free coding agents, reading board schematics mid-build, following a recipe in the kitchen, and keeping sheet music in view while playing an instrument.

    We’re trying really hard to come up with justifications to normalize people wearing a camera and microphone on their face all the time.

    Before you get worried, Raven Prism will ship with a physical cover for the camera that you remove when you want to use it and put back when you don’t.

    Which people will discard or lose within a month, especially if it looks like a weird extra piece attached to the frame.

    There’s also “Beakon” lights that illuminate when the camera is active, making it visible to both the wearer and anyone nearby.

    Which will get disabled almost immediately.




  • Meat/eggs/dairy, definitely.

    Vegetables, maybe, depending on what else they’ve touched.

    Dry/canned goods, probably not unless they’re wet (e.g if it’s in a cardboard box or paper package and it’s damp, it’s not worth the risk - if we’re talking about grocery store waste then for all you know that was water used to wash the butcher’s work station or mop the floor).

    Bacterial contamination is your primary concern, and after that mold. Salmonella could just end your life.


  • So, here’s a problem: food logistics is a massive, complicated morass of infrastructure. Getting food from the area where it’s produced to the area where there are people who want to eat it is difficult. A lot of individual steps have to go right for a bell pepper grown in Coahuila to show up in a grocery store in Tokyo, unspoilt and ready to eat.

    The timing of when the pepper is picked, how fast it will ripen and how long until it spoils is built into the steps of the supply chain. The cost of the logistics system for distributing food, and the overhead for managing and containing the chaos, is probably substantially higher than the cost of actually producing the food.

    The point being, when the bell pepper is at the store it is now ready for consumption. It will be there 2, maybe 3 days, and then if it is unsold it is at least halfway to rotten. Now at this point you want to try to redistribute it, which will require another supply chain, but there isn’t time to figure out where to send an overripe bell pepper or who would want to eat it, or to pack it and ship it and then unpack it and hopefully use it before it’s completely rotten.

    Refrigeration is a wonderful technology that has brought massive reduction of food waste, but it has limits. You can’t un-ripen a fruit. Trying to re-ship food at this point would not be worth the cost, and ultimately would create environmental harms that would outweigh any benefit.


    Always buy local, as much as you can!







  • No, we’re talking about companies scraping hundreds of millions if not billions of labor hours of output to train their models for the sake of developing software products which they then sell for profit.

    Every model that was trained on legally acquired free public data and open source code should be freely publicly available and open source.

    Every model that was trained on not legally acquired public data (e.g. Meta’s models) should be taken out of production until all of the lawsuits are concluded, and hopefully the parties responsible are put out of business.

    I’m not talking about future, potential labor that AI might replace. I’m talking about the labor which was stolen to produce these models in the first place.

    But, please use AI.


  • Please identify the issues with the LLM generated code.

    Why would the issues be obvious and easy to point out? Most issues with code aren’t. If they were, we wouldn’t have Patch Tuesday, a direct code review would prevent issues from shipping in the first place.

    Throwing this out as if it means LLM code is acceptable and ends the argument is ridiculous. Do you have any grasp of how software vulnerabilities are discovered at all?