AlexanderESmith

Didn’t know about David Gerard before, but thanks for letting me know he exists so I can follow him 👍

@dgerard@awful.systems

Whoa there, I never have - and never would - suggest that anything should be protected by a single factor. Where are you getting that?

Authy sucks. It’s not just that the TOTP they send you might not be secure (SMS is easily exploited), it’s been shown that they’re leaking other personal data.

You don’t have to cobble anything together. As you say, self-hosted BitWarden is a good option. As for your “glue”, you should trust it more than a third party, since you know what went into yours, and its not a massive honeypot treasure trove.

Edit: I’ve been using “honeypot” wrong. It would actually be good if the hackers tried to hack one of those.

Who said you shouldn’t be able to access your backups remotely?

A lot of tools allow you to set up google drive, drop box, whatever. Yes, this brings you back to cloud, but it’s better to have a hacker wonder if some random google drive might have juicy auth data than know for sure that some SaaS platform absolutely does. Also, even if they got the file, it should be encrypted, and should be a massive pain to get into (at least long enough to change the passwords stored in the file).

The other (better) option is to have it back up to sftp (or similar), which you manage yourself on private servers. Normally this would be accessed through RSA and/or TOTP, but you can set up secure backup methods (combo any/all of; port knocking, long-password, human-knowable timed password, biometrics, security questions, other trusted humans that have some TOTP that can’t open your storage alone, etc).

Stop. Trusting. Cloud/SAAS. Security. Apps.

Don’t give them your passwords and private keys, because you can never know of they’re being stored responsibly, or who has access to them.

Don’t give them your personal details, they don’t care about protecting user anonymity.

Keep your keys and passwords in local, encrypted files, and generate your TOTPs locally.

“But that’s not convenient!” - It’s plenty convenient, find an app that supports your phone’s biometrics. There are plenty on both Android and iPhone that also work in Windows/MacOS/Linux.

“What if I lose my phone?” - Keep your files backed up. If you don’t do this, you deserve to get locked out. Fear of losing data is a good thing, it keeps you vigilant. Apathy gets you another of these stories.

There are plenty of apps that encrypt local storage for security keys and code generation. Stop allowing these tech bros to create honeypots catnip for hackers, and making you pay them for the privilege of being an easy target.

Edit: I’ve been using “honeypot” wrong. It would actually be good if the hackers tried to hack one of those.

It’s not harmful to tell average people who run windows to disable updates, because you can’t disable the updates as a single-license scrub.

(Theres usually some hacky bullshit to delay or block updates, but they break constantly and you have to keep finding new ones, because Microsoft thinks of their userbase as stupid babies who can’t be trusted with their own hardware).

Also, you live in your own personal slice of Windows control with your hundreds/thousands of systems being managed with group policies. I have no doubt that you don’t see issues, because your company chose a few models of laptop or desktop and know how they’ll react to the updates. You can turn off the annoying shit, and choose specific updates at specific times. Microsoft doesn’t want to piss off their corporate customers, especially the ones with massive spending contracts with Dell/HP/Lenovo.

Thing is, outside of you - and your groups of other corporate windows admins - the general user (with varied hardware/software configurations) don’t have the safety of catching issues on a few test machines and delaying a deploy to the fleet, or even the option to delay updates at all, and they’re screwed over constantly by random broken drivers, system setting that aren’t respected between updates, and bloat/backdoors that you can’t opt out of.

It is you who is being disingenuous, by suggesting that the windows update system has no flaws, because you operate in an extremely controlled environment with tons of safeguards and - ironically - way more autonomy.

lol “anymore”

I’m gonna go ahead and say that it’s weird all the way around. Any gender combo for kid/parent/audience.

Out of nowhere, I logged in like a month ago. Everything was still there (at least, my friends list was). Hadn’t logged in since the early 2000s. A few weeks later, I heard it was being shuttered. Weird.

85453462 . Burned into my memory forever.

Not a lawyer: I’ve never seen it be an issue if whoever’s running the site isn’t pretending to be something they’re not. Take that for what you will.

Hey, I’ve been a Linux gamer for many, many years, and before Steam Deck it was exclusively on nVidia hardware (mostly because I also wanted CUDA cores for Blender).

I can’t let this interrobang go unmentioned/unappreciated. Good to see you, old friend…

We need to prepare for the future where there is no jobs and AI replaced all of them.

You seem to think that the natural extension of this is that everyone who used to have a job continues to flourish, and doesn’t die in the gutter because they have no money/shelter/food.

The naivity would be adorable, if it weren’t also extremely dangerous and playing directly into rich assholes’ plans to bleed everything dry for themselves.

To add to this; I’ve done some corporate work in this area as a systems admin. If something like this comes up (within the context of being a representative of a company that finds out that someone has a domain that we may hold rights to), one of the things I’ve been asked to do is submit a “Uniform Domain-Name Dispute-Resolution Policy” (UDRP) complaint to ICANN (icann.org - Internet Corporation for Assigned Names and Numbers). They basically regulate domain usage and ownership, among many other things.

To read about how these complaints work, see; https://www.icann.org/resources/pages/help/dndr/udrp-en

Read that over while deciding whether you want to use the domain and how you use it. Give particular attention to https://www.icann.org/resources/pages/udrp-rules-2024-02-21-en , section 3-b-ix (titled “Describe, in accordance with the Policy, the grounds on which the complaint is made…”), and it’s sub-items.

LinkedIn is Facebook, if the people you follow could fire you for not being a total brown-nosing boot licker.

Well, the other option is an unemployable dipshit that needs somewhere to rant, thereby making themselves even less employable.

There’s a whole lot of advice here, and practically none is it is aimed at a beginner. You don’t need a reverse proxy or SSL to get started.

1. Install the OS - You’ve done this already.
2. Install some kind of http server - Apache is fine, people recommending anything else are overcomplicating. The package is called either apache2 or httpd, depending your flavor of Linux.
3. Put your files in the web root - Usually /var/www/html/. If the file is something like index.html, it’ll load as the default page without having to type http://youraddress/index.html
4. Restart Apache - different across OSes, Google will get you there. Something like systemctl restart httpd, but “systemctl” might be “service”, and “httpd” might be “apache2”.

Once you’ve done that, you have a computer that will serve your html files when someone hits http://[yourIP]/ . At this point, make sure your router/etc is allowing connections on port 80 (the http port), specifically to that one computer. Also, don’t allow that computer to connect to the rest of your home network (not getting into a step-by-step here; every home network uses different hardware), because now that the Internet can touch it, it’s a target for hackers. If all they can touch is this one computer (start calling it a server), the risk is minimal.

If you want to point a domain at it, that gets into DNS (the Domain Name System; literally how domains are mapped to IPs so humans don’t have to remember them). Cloudflare has guides for this.

Since it’s your home IP, it might change. Either be fine changing your DNS if your IP changes (which usually isn’t often if you have a decent connection), or look into something called “dynamic DNS” (just a thing that grabs your current IP and updates your domain to point at it).

NOW you can start getting into things like SSL. Remember that SSL doesn’t protect you from some guy trying to hack your site/server, it just makes it harder for them to view or change content while it’s being sent from the server to a site visitor (or back again, if you have a form).

Google “add SSL to Apache”, you’ll find references to “VirtualHost” and a bunch of config lines starting with “SSLCertificate…”. You’ll also find plenty of references to “LetsEncrypt” (a free SSL provider) and “Certbot” (a program that lets you generate the certificates with LetsEncrypt). Follow those.

As above with port 80, you’ll need to make sure that port 443 (the https port) is allowed for your server through your router. Again, block your server from connecting to the rest of your network. The Internet can touch it, someone will try to hack it. The SSL doesn’t save you from this.

As for reverse proxies, you don’t need one unless you’re getting into load balancing or header manipulation (which means you’ll probably never need one for this project).

I’m happy to answer follow-up questions.

Yeah, I posted a knee-jerk reaction, then followed up with an edit that says exactly that. Congrats for being able to read.

Adding to the increased attention: it was Microsoft night at the ballpark, with thousands of fans in attendance with ties to the Redmond-based software giant.

Honestly, my gut tells me this was a stunt.

Edit: Yeah, this is BS; You can hear typing in the video. What, they have a hot mic in the booth? And the article straight up calls it a gimmick. Definitely a stunt.

Hell, the fact that XP is handling an ultra wide display is enough to call bullshit xD

I just started my mbin instance a week or two ago. When I did, I wrote a guided install script (it’s a long story, but I ended up having to blow away the server like 7 times and re-install).

This might be overkill for your purposes, but it’s the kind of thing I have in mind.

Note1: Sorry, it’s kinda sloppy. I need to clean it up before I submit a PR to the mbin devs for possible inclusion in their documentation. Note2: It assumes that you’re running a single-user instance, and on a single, small server, with no external requirements.

https://alexanderesmith.com/mbin/install_mbin.bash