I stumbled onto this subreddit looking for tips on running a basic Plex server, and holy shit, you people are insane. Instead of finding normal humans, I found complete psychos debating ZFS configurations like they're discussing fine wine. "Ah yes, this RAIDZ2 has subtle notes of data integrity." You are all a bunch of sick vitamin D deficient freaks.
I actually work with and manage multiple Kubernetes clusters, mission-critical infrastructure that actually matters. I spend my entire day working with containerised applications, and what do I find when I load up Reddit? Ansible playbook writing maniacs trying to automate their light switches. You are all a bunch of sick freaks who probably dream in YAML and wake up in cold sweats wondering if you forgot to enable that cron job.
The worst part is how you enable each other. "Hey guys, just finished my basic home automation setup", and then you post a system diagram that looks like the blueprint for a nuclear reactor. Fourteen Docker containers just to manage a suite of 'internet of things' connected shitware. You celebrate each other's descent into madness with vomit-inducing comments like "Nice setup! Have you considered adding Prometheus monitoring?" You are all a bunch of sick freaks, you make me ill.
And the money you guys must spaff away... you've somehow convinced yourself that spending thousands on enterprise server equipment from 2012 is justified as it was originally 10x the cost. And then you refer to it as "your little setup". "Oh this? Just my dual mirrored RAID 10 arrays with triple redundant UPS and backup diesel generator that kicks in if the power flicks for more than 3 milliseconds. You know, for my Linux ISO collection." Meanwhile your electricity meter spins so fast it could probably generate its own electricity. You are all a bunch of sick freaks, and you need help.
I take solace in imagining what your home lives are like. I laugh as I imagine your families having to sit through dinner listening to you explain why running Pi-hole with Unbound is superior to forwarding to Cloudflare. I bet your kids start crying when you mention DNS-over-HTTPS. Your wife just stares at you now, especially since you've replaced all your family photos with Grafana dashboards.
I imagine you boiling over when the woman you made vows to asks "why can't we just go back to using iCloud" when your precious self-hosted photo library goes down during your third PhotoPrism upgrade this week. They completely ignore your 'impressive' (97% lol) uptime statistics and offsite backups. You are all a bunch of sick freaks, and your loved ones are losing hope.
No, you don't need Kubernetes or 10gig network switches or a 7U rack. You don't need any of these increasingly abstract layers of complexity that exist only to solve the problems created by your previous solutions. Your simple file server didn't need containers, those containers didn't need orchestration, that orchestration didn't need a service mesh. Yet here you are, staring at 10,000 lines of YAML, wondering if maybe just one more Helm chart would finally make it all perfect. But I know you'll keep adding more, because you're all just a bunch of sick freaks.
@sour @hakan_geijer Absolutely! Security focused live systems are neat for some throwaway work, just do recognize that if the hardware is tampered with, it's hard for the OS to defend against that.
But most attacks that work well against Linux but not so against modern Windows/macOS are attacks targeting the installed OS. With a live system you circumvent that. In theory, you can harden Linux to a similar degree as Windows BitLocker (i.e., measuring Secure Boot state + long password or FIDO2 stick, using signed UKIs, etc.) or perhaps even more than that, but it's not the default and requires quite some knowledge.
FFS, I'm not sure whether this was already the case or just a bending over by Google, but @ryanc's EMF talk about transitioning is age-restricted on YouTube?!
But there /has/ been quite some development in QC on a hardware level, denying that is seriously denying reality. Even more, there /has/ been increased velocity in the development.
The only question is whether you consider this "relevant" or "much" or not. And while I don't think it's anywhere near being done, I find the development worrying enough to think about this scenario in *some very select* contexts. Not as a threat now, but as something to consider and better protect against rather than not doing anything.
Like we should've done something against the climate crisis in the 1920s already, even though the impact was quite far off, but the signs were there. It's quantum resilience, not "the big scary quantum is coming".
@dalias @khm @ambiguous_yelp @sammi @joelanman I disagree, we had quite some development in recent years and while this is no guarantee, a lot more progress has been made than earlier. In other terms, it's not the same velocity of development but has accelerated.
But: There are still real problems to be solved and at any given point we may run into a wall. And one real problem could also be that we have WW3 before any QC gets successfully constructed, whelp.
But regardless, that's really no helpful debate and I'd rather not bet on that for some stuff and rather be safe (hybrid schemes) than sorry.
@khm @ambiguous_yelp @dalias @sammi @joelanman While I agree that it's nowhere "close", the "Harvest Now, Decrypt Later" is a tangible threat -- even if they're 10 years out.
However, I wouldn't bring that up for Signal since that'd require a *lot* of Harvesting, a *lot* of cracking and we'd only get some of the data to decrypt a whole Signal interaction since only the KEX would be affected and things like PFS etc. help against a lot of simpler attacks.
This *is* a threat for, say, secret govt. documents where deciphering has a big impact even 20 yrs later and the computing requirements (given you have access to quantum computers) are comparatively acceptable.
@ainmosni @dalias @hipsterelectron Tbf, I've seen many constructions that are insecure even though the primitives were fine. They were just misused. Those primitives ranged from wrong application of SHA2, to PBKDF2, to just using GPG wrongly...
But yes, learning things and trying to do new things with crypto is absolutely fine. But *please* ask a cryptographer, at the latest when you are dealing with data from other people.
@dalias @whitequark @glyph @mcc You have not encountered normies using Google Chrome? And you may argue that it's a single platform authority, but the statement is then widely misleading as you can use very different systems beneath. But idc, the reality is that people use it, whether you like it or not.
And yes, iCloud is not synced to Windows. But you said, I quote:
> Even on Apple's walled garden ecosystem
and to my knowledge Windows is not part of the Apple walled garden. Regardless though, Apple Passwords syncs to Chrome and Edge (~80% market share, much higher if you restrict to Windows only for your example) just fine...
> They absolutely are not. There is no such thing by default, only if all your devices are from a single platform authority (Apple, Google, or Microsoft) and you trust them. Most people do not fit in that category.
Okay, you *are* widely out of touch. Chrome alone has about 68% market share and has a built-in E2E password manager that works on Linux/macOS/Windows/Android + syncs with the Android keystore for use outside of the browser. I wouldn't call that "single platform authority" but either way, *a lot* of users use this. We may not like it but that's how it *is*.
> Even on Apple's walled garden ecosystem it's hard af to get this magical transfer to new device to work.
*if* you are in Apple's walled garden it's just in iCloud and transparently on all your devices.
> Only critical passwords like your email actually have to be written down. Everything else you just do a reset via email.
That's one solution. Which, you know, will work with passkeys too, so you've just invalidated your whole fucking point.
(Besides: I'd love to rip out email from this too in the future because it undermines the whole security but that's outside of the scope of this discussion.)
@dalias @whitequark @glyph @mcc Through transparent E2E and synchronization b/w devices. This mythological technology that they are... you know... widely using already.
Also: You yourself brought up password managers and generated unique passwords. Which have literally the same problem: If you lose access to it, you lose access to the sites you've logged in to. And the high number of logins makes it unrealistic to memorize or write the passwords down. If you really think that's what they do then you're widely out of touch with the general user's reality.
@dalias @whitequark @glyph @mcc What, no, @whitequark didn't say anything about a separate device and the point still stands. It's just pub/private crypto vs shared secrets. It's one reason why we use SSH keys instead of passwords despite passwords being possible to generate uniquely and strongly.
For sure, this problem has been “solved” in the sense that you (and me) just use a password manager, tweak its generator when websites want some different “secure” password requirement and know how to deal with the PITA if the passwords are shared across domains etc. Possibly even monitor HIBP and rotate the password in that case.
But all this is something that requires domain knowledge and we should admit that. We failed to make computers usable by end users. Which would be fine if we wouldn't require them to do that.
If passkeys were implemented correctly the above problems wouldn't appear, phishing would almost completely be gone and it would even be easier for users. And "losing credentials" neither.
I'm honestly surprised about this pushback by you. We're effectively unrestricting FIDO2, which has been our go-to advice for ages, and making the keys copyable like SSH keys are ... and suddenly it's all evil.
gecos/CN: Janis Joan König
SAN: ElleJay (lj), Leo(nard) Robert König
Bragging Rights: Made a former German conservative minister greet me in full cat girl suit.
~~~
"my cutie (it/its)" ~ @BernadetteKessler
"computer toucher in the street, girl kisser in the sheet" ~ @somsnosa
"aaaaaaaaaaah" ~ @drakulix
~~~
See pinned post for more #intro, what to expect here, as well as alt-texts for pfp & banner <3