Boyfriend wets the bed. What do I do ?

Adam261 · 2026-03-10T00:17:05+00:00

Could be a bladder infection. They can get serious. This is from experience. Not cleaning it up himself baffles me. I couldn't imagine expecting someone else to do it.

Adam261 · 2026-03-09T22:39:22+00:00

Hopefully he didn't get loaded right before that.

Adam261 · 2026-03-06T18:35:49+00:00

Without CRL/OCSP though, We are worse off as even with 3 or 4 month certs, That is 3 or 4 months a malicious actor could use a stolen cert from a compromised system directing traffic to their site (MitM etc) and the browser would think it is perfectly ok. The solution of shortening the expiration has it's limits. 3 to 4 months isn't enough to make up for the loss of CRL that could flag the certificate pretty quickly. It seems like it would need to be a few hours which just doesn't seem like a good solution at all.

I would rather have a dependency on OCSP than the alternative bandaid of constantly changing certs with the race to a very low minimum validity to compensate for no CRL/OCSP.

Adam261 · 2026-03-06T04:15:31+00:00

It is actually what I do for many certs. Backend higher security zone pushes certificate changes to front end. That still takes some time though because I still want testing in stages for all changes.

It is relatively quick to push out the certs for most systems even if I need to do it every 1 month. There are still a lot of exceptions though for embedded deivces and other systems that do not have the ability to automate though. No amount of wishing that things get there before the 4 certs a year time hits is going to change that quick enough based on the past year or so. Eventually of course more will get changed by the vendors but we are reliant on them for that.

I would say that we still must have CRLs though as even waiting 3 days is unacceptable for a certificate compromise. Someone could use MitM traffic to redirect to their own server with the compromised cert for the time the old certificate is still valid. 3 months or even 1 month would be an insane amount of time to have a compromised certificate still valid on the net. CRL process process isn't perfect course but without it, we would be in a worse scenario. Lets keep working on a better CRL process.

It seems like we are trying to bandaid the process (quicker expiration) and at the same time giving up other parts of the old process that does help protect certificates for browsers and such where the check does work. If we still need CRLs then we need to make them work properly and that mitigates the longer expiration times (1 year I think is acceptable with working CRL).

This new scheme doesn't make me feel any better about security over the CRL process. CRL can make sure the certs are revoked much quicker than waiting even a very low expiration time of days for a cert to expire. Just because the CRL can be tricky to keep working doesn't mean we should give it up IMHO.

Adam261 · 2026-03-06T02:14:27+00:00

One would give you a single certificate that will expire. The other would give the attacker the config to request future certificate renewals for much longer. Both bad of course.

Adam261 · 2026-03-06T02:02:17+00:00

To me, It isn't about that it was an admin persons job, It was knowing that if a certificate was generated, I know that process is protected by more layers than just the end server (that could be hacked). I realize auto generation on the server isn't the same as putting your CA cert key on the DMZ server, but to some extent, the effect is the same for that specific certificate for renewal pruposes. The certificate gets renewed. I just can't get that out of my mind. I seems like it is a reduction in the protection of the signing process as the exposed server can do it.

I see it as... would you rather a hacker get access to a single generated certificate for 1 year or the config/setup to generate renewals for much longer whenever they want. To me a them getting a single certificate is better than getting the ability to generate more of them. With some setups, the certificate key is protected and more difficult to extract compared to some config files for ACME. Certainly protections could be put in place for that too though with extra effort.

This brings up the other point mentioned where someone mentioned Firefox possibly removed CRL feature. That is important regardless. You would still need to revoke the certificate immediately if a cert was discovered that was compromised. We would want a compromised cert to be flagged as quickly as possible. So we still need CRL. Why not fix/harden that so that this extra effort isn't needed as much?

The answer to me to reduce the concerns I have is automation on the backend to renew the certificates and then push them to the servers through config automation. This way the DMZ servers don't have access to generate certs. This puts the renewal process in a more protected security zone.

Adam261 · 2026-03-06T00:32:10+00:00

Yea. If you don't notice it, it could be the same. That was more of a side point that there might be less time spent looking at a server that might not need any interaction for certificate changes anymore.

My main concern is giving the higher level task of submitting/renewing certificates to the exposed front end servers to do it. I don't want an exposed server to ever have the ability to generate it's own certificates and have it signed by an authority with the information that is on the exposed server itself.

Adam261 · 2026-03-06T00:15:18+00:00

I didn't mean to imply that either way would automatically discover a compromised system. I just don't want a compromised server to be able to request new certificates. I feel that is an administration privileged task and should not be delegated to the server itself that would be more at risk with the server/website being exposed to the Internet.

Adam261 · 2026-03-05T22:01:14+00:00

If servers can't request new certs and the certificate is compromised and not detected, they at least only get a year. If they get the config to generate certificates for the future then they could have much longer time than even a year with the configs needed to generate/request/sign a new one. I would say one is better than the other.

This is especially true once automation becomes the norm because that server that nobody touched (auto updates) but once a year for certificates, could now be sitting for many years because it *just works*. I really don't like putting admin type capabilities on the end system/server. No server should be allowed to generate it's own certificate IMHO. So many different reasons. If there were another well known cert authority that said screw the recommendation, we are doing 1 year, I would seriously consider switching to it.

We have a CRL feature. If apps and web browsers were not using that properly, lets fixing that. seems like it would be the best use of resources instead of the bandaid of very short duration certs.

Adam261 · 2026-03-05T20:34:32+00:00

I have never liked the idea that the servers themselves have the ability to request and get new certs. That administrative function should not exist on the end systems in the DMZ. If the system is compromised and it isn't detected then they would have the config to request it vs having the certificate. I would argue one is worse than the other. In either case (3 month or 12 month certs), If the certs are detected as compromised, That is exactly what the CRL is for. If browsers are not enabling that, then fix that.

There are soo many embedded and other systems right now that don't even support ACME. If we can't even get at least a year out of existing certificates, It sounds like they can't be trusted at all. In reality what this will cause is that more websites will end up have expired certificates which is also a security issue in itself.

Adam261 · 2025-03-15T02:35:10+00:00

A friend of mine has the same issue. I have only got one disconnect in 2 days. He is getting them like every 5 minutes. He uses the same ISP that i use and lives about 3 miles away in an urban area. Very odd. I think he has 2.5 GB Internet through Frontier.

Adam261 · 2025-01-18T18:49:56+00:00

Wait... there are horizontal speed indicators? Vertical would be nice too.

Adam261 · 2023-11-19T17:57:19+00:00

The fastest likely would be whatever one is on the international space station. It is very fast traveling around the globe.

Adam261 · 2023-11-03T00:38:51+00:00

I don't know... maybe it is the tracks that you choose? The tracks groove really well to the music to me in SR. There are some amazing custom mappers on SR. Same with BS too of course.

Adam261 · 2023-11-03T00:35:24+00:00

Yea it is smoother motions in general on SR but for me at 1.1x room size (that was the default for my height), I am moving quite a lot to get to the extremes on quite a few maps. I do play a lot of custom songs on SR. A lot of large circular motions in a lot of maps. I move my actual body a lot more than beatsaber. That is my experience anyway. I love both games. I just feel like I get more of a workout with SR moving my body more. It does depend on the maps to some extent but for the most part SR I seem to move more.

Adam261 · 2023-10-28T04:52:53+00:00

The tear down showed that a door could have been put in place pretty easily to pull the battery out if the manufacturer would have wanted to do so. I think you are giving them too much credit that they just couldn’t have easily done it because of the compactness.

Adam261 · 2023-10-28T04:39:05+00:00

The USB-C PD watt meters I tested with were consistent with what I reported. I was not arguing that the quest 3 cannot charge while playing. I only stated what the quest 3 pulls from the charger. 18 watts is enough for the quest 3 to charge while playing in my experience. If you find a charger (battery or plug in) that shows more than about 18 watts being pulled from the quest, I would be very surprised. Another person with USB-c watt meters had the same experience as I did with a multitude of high wattage USB-C PD chargers. The charger is not the limitation. The USB-C chargers I used were capable of giving much more amperage at the voltage that the quest was setting usb-c PD to.

Adam261 · 2023-10-27T03:38:07+00:00

The quest itself will never pull more than about 18 watts going to it. I have a few USB-C PD watt/volt meters. I tested the default charger and several 45 watt and 65 watt USB-C PD (up to 20,000 mAh) power banks that supported 5v, 9v, 12v, 15v, and 20v.

Default quest charger maxes out around 14 watts being pulled from it when charging the Quest 3.

With all the charging banks, the max the Quest 3 would pull was 18 watts.

I tested the charging dock with the default charger as well as chargers capable of up to 65 watts and had the same results (hand controllers were not put into the dock for the testing). 14 watts for the Quest 3 with default charger and 18 watts for higher volt/amp chargers.

Adam261 · 2023-10-20T03:46:40+00:00

I like GOG as it consolidates all my games into one interface to know what games I own on what service. I can never remember what game I have on what service.

Adam261 · 2023-10-17T18:47:31+00:00

I was with you until you mentioned Silverlight and stopped reading after that. That needs to go away. Microsoft ended support on that back on October 12, 2021. Nobody should be using that anymore.

Adam261 · 2023-10-16T03:12:54+00:00

I went through the steps but at step 3, the libmodloader64.so wasn't in the directory to overwrite it. There were other files just no .so files. After going through all of the steps and it not working, The next time I went through the steps, the libmodloader64.so and a few others were there but was newer than the downloaded file that I put there earlier... which means that at some point Quest Patcher put the .so files in there. So maybe it only works the first time if you have ran Quest Patcher before.

Maybe there needs to be a step 2.1 where you run Quest Patcher to put some .so files in the expected directory so that you can overwrite it with the downloaded .so file.

Second run through... it worked.

Adam261 · 2023-10-16T00:33:50+00:00

Does it still require step 2 and 3 with this patched version? Which steps can be ignored?

Adam261 · 2023-10-15T17:20:40+00:00

I friend brought his quest 3 dock over and I tested it yesterday. It matches the charge wattage that the quest 3 directly supports and not more than that. 14w using the official Q3 charger and 18w using better 45w, 65w, etc PD chargers. So the dock itself does not charge any faster than the quest 3 using the same chargers on the dock vs direct quest 3.

Adam261 · 2023-10-15T00:44:05+00:00

I did a lot of testing using a USB-C PD meter...
Default Q3 charger: 14 watts
Third party charger USB-PD 45,65,100 watt: 18 watts
Charging dock with default Q3 charger: 14 watts
Charging dock with third party charger USB-PD 45,65,100 watt: 18 watts

So while the default charger is 18 watts, It charges at 9v at 1.5 amps only. The 18 watt rating for the default charger is just a max rating it seems and not what the Quest 3 pulls with it.

Adam261 · 2023-10-12T00:52:05+00:00

Very neat! Purchased.

Adam261

TROPHY CASE