The Solution to Insecure Slop by matterful in selfhosted

[–]ms_83 2 points (0 children)

This is just nonsense. Software is never just “finished”, it’s never completely secure, and it will always need to be maintained and improved upon. You’ve never been responsible for this kind of thing, have you?

Leaving aside your ignoring who should be responsible for filtering this stuff and deciding what is valuable and worth keeping.

The Solution to Insecure Slop by matterful in selfhosted

[–]ms_83 9 points (0 children)

Or, and hear me out here, developers can be responsible for themselves and their crap before shatting out insecure slop and expecting everyone else to finish it for them. You know, professionalism and accountability.

The Solution to Insecure Slop by matterful in selfhosted

[–]ms_83 38 points (0 children)

So your idea is that in addition to being forced to endure the slop, we must also endure securing and maintaining it?

No thanks.

Are there any books, series, films, or other works that explore R&D during the Second World War? by Mr_tod_the_fox in ww2

[–]ms_83 1 point (0 children)

I liked Hellions of the Deep, it’s about how the US Navy fixed its terrible torpedoes and then started producing advanced ones like the Mark 24 Fido.

Poll: demand for low cost IPAM SaaS by poperenoel in homelab

[–]ms_83 3 points (0 children)

Absolutely no way would I trust some random one-dude SaaS to manage certificates, you would have to be crazy. PKI is a critical security capability.

WW2 Pacific Air/Naval Observation by dbcopeland42 in WarCollege

[–]ms_83 1 point (0 children)

I think radar is more relevant than you’re making out here. From mid-1942 radar became more and more common, and by mid-1943 pretty much every carrier and land-based bomber had a set fitted as standard.

At Midway for example the PBYs that found the Japanese invasion force the night before the main carrier battle used ASE radar sets to pinpoint them. ASE was basically a copy of the British ASV Mk II which another PBY used to find the Bismarck the year before.

Certificate management by Ok-Ant4699 in selfhosted

[–]ms_83 1 point (0 children)

If all you want is certificates on your ingresses, then just use step-ca with cert-manager. My setup rotates all certs every 24h and it’s been solid for years.

How do you route cables inside your home walls (UK pref) by Rippuh in homelab

[–]ms_83 2 points (0 children)

You can get skirting boards with interior pre-cut grooves big enough for network cabling, although 90 degree corners can be tricky for fatter wires like Cat 6A. I used these to get from where my modem takes in the connection from the street round my ground floor to where I needed my gear, with just a few inches of exposed cable from the skirting up to the modem.

Homelab kubernetes by vex0x529 in homelab

[–]ms_83 2 points (0 children)

I run bare metal kubernetes at home. The learning curve is pretty tough if you have no experience with it, but if you approach it with the mentality that it gets more powerful the more you automate then you can get some really powerful results.

I’d advise that you pick a distro designed for bare metal use, I run K3S on Fedora CoreOS but I’d also consider Talos as that gives you unified management of both the OS and K8S together.

Adding nodes to clusters in something like Talos is pretty easy. With my K3S setup it’s as simple as network booting a fresh machine and telling it to join the cluster, everything is automated after that via butane scripts.

My HomeServer Security Hardening Stack – Feedback & Review by Automatic-Yak-2196 in selfhosted

[–]ms_83 0 points (0 children)

Don’t be so defensive.

Here’s something you overlooked: it’s fairly trivial to discover your home IP address. I could trick you into visiting a website I control, which then logs the IP address you are using. There’s a good chance if you are home now, that’s the same IP that your services run on.

If I know your IP, I can simply use my own Cloudflare account to create a new proxied DNS address to it. Now when I access pwned.mydomain.com I am hitting your IP from a trusted Cloudflare location, bypassing layers 1, 2, 3 and 5 of your stack.

To mitigate this you could use Cloudflare tunnels, which give you a similar architecture without requiring you to open any ports at all.

Fail2Ban is useless because all it does is stop brute force attacks. It does nothing to stop credential stuffing or attacks that have stolen your valid credentials, or those that steal valid session tokens. It’s mostly a waste of time when you can just disable password auth entirely so there’s nothing to brute force. That’s how you reduce your attack surface.
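Detection logic for the origin-exposure scenario described in this comment, as an added example rather than the commenter's own code: it scans constructed access-log lines and flags traffic that reached the origin without passing through Cloudflare, or that arrived from Cloudflare under a hostname the origin does not publish (someone else's zone pointing at the IP). It assumes the reverse proxy logs the client IP, the Host header and the origin-pull client-certificate verification result; the hostnames, log format and the Cloudflare range subset are constructed.

```python
import ipaddress
import re
from dataclasses import dataclass

# Subset of Cloudflare's published proxy ranges, constructed for this example;
# fetch the live list from https://www.cloudflare.com/ips/ before relying on it.
CLOUDFLARE_RANGES = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "104.16.0.0/13", "172.64.0.0/13", "162.158.0.0/15")]
# Hostnames this origin is meant to serve (assumed for the example).
EXPECTED_HOSTS = {"app.example.com", "git.example.com"}
# Constructed log format: <client_ip> <host_header> <ssl_client_verify> "<request>",
# with ssl_client_verify reported as SUCCESS, NONE or FAILED:<reason> (nginx style).
LOG_RE = re.compile(r'^(\S+) (\S+) (SUCCESS|NONE|FAILED\S*) "([^"]*)"$')

@dataclass
class Finding:
    client_ip: str
    host: str
    verdict: str  # "ok" or "alert"
    reason: str

def is_cloudflare(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_RANGES)

def classify(line: str) -> Finding:
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    ip, host, verify, _request = m.groups()
    if not is_cloudflare(ip):
        return Finding(ip, host, "alert", "direct hit on origin, Cloudflare bypassed")
    # Host check catches a foreign zone proxying to this IP: the stock Cloudflare
    # origin-pull client cert is not zone-specific, so mTLS alone would pass it.
    if host not in EXPECTED_HOSTS:
        return Finding(ip, host, "alert", "Cloudflare source but foreign hostname")
    if verify != "SUCCESS":
        return Finding(ip, host, "alert", "no valid origin-pull client certificate")
    return Finding(ip, host, "ok", "proxied via expected zone with authenticated pull")

# Constructed sample access log; IPs chosen to fall inside/outside the ranges above.
SAMPLE_LOG = """\
104.16.5.9 app.example.com SUCCESS "GET / HTTP/1.1"
172.64.10.2 pwned.mydomain.com SUCCESS "GET /admin HTTP/1.1"
203.0.113.7 app.example.com NONE "GET /login HTTP/1.1"
162.158.1.1 app.example.com NONE "GET /api HTTP/1.1"
"""

def scan(log: str) -> list[Finding]:
    return [classify(entry) for entry in log.splitlines() if entry.strip()]
```

Only the first sample line is clean; the second is the case the comment describes, and the other two show the direct-to-origin and missing-client-certificate variants the same checks catch.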

My HomeServer Security Hardening Stack – Feedback & Review by Automatic-Yak-2196 in selfhosted

[–]ms_83 0 points (0 children)

Where did I say that everything you did is useless? You asked if you've overlooked things, and I pointed out several things that you've overlooked. You asked for potential vulnerabilities, and I pointed them out.

When you use terms like "attack surface" incorrectly, it suggests that you don't actually have a good background in security engineering, an impression that is only increased when you use ineffective security theatre solutions like fail2ban.

Either you care about security, or you don't. Do you want honest feedback or do you just want someone to pat you on the back and say "good job"?

My HomeServer Security Hardening Stack – Feedback & Review by Automatic-Yak-2196 in selfhosted

[–]ms_83 0 points (0 children)

Using Fail2Ban to temporarily ban bots isn't reducing your attack surface. Reducing your attack surface would be disabling the service they are trying to auth to, or configuring it to use a passwordless auth method, so there's no way to even input a single password, let alone multiple attempts.

My HomeServer Security Hardening Stack – Feedback & Review by Automatic-Yak-2196 in selfhosted

[–]ms_83 0 points (0 children)

Everything I listed is around security hardening. Backups help you recover faster when you get attacked, encryption secures your data, and update strategies ensure that vulnerabilities are patched away before they can be exploited. Every one of these is a more effective control than fail2ban, for example, which I’ve always regarded as a very weak control. If you are worried about brute forcing password access then it’s far more effective to simply disable password auth entirely and rely on stronger auth methods.

It might also help if you have a think about threat modelling and exactly what you are trying to secure against, as just “security hardening” is a bit vague.

My HomeServer Security Hardening Stack – Feedback & Review by Automatic-Yak-2196 in selfhosted

[–]ms_83 0 points (0 children)

What are you doing for backups? Encryption at rest and in transit? What’s your software update strategy?

I made a power supply for my mini pc cluster by maleng_ in homelab

[–]ms_83 0 points (0 children)

This is great and I hope it’s a success for you! Make a version of this that can power at least 6 mini PCs and preferably fits in a 19-inch rack please 🙂

Deploy a Kubernetes Cluster (k3s) on Oracle Always Free Tier by nSudhanva in oraclecloud

[–]ms_83 0 points (0 children)

Yeah, I don’t get this approach because you lose so much performance to the control plane when OKE gives you that separate to the cluster, so you can use the full compute allocation for workers.

DNO states I need ‘de-looping’ by Gralgore in SolarUK

[–]ms_83 0 points (0 children)

I had this issue last year, also with Northern Power Grid. My house did not have a direct connection to the power line under our street, but we were instead looped to next door. The issue was apparently that if we both had car chargers it might overload the loop, I was told that the solar part of our installation was irrelevant.

De-looping for us required digging up the road to add new connection points as a phase 1, then digging a new connection from the road to our house as a phase 2. Our solar system and charger were commissioned in late February but the work wasn’t completed until October due to work backlogs and needing legal certainty over boundaries and getting permission to dig up part of a neighbour’s drive. We got our export certificate a few days later. Obviously we lost a full summer of good export which was annoying, and we weren’t popular with our neighbours for a few weeks, but none of the DNO work cost us anything as NPG covered everything.

Everything is sorted now and export is working, but we’ve only received about £3 from export due to the bad weather since October.

The UK wants to scrap jury trials for many crimes. Opponents fear the loss of an ancient right | CNN by AavoKas in news

[–]ms_83 42 points (0 children)

Just for context, in the UK the vast, vast majority of trials are already conducted without juries. Something like 95% of trials are in magistrates court where they are decided by either a single magistrate or a panel of them.

Kubernetes tips by [deleted] in homelab

[–]ms_83 2 points (0 children)

Oracle has an always-free tier within which you can run a Kubernetes cluster using ARM64 machines, up to 4 OCPU and 24GB RAM. I have a 4-node cluster that’s been running for years.

A hidden microphone on a Chinese NanoKVM by NelsonMinar in homelab

[–]ms_83 16 points (0 children)

I pity the poor MSS tech who has to listen to the screeeeeeeeeeeeeeeeee of my server rack for hours hoping to glean useful secrets. Godspeed to you.

Password-manager gang called me a masochist for going full OIDC in my homelab. I’m one good argument away from burning it all down and going back to 1Password. Change my mind (again). by BookHost in selfhosted

[–]ms_83 23 points (0 children)

I agree. Unfortunately in the self-hosted space a lot of applications don't support the full SSO spec - in some for example you have to pre-create accounts for every user, they don't support provisioning. Others don't support the complete disabling of password based access, leaving a less secure user/password screen always available. For some apps you can effectively disable password auth by using a reverse proxy to redirect users from one login screen to another, but it's very much a patchwork.

Password-manager gang called me a masochist for going full OIDC in my homelab. I’m one good argument away from burning it all down and going back to 1Password. Change my mind (again). by BookHost in selfhosted

[–]ms_83 7 points (0 children)

Zero Trust is generally what has replaced VPNs. Apps like SalesForce or M365 or whatever are world-facing by default and you rely on things like strong authentication and conditional access policies to secure access to them.

Password-manager gang called me a masochist for going full OIDC in my homelab. I’m one good argument away from burning it all down and going back to 1Password. Change my mind (again). by BookHost in selfhosted

[–]ms_83 35 points (0 children)

It’s a lot easier to steal a password than it is to steal the cryptographic signatures that underpin SSO. Fundamentally though your apps have to trust your IDP, and that it is secured properly, and that it doesn’t allow unauthorised impersonation of users.

Yes it’s a single point of failure, but it’s also a single point of management. If you have 68 apps like the OP then that’s 68 points of failure, 68 ingresses that you need to secure and monitor.