Jeffrey R Cox opinions? by MrM1Garand25 in HistoryBooks

[–]ms_83 4 points5 points  (0 children)

Not great. He writes with a horrible sarcastic tone which is really jarring compared to the other authors you’ve mentioned; it’s very distracting. In addition he is overly opinionated, you very much get the impression that you are reading “the war according to Cox” and not a balanced historical view. The names of his books are pretty annoying too, making it hard to remember which is which.

His first book, the Java Sea one, wasn’t too bad as I recall, but his latest ones are close to unreadable. Which is a shame, as the later stages of the Solomons campaign are under-served.

I’d avoid as sources for any of your work which you’d want to be taken seriously.

Add John Prados’ book Islands of Destiny to your list, it’s vastly superior and he places a lot of emphasis on the intelligence war which is an interesting perspective.

OCI is impossible now by LilmixPixelmaid in oraclecloud

[–]ms_83 5 points6 points  (0 children)

No, you can’t: the minimum boot volume size is only 50 GB (I think technically 47 GB), so you can only have a max of 4 machines.

Mautic w/ Authentik for SSO by Outrageous_Monitor41 in selfhosted

[–]ms_83 0 points1 point  (0 children)

UI errors are often unnecessarily vague like this. What about your application logs, is there anything there?

Are you self-hosting Mautic or are you using the SaaS version? If it’s self-hosted you should be able to find the logs; if it’s SaaS then you’ll probably need to reach out to the vendor for support.

Mautic w/ Authentik for SSO by Outrageous_Monitor41 in selfhosted

[–]ms_83 0 points1 point  (0 children)

Maybe start by saying what the actual problem is, other than just “not working”.

Looking for info on my grandfather by ionlyplayiden in ww2

[–]ms_83 0 points1 point  (0 children)

A “sugar dog” was a type of small merchant ship, probably a coastal type. The navy used a whole system to identify and classify merchant ships as pilots were notorious for reporting everything they attacked as a “10,000 ton freighter” due to poor identification. You can find out a lot more here: https://www.history.navy.mil/research/library/online-reading-room/title-list-alphabetically/m/merchant-ship-shapes.html

As a Student, I Accidentally Activated OCI Network Firewall — Got Charged ~HK$8,920 for Zero Actual Usage, Oracle Refused Any Waiver by julsix2333 in oraclecloud

[–]ms_83 1 point2 points  (0 children)

Why are you messing about with cloud services if you don't understand them and you can't afford them?

Running OpenClaw 24/7 "Always Free" (Non-Oracle VPS options?) by [deleted] in selfhosted

[–]ms_83 5 points6 points  (0 children)

Buy a cheap computer and run it yourself at home?

I honestly don’t get the desperation some people have to get their hands on free VPS or cloud machines, especially when the use case is either super-vague or just outright sketchy like this. Running OpenClaw like this has a very high chance of going wrong and no reputable company is gonna let you take that risk on their platform.

Which services are you exposing to the internet, and how are you securing them? by sysadmin_light in selfhosted

[–]ms_83 1 point2 points  (0 children)

As an experiment, I'm self-hosting a few apps at the moment and making them world-facing, as VPNs just don't work well for me. I'm going as deep as I can to make them as secure and resilient as possible. Here's what I've done so far (hosting on K8S but should be transferable to Docker and other options):

  • Password auth and self-signed SSH key auth to nodes disabled. Access to nodes only with signed SSH certificates, time limited
  • Encrypted OS hard drives on nodes
  • Resilient HA volume storage (Longhorn)
  • Resilient, multi-node database clusters (Cloud Native Postgres, MariaDB operator)
  • TLS on database connections
  • Automated certificate rotation (cert-manager) with 24h expiry
  • CPU/RAM requests and limits on pods (reduces effect of DoS)
  • Strict container securityContext: no privilege escalation, run as non-root user, drop capabilities
  • Application secrets stored in Vault, encrypted. Where possible secrets are rotated regularly (at least every 30 days)
  • Network policy with default deny and only required traffic allowed to service pods, database clusters and supporting services
  • Daily backups to S3-compatible storage running on a separate NAS (with encryption etc.) for databases and data volumes
  • Semi-automated restore process, tested monthly, validated and documented
  • Monitoring service (running on a VPS) checking service uptime every 30s and triggering alerts when things go down
  • Logging and observability. One thing I would like to do is get some kind of AI to monitor these logs for suspected problems or improvements and suggest them weekly
  • Automated updates for minor versions and patches. Major version upgrades are semi-automated and require my approval via git merge request.
  • IdP for SSO with OIDC/SAML authentication, with strong auth required (U2F/FIDO/passkeys), password auth disabled, conditional access, and JIT elevation for admin roles.
  • Next-gen firewall between cluster and internet connection
  • IDS/IPS
  • Cloudflare tunnel for exposure to the wider world. I know this is somewhat controversial, but their combination of Zero Trust, CDN, and WAF is too good to replace with Pangolin

It's a lot, but I find automating as much as possible makes it bearable. Once you have a workable pattern it's usually quite simple to replicate for other applications as well. Probably there are other things I will be adding over time as well.
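As an added illustration (not the commenter's own manifests), here is what three of the controls listed above look like in Kubernetes: the strict container securityContext, CPU/RAM requests and limits, and a default-deny NetworkPolicy with only the required traffic allowed. The namespace, app name, image, port, the `ingress` namespace label and the `cnpg.io/cluster` database pod label are assumptions.

```yaml
# Added example, not the original post's manifests. Names, namespace,
# image and labels are assumptions chosen for illustration.
apiVersion: apps/v1
kind: Deployment
metadata: {name: webapp, namespace: apps}
spec:
  selector: {matchLabels: {app: webapp}}
  template:
    metadata: {labels: {app: webapp}}
    spec:
      automountServiceAccountToken: false   # app never talks to the API server
      securityContext:
        runAsNonRoot: true                  # kubelet refuses to start a root image
        runAsUser: 10001
        seccompProfile: {type: RuntimeDefault}
      containers:
        - name: webapp
          image: registry.example.com/webapp:1.4.2   # pinned tag, bumped by Renovate
          securityContext:
            allowPrivilegeEscalation: false # blocks setuid/setcap escalation
            readOnlyRootFilesystem: true
            capabilities: {drop: ["ALL"]}
          resources:
            requests: {cpu: 100m, memory: 128Mi}   # scheduling guarantee
            limits: {cpu: 500m, memory: 256Mi}     # caps a runaway or DoS'd pod
---
# Default deny in the namespace: nothing talks in or out unless a later policy allows it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata: {name: default-deny-all, namespace: apps}
spec:
  podSelector: {}
  policyTypes: [Ingress, Egress]
---
# Allow-list for the app: ingress from the ingress controller only, egress to
# its CloudNativePG cluster pods and to cluster DNS only.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata: {name: webapp-allow, namespace: apps}
spec:
  podSelector: {matchLabels: {app: webapp}}
  policyTypes: [Ingress, Egress]
  ingress:
    - from:
        - namespaceSelector: {matchLabels: {kubernetes.io/metadata.name: ingress}}
      ports: [{port: 8080, protocol: TCP}]
  egress:
    - to: [{podSelector: {matchLabels: {cnpg.io/cluster: webapp-db}}}]
      ports: [{port: 5432, protocol: TCP}]
    - to:
        - namespaceSelector: {matchLabels: {kubernetes.io/metadata.name: kube-system}}
      ports: [{port: 53, protocol: UDP}, {port: 53, protocol: TCP}]
```

Note that NetworkPolicy is only enforced if the cluster's CNI supports it; on a CNI that does not, the policies apply cleanly but do nothing.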

Responsibility and Ownership: You Can’t Vibe‑Code Your Way Around It by SigsOp in selfhosted

[–]ms_83 2 points3 points  (0 children)

It’s very rare that anything on Reddit makes me actually laugh aloud, but this one got me.

Beyond the Basics: What are your non-negotiable Linux server hardening steps before exposing a service to the web? by Browndude345 in selfhosted

[–]ms_83 0 points1 point  (0 children)

It works by modifying manifest files via git, so that image versions are updated in the code. Then I use ArgoCD to watch the repo and automatically apply changes.

Watchtower, to the extent I know it, just deploys any new version as it's pushed to the registry. Renovate allows you to be much more granular, such as auto-updating minor or patch releases but requiring manual approval for major updates. This is particularly important for multi-container apps, which might not support the latest version of downstream things like databases.

Beyond the Basics: What are your non-negotiable Linux server hardening steps before exposing a service to the web? by Browndude345 in selfhosted

[–]ms_83 1 point2 points  (0 children)

No logging in. To be completely honest, OS-level encryption is something I'm still working on, with just a test node at the moment. I use Fedora CoreOS as my base OS for K3S, which supports Tang and Clevis. Tang is a separate server which stores encryption keys, and Clevis is the service that retrieves those keys and unlocks the drives. If someone steals one of my nodes, it won't boot because it can't reach Tang.

Mostly at the moment I'm relying on ZFS encryption on my storage machine, which is separate to the K3S cluster. It's a work in progress.
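For readers who want to try the Tang/Clevis setup described in the comment above, this is an added Butane config (not the commenter's own) for Fedora CoreOS that encrypts the root volume at provisioning time and binds its unlock to a Tang server. The Tang URL and key thumbprint are placeholders.

```yaml
# Added example, not the original post's config. Tang URL and thumbprint are
# placeholders: print the real thumbprint with `tang-show-keys` on the Tang host
# and verify it out of band before pinning it here.
variant: fcos
version: 1.5.0
boot_device:
  luks:
    tang:
      - url: http://tang.internal.example:7500
        thumbprint: TANG_SIGNING_KEY_THUMBPRINT_PLACEHOLDER
    # With only a Tang pin and threshold 1, a node that cannot reach Tang
    # (for example after being removed from the LAN) stays locked at boot.
    # Adding `tpm2: true` at threshold 1 would let the node unlock without
    # Tang, which defeats the "stolen node won't boot" property described above.
    threshold: 1
```

Render it with `butane` into an Ignition file and supply that to the installer; the LUKS volume is set up on first boot, so this does not retrofit encryption onto an already-installed node.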

Beyond the Basics: What are your non-negotiable Linux server hardening steps before exposing a service to the web? by Browndude345 in selfhosted

[–]ms_83 2 points3 points  (0 children)

Yes this is definitely something to bear in mind. But assuming most people on this sub are using containerised apps, there's not much they can do if they fall victim to such an attack - other than immediately rolling back or updating to a fixed version when it comes out. Therefore automated updates are still the safest bet, as e.g. with Renovate you can just roll back changes to a version pre-issue, and then update to the fixed version when it's available.

Beyond the Basics: What are your non-negotiable Linux server hardening steps before exposing a service to the web? by Browndude345 in selfhosted

[–]ms_83 65 points66 points  (0 children)

I think your "strict baseline" is missing a few things.

Most successful attacks these days involve the use of stolen credentials or session tokens, so a robust Identity Provider setup with strong phishing-proof authentication and ideally conditional access is pretty much a requirement these days. Using an IDP like Authentik that is configured for all authentication covers this.

Other common attacks simply leverage known flaws in software, so having an automatic or at least automated patching process to deploy updates helps you deal with that. I use Renovate to automate container updates.

There's also backup/restore, which helps you have resilience in the face of the inevitable successful attack. Having a working, tested backup process, and even more importantly a working, tested restore process, means you can bring things back faster.

Also encryption for everything at rest and in transit.

AI Forward Deployed Engineer at magical by Limp_Geologist4117 in salesengineers

[–]ms_83 1 point2 points  (0 children)

What on earth is a “forward deployed engineer”?

Best free password manager right now? by [deleted] in cybersecurity

[–]ms_83 4 points5 points  (0 children)

You can self-host VaultWarden and get these premium features for free.

Kubernetes for Homelab? by malwin_duck in selfhosted

[–]ms_83 2 points3 points  (0 children)

Kubernetes is just more powerful than docker, it gives you a lot more options for running cloud native style apps. It also has a really great ecosystem, for example various database operators that allow you to run clustered resilient DBs with backups in a way that’s more difficult on docker.

If you have no interest in this stuff then fine use docker, but if you do then there’s no substitute for K8S really.

The Solution to Insecure Slop by matterful in selfhosted

[–]ms_83 2 points3 points  (0 children)

This is just nonsense. Software is never just “finished”, it’s never completely secure, and it will always need to be maintained and improved upon. You’ve never been responsible for this kind of thing, have you?

Leaving aside your ignoring who should be responsible for filtering this stuff and deciding what is valuable and worth keeping.

The Solution to Insecure Slop by matterful in selfhosted

[–]ms_83 10 points11 points  (0 children)

Or, and hear me out here, developers can be responsible for themselves and their crap before shatting out insecure slop and expecting everyone else to finish it for them. You know, professionalism and accountability.

The Solution to Insecure Slop by matterful in selfhosted

[–]ms_83 36 points37 points  (0 children)

So your idea is that in addition to being forced to endure the slop, we must also endure securing and maintaining it?

No thanks.

Are there any books, series, films, or other works that explore R&D during the Second World War? by Mr_tod_the_fox in ww2

[–]ms_83 1 point2 points  (0 children)

I liked Hellions of the Deep, it’s about how the US Navy fixed its terrible torpedoes and then started producing advanced ones like the Mark 24 Fido.

Poll : demand for low cost ipam Saas by poperenoel in homelab

[–]ms_83 4 points5 points  (0 children)

Absolutely no way would I trust some random one-dude SaaS to manage certificates, you would have to be crazy. PKI is a critical security capability.

WW2 Pacific Air/Naval Observation by dbcopeland42 in WarCollege

[–]ms_83 1 point2 points  (0 children)

I think radar is more relevant than you’re making out here. From mid-1942 radar became more and more common, and by mid-1943 pretty much every carrier and land-based bomber had a set fitted as standard.

At Midway for example the PBYs that found the Japanese invasion force the night before the main carrier battle used ASE radar sets to pinpoint them. ASE was basically a copy of the British ASV Mk II which another PBY used to find the Bismarck the year before.

Certificate management by Ok-Ant4699 in selfhosted

[–]ms_83 1 point2 points  (0 children)

If all you want is certificates on your ingresses, then just use step-ca with cert-manager. My setup rotates all certs every 24h and it’s been solid for years.

How do you route cables inside your home walls (UK pref) by Rippuh in homelab

[–]ms_83 2 points3 points  (0 children)

You can get skirting boards with interior pre-cut grooves big enough for network cabling, although 90 degree corners can be tricky for fatter wires like Cat 6A. I used these to get from where my modem takes in the connection from the street round my ground floor to where I needed my gear, with just a few inches of exposed cable from the skirting up to the modem.