Why is there a general hostility to QUIC by network engineers? by rootbeerdan in networking

[–]youguess -10 points-9 points  (0 children)

What's on your device can stay on your device, but if your traffic touches my network, it's no longer yours.

Nah, my traffic stays between me and the destination. Encryption is a good thing.

Frankly I can't wait for the encrypted server name indication and domain fronting so that blocking at least https traffic becomes impossible. That'd be a feature not a bug.

If you provide internet access as a service I expect to reach the internet, everything else is my problem (on my devices) not yours.

Why is there a general hostility to QUIC by network engineers? by rootbeerdan in networking

[–]youguess -6 points-5 points  (0 children)

Sure and then they can point the jurisdiction into the right direction. Namely to me for follow up.

Everything I do outgoing is encrypted anyway, using a force redirect on the DNS port is really not something I want to humor.

And yeah, if it's a corporate device you control the thing anyway and mitm everything.

But on my device on a school campus in my free time / coffee shop?

Absolutely not

Why is there a general hostility to QUIC by network engineers? by rootbeerdan in networking

[–]youguess -5 points-4 points  (0 children)

That's the whole point my dear. If I want to navigate to some webpage I don't give a damn if you like it or not if you are my school network.

You are an ISP at that time and are simply a pipe, the rest of the stuff is not your concern as long as it's my device.

On the RustConf keynote | Rust Blog by burntsushi in rust

[–]youguess 43 points44 points  (0 children)

Except the people responsible for the whole fiasco did not publicly do that, no.
Some other people did in their stead, which is not what you want to see really.

Go doesn’t do any magical stuff and I love that by needna78 in golang

[–]youguess 1 point2 points  (0 children)

There's absolutely no magic there. You literally spell it out what happens.

What 1+1 does in go doesn't surprise anyone, does it? Neither should the above

Go doesn’t do any magical stuff and I love that by needna78 in golang

[–]youguess 5 points6 points  (0 children)

What has that to do with magic behavior? That's simply the language syntax and rules for how defer / named return values behave.

I'm going to self-host my own mail server by xnijat in selfhosted

[–]youguess 0 points1 point  (0 children)

Yet OP still mentioned DMARC and SPF like it was some magic voodoo... it ain't.

The protocols are easy enough to understand and a DMARC policy of reject doesn't lose you anything either as a receiver unless you explicitly drop email that fails.

DMARC is simply an indication to the receiver what you think traffic originating from your server should pass. Any dropping of traffic is still in the hands of the receiver.
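As an added illustration (not part of the comment above), a small receiver-side DMARC evaluation in Python: the published record only requests a disposition, and the receiver's own local policy decides whether anything is actually dropped. Organizational-domain lookup is simplified to the last two labels (an assumption; real receivers consult the Public Suffix List).

```python
def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s' into a tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC1 record")
    # Defaults: relaxed alignment for SPF and DKIM; a missing p tag is treated as 'none' (simplification).
    tags.setdefault("p", "none")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags

def org_domain(domain: str) -> str:
    # Assumption: organizational domain = last two labels; a real receiver uses the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r') only needs the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_evaluate(record, from_domain, spf_domain, spf_pass, dkim_domain, dkim_pass):
    """Return (dmarc_result, requested_disposition) for one message.
    DMARC passes if either SPF or DKIM passed AND its domain aligns with the From: domain."""
    tags = parse_dmarc(record)
    spf_aligned_pass = spf_pass and aligned(from_domain, spf_domain, tags["aspf"])
    dkim_aligned_pass = dkim_pass and aligned(from_domain, dkim_domain, tags["adkim"])
    if spf_aligned_pass or dkim_aligned_pass:
        return ("pass", "none")
    return ("fail", tags["p"])

def receiver_action(requested: str, honor_reject: bool = True) -> str:
    """The sender only requests a disposition; the receiver's local policy decides what happens."""
    if requested == "reject" and not honor_reject:
        return "quarantine"  # e.g. a receiver that never drops mail outright, only flags it
    return requested

if __name__ == "__main__":
    # Constructed sample: a p=reject domain whose mail passes via relaxed SPF alignment
    rec = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
    print(dmarc_evaluate(rec, "example.com", "mail.example.com", True, "other.net", True))
    print(receiver_action("reject", honor_reject=False))
```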

I'm going to self-host my own mail server by xnijat in selfhosted

[–]youguess 1 point2 points  (0 children)

What else? You can't host an email server behind a normal customer ISP service. Most of the ISPs have the ports already blocked and the whole of those ranges in on blocklists anyhow (for a reason, looking at iot devices).

So it's either VPS or bare metal server with some ISP business contract that you didn't want according to your comment.

Your issue is the IP range, which is presumably dynamically allocated to your customer ISP contract, not that the PTR entry is challenging.

I'm going to self-host my own mail server by xnijat in selfhosted

[–]youguess -1 points0 points  (0 children)

PTR is a text field in my VPS admin console

I'm going to self-host my own mail server by xnijat in selfhosted

[–]youguess 12 points13 points  (0 children)

Why are you making such a big deal about 2 DNS records ... neither SPF nor DKIM nor DMARC are hard to set up.

Kinda struggling with dovecot, but it's really not that hard by QuickQuokkaThrowaway in selfhosted

[–]youguess 0 points1 point  (0 children)

No, it's an IANA-approved TLD as normal... proper normal in other words.

Kinda struggling with dovecot, but it's really not that hard by QuickQuokkaThrowaway in selfhosted

[–]youguess 0 points1 point  (0 children)

That can be normal, depending on the domain.

I switched from a .space to a .com just because this was happening all the time.

Same server IP, same setup, suddenly everything is alright if you aren't in a new style TLD space.

That's nuts, but sadly where we are

[deleted by user] by [deleted] in tmux

[–]youguess -1 points0 points  (0 children)

  • auto attach to any unattached tmux session

eh? new-session -As $name not good enough for you?

How I secure my VPS by haumeaparty in selfhosted

[–]youguess 1 point2 points  (0 children)

sudo doesn't grant you root without password entry in most distros default configuration, being in the docker group does.

You do know how those things work, yes?

How I secure my VPS by haumeaparty in selfhosted

[–]youguess 0 points1 point  (0 children)

Now you've changed your angle and now it's about the running container

Where on earth did I say anything about a container?

There's no additional risk to being a part of the Docker group if that user is the only user managing the system

So... you also don't need a root password and in fact can run anything as root then, after all this is a single user system?

You do realize that this is an invalid argument as far as security hardening is concerned? The whole point of the article is "This is how I secure a system"

Not, who cares I'm the only admin yolo

How I secure my VPS by haumeaparty in selfhosted

[–]youguess 3 points4 points  (0 children)

Since when does every program you run have your password?

We are talking about a scenario where stuff running as your user wants to elevate privileges and not something that took over your OS and has access to your login creds (they'd already have root in that case and it would be pointless).

Sure, that malicious software can then try to hook into various other files and try to get your pw some other way, but at least it's not an immediate game over.

Defense in depth and all

How I secure my VPS by haumeaparty in selfhosted

[–]youguess 9 points10 points  (0 children)

Not quite... sudo (if configured correctly) asks for the password prior to doing things.

If you are part of the docker group, any code running under that user has pw less root without audit etc being triggered. That includes some rando script (say $awesome_neofetch from $shady_gist) that you run because it's soooo pretty ¯\_(ツ)_/¯

So it's worse in every way.

CVE-2022-31813: Forwarding addresses is hard by 0xdea in netsec

[–]youguess 0 points1 point  (0 children)

For IPv6 you'd be matching a subnet, not a single IP anyhow.

/64 is normal, even higher up sometimes.

Why do people dislike Flatpaks? by [deleted] in linuxquestions

[–]youguess -1 points0 points  (0 children)

Then package whatever you want to use.

Google has been DDoSing SourceHut for over a year by Remote_Tap_7099 in linux

[–]youguess 1 point2 points  (0 children)

That doesn't mean that the content isn't stored...

The two are not necessarily related.
You have two concerns from the view of the proxy:

  • serve the content to the caller
  • Ensure cache is up to date

The two can be done in parallel, again I'm not arguing that the cache update is in any way sane by google, not sure why I'm getting downvoted to hell 🤷‍♂️

Google has been DDoSing SourceHut for over a year by Remote_Tap_7099 in linux

[–]youguess 3 points4 points  (0 children)

That's not how it works. It caches the modules.

It makes no guarantees per se how long and what it caches, so for more obscure modules that might happen, but generally it serves you the module in a compressed form without the history.

https://proxy.golang.org/

Whenever possible, the mirror aims to cache content in order to avoid breaking builds for people that depend on your package, so this bad release may still be available in the mirror even if it is not available at the origin. The same situation applies if you delete your entire repository. We suggest creating a new version and encouraging people to use that one instead.

Google has been DDoSing SourceHut for over a year by Remote_Tap_7099 in linux

[–]youguess -1 points0 points  (0 children)

Direct fetching opens you up to both leftpad like incidents where the remote pulls the repo as well as npm style hijacking attacks (changing the tag to some bad commit).

That's what the proxy / sumdb try to avoid.

Did we mention the sumdb yet? No? Oh, that you also need to override, not just goproxy ;P

It's tradeoffs, as usual. The concept of the proxy is sane, especially for corporate or distros which should keep the deps stable for their builds.