Posts by jeroen@secluded.ch
(DIR) Post #AZGkS4a22MGMFHxkEC by jeroen@secluded.ch
2023-08-30T21:38:13Z
0 likes, 0 repeats
@mjg59 ehhh nope nope nope nope.... no way, full body anesthesia is an option for that? kidney surgery with local anesthesia is fine, but stic.... nope nope... I hope you are okay ;)
(DIR) Post #AaXlxSi7RQFKScELyq by jeroen@secluded.ch
2023-10-08T00:40:06Z
0 likes, 0 repeats
@mjg59 the shelly.cloud ones are an ESP and custom firmware exists... soooo; but yes less fun than hacking, building and maintaining your own ;)
(DIR) Post #Aale9Kuu0DW5kmpS2i by jeroen@secluded.ch
2023-10-14T17:17:33Z
0 likes, 0 repeats
@mjg59 68004, I see you are in Motorola territory of article numbers ;)
(DIR) Post #Ab94KdfBiSYHgiSQNc by jeroen@secluded.ch
2023-10-26T00:29:49Z
0 likes, 0 repeats
@mjg59 at least they drive you in a jaaagggg -- now if only it had an actual driver that could drive ;)
(DIR) Post #AbRd6Yf4wcyiZw4HAm by jeroen@secluded.ch
2023-11-03T12:05:06Z
0 likes, 0 repeats
@alarig you really need to check out all the VPP articles that @IPngNetworks has been writing ;) -- https://ipng.ch/s/articles/
(DIR) Post #AbRd6bXOFfbvUxUg6a by jeroen@secluded.ch
2023-11-03T13:01:49Z
0 likes, 0 repeats
@alarig @PorCus @IPngNetworks so https://ipng.ch/s/articles/2023/10/21/vpp-ixp-gateway-1.html ? ;)
(DIR) Post #Ad4seXBX4yYUoomGOG by jeroen@secluded.ch
2023-12-21T15:14:02Z
1 likes, 0 repeats
@jssfr "open source does not pay us"........ nasty way to do business... :( fortunately for all services where I admin, the default is to reject unauthentic pipelined commands as that also stops a lot of very badly written spam robots... and I would not be surprised if many others have that setting like that for that reason. Implementing it for a large service where it is not enabled yet can be tricky with this timeline.
(DIR) Post #Ahx0VC0iZJ4wgw5m2C by jeroen@secluded.ch
2024-05-03T11:37:40Z
0 likes, 0 repeats
@bagder @KHoos they got javascript execution on each ad "display", and fingerprinting is a thing (and chrome has the new "Topics" or whatever they call it today); IP addresses are mostly not unique especially in combo with even a light fingerprint.
Disabling third party cookies is good, but only disadvantages those who do not build browsers and control what they load up in there.
(DIR) Post #Ahx0VEZX2q7CdUObZo by jeroen@secluded.ch
2024-05-03T11:46:41Z
0 likes, 0 repeats
@bagder @KHoos proof in point: https://mastodon.social/@mysk/112376334343918219
(DIR) Post #Ahxjz6XPyYXULM1a2y by jeroen@secluded.ch
2023-02-24T14:12:31Z
0 likes, 0 repeats
https://research.swtch.com/telemetry-opt-in opt-in \o/
(DIR) Post #Ai1ePCIVMX52dtwoEK by jeroen@secluded.ch
2022-12-17T21:41:19Z
0 likes, 0 repeats
Note that it is live since yesterday-ish that one can have:
```
example.com. CAA issuewild "letsencrypt.org; validationmethods=dns-01"
```
and thus restrict that Let's Encrypt can only issue when validated through DNS, or for a given account name on HTTP :)
https://community.letsencrypt.org/t/enabling-acme-caa-account-and-method-binding/189588
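As an added example, not part of the original post: a Python check of how a CAA RRset with the RFC 8657 `validationmethods` and `accounturi` parameters constrains an issuance request. The function names, the account URI and the second record are constructed for illustration; critical flags, `iodef` and the DNS tree-climbing lookup are left out.

```python
# Added example: evaluate CAA issue/issuewild values with RFC 8657 parameters.
# Assumption: the caller has already looked up the relevant RRset for the name
# and passes it as (tag, value) pairs.

def parse_caa_value(value):
    """Split an issue/issuewild value into (issuer_domain, {param: value})."""
    issuer, *raw_params = (part.strip() for part in value.split(";"))
    params = {}
    for raw in raw_params:
        if not raw:
            continue
        name, sep, val = raw.partition("=")
        if not sep:
            raise ValueError(f"malformed CAA parameter: {raw!r}")
        params[name.strip().lower()] = val.strip()
    return issuer.lower(), params

def issuance_allowed(rrset, ca_domain, method, account_uri, wildcard):
    """Return True if the CA may issue for this request under the RRset."""
    issue = [v for t, v in rrset if t.lower() == "issue"]
    issuewild = [v for t, v in rrset if t.lower() == "issuewild"]
    # issuewild is ignored for non-wildcard names; for wildcard names it
    # takes precedence over issue when present.
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return True  # no applicable property: CAA does not restrict issuance
    for value in relevant:
        try:
            issuer, params = parse_caa_value(value)
        except ValueError:
            continue  # fail closed: a malformed value authorises nobody
        if issuer != ca_domain.lower():
            continue
        methods = params.get("validationmethods")
        if methods is not None and method not in [m.strip() for m in methods.split(",")]:
            continue
        if "accounturi" in params and params["accounturi"] != account_uri:
            continue
        return True
    return False

ACCOUNT = "https://acme.example/acct/1234"  # constructed placeholder account URI
# Property value from the post: wildcard issuance only after dns-01 validation.
WILD_ONLY = [("issuewild", "letsencrypt.org; validationmethods=dns-01")]
# Constructed second record: bind non-wildcard issuance to one ACME account.
BOUND = WILD_ONLY + [("issue", f"letsencrypt.org; accounturi={ACCOUNT}")]
```

With only the `issuewild` record present, non-wildcard issuance stays unrestricted, which is why the constructed `BOUND` set adds an `issue` record as well.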
(DIR) Post #Ai5FGeWPKredLn7RAm by jeroen@secluded.ch
2024-04-16T06:55:55Z
0 likes, 0 repeats
@zekjur FYI: I just noticed in the Wingo customer portal that they per default have these two options enabled, especially the first one is .... not so nice.
If it was really anonymous they would not have an option for it, as then it would not be PII one would think. Because indeed, it cannot be really "anonymous" as there might be few folks actually on a rural cell site...
(DIR) Post #AiQExieZpVUEyy4QWu by jeroen@secluded.ch
2024-05-30T16:02:50Z
0 likes, 0 repeats
@huitema @mnot the answer maybe lies in DANE: replace the CAs with DNSSEC. Note also that we currently have effectively only one CA: Let's Encrypt
As long as the large corps do not move though, little will change, as most companies follow the big ones, even though they might need their tech...
(DIR) Post #AiQUWqH8yvR24NJdbM by jeroen@secluded.ch
2024-05-30T16:29:26Z
0 likes, 0 repeats
@feld @huitema @mnot 71% of all certs issued are from ISRG/LetsEncrypt, ZeroSSL falls under "other" (<5%) as per https://ct.cloudflare.com
But indeed, ZeroSSL is an option and one can configure multiple SSL certs with different cert paths on the same HTTP host, in case one of them breaks. Backups are good to have
(DIR) Post #AiQUWri7e6bqWKwhI8 by jeroen@secluded.ch
2024-05-30T18:01:48Z
0 likes, 0 repeats
@huitema @feld @mnot TLDs can set policy, and they should, it is their TLD after all. Note that .dev already has mandatory HSTS.
Changing domain names is horrible anyway; and using different nameservers in other TLD does not help that: delegation from TLD to domain not working, no domain at all.
Thus that single domain/TLD risk exists already today, with SSL on top if there was an active component in checks (the CA not being revoked). DANE in theory could remove that...
(DIR) Post #AiQUWtQ7I1OXp4XLVI by jeroen@secluded.ch
2024-05-30T18:15:27Z
0 likes, 0 repeats
@huitema @feld @mnot good point, an adversary/hacked TLD could indeed change the DNSSEC keys and thus also swap out everything else including DANE TLS certs; would be very easily caught (cert transparency)
Similar to a rogue SSL CA issuing a wrong cert, they can make a private key and sign it with the CA as they are the CA. Would also need to attack DNS then though.
Side effect of hierarchies.
Would need multi-signer to avoid that.... and hope not all compromised.
(DIR) Post #AiQUWuw3ekXUWQUMvg by jeroen@secluded.ch
2024-05-30T18:31:35Z
0 likes, 0 repeats
@huitema @feld @mnot those lists are run by Mozilla (for Linux distro), Google (who own >80% of browser market) and a bit at Microsoft.... only a few mostly anonymous/inaccessible blobs with big legal departments. LetsEncrypt sponsored by... ah the above.
ccTLDs tend to be covered by law of their local government; .com though is a US corporation.... I know I can walk into the SWITCH.ch offices ;) [and why my primary domain is .ch ;) ]
But yes, complex...
(DIR) Post #Akp9JumEwPj6zbzEfI by jeroen@secluded.ch
2024-08-09T13:07:24Z
0 likes, 0 repeats
@winterschon @Tubsta Optionally take https://dnsdist.org and put https://www.knot-resolver.cz behind it, next to unbound and powerdns as with dnsdist you can load balance them ;)
From a performance, configuration, feature and stability perspective both Knot and PowerDNS are pretty great, cannot go wrong.
For the anycast part: prepend when your checks fail, thus enabling last-resort in case of check failures.
(DIR) Post #An4iRG1hnBCKg49fyS by jeroen@secluded.ch
2024-10-16T14:25:49Z
1 likes, 0 repeats
@Codeberg when transporting your servers like that, do anticipate for dirt, and worse, rain. Two Ikea blue bags fit great for most servers ;) [one over the top, one over the bottom upwards due to dirt/mud coming from the floor].
At arrival, do acclimatize the server and ensure to reseat many cards; which is why an outer carton box is advised. Good luck with the new toy! -- fellow server-by-public-transport person ;)
(DIR) Post #ApcXAZscAMDG7uRkSu by jeroen@secluded.ch
2024-12-31T11:55:13Z
1 likes, 0 repeats
@bagder if it hurt your ego, it is a bug you will not make again and lesson learnt ;) I tend to read CVEs and more the fixes to learn what classes of bugs are being fixed so to avoid them myself; also do check if similar mistakes have not been made elsewhere if applicable