r/theydidthemonstermath

r/theydidthemath

Private trackers disgust me. What kind of pirate turns away from the world, to re-seeding fragments of files they don’t care about to other cowards with slightly slower rss feeds; all for a chance at enough ratio to get the show you want? It’s a country club, with self-validating assholes, dry hot dogs, and tall fences.

The Mainline DHT is the way forward. There is no social credit here. The kids in Africa are starving, and I will throw them as much as I can, kilobyte by kilobyte, for no reason at all, for I too was a leecher once.

It’s an open source linux graphics driver.

It is very widespread, despite being quite slow, because it works. It ships by default with almost everything, and is the fallback when card-specific drivers fail

Edit: what Max_P said

I have declared war on notifications. My immediate family, two closest friends, and my boss can call me. In no other circumstances will my phone make a noise or vibrate. I will check my texts when I feel like it.

Other than a few exceptions, no apps may show the notification badge either. Discord will show DMs and mentions from one or two servers. Everything else is blocked. My work email may show unread email. I’ve even turned off banners on my work chat app. I don’t think I’ve checked my personal email in months.

All my recurring charges are paperless + autopay. That’s another notification badge I forgot about - I have a budgeting app that can show transactions. I categorize them, make sure their categories are covered, and I’m done.

On the first of the month, I pay rent and set the budgeting app categories. Then I have nothing to worry about, and near-zero distractions. My biggest pain point in life is deciding what to eat for dinner.

Anything exposed to the internet will be found by the scanners. Moving ssh off of port 22 doesn’t do anything except make it less convenient for you to use. The scanners will find it, and when they do, they will try to log in.

(It’s actually pretty easy to write a little script to listen on port 20 (telnet) and collect the default login creds that the worms so kindly share)

The thing that protects you is strong authentication. Turn off password auth entirely, and generate a long keypair. Disable root login entirely.

Most self-hosted software is built by hobbyists with some goal, and rock solid authentication is generally not that goal. You should, if you can, put most things behind some reverse-proxy with a strong auth layer, like Teleport.

You will get lots of advice to hide things behind a vpn. A vpn provides centralized strong authentication. It’s a good idea, but decreases accessibility (which is part of security) - so there’s a value judgement here between the strength of a vpn and your accessibility goals.

Some of my services (ssh, wg, nginx) are open to the internet. Some are behind a reverse proxy. Some require a vpn connection, even within my own house. It depends on who it’s for - just me, technical friends, the world, or my technically-challenged parents trying to type something with a roku remote.

After strong auth, you want to think about software vulnerabilities - and you don’t have to think much, because there’s only one answer: keep your stuff up to date.

All of the above covers the P in PICERL (pick-uh-rel) for Prepare. I stands for Identify, and this is tricky. In an ideal world, you get a real-time notification (on your phone if possible) when any of these things happen:

• Any successful ssh login
• Any successful root login
• If a port starts listening that you didn’t expect
• If the system watching for these things goes down (have two systems that watch each other)

That list could be much longer, but that’s a good start.

After Identification, there’s Contain + Eradicate. In a homelab context, that’s probably a fresh re-install of the OS. Attacker persistence mechanisms are insane - once they’re in, they’re in. Reformat the disk.

R is for recover or remediate depending on who you ask. If you reformatted your disks, it stands for “rebuild”. Combine this with L (lessons learned) to rebuild differently than before.

To close out this essay though, I want to reiterate Strong Auth. If you’ve got strong auth and keep things up to date, a breach should never happen. A lot of people work very hard every day to keep the strong auth strong ;)

For the Nth time, crowdstrike circumvented the testing process

Edit: this is not to say that cs didn’t have to in order to provide their services, nor is this to say that ms didn’t know about the circumvention and/or delegate testing of config files to CS. I’ll take any opportunity to rag on MS, but in this case it is entirely on CS.

Crowdstrike runs at ring 0, effectively as part of the kernel. Like a device driver. There are no safeguards at that level. Extreme testing and diligence is required, because these are the consequences for getting it wrong. This is entirely on crowdstrike.

It’s not rocket appliances

The leg tapers and the rounded edges give it such a refined, polished look. This is fantastic.

I strongly recommend the NAT loopback route over attempting split-horizon dns.

It really depends on the parameters of the thought experiment.

If everyone suddenly received a lot of money, there would be a wild period of adjustment before we figure out the pricing system again and life continues as normal. Even though there’s a lot more money, there is not magically more TVs to buy. Nor would we all start building tv factories - there’s not magically more copper or concrete to buy either.

If we all got more money and buried it in our yards and swore never to use it, then nothing has changed. For the sake of the thought experiment, someone would break the promise (I would - I want air conditioning), and then everyone else would break it too, and we end up in the previous situation.

If everyone were suddenly truly wealthy - as in stuff / things - some might think we would chill out and coast for a while. But having satisfied our big needs ( I am not being hunted by tigers) and our medium needs (Air conditioning, yay!), I imagine humanity would just keep working - there are always more problems to solve / there is always more work to do.

I think it’s a D-tier article. I wouldn’t be surprised if it was half gpt. It could have been summarized in a single paragraph, but was clearly being drawn out to make screen real-estate for the ads.

The threat model helps a lot.

I work for a small consulting firm. We do security assessments, but not the kind you’re looking for. I don’t want to sell you anything.

From your intro here, I would expect to book a resource on this project at 50% utilization (to avoid burnout) for about 3 weeks. One week of assessment, one week of report writing, and we’ll say a week of overhead / buffer (to get things rolling / ask questions / interviews / report readout). That’s a total of 60 hours.

My employer is expensive; we charge about $300/hr per resource. That comes out to about $18k. I would call this an upper limit (though in truth there is no upper limit. If you put multiple $700/hr resources on a project and let them bring in SMEs, things get expensive fast)

If you haven’t done a security review before, I wouldn’t worry - you aren’t ready for the $18k service, or the $1k service. You will need a 3rd-party certificate eventually, but right now all you need is trust from your userbase, and openness and transparency are a good initial strategy.

When it’s time, throw a hundred bucks at a local college student who’s into cryptography. Then fix / address all their findings. Then go for the next level, and fix their findings. There will always be findings; what you are buying is user trust. The more in-depth the review, the more trustworthy - but you don’t want the expensive service to be distracted by things a college student could have caught.

I am intoxicated and rambling - let me know what questions you have :)

I’m happy to revisit and explain, but I don’t have much time to type right now - the wikipedia page for estonia has great info; you will need a basic understanding of cryptographic hashing and merkle trees

I pay attention to credit card readers.

I have gotten to know their makes and some models. I have developed preferences. When I go to a run down establishment and they have a nice reader, I am pleasantly surprised. I know that walmart uses ingenico isc250s, and they do not support tap. I know that dunkin has high quality readers, and sometimes tim hortons does too, but less frequently.

When leaving a place, I might say something like “damn, you don’t see that model of verifone very often”, and my friends will look at me funny.

Semi-related, did you know that most receipt printers have embedded telnet servers in them?

I can’t help but be curious, does udm=13 or udm=15 do anything?

Helix + vim => Helim => Helium?

Vim + helix => velix / vimix / vix / velimix?

Tailscale might be the best bet at this point. It will manage the wireguard mesh for you, and use nat holepunching for handshaking instead of needing listening ports.

Apex by Unleash the Archers.

It’s a power-metal concept album, telling the story of an immortal being cursed to carry out the wishes of their summoner - in this iteration, “the Matriarch” - to kill her three sons so she may also gain immortality. The lead vocalist’s range is unlike anything else I’ve heard. It is incredibly well done.

Deloused in the Comatorium by The Mars Volta

I don’t have any way to describe this. It’s eccentric and awesome. The drums and guitars are powerful and delicious. Where were you when exoskeletal junction at the railroad delayed?