Same. Literally had two very similar options for a flight last week and it was between Delta and American. Delta made it almost impossible to book last time if I didn't download their app. So the choice was simple, American got my money.
adminofoz@lemmy.cafe to Ask Lemmy@lemmy.world • What paid software is absolutely worth the money? (72 · 10 days ago)
Hard disagree. Please tell me where Linus said he expects normal users to “pay” (or whatever you meant with the quotes.) The thing that makes these revolutionary is that they are free in a world where everyone is always trying to get something from you.
There is literally no expectation of money or commits or anything. Don’t shame people for using FOSS the way FOSS was intended. If you are well off and want to support them, do it! Authors will appreciate it, but don't try to turn FOSS into yet another guilt trip.
It's good they are talking about this. But I don't know why I expected Time to care about listing details for anyone other than modern white folks. The actual history is much richer and longer, but white people don't get to be the heroes.
Adobe played a huge role in creating a generation of hackers by charging 2x the price of a car for a Photoshop license.
That and hatred for the drummer of Metallica.
I did not. Hadn’t even heard of it. I do love to read though. Would you recommend the series?
This should be higher. The days have become longer which means the humans will not die in a dark cold forever winter. The warmth will return, the crops will have another season and the lengthening of daylight hours is the harbinger of future good tidings.
The creator of the meme is in fact the idiot who doesn’t realize his entire physical sustenance is dependent on this cycle.
Edit: I’m an idiot who didn’t realize I’m using some weird sorting algo and apparently winter solstice was already highly upvoted.
adminofoz@lemmy.cafe to Linux@programming.dev • CachyOS Plans New Server Edition With Hardened Defaults (2 · 17 days ago)
I used vanilla Arch as a daily driver for about 3 years and I loved it, but started to need a more ephemeral OS and switched to atomic Fedora and CentOS/Alma precisely for the defaults. So I know you asked about CachyOS and I don't have an answer there. So you can skip the rest of this if that is all you wanted. I'm not saying RHEL or bust. Each person has their own needs and I highly recommend just going and doing the hard things yourself to learn, but I get it that it isn't possible for everyone.
What defaults? Several. 1st, SELinux. 2nd, the ability to select old kernels on boot. 3rd, firewall enabled out of the box.
Sure you can do a lot of additional hardening and nothing is stopping a simple bash script from setting these up on Arch, but I figured I only know a little bit and those have saved my ass multiple times. So there are probably other things the folks in that ecosystem have figured out that I don't know about yet.
I'm from the Midwest and never heard of this dish, but I know how “Midwest Healthy” works. So I’m willing to bet in the “unhealthy version” you basically double the sugar and possibly also the cream cheese. Oh, and switch to full-fat cream cheese.
Sometimes you do something outrageous like serve it on top of a banana split and/or add copious amounts of chocolate syrup.
adminofoz@lemmy.cafe to cybersecurity@infosec.pub • Porn Is Being Injected Into Government Websites Via Malicious PDFs (1 · 29 days ago)
This was the go-to computer prank for 10 year old boys in the school's computer lab.
Real learning moment.
Great way to end up with a medical malpractice lawsuit.
adminofoz@lemmy.cafe to cybersecurity@infosec.pub • How Quickly Can AI Crack Your Password? (1 · 1 month ago)
deleted by creator
adminofoz@lemmy.cafe to cybersecurity@infosec.pub • How Quickly Can AI Crack Your Password? (1 · 1 month ago)
Here is the thing, does the corporate entity you work with use Microsoft? Then your password is stored as an NTLM hash in NTDS.dit. That means you are using MD4.
Has anyone in your organization clicked a phishing link? It only takes one weak link to get in. Then it only takes one (maybe 2) bad configuration for a malicious actor to escalate privileges. Then dump the whole organization's passwords from the Domain Controller.
Hope you aren’t reusing passwords anywhere.
adminofoz@lemmy.cafe to Cybersecurity@sh.itjust.works • HashJack attack shows AI browsers can be fooled with '#' • The Register (1 · 1 month ago)
We fixed SQL injection?
adminofoz@lemmy.cafe to Cybersecurity@sh.itjust.works • India Orders Messaging Apps to Work Only With Active SIM Cards to Prevent Fraud and Misuse (6 · 1 month ago)
Everyone in the world: “India please stop the scam call centers operating out of Kolkata, who prey on the weak and elderly”
Indian Govt: “Best I can do is surveillance and ewaste.”
My guest network is restricted to TFTP only if you know what I mean.
adminofoz@lemmy.cafe to Programmer Humor@programming.dev • don't do ai and code kids (71 · 1 month ago)
The Venn diagram is in fact just one circle.
Thanks! Glad it was helpful. I didn't have any similar realization until I had worked in the field for a while and honestly didn't have anyone to tell, so I probably rambled. Good summary. Lean more into WAF, EDR and observability before a honeypot, but yeah, both are valid.
Hope your talk goes well!
By no means am I the microservices guy. I'm more of a self-hosted person than anything and used to always be a monolith guy and would still prefer that in many situations. But now I would at least “wrap” the monolith with supplemental self-hosted microservices.
But TLDR this is the logic as I understand it and the key thing. Don't cast your pearls before swine. It's basically biblical. Lol jk jk. But really, put a cheap reverse proxy with a honey pot and some alerting… or even better a WAF and/or EDR, then catch and isolate them when they compromise your front end and garbage honey pot before they can even move laterally internally.
The longer, slightly more technical answer is: when a malicious actor compromises one utility, they likely made a lot of noise doing it, which is key to securing the assets. First, a lot of malicious activity can be mitigated with a proactive WAF. There are a few free solutions here. Crowdsec WAF (ModSecurity, I think, is another; working from memory, could be wrong) has a decent signature detection and shared banned list. If you couple it with proper alerting you should be able to see, watch and isolate attackers in near real time. So even if they get the reverse proxy and you messed up alerting on WAF, if you have layers of security, you still have your fallback EDR (like ELK stack) alert for when proxyUser starts issuing ping commands and performing asset discovery. So you should see it days before they escalate privileges (unless 0 day or nation state etc).
They will still do damage, you are absolutely right. But let’s assume a tiered microservice approach for a functioning SaaS app where you have something like pocketbase for Auth, Umami for analytics, Stripe for payments and Postgres for paid API data. Even an issue in pocketbase / Auth doesn’t necessarily mean they get all your paid API data because hopefully you have per-user rate limits on Postgres and backend services (should your pocketbase user even be reading or writing to your paid data tables? Additionally, alerting should provide observability into admin sign-ins from new / suspicious locations, or multiple other suspicious behaviors such as one user signing into multiple accounts, seeking priv escalation and so on.) But the main thing, they don’t get any cardholder data and that is a huge win. In fact, if you are storing cardholder data, PCI compliance requires segmentation.
Additionally, look at actual CVEs related to pocketbase and you will find a lot to do with OAuth, so in this case it's simple. Disable OAuth for best security. Put a WAF in front of your app using something like traefik with crowdsec or ModSecurity with an nginx reverse proxy to catch bad actors when they try to abuse your non-existent OAuth endpoint and ban them instantly. You catch a lot of bad actors with that trap.
Or to take it back to your first example, if I have a segmented service that is compromised, I want to catch and isolate them before they even realize they are in a rootless podman container by taking advantage of the natural footguns that any script or malicious actor would naturally stumble into. For instance, if my “reverseProxyUser” or any process in that entire container uses the sudo command, that is a 10/10 fire type alert. That, I'm pretty sure, you could even automatically isolate or spin down with a few scripts, something like Argo or probably even off-the-shelf EDR.
Is it perfect? No. Any determined actor will find a way into any system given enough time. But a layered approach like this is best in my opinion. Of course it needs modifying for every system; this is just one example.
You can do the same thing with a monolith and good scripting. It isn't exclusive to microservices. It's just natively built that way in the instances that I am aware of, thanks to the prominence of Kubernetes really. At least I think that’s why.
Edit: I can’t type / got interrupted mid reply. It's half-decent now.
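The “service account ran sudo or started pinging” alert described in the comment above, as an added example that is not from the original post or from any of the tools it names (Crowdsec, ELK, Argo). The log line formats, the user names `reverseProxyUser`/`proxyUser`, the discovery-tool list and the severity policy are all constructed/assumed for illustration.

```python
import re
from collections import namedtuple
from typing import List, Optional

# Hypothetical service accounts inside the reverse-proxy container (names assumed).
SERVICE_USERS = {"reverseProxyUser", "proxyUser"}
# Binaries a web front end has no reason to run; typical of post-compromise
# host/network discovery (the "ping and asset discovery" case in the comment).
DISCOVERY_BINS = {"ping", "nmap", "arp", "ip", "ss", "netstat", "nc", "ncat"}

# Constructed line formats: a syslog-style sudo record and an EDR-style exec record.
SUDO_RE = re.compile(r"sudo:\s+(?P<user>\S+)\s+:.*?COMMAND=(?P<cmd>\S+)")
EXEC_RE = re.compile(r"exec:\s+user=(?P<user>\S+)\s+cmd=(?P<cmd>\S+)")

Alert = namedtuple("Alert", "severity user cmd reason")  # severity 10 = isolate now

def classify(line: str) -> Optional[Alert]:
    """Return an Alert for one log line, or None if the line is benign."""
    m = SUDO_RE.search(line)
    if m and m["user"] in SERVICE_USERS:          # the "10/10 fire" case
        return Alert(10, m["user"], m["cmd"], "service account invoked sudo")
    m = EXEC_RE.search(line)
    if m and m["user"] in SERVICE_USERS and m["cmd"].rsplit("/", 1)[-1] in DISCOVERY_BINS:
        return Alert(7, m["user"], m["cmd"], "service account ran a discovery tool")
    return None  # sudo by a real admin, or the proxy running nginx, is expected

def scan(log: str) -> List[Alert]:
    """Run every line of a log through classify() and keep the hits, in order."""
    return [a for a in (classify(line) for line in log.splitlines()) if a]

def should_isolate(alerts: List[Alert]) -> bool:
    """Policy: one severity-10 alert is enough to quarantine the container."""
    return any(a.severity == 10 for a in alerts)

# Constructed sample log: nginx start, two discovery commands, sudo from the proxy
# account, then a legitimate admin sudo that must not trip the rule.
SAMPLE_LOG = """\
Dec 20 10:00:01 proxy01 exec: user=reverseProxyUser cmd=/usr/sbin/nginx
Dec 20 10:00:05 proxy01 exec: user=reverseProxyUser cmd=/usr/bin/ping
Dec 20 10:00:09 proxy01 exec: user=reverseProxyUser cmd=/usr/bin/nmap
Dec 20 10:00:12 proxy01 sudo: reverseProxyUser : TTY=pts/0 ; PWD=/ ; USER=root ; COMMAND=/usr/bin/id
Dec 20 10:00:15 proxy01 sudo: admin : TTY=pts/1 ; PWD=/home/admin ; USER=root ; COMMAND=/usr/bin/apt
"""

if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for a in hits:
        print(f"[{a.severity}/10] {a.user} ran {a.cmd}: {a.reason}")
    print("isolate container:", should_isolate(hits))
```

In a real deployment the `should_isolate` decision would feed whatever stops the container (a podman stop, a Kubernetes network policy, an EDR quarantine action) rather than a print.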
Separation of concerns is a major benefit with security implications that shouldn’t be overlooked. Assuming you are properly restricting access to each worker node / “tier”, when one tier inevitably becomes compromised, it doesn’t result in the complete compromise of the entire monolith.

People will tell you they have reset the computer and mean they turned the screen on and off.