Kid_Thunder

I see some comments recommending wordpress but wordpress is a security problem, especially if you’re using 3rd party plugins. It is such a bad problem that their are ‘wordpress security’ applications but even then wordpress sites get hacked all the time. If you are going to use it, it is best to let some other host handle it for you if you don’t know a whole lot about what you’re doing.

There are many, many other content management systems out there. Some are lighter than wordpress and some heavier. They are all about posting and managing content. Most of them have some sort of user and authoring system. Once you’re webserver is set up, many are written in a mixture of php and python so setting them up is generally drag and drop with either minor configuration file edits or wizards. Many of them have sections that you can set up using a labeling/tagging system. Most of them allow you to have the ‘stories’ as private or draft where you have to actually click publish before people can view them. Some have user roles systems where you can limit viewing and even editing between different roles for sections.

Generally, once their setup is done, they are point and click to do everything.

Here’s a nice list of FOSS CMS’ (which includes Wordpress of course).

Just to be clear, if you’re in the US, you 100% have copyright protection as soon as you put pen to paper.

For the big products, I think Google Assistant will be next followed by barely doing anything further with Android Auto until it dies a few years after GAS starts getting pushed out while it probably either won’t or will stop supporting ‘legacy’ Android Auto apps, so AA dies ‘because developers aren’t supporting apps anymore – totally not our fault and we’re sorry to see this happen.’

Former Googlers have always said that the big issue with sustaining products at Google is that it is highly competitive and Google rewards new products, not sustaining current products. So, most people want to continuously join/form teams for new products leaving little resources for current products. This has been the way since Google started becoming a large company – so decades now.

This makes sense as to why Google puts out applications that seemingly do the same thing as something else but ever so slightly different and why there are sometimes cool new products that die on the vine years later and if there was no slightly different thing available it just dies or if there is then there is a half-assed migration.

In the Reddit AMA the Google Home team answered a few questions and only the very few softball ones. One interesting comment they made though is that because of the Nest products and generally new products, they believe it is a challenge to support the older hardware, including integrating Google and Nest hardware, so basically you get features removed to make it all work. Of course, there was the promise and supposed internal roadmap that puts these features back eventually, but we’ve seen that kind of promise over and over from Google and it rarely happens. They are trying to replace Assistant with their Gemini AI which you can do now but it comes with even less features (but parity is coming – they promise!..one day!). Is that parity with current Assistant which seems to be supporting less and less and working worse?

Google is losing a lot of consumer trust in products I think and it’s going to get worse for them as this trickles to the general consumer-base.

A 30% cut for steam games sold on steam and a 0% cut for steam keys sold by the publisher wherever they want with the caveat that they must give steam users the same sales at around the same time. They get their games hosted on Steam’s industry best CDN, a page with support for images and videos, an API with features users like, workshop API for mod hosting and delivery, and other SteamWorks API stuff for stuff like multiplayer, patch management without charging a fee for it, forum hosting to hit the highlights. Pretty much all of that drives engagement and is mostly turn-key though you do have to programmatically interact with their API when it makes sense.

Steam provides a lot of benefit for a 30% cut of what is sold on their store front and a lot more benefit for getting all of the above for a 0% cut if they sell steam keys outside of steam.

Sounds like you have nothing listening on port 80 that resolves for your domain for Let’sEncrypt to verify that you own the domain. You need a webserver listening on port 80 and that Certbot can access if you’re using the http method.

Basically you’re forwarding traffic to port 80 but there’s nothing on port 80.

Depends on if there’s an IPv6NAT and how your ISP converts between IPv4 and IPv6 or actually supports IPv6 straight through. It also depends on your router.

Currently, there’s still some debate since IPv6NAT (NAT66/NPT6/NATv6) isn’t really needed for WAN boundaries for the reasons NAT exists. However, without it you are right on that this will be a problem for the consumer because PCs, IoT devices, printers, circuts or whatever my wife has, etc. could all be exploitable and even worse, you may never know you’re contributing to the botnet.

As an example, I have a global IPv6 on a few on my devices. They can connect to IPv6 if it originates from me but if it originates from them or is UDP it doesn’t route to my IPv6. My router doesn’t care. It’ll route it just fine either way. It would appear that my ISP has me behind one of the IPv6 NATs.

I’d imagine that’s true for most people at home.

NAT provides some measure of security as pure coincidence to how it works. It is not designed or intended to provide security. It does not inspect packet payloads in order to filter them for security. It looks at the header and attempts to route it to an internal IP address (your devices on your LAN) and if it cannot, it will drop the packet because the header will only have the external IP address – the packet has no idea which device it is supposed to go to. Forwarding a port is telling the NAT to assume that when a packet hits a certain port, if it doesn’t know the destination internal IP, forward it to some internal IP anyway.

The reason you can connect to websites, ssh outside, FTP, whatever, is because your connection comes from your internal IP first to some other IP and therefore, NAT knows which internal IP to route those packets to.

Take for example this scenario:

You download some software. It has malware that provides command and control (C2) to someone else outside of your network. A firewall and/or antivirus may be able to stop this and hopefully notify you. NAT will not help here. Furthermore, if you have uPNP enabled (usually it is by default on your router) the malware can forward any ports through your NAT to the compromised device opening it up to bot attacks and the like.

Another scenario:

You want to play a video game with you and your friends and you’re going to host it. So either you manually forward those ports or perhaps uPNP just does it for you. That game has an exploit known by attackers, or perhaps it can just be DDoS’d. Your NAT isn’t going to stop that. Hopefully a firewall will help you here. It definitely will if you set up explicit rules so that if they aren’t your friend’s IPs it will drop them. Though it is possible the game is exploitable and your friend’s are compromised.

Take for example malware has been known to spread via Minecraft.

As I understand it, NAT is a firewall

NAT is not a firewall. NAT does not inspect packet payloads, it doesn’t do anything except attempt to route packets to where they are supposed to go. If the connection originates from outside or it is a ‘connectionless’ protocol, the NAT has no idea which internal IP to route to, so it drops the packet.

NAT provides some security by sheer coincidence and not by design.

In short, his argument in court is that the lack of evidence is evidence of criminal intent.

The SSH keys don’t help me if I get locked out of a Domain Controller unless you’re using OpenSSH (which is now a native feature you can turn on). In that case you can actually still log into the DC via command line because it authenticates based on authorized_keys and not the LDAP of the DC. I actually do this on the enterprise, not because I may get locked out but because it is just convenient. Granted you’ll have to execute powershell on the command line once in to use the AD cmdlets.

On the other hand when you create a DC now-a-days (Server 2019…I don’t remember if this is asked in the wizard when in Server 2016) you can create a “Directory Services Restore Mode” password which is basically a local admin account on the DC that you can log into only when the DC is booted into safe mode. You’ll be asked to create it when you promote your DC.

Personally I use FreeIPA for my LDAP. I like that I can create sudoers rules from one centralized place and manage ssh keys across all clients. Granted I could just use Ansible I suppose, which is how I update multiple distributions in my network and online but I like that I can just change SSH keys and sudoers from one place easily instead of changing tasks/roles. I also usually run cockpit even on my non-Red Hat distros with SSH keys just so I don’t have to log into everything though it is somewhat limited outside of the Red Hat sphere.

If you don’t want to use ProxMox or some other specialized HyperVisor ecosystem, you can also use Cockpit to manager your VMs along with your Pods. I wish there’d be more attention to it for features because it feels like it could do a lot more.

I also don’t really worry about locking myself out for two reasons:

1. I use SSH keys.

2. I also have a break-glass local account on every system…with SSH keys. If its on your local network, you can use VNC/VM console/Remote Desktop with a local account while only allowing SSH with keys if you’d like. Just make sure if you’re going to allow remote access outside of your network that you never forward the VNC/RDP ports. For SSH when I do this I always pick some random port – never default and never common ones like 2222 to at least keep my logs less noisy from the botnet auto attacks.

For my online VPS’ I use a firewall with geoIP from Maxmind and drop all ports but 443 from the world, except for whatever country I’m in. I drop all packets from certain countries that seem to auto-attack more often than others. I try to drop packets from all known (to me) Shodan scanners. If I’m not traveling I just restrict all other ports to my public IP’s subnet though my IP hasn’t changed for years. For status checking services like StatusCake, I use the “push” method instead using a simple cron job with curl instead of relying on servers around the world checking my ports. In this case, the services just check that my server has successfully hit them within X minutes to be “up”.

Can’t wait for a story from a developer or sysadmin that knows how all the duct tape is held together, gets laid off and refuses to come back to fix everything. Then the former employer doubles doubt and threatens to sue them for loss of revenue. It would be absurd but I expect the absurd now.

The free solution I was referring to was my comment about using ControlD, which certainly offers a free service…which is the comment that the other person was responding to.

I run pihole and my wireguard VPN server locks all queries through it, which in turn uses unbound and queries via different providers like Cisco’s OpenDNS, Cloudflare and Quad9. However, I wanted to present a similar offering that also has a free-tier without a query cap for people interested.

NextDNS caps your queries per month on the free account. ControlD doesn’t and you can pick a various mix of their public DNS resolvers. You don’t necessarily get the granular control with doing it this way for free that you can get with NextDNS though.

If you do check out these, make sure you click the Secure Resolvers if you’d prefer for DLS/DOQ/DNS over HTTPS instead of Legacy.

Finally. Intuit has been lobbying for years to keep this from happening.

Derrick Plummer, a spokesman for Intuit, said taxpayers can already file their taxes for free and there are online free-file programs available to some people. Individuals of all income levels can submit their returns for free via the mail.

A “direct-to-IRS e-file system is a solution in search of a problem, and that solution will unnecessarily cost taxpayers billions of dollars,” he said. “We will continue unapologetically advocating for American taxpayers and against a direct-to-IRS e-file system because it’s a bad idea.”

And who believes that crap anyway? Intuit markets their solution due to the complicated nature of anything outside of standard deductions and figuring out if you should itemize and how to do that.

Intuit has spent $25.6 million since 2006 on lobbying, H&R Block about $9.6 million and the conservative Americans for Tax Reform roughly $3 million.

Now if the states get on board for easy filing online, it’ll be great.

Pretty much sounds exactly like I was thinking of doing for the DIY. miniATX/ATX for all the expansion potential + SATA ports + large case to handle it + a CPU with 6 to 8 cores at least. Case would probably be a rack form factor but it doesn’t really matter. Probably 32 GB of RAM + a Quadro GPU/Some cheap AMD GPU or something cheapish like that strictly for encoding + Proxmox + TrueNAS or perhaps just unraid. Probably no desktop environments unless something really needs it for some reason. Not sure if I’ll go with a motherboard with an ILO/IPMI with its own NIC + vlan or not.

I was going to mix SSD/NVME for performance (if I mix these two, it’d be two separate performance tiers) and HDDs for capacity. Probably two 1+ Gbps NICs bonded and maybe a LACP port channel down the line. VPN with killswitch of course.

I could def. go cheaper on the hardware if I just wanted to use docker/podman mostly but I want VMs too. I’ll probably manage updates and backups of what I really care about off network via ansible + rclone + restic repos. I might would use zram + lz4 for most of my VMs because why not.

I appreciate the advice! I am thinking of Synology or perhaps DIY with either TrueNAS (Scale likely) or Unraid. Synology would be cheap, small, easy on power and thermals too though and I’ve been looking at the latest and previous gen DS2XX lines.

Also I appreciate the Jellyfin mention. I’ve been using Plex so long and was thinking about something else like Jellyfin especially but I’ve never worked with it before.

This and the rising costs plus adding ads to ‘basic’ tiers and attempting to create limitations (resolutions, “screens”, offline downloads) is what might push me to build a nice, large NAS. We don’t want Cable again.