<ashkitten>
i'd be interested in an open source vr headset i could buy though :p
<V>
ashkitten: I hear people are bridging to XMPP
<V>
I've only heard terrible things about Matrix
<ashkitten>
i happen to like matrix
<V>
I've never used it
<ashkitten>
but last time i used matrix's irc bridges they were pretty unreliable and slow
<V>
I am currently put off by the fact that in order to run a homeserver I need like
<V>
a lot of mebibytes of RAM
<ashkitten>
dendrite should fix that
<ashkitten>
and conduit even moreso
<V>
v@march ~> free -h
<V>
total used free shared buff/cache available
<V>
Mem: 1.9Gi 1.3Gi 203Mi 4.0Mi 444Mi 407Mi
<V>
and I do not exactly have much RAM on my server
<V>
ashkitten: are these alternate matrix homeserver impls?
<ashkitten>
yes
<V>
are they feature-complete with it?
<ashkitten>
dendrite is set to replace synapse when it's ready
<ashkitten>
not yet
<V>
oh
<V>
Okay, so there you go
<V>
I can stick a shitty bouncer on my VPS today
<V>
I can't reasonably do that with Matrix
<ashkitten>
sure
<V>
(which sucks, because there's some communities I'd like to be in that are only on there)
<ashkitten>
i would like to point out that irc has been around since the 80s
<ashkitten>
it's a miracle that matrix even exists still
<V>
IRC is definitely dying
<ashkitten>
it looks like conduit is approaching its 1.0 release as a non-federating but otherwise fully functional matrix server
<V>
ashkitten: do you have your bets placed on dendrite or conduit
<ashkitten>
i will be upgrading my server to conduit because there is a direct migration path planned
<ashkitten>
er
<ashkitten>
to dendrite
<ashkitten>
i like conduit, it seems very fast
<ashkitten>
i may switch in the future especially if server migration becomes a thing
<V>
if it doesn't have federation it doesn't seem particularly interesting to me currently
<ashkitten>
it will have federation but the roadmap places client-server functionality first
<ashkitten>
joepie91: did they ever figure out why dendrite was so slow in the benchmark?
<ashkitten>
V: anyway there was a romeo and juliet benchmark that took synapse and dendrite around 2 minutes to complete and conduit finished in 4 seconds
<V>
neat :3
<ashkitten>
that's why i care about conduit
<V>
any reason why dendrite couldn't be optimised more?
<ashkitten>
idk, last i heard they were trying to figure out why it's so slow
<V>
flamegraphs
<ashkitten>
it's not finished, for one thing
<V>
looooots of flamegraphs
<V>
neither are
<ashkitten>
yes, that's true
<V>
I'd like to see conduit's results on that benchmark *after* it's feature-complete with synapse
<ashkitten>
i agree
<ashkitten>
especially with federation involved
<V>
since maybe it's not implementing something that would just slow it down
<ashkitten>
i don't think so
<V>
what was being tested?
<ashkitten>
the benchmark creates a room and goes through the entirety of romeo and juliet, creating a user for each character and having them join to say their lines
<V>
ohh
<V>
no idea if adding federation would slow that down
<ashkitten>
i think a big thing here might be down to conduit using a key-value store while dendrite and synapse use postgresql
<V>
aha
<ashkitten>
sled is supposedly extraordinarily fast
<ashkitten>
i don't know how it compares at scale ofc
<V>
sled is awesome
<ashkitten>
oh you know it
<ashkitten>
i haven't looked at it
<V>
indeed I do
<ashkitten>
it's interesting though. is sled so much faster here because postgres is slow? or is it because a matrix server doesn't need a full fledged relational database?
<infinisil>
I feel like I'm missing something here. Is this really almost a whole HN thread agreeing that security through obscurity is a good thing?! https://news.ycombinator.com/item?id=24444497
<samueldr>
it's an additional layer
<samueldr>
but it's probably the worst layer in depth
<samueldr>
and probably the last one you want to think about
<infinisil>
Okay so I think it's bad even as an additional layer
<infinisil>
Because it gives you a false sense of security
<ashkitten>
security through obscurity works if nobody cares about you specifically. in the case of a targeted attack it might as well not exist
<aleph->
I mean it helps from skiddies/automated bots
<aleph->
Not so much from anything targeted
<infinisil>
If you rely on obscurity for non-targeted attacks, that seems to imply it's the only layer
<aleph->
Does it?
<samueldr>
obscurity might take different forms
<ashkitten>
not necessarily, but it could deter broad sweeping 0day exploits
<aleph->
You should of course have other sec measures
<samueldr>
the name "security by obscurity" has been used as a euphemism
<samueldr>
for years
* aleph-
shudders in memory at the 0day his org almost got hit by
<samueldr>
so in the collective mind it's probably associated with "haha I hide the admin page at /notadmin"
<infinisil>
Okay but going back to what security through obscurity actually means:
<samueldr>
but it can be more than that
<samueldr>
though I don't have an example on hand :/
<infinisil>
It's hiding your source code
<infinisil>
And more often than not, source code is hidden because it's totally insecure
<aleph->
Is it? Like to me it just means putting ssh on a non standard port on your bastion to halt bot attacks a bit
<ashkitten>
i would still consider it obscurity if i changed the ssh port on my server and left that in my nixos-config publicly, as an example
<aleph->
It should of course not be your only layer, ever
<infinisil>
aleph-: I don't think that's security through obscurity. That's just a very very easily guessable password (the port number)
<samueldr>
but it is what was discussed in this very article
<ashkitten>
is any script kiddie gonna look through my nixos-config to see what port i changed it to? no. obviously.
<samueldr>
and thus what the threads are likely about (if indeed they do read TFA)
<infinisil>
samueldr: Yeah and I think that this isn't security through obscurity (a comment pointed this out)
<aleph->
What do you consider it then?
<samueldr>
who's the definite authority on that definition?
<aleph->
^
<samueldr>
not wanting to be flippant
<infinisil>
aleph-: Just mentioned it above, hiding source code
<aleph->
No?
<samueldr>
but that's most likely the reason there are disagreements
<infinisil>
What no?
<aleph->
I mentioned hiding an ssh port
<aleph->
Nothing about source
<samueldr>
I've never heard it as simply as "just hiding source code"
<aleph->
Oh wait hold on
xd1le has quit [Read error: Connection reset by peer]
<aleph->
I thought that was referring to me having said all of that line :p
<infinisil>
How is changing the SSH port different than just choosing an 8bit password?
<aleph->
Nevermind
<aleph->
It deters bots which are generally configured to only search port 22?
<aleph->
Which honestly a lot do
<samueldr>
according to wikipedia: « is the reliance in security engineering on design or implementation secrecy as the main method of providing security to a system or component »
<infinisil>
Yeah totally
<infinisil>
I'm not saying changing the SSH port doesn't help with automated attacks
<infinisil>
But I don't think it's what "security by obscurity" means
<samueldr>
to my understanding, changing a default port and not documenting it is secrecy, even if enumerable
xd1le has joined #nixos-chat
<aleph->
^
* samueldr
reads more
<infinisil>
I wouldn't say it's design or implementation
<infinisil>
The implementation is an SSH server, and an internet connection to it. Nothing secret about that
<infinisil>
I guess you could consider choosing a random port as design
<infinisil>
Somewhat
<samueldr>
yeah so it's disagreement over the definition
<samueldr>
since reading through it's really about "I won't tell you how it works, but it _is_ secure"
<samueldr>
e.g. lock makers not showing how a lock works
<infinisil>
Yeah
<samueldr>
in that sense yes, I do agree with the premise that nah, not worth it
<ashkitten>
i'd consider even a publicly documented record that you changed the port to be exactly as secure as otherwise, because if it's not a targeted attack then they're not going to go looking for the configs you uploaded, and if it is a targeted attack then it won't matter
<ashkitten>
something like a port knocking system to open ssh on the other hand...
<infinisil>
Those are valid ways to deter automated attacks I agree
<samueldr>
so it's all a discussion about the taxonomy of such defenses: is it obscurity?
<infinisil>
Yeah, I don't think port knocking is obscurity
<samueldr>
is deviating from the norm obscurity?
<infinisil>
It's "obscure" I guess, but the implementation/design isn't secret
rajivr has joined #nixos-chat
<infinisil>
Also, even if nobody from the outside can figure out the "secret" implementation/design
<infinisil>
Somebody from the inside can spill it
<infinisil>
And once spilled it's out
<infinisil>
No unspilling!
<infinisil>
Can't just change a couple numbers in the implementation to make it secret again
<ashkitten>
sure
<ashkitten>
i mean, you could change a lot of things
<ashkitten>
have unknown timings with both a lower and upper bound
<ashkitten>
not necessarily just a sequence
<ashkitten>
but i agree in the general sense
<infinisil>
Hm yeah, but even then, you can only change the implementation so much. Once the attacker knows you're using port knocking with variable timings or whatever, it's just a matter of how fast the password is brute-forceable
<ashkitten>
anyway the best attack surface is one that doesn't exist
<infinisil>
Can't be hacked if you have no machine! :P
<ashkitten>
i was thinking more along the lines of "everything on a vpn" to only have one outside surface :p
<infinisil>
Yea :)
<infinisil>
Oh, I guess a good way I'd describe security through obscurity is that you're using the implementation as a password. If the attacker can brute force through all possible implementations they've passed it. And the number of possible implementations is tiny compared to e.g. a 2048-bit key
<ashkitten>
right
<joepie91>
<ashkitten> joepie91: did they ever figure out why dendrite was so slow in the benchmark?
<joepie91>
unsure, haven't seen anything scroll by but also had a busy week :P
<ashkitten>
ah damn
<joepie91>
infinisil: samueldr: that article about security by obscurity is basically full of the usual bad arguments I get thrown at me about it
<joepie91>
changing SSH port shouldn't matter, if it makes an ounce of difference that means you have a much more serious problem, namely you are not using keypair auth
<joepie91>
obfuscating code doesn't really help because most attackers don't even look at the code anyway and those who do will have the tools to get past it
<joepie91>
encrypting DBs is pointless because again, if you are in a situation where this is useful, it signals that you have a much bigger problem: why is your application vulnerable to SQLi when today there exist categorical solutions to this problem that just completely rule out the entire attack? and in basically every other case (other than super complex setups) people don't compromise "just the database"
<joepie91>
TL;DR no this article does not make any novel or good points
<joepie91>
bonus criticism: the intro section suggests that the author doesn't understand why there are certain mantras being repeated over and over again as absolutes: because if you leave outspoken room for edge cases, then everyone and their dog believes they are the edge case because they overestimate their understanding of security
<tilpner>
joepie91: I would expect database encryption to be a countermeasure to an attacker stealing a file-level copy of your database without access to application code, not to SQLi
<joepie91>
this is why "never roll your own crypto" is said - the only people who *should* be rolling their own crypto a) understand why it is being said that way, b) agree that it should be said that way, and c) can reason in depth about why it doesn't apply to them even though it says "never"
<joepie91>
it
<joepie91>
it's a sort of shibboleth basically*
<joepie91>
tilpner: yeah but in practice that basically doesn't happen
<joepie91>
because your database server is pretty much never the point of entry for your internal network (the customer/web-facing app is) and for latency reasons they need to be close together which means that even in a physical attack it's easier to just take the whole rack rather than try to guess what the DB server is
<tilpner>
joepie91: I don't have the data/experience to agree or disagree with that statement. I maintain it adds some measure of defense-in-depth, albeit at a cost that may be hard to justify in many contexts
<joepie91>
right, it's the tradeoffs I'm criticizing here. in a very absolute sense it adds some security, but if it secures against a basically non-existent threat at a significant complexity cost... yeah :P
<sphalerite>
joepie91: I've often considered moving ssh to a different port to reduce log noise :p
<joepie91>
more complexity means more attack surface, especially when cryptography is involved
<tilpner>
(I make no assessment about the value of encrypted databases, I only wanted to question its relation to SQLi)
<joepie91>
sphalerite: it pisses me off that OpenSSH won't let you just disable the failed-auth logs
<joepie91>
they are functionally useless in practice anyway and just lead to people doing weird stuff to try and reduce the logs
<joepie91>
tilpner: the article makes the SQLi claim :) and it's the most common reason I've heard
<joepie91>
hence addressing it like that
<sphalerite>
ashkitten: pay someone $100 to build you a relativty :po
<joepie91>
anyway, more generally, this is basically the problem with all the security-through-obscurity arguments. it's always either make-believe (eg. code obfuscation) or a signal that there's a much bigger problem (eg. DB encryption, SSH port)
<sphalerite>
joepie91: how about moving SSH to IPv6-only? %)
<joepie91>
combining that with the false sense of security and the generally extremely high degree of protection that the correct solution offers..
<joepie91>
:(
<ashkitten>
sphalerite: at that point i'd just have my gf do it, i'm sure she'd be up for the task
<ashkitten>
doesn't seem that hard anyways
<ashkitten>
i just don't like effort
<sphalerite>
joepie91: only allowing SSH via IPv6 could actually be an improvement for real security though, right? Because of the enumerability stuff
<sphalerite>
oh wait no
<sphalerite>
because you should still be using the actual security mechanism x)
<joepie91>
sphalerite: not likely. keypair auth basically already solves the problem of SSH security in full, short of actual SSHd exploits, which 1) are rare and 2) IPv6 addresses are not as un-enumerable as people like to think
<eyJhb>
Anyone worked with UART/JTAG/whatever + digital photoframes?
<joepie91>
sphalerite: right
<sphalerite>
ashkitten: someone's going to make the effort either way, the difference is whether you see it or not :D
<ashkitten>
yes yes
<joepie91>
sphalerite: also, more generally: don't expect things to be un-enumerable, unless they were specifically designed for that purpose :)
<joepie91>
because chances are they are quite enumerable, you are just not aware of how
<sphalerite>
fair enough
<joepie91>
(which interestingly mirrors the problem with homegrown crypto - you might not know how to break your own homebrew crypto, but other people with more knowledge on the matter certainly do)
<sphalerite>
aaaah I just had a flashback to an argument with a friend who claimed that disabling the user list on the windows login screen makes the system more secure
<joepie91>
:P
<sphalerite>
(back in the days when encrypting a hard drive was entirely unheard of for consumers)
<sphalerite>
(not that I knew how important that is back then)
<MichaelRaskin>
Hmmm. Did my ii connection just survive like a minute of no connectivity, including _WiFi kernel module reload_??
<MichaelRaskin>
Impressive
monsieurp has joined #nixos-chat
parsley936 has joined #nixos-chat
<eyJhb>
joepie91: which 3d software for Linux could you "program" the 3d model?
MichaelRaskin has quit [Ping timeout: 260 seconds]
<joepie91>
eyJhb: maybe you're thinking of openscad here?
adisbladis has quit [Remote host closed the connection]
adisbladis has joined #nixos-chat
waleee-cl has joined #nixos-chat
<sphalerite>
> let in let in let in let in let in let in 2
<{^_^}>
2
rajivr has joined #nixos-chat
<crazazy[m]>
alright, so for some odd reason github actions doesn't allow me to update repositories with niv. For some reason the repositories now give a 404 when trying to access them
<sphalerite>
andi-: just replying to that discourse post I linked above
<sphalerite>
andi-: we did base our (mayflower's) freeradius config module on it as well though :)
* andi-
checks license file in repo :D
<sphalerite>
I might also use it for personal use of EAP-PSK because really, who wants WPA2-PSK nowadays? :p
<andi->
yeah
<aleph->
sphalerite: Ooooh, wonderful
<aleph->
I didn't know about that weechat home manager module
<aleph->
Perfect
__monty__ has joined #nixos-chat
parsley936 has quit [Read error: Connection reset by peer]
parsley936 has joined #nixos-chat
c4rc4s has quit [Ping timeout: 256 seconds]
c4rc4s has joined #nixos-chat
<ashkitten>
it seems like every release of wine since 5.7 is more broken than the last. anyone know what's going on that's causing so many regressions lately?
<ar>
sphalerite: some devices, kindles for example, don't support wpa2-eap
<sphalerite>
ar: sounds like another reason not to get a kindle :D
cole-h has joined #nixos-chat
<ashkitten>
why does f-droid suck so bad
<ashkitten>
it takes forever to get updates on fdroid
<aleph->
__monty__: I do kinda. Watcha need to scrape?
<aleph->
And or do?
<__monty__>
Tons of webcomics provide useless rss feeds that just have a link to the site. I'd like feeds with the comics and any extra text that's part of regular posts.
<aleph->
So what do you use for rss?
<aleph->
I use tt-rss myself
<__monty__>
Selfoss.
<aleph->
Let me think. They might have a full text plugin like tt rss
<__monty__>
They do.
<__monty__>
But isn't that the full text of the RSS entry?
<joepie91>
ashkitten: Twitter should have a translate button?
<joepie91>
below the tweet
<__monty__>
Never gotten me desirable results tbh.
<ashkitten>
joepie91: only when logged in i think
<joepie91>
oh. that sucks
<joepie91>
welp. there went the last remaining "Twitter does a thing better than most other sites" I guess
<samueldr>
didn't they announce that they'll start auto-translating tweets recently?
<samueldr>
which is horrifying
neeasade has joined #nixos-chat
<aleph->
__monty__: So depends on what you mean by full text.
<aleph->
__monty__: Honestly the easiest option might be to set up huginn
<aleph->
And filter it through that before passing the feed on
<{^_^}>
#18590 (by mogorman, 4 years ago, closed): huginn: init at 2016-09-14
__monty__ has quit [Quit: leaving]
<aleph->
Yeah there's that or just run it in a docker container
<tokudan>
freshrss allows specifying a CSS selector for each feed to scrape text from the linked webpage of each item
<samueldr>
good thing websites are fixing that glaring flaw by making awful preprocessing steps that mangle class names in the "server side rendered" page
<samueldr>
(tip: I'm being facetious)
<MichaelRaskin>
I think I read more webpages after auto-scraping them than directly by now
<MichaelRaskin>
RSS… if it breaks, site operator might not even notice, and it doesn't go back in time far enough if I am offline for a period of time
<infinisil>
Oh wow, I didn't think my shell could load any slower than it already did
<infinisil>
Yet here I am, with `time zsh -ic 'echo hi'` taking 15 seconds..
<MichaelRaskin>
Repeatedly, even with warm FS caches??
<infinisil>
Yup, repeatedly
<MichaelRaskin>
Does it eat CPU for 15 seconds? How many cores?
<infinisil>
5.36s user 7.37s system 98% cpu 12.897 total
<infinisil>
I guess a little lower that time
<MichaelRaskin>
So, majority system but probably not file reads…
<infinisil>
Hmm and after the latest update firefox feels super slow too..
<infinisil>
FF 80.0.1
<infinisil>
I guess that's the hardware rendering thing.. for some reason
evanjs has quit [Read error: Connection reset by peer]
evanjs has joined #nixos-chat
<infinisil>
Or lack of maybe
<infinisil>
Actually my whole machine feels slow as hell
<MichaelRaskin>
Maybe Firefox is not the problem…
<lovesegfault>
jtojnar amazed that you remembered to check that :D
<infinisil>
A rollback it is!
parsley936 has quit [Remote host closed the connection]
<MichaelRaskin>
Hopefully it's more rollback-able than running AMD EPYC in a Dell's motherboard
<infinisil>
Yee seems just fine after rolling back. Don't have the nerves to bisect or debug this right now