Avatar

mspencer712

mspencer712@programming.dev
Joined
0 posts • 37 comments
Direct message

Are you going to be hosting things for public use? Does it feel like you’re trying to figure out how to emulate what a big company does when hosting services? If so, I’ve been struggling with the same thing. I was recently pointed at NIST 800-207 describing a Zero Trust Architecture. It’s around 50 pages and from August 2020.

Stuff like that, your security architecture, helps describe how you set everything up and what practices you make yourself follow.

permalink
report
reply

Mostly I’m scared I’ll write a firewall rule incorrectly and suddenly expose a bunch of internal infrastructure I thought wasn’t exposed.

permalink
report
reply

In a general sense, you are discussing a way to control other people and organizations, and to make them stop talking about you. (Communicating and storing your information) This isn’t always possible or practical.

If you pay a merchant with your payment card, that merchant is allowed to know your payment card number. If you call a toll free number, the recipient of your call is allowed to know your phone number.

If they decide to share what they learn about you, and they do so legally, there’s not a whole lot you can do to stop them. I’m not saying this to antagonize or hurt you. I invite you to think differently about what you can control and what is worth worrying about.

permalink
report
reply

Remove these blank lines.

I’m not seeing unit tests for this.

Unnecessary comment.

BLAM

Ow! Also, this could’ve been a smaller calibur.

permalink
report
reply

I’ve been ranting about this a lot lately, but as the owner of mspencer.net (completely useless personal domain, but is 199 days older than wikipedia.org for what it’s worth)…

There is sort of a way to do that, but it’s still labor intensive so not a lot of people do it. Movements to investigate are homelab and selfhosted. Homelab equipment is old (extra power-hungry for the capability you get) or expensive. Self hosting requires a bunch of work to stand things up the way you want it.

Biggest barriers to self hosting - or hosting through your nearest nerdy relative - are the following:

Free ad-supported offerings (with the privacy and terms and conditions impacts you describe) are better and easier, so they out compete DIY options. If a nerdy family member offers to host forums and chat for your community club or whatever, the common response isn’t gratitude, it’s “That’s stupid, I’ll just use Facebook.” Without that need and attention, volunteer projects get way fewer eyeballs and volunteers are way less motivated.

Security is difficult to figure out. Project volunteers have enough on their plate just helping users get their stuff working at all. Helping novice users secure their installations is so much extra work.

Many volunteers feel taken advantage of if they produce something that could help companies make money better, when they don’t share any of the money they make through donations or support arrangements. Similarly, many open source projects get taken over by for-profit companies who diminish efforts to make their open source offerings easier to use for free. (They want companies to buy support contracts, even if it means frustrating use by private individuals without kilobucks to spare.)

permalink
report
reply

Looking closer at the image, I’m going with “in this house we use single sideband.” (But, as a Plex user, I love yours too.)

permalink
report
parent
reply

That does make a lot of sense.

I think I’m feeling embarrassed about not being a perfect ops person, while I was going to school for computer science. Like, part of me wants to create this unrealistic private cloud thing, like I’m going to pretend “I’m still around, where have you been? See your old password still works, and look at all the awesome stuff I can do now!”. I already have my 20+ year old passwd file imported into OpenLDAP / slapd and email is using that already.

It’s not realistic. I feel fondness for the internet of 20-25 years ago, but it’s not coming back. If people can log in with 20 year old passwords and upload web content, we both know what’s really going to happen.

I just feel like such a failure for letting it rot away. Really, any place that accepts submissions requires a live audience and staff to keep it moderated, and accepting new submissions is the only reason to even run original code. What you’re describing is probably the only sane way to do this.

Edit: although I do still feel that the world needs that sort of private cloud in a box. Sure Facebook has taken all the wind out of the sails of many private web hosting efforts - the “family nerd” no longer gets love and gratitude for offering to host forums and chat, they get “that’s stupid, I’ll just use Facebook” - but we still need the capability.

And an open security architecture to clone would help cover the daylight between “here’s a web app in a docker container” and an actual secure hosted instance of it. It would require more inconvenience than necessary for the substantial security benefits it would offer. (A better designed, more customized solution would help that, but one step at a time.) But that would give the average homelab user protection against future attacks that today would feel like wild “whoa who are you protecting against, the NSA?” paranoia.

permalink
report
parent
reply

Last time I went snooping:

15 installs of phpbb, which would require work to put back online as their communities are of course gone. Remove spam, undo defacement, etc.

7 installs of Dormando’s Oekaki BBS Clone

5 installs of WonderCatStudio BBS

4 installs of OekakiPotato / RanmaGuy etc.

and several users who just used php to ‘include’ headers and table of contents page parts.

(Yes I was quite the weeb. Still am, but I was one too. :-) )

permalink
report
parent
reply

I’m part of the problem, a tiny bit. For altruistic reasons - ok more like “I’m kinda weird, maybe this will make people on IRC like me more” reasons - I ran mspencer.net and hosted web pages for people for free. Ended up with web content for around 100 people, and they weren’t all just using it as a drop box. (Older than wikipedia.org by 199 days, woo!)

Hosted on ancient hardware, nothing even remotely approaching a modern security architecture, I eventually left it to run un-maintained until the IDE HDD died. More recently I got the data off of it. (Heads unstuck themselves while in a cardboard box for a decade? Dunno.) But I don’t know how to get everything back online in a safe way.

I’m a proper software engineer now, I can kinda see how work handles securely hosting web services. Now just throwing everything together on one box feels too lazy and insecure. But I can’t figure out a reasonable security architecture to use. I thought I had one, but I failed to account for VM jackpotting attacks. And it feels like it takes me a month to do what a competent ops person can do in a day.

But that’s a discussion for a different comment section.

permalink
report
reply