It's a feedback loop between governance, social structures and individuals. But out of those, only individuals are the ones with free will who are able to "break" the loop and direct society along a different path. It's not just building "big things" that changes us, it's every small individual decision about what you choose to spend your labor on. No revolution would succeed without people willing to rebel and no dictator could dictate without people willing to follow them.
I see no reason not to go with a rolling release distro for personal servers. Run all the services in containers and have the base OS auto-update itself as often as it needs.
Went with openSUSE MicroOS myself, it updates and reboots almost daily so I can be pretty confident my server is healthy and it's atomic so if something does break and I don't feel like dealing with it, I can just click the rollback button from cockpit and deal with it whenever I have time.
> I see no reason not to go with a rolling release distro for personal servers. Run all the services in containers and have the base OS auto-update itself as often as it needs.
There are things that need 9^5 and there are things that don't. If someone backs up their application configs and data properly, then the only thing that really matters is a proper backup strategy.
All my critical files are backed up periodically (manually) via rclone to S3 glacier, and all my services are documented in dokuwiki. If you use ansible or want to store configs and installation scripts, a private git repo would do well.
After that, I don't see a problem running rolling or short-support OS like Fedora Server for application hosting.
Great. I like my personal servers to just keep working. Without having to restore backups. And without having to spend one Saturday every month to update and fix all the servers.
I have around 20 "personal toy servers". I really don't like to fix them all the time.
Most of them are some small VMs or some Raspberry Pis controlling something. I want minimal changes on those systems, but still be able to update them.
Then you also have to auto-update the containers, if it's a public facing service. Either you'll have to build containers yourself or hope the developer pushes a new update whenever the base image has relevant security fixes.
So "big companies only, absolutely no anonymous sign-ups" should be the only ones able to put stuff on the internet without fearing that a random teenager can take your site offline for days just because they're bored?
How? Their sign-up flow would have to change dramatically. It might even become a process that is internally "expensive". There are likely one or more managers in charge of this decision and they don't want it. Additionally the current universe rewards the current situation (for them).
This is called KYC and is a standard part of operating a financial service. Seems to me like it should be part of internet infrastructure services as well. And, I thought, in some cases already is?
... and financial services companies huge and small still go out of their way to help their clients move money around in a myriad of ways, because it's very lucrative and there are so many loopholes and ways to obscure things. Offloading the responsibilities of law enforcement and regulatory bodies to private companies makes things worse for everybody. Providing non-crime services to criminals should not be a crime any more than selling a candy bar to a criminal is. As long as you aren't actively aiding or covering up for a crime, not reporting criminal activity is not even a crime in many areas, and if KYC can effectively identify criminals, law enforcement should be able to do it themselves.
No fintech within reach of the US government is going to give money to terrorists under sanctions on the SDN without facing severe fines/consequences. That various groups have faced consequences for giving money to terrorists is a sign of the system working, not that it doesn't work. No system is going to be 100% perfect, but the US is pretty serious about having no one they have control over sending money to e.g. North Korea.
Ok, terrorists and countries we've been at war with for 70 years. What about drug dealers, mafias, hitmen, corrupt politicians, white collar criminals, scammers, etc? Criminals that actually threaten Americans? Nobody cares about whether terrorists or whatever tinpot dictator can get funding through US banks, because the CIA is bringing pallets of cash to them anyway.
Plausible deniability is all they really need. Asking companies not to make money in very likely to be legal ways will never work. If these people are really doing illegal business in plain sight it should be easy for law enforcement to catch them.
The danger with this is that you're asking Cloudflare to know more about you and your website and to be more ready to take websites offline. That's a monkey's paw if I've ever seen one.
Articles like these seem to hold a weird belief that Cloudflare does not react to security reports or legal orders? From my experience, they react appropriately and relatively quickly compared to the rest of the industry.
Could Cloudflare be more proactive or add more friction to their signups? Yes, probably, but the reasons they have outlined for not playing internet police make sense to me.
I don't think it should be a requirement to provide your credit card, phone number and a copy of your ID in order to host content on the internet...
The internet worked for so long because people responsible for each little island did what was for the most part in the best interests of the rest of the islands. If you didn't, other islands would shut off their links to you. Law enforcement was a last resort because 1. the courts don't move at the speed of the internet and 2. nobody wanted the internet getting top down governmental regulation because it was trans-national.
Cloudflare spent a bunch of venture capital to give away expensive things for free and buy market share. If you convince all the grocery stores to move to your island, you can operate a den of criminal activity with no fear of everyone else shunning you.
Talk to anyone who fights botnets, malware, or online scams. Once you hit the Cloudflare dead end you just have to give up. Law enforcement isn't going to take up a case where only 7,000 peoples computers are infected, and Cloudflare isn't going to investigate and take action themselves.
I do fight botnets, malware and scams. Criminals flock to any service where they can spread their stuff and appear legitimate. Google, Facebook, Vercel, Netlify, Amazon, Oracle, Microsoft, OVH, etc. In my experience, Cloudflare is not any more or less of a dead end than any of the other providers; there are some others in that list who deserve to be called out a lot more.
Yes, Cloudflare has always been really shitty and automated at responding to abuse reports, and because they are the front-end connection, it is impossible to pursue the report against the 'real' host unless Cloudflare is willing to provide you with information about where that host is: which they won't typically do, even if you are a fellow infrastructure provider. It's been several years, so maybe they have gotten better, but I would be surprised.
Oh absolutely agreed. Cloudflare becoming a giant internet chokepoint is certainly a real problem. It would be a much better world where DDoS protection would not be a needed service or where it was provided as a public service, rather than by private companies. However, that's not the world we live in.
How did you get that from the comment? It’s the other way around - if you report criminal or illegal sites hosted by cloudflare they will take it down.
I’ve hosted content online for decades and never once talked to cloudflare.
Will they? Have you gone through that process with them? In my experience (admittedly somewhat stale) it was fairly hard to get through to them, much less to get the information required to actually report bad actors to their real hosting provider that Cloudflare is fronting.
I once came across a website hosting extremely inappropriate content while surfing the web. I discovered that this website was using Cloudflare for DDoS protection and other purposes. I had a bit of a look online and found out how to submit a complaint to Cloudflare. On that form, I was asked for my email address and no other personal details, if I remember correctly. On the very same day, I received an email confirming that my complaint had been accepted and was under review - presumably an automated response. It was already quite late, so I went to sleep.
And just a few hours later, I received a letter informing me that the information about the website in question had been forwarded to the relevant authorities, as well as to the website's hosting provider. To be honest, I didn't read that second email until the next day (I was sleeping), and it seems the website's hosting provider acted quickly (or the site owners decided to cover their tracks), because when I went to that website to check how it was going, it was no longer active, no longer existed at all. It was just gone. That was about six months ago.
So... I won’t speak for others’ experiences, but in this particular case, they reacted quickly and quite effectively. Perhaps other people have had different experiences.
Cloudflare & AWS wouldn't even INVESTIGATE an abuse report I sent because there weren't any "infringing URLs" or "specific resources".
I provided enough evidence for them to at least be able to kickstart an internal investigation or even CONTACT the abusive customer, which they did not do.
If it were a stresser, all they would see is a login panel. It's not like these sites are publicly advertising what they're doing...
That's not a "weird belief". Cloudflare positions itself as "infrastructure". That means they think they are not responsible for the content that they carry.
In a normal scenario, if you want to protect your systems from other "bad" systems on the internet, you can block them on the IP layer.
But Cloudflare operates at the IP layer proxying data between you and good and bad (and everything in between) systems.
In a normal situation you could block and report a site that is run by the mob, by either blocking them at the IP level or by contacting the abuse@ of the organization that is hosting the content.
Cloudflare is making it so that you can't do either. And if you send an abuse report to Cloudflare, you cannot be sure that they will not just forward your contact information directly to the entity that you are complaining about. They have changed their stance over the years to appear more responsible, but the fact remains:
If I want to send an abuse@ report to a system that is hidden behind Cloudflare I can not be sure that they won't just forward it without me knowing who they are forwarding it to.
This is a good thing. You shouldn’t be able to get a Discord full of “activists” with personality disorders to spam someone’s host with false abuse reports and threaten them until the host boots them out of sheer annoyance.
90% of those sites don't have anything resembling a sysadmin. If they've not already been hijacked by one of the WordPress vulns or hijacked plugins years ago, they will be now. And absolutely nobody will spend any effort to fix them, so they will just end up chugging along until safebrowsing flags them and basically removes them from the internet.
I've always found the most complicated part of IPv6 to be address scopes and source address selection. The fact that one interface can have any number of addresses in different scopes and prefixes complicates things a lot.
Another thing that will always trip up new IPv6 network engineers is solicited-node multicast. You know the theory, computers talk to ff02::1 for neighbor discovery and then you hop onto a real network and see none of that actually happening.
And probably the most complicated thing for network engineers - how to set up firewall rules if machines are constantly changing their addresses.
For developers and security people - just parsing and validating v6 addresses is a whole bunch more work, but at least for this, the tools are available to help you now.
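The parsing and validation work the comment refers to, shown as an added example that is not from the thread: a small validator built on Python's standard-library `ipaddress` module. It accepts the textual forms that commonly trip up hand-rolled parsers (a bracketed `[addr]:port`, a `%zone` suffix on link-local addresses, IPv4-mapped addresses) and reports the address scope and whether the address is a solicited-node multicast address. The sample inputs are constructed for this example; the scope labels and the `classify_v6`/`classify_all` names are this example's own choices, not anything from the thread.

```python
import ipaddress
import re

# Constructed sample inputs (not from the thread): scoped link-local, bracketed
# host:port, IPv4-mapped, solicited-node multicast, and one invalid string.
SAMPLE_INPUTS = [
    "2001:db8::1",
    "fe80::1%eth0",
    "[2001:db8::1]:443",
    "::ffff:192.0.2.1",
    "ff02::1:ff00:1",
    "2001:db8::g",
]

_BRACKETED = re.compile(r"^\[(?P<addr>[^\]]+)\](?::(?P<port>\d{1,5}))?$")
_ULA = ipaddress.IPv6Network("fc00::/7")
_SOLICITED_NODE = ipaddress.IPv6Network("ff02::1:ff00:0/104")


def classify_v6(text):
    """Parse one IPv6 address string; return a descriptive dict, or None if invalid.

    Handles the bracketed [addr]:port form and a %zone suffix. A zone id is only
    accepted on link-local addresses, since that is the only scope where it is
    meaningful; anything the ipaddress module rejects is reported as invalid.
    """
    port = None
    m = _BRACKETED.match(text)
    if m:
        text = m.group("addr")
        if m.group("port") is not None:
            port = int(m.group("port"))
            if not 0 < port <= 65535:
                return None
    zone = None
    if "%" in text:
        text, zone = text.split("%", 1)
        if not zone:
            return None
    try:
        addr = ipaddress.IPv6Address(text)
    except ValueError:
        return None
    if zone is not None and not addr.is_link_local:
        return None
    if addr.is_link_local:
        scope = "link-local"
    elif addr.is_loopback:
        scope = "loopback"
    elif addr.is_multicast:
        scope = "multicast"
    elif addr in _ULA:
        scope = "unique-local"
    else:
        # Everything else is treated as global here; 2001:db8::/32 (the
        # documentation prefix) therefore shows up as global too.
        scope = "global"
    return {
        "address": str(addr),
        "zone": zone,
        "port": port,
        "scope": scope,
        "mapped_v4": str(addr.ipv4_mapped) if addr.ipv4_mapped else None,
        "solicited_node": addr in _SOLICITED_NODE,
    }


def classify_all(inputs=SAMPLE_INPUTS):
    """Classify every input; invalid strings map to None so callers can report them."""
    return {s: classify_v6(s) for s in inputs}


if __name__ == "__main__":
    for raw, info in classify_all().items():
        print(f"{raw:24} -> {info if info else 'INVALID'}")
```

The reason to route everything through `ipaddress` rather than a regex is that the module already encodes the textual rules (`::` compression, mapped addresses, embedded dotted quads); the wrapper only has to handle the framing conventions (brackets, ports, zone ids) that sit outside the address grammar itself.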
Yes you can. Fight with clever technical solutions and the politics will follow once the solution becomes common or displays its usefulness. It is in fact the most effective way to fight dumb political issues.
In my country (Russia) the politics followed, now the ISPs block the OpenVPN and WireGuard packets. And sometimes the white list mode is enabled, so you cannot connect, with your clever custom VPN solution, to a host outside the country.
You should be able to use things like sshuttle or even tunnel through HTTPS whatever you want, right? As you can control both sides of the tunnel with encryption (comes by default), no MITM-ing unless you are forced to use solutions that install and eavesdrop on your secure traffic too.
1) they do protocol sniffing, and any inconsistency (including statistical) gets you blocked
2) "white list mode", which is engaged sometimes (poorly implemented atm), means nothing goes outside of the country at all (means 99.9% of everything is broken). They really want to become North Korea soon.
Are any streaming sites allowed? It should be really easy to make a VPN through an HTTPS tunnel appear to have a traffic pattern exactly like you are streaming videos and/or music (depending on the bandwidth needs) by throwing discardable traffic through when no valuable traffic is needed.
Obviously, everything can be cut off, but the point is that if something encrypted is allowed, there should be a way to get anything through.
If they turn off the internet, that gives you more time to meet your neighbors and do "arts and crafts" and read (cook)books. He's getting so old, at some point the horse throws him off
It sucks so much that there is no standard way of linking additional domains to your main one and inheriting the reputation.
Want to set up a new domain for whatever purposes (conference, new product, etc)? Be prepared to spend the first half a year fighting the various blacklists before people can actually reliably connect.
Would make so much sense if you could just have a .well-known/other-domains.txt (or something something DNS) with a list of domain names that should be considered just as trustworthy as your main domain.
It's not even about .online or other weird TLDs, it's just that the domain is new and therefore "not trustworthy". Even worse if you need to use your existing branding on the new domain - instantly flagged as a phishing site everywhere.
I've always found it weird that CNAMEs get resolved and lumped into the answer section in the first place. While helpful, this is not what you asked for and it makes much more sense to me to stick that in the additional section instead.
As an aside, I am super annoyed at Cloudflare for calling their proxy records "CNAME" in their UI. Those are nothing like CNAMEs and have caused endless confusion.
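How a client consumes an answer section that carries the CNAME chain the comment describes, as an added example that is not taken from the thread. The answer data below is constructed (made-up names and documentation-range addresses); the function starts at the queried name, follows CNAMEs one hop at a time, and ignores any record whose owner is not the name currently being resolved, so an extra record that merely happens to sit in the answer section is never accepted. It also rejects loops, dangling chains and over-long chains. The names `resolve_chain` and `MAX_CHAIN` are this example's own.

```python
# Constructed answer section, shaped like what a resolver returns for an A query
# on www.example.com. All names and addresses are made up for this example.
SAMPLE_QNAME = "www.example.com"
SAMPLE_ANSWER = [
    ("www.example.com.", "CNAME", "cdn.example.net."),
    ("cdn.example.net.", "CNAME", "edge.example.org."),
    ("edge.example.org.", "A", "192.0.2.10"),
    ("edge.example.org.", "A", "192.0.2.11"),
    # Not part of the chain: must not be accepted just because it is in the answer.
    ("unrelated.example.", "A", "198.51.100.5"),
]

MAX_CHAIN = 8  # upper bound on CNAME hops; also guarantees a loop cannot spin forever


def _canon(name):
    """Lower-case a DNS name and give it exactly one trailing dot, for comparisons."""
    return name.lower().rstrip(".") + "."


def resolve_chain(qname, rtype, answer):
    """Follow CNAMEs in an answer section from qname to the records of type rtype.

    Returns (final_owner, [rdata, ...], chain), where chain lists every owner
    name traversed in order. Raises ValueError on a CNAME loop, a chain that
    ends without records of rtype, more than one CNAME at a name, or a chain
    longer than MAX_CHAIN. Only records owned by the name currently being
    resolved are consulted at each step.
    """
    by_owner = {}
    for owner, t, rdata in answer:
        by_owner.setdefault(_canon(owner), []).append((t.upper(), rdata))

    current = _canon(qname)
    chain = [current]
    wanted = rtype.upper()
    for _ in range(MAX_CHAIN):
        rrs = by_owner.get(current, [])
        targets = [rdata for t, rdata in rrs if t == wanted]
        if targets:
            return current, targets, chain
        cnames = [rdata for t, rdata in rrs if t == "CNAME"]
        if not cnames:
            raise ValueError(f"no {wanted} or CNAME records for {current}")
        if len(cnames) > 1:
            raise ValueError(f"multiple CNAME records at {current}")
        nxt = _canon(cnames[0])
        if nxt in chain:
            raise ValueError(f"CNAME loop at {nxt}")
        chain.append(nxt)
        current = nxt
    raise ValueError(f"CNAME chain longer than {MAX_CHAIN} hops")


def resolve_sample():
    """Run the chain walk over the constructed answer above."""
    return resolve_chain(SAMPLE_QNAME, "A", SAMPLE_ANSWER)


if __name__ == "__main__":
    owner, rdata, chain = resolve_sample()
    print("chain:", " -> ".join(chain))
    print("final owner:", owner, "A records:", rdata)
```

The by-owner index is what makes the "ignore what you did not ask for" rule cheap to enforce: each hop looks up only the current name, so records for other owners never influence the result regardless of where the server placed them.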