Posts
0
Comments
465
Joined
2 yr. ago

  • You mentioned you’re not really hosting things, but… wouldn’t the easiest solution be to host radicale somewhere so you can just sync your calendars with all of your devices using CalDAV? That seems far cleaner than using syncthing and other services + radicale to sync the calendars.

  • To be honest, antivirus software is just not really a security tool. If you’re at the point where malicious software is running on your server you’ve already lost and it’s hard to know what extent the damage will be. Having proper isolation is much more important (something which, tbh, Linux isn’t quite as great at as we’d like to think, at least not without additional effort… mobile operating systems seem to take the isolation of applications a lot more seriously). You could maybe argue that the antivirus software is useful for monitoring, but I’d rather have some stronger guarantees that my application isn’t going to take my lunch money and private keys than a notice a day later that something sketchy is on my machine… I won’t flat out say a virus scanner is completely useless, because of course you can contrive scenarios where one could be helpful, but they’re kind of dubious.

    Also yeah, ClamAV afaik isn’t really used like a typical Windows antivirus. It’s mostly used on mail servers to scan email attachments. It’s not necessarily even looking for “Linux viruses”.

  • AFAIK this is not what happens on NixOS. Every package gets installed into a directory that’s a hash of its dependencies in the nix store, but there’s no special isolation or anything on NixOS (well, when the packages are built there’s some isolation, but that’s mostly to keep the builds honest). That said, NixOS is a little better than most distros about creating separate daemon users for services with different permissions, but I don’t think it’s done universally. I love NixOS and it has many benefits, but I don’t think this is one.

  • Org mode is great, particularly if you're already in the Emacs ecosystem because it can do a lot of stuff. Calendars, executable code blocks, spreadsheets, time tracking, org-roam for more ad-hoc notes and searching, capture templates for ingesting data...

    I like org mode's markup format a lot better than markdown's. It's a bit easier to do complicated things with escaping and stuff, and it supports syntax highlighting for different languages in code blocks, and LaTeX markup and stuff (which it can even display inline if you want).

    As far as I am concerned the only reason to use markdown is that more people are familiar with it and there's better support for it on certain platforms. These are certainly good enough reasons to use markdown, but in my experience if you're in the position to use org-mode it's just so much better.

  • Yeah pretty much! Everybody keeps complaining that the new phones aren’t very innovative and like… what do you want them to do? I can’t really even imagine anything more a phone can do with current technology other than incremental improvements. Maybe I just lack imagination, and I guess there’s some stuff I want like USB C and maybe to eventually get rid of the notch for FaceID… but I just don’t care enough to replace my phone until it dies. Honestly my current phone is barely any different from my phone from 10 years ago for all intents and purposes. The only thing I want my phone to do that it doesn’t already is software stuff… Like allowing sideloaded apps, or better support for things like nfc for transit systems… Hardware wise… What could I possibly even want?

  • Okay, so I did some research to confirm my previous understanding and for the sake of completeness I just wanted to throw this information into this thread... Neither DNSSEC/DANE nor MTA-STS is required. AFAIK none of the huge e-mail providers like Gmail, Outlook, or iCloud implement DNSSEC/DANE, but protonmail and tutanota both do. Of those everybody implements MTA-STS, except for iCloud.

    In the case of e-mail both of these aim to alleviate a big security flaw in e-mail, which is that when Alice is trying to send you an e-mail, Alice's mail server has no clue whether or not your e-mail server supports TLS (e-mail is older than TLS, so it's bolted on in an opportunistic fashion)... As a result if somebody can get in the middle of Alice's mail server and your mail server they can say "hey, I don't support TLS", and then Alice's mail server will just say "okay, fine, here's the e-mail unencrypted". Obviously such a downgrade attack is BAD, so DNSSEC/DANE and MTA-STS are attempts to prevent this from happening.

    DNSSEC/DANE solves this problem because it guarantees that DNS records are legitimate and it can guarantee whether or not a DNS record that says "hey the mailserver supports TLS" does or doesn't exist. The disadvantage of this is just that it relies on DNSSEC, which has its own caveats.

    MTA-STS attempts to mitigate the problem... With MTA-STS you add some DNS records that say "hey, look up the MTA-STS policy from this HTTPS server", and the HTTPS server provides a file that says whether or not the mail server requires TLS connections to prevent downgrades. This always bothered me, though, because if somebody can attack DNS this arguably gives you very little... And if somebody is in the position to block HTTPS traffic they can prevent the policy from being fetched as well. Theoretically this doesn't provide much of a guarantee, but I guess in practice it's probably a decent mitigation because if a policy has been fetched before there will be a cached version available, so you'd need a sustained or well-timed attack to break MTA-STS, and on the plus side they can't generate a bogus policy file to disable TLS connections to the mail server unless they can get a valid TLS certificate for your domain.

    Either way, both of these things are pretty much entirely about receiving e-mail, and aren't spam mitigation measures, so they shouldn't have anything to do with your ability to send e-mail (which is the harder part). It matters for sending in the sense that you don't want e-mail that you send to other mail servers to get downgraded from TLS when it shouldn't either, which means your mail server should validate MTA-STS + DNSSEC/DANE for mail servers that you are sending mail to. Ideally you would set up DNSSEC/DANE and MTA-STS in order to prevent this class of attacks on your personal e-mail, though it's not strictly necessary. MTA-STS is pretty trivial to set up as long as you already have an HTTP server on hand to serve up the policy file (which you probably do). DNSSEC may be a heavier ask for people depending on TLD support, registrar support, nameserver support, and software support (a lot of the DNSSEC signing software coughldnscough seems to choke on certain RRs -_-), but this may be easy for many people to implement.
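The MTA-STS mechanism the comment above describes (a DNS TXT record pointing at an HTTPS-served policy, a policy that lists the permitted MX hosts and whether TLS is required, and a cached copy that keeps protecting you when a fresh fetch fails) is small enough to show end to end. The following is an added example written for this page, not code from the commenter or from any mail server project; the record and policy text are constructed samples, and the `fetched_at`/cache handling is a simplified reading of RFC 8461, not a complete MTA-STS client (no HTTPS fetch, no TLSRPT reporting).

```python
"""Minimal MTA-STS (RFC 8461) policy parsing and delivery decision.

Added example: sample record and policy below are constructed, and the
cache logic is a simplified sketch of what a sending MTA does.
"""
from dataclasses import dataclass

# Constructed sample of the _mta-sts.<domain> TXT record.
STS_TXT_RECORD = "v=STSv1; id=20240101000000Z;"

# Constructed sample of https://mta-sts.<domain>/.well-known/mta-sts.txt
POLICY_TEXT = """\
version: STSv1
mode: enforce
mx: mail.example.com
mx: *.mx.example.net
max_age: 604800
"""


@dataclass
class Policy:
    mode: str          # "enforce", "testing" or "none"
    mx: list           # allowed MX host patterns, lower-cased
    max_age: int       # seconds the sender may cache this policy
    fetched_at: int = 0  # epoch seconds when the policy was fetched

    def expired(self, now: int) -> bool:
        """A cached policy stays usable until fetched_at + max_age."""
        return now >= self.fetched_at + self.max_age


def parse_sts_txt(txt: str) -> str:
    """Return the policy id from the TXT record; raise if it is not STSv1."""
    fields = {}
    for part in txt.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            fields[key.strip()] = value.strip()
    if fields.get("v") != "STSv1" or not fields.get("id"):
        raise ValueError("not a valid MTA-STS TXT record")
    return fields["id"]


def parse_policy(text: str, fetched_at: int = 0) -> Policy:
    """Parse the policy file served over HTTPS."""
    fields, mx = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "mx":
            mx.append(value.lower())
        else:
            fields[key] = value
    if fields.get("version") != "STSv1":
        raise ValueError("unsupported policy version")
    mode = fields.get("mode")
    if mode not in ("enforce", "testing", "none"):
        raise ValueError(f"invalid mode {mode!r}")
    return Policy(mode, mx, int(fields["max_age"]), fetched_at)


def mx_matches(pattern: str, host: str) -> bool:
    """Match an MX hostname against a policy pattern.

    A leading "*." matches exactly one label (a.mx.example.net matches
    *.mx.example.net; a.b.mx.example.net and mx.example.net do not).
    """
    host, pattern = host.lower().rstrip("."), pattern.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".mx.example.net"
        if not host.endswith(suffix) or len(host) == len(suffix):
            return False
        return "." not in host[: -len(suffix)]
    return host == pattern


def delivery_decision(policy: Policy, mx_host: str,
                      tls_ok: bool, cert_valid: bool):
    """Return (deliver_now, report_failure) for one MX connection.

    tls_ok: STARTTLS negotiated; cert_valid: chain validates and the
    certificate name matches mx_host. Enforce mode refuses the insecure
    path; testing mode delivers anyway but flags the failure for a report.
    """
    if policy.mode == "none":
        return True, False
    secure = tls_ok and cert_valid and any(
        mx_matches(p, mx_host) for p in policy.mx)
    if secure:
        return True, False
    if policy.mode == "testing":
        return True, True
    return False, True


if __name__ == "__main__":
    pol = parse_policy(POLICY_TEXT, fetched_at=1_700_000_000)
    print("policy id:", parse_sts_txt(STS_TXT_RECORD))
    print("downgrade attempt:", delivery_decision(pol, "mail.example.com", False, False))
    print("unlisted MX:", delivery_decision(pol, "evil.example.org", True, True))
```

The downgrade case in the comment (an attacker in the middle saying "I don't support TLS") shows up as `tls_ok=False`, and in `enforce` mode the sender withholds the message instead of falling back to cleartext; an attacker who can only block the HTTPS fetch still loses while the cached policy has not expired, which is exactly why `max_age` matters.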

  • In general you're pretty hard pressed to find a laptop that is all around as solid as a Macbook. Macbooks do pretty well across all categories... Good battery life, performance, screen, build quality, keyboard, trackpad, speakers, weight, size, etc... It's hard to find a competitor that provides close to as good of an experience on all factors at the same time. I don't have a Macbook at the moment because I prefer to run Linux and got my last laptop before the M1 came out... But it feels pretty hard to justify staying in Lenovo land these days.

  • I'm not sure if it's such a direct conspiracy, but I'm sure some of this happens inadvertently at least. Developers of big budget games are likely going to target higher end hardware, and API usage that might cause problems on lower end hardware probably sneaks in as a result of that. I'm sure there's some deals between game studios and Nvidia / AMD to get the latest GPUs for workstations at some discount, which probably means the machines they're using for the bulk of development are beefier than the average consumer's (you also probably want a bit of headroom while developing)... But this kind of stuff can naturally lead to higher requirements for software because you don't run into performance issues unless you're very serious about testing on lower end hardware... Which you might care about to some extent, but it's an additional cost that can take away from other aspects of the game, which might make it less marketable (graphics are a big deal for marketing, for example).

    Obviously it's not great if a game uses API calls inefficiently and that means it runs worse than it would otherwise... But I'm not really that surprised when it happens? Working on big projects on deadlines there's often a "try the obvious solution, worry later if it's too slow" mentality, and I'm not sure you need any more of a conspiracy than that to account for stuff like this.

  • This is almost certainly the primary reason why they do this… It’s just a dick move. Especially since, sure, per byte the accounting gets more complicated… but there’s no reason to not let people buy storage in reasonably sized increments. Even 50 GB at a time would be an improvement.

  • It’s incredibly silly that you can just run out of the top iCloud storage tiers. It’s not something most people will run into probably… but it’s really weird that they won’t just sell you more. Glad there’s some higher tiers now, but I hate bucket sizes like this. I wish it was more granular and we paid per byte or something.

  • No you’re right, I shouldn’t discourage, just wanted to warn it’s not the same as most other self hosting projects, where often you just need to spin up a docker container.

    Yeah, this is very fair! I just wanted to also provide the other perspective. Self hosting e-mail is very doable, and I think there are some things like mailcow / mail-in-a-box that make setting up the software on the server a lot easier (I haven't used these, but I've heard good things)... But you're probably still going to have to double check your rDNS and make sure to add the appropriate DNS entries... And you might not even realize that you have to do that, and then you're like "why the hell can't I send e-mail to anybody", and it's not the easiest thing to debug (especially if you haven't set up DMARC entries for getting reports from other mail servers). Plus... If you get the DNS entries wrong it can be a pain to wait for the TTL to expire to make changes. The setup definitely isn't without its headaches and hassles, but it's not impossible and once it's good to go you probably won't have to change anything.

    FWIW hasn’t DNSSEC/DANE been added to the prerequisites these days or is that still optional?

    This is currently optional afaik. I believe you can use this to establish that your e-mail server accepts TLS so other mail servers can know not to downgrade to an unencrypted connection. Admittedly, I'm not super up to date on this, and I'm slightly confused about the differences between MTA-STS and DANE. Also fwiw, I think both of these solutions mainly impact receiving mail, and shouldn't make much of a difference if any for you sending mail to the big providers.

  • I think if somebody does want to self host email we really shouldn’t discourage them. It’s a bit more complicated than somebody might expect going in, but you really don’t need that much to get everything in a working state, and it’s something that will get better the more people do it because more people will write tools and guides and make saner defaults, and large mail companies will have to take independent mail servers more seriously.

    Totally cool if it isn’t for you of course, and people should be aware that it’s important to set up rDNS, DKIM, DMARC, and SPF (most of these are just simple DNS entries that you need that help with interacting with other mail servers), because otherwise their emails are going to be sent to the spam zone… But these are not insurmountable obstacles if you really do want to do it!

  • These days almost every mail server will send mail over TLS, but it’s not a guarantee, which is a little unfortunate. Like you say there’s always privacy concerns with email, unfortunately.

    I think in terms of privacy it really depends what you care about and what you’re using it for. If you care about Google reading your inbox, then self hosting can in theory help (at least for emails where the other party isn’t on Google or whatever)… Personally I like the idea of Google not knowing every company that I have an account with and everything I order online, which is information that’s definitely in your inbox. If you care about obscuring who you are to services that you sign up for with email, then arguably self hosting is not ideal because you’ll be the only one using that domain for email, and you might be better obscuring yourself through something like Apple’s “hide my email” service (which of course means you trust Apple to see those emails instead).

    If you have more serious concerns and are having conversations that you don’t want anybody other than the recipient to know about, email is probably the wrong choice for that conversation, but PGP is a decent option in these cases, albeit too clunky for most people. You may consider other services like protonmail or tutanota, but there are concerns with these services as well (eg, protonmail gets some flak for not encrypting metadata like message subjects, which is a big deal) and again there aren’t necessarily good guarantees for anybody you’re talking to on gmail or whatever.

    Personally I like self hosting my email because of the flexibility that it offers and the price. It’s nice to be able to have as many email accounts as I want and it’s cheap to host, and I enjoyed learning about it and setting it up. My personal inbox is out of the hands of giants, but obviously if I’m emailing normal people it’s probably going to be available in the clear to Google or Microsoft (which is likely the case regardless of your solution). That’s not ideal, but it’s the reality right now with email. I kind of think of email more like a Twitter account or something at this point. It’s a semi-public way for random people to get in touch with you and a lot of conversations might be kind of explicitly public like on mailing lists, or something more akin to talking to a colleague in a public space — not super private, but a convenience, I guess?

    I’d still recommend that people do try to self host their email if they’re thinking about this. Independent mail servers seem like a healthy thing for the web and learning more about it will give you a better sense of how secure / private your emails really are. Things like protonmail seem to have some advantages, but I also get some weird vibes from them and I’m not sure how much of a privacy increase they really give if you aren’t talking to other protonmail users and stuff anyway.

  • Yeah. I think Forth is kind of just interesting for what it is and it fits its niche well. If you’re looking into Forth you probably appreciate it for what it is, and it’s a super flexible language so it can kind of be what you want it to be. It’s obviously not perfect, and it’s not the ideal fit for what most people want to do… but I guess people just don’t really expect it to be more than it is and it’s a smaller community so nobody is too vocal or angry about it. People will complain about other niche languages like Lisp, OCaml, Prolog, or Haskell all the time, but people don’t say much about Forth, and when somebody does talk about it it’s pretty much all praise. The Forth people are just content I guess!

  • I feel like nobody ever bad-mouths Forth. Arguably it’s just because it’s super niche, but there’s lots of niche languages that people shit on all the time. I guess if you’re the kind of person to bother trying out a Forth you’re probably going to think it’s neat.