Posts: 11 · Comments: 427 · Joined: 2 yr. ago

  • If you use the AWS load balancer product or their certificates, they have access to the private key, regardless of whether you forward traffic from the LB to the container over HTTPS or not.

    If you terminate the SSL with your own certificate yourself, Amazon still installs the SSM agent by default on Linux boxes. That runs as root and they control it.

    If you disable the SSM agent and terminate SSL within Linux boxes you control at AWS, then I don’t think they can access inside your host as long as you are using encrypted EBS volumes encrypted with your key.

  • With what? HTTPS has to terminate the encryption somewhere and that place has to have the private key to do so.

    CloudFlare is providing the same service here as all other hosts of HTTPS websites do.

  • One of the services they provide is free SSL certificates. As part of that, they have the private key to decrypt the traffic. They aren’t trying to hide that— this is true of any service that hosts the SSL cert for your site.

  • In both cases of rootless and rootful-with-non-root process your process is running as a non-root user with respect to the host.

    To break out of the container will require two steps. First, adguard itself must be exploited. A second exploit is then required to elevate privileges from the adguard user to root.

    If your attacker successfully gets that far, then having a rootless container would matter, because in a rootful container, root in the container equals root on the host. In a rootless container, "root" only gives you the abilities of the user running the rootless container.

    But as you've found, rootless containers can be a pain.

    Making sure your container is running as non-root user in a rootful container is better than giving up.

  • These days you are likely running some code nobody read closely.

    The author trusted AI and didn’t fully understand it.

    The maintainer trusted the author and merged because the change sounded good and the tests passed and they are grateful anyone contributed at all.

    The packager trusted the maintainer. The security team trusted the packager. The user trusted the distro.

  • It’s all true. The bird muscle, the animal flesh, the carcasses and the propensity of humans to cook it so we can tolerate eating it. This is unlike obligate carnivores like our cats, which enjoy ripping the flesh off the bone with their teeth and eating the bird muscle right off the fresh carcass.