Oh, this looks really interesting. You only need dedicated CPU cores, but the rest of the hardware can be shared? Better performance than VMs, including Xen? Still some security benefits due to the isolation between kernels? “zero-down kernel update”?

This reads phenomenal, even though I understand it’s just RFC at this point. Let’s see what comes out of it…

I like that none of my local devices are externally addressable unless an outgoing connection has been established.

This can also be achieved using (other) firewall rules.

but then it’s essentially just maintaining a NAT table without the translation piece.

So… a firewall?

NAT isn’t a security feature and shouldn’t be relied on for managing access to hosts.

It also breaks the assumption of IP that connections between hosts are end-to-end, which requires sophisticated solutions so that everything works (more or less).

I too employ NAT to make services accessible over IPv4. But only because it doesn’t work otherwise. Not because it “makes sense”. I don’t use it at all for IPv6.

Idk man, NAT makes a lot of sense once you get used to it.

That’s a lie, NAT is bullshit, sometimes necessary, but it will never “make sense”.

Well, technically, there’s a second time

The best mini stroke they’ve ever seen.

I might have to agree.

A twitch chatter used the same term in Atrioc’s stream where this was presented, saw it on YouTube and had to laugh

Fortunately, it was the imaginary half, dislocated from the real one

Every other doctor agreed

The difference is that tourists are not a somehow disadvantaged group. My livelihood isn’t endangered because I can’t go to a tourist spot in Spain somewhere without being heckled (though, when I actually was in Spain, everyone was nice, but Madrid isn’t that much of a tourist spot compared to others).

Also, in some cases, it isn’t “the rich” – I too love to point out the issues they cause – but sometimes, it’s just ordinary people hoping to make a quick buck buying up property to rent it out on AirBNB. Yes, it’s also rich foreigners getting property everywhere for themselves, which is a problem. But “the rich” don’t bother with AirBNB, they just build hotels, and these normally don’t compete with normal housing.

Raceism, specifically centering around skin colour and related features, is actually pretty recent and pretty Western.

If I may take a guess, it’s also because up until historically recently, larger groups of ethnicities didn’t know that other such groups existed. To be racist, you need to be aware of people you’d clarify as another race

It’s not like homophobia (or, say, racism) is unique to western civilizations.

It’s funny how the bigots insist that only what your birth certificates states is relevant for anything except for when they don’t like what it says.

Client data absolutely is encrypted in TLS. You might be thinking of a few fields sent in the clear, like SNI, but generally, it’s all encrypted.

I never said it isn’t, but it’s done using symmetric crypto, not public key (asymmetric) crypto.

Asymmetric crypto is used to encrypt a symmetric key, which is used for encrypting everything else (for the performance reasons you mentioned).

Not anymore, this was only true for RSA key exchange, which was deprecated in TLS 1.2 (“Clients MUST NOT offer and servers MUST NOT select RSA cipher suites”). All current suites use ephemeral Diffie-Hellman over elliptic curves for key agreement (also called key exchange, but I find the term somewhat misleading).

As long as that key was transferred securely and uses a good mode like CBC, an attacker ain’t messing with what’s in there.

First, CBC isn’t a good mode for multiple reasons, one being performance on the encrypting side, but the other one being the exact reason you’re taking about: it is in fact malleable and as such insecure without authentication (though you can use a CMAC, as long as you use a different key). See https://pdf-insecurity.org/encryption/cbc-malleability.html for one example where this exact property is exploited (“Any document format using CBC for encryption is potentially vulnerable to CBC gadgets if a known plaintext is a given, and no integrity protection is applied to the ciphertext.”)

As I wrote in my comment, I was a bit pedantic, because what was stated was that encryption protects the authenticity, and I explained that, while TLS protects all aspects of data security, it’s encryption doesn’t cover the authenticity.

Anyhow, the point is rather moot because I’m pretty sure they won’t get a certificate for the IP anyways.

Public key crypto, properly implemented, does prevent MITM attacks.

It does, but modern public key crypto doesn’t encrypt any client data (RSA key exchange was the only one to my knowledge). It also only verifies the certificates, and the topic was about payload data (i.e. the site you want to view), which asymmetric crypto doesn’t deal with for performance reasons.

My post was not about “does TLS prevent undetected data manipulation” (it does), but rather if it’s the encryption that is responsible for it (it’s not unless you put AES-GCM into that umbrella term).

Right, and for the challenge, you need to have access to a privileged port (which usually implies ownership), which you won’t get assigned.

Let’s Encrypt are rolling out IP-based certs, you may wanna follow its development. I’m not sure if it could be used for your forwarded VPN port, but it’d be nice anyhow

It shouldn’t be because you’re not actually the owner of the IP address. If any user could get a cert, they could impersonate any other.

I believe encryption helps prevent tampering the data between the server and user too. It should prevent for example, someone MITM the connection and injecting malicious content that tells the user to download malware

No, encryption only protects the confidentiality of data. You need message authentication codes or authenticated encryption to make sure the message hasn’t been transported tampered with. Especially stream ciphers like ChaCha (but also AES in counter mode) are susceptible to malleability attacks, which are super simple yet very dangerous.

Edit: this post is a bit pedantic because any scheme that is relevant for LE certificates covers authenticity protection. But it’s not the encryption part of those schemes that is responsible.

Very cool

The whole thing is super dumb, as you said, burning the flag is the proper way to get rid of one no longer for for display (imagine the flag hanging out of a bin or something).

You know what’s also against the flag code? Plastering it everywhere that’s not a flag, like towels or whatever. But the flag code is only binding for government bodies if I’m not mistaken.

But yeah, the whole thing is just stupid.

I’m all for alternatives, regardless of whether I’m gonna use them, but in my opinion, one of systemd’s big advantages is that you’re not relying on scripts for service management; scripts mix configuration with logic and this was a big reason why a lot of distributions switched to systemd in the first place. The init scripts (that they had to write themselves) were sometimes getting very large and complex in order to cover interdependencies (both to other services, but also to eventual mountpoints) and ordering.

Now, please don’t see this as a general criticism of this init system, firstly I’m not an expert on the subject, second I don’t believe there is the one and true design that covers all cases. My criticism is more towards the reporting about this when comparing to systemd.

There are comparisons that state that this isn’t the monolith systemd is. From the author’s own blog in comparison to runit:

nitro favors a monolithic approach, and keeps everything in a single process. This makes it also easier to install for containerization.

So if you’re really into that “do one thing and do it well” mantra, use something different. Note: personally, I think use what does the job best, and if you think nitro does a particular job better than systemd, go for it. I’d guess that it could be particularly suited better for the last three bullet points in the OP compared to systemd, but that would need to be tested in practice.

Anyhow, if you hate systemd or another piece of free software, go touch grass.

None of this matters, what matters is what dumb money believes