• 0 Posts
  • 31 Comments
Joined 1 year ago
cake
Cake day: July 1st, 2023

help-circle




  • Are you going to be hosting things for public use? Does it feel like you’re trying to figure out how to emulate what a big company does when hosting services? If so, I’ve been struggling with the same thing. I was recently pointed at NIST 800-207 describing a Zero Trust Architecture. It’s around 50 pages and from August 2020.

    Stuff like that, your security architecture, helps describe how you set everything up and what practices you make yourself follow.



  • Thank you for your reply, but to be clear, I’m not looking for individual details to be spelled out in comments. What you said is absolutely correct, thoughtful, and very helpful. But emotions are running a little high and I’m worried I’ll accidentally lash out at someone for helping. Apologies in advance.

    But do you have any links? Beyond just the general subjects of security architecture, secure design, threat modeling, and attack surface identification, I’d love to see this hypothetical “generic VM and web application housing provider in a box” come with a reasonably secure default architecture. Not what you’re running, but how you’re running it.

    Like, imagine decades in the future, internet historians uncover documentation and backups from a successful generic hosting company. They don’t necessarily care what their customers are hosting, their job is to make sure a breach in one customer’s stuff doesn’t impact any other customer. The documentation describes what policies and practices they used for networking, storage, compute, etc. They paid some expensive employees to come up with this and maintain it, it was their competitive advantage, so they guarded it jealously.

    I’d want to see that, but (a) a public, community project and (b) now, while it’s still useful and relevant to emulate it in one’s own homelab.

    If I can get some of that sweet, sweet dopamine from others liking the idea and wishing for my success, maybe I can build my own first version of it, publish my flawed version, and it can get feedback.



  • I think this needs to exist, but as a community supported system, not as a commercial product.

    Pick a set of open technologies - but not the best, lightest weight, just pick something open.

    Come up with a security architecture that’s reasonably safe and only adds a moderate amount of extra annoyance, and build out a really generic “self-hosted web hosting and VM company-like thingy” system people can rally around.

    Biggest threat to this, I think, is that this isn’t the 90s and early 2000s any longer, and for a big project like this, most of the oxygen has been sucked out already by free commercial offerings like Facebook. The technical family friend offering to self-host email or forums or chat no longer gets gratitude and love, they get “why not Facebook?”

    So… small group effort, resistant to bad actors joining the project to kill it, producing a good design with reasonably safe security architecture, that people can install step by step, and have fun using while they build and learn it.


  • Married, we both work from home, and we’re in an apartment.

    First, all of my weird stuff is not between her work and living room pcs and the internet. Cable modem connects to normal consumer router (openwrt) with four lan ports. Two of those are directly connected to her machines (requiring a 150-ish foot cable for one), and two connect to my stuff. All of my stuff can be down and she still has internet.

    Second, no rack mount servers with loud fans, mid tower cases only. Through command line tools I’ve found some of these are in fact capable of a lot of fan noise, but this never happens in normal operation so she’s fine with it.

    Separately I’d say, have a plan for what she will need if something happens to you. Precious memories, backups, your utility and service accounts, etc. should remain accessible to her if you’re gone and everything is powered off - but not accessible to a burglar. Ideally label and structure things so a future internet installer can ignore your stuff and set her up with normal consumer internet after your business internet account is shut off.

    Also keep in mind if you both switch over so every movie and show you watch only ever comes from Plex (which we both like), in an extended power outage situation all of your media will be inaccessible. It might be good to save a few emergency-entertainment shows to storage you can browse from your phone, usb or iXpand drive you can plug directly into your phone for example.


  • As a Flight Simulator / study-level airliner add-on enjoyer I want to point out / supplement the above, that the main point of a real-world airline transport pilot is handling exceptions and problems. Sure I can American-Truck-Simulator-Airbus-Edition my way through a flight from cold and dark at one gate to cold and dark at another. I do not know how to handle failures.

    Makes for a fun shower thought. And a fun exercise in task saturation, going into the menu and triggering a bunch of random failures. You usually need a bunch for a fun challenge because, in a study level thingy, the list of potential faults is huge and most of them are just a reduction in redundancy, a “crew awareness” item, or loss of a convenience feature. But I do not belong on a flight deck under any realistic circumstance.

    Gives you huge appreciation for how massively redundant airliners are, how much “we already thought this through and here’s what gives you the best chances at a safe outcome” research went into every checklist and procedure, and how much study and practice goes into training and maintaining every fight crew member, cabin crew included.







  • And those jobs are critical to the process of making new developers.

    An important part of my education - the part that grad school can’t teach you, you have to learn it on the job - was being new and terrible, grinding on a simple problem and feeling like a waste of money. Any of the experienced guys sitting behind me could have done this thing in a few hours but I’ve been working on it for a week. “What’s the point? Any minute now they’re going to tap me on the shoulder and tell me I’m done, it’s time to go find another job.”

    But that never happened.

    Those early problems weren’t fun. At home I would have never chosen to work on them. I’d leave them for someone else. “But now that I’m collecting a paycheck for it, this isn’t up to me. I have to work on it. I can’t give up. I can ask for help, but I need to show my peers that I belong. I can solve difficult problems. I can persevere.”

    As a mediocre professional developer, I had to struggle to learn that. I wasn’t getting far on my own, without mentorship and motivation. Homework, pursuing degrees, wasn’t getting me there. (And even now, I seem to have about two weeks of attention span, for projects at home.)


  • As a professional C# developer since 2012, I’d say a programmer needs four kinds of knowledge. As an organizational user of Github Copilot for a couple months, I’d say AI tools can help with one, maybe two of those.

    Understanding language and syntax, so you can communicate the ideas in your head to the machine accurately: AI is fairly good at this, will certainly get a lot better.

    Understanding algorithms and data structures, well enough to compare and contrast, and choose the most appropriate ones for each circumstance: AI can randomly select something, unless it’s a frequently solved problem. I don’t expect this to get better except for the most repetitive of coding tasks.

    Understanding your execution environment and adapting your solutions to use it well: I don’t see the current generation of AI tools ever approaching this. I don’t think they have context for how a piece of code is used, when trying to learn from it. One size fits all is not a great approach.

    Understanding your customer’s needs and specific problems, and creating products, not code. Problem domains and solutions are a business’s entire reason for existence. This is all kept confidential (and outside the reach of an AI training data set) for competitive reasons. As a human employee, you get to peek behind the curtain and learn these things yourself.